Configuration Guide - Basic Configuration (V100R002C00 - 05)
Version V100R002C00
Issue 05
Date 2010-01-08
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any
assistance, please contact our local office or company headquarters.
Website: http://www.huawei.com
Email: support@huawei.com
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Contents
About This Document.....................................................................................................................1
1 How to Use Interfaces...............................................................................................................1-1
1.1 Introduction to Interfaces................................................................................................................................1-2
1.2 Setting Parameters of an Interface...................................................................................................................1-5
1.2.1 Establishing the Configuration Task......................................................................................................1-5
1.2.2 Entering the Interface View...................................................................................................................1-6
1.2.3 Viewing All Commands in the Interface View......................................................................................1-6
1.2.4 Configuring the Description for an Interface.........................................................................................1-7
1.2.5 Starting and Shutting Down an Interface...............................................................................................1-7
1.2.6 Exiting from the Interface View.............................................................................................................1-8
1.2.7 Assigning an IP Address to an Interface................................................................................................1-8
1.2.8 Further Configuration of an Interface.....................................................................................................1-9
1.2.9 Checking the Configuration.................................................................................................................1-10
1.3 Configuring the Loopback Interface.............................................................................................................1-10
1.3.1 Establishing the Configuration Task....................................................................................................1-10
1.3.2 Configuring IPv4 Parameters of the Loopback Interface.....................................................................1-11
1.3.3 Checking the Configuration.................................................................................................................1-12
1.4 Maintaining the Interface..............................................................................................................................1-12
1.4.1 Clearing Statistics Information on the Interface...................................................................................1-12
1.4.2 Debugging the Interface.......................................................................................................................1-12
Issue 05 (2010-01-08)
Figures
Figure 2-1 Networking diagram of the S9300 acting as the Telnet server...........................................................2-5
Figure 2-2 Networking diagram of the S9300 acting as the Telnet client............................................................2-6
Figure 2-3 Networking diagram of the S9300 acting as the cascading Telnet server..........................................2-6
Figure 2-4 Numbering of user interfaces on the S9300.......................................................................................2-8
Figure 2-5 Logging in to the S9300 through the console interface....................................................................2-10
Figure 2-6 Setting up a new connection.............................................................................................................2-11
Figure 2-7 Setting the connection port...............................................................................................................2-12
Figure 2-8 Setting communication parameters for the port................................................................................2-13
Figure 2-9 Selecting a terminal type..................................................................................................................2-14
Figure 2-10 Logging in to the S9300 locally through Telnet..............................................................................2-25
Figure 2-11 Logging in to the S9300 remotely through Telnet.........................................................................2-28
Figure 2-12 Establishing a local SSH connection between the PC and the S9300............................................2-36
Figure 2-13 Setting up an FTP connection between the PC and the S9300.......................................................2-39
Figure 2-14 Setting up a connection between the S9300 and the TFTP server.................................................2-41
Figure 2-15 Networking diagram of the remote login of the Ethernet user.......................................................2-49
Figure 2-16 Networking diagram for configuring TFTP...................................................................................2-52
Figure 3-1 Hierarchical structure of command views..........................................................................................3-2
Figure 3-2 Authority of users at four levels.........................................................................................................3-8
Figure 5-1 Establishing a local SSH connection between the PC and the S9300................................................5-2
Figure 5-2 Networking diagram for configuring the SSH server to support the access from another port.......5-17
Figure 5-3 Networking diagram of connecting the STelnet client and the SSH server.....................................5-23
Figure 5-4 Networking diagram for connecting the SFTP client and the SSH server.......................................5-29
Figure 6-1 Networking diagram of the S9300 functioning as the FTP server...................................................6-11
Figure 6-2 Networking diagram of the S9300 functioning as the FTP client....................................................6-13
Figure 6-3 Networking diagram for configuring an ACL of the FTP server.....................................................6-15
Tables
Table 1-1 Description of management interfaces.................................................................................................1-2
Table 1-2 Numbers of management interfaces.....................................................................................................1-2
Table 1-3 Rules for numbering service interfaces................................................................................................1-3
Table 2-1 User login modes..................................................................................................................................2-3
Table 2-2 Types of user interfaces....................................................................................................................... 2-7
Table 2-3 Types of login users.............................................................................................................................2-8
Table 2-4 Authentication modes of login users..................................................................................................2-10
Table 2-5 Communication parameters...............................................................................................................2-13
Table 3-1 Types of command views.....................................................................................................................3-3
Table 3-2 Levels of login users............................................................................................................................ 3-8
Table 3-3 Matching relations of error messages and error causes......................................................................3-10
Table 3-4 Accessing history commands.............................................................................................................3-12
Table 3-5 System hotkeys...................................................................................................................................3-13
• Feature description
• Data preparation
• Pre-configuration tasks
• Configuration procedures
• Configuration examples
This document guides you through the configuration and the applicable environment of basic
features of the S9300.
Related Versions
The following table lists the product versions related to this document.
Product Name: S9300
Version: V100R002C00
Intended Audience
This document is intended for:
• NM configuration engineers
Organization
This document is organized as follows.
Chapter: Description
8 Management of Configuration Files
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
TIP
NOTE: Provides additional information to emphasize or supplement important points of the main text.
General Conventions
The general conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
Italic
Courier New
Command Conventions
The command conventions that may be found in this document are defined as follows.
Boldface
Italic
[]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... }*
[ x | y | ... ]*
&<1-n>
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
>
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
Format
Description
Key
Press the key. For example, press Enter and press Tab.
Key 1+Key 2
Key 1, Key 2
Mouse Operations
The mouse operations that may be found in this document are defined as follows.
Action
Description
Click
Double-click
Drag
Press and hold the primary mouse button and move the
pointer to a certain position.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Issue 05 (2010-01-08): The descriptions about the user level and the command level are updated.
A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called
interfaces in this document.
Management Interface
Management interfaces are used for managing and configuring the device. That is, you can log
in to the S9300 through a management interface to configure and manage the S9300.
Management interfaces do not transmit services.
The S9300 provides the following management interfaces:
• Console interfaces
• Ethernet interfaces
Usage
Console interface
Ethernet interface
The S9300s provide three models: S9303, S9306, and S9312. Console and Ethernet interfaces
are configured on the main control board.
The rules for numbering management interfaces are as follows:
Table 1-2 Numbers of management interfaces
Name
Number
Console interface
Ethernet interface
Slot number: indicates the number of the slot where the LPU is located.
Interface sequence number: indicates the sequence numbers of the interfaces that are
located on an LPU.
For example:
If an LPU is installed in slot 3 of the S9300, the fifth interface on the LPU from bottom to up
and from left to right is numbered GE 3/0/4.
Physical Interfaces
Physical interfaces exist on the S9300.
Physical interfaces include management interfaces and service interfaces.
The S9300 supports the following physical interfaces:
• Console interfaces
• Eth interface
Physical interfaces are located on the main control board and LPU of the S9300.
Logical Interfaces
Logical interfaces do not physically exist; they are set up through configuration.
The S9300 supports the following logical interfaces:
• Eth-Trunks
An Eth-Trunk comprises only Ethernet links.
The Eth-Trunk technology has the following advantages:
For details about the configuration, see the chapter "Configuring the Eth-Trunk" in the
Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.
• Loopback interfaces
A loopback interface is a virtual interface. The TCP/IP protocol suite defines that the IP
address 127.0.0.0 is a loopback address. When the system starts, it automatically creates
an interface using the loopback address 127.0.0.1 to receive all data packets sent to the
local host. Some applications, such as mutual access between Virtual Private Networks
(VPNs), however, need a local interface with a specified IP address, configured without
affecting the configuration of any physical interface. In this case, the IP address of the
local interface uses a 32-bit mask, which saves IP addresses, and the address can be
advertised by routing protocols.
The status of the loopback interface is always Up; therefore, the IP address of the loopback
interface can be used as the router ID, the label switching router (LSR) ID, or the tunnel.
For details, see 1.3 Configuring the Loopback Interface.
• Null interfaces
Null interfaces are similar to null devices supported by certain operating systems. Any data
packets sent to this interface are discarded. Null interfaces are mainly used for route
selection and policy-based routing (PBR). For example, if no route is matched during route
selection, the packet is sent to the null interface.
• Tunnel interfaces
A tunnel interface is a logical interface. It can be used as the backup interface of other
interfaces and used to set up Generic Routing Encapsulation (GRE) tunnels or
Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) tunnels.
For details about the configuration, see the chapter "Configuring the Tunnel Interface" in
the Quidway S9300 Terabit Routing Switch Configuration Guide - VPN.
• Sub-interfaces
A sub-interface supports multiple logical interfaces or network interconnections on a
physical port. That is, several logical interfaces are associated with a physical port and use
the same parameter values. The link-layer parameters and network-layer parameters of the
logical interfaces are different. For the configuration of sub-interfaces, see "Configuring the
sub-interface" in the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.
• VLANIF interfaces
When the S9300 needs to communicate with devices at the network layer, you can create
a logical interface of the Virtual Local Area Network (VLAN) on the S9300, namely, a
VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF
interfaces work at the network layer. The S9300 then communicates with devices at the
network layer through VLANIF interfaces.
For details about the configuration, see the chapter "Configuring the VLANIF Interface"
in the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.
Pre-configuration Tasks
Before setting parameters of an interface, complete the following task:
Installing the LPU on the S9300
Data Preparation
To set parameters of an interface, you need the following data.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
All the commands in the view of the specified interface are displayed.
----End
Procedure
Step 1 Run:
system-view
Run:
system-view
Run:
interface interface-type interface-number
Run:
shutdown
CAUTION
When a physical interface is idle and is not connected to a cable, shut down this interface
by using the shutdown command to protect the interface against interference.
• Starting an interface
Do as follows on the S9300.
1.
Run:
system-view
Run:
interface interface-type interface-number
Run:
undo shutdown
Procedure
• Run the quit command in the interface view to exit from the interface view.
• Run the return command in the interface view to return to the user view from the interface
view.
----End
VLANIF interfaces
You can assign IP addresses to the VLANIF interfaces that are bound to Layer 2 physical
interfaces.
Procedure
Run:
system-view
Run:
interface Ethernet 0/0/0
Run:
ip address ip-address { mask | mask-length }
Run:
system-view
Run:
vlan vlan-id
Run:
port gigabitethernet interface-number
Run:
quit
Run:
interface vlanif vlan-id
Run:
ip address ip-address { mask | mask-length }
Configuring routes
For the detailed configuration, see the other S9300 configuration manuals.
Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude |
include } regular-expression ] command to check the running status of the interface and the
statistics on the interface.
Step 2 Run the display interface brief command to check the brief information about the interface.
Step 3 Run the display interface description command to check the description of the interface.
Step 4 Run the display ip interface [ interface-type interface-number ] command to check the main
configurations of the interface.
Step 5 Run the display ip interface brief [ interface-type interface-number ] command to check the
brief state of the interface.
----End
Pre-configuration Tasks
Before configuring the loopback interface, complete the following task:
Data Preparation
To configure the loopback interface, you need the following data.
Procedure
Step 1 Run:
system-view
You can create or delete a loopback interface. When being created, the loopback interface remains in the
Up state until you delete it.
----End
Procedure
Step 1 Run the display interface loopback [ loopback-number ] [ | { begin | exclude | include }
regular-expression ] command to check the status of the loopback interface.
Step 2 Run the display ip interface [ interface-type interface-number ] command to check the main
configurations of the interface.
----End
CAUTION
The statistics on the interface cannot be restored after you clear them. So, confirm the action
before you use the command.
Procedure
Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user
view to clear the statistics on the interface.
----End
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
For the description about debugging commands, see the Quidway S9300 Terabit Routing
Switch Debugging Reference.
For details about debugging commands on the interface, see the following chapters.
You must log in to the S9300 from the console interface for the first time.
Table 2-1 User login modes
Login Mode: Applicable Scenario (the User Type and Description columns did not survive extraction)
2.2 Logging In to the S9300 Through the Console Interface: logging in to the S9300 for the first time; local maintenance
2.5 Logging In to the S9300 Locally Through Telnet
2.8 Logging In to the S9300 Through SSH
2.10 Logging In to the S9300 Through FTP
2.11 S9300 Logging In to the TFTP Service Through TFTP
2.13 Logging In to the S9300 Through SFTP
2.14 Logging In to the S9300 Through STelnet
You need to manage users and control user authority properly and ensure the security of the
information transmitted.
Telnet server
By default, the S9300 functions as the Telnet server. The Telnet client program runs on the
user terminal.
Figure 2-1 Networking diagram of the S9300 acting as the Telnet server (labels: PC running the Telnet client, Ethernet, L2 Switch, VLAN1, Ethernet, S9300 as the Telnet server; a Telnet session between the PC and the S9300)
You can log in to the S9300 on the PC through Telnet to configure and manage the
S9300. A reachable route must exist between the PC and the S9300.
NOTE
To configure the remote S9300, you must set the attributes of the Telnet terminal service, including:
Telnet works normally only when the attributes of the client and server are the same.
Telnet client
The S9300 functions as the Telnet client to initiate a connection, and a router or an
application server functions as the Telnet server, as shown in Figure 2-2.
Figure 2-2 Networking diagram of the S9300 acting as the Telnet client (labels: S9300 as the Telnet client, Ethernet, IP network, Router as a Telnet server reached through Telnet Session1, Server as a Telnet server reached through Telnet Session2)
The S9300 logs in to the router or the application server through Telnet to perform
configuration and management. A reachable route must exist between the S9300 and
the router or the application server.
Figure 2-3 Networking diagram of the S9300 acting as the cascading Telnet server (labels: S9300-A as the Telnet client, VLAN1, Ethernet, S9300-B, VLAN2, Ethernet, S9300-C as the Telnet server; Telnet Session1 and Telnet Session2)
S9300-A logs in to S9300-B through Telnet. Then, S9300-B logs in to S9300-C through
Telnet. In this manner, the three S9300s form a cascading login structure. In this case,
S9300-A functions as the client of S9300-B and S9300-B functions as the client of
S9300-C.
It is required that routes be reachable between S9300-A, S9300-B, and S9300-C.
TFTP
Compared with FTP, TFTP is based on UDP. It does not provide the interfaces for complicated
interactions or for access and authentication control. TFTP is therefore applicable to
environments without complicated interactions between a client and a server. For example, you
can obtain the memory mapping of the system through TFTP when the system is started.
The client initiates the TFTP transfer. To download files, the client sends a Write Request (WRQ)
to the server. The server then sends data packets to the client. After receiving the data packets,
the client sends an ACK packet to the server. To upload files, the client sends a Read Request
(RRQ) to the server. After the server receives the request, the client sends a data packet to the
server and waits for an ACK packet from the server.
TFTP supports the following file types:
Currently, the S9300 can act only as the TFTP client and transfers files in binary mode only.
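The request, data and acknowledgement exchange described above can be followed packet by packet in code. The block below is an added example written for this page; it is not Huawei code and does not talk to an S9300. It builds and parses the five RFC 1350 packet types and replays a download in process with a constructed file table. Two practitioner points it makes concrete: the RFC assigns opcode 1 to the Read Request (sent by a client that downloads) and opcode 2 to the Write Request (sent by a client that uploads), and nothing in a request carries a user name or password, which is why the guide treats TFTP as suitable only where access control is not needed. Function names, the file table and the sample file are all assumptions of the example.

```python
import struct

# Opcodes and block size from RFC 1350. The RFC assigns opcode 1 to the Read
# Request (sent by a client that downloads) and opcode 2 to the Write Request
# (sent by a client that uploads). There is no authentication field anywhere.
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # a DATA block shorter than 512 bytes ends the transfer


def build_request(opcode, filename, mode="octet"):
    """Build an RRQ/WRQ: opcode | filename | NUL | mode | NUL ('octet' = binary mode)."""
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    """Build a DATA packet: opcode 3 | 16-bit block number | up to 512 bytes."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("DATA payload exceeds 512 bytes")
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    """Build an ACK packet: opcode 4 | 16-bit block number."""
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    """Build an ERROR packet: opcode 5 | error code | message | NUL."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_packet(raw):
    """Parse one TFTP packet into a dict, rejecting malformed input instead of guessing."""
    if len(raw) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", raw[:2])[0]
    if opcode in (OP_RRQ, OP_WRQ):
        fields = raw[2:].split(b"\0")
        # a well-formed request is 'filename NUL mode NUL', so the split yields
        # at least [filename, mode, b''] with an empty trailing field
        if len(fields) < 3 or fields[-1] != b"":
            raise ValueError("malformed request: filename/mode not NUL-terminated")
        return {"op": opcode, "filename": fields[0].decode(), "mode": fields[1].decode().lower()}
    block_or_code = struct.unpack("!H", raw[2:4])[0]
    if opcode == OP_DATA:
        return {"op": opcode, "block": block_or_code, "data": raw[4:]}
    if opcode == OP_ACK:
        return {"op": opcode, "block": block_or_code}
    if opcode == OP_ERROR:
        return {"op": opcode, "code": block_or_code,
                "message": raw[4:].rstrip(b"\0").decode(errors="replace")}
    raise ValueError("unknown opcode %d" % opcode)


def simulate_download(files, filename):
    """Replay the RRQ / DATA / ACK exchange of a download entirely in process.

    `files` is the server's file table (constructed for the example). Returns
    (bytes received by the client, list of (sender, packet) pairs as sent on the wire);
    the received bytes are None when the server answers with an ERROR packet."""
    trace = []
    request = build_request(OP_RRQ, filename)
    trace.append(("client", request))
    parsed = parse_packet(request)
    if parsed["filename"] not in files:
        trace.append(("server", build_error(1, "File not found")))  # RFC code 1
        return None, trace
    content = files[parsed["filename"]]
    received = b""
    block = 1
    while True:
        chunk = content[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        data = build_data(block, chunk)
        trace.append(("server", data))
        incoming = parse_packet(data)
        if incoming["block"] != block:  # a client must not accept out-of-order blocks
            raise ValueError("unexpected block number")
        received += incoming["data"]
        trace.append(("client", build_ack(block)))
        if len(chunk) < BLOCK_SIZE:  # short (possibly empty) final block ends the transfer
            break
        block += 1
    return received, trace


if __name__ == "__main__":
    sample = {"config.cfg": b"sysname S9300\n" * 60}  # constructed 840-byte file
    data, wire = simulate_download(sample, "config.cfg")
    for sender, pkt in wire:
        print(sender, parse_packet(pkt)["op"], len(pkt))
```

A file whose size is an exact multiple of 512 bytes still needs one more, empty DATA block to signal the end; the replay shows that case when you pass a 1024-byte file, and a missing file produces a single ERROR packet with no further traffic.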
Table 2-2 Types of user interfaces (Purpose, Description)
CON
VTY
Relative numbering
In relative numbering, the user interfaces of the same type are numbered separately. A relative
number uniquely specifies a user interface of a specified type.
The format of the relative numbering is: user interface type + number. It must comply with
the following rules:
Default numbers of the VTY user interfaces: vty0, vty1, vty2, vty3, and vty4
Absolute numbering
The S9300 uniquely specifies the default absolute numbers 0 and 34 to 38 for the CON and VTY
user interfaces. You can enter a specific user interface view by entering any of these
numbers.
Figure 2-4 Numbering of user interfaces on the S9300
Relative numbering: Absolute numbering
console0: 0
vty0: 34
vty1: 35
vty2: 36
vty3: 37
vty4: 38
In the figure, console 0 and 0 indicate the same user interface; vty1 and 35 indicate the
same user interface.
NOTE
On the S9300, the absolute number can be 0 or 34 to 48, and the default value can be 0 or 34 to 38.
Table 2-3 Types of login users
User Type (Description, Authentication)
Super users
Telnet users: authentication recommended
SSH users: authentication recommended
FTP users: authentication recommended
Network Management System (NMS) users: authentication recommended
The rights that users logging in to the S9300 through Telnet, SSH, and FTP can obtain
depend on the priorities of the user interfaces through which they log in. The S9300 provides
multiple services for a user. To ensure both login convenience and security, login users must be
classified and then assigned levels.
Priorities of Users
The system manages super users and Telnet users according to user levels.
Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater
the number, the higher the user level.
NOTE
If the user levels are not set, the four default user levels are used, namely, levels 0 to 3.
The level of the command that a user can run is determined by the level of this user.
• In the case of non-authentication or password authentication, the level of the command that
the user can run depends on the level of the user interface.
• In the case of AAA authentication, the level of the command that the user can run depends
on the level of the local user specified in the AAA configuration.
Users of a level can access the commands of this level or lower levels.
For example, if user levels 0 to 3 are used in the system, users of level 2 can access commands of
levels 0, 1, and 2. A level 3 user can access commands at all levels.
Table 2-4 Authentication modes of login users
Non-authentication: Users can log in to the S9300 without entering the user name and password. There is a great potential security risk.
Password authentication: Users can log in to the S9300 by entering the password rather than the user name. Security is ensured.
AAA local authentication: Users need to enter both the user name and password to log in to the S9300. The S9300 then authenticates the users according to the locally configured user information. This further improves the security. It applies to the users logging in to the S9300 through the console interface and Telnet.
AAA server authentication: Users need both the user name and the password to log in to the S9300 and are authenticated by a dedicated AAA server.
Figure 2-5 Logging in to the S9300 through the console interface (labels: PC, console interface, S9300)
NOTE
If the S9300 is switched on for the first time and you need to manage and configure the S9300, you can
log in to the S9300 through the console interface only.
Pre-configuration Tasks
Before logging in to the S9300 through the console interface, complete the following tasks:
Data Preparation
None.
Procedure
Step 1 Enable the HyperTerminal on the PC.
Choose Start > All Programs > Accessories > Communications > HyperTerminal to start
the HyperTerminal.
Step 2 Set up a new connection.
As shown in Figure 2-6, enter the name of the new connection in the Name text box and choose
an icon. Click OK.
Figure 2-6 Setting up a new connection
In other Windows operating systems, Bits per second may be described as Baud rate; Flow control may
be described as Traffic control.
Value
9600
Data bit
Parity check
None
Stop bit
None
Step 5 After the HyperTerminal is started, select File Attributes to enter the Connect Properties
window as shown in Figure 2-9. Choose the Setting tab, select Auto detect or VT100 from the
Emulation drop-down list box. Click OK to complete the setting.
After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, it
indicates that you have logged in to the S9300. At this time, you can enter the command to
configure and manage the S9300.
----End
Applicable Environment
You need to log in to the S9300 locally through the console interface to configure and manage
the S9300.
Pre-configuration Tasks
Before configuring the console interface as the user interface, complete the following tasks:
Data Preparation
To configure the console interface as the user interface, you need the following data.
NOTE
The preceding data on the S9300 has default values and need not be configured.
Procedure
Step 1 Run:
system-view
----End
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode aaa
Run:
quit
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
1.
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode password
Run:
set authentication password { cipher | simple } password
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode none
After this configuration is performed, you can log in to the S9300 without being authenticated.
This lowers the security of the system; therefore, the non-authentication mode is not
recommended.
----End
Procedure
Step 1 Run:
system-view
The level of the user that logs in through the console interface is set.
Step 4 Run:
quit
Procedure
Run the display users [ all ] command to check the status of the user interface.
----End
Pre-configuration Tasks
Before configuring the Telnet terminal service, complete the following tasks:
Data Preparation
To configure the Telnet terminal service, you need the following data.
Data
(Optional) Maximum number of VTY user interfaces and limit of calling in and calling out
NOTE
The preceding data on the S9300 has default values and need not be configured.
Context
Do as follows on the S9300.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
By default, the user interface supports the Telnet service; therefore, you do not need to perform steps 3 and 4.
----End
By default, the users logging in to the S9300 through Telnet are authenticated through passwords.
Procedure
Run:
system-view
Run:
user-interface { ui-number | vty first-number [ last-number ] }
Run:
authentication-mode none
In password authentication mode, you must set a password to log in to the S9300.
Run:
system-view
Run:
user-interface { ui-number | vty first-number [ last-number ] }
Run:
authentication-mode password
Run:
set authentication password { cipher | simple } password
Run:
system-view
Run:
user-interface { ui-number | vty first-number [ last-number ] }
Run:
authentication-mode aaa
Run:
quit
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
The local user name and password are set.
7.
(Optional) Run:
local-user user-name service-type { ftp | ppp | ssh | telnet | terminal } *
8.
Run:
local-user user-name level level
The login level of the user is set.
9.
Run:
authentication-scheme authentication-scheme-name
After setting the user name or password, service type, and login level, you can perform Step
9 and Step 10 to configure the local authentication.
When you log in to the S9300, the commands you can use are determined by the user level
and the user interface level. If both levels are configured, you access the system according
to the user level.
For example:
If Tom's user level is 3 but the default level of the VTY0 interface is 1, Tom can use
the commands at or below level 3. If no user level is set for Tom, he can only use the
commands at or below level 1.
----End
Procedure
Step 1 Run:
system-view
CAUTION
l If simple is specified, the password is saved to the configuration file in plain text. Users at a lower level can then obtain the switching password by viewing the configuration file. In such a case, network security cannot be guaranteed. Therefore, it is recommended that the parameter cipher be specified to save the password in cipher text.
l If cipher is specified to set the password, the password cannot be obtained from the system. Keep the password properly to avoid forgetting or losing it.
----End
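The three authentication modes above and the cipher/simple caution translate directly into configuration checks. The following Python script is an added example, not code from the Huawei guide: it audits a constructed S9300-style configuration fragment (the cipher-text values are placeholders) for authentication-mode none, passwords stored with simple, and local users allowed the cleartext telnet or ftp services.

```python
"""Audit an S9300-style configuration for the weak login settings this
chapter warns about.

Added example, not code from the Huawei guide. It flags 'authentication-mode
none' on a user interface, passwords stored with 'simple' (plain text in the
configuration file) instead of 'cipher', and local users allowed the cleartext
services telnet or ftp. The configuration text below is constructed; the
cipher-text values are placeholders.
"""
import re

# Constructed sample configuration with deliberate weak spots.
SAMPLE_CONFIG = """\
#
 sysname S9300-B
#
user-interface con 0
 authentication-mode password
 set authentication password cipher CIPHERTEXT-PLACEHOLDER
user-interface vty 0 4
 authentication-mode none
user-interface vty 5 9
 authentication-mode password
 set authentication password simple Huawei123
 protocol inbound telnet
user-interface vty 10 14
 authentication-mode aaa
 protocol inbound ssh
#
aaa
 local-user tom password simple abc123
 local-user tom service-type telnet
 local-user tom level 3
 local-user alice password cipher CIPHERTEXT-PLACEHOLDER
 local-user alice service-type ssh
 local-user alice level 3
#
return
"""

CLEARTEXT_SERVICES = {"telnet", "ftp"}


def audit_config(config_text):
    """Return (scope, finding) tuples for every weak setting found.

    scope is the view a line belongs to, e.g. 'user-interface vty 0 4' or
    'aaa'. In 'display current-configuration' output, the view command itself
    is not indented and the lines inside the view are indented by one space.
    """
    findings = []
    scope = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#" or line == "return":
            continue
        if not raw.startswith(" "):
            scope = line          # a new top-level view starts here
            continue
        if scope is None:
            continue
        if scope.startswith("user-interface"):
            if line == "authentication-mode none":
                findings.append((scope, "no login authentication"))
            elif line.startswith("set authentication password simple "):
                findings.append((scope, "login password stored in plain text"))
        elif scope == "aaa":
            m = re.match(r"local-user (\S+) password simple ", line)
            if m:
                findings.append((scope, f"local-user {m.group(1)}: password stored in plain text"))
            m = re.match(r"local-user (\S+) service-type (.+)$", line)
            if m:
                for svc in sorted(set(m.group(2).split()) & CLEARTEXT_SERVICES):
                    findings.append((scope, f"local-user {m.group(1)}: cleartext service {svc}"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_config(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```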
Procedure
l Run the display users [ all ] command to check the status of the user interface.
l Run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.
l Run the display tcp status command to check the status of all the established TCP connections.
----End
Figure: three ways to connect the PC to the S9300 for local Telnet login. (1) The PC Ethernet port connects directly to the S9300 Ethernet port with a straight-through cable. (2) The PC connects to a hub with a straight-through cable, and the hub connects to the S9300 Ethernet port with a crossover cable. (3) The PC connects to an L2 switch, and the switch connects to the S9300 Ethernet port with a crossover cable or fiber.
The Ethernet interface of the PC or the configuration terminal is directly connected to the
Ethernet interface or the Eth interface of the S9300.
The Ethernet interface of the PC or the configuration terminal is connected to the Ethernet
interface or the Eth interface of the S9300 through the HUB.
The Ethernet interface of the PC or the configuration terminal is connected to the Ethernet
interface or the Eth interface of the S9300 through the switch.
Pre-configuration Tasks
Before logging in to the S9300 locally through Telnet, complete the following tasks:
Data Preparation
None.
2.
Press Enter, and then you log in to the Telnet client. The following is displayed in
the Command Prompt window.
Welcome to Microsoft Telnet Client
Escape character is '[CTRL+]'
Microsoft Telnet>
3.
Steps 2 and 3 can be combined as one step. That is, run the telnet [ -a source-ip-address ] host-name [ port-number ] command to connect directly to the Telnet server after C:\> is displayed.
host-name can be the host name or IP address of the host.
NOTE
The Telnet command can be entered after C:\> or any other prompts.
Log in to the S9300 through Telnet on the device that functions as the client.
Run the telnet [ -a source-ip-address ] host-name [ port-number ] command to establish a
connection with the Telnet server.
----End
Context
Do as follows on the S9300.
Procedure
Step 1 Run:
system-view
----End
Procedure
l
Run the display users command to check the connection of the current user interface.
Run the display users all command to check the connection of each user interface.
Run the display tcp status command to check the status of all the established TCP
connections.
----End
Example
Run the display tcp status command, and you can view the status of the TCP connection. If the
status of the TCP connection is displayed as Established, it means that a TCP connection is
established.
<S9300> display tcp status
TCPCB    Tid/Soid  Local Add:port      Foreign Add:port    State
39952df8 36 /1509  0.0.0.0:0           0.0.0.0:0           Closed
32af9074 59 /1     0.0.0.0:21          0.0.0.0:0           Listening
34042c80 73 /17    10.164.39.99:23     10.164.6.13:1147    Established
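The verification step above reads the display tcp status table by eye. The following Python parser is an added example, not code from the Huawei guide: it works on a constructed sample modelled on the output shown (with a VPNID column and an extra SSH row added) and reports established management sessions and listeners for the cleartext Telnet and FTP services.

```python
"""Parse 'display tcp status' output and pick out management sessions.

Added example, not code from the Huawei guide. The sample output is
constructed, modelled on the guide's example (TCPCB, Tid/Soid, local and
foreign address:port, VPNID, State); real column widths may differ, so the
parser splits on whitespace instead of fixed offsets.
"""

# Constructed sample output, modelled on the guide's display tcp status example.
SAMPLE_OUTPUT = """\
TCPCB    Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
39952df8 36 /1509  0.0.0.0:0           0.0.0.0:0           0      Closed
32af9074 59 /1     0.0.0.0:21          0.0.0.0:0           0      Listening
34042c80 73 /17    10.164.39.99:23     10.164.6.13:1147    0      Established
34042d10 74 /18    10.164.39.99:22     10.164.6.20:50112   0      Established
"""

# Well-known management ports; Telnet and FTP carry credentials in the clear.
MANAGEMENT_PORTS = {21: "ftp (cleartext)", 22: "ssh", 23: "telnet (cleartext)"}


def parse_tcp_status(output):
    """Return one dict per connection row; the header line is skipped."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue
        # 'Tid/Soid' prints as two tokens, e.g. '36 /1509'.
        tcpcb, tid, soid, local, foreign, vpnid, state = parts[:7]
        local_ip, local_port = local.rsplit(":", 1)
        foreign_ip, foreign_port = foreign.rsplit(":", 1)
        rows.append({
            "tcpcb": tcpcb,
            "tid": int(tid),
            "soid": int(soid.lstrip("/")),
            "local_ip": local_ip,
            "local_port": int(local_port),
            "foreign_ip": foreign_ip,
            "foreign_port": int(foreign_port),
            "vpnid": int(vpnid),
            "state": state,
        })
    return rows


def established_sessions(rows):
    """Rows whose TCP connection is fully established (the guide's success check)."""
    return [r for r in rows if r["state"] == "Established"]


def management_sessions(rows):
    """(peer, service) for each established session on a management port."""
    return [
        (f"{r['foreign_ip']}:{r['foreign_port']}", MANAGEMENT_PORTS[r["local_port"]])
        for r in established_sessions(rows)
        if r["local_port"] in MANAGEMENT_PORTS
    ]


def cleartext_listeners(rows):
    """Local ports listening for Telnet or FTP, i.e. cleartext management services."""
    return sorted(
        r["local_port"] for r in rows
        if r["state"] == "Listening" and r["local_port"] in (21, 23)
    )


if __name__ == "__main__":
    rows = parse_tcp_status(SAMPLE_OUTPUT)
    print(management_sessions(rows))
    print(cleartext_listeners(rows))
```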
Figure: Telnet session. PC (Telnet client), Ethernet, L2 Switch, Ethernet, S9300 (Telnet server).
You can log in to the S9300 remotely through Telnet to configure and manage it. The route between the PC and the S9300 must be reachable.
Pre-configuration Tasks
Before logging in to the S9300 remotely through Telnet, complete the following tasks:
Data Preparation
None.
Procedure
Step 1 The method of logging in to the S9300 remotely through Telnet is similar to the method of
logging in to the S9300 locally through Telnet. For details, see 2.5.2 Logging In to the S9300
Through Telnet.
----End
Pre-configuration Tasks
Before configuring the SSH user interface, complete the following tasks:
l Configuring the RSA public key of the client on the SSH server
Data Preparation
To configure the SSH user interface, you need the following data.
Procedure
Step 1 Run:
system-view
Run:
aaa
Run:
local-user user-name password { cipher | simple } password
If you do not run the ssh user user-name command to create an SSH user independently, you can create
an SSH user when performing the following configurations:
l 2.7.8 Configuring the Type of the Service for the SSH User
----End
Context
Do as follows on the S9300 that functions as the SSH server.
Procedure
Step 1 Run:
system-view
You can run the protocol inbound ssh command to configure the VTY user interface to support the protocol
only when the AAA authentication mode is configured.
----End
Procedure
Step 1 Run:
system-view
To log in to the S9300 successfully or perform other SSH configurations, you must run the rsa local-keypair create command to generate a local public RSA key pair.
If the system displays the following information, it indicates that the Flash memory is not formatted:
% Fail to save RSA host keys.
When you run the dir (user-view) command in the user view to check the Flash, the system displays the
following information:
Error: The device is not formatted.
You can run the format command to format the Flash memory, and then configure the key.
----End
Procedure
Step 1 Run:
system-view
Run:
ssh user user-name authentication-type password
Run:
ssh authentication-type default password
The default password authentication mode is configured for the SSH user.
In the case of local authentication or HWTACACS authentication, the password
authentication mode is used when there are a small number of users; the default password
authentication mode is used when there are a large number of users.
NOTE
To create a local user in the AAA view, see 2.7.2 Creating an SSH User.
l Configure RSA authentication for the SSH user.
1. Run:
ssh user user-name authentication-type rsa
2. Run:
rsa peer-public-key key-name
3. Run:
public-key-code begin
4. Copy and paste the RSA public key generated on the client.
5. Run:
public-key-code end
6. Run:
peer-public-key end
Exit the public key view and return to the system view.
7. Run:
ssh user user-name assign rsa-key key-name
After entering the public key edit view, you can send the RSA public key that is generated on the
client to the server. Copy and paste the RSA public key to the S9300 that functions as the SSH
server.
Before the SSH server assigns the RSA public key to the SSH user, the SSH client must generate
the RSA public key and copy it to the SSH server.
----End
Procedure
Step 1 Run:
system-view
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all. For authorizing SSH users through command lines in password authentication mode, see the chapter "AAA Configuration" in the Quidway S9300 Terabit Routing Switch Configuration Guide - Security and Reliability. This section describes how to authorize SSH users through command lines in RSA authentication mode.
Procedure
Step 1 Run:
system-view
Authorization through command lines is configured for the specified SSH user.
After configuring authorization through command lines for the SSH user in RSA mode, you
have to configure the authentication in AAA mode. Otherwise, authorization through command
lines for the SSH user does not take effect.
----End
2.7.8 Configuring the Type of the Service for the SSH User
Context
Do as follows on the S9300 that functions as the SSH server.
Procedure
Step 1 Run:
system-view
Context
Do as follows on the S9300 that functions as the SSH server.
Procedure
Step 1 Run:
system-view
The authorized directory of the SFTP service is configured for the SSH user.
NOTE
The S9300 supports the flash memory and the Compact Flash (CF) card. Therefore, the value of
path in Step 2 can only be flash: or cfcard:. cfcard: depends on the device that is configured with the
CF card or not.
If the S9300 provides the CF card, the default path is cfcard:. You can set the path to the subdirectory
name of the CF card.
----End
Run:
system-view
Run:
undo ssh user user-name
Run:
system-view
Run:
undo ssh user
Prerequisite
The configurations of the SSH user interface are complete.
Procedure
l Run the display ssh user-information command to check information about all SSH users on the SSH server.
l Run the display ssh user-information user-name command to check information about a specified SSH user on the SSH server.
----End
Example
Run the display ssh user-information user-name command, and you can view that the
authentication mode of the SSH user named client001 is set to password, with sftp as the type
of the service.
<Quidway> display ssh user-information client001
User Name: client001
Authentication-type: password
User-public-key-name:
Sftp-directory:
Service-type: sftp
Authorization-cmd: No
Figure: SSH connection. PC (SSH client), Ethernet, L2 Switch, Ethernet, S9300 (SSH server).
In actual networking, the route between the PC and the S9300 must be reachable.
Pre-configuration Tasks
Before logging in to the S9300 through SSH, complete the following tasks:
l Setting the private key file and user name used for logging in to the S9300
Data Preparation
None.
Procedure
l Run the client software that supports SSH1.5 on the PC or the configuration terminal to access the login interface. After entering the user name, you can log in to the S9300.
l On the S9300 that functions as the client, log in to the SSH server through 2.13.2 Logging In to the S9300 Through SFTP or 2.14.2 Logging In to the S9300 Through STelnet.
----End
Pre-configuration Tasks
Before configuring the FTP user, complete the following tasks:
Data Preparation
To configure the FTP user, you need the following data.
Procedure
Step 1 Run:
system-view
Procedure
l Run the display ftp-users command to check the information about the FTP login user.
----End
Figure: FTP connection. PC (FTP client), Ethernet, L2 Switch, Ethernet, S9300 (FTP server).
In actual networking, the route between the PC and the S9300 must be reachable.
Pre-configuration Tasks
Before logging in to the S9300 through FTP, complete the following tasks:
Data Preparation
None.
Procedure
2.
Press Enter, and then you log in to the FTP client. The following information is
displayed in the Command Prompt window.
ftp>
3.
NOTE
Steps 2 and 3 can be combined as one step. That is, run the ftp [ -a source-ip-address ] [ host [ port-number ] ] command to connect directly to the FTP server after C:\> is displayed.
Log in to the S9300 through FTP on the device that functions as the client.
Run the ftp [ -a source-ip-address ] [ host [ port-number ] ] command to establish a
connection with the FTP server.
NOTE
For the application of the client, see 6.3 Configuring the S9300 as the FTP Client.
----End
The S9300 can function as only the client to access the TFTP server.
Figure: the S9300 as the TFTP client and the PC as the TFTP server, with the PC also attached over the configuration cable.
In actual networking, the route between the S9300 and the TFTP server must be reachable.
Pre-configuration Tasks
Before logging in to the S9300 through TFTP, complete the following tasks:
l Configuring a reachable route between the S9300 and the TFTP server
Data Preparation
None.
Procedure
Step 1 Run:
tftp [ -a source-ip-address ] tftp-server get source-filename [ destination-filename ]
Procedure
Step 1 Run:
tftp [ -a source-ip-address ] tftp-server put source-filename [ destination-filename ]
Pre-configuration Tasks
Before configuring a limit to access the TFTP server, complete the following tasks:
Data Preparation
To configure a limit on access to the TFTP server, you need the following data.
No.  Data
1    ACL number
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Pre-configuration Tasks
Before logging in to the S9300 through SFTP, complete the following tasks:
Data Preparation
None.
You can log in to the SSH server through SFTP only on the S9300 that is configured as the SFTP client.
Procedure
Step 1 Run:
system-view
The command used to enable the SFTP client functions the same as the command used to enable the STelnet
client. When accessing the SSH server, both the clients can carry the source address and select a key
exchange algorithm, an encryption algorithm, and an HMAC algorithm.
----End
In actual networking, the route between the STelnet client and the S9300 must be reachable.
Pre-configuration Tasks
Before logging in to the S9300 through STelnet, complete the following tasks:
Data Preparation
None.
You can log in to the SSH server through STelnet only on the S9300 that is configured as the STelnet
client.
Procedure
Step 1 Run:
system-view
The STelnet client can carry the source address and select a key exchange algorithm, an encryption
algorithm, and an HMAC algorithm when logging in to the SSH server.
----End
Pre-configuration Tasks
Before configuring the NMS user to log in to the S9300, complete the following task:
Data Preparation
To configure the NMS user to log in to the S9300, you need the following data.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
l Run the display vty mode command to check the VTY mode.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a running fault occurs, run the debugging command in the user view to locate the fault.
Procedure
Step 1 Run the debugging telnet command to enable the debugging of Telnet.
----End
Figure: PC, S9300-A (10.10.10.8/24) and S9300-B (10.10.10.9/24).
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l ID of the VLAN
l IP address and number of the interface on the S9300-A that functions as the Telnet client
l IP address and number of the interface on the S9300-B that functions as the Telnet server
l Authentication mode and the password for a user to log in to S9300-B through Telnet
Procedure
Step 1 Assign IP addresses.
# Assign an IP address to S9300-A, which functions as the Telnet client.
<S9300-A> system-view
[S9300-A] vlan 2
[S9300-A-vlan2] quit
[S9300-A] interface GigabitEthernet 1/0/1
[S9300-A-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[S9300-A-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[S9300-A-GigabitEthernet1/0/1] quit
[S9300-A] interface vlanif 2
[S9300-A-Vlanif2] ip address 10.10.10.8 255.255.255.0
[S9300-A-Vlanif2] quit
[S9300-A]
----End
Configuration Files
Figure: the S9300 as the TFTP client and the PC as the TFTP server, with the PC also attached over the configuration cable.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Run the TFTP software on the TFTP server and set the position where the source file is
located on the S9300.
2.
Data Preparation
To complete the configuration, you need the following data:
l Name of the destination file and position where the destination file is located on the S9300
Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the S9300 and assign the IP address 10.1.1.1/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface GigabitEthernet 3/0/1
[Quidway-GigabitEthernet3/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 24
[Quidway-Vlanif10] quit
[Quidway] quit
Step 3 On the S9300, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Transfer file in binary mode.
Now begin to download file from remote tftp server, please wait for a while...
----End
Configuration Files
None.
Figure: command view hierarchy. User view, System view, and from the system view the system-related views, routing views, VPN views, multicast views, PBB-related views, and BFD-related views.
Command views are applied to different configuration scenarios, and there are differences and
relations between the command views. For example, when you log in to the S9300, the user
view is displayed. In this view, you can view only the running status and statistics. Then, if you
run the system-view command, the system view is displayed, where you can run commands to
enter protocol and interface views.
Table 3-1 shows the types of command views.
Table 3-1 Types of command views
Views: Types
Common views
Ethernet related views
Multiprotocol Label Switching (MPLS) related views
Quality of Service (QoS) related views: Traffic policy views, traffic classifier views, and traffic behavior views
Security related views
Multicast views
Virtual Private Network (VPN) views
Routing related views: Loopback interface views, Open Shortest Path First (OSPF) views, OSPF area views, Intermediate System-to-Intermediate System (IS-IS) views, Border Gateway Protocol (BGP) views, BGP-IPv4 unicast address-family views, BGP-L2VPN address-family views, BGP-VPLS address-family views, and Route-Policy views
Provider Backbone Bridging-Traffic Engineering (PBB-TE) related views
Bidirectional Forwarding Detection (BFD) related views
Ethernet Operation, Administration, and Maintenance (OAM) related views
l User view
Prompt upon entry: <Quidway>
Quit command: <Quidway> quit
Prompt after quit: None.
l System view
Function: Sets the system parameters of the S9300, and enters other function views from this view.
Entry command: <Quidway> system-view
Prompt upon entry: [Quidway]
Quit command: [Quidway] quit
Prompt after quit: <Quidway>
l FE interface view
Prompt upon entry: [Quidway-EthernetX/Y/Z]
Quit command: [Quidway-EthernetX/Y/Z] quit
Prompt after quit: [Quidway]
NOTE
X/Y/Z indicates the number of an FE interface that needs to be configured. It is in the format of slot number/
sub card number/interface sequence number.
l GE interface view
Prompt upon entry: [Quidway-GigabitEthernetX/Y/Z]
Quit command: [Quidway-GigabitEthernetX/Y/Z] quit
Prompt after quit: [Quidway]
NOTE
X/Y/Z indicates the number of a GE interface that needs to be configured. It is in the format of slot number/
sub card number/interface sequence number.
If an LPU provides GE interfaces and 10GE interfaces, the difference lies in the subcard where the 10GE
interfaces reside. Generally, the sequence number of a 10GE interface is 1. If an LPU provides only 10GE
interfaces, the method of entering the 10GE interface view is the same as the method of entering the GE
interface view.
0: visit level. The levels of the commands for network diagnostic tools (ping and tracert)
and the commands for accessing external devices from the local device (Telnet and SSH)
are level 0. The configuration files cannot be saved by running the commands of level 0.
1: monitoring level. The levels of the commands for maintaining the system and the display
commands are level 1. The configuration files cannot be saved by running the commands
of level 1.
3: management level. The levels of the commands for system operation and service support
are level 3. The commands of level 3 include:
FTP commands
TFTP commands
To enable refined control of the authority, you can extend the levels of commands to 16 levels
ranging from 0 to 15. For details, see 4.4 Switching Levels of Users and Commands.
NOTE
The default levels of some commands may be higher than the levels defined by command rules according
to the importance of the commands.
The levels of login users are divided into 16 levels to correspond to the levels of commands.
After logging in to the S9300, a user can run only the commands whose levels are equal to or
lower than the level of the user. For user levels, see 2.1 Overview of User Login.
Command levels (Name: Accessible Command)
Visit level
Monitoring level
Configuration level
Management level: Commands such as cd, clock, copy, delete, dir, format, free, ftp, lock, mkdir, more, move, patch, pwd, reboot, rename, rmdir, schedule, startup, undelete, and tftp
User levels (Name: Accessible Command)
Visit level
Monitoring level
Configuration level
Management level: All commands
After logging in to the S9300, users obtain the authority that is determined by their own levels.
Users can use only the commands at a level that is equal to or lower than their own levels. Figure
3-2 shows the user authority.
Figure 3-2 Authority of users at four levels
Figure residue: authority of login users; the authority of level-3 users contains that of level-2 users, which contains that of level-1 users, over the visit, monitoring, configuration, and management levels.
For example, users at the configuration level can use only the commands at the visit level,
monitoring level, and configuration level. Users at the management level can use commands at
all levels. When users at a lower level switch to a higher level, authentication is required to
prevent unauthorized users from logging in to the S9300.
NOTE
If the command levels are upgraded from 0 to 15, the user levels must also be extended from 0-3 to 0-15.
For details see 4.4 Switching Levels of Users and Commands.
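As an added example (not code from the Huawei guide), the following Python model encodes the authority rules of this section: the effective level is the user level when one is set, otherwise the user-interface level, and command-privilege level rearrange moves level-2 commands to level 10 and level-3 commands to level 15, so user levels must be extended as well. The command table holds the levels the guide quotes; system-view at level 2 is an assumption.

```python
"""Model of the S9300 command authority rules described in this section.

Added example, not code from the Huawei guide. A user may run only commands
whose level is at or below the effective level (the user level when set,
otherwise the level of the user interface). After 'command-privilege level
rearrange', level-2 commands move to level 10 and level-3 commands to level
15, so a user left at level 3 loses access to them until user levels are
extended to 0-15 as well.
"""

LEVEL_NAMES = {0: "visit", 1: "monitoring", 2: "configuration", 3: "management"}

# Command levels quoted in the guide (levels 0, 1 and 3). 'system-view' at
# level 2 is an assumption, since the guide's level-2 text is not in this section.
COMMAND_LEVELS = {
    "ping": 0, "tracert": 0, "telnet": 0, "ssh": 0,
    "display": 1,
    "system-view": 2,
    "ftp": 3, "tftp": 3, "format": 3, "reboot": 3, "startup": 3,
}


def effective_level(user_level, ui_level):
    """The user level takes precedence when set; otherwise the user-interface level applies."""
    return ui_level if user_level is None else user_level


def rearranged_level(level):
    """Command level after 'command-privilege level rearrange' (0->0, 1->1, 2->10, 3->15)."""
    return {0: 0, 1: 1, 2: 10, 3: 15}[level]


def can_run(command, user_level, ui_level, rearranged=False):
    """True if the command's level is at or below the effective user level.

    Only the first keyword decides the level, so 'display current-configuration'
    is checked as 'display'.
    """
    cmd_level = COMMAND_LEVELS[command.split()[0]]
    if rearranged:
        cmd_level = rearranged_level(cmd_level)
    return cmd_level <= effective_level(user_level, ui_level)


def accessible_commands(user_level, ui_level, rearranged=False):
    """Sorted list of the table's commands this user may run."""
    return sorted(c for c in COMMAND_LEVELS if can_run(c, user_level, ui_level, rearranged))


if __name__ == "__main__":
    # Tom from the text: user level 3, VTY0 at its default level 1.
    print(accessible_commands(3, 1))
    # No user level set: Tom falls back to the VTY level.
    print(accessible_commands(None, 1))
    # Commands rearranged but the user level left at 3: ftp, tftp, ... drop out.
    print(accessible_commands(3, 1, rearranged=True))
```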
Procedure
l Enter "?" to list all commands and their brief description in this command view. This command is valid in any command view. For example:
<Quidway> ?
Enter a command and ? separated by a space. If a key word is in the position of the ?, all
key words and description are listed. For example:
<Quidway> language-mode ?
chinese    Chinese environment
english    English environment
<Quidway> language-mode chinese ?
<cr>
chinese and english are key words. Chinese environment and English environment describe
the two key words separately.
<cr> indicates that no key word or parameter is in this position. You can press Enter to
repeat the command in the next command line.
l Enter a command and ? separated by a space. If a parameter is in the position of the ?, all parameters and descriptions are listed. For example:
<Quidway> system-view
[Quidway] sysname ?
TEXT Host name(1 to 30 characters)
Procedure
l Enter a character string followed by "?" with no space between them, and the system lists all commands beginning with the character string. For example:
<Quidway> d?
debugging
delete
dir
display
Enter a command and a string closely followed by a ?. All keywords of the command
beginning with this string are listed. For example:
<Quidway> display v?
version
vlan
Enter the preceding letters of a keyword of a command and press Tab. The complete
keyword is displayed. The preceding letters, however, must identify the keyword.
Otherwise, after Tab is continuously pressed, different keywords are displayed, from which
you can select one as required.
If you run the language-mode chinese command in the user view, all the preceding help
messages are displayed in Chinese.
If the commands entered pass the grammar check, it indicates that they are correctly run.
Otherwise, error messages are reported to the user.
Table 3-3 shows the matching relations of error messages and error causes.
Table 3-3 Matching relations of error messages and error causes
Error Message in English
Cause
Unrecognized command
Incomplete command
Ambiguous command
Wrong parameter
----End
Common keys (Key: Function)
Backspace: Press the key to delete the character before the cursor and move the cursor forward.
Left arrow key or Ctrl+B: Press the key to move the cursor one character to the left.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Right arrow key or Ctrl+F: Press the key to move the cursor one character to the right.
Tab
When the information displayed exceeds a full screen, the pause function can be applied.
You have three choices.
Key or Command
Function
Ctrl+C
Spacebar
Enter
NOTE
To stop the display, you can press any key excluding F1, PageUp, PageDown, and End. For example,
you can use a letter, a number, or a tab character.
Command or Key: Result
Displaying history commands: display history-command
NOTE
On the HyperTerminal of Windows 9X, the up arrow key is invalid, because the key is defined differently. In this case, you can use the shortcut key Ctrl+P instead of the up arrow key.
The history commands saved on the S9300 must be the same as the commands entered by
the user. For example, if a user enters an incomplete command, the saved command must
also be incomplete.
If the user runs the same command several times, the last command is saved on the
S9300. If the command is entered in different formats, they are considered as different
commands.
For example, if the display ip routing-table command is run several times, only the last
one is saved in the history commands.
If the display ip routing-table command is run in the formats of display ip routing and
display ip routing-table, two commands are saved on the S9300.
3.8 Hotkeys
This section describes how to use hotkeys.
3.8.1 Classification of Hotkeys
3.8.2 Defining Hotkeys
3.8.3 Using Hotkeys
Hotkeys that the user can define, including CTRL_G, CTRL_L, CTRL_O and CTRL_T
You can assign commands to the hotkeys as required. When the hotkeys are entered, the
commands corresponding to them are run. For the methods of defining the hotkeys, see
3.8.2 Defining Hotkeys.
System hotkeys
The hotkeys are not defined by users, and their functions are fixed. Table 3-5 describes
system hotkeys and their functions.
NOTE
Different terminal software defines hotkeys differently; therefore, the shortcut keys on the terminal may
be different from the hotkeys listed in this section.
System hotkeys (Table 3-5): CTRL_A, CTRL_B, CTRL_C, CTRL_D, CTRL_E, CTRL_F, CTRL_H, CTRL_K, CTRL_N, CTRL_P, CTRL_R, CTRL_U, CTRL_V, CTRL_W, CTRL_X, CTRL_Y, CTRL_Z, CTRL_], ESC_B, ESC_D, ESC_F, ESC_N, ESC_P, ESC_<, and ESC_>.
When assigning a command to the hotkeys, you need to mark the command with double quotation marks
if the command consists of several words, that is, the command includes spaces. You need not mark the
command with double quotation marks if the command consists of only one word, that is, the command
includes no space.
Command: assigning a command to the hotkeys
The default values of the CTRL_G, CTRL_L, and CTRL_O hotkeys are described as follows:
The system does not set default values for the other hotkeys.
You can use hotkeys where a command can be run. When hotkeys are executed in the
system, the command assigned to the hotkeys is displayed the same as the complete
command is entered.
If you enter the hotkeys after typing part of a command and before pressing Enter, the system deletes all the characters you have typed and displays the command assigned to the hotkeys. This is equivalent to deleting all the input characters and entering the complete command.
Using hotkeys is the same as running the command assigned to the hotkeys. After hotkeys
are used, the corresponding commands are recorded in the command buffer and log for
fault location and query.
NOTE
The terminal that you use may affect the functions of hotkeys. For example, the function of a hotkey defined by the terminal may differ from the function of the same hotkey on the S9300. In this case, after a user enters the hotkeys, the command assigned to them is not run.
Command: display hotkey
Step 2 Type Ctrl+T following [Quidway] to display the display ip routing-table command.
[Quidway] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost  Flags  NextHop          Interface
1.1.1.1/32          Direct  0    0     D      127.0.0.1        InLoopBack0
10.1.1.1/32         Direct  0    0     D      127.0.0.1        InLoopBack0
44.0.0.0/24         Direct  0    0     D      44.0.0.1         Vlanif44
44.0.0.1/32         Direct  0    0     D      127.0.0.1        InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1        InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1        InLoopBack0
192.168.0.0/16      Direct  0    0     D      192.168.32.9     Ethernet0/0/0
192.168.32.9/32     Direct  0    0     D      127.0.0.1        InLoopBack0
----End
Step 2 After the command is copied, run the display clipboard command to view the contents of the
clipboard.
<Quidway> display clipboard
---------------- CLIPBOARD----------------
display ip routing-table
Step 3 Press CTRL_SHIFT_V to view the contents of the clipboard in any view.
<Quidway> display ip routing-table
----End
2.
Press Tab.
The system replaces the incomplete keyword with a complete keyword and displays
the complete keyword in another line. There is only one space between the cursor and
the end of the keyword.
[Quidway] info-center
1.
2.
Press Tab.
The system displays the prefix of all the matched keywords. The prefix in this example
is log.
[Quidway] info-center log
3. Continue to press Tab to display all the keywords. There is no space between the cursor and the end of the keywords.
[Quidway] info-center loghost
4. Stop pressing Tab when you find the required keyword logfile.
----End
4.2.6 Sending Information from One User Interface to Another User Interface
Context
After logging in to the S9300, you enter the user view.
Do as follows on the S9300.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
quit
Procedure
Step 1 Run:
language-mode { chinese | english }
Postrequisite
The help of the S9300 can be displayed in English or Chinese. By default, the language mode
of the S9300 is English.
Context
You can view information about the status of the system by using the display commands. The
display commands can be classified into the following types according to their functions:
For details about the display commands of different protocols and interfaces, see related
chapters. This section describes only the display commands related to the status of the system.
Procedure
l View the commands for displaying the configurations about the system.
Do as follows on the S9300.
1. Run:
display clock
2. Run:
display current-configuration
3. Run:
display saved-configuration
4. Run:
display this
View the commands for displaying the running status of the system.
Do as follows on the S9300.
1. Run:
display users [ all ]
2. Run:
display version [ slot-id ]
3. Run:
display debugging [ interface interface-type interface-number ] [ module-name ]
View the commands for displaying the statistics about the system.
Do as follows on the S9300.
1.
Run:
display diagnostic-information [ file-name ]
display clock
display version
display interface
display current-configuration
display saved-configuration
----End
Procedure
Step 1 Run:
lock
Postrequisite
Before locking the user interface, you need to enter a password and confirm it. Before unlocking
the user interface, you must enter a correct password.
Context
To send information to another user interface, do as follows on the S9300.
Procedure
Step 1 Run:
send { all | number | ui-type ui-number }
Procedure
Step 1 Run:
free user-interface { number | ui-type ui-number }
The system authenticates the login user that starts to configure the S9300.
To provide login users with explicit prompts, you can perform this configuration.
Do as follows on the S9300.
Procedure
Step 1 Run:
system-view
The header text that is displayed when a user logs in to the S9300 is set.
Step 3 Run:
header shell { information text | file file-name }
The header text that is displayed after the user succeeds in logging in to the S9300 is set.
----End
Procedure
Step 1 Run:
system-view
host-name
Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
Procedure
Step 1 Run:
system-view
Postrequisite
NOTE
By performing Step 2, you can extend the levels of the commands whose current levels are level 2
to level 10 and extend the levels of the commands whose current levels are level 3 to level 15. No
command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust the command
lines to these levels separately to refine the management of privilege.
By default, the system sets views and levels for all commands; therefore, you need not re-set a view
or level for a command.
When running the command-privilege level rearrange command, the system prompts you to set
the super password for a level 15 user if the password for switching to level 15 is not set. The system
also asks you whether to continue the operation of extending the levels of commands. If you select
N, then you set a password. If you select Y, the system extends the levels of commands in batches.
The users who do not use console ports cannot extend their levels; thus, they cannot use the commands
of higher levels.
Procedure
Step 1 Run:
system-view
The levels of the commands that the current user can access are extended.
----End
NOTE
If simple is specified, the password is saved in the configuration file in plain text. A user at a lower level
then can easily obtain the password for switching to a higher level by viewing the configuration file. In
such a case, the network security cannot be guaranteed. Therefore, it is recommended that the parameter
cipher be specified to save the password in cipher text.
If cipher is specified to set the password, the password cannot be obtained from the system. Keep the
password safe to avoid forgetting or losing it.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
super [ level ]
When a user logging in to the S9300 switches from a lower level to a higher level by using the super
command, the system sends out a trap message automatically and records the switching of the user level
in a log. If the user switches to a lower level, the system only records the switching in a log.
----End
Introduction to SSH
SSH works at the application layer in the TCP/IP protocol suite. SSH provides remote login and
a virtual terminal over networks whose security is not guaranteed. Running over TCP connections,
SSH encrypts and authenticates the transmitted information, preventing attacks such as the
following (see Figure 5-1):
- IP spoofing
Figure 5-1 Establishing a local SSH connection between the PC and the S9300 (PC as client, a
Layer 2 switch in the path, S9300 as server; the figure labels the client, server and session as
Telnet)
SSH adopts the client/server model and sets up multiple secure transmission channels. The
S9300, as the SSH server, can be connected to multiple PCs that function as SSH clients. A
Layer 2 switch may exist between the PC and the SSH server. In the actual networking, a route
is required to be reachable between the PC and the S9300.
Currently, there are three SSH versions including v1.0, v1.5, and v2.0. SSHv1.5 and SSHv1.0
are compatible but SSHv2.0 and SSHv1.5 are incompatible.
Advantages of SSH
Different from Telnet and FTP terminal services, SSH provides secure remote access over a
network on which security is not guaranteed. The advantages of SSH are described as follows:
- SSH adopts RSA. After the public key and the private key are generated according to the
encryption principle of the asymmetric encryption system, the following information is
transmitted with security between the SSH client and the SSH server:
  Key
  Interactive data
- By using SFTP, you can securely log in to the S9300 to manage files from the remote
device. In this manner, the security of data transmission is improved when files need to
be transferred during the upgrade of the remote system.
- The S9300 can also function as the SFTP client and log in to the remote device to
transfer files with security.
For details, see the chapter "Setting Up an SSH Connection" in the Quidway S9300 Terabit
Routing Switch Feature Description - Basic Configuration.
Applicable Environment
You must enable STelnet or SFTP on the SSH server before performing other configurations.
On the SSH server, you can set a listening port number. Moving the SSH server off the default
port 22 keeps untargeted scanners that hammer port 22 from consuming bandwidth and system
resources on the server. It is not an access control: a port scan finds the new port, so the
change only reduces noise and must be combined with strong authentication and, where
possible, source-address restrictions on the VTY user interfaces.
Pre-configuration Tasks
Before configuring the SSH server, complete the following tasks:
- Configuring a reachable route between the SSH client and the server
- Configuring the Virtual Type Terminal (VTY) user interface to support the SSH protocol
on the SSH server
Data Preparation
To configure the SSH server, you need the following data.
Procedure
Step 1 Run:
system-view
Context
Do as follows on the S9300 that functions as the SSH server.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key
exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP. SSH1.X has known
protocol-level weaknesses and is obsolete; where the configuration allows it, accept SSH2.0 clients only.
----End
Procedure
Step 1 Run:
system-view
If a new listening port number is set, the SSH server tears down all established STelnet and SFTP
connections, and then uses the new port number. By default, the listening port number on the SSH server
is 22.
----End
Procedure
Step 1 Run:
system-view
The S9300 is enabled to send trap messages to only the Simple Network Management Protocol (SNMP)
module. To view trap messages on the SNMP module, you need to perform related configurations on the
SNMP module. For details, see the chapters "Configuring the Trap Function" and "Configuring the
S9300 to Send Trap Messages in Inform Mode" in the Quidway S9300 Terabit Routing Switch
Configuration Guide - Network Management.
----End
5.2.7 (Optional) Setting the Interval for Updating the Key Pair
Context
Do as follows on the S9300 that functions as the SSH server.
Procedure
Step 1 Run:
system-view
The interval for updating the key pair on the server is set.
----End
Procedure
- Run the display ssh server status command to check the global configuration of the SSH
server.
----End
Example
Run the display ssh server status command, and you can view that the protocol version enabled
on the SSH server is 1.99 and that the number of authentication retries is 5.
<Quidway> display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries : 5 times
SFTP server: Enable
STelnet server: Enable
SSH server port: 55535
NOTE
If the default listening port is in use, information about the current listening port is not displayed.
For details about the configuration on the server, see 2.7 Configuring the SSH
Interface.
For the configuration on the client, you can perform configuration tasks of 5.3.2 Enabling
the Initial Authentication on the STelnet Client and 5.3.3 Assigning the RSA Public
Key to the SSH Server by the STelnet Client.
NOTE
The preceding configurations are exclusive; therefore, you only need to perform either of them.
Pre-configuration Tasks
Before connecting the STelnet client and the SSH server, complete the following tasks:
Data Preparation
To connect the STelnet client and the SSH server, you need the following data.
- Preferred encryption algorithm from the STelnet client to the SSH server
- Preferred encryption algorithm from the SSH server to the STelnet client
- Preferred HMAC algorithm from the STelnet client to the SSH server
- Preferred HMAC algorithm from the SSH server to the STelnet client
- Source address
Context
Do as follows on the S9300 that functions as the STelnet client.
Procedure
Step 1 Run:
system-view
After the initial authentication is enabled, the validity of the RSA public key of the SSH server is
not checked when an STelnet user logs in to the SSH server for the first time, because the RSA public
key of the SSH server is not yet kept on the STelnet client. That first connection is therefore a
blind trust decision: whatever key arrives at that moment is accepted and saved, so an attacker who can
intercept the first session can impersonate the server. Assigning the server's public key to the client
beforehand (5.3.3) avoids this.
If the initial authentication is not enabled, an STelnet user fails to log in to the SSH server, because
the check of the validity of the RSA public key fails.
NOTE
In addition to enabling the initial authentication on the STelnet client, you can perform the task of 5.3.3
Assigning the RSA Public Key to the SSH Server by the STelnet Client to implement this function.
----End
5.3.3 Assigning the RSA Public Key to the SSH Server by the
STelnet Client
Context
NOTE
Before the STelnet client assigns the RSA public key to the SSH server, the server must generate the key
and send it to the client. In this manner, checking the validity of the RSA public key on the SSH server can
succeed.
Procedure
Step 1 Run:
system-view
Procedure
- Run the display ssh server-info command to check the mapping between the SSH server
and the RSA public key on the SSH client.
- Run the display ssh server session command to check the session of the SSH client on the
SSH server.
----End
Example
Run the display ssh server session command, and you can view information including the
following:
- The type of the service is set to stelnet, with the authentication mode as password.
Applicable Environment
By using SFTP, you can remotely log in to the S9300 to manage files with security. In this
manner, the security of data transmission is improved when files need to be transferred during
the upgrade of the remote system. The S9300 can also function as the SFTP client, so you can log
in to a remote device from the S9300 and transfer files with security.
The negotiation process includes configurations on the server and on the client.
- For details about the configuration on the server, see 2.7 Configuring the SSH
Interface.
- For the configuration on the client, you can perform configuration tasks of 5.4.2 Enabling
the Initial Authentication on the SFTP Client and 5.4.3 Assigning the RSA Public Key
to the SSH Server by the SFTP Client.
NOTE
The preceding configurations are exclusive; therefore, you only need to perform either of them.
Pre-configuration Tasks
Before connecting the SFTP client and the SSH server, complete the following tasks:
Data Preparation
To connect the SFTP client and the SSH server, you need the following data.
- Preferred encryption algorithm from the SFTP client to the SSH server
- Preferred encryption algorithm from the SSH server to the SFTP client
- Preferred HMAC algorithm from the SFTP client to the SSH server
- Preferred HMAC algorithm from the SSH server to the SFTP client
- Source address
Procedure
Step 1 Run:
system-view
After the initial authentication is enabled, the validity of the RSA public key of the SSH server is
not checked when an SFTP user logs in to the SSH server for the first time, because the RSA public
key of the SSH server is not yet kept on the SFTP client. As with STelnet, this makes the first
connection a blind trust decision; assigning the server's public key beforehand (5.4.3) avoids it.
If the initial authentication is not enabled, an SFTP user fails to log in to the SSH server, because
the check of the validity of the RSA public key fails.
NOTE
In addition to enabling the initial authentication on the SFTP client, you can perform the task of 5.4.3
Assigning the RSA Public Key to the SSH Server by the SFTP Client to implement this function.
----End
5.4.3 Assigning the RSA Public Key to the SSH Server by the SFTP
Client
Context
NOTE
Before the SFTP client assigns the RSA public key to the SSH server, the server must generate the key and
send it to the client. In this manner, checking the validity of the RSA public key of the SSH server can
succeed.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
After logging in to the SSH server, the SFTP client can create or delete the directory on the server, display
the current working directory, and display the files or information in the specified directory.
----End
Procedure
Step 1 Run:
system-view
After logging in to the SSH server, the SFTP client can change the file name, delete files, view the file list,
and upload and download files.
----End
Procedure
Step 1 Run:
system-view
Procedure
- Run the display ssh server session command to check the session of the SSH client on the
SSH server.
----End
Example
Run the display ssh server session command, and you can view information including the
following:
- The type of the service is set to sftp, with the authentication mode as rsa.
Debugging affects the performance of the system. So, after debugging, run the undo debugging ssh server
all command to disable it immediately.
When a running fault occurs, run the following debugging command in the user view to locate
the fault. For the procedure of displaying the debugging information, see the chapter "Monitoring
and Debugging" in the S9300 Terabit Routing Switch Configuration Guide - Device
Management.
Procedure
Step 1 Run the debugging ssh server { all | vty index } { all | event | message | packet } command to
enable the debugging of SSH functions.
----End
5.6.1 Example for Configuring the SSH Server to Support the Access
from Another Port
Networking Requirements
The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access
the standard port continuously, the bandwidth is consumed and the performance of the server is
degraded. As a result, other valid users cannot access the port.
If the listening port on the SSH server is changed to a non-default one, attackers that are not
aware of the change keep sending socket connection requests to port 22. The SSH server is no
longer listening on that port, so those connection requests are refused. This is not a defence
against a targeted attacker, who finds the new port with a port scan; it only removes the resource
drain caused by traffic aimed at port 22.
Therefore, only valid users can use the specified listening port to set up a socket connection
through the following procedures:
- Authenticating
Figure 5-2 Networking diagram for configuring the SSH server to support the access from
another port (SSH server, Client001 and Client002 each attached through GE1/0/1)

Device       Interface              VLANIF interface   IP address
SSH server   GigabitEthernet 1/0/1  VLANIF 10          10.164.39.222/24
Client001    GigabitEthernet 1/0/1  VLANIF 10          10.164.39.220/24
Client002    GigabitEthernet 1/0/1  VLANIF 10          10.164.39.221/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
3. Create a local key pair on the SFTP client and SSH server separately.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
6. Configure the type of the service and authenticated directory for the SSH user.
8. Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.
Data Preparation
To complete the configuration, you need the following data:
- Server name
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the S9300 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface GigabitEthernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
- Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
- Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.
# Create an SSH user named Client001, and configure the authentication mode as password
for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password
# Create an SSH user named Client002, and configure the authentication mode as RSA for the
user. Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
[Quidway] ssh user client002 assign rsa-key RsaKey001
# Set the type of service of Client002 to SFTP and the authorized directory as cfcard:/.
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory cfcard:/
Step 5 Enable the STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable
Step 6 Configure the new listening port number on the SSH server.
[Quidway] ssh server port 1025
# The STelnet client logs in to the SSH server by using the new listening port.
[client001] stelnet 10.164.39.222 1025
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
info: The max number of VTY users is 20, and the current number
of VTY users on line is 1.
<Quidway>
# The SFTP client logs in to the SSH server by using the new listening port.
[client002] sftp 10.164.39.222 1025
Input Username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
The server's public key does not match the one we cached.
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to update the server's public key we cached?(Y/N):y
sftp-client>
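The key code the switch prints (the client002_Server dump and the RsaKey001 block pasted into the server above) is a bare DER SEQUENCE of two INTEGERs, modulus then public exponent, and the two logins just shown accept and cache whatever server key arrives on first contact. The following Python is an added example, not code from this guide or from Huawei: it decodes that hex into modulus and exponent, reports the modulus size (RsaKey001 is 512 bits and client002_Server 768 bits, both far below current practice), computes the OpenSSH-style SHA-256 fingerprint a client would display, and models the client's first-time and cached-key decision. The 2048-bit threshold, the HostKeyCache class and the idea of passing an expected fingerprint obtained out of band are assumptions of the example. The point of the cache check: the SFTP login above answers "y" to "The server's public key does not match the one we cached", which throws away the only protection the cached key provides; a mismatch should end the session until the new key has been verified out of band.

```python
"""Decode the RSA 'key code' the S9300 prints, judge its strength, and apply
trust-on-first-use to the server key the way the STelnet/SFTP prompts do."""
import base64
import hashlib

# Constructed from the key code shown on this page: RsaKey001 (the client key
# pasted into the server in this example) and client002_Server (768 bits).
RSAKEY001_HEX = """
3047 0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203 010001
"""
CLIENT002_SERVER_HEX = """
3067 0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203 010001
"""
MIN_MODULUS_BITS = 2048  # assumed policy; the switch defaults to 512 and allows up to 2048


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(hex_dump):
    """Decode SEQUENCE { INTEGER n, INTEGER e } into modulus, exponent and bit size.

    VRP omits the 0x00 pad octet strict DER requires when the top bit of n is
    set, so both INTEGERs are read as unsigned.
    """
    raw = bytes.fromhex("".join(hex_dump.split()))
    tag, body, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected one DER SEQUENCE")
    t_n, n_bytes, pos = _read_tlv(body, 0)
    t_e, e_bytes, pos = _read_tlv(body, pos)
    if t_n != 0x02 or t_e != 0x02 or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER, INTEGER }")
    n = int.from_bytes(n_bytes, "big")
    return {"modulus": n, "exponent": int.from_bytes(e_bytes, "big"), "bits": n.bit_length()}


def ssh_fingerprint(key):
    """SHA-256 fingerprint over the RFC 4253 'ssh-rsa' encoding, OpenSSH style."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # keeps a 0x00 pad when needed
        return len(b).to_bytes(4, "big") + b
    blob = b"\x00\x00\x00\x07ssh-rsa" + mpint(key["exponent"]) + mpint(key["modulus"])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


class HostKeyCache:
    """Trust-on-first-use store mirroring the two client prompts on this page."""

    def __init__(self):
        self._keys = {}  # host -> fingerprint ("save the server's public key")

    def check(self, host, fingerprint, expected=None):
        """Return 'new', 'match' or 'mismatch'.

        Without `expected` (a fingerprint obtained out of band) the first contact
        is a blind trust decision. A 'mismatch' must never be answered by
        updating the cache; the session should be refused instead.
        """
        cached = self._keys.get(host)
        if cached is None:
            if expected is not None and expected != fingerprint:
                return "mismatch"
            self._keys[host] = fingerprint
            return "new"
        return "match" if cached == fingerprint else "mismatch"


if __name__ == "__main__":
    for name, dump in (("RsaKey001", RSAKEY001_HEX), ("client002_Server", CLIENT002_SERVER_HEX)):
        key = parse_key_code(dump)
        verdict = "ok" if key["bits"] >= MIN_MODULUS_BITS else "WEAK"
        print(name, key["bits"], "bits", ssh_fingerprint(key), verdict)
```

Run stand-alone to see both keys flagged as WEAK; in a rollout script, refuse any key whose reported size is below the threshold before pasting it into rsa peer-public-key.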
After the configuration, run the commands of display ssh server status and display ssh server
session on the SSH server. You can check the current listening port number on the SSH server,
and that the STelnet or SFTP client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025
----End
Configuration Files
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type RSA
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
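This configuration file stores the local user's password as `password simple huawei`, exactly the form the NOTE on the super password earlier in this guide advises against in favour of `cipher`, and it roots the SFTP user at `flash:`. The following Python is an added example rather than anything from this guide: a small audit that splits a saved VRP-style configuration into its `#`-delimited blocks and reports plaintext `password simple` lines (local-user and super), VTY user interfaces not restricted to `protocol inbound ssh` or not using `authentication-mode aaa`, SFTP users rooted at the storage device, an enabled FTP server, and the SSH listening port. The sample configuration is constructed from the file above plus one `super password ... simple` line; the `ftp server enable` command name is assumed and does not appear on this page.

```python
"""Static audit of a VRP-style configuration file (display current-configuration output)."""
import re

# Constructed sample: the SSH server configuration file of this example, plus one
# 'super password ... simple' line of the kind the earlier NOTE warns about.
SAMPLE_CONFIG = """\
#
 super password level 3 simple huawei
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type RSA
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

STORAGE_ROOTS = {"flash:", "flash:/", "cfcard:", "cfcard:/"}
PLAINTEXT_PASSWORD = re.compile(r"^(local-user \S+|super) password (level \d+ )?simple ")


def split_blocks(config):
    """Split the file on '#' separators into lists of stripped command lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return", ""):
            if current:
                blocks.append(current)
            current = []
        else:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_config(config):
    """Return a list of (severity, message) findings."""
    findings = []
    ssh_port, vty_seen = 22, False  # 22 is the default listening port per this chapter
    for block in split_blocks(config):
        for cmd in block:
            if PLAINTEXT_PASSWORD.match(cmd):
                findings.append(("high", "plaintext password: " + cmd.split(" simple ")[0]))
            elif cmd.startswith("ssh server port "):
                ssh_port = int(cmd.split()[-1])
            elif cmd == "ftp server enable":  # assumed command name, not shown on this page
                findings.append(("medium", "FTP server enabled: cleartext credentials and files"))
            m = re.match(r"ssh user (\S+) sftp-directory (\S+)$", cmd)
            if m and m.group(2).lower() in STORAGE_ROOTS:
                findings.append(("medium", f"SFTP user {m.group(1)} rooted at {m.group(2)}: "
                                 "whole storage device, including the saved configuration"))
        if block[0].startswith("user-interface vty"):
            vty_seen = True
            if "protocol inbound ssh" not in block[1:]:
                findings.append(("high", block[0] + ": inbound protocol not restricted to ssh"))
            if "authentication-mode aaa" not in block[1:]:
                findings.append(("high", block[0] + ": authentication-mode is not aaa"))
    if not vty_seen:
        findings.append(("high", "no user-interface vty block: platform defaults apply"))
    note = "default" if ssh_port == 22 else "non-default; a port scan still finds it"
    findings.append(("info", f"SSH server listens on port {ssh_port} ({note})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Feed it the text of display current-configuration or display saved-configuration captured from the switch; the two plaintext passwords are the findings that matter most, since anyone who can read the configuration file can reuse them.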
5.6.2 Example for Connecting the STelnet Client and the SSH Server
Networking Requirements
As shown in Figure 5-3, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server in the authentication mode of password, RSA, password-rsa,
or all.
The following login users need to be configured.
- Client001, with the password as huawei and the authentication mode as password
- Client002, with the password as rsakey001 and the authentication mode as RSA
Figure 5-3 (networking diagram; SSH server, Client001 and Client002 each attached through
GE1/0/1), as a table:

Device       Interface              VLANIF interface   IP address
SSH server   GigabitEthernet 1/0/1  VLANIF 10          10.164.39.222/24
Client001    GigabitEthernet 1/0/1  VLANIF 10          10.164.39.220/24
Client002    GigabitEthernet 1/0/1  VLANIF 10          10.164.39.221/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
3. Create a local key pair on the STelnet client and SSH server separately.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the S9300 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface GigabitEthernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
- Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
- Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.
[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh
# Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001
# Client001 logs in to the SSH server in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
info: The max number of VTY users is 20, and the current number
of VTY users on line is 1.
<Quidway>
----End
Configuration Files
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
5.6.3 Example for Connecting the SFTP Client and the SSH Server
Networking Requirements
As shown in Figure 5-4, after the SFTP service is enabled on the SSH server, the SFTP client
can log in to the SSH server in the authentication mode of password, RSA, password-rsa, or all.
Figure 5-4 Networking diagram for connecting the SFTP client and the SSH server (SSH server,
Client001 and Client002 each attached through GE1/0/1)

Device       Interface              VLANIF interface   IP address
SSH server   GigabitEthernet 1/0/1  VLANIF 10          10.164.39.222/24
Client001    GigabitEthernet 1/0/1  VLANIF 10          10.164.39.220/24
Client002    GigabitEthernet 1/0/1  VLANIF 10          10.164.39.221/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
3. Create a local key pair on the SFTP client and SSH server separately.
4. Create an RSA public key on the SSH server and bind the RSA public key of the SSH client
to Client002.
6. Configure the type of service and authenticated directory for the SSH user.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the S9300 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface GigabitEthernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24
Assigning an IP address to the S9300 that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.
Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
NOTE
The default modulus of 512 bits is far too small to resist factoring on current hardware. When the
switch prompts for the number of bits in the modulus, enter the largest value the range allows (2048)
rather than accepting the default.
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
- In RSA or all authentication mode, you must copy the RSA public key of the SSH client to the server.
# Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
# Send the RSA public key created on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001
Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.
Two SSH users are configured on the SSH server: Client001 in the password authentication
mode and Client002 in the RSA authentication mode.
[Quidway] ssh user client001 service-type sftp
[Quidway] ssh user client001 sftp-directory flash:
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:
Username: client001
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: sftp
Authentication Type: password
Session 2:
Conn: VTY 4
Version: 2.0
State: started
Username: client002
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: sftp
Authentication Type: rsa
----End
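The sessions above negotiated aes128-cbc, hmac-sha1-96 and diffie-hellman-group1-sha1. Those were ordinary choices in 2010 but are rejected by current SSH clients and hardening guides: a 1024-bit Diffie-Hellman group and SHA-1 in the key exchange, CBC mode, and a truncated MAC. The following Python is an added example, not part of this guide: it parses display ssh server session output into one record per session and checks each negotiated algorithm against an assumed policy table, so a periodic job can spot sessions that slipped through with weak algorithms. The sample text is constructed from the output above; the Session 1 header lines, which this page does not show, are assumed.

```python
"""Audit the algorithms negotiated by live SSH sessions on the S9300."""
import re

# Constructed from the 'display ssh server session' output on this page; the
# 'Session 1:' header block is assumed (the page shows it from 'Username:' on).
SESSION_OUTPUT = """\
Session 1:
  Conn: VTY 3
  Version: 2.0
  State: started
  Username: client001
  Retry: 1
  CTOS Cipher: aes128-cbc
  STOC Cipher: aes128-cbc
  CTOS Hmac: hmac-sha1-96
  STOC Hmac: hmac-sha1-96
  Kex: diffie-hellman-group1-sha1
  Service Type: sftp
  Authentication Type: password
Session 2:
  Conn: VTY 4
  Version: 2.0
  State: started
  Username: client002
  Retry: 1
  CTOS Cipher: aes128-cbc
  STOC Cipher: aes128-cbc
  CTOS Hmac: hmac-sha1-96
  STOC Hmac: hmac-sha1-96
  Kex: diffie-hellman-group1-sha1
  Service Type: sftp
  Authentication Type: rsa
"""

# Assumed policy: algorithm -> why it is rejected. Any cipher ending in -cbc is
# also rejected (CBC-mode plaintext-recovery attacks on SSH; use CTR or GCM).
REJECTED = {
    "diffie-hellman-group1-sha1": "1024-bit DH group and SHA-1",
    "hmac-sha1-96": "truncated SHA-1 MAC",
    "hmac-md5": "MD5 MAC",
    "hmac-md5-96": "truncated MD5 MAC",
    "des-cbc": "56-bit DES",
    "3des-cbc": "64-bit block cipher (Sweet32)",
}
ALGORITHM_FIELDS = ("CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac", "Kex")


def parse_sessions(text):
    """Turn the 'Session N:' blocks into a list of dicts keyed by field name."""
    sessions, current = [], None
    for line in text.splitlines():
        header = re.match(r"Session (\d+):", line.strip())
        if header:
            current = {"session": int(header.group(1))}
            sessions.append(current)
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            current[key.strip()] = value.strip()
    return sessions


def weak_algorithms(session):
    """Map each offending field to a reason; an empty dict means the session passes."""
    problems = {}
    for field in ALGORITHM_FIELDS:
        alg = session.get(field, "")
        if alg in REJECTED:
            problems[field] = f"{alg}: {REJECTED[alg]}"
        elif alg.endswith("-cbc"):
            problems[field] = f"{alg}: CBC mode"
    if session.get("Version") != "2.0":
        problems["Version"] = f"{session.get('Version')}: only SSH 2.0 is acceptable"
    return problems


def audit_sessions(text):
    """Return [(session number, username, problems)] for sessions that fail the policy."""
    return [(s["session"], s.get("Username", "?"), weak_algorithms(s))
            for s in parse_sessions(text) if weak_algorithms(s)]


if __name__ == "__main__":
    for number, user, problems in audit_sessions(SESSION_OUTPUT):
        print(f"session {number} ({user}):")
        for field, reason in problems.items():
            print(f"  {field}: {reason}")
```

Both sessions above fail on all five algorithm fields. Whether the switch can be steered to stronger algorithms depends on the client's preferred-algorithm settings listed under Data Preparation and on what this software release offers; where it cannot, the compensating control is to restrict who can reach the SSH port at all.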
Configuration Files
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory flash:
ssh user client002 sftp-directory flash:
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
FTP server: You can log in to the S9300 to access files on the S9300 by running the FTP
program on the host or client.
FTP client: When you set up a connection between the PC and the S9300 through the
emulation terminal program or the Telnet program, you can type the FTP command on the
S9300 to set up a connection with the remote FTP server and access files on remote hosts.
Note that FTP carries user names, passwords and file contents in cleartext. Where the peer
supports it, use SFTP (Chapter 5) instead, and leave the FTP server disabled when it is not needed.
Pre-configuration Tasks
Before configuring the FTP server, complete the following tasks:
Data Preparation
To configure the FTP server, you need the following data.
- Timeout interval for disconnecting the FTP server and the client
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The timeout interval for disconnecting the FTP server and the client is set.
----End
Context
Do as follows on the S9300 that functions as the FTP server.
Procedure
Step 1 Run:
system-view
6.2.5 Setting the Type of the Service and Directory for the FTP Login
User
Context
Do as follows on the S9300 that functions as the FTP server.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of the FTP server are complete.
Procedure
- Run the display ftp-server command to check the configuration and status of the FTP
server.
- Run the display ftp-users command to check information about the FTP login user.
----End
Example
After the FTP server configuration is complete, run the display ftp-server command. You can
see that the FTP server is running.
<Quidway> display ftp-server
FTP server is running
Max user number                 5
User count                      0
Timeout value(in minute)        30
Acl number                      0
FTP server's source address     0.0.0.0
Run the display ftp-users command, and you can view information about the FTP user name,
port number, and directory for the FTP login user.
<Quidway> display ftp-users
  username   host             port   idle   topdir
  zll        100.2.150.226    2320   0      flash:
Applicable Environment
You can configure the S9300 as the FTP client, and then log in to the FTP server through the
S9300 to perform operations, such as transferring files and managing directories of the server.
Pre-configuration Tasks
Before configuring the S9300 as the FTP client, complete the following tasks:
• Configuring a reachable route between the S9300 and the FTP server
Data Preparation
To configure the S9300 as the FTP client, you need the following data.
Procedure
Step 1 Run the following command in the user view:
ftp [ -a source-ip-address ] [ host [ port-number ] ]
Procedure
Step 1 Run:
ftp [ -a source-ip-address ] [ host [ port-number ] ]
A connection with the FTP server is set up and the FTP client view is displayed.
Step 2 (Optional) Run:
ascii | binary
Procedure
Step 1 Run:
ftp [ -a source-ip-address ] [ host [ port-number ] ]
A connection with the FTP server is set up and the FTP client view is displayed.
Step 2 Run:
remotehelp [ command ]
Procedure
Step 1 Run:
ftp [ -a source-ip-address ] [ host [ port-number ] ]
A connection with the FTP server is set up and the FTP client view is displayed.
Step 2 Run the following command as required:
local-filename specifies the local filename. remote-filename specifies the filename that is
uploaded to the remote FTP server and can be renamed. If this parameter is not used, the
name of the file is the same as the name of the file to be uploaded.
• To download files from the FTP server and store them in a local folder, run:
get remote-filename [ local-filename ]
remote-filename specifies the filename on the server. local-filename specifies the filename
that is downloaded from the FTP server and saved on the local device. If this parameter is
not used, the name of the file is the same as the name of the file on the server.
----End
Procedure
Step 1 Run:
ftp [ -a source-ip-address ] [ host [ port-number ] ]
To change the working path of the FTP server to the parent directory, run:
cdup
The directory can contain letters and numerals, but cannot contain special characters such as <, >, ?, \, or ?
If the mkdir /abc command is used, a subdirectory named abc is created in the root directory.
----End
Procedure
Step 1 Run:
ftp [ -a source-ip-address ] [ host [ port-number ] ]
To display information about a specified directory or a file on the FTP server, run:
ls [ remote-filename ] [ local-filename ]
To display detailed information about a specified directory or a file on the FTP server, run:
dir [ remote-filename ] [ local-filename ]
When local-filename is specified, the displayed information about the file can be downloaded
locally.
----End
Procedure
Step 1 Run:
ftp [ -a source-ip-address ] [ host [ port-number ] ]
The current login user name and password are changed; the user can then log in again with
another name and password.
----End
Procedure
Step 1 Run:
bye
Or,
The client is disconnected from the FTP server and the user view is displayed.
----End
Procedure
Step 1 Run the display ftp-users command to check information about the FTP login user.
----End
Example
Run the display ftp-users command, and you can view information about the FTP user name,
port number, and directory for the FTP login user.
<Quidway> display ftp-users
  username   host             port   idle   topdir
  zll        100.2.150.226    2320   0      flash:
Debugging affects the performance of the system. So, after debugging, run the undo debugging all
command to disable it immediately.
When a running fault of the FTP server occurs, run the following debugging command in the
user view to locate the fault. For the procedure of displaying the debugging information, see the
chapter "Monitoring and Debugging" in the Quidway S9300 Terabit Routing Switch
Configuration Guide - Device Management. For details about the debugging command, see the
Quidway S9300 Terabit Routing Switch Command Reference.
Procedure
Step 1 Run the debugging ftp-server command to enable the debugging of the FTP server.
----End
[Figure: FTP session between the PC (FTP client) and the S9300 (FTP server), connected over Ethernet through an L2 switch]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the correct FTP user name and password on the S9300 that functions as the FTP server.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
Name of the FTP user set as u1 and the password set as ftppwd on the server
Name of the destination file and position where the destination files are located on the S9300
Procedure
Step 1 Create VLAN 10 on the S9300 and assign the IP address 10.1.1.2/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface GigabitEthernet 3/0/1
[Quidway-GigabitEthernet3/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.2 24
Step 2 Start the FTP server on the S9300, and set the FTP user name to u1 and password to ftppwd.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user u1 password simple ftppwd
[Quidway-aaa] local-user u1 service-type ftp
[Quidway-aaa] local-user u1 ftp-directory cfcard:/
[Quidway-aaa]return
Step 3 On the PC, initiate a connection to the S9300 with the user name u1 and the password
ftppwd.
Windows XP is used on the FTP client to illustrate the preceding operations.
C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready
User (10.1.1.1:(none)): u1
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>
Step 4 Set the mode of transferring files to binary and the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
----End
Configuration Files
#
sysname Quidway
#
FTP server enable
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
aaa
local-user u1 password simple ftppwd
local-user u1 service-type ftp
local-user u1 ftp-directory cfcard:/
#
return
[Figure: networking diagram for the FTP client example (labels: PC, configuration cable, FTP Client, FTP Server)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Download files from the server to the storage device of the client.
Data Preparation
To complete the configuration, you need the following data:
• Name of the destination file and position where the destination files are located on the S9300
• Name of the FTP user set as u1 and the password set as ftppwd on the client
Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to
ftppwd.
Step 2 Create VLAN 10 on the S9300 and assign the IP address 10.1.1.1 to VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface GigabitEthernet 3/0/1
[Quidway-GigabitEthernet3/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/1] quit
[Quidway] interface GigabitEthernet 3/0/2
[Quidway-GigabitEthernet3/0/2] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/2] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/2] quit
[Quidway] interface GigabitEthernet 3/0/3
[Quidway-GigabitEthernet3/0/3] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/3] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/3] quit
[Quidway] interface GigabitEthernet 3/0/4
[Quidway-GigabitEthernet3/0/4] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/4] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/4] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 24
Step 3 On the S9300, initiate a connection to the FTP server with the user name u1 and the password
ftppwd.
<Quidway> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP-Server v2.5 for WinSock ready...
User(10.1.1.1:(none)):u1
331 User name okay, need password.
Password:
230 User logged in, proceed.
[ftp]
Step 4 On the S9300, set the mode of transferring files to binary and the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
Info: Local directory now flash:.
Step 5 Download the files of d006.cc and vrpcfg.cfg from the remote FTP server on the S9300.
[ftp] get d006.cc d006.cc
[ftp] get vrpcfg.cfg vrpcfg.cfg
[ftp] quit
<Quidway>
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/1
[Figure: networking diagram for the FTP ACL example: PC1 172.16.104.111/24, PC2 172.16.105.111/24]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
• Name of the FTP user set as u1 and password set as huawei on the server
Procedure
Step 1 Configure basic FTP functions.
For details, see 6.5.1 Example for Configuring the FTP Server.
Step 2 Configure an ACL.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 172.16.104.111 0.0.0.0
[Quidway-acl-basic-2001] quit
----End
Configuration Files
Configuration file of the FTP server
#
sysname Quidway
#
FTP server enable
FTP acl 2001
#
acl number 2001
rule 5 permit source 172.16.104.111 0.0.0.0
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
port default vlan 10
#
aaa
local-user u1 password simple huawei
local-user u1 service-type ftp
local-user u1 ftp-directory cfcard:/
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
return
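The configuration file above is what a practitioner would audit after enabling the FTP server: whether an ACL is bound, whether that ACL actually restricts sources, whether the FTP user's password is stored with password simple, and whether the FTP directory is the root of the storage device where the saved configuration file lives. The following Python audit script is an added example, not Huawei code; SAMPLE_CONFIG is constructed from this chapter's configuration-file listings, with user u2 and the "source any" rule added to exercise the checks.

```python
"""Audit a Huawei VRP configuration file for the FTP-server settings covered in this
chapter. Added example, not Huawei code; SAMPLE_CONFIG is constructed (u2 and 'source any' added)."""
import re

SAMPLE_CONFIG = """\
#
 FTP server enable
 FTP acl 2001
#
acl number 2001
 rule 5 permit source any
#
aaa
 local-user u1 password simple ftppwd
 local-user u1 service-type ftp
 local-user u1 ftp-directory cfcard:/
 local-user u2 password cipher CIPHERTEXT-PLACEHOLDER
 local-user u2 service-type ftp
#
return
"""

STORAGE_ROOTS = {"cfcard:", "cfcard:/", "flash:", "flash:/"}
# A permit rule with no 'source', or with 'source any' / 0.0.0.0 255.255.255.255, matches every host.
ANY_SOURCE = re.compile(r"\bpermit\b(?!.*\bsource\b)|\bpermit\b.*\bsource (any|0\.0\.0\.0 255\.255\.255\.255)\b")
USER_LINE = re.compile(r"local-user (\S+) (password|service-type|ftp-directory) (.+)")


def parse_sections(config):
    """Split the file into the '#'-separated sections VRP writes (stripped command lines only)."""
    sections, current = [], []
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            if current:
                sections.append(current)
            current = []
        elif stripped:
            current.append(stripped)
    if current:
        sections.append(current)
    return sections


def audit_ftp(config):
    """Return (severity, message) findings; an empty list when the FTP server is off."""
    findings, sections = [], parse_sections(config)
    flat = [line for sec in sections for line in sec]
    if not any(line.lower() == "ftp server enable" for line in flat):
        return findings
    acl_line = next((line for line in flat if line.lower().startswith("ftp acl ")), None)
    if acl_line is None:
        findings.append(("high", "FTP server enabled without 'FTP acl': every reachable host may try to log in"))
    else:
        acl_id = acl_line.split()[-1]
        rules = [r for sec in sections if sec[0].lower() == f"acl number {acl_id}" for r in sec[1:]]
        findings += [("high", f"acl {acl_id}: '{r}' permits any source, so the ACL restricts nothing")
                     for r in rules if ANY_SOURCE.search(r)]
    users = {}
    for m in filter(None, map(USER_LINE.match, flat)):
        users.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    for name, attrs in users.items():
        if "ftp" not in attrs.get("service-type", "").split():
            continue  # not an FTP login user
        if attrs.get("password", "").startswith("simple "):
            findings.append(("medium", f"local-user {name}: 'password simple' keeps the FTP password in clear text"))
        root = attrs.get("ftp-directory")
        if root is None:
            findings.append(("low", f"local-user {name}: service-type ftp without ftp-directory"))
        elif root in STORAGE_ROOTS:
            findings.append(("medium", f"local-user {name}: ftp-directory {root} is the storage root, where the saved configuration file lives"))
    return findings
```

Run against the chapter's own ACL example (rule 5 permit source 172.16.104.111 0.0.0.0) the ACL check stays silent, while the "password simple" and root-directory findings remain.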
7.1.3 File
A file stores and manages information.
7.1.4 Directory
A directory collects and organizes files. It is a logical container of files.
Applicable Environment
When the S9300 fails to access information, you need to repair the damaged storage device.
Pre-configuration Tasks
Before managing a storage device, complete the following tasks:
Data Preparation
To manage a storage device, you need the following data.
No.
Data
Device name
After the format device-name command is run, the files and directories in the specified storage device are
cleared and cannot be restored. So, confirm the action before you use the command.
Procedure
Step 1 Run the following command in the user view:
format device-name
Pre-configuration Tasks
Before configuring the file system, complete the following task:
Installing the S9300 and switching it on properly
Data Preparation
To configure the file system, you need the following data.
Procedure
Step 1 Run:
dir [ /all ] [ filename | cfcard: | flash: ]
The parameter cfcard: cannot be specified if the device does not provide a CF card.
----End
Alert
If a user attempts to perform an operation that may cause data loss or data damage, for
example, deleting a file, the S9300 prompts the user to confirm the operation.
Quiet
The S9300 does not display any message.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
more filename
Procedure
Step 1 Run:
copy source-filename destination-filename
A file is copied.
----End
Procedure
Step 1 Run:
move source-filename destination-filename
A file is moved.
----End
Procedure
Step 1 Run:
rename source-filename destination-filename
A file is renamed.
----End
Procedure
Step 1 Run:
delete [ /unreserved ] filename
A file is deleted.
NOTE
Deleting a file means moving a file into the recycle bin of the S9300.
The files that are deleted by using the parameter [ /unreserved ] cannot be restored.
----End
Procedure
Step 1 Run:
reset recycle-bin [ filename ]
Procedure
Step 1 Run:
undelete filename
If the current directory is not a root directory, you must perform an operation on the file in the absolute
path.
If you use the parameter [ /unreserved ] in the command for deleting the file, the file cannot be restored
after being deleted.
----End
Procedure
Step 1 Run:
system-view
Pre-configuration Tasks
Before managing directories, complete the following task:
Data Preparation
To manage directories, you need the following data.
Procedure
Step 1 Run:
pwd
Procedure
Step 1 Run:
mkdir directory
A directory is created.
----End
Procedure
Step 1 Run:
rmdir directory
A directory is deleted.
----End
Procedure
Step 1 Run:
cd path
Context
NOTE
Debugging affects the performance of the system. So, after debugging, run the undo debugging all
command to disable it immediately.
When a running fault of the file system occurs, run the following debugging command in the
user view to locate the fault. For the procedure of displaying the debugging information, see the
chapter "Debugging and Diagnosis" in the S9300 Terabit Routing Switch Configuration Guide - Device Management.
Procedure
Step 1 Run the debugging vfs { flash | low } command to enable the debugging of the file system.
----End
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Check the directory, and find that the files in the directory are copied to a specified directory.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Display information about the files in the current directory.
<Quidway> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-          2,210  Mar 25 2009 10:24:30   vrpcfg.zip
    1  -rw-            198  May 20 2009 10:10:08   $_patchstate_a
    2  drw-              -  May 22 2009 15:28:48   logfile
    3  -rw-              4  May 25 2009 11:34:20   snmpnotilog.txt
    4  -rw-          4,309  May 20 2009 16:51:42   private-data.txt
    5  -rw-              0  Apr 03 2009 17:49:04   stickymac.txt
    6  -rw-        140,708  Apr 03 2009 18:06:56   patchhistory
    7  -rw-            198  Mar 30 2009 18:42:28   $_patchstate_a.backup
    8  -rw-     22,064,779  Mar 11 2009 18:26:08   s9300v100r001c02b118.cc
    9  -rw-         10,405  Mar 31 2009 14:17:52   bfd.pat
   10  -rw-          2,449  Mar 19 2009 15:20:10   vrpcfg0319.zip
   11  -rw-          5,344  Mar 25 2009 16:20:28   vrrp0320.zip
   12  -rw-         11,077  Apr 02 2009 16:13:18   bfd_slave0402.pat
   13  -rw-          9,893  Apr 02 2009 17:11:16   bfd_slave0402_1.pat
   14  -rw-         10,021  Apr 02 2009 17:19:32   bfd_slave0402_2.pat
   15  -rw-         10,605  Apr 02 2009 19:11:38   bfd_slave111.pat
   16  -rw-         13,717  Apr 02 2009 19:52:36   bfd_slave112.pat
   17  -rw-          1,481  Nov 27 2008 12:02:52   backupvrpcfg.zip
   18  -rw-              0  Nov 28 2008 11:39:28   epon.zip
   19  -rw-         16,981  Apr 02 2009 20:17:32   bfd_slave113.pat
   20  -rw-          3,249  May 20 2009 16:51:42   vrpcfg0325.zip
   21  -rw-         12,885  Apr 03 2009 18:06:14   bfd_slave22.pat
   22  -rw-          1,664  Feb 20 2009 09:14:50   on1018399.dat
Step 3 Display information about the files in the current directory, and you can view that the files are
copied to the specified directory.
<Quidway> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-          2,210  Mar 25 2009 10:24:30   vrpcfg.zip
    1  -rw-            198  May 20 2009 10:10:08   $_patchstate_a
    2  drw-              -  May 22 2009 15:28:48   logfile
    3  -rw-              4  May 25 2009 11:34:20   snmpnotilog.txt
    4  -rw-          4,309  May 20 2009 16:51:42   private-data.txt
    5  -rw-              0  Apr 03 2009 17:49:04   stickymac.txt
    6  -rw-        140,708  Apr 03 2009 18:06:56   patchhistory
    7  -rw-            198  Mar 30 2009 18:42:28   $_patchstate_a.backup
    8  -rw-     22,064,779  Mar 11 2009 18:26:08   s9300v100r001c02b118.cc
    9  -rw-         10,405  Mar 31 2009 14:17:52   bfd.pat
   10  -rw-          2,449  Mar 19 2009 15:20:10   vrpcfg0319.zip
   11  -rw-          5,344  Mar 25 2009 16:20:28   vrrp0320.zip
   12  -rw-         11,077  Apr 02 2009 16:13:18   bfd_slave0402.pat
   13  -rw-          9,893  Apr 02 2009 17:11:16   bfd_slave0402_1.pat
   14  -rw-         10,021  Apr 02 2009 17:19:32   bfd_slave0402_2.pat
   15  -rw-         10,605  Apr 02 2009 19:11:38   bfd_slave111.pat
   16  -rw-         13,717  Apr 02 2009 19:52:36   bfd_slave112.pat
   17  -rw-          1,481  Nov 27 2008 12:02:52   backupvrpcfg.zip
   18  -rw-              0  Nov 28 2008 11:39:28   epon.zip
   19  -rw-         16,981  Apr 02 2009 20:17:32   bfd_slave113.pat
   20  -rw-          3,249  May 20 2009 16:51:42   vrpcfg0325.zip
   21  -rw-         12,885  Apr 03 2009 18:06:14   bfd_slave22.pat
   22  -rw-          1,664  Feb 20 2009 09:14:50   on1018399.dat
   23  -rw-            684  May 25 2009 17:53:38   hostkey
----End
Configuration Files
None.
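Step 3 above relies on reading two dir listings by eye to see what changed. The following Python script, an added example and not Huawei code, parses the S9300 dir listing format shown in this section and reports which files were added, removed or changed between two listings, which is the same check a defender makes when verifying that nothing unexpected appeared on the CF card. BEFORE and AFTER are constructed in that format (the hostkey entry and the new vrpcfg.zip size are made up for the demonstration).

```python
"""Parse the S9300 'dir' listing and diff two listings. Added example, not Huawei
code; BEFORE/AFTER are constructed in the format shown in this section."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "idx attr size date time name")

# One row: Idx Attr Size(Byte) Date Time FileName. Directories print '-' for size.
ROW = re.compile(r"^\s*(\d+)\s+([-d]rw-)\s+(-|[\d,]+)\s+"
                 r"([A-Z][a-z]{2} \d{2} \d{4})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s*$")

BEFORE = """\
<Quidway> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-          2,210  Mar 25 2009 10:24:30   vrpcfg.zip
    1  -rw-            198  May 20 2009 10:10:08   $_patchstate_a
    2  drw-              -  May 22 2009 15:28:48   logfile
    3  -rw-     22,064,779  Mar 11 2009 18:26:08   s9300v100r001c02b118.cc
"""

AFTER = """\
<Quidway> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-          2,315  May 25 2009 17:53:38   vrpcfg.zip
    1  -rw-            198  May 20 2009 10:10:08   $_patchstate_a
    2  drw-              -  May 22 2009 15:28:48   logfile
    3  -rw-     22,064,779  Mar 11 2009 18:26:08   s9300v100r001c02b118.cc
    4  -rw-            684  May 25 2009 17:53:38   hostkey
"""


def parse_dir(output):
    """Return {filename: Entry} for each row; the prompt, the 'Directory of' line
    and the column header do not match ROW and are skipped."""
    entries = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            idx, attr, size, date, time, name = m.groups()
            size = None if size == "-" else int(size.replace(",", ""))
            entries[name] = Entry(int(idx), attr, size, date, time, name)
    return entries


def diff_listings(before, after):
    """Compare two listings by file name. A file counts as changed when its size
    or timestamp differs, as a rewritten configuration file would."""
    old, new = parse_dir(before), parse_dir(after)
    changed = [n for n in sorted(set(old) & set(new))
               if (old[n].size, old[n].date, old[n].time) != (new[n].size, new[n].date, new[n].time)]
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


if __name__ == "__main__":
    for kind, names in diff_listings(BEFORE, AFTER).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```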
The default parameters are not saved to save space. For details about the default values of
configuration parameters, see the following chapters.
Commands are organized according to command views. The commands used in the same
command view are organized to form a section. Sections are separated from each other by
one or several blank lines or comment lines beginning with #.
The command that can be properly executed by the system, including the commands in an incomplete
format, can contain up to 256 characters.
If a command is used in an incomplete format, the configuration file may contain a command line
consisting of more than 256 characters. This is because the command used is saved to the configuration
file in complete format. When the system restarts, the commands used in incomplete format cannot be
restored.
Procedure
Step 1 Run:
display current-configuration [ configuration [ configuration-type ] | controller controller-type | interface interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression | feature feature-name [ filter regular-expression ] | filter regular-expression ]
If the display this command is used in the protocol view, all configurations in the protocol view are
displayed; if the display this command is used in the protocol sub-view, the configurations may be not
displayed.
Procedure
Step 1 Run:
display this
Context
Do as follows on the S9300.
Procedure
Step 1 Run:
display saved-configuration [ last ]
By using the display saved-configuration command, you can view the configuration file
used in the next startup of the S9300. That is, you can view the configuration specified by
the startup saved-configuration command.
By using the display saved-configuration last command, you can view the configurations
saved in the previous startup of the S9300. That is, you can view the configuration file used
in the current startup of the S9300.
----End
Procedure
Step 1 Run:
display startup
The system software and name of the configuration file used in the current startup of the
S9300 are displayed.
The system software and configuration file to be loaded in the next startup of the S9300 are
saved to the root directory of the storage device.
----End
Context
You can change the current configurations of the S9300 through command line interfaces. By
using the save command to save current configurations to a CF card, you can use the current
configurations as initial configurations for the next startup of the S9300.
Procedure
Step 1 Run:
save [ configuration-file ]
When a configuration file is saved for the first time, the S9300 automatically saves the configuration file
as vrpcfg.cfg if configuration-file is not specified.
----End
Context
You need to delete the configuration file from the CF card in either of the following situations:
• After the software of the S9300 is upgraded, the upgraded software does not match the configuration file.
Procedure
Step 1 Run:
reset saved-configuration
Postrequisite
You can use the reset saved-configuration command to delete the contents of the configuration
file that is currently loaded to the S9300. After the configuration file is deleted, the S9300 uses
default configuration parameters for initialization in the next startup in the following scenarios:
Context
By default, the S9300 accesses a configuration file from the CF card for initialization when it is
powered on. The configurations in this configuration file are called initial configurations. If the
CF card does not contain any configuration file, the S9300 uses default parameters for
initialization.
To distinguish from initial configurations, the configurations taking effect when the S9300 works
are called current configurations.
To configure the configuration file to be loaded in the next startup of the S9300, do as follows
on the S9300.
Procedure
• Run:
startup saved-configuration configuration-file
The configuration file to be loaded for the next startup of the S9300 is configured.
• Run:
startup system-software file-name slave-board
The configuration file to be loaded for the next startup of the slave board is configured.
----End
Context
Do as follows on the S9300.
Procedure
Step 1 Run:
compare configuration [ current-line-number save-line-number ]