NE9000 V800R022C00 Configuration Guide 01 Basic Configuration
V800R022C00SPC600
Configuration Guide
Issue 01
Date 2022-10-31
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: https://www.huawei.com
Email: support@huawei.com
Contents
1 Configuration............................................................................................................................1
1.1 Basic Configuration.................................................................................................................................................................1
1.1.1 About This Document........................................................................................................................................................ 1
1.1.2 First Login Configuration.................................................................................................................................................. 5
1.1.2.1 Overview of First Login.................................................................................................................................................. 5
1.1.2.2 Configuration Precautions for First Login................................................................................................................ 6
1.1.2.3 Logging In to a Device Through a Console Port....................................................................................................6
1.1.2.3.1 Establishing a Physical Connection......................................................................................................................... 6
1.1.2.3.2 Logging In to a Device................................................................................................................................................ 6
1.1.2.4 Performing Batch Device Deployment Through the Plug-and-Play Function.............................................9
1.1.3 Command Line Interface Configuration.................................................................................................................... 10
1.1.3.1 CLI Overview.................................................................................................................................................................... 10
1.1.3.2 Configuration Precautions for Command Line Interface................................................................................. 12
1.1.3.3 Establishing a Command Line Running Environment....................................................................................... 15
1.1.3.3.1 Configuring Header Information...........................................................................................................................15
1.1.3.3.2 Configuring a Device Name.................................................................................................................................... 16
1.1.3.3.3 Configuring Command Levels................................................................................................................................ 16
1.1.3.3.4 Locking a User Interface.......................................................................................................................................... 18
1.1.3.3.5 Configuring the System to Allow the Execution of User-View Commands in the System View.....18
1.1.3.3.6 (Optional) Configuring the Command Timestamp Function......................................................................18
1.1.3.4 How to Use the CLI....................................................................................................................................................... 19
1.1.3.4.1 Entering a Command View..................................................................................................................................... 20
1.1.3.4.2 Editing a Command................................................................................................................................................... 20
1.1.3.4.3 Verifying the Command Line Configuration..................................................................................................... 21
1.1.3.4.4 Checking the Diagnostic Information.................................................................................................................. 22
1.1.3.4.5 Command Display Mode......................................................................................................................................... 22
1.1.3.4.6 Error Messages............................................................................................................................................................ 28
1.1.3.4.7 Configuring an Alias for a Command..................................................................................................................28
1.1.3.4.8 Intelligent Rollback.................................................................................................................................................... 29
1.1.3.4.9 Enabling Secondary Authentication..................................................................................................................... 30
1.1.3.5 How to Obtain Command Help................................................................................................................................ 30
1.1.3.6 How to Use Shortcut Keys.......................................................................................................................................... 31
1.1.3.6.1 Classification of Shortcut Keys............................................................................................................................... 32
1.1.5.4.7 (Optional) Enabling the IP Address Blocking Function for Telnet Connections................................... 81
1.1.5.4.8 (Optional) Configuring Alarm Generation and Clearance Thresholds for Telnet Server Login Failures............................................................................................................................................................................. 81
1.1.5.4.9 (Optional) Configuring the Maximum Number of Connections for Telnet Login to the Server Using a Single IP Address.......................................................................................................................................................... 82
1.1.5.4.10 Verifying the Configuration of User Login to the System Using Telnet................................................ 83
1.1.5.5 Configuring STelnet Login........................................................................................................................................... 83
1.1.5.5.1 Configuring a User Level and Authentication Mode for VTY User Interfaces....................................... 84
1.1.5.5.2 Configuring VTY User Interfaces to Support SSH............................................................................................87
1.1.5.5.3 Configuring an SSH User and Specifying a Service Type.............................................................................. 88
1.1.5.5.4 Enabling the STelnet Server Function............................................................................................................... 100
1.1.5.5.5 Using STelnet to Log In to a Server................................................................................................................... 102
1.1.5.5.6 Configuring STelnet Server Parameters............................................................................................................ 109
1.1.5.5.7 (Optional) Configuring CAR for Whitelisted SSH Sessions........................................................................113
1.1.5.5.8 (Optional) Configuring Alarm Generation and Clearance Thresholds for SSH Server Login Failures.......................................................................................................................................................................................... 114
1.1.5.5.9 (Optional) Configuring the Maximum Number of Connections for SSH Login to the Server Using a Single IP Address.................................................................................................................................................................... 115
1.1.5.5.10 (Optional) Configuring the Local Port Forwarding Service for the SSH Server...............................115
1.1.5.5.11 Configuring the Keyboard-Interactive Authentication Mode for an SSH Server............................. 116
1.1.5.5.12 Setting Criteria for SSH Session Key Re-negotiation.................................................................................116
1.1.5.5.13 Verifying the Configuration of User Login to the System Using STelnet........................................... 117
1.1.5.6 Configuration Examples for User Login............................................................................................................... 118
1.1.5.6.1 Example for Configuring Login Through a Console Port........................................................................... 118
1.1.5.6.2 Example for Configuring Telnet Login for an IPv4 User............................................................................. 121
1.1.5.6.3 Example for Configuring Telnet Login for an IPv6 User............................................................................. 125
1.1.5.6.4 Example for Configuring STelnet Login for an IPv4 User...........................................................................129
1.1.5.6.5 Example for Configuring STelnet Login for an IPv6 User...........................................................................139
1.1.5.6.6 Example for Configuring an NMS to Communicate with a Device by SSH over a VPN................. 149
1.1.6 File System Configuration............................................................................................................................................ 155
1.1.6.1 Overview of File System Management................................................................................................................ 155
1.1.6.2 Configuration Precautions for File System Management..............................................................................158
1.1.6.3 Operating Files After Logging In to a Device.................................................................................................... 159
1.1.6.3.1 Managing Directories............................................................................................................................................. 159
1.1.6.3.2 Managing Files.......................................................................................................................................................... 163
1.1.6.4 Using FTP to Operate Files....................................................................................................................................... 165
1.1.6.4.1 Configuring a Local FTP User.............................................................................................................................. 166
1.1.6.4.2 (Optional) Specifying a Listening Port Number for the FTP Server....................................................... 167
1.1.6.4.3 Enabling the FTP Server Function...................................................................................................................... 168
1.1.6.4.4 Configuring FTP Server Parameters................................................................................................................... 169
1.1.6.4.5 (Optional) Configuring CAR for Whitelisted FTP Sessions........................................................................ 170
1.1.6.4.6 (Optional) Configuring FTP Access Control.................................................................................................... 171
1.1.6.4.7 (Optional) Configuring the IP Address Locking Function.......................................................................... 171
1.1.7.6.12 Viewing the Difference Between the Candidate Configuration and Current Running Configuration.............................................................................................................................................................................. 235
1.1.7.6.13 Verifying the Configuration of Configuration File Management.......................................................... 236
1.1.7.6.14 Configuration Replacement............................................................................................................................... 237
1.1.7.7 Configuration Examples for Configuration Management............................................................................. 244
1.1.7.7.1 Example for Configuring Services in Immediate Validation Mode......................................................... 244
1.1.7.7.2 Example for One User to Configure Services After Another User Locks Configurations in Two-Phase Validation Mode............................................................................................................................................................ 246
1.1.7.7.3 Example for Multiple Users to Perform the Same Configuration for a Service in Two-Phase Validation Mode......................................................................................................................................................................... 247
1.1.7.7.4 Example for Multiple Users to Perform Different Configurations for a Service in Two-Phase Validation Mode......................................................................................................................................................................... 248
1.1.7.7.5 Example for Multiple Users to Configure Different Services in Two-Phase Validation Mode.......250
1.1.7.7.6 Example for Configuration Rollback..................................................................................................................251
1.1.7.7.7 Example for Managing Configuration Files.................................................................................................... 255
1.1.8 Accessing Other Devices Configuration.................................................................................................................. 257
1.1.8.1 Overview of Accessing Other Devices.................................................................................................................. 257
1.1.8.2 Configuration Precautions for Access to Other Devices.................................................................................260
1.1.8.3 Using Telnet to Log In to Other Devices............................................................................................................. 260
1.1.8.3.1 (Optional) Configuring a Source Address for the Telnet Client............................................................... 261
1.1.8.3.2 Using Telnet to Log In to Other Devices.......................................................................................................... 261
1.1.8.3.3 Verifying the Configuration of Using Telnet to Log In to Other Devices............................................. 262
1.1.8.4 Using STelnet to Log In to Other Devices........................................................................................................... 262
1.1.8.4.1 Configuring First Login to the SSH Server (Enabling First Login on the SSH Client)...................... 263
1.1.8.4.2 Configuring First Login to an SSH Server (Configuring an SSH Client to Assign a Public Key to an SSH Server).................................................................................................................................................................................. 264
1.1.8.4.3 (Optional) Configuring the Keepalive Feature on the SSH Client.......................................................... 266
1.1.8.4.4 Using STelnet to Log In to Another Device..................................................................................................... 266
1.1.8.4.5 Verifying the Configuration of Using STelnet to Log In to Other Devices........................................... 268
1.1.8.5 Using TFTP to Access Other Devices.....................................................................................................................268
1.1.8.5.1 Configuring a Source Address for a TFTP Client........................................................................................... 269
1.1.8.5.2 Configuring TFTP Access Control........................................................................................................................ 269
1.1.8.5.3 Using TFTP to Download Files from Other Devices..................................................................................... 270
1.1.8.5.4 Using TFTP to Upload Files to Other Devices................................................................................................ 271
1.1.8.5.5 Verifying the Configuration of Using TFTP to Access Other Devices.....................................................271
1.1.8.6 Using FTP to Access Other Devices....................................................................................................................... 272
1.1.8.6.1 (Optional) Configuring a Source Address for an FTP Client..................................................................... 272
1.1.8.6.2 Using FTP to Connect an FTP Client to Other Devices............................................................................... 273
1.1.8.6.3 Using FTP Commands to Operate Files............................................................................................................274
1.1.8.6.4 (Optional) Changing a Login User Role...........................................................................................................277
1.1.8.6.5 Ending a Connection to the FTP Server............................................................................................................278
1.1.8.6.6 Verifying the Configuration of Using FTP to Access Other Devices....................................................... 279
1.1.8.7 Using SFTP to Access Other Devices..................................................................................................................... 279
1.1.8.7.1 (Optional) Configuring a Source Address for the SFTP Client................................................................. 280
1.1.8.7.2 Configuring First Login to the SSH Server (Enabling First Login on the SSH Client)...................... 280
1.1.8.7.3 Configuring First Login to the SSH Server (Configuring the SSH Client to Assign the Public Key to the SSH Server).......................................................................................................................................................................... 281
1.1.8.7.4 Using SFTP to Log In to Another Device Functioning as an SSH Server.............................................. 283
1.1.8.7.5 Using SFTP Commands to Operate Files......................................................................................................... 284
1.1.8.7.6 Verifying the Configuration of Using SFTP to Access Other Devices..................................................... 286
1.1.8.8 Configuring the SFTP Client to Use the One-click File Operation Command to Perform File Operations.................................................................................................................................................................................... 287
1.1.8.9 Using SCP to Access Other Devices....................................................................................................................... 288
1.1.8.9.1 Configuring the SCP Server...................................................................................................................................288
1.1.8.9.2 Configuring the SCP Client................................................................................................................................... 289
1.1.8.9.3 Verifying the Configuration of Using SCP to Access Other Devices....................................................... 290
1.1.8.10 Configuring an SSL Cipher Suite.......................................................................................................................... 290
1.1.8.11 Configuring and Binding an SSL Policy............................................................................................................. 291
1.1.8.12 Logging In to a Device Using HTTP.................................................................................................................... 295
1.1.8.13 Configuring a DSCP Value for Telnet/SSH Packets........................................................................................296
1.1.8.14 Configuration Examples for Accessing Other Devices..................................................................................297
1.1.8.14.1 Example for Using Telnet to Log In to Another Device............................................................................ 297
1.1.8.14.2 Example for Using STelnet to Log In to Other Devices (RSA Authentication Mode).................... 300
1.1.8.14.3 Example for Using STelnet to Log In to Other Devices (DSA Authentication Mode)....................307
1.1.8.14.4 Example for Using STelnet to Log In to Other Devices (ECC Authentication Mode).................... 315
1.1.8.14.5 Example for Using STelnet to Log In to Another Device (SM2 Authentication Mode).................322
1.1.8.14.6 Example for Using TFTP to Access Other Devices...................................................................................... 328
1.1.8.14.7 Example for Using FTP to Access Other Devices........................................................................................ 331
1.1.8.14.8 Example for Using SFTP to Log In to Other Devices (RSA Authentication Mode)......................... 334
1.1.8.14.9 Example for Using SFTP to Log In to Other Devices (DSA Authentication Mode)........................ 341
1.1.8.14.10 Example for Using SFTP to Log In to Other Devices (ECC Authentication Mode).......................348
1.1.8.14.11 Example for Using SFTP to Log In to Other Devices (SM2 Authentication Mode)......................355
1.1.8.14.12 Example for Using a Non-default Listening Port Number to Access the SSH Server................. 361
1.1.8.14.13 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network......................................................................................................................................................................... 367
1.1.8.14.14 Example for Using SCP to Access Files on Other Devices..................................................................... 377
1.1.8.14.15 Example for Configuring HTTP for Device Login..................................................................................... 380
1.1.9 ZTP Configuration........................................................................................................................................................... 382
1.1.9.1 Overview of ZTP...........................................................................................................................................................382
1.1.9.2 Configuration Precautions for ZTP........................................................................................................................ 383
1.1.9.3 Configuring Automatic ZTP Deployment Through DHCP............................................................................. 384
1.1.9.3.1 Editing an Intermediate File................................................................................................................................. 385
1.1.9.3.2 Configuring a DHCPv4 Server and Relay Agent............................................................................................ 385
1.1.9.3.3 Configuring a DHCPv6 Server and Relay Agent............................................................................................ 387
1.1.9.3.4 Configuring a File Server....................................................................................................................................... 388
1.1.9.3.5 Powering on the Device......................................................................................................................................... 389
1.1.9.3.6 (Optional) Uploading a Pre-Configuration Script.........................................................................................389
Figures
Figure 1-72 Configuring an SSH client on the public network to access an SSH server on a private network............................................................................................................................................................................ 368
Figure 1-73 Using SCP to access another device.............................................................................................. 378
Figure 1-74 Device login using HTTP................................................................................................................... 381
Figure 1-75 Configuring automatic ZTP deployment through DHCP....................................................... 391
Figure 1-76 Configuring the file server................................................................................................................ 392
Tables
Table 1-34 Special characters in regular expressions and their functions............................................... 232
Table 1-35 Special characters in regular expressions and their functions............................................... 242
Table 1-36 Feature requirements........................................................................................................................... 260
Table 1-37 Using FTP commands to connect the FTP client to other devices....................................... 273
Table 1-38 Using FTP commands to connect the FTP client to other devices....................................... 274
Table 1-39 File operations........................................................................................................................................ 274
Table 1-40 File operations........................................................................................................................................ 285
Table 1-41 Feature requirements........................................................................................................................... 383
Table 1-42 Option field description.......................................................................................................................385
Table 1-43 Option field description.......................................................................................................................388
Table 1-44 Option fields to be configured on the DHCP server................................................................. 392
1 Configuration
Licensing Requirements
For details about licensing, see the License Usage Guide for your customer type:
● Carrier users: License Usage Guide
● Enterprise users: License Usage Guide
Related Version
The following table lists the product version related to this document.
Intended Audience
This document is intended for:
● Data configuration engineers
● Commissioning engineers
● Network monitoring engineers
● System maintenance engineers
Security Declaration
● Notice on Limited Command Permission
This documentation describes the commands used to deploy and maintain
networks with Huawei devices. The interfaces and commands used for
production, manufacturing, and the repair of returned products are not
described here.
Advanced commands and compatible commands intended for engineering or
fault location can cause exceptions or service interruptions if they are
used incorrectly. It is recommended that such commands be used only by
engineers with elevated privileges. If necessary, you can apply to Huawei
for permission to use advanced commands.
● Encryption algorithm declaration
The algorithms DES, 3DES, RSA with a key length shorter than 2048 bits,
MD5 (in digital signature and password encryption scenarios), and SHA1
(in digital signature scenarios) are weak and introduce security risks.
Where the protocol allows, use stronger algorithms instead, such as AES,
RSA with a key length of at least 2048 bits, SHA2, and HMAC-SHA2.
For security reasons, the insecure protocols Telnet, FTP, and TFTP, and
the weak algorithms available in the BGP, LDP, PCEP, MSDP, DCN, TCP-AO,
MSTP, VRRP, E-Trunk, AAA, IPsec, BFD, QX, port extension, SSH, SNMP,
IS-IS, RIP, SSL, NTP, OSPF, and keychain features, are not recommended.
If you must use such a weak algorithm, first run the undo crypto
weak-algorithm disable command to enable the weak security algorithm
function; treat the presence of that command in a configuration as a
finding to be justified. For details, see the Configuration Guide.
● Password configuration declaration
– When the password encryption mode is cipher, do not set a password
whose first and last characters are both the string "%^%#". The
system uses "%^%#" to delimit ciphertext, so such a password is
treated as already encrypted and is written to the configuration file
unchanged, in plaintext.
– To further improve device security, periodically change the password.
● Personal data declaration
– Your purchased products, services, or features may use some of your
users' personal data during service operation or fault location. You
must define user privacy policies that comply with local laws and take
proper measures to fully protect personal data.
– When discarding, recycling, or reusing a device, back up or delete data on
the device as required to prevent data leakage. If you need support,
contact after-sales technical support personnel.
● Feature declaration
– The NetStream feature may be used to analyze the communication
information of terminal customers for network traffic statistics and
management purposes. Before enabling the NetStream feature, ensure
that it is performed within the boundaries permitted by applicable laws
and regulations. Effective measures must be taken to ensure that
information is securely protected.
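The encryption algorithm and password declarations above describe two things a practitioner will want to check mechanically: whether a saved configuration still contains the cleartext management protocols or the weak-algorithm switch, and whether a password about to be configured would be wrapped in the "%^%#" ciphertext delimiter. The following Python script is an added example written for this page, not Huawei tooling. Only the undo crypto weak-algorithm disable command comes from the declaration; the telnet server enable and ftp server enable line forms are assumed VRP syntax to be confirmed against the device's command reference, and the sample configuration is constructed.

```python
"""Audit a VRP-style configuration for the points in the security declaration.

Added example for this page, not Huawei code.  The weak-algorithm command is
the one the declaration names; the Telnet/FTP server lines and the sample
configuration are assumed syntax and constructed data respectively.
"""

# VRP wraps encrypted password text in this delimiter in the configuration
# file.  A plaintext password that itself starts and ends with it is written
# out unchanged, which is the problem the password declaration warns about.
CIPHER_MARK = "%^%#"

# Configuration lines that should be flagged, keyed by their normalized text.
# Only the first is taken from the declaration; the other two are assumed
# VRP command forms and should be checked against the device's command
# reference before relying on them.
FLAGGED_LINES = {
    "undo crypto weak-algorithm disable": "weak cryptographic algorithms enabled",
    "telnet server enable": "Telnet server enabled (cleartext management)",
    "ftp server enable": "FTP server enabled (cleartext file transfer)",
}

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
#
 sysname NE9000-lab
#
 undo crypto weak-algorithm disable
#
 telnet server enable
 undo telnet ipv6 server enable
 ftp server enable
 stelnet server enable
 sftp server enable
#
"""


def normalize(line):
    """Collapse indentation and internal spacing so matching is exact."""
    return " ".join(line.split())


def audit_config(config_text):
    """Return (line_number, line, reason) for every flagged line.

    A command that already appears in its 'undo' form (for example
    'undo telnet ipv6 server enable') does not equal the enable form and is
    therefore not flagged; comment lines starting with '#' are skipped.
    """
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = normalize(raw)
        if not line or line.startswith("#"):
            continue
        if line in FLAGGED_LINES:
            findings.append((number, line, FLAGGED_LINES[line]))
    return findings


def is_unsafe_cipher_password(password):
    """True if the password starts and ends with the cipher delimiter.

    Such a value already looks like ciphertext, so it would land in the
    configuration file in plaintext.  Reject it before configuring it.
    """
    return password.startswith(CIPHER_MARK) and password.endswith(CIPHER_MARK)


if __name__ == "__main__":
    for number, line, reason in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {line!r}: {reason}")
    for candidate in ("%^%#Str0ng-Pass%^%#", "Str0ng-Pass"):
        print(candidate, "unsafe" if is_unsafe_cipher_password(candidate) else "ok")
```

Run it against the output of the device's display current-configuration (saved to a file) to get a line-numbered list of findings; the password guard is meant to sit in whatever script or form collects a new password before it is pushed to the device, since once the value is in the configuration file it is indistinguishable from real ciphertext.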
Special Declaration
● This document serves only as a guide. The content is written based on device
information gathered under lab conditions. The content provided by this
document is intended to be taken as general guidance, and does not cover all
scenarios. The content provided by this document may be different from the
information on user device interfaces due to factors such as version upgrades
and differences in device models, board restrictions, and configuration files.
The actual user device information takes precedence over the content
provided by this document. The preceding differences are beyond the scope of
this document.
● The maximum values provided in this document are obtained in specific lab
environments (for example, only a certain type of board or protocol is
configured on a tested device). The actually obtained maximum values may
be different from the maximum values provided in this document due to
factors such as differences in hardware configurations and carried services.
● Interface numbers used in this document are examples. Use the existing
interface numbers on devices for configuration.
● The pictures of hardware in this document are for reference only.
● The supported boards are described in the document. Whether a
customization requirement can be met is subject to the information provided
at the pre-sales interface.
● In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.
● The configuration precautions described in this document may not accurately
reflect all scenarios.
● Log Reference and Alarm Reference respectively describe the logs and alarms
for which a trigger mechanism is available. The actual logs and alarms that
the product can generate depend on the types of services it supports.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as
follows.
Convention Description
Change History
Changes between document issues are cumulative. The latest document issue
contains all the changes made in earlier issues.
The console port is a serial port on a main control board. Each main control board
provides one console port, and the type of the console port is EIA/TIA-232 DCE.
You can directly connect a terminal's serial port to the console port to configure
the router.
NOTE
● When you log in to the system for the first time, the system prompts you to set the password.
● You can press CTRL+R to restore the factory settings and clear the configured password. Because this requires nothing more than console access, physical access to the console port must be restricted to authorized personnel.
Feature Requirements
None
Usage Scenario
To perform configurations or management on a device that is powered on for the
first time, you must use the console port to log in to the device.
Pre-configuration Tasks
Before logging in to a device through a console port, complete the following tasks:
● Install a terminal emulation program, such as PuTTY, on the PC.
● Prepare a console configuration cable.
NOTE
Use the configuration cable delivered with the device to connect the device to the PC, and
ensure that the console port on the device is connected to the COM port on the PC.
Procedure
Step 1 Power on the device and PC.
Step 2 Use a configuration cable to connect the COM port on the PC to the console port
on the master main control board of the device. If the ACT indicator on the main
control board is steady on, the main control board is the master one.
----End
Context
You must configure login parameters based on the physical attributes of the
console port on the device. The physical attributes include the transmission rate,
data bits, parity, stop bits, and flow control mode. For the first login, use the
default values of parameters.
The PuTTY.exe software must have been installed on the client.
Procedure
Step 1 Start the PuTTY.exe program. In the PuTTY configuration page (shown in Figure
1-1), set the connection type to Serial.
Step 2 Choose Serial in the Category navigation tree on the left of the PuTTY
configuration page. In the port connection configuration page (shown in Figure
1-2), set the communication parameters of the port to the default values of the
device. (The following figure is for reference only. Use the default settings during
configuration.)
Step 3 Click Open. The system then prompts you to set an authentication password, as shown in Figure 1-3. After you confirm the password, the system saves it automatically.
After the password is set, the command prompt (for example, <HUAWEI>) of the
user view is displayed, which indicates that you have entered the user view and
can perform configurations.
You can enter commands to configure the device or view its running status. Enter
a question mark (?) when you need help.
----End
Context
To remotely manage and control devices in a unified manner on large-scale
networks and thereby improve deployment efficiency and reduce O&M costs, you
can use the plug-and-play function based on either DCN or DHCP to batch deploy
devices powered on for the first time:
● DCN: After devices are powered on, their IP addresses (NEIPs) are
automatically generated based on their NEIDs. The mapping between the
NEIPs and NEIDs is contained in link-state advertisements (LSAs), which are
flooded by OSPF to form a core routing table. The NMS accesses the devices
based on the IP address of the GNE and the target NEIDs reported by the
GNE, and remotely manages all the devices through the GNE.
● DHCP: Zero touch provisioning (ZTP) is the main plug-and-play function
implemented in DHCP mode. It allows unconfigured devices to obtain version
files from a file server during the power-on and startup process and then
automatically load the files.
NOTE
If a device is powered on without loading the default configuration file containing the
username and password, it enters the first-login process in which you are prompted to
create a username and set a password. In this case, the device fails to go online through
the plug-and-play function.
Procedure
Step 1 Power on the device.
Step 2 The device enters the corresponding plug-and-play process.
● If DCN Configuration is implemented, the NMS can communicate with the
device for remote management.
● If 1.1.9.3 Configuring Automatic ZTP Deployment Through DHCP is
implemented, the device can obtain version files from the file server and
automatically load the files.
----End
NOTICE
When a user runs a command that requires a password entry, some passwords are
displayed in plaintext on a screen. To prevent a password leak, clear the screen
promptly.
Usage Scenario
Before using the CLI to configure services, you can establish a basic running
environment for the CLI to meet actual requirements.
Pre-configuration Tasks
Before establishing a running environment for the CLI, complete the following
tasks:
● Install the router and power it on.
● Log in to the router through a PC.
Context
Header information refers to a message that is displayed after you access a router
or a message that is displayed after the login authentication is successful and
before you start to configure the router. Header information provides explicit
indications for your login.
NOTE
If you attempt to log in during system initialization, the system displays a message,
indicating that the file system has not completed initialization and files fail to be obtained.
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Procedure
Step 1 Run system-view
----End
Context
If you do not change a command level separately, all originally registered
commands automatically change based on the following rules after the command
level is updated:
NOTICE
Do not change the default level of a command. If the default level of a command
is changed, some users may be unable to use the command any longer.
Procedure
Step 1 Run system-view
All commands have default command views and levels. Generally, you do not
need to configure them.
Commands are classified into the visit level (0), monitoring level (1), configuration level (2), and management level (3), in ascending order of privilege.
----End
Procedure
Step 1 Run configuration exclusive
The configuration is locked and accessible only to the current user.
After the configuration is locked, the current user holds exclusive configuration rights; no other user can modify the configuration until it is unlocked.
NOTE
You can run the display configuration-occupied user command to view the current user
that has the unshared configuration rights.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run run command-line
The system is configured to allow user-view commands to be executed in the
system view.
----End
Procedure
● Enable the system command timestamp function.
a. Run system-view
After this function is enabled, the device displays the date and time each
time a display command is run.
c. Run commit
NOTE
● After this function is enabled, the device displays the current system date and
time once you enter any command and press Enter.
● The terminal command timestamp command takes effect only on commands executed within the current user session. After you log out and log in again, the command timestamp function no longer takes effect and must be reconfigured.
● If you run the timestamp enable command and then the undo terminal
command timestamp command, the timestamps are displayed after you run
display commands, but are not displayed after you run non-display
commands.
----End
Usage Scenario
Before using the CLI to configure services, you must understand basic CLI
operations.
Pre-configuration Tasks
Before using the CLI, complete the following tasks:
NOTE
In two-phase validation mode, if any configuration has not been committed, the view prompt is marked with an asterisk (*), for example, [*HUAWEI]. If all configurations have been committed, the view prompt is marked with a tilde (~), for example, [~HUAWEI].
NOTE
The default device name is HUAWEI. You can run the sysname command to specify a
device name. You can determine the current view based on the prompt. For example, <>
indicates the user view, and [] indicates any view except the user view.
In the multi-level view, you can directly enter # to return to the system view.
You can enter ! or # followed by a character string in any view. All entered content
(including ! and #) is displayed as comments. That is, the corresponding configuration is
not generated.
You can run the quit command to quit the current view and enter a view of a
lower level. If the current view is the user view, you are logged out of the system.
You can run the return command to quit the current view and enter the user view.
If the current view is the user view, the user view is still displayed.
Certain commands that can be run in the system view can also be run in other
views. The function implemented by a command is determined by the command
view in which the command is run. For example, if the mpls command is run in
the system view, MPLS is enabled globally; if the mpls command is run in the
interface view, MPLS is enabled on the interface.
The CLI on an NE9000 provides basic command editing functions and supports
multi-line editing. Each command can contain a maximum of 3100 characters.
Key                              Function
Up cursor key (↑) or Ctrl+P      Displays the previous historical command, if an earlier historical command exists.
Down cursor key (↓) or Ctrl+N    Displays the next historical command if a later one exists, or clears the command line if there is no later historical command.
NOTE
For Windows 9X HyperTerminal, the function provided by the Up cursor key (↑) cannot be
implemented, because Windows 9X HyperTerminal has defined a different function for the
key. You can press Ctrl+P to implement the function provided by the key.
Follow-up Procedure
A terminal automatically saves typed historical commands, which can be any
keyboard entry ending with Enter. To delete the historical commands, run the
reset history-command all-users or reset history-command command.
Context
Basic configurations are complete.
Procedure
● Run display current-configuration [ configuration [ configuration-type
[ configuration-instance ] | config-type-no-inst ] | all | inactive ] [ include-
default ]
If the configuration parameters that are taking effect are the same as the
default working parameters, they are not displayed. The configured
parameters that do not take effect are not displayed either.
----End
Procedure
Step 1 Run display diagnostic-information
----End
Display Feature
When the information cannot be completely displayed on one screen, you can
adopt the pause function. You have three choices, as described in Table 1-4.
Key Function
Regular Expression
A regular expression describes a pattern that matches a set of character strings. It
consists of common characters (such as characters a to z) and special characters
(also called metacharacters). The regular expression functions as a template to
match a character pattern with the searched character string.
The regular expression has the following functions:
● Checks and obtains the sub-character string that matches a certain rule in the
character string.
● Replaces the character string based on the matching rule.
Common and special characters contained in the regular expression are described
as follows:
● Common characters
Common characters match common characters in the character string,
including all uppercase letters, lowercase letters, digits, punctuation marks,
and special symbols. For example, a matches a in abc, and @ matches @ in
xxx@xxx.com.
● Special characters
Special characters, together with common characters, match complicated or
special character strings. For example, ^10 matches 10.10.10.1 but not 2.2.2.2.
Table 1-5 describes special characters and their functions.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the
screen.
● Degeneration of special characters
Certain special characters degenerate to common characters when being
placed at special positions in the regular expression.
– A special character preceded by a backslash (\) is escaped and matches itself literally.
– The special character "*", "+", or "?" is placed at the start position of the
regular expression. For example, +45 matches +45 and abc(*def) matches
abc*def.
– The special character "^" is placed at any position except the start
position of the regular expression. For example, abc^ matches abc^.
– The special character "$" is placed at any position except the end position
of the regular expression. For example, 12$2 matches 12$2.
– The right bracket (for example, ")" or "]") is not paired with its
corresponding left bracket "(" or "[". For example, abc) matches abc) and
0-9] matches 0-9].
NOTE
Unless otherwise specified, degeneration rules are applicable when the preceding
regular expressions serve as subexpressions within parentheses.
● Combination of common and special characters
In practice, multiple common and special characters are often combined to
match a special character string.
The NE9000 supports filter criteria based on a regular expression. All display
commands support regular expressions. If filter criteria are specified in a display
command, the first line in the command output is a complete message that
contains the specified character string, instead of a message that starts with the
specified character string.
For the commands supporting regular expressions, you can choose the following
filter criteria:
● | begin regular-expression
Displays all the lines following the line that matches the regular expression.
That is, the system displays both the line that contains the specified character
string (case-sensitive) and all the following lines on a terminal.
● | exclude regular-expression
Displays all the lines that do not match the regular expression. That is, the
system displays only the lines that do not contain the specified character
string (case-sensitive) on a terminal. If no line matches, the output is empty.
● | include regular-expression
Displays only the lines that match the regular expression. That is, the system
displays only the lines that contain the specified character string (case-
sensitive) on a terminal. If no line matches, the output is empty.
NOTE
The command output can be filtered by multiple regular expressions. The regular
expressions take effect in configuration sequence. A maximum of 32 regular expressions
can be configured to filter the command output. For example, you can run the display
current-configuration | section include ip | exclude address 10.1 | exclude description
command to display the command output that contains ip but does not contain address
10.1 or description.
When you run a display command with filter criteria set, note the following:
● The first line in the output begins with a complete message containing the
specified character string rather than with the specified character string.
● If a configured command does not take effect, no output information is
displayed.
The NE9000 can redirect the output of a display command to a specified file in
either of the following modes:
● > filename
The output is redirected to a specified file. If the file already exists, the
content of the file is overwritten.
● >> filename
The output is appended to a specified file, with the original content of the file
remaining unchanged.
When a display command is run with | refresh, note the following:
● If the refresh interval is too short, CPU usage increases. Set the interval to a proper value.
● If fewer than four VTY channels are available, | refresh cannot be specified for a new command. Commands for which | refresh has already been specified are not affected.
● Only display commands support | refresh.
Context
To enable the command alias function for the current terminal, run the terminal
command alias command. To disable the command alias function for the current
terminal, run the undo terminal command alias command. Disabling the
command alias function does not delete the existing alias configuration.
Therefore, the existing alias configuration continues to take effect if you enable
the command alias function again for the current terminal. You can run the
display terminal command alias command to view the status of the command
alias function.
Procedure
Step 1 Run system-view
Step 3 Run alias alias-string [ parameter parameter & <1-32> ] command command
----End
Follow-up Procedure
● Run the display command alias command to view the alias configuration.
Context
Intelligent rollback enables the system to automatically return to the previous
view if a command fails to be run in the current view. The system performs view
return attempts until the applicable view of the command is displayed.
When configuring services, you need to enter the view of the command to be
configured to complete the configuration. In this case, you need to run the quit
command repeatedly to exit the current view and enter the required view. The
intelligent rollback function allows you to run commands of other views in the
current view to reduce repeated quit operations.
NOTE
If command matching fails because an ambiguous command is entered in the current view,
no intelligent rollback can be performed.
Intelligent rollback is not performed when a command fails to be matched.
The undo commands do not support intelligent rollback.
Example
1. Run the terminal command forward matched upper-view command to
enable the intelligent rollback function.
2. Run the system-view command to enter the system view.
3. Run the interface GigabitEthernet1/0/0.1 command to create a sub-interface
and enter the sub-interface view.
4. You do not need to exit the current view. Run the interface LoopBack 1
command to create a loopback interface and enter the loopback interface
view.
Context
Misoperations of some commands cause the configurations of related features to
be deleted, interrupting services and disconnecting the user network. To prevent
misoperations, you can enable secondary authentication.
After secondary authentication is enabled, you need to enter the login password
for secondary authentication before running the reboot, reset saved-
configuration, rollback configuration, undo mpls, undo mpls te, undo mpls
rsvp, undo mpls ldp, undo mpls l2vpn, undo multicast ipv6 routing-enable,
undo multicast routing-enable, undo pim, undo igmp, undo bfd, or undo stp
enable command.
NOTE
To prevent some services from being unavailable due to misoperations, you are advised to
enable secondary authentication.
Example
1. Run system-view
The system view is displayed.
2. Run configuration re-authentication enable
Secondary authentication is enabled.
3. Run commit
The configuration is committed.
Full Help
You can obtain full help using any of the following methods:
● Enter a question mark (?) in any command view to obtain all the commands
and their simple descriptions.
<HUAWEI> ?
● Enter a command followed by a space and a question mark (?). If the position
of the question mark (?) is for a keyword, all the keywords and their brief
description are listed. Use the following command output as an example:
<HUAWEI> terminal ?
debugging Enable/disable debug information to terminal
logging Enable/disable log information to terminal
The words "debugging" and "logging" are keywords, following with their
descriptions.
● Enter a command followed by a space and a question mark (?). If the position
of the question mark (?) is for a parameter, the value range and function of
the parameter are listed. Use the following command output as an example:
[*HUAWEI] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout, the default value is 10 minutes
[*HUAWEI] ftp timeout 35 ?
<cr>
Partial Help
You can obtain partial help using any of the following methods:
● Enter a string followed by a question mark (?). The system lists all the
keywords that start with the string.
<HUAWEI> d?
debugging delete
dir display
car clock
configuration control-flap
cpu-defend cpu-monitor
cpu-usage current-configuration
● Enter the initial letters of a keyword in a command line and press Tab. The
system lists the complete keyword. If there are several matches for the
keyword, you can press Tab repeatedly. The system lists various keywords for
you to choose the one you need.
Usage Scenario
When you use commands to configure services, you can define shortcut keys to
rapidly enter commonly used commands.
Pre-configuration Tasks
Before using shortcut keys, complete the following tasks:
● User-defined shortcut keys: You can define shortcut keys: Ctrl+G, Ctrl+L, Ctrl
+O, and Ctrl+U. You can associate each shortcut key with any command.
When you use a shortcut key, the system automatically runs the
corresponding command. For details, see 1.1.3.6.2 Defining Shortcut Keys.
● System shortcut keys: They provide fixed functions and cannot be defined by
users. Table 1-7 describes system shortcut keys.
NOTE
Different terminal software defines shortcut keys differently. Therefore, the shortcut keys on
a terminal may be different from those listed in this section.
Key Function
Procedure
Step 1 Run system-view
----End
Context
If you enter an incomplete command and do not press Enter, using a shortcut key
causes the system to delete the entered characters and display the corresponding
command on the screen. The result is the same as that of entering a complete
command.
Like the use of commands, the use of shortcut keys also enables the system to
record the original command in the command buffer and logs for fault detection
and query.
Procedure
Step 1 Run display hotkey
The shortcut keys supported by the system and their functions are displayed.
NOTE
The functions of shortcut keys may be affected by the terminal in use. For example, when
the user-defined shortcut keys conflict with the system shortcut keys on the router, an
entered shortcut key is captured by the terminal program and the corresponding command
cannot be run.
----End
Context
The global session log function is disabled by default. Enable it if you need to save the input, the screen output, and the time at which the device executes each command to the session log file in the root directory.
The session log function of a single connection is enabled by default. After the global session log function is enabled, the input and screen output of all connections on the device are recorded in the log file. Because the log records input and screen output verbatim, it also captures any password that a command echoes in plaintext (see the NOTICE above); restrict access to the log file accordingly. If session logs are not needed for some connections, run the terminal session-log disable command to disable the session log function for those connections.
Procedure
● Enable the global session log function.
a. Run system-view
The system view is displayed.
b. Run undo info-center session log disable
The global session log function is enabled.
c. Run commit
The configuration is committed.
● Disable the session log function for the current connection.
Run display info-center session log status
The status of the global session log function and the status of the session log
function of all online connections are displayed.
– If the global session log function is enabled, perform the following steps:
i. Run the system-view command to enter the system view.
ii. Run the terminal session-log disable command to disable the
session log function of the current connection.
iii. Run the commit command to commit the configuration.
– If the global session log function is disabled, no further action is required.
----End
Networking Requirements
A router is deployed.
Precautions
None
Configuration Roadmap
The configuration roadmap is as follows:
1. If there is only one match for an incomplete keyword, enter the incomplete
keyword and press Tab.
2. If there are several matches for an incomplete keyword, enter the incomplete
keyword and press Tab repeatedly until the desired keyword is found.
3. Enter an incorrect keyword and press Tab. The incorrect keyword remains
unchanged.
Procedure
● If There Is Only One Match for an Incomplete keyword
a. Enter an incomplete keyword.
[~HUAWEI] ip rout
b. Press Tab.
The system replaces the entered keyword with the complete keyword
followed by a space.
[~HUAWEI] ip route-static
b. Press Tab.
The system first displays the prefixes of all the matched keywords. In this
example, the prefix is default.
[~HUAWEI] ip route-static default-
Press Tab to switch from one matching keyword to another. The cursor
closely follows the end of a word.
[~HUAWEI] ip route-static default-bfd
[*HUAWEI] ip route-static default-preference
b. Press Tab.
The system displays the output in a new line. The entered keyword
remains unchanged.
[~HUAWEI] ip route-static default-pe
----End
Configuration Files
None.
Networking Requirements
A router is deployed.
Precautions
If a user does not have the right to execute the command associated with a
defined shortcut key, the system makes no response when the user presses this
shortcut key.
Configuration Roadmap
The configuration roadmap is as follows:
1. Define the shortcut key Ctrl+U and associate it with the display ip routing-
table command.
2. Press Ctrl+U at the prompt of [~HUAWEI].
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Define the shortcut key Ctrl+U and associate it with the display ip routing-table
command.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_u "display ip routing-table"
[*HUAWEI] commit
----End
Configuration Files
None
You can configure, monitor, and maintain local or remote network devices only
after configuring user interfaces, user management, and terminal services. User
interfaces provide login venues, user management ensures login security, and
terminal services provide login protocols. Routers support user login over console
ports.
Each user interface has a user interface view. You can configure parameters in a
user interface view to determine whether authentication is required for login users
and specify levels for the users. This configuration implements uniform
management of various user sessions.
NOTE
If a user logs in to a router in different login modes or at different times, the user may be
allocated different user interfaces.
● Relative numbering
This mode uniquely specifies a user interface or a group of user interfaces of the same type.
TTY user interface
  Description: Manages and monitors users logging in through the asynchronous serial port. NOTE: Currently, the system does not support the TTY user interface.
  Absolute numbers: 1 to 32
  Relative numbers: The first one is TTY 0, the second one is TTY 1, and so forth. Absolute numbers 1 to 32 correspond to relative numbers TTY 0 to TTY 31.
VTY user interface
  Description: Manages and controls users who log in to the device using Telnet or SSH.
  Absolute numbers: 34 to 54
  Relative numbers: The first one is VTY 0, the second one is VTY 1, and so forth. Absolute numbers 34 to 54 correspond to relative numbers VTY 0 to VTY 20.
● AAA authentication: Users must enter both user names and passwords for
login. If either a user name or a password is incorrect, the login fails. AAA
authentication is usually used for Telnet users.
Feature Requirements
None
Usage Scenario
To log in to a router through a console port for local maintenance, configure a
console user interface, including physical attributes, terminal attributes, user
levels, and authentication modes. You can configure parameters based on use and
security requirements.
Pre-configuration Tasks
Before configuring a console user interface, log in to a router through a console
port.
Context
To log in to a router through a console port, you must ensure that physical
attributes configured on the terminal emulation program for the console port are
the same as those of the console user interface on the router.
Procedure
Step 1 Run system-view
The value can be 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, or
115200, in bit/s.
----End
Procedure
Step 1 Run system-view
NOTE
Run the screen-length temporary command to set the number of lines in each screen of
the terminal.
----End
Context
User levels correspond to command levels. After a user logs in to a router, the user
can use only commands of the corresponding level or lower.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run user-interface { ui-type | console first-ui-number }
The console user interface view is displayed.
Step 3 Run user privilege level level
NOTE
If the user level configured for a user interface conflicts with the user level configured for a
user, the user level configured for the user takes precedence.
For example, user 001 can use commands at Level 3, and the user level configured for the
user in the user interface view Console 0 is 2. After user 001 logs in through Console 0, the
user can use commands at Level 3 or lower.
----End
Context
NOTE
The password authentication mode is not secure: every user of the interface shares one password, so there is no per-user accountability. AAA authentication, which requires a user name and a password for each login, is strongly recommended.
Procedure
● Configure AAA authentication.
a. Run system-view
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run user-interface { ui-type | console first-ui-number }
The console user interface view is displayed.
Step 3 Run shutdown
The console user interface is disabled.
Step 4 Run commit
The configuration is committed.
----End
Prerequisites
The console user interface has been configured.
Procedure
● Run the display users [ all ] command to check user login information about
user interfaces.
● Run the display user-interface console 0 command to check physical
attributes and configurations of the user interface.
In VS mode, this command is supported only by the admin VS.
● Run the display local-user command to check the local user list.
● Run the display access-user command to check information about users that
pass AAA authentication.
----End
Usage Scenario
To log in to a router using Telnet or SSH for local or remote configuration and
maintenance, configure VTY user interfaces, including the maximum number of
VTY user interfaces, limit on incoming and outgoing calls, terminal attributes, user
levels, and authentication modes. You can configure parameters based on use and
security requirements.
Pre-configuration Tasks
Before configuring VTY user interfaces, log in to a router through a console port.
Context
The maximum number of VTY user interfaces is the total number of users who use
Telnet and SSH to log in.
NOTICE
If the maximum number of VTY user interfaces is set to 0 on a router, no user can
log in to the router using VTY.
Procedure
Step 1 Run system-view
● If the configured maximum number is less than the current number, online
users are not affected and no additional configuration is needed.
● If the configured maximum number is greater than the current number,
configure the authentication mode and password for additional users. The
system uses password authentication to authenticate users who log in
through newly added user interfaces.
For example, run the following commands to increase the maximum number of
allowed online users from 5 to 18 and configure password authentication for the
newly added user interfaces. The password is entered interactively, and the
system does not display the entered password. A password must meet the
following requirements:
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[*HUAWEI] user-interface vty 5 17
[*HUAWEI-ui-vty5-17] authentication-mode password
[*HUAWEI-ui-vty5-17] set authentication password
Please configure the login password (8-16)
Enter Password:
Confirm Password:
NOTE
▪ A password that contains spaces is enclosed in double quotation marks, and such a
password cannot itself contain double quotation marks.
----End
1.1.4.4.2 Configuring the Limit on Incoming and Outgoing Calls for a VTY User Interface
An access control list (ACL) can be configured to limit incoming and outgoing calls
for a VTY user interface.
Context
An ACL can be configured to either allow or deny Telnet connections based on
source or destination IP addresses:
● A basic ACL, with its number ranging from 2000 to 2999, controls Telnet
connections based on source IP addresses.
● An advanced ACL, with its number ranging from 3000 to 3999, controls Telnet
connections based on both source and destination IP addresses.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Compared to a basic ACL that filters packets based on source addresses, an
advanced ACL supports richer filtering rules: not based only on packet source
addresses but also based on packet destination address or priorities. Run either of
the following commands:
● For a basic ACL:
To enter the ACL view, run the acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ] command.
To enter the ACL6 view, run the acl ipv6 { name basic-acl6-name basic | [ number ] basic-acl6-number } [ match-order { config | auto } ] command.
● For an advanced ACL:
To enter the ACL view, run the acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ] command.
To enter the ACL6 view, run the acl ipv6 { name advance-acl6-name [ advance | [ advance ] number advance-acl6-number ] | [ number ] advance-acl6-number } [ match-order { config | auto } ] command.
The user interface supports the basic ACL ranging from 2000 to 2999 and the
advanced ACL ranging from 3000 to 3999.
NOTE
● By default, an ACL denies all login packets. Only users whose source IP addresses
match an ACL rule with the permit action can log in to the device.
In the following example, two rules are configured to prohibit users with the IP address
10.1.1.10 from logging in to the device while allowing all other users to log in to the
device:
– rule deny source 10.1.1.10 0
– rule permit source any
If the rule permit source any command is not configured, users whose source IP
addresses are not 10.1.1.10 are also prohibited from logging in to the device.
● If a user's source IP address does not match the ACL rule that allows login, the user is
prohibited from logging in to the device.
● If the ACL referenced by VTY does not contain any rules or does not exist, any user can
log in to the device.
----End
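The login decision described in the note above, as an added example that is not Huawei code: a small model of a basic ACL bound to a VTY interface, with rules evaluated in configuration order (match-order config; the auto order is not modelled), the implicit deny when no rule matches, and the permit-all behaviour of an absent or empty ACL. The rule lines and addresses are constructed.

```python
"""Model of the VTY login ACL semantics documented in this guide.
Added example, not Huawei code: it models the decision, not the VRP parser."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# rule [ rule-id ] { permit | deny } source { address wildcard | address 0 | any }
RULE_RE = re.compile(
    r"^rule\s+(?:(?P<id>\d+)\s+)?(?P<action>permit|deny)\s+source\s+"
    r"(?:(?P<any>any)|(?P<addr>\d+(?:\.\d+){3})\s+(?P<wild>\d+(?:\.\d+){3}|0))\s*$"
)


@dataclass
class Rule:
    action: str
    network: int = 0        # rule address as an integer
    wildcard: int = 0       # wildcard mask: a 1 bit is "don't care"
    match_any: bool = False

    def matches(self, ip: str) -> bool:
        if self.match_any:
            return True
        # A 0 bit in the wildcard must equal the rule address; "0" means exact host.
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.network & care)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    if m.group("any"):
        return Rule(m.group("action"), match_any=True)
    wild = m.group("wild")
    wildcard = 0 if wild == "0" else int(ipaddress.IPv4Address(wild))
    return Rule(m.group("action"), int(ipaddress.IPv4Address(m.group("addr"))), wildcard)


@dataclass
class BasicAcl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self):
        # The guide: a VTY user interface accepts basic ACLs 2000-2999 only.
        if not 2000 <= self.number <= 2999:
            raise ValueError("VTY user interfaces accept basic ACLs 2000-2999 only")


def build_acl(number: int, lines: List[str]) -> BasicAcl:
    return BasicAcl(number, [parse_rule(line) for line in lines])


def vty_login_allowed(acl: Optional[BasicAcl], source_ip: str) -> bool:
    """True if a Telnet/SSH client at source_ip may reach the VTY interface.

    - No ACL bound, or an ACL without rules: every client may log in.
    - Otherwise the first matching rule, in configuration order, decides.
    - A client that matches no rule is denied (the default deny in the guide).
    """
    if acl is None or not acl.rules:
        return True
    for rule in acl.rules:
        if rule.matches(source_ip):
            return rule.action == "permit"
    return False
```

Note that an ACL containing only a deny rule (as in the configuration example later in this guide) denies every source address, because nothing matches a permit rule.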
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run user-interface vty first-ui-number [ last-ui-number ]
One or more VTY user interface views are displayed.
Step 3 Run shell
The VTY terminal service is started.
----End
Context
User levels correspond to command levels. After a user logs in to a router, the user
can use only commands of the corresponding level or lower.
Procedure
Step 1 Run system-view
If the user level configured for a user interface conflicts with the user level configured for a
user, the user level configured for the user takes precedence.
For example, user 001 can use commands at Level 3, and the user level configured for the
user in the user interface view VTY 0 is 2. After user 001 logs in through VTY 0, the user can
use commands at Level 3 or lower.
----End
Context
NOTE
The password authentication mode is not secure, and it is strongly recommended to use
AAA authentication mode.
Procedure
● Configure AAA authentication.
a. Run system-view
NOTE
----End
1.1.4.4.6 Configure an Alarm Threshold for the Number of Available VTY Channels
By configuring an alarm threshold for the number of available VTY channels, you can
learn about the availability of VTY channels on a device in a timely manner.
Context
When the number of available VTY channels on a device is less than or equal to
the threshold, the device reports an alarm.
Procedure
Step 1 Run the system-view command to enter the system view.
If the configured alarm threshold is greater than the maximum number of VTY users, the
system displays a message indicating that the configuration is invalid.
----End
Procedure
Step 1 Run system-view
----End
Prerequisites
A VTY user interface has been configured.
Procedure
● Run the display users [ all ] command to check user login information about
user interfaces.
● Run the display user-interface maximum-vty command to check the
configured maximum number of VTY user interfaces.
● Run the display user-interface vty ui-number command to check physical
attributes and configuration of the user interface.
● Run the display local-user command to check the local user list.
● Run the display access-user command to check information about users that
pass AAA authentication.
● Run the display vty mode command to check the VTY mode.
----End
Networking Requirements
To initialize the configurations of a new device or locally maintain the device, log
in to the device through the console user interface. You can configure attributes
for the console user interface based on use and security requirements.
Precautions
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Set a user level.
4. Set an authentication mode and password.
NOTE
The user name and password do not have default values. Other parameters have default values,
which are recommended.
Data Preparation
To complete the configuration, you need the following data:
● Transmission rate of a connection: 4800 bit/s
● Flow control mode: none
● Parity: even
● Stopbits: 2
● Databits: 6
● Timeout period of an idle connection: 30 minutes
● Number of rows displayed on a terminal screen: 30
● Buffer size for historical commands: 20
● User level: 15
● Authentication mode: password authentication
Procedure
Step 1 Configure physical attributes for the console user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 4800
[*HUAWEI-ui-console0] flow-control none
NOTE
After the console user interface has been configured, you can log in to the device
through the console port in password authentication mode. For information about
how to log in to the system through the console port, see 1.1.5.3 Configuring
Login Through a Console Port.
Step 5 Verify the configuration.
After completing the configurations, run the display user-interface command to
view the configuration of Console 0.
<HUAWEI> display user-interface 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+0 CON 0 9600 - 3 - P -
+ : Current user-interface is active.
F : Current user-interface is active and work in async mode.
Idx : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi : The privilege of user-interface.
ActualPrivi : The actual privilege of user-interface.
----End
Configuration Files
#
sysname HUAWEI
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password cipher @%@%(t7h+Qu=a#pz`3Kylk1/,JXR%iy(DA!x8&+!|#b&.dEW65~.lEqGm~Np$O#2M]xJM@%@%
history-command max-size 20
idle-timeout 30 0
databits 6
parity even
stopbits 2
speed 4800
screen-length 30
#
return
Networking Requirements
To log in to a router using Telnet or SSH for local or remote configuration and
maintenance, configure VTY user interfaces, including the maximum number of
VTY user interfaces, limit on incoming and outgoing calls, terminal attributes, user
levels, and authentication modes. You can configure parameters based on use and
security requirements.
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the maximum number of VTY user interfaces.
2. Configure the limit on incoming and outgoing calls for VTY user interfaces.
3. Configure terminal attributes for the VTY user interfaces.
4. Set a user level for the VTY user interfaces.
5. Configure an authentication mode and password for the VTY user interfaces.
Data Preparation
To complete the configuration, you need the following data:
● Maximum number of VTY user interfaces: 21
● Number of the ACL applied to limit incoming calls for the VTY user interfaces:
2000
● Timeout period of an idle connection: 30 minutes
● Number of rows displayed on a terminal screen: 30
● Buffer size for historical commands: 20
● User level: 15
● Authentication mode: password authentication
NOTE
The ACL number for limiting incoming and outgoing calls in VTY user interfaces, password, and
user name do not have default values. Other parameters have default values, which are
recommended.
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 21
[*HUAWEI] commit
Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule deny source 10.1.1.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] user-interface vty 0 17
[*HUAWEI-ui-vty0-17] acl 2000 inbound
[*HUAWEI-ui-vty0-17] commit
NOTE
After the VTY user interfaces have been configured, you can use Telnet or SSH to
log in to the device in password authentication mode to maintain the device
locally or remotely. For information about how to use Telnet or SSH to log in to a
device, see 1.1.5.4 Configuring a User to Log In Through Telnet or 1.1.5.5
Configuring STelnet Login.
Step 6 Verify the configuration.
After completing the configurations, run the display user-interface command to
view the configurations of the VTY user interfaces.
Use VTY 14 as an example:
[~HUAWEI] display user-interface vty 14
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
48 VTY 14 - 15 - P -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
----End
Configuration Files
#
acl number 2000
rule 5 deny source 10.1.1.1 0
#
user-interface maximum-vty 21
#
user-interface vty 0 17
authentication-mode password
user privilege level 15
set authentication password cipher @%@%qQ5h+h1Ba#pJOx#+2[NX>3v'Ks6m@1Qg4%T>-q:D>7{](U0.BAb*OlJW&>We\]@%@%
history-command max-size 20
idle-timeout 30 0
screen-length 30
acl 2000 inbound
return
Context
If multiple users log in to a device through a console port, the following security
risks occur:
● The device authenticates only the first user.
● The input information of a user is displayed for all users at the same time. For
example, if a user runs a command to change the password, the input
information is visible to all users at the same time.
Therefore, logging in to a device through the console port is not recommended for
multiple users. If console login is required, do not configure multiple users for
simultaneous login.
When a user logs in to a device using one of the preceding methods, the device
automatically executes a built-in batch processing file and records the execution
information in the system log file.
Console Port
For information about a console port, see Overview of Logging In to the System
for the First Time.
Telnet
Telnet is an application layer protocol in the TCP/IP protocol suite and provides
remote login and virtual terminal services. The NE9000 provides the following
Telnet services:
● Telnet server: A user runs the Telnet client program on a PC to log in to the
device to configure and manage the device. The device functions as a Telnet
server.
● Telnet client: After using the terminal emulator or Telnet client program on a
PC to connect to the device, a user runs the telnet command to log in to
another device for configuration and management. The device functions as a
Telnet client. In Figure 1-4, the CE functions as both a Telnet server and a
Telnet client.
NOTE
When the server fails and the client is unaware of the failure, the server
does not respond to the client's input. If you enter Ctrl_K, the Telnet
client interrupts and quits the Telnet connection.
For example, enter Ctrl_K on P3 to quit the Telnet connection.
<P3> Ctrl_K
<P1>
NOTICE
When the number of remote login users reaches the maximum number
of VTY user interfaces, the system prompts subsequent users with a
message, indicating that all user interfaces are in use and no more Telnet
connections are allowed.
STelnet
NOTE
Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices
running SSH2 can function as SSH clients. STelnet is based on SSH2. When the client and
the server set up a secure connection after negotiation, the client can log in to the server in
the same way as using Telnet.
Telnet access is not secure because there is no authentication method and the
data transmitted across Transmission Control Protocol (TCP) connections is in
plaintext. As a result, the system is vulnerable to denial of service (DoS), IP
address spoofing, and route spoofing attacks.
SSH provides secure remote access on an insecure network by supporting the
following functions:
● Supports key authentication. The public and private keys are generated
according to the encryption principle of the asymmetric encryption system,
which helps implement secure key exchange and ensures secure sessions.
● Encrypts transmitted data.
● When the SSH client communicates with the server, the user name and
password are encrypted to prevent the password from being intercepted.
A device serving as an SSH server can accept connection requests from multiple
SSH clients. The device can also serve as an SSH client, helping users establish SSH
connections with an SSH server. This allows users to use SSH to log in to remote
devices from the local device.
● Local connection
As shown in Figure 1-6, an SSH channel is established for a local connection.
Feature Requirements
None
Usage Scenario
If a router is powered on for the first time, you can log in to the router only
through the console port.
● If you cannot remotely access a device, you can locally log in to the device
through the console port.
● If a device fails to start, you can log in to the device to diagnose the fault or
enter the BootROM to upgrade the device through the console port.
Pre-configuration Tasks
Before logging in to a router through a console port, complete the following tasks:
● Install a terminal emulator on a PC, such as PuTTY.exe.
● Prepare a console configuration cable.
Context
NOTE
● Communication parameters of the user terminal must be consistent with the physical
attributes of the console user interface on the router.
● If an authentication mode has been configured for the console user interface, a user can
log in to the router only after authentication succeeds, which enhances network
security.
Procedure
Step 1 Start the PuTTY.exe program. In the PuTTY configuration page (shown in Figure
1-8), set the connection type to Serial.
Step 2 Choose Serial in the Category navigation tree on the left of the PuTTY
configuration page. In the port connection configuration page (shown in Figure
1-9), set the communication parameters of the port to the default values of the
device. (The following figure is for reference only. Use the default settings during
configuration.)
Step 3 Click Open. The system then prompts you to set an authentication password, as
shown in Figure 1-10. After you confirm the password, the system automatically
saves it.
After the password is set, the command prompt (for example, <HUAWEI>) of the
user view is displayed, which indicates that you have entered the user view and
can perform configurations.
You can enter commands to configure the device or view its running status. Enter
a question mark (?) when you need help.
NOTE
----End
Context
Console user interface attributes have default values on a router. Generally, you do
not need to configure them. To meet specific use requirements or ensure network
security, you can modify console user interface attributes, such as terminal
attributes and authentication mode.
For details about how to configure the console user interface, see Configuring the
Console User Interface.
NOTE
Modifications to console user interface attributes take effect immediately. When you log in
to a router through a console port to configure console user interface attributes, the
connection may be interrupted. Therefore, it is recommended that you configure console
user interface attributes using other login methods. To log in to the router through the
console port again after configuring console user interface attributes, you must ensure that
the configurations of the terminal emulator running on the PC are consistent with the
console user interface attributes configured on the router.
Prerequisites
Login through a console port has been configured.
Procedure
● Run the display users [ all ] command to check user login information about
user interfaces.
● Run the display user-interface console 0 command to check physical
attributes and configurations of the user interface.
In VS mode, this command is supported only by the admin VS.
● Run the display local-user command to check the local user list.
● Run the display access-user command to check information about users that
pass AAA authentication.
----End
Usage Scenario
If one or more devices need to be configured and managed, you do not need to
connect each of the devices to the user terminal for local maintenance. If you
have obtained the IP addresses of the devices and it is not the first time for you to
log in to the devices, use Telnet to log in to the devices from the user terminal and
perform remote device configuration. This method allows you to maintain
multiple devices using a single user terminal, greatly facilitating operations.
NOTE
Pre-configuration Tasks
Before configuring a user to log in to devices through Telnet, log in to the devices
through the console port and change the default configurations of the devices so
that the user can remotely log in to the devices through Telnet to perform
management and maintenance. To change the default configurations, complete
the following tasks:
● Configure IP addresses for the management network interfaces of the devices
to ensure that the routes between the user terminal and devices are
reachable.
● Configure an authentication mode and user level for VTY user interfaces
to achieve remote device management and maintenance.
● Enable the Telnet server function so that users can remotely log in to
devices through Telnet.
1.1.5.4.1 Configuring a User Level and Authentication Mode for the VTY User Interface
To use Telnet to log in to a device for remote management and maintenance, you
must first log in to the device through the console port and change the user level
and authentication mode.
Context
Other attributes on the VTY user interface have default values. Generally, you do
not need to modify them. You can also modify these attributes as required. For
details, see 1.1.4.4 Configuring VTY User Interfaces.
Procedure
● Configure a user level for the VTY user interface.
a. Run system-view
The system view is displayed.
b. Run user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
c. Run the user privilege level level command to set the user level. Table
1-11 lists the mapping between user levels and command levels in the
VTY user interface.
NOTE
● User levels correspond to command levels. After a user logs in to a device, the
user can use only commands of the corresponding level or lower, which
improves device security.
● If the user level configured for a user interface conflicts with the user level
configured for a user, the user level configured for the user takes precedence.
d. Run commit
----End
Context
Perform the following steps on the device to be used as a Telnet server as
required:
Procedure
● Enable the Telnet IPv4 server function.
a. Run system-view
The system view is displayed.
b. Run telnet server enable
The Telnet IPv4 server function is enabled.
c. Run commit
The configuration is committed.
● Enable the Telnet IPv6 server function.
a. Run system-view
The system view is displayed.
b. Run telnet ipv6 server enable
The Telnet IPv6 server function is enabled.
c. Run commit
The configuration is committed.
NOTE
If you disable the Telnet server function on a device, the established Telnet
connections are not interrupted but new Telnet connections are denied. In this
situation, you can log in to the device only by using SSH or through the console port.
----End
Context
To log in to the system by using Telnet, use either the Windows Command Prompt
or third-party software on the terminal. Use the Windows Command Prompt as an
example.
NOTE
In the case of device login through a VTY channel, to avoid the access failure that occurs
when the number of VTY connections exceeds the upper threshold, you can perform the
following operations to check and configure the maximum number of VTY users that can
log in to the device:
1. Run the display user-interface maximum-vty command to check the maximum
number of VTY users that are supported.
2. Run the display user-interface command to check user interface information. The plus
sign (+) indicates an occupied channel. If all channels are occupied, subsequent users
cannot log in to the device. If an online user logs out, the user may fail to log in again
when its channel is occupied by another user. In this case, run the user-interface
maximum-vty number command to configure the maximum number of users that are
allowed to log in.
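The check described in the note above, as an added example that is not Huawei code: it counts the VTY rows flagged with a plus sign in display user-interface output, compares them with the configured maximum-vty, and applies the available-channel alarm threshold from 1.1.4.4.6. The sample output is constructed to the column layout shown in this guide.

```python
"""VTY channel occupancy check over display user-interface output.
Added example, not Huawei code; SAMPLE_OUTPUT is constructed."""
import re
from typing import Optional, Tuple

# Data rows: optional activity flag ('+' active, 'F' active in async mode),
# absolute index, interface type, relative index. Legend lines such as
# "+ : Current UI is active." have no index and are skipped.
ROW_RE = re.compile(r"^\s*(?P<flag>[+F])?\s*(?P<idx>\d+)\s+(?P<type>CON|VTY)\s+(?P<rel>\d+)\b")

SAMPLE_OUTPUT = """\
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 0    CON 0    9600       -     3     -           P     -
  34   VTY 0               -     15    -           P     -
+ 35   VTY 1               -     15    15          A     -
+ 36   VTY 2               -     15    15          A     -
  37   VTY 3               -     15    -           P     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
"""


def parse_active_vty(output: str) -> Tuple[int, int]:
    """Return (active_vty, listed_vty) from display user-interface output."""
    active = listed = 0
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group("type") != "VTY":
            continue
        listed += 1
        if m.group("flag"):      # channel occupied by a logged-in user
            active += 1
    return active, listed


def vty_status(output: str, maximum_vty: int, alarm_threshold: Optional[int] = None) -> dict:
    """Combine the parsed occupancy with the configured limits from this guide."""
    if alarm_threshold is not None and alarm_threshold > maximum_vty:
        # The guide: a threshold above the maximum number of VTY users is invalid.
        raise ValueError("alarm threshold exceeds maximum number of VTY users")
    active, _ = parse_active_vty(output)
    available = max(maximum_vty - active, 0)
    return {
        "active": active,
        "available": available,
        # maximum-vty 0, or every channel occupied: the next remote login fails
        "login_possible": available > 0,
        # the device alarms when available channels are <= the threshold
        "alarm": alarm_threshold is not None and available <= alarm_threshold,
    }
```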
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the telnet ip-address command to use Telnet to log in to the device.
1. Enter the IP address of the Telnet server.
2. Press Enter. The command prompt of the user view, for example, <HUAWEI>,
is displayed, indicating that you have accessed the Telnet server.
----End
Follow-up Procedure
You can run the kill user-interface { ui-number | ui-type ui-number1 } command
to log out a user.
Context
● Listening port number
Attackers may access the default listening port, consuming bandwidth,
degrading server performance, and leaving authorized users unable to log
in to the server. After the listening port number of the Telnet server is
changed, attackers do not know the new listening port number, which
prevents them from accessing the listening port.
● Source interface
A Telnet server receives connection requests from all interfaces after a restart
with non-base configuration, leading to low system security. To enhance
system security, specify a source interface for the Telnet server so that only
authorized users can log in to the Telnet server.
If no source interface is specified after the server starts with base
configuration, users cannot log in to the server through Telnet.
After a source interface is specified, the system allows Telnet users to log in to
the Telnet server only through this source interface. Setting this parameter
does not affect the Telnet users who have logged in to the server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure Telnet server parameters.
● (Optional) Run telnet server port port-number
A listening port number is set for the Telnet server.
If a new listening port number is set, the Telnet server terminates all
established Telnet connections and uses the new port number to listen for
new Telnet connection requests.
● Configure the source interface or source address for the Telnet server.
– Run telnet server-source -i { interface-type interface-number | interface-name }
The source interface is specified for the Telnet server.
NOTE
If you specify a logical interface as the source interface of the Telnet server, this
interface must have been created. Otherwise, the command cannot be executed
successfully.
– Run telnet server-source all-interface
Any interface on the Telnet server can be used as its source interface.
After the command is run, users can log in to the Telnet server through
any physical interface configured with an IPv4 address or any created
logical interface configured with an IPv4 address.
NOTE
If the telnet server-source all-interface command is run, users can log in to the
Telnet server through any interface with a valid IPv4 address, which increases
system security risks. Therefore, running the command is not recommended.
– Run telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
A source IPv6 address is specified for the Telnet server.
If a source IPv6 address is specified, the Telnet server allows users to log
in using this source IPv6 address only and denies access of the users who
attempt to log in using other IPv6 addresses.
– Run telnet ipv6 server-source all-interface
The IPv6 address of any interface on the Telnet server can be used as the
source IPv6 address of the Telnet server.
After the command is run, users can log in to the Telnet server through
any physical interface configured with an IPv6 address or any created
logical interface configured with an IPv6 address.
NOTE
If the telnet ipv6 server-source all-interface command is run, users can log in
to the Telnet server through any valid interface IPv6 address, which increases
system security risks. Therefore, running the command is not recommended.
– Run telnet server-source physic-isolate -i { interface-type interface-number | interface-name } -a ip-address
A source IPv4 interface is specified for the Telnet server, and the interface
isolation attribute is set for the Telnet server.
– Run telnet ipv6 server-source physic-isolate -i { interface-type interface-number | interface-name } -a ipv6-address
A source IPv6 interface is specified for the Telnet server, and the interface
isolation attribute is set for the Telnet server.
NOTE
After the interface isolation attribute is set successfully, packets can be sent to
the server only through the specified physical interface, and those sent through
other interfaces are discarded.
Context
When packets sent to the Telnet server form a traffic burst, sessions may preempt
bandwidth. To resolve this problem, you can configure CAR for whitelisted Telnet
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run whitelist session-car telnet-server { cir cir-value | cbs cbs-value | pir pir-value | pbs pbs-value }*
CAR parameters are configured for whitelisted Telnet sessions.
Step 3 (Optional) Run whitelist session-car telnet-server disable
CAR for whitelisted Telnet sessions is disabled.
Step 4 Run commit
The configuration is committed.
----End
Context
When a device functions as a Telnet server, you can configure an ACL to allow
only the clients that meet the rules specified in the ACL to access the Telnet server.
Perform the following steps on the device that functions as a Telnet server:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]
The ACL view is displayed.
Step 3 Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
or rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type fragment | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *
A rule is configured for the ACL.
Step 4 Run quit
----End
Context
When a device functions as a Telnet server, you can configure the IP address
blocking function to protect the device against network attacks, thereby
enhancing security.
Perform the following steps on a device that functions as a Telnet server.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the undo telnet server ip-block disable command to enable the IP address
blocking function for Telnet connections.
Step 3 Run the commit command to commit the configuration.
NOTE
The IP addresses that fail to be authenticated are blocked only when the IP address
blocking function is enabled. This enhances device security.
Step 4 The IP addresses that fail to be authenticated will be locked for 5 minutes. To
unlock a locked IP address in advance, perform the following steps:
1. Run the quit command to exit the system view and enter the user view.
2. Run the activate vty ip-block ip-address ip-address [ vpnname vpn-name ]
command to unblock the IP address that fails to be authenticated for Telnet
connections.
----End
Context
When the number of Telnet server login failures within a specified period exceeds
the threshold, an alarm is generated and displayed for an administrator to
promptly handle the associated event.
Perform the following steps on a device that functions as a Telnet server:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run telnet server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time
Alarm generation and clearance thresholds for Telnet server login failures within a
specified period are configured.
NOTE
The alarm generation threshold specified using report-times must be greater than or equal
to the alarm clearance threshold specified using resume-times.
----End
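The two Telnet-server defences from the preceding sections, IP address blocking with its 5-minute lock and the login-failure threshold alarm with report-times, resume-times and period, as an added example that is not Huawei code. The event timestamps are constructed; the guide does not state how many failures trigger a block or whether the alarm fires at or above report-times, so both are parameters or labelled assumptions here.

```python
"""Models of Telnet-server IP blocking and the login-failure threshold alarm
described in this guide. Added example, not Huawei code."""
from collections import deque
from typing import Dict, List, Tuple

BLOCK_SECONDS = 5 * 60  # the guide: a failed address is locked for 5 minutes


class LoginFailureAlarm:
    """telnet server login-failed threshold-alarm upper-limit report-times
    lower-limit resume-times period period-time"""

    def __init__(self, report_times: int, resume_times: int, period_seconds: int):
        # The guide requires report-times >= resume-times.
        if report_times < resume_times:
            raise ValueError("upper-limit report-times must be >= lower-limit resume-times")
        self.report, self.resume, self.period = report_times, resume_times, period_seconds
        self._failures: deque = deque()          # failure timestamps inside the period
        self.active = False                      # alarm currently raised?
        self.transitions: List[Tuple[str, int]] = []  # ("raise"|"clear", timestamp)

    def _prune(self, now: int) -> None:
        while self._failures and now - self._failures[0] >= self.period:
            self._failures.popleft()

    def record_failure(self, now: int) -> None:
        self._prune(now)
        self._failures.append(now)
        self._evaluate(now)

    def tick(self, now: int) -> None:
        """Re-evaluate without a new failure, e.g. when old failures age out."""
        self._prune(now)
        self._evaluate(now)

    def _evaluate(self, now: int) -> None:
        n = len(self._failures)
        # Assumption: raised when failures in the period reach report-times,
        # cleared once they drop to resume-times or below.
        if not self.active and n >= self.report:
            self.active = True
            self.transitions.append(("raise", now))
        elif self.active and n <= self.resume:
            self.active = False
            self.transitions.append(("clear", now))


class TelnetIpBlock:
    """IP address blocking (undo telnet server ip-block disable enables it)."""

    def __init__(self, enabled: bool = True, failures_to_block: int = 1):
        # The guide does not say how many failures trigger a block; the count
        # is a parameter here and defaults to blocking on the first failure.
        self.enabled = enabled
        self.failures_to_block = failures_to_block
        self._failures: Dict[str, int] = {}
        self._blocked_until: Dict[str, int] = {}

    def auth_failed(self, ip: str, now: int) -> None:
        if not self.enabled:
            return
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= self.failures_to_block:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            self._failures[ip] = 0

    def is_blocked(self, ip: str, now: int) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:            # lock expired: forget the entry
            del self._blocked_until[ip]
            return False
        return True

    def activate(self, ip: str) -> None:
        """Counterpart of activate vty ip-block ip-address: unlock early."""
        self._blocked_until.pop(ip, None)

    def blocked_list(self, now: int) -> List[str]:
        """Counterpart of display vty ip-block list."""
        return sorted(ip for ip in list(self._blocked_until) if self.is_blocked(ip, now))
```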
Context
When a device functions as a Telnet server, you can configure the maximum
number of connections established using a single IP address to prevent malicious
attacks, thereby enhancing security.
Perform the following steps on a device that functions as a Telnet server.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the telnet server ip-limit-session limit-session-num command to configure
the maximum number of connections allowed for Telnet login to the server
through a single IP address.
Step 3 Run the commit command to commit the configuration.
----End
1.1.5.4.10 Verifying the Configuration of User Login to the System Using Telnet
After using Telnet to log in to a device, you can view information about the
current user interface, every user interface, and established TCP connections.
Prerequisites
Telnet login has been configured.
Procedure
● Run the display users [ all ] command to check information about user
interfaces.
● Run the display tcp status command to check established TCP connections.
● Run the display telnet server status command to check the status and
configurations of the Telnet server.
● After configuring whitelist session-CAR for Telnet, you can verify the
configuration.
– For IPv4, run the display cpu-defend whitelist session-car telnet
statistics slot slot-id command to check statistics about whitelist session-
CAR for Telnet on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist session-car
telnet statistics slot slot-id command to clear the existing statistics
about whitelist session-CAR for Telnet on a specified interface board, and
then run the display cpu-defend whitelist session-car telnet statistics
slot slot-id command.
– For IPv6, run the display cpu-defend whitelist-v6 session-car telnetv6
statistics slot slot-id command to check statistics about whitelist session-
CAR for Telnet on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist-v6 session-car
telnetv6 statistics slot slot-id command to clear the existing statistics
about whitelist session-CAR for Telnet on a specified interface board, and
then run the display cpu-defend whitelist-v6 session-car telnetv6
statistics slot slot-id command.
● Run the display vty ip-block all command to check all IP addresses that fail
to be authenticated.
● Run the display vty ip-block list command to check the list of IP addresses
that are blocked due to authentication failures.
----End
Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You
cannot connect each device to a terminal. When no reachable route exists
between remote devices and a terminal, you can use Telnet to log in to the
remote devices from the device that you have logged in to. Telnet provides no
secure authentication mode, and data is transmitted in plaintext over TCP,
which brings security risks.
You can run the display ssh client session command to check the authentication
and encryption algorithms used by the SSH client or the display security risk
feature ssh_client command to check the risk information and handling
suggestions for the SSH client.
Pre-configuration Tasks
Before configuring a user to log in to devices through STelnet, you must log in to
the devices through the console port and change the default configurations of the
devices so that the user can remotely log in to the devices through STelnet to
perform management and maintenance. To change the default configurations,
complete the following tasks:
● Configure IP addresses for the management network interfaces of the devices
to ensure that the routes between the user terminal and devices are
reachable.
● Configure an authentication mode and user level for VTY user interfaces
to achieve remote device management and maintenance.
● Configure VTY user interfaces to support SSH, configure an SSH user and
specify a service type, and enable the STelnet server function so that the
user can remotely log in to the device through STelnet.
1.1.5.5.1 Configuring a User Level and Authentication Mode for VTY User
Interfaces
Context
Other attributes on the VTY user interface have default values. Generally, you do
not need to modify them. You can also modify these attributes as required. For
details, see 1.1.4.4 Configuring VTY User Interfaces.
Procedure
● Configure a user level for the VTY user interface.
a. Run system-view
The system view is displayed.
b. Run user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
c. Run the user privilege level level command to set the user level. Table
1-12 lists the mapping between user levels and command levels in the
VTY user interface.
NOTE
● User levels correspond to command levels. After a user logs in to a device, the
user can use only commands of the corresponding level or lower, which
improves device security.
● If the user level configured for a user interface conflicts with the user level
configured for a user, the user level configured for the user takes precedence.
d. Run commit
The configuration is committed.
● Configure aaa authentication mode for the VTY user interfaces.
When the authentication mode is set to AAA authentication, you must specify
the access type of a local user.
a. Run system-view
The system view is displayed.
b. (Optional) Run crypto password irreversible-algorithm hmac-sha256
The HMAC-SHA256 ciphertext password encryption algorithm is set.
c. Run aaa
The AAA view is displayed.
d. Run local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ]
A local user name and a password are set.
----End
Context
Perform the following steps on the device that functions as an SSH server:
Procedure
Step 1 Run system-view
NOTE
Before configuring VTY user interfaces to support SSH, you must set the authentication
mode to AAA authentication for the user interfaces. If you do not set the authentication
mode to AAA authentication, the protocol inbound { ssh | all } command does not take
effect.
----End
Context
SSH users can be authenticated in RSA, DSA, ECC, SM2, X509v3-SSH-RSA,
password, password-RSA, password-ECC, password-DSA, password-SM2, password-
X509v3-RSA, or All mode.
If the authentication mode of an SSH user is RSA, DSA, SM2, or ECC, a local RSA,
DSA, SM2, or ECC key pair must be generated on both the server and client. In
addition, the server needs to edit the public key of the client locally. After the
editing, the public key is bound to the local user.
Table 1-13 compares the RSA, DSA, SM2, X509v3-SSH-RSA, and ECC algorithms.
Authentication Mode | Description
RSA authentication and DSA authentication | RSA and DSA are public key encryption systems and asymmetric encryption algorithms. They can effectively improve the encryption efficiency and simplify key management. The server checks whether the SSH user, public key, and digital signature are valid. User authentication succeeds only if all of them are the same as those configured on the server.
NOTE
For security purposes, do not use the RSA algorithm whose modulus bit value is less than
2048 for the SSH user. You are advised to use the ECC authentication algorithm instead.
The user level depends on the authentication mode and configuration selected by the
access user.
● If password authentication is selected for SSH users, the SSH user level is the same as
that configured in the AAA view.
● If public key authentication or PKI certificate authentication is used for SSH users, and
the ssh authorization-type default { aaa | root } command has been run to
configure a user authorization mode, the SSH user level is determined by the level
configured in the authorization mode.
● If the authorization mode is AAA, the user level is the one configured in the AAA
view.
● If the authorization type is root, the user level is the user level configured on the
VTY interface.
● If public key authentication or PKI certificate authentication is used for SSH users but
the ssh authorization-type default { aaa | root } command has not been run to
configure a user authorization mode, the SSH user level is determined by the level
configured in the AAA view.
Data Preparation
Before editing a public key, you need to generate a key pair. For details about how
to generate a key pair, see step 1 in 1.1.5.5.5 Using STelnet to Log In to a Server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh user user-name
An SSH user is created.
If password, password-RSA, password-DSA, password-SM2, password-X509v3-RSA,
or password-ECC authentication is configured for the SSH user, create a local user
with the same name as the SSH user in the AAA view and set the local user's
access type to SSH. For configuration details, see Table 1-15.
If RSA, DSA, SM2, X509v3-SSH-RSA, or ECC authentication is configured for the
SSH user, and the default authorization mode AAA is configured for the SSH
connection, create a local user with the same name as the SSH user in the AAA
view and set the local user's access type to SSH. Otherwise, run the ssh
authorization-type default root command in the system view to set the
authorization mode of the SSH connection to Root.
Item | Operation
Set the local user's access type to SSH. | Run the local-user user-name service-type ssh command.
----End
Context
NOTE
For security purposes, do not use RSA keys whose length is less than 2048 bits. You are
advised to use RSA_SHA2_256 and RSA_SHA2_512 instead.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 (Optional) Run the ssh server publickey { dsa | ecc | rsa | sm2 | x509v3-ssh-rsa |
rsa-sha2-256 | rsa-sha2-512 | x509v3-rsa2048-sha256 } * command to configure
a public key encryption algorithm for the SSH server.
Step 3 (Optional) Configure the maximum number of key pairs. Perform one of the
following operations based on the user requirements for system performance:
● Run the rsa key-pair maximum max-keys command to configure the
maximum number of RSA key pairs that can be created.
● Run the dsa key-pair maximum max-keys command to configure the
maximum number of DSA key pairs that can be created.
● Run the ecc key-pair maximum max-keys command to configure the
maximum number of ECC key pairs that can be created.
Step 4 (Optional) Create an SSH server key pair. Use either of the following methods:
● Method 1
– If the user requirements for system security are not high, run the rsa
local-key-pair create command to configure a local RSA key pair or run
the dsa local-key-pair create command to configure a local DSA key
pair.
– If the user requirements for system security are high, run the ecc
local-key-pair create command to configure a local ECC key pair.
After the key pairs are generated, perform any of the following operations
based on the selected public key algorithm:
– Run the display rsa local-key-pair public command to check the public
key in the local RSA key pair.
– Run the display dsa local-key-pair public command to check the public
key in the local DSA key pair.
– Run the display ecc local-key-pair public command to check the public
key in the local ECC key pair.
● Method 2
– If the user requirements for system security are not high, run the rsa
key-pair label label-name command to configure a local RSA key pair or run
the dsa key-pair label label-name command to configure a local DSA
key pair.
– If the user requirements for system security are high, run the ecc
key-pair label label-name [ modulus modulus-bits ] command to create a
local ECC key pair, or run the sm2 key-pair label label-name command
to create a local SM2 key pair.
After key pairs are generated, run the ssh server assign { rsa-host-key |
dsa-host-key | ecc-host-key | sm2-host-key } key-name command to assign a
key pair to the SSH server.
If the authentication mode is set to x509v3-ssh-rsa, run the ssh server assign
pki pki-name command to configure a PKI certificate for the SSH server.
After the key pairs are generated, perform any of the following operations
based on the selected public key algorithm:
– Run the display rsa key-pair [ brief | label label-name ] command to
check RSA key pairs.
– Run the display dsa key-pair [ brief | label label-name ] command to
check DSA key pairs.
– Run the display ecc key-pair [ brief | label label-name ] command to
check ECC key pairs.
– Run the display sm2 key-pair [ brief | label label-name ] command to
check SM2 key pairs.
Step 5 Run stelnet server enable
The STelnet server function is enabled.
If the STelnet server function is disabled on the SSH server, all clients that have
logged in through STelnet are disconnected from the server.
NOTE
SSH uses port 22 to listen to packets. Running this command will enable port 22 to listen to
IPv4 and IPv6 TCP packets.
NOTE
For security purposes, you are advised to use secure algorithms such as aes128_ctr,
aes256_ctr, aes192_ctr, aes128_gcm, and aes256_gcm.
Step 8 (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *
HMAC authentication algorithms are configured for the SSH server.
NOTE
For security purposes, you are advised to use a secure algorithm such as sha2_256,
sha2_512 and sm3.
For security purposes, you are advised to use the curve25519_sha256 key exchange
algorithm.
Step 10 (Optional) Run the ssh server dh-exchange min-len min-len command to
configure the minimum key length supported during diffie-hellman-group-exchange
key exchange with the SSH client.
NOTE
If the SSH client supports the diffie-hellman-group-exchange key exchange algorithm with
a length greater than 1024 bits, you are advised to run the ssh server dh-exchange
min-len command to set the minimum key length to 3072 bits to improve security.
----End
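The NOTEs in the procedure above recommend specific cipher, HMAC and key exchange algorithms and a diffie-hellman-group-exchange minimum length of 3072 bits. The following Python script is an added example, not Huawei code or tooling: it audits the ssh server lines of a configuration file against those recommendations. Both configuration excerpts are constructed for illustration, and the ssh server key-exchange curve25519_sha256 line is assumed from the NOTE rather than copied from this guide.

```python
"""Audit the `ssh server ...` settings of an NE9000-style configuration
file against the recommendations in this guide (added example, not
Huawei code): aes*_ctr / aes*_gcm ciphers, sha2_256 / sha2_512 / sm3
HMACs, the curve25519_sha256 key exchange, and a dh-exchange min-len
of at least 3072 bits.
"""

# Recommended algorithm sets, taken from the NOTEs in this guide.
RECOMMENDED = {
    "cipher": {"aes128_ctr", "aes192_ctr", "aes256_ctr",
               "aes128_gcm", "aes256_gcm"},
    "hmac": {"sha2_256", "sha2_512", "sm3"},
    "key-exchange": {"curve25519_sha256"},
}
MIN_DH_EXCHANGE_BITS = 3072

# Constructed configuration excerpt (not a real device's file). The line
# syntax mirrors the `ssh server ...` commands shown in this guide; the
# md5 HMAC, the non-advised key exchange and the 1024-bit dh-exchange
# length are deliberate so the audit has findings to report.
WEAK_CONFIG = """\
#
sysname SSH Server
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256 md5
ssh server key-exchange dh_group_exchange_sha256
ssh server dh-exchange min-len 1024
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server-source -i GigabitEthernet0/0/0
stelnet server enable
#
"""

# The same excerpt corrected to the guide's advice (also constructed;
# the curve25519_sha256 keyword is assumed from the NOTE).
HARDENED_CONFIG = """\
#
sysname SSH Server
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange curve25519_sha256
ssh server dh-exchange min-len 3072
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server-source -i GigabitEthernet0/0/0
stelnet server enable
#
"""


def parse_ssh_server_settings(config_text):
    """Map each `ssh server <setting> ...` line to its argument tokens.
    Lines such as `ssh server-source` or `stelnet server enable` are
    not `ssh server` settings and are skipped."""
    settings = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 4 or parts[:2] != ["ssh", "server"]:
            continue
        if parts[2] == "dh-exchange" and parts[3] == "min-len" and len(parts) >= 5:
            settings["dh-exchange min-len"] = parts[4:5]
        else:
            settings[parts[2]] = parts[3:]
    return settings


def audit_ssh_server(config_text):
    """Return a list of (setting, offending value or None, message).
    An empty list means every checked setting follows the guide."""
    settings = parse_ssh_server_settings(config_text)
    findings = []
    for name, allowed in RECOMMENDED.items():
        values = settings.get(name)
        if values is None:
            findings.append((name, None,
                             "not configured explicitly; the device default "
                             "is in effect, verify it"))
            continue
        weak = [v for v in values if v not in allowed]
        if weak:
            findings.append((name, " ".join(weak),
                             "outside the recommended set "
                             + ", ".join(sorted(allowed))))
    min_len = settings.get("dh-exchange min-len")
    if min_len is None:
        findings.append(("dh-exchange min-len", None,
                         "not configured; clients may negotiate short groups"))
    elif int(min_len[0]) < MIN_DH_EXCHANGE_BITS:
        findings.append(("dh-exchange min-len", min_len[0],
                         f"below the advised {MIN_DH_EXCHANGE_BITS} bits"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_ssh_server(cfg) or 'no findings'}")
```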
Context
Log in to the server through STelnet from the terminal (SSH client), as shown in
Figure 1-11. On the PC, run SSH1.5 or a later version to set up a local connection
with the device.
This section uses PuTTY as an example to describe how to log in to the SSH server
through STelnet.
Data Preparation
PuTTYGen.exe and PuTTY.exe have been installed.
Device | Interface | IP Address
SSH server | GE1/0/0 | 10.248.103.194/24
Procedure
Step 1 Create an SSH key pair on the SSH client.
1. Enter the Windows Command Prompt window.
2. Enter PuTTYGen and click Generate to generate a key pair, as shown in
Figure 1-12.
Keep moving the mouse while the key pair is being generated, and keep the
pointer inside the window but off the green progress bar. Otherwise, the
progress bar stops, and the generation of the key pair stops as well, as shown
in Figure 1-13.
3. After the key pair is generated, enter the password in the Key passphrase text
box and enter the password again in the Confirm passphrase text box. This
password is used for the SSH terminal user to log in to the SSH server. Click
Save private key, enter private for the name of the private key file, and click
Save. Copy the generated public key to the Notepad and name it public.txt.
2. In the navigation tree on the left of the SSH client configuration page, choose
Category > Connection > SSH. The dialog box as shown in Figure 1-16 is
displayed. In the Protocol options area, set Preferred SSH protocol version
to 2.
3. Select Auth in SSH. The dialog box as shown in Figure 1-17 is displayed. Click
Browse to import the private key file private.ppk.
4. Click Open. If the connection is normal, the system prompts you to enter the
user name, as shown in Figure 1-18.
----End
Follow-up Procedure
When you need to disconnect login users from the device, run the kill
user-interface { ui-number | { { console | vty | nca | rpc } ui-number1 |
interface-name } } command to clear online users.
console can be specified only for the admin VS.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform one or more operations described in Table 1-18.
Table 1-18

Operation: (Optional) Configure the timeout period for SSH authentication.
Command: Run the ssh server timeout seconds command.
Description: If a user has not logged in when the timeout period for SSH authentication expires, the system disconnects the current connection to ensure system security.

Operation: (Optional) Enable an SSH server to lock client IP addresses.
Command: Run the undo ssh server ip-block disable command.
Description: If an SSH server is enabled to lock client IP addresses, locked client IP addresses fail to pass authentication and are displayed in the display ssh server ip-block list command output. If an SSH server is disabled from locking client IP addresses, the display ssh server ip-block list command does not display any client IP address that is locked because of an authentication failure.

Operation: (Optional) Configure a listening port number for the SSH server.
Command: Run the ssh server port port-number command. If a new listening port number is set, the SSH server ends all established STelnet and SFTP connections and uses the new port number to listen for connection requests.
Description: Attackers may access the default listening port, consuming bandwidth, deteriorating server performance, and preventing authorized users from logging in to the server. After the listening port number of the SSH server is changed, attackers do not know the new listening port number, which prevents them from accessing the listening port and improves security.

Operation: (Optional) Configure an ACL for the SSH server.
Command: Run the ssh [ ipv6 ] server acl { acl-number | acl-name } command.
Description: This command controls the clients that can access the SSH server running IPv6. This configuration prevents unauthorized users from accessing the SSH server, ensuring security.

Operation: (Optional) Enable the keepalive feature on the SSH server.
Command: Run the ssh server keepalive enable command.
Description: After this feature is enabled, the SSH server returns keepalive responses to an SSH client to check whether the connection between them is normal, facilitating fast fault detection.
Context
When packets sent to the SSH server form a traffic burst, sessions may preempt
bandwidth. To resolve this problem, you can configure CAR for whitelisted SSH
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run whitelist session-car ssh-server { cir cir-value | cbs cbs-value | pir pir-value |
pbs pbs-value }*
CAR parameters are configured for whitelisted SSH sessions.
Step 3 (Optional) Run whitelist session-car ssh-server disable
CAR for whitelisted SSH sessions is disabled.
Step 4 Run commit
The configuration is committed.
----End
Context
When the number of SSH server login failures within a specified period exceeds
the threshold, an alarm is generated and displayed for an administrator to
promptly handle the associated event.
Perform the following steps on a device that functions as an SSH server:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time
Alarm generation and clearance thresholds for SSH server login failures within a
specified period are configured.
NOTE
The alarm generation threshold specified using report-times must be greater than or equal
to the alarm clearance threshold specified using resume-times.
----End
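The SSH login-failed threshold alarm above and its Telnet counterpart (telnet server login-failed threshold-alarm) use the same raise/clear hysteresis: the alarm is raised when failures within the period reach report-times and cleared when they fall back to resume-times, which is why report-times must not be smaller than resume-times. The following Python simulation is an added example, not Huawei code; the sliding-window semantics, the transition names and the sample event stream are assumptions constructed for illustration.

```python
"""Simulate a login-failed threshold alarm with raise/clear hysteresis
(added example, not the NE9000's implementation).

upper_limit  = report-times : failures in the window that raise the alarm
lower_limit  = resume-times : failures in the window that clear it
period       = period-time  : window length in seconds
"""
from collections import deque
from dataclasses import dataclass, field


def thresholds_valid(upper_limit, lower_limit, period):
    """Same rule as the command: report-times >= resume-times."""
    return upper_limit >= lower_limit >= 0 and period > 0


@dataclass
class LoginFailureAlarm:
    upper_limit: int
    lower_limit: int
    period: int
    _failures: deque = field(default_factory=deque, init=False)
    active: bool = field(default=False, init=False)

    def __post_init__(self):
        if not thresholds_valid(self.upper_limit, self.lower_limit, self.period):
            raise ValueError("report-times must be >= resume-times, period > 0")

    def _prune(self, now):
        # Drop failures that have aged out of the sliding window.
        while self._failures and now - self._failures[0] >= self.period:
            self._failures.popleft()

    def record_failure(self, now):
        """A failed login at time `now`; returns a transition or None."""
        self._prune(now)
        self._failures.append(now)
        return self._evaluate()

    def tick(self, now):
        """Re-evaluate without a new failure, so the alarm can clear as
        old failures age out of the window."""
        self._prune(now)
        return self._evaluate()

    def _evaluate(self):
        count = len(self._failures)
        if not self.active and count >= self.upper_limit:
            self.active = True
            return "ALARM_RAISED"
        if self.active and count <= self.lower_limit:
            self.active = False
            return "ALARM_CLEARED"
        return None


# Constructed sample event stream: (seconds since start, event).
# "FAIL" is a failed login; "TICK" is a periodic re-evaluation.
SAMPLE_EVENTS = [
    (0, "FAIL"), (10, "FAIL"), (20, "FAIL"), (30, "FAIL"), (40, "FAIL"),
    (75, "TICK"), (85, "TICK"),
]


def replay(events, upper_limit, lower_limit, period):
    """Return the (time, transition) pairs produced by the event stream."""
    alarm = LoginFailureAlarm(upper_limit, lower_limit, period)
    transitions = []
    for ts, kind in events:
        result = alarm.record_failure(ts) if kind == "FAIL" else alarm.tick(ts)
        if result is not None:
            transitions.append((ts, result))
    return transitions


if __name__ == "__main__":
    # report-times 5, resume-times 2, period 60 s:
    # raised at t=40 (5 failures in window), cleared at t=85 (2 left).
    print(replay(SAMPLE_EVENTS, 5, 2, 60))
```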
Context
When a device functions as an SSH server, you can configure the maximum
number of connections established using a single IP address to prevent malicious
attacks, thereby enhancing security.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ssh server ip-limit-session limit-session-num command to configure the
maximum number of connections allowed for SSH login to the server through a
single IP address.
----End
1.1.5.5.10 (Optional) Configuring the Local Port Forwarding Service for the SSH
Server
After the local port forwarding service is enabled on the SSH server, a forwarding
channel can be established between the SSH server and a host with a specified IP
address and port number.
Context
The SSH server can receive forwarding request messages from the SSH client and
establish a TCP connection (forwarding channel) with a host with a specified IP
address and port number to forward data received from the client to the host only
after the local port forwarding function is enabled on the SSH server.
Procedure
Step 1 Run system-view
----End
Context
If an SSH user logs in to a device using password card authentication,
keyboard-interactive authentication must be enabled for this user. To enable
keyboard-interactive authentication, run the ssh server authentication-type
keyboard-interactive enable command.
Procedure
Step 1 Run system-view
----End
Context
When an SSH session meets one or more of the following criteria, the system
re-negotiates a key and uses the new key to establish SSH session connections,
improving system security.
A key re-negotiation request is initiated when either the SSH client or server meets the key
re-negotiation criteria, and the other party responds.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Choose either of the following commands based on the SSH service type to
configure criteria that trigger key re-negotiation.
1. Run ssh client rekey { data-limit data-limit | max-packet max-packet |
time minutes } *
Parameters are configured for SSH client key re-negotiation.
2. Run ssh server rekey { data-limit data-limit | max-packet max-packet |
time minutes } *
Parameters are configured for SSH server key re-negotiation.
Step 3 Run commit
The configuration is committed.
----End
1.1.5.5.13 Verifying the Configuration of User Login to the System Using STelnet
After using STelnet to log in to a device, verify the configuration.
Prerequisites
STelnet login has been configured.
Procedure
● Run the display ssh user-information username command on the SSH server
to check information about SSH users.
● Run the display ssh server status command on the SSH server to check its
configuration.
● Run the display ssh server session command on the SSH server to check
information about sessions between the SSH server and SSH clients.
● After configuring whitelist session-CAR for SSH, you can verify the
configuration.
– For IPv4, run the display cpu-defend whitelist session-car ssh statistics
slot slot-id command to check statistics about whitelist session-CAR for
SSH on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist session-car
ssh statistics slot slot-id command to clear the existing statistics about
whitelist session-CAR for SSH on a specified interface board, and then run
the display cpu-defend whitelist session-car ssh statistics slot slot-id
command.
Networking Requirements
If you have changed the default parameter values for a device's console user
interface, you must accordingly change the login parameter values on a PC before
you log in to the device through the console port next time.
Configuration Roadmap
The configuration roadmap is as follows:
1. Connect the PC to the console port on the router.
2. Set login parameters on the PC.
3. Log in to the router.
Data Preparation
Login parameters need to be configured based on the physical attributes of the
console port on the router. The physical attributes include Bits per second, Data
bits, Parity, Stop bits, and Flow control. For the first login, the default values of the
parameters are used.
The PuTTY.exe software must have been installed on the client.
Procedure
Step 1 Start the PuTTY.exe program. In the PuTTY configuration page (shown in Figure
1-20), set the connection type to Serial.
Step 2 Choose Serial in the Category navigation tree on the left of the PuTTY
configuration page. In the port connection configuration page (shown in Figure
1-21), set the communication parameters of the port to the default values of the
device. (The following figure is for reference only. Use the default settings during
configuration.)
Step 3 Click Open. The system then prompts you to set an authentication password, as
shown in Figure 1-22. After you confirm the password, the system automatically
saves it.
After the password is set, the command prompt (for example, <HUAWEI>) of the
user view is displayed, which indicates that you have entered the user view and
can perform configurations.
You can enter commands to configure the device or view its running status. Enter
a question mark (?) when you need help.
NOTE
----End
Networking Requirements
It is required that an IPv4 user log in to a device through Telnet from a client on a
different network segment for remote maintenance.
Configuration Roadmap
The configuration roadmap is as follows:
1. Establish a physical connection.
2. Assign an IP address to the management interface on P1.
3. Configure VTY user interface parameters, including the limit on incoming and
outgoing calls.
4. Configure Telnet user information.
Data Preparation
To complete the configuration, you need the following data:
● IP address of the management interface on P1
● Maximum number of VTY user interfaces: 10
● Number of the ACL that is used to prohibit users from logging in to another
device: 3001
● Timeout period of a user connection: 20 minutes
● Number of rows displayed on a terminal screen: 30
● Buffer size for historical commands: 20
● Telnet user information (authentication mode: AAA, user name: huawei,
password: YsHsjx_202206)
Procedure
Step 1 Connect the PC and the device to the network.
Step 2 Assign an IP address to the management interface on P1.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[*HUAWEI] commit
[~P1] interface GigabitEthernet0/0/0
[~P1-GigabitEthernet0/0/0] undo shutdown
[*P1-GigabitEthernet0/0/0] ip address 10.137.217.33 255.255.254.0
[*P1-GigabitEthernet0/0/0] commit
[~P1-GigabitEthernet0/0/0] quit
NOTE
----End
Configuration Files
● P1 configuration file
#
sysname P1
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
aaa
local-user huawei password irreversible-cipher $1c$]zV2B\j!z:$hRujV[%/IE|0MwBQ}5sAX(RdE[oj#5otqG6=@>KK$
local-user huawei service-type telnet
Context
Networking Requirements
It is required that an IPv6 user log in to a device through Telnet from a client on a
different network segment for remote maintenance.
Configuration Roadmap
1. Establish a physical connection.
2. Configure an IPv6 address for the management interface on the device.
3. Configure VTY user interface parameters, including the limit on incoming and
outgoing calls.
4. Configure Telnet user information.
Data Preparation
The latest PuTTY version (0.70 latest release or 0.71) has been installed on the
Telnet client, and IPv6 routes between the Telnet client and Interface 1 are
available.
Procedure
Step 1 Connect the PC and the router to the network.
NOTE
Click Open. The system prompts you to enter the user name and password, as
shown in Figure 1-26. In this example, the user name is huawei123, and the
password is YsHsjx_202206.
----End
Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You
cannot connect each device to a terminal. When no reachable route exists
between remote devices and a terminal, you can use Telnet to log in to the
remote devices from the device that you have logged in to. Telnet provides no
secure authentication mode, and data is transmitted in plaintext over TCP,
which brings security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides
encryption and authentication and protects devices against attacks, such as IP
spoofing.
As shown in Figure 1-27, after the STelnet server function is enabled on the router
functioning as an SSH server, the PC functioning as an SSH client can log in to the
SSH server in password, RSA, password-rsa, ECC, password-ecc, DSA,
password-dsa, password-sm2, SM2, x509v3-ssh-rsa, password-x509v3-rsa, or All
authentication mode. This example uses RSA authentication to describe how to
configure an SSH client to log in to the server using STelnet.
To prevent unauthorized users from logging in to the SSH server and improve
system security, configure ACL rules on the SSH server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Log in to the SSH server through the console port and configure an IPv4
address for the management interface on the SSH server.
2. Configure the VTY user interface on the SSH server.
3. Create a local SSH user and configure the authentication mode and service
type.
4. Create an SSH user and configure the authentication mode for the user.
5. On the SSH client, create a key pair based on the configured SSH user
authentication mode and copy the public key to the SSH server.
6. On the SSH server, edit the public key and assign the edited public key to the
user.
7. Enable STelnet on the SSH server and set the service type of the SSH user to
STelnet.
8. Configure an ACL rule for STelnet client login on the SSH server.
9. Set parameters for STelnet login to the server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an IP address for the management interface on the SSH server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] interface GigabitEthernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[*SSH Server-GigabitEthernet0/0/0] ip address 10.248.103.194 255.255.255.0
[*SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit
NOTE
If SSH is configured as the login protocol, the device automatically disables the Telnet
function.
Step 3 Create a local user on the server, add the user to the administrator group, and
configure the service type of the user.
[~SSH Server] aaa
[~SSH Server-aaa] local-user huawei123 password
Please configure the passward (8-128)
Enter Password:
Confirm Password:
NOTE
Step 4 Create an SSH user on the server and configure the authentication mode for the
user.
[~SSH Server] ssh user huawei123
[*SSH Server] ssh user huawei123 authentication-type rsa
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit
Step 5 Use PuTTY to create an RSA key pair on the SSH client and copy the public key to
the SSH server.
1. Enter the Windows Command Prompt window.
2. Enter PuTTYGen and click Generate to generate a key pair, as shown in
Figure 1-28.
Keep moving the mouse while the key pair is being generated, and keep the
pointer inside the window but off the green progress bar. Otherwise, the
progress bar stops, and the generation of the key pair stops as well. Figure
1-29 shows that the key pair is being generated.
3. After the key pair is generated, enter the password in the Key passphrase text
box and enter the password again in the Confirm passphrase text box. This
password is used for the SSH terminal user to log in to the SSH server. Click
Save private key, enter private for the name of the private key file, and click
Save. Copy the generated public key to the Notepad and name it public.txt.
Step 6 On the SSH server, edit the public key and assign the edited public key to the user.
[~SSH Server] rsa peer-public-key rsa01 encoding-type openssh
[*SSH Server-rsa-public-key] public-key-code begin
[*SSH Server-rsa-public-key-rsa-key-code] ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6
qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kS
RIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6dSr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM
6tdf+hh/992o6GHBD9IbJe9mG6WoAmDkBmedXzBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZO
L3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzsBETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNC
ZpsjmCwkg+4RFGQ== rsa-key-20190422
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-key-code] peer-public-key end
[*SSH Server] ssh user huawei123 assign rsa-key rsa01
[*SSH Server] commit
Step 7 Enable the STelnet function and set the service type to STelnet.
[~SSH Server] stelnet server enable
[*SSH Server] ssh server-source -i GigabitEthernet0/0/0
[*SSH Server] ssh user huawei123 service-type stelnet
[*SSH Server] commit
Step 9 Use PuTTY.exe to log in to the SSH server from the client.
1. Start the PuTTY.exe program. The client configuration page is displayed, as
shown in Figure 1-31. For security purposes, using PuTTY 0.58 or later is
recommended. Enter the IP address of the SSH server in the Host Name (or
IP address) text box.
2. On the SSH client configuration page, choose Connection > SSH from the
Category navigation tree. The dialog box as shown in Figure 1-32 is
displayed. In the Protocol options area, set SSH protocol version to 2.
3. Select Auth in SSH. The dialog box as shown in Figure 1-33 is displayed. Click
Browse to import the private key file private.ppk.
4. Click Open. If the connection is normal, the system prompts you to enter the
username, as shown in Figure 1-34.
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
Networking Requirements
Large numbers of devices need to be managed and maintained on a network, and
it is not practical to connect a terminal to each of them. When no reachable
route exists between remote devices and a terminal, you can use Telnet to log in
to the remote devices from a device that you have already logged in to. Telnet,
however, provides no secure authentication mode, and its data, including user
names and passwords, is transmitted in plaintext over TCP, which poses security
risks.
As shown in Figure 1-35, after the STelnet server function is enabled on the router
functioning as an SSH server, the PC functioning as an SSH client can log in to the
SSH server in password, RSA, password-rsa, ECC, password-ecc, DSA, password-
dsa, password-sm2, SM2, x509v3-ssh-rsa, password-x509v3-rsa, or All
authentication mode. RSA authentication mode is used in this example.
To prevent unauthorized users from logging in to the SSH server and improve
system security, configure ACL6 rules on the SSH server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Log in to the SSH server through the console port and configure an IPv6
address for the management interface on the SSH server.
2. Configure the VTY user interface on the SSH server.
3. Create a local SSH user and configure the authentication mode and service
type.
4. Create an SSH user and configure the authentication mode for the user.
5. On the SSH client, create a key pair based on the configured SSH user
authentication mode and copy the public key to the SSH server.
6. On the SSH server, edit the public key and assign the edited public key to the
user.
7. Enable IPv6 STelnet on the SSH server and set the service type of the SSH
user to STelnet.
8. Configure an ACL6 rule for STelnet client login on the SSH server.
9. Set parameters for STelnet login to the server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an IPv6 address for the management interface on the SSH server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] interface GigabitEthernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ipv6 enable
[*SSH Server-GigabitEthernet0/0/0] ipv6 address 2001:db8::1 32
[*SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit
NOTE
If SSH is configured as the login protocol, the device automatically disables the Telnet
function.
Step 3 Create a local user on the server, add the user to the administrator group, and
configure the service type of the user.
[~SSH Server] aaa
[~SSH Server-aaa] local-user huawei123 password
Please configure the password (8-128)
Enter Password:
Confirm Password:
Step 4 Create an SSH user on the server and configure the authentication mode for the
user.
[~SSH Server] ssh user huawei123
[*SSH Server] ssh user huawei123 authentication-type rsa
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit
Step 5 Use PuTTY to create an RSA key pair on the SSH client and copy the public key to
the SSH server.
1. Enter the Windows command-line interface.
2. Enter PuTTYGen and click Generate to generate a key pair, as shown in
Figure 1-36.
Move the mouse continuously during the generation of the key pair and move
the pointer in the window other than the process bar in green. Otherwise, the
progress bar stops, and the generation of the key pair stops as well. Figure
1-37 shows that the key pair is being generated.
3. After the key pair is generated, enter a passphrase in the Key passphrase text
box and enter it again in the Confirm passphrase text box. The passphrase
encrypts the private key file on the client: PuTTY prompts for it when the key
is loaded, and it is never sent to the SSH server, which authenticates the user
by an RSA signature made with the private key. Click Save private key, enter
private as the name of the private key file, and click Save, as shown in
Figure 1-38. Copy the public key displayed in the PuTTYGen window into
Notepad and save it as public.txt.
Step 6 On the SSH server, edit the public key and assign the edited public key to the user.
[~SSH Server] rsa peer-public-key rsa01 encoding-type openssh
[*SSH Server-rsa-public-key] public-key-code begin
[*SSH Server-rsa-public-key-rsa-key-code] ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6
qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kS
RIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6dSr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM
6tdf+hh/992o6GHBD9IbJe9mG6WoAmDkBmedXzBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZO
L3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzsBETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNC
ZpsjmCwkg+4RFGQ== rsa-key-20190422
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-key-code] peer-public-key end
[*SSH Server] ssh user huawei123 assign rsa-key rsa01
[*SSH Server] commit
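Before pasting a key into the device, it is worth checking that what was copied from PuTTYGen is one complete ssh-rsa line of adequate size, and that its fingerprint matches the one PuTTYGen displays. The following Python script is an added example written for this page; it is not part of the NE9000 guide or of Huawei's software. It takes the OpenSSH-format public key printed in Step 6 (wrapped exactly as printed), re-joins the wrapped lines, decodes the SSH wire-format blob, and reports key type, public exponent, modulus length and SHA256 fingerprint. The 2048-bit minimum in policy_findings is the script's own assumption, not a device setting.

```python
"""Check an OpenSSH-format RSA public key before assigning it to an SSH user.

Added example, not from the NE9000 guide: parses the `ssh-rsa` line that
PuTTYGen produces and the device expects under
`rsa peer-public-key ... encoding-type openssh`.
"""
import base64
import hashlib
import struct

# Public key from Step 6, wrapped exactly as printed in the guide.
STEP6_KEY = """ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6
qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kS
RIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6dSr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM
6tdf+hh/992o6GHBD9IbJe9mG6WoAmDkBmedXzBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZO
L3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzsBETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNC
ZpsjmCwkg+4RFGQ== rsa-key-20190422"""


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def parse_openssh_rsa(text):
    """Parse a possibly line-wrapped `ssh-rsa <base64> [comment]` line."""
    # Re-join lines that a terminal or document wrapped; the base64 blob
    # itself never contains whitespace, so joining is safe.
    joined = "".join(line.strip() for line in text.splitlines())
    fields = joined.split(None, 2)
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected a line starting with 'ssh-rsa'")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    if key_type != b"ssh-rsa":
        raise ValueError("blob key type %r does not match 'ssh-rsa'" % key_type)
    modulus = int.from_bytes(n_bytes, "big")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": key_type.decode(),
        # PuTTYGen keys carry exponent 37; OpenSSH's ssh-keygen uses 65537.
        "e": int.from_bytes(e_bytes, "big"),
        "bits": modulus.bit_length(),
        # Same format OpenSSH prints: SHA256 over the raw blob, base64, no padding.
        "fingerprint": "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode(),
        "comment": fields[2] if len(fields) == 3 else "",
    }


def policy_findings(info, min_bits=2048):
    """Reasons not to assign the key; empty list if it passes (assumed policy)."""
    findings = []
    if info["bits"] < min_bits:
        findings.append("modulus is %d bits, below %d" % (info["bits"], min_bits))
    if info["e"] < 3 or info["e"] % 2 == 0:
        findings.append("public exponent %d is invalid" % info["e"])
    return findings


if __name__ == "__main__":
    info = parse_openssh_rsa(STEP6_KEY)
    print(info)
    print(policy_findings(info) or "key passes policy")
```

Compare the printed fingerprint with the one shown in the PuTTYGen window before running public-key-code begin; a mismatch means the wrong key, or a mangled copy, is about to be assigned.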
Step 7 Enable the IPv6 STelnet function and set the service type to STelnet.
[~SSH Server] stelnet ipv6 server enable
[*SSH Server] ssh ipv6 server-source -a 2001:db8::1
[*SSH Server] ssh user huawei123 service-type stelnet
[*SSH Server] commit
Step 9 Use PuTTY.exe to log in to the SSH server from the client.
1. Start the PuTTY.exe program. The PuTTY configuration page as shown in
Figure 1-39 is displayed. For security purposes, using PuTTY 0.58 or later is
recommended. Enter the IPv6 address of the SSH server (2001:db8::1 in this
example) in the Host Name (or IP address) text box.
2. In the navigation tree on the left of the SSH client configuration page, choose
Category > Connection > SSH. The dialog box as shown in Figure 1-40 is
displayed. In the Protocol options area, set Preferred SSH protocol version
to 2.
3. Select Auth in SSH. The dialog box as shown in Figure 1-41 is displayed. Click
Browse to import the private key file private.ppk.
4. Click Open. If the connection is normal, the system prompts you to enter the
user name, as shown in Figure 1-42.
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
acl ipv6 number 2000
rule 5 permit source 2001:DB8::/32
#
rsa peer-public-key rsa01 encoding-type openssh
public-key-code begin
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx
3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kSRIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6d
Sr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM6tdf+hh/992o6GHBD9IbJe9mG6WoAmDkBmedX
zBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZOL3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzs
BETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNCZpsjmCwkg+4RFGQ== rsa-key
public-key-code end
peer-public-key end
#
aaa
local-user huawei123 password irreversible-cipher $1c$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user huawei123 service-type ssh
local-user huawei123 user-group manage-ug
#
interface GigabitEthernet0/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:DB8::1/32
#
stelnet ipv6 server enable
ssh ipv6 server-source -a 2001:db8::1
ssh user huawei123
ssh user huawei123 authentication-type rsa
ssh user huawei123 assign rsa-key rsa01
ssh user huawei123 service-type stelnet
ssh server acl ipv6 2000
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
user-interface vty 0 14
authentication-mode aaa
protocol inbound ssh
user privilege level 3
#
return
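The configuration file is the artifact that survives, so a practitioner re-checks it after every change rather than trusting the procedure. The following Python script is an added example written for this page, not a Huawei tool: it scans the SSH-related lines of a configuration file such as the one above and flags a missing ssh server acl, a server-source all-interface setting, CBC/DES/RC4 ciphers, MD5/SHA-1 MACs, SHA-1 key exchange, plain rsa or dsa signature algorithms, a DH minimum below 2048 bits, and VTY lines that are not restricted to SSH with AAA authentication. The 2048-bit threshold and the WEAK_CONFIG sample are assumptions; GUIDE_CONFIG is an excerpt of the configuration file above, and on it the script reports exactly one item: the ssh client publickey line still lists dsa and rsa (SHA-1 signatures) although Step 4 configured only rsa_sha2_256 and rsa_sha2_512.

```python
"""Audit the SSH-related lines of an NE9000 configuration file. Added example
for this page, not a Huawei tool. Input: text of a saved configuration or of
`display current-configuration`. Output: list of (check, detail) findings.
Algorithm keywords follow the spelling used in this guide.
"""
import re

ALGO_LINE = re.compile(r"^ssh (server|client) (cipher|hmac|key-exchange|publickey) (.+)$")
ACL_LINE = re.compile(r"^ssh (ipv6 )?server acl\b")
SOURCE_ALL = re.compile(r"^ssh (ipv6 )?server-source all-interface\b")
DH_LINE = re.compile(r"^ssh server dh-exchange min-len (\d+)$")
CHECK = {"cipher": "weak-cipher", "hmac": "weak-hmac",
         "key-exchange": "weak-kex", "publickey": "sha1-pubkey"}


def is_weak(kind, name):
    """CBC/DES/RC4 ciphers, MD5/SHA-1 MACs, SHA-1 kex, plain rsa/dsa sigs."""
    if kind == "cipher":
        return name.endswith("_cbc") or name.startswith(("des", "3des", "arcfour"))
    if kind == "hmac":
        return name.startswith(("md5", "sha1"))
    if kind == "key-exchange":
        return name.endswith("sha1")
    return name in ("rsa", "dsa")


def audit_ssh_config(config_text, min_dh_len=2048):
    findings = []
    has_acl = in_vty = False
    vty_protocol = vty_auth = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":                        # block separator in VRP configs
            in_vty = False
            continue
        if line.startswith("user-interface vty"):
            in_vty = True
            continue
        if in_vty:                             # only inspect the VTY block here
            if line.startswith("protocol inbound "):
                vty_protocol = line.split()[2]
            elif line.startswith("authentication-mode "):
                vty_auth = line.split()[1]
            continue
        if ACL_LINE.match(line):
            has_acl = True
        if SOURCE_ALL.match(line):
            findings.append(("source-all-interfaces", line))
        m = DH_LINE.match(line)
        if m and int(m.group(1)) < min_dh_len:
            findings.append(("dh-min-len", "%s bits < %d" % (m.group(1), min_dh_len)))
        m = ALGO_LINE.match(line)
        if m:
            side, kind, names = m.groups()
            weak = [n for n in names.split() if is_weak(kind, n)]
            if weak:
                findings.append((CHECK[kind], "%s %s: %s" % (side, kind, " ".join(weak))))
    if not has_acl:
        findings.append(("missing-acl", "no ssh server acl configured"))
    if vty_protocol != "ssh":
        findings.append(("vty-protocol", "protocol inbound %s" % vty_protocol))
    if vty_auth != "aaa":
        findings.append(("vty-auth", "authentication-mode %s" % vty_auth))
    return findings


# Excerpt of the configuration file above (key blob and aaa block omitted).
GUIDE_CONFIG = """\
stelnet ipv6 server enable
ssh ipv6 server-source -a 2001:db8::1
ssh server acl ipv6 2000
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
user-interface vty 0 14
authentication-mode aaa
protocol inbound ssh
#
"""

# Constructed weak configuration for contrast (not from the guide).
WEAK_CONFIG = """\
stelnet server enable
ssh server-source all-interface
ssh server cipher 3des_cbc aes128_cbc aes128_ctr
ssh server hmac md5 sha1 sha2_256
ssh server key-exchange dh_group1_sha1 dh_group14_sha1
ssh server publickey rsa rsa_sha2_256
ssh server dh-exchange min-len 1024
#
user-interface vty 0 14
authentication-mode password
protocol inbound all
#
"""
```

Run audit_ssh_config on the text of display current-configuration after each change; an empty list is the expected result for a hardened device, and every tuple returned names the line or setting to fix.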
Networking Requirements
On the network shown in Figure 1-43, an NMS, device, and AAA server are
connected over a VPN. The NMS is integrated with the SSH client and SFTP server
functions. The SSH client uses SSH to log in to and communicate with the device.
The SFTP server uses SFTP for file transfer with the device functioning as an SFTP
client.
In this example, interface 1 stands for GE 1/0/0, interface 2 stands for GE 2/0/0, and
interface 3 stands for GE 3/0/0. The interfaces are bound to the same VPN instance.
Precautions
Ensure that the route between the device and NMS is reachable.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN instance.
2. Bind the interfaces connecting the device to the NMS and HWTACACS server
to the VPN instance.
3. Configure a default VPN instance used by the NMS to manage the device.
4. Configure an HWTACACS server.
5. Configure a local AAA user and set its access mode to SSH and authentication
mode to HWTACACS.
6. Configure an SSH user and set its authentication and service modes.
7. Configure an SNMPv3 USM user to allow the NMS to access the device.
8. Configure an SFTP client to use SFTP for file transfer.
NOTE
After the default VPN instance is configured for the NMS to manage the device, the
HWTACACS server, TFTP client, FTP client, SFTP client, SCP client, SNMP module, Info
Center module, PM module, and IP FPM module on the device all belong to the default
VPN if other VPN instances are not configured. If other VPN instances are configured, the
VPN instance configured for each feature is preferentially selected. To access the public
network, you must set the public-net parameter.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] ip vpn-instance vrf1
[*DeviceA-vpn-instance-vrf1] ipv4-family
[*DeviceA-vpn-instance-vrf1-af-ipv4] route-distinguisher 22:1
[*DeviceA-vpn-instance-vrf1-af-ipv4] vpn-target 111:1 both
[*DeviceA-vpn-instance-vrf1-af-ipv4] quit
[*DeviceA-vpn-instance-vrf1] quit
[*DeviceA] commit
Step 3 Configure a default VPN instance used by the NMS to manage the device.
[~DeviceA] set net-manager vpn-instance vrf1
NOTE
The VPN configured using this command affects the following service modules on the
device: TFTP client, FTP client, SFTP client, SCP client, Info Center, SNMP, PM, IP FPM, and
TACACS. To access the public network, you must set the public-net parameter.
[*DeviceA] commit
Step 5 Create a local AAA user named sshuser001. Set the access mode to SSH and
authentication mode to HWTACACS.
# Configure a local user named sshuser001 in the huawei domain. After the
configuration is complete, the sshuser001 user uses the authentication and
authorization modes in the huawei domain.
[~DeviceA-aaa] local-user sshuser001@huawei password
Please configure the password (8-128)
Enter Password:
Confirm Password:
[*DeviceA-aaa] local-user sshuser001@huawei service-type ssh
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit
Step 6 Configure authentication and service modes for the SSH user.
[*DeviceA] ssh authentication-type default password
[*DeviceA] ssh user sshuser001 service-type stelnet snetconf
[*DeviceA] commit
Step 8 Configure an SNMPv3 USM user to allow the NMS to access the device.
# Enable the SNMP agent function.
[*DeviceA] snmp-agent
[*DeviceA] commit
# Configure a user group and users in the group, and authenticate and encrypt
user data.
[~DeviceA] snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
[*DeviceA] snmp-agent usm-user v3 nms-admin group admin
[*DeviceA] snmp-agent usm-user v3 nms-admin authentication-mode sha
Please configure the authentication password (10-255)
Enter Password:
Confirm Password:
[*DeviceA] snmp-agent usm-user v3 nms-admin privacy-mode aes128
Please configure the privacy password (10-255)
Enter Password:
Confirm Password:
[*DeviceA] commit
Step 9 Enable the device functioning as an SFTP client to transfer files with the NMS
functioning as an SFTP server over the VPN.
For details about how to configure the NMS to function as an SFTP server, see the
NMS server configuration guide. The user name and password used for file
transfer between the device and NMS must be the same as those configured on
the SFTP server.
[~DeviceA] ssh client first-time enable
[*DeviceA] commit
[~DeviceA] sftp client-transfile get -a 10.1.1.2 host-ip 10.1.1.1 username sshuser002 password YsHsjx_202206 sourcefile aaa.txt
NOTE
With first-time authentication enabled, the SFTP client does not verify the
server's public key on the first connection: it accepts the key, saves it, and
checks later connections against the saved copy. An attacker in the path during
that first connection would therefore go unnoticed. After the server key has
been saved and compared with the fingerprint obtained from the NMS
administrator, run undo ssh client first-time enable. The password in this
command is entered in plaintext on the command line.
----End
Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
hwtacacs enable
#
ip vpn-instance vrf1
ipv4-family
route-distinguisher 22:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
hwtacacs-server template ht
hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
hwtacacs-server authorization 10.2.1.1 vpn-instance vrf1
hwtacacs-server shared-key cipher %^%#x@ZaCImt|X79[^A&]DEYC6[>U]OD(8n&BVHvsu2R{=zVSySB'|H[;I`|ef#%^%#
#
aaa
local-user sshuser001@huawei password irreversible-cipher $1c$\h[;D"`M79$GN]A=y;*4EFG%t>vIJI=rJvxWe/V%Xbd;(J+AzC+$
local-user sshuser001@huawei service-type ssh
#
authentication-scheme scheme1
authentication-mode hwtacacs
#
authorization-scheme scheme2
authorization-mode hwtacacs
#
accounting-scheme default0
#
accounting-scheme default1
#
domain huawei
authentication-scheme scheme1
authorization-scheme scheme2
hwtacacs-server ht
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vrf1
ip-address 10.1.1.2 255.255.255.0
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vrf1
ip-address 10.2.1.2 255.255.255.0
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vrf1
ip-address 10.3.1.1 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 800007DB0300313D6A1FA0
#
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
snmp-agent target-host trap address udp-domain 10.1.1.1 vpn-instance vrf1 params securityname nms-admin v3 privacy
#
snmp-agent mib-view included iso iso
snmp-agent usm-user v3 nms-admin group admin
snmp-agent usm-user v3 nms-admin authentication-mode sha %#%##/L&Fd]S.!i*S7<\jCh2DkfkE4+:<%Wap|8zZWwPL+[a>h$wy>VJsp9(L{%B%#%#
snmp-agent usm-user v3 nms-admin privacy-mode aes128 %#%#CM-]HDuhH6VX)**J<186nf({M823f(0Z73++7(A#%,1jODj}D>_HS>W,'Ss=%#%#
#
stelnet server enable
ssh server-source -i gigabitethernet 3/0/0
ssh user sshuser001
ssh authorization-type default aaa
#
ssh client first-time enable
#
return
FTP
When two hosts run different operating systems and use different file structures
and character sets, you can use File Transfer Protocol (FTP) to copy files from one
host to the other.
FTP has two file transfer modes:
● Binary mode: is used to transfer program files, such as .app, .bin, and .btm
files.
● ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
FTP is a standard application protocol based on the TCP/IP protocol suite. It is
used to transfer files between local clients and remote servers. FTP uses two TCP
connections to copy a file from one system to another. The TCP connections are
usually established in client-server mode, one for control (the server port number
is 21) and the other for data transmission (the server port number is 20).
● Control connection
A control connection is set up between the FTP client and FTP server.
The control connection always waits for communication between the client
and server. Commands are sent from the client to the server over this
connection. The server responds to the client after receiving the commands.
● Data connection
A data connection carries the file or directory listing itself. In active
mode the server opens the data connection from port 20 to the client; in
passive mode the client opens it to a port that the server announces. Either
side can close a data connection. When the client sends a file to the server
in stream mode, only the client closes the data connection, because closing
it is what marks the end of the file.
FTP supports file transfer in stream mode, in which the end of each file is
indicated by end of file (EOF), that is, by closing the data connection. A new
data connection must therefore be set up for each file transfer or directory
listing.
TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP)
connections. It uses the UDP port number 69 to transfer files between local hosts
and remote servers. Unlike FTP, TFTP is simple and provides no authentication.
TFTP applies when no complex interaction is required between clients and the
server.
TFTP supports the following transfer modes:
● Binary mode: used for program file transfers
● ASCII mode: used for text file transfers
NOTE
HUAWEI NetEngine9000 can function only as a TFTP client and transmit files in binary
mode.
SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote
users to securely log in to a device to manage and transfer files. On the other
hand, users can use a device functioning as a client to log in to a remote server
and transfer files securely.
If the SFTP server fails, or the connection between the server and the client
fails, the client must detect the fault promptly and tear the connection down
itself. To make this possible, configure the interval at which the client sends
keepalive packets when it has received nothing, and the maximum number of
keepalive packets that may go unanswered:
● If the client receives no packet from the server within the configured
interval, it sends a keepalive packet to the server.
● If the number of consecutive unanswered keepalive packets exceeds the
configured maximum, the client releases the connection.
Feature Requirements
Feature requirement: The total length of the directory and file name in the
file system cannot exceed 128 characters. The directory can contain 1 to 128
characters, and the file name can contain 1 to 128 characters. After a
directory with the maximum length is created, files cannot be stored in the
directory. After a file with the maximum length is created, files cannot be
stored in subdirectories.
Series: NE9000
Models: NE9000
Usage Scenario
When a device fails to save or obtain data, you can log in to the device to repair
the faulty storage component or manage files or directories on the device.
This file operation mode is used when a storage component needs to be managed.
Pre-configuration Tasks
Before logging in to a device to operate files, complete user login
configurations.
Context
Through directory management, you can create, delete, change, or view directories
and view files in directories and sub-directories.
Procedure
● Run cd directory
A directory is changed to a specified directory.
● Run pwd
The current directory is displayed.
● Run dir [ /all ] [ filename ]
Information about all files or a specified file is displayed.
Either an absolute or relative path can be specified in this command.
The following table describes files displayed in the command output.
NOTE
Files displayed depend on the system software version and service configurations. The
following table lists only common files.
The wildcard "*" can be used in the command.
● Run mkdir directory
A directory is created.
● Run rename source-filename destination-filename
A directory is renamed.
----End
Context
● Managing files include displaying file content, copying files, moving files,
renaming files, compressing files, deleting files, restoring deleted files,
deleting files in the recycle bin, running batch files, and configuring
notification modes.
● To operate a file, run the cd directory command to switch the current
directory to the file's directory.
Procedure
● Run more file-name
The content of a specified file is displayed.
● Run copy source-filename destination-filename
A file is copied.
● Run move source-filename destination-filename
A file is moved.
● Run rename source-filename destination-filename
A file is renamed.
● Run zip source-filename destination-filename
A file is compressed.
● Run unzip source-filename destination-filename
A file is decompressed.
● Run delete [ /unreserved ] filename [ all ]
A file is deleted.
If you use the /unreserved parameter in the command, the file cannot be
restored after being deleted.
In VS mode, this command is supported only by the admin VS.
● Run undelete filename
The deleted file is restored.
NOTE
You can run the dir /all command to view information about all files, including the
files moved to the recycle bin, which are enclosed in square brackets ([]).
The files that are deleted using the delete command with /unreserved specified
cannot be restored.
● Configure the notification mode for file operations.
a. Run system-view
b. Set the notification mode to alert or quiet.
NOTICE
If the notification mode is set to quiet, the system does not display a
warning message for data loss caused by misoperations, so use quiet only
where prompts cannot be answered, for example in batch files.
c. Run commit
----End
Usage Scenario
As devices operate stably and are deployed on a large scale, more and more
devices need to be maintained and upgraded remotely. Online software upgrade, a
new upgrade method by loading software packages remotely, facilitates remote
online upgrades, reduces upgrade expenditures, shortens the time that customers
wait for upgrades, and improves customers' satisfaction. The delay, packet loss,
and jitter affect data transmission on networks. To ensure the quality of online
upgrade and data transmission, use FTP to perform online upgrades and transfer
files based on TCP connections.
Pre-configuration Tasks
Before using FTP to operate files, configure a reachable route between a terminal
and a device.
Context
To use FTP to operate files, configure a local user name and a password on a
device that functions as an FTP server, and specify a service type and an
authorized directory. If you do not perform these operations, you cannot use FTP
to access the device.
Perform the following steps on the device that functions as an FTP server:
Procedure
Step 1 Run system-view
Special characters cannot include question marks (?) or spaces. However, when
the password is enclosed in double quotation marks, it can contain spaces.
– If the password contains spaces, it must be enclosed in double quotation
marks and cannot itself contain double quotation marks.
– If the password contains no spaces, it can contain double quotation marks
inside the enclosing pair.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
● If cipher is specified, the password can be entered in either plaintext or
ciphertext.
NOTE
FTP users are classified as local AAA authentication users or remote authentication
(RADIUS and HWTACACS) users.
● The local-user ftp-directory command must be run to specify the FTP working
directory for local authentication users. Otherwise, local authentication users cannot use
FTP to access the device.
● The FTP working directory for remote authentication users can be specified using the
HWTACACS server. The set default ftp-directory command can be used to specify the
default FTP working directory for remote authentication users.
● A user group or user level needs to be configured on the AAA server for remote
authentication users. For details about the configuration, see the configuration guide
provided by the associated vendor.
----End
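The quoting rules above are easy to misread, so the following Python function, an added example for this page rather than device code, applies them to a candidate password and reports the first rule it breaks. It assumes that the 8-128 character limit from the local-user password prompt applies to the password without its enclosing quotation marks, and that an unquoted password with no spaces may contain double quotation marks; neither point is stated on the page.

```python
"""Validate a local-user password against the quoting rules above.

Added example, not device code. Assumed: the 8-128 length applies to the
password itself, excluding enclosing double quotation marks, and an unquoted
password without spaces may contain double quotation marks.
"""


def validate_password(raw, min_len=8, max_len=128):
    """Return None if the password is acceptable, else the reason it is not."""
    quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
    pw = raw[1:-1] if quoted else raw          # strip the enclosing pair only
    if "?" in pw:
        return "question marks are not allowed"
    if " " in pw:
        if not quoted:
            return "a password with spaces must be enclosed in double quotation marks"
        if '"' in pw:
            return "a password with spaces cannot also contain double quotation marks"
    if not min_len <= len(pw) <= max_len:
        return "length %d is outside %d-%d" % (len(pw), min_len, max_len)
    return None


if __name__ == "__main__":
    for candidate in ('"Aa123"45""', '"Aa 123"45""', "Aa 12345678", "Aa123?4567"):
        print(repr(candidate), "->", validate_password(candidate) or "valid")
```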
1.1.6.4.2 (Optional) Specifying a Listening Port Number for the FTP Server
After a non-default listening port number is specified for the FTP server,
clients must know the new port number to reach the service, which reduces
exposure to scans and connection attempts aimed at the default port. This is
not an access control: the port remains discoverable by a port scan, so keep
the FTP ACL and strong authentication in place.
Context
Users can directly log in to a device functioning as an FTP server by using the
default listening port number. Attackers may access the default listening port,
NOTE
Ensure that the FTP server function is disabled before specifying a listening port number.
Perform the following steps on the device that functions as an FTP server:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ftp [ ipv6 ] server port port-number
A listening port number is specified for the FTP server.
If a new listening port number is set, the FTP server terminates all established FTP
connections and uses the new port number to listen to new FTP connection
attempts.
Step 3 Run commit
The configuration is committed.
----End
Context
Perform the following steps on the device to be used as an FTP server:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ftp [ ipv6 ] server enable
The FTP server function is enabled.
NOTE
After files are successfully transferred between the client and server, run the undo ftp
[ ipv6 ] server command to disable the FTP server function for security purposes.
----End
Context
FTP server parameters can be configured as follows:
● Specifying the source address or source interface of the FTP server restricts
the destination address accessed by clients, ensuring security.
● You can configure the maximum number of FTP connections to the server. If
the maximum number of FTP connections is less than or equal to the existing
FTP connections, the system retains the existing FTP connections but rejects
new connection requests.
● You can configure the timeout period of an idle FTP connection. If no
messages are exchanged between the client and the FTP server within the
specified timeout period, the connection between them is terminated and FTP
connection resources are reclaimed.
Procedure
Step 1 Run system-view
Step 2 To configure the source address or source interface of the FTP server, perform one
of the following operations as required:
● Run the ftp server-source { -a ip-address | -i { interface-type interface-number
| interface-name } } command to configure a source IP address or source
interface for the FTP server.
After the source IP address is configured, the address specified in the ftp
command for login to the FTP server must be the configured source IP
address. Otherwise, the login fails.
● Run the ftp server-source all-interface command to allow any interface
having an IPv4 address configured to be used as the source interface of an
FTP server.
NOTE
After this command is run, the FTP server will receive login connection requests from
all interfaces, which increases system security risks. Therefore, running this command
is not recommended.
● Run the ftp ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-
name ] command to configure a source IPv6 address for the FTP server.
● Run the ftp ipv6 server-source all-interface command to allow any interface
having an IPv6 address configured to be used as the source interface of an
FTP server.
NOTE
After this command is run, the FTP server will receive login connection requests from
all interfaces with an IPv6 address configured, which increases system security risks.
Therefore, running this command is not recommended.
● Run the ftp server-source physic-isolate -i { interface-type interface-number
| interface-name } -a ip-address command to specify a source IPv4 interface
for the FTP server and set the interface isolation attribute for the FTP server.
● Run the ftp ipv6 server-source physic-isolate -i { interface-type interface-
number | interface-name } -a ipv6-address command to specify a source IPv6
interface for the FTP server and set the interface isolation attribute for the
FTP server.
NOTE
After the interface isolation attribute is set successfully, packets can be sent to the
server only through the specified physical interface, and those sent through other
interfaces are discarded.
----End
Context
When packets sent to the FTP server form a traffic burst, sessions may preempt
bandwidth. To resolve this problem, you can configure CAR for whitelisted FTP
sessions. This configuration isolates bandwidth resources between sessions. If the
default CAR parameters for whitelisted FTP sessions do not meet service
requirements, you can adjust them as required.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run whitelist session-car ftp-server { cir cir-value | cbs cbs-value | pir pir-value |
pbs pbs-value }*
CAR parameters are configured for whitelisted FTP sessions.
Context
When a device functions as an FTP server, you can configure an ACL to allow only
the clients that meet the rules specified in the ACL to access the FTP server.
Perform the following steps on the device that functions as an FTP server:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl acl-number
The ACL view is displayed.
Step 3 Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type
{ fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-
first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } |
time-range time-name | vpn-instance vpn-instance-name ] *
A rule is configured.
Step 4 Run quit
Return to the system view.
Step 5 Run ftp [ ipv6 ] acl { acl-number | name }
An FTP ACL is configured.
Step 6 Run commit
The configuration is committed.
----End
Context
After a user fails to log in to a device using FTP, the number of FTP login failures is
recorded for the IP address. If the number of login failures within a specified
period reaches the threshold, the IP address is locked, and all users who log in
through this IP address cannot set up an FTP connection with this device.
Procedure
Step 1 Run system-view
The client IP address locking function is enabled on the device that functions as an
FTP server.
Step 7 Run activate ftp server ip-block ip-address ip-address [ vpn-instance vpn-
name ]
----End
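The locking behaviour described above is simple to state but has edge cases (the counting window, lock expiry, a correct password offered while the address is locked) that are easier to see in code. The following Python script is an added example for this page, not device code: it counts failures per client address in a sliding window, locks the address when the count reaches the threshold, rejects every attempt from a locked address until the lock expires, and exposes a manual release corresponding to the activate ftp server ip-block command in Step 7. The threshold (3), window (5 minutes) and lock duration (5 minutes) are illustrative because the page does not give the device's parameters, and the log lines are constructed.

```python
"""Per-IP FTP login-failure lockout, as described above. Added example, not
device code; threshold, window, lock duration and log lines are illustrative.
"""
from collections import deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<date> <time> FTP login failed|ok user=<u> ip=<ip>"
LOG_RE = re.compile(r"^(\S+ \S+) FTP login (failed|ok) user=(\S+) ip=(\S+)$")


class FtpIpBlocker:
    def __init__(self, threshold=3, window=timedelta(minutes=5),
                 lock_duration=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.lock_duration = lock_duration
        self.failures = {}      # ip -> deque of failure timestamps inside the window
        self.locked_until = {}  # ip -> datetime at which the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[ip]   # lock expired; counting starts afresh
        return False

    def record_failure(self, ip, now):
        """Return True if this failure triggers a lock on the address."""
        q = self.failures.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[ip] = now + self.lock_duration
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)

    def unlock(self, ip):
        """Manual release, the analogue of `activate ftp server ip-block`."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


def replay(log_text, blocker):
    """Feed log lines through the blocker; return (ip, decision) per line."""
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        result, ip = m.group(2), m.group(4)
        if blocker.is_locked(ip, ts):           # lock applies whatever the password
            decisions.append((ip, "rejected"))
        elif result == "failed":
            decisions.append((ip, "locked" if blocker.record_failure(ip, ts) else "failed"))
        else:
            blocker.record_success(ip)
            decisions.append((ip, "ok"))
    return decisions


# Constructed sample: three failures lock 192.0.2.10 at 10:00:09 until 10:05:09.
SAMPLE_LOG = """\
2022-10-31 10:00:01 FTP login failed user=admin ip=192.0.2.10
2022-10-31 10:00:05 FTP login failed user=admin ip=192.0.2.10
2022-10-31 10:00:09 FTP login failed user=root ip=192.0.2.10
2022-10-31 10:00:12 FTP login failed user=admin ip=198.51.100.7
2022-10-31 10:00:20 FTP login ok user=huawei123 ip=198.51.100.7
2022-10-31 10:00:30 FTP login ok user=huawei123 ip=192.0.2.10
2022-10-31 10:05:10 FTP login failed user=admin ip=192.0.2.10
"""

if __name__ == "__main__":
    for ip, decision in replay(SAMPLE_LOG, FtpIpBlocker()):
        print(ip, decision)
```

The sixth line shows the point that matters operationally: a valid login from a locked address is still rejected, so an administrator who shares an address with an attacker (a NAT gateway, a jump host) is locked out until the lock expires or is cleared with Step 7.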
Context
To log in to the FTP server from the PC, use either the Windows Command Prompt
or third-party software. Use the Windows Command Prompt as an example.
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the ftp ip-address command to log in to the server by using FTP.
Enter the user name and password at the prompt, and press Enter. If the
command prompt of the FTP client view, ftp> for example, is displayed, you have
entered the working path of the FTP server.
----End
Context
Table 1-22 describes FTP file attributes.
FTP data connection mode: The following data connection modes can be set for
the FTP server:
● ACTIVE mode: The server initiates the data connection to the client.
● PASV mode: The server waits for the client to initiate the data connection.
During connection establishment, the FTP client determines the data connection
mode.
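The control/data split described in the FTP overview earlier in this section and the ACTIVE/PASV choice in the table above are both visible in a captured control channel. The following Python script is an added example for this page, not code from the guide: it decodes PASV replies and PORT commands into (address, port) endpoints, builds a PORT command as an active-mode client would, and walks a constructed control-channel session (documentation addresses, made-up user name and password) to show what a passive observer of plaintext FTP learns: the credentials and every data-connection endpoint.

```python
"""Decode an FTP control channel: PASV/PORT endpoint negotiation and the
plaintext credentials. Added example for this page, not code from the guide.
SESSION is constructed (documentation addresses, made-up password).
"""
import re

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _endpoint(groups):
    """Six decimal fields h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2)."""
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        raise ValueError("field out of range: %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = values
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(reply):
    """Server reply '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return _endpoint(m.groups())


def parse_port_command(cmd):
    """Client command 'PORT h1,h2,h3,h4,p1,p2' (active mode)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _endpoint(m.groups())


def build_port_command(ip, port):
    """Inverse of parse_port_command, as an active-mode client sends it."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    if not 0 < port < 65536:
        raise ValueError("bad port: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def summarize_session(lines):
    """Walk 'C: ...' / 'S: ...' lines and collect what an eavesdropper sees."""
    info = {"user": None, "password": None, "type": None, "data_connections": []}
    for line in lines:
        who, _, text = line.partition(": ")
        if who == "C":
            verb, _, arg = text.partition(" ")
            if verb == "USER":
                info["user"] = arg
            elif verb == "PASS":
                info["password"] = arg          # transmitted in the clear
            elif verb == "TYPE":
                info["type"] = arg              # 'A' (ASCII) or 'I' (binary)
            elif verb == "PORT":
                info["data_connections"].append(("active",) + parse_port_command(text))
        elif who == "S" and text.startswith("227"):
            info["data_connections"].append(("passive",) + parse_pasv_reply(text))
    return info


# Constructed control-channel capture; C = client, S = server.
SESSION = [
    "S: 220 FTP service ready.",
    "C: USER huawei123",
    "S: 331 Password required for huawei123.",
    "C: PASS Ftp-Example-1",
    "S: 230 User logged in.",
    "C: TYPE I",
    "S: 200 Type set to I.",
    "C: PORT 192,0,2,10,4,1",                  # active: client listens on 192.0.2.10:1025
    "S: 200 PORT command successful.",
    "C: LIST",
    "S: 150 Opening BINARY mode data connection for file list.",
    "S: 226 Transfer complete.",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,1,195,80)",   # passive: 192.0.2.1:50000
    "C: RETR vrpcfg.zip",
    "S: 150 Opening BINARY mode data connection for vrpcfg.zip.",
    "S: 226 Transfer complete.",
    "C: QUIT",
    "S: 221 Goodbye.",
]

if __name__ == "__main__":
    print(summarize_session(SESSION))
```

The data-connection endpoints are also what a stateful firewall between client and server must track: in active mode the server connects back to the client's announced port, in passive mode the client connects out to the server's announced port, and neither port is known until the control channel says so.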
Procedure
Step 1 Perform either of the following steps on the client based on the type of the
server's IP address:
● Run the ftp [ [ -a source-ip-address | -i { interface-type interface-number |
interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-
name ] | public-net ] command to configure the device to use an IPv4
address to establish a connection to the FTP server and enter the FTP client
view.
● Run the ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-
vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number |
interface-name } ] [ port-number ] command to configure the device to use
an IPv6 address to establish a connection to the FTP server and enter the FTP
client view.
Managing files: Configuring the file type
● Run the ascii command to set the file type to ASCII.
● Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used.
Step 3 Perform either of the following operations as needed to end an FTP connection.
● Run the bye or quit command to end the connection to the FTP server and
return to the user view.
● Run the close or disconnect command to end the connection to the FTP
server but remain in the FTP client view.
Step 4 Run the commit command to commit the configuration.
----End
Prerequisites
The configurations of file operation by using FTP are complete.
Procedure
● Run the display ftp-server command to check the configuration and status of
the FTP server.
● Run the display ftp-users command to check information about logged-in
FTP users.
● After configuring whitelist session-CAR for FTP, you can verify the
configuration.
– For IPv4, run the display cpu-defend whitelist session-car ftp statistics
slot slot-id command to check statistics about whitelist session-CAR for
FTP on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist session-car
ftp statistics slot slot-id command to clear the existing statistics about
whitelist session-CAR for FTP on a specified interface board, and then run
the display cpu-defend whitelist session-car ftp statistics slot slot-id
command.
– For IPv6, run the display cpu-defend whitelist-v6 session-car ftpv6
statistics slot slot-id command to check statistics about whitelist session-
CAR for FTP on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist-v6 session-car
ftpv6 statistics slot slot-id command to clear the existing statistics about
whitelist session-CAR for FTP on a specified interface board, and then run
the display cpu-defend whitelist-v6 session-car ftpv6 statistics slot
slot-id command.
----End
Usage Scenario
As the device deployment scale increases, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a new upgrade
method by loading software packages remotely, facilitates remote upgrades,
reduces upgrade costs, shortens the time that customers wait for upgrades, and
improves customers' satisfaction. FTP is usually used to transmit data for online
upgrades. FTP transmits data and even user names and passwords in plaintext,
bringing security risks.
SFTP resolves the security issue. It enables you to securely log in to a remote
device for file management, improving data transmission security. You can then
transfer files and perform online upgrades.
Pre-configuration Tasks
Before using SFTP to operate files, configure a reachable route between a terminal
and a device.
Context
SSH users can be authenticated in RSA, DSA, ECC, SM2, X509v3-SSH-RSA,
password, password-RSA, password-ECC, password-DSA, password-SM2, password-
X509v3-RSA, or All mode.
If the authentication mode of an SSH user is RSA, DSA, SM2, or ECC, a local RSA,
DSA, SM2, or ECC key pair must be generated on both the server and client. In
addition, the server needs to edit the public key of the client locally. After the
editing, the public key is bound to the local user.
Table 1-24 compares the RSA, DSA, SM2, X509v3-SSH-RSA, and ECC algorithms.
RSA authentication and DSA authentication: RSA and DSA are public key encryption systems and asymmetric encryption algorithms. They can effectively improve the encryption efficiency and simplify key management. The server checks whether the SSH user, public key, and digital signature are valid. User authentication succeeds only if all of them are the same as those configured on the server.
NOTE
For security purposes, do not use the RSA algorithm whose modulus bit value is less than
2048 for the SSH user. You are advised to use the ECC authentication algorithm instead.
The user level depends on the authentication mode and configuration selected by the
access user.
● If password authentication is selected for SSH users, the SSH user level is the same as
that configured in the AAA view.
● If public key authentication or PKI certificate authentication is used for SSH users, and
the ssh authorization-type default { aaa | root } command has been run to
configure a user authorization mode, the SSH user level is determined by the level
configured in the authorization mode.
● If the authorization mode is AAA, the user level is the one configured in the AAA
view.
● If the authorization type is root, the user level is the user level configured on the
VTY interface.
● If public key authentication or PKI certificate authentication is used for SSH users but
the ssh authorization-type default { aaa | root } command has not been run to
configure a user authorization mode, the SSH user level is determined by the level
configured in the AAA view.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh user user-name
An SSH user is created.
Item: Set the local user's access type to SSH.
Operation: Run the local-user user-name service-type ssh command.
----End
Context
Perform the following steps on the device to be used as an SSH server:
NOTE
For security purposes, do not use RSA keys whose length is less than 2048 bits. You are
advised to use RSA_SHA2_256 and RSA_SHA2_512 instead.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run the ssh server publickey { dsa | ecc | rsa | sm2 | x509v3-ssh-rsa | rsa-sha2-256 | rsa-sha2-512 | x509v3-rsa2048-sha256 } * command to configure a public key encryption algorithm for the SSH server.
Step 3 (Optional) Configure the maximum number of key pairs. Perform any of the
following operations based on the user requirements for system performance:
● Run the rsa key-pair maximum max-keys command to configure the
maximum number of RSA key pairs that can be created.
● Run the dsa key-pair maximum max-keys command to configure the
maximum number of DSA key pairs that can be created.
● Run the ecc key-pair maximum max-keys command to configure the
maximum number of ECC key pairs that can be created.
Step 4 (Optional) Select either of the following methods to create a key pair for an SSH
server.
● Method 1
– If the user requirements for system security are not high, run the rsa
local-key-pair create command to configure a local RSA key pair or run
the dsa local-key-pair create command to configure a local DSA key
pair.
– If the user requirements for system security are high, run the ecc local-
key-pair create command to configure a local ECC key pair.
● Method 2
– If the user requirements for system security are not high, run the rsa key-
pair label label-name [ modulus modulus-bits ] command to configure
a local RSA key pair or run the dsa key-pair label label-name [ modulus
modulus-bits ] command to configure a local DSA key pair.
– If the user requirements for system security are high, run the ecc key-
pair label label-name [ modulus modulus-bits ] command to configure
a local ECC key pair or run the sm2 key-pair label label-name
[ modulus modulus-bits ] command to configure a local SM2 key pair.
After keys are generated, run the ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key | sm2-host-key } key-name command to assign a key pair to an SSH server.
If the authentication mode is set to x509v3-ssh-rsa, run the ssh server assign pki pki-name command to configure a PKI certificate for the SSH server.
Step 5 Perform any of the following operations based on the SFTP service type:
● Run the sftp server enable command to enable the SFTP service.
● Run the sftp ipv4 server enable command to enable the IPv4 SFTP service.
● Run the sftp ipv6 server enable command to enable the IPv6 SFTP service.
NOTE
SSH uses port 22 to listen to packets. Running this command will enable this port to listen
to IPv4 and IPv6 TCP packets.
Step 6 (Optional) Run ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc
| aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | blowfish_cbc | sm4_cbc } *
NOTE
For security purposes, you are advised to use secure algorithms such as aes128_ctr,
aes256_ctr, aes192_ctr, aes128_gcm, and aes256_gcm.
Step 7 (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *
NOTE
For security purposes, you are advised to use secure algorithms such as sha2_256,
sha2_512, sm3.
NOTE
For security purposes, you are advised to use curve25519_sha256 as the key exchange
algorithm.
Step 9 (Optional) Run the ssh server dh-exchange min-len min-len command to configure the minimum key length supported during diffie-hellman-group-exchange key exchange with the SSH client.
NOTE
If the SSH client supports the diffie-hellman-group-exchange key exchange algorithm with
a length greater than 1024 bits, you are advised to run the ssh server dh-exchange min-
len command to set the minimum key length to 3072 bits to improve security.
----End
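Taken together, the NOTEs in Steps 2 through 9 form a checklist: no RSA below 2048 bits, AES CTR/GCM ciphers only, SHA-2 or SM3 HMACs, and a diffie-hellman-group-exchange minimum of 3072 bits. The following added example (written for this page, not Huawei code or output) audits a configuration-file excerpt against that checklist; it assumes each command is stored in the configuration file exactly as typed, in the form shown under Configuration Files later in this section, and that the ftp server enable command appears the same way.

```python
"""Audit an NE9000-style SSH/SFTP server configuration excerpt against the
hardening notes in this section (added example; not Huawei code or output)."""
import re
from typing import List, Optional

# Algorithm sets taken from the NOTEs in Steps 6 and 7; anything else the
# command accepts is reported.
RECOMMENDED_CIPHERS = {"aes128_ctr", "aes192_ctr", "aes256_ctr",
                       "aes128_gcm", "aes256_gcm"}
RECOMMENDED_HMACS = {"sha2_256", "sha2_512", "sm3"}
# Host-key algorithms the section advises against in favour of
# rsa-sha2-256 / rsa-sha2-512 (or ECC).
WEAK_PUBKEY_ALGS = {"rsa", "dsa"}
MIN_MODULUS_BITS = 2048      # "do not use RSA keys whose length is less than 2048 bits"
MIN_DH_EXCHANGE_BITS = 3072  # recommended ssh server dh-exchange min-len


def audit_ssh_config(config_text: str) -> List[str]:
    """Return one finding per weak setting in a configuration-file excerpt.
    Assumes each command is stored exactly as typed (the form shown under
    Configuration Files in this section)."""
    findings: List[str] = []
    dh_min_len: Optional[int] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' lines separate config blocks
            continue
        tokens = line.split()
        head = tokens[:3]
        if head == ["ssh", "server", "cipher"]:
            for alg in tokens[3:]:
                if alg not in RECOMMENDED_CIPHERS:
                    findings.append(f"cipher {alg} enabled; use AES CTR/GCM only")
        elif head == ["ssh", "server", "hmac"]:
            for alg in tokens[3:]:
                if alg not in RECOMMENDED_HMACS:
                    findings.append(f"hmac {alg} enabled; use sha2_256, sha2_512 or sm3")
        elif head == ["ssh", "server", "publickey"]:
            for alg in tokens[3:]:
                if alg in WEAK_PUBKEY_ALGS:
                    findings.append(f"publickey {alg} enabled; prefer rsa-sha2-256/512 or ecc")
        elif tokens[:4] == ["ssh", "server", "dh-exchange", "min-len"] and len(tokens) == 5:
            dh_min_len = int(tokens[4])
        elif head in (["rsa", "key-pair", "label"], ["dsa", "key-pair", "label"]):
            # rsa key-pair label <name> [ modulus <bits> ]
            m = re.search(r"\bmodulus\s+(\d+)$", line)
            if m and int(m.group(1)) < MIN_MODULUS_BITS:
                findings.append(f"{tokens[0]} key pair {tokens[3]} has a {m.group(1)}-bit "
                                f"modulus; use at least {MIN_MODULUS_BITS}")
        elif head == ["ftp", "server", "enable"]:
            # FTP carries data, user names and passwords in plaintext (Usage Scenario above).
            findings.append("ftp server enabled; FTP is plaintext, prefer SFTP")
    if dh_min_len is None:
        findings.append(f"ssh server dh-exchange min-len not set; set it to {MIN_DH_EXCHANGE_BITS}")
    elif dh_min_len < MIN_DH_EXCHANGE_BITS:
        findings.append(f"ssh server dh-exchange min-len is {dh_min_len}; "
                        f"set it to {MIN_DH_EXCHANGE_BITS}")
    return findings


# Constructed samples in the configuration-file form shown in this section.
WEAK_SAMPLE = """\
#
sysname SSH Server
#
ssh server cipher aes256_ctr 3des_cbc arcfour128
ssh server hmac sha2_256 md5
ssh server publickey rsa ecc
rsa key-pair label legacy modulus 1024
ssh server dh-exchange min-len 1024
ftp server enable
sftp server enable
#
return
"""

HARDENED_SAMPLE = """\
#
sysname SSH Server
#
ssh server cipher aes128_ctr aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server publickey ecc rsa-sha2-256
rsa key-pair label ops modulus 3072
ssh server dh-exchange min-len 3072
sftp server enable
#
return
"""

if __name__ == "__main__":
    for finding in audit_ssh_config(WEAK_SAMPLE):
        print("WEAK:", finding)
    print("hardened findings:", audit_ssh_config(HARDENED_SAMPLE))
```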
Context
Table 1-28 describes SSH server parameters.
Listening port number of an SFTP server: If the standard port is used as the listening port of the SFTP server, attackers may continuously access this port, consuming a large amount of bandwidth and deteriorating server performance. As a result, authorized users may fail to access the server. After the listening port number of the SFTP server is changed, attackers do not know the new listening port number, which prevents attackers from accessing the listening port and improves security.
Interval at which key pairs are updated: After an interval is set, key pairs are updated at the configured interval to improve security.
Timeout period for SSH authentication: If a user fails to log in when the timeout period for SSH authentication expires, the system disconnects the current connection to ensure system security.
ACL for the SSH server: An ACL on the SSH server specifies the clients that can access the SSH server running IPv6. This configuration prevents unauthorized users from accessing the SSH server, ensuring data security.
Keepalive feature: After this feature is enabled, the SSH server returns keepalive responses to an SSH client to check whether the connection between them is normal, facilitating fast fault detection.
Source interface of an SSH server: After the source interface is specified, the system only allows SFTP users to log in to the SSH server through the source interface. SFTP users logging in through other interfaces are denied.
Procedure
Step 1 Run system-view
----End
Context
When packets sent to the SSH server form a traffic burst, sessions may preempt
bandwidth. To resolve this problem, you can configure CAR for whitelisted SSH
sessions. This configuration isolates bandwidth resources between sessions. If the
default CAR parameters for whitelisted SSH sessions do not meet service
requirements, you can adjust them as required.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run whitelist session-car ssh-server { cir cir-value | cbs cbs-value | pir pir-value |
pbs pbs-value }*
CAR parameters are configured for whitelisted SSH sessions.
Step 3 (Optional) Run whitelist session-car ssh-server disable
CAR for whitelisted SSH sessions is disabled.
Step 4 Run commit
The configuration is committed.
----End
Context
When you run the ssh user username sftp-directory directoryname command, if
the username specified using username does not exist, an SSH user with the
specified username is created, and the configured directory is used as the
authorized SFTP service directory. In this case, you can also use the username
specified in the local-user user-name ftp-directory directory command for
authorization. If neither the configured authorized directory nor the default
authorized directory exists, an SFTP client fails to connect to the corresponding
SFTP server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure an authorized SFTP server directory for SSH users as required.
● Run the ssh user user-name sftp-directory directoryname command to
configure an authorized SFTP server directory for a specified SSH user.
● Run the sftp server default-directory sftpdir command to configure a default
authorized SFTP server directory.
NOTE
● Of the two preceding commands, the ssh user username sftp-directory directoryname
command has a higher priority but takes effect only for a specified SSH user.
● Of the two preceding commands, the sftp server default-directory sftpdir command
has a lower priority but takes effect for all SSH users.
----End
Context
Third-party software can be used to implement SFTP login. This example uses
third-party software OpenSSH and Windows Command Prompt.
NOTE
For details about how to install OpenSSH, see the software installation guide.
For details about how to use OpenSSH commands to log in to the device, see the software
help document.
Procedure
Step 1 Enter the Windows Command Prompt window.
If the command prompt of the SFTP client view, such as sftp>, is displayed, you
have entered the working path of the SFTP server.
----End
Context
After logging in to the SFTP server, you can perform the following operations:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run either of the following commands:
For IPv4:
Run the sftp [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ public-net | -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] * command to log in to the SSH server using an IPv4 address through SFTP and enter the SFTP client view.
For IPv6:
Run the sftp ipv6 [ -force-receive-pubkey ] [ -a source-ipv6-address ] host-ipv6-address [ [ [ -vpn-instance vpn-instance-name ] | public-net ] | [ -oi { interface-name | interface-type interface-number } ] [ port-number ] | [ prefer_kex { prefer_kex } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] * command to log in to the SSH server using an IPv6 address through SFTP and enter the SFTP client view.
Step 3 Perform one or more operations described in Table 1-30 as needed.
----End
Prerequisites
The configuration of SFTP-based file operations is complete.
Procedure
● Run the display ssh user-information username command on the SSH server
to check information about SSH users.
● Run the display ssh server status command to view the configuration of the
SSH server.
● Run the display ssh server session command on the SSH server to check
information about sessions between the SSH server and SSH clients.
● After configuring whitelist session-CAR for SSH, you can verify the
configuration.
– For IPv4, run the display cpu-defend whitelist session-car ssh statistics
slot slot-id command to check statistics about whitelist session-CAR for
SSH on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist session-car
ssh statistics slot slot-id command to clear the existing statistics about
whitelist session-CAR for SSH on a specified interface board, and then run
the display cpu-defend whitelist session-car ssh statistics slot slot-id
command.
– For IPv6, run the display cpu-defend whitelist-v6 session-car sshv6
statistics slot slot-id command to check statistics about whitelist session-
CAR for SSH on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist-v6 session-car
sshv6 statistics slot slot-id command to clear the existing statistics
----End
Prerequisites
You have logged in to the HTTPS server using HTTPS. For details, see 1.1.8.12
Logging In to a Device Using HTTP.
Context
When the device functions as a client, you can use HTTPS to obtain the version
package from the remote HTTPS server and save it to the local device for version
upgrade.
Procedure
Step 1 Run download file-url [ save-as file-path | [ ssl-policy policy-name [ ssl-verify
peer [ verify-dns ] ] | verify-dns ] | vpn-instance vpn-name ] *
The version package with the specified URL is downloaded to the corresponding
path of the device.
----End
Networking Requirements
You can log in to a device through a console port or using Telnet or STelnet to
manage directories on the device.
Precautions
● To log in to a device through a console port, you must prepare a terminal and
an RS-232 cable.
● To log in to a device using Telnet or STelnet, you must have configured a
Telnet or STelnet server and ensure that the server and terminal are routable.
For detailed configurations, see 1.1.5 User Login Configuration.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure login through a console port.
2. View the current directory.
3. Create a directory.
4. Check that the new directory is created.
Data Preparation
To complete the configuration, you need the following data:
● Name of the directory to be created
Procedure
Step 1 Configure login through a console port.
For detailed configurations, see 1.1.5.6.1 Example for Configuring Login
Through a Console Port.
Step 2 View the current directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
Step 4 View the current directory. The command output shows that the new directory has
been created.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
10 drw- - Jan 23 2010 11:10:42 abc
180,862 KB total (305,358 KB free)
----End
Networking Requirements
You can log in to a device through a console port or using Telnet or STelnet to
manage files on the device.
You must enter a correct path for storing files. If you do not specify a target file
name, the source file name is the target file name by default.
Precautions
● To log in to a device through a console port, you must prepare a terminal and
an RS-232 cable.
● To log in to a device using Telnet or STelnet, you must have configured a
Telnet or STelnet server and ensure that the server and terminal are routable.
For detailed configurations, see 1.1.5 User Login Configuration.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure login through a console port.
2. View files in a directory.
3. Copy a file to this directory.
4. Check that the file is copied to the specified directory.
Data Preparation
To complete the configuration, you need the following data:
● Source and target file names
● Source and target file paths
Procedure
Step 1 Configure login through a console port.
----End
Networking Requirements
As devices operate stably and are deployed on a large scale, more and more
devices need to be maintained and upgraded remotely. Online software upgrade, a
new upgrade method by loading software packages remotely, facilitates remote
online upgrades, reduces upgrade expenditures, shortens the time that customers
wait for upgrades, and improves customers' satisfaction. The delay, packet loss,
and jitter affect data transmission on networks. To ensure the quality of online
upgrade and data transmission, use FTP to perform online upgrades and transfer
files based on TCP connections.
As shown in Figure 1-44, you can log in to the FTP server from the terminal
emulation program to upload or download files.
Precautions
After you log in to the FTP server through the console port, configure an IP
address of a logical interface as the source address for FTP login.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for the management interface.
2. Enable the FTP server function.
3. Configure an authentication mode, authorization mode, and authorized
directory.
4. Log in to the FTP server by using the correct user name and password.
5. Upload a file to or download a file from the FTP server.
Data Preparation
To complete the configuration, you need the following data:
● IP address for the FTP server: 10.137.217.221
● FTP user name: huawei
● Path on which the file to be uploaded is saved and the path on which the file
to be downloaded is saved
Procedure
Step 1 Configure an IP address for the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname server
[*HUAWEI] commit
[~server] interface GigabitEthernet0/0/0
[~server-GigabitEthernet0/0/0] undo shutdown
NOTE
A password is entered in man-machine interaction mode. The system does not display the
entered password.
Special characters do not include question marks (?) or spaces. However, when double quotation marks are used around a password, spaces are allowed in the password.
● If a quoted password contains spaces, it cannot also contain double quotation marks.
● If a quoted password contains no spaces, it may contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*server-aaa] local-user huawei service-type ftp
[*server-aaa] local-user huawei ftp-directory cfcard:/
[*server-aaa] local-user huawei level 3
[*server-aaa] quit
[*server] commit
Step 4 Run the ftp command at the Windows command prompt, and enter the correct
user name and password to set up an FTP connection to the FTP server.
Step 5 Upload a file to or download a file from the FTP server.
NOTE
You can run the dir command before downloading a file or after uploading a file to view
the detailed information about the file.
----End
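The quoting rules in the NOTE under Step 3 above are easy to misread, so here they are as an added Python check (written for this page, not Huawei code). It takes the password exactly as it would be typed at the prompt, surrounding quotation marks included; the 8-128 length range is the one the device's own password prompt shows in the SFTP example later in this section, and treating it as applying to every local-user password is an assumption.

```python
"""Validate a local-user password string against the quoting rules in this
section's NOTE (added example; not Huawei code)."""

# Range shown in the device prompt "Please configure the passward (8-128)";
# applying it to every local-user password is an assumption.
MIN_LEN, MAX_LEN = 8, 128


def is_valid_local_user_password(typed: str) -> bool:
    """typed is the password as entered on the command line, including any
    surrounding double quotation marks."""
    quoted = len(typed) >= 2 and typed[0] == '"' and typed[-1] == '"'
    # Surrounding quotation marks are delimiters, not part of the password.
    password = typed[1:-1] if quoted else typed
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    # A question mark is never allowed (on this CLI '?' is the help key).
    if "?" in password:
        return False
    if " " in password:
        # Spaces are allowed only when the password is wrapped in quotes ...
        if not quoted:
            return False
        # ... and a quoted password with spaces cannot also contain quotes.
        if '"' in password:
            return False
    return True


if __name__ == "__main__":
    # The two examples from the NOTE, plus constructed edge cases.
    for candidate in ['"Aa123"45""', '"Aa 123"45""', "Aa123?45", "Aa 12345", '"Aa 12345"']:
        print(f"{candidate!r}: {is_valid_local_user_password(candidate)}")
```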
Networking Requirements
As the device deployment scale increases, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a new upgrade
method by loading software packages remotely, facilitates remote upgrades,
reduces upgrade costs, shortens the time that customers wait for upgrades, and
improves customers' satisfaction. FTP is usually used to transmit data for online
upgrades. FTP transmits data and even user names and passwords in plaintext,
bringing security risks.
SFTP resolves the security issue. It enables you to securely log in to a remote
device for file management, improving data transmission security. You can then
transfer files and perform online upgrades.
As shown in Figure 1-45, after the SFTP service is enabled on the device that
functions as an SSH server, you can log in to the server in password, RSA,
password-RSA, DSA, password-DSA, ECC, password-ECC, SM2, password-SM2,
x509v3-ssh-rsa, password-x509v3-rsa, or All authentication mode from the PC that
functions as an SFTP client.
Precautions
After you log in to the SFTP server through the console port, configure an IP
address of a logical interface as the source address for SFTP login.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the SSH server to generate a local key pair to securely exchange
data between the client and the server.
2. Create an SSH user and configure an authentication mode, username,
password, and authorized directory for the user.
3. Enable the SFTP service on the SSH server and configure a service type.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an IP address for the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] interface GigabitEthernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[*SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.223 255.255.0.0
[*SSH Server-GigabitEthernet0/0/0] quit
[*SSH Server] commit
Step 2 Configure the SSH username and password on the SSH server.
[*SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the passward (8-128)
Enter Password:
Confirm Password:
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] quit
[*SSH Server] commit
Step 3 Enable the SFTP service and set the service type to SFTP.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*SSH Server-LoopBack0] quit
[*SSH Server] sftp server enable
[*SSH Server] ssh server-source -i loopback 0
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] commit
Start the SFTP software on the client, and enter the username, password, and port
number (22 by default) to access the SSH server and transfer files.
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
aaa
local-user client001 password cipher @%@%.OuC6Vo7Z,A'y~/KB&,vmd@%@%
local-user client001 service-type ssh
local-user client001 level 3
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.223 255.255.0.0
#
interface LoopBack 0
ip address 10.1.1.1 255.255.255.255
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp stelnet
ssh user client001 sftp-directory cfcard:/
#
return
Networking Requirements
As the device deployment scale increases, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a new upgrade
method by loading software packages remotely, facilitates remote upgrades,
reduces upgrade costs, shortens the time that customers wait for upgrades, and
improves customers' satisfaction. FTP is usually used to transmit data for online
upgrades. FTP transmits data and even user names and passwords in plaintext,
bringing security risks.
SFTP resolves the security issue. It enables you to securely log in to a remote
device for file management, improving data transmission security. You can then
transfer files and perform online upgrades.
As shown in Figure 1-46, after the SFTP IPv6 service is enabled on the device that
functions as an SSH server, you can log in to the server in password, RSA,
password-RSA, DSA, password-DSA, ECC, password-ECC, SM2, password-SM2,
x509v3-ssh-rsa, password-x509v3-rsa, or All authentication mode from the SFTP
IPv6 client.
Precautions
After you log in to the SFTP server through the console port, configure an IPv6
address of a logical interface as the source IPv6 address for SFTP login.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the SSH server to generate a local key pair to securely exchange
data between the client and the server.
2. Create an SSH IPv6 user and configure an authentication mode, username,
password, and authorized directory for the user.
3. Enable the SFTP IPv6 service on the SSH server and configure a service type.
Data Preparation
To complete the configuration, you need the following data:
● SFTP software installed on the SFTP client
● User's authentication mode (password) and username (client001)
● User level (3) of client001
● IPv6 address (2001:db8::1/32) of the SSH server
● IPv6 routes available between the SFTP client and server
● User type (SSH) and authentication mode (password)
Procedure
Step 1 Configure an IP address for the management interface of the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] interface GigabitEthernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ipv6 enable
[*SSH Server-GigabitEthernet0/0/0] ipv6 address 2001:db8::1 32
[*SSH Server-GigabitEthernet0/0/0] quit
[*SSH Server] commit
Step 3 Enable the SFTP function and set the service type to SFTP.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 2001:db8::2 64
[*SSH Server-LoopBack0] quit
[~SSH Server] sftp ipv6 server enable
[*SSH Server] ssh ipv6 server-source -i loopback 0
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] commit
Start the SFTP software on the client, and enter the username, password, and port
number (22 by default) to access the SSH server and transfer files.
----End
Context
As increasingly new types of services emerge, higher requirements are imposed on
devices. For example, it is required that services take effect after being configured,
invalid configurations be discarded, and impact on the existing services be
minimized.
The following table describes the advantages and disadvantages of the immediate
and two-phase validation modes.
Offline Configuration
The system supports offline configuration. Specifically, after you configure
interfaces on a board and then remove the board, the configurations are not
affected and you can continue to configure the interfaces.
If you install another board in the slot, the impacts on the previous configurations
are as follows:
● The new board has the same type as the previous board.
The system automatically restores the configurations of all interfaces on the
new board. Then, you can view interface configurations and configure the
interfaces on the new board.
● The new board has interfaces of a different type than the previous board.
The system deletes the configurations of all interfaces on the previous board.
The deleted configurations cannot be restored.
For example, board A has interfaces of type P and configuration information.
a. Remove board A and install board C with interfaces of type E.
b. Remove board C without configuring its interfaces. If you run the display
this command in the interface view on board C, the command output
does not contain original configurations on board A.
c. Install board A or another board with interfaces of type P. If you run the
display this command in the interface view of board A or the board with
interfaces of type P, the command does not contain original
configurations on board A, either.
● The new board has a different number of interfaces of the same type as those
on the previous board.
– If the new board has more interfaces than the previous board does, the
system performs the following operations:
Feature Requirements
Usage Scenario
Before configuring a service, you must enter a configuration view. After the
configuration view is displayed, the system initiates the corresponding
configuration transaction based on the configured validation mode. To
immediately validate configurations, configure the immediate validation mode. To
Pre-configuration Tasks
Before configuring a validation mode, log in to a device and enter the user view.
Context
Before configuring a service, you must enter the system view. After the system
view is displayed, the system initiates the corresponding configuration transaction
based on the configured validation mode. In immediate validation mode, after you
enter a command and press Enter, the system performs a syntax check. If the
check is successful, the configuration immediately takes effect.
Procedure
Step 1 (Optional) Run configuration exclusive
Configurations are locked in the user view.
To use the running database exclusively, lock configurations on the router to
prevent other users from configuring services or committing configurations. Other
users can configure services in the running database only after you unlock
configurations.
To view information about the user who locked the configuration database, run
the display configuration-occupied user command.
NOTICE
After locking configurations, you can edit and commit configurations. Other users
can view and edit configurations but cannot commit configurations.
Other users can configure services in the running database only after you unlock
configurations.
NOTE
To prevent a service from being affected, you can lock the configuration of the service as
soon as the service process is initiated. When the configuration is being locked,
configurations cannot be committed. The configuration of the service remains locked until
the service process successfully starts. During this period, the configuration cannot be
modified but can be viewed.
If the configuration fails to be committed, wait 30 seconds and commit the configuration
again. If the configuration fails to be committed again, a user has locked the configuration.
In immediate validation mode, the command prompt is as follows:
<HUAWEI> system-view immediately
[HUAWEI]
Step 3 (Optional) If the configuration has been locked, run the quit command to return
to the user view. Then, run the undo configuration exclusive command to unlock
the configuration.
NOTICE
After locking the configuration, you must unlock it after completing the
configuration. Otherwise, configurations of other users cannot take effect.
----End
Context
The two-phase validation mode enhances configuration security and reliability and
minimizes the impact of configurations on services. If the configuration of a
service that has taken effect does not meet your expectation, roll the system back
to the status before the configuration is committed.
Procedure
Step 1 (Optional) Run configuration exclusive
Configurations are locked in the user view.
To use the running database exclusively, lock configurations on the router.
NOTICE
After locking configurations, you can edit and commit configurations. Other users
can view and edit configurations but cannot commit configurations.
Other users can configure services in the running database only after you unlock
configurations.
NOTE
You can run the clear configuration candidate command to delete all
uncommitted configurations.
● To disable the trial running function before the trial running times out, run
the abort trial [ { session session-id | persist persistId } ] command to roll
the configuration back to the status before the trial running.
● To view the trial running status of a system configuration, run the display
configuration trial status command.
NOTE
To prevent a service from being affected, you can lock the configuration of the service as
soon as the service process is initiated. When the configuration is being locked,
configurations cannot be committed. The configuration of the service remains locked until
the service process successfully starts. During this period, the configuration cannot be
committed but can be viewed.
If the configuration fails to be committed, wait 30 seconds and commit the configuration
again. If the configuration fails to be committed again, a user has locked the configuration.
Step 6 (Optional) If the configuration has been locked, run the quit command to return
to the user view. Then, run the undo configuration exclusive command to unlock
the configuration.
NOTICE
After locking the configuration, you must unlock it after completing the
configuration. Otherwise, configurations of other users cannot take effect.
----End
Context
If you run some undo commands by mistake, configurations of related features
are deleted, causing interruption of services or networks. To avoid misoperations,
re-confirmation is required by default when running the following commands:
undo mpls, undo mpls te, undo mpls rsvp, undo mpls ldp, undo mpls l2vpn,
undo multicast ipv6 routing-enable, undo multicast routing-enable, undo
pim, undo igmp, undo bfd.
You are advised to enable the function because misoperations will cause services
to be unavailable.
Procedure
Step 1 Run system-view
----End
Procedure
Step 1 Run system-view
The time when configuration rollback points are periodically generated is set.
----End
Context
If you have committed configurations but find unexpected results, roll the system
back to a specified historical configuration state.
Procedure
Step 1 (Optional) Select a validation mode and edit and commit configurations.
NOTE
The system supports two validation modes: immediate mode and two-phase validation
mode.
● In immediate validation mode, after you run a command and press Enter, the system
checks whether the current configuration is different from the previous one. If they are
different, the system commits the current configuration and generates a configuration
rollback point. Multiple configuration rollback points may be created for a feature.
● In two-phase validation mode, after you run a series of commands, the system checks
the differences between the current configuration and the previous one and generates
a configuration rollback point only when you run the commit [ description
description ] command. The configurations of multiple commands for a service take
effect in batches. You can run the description description command to add a brief
description for a configuration rollback point, allowing rapid locating of a desired
configuration rollback point. The two-phase validation mode is recommended for
configuration editing and committing.
● Run the system-view immediately command to enter the system view in
immediate validation mode. After you run commands to edit configurations,
the new configurations take effect immediately.
Step 2 Check the configuration rollback point list and configuration difference.
1. Run the display configuration commit list [ verbose ] [ number-of-commits
| label ] command to check the configuration rollback point list, determine
whether a configuration rollback point is generated, and view information
about each configuration rollback point.
To view information about the most recent configuration rollback points,
specify number-of-commits.
2. Run the display configuration commit changes [ at commit-id | since
commit-id | last number-of-commits ] command to view configuration
changes. Based on the configuration changes, you can determine whether to
roll back system configurations and check the impact of the configuration
rollback operation on system performance.
To view configuration changes at all configuration rollback points, run this
command with no parameter specified.
To view the configuration changes at a configuration rollback point, specify at
commit-id.
To view configuration changes since a configuration rollback point, specify
since commit-id.
To view configuration changes at the most recent configuration rollback
points, specify last number-of-commits.
After the configuration rollback operation is complete, you can run the display
configuration rollback result command to view the result of the latest
configuration rollback operation.
● If the current configuration is incorrect or the configuration of the
configuration rollback point meets user requirements, you can perform the
following steps to load the configuration corresponding to the configuration
rollback point, and then edit the required content:
a. Run the return command to return to the user view. This ensures that no
additional configuration is committed after the configuration rollback
operation begins.
b. Run the system-view command to enter the system view.
c. Run the load configuration rollback changes { at commit-id at-commit-id |
to commit-id commit-id | last number-of-commits | to label user-label }
command to load the configuration of a specified configuration rollback
point or the configuration with a specified user label.
NOTE
After the configuration rollback operation is complete, you can run the display
configuration rollback changes load-result command to view the result of the
latest configuration rollback operation.
----End
Usage Scenario
You can save the current configurations into the configuration file. After the
system restarts, configurations can be restored.
Pre-configuration Tasks
Before managing configuration files, complete the following tasks:
● Power on a router and ensure that it is working properly.
● Configure an account and an authentication mode.
● Configure a reachable route between the router and a terminal.
● Log in to the router.
1.1.7.6.2 Setting a Default Configuration File for the Startup with Base
Configuration
If a device is upgraded to the current version and starts with base configuration,
engineers need to perform onsite configuration, which is inconvenient for O&M.
To implement plug-and-play upon the restart of a device with base configuration,
specify a default configuration file for the device. For details, see 1.1.7.6.6
Specifying the Configuration File to Be Loaded at the Next Startup. Note that
the default configuration file must contain configurations required by the
plug-and-play function. When the device with base configuration starts the next
time, it uses the default configuration file for configuration restoration. The
default-custom.defcfg file is the default configuration file of the device. It is used only
when the device goes online for the first time and can be modified as required.
The content of this file is as follows:
#
ssh server-source all-interface
ssh ipv6 server-source all-interface
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh server publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
return
NOTE
The password in the file can be set to a user-defined simple one. To improve security, it is
recommended that the password contain multiple types of the following characters:
uppercase letters, lowercase letters, digits, and special characters.
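The key-exchange and publickey lists in the default configuration file above are the settings an operator will most likely want to review before the file is used on a first boot. The following Python script is an added example, not part of this guide or of the NE9000 software: it parses the ssh server/client key-exchange and publickey lines of a file in the format shown above and reports the algorithms whose names end in _sha1. The sample text is the default-custom.defcfg content printed above with its wrapped lines joined; treating the _sha1 suffix as the review criterion is this example's own policy assumption, not a statement from the guide, and the set can be changed to match local policy.

```python
import re

# Constructed sample: the default-custom.defcfg content shown in the guide,
# with the wrapped key-exchange lines joined into single lines.
SAMPLE_DEFCFG = """#
ssh server-source all-interface
ssh ipv6 server-source all-interface
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh server publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
return
"""

# Matches "ssh <server|client> <key-exchange|publickey> alg1 alg2 ...".
# "ssh server-source ..." does not match because a space must follow the role.
SSH_ALG_LINE = re.compile(r"^ssh (server|client) (key-exchange|publickey) (.+)$")

# Policy assumption of this example: algorithm names ending in _sha1 are
# flagged for review. Adjust to local policy as needed.
REVIEW_SUFFIXES = ("_sha1",)


def parse_ssh_algorithms(config_text):
    """Return {(role, setting): [algorithm, ...]} for every SSH algorithm
    list found in the configuration text."""
    lists = {}
    for line in config_text.splitlines():
        match = SSH_ALG_LINE.match(line.strip())
        if match:
            role, setting, algs = match.groups()
            lists[(role, setting)] = algs.split()
    return lists


def algorithms_to_review(algs):
    """Subset of algs whose names carry one of the review suffixes."""
    return [a for a in algs if a.endswith(REVIEW_SUFFIXES)]


def audit(config_text):
    """Return [(role, setting, [flagged algorithms]), ...] sorted by role and
    setting; an empty list means nothing was flagged."""
    findings = []
    for (role, setting), algs in sorted(parse_ssh_algorithms(config_text).items()):
        flagged = algorithms_to_review(algs)
        if flagged:
            findings.append((role, setting, flagged))
    return findings


if __name__ == "__main__":
    for role, setting, flagged in audit(SAMPLE_DEFCFG):
        print(f"ssh {role} {setting}: review {', '.join(flagged)}")
```

Run against a file exported from a device, the script lists each ssh server/client setting that still carries a flagged algorithm, so the operator can decide whether to edit the default configuration file before it is loaded.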
Context
To avoid configuration loss on a device due to power-off or an unexpected reset,
the system supports automatic and manual configuration saving.
The configuration file can be automatically saved on the local device or the
backup server. If the local database is insufficient in space or damaged or disaster
tolerance backup is required, save the configuration file on the backup server to
harden the database security.
Perform the following steps on a device.
Procedure
● Enable the system to automatically save configurations.
a. Run the system-view command to enter the system view.
b. Run the set save-configuration [ interval interval | cpu-limit cpu-usage
| delay delay-interval ] * command to enable the system to automatically
save configurations.
● When TFTP is used to transmit files, run the tftp client-source command to
configure the loopback interface of the router as the source address of the
client.
● The system supports a maximum of five file servers. The servers are
independent of each other. If a file fails to be uploaded to one of the servers,
the system reports an alarm to the NMS and records a log locally.
● In disaster recovery scenarios, you can run the set save-configuration
backup-to-server command repeatedly to configure multiple file servers.
Before running this command, you need to enable the auto-save function
using the set save-configuration command and enable the FTP, SFTP, or
TFTP service on the server.
● A device supports a server with the same IP address but different VPN
instances. To be specific, if different VPN instances have been configured for a
server with a specific IP address, the device can send configuration files to any
of the VPN instances.
● Save configurations manually.
Run the save command to save the current configuration.
The configuration file name extension must be .dat, .cfg, or .zip.
NOTE
When you save the configuration file for the first time without specifying
configuration-file, you are asked whether to name the configuration file vrpcfg.zip.
The configuration file containing only the default configurations is initially named
vrpcfg.zip.
----End
Context
NOTE
Procedure
Step 1 Run compare configuration [ configuration-file ]
The current configuration is compared with the configuration file for the next
startup or a specified configuration file.
After a series of operations are performed, you can run the compare
configuration command to compare whether the current configurations are
identical with the next startup or a specified configuration file from the first line.
The command output helps decide whether to save and set the current
configurations as the next startup configuration file.
The command output respectively displays nine lines of the current configurations
and the next startup or a specified configuration file from the line that contains
differences. If the lines from the differences to the end of the configuration file are
less than nine, the command displays the content till the end of the configuration
file.
----End
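The nine-line window described above can be reproduced offline on two saved files. The following Python function is an added example, not an NE9000 command or Huawei code: it finds the first line at which the current configuration and a configuration file differ and returns up to nine lines of each from that point, which is the behaviour the guide describes for compare configuration. Both configuration texts are constructed samples (10.1.1.1 is the address used in the configuration file example later in this guide; 192.0.2.1 is a documentation address).

```python
WINDOW = 9  # lines shown from the first difference, as described for compare configuration

# Constructed sample: the current running configuration.
RUNNING = """#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
 ip address 192.0.2.1 255.255.255.255
#
return
"""

# Constructed sample: the next-startup configuration file, saved before the
# address was changed and the loopback interface was added.
NEXT_STARTUP = """#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
return
"""


def first_difference(a_lines, b_lines):
    """Index of the first line that differs, or None when both lists are
    identical. A longer file differs at the index where the shorter one ends."""
    for i in range(max(len(a_lines), len(b_lines))):
        if i >= len(a_lines) or i >= len(b_lines) or a_lines[i] != b_lines[i]:
            return i
    return None


def compare_configuration(current, saved, window=WINDOW):
    """Return None when identical; otherwise the 1-based line number of the
    first difference and up to `window` lines of each text from that line."""
    cur, sav = current.splitlines(), saved.splitlines()
    start = first_difference(cur, sav)
    if start is None:
        return None
    return {
        "line": start + 1,
        "current": cur[start:start + window],
        "saved": sav[start:start + window],
    }


def render(result):
    """Format a compare_configuration result for display."""
    if result is None:
        return "The current configuration and the configuration file are identical."
    out = [f"First difference at line {result['line']}",
           "==== current configuration ===="]
    out += result["current"]
    out.append("==== configuration file ====")
    out += result["saved"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(compare_configuration(RUNNING, NEXT_STARTUP)))
```

When the remaining lines after the difference are fewer than nine, the slices simply end with the file, matching the guide's note that the output stops at the end of the configuration file.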
Context
To load the configuration file on the remote server or local configuration file to
the running configuration database, perform the following steps:
This function is supported only in the two-phase configuration validation mode.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform one of the following operations based on the location of the
configuration file:
● Run the load configuration file file-name merge [ relative ] command to
load the local configuration file and deliver configurations.
● Run the load configuration server ip-address [ vpn-instance
vpn-instance-name ] transport-type { ftp | sftp } username user-name password
password-value file file-name merge [ relative ] command to load the
configuration file on an IPv4 server and deliver configurations to the local
device.
● Run the load configuration server ipv6 ipv6-address [ vpn-instance
vpn-instance-name ] transport-type { ftp | sftp } username user-name password
----End
Context
After the system restarts, it uses the specified configuration file to restore
configurations.
Procedure
● Run startup saved-configuration configuration-file
NOTE
● The extension of the configuration file must be .defcfg, and the configuration file
must have been stored in the root directory of the device before being specified as
the default configuration file.
● The size of the default configuration file cannot exceed 50 KB.
● Exercise caution when running this command. If this command is required, run it
with assistance from technical support personnel.
----End
Context
The configuration file needs to be cleared in either of the following situations:
● The system software does not match the configuration file after the router is
upgraded.
● The configuration file is damaged or an incorrect configuration file is loaded.
Procedure
● Clear the currently loaded configuration file.
Run reset saved-configuration
The configuration file loaded at the current startup is cleared.
NOTE
Before clearing the configuration file of the router, the system compares the
configuration file loaded at the current startup with that to be loaded at the next
startup.
● If the two configuration files are the same, running this command clears both of
them. To ensure that a configuration file is available at the next startup, you must
specify a configuration file on the router.
● If the two configuration files are different, running this command clears only the
configuration file loaded at the next startup.
● If the configuration file loaded at the current startup of the router is empty and
this command is run, the system displays a message, indicating that the
configuration file does not exist.
Exercise caution when running this command. If this command is required, run it with
assistance from Huawei technical support personnel.
● Delete all configurations from an interface at a time.
You can delete configurations from an interface at a time using either of the
commands listed in Table 1-33.
NOTE
Exercise caution when running this command. If this command is required, run it with
assistance from Huawei technical support personnel.
● Delete the non-activated configuration data of the and absent boards.
a. Run system-view
The system view is displayed.
b. Run clear inactive-configuration { slot slot-id [ card card-number ] | all
The non-activated configurations are deleted.
----End
Context
The device data is saved in the central database and service process databases.
Each service process database needs to synchronize data from the central
database. If the data in a service process database is inconsistent with that in the
central database, the host behaviors may not meet operator expectations, causing
NOTE
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run set configuration appdata auto-check enable
The function to automatically check whether data in the service process database
is the same as that in the central database is enabled.
Step 3 Run commit
The configuration is committed.
----End
Context
In normal situations, configuration data is consistent between the master and
slave main control boards of a device. If the configuration data is inconsistent and
a master/slave main control board switchover happens to occur, the configuration
data on the original master main control board will be lost. To prevent this
problem, run the configuration inconsistent slave detect enable command to
enable a device to automatically check the configuration data consistency at a
specified time. If data inconsistency is detected, the device immediately reports an
alarm, prompting you to analyze the impact of the inconsistency on the device. To
remove this inconsistency, you can save the current configuration and then restart
the device.
NOTE
This configuration process is supported only on the Admin-VS.
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Context
Multiple users can access a device and manage it. A user can be a controller or
another type of user. If the configuration of a forwarder is modified by a
non-controller user, the configurations of the controller and forwarder may be
inconsistent. The following steps can be used to specify the controller to lock the
system configuration of a forwarder to avoid the inconsistency.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run configuration exclusive by-user-name user-name
The system configuration is locked by a specified user.
Step 3 Run commit
The configuration is committed.
----End
Follow-up Procedure
Run the display configuration exclusive by-user-name command to view lock
information of the system configuration locked based on user name.
Context
Configurations in different views may be identical. To simplify the configurations,
create a configuration template, define configurations that are duplicate in
different views in it, and apply the configuration template to specified views.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run command group group-name
A configuration template is created, and the configuration template view is
displayed.
Step 3 Before you configure a service view instance, enter the service view instance. For
example, in the interface view, run interface interface-group-name
The configuration template is associated with Loopback interfaces.
NOTE
Run service view instance commands using regular expressions in the configuration
template view. For example, run the interface <Loopback.> command to associate
loopback interfaces on the device with the current configuration template.
+ : Matches the preceding element once or more times. Example: 10+ matches 10,
100, 1000, and so on; (10)+ matches 10, 1010, 101010, and so on.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
Step 4 Configure data to be delivered. In the following example, IPv6 is enabled. Run ipv6
enable
IPv6 is enabled.
Step 5 (Optional) Run display this command group candidate merge
Configurations in the configuration template are displayed.
If the existing configuration template is not needed, run the abort command to
discard the existing configuration template and exit the configuration template
view.
Step 8 Run interface interface-type interface-number
Loopback interfaces are created.
Step 9 Run apply-command-group group-name & < 1-8 >
The configuration template is applied to the view.
NOTE
● If this command is run in the system view, the device delivers the configurations in the
configuration template to all matching service view instances.
● If this command is run in a specified service view instance, the device delivers the
configurations in the configuration template to the specified service view instance.
● Multiple configuration templates can be applied in a single service view instance.
● Multiple configuration templates can be specified in a single
apply-command-group command.
The command specified in the undo command-string command can only be a service view
instance that is associated with the configuration template or the command that has been
run in that service view instance. If a service view instance is deleted, all configurations in
the configuration template that applies to the instance are also deleted.
----End
Follow-up Procedure
● Run the display current-configuration [ inheritance [ no-comment ] ]
command to check configurations in the configuration template.
● Run the display this [ inheritance [ no-comment ] ] command in a specified
view to view configurations in the configuration template.
Context
Before committing a set of configuration, you can view the difference between the
modified configuration and current running configuration. If the running
NOTE
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run display configuration candidate changes
The difference between the candidate configuration and current running
configuration is displayed.
If the system displays a message indicating that the current configuration is
changed, go to Step 3 to resolve the configuration conflict and then perform this
step to view the configuration difference.
Step 3 (Optional) Run refresh configuration candidate
The candidate configuration is updated to resolve the configuration conflict.
If a configuration conflict occurs, perform this step to resolve the conflict.
----End
Prerequisites
The configuration file for the next startup has been loaded.
Procedure
● Run the display configuration configuration-file command to check
information about a specified configuration file.
● Run the display saved-configuration last command to check information
about the configuration file loaded at the current startup.
● Run the display saved-configuration configuration command to check
information about the configuration file to be loaded at the next startup.
● Run the display startup command to check the names of the system
software, the configuration file loaded at the current startup, and the
configuration file to be loaded at the next startup.
----End
Replacing Configurations
This section describes how to replace the configurations on multiple devices that
share the same source to achieve configuration consistency between the devices.
Usage Scenario
In a scenario where a management server manages a device, the server stores the
configurations required by the device. If the configurations on the management
server change, the configurations on the device also need to be changed
accordingly. In this case, you can load the configuration file on the management
server and use this file to replace the configurations on the device, achieving
configuration consistency between the management server and the device.
If one of the devices with the same configurations encounters a configuration
change, the configurations of other devices must be changed accordingly to keep
configuration consistency. In this case, you can load the configurations on the
device with the configuration change to replace the configurations on the other
devices. This ensures that the configurations on all the devices are the same.
The configuration replacement function can replace the entire configuration file
on the current device or the configuration in a specific view, depending on the
content in the source configuration file to be loaded. If the source configuration
file contains the configurations of an entire device, this function replaces all
configurations on the current device. If the source configuration file contains the
configurations only in a specific view (the configurations saved in a view
automatically carry the <replace/> tag), this function replaces the configurations
in the corresponding view.
This function is supported only in the two-phase configuration validation mode.
Procedure
Step 1 Save configurations in a configuration file.
● To load the configuration file of a local device to replace the current running
configurations, perform the following steps on the local device:
– Run the save [ configuration-file ] command in the user view to save the
configuration file of the entire device.
– Run the save configuration-file command in the service view to save the
configuration file in the corresponding view. Then, return to the user
view.
NOTE
If a local configuration file is loaded to replace the current device configuration, the
local configuration file must be stored in the root directory of the device. The save
command saves a configuration file to the root directory by default.
● To load the configuration file of a remote device to replace the current
running configurations, perform the following steps on the remote device:
– Run the save [ configuration-file ] command in the user view to save the
configuration file of the entire device.
– Run the save configuration-file command in the service view to save the
configuration file in the corresponding view. Then, return to the user
view.
NOTE
If you run the command in a non-user view, the configuration-file parameter must be
specified and the file name extension must be .zip or .cfg.
Step 2 Load the configuration file to replace the current running configurations.
1. Run system-view
The system view is displayed.
2. Run any of the following commands according to the location of the source
configuration file to be loaded:
– Run the load configuration file filename replace [ relative ] command
to load a local configuration file and use it to replace the configuration
file in use.
– Run the load configuration { server ip-address | server ipv6 ipv6-address }
[ vpn-instance vpn-instance-name ] transport-type { ftp | sftp } username
user-name password password file filename replace [ relative ] command to
load the configuration file of a specified remote server and use it to
replace the configuration file in use on the local device.
– Run the load configuration server http url url-address [ vpn-instance
vpn-instance-name ] [ file filename ] replace [ relative ] command to load
a configuration file on the remote server with a specified URL and use it
to replace the configuration file in use on the local device.
NOTE
The specified configuration file to be loaded must exist and meet the following
conditions:
– The configuration file can contain only configuration commands, view switching
commands, and pound signs (#). If you load other types of commands, such as
display commands used for query, reset/save/ping commands used for
maintenance, quit, commit, return, upgrade-compatible commands, and
one-phase configuration validation commands, the device reports an error and
continues to load follow-up commands.
– The interactive commands in the configuration file support only Y/N automatic
interaction.
– The indentation of commands in the configuration file must be correct. In the
configuration file, the commands in the system view and the level-1 view under
the system view must be left-aligned, the commands in the level-1 view must be
indented by one space, and each subsequent view must be indented by one more
space.
– If the pound sign (#) is left-aligned, the system view is displayed. If the pound
sign (#) is indented, it is used only to isolate command blocks; in this case, the
pound sign (#) must be aligned with the first command in the following
command block. If the pound sign (#) is incorrectly used, configurations may be
lost, or commands may be run in an unexpected view.
– The configuration file name extension must be .zip, .cfg, .txt, .dat, or .bat, or the
file name does not have an extension. In FTP or SFTP mode, a file name can
contain a server directory. A file name does not contain the following special
characters: ~, ?, *, /, \, :, ", |, <, >, [, and ].
▪ Both .cfg and .txt files are text files whose content can be directly viewed. If
a .cfg or .txt file is specified as the configuration file to be loaded, the
system restores the commands in the file one by one during the
replacement process.
▪ A .dat file is a compressed file, which can be in binary or text mode. Only
a .dat file exported from a Huawei device is supported, and the file cannot
be modified manually. Otherwise, the file fails to be loaded.
▪ A .bat file is used for batch processing. It is a text file that can be modified
manually.
3. (Optional) Run display configuration candidate
----End
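The conditions listed in the note to Step 2 can be checked on a workstation before a file is loaded, which avoids the error-and-continue behaviour on the device. The following Python script is an added example, not part of this guide or of the NE9000 software: it checks a file name against the extension and character rules above, then walks the file content and flags the command types the guide says cannot be loaded (display, reset, save, ping, quit, commit, return, upgrade-compatible, and system-view immediately as the one-phase validation command), indentation that goes more than one level deeper than the previous line, and indented pound signs that are not aligned with the first command of the following block. The two configuration texts are constructed samples; reading the indentation rule as "a line may be at most one space deeper than the line before it" and stripping a server directory from FTP/SFTP names are this example's own assumptions.

```python
import os

# Characters the guide says must not appear in a configuration file name.
FORBIDDEN_NAME_CHARS = set('~?*/\\:"|<>[]')
# Extensions the guide permits for a file to be loaded ("" = no extension).
ALLOWED_EXTENSIONS = {"", ".zip", ".cfg", ".txt", ".dat", ".bat"}
# Command types the guide says cause an error when present in the file.
DISALLOWED_COMMANDS = {"display", "reset", "save", "ping", "quit", "commit",
                       "return", "upgrade-compatible"}

# Constructed sample that satisfies all rules (bgp section is illustrative).
GOOD_CONFIG = """#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
bgp 100
 ipv4-family unicast
  peer 10.1.1.2 enable
 #
 ipv6-family unicast
#
"""

# Constructed sample with three problems: a two-level indentation jump,
# a display command and a return command.
BAD_CONFIG = """#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
 undo shutdown
   ip address 10.1.1.1 255.255.255.0
#
display current-configuration
#
return
"""


def check_file_name(name):
    """Return a list of problems with the file name (empty = acceptable).
    Assumption: an FTP/SFTP server directory may precede the name, so only
    the last path component is checked."""
    base = name.rsplit("/", 1)[-1]
    problems = []
    bad = sorted({c for c in base if c in FORBIDDEN_NAME_CHARS})
    if bad:
        problems.append(f"file name contains forbidden character(s): {' '.join(bad)}")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"file name extension {ext!r} is not .zip/.cfg/.txt/.dat/.bat or empty")
    return problems


def check_file_content(text):
    """Walk the file line by line and collect problems without stopping,
    mirroring the device, which reports an error and keeps loading."""
    problems = []
    prev_indent = 0      # indentation of the previous command line
    pending_sep = None   # (line number, indent) of an indented '#' awaiting its block
    for num, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        if body == "#":
            if indent == 0:          # left-aligned '#': back to the system view
                prev_indent, pending_sep = 0, None
            else:                    # indented '#': separator inside a view
                pending_sep = (num, indent)
            continue
        if pending_sep is not None:
            if indent != pending_sep[1]:
                problems.append(f"line {pending_sep[0]}: indented '#' is not aligned "
                                f"with the first command of the next block (line {num})")
            pending_sep = None
        first_word = body.split()[0]
        if first_word in DISALLOWED_COMMANDS or body.startswith("system-view immediately"):
            problems.append(f"line {num}: '{body}' is not a configuration command")
        if indent > prev_indent + 1:
            problems.append(f"line {num}: indented {indent} spaces, but at most "
                            f"{prev_indent + 1} allowed after the previous line")
        prev_indent = indent
    return problems


def validate(name, text):
    """All problems for a candidate file, name rules first."""
    return check_file_name(name) + check_file_content(text)


if __name__ == "__main__":
    for problem in validate("site1.cfg", BAD_CONFIG):
        print(problem)
```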
Usage Scenario
If one of the devices with the same configurations encounters a configuration
change, the configurations of other devices must be changed accordingly to keep
configuration consistency. In this case, you can query the configuration differences
and use the configuration replacement function to paste the differential
configurations to those devices. This ensures that the configurations on all the
devices are the same.
Prerequisites
The system has been configured, and configuration rollback points have been
generated. The list of configuration rollback points can be viewed using the
display configuration commit list [ verbose ] [ number-of-commits | label ]
command.
Procedure
Step 1 View configuration differences.
● View the differential configurations (with the specified tag) between the
configurations in a specified configuration file on the device and the current
running configurations.
– Run the display configuration changes running file file-name with-tag
command to view the current running configurations that are different
from the configurations in the specified configuration file.
– Run the display configuration changes file file-name running with-tag
command to view the specified configuration file's configurations that are
different from the current running configurations.
– Run the display configuration changes running label label with-tag
command to view the current running configurations that are different
from the configurations with a specified tag.
– Run the display configuration changes label label running with-tag
command to view the configurations (with a specified tag) that are
different from the current running configurations.
● View the configuration change information (with the specified tag) recorded
at specified configuration rollback points.
Step 2 Copy the differential configurations and paste them to the local device to replace
the current running configurations of the device.
1. Run system-view
----End
Replacing Characters
This section describes how to replace a character string on a device. This function
supports batch replacement.
Usage Scenario
If a character string or a type of character string on a device does not meet
requirements, perform the following steps to replace the string in batches. This
function replaces only the character strings in the current view.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run replace configuration pattern src-string with target-string
The source character string is replaced with the target character string.
NOTE
The src-string parameter supports regular expressions. You can use a regular expression to
specify a type of source character string.
+ : Matches the preceding element once or more times. Example: 10+ matches 10,
100, 1000, and so on; (10)+ matches 10, 1010, 101010, and so on.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
----End
Networking Requirements
As shown in Figure 1-47, the router is connected to the PC.
To enable services to take effect immediately after they are configured, configure
the services in immediate validation mode.
After you enter a command and press Enter, the system performs a syntax check.
If the check is successful, the configuration immediately takes effect.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need an interface IP address.
Procedure
Step 1 Configure the immediate validation mode.
<HUAWEI> system-view immediately
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
1.1.7.7.2 Example for One User to Configure Services After Another User Locks
Configurations in Two-Phase Validation Mode
This section provides an example for one user to configure services on a router
after another user locks configurations.
Networking Requirements
As shown in Figure 1-48, both user A and user B log in to the router. After user A
locks configurations on the router, user B attempts to configure services on the
router.
Figure 1-48 Networking for one user to configure services after another user locks
configurations in two-phase validation mode
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need an interface IP address.
Procedure
Step 1 Simulate a situation in which user A locks configurations.
<HUAWEI> configuration exclusive
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
#
1.1.7.7.3 Example for Multiple Users to Perform the Same Configuration for a
Service in Two-Phase Validation Mode
This section provides an example for multiple users to perform the same
configuration for a service on one router in two-phase validation mode.
Networking Requirements
As shown in Figure 1-49, both user A and user B log in to the router. After user A
configures a service on the router, user B performs the same configuration for the
service on the router.
Figure 1-49 Networking for multiple users to perform the same configuration for
a service in two-phase validation mode
Configuration Roadmap
The configuration roadmap is as follows:
1. Simulate a situation in which user A and user B perform the same
configuration for a service.
2. Simulate a situation in which user A commits the configuration.
3. Simulate a situation in which user B commits the configuration.
Data Preparation
To complete the configuration, you need an interface IP address.
Procedure
Step 1 Simulate a situation in which user A and user B perform the same configuration
for a service.
● Simulate a situation in which user A sets the IP address of GigabitEthernet
1/0/4 to 10.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24
The system notifies user B that the configuration conflicts with an existing
configuration.
[*HUAWEI-GigabitEthernet1/0/4] commit
ip address 10.1.1.1 24
Error: The address already exists.
Commit canceled, the configuration conflicted with other user, you can modify
the configuration and commit again.
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
Networking Requirements
As shown in Figure 1-50, both user A and user B log in to the router. After user A
configures a service on the router, user B performs a different configuration for
the service on the router. For example, user A and user B configure different IP
addresses on the same interface.
Figure 1-50 Networking for multiple users to perform different configurations for
a service in two-phase validation mode
Configuration Roadmap
The configuration roadmap is as follows:
1. Simulate a situation in which user A and user B perform different
configurations for a service.
2. Simulate a situation in which user A commits the configuration.
3. Simulate a situation in which user B commits the configuration.
Data Preparation
To complete the configuration, you need different interface IP addresses.
Procedure
Step 1 Simulate a situation in which user A and user B perform different configurations
for a service.
● Simulate a situation in which user A sets the IP address of GigabitEthernet
1/0/4 to 10.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.2 255.255.255.0
return
----End
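The two examples above show the two outcomes of two-phase validation when users edit the same interface: an identical address staged by user B is rejected at commit time with "The address already exists", while a different address committed later simply replaces the earlier one. The following added Python model (an illustration written for this section, not NE9000 code) reproduces both outcomes: every user edits a private candidate, changes reach the running configuration only on commit, a rejected candidate stays staged so the user can modify it and commit again, and each commit attempt is recorded in an audit list. The conflict rule (an address already committed anywhere is rejected) and the class and function names are assumptions modelled on the outputs shown above.

```python
class CommitConflict(Exception):
    """Raised when a candidate change collides with the running configuration."""


class TwoPhaseDevice:
    """Model of two-phase validation (an added illustration, not NE9000 code):
    each user edits a private candidate, and changes reach the running
    configuration only on commit. Conflicts are detected at commit time."""

    def __init__(self):
        self.running = {}      # interface -> primary IPv4 address/prefix
        self.candidates = {}   # user -> list of staged (interface, address)
        self.audit = []        # (user, interface, address, result)

    def set_ip(self, user, interface, address):
        """Stage 'ip address' in interface view; nothing changes yet ('*' prompt)."""
        self.candidates.setdefault(user, []).append((interface, address))

    def commit(self, user):
        """Apply the user's candidate. An address that is already committed
        anywhere is rejected with an 'address already exists' error (modelled
        on the output shown above); the candidate is kept so the user can
        modify it and commit again."""
        pending = self.candidates.get(user, [])
        for interface, address in pending:
            if address in self.running.values():
                self.audit.append((user, interface, address, "conflict"))
                raise CommitConflict(
                    f"Error: The address already exists. ({interface} {address})")
        for interface, address in pending:
            self.running[interface] = address
            self.audit.append((user, interface, address, "committed"))
        self.candidates[user] = []
        return dict(self.running)


GE = "GigabitEthernet1/0/4"


def same_configuration_scenario():
    """Example 1.1.7.7.3: A and B stage the same address; A commits first.
    Returns (running address, B's outcome, number of B's still-staged changes)."""
    dev = TwoPhaseDevice()
    dev.set_ip("A", GE, "10.1.1.1/24")
    dev.set_ip("B", GE, "10.1.1.1/24")
    dev.commit("A")
    try:
        dev.commit("B")
        outcome = "committed"
    except CommitConflict:
        outcome = "conflict"
    return dev.running[GE], outcome, len(dev.candidates["B"])


def different_configuration_scenario():
    """Following example: A and B stage different addresses; the later commit
    replaces the primary address, as the final configuration file shows.
    Returns (running address, audit results in order)."""
    dev = TwoPhaseDevice()
    dev.set_ip("A", GE, "10.1.1.1/24")
    dev.set_ip("B", GE, "10.1.1.2/24")
    dev.commit("A")
    dev.commit("B")
    return dev.running[GE], [entry[3] for entry in dev.audit]


if __name__ == "__main__":
    print("same configuration:", same_configuration_scenario())
    print("different configurations:", different_configuration_scenario())
```

The audit list is the part a defender cares about: the device's commit history (display configuration commit list) plays the same role, and a rejected commit is a signal that two operators are editing the same object at once.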
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
Networking Requirements
As shown in Figure 1-51, both user A and user B log in to the router. User A and
user B configure different services on the router.
Figure 1-51 Networking for multiple users to configure different services in two-phase validation mode
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need an interface IP address.
Procedure
Step 1 Simulate a situation in which user A and user B configure different services.
● Simulate a situation in which user A sets the IP address of GigabitEthernet
1/0/4 to 10.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
sftp server enable
#
return
Networking Requirements
As shown in Figure 1-52, a user logs in to the router and configures IP addresses
for interfaces on the router. After the IP addresses are configured, the user
detects an IP address planning error and needs to reconfigure the IP addresses of
the interfaces. Without configuration rollback, the user would have to delete the
IP addresses one by one and reconfigure them.
Interfaces 1 through 4 in this example represent GE 1/0/0, GE 1/0/1, GE 1/0/2, and GE 1/0/3,
respectively.
Precautions
None
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure IP addresses for GE 1/0/0, GE 1/0/1, GE 1/0/2, and GE 1/0/3 on the
router.
<HUAWEI> system-view
[~HUAWEI] interface gigabitethernet 1/0/0
[~HUAWEI-GigabitEthernet1/0/0] ip address 10.0.0.1 30
[*HUAWEI-GigabitEthernet1/0/0] quit
[*HUAWEI] interface gigabitethernet 1/0/1
[*HUAWEI-GigabitEthernet1/0/1] ip address 10.0.1.1 30
[*HUAWEI-GigabitEthernet1/0/1] quit
[*HUAWEI] interface gigabitethernet 1/0/2
[*HUAWEI-GigabitEthernet1/0/2] ip address 10.0.2.1 30
[*HUAWEI-GigabitEthernet1/0/2] quit
[*HUAWEI] interface gigabitethernet 1/0/3
[*HUAWEI-GigabitEthernet1/0/3] ip address 10.0.3.1 30
[*HUAWEI-GigabitEthernet1/0/3] quit
[*HUAWEI] commit description IP address
[~HUAWEI] quit
Step 2 Check information about configuration rollback points and the differences
between the previous and current configurations.
# Display information about configuration rollback points.
<HUAWEI> display configuration commit list verbose
1) CommitId: 1000000006
Label: -
User: root
User-Intf: VTY 1
Type: CLI
TimeStamp: 2012-06-29 15:55:20
Description: IP address
2) CommitId: 1000000005
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 11:04:05
Description:
3) CommitId: 1000000004
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 09:57:34
Description:
4) CommitId: 1000000003
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 09:57:21
Description:
5) CommitId: 1000000002
Label: -
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:
6) CommitId: 1000000001
Label: -
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:
#
interface GigabitEthernet1/0/0
+ ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
+ ip address 10.0.1.1 255.255.255.252
#
interface GigabitEthernet1/0/2
+ ip address 10.0.2.1 255.255.255.252
#
interface GigabitEthernet1/0/3
+ ip address 10.0.3.1 255.255.255.252
#
# Roll system configurations back to what they were before the most recent
configuration rollback point was created.
NOTE
In this example, the rollback configuration last 1 command has the same return result as
the rollback configuration to commit-id 1000000005 command, both indicating that
system configurations are rolled back to what they were before configuration rollback point
6 was generated.
<HUAWEI> rollback configuration last 1
2) CommitId: 1000000006
Label: -
User: root
User-Intf: VTY 1
Type: CLI
TimeStamp: 2012-06-29 15:55:20
Description: IP address
3) CommitId: 1000000005
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 11:04:05
Description:
4) CommitId: 1000000004
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 09:57:34
Description:
5) CommitId: 1000000003
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 09:57:21
Description:
6) CommitId: 1000000002
Label: -
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:
7) CommitId: 1000000001
Label: -
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:
----End
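The commit list and the configuration difference shown above are the evidence an operator has when deciding what a rollback will undo and who made a change. The following added Python example (written for this section, not NE9000 code) parses the display configuration commit list verbose output into records, computes which CommitId rollback configuration last N corresponds to (the NOTE above states that last 1 is equivalent to commit-id 1000000005), flags rollback points that cannot be tied to a named account, and groups the + and - lines of a configuration difference under their enclosing view. The sample texts are constructed from the output shown above, abbreviated to three rollback points and two interfaces; the regular expressions and function names are assumptions.

```python
import re

# Constructed from the 'display configuration commit list verbose' output shown
# above (abbreviated to three rollback points; the device indents the fields).
COMMIT_LIST = """\
1) CommitId: 1000000006
   Label: -
   User: root
   User-Intf: VTY 1
   Type: CLI
   TimeStamp: 2012-06-29 15:55:20
   Description: IP address
2) CommitId: 1000000005
   Label: -
   User: root
   User-Intf: VTY 0
   Type: CLI
   TimeStamp: 2012-06-29 11:04:05
   Description:
3) CommitId: 1000000002
   Label: -
   User: anonymous
   User-Intf: CON 1023
   Type: CLI
   TimeStamp: 2012-06-28 16:31:48
   Description:
"""

# Constructed from the configuration difference shown above (two interfaces,
# with one unchanged context line added to show how context is handled).
CONFIG_DIFF = """\
#
interface GigabitEthernet1/0/0
 + ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
 + ip address 10.0.1.1 255.255.255.252
#
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\)\s*CommitId:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")


def parse_commit_list(text):
    """Return one dict per rollback point, most recent first (device order)."""
    commits, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "CommitId": m.group(2)}
            commits.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return commits


def rollback_target(commits, last_n):
    """CommitId equivalent to 'rollback configuration last N': the state right
    after commits[last_n], i.e. before the N newest rollback points existed."""
    if not 1 <= last_n < len(commits):
        raise ValueError("N must be between 1 and the number of rollback points minus 1")
    return commits[last_n]["CommitId"]


def unattributed_commits(commits):
    """Audit helper: rollback points that cannot be tied to a named account
    (User 'anonymous') or that were made over a console port."""
    return [c["CommitId"] for c in commits
            if c.get("User") == "anonymous" or c.get("User-Intf", "").startswith("CON")]


def parse_config_diff(text):
    """Group '+' (added) and '-' (removed) lines under the view that encloses
    them; '#' closes a view and the first line after it names the next view."""
    changes, view, expect_view = [], None, True
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s == "#":
            view, expect_view = None, True
        elif s[0] in "+-":
            changes.append((view, s[0], s[1:].strip()))
        elif expect_view:
            view, expect_view = s, False
        # any other line is unchanged context inside the current view
    return changes


if __name__ == "__main__":
    history = parse_commit_list(COMMIT_LIST)
    print("rollback last 1 ->", rollback_target(history, 1))
    print("unattributed:", unattributed_commits(history))
    for view, sign, cmd in parse_config_diff(CONFIG_DIFF):
        print(f"{view}: {sign} {cmd}")
```

Run against the full six-entry output above, the same parser yields rollback_target(history, 1) == "1000000005", matching the NOTE; the anonymous console commits are the initial configuration and are expected, but any later anonymous or console entry in a production history deserves a question.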
Configuration Files
None.
Networking Requirements
As shown in Figure 1-53, the user logs in to the device to manage configuration
files.
Precautions
None
Configuration Roadmap
The configuration roadmap is as follows:
1. Modify configurations.
2. Save configurations in a configuration file.
3. Specify the configuration file to be loaded at the next startup.
4. After a system upgrade, compare the current running configurations with
those defined in the configuration file to be loaded at the next startup to
check whether configurations are lost.
Procedure
Step 1 Modify configurations.
For example, enable the SFTP server function.
<HUAWEI> system-view
[~HUAWEI] sftp server enable
[*HUAWEI] commit
[~HUAWEI] quit
Step 4 After a system upgrade, compare the current running configurations with those
defined in the configuration file to be loaded at the next startup to check whether
configurations are lost.
<HUAWEI> compare configuration
The current configuration is the same as the next startup configuration file.
----End
Configuration Files
#
sysname HUAWEI
#
sftp server enable
Context
To manage and configure other devices or operate files on them, access the
devices using Telnet, FTP, TFTP, SCP, STelnet or SFTP from the device that you have
logged in to.
Telnet
Telnet is an application layer protocol in the TCP/IP protocol suite and provides
remote login and virtual terminal services. The NE9000 provides the following
Telnet services:
● Telnet server: A user runs the Telnet client program on a PC to log in to the
device to configure and manage the device. The device functions as a Telnet
server.
● Telnet client: After using the terminal emulator or Telnet client program on a
PC to connect to the device, a user runs the telnet command to log in to
another device for configuration and management. The device functions as a
Telnet client. In Figure 1-55, the CE functions as both a Telnet server and a
Telnet client.
NOTICE
When the number of remote login users reaches the maximum number
of VTY user interfaces, the system prompts subsequent users with a
message, indicating that all user interfaces are in use and no more Telnet
connections are allowed.
FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is
used to transfer files between local clients and remote servers. FTP uses two TCP
connections to copy a file from one system to another. The TCP connections are
usually established in client-server mode, one for control (the server port number
is 21) and the other for data transmission (the server port number is 20).
● Control connection: issues commands from the client to the server and
transmits replies from the server to the client, minimizing the transmission
delay.
● Data connection: transmits data between the client and server, maximizing
the throughput.
FTP has two file transfer modes:
● Binary mode: is used to transfer program files, such as .app, .bin, and .btm
files.
● ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:
● FTP client: Users can use the terminal emulator or the Telnet program to
connect PCs to the device, and run the ftp command to establish a
connection between the device and a remote FTP server to access and
operate files on the server.
● FTP server: Users can use the FTP client program to log in to the device and
operate files on the device.
Before users log in, the network administrator must configure an IP address
for the FTP server.
TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP)
connections. It uses the UDP port number 69 to transfer files between local hosts
and remote servers. Unlike FTP, TFTP is simple, providing no authentication. It is
applicable to scenarios where complicated interactions between clients and the
server are not required.
TFTP supports both binary and ASCII file transfer modes, which are also supported
by FTP.
NOTE
● Currently, the HUAWEI NetEngine9000 supports only the binary mode for TFTP.
● Currently, the HUAWEI NetEngine9000 can function only as a TFTP client but not a TFTP
server.
SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote
users to securely log in to the device to manage and transfer files. On the other
hand, users can use the device functioning as a client to log in to a remote server
and transfer files securely.
If the SFTP server fails or the connection between the server and the client is
interrupted, the client needs to detect the fault promptly and release the
connection proactively. To allow the client to detect such a fault in time,
configure the interval at which Keepalive packets are sent when no packet is
received, and the maximum number of consecutive Keepalive packets the server may
leave unanswered:
● If the client does not receive any packet within the specified interval, it
sends a Keepalive packet to the server.
● If the number of unanswered Keepalive packets exceeds the specified maximum,
the client proactively releases the connection.
Feature Requirements
Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You
cannot connect each device to a terminal. When no reachable route exists
between remote devices and a terminal, you can use Telnet to log in to the
remote devices from the device that you have logged in to.
As shown in Figure 1-57, you can use Telnet on the PC to log in to the Telnet
client. Because the PC does not have a reachable route to the Telnet server, you
cannot remotely manage the Telnet server. To remotely manage the Telnet server,
use Telnet on the Telnet client to log in to the Telnet server.
Figure 1-57 Using Telnet on the Telnet client to log in to the Telnet server
Pre-configuration Tasks
Before using Telnet on the Telnet client to log in to the Telnet server, complete the
following tasks:
● Configure Telnet login.
● Ensure that the route between the Telnet client and server is reachable.
Context
You can assign an IP address to an interface on a device and use this IP address as
the source address to establish a Telnet connection.
Procedure
Step 1 Run system-view
----End
Context
Telnet uses the client/server model to present a user interface that enables a
terminal to remotely log in to a server. You can log in to a device, and then log in
to another device on the network through Telnet to configure and manage the
device. You do not need to connect a hardware terminal to each device.
An IP address can be configured for an interface on the device and specified as the
source IP address of a Telnet connection for security verification.
NOTE
Telnet does not have a secure authentication mode, and transmits data using TCP in
plaintext. This is not safe. On a network with high security requirements, STelnet is
recommended.
Procedure
● Run the following command based on the type of the source IP address.
– The source address is an IPv4 address.
Run the telnet [ -i { interface-type interface-number | interface-name } | [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] ] host-ip-address [ port-number ] command to use Telnet to log in to the Telnet server through an IPv4 address.
– The source address is an IPv6 address.
Run the telnet ipv6 [ -a source-ip6 ] [ public-net | vpn-instance ipv6-vpn-name ] ipv6-address [ -oi { interface-type interface-number | interface-name } ] [ port-number ] command to use Telnet to log in to the Telnet server through an IPv6 address.
----End
Prerequisites
All configurations for logging in to another device are complete.
Procedure
● Run the display tcp status command to check the status of all TCP
connections.
----End
Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You
cannot connect each device to a terminal. When no reachable route exists
between remote devices and a terminal, you can use Telnet to log in to the
remote devices from the device that you have logged in to. Telnet provides no
secure authentication mode, and data is transmitted in plaintext over TCP, which
brings security risks.
Pre-configuration Tasks
Before using STelnet to log in to other devices, configure STelnet login.
1.1.8.4.1 Configuring First Login to the SSH Server (Enabling First Login on the SSH
Client)
After first login is enabled on the SSH client (STelnet client in this case), the client
does not check the validity of the RSA, DSA, or ECC public key for the SSH server
when logging in to the SSH server for the first time.
Context
After first login is enabled on the SSH client (STelnet client in this case), the client
does not check the validity of the RSA, DSA, SM2, or ECC public key for the SSH
server when logging in to the SSH server for the first time. After the first login, the
SSH client automatically saves the RSA, DSA, SM2, or ECC public key for
subsequent login authentication.
If first login is disabled on an SSH client, the client cannot log in to the SSH server,
because the validity check of the RSA, DSA, SM2, or ECC public key will fail. If the
STelnet client needs to log in to the SSH server for the first time, enable first login
or configure the client to assign an RSA, DSA, SM2, or ECC public key to the server
in advance. For details, see Configuring First Login to the SSH Server
(Configuring the SSH Client to Assign the Public Key to the SSH Server).
Perform the following steps on the router that functions as an SSH client:
Procedure
Step 1 Run system-view
----End
Context
If initial authentication is disabled on an SSH client (STelnet client in this case),
the client cannot log in to the SSH server because of a failure to check the validity
of the RSA, DSA, SM2, or ECC public key on the server. As such, the STelnet client
must assign an RSA, DSA, SM2, or ECC public key to the server before logging in
to the SSH server.
The key pair is created on the SSH server. After the public key in the key pair is
transmitted to the STelnet client, the client enters the key and assigns it to the
server, so that the client can successfully perform a validity check on the server.
NOTE
For security purposes, you are advised not to use the RSA algorithm with a key length of
less than 2048 bits. Using RSA_SHA2_256 and RSA_SHA2_512 algorithms for higher security
is recommended.
Procedure
Step 1 Run system-view
Step 2 (Optional) Run ssh client publickey { dsa | ecc | rsa | sm2 | rsa_sha2_256 |
rsa_sha2_512 } *
NOTE
The dsa and rsa parameters in the command indicate weak security algorithms. You are
advised not to use these algorithms. To prevent security risks, run the crypto weak-algorithm disable command to disable the weak security algorithm function.
Step 3 Perform any of the following operations based on the selected public key
algorithm:
● To enter the RSA public key view, run the rsa peer-public-key key-name
command.
● To enter the DSA public key view, run the dsa peer-public-key key-name
encoding-type enc-type command.
● To enter the ECC public key view, run the ecc peer-public-key key-name
command.
● To enter the SM2 public key view, run the sm2 peer-public-key key-name
command.
Step 4 Run public-key-code begin
The public key view is displayed.
Step 5 Enter hex-data to edit the public key.
The public key must be a hexadecimal string complying with the public key
format. It is generated randomly on the SSH server.
NOTE
After you enter the public key view, the RSA, DSA, SM2, or ECC public key generated on the
server is sent to the client. Copy and paste the RSA, DSA, SM2, or ECC public key to the SSH
server.
● Run the ssh client peer server-name assign sm2-key key-name command to
assign an SM2 public key to the SSH server.
Step 9 Run commit
The configuration is committed.
----End
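The two procedures above describe the choice between first login (accepting whatever public key the server presents on the first connection) and assigning the server's public key to the client in advance. What makes the second approach stronger is that the operator can verify the key before pasting it. The following added Python example (written for this section, not NE9000 code, and not the device's own hex format) encodes and decodes an RSA public key in the SSH wire format of RFC 4253, computes the OpenSSH-style SHA256 fingerprint that an operator compares against the value obtained out of band from the server's administrator, and checks the modulus size against the 2048-bit minimum the NOTE recommends. DEMO_E and DEMO_N are constructed values, not a real key (a 64-bit modulus is shown precisely so the size check fails); the function names are assumptions.

```python
import base64
import hashlib
import struct

# Constructed demonstration values, NOT a real key: a 64-bit modulus is far
# below the 2048-bit minimum the NOTE above recommends. Real keys are larger.
DEMO_E = 65537
DEMO_N = 0xD0A4D1F2E3C4B5A6


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' (RFC 4251): minimal big-endian bytes, with a leading zero
    byte when the top bit is set so the value is not read as negative."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public_key(e: int, n: int) -> bytes:
    """Public key blob: string 'ssh-rsa', mpint e, mpint n (RFC 4253 section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(blob: bytes, pos: int):
    if len(blob) < pos + 4:
        raise ValueError("truncated public key")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    start, end = pos + 4, pos + 4 + length
    if len(blob) < end:
        raise ValueError("truncated public key")
    return blob[start:end], end


def decode_rsa_public_key(blob: bytes):
    """Parse a blob back into (algorithm, e, n); reject trailing or missing bytes."""
    alg, pos = _read_string(blob, 0)
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after public key")
    return (alg.decode("ascii"), int.from_bytes(e_bytes, "big"),
            int.from_bytes(n_bytes, "big"))


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_key(hex_data: str, min_bits: int = 2048) -> dict:
    """Take the hex text an operator is about to paste (whitespace tolerated)
    and report algorithm, modulus size, fingerprint and whether the size meets
    the recommended minimum. Compare the fingerprint with the value obtained
    out of band before assigning the key, rather than trusting whatever
    arrives on the first connection."""
    blob = bytes.fromhex("".join(hex_data.split()))
    alg, e, n = decode_rsa_public_key(blob)
    bits = n.bit_length()
    return {"algorithm": alg, "bits": bits, "fingerprint": fingerprint(blob),
            "acceptable": alg == "ssh-rsa" and bits >= min_bits and e > 1}


if __name__ == "__main__":
    demo_hex = encode_rsa_public_key(DEMO_E, DEMO_N).hex()
    print(check_key(demo_hex))
```

The trailing-data check matters in practice: a key pasted with an extra character or a missing line still decodes to some integers, and only a strict parser or a fingerprint mismatch reveals the corruption before the wrong key is assigned to the server.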
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh client keepalive-interval seconds
The interval at which the client sends keepalive packets to the server is configured.
If the client does not receive a response from the server during an interval, the
client sends another keepalive packet to the server. If the server still does not
respond, the client is disconnected from the server.
Step 3 Run ssh client keepalive-maxcount count
The maximum number of keepalive packets that the client sends to the server is
configured.
The interval at which the client sends keepalive packets to the server must be
greater than the maximum number of keepalive packets that the client sends to
the server. For example, if the interval is 0 (no keepalive packet is sent), the
setting of the maximum number of keepalive packets does not take effect.
Step 4 Run commit
The configuration is committed.
----End
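The SFTP keepalive description in the Context earlier and the ssh client keepalive-interval and ssh client keepalive-maxcount steps above define two parameters whose combined effect (how long a dead server goes unnoticed) is easy to misjudge. The following added Python model (written for this section, not NE9000 code) simulates the client side: after a full interval with no packet from the server it sends a keepalive, counts consecutive unanswered keepalives, and releases the connection once the count reaches the configured maximum; any packet from the server resets the timer, and an interval of 0 disables the mechanism entirely, so the count has no effect. The timing model (one idle interval before the first probe, then one interval per unanswered probe) and the function names are assumptions; the device's exact timing may differ.

```python
def detection_time(interval, maxcount):
    """Worst-case seconds from the last packet the client receives until it
    releases the connection, under the model below: one idle interval before
    the first keepalive, then 'maxcount' unanswered keepalives. interval 0
    disables keepalive, so the count has no effect and nothing is detected."""
    if interval == 0:
        return None
    return interval * (maxcount + 1)


def simulate_client(interval, maxcount, server_packet_times, horizon):
    """Event model of the client side (assumed behaviour, not NE9000 code).

    server_packet_times: seconds at which the client receives anything from the
    server (data or a keepalive reply). Returns (release_time, keepalives_sent);
    release_time is None if the connection survives until 'horizon'.
    """
    if interval == 0:
        return None, 0
    arrivals = sorted(server_packet_times)
    last_rx, sent, unanswered = 0, 0, 0
    deadline = last_rx + interval
    while deadline <= horizon:
        fresh = [t for t in arrivals if last_rx < t <= deadline]
        if fresh:                          # server traffic: restart the idle timer
            last_rx, sent, unanswered = fresh[-1], 0, 0
            deadline = last_rx + interval
            continue
        if sent > 0:                       # the previous keepalive went unanswered
            unanswered += 1
            if unanswered >= maxcount:     # too many misses: release proactively
                return deadline, sent
        sent += 1                          # idle for a full interval: send a probe
        deadline += interval
    return None, sent


if __name__ == "__main__":
    # Constructed scenario: the server goes silent after its packet at t=5.
    print("worst-case detection:", detection_time(10, 3), "s")
    print("silent server:", simulate_client(10, 3, [5], 200))
    print("healthy server:", simulate_client(10, 3, list(range(5, 200, 8)), 200))
    print("keepalive disabled:", simulate_client(0, 3, [5], 200))
```

With interval 10 and maxcount 3 the silent server is detected 40 seconds after its last packet; a server that keeps talking never triggers a probe, and with interval 0 the connection is never released regardless of maxcount.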
Context
You can log in to the SSH server from the SSH client without the need of
specifying the listening port number only when the listening port number of the
server is 22. Otherwise, the listening port number must be specified.
Perform the following steps on the device that functions as an SSH client:
Procedure
Step 1 Run system-view
Step 2 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | sm4_cbc } *
NOTE
For security purposes, you are advised to use encryption algorithms AES128_CTR,
AES256_CTR, AES192_CTR, AES128_GCM, and AES256_GCM.
The des_cbc, 3des_cbc, aes128_cbc, aes256_cbc, arcfour128, arcfour256, aes192_cbc, and
sm4_cbc parameters in the command indicate weak security algorithms. You are advised
not to use these algorithms. To prevent security risks, run the crypto weak-algorithm
disable command to disable the weak security algorithm function.
Step 3 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *
NOTE
For security purposes, you are advised to use HMAC algorithms SHA2_256, SHA2_512, and
SM3.
The md5, md5_96, sha1, sha1_96, and sha2_256_96 parameters in the command indicate
weak security algorithms. You are advised not to use these algorithms. To prevent security
risks, run the crypto weak-algorithm disable command to disable the weak security
algorithm function.
NOTE
For security purposes, you are advised to use the key exchange algorithm
DH_group16_SHA512.
The dh_group_exchange_sha1, dh_group1_sha1, and dh_group14_sha1 parameters in the
command indicate weak security algorithms. You are advised not to use these algorithms.
To prevent security risks, run the crypto weak-algorithm disable command to disable the
weak security algorithm function.
Step 6 According to the type of the source IP address, run one of the following
commands in the user or system view:
● If the source address is an IPv4 one:
----End
Prerequisites
The configurations for using STelnet to log in to other devices are complete.
Procedure
● Run the display ssh server-info command to check mappings between SSH
servers and RSA or ECC public keys on the client.
----End
Usage Scenario
In the TCP/IP protocol suite, FTP is most commonly used to transfer files. However,
FTP requires complex interactions between terminals and servers, which are hard to
implement on terminals that do not run advanced operating systems. TFTP is
designed for file transfer that does not require complex interactions between
terminals and servers. It is simple and has low implementation overhead. TFTP can
be used only for simple file transfer without authentication.
Pre-configuration Tasks
Before using TFTP to access other devices, configure user login.
Context
You can assign an IP address to an interface on a TFTP client and use this IP
address as the source address to establish a TFTP connection.
Perform the following steps on the router that functions as a TFTP client:
Procedure
Step 1 Run system-view
----End
Context
An ACL is a set of sequential rules. These rules are described based on source
addresses, destination addresses, and port numbers of packets. ACL rules are used
to filter packets. After ACL rules are applied to a device, the device permits or
denies packets based on the ACL rules.
Multiple rules can be defined for one ACL. ACL rules are classified as interface,
basic, or advanced ACL rules based on their functions.
Perform the following steps on the router that functions as a TFTP client:
Procedure
Step 1 Run system-view
Step 5 Configure ACL to control the TFTP client's access to TFTP servers.
● For IPv4
Run tftp-server acl { acl-number | acl-name } to apply the ACL to the TFTP
client to control its access to TFTP servers.
● For IPv6
Run tftp-server ipv6 acl { acl-number | acl-name } to apply the ACL to the
TFTP client to control its access to TFTP servers.
----End
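The Context above describes an ACL as a sequential rule set that the device walks until a rule matches, and the tftp-server acl step applies such a set to the servers a TFTP client may contact. The following added Python example (written for this section, not NE9000 code) models that first-match evaluation on a constructed rule set, filters a list of candidate TFTP server addresses through it, and lints for a common authoring mistake: a rule placed after a broader rule that already covers its whole range and can therefore never match. The rule set, the addresses, and the default deny for unmatched addresses are assumptions for the example; the last of these should be confirmed against the device's behaviour for the ACL application in question.

```python
import ipaddress

# Constructed rules for a TFTP client ACL (not a real device's ACL): the client
# may reach servers in 10.10.0.0/24 and the host 192.0.2.7, but nothing else
# in 10.10.0.0/16. Rules are evaluated in rule-number order; first match wins.
TFTP_SERVER_ACL = [
    {"rule": 5,  "action": "permit", "address": "10.10.0.0/24"},
    {"rule": 10, "action": "deny",   "address": "10.10.0.0/16"},
    {"rule": 15, "action": "permit", "address": "192.0.2.7/32"},
]


def evaluate_acl(rules, server_ip, default="deny"):
    """Return (action, rule_number) for the first matching rule.

    'default' applies when nothing matches; deny is assumed here for a
    restrictive posture and must be confirmed against the device's own
    behaviour for the ACL application in question.
    """
    addr = ipaddress.ip_address(server_ip)
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if addr in ipaddress.ip_network(rule["address"], strict=False):
            return rule["action"], rule["rule"]
    return default, None


def permitted_servers(rules, candidates):
    """Filter candidate TFTP server addresses down to those the ACL allows."""
    return [ip for ip in candidates if evaluate_acl(rules, ip)[0] == "permit"]


def shadowed_rules(rules):
    """Rule numbers that can never match because an earlier rule already
    covers their whole address range: an ACL authoring mistake worth linting
    for before applying the ACL with tftp-server acl."""
    ordered = sorted(rules, key=lambda r: r["rule"])
    shadowed = []
    for i, rule in enumerate(ordered):
        net = ipaddress.ip_network(rule["address"], strict=False)
        for earlier in ordered[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier["address"], strict=False)):
                shadowed.append(rule["rule"])
                break
    return shadowed


if __name__ == "__main__":
    candidates = ["10.10.0.9", "10.10.1.9", "192.0.2.7", "198.51.100.1"]
    for ip in candidates:
        print(ip, "->", evaluate_acl(TFTP_SERVER_ACL, ip))
    print("permitted:", permitted_servers(TFTP_SERVER_ACL, candidates))
    # Same rules, but the /24 permit renumbered after the /16 deny: now shadowed.
    misordered = [dict(r, rule=20) if r["rule"] == 5 else r for r in TFTP_SERVER_ACL]
    print("shadowed in misordered ACL:", shadowed_rules(misordered))
```

Renumbering the /24 permit after the /16 deny silently turns the intended exception into dead configuration; the lint catches it, and evaluate_acl shows the practical effect (10.10.0.9 is denied by rule 10).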
Context
A virtual private network (VPN) is connected to remote devices or terminals over
the Internet. After a TFTP session is established, you can specify vpn-instance-name in the tftp command to connect to a remote TFTP server.
To download a file, the TFTP client sends a read request to the TFTP server. After
receiving data, the TFTP client sends an acknowledgement message to the server.
Perform one of the following operations based on the IP address type of the
server:
Procedure
● Run tftp [ -a source-ip-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name | public-net ] get source-filename [ destination-filename ]
----End
Context
To upload a file, the TFTP client sends a write request to the TFTP server. After
receiving data, the TFTP client sends an acknowledgment to the server.
Perform one of the following operations based on the IP address type of the
server:
Procedure
● Run tftp [ -a source-ip-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
----End
Prerequisites
The configurations for using TFTP to access other devices are complete.
Procedure
● Run the display tftp-client command to check the source address of the TFTP
client.
● Run the display acl { acl-number | all } command to check ACL rules
configured on the TFTP client.
----End
Usage Scenario
To transfer files with a remote FTP server or manage directories of the server,
configure a device as an FTP client and use FTP to access the FTP server.
Pre-configuration Tasks
Before using FTP to access other devices, configure the FTP server, including:
1. Configure a local FTP user.
2. (Optional) Specify a listening port number for the FTP server.
3. Enable the FTP server function.
4. (Optional) Configure FTP server parameters.
5. (Optional) Configure FTP access control.
Context
You can assign an IP address to an interface on an FTP client and use this IP
address as the source address to establish an FTP connection.
Perform the following steps on the router that functions as an FTP client:
Procedure
Step 1 Run system-view
After configuring a source address for an FTP client, run the display ftp-users
command on the FTP server to check that the source address of the FTP client
displayed in the command output is the same as the configured one.
Step 3 Run commit
The configuration is committed.
----End
Context
Commands can be run in the user or FTP client view to establish connections to
remote FTP servers.
NOTE
● If the ftp command without any parameters is used in the user view to establish a
control connection to an FTP server, the FTP client view is displayed but the connection
is not established.
● When you run the ftp command in the user view or the open command in the FTP client view to
establish a control connection to a remote FTP server using the default listening port
number of the FTP server, you do not need to specify a listening port number in the
command. Otherwise, you must specify a listening port number in the command.
● Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After a default VPN instance is
configured, it will be used for FTP operations.
Perform either of the following operations on the FTP client based on the type of
the server's IP address:
Procedure
● If the server has an IPv4 address, use commands described in Table 1-37 to
connect the client to other devices.
Table 1-37 Using FTP commands to connect the FTP client to other devices
View Operation
● If the server has an IPv6 address, use commands described in Table 1-38 to
connect the client to other devices.
Table 1-38 Using FTP commands to connect the FTP client to other devices
View Operation
----End
Procedure
Step 1 Perform either of the following steps on the client, based on the type of the
server's IP address:
● Run the ftp [ [ -a source-ip-address | -i { interface-type interface-number | interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] | public-net ] command to configure the device to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
● Run the ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number | interface-name } ] [ port-number ] command to configure the device to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.
Managing files: Configuring the file type
● Run the ascii command to set the file type to ASCII.
● Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used.
----End
Context
After you log in to an FTP server from a device functioning as an FTP client, you
can use another user name to log in to the server. Changing a login user role does
not affect the current FTP connection. That is, FTP control and data connections
and the connection status do not change.
If you entered an incorrect user name or password, the current FTP connection is
ended. To log in to the server again, you must enter a correct user name and
password.
NOTE
After logging in to the HUAWEI NetEngine9000, you can log in to the FTP server by using
another user name without logging out of the FTP client view. The established FTP
connection is identical with that established by running the ftp command.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of the
server's IP address:
● Run the ftp [ [ -a source-ip-address | -i { interface-type interface-number | interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] | public-net ] command to configure the device to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
● Run the ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number | interface-name } ] [ port-number ] command to configure the device to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.
Step 2 Run user user-name
The login user role is changed.
After the login user role is changed, the connection between the original user role
and the FTP server is ended.
NOTE
Only FTP users at Level 3 or higher can run the user user-name command to change the
user role and log in to the FTP server.
----End
Context
After the number of users logging in to an FTP server reaches the upper limit, no
more authorized users can log in. To allow authorized users to log in to the FTP
server, end idle connections to the FTP server.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of the
server's IP address:
● Run the ftp [ [ -a source-ip-address | -i { interface-type interface-number |
interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-
Step 2 Perform either of the following operations as needed to end an FTP connection.
● Run the bye/quit command to end the connection to the FTP server and
return to the user view.
● Run the close/disconnect command to end both the connection to the FTP
server and the FTP session and remain in the FTP client view.
----End
Prerequisites
The configurations of accessing other devices by using FTP are complete.
Procedure
● Run the display ftp-client command to check the source address of the FTP
client.
● Run the display ftp server ip auth-fail information command to check
information about the IP addresses of all the clients that fail to pass
authentication.
● Run the display ftp server ip-block list command to check information
about the locked IP addresses of all the clients that fail to pass
authentication.
----End
Usage Scenario
Based on SSH, SFTP ensures that users log in to a remote device securely to
manage and transfer files, enhancing secure file transfer. Because the device can
function as an SFTP client, you can log in to a remote SSH server from the device
to transfer files securely.
Pre-configuration Tasks
Before using SFTP to access other devices, complete the following tasks:
1. Configure an SSH user and specify a service type.
2. Enable the SFTP server function.
3. (Optional) Configure SFTP server parameters.
Context
You can assign an IP address to an interface on the SFTP client and use this IP
address as the source address to establish an SFTP connection.
The source address for an SFTP client can be either a source interface or a source
IP address.
Perform the following steps on the device functioning as an SFTP client:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure an SFTP source IP address or source interface as required.
● In IPv4 scenarios, run the sftp client-source -a source-ip-address { public-net
| -vpn-instance ipv6-vpn-instance-name } } or sftp client-source -i
{ interface-type interface-number | interface-name } command.
● In IPv6 scenarios, run the sftp ipv6 client-source -a source-ipv6-address [ -
vpn-instance ipv6-vpn-instance-name ] command.
Step 3 Run commit
The configuration is committed.
----End
1.1.8.7.2 Configuring First Login to the SSH Server (Enabling First Login on the SSH Client)
After first login is enabled on an SSH client (SFTP client in this case), the client
does not check the validity of the RSA, DSA, SM2 or ECC public key for the SSH
server when logging in to the SSH server for the first time.
Context
After the first login, the SSH client automatically saves the RSA, DSA, SM2 or ECC
public key for subsequent login authentication.
Perform the following steps on the device that functions as an SSH client:
Procedure
Step 1 Run system-view
----End
1.1.8.7.3 Configuring First Login to the SSH Server (Configuring the SSH Client to Assign the Public Key to the SSH Server)
To allow an SSH client with initial authentication disabled to successfully log in to
an SSH server for the first time, configure the SSH client to assign an RSA, DSA,
SM2 or ECC public key to the SSH server before the login.
Context
If initial authentication is disabled on the SSH client, the client cannot log in to
the SSH server, because the validity check of the RSA, DSA, SM2 or ECC public key
will fail. An RSA, DSA, SM2 or ECC public key needs to be assigned to the server
before the SSH client logs in to the server.
NOTE
For security purposes, do not use RSA keys whose length is less than 2048 bits. You are
advised to use RSA_SHA2_256 and RSA_SHA2_512 instead.
Procedure
Step 1 Run system-view
Step 2 (Optional) Run ssh client publickey { dsa | ecc | rsa | sm2 | rsa_sha2_256 |
rsa_sha2_512 } *
NOTE
The dsa and rsa parameters in the command indicate weak security algorithms. You are
advised not to use these algorithms. To prevent security risks, run the crypto weak-
algorithm disable command to disable the weak security algorithm function.
Step 3 Perform any of the following operations based on the selected public key
algorithm:
● To enter the RSA public key view, run the rsa peer-public-key key-name
command.
● To enter the DSA public key view, run the dsa peer-public-key key-name
encoding-type enc-type command.
● To enter the ECC public key view, run the ecc peer-public-key key-name
command.
● To enter the SM2 public key view, run the sm2 peer-public-key key-name
command.
Step 4 Run public-key-code begin
The public key view is displayed.
Step 5 Enter hex-data to edit the public key.
The public key must be a hexadecimal string complying with the public key
format. It is generated randomly on the SSH server.
NOTE
After you enter the public key view, the RSA, DSA, SM2, or ECC public key generated on the
server is sent to the client. Copy and paste the RSA, DSA, SM2, or ECC public key to the SSH
server.
● Run the ssh client peer server-name assign sm2-key key-name command to
assign an SM2 public key to the SSH server.
Step 9 Run commit
The configuration is committed.
----End
Context
The command used for the SFTP client is similar to the command used for the
STelnet client. Both commands can carry the source address, key exchange
algorithm, encryption algorithm and HMAC algorithm.
Perform the following steps on the device that functions as an SSH client:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | sm4_cbc } *
An encryption algorithm is configured for the SSH client.
NOTE
For security purposes, you are advised to use encryption algorithms AES128_CTR,
AES256_CTR, AES192_CTR, AES128_GCM, and AES256_GCM.
The des_cbc, 3des_cbc, aes128_cbc, aes256_cbc, arcfour128, arcfour256, aes192_cbc, and
sm4_cbc parameters in the command indicate weak security algorithms. You are advised
not to use these algorithms. To prevent security risks, run the crypto weak-algorithm
disable command to disable the weak security algorithm function.
Step 3 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *
An HMAC authentication algorithm is configured for the SSH client.
NOTE
For security purposes, you are advised to use HMAC algorithms SHA2_256, SHA2_512, and
SM3.
The md5, md5_96, sha1, sha1_96, and sha2_256_96 parameters in the command indicate
weak security algorithms. You are advised not to use these algorithms. To prevent security
risks, run the crypto weak-algorithm disable command to disable the weak security
algorithm function.
NOTE
For security purposes, you are advised to use the key exchange algorithm
DH_group16_SHA512.
The dh_group_exchange_sha1, dh_group1_sha1, and dh_group14_sha1 parameters in the
command indicate weak security algorithms. You are advised not to use these algorithms.
To prevent security risks, run the crypto weak-algorithm disable command to disable the
weak security algorithm function.
For IPv4:
For IPv6:
----End
Context
After logging in to the SSH server from the SFTP client, you can perform the
following operations on the SFTP client:
● Create and delete directories of the SSH server; view the current working
directory; view files in a directory and the list of sub-directories.
Perform the following steps on the router that functions as an SSH client:
Procedure
Step 1 Run system-view
For IPv4:
For IPv6:
----End
Follow-up Procedure
There is a limit to the maximum number of SFTP clients that can connect to the
SFTP server at the same time. Therefore, after performing the desired operations
on the SFTP server, disconnect the SFTP client from the SFTP server so that other
users can access the SFTP server.
You can run the bye, exit, or quit command in the SFTP client view to disconnect
the SFTP client from the SFTP server.
Prerequisites
The configurations of using SFTP to access other devices are complete.
Procedure
● Run the display sftp-client command to check the source address of the
SFTP client.
● Run the display ssh server-info command to check mappings between SSH
servers and RSA public keys on the client.
----End
1.1.8.8 Configuring the SFTP Client to Use the One-click File Operation Command to Perform File Operations
The device functions as an SFTP client and uses the one-click file operation
command to upload files from the SFTP client to the SFTP server or download files
from the SFTP server to the SFTP client.
Prerequisites
The SFTP server has been configured, and the SFTP client and server have
reachable routes to each other.
Procedure
Step 1 Run the system-view command
The system view is displayed.
Step 2 Run the ssh client first-time enable command
First-time authentication is enabled on the SSH client.
command to connect to the SFTP server in IPv6 mode and download files
from the SFTP server to the SFTP client or upload files from the SFTP client to
the SFTP server.
----End
Usage Scenario
SCP is a secure file transfer method based on SSH2.0 that supports file upload or
download in batches.
Pre-configuration Tasks
Before using SCP to access other devices, ensure that the route between the SCP
client and server is reachable.
Context
SCP is a secure file transfer method based on SSH2.0. To use SCP to access other
devices, configure user interfaces to support SSH.
Procedure
Step 1 Configure VTY user interfaces to support SSH (for details, see Configuring VTY
User Interfaces to Support SSH).
Step 2 Configure an SSH user (for details, see Configuring an SSH User and Specifying
a Service Type).
Step 4 (Optional) Run the ssh server dh-exchange min-len min-len command to
configure the minimum key length supported during diffie-hellman-group-
exchange key exchange with the SSH client.
NOTE
If the SSH client supports the diffie-hellman-group-exchange key exchange algorithm with
a length greater than 1024 bits, you are advised to run the ssh server dh-exchange min-
len command to set the minimum key length to 3072 bits to improve security.
----End
Procedure
Step 1 Run system-view
Step 3 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | sm4_cbc } *
NOTE
For security purposes, you are advised to use secure algorithms such as AES128_CTR,
AES256_CTR, AES192_CTR, AES128_GCM, and AES256_GCM.
Step 4 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *
NOTE
For security purposes, you are advised to use secure algorithms such as SHA2_256,
SHA2_512, SM3.
Step 5 Run either of the following operations based on the network protocol to upload
files to or download files from the SCP server.
● On an IPv4 network:
Run the scp [ -a source-ip-address ] [ -force-receive-pubkey ] [ -port port-
number | public-net | vpn-instance vpn-instance-name | identity-key
identity-key-type | user-identity-key user-key | -r | -c | -cipher cipher | -
prefer-kex prefer-kex ] * source-filename destination-filename or scp { -i
interface-name | interface-type interface-number } [ -force-receive-pubkey ]
[ -port port-number | identity-key identity-key-type | user-identity-key user-
key | -r | -c | -cipher cipher| -prefer-kex prefer-kex ] * source-filename
destination-filename command.
● On an IPv6 network:
Run the scp ipv6 [ [ vpn-instance vpn-instance-name ] | public-net ] [ -
force-receive-pubkey ] [ [ -port server-port ] | [ identity-key identity-key-
type ] | [ user-identity-key user-key ] | [ [ -a source-ipv6-address ] | [ -oi
{ interface-name | interface-type interface-number } ] ] | -r | -c | [ -cipher
cipher ] | [ -prefer-kex prefer-kex } ] ] * source-filename destination-filename
command.
NOTE
For security purposes, do not use the RSA algorithm whose modulus bit value is less than
2048 for the SSH user. You are advised to use the ECC authentication algorithm instead.
----End
Prerequisites
The configurations for using SCP to access other devices are complete.
Procedure
● Run the display scp-client command to check the source IP address of the
SCP client.
● Run the display ssh server-info command to check mappings between SSH
servers and RSA public keys on the client.
----End
Context
During authentication between the client and server, an encryption algorithm list
is provided for SSL algorithm negotiation. For a system with high security
requirements, you can use encryption algorithms that are more secure to enhance
system security.
Procedure
Step 1 Run system-view
The system view is displayed.
An SSL cipher suite is created, and the SSL cipher suite view is displayed.
NOTE
----End
Context
Some traditional protocols, such as syslog, do not have security mechanisms. They
transmit data in clear text, cannot authenticate communicating devices or prevent
transmitted data from being tampered with, exposing data transmission to
security risks. SSL provides data encryption, identity authentication, and message
integrity check to ensure the security of TCP-based application layer protocols.
Procedure
Deploy an SSL policy in the SSL policy view:
After a device configured with TLS 1.0 is upgraded to a version that does not support
configuration of TLS 1.0, the minimum version supported by the SSL policy is still TLS
1.0. You can run the ssl minimum version { tls1.1 | tls1.2 | tls1.3 } command to
reconfigure the minimum version for the SSL policy. This process is irreversible.
After a device which is not configured with the ssl minimum version command is
upgraded to the current version, the minimum version supported by the SSL policy is
TLS 1.1. The default minimum version is TLS 1.2. You can run the ssl minimum
version { tls1.1 | tls1.2 | tls1.3 } command to reconfigure the minimum version for
the SSL policy.
5. (Optional) Run the ssl verify { basic-constrain | key-usage | version { cert-
version3 | crl-version2 } } enable command to enable certificate verification.
6. (Optional) Run the ssl verify certificate-chain minimum-path-length path-
length command to configure the minimum path length for the digital
certificate chain.
7. (Optional) Run the signature algorithm-list { ecdsa-secp256r1-sha256 |
ecdsa-secp384r1-sha384 | ecdsa-secp521r1-sha512 | ed25519 | ed448 | rsa-
pss-pss-sha256 | rsa-pss-pss-sha384 | rsa-pss-pss-sha512 | rsa-pss-rsae-
sha256 | rsa-pss-rsae-sha384 | rsa-pss-rsae-sha512 | rsa-pkcs1-sha256 |
rsa-pkcs1-sha384 | rsa-pkcs1-sha512 | ecdsa-sha1 | ecdsa-sha224 | rsa-sha1
| rsa-sha224 | dsa-sha1 | dsa-sha224 | dsa-sha256 | dsa-sha384 | dsa-
sha512 } * command to configure a signature algorithm for SSL handshake.
NOTE
After the upgrade, fewer signature algorithms are supported by default. As a result,
SSL handshake may fail due to signature algorithm mismatch. To prevent this
problem, you can run this command to adjust the supported signature algorithms.
8. (Optional) Run the pki-domain pki-domain command to bind a PKI domain
to the SSL policy.
NOTE
● After a PKI domain is bound to an SSL policy, the SSL policy uses the certificates
and certificate revocation list (CRL) in the PKI domain.
● In addition to loading and revoking certificates using PKI, you can also perform the
following steps to manually load and revoke certificates.
9. (Optional) Run the certificate load command to load a digital certificate.
Currently, the PEM and PFX certificates and the PEM certificate chain are
supported. Load a digital certificate or certificate chain as needed.
– Run the certificate load pem-cert certFile key-pair { dsa | rsa } key-file
keyFile auth-code [ cipher authCode ] command to load a PEM
certificate for the SSL policy.
– Run the certificate load pfx-cert certFile key-pair { dsa | rsa } mac or
certificate load pfx-cert certFile key-pair { dsa | rsa } { mac cipher
mac-code | key-file keyFile } auth-code cipher authCode command to
load a PFX certificate for the SSL policy.
– Run the certificate load pem-chain certFile key-pair { dsa | rsa } key-
file keyFile auth-code [ cipher authCode ] command to load a certificate
chain in PEM format for the SSL policy.
NOTE
Loading a digital certificate is optional for a device but mandatory for an NMS.
10. (Optional) Run the crl load crlType crlFile command to load a digital CRL.
A maximum of two CRL files can be loaded to an SSL policy.
11. Run the trusted-ca load command to load a trusted-CA file. A maximum of
four trusted-CA files can be loaded for an SSL policy.
– Run the trusted-ca load pem-ca caFile command to load a trusted-CA
file in PEM format for the SSL policy.
– Run the trusted-ca load asn1-ca caFile command to load a trusted-CA
file in ASN1 format for the SSL policy.
– Run the trusted-ca load pfx-ca caFile auth-code [ cipher authCode ]
command to load a trusted-CA file in PFX format for the SSL policy.
12. (Optional) Run the binding cipher-suite-customization customization-name
command to bind a cipher suite to the SSL policy. Before binding a cipher
suite to an SSL policy, ensure that the cipher suite has been configured for the
SSL policy. For details, see 1.1.8.10 Configuring an SSL Cipher Suite.
13. (Optional) Run the cipher-suite exclude key-exchange rsa command to
exclude the RSA key exchange algorithm from the SSL policy cipher suite.
NOTE
The RSA key exchange algorithm is not recommended on networks that have high
security requirements because this algorithm is not secure.
14. (Optional) Run the cipher-suite exclude cipher mode cbc command to
exclude CBC encryption algorithms from the SSL policy cipher suite.
NOTE
The CBC encryption algorithm is not recommended for networks that have high
security requirements because this algorithm is not secure.
15. (Optional) Run the cipher-suite exclude hmac sha1 command to exclude the
SHA1 digest algorithm from the SSL cipher suite.
NOTE
The SHA1 digest algorithm is not recommended for networks that have high security
requirements because this algorithm is not secure.
16. (Optional) Run the diffie-hellman modulus modulus-val command to
configure the modulus of the Diffie-Hellman key exchange algorithm.
NOTE
After the upgrade, the default modulus length of the Diffie-Hellman key exchange
algorithm increases. As a result, SSL handshake may fail if the modulus length is too
long. To prevent this problem, you can run this command to adjust the modulus
length.
17. Run the quit command to return to the system view.
18. (Optional) Run the ssl certificate alarm-threshold early-alarm time check-
interval check-period command to configure the certificate expiration alarm
threshold and check interval.
19. Run the bind ssl-policy command in a service view to bind the SSL policy.
a. Dual-device backup service
Run the remote-backup-service service-name command to enter the
RBS view.
Run the bind ssl-policy ssl-policy-name command to bind an SSL policy.
NOTE
After a PKI domain is bound to an SSL policy, the SSL policy uses the certificates and
CRL in the PKI domain.
6. Run the commit command to commit the configuration.
Context
To download a certificate from an HTTP server, use HTTP. HTTP transfers web
page information on the Internet.
NOTE
Pre-configuration Tasks
Before logging in to a device using HTTP, complete the following tasks:
● Configure an SSL policy for the HTTP server.
● Check that the terminal and device are routable to each other.
Procedure
● Configure an SSL policy for the HTTP client.
a. Run system-view
The system view is displayed.
b. Run ssl policy policy-name
An SSL policy is configured, and the SSL policy view is displayed.
c. Run certificate load
A certificate is loaded for the SSL policy. On the HTTP client, a certificate
or certificate chain needs to be loaded for the SSL policy according to the
format of the certificate loaded to the HTTP server.
▪ To load a certificate in the PEM format for the SSL policy, run the
certificate load pem-cert certFile key-pair { dsa | rsa } key-file
keyFile auth-code [ cipher authCode ] command.
▪ To load a certificate in the PFX format for the SSL policy, run the
certificate load pfx-cert certFile key-pair { dsa | rsa } mac or
certificate load pfx-cert certFile key-pair { dsa | rsa } { mac cipher
mac-code | key-file keyFile } auth-code cipher authCode command.
▪ To load a certificate chain in the PEM format for the SSL policy, run
the certificate load pem-chain certFile key-pair { dsa | rsa } key-
file keyFile auth-code [ cipher authCode ] command.
▪ To load a trusted-CA file in the PEM format for the SSL policy, run
the trusted-ca load pem-ca caFile command.
▪ To load a trusted-CA file in the ASN1 format for the SSL policy, run
the trusted-ca load asn1-ca caFile command.
▪ To load a trusted-CA file in the PFX format for the SSL policy, run the
trusted-ca load pfx-ca caFile auth-code [ cipher authCode ]
command.
e. Run commit
----End
Context
A device can send multiple types of protocol packets, such as NETCONF, Telnet,
and SSH packets. You can run the host-packet type command to uniformly
configure a DSCP value for the protocol packets. If a large number of protocol
packets with the same DSCP value are sent, network congestion may occur. To
address this issue, configure different DSCP values for the packets.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run one or more of the following commands based on the service type and
protocol packet type:
1. Run ssh client dscp value
A DSCP value is configured for the SSH packets sent by a client.
2. Run telnet client dscp value
A DSCP value is configured for the Telnet packets sent by a client.
3. Run ssh server dscp value
A DSCP value is configured for the SSH packets sent by a server.
4. Run telnet server dscp value
A DSCP value is configured for the Telnet packets sent by a server.
Step 3 Run commit
The configuration is committed.
----End
Example
Run the display current-configuration command to check the configured DSCP
value.
<HUAWEI> system-view
[~HUAWEI] display current-configuration include-default | include dscp
Info: It will take a long time if the content you search is too much or the string you input is too long, you
can press CTRL_C to break.
telnet server dscp 10
telnet client dscp 10
ssh server dscp 10
ssh client dscp 10
Networking Requirements
NOTE
between a remote device and a terminal, you can use Telnet to log in to the
remote device for management and maintenance.
As shown in Figure 1-59, you can use Telnet on the PC to log in to P1 but cannot
directly use Telnet to log in to P2. P1 and P2 are routable to each other. To
remotely manage and configure P2, use Telnet on P1 to log in to P2.
Precautions
● P1 and P2 must be routable to each other.
● To log in to P2 from P1 through Telnet, ensure that you can successfully log in
to P1.
● In insecure network environments, you are advised to use a secure protocol.
1.1.8.14.4 Example for Using STelnet to Log In to Other Devices (ECC
Authentication Mode) provides examples for secure protocols.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode and password on P2.
2. Use Telnet on P1 to log in to P2.
Data Preparation
To complete the configuration, you need the following data:
● Host address of P2: 2.1.1.1
● User authentication mode AAA, username huawei, and password
YsHsjx_202206
Procedure
Step 1 Configure the Telnet authentication mode and password on P2.
<HUAWEI> system-view
[~HUAWEI] sysname P2
[*HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode aaa
[*P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit
[~P2] aaa
[*P2-aaa] local-user huawei password cipher YsHsjx_202206
NOTE
----End
Configuration Files
● P1 configuration file
#
sysname P1
#
interface gigabitethernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
admin
return
● P2 configuration file
#
sysname P2
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
aaa
local-user huawei password irreversible-cipher $1c$]zV2B\j!z:$hRujV[%/IE|0MwBQ}5sAX(RdE[oj#5otqG6=@>KK$
local-user huawei service-type telnet
local-user huawei level 3
#
interface gigabitethernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
authentication-mode aaa
acl 2000 inbound
#
return
Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You
cannot connect each device to a terminal. When no reachable route exists
between remote devices and a terminal, you can use Telnet to log in to the
remote devices from the device that you have logged in to. Telnet provides no
secure authentication mode, and data is transmitted in simple mode over TCP,
which brings security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides
encryption and authentication and protects devices against attacks, such as IP
spoofing. As shown in Figure 1-60, after the STelnet server function is enabled on
the SSH server, the STelnet client can log in to the SSH server in password, ECC,
password-ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2,
x509v3-ssh-rsa, password-x509v3-rsa or all authentication mode.
Precautions
Client001 and client002 are configured to log in to the SSH server in password and
RSA authentication modes, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind
client002 to the RSA public key of the SSH server to authenticate the client
when the client attempts to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Use STelnet on client001 and client002 to log in to the SSH server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
NOTE
SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.
NOTE
▪ Double quotation marks cannot contain double quotation marks if spaces are
used in a password.
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key
======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-public-key-rsa-key-code] 308188
[*SSH Server-rsa-public-key-rsa-key-code] 028180
[*SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[*SSH Server-rsa-public-key-rsa-key-code] 0203
[*SSH Server-rsa-public-key-rsa-key-code] 010001
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server] commit
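The hex key code pasted into the peer-public-key view (the hex-data entered after public-key-code begin) is a PKCS#1 RSAPublicKey, a DER SEQUENCE holding the modulus and exponent INTEGERs, as its leading bytes 30 .. 02 .. show. The following added example (not from the guide) decodes the two key codes printed in the transcript above and reports the modulus length, which is how a key below the 2048-bit minimum the NOTE recommends can be caught before it is trusted on the server.

```python
"""Decode the hex key code shown in a peer-public-key view and report the
RSA modulus length. Added example, not part of the configuration guide."""

from typing import Dict, List, Tuple

# Key codes copied from the transcript above: the client key rsakey001 and
# the SSH server's own key, as printed by the device.
CLIENT_KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
"""

SERVER_KEY_CODE = """
3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001
"""

MIN_RSA_BITS = 2048  # minimum RSA length the guide's NOTE recommends


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form lengths (e.g. 0x67) and long-form lengths (0x81 xx,
    0x82 xx xx), both of which occur in the key codes above."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 2:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("key code truncated")
    return tag, value, pos + length


def parse_rsa_key_code(hex_text: str) -> Dict[str, int]:
    """Parse a key code (SEQUENCE { INTEGER modulus, INTEGER exponent })
    and return the modulus bit length and the public exponent."""
    raw = bytes.fromhex("".join(hex_text.split()))
    tag, body, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs in the SEQUENCE")
    # DER pads a positive INTEGER with 0x00 when its high bit is set; strip it
    # so the bit length reflects the modulus itself.
    modulus = int.from_bytes(n_bytes.lstrip(b"\x00"), "big")
    exponent = int.from_bytes(e_bytes.lstrip(b"\x00"), "big")
    return {"modulus_bits": modulus.bit_length(), "exponent": exponent}


def check_key_code(hex_text: str, min_bits: int = MIN_RSA_BITS) -> List[str]:
    """Return findings for a key code; an empty list means it meets the minimum."""
    info = parse_rsa_key_code(hex_text)
    findings = []
    if info["modulus_bits"] < min_bits:
        findings.append(f"RSA modulus is {info['modulus_bits']} bits, "
                        f"below the {min_bits}-bit minimum")
    if info["exponent"] < 3 or info["exponent"] % 2 == 0:
        findings.append(f"unusual public exponent {info['exponent']}")
    return findings


if __name__ == "__main__":
    for name, code in (("rsakey001", CLIENT_KEY_CODE), ("server", SERVER_KEY_CODE)):
        print(name, parse_rsa_key_code(code), check_key_code(code) or "OK")
```

Both keys in the transcript decode to well below 2048 bits (1024 and 768), so a check like this would reject them under the guide's own recommendation.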
If the login succeeds, the user view is displayed. If the login fails, the message
Session is disconnected is displayed.
Step 8 Verify the configuration.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
User-public-key-type : -
Sftp-directory :-
Service-type : stelnet
----------------------------------------------------
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh authorization-type default root
ssh user client002 service-type stelnet
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
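The NOTEs in the SFTP and SCP client sections list the cipher, HMAC and key exchange algorithms the guide treats as weak, recommend ECC over RSA and DSA user authentication, and state a TLS 1.2 default minimum for SSL policies. The following added example (not from the guide) turns those lists into an audit of a configuration file in the form shown above. The sample configuration is constructed from the SSH server configuration file above with a weak cipher, a weak HMAC and an SSL policy added; the "ssh server hmac" line and the indented SSL policy layout are assumed, not taken from the guide.

```python
"""Audit a configuration file for the weak SSH and SSL settings the guide's
NOTEs warn about. Added example, not part of the configuration guide."""

import re
from typing import List

# Algorithms the guide's NOTEs mark as weak.
WEAK_CIPHERS = {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc",
                "aes256_cbc", "arcfour128", "arcfour256", "sm4_cbc"}
WEAK_HMACS = {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"}
WEAK_KEX = {"dh_group_exchange_sha1", "dh_group1_sha1", "dh_group14_sha1"}
# The guide flags dsa and rsa as weak public-key algorithms and recommends ECC.
WEAK_USER_AUTH = {"dsa", "rsa", "password-dsa", "password-rsa"}
TLS_MIN_DEFAULT = "tls1.2"  # default SSL policy minimum version per the guide

# Constructed sample: the SSH server configuration file above plus a weak
# cipher, an assumed "ssh server hmac" line and an assumed SSL policy block.
SAMPLE_CONFIG = """\
#
 sysname SSH Server
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.0.0
#
 stelnet server enable
 ssh server-source -i GigabitEthernet0/0/0
 ssh user client001
 ssh user client001 authentication-type password
 ssh user client001 service-type stelnet
 ssh user client002
 ssh user client002 assign rsa-key rsakey001
 ssh user client002 authentication-type rsa
 ssh authorization-type default root
 ssh user client002 service-type stelnet
#
 ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr 3des_cbc
 ssh server hmac sha2_256 sha1
#
ssl policy syslog_policy
 ssl minimum version tls1.1
#
user-interface vty 0 4
 authentication-mode aaa
#
return
"""

ALG_LINE = re.compile(r"^ssh (client|server) (cipher|hmac|key-exchange) (.+)$")
USER_AUTH = re.compile(r"^ssh user (\S+) authentication-type (\S+)$")
SSL_MIN = re.compile(r"^ssl minimum version (tls1\.\d)$")
WEAK_BY_KIND = {"cipher": WEAK_CIPHERS, "hmac": WEAK_HMACS, "key-exchange": WEAK_KEX}


def parse_blocks(config: str) -> List[List[str]]:
    """Split the configuration into '#'-delimited blocks of stripped lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_config(config: str) -> List[str]:
    """Return one finding per weak or missing hardening setting."""
    findings = []
    blocks = parse_blocks(config)
    if not any("crypto weak-algorithm disable" in b for b in blocks):
        findings.append("crypto weak-algorithm disable is not configured")
    for block in blocks:
        for line in block:
            m = ALG_LINE.match(line)
            if m:
                side, kind, algs = m.groups()
                for alg in sorted(set(algs.split()) & WEAK_BY_KIND[kind]):
                    findings.append(f"ssh {side} {kind}: weak algorithm {alg}")
                continue
            m = USER_AUTH.match(line)
            if m and m.group(2) in WEAK_USER_AUTH:
                findings.append(f"ssh user {m.group(1)}: {m.group(2)} "
                                "authentication (ECC recommended)")
                continue
            m = SSL_MIN.match(line)
            # String order works here because tls1.1 < tls1.2 < tls1.3.
            if m and m.group(1) < TLS_MIN_DEFAULT:
                findings.append(f"{block[0]}: minimum version {m.group(1)} "
                                f"is below the default {TLS_MIN_DEFAULT}")
        if block[0].startswith("user-interface vty"):
            if not any(l.startswith("authentication-mode") for l in block):
                findings.append(f"{block[0]}: no authentication-mode configured")
            if not any(l.startswith("acl ") and l.endswith("inbound") for l in block):
                findings.append(f"{block[0]}: no inbound ACL limiting login sources")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```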
Networking Requirements
Large numbers of devices need to be managed and maintained on a network, and you
cannot connect each device to a terminal. When no reachable route exists
between the remote devices and a terminal, you can use Telnet to log in to the
remote devices from a device that you have already logged in to. Telnet, however,
provides no secure authentication mode and transmits data in plaintext over TCP,
which brings security risks.
STelnet provides secure Telnet services based on SSH connections. SSH provides
encryption and authentication functions to protect devices against attacks, such as
IP address spoofing. As shown in Figure 1-61, after the STelnet server function is
enabled on the SSH server, the STelnet client can log in to the SSH server in
password, ECC, password-ECC, DSA, password-DSA, RSA, password-RSA, SM2,
password-sm2, x509v3-ssh-rsa, password-x509v3-rsa or all authentication mode.
Figure 1-61 Networking diagram for logging in to another device by using STelnet
Precautions
Two users client001 and client002 are configured to log in to the SSH server in the
authentication mode of password and DSA respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind
the DSA public key generated on the client to the user client002 on the server,
so that the server can authenticate the client when it attempts to log in.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Client001 and client002 log in to the SSH server by using STelnet.
Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● DSA authentication (public key: dsakey001) for client002
● IP address of the SSH server: 10.1.1.1
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] dsa local-key-pair create
Info: The key name will be: SSH SERVER_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.
NOTE
▪ If a password contains spaces, it must be enclosed in double quotation marks,
and the password itself cannot contain double quotation marks.
========================================================
Key code:
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
# Copy the DSA public key generated on the client to the server.
[*SSH Server] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[*SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return last view with "public-key-code end".
[*SSH Server-dsa-public-key-dsa-key-code] 3082019F
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
[*SSH Server-dsa-public-key-dsa-key-code] 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
[*SSH Server-dsa-public-key-dsa-key-code] 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
[*SSH Server-dsa-public-key-dsa-key-code] 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
[*SSH Server-dsa-public-key-dsa-key-code] 43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
If the login succeeds, the user view is displayed. If the login fails, the message
Session is disconnected is displayed.
Sftp-directory : -
Service-type : stelnet
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
dsa peer-public-key dsakey001
public-key-code begin
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
public-key-code end
peer-public-key end
#
stelnet server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign dsa-key dsakey001
ssh user client002 authentication-type dsa
ssh authorization-type default root
ssh user client002 service-type stelnet
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
Networking Requirements
Large numbers of devices need to be managed and maintained on a network, and you
cannot connect each device to a terminal. When no reachable route exists
between the remote devices and a terminal, you can use Telnet to log in to the
remote devices from a device that you have already logged in to. Telnet, however,
provides no secure authentication mode and transmits data in plaintext over TCP,
which brings security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides
encryption and authentication functions to protect devices against attacks, such as
IP address spoofing. After the STelnet server function is enabled on the SSH server,
the STelnet client can log in to the SSH server in password, ECC, password-ECC,
DSA, password-DSA, RSA, password-RSA, SM2, password-sm2, x509v3-ssh-rsa,
password-x509v3-rsa or all authentication mode. As shown in Figure 1-62,
client001 and client002 are configured to log in to the SSH server in password and
ECC authentication modes, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind
the ECC public key generated on the client to the user client002 on the server,
so that the server can authenticate the client when it attempts to log in.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Use STelnet on client001 and client002 to log in to the SSH server.
Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● ECC authentication (public key: Ecckey001) for client002
● IP address of the SSH server: 10.1.1.1.
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ecc local-key-pair create
SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.
NOTE
▪ If a password contains spaces, it must be enclosed in double quotation marks,
and the password itself cannot contain double quotation marks.
========================================================
Key Code:
04D7635B C047B02E 20C1E6CB E04B5E5C
7DCADD88
F676AB0E C91ACB3C B0394B18 FA29E5C2
0426F924
DAD9AA02 C531E5ED C6783FFA 41235A16
8D7723E0
7E63D68D E7
# Copy the ECC public key generated on the client to the server.
[~SSH Server] ecc peer-public-key Ecckey001
Enter "ECC public key" view, return system view with "peer-public-key end".
[*SSH Server-ecc-public-key] public-key-code begin
Enter "ECC key code" view, return last view with "public-key-code end".
[*SSH Server-ecc-public-key-ecc-key-code] 04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
[*SSH Server-ecc-public-key-ecc-key-code] B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
[*SSH Server-ecc-public-key-ecc-key-code] 668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
[*SSH Server-ecc-public-key-ecc-key-code] E25B662D 73
[*SSH Server-ecc-public-key-ecc-key-code] public-key-code end
[*SSH Server-ecc-public-key] peer-public-key end
[*SSH Server] commit
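The public-key-code blocks pasted under rsa peer-public-key, dsa peer-public-key and ecc peer-public-key in the examples on this page are hex dumps of the client's public key: for RSA a PKCS#1 RSAPublicKey SEQUENCE { n, e } (the trailing 0203 010001 is e = 65537), for DSA a SEQUENCE of four INTEGERs, and for ECC a raw 65-byte uncompressed curve point. Typing several hundred hex digits by hand is error-prone, and a single wrong digit yields a key that simply never authenticates. The following added example (not Huawei code) decodes the three key codes shown on this page, rebuilds the OpenSSH wire blob and prints the SHA256 fingerprint so it can be compared with `ssh-keygen -lf` on the client before `ssh user ... assign ...-key` binds the key. Assumptions: the DSA integers are in the order p, q, g, y (consistent with the 128/20/128/128-byte lengths on the page), the ECC point is on P-256 (the page does not name the curve), and a VRP-printed modulus whose top bit is set is read as an unsigned value rather than as a negative DER integer.

```python
"""Decode the hex "public-key-code" blocks that VRP prints for a local key
pair and expects under `rsa|dsa|ecc peer-public-key`, rebuild the OpenSSH
public-key blob, and print the SHA256 fingerprint so it can be compared
with `ssh-keygen -lf` on the client before the key is bound to an SSH user.
Added example, not Huawei code.  Standard library only."""
import base64
import hashlib
import struct

# Client public keys copied verbatim from the examples on this page.
RSA_CODE = """
308188 028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203 010001
"""
DSA_CODE = """
3082019F 028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214 CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2 C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66 C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328 C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D 593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3 E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
"""
ECC_CODE = """
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2 E25B662D 73
"""


def _hexbytes(code):
    return bytes.fromhex("".join(code.split()))


def _der_tlv(buf):
    """Split one DER TLV into (value, remainder); handles short and long length forms."""
    n, pos = buf[1], 2
    if n & 0x80:                                  # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return buf[pos:pos + n], buf[pos + n:]


def _der_ints(data):
    """Return the INTEGER members of the outer SEQUENCE as unsigned ints.
    VRP omits the leading 0x00 when the top bit of the modulus is set (assumption:
    that is how these dumps are produced), so values are read unsigned."""
    if data[0] != 0x30:
        raise ValueError("key code does not start with a DER SEQUENCE")
    body, rest = _der_tlv(data)
    if rest:
        raise ValueError("trailing bytes after SEQUENCE")
    ints = []
    while body:
        if body[0] != 0x02:
            raise ValueError("expected INTEGER inside SEQUENCE")
        val, body = _der_tlv(body)
        ints.append(int.from_bytes(val, "big"))
    return ints


def _string(b):                                   # RFC 4251 string
    return struct.pack(">I", len(b)) + b


def _mpint(v):                                    # RFC 4251 positive mpint: keep the top bit clear
    return _string(v.to_bytes((v.bit_length() + 8) // 8, "big"))


def rsa_params(code):
    n, e = _der_ints(_hexbytes(code))             # PKCS#1 RSAPublicKey ::= SEQUENCE { n, e }
    return n, e


def dsa_params(code):
    p, q, g, y = _der_ints(_hexbytes(code))       # assumed order p, q, g, y
    return p, q, g, y


def openssh_blob(kind, code):
    """Wire-format public-key blob (what authorized_keys carries after base64)."""
    if kind == "rsa":
        n, e = rsa_params(code)
        return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    if kind == "dsa":
        return _string(b"ssh-dss") + b"".join(_mpint(v) for v in dsa_params(code))
    if kind == "ecc":
        point = _hexbytes(code)                   # SEC1 uncompressed point: 04 || X || Y
        if point[0] != 4 or len(point) != 65:
            raise ValueError("expected a 65-byte uncompressed P-256 point")
        return _string(b"ecdsa-sha2-nistp256") + _string(b"nistp256") + _string(point)
    raise ValueError("unknown key kind %r" % kind)


def fingerprint(blob):
    """Same SHA256 fingerprint format that `ssh-keygen -lf` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()


def openssh_line(kind, code):
    """One .pub-style line, suitable for diffing against the client's key file."""
    blob = openssh_blob(kind, code)
    algo = blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode()
    return "%s %s" % (algo, base64.b64encode(blob).decode())


if __name__ == "__main__":
    for kind, code in (("rsa", RSA_CODE), ("dsa", DSA_CODE), ("ecc", ECC_CODE)):
        print(kind, fingerprint(openssh_blob(kind, code)))
        print("   ", openssh_line(kind, code))
```

Running the module prints the fingerprint and .pub line of each of the three keys on this page. The DSA key decodes to a 1024-bit p with a 160-bit q, which is what the ssh-dss method of RFC 4253 (SHA-1 based) is limited to; OpenSSH has refused ssh-dss keys by default since release 7.0, so when the peer is not another VRP device the RSA (with rsa_sha2_*) or ECC examples are the ones to follow.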
If the login succeeds, the user view is displayed. If the login fails, the message
Session is disconnected is displayed.
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet
Username : client002
Authentication-type : ecc
User-public-key-name : ecckey001
User-public-key-type : ECC
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------
Total 2, 2 printed
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
ecc peer-public-key ecckey001
public-key-code begin
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
public-key-code end
peer-public-key end
#
stelnet server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign ecc-key ecckey001
ssh user client002 authentication-type ecc
ssh authorization-type default root
ssh user client002 service-type stelnet
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user privilege level 3
#
return
● Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return
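The `ssh server cipher`, `ssh server hmac`, `ssh server key-exchange` and `ssh server publickey` lines in the server configuration file above restrict what the server will negotiate. The following added example (not Huawei code) is an audit script that speaks just enough SSH-2 to read a server's KEXINIT and flag legacy algorithms, which is the check a reviewer would run from a management host after the commit. The mapping of VRP names to the IANA names seen on the wire (aes256_gcm to aes256-gcm@openssh.com, dh_group_exchange_sha256 to diffie-hellman-group-exchange-sha256, rsa_sha2_256 to rsa-sha2-256) is an assumption, as is the weak-algorithm list; the LEGACY sample is constructed for the offline check, not captured from a device. `ssh server dh-exchange min-len 3072` cannot be verified from KEXINIT alone, because the group size is negotiated later in the GEX exchange.

```python
"""Read an SSH-2 server's KEXINIT and flag legacy algorithms, to confirm that
`ssh server cipher/hmac/key-exchange/publickey` took effect.  Speaks only the
banner (RFC 4253 s4.2), binary packet (s6) and KEXINIT (s7.1) parts of the
protocol.  Added example, not Huawei code; standard library only."""
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Assumed wire names for the VRP config on this page: aes256_gcm -> aes256-gcm@openssh.com,
# dh_group_exchange_sha256 -> diffie-hellman-group-exchange-sha256, rsa_sha2_256 -> rsa-sha2-256.
CIPHERS = ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"]
MACS = ["hmac-sha2-512", "hmac-sha2-256"]
EXPECTED = {"kex": ["diffie-hellman-group-exchange-sha256"], "hostkey": ["rsa-sha2-512", "rsa-sha2-256"],
            "cipher_c2s": CIPHERS, "cipher_s2c": CIPHERS, "mac_c2s": MACS, "mac_s2c": MACS,
            "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": []}
# Constructed sample of a legacy-compatible server (not captured from a device).
LEGACY = dict(EXPECTED, kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
              hostkey=["ssh-rsa", "ssh-dss"], cipher_c2s=["aes128-cbc", "3des-cbc"],
              cipher_s2c=["aes128-cbc", "3des-cbc"], mac_c2s=["hmac-sha1", "hmac-md5-96"],
              mac_s2c=["hmac-sha1", "hmac-md5-96"])
WEAK_SUBSTRINGS = {"kex": ("sha1", "group1-"), "mac": ("md5", "sha1", "-96", "ripemd"),
                   "cipher": ("cbc", "3des", "arcfour", "blowfish", "cast")}
WEAK_HOSTKEYS = {"ssh-dss", "ssh-rsa"}           # DSA, and RSA with SHA-1 signatures


def _namelist(names):
    data = ",".join(names).encode()
    return struct.pack(">I", len(data)) + data


def build_kexinit(algs, cookie=None):
    """KEXINIT payload: byte 20, 16-byte cookie, ten name-lists, bool, uint32 0."""
    out = bytes([SSH_MSG_KEXINIT]) + (cookie if cookie is not None else os.urandom(16))
    for field in FIELDS:
        out += _namelist(algs.get(field, []))
    return out + b"\x00" + b"\x00\x00\x00\x00"


def parse_kexinit(payload):
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT (message type %d)" % payload[0])
    pos, algs = 17, {}                           # skip type byte and cookie
    for field in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        algs[field] = raw.split(",") if raw else []
        pos += 4 + n
    return algs


def wrap_packet(payload):
    """Unencrypted binary packet: length, padding_length, payload, >=4 bytes padding, total % 8 == 0."""
    pad = 8 - (5 + len(payload)) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)


def unwrap_packet(data):
    length, pad = struct.unpack(">IB", data[:5])
    return data[5:4 + length - pad]


def audit(algs):
    """Return one finding per legacy algorithm the server offers (empty list = clean)."""
    findings = []
    for field, names in algs.items():
        family = field.split("_")[0]
        for name in names:
            if family == "hostkey" and name in WEAK_HOSTKEYS:
                findings.append("%s: %s (DSA or SHA-1 host-key signatures)" % (field, name))
            elif any(w in name for w in WEAK_SUBSTRINGS.get(family, ())):
                findings.append("%s: %s" % (field, name))
    return findings


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during key exchange")
        buf += chunk
    return buf


def probe(host, port=22, timeout=5.0):
    """Exchange banners and KEXINITs with a live server; return its offered algorithms."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexaudit\r\n")
        line = b""
        while True:                              # servers may send text lines before the banner
            line += _recv_exact(sock, 1)
            if line.endswith(b"\n"):
                if line.startswith(b"SSH-"):
                    break
                line = b""
        sock.sendall(wrap_packet(build_kexinit(EXPECTED)))
        head = _recv_exact(sock, 5)
        length, _ = struct.unpack(">IB", head)
        return parse_kexinit(unwrap_packet(head + _recv_exact(sock, length - 1)))


if __name__ == "__main__":
    import sys
    offered = probe(sys.argv[1]) if len(sys.argv) > 1 else LEGACY
    for finding in audit(offered) or ["no legacy algorithms offered"]:
        print(finding)
```

Saved as, say, kexaudit.py, `python3 kexaudit.py 10.1.1.1` probes the SSH server from this example; with no argument it audits the constructed LEGACY sample and flags, among others, the ssh-dss host-key method. The `ssh client ...` lines in the same configuration file only constrain what this device offers when it initiates a session; the audit above covers the server side.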
Networking Requirements
Large numbers of devices need to be managed and maintained on a network, and you
cannot connect each device to a terminal. When no reachable route exists
between the remote devices and a terminal, you can use Telnet to log in to the
remote devices from a device that you have already logged in to. Telnet, however,
provides no secure authentication mode and transmits data in plaintext over TCP,
which brings security risks.
STelnet is a secure Telnet service over SSH connections. SSH provides encryption
and authentication functions to protect devices against attacks, such as IP address
spoofing. After STelnet is enabled on an SSH server, an STelnet client can log in to
the SSH server in RSA, DSA, ECC, SM2, x509v3-ssh-rsa, password, password-rsa,
password-ecc, password-dsa, password-sm2, password-x509v3-rsa, or all
authentication mode. On the network shown in Figure 1-63, users client001 and
client002 are configured to log in to the SSH server in password and SM2
authentication modes, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure client001 and client002 to log in to the SSH server in different
authentication modes.
2. Generate a local key pair on client002 and the SSH server, and bind the SM2
public key of the SSH client to client002 to authenticate the client when the
client logs in to the server.
3. Enable the STelnet service on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Configure client001 and client002 to log in to the SSH server using STelnet.
Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● SM2 authentication (public key: sm2key001) for client002
● SSH server at IP address 10.1.1.1
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ssh server publickey sm2
SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.
NOTE
▪ If a password contains spaces, it must be enclosed in double quotation marks,
and the password itself cannot contain double quotation marks.
If the login succeeds, the user view is displayed. If the login fails, a Session is
disconnected message is displayed.
Step 9 Verify the configuration.
# Display the SSH status.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
Username : client002
Authentication-type : sm2
User-public-key-name : sm2key001
User-public-key-type : SM2
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------
Total 2, 2 printed
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
sm2 peer-public-key sm2key001
public-key-code begin
0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
BC28A576 7E
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type sm2
Networking Requirements
In the TCP/IP protocol suite, FTP is the most commonly used file transfer protocol.
However, FTP requires complex interaction between terminals and servers, which is
hard to implement on terminals that do not run advanced operating systems. TFTP is
designed for file transfer that does not require such interaction. It is simple and
cheap to implement, but it supports only basic file transfer and provides no
authentication or encryption.
On the network shown in Figure 1-64, a user logs in to a TFTP client from a PC
and then uploads files to or downloads files from a TFTP server.
Precautions
In insecure network environments, you are advised to use a secure protocol.
1.1.8.14.10 Example for Using SFTP to Log In to Other Devices (ECC
Authentication Mode) provides examples for secure protocols.
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the directory of source files
on the server.
2. Use TFTP commands on the TFTP client to download files.
3. Use TFTP commands on the TFTP client to upload files.
Data Preparation
To complete the configuration, you need the following data:
● TFTP software to be installed on the TFTP server
● Name of the file to be downloaded and path of the file on the TFTP server
● Name of the file to be uploaded and path of the file on the TFTP client
Procedure
Step 1 Enable the TFTP server function.
Set Current Directory to the directory where the files to be downloaded reside on
the TFTP server, as shown in Figure 1-65.
NOTE
On the TFTP server, change to the tftpservermt directory and start the server
with the following command:
/home/tftpservermt # ./tftpserver -v -i tftpserver.ini
TFTP Server MultiThreaded Version 1.61 Unix Built 1611
starting TFTP...
username: root
alias / is mapped to /home/
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 3
file read allowed: Yes
file create allowed: Yes
file overwrite allowed: Yes
thread pool size: 1
listening on: 0.0.0.0:69
Accepting requests..
Step 2 Log in to the TFTP client through the terminal emulation program of the PC to
download a file.
<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select
[Y/N]:y
Transfer file in binary mode.
Please wait for a while...
/
3338 bytes transferred
File transfer completed
Run the dir command on the TFTP client to view the directory in which the
downloaded file is saved.
<HUAWEI> dir
Directory of 0/17#cfcard:/
Step 4 Log in to the TFTP client through the terminal emulation program of the PC to
upload a file.
<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode.
Please wait for a while...
\ 100% [***********]
File transfer completed
----End
Configuration Files
None
Networking Requirements
To transfer files with a remote FTP server or manage directories of the server,
configure a device as an FTP client and use FTP to access the FTP server.
On the network shown in Figure 1-66, the FTP client and server are routable to
each other. To download system software and configuration files from the server
to the client, log in to the server from the client.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the username and password for an FTP user to log in to the FTP
server and the directory that the user will access.
2. Enable the FTP server function.
3. Run login commands to log in to the FTP server.
4. Configure the file transfer mode and working directory to allow the client to
download files from the server.
Data Preparation
To complete the configuration, you need the following data:
● Username and password used by the FTP client for login
● IP address of the FTP server: 1.1.1.1
● Target file and its location on the FTP client
Precautions
In insecure network environments, you are advised to use a secure protocol.
1.1.8.14.10 Example for Using SFTP to Log In to Other Devices (ECC
Authentication Mode) provides examples for secure protocols.
Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] local-user huawei password
Please configure the password (8-128)
Enter Password:
Confirm Password:
Step 4 Set the file transfer mode to binary and specify the Flash working directory on the
FTP client.
[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit
Step 5 Download the latest system software from the FTP server to the FTP client.
[ftp] get V800R022C00SPC600B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for V800R022C00SPC600B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
Run the dir command to check whether the required file has been downloaded to
the client.
----End
Configuration Files
● FTP server configuration file
#
aaa
local-user huawei password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user huawei ftp-directory cfcard:/
local-user huawei level 3
local-user huawei service-type ftp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
ftp server enable
ftp server-source -i loopback 0
#
return
1.1.8.14.8 Example for Using SFTP to Log In to Other Devices (RSA Authentication
Mode)
To allow the SFTP client to connect to the SSH server, configure the client and
server to generate local key pairs, configure the client to generate an RSA public
key, and bind the public key to the client.
Networking Requirements
SFTP runs over SSH and lets users log in to a remote device securely to manage
and transfer files. Because the device can function as an SFTP client, you can
log in to a remote SSH server from the device to transfer files securely.
As shown in Figure 1-67, after the SFTP server function is enabled on the SSH
server, the SFTP client can log in to the SSH server in password, ECC, password-
ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2, x509v3-ssh-
rsa, password-x509v3-rsa or all authentication mode for file access.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure SFTP client002 and the SSH server to generate local key pairs, and
bind the RSA public key of the SSH client to client002 to authenticate the
client when the client logs in to the server.
Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● RSA authentication (public key: rsakey001) for client002
● IP address of the SSH server: 10.1.1.2
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.
NOTE
▪ If a password contains spaces, it must be enclosed in double quotation marks,
and the password itself cannot contain double quotation marks.
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-public-key-rsa-key-code] 308188
[*SSH Server-rsa-public-key-rsa-key-code] 028180
[*SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password
authentication mode and client002 in RSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
[*SSH Server] commit
Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : -
Service-type : sftp
----------------------------------------------------
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
1.1.8.14.9 Example for Using SFTP to Log In to Other Devices (DSA Authentication
Mode)
To allow the SFTP client to connect to the SSH server, configure the client and
server to generate local key pairs, configure the client to generate a DSA public
key, send the public key to the server, and bind the public key to the client.
Networking Requirements
SFTP runs over SSH and lets users log in to a remote device securely to manage
and transfer files. Because the device can function as an SFTP client, you can
log in to a remote SSH server from the device to transfer files securely.
As shown in Figure 1-68, after the SFTP server function is enabled on the SSH
server, the SFTP client can log in to the SSH server in password, ECC, password-
ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2, x509v3-ssh-
rsa, password-x509v3-rsa or all authentication mode for file access.
Figure 1-68 Networking diagram for accessing another device by using SFTP
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure SFTP client002 and the SSH server to generate local key pairs, and
bind the DSA public key of the SSH client to client002 to authenticate the
client when the client logs in to the server.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Client001 and client002 log in to the SSH server in SFTP mode to obtain
files from the server.
Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● DSA authentication (public key: dsakey001) for client002
● IP address of the SSH server: 10.1.1.2
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] dsa local-key-pair create
Info: The key name will be: SSH SERVER_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.
NOTE
▪ If a password contains spaces, it must be enclosed in double quotation marks,
and the password itself cannot contain double quotation marks.
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
# Copy the DSA public key generated on the client to the server.
[~SSH Server] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[*SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return last view with "public-key-code end".
[*SSH Server-dsa-public-key-dsa-key-code] 3082019F
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password
authentication mode and client002 in DSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
Service-type : sftp
----------------------------------------------------
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001
public-key-code begin
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
public-key-code end
peer-public-key end
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign dsa-key dsakey001
ssh user client002 authentication-type dsa
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
1.1.8.14.10 Example for Using SFTP to Log In to Other Devices (ECC Authentication Mode)
To allow the SFTP client to connect to the SSH server, configure the client and
server to generate local key pairs, configure the client to generate an ECC public
key, and bind the public key to the client.
Networking Requirements
Based on SSH, SFTP ensures that users log in to a remote device securely to
manage and transfer files, enhancing secure file transfer. Because the device can
function as an SFTP client, you can log in to a remote SSH server from the device
to transfer files securely.
As shown in Figure 1-69, after the SFTP server function is enabled on the SSH
server, the SFTP client can log in to the SSH server in password, ECC,
password-ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2,
x509v3-ssh-rsa, password-x509v3-rsa or all authentication mode for file access.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure SFTP client002 and the SSH server to generate local key pairs, and
bind the ECC public key of the SSH client to client002 to authenticate the
client when the client logs in to the server.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use SFTP on client001 and client002 to log in to the SSH server.
Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● Client002: ECC authentication (public key: ecckey001)
● IP address of the SSH server: 10.1.1.2
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ecc local-key-pair create
Info: The key name will be: SSH Server_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.
NOTE
▪ If a password contains spaces and is therefore enclosed in double quotation
marks, the password itself cannot contain double quotation marks.
# Copy the ECC public key generated on the client to the server.
[~SSH Server] ecc peer-public-key ecckey001
Enter "ECC public key" view, return system view with "peer-public-key end".
[*SSH Server-ecc-public-key] public-key-code begin
Enter "ECC key code" view, return last view with "public-key-code end".
[*SSH Server-ecc-public-key-ecc-key-code] 04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
[*SSH Server-ecc-public-key-ecc-key-code] B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password
authentication mode and client002 in ECC authentication mode.
[*SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
Please select public key type for user authentication [R for RSA/E for ECC] Please select [R/E]:e
Username : client002
Authentication-type : ecc
User-public-key-name : ecckey001
User-public-key-type : ECC
Sftp-directory : cfcard:
Service-type : sftp
----------------------------------------------------
Total 2, 2 printed
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
ecc peer-public-key ecckey001
public-key-code begin
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
#
interface loopback 0
1.1.8.14.11 Example for Using SFTP to Log In to Other Devices (SM2 Authentication Mode)
In this example, local key pairs are generated on the SFTP client and secure shell
(SSH) server, and an SM2 public key is generated on the SSH server and then
bound to the SFTP client, implementing communication between the SFTP client
and SSH server.
Networking Requirements
SFTP is established over SSH and enables remote users to securely log in to a
device for file management and transfer. This ensures data transmission security.
In addition, the device provides the SFTP client function so that you can log in to a
remote SSH server from the device to securely transfer files.
As shown in Figure 1-70, after the SFTP server function is enabled on the SSH
server, the SFTP client can log in to the SSH server in password, ECC,
password-ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2,
x509v3-ssh-rsa, password-x509v3-rsa or all authentication mode for file access.
Figure 1-70 Networking diagram for accessing files on an SSH server using SFTP
Configuration Roadmap
The configuration roadmap is as follows:
5. Configure client001 and client002 to log in to the SSH server using SFTP for
file access.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Generate a local key pair on the SSH server.
<HUAWEI> system-view
[*HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ssh server publickey sm2
SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.
NOTE
▪ If a password contains spaces and is therefore enclosed in double quotation
marks, the password itself cannot contain double quotation marks.
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password
authentication mode and client002 in SM2 authentication mode.
[*SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
Username : client002
Authentication-type : sm2
User-public-key-name : sm2key001
User-public-key-type : SM2
Sftp-directory : cfcard:
Service-type : sftp
----------------------------------------------------
Total 2, 2 printed
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.2 255.255.0.0
#
sm2 peer-public-key sm2key001
public-key-code begin
0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
BC28A576 7E
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign sm2-key sm2key001
ssh user client002 authentication-type sm2
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
1.1.8.14.12 Example for Using a Non-default Listening Port Number to Access the SSH Server
A non-default listening port number can be configured for the SSH server to allow
only authorized users to establish SSH connections with the server.
Networking Requirements
The default listening port number is 22. If attackers continuously access this port,
bandwidth resources are consumed and the performance of the server deteriorates. As
a result, authorized users cannot access the server.
If the listening port number of the SSH server is changed to a non-default one,
attackers who do not know about the change continue to send socket connection
requests to port 22. The SSH server denies these connection requests because port 22
is no longer the listening port.
Authorized users can set up socket connections with the SSH server by using the
new listening port number and then complete the normal SSH exchange: negotiate the
SSH protocol version, negotiate the algorithms, generate the session key,
authenticate, send the session request, and take part in the session.
Figure 1-71 Using a non-default listening port number to access the SSH server
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind
client002 to the RSA public key of the SSH server to authenticate the client
when the client attempts to log in to the server.
3. Enable the STelnet and SFTP server functions on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Configure a non-default listening port number of the SSH server to allow only
authorized users to access the server.
6. Use STelnet and SFTP respectively on client001 and client002 to log in to the
SSH server.
Data Preparation
To complete the configuration, you need the following data:
● Client001: password authentication and STelnet service type
● Client002: RSA authentication (public key: RsaKey001) and SFTP service type
● IP address of the SSH server: 10.1.1.2
● Listening port number of the SSH server: 1025
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: CE1_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
[*SSH Server] commit
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-key-code] 3047
[*SSH Server-rsa-key-code] 0240
[*SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[*SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[*SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[*SSH Server-rsa-key-code] 1D7E3E1B
[*SSH Server-rsa-key-code] 0203
[*SSH Server-rsa-key-code] 010001
[*SSH Server-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server-rsa-public-key] commit
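The key code pasted into the peer-public-key view is a hex dump of a DER-encoded public key (a SEQUENCE of INTEGERs: modulus and exponent for RSA), and the client printed the same key in OpenSSH authorized_keys form a few lines earlier. The following Python is an added example, not part of this guide: it decodes both forms, confirms they carry the same modulus and exponent, and reports the modulus size against the 2048-bit minimum the key-pair command in this guide accepts. The sample values are the RSA key shown in this procedure; the function and variable names are the example's own.

```python
import base64
import re
import struct

# The RSA key code this procedure pastes into the server (the "3047 0240 ..."
# lines above), and the same key as the client printed it in OpenSSH form.
SERVER_KEY_CODE_HEX = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""
CLIENT_OPENSSH_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn"
    "TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _der_length(buf, pos):
    """Return (length, position after the length field) for the DER length at buf[pos]."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def parse_key_code(hex_text):
    """Decode a public-key-code block: a DER SEQUENCE of INTEGERs.

    RSA keys yield [n, e]; a DSA key code would yield [p, q, g, y]."""
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    if raw[0] != 0x30:
        raise ValueError("key code does not start with a DER SEQUENCE")
    seq_len, pos = _der_length(raw, 1)
    end = pos + seq_len
    if end != len(raw):
        raise ValueError("SEQUENCE length does not match the pasted key code")
    ints = []
    while pos < end:
        if raw[pos] != 0x02:
            raise ValueError("unexpected DER tag 0x%02x" % raw[pos])
        ilen, pos = _der_length(raw, pos + 1)
        ints.append(int.from_bytes(raw[pos:pos + ilen], "big"))
        pos += ilen
    return ints


def parse_openssh_rsa(line):
    """Decode an 'ssh-rsa <base64> [comment]' line into (n, e)."""
    fields = line.split()
    if fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(fields[1])
    pos, parts = 0, []
    while pos < len(blob):  # wire format: length-prefixed strings
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        parts.append(blob[pos:pos + length])
        pos += length
    if parts[0] != b"ssh-rsa":
        raise ValueError("wire type is not ssh-rsa")
    return int.from_bytes(parts[2], "big"), int.from_bytes(parts[1], "big")


def check_key_binding(hex_text, openssh_line, min_bits=2048):
    """Confirm the key saved on the server is the client's key and size-check it."""
    n_srv, e_srv = parse_key_code(hex_text)
    n_cli, e_cli = parse_openssh_rsa(openssh_line)
    return {
        "same_key": (n_srv, e_srv) == (n_cli, e_cli),
        "bits": n_srv.bit_length(),
        "meets_minimum": n_srv.bit_length() >= min_bits,
    }


if __name__ == "__main__":
    print(check_key_binding(SERVER_KEY_CODE_HEX, CLIENT_OPENSSH_LINE))
```

Run against the values in this procedure, the check reports that both forms are the same key but that its modulus is only 512 bits, well below the 2048-bit lower bound the rsa local-key-pair create prompt enforces; the hex in this walkthrough is illustrative output, and a key of that size should not be bound to a production user.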
There are several authentication modes for SSH users: password, RSA, password-RSA, ECC,
password-ECC, and All.
● If the authentication mode is password, password-ECC, or password-RSA, configure a
local user on the server with the same user name.
● If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the
RSA or ECC public key generated on the SSH client to the server.
NOTE
▪ If a password contains spaces and is therefore enclosed in double quotation
marks, the password itself cannot contain double quotation marks.
# Set the service type of client002 to SFTP and configure the authorized
directory for the user.
[~SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
[*SSH Server] commit
Step 4 Enable the STelnet and SFTP server functions on the SSH server.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*SSH Server-LoopBack0] quit
[*SSH Server] stelnet server enable
[*SSH Server] sftp server enable
[*SSH Server] ssh server-source -i loopback 0
# Connect client001 to the SSH server using the new listening port number.
[~client001] stelnet 10.1.1.1 1025
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:
# Connect client002 to the SSH server using the new listening port number.
[~client002] sftp 10.1.1.1 1025
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
sftp-client>
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
stelnet server enable
sftp server enable
ssh server-source -i loopback 0
ssh server port 1025
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.2 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
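The configuration file above shows every setting the non-default-port example depends on: the listening port, the per-user authentication type, the assigned key and its peer-public-key block, and the local-user entry that the NOTE in this section requires for password modes. The Python below is an added example, not part of this guide or the product: it reads a configuration file in the format the guide prints and reports where those requirements are not met. The approved algorithm lists and the 3072-bit DH minimum are assumptions taken from the ssh server cipher, hmac, key-exchange and dh-exchange lines in this guide's other examples; the sample configuration is constructed for the example, with a placeholder in place of the password cipher text.

```python
import re

# Approved algorithm lists. Assumption: taken from the "ssh server cipher",
# "ssh server hmac" and "ssh server key-exchange" lines in this guide's examples.
STRONG_CIPHERS = {"aes256_gcm", "aes128_gcm", "aes256_ctr", "aes192_ctr", "aes128_ctr"}
STRONG_HMACS = {"sha2_512", "sha2_256"}
STRONG_KEX = {"dh_group_exchange_sha256"}
MIN_DH_BITS = 3072  # the "ssh server dh-exchange min-len" value the guide configures

# Constructed sample in the configuration-file format the guide prints: a password
# user with its local-user, an RSA user whose key is saved (key code omitted), and
# a DSA user whose key was never pasted into the server.
SAMPLE_CONFIG = """\
#
sysname SSH Server
#
rsa peer-public-key rsakey001
peer-public-key end
#
ssh server port 1025
ssh user client001
ssh user client001 authentication-type password
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
ssh user client003
ssh user client003 authentication-type dsa
ssh user client003 assign dsa-key dsakey001
#
ssh server dh-exchange min-len 2048
#
aaa
 local-user client001 password cipher @%@%CONSTRUCTED-PLACEHOLDER@%@%
 local-user client001 service-type ssh
#
return
"""


def _last_match(lines, pattern):
    """Match object for the last line matching pattern (later lines win), or None."""
    found = None
    for ln in lines:
        m = re.fullmatch(pattern, ln)
        if m:
            found = m
    return found


def audit_ssh_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []

    # Listening port: no "ssh server port" line means the default, 22.
    m = _last_match(lines, r"ssh server port (\d+)")
    if m is None or int(m.group(1)) == 22:
        findings.append("SSH server listens on the default port 22")

    # Algorithm lists: an absent line leaves the platform default list in force.
    for keyword, allowed in (("cipher", STRONG_CIPHERS), ("hmac", STRONG_HMACS),
                             ("key-exchange", STRONG_KEX)):
        m = _last_match(lines, r"ssh server %s (.+)" % re.escape(keyword))
        if m is None:
            findings.append("ssh server %s not set; platform default list in use" % keyword)
            continue
        for alg in sorted(set(m.group(1).split()) - allowed):
            findings.append("ssh server %s allows %s, not in the approved list" % (keyword, alg))

    m = _last_match(lines, r"ssh server dh-exchange min-len (\d+)")
    dh_min = int(m.group(1)) if m else None
    if dh_min is None or dh_min < MIN_DH_BITS:
        findings.append("DH group exchange minimum is %s, below %d bits" % (dh_min, MIN_DH_BITS))

    # Per-user consistency, as the guide's NOTE requires: password modes need a
    # local-user of the same name; key modes need an assigned key that is saved.
    local_users, peer_keys, auth, assigned = set(), set(), {}, {}
    for ln in lines:
        if (m := re.match(r"local-user (\S+) ", ln)):
            local_users.add(m.group(1))
        elif (m := re.fullmatch(r"(rsa|dsa|ecc|sm2) peer-public-key (\S+)", ln)):
            peer_keys.add((m.group(1), m.group(2)))
        elif (m := re.fullmatch(r"ssh user (\S+) authentication-type (\S+)", ln)):
            auth[m.group(1)] = m.group(2)
        elif (m := re.fullmatch(r"ssh user (\S+) assign (rsa|dsa|ecc|sm2)-key (\S+)", ln)):
            assigned[m.group(1)] = (m.group(2), m.group(3))
    for user, mode in auth.items():
        if mode.startswith("password") and user not in local_users:
            findings.append("%s uses %s authentication but has no local-user" % (user, mode))
        key_type = mode.split("-")[-1]  # rsa/dsa/ecc/sm2 for both key and password-key modes
        if key_type in ("rsa", "dsa", "ecc", "sm2") or mode == "all":
            if user not in assigned:
                findings.append("%s uses %s authentication but no key is assigned" % (user, mode))
            elif assigned[user] not in peer_keys:
                findings.append("%s is bound to %s key %s, which is not saved on the server"
                                % ((user,) + assigned[user]))
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the audit accepts the non-default port and the two correctly bound users, and reports the three unset algorithm lists, the 2048-bit DH minimum, and client003's missing DSA key. Treat the port change as one control among these: it reduces noise on port 22 but does not replace algorithm and key hygiene.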
1.1.8.14.13 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network
This example shows how to configure an SSH client on the public network to
access an SSH server on a private network. You can configure SSH-related
attributes for public users to allow them to access devices on private networks in
STelnet or SFTP mode.
Networking Requirements
As shown in Figure 1-72, PE1 is an SSH client located on the MPLS backbone
network, and CE1 functions as an SSH server located on the private network with
the AS number of 65410. Public network users need to securely access and
manage CE1 after logging in to PE1.
Figure 1-72 Configuring an SSH client on the public network to access an SSH server on a private network
NOTE
In this example, interface 1, interface 2, and interface 3 represent GE 1/0/1, GE 2/0/1 and
GE 1/0/2, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the MPLS backbone network.
Configure an IGP to allow PEs and the P on the MPLS backbone network to
communicate with each other. Configure basic MPLS functions, enable MPLS LDP,
and establish LDP LSPs on the MPLS backbone network.
# Configure PE1.
[*PE1] ip vpn-instance vpn1
[*PE1-vpn-instance-vpn1] route-distinguisher 100:1
[*PE1-vpn-instance-vpn1] vpn-target 111:1 both
[*PE1-vpn-instance-vpn1] quit
[*PE1] interface gigabitethernet 2/0/1
[*PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1
[*PE1-GigabitEthernet2/0/1] undo shutdown
[*PE1-GigabitEthernet2/0/1] ip address 10.1.1.2 24
[*PE1-GigabitEthernet2/0/1] quit
[*PE1] commit
# Configure PE2.
[*PE2] ip vpn-instance vpn1
[*PE2-vpn-instance-vpn1] route-distinguisher 200:1
[*PE2-vpn-instance-vpn1] vpn-target 111:1 both
[*PE2-vpn-instance-vpn1] quit
[*PE2] interface gigabitethernet 2/0/1
[*PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1
[*PE2-GigabitEthernet2/0/1] undo shutdown
[*PE2-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[*PE2-GigabitEthernet2/0/1] quit
[*PE2] commit
NOTE
When there are multiple interfaces on a PE bound to the same VPN instance, specify the
source address in the ping -vpn-instance vpn-instance-name -a source-ip-address
dest-ip-address command to ping the CE connected to the peer PE. Otherwise, the ping may fail.
[~PE1] ping -vpn-instance vpn1 10.3.3.3
PING 10.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.3.3.3: bytes=56 Sequence=1 ttl=255 time=260 ms
Reply from 10.3.3.3: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 10.3.3.3: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 10.3.3.3: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 10.3.3.3: bytes=56 Sequence=5 ttl=255 time=90 ms
--- 10.3.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/108/260 ms
Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN
routes.
# Configure CE1.
[*CE1] bgp 65410
[*CE1-bgp] peer 10.1.1.2 as-number 100
[*CE1-bgp] import-route direct
[*CE1-bgp] quit
[*CE1] commit
# Configure PE1.
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpn1
[*PE1-bgp-vpn1] peer 10.3.3.3 as-number 65410
[*PE1-bgp-vpn1] import-route direct
[*PE1-bgp-vpn1] quit
[*PE1-bgp] quit
[*PE1] commit
# Configure CE2.
[*CE2] bgp 65420
[*CE2-bgp] peer 10.1.2.2 as-number 100
[*CE2-bgp] import-route direct
[*CE2-bgp] quit
[*CE2] commit
# Configure PE2.
[*PE2] bgp 100
[*PE2-bgp] ipv4-family vpn-instance vpn1
[*PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[*PE2-bgp-vpn1] import-route direct
[*PE2-bgp-vpn1] quit
[*PE2-bgp] quit
[*PE2] commit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on PEs. The command output shows that the EBGP peer relationships
between PEs and the CEs are in the Established state.
The following example uses the command output on PE1.
[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.3.3.3 4 65410 3 3 0 00:00:37 Established 1
# Copy the RSA public key generated on the client to the server.
[*CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*CE1-rsa-key-code] 3067
[*CE1-rsa-key-code] 0240
[*CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[*CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[*CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[*CE1-rsa-key-code] E2EE8EB5
[*CE1-rsa-key-code] 0203
[*CE1-rsa-key-code] 010001
[*CE1-rsa-key-code] public-key-code end
[*CE1-rsa-public-key] peer-public-key end
[*CE1-rsa-public-key] quit
[*CE1] commit
NOTE
There are several authentication modes for SSH users: password, RSA, password-RSA, DSA,
password-DSA, ECC, password-ECC, SM2, password-SM2 and All.
● If the authentication mode is password, password-ECC, password-DSA, password-sm2 or
password-RSA, configure a local user on the server with the same user name.
● If the authentication mode is RSA, password-RSA, DSA, password-DSA, SM2,
password-SM2, ECC, password-ECC, or All, save the RSA, DSA, SM2, or ECC public key
generated on the SSH client to the server.
NOTE
▪ If a password contains spaces and is therefore enclosed in double quotation
marks, the password itself cannot contain double quotation marks.
# Create an SSH user named client002, configure RSA authentication for the
user, and bind the RSA public key to client002.
[*CE1] ssh user client002
[*CE1] ssh user client002 authentication-type rsa
[*CE1] ssh user client002 assign rsa-key RsaKey001
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
# Set the service type of client002 to SFTP and configure the authorized
directory for the user.
[*CE1] ssh user client002 service-type sftp
[*CE1] ssh user client002 sftp-directory cfcard:
[*CE1] commit
Step 7 Enable the STelnet and SFTP server functions on the SSH server.
[~CE1] interface LoopBack 0
[~CE1-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*CE1-LoopBack0] quit
[*CE1] stelnet server enable
[*CE1] sftp server enable
[*CE1] ssh server-source -i loopback 0
[*CE1] commit
Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).
# If the client logs in to the server for the first time, enable first authentication on
the client.
[~PE1] ssh client first-time enable
[*PE1] commit
The server's public key will be saved with the name:10.1.1.1. Please wait...
----End
Configuration Files
● CE1 configuration file
#
sysname CE1
#
rsa peer-public-key rsakey001
public-key-code begin
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
public-key-code end
peer-public-key end
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
stelnet server enable
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.3.3.3 as-number 65410
#
ssh client first-time enable
#
return
● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.3.1.2 255.255.255.255
mpls
mpls ldp
#
interface GigabitEthernet2/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.2.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.2.1 as-number 65420
#
return
Networking Requirements
As shown in Figure 1-73, the device functioning as an SCP client has a reachable
route to an SCP server and can download files from the server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a local RSA key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable the SCP service function on the SSH server.
4. Enable first authentication on the SSH client.
5. Specify the IP address of the source interface on the SCP client.
6. Download files from the SSH server to the SCP client.
Data Preparation
To complete the configuration, you need the following data:
● SSH user name, authentication mode, and authentication password
● IP address of the source interface on the SCP client
● Names and paths of the source and destination files
Procedure
Step 1 Configure the SSH server to generate a local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
# Create an SSH user named client001 and configure password authentication for
the user.
[*SSH Server] ssh user client001
Info: Succeeded in adding a new SSH user.
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
Step 4 Download files from the SCP server to the SCP client.
# For the first login, enable first authentication on the SSH client.
<HUAWEI> system-view
[~HUAWEI] sysname SCP Client
[*SCP Client] ssh client first-time enable
# Set the source IP address of the SCP client to 1.1.1.1 (the IP address of a
loopback interface).
[*SCP Client] scp client-source -a 1.1.1.1
Info: Succeeded in setting the source address of the SCP client to 1.1.1.1.
# Use the AES128 cipher for the SCP session, and download the license.txt file
from the remote SCP server at 172.16.104.110 to the local user directory.
[*SCP Client] scp -a 1.1.1.1 -cipher aes128 client001@172.16.104.110:license.txt license.txt
[*SCP Client] commit
Run the display scp-client command on the SCP client. The command output is
as follows:
<HUAWEI> display scp-client
The source address of SCP client is 1.1.1.1.
----End
Configuration Files
● SCP server configuration file
#
sysname SSH Server
#
aaa
local-user client001 password irreversible-cipher @%@%1-w$!gvBa#6W,ZUm2EN*BYqNWwI3BV\uV`%_oauS;RQB%>>~GV#QzO~k/8;U6;@%@%
local-user client001 service-type ssh
local-user client001 level 3
#
scp server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Networking Requirements
An HTTP client can download a certificate from an HTTP server through HTTP. On
the network shown in Figure 1-74, the HTTP client and server are routable to
each other. To download a certificate from the server to the client, log in to the
server from the client.
The server supports SSL policies. To improve data transmission security, configure
an SSL policy on the HTTP client.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an SSL policy on the HTTP client.
2. Configure the HTTP client.
Data Preparation
To complete the configuration, you need the following data:
● SSL policy name policy1 to be configured on the HTTP client
● Domain name domain1
Procedure
Step 1 Configure an SSL policy on the HTTP client.
# Configure a PKI domain.
<HUAWEI> system-view
[~HUAWEI] pki domain domain1
[*HUAWEI-pki-domain-domain1] commit
[~HUAWEI-pki-domain-domain1] quit
[~HUAWEI] pki import-certificate ca domain domain1 filename test.crt
NOTE
The CA certificate is used as an example. During the actual configuration, you need to
replace ca and test.crt with the existing certificate type and name on the device. You can
directly upload the certificate to the device for installation, or apply for and download the
certificate for installation. For details, see "Obtaining a Certificate" in PKI Configuration.
----End
Configuration Files
● HTTP client configuration file
#
ssl policy policy1
pki-domain domain1
#
http
client ssl-policy policy1
client ssl-verify peer
#
return
Context
ZTP can be used to automatically deploy unconfigured devices after they are
powered on, which improves deployment efficiency, especially on a network where
a large number of devices need to be deployed.
In VS mode, this feature is supported only by the admin VS.
Definition
ZTP enables a newly delivered or unconfigured device to automatically load
version files (including the system software, configuration file, and patch file)
when the device starts.
Purpose
In conventional network device deployment, network administrators are required
to perform manual onsite configuration and software commissioning on each
device after hardware installation is complete. Therefore, deploying a large
number of geographically scattered devices is inefficient and incurs high labor
costs.
ZTP addresses these issues by automatically loading version files from a file server,
without requiring onsite manual intervention in device deployment and
configuration.
Benefits
ZTP eliminates the need for onsite device deployment and configuration, improves
deployment efficiency, and reduces labor costs.
Feature Requirements
Feature Requirement | Series | Models
Before using ZTP for the next startup, check whether ZTP is enabled. If ZTP is disabled, enable it. Otherwise, the ZTP process cannot be started next time. | NE9000 | NE9000
The address lease needs to be set for the DHCP server based on the site deployment period. If the lease is too short, a go-online failure occurs. You are advised to set a long period for the DHCP server address. | NE9000 | NE9000
Usage Scenario
In conventional network device deployment, network administrators are required
to perform onsite software commissioning after hardware installation is complete.
Therefore, deploying a large number of geographically scattered devices is
inefficient and incurs high labor costs.
Pre-configuration Tasks
Before configuring ZTP, complete the following tasks:
● Configure routes for the target device's gateway to communicate with DHCP
servers and file servers.
● Check that no configuration file is loaded to the target device.
Procedure
Step 1 Select the intermediate file type. An intermediate file can be an .ini file, a .cfg
file, or a Python script file. The .ini and .cfg files are simple to write and easy to
configure, whereas Python script files require more expertise from the user. Therefore,
users who are using ZTP for the first time are advised to select an .ini or .cfg file as
the intermediate file. For details about the related file formats, see Intermediate File
in the INI Format, Intermediate File in the CFG Format, or Intermediate Files in the
Python Format.
----End
Context
Before powering on a device that requires automatic deployment through ZTP,
deploy a DHCPv4 server from which the device can obtain a device management
IP address, gateway address, intermediate file server address, and intermediate file
name.
In the DHCP discover phase, the device sends to the DHCPv4 server a DHCP
discover packet that carries DHCP Option 60 and Option 61. Option 60 (Vendor
class identifier) records the device manufacturer and model, and Option 61
(Client-identifier) records the device ESN.
Table 1-42 describes the Option fields that need to be configured on the DHCPv4
server.
NOTE
The IPv4 address lease that ZTP applies for through DHCPv4 is at least one hour and cannot be
renewed.
If a ZTP device and DHCPv4 server reside on different network segments, deploy a DHCP relay
agent to forward DHCP packets.
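The Discover-phase exchange described above, as an added example that is not part of the Huawei guide: a small parser for the DHCPv4 options area that extracts Option 60 (vendor class identifier) and Option 61 (client identifier) from a constructed Discover, so a DHCP server can check the requesting device against an allowlist of expected ESNs before returning the intermediate-file options. It assumes the ESN is carried as ASCII text in Option 61; the ESN values and allowlist are constructed placeholders.

```python
# Added example (not from the Huawei guide): parse a constructed DHCPv4
# Discover options area and extract Option 60 (vendor class identifier) and
# Option 61 (client identifier), which a ZTP device sends so the DHCP server
# can decide what to return. ASCII encoding of the ESN is an assumption.
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that precedes the options


def parse_dhcp_options(options: bytes) -> dict:
    """Return {code: raw_value} for a DHCPv4 options area (TLV, ends at 0xFF)."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, out = len(MAGIC_COOKIE), {}
    while i < len(options):
        code = options[i]
        if code == 255:            # End option: stop parsing
            return out
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:   # reject a length that runs past the buffer
            raise ValueError(f"truncated option {code}")
        out[code] = value
        i += 2 + length
    raise ValueError("options area has no End option")


def build_options(vendor_class: bytes, client_id: bytes) -> bytes:
    """Build a constructed Discover options area: Option 53 (type), 60 and 61."""
    tlv = lambda code, val: bytes([code, len(val)]) + val
    return (MAGIC_COOKIE + tlv(53, b"\x01") + tlv(60, vendor_class)
            + tlv(61, client_id) + b"\xff")


def ztp_client_identity(options: bytes) -> tuple:
    """Return (vendor_class, esn) as text; an entry is None if the option is absent."""
    opts = parse_dhcp_options(options)
    dec = lambda v: v.decode("ascii", "replace") if v is not None else None
    return dec(opts.get(60)), dec(opts.get(61))


# Constructed allowlist of ESNs expected on site; the values are placeholders.
ALLOWED_ESNS = {"ESN-PLACEHOLDER-0001", "ESN-PLACEHOLDER-0002"}


def should_serve_ztp(options: bytes) -> bool:
    """Return ZTP file-server options only to an expected vendor/ESN pair."""
    vendor, esn = ztp_client_identity(options)
    return vendor is not None and vendor.startswith("HUAWEI") and esn in ALLOWED_ESNS
```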
Context
Before powering on a device that requires automatic deployment through ZTP,
deploy a DHCPv6 server from which the device can obtain a device management
IP address, gateway address, intermediate file server address, and intermediate file
name.
In the DHCPv6 Solicit phase, the device sends to the DHCPv6 server a DHCPv6
Solicit message that carries DHCPv6 Option 6. DHCPv6 Option 6 records the
option code requested by the client.
Table 1-43 describes the option fields that need to be configured on the DHCPv6
server.
NOTE
The IPv6 address lease that ZTP applies for through DHCPv6 is at least one hour and cannot be
renewed.
If a ZTP-enabled device and DHCPv6 server reside on different network segments, deploy a
DHCPv6 relay agent to forward DHCPv6 packets.
Context
A file server stores the files to be downloaded to unconfigured devices, including
the intermediate file and version files. A router can be configured to provide the
file server functionality. A file server consumes device storage resources. Therefore,
ensure that the router has sufficient space to store files before deploying a file
server on the router. If the router does not have sufficient space, you can deploy a
third-party server to store files. For details about configuring a third-party server,
see the corresponding operation guide of the third-party server.
The version file server and intermediate file server can be the same server. A file
server can be a TFTP, FTP, or SFTP server.
NOTE
Ensure that reachable routes are deployed between the file server and unconfigured device.
Follow-up Procedure
After the file server is configured, save the intermediate file and version files to
the file server.
NOTE
To ensure security of the file server, configure a unique user name for the file server and
assign read-only permission to the user to prevent unauthorized modification to the files.
After the ZTP process is complete, disable the file server function.
Context
After ZTP-related configurations are complete, power on the ZTP-enabled device.
The device will then automatically download version files and restart to complete
automatic deployment.
Procedure
Step 1 Power on the device.
----End
Context
If you want commands to be delivered to an unconfigured device before the ZTP
process starts, upload a pre-configuration script to the device.
Procedure
Step 1 Edit the pre-configuration script based on the file type and format instructions
described in Preconfiguration Script.
Step 2 Upload the pre-configuration script to the storage medium of the main control
board.
NOTE
FTP, TFTP, or SFTP can be used to upload the script. For upload details, see 1.1.8.6 Using
FTP to Access Other Devices, 1.1.8.5 Using TFTP to Access Other Devices, or 1.1.8.7
Using SFTP to Access Other Devices. Select an upload mode as needed.
To prevent a device from starting the ZTP process when it starts with base
configuration, run the reset ztp pre-configuration command to clear the pre-
configuration script.
The ZTP status (including the status of the pre-configuration script) is displayed.
NOTE
When the system software is upgraded from an earlier version to the current version, the
loaded pre-configuration script is executed (to prevent this loaded pre-configuration script
from being executed, run the reset ztp pre-configuration command) only if the
configuration file set for startup is vrpcfg.zip.
----End
Context
To implement automatic deployment through ZTP on a device upon a start with
base configuration, enable ZTP.
Procedure
Step 1 Run set ztp enable
ZTP is enabled.
If automatic deployment through ZTP is not needed, run the set ztp disable
command to disable ZTP.
----End
Procedure
Step 1 After the ZTP process is complete, log in to the device and run the display startup
command to check whether the device startup file is as required.
Step 2 Run the display ztp status command to check whether automatic deployment is
complete through ZTP.
Step 3 If automatic deployment fails, analyze ZTP logs on the device to determine the
failure causes.
----End
Networking Requirements
On the network shown in Figure 1-75, two devices (RouterA and RouterB) with
base configuration are newly added and connected to RouterC. RouterC functions
as the egress gateway of RouterA and RouterB. Routes are available for RouterC,
the DHCP server, and the file server to communicate with each other.
The customer requires that RouterA and RouterB automatically load system
software and configuration files after they are powered on to reduce labor costs
and device deployment time.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an FTP server as the file server to save the intermediate file, system
software, and configuration files.
NOTE
File transfer through FTP is prone to security risks, and therefore the SFTP file transfer
mode is recommended.
2. Edit the Python, INI, or CFG intermediate file to enable the routers to obtain
their system software packages and configuration files according to the
intermediate file.
3. Configure the DHCP server and relay agent to enable RouterA and RouterB to
obtain DHCP information.
4. Power on RouterA and RouterB to start the ZTP process.
Procedure
Step 1 Configure the file server. (The following example uses a PC as the file server. If
another type of device is used as the file server, configure the server according to
the corresponding operation guide.)
1. Configure the file server (PC) as an FTP server. Run an FTP server program
(for example, WFTPD32) on the PC. See Figure 1-76. Choose Security >
Users/rights. In the displayed dialog box, click New User. Set the user name
to ftpuser and password to Pwd123. Enter the FTP working directory in the
Home Directory text box. In this example, the working directory is D:\ztp.
Click Done to close the dialog box.
2. Configure an IP address and gateway address for the file server. Ensure that
the file server and gateway of RouterA and RouterB have reachable routes to
each other.
After configuring the file server, save the system software and configuration files
to be loaded to the working directory D:\ztp.
After editing the intermediate file, save the file to the working directory D:\ztp on
the file server.
# Configure the IP address pool from which the DHCP server assigns IP addresses
to clients. Configure Option fields according to the instructions in Table 1-44. For
configuration details, see the corresponding product documentation and DHCP
server configuration section in this document.
# Configure an IP address and gateway address for the DHCP server. Ensure that
the DHCP server and gateway of RouterA and RouterB have reachable routes to
each other.
----End
Configuration Files
ztp_script.cfg file
NOTE
vrpcfg.cfg file
NOTE
The interface IP address and static route configurations in the file are used as an example.
You can modify them as required.
#
sysname HUAWEI
#
ip vpn-instance __LOCAL_OAM_VPN__
ipv4-family
#
interface Ethernet0/0/0
undo shutdown
ip binding vpn-instance __LOCAL_OAM_VPN__
ip address 192.168.130.10 255.255.255.0
#
ip route-static vpn-instance __LOCAL_OAM_VPN__ 0.0.0.0 0.0.0.0 192.168.130.20
#