NE9000 V800R022C00 Configuration Guide 01 Basic Configuration


HUAWEI NetEngine9000

V800R022C00SPC600

Configuration Guide

Issue 01
Date 2022-10-31

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://www.huawei.com
Email: support@huawei.com

Issue 01 (2022-10-31) Copyright © Huawei Technologies Co., Ltd. i


HUAWEI NetEngine9000
Configuration Guide Contents

Contents

1 Configuration............................................................................................................................1
1.1 Basic Configuration.................................................................................................................................................................1
1.1.1 About This Document........................................................................................................................................................ 1
1.1.2 First Login Configuration.................................................................................................................................................. 5
1.1.2.1 Overview of First Login.................................................................................................................................................. 5
1.1.2.2 Configuration Precautions for First Login................................................................................................................ 6
1.1.2.3 Logging In to a Device Through a Console Port....................................................................................................6
1.1.2.3.1 Establishing a Physical Connection......................................................................................................................... 6
1.1.2.3.2 Logging In to a Device................................................................................................................................................ 6
1.1.2.4 Performing Batch Device Deployment Through the Plug-and-Play Function.............................................9
1.1.3 Command Line Interface Configuration.................................................................................................................... 10
1.1.3.1 CLI Overview.................................................................................................................................................................... 10
1.1.3.2 Configuration Precautions for Command Line Interface................................................................................. 12
1.1.3.3 Establishing a Command Line Running Environment....................................................................................... 15
1.1.3.3.1 Configuring Header Information...........................................................................................................................15
1.1.3.3.2 Configuring a Device Name.................................................................................................................................... 16
1.1.3.3.3 Configuring Command Levels................................................................................................................................ 16
1.1.3.3.4 Locking a User Interface.......................................................................................................................................... 18
1.1.3.3.5 Configuring the System to Allow the Execution of User-View Commands in the System View.....18
1.1.3.3.6 (Optional) Configuring the Command Timestamp Function......................................................................18
1.1.3.4 How to Use the CLI....................................................................................................................................................... 19
1.1.3.4.1 Entering a Command View..................................................................................................................................... 20
1.1.3.4.2 Editing a Command................................................................................................................................................... 20
1.1.3.4.3 Verifying the Command Line Configuration..................................................................................................... 21
1.1.3.4.4 Checking the Diagnostic Information.................................................................................................................. 22
1.1.3.4.5 Command Display Mode......................................................................................................................................... 22
1.1.3.4.6 Error Messages............................................................................................................................................................ 28
1.1.3.4.7 Configuring an Alias for a Command..................................................................................................................28
1.1.3.4.8 Intelligent Rollback.................................................................................................................................................... 29
1.1.3.4.9 Enabling Secondary Authentication..................................................................................................................... 30
1.1.3.5 How to Obtain Command Help................................................................................................................................ 30
1.1.3.6 How to Use Shortcut Keys.......................................................................................................................................... 31
1.1.3.6.1 Classification of Shortcut Keys............................................................................................................................... 32


1.1.3.6.2 Defining Shortcut Keys............................................................................................................................................. 33
1.1.3.6.3 Displaying Shortcut Keys and Their Functions................................................................................................. 34
1.1.3.7 Configuring the Session Log Function.................................................................................................................... 34
1.1.3.8 Configuration Examples for Command Lines.......................................................................................................35
1.1.3.8.1 Example for Using Tab.............................................................................................................................................. 35
1.1.3.8.2 Example for Defining Shortcut Keys.................................................................................................................... 37
1.1.4 User Interface Configuration......................................................................................................................................... 38
1.1.4.1 Overview of User Interfaces....................................................................................................................................... 38
1.1.4.2 Configuration Precautions for User Interface.......................................................................................................41
1.1.4.3 Configuring a Console User Interface..................................................................................................................... 41
1.1.4.3.1 Configuring Physical Attributes for the Console User Interface.................................................................41
1.1.4.3.2 Configuring Terminal Attributes for the Console User Interface............................................................... 42
1.1.4.3.3 Configuring a User Level for the Console User Interface............................................................................. 43
1.1.4.3.4 Configuring an Authentication Mode for the Console User Interface..................................................... 43
1.1.4.3.5 Disabling the Console User Interface.................................................................................................................. 46
1.1.4.3.6 Verifying the Configuration of the Console User Interface..........................................................................46
1.1.4.4 Configuring VTY User Interfaces...............................................................................................................................46
1.1.4.4.1 Configuring the Maximum Number of VTY User Interfaces....................................................................... 47
1.1.4.4.2 Configuring the Limit on Incoming and Outgoing Calls for a VTY User Interface.............................. 48
1.1.4.4.3 Configuring Terminal Attributes for a VTY User Interface........................................................................... 50
1.1.4.4.4 Configuring a User Level for a VTY User Interface......................................................................................... 51
1.1.4.4.5 Configuring an Authentication Mode for a VTY User Interface................................................................. 52
1.1.4.4.6 Configure an Alarm Threshold for the Number of Available VTY Channels......................................... 54
1.1.4.4.7 Enabling the VTY User Interface's Security Policy...........................................................................................55
1.1.4.4.8 Verifying the Configuration of VTY User Interfaces....................................................................................... 55
1.1.4.5 Configuration Examples for User Interfaces......................................................................................................... 55
1.1.4.5.1 Example for Configuring the Console User Interface.................................................................................... 56
1.1.4.5.2 Example for Configuring VTY User Interfaces.................................................................................................. 58
1.1.5 User Login Configuration................................................................................................................................................61
1.1.5.1 Overview of User Login............................................................................................................................................... 61
1.1.5.2 Configuration Precautions for User Login............................................................................................................. 66
1.1.5.3 Configuring Login Through a Console Port.......................................................................................................... 66
1.1.5.3.1 Logging In to a Router Through a Console Port..............................................................................................67
1.1.5.3.2 (Optional) Configuring the Console User Interface....................................................................................... 70
1.1.5.3.3 Verifying the Configuration of Logging In to the System Through the Console Port........................ 71
1.1.5.4 Configuring a User to Log In Through Telnet...................................................................................................... 71
1.1.5.4.1 Configuring a User Level and Authentication Mode for the VTY User Interface................................. 72
1.1.5.4.2 Enabling the Telnet Server Function.................................................................................................................... 76
1.1.5.4.3 Using Telnet to Log In to the System.................................................................................................................. 77
1.1.5.4.4 Configuring Telnet Server Parameters.................................................................................................................78
1.1.5.4.5 (Optional) Configuring CAR for Whitelisted Telnet Sessions...................................................................... 79
1.1.5.4.6 (Optional) Configuring Telnet Access Control..................................................................................................80


1.1.5.4.7 (Optional) Enabling the IP Address Blocking Function for Telnet Connections................................... 81
1.1.5.4.8 (Optional) Configuring Alarm Generation and Clearance Thresholds for Telnet Server Login Failures............................................................................................................................................................................................. 81
1.1.5.4.9 (Optional) Configuring the Maximum Number of Connections for Telnet Login to the Server Using a Single IP Address.......................................................................................................................................................... 82
1.1.5.4.10 Verifying the Configuration of User Login to the System Using Telnet................................................ 83
1.1.5.5 Configuring STelnet Login........................................................................................................................................... 83
1.1.5.5.1 Configuring a User Level and Authentication Mode for VTY User Interfaces....................................... 84
1.1.5.5.2 Configuring VTY User Interfaces to Support SSH............................................................................................87
1.1.5.5.3 Configuring an SSH User and Specifying a Service Type.............................................................................. 88
1.1.5.5.4 Enabling the STelnet Server Function............................................................................................................... 100
1.1.5.5.5 Using STelnet to Log In to a Server................................................................................................................... 102
1.1.5.5.6 Configuring STelnet Server Parameters............................................................................................................ 109
1.1.5.5.7 (Optional) Configuring CAR for Whitelisted SSH Sessions........................................................................113
1.1.5.5.8 (Optional) Configuring Alarm Generation and Clearance Thresholds for SSH Server Login Failures.......................................................................................................................................................................................... 114
1.1.5.5.9 (Optional) Configuring the Maximum Number of Connections for SSH Login to the Server Using a Single IP Address.................................................................................................................................................................... 115
1.1.5.5.10 (Optional) Configuring the Local Port Forwarding Service for the SSH Server...............................115
1.1.5.5.11 Configuring the Keyboard-Interactive Authentication Mode for an SSH Server............................. 116
1.1.5.5.12 Setting Criteria for SSH Session Key Re-negotiation.................................................................................116
1.1.5.5.13 Verifying the Configuration of User Login to the System Using STelnet........................................... 117
1.1.5.6 Configuration Examples for User Login............................................................................................................... 118
1.1.5.6.1 Example for Configuring Login Through a Console Port........................................................................... 118
1.1.5.6.2 Example for Configuring Telnet Login for an IPv4 User............................................................................. 121
1.1.5.6.3 Example for Configuring Telnet Login for an IPv6 User............................................................................. 125
1.1.5.6.4 Example for Configuring STelnet Login for an IPv4 User...........................................................................129
1.1.5.6.5 Example for Configuring STelnet Login for an IPv6 User...........................................................................139
1.1.5.6.6 Example for Configuring an NMS to Communicate with a Device by SSH over a VPN................. 149
1.1.6 File System Configuration............................................................................................................................................ 155
1.1.6.1 Overview of File System Management................................................................................................................ 155
1.1.6.2 Configuration Precautions for File System Management..............................................................................158
1.1.6.3 Operating Files After Logging In to a Device.................................................................................................... 159
1.1.6.3.1 Managing Directories............................................................................................................................................. 159
1.1.6.3.2 Managing Files.......................................................................................................................................................... 163
1.1.6.4 Using FTP to Operate Files....................................................................................................................................... 165
1.1.6.4.1 Configuring a Local FTP User.............................................................................................................................. 166
1.1.6.4.2 (Optional) Specifying a Listening Port Number for the FTP Server....................................................... 167
1.1.6.4.3 Enabling the FTP Server Function...................................................................................................................... 168
1.1.6.4.4 Configuring FTP Server Parameters................................................................................................................... 169
1.1.6.4.5 (Optional) Configuring CAR for Whitelisted FTP Sessions........................................................................ 170
1.1.6.4.6 (Optional) Configuring FTP Access Control.................................................................................................... 171
1.1.6.4.7 (Optional) Configuring the IP Address Locking Function.......................................................................... 171


1.1.6.4.8 Using FTP to Access a Device...............................................................................................................................172
1.1.6.4.9 Using FTP Commands to Operate Files............................................................................................................173
1.1.6.4.10 Verifying the Configuration of Using FTP to Operate Files.................................................................... 177
1.1.6.5 Using SFTP to Operate Files.................................................................................................................................... 178
1.1.6.5.1 Configuring an SSH User and Specifying a Service Type........................................................................... 178
1.1.6.5.2 Enabling the SFTP Service..................................................................................................................................... 190
1.1.6.5.3 Configuring SFTP Server Parameters.................................................................................................................192
1.1.6.5.4 (Optional) Configuring CAR for Whitelisted SSH Sessions........................................................................195
1.1.6.5.5 Configuring an Authorized SFTP Server Directory........................................................................................196
1.1.6.5.6 Using SFTP to Log In to the System.................................................................................................................. 197
1.1.6.5.7 Using SFTP Commands to Operate Files......................................................................................................... 197
1.1.6.5.8 Verifying the Configuration of SFTP-based File Operations......................................................................199
1.1.6.6 Using HTTPS to Download Files ........................................................................................................................... 200
1.1.6.7 Configuration Examples for File System Management.................................................................................. 200
1.1.6.7.1 Example for Managing Files After Logging In to the System...................................................................200
1.1.6.7.2 Example for Operating Files After Logging In to the System...................................................................202
1.1.6.7.3 Example for Using FTP to Operate Files.......................................................................................................... 203
1.1.6.7.4 Example for Using SFTP to Operate Files........................................................................................................ 206
1.1.6.7.5 Example for Using SFTP IPv6 to Operate Files.............................................................................................. 208
1.1.7 Configuration Management Configuration........................................................................................................... 210
1.1.7.1 Overview of Configuration Management........................................................................................................... 211
1.1.7.2 Configuration Precautions for Configuration Management......................................................................... 213
1.1.7.3 Configuring a Validation Mode.............................................................................................................................. 214
1.1.7.3.1 Configuring the Immediate Validation Mode................................................................................................ 215
1.1.7.3.2 Configuring the Two-Phase Validation Mode................................................................................................ 216
1.1.7.4 Disabling the Re-confirmation Function............................................................................................................. 218
1.1.7.5 Performing Configuration Rollback....................................................................................................................... 218
1.1.7.5.1 Configuring or Deleting the Configuration Rollback Point Generated Periodically..........................218
1.1.7.5.2 Performing Configuration Rollback................................................................................................................... 219
1.1.7.6 Managing Configuration Files................................................................................................................................. 221
1.1.7.6.1 Default Configuration File.....................................................................................................................................222
1.1.7.6.2 Setting a Default Configuration File for the Startup with Base Configuration.................................. 222
1.1.7.6.3 Saving Configurations.............................................................................................................................................223
1.1.7.6.4 Comparing Configuration Files............................................................................................................................224
1.1.7.6.5 Loading Configuration Files..................................................................................................................................225
1.1.7.6.6 Specifying the Configuration File to Be Loaded at the Next Startup.................................................... 226
1.1.7.6.7 Clearing a Configuration File............................................................................................................................... 228
1.1.7.6.8 Enabling Automatic Database Information Verification............................................................................ 229
1.1.7.6.9 Enabling a Device to Automatically Check the Configuration Data Consistency Between Its Master and Slave Main Control Boards............................................................................................................................. 230
1.1.7.6.10 Locking the System Configuration...................................................................................................................231
1.1.7.6.11 Using a Configuration Template to Deliver Configurations....................................................................231


1.1.7.6.12 Viewing the Difference Between the Candidate Configuration and Current Running Configuration.............................................................................................................................................................................. 235
1.1.7.6.13 Verifying the Configuration of Configuration File Management.......................................................... 236
1.1.7.6.14 Configuration Replacement............................................................................................................................... 237
1.1.7.7 Configuration Examples for Configuration Management............................................................................. 244
1.1.7.7.1 Example for Configuring Services in Immediate Validation Mode......................................................... 244
1.1.7.7.2 Example for One User to Configure Services After Another User Locks Configurations in Two-Phase Validation Mode............................................................................................................................................................ 246
1.1.7.7.3 Example for Multiple Users to Perform the Same Configuration for a Service in Two-Phase Validation Mode......................................................................................................................................................................... 247
1.1.7.7.4 Example for Multiple Users to Perform Different Configurations for a Service in Two-Phase Validation Mode......................................................................................................................................................................... 248
1.1.7.7.5 Example for Multiple Users to Configure Different Services in Two-Phase Validation Mode.......250
1.1.7.7.6 Example for Configuration Rollback..................................................................................................................251
1.1.7.7.7 Example for Managing Configuration Files.................................................................................................... 255
1.1.8 Accessing Other Devices Configuration.................................................................................................................. 257
1.1.8.1 Overview of Accessing Other Devices.................................................................................................................. 257
1.1.8.2 Configuration Precautions for Access to Other Devices.................................................................................260
1.1.8.3 Using Telnet to Log In to Other Devices............................................................................................................. 260
1.1.8.3.1 (Optional) Configuring a Source Address for the Telnet Client............................................................... 261
1.1.8.3.2 Using Telnet to Log In to Other Devices.......................................................................................................... 261
1.1.8.3.3 Verifying the Configuration of Using Telnet to Log In to Other Devices............................................. 262
1.1.8.4 Using STelnet to Log In to Other Devices........................................................................................................... 262
1.1.8.4.1 Configuring First Login to the SSH Server (Enabling First Login on the SSH Client)...................... 263
1.1.8.4.2 Configuring First Login to an SSH Server (Configuring an SSH Client to Assign a Public Key to an SSH Server).................................................................................................................................................................................. 264
1.1.8.4.3 (Optional) Configuring the Keepalive Feature on the SSH Client.......................................................... 266
1.1.8.4.4 Using STelnet to Log In to Another Device..................................................................................................... 266
1.1.8.4.5 Verifying the Configuration of Using STelnet to Log In to Other Devices........................................... 268
1.1.8.5 Using TFTP to Access Other Devices.....................................................................................................................268
1.1.8.5.1 Configuring a Source Address for a TFTP Client........................................................................................... 269
1.1.8.5.2 Configuring TFTP Access Control........................................................................................................................ 269
1.1.8.5.3 Using TFTP to Download Files from Other Devices..................................................................................... 270
1.1.8.5.4 Using TFTP to Upload Files to Other Devices................................................................................................ 271
1.1.8.5.5 Verifying the Configuration of Using TFTP to Access Other Devices.....................................................271
1.1.8.6 Using FTP to Access Other Devices....................................................................................................................... 272
1.1.8.6.1 (Optional) Configuring a Source Address for an FTP Client..................................................................... 272
1.1.8.6.2 Using FTP to Connect an FTP Client to Other Devices............................................................................... 273
1.1.8.6.3 Using FTP Commands to Operate Files............................................................................................................274
1.1.8.6.4 (Optional) Changing a Login User Role...........................................................................................................277
1.1.8.6.5 Ending a Connection to the FTP Server............................................................................................................278
1.1.8.6.6 Verifying the Configuration of Using FTP to Access Other Devices....................................................... 279
1.1.8.7 Using SFTP to Access Other Devices..................................................................................................................... 279
1.1.8.7.1 (Optional) Configuring a Source Address for the SFTP Client................................................................. 280
1.1.8.7.2 Configuring First Login to the SSH Server (Enabling First Login on the SSH Client)...................... 280
1.1.8.7.3 Configuring First Login to the SSH Server (Configuring the SSH Client to Assign the Public Key to the SSH Server)..... 281
1.1.8.7.4 Using SFTP to Log In to Another Device Functioning as an SSH Server.............................................. 283
1.1.8.7.5 Using SFTP Commands to Operate Files......................................................................................................... 284
1.1.8.7.6 Verifying the Configuration of Using SFTP to Access Other Devices..................................................... 286
1.1.8.8 Configuring the SFTP Client to Use the One-click File Operation Command to Perform File Operations..... 287
1.1.8.9 Using SCP to Access Other Devices....................................................................................................................... 288
1.1.8.9.1 Configuring the SCP Server...................................................................................................................................288
1.1.8.9.2 Configuring the SCP Client................................................................................................................................... 289
1.1.8.9.3 Verifying the Configuration of Using SCP to Access Other Devices....................................................... 290
1.1.8.10 Configuring an SSL Cipher Suite.......................................................................................................................... 290
1.1.8.11 Configuring and Binding an SSL Policy............................................................................................................. 291
1.1.8.12 Logging In to a Device Using HTTP.................................................................................................................... 295
1.1.8.13 Configuring a DSCP Value for Telnet/SSH Packets........................................................................................296
1.1.8.14 Configuration Examples for Accessing Other Devices..................................................................................297
1.1.8.14.1 Example for Using Telnet to Log In to Another Device............................................................................ 297
1.1.8.14.2 Example for Using STelnet to Log In to Other Devices (RSA Authentication Mode).................... 300
1.1.8.14.3 Example for Using STelnet to Log In to Other Devices (DSA Authentication Mode)....................307
1.1.8.14.4 Example for Using STelnet to Log In to Other Devices (ECC Authentication Mode).................... 315
1.1.8.14.5 Example for Using STelnet to Log In to Another Device (SM2 Authentication Mode).................322
1.1.8.14.6 Example for Using TFTP to Access Other Devices...................................................................................... 328
1.1.8.14.7 Example for Using FTP to Access Other Devices........................................................................................ 331
1.1.8.14.8 Example for Using SFTP to Log In to Other Devices (RSA Authentication Mode)......................... 334
1.1.8.14.9 Example for Using SFTP to Log In to Other Devices (DSA Authentication Mode)........................ 341
1.1.8.14.10 Example for Using SFTP to Log In to Other Devices (ECC Authentication Mode).......................348
1.1.8.14.11 Example for Using SFTP to Log In to Other Devices (SM2 Authentication Mode)......................355
1.1.8.14.12 Example for Using a Non-default Listening Port Number to Access the SSH Server................. 361
1.1.8.14.13 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network..... 367
1.1.8.14.14 Example for Using SCP to Access Files on Other Devices..................................................................... 377
1.1.8.14.15 Example for Configuring HTTP for Device Login..................................................................................... 380
1.1.9 ZTP Configuration........................................................................................................................................................... 382
1.1.9.1 Overview of ZTP...........................................................................................................................................................382
1.1.9.2 Configuration Precautions for ZTP........................................................................................................................ 383
1.1.9.3 Configuring Automatic ZTP Deployment Through DHCP............................................................................. 384
1.1.9.3.1 Editing an Intermediate File................................................................................................................................. 385
1.1.9.3.2 Configuring a DHCPv4 Server and Relay Agent............................................................................................ 385
1.1.9.3.3 Configuring a DHCPv6 Server and Relay Agent............................................................................................ 387
1.1.9.3.4 Configuring a File Server....................................................................................................................................... 388
1.1.9.3.5 Powering on the Device......................................................................................................................................... 389
1.1.9.3.6 (Optional) Uploading a Pre-Configuration Script.........................................................................................389
1.1.9.3.7 Enabling ZTP.............................................................................................................................................................. 390
1.1.9.3.8 Verifying the ZTP Configuration......................................................................................................................... 390
1.1.9.4 Configuration Examples for ZTP.............................................................................................................................390
1.1.9.4.1 Example for Configuring Automatic ZTP Deployment Through DHCP................................................. 390
Figures

Figure 1-1 PuTTY configuration page....................................................................................................................... 7
Figure 1-2 Port connection configuration page..................................................................................................... 8
Figure 1-3 Login page..................................................................................................................................................... 9
Figure 1-4 Telnet server providing the Telnet client service............................................................................64
Figure 1-5 Usage of Telnet shortcut keys.............................................................................................................. 64
Figure 1-6 Establishing an SSH channel on a local area network (LAN)...................................................66
Figure 1-7 Establishing an SSH channel on a WAN...........................................................................................66
Figure 1-8 PuTTY configuration page..................................................................................................................... 68
Figure 1-9 Port connection configuration page.................................................................................................. 69
Figure 1-10 Login page................................................................................................................................................ 70
Figure 1-11 Networking diagram for configuring SSH services.................................................................. 102
Figure 1-12 PuTTY Key Generator (1).................................................................................................................. 103
Figure 1-13 PuTTY Key Generator (2).................................................................................................................. 104
Figure 1-14 PuTTY Key Generator (3).................................................................................................................. 105
Figure 1-15 SSH client configuration page (1)................................................................................................. 106
Figure 1-16 SSH client configuration page (2)................................................................................................. 107
Figure 1-17 SSH client configuration page (3)................................................................................................. 108
Figure 1-18 SSH client login authentication page........................................................................................... 108
Figure 1-19 Login through a console port.......................................................................................................... 118
Figure 1-20 PuTTY configuration page................................................................................................................ 119
Figure 1-21 Port connection configuration page............................................................................................. 120
Figure 1-22 Login page............................................................................................................................................. 121
Figure 1-23 Telnet login............................................................................................................................................ 122
Figure 1-24 Telnet login............................................................................................................................................ 125
Figure 1-25 PuTTY configuration page for Telnet login.................................................................................128
Figure 1-26 Login window........................................................................................................................................128
Figure 1-27 STelnet login.......................................................................................................................................... 130
Figure 1-28 PuTTY Key Generator (1).................................................................................................................. 133
Figure 1-29 PuTTY Key Generator (2).................................................................................................................. 134
Figure 1-30 PuTTY Key Generator (3).................................................................................................................. 135
Figure 1-31 SSH client configuration page (1)................................................................................................. 136
Figure 1-32 SSH client configuration page (2)................................................................................................. 137
Figure 1-33 SSH client configuration page (3)................................................................................................. 138
Figure 1-34 SSH client login authentication page........................................................................................... 138
Figure 1-35 STelnet login.......................................................................................................................................... 140
Figure 1-36 PuTTY Key Generator (1).................................................................................................................. 143
Figure 1-37 PuTTY Key Generator (2).................................................................................................................. 144
Figure 1-38 PuTTY Key Generator (3).................................................................................................................. 145
Figure 1-39 SSH client configuration page (1)................................................................................................. 146
Figure 1-40 SSH client configuration page (2)................................................................................................. 147
Figure 1-41 SSH client configuration page (3)................................................................................................. 148
Figure 1-42 SSH client login authentication page........................................................................................... 148
Figure 1-43 Networking diagram for configuring an NMS to communicate with a device by SSH over a VPN..... 150
Figure 1-44 File operations using FTP.................................................................................................................. 204
Figure 1-45 Using SFTP to operate files.............................................................................................................. 206
Figure 1-46 Using SFTP IPv6 to operate files.................................................................................................... 208
Figure 1-47 Configuring services in immediate validation mode............................................................... 245
Figure 1-48 Networking for one user to configure services after another user locks configurations in two-phase validation mode..... 246
Figure 1-49 Networking for multiple users to perform the same configuration for a service in two-phase validation mode..... 247
Figure 1-50 Networking for multiple users to perform different configurations for a service in two-phase validation mode..... 249
Figure 1-51 Networking for multiple users to configure different services in two-phase validation mode..... 250
Figure 1-52 Configuration rollback....................................................................................................................... 252
Figure 1-53 Managing configuration files.......................................................................................................... 256
Figure 1-54 Accessing other devices..................................................................................................................... 257
Figure 1-55 Telnet server providing the Telnet client service.......................................................................257
Figure 1-56 Usage of Telnet shortcut keys......................................................................................................... 258
Figure 1-57 Using Telnet on the Telnet client to log in to the Telnet server..........................................261
Figure 1-58 Using STelnet to log in to the SSH server................................................................................... 263
Figure 1-59 Using Telnet to log in to another device..................................................................................... 298
Figure 1-60 Using STelnet to log in to another device...................................................................................301
Figure 1-61 Networking diagram for logging in to another device by using STelnet......................... 308
Figure 1-62 Using STelnet to log in to another device...................................................................................316
Figure 1-63 Using STelnet to log in to another device...................................................................................322
Figure 1-64 Using TFTP to access another device............................................................................................329
Figure 1-65 Setting the current directory on the TFTP server..................................................................... 330
Figure 1-66 Using FTP to access another device.............................................................................................. 331
Figure 1-67 Using SFTP to access another device............................................................................................334
Figure 1-68 Networking diagram for accessing another device by using SFTP...........................................341
Figure 1-69 Using SFTP to access another device............................................................................................349
Figure 1-70 Networking diagram for accessing files on an SSH server using SFTP.............................355
Figure 1-71 Using a non-default listening port number to access the SSH server.............................. 361
Figure 1-72 Configuring an SSH client on the public network to access an SSH server on a private network..... 368
Figure 1-73 Using SCP to access another device.............................................................................................. 378
Figure 1-74 Device login using HTTP................................................................................................................... 381
Figure 1-75 Configuring automatic ZTP deployment through DHCP....................................................... 391
Figure 1-76 Configuring the file server................................................................................................................ 392
Tables

Table 1-1 Feature requirements................................................................................................................................ 12
Table 1-2 Command level description.................................................................................................................... 17
Table 1-3 Common editing functions......................................................................................................................21
Table 1-4 Display functions........................................................................................................................................ 22
Table 1-5 Special characters and their functions................................................................................................ 24
Table 1-6 Common error messages......................................................................................................................... 28
Table 1-7 System shortcut keys.................................................................................................................................32
Table 1-8 Absolute and relative numbers of user interfaces.......................................................................... 39
Table 1-9 Mapping between user levels and command levels...................................................................... 40
Table 1-10 User login modes..................................................................................................................................... 62
Table 1-11 Mapping between user levels and command levels....................................................................73
Table 1-12 Mapping between user levels and command levels....................................................................85
Table 1-13 RSA/DSA, SM2, X509v3-SSH-RSA, and ECC algorithms............................................................. 88
Table 1-14 Application scenario of each authentication type........................................................................89
Table 1-15 Configuring a local user........................................................................................................................ 92
Table 1-16 Configuring an SSH user authentication mode.............................................................................94
Table 1-17 Data preparation................................................................................................................................... 103
Table 1-18 Operations............................................................................................................................................... 109
Table 1-19 Usage scenarios for file system management modes.............................................................. 157
Table 1-20 Feature requirements........................................................................................................................... 158
Table 1-21 Files displayed in the command output........................................................................................ 160
Table 1-22 FTP file attributes.................................................................................................................................. 173
Table 1-23 File operations........................................................................................................................................ 174
Table 1-24 RSA/DSA, SM2, X509v3-SSH-RSA, and ECC algorithms........................................................... 179
Table 1-25 Application scenario of each authentication type..................................................................... 179
Table 1-26 Configuring a local user...................................................................................................................... 182
Table 1-27 Configuring an SSH user authentication mode.......................................................................... 184
Table 1-28 SSH server parameters........................................................................................................................ 192
Table 1-29 Configurations of SFTP server parameters................................................................................... 194
Table 1-30 File operation.......................................................................................................................................... 198
Table 1-31 Advantages and disadvantages of the immediate and two-phase validation modes.. 211
Table 1-32 Feature requirements........................................................................................................................... 213
Table 1-33 Deleting all configurations from an interface at a time..........................................................229
Table 1-34 Special characters in regular expressions and their functions............................................... 232
Table 1-35 Special characters in regular expressions and their functions............................................... 242
Table 1-36 Feature requirements........................................................................................................................... 260
Table 1-37 Using FTP commands to connect the FTP client to other devices....................................... 273
Table 1-38 Using FTP commands to connect the FTP client to other devices....................................... 274
Table 1-39 File operations........................................................................................................................................ 274
Table 1-40 File operations........................................................................................................................................ 285
Table 1-41 Feature requirements........................................................................................................................... 383
Table 1-42 Option field description.......................................................................................................................385
Table 1-43 Option field description.......................................................................................................................388
Table 1-44 Option fields to be configured on the DHCP server................................................................. 392
1 Configuration

1.1 Basic Configuration

1.1.1 About This Document

Purpose
This document provides the basic concepts, configuration procedures, and
configuration examples in different application scenarios of the Basic
Configurations feature.

Licensing Requirements
For details about licensing, see the License Guide:
● Carrier users: License Usage Guide
● Enterprise users: License Usage Guide

Related Version
The following table lists the product versions related to this document.

Product Name             Version
HUAWEI NetEngine9000     V800R022C00SPC600
iMaster NCE-IP           V100R022C00SPC100

Intended Audience
This document is intended for:
● Data configuration engineers
● Commissioning engineers
● Network monitoring engineers
● System maintenance engineers

Security Declaration
● Notice on Limited Command Permission
This document describes the commands used to deploy and maintain networks with Huawei devices. Interfaces and commands used for production, manufacturing, and the repair of returned products are not described here.
If advanced commands or compatibility commands intended for engineering or fault location are used incorrectly, exceptions may occur or services may be interrupted. Advanced commands should be used only by engineers with the appropriate privileges. If necessary, you can apply to Huawei for permission to use advanced commands.
● Encryption algorithm declaration
The encryption algorithms DES, 3DES, RSA (with a key length of less than 2048 bits), MD5 (in digital signature scenarios and password encryption), and SHA1 (in digital signature scenarios) are weak and pose security risks. Where the protocol allows, use more secure algorithms such as AES, RSA (with a key length of at least 2048 bits), SHA2, or HMAC-SHA2.
For security purposes, the insecure protocols Telnet, FTP, and TFTP, as well as weak security algorithms in the BGP, LDP, PCEP, MSDP, DCN, TCP-AO, MSTP, VRRP, E-Trunk, AAA, IPsec, BFD, QX, port extension, SSH, SNMP, IS-IS, RIP, SSL, NTP, OSPF, and keychain features, are not recommended. To use such weak security algorithms, run the undo crypto weak-algorithm disable command to enable the weak security algorithm function. For details, see the Configuration Guide.
● Password configuration declaration
– When the password encryption mode is cipher, do not set both the start and end characters of a password to "%^%#". Otherwise, the password is displayed directly in the configuration file.
– To further improve device security, change passwords periodically.
● Personal data declaration
– Your purchased products, services, or features may use some of your users' personal data during service operation or fault locating. You must define user privacy policies in compliance with local laws and take proper measures to fully protect personal data.
– When discarding, recycling, or reusing a device, back up or delete data on
the device as required to prevent data leakage. If you need support,
contact after-sales technical support personnel.
● Feature declaration
– The NetStream feature may be used to analyze the communication
information of terminal customers for network traffic statistics and
management purposes. Before enabling the NetStream feature, ensure
that it is performed within the boundaries permitted by applicable laws
and regulations. Effective measures must be taken to ensure that
information is securely protected.
– The mirroring feature may be used to analyze the communication
information of terminal customers for a maintenance purpose. Before
enabling the mirroring function, ensure that it is performed within the
boundaries permitted by applicable laws and regulations. Effective
measures must be taken to ensure that information is securely protected.
– The packet header obtaining feature may be used to collect or store
some communication information about specific customers for
transmission fault and error detection purposes. Huawei cannot offer
services to collect or store this information unilaterally. Before enabling
the function, ensure that it is performed within the boundaries permitted
by applicable laws and regulations. Effective measures must be taken to
ensure that information is securely protected.
● Reliability design declaration
Network planning and site design must comply with reliability design
principles and provide device-level and solution-level protection. Device-level
protection includes dual-network and inter-board dual-link planning principles
that avoid single points of failure and single-link failures. Solution-level
protection refers to fast convergence mechanisms such as FRR and VRRP. If
solution-level protection is used, ensure that the primary and backup paths do
not share links or transmission devices; otherwise, solution-level protection
may fail to take effect.

Special Declaration
● This document serves only as a guide. The content is written based on device
information gathered under lab conditions. The content provided by this
document is intended to be taken as general guidance, and does not cover all
scenarios. The content provided by this document may be different from the
information on user device interfaces due to factors such as version upgrades
and differences in device models, board restrictions, and configuration files.
The actual user device information takes precedence over the content
provided by this document. The preceding differences are beyond the scope of
this document.
● The maximum values provided in this document are obtained in specific lab
environments (for example, only a certain type of board or protocol is
configured on a tested device). The actually obtained maximum values may
be different from the maximum values provided in this document due to
factors such as differences in hardware configurations and carried services.
● Interface numbers used in this document are examples. Use the existing
interface numbers on devices for configuration.
● The pictures of hardware in this document are for reference only.
● The supported boards are described in the document. Whether a
customization requirement can be met is subject to the information provided
at the pre-sales interface.
● In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.
● The configuration precautions described in this document may not accurately
reflect all scenarios.
● Log Reference and Alarm Reference respectively describe the logs and alarms
for which a trigger mechanism is available. The actual logs and alarms that
the product can generate depend on the types of services it supports.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description

DANGER    Indicates a hazard with a high level of risk which, if not avoided,
          will result in death or serious injury.
WARNING   Indicates a hazard with a medium level of risk which, if not avoided,
          could result in death or serious injury.
CAUTION   Indicates a hazard with a low level of risk which, if not avoided,
          could result in minor or moderate injury.
NOTICE    Indicates a potentially hazardous situation which, if not avoided,
          could result in equipment damage, data loss, performance
          deterioration, or unanticipated results. NOTICE is used to address
          practices not related to personal injury.
NOTE      Supplements the important information in the main text. NOTE is used
          to address information not related to personal injury, equipment
          damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as
follows.

Convention         Description

Boldface           The keywords of a command line are in boldface.
Italic             Command arguments are in italics.
[ ]                Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }    Optional items are grouped in braces and separated by vertical
                   bars. One item is selected.
[ x | y | ... ]    Optional items are grouped in brackets and separated by
                   vertical bars. One item is selected or no item is selected.
{ x | y | ... }*   Optional items are grouped in braces and separated by vertical
                   bars. A minimum of one item or a maximum of all items can be
                   selected.
[ x | y | ... ]*   Optional items are grouped in brackets and separated by
                   vertical bars. Several items or no item can be selected.
&<1-n>             The parameter before the & sign can be repeated 1 to n times.
#                  A line starting with the # sign is a comment.

Change History
Changes between document issues are cumulative. The latest document issue
contains all the changes made in earlier issues.

● Changes in Issue 01 (2022-10-31)
This issue is the first official release. The software version of this issue is
V800R022C00SPC600.

1.1.2 First Login Configuration

To perform basic configurations on a device that is powered on for the first time,
you must use the console port to log in to the device.

1.1.2.1 Overview of First Login

To perform basic configurations on a device that is powered on for the first time,
you must use the console port to log in to the device. Login through the console
port is the most basic mode and the basis for configuring other login modes.

The console port is a serial port on a main control board. Each main control board
provides one console port, and the type of the console port is EIA/TIA-232 DCE.
You can directly connect a terminal's serial port to the console port to configure
the router.

A console port has the following states:
● Connected: The console port is connected.
● Disconnected: The console port is disconnected.

NOTE

● When you log in to the system for the first time, the system prompts you to set the
password.
● You can press CTRL+R to restore the factory settings and clear the configured password.

1.1.2.2 Configuration Precautions for First Login

Feature Requirements
None

1.1.2.3 Logging In to a Device Through a Console Port

You can connect a terminal to the console port on a device to establish a
configuration environment.

Usage Scenario
To perform configurations or management on a device that is powered on for the
first time, you must use the console port to log in to the device.

Pre-configuration Tasks
Before logging in to a device through a console port, complete the following tasks:
● Install a terminal emulation program, such as PuTTY, on the PC.
● Prepare a console configuration cable.

CAUTION

If a third-party USB-to-RJ45 serial cable is used, it is recommended that the
cable length be less than or equal to 2 m to ensure signal integrity.

1.1.2.3.1 Establishing a Physical Connection

You can use a configuration cable to connect the console port on a device to the
COM port on a PC.

Context
NOTE

Use the configuration cable delivered with the device to connect the device to the PC, and
ensure that the console port on the device is connected to the COM port on the PC.

Procedure
Step 1 Power on the device and PC.
Step 2 Use a configuration cable to connect the COM port on the PC to the console port
on the master main control board of the device. If the ACT indicator on the main
control board is steady on, the main control board is the master one.

----End

1.1.2.3.2 Logging In to a Device

You can use the PC to log in to a device to configure and manage the device.

Context
You must configure login parameters based on the physical attributes of the
console port on the device. The physical attributes include the transmission rate,
data bits, parity, stop bits, and flow control mode. For the first login, use the
default values of parameters.
The PuTTY.exe software must have been installed on the client.

Procedure
Step 1 Start the PuTTY.exe program. In the PuTTY configuration page (shown in Figure
1-1), set the connection type to Serial.

Figure 1-1 PuTTY configuration page

Step 2 Choose Serial in the Category navigation tree on the left of the PuTTY
configuration page. In the port connection configuration page (shown in Figure
1-2), set the communication parameters of the port to the default values of the
device. (The following figure is for reference only. Use the default settings during
configuration.)

Figure 1-2 Port connection configuration page

Step 3 Click Open. The system then prompts you to set an authentication password, as
shown in Figure 1-3. After you confirm the password, the system automatically
saves it.

Figure 1-3 Login page

After the password is set, the command prompt (for example, <HUAWEI>) of the
user view is displayed, which indicates that you have entered the user view and
can perform configurations.
You can enter commands to configure the device or view its running status. Enter
a question mark (?) when you need help.

NOTE

The password must meet the following requirements:
● The password is entered in man-machine interaction mode. The system does not display
the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain at least two
of the following character types: uppercase letters, lowercase letters, digits, and special
characters.
● Special characters exclude question marks (?) and spaces. However, spaces are allowed
in the password if the password is enclosed in double quotation marks.
– A password that contains spaces (and is therefore enclosed in double quotation
marks) cannot also contain double quotation marks.
– A password that contains no spaces can be enclosed in double quotation marks and
can also contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.

----End
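The password rules in the NOTE above, written as a validator; this is an added example, not Huawei's code. It assumes that the 8 to 16 character limit applies to the password itself rather than to the enclosing quotation marks, and that a special character is any printable ASCII punctuation other than ? and space.

```python
import string

MIN_LEN, MAX_LEN = 8, 16


def _is_special(ch: str) -> bool:
    # Special characters: printable ASCII punctuation, excluding ? (the CLI
    # reserves it for help) and space (only permitted through quoting).
    return ch in string.punctuation and ch != "?"


def validate_password(entry: str) -> tuple[bool, str]:
    """Check a first-login password entry against the rules in this section.

    `entry` is what the operator types, optionally enclosed in double
    quotation marks. Returns (ok, reason); reason is "ok" when it passes.
    Assumption: the length limits apply to the password, not to the quotes.
    """
    quoted = len(entry) >= 2 and entry[0] == '"' and entry[-1] == '"'
    password = entry[1:-1] if quoted else entry

    # Character set: letters, digits, permitted special characters, and
    # spaces only when the entry is quoted. This also rejects ? everywhere.
    for ch in password:
        if ch == " ":
            if not quoted:
                return False, "spaces are allowed only if the password is enclosed in quotation marks"
            continue
        if not (ch.isascii() and ch.isalnum()) and not _is_special(ch):
            return False, f"character {ch!r} is not permitted"

    # A quoted password that uses spaces cannot also contain double quotes;
    # without spaces, double quotes inside the quoted password are fine.
    if quoted and " " in password and '"' in password:
        return False, "a quoted password containing spaces cannot also contain double quotation marks"

    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False, f"length must be {MIN_LEN} to {MAX_LEN} characters, got {len(password)}"

    # At least two of the four character types must be present.
    types_present = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(_is_special(c) for c in password),
    ])
    if types_present < 2:
        return False, "at least two character types are required"
    return True, "ok"
```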

1.1.2.4 Performing Batch Device Deployment Through the Plug-and-Play Function

To batch deploy devices powered on for the first time, you can use the plug-and-
play function based on DCN or DHCP.

Context
To remotely manage and control devices in a unified manner on large-scale
networks and thereby improve deployment efficiency and reduce O&M costs, you
can use the plug-and-play function based on either DCN or DHCP to batch deploy
devices powered on for the first time:
● DCN: After devices are powered on, their IP addresses (NEIPs) are
automatically generated based on their NEIDs. The mapping between the
NEIPs and NEIDs is contained in link-state advertisements (LSAs), which are
flooded by OSPF to form a core routing table. The NMS accesses the devices
based on the IP address of the GNE and the target NEIDs reported by the
GNE, and remotely manages all the devices through the GNE.
● DHCP: Zero touch provisioning (ZTP) is the main plug-and-play function
implemented in DHCP mode. It allows unconfigured devices to obtain version
files from a file server during the power-on and startup process and then
automatically load the files.
NOTE

If a device is powered on without loading the default configuration file containing the
username and password, it enters the first-login process in which you are prompted to
create a username and set a password. In this case, the device fails to go online through
the plug-and-play function.

Procedure
Step 1 Power on the device.
Step 2 The device enters the corresponding plug-and-play process.
● If DCN Configuration is implemented, the NMS can communicate with the
device for remote management.
● If 1.1.9.3 Configuring Automatic ZTP Deployment Through DHCP is
implemented, the device can obtain version files from the file server and
automatically load the files.

----End

1.1.3 Command Line Interface Configuration

This chapter describes the command line interface that is used for routine router
maintenance. After you edit and run a command line in a certain view, the system
displays a success or error message.

1.1.3.1 CLI Overview

The command line interface (CLI) is a common tool for running commands. You
can run CLI commands to configure and manage a router.

NOTICE

When a user runs a command that requires a password entry, some passwords are
displayed in plaintext on a screen. To prevent a password leak, clear the screen
promptly.

Command Line Interface

The command line interface (CLI) is an interface through which you can interact
with a router. The system provides a series of commands that allow you to
configure and manage the router.
The CLI is a traditional configuration tool, which is available on most data
communication products. However, with the wider application of data
communication products worldwide, customers require a more available, flexible,
and friendly CLI.
The CLI has the following characteristics:
● Supports local configurations through the console port.
● Supports local or remote configurations over Telnet or Secure Shell (SSH).
● Provides the user interface view and supports personal configuration and
management for various terminal users.
● Supports the command-based hierarchical protection mode in which users of
different levels can run only the commands of the corresponding levels.
● Allows users to type in a question mark (?) to obtain online help.
● Provides network testing commands, such as the tracert and ping commands,
for quickly diagnosing network connectivity.
● Provides various detailed debugging information to help diagnose network
faults.
● Allows users to log in to and manage other routers using the telnet
command.
● Provides the FTP service to allow users to upload and download files.
● Provides the function to run a historical command.
● Provides multiple intelligent command resolution methods through the
command line interpreter, such as partial match and context-sensitive, which
facilitates users' command entry.

1.1.3.2 Configuration Precautions for Command Line Interface

Feature Requirements

Table 1-1 Feature requirements

Every requirement in this table applies to Series: NE9000, Models: NE9000.

● Diagnostic information of all VSs can be collected in the Admin-VS view.
Diagnostic information of only the current VS can be collected in a non-Admin-VS
view. Each VS can have only one task for collecting diagnostic information.
Therefore, when you collect all diagnostic information in the Admin-VS, if a VSn
has an ongoing diagnostic information collection task, the system does not
collect diagnostic information about the VSn, affecting the execution efficiency
of the one-click diagnostic command.

● 1. During a CLI patching operation, if the current operations of other online
users can be stopped, have other users return to the user view or customized
main directory view.
2. During a CLI patching operation, if the current operations of other online
users cannot be stopped, wait until their current operations are complete and
then have other users return to the user view or customized main directory
view. Interruption is not allowed in the following scenarios:
(1) The system background is automatically saving configurations.
(2) Another user switches from VR0 to VRn.
(3) Other users are performing operations that cannot be interrupted. Whether a
command can be interrupted is determined by the APP and is set during command
registration. For example, the command for committing or saving the
configuration cannot be interrupted, and the command is an atomic command.
3. During patching for help information, prompt information, and information
displayed, the help, prompt, display, or log service is unavailable. Services
become normal after patching is complete.

● The Execute CLI capability in the extended capability set (schema) supports
the following commands: system-view, system-view immediately, display
current-configuration, quit, return, display saved-configuration time,
configuration exclusive, undo configuration exclusive, and display
diagnostic-information.

● When configuring a command, you can input a question mark (?) to query the
help information about a command. Therefore, the question mark (?) cannot be
delivered as a character in the command string. This is not described again
hereinafter.

● If the card memory is overloaded, when a user accesses the CLI or each time
the user runs a command, a prompt message is displayed indicating that the
memory usage exceeds the upper threshold.

● In two-phase mode, if the number of uncommitted configuration commands reaches
the upper threshold, you need to commit these configurations first. Otherwise,
a prompt message is displayed if you continue to run configuration commands.
This restriction applies to configuration commands and view switching commands
(such as quit), excluding query commands and maintenance commands.

● 1. The display diagnostic-information command results can be redirected to a
file. The file name extension must be .txt or .zip. The file name length ranges
from 5 to 64. The file name can contain an absolute path. The default path is
the device working path. The file contains the command execution process and
the view where the command is executed. The file collecting progress bar is
displayed on the screen.
2. The display diagnostic-information command cannot be run by multiple end
users at the same time.
3. The command execution mode can be adjusted based on the CPU usage.
(1) If the CPU usage exceeds 60%, an error message is displayed when the
command is run.
(2) If the system detects that the CPU usage exceeds 85% during command
execution, the execution of the next command is stopped. A warning message is
displayed before the redirection operation is executed. Then, the system checks
whether the CPU usage falls below 70% every second. If the CPU usage falls
below 70%, the command execution resumes. If the CPU usage does not fall below
70% in 300 seconds, an error message is displayed and the one-click diagnostic
command is stopped. In redirection operation scenarios, no warning message is
displayed. If the CPU usage cannot fall below 70% in 300 seconds and the
one-click diagnostic command is stopped, the diagnostic information that has
been collected is written to the file.
(3) The Force option can be selected. In this case, a command is delivered
without the system checking the CPU usage.

● The segment-based filtering function is used when query commands are
executed. If the segment to be filtered exceeds 512 KB, the segment-based
filtering is degraded to row-based filtering. #\r\n... is added to separate the
filtered row from the previous segment to prevent the filtered row from being
directly connected to the previous segment. Therefore, if #\r\n... is displayed
in the command output, the filtering mode has changed from segment-based
filtering to row-based filtering.

1.1.3.3 Establishing a Command Line Running Environment

Before using the CLI, you can establish a desired running environment for the CLI.

Usage Scenario
Before using the CLI to configure services, you can establish a basic running
environment for the CLI to meet actual requirements.

Pre-configuration Tasks
Before establishing a running environment for the CLI, complete the following
tasks:
● Install the router and power it on.
● Log in to the router through a PC.

1.1.3.3.1 Configuring Header Information

When you access a router, a message is displayed. You can configure desired
content for the message.

Context
Header information refers to a message that is displayed after you access a router
or a message that is displayed after the login authentication is successful and
before you start to configure the router. Header information provides explicit
indications for your login.

NOTE

If you attempt to log in during system initialization, the system displays a message,
indicating that the file system has not completed initialization and files fail to be obtained.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run header login { information text | file file-name }

Header information displayed during login is configured.

Step 3 Run header shell { information text | file file-name }

Header information displayed after login is configured.

Step 4 Run commit

The configuration is committed.

----End

1.1.3.3.2 Configuring a Device Name

A device name is displayed at the command prompt. You can change a device
name as required.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run sysname host-name

The device name is set.

Step 3 Run commit

The configuration is committed.

----End

1.1.3.3.3 Configuring Command Levels

Context
If you do not change a command level separately, all originally registered
commands automatically change based on the following rules after the command
level is updated:

● The commands of Level 0 and Level 1 remain unchanged.
● The commands of Level 2 are updated to Level 10 and the commands of
Level 3 are updated to Level 15.
● No commands exist in Level 2 to Level 9 and Level 11 to Level 14. You can
change the commands to these levels separately to refine rights
management.

NOTICE

Do not change the default level of a command. If the default level of a command
is changed, some users may be unable to use the command any longer.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run command-privilege level rearrange

The command levels are updated in batches.

Step 3 Run command-privilege level level view view-name command-key

The level of a command is set in a specified view.

All commands have default command views and levels. Generally, you do not
need to configure them.

Command lines are classified into the visit level (0), monitoring level (1),
configuration level (2), and management level (3), in ascending order.

Table 1-2 Command level description

User Class  User Class  Command     Type Name      Description
(0 to 3)    (0 to 15)   Level

0           0           0           Visit level    Commands of this level include ping, tracert, and
                                                   Telnet (commands used to access a remote device).
1           1 to 9      0, 1        Monitoring     Commands of this level are used for system
                                    level          maintenance, such as display commands.
                                                   NOTE: Not all display commands are of the
                                                   monitoring level. For example, the display
                                                   current-configuration commands for configuration
                                                   file management are of management level (3).
2           10 to 14    0, 1, 2     Configuration  Service configuration commands are of this level.
                                    level
3           15          0, 1, 2, 3  Management     Commands of the management level are used for
                                    level          system basic operation to support services,
                                                   including file system, FTP, Trivial File Transfer
                                                   Protocol (TFTP), and configuration file switching
                                                   commands, slave board control commands, user
                                                   management commands, command level configuration
                                                   commands, reboot commands, and debugging commands.

Step 4 Run commit

The configuration is committed.

----End
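The level rearrangement and the user-class mapping of Table 1-2 as an added model (not Huawei's code). It assumes that a user may run a command whose level is not higher than the user's own level, on whichever scale is in force (0 to 3 before command-privilege level rearrange, 0 to 15 after), and uses constructed default levels for a few commands.

```python
# Added example: a model of the command-level rules in this section, not the
# NE9000 implementation. Assumption: a user may run a command whose level is
# less than or equal to the user's level on the scale currently in force.

# Mapping applied by "command-privilege level rearrange" (see Context above).
REARRANGE = {0: 0, 1: 1, 2: 10, 3: 15}


def user_class(user_level: int) -> int:
    """Map a user level on the 0 to 15 scale to a user class on the 0 to 3 scale (Table 1-2)."""
    if not 0 <= user_level <= 15:
        raise ValueError(f"user level {user_level} is outside 0 to 15")
    if user_level == 0:
        return 0
    if user_level <= 9:
        return 1
    if user_level <= 14:
        return 2
    return 3


class CommandLevels:
    """Per-view command levels with batch rearrangement and per-command override."""

    def __init__(self, defaults: dict):
        # defaults maps (view, command) to its default level on the 0 to 3 scale.
        self.levels = dict(defaults)
        self.rearranged = False

    @property
    def max_level(self) -> int:
        return 15 if self.rearranged else 3

    def rearrange(self) -> None:
        """Batch update: levels 0 and 1 unchanged, 2 -> 10, 3 -> 15."""
        if not self.rearranged:
            self.levels = {key: REARRANGE[lvl] for key, lvl in self.levels.items()}
            self.rearranged = True

    def set_level(self, view: str, command: str, level: int) -> None:
        """Model of "command-privilege level <level> view <view> <command>"."""
        if not 0 <= level <= self.max_level:
            raise ValueError(f"level {level} is outside 0 to {self.max_level}")
        self.levels[(view, command)] = level

    def can_run(self, user_level: int, view: str, command: str) -> bool:
        return self.levels[(view, command)] <= user_level

    def locked_out(self, view: str, command: str, user_levels) -> list:
        """User levels that can no longer run the command (the NOTICE caveat)."""
        return [u for u in user_levels if not self.can_run(u, view, command)]


# Constructed default levels for a few commands, following Table 1-2.
DEFAULTS = {
    ("user", "ping"): 0,
    ("user", "display version"): 1,
    ("system", "sysname"): 2,
    ("user", "display current-configuration"): 3,
}


def demo():
    table = CommandLevels(DEFAULTS)
    before = table.can_run(2, "system", "sysname")    # True on the 0 to 3 scale
    table.rearrange()                                 # sysname becomes level 10
    after = table.can_run(10, "system", "sysname")    # True: class-2 user (10 to 14)
    denied = table.can_run(9, "system", "sysname")    # False: class-1 user (1 to 9)
    table.set_level("system", "sysname", 15)          # raising it locks out 10 to 14
    return before, after, denied, table.locked_out("system", "sysname", range(10, 15))
```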

1.1.3.3.4 Locking a User Interface

To prevent unauthorized users from accessing a user interface, lock the user interface.

Procedure
Step 1 Run configuration exclusive
The configuration is locked and accessible only to the current user.
After the configuration is locked, the current user alone holds the configuration
rights, which are not shared with other users.

NOTE

You can run the display configuration-occupied user command to view the current user
that has the unshared configuration rights.

Step 2 Run system-view
The system view is displayed.
Step 3 Run configuration-occupied timeout timeout-value
The interval after which the configuration is unlocked is set.
Step 4 Run commit
The configuration is committed.

----End

1.1.3.3.5 Configuring the System to Allow the Execution of User-View Commands in the System View

To run commands that can be run only in the user view, you must return from the
system view to the user view. After completing this configuration task, you can
run these commands in the system view without returning to the user view.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run run command-line
The system is configured to allow user-view commands to be executed in the
system view.

----End

1.1.3.3.6 (Optional) Configuring the Command Timestamp Function

You can enable a device to record the date and time when commands are
executed.

Procedure
● Enable the system command timestamp function.
a. Run system-view
The system view is displayed.
b. Run timestamp enable
The system command timestamp function is enabled on the device.
After this function is enabled, the device displays the date and time each
time a display command is run.
c. Run commit
The configuration is committed.

NOTE

This function takes effect only on display commands.

● Enable the session command timestamp function.
a. Run terminal command timestamp
The command timestamp function is enabled for an existing session.

NOTE

● After this function is enabled, the device displays the current system date and
time once you enter any command and press Enter.
● The terminal command timestamp command takes effect on commands
executed only within the existing user session. After you log out of and log in
to the device, the command timestamp function becomes invalid and needs
to be reconfigured.
● If you run the timestamp enable command and then the undo terminal
command timestamp command, the timestamps are displayed after you run
display commands, but are not displayed after you run non-display
commands.

----End

1.1.3.4 How to Use the CLI

You can use the CLI to configure and process the command view, command edit
function, command template, displayed information, and error information.

Usage Scenario
Before using the CLI to configure services, you must understand basic CLI
operations.

Pre-configuration Tasks
Before using the CLI, complete the following tasks:
● Install the router and power it on.
● Log in to the router through a PC.

1.1.3.4.1 Entering a Command View

The CLI provides multiple command views. All commands are registered in one or
more command views. In general, you can run a command only after entering its
view.

NOTE

In two-phase validation mode, if any configurations in the system have not been committed,
* is displayed in the view prompt. If all configurations in the system have been committed,
~ is displayed in the view prompt.

# Set up a connection with the router. If the default configuration is adopted on
the router, enter the user view. The following prompt is displayed:
<HUAWEI>

# Enter system-view and press Enter to enter the system view.
<HUAWEI> system-view
[~HUAWEI]

# Enter aaa in the system view to enter the AAA view.
[~HUAWEI] aaa
[~HUAWEI-aaa]

NOTE

The default device name is HUAWEI. You can run the sysname command to specify a
device name. You can determine the current view based on the prompt. For example, <>
indicates the user view, and [] indicates any view except the user view.
In the multi-level view, you can directly enter # to return to the system view.
You can enter ! or # followed by a character string in any view. All entered content
(including ! and #) is displayed as comments. That is, the corresponding configuration is
not generated.

You can run the quit command to quit the current view and enter a view of a
lower level. If the current view is the user view, you are logged out of the system.

You can run the return command to quit the current view and enter the user view.
If the current view is the user view, the user view is still displayed.

Certain commands that can be run in the system view can also be run in other
views. The function implemented by a command is determined by the command
view in which the command is run. For example, if the mpls command is run in
the system view, MPLS is enabled globally; if the mpls command is run in the
interface view, MPLS is enabled on the interface.

1.1.3.4.2 Editing a Command

The command editing function enables you to edit a command or obtain help
using certain keys.

The CLI on an NE9000 provides basic command editing functions and supports
multi-line editing. Each command can contain a maximum of 3100 characters.

Table 1-3 describes common editing functions.

Table 1-3 Common editing functions

Key                            Function

Common key                     Inserts a character at the cursor position and moves the cursor
                               to the right if the editing buffer is not fully occupied.
Backspace                      Deletes the character before the cursor and moves the cursor to
                               the left. If the cursor reaches the head of the command, the
                               system does not respond.
Up cursor key (↑) or Ctrl+P    Accesses the last historical command or displays the last
                               historical command if there is an earlier historical command.
Down cursor key (↓) or Ctrl+N  Accesses the next historical command or displays the next
                               historical command if there is a later historical command, or
                               clears the command if there is no later historical command.
Tab                            Runs partial help after you enter an incomplete keyword and
                               press Tab.
                               ● If the keyword matching the entered one is unique, the system
                                 replaces the entered one with the complete keyword and
                                 displays it in a new line with the cursor a space behind.
                               ● If there are several matches or no match at all, the system
                                 displays the prefix first. You can press Tab to switch from one
                                 matching keyword to another. In this case, the cursor closely
                                 follows the end of a word and you can press the spacebar and
                                 enter the next word.
                               ● If you enter an incorrect keyword and press Tab, the system
                                 directly displays it in a new line.

NOTE

For Windows 9X HyperTerminal, the function provided by the Up cursor key (↑) cannot be
implemented, because Windows 9X HyperTerminal has defined a different function for the
key. You can press Ctrl+P to implement the function provided by the key.

Follow-up Procedure
A terminal automatically saves typed historical commands, which can be any
keyboard entry ending with Enter. To delete the historical commands, run the
reset history-command all-users or reset history-command command.

1.1.3.4.3 Verifying the Command Line Configuration

After completing basic configuration, run display commands to verify the
configuration.


Context
Basic configurations are complete.

Procedure
● Run display current-configuration [ configuration [ configuration-type [ configuration-instance ] | config-type-no-inst ] | all | inactive ] [ include-default ]

The current configuration is displayed.


● Run display this

The configuration in the current view is displayed.

Parameters whose effective value equals the default working value are not
displayed. Configured parameters that have not yet taken effect are not
displayed either.

----End

1.1.3.4.4 Checking the Diagnostic Information


If a fault occurs in the system and the module that causes the fault cannot be
identified, run the display diagnostic-information command to collect diagnostic
information for fault locating.

Procedure
Step 1 Run display diagnostic-information

The diagnostic information about the current system is displayed.

The display diagnostic-information command combines the functions of
multiple common display commands, such as the display clock, display version,
and display current-configuration commands.

----End

1.1.3.4.5 Command Display Mode


All commands have the same display feature. You can flexibly specify the display
mode as required.

Display Feature
When the information cannot be completely displayed on one screen, you can
adopt the pause function. You have three choices, as described in Table 1-4.

Table 1-4 Display functions

Key                                   Function
Space bar                             Continues to display the information on the next
                                      screen.
Enter                                 Continues to display the information in the next
                                      line.
Plus sign (+) + regular-expression    Functions the same as | include regular-expression.
Minus sign (-) + regular-expression   Functions the same as | exclude regular-expression.
Slash (/) + regular-expression        Functions the same as | begin regular-expression.
Ctrl+C + any other key                Stops displaying information and executing the
                                      command.

Regular Expression
A regular expression describes a pattern that matches a set of character strings. It
consists of common characters (such as characters a to z) and special characters
(also called metacharacters). The regular expression functions as a template to
match a character pattern with the searched character string.
The regular expression has the following functions:
● Checks and obtains the sub-character string that matches a certain rule in the
character string.
● Replaces the character string based on the matching rule.
Common and special characters contained in the regular expression are described
as follows:
● Common characters
Common characters match common characters in the character string,
including all uppercase letters, lowercase letters, digits, punctuation marks,
and special symbols. For example, a matches a in abc, and @ matches @ in
xxx@xxx.com.
● Special characters
Special characters, together with common characters, match complicated or
special character strings. For example, ^10 matches 10.10.10.1 not 2.2.2.2.
Table 1-5 describes special characters and their functions.


Table 1-5 Special characters and their functions

Special    Function                                       Example
character

\          Defines an escape character, which marks       \* matches *.
           the next character (common or special) as
           a common character.

^          Matches the start position of the string.      ^10 matches 10.10.10.1, not
                                                          2.2.2.2.

$          Matches the end position of the string.        1$ matches 10.10.10.1, not
                                                          10.10.10.2.

*          Matches the preceding element zero or          10* matches 1, 10, 100, 1000,
           more times.                                    and so on.
                                                          (10)* matches null, 10, 1010,
                                                          101010, and so on.

+          Matches the preceding element once or          10+ matches 10, 100, 1000,
           more times.                                    and so on.
                                                          (10)+ matches 10, 1010,
                                                          101010, and so on.

?          Matches the preceding element zero times       10? matches 1 or 10.
           or once.                                       (10)? matches null or 10.
           NOTE
           Huawei datacom devices do not support
           regular expressions with ?. When a regular
           expression with ? is entered on a Huawei
           datacom device, help information is
           displayed.

.          Matches any single character.                  a.b matches any three-character
                                                          string that starts with a and
                                                          ends with b.
                                                          0.0 matches 0x0, 020, and so on.
                                                          .oo matches book, look, tool,
                                                          and so on.

()         Matches and obtains the string within the      100(200)+ matches 100200,
           parentheses.                                   100200200, and so on.
           If the parentheses are empty, they are         (ab) matches abcab.
           equivalent to a null string.                   () can match any string.
           If a pattern string consists only of (),       a()b matches 12ab12.
           it matches any string.                         a)b matches za)bc.
           A right parenthesis with no matching left      a(b is an invalid pattern
           parenthesis is treated as a common             string.
           character.
           A left parenthesis with no matching right
           parenthesis makes the pattern string
           invalid.

_          Matches a sign such as a comma (,), left       _65001_ matches 20 65001 30,
           brace ({), right brace (}), left               20 65001, 65001 30, 65001,
           parenthesis ((), right parenthesis ()), or     and so on.
           space. At the beginning of a regular
           expression, _ has the same function as the
           caret (^); at the end of a regular
           expression, it has the same function as
           the dollar sign ($).

x|y        Matches x or y.                                100|200 matches 100 or 200.
                                                          1(2|3)4 matches 124 or 134,
                                                          not 1234, 14, 1224, or 1334.

[xyz]      Matches any single character in the            [123] matches 2 in 255.
           brackets. It does not match several            [abc] matches a, b, or c.
           characters at once or the same character
           several times.

[^xyz]     Matches any character other than x, y,         [^123] matches any character
           and z. That is, it matches any string that     except 1, 2, and 3.
           contains at least one character that is        [^abc] matches any character
           not x, y, or z.                                except a, b, and c.

[a-z]      Matches any single character within the        [0-9] matches any digit.
           specified range. It does not match several     [a-z] matches any lowercase
           characters at once or the same character       letter.
           several times.                                 [z-a] is an invalid pattern
                                                          string.

[^a-z]     Matches any character outside the              [^0-9] matches any non-digit
           specified range. That is, it matches any       character.
           string that contains at least one              [^a-z] matches any character
           character outside the range.                   that is not a lowercase letter.
                                                          [^z-a] is an invalid pattern
                                                          string.

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the
screen.
● Degeneration of special characters
Certain special characters degenerate to common characters when being
placed at special positions in the regular expression.
– A special character following "\" is escaped and matches itself.
– The special character "*", "+", or "?" is placed at the start position of the
regular expression. For example, +45 matches +45 and abc(*def) matches
abc*def.
– The special character "^" is placed at any position except the start
position of the regular expression. For example, abc^ matches abc^.
– The special character "$" is placed at any position except the end position
of the regular expression. For example, 12$2 matches 12$2.
– The right bracket (for example, ")" or "]") is not paired with its
corresponding left bracket "(" or "[". For example, abc) matches abc) and
0-9] matches 0-9].
NOTE

Unless otherwise specified, degeneration rules are applicable when the preceding
regular expressions serve as subexpressions within parentheses.
● Combination of common and special characters
In practice, multiple common and special characters are often combined to
match a special character string.
The NE9000 supports filter criteria based on regular expressions, and all display
commands accept them. When filter criteria are specified in a display command,
the first line of the output is the first complete line that contains the
specified character string, not a line that starts with that string.

| count can be specified to display the number of lines in the command output,
and | no-more can be specified so that the command output is displayed
continuously, without pausing at each screen. | count or | no-more can be used
on its own or together with any of the following filter criteria.

| ignore-case can be specified so that matching is case-insensitive, and
| section can be specified to control the segment of the command output to be
displayed. | ignore-case and | section must be used together with one of the
following filter criteria.

For the commands supporting regular expressions, you can choose the following
filter criteria:

● | begin regular-expression
Displays all the lines following the line that matches the regular expression.
That is, the system displays both the line that contains the specified character
string (case-sensitive) and all the following lines on a terminal.
● | exclude regular-expression
Displays all the lines that do not match the regular expression. That is, the
system displays only the lines that do not contain the specified character
string (case-sensitive) on a terminal. If no line matches, the output is empty.
● | include regular-expression
Displays only the lines that match the regular expression. That is, the system
displays only the lines that contain the specified character string (case-
sensitive) on a terminal. If no line matches, the output is empty.
NOTE

The command output can be filtered by multiple regular expressions. The regular
expressions take effect in configuration sequence. A maximum of 32 regular expressions
can be configured to filter the command output. For example, you can run the display
current-configuration | section include ip | exclude address 10.1 | exclude description
command to display the command output that contains ip but does not contain address
10.1 or description.

When you run a display command with filter criteria set, note the following:

● The first line of the output is the first complete line that contains the
specified character string, not a line that starts with that string.
● Configured parameters that have not taken effect do not appear in the output.
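The filter semantics described above (case-sensitive | begin, | include and | exclude applied in the order given, plus the NE9000-specific _ metacharacter from Table 1-5) are easy to get wrong when a script parses captured command output instead of letting the router filter it. The following is an added example and not Huawei code: a small Python model of that filter chain, run over a constructed fragment of display current-configuration output. The rewriting of _ into a Python alternation, the helper names and the sample lines are assumptions of this example.

```python
import re

# The NE9000's '_' metacharacter (Table 1-5) matches a comma, brace, parenthesis,
# space, or the start/end of the line. Python's re has no such class, so this
# example rewrites '_' into an equivalent alternation. This is an assumption of
# the example, not Huawei's implementation; '_' inside [...] is not rewritten.
_UNDERSCORE = r"(?:^|[ ,{}()]|$)"


def vrp_regex(pattern: str, ignore_case: bool = False) -> re.Pattern:
    """Compile a display-filter pattern with the '_' semantics described above."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # '\x' escapes x: keep both as-is
            out.append(pattern[i:i + 2])
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    flags = re.IGNORECASE if ignore_case else 0   # models '| ignore-case'
    return re.compile("".join(out), flags)


def apply_filters(lines, filters, ignore_case=False):
    """Apply a chain of ('begin' | 'include' | 'exclude', pattern) filters.

    Filters take effect in the order given, each on the lines left by the
    previous one, which is how '| begin ... | include ... | exclude ...' behaves.
    Matching is case-sensitive unless ignore_case is set.
    """
    out = list(lines)
    for keyword, pattern in filters:
        rx = vrp_regex(pattern, ignore_case)
        if keyword == "begin":
            # The first matching line and everything after it; the match is kept.
            for idx, line in enumerate(out):
                if rx.search(line):
                    out = out[idx:]
                    break
            else:
                out = []          # no line matches: the output is empty
        elif keyword == "include":
            out = [ln for ln in out if rx.search(ln)]
        elif keyword == "exclude":
            out = [ln for ln in out if not rx.search(ln)]
        else:
            raise ValueError(f"unsupported filter keyword: {keyword!r}")
    return out


def count_lines(lines, filters=(), ignore_case=False) -> int:
    """Model of '| count': the number of lines left after the filters."""
    return len(apply_filters(lines, filters, ignore_case))


# Constructed sample of 'display current-configuration' output; not captured
# from a real device.
SAMPLE = """\
#
sysname NE9000-A
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
 description to-core
#
interface LoopBack1
 ip address 10.2.2.2 255.255.255.255
#
bgp 65000
 peer 10.1.1.2 as-number 65001
#
""".splitlines()


if __name__ == "__main__":
    # The documentation's own chain, without '| section':
    # display current-configuration | include ip | exclude address 10.1 | exclude description
    chain = [("include", "ip"), ("exclude", "address 10.1"), ("exclude", "description")]
    for line in apply_filters(SAMPLE, chain):
        print(line)
    # '_65001_' matches 65001 only as a whole token, as in Table 1-5.
    print(count_lines(SAMPLE, [("include", "_65001_")]))
```

Two things the model makes visible: "description" is matched by | include ip (the pattern is a substring match, not a word match), which is why the documentation's chain needs | exclude description; and because filters are applied in order, | begin interface LoopBack | include ip searches only the part of the output after the first LoopBack line. A script that post-processes captured output should reproduce that order rather than treat the filters as independent.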

The NE9000 can redirect the output of a display command to a specified file in
either of the following modes:

● > filename
The output is redirected to a specified file. If the file already exists, the
content of the file is overwritten.
● >> filename
The output is appended to a specified file, with the original content of the file
remaining unchanged.


| refresh can be specified to periodically update the displayed query results at
a specific interval. The default interval is 5 seconds.
NOTE

● If the interval is too short, CPU usage increases. Set the interval to a proper value.
● If fewer than four VTY channels are available, | refresh cannot be specified in a new
command. Commands already running with | refresh are not affected.
● Only commands starting with display support | refresh.

1.1.3.4.6 Error Messages


If an entered command passes the validation check, the command is executed
correctly. If an entered command does not pass the validation check, the system
displays an error message.

Table 1-6 describes common error messages.

Table 1-6 Common error messages

Error Message            Cause
Unrecognized command     No command or keyword is found.
Wrong parameter          The parameter type is incorrect, or the parameter value
                         exceeds the limit.
Incomplete command       The entered command is incomplete.
Too many parameters      Too many parameters are entered.
Ambiguous command        The entered command is ambiguous.

1.1.3.4.7 Configuring an Alias for a Command


To facilitate operations, you can use the command alias function to configure a
character string as an alias for a command.

Context
To enable the command alias function for the current terminal, run the terminal
command alias command. To disable the command alias function for the current
terminal, run the undo terminal command alias command. Disabling the
command alias function does not delete the existing alias configuration.
Therefore, the existing alias configuration continues to take effect if you enable
the command alias function again for the current terminal. You can run the
display terminal command alias command to view the status of the command
alias function.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run command alias

The command alias view is displayed.

Step 3 Run alias alias-string [ parameter parameter & <1-32> ] command command

An alias is configured for a command.

----End

Follow-up Procedure
● Run the display command alias command to view the alias configuration.

1.1.3.4.8 Intelligent Rollback


The CLI supports the intelligent rollback function. That is, in the current view, you
can run commands in other views.

Context
Intelligent rollback enables the system to automatically return to the previous
view if a command fails to be run in the current view. The system performs view
return attempts until the applicable view of the command is displayed.

When configuring services, you need to enter the view of the command to be
configured to complete the configuration. In this case, you need to run the quit
command repeatedly to exit the current view and enter the required view. The
intelligent rollback function allows you to run commands of other views in the
current view to reduce repeated quit operations.

NOTE

● If command matching fails because an ambiguous command is entered in the current view,
no intelligent rollback is performed.
● Intelligent rollback is not performed when a command fails to be matched.
● The undo commands do not support intelligent rollback.

Example
1. Run the terminal command forward matched upper-view command to
enable the intelligent rollback function.
2. Run the system-view command to enter the system view.
3. Run the interface GigabitEthernet1/0/0.1 command to create a sub-interface
and enter the sub-interface view.
4. You do not need to exit the current view. Run the interface LoopBack 1
command to create a loopback interface and enter the loopback interface
view.


NOTICE

If the intelligent rollback function is enabled, commands may be executed in
unexpected views, and services may be interrupted. Before configuring a
command, check whether the command exists in the current view. If it does not,
run the command in the correct view.
To disable the intelligent rollback function, run the undo terminal command
forward matched upper-view command.

1.1.3.4.9 Enabling Secondary Authentication


Secondary authentication prevents service interruptions caused by misoperations.

Context
Misoperations of some commands cause the configurations of related features to
be deleted, interrupting services and disconnecting the user network. To prevent
misoperations, you can enable secondary authentication.
After secondary authentication is enabled, you need to enter the login password
for secondary authentication before running the reboot, reset saved-
configuration, rollback configuration, undo mpls, undo mpls te, undo mpls
rsvp, undo mpls ldp, undo mpls l2vpn, undo multicast ipv6 routing-enable,
undo multicast routing-enable, undo pim, undo igmp, undo bfd, or undo stp
enable command.
NOTE

To prevent some services from being unavailable due to misoperations, you are advised to
enable secondary authentication.

Example
1. Run system-view
The system view is displayed.
2. Run configuration re-authentication enable
Secondary authentication is enabled.
3. Run commit
The configuration is committed.

1.1.3.5 How to Obtain Command Help


When you enter commands or configure services, command help offers real-time
help in addition to the configuration guide.
The CLI on the NE9000 provides the following online help.

Full Help
You can obtain full help using any of the following methods:
● Enter a question mark (?) in any command view to obtain all the commands
and their simple descriptions.


<HUAWEI> ?

● Enter a command followed by a space and a question mark (?). If the position
of the question mark (?) is for a keyword, all the keywords and their brief
description are listed. Use the following command output as an example:
<HUAWEI> terminal ?
debugging Enable/disable debug information to terminal
logging Enable/disable log information to terminal

The words "debugging" and "logging" are keywords, each followed by its
description.
● Enter a command followed by a space and a question mark (?). If the position
of the question mark (?) is for a parameter, the value range and function of
the parameter are listed. Use the following command output as an example:
[*HUAWEI] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout, the default value is 10 minutes
[*HUAWEI] ftp timeout 35 ?
<cr>

In the command output, "INTEGER<1-35791>" indicates the value range, and
"The value of FTP timeout, the default value is 10 minutes" is the brief
description of the parameter function. "<cr>" indicates that no parameter is in
the position. In this case, press Enter to run the command.

Partial Help
You can obtain partial help using any of the following methods:

● Enter a string followed by a question mark (?). The system lists all the
keywords that start with the string.
<HUAWEI> d?

debugging delete
dir display

● Enter a command followed by a partial keyword and a question mark (?) when
several keywords match the string. The system lists all the keywords that
start with the string.
<HUAWEI> display c?

car clock
configuration control-flap
cpu-defend cpu-monitor
cpu-usage current-configuration

● Enter the initial letters of a keyword in a command line and press Tab. The
system lists the complete keyword. If there are several matches for the
keyword, you can press Tab repeatedly. The system lists various keywords for
you to choose the one you need.

1.1.3.6 How to Use Shortcut Keys


To simplify operations, you can use system or self-defined shortcut keys to enter
commands.

Usage Scenario
When you use commands to configure services, you can define shortcut keys to
rapidly enter commonly used commands.


Pre-configuration Tasks
Before using shortcut keys, complete the following tasks:

● Install the router and power it on.


● Log in to the router through a PC.

1.1.3.6.1 Classification of Shortcut Keys


Shortcut keys consist of user-defined and system shortcut keys. After
understanding the classification of shortcut keys, you can use shortcut keys quickly
and accurately.

Shortcut keys in the system are classified into two types:

● User-defined shortcut keys: You can define shortcut keys: Ctrl+G, Ctrl+L, Ctrl
+O, and Ctrl+U. You can associate each shortcut key with any command.
When you use a shortcut key, the system automatically runs the
corresponding command. For details, see 1.1.3.6.2 Defining Shortcut Keys.
● System shortcut keys: They provide fixed functions and cannot be defined by
users. Table 1-7 describes system shortcut keys.
NOTE

Different terminal software defines shortcut keys differently. Therefore, the shortcut keys on
a terminal may be different from those listed in this section.

Table 1-7 System shortcut keys

Key       Function
CTRL_A    Moves the cursor to the beginning of the current line.
CTRL_B    Moves the cursor back one character.
CTRL_C    Stops the running function.
CTRL_D    Deletes the character at the cursor.
CTRL_E    Moves the cursor to the end of the current line.
CTRL_F    Moves the cursor forward one character.
CTRL_H    Deletes the character on the left of the cursor.
CTRL_K    Ends the connections for outgoing calls.
CTRL_N    Displays the next command in the historical command buffer.
CTRL_P    Displays the previous command in the historical command buffer.
CTRL_R    Redisplays information in the current line.
CTRL_T    Ends the connections for outgoing calls.
CTRL_V    Pastes the text of the clipboard.
CTRL_W    Deletes the word on the left of the cursor.
CTRL_X    Deletes all characters on the left of the cursor.
CTRL_Y    Deletes all characters on the right of the cursor.
CTRL_Z    Returns to the user view.
CTRL_]    Ends the connections for incoming calls or redirects the connection.
ESC_B     Moves the cursor back one word.
ESC_D     Deletes the word on the right of the cursor.
ESC_F     Moves the cursor forward one word.
ESC_N     Moves the cursor to the next line.
ESC_P     Moves the cursor to the previous line.
ESC_<     Locates the cursor at the start of text in the clipboard.
ESC_>     Locates the cursor at the end of text in the clipboard.

1.1.3.6.2 Defining Shortcut Keys


Only users of the management level have the right to define shortcut keys.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

The shortcut keys are defined.

Step 3 Run commit

The configuration is committed.

----End


1.1.3.6.3 Displaying Shortcut Keys and Their Functions


You can use shortcut keys at any position where a command can be entered. After
you use a shortcut key, the system displays the corresponding command on the
screen. The result is the same as that of entering a complete command.

Context
If you enter an incomplete command and do not press Enter, using a shortcut key
causes the system to delete the entered characters and display the corresponding
command on the screen. The result is the same as that of entering a complete
command.

Like the use of commands, the use of shortcut keys also enables the system to
record the original command in the command buffer and logs for fault detection
and query.

Procedure
Step 1 Run display hotkey

The shortcut keys supported by the system and their functions are displayed.

NOTE

The functions of shortcut keys may be affected by the terminal in use. For example, when
the user-defined shortcut keys conflict with the system shortcut keys on the router, an
entered shortcut key is captured by the terminal program and the corresponding command
cannot be run.

----End

1.1.3.7 Configuring the Session Log Function


By default, the global session log function is disabled, and the session log function
of a single connection is enabled. You can perform the following steps to
configure the session log function.

Context
The global session log function is disabled by default. You can enable the global
session log function if you need to save the input, device screen output, and the
time when the device executes commands to the session log file in the root
directory.

The session log function of a single connection is enabled by default. After the
global session log function is enabled, information such as the input and screen
output of all connections on the device is recorded in the log file. If session logs do
not need to be generated for some connections, you can run the terminal
session-log disable command to disable the session log function for these
connections.

Procedure
● Enable the global session log function.


a. Run system-view
The system view is displayed.
b. Run undo info-center session log disable
The global session log function is enabled.
c. Run commit
The configuration is committed.
● Disable the session log function for the current connection.
Run display info-center session log status
The status of the global session log function and the status of the session log
function of all online connections are displayed.
– If the global session log function is enabled, perform the following steps:
i. Run the system-view command to enter the system view.
ii. Run the terminal session-log disable command to disable the
session log function of the current connection.
iii. Run the commit command to commit the configuration.
– If the global session log function is disabled, no further action is required.
----End

Checking the Configurations


Run the display info-center session log status command to view the status of
the global session log function and the session log function of all online
connections.

1.1.3.8 Configuration Examples for Command Lines


This section provides examples about how to use commands.

1.1.3.8.1 Example for Using Tab


You can press Tab to enable the system to display associated keywords or check
whether the keywords are correct.

Networking Requirements
A router is deployed.

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:
1. If there is only one match for an incomplete keyword, enter the incomplete
keyword and press Tab.


2. If there are several matches for an incomplete keyword, enter the incomplete
keyword and press Tab repeatedly until the desired keyword is found.
3. Enter an incorrect keyword and press Tab. The incorrect keyword remains
unchanged.

The use of Tab is described as follows:

Procedure
● If There Is Only One Match for an Incomplete keyword
a. Enter an incomplete keyword.
[~HUAWEI] ip rout

b. Press Tab.

The system replaces the entered keyword with the complete keyword
followed by a space.
[~HUAWEI] ip route-static

● If There Are Several Matches for an Incomplete keyword

# The keyword ip route-static can be followed by the following keywords:


[~HUAWEI] ip route-static ?
X.X.X.X Destination IP address
bfd BFD configuration information
default-bfd Default BFD parameter
default-preference Preference-value for IPv4 static-routes
...

a. Enter an incomplete keyword.


[~HUAWEI] ip route-static d

b. Press Tab.

The system first displays the prefixes of all the matched keywords. In this
example, the prefix is default.
[~HUAWEI] ip route-static default-

Press Tab to switch from one matching keyword to another. The cursor
closely follows the end of a word.
[~HUAWEI] ip route-static default-bfd
[~HUAWEI] ip route-static default-preference

Stop pressing Tab when the desired keyword is found.


c. Enter the value 10.
[~HUAWEI] ip route-static default-preference 10

● If an Incorrect Keyword Is Entered


a. Enter an incorrect keyword.
[~HUAWEI] ip route-static default-pe

b. Press Tab.

The system displays the output in a new line. The entered keyword
remains unchanged.
[~HUAWEI] ip route-static default-pe

----End


Configuration Files
None.

1.1.3.8.2 Example for Defining Shortcut Keys


If shortcut keys are defined on a router, all users can use the shortcut keys
regardless of their levels.

Networking Requirements
A router is deployed.

Precautions
If a user does not have the right to execute the command associated with a
defined shortcut key, the system makes no response when the user presses this
shortcut key.

Configuration Roadmap
The configuration roadmap is as follows:

1. Define the shortcut key Ctrl+U and associate it with the display ip routing-
table command.
2. Press Ctrl+U at the prompt of [~HUAWEI].

Data Preparation
To complete the configuration, you need the following data:

● Shortcut key name


● Name of the command to be associated with the shortcut key

Procedure
Step 1 Define the shortcut key Ctrl+U and associate it with the display ip routing-table
command.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_u "display ip routing-table"
[*HUAWEI] commit

Step 2 Press Ctrl+U at the prompt of [~HUAWEI].


[~HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.0.0/16 Direct 0 0 D 10.3.150.51 GigabitEthernet0/0/0
10.3.150.51/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.3.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

----End

Configuration Files
None

1.1.4 User Interface Configuration


When you log in to a router through a console port or using Telnet or Secure Shell
(SSH), the system provides a user interface for you to manage and monitor
sessions with the router.

1.1.4.1 Overview of User Interfaces


The system supports console and virtual type terminal (VTY) user interfaces.

You can configure, monitor, and maintain local or remote network devices only
after configuring user interfaces, user management, and terminal services. User
interfaces provide login venues, user management ensures login security, and
terminal services provide login protocols. Routers support user login over console
ports.

Each user interface has a user interface view. You can configure parameters in a
user interface view to determine whether authentication is required for login users
and specify levels for the users. This configuration implements uniform
management of various user sessions.

The system supports the following user interfaces:


● Console user interface: manages and monitors users who log in through the
console port.
The type of the console interface is EIA/TIA-232 DCE.
● VTY user interface: manages and monitors users who log in using VTY.
A VTY connection is set up when a user uses Telnet or SSH to log in to a
router. A maximum of 21 users can log in to the router using VTY.

NOTE

If a user logs in to a router in different login modes or at different times, the user may be
allocated different user interfaces.

User Interface Numbering


When a user logs in to a router, the system allocates an idle user interface with
the smallest number to the user based on the user's login mode. The login process
is restricted by the configurations for the user interface.

User interfaces can be numbered in either of the following modes:

● Relative numbering
This mode uniquely specifies a user interface or a group of user interfaces of
the same type.


The numbering format is user interface type + number, adhering to the
following rules:
– Console user interface numbering: CON 0.
– VTY user interface numbering: The first VTY user interface is VTY 0, the
second VTY user interface is VTY 1, and so on.
● Absolute numbering
This mode uniquely specifies a user interface or a group of user interfaces.
The number starts with 0, increasing by 1. Console user interfaces are
numbered before VTY user interfaces.
There are 1 console user interface and 21 VTY user interfaces. You can run the
user-interface maximum-vty command in the system view to set the
maximum number of VTY user interfaces.

Table 1-8 Absolute and relative numbers of user interfaces

Console user interface
  Description: Manages and controls users who log in to the device using the
  console interface. This user interface is supported only by the Admin-VS.
  Absolute number: 0
  Relative number: 0

TTY user interface
  NOTE: Currently, the system does not support the TTY user interface.
  Description: Manages and monitors users logging in through the asynchronous
  serial port.
  Absolute number: 1–32
  Relative number: The first one is TTY 0, the second one is TTY 1, and so
  forth. Absolute numbers 1 to 32 correspond to relative numbers TTY 0 to
  TTY 31.

VTY user interface
  Description: Manages and controls users who log in to the device using
  Telnet or SSH.
  Absolute number: 34–54
  Relative number: The first one is VTY 0, the second one is VTY 1, and so
  forth. Absolute numbers 34 to 54 correspond to relative numbers VTY 0 to
  VTY 20.

Authentication Modes for User Interfaces


After you configure a user authentication mode for a user interface, the system
authenticates users before they access the user interface. The system supports the
following authentication modes:

● Password authentication: Users must enter passwords for login.


● AAA authentication: Users must enter both user names and passwords for
login. If either a user name or a password is incorrect, the login fails. AAA
authentication is usually used for Telnet users.

User Levels for User Interfaces


You can manage login users based on their levels. The levels of commands that a
user can use are determined by the user's level.
● If password authentication is configured, the levels of commands that a user
can use depend on the level of the user interface through which the user logs
in.
● If AAA authentication is configured, the levels of commands that a user can
use depend on the local user level specified in the AAA configuration.
Table 1-9 describes the mapping between user levels and command levels.

Table 1-9 Mapping between user levels and command levels

Each entry lists the user level in the 0 to 3 scheme, the corresponding user
level in the 0 to 15 scheme, the command levels available, the permission
name, and a description.

User level 0 (0 to 3) / user level 0 (0 to 15)
  Command level: 0
  Permission: Visit
  Description: Diagnostic commands, such as ping and tracert, and commands
  that are used to access a remote device such as a Telnet client.

User level 1 (0 to 3) / user levels 1-9 (0 to 15)
  Command level: 0, 1
  Permission: Monitoring
  Description: Commands of this level are used for system maintenance,
  including display commands.
  NOTE: Not all display commands are of the monitoring level. For example,
  the display current-configuration command is of management level (3). For
  details about command levels, see HUAWEI NetEngine9000 Command Reference.

User level 2 (0 to 3) / user levels 10 to 14 (0 to 15)
  Command level: 0, 1, and 2
  Permission: Configuration level
  Description: Service configuration commands

User level 3 (0 to 3) / user level 15 (0 to 15)
  Command level: 0, 1, 2, and 3
  Permission: Management level
  Description: Commands of the management level are used for basic system
  operation to support services, including file system, FTP, TFTP, and
  configuration file switching commands, slave board control commands, user
  management commands, command level configuration commands, reboot
  commands, and debugging commands.


1.1.4.2 Configuration Precautions for User Interface

Feature Requirements
None

1.1.4.3 Configuring a Console User Interface


A console user interface manages and monitors users who log in to a router
through a console port.

Usage Scenario
To log in to a router through a console port for local maintenance, configure a
console user interface, including physical attributes, terminal attributes, user
levels, and authentication modes. You can configure parameters based on use and
security requirements.

Pre-configuration Tasks
Before configuring a console user interface, log in to a router through a console
port.

1.1.4.3.1 Configuring Physical Attributes for the Console User Interface


Physical attributes of the console user interface include the transmission rate, flow
control mode, parity bit, stopbits, and databits for the console port.

Context
To log in to a router through a console port, you must ensure that physical
attributes configured on the terminal emulation program for the console port are
the same as those of the console user interface on the router.

NOTE

This configuration process is supported only on the Admin-VS.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run user-interface { ui-type | console first-ui-number }

The console user interface is displayed.

Step 3 Run speed speed-value

A transmission rate is set.

The value can be 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, or
115200, in bit/s.


Step 4 Run flow-control flowtype

A flow control mode is set.

Step 5 Run parity paritytype

A parity bit is set.

Step 6 Run stopbits stopbitvalue

Stopbits are set.

Step 7 Run databits databitvalue

Data bits are set.

Step 8 Run commit

The configuration is committed.

----End

1.1.4.3.2 Configuring Terminal Attributes for the Console User Interface


Terminal attributes of the console user interface include the timeout period of an
idle connection, number of rows displayed on a terminal screen, and buffer size
for historical commands.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run user-interface { ui-type | console first-ui-number }

The console user interface view is displayed.

Step 3 Run shell

The terminal service is started.

Step 4 Run idle-timeout minutes [ seconds ]

A timeout period is set for an idle connection.

If a connection remains idle within a specified timeout period, the system
automatically ends the connection after the timeout period expires.

Step 5 Run screen-length screen-length

The number of rows displayed on each terminal screen is set.

NOTE

Run the screen-length temporary command to set the number of lines in each screen of
the terminal.

Step 6 Run history-command max-size size-value

A buffer size is set for historical commands.


Step 7 Run commit


The configuration is committed.

----End

1.1.4.3.3 Configuring a User Level for the Console User Interface


You can configure a user level for the console user interface to manage users
based on their levels.

Context
User levels correspond to command levels. After a user logs in to a router, the user
can use only commands of the corresponding level or lower.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run user-interface { ui-type | console first-ui-number }
The console user interface view is displayed.
Step 3 Run user privilege level level
NOTE

If the user level configured for a user interface conflicts with the user level configured for a
user, the user level configured for the user takes precedence.
For example, user 001 can use commands at Level 3, and the user level configured for the
user in the user interface view Console 0 is 2. After user 001 logs in through Console 0, the
user can use commands at Level 3 or lower.

Step 4 Run commit


The configuration is committed.

----End

1.1.4.3.4 Configuring an Authentication Mode for the Console User Interface


The system provides AAA authentication and password authentication to improve
system security.

Context
NOTE

The password authentication mode is not secure, and it is strongly recommended to use
AAA authentication mode.

Procedure
● Configure AAA authentication.
a. Run system-view


The system view is displayed.


b. Run user-interface { ui-type | console first-ui-number }
The console user interface view is displayed.
c. Run authentication-mode aaa
The authentication mode is set to AAA authentication.
d. Run quit
Exit the console user interface view.
e. Run aaa
The AAA view is displayed.
f. Run local-user user-name password [ cipher password | irreversible-
cipher irreversible-cipher-password ]
A local user name and a password are set.

▪ If cipher or irreversible-cipher is not specified, a password is
entered in man-machine interaction mode and the system does not
display the entered password.
When the user security policy is configured, the value is a string of 8
to 128 case-insensitive characters without spaces. When the user
security policy is not configured, the value is a string of 1 to 128
case-insensitive characters without spaces. When the user security
policy is configured, the password cannot be the same as the user
name or its reverse. The password must contain the following
characters: upper-case character, lower-case character, digit, and
special character.
NOTE

Special characters do not include question marks (?) or spaces. However,
when double quotation marks are used around a password, spaces are
allowed in the password.
● Double quotation marks cannot contain double quotation marks if
spaces are used in a password.
● Double quotation marks can contain double quotation marks if no
space is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa
123"45"" is invalid.

▪ If cipher is specified, a password can be entered in either simple text
or cipher text.
If a password is entered in simple text, the password requirements
are the same as those when cipher is not specified. When you input
a password in simple text, the system displays the password in
simple text mode, which brings risks.
A password is displayed in cipher text in the configuration file
regardless of whether it is entered in simple text or cipher text.

▪ If irreversible-cipher is specified, a password can be entered in
either simple text or irreversible cipher text.
If a password is entered in simple text, the password requirements
are the same as those when irreversible-cipher is not specified.


A password is displayed in cipher text in the configuration file
regardless of whether it is entered in simple text or irreversible cipher
text.
g. Run commit

The configuration is committed.


● Configure password authentication.
a. Run system-view

The system view is displayed.


b. Run user-interface { ui-type | console first-ui-number } [ last-ui-
number ]
The console user interface view is displayed.
c. Run authentication-mode password

The authentication mode is set to password authentication.


d. Run set authentication password [ cipher password ]

The authentication password is changed.

NOTE

● If cipher is not specified, a password is entered in man-machine interaction
mode and the system does not display the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain
at least two types of the following characters: uppercase letters, lowercase
letters, digits, and special characters.
● Special characters exclude question marks (?) and spaces. However, when
quotation marks (") are used around the password, spaces are allowed in the
password.
● Double quotation marks cannot contain double quotation marks if
spaces are used in a password.
● Double quotation marks can contain double quotation marks if no space
is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa
123"45"" is invalid.
● If cipher is specified, a password can be entered in either simple text or cipher
text.
● If a password is entered in simple text, the password requirements are
the same as those when cipher is not specified. When you input a
password in simple text, the system displays the password in simple text
mode, which brings risks.
● A password is displayed in cipher text in the configuration file regardless
of whether it is entered in simple text or cipher text.
If you have run the undo authentication-mode command to delete the
authentication mode configured for the console user interface, you cannot run
the set authentication password [ cipher password ] command to change the
authentication password.
e. Run commit

The configuration is committed.

----End


1.1.4.3.5 Disabling the Console User Interface


The console user interface can be disabled if it is abnormal or needs to be paused
due to some reasons.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run user-interface { ui-type | console first-ui-number }
The console user interface view is displayed.
Step 3 Run shutdown
The console user interface is disabled.
Step 4 Run commit
The configuration is committed.

----End

1.1.4.3.6 Verifying the Configuration of the Console User Interface


After configuring the console user interface, verify the configuration.

Prerequisites
The console user interface has been configured.

Procedure
● Run the display users [ all ] command to check user login information about
user interfaces.
● Run the display user-interface console 0 command to check physical
attributes and configurations of the user interface.
In VS mode, this command is supported only by the admin VS.
● Run the display local-user command to check the local user list.
● Run the display access-user command to check information about users that
pass AAA authentication.
----End

1.1.4.4 Configuring VTY User Interfaces


VTY user interfaces manage and monitor users who log in to a router using VTY.

Usage Scenario
To log in to a router using Telnet or SSH for local or remote configuration and
maintenance, configure VTY user interfaces, including the maximum number of
VTY user interfaces, limit on incoming and outgoing calls, terminal attributes, user


levels, and authentication modes. You can configure parameters based on use and
security requirements.

Pre-configuration Tasks
Before configuring VTY user interfaces, log in to a router through a console port.

1.1.4.4.1 Configuring the Maximum Number of VTY User Interfaces


You can configure the maximum number of VTY user interfaces to limit the
number of concurrent login users.

Context
The maximum number of VTY user interfaces is the total number of users who use
Telnet and SSH to log in.

NOTICE

If the maximum number of VTY user interfaces is set to 0 on a router, no user can
log in to the router using VTY.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run user-interface maximum-vty number

The maximum number of VTY user interfaces is set.

● If the configured maximum number is less than the current number, online
users are not affected and no additional configuration is needed.
● If the configured maximum number is greater than the current number,
configure the authentication mode and password for additional users. The
system uses password authentication to authenticate users who log in
through newly added user interfaces.
For example, the following commands increase the maximum number of VTY
user interfaces from 5 to 18 and configure password authentication for the
newly added user interfaces VTY 5 to VTY 17. The password is entered in
man-machine interaction mode and the system does not display the entered
password.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[*HUAWEI] user-interface vty 5 17
[*HUAWEI-ui-vty5-17] authentication-mode password
[*HUAWEI-ui-vty5-17] set authentication password
Please configure the login password (8-16)
Enter Password:
Confirm Password:


NOTE

The password must meet the following requirements:
– The password is entered in man-machine interaction mode. The system does not
display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at
least two types of the following characters: uppercase letters, lowercase letters,
digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are
allowed in the password if the password is enclosed in quotation marks.
▪ Double quotation marks cannot contain double quotation marks if spaces are
used in a password.
▪ Double quotation marks can contain double quotation marks if no space is
used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.

Step 3 Run commit


The configuration is committed.

----End

1.1.4.4.2 Configuring the Limit on Incoming and Outgoing Calls for a VTY User
Interface
An access control list (ACL) can be configured to limit incoming and outgoing calls
for a VTY user interface.

Context
An ACL can be configured to either allow or deny Telnet connections based on
source or destination IP addresses:
● A basic ACL, with its number ranging from 2000 to 2999, controls Telnet
connections based on source IP addresses.
● An advanced ACL, with its number ranging from 3000 to 3999, controls Telnet
connections based on both source and destination IP addresses.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run either of the following commands to create an ACL and enter its view.
A basic ACL filters packets based only on source addresses, whereas an
advanced ACL supports richer filtering rules that also match packet
destination addresses or priorities.
● For a basic ACL:
To enter the ACL view, run the acl { name basic-acl-name { basic | [ basic ]
number basic-acl-number } | [ number ] basic-acl-number } [ match-order
{ config | auto } ] command.


To enter the ACL6 view, run the acl ipv6 { name basic-acl6-name basic |
[ number ] basic-acl6-number } [ match-order { config | auto } ] command.
● For an advanced ACL:
To enter the ACL view, run the acl { name advance-acl-name [ advance |
[ advance ] number advance-acl-number ] | [ number ] advance-acl-
number } [ match-order { config | auto } ] command.
To enter the ACL6 view, run the acl ipv6 { name advance-acl6-name
[ advance | [ advance ] number advance-acl6-number ] | [ number ]
advance-acl6-number } [ match-order { config | auto } ] command.

The user interface supports the basic ACL ranging from 2000 to 2999 and the
advanced ACL ranging from 3000 to 3999.

Step 3 Run either of the following commands:


● For a basic ACL:
To configure a basic ACL rule, run the rule [ rule-id ] [ name rule-name ]
{ deny | permit } [ fragment-type { fragment | non-fragment | non-subseq
| fragment-subseq | fragment-spe-first } | source { source-ip-address
{ source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-
instance vpn-instance-name | vpn-instance-any ] ] * command.
To configure a basic ACL6 rule, run the rule [ rule-id ] [ name rule-name ]
{ deny | permit } [ fragment | source { source-ipv6-address { prefix-length |
source-wildcard } | source-ipv6-address/prefix-length | any } | time-range
time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
command.
● For an advanced ACL:
To configure an advanced ACL rule, run the rule [ rule-id ] [ name rule-
name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp
dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-
address { destination-wildcard | 0 | des-netmask } | any } | destination-pool
destination-pool-name } | fragment-type { fragment | non-fragment | non-
subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-
address { source-wildcard | 0 | src-netmask } | any } | source-pool source-
pool-name } | time-range time-name | [ vpn-instance vpn-instance-name |
vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-
operation length-value ] * command.
To configure an advanced ACL6 rule, run the rule [ rule-id ] [ name rule-
name ] { permit | deny } { hoport [ option-code option-value ] | 1 | 5 |
protocol | gre | ipv6 | ipv6-frag | ipv6-ah | ipv6-esp | ospf | 7-16 | 18-42 | { 43
| ipv6-routing } [ routing-type routing-number ] | 44-57 | 59 | { 60 | ipv6-
destination } [ option-code option-value ] | 61-255 } [ destination
{ destination-ipv6-address { prefix-length | destination-wildcard } | dest-ipv6-
addr-prefix | any } | fragment | { source { source-ipv6-address { prefix-length
| source-wildcard } | src-ipv6-addr-prefix | any } | source-pool source-pool-
name } | time-range time-name | [ dscp dscp | [ precedence { precedence |
critical | flash | flash-override | immediate | internet | network | priority |
routine } | tos { tos | max-reliability | max-throughput | min-delay | min-
monetary-cost | normal } ] * ] | [ vpn-instance vpn-instance-name | vpn-
instance-any ] ] * command.


NOTE

● By default, the deny action in an ACL rule is taken for all the login user packets. Only
users whose source IP addresses match the ACL rule with a permit action can log in to
the device.
In the following example, two rules are configured to prohibit users with the IP address
10.1.1.10 from logging in to the device whereas allowing the other users to log in to the
device:
– rule deny source 10.1.1.10 0
– rule permit source any
If the rule permit source any command is not configured, users whose source IP
addresses are not 10.1.1.10 will also be prohibited from logging in to the device.
● If a user's source IP address does not match the ACL rule that allows login, the user is
prohibited from logging in to the device.
● If the ACL referenced by VTY does not contain any rules or does not exist, any user can
log in to the device.

Step 4 Run quit


The system view is displayed.
Step 5 Run user-interface vty first-ui-number [ last-ui-number ]
One or more VTY user interface views are displayed.
Step 6 Run acl [ ipv6 ] { acl-number | acl-name } { inbound | outbound }
The limit on incoming and outgoing calls is set for the VTY user interfaces.
● To limit the login of users at a specified IP address or within a specified
address range to a router, specify inbound.
● To limit the login of online users to other devices, specify outbound.
Step 7 Run commit
The configuration is committed.

----End
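The NOTE above states three rules that decide whether a login source passes a VTY inbound ACL: rules are checked in order, a source that matches no rule is denied, and an ACL with no rules (or one that does not exist) admits everyone. The following Python model, added here as an illustration and not code from Huawei or from this guide, applies those rules to the guide's own two-rule example and to the common mistake of omitting rule permit source any. It assumes the config match order and handles only the IPv4 rule subset shown on this page; the 192.0.2.0/24 and 198.51.100.7 addresses in the last case are constructed.

```python
"""Simulate the login decision a VTY user interface makes when a basic ACL
is applied with 'acl ... inbound', following the semantics the guide states:
rules are checked in configuration order, a source that matches no rule is
denied, and an ACL that has no rules or does not exist lets any user in.
Added example, not Huawei code; the 'config' match order and IPv4-only
parsing are assumptions made for this illustration."""

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    source: Optional[IPv4Address]    # None stands for 'any'
    wildcard: int = 0                # wildcard bits; 0 = exact host

    def matches(self, addr: IPv4Address) -> bool:
        if self.source is None:
            return True
        fixed = 0xFFFFFFFF ^ self.wildcard      # bits that must be equal
        return (int(addr) & fixed) == (int(self.source) & fixed)


def parse_rule(line: str) -> Rule:
    """Parse 'rule { deny | permit } source { addr wildcard | any }'.
    Only the subset of the rule syntax used for login control is handled."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "rule" or parts[2] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    action = parts[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    if parts[3] == "any":
        return Rule(action, None)
    if len(parts) != 5:
        raise ValueError(f"expected 'source <addr> <wildcard>': {line!r}")
    wc = parts[4]
    # The guide writes a host match as a bare '0'; a dotted wildcard is also accepted.
    wildcard = int(IPv4Address(wc)) if "." in wc else int(wc)
    return Rule(action, IPv4Address(parts[3]), wildcard)


def login_allowed(rules: Optional[List[Rule]], source_ip: str) -> bool:
    """Inbound decision for one login attempt from source_ip.

    rules is None when the referenced ACL does not exist and [] when it has
    no rules; both let the user in. Otherwise the first matching rule decides
    and an unmatched source is denied (the guide's default deny)."""
    if not rules:
        return True
    addr = IPv4Address(source_ip)
    for rule in rules:
        if rule.matches(addr):
            return rule.action == "permit"
    return False


def evaluate(acl_lines: Optional[List[str]], sources: List[str]) -> Dict[str, bool]:
    """Decide each source against an ACL given as rule lines (None = no ACL)."""
    rules = None if acl_lines is None else [parse_rule(line) for line in acl_lines]
    return {s: login_allowed(rules, s) for s in sources}


if __name__ == "__main__":
    sources = ["10.1.1.10", "10.1.1.11"]
    # The guide's two-rule example: block one host, admit everyone else.
    print(evaluate(["rule deny source 10.1.1.10 0", "rule permit source any"], sources))
    # Forgetting 'rule permit source any': every source is now denied.
    print(evaluate(["rule deny source 10.1.1.10 0"], sources))
    # An empty ACL (or a missing one) does not restrict login at all.
    print(evaluate([], sources), evaluate(None, sources))
    # A wildcard rule admitting one management subnet (constructed addresses).
    print(evaluate(["rule permit source 192.0.2.0 0.0.0.255"], ["192.0.2.7", "198.51.100.7"]))
```

Running the model against a planned ACL before applying it with acl ... inbound shows which management hosts would be locked out, which matters most for the empty-ACL case: an ACL that is referenced but has no rules yet provides no protection at all.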

1.1.4.4.3 Configuring Terminal Attributes for a VTY User Interface


Terminal attributes of a VTY user interface include the timeout period of an idle
connection, number of rows displayed on a terminal screen, and buffer size for
historical commands.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run user-interface vty first-ui-number [ last-ui-number ]
One or more VTY user interface views are displayed.
Step 3 Run shell
The VTY terminal service is started.


Step 4 Run idle-timeout minutes [ seconds ]

A timeout period is set for an idle connection.

If a connection remains idle within a specified timeout period, the system
automatically ends the connection after the timeout period expires.

Step 5 Run screen-length screen-length

The number of rows displayed on each terminal screen is set.

Step 6 Run history-command max-size size-value

A buffer size is set for historical commands.

Step 7 Run commit

The configuration is committed.

----End

1.1.4.4.4 Configuring a User Level for a VTY User Interface


To improve security, configure user levels for user interfaces to manage users
based on their levels. This section describes how to configure a user level for a
VTY user interface.

Context
User levels correspond to command levels. After a user logs in to a router, the user
can use only commands of the corresponding level or lower.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run user-interface vty first-ui-number [ last-ui-number ]

One or more VTY user interface views are displayed.

Step 3 Run user privilege level level


NOTE

If the user level configured for a user interface conflicts with the user level configured for a
user, the user level configured for the user takes precedence.
For example, user 001 can use commands at Level 3, and the user level configured for the
user in the user interface view VTY 0 is 2. After user 001 logs in through VTY 0, the user can
use commands at Level 3 or lower.

Step 4 Run commit

The configuration is committed.

----End
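Table 1-9 in the overview and the precedence notes in this section and in the console section together determine which commands a session may run. The Python helper below, added here as an illustration and not code from Huawei or from this guide, encodes the 0-15 to 0-3 mapping, applies the rule that a level configured for the user wins over the level configured for the user interface, and adds an audit function that lists which local users reach the management level. It assumes all levels are given in the 0-15 user level scheme of Table 1-9, so the guide's "Level 3" user 001 is modelled as user level 15 and the "level 2" interface as user level 10; the local user list in the demonstration is constructed.

```python
"""Resolve which command levels a login session gets, using Table 1-9 and
the user-level precedence rule from the guide. Added illustration, not code
from Huawei or from this guide. Assumption: levels handed to these functions
are in the 0-15 user level scheme of Table 1-9 (so the guide's "Level 3"
management user is user level 15 and a "level 2" interface is user level 10)."""

from typing import Dict, List, Optional

# Table 1-9: permission name by 0-3 command level.
PERMISSION = {0: "Visit", 1: "Monitoring", 2: "Configuration", 3: "Management"}


def command_level(user_level: int) -> int:
    """Map a 0-15 user level to its 0-3 command level (Table 1-9):
    0 -> 0, 1-9 -> 1, 10-14 -> 2, 15 -> 3."""
    if not 0 <= user_level <= 15:
        raise ValueError(f"user level {user_level} is outside 0-15")
    if user_level == 0:
        return 0
    if user_level <= 9:
        return 1
    if user_level <= 14:
        return 2
    return 3


def effective_level(interface_level: int, aaa_user_level: Optional[int] = None) -> int:
    """Command level of a session after login.

    interface_level: value set with 'user privilege level' in the user
        interface view; password authentication relies on it.
    aaa_user_level: level of the local user in the AAA configuration, or
        None when the interface uses password authentication. Per the guide,
        a level configured for the user takes precedence over the interface level.
    """
    chosen = interface_level if aaa_user_level is None else aaa_user_level
    return command_level(chosen)


def allowed_levels(interface_level: int, aaa_user_level: Optional[int] = None) -> List[int]:
    """All command levels the session may use: its own level or lower."""
    return list(range(effective_level(interface_level, aaa_user_level) + 1))


def can_run(cmd_level: int, interface_level: int, aaa_user_level: Optional[int] = None) -> bool:
    """True if a command of level cmd_level is usable in this session."""
    return cmd_level in allowed_levels(interface_level, aaa_user_level)


def management_users(local_users: Dict[str, int], interface_level: int) -> List[str]:
    """Audit helper: local users that reach the management level (3) when
    logging in through an interface configured with interface_level. Because
    the user's own level takes precedence, lowering the interface level does
    not restrict these accounts; their AAA level has to be lowered instead."""
    return sorted(u for u, lvl in local_users.items()
                  if effective_level(interface_level, lvl) == 3)


if __name__ == "__main__":
    # Guide's example: user 001 is a management (Level 3, i.e. user level 15)
    # user; VTY 0 / Console 0 is configured with level 2 (user level 10).
    print(allowed_levels(interface_level=10, aaa_user_level=15))   # [0, 1, 2, 3]
    # Password authentication on the same interface: only the interface level counts.
    print(allowed_levels(interface_level=10))                       # [0, 1, 2]
    # Constructed local user list for the audit helper.
    users = {"001": 15, "monitor": 1, "ops": 12}
    print(management_users(users, interface_level=10))              # ['001']
```

The audit helper is the practical takeaway: with AAA authentication, the user privilege level set on VTY or console interfaces does not cap a local user's level, so a least-privilege review has to start from the AAA local-user levels, not from the interface views.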


1.1.4.4.5 Configuring an Authentication Mode for a VTY User Interface


The system provides AAA authentication and password authentication to improve
system security.

Context
NOTE

The password authentication mode is not secure, and it is strongly recommended to use
AAA authentication mode.

Procedure
● Configure AAA authentication.
a. Run system-view

The system view is displayed.


b. Run user-interface vty first-ui-number [ last-ui-number ]

One or more VTY user interface views are displayed.


c. Run authentication-mode aaa

The authentication mode is set to AAA authentication.


d. Run commit

The configuration is committed.


e. Run quit

Exit the VTY user interface views.


f. Run aaa

The AAA view is displayed.


g. Run local-user user-name password [ cipher password | irreversible-
cipher irreversible-cipher-password ]

A local user name and a password are set.

▪ If cipher or irreversible-cipher is not specified, a password is
entered in man-machine interaction mode and the system does not
display the entered password.
When the user security policy is configured, the value is a string of 8
to 128 case-insensitive characters without spaces. When the user
security policy is not configured, the value is a string of 1 to 128
case-insensitive characters without spaces. When the user security
policy is configured, the password cannot be the same as the user
name or its reverse. The password must contain the following
characters: upper-case character, lower-case character, digit, and
special character.


NOTE

Special characters do not include question marks (?) or spaces. However,
when double quotation marks are used around a password, spaces are
allowed in the password.
● Double quotation marks cannot contain double quotation marks if
spaces are used in a password.
● Double quotation marks can contain double quotation marks if no
space is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa
123"45"" is invalid.

▪ If cipher is specified, a password can be entered in either simple text
or cipher text.
If a password is entered in simple text, the password requirements
are the same as those when cipher is not specified. When you input
a password in simple text, the system displays the password in
simple text mode, which brings risks.
A password is displayed in cipher text in the configuration file
regardless of whether it is entered in simple text or cipher text.

▪ If irreversible-cipher is specified, a password can be entered in
either simple text or irreversible cipher text.
If a password is entered in simple text, the password requirements
are the same as those when irreversible-cipher is not specified.
A password is displayed in cipher text in the configuration file
regardless of whether it is entered in simple text or irreversible cipher
text.
h. Run commit
The configuration is committed.
● Configure password authentication.
a. Run system-view
The system view is displayed.
b. Run user-interface vty first-ui-number [ last-ui-number ]
One or more VTY user interface views are displayed.
c. Run authentication-mode password
The authentication mode is set to password authentication.
d. Run set authentication password [ cipher password ]
The authentication password is changed.


NOTE

● If cipher is not specified, a password is entered in man-machine interaction
mode and the system does not display the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain
at least two types of the following characters: uppercase letters, lowercase
letters, digits, and special characters.
● Special characters exclude question marks (?) and spaces. However, when
quotation marks (") are used around the password, spaces are allowed in the
password.
● Double quotation marks cannot contain double quotation marks if
spaces are used in a password.
● Double quotation marks can contain double quotation marks if no space
is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa
123"45"" is invalid.
● If cipher is specified, a password can be entered in either simple text or cipher
text.
● If a password is entered in simple text, the password requirements are
the same as those when cipher is not specified. When you input a
password in simple text, the system displays the password in simple text
mode, which brings risks.
● A password is displayed in cipher text in the configuration file regardless
of whether it is entered in simple text or cipher text.
If you have run the undo authentication-mode command to delete the
authentication mode configured for the console user interface, you cannot run
the set authentication password [ cipher password ] command to change the
authentication password.
e. Run commit

The configuration is committed.

----End
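The password notes in this section and in the console section (1.1.4.3.4) state two different policies: set authentication password accepts 8 to 16 case-sensitive characters with at least two character types, while local-user ... password under the user security policy requires 8 to 128 characters, all four character types, and a value that is not the user name or its reverse; both forbid question marks and allow spaces only inside enclosing double quotes, with the inner-quote rule illustrated by "Aa123"45"" versus "Aa 123"45"". The Python checker below, added here as an illustration and not code from Huawei or from this guide, lets an operator test a candidate password against both policies offline before typing it at the Enter Password: prompt. Two points the guide leaves open are treated as assumptions: the set of characters counted as special is printable ASCII punctuation other than ?, and the user-name comparison is case-insensitive, following the guide's "case-insensitive" wording. The sample passwords in the demonstration are constructed.

```python
"""Pre-check a password against the two policies in this guide before using
it in 'set authentication password' (user interface view) or
'local-user ... password' (AAA view). Added example, not Huawei code.
Assumptions: the set of characters counted as 'special' is printable ASCII
punctuation other than '?', and the user-name comparison for local users is
case-insensitive, following the guide's 'case-insensitive' wording."""

import string
from typing import Optional, Tuple

SPECIAL = set(string.punctuation) - {"?"}   # '?' is never allowed; space is not 'special'


def unquote(token: str) -> Tuple[Optional[str], str]:
    """Apply the guide's double-quote rules and return (password, error).

    Spaces are allowed only when the whole password is enclosed in double
    quotes, and a quoted password may hold inner double quotes only when it
    contains no spaces ("Aa123"45"" is valid, "Aa 123"45"" is not)."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        inner = token[1:-1]
        if " " in inner and '"' in inner:
            return None, "spaces and inner double quotes cannot be combined"
        return inner, ""
    if " " in token:
        return None, "a password containing spaces must be enclosed in double quotes"
    return token, ""


def char_classes(pw: str) -> set:
    """Which of the four character types the password contains."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def check_interface_password(token: str) -> Tuple[bool, str]:
    """'set authentication password' rule: 8-16 case-sensitive characters,
    at least two of the four character types, no question mark."""
    pw, err = unquote(token)
    if pw is None:
        return False, err
    if "?" in pw:
        return False, "question marks are not allowed"
    if not 8 <= len(pw) <= 16:
        return False, f"length {len(pw)} is outside 8-16"
    if len(char_classes(pw)) < 2:
        return False, "at least two character types are required"
    return True, "ok"


def check_local_user_password(token: str, user_name: str,
                              security_policy: bool = True) -> Tuple[bool, str]:
    """'local-user ... password' rule. With the user security policy on:
    8-128 characters, all four character types, and not the user name or its
    reverse; with it off: 1-128 characters. Quoting follows the same NOTE."""
    pw, err = unquote(token)
    if pw is None:
        return False, err
    if "?" in pw:
        return False, "question marks are not allowed"
    low = 8 if security_policy else 1
    if not low <= len(pw) <= 128:
        return False, f"length {len(pw)} is outside {low}-128"
    if security_policy:
        name = user_name.lower()          # assumption: case-insensitive comparison
        if pw.lower() in (name, name[::-1]):
            return False, "password must not be the user name or its reverse"
        if len(char_classes(pw)) < 4:
            return False, "upper-case, lower-case, digit and special characters are all required"
    return True, "ok"


if __name__ == "__main__":
    for tok in ['"Aa123"45""', '"Aa 123"45""', "Aa123456", "aaaaaaaa", "Aa12345?"]:
        print(tok, check_interface_password(tok))
    # Constructed local-user cases, including the user-name reversal check.
    print(check_local_user_password("Ops#2022xx", "ops"))
    print(check_local_user_password("dc0bA1!x", "x!1Ab0cd"))
```

The interface password policy is the weaker of the two (two character types, 16 characters at most), which is one reason the guide recommends AAA authentication over password authentication; the checker makes that difference visible when the same candidate passes check_interface_password but fails check_local_user_password.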

1.1.4.4.6 Configuring an Alarm Threshold for the Number of Available VTY Channels
By configuring an alarm threshold for the number of available VTY channels, you
can learn about the availability of VTY channels on a device in a timely manner.

Context
When the number of available VTY channels on a device is less than or equal to
the threshold, the device reports an alarm.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the user-interface vty available-vty-threshold threshold-value command to
configure an alarm threshold for the number of available VTY channels.
NOTE

If the configured alarm threshold is greater than the maximum number of VTY users, the
system displays a message indicating that the configuration is invalid.


Step 3 Run the commit command to commit the configuration.

----End

1.1.4.4.7 Enabling the VTY User Interface's Security Policy


This section describes how to enable the VTY user interface's security policy. It is
recommended that you enable the security policy to harden the VTY user
interface's security.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run undo user-interface vty security-policy disable

The VTY user interface's security policy is enabled.

Step 3 Run commit

The configuration is committed.

----End

1.1.4.4.8 Verifying the Configuration of VTY User Interfaces


After configuring a VTY user interface, verify the configuration.

Prerequisites
A VTY user interface has been configured.

Procedure
● Run the display users [ all ] command to check user login information about
user interfaces.
● Run the display user-interface maximum-vty command to check the
configured maximum number of VTY user interfaces.
● Run the display user-interface vty ui-number command to check physical
attributes and configuration of the user interface.
● Run the display local-user command to check the local user list.
● Run the display access-user command to check information about users that
pass AAA authentication.
● Run the display vty mode command to check the VTY mode.

----End

1.1.4.5 Configuration Examples for User Interfaces


This section provides examples for configuring console and VTY user interfaces.

1.1.4.5.1 Example for Configuring the Console User Interface


In this configuration example, the physical attributes, terminal attributes, user
level, authentication mode, and password are configured for the console user
interface. After the configuration is complete, you can log in to the device through
the console port in password authentication mode.

Networking Requirements
To initialize the configurations of a new device or locally maintain the device, log
in to the device through the console user interface. You can configure attributes
for the console user interface based on use and security requirements.

Precautions

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Set a user level.
4. Set an authentication mode and password.

NOTE

The user name and password do not have default values. Other parameters have default values,
which are recommended.

Data Preparation
To complete the configuration, you need the following data:
● Transmission rate of a connection: 4800 bit/s
● Flow control mode: none
● Parity: even
● Stopbits: 2
● Databits: 6
● Timeout period of an idle connection: 30 minutes
● Number of rows displayed on a terminal screen: 30
● Buffer size for historical commands: 20
● User level: 15
● Authentication mode: password authentication

Procedure
Step 1 Configure physical attributes for the console user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 4800
[*HUAWEI-ui-console0] flow-control none
[*HUAWEI-ui-console0] parity even
[*HUAWEI-ui-console0] stopbits 2
[*HUAWEI-ui-console0] databits 6
[*HUAWEI-ui-console0] commit

Step 2 Configure terminal attributes for the console user interface.


[~HUAWEI-ui-console0] shell
[*HUAWEI-ui-console0] idle-timeout 30
[*HUAWEI-ui-console0] screen-length 30
[*HUAWEI-ui-console0] history-command max-size 20
[*HUAWEI-ui-console0] commit

Step 3 Set a user level for the console user interface.


[~HUAWEI-ui-console0] user privilege level 15
[*HUAWEI-ui-console0] commit

Step 4 Configure password authentication for the console user interface.


[~HUAWEI-ui-console0] authentication-mode password
[~HUAWEI-ui-console0] set authentication password
Please configure the login password (8-16)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:


● The password is entered in man-machine interaction mode. The system does not display
the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain at least two
types of the following characters: uppercase letters, lowercase letters, digits, and special
characters.
● Special characters exclude question marks (?) and spaces. However, spaces are allowed
in the password if the password is enclosed in quotation marks.
– Double quotation marks cannot contain double quotation marks if spaces are used
in a password.
– Double quotation marks can contain double quotation marks if no space is used in
a password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*HUAWEI-ui-console0] commit
[~HUAWEI-ui-console0] quit

After the console user interface has been configured, you can log in to the device
through the console port in password authentication mode. For information about
how to log in to the system through the console port, see 1.1.5.3 Configuring
Login Through a Console Port.
Step 5 Verify the configuration.
After completing the configurations, run the display user-interface command to
view the configuration of Console 0.
<HUAWEI> display user-interface 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+0 CON 0 9600 - 3 - P -
+ : Current user-interface is active.
F : Current user-interface is active and work in async mode.
Idx : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi : The privilege of user-interface.
ActualPrivi : The actual privilege of user-interface.
Auth : The authentication mode of user-interface.
A : Authenticate use AAA.
P : Authenticate use current UI's password.
Int : The physical location of UIs.

----End

Configuration Files
#
sysname HUAWEI
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password cipher @%@%(t7h+Qu=a#pz`3Kylk1/,JXR%iy(DA!x8&+!|#b&.dEW65~.lEqGm~Np$O#2M]xJM@%@%
history-command max-size 20
idle-timeout 30 0
databits 6
parity even
stopbits 2
speed 4800
screen-length 30
#
return

1.1.4.5.2 Example for Configuring VTY User Interfaces


In this configuration example, the maximum number of VTY user interfaces, limit
on incoming and outgoing calls, terminal attributes, user level, authentication
mode, and password are configured. After the configuration is complete, you can
use Telnet or SSH (STelnet) to log in to the device in password authentication
mode.

Networking Requirements
To log in to a router using Telnet or SSH for local or remote configuration and
maintenance, configure VTY user interfaces, including the maximum number of
VTY user interfaces, limit on incoming and outgoing calls, terminal attributes, user
levels, and authentication modes. You can configure parameters based on use and
security requirements.

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the maximum number of VTY user interfaces.
2. Configure the limit on incoming and outgoing calls for VTY user interfaces.
3. Configure terminal attributes for the VTY user interfaces.
4. Set a user level for the VTY user interfaces.
5. Configure an authentication mode and password for the VTY user interfaces.

Data Preparation
To complete the configuration, you need the following data:
● Maximum number of VTY user interfaces: 21
● Number of the ACL applied to limit incoming calls for the VTY user interfaces:
2000
● Timeout period of an idle connection: 30 minutes
● Number of rows displayed on a terminal screen: 30
● Buffer size for historical commands: 20
● User level: 15
● Authentication mode: password authentication
NOTE

The ACL number for limiting incoming and outgoing calls in VTY user interfaces, password, and
user name do not have default values. Other parameters have default values, which are
recommended.

Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 21
[*HUAWEI] commit

Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule deny source 10.1.1.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] user-interface vty 0 17
[*HUAWEI-ui-vty0-17] acl 2000 inbound
[*HUAWEI-ui-vty0-17] commit

Step 3 Configure terminal attributes for the VTY user interfaces.


[~HUAWEI-ui-vty0-17] shell
[*HUAWEI-ui-vty0-17] idle-timeout 30
[*HUAWEI-ui-vty0-17] screen-length 30
[*HUAWEI-ui-vty0-17] history-command max-size 20
[*HUAWEI-ui-vty0-17] commit

Step 4 Set a user level for the VTY user interfaces.


[~HUAWEI-ui-vty0-17] user privilege level 15
[*HUAWEI-ui-vty0-17] commit

Step 5 Configure password authentication for the VTY user interfaces.


[~HUAWEI-ui-vty0-17] authentication-mode password
[~HUAWEI-ui-vty0-17] set authentication password
Please configure the login password (8-16)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:


● The password is entered in man-machine interaction mode. The system does not display
the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain at least two
types of the following characters: uppercase letters, lowercase letters, digits, and special
characters.
● Special characters exclude question marks (?) and spaces. However, spaces are allowed
in the password if the password is enclosed in quotation marks.
– Double quotation marks cannot contain double quotation marks if spaces are used
in a password.
– Double quotation marks can contain double quotation marks if no space is used in
a password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*HUAWEI-ui-vty0-17] commit
[~HUAWEI-ui-vty0-17] quit

After the VTY user interfaces have been configured, you can use Telnet or SSH to
log in to the device in password authentication mode to maintain the device
locally or remotely. For information about how to use Telnet or SSH to log in to a
device, see 1.1.5.4 Configuring a User to Log In Through Telnet or 1.1.5.5
Configuring STelnet Login.
Step 6 Verify the configuration.
After completing the configurations, run the display user-interface command to
view the configurations of the VTY user interfaces.
Use VTY 14 as an example:
[~HUAWEI] display user-interface vty 14
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
48 VTY 14 - 15 - P -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

----End

Configuration Files
#
acl number 2000
rule 5 deny source 10.1.1.1 0
#
user-interface maximum-vty 21
#
user-interface vty 0 17
authentication-mode password
user privilege level 15
set authentication password cipher @%@%qQ5h+h1Ba#pJOx#+2[NX>3v'Ks6m@1Qg4%T>-q:D>7{](U0.BAb*OlJW&>We\]@%@%
history-command max-size 20
idle-timeout 30 0
screen-length 30
acl 2000 inbound
return
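The configuration file above is the end state of the roadmap in this example: a maximum-vty limit, an inbound ACL, terminal attributes, a user level and an authentication mode on VTY lines 0 to 17. The following Python script is an added example for this guide, not code from Huawei or from the NE9000. It parses a VRP-style configuration file and reports VTY lines that are missing one of those items. It assumes the real file layout (sub-commands indented under an unindented block header), that idle-timeout 0 0 disables the idle timer, that protocol inbound ssh is the command that restricts VTY lines to STelnet (neither appears in this section), and that an available-vty-threshold larger than maximum-vty is rejected, as 1.1.4.4.6 states. The embedded configuration is constructed from the file above, with a placeholder in place of the ciphertext and a weaker user-interface vty 18 19 block added so that the checks have something to report; VTY line 20 is deliberately left without a block.

```python
import re

# Constructed sample configuration for this example. It follows the layout of
# the configuration file shown for the VTY example on this page (sub-commands
# indented by one space, as in a real VRP configuration file), with a
# placeholder instead of the real ciphertext and a second, weaker VTY block.
SAMPLE_CONFIG = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface maximum-vty 21
#
user-interface vty 0 17
 authentication-mode password
 user privilege level 15
 set authentication password cipher @%@%<ciphertext-placeholder>@%@%
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 acl 2000 inbound
#
user-interface vty 18 19
 idle-timeout 0 0
#
return
"""


def parse_blocks(text):
    """Split a VRP-style configuration into (header, sub-commands) pairs.

    An unindented line starts a block (for example 'user-interface vty 0 17');
    indented lines are that block's sub-commands. '#' separators are ignored
    and 'return' ends the file.
    """
    blocks = []
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            continue
        if raw.strip() == "return":
            break
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _first(body, pattern):
    """Return the first regex match of pattern against a block's sub-commands."""
    for line in body:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def audit_vty(text):
    """Return findings as (scope, key, detail) tuples for a VRP configuration."""
    blocks = parse_blocks(text)
    defined_acls, covered, findings = set(), set(), []
    max_vty = threshold = None

    # Global items: defined ACLs, the VTY limit and the alarm threshold (1.1.4.4.6).
    for header, _ in blocks:
        m = re.match(r"^acl (?:number )?(\d+)$", header)
        if m:
            defined_acls.add(m.group(1))
        m = re.match(r"^user-interface maximum-vty (\d+)$", header)
        if m:
            max_vty = int(m.group(1))
        m = re.match(r"^user-interface vty available-vty-threshold (\d+)$", header)
        if m:
            threshold = int(m.group(1))

    for header, body in blocks:
        m = re.match(r"^user-interface vty (\d+)(?: (\d+))?$", header)
        if not m:
            continue
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        covered.update(range(first, last + 1))
        scope = f"vty {first}-{last}"

        auth = _first(body, r"^authentication-mode (\S+)")
        if auth is None:
            findings.append((scope, "no-auth-mode", "no authentication-mode configured"))
        elif auth.group(1) == "password" and not _first(body, r"^set authentication password\b"):
            findings.append((scope, "no-password", "password authentication selected but no password set"))
        if not _first(body, r"^user privilege level (\d+)$"):
            findings.append((scope, "no-privilege", "no user privilege level configured"))
        acl = _first(body, r"^acl (\d+) inbound$")
        if acl is None:
            findings.append((scope, "no-inbound-acl", "no inbound ACL limits incoming calls"))
        elif acl.group(1) not in defined_acls:
            findings.append((scope, "undefined-acl", f"inbound ACL {acl.group(1)} is not defined"))
        idle = _first(body, r"^idle-timeout (\d+)(?: (\d+))?$")
        if idle and int(idle.group(1)) == 0 and int(idle.group(2) or 0) == 0:
            # Assumption: 'idle-timeout 0 0' disables the idle timer entirely.
            findings.append((scope, "idle-timeout-disabled", "idle-timeout 0 0 never closes idle sessions"))
        proto = _first(body, r"^protocol inbound (\S+)$")
        if proto is None or proto.group(1) != "ssh":
            # Assumption: 'protocol inbound ssh' is the command that limits the lines to STelnet.
            findings.append((scope, "telnet-allowed", "lines are not restricted to STelnet with 'protocol inbound ssh'"))

    if max_vty is not None:
        uncovered = sorted(set(range(max_vty)) - covered)
        if uncovered:
            findings.append(("global", "uncovered-lines", f"VTY lines {uncovered} have no user-interface vty block"))
        if threshold is not None and threshold > max_vty:
            findings.append(("global", "threshold-exceeds-max", f"available-vty-threshold {threshold} exceeds maximum-vty {max_vty}"))
    return findings


if __name__ == "__main__":
    for scope, key, detail in audit_vty(SAMPLE_CONFIG):
        print(f"{scope}: [{key}] {detail}")
```

Run against the constructed file, the script reports only the missing STelnet restriction for lines 0 to 17, four gaps on lines 18 to 19, and line 20 as having no block at all; the same parser can be pointed at the output of display current-configuration saved to a file.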

1.1.5 User Login Configuration


You can log in to a device through a console port or using Telnet or SSH (STelnet)
to maintain the device locally or remotely.

Context
If multiple users log in to a device through a console port, the following security
risks occur:
● The device authenticates only the first user.
● The input information of a user is displayed for all users at the same time. For
example, if a user runs a command to change the password, the input
information is visible to all users at the same time.
Therefore, logging in to a device through the console port is not recommended. If
this login mode is required, do not configure multiple users for simultaneous login.

1.1.5.1 Overview of User Login


Users can manage or maintain a device only after logging in to the device
successfully. You can log in to the device through the console port or using Telnet
or STelnet.
You can configure, monitor, and maintain local or remote network devices only
after configuring user interfaces, user management, and terminal services.
User interfaces provide the login portal, user management ensures login security,
and terminal services offer login protocols.
Table 1-10 describes user login modes.

Table 1-10 User login modes

Login Mode: Configuring Login Through a Console Port
Applicable Scenario: When a device is powered on for the first time, you must
log in to the device through the console port.
● If you cannot remotely access a device, you can locally log in to the device
through the console port.
● If a device fails to start, you can log in to the device to diagnose the fault
or enter the BootROM to upgrade the device through the console port.
Remarks: By default, you can log in to a device directly through the console
port.

Login Mode: Configuring Telnet Login
Applicable Scenario: You can log in to a device using Telnet to locally or
remotely configure the device. The device authenticates users based on
configured login parameters. Telnet facilitates remote device maintenance but
provides low security.
Remarks: By default, you cannot log in to a device directly using Telnet. Before
you use Telnet to log in to a device, you must locally log in to the device
through the console port and perform the following configurations:
● Configure an IP address for the management network port on the device and
ensure that a reachable route exists between the user terminal and the device.
By default, no IP address is configured on the device.
● Configure an authentication mode for the VTY user interface.
● Set a user level for the VTY user interface.
● Enable the Telnet service.

Login Mode: Configuring STelnet Login
Applicable Scenario: STelnet based on the Secure Shell (SSH) protocol provides
information security and authentication, which protects devices against attacks,
such as IP spoofing. You can use STelnet to log in to a device to locally or
remotely maintain the device.
Remarks: By default, you cannot log in to a device directly using STelnet.
Before you use STelnet to log in to a device, you must locally log in to the
device through the console port and perform the following configurations:
● Configure an IP address for the management network port on the device and
ensure that a reachable route exists between the user terminal and the device.
By default, no IP address is configured on the device.
● Configure an authentication mode for the VTY user interface.
● Set a user level for the VTY user interface.
● Configure the VTY user interface to support SSH.
● Configure an SSH user and specify STelnet as the service type.
● Enable the STelnet service.

When a user logs in to a device using one of the preceding methods, the device
automatically executes a built-in batch processing file and records the execution
information in the system log file.

Console Port
For information about a console port, see Overview of Logging In to the System
for the First Time.

Telnet
Telnet is an application layer protocol in the TCP/IP protocol suite and provides
remote login and virtual terminal services. The NE9000 provides the following
Telnet services:

● Telnet server: A user runs the Telnet client program on a PC to log in to the
device to configure and manage the device. The device functions as a Telnet
server.
● Telnet client: After using the terminal emulator or Telnet client program on a
PC to connect to the device, a user runs the telnet command to log in to
another device for configuration and management. The device functions as a
Telnet client. In Figure 1-4, the CE functions as both a Telnet server and a
Telnet client.

Figure 1-4 Telnet server providing the Telnet client service

● Telnet service interruption

Figure 1-5 Usage of Telnet shortcut keys

Two types of shortcut keys can be used to interrupt Telnet connections. As
shown in Figure 1-5, P1 uses Telnet to log in to P2 and then to P3. P1 is the
Telnet client of P2, and P2 is the Telnet client of P3. The usage of shortcut
keys is described as follows:
– Ctrl_]: Instructs the server to disconnect a Telnet connection.
When the network works properly, entering the shortcut key Ctrl_]
causes the Telnet server to interrupt the current Telnet connection.
For example, after you enter Ctrl_] on P3, the <P2> prompt is displayed.
<P3> Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2>

After you enter Ctrl_] on P2, the <P1> prompt is displayed.
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>

NOTE

If the network connection is disconnected, shortcut keys do not take effect.


– Ctrl_K: Instructs the client to disconnect the connection.

When the server fails and the client is unaware of the failure, the server
does not respond to the client's input. If you enter Ctrl_K, the Telnet
client interrupts and quits the Telnet connection.
For example, enter Ctrl_K on P3 to quit the Telnet connection.
<P3> Ctrl_K
<P1>

NOTICE

When the number of remote login users reaches the maximum number
of VTY user interfaces, the system prompts subsequent users with a
message, indicating that all user interfaces are in use and no more Telnet
connections are allowed.

STelnet
NOTE

Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices
running SSH2 can function as SSH clients. STelnet is based on SSH2. When the client and
the server set up a secure connection after negotiation, the client can log in to the server in
the same way as using Telnet.

Telnet access is not secure because there is no authentication method and the
data transmitted across Transmission Control Protocol (TCP) connections is in
plaintext. As a result, the system is vulnerable to denial of service (DoS), IP
address spoofing, and route spoofing attacks.
SSH provides secure remote access on an insecure network by supporting the
following functions:
● Supports key-based authentication. Public and private key pairs are generated
according to the principles of asymmetric cryptography, which enables secure
key exchange and protects the session.
● Encrypts transmitted data.
● When the SSH client communicates with the server, the user name and
password are encrypted to prevent the password from being intercepted.
A device serving as an SSH server can accept connection requests from multiple
SSH clients. The device can also serve as an SSH client, helping users establish SSH
connections with an SSH server. This allows users to use SSH to log in to remote
devices from the local device.
● Local connection
As shown in Figure 1-6, an SSH channel is established for a local connection.

Figure 1-6 Establishing an SSH channel on a local area network (LAN)

● Wide area network (WAN) connection


As shown in Figure 1-7, an SSH channel is established for a connection on a
WAN.

Figure 1-7 Establishing an SSH channel on a WAN

1.1.5.2 Configuration Precautions for User Login

Feature Requirements
None

1.1.5.3 Configuring Login Through a Console Port


To configure a router that is powered on for the first time or locally maintain the
router, log in to the router through the console port.

Usage Scenario
If a router is powered on for the first time, you can log in to the router only
through the console port.
● If you cannot remotely access a device, you can locally log in to the device
through the console port.

● If a device fails to start, you can log in to the device to diagnose the fault or
enter the BootROM to upgrade the device through the console port.

Pre-configuration Tasks
Before logging in to a router through a console port, complete the following tasks:
● Install a terminal emulator on a PC, such as PuTTY.exe.
● Prepare a console configuration cable.

1.1.5.3.1 Logging In to a Router Through a Console Port


You can connect a user terminal to the console port on a router and then log in to
the router.

Context
NOTE

● Communication parameters of the user terminal must be consistent with the physical
attributes of the console user interface on the router.
● If an authentication mode has been configured for the console user interface, a user can
log in to the router only after authentication succeeds, which enhances network
security.

Procedure
Step 1 Start the PuTTY.exe program. In the PuTTY configuration page (shown in Figure
1-8), set the connection type to Serial.

Figure 1-8 PuTTY configuration page

Step 2 Choose Serial in the Category navigation tree on the left of the PuTTY
configuration page. In the port connection configuration page (shown in Figure
1-9), set the communication parameters of the port to the default values of the
device. (The following figure is for reference only. Use the default settings during
configuration.)

Figure 1-9 Port connection configuration page

Step 3 Click Open. The system then prompts you to set an authentication password, as
shown in Figure 1-10. After you confirm the password, the system automatically
saves it.

Figure 1-10 Login page

After the password is set, the command prompt (for example, <HUAWEI>) of the
user view is displayed, which indicates that you have entered the user view and
can perform configurations.

You can enter commands to configure the device or view its running status. Enter
a question mark (?) when you need help.

NOTE

The password must meet the following requirements:


● The password is entered in man-machine interaction mode. The system does not display
the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain at least two
types of the following characters: uppercase letters, lowercase letters, digits, and special
characters.
● Special characters exclude question marks (?) and spaces. However, spaces are allowed
in the password if the password is enclosed in quotation marks.
– Double quotation marks cannot contain double quotation marks if spaces are used
in a password.
– Double quotation marks can contain double quotation marks if no space is used in
a password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.

----End
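The password rules stated in the NOTE above, and repeated in 1.1.4.5.1 Step 4, 1.1.4.5.2 Step 5 and the set authentication password procedures, can be checked before a password is typed into a device. The following Python script is an added example for this guide, not code from Huawei or from the NE9000. It assumes that "special characters" means ASCII punctuation other than the question mark, that the 8 to 16 character length is counted inside the enclosing quotation marks, and that characters outside the four listed classes are rejected. The sample passwords are constructed; the two quoted examples from the NOTE are among them.

```python
import string

# Assumption for this example: "special characters" are ASCII punctuation;
# the page excludes the question mark and the space from that set.
SPECIAL_CHARS = set(string.punctuation) - {"?"}
ALLOWED_CHARS = set(string.ascii_letters + string.digits) | SPECIAL_CHARS | {" ", "?"}


def character_classes(pwd):
    """Return the set of character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in pwd:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL_CHARS:
            classes.add("special")
    return classes


def validate_password(entry):
    """Check a password as it would be typed at the CLI against the page's rules.

    Returns a list of rule violations; an empty list means the entry is
    acceptable. An entry enclosed in double quotation marks is treated as a
    quoted password; the length rule is applied to the characters inside the
    quotation marks (assumption made for this example).
    """
    quoted = len(entry) >= 2 and entry[0] == '"' and entry[-1] == '"'
    pwd = entry[1:-1] if quoted else entry
    problems = []

    if not 8 <= len(pwd) <= 16:
        problems.append(f"length {len(pwd)} is outside the 8 to 16 character range")
    if "?" in pwd:
        problems.append("question marks (?) are not allowed")
    if " " in pwd and not quoted:
        problems.append("spaces are allowed only when the password is enclosed in double quotation marks")
    if " " in pwd and quoted and '"' in pwd:
        problems.append("a quoted password that contains spaces cannot contain double quotation marks")
    if len(character_classes(pwd)) < 2:
        problems.append("at least two of uppercase, lowercase, digits and special characters are required")
    # Assumption: anything outside the classes the page lists is rejected.
    bad = sorted({ch for ch in pwd if ch not in ALLOWED_CHARS})
    if bad:
        problems.append(f"characters {bad} are outside the allowed character classes")
    return problems


def is_valid(entry):
    """True when the entry satisfies every rule."""
    return not validate_password(entry)


if __name__ == "__main__":
    # Constructed samples, including the two quoted examples from the NOTE.
    samples = ['"Aa123"45""', '"Aa 123"45""', "Aa123456", '"Aa 12345"',
               "Aa 12345", "aaaaaaaa", "Aa12345?", "Ab1"]
    for sample in samples:
        verdict = validate_password(sample)
        print(f"{sample!r}: {'valid' if not verdict else '; '.join(verdict)}")
```

The check is deliberately conservative: an entry with a leading but no trailing quotation mark is treated as unquoted, so a stray space in it is reported rather than silently accepted.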

1.1.5.3.2 (Optional) Configuring the Console User Interface


When you log in to a router through a console port to perform local maintenance,
you can configure attributes for the console user interface as needed.

Context
Console user interface attributes have default values on a router. Generally, you do
not need to configure them. To meet specific use requirements or ensure network
security, you can modify console user interface attributes, such as terminal
attributes and authentication mode.
For details about how to configure the console user interface, see Configuring the
Console User Interface.

NOTE

Modifications to console user interface attributes take effect immediately. When you log in
to a router through a console port to configure console user interface attributes, the
connection may be interrupted. Therefore, it is recommended that you configure console
user interface attributes using other login methods. To log in to the router through the
console port again after configuring console user interface attributes, you must ensure that
the configurations of the terminal emulator running on the PC are consistent with the
console user interface attributes configured on the router.

1.1.5.3.3 Verifying the Configuration of Logging In to the System Through the
Console Port
After logging in to a router through a console port, you can view information
about the console user interface, such as the usage, physical attributes and
configurations, local user list, and online users.

Prerequisites
Login through a console port has been configured.

Procedure
● Run the display users [ all ] command to check user login information about
user interfaces.
● Run the display user-interface console 0 command to check physical
attributes and configurations of the user interface.
In VS mode, this command is supported only by the admin VS.
● Run the display local-user command to check the local user list.
● Run the display access-user command to check information about users that
pass AAA authentication.
----End

1.1.5.4 Configuring a User to Log In Through Telnet


This section describes how to configure a user to remotely log in to devices
through Telnet to perform management and maintenance.

Usage Scenario
If one or more devices need to be configured and managed, you do not need to
connect each of the devices to the user terminal for local maintenance. If you
have obtained the IP addresses of the devices and it is not the first time for you to
log in to the devices, use Telnet to log in to the devices from the user terminal and
perform remote device configuration. This method allows you to maintain
multiple devices using a single user terminal, greatly facilitating operations.

NOTE

Device IP addresses must be preconfigured through the console port.


You are advised to use STelnet because Telnet is insecure.

Pre-configuration Tasks
Before configuring a user to log in to devices through Telnet, log in to the devices
through the console port and change the default configurations of the devices so
that the user can remotely log in to the devices through Telnet to perform
management and maintenance. To change the default configurations, complete
the following tasks:
● Configure IP addresses for the management network interfaces of the devices
to ensure that the routes between the user terminal and devices are
reachable.
● Configure an authentication mode and user level for VTY user interfaces
to achieve remote device management and maintenance.
● Enable the Telnet server function so that users can remotely log in to
devices through Telnet.

1.1.5.4.1 Configuring a User Level and Authentication Mode for the VTY User
Interface
To use Telnet to log in to a device for remote management and maintenance, you
must first log in to the device through the console port and change the user level
and authentication mode.

Context
Other attributes on the VTY user interface have default values. Generally, you do
not need to modify them. You can also modify these attributes as required. For
details, see 1.1.4.4 Configuring VTY User Interfaces.

Procedure
● Configure a user level for the VTY user interface.
a. Run system-view
The system view is displayed.
b. Run user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
c. Run the user privilege level level command to set the user level. Table
1-11 lists the mapping between user levels and command levels in the
VTY user interface.

NOTE

The value of level ranges from 0 to 15 when the command-privilege level
rearrange configuration exists.
The value of level ranges from 0 to 3 when the command-privilege level
rearrange configuration does not exist.

Table 1-11 Mapping between user levels and command levels

User Level (0 to 3) | User Level (0 to 15) | Command Level | Permission | Description
0 | 0 | 0 | Visit | Diagnostic commands, such as ping and tracert, and commands that are used to access a remote device such as a Telnet client.
1 | 1-9 | 0, 1 | Monitoring | Commands of this level are used for system maintenance, including display commands. NOTE: Not all display commands are of the monitoring level. For example, the display current-configuration command is of management level (3). For details about command levels, see HUAWEI NetEngine9000 Command Reference.
2 | 10 to 14 | 0, 1, and 2 | Configuration level | Service configuration commands
3 | 15 | 0, 1, 2, and 3 | Management level | Commands of the management level are used for basic system operation to support services, including file system, FTP, TFTP, and configuration file switching commands, slave board control commands, user management commands, command level configuration commands, reboot commands, and debugging commands.

NOTE

● User levels correspond to command levels. After a user logs in to a device, the
user can use only commands of the corresponding level or lower, which
improves device security.
● If the user level configured for a user interface conflicts with the user level
configured for a user, the user level configured for the user takes precedence.
d. Run commit
The configuration is committed.

● Configure an authentication mode for the VTY user interface.
The system provides password and AAA authentication. You can select either
as required.
– Configure password authentication.
i. Run system-view
The system view is displayed.
ii. Run user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
iii. Run authentication-mode password
The authentication mode is set to password authentication.
iv. Run set authentication password [ cipher password ]
The configured password is changed.
NOTE

● If cipher is not specified, a password is entered in man-machine
interaction mode and the system does not display the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must
contain at least two types of the following characters: uppercase letters,
lowercase letters, digits, and special characters.
● Special characters exclude question marks (?) and spaces. However,
when quotation marks (") are used around the password, spaces are
allowed in the password.
● Double quotation marks cannot contain double quotation marks if
spaces are used in a password.
● Double quotation marks can contain double quotation marks if no
space is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa
123"45"" is invalid.
● If cipher is specified, a password can be entered in either simple text or cipher text.
● If a password is entered in simple text, the password requirements are the same as those when cipher is not specified. When you input a password in simple text, the system echoes it on the terminal, so it can be read from the screen or recovered from a terminal log.
● A password is displayed in cipher text in the configuration file regardless of whether it is entered in simple text or cipher text.
If you have run the undo authentication-mode command to delete the
authentication mode configured for the console user interface, you cannot
run the set authentication password [ cipher password ] command to
change the authentication password.
v. Run commit
The configuration is committed.
– Configure AAA authentication.
When the authentication mode is set to AAA authentication, you must
specify the access type of a local user.
i. Run system-view
The system view is displayed.


ii. (Optional) Run crypto password irreversible-algorithm hmac-sha256
The irreversible (one-way) algorithm used to store local user passwords is set to HMAC-SHA256.
iii. Run aaa
The AAA view is displayed.
iv. Run the local-user user-name password [ cipher password |
irreversible-cipher irreversible-cipher-password ] command to
configure the local username and password.
○ If cipher or irreversible-cipher is not specified, a password is
entered in man-machine interaction mode and the system does
not display the entered password.
When the user security policy is configured, the value is a string
of 8 to 128 case-insensitive characters without spaces. When the
user security policy is not configured, the value is a string of 1 to
128 case-insensitive characters without spaces. When the user
security policy is configured, the password cannot be the same
as the user name or its reverse. The password must contain the
following characters: upper-case character, lower-case character,
digit, and special character.
NOTE

Special characters do not include question marks (?) or spaces. However, when double quotation marks are used around a password, spaces are allowed in the password.
● Double quotation marks cannot contain double quotation marks
if spaces are used in a password.
● Double quotation marks can contain double quotation marks if
no space is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa
123"45"" is invalid.
○ If cipher is specified, a password can be entered in either simple
text or cipher text.
If a password is entered in simple text, the password
requirements are the same as those when cipher is not
specified. When you input a password in simple text, the system
displays the password in simple text mode, which brings risks.
A password is displayed in cipher text in the configuration file
regardless of whether it is entered in simple text or cipher text.
○ If irreversible-cipher is specified, a password can be entered in
either simple text or irreversible cipher text.
If a password is entered in simple text, the password
requirements are the same as those when irreversible-cipher is
not specified.
A password is displayed in cipher text in the configuration file
regardless of whether it is entered in simple text or irreversible
cipher text.
v. Run local-user user-name service-type telnet
The access type of the local user is set to Telnet.


vi. Run local-user user-name user-group user-group-name
The local user is added to a user group.
vii. Run quit
Exit the AAA view.
viii. Run user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
ix. Run authentication-mode aaa
The authentication mode is set to AAA authentication.
x. Run protocol inbound { telnet | all }
Telnet is configured for VTY user interfaces.
xi. Run commit
The configuration is committed.

----End
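The password rules listed above for set authentication password (8 to 16 characters, at least two character classes) and for local-user ... password with the user security policy (8 to 128 characters, all four classes, not the user name or its reverse), together with the shared quoting rules for spaces and double quotation marks, are easy to get wrong when passwords are generated by a provisioning script. The checker below is an added example, not Huawei code: it encodes those rules as stated in this guide (the same rules are repeated in 1.1.5.5.1 for SSH users) so a pipeline can reject a bad password before the commit fails on the device. The definition of "special character" in the code is an assumption; the device's own check is authoritative.

```python
"""Password-policy checker mirroring the rules this guide states for
`set authentication password` (VTY password authentication) and for
`local-user ... password` (AAA local users).  Added example: this is not
Huawei code and the device's own checker may differ in details."""
from __future__ import annotations


def _is_special(ch: str) -> bool:
    # ASSUMPTION: "special" means any printable character that is not a letter,
    # digit, question mark or space; the guide never allows '?' at all.
    return ch.isprintable() and not ch.isalnum() and ch not in "? "


def unquote(raw: str) -> tuple[str, bool]:
    """Strip one pair of surrounding double quotes; return (inner text, was quoted)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1], True
    return raw, False


def quoting_rules_ok(inner: str, quoted: bool) -> bool:
    """Guide rules: no '?'; spaces only inside a quoted password; a quoted
    password that contains spaces may not also contain double quotes."""
    if "?" in inner:
        return False
    if " " in inner:
        return quoted and '"' not in inner
    return True


def char_classes(s: str) -> set[str]:
    """Which of the four classes (upper, lower, digit, special) appear in s."""
    classes: set[str] = set()
    for ch in s:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif _is_special(ch):
            classes.add("special")
    return classes


def check_vty_password(raw: str) -> bool:
    """`set authentication password`: 8-16 characters, at least two classes."""
    inner, quoted = unquote(raw)
    if not 8 <= len(inner) <= 16 or not quoting_rules_ok(inner, quoted):
        return False
    return len(char_classes(inner)) >= 2


def check_local_user_password(raw: str, username: str, security_policy: bool = True) -> bool:
    """`local-user ... password` with the user security policy on: 8-128 characters,
    all four classes, not the user name or its reverse.  With the policy off only
    the 1-128 length and the quoting rules apply."""
    inner, quoted = unquote(raw)
    if not quoting_rules_ok(inner, quoted):
        return False
    if not security_policy:
        return 1 <= len(inner) <= 128
    if not 8 <= len(inner) <= 128:
        return False
    # The guide calls the check case-insensitive, so compare lower-cased forms.
    if inner.lower() in (username.lower(), username.lower()[::-1]):
        return False
    return len(char_classes(inner)) == 4


if __name__ == "__main__":
    # The two examples from the guide plus two constructed ones.
    for pw in ('"Aa123"45""', '"Aa 123"45""', "Huawei@123", "Huawei123"):
        print(f"{pw!r:16} vty={check_vty_password(pw)} "
              f"local={check_local_user_password(pw, 'admin')}")
```

The guide's own examples behave as documented: "Aa123"45"" passes both checks, while "Aa 123"45"" fails because it mixes spaces and inner quotes. Note that a password such as Huawei123 is acceptable for the VTY password but not for a local user under the security policy, which needs all four classes.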

1.1.5.4.2 Enabling the Telnet Server Function


Before a user terminal establishes a Telnet connection with a device, log in to the device through the console port to enable the Telnet server function on the device. You can then use Telnet to remotely log in to the device. Telnet transmits credentials and session data in plaintext, so enable it only on an isolated management network and prefer STelnet (see 1.1.5.5) wherever the clients support SSH.

Context
Perform the following steps on the device to be used as a Telnet server as
required:

Procedure
● Enable the Telnet IPv4 server function.
a. Run system-view
The system view is displayed.
b. Run telnet server enable
The Telnet IPv4 server function is enabled.
c. Run commit
The configuration is committed.
● Enable the Telnet IPv6 server function.
a. Run system-view
The system view is displayed.
b. Run telnet ipv6 server enable
The Telnet IPv6 server function is enabled.
c. Run commit
The configuration is committed.


NOTE

If you disable the Telnet server function on a device, the established Telnet
connections are not interrupted but new Telnet connections are denied. In this
situation, you can log in to the device only by using SSH or through the console port.

----End

1.1.5.4.3 Using Telnet to Log In to the System


After you log in to a device through a console port and configure the device, you
can use Telnet to log in to and remotely maintain the device.

Context
To log in to the system by using Telnet, use either the Windows Command Prompt
or third-party software on the terminal. Use the Windows Command Prompt as an
example.

Perform the following steps on the PC.

NOTE

In the case of device login through a VTY channel, to avoid the access failure that occurs
when the number of VTY connections exceeds the upper threshold, you can perform the
following operations to check and configure the maximum number of VTY users that can
log in to the device:
1. Run the display user-interface maximum-vty command to check the maximum
number of VTY users that are supported.
2. Run the display user-interface command to check user interface information. The plus
sign (+) indicates an occupied channel. If all channels are occupied, subsequent users
cannot log in to the device. If an online user logs out, the user may fail to log in again
when its channel is occupied by another user. In this case, run the user-interface
maximum-vty number command to configure the maximum number of users that are
allowed to log in.

Procedure
Step 1 Enter the Windows Command Prompt window.

Step 2 Run the telnet ip-address command to use Telnet to log in to the device.
1. Enter the IP address of the Telnet server.
2. Press Enter. The command prompt of the user view, for example, <HUAWEI>,
is displayed, indicating that you have accessed the Telnet server.

----End

Follow-up Procedure
You can run the kill user-interface { ui-number | ui-type ui-number1 } command
to log out a user.

The parameter console is supported only on the Admin-VS.


1.1.5.4.4 Configuring Telnet Server Parameters


Properly setting parameters for a Telnet server improves network security. Telnet
server parameters include a listening port number and source interface.

Context
● Listening port number
Attackers may scan and connect to the default listening port (TCP 23), consuming bandwidth, deteriorating server performance, and preventing authorized users from logging in to the server. Changing the listening port number keeps opportunistic scanners that probe only the default port away from the service. This is obscurity rather than access control: a full port scan still reveals the new port, so combine it with a source interface, a Telnet ACL (1.1.5.4.6), and IP address blocking (1.1.5.4.7).
● Source interface
A Telnet server receives connection requests from all interfaces after a restart
with non-base configuration, leading to low system security. To enhance
system security, specify a source interface for the Telnet server so that only
authorized users can log in to the Telnet server.
If no source interface is specified after the server starts with base
configuration, users cannot log in to the server through Telnet.
After a source interface is specified, the system allows Telnet users to log in to
the Telnet server only through this source interface. Setting this parameter
does not affect the Telnet users who have logged in to the server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure Telnet server parameters.
● (Optional) Run telnet server port port-number
A listening port number is set for the Telnet server.
If a new listening port number is set, the Telnet server terminates all
established Telnet connections and uses the new port number to listen for
new Telnet connection requests.
● Configure the source interface or source address for the Telnet server.
– Run telnet server-source -i { interface-type interface-number | interface-name }
The source interface is specified for the Telnet server.
NOTE

If you specify a logical interface as the source interface of the Telnet server, this
interface must have been created. Otherwise, the command cannot be executed
successfully.
– Run telnet server-source all-interface
Any interface on the Telnet server can be used as its source interface.
After the command is run, users can log in to the Telnet server through
any physical interface configured with an IPv4 address or any created
logical interface configured with an IPv4 address.


NOTE

If the telnet server-source all-interface command is run, users can log in to the
Telnet server through any interface with a valid IPv4 address, which increases
system security risks. Therefore, running the command is not recommended.
– Run telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
A source IPv6 address is specified for the Telnet server.
If a source IPv6 address is specified, the Telnet server allows users to log
in using this source IPv6 address only and denies access of the users who
attempt to log in using other IPv6 addresses.
– Run telnet ipv6 server-source all-interface
The IPv6 address of any interface on the Telnet server can be used as the
source IPv6 address of the Telnet server.
After the command is run, users can log in to the Telnet server through
any physical interface configured with an IPv6 address or any created
logical interface configured with an IPv6 address.
NOTE

If the telnet ipv6 server-source all-interface command is run, users can log in
to the Telnet server through any valid interface IPv6 address, which increases
system security risks. Therefore, running the command is not recommended.
– Run telnet server-source physic-isolate -i { interface-type interface-number | interface-name } -a ip-address
A source IPv4 interface is specified for the Telnet server, and the interface isolation attribute is set for the Telnet server.
– Run telnet ipv6 server-source physic-isolate -i { interface-type interface-number | interface-name } -a ipv6-address
A source IPv6 interface is specified for the Telnet server, and the interface isolation attribute is set for the Telnet server.
NOTE

After the interface isolation attribute is set successfully, packets can be sent to
the server only through the specified physical interface, and those sent through
other interfaces are discarded.

Step 3 Run commit
The configuration is committed.
----End

1.1.5.4.5 (Optional) Configuring CAR for Whitelisted Telnet Sessions


You can configure CAR for whitelisted Telnet sessions to limit the rate at which
packets of the whitelisted Telnet sessions are sent to the Telnet server. This
configuration prevents Telnet sessions from preempting bandwidth if the Telnet
server encounters a traffic burst.

Context
When packets sent to the Telnet server form a traffic burst, sessions may preempt
bandwidth. To resolve this problem, you can configure CAR for whitelisted Telnet


sessions. This configuration isolates bandwidth resources between sessions. If the default CAR parameters for whitelisted Telnet sessions do not meet service requirements, you can adjust them as required.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run whitelist session-car telnet-server { cir cir-value | cbs cbs-value | pir pir-value | pbs pbs-value }*
CAR parameters are configured for whitelisted Telnet sessions.
Step 3 (Optional) Run whitelist session-car telnet-server disable
CAR for whitelisted Telnet sessions is disabled.
Step 4 Run commit
The configuration is committed.

----End

1.1.5.4.6 (Optional) Configuring Telnet Access Control


An ACL can be configured to allow only specified clients to access a Telnet server.

Context
When a device functions as a Telnet server, you can configure an ACL to allow
only the clients that meet the rules specified in the ACL to access the Telnet server.
Perform the following steps on the device that functions as a Telnet server:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]
The ACL view is displayed.
Step 3 Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
or rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type fragment | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *
A rule is configured for the ACL.
Step 4 Run quit


Return to the system view.


Step 5 Run telnet server acl { acl4name | acl4num } or telnet ipv6 server acl
{ acl6name | acl6num }
A Telnet ACL is configured.
Step 6 Run commit
The configuration is committed.

----End
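Whether a given management host is accepted by the ACL applied with telnet server acl depends on the source mask form of each rule and on match-order, and a mistake here locks administrators out. The evaluator below is an added example, not Huawei code, for checking a rule set offline before it is committed. Assumptions it makes: the three source mask forms are read as a dotted wildcard (1 bits are "don't care"), 0 (exact host), and a prefix length; auto is implemented as depth-first ordering (most specific source first); rules are auto-numbered in steps of 5 as with the device's default step; and what happens to a client that matches no rule is a parameter (default_action), set to deny here because the guide says only matching clients are allowed.

```python
"""Evaluator for the basic (IPv4) ACL applied with `telnet server acl`.
Added example, not Huawei code.  See the lead-in for the assumptions on
mask forms, `match-order auto` and the no-match default."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def parse_source(spec: str) -> tuple[int, int]:
    """Return (network, fixed_mask): a client matches when ip & fixed_mask == network."""
    if spec == "any":
        return 0, 0
    addr, mask = spec.split()
    ip = int(ipaddress.IPv4Address(addr))
    if mask == "0":                        # `source 10.1.1.5 0`: exact host (ASSUMPTION)
        fixed = ALL_ONES
    elif mask.isdigit():                   # `source 10.1.1.0 24`: mask length (ASSUMPTION)
        plen = int(mask)
        fixed = (ALL_ONES << (32 - plen)) & ALL_ONES if plen else 0
    else:                                  # `source 10.1.1.0 0.0.0.255`: wildcard
        fixed = ~int(ipaddress.IPv4Address(mask)) & ALL_ONES
    return ip & fixed, fixed


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    source: str = "any"

    @property
    def fixed_bits(self) -> int:
        """Number of address bits the rule pins down; more means more specific."""
        return bin(parse_source(self.source)[1]).count("1")

    def matches(self, ip: int) -> bool:
        network, fixed = parse_source(self.source)
        return ip & fixed == network


class BasicAcl:
    def __init__(self, match_order: str = "config", default_action: str = "deny"):
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be config or auto")
        self.match_order, self.default_action = match_order, default_action
        self.rules: list[Rule] = []

    def rule(self, action: str, source: str = "any", rule_id: int | None = None) -> "BasicAcl":
        """Mirror of `rule [rule-id] {deny|permit} [source ...]`; chainable."""
        if rule_id is None:                # auto-number in steps of 5 (ASSUMPTION: device default)
            rule_id = (self.rules[-1].rule_id // 5 + 1) * 5 if self.rules else 5
        self.rules.append(Rule(rule_id, action, source))
        return self

    def ordered(self) -> list[Rule]:
        """config: by rule ID; auto: depth-first, most specific source first (ASSUMPTION)."""
        if self.match_order == "auto":
            return sorted(self.rules, key=lambda r: (-r.fixed_bits, r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)

    def evaluate(self, client: str) -> str:
        """First matching rule wins; no match falls back to default_action."""
        ip = int(ipaddress.IPv4Address(client))
        for r in self.ordered():
            if r.matches(ip):
                return r.action
        return self.default_action


if __name__ == "__main__":
    # Constructed rule set: a management subnet, then an explicit deny-all.
    acl = BasicAcl().rule("permit", "10.1.1.0 0.0.0.255").rule("deny", "any")
    for client in ("10.1.1.7", "10.2.0.1"):
        print(client, "->", acl.evaluate(client))
```

Two practical consequences follow from the evaluator. First, with match-order config a broad deny placed before a narrow permit hides the permit, while auto would evaluate the host rule first; decide which order you mean and do not rely on the implicit one. Second, end the ACL with an explicit rule deny source any, so the result for unlisted clients does not depend on the implicit no-match behaviour of the device.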

1.1.5.4.7 (Optional) Enabling the IP Address Blocking Function for Telnet Connections

The IP address blocking function for Telnet connections prevents IP addresses that
fail to be authenticated from logging in to a device through Telnet. If this function
is disabled, the device is vulnerable to network attacks.

Context
When a device functions as a Telnet server, you can configure the IP address
blocking function to protect the device against network attacks, thereby
enhancing security.
Perform the following steps on a device that functions as a Telnet server.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the undo telnet server ip-block disable command to enable the IP address
blocking function for Telnet connections.
Step 3 Run the commit command to commit the configuration.
NOTE

The IP addresses that fail to be authenticated are blocked only when the IP address
blocking function is enabled. This enhances device security.

Step 4 The IP addresses that fail to be authenticated will be locked for 5 minutes. To
unlock a locked IP address in advance, perform the following steps:
1. Run the quit command to exit the system view and enter the user view.
2. Run the activate vty ip-block ip-address ip-address [ vpnname vpn-name ]
command to unblock the IP address that fails to be authenticated for Telnet
connections.

----End

1.1.5.4.8 (Optional) Configuring Alarm Generation and Clearance Thresholds for Telnet Server Login Failures

This section describes how to configure alarm generation and clearance thresholds
for Telnet server login failures within a specified period. This configuration
facilitates user login management.


Context
When the number of Telnet server login failures within a specified period exceeds
the threshold, an alarm is generated and displayed for an administrator to
promptly handle the associated event.
Perform the following steps on a device that functions as a Telnet server:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run telnet server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time
Alarm generation and clearance thresholds for Telnet server login failures within a
specified period are configured.

NOTE

The alarm generation threshold specified using report-times must be greater than or equal
to the alarm clearance threshold specified using resume-times.

Step 3 Run commit
The configuration is committed.

----End

1.1.5.4.9 (Optional) Configuring the Maximum Number of Connections for Telnet Login to the Server Using a Single IP Address

You can configure the maximum number of Telnet connections established using a
single IP address. This prevents the situation where other IP addresses fail in login
because an IP address has been used to establish too many connections to a
server.

Context
When a device functions as a Telnet server, you can configure the maximum
number of connections established using a single IP address to prevent malicious
attacks, thereby enhancing security.
Perform the following steps on a device that functions as a Telnet server.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the telnet server ip-limit-session limit-session-num command to configure
the maximum number of connections allowed for Telnet login to the server
through a single IP address.
Step 3 Run the commit command to commit the configuration.

----End
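Sections 1.1.5.4.7 to 1.1.5.4.9 describe three protections that interact at the same point, admission of a Telnet client: IP address blocking after authentication failures (locked for 5 minutes, released early with activate vty ip-block ip-address), the login-failure alarm with its upper-limit and lower-limit thresholds over a period, and the per-address session cap. The model below is an added example, not Huawei code and not a description of the device's internal implementation, which is not published. It exists so the threshold semantics can be reasoned about (and so the same detection can be run against exported login logs from a collector). Assumptions, also marked in the code: the alarm is raised when failures in the window reach report-times and cleared when they fall to resume-times or below; an address is blocked after block_after failures, because the guide states the lock duration but not the failure count.

```python
"""Sliding-window model of three Telnet server protections this guide configures:
`telnet server login-failed threshold-alarm` (alarm with hysteresis), the IP
address blocking function (5-minute lock, released with `activate vty ip-block`)
and `telnet server ip-limit-session`.  Added example, not Huawei code."""
from __future__ import annotations
from collections import defaultdict, deque

BLOCK_SECONDS = 300   # guide: a blocked address is locked for 5 minutes


class TelnetLoginMonitor:
    def __init__(self, report_times: int, resume_times: int, period: int,
                 block_after: int = 3, ip_limit_session: int | None = None):
        # Guide: upper-limit (report-times) must be >= lower-limit (resume-times).
        if report_times < resume_times:
            raise ValueError("report-times must be >= resume-times")
        self.report_times, self.resume_times, self.period = report_times, resume_times, period
        self.block_after = block_after                      # ASSUMPTION: not given by the guide
        self.ip_limit_session = ip_limit_session
        self.failures: deque[float] = deque()               # global failure times in window
        self.fail_by_ip: dict[str, deque[float]] = defaultdict(deque)
        self.blocked: dict[str, float] = {}                 # ip -> time the lock expires
        self.sessions: dict[str, int] = defaultdict(int)    # open Telnet sessions per ip
        self.alarm_active = False

    def _prune(self, now: float) -> None:
        """Drop failures older than `period` and locks that have expired."""
        while self.failures and now - self.failures[0] > self.period:
            self.failures.popleft()
        for q in self.fail_by_ip.values():
            while q and now - q[0] > self.period:
                q.popleft()
        for ip in [ip for ip, until in self.blocked.items() if now >= until]:
            del self.blocked[ip]

    def connect(self, ip: str, now: float) -> str:
        """Admission decision for a new TCP connection from `ip`."""
        self._prune(now)
        if ip in self.blocked:
            return "rejected: ip-block"
        if self.ip_limit_session is not None and self.sessions[ip] >= self.ip_limit_session:
            return "rejected: ip-limit-session"
        self.sessions[ip] += 1
        return "accepted"

    def disconnect(self, ip: str) -> None:
        self.sessions[ip] = max(0, self.sessions[ip] - 1)

    def login_failed(self, ip: str, now: float) -> list[str]:
        """Record an authentication failure; return the events it triggers."""
        events: list[str] = []
        self._prune(now)
        self.failures.append(now)
        self.fail_by_ip[ip].append(now)
        # ASSUMPTION: raise at or above upper-limit within the period.
        if not self.alarm_active and len(self.failures) >= self.report_times:
            self.alarm_active = True
            events.append("ALARM: login failures reached upper-limit")
        if ip not in self.blocked and len(self.fail_by_ip[ip]) >= self.block_after:
            self.blocked[ip] = now + BLOCK_SECONDS
            events.append(f"BLOCK {ip} for {BLOCK_SECONDS}s")
        return events

    def tick(self, now: float) -> list[str]:
        """Periodic check: clear the alarm once the window count is at or below lower-limit."""
        self._prune(now)
        if self.alarm_active and len(self.failures) <= self.resume_times:
            self.alarm_active = False
            return ["ALARM CLEARED: login failures at or below lower-limit"]
        return []

    def activate(self, ip: str) -> bool:
        """Operator release before the lock expires (`activate vty ip-block ip-address`)."""
        return self.blocked.pop(ip, None) is not None


if __name__ == "__main__":
    # Constructed event stream: three failures from one address within a minute.
    m = TelnetLoginMonitor(report_times=5, resume_times=2, period=60, block_after=3)
    for t in (100.0, 110.0, 120.0):
        print(t, m.login_failed("203.0.113.9", t))
    print(m.connect("203.0.113.9", 130.0), "| after activate:", m.activate("203.0.113.9"))
```

The hysteresis between report-times and resume-times is what keeps a noisy link from flapping the alarm, which is why the guide requires the upper limit to be at least the lower limit. Note also that the block is keyed on source address only: several administrators behind one NAT share a single lock and a single ip-limit-session budget, so size those values for the shared address, not per person.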


1.1.5.4.10 Verifying the Configuration of User Login to the System Using Telnet
After using Telnet to log in to a device, you can view information about the
current user interface, every user interface, and established TCP connections.

Prerequisites
Telnet login has been configured.

Procedure
● Run the display users [ all ] command to check information about user
interfaces.
● Run the display tcp status command to check established TCP connections.
● Run the display telnet server status command to check the status and
configurations of the Telnet server.
● After configuring whitelist session-CAR for Telnet, you can verify the
configuration.
– For IPv4, run the display cpu-defend whitelist session-car telnet
statistics slot slot-id command to check statistics about whitelist session-
CAR for Telnet on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist session-car
telnet statistics slot slot-id command to clear the existing statistics
about whitelist session-CAR for Telnet on a specified interface board, and
then run the display cpu-defend whitelist session-car telnet statistics
slot slot-id command.
– For IPv6, run the display cpu-defend whitelist-v6 session-car telnetv6
statistics slot slot-id command to check statistics about whitelist session-
CAR for Telnet on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist-v6 session-car
telnetv6 statistics slot slot-id command to clear the existing statistics
about whitelist session-CAR for Telnet on a specified interface board, and
then run the display cpu-defend whitelist-v6 session-car telnetv6
statistics slot slot-id command.
● Run the display vty ip-block all command to check all IP addresses that fail
to be authenticated.
● Run the display vty ip-block list command to check the list of IP addresses
that are blocked due to authentication failures.
----End

1.1.5.5 Configuring STelnet Login


STelnet based on SSH2 provides secure remote access over an insecure network.

Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You cannot connect each device to a terminal. When no reachable route exists between remote devices and a terminal, you can use Telnet to log in to the remote devices from the device that you have logged in to. Telnet provides no secure authentication mode, and all data, including the login password, is transmitted in plaintext over TCP, so anyone on the path can read or modify it.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication and protects devices against attacks, such as IP spoofing.

If the authentication, encryption, and key exchange algorithms used by an SSH client to log in to a device through STelnet are weak security algorithms, the device displays a message indicating that these algorithms are insecure and asking users to use more secure algorithms or upgrade the client.

You can run the display ssh client session command to check the authentication
and encryption algorithms used by the SSH client or the display security risk
feature ssh_client command to check the risk information and handling
suggestions for the SSH client.

Pre-configuration Tasks
Before configuring a user to log in to devices through STelnet, you must log in to
the devices through the console port and change the default configurations of the
devices so that the user can remotely log in to the devices through STelnet to
perform management and maintenance. To change the default configurations,
complete the following tasks:
● Configure IP addresses for the management network interfaces of the devices
to ensure that the routes between the user terminal and devices are
reachable.
● Configure an authentication mode and user level for VTY user interfaces
to achieve remote device management and maintenance.
● Configure VTY user interfaces to support SSH, configure an SSH user and
specify a service type, and enable the STelnet server function so that the
user can remotely log in to the device through STelnet.

1.1.5.5.1 Configuring a User Level and Authentication Mode for VTY User
Interfaces

Context
Other attributes on the VTY user interface have default values. Generally, you do
not need to modify them. You can also modify these attributes as required. For
details, see 1.1.4.4 Configuring VTY User Interfaces.

Procedure
● Configure a user level for the VTY user interface.
a. Run system-view
The system view is displayed.
b. Run user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface is displayed.


c. Run the user privilege level level command to set the user level. Table 1-12 lists the mapping between user levels and command levels in the VTY user interface.
NOTE

The value of level ranges from 0 to 15 when the command-privilege level rearrange configuration exists.
The value of level ranges from 0 to 3 when the command-privilege level rearrange configuration does not exist.

Table 1-12 Mapping between user levels and command levels

User Level (0 to 3) | User Level (0 to 15) | Command Level | Permission | Description
0 | 0 | 0 | Visit | Diagnostic commands, such as ping and tracert, and commands that are used to access a remote device, such as a Telnet client.
1 | 1 to 9 | 0, 1 | Monitoring | Commands of this level are used for system maintenance, including display commands. NOTE: Not all display commands are of the monitoring level. For example, the display current-configuration command is of management level (3). For details about command levels, see HUAWEI NetEngine9000 Command Reference.
2 | 10 to 14 | 0, 1, and 2 | Configuration level | Service configuration commands.
3 | 15 | 0, 1, 2, and 3 | Management level | Commands of the management level are used for basic system operation to support services, including file system, FTP, TFTP, and configuration file switching commands, slave board control commands, user management commands, command level configuration commands, reboot commands, and debugging commands.


NOTE

● User levels correspond to command levels. After a user logs in to a device, the
user can use only commands of the corresponding level or lower, which
improves device security.
● If the user level configured for a user interface conflicts with the user level
configured for a user, the user level configured for the user takes precedence.
d. Run commit
The configuration is committed.
● Configure aaa authentication mode for the VTY user interfaces.
When the authentication mode is set to AAA authentication, you must specify
the access type of a local user.
a. Run system-view
The system view is displayed.
b. (Optional) Run crypto password irreversible-algorithm hmac-sha256
The HMAC-SHA256 ciphertext password encryption algorithm is set.
c. Run aaa
The AAA view is displayed.
d. Run local-user user-name password [ cipher password | irreversible-
cipher irreversible-cipher-password ]
A local user name and a password are set.

▪ If cipher or irreversible-cipher is not specified, a password is entered in man-machine interaction mode and the system does not display the entered password.
When the user security policy is configured, the value is a string of 8
to 128 case-insensitive characters without spaces. When the user
security policy is not configured, the value is a string of 1 to 128
case-insensitive characters without spaces. When the user security
policy is configured, the password cannot be the same as the user
name or its reverse. The password must contain the following
characters: upper-case character, lower-case character, digit, and
special character.
NOTE

Special characters do not include question marks (?) or spaces. However, when double quotation marks are used around a password, spaces are allowed in the password.
● Double quotation marks cannot contain double quotation marks if
spaces are used in a password.
● Double quotation marks can contain double quotation marks if no
space is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa
123"45"" is invalid.

▪ If cipher is specified, a password can be entered in either simple text or cipher text.
If a password is entered in simple text, the password requirements are the same as those when cipher is not specified. When you input a password in simple text, the system displays the password in simple text mode, which brings risks.
A password is displayed in cipher text in the configuration file regardless of whether it is entered in simple text or cipher text.

▪ If irreversible-cipher is specified, a password can be entered in either simple text or irreversible cipher text.
If a password is entered in simple text, the password requirements
are the same as those when irreversible-cipher is not specified.
A password is displayed in cipher text in the configuration file
regardless of whether it is entered in simple text or irreversible cipher
text.
e. Run local-user user-name service-type ssh
The access type of the local user is set to SSH.
f. Run local-user user-name user-group user-group-name
The local user is added to a user group.
g. Run quit
Exit the AAA view.
h. Run user-interface vty first-index [ last-index ]
One or more VTY user interface views are displayed.
i. Run authentication-mode aaa
The authentication mode is set to AAA authentication.
j. Run commit
The configuration is committed.

----End

1.1.5.5.2 Configuring VTY User Interfaces to Support SSH


STelnet is based on SSH2. When the client and the server set up a secure
connection after negotiation, the client can log in to the server in the same way as
using Telnet.

Context
Perform the following steps on the device that functions as an SSH server:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run user-interface vty first-ui-number [ last-ui-number ]

One or more VTY user interface views are displayed.

Step 3 Run authentication-mode aaa

The authentication mode is set to AAA authentication.


Step 4 Run protocol inbound { ssh | all }

The VTY user interfaces are configured to support SSH.

NOTE

Before configuring VTY user interfaces to support SSH, you must set the authentication
mode to AAA authentication for the user interfaces. If you do not set the authentication
mode to AAA authentication, the protocol inbound { ssh | all } command does not take
effect.

Step 5 Run commit

The configuration is committed.

----End

1.1.5.5.3 Configuring an SSH User and Specifying a Service Type


To use STelnet to log in to a device, configure an SSH user, configure the device to
generate a local key pair, configure an authentication mode, and specify a service
type for the SSH user.

Context
SSH users can be authenticated in RSA, DSA, ECC, SM2, X509v3-SSH-RSA,
password, password-RSA, password-ECC, password-DSA, password-SM2, password-
X509v3-RSA, or All mode.

If the authentication mode of an SSH user is RSA, DSA, SM2, or ECC, a local RSA,
DSA, SM2, or ECC key pair must be generated on both the server and client. In
addition, the server needs to edit the public key of the client locally. After the
editing, the public key is bound to the local user.

Table 1-13 compares the RSA, DSA, SM2, X509v3-SSH-RSA, and ECC algorithms.

Table 1-13 RSA/DSA, SM2, X509v3-SSH-RSA, and ECC algorithms

Algorithm | Application Scenarios
RSA/DSA | Asymmetric public key algorithms (RSA for signatures and encryption, DSA for signatures only) that improve encryption efficiency and simplify key management. The server checks whether the SSH user, public key, and digital signature are valid; user authentication succeeds only if all of them are the same as those configured on the server. Note that SSH DSA keys (ssh-dss) are limited to 1024 bits with SHA-1 signatures and are disabled by default in current OpenSSH clients, so prefer ECC or RSA keys of at least 2048 bits.
ECC | An asymmetric encryption algorithm similar to RSA and DSA. Compared with the RSA and DSA algorithms, the ECC algorithm provides the same security with a shorter key length, features a shorter computing process and higher processing speed, requires less storage space, and requires lower bandwidth.
SM2 | SM2 is an ECC-based asymmetric encryption algorithm.
x509v3-ssh-rsa | The X509v3-SSH-RSA algorithm is based on a PKI certificate and features better scalability and higher security. A PKI certificate must be bound to a user and server.

Table 1-14 describes the application scenarios of various authentication modes.

Table 1-14 Application scenario of each authentication type

Authentication Mode | Application Scenarios
RSA authentication and DSA authentication | RSA and DSA are public key systems and asymmetric algorithms. They can effectively improve the encryption efficiency and simplify key management. The server checks whether the SSH user, public key, and digital signature are valid. User authentication succeeds only if all of them are the same as those configured on the server.
ECC authentication | Like RSA authentication, the server first checks the validity of the SSH user and whether the public key and the digital signature are valid. User authentication succeeds only if all of them are the same as those configured on the server. Compared with RSA authentication, ECC authentication provides the same security with a shorter key length, features a shorter computing process and higher processing speed, requires less storage space, and requires lower bandwidth.
Password authentication | On the server, the AAA module assigns each authorized user a password for login. The server has the mapping between user names and passwords. When a user requests to access the server, the server authenticates the username and password. If either of them fails to be authenticated, the access request of the user is denied. NOTE: You are advised to select public key authentication instead of password authentication as the client identity authentication mode.
password-RSA, password-DSA, password-ECC, password-SM2, or password-X509v3-RSA authentication | The server authenticates the client by checking both the public key and the password, and the authentication succeeds only when both the public key and the password are consistent with those configured on the server.
SM2 authentication | SM2 is a Chinese national standard elliptic curve algorithm. The server checks whether the SSH user, the public key assigned to the user, and the digital signature of the user are valid. User authentication succeeds only if all of them are the same as those configured on the server.
X509v3-SSH-RSA authentication | X509v3-SSH-RSA authentication is a PKI certificate authentication mode, which features better scalability and higher security.
All authentication | The SSH server authenticates a client by checking the public key or password. The client can be authenticated when either the public key or password meets the requirement.

Issue 01 (2022-10-31) Copyright © Huawei Technologies Co., Ltd. 90


HUAWEI NetEngine9000
Configuration Guide 1 Configuration

NOTE

For security purposes, do not use RSA keys whose modulus is shorter than 2048 bits for SSH users. You are advised to use ECC authentication instead.
The user level depends on the authentication mode and configuration selected by the access user.
● If password authentication is selected for SSH users, the SSH user level is the same as that configured in the AAA view.
● If public key authentication or PKI certificate authentication is used for SSH users, and the ssh authorization-type default { aaa | root } command has been run to configure a user authorization mode, the SSH user level is determined by the level configured in the authorization mode:
  – If the authorization mode is aaa, the user level is the one configured in the AAA view.
  – If the authorization mode is root, the user level is the one configured on the VTY user interface.
● If public key authentication or PKI certificate authentication is used for SSH users but the ssh authorization-type default { aaa | root } command has not been run to configure a user authorization mode, the SSH user level is determined by the level configured in the AAA view.
Data Preparation
Before editing a public key, you need to generate a key pair. For details about how
to generate a key pair, see step 1 in 1.1.5.5.5 Using STelnet to Log In to a Server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh user user-name
An SSH user is created.
If password, password-RSA, password-DSA, password-SM2, password-X509v3-RSA,
or password-ECC authentication is configured for the SSH user, create a local user
with the same name as the SSH user in the AAA view and set the local user's
access type to SSH. For configuration details, see Table 1-15.
If RSA, DSA, SM2, X509v3-SSH-RSA, or ECC authentication is configured for the
SSH user, and the default authorization mode AAA is configured for the SSH
connection, create a local user with the same name as the SSH user in the AAA
view and set the local user's access type to SSH. Otherwise, run the ssh
authorization-type default root command in the system view to set the
authorization mode of the SSH connection to Root.


Table 1-15 Configuring a local user

Item: (Optional) Set the encryption mode of the local user password.
Operation: Run the crypto password irreversible-algorithm hmac-sha256 command in the system view.

Item: Enter the AAA view.
Operation: Run the aaa command in the system view.

Item: Configure the local user name and password.
Operation: Run the local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ] command.
● If neither cipher nor irreversible-cipher is specified, the password is entered interactively and the system does not echo it.
  When the user security policy is configured, the value is a string of 8 to 128 case-sensitive characters without spaces. The password cannot be the same as the user name or the user name reversed, and it must contain at least one upper-case letter, one lower-case letter, one digit, and one special character.
  When the user security policy is not configured, the value is a string of 1 to 128 case-sensitive characters without spaces.
  NOTE
  Special characters do not include question marks (?) or spaces. However, when the password is enclosed in double quotation marks, spaces are allowed inside it.
  – If the password contains spaces, it cannot also contain double quotation marks.
  – If the password contains no spaces, it may contain double quotation marks.
  For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
● If cipher is specified, the password can be entered in either plain text or cipher text. A plain-text password must meet the same requirements as when cipher is not specified. A plain-text password is echoed on the screen as you type it, which is a disclosure risk. The password is stored in cipher text in the configuration file regardless of how it was entered. Note that a cipher password is reversible: the device can decrypt it, so it is only as secret as the configuration file and the key that protects it.
● If irreversible-cipher is specified, the password can be entered in either plain text or irreversible cipher text. A plain-text password must meet the same requirements as when irreversible-cipher is not specified. The password is stored in irreversible cipher text in the configuration file regardless of how it was entered. Prefer this form, together with the hmac-sha256 algorithm set in the optional step above, for any account that does not need a recoverable password.

Item: Set the local user's access type to SSH.
Operation: Run the local-user user-name service-type ssh command.

Item: Exit the AAA view and return to the system view.
Operation: Run the quit command.

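The password rules in Table 1-15 are easy to get wrong when local users are provisioned from a script. The following Python function, added here as an example and not part of the Huawei guide or the device software, encodes those rules as they are stated above (length, character classes, the user-name rule, and the quoting rules for spaces and double quotation marks) so that a configuration generator can reject a bad password before it is pushed to the device. The function name and the exact message strings are this example's own choices; the two quoted passwords used in the checks are the ones the table itself gives as valid and invalid.

```python
import re


def check_local_user_password(username: str, password: str,
                              security_policy: bool = True) -> list:
    """Return the list of policy violations for a local-user password.

    `password` is the literal token that would be typed on the CLI, so a
    value that starts and ends with double quotation marks is treated as a
    quoted password (the only form in which spaces are allowed). An empty
    list means the password is acceptable under the rules in Table 1-15.
    """
    problems = []
    quoted = len(password) >= 2 and password[0] == '"' and password[-1] == '"'
    body = password[1:-1] if quoted else password

    # '?' is never a valid character; spaces only inside a quoted password,
    # and a quoted password with spaces may not also contain '"'.
    if "?" in body:
        problems.append("contains '?'")
    if " " in body:
        if not quoted:
            problems.append("contains a space but is not double-quoted")
        elif '"' in body:
            problems.append("quoted password with spaces may not contain '\"'")

    low, high = (8, 128) if security_policy else (1, 128)
    if not low <= len(body) <= high:
        problems.append(f"length {len(body)} not in {low}..{high}")

    if security_policy:
        if body == username or body == username[::-1]:
            problems.append("equals the user name or its reverse")
        if not re.search(r"[A-Z]", body):
            problems.append("no upper-case letter")
        if not re.search(r"[a-z]", body):
            problems.append("no lower-case letter")
        if not re.search(r"[0-9]", body):
            problems.append("no digit")
        # Anything that is not a letter, digit or space counts as special.
        if not re.search(r"[^A-Za-z0-9 ]", body):
            problems.append("no special character")
    return problems


if __name__ == "__main__":
    # The guide's own valid and invalid examples, plus a weak candidate.
    for user, pw in (("admin", '"Aa123"45""'), ("admin", '"Aa 123"45""'),
                     ("admin", "Abcdefgh!")):
        print(pw, "->", check_local_user_password(user, pw) or "OK")
```

Run the function against every local-user line a generator emits; the returned list is empty only when all of the guide's conditions hold, and each message names the rule that failed so the operator can fix the value instead of discovering the rejection on the device.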
Step 3 Perform any of the operations described in Table 1-16.

Table 1-16 Configuring an SSH user authentication mode

Item: Configure password authentication.
Operation: Run the ssh user user-name authentication-type password command.
Remarks: If local or HWTACACS authentication is used and only a few users need to be authenticated, use password authentication.

Item: Configure RSA authentication.
Operation:
1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
2. Run the rsa peer-public-key key-name encoding-type enc-type command to enter the RSA public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
   NOTE
   Before editing the public key, use the SSH client software to generate the RSA key pair on the SSH client. The following uses PuTTYGen.exe as an example; for the procedure, see step 1 in 1.1.5.5.5 Using STelnet to Log In to a Server. Paste the complete public key produced in step 1.c here. When editing a public key generated by PuTTY, set the encoding mode in step 2 to openssh, that is, run the rsa peer-public-key key-name encoding-type openssh command.
   Remarks:
   ● In the public key edit view, only strings complying with the public key format of the encoding selected in step 2 can be entered (hexadecimal data, or the OpenSSH public key line when openssh is selected). The string is the public half of the key pair generated on the SSH client, not a value typed by hand; for detailed operations, see the help document of the SSH client software.
   ● After entering the public key edit view, copy the RSA public key generated on the SSH client and paste it into the device functioning as the SSH server.
5. Run the public-key-code end command to exit the public key edit view.
6. Run the peer-public-key end command to exit the public key view and return to the system view.
   Remarks:
   ● The public key is created only after valid hex-data complying with the public key format has been entered and the peer-public-key end command is run.
   ● If you run the peer-public-key end command after the key-name specified in step 2 has been deleted in another view, the system displays a message indicating that the key does not exist and returns to the system view.
7. Run the ssh user user-name assign rsa-key key-name command to allocate the RSA public key to the SSH user.

Item: Configure DSA authentication.
Operation:
1. Run the ssh user user-name authentication-type dsa command to configure DSA authentication.
2. Run the dsa peer-public-key key-name encoding-type enc-type command to enter the DSA public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
   NOTE
   Before editing the public key, use the SSH client software to generate a DSA key pair on the SSH client. The following uses PuTTYGen.exe as an example; for the procedure, see step 1 in 1.1.5.5.5 Using STelnet to Log In to a Server (select the DSA key type instead of RSA). Paste the complete public key produced in step 1.c here. When editing a public key generated by PuTTY, set the encoding mode in step 2 to openssh, that is, run the dsa peer-public-key key-name encoding-type openssh command.
   Remarks:
   ● In the public key edit view, only strings complying with the public key format of the encoding selected in step 2 can be entered (hexadecimal data, or the OpenSSH public key line when openssh is selected). The string is the public half of the key pair generated on the SSH client; for detailed operations, see the help document of the SSH client software.
   ● After entering the public key edit view, copy the DSA public key generated on the SSH client and paste it into the device functioning as the SSH server.
5. Run the public-key-code end command to exit the public key edit view.
6. Run the peer-public-key end command to exit the public key view and return to the system view.
   Remarks:
   ● The public key is created only after valid hex-data complying with the public key format has been entered and the peer-public-key end command is run.
   ● If you run the peer-public-key end command after the key-name specified in step 2 has been deleted in another view, the system displays a message indicating that the key does not exist and returns to the system view.
7. Run the ssh user user-name assign dsa-key key-name command to allocate the DSA public key to the SSH user.

Item: Configure ECC authentication.
Operation:
1. Run the ssh user user-name authentication-type ecc command to configure ECC authentication.
2. Run the ecc peer-public-key key-name [ encoding-type enc-type ] command to enter the ECC public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
   NOTE
   Before editing the public key, use the SSH client software to generate an ECC key pair on the SSH client. The following uses PuTTYGen.exe as an example; for the procedure, see step 1 in 1.1.5.5.5 Using STelnet to Log In to a Server (select the ECDSA key type instead of RSA). Paste the complete public key produced in step 1.c here. When editing a public key generated by PuTTY, set the encoding mode in step 2 to openssh, that is, run the ecc peer-public-key key-name encoding-type openssh command.
   Remarks:
   ● In the public key edit view, only strings complying with the public key format of the encoding selected in step 2 can be entered (hexadecimal data, or the OpenSSH public key line when openssh is selected). The string is the public half of the key pair generated on the SSH client; for detailed operations, see the help document of the SSH client software.
   ● After entering the public key edit view, copy the ECC public key generated on the SSH client and paste it into the device functioning as the SSH server.
5. Run the public-key-code end command to exit the public key edit view.
6. Run the peer-public-key end command to exit the public key view and return to the system view.
   Remarks:
   ● The public key is created only after valid hex-data complying with the public key format has been entered and the peer-public-key end command is run.
   ● If you run the peer-public-key end command after the key-name specified in step 2 has been deleted in another view, the system displays a message indicating that the key does not exist and returns to the system view.
7. Run the ssh user user-name assign ecc-key key-name command to allocate the ECC public key to the SSH user.

Item: Configure SM2 authentication.
Operation:
1. Run the ssh server publickey sm2 command to enable the SM2 public key algorithm on the SSH server.
2. Run the ssh user user-name authentication-type sm2 command to configure SM2 authentication.
3. Run the sm2 peer-public-key key-name command to enter the SM2 public key view.
4. Run the public-key-code begin command to enter the public key edit view.
5. Enter hex-data to edit the public key.
   Remarks:
   ● In the public key edit view, only hexadecimal strings complying with the public key format can be entered. The string is the public half of the SM2 key pair generated on the SSH client; for detailed operations, see the help document of the SSH client software.
   ● After entering the public key edit view, copy the SM2 public key generated on the SSH client and paste it into the device functioning as the SSH server.
6. Run the public-key-code end command to exit the public key edit view.
7. Run the peer-public-key end command to exit the public key view and return to the system view.
   Remarks:
   ● The public key is created only after valid hex-data complying with the public key format has been entered and the peer-public-key end command is run.
   ● If you run the peer-public-key end command after the key-name specified in step 3 has been deleted in another view, the system displays a message indicating that the key does not exist and returns to the system view.
8. Run the ssh user user-name assign sm2-key key-name command to allocate the SM2 public key to the SSH user.

Item: Configure X509v3-SSH-RSA authentication.
Operation:
1. Run the ssh user user-name authentication-type x509v3-rsa command to configure X509v3-SSH-RSA authentication for the specified SSH user.
2. Run the ssh user user-name assign pki pki-name command to allocate a PKI certificate to the SSH user.
   Remarks: Currently, only the default certificate can be allocated to SSH users.

Step 4 Run ssh user user-name service-type { stelnet | all }

The service type of the SSH user is configured.

Step 5 (Optional) Run ssh server rsa-key min-length min-length-val

The minimum length of RSA public keys accepted by the SSH server is specified. Setting it to at least 2048 makes the server enforce the NOTE above instead of relying on whoever pastes the key.

Step 6 (Optional) Run ssh user user-name cert-verify-san enable

SAN/CN verification is configured for the SSH user.

Step 7 Run commit

The configuration is committed.

----End
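Before a public key is pasted into the public key edit view it is worth confirming that the key the client produced is what the NOTE on minimum RSA length requires. The following Python script, added here as an example (it is not code from the guide, from PuTTY, or from the device), decodes an OpenSSH-format public key line of the kind PuTTYGen displays, reports the key type and size, and applies the guide's rule of at least 2048 bits for RSA. The 256-bit floor for ECDSA and the outright rejection of ssh-dss are this example's own policy choices, and the sample key lines are constructed inside the script for their size only; they are not real keys.

```python
import base64
import struct

# The 2048-bit RSA floor is the guide's NOTE; the ECC floor and the refusal of
# ssh-dss (1024-bit, SHA-1 signatures) are this example's own policy choices.
RSA_MIN_BITS = 2048
ECC_MIN_BITS = 256


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(v: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (sign bit kept clear)."""
    return _ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_public_key(line: str) -> dict:
    """Decode one OpenSSH public key line ('ssh-rsa AAAA... comment').

    Wire layout: RFC 4253 (ssh-rsa: e, n; ssh-dss: p, q, g, y) and RFC 5656
    (ecdsa-sha2-*: curve identifier, uncompressed point Q).
    """
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    ktype = fields[0]
    comment = fields[2].strip() if len(fields) == 3 else ""
    blob = base64.b64decode(fields[1], validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != ktype.encode():
        raise ValueError("key type prefix does not match the encoded blob")

    info = {"type": ktype, "comment": comment}
    if ktype == "ssh-rsa":
        for name in ("e", "n"):
            raw, off = _read_string(blob, off)
            info[name] = int.from_bytes(raw, "big", signed=True)
        info["bits"] = info["n"].bit_length()
    elif ktype == "ssh-dss":
        for name in ("p", "q", "g", "y"):
            raw, off = _read_string(blob, off)
            info[name] = int.from_bytes(raw, "big", signed=True)
        info["bits"] = info["p"].bit_length()
    elif ktype.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
        info["curve"] = curve.decode("ascii")
        info["bits"] = (len(point) - 1) // 2 * 8  # point is 0x04 || X || Y
    else:
        raise ValueError(f"unsupported key type {ktype}")
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return info


def key_meets_policy(info: dict) -> bool:
    """RSA needs >= 2048 bits; ssh-dss is refused; ECDSA needs >= 256 bits."""
    if info["type"] == "ssh-rsa":
        return info["bits"] >= RSA_MIN_BITS
    if info["type"] == "ssh-dss":
        return False
    return info["bits"] >= ECC_MIN_BITS


def encode_public_key_line(ktype: str, fields, comment: str = "") -> str:
    """Assemble an OpenSSH public key line; used here only to build the
    constructed samples below (real keys come from the SSH client)."""
    blob = _ssh_string(ktype.encode()) + b"".join(fields)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed samples: moduli and point are chosen for their size only.
SAMPLE_OK = encode_public_key_line(
    "ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 2047) | 0x10001)], "ops-admin")
SAMPLE_WEAK = encode_public_key_line(
    "ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 1023) | 0x10001)], "legacy")
SAMPLE_ECC = encode_public_key_line(
    "ecdsa-sha2-nistp256", [_ssh_string(b"nistp256"), _ssh_string(b"\x04" + bytes(64))])

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_WEAK, SAMPLE_ECC):
        k = parse_openssh_public_key(line)
        print(k["type"], k["bits"], "OK" if key_meets_policy(k) else "REJECT")
```

Feed the script the line from PuTTYGen's public key box (the text saved as public.txt in 1.1.5.5.5) before running the peer-public-key commands; the same check can be applied to the ssh server rsa-key min-length value, which should not be lower than the floor the script enforces.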


1.1.5.5.4 Enabling the STelnet Server Function

Context
NOTE

For security purposes, do not use RSA keys shorter than 2048 bits. Prefer the rsa-sha2-256 and rsa-sha2-512 public key algorithms over ssh-rsa, which signs with SHA-1; the key length and the signature algorithm are separate choices, and both need to be set.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 (Optional) Run the ssh server publickey { dsa | ecc | rsa | sm2 | x509v3-ssh-rsa|
rsa-sha2-256 | rsa-sha2-512 | x509v3-rsa2048-sha256 } * command to configure
a public key encryption algorithm for the SSH server.
Step 3 (Optional) Configure the maximum number of key pairs. Perform one of the
following operations based on the user requirements for system performance:
● Run the rsa key-pair maximum max-keys command to configure the
maximum number of RSA key pairs that can be created.
● Run the dsa key-pair maximum max-keys command to configure the
maximum number of DSA key pairs that can be created.
● Run the ecc key-pair maximum max-keys command to configure the
maximum number of ECC key pairs that can be created.
Step 4 (Optional) Create an SSH server key pair. Use either of the following methods:
● Method 1
– If the user requirements for system security are not high, run the rsa local-key-pair create command to configure a local RSA key pair or run the dsa local-key-pair create command to configure a local DSA key pair. Note that DSA host keys (ssh-dss) sign with SHA-1 and are rejected by default by current OpenSSH clients, so choose RSA of at least 2048 bits or ECC for any new deployment.
– If the user requirements for system security are high, run the ecc local-
key-pair create command to configure a local ECC key pair.
After the key pairs are generated, perform any of the following operations
based on the selected public key algorithm:
– Run the display rsa local-key-pair public command to check the public
key in the local RSA key pair.
– Run the display dsa local-key-pair public command to check the public
key in the local DSA key pair.
– Run the display ecc local-key-pair public command to check the public
key in the local ECC key pair.
● Method 2
– If the user requirements for system security are not high, run the rsa key-
pair label label-name command to configure a local RSA key pair or run
the dsa key-pair label label-name command to configure a local DSA
key pair.
– If the user requirements for system security are high, run the ecc key-
pair label label-name [ modulus modulus-bits ] command to create a
local ECC key pair, or run the sm2 key-pair label label-name command
to create a local SM2 key pair.


After key pairs are generated, run the ssh server assign { rsa-host-key | dsa-
host-key | ecc-host-key | sm2-host-key } key-name command to assign a
key pair to the SSH server.
If the authentication mode is set to x509v3-ssh-rsa, run the ssh server assign
pki pki-name command to configure a PKI certificate for the SSH server.
After the key pairs are generated, perform any of the following operations
based on the selected public key algorithm:
– Run the display rsa key-pair [ brief | label label-name ] command to
check RSA key pairs.
– Run the display dsa key-pair [ brief | label label-name ] command to
check DSA key pairs.
– Run the display ecc key-pair [ brief | label label-name ] command to
check ECC key pairs.
– Run the display sm2 key-pair [ brief | label label-name ] command to
check SM2 key pairs.
Step 5 Run stelnet server enable
The STelnet server function is enabled.
If the STelnet server function is disabled on the SSH server, all clients that have
logged in through STelnet are disconnected from the server.

NOTE

SSH uses port 22 to listen to packets. Running this command will enable port 22 to listen to
IPv4 and IPv6 TCP packets.

Step 6 (Optional) Run ssh server security-banner disable

The warning that the SSH server raises when an insecure algorithm is negotiated with a client is disabled. Disabling the banner suppresses the warning only; the insecure algorithm is still used, so remove weak algorithms from the lists in the following steps rather than silencing the message.
Step 7 (Optional) Run ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc
| aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | blowfish_cbc | sm4_cbc } *
Encryption algorithms are configured for the SSH server.

NOTE

For security purposes, you are advised to use secure algorithms such as aes128_ctr,
aes256_ctr, aes192_ctr, aes128_gcm, and aes256_gcm.

Step 8 (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *
HMAC authentication algorithms are configured for the SSH server.

NOTE

For security purposes, you are advised to use a secure algorithm such as sha2_256,
sha2_512 and sm3.

Step 9 (Optional) Run the ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | dh_group16_sha512 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep | curve25519_sha256 } * command to configure a key exchange algorithm list for the SSH server.
NOTE

For security purposes, you are advised to use the curve25519_sha256 key exchange
algorithm.

Step 10 (Optional) Run the ssh server dh-exchange min-len min-len command to
configure the minimum key length supported during diffie-hellman-group-
exchange key exchange with the SSH client.
NOTE

If the SSH client supports the diffie-hellman-group-exchange key exchange algorithm with
a length greater than 1024 bits, you are advised to run the ssh server dh-exchange min-
len command to set the minimum key length to 3072 bits to improve security.

Step 11 Run commit


The configuration is committed.

----End
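Steps 7 to 10 decide which algorithms the server offers, and the reliable way to confirm the result is to look at what the server actually advertises rather than at the configuration. The following Python script, added here as an example and not part of the guide or the device software, parses the SSH_MSG_KEXINIT packet that every SSH server sends at the start of a connection (RFC 4253) and flags the SHA-1 key exchange methods, CBC/RC4/DES ciphers and MD5/SHA-1 MACs that the notes above advise against. fetch_server_kexinit reads the packet from a live host; everything else runs offline against a KEXINIT constructed inside the script. The weak-algorithm list, the function names and the sample server's offering are this example's own.

```python
import socket
import struct

# Wire-format names for the algorithms the notes in Steps 7 to 10 steer away
# from. CLI keywords map to these with '_' -> '-' (aes128_cbc -> aes128-cbc).
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "cipher": {"des-cbc", "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
}
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
              "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20


def parse_kexinit(packet: bytes) -> dict:
    """Parse an unencrypted SSH binary packet carrying SSH_MSG_KEXINIT."""
    packet_len, padding_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - padding_len - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError(f"not KEXINIT (message type {payload[0]})")
    off, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        off += 4 + n
    lists["first_kex_packet_follows"] = bool(payload[off])
    return lists


def audit_kexinit(lists: dict) -> dict:
    """Return the weak names offered per category; an empty dict is clean."""
    groups = {"kex": ("kex",), "cipher": ("cipher_c2s", "cipher_s2c"),
              "mac": ("mac_c2s", "mac_s2c")}
    findings = {}
    for cat, keys in groups.items():
        offered = set().union(*(set(lists[k]) for k in keys))
        bad = sorted(offered & WEAK[cat])
        if bad:
            findings[cat] = bad
    return findings


def build_kexinit(**lists) -> bytes:
    """Build a KEXINIT packet from name-lists. Used only to construct the
    offline sample below; the cookie is fixed zeros, which a real peer must
    never do."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(raw)) + raw
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    padding = 8 - (len(payload) + 5) % 8    # total length must be a multiple of 8
    if padding < 4:
        padding += 8
    return struct.pack(">IB", len(payload) + padding + 1, padding) + payload + bytes(padding)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Connect to a live SSH server, exchange version strings, and return the
    server's KEXINIT packet. Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit-audit\r\n")
        line = b""
        while True:  # servers may send banner lines before the version string
            line += _recv_exact(s, 1)
            if line.endswith(b"\n"):
                if line.startswith(b"SSH-"):
                    break
                line = b""
        head = _recv_exact(s, 5)
        packet_len = struct.unpack(">I", head[:4])[0]
        return head + _recv_exact(s, packet_len - 1)


# Constructed sample: a server that still offers SHA-1 group exchange,
# AES-CBC and HMAC-SHA1 next to the recommended algorithms.
SAMPLE_SERVER = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group-exchange-sha1"],
    host_key=["rsa-sha2-256", "ssh-rsa"],
    cipher_c2s=["aes256-gcm@openssh.com", "aes128-ctr", "aes128-cbc"],
    cipher_s2c=["aes256-gcm@openssh.com", "aes128-ctr", "aes128-cbc"],
    mac_c2s=["hmac-sha2-256", "hmac-sha1"], mac_s2c=["hmac-sha2-256", "hmac-sha1"],
    comp_c2s=["none"], comp_s2c=["none"],
)

if __name__ == "__main__":
    print(audit_kexinit(parse_kexinit(SAMPLE_SERVER)))
```

Against a device, call audit_kexinit(parse_kexinit(fetch_server_kexinit("10.248.103.194"))) after committing the cipher, hmac and key-exchange lists; an empty result means nothing from the weak set is advertised. The SM2, SM3 and SM4 options in the CLI have their own wire names and are not in this example's weak set, so they are neither flagged nor endorsed by it.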

1.1.5.5.5 Using STelnet to Log In to a Server


After you log in to a device through a console port and configure the device, you
can use STelnet to log in to and remotely maintain the device.

Context
Log in to the server through STelnet from the terminal (SSH client), as shown in
Figure 1-11. On the PC, run SSH1.5 or a later version to set up a local connection
with the device.
This section uses PuTTY as an example to describe how to log in to the SSH server
through STelnet.

Figure 1-11 Networking diagram for configuring SSH services

Data Preparation
PuTTYGen.exe and PuTTY.exe have been installed.


Table 1-17 Data preparation

Device        Interface                   IP Address
SSH server    GE1/0/0                     10.248.103.194/24
PC            Network port on the PC      10.248.103.195/24

Procedure
Step 1 Create an SSH key pair on the SSH client.
1. Enter the Windows Command Prompt window.
2. Enter PuTTYGen and click Generate to generate a key pair, as shown in
Figure 1-12.

Figure 1-12 PuTTY Key Generator (1)

Keep moving the mouse inside the PuTTYGen window (outside the green progress bar) while the key pair is being generated; PuTTYGen collects its randomness from the pointer movement, so if the mouse stops, the progress bar and the key generation stop as well, as shown in Figure 1-13.


Figure 1-13 PuTTY Key Generator (2)

3. After the key pair is generated, enter a passphrase in the Key passphrase text box and enter it again in the Confirm passphrase text box. This passphrase encrypts the private key file on the client and is requested by PuTTY whenever the key is used; it is never sent to the SSH server and is not the user's login password. Click Save private key, enter private as the name of the private key file, and click Save. Copy the public key shown in the Public key for pasting into OpenSSH authorized_keys file box into Notepad and save it as public.txt; this is the text that is pasted into the public key edit view when the SSH user is configured on the server.


Figure 1-14 PuTTY Key Generator (3)

Step 2 Configure the SSH client.


1. Start the PuTTY.exe program. The PuTTY configuration page as shown in
Figure 1-15 is displayed. For security purposes, using PuTTY 0.58 or later is
recommended. Enter the IP address of the SSH server in the Host Name (or
IP address) text box.


Figure 1-15 SSH client configuration page (1)

2. In the navigation tree on the left of the SSH client configuration page, choose
Category > Connection > SSH. The dialog box as shown in Figure 1-16 is
displayed. In the Protocol options area, set Preferred SSH protocol version
to 2.


Figure 1-16 SSH client configuration page (2)

3. Select Auth in SSH. The dialog box as shown in Figure 1-17 is displayed. Click
Browse to import the private key file private.ppk.


Figure 1-17 SSH client configuration page (3)

4. Click Open. On the first connection PuTTY displays the server's host key fingerprint and asks whether to trust it; compare it with the public key shown by the display rsa local-key-pair public (or display ecc local-key-pair public) command on the server before accepting, because accepting an unverified host key defeats the protection against a man-in-the-middle. If the connection is normal, the system then prompts you to enter the user name, as shown in Figure 1-18.

Figure 1-18 SSH client login authentication page

----End

Follow-up Procedure
When the network administrator needs to disconnect login users from the device,
you can run the kill user-interface { ui-number | { { console | vty | nca | rpc } ui-
number1 | interface-name } } command to clear online users.
console can be specified only for the admin VS.


1.1.5.5.6 Configuring STelnet Server Parameters


You can configure STelnet server parameters to ensure server reliability. STelnet
server parameters include the interval at which key pairs are updated, the timeout
period for SSH authentication, number of SSH authentication retries, compatibility
with earlier SSH versions, and listening port number of an SSH server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform one or more operations described in Table 1-18.

Table 1-18 Operations

Item: (Optional) Configure the interval at which key pairs are updated.
Operation: Run the ssh server rekey-interval interval command.
Description: When the configured interval elapses, the server key pair is regenerated automatically, which bounds how long any one key is exposed and improves security.

Item: (Optional) Configure the timeout period for SSH authentication.
Operation: Run the ssh server timeout seconds command.
Description: If a user has not completed login when the SSH authentication timeout expires, the system tears down the connection, so that half-open sessions cannot accumulate on the server.

Item: (Optional) Configure the number of SSH authentication retries.
Operation: Run the ssh server authentication-retries times command.
Description: To slow down password guessing by unauthorized users, limit the number of authentication retries allowed on one connection.

Item: (Optional) Enable the SSH server to lock client IP addresses.
Operation: Run the undo ssh server ip-block disable command.
Description: When locking is enabled, a client IP address that fails authentication is locked; locked addresses cannot pass authentication and are listed in the display ssh server ip-block list command output. When locking is disabled, the display ssh server ip-block list command shows no client IP address locked because of an authentication failure.

Item: (Optional) Enable compatibility with earlier SSH versions.
Operation: Run the ssh server compatible-ssh1x enable command. This is required only to allow clients running SSH1.5 to log in.
Description: SSH versions are classified as SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X.
NOTE
If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk. Leave compatibility disabled unless a legacy client cannot be upgraded: SSH1 has known protocol-level weaknesses that no server setting can mitigate.

Item: (Optional) Configure a listening port number for the SSH server.
Operation: Run the ssh server port port-number command. If a new listening port number is set, the SSH server ends all established STelnet and SFTP connections and uses the new port number to listen for connection requests.
Description: Attackers may target the default listening port, consuming bandwidth, degrading server performance, and preventing authorized users from logging in. Changing the listening port reduces the volume of opportunistic scanning aimed at port 22. It does not hide the service from a port scan, so combine it with an ACL and IP address locking rather than relying on it alone.

Item: (Optional) Configure an ACL for the SSH server.
Operation: Run the ssh [ ipv6 ] server acl { acl-number | acl-name } command.
Description: This command restricts which clients may reach the SSH server (over IPv4, or over IPv6 when ipv6 is specified), so that unauthorized hosts never reach the authentication stage.

Item: (Optional) Enable the keepalive feature on the SSH server.
Operation: Run the ssh server keepalive enable command.
Description: After this feature is enabled, the SSH server answers keepalive requests from an SSH client so that the client can check whether the connection is still up, facilitating fast fault detection.

Item: Specify the source interface or source address for the SSH server.
Operation and description:
● Run the ssh server-source -i { interface-type interface-number | interface-name } command. If a source interface is specified, the server accepts SSH logins arriving on that interface only and denies SSH users who attempt to log in through other interfaces.
● Run the ssh server-source all-interface command. Any interface on the SSH server can then be used as its source interface: SSH users can log in through any physical interface configured with an IPv4 address or any created logical interface configured with an IPv4 address.
  NOTE
  If the ssh server-source all-interface command is run, users can log in to the SSH server through all valid interfaces, which increases system security risks. Therefore, running the command is not recommended.
● Run the ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command. If a source IPv6 address is specified, the server accepts SSH logins to that address only and denies SSH users who attempt to log in using other IPv6 addresses.
● Run the ssh ipv6 server-source all-interface command. Any IPv6 interface on the SSH server can then be used as its source interface: SSH users can log in through any physical interface configured with an IPv6 address or any created logical interface configured with an IPv6 address.
  NOTE
  If the ssh ipv6 server-source all-interface command is run, users can log in to the SSH server through any valid IPv6 interface, which increases system security risks. Therefore, running the command is not recommended.
● Run the ssh server-source physic-isolate -i { interface-type interface-number | interface-name } -a ip-address command. A source IPv4 interface is specified for the SSH server, and the interface isolation attribute is set for the SSH server.
● Run the ssh ipv6 server-source physic-isolate -i { interface-type interface-number | interface-name } -a ipv6-address command. A source IPv6 interface is specified for the SSH server, and the interface isolation attribute is set for the SSH server.
  NOTE
  After the interface isolation attribute is set successfully, packets can reach the server only through the specified physical interface; those arriving through other interfaces are discarded.

Item: (Optional) Configure the bogus-list mode of SSH server authentication.
Operation: Run the ssh server authentication-method bogus-list disable command.
Description: Disabling the bogus-list mode of SSH server authentication reduces the authentication duration for some clients that log in to the server in password authentication mode.
Step 3 Run commit


The configuration is committed.
----End

1.1.5.5.7 (Optional) Configuring CAR for Whitelisted SSH Sessions


You can configure CAR for whitelisted SSH sessions to limit the rate at which
packets of the whitelisted SSH sessions are sent to the SSH server. This
configuration prevents non-whitelisted SSH sessions from preempting bandwidth
if the SSH server encounters a traffic burst.

Context
When packets sent to the SSH server form a traffic burst, sessions may preempt
bandwidth. To resolve this problem, you can configure CAR for whitelisted SSH
sessions. This configuration isolates bandwidth resources between sessions. If the
default CAR parameters for whitelisted SSH sessions do not meet service
requirements, you can adjust them as required.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run whitelist session-car ssh-server { cir cir-value | cbs cbs-value | pir pir-value |
pbs pbs-value }*
CAR parameters are configured for whitelisted SSH sessions.
Step 3 (Optional) Run whitelist session-car ssh-server disable
CAR for whitelisted SSH sessions is disabled.
Step 4 Run commit
The configuration is committed.

----End
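As an added example (not code from the Huawei guide), the following Python models the cir, cbs, pir and pbs parameters of the whitelist session-car ssh-server command as a two-rate token bucket, so the effect of a traffic burst on a whitelisted session can be observed. The committed/excess/drop outcomes are an assumption for illustration; the page does not describe the device's marking behaviour.

```python
"""Two-rate token-bucket model of the whitelist session-CAR parameters.

Added example, not Huawei code. cir/pir are rates in bytes per second,
cbs/pbs are burst sizes in bytes. Packets above the peak allowance are
dropped, packets within the peak allowance but above the committed
allowance are forwarded as "excess", and the rest as "committed"
(assumed outcomes; the device's exact behaviour is not on this page).
"""
from dataclasses import dataclass, field


@dataclass
class SessionCar:
    cir: int          # committed information rate, bytes per second
    cbs: int          # committed burst size, bytes
    pir: int          # peak information rate, bytes per second
    pbs: int          # peak burst size, bytes
    tc: float = field(init=False)    # tokens left in the committed bucket
    tp: float = field(init=False)    # tokens left in the peak bucket
    last: float = field(init=False)  # time of the last refill, seconds

    def __post_init__(self):
        if self.pir < self.cir or self.pbs < self.cbs:
            raise ValueError("pir must be >= cir and pbs must be >= cbs")
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)
        self.last = 0.0

    def _refill(self, now):
        """Add tokens for the time elapsed since the last packet."""
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)

    def offer(self, now, size):
        """Classify one packet of `size` bytes arriving at time `now`."""
        self._refill(now)
        if size > self.tp:
            return "drop"          # exceeds even the peak allowance
        self.tp -= size
        if size > self.tc:
            return "excess"        # within PIR/PBS but above CIR/CBS
        self.tc -= size
        return "committed"


def run_burst(car, packets):
    """Feed (time, size) packets through the CAR; return counts per outcome."""
    counts = {"committed": 0, "excess": 0, "drop": 0}
    for now, size in packets:
        counts[car.offer(now, size)] += 1
    return counts


# Constructed sample: a burst of 20 SSH packets of 1000 bytes arriving at
# t=0, against a deliberately small CAR so that all three outcomes appear.
SAMPLE_BURST = [(0.0, 1000)] * 20

if __name__ == "__main__":
    car = SessionCar(cir=4000, cbs=5000, pir=8000, pbs=10000)
    print(run_burst(car, SAMPLE_BURST))
```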

1.1.5.5.8 (Optional) Configuring Alarm Generation and Clearance Thresholds for SSH Server Login Failures
This section describes how to configure alarm generation and clearance thresholds
for SSH server login failures within a specified period. This configuration facilitates
user login management.

Context
When the number of SSH server login failures within a specified period exceeds
the threshold, an alarm is generated and displayed for an administrator to
promptly handle the associated event.
Perform the following steps on a device that functions as an SSH server:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh server login-failed threshold-alarm upper-limit report-times lower-
limit resume-times period period-time
Alarm generation and clearance thresholds for SSH server login failures within a
specified period are configured.

NOTE

The alarm generation threshold specified using report-times must be greater than or equal
to the alarm clearance threshold specified using resume-times.

Step 3 Run commit

The configuration is committed.

----End
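To show how the three parameters of the ssh server login-failed threshold-alarm command interact, here is an added Python model (not Huawei code) that runs a sliding window over constructed log lines and raises the alarm when failures in the trailing period reach report-times, clearing it when they fall to resume-times or below. The log format and the exact comparisons are assumptions; the device's own log format is not shown on this page.

```python
"""Sliding-window model of the SSH login-failure alarm thresholds.

Added example, not Huawei code. report_times is the alarm generation
threshold (upper-limit), resume_times the clearance threshold
(lower-limit) and period_minutes the observation period. Raising on
count >= report_times and clearing on count <= resume_times is an
assumption about the device's comparison.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed log format (not the device's own): timestamp, result, user, source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SSH (?P<result>FAIL|OK) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


class LoginFailureAlarm:
    def __init__(self, report_times, resume_times, period_minutes):
        if resume_times > report_times:
            # Mirrors the NOTE: report-times must be >= resume-times.
            raise ValueError("report-times must be >= resume-times")
        self.upper = report_times
        self.lower = resume_times
        self.period = timedelta(minutes=period_minutes)
        self.failures = deque()   # timestamps of failures inside the window
        self.active = False

    def _expire(self, now):
        """Drop failures older than the period."""
        while self.failures and now - self.failures[0] > self.period:
            self.failures.popleft()

    def _evaluate(self):
        count = len(self.failures)
        if not self.active and count >= self.upper:
            self.active = True
            return "raise"
        if self.active and count <= self.lower:
            self.active = False
            return "clear"
        return None

    def observe(self, ts, failed):
        """Feed one login attempt; return 'raise', 'clear' or None."""
        self._expire(ts)
        if failed:
            self.failures.append(ts)
        return self._evaluate()

    def tick(self, now):
        """Periodic re-evaluation without a new attempt (lets the alarm clear)."""
        self._expire(now)
        return self._evaluate()


def process_log(lines, report_times=5, resume_times=2, period_minutes=5):
    """Run log lines through the model; return a list of (timestamp, event)."""
    alarm = LoginFailureAlarm(report_times, resume_times, period_minutes)
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # not a login record
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ev = alarm.observe(ts, m["result"] == "FAIL")
        if ev:
            events.append((m["ts"], ev))
    return events


# Constructed sample: five failures in ten seconds, then a quiet period.
SAMPLE_LOG = """\
2022-10-31 09:00:05 SSH FAIL user=admin from=192.0.2.10
2022-10-31 09:00:07 SSH FAIL user=admin from=192.0.2.10
2022-10-31 09:00:09 SSH FAIL user=root from=192.0.2.10
2022-10-31 09:00:11 SSH OK user=ops from=192.0.2.20
2022-10-31 09:00:12 SSH FAIL user=admin from=192.0.2.10
2022-10-31 09:00:14 SSH FAIL user=admin from=192.0.2.10
2022-10-31 09:09:00 SSH OK user=ops from=192.0.2.20
""".splitlines()

if __name__ == "__main__":
    for when, event in process_log(SAMPLE_LOG):
        print(when, event)
```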

1.1.5.5.9 (Optional) Configuring the Maximum Number of Connections for SSH Login to the Server Using a Single IP Address
You can configure the maximum number of SSH connections that can be established
from a single IP address. This prevents one IP address from occupying so many
connections to the server that logins from other IP addresses fail.

Context
When a device functions as an SSH server, you can configure the maximum
number of connections established using a single IP address to prevent malicious
attacks, thereby enhancing security.

Perform the following steps on a device that functions as an SSH server.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the ssh server ip-limit-session limit-session-num command to configure the
maximum number of connections allowed for SSH login to the server through a
single IP address.

Step 3 Run the commit command to commit the configuration.

----End

1.1.5.5.10 (Optional) Configuring the Local Port Forwarding Service for the SSH
Server
After the local port forwarding service is enabled on the SSH server, a forwarding
channel can be established between the SSH server and a host with a specified IP
address and port number.

Context
The SSH server can receive forwarding request messages from the SSH client and
establish a TCP connection (forwarding channel) with a host with a specified IP
address and port number to forward data received from the client to the host only
after the local port forwarding function is enabled on the SSH server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ssh server tcp forwarding enable

The local port forwarding service is enabled on the SSH server.

Step 3 Run commit

The configuration is committed.

----End

1.1.5.5.11 Configuring the Keyboard-Interactive Authentication Mode for an SSH Server
If an SSH user logs in to a device using password card authentication, keyboard-
interactive authentication must be enabled for this user.

Context
If an SSH user logs in to a device using password card authentication, keyboard-
interactive authentication must be enabled for this user. To enable keyboard-
interactive authentication, run the ssh server authentication-type keyboard-
interactive enable command.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ssh server authentication-type keyboard-interactive enable

Keyboard-interactive authentication is enabled for the SSH server.

Step 3 Run commit

The configuration is committed.

----End

1.1.5.5.12 Setting Criteria for SSH Session Key Re-negotiation

Context
When an SSH session meets one or more of the following criteria, the system re-
negotiates a key and uses the new key to establish SSH session connections,
improving system security.

● The number of interaction packets meets the configured key re-negotiation criterion.
● The accumulated packet data volume meets the configured key re-negotiation criterion.
● The session duration meets the configured key re-negotiation criterion.
● This command can be run on an IPv4 or IPv6 SSH client.
NOTE

A key re-negotiation request is initiated when either the SSH client or server meets the key
re-negotiation criteria, and the other party responds.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Choose either of the following commands based on the SSH service type to
configure criteria that trigger key re-negotiation.
1. Run ssh client rekey { data-limit data-limit | max-packet max-packet | time minutes } *
Parameters are configured for SSH client key re-negotiation.
2. Run ssh server rekey { data-limit data-limit | max-packet max-packet | time minutes } *
Parameters are configured for SSH server key re-negotiation.
Step 3 Run commit
The configuration is committed.

----End

Checking the Configurations


● Run the display ssh client session command to check the number of packets
sent and received, data volume of packets sent and received, and online
duration of the online session after SSH client key re-negotiation.

1.1.5.5.13 Verifying the Configuration of User Login to the System Using STelnet
After using STelnet to log in to a device, verify the configuration.

Prerequisites
STelnet login has been configured.

Procedure
● Run the display ssh user-information username command on the SSH server
to check information about SSH users.
● Run the display ssh server status command on the SSH server to check its
configuration.
● Run the display ssh server session command on the SSH server to check
information about sessions between the SSH server and SSH clients.
● After configuring whitelist session-CAR for SSH, you can verify the
configuration.
– For IPv4, run the display cpu-defend whitelist session-car ssh statistics
slot slot-id command to check statistics about whitelist session-CAR for
SSH on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist session-car
ssh statistics slot slot-id command to clear the existing statistics about
whitelist session-CAR for SSH on a specified interface board, and then run
the display cpu-defend whitelist session-car ssh statistics slot slot-id
command.

– For IPv6, run the display cpu-defend whitelist-v6 session-car sshv6
statistics slot slot-id command to check statistics about whitelist session-
CAR for SSH on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist-v6 session-car
sshv6 statistics slot slot-id command to clear the existing statistics
about whitelist session-CAR for SSH on a specified interface board, and
then run the display cpu-defend whitelist-v6 session-car sshv6
statistics slot slot-id command.
----End

1.1.5.6 Configuration Examples for User Login


This section provides examples for configuring login through a console port, Telnet
login, and STelnet login.

1.1.5.6.1 Example for Configuring Login Through a Console Port


In this example, configure login parameters on a PC to implement login through a
console port.

Networking Requirements
If you have changed the default parameter values for a device's console user
interface, you must accordingly change the login parameter values on a PC before
you log in to the device through the console port next time.

Figure 1-19 Login through a console port

Configuration Roadmap
The configuration roadmap is as follows:
1. Connect the PC to the console port on the router.
2. Set login parameters on the PC.
3. Log in to the router.

Data Preparation
Login parameters need to be configured based on the physical attributes of the
console port on the router. The physical attributes include Bits per second, Data
bits, Parity, Stop bits, and Flow control. For the first login, the default values of the
parameters are used.
The PuTTY.exe software must have been installed on the client.

Procedure
Step 1 Start the PuTTY.exe program. In the PuTTY configuration page (shown in Figure
1-20), set the connection type to Serial.

Figure 1-20 PuTTY configuration page

Step 2 Choose Serial in the Category navigation tree on the left of the PuTTY
configuration page. In the port connection configuration page (shown in Figure
1-21), set the communication parameters of the port to the default values of the
device. (The following figure is for reference only. Use the default settings during
configuration.)

Figure 1-21 Port connection configuration page

Step 3 Click Open. The system then prompts you to set an authentication password, as
shown in Figure 1-22. After you confirm the password, the system automatically
saves it.

Figure 1-22 Login page

After the password is set, the command prompt (for example, <HUAWEI>) of the
user view is displayed, which indicates that you have entered the user view and
can perform configurations.

You can enter commands to configure the device or view its running status. Enter
a question mark (?) when you need help.

NOTE

The password must meet the following requirements:


● The password is entered in man-machine interaction mode. The system does not display
the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain at least two
types of the following characters: uppercase letters, lowercase letters, digits, and special
characters.
● Special characters exclude question marks (?) and spaces. However, spaces are allowed
in the password if the password is enclosed in double quotation marks.
– If the password contains spaces, it cannot also contain double quotation marks.
– If the password contains no spaces, it can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.

----End

1.1.5.6.2 Example for Configuring Telnet Login for an IPv4 User


In this example, VTY user interfaces and login parameters are configured for an
IPv4 user to implement Telnet login from an IPv4 client.

Networking Requirements
It is required that an IPv4 user log in to a device through Telnet from a client on a
different network segment for remote maintenance.

Figure 1-23 Telnet login


NOTE

In this example, interface 1 represents GigabitEthernet0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Establish a physical connection.
2. Assign an IP address to the management interface on P1.
3. Configure VTY user interface parameters, including the limit on incoming and
outgoing calls.
4. Configure Telnet user information.

Data Preparation
To complete the configuration, you need the following data:
● IP address of the management interface on P1
● Maximum number of VTY user interfaces: 10
● Number of the ACL that is used to prohibit users from logging in to another
device: 3001
● Timeout period of a user connection: 20 minutes
● Number of rows displayed on a terminal screen: 30
● Buffer size for historical commands: 20
● Telnet user information (authentication mode: AAA, user name: huawei,
password: YsHsjx_202206)

Procedure
Step 1 Connect the PC and the device to the network.
Step 2 Assign an IP address to the management interface on P1.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[*HUAWEI] commit
[~P1] interface GigabitEthernet0/0/0
[~P1-GigabitEthernet0/0/0] undo shutdown
[*P1-GigabitEthernet0/0/0] ip address 10.137.217.33 255.255.254.0

[*P1-GigabitEthernet0/0/0] commit
[~P1-GigabitEthernet0/0/0] quit

Step 3 Enable the Telnet server function.


[~P1] telnet server enable
[*P1] telnet server-source -i GigabitEthernet0/0/0
[*P1] commit

Step 4 Configure VTY user interfaces on the device.


# Set the maximum number of VTY user interfaces.
[~P1] user-interface maximum-vty 10
[*P1] commit

# Configure an ACL to prohibit users from logging in to another device.


[~P1] acl 3001
[*P1-acl4-advance-3001] rule deny tcp source any destination-port eq telnet
[*P1-acl4-advance-3001] quit
[*P1] user-interface vty 0 9
[*P1-ui-vty0-9] acl 3001 outbound

# Set terminal attributes for the VTY user interfaces.


[*P1-ui-vty0-9] shell
[*P1-ui-vty0-9] idle-timeout 20
[*P1-ui-vty0-9] screen-length 30
[*P1-ui-vty0-9] history-command max-size 20

# Set an authentication mode for the VTY user interfaces.


[*P1-ui-vty0-9] authentication-mode aaa
[*P1-ui-vty0-9] commit
[~P1-ui-vty0-9] quit

Step 5 Set Telnet user information on the device.


# Specify the login authentication mode.
[~P1] aaa
[*P1-aaa] local-user huawei password
Please configure the passward (8-128)
Enter Password:
Confirm Password:

NOTE

● If cipher or irreversible-cipher is not specified, a password is entered in man-machine
interaction mode and the system does not display the entered password.
When the user security policy is configured, the value is a string of 8 to 128 case-
insensitive characters without spaces. When the user security policy is not configured,
the value is a string of 1 to 128 case-insensitive characters without spaces. When the
user security policy is configured, the password cannot be the same as the user name or
its reverse. The password must contain the following characters: upper-case character,
lower-case character, digit, and special character.
Special characters do not include question marks (?) or spaces. However, when double
quotation marks are used around a password, spaces are allowed in the password.
– If the password contains spaces, it cannot also contain double quotation marks.
– If the password contains no spaces, it can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
● If cipher is specified, a password can be entered in either simple text or cipher text.
If a password is entered in simple text, the password requirements are the same as
those when cipher is not specified. When you input a password in simple text, the
system displays the password in simple text, which poses security risks.
A password is displayed in cipher text in the configuration file regardless of whether it is
entered in simple text or cipher text.
● If irreversible-cipher is specified, a password can be entered in either simple text or
irreversible cipher text.
If a password is entered in simple text, the password requirements are the same as
those when irreversible-cipher is not specified.
A password is displayed in cipher text in the configuration file regardless of whether it is
entered in simple text or irreversible cipher text.
[*P1-aaa] local-user huawei service-type telnet
[*P1-aaa] local-user huawei level 3
[*P1-aaa] commit
[~P1-aaa] quit

Step 6 Log in to P1 from the PC.


Enter the Windows Command Prompt window and run the telnet command to
log in to P1.
Press Enter and enter a user name and password in the login window. After
authentication succeeds, a command prompt of the user view is displayed.

----End

Configuration Files
● P1 configuration file
#
sysname P1
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
aaa
local-user huawei password irreversible-cipher $1c$]zV2B\j!z:$hRujV[%/IE|0MwBQ}5sAX(RdE[oj#5otqG6=@>KK$
local-user huawei service-type telnet
local-user huawei level 3
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.33 255.255.254.0
#
telnet server enable
telnet server-source -i GigabitEthernet0/0/0
#
user-interface maximum-vty 10
#
user-interface vty 0 9
authentication-mode aaa
history-command max-size 20
idle-timeout 20 0
screen-length 30
acl 3001 outbound
#
return

1.1.5.6.3 Example for Configuring Telnet Login for an IPv6 User


In this example, VTY user interfaces and login parameters are configured for an
IPv6 user to implement Telnet login from an IPv6 client.

Networking Requirements
It is required that an IPv6 user log in to a device through Telnet from a client on a
different network segment for remote maintenance.

Figure 1-24 Telnet login


NOTE

Interface 1 in this example represents GigabitEthernet0/0/0.

Configuration Roadmap
1. Establish a physical connection.
2. Configure an IPv6 address for the management interface on the device.
3. Configure VTY user interface parameters, including the limit on incoming and
outgoing calls.
4. Configure Telnet user information.

Data Preparation
PuTTY 0.70 (latest release) or 0.71 has been installed on the Telnet client, and
IPv6 routes between the Telnet client and Interface 1 are available.

To complete the configuration, you need the following data:
● IPv6 address of the management interface on the device
● Maximum number of VTY user interfaces: 15
● Number of the ACL6 that is used to prohibit users from logging in to another
router: 3001
● Timeout period of a user connection: 20 minutes
● Number of rows displayed on a terminal screen: 30
● Buffer size for historical commands: 20
● User name (huawei123), password (YsHsjx_202206), and authentication
mode (AAA) of the IPv6 user who accesses the device through Telnet

Procedure
Step 1 Connect the PC and the router to the network.

Step 2 Assign an IPv6 address to the management interface on the device.


<HUAWEI> system-view
[~HUAWEI] sysname Device
[*HUAWEI] commit
[~Device] interface GigabitEthernet0/0/0
[~Device-GigabitEthernet0/0/0] undo shutdown
[~Device-GigabitEthernet0/0/0] ipv6 enable
[*Device-GigabitEthernet0/0/0] ipv6 address 2001:db8::1 32
[*Device-GigabitEthernet0/0/0] commit
[~Device-GigabitEthernet0/0/0] quit

Step 3 Enable the Telnet server function.


[~Device] telnet ipv6 server enable
[*Device] telnet ipv6 server-source -a 2001:db8::1
[*Device] commit

Step 4 Configure VTY user interfaces on the router.

# Set the maximum number of VTY user interfaces.


[~Device] user-interface maximum-vty 15
[*Device] commit

# Configure an ACL6 to prohibit users from logging in to another router.


[~Device] acl ipv6 3001
[*Device-acl6-advance-3001] rule deny tcp source any destination-port eq telnet
[*Device-acl6-advance-3001] quit
[*Device] user-interface vty 0 14
[*Device-ui-vty0-14] acl ipv6 3001 outbound

# Set terminal attributes for the VTY user interfaces.


[*Device-ui-vty0-14] shell
[*Device-ui-vty0-14] idle-timeout 20
[*Device-ui-vty0-14] screen-length 30
[*Device-ui-vty0-14] history-command max-size 20

# Set an authentication mode for the VTY user interfaces.


[*Device-ui-vty0-14] authentication-mode aaa
[*Device-ui-vty0-14] commit
[~Device-ui-vty0-14] quit

Step 5 Set Telnet user information on the router.

# Specify the login authentication mode.


[~Device] aaa
[*Device-aaa] local-user huawei123 password
Please configure the passward (8-128)
Enter Password:
Confirm Password:

NOTE

● If cipher or irreversible-cipher is not specified, a password is entered in man-machine
interaction mode and the system does not display the entered password.
When the user security policy is configured, the value is a string of 8 to 128 case-
insensitive characters without spaces. When the user security policy is not configured,
the value is a string of 1 to 128 case-insensitive characters without spaces. When the
user security policy is configured, the password cannot be the same as the user name or
its reverse. The password must contain the following characters: upper-case character,
lower-case character, digit, and special character.
Special characters do not include question marks (?) or spaces. However, when double
quotation marks are used around a password, spaces are allowed in the password.
– If the password contains spaces, it cannot also contain double quotation marks.
– If the password contains no spaces, it can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
● If cipher is specified, a password can be entered in either simple text or cipher text.
If a password is entered in simple text, the password requirements are the same as
those when cipher is not specified. When you input a password in simple text, the
system displays the password in simple text, which poses security risks.
A password is displayed in cipher text in the configuration file regardless of whether it is
entered in simple text or cipher text.
● If irreversible-cipher is specified, a password can be entered in either simple text or
irreversible cipher text.
If a password is entered in simple text, the password requirements are the same as
those when irreversible-cipher is not specified.
A password is displayed in cipher text in the configuration file regardless of whether it is
entered in simple text or irreversible cipher text.
[*Device-aaa] local-user huawei123 service-type telnet
[*Device-aaa] local-user huawei123 level 3
[*Device-aaa] commit
[~Device-aaa] quit

Step 6 Log in to the device from the PC.


Double-click PuTTY.exe to open the PuTTY Configuration page, as shown in
Figure 1-25. Select Session, enter the IPv6 address of the server to be accessed in
the Host Name (or IP address) text box, and use the default port number 23.

Figure 1-25 PuTTY configuration page for Telnet login

Click Open. The system prompts you to enter the user name and password, as
shown in Figure 1-26. In this example, the user name is huawei123, and the
password is YsHsjx_202206.

Figure 1-26 Login window

----End

Device configuration file


#
sysname Device
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
aaa
local-user huawei123 password irreversible-cipher $1c$]zV2B\j!z:$hRujV[%/IE|0MwBQ}5sAX(RdE[oj#5otqG6=@>KK$
local-user huawei123 service-type telnet
local-user huawei123 level 3
local-user huawei123 state block fail-times 3 interval 5
#
interface GigabitEthernet0/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:DB8::1/32
#
telnet ipv6 server enable
telnet ipv6 server-source -a 2001:db8::1
#
user-interface maximum-vty 15
#
user-interface vty 0 14
acl ipv6 3001 outbound
authentication-mode aaa
history-command max-size 20
idle-timeout 20 0
screen-length 30
#
return

1.1.5.6.4 Example for Configuring STelnet Login for an IPv4 User


This section describes how to allow an IPv4 user to log in to an SSH server
through STelnet to implement STelnet remote login and device management.

Networking Requirements
Large numbers of devices need to be managed and maintained on a network, and
connecting each device to its own terminal is impractical. When no reachable route
exists between remote devices and a terminal, you can use Telnet to log in to the
remote devices from a device that you have already logged in to. However, Telnet
provides no secure authentication mode, and data is transmitted in plaintext over
TCP, which poses security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides
encryption and authentication and protects devices against attacks, such as IP
spoofing.
As shown in Figure 1-27, after the STelnet server function is enabled on the router
functioning as an SSH server, the PC functioning as an SSH client can log in to the
SSH server in password, RSA, password-rsa, ECC, password-ecc, DSA, password-
dsa, password-sm2, SM2, x509v3-ssh-rsa, password-x509v3-rsa, or All
authentication mode. This example uses RSA authentication to describe how to
configure an SSH client to log in to the server using STelnet.
To prevent unauthorized users from logging in to the SSH server and improve
system security, configure ACL rules on the SSH server.

Figure 1-27 STelnet login


NOTE

Interface 1 in this example represents GigabitEthernet0/0/0.


This section uses the management interface as an example to describe how to configure STelnet
login. In actual application scenarios, you can select an interface for communication between
the client and server based on the networking.

Configuration Roadmap
The configuration roadmap is as follows:

1. Log in to the SSH server through the console port and configure an IPv4
address for the management interface on the SSH server.
2. Configure the VTY user interface on the SSH server.
3. Create a local SSH user and configure the authentication mode and service
type.
4. Create an SSH user and configure the authentication mode for the user.
5. On the SSH client, create a key pair based on the configured SSH user
authentication mode and copy the public key to the SSH server.
6. On the SSH server, edit the public key and assign the edited public key to the
user.
7. Enable STelnet on the SSH server and set the service type of the SSH user to
STelnet.
8. Configure an ACL rule for STelnet client login on the SSH server.
9. Set parameters for STelnet login to the server.

Data Preparation
To complete the configuration, you need the following data:

● PuTTYGen.exe and PuTTY.exe installed on the SSH client
● IP address (10.248.103.194/24) of the management interface on the SSH
server
● Local user's authentication mode (password), username (huawei123), and
password (YsHsjx_202206)
● SSH user's authentication mode (RSA)
● Basic ACL 2000, used to allow the clients of the network segment
10.248.103.0/24 to access the SSH server

Procedure
Step 1 Configure an IP address for the management interface on the SSH server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] interface GigabitEthernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[*SSH Server-GigabitEthernet0/0/0] ip address 10.248.103.194 255.255.255.0
[*SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit

Step 2 Configure the VTY user interface on the SSH server.


[~SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] user privilege level 3
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the device automatically disables the Telnet
function.

Step 3 Create a local user on the server, add the user to the administrator group, and
configure the service type of the user.
[~SSH Server] aaa
[~SSH Server-aaa] local-user huawei123 password
Please configure the passward (8-128)
Enter Password:
Confirm Password:

NOTE

● If cipher or irreversible-cipher is not specified, a password is entered in man-machine
interaction mode and the system does not display the entered password.
When the user security policy is configured, the value is a string of 8 to 128 case-
insensitive characters without spaces. When the user security policy is not configured,
the value is a string of 1 to 128 case-insensitive characters without spaces. When the
user security policy is configured, the password cannot be the same as the user name or
its reverse. The password must contain the following characters: upper-case character,
lower-case character, digit, and special character.
Special characters do not include question marks (?) or spaces. However, when double
quotation marks are used around a password, spaces are allowed in the password.
– If the password contains spaces, it cannot also contain double quotation marks.
– If the password contains no spaces, it can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
● If cipher is specified, a password can be entered in either simple text or cipher text.
If a password is entered in simple text, the password requirements are the same as
those when cipher is not specified. When you input a password in simple text, the
system displays the password in simple text, which poses security risks.
A password is displayed in cipher text in the configuration file regardless of whether it is
entered in simple text or cipher text.
● If irreversible-cipher is specified, a password can be entered in either simple text or
irreversible cipher text.
If a password is entered in simple text, the password requirements are the same as
those when irreversible-cipher is not specified.
A password is displayed in cipher text in the configuration file regardless of whether it is
entered in simple text or irreversible cipher text.
[*SSH Server-aaa] local-user huawei123 service-type ssh
[*SSH Server-aaa] local-user huawei123 user-group manage-ug
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

Step 4 Create an SSH user on the server and configure the authentication mode for the
user.
[~SSH Server] ssh user huawei123
[*SSH Server] ssh user huawei123 authentication-type rsa
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit

Step 5 Use PuTTY to create an RSA key pair on the SSH client and copy the public key to
the SSH server.
1. Enter the Windows Command Prompt window.
2. Enter PuTTYGen and click Generate to generate a key pair, as shown in
Figure 1-28.

Figure 1-28 PuTTY Key Generator (1)

Keep moving the mouse over the blank area of the window (not over the green
progress bar) while the key pair is being generated. Otherwise, the progress bar
stops and key generation pauses. Figure 1-29 shows the key pair being generated.

Figure 1-29 PuTTY Key Generator (2)

3. After the key pair is generated, enter the password in the Key passphrase text
box and enter the password again in the Confirm passphrase text box. This
password is used for the SSH terminal user to log in to the SSH server. Click
Save private key, enter private for the name of the private key file, and click
Save. Copy the generated public key to the Notepad and name it public.txt.

Figure 1-30 PuTTY Key Generator (3)

Step 6 On the SSH server, edit the public key and assign the edited public key to the user.
[~SSH Server] rsa peer-public-key rsa01 encoding-type openssh
[*SSH Server-rsa-public-key] public-key-code begin
[*SSH Server-rsa-public-key-rsa-key-code] ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6
qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kS
RIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6dSr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM
6tdf+hh/992o6GHBD9IbJe9mG6WoAmDkBmedXzBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZO
L3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzsBETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNC
ZpsjmCwkg+4RFGQ== rsa-key-20190422
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-key-code] peer-public-key end
[*SSH Server] ssh user huawei123 assign rsa-key rsa01
[*SSH Server] commit

Step 7 Enable the STelnet function and set the service type to STelnet.
[~SSH Server] stelnet server enable
[*SSH Server] ssh server-source -i GigabitEthernet0/0/0
[*SSH Server] ssh user huawei123 service-type stelnet
[*SSH Server] commit

Step 8 Configure an ACL rule.
[~SSH Server] acl 2000
[*SSH Server-acl4-basic-2000] rule permit source 10.248.103.0 8
[*SSH Server-acl4-basic-2000] quit
[*SSH Server] ssh server acl 2000
[*SSH Server] commit

Step 9 Use PuTTY.exe to log in to the SSH server from the client.
1. Start the PuTTY.exe program. The client configuration page is displayed, as
shown in Figure 1-31. For security purposes, using PuTTY 0.58 or later is
recommended. Enter the IP address of the SSH server in the Host Name (or
IP address) text box.

Figure 1-31 SSH client configuration page (1)

2. On the SSH client configuration page, choose Connection > SSH from the
Category navigation tree. The dialog box as shown in Figure 1-32 is
displayed. In the Protocol options area, set SSH protocol version to 2.

Figure 1-32 SSH client configuration page (2)

3. Select Auth in SSH. The dialog box as shown in Figure 1-33 is displayed. Click
Browse to import the private key file private.ppk.

Figure 1-33 SSH client configuration page (3)

4. Click Open. If the connection is normal, the system prompts you to enter the
username, as shown in Figure 1-34.

Figure 1-34 SSH client login authentication page

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
acl number 2000
rule 5 permit source 10.248.103.0 0.0.0.255
#
rsa peer-public-key rsa01 encoding-type openssh
public-key-code begin
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx
3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kSRIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6d
Sr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM6tdf+hh/
992o6GHBD9IbJe9mG6WoAmDkBmedX
zBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZOL3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzs
BETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNCZpsjmCwkg+4RFGQ== rsa-key
public-key-code end
peer-public-key end
#
aaa
local-user huawei123 password irreversible-cipher $1c$+,JS+))\\2$KVNj(.
3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user huawei123 service-type ssh
local-user huawei123 user-group manage-ug
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.248.103.194 255.255.255.0
#
stelnet server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user huawei123
ssh user huawei123 authentication-type rsa
ssh user huawei123 assign rsa-key rsa01
ssh user huawei123 service-type stelnet
ssh server acl 2000
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user privilege level 3
#
return

1.1.5.6.5 Example for Configuring STelnet Login for an IPv6 User

This section describes how to allow an IPv6 user to log in to an SSH server
through STelnet for remote login and device management.

Networking Requirements
A network usually contains a large number of devices that need to be managed
and maintained, and a terminal cannot be connected to every one of them. When
no reachable route exists between a remote device and the terminal, you can use
Telnet to log in to the remote device from a device that you have already logged
in to. Telnet provides no secure authentication mode, and its data is transmitted
in plaintext over TCP, which brings security risks.

STelnet is a secure Telnet service based on SSH connections. SSH provides
encryption and authentication and protects devices against attacks, such as IP
spoofing.

As shown in Figure 1-35, after the STelnet server function is enabled on the router
functioning as an SSH server, the PC functioning as an SSH client can log in to the
SSH server in password, RSA, password-rsa, ECC, password-ecc, DSA, password-
dsa, password-sm2, SM2, x509v3-ssh-rsa, password-x509v3-rsa, or All
authentication mode. RSA authentication mode is used in this example.

To prevent unauthorized users from logging in to the SSH server and improve
system security, configure ACL6 rules on the SSH server.

Figure 1-35 STelnet login

NOTE

Interface1 in this example represents GigabitEthernet0/0/0.
This section uses the management interface as an example to describe how to configure STelnet
login. In actual application scenarios, you can select an interface for communication between
the client and server based on the networking.

Configuration Roadmap
The configuration roadmap is as follows:

1. Log in to the SSH server through the console port and configure an IPv6
address for the management interface on the SSH server.
2. Configure the VTY user interface on the SSH server.
3. Create a local SSH user and configure the authentication mode and service
type.
4. Create an SSH user and configure the authentication mode for the user.
5. On the SSH client, create a key pair based on the configured SSH user
authentication mode and copy the public key to the SSH server.
6. On the SSH server, edit the public key and assign the edited public key to the
user.
7. Enable IPv6 STelnet on the SSH server and set the service type of the SSH
user to STelnet.
8. Configure an ACL6 rule for STelnet client login on the SSH server.
9. Set parameters for STelnet login to the server.

Data Preparation
To complete the configuration, you need the following data:

● PuTTYGen.exe and PuTTY.exe installed on the SSH client
● IPv6 address (2001:db8::1/32) of the management interface on the SSH server
● Routes available between the SSH client and the management interface on
the server
● Local user's authentication mode (password), username (huawei123) and
password (YsHsjx_202206)
● SSH user's authentication mode (RSA)
● Basic ACL6 2000, used to allow the clients of the network segment
2001:db8::1/32 to access the SSH server

Procedure
Step 1 Configure an IPv6 address for the management interface on the SSH server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] interface GigabitEthernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ipv6 enable
[*SSH Server-GigabitEthernet0/0/0] ipv6 address 2001:db8::1 32
[*SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit

Step 2 Configure the VTY user interface on the SSH server.
[~SSH Server] user-interface maximum-vty 15
[~SSH Server] user-interface vty 0 14
[*SSH Server-ui-vty0-14] authentication-mode aaa
[*SSH Server-ui-vty0-14] protocol inbound ssh
[*SSH Server-ui-vty0-14] user privilege level 3
[*SSH Server-ui-vty0-14] commit
[~SSH Server-ui-vty0-14] quit

NOTE

If SSH is configured as the login protocol, the device automatically disables the Telnet
function.

Step 3 Create a local user on the server, add the user to the administrator group, and
configure the service type of the user.
[~SSH Server] aaa
[~SSH Server-aaa] local-user huawei123 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

● If cipher or irreversible-cipher is not specified, the password is entered interactively
and the system does not display the characters you type.
When the user security policy is configured, the value is a string of 8 to 128 case-
insensitive characters without spaces. When the user security policy is not configured,
the value is a string of 1 to 128 case-insensitive characters without spaces. When the
user security policy is configured, the password cannot be the same as the user name or
its reverse, and it must contain all of the following: an upper-case character, a lower-case
character, a digit, and a special character.
Special characters do not include question marks (?) or spaces. However, when the
password is enclosed in double quotation marks, spaces are allowed in it.
– A password enclosed in double quotation marks cannot contain double quotation marks
if it contains spaces.
– A password enclosed in double quotation marks can contain double quotation marks if
it contains no spaces.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
● If cipher is specified, the password can be entered in either simple text or cipher text.
If it is entered in simple text, the requirements are the same as when cipher is not
specified. A password typed in simple text is displayed on the screen as you type it,
which is a disclosure risk.
The password is stored in cipher text in the configuration file regardless of whether it
was entered in simple text or cipher text.
● If irreversible-cipher is specified, the password can be entered in either simple text or
irreversible cipher text. If it is entered in simple text, the requirements are the same as
when irreversible-cipher is not specified.
The password is stored in cipher text in the configuration file regardless of whether it
was entered in simple text or irreversible cipher text.
[*SSH Server-aaa] local-user huawei123 service-type ssh
[*SSH Server-aaa] local-user huawei123 user-group manage-ug
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
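The password rules in the NOTE above (and in the identical NOTE in Step 3 of the IPv4 example before it) are easy to misread, in particular the interaction between spaces and double quotation marks. The following Python script is an added example, not Huawei's code and not part of the device: it encodes those rules as the NOTE states them and reports which rule a candidate password violates, so that a password can be vetted before it is typed at the interactive prompt. The only assumption beyond the NOTE is that the comparison with the user name and its reverse is case-insensitive. The sample passwords are constructed, apart from the NOTE's own valid/invalid pair and the YsHsjx_202206 value listed under Data Preparation.

```python
"""Offline checker for the local-user password rules quoted in the NOTE above.

Added example, not Huawei's code. Assumption: the user-name/reverse comparison
is case-insensitive (the NOTE does not say either way).
"""
import string

MAX_LEN = 128
MIN_LEN_WITH_POLICY = 8      # "user security policy is configured"
MIN_LEN_WITHOUT_POLICY = 1   # "user security policy is not configured"


def unquote(raw):
    """Strip one pair of enclosing double quotes.

    Returns (password, quoted). Only a quoted password may contain spaces.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1], True
    return raw, False


def check_password(raw, username, security_policy=True):
    """Return the list of violated rules; an empty list means the password is accepted."""
    pwd, quoted = unquote(raw)
    problems = []

    low = MIN_LEN_WITH_POLICY if security_policy else MIN_LEN_WITHOUT_POLICY
    if not low <= len(pwd) <= MAX_LEN:
        problems.append(f"length {len(pwd)} is outside {low}-{MAX_LEN}")

    # '?' is never allowed. A space is allowed only inside a quoted password,
    # and a quoted password that contains spaces may not also contain quotes.
    if "?" in pwd:
        problems.append("contains a question mark")
    if " " in pwd:
        if not quoted:
            problems.append("contains a space but is not enclosed in double quotes")
        if '"' in pwd:
            problems.append("contains both spaces and double quotes")

    if security_policy:
        # Assumption: case-insensitive comparison (the conservative reading).
        if pwd.lower() in (username.lower(), username.lower()[::-1]):
            problems.append("equals the user name or its reverse")
        classes = {
            "upper-case character": any(c in string.ascii_uppercase for c in pwd),
            "lower-case character": any(c in string.ascii_lowercase for c in pwd),
            "digit": any(c in string.digits for c in pwd),
            # anything that is not a letter, digit, space or '?' counts as special
            "special character": any(
                c not in string.ascii_letters + string.digits + " ?" for c in pwd
            ),
        }
        for name, present in classes.items():
            if not present:
                problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    # Constructed inputs; the first two are the NOTE's own valid/invalid pair.
    for candidate in ['"Aa123"45""', '"Aa 123"45""', "YsHsjx_202206",
                      "huawei123", "Abc?1234", '"My Pass 1!"']:
        print(repr(candidate), check_password(candidate, "huawei123") or "OK")
```

The checker unquotes first and only then applies the space and quotation-mark rules, which is what makes the NOTE's two examples come out as stated: "Aa123"45"" passes because the inner quotes are legal when no space is present, while "Aa 123"45"" fails on the combination of a space and inner quotes.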

Step 4 Create an SSH user on the server and configure the authentication mode for the
user.
[~SSH Server] ssh user huawei123
[*SSH Server] ssh user huawei123 authentication-type rsa
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit

Step 5 Use PuTTY to create an RSA key pair on the SSH client and copy the public key to
the SSH server.
1. Enter the Windows command-line interface.
2. Enter PuTTYGen and click Generate to generate a key pair, as shown in
Figure 1-36.

Figure 1-36 PuTTY Key Generator (1)

Keep moving the mouse over the blank area of the window (not over the green
progress bar) while the key pair is being generated. Otherwise, the progress bar
stops and key generation pauses. Figure 1-37 shows the key pair being generated.

Figure 1-37 PuTTY Key Generator (2)

3. After the key pair is generated, enter the password in the Key passphrase text
box and enter the password again in the Confirm passphrase text box. This
password is used for the SSH terminal user to log in to the SSH server. Click
Save private key, enter private for the name of the private key file, and click
Save, as shown in Figure 1-38. Copy the generated public key to the Notepad
and name it public.txt.

Figure 1-38 PuTTY Key Generator (3)

Step 6 On the SSH server, edit the public key and assign the edited public key to the user.
[~SSH Server] rsa peer-public-key rsa01 encoding-type openssh
[*SSH Server-rsa-public-key] public-key-code begin
[*SSH Server-rsa-public-key-rsa-key-code] ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6
qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kS
RIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6dSr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM
6tdf+hh/992o6GHBD9IbJe9mG6WoAmDkBmedXzBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZO
L3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzsBETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNC
ZpsjmCwkg+4RFGQ== rsa-key-20190422
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-key-code] peer-public-key end
[*SSH Server] ssh user huawei123 assign rsa-key rsa01
[*SSH Server] commit
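Before a pasted public key is assigned to a user in Step 6 (here and in the IPv4 example above), it is worth confirming that the text survived the copy from PuTTYgen intact and describes the key you expect. The following Python script is an added example, not Huawei's or PuTTY's code: it decodes the OpenSSH public-key line into the SSH wire format of RFC 4253 (string "ssh-rsa", mpint e, mpint n), reports the modulus size, public exponent and SHA256 fingerprint, detects a truncated paste, and warns on a modulus below 2048 bits (that threshold is this example's own policy, not a device setting). The embedded key is the one shown in Step 6, reassembled from its wrapped terminal lines; the fingerprint it prints can be compared with the one the key generator or the client shows for the same key.

```python
"""Inspect an OpenSSH-format RSA public key line before pasting it into the device.

Added example, not Huawei's or PuTTY's code. The key below is copied from Step 6
of this section, one list entry per wrapped terminal line.
"""
import base64
import hashlib
import struct

STEP6_KEY_LINES = [
    "AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6",
    "qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kS",
    "RIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6dSr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM",
    "6tdf+hh/992o6GHBD9IbJe9mG6WoAmDkBmedXzBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZO",
    "L3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzsBETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNC",
    "ZpsjmCwkg+4RFGQ==",
]
STEP6_KEY_LINE = "ssh-rsa " + "".join(STEP6_KEY_LINES) + " rsa-key-20190422"


def _read_string(blob, pos):
    """Read one SSH 'string': a big-endian uint32 length followed by that many bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated field (incomplete paste?)")
    return blob[pos:pos + length], pos + length


def parse_openssh_rsa(line):
    """Parse 'ssh-rsa <base64> [comment]' into type, bits, exponent, fingerprint, comment."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected a line of the form 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)

    algo, pos = _read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError(f"blob type {algo!r} does not match the 'ssh-rsa' prefix")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected trailing bytes after the modulus")

    # mpint is big-endian two's complement; a positive value whose top bit is set
    # carries a leading 0x00 byte, which int.from_bytes absorbs.
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    digest = hashlib.sha256(blob).digest()          # OpenSSH-style SHA256 fingerprint
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {
        "type": "ssh-rsa",
        "bits": n.bit_length(),
        "exponent": e,
        "fingerprint": fingerprint,
        "comment": fields[2] if len(fields) > 2 else "",
    }


def inspect_key_line(line):
    """Like parse_openssh_rsa, but reports a malformed line as {'error': ...}."""
    try:
        return parse_openssh_rsa(line)
    except ValueError as exc:                        # binascii.Error is a ValueError
        return {"error": str(exc)}


def key_warnings(info, min_bits=2048):
    """Checks to apply before assigning the key to a user (2048 is this example's policy)."""
    warnings = []
    if info["bits"] < min_bits:
        warnings.append(f"modulus is only {info['bits']} bits (minimum {min_bits})")
    if info["exponent"] < 3 or info["exponent"] % 2 == 0:
        warnings.append("public exponent is not an odd integer >= 3")
    return warnings


if __name__ == "__main__":
    info = parse_openssh_rsa(STEP6_KEY_LINE)
    print(info)
    print(key_warnings(info) or "no warnings")
    # A paste that lost its last three lines is reported rather than silently accepted.
    print(inspect_key_line("ssh-rsa " + "".join(STEP6_KEY_LINES[:3])))
```

Two structural checks catch most copy errors: the base64 must decode (a missing line breaks the padding), and the three length-prefixed fields must consume the blob exactly. For the key on this page the result is a 2048-bit modulus with public exponent 37, the exponent PuTTYgen uses by default.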

Step 7 Enable the IPv6 STelnet function and set the service type to STelnet.
[~SSH Server] stelnet ipv6 server enable
[*SSH Server] ssh ipv6 server-source -a 2001:db8::1
[*SSH Server] ssh user huawei123 service-type stelnet
[*SSH Server] commit

Step 8 Configure an ACL6 rule.
[~SSH Server] acl ipv6 2000
[*SSH Server-acl6-basic-2000] rule permit source 2001:db8::1 32
[*SSH Server-acl6-basic-2000] quit
[*SSH Server] ssh server acl ipv6 2000
[*SSH Server] commit

Step 9 Use PuTTY.exe to log in to the SSH server from the client.
1. Start the PuTTY.exe program. The PuTTY configuration page as shown in
Figure 1-39 is displayed. For security purposes, using PuTTY 0.58 or later is
recommended. Enter the IP address of the SSH server in the Host Name (or
IP address) text box.

Figure 1-39 SSH client configuration page (1)

2. In the navigation tree on the left of the SSH client configuration page, choose
Category > Connection > SSH. The dialog box as shown in Figure 1-40 is
displayed. In the Protocol options area, set Preferred SSH protocol version
to 2.

Figure 1-40 SSH client configuration page (2)

3. Select Auth in SSH. The dialog box as shown in Figure 1-41 is displayed. Click
Browse to import the private key file private.ppk.

Figure 1-41 SSH client configuration page (3)

4. Click Open. If the connection is normal, the system prompts you to enter the
user name, as shown in Figure 1-42.

Figure 1-42 SSH client login authentication page

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
acl ipv6 number 2000
rule 5 permit source 2001:DB8::/32
#
rsa peer-public-key rsa01 encoding-type openssh
public-key-code begin
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxHbcqV6qqnb1+jQQ0qFLptxWS1xRFfDe6DuMaX2eRUCx
3fp2eBA1bgUfHd7eCO05CfHfC443oNBwlj/39Obi8kSRIQSlXOU1KIP8DNYtwU/N23p/YDHzbgOVvN6d
Sr+Ua2Er7m2Hehzdo2XoGuWokqhnuMpA7O7zykXs7rM6tdf+hh/
992o6GHBD9IbJe9mG6WoAmDkBmedX
zBqJeeGb2wbGg9hBTIgVQqZNhthGcVlLUlPJlZQi1ZOL3C/cVIOXqnVOqqxHk6nlWcMRo0PxOAegtyzs
BETnvcEO2xVw6zF0WVFvU60C99THB+GpuHuRdWzvUNCZpsjmCwkg+4RFGQ== rsa-key
public-key-code end
peer-public-key end
#
aaa
local-user huawei123 password irreversible-cipher $1c$+,JS+))\\2$KVNj(.
3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user huawei123 service-type ssh
local-user huawei123 user-group manage-ug
#
interface GigabitEthernet0/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:DB8::1/32
#
stelnet ipv6 server enable
ssh ipv6 server-source -a 2001:db8::1
ssh user huawei123
ssh user huawei123 authentication-type rsa
ssh user huawei123 assign rsa-key rsa01
ssh user huawei123 service-type stelnet
ssh server acl ipv6 2000
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
user-interface vty 0 14
authentication-mode aaa
protocol inbound ssh
user privilege level 3
#
return

1.1.5.6.6 Example for Configuring an NMS to Communicate with a Device by SSH over a VPN

This section provides an example for configuring an NMS to communicate with a
device by SSH over a VPN.

Networking Requirements
On the network shown in Figure 1-43, an NMS, device, and AAA server are
connected over a VPN. The NMS is integrated with the SSH client and SFTP server
functions. The SSH client uses SSH to log in to and communicate with the device.
The SFTP server uses SFTP for file transfer with the device functioning as an SFTP
client.

Figure 1-43 Networking diagram for configuring an NMS to communicate with a device by SSH over a VPN

NOTE

In this example, interface 1 stands for GE 1/0/0, interface 2 stands for GE 2/0/0, and
interface 3 stands for GE 3/0/0. The interfaces are bound to the same VPN instance.

Precautions
Ensure that the route between the device and NMS is reachable.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN instance.
2. Bind the interfaces connecting the device to the NMS and HWTACACS server
to the VPN instance.
3. Configure a default VPN instance used by the NMS to manage the device.
4. Configure an HWTACACS server.
5. Configure a local AAA user and set its access mode to SSH and authentication
mode to HWTACACS.
6. Configure an SSH user and set its authentication and service modes.
7. Configure an SNMPv3 USM user to allow the NMS to access the device.
8. Configure an SFTP client to use SFTP for file transfer.

NOTE

After the default VPN instance is configured for the NMS to manage the device, the
HWTACACS server, TFTP client, FTP client, SFTP client, SCP client, SNMP module, Info
Center module, PM module, and IP FPM module on the device all belong to the default
VPN if other VPN instances are not configured. If other VPN instances are configured, the
VPN instance configured for each feature is preferentially selected. To access the public
network, you must set the public-net parameter.

Data Preparation
To complete the configuration, you need the following data:

● Name of a VPN instance
● SNMP version
● SNMPv3 USM user name and password

Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] ip vpn-instance vrf1
[*DeviceA-vpn-instance-vrf1] ipv4-family
[*DeviceA-vpn-instance-vrf1-af-ipv4] route-distinguisher 22:1
[*DeviceA-vpn-instance-vrf1-af-ipv4] vpn-target 111:1 both
[*DeviceA-vpn-instance-vrf1-af-ipv4] quit
[*DeviceA-vpn-instance-vrf1] quit
[*DeviceA] commit

Step 2 Bind interfaces to the VPN instance.
[~DeviceA] interface gigabitethernet 1/0/0
[~DeviceA-GigabitEthernet1/0/0] undo shutdown
[*DeviceA-GigabitEthernet1/0/0] ip binding vpn-instance vrf1
[*DeviceA-GigabitEthernet1/0/0] ip-address 10.1.1.2 255.255.255.0
[*DeviceA-GigabitEthernet1/0/0] quit
[*DeviceA] interface gigabitethernet 2/0/0
[*DeviceA-GigabitEthernet2/0/0] undo shutdown
[*DeviceA-GigabitEthernet2/0/0] ip binding vpn-instance vrf1
[*DeviceA-GigabitEthernet2/0/0] ip-address 10.2.1.2 255.255.255.0
[*DeviceA-GigabitEthernet2/0/0] quit
[*DeviceA] interface gigabitethernet 3/0/0
[*DeviceA-GigabitEthernet3/0/0] undo shutdown
[*DeviceA-GigabitEthernet3/0/0] ip binding vpn-instance vrf1
[*DeviceA-GigabitEthernet3/0/0] ip-address 10.3.1.1 255.255.255.0
[*DeviceA-GigabitEthernet3/0/0] quit
[*DeviceA] commit

Step 3 Configure a default VPN instance used by the NMS to manage the device.
[~DeviceA] set net-manager vpn-instance vrf1
[*DeviceA] commit

NOTE

The VPN configured using this command affects the following service modules on the
device: TFTP client, FTP client, SFTP client, SCP client, Info Center, SNMP, PM, IP FPM, and
TACACS. To access the public network, you must set the public-net parameter.

Step 4 Configure an HWTACACS server.

# Enable the HWTACACS function and configure an HWTACACS server template
named ht.
[~DeviceA] hwtacacs enable
[*DeviceA] hwtacacs-server template ht

# Configure an IP address and port number for the primary HWTACACS
authentication and authorization server.
[*DeviceA-hwtacacs-ht] hwtacacs-server authentication 10.2.1.1 49
[*DeviceA-hwtacacs-ht] hwtacacs-server authorization 10.2.1.1 49

# Configure a key for the HWTACACS server.
[*DeviceA-hwtacacs-ht] hwtacacs-server shared-key cipher it-is-my-secret123
[*DeviceA-hwtacacs-ht] commit
[~DeviceA-hwtacacs-ht] quit

# Enter the AAA view.
[~DeviceA] aaa

# Configure an authentication scheme named scheme1 and set the
authentication mode to HWTACACS authentication.
[~DeviceA-aaa] authentication-scheme scheme1
[*DeviceA-aaa-authen-scheme1] authentication-mode hwtacacs
[*DeviceA-aaa-authen-scheme1] commit
[~DeviceA-aaa-authen-scheme1] quit

# Configure an authorization scheme named scheme2 and set the authorization
mode to HWTACACS authorization.
[~DeviceA-aaa] authorization-scheme scheme2
[*DeviceA-aaa-author-scheme2] authorization-mode hwtacacs
[*DeviceA-aaa-author-scheme2] commit
[~DeviceA-aaa-author-scheme2] quit

# Configure the huawei domain. Use the scheme1 authentication scheme,
scheme2 authorization scheme, and ht template in the domain.
[~DeviceA-aaa] domain huawei
[*DeviceA-aaa-domain-huawei] authentication-scheme scheme1
[*DeviceA-aaa-domain-huawei] authorization-scheme scheme2
[*DeviceA-aaa-domain-huawei] hwtacacs-server ht
[*DeviceA-aaa-domain-huawei] commit
[~DeviceA-aaa-domain-huawei] quit

Step 5 Create a local AAA user named sshuser001. Set the access mode to SSH and
authentication mode to HWTACACS.
# Configure a local user named sshuser001 in the huawei domain. After the
configuration is complete, the sshuser001 user uses the authentication and
authorization modes in the huawei domain.
[~DeviceA-aaa] local-user sshuser001@huawei password
Please configure the password (8-128)
Enter Password:
Confirm Password:
[*DeviceA-aaa] local-user sshuser001@huawei service-type ssh
[*DeviceA-aaa] commit
[~DeviceA-aaa] quit

Step 6 Configure authentication and service modes for the SSH user.
[~DeviceA] ssh authentication-type default password
[*DeviceA] ssh user sshuser001 service-type stelnet snetconf
[*DeviceA] commit

Step 7 Enable STelnet on the SSH server.
[~DeviceA] stelnet server enable
[*DeviceA] ssh server-source -i gigabitethernet 3/0/0
[*DeviceA] commit

Step 8 Configure an SNMPv3 USM user to allow the NMS to access the device.
# Enable the SNMP agent function.
[~DeviceA] snmp-agent
[*DeviceA] commit

# Set the SNMP version to SNMPv3.
[~DeviceA] snmp-agent sys-info version v3
[*DeviceA] commit

# Configure a MIB view.
[~DeviceA] snmp-agent mib-view included iso iso
[*DeviceA] commit

# Configure a user group and users in the group, and authenticate and encrypt
user data.
[~DeviceA] snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
[*DeviceA] snmp-agent usm-user v3 nms-admin group admin
[*DeviceA] snmp-agent usm-user v3 nms-admin authentication-mode sha
Please configure the authentication password (10-255)
Enter Password:
Confirm Password:
[*DeviceA] snmp-agent usm-user v3 nms-admin privacy-mode aes128
Please configure the privacy password (10-255)
Enter Password:
Confirm Password:
[*DeviceA] commit

# Configure the alarm function.
[~DeviceA] snmp-agent target-host trap address udp-domain 10.1.1.1 vpn-instance vrf1 params
securityname nms-admin v3 privacy
[*DeviceA] snmp-agent trap enable
[*DeviceA] commit

Step 9 Enable the device functioning as an SFTP client to transfer files with the NMS
functioning as an SFTP server over the VPN.
For details about how to configure the NMS to function as an SFTP server, see the
NMS server configuration guide. The user name and password used for file
transfer between the device and NMS must be the same as those configured on
the SFTP server. With first-time authentication enabled, the SSH client does not
verify the SFTP server's host key on the first connection and saves that key for
subsequent connections, so the first transfer should be made over a path you
trust.
[~DeviceA] ssh client first-time enable
[*DeviceA] commit
[~DeviceA] sftp client-transfile get -a 10.1.1.2 host-ip 10.1.1.1 username sshuser002 password YsHsjx_202206 sourcefile aaa.txt

Step 10 Verify the configuration.
After completing the configuration, perform the following operations to check
whether the configuration takes effect.
# Display the SNMP version.
<DeviceA> display snmp-agent sys-info version
The contact person for this managed node:
R&D Beijing, Huawei Technologies co.,Ltd.
The physical location of this node:
Beijing China
SNMP version running in the system:
SNMPv3

# Display SNMPv3 USM user information.
<DeviceA> display snmp-agent usm-user
User name: nms-admin,
Engine ID: 800007DB0300259E0370C3 active
Authentication Protocol: sha
Privacy Protocol: aes128
Group-name: admin
State: Active

----End
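The Engine ID in the display snmp-agent usm-user output above is a structured value (RFC 3411, SnmpEngineID): a 4-octet enterprise number with its top bit set, a format octet, and a format-specific body. The following Python script is an added example, not Huawei's code: it decodes such an ID into enterprise number, format and body, so that the engine ID reported by the device can be checked against what the NMS has learned for it. Its enterprise-number table holds only the value needed here (2011, Huawei). The two engine IDs printed in this section, one in the display output and one in the local-engineid line of the configuration file below, are used as inputs; they decode to different MAC addresses, which is the kind of discrepancy this check exists to surface. The IPv4 and text inputs in the test are constructed.

```python
"""Decode an SNMPv3 engine ID (RFC 3411 SnmpEngineID) as printed by the device.

Added example, not Huawei's code. The vendor table is deliberately minimal.
"""
import ipaddress

PEN_NAMES = {2011: "Huawei Technologies"}  # IANA Private Enterprise Numbers (subset)
FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def decode_engine_id(hex_id):
    """Return the parts of an engine ID given as a hex string (case-insensitive)."""
    raw = bytes.fromhex(hex_id)
    if not 5 <= len(raw) <= 32:
        raise ValueError("an engine ID is 5 to 32 octets long")

    enterprise = int.from_bytes(raw[:4], "big")
    if not raw[0] & 0x80:
        # Top bit clear: the older 12-octet RFC 1910 layout, body is enterprise-defined.
        return {"scheme": "rfc1910", "enterprise": enterprise,
                "vendor": PEN_NAMES.get(enterprise, "unknown"),
                "format": None, "value": raw[4:].hex()}

    enterprise &= 0x7FFFFFFF          # drop the "new format" flag bit
    fmt = raw[4]
    body = raw[5:]
    if fmt == 1 and len(body) == 4:
        value = str(ipaddress.IPv4Address(body))
    elif fmt == 2 and len(body) == 16:
        value = str(ipaddress.IPv6Address(body))
    elif fmt == 3 and len(body) == 6:
        value = ":".join(f"{b:02x}" for b in body)
    elif fmt == 4:
        value = body.decode("ascii", errors="replace")
    elif fmt == 5 or 128 <= fmt <= 255:
        value = body.hex()            # opaque octets or an enterprise-specific layout
    else:
        raise ValueError(f"format {fmt} with a {len(body)}-octet body is not well-formed")

    return {"scheme": "rfc3411", "enterprise": enterprise,
            "vendor": PEN_NAMES.get(enterprise, "unknown"),
            "format": FORMATS.get(fmt, "enterprise-specific"), "value": value}


if __name__ == "__main__":
    # Both IDs appear on this page: display output vs. configuration file.
    for engine_id in ("800007DB0300259E0370C3", "800007DB0300313D6A1FA0"):
        print(engine_id, decode_engine_id(engine_id))
```

Because SNMPv3 authentication keys are localized with the authoritative engine ID, an NMS that caches a stale or mistyped engine ID fails authentication against the device even when the user name and password are right; decoding the value into its parts makes such a mismatch obvious at a glance.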

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
hwtacacs enable
#
ip vpn-instance vrf1
ipv4-family
route-distinguisher 22:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
hwtacacs-server template ht
hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
hwtacacs-server authorization 10.2.1.1 vpn-instance vrf1
hwtacacs-server shared-key cipher %^%#x@ZaCImt|
X79[^A&]DEYC6[>U]OD(8n&BVHvsu2R{=zVSySB'|H[;I`|ef#%^%#
#
aaa
local-user sshuser001@huawei password irreversible-cipher $1c$\h[;D"`M79$GN]A=y;*4EFG
%t>vIJI=rJvxWe/V%Xbd;(J+AzC+$
local-user sshuser001@huawei service-type ssh
#
authentication-scheme scheme1
authentication-mode hwtacacs
#
authorization-scheme scheme2
authorization-mode hwtacacs
#
accounting-scheme default0
#
accounting-scheme default1
#
domain huawei
authentication-scheme scheme1
authorization-scheme scheme2
hwtacacs-server ht
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vrf1
ip-address 10.1.1.2 255.255.255.0
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vrf1
ip-address 10.2.1.2 255.255.255.0
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vrf1
ip-address 10.3.1.1 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 800007DB0300313D6A1FA0
#
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
snmp-agent target-host trap address udp-domain 10.1.1.1 vpn-instance vrf1 params securityname
nms-admin v3 privacy
#
snmp-agent mib-view included iso iso
snmp-agent usm-user v3 nms-admin group admin
snmp-agent usm-user v3 nms-admin authentication-mode sha %#%##/L&Fd]S.!i*S7<\jCh2DkfkE4+:<%Wap|8zZWwPL+[a>h$wy>VJsp9(L{%B%#%#
snmp-agent usm-user v3 nms-admin privacy-mode aes128 %#%#CM-]HDuhH6VX)**J<186nf({M823f(0Z73++7(A#%,1jODj}D>_HS>W,'Ss=%#%#
#
stelnet server enable
ssh server-source -i gigabitethernet 3/0/0
ssh user sshuser001
ssh authorization-type default aaa
#
ssh client first-time enable
#
return

1.1.6 File System Configuration


The file system can help you manage files and directories on a storage device.

1.1.6.1 Overview of File System Management


You can view, create, rename, or delete directories and copy, move, rename, or
delete files through the console port or through Telnet, STelnet, File Transfer Protocol
(FTP), Trivial File Transfer Protocol (TFTP), or SSH File Transfer Protocol (SFTP).
Files, such as system software and configuration files, are saved on a device's
storage component. You can use the file system to manage the files on the
storage component.
File system operations include directory and file operations.
You can perform any of the following operations to manage directories and files:
● Log in to a device through a console port or using Telnet or STelnet.
For details, see 1.1.5 User Login Configuration.
● Log in to a device using FTP.
● Log in to a device using TFTP.
● Log in to a device using SFTP.

FTP
When two hosts run different operating systems and use different file structures
and character sets, you can use File Transfer Protocol (FTP) to copy files from one
host to the other.
FTP has two file transfer modes:

● Binary mode: is used to transfer program files, such as .app, .bin, and .btm
files.
● ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
FTP is a standard application protocol in the TCP/IP protocol suite. It is
used to transfer files between local clients and remote servers. FTP uses two TCP
connections to copy a file from one system to another. The TCP connections are
usually established in client-server mode: one for control (the server port number
is 21) and the other for data transmission (in ACTIVE mode the server port number
is 20; in PASV mode the server listens on an ephemeral port that it announces to
the client over the control connection).
● Control connection
A control connection is set up between the FTP client and FTP server.
The control connection always waits for communication between the client
and server. Commands are sent from the client to the server over this
connection. The server responds to the client after receiving the commands.
● Data connection
The server provides the data connection from port 20 (in ACTIVE mode). The
server can set up or terminate a data connection.
FTP transfers files in stream mode, in which the end of each file (end of
file, EOF) is indicated by the sending side closing the data connection.
Therefore, a new data connection must be set up for each file transfer or
directory listing. When the client sends a file in stream mode to the server,
only the client, as the sender, terminates the data connection.
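The two-connection model above is easiest to see with the actual control-channel messages. The following Python is an added example for this guide, not Huawei code: it parses the 227 reply of PASV mode, builds the PORT command of ACTIVE mode, and replays a constructed control-channel transcript (server 10.1.1.2 is taken from this chapter's configuration file; the client address, ports, file name and reply strings are constructed from the RFC 959 formats, not captured from an NE9000).

```python
"""FTP control-channel helpers and a constructed transcript for both data modes.

Added example for this guide, not Huawei code. Addresses, ports and reply text
are constructed; only the reply/command formats follow RFC 959.
"""
import re
from typing import Dict, List, Tuple

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
FTP_CONTROL_PORT = 21
FTP_ACTIVE_DATA_PORT = 20


def parse_pasv(reply: str) -> Tuple[str, int]:
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, p1*256+p2)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def build_port(client_ip: str, client_port: int) -> str:
    """Build the PORT command a client sends in ACTIVE mode: PORT h1,h2,h3,h4,p1,p2."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    if not 0 < client_port <= 0xFFFF:
        raise ValueError("bad port")
    return "PORT " + ",".join(octets + [str(client_port // 256), str(client_port % 256)])


def data_connection(mode: str, client_ip: str, client_port: int, server_reply: str = "") -> Dict:
    """Who opens the data connection, from which port, to which endpoint."""
    if mode == "ACTIVE":
        # Server connects from port 20 to the address/port the client announced with PORT.
        return {"initiator": "server", "from_port": FTP_ACTIVE_DATA_PORT, "to": (client_ip, client_port)}
    if mode == "PASV":
        host, port = parse_pasv(server_reply)
        # Client connects to the ephemeral port the server announced in the 227 reply.
        return {"initiator": "client", "from_port": None, "to": (host, port)}
    raise ValueError(f"unknown mode {mode}")


def transcript(mode: str) -> List[Tuple[str, str]]:
    """Constructed control-channel exchange (TCP port 21) for one binary download."""
    client_ip, client_port = "10.1.1.1", 50010
    lines = [("C", "USER ftpuser"),            # user name crosses the wire in cleartext
             ("S", "331 Password required for ftpuser."),
             ("C", "PASS ********"),            # masked here only; FTP sends the password in cleartext
             ("S", "230 User logged in."),
             ("C", "TYPE I"),                   # binary mode, as used for .cc/.pat/.zip files
             ("S", "200 Type set to I.")]
    if mode == "ACTIVE":
        lines += [("C", build_port(client_ip, client_port)), ("S", "200 PORT command successful.")]
        dc = data_connection("ACTIVE", client_ip, client_port)
    else:
        reply = "227 Entering Passive Mode (10,1,1,2,195,89)"
        lines += [("C", "PASV"), ("S", reply)]
        dc = data_connection("PASV", client_ip, client_port, reply)
    lines += [("C", "RETR test.cc"),
              ("S", f"150 Opening BINARY mode data connection; data {dc['initiator']} -> {dc['to'][0]}:{dc['to'][1]}"),
              ("S", "226 Transfer complete.")]
    return lines


if __name__ == "__main__":
    for mode in ("ACTIVE", "PASV"):
        print(f"--- {mode} ---")
        for side, text in transcript(mode):
            print(side, text)
```

The transcript makes the plaintext-credential problem from Table 1-19 concrete: USER and PASS are ordinary lines on the control connection, which is why the section later recommends SFTP.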

TFTP
TFTP is an application protocol that runs over User Datagram Protocol (UDP).
It uses UDP port 69 to transfer files between local hosts and remote servers.
Unlike FTP, TFTP is simple and provides no authentication: any host that can
reach UDP port 69 on the server can issue read or write requests. TFTP applies
when no complex interaction is required between clients and the server.
TFTP supports the following transfer modes:
● Binary mode: used for program file transfers
● ASCII mode: used for text file transfers
NOTE
HUAWEI NetEngine9000 can function only as a TFTP client and transmit files in binary
mode.

TFTP transfer requests are initiated by clients:


● When a TFTP client needs to download files from the TFTP server, the client
sends a read request to the server. The server sends data packets to the client,
and the client acknowledges the data packets.
● When a TFTP client needs to upload a file to the TFTP server, the client sends
a write request and then data to the server, and receives acknowledgments
from the server.
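The read and write requests just described are the whole protocol, which is also why TFTP has no place for credentials. The following Python is an added example for this guide, not Huawei code: it builds and parses the RRQ/WRQ, DATA, ACK and ERROR packets of RFC 1350, splits a file the way a server does after a read request, and replays the download in binary ("octet") mode, the only mode the NE9000 client uses. The file name and contents are constructed test data.

```python
"""TFTP packet codec and a constructed read-request (download) exchange.

Added example for this guide, not Huawei code. File name and contents below
are constructed; packet layouts follow RFC 1350.
"""
import struct
from typing import Dict, List, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # default data block; a block shorter than this ends the transfer


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ layout: opcode | filename | 0 | mode | 0. There is no field for credentials."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    if mode not in ("octet", "netascii"):
        raise ValueError("mode must be octet (binary) or netascii (ASCII)")
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    if not 0 < block <= 0xFFFF or len(payload) > BLOCK_SIZE:
        raise ValueError("bad block number or payload larger than 512 bytes")
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def parse(packet: bytes) -> Dict:
    """Decode any of the five packet types into a dict."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        parts = packet[2:].split(b"\0")
        if len(parts) < 3:
            raise ValueError("malformed request")
        return {"op": opcode, "filename": parts[0].decode("ascii"), "mode": parts[1].decode("ascii").lower()}
    (block,) = struct.unpack("!H", packet[2:4])
    if opcode == DATA:
        data = packet[4:]
        return {"op": DATA, "block": block, "data": data, "last": len(data) < BLOCK_SIZE}
    if opcode == ACK:
        return {"op": ACK, "block": block}
    if opcode == ERROR:
        return {"op": ERROR, "code": block, "message": packet[4:].split(b"\0")[0].decode("ascii", "replace")}
    raise ValueError(f"unknown opcode {opcode}")


def server_data_packets(contents: bytes) -> List[bytes]:
    """Split a file into the DATA packets a server sends after an RRQ.
    A file whose length is an exact multiple of 512 needs a final empty DATA
    packet, otherwise the client cannot tell that the transfer has ended."""
    packets, block, offset = [], 1, 0
    while True:
        chunk = contents[offset:offset + BLOCK_SIZE]
        packets.append(build_data(block, chunk))
        offset += BLOCK_SIZE
        block += 1
        if len(chunk) < BLOCK_SIZE:
            return packets


def simulate_download(filename: str, contents: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Replay client RRQ -> server DATA -> client ACK until the short block arrives.
    Returns the transcript and the bytes the client reassembled."""
    transcript: List[Tuple[str, str]] = []
    req = parse(build_request(RRQ, filename))
    transcript.append(("client", f"RRQ {req['filename']} mode={req['mode']}"))
    received, expected = bytearray(), 1
    for raw in server_data_packets(contents):
        pkt = parse(raw)
        if pkt["block"] != expected:  # duplicate or out-of-order block: re-ACK the last good one
            transcript.append(("client", f"ACK {expected - 1} (unexpected block {pkt['block']})"))
            continue
        transcript.append(("server", f"DATA block={pkt['block']} len={len(pkt['data'])}"))
        received += pkt["data"]
        transcript.append(("client", f"ACK {parse(build_ack(pkt['block']))['block']}"))
        expected += 1
        if pkt["last"]:
            break
    return transcript, bytes(received)


if __name__ == "__main__":
    for side, text in simulate_download("test.cc", bytes(1024))[0]:
        print(side, text)
```

Note the 1024-byte case: the third DATA packet carries zero bytes and exists only to signal EOF, a detail that trips up hand-written TFTP clients.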

SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote
users to securely log in to a device to manage and transfer files. On the other

hand, users can use a device functioning as a client to log in to a remote server
and transfer files securely.
If the SFTP server fails, or the connection between the server and the client
fails, the client needs to detect the fault promptly and release the connection
proactively. To make this possible, configure the interval at which the client
sends Keepalive packets when it receives nothing from the server, and the
maximum number of times the server may fail to respond:
● If the client does not receive any packet within the specified interval, it
sends a Keepalive packet to the server.
● If the number of consecutive Keepalive packets left unanswered by the server
exceeds the specified maximum, the client proactively releases the connection.

Usage scenarios for file system management modes

Table 1-19 Usage scenarios for file system management modes

Console port, Telnet, or STelnet
You can log in to a device to manage directories and files. For details, see 1.1.5 User Login Configuration.

FTP
Advantages:
● Is based on TCP connections and therefore has all TCP characteristics.
● Supports authentication and authorization.
● Supports file transfer between hosts with different file systems.
Disadvantages:
● FTP commands are numerous and complicated.
● FTP requires more memory resources than TFTP.
● Data, and even user names and passwords, are transmitted in plaintext, bringing security risks.
Usage scenario: FTP can be used on networks that have delay, packet loss, and jitter. FTP is used for version upgrades and file transfer.

TFTP
Advantages:
● Is based on UDP.
● Requires fewer memory resources than FTP.
Disadvantages:
● TFTP supports only file transfer.
● TFTP does not allow users to list directories or negotiate with the server to determine which files can be obtained.
● TFTP provides no authentication or authorization and transmits data in plaintext. This adds security risks and renders the device vulnerable to attacks and network viruses.
Usage scenario: TFTP can be used to load and upgrade software on a local area network (LAN) in a laboratory where network conditions are good. TFTP applies when no complex interaction is required between clients and the server. For details, see 1.1.8.5 Using TFTP to Access Other Devices.

SFTP
Advantage: Provides strict encryption and integrity protection and has high security.
Disadvantages:
● Data transmission efficiency is lower.
● Third-party software must be installed on terminals to support SFTP.
Usage scenario: SFTP is applicable to networks that have high security requirements.
1.1.6.2 Configuration Precautions for File System Management

Feature Requirements

Table 1-20 Feature requirements (Series: NE9000; Models: NE9000)

● The file system does not support mutually exclusive file operations.
● A file whose size is greater than or equal to 4 GB is not supported. For example, the size of such a file cannot be correctly displayed in the dir command output.
● The available storage space of a file system is less than the maximum size of the physical storage. You can run the dir command to check the available space.
● The total length of the directory and file name in the file system cannot exceed 128 characters. The directory can contain 1 to 128 characters, and the file name can contain 1 to 128 characters. After a directory with the maximum length is created, files cannot be stored in the directory. After a file with the maximum length is created, files cannot be stored in subdirectories.
● The file name is case-sensitive.

1.1.6.3 Operating Files After Logging In to a Device


You can operate files after logging in to a device, including managing a storage
component, directories, and files.

Usage Scenario
When a device fails to save or obtain data, you can log in to the device to repair
the faulty storage component or manage files or directories on the device.

This file operation mode is used when a storage component needs to be managed.

Pre-configuration Tasks
Before logging in to a device to operate files, complete user login
configurations.

1.1.6.3.1 Managing Directories


You can manage directories to logically store files in hierarchy.

Context
Through directory management, you can create, delete, change, or view directories
and view files in directories and sub-directories.


Procedure
● Run cd directory
The current working directory is changed to the specified directory.
● Run pwd
The current working directory is displayed.
● Run dir [ /all ] [ filename ]
Information about all files or about a specified file is displayed.
Either an absolute or a relative path can be specified in this command.
The following table describes files displayed in the command output.

NOTE

Files displayed depend on the system software version and service configurations. The
following table lists only common files.
The wildcard "*" can be used in the command.

Table 1-21 Files displayed in the command output

$_checkpoint
File in which configuration rollback point information is saved.

**.cc
Software version file.

NextFwdTemplet.txt
Forwarding template that is generated after a forwarding mode is set.

device.sys
System hardware configuration file.

logfile
CF card 1 log file, which occupies independent storage space. If no CF card 2 is installed, log information is stored in cfcard:/logfile.

KPISTAT
Used to store collected KPI data.

said
Used to store information generated during fault detection, diagnosis, and rectification on the SAID node.

*.log
CF card 2 log file.
● log.log: a common log file that is smaller than a specified size.
● diag.log: a diagnostic log file that is smaller than a specified size.
● oper.log: an operation log file that is smaller than a specified size.
● security.log: a security log file that is smaller than a specified size.
● LocFail_*.log: a log file that is smaller than a specified size and contains diagnostic logs generated each time a board exception occurs.
To check information about logs, including event logs, run the display logbuffer command.

dropCauseLog
When a large number of packets are lost, the device records packet loss information, for example, the packet ID, slot of the board where packet loss occurs, packet loss direction, label, and IP address, for fault locating. The file name is DropCauseLog.log.

lost+found
File management module's file that is damaged and then restored during a device restart.

**.zip/**.cfg/**.dat
System configuration file. For details, see the save command.
After being compressed, log files are suffixed with .zip. Compressed log files are classified as follows:
● log_slot ID_time.log.zip: a common log file that is greater than or equal to a specified size.
● diaglog_slot ID_time.log.zip: a diagnostic log file that is greater than or equal to a specified size.
● diaglog_board ID_time.log.zip: a diagnostic log file that is greater than or equal to a specified size.
To set the size of a log file, run the info-center logfile size command.

*.pat / *.PAT
Patch file.

selftest
File containing information about the hardware self-test that runs when the system starts.

lpustat.dat
Log file containing logs generated when packets are discarded due to a forwarding engine fault. The device automatically records data about lost packets in this case and saves the data to the lpustat directory on the CF card of the main control board as a structured hexadecimal file named lpustat.dat. As the lpustat.dat file is stored in hexadecimal format, it cannot be directly opened for viewing. To view this file, ask Huawei engineers to convert it into an lpustat.csv file in which data is displayed by time, slot ID, module, chip, fault ID, and fault information. When the remaining space of the CF card is less than or equal to 110 MB, the device no longer records packet loss logs.

insegdroplog.log
Log file containing logs about packet loss during MPLS forwarding. The device automatically records packet loss data generated due to label table query failures that occur during label-based service forwarding. The device saves the data to the insegdroplog directory on the CF card of the main control board as a file named insegdroplog.log. When the insegdroplog.log file is greater than 8 MB, the device automatically compresses the file into an insegdroplog_timestamp.rar package and deletes the insegdroplog.log file. If new packet loss occurs, the device creates another insegdroplog.log file to record the data. The insegdroplog directory provides a maximum of 10 MB for log files. When the size of all log files in the directory exceeds 10 MB, the device deletes the earliest log files to store new ones.

● Run mkdir directory

A directory is created.
● Run rename source-filename destination-filename

The directory is renamed.


● Run rmdir directory

A specified directory is deleted.

----End

1.1.6.3.2 Managing Files


You can log in to the file system to view, delete, or rename files on a device.

Context
● Managing files includes displaying file content, copying, moving, renaming,
compressing, and deleting files, restoring deleted files, deleting files in
the recycle bin, running batch files, and configuring notification modes.
● To operate a file, run the cd directory command to switch the current
directory to the file's directory.


Procedure
● Run more file-name
The content of a specified file is displayed.
● Run copy source-filename destination-filename
A file is copied.
● Run move source-filename destination-filename
A file is moved.
● Run rename source-filename destination-filename
A file is renamed.
● Run zip source-filename destination-filename
A file is compressed.
● Run unzip source-filename destination-filename
A file is decompressed.
● Run delete [ /unreserved ] filename [ all ]
A file is deleted.
If you use the /unreserved parameter in the command, the file cannot be
restored after being deleted.
In VS mode, this command is supported only by the admin VS.
● Run undelete filename
The deleted file is restored.

NOTE

You can run the dir /all command to view information about all files, including the
files moved to the recycle bin, which are enclosed in square brackets ([]).
The files that are deleted using the delete command with /unreserved specified
cannot be restored.

In VS mode, this command is supported only by the admin VS.


● Run reset recycle-bin [ /f | filename ]
A file in the recycle bin is deleted.
You can permanently delete files in the recycle bin. The /f parameter indicates
that all files in the recycle bin are deleted without prompting for your
confirmation.
● Run tail file-name
The information in the last lines of a specified file is displayed.
● Run a batch or VRP Shell Languages (VSL) script file.
To perform multiple operations on a file at a time, create and run a batch file.
The created batch file must be saved in a device's storage component in
advance.
To run a batch file, perform the following steps:


a. Run system-view

The system view is displayed.


b. Run execute filename [ parameter &<1-8> ]

A batch or VSL script file is run.


● Configure a notification mode.

The system displays a notification or warning message when you operate a


device (especially operations leading to data loss). To change the notification
mode for file operations, perform the following steps:

a. Run system-view

The system view is displayed.


b. Run file prompt { alert | quiet }

A notification mode is configured.

NOTICE

If the notification mode is set to quiet, the system does not display a
warning message for data loss caused by misoperations.

c. Run commit

The configuration is committed.

----End

1.1.6.4 Using FTP to Operate Files


FTP is used to transfer files between local clients and remote servers.

Usage Scenario
As devices operate stably and are deployed on a large scale, more and more
devices need to be maintained and upgraded remotely. Online software upgrade, a
new upgrade method by loading software packages remotely, facilitates remote
online upgrades, reduces upgrade expenditures, shortens the time that customers
wait for upgrades, and improves customers' satisfaction. The delay, packet loss,
and jitter affect data transmission on networks. To ensure the quality of online
upgrade and data transmission, use FTP to perform online upgrades and transfer
files based on TCP connections.

NOTE

FTP transmits user names, passwords, and file data in plaintext and is therefore not secure. Use SFTP instead wherever possible.

Pre-configuration Tasks
Before using FTP to operate files, configure a reachable route between a terminal
and a device.


1.1.6.4.1 Configuring a Local FTP User


You can configure authentication information, authorization mode, and authorized
directory to prevent unauthorized FTP users from accessing a specified directory.

Context
To use FTP to operate files, configure a local user name and a password on a
device that functions as an FTP server, and specify a service type and an
authorized directory. If you do not perform these operations, you cannot use FTP
to access the device.

Perform the following steps on the device that functions as an FTP server:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run crypto password irreversible-algorithm hmac-sha256

The HMAC-SHA256 ciphertext password encryption algorithm is set.

Step 3 Run aaa

The AAA view is displayed.

Step 4 Run local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ]

A local user name and a password are set.

● If neither cipher nor irreversible-cipher is specified, the password is
entered interactively and the system does not display the characters you type.
When the user security policy is configured, the value is a string of 8 to 128
case-sensitive characters without spaces; the password cannot be the same as
the user name or the user name reversed, and it must contain all four of the
following character types: upper-case letters, lower-case letters, digits, and
special characters. When the user security policy is not configured, the value
is a string of 1 to 128 case-sensitive characters without spaces.
NOTE

Special characters do not include question marks (?) or spaces. A password
enclosed in double quotation marks may, however, contain spaces:
– If the password contains spaces, it must be enclosed in double quotation
marks and cannot itself contain double quotation marks.
– If the password contains no spaces, it may contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
● If cipher is specified, a password can be entered in either simple text or cipher
text.


If a password is entered in simple text, the password requirements are the
same as those when cipher is not specified. When you enter a password in
simple text, the system displays it on screen in simple text, which is a risk
(for example, it can be read by onlookers or recorded by terminal session logging).
A password configured with cipher is stored in the configuration file in
reversible cipher text regardless of whether it was entered in simple text or
cipher text; the device can recover the original password from it.
● If irreversible-cipher is specified, a password can be entered in either simple
text or irreversible cipher text.
If a password is entered in simple text, the password requirements are the
same as those when irreversible-cipher is not specified.
A password configured with irreversible-cipher is stored in the configuration
file as one-way (irreversible) cipher text, using the algorithm selected in
Step 2, regardless of whether it was entered in simple text or irreversible
cipher text. Because the original password cannot be recovered from the
configuration file, irreversible-cipher is the preferable option for local FTP users.
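The password rules in Step 4 are easy to get wrong when provisioning users with a script, so here is a checker that encodes them. This Python is an added example for this guide, not the device's own validator: it applies only the rules stated above (length, no question marks, spaces only inside double quotation marks, no double quotation marks inside a quoted password that contains spaces, not the user name or its reverse, all four character types) and treats any non-alphanumeric, non-space character as "special". The user name ftpuser in the usage is constructed.

```python
"""Check a candidate local-user password against the rules listed in Step 4.

Added example for this guide, not Huawei code; it reproduces the documented
rules only, not the device's implementation. The user name is constructed.
"""
from typing import List, Tuple


def unquote(raw: str) -> Tuple[str, bool]:
    """Strip one pair of enclosing double quotation marks; report whether they were present."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1], True
    return raw, False


def check_password(raw: str, username: str, policy_enabled: bool = True) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    pw, quoted = unquote(raw)
    problems: List[str] = []

    if "?" in pw:
        problems.append("question marks are not allowed")
    if " " in pw:
        if not quoted:
            problems.append("spaces are allowed only when the password is enclosed in double quotation marks")
        elif '"' in pw:
            problems.append("a quoted password that contains spaces must not contain double quotation marks")

    # 8-128 characters with the user security policy, 1-128 without it.
    low, high = (8, 128) if policy_enabled else (1, 128)
    if not low <= len(pw) <= high:
        problems.append(f"length must be {low} to {high} characters")

    if policy_enabled:
        if pw == username or pw == username[::-1]:
            problems.append("password must not be the user name or its reverse")
        # "Special" here means neither alphanumeric nor whitespace (assumption).
        classes = {
            "upper-case": any(c.isupper() for c in pw),
            "lower-case": any(c.islower() for c in pw),
            "digit": any(c.isdigit() for c in pw),
            "special": any(not c.isalnum() and not c.isspace() for c in pw),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("missing character types: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for candidate in ('"Aa123"45""', '"Aa 123"45""', "resuptf", "Password1!"):
        print(candidate, "->", check_password(candidate, "ftpuser") or "OK")
```

The two quoted candidates are the valid and invalid examples from the NOTE above; running the checker on them shows why the second fails (spaces and double quotation marks in the same quoted password).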
Step 5 Run local-user user-name service-type ftp
The service type is set to FTP for the local user.
Step 6 Run local-user user-name ftp-directory directory
An authorized FTP directory is configured for the local user.

NOTE

FTP users are classified as local AAA authentication users or remote authentication
(RADIUS and HWTACACS) users.
● The local-user ftp-directory command must be run to specify the FTP working
directory for local authentication users. Otherwise, local authentication users cannot use
FTP to access the device.
● The FTP working directory for remote authentication users can be specified using the
HWTACACS server. The set default ftp-directory command can be used to specify the
default FTP working directory for remote authentication users.
● A user group or user level needs to be configured on the AAA server for remote
authentication users. For details about the configuration, see the configuration guide
provided by the associated vendor.

Step 7 Run local-user user-name level level


A level is set for the local user.
To access the FTP server, you must set the level of the local user to Level 3 or
higher.
Step 8 Run commit
The configuration is committed.

----End

1.1.6.4.2 (Optional) Specifying a Listening Port Number for the FTP Server
After a non-default listening port number is specified for the FTP server, only
users who know the new port number can connect to the server, which reduces its exposure.

Context
Users can log in to a device functioning as an FTP server by using the
default listening port number (TCP port 21). Attackers may also target the
default listening port, consuming bandwidth, degrading server performance, and
preventing authorized users from accessing the server. Specifying a non-default
listening port number for the FTP server reduces its exposure to opportunistic
scans and automated attacks aimed at port 21. Note, however, that a port scan
will still find the new port, so treat a non-default port as a supplement to,
not a substitute for, FTP access control (1.1.6.4.6) and the IP address locking
function (1.1.6.4.7).

NOTE

Ensure that the FTP server function is disabled before specifying a listening port number.

Perform the following steps on the device that functions as an FTP server:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ftp [ ipv6 ] server port port-number
A listening port number is specified for the FTP server.
If a new listening port number is set, the FTP server terminates all established FTP
connections and uses the new port number to listen to new FTP connection
attempts.
Step 3 Run commit
The configuration is committed.

----End

1.1.6.4.3 Enabling the FTP Server Function


Before using FTP to operate files, enable the FTP server function on a device.

Context
Perform the following steps on the device to be used as an FTP server:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ftp [ ipv6 ] server enable
The FTP server function is enabled.

NOTE

After files are successfully transferred between the client and server, run the undo ftp
[ ipv6 ] server command to disable the FTP server function for security purposes.

Step 3 Run commit


The configuration is committed.

----End


1.1.6.4.4 Configuring FTP Server Parameters


Configuring proper parameters for the FTP server ensures device security and
maximizes resource usage efficiency.

Context
FTP server parameters can be configured as follows:

● Specifying the source address or source interface of the FTP server restricts
the destination address accessed by clients, ensuring security.
● You can configure the maximum number of FTP connections to the server. If
the maximum number of FTP connections is less than or equal to the existing
FTP connections, the system retains the existing FTP connections but rejects
new connection requests.
● You can configure the timeout period of an idle FTP connection. If no
messages are exchanged between the client and the FTP server within the
specified timeout period, the connection between them is terminated and FTP
connection resources are reclaimed.

Perform the following steps on the device to be used as an FTP server:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 To configure the source address or source interface of the FTP server, perform one
of the following operations as required:
● Run the ftp server-source { -a ip-address | -i { interface-type interface-number
| interface-name } } command to configure a source IP address or source
interface for the FTP server.
After the source IP address is configured, the address specified in the ftp
command for login to the FTP server must be the configured source IP
address. Otherwise, the login fails.
● Run the ftp server-source all-interface command to allow any interface
having an IPv4 address configured to be used as the source interface of an
FTP server.
NOTE

After this command is run, the FTP server will receive login connection requests from
all interfaces, which increases system security risks. Therefore, running this command
is not recommended.
● Run the ftp ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command to configure a source IPv6 address for the FTP server.
● Run the ftp ipv6 server-source all-interface command to allow any interface
having an IPv6 address configured to be used as the source interface of an
FTP server.


NOTE

After this command is run, the FTP server will receive login connection requests from
all interfaces with an IPv6 address configured, which increases system security risks.
Therefore, running this command is not recommended.
● Run the ftp server-source physic-isolate -i { interface-type interface-number | interface-name } -a ip-address command to specify a source IPv4 interface for the FTP server and set the interface isolation attribute for the FTP server.
● Run the ftp ipv6 server-source physic-isolate -i { interface-type interface-number | interface-name } -a ipv6-address command to specify a source IPv6 interface for the FTP server and set the interface isolation attribute for the FTP server.
NOTE

After the interface isolation attribute is set successfully, packets can be sent to the
server only through the specified physical interface, and those sent through other
interfaces are discarded.

Step 3 (Optional) Run ftp server max-sessions max-sessions-num


The maximum number of FTP connections to the server is set.
Step 4 (Optional) Run ftp [ ipv6 ] timeout minutes
A timeout period of an idle FTP connection is configured.
Step 5 Run commit
The configuration is committed.

----End

1.1.6.4.5 (Optional) Configuring CAR for Whitelisted FTP Sessions


You can configure CAR for whitelisted FTP sessions to limit the rate at which
packets of the whitelisted FTP sessions are sent to the FTP server. This
configuration prevents non-whitelisted FTP sessions from preempting bandwidth if
the FTP server encounters a traffic burst.

Context
When packets sent to the FTP server form a traffic burst, sessions may preempt
bandwidth. To resolve this problem, you can configure CAR for whitelisted FTP
sessions. This configuration isolates bandwidth resources between sessions. If the
default CAR parameters for whitelisted FTP sessions do not meet service
requirements, you can adjust them as required.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run whitelist session-car ftp-server { cir cir-value | cbs cbs-value | pir pir-value |
pbs pbs-value }*
CAR parameters are configured for whitelisted FTP sessions.


Step 3 (Optional) Run whitelist session-car ftp-server disable


CAR for whitelisted FTP sessions is disabled.
Step 4 Run commit
The configuration is committed.
----End

1.1.6.4.6 (Optional) Configuring FTP Access Control


An ACL can be configured to allow only specified clients to access an FTP server.

Context
When a device functions as an FTP server, you can configure an ACL to allow only
the clients that meet the rules specified in the ACL to access the FTP server.
Perform the following steps on the device that functions as an FTP server:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl acl-number
The ACL view is displayed.
Step 3 Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *
A rule is configured.
Step 4 Run quit
Return to the system view.
Step 5 Run ftp [ ipv6 ] acl { acl-number | name }
An FTP ACL is configured.
Step 6 Run commit
The configuration is committed.
----End
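Before applying an ACL with ftp acl, it is worth checking which clients it will actually admit, because the wildcard mask in a rule is the inverse of a netmask (set bits are "don't care"). The following Python is an added example for this guide, not Huawei code: it parses rule lines in the source-address subset of the syntax shown in Step 3, evaluates them in ascending rule-ID order (the matching order assumed here), and reports which rule decided each client. The ACL contents and client addresses are constructed, and the action for a client that matches no rule is a parameter because this section does not state the device's default.

```python
"""Evaluate basic ACL rules (source address + wildcard mask) for FTP access control.

Added example for this guide, not Huawei code. Rule set, client addresses and the
no-match default are constructed/assumed; only the rule syntax follows Step 3.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    source: str = "any"          # "any" or a dotted IPv4 address
    wildcard: str = "0"          # wildcard mask: 1 bits are "don't care"; "0" means an exact host

    def matches(self, client_ip: str) -> bool:
        if self.source == "any":
            return True
        src = int(ipaddress.IPv4Address(self.source))
        wc = 0 if self.wildcard == "0" else int(ipaddress.IPv4Address(self.wildcard))
        care = ~wc & 0xFFFFFFFF  # bits that must be equal
        return (int(ipaddress.IPv4Address(client_ip)) & care) == (src & care)


def parse_rule(line: str) -> Rule:
    """'rule 5 permit source 10.1.1.0 0.0.0.255' -> Rule(...); 'rule 10 deny' matches everything."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    rule_id, action = int(tok[1]), tok[2]
    if len(tok) == 3:
        return Rule(rule_id, action)
    if tok[3] != "source" or len(tok) < 5:
        raise ValueError(f"only 'source' matching is supported here: {line!r}")
    if tok[4] == "any":
        return Rule(rule_id, action, "any")
    if len(tok) < 6:
        raise ValueError("a source address needs a wildcard mask or 0")
    return Rule(rule_id, action, tok[4], tok[5])


def evaluate(rules: List[Rule], client_ip: str, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule in ascending rule-ID order wins; (default, None) if nothing matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(client_ip):
            return rule.action, rule.rule_id
    return default, None


# Constructed ACL for "ftp acl 2001": one NMS subnet plus one jump host; everything else denied.
ACL_2001 = [parse_rule(line) for line in (
    "rule 5 permit source 10.1.1.0 0.0.0.255",
    "rule 10 permit source 10.2.1.1 0",
    "rule 15 deny source any",
)]


if __name__ == "__main__":
    for client in ("10.1.1.77", "10.2.1.1", "10.2.1.2", "192.0.2.9"):
        print(client, "->", evaluate(ACL_2001, client))
```

Always finish the ACL with an explicit deny rule, as ACL_2001 does, so that the result does not depend on the device's no-match behaviour.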

1.1.6.4.7 (Optional) Configuring the IP Address Locking Function


To improve device security and protect user passwords against attacks, configure
the FTP-based IP address locking function.

Context
After a user fails to log in to a device using FTP, the number of FTP login failures is
recorded for the IP address. If the number of login failures within a specified


period reaches the threshold, the IP address is locked, and all users who log in
through this IP address cannot set up an FTP connection with this device.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run undo ftp server ip-block disable

The client IP address locking function is enabled on the device that functions as an
FTP server.

Step 3 Run ftp server ip-block failed-times failed-times period period

The maximum number of consecutive authentication failures and an


authentication period are configured for client IP address locking.

Step 4 Run ftp server ip-block reactive reactive-period

The period after which the system automatically unlocks a locked IP address is specified.

Step 5 Run commit

The configuration is committed.

Step 6 Run quit

The user view is displayed.

Step 7 Run activate ftp server ip-block ip-address ip-address [ vpn-instance vpn-name ]

The IP address of a user that fails the authentication is unlocked.

----End
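The three parameters of this procedure (failed-times, period, reactive) define a lockout policy whose edge cases are worth seeing against a sequence of login attempts. The following Python is an added example for this guide, not Huawei code: it simulates the policy as a sliding window of consecutive failures per client IP, automatic unlock after the reactive period, and the manual unlock of Step 7. The device's exact counting semantics and default values are not stated in this section, so the window, the thresholds, and the login events are assumptions and constructed data.

```python
"""Simulate FTP client IP address locking: lock an address after failed_times
consecutive failures within period, unlock after reactive, or unlock manually.

Added example for this guide, not Huawei code. Counting semantics, thresholds and
the login events are assumptions/constructed; timestamps are seconds.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class FtpIpBlock:
    def __init__(self, failed_times: int = 3, period_min: int = 5, reactive_min: int = 5, enabled: bool = True):
        self.failed_times = failed_times
        self.period = period_min * 60
        self.reactive = reactive_min * 60
        self.enabled = enabled
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)  # ip -> failure timestamps in window
        self._locked_until: Dict[str, int] = {}

    def is_locked(self, ip: str, now: int) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:          # reactive period elapsed: automatic unlock
            self.activate(ip)
            return False
        return True

    def activate(self, ip: str) -> None:
        """Manual unlock, as 'activate ftp server ip-block ip-address <ip>' does (assumed semantics)."""
        self._locked_until.pop(ip, None)
        self._failures.pop(ip, None)

    def login(self, ip: str, now: int, success: bool) -> str:
        """Outcome for one FTP login attempt: 'locked', 'ok', 'failed' or 'locked-now'."""
        if self.enabled and self.is_locked(ip, now):
            return "locked"                   # rejected before the credentials are even checked
        if success:
            self._failures.pop(ip, None)      # a success resets the consecutive-failure count
            return "ok"
        if not self.enabled:
            return "failed"
        window = self._failures[ip]
        window.append(now)
        while window and now - window[0] > self.period:   # drop failures older than the period
            window.popleft()
        if len(window) >= self.failed_times:
            self._locked_until[ip] = now + self.reactive
            window.clear()
            return "locked-now"
        return "failed"


def replay(events: List[Tuple[int, str, bool]], **params) -> List[Tuple[int, str, str]]:
    """Run (timestamp, ip, success) events in time order through one FtpIpBlock."""
    guard = FtpIpBlock(**params)
    return [(t, ip, guard.login(ip, t, ok)) for t, ip, ok in sorted(events)]


# Constructed attempts: a password-guessing client and one legitimate operator.
EVENTS = [
    (0, "10.3.1.9", False), (10, "10.3.1.9", False), (20, "10.3.1.9", False),
    (30, "10.3.1.9", True),         # correct password, but the address is already locked
    (40, "10.1.1.1", True),         # another client is unaffected
    (20 + 300, "10.3.1.9", True),   # reactive period (5 min) elapsed: unlocked again
]


if __name__ == "__main__":
    for t, ip, outcome in replay(EVENTS, failed_times=3, period_min=5, reactive_min=5):
        print(f"t={t:4d} {ip:10s} {outcome}")
```

The fourth event is the important one: once the address is locked, even a correct password is refused until the reactive period expires or an administrator runs the Step 7 command, which is exactly what makes the lock effective against password guessing.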

1.1.6.4.8 Using FTP to Access a Device


After an FTP server is configured, you can access the server from a PC by using
FTP to manage files on the server.

Context
To log in to the FTP server from the PC, use either the Windows Command Prompt
or third-party software. Use the Windows Command Prompt as an example.

Perform the following steps on the PC:

Procedure
Step 1 Enter the Windows Command Prompt window.

Step 2 Run the ftp ip-address command to log in to the server by using FTP.

Enter the user name and password at the prompt, and press Enter. If the
command prompt of the FTP client view, ftp> for example, is displayed, you have
entered the working path of the FTP server.

----End

1.1.6.4.9 Using FTP Commands to Operate Files


After logging in to a device that functions as an FTP server by using FTP, you can
upload files to or download files from the device, and manage device directories.

Context
Table 1-22 describes FTP file attributes.

Table 1-22 FTP file attributes

FTP file type
  ● ASCII type: A file is transmitted in ASCII characters. In this type, the
    Enter key cannot be used to separate lines.
  ● Binary type

FTP data connection mode
  The following data connection modes can be set for the FTP server:
  ● ACTIVE mode: The server proactively connects clients during connection
    establishment.
  ● PASV mode: The server waits to be connected by clients during connection
    establishment.
  During connection establishment, the FTP client determines the data
  connection mode.

Procedure
Step 1 Perform either of the following steps on the client based on the type of the
server's IP address:
● Run the ftp [ [ -a source-ip-address | -i { interface-type interface-number | interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] | public-net ]
  command to configure the device to use an IPv4 address to establish a
  connection to the FTP server and enter the FTP client view.
● Run the ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number | interface-name } ] [ port-number ]
  command to configure the device to use an IPv6 address to establish a
  connection to the FTP server and enter the FTP client view.

Step 2 Perform one or more operations described in Table 1-23.


Table 1-23 File operations

Managing files

  Configuring the file type
    ● Run the ascii command to set the file type to ASCII.
    ● Run the binary command to set the file type to binary.
    The FTP file type is determined by the client. By default, the ASCII type
    is used.

  Configuring the data connection mode
    ● Run the passive command to set the data connection mode to PASV.
    ● Run the undo passive command to set the data connection mode to ACTIVE.

  Uploading files
    ● Run the put local-filename [ remote-filename ] command to upload a file
      from the local device to the remote server.
    ● Run the mput local-filenames command to upload files from the local
      device to a remote server.
    NOTE
    You can also run either of the following commands in the user view to
    upload the local file to the FTP server:
    – On an IPv4 network:
      Run the ftp client-transfile put [ -a source-ipv4 | -i { interface-type interface-number | interface-name } ] host-ip ipv4-address [ port port-number ] [ vpn-instance vpn-instance-name | public-net ] username user-name sourcefile local-filename [ destination remote-filename ] command.
    – On an IPv6 network:
      Run the ftp client-transfile put ipv6 [ -a source-ipv6 ] host-ip ipv6-address [ [ vpn-instance ipv6-vpn-name ] | public-net ] [ port port-number ] username username sourcefile local-filename [ destination remote-filename ] command.

  Downloading files
    ● Run the get remote-filename [ local-filename ] command to download a
      file from the remote server and save the file on the local device.
    ● Run the mget remote-filenames command to download files from a remote
      server and save the files on the local device.
    NOTE
    You can also run either of the following commands in the user view to
    download files from the FTP server to the local device:
    – On an IPv4 network:
      Run the ftp client-transfile get [ -a source-ipv4 | -i { interface-type interface-number | interface-name } ] host-ip ipv4-address [ port port-number ] [ vpn-instance vpn-instance-name | public-net ] username user-name sourcefile local-filename [ destination remote-filename ] command.
    – On an IPv6 network:
      Run the ftp client-transfile get ipv6 [ -a source-ipv6 ] host-ip ipv6-address [ [ vpn-instance ipv6-vpn-name ] | public-net ] [ port port-number ] username username sourcefile local-filename [ destination remote-filename ] command.

  Enabling the file transfer notification function
    ● If the prompt command is run in the FTP client view to enable the file
      transfer notification function, the system prompts you to confirm the
      upload or download operation before file upload or download.
    ● If the prompt command is run again in the FTP client view, the file
      transfer notification function is disabled.
    NOTE
    The prompt command applies when the mput or mget command is used to
    upload or download files. If the local device has the files to be
    downloaded by running the mget command, the system prompts you to replace
    the existing ones regardless of whether the file transfer notification
    function is enabled.

  Enabling the FTP verbose function
    Run the verbose command.
    After the verbose function is enabled, all FTP response information is
    displayed. After file transfer is complete, statistics about the
    transmission rate are displayed.

  Enabling the function of appending the local file contents to the file on
  the FTP server
    Run the append local-filename [ remote-filename ] command.
    If the file specified by remote-filename does not exist on the FTP server,
    the file is automatically created on the FTP server, and the local file
    contents are automatically appended to the end of the created file.

  Deleting files
    Run the delete remote-filename command.

Managing directories

  Changing the working path of a remote FTP server
    Run the cd pathname command.

  Changing the working path of an FTP server to the parent directory
    Run the cdup command.

  Displaying the working path of an FTP server
    Run the pwd command.

  Displaying files in a directory and the list of sub-directories
    Run the dir [ remote-directory [ local-filename ] ] command.
    If no path name is specified for a specified remote file, the system
    searches an authorized directory for a specified file.

  Displaying a specified remote directory or file on an FTP server
    Run the ls [ remote-directory [ local-filename ] ] command.

  Displaying or changing the working path of an FTP client
    Run the lcd [ directory ] command.
    The lcd [ directory ] command displays the local working path of the FTP
    client, whereas the pwd command displays the working path of the remote
    FTP server.

  Creating a directory on an FTP server
    Run the mkdir remote-directory command.
    The directory can be a combination of letters and digits and must not
    contain special characters, such as less than (<), greater than (>),
    question marks (?), backslashes (\), and colons (:).

  Deleting a directory from an FTP server
    Run the rmdir remote-directory command.

Displaying online help for an FTP command
  Run the remotehelp [ command ] command.

Changing an FTP user
  Run the user username [ password ] command.

Step 3 Perform either of the following operations as needed to end an FTP connection.
● Run the bye/quit command to end the connection to the FTP server and
return to the user view.
● Run the close/disconnect command to end both the connection to the FTP
server and the FTP session and remain in the FTP client view.
Step 4 Run the commit command to commit the configuration.
----End

1.1.6.4.10 Verifying the Configuration of Using FTP to Operate Files


After completing the configuration of using FTP to operate files, you can view the
configuration and status of the FTP server as well as information about logged-in
FTP users.

Prerequisites
The configurations of file operation by using FTP are complete.

Procedure
● Run the display ftp-server command to check the configuration and status of
the FTP server.
● Run the display ftp-users command to check information about logged-in
FTP users.
● After configuring whitelist session-CAR for FTP, you can verify the
configuration.
– For IPv4, run the display cpu-defend whitelist session-car ftp statistics
slot slot-id command to check statistics about whitelist session-CAR for
FTP on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist session-car
ftp statistics slot slot-id command to clear the existing statistics about
whitelist session-CAR for FTP on a specified interface board, and then run
the display cpu-defend whitelist session-car ftp statistics slot slot-id
command.
– For IPv6, run the display cpu-defend whitelist-v6 session-car ftpv6
statistics slot slot-id command to check statistics about whitelist session-
CAR for FTP on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist-v6 session-car
ftpv6 statistics slot slot-id command to clear the existing statistics about
whitelist session-CAR for FTP on a specified interface board, and then run
the display cpu-defend whitelist-v6 session-car ftpv6 statistics slot
slot-id command.
----End

1.1.6.5 Using SFTP to Operate Files


SFTP enables you to log in to a remote device securely to manage files. SFTP
improves data transmission security.

Usage Scenario
As the device deployment scale increases, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a new upgrade
method by loading software packages remotely, facilitates remote upgrades,
reduces upgrade costs, shortens the time that customers wait for upgrades, and
improves customers' satisfaction. FTP is usually used to transmit data for online
upgrades. FTP transmits data and even user names and passwords in plaintext,
bringing security risks.
SFTP resolves the security issue. It enables you to securely log in to a remote
device for file management, improving data transmission security. You can then
transfer files and perform online upgrades.

Pre-configuration Tasks
Before using SFTP to operate files, configure a reachable route between a terminal
and a device.

1.1.6.5.1 Configuring an SSH User and Specifying a Service Type


To allow users to log in to a device through SFTP, configure an SSH user, generate
a local key pair, configure a user authentication mode, and specify a service type
for the SSH user.

Context
SSH users can be authenticated in RSA, DSA, ECC, SM2, X509v3-SSH-RSA,
password, password-RSA, password-ECC, password-DSA, password-SM2, password-
X509v3-RSA, or All mode.
If the authentication mode of an SSH user is RSA, DSA, SM2, or ECC, a local RSA,
DSA, SM2, or ECC key pair must be generated on both the server and client. In
addition, the server needs to edit the public key of the client locally. After the
editing, the public key is bound to the local user.
Table 1-24 compares the RSA, DSA, SM2, X509v3-SSH-RSA, and ECC algorithms.

Table 1-24 RSA/DSA, SM2, X509v3-SSH-RSA, and ECC algorithms

RSA/DSA
  An asymmetric public key encryption algorithm, which improves encryption
  efficiency and simplifies key management. This algorithm allows the server
  to check whether the SSH user, public key, and digital signature are valid.
  User authentication succeeds only if all of them are the same as those
  configured on the server.

ECC
  An asymmetric encryption algorithm similar to RSA and DSA. Compared with
  the RSA and DSA algorithms, the ECC algorithm has the following advantages:
  ● Provides the same security with shorter key length.
  ● Features a shorter computing process and higher processing speed.
  ● Requires less storage space.
  ● Requires lower bandwidth.

SM2
  SM2 is an ECC-based asymmetric encryption algorithm.

x509v3-ssh-rsa
  The X509v3-SSH-RSA algorithm is based on a PKI certificate and features
  better scalability and higher security. A PKI certificate must be bound to
  a user and server.

Table 1-25 describes the application scenarios of various authentication modes.

Table 1-25 Application scenario of each authentication type

RSA authentication and DSA authentication
  RSA and DSA are public key encryption systems and asymmetric encryption
  algorithms. They can effectively improve the encryption efficiency and
  simplify key management. The server checks whether the SSH user, public
  key, and digital signature are valid. User authentication succeeds only if
  all of them are the same as those configured on the server.

ECC authentication
  Like RSA authentication, the server first checks the validity of the SSH
  user and whether the public key and the digital signature are valid. User
  authentication succeeds only if all of them are the same as those
  configured on the server. Compared with RSA authentication, ECC
  authentication has the following advantages:
  ● Provides the same security with shorter key length.
  ● Features a shorter computing process and higher processing speed.
  ● Requires less storage space.
  ● Requires lower bandwidth.

Password authentication
  On the server, the AAA module assigns each authorized user a password for
  login. The server has the mapping between user names and passwords. When a
  user requests to access the server, the server authenticates the username
  and password. If either of them fails to be authenticated, the access
  request of the user is denied.
  NOTE
  You are advised to select public key authentication instead of password
  authentication as the client identity authentication mode.

password-RSA, password-DSA, password-ECC, password-SM2, or
password-X509v3-RSA authentication
  The server authenticates the client by checking both the public key and
  the password, and the authentication succeeds only when both the public key
  and the password are consistent with those configured on the server.

SM2 authentication
  SM2 is a standard encryption algorithm. The server checks whether the SSH
  user, the public key assigned to the user, and the digital signature of the
  user are valid. User authentication succeeds only if all of them are the
  same as those configured on the server.

X509v3-SSH-RSA authentication
  X509v3-SSH-RSA authentication is a PKI certificate authentication mode,
  which features better scalability and higher security.

All authentication
  The SSH server authenticates a client by checking the public key or
  password. The client can be authenticated when either the public key or
  password meets the requirement.

NOTE

For security purposes, do not use the RSA algorithm whose modulus bit value is less than
2048 for the SSH user. You are advised to use the ECC authentication algorithm instead.
The user level depends on the authentication mode and configuration selected by the
access user.
● If password authentication is selected for SSH users, the SSH user level is the same as
that configured in the AAA view.
● If public key authentication or PKI certificate authentication is used for SSH users, and
the ssh authorization-type default { aaa | root } command has been run to
configure a user authorization mode, the SSH user level is determined by the level
configured in the authorization mode.
  – If the authorization mode is AAA, the user level is the one configured in the AAA
  view.
  – If the authorization type is root, the user level is the user level configured on the
  VTY interface.
● If public key authentication or PKI certificate authentication is used for SSH users but
the ssh authorization-type default { aaa | root } command has not been run to
configure a user authorization mode, the SSH user level is determined by the level
configured in the AAA view.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh user user-name
An SSH user is created.

If password, password-RSA, password-DSA, password-SM2, password-X509v3-RSA,
or password-ECC authentication is configured for the SSH user, create a local user
with the same name as the SSH user in the AAA view and set the local user's
access type to SSH. For configuration details, see Table 1-26.
If RSA, DSA, SM2, X509v3-SSH-RSA, or ECC authentication is configured for the
SSH user, and the default authorization mode AAA is configured for the SSH
connection, create a local user with the same name as the SSH user in the AAA
view and set the local user's access type to SSH. Otherwise, run the ssh
authorization-type default root command in the system view to set the
authorization mode of the SSH connection to Root.

Table 1-26 Configuring a local user

(Optional) Set the encryption mode of the local user password.
  Run the crypto password irreversible-algorithm hmac-sha256 command in the
  system view.

Enter the AAA view.
  Run the aaa command in the system view.

Configure the local username and password.
  Run the local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ] command.
  ● If cipher or irreversible-cipher is not specified, a password is entered
    in man-machine interaction mode and the system does not display the
    entered password.
    When the user security policy is configured, the value is a string of 8
    to 128 case-insensitive characters without spaces. When the user security
    policy is not configured, the value is a string of 1 to 128
    case-insensitive characters without spaces.
    When the user security policy is configured, the password cannot be the
    same as the user name or its reverse. The password must contain the
    following characters: upper-case character, lower-case character, digit,
    and special character.
    NOTE
    Special characters do not include question marks (?) or spaces. However,
    when double quotation marks are used around a password, spaces are
    allowed in the password.
    – Double quotation marks cannot contain double quotation marks if spaces
      are used in a password.
    – Double quotation marks can contain double quotation marks if no space
      is used in a password.
    For example, the password "Aa123"45"" is valid, but the password
    "Aa 123"45"" is invalid.
  ● If cipher is specified, a password can be entered in either simple text
    or cipher text.
    If a password is entered in simple text, the password requirements are
    the same as those when cipher is not specified. When you input a password
    in simple text, the system displays the password in simple text mode,
    which brings risks.
    A password is displayed in cipher text in the configuration file
    regardless of whether it is entered in simple text or cipher text.
  ● If irreversible-cipher is specified, a password can be entered in either
    simple text or irreversible cipher text.
    If a password is entered in simple text, the password requirements are
    the same as those when irreversible-cipher is not specified.
    A password is displayed in cipher text in the configuration file
    regardless of whether it is entered in simple text or irreversible cipher
    text.

Set the local user's access type to SSH.
  Run the local-user user-name service-type ssh command.

Exit the AAA view and return to the system view.
  Run the quit command.
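The password rules of Table 1-26 expressed as an added Python check, so that a value can be tested before it is typed into the local-user command. This is not Huawei code and the device's own validator may differ in details not stated on this page. The length and complexity rules for the user security policy, the user-name/reverse rule, the two double-quotation-mark rules and the worked pair "Aa123"45"" (valid) versus "Aa 123"45"" (invalid) are taken from the table; the assumption is that "special character" means any printable character that is neither a letter, a digit, a question mark nor a space, which is how the NOTE describes it.

```python
def _is_special(ch):
    """Assumption: a special character is any printable non-alphanumeric
    character other than '?' and the space, the two the NOTE excludes."""
    return ch.isprintable() and not ch.isalnum() and ch not in ("?", " ")


def check_local_user_password(password, username, security_policy=True):
    """Check a value typed for 'local-user <username> password' against the
    rules in Table 1-26. Returns (True, "ok") or (False, reason).
    ``password`` is the exact string entered, including any enclosing
    double quotation marks."""
    quoted = len(password) >= 2 and password[0] == '"' and password[-1] == '"'
    body = password[1:-1] if quoted else password   # the value the device stores

    if "?" in body:
        return False, "question marks are not permitted"
    if " " in body:
        if not quoted:
            return False, "spaces are only allowed inside double quotation marks"
        if '"' in body:
            return False, "a quoted password with spaces must not contain double quotation marks"

    min_len = 8 if security_policy else 1
    if not min_len <= len(body) <= 128:
        return False, "length must be %d to 128 characters" % min_len

    if security_policy:
        if body == username or body == username[::-1]:
            return False, "password must not equal the user name or its reverse"
        missing = []
        if not any(c.isupper() for c in body):
            missing.append("upper-case character")
        if not any(c.islower() for c in body):
            missing.append("lower-case character")
        if not any(c.isdigit() for c in body):
            missing.append("digit")
        if not any(_is_special(c) for c in body):
            missing.append("special character")
        if missing:
            return False, "missing: " + ", ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    # The two examples from the NOTE in Table 1-26 (user name constructed).
    for candidate in ('"Aa123"45""', '"Aa 123"45""'):
        print(candidate, check_local_user_password(candidate, "netadmin"))
```

Note that the check is applied to the value inside the quotation marks: the inner double quotation mark in "Aa123"45"" is what satisfies the special-character requirement, and it is only the combination of spaces and inner quotation marks that the rules forbid.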

Step 3 Perform any of the operations described in Table 1-27.

Table 1-27 Configuring an SSH user authentication mode

Configure password authentication.
  Run the ssh user user-name authentication-type password command.
  Remarks: If local or HWTACACS authentication is used and only a few users
  need to be authenticated, use password authentication.

Configure RSA authentication.
  1. Run the ssh user user-name authentication-type rsa command to configure
     RSA authentication.
  2. Run the rsa peer-public-key key-name encoding-type enc-type command to
     enter the RSA public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.
     NOTE
     Before editing the public key, you need to use the SSH client software
     to generate the RSA key pair on the SSH client. The following uses the
     PuTTYGen.exe software as an example. For the configuration procedure,
     see step 1 in Using STelnet to Log In to a Server. Copy all the public
     keys generated in step 1.c here.
     When editing the public key generated by PuTTY, set the encoding mode in
     step 2 to openssh. That is, run the rsa peer-public-key key-name
     encoding-type openssh command.
     Remarks:
     ● In the public key edit view, only hexadecimal strings complying with
       the public key format can be entered. Each string is randomly
       generated on an SSH client. For detailed operations, see the help
       document of SSH client software.
     ● After entering the public key edit view, you can send the RSA public
       key generated on the SSH client to the SSH server. Copy and paste the
       RSA public key to the device functioning as the SSH server.
  5. Run the public-key-code end command to exit the public key edit view.
  6. Run the peer-public-key end command to exit the public key view and
     return to the system view.
     Remarks:
     ● A public key can be generated only after a valid hex-data complying
       with the public key format is entered and the peer-public-key end
       command is run.
     ● If you run the peer-public-key end command after key-name specified
       in Step 2 is deleted in another view, the system displays a message,
       indicating that the key does not exist. The system then returns to
       the system view.
  7. Run the ssh user user-name assign rsa-key key-name command to allocate
     an RSA public key to the SSH user.

Configure DSA authentication.
  1. Run the ssh user user-name authentication-type dsa command to configure
     DSA authentication.
  2. Run the dsa peer-public-key key-name encoding-type enc-type command to
     enter the DSA public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.
     NOTE
     Before editing a public key, use the SSH client software to generate a
     DSA key pair on the SSH client. The following uses the PuTTYGen.exe
     software as an example to describe how to generate an RSA key pair. For
     the configuration procedure, see step 1 in 1.1.5.5.5 Using STelnet to
     Log In to a Server. Copy all the public keys generated in step 1.c here.
     When editing the public key generated by PuTTY, set the encoding mode in
     step 2 to openssh. That is, run the dsa peer-public-key key-name
     encoding-type openssh command.
     Remarks:
     ● In the public key edit view, only hexadecimal strings complying with
       the public key format can be entered. Each string is randomly
       generated on an SSH client. For detailed operations, see the help
       document of SSH client software.
     ● After entering the public key edit view, you can send the DSA public
       key generated on the SSH client to the SSH server. Copy and paste the
       DSA public key to the device functioning as the SSH server.
  5. Run the public-key-code end command to exit the public key edit view.
  6. Run the peer-public-key end command to exit the public key view and
     return to the system view.
     Remarks:
     ● A public key can be generated only after a valid hex-data complying
       with the public key format is entered and the peer-public-key end
       command is run.
     ● If you run the peer-public-key end command after key-name specified
       in Step 2 is deleted in another view, the system displays a message,
       indicating that the key does not exist. The system then returns to
       the system view.
  7. Run the ssh user user-name assign dsa-key key-name command to allocate
     a DSA public key to the SSH user.

Configure ECC authentication.
  1. Run the ssh user user-name authentication-type ecc command to configure
     ECC authentication.
  2. Run the ecc peer-public-key key-name [ encoding-type enc-type ] command
     to enter the ECC public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.
     NOTE
     Before editing a public key, use the SSH client software to generate an
     ECC key pair on the SSH client. The following uses the PuTTYGen.exe
     software as an example to describe how to generate an RSA key pair. For
     the configuration procedure, see step 1 in 1.1.5.5.5 Using STelnet to
     Log In to a Server. Copy all the public keys generated in step 1.c here.
     When editing the public key generated by PuTTY, set the encoding mode in
     step 2 to openssh. That is, run the ecc peer-public-key key-name
     encoding-type openssh command.
     Remarks:
     ● In the public key edit view, only hexadecimal strings complying with
       the public key format can be entered. Each string is randomly
       generated on an SSH client. For detailed operations, see the help
       document of SSH client software.
     ● After entering the public key edit view, you can send the ECC public
       key generated on the SSH client to the SSH server. Copy and paste the
       ECC public key to the device functioning as the SSH server.
  5. Run the public-key-code end command to exit the public key edit view.
  6. Run the peer-public-key end command to exit the public key view and
     return to the system view.
     Remarks:
     ● A public key can be generated only after a valid hex-data complying
       with the public key format is entered and the peer-public-key end
       command is run.
     ● If you run the peer-public-key end command after key-name specified
       in Step 2 is deleted in another view, the system displays a message,
       indicating that the key does not exist. The system then returns to
       the system view.
  7. Run the ssh user user-name assign ecc-key key-name command to allocate
     an ECC public key to the SSH user.

Configure SM2 authentication.
  1. Run the ssh server publickey sm2 command to enable the SSH server public
     key algorithm.
  2. Run the ssh user user-name authentication-type sm2 command to configure
     SM2 authentication.
  3. Run the sm2 peer-public-key key-name command to enter the SM2 public
     key view.
  4. Run the public-key-code begin command to enter the public key edit view.
  5. Enter hex-data to edit the public key.
     Remarks:
     ● In the public key edit view, only hexadecimal strings complying with
       the public key format can be entered. Each string is randomly
       generated on an SSH client. For detailed operations, see the help
       document of SSH client software.
     ● After entering the public key edit view, you can send the SM2 public
       key generated on the SSH client to the SSH server. Copy and paste the
       SM2 public key to the device functioning as the SSH server.
  6. Run the public-key-code end command to exit the public key edit view.
  7. Run the peer-public-key end command to exit the public key view and
     return to the system view.
     Remarks:
     ● A public key can be generated only after a valid hex-data complying
       with the public key format is entered and the peer-public-key end
       command is run.
     ● If you run the peer-public-key end command after key-name specified
       in Step 2 is deleted in another view, the system displays a message,
       indicating that the key does not exist. The system then returns to
       the system view.
  8. Run the ssh user user-name assign sm2-key key-name command to allocate
     an SM2 public key to the SSH user.

Configure X509v3-SSH-RSA authentication.
  1. Run the ssh user user-name authentication-type x509v3-rsa command to
     configure X509v3-SSH-RSA authentication for the specified SSH user.
  2. Run the ssh user user-name assign pki pki-name command to allocate a
     PKI certificate to the SSH user.
     Remarks: Currently, only the default certificate can be allocated to
     SSH users.

Step 4 Run ssh user username service-type { sftp | all }

The service type of the SSH user is configured.

Step 5 (Optional) Run ssh server rsa-key min-length min-length-val

The minimum length of the RSA public key is specified.

Step 6 (Optional) Run ssh user user-name cert-verify-san enable

SAN/CN verification is configured for the SSH user.

Step 7 Run commit

The configuration is committed.

----End


1.1.6.5.2 Enabling the SFTP Service


Before using SFTP to access a device, enable the SFTP service on the device.

Context
Perform the following steps on the device to be used as an SSH server:

NOTE

For security purposes, do not use RSA keys whose length is less than 2048 bits. You are
advised to use RSA_SHA2_256 and RSA_SHA2_512 instead.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run the ssh server publickey { dsa | ecc | rsa | sm2 | x509v3-ssh-rsa |
rsa-sha2-256 | rsa-sha2-512 | x509v3-rsa2048-sha256 } * command to configure
a public key encryption algorithm for the SSH server.
Step 3 (Optional) Configure the maximum number of key pairs. Perform any of the
following operations based on the user requirements for system performance:
● Run the rsa key-pair maximum max-keys command to configure the
maximum number of RSA key pairs that can be created.
● Run the dsa key-pair maximum max-keys command to configure the
maximum number of DSA key pairs that can be created.
● Run the ecc key-pair maximum max-keys command to configure the
maximum number of ECC key pairs that can be created.
Step 4 (Optional) Select either of the following methods to create a key pair for an SSH server.
● Method 1
– If the user requirements for system security are not high, run the rsa local-key-pair create command to configure a local RSA key pair or run the dsa local-key-pair create command to configure a local DSA key pair.
– If the user requirements for system security are high, run the ecc local-key-pair create command to configure a local ECC key pair.
● Method 2
– If the user requirements for system security are not high, run the rsa key-pair label label-name [ modulus modulus-bits ] command to configure a local RSA key pair or run the dsa key-pair label label-name [ modulus modulus-bits ] command to configure a local DSA key pair.
– If the user requirements for system security are high, run the ecc key-pair label label-name [ modulus modulus-bits ] command to configure a local ECC key pair or run the sm2 key-pair label label-name [ modulus modulus-bits ] command to configure a local SM2 key pair.
After keys are generated, run the ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key | sm2-host-key } key-name command to assign a key pair to an SSH server.

If the authentication mode is set to x509v3-ssh-rsa, run the ssh server assign
pki pki-name command to configure a PKI certificate for the SSH server.

Step 5 Perform any of the following operations based on the SFTP service type:
● Run the sftp server enable command to enable the SFTP service.
● Run the sftp ipv4 server enable command to enable the IPv4 SFTP service.
● Run the sftp ipv6 server enable command to enable the IPv6 SFTP service.
NOTE

SSH listens on port 22. Running this command enables the port to listen for IPv4 and IPv6 TCP packets.

Step 6 (Optional) Run ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc
| aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | blowfish_cbc | sm4_cbc } *

Encryption algorithms are configured for the SSH server.

NOTE

For security purposes, you are advised to use secure algorithms such as aes128_ctr,
aes256_ctr, aes192_ctr, aes128_gcm, and aes256_gcm.

Step 7 (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *

HMAC authentication algorithms are configured for the SSH server.

NOTE

For security purposes, you are advised to use secure algorithms such as sha2_256,
sha2_512, and sm3.

Step 8 (Optional) Run ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | dh_group16_sha512 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep | curve25519_sha256 } *

A key exchange algorithm list is configured for the SSH server.

NOTE

For security purposes, you are advised to use curve25519_sha256 as the key exchange
algorithm.

Step 9 (Optional) Run the ssh server dh-exchange min-len min-len command to configure the minimum key length supported during diffie-hellman-group-exchange key exchange with the SSH client.
NOTE

If the SSH client supports the diffie-hellman-group-exchange key exchange algorithm with a length greater than 1024 bits, you are advised to run the ssh server dh-exchange min-len command to set the minimum key length to 3072 bits to improve security.

Step 10 Run commit

The configuration is committed.

----End

Verifying the Configuration


● Perform any of the following operations to view information about the locally
generated key pair:
– Run the display rsa key-pair [ brief | label label-name ] command to
view the RSA key pair information.
– Run the display dsa key-pair [ brief | label label-name ] command to
view the DSA key pair information.
– Run the display ecc key-pair [ brief | label label-name ] command to
view the ECC key pair information.
– Run the display sm2 key-pair [ brief | label label-name ] command to
view the SM2 key pair information.
● After a local key pair is generated, perform any of the following operations to
view the public key information in the key pair:
– Run the display rsa local-key-pair public command to view the RSA
public key information.
– Run the display dsa local-key-pair public command to view the DSA
public key information.
– Run the display ecc local-key-pair public command to view the ECC
public key information.
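The algorithm NOTEs in Steps 6 to 9 above can be turned into an offline check. The following Python script is an added example, not Huawei code, and does not connect to a device: it takes the configured keyword lists of the ssh server cipher, hmac and key-exchange commands plus the rsa-key min-length and dh-exchange min-len values, and reports deprecated or non-recommended choices. The keyword lists come from the command syntax above; the split into deprecated (DES/3DES, RC4, Blowfish, MD5, SHA-1, 1024-bit group 1 DH, 96-bit truncated MACs) versus merely not recommended is the example's own classification and is labelled as such in the code.

```python
from dataclasses import dataclass

# Keyword lists copied from the ssh server cipher / hmac / key-exchange
# command syntax in Steps 6 to 8 above.
ALGORITHMS = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
               "aes128_ctr", "aes192_ctr", "aes256_ctr", "arcfour128", "arcfour256",
               "aes128_gcm", "aes256_gcm", "blowfish_cbc", "sm4_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_256_96",
             "sha2_512", "sm3"},
    "key-exchange": {"dh_group14_sha1", "dh_group1_sha1", "dh_group_exchange_sha1",
                     "dh_group_exchange_sha256", "dh_group16_sha512",
                     "ecdh_sha2_nistp256", "ecdh_sha2_nistp384",
                     "ecdh_sha2_nistp521", "sm2_kep", "curve25519_sha256"},
}

# Sets the NOTEs of Steps 6 to 8 advise using.
RECOMMENDED = {
    "cipher": {"aes128_ctr", "aes192_ctr", "aes256_ctr", "aes128_gcm", "aes256_gcm"},
    "hmac": {"sha2_256", "sha2_512", "sm3"},
    "key-exchange": {"curve25519_sha256"},
}

# Classification made by this example (not a statement of the guide): DES/3DES,
# RC4, Blowfish, MD5, SHA-1, 1024-bit DH group 1 and 96-bit truncated MACs are
# deprecated primitives and are reported as errors rather than warnings.
DEPRECATED = {
    "cipher": {"des_cbc", "3des_cbc", "arcfour128", "arcfour256", "blowfish_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
    "key-exchange": {"dh_group1_sha1", "dh_group14_sha1", "dh_group_exchange_sha1"},
}

# Lengths from the NOTE at the top of this section and the NOTE of Step 9.
RSA_MIN_BITS = 2048
DH_EXCHANGE_MIN_BITS = 3072


@dataclass(frozen=True)
class Finding:
    setting: str
    value: str
    severity: str   # "error" (deprecated or invalid) or "warning" (not recommended)
    reason: str


def audit_algorithm_list(setting, configured):
    """Check one configured keyword list (e.g. the arguments of ssh server cipher)."""
    findings = []
    for name in configured:
        if name not in ALGORITHMS[setting]:
            findings.append(Finding(setting, name, "error", "not a keyword of this command"))
        elif name in DEPRECATED[setting]:
            findings.append(Finding(setting, name, "error", "deprecated primitive"))
        elif name not in RECOMMENDED[setting]:
            findings.append(Finding(setting, name, "warning", "not in the recommended set"))
    return findings


def audit_key_lengths(rsa_min_length=None, dh_exchange_min_len=None):
    """Check ssh server rsa-key min-length and ssh server dh-exchange min-len."""
    findings = []
    if rsa_min_length is not None and rsa_min_length < RSA_MIN_BITS:
        findings.append(Finding("rsa-key min-length", str(rsa_min_length), "error",
                                f"RSA keys shorter than {RSA_MIN_BITS} bits are accepted"))
    if dh_exchange_min_len is not None and dh_exchange_min_len < DH_EXCHANGE_MIN_BITS:
        findings.append(Finding("dh-exchange min-len", str(dh_exchange_min_len), "warning",
                                f"below the advised {DH_EXCHANGE_MIN_BITS} bits"))
    return findings


def audit(config):
    """config maps a setting name ("cipher", "hmac", "key-exchange",
    "rsa-key min-length", "dh-exchange min-len") to its configured value.
    A setting that is absent is left to the device default and not audited."""
    findings = []
    for setting in ("cipher", "hmac", "key-exchange"):
        if setting in config:
            findings.extend(audit_algorithm_list(setting, config[setting]))
    findings.extend(audit_key_lengths(config.get("rsa-key min-length"),
                                      config.get("dh-exchange min-len")))
    return findings


if __name__ == "__main__":
    # Constructed sample mixing advised algorithms with legacy ones.
    sample = {
        "cipher": ["aes256_gcm", "3des_cbc"],
        "hmac": ["sha2_256", "md5"],
        "key-exchange": ["curve25519_sha256", "dh_group1_sha1", "ecdh_sha2_nistp256"],
        "rsa-key min-length": 1024,
        "dh-exchange min-len": 2048,
    }
    for f in audit(sample):
        print(f"{f.severity:<7} {f.setting}: {f.value} ({f.reason})")
```

Feed it the keyword lists as they appear in the running configuration; a setting you leave out is simply not audited, because the device default then applies and is not known to the script.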

1.1.6.5.3 Configuring SFTP Server Parameters


You can configure a device to support the SSH protocol of earlier versions,
configure or change the listening port number of an SFTP server, and set an
interval at which key pairs are updated.

Context
Table 1-28 describes SSH server parameters.

Table 1-28 SSH server parameters (SFTP server parameter: description)

● Listening port number of an SFTP server: If the standard port is used as the
listening port of the SFTP server, attackers may continuously access this port,
consuming a large amount of bandwidth and deteriorating server performance. As a
result, authorized users may fail to access the server. After the listening port
number of the SFTP server is changed, attackers do not know the new listening
port number, which prevents attackers from accessing the listening port and
improves security.
● Interval at which key pairs are updated: After an interval is set, key pairs
are updated at the configured interval to improve security.
● Timeout period for SSH authentication: If a user fails to log in when the
timeout period for SSH authentication expires, the system disconnects the
current connection to ensure system security.
● Maximum number of clients that can be connected to the server: If the
specified maximum number is less than the number of clients that are being
connected to the server, the logged-in users will not be forced offline, and the
server no longer accepts new connection requests.
● ACL for the SSH server: An ACL on the SSH server specifies the clients that can
access the SSH server running IPv6. This configuration prevents unauthorized
users from accessing the SSH server, ensuring data security.
● Keepalive feature: After this feature is enabled, the SSH server returns
keepalive responses to an SSH client to check whether the connection between
them is normal, facilitating fast fault detection.
● Timeout period for disconnecting an SFTP client from the SFTP server: If the
idle time of a connection exceeds a configured timeout period, the system
automatically ends the connection to prevent users who do not perform any
operations from occupying connection resources for a long time.
● Source interface of an SSH server: After the source interface is specified, the
system only allows SFTP users to log in to the SSH server through the source
interface. SFTP users logging in through other interfaces are denied.
● Bogus-list mode of SSH server authentication: Disabling the bogus-list mode of
SSH server authentication reduces the authentication duration for some SFTP
users to log in to the server in password authentication mode.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Perform one or more operations described in Table 1-29.

Table 1-29 Configurations of SFTP server parameters (item: operation)

● (Optional) Enable compatibility with earlier SSH versions: Run the ssh server
compatible-ssh1x enable command.
NOTE
If the SSH server is enabled to be compatible with earlier SSH versions, the
system prompts a security risk.
● (Optional) Configure a listening port number for the SFTP server: Run the ssh
server port port-number command. If a new listening port number is set, the SFTP
server terminates all established connections before using the new port number
to listen for connection requests.
● (Optional) Configure the interval at which key pairs are updated: Run the ssh
server rekey-interval hours command.
● (Optional) Configure the timeout period for SSH authentication: Run the ssh
server timeout seconds command.
● (Optional) Configure the maximum number of clients that can be connected to
the SSH server: Run the sftp max-sessions max-session-count command. If the
maximum number is changed to a value less than the number of login users, login
users' connections are retained but new access requests are rejected.
● (Optional) Configure an ACL for the SSH server: Run the ssh [ ipv6 ] server acl
{ acl-number | acl6-name } command.
● (Optional) Enable the keepalive feature on the SSH server: Run the ssh server
keepalive enable command.
● (Optional) Configure a timeout period for disconnecting an SFTP client from the
SFTP server: Run the sftp idle-timeout minutes [ seconds ] command. You can run
the sftp idle-timeout 0 0 command to disable the function of disconnecting the
client from the SFTP server in case of timeout.
● Specify the source interface or source address for the SSH server:
– Run the ssh server-source -i { interface-type interface-number |
interface-name } command to specify the source interface for the SSH server.
– Run the ssh server-source all-interface command to allow any interface on
the SSH server as its source interface.
– Run the ssh ipv6 server-source -a ipv6-address [ -vpn-instance
vpn-instance-name ] command to specify a source IPv6 address for the SSH server.
– Run the ssh ipv6 server-source all-interface command to allow any IPv6
interface on the SSH server as its source interface.
– Run the ssh server-source physic-isolate -i { interface-type
interface-number | interface-name } -a ip-address command to specify a source
IPv4 interface for the SSH server and set the interface isolation attribute for
the SSH server.
– Run the ssh ipv6 server-source physic-isolate -i { interface-type
interface-number | interface-name } -a ipv6-address command to specify a source
IPv6 interface for the SSH server and set the interface isolation attribute for
the SSH server.
NOTE
After the all-interface parameter is configured, users can log in to the SSH
server through all valid interfaces, which increases system security risks.
Therefore, you are advised to cancel this configuration.
After the interface isolation attribute is set successfully, packets can be sent
to the server only through the specified physical interface, and those sent
through other interfaces are discarded.
● (Optional) Configure the bogus-list mode of SSH server authentication: Run the
ssh server authentication method bogus-list disable command.

Step 3 Run commit

The configuration is committed.

----End
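The parameters in Table 1-28 and Table 1-29 can likewise be audited from a saved configuration. The following Python script is an added example, not part of the guide or of the device software. It assumes that the running configuration stores these settings in the same form as the commands in Table 1-29 (the FTP configuration file later in this chapter shows that pattern for ftp server enable); the two configuration fragments embedded in it are constructed for the example, and the severity assigned to each finding follows the descriptions in Table 1-28.

```python
import re

# Constructed sample fragments.  Assumption of this example: the running
# configuration stores the settings of Table 1-29 in command form.
WEAK_CONFIG = """\
#
sysname SSH Server
#
ssh server compatible-ssh1x enable
ssh server-source all-interface
sftp server enable
sftp idle-timeout 0 0
ssh server rekey-interval 24
#
return
"""

HARDENED_CONFIG = """\
#
sysname SSH Server
#
sftp server enable
ssh server-source -i LoopBack0
ssh server acl 2001
ssh server port 2222
ssh server rekey-interval 24
ssh server timeout 60
ssh server keepalive enable
sftp max-sessions 5
sftp idle-timeout 5 0
#
return
"""


def config_lines(text):
    """Return the non-empty, non-comment lines of a configuration fragment."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def check_ssh_server_config(text):
    """Return (severity, message) findings for the settings of Table 1-28/1-29.

    "error": a setting the guide says prompts a security risk;
    "warning": a protection that is disabled or absent;
    "info": a default the guide suggests changing.
    """
    lines = config_lines(text)
    present = set(lines)

    def has(pattern):
        return any(re.fullmatch(pattern, line) for line in lines)

    findings = []
    if "ssh server compatible-ssh1x enable" in present:
        findings.append(("error", "compatibility with earlier SSH versions is enabled"))
    if has(r"ssh (ipv6 )?server-source all-interface"):
        findings.append(("warning", "server-source all-interface lets users log in through every interface"))
    if "sftp idle-timeout 0 0" in present:
        findings.append(("warning", "sftp idle-timeout 0 0 disables idle disconnection"))
    if not has(r"ssh (ipv6 )?server acl \S+"):
        findings.append(("warning", "no ACL restricts which clients may reach the SSH server"))
    if not has(r"sftp max-sessions \d+"):
        findings.append(("info", "no explicit limit on concurrent SFTP clients"))
    if not has(r"ssh server port \d+"):
        findings.append(("info", "SSH server listens on the standard port"))
    if not has(r"ssh server rekey-interval \d+"):
        findings.append(("info", "no key pair update interval configured"))
    if "ssh server keepalive enable" not in present:
        findings.append(("info", "keepalive is not enabled"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"error": 0, "warning": 0, "info": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = check_ssh_server_config(text)
        print(label, summarize(found))
        for severity, message in found:
            print(f"  {severity:<7} {message}")
```

The matching is exact on whole lines, so a line such as ssh server-source -i LoopBack0 is not mistaken for the all-interface form; extend the patterns if your configurations use the undo form or other variants.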

1.1.6.5.4 (Optional) Configuring CAR for Whitelisted SSH Sessions


You can configure CAR for whitelisted SSH sessions to limit the rate at which
packets of the whitelisted SSH sessions are sent to the SSH server. This
configuration prevents non-whitelisted SSH sessions from preempting bandwidth
if the SSH server encounters a traffic burst.

Context
When packets sent to the SSH server form a traffic burst, sessions may preempt
bandwidth. To resolve this problem, you can configure CAR for whitelisted SSH
sessions. This configuration isolates bandwidth resources between sessions. If the
default CAR parameters for whitelisted SSH sessions do not meet service
requirements, you can adjust them as required.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run whitelist session-car ssh-server { cir cir-value | cbs cbs-value | pir pir-value | pbs pbs-value } *
CAR parameters are configured for whitelisted SSH sessions.
Step 3 (Optional) Run whitelist session-car ssh-server disable
CAR for whitelisted SSH sessions is disabled.
Step 4 Run commit
The configuration is committed.

----End
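To see what the cir, cbs, pir and pbs parameters do to a traffic burst, the following Python script simulates a two-rate three-color marker (RFC 2698), the standard policing model behind CAR parameters of this shape. It is an added example, not Huawei code. The mapping of the device's CAR to this exact model, the bytes-per-second units, and the sample parameter values are assumptions of the example; what the device does with each color (forward, re-mark or drop) is not stated in this section, so the simulation only reports colors.

```python
class TwoRateThreeColorMarker:
    """Two-rate three-color marker (RFC 2698), color-blind mode.

    cir/pir: committed and peak rate, here in bytes per second;
    cbs/pbs: committed and peak burst size in bytes.
    (The units are an assumption of this example; the device documents its own.)
    Bucket C fills at cir up to cbs, bucket P at pir up to pbs.  A packet that
    does not fit in P is red, one that fits in P but not in C is yellow, and
    one that fits in both is green.
    """

    def __init__(self, cir, cbs, pir, pbs, start_time=0.0):
        if pir < cir or pbs < cbs:
            raise ValueError("pir must be >= cir and pbs must be >= cbs")
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.tc, self.tp = float(cbs), float(pbs)   # both buckets start full
        self.last = start_time

    def _refill(self, now):
        """Add the tokens earned since the previous packet, capped at the burst sizes."""
        elapsed = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        self.last = now

    def mark(self, size, now):
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tp < size:
            return "red"            # exceeds even the peak allowance
        if self.tc < size:
            self.tp -= size
            return "yellow"         # within peak, beyond committed
        self.tp -= size
        self.tc -= size
        return "green"              # within the committed rate


def simulate(marker, packets):
    """Feed (time_seconds, size_bytes) packets in order and count the colors."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for when, size in packets:
        counts[marker.mark(size, when)] += 1
    return counts


if __name__ == "__main__":
    # Constructed values: 1 kB/s committed, 2 kB/s peak, 2 kB / 4 kB burst sizes.
    car = TwoRateThreeColorMarker(cir=1000, cbs=2000, pir=2000, pbs=4000)
    burst = [(0.0, 1000)] * 8                      # 8 kB arriving at once
    print("burst:", simulate(car, burst))          # 2 green, 2 yellow, 4 red
    steady = [(t, 1000) for t in (2.0, 3.0, 4.0)]  # 1 kB/s afterwards
    print("steady:", simulate(car, steady))        # all green
```

The burst shows why cbs and pbs matter as much as the rates: the first cbs bytes are green, the next pbs minus cbs bytes yellow, and everything beyond that red until the buckets refill, which is exactly the isolation between sessions that the Context paragraph describes.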

1.1.6.5.5 Configuring an Authorized SFTP Server Directory


This topic describes how to configure an authorized SFTP server directory for SSH
users.

Context
When you run the ssh user username sftp-directory directoryname command, if
the username specified using username does not exist, an SSH user with the
specified username is created, and the configured directory is used as the
authorized SFTP service directory. In this case, you can also use the username
specified in the local-user user-name ftp-directory directory command for
authorization. If neither the configured authorized directory nor the default
authorized directory exists, an SFTP client fails to connect to the corresponding
SFTP server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure an authorized SFTP server directory for SSH users as required.
● Run the ssh user user-name sftp-directory directoryname command to
configure an authorized SFTP server directory for a specified SSH user.
● Run the sftp server default-directory sftpdir command to configure a default
authorized SFTP server directory.

NOTE

● Of the two preceding commands, the ssh user username sftp-directory directoryname
command has a higher priority but takes effect only for a specified SSH user.
● Of the two preceding commands, the sftp server default-directory sftpdir command
has a lower priority but takes effect for all SSH users.

Step 3 Run commit

The configuration is committed.

----End

1.1.6.5.6 Using SFTP to Log In to the System


After the configuration is complete, you can use SFTP to log in to the device for
file management.

Context
Third-party software can be used to implement SFTP login. This example uses
third-party software OpenSSH and Windows Command Prompt.

After installing OpenSSH on a PC, do as follows on the PC:

NOTE

For details about how to install OpenSSH, see the software installation guide.
For details about how to use OpenSSH commands to log in to the device, see the software
help document.

Procedure
Step 1 Enter the Windows Command Prompt window.

Step 2 Run OpenSSH commands to log in to the device in SFTP mode.

If the command prompt of the SFTP client view, such as sftp>, is displayed, you
have entered the working path of the SFTP server.

----End

1.1.6.5.7 Using SFTP Commands to Operate Files


After logging in to the SFTP server, you can manage directories and files on the
server.

Context
After logging in to the SFTP server, you can perform the following operations:

● Obtain command help information on the SFTP client.
● Manage directories on the SFTP server.
● Manage files on the SFTP server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run either of the following commands:
For IPv4:
Run the sftp [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ public-net | -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] * command to log in to the SSH server using an IPv4 address through SFTP and enter the SFTP client view.
For IPv6:
Run the sftp ipv6 [ -force-receive-pubkey ] [ -a source-ipv6-address ] host-ipv6-address [ [ [ -vpn-instance vpn-instance-name ] | public-net ] | [ -oi { interface-name | interface-type interface-number } ] [ port-number ] | [ prefer_kex { prefer_kex } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] * command to log in to the SSH server using an IPv6 address through SFTP and enter the SFTP client view.
Step 3 Perform one or more operations described in Table 1-30 as needed.

Table 1-30 File operation

Managing directories
● Changing the current working directory: Run the cd [ path ] command.
● Changing the current working directory to the parent directory: Run the cdup
command.
● Displaying the current working directory: Run the pwd command.
● Displaying files in a directory and the list of sub-directories: Run the dir
[ remote-filename [ local-filename ] ] command.
● Deleting directories on the server: Run the rmdir directory-name command.
● Creating a directory on the server: Run the mkdir path command.

Managing files
● Renaming a file on the server: Run the rename old-name new-name command.
● Downloading files from a remote server: Run the get remote-filename
[ local-filename ] command.
● Uploading files to a remote server: Run the put local-filename
[ remote-filename ] command.
● Deleting files from the server: Run the remove path or delete file command.

Displaying command help information on the SFTP client
● Run the help [ command-name ] command.

----End

1.1.6.5.8 Verifying the Configuration of SFTP-based File Operations


After completing the configuration of SFTP-based file operations, view information
about SSH users and the configuration of the SSH server.

Prerequisites
The configuration of SFTP-based file operations is complete.

Procedure
● Run the display ssh user-information username command on the SSH server
to check information about SSH users.
● Run the display ssh server status command to view the configuration of the
SSH server.
● Run the display ssh server session command on the SSH server to check
information about sessions between the SSH server and SSH clients.
● After configuring whitelist session-CAR for SSH, you can verify the
configuration.
– For IPv4, run the display cpu-defend whitelist session-car ssh statistics
slot slot-id command to check statistics about whitelist session-CAR for
SSH on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist session-car
ssh statistics slot slot-id command to clear the existing statistics about
whitelist session-CAR for SSH on a specified interface board, and then run
the display cpu-defend whitelist session-car ssh statistics slot slot-id
command.
– For IPv6, run the display cpu-defend whitelist-v6 session-car sshv6
statistics slot slot-id command to check statistics about whitelist
session-CAR for SSH on a specified interface board.
To view new statistics, run the reset cpu-defend whitelist-v6 session-car
sshv6 statistics slot slot-id command to clear the existing statistics
about whitelist session-CAR for SSH on a specified interface board, and
then run the display cpu-defend whitelist-v6 session-car sshv6
statistics slot slot-id command.

----End

1.1.6.6 Using HTTPS to Download Files


You can download the version package using HTTPS.

Prerequisites
You have logged in to the HTTPS server using HTTPS. For details, see 1.1.8.12
Logging In to a Device Using HTTP.

Context
When the device functions as a client, you can use HTTPS to obtain the version
package from the remote HTTPS server and save it to the local device for version
upgrade.

NOTE

HTTPS is supported, whereas HTTP is not.

Procedure
Step 1 Run download file-url [ save-as file-path | [ ssl-policy policy-name [ ssl-verify peer [ verify-dns ] ] | verify-dns ] | vpn-instance vpn-name ] *

The version package with the specified URL is downloaded to the corresponding
path of the device.

NOTE

Only .cc version packages can be downloaded in this case.

----End

1.1.6.7 Configuration Examples for File System Management


This section provides configuration examples for using the file system.

1.1.6.7.1 Example for Managing Files After Logging In to the System


In the example, you log in to a device to view and create directories.

Networking Requirements
You can log in to a device through a console port or using Telnet or STelnet to
manage directories on the device.

Precautions
● To log in to a device through a console port, you must prepare a terminal and
an RS-232 cable.
● To log in to a device using Telnet or STelnet, you must have configured a
Telnet or STelnet server and ensure that the server and terminal are routable.
For detailed configurations, see 1.1.5 User Login Configuration.

NOTE

In this example, login through a console port is used to manage directories.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure login through a console port.
2. View the current directory.
3. Create a directory.
4. Check that the new directory is created.

Data Preparation
To complete the configuration, you need the following data:
● Name of the directory to be created

Procedure
Step 1 Configure login through a console port.
For detailed configurations, see 1.1.5.6.1 Example for Configuring Login
Through a Console Port.
Step 2 View the current directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile

180,862 KB total (305,358 KB free)

Step 3 Create a directory in the root directory.
<HUAWEI> mkdir abc
Info:Create directory cfcard:/abc/......Done.

Step 4 View the current directory. The command output shows that the new directory has
been created.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
10 drw- - Jan 23 2010 11:10:42 abc
180,862 KB total (305,358 KB free)

----End

1.1.6.7.2 Example for Operating Files After Logging In to the System


In the example, you log in to a device to view and copy files.

Networking Requirements
You can log in to a device through a console port or using Telnet or STelnet to
manage files on the device.
You must enter a correct path for storing files. If you do not specify a target file
name, the source file name is the target file name by default.

Precautions
● To log in to a device through a console port, you must prepare a terminal and
an RS-232 cable.
● To log in to a device using Telnet or STelnet, you must have configured a
Telnet or STelnet server and ensure that the server and terminal are routable.
For detailed configurations, see 1.1.5 User Login Configuration.

NOTE

In this example, login through a console port is used to manage files.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure login through a console port.
2. View files in a directory.
3. Copy a file to this directory.
4. Check that the file is copied to the specified directory.

Data Preparation
To complete the configuration, you need the following data:
● Source and target file names
● Source and target file paths

Procedure
Step 1 Configure login through a console port.

For detailed configurations, see 1.1.5.6.1 Example for Configuring Login Through a Console Port.

Step 2 View files in the current directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile

180,862 KB total (305,358 KB free)

Step 3 Copy slave#cfcard:/sample.txt to cfcard:/sample1.txt.
<HUAWEI> copy slave#cfcard:/sample.txt cfcard:/sample1.txt
Copy slave#cfcard:/sample.txt to cfcard:/sample1.txt?[Y/N]: y
.100% complete
Info:Copied file slave#cfcard:/sample.txt to cfcard:/sample1.txt...Done.

Step 4 Check that the file is copied to the specified directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
10 drw- 1,605 Jan 23 2010 14:30:32 sample1.txt

180,864 KB total (305,356 KB free)

----End

1.1.6.7.3 Example for Using FTP to Operate Files


Files can be uploaded or downloaded using FTP.

Networking Requirements
As devices operate stably and are deployed on a large scale, more and more
devices need to be maintained and upgraded remotely. Online software upgrade, a
new upgrade method by loading software packages remotely, facilitates remote
online upgrades, reduces upgrade expenditures, shortens the time that customers
wait for upgrades, and improves customers' satisfaction. Delay, packet loss,
and jitter affect data transmission on networks. To ensure the quality of online
upgrade and data transmission, use FTP to perform online upgrades and transfer
files based on TCP connections.
As shown in Figure 1-44, you can log in to the FTP server from the terminal
emulation program to upload or download files.

Figure 1-44 File operations using FTP


NOTE

Interface 1 in this example represents GigabitEthernet0/0/0.

Precautions
After you log in to the FTP server through the console port, configure an IP
address of a logical interface as the source address for FTP login.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for the management interface.
2. Enable the FTP server function.
3. Configure an authentication mode, authorization mode, and authorized
directory.
4. Log in to the FTP server by using the correct user name and password.
5. Upload a file to or download a file from the FTP server.

Data Preparation
To complete the configuration, you need the following data:
● IP address for the FTP server: 10.137.217.221
● FTP user name: huawei
● Path on which the file to be uploaded is saved and the path on which the file
to be downloaded is saved

Procedure
Step 1 Configure an IP address for the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname server
[*HUAWEI] commit
[~server] interface GigabitEthernet0/0/0
[~server-GigabitEthernet0/0/0] undo shutdown
[*server-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[*server-GigabitEthernet0/0/0] quit
[*server] commit

Step 2 Enable the FTP server function.
[~server] interface LoopBack 0
[~server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*server-LoopBack0] quit
[*server] ftp server enable
[*server] ftp server-source -i loopback 0
[*server] commit

Step 3 Configure an authentication mode, authorization mode, and authorized directory.
[~server] aaa
[*server-aaa] local-user huawei password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the
entered password.
Special characters do not include question marks (?) or spaces. However, when double
quotation marks are used around a password, spaces are allowed in the password.
● Double quotation marks cannot contain double quotation marks if spaces are used in
a password.
● Double quotation marks can contain double quotation marks if no space is used in a
password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*server-aaa] local-user huawei service-type ftp
[*server-aaa] local-user huawei ftp-directory cfcard:/
[*server-aaa] local-user huawei level 3
[*server-aaa] quit
[*server] commit

Step 4 Run the ftp command at the Windows command prompt, and enter the correct
user name and password to set up an FTP connection to the FTP server.
Step 5 Upload a file to or download a file from the FTP server.
NOTE

You can run the dir command before downloading a file or after uploading a file to view
the detailed information about the file.

----End
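The quoting rule in the NOTE of Step 3 is easy to get wrong when passwords are provisioned by a script rather than typed. The following Python function is an added example, not Huawei code: it checks a password string exactly as it would be typed at the local-user ... password prompt against that rule and against the 8 to 128 length shown in the prompt. Applying the length limit to the password without its surrounding quotation marks, and allowing an unquoted password to contain double quotation marks, are assumptions of the example; the test cases other than the two quoted in the NOTE are constructed.

```python
def validate_local_user_password(raw):
    """Check a password string as typed at the local-user ... password prompt.

    Returns (True, password) or (False, reason).  Rules from the NOTE:
      - '?' is never allowed;
      - spaces are allowed only inside surrounding double quotation marks;
      - a quoted password that contains spaces may not also contain '"';
      - a quoted password without spaces may contain '"'.
    Assumption of this example: the 8-128 length limit applies to the password
    itself, without the surrounding quotation marks.
    """
    if "?" in raw:
        return False, "question marks are not allowed"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        password = raw[1:-1]                      # strip the surrounding quotes
        if " " in password and '"' in password:
            return False, ("a quoted password that contains spaces "
                           "may not contain double quotation marks")
    else:
        password = raw
        if " " in password:
            return False, "spaces are allowed only inside double quotation marks"
    if not 8 <= len(password) <= 128:
        return False, "the password must be 8 to 128 characters long"
    return True, password


def check_examples():
    """The two cases quoted in the NOTE plus constructed variants.
    Returns a mapping of input -> whether the validator agreed with the expectation."""
    cases = {
        '"Aa123"45""': True,    # quoted, no space, inner quotes allowed (from the NOTE)
        '"Aa 123"45""': False,  # quoted, space and inner quotes (from the NOTE)
        '"Aa 123 45"': True,    # quoted with spaces, no inner quotes
        'Aa123456': True,       # plain password
        'Aa 123456': False,     # unquoted space
        'Aa12345?': False,      # question mark
        '"Aa1"': False,         # too short once the quotes are removed
    }
    return {raw: validate_local_user_password(raw)[0] == expected
            for raw, expected in cases.items()}


if __name__ == "__main__":
    for raw, agreed in check_examples().items():
        print(f"{raw!r:16} {'ok' if agreed else 'MISMATCH'}")
```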

FTP Server Configuration File


#
sysname server
#
FTP server enable
FTP server-source -i loopback 0
#
aaa
local-user huawei password cipher @%@%:BC"Qzkbh*9PhJU|U>mX,cZQ@%@%
local-user huawei service-type ftp
local-user huawei level 3
local-user huawei ftp-directory cfcard:/
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
interface LoopBack 0
ip address 10.1.1.1 255.255.255.255
#
return

1.1.6.7.4 Example for Using SFTP to Operate Files


In this example, a local key pair is configured on the SSH server, and a username
and a password are configured on the server for an SSH user. After the SFTP
service is enabled on the server and the SFTP client is connected to the server, you
can operate files between the client and the server.

Networking Requirements
As the device deployment scale increases, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a new upgrade
method by loading software packages remotely, facilitates remote upgrades,
reduces upgrade costs, shortens the time that customers wait for upgrades, and
improves customers' satisfaction. FTP is usually used to transmit data for online
upgrades. FTP transmits data and even user names and passwords in plaintext,
bringing security risks.
SFTP resolves the security issue. It enables you to securely log in to a remote
device for file management, improving data transmission security. You can then
transfer files and perform online upgrades.
As shown in Figure 1-45, after the SFTP service is enabled on the device that
functions as an SSH server, you can log in to the server in password, RSA,
password-RSA, DSA, password-DSA, ECC, password-ECC, SM2, password-SM2,
x509v3-ssh-rsa, password-x509v3-rsa, or All authentication mode from the PC that
functions as an SFTP client.

Figure 1-45 Using SFTP to operate files


NOTE

In this example, interface1 represents GigabitEthernet0/0/0.

Precautions
After you log in to the SFTP server through the console port, configure an IP
address of a logical interface as the source address for SFTP login.

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure the SSH server to generate a local key pair to securely exchange
data between the client and the server.
2. Create an SSH user and configure an authentication mode, username,
password, and authorized directory for the user.
3. Enable the SFTP service on the SSH server and configure a service type.

Data Preparation
To complete the configuration, you need the following data:

● SSH user's authentication mode (password authentication) and username (client001)
● User level (3) of client001
● IP address (10.137.217.223) of the SSH server

Procedure
Step 1 Configure an IP address for the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] interface GigabitEthernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[*SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.223 255.255.0.0
[*SSH Server-GigabitEthernet0/0/0] quit
[*SSH Server] commit

Step 2 Configure the SSH username and password on the SSH server.
[*SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the passward (8-128)
Enter Password:
Confirm Password:
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] quit
[*SSH Server] commit

Step 3 Enable the SFTP service and set the service type to SFTP.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*SSH Server-LoopBack0] quit
[*SSH Server] sftp server enable
[*SSH Server] ssh server-source -i loopback 0
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] commit

Step 4 Configure the authorized directory for the SSH user.


[~SSH Server] ssh user client001 sftp-directory cfcard:/
[*SSH Server] commit

Step 5 Verify the configuration.

Start the SFTP software on the client, and enter the username, password, and port
number (22 by default) to access the SSH server and transfer files.

----End


Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
aaa
local-user client001 password cipher @%@%.OuC6Vo7Z,A'y~/KB&,vmd@%@%
local-user client001 service-type ssh
local-user client001 level 3
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.223 255.255.0.0
#
interface LoopBack 0
ip address 10.1.1.1 255.255.255.255
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp stelnet
ssh user client001 sftp-directory cfcard:/
#
return

1.1.6.7.5 Example for Using SFTP IPv6 to Operate Files


In this example, a local key pair is configured on the SSH server, and a username
and a password are configured on the server for an SSH IPv6 user. After the SFTP
IPv6 service is enabled on the server and the SFTP client is connected to the server,
you can operate files between the client and the server.

Networking Requirements
As the device deployment scale increases, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a new upgrade
method by loading software packages remotely, facilitates remote upgrades,
reduces upgrade costs, shortens the time that customers wait for upgrades, and
improves customers' satisfaction. FTP is usually used to transmit data for online
upgrades. FTP transmits data and even user names and passwords in plaintext,
bringing security risks.

SFTP resolves the security issue. It enables you to securely log in to a remote
device for file management, improving data transmission security. You can then
transfer files and perform online upgrades.

As shown in Figure 1-46, after the SFTP IPv6 service is enabled on the device that
functions as an SSH server, you can log in to the server in password, RSA,
password-RSA, DSA, password-DSA, ECC, password-ECC, SM2, password-SM2,
x509v3-ssh-rsa, password-x509v3-rsa, or All authentication mode from the SFTP
IPv6 client.

Figure 1-46 Using SFTP IPv6 to operate files


NOTE

In this example, interface1 represents GigabitEthernet0/0/0.


Precautions
After you log in to the SFTP server through the console port, configure an IPv6
address of a logical interface as the source IPv6 address for SFTP login.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the SSH server to generate a local key pair to securely exchange
data between the client and the server.
2. Create an SSH IPv6 user and configure an authentication mode, username,
password, and authorized directory for the user.
3. Enable the SFTP IPv6 service on the SSH server and configure a service type.

Data Preparation
To complete the configuration, you need the following data:
● SFTP software installed on the SFTP client
● User's authentication mode (password) and username (client001)
● User level (3) of client001
● IPv6 address (2001:db8::1/32) of the SSH server
● IPv6 routes available between the SFTP client and server
● User type (SSH) and authentication mode (password)

Procedure
Step 1 Configure an IP address for the management interface of the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] interface GigabitEthernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ipv6 enable
[*SSH Server-GigabitEthernet0/0/0] ipv6 address 2001:db8::1 32
[*SSH Server-GigabitEthernet0/0/0] quit
[*SSH Server] commit

Step 2 Configure the SSH username and password on the server.


[*SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the passward (8-128)
Enter Password:
Confirm Password:
[*SSH Server-aaa] local-user client001 level 3


[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] quit
[*SSH Server] commit

Step 3 Enable the SFTP function and set the service type to SFTP.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 2001:db8::2 64
[*SSH Server-LoopBack0] quit
[~SSH Server] sftp ipv6 server enable
[*SSH Server] ssh ipv6 server-source -i loopback 0
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] commit

Step 4 Configure the authorized directory for the SSH user.


[~SSH Server] ssh user client001 sftp-directory home:/
[*SSH Server] commit

Step 5 Verify the configuration.

Start the SFTP software on the client, and enter the username, password, and port
number (22 by default) to access the SSH server and transfer files.

----End

SSH server configuration file


#
sysname SSH Server
#
aaa
local-user client001 password cipher @%@%.OuC6Vo7Z,A'y~/KB&,vmd@%@%
local-user client001 service-type ssh
local-user client001 level 3
#
interface GigabitEthernet0/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:db8::1/32
#
interface LoopBack 0
ipv6 address 2001:DB8::2/64
sftp ipv6 server enable
ssh ipv6 server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory home:/
#
return

1.1.7 Configuration Management Configuration


The system provides two configuration validation modes to ensure configuration
reliability.

Context
As increasingly new types of services emerge, higher requirements are imposed on
devices. For example, it is required that services take effect after being configured,
invalid configurations be discarded, and impact on the existing services be
minimized.


To ensure reliable user configurations, the system allows two-phase configuration
validation. In the first phase, the system performs syntax and semantics checks. In
the second phase, configurations take effect and are used for services.

1.1.7.1 Overview of Configuration Management


The system supports two configuration validation modes: immediate validation
and two-phase validation. By default, the two-phase validation mode takes effect.
The system also supports offline configuration, which means that you can change
interface configurations after a board is removed.

Configuration Validation Modes


The two configuration validation modes are described as follows:

● The immediate validation mode is a traditional configuration validation mode.


In this mode, the system-view immediately command is used to enter the
system view. After you enter a command and press Enter, the system
performs a syntax check. If the check is successful, the configuration
immediately takes effect.
NOTE

Configuration rollback is not supported in immediate validation mode.


● In two-phase validation mode, the system configuration process is divided
into two phases:
In this mode, the system-view command is used to enter the system view. In
the first phase, after you enter a configuration command, the system
performs syntax and semantics checks on the candidate database. If an
incorrect clause is found, the system displays a message on the command line
terminal, indicating the fault and cause. After entering a series of commands
to complete a configuration, you can run the commit command to commit
the configuration. The system then enters the second phase, that is,
configuration commitment phase. In the second phase, the system delivers
the configuration in the candidate database to the corresponding service
module. If the configuration takes effect, the system adds it to the running
database. If the same configuration is added, the system displays a message.

The following table describes the advantages and disadvantages of the immediate
and two-phase validation modes.

Table 1-31 Advantages and disadvantages of the immediate and two-phase validation modes

Immediate validation mode
Advantage: The configuration impact on services can be detected immediately.
Disadvantage: Incorrect configurations immediately affect services. You must delete
incorrect configurations one by one because deleting services as a whole is not allowed.

Two-phase validation mode
Advantages:
● All configurations take effect at the same time.
● Configurations in the candidate database can be previewed.
● When you find that a configuration in the candidate database is incorrect or does
not meet your expectation, you can immediately clear the configurations that have
not taken effect.
● The impacts of service configurations on the existing services can be minimized.
Disadvantage: The commit command must be run to validate configurations.
NOTE
In two-phase validation mode, if a configuration has not been committed, the symbol
"*" is displayed in the corresponding view (except the user view). If all
configurations have been configured, the symbol "~" is displayed in the
corresponding view (except the user view).

Offline Configuration
The system supports offline configuration. Specifically, after you configure
interfaces on a board and then remove the board, the configurations are not
affected and you can continue to configure the interfaces.
If you install another board in the slot, the impacts on the previous configurations
are as follows:
● The new board has the same type as the previous board.
The system automatically restores the configurations of all interfaces on the
new board. Then, you can view interface configurations and configure the
interfaces on the new board.
● The new board has interfaces of a different type than the previous board.
The system deletes the configurations of all interfaces on the previous board.
The deleted configurations cannot be restored.
For example, board A has interfaces of type P and configuration information.
a. Remove board A and install board C with interfaces of type E.
b. Remove board C without configuring its interfaces. If you run the display
this command in the interface view on board C, the command output
does not contain original configurations on board A.
c. Install board A or another board with interfaces of type P. If you run the
display this command in the interface view of board A or the board with
interfaces of type P, the command does not contain original
configurations on board A, either.
● The new board has a different number of interfaces of the same type as those
on the previous board.
– If the new board has more interfaces than the previous board does, the
system performs the following operations:
▪ Restores the configuration information on the interfaces that are the
same as those on the previous board.
▪ Keeps default configuration information on the other interfaces of
the new board.
– If the new board has fewer interfaces than the previous board, the system
performs the following operations:
▪ Restores the configuration information on the interfaces that are the
same as those on the previous board.
▪ Deletes the other interfaces of the previous board and their
configuration information.

You can run the display current-configuration inactive or display current-
configuration all command to view offline configuration on a device.

1.1.7.2 Configuration Precautions for Configuration Management

Feature Requirements

Table 1-32 Feature requirements

Series: NE9000. Models: NE9000. Every requirement below applies to this series and
model.

● Configuration rollback:
1. Configuration rollback is performed using commands. If configuration
differences still exist after the rollback, the system prompts you to check the
configurations that are not rolled back. However, the operation is recorded as
successful in the operation log.
2. When configuration rollback using NETCONF is finished, the system displays a
rollback success message if the configuration difference exists. You can check for
differences between the target rollback point and current configurations to
determine whether all configurations have been rolled back.
3. During configuration rollback, do not perform operations such as inserting,
replacing, or resetting boards. If such an operation is performed, the board fails
to be registered.
● If multiple users commit configurations at the same time, the operation may fail
due to the conflict. A message indicating that the system is busy is displayed.
Configurations need to be committed again.
● When the system is committing configurations or rolling back, there is a
possibility that the card that is newly started cannot be registered for a long
time.
● Configuration change is not allowed when an NMS initiates full synchronization to
the device.
● When configurations are restored during device startup, you cannot query the
current configurations.
● In two-phase configuration validation mode, the number of uncommitted
configurations is limited.
● After the trial run command is executed to enable the device to enter the trial
running state, only the current trial running user can modify the configuration.
Other users cannot modify the configuration during the trial run.
● During configuration editing, if the device memory usage exceeds 90%, the
configuration editing fails.
● The configuration cannot be saved during configuration data restoration when the
device is just started.
● Configurations cannot be committed when configuration data is being restored
upon device startup.
● When the configuration difference comparison command is being executed, if
repeated commands exist in the same view, the current command fails to be
executed.

1.1.7.3 Configuring a Validation Mode


You can configure the immediate or two-phase validation mode for different
reliability requirements.

Usage Scenario
Before configuring a service, you must enter a configuration view. After the
configuration view is displayed, the system initiates the corresponding
configuration transaction based on the configured validation mode. To
immediately validate configurations, configure the immediate validation mode. To
validate configurations after they are complete, configure the two-phase
validation mode.

Pre-configuration Tasks
Before configuring a validation mode, log in to a device and enter the user view.

1.1.7.3.1 Configuring the Immediate Validation Mode


To immediately validate configurations, configure the immediate validation mode.

Context
Before configuring a service, you must enter the system view. After the system
view is displayed, the system initiates the corresponding configuration transaction
based on the configured validation mode. In immediate validation mode, after you
enter a command and press Enter, the system performs a syntax check. If the
check is successful, the configuration immediately takes effect.

Procedure
Step 1 (Optional) Run configuration exclusive
Configurations are locked in the user view.
To use the running database exclusively, lock configurations on the router to
prevent other users from configuring services or committing configurations. Other
users can configure services in the running database only after you unlock
configurations.
To view information about the user who locked the configuration database, run
the display configuration-occupied user command.

NOTICE

After locking configurations, you can edit and commit configurations. Other users
can view and edit configurations but cannot commit configurations.
Other users can configure services in the running database only after you unlock
configurations.

Step 2 Run system-view immediately


The immediate validation mode is configured.


NOTE

To prevent a service from being affected, you can lock the configuration of the service as
soon as the service process is initiated. When the configuration is being locked,
configurations cannot be committed. The configuration of the service remains locked until
the service process successfully starts. During this period, the configuration cannot be
modified but can be viewed.
If the configuration fails to be committed, wait 30 seconds and commit the configuration
again. If the configuration fails to be committed again, a user has locked the configuration.
In immediate validation mode, the command prompt is as follows:
<HUAWEI> system-view immediately
[HUAWEI]

Step 3 (Optional) If the configuration has been locked, run the quit command to return
to the user view. Then, run the undo configuration exclusive command to unlock
the configuration.

NOTICE

After locking the configuration, you must unlock it after completing the
configuration. Otherwise, configurations of other users cannot take effect.

Step 4 Run configuration-occupied timeout timeout-value


A period after which the configuration database is unlocked automatically is
configured.

----End

1.1.7.3.2 Configuring the Two-Phase Validation Mode


To validate configurations after they are complete, configure the two-phase
validation mode.

Context
The two-phase validation mode enhances configuration security and reliability and
minimizes the impact of configurations on services. If the configuration of a
service that has taken effect does not meet your expectation, roll the system back
to the status before the configuration is committed.

Procedure
Step 1 (Optional) Run configuration exclusive
Configurations are locked in the user view.
To use the running database exclusively, lock configurations on the router.


NOTICE

After locking configurations, you can edit and commit configurations. Other users
can view and edit configurations but cannot commit configurations.
Other users can configure services in the running database only after you unlock
configurations.

Step 2 Run system-view

The two-phase validation mode is configured.

NOTE

In two-phase validation mode, the command prompt is as follows:


<HUAWEI> system-view
[~HUAWEI]

Step 3 (Optional) Run display configuration candidate merge

Configurations in the candidate database are previewed, including uncommitted
and committed ones.

You can run the clear configuration candidate command to delete all
uncommitted configurations.

Step 4 (Optional) Run commit trial [ time ] [ persist persistId ]

The trial running of a system configuration is enabled.

● To disable the trial running function before the trial running times out, run
the abort trial [ { session session-id | persist persistId } ] command to roll
the configuration back to the status before the trial running.
● To view the trial running status of a system configuration, run the display
configuration trial status command.

Step 5 Run commit

The configuration is committed.

NOTE

To prevent a service from being affected, you can lock the configuration of the service as
soon as the service process is initiated. When the configuration is being locked,
configurations cannot be committed. The configuration of the service remains locked until
the service process successfully starts. During this period, the configuration cannot be
committed but can be viewed.
If the configuration fails to be committed, wait 30 seconds and commit the configuration
again. If the configuration fails to be committed again, a user has locked the configuration.

Step 6 (Optional) If the configuration has been locked, run the quit command to return
to the user view. Then, run the undo configuration exclusive command to unlock
the configuration.


NOTICE

After locking the configuration, you must unlock it after completing the
configuration. Otherwise, configurations of other users cannot take effect.

----End

1.1.7.4 Disabling the Re-confirmation Function


Some device commands may result in serious consequences if operations are not
properly performed. To avoid misoperations, re-confirmation is required by default.

Context
If you run some undo commands by mistake, configurations of related features
are deleted, causing interruption of services or networks. To avoid misoperations,
re-confirmation is required by default when running the following commands:
undo mpls, undo mpls te, undo mpls rsvp, undo mpls ldp, undo mpls l2vpn,
undo multicast ipv6 routing-enable, undo multicast routing-enable, undo
pim, undo igmp, undo bfd.

You are advised to enable the function because misoperations will cause services
to be unavailable.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run configuration prevent-misoperation disable

The re-confirmation function is disabled.

Step 3 Run commit

The configuration is committed.

----End

1.1.7.5 Performing Configuration Rollback


Configuration rollback allows the system to roll back to a specified historical
configuration state. This section describes how to roll the system back to a
previous configuration.

1.1.7.5.1 Configuring or Deleting the Configuration Rollback Point Generated Periodically

This section describes how to set the time when configuration rollback points are
periodically generated during proper system running, so that system
configurations can be saved in configuration rollback point files.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run set save-configuration checkpoint daily time time

The time when configuration rollback points are periodically generated is set.

Step 3 Run commit

The configuration is committed.

Step 4 Run quit

The user view is displayed.

Step 5 (Optional) Run clear configuration commit label label-name

The configuration rollback point with a specified label is deleted.

----End

1.1.7.5.2 Performing Configuration Rollback


Configuration rollback allows the system to roll back to a specified historical
configuration state. This section describes how to roll back the system to the
specified configuration state.

Context
If you have committed configurations but find unexpected results, roll the system
back to a specified historical configuration state.

Procedure
Step 1 (Optional) Select a validation mode and edit and commit configurations.
NOTE

The system supports two validation modes: immediate mode and two-phase validation
mode.
● In immediate validation mode, after you run a command and press Enter, the system
checks whether the current configuration is different from the previous one. If they are
different, the system commits the current configuration and generates a configuration
rollback point. Multiple configuration rollback points may be created for a feature.
● In two-phase validation mode, after you run a series of commands, the system checks
the differences between the current configuration and the previous one and generates
a configuration rollback point only when you run the commit [ description
description ] command. The configurations of multiple commands for a service take
effect in batches. You can run the description description command to add a brief
description for a configuration rollback point, allowing rapid locating of a desired
configuration rollback point. The two-phase validation mode is recommended for
configuration editing and committing.
● Run the system-view immediately command to enter the system view in
immediate validation mode. After you run commands to edit configurations,
the new configurations take effect immediately.

● Run the system-view command to enter the system view in two-phase
validation mode.
a. (Optional) Run the undo configuration checkpoint auto-save disable
command to enable the device to automatically generate a configuration
rollback point.
b. Edit configurations.
c. Run the commit [ description description | label label ] command to
commit the new configurations for them to take effect.

Step 2 Check the configuration rollback point list and configuration difference.
1. Run the display configuration commit list [ verbose ] [ number-of-commits
| label ] command to check the configuration rollback point list, determine
whether a configuration rollback point is generated, and view information
about each configuration rollback point.
To view information about the most recent configuration rollback points,
specify number-of-commits.
2. Run the display configuration commit changes [ at commit-id | since
commit-id | last number-of-commits ] command to view configuration
changes. Based on the configuration changes, you can determine whether to
roll back system configurations and check the impact of the configuration
rollback operation on system performance.
To view configuration changes at all configuration rollback points, run this
command with no parameter specified.
To view the configuration changes at a configuration rollback point, specify at
commit-id.
To view configuration changes since a configuration rollback point, specify
since commit-id.
To view configuration changes at the most recent configuration rollback
points, specify last number-of-commits.

Step 3 Roll back system configurations as required.


● If the historical configuration corresponding to a configuration rollback point
meets user requirements, perform the following steps:
a. Run the return command to return to the user view. This ensures that no
additional configuration is committed after the configuration rollback
operation begins.
b. Run the rollback configuration { to commit-id commit-id | last number-
of-commits | to label label | to file file-name } command to roll system
configurations back to a previous configuration rollback point by
specifying the desired configuration rollback point or the number of the
configuration rollback points that the incoming configuration rollback
operation is expected to undergo. All configurations that were in place at
the rollback point are restored, regardless of any change executed after
the rollback point was created. Configurations created after the point are
deleted, deleted configurations are restored, and modified configurations
are returned to what they were when the rollback point was created.
To roll system configurations back to a specified configuration rollback
point, specify to commit-id commit-id.

To allow the configuration rollback operation to undergo the most recent
configuration rollback points, specify last number-of-commits.
NOTE

After the configuration rollback operation is complete, you can run the display
configuration rollback result command to view the result of the latest
configuration rollback operation.
● If the current configuration is incorrect or the configuration of the
configuration rollback point meets user requirements, you can perform the
following steps to load the configuration corresponding to the configuration
rollback point, and then edit the required content:
a. Run the return command to return to the user view. This ensures that no
additional configuration is committed after the configuration rollback
operation begins.
b. Run the system-view command to enter the system view.
c. Run the load configuration rollback changes { at commit-id at-
commit-id | to commit-id commit-id | last number-of-commits | to label
user-label } command to load the configuration of a specified
configuration rollback point or the configuration with a specified user
label.
NOTE

After the configuration rollback operation is complete, you can run the display
configuration rollback changes load-result command to view the result of the
latest configuration rollback operation.

----End

Checking the Configuration


● Run the display configuration commit list [ verbose ] [ number-of-commits
| label ] command to view the configuration rollback point list.
● Run the display configuration commit changes [ commit-id | since commit-
id | last number-of-commits ] command to view information about
configuration changes.
● Run the display configuration rollback result command to view information
about the latest configuration rollback operation, including warning and
failure messages if there is any.
● Run the display configuration rollback changes load-result command to
view the command that fails to be executed to load the configuration of the
specified configuration rollback point or the configuration with a specified
user label and the failure cause.

1.1.7.6 Managing Configuration Files


You can manage configuration files, for example, set the configuration file to be
loaded at the next startup or save the configuration file.

Usage Scenario
You can save the current configurations into the configuration file. After the
system restarts, configurations can be restored.

Pre-configuration Tasks
Before managing configuration files, complete the following tasks:
● Power on a router and ensure that it is working properly.
● Configure an account and an authentication mode.
● Configure a reachable route between the router and a terminal.
● Log in to the router.

1.1.7.6.1 Default Configuration File


Each device is delivered with a default configuration file named default.cfg. The
content of this file is as follows:
#
lldp enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
undo icmp name timestamp-reply send
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
security password
#
rule admin
forbidden word ******
#
mpls ldp-srbe convergence enhance
#
undo ssh server-source all-interface
undo ssh ipv6 server-source all-interface
#
return

A configuration file can be saved or modified only by management users when
the device is not running.

1.1.7.6.2 Setting a Default Configuration File for the Startup with Base
Configuration
If a device is upgraded to the current version and starts with base configuration,
engineers need to perform onsite configuration, which is inconvenient for O&M.
To implement plug-and-play upon the restart of a device with base configuration,
specify a default configuration file for the device. For details, see 1.1.7.6.6
Specifying the Configuration File to Be Loaded at the Next Startup. Note that
the default configuration file must contain the configurations required by the
plug-and-play function. When the device with base configuration starts the next
time, it uses the default configuration file for configuration restoration. The
default-custom.defcfg file is the default configuration file of the device. It is
used only when the device goes online for the first time and can be modified as
required. The content of this file is as follows:
#
ssh server-source all-interface
ssh ipv6 server-source all-interface
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh server publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
return

NOTE

The password in the file can be set to a user-defined simple one. To improve security, it is
recommended that the password contain multiple types of the following characters:
uppercase letters, lowercase letters, digits, and special characters.
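The two listings above differ in their SSH algorithm lists: default-custom.defcfg
enables the SHA-1 based key exchange methods dh_group_exchange_sha1 and
dh_group14_sha1 and the plain rsa and ecc public-key algorithms, none of which
default.cfg enables. The following Python script is an added example, not Huawei
code and not part of this guide: it parses the ssh server and ssh client
algorithm lines of a VRP configuration file, reports the algorithms that its own
(assumed) policy treats as weak, and lists what the plug-and-play file enables
beyond default.cfg. The WEAK_ALGORITHMS policy, and the treatment of plain rsa as
the legacy SHA-1-signed ssh-rsa algorithm, are this example's assumptions; the
two embedded configurations are copied from the listings above, with the lines
that the PDF wrapped rejoined.

```python
"""Audit the SSH algorithm lines of a Huawei VRP configuration file.

Added example, not Huawei code. The weak-algorithm policy below is this
example's own assumption; the two configurations are copied from the
default.cfg and default-custom.defcfg listings in the guide.
"""
import re

# Copied from the default.cfg listing (non-SSH lines omitted).
DEFAULT_CFG = """\
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
return
"""

# Copied from the default-custom.defcfg listing; lines wrapped in the PDF
# are rejoined here because each command is a single line on the device.
DEFAULT_CUSTOM_DEFCFG = """\
#
ssh server-source all-interface
ssh ipv6 server-source all-interface
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh server publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
return
"""

# Assumed review policy: SHA-1 based key exchange, the legacy 'rsa'
# (ssh-rsa, SHA-1 signatures) and 'dsa' public-key algorithms, SHA-1/MD5
# MACs and CBC/3DES ciphers are flagged. Adjust to your own baseline.
WEAK_ALGORITHMS = {
    "key-exchange": {"dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"},
    "publickey": {"rsa", "dsa"},
    "hmac": {"sha1", "sha1_96", "md5", "md5_96"},
    "cipher": {"3des_cbc", "des_cbc", "aes128_cbc", "aes256_cbc"},
}

# Matches 'ssh server cipher ...', 'ssh client key-exchange ...' and so on;
# 'ssh server-source' and 'ssh server dh-exchange' deliberately do not match.
LINE_RE = re.compile(r"^ssh (server|client) (cipher|hmac|key-exchange|publickey)\s+(.+)$")


def parse_ssh_algorithms(config_text):
    """Return {(side, category): [algorithm, ...]} for each matching line."""
    result = {}
    for raw in config_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            side, category, algorithms = match.groups()
            result[(side, category)] = algorithms.split()
    return result


def find_weak_algorithms(config_text):
    """Return a sorted list of (side, category, algorithm) judged weak."""
    findings = []
    for (side, category), algorithms in parse_ssh_algorithms(config_text).items():
        for algorithm in algorithms:
            if algorithm in WEAK_ALGORITHMS.get(category, set()):
                findings.append((side, category, algorithm))
    return sorted(findings)


def diff_algorithms(baseline_text, candidate_text):
    """Algorithms the candidate enables that the baseline does not, per line."""
    baseline = parse_ssh_algorithms(baseline_text)
    candidate = parse_ssh_algorithms(candidate_text)
    added = {}
    for key, algorithms in candidate.items():
        extra = [a for a in algorithms if a not in baseline.get(key, [])]
        if extra:
            added[key] = extra
    return added


if __name__ == "__main__":
    print("default.cfg weak:", find_weak_algorithms(DEFAULT_CFG))
    print("default-custom.defcfg weak:", find_weak_algorithms(DEFAULT_CUSTOM_DEFCFG))
    for key, extra in diff_algorithms(DEFAULT_CFG, DEFAULT_CUSTOM_DEFCFG).items():
        print("enabled only by the plug-and-play file:", key, extra)
```

Run it against the saved output of display current-configuration to confirm that
the compatibility-oriented key exchange and public-key lists of the first-boot
file have been narrowed back to the default.cfg set once the device is onboarded.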

1.1.7.6.3 Saving Configurations


Configurations can be saved in a configuration file either automatically or
manually.

Context
To avoid configuration loss on a device due to power-off or an unexpected reset,
the system supports automatic and manual configuration saving.
The configuration file can be automatically saved on the local device or on a
backup server. If the local storage is short of space or damaged, or if disaster
recovery backup is required, save the configuration file on the backup server
as well.
Perform the following steps on a device.

Procedure
● Enable the system to automatically save configurations.
a. Run the system-view command to enter the system view.
b. Run the set save-configuration [ interval interval | cpu-limit cpu-usage
| delay delay-interval ] * command to enable the system to automatically
save configurations.

▪ To specify an interval at which configurations are automatically
saved, set the interval interval parameter.
▪ To prevent the auto-save function from deteriorating system
performance, set the cpu-limit cpu-usage parameter to specify an
upper threshold for CPU usage. When the auto-save timer is triggered
and the CPU usage of the device is detected to be higher than the
upper threshold, the device stops the current auto-save operation.
▪ To specify a delay for the device to automatically back up
configurations, set the delay delay-interval parameter. If
configurations are changed, the device automatically saves them
after the delay expires.
▪ If both interval interval and delay delay-interval are set, the
parameter that expires first triggers the auto-save operation. When
the time specified by the other parameter arrives, the device checks
the configurations again and performs a new auto-save operation only
if it detects a configuration change.
With the auto-save function enabled, a device automatically saves
configurations to the next-startup configuration file when the current
configurations differ from those in the next-startup configuration file
and the time specified using the interval interval parameter arrives,
regardless of whether the save command is run.
c. (Optional) Run the set save-configuration backup-to-server server
[ ipv6 ] server-ip [ vpn-instance vpn-instance-name ] transport-type
{ tftp | { ftp | sftp } [ port port-value ] user user-name password
password } [ path folder ] command to configure the configuration file
to be saved on the specific server.
NOTE

● When TFTP is used to transmit files, run the tftp client-source command to
configure the loopback interface of the router as the source address of the
client. Note that TFTP provides neither authentication nor encryption, so the
configuration file, which can contain credential data, is transferred in
cleartext; prefer SFTP wherever the server supports it.
● The system supports a maximum of five file servers. The servers are
independent of each other. If a file fails to be uploaded to one of the servers,
the system reports an alarm to the NMS and records a log locally.
● In disaster recovery scenarios, you can run the set save-configuration
backup-to-server command repeatedly to configure multiple file servers.
Before running this command, you need to enable the auto-save function
using the set save-configuration command and enable the FTP, SFTP, or
TFTP service on the server.
● A device supports a server with the same IP address but different VPN
instances. To be specific, if different VPN instances have been configured for a
server with a specific IP address, the device can send configuration files to any
of the VPN instances.
● Save configurations manually.
Run the save command to save the current configuration.
The configuration file name extension must be .dat, .cfg, or .zip.

NOTE

When you save the configuration file for the first time without specifying configuration-
file, you are asked whether to name the configuration file vrpcfg.zip. The configuration file
containing only the default configurations is initially named vrpcfg.zip.

----End

1.1.7.6.4 Comparing Configuration Files


You can compare the current configuration file with the configuration file for the
next startup or a specified configuration file.

Context
NOTE

The compared configuration file name extension must be .cfg or .zip.

Procedure
Step 1 Run compare configuration [ configuration-file ]
The current configuration is compared with the configuration file for the next
startup or a specified configuration file.
After a series of operations are performed, you can run the compare
configuration command to compare whether the current configurations are
identical with the next startup or a specified configuration file from the first line.
The command output helps decide whether to save and set the current
configurations as the next startup configuration file.
The command output respectively displays nine lines of the current configurations
and the next startup or a specified configuration file from the line that contains
differences. If the lines from the differences to the end of the configuration file are
less than nine, the command displays the content till the end of the configuration
file.

----End
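As an added example (not Huawei code and not part of this guide), the following
Python function reproduces the behaviour described above offline: it finds the
first line on which two configuration texts differ and returns nine lines of
each side from that point, so the same check can be scripted against exported
files before deciding whether to save. The sample configurations are constructed
for the example; they show the kind of drift a reviewer looks for, a telnet
server enabled in the running configuration but not in the next-startup file.

```python
"""Emulate 'compare configuration' on exported configuration text.

Added example, not Huawei code. The nine-line window is the amount of
context the guide says the command prints; the two sample configurations
below are constructed for this example.
"""
CONTEXT_LINES = 9

# Constructed: next-startup file as saved by the operator.
SAVED_CFG = """\
#
sysname NE9000-A
#
undo telnet server enable
#
interface LoopBack0
 ip address 10.255.0.1 255.255.255.255
#
return
"""

# Constructed: running configuration after someone enabled telnet at runtime.
RUNNING_CFG = """\
#
sysname NE9000-A
#
telnet server enable
#
interface LoopBack0
 ip address 10.255.0.1 255.255.255.255
#
return
"""


def compare_configuration(running_text, saved_text, context=CONTEXT_LINES):
    """Return None if the texts are identical line for line.

    Otherwise return (line_number, running_window, saved_window), where the
    windows hold up to `context` lines of each side starting at the first
    differing line; a window is shorter when the file ends first.
    """
    running = running_text.splitlines()
    saved = saved_text.splitlines()
    for index in range(max(len(running), len(saved))):
        running_line = running[index] if index < len(running) else None
        saved_line = saved[index] if index < len(saved) else None
        if running_line != saved_line:
            return (index + 1,
                    running[index:index + context],
                    saved[index:index + context])
    return None


def needs_save(running_text, saved_text):
    """True if the running configuration has drifted from the saved file."""
    return compare_configuration(running_text, saved_text) is not None


if __name__ == "__main__":
    result = compare_configuration(RUNNING_CFG, SAVED_CFG)
    if result is None:
        print("configurations are identical")
    else:
        line, running_window, saved_window = result
        print(f"first difference at line {line}")
        print("running:", running_window)
        print("saved:  ", saved_window)
```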

1.1.7.6.5 Loading Configuration Files


To run commands in a batch for function configuration on a device that is
properly running, load a configuration file to the device.

Context
To load the configuration file on the remote server or local configuration file to
the running configuration database, perform the following steps:
This function is supported only in the two-phase configuration validation mode.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform one of the following operations based on the location of the
configuration file:
● Run the load configuration file file-name merge [ relative ] command to
load the local configuration file and deliver configurations.
● Run the load configuration server ip-address [ vpn-instance vpn-instance-
name ] transport-type { ftp | sftp } username user-name password
password-value file file-name merge [ relative ] command to load the
configuration file on an IPv4 server and deliver configurations to the local
device.
● Run the load configuration server ipv6 ipv6-address [ vpn-instance vpn-
instance-name ] transport-type { ftp | sftp } username user-name password
password-value file file-name merge [ relative ] command to load the
configuration file on an IPv6 server and deliver configurations to the local
device.
● Run the load configuration server http url url-address [ vpn-instance vpn-
instance-name ] merge [ relative ] command to load the configuration file
on the server at a specified URL and deliver configurations to the local device.
NOTE

Manually constructing a configuration file is not recommended. If the format of a manually
constructed configuration file is incorrect, the configuration restoration may fail or an error
may occur during the configuration restoration.
The specified configuration file to be loaded must exist and meet the following conditions:
● The configuration file can contain only configuration commands, view switching
commands, and pound signs (#). If you load other types of commands, such as display
commands used for query, reset/save/ping commands used for maintenance, quit,
commit, return, upgrade-compatible commands, and one-phase configuration
validation commands, the device reports an error and continues to load follow-up
commands.
● The interactive commands in the configuration file support only Y/N automatic
interaction.
● The indentation of commands in the configuration file must be correct. In the
configuration file, the commands in the system view and the level-1 view under the
system view must be left-aligned, the commands in the level-1 view must be indented
by one space, and each subsequent view must be indented by one more space.
● If the pound sign (#) is left-aligned, the system view is displayed. If the pound sign (#)
is indented, it is used only to isolate command blocks; in this case, the pound sign (#)
must be aligned with the first command in the following command block. If the pound
sign (#) is incorrectly used, configurations may be lost, or commands may be run in
an unexpected view.
● The configuration file name extension must be .zip, .cfg, .txt, .dat, or .bat, or the
file must be a text file without a suffix. For FTP or SFTP, the file name may also
include a server directory. The file name must not contain the special characters
"~" "?" "*" "/" "\" ":" """ "|" "<" ">" "[" "]".
– Both .cfg and .txt files are text files whose content can be directly viewed. If a .cfg
or .txt file is specified as the configuration file to be loaded, the system restores
the commands in the file one by one during the replacement process.
– A .zip file is obtained by compressing a .cfg file, occupying less space. If a .zip file
is specified as the configuration file to be loaded, the system decompresses the
file into a .cfg file, and then restores the commands in the file one by one.
The .cfg file must have the same name as the .zip file. Otherwise, the
configuration file fails to be loaded.
– A .dat file is a compressed file, which can be in binary or text mode. Only a .dat
file exported from a Huawei device is supported, and the file cannot be modified
manually. Otherwise, the file fails to be loaded.
– A .bat file is used for batch processing. It is a text file that can be modified
manually.

Step 3 After loading the configuration file, run commit
The configuration is committed.

----End

1.1.7.6.6 Specifying the Configuration File to Be Loaded at the Next Startup


You can specify a configuration file to be loaded at the next startup of the system.

Context
After the system restarts, it uses the specified configuration file to restore
configurations.

Procedure
● Run startup saved-configuration configuration-file

A configuration file to be loaded at the next startup is specified.

NOTE

Manually constructing a configuration file is not recommended. If the format of a
manually constructed configuration file is incorrect, the configuration restoration may
fail or an error may occur during the configuration restoration.
The configuration file for the next startup must exist and meet the following
requirements:
● The extension of the configuration file must be .dat, .zip, or .cfg. In addition, the
system startup configuration file must be saved in the root directory of the storage
device.
● The configuration file can contain only configuration commands, view switching
commands, and pound signs (#). If you load other types of commands, such as
display commands used for query, reset/save/ping commands used for
maintenance, quit, commit, return, upgrade-compatible commands, and one-phase
configuration validation commands, the device reports an error and continues to
load follow-up commands.
● The interactive commands in the configuration file support only Y/N automatic
interaction.
● The indentation of commands in the configuration file must be correct. In the
configuration file, the commands in the system view and the level-1 view under
the system view must be left-aligned, the commands in the level-1 view must be
indented by one space, and each subsequent view must be indented by one more
space.
● If the pound sign (#) is left-aligned, the system view is displayed. If the pound sign
(#) is indented, it is used only to isolate command blocks; in this case, the pound
sign (#) must be aligned with the first command in the following command block.
If a large amount of configuration data exists, it takes a long time to load the
configuration data during the startup of the device.
● Run the startup default-configuration configuration-file command to
configure or update the default configuration file of the system.

If no configuration file is specified for the next startup, the default
configuration file will be used during system startup.

NOTE

● The extension of the configuration file must be .defcfg, and the configuration file
must have been stored in the root directory of the device before being specified as
the default configuration file.
● The size of the default configuration file cannot exceed 50 KB.
● Exercise caution when running this command. If this command is required, run it
with assistance from technical support personnel.

----End
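The format rules in this section and in 1.1.7.6.5 Loading Configuration Files are
the same apart from the accepted file name extensions. The following Python
script is an added example, not Huawei code and not part of this guide: it
checks a configuration file against those rules before it is loaded or set as
the next-startup file. It rejects forbidden extensions and characters in the
file name, flags non-configuration commands such as display and reset, checks
that nested views are indented by one extra space each, verifies that the first
command after an indented pound sign lines up with it, and reports each
violation with its line number while continuing past it, as the device does.
The keyword list, the file-name checks and the two sample files are this
example's own; it does not know which commands open a view, so it infers
nesting from indentation alone.

```python
"""Static checks for a Huawei VRP configuration file before it is loaded.

Added example, not Huawei code. It applies the file-format rules in the
guide; the keyword list, file-name checks and sample files are assumptions
made for this example.
"""

# Commands the guide says must not appear in a file to be loaded.
NON_CONFIG_COMMANDS = ("display", "reset", "save", "ping", "quit", "commit",
                       "return", "upgrade-compatible")

# Characters the guide says a file name to be loaded must not contain.
FORBIDDEN_NAME_CHARS = set('~?*/\\:"|<>[]')

# Extensions accepted for 'load configuration' and for the next-startup file.
ALLOWED_SUFFIXES = {
    "load": (".zip", ".cfg", ".txt", ".dat", ".bat"),
    "startup": (".dat", ".zip", ".cfg"),
}

# Constructed sample that follows every rule.
GOOD_CFG = """\
#
sysname NE9000-A
#
interface LoopBack0
 ip address 10.255.0.1 255.255.255.255
#
bgp 65001
 peer 10.0.0.2 as-number 65002
 #
 ipv4-family unicast
  peer 10.0.0.2 enable
#
"""

# Constructed sample with an indentation jump, a query command and a
# misaligned block after an indented pound sign.
BAD_CFG = """\
#
sysname NE9000-B
#
interface LoopBack0
   ip address 10.255.0.2 255.255.255.255
#
display current-configuration
#
bgp 65001
 #
peer 10.0.0.2 as-number 65002
"""


def check_file_name(name, purpose="load"):
    """True if `name` is acceptable for 'load' or 'startup' use.

    The forbidden-character check is applied to both purposes here, which
    is this example's choice; the guide states it for loading only.
    """
    if any(ch in FORBIDDEN_NAME_CHARS for ch in name):
        return False
    if "." not in name:
        return purpose == "load"   # a suffix-less text file is accepted only for loading
    return name.lower().endswith(ALLOWED_SUFFIXES[purpose])


def check_config_text(text):
    """Return (views, issues) for a configuration file's text.

    views  : list of (indent, command); indent 0 is the system view.
    issues : list of (line_number, message); the file is clean if empty.
    """
    views, issues = [], []
    prev_indent = 0        # indent of the previous command line
    pending_hash = None    # (line_no, indent) of a '#' awaiting its block
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        if body == "#":
            pending_hash = (line_no, indent)
            if indent == 0:
                prev_indent = 0          # left-aligned '#': back to the system view
            continue
        if pending_hash is not None:
            hash_line, hash_indent = pending_hash
            if indent != hash_indent:
                issues.append((line_no, f"block after '#' on line {hash_line} starts "
                                        f"at indent {indent}, expected {hash_indent}"))
            pending_hash = None
        elif indent > prev_indent + 1:
            issues.append((line_no, f"indent jumps from {prev_indent} to {indent}; "
                                    "each nested view adds exactly one space"))
        keyword = body.split()[0]
        if keyword in NON_CONFIG_COMMANDS:
            issues.append((line_no, f"'{keyword}' is not a configuration command; "
                                    "the device reports an error and continues"))
        views.append((indent, body))
        prev_indent = indent
    return views, issues


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        _, found = check_config_text(cfg)
        print(label, "issues:", found or "none")
```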

1.1.7.6.7 Clearing a Configuration File


You can clear the configuration file that is loaded at the current startup of the
system. This section describes how to clear the configuration file that has been
loaded to a device and how to delete configurations from an interface at a time.

Context
The configuration file needs to be cleared in either of the following situations:
● The system software does not match the configuration file after the router is
upgraded.
● The configuration file is damaged or an incorrect configuration file is loaded.

Procedure
● Clear the currently loaded configuration file.
Run reset saved-configuration
The configuration file loaded at the current startup is cleared.

NOTE

Before clearing the configuration file of the router, the system compares the
configuration file loaded at the current startup with that to be loaded at the next
startup.
● If the two configuration files are the same, running this command clears both of
them. To ensure that a configuration file is available at the next startup, you must
specify a configuration file on the router.
● If the two configuration files are different, running this command clears only the
configuration file loaded at the next startup.
● If the configuration file loaded at the current startup of the router is empty and
this command is run, the system displays a message, indicating that the
configuration file does not exist.
Exercise caution when running this command. If this command is required, run it with
assistance from Huawei technical support personnel.
● Delete all configurations from an interface at a time.
You can delete configurations from an interface at a time using either of the
commands listed in Table 1-33.

Table 1-33 Deleting all configurations from an interface at a time

View: System view
Command: clear configuration interface interface-type interface-number
Description: Deletes all configurations from a specified interface. Note that
the command is run in the system view, and you need to remember the type and
number of the interface whose configurations are to be deleted.
Precautions: Exercise caution when running either command.

View: Interface view
Command: clear configuration this
Description: Deletes all configurations from the current interface at a time.
NOTE: You cannot run this command in the controller interface view.
Precautions: Exercise caution when running either command.

● Delete the default configuration file.
Run reset default-configuration
The default configuration file on the device is deleted.

NOTE

Exercise caution when running this command. If this command is required, run it with
assistance from Huawei technical support personnel.
● Delete the non-activated configuration data of absent boards.
a. Run system-view
The system view is displayed.
b. Run clear inactive-configuration { slot slot-id [ card card-number ] | all }
The non-activated configurations are deleted.
----End

1.1.7.6.8 Enabling Automatic Database Information Verification

Context
The device data is saved in the central database and service process databases.
Each service process database needs to synchronize data from the central
database. If the data in a service process database is inconsistent with that in
the central database, the host behaviors may not meet operator expectations,
causing service function exceptions. Therefore, automatic data verification
needs to be enabled to periodically check data consistency between service
process databases and the central database. If any inconsistency is detected, an
alarm is reported immediately so that you can analyze the impact on services in
a timely manner. You can restart the board or device to rectify the fault.

NOTE

This configuration process is supported only on the Admin-VS.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run set configuration appdata auto-check enable
The function to automatically check whether data in the service process database
is the same as that in the central database is enabled.
Step 3 Run commit
The configuration is committed.

----End

1.1.7.6.9 Enabling a Device to Automatically Check the Configuration Data
Consistency Between Its Master and Slave Main Control Boards
After a device is enabled to automatically check the configuration data
consistency between its master and slave main control boards, it will report an
alarm for any configuration inconsistency, prompting you to analyze the impact of
the inconsistency on the device.

Context
In normal situations, configuration data is consistent between the master and
slave main control boards of a device. If the configuration data is inconsistent and
a master/slave main control board switchover happens to occur, the configuration
data on the original master main control board will be lost. To prevent this
problem, run the configuration inconsistent slave detect enable command to
enable a device to automatically check the configuration data consistency at a
specified time. If data inconsistency is detected, the device immediately reports an
alarm, prompting you to analyze the impact of the inconsistency on the device. To
remove this inconsistency, you can save the current configuration and then restart
the device.

NOTE
This configuration process is supported only on the Admin-VS.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run configuration inconsistent slave detect enable
The device is enabled to automatically check the configuration data consistency
between its master and slave main control boards.
Step 3 Run commit
The configuration is committed.

----End

1.1.7.6.10 Locking the System Configuration


This section describes how to lock the system configuration when multiple users
manage a device at the same time. This operation avoids the inconsistency
between the controller and forwarder.

Context
Multiple users can access a device and manage it. A user can be a controller or
another type of user. If the configuration of a forwarder is modified by a non-
controller user, the configurations of the controller and forwarder may be
inconsistent. The following steps can be used to specify the controller to lock the
system configuration of a forwarder to avoid the inconsistency.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run configuration exclusive by-user-name user-name
The system configuration is locked by a specified user.
Step 3 Run commit
The configuration is committed.

----End

Follow-up Procedure
Run the display configuration exclusive by-user-name command to view lock
information of the system configuration locked based on user name.

1.1.7.6.11 Using a Configuration Template to Deliver Configurations


Configurations in different views may be identical. To simplify the configurations,
create a configuration template, define configurations that are duplicate in
different views in it, and apply the configuration template to specified views.

Context
Configurations in different views may be identical. To simplify the configurations,
create a configuration template, define configurations that are duplicate in
different views in it, and apply the configuration template to specified views.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run command group group-name
A configuration template is created, and the configuration template view is
displayed.
Step 3 Before you configure a service view instance, enter the service view instance. For
example, in the interface view, run interface interface-group-name
The configuration template is associated with Loopback interfaces.

NOTE

Run service view instance commands using regular expressions in the configuration
template view. For example, run the interface <Loopback.> command to associate
loopback interfaces on the device with the current configuration template.

Table 1-34 Special characters in regular expressions and their functions

Special character: \
Function: Defines an escape character, which is used to mark the next
character (common or special) as a common character.
Example: \* matches *.

Special character: ^
Function: Matches the start position of the string.
Example: ^10 matches 10.10.10.1 but not 2.2.2.2.

Special character: $
Function: Matches the end position of the string.
Example: 1$ matches 10.10.10.1 but not 10.10.10.2.

Special character: *
Function: Matches the preceding element zero or more times.
Example: 10* matches 1, 10, 100, 1000, and so on. (10)* matches null, 10,
1010, 101010, and so on.

Special character: +
Function: Matches the preceding element once or more times.
Example: 10+ matches 10, 100, 1000, and so on. (10)+ matches 10, 1010,
101010, and so on.

Special character: ?
Function: Matches the preceding element zero times or once.
Example: 10? matches 1 or 10. (10)? matches null or 10.
NOTE: Huawei datacom devices do not support regular expressions with ?. When
a regular expression containing ? is entered on a Huawei datacom device, help
information is displayed instead.

Special character: .
Function: Matches any single character.
Example: a.b matches any string that starts with a, ends with b, and contains
three characters. 0.0 matches 0x0, 020, and so on. .oo matches book, look,
tool, and so on.

Special character: ()
Function: Matches and obtains a string within the parentheses. If the
parentheses are empty, the string is equivalent to a null string. If a pattern
string has only (), it can match any string. If the right parenthesis in a
pattern string has no matching left parenthesis, the right parenthesis is used
as a common character. If the left parenthesis in a pattern string has no
matching right parenthesis, the pattern string is invalid.
Example: 100(200)+ matches 100200, 100200200, and so on. (ab) matches abcab.
() can match any string. a()b matches 12ab12. a)b matches za)bc. a(b is an
invalid pattern string.

Special character: _
Function: Matches a sign, such as a comma (,), left brace ({), right brace
(}), left parenthesis ((), right parenthesis ()), or space. The underscore (_)
can be used at the beginning of a regular expression with the same function as
the caret (^) or at the end of a regular expression with the same function as
the dollar sign ($).
Example: _65001_ matches 20 65001 30, 20 65001, 65001 30, 65001, and so on.

Special character: x|y
Function: Matches x or y.
Example: 100|200 matches 100 or 200. 1(2|3)4 matches 124 or 134 but not 1234,
14, 1224, or 1334.

Special character: [xyz]
Function: Matches any one character listed in the brackets. It cannot
simultaneously match multiple characters or match the same character multiple
times.
Example: [123] matches 2 in 255. [abc] matches the characters a, b, and c.

Special character: [^xyz]
Function: Matches any character other than x, y, and z in a character string.
That is, it matches any string with at least one character that is not x, y,
or z.
Example: [^123] matches any character except 1, 2, and 3. [^abc] matches any
character except a, b, and c.

Special character: [a-z]
Function: Matches any one character within the specified range. It cannot
simultaneously match multiple characters or match the same character multiple
times.
Example: [0-9] matches any character within the specified range. [a-z]
matches any character within the specified range. [z-a] is an invalid pattern
string.

Special character: [^a-z]
Function: Matches any character outside the specified range. That is, it
matches any string with at least one character that is outside the range a
to z.
Example: [^0-9] matches all non-digit characters. [^a-z] matches all
non-letter characters. [^z-a] is an invalid pattern string.

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

Step 4 Configure the data to be delivered. In the following example, IPv6 is
enabled. Run ipv6 enable
IPv6 is enabled.

Step 5 (Optional) Run display this command group candidate merge
Configurations in the configuration template are displayed.
Step 6 (Optional) Run display this command group candidate
Changed configurations in the configuration template are displayed.

Step 7 Run end-group
The configuration is committed, and the system view is displayed.
If the existing configuration template is not needed, run the abort command to
discard the existing configuration template and exit the configuration template
view.
Step 8 Run interface interface-type interface-number
Loopback interfaces are created.
Step 9 Run apply-command-group group-name & < 1-8 >
The configuration template is applied to the view.

NOTE

● If this command is run in the system view, the device delivers the configurations in the
configuration template to all matching service view instances.
● If this command is run in a specified service view instance, the device delivers the
configurations in the configuration template to the specified service view instance.
● Multiple configuration templates can apply in a single service view instance.
● Multiple configuration templates can be configured simultaneously in a single apply-
command-group command instance.

If a service view instance does not need configurations in a configuration
template, run the undo command-string command in the configuration template
view to delete the specified service view instance.
If redundant or incorrect configurations exist in a service view instance, access the
specified instance in the configuration template view and run the undo command-
string command to delete the configurations.
NOTE

The command specified in the undo command-string command can only be a service view
instance that is associated with the configuration template or the command that has been
run in that service view instance. If a service view instance is deleted, all configurations in
the configuration template that applies to the instance are also deleted.

----End

Follow-up Procedure
● Run the display current-configuration [ inheritance [ no-comment ] ]
command to check configurations in the configuration template.
● Run the display this [ inheritance [ no-comment ] ] command in a specified
view to view configurations in the configuration template.

1.1.7.6.12 Viewing the Difference Between the Candidate Configuration and
Current Running Configuration
This section describes how to view the difference between the candidate
configuration and current running configuration before the candidate
configuration is committed. If a configuration conflict is found, resolve the conflict
before viewing the configuration difference.

Context
Before committing a set of configuration, you can view the difference between the
modified configuration and current running configuration. If the running
configuration is changed during the period from configuration modification to
configuration difference viewing, a configuration conflict occurs. In addition, an
error message is displayed when you view the configuration difference. In this
case, resolve the configuration conflict so that you can continue to view the
configuration difference.

NOTE

This operation can be performed only in two-phase validation mode.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run display configuration candidate changes
The difference between the candidate configuration and current running
configuration is displayed.
If the system displays a message indicating that the current configuration is
changed, go to Step 3 to resolve the configuration conflict and then perform this
step to view the configuration difference.
Step 3 (Optional) Run refresh configuration candidate
The candidate configuration is updated to resolve the configuration conflict.
If a configuration conflict occurs, perform this step to resolve the conflict.

----End

1.1.7.6.13 Verifying the Configuration of Configuration File Management


You can check information about a specified configuration file, the configuration
file loaded at the current startup, or the configuration file to be loaded at the next
startup.

Prerequisites
The configuration file for the next startup has been loaded.

Procedure
● Run the display configuration configuration-file command to check
information about a specified configuration file.
● Run the display saved-configuration last command to check information
about the configuration file loaded at the current startup.
● Run the display saved-configuration configuration command to check
information about the configuration file to be loaded at the next startup.
● Run the display startup command to check the names of the system
software, the configuration file loaded at the current startup, and the
configuration file to be loaded at the next startup.
----End

1.1.7.6.14 Configuration Replacement

Replacing Configurations
This section describes how to replace the configurations on multiple devices that
share the same source to achieve configuration consistency between the devices.

Usage Scenario
In a scenario where a management server manages a device, the server stores the
configurations required by the device. If the configurations on the management
server change, the configurations on the device also need to be changed
accordingly. In this case, you can load the configuration file on the management
server and use this file to replace the configurations on the device, achieving
configuration consistency between the management server and the device.
If one of the devices with the same configurations encounters a configuration
change, the configurations of other devices must be changed accordingly to keep
configuration consistency. In this case, you can load the configurations on the
device with the configuration change to replace the configurations on the other
devices. This ensures that the configurations on all the devices are the same.
The configuration replacement function can replace the entire configuration file
on the current device or the configuration in a specific view, depending on the
content in the source configuration file to be loaded. If the source configuration
file contains the configurations of an entire device, this function replaces all
configurations on the current device. If the source configuration file contains the
configurations only in a specific view (the configurations saved in a view
automatically carry the <replace/> tag), this function replaces the configurations
in the corresponding view.
This function is supported only in the two-phase configuration validation mode.

Procedure
Step 1 Save configurations in a configuration file.
● To load the configuration file of a local device to replace the current running
configurations, perform the following steps on the local device:
– Run the save [ configuration-file ] command in the user view to save the
configuration file of the entire device.
– Run the save configuration-file command in the service view to save the
configuration file in the corresponding view. Then, return to the user
view.
NOTE

If a local configuration file is loaded to replace the current device configuration, the
local configuration file must be stored in the root directory of the device. The save
command saves a configuration file to the root directory by default.
● To load the configuration file of a remote device to replace the current
running configurations, perform the following steps on the remote device:
– Run the save [ configuration-file ] command in the user view to save the
configuration file of the entire device.

– Run the save configuration-file command in the service view to save the
configuration file in the corresponding view. Then, return to the user
view.
NOTE

If you run the command in a non-user view, the configuration-file parameter must be
specified and the file name extension must be .zip or .cfg.

Step 2 Load the configuration file to replace the current running configurations.
1. Run system-view
The system view is displayed.
2. Run any of the following commands according to the location of the source
configuration file to be loaded:
– Run the load configuration file filename replace [ relative ] command
to load a local configuration file and use it to replace the configuration
file in use.
– Run the load configuration { server ip-address | server ipv6 ipv6-
address } [ vpn-instance vpn-instance-name ] transport-type { ftp |
sftp } username user-name password password file filename replace
[ relative ] command to load the configuration file of a specified remote
server and use it to replace the configuration file in use on the local
device.
– Run the load configuration server http url url-address [ vpn-instance
vpn-instance-name ] [ file filename ] replace [ relative ] command to load a
configuration file on the remote server with a specified URL and use it to
replace the configuration file in use on the local device.

NOTE

The specified configuration file to be loaded must exist and meet the following
conditions:
– The configuration file can contain only configuration commands, view switching
commands, and pound signs (#). If you load other types of commands, such as
display commands used for query, reset/save/ping commands used for
maintenance, quit, commit, return, upgrade-compatible commands, and one-
phase configuration validation commands, the device reports an error and
continues to load follow-up commands.
– The interactive commands in the configuration file support only Y/N automatic
interaction.
– The indentation of commands in the configuration file must be correct. In the
configuration file, the commands in the system view and the level-1 view under
the system view must be left-aligned, the commands in the level-1 view must be
indented by one space, and each subsequent view must be indented by one more
space.
– If the pound sign (#) is left-aligned, the system view is displayed. If the pound
sign (#) is indented, it is used only to isolate command blocks; in this case, the
pound sign (#) must be aligned with the first command in the following
command block. If the pound sign (#) is incorrectly used, configurations may be
lost, or commands may be run in an unexpected view.
– The configuration file name extension must be .zip, .cfg, .txt, .dat, or .bat, or the
file name does not have an extension. In FTP or SFTP mode, a file name can
contain a server directory. A file name does not contain the following special
characters: ~, ?, *, /, \, :, ", |, <, >, [, and ].

▪ Both .cfg and .txt files are text files whose content can be directly viewed. If
a .cfg or .txt file is specified as the configuration file to be loaded, the
system restores the commands in the file one by one during the
replacement process.

▪ A .zip file is obtained by compressing a .cfg file, occupying less space. If a .zip file is specified as the configuration file to be loaded, the system decompresses the file into a .cfg file, and then restores the commands in the file one by one. The .cfg file must have the same name as the .zip file. Otherwise, the configuration file fails to be loaded.

▪ A .dat file is a compressed file, which can be in binary or text mode. Only
a .dat file exported from a Huawei device is supported, and the file cannot
be modified manually. Otherwise, the file fails to be loaded.

▪ A .bat file is used for batch processing. It is a text file that can be modified
manually.
3. (Optional) Run display configuration candidate
Check whether the post-replacement configurations meet the expectation.
– If the configurations meet the expectation, go to sub-step 4.
– If the configurations do not meet the expectation, run the clear configuration candidate command to clear the configurations and perform sub-step 2 again to load a correct configuration file.
4. Run commit
The configuration is committed.

----End
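A file that fails the conditions in the NOTE above is only partly loaded (the device reports each bad command and continues), so it is worth checking the file before it replaces the running configuration. The following script is an added example, not Huawei's code: it applies the file name, command type and indentation rules exactly as the NOTE states them, so that a file exported from a management server can be rejected offline. The two sample files are constructed for illustration, and the assumption that only the last path component is checked for special characters (the guide allows a server directory in FTP/SFTP mode) is the example's own.

```python
"""Pre-load checks for a configuration file in the layout this guide describes.

Added example, not Huawei's code: the forbidden command types, the permitted
file name extensions and characters, and the indentation and pound-sign rules
come from the NOTE above; the sample files below are constructed.
"""
import posixpath
from typing import List

# Command types the guide says may not appear in a file to be loaded.
FORBIDDEN_COMMANDS = ("display", "reset", "save", "ping", "quit", "commit",
                      "return", "upgrade-compatible")

# Permitted extensions; "" stands for a file name without an extension.
ALLOWED_EXTENSIONS = {"", ".zip", ".cfg", ".txt", ".dat", ".bat"}

# Characters the guide says a file name must not contain.
FORBIDDEN_NAME_CHARS = set('~?*/\\:"|<>[]')


def check_file_name(name: str) -> List[str]:
    """Check the extension and characters of a file name.

    Assumption: because a server directory is allowed in FTP/SFTP mode, only
    the last path component is checked for special characters.
    """
    problems = []
    base = posixpath.basename(name)
    bad = sorted({c for c in base if c in FORBIDDEN_NAME_CHARS})
    if bad:
        problems.append(f"file name {base!r} contains forbidden characters {bad}")
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"file name {base!r} has unsupported extension {ext!r}")
    return problems


def check_commands(lines: List[str]) -> List[str]:
    """Flag the command types the device rejects while loading a file."""
    problems = []
    for no, raw in enumerate(lines, 1):
        text = raw.strip()
        if not text or text == "#":
            continue
        keyword = text.split()[0]
        if keyword in FORBIDDEN_COMMANDS:
            problems.append(f"line {no}: '{keyword}' commands are not allowed in a file to be loaded")
    return problems


def check_indentation(lines: List[str]) -> List[str]:
    """Check the indentation and pound-sign rules.

    The checker does not know which commands enter a view, so it enforces the
    conditions that follow from the guide's rules: a command may be indented at
    most one space deeper than the command before it, the first command after a
    left-aligned '#' is in the system view (no indentation), and an indented '#'
    must align with the first command of the block that follows it.
    """
    problems = []
    max_indent = 0          # deepest indentation allowed for the next command
    pending_hash = None     # (line number, indent) of an indented '#'
    for no, raw in enumerate(lines, 1):
        text = raw.strip()
        if not text:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if text == "#":
            if indent == 0:
                max_indent = 0      # left-aligned '#': back to the system view
                pending_hash = None
            else:
                pending_hash = (no, indent)
            continue
        if pending_hash is not None:
            hash_no, hash_indent = pending_hash
            if hash_indent != indent:
                problems.append(f"line {hash_no}: indented '#' must align with the first "
                                f"command of the following block (line {no})")
            pending_hash = None
        if indent > max_indent:
            problems.append(f"line {no}: indented by {indent} spaces, at most {max_indent} allowed here")
        max_indent = indent + 1     # the next line may enter one view deeper
    return problems


def check_configuration_file(name: str, content: str) -> List[str]:
    """Run all checks; an empty list means the file passed."""
    lines = content.splitlines()
    return check_file_name(name) + check_commands(lines) + check_indentation(lines)


# Constructed sample in the layout the guide's own configuration files use.
GOOD_CONFIG = "#\nsysname HUAWEI\n#\ninterface GigabitEthernet1/0/4\n undo shutdown\n ip address 10.1.1.1 255.255.255.0\n#\n"
# Constructed sample that breaks the indentation, '#' alignment and command rules.
BAD_CONFIG = "#\nsysname HUAWEI\n#\ninterface GigabitEthernet1/0/4\n   ip address 10.1.1.1 255.255.255.0\ndisplay this\n #\nreturn\n"

if __name__ == "__main__":
    for name, text in (("ne9000-good.cfg", GOOD_CONFIG), ("ne9000[bad].conf", BAD_CONFIG)):
        print(name)
        for problem in check_configuration_file(name, text) or ["  no problems found"]:
            print("  " + problem)
```

The checker is deliberately conservative: it cannot tell a view-entering command from an ordinary one, so it reports only violations that the rules make impossible, and a file it passes still has to be reviewed with display configuration candidate before commit.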

Verifying the Configuration


● Run the display configuration replace failed command to check information
about configuration replacement failures.
● Run the display configuration replace file command to check the
differences between the new configuration and the target configuration.

Pasting Differential Configurations
If multiple devices share the same source but have different configurations, use this function to paste differential configurations to desired devices so that the configurations on the devices are the same.

Usage Scenario
If one of the devices with the same configurations encounters a configuration
change, the configurations of other devices must be changed accordingly to keep
configuration consistency. In this case, you can query the configuration differences
and use the configuration replacement function to paste the differential
configurations to those devices. This ensures that the configurations on all the
devices are the same.

This function is supported only in the two-phase configuration validation mode.

Prerequisites
The system has been configured, and configuration rollback points have been
generated. The list of configuration rollback points can be viewed using the
display configuration commit list [ verbose ] [ number-of-commits | label ]
command.

Procedure
Step 1 View configuration differences.
● View the differential configurations (with the specified tag) between the
configurations in a specified configuration file on the device and the current
running configurations.
– Run the display configuration changes running file file-name with-tag
command to view the current running configurations that are different
from the configurations in the specified configuration file.
– Run the display configuration changes file file-name running with-tag
command to view the specified configuration file's configurations that are
different from the current running configurations.
– Run the display configuration changes running label label with-tag
command to view the current running configurations that are different
from the configurations with a specified tag.
– Run the display configuration changes label label running with-tag
command to view the configurations (with a specified tag) that are
different from the current running configurations.
● View the configuration change information (with the specified tag) recorded at specified configuration rollback points.
– Run the display configuration commit changes [ at commit-id | since commit-id | last number-of-commits ] with-tag command to check the configuration change information (with the specified tag) recorded at specified configuration rollback points.

Step 2 Copy the differential configurations and paste them to the local device to replace
the current running configurations of the device.
1. Run system-view
The system view is displayed.
2. Run load configuration terminal
The configuration difference pasting view is displayed.
To paste the differential configurations in the configuration difference pasting view, perform the following steps:
a. After entering the configuration difference pasting view, copy and paste the queried differential configurations to the current device.
b. After pasting differential configurations, enter end-diff or abort.
▪ end-diff: Ends the pasting and exits from the configuration difference pasting view.
▪ abort: Cancels the pasting and exits from the configuration difference pasting view.
3. (Optional) Run display configuration candidate
Check whether the post-replacement configurations meet the expectation.
– If the configurations meet the expectation, go to sub-step 4.
– If the configurations do not meet the expectation, run the clear configuration candidate command to clear the configurations and perform sub-step 2 again to paste differential configurations.
4. Run commit

The configuration is committed.

----End
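Both the candidate-versus-running check in 1.1.7.6.12 and the differential configurations queried in Step 1 above rest on the same operation: comparing two configuration files view by view and listing the commands one side adds or removes. The script below is an added example, not Huawei's code; it reproduces that comparison offline in the +/- layout that display configuration commit changes prints, so a differential configuration can be reviewed (or generated from two saved files) before it is pasted. The running and candidate configurations are constructed, and the rendering of an added or removed whole block is the example's own choice, since the guide only shows sub-command changes.

```python
"""Per-view configuration diff in the +/- style of 'display configuration commit changes'.

Added example, not Huawei's code. A configuration file in the layout this guide
describes is parsed into entries ('#' separates blocks, a left-aligned line is a
system-view or view-entering command, indented lines belong to the view above
them), and the second file is compared against the first entry by entry.
The running and candidate configurations below are constructed samples.
"""
from typing import Dict, List


def parse_config(text: str) -> Dict[str, List[str]]:
    """Map each left-aligned command to the indented lines under it."""
    entries: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.strip() == "#":
            current = None                      # block separator
            continue
        if raw.startswith(" "):
            if current is None:
                raise ValueError(f"indented line outside any view: {raw!r}")
            entries[current].append(raw)        # indentation kept for the output
        else:
            current = raw.strip()
            entries.setdefault(current, [])
    return entries


def diff_config(old_text: str, new_text: str) -> List[str]:
    """Return the change lines: '+' for added and '-' for removed commands.

    Entries present on both sides are compared line by line (order-insensitive);
    an entry present on one side only is reported whole. Sub-commands come out
    as the device prints them ('+ ip address ...'); for whole blocks the sign is
    put in front of the left-aligned command (the example's own convention).
    """
    old, new = parse_config(old_text), parse_config(new_text)
    out: List[str] = []
    for key in list(old) + [k for k in new if k not in old]:
        if key in old and key in new:
            removed = [line for line in old[key] if line not in new[key]]
            added = [line for line in new[key] if line not in old[key]]
            if removed or added:
                out += ["#", key] + ["-" + l for l in removed] + ["+" + l for l in added]
        elif key in old:
            out += ["#", "-" + key] + ["-" + l for l in old[key]]
        else:
            out += ["#", "+" + key] + ["+" + l for l in new[key]]
    if out:
        out.append("#")
    return out


# Constructed running configuration (before the change).
RUNNING = """\
#
sysname HUAWEI
#
interface GigabitEthernet1/0/0
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
"""

# Constructed candidate configuration: one address added, one changed, SFTP enabled.
CANDIDATE = """\
#
sysname HUAWEI
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
sftp server enable
#
"""

if __name__ == "__main__":
    print("\n".join(diff_config(RUNNING, CANDIDATE)))
```

Read the output the way the procedure intends: every view that appears in it is one the commit will touch, so a view you did not mean to change (a new service being enabled, for instance) is the cue to run clear configuration candidate rather than commit.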

Replacing Characters
This section describes how to replace a character string on a device. This function
supports batch replacement.

Usage Scenario
If a character string or a type of character string on a device does not meet
requirements, perform the following steps to replace the string in batches. This
function replaces only the character strings in the current view.

This function is supported only in the two-phase configuration validation mode.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run replace configuration pattern src-string with target-string
The source character string is replaced with the target character string.

NOTE

The src-string parameter supports regular expressions. You can use a regular expression to
specify a type of source character string.

Table 1-35 Special characters in regular expressions and their functions

Special character: \
Function: Defines an escape character, which is used to mark the next character (common or special) as a common character.
Example: \* matches *.

Special character: ^
Function: Matches the start position of the string.
Example: ^10 matches 10.10.10.1 not 2.2.2.2.

Special character: $
Function: Matches the end position of the string.
Example: 1$ matches 10.10.10.1 not 10.10.10.2.

Special character: *
Function: Matches the preceding element zero or more times.
Example: 10* matches 1, 10, 100, 1000, and so on. (10)* matches null, 10, 1010, 101010, and so on.

Special character: +
Function: Matches the preceding element once or more times.
Example: 10+ matches 10, 100, 1000, and so on. (10)+ matches 10, 1010, 101010, and so on.

Special character: ?
Function: Matches the preceding element zero times or once.
Example: 10? matches 1 or 10. (10)? matches null or 10.
NOTE: Huawei datacom devices do not support regular expressions with ?. When regular expressions with ? are entered on Huawei datacom devices, helpful information is provided.

Special character: .
Function: Matches any single character.
Example: a.b matches any string that starts with a, ends with b, and contains three characters. 0.0 matches 0x0, 020, and so on. .oo matches book, look, tool, and so on.

Special character: ()
Function: Matches and obtains a string within the parentheses. If the parentheses are empty, the string is equivalent to a null string. If a pattern string has only (), it can match any string. If the right parenthesis in a pattern string has no matching left parenthesis, the right parenthesis is used as a common character. If the left parenthesis in a pattern string has no matching right parenthesis, the pattern string is invalid.
Example: 100(200)+ matches 100200, 100200200, and so on. (ab) matches abcab. () can match any string. a()b matches 12ab12. a)b matches za)bc. a(b is an invalid pattern string.

Special character: _
Function: Matches regular expressions with a sign, such as a comma (,), left brace ({), right brace (}), left parenthesis ((), right parenthesis ()), or space. The underscore (_) can be used at the beginning of a regular expression with the same function as the caret (^) or at the end of a regular expression with the same function as the dollar sign ($).
Example: _65001_ matches 20 65001 30, 20 65001, 65001 30, 65001, and so on.

Special character: x|y
Function: Matches x or y.
Example: 100|200 matches 100 or 200. 1(2|3)4 matches 124 or 134 not 1234, 14, 1224, or 1334.

Special character: [xyz]
Function: Matches any character in the regular expression. It cannot simultaneously match multiple characters or match the same character for multiple times.
Example: [123] matches 2 in 255. [abc] matches characters a, b, and c.

Special character: [^xyz]
Function: Matches characters excluding x, y, and z in a character string. That is, it matches any string with at least one character that is not x, y, or z.
Example: [^123] matches any character except 1, 2, and 3. [^abc] matches any character except a, b, and c.

Special character: [a-z]
Function: Matches any character within a specified range. It cannot simultaneously match multiple characters or match the same character for multiple times.
Example: [0-9] matches any character within the specified range. [a-z] matches any character within the specified range. [z-a] is an invalid pattern string.

Special character: [^a-z]
Function: Matches characters except a, b, c, and d in a character string. That is, it matches any string with at least one character that is beyond the range of a to d.
Example: [^0-9] matches all non-digit characters. [^a-z] matches all non-letter characters. [^z-a] is an invalid pattern string.

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

Step 3 (Optional) Run display configuration candidate
Check whether the post-replacement configurations meet the expectation.
● If the configurations meet the expectation, go to Step 4.
● If the configurations do not meet the expectation, run the clear configuration candidate command to clear the post-replacement string and perform Step 2 to perform string replacement again.

Step 4 Run commit

The configuration is committed.

----End
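The replace configuration pattern command rewrites every command in the current view that the src-string matches, so a pattern that is one character too loose changes lines it should not. The script below is an added example, not Huawei's code: it lets the patterns from Table 1-35 be tried against sample strings and applies a replacement to the commands of one view, returning the rewritten lines and a change count so the result can be reviewed before commit. It relies on Python's re module, whose operators agree with the table except for two points the example handles itself under stated assumptions: the underscore (a literal in Python) and an unmatched right parenthesis (an error in Python, a common character on the device). The view contents are constructed.

```python
"""Table 1-35 patterns and 'replace configuration pattern' applied to one view.

Added example, not Huawei's code. translate_pattern() maps a src-string as
Table 1-35 describes it onto a Python regular expression; replace_in_view()
applies the replacement to the commands of one view and reports what changed.
The sample view below is constructed. Assumptions: a leading '_' means "start
of string or a sign", a trailing '_' means "a sign or end of string", a '_' in
the middle means one sign character, and parentheses inside [...] classes are
not handled.
"""
import re
from typing import List, Tuple

SIGN_CLASS = "[,{}() ]"         # the signs the table says '_' stands for
NOT_SIGN = "[^,{}() ]"


def translate_pattern(src: str) -> str:
    """Rewrite a src-string from Table 1-35 into a Python regular expression."""
    out: List[str] = []
    depth = 0                       # open parentheses not yet closed
    escaped = False
    last = len(src) - 1
    for i, ch in enumerate(src):
        if escaped:                 # character after '\' is taken literally
            out.append(ch)
            escaped = False
        elif ch == "\\":
            out.append(ch)
            escaped = True
        elif ch == "_":
            if i == 0:
                out.append(f"(?<!{NOT_SIGN})")   # preceded by a sign or at the start
            elif i == last:
                out.append(f"(?!{NOT_SIGN})")    # followed by a sign or at the end
            else:
                out.append(SIGN_CLASS)
        elif ch == "(":
            depth += 1
            out.append(ch)
        elif ch == ")" and depth == 0:
            out.append(r"\)")       # unmatched ')' is a common character on the device
        elif ch == ")":
            depth -= 1
            out.append(ch)
        else:
            out.append(ch)
    return "".join(out)


def is_valid(src: str) -> bool:
    """True when the pattern compiles; 'a(b' and '[z-a]' are invalid, as in the table."""
    try:
        re.compile(translate_pattern(src))
        return True
    except re.error:
        return False


def matches(src: str, text: str) -> bool:
    """True when src matches anywhere in text, as the table's examples are phrased."""
    return re.search(translate_pattern(src), text) is not None


def replace_in_view(lines: List[str], src: str, target: str) -> Tuple[List[str], int]:
    """Replace src with target in the commands of one view; return (lines, changed)."""
    regex = re.compile(translate_pattern(src))
    new_lines, changed = [], 0
    for line in lines:
        new = regex.sub(lambda m: target, line)   # target inserted literally, not as a template
        changed += new != line
        new_lines.append(new)
    return new_lines, changed


# Constructed view: two peers in AS 65001 and one in AS 165001.
BGP_VIEW = [
    " peer 10.1.1.2 as-number 65001",
    " peer 10.1.1.6 as-number 65001",
    " peer 10.1.1.10 as-number 165001",
]

if __name__ == "__main__":
    # '_65001_' changes the first two peers only; '65001' alone would also hit 165001.
    for pattern in ("_65001_", "65001"):
        new, n = replace_in_view(BGP_VIEW, pattern, "65002")
        print(f"{pattern}: {n} line(s) changed")
        print("\n".join(new))
```

The two runs in the block are the point of the underscore row in the table: the sign-bounded pattern leaves 165001 alone, while the bare number rewrites it as well. Note that the table states ? is not supported on Huawei datacom devices; re accepts it, so a pattern that works in this script may still be rejected on the device.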

1.1.7.7 Configuration Examples for Configuration Management
This section provides configuration management examples.

1.1.7.7.1 Example for Configuring Services in Immediate Validation Mode
This section describes how to configure services on a router in immediate validation mode.


Networking Requirements
As shown in Figure 1-47, the router is connected to the PC.

Figure 1-47 Configuring services in immediate validation mode

To enable services to take effect immediately after they are configured, configure
the services in immediate validation mode.

After you enter a command and press Enter, the system performs a syntax check.
If the check is successful, the configuration immediately takes effect.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the immediate validation mode.
2. Configure a service.

Data Preparation
To complete the configuration, you need an interface IP address.

Procedure
Step 1 Configure the immediate validation mode.
<HUAWEI> system-view immediately

Step 2 Configure a service.
# Set the IP address of GigabitEthernet 1/0/4 to 10.1.1.1 on the router.
[HUAWEI] interface GigabitEthernet 1/0/4
[HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.1 255.255.255.0
#


1.1.7.7.2 Example for One User to Configure Services After Another User Locks
Configurations in Two-Phase Validation Mode
This section provides an example for one user to configure services on a router
after another user locks configurations.

Networking Requirements
As shown in Figure 1-48, both user A and user B log in to the router. After user A locks configurations on the router, user B attempts to configure services on the router.

Figure 1-48 Networking for one user to configure services after another user locks
configurations in two-phase validation mode

To use the running database exclusively, lock configurations on the router to prevent other users from configuring services or committing configurations. In this case, the system displays a message indicating that the configuration is locked by a user when other users attempt to perform configurations. Other users can configure services in the running database only after you unlock configurations.

Configuration Roadmap
The configuration roadmap is as follows:

1. Simulate a situation in which user A locks configurations.
2. Simulate a situation in which user B configures a service.

Data Preparation
To complete the configuration, you need an interface IP address.

Procedure
Step 1 Simulate a situation in which user A locks configurations.
<HUAWEI> configuration exclusive

Step 2 Simulate a situation in which user B configures a service.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24
[*HUAWEI-GigabitEthernet1/0/4] commit
Error: The configuration is locked by other user. [Session ID = 407]

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
#

1.1.7.7.3 Example for Multiple Users to Perform the Same Configuration for a
Service in Two-Phase Validation Mode
This section provides an example for multiple users to perform the same
configuration for a service on one router in two-phase validation mode.

Networking Requirements
As shown in Figure 1-49, both user A and user B log in to the router. After user A configures a service on the router, user B performs the same configuration for the service on the router.

Figure 1-49 Networking for multiple users to perform the same configuration for a service in two-phase validation mode

When the configuration committed by user B is the same as that committed by user A, the system notifies user B that the configuration conflicts with an existing configuration.

Configuration Roadmap
The configuration roadmap is as follows:
1. Simulate a situation in which user A and user B perform the same
configuration for a service.
2. Simulate a situation in which user A commits the configuration.
3. Simulate a situation in which user B commits the configuration.

Data Preparation
To complete the configuration, you need an interface IP address.


Procedure
Step 1 Simulate a situation in which user A and user B perform the same configuration
for a service.
● Simulate a situation in which user A sets the IP address of GigabitEthernet
1/0/4 to 10.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24

● Simulate a situation in which user B sets the IP address of GigabitEthernet 1/0/4 to 10.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24

Step 2 Simulate a situation in which user A commits the configuration.
[*HUAWEI-GigabitEthernet1/0/4] commit

Step 3 Simulate a situation in which user B commits the configuration.

The system notifies user B that the configuration conflicts with an existing
configuration.
[*HUAWEI-GigabitEthernet1/0/4] commit
ip address 10.1.1.1 24
Error: The address already exists.

Commit canceled, the configuration conflicted with other user, you can modify
the configuration and commit again.

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.1 255.255.255.0
#

1.1.7.7.4 Example for Multiple Users to Perform Different Configurations for a Service in Two-Phase Validation Mode
This section provides an example for multiple users to perform different configurations for a service on one router.

Networking Requirements
As shown in Figure 1-50, both user A and user B log in to the router. After user A configures a service on the router, user B performs a different configuration for the service on the router. For example, user A and user B configure different IP addresses on the same interface.


Figure 1-50 Networking for multiple users to perform different configurations for
a service in two-phase validation mode

The configuration committed by user B overwrites that committed by user A.

Configuration Roadmap
The configuration roadmap is as follows:
1. Simulate a situation in which user A and user B perform different
configurations for a service.
2. Simulate a situation in which user A commits the configuration.
3. Simulate a situation in which user B commits the configuration.

Data Preparation
To complete the configuration, you need different interface IP addresses.

Procedure
Step 1 Simulate a situation in which user A and user B perform different configurations
for a service.
● Simulate a situation in which user A sets the IP address of GigabitEthernet
1/0/4 to 10.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24

● Simulate a situation in which user B sets the IP address of GigabitEthernet 1/0/4 to 10.1.1.2 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.2 24

Step 2 Simulate a situation in which user A commits the configuration.
[*HUAWEI-GigabitEthernet1/0/4] commit

Step 3 Simulate a situation in which user B commits the configuration.
[*HUAWEI-GigabitEthernet1/0/4] commit

The following command output indicates that the configuration committed by user B has overwritten that committed by user A.
[~HUAWEI-GigabitEthernet1/0/4] display this
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.2 255.255.255.0
return

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.2 255.255.255.0
#

1.1.7.7.5 Example for Multiple Users to Configure Different Services in Two-Phase Validation Mode
This section provides an example for multiple users to configure different services on a router.

Networking Requirements
As shown in Figure 1-51, both user A and user B log in to the router. User A and user B configure different services on the router.

Figure 1-51 Networking for multiple users to configure different services in two-
phase validation mode

The configurations committed by user A and user B both take effect.

Configuration Roadmap
The configuration roadmap is as follows:

1. Simulate a situation in which user A and user B configure different services.
2. Simulate a situation in which user A commits the configuration.
3. Simulate a situation in which user B commits the configuration.

Data Preparation
To complete the configuration, you need an interface IP address.


Procedure
Step 1 Simulate a situation in which user A and user B configure different services.
● Simulate a situation in which user A sets the IP address of GigabitEthernet
1/0/4 to 10.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/4
[~HUAWEI-GigabitEthernet1/0/4] ip address 10.1.1.1 24

● Simulate a situation in which user B enables the SFTP server function.
<HUAWEI> system-view
[~HUAWEI] sftp server enable

Step 2 Simulate a situation in which user A commits the configuration.
[*HUAWEI-GigabitEthernet1/0/4] commit

Step 3 Simulate a situation in which user B commits the configuration.
[*HUAWEI-GigabitEthernet1/0/4] commit

The following command output indicates that the configuration committed by user B has been added to the configuration file.
<HUAWEI> display current-configuration
#
sftp server enable
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.1 255.255.255.0

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
sftp server enable
#
return

1.1.7.7.6 Example for Configuration Rollback
This section provides an example for configuration rollback where a user detects an IP address configuration error and expects system configurations to roll back to what they were before the IP addresses were configured.

Networking Requirements
As shown in Figure 1-52, a user logs in to the router and configures IP addresses for interfaces on the router. After the IP addresses of interfaces are configured, the user detects an IP address planning error and expects to reconfigure the IP addresses of interfaces. Traditionally, the user must delete the IP addresses one by one and reconfigure them.

Configuration rollback simplifies configuration restoration. Configuration rollback allows the user to easily roll system configurations back to what they were before the IP addresses were configured.

Figure 1-52 Configuration rollback


NOTE

Interfaces 1 through 4 in this example represent GE 1/0/0, GE 1/0/1, GE 1/0/2, and GE 1/0/3,
respectively.

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure IP addresses for interfaces on the router.
2. Check information about configuration rollback points and configuration changes at the most recent configuration rollback points.
3. Perform configuration rollback by selecting a configuration rollback point to
which system configurations are expected to roll back or the number of
configuration rollback points that a configuration rollback operation is
expected to undergo.

Data Preparation
To complete the configuration, you need the following data:

● GE 1/0/0, GE 1/0/1, GE 1/0/2, and GE 1/0/3 on the router
● IP addresses for the preceding interfaces: 10.0.0.1/30, 10.0.1.1/30, 10.0.2.1/30, and 10.0.3.1/30


Procedure
Step 1 Configure IP addresses for GE 1/0/0, GE 1/0/1, GE 1/0/2, and GE 1/0/3 on the
router.
<HUAWEI> system-view
[~HUAWEI] interface gigabitethernet 1/0/0
[~HUAWEI-GigabitEthernet1/0/0] ip address 10.0.0.1 30
[*HUAWEI-GigabitEthernet1/0/0] quit
[*HUAWEI] interface gigabitethernet 1/0/1
[*HUAWEI-GigabitEthernet1/0/1] ip address 10.0.1.1 30
[*HUAWEI-GigabitEthernet1/0/1] quit
[*HUAWEI] interface gigabitethernet 1/0/2
[*HUAWEI-GigabitEthernet1/0/2] ip address 10.0.2.1 30
[*HUAWEI-GigabitEthernet1/0/2] quit
[*HUAWEI] interface gigabitethernet 1/0/3
[*HUAWEI-GigabitEthernet1/0/3] ip address 10.0.3.1 30
[*HUAWEI-GigabitEthernet1/0/3] quit
[*HUAWEI] commit description IP address
[~HUAWEI] quit

Step 2 Check information about configuration rollback points and the differences
between the previous and current configurations.
# Display information about configuration rollback points.
<HUAWEI> display configuration commit list verbose
1) CommitId: 1000000006
Label: -
User: root
User-Intf: VTY 1
Type: CLI
TimeStamp: 2012-06-29 15:55:20
Description: IP address

2) CommitId: 1000000005
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 11:04:05
Description:

3) CommitId: 1000000004
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 09:57:34
Description:

4) CommitId: 1000000003
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 09:57:21
Description:

5) CommitId: 1000000002
Label: -
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:

6) CommitId: 1000000001
Label: -
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:

# Display the configuration changes at the most recent configuration rollback point.
<HUAWEI> display configuration commit changes last 1
Building configuration

#
interface GigabitEthernet1/0/0
+ ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
+ ip address 10.0.1.1 255.255.255.252
#
interface GigabitEthernet1/0/2
+ ip address 10.0.2.1 255.255.255.252
#
interface GigabitEthernet1/0/3
+ ip address 10.0.3.1 255.255.255.252
#

Step 3 Perform configuration rollback.

# Roll system configurations back to what they were before the most recent
configuration rollback point was created.

NOTE

In this example, the rollback configuration last 1 command has the same return result as
the rollback configuration to commit-id 1000000005 command, both indicating that
system configurations are rolled back to what they were before configuration rollback point
6 was generated.
<HUAWEI> rollback configuration last 1

# After the configuration rollback operation is complete, check whether a configuration rollback point has been generated.
<HUAWEI> display configuration commit list verbose
1) CommitId: 1000000007
Label: -
User: root
User-Intf: VTY 1
Type: ROLLBACK
TimeStamp: 2012-06-29 15:58:22
Description:

2) CommitId: 1000000006
Label: -
User: root
User-Intf: VTY 1
Type: CLI
TimeStamp: 2012-06-29 15:55:20
Description: IP address

3) CommitId: 1000000005
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 11:04:05
Description:

4) CommitId: 1000000004
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 09:57:34
Description:

5) CommitId: 1000000003
Label: -
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 09:57:21
Description:

6) CommitId: 1000000002
Label: -
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:

7) CommitId: 1000000001
Label: -
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:

Step 4 Verify the configuration.

# Check that the configuration rollback operation is successful.
<HUAWEI> display current-configuration interface
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/3
undo shutdown
#

----End

Configuration Files
None.
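The rollback-point listing and the change diff shown in this example are plain text that an operator, or an audit script, has to read back. As an added example (not Huawei code), the Python below parses both formats from constructed samples modelled on the output above, resolves a rollback configuration last N request to the commit ID that the NOTE in Step 3 equates it with, and flags rollback points that cannot be attributed to a documented change. The audit rule is this example's own, not a device feature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of 'display configuration commit list verbose', newest first
# (modelled on the guide's output, not captured from a device; Label lines omitted).
COMMIT_LIST = """\
1) CommitId: 1000000006
User: root
User-Intf: VTY 1
Type: CLI
TimeStamp: 2012-06-29 15:55:20
Description: IP address

2) CommitId: 1000000005
User: root
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-06-29 11:04:05
Description:

3) CommitId: 1000000004
User: anonymous
User-Intf: CON 1023
Type: CLI
TimeStamp: 2012-06-28 16:31:48
Description:
"""

# Constructed sample of 'display configuration commit changes last 1'.
COMMIT_CHANGES = """\
Building configuration

#
interface GigabitEthernet1/0/0
+ ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
+ ip address 10.0.1.1 255.255.255.252
#
"""

@dataclass
class Commit:
    commit_id: str
    user: str
    user_intf: str
    commit_type: str      # CLI or ROLLBACK in the guide's output
    timestamp: str
    description: str

def parse_commit_list(text: str) -> List[Commit]:
    """One Commit per blank-line-separated entry; the 'N) ' prefix is dropped."""
    commits = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = re.sub(r"^\d+\)\s*", "", line.strip()).partition(":")
            fields[key.strip()] = value.strip()
        commits.append(Commit(fields["CommitId"], fields["User"], fields["User-Intf"],
                              fields["Type"], fields["TimeStamp"],
                              fields.get("Description", "")))
    return commits

def rollback_target(commits: List[Commit], last_n: int) -> str:
    """'rollback configuration last N' undoes the N newest rollback points, so the result
    is the configuration recorded at list entry N+1 (commits[last_n], 0-based)."""
    if not 1 <= last_n < len(commits):
        raise ValueError("last_n must be between 1 and len(commits) - 1")
    return commits[last_n].commit_id

def parse_commit_changes(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each '#'-delimited section (e.g. an interface) to its (sign, command)
    lines, sign being '+' for an added command and '-' for a removed one."""
    changes: Dict[str, List[Tuple[str, str]]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Building configuration"):
            continue
        if line == "#":
            section = ""
        elif line[0] in "+-":
            changes.setdefault(section, []).append((line[0], line[1:].strip()))
        else:
            section = line
    return changes

def audit_commits(commits: List[Commit]) -> List[Tuple[str, str]]:
    """Change-tracking check: rollback points without a description or made by
    the anonymous console user cannot be attributed, so flag them for review."""
    findings = []
    for c in commits:
        if not c.description:
            findings.append((c.commit_id, "no description"))
        if c.user == "anonymous":
            findings.append((c.commit_id, "anonymous user on " + c.user_intf))
    return findings
```

With the sample listing, rollback_target(commits, 1) returns 1000000005, the commit ID the NOTE names for rollback configuration last 1; the audit reports the two undocumented commits and the console commit made without a named user.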

1.1.7.7.7 Example for Managing Configuration Files


This example shows you how to save configurations and set the configuration file
to be loaded at the next startup.

Networking Requirements
As shown in Figure 1-53, the user logs in to the device to manage configuration files.

Figure 1-53 Managing configuration files

Precautions
None

Configuration Roadmap
The configuration roadmap is as follows:
1. Modify configurations.
2. Save configurations in a configuration file.
3. Specify the configuration file to be loaded at the next startup.
4. After a system upgrade, compare the current running configurations with
those defined in the configuration file to be loaded at the next startup to
check whether configurations are lost.

Procedure
Step 1 Modify configurations.
For example, enable the SFTP server function.
<HUAWEI> system-view
[~HUAWEI] sftp server enable
[*HUAWEI] commit
[~HUAWEI] quit

Step 2 Save configurations to the configuration file vrpcfg.cfg.
<HUAWEI> save vrpcfg.cfg
Warning: Are you sure to save the configuration to vrpcfg.cfg? [Y/N]: y

Step 3 Specify the configuration file to be loaded at the next startup.
<HUAWEI> startup saved-configuration vrpcfg.cfg

Step 4 After a system upgrade, compare the current running configurations with those
defined in the configuration file to be loaded at the next startup to check whether
configurations are lost.
<HUAWEI> compare configuration
The current configuration is the same as the next startup configuration file.

----End

Configuration Files
#
sysname HUAWEI
#
sftp server enable

1.1.8 Accessing Other Devices Configuration


The device can function as a client to access other devices on the network.

Context
To manage and configure other devices or operate files on them, access the
devices using Telnet, FTP, TFTP, SCP, STelnet or SFTP from the device that you have
logged in to.

1.1.8.1 Overview of Accessing Other Devices


You can log in to one device and access another device using Telnet, FTP, TFTP,
SCP, STelnet or SFTP.
As shown in Figure 1-54, after you use the terminal emulator or Telnet program
on a PC to connect to the router, you can use Telnet, FTP, TFTP, SCP, STelnet or
SFTP to access other devices from the router functioning as a client.

Figure 1-54 Accessing other devices

Telnet
Telnet is an application layer protocol in the TCP/IP protocol suite and provides
remote login and virtual terminal services. The NE9000 provides the following
Telnet services:
● Telnet server: A user runs the Telnet client program on a PC to log in to the
device to configure and manage the device. The device functions as a Telnet
server.
● Telnet client: After using the terminal emulator or Telnet client program on a
PC to connect to the device, a user runs the telnet command to log in to
another device for configuration and management. The device functions as a
Telnet client. In Figure 1-55, the CE functions as both a Telnet server and a
Telnet client.

Figure 1-55 Telnet server providing the Telnet client service

● Telnet service interruption

Figure 1-56 Usage of Telnet shortcut keys

Two types of shortcut keys can be used to interrupt Telnet connections. As shown in Figure 1-56, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2, and P2 is the Telnet client of P3. The usage of shortcut keys is described as follows:
– Ctrl_]: Instructs the server to disconnect a Telnet connection.
When the network works properly, entering the shortcut key Ctrl_]
causes the Telnet server to interrupt the current Telnet connection.
For example, after you enter Ctrl_] on P3, the <P2> prompt is displayed.
<P3> Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2>
After you enter Ctrl_] on P2, the <P1> prompt is displayed.
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>

NOTE

If the network connection is disconnected, shortcut keys do not take effect.


– Ctrl_K: Instructs the client to disconnect the connection.
When the server fails and the client is unaware of the failure, the server
does not respond to the client's input. If you enter Ctrl_K, the Telnet
client interrupts and quits the Telnet connection.
For example, enter Ctrl_K on P3 to quit the Telnet connection.
<P3> Ctrl_K
<P1>

NOTICE

When the number of remote login users reaches the maximum number
of VTY user interfaces, the system prompts subsequent users with a
message, indicating that all user interfaces are in use and no more Telnet
connections are allowed.

FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer files between local clients and remote servers. FTP uses two TCP connections to copy a file from one system to another. The TCP connections are usually established in client-server mode, one for control (the server port number is 21) and the other for data transmission (the server port number is 20).
● Control connection: issues commands from the client to the server and
transmits replies from the server to the client, minimizing the transmission
delay.
● Data connection: transmits data between the client and server, maximizing
the throughput.
FTP has two file transfer modes:
● Binary mode: is used to transfer program files, such as .app, .bin, and .btm
files.
● ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:
● FTP client: Users can use the terminal emulator or the Telnet program to
connect PCs to the device, and run the ftp command to establish a
connection between the device and a remote FTP server to access and
operate files on the server.
● FTP server: Users can use the FTP client program to log in to the device and
operate files on the device.
Before users log in, the network administrator must configure an IP address
for the FTP server.

TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP)
connections. It uses the UDP port number 69 to transfer files between local hosts
and remote servers. Unlike FTP, TFTP is simple, providing no authentication. It is
applicable to scenarios where complicated interactions between clients and the
server are not required.
TFTP supports both binary and ASCII file transfer modes, which are also supported
by FTP.

NOTE

● Currently, the HUAWEI NetEngine9000 supports only the binary mode for TFTP.
● Currently, the HUAWEI NetEngine9000 can function only as a TFTP client but not a TFTP
server.

TFTP transfer requests are initiated by clients:


● When a TFTP client needs to download files from the server, the client sends a
read request to the TFTP server. The server sends data packets to the client,
and the client acknowledges the data packets.
● When a TFTP client needs to upload a file to the server, the client sends a
write request and then data to the server, and receives acknowledgments
from the server.
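As an added illustration of the read exchange just described (not code from the NE9000 or from Huawei), the Python below implements a minimal RFC 1350 packet codec and runs a simulated download from an in-memory server; the server, the file content and the exchange log are constructed here. The request layout shows directly why TFTP provides no authentication: a read or write request carries only a file name and a transfer mode, so the only access control available is on the network path, which is what the ACL-based TFTP access control later in this chapter provides.

```python
import struct
from typing import Dict, List, Optional, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5     # RFC 1350 opcodes
BLOCK_SIZE = 512                                # a shorter DATA block ends a transfer
ERR_NOT_FOUND, ERR_ILLEGAL_OP = 1, 4            # RFC 1350 error codes

def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    # opcode | filename | NUL | mode | NUL: no field carries credentials, which is
    # why TFTP provides no authentication.
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload

def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)

def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"

def parse_packet(pkt: bytes) -> Dict:
    if len(pkt) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (RRQ, WRQ):
        filename, mode, _ = pkt[2:].split(b"\0", 2)
        return {"op": opcode, "filename": filename.decode(), "mode": mode.decode().lower()}
    second = struct.unpack("!H", pkt[2:4])[0]        # block number or error code
    if opcode == DATA:
        return {"op": DATA, "block": second, "data": pkt[4:]}
    if opcode == ACK:
        return {"op": ACK, "block": second}
    if opcode == ERROR:
        return {"op": ERROR, "code": second, "message": pkt[4:].split(b"\0", 1)[0].decode()}
    raise ValueError(f"unknown opcode {opcode}")

class TftpServer:
    """Constructed in-memory server: one client packet in, one server packet out."""
    def __init__(self, files: Dict[str, bytes]):
        self.files = files
        self.current: Optional[str] = None      # file being read
        self.final_block: Optional[int] = None

    def _data_block(self, block: int) -> bytes:
        start = (block - 1) * BLOCK_SIZE
        payload = self.files[self.current][start:start + BLOCK_SIZE]
        if len(payload) < BLOCK_SIZE:
            self.final_block = block
        return build_data(block, payload)

    def handle(self, pkt: bytes) -> bytes:
        req = parse_packet(pkt)
        if req["op"] == RRQ:
            if req["filename"] not in self.files:
                return build_error(ERR_NOT_FOUND, "File not found")
            self.current, self.final_block = req["filename"], None
            return self._data_block(1)
        if req["op"] == ACK and self.current is not None:
            if req["block"] == self.final_block:   # last block acknowledged: done
                self.current = None
                return b""
            return self._data_block(req["block"] + 1)
        return build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation")

def tftp_read(server: TftpServer, filename: str) -> Tuple[bytes, List[Tuple[str, str, int]]]:
    """Client side of a download: send RRQ, acknowledge every DATA block, stop
    after the first block shorter than BLOCK_SIZE. Returns (file, exchange log)."""
    log: List[Tuple[str, str, int]] = [("client", "RRQ", 0)]
    received = bytearray()
    reply = server.handle(build_request(RRQ, filename))
    while True:
        p = parse_packet(reply)
        if p["op"] == ERROR:
            log.append(("server", "ERROR", p["code"]))
            raise IOError(f"TFTP error {p['code']}: {p['message']}")
        log.append(("server", "DATA", p["block"]))
        received += p["data"]
        log.append(("client", "ACK", p["block"]))
        reply = server.handle(build_ack(p["block"]))
        if len(p["data"]) < BLOCK_SIZE:
            return bytes(received), log

# Constructed 1100-byte "file": transferred as blocks of 512, 512 and 76 bytes.
SAMPLE_FILES = {"vrpcfg.cfg": bytes(range(256)) * 4 + b"x" * 76}
```

The exchange log for the sample file is RRQ, DATA 1, ACK 1, DATA 2, ACK 2, DATA 3, ACK 3: the 76-byte third block tells the client the transfer is complete. A write request follows the mirror-image pattern (WRQ, ACK 0, DATA 1, ACK 1, ...), which the same codec can produce.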

SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely log in to the device to manage and transfer files. On the other hand, users can use the device functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server or the connection between the server and the client fails, the client needs to detect the fault in time and release the connection proactively. To help the client detect such a fault in time, configure an interval at which Keepalive packets are sent if no packet is received, and the maximum number of times the server may fail to respond to the client:
● If the client does not receive any packet within the specified period, the client sends a Keepalive packet to the server.
● If the number of times that the server does not respond exceeds the specified maximum, the client proactively releases the connection.

1.1.8.2 Configuration Precautions for Access to Other Devices

Feature Requirements

Table 1-36 Feature requirements


Feature Requirements | Series | Models
Create an SSL policy. The default DH modulus is 3072 and can be set to 2048, 3072, or 4096. The signature algorithms ed25519, ed448, rsa-pss-pss-sha256, rsa-pss-pss-sha384, rsa-pss-pss-sha512, rsa-pss-rsae-sha256, rsa-pss-rsae-sha384 and rsa-pss-rsae-sha512 are enabled by default and can be configured separately to enhance security. After an SSL policy is created, if the SSL handshake fails because the signature algorithm does not match or the DH modulus is too long, run the diffie-hellman modulus command to adjust the DH modulus length and run the signature algorithm-list command to adjust the signature algorithm. | NE9000 | NE9000
The SCP cannot interwork with the WinSCP tool. | NE9000 | NE9000

1.1.8.3 Using Telnet to Log In to Other Devices


Telnet is a client/server application that allows you to log in to remote devices to
manage and maintain the devices.

Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You
cannot connect each device to a terminal. When no reachable route exists
between remote devices and a terminal, you can use Telnet to log in to the
remote devices from the device that you have logged in to.

As shown in Figure 1-57, you can use Telnet on the PC to log in to the Telnet
client. Because the PC does not have a reachable route to the Telnet server, you
cannot remotely manage the Telnet server. To remotely manage the Telnet server,
use Telnet on the Telnet client to log in to the Telnet server.

Figure 1-57 Using Telnet on the Telnet client to log in to the Telnet server

Pre-configuration Tasks
Before using Telnet on the Telnet client to log in to the Telnet server, complete the following tasks:
● Configure Telnet login.
● Ensure that the route between the Telnet client and server is reachable.

1.1.8.3.1 (Optional) Configuring a Source Address for the Telnet Client


You can configure a source address for the Telnet client and use the source
address to establish a Telnet connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on a device and use this IP address as
the source address to establish a Telnet connection.

The source of a Telnet client can be a source interface or a source IP address.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run telnet client-source { { -a source-ip-address | { -i interface-type interface-number | interface-name } } } or telnet ipv6 client-source -a ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]

A source IP address is configured for the Telnet client.

Step 3 Run commit

The configuration is committed.

----End

1.1.8.3.2 Using Telnet to Log In to Other Devices


Telnet is a client/server application that allows you to log in to remote devices to
manage and maintain the devices.

Context
Telnet uses the client/server model to present a user interface that enables a
terminal to remotely log in to a server. You can log in to a device, and then log in
to another device on the network through Telnet to configure and manage the
device. You do not need to connect a hardware terminal to each device.

An IP address can be configured for an interface on the device and specified as the
source IP address of a Telnet connection for security verification.

NOTE

Telnet does not have a secure authentication mode, and transmits data using TCP in
plaintext. This is not safe. On a network with high security requirements, STelnet is
recommended.

Procedure
● Run the following command based on the type of the source IP address.
– The source address is an IPv4 address.
Run the telnet [ -i { interface-type interface-number | interface-name } |
[ vpn-instance vpn-instance-name ] [ -a source-ip-address ] ] host-ip-
address [ port-number ] command to use Telnet to log in to the Telnet
server through an IPv4 address.
– The source address is an IPv6 address.
Run the telnet ipv6 [ -a source-ip6 ] [ public-net | vpn-instance ipv6-
vpn-name ] ipv6-address [ -oi { interface-type interface-number |
interface-name } ] [ port-number ] command to use Telnet to log in to
the Telnet server through an IPv6 address.

----End

1.1.8.3.3 Verifying the Configuration of Using Telnet to Log In to Other Devices


When you use a router to log in to another router, you can check information
about the established TCP connection.

Prerequisites
All configurations for logging in to another device are complete.

Procedure
● Run the display tcp status command to check the status of all TCP
connections.

----End

1.1.8.4 Using STelnet to Log In to Other Devices


STelnet provides secure Telnet services. You can use STelnet to log in to and
manage other devices from the device that you have logged in to.

Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You cannot connect each device to a terminal. When no reachable route exists between remote devices and a terminal, you can use Telnet to log in to the remote devices from the device that you have logged in to. However, Telnet provides no secure authentication mode and transmits data in plaintext over TCP, which brings security risks.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication and protects devices against attacks such as IP spoofing. As shown in Figure 1-58, the device supports the SSH function. You can log in to a remote device in SSH mode to manage and maintain the device. The device that you have logged in to functions as an SSH client, and the remote device functions as an SSH server.

Figure 1-58 Using STelnet to log in to the SSH server

Pre-configuration Tasks
Before using STelnet to log in to other devices, configure STelnet login.

1.1.8.4.1 Configuring First Login to the SSH Server (Enabling First Login on the SSH
Client)
After first login is enabled on the SSH client (STelnet client in this case), the client
does not check the validity of the RSA, DSA, or ECC public key for the SSH server
when logging in to the SSH server for the first time.

Context
After first login is enabled on the SSH client (STelnet client in this case), the client
does not check the validity of the RSA, DSA, SM2, or ECC public key for the SSH
server when logging in to the SSH server for the first time. After the first login, the
SSH client automatically saves the RSA, DSA, SM2, or ECC public key for
subsequent login authentication.

If first login is disabled on an SSH client, the client cannot log in to the SSH server,
because the validity check of the RSA, DSA, SM2, or ECC public key will fail. If the
STelnet client needs to log in to the SSH server for the first time, enable first login
or configure the client to assign an RSA, DSA, SM2, or ECC public key to the server
in advance. For details, see Configuring First Login to the SSH Server
(Configuring the SSH Client to Assign the Public Key to the SSH Server).

Perform the following steps on the router that functions as an SSH client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ssh client first-time enable

First login is enabled on the SSH client.

Step 3 Run commit

The configuration is committed.

----End

1.1.8.4.2 Configuring First Login to an SSH Server (Configuring an SSH Client to Assign a Public Key to an SSH Server)
To allow an SSH client (STelnet client in this case) with initial authentication
disabled to successfully log in to an SSH server for the first time, configure the
SSH client to assign an RSA, DSA, SM2, or ECC public key to the SSH server before
the login.

Context
If initial authentication is disabled on an SSH client (STelnet client in this case),
the client cannot log in to the SSH server because of a failure to check the validity
of the RSA, DSA, SM2, or ECC public key on the server. As such, the STelnet client
must assign an RSA, DSA, SM2, or ECC public key to the server before logging in
to the SSH server.

A key pair is created by the SSH server. After the public key in the key pair is transmitted to the STelnet client, the client configures the key locally and assigns it to the server, so that the client can successfully perform a validity check on the server.

Perform the following steps on the SSH client:

NOTE

For security purposes, you are advised not to use the RSA algorithm with a key length of
less than 2048 bits. Using RSA_SHA2_256 and RSA_SHA2_512 algorithms for higher security
is recommended.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run ssh client publickey { dsa | ecc | rsa | sm2 | rsa_sha2_256 |
rsa_sha2_512 } *

A public key algorithm is enabled for the SSH client.

NOTE

The dsa and rsa parameters in the command indicate weak security algorithms. You are
advised not to use these algorithms. To prevent security risks, run the crypto weak-
algorithm disable command to disable the weak security algorithm function.

Step 3 Perform any of the following operations based on the selected public key
algorithm:
● To enter the RSA public key view, run the rsa peer-public-key key-name
command.
● To enter the DSA public key view, run the dsa peer-public-key key-name
encoding-type enc-type command.
● To enter the ECC public key view, run the ecc peer-public-key key-name
command.
● To enter the SM2 public key view, run the sm2 peer-public-key key-name
command.
Step 4 Run public-key-code begin
The public key view is displayed.
Step 5 Enter hex-data to edit the public key.
The public key must be a hexadecimal string complying with the public key
format. It is generated randomly on the SSH server.

NOTE

After you enter the public key view, the RSA, DSA, SM2, or ECC public key generated on the
server is sent to the client. Copy and paste the RSA, DSA, SM2, or ECC public key to the SSH
server.

Step 6 Run public-key-code end


Exit the public key view.
If the configured public key contains invalid characters or does not comply with
the public key format, an error message is displayed, and the configured public
key is discarded. If the configured public key is valid, it is saved into the client's
public key chain table.
● If no valid hex-data is specified, no public key is generated.
● If key-name specified in Step 2 has been deleted in another window, the
system displays an error and returns to the system view.
Step 7 Run peer-public-key end
Exit the public key view and return to the system view.
Step 8 Perform any of the following operations based on the selected algorithm:
● Run the ssh client peer server-name assign rsa-key key-name command to
assign an RSA public key to the SSH server.
● Run the ssh client peer server-name assign dsa-key key-name command to
assign a DSA public key to the SSH server.
● Run the ssh client peer server-name assign ecc-key key-name command to
assign an ECC public key to the SSH server.

● Run the ssh client peer server-name assign sm2-key key-name command to
assign an SM2 public key to the SSH server.
Step 9 Run commit
The configuration is committed.

----End
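Sections 1.1.8.4.1 and 1.1.8.4.2 describe two ways for the client to obtain trust in the server's public key: accept and save it on first login, or assign it in advance so that the validity check succeeds with first login disabled. The Python below is an added model of that decision logic, not NE9000 code: the class, its decision strings and the constructed key blobs are this example's own, and the SHA256 fingerprint format follows the OpenSSH convention rather than any device output. It makes the trade-off visible: with first login enabled, only the very first contact is unverified, and every later login still fails on a key mismatch; with first login disabled, nothing is trusted that an administrator did not assign.

```python
import base64
import hashlib
from typing import Dict

def fingerprint(public_key: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (base64, padding stripped) of a key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(public_key).digest()).decode().rstrip("=")

class SshClientTrust:
    """Server-key policy of an SSH (STelnet/SFTP) client.

    first_time_enabled models 'ssh client first-time enable'; assign_peer_key
    models 'ssh client peer <server> assign ...-key <key-name>' after the key
    has been entered in the public key view."""
    def __init__(self, first_time_enabled: bool):
        self.first_time_enabled = first_time_enabled
        self.peers: Dict[str, str] = {}          # server name -> trusted fingerprint

    def assign_peer_key(self, server: str, public_key: bytes) -> None:
        self.peers[server] = fingerprint(public_key)

    def check_server_key(self, server: str, presented_key: bytes) -> str:
        """Decide whether the key offered during key exchange may be trusted."""
        offered = fingerprint(presented_key)
        known = self.peers.get(server)
        if known is None:
            if not self.first_time_enabled:
                return "rejected: no key assigned for server"   # validity check fails
            self.peers[server] = offered     # trust on first use: saved for later logins
            return "accepted: first login, key saved"
        if known == offered:
            return "accepted: key matches saved key"
        return "rejected: key mismatch"      # server replaced or impersonated: do not log in

# Constructed key blobs standing in for real RSA/ECC public keys.
KEY_A = b"ssh-rsa constructed-public-key-of-sshserver"
KEY_B = b"ssh-rsa constructed-different-key"
```

A practical check for either mode is to compare the fingerprint saved on the client with the one obtained from the server's administrator out of band; a mismatch on a later login is the signal to stop and investigate rather than to re-enable first login.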

1.1.8.4.3 (Optional) Configuring the Keepalive Feature on the SSH Client


After the keepalive feature is configured on the SSH client, the client sends
keepalive packets at the configured interval to the SSH server to check whether
the connection between them is normal. The keepalive feature implements fast
fault detection.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh client keepalive-interval seconds
The interval at which the client sends keepalive packets to the server is configured.
If the client does not receive a response from the server during an interval, the
client sends another keepalive packet to the server. If the server still does not
respond, the client is disconnected from the server.
Step 3 Run ssh client keepalive-maxcount count
The maximum number of keepalive packets that the client sends to the server is
configured.
The interval at which the client sends keepalive packets to the server must be
greater than the maximum number of keepalive packets that the client sends to
the server. For example, if the interval is 0 (no keepalive packet is sent), the
setting of the maximum number of keepalive packets does not take effect.
Step 4 Run commit
The configuration is committed.

----End
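The keepalive rules above, and the SFTP Keepalive description in 1.1.8.1, define the client's behaviour in terms of an interval and a maximum count. The Python below is an added timeline simulation of those rules, not NE9000 code. It assumes, because the page does not say, that time is counted in whole seconds, that any packet from the server counts as a response and resets the count, and that the client releases the connection as soon as the number of consecutive unanswered keepalives reaches the maximum. It also covers the edge case the text names: an interval of 0 disables keepalives, so the maximum count has no effect.

```python
from typing import List, Optional, Tuple

def simulate_keepalive(interval: int, maxcount: int, server_packet_times: List[int],
                       horizon: int) -> Tuple[Optional[int], List[int]]:
    """Return (time at which the client releases the connection, or None if it
    stays up through `horizon`; times at which keepalive packets were sent).
    interval models 'ssh client keepalive-interval', maxcount models
    'ssh client keepalive-maxcount'; disconnect-at-maxcount is an assumption."""
    if interval == 0:                      # keepalive disabled: maxcount has no effect
        return None, []
    arrivals = set(server_packet_times)    # constructed: seconds at which server data arrives
    last_rx, last_tx, unanswered, sent = 0, 0, 0, []
    for t in range(1, horizon + 1):
        if t in arrivals:                  # any server packet resets the count
            last_rx, unanswered = t, 0
            continue
        if t - max(last_rx, last_tx) >= interval:
            sent.append(t)                 # a whole interval without traffic: probe
            last_tx, unanswered = t, unanswered + 1
            if unanswered >= maxcount:
                return t, sent             # server silent for maxcount probes: release
    return None, sent
```

With interval 10 and maxcount 3, a server that answers at second 5 and then only at second 30 is probed at 15 and 25, reset by the packet at 30, probed again at 40, 50 and 60, and dropped at 60; a server that sends something every 5 seconds is never probed at all.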

1.1.8.4.4 Using STelnet to Log In to Another Device


You can use STelnet to log in to an SSH server from an SSH client to configure and
manage the server.

Context
You can log in to the SSH server from the SSH client without the need of
specifying the listening port number only when the listening port number of the
server is 22. Otherwise, the listening port number must be specified.
Perform the following steps on the device that functions as an SSH client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | sm4_cbc } *

An encryption algorithm is configured for the SSH client.

NOTE

For security purposes, you are advised to use encryption algorithms AES128_CTR,
AES256_CTR, AES192_CTR, AES128_GCM, and AES256_GCM.
The des_cbc, 3des_cbc, aes128_cbc, aes256_cbc, arcfour128, arcfour256, aes192_cbc, and
sm4_cbc parameters in the command indicate weak security algorithms. You are advised
not to use these algorithms. To prevent security risks, run the crypto weak-algorithm
disable command to disable the weak security algorithm function.

Step 3 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *

An HMAC authentication algorithm is configured for the SSH client.

NOTE

For security purposes, you are advised to use HMAC algorithms SHA2_256, SHA2_512, and
SM3.
The md5, md5_96, sha1, sha1_96, and sha2_256_96 parameters in the command indicate
weak security algorithms. You are advised not to use these algorithms. To prevent security
risks, run the crypto weak-algorithm disable command to disable the weak security
algorithm function.

Step 4 (Optional) Run ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | dh_group16_sha512 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep | curve25519_sha256 } *

A key exchange algorithm is configured for the SSH client.

NOTE

For security purposes, you are advised to use the key exchange algorithm
DH_group16_SHA512.
The dh_group_exchange_sha1, dh_group1_sha1, and dh_group14_sha1 parameters in the
command indicate weak security algorithms. You are advised not to use these algorithms.
To prevent security risks, run the crypto weak-algorithm disable command to disable the
weak security algorithm function.

Step 5 Run commit

The configuration is committed.

Step 6 According to the type of the source IP address, run one of the following
commands in the user or system view:
● If the source address is an IPv4 one:
Run the stelnet [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ server-port ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] * command to use STelnet to log in to the SSH server through the IPv4 address.
● If the source address is an IPv6 one:
Run the stelnet ipv6 [ -a source-ipv6-address ] [ -force-receive-pubkey ]
host-ipv6-address [ [ public-net | -vpn-instance vpn-instance-name ] | [ -oi
{ interface-name | interface-type interface-number } ] | [ server-port ] |
[ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] |
[ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac
prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] |
[ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ]
| [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-
key ] ] * command to use STelnet to log in to the SSH server through the IPv6
address.

----End

1.1.8.4.5 Verifying the Configuration of Using STelnet to Log In to Other Devices


After completing the configuration for using STelnet to log in to other devices, you
can view mappings between SSH servers and RSA or ECC public keys on the SSH
client, global configuration of SSH servers, and sessions between SSH servers and
the client.

Prerequisites
The configurations for using STelnet to log in to other devices are complete.

Procedure
● Run the display ssh server-info command to check mappings between SSH
servers and RSA or ECC public keys on the client.
----End

1.1.8.5 Using TFTP to Access Other Devices


TFTP is used to transfer files between remote servers and local hosts. Unlike FTP,
TFTP is simple and provides no authentication. TFTP applies when no complex
interaction is required between clients and the server.

Usage Scenario
In the TCP/IP protocol suite, FTP is most commonly used to transfer files. However, FTP involves complex interactions between terminals and servers, which are hard to implement on terminals that do not run advanced operating systems. TFTP is designed for file transfer that does not require complex interactions between terminals and servers. It is simple and inexpensive to implement. TFTP can be used only for simple file transfer without authentication.

NOTE

The HUAWEI NetEngine9000 can function only as a TFTP client.

Pre-configuration Tasks
Before using TFTP to access other devices, configure user login.

1.1.8.5.1 Configuring a Source Address for a TFTP Client


You can configure a source address for a TFTP client and use the source address to
establish a TFTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on a TFTP client and use this IP
address as the source address to establish a TFTP connection.

Perform the following steps on the router that functions as a TFTP client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run tftp client-source { -a ip-address | -i { interface-type interface-number | interface-name } } or tftp ipv6 client-source -a ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]
A source address is configured for the TFTP client.

NOTE

The interface type specified by interface-type must be loopback.


After configuring a source address for a TFTP client, ensure that the source address of the
TFTP client displayed on the server is the same as the configured one.

Step 3 Run commit

The configuration is committed.

----End

1.1.8.5.2 Configuring TFTP Access Control


An ACL can be configured to allow the TFTP client to access specified TFTP
servers.

Context
An ACL is a set of sequential rules. These rules are described based on source
addresses, destination addresses, and port numbers of packets. ACL rules are used
to filter packets. After ACL rules are applied to a device, the device permits or
denies packets based on the ACL rules.


Multiple rules can be defined for one ACL. ACL rules are classified as interface,
basic, or advanced ACL rules based on their functions.

Perform the following steps on the router that functions as a TFTP client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run acl acl-number or acl-number

The basic ACL view is displayed.

Step 3 Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ [ fragment | fragment-type fragment-type-name ] | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

An ACL rule is configured.

Step 4 Run quit

Return to the system view.

Step 5 Configure ACL to control the TFTP client's access to TFTP servers.
● For IPv4
Run tftp-server acl { acl-number | acl-name } to apply the ACL to the TFTP
client to control its access to TFTP servers.
● For IPv6
Run tftp-server ipv6 acl { acl-number | acl-name } to apply the ACL to the
TFTP client to control its access to TFTP servers.

Step 6 Run commit

The configuration is committed.

----End

1.1.8.5.3 Using TFTP to Download Files from Other Devices


You can run the tftp command to download files from a remote server to the
local device.

Context
A virtual private network (VPN) is connected to remote devices or terminals over
the Internet. After a TFTP session is established, you can specify vpn-instance-
name in the tftp command to connect to a remote TFTP server.
To download a file, the TFTP client sends a read request to the TFTP server. After
receiving data, the TFTP client sends an acknowledgement message to the server.

Perform one of the following operations based on the IP address type of the
server:


Procedure
● Run tftp [ -a source-ip-address | -i interface-type interface-number ] host-ip-
address [ vpn-instance vpn-instance-name | public-net ] get source-filename
[ destination-filename ]

A file is downloaded using TFTP.

The interface type specified by interface-type must be loopback.


● Run tftp ipv6 [ -a source-ipv6-address ] tftp-server-ipv6 [ vpn-instance vpn-
instance-name | public-net ] [ -oi interface-type interface-number ] get
source-filename [ destination-filename ]
TFTP is used to download files.

----End

1.1.8.5.4 Using TFTP to Upload Files to Other Devices


You can run the tftp command to upload files from the local device to a remote
server.

Context
To upload a file, the TFTP client sends a write request to the TFTP server. After
receiving data, the TFTP client sends an acknowledgment to the server.

Perform one of the following operations based on the IP address type of the
server:

Procedure
● Run tftp [ -a source-ip-address | -i interface-type interface-number ] host-ip-
address [ vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]

A file is uploaded using TFTP.

The interface type specified by interface-type must be loopback.


● Run tftp ipv6 [ -a source-ipv6-address ] tftp-server-ipv6 [ [ vpn-instance vpn-instance-name | public-net ] ] [ -oi interface-type interface-number ] put source-filename [ destination-filename ]

TFTP is used to upload files.

----End

1.1.8.5.5 Verifying the Configuration of Using TFTP to Access Other Devices


After completing the configuration for using TFTP to access other devices, you can
view the source address of the TFTP client and configured ACL rules.

Prerequisites
The configurations for using TFTP to access other devices are complete.


Procedure
● Run the display tftp-client command to check the source address of the TFTP
client.
● Run the display acl { acl-number | all } command to check ACL rules
configured on the TFTP client.

----End

1.1.8.6 Using FTP to Access Other Devices


You can log in to an FTP server from the device that functions as an FTP client to
upload files to or download files from the server.

Usage Scenario
To transfer files with a remote FTP server or manage directories of the server,
configure a device as an FTP client and use FTP to access the FTP server.

Pre-configuration Tasks
Before using FTP to access other devices, configure the FTP server, including:
1. Configure a local FTP user.
2. (Optional) Specify a listening port number for the FTP server.
3. Enable the FTP server function.
4. (Optional) Configure FTP server parameters.
5. (Optional) Configure FTP access control.

1.1.8.6.1 (Optional) Configuring a Source Address for an FTP Client


You can configure a source address for an FTP client and use the source address to
establish an FTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on an FTP client and use this IP
address as the source address to establish an FTP connection.

Perform the following steps on the router that functions as an FTP client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ftp client-source { -a ip-address | -i { interface-type interface-number | interface-name } } or ftp ipv6 client-source -a ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]

A source address is configured for the FTP client.


After configuring a source address for an FTP client, run the display ftp-users
command on the FTP server to check that the source address of the FTP client
displayed in the command output is the same as the configured one.
Step 3 Run commit
The configuration is committed.

----End

1.1.8.6.2 Using FTP to Connect an FTP Client to Other Devices


FTP commands can be used to log in to other devices from an FTP client.

Context
Commands can be run in the user or FTP client view to establish connections to
remote FTP servers.

NOTE

● If the ftp command without any parameters is used in the user view to establish a
control connection to an FTP server, the FTP client view is displayed but the connection
is not established.
● When you run the ftp command in the user view or the open command in the FTP client view to
establish a control connection to a remote FTP server using the default listening port
number of the FTP server, you do not need to specify a listening port number in the
command. Otherwise, you must specify a listening port number in the command.
● Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After a default VPN instance is
configured, it will be used for FTP operations.

Perform either of the following operations on the FTP client based on the type of
the server's IP address:

Procedure
● If the server has an IPv4 address, use commands described in Table 1-37 to
connect the client to other devices.

Table 1-37 Using FTP commands to connect the FTP client to other devices

View: User view
Operation: Run the ftp [ -a source-ip-address | { -i interface-type interface-number | interface-name } ] host-ip [ port-number ] [ public-net | vpn-instance vpn-instance-name ] command to establish a connection to the FTP server.

View: FTP client view
Operation: Run the open [ -a source-ip | { -i interface-type interface-number | interface-name } ] host-ip-address [ port-number ] [ public-net | vpn-instance vpn-instance-name ] command to establish a connection to the FTP server.

● If the server has an IPv6 address, use commands described in Table 1-38 to
connect the client to other devices.


Table 1-38 Using FTP commands to connect the FTP client to other devices

View: User view
Operation: Run the ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number | interface-name } ] [ port-number ] command to establish a connection to the FTP server.

View: FTP client view
Operation: Run the open ipv6 [ -a source-ip6 ] host-ipv6-address [ -oi { -i interface-type interface-number | interface-name } ] [ port-number ] [ vpn-instance vpn-instance | public-net ] command to establish a connection to the FTP server.

----End

1.1.8.6.3 Using FTP Commands to Operate Files


After logging in to an FTP server, you can use FTP commands to operate files,
including configuring the file transfer mode, viewing online help for FTP
commands, uploading files, and managing directories and files.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of the
server's IP address:
● Run the ftp [ [ -a source-ip-address | -i { interface-type interface-number |
interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-
name ] | public-net ] command to configure the device to use an IPv4
address to establish a connection to the FTP server and enter the FTP client
view.
● Run the ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-
vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number |
interface-name } ] [ port-number ] command to configure the device to use
an IPv6 address to establish a connection to the FTP server and enter the FTP
client view.

Step 2 Perform one or more operations described in Table 1-39 as needed.

Table 1-39 File operations

Managing files

Configuring the file type:
● Run the ascii command to set the file type to ASCII.
● Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used.

Configuring the data connection mode:
● Run the passive command to set the data connection mode to PASV.
● Run the undo passive command to set the data connection mode to ACTIVE.

Uploading files:
● Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server.
● Run the mput local-filenames command to upload files from the local device to a remote server.
NOTE
You can also run either of the following commands in the user view to upload a local file to the FTP server:
● On an IPv4 network: Run the ftp client-transfile put [ -a source-ipv4 | -i { interface-type interface-number | interface-name } ] host-ip ipv4-address [ port portnumber ] [ vpn-instance vpn-instancename | public-net ] username user-name sourcefile localfilename [ destination remotefilename ] command.
● On an IPv6 network: Run the ftp client-transfile put ipv6 [ -a source-ipv6 ] host-ip ipv6-address [ [ vpn-instance ipv6-vpn-name ] | public ] [ port port-number ] username username sourcefile local-filename [ destination remote-filename ] command.

Downloading files:
● Run the get remote-filename [ local-filename ] command to download a file from a remote server and save the file on the local device.
● Run the mget remote-filenames command to download files from a remote server and save the files on the local device.
NOTE
You can also run either of the following commands in the user view to download a file from the FTP server to the local device:
● On an IPv4 network: Run the ftp client-transfile get [ -a source-ipv4 | -i { interface-type interface-number | interface-name } ] host-ip ipv4-address [ port portnumber ] [ vpn-instance vpn-instancename | public-net ] username user-name sourcefile localfilename [ destination remotefilename ] command.
● On an IPv6 network: Run the ftp client-transfile get ipv6 [ -a source-ipv6 ] host-ip ipv6-address [ [ vpn-instance ipv6-vpn-name ] | public ] [ port port-number ] username username sourcefile local-filename [ destination remote-filename ] command.

Enabling the file transfer notification function:
● If the prompt command is run in the FTP client view to enable the file transfer notification function, the system prompts you to confirm the upload or download operation during file upload or download.
● If the prompt command is run again in the FTP client view, the file transfer notification function is disabled.
NOTE
The prompt command applies when the mput or mget command is used to upload or download files. If the local device already has the files to be downloaded by running the mget command, the system prompts you to replace the existing ones regardless of whether the file transfer notification function is enabled.

Enabling the FTP verbose function: Run the verbose command.
After the verbose function is enabled, all FTP response information is displayed. After file transfer is complete, statistics about the transmission rate are displayed.

Enabling the function of appending the local file contents to the file on the FTP server: Run the append local-filename [ remote-filename ] command.
If the file specified by remote-filename does not exist on the FTP server, the file is automatically created on the FTP server, and the local file contents are automatically appended to the end of the created file.

Deleting files from a server: Run the delete remote-filename command.

Managing directories

Changing the working path of a remote FTP server: Run the cd pathname command.

Changing the working path of an FTP server to the parent directory: Run the cdup command.

Displaying the working path of an FTP server: Run the pwd command.

Displaying files in a directory and the list of sub-directories: Run the dir [ remote-directory [ local-filename ] ] command.
If no path name is specified for a specified remote file, the system searches an authorized directory for the specified file.

Displaying a specified remote directory or file on an FTP server: Run the ls [ remote-directory [ local-filename ] ] command.

Displaying or changing the working path of an FTP client: Run the lcd [ directory ] command.
The lcd [ directory ] command displays the local working path of the FTP client, while the pwd command displays the working path of the remote FTP server.

Creating a directory on an FTP server: Run the mkdir remote-directory command.
The directory name can be a combination of letters and digits and must not contain special characters, such as less than (<), greater than (>), question marks (?), backslashes (\), and colons (:).

Deleting a directory from an FTP server: Run the rmdir remote-directory command.

Displaying online help for an FTP command: Run the remotehelp [ command ] command.

Enabling resumable data transfer for the FTP client: Run the ftp client resumable-transfer enable command in the system view.

----End

1.1.8.6.4 (Optional) Changing a Login User Role


You can use different user roles to log in to an FTP server.

Context
After you log in to an FTP server from a device functioning as an FTP client, you
can use another user name to log in to the server. Changing a login user role does
not affect the current FTP connection. That is, FTP control and data connections
and the connection status do not change.
If you enter an incorrect user name or password, the current FTP connection is
ended. To log in to the server again, you must enter a correct user name and
password.


NOTE

After logging in to the HUAWEI NetEngine9000, you can log in to the FTP server by using
another user name without logging out of the FTP client view. The established FTP
connection is identical to that established by running the ftp command.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of the
server's IP address:
● Run the ftp [ [ -a source-ip-address | -i { interface-type interface-number |
interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-
name ] | public-net ] command to configure the device to use an IPv4
address to establish a connection to the FTP server and enter the FTP client
view.
● Run the ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-
vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number |
interface-name } ] [ port-number ] command to configure the device to use
an IPv6 address to establish a connection to the FTP server and enter the FTP
client view.
Step 2 Run user user-name
The login user role is changed.
After the login user role is changed, the connection between the original user role
and the FTP server is ended.

NOTE

Only FTP users at Level 3 or higher can run the user user-name command to change the
user role and log in to the FTP server.

Step 3 Run commit

The configuration is committed.

----End

1.1.8.6.5 Ending a Connection to the FTP Server


To save system resources and ensure successful logins of authorized users to the
FTP server, end connections to the FTP server.

Context
After the number of users logging in to an FTP server reaches the upper limit, no
more authorized users can log in. To allow authorized users to log in to the FTP
server, end idle connections to the FTP server.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of the
server's IP address:
● Run the ftp [ [ -a source-ip-address | -i { interface-type interface-number |
interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-
name ] | public-net ] command to configure the device to use an IPv4
address to establish a connection to the FTP server and enter the FTP client
view.
● Run the ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-
vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number |
interface-name } ] [ port-number ] command to configure the device to use
an IPv6 address to establish a connection to the FTP server and enter the FTP
client view.

Step 2 Perform either of the following operations as needed to end an FTP connection.
● Run the bye/quit command to end the connection to the FTP server and
return to the user view.
● Run the close/disconnect command to end both the connection to the FTP
server and the FTP session and remain in the FTP client view.

----End

1.1.8.6.6 Verifying the Configuration of Using FTP to Access Other Devices


After completing the configuration of accessing other devices by using FTP, you
can view the parameters configured on the FTP client.

Prerequisites
The configurations of accessing other devices by using FTP are complete.

Procedure
● Run the display ftp-client command to check the source address of the FTP
client.
● Run the display ftp server ip auth-fail information command to check
information about the IP addresses of all the clients that fail to pass
authentication.
● Run the display ftp server ip-block list command to check information
about the locked IP addresses of all the clients that fail to pass
authentication.

----End

1.1.8.7 Using SFTP to Access Other Devices


SFTP provides secure FTP services. After a device is configured as an SFTP client,
the SFTP server authenticates the client and encrypts data in both directions to
provide secure file transfer.


Usage Scenario
Based on SSH, SFTP ensures that users log in to a remote device securely to
manage and transfer files, enhancing secure file transfer. Because the device can
function as an SFTP client, you can log in to a remote SSH server from the device
to transfer files securely.

Pre-configuration Tasks
Before using SFTP to access other devices, complete the following tasks:
1. Configure an SSH user and specify a service type.
2. Enable the SFTP server function.
3. (Optional) Configure SFTP server parameters.

1.1.8.7.1 (Optional) Configuring a Source Address for the SFTP Client


You can configure a source address for an SFTP client and use the source address
to establish an SFTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on the SFTP client and use this IP
address as the source address to establish an SFTP connection.
The source address for an SFTP client can be either a source interface or a source
IP address.
Perform the following steps on the device functioning as an SFTP client:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure an SFTP source IP address or source interface as required.
● In IPv4 scenarios, run the sftp client-source -a source-ip-address { public-net
| -vpn-instance ipv6-vpn-instance-name } or sftp client-source -i
{ interface-type interface-number | interface-name } command.
● In IPv6 scenarios, run the sftp ipv6 client-source -a source-ipv6-address [ -
vpn-instance ipv6-vpn-instance-name ] command.
Step 3 Run commit
The configuration is committed.

----End

1.1.8.7.2 Configuring First Login to the SSH Server (Enabling First Login on the SSH Client)

After first login is enabled on an SSH client (SFTP client in this case), the client
does not check the validity of the RSA, DSA, SM2 or ECC public key for the SSH
server when logging in to the SSH server for the first time.


Context
After the first login, the SSH client automatically saves the RSA, DSA, SM2 or ECC
public key for subsequent login authentication.

Perform the following steps on the device that functions as an SSH client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ssh client first-time enable

First login is enabled on the SSH client.

Step 3 Run commit

The configuration is committed.

----End

1.1.8.7.3 Configuring First Login to the SSH Server (Configuring the SSH Client to Assign the Public Key to the SSH Server)

To allow an SSH client with initial authentication disabled to successfully log in to
an SSH server for the first time, configure the SSH client to assign an RSA, DSA,
SM2 or ECC public key to the SSH server before the login.

Context
If initial authentication is disabled on the SSH client, the client cannot log in to
the SSH server, because the validity check of the RSA, DSA, SM2 or ECC public key
will fail. An RSA, DSA, SM2 or ECC public key needs to be assigned to the server
before the SSH client logs in to the server.

Perform the following steps on the SSH client:

NOTE

For security purposes, do not use RSA keys whose length is less than 2048 bits. You are
advised to use RSA_SHA2_256 and RSA_SHA2_512 instead.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run ssh client publickey { dsa | ecc | rsa | sm2 | rsa_sha2_256 |
rsa_sha2_512 } *

A public key algorithm is enabled for the SSH client.


NOTE

The dsa and rsa parameters in the command indicate weak security algorithms. You are
advised not to use these algorithms. To prevent security risks, run the crypto weak-
algorithm disable command to disable the weak security algorithm function.

Step 3 Perform any of the following operations based on the selected public key
algorithm:
● To enter the RSA public key view, run the rsa peer-public-key key-name
command.
● To enter the DSA public key view, run the dsa peer-public-key key-name
encoding-type enc-type command.
● To enter the ECC public key view, run the ecc peer-public-key key-name
command.
● To enter the SM2 public key view, run the sm2 peer-public-key key-name
command.
Step 4 Run public-key-code begin
The public key view is displayed.
Step 5 Enter hex-data to edit the public key.
The public key must be a hexadecimal string complying with the public key
format. It is generated randomly on the SSH server.

NOTE

After you enter the public key view, the RSA, DSA, SM2, or ECC public key generated on the
server is sent to the client. Copy and paste the RSA, DSA, SM2, or ECC public key to the SSH
server.

Step 6 Run public-key-code end


Exit the public key view.
If the configured public key contains invalid characters or does not comply with
the public key format, an error message is displayed, and the configured public
key is discarded. If the configured public key is valid, it is saved into the client's
public key chain table.
● If no valid hex-data is specified, no public key is generated.
● If key-name specified in Step 2 has been deleted in another window, the
system displays an error and returns to the system view.
Step 7 Run peer-public-key end
Exit the public key view and return to the system view.
Step 8 Perform any of the following operations based on the selected algorithm:
● Run the ssh client peer server-name assign rsa-key key-name command to
assign an RSA public key to the SSH server.
● Run the ssh client peer server-name assign dsa-key key-name command to
assign a DSA public key to the SSH server.
● Run the ssh client peer server-name assign ecc-key key-name command to
assign an ECC public key to the SSH server.


● Run the ssh client peer server-name assign sm2-key key-name command to
assign an SM2 public key to the SSH server.
Step 9 Run commit
The configuration is committed.

----End

1.1.8.7.4 Using SFTP to Log In to Another Device Functioning as an SSH Server


You can log in to an SSH server from an SSH client by using SFTP.

Context
The command used for the SFTP client is similar to the command used for the
STelnet client. Both commands can carry the source address, key exchange
algorithm, encryption algorithm and HMAC algorithm.
Perform the following steps on the device that functions as an SSH client:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | sm4_cbc } *
An encryption algorithm is configured for the SSH client.

NOTE

For security purposes, you are advised to use encryption algorithms AES128_CTR,
AES256_CTR, AES192_CTR, AES128_GCM, and AES256_GCM.
The des_cbc, 3des_cbc, aes128_cbc, aes256_cbc, arcfour128, arcfour256, aes192_cbc, and
sm4_cbc parameters in the command indicate weak security algorithms. You are advised
not to use these algorithms. To prevent security risks, run the crypto weak-algorithm
disable command to disable the weak security algorithm function.

Step 3 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *
An HMAC authentication algorithm is configured for the SSH client.

NOTE

For security purposes, you are advised to use HMAC algorithms SHA2_256, SHA2_512, and
SM3.
The md5, md5_96, sha1, sha1_96, and sha2_256_96 parameters in the command indicate
weak security algorithms. You are advised not to use these algorithms. To prevent security
risks, run the crypto weak-algorithm disable command to disable the weak security
algorithm function.

Step 4 (Optional) Run ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | dh_group16_sha512 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep | curve25519_sha256 } *

A key exchange algorithm list is configured for the SSH client.

NOTE

For security purposes, you are advised to use the key exchange algorithm
DH_group16_SHA512.
The dh_group_exchange_sha1, dh_group1_sha1, and dh_group14_sha1 parameters in the
command indicate weak security algorithms. You are advised not to use these algorithms.
To prevent security risks, run the crypto weak-algorithm disable command to disable the
weak security algorithm function.

Step 5 Run either of the following commands:

For IPv4:

Run the sftp [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ public-net | -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] * command to log in to the SSH server using an IPv4 address through SFTP and enter the SFTP client view.

For IPv6:

Run the sftp ipv6 [ -force-receive-pubkey ] [ -a source-ipv6-address ] host-ipv6-address [ [ [ -vpn-instance vpn-instance-name ] | public-net ] | [ -oi { interface-name | interface-type interface-number } ] [ port-number ] | [ prefer_kex { prefer_kex } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] * command to log in to the SSH server using an IPv6 address through SFTP and enter the SFTP client view.

Step 6 Run commit

The configuration is committed.

----End
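As an added example (not Huawei's code and not part of this guide), the following Python audit applies the weak and recommended algorithm lists from the NOTEs in Steps 2 to 4 above, the ssh client publickey NOTE in 1.1.8.7.3 and the first-login behaviour described in 1.1.8.7.2 to a configuration dump, flagging weak algorithms and whether crypto weak-algorithm disable is present. The two configuration texts, the sysname and the LoopBack0 interface are constructed sample values.

```python
"""Audit an NE9000-style SSH/SFTP client configuration for weak algorithms.

Added example, not Huawei code. The weak and recommended algorithm names
below are those the guide's NOTEs list for ssh client cipher, ssh client
hmac, ssh client key-exchange and ssh client publickey.
"""
import re

# Algorithms the guide's NOTEs call weak, per command.
WEAK = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
               "arcfour128", "arcfour256", "sm4_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
    "key-exchange": {"dh_group_exchange_sha1", "dh_group1_sha1", "dh_group14_sha1"},
    "publickey": {"dsa", "rsa"},
}

# Algorithms the guide recommends instead, per command.
RECOMMENDED = {
    "cipher": ["aes128_ctr", "aes192_ctr", "aes256_ctr", "aes128_gcm", "aes256_gcm"],
    "hmac": ["sha2_256", "sha2_512", "sm3"],
    "key-exchange": ["dh_group16_sha512"],
    "publickey": ["rsa_sha2_256", "rsa_sha2_512"],
}

# Matches e.g. "ssh client cipher aes256_gcm aes128_ctr" and captures the list.
ALGO_LINE = re.compile(r"^ssh client (cipher|hmac|key-exchange|publickey)\s+(\S.*)$")


def parse_ssh_client_config(config: str) -> dict:
    """Pull the ssh client algorithm lists and two global switches out of a
    configuration dump. Unrelated lines are ignored, so a whole
    display current-configuration output can be passed in."""
    parsed = {kind: [] for kind in WEAK}
    parsed["weak_algorithms_disabled"] = False
    parsed["first_time_login"] = False
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if line == "crypto weak-algorithm disable":
            parsed["weak_algorithms_disabled"] = True
        elif line == "ssh client first-time enable":
            parsed["first_time_login"] = True
        else:
            match = ALGO_LINE.match(line)
            if match:
                kind, algos = match.group(1), match.group(2).split()
                parsed[kind].extend(a.lower() for a in algos)
    return parsed


def audit_ssh_client(config: str) -> dict:
    """Return the weak algorithms found per list, the state of the global
    switches and human-readable findings; compliant means no finding."""
    parsed = parse_ssh_client_config(config)
    weak = {kind: sorted(a for a in parsed[kind] if a in WEAK[kind]) for kind in WEAK}
    findings = []
    for kind, algos in weak.items():
        if algos:
            findings.append(f"ssh client {kind}: weak {', '.join(algos)}; "
                            f"guide recommends {', '.join(RECOMMENDED[kind])}")
    if any(weak.values()) and not parsed["weak_algorithms_disabled"]:
        # The guide's mitigation for weak algorithms left in a list.
        findings.append("crypto weak-algorithm disable is not configured")
    if parsed["first_time_login"]:
        # With first login enabled the client does not check the server's
        # public key on the first connection (1.1.8.7.2).
        findings.append("ssh client first-time enable: server key unchecked on first login")
    for kind in WEAK:
        if not parsed[kind]:
            # No explicit list: the device default applies and is not visible here.
            findings.append(f"ssh client {kind}: no explicit list configured")
    return {
        "weak": weak,
        "weak_algorithms_disabled": parsed["weak_algorithms_disabled"],
        "first_time_login": parsed["first_time_login"],
        "findings": findings,
        "compliant": not findings,
    }


# Constructed sample dumps; the sysname and interface are made up.
CONSTRUCTED_WEAK_CONFIG = """\
#
sysname NE9000-sftp-client
#
ssh client first-time enable
ssh client cipher aes256_gcm aes128_ctr 3des_cbc
ssh client hmac sha2_256 md5
ssh client key-exchange dh_group16_sha512 curve25519_sha256
ssh client publickey rsa_sha2_256 rsa
sftp client-source -i LoopBack0
#
return
"""

CONSTRUCTED_HARDENED_CONFIG = """\
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group16_sha512
ssh client publickey rsa_sha2_512 rsa_sha2_256 ecc
crypto weak-algorithm disable
"""

if __name__ == "__main__":
    for name, cfg in (("weak", CONSTRUCTED_WEAK_CONFIG),
                      ("hardened", CONSTRUCTED_HARDENED_CONFIG)):
        result = audit_ssh_client(cfg)
        print(f"{name}: compliant={result['compliant']}")
        for finding in result["findings"]:
            print("  -", finding)
```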

1.1.8.7.5 Using SFTP Commands to Operate Files


You can manage directories and files of the SSH server through the SFTP client
and view help for all SFTP commands on the SFTP client.

Context
After logging in to the SSH server from the SFTP client, you can perform the
following operations on the SFTP client:

● Create and delete directories of the SSH server; view the current working
directory; view files in a directory and the list of sub-directories.
● Rename, delete, upload, and download files.
● View command help on the SFTP client.

Perform the following steps on the router that functions as an SSH client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run either of the following commands:

For IPv4:

Run the sftp [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ public-net | -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] * command to log in to the SSH server using an IPv4 address through SFTP and enter the SFTP client view.

For IPv6:

Run the sftp ipv6 [ -force-receive-pubkey ] [ -a source-ipv6-address ] host-ipv6-address
[ [ [ -vpn-instance vpn-instance-name ] | public-net ] | [ -oi { interface-name |
interface-type interface-number } ] [ port-number ] | [ prefer_kex { prefer_kex } ] |
[ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] |
[ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] |
[ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] |
[ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *
command to log in to the SSH server using an IPv6 address through SFTP and enter the
SFTP client view.

Step 3 Perform one or more operations described in Table 1-40 as needed.

Table 1-40 File operations

Managing directories:
● Changing the current working directory: Run the cd [ path ] command.
● Changing the current working directory to the parent directory: Run the cdup command.
● Displaying the current working directory: Run the pwd command.
● Displaying files in a directory and the list of sub-directories: Run the dir [ remote-filename [ local-filename ] ] command.
● Deleting directories on the server: Run the rmdir directory-name command.
● Creating a directory on the server: Run the mkdir path command.

Managing files:
● Renaming a file on the server: Run the rename old-name new-name command.
● Downloading files from a remote server: Run the get remote-filename [ local-filename ] command.
● Uploading files to a remote server: Run the put local-filename [ remote-filename ] command.
● Deleting files from the server: Run the remove path or delete file command.

Displaying command help on the SFTP client: Run the help [ command-name ] command.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
There is a limit to the maximum number of SFTP clients that can connect to the
SFTP server at the same time. Therefore, after performing the desired operations
on the SFTP server, disconnect the SFTP client from the SFTP server so that other
users can access the SFTP server.

You can run the bye, exit, or quit command in the SFTP client view to disconnect
the SFTP client from the SFTP server.

1.1.8.7.6 Verifying the Configuration of Using SFTP to Access Other Devices


After completing the configuration of using SFTP to access other devices, you can
view the source address of the SSH client, mappings between SSH servers and RSA
or ECC public keys on the client, global configurations of the SSH servers, and
sessions between the SSH servers and the client.

Prerequisites
The configurations of using SFTP to access other devices are complete.

Procedure
● Run the display sftp-client command to check the source address of the
SFTP client.

● Run the display ssh server-info command to check mappings between SSH
servers and RSA public keys on the client.
----End

1.1.8.8 Configuring the SFTP Client to Use the One-click File Operation
Command to Perform File Operations
The device functions as an SFTP client and uses the one-click file operation
command to upload files from the SFTP client to the SFTP server or download files
from the SFTP server to the SFTP client.

Prerequisites
The SFTP server has been configured, and the SFTP client and server have
reachable routes to each other.

Procedure
Step 1 Run the system-view command
The system view is displayed.
Step 2 Run the ssh client first-time enable command
First-time authentication is enabled on the SSH client.

Step 3 Run the commit command


The configuration is committed.
Step 4 Perform either of the following steps based on a network protocol:
● Establish an SFTP connection based on an IPv4 network.
Run the sftp client-transfile { get | put } [ -a source-address | -i { interface-type
interface-number | interface-name } ] host-ip host-ipv4 [ port ] [ [ public-net |
-vpn-instance vpn-instance-name ] | [ prefer_kex { prefer_kex } ] | [ identity-key
identity-key-type ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher
prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac
prefer_stoc_hmac ] | [ -ki interval ] | [ -kc count ] ] * username user-name
password password sourcefile source-file [ destination destination ] command to
connect to the SFTP server in IPv4 mode and download files from the SFTP server to
the SFTP client or upload files from the SFTP client to the SFTP server.
● Establish an SFTP connection based on an IPv6 network.
Run the sftp client-transfile { put | get } ipv6 [ -a source-ipv6-address ] host-ip
host-ipv6 [ -oi { interface-type interface-number | interface-name } ] [ port ]
[ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { prefer_kex } ] |
[ identity-key identity-key-type ] | [ prefer_ctos_cipher prefer_ctos_cipher ] |
[ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] |
[ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki interval ] | [ -kc count ] ] * username
user-name password password sourcefile source-file [ destination destination ]
command to connect to the SFTP server in IPv6 mode and download files from the SFTP
server to the SFTP client or upload files from the SFTP client to the SFTP server.

----End

1.1.8.9 Using SCP to Access Other Devices


The Secure Copy Protocol (SCP) client sets up a secure connection to the SCP
server so that the client can upload files to or download files from the server.

Usage Scenario
SCP is a secure file transfer method based on SSH2.0 that supports file upload or
download in batches.

Pre-configuration Tasks
Before using SCP to access other devices, ensure that the route between the SCP
client and server is reachable.

1.1.8.9.1 Configuring the SCP Server


This section describes how to configure the SCP server to establish a secure
connection to the SCP client to implement secure remote access.

Context
SCP is a secure file transfer method based on SSH2.0. To use SCP to access other
devices, configure user interfaces to support SSH.

Procedure
Step 1 Configure VTY user interfaces to support SSH (for details, see Configuring VTY
User Interfaces to Support SSH).

Step 2 Configure an SSH user (for details, see Configuring an SSH User and Specifying
a Service Type).

Step 3 Perform the following operations as required:


● To enable the IPv4 SCP service, run the scp server enable or scp ipv4 server
enable command.
● To enable the IPv6 SCP service, run the scp server enable or scp ipv6 server
enable command.

Step 4 (Optional) Run the ssh server dh-exchange min-len min-len command to
configure the minimum key length supported during diffie-hellman-group-
exchange key exchange with the SSH client.
NOTE

If the SSH client supports the diffie-hellman-group-exchange key exchange algorithm with
a length greater than 1024 bits, you are advised to run the ssh server dh-exchange min-
len command to set the minimum key length to 3072 bits to improve security.

Step 5 Run commit

The configuration is committed.

----End

1.1.8.9.2 Configuring the SCP Client


The SCP client sets up a secure connection to the SCP server so that the client can
upload files to or download files from the server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run scp client-source { -a source-ip-address [ public-net |
-vpn-instance vpn-instance-name ] | -i { interface-type interface-number |
interface-name } } or scp ipv6 client-source -a ipv6-address [ -vpn-instance
ipv6-vpn-instance-name ]

A source address is configured for the SCP client.

Step 3 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 |
aes128_gcm | aes256_gcm | sm4_cbc } *

An encryption algorithm is configured for the SSH client.

NOTE

For security purposes, you are advised to use secure algorithms such as AES128_CTR,
AES256_CTR, AES192_CTR, AES128_GCM, and AES256_GCM.

Step 4 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 |
sha2_256_96 | sha2_512 | sm3 } *

An HMAC authentication algorithm is configured for the SSH client.

NOTE

For security purposes, you are advised to use secure algorithms such as SHA2_256,
SHA2_512, and SM3.

Step 5 Run either of the following operations based on the network protocol to upload
files to or download files from the SCP server.
● On an IPv4 network:
Run the scp [ -a source-ip-address ] [ -force-receive-pubkey ] [ -port port-number |
public-net | vpn-instance vpn-instance-name | identity-key identity-key-type |
user-identity-key user-key | -r | -c | -cipher cipher | -prefer-kex prefer-kex ] *
source-filename destination-filename or scp { -i interface-name | interface-type
interface-number } [ -force-receive-pubkey ] [ -port port-number | identity-key
identity-key-type | user-identity-key user-key | -r | -c | -cipher cipher |
-prefer-kex prefer-kex ] * source-filename destination-filename command.

● On an IPv6 network:
Run the scp ipv6 [ [ vpn-instance vpn-instance-name ] | public-net ]
[ -force-receive-pubkey ] [ [ -port server-port ] | [ identity-key identity-key-type ] |
[ user-identity-key user-key ] | [ [ -a source-ipv6-address ] | [ -oi { interface-name |
interface-type interface-number } ] ] | -r | -c | [ -cipher cipher ] |
[ -prefer-kex prefer-kex ] ] * source-filename destination-filename command.
NOTE

For security purposes, do not use the RSA algorithm whose modulus bit value is less than
2048 for the SSH user. You are advised to use the ECC authentication algorithm instead.

Step 6 Run commit


The configuration is committed.

----End

1.1.8.9.3 Verifying the Configuration of Using SCP to Access Other Devices


After completing the configuration for using SCP to access other devices, you can
view the source IP address of the SCP client.

Prerequisites
The configurations for using SCP to access other devices are complete.

Procedure
● Run the display scp-client command to check the source IP address of the
SCP client.
● Run the display ssh server-info command to check mappings between SSH
servers and RSA public keys on the client.
----End

1.1.8.10 Configuring an SSL Cipher Suite


During authentication between the client and server, an encryption algorithm list
is provided for SSL algorithm negotiation. This section describes how to configure
an SSL cipher suite with supported encryption algorithms. Using secure algorithms
enhances system security.

Context
During authentication between the client and server, an encryption algorithm list
is provided for SSL algorithm negotiation. For a system with high security
requirements, you can use encryption algorithms that are more secure to enhance
system security.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run ssl cipher-suite-list customization-policy-name

An SSL cipher suite is created, and the SSL cipher suite view is displayed.

Step 3 Run set cipher-suite { tls1_ck_rsa_with_aes_256_sha |
tls1_ck_rsa_with_aes_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha |
tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha |
tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_128_cbc_sha |
tls12_ck_rsa_aes_256_cbc_sha | tls12_ck_rsa_aes_128_cbc_sha256 |
tls12_ck_rsa_aes_256_cbc_sha256 | tls12_ck_dhe_dss_aes_128_cbc_sha |
tls12_ck_dhe_rsa_aes_128_cbc_sha | tls12_ck_dhe_dss_aes_256_cbc_sha |
tls12_ck_dhe_rsa_aes_256_cbc_sha | tls12_ck_dhe_dss_aes_128_cbc_sha256 |
tls12_ck_dhe_rsa_aes_128_cbc_sha256 | tls12_ck_dhe_dss_aes_256_cbc_sha256 |
tls12_ck_dhe_rsa_aes_256_cbc_sha256 |
tls12_ck_rsa_with_aes_128_gcm_sha256 |
tls12_ck_rsa_with_aes_256_gcm_sha384 |
tls12_ck_dhe_rsa_with_aes_128_gcm_sha256 |
tls12_ck_dhe_rsa_with_aes_256_gcm_sha384 |
tls12_ck_dhe_dss_with_aes_128_gcm_sha256 |
tls12_ck_dhe_dss_with_aes_256_gcm_sha384 |
tls12_ck_ecdhe_rsa_with_aes_128_gcm_sha256 |
tls12_ck_ecdhe_rsa_with_aes_256_gcm_sha384 | tls13_aes_128_gcm_sha256 |
tls13_aes_256_gcm_sha384 | tls13_chacha20_poly1305_sha256 |
tls13_aes_128_ccm_sha256 }

Encryption algorithms supported by the SSL cipher suite are specified.

NOTE

The tls12_ck_dhe_dss_aes_128_cbc_sha, tls12_ck_dhe_dss_aes_128_cbc_sha256,
tls12_ck_dhe_dss_aes_256_cbc_sha, tls12_ck_dhe_dss_aes_256_cbc_sha256,
tls12_ck_dhe_rsa_aes_128_cbc_sha, tls12_ck_dhe_rsa_aes_128_cbc_sha256,
tls12_ck_dhe_rsa_aes_256_cbc_sha, tls12_ck_dhe_rsa_aes_256_cbc_sha256,
tls12_ck_rsa_aes_128_cbc_sha, tls12_ck_rsa_aes_128_cbc_sha256,
tls12_ck_rsa_aes_256_cbc_sha, tls12_ck_rsa_aes_256_cbc_sha256,
tls12_ck_rsa_with_aes_128_gcm_sha256, tls12_ck_rsa_with_aes_256_gcm_sha384,
tls12_ck_ecdhe_rsa_with_aes_128_gcm_sha256,
tls12_ck_ecdhe_rsa_with_aes_256_gcm_sha384, tls1_ck_dhe_dss_with_aes_128_sha,
tls1_ck_dhe_dss_with_aes_256_sha, tls1_ck_dhe_rsa_with_aes_128_sha,
tls1_ck_dhe_rsa_with_aes_256_sha, tls1_ck_rsa_with_aes_128_sha, and
tls1_ck_rsa_with_aes_256_sha algorithms are not recommended because they are less
secure.
If such an algorithm is required, run the undo crypto weak-algorithm disable command
to enable the weak security algorithm function.

Step 4 Run commit

The configuration is committed.

----End

1.1.8.11 Configuring and Binding an SSL Policy


SSL policies can be used to protect transmitted data from being tampered with,
improving security.

Context
Some traditional protocols, such as syslog, have no security mechanisms. They
transmit data in clear text and can neither authenticate the communicating devices
nor prevent transmitted data from being tampered with, which exposes data
transmission to security risks. SSL provides data encryption, identity authentication,
and message integrity checks to ensure the security of TCP-based application layer
protocols.

Procedure
Deploy an SSL policy in the SSL policy view:

1. Run the system-view command to enter the system view.


2. Run the ssl policy policy-name command to configure an SSL policy and
enter the SSL policy view.
3. (Optional) Run the ecdh group { nist | curve | brainpool } * command to
configure elliptic curve parameters for the ECDHE algorithm.
4. Run the ssl minimum version { tls1.1 | tls1.2 | tls1.3 } command to configure
the minimum version for the SSL policy.
NOTE

After a device configured with TLS 1.0 is upgraded to a version that no longer
supports configuring TLS 1.0, the minimum version supported by the SSL policy
remains TLS 1.0. Run the ssl minimum version { tls1.1 | tls1.2 | tls1.3 } command
to reconfigure the minimum version for the SSL policy. This change is irreversible.
After a device on which the ssl minimum version command was not configured is
upgraded to the current version, the minimum version supported by the SSL policy is
TLS 1.1, whereas the default minimum version on the current version is TLS 1.2. Run
the ssl minimum version { tls1.1 | tls1.2 | tls1.3 } command to reconfigure the
minimum version for the SSL policy.
5. (Optional) Run the ssl verify { basic-constrain | key-usage | version { cert-
version3 | crl-version2 } } enable command to enable certificate verification.
6. (Optional) Run the ssl verify certificate-chain minimum-path-length path-
length command to configure the minimum path length for the digital
certificate chain.
7. (Optional) Run the signature algorithm-list { ecdsa-secp256r1-sha256 |
ecdsa-secp384r1-sha384 | ecdsa-secp521r1-sha512 | ed25519 | ed448 | rsa-
pss-pss-sha256 | rsa-pss-pss-sha384 | rsa-pss-pss-sha512 | rsa-pss-rsae-
sha256 | rsa-pss-rsae-sha384 | rsa-pss-rsae-sha512 | rsa-pkcs1-sha256 |
rsa-pkcs1-sha384 | rsa-pkcs1-sha512 | ecdsa-sha1 | ecdsa-sha224 | rsa-sha1
| rsa-sha224 | dsa-sha1 | dsa-sha224 | dsa-sha256 | dsa-sha384 | dsa-
sha512 } * command to configure a signature algorithm for SSL handshake.
NOTE

After the upgrade, fewer signature algorithms are supported by default. As a result,
SSL handshake may fail due to signature algorithm mismatch. To prevent this
problem, you can run this command to adjust the supported signature algorithms.
8. (Optional) Run the pki-domain pki-domain command to bind a PKI domain
to the SSL policy.

NOTE

● After a PKI domain is bound to an SSL policy, the SSL policy uses the certificates
and certificate revocation list (CRL) in the PKI domain.
● In addition to loading and revoking certificates using PKI, you can also perform the
following steps to manually load and revoke certificates.
9. (Optional) Run the certificate load command to load a digital certificate.
Currently, the PEM and PFX certificates and the PEM certificate chain are
supported. Load a digital certificate or certificate chain as needed.
– Run the certificate load pem-cert certFile key-pair { dsa | rsa } key-file
keyFile auth-code [ cipher authCode ] command to load a PEM
certificate for the SSL policy.
– Run the certificate load pfx-cert certFile key-pair { dsa | rsa } mac or
certificate load pfx-cert certFile key-pair { dsa | rsa } { mac cipher
mac-code | key-file keyFile } auth-code cipher authCode command to
load a PFX certificate for the SSL policy.
– Run the certificate load pem-chain certFile key-pair { dsa | rsa } key-
file keyFile auth-code [ cipher authCode ] command to load a certificate
chain in PEM format for the SSL policy.
NOTE

Loading a digital certificate is optional for a device but mandatory for an NMS.
10. (Optional) Run the crl load crlType crlFile command to load a digital CRL.
A maximum of two CRL files can be loaded to an SSL policy.
11. Run the trusted-ca load command to load a trusted-CA file. A maximum of
four trusted-CA files can be loaded for an SSL policy.
– Run the trusted-ca load pem-ca caFile command to load a trusted-CA
file in PEM format for the SSL policy.
– Run the trusted-ca load asn1-ca caFile command to load a trusted-CA
file in ASN1 format for the SSL policy.
– Run the trusted-ca load pfx-ca caFile auth-code [ cipher authCode ]
command to load a trusted-CA file in PFX format for the SSL policy.
12. (Optional) Run the binding cipher-suite-customization customization-name
command to bind a cipher suite to the SSL policy. Before binding a cipher
suite to an SSL policy, ensure that the cipher suite has been configured for the
SSL policy. For details, see 1.1.8.10 Configuring an SSL Cipher Suite.
13. (Optional) Run the cipher-suite exclude key-exchange rsa command to
exclude the RSA key exchange algorithm from the SSL policy cipher suite.
NOTE

The RSA key exchange algorithm is not recommended on networks that have high
security requirements because this algorithm is not secure.
14. (Optional) Run the cipher-suite exclude cipher mode cbc command to
exclude CBC encryption algorithms from the SSL policy cipher suite.
NOTE

The CBC encryption algorithm is not recommended for networks that have high
security requirements because this algorithm is not secure.

15. (Optional) Run the cipher-suite exclude hmac sha1 command to exclude the
SHA1 digest algorithm from the SSL cipher suite.
NOTE

The SHA1 digest algorithm is not recommended for networks that have high security
requirements because this algorithm is not secure.
16. (Optional) Run the diffie-hellman modulus modulus-val command to
configure the modulus of the Diffie-Hellman key exchange algorithm.
NOTE

After the upgrade, the default modulus length of the Diffie-Hellman key exchange
algorithm increases. As a result, SSL handshake may fail if the modulus length is too
long. To prevent this problem, you can run this command to adjust the modulus
length.
17. Run the quit command to return to the system view.
18. (Optional) Run the ssl certificate alarm-threshold early-alarm time check-
interval check-period command to configure the certificate expiration alarm
threshold and check interval.
19. Run the bind ssl-policy command in a service view to bind the SSL policy.
a. Dual-device backup service
Run the remote-backup-service service-name command to enter the
RBS view.
Run the bind ssl-policy ssl-policy-name command to bind an SSL policy.
NOTE

In VS mode, this command is supported only by the admin VS.
For detailed dual-device backup service configurations, see Establishing a
Dual-Device Backup Platform.
b. DCN service
Run the dcn command to enter the DCN view.
Run the bind ssl-policy ssl-policy-name command to bind an SSL policy.
For detailed DCN service configurations, see Configuring SSL
Authentication on a GNE.
20. Run the commit command to commit the configuration.

Deploy an SSL policy in the DTLS policy view.


1. Run the system-view command to enter the system view.
2. Run the dtls policy policyName command to configure an SSL policy and
enter the DTLS policy view.
3. (Optional) Run the ssl verify { basic-constrain | key-usage } enable
command to enable certificate verification.
4. (Optional) Run the ssl verify certificate-chain minimum-path-length path-
length command to configure the minimum path length for the digital
certificate chain.
5. (Optional) Run the pki-domain pki-domain command to bind a PKI domain
to the SSL policy.

NOTE

After a PKI domain is bound to an SSL policy, the SSL policy uses the certificates and
CRL in the PKI domain.
6. Run the commit command to commit the configuration.
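
The following Python script is added here as a worked example; it is not part of this guide or of the device software. It applies the recommendations of the preceding sections to a saved configuration: the ssh client cipher and ssh client hmac notes in 1.1.8.9.2, the ssh server dh-exchange min-len note in 1.1.8.9.1, the list of not-recommended suites under set cipher-suite in 1.1.8.10, and the TLS 1.2 default for ssl minimum version in 1.1.8.11. It assumes the command keywords appear in display current-configuration output exactly as spelled in this guide; the configuration it scans is constructed for the demonstration.

```python
"""Audit a saved NetEngine configuration for the weak algorithm settings this guide warns about.

Added example; not part of the guide or the device software. Command spellings are taken
from the guide and assumed to appear unchanged in display current-configuration output.
"""

# Recommended SSH algorithms named in the ssh client cipher / ssh client hmac notes.
RECOMMENDED_SSH_CIPHERS = {"aes128_ctr", "aes192_ctr", "aes256_ctr", "aes128_gcm", "aes256_gcm"}
RECOMMENDED_SSH_HMACS = {"sha2_256", "sha2_512", "sm3"}

# SSL cipher suites that the set cipher-suite note lists as not recommended.
NOT_RECOMMENDED_SSL_SUITES = {
    "tls1_ck_rsa_with_aes_128_sha", "tls1_ck_rsa_with_aes_256_sha",
    "tls1_ck_dhe_rsa_with_aes_128_sha", "tls1_ck_dhe_rsa_with_aes_256_sha",
    "tls1_ck_dhe_dss_with_aes_128_sha", "tls1_ck_dhe_dss_with_aes_256_sha",
    "tls12_ck_rsa_aes_128_cbc_sha", "tls12_ck_rsa_aes_256_cbc_sha",
    "tls12_ck_rsa_aes_128_cbc_sha256", "tls12_ck_rsa_aes_256_cbc_sha256",
    "tls12_ck_dhe_dss_aes_128_cbc_sha", "tls12_ck_dhe_dss_aes_256_cbc_sha",
    "tls12_ck_dhe_dss_aes_128_cbc_sha256", "tls12_ck_dhe_dss_aes_256_cbc_sha256",
    "tls12_ck_dhe_rsa_aes_128_cbc_sha", "tls12_ck_dhe_rsa_aes_256_cbc_sha",
    "tls12_ck_dhe_rsa_aes_128_cbc_sha256", "tls12_ck_dhe_rsa_aes_256_cbc_sha256",
    "tls12_ck_rsa_with_aes_128_gcm_sha256", "tls12_ck_rsa_with_aes_256_gcm_sha384",
    "tls12_ck_ecdhe_rsa_with_aes_128_gcm_sha256", "tls12_ck_ecdhe_rsa_with_aes_256_gcm_sha384",
}

# Minimum diffie-hellman-group-exchange length advised in the ssh server dh-exchange note.
ADVISED_DH_EXCHANGE_MIN_LEN = 3072


def audit_config(config_text):
    """Return (line_number, message) findings for every weak setting in a configuration."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0] == "#":
            continue
        if tokens[:3] == ["ssh", "client", "cipher"]:
            for alg in tokens[3:]:
                if alg not in RECOMMENDED_SSH_CIPHERS:
                    findings.append((number, f"ssh client cipher {alg}: not a recommended cipher"))
        elif tokens[:3] == ["ssh", "client", "hmac"]:
            for alg in tokens[3:]:
                if alg not in RECOMMENDED_SSH_HMACS:
                    findings.append((number, f"ssh client hmac {alg}: not a recommended HMAC"))
        elif tokens[:4] == ["ssh", "server", "dh-exchange", "min-len"] and len(tokens) > 4:
            if tokens[4].isdigit() and int(tokens[4]) < ADVISED_DH_EXCHANGE_MIN_LEN:
                findings.append((number, f"ssh server dh-exchange min-len {tokens[4]}: "
                                         f"advised value is {ADVISED_DH_EXCHANGE_MIN_LEN}"))
        elif tokens[:2] == ["set", "cipher-suite"]:
            for suite in tokens[2:]:
                if suite in NOT_RECOMMENDED_SSL_SUITES:
                    findings.append((number, f"set cipher-suite {suite}: listed as not recommended"))
        elif tokens[:3] == ["ssl", "minimum", "version"] and tokens[3:4] == ["tls1.1"]:
            findings.append((number, "ssl minimum version tls1.1: below the TLS 1.2 default"))
    return findings


# Constructed sample in the style of display current-configuration output (not from a real device).
SAMPLE_CONFIG = """\
#
 ssh client cipher 3des_cbc aes256_ctr aes128_gcm
 ssh client hmac sha1 sha2_256
 ssh server dh-exchange min-len 1024
#
ssl cipher-suite-list legacy-suites
 set cipher-suite tls12_ck_rsa_aes_128_cbc_sha
 set cipher-suite tls13_aes_256_gcm_sha384
#
ssl policy mgmt-policy
 ssl minimum version tls1.1
 binding cipher-suite-customization legacy-suites
#
return
"""


if __name__ == "__main__":
    for number, message in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {message}")
```

Run it against a file saved from display current-configuration. On a device upgraded without the ssl minimum version command configured, a finding for tls1.1 is expected until the command is re-run, as the note in step 4 above explains; the dh-exchange finding applies only where the peer clients support group exchange with lengths above 1024 bits.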

1.1.8.12 Logging In to a Device Using HTTP


Hypertext Transfer Protocol (HTTP) is an application-layer protocol that transports
hypertext from WWW servers to local browsers. HTTP uses the client/server model
in which requests and replies are exchanged.

Context
To download a certificate from an HTTP server, use HTTP. HTTP transfers web
page information on the Internet.

NOTE

HTTP has security risks.

Pre-configuration Tasks
Before logging in to a device using HTTP, complete the following tasks:
● Configure an SSL policy for the HTTP server.
● Check that the terminal and device are routable to each other.

Procedure
● Configure an SSL policy for the HTTP client.
a. Run system-view
The system view is displayed.
b. Run ssl policy policy-name
An SSL policy is configured, and the SSL policy view is displayed.
c. Run certificate load
A certificate is loaded for the SSL policy. On the HTTP client, a certificate
or certificate chain needs to be loaded for the SSL policy according to the
format of the certificate loaded to the HTTP server.

▪ To load a certificate in the PEM format for the SSL policy, run the
certificate load pem-cert certFile key-pair { dsa | rsa } key-file
keyFile auth-code [ cipher authCode ] command.
▪ To load a certificate in the PFX format for the SSL policy, run the
certificate load pfx-cert certFile key-pair { dsa | rsa } mac or
certificate load pfx-cert certFile key-pair { dsa | rsa } { mac cipher
mac-code | key-file keyFile } auth-code cipher authCode command.
▪ To load a certificate chain in the PEM format for the SSL policy, run
the certificate load pem-chain certFile key-pair { dsa | rsa } key-
file keyFile auth-code [ cipher authCode ] command.

d. Run trusted-ca load

A trusted-CA file is loaded. On the HTTP client, a trusted-CA file needs to
be loaded for the SSL policy according to the format of the trusted-CA
file loaded to the HTTP server.

▪ To load a trusted-CA file in the PEM format for the SSL policy, run
the trusted-ca load pem-ca caFile command.

▪ To load a trusted-CA file in the ASN1 format for the SSL policy, run
the trusted-ca load asn1-ca caFile command.

▪ To load a trusted-CA file in the PFX format for the SSL policy, run the
trusted-ca load pfx-ca caFile auth-code [ cipher authCode ]
command.
e. Run commit

The configuration is committed.


f. Run quit

Return to the system view.


● Log in to a device using HTTP.
a. Run http

HTTP is enabled, and the HTTP view is displayed.


b. (Optional) Run client source-interface { interface-name | interface-type
interface-number }
A source interface is bound to the HTTP client.
c. Run client ssl-policy policy-name

An SSL policy is configured for the HTTP client.


d. Run client ssl-verify peer

The HTTP client is configured to perform SSL verification on the HTTP
server.
e. Run commit

The configuration is committed.

----End

1.1.8.13 Configuring a DSCP Value for Telnet/SSH Packets


This section describes how to configure a DSCP value for Telnet/SSH packets.

Context
A device can send multiple types of protocol packets, such as NETCONF, Telnet,
and SSH packets. You can run the host-packet type command to uniformly
configure a DSCP value for the protocol packets. If a large number of protocol
packets with the same DSCP value are sent, network congestion may occur. To
address this issue, configure different DSCP values for the packets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run one or more of the following commands based on the service type and
protocol packet type:
1. Run ssh client dscp value
A DSCP value is configured for the SSH packets sent by a client.
2. Run telnet client dscp value
A DSCP value is configured for the Telnet packets sent by a client.
3. Run ssh server dscp value
A DSCP value is configured for the SSH packets sent by a server.
4. Run telnet server dscp value
A DSCP value is configured for the Telnet packets sent by a server.
Step 3 Run commit
The configuration is committed.
----End

Example
Run the display current-configuration command to check the configured DSCP
value.
<HUAWEI> system-view
[~HUAWEI] display current-configuration include-default | include dscp
Info: It will take a long time if the content you search is too much or the string you input is too long, you
can press CTRL_C to break.
telnet server dscp 10
telnet client dscp 10
ssh server dscp 10
ssh client dscp 10

1.1.8.14 Configuration Examples for Accessing Other Devices


This section provides examples for configuring one device to access other devices.

1.1.8.14.1 Example for Using Telnet to Log In to Another Device


This section provides an example for using Telnet to log in to another device. In
this example, the user authentication mode and password are configured to
implement Telnet login.

Networking Requirements
NOTE

As Telnet poses security risks, using STelnet V2 is recommended.

Large numbers of devices need to be managed and maintained on a network. It is
impossible to connect each device to a terminal. If no reachable route exists
between a remote device and a terminal, you can use Telnet to log in to the
remote device for management and maintenance.
As shown in Figure 1-59, you can use Telnet on the PC to log in to P1 but cannot
directly use Telnet to log in to P2. P1 and P2 are routable to each other. To
remotely manage and configure P2, use Telnet on P1 to log in to P2.

Figure 1-59 Using Telnet to log in to another device


NOTE

In this example, interface 1 stands for GE 1/0/1.

Precautions
● P1 and P2 must be routable to each other.
● To log in to P2 from P1 through Telnet, ensure that you can successfully log in
to P1.
● In insecure network environments, you are advised to use a secure protocol.
1.1.8.14.4 Example for Using STelnet to Log In to Other Devices (ECC
Authentication Mode) provides examples for secure protocols.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode and password on P2.
2. Use Telnet on P1 to log in to P2.

Data Preparation
To complete the configuration, you need the following data:
● Host address of P2: 2.1.1.1
● User authentication mode AAA, username huawei, and password
YsHsjx_202206

Procedure
Step 1 Configure the Telnet authentication mode and password on P2.
<HUAWEI> system-view

[~HUAWEI] sysname P2
[*HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode aaa
[*P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit
[~P2] aaa
[*P2-aaa] local-user huawei password cipher YsHsjx_202206

NOTE

The password must meet the following requirements:

● The password is entered in man-machine interaction mode. The system does not display
the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain at least two
of the following character types: uppercase letters, lowercase letters, digits, and special
characters.
● Special characters exclude question marks (?) and spaces. However, spaces are allowed
in the password if the password is enclosed in double quotation marks.
– If the password contains spaces, the quoted string cannot also contain double
quotation marks.
– If the password contains no spaces, the quoted string can contain double quotation
marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*P2-aaa] local-user huawei service-type telnet
[*P2-aaa] local-user huawei level 3
[*P2-aaa] commit
[~P2-aaa] quit
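
The following Python check is added as a worked example of the password rules in the note above; it is not part of this guide or of the device software. It assumes that a value typed inside double quotation marks is unquoted before the rules are applied and that only such a value may contain spaces, which is how the note's two example passwords are read here; everything else follows the note directly.

```python
"""Check a local-user password argument against the rules stated in this guide.

Added example; not part of the guide or the device software. The treatment of enclosing
double quotation marks is an assumption drawn from the note on password requirements.
"""


def unquote_argument(argument):
    """Return (password, quoted): strip one pair of enclosing double quotation marks if present."""
    if len(argument) >= 2 and argument[0] == '"' and argument[-1] == '"':
        return argument[1:-1], True
    return argument, False


def is_special(char):
    """A special character is anything that is not a letter, digit, space or question mark."""
    return not char.isalnum() and char not in " ?"


def check_password(argument):
    """Return the rule violations for a password typed as a CLI argument (empty list = acceptable)."""
    password, quoted = unquote_argument(argument)
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append(f"length {len(password)} is outside the range of 8 to 16 characters")
    if "?" in password:
        problems.append("question marks (?) are not allowed")
    if " " in password:
        if not quoted:
            problems.append("spaces are only allowed when the password is enclosed in double quotation marks")
        if '"' in password:
            problems.append("a password that contains spaces cannot also contain double quotation marks")
    # At least two of the four character types must be present.
    character_classes = (str.isupper, str.islower, str.isdigit, is_special)
    present = sum(1 for test in character_classes if any(test(c) for c in password))
    if present < 2:
        problems.append("at least two of: uppercase letters, lowercase letters, digits, special characters")
    return problems


def is_acceptable(argument):
    """True when the argument satisfies every rule."""
    return not check_password(argument)


if __name__ == "__main__":
    # The first three values are the guide's own examples; the rest are constructed.
    for candidate in ["YsHsjx_202206", '"Aa123"45""', '"Aa 123"45""', "Pass word1", "abcdefgh1?"]:
        print(candidate, "->", check_password(candidate) or "acceptable")
```

The check mirrors what the CLI enforces when local-user ... password cipher is entered, so it can be used to vet generated credentials before they are pasted into a session.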

If an ACL is configured to access other devices by using Telnet, perform the
following configurations on P2:
[~P2] acl 2000
[*P2-acl4-basic-2000] rule permit source 1.1.1.1 0
[*P2-acl4-basic-2000] quit
[*P2] user-interface vty 0 4
[*P2-ui-vty0-4] acl 2000 inbound
[*P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

NOTE

The ACL configurations are optional.

Step 2 Verify the configuration.


After the configurations are complete, use Telnet on P1 to log in to P2.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[*HUAWEI] commit
[~P1] quit
<P1> telnet 2.1.1.1
Trying 2.1.1.1
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Username: huawei
Password:
<P2>

----End

Configuration Files
● P1 configuration file
#
sysname P1
#
interface gigabitethernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
admin
return

● P2 configuration file
#
sysname P2
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
aaa
local-user huawei password irreversible-cipher $1c$]zV2B\j!z:$hRujV[%/IE|
0MwBQ}5sAX(RdE[oj#5otqG6=@>KK$
local-user huawei service-type telnet
local-user huawei level 3
#
interface gigabitethernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
authentication-mode aaa
acl 2000 inbound
#
return

1.1.8.14.2 Example for Using STelnet to Log In to Other Devices (RSA Authentication Mode)
This example shows how to log in to another device by using STelnet. To allow the
STelnet client to connect to the SSH server, configure the client and server to
generate local key pairs, configure the server to generate an RSA public key, and
bind the public key to the client.

Networking Requirements
A large number of devices need to be managed and maintained on a network, and
it is not practical to connect each device to a terminal. When no reachable route
exists between a remote device and the terminal, you can use Telnet to log in to
the remote device from a device that you have already logged in to. Telnet,
however, provides no secure authentication mode and transmits data in plaintext
over TCP, which brings security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides
encryption and authentication and protects devices against attacks such as IP
spoofing. As shown in Figure 1-60, after the STelnet server function is enabled on
the SSH server, the STelnet client can log in to the SSH server in password, ECC,
password-ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2,
x509v3-ssh-rsa, password-x509v3-rsa, or all authentication mode.


Figure 1-60 Using STelnet to log in to another device


NOTE

Interface1 in this example represents GigabitEthernet0/0/0.

Precautions
Client001 and client002 are configured to log in to the SSH server in password and
RSA authentication modes, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind
client002 to the RSA public key of the SSH server to authenticate the client
when the client attempts to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Use STelnet on client001 and client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:

● Password authentication for client001


● RSA authentication (public key: rsakey001) for client002
● IP address of the SSH server: 10.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit

Step 2 Create SSH users on the server.


NOTE

SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.

# Configure VTY user interfaces.


[*SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] user privilege level 3
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit
● Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication
for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit
# Set a password for client001.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:


– The password is entered in man-machine interaction mode. The system does not
display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at
least two types of the following characters: uppercase letters, lowercase letters,
digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are
allowed in the password if the password is enclosed in quotation marks.

▪ Double quotation marks cannot contain double quotation marks if spaces are
used in a password.

▪ Double quotation marks can contain double quotation marks if no space is
used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.

[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
● Create an SSH user named client002.
# Create an SSH user named client002 and configure RSA authentication for
the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type rsa
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure an RSA public key for the server.


# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
[*client002] commit

# Check the RSA public key generated on the client.


[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Host
Key Type : RSA Encryption Key
========================================================
Key Code:

308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001

Host Public Key for PEM format Code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98
25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn
+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX
GJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri
89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi
SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:


1024 65537 125048203250833642388841080101906750228075076456213955541037945628567
57310398880086451511608221218821171562865637463140847157102422109476944363593619
24637760514734544191988044752471924402237145321162849626052751701862381759745461
33321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:

3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-public-key-rsa-key-code] 308188
[*SSH Server-rsa-public-key-rsa-key-code] 028180
[*SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[*SSH Server-rsa-public-key-rsa-key-code] 0203
[*SSH Server-rsa-public-key-rsa-key-code] 010001
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server] commit

Step 4 Bind the RSA public key to client002.


[~SSH Server] ssh user client002 assign rsa-key rsakey001
[*SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.


# Enable the STelnet server function.
[~SSH Server] stelnet server enable
[*SSH Server] ssh server-source -i GigabitEthernet0/0/0
[*SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.


[~SSH Server] ssh user client001 service-type stelnet
[*SSH Server] ssh user client002 service-type stelnet
[*SSH Server] commit

Step 7 Connect STelnet clients to the SSH server.


# If the client logs in to the server for the first time, enable first authentication on
the client.


Enable first authentication on client001.


<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.


[*client002] ssh client first-time enable
[*client002] commit

# Log in to the SSH server in password authentication mode on STelnet client001
by entering the username and password.
[~client001] stelnet 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:

The following information indicates that the login is successful:


Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

# Log in to the SSH server in RSA authentication mode on client002.


[~client002] stelnet 10.1.1.1
Please input the username: client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message
Session is disconnected is displayed.

Step 8 Verify the configuration.

# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable

SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check information about SSH users.


[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory :-
Service-type : stelnet

Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
User-public-key-type : -
Sftp-directory :-
Service-type : stelnet
----------------------------------------------------

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh authorization-type default root
ssh user client002 service-type stelnet
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr

ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user privilege level 3
#
return
● Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.255.0
#
ssh client first-time enable
#
return
● Client002 configuration file
#
sysname client002
#
interface GigabitEthernet0/0/0
ip address 10.1.3.3 255.255.255.0
#
ssh client first-time enable
#
return

1.1.8.14.3 Example for Using STelnet to Log In to Other Devices (DSA Authentication Mode)
This example shows how to log in to another device by using STelnet. To allow the
STelnet client to connect to the SSH server, configure the client and server to
generate local key pairs, configure the server to generate a DSA public key, and
bind the public key to the client.

Networking Requirements
A large number of devices need to be managed and maintained on a network, and
it is not practical to connect each device to a terminal. When no reachable route
exists between a remote device and the terminal, you can use Telnet to log in to
the remote device from a device that you have already logged in to. Telnet,
however, provides no secure authentication mode and transmits data in plaintext
over TCP, which brings security risks.
STelnet provides secure Telnet services based on SSH connections. SSH provides
encryption and authentication functions to protect devices against attacks such as
IP address spoofing. As shown in Figure 1-61, after the STelnet server function is
enabled on the SSH server, the STelnet client can log in to the SSH server in
password, ECC, password-ECC, DSA, password-DSA, RSA, password-RSA, SM2,
password-SM2, x509v3-ssh-rsa, password-x509v3-rsa, or all authentication mode.

Figure 1-61 Networking diagram for logging in to another device by using STelnet

NOTE

Interface1 in this example represents GigabitEthernet0/0/0.

Precautions
Two users, client001 and client002, are configured to log in to the SSH server in
password and DSA authentication modes, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind
client002 to the DSA public key of the SSH server to authenticate the client
when the client attempts to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Client001 and client002 log in to the SSH server by using STelnet.

Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● DSA authentication (public key: dsakey001) for client002
● IP address of the SSH server: 10.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.


<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] dsa local-key-pair create
Info: The key name will be: SSH SERVER_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

Step 2 Create SSH users on the server.


NOTE

SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.

# Configure VTY user interfaces.


[~SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] user privilege level 3
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

● Create an SSH user named client001.


# Create an SSH user named client001 and configure password authentication
for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit

# Set a password for client001.


[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:


NOTE

The password must meet the following requirements:


– The password is entered in man-machine interaction mode. The system does not
display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at
least two types of the following characters: uppercase letters, lowercase letters,
digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are
allowed in the password if the password is enclosed in quotation marks.

▪ Double quotation marks cannot contain double quotation marks if spaces are
used in a password.

▪ Double quotation marks can contain double quotation marks if no space is
used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

● Create an SSH user named client002.


# Create an SSH user named client002 and configure DSA authentication for
the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type dsa
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit
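The password rules in the NOTE of this step (the same NOTE appears for the Telnet and RSA examples earlier in this section) can be checked before a password is typed at the prompt. The checker below is an added example, not Huawei code. It applies the rules as the NOTE states them, treats enclosing double quotation marks as delimiters rather than as part of the stored password (an assumption), and takes the length bounds as parameters, because the NOTE says 8 to 16 characters while the CLI prompt shown in this step says 8-128.

```python
from __future__ import annotations

import string

# '?' is never allowed; the rest of ASCII punctuation counts as a "special character".
SPECIAL_CHARS = frozenset(string.punctuation) - {"?"}


def check_password(entry: str, min_len: int = 8, max_len: int = 16) -> list[str]:
    """Return the rule violations for a password as typed at the CLI prompt.

    An empty list means the password is acceptable. `entry` is the raw text, so it
    may be enclosed in double quotation marks to make spaces permissible.
    """
    quoted = len(entry) >= 2 and entry[0] == '"' and entry[-1] == '"'
    # Assumption: enclosing quotation marks are delimiters, not part of the stored
    # password, so the length and character-type rules apply to the text between them.
    pw = entry[1:-1] if quoted else entry
    problems: list[str] = []

    if not min_len <= len(pw) <= max_len:
        problems.append(f"length {len(pw)} is outside {min_len}-{max_len}")
    for c in pw:
        # Letters, digits, permitted punctuation and (subject to quoting) spaces only.
        if not (c.isascii() and (c.isalnum() or c in SPECIAL_CHARS or c == " ")):
            problems.append(f"character {c!r} is not allowed")
            break
    if " " in pw and not quoted:
        problems.append("spaces are allowed only when the password is enclosed in quotation marks")
    if quoted and " " in pw and '"' in pw:
        problems.append("a quoted password that contains spaces may not contain double quotation marks")

    types_present = sum((
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIAL_CHARS for c in pw),   # spaces do not count as a character type
    ))
    if types_present < 2:
        problems.append("fewer than two character types (uppercase, lowercase, digit, special)")
    return problems


def is_valid(entry: str, **bounds: int) -> bool:
    """Convenience wrapper: True when check_password() reports nothing."""
    return not check_password(entry, **bounds)
```

The two example passwords from the NOTE behave as the NOTE says: the quoted password without spaces is accepted, and the quoted password that mixes a space with an inner double quotation mark is rejected with the quoting violation as the reason.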

Step 3 Configure a DSA public key for the server.


# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[*client002] commit

# Check the DSA public key generated on the client.


[~client002] display dsa local-key-pair public
========================================================
Time of Key pair created : 2013-05-21 17:18:17
Key name : client002_Host_DSA
Key modulus : 1024
Key type : DSA Encryption Key


========================================================
Key code:

3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B

Host public Key for PEM format Code:


---- BEGIN SSH2 PUBLIC KEY ----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---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-dss AAAAB3NzaC1kc3MAAACBAKScXq
+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ7rxUv7CJYaDdMV9/
MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/
d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn
+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUAn/
QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G
+s8bPioRMowUun88oNGYs+2UNoRbpeifGtt570WfgmuaXPbQAAAIBAnArnHd3ajPOSRgjcMnKM1vpR
+7STPQPjB4DhZ2qp7uOptneX2x06V69HnDvcQJYpG0VIQ9iIUdz
+sE1ZPxRZkUX7Cwcc7uVflR5kymxMFmGSuSaa2HZO6fhmHI7AjQi9g7zj4FTuOSAgdolDOwehEhm585ReiPA6j
8D7mIOQWw== dsa-key

# Copy the DSA public key generated on the client to the server.
[*SSH Server] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[*SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return last view with "public-key-code end".
[*SSH Server-dsa-public-key-dsa-key-code] 3082019F
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
[*SSH Server-dsa-public-key-dsa-key-code] 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
[*SSH Server-dsa-public-key-dsa-key-code] 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
[*SSH Server-dsa-public-key-dsa-key-code] 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
[*SSH Server-dsa-public-key-dsa-key-code] 43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368

[*SSH Server-dsa-public-key-dsa-key-code] 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
[*SSH Server-dsa-public-key-dsa-key-code] 0B752AC7 817E877F
[*SSH Server-dsa-public-key-dsa-key-code] 0214
[*SSH Server-dsa-public-key-dsa-key-code] CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
[*SSH Server-dsa-public-key-dsa-key-code] C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
[*SSH Server-dsa-public-key-dsa-key-code] AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
[*SSH Server-dsa-public-key-dsa-key-code] C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
[*SSH Server-dsa-public-key-dsa-key-code] 264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
[*SSH Server-dsa-public-key-dsa-key-code] C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
[*SSH Server-dsa-public-key-dsa-key-code] F459F826 B9A5CF6D
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
[*SSH Server-dsa-public-key-dsa-key-code] B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
[*SSH Server-dsa-public-key-dsa-key-code] 57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
[*SSH Server-dsa-public-key-dsa-key-code] 593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
[*SSH Server-dsa-public-key-dsa-key-code] 6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
[*SSH Server-dsa-public-key-dsa-key-code] E054EE39 20207689 433B07A1 1219B9F3 945E88F0
[*SSH Server-dsa-public-key-dsa-key-code] 3A8FC0FB 9883905B
[*SSH Server-dsa-public-key-dsa-key-code] public-key-code end
[*SSH Server-dsa-public-key] peer-public-key end
[*SSH Server] commit
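The key code typed into the peer-public-key view in this step (and in Step 3 of the RSA example above) is the DER key code printed by display dsa local-key-pair public or display rsa local-key-pair public: a SEQUENCE of INTEGERs, p, q, g and y for DSA and n and e for RSA. A mistyped or truncated line leaves the server with a key that the client cannot authenticate against, and the CLI does not cross-check it. The following Python example is added here and is not part of the Huawei documentation. It decodes a key code with a minimal DER reader, and for the RSA key confirms that the pasted code encodes exactly the same modulus and exponent as the ssh-rsa line in OpenSSH format, then computes the SHA256 fingerprint that an operator can compare against the client. The key material is copied from this section; the DSA and RSA key codes on the page are both 1024-bit keys (the SSH1-format line in the RSA example also begins with 1024), which is worth noticing even though the key-creation dialogs offer 2048 and 3072.

```python
from __future__ import annotations

import base64
import hashlib
import struct

# RSA key code for client002's host key, copied from the page (whitespace is ignored).
RSA_KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
"""
# The same key in OpenSSH authorized_keys format, also from the page (wrapped there).
RSA_OPENSSH_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri"
    "89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi"
    "SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key"
)
# DSA key code for client002's host key, from the page: SEQUENCE { p, q, g, y }.
DSA_KEY_CODE = """
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C 9602BAD8 FCE8F7E3 7A69BE18
8CB7D858 6B50EEBC 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E 7EC18D31
35CD78F7 E002FB6B 4CB59BA5 E2CDB898 43FAD059 98B8EEA8 E7395FC7 CA9D1655
47927368 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4 0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2 C8D00C3D 666F61D4 F2E36445
4027FD04 0D61B2A3 AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66 C55AE0F6
69530C14 1B33A5A1 CF77D636 75A5EF3B 264AB66E 2A8CFFB1 690E45F8 6FACF1B3
E2A11328 C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB B4933D03 E30780E1 676AA9EE
E3A9B677 97DB1D3A 57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D 593F1459
9145FB0B 071CEEE5 5F951E64 CA6C4C16 6192B926 9AD8764E E9F8661C 8EC08D08
BD83BCE3 E054EE39 20207689 433B07A1 1219B9F3 945E88F0 3A8FC0FB 9883905B
"""


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated key code")
    return tag, buf[pos:pos + length], pos + length


def der_integers(key_code: str) -> list[int]:
    """Parse a key code (hex digits, any whitespace) as DER SEQUENCE { INTEGER, ... }."""
    der = bytes.fromhex("".join(key_code.split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    values, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError(f"unexpected DER tag 0x{tag:02X} inside key")
        # Read as unsigned: the key codes on the page omit the 0x00 sign byte that
        # strict DER would add for a value whose top bit is set.
        values.append(int.from_bytes(body, "big"))
    return values


def rsa_from_key_code(key_code: str) -> tuple[int, int]:
    """(n, e) from an RSA key code."""
    values = der_integers(key_code)
    if len(values) != 2:
        raise ValueError("RSA key code must contain exactly n and e")
    return values[0], values[1]


def rsa_from_openssh(line: str) -> tuple[int, int]:
    """(n, e) from an 'ssh-rsa <base64> [comment]' line (RFC 4253 string and mpint fields)."""
    algo, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(blob):
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    if algo != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def sha256_fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rsa_key_code_matches_openssh(key_code: str, line: str) -> bool:
    """True when the pasted key code encodes exactly the key the client displays."""
    return rsa_from_key_code(key_code) == rsa_from_openssh(line)
```

Run rsa_key_code_matches_openssh() on the key code as typed and on the client's OpenSSH line before committing; a single wrong hex digit changes the modulus and the check fails, and a missing line makes der_integers() raise because the outer SEQUENCE length no longer matches the data.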

Step 4 Bind the DSA public key to client002.


[~SSH Server] ssh user client002 assign dsa-key dsakey001
[*SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.


# Enable the STelnet server function.
[~SSH Server] stelnet server enable
[*SSH Server] ssh server-source -i GigabitEthernet0/0/0
[*SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.


[~SSH Server] ssh user client001 service-type stelnet
[*SSH Server] ssh user client002 service-type stelnet
[*SSH Server] commit

Step 7 Connect STelnet clients to the SSH server.


# If the client logs in to the server for the first time, enable first authentication on
the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.


[*client002] ssh client first-time enable
[*client002] commit

# Log in to the SSH server in password authentication mode on STelnet client001
by entering the username and password.
[~client001] stelnet 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y

Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:

The following information indicates that the login is successful:


Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

# Client002 logs in to the SSH server in DSA authentication mode.


[~client002] stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1 ...
Please input the username: client002
Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:
Enter password:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 15, the number of current VTY users online is 1, and total number of
terminal users online is 1.
The current login time is 2015-07-13 15:33:08.
The last login time is 2015-07-13 15:26:18 from 127.0.0.1 through SSH.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message
Session is disconnected is displayed.

Step 8 Verify the configuration.

# Check the status of the SSH server.


[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check information about SSH users.
[~SSH Server] display ssh user-information
----------------------------------------------------
User Name : client001
Authentication-Type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory :-
Service-type : stelnet

User Name : client002
Authentication-Type : dsa
User-public-key-name : dsakey001
User-public-key-type : -
Sftp-directory :-
Service-type : stelnet
----------------------------------------------------

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
dsa peer-public-key dsakey001
public-key-code begin
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
public-key-code end
peer-public-key end
#
stelnet server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign dsa-key dsakey001
ssh user client002 authentication-type dsa
ssh authorization-type default root
ssh user client002 service-type stelnet
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user privilege level 3
#
return

● Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.255.0
#
ssh client first-time enable
#
return

● Client002 configuration file
#
sysname client002
#
interface GigabitEthernet0/0/0
ip address 10.1.3.3 255.255.255.0
#
ssh client first-time enable
#
return
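The dsa peer-public-key block in the SSH server configuration file above stores client002's DSA public key as a hex dump of an ASN.1 SEQUENCE of four INTEGERs. Before a key pasted in this form is trusted, an operator wants to know that it parses as a whole and how large its parameters are. The following Python script is added here as an example and is not part of the Huawei guide; it parses the dsakey001 key code copied from the configuration file above and reports the bit lengths. The 160-bit element is the subgroup order q; the three 1024-bit elements are treated as p, g and y in the order they appear (an assumption based on the layout, which does not affect the size check). The INTEGERs in this dump carry no leading 0x00 byte where the high bit is set, so they are read as unsigned values. The policy thresholds (2048-bit p, 224-bit q) are the FIPS 186-4 minimum sizes and are this example's own choice.

```python
import re

# "dsa peer-public-key dsakey001" key code from the SSH server configuration file above (copied from the page)
DSAKEY001_CODE = """
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
"""

SEQUENCE, INTEGER = 0x30, 0x02


def read_tlv(buf, off):
    """Read one ASN.1 tag-length-value at buf[off]; returns (tag, value, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % off)
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad length encoding at offset %d" % off)
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("value runs past end of key code")
    return tag, buf[off:off + length], off + length


def parse_dsa_key_code(text):
    """Parse the CLI hex dump into four integers, in the order they appear (assumed p, q, g, y)."""
    buf = bytes.fromhex(re.sub(r"\s+", "", text))
    tag, body, end = read_tlv(buf, 0)
    if tag != SEQUENCE or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE covering the whole key code")
    ints, off = [], 0
    while off < len(body):
        tag, value, off = read_tlv(body, off)
        if tag != INTEGER or not value:
            raise ValueError("expected INTEGER inside SEQUENCE")
        # the vendor dump omits DER's leading 0x00 for high-bit values, so read unsigned
        ints.append(int.from_bytes(value, "big"))
    if len(ints) != 4:
        raise ValueError("expected p, q, g, y; got %d integers" % len(ints))
    return tuple(ints)


def dsa_key_sizes(text):
    """Bit lengths of the four parameters, keyed by their assumed names."""
    p, q, g, y = parse_dsa_key_code(text)
    return {"p": p.bit_length(), "q": q.bit_length(), "g": g.bit_length(), "y": y.bit_length()}


def dsa_key_is_well_formed(text):
    """Cheap structural sanity check: g and y must lie in (1, p) and q, a prime, must be odd."""
    p, q, g, y = parse_dsa_key_code(text)
    return 1 < g < p and 1 < y < p and q % 2 == 1


def dsa_meets_policy(text, min_p_bits=2048, min_q_bits=224):
    """FIPS 186-4 minimum (p, q) sizes, used here as the policy threshold (this example's assumption)."""
    sizes = dsa_key_sizes(text)
    return sizes["p"] >= min_p_bits and sizes["q"] >= min_q_bits


if __name__ == "__main__":
    print(dsa_key_sizes(DSAKEY001_CODE))
    print("well formed:", dsa_key_is_well_formed(DSAKEY001_CODE))
    print("meets policy:", dsa_meets_policy(DSAKEY001_CODE))
```

Run against the key above, the script reports p = 1024 bits and q = 160 bits, so dsa_meets_policy returns False. A 1024-bit DSA key is below the size NIST SP 800-131A allows for signature generation, and OpenSSH has disabled ssh-dss keys by default since version 7.0; where the client can authenticate with an ECC key, or an RSA key of 2048 bits or more under rsa_sha2_256/rsa_sha2_512, prefer that over DSA.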

1.1.8.14.4 Example for Using STelnet to Log In to Other Devices (ECC Authentication Mode)
This example shows how to log in to another device by using STelnet. To allow the STelnet client to connect to the SSH server, generate local key pairs on both the client and the server, copy the client's ECC public key to the server, and bind that public key to the SSH user the client logs in as.

Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot connect each device to a terminal. When no reachable route exists between remote devices and a terminal, you can use Telnet to log in to the remote devices from the device that you have logged in to. Telnet provides no secure authentication mode, and data is transmitted in plaintext over TCP, which brings security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication functions to protect devices against attacks such as IP address spoofing. After the STelnet server function is enabled on the SSH server, the STelnet client can log in to the SSH server in password, ECC, password-ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2, x509v3-ssh-rsa, password-x509v3-rsa or all authentication mode. As shown in Figure 1-62, client001 and client002 are configured to log in to the SSH server in password and ECC authentication modes, respectively.

Figure 1-62 Using STelnet to log in to another device


NOTE

Interface1 in this example represents GigabitEthernet0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication modes to log in to the SSH server.
2. Generate local key pairs on client002 and the SSH server, copy the ECC public key of client002 to the SSH server, and bind it to SSH user client002 so that the server can authenticate the client when it attempts to log in.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH clients.
6. Use STelnet on client001 and client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● ECC authentication (public key: ecckey001) for client002
● IP address of the SSH server: 10.1.1.1.

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ecc local-key-pair create
Info: The key name will be: SSH Server_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.

Step 2 Create SSH users on the server.
NOTE

SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.

# Configure VTY user interfaces.
[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] user privilege level 3
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

● Create an SSH user named client001.

# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit

# Set a password for client001.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE
The password must meet the following requirements:
– The password is entered interactively and is not displayed while it is typed.
– A password is a string of 8 to 16 case-sensitive characters and must contain at least two of the following character types: uppercase letters, lowercase letters, digits, and special characters.
– Question marks (?) are not allowed. Spaces are allowed only if the whole password is enclosed in double quotation marks, and a password that is enclosed in quotation marks because it contains spaces cannot itself contain double quotation marks; a password without spaces may contain them. For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
The configured password is displayed in ciphertext in the configuration file.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

● Create an SSH user named client002.

# Create an SSH user named client002 and configure ECC authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type ecc
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure the ECC public key of client002 on the server.

# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] ecc local-key-pair create
Info: The key name will be: client002_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
[*client002] commit

# Check the ECC public key generated on the client.
[~client002] display ecc local-key-pair public
======================Host Key==========================
Time of Key pair created : 2013-01-22 10:33:06
Key Name : client002_Host_ECC
Key Type : ECC Encryption Key
========================================================
Key Code:
04D7635B C047B02E 20C1E6CB E04B5E5C
7DCADD88
F676AB0E C91ACB3C B0394B18 FA29E5C2
0426F924
DAD9AA02 C531E5ED C6783FFA 41235A16
8D7723E0
7E63D68D E7

Host Public Key for PEM format Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAxOTIAAABBBL+PCqbAEJKKKUpCYdSfyiyY5Iq3
DM9ZB3mjx62wShmmNMiZJAV+02aMJ6CsHBuWCbVLO/Zg8Ng3kGXC4ltmLXM=
---- END SSH2 PUBLIC KEY ----

# Copy the ECC public key generated on the client to the server.
[~SSH Server] ecc peer-public-key ecckey001
Enter "ECC public key" view, return system view with "peer-public-key end".
[*SSH Server-ecc-public-key] public-key-code begin
Enter "ECC key code" view, return last view with "public-key-code end".
[*SSH Server-ecc-public-key-ecc-key-code] 04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
[*SSH Server-ecc-public-key-ecc-key-code] B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
[*SSH Server-ecc-public-key-ecc-key-code] 668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
[*SSH Server-ecc-public-key-ecc-key-code] E25B662D 73
[*SSH Server-ecc-public-key-ecc-key-code] public-key-code end
[*SSH Server-ecc-public-key] peer-public-key end
[*SSH Server] commit

Step 4 Bind the ECC public key to client002.
[~SSH Server] ssh user client002 assign ecc-key ecckey001
[*SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.

# Enable the STelnet server function.
[~SSH Server] stelnet server enable
[*SSH Server] ssh server-source -i GigabitEthernet0/0/0
[*SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.
[*SSH Server] ssh user client001 service-type stelnet
[*SSH Server] ssh user client002 service-type stelnet
[*SSH Server] commit

Step 7 Connect STelnet clients to the SSH server.

# If the client logs in to the server for the first time, enable first authentication on the client. With first authentication enabled, the client accepts and saves the server's host key on the first connection without verifying it (this is the "The server is not authenticated. Continue to access it?" prompt shown below), so an attacker on the path during that first session could substitute their own key. Compare the saved key with a fingerprint obtained from the server's administrator out of band, and disable first authentication again with the undo form of the command once the key has been saved.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.
[~client002] ssh client first-time enable
[*client002] commit

# Log in to the SSH server in password authentication mode on STelnet client001 by entering the username and password.
<~client001> stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:

The following information indicates that the login is successful:
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
First login successfully.
<SSH Server>

# Log in to the SSH server in ECC authentication mode on client002.
<~client002> stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Please input the username: client002
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message
Session is disconnected is displayed.

Step 8 Verify the configuration.

# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check information about SSH users.
[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name :
User-public-key-type : -
Sftp-directory :-
Service-type : stelnet

Username : client002
Authentication-type : ecc
User-public-key-name : ecckey001
User-public-key-type : ECC
Sftp-directory :-
Service-type : stelnet
----------------------------------------------------
Total 2, 2 printed

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
ecc peer-public-key ecckey001
public-key-code begin
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
public-key-code end
peer-public-key end
#
stelnet server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign ecc-key ecckey001
ssh user client002 authentication-type ecc
ssh authorization-type default root
ssh user client002 service-type stelnet
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user privilege level 3
#
return
● Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

● Client002 configuration file
#
sysname client002
#
interface GigabitEthernet0/0/0
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

1.1.8.14.5 Example for Using STelnet to Log In to Another Device (SM2 Authentication Mode)
In this example, local SM2 key pairs are generated on the STelnet client and on the secure shell (SSH) server. The client's SM2 public key is entered on the SSH server and bound to the SSH user for the STelnet client, and the server's own SM2 key pair is assigned as its host key, so that the STelnet client and SSH server can communicate.

Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot connect each device to a terminal. When no reachable route exists between remote devices and a terminal, you can use Telnet to log in to the remote devices from the device that you have logged in to. Telnet provides no secure authentication mode, and data is transmitted in plaintext over TCP, which brings security risks.
STelnet is a secure Telnet service over SSH connections. SSH provides encryption and authentication functions to protect devices against attacks such as IP address spoofing. After STelnet is enabled on an SSH server, an STelnet client can log in to the SSH server in RSA, DSA, ECC, SM2, x509v3-ssh-rsa, password, password-rsa, password-ecc, password-dsa, password-sm2, password-x509v3-rsa, or all authentication mode. On the network shown in Figure 1-63, users client001 and client002 are configured to log in to the SSH server in password and SM2 authentication modes, respectively.

Figure 1-63 Using STelnet to log in to another device


NOTE

Interface1 in this example represents GigabitEthernet0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure client001 and client002 to log in to the SSH server in different authentication modes.
2. Generate a local SM2 key pair on client002 and on the SSH server, enter the SM2 public key of client002 on the server, and bind it to SSH user client002 so that the server can authenticate the client when it logs in.
3. Enable the STelnet service on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH clients.
6. Configure client001 and client002 to log in to the SSH server using STelnet.

Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● client002 with the public key being sm2key001 and authentication mode
being SM2 authentication
● SSH server at IP address 10.1.1.1

Procedure
Step 1 Enable the SM2 public key algorithm on the server. (The server's own SM2 key pair is generated and assigned as its host key in Step 5.)
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ssh server publickey sm2

Step 2 Create SSH users on the server.


NOTE

SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.

# Configure the VTY user interface.
[*SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] user privilege level 3
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

● Create SSH user client001.

# Create SSH user client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit

# Set a password for client001.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE
The password must meet the following requirements:
– The password is entered interactively and is not displayed while it is typed.
– A password is a string of 8 to 16 case-sensitive characters and must contain at least two of the following character types: uppercase letters, lowercase letters, digits, and special characters.
– Question marks (?) are not allowed. Spaces are allowed only if the whole password is enclosed in double quotation marks, and a password that is enclosed in quotation marks because it contains spaces cannot itself contain double quotation marks; a password without spaces may contain them. For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
The configured password is displayed in ciphertext in the configuration file.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

● Create SSH user client002.
# Create SSH user client002 and configure SM2 authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type sm2
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure the SM2 public key of client002 on the server.

# Generate a local key pair on client002.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] ssh client publickey sm2
[*client002] sm2 key-pair label sm2key001
Info: Key pair generation will take a short while. Please wait...
Info: Creating the key pair succeeded.
[*client002] ssh client assign sm2-host-key sm2key001
[*client002] commit

# Display the SM2 public key generated on client002.
[~client002] display sm2 key-pair
=====================================
Label Name: sm2key001
Modulus: 521
Time of Key pair created: 2018-06-19 15:39:45
=====================================
Key :
0474F110 F90F131B B6F6D929 9A23A41E F1AB1666 AC4BE4EE EF2CD876
2B633F80 DD5CF42F 147A722F DE527F39 247F3744 C23296BE FE3BE502
EEF7D9EC BC28A576 7E
=====================================

# Enter the SM2 public key generated on client002 on the server.
[~SSH Server] sm2 peer-public-key sm2key001
Enter "SM2 public key" view, return system view with "peer-public-key end".
[*SSH Server-sm2-public-key] public-key-code begin
Enter "SM2 key code" view, return last view with "public-key-code end".
[*SSH Server-sm2-public-key-sm2-key-code] 0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
[*SSH Server-sm2-public-key-sm2-key-code] AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
[*SSH Server-sm2-public-key-sm2-key-code] DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
[*SSH Server-sm2-public-key-sm2-key-code] BC28A576 7E
[*SSH Server-sm2-public-key-sm2-key-code] public-key-code end
[*SSH Server-sm2-public-key] peer-public-key end
[*SSH Server] commit
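In both the ECC example (Step 3 there, where the output of display ecc local-key-pair public on client002 is re-typed into the ecc peer-public-key view) and the SM2 example here (display sm2 key-pair, then sm2 peer-public-key), the client's public key reaches the server by an operator copying a hex dump. A transcription error or a swapped key silently binds the wrong key to the SSH user, so the check an operator wants before public-key-code end is a byte-for-byte comparison. The following Python script is added here as an example and is not part of the Huawei guide: it decodes the RFC 4716 "SSH2 PUBLIC KEY" block that the client prints alongside the hex, splits it into SSH wire-format strings, and compares the point with the key code entered on the server. It uses the key material printed in the two examples (the client002 PEM block and the ecckey001 and sm2key001 key codes). The per-curve point lengths and the fingerprint format are this example's own conventions, not device behaviour.

```python
import base64
import hashlib
import re
import struct

# "display ecc local-key-pair public" output on client002, copied from the ECC example above
CLIENT002_PEM = """\
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAxOTIAAABBBL+PCqbAEJKKKUpCYdSfyiyY5Iq3
DM9ZB3mjx62wShmmNMiZJAV+02aMJ6CsHBuWCbVLO/Zg8Ng3kGXC4ltmLXM=
---- END SSH2 PUBLIC KEY ----
"""

# Key code typed into the "ecc peer-public-key ecckey001" view on the SSH server, copied from the ECC example
ECCKEY001_CODE = """
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
"""

# Key code from "display sm2 key-pair" on client002 / "sm2 peer-public-key sm2key001" on the server (SM2 example)
SM2KEY001_CODE = """
0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
BC28A576 7E
"""

# Length of an uncompressed point, 1 + 2 * field size in bytes, per curve named in the algorithm string
UNCOMPRESSED_POINT_LEN = {"nistp192": 49, "nistp256": 65, "nistp384": 97, "nistp521": 133}


def key_code_bytes(text):
    """Turn the CLI's space- and line-separated hex key code into raw bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))


def rfc4716_blob(pem):
    """Base64-decode an RFC 4716 '---- BEGIN SSH2 PUBLIC KEY ----' block; header lines (with ':') are skipped."""
    lines = [l.strip() for l in pem.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("----") and ":" not in l))


def ssh_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed strings (RFC 4251 'string')."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field at offset %d" % off)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("string runs past end of blob at offset %d" % off)
        fields.append(blob[off:off + n])
        off += n
    return fields


def check_uncompressed_point(point):
    """Accept only 0x04 || X || Y with X and Y of equal length; returns the point unchanged."""
    if len(point) < 3 or point[0] != 0x04 or len(point) % 2 == 0:
        raise ValueError("not an uncompressed EC point")
    return point


def ecc_point_from_pem(pem):
    """(algorithm name, point bytes) from the client's PEM block; the point is the last SSH string."""
    fields = ssh_strings(rfc4716_blob(pem))
    algo = fields[0].decode("ascii")
    if not algo.startswith("ecdsa-sha2-"):
        raise ValueError("unexpected key type %r" % algo)
    return algo, check_uncompressed_point(fields[-1])


def curve_matches_point(algo, point):
    """True if the point has the length the curve named in the algorithm string requires."""
    return UNCOMPRESSED_POINT_LEN.get(algo[len("ecdsa-sha2-"):]) == len(point)


def key_code_matches_pem(key_code, pem):
    """The check to make before 'public-key-code end': is the pasted hex exactly the client's public key?"""
    return check_uncompressed_point(key_code_bytes(key_code)) == ecc_point_from_pem(pem)[1]


def key_code_fingerprint(key_code):
    """SHA-256 fingerprint of the raw point, short enough to compare over a phone call or in a ticket."""
    digest = hashlib.sha256(key_code_bytes(key_code)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    algo, point = ecc_point_from_pem(CLIENT002_PEM)
    print(algo, len(point), "curve/point consistent:", curve_matches_point(algo, point))
    print("ecckey001 matches client002 PEM:", key_code_matches_pem(ECCKEY001_CODE, CLIENT002_PEM))
    print("ecckey001", key_code_fingerprint(ECCKEY001_CODE))
    print("sm2key001 point length:", len(check_uncompressed_point(key_code_bytes(SM2KEY001_CODE))))
```

Decoding the client002 PEM block yields exactly two SSH strings, "ecdsa-sha2-nistp192" and a 65-byte point, and that point equals the key code entered in the ecc peer-public-key view, so key_code_matches_pem returns True. (RFC 5656 places a third string, the curve name, between those two, so this PEM block cannot be pasted into an OpenSSH authorized_keys file unchanged.) curve_matches_point returns False for it: 65 bytes is the size of an uncompressed P-256 point, not a 192-bit one, and the hex Key Code the client prints in the page's output differs from its own PEM block as well, so the guide's sample key material is illustrative rather than a consistent key. On real key material either discrepancy is a reason to stop before committing. The sm2key001 key code is also a 65-byte uncompressed point, as expected for the 256-bit SM2 curve. Reading key_code_fingerprint output back to the client's operator before public-key-code end catches the transcription errors this procedure invites.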

Step 4 Bind the SM2 public key to client002.
[~SSH Server] ssh user client002 assign sm2-key sm2key001
[*SSH Server] commit

Step 5 Assign an SM2 key pair to the SSH server.
# Generate a local SM2 key pair on the SSH server.
[~SSH Server] sm2 key-pair label sm2key001

# Assign the SM2 key pair to the SSH server.
[*SSH Server] ssh server assign sm2-host-key sm2key001
[*SSH Server] commit

Step 6 Enable STelnet on the SSH server.

# Enable STelnet.
[~SSH Server] stelnet server enable
[*SSH Server] ssh server-source -i GigabitEthernet0/0/0
[*SSH Server] commit

Step 7 Set the service type of client001 and client002 to STelnet.
[*SSH Server] ssh user client001 service-type stelnet
[*SSH Server] ssh user client002 service-type stelnet
[*SSH Server] commit

Step 8 Connect STelnet clients to the SSH server.

# For the first login, enable first-time authentication on the clients.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first-time authentication on client002.
[~client002] ssh client first-time enable
[*client002] commit

# Log in to the SSH server in password authentication mode on STelnet client001 by entering the username and password.
[~client001] stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:

The following information indicates that the login is successful:
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2018-07-16 11:42:42.
First login successfully.

# Connect client002 to the SSH server in SM2 authentication mode.
<~client002> stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Please input the username: client002
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2018-07-16 11:42:42.

If the login succeeds, the user view is displayed. If the login fails, a Session is disconnected message is displayed.

Step 9 Verify the configuration.

# Display the SSH status.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Display SSH user information.
[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name :
User-public-key-type : -
Sftp-directory :-
Service-type : stelnet

Username : client002
Authentication-type : sm2
User-public-key-name : sm2key001
User-public-key-type : SM2
Sftp-directory :-
Service-type : stelnet
----------------------------------------------------
Total 2, 2 printed

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
sm2 peer-public-key sm2key001
public-key-code begin
0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
BC28A576 7E
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type sm2
ssh user client002 assign sm2-key sm2key001
ssh user client002 service-type stelnet
ssh server-source -i GigabitEthernet0/0/0
ssh server assign sm2-host-key sm2key001
ssh authorization-type default root
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user privilege level 3
#
return
● client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return
● client002 configuration file
#
sysname client002
#
interface GigabitEthernet0/0/0
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
ssh client assign sm2-host-key sm2key001
#
ssh client publickey sm2
#
return

1.1.8.14.6 Example for Using TFTP to Access Other Devices

You can run the TFTP software on the TFTP server and set the directory of source
files on the server to upload and download files.

Networking Requirements
In the TCP/IP protocol suite, FTP is most commonly used to transfer files. However,
FTP involves complex interactions between terminals and servers, which are hard to
implement on terminals that do not run advanced operating systems. TFTP is
designed for file transfer that does not require complex interactions between
terminals and servers. It is simple and inexpensive to implement. TFTP provides no
authentication and can be used only for simple file transfer.
On the network shown in Figure 1-64, a user logs in to a TFTP client from a PC
and then uploads files to or downloads files from a TFTP server.

Figure 1-64 Using TFTP to access another device

Precautions
In insecure network environments, you are advised to use a secure protocol.
1.1.8.14.10 Example for Using SFTP to Log In to Other Devices (ECC
Authentication Mode) provides examples for secure protocols.

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the directory of source files
on the server.
2. Use TFTP commands on the TFTP client to download files.
3. Use TFTP commands on the TFTP client to upload files.

Data Preparation
To complete the configuration, you need the following data:
● TFTP software to be installed on the TFTP server
● Name of the file to be downloaded and path of the file on the TFTP server
● Name of the file to be uploaded and path of the file on the TFTP client

Procedure
Step 1 Enable the TFTP server function.
Set Current Directory to the directory where the files to be downloaded reside on
the TFTP server, as shown in Figure 1-65.

Figure 1-65 Setting the current directory on the TFTP server

NOTE

The displayed window may vary with the TFTP software.

On the TFTP server host, change to the tftpservermt directory and start the server
with the following command:
/home/tftpservermt # ./tftpserver -v -i tftpserver.ini
TFTP Server MultiThreaded Version 1.61 Unix Built 1611
starting TFTP...
username: root
alias / is mapped to /home/
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 3
file read allowed: Yes
file create allowed: Yes
file overwrite allowed: Yes
thread pool size: 1
listening on: 0.0.0.0:69
Accepting requests..

Step 2 Log in to the TFTP client through the terminal emulation program of the PC to
download a file.
<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select [Y/N]:y
Transfer file in binary mode.
Please wait for a while...
/
3338 bytes transferred
File transfer completed

Step 3 Verify the configuration.
Run the dir command on the TFTP client to view the directory in which the
downloaded file is saved.
<HUAWEI> dir
Directory of 0/17#cfcard:/

Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 3,338 Jan 25 2011 09:27:41 b.txt
1 -rw- 103,265,123 Jan 25 2011 06:49:07 V800R022C00SPC600B020D0123.cc
2 -rw- 92,766,274 Jan 25 2011 06:49:10 V800R022C00SPC600SPC007B008D1012.cc

109,867,396 KB total (102,926,652 KB free)

Step 4 Log in to the TFTP client through the terminal emulation program of the PC to
upload a file.
<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode.
Please wait for a while...
\ 100% [***********]
File transfer completed

----End

Configuration Files
None

1.1.8.14.7 Example for Using FTP to Access Other Devices

You can log in to an FTP server from an FTP client to download system software
and configuration files from the server to the client.

Context
NOTE

As FTP poses security risks, using SFTP is recommended.

Networking Requirements
To transfer files with a remote FTP server or manage directories of the server,
configure a device as an FTP client and use FTP to access the FTP server.
On the network shown in Figure 1-66, the FTP client and server are routable to
each other. To download system software and configuration files from the server
to the client, log in to the server from the client.

Figure 1-66 Using FTP to access another device

NOTE

In this example, interface 1 represents GE 1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the username and password for an FTP user to log in to the FTP
server and the directory that the user will access.
2. Enable the FTP server function.
3. Run login commands to log in to the FTP server.
4. Configure the file transfer mode and working directory to allow the client to
download files from the server.

Data Preparation
To complete the configuration, you need the following data:
● Username and password used by the FTP client for login
● IP address of the FTP server: 1.1.1.1
● Target file and its location on the FTP client

Precautions
In insecure network environments, you are advised to use a secure protocol.
1.1.8.14.10 Example for Using SFTP to Log In to Other Devices (ECC
Authentication Mode) provides examples for secure protocols.

Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] local-user huawei password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:
● The password is entered in man-machine interaction mode. The system does not display
the entered password.
● A password is a string of 8 to 16 case-sensitive characters and must contain at least two
of the following character types: uppercase letters, lowercase letters, digits, and special
characters.
● Special characters exclude question marks (?) and spaces. However, spaces are allowed
in the password if the password is enclosed in double quotation marks.
– A password that contains spaces cannot also contain double quotation marks.
– A password that contains no spaces can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*HUAWEI-aaa] local-user huawei service-type ftp
[*HUAWEI-aaa] local-user huawei ftp-directory cfcard:/
[*HUAWEI-aaa] local-user huawei level 3
[*HUAWEI-aaa] commit
[*HUAWEI-aaa] quit

Step 2 Enable the FTP server function.
[~HUAWEI] interface LoopBack 0
[~HUAWEI-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*HUAWEI-LoopBack0] quit
[*HUAWEI] ftp server enable
[*HUAWEI] ftp server-source -i loopback 0
[*HUAWEI] commit
[~HUAWEI] quit

Step 3 Log in to the FTP server from the FTP client.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

Step 4 Set the file transfer mode to binary and specify the Flash working directory on the
FTP client.
[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit

Step 5 Download the latest system software from the FTP server to the FTP client.
[ftp] get V800R022C00SPC600B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for V800R022C00SPC600B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

Run the dir command to check whether the required file has been downloaded to
the client.

----End

Configuration Files
● FTP server configuration file
#
aaa
local-user huawei password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user huawei ftp-directory cfcard:/
local-user huawei level 3
local-user huawei service-type ftp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
ftp server enable
ftp server-source -i loopback 0
#
return

● FTP client configuration file
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
return

1.1.8.14.8 Example for Using SFTP to Log In to Other Devices (RSA Authentication
Mode)
To allow the SFTP client to connect to the SSH server, configure the client and
server to generate local key pairs, configure the client to generate an RSA public
key, and bind the public key to the client.

Networking Requirements
SFTP runs over SSH, so users can log in to a remote device securely to manage and
transfer files. Because the device can function as an SFTP client, you can log in to
a remote SSH server from the device to transfer files securely.
As shown in Figure 1-67, after the SFTP server function is enabled on the SSH
server, the SFTP client can log in to the SSH server in password, ECC, password-
ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2, x509v3-ssh-
rsa, password-x509v3-rsa or all authentication mode for file access.

Figure 1-67 Using SFTP to access another device

NOTE

Interface1 in this example represents GigabitEthernet0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure SFTP client002 and the SSH server to generate local key pairs, and
bind the RSA public key of the SSH client to client002 to authenticate the
client when the client logs in to the server.

3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use SFTP on client001 and client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● RSA authentication (public key: rsakey001) for client002
● IP address of the SSH server: 10.1.1.2

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072

Step 2 Create SSH users on the server.
NOTE

SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.

# Configure VTY user interfaces.
[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

● Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication
for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit

# Set a password for client001.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:
– The password is entered in man-machine interaction mode. The system does not
display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at
least two of the following character types: uppercase letters, lowercase letters,
digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are
allowed in the password if the password is enclosed in double quotation marks.
▪ A password that contains spaces cannot also contain double quotation marks.
▪ A password that contains no spaces can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

● Create an SSH user named client002.
# Create an SSH user named client002 and configure RSA authentication for
the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type rsa
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure the RSA public key of client002 on the server.
# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
[*client002] commit

# Check the RSA public key generated on the client.

[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Host
Key Type : RSA Encryption Key
========================================================
Key Code:

308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001

Host Public Key for PEM format Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98
25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn
+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX
GJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri
89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi
SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:
1024 65537 125048203250833642388841080101906750228075076456213955541037945628567
57310398880086451511608221218821171562865637463140847157102422109476944363593619
24637760514734544191988044752471924402237145321162849626052751701862381759745461
33321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:

3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-public-key-rsa-key-code] 308188
[*SSH Server-rsa-public-key-rsa-key-code] 028180
[*SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5

[*SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[*SSH Server-rsa-public-key-rsa-key-code] 0203
[*SSH Server-rsa-public-key-rsa-key-code] 010001
[*SSH Server-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server] commit
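The device prints the same public key as a hex Key Code (the form pasted into the rsa peer-public-key view above) and as an OpenSSH ssh-rsa line. The following Python script, added here as an example and not part of the guide, parses the hex, rebuilds the OpenSSH blob from the same modulus and exponent, and checks that the two forms agree, so a mis-copied key block is caught before it is bound to client002. The key material is the client002_Host key shown above; the function names are this example's own.

```python
"""Cross-check the RSA public key printed by 'display rsa local-key-pair public'.

Added example, not part of the Huawei guide. The device prints the key twice:
a hex 'Key Code' (PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }) that
is pasted into the server's 'rsa peer-public-key' view, and an OpenSSH
'ssh-rsa' base64 line. This script derives (n, e) from the hex, rebuilds the
OpenSSH blob and compares it with the printed line.
"""
import base64
import hashlib
import struct

# 'Key Code' of client002_Host as printed on the device (copied from the guide).
KEY_CODE_HEX = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
"""

# Base64 part of the OpenSSH authorized_keys line printed by the same command.
OPENSSH_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri"
    "89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi"
    "SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ=="
)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(hex_text):
    """Return (n, e) from the device's hex Key Code.

    The device omits the 0x00 pad byte strict DER requires for a modulus whose
    top bit is set, so the INTEGER bytes are read as unsigned.
    """
    der = bytes.fromhex("".join(hex_text.split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 mpint: big-endian, with a 0x00 pad byte if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def openssh_blob(n, e):
    """Wire-format 'ssh-rsa' key as stored in authorized_keys / known_hosts."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint(n, e):
    """SHA256 fingerprint in OpenSSH notation, for comparing out of band."""
    digest = hashlib.sha256(openssh_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_code_matches(hex_text, b64_line):
    """True if the hex Key Code and the OpenSSH base64 describe the same key."""
    n, e = parse_key_code(hex_text)
    return base64.b64encode(openssh_blob(n, e)).decode() == b64_line


if __name__ == "__main__":
    n, e = parse_key_code(KEY_CODE_HEX)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print("fingerprint:", fingerprint(n, e))
    print("Key Code matches OpenSSH line:", key_code_matches(KEY_CODE_HEX, OPENSSH_B64))
```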

Step 4 Bind the RSA public key to client002.
[~SSH Server] ssh user client002 assign rsa-key rsakey001
[*SSH Server] commit

Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*SSH Server-LoopBack0] quit
[*SSH Server] sftp server enable
[*SSH Server] ssh server-source -i loopback 0
[*SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password
authentication mode and client002 in RSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
[*SSH Server] commit

Step 7 Connect SFTP clients to the SSH server.
# If the client logs in to the server for the first time, enable first authentication on
the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.
[*client002] ssh client first-time enable
[*client002] commit

# Connect client001 to the SSH server in password authentication mode.
[~client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.1.1.1. Please wait
Enter password:

# Connect client002 to the SSH server in RSA authentication mode.
[~client002] sftp 10.1.1.1
Please input the username: client002

Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait.

Step 8 Verify the configuration.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check information about SSH users.
[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : cfcard:
Service-type : sftp

Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory :-
Service-type : sftp
----------------------------------------------------
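The status output above and the algorithm lines in the server configuration file are worth a quick review before the example is taken into production. The following Python script, added here as an example and not the guide's own tooling, parses the display ssh server status output and the ssh server / ssh client algorithm lines and reports SSH 1.x compatibility, SSH services exposed with no ACL, and SHA-1-based public-key algorithms (rsa and dsa, that is ssh-rsa and ssh-dss) still offered on the client side. The sample texts are copied from this example; the list of legacy tokens and the wording of the findings are this example's own.

```python
"""Audit the SSH server status and algorithm lists shown in this example.

Added example, not part of the Huawei guide. Rules applied (this example's
own choices): SSH 1.x compatibility should be disabled, enabled SSH services
should be restricted by an ACL, port forwarding should be off unless needed,
and algorithm lists should not carry SHA-1, CBC, ssh-rsa or ssh-dss tokens.
"""
import re

# Excerpt of 'display ssh server status' from Step 8 (copied from the guide).
STATUS_OUTPUT = """\
SSH Version : 2.0
SSH version 1.x compatibility : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv4 server port(830) : Disable
SCP IPv4 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
"""

# Algorithm lines from the SSH server configuration file (copied from the guide).
CONFIG_LINES = """\
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
"""

ACL_FIELDS = ("ACL name", "ACL number", "ACL6 name", "ACL6 number")
ALG_LINE = re.compile(r"^ssh (server|client) (cipher|hmac|key-exchange|publickey)\s+(.+)$")


def parse_status(text):
    """Turn 'Name : Value' lines into a dict; an empty value becomes ''."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            status[name.strip()] = value.strip()
    return status


def audit_status(status):
    """Return a list of findings for the parsed status output."""
    findings = []
    if status.get("SSH version 1.x compatibility") == "Enable":
        findings.append("SSH 1.x compatibility is enabled; SSH-1 is obsolete and should be disabled")
    if status.get("SSH port forwarding") == "Enable":
        findings.append("SSH port forwarding is enabled; confirm it is required")
    exposed = [k for k, v in status.items() if k.endswith(" server") and v == "Enable"]
    if exposed and not any(status.get(f) for f in ACL_FIELDS):
        findings.append("no ACL restricts client sources for: " + ", ".join(exposed))
    return findings


def is_legacy(token):
    """SHA-1 based, CBC, ssh-rsa ('rsa') or ssh-dss ('dsa') tokens of the device CLI."""
    return (token in ("rsa", "dsa", "md5", "md5_96", "sha1", "sha1_96")
            or token.endswith("_cbc") or token.endswith("_sha1"))


def parse_algorithms(config_text):
    """Map (side, list name) to the algorithm tokens of each matching 'ssh ...' line."""
    algs = {}
    for line in config_text.splitlines():
        m = ALG_LINE.match(line.strip())
        if m:
            algs[(m.group(1), m.group(2))] = m.group(3).split()
    return algs


def audit_algorithms(algs):
    """One finding per algorithm list that still carries a legacy token."""
    findings = []
    for (side, name), tokens in sorted(algs.items()):
        weak = [t for t in tokens if is_legacy(t)]
        if weak:
            findings.append("%s %s list carries legacy algorithm(s): %s" % (side, name, ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for f in audit_status(parse_status(STATUS_OUTPUT)) + audit_algorithms(parse_algorithms(CONFIG_LINES)):
        print("-", f)
```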

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F

474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.2 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
● Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return
● Client002 configuration file
#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.3.3 255.255.0.0
#

ssh client first-time enable
#
return

1.1.8.14.9 Example for Using SFTP to Log In to Other Devices (DSA Authentication
Mode)
To allow the SFTP client to connect to the SSH server, configure the client and
server to generate local key pairs, configure the client to generate a DSA public
key, send the public key to the server, and bind the public key to the client.

Networking Requirements
SFTP runs over SSH, so users can log in to a remote device securely to manage and
transfer files. Because the device can function as an SFTP client, you can log in to
a remote SSH server from the device to transfer files securely.
As shown in Figure 1-68, after the SFTP server function is enabled on the SSH
server, the SFTP client can log in to the SSH server in password, ECC, password-
ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2, x509v3-ssh-
rsa, password-x509v3-rsa or all authentication mode for file access.

Figure 1-68 Networking diagram for accessing another device by using SFTP

NOTE

Interface1 in this example represents GigabitEthernet0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure SFTP client002 and the SSH server to generate local key pairs, and
bind the DSA public key of the SSH client to client002 to authenticate the
client when the client logs in to the server.
3. Enable the SFTP server function on the SSH server.

4. Configure the service type and authorized directory for the SSH users.
5. Use SFTP on client001 and client002 to log in to the SSH server and obtain
files from the server.

Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● DSA authentication (public key: dsakey001) for client002
● IP address of the SSH server: 10.1.1.2

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] dsa local-key-pair create
Info: The key name will be: SSH SERVER_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

Step 2 Create SSH users on the server.
NOTE

SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA,
password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA,
password-SM2, or password-ECC, a local user with the same name as the SSH user must
be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA,
SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of
the SSH client must be saved on the server.

# Configure VTY user interfaces.
[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit
● Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication
for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit

# Set a password for client001.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:
– The password is entered in man-machine interaction mode. The system does not
display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at
least two of the following character types: uppercase letters, lowercase letters,
digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are
allowed in the password if the password is enclosed in double quotation marks.
▪ A password that contains spaces cannot also contain double quotation marks.
▪ A password that contains no spaces can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
● Create an SSH user named client002.
# Create an SSH user named client002 and configure DSA authentication for
the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type dsa
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure the DSA public key on the server.
# Configure the client to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[*client002] commit

# Check the DSA public key generated on the client.

[~client002] display dsa local-key-pair public
========================================================
Time of Key pair created : 2013-05-21 17:18:17
Key name : client002_Host_DSA
Key modulus : 1024
Key type : DSA Encryption Key
========================================================
Key code:

3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B

Host public Key for PEM format Code:

---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4Y
jLfYWGtQ7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiY
Q/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/
AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXK
osjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMM
FBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpe
ifGtt570WfgmuaXPbQAAAIBAnArnHd3ajPOSRgjcMnKM1vpR+7STPQPjB4DhZ2qp
7uOptneX2x06V69HnDvcQJYpG0VIQ9iIUdz+sE1ZPxRZkUX7Cwcc7uVflR5kymxM
FmGSuSaa2HZO6fhmHI7AjQi9g7zj4FTuOSAgdolDOwehEhm585ReiPA6j8D7mIOQ
Ww==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:

ssh-dss AAAAB3NzaC1kc3MAAACBAKScXq
+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ7rxUv7CJYaDdMV9/
MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/
d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn
+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUAn/
QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G
+s8bPioRMowUun88oNGYs+2UNoRbpeifGtt570WfgmuaXPbQAAAIBAnArnHd3ajPOSRgjcMnKM1vpR
+7STPQPjB4DhZ2qp7uOptneX2x06V69HnDvcQJYpG0VIQ9iIUdz
+sE1ZPxRZkUX7Cwcc7uVflR5kymxMFmGSuSaa2HZO6fhmHI7AjQi9g7zj4FTuOSAgdolDOwehEhm585ReiPA6j
8D7mIOQWw== dsa-key

# Copy the DSA public key generated on the client to the server.
[~SSH Server] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[*SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return last view with "public-key-code end".
[*SSH Server-dsa-public-key-dsa-key-code] 3082019F
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
[*SSH Server-dsa-public-key-dsa-key-code] 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
[*SSH Server-dsa-public-key-dsa-key-code] 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
[*SSH Server-dsa-public-key-dsa-key-code] 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
[*SSH Server-dsa-public-key-dsa-key-code] 43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
[*SSH Server-dsa-public-key-dsa-key-code] 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
[*SSH Server-dsa-public-key-dsa-key-code] 0B752AC7 817E877F
[*SSH Server-dsa-public-key-dsa-key-code] 0214
[*SSH Server-dsa-public-key-dsa-key-code] CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
[*SSH Server-dsa-public-key-dsa-key-code] C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
[*SSH Server-dsa-public-key-dsa-key-code] AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
[*SSH Server-dsa-public-key-dsa-key-code] C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
[*SSH Server-dsa-public-key-dsa-key-code] 264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
[*SSH Server-dsa-public-key-dsa-key-code] C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
[*SSH Server-dsa-public-key-dsa-key-code] F459F826 B9A5CF6D
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
[*SSH Server-dsa-public-key-dsa-key-code] B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
[*SSH Server-dsa-public-key-dsa-key-code] 57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
[*SSH Server-dsa-public-key-dsa-key-code] 593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
[*SSH Server-dsa-public-key-dsa-key-code] 6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
[*SSH Server-dsa-public-key-dsa-key-code] E054EE39 20207689 433B07A1 1219B9F3 945E88F0
[*SSH Server-dsa-public-key-dsa-key-code] 3A8FC0FB 9883905B
[*SSH Server-dsa-public-key-dsa-key-code] public-key-code end
[*SSH Server-dsa-public-key] peer-public-key end
[*SSH Server] commit
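
The device printed the same DSA public key three ways above: the DER hex key code that is typed into the server's dsa peer-public-key view, the SSH2 PEM block, and the OpenSSH ssh-dss line. The following Python is an added example, not Huawei code: it parses the hex key code, rebuilds the OpenSSH line from the DER integers p, q, g and y, and prints the key's SHA256 fingerprint, so the key bound to client002 on the server can be checked against the one client002 displayed; its constants are copied from the output on this page.

```python
import base64
import hashlib
import struct

# Added example, not Huawei's code. Input is constructed from this page: the hex
# "Key code" of client002_Host_DSA and the OpenSSH authorized_keys line that
# `display dsa local-key-pair public` printed for the same key.
KEY_CODE_HEX = """
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
"""
OPENSSH_LINE = (
    "ssh-dss AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4Y"
    "jLfYWGtQ7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiY"
    "Q/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/"
    "AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXK"
    "osjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMM"
    "FBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpe"
    "ifGtt570WfgmuaXPbQAAAIBAnArnHd3ajPOSRgjcMnKM1vpR+7STPQPjB4DhZ2qp"
    "7uOptneX2x06V69HnDvcQJYpG0VIQ9iIUdz+sE1ZPxRZkUX7Cwcc7uVflR5kymxM"
    "FmGSuSaa2HZO6fhmHI7AjQi9g7zj4FTuOSAgdolDOwehEhm585ReiPA6j8D7mIOQ"
    "Ww== dsa-key"
)

def _read_tlv(buf, pos):
    # One DER tag-length-value; returns (tag, value bytes, offset after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dsa_key_code(hex_text):
    # Key code = SEQUENCE { INTEGER p, q, g, y }. Integers are read unsigned: the
    # device omits the 0x00 pad byte DER requires when the top bit is set.
    der = bytes.fromhex("".join(hex_text.split()))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected a DER INTEGER inside the key code")
        ints.append(int.from_bytes(val, "big"))
    if len(ints) != 4:
        raise ValueError("DSA key code must carry exactly p, q, g and y")
    return tuple(ints)

def _mpint(n):
    # RFC 4251 mpint: 4-byte length, big-endian magnitude, 0x00 pad if top bit set.
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def to_openssh(p, q, g, y, comment="dsa-key"):
    # ssh-dss wire format (RFC 4253): string "ssh-dss", then mpint p, q, g, y.
    blob = struct.pack(">I", 7) + b"ssh-dss" + b"".join(_mpint(n) for n in (p, q, g, y))
    return "ssh-dss " + base64.b64encode(blob).decode("ascii") + " " + comment

def fingerprint(openssh_line):
    # Same SHA256 fingerprint form that ssh-keygen -lf prints (unpadded base64).
    blob = base64.b64decode(openssh_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def keys_match(hex_text, openssh_line):
    # True when the DER key code typed on the server encodes the OpenSSH key shown on the client.
    rebuilt = to_openssh(*parse_dsa_key_code(hex_text))
    return rebuilt.split()[1] == openssh_line.split()[1]

if __name__ == "__main__":
    print("key code matches OpenSSH line:", keys_match(KEY_CODE_HEX, OPENSSH_LINE))
    print("fingerprint:", fingerprint(OPENSSH_LINE))
```

A mismatch means a group of the key code was mistyped or altered between the client console and the server's key-code view, which is the point to catch before the key is bound to an SSH user.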

Step 4 Bind the DSA public key to client002.
[~SSH Server] ssh user client002 assign dsa-key dsakey001
[*SSH Server] commit

Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*SSH Server-LoopBack0] quit
[*SSH Server] sftp server enable
[*SSH Server] ssh server-source -i loopback 0
[*SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password
authentication mode and client002 in DSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect the SFTP client to the SSH server.
# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.
[~client002] ssh client first-time enable
[*client002] commit

# Client001 logs in to the SSH server in password authentication mode.
[~client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.1.1.1. Please wait
Enter password:

# Client002 logs in to the SSH server in DSA authentication mode.
[~client002] sftp 10.1.1.1
Please input the username: client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait.

Step 8 Verify the configuration.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check information about SSH users.
[~SSH Server] display ssh user-information
----------------------------------------------------
User Name : client001
Authentication-Type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : cfcard:
Service-type : sftp

User Name : client002
Authentication-Type : dsa
User-public-key-name : -
User-public-key-type : -
Sftp-directory :-
Service-type : sftp
----------------------------------------------------

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001
public-key-code begin
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
public-key-code end
peer-public-key end
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign dsa-key dsakey001
ssh user client002 authentication-type dsa
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.2 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

● Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

● Client002 configuration file
#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

1.1.8.14.10 Example for Using SFTP to Log In to Other Devices (ECC Authentication Mode)
To allow the SFTP client to connect to the SSH server, configure the client and server to generate local key pairs, configure the client to generate an ECC public key, and bind the public key to the client.

Networking Requirements
Based on SSH, SFTP ensures that users log in to a remote device securely to
manage and transfer files, enhancing secure file transfer. Because the device can
function as an SFTP client, you can log in to a remote SSH server from the device
to transfer files securely.
As shown in Figure 1-69, after the SFTP server function is enabled on the SSH server, the SFTP client can log in to the SSH server in password, ECC, password-ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2, x509v3-ssh-rsa, password-x509v3-rsa or all authentication mode for file access.

Figure 1-69 Using SFTP to access another device

NOTE
Interface1 in this example represents GigabitEthernet0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication modes to log in to the SSH server.
2. Configure SFTP client002 and the SSH server to generate local key pairs, and bind the ECC public key of the SSH client to client002 to authenticate the client when the client logs in to the server.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use SFTP on client001 and client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● Client002: ECC authentication (public key: ecckey001)
● IP address of the SSH server: 10.1.1.2

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ecc local-key-pair create
Info: The key name will be: SSH Server_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.

Step 2 Create SSH users on the server.

NOTE

SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA, password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA, password-SM2, or password-ECC, a local user with the same name as the SSH user must be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA, SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of the SSH client must be saved on the server.

# Configure VTY user interfaces.
[*SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit
● Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit
# Set a password for client001.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:
– The password is entered in man-machine interaction mode. The system does not display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at least two types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are allowed in the password if the password is enclosed in quotation marks.
▪ If the password contains spaces, the quoted string cannot also contain double quotation marks.
▪ If the password contains no spaces, the quoted string can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
The configured password is displayed in ciphertext in the configuration file.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
● Create an SSH user named client002.
# Create an SSH user named client002 and configure ECC authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type ecc
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure an ECC public key for the server.

# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] ecc local-key-pair create
Info: The key name will be: client002_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
[*client002] commit

# Check the ECC public key generated on the client.
[~client002] display ecc local-key-pair public
======================Host Key==========================
Time of Key pair created : 2013-01-22 10:33:06
Key Name : client002_Host_ECC
Key Type : ECC Encryption Key
========================================================
Key Code:
04D7635B C047B02E 20C1E6CB E04B5E5C 7DCADD88
F676AB0E C91ACB3C B0394B18 FA29E5C2 0426F924
DAD9AA02 C531E5ED C6783FFA 41235A16 8D7723E0
7E63D68D E7

Host Public Key for PEM format Code:

---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAxOTIAAABBBL+PCqbAEJKKKUpCYdSfyiyY5Iq3
DM9ZB3mjx62wShmmNMiZJAV+02aMJ6CsHBuWCbVLO/Zg8Ng3kGXC4ltmLXM=
---- END SSH2 PUBLIC KEY ----

# Copy the ECC public key generated on the client to the server.
[~SSH Server] ecc peer-public-key ecckey001
Enter "ECC public key" view, return system view with "peer-public-key end".
[*SSH Server-ecc-public-key] public-key-code begin
Enter "ECC key code" view, return last view with "public-key-code end".
[*SSH Server-ecc-public-key-ecc-key-code] 04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
[*SSH Server-ecc-public-key-ecc-key-code] B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
[*SSH Server-ecc-public-key-ecc-key-code] 668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
[*SSH Server-ecc-public-key-ecc-key-code] E25B662D 73
[*SSH Server-ecc-public-key-ecc-key-code] public-key-code end
[*SSH Server-ecc-public-key] peer-public-key end
[*SSH Server] commit

Step 4 Bind the ECC public key to client002.
[~SSH Server] ssh user client002 assign ecc-key ecckey001
[*SSH Server] commit

Step 5 Enable the SFTP server function on the SSH server.
# Enable the SFTP server function.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*SSH Server-LoopBack0] quit
[*SSH Server] sftp server enable
[*SSH Server] ssh server-source -i loopback 0
[*SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password
authentication mode and client002 in ECC authentication mode.
[*SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect SFTP clients to the SSH server.
# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.
[~client002] ssh client first-time enable
[*client002] commit

# Connect client001 to the SSH server in password authentication mode.
[~client001] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:

# Connect client002 to the SSH server in ECC authentication mode.
[~client002] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait.
Please input the username: client002
Please select public key type for user authentication [R for RSA/E for ECC] Please select [R/E]:e

Step 8 Verify the configuration.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check information about SSH users.
[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name :
User-public-key-type : -
Sftp-directory : cfcard:
Service-type : sftp

Username : client002
Authentication-type : ecc
User-public-key-name : ecckey001
User-public-key-type : ECC
Sftp-directory : cfcard:
Service-type : sftp
----------------------------------------------------
Total 2, 2 printed

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
ecc peer-public-key ecckey001
public-key-code begin
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
public-key-code end
peer-public-key end
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign ecc-key ecckey001
ssh user client002 authentication-type ecc
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.2 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

● Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

● Client002 configuration file
#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

1.1.8.14.11 Example for Using SFTP to Log In to Other Devices (SM2 Authentication Mode)
In this example, local key pairs are generated on the SFTP client and secure shell (SSH) server, and an SM2 public key is generated on the SSH server and then bound to the SFTP client, implementing communication between the SFTP client and SSH server.

Networking Requirements
SFTP is established over SSH and enables remote users to securely log in to a
device for file management and transfer. This ensures data transmission security.
In addition, the device provides the SFTP client function so that you can log in to a
remote SSH server from the device to securely transfer files.

As shown in Figure 1-70, after the SFTP server function is enabled on the SSH
server, the SFTP client can log in to the SSH server in password, ECC, password-
ECC, DSA, password-DSA, RSA, password-RSA, SM2, password-SM2, x509v3-ssh-
rsa, password-x509v3-rsa or all authentication mode for file access.

Figure 1-70 Networking diagram for accessing files on an SSH server using SFTP

NOTE
Interface1 in this example represents GigabitEthernet0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure client001 and client002 to log in to the SSH server in different authentication modes.
2. Configure SFTP client002 and the SSH server to generate local key pairs, and bind the SM2 public key of the SSH client to client002 to authenticate the client when the client logs in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Configure client001 and client002 to log in to the SSH server using SFTP for file access.

Data Preparation
To complete the configuration, you need the following data:
● Password authentication for client001
● Client002: SM2 authentication (public key: sm2key001)
● IP address of the SSH server: 10.1.1.2

Procedure
Step 1 Generate a local key pair on the SSH server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ssh server publickey sm2

Step 2 Create SSH users on the server.

NOTE

SSH users can be authenticated in password, RSA, password-RSA, ECC, password-ECC, DSA, password-DSA, SM2, password-SM2, or all mode.
● If the authentication mode of an SSH user is password, password-RSA, password-DSA, password-SM2, or password-ECC, a local user with the same name as the SSH user must be configured.
● If the authentication mode of an SSH user is RSA, password-RSA, DSA, password-DSA, SM2, password-SM2, ECC, password-ECC, or all, the RSA, DSA, SM2, or ECC public key of the SSH client must be saved on the server.

# Configure the VTY user interface.
[*SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

● Create SSH user client001.
# Create SSH user client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] commit

# Set a password for client001.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:
– The password is entered in man-machine interaction mode. The system does not display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at least two types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are allowed in the password if the password is enclosed in quotation marks.
▪ If the password contains spaces, the quoted string cannot also contain double quotation marks.
▪ If the password contains no spaces, the quoted string can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
The configured password is displayed in ciphertext in the configuration file.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

● Create SSH user client002.
# Create SSH user client002 and configure SM2 authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type sm2
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Assign an SM2 public key to the SSH server.

# Generate a local key pair on client002.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] ssh client publickey sm2
[~client002] sm2 key-pair label sm2key001
Info: Key pair generation will take a short while. Please wait...
Info: Creating the key pair succeeded.
[~client002] ssh client assign sm2-host-key sm2key001
[*client002] commit

# Display the SM2 public key generated on client002.
[~client002] display sm2 key-pair
=====================================
Label Name: sm2key001
Modulus: 521
Time of Key pair created: 2018-06-19 15:39:45
=====================================
Key :
0474F110 F90F131B B6F6D929 9A23A41E F1AB1666 AC4BE4EE EF2CD876
2B633F80 DD5CF42F 147A722F DE527F39 247F3744 C23296BE FE3BE502
EEF7D9EC BC28A576 7E
=====================================

# Send the SM2 public key generated on client002 to the server.


[~SSH Server] sm2 peer-public-key sm2key001
Enter "SM2 public key" view, return system view with "peer-public-key end".
[*SSH Server-sm2-public-key] public-key-code begin
Enter "SM2 key code" view, return last view with "public-key-code end".
[*SSH Server-sm2-public-key-sm2-key-code] 0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
[*SSH Server-sm2-public-key-sm2-key-code] AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
[*SSH Server-sm2-public-key-sm2-key-code] DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
[*SSH Server-sm2-public-key-sm2-key-code] BC28A576 7E
[*SSH Server-sm2-public-key-sm2-key-code] public-key-code end
[*SSH Server-sm2-public-key] peer-public-key end
[*SSH Server] commit

Step 4 Bind the SM2 public key to client002.


[~SSH Server] ssh user client002 assign sm2-key sm2key001
[*SSH Server] commit

Step 5 Enable the SFTP service on the SSH server.


# Enable the SFTP service.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*SSH Server-LoopBack0] quit
[*SSH Server] sftp server enable
[*SSH Server] ssh server-source -i loopback 0
[*SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password
authentication mode and client002 in SM2 authentication mode.
[*SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect SFTP clients to the SSH server.


# For the first login, enable first-time authentication on the clients.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[*client001] ssh client first-time enable
[*client001] commit

Enable first-time authentication on client002.


[~client002] ssh client first-time enable
[*client002] commit

# Connect client001 to the SSH server in password authentication mode.


[~client001] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:

# Connect client002 to the SSH server in SM2 authentication mode.


[~client002] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait.
Please input the username: client002

Step 8 Verify the configuration.


# Display the SSH status.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Display SSH user information.


[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name :
User-public-key-type : -
Sftp-directory : cfcard:
Service-type : sftp

Username : client002
Authentication-type : sm2
User-public-key-name : sm2key001
User-public-key-type : SM2
Sftp-directory : cfcard:
Service-type : sftp
----------------------------------------------------
Total 2, 2 printed

----End


Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.2 255.255.0.0
#
sm2 peer-public-key sm2key001
public-key-code begin
0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
BC28A576 7E
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign sm2-key sm2key001
ssh user client002 authentication-type sm2
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

● client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return


● client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

1.1.8.14.12 Example for Using a Non-default Listening Port Number to Access the SSH Server
A non-default listening port number can be configured for the SSH server to allow
only authorized users to establish SSH connections with the server.

Networking Requirements
The default listening port number is 22. If attackers continuously access this port,
bandwidth resources are consumed and performance of the server deteriorates. As
a result, authorized users cannot access the server.

If the listening port number of the SSH server is changed to a non-default one,
attackers do not know the change and continue to send requests for socket
connections to port 22. The SSH server denies the connection requests because the
listening port number is incorrect.

Authorized users can set up socket connections with the SSH server by using the
new listening port number and then proceed as usual: negotiate the SSH protocol
version, negotiate the algorithms, generate the session key, authenticate, send
the session request, and participate in the session.

Figure 1-71 Using a non-default listening port number to access the SSH server
NOTE

In this example, interface 1 represents GigabitEthernet0/0/0.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different
authentication modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind
client002 to the RSA public key of the SSH server to authenticate the client
when the client attempts to log in to the server.
3. Enable the STelnet and SFTP server functions on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Configure a non-default listening port number of the SSH server to allow only
authorized users to access the server.
6. Use STelnet and SFTP respectively on client001 and client002 to log in to the
SSH server.

Data Preparation
To complete the configuration, you need the following data:
● Client001: password authentication and STelnet service type
● Client002: RSA authentication (public key: RsaKey001) and SFTP service type
● IP address of the SSH server: 10.1.1.2
● Listening port number of the SSH server: 1025

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: CE1_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
[*SSH Server] commit

Step 2 Configure the RSA public key on the server.


# Configure the client to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] rsa local-key-pair create
[*client002] commit

# Check the RSA public key generated on the client.


[~client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-key-code] 3047
[*SSH Server-rsa-key-code] 0240
[*SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[*SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[*SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[*SSH Server-rsa-key-code] 1D7E3E1B
[*SSH Server-rsa-key-code] 0203
[*SSH Server-rsa-key-code] 010001
[*SSH Server-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server-rsa-public-key] commit

Step 3 Create SSH users on the server.


NOTE

There are several authentication modes for SSH users: password, RSA, password-RSA, ECC,
password-ECC, and All.
● If the authentication mode is password, password-ECC, or password-RSA, configure a
local user on the server with the same user name.
● If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the
RSA or ECC public key generated on the SSH client to the server.

# Configure VTY user interfaces.


[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit


● Create an SSH user named client001.


# Create an SSH user named client001 and configure password authentication
for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit

# Set a password for client001.


[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:


– The password is entered in man-machine interaction mode. The system does not
display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at
least two types of the following characters: uppercase letters, lowercase letters,
digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are
allowed in the password if the password is enclosed in quotation marks.

▪ A password enclosed in double quotation marks cannot contain double quotation marks if it contains spaces.

▪ A password enclosed in double quotation marks can contain double quotation marks if it contains no spaces.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

# Set the service type of client001 to STelnet.


[~SSH Server] ssh user client001 service-type stelnet

● Create an SSH user named client002.


# Create an SSH user named client002, configure RSA authentication for the
user, and bind the RSA public key to client002.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type rsa
[*SSH Server] ssh user client002 assign rsa-key RsaKey001
[*SSH Server] commit

# Set the service type of client002 to SFTP and configure the authorized
directory for the user.
[~SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
[*SSH Server] commit

Step 4 Enable the STelnet and SFTP server functions on the SSH server.
[~SSH Server] interface LoopBack 0
[~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*SSH Server-LoopBack0] quit
[*SSH Server] stelnet server enable
[*SSH Server] sftp server enable
[*SSH Server] ssh server-source -i loopback 0
[*SSH Server] commit

Step 5 Configure a new listening port number on the SSH server.


[*SSH Server] ssh server port 1025

Step 6 Connect the SSH client and the SSH server.


# If the client logs in to the server for the first time, enable first-time authentication on
the client.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first-time authentication on client002.


[*client002] ssh client first-time enable
[*client002] commit

# Connect client001 to the SSH server using the new listening port number.
[~client001] stelnet 10.1.1.1 1025
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:

The following information indicates that the login is successful:


Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<SSH Server>

# Connect client002 to the SSH server using the new listening port number.
[~client002] sftp 10.1.1.1 1025
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait.
..
sftp-client>

Step 7 Verify the configuration.


Attackers fail to log in to the SSH server using the default listening port number
22.
[~client002] sftp 10.1.1.1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.

# Check the status of the SSH server.


[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
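The status output above is what an operator reads to confirm that the port change took effect. The following added example (not Huawei's code) parses that key/value output and reports any entry that contradicts the intended listening port; the sample text is constructed from the output shown in this section, and the ACL and ip-block checks are added defender-side checks, not steps the guide prescribes.

```python
"""Audit 'display ssh server status' output against the intended SSH hardening.

Added example, not Huawei's code. The parser only relies on the
'<field> : <value>' layout that the NE9000 prints.
"""

# Constructed sample, modelled on the output shown in this section
# (listening port still 22, no ACL bound to the SSH server).
SAMPLE_STATUS_DEFAULT = """\
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
"""

ACL_FIELDS = ("ACL name", "ACL number", "ACL6 name", "ACL6 number")


def parse_ssh_status(text):
    """Turn the status output into a dict; the value is everything after the first colon."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # banner or blank line
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def audit_ssh_status(status, expected_port):
    """Return a list of human-readable findings; an empty list means the output matches intent."""
    findings = []
    # The port change must be visible for both address families.
    for family in ("IPv4", "IPv6"):
        port = status.get(f"SSH {family} server port")
        if port != str(expected_port):
            findings.append(f"{family} listening port is {port}, expected {expected_port}")
    # A non-default port hides the service from casual probes only; an ACL actually
    # restricts who may connect, so flag its absence.
    if not any(status.get(field) for field in ACL_FIELDS):
        findings.append("no ACL bound to the SSH server; source addresses are unrestricted")
    if status.get("SSH server ip-block") != "Enable":
        findings.append("SSH server ip-block is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_status(parse_ssh_status(SAMPLE_STATUS_DEFAULT), 1025):
        print("FINDING:", finding)
```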

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
stelnet server enable
sftp server enable
ssh server-source -i loopback 0
ssh server port 1025
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.2 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

● Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

● Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

1.1.8.14.13 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network
This example shows how to configure an SSH client on the public network to
access an SSH server on a private network. You can configure SSH-related
attributes for public users to allow them to access devices on private networks in
STelnet or SFTP mode.

Networking Requirements
As shown in Figure 1-72, PE1 is an SSH client located on the MPLS backbone
network, and CE1 functions as an SSH server located on the private network with
the AS number of 65410. Public network users need to securely access and
manage CE1 after logging in to PE1.


Figure 1-72 Configuring an SSH client on the public network to access an SSH server on a private network

NOTE

In this example, interface 1, interface 2, and interface 3 represent GE 1/0/1, GE 2/0/1 and
GE 1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a VPN instance on PE1 to allow CE1 to access PE1.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
3. Configure client002 and the SSH server to generate local key pairs, and bind
client002 to the RSA public key of the SSH server to authenticate the client
when the client attempts to log in to the server.
4. Enable the STelnet and SFTP server functions on the SSH server.
5. Connect client001 and client002 to CE1 using STelnet and SFTP, respectively.

Data Preparation
To complete the configuration, you need the following data:
● Name of the VPN instance on the PEs: vpn1
● VPN target on the PEs: 111:1
● IP address of PE1: 10.1.1.2; IP address of PE2: 10.1.2.2
● Password authentication for client001
● RSA authentication (public key: RsaKey001) for client002
● IP address of CE1: 10.3.3.3

Procedure
Step 1 Configure the MPLS backbone network.

Configure an IGP to allow PEs and the P on the MPLS backbone network to
communicate with each other. Configure basic MPLS functions, enable MPLS LDP,
and establish LDP LSPs on the MPLS backbone network.

For configuration details, see Configuration Files in this section.

Step 2 Configure VPN instances on PEs and connect CEs to PEs.

# Configure PE1.
[*PE1] ip vpn-instance vpn1
[*PE1-vpn-instance-vpn1] route-distinguisher 100:1
[*PE1-vpn-instance-vpn1] vpn-target 111:1 both
[*PE1-vpn-instance-vpn1] quit
[*PE1] interface gigabitethernet 2/0/1
[*PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1
[*PE1-GigabitEthernet2/0/1] undo shutdown
[*PE1-GigabitEthernet2/0/1] ip address 10.1.1.2 24
[*PE1-GigabitEthernet2/0/1] quit
[*PE1] commit

# Configure PE2.
[*PE2] ip vpn-instance vpn1
[*PE2-vpn-instance-vpn1] route-distinguisher 200:1
[*PE2-vpn-instance-vpn1] vpn-target 111:1 both
[*PE2-vpn-instance-vpn1] quit
[*PE2] interface gigabitethernet 2/0/1
[*PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1
[*PE2-GigabitEthernet2/0/1] undo shutdown
[*PE2-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[*PE2-GigabitEthernet2/0/1] quit
[*PE2] commit

# Configure IP addresses for interfaces on CEs according to Figure 1-72. For
configuration details, see Configuration Files in this section.

After the configuration is complete, run the display ip vpn-instance verbose
command on PEs. You can view the configurations of VPN instances. Each PE can
successfully ping its connected CE.

NOTE

When there are multiple interfaces on a PE bound to the same VPN instance, specify the
source address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-
address command to ping the CE connected to the peer PE. Otherwise, the ping may fail.
[~PE1] ping -vpn-instance vpn1 10.3.3.3
PING 10.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.3.3.3: bytes=56 Sequence=1 ttl=255 time=260 ms
Reply from 10.3.3.3: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 10.3.3.3: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 10.3.3.3: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 10.3.3.3: bytes=56 Sequence=5 ttl=255 time=90 ms
--- 10.3.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/108/260 ms


Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN
routes.
# Configure CE1.
[*CE1] bgp 65410
[*CE1-bgp] peer 10.1.1.2 as-number 100
[*CE1-bgp] import-route direct
[*CE1-bgp] quit
[*CE1] commit

# Configure PE1.
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpn1
[*PE1-bgp-vpn1] peer 10.3.3.3 as-number 65410
[*PE1-bgp-vpn1] import-route direct
[*PE1-bgp-vpn1] quit
[*PE1-bgp] quit
[*PE1] commit

# Configure CE2.
[*CE2] bgp 65420
[*CE2-bgp] peer 10.1.2.2 as-number 100
[*CE2-bgp] import-route direct
[*CE2-bgp] quit
[*CE2-bgp] commit

# Configure PE2.
[*PE2] bgp 100
[*PE2-bgp] ipv4-family vpn-instance vpn1
[*PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[*PE2-bgp-vpn1] import-route direct
[*PE2-bgp-vpn1] quit
[*PE2-bgp] quit
[*PE2-bgp] commit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on PEs. The command output shows that the EBGP peer relationships
between PEs and the CEs are in the Established state.
The following example uses the command output on PE1.
[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.3.3.3 4 65410 3 3 0 00:00:37 Established 1

# Set up an MP-IBGP peer relationship between PEs.


For configuration details, see Configuration Files in this section.
Step 4 Configure the server to generate a local key pair.
[*CE1] rsa local-key-pair create
The key name will be: CE1_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
Generating keys...
[*CE1] commit

Step 5 Configure the RSA public key on the server.


# Configure the client to generate a local key pair.
[*PE1] rsa local-key-pair create
The key name will be: PE1_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
Generating keys...
[*PE1] commit

# Check the RSA public key generated on the client.


[~PE1] display rsa local-key-pair public
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
E2EE8EB5
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg7
2x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F
2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F
23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40
278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437
D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4
970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001

# Copy the RSA public key generated on the client to the server.
[*CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*CE1-rsa-key-code] 3067
[*CE1-rsa-key-code] 0240
[*CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[*CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[*CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[*CE1-rsa-key-code] E2EE8EB5
[*CE1-rsa-key-code] 0203
[*CE1-rsa-key-code] 010001
[*CE1-rsa-key-code] public-key-code end
[*CE1-rsa-public-key] peer-public-key end
[*CE1-rsa-public-key] quit
[*CE1] commit
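Retyping the client's key code on the server (this step, and Step 2 of 1.1.8.14.12) is a manual transcription, and a slip is only noticed when authentication fails later. The following added example, not Huawei's code, parses the hexadecimal key code and the OpenSSH line that display rsa local-key-pair public prints and confirms that both carry the same modulus and exponent; the sample is the client002 key shown in 1.1.8.14.12, and the PE1 key in this step is checked the same way.

```python
"""Cross-check an RSA public key copied between NE9000 devices.

Added example, not Huawei's code. The 'Key code' that 'display rsa
local-key-pair public' prints is a PKCS#1 RSAPublicKey in DER
(SEQUENCE { INTEGER n, INTEGER e }); the OpenSSH line is the RFC 4253
'ssh-rsa' blob (string "ssh-rsa", mpint e, mpint n), base64-encoded.
"""
import base64
import hashlib
import struct

# Sample key code exactly as displayed for client002 in 1.1.8.14.12 (hex, with
# the line breaks and spaces the device prints).
CLIENT002_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""

# The OpenSSH rendering of the same key from the same display output.
CLIENT002_OPENSSH = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn"
    "TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def parse_key_code(text):
    """Parse the hex key code into (modulus, exponent), rejecting a mistyped length."""
    der = bytes.fromhex("".join(text.split()))  # drop spaces and line breaks
    if not der or der[0] != 0x30:
        raise ValueError("key code does not start with a DER SEQUENCE")
    seq_len, pos = _der_length(der, 1)
    if pos + seq_len != len(der):
        raise ValueError(
            f"SEQUENCE length {seq_len} does not match {len(der) - pos} content bytes"
        )
    integers = []
    while pos < len(der):
        if der[pos] != 0x02:
            raise ValueError("expected a DER INTEGER")
        length, pos = _der_length(der, pos + 1)
        integers.append(int.from_bytes(der[pos:pos + length], "big"))
        pos += length
    if len(integers) != 2:
        raise ValueError("expected exactly modulus and exponent")
    return integers[0], integers[1]


def key_code_is_wellformed(text):
    """True if the key code parses; False for any transcription error the parser catches."""
    try:
        parse_key_code(text)
        return True
    except ValueError:
        return False


def parse_openssh_rsa(line):
    """Parse 'ssh-rsa <base64> [comment]' into (modulus, exponent)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob = base64.b64decode(parts[1])
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def fingerprint(line):
    """SHA256 fingerprint of the OpenSSH blob, in the 'SHA256:<base64>' style."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def keys_match(key_code_text, openssh_line):
    """True when the retyped key code and the OpenSSH line describe the same key."""
    return parse_key_code(key_code_text) == parse_openssh_rsa(openssh_line)
```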

Step 6 Create SSH users on the server.


NOTE

There are several authentication modes for SSH users: password, RSA, password-RSA, DSA,
password-DSA, ECC, password-ECC, SM2, password-SM2 and All.
● If the authentication mode is password, password-ECC, password-DSA, password-sm2 or
password-RSA, configure a local user on the server with the same user name.
● If the authentication mode is RSA, password-RSA, DSA, password-DSA, SM2, password-
SM2, ECC, password-ECC, or All, save the RSA, DSA, SM2, or ECC public key generated
on the SSH client to the server.

# Configure VTY user interfaces.


[~CE1] user-interface vty 0 4
[~CE1-ui-vty0-4] authentication-mode aaa
[*CE1-ui-vty0-4] protocol inbound ssh
[*CE1-ui-vty0-4] commit
[~CE1-ui-vty0-4] quit

● Create an SSH user named client001.


# Create an SSH user named client001 and configure password authentication
for the user.
[~CE1] ssh user client001
[*CE1] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256

# Set a password for client001.


[*CE1] aaa
[*CE1-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

The password must meet the following requirements:


– The password is entered in man-machine interaction mode. The system does not
display the entered password.
– A password is a string of 8 to 16 case-sensitive characters and must contain at
least two types of the following characters: uppercase letters, lowercase letters,
digits, and special characters.
– Special characters exclude question marks (?) and spaces. However, spaces are
allowed in the password if the password is enclosed in quotation marks.

▪ A password enclosed in double quotation marks cannot contain double quotation marks if it contains spaces.

▪ A password enclosed in double quotation marks can contain double quotation marks if it contains no spaces.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is
invalid.
The configured password is displayed in ciphertext in the configuration file.
[*CE1-aaa] local-user client001 service-type ssh
[*CE1-aaa] quit
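The password rules in the NOTE above (and in the same NOTE in 1.1.8.14.11 and 1.1.8.14.12) are easy to misread, so the following added example, not Huawei's code, encodes them as the guide states them and checks the two passwords the NOTE uses as illustrations. It assumes the 8 to 16 character limit from the NOTE and that the length is counted without the enclosing quotation marks.

```python
"""Check a candidate local-user password against the rules stated in this guide.

Added example, not Huawei's code. Rules as the NOTE states them: 8 to 16
case-sensitive characters, at least two of {upper, lower, digit, special},
no question mark, and spaces only when the whole password is enclosed in
double quotation marks, in which case it may not also contain double
quotation marks. Length limits are parameters so the caller can adjust them.
"""


def password_classes(body):
    """Return the set of character classes present in the password body."""
    classes = set()
    for ch in body:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def validate_password(candidate, min_len=8, max_len=16):
    """Return (ok, reason) for the string exactly as it would be typed at the prompt."""
    if "?" in candidate:
        return False, "question marks are not allowed"
    # An enclosing pair of double quotation marks is syntax, not part of the password.
    quoted = len(candidate) >= 2 and candidate[0] == '"' and candidate[-1] == '"'
    body = candidate[1:-1] if quoted else candidate
    if " " in body:
        if not quoted:
            return False, "spaces are allowed only inside double quotation marks"
        if '"' in body:
            return False, "a password with spaces cannot also contain double quotation marks"
    if not min_len <= len(body) <= max_len:
        return False, f"length {len(body)} is outside {min_len}-{max_len}"
    if len(password_classes(body)) < 2:
        return False, "at least two character classes are required"
    return True, "ok"


if __name__ == "__main__":
    for sample in ('"Aa123"45""', '"Aa 123"45""'):
        print(sample, validate_password(sample))
```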


# Set the service type of client001 to STelnet.


[*CE1] ssh user client001 service-type stelnet

● Create an SSH user named client002.

# Create an SSH user named client002, configure RSA authentication for the
user, and bind the RSA public key to client002.
[*CE1] ssh user client002
[*CE1] ssh user client002 authentication-type rsa
[*CE1] ssh user client002 assign rsa-key RsaKey001
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256

# Set the service type of client002 to SFTP and configure the authorized
directory for the user.
[*CE1] ssh user client002 service-type sftp
[*CE1] ssh user client002 sftp-directory cfcard:
[*CE1] commit
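A checker that applies the password rules from the NOTE in this step, as an added example (not Huawei code). It assumes the length limit counts the password without its enclosing quotation marks, that the 8-16 range from the NOTE applies, and that any printable non-alphanumeric character other than the question mark counts as a special character:

```python
"""Validate a local-user password against the rules listed in the NOTE above.

Added example, not Huawei code. Assumptions (not stated on the page):
- the length is measured on the password itself, without enclosing quotes;
- the 8-16 range from the NOTE is used (the CLI prompt shows 8-128);
- a special character is any printable punctuation character except '?'.
"""
from __future__ import annotations

import string

MIN_LEN, MAX_LEN = 8, 16


def check_password(raw: str) -> tuple[bool, str]:
    """Return (ok, reason) for a password exactly as typed at the CLI prompt."""
    # A password enclosed in double quotation marks may contain spaces.
    quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
    pwd = raw[1:-1] if quoted else raw

    if not MIN_LEN <= len(pwd) <= MAX_LEN:
        return False, f"length {len(pwd)} is outside {MIN_LEN}-{MAX_LEN}"
    if "?" in pwd:
        return False, "question marks are not allowed"
    if not pwd.isprintable():
        return False, "non-printable character"

    has_space = " " in pwd
    if has_space and not quoted:
        return False, "spaces are allowed only in a quoted password"
    if has_space and '"' in pwd:
        # "Aa 123"45"" is rejected for exactly this reason.
        return False, "a quoted password with spaces cannot contain double quotes"

    # At least two of the four character types must be present.
    classes = {
        "upper": any(c.isupper() for c in pwd),
        "lower": any(c.islower() for c in pwd),
        "digit": any(c.isdigit() for c in pwd),
        "special": any(c in string.punctuation and c != "?" for c in pwd),
    }
    if sum(classes.values()) < 2:
        return False, "fewer than two character types"
    return True, "ok"
```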

Step 7 Enable the STelnet and SFTP server functions on the SSH server.
[~CE1] interface LoopBack 0
[~CE1-LoopBack0] ip address 10.1.1.1 255.255.255.255
[*CE1-LoopBack0] quit
[*CE1] stelnet server enable
[*CE1] sftp server enable
[*CE1] ssh server-source -i loopback 0
[*CE1] commit

Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).
# If the client logs in to the server for the first time, enable first authentication on
the client.
[~PE1] ssh client first-time enable
[*PE1] commit

# Use STelnet to log in to the SSH server.


[~PE1] stelnet 10.1.1.1 -vpn-instance vpn1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
Enter password:

The following information indicates that the login is successful:


Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
<CE1>

# Use SFTP to log in to the SSH server.


[~PE1] sftp 10.1.1.1 -vpn-instance vpn1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y


The server's public key will be saved with the name:10.1.1.1. Please wait...

After the login succeeds, the following information is displayed.


<sftp-client>

Step 9 Verify the configuration.

# Check the status of the SSH server.


[~CE1] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
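As an added example (not Huawei code), the following parses the display ssh server status output above and lists settings a hardening review would question. The expected values, the retry limit and the ACL check are this example's own review policy, not documented defaults:

```python
"""Parse 'display ssh server status' output and flag review findings.

Added example, not Huawei code. The sample text is copied from the command
output above; the EXPECTED values and MAX_RETRIES are this example's policy.
"""
from __future__ import annotations

# Constructed sample: the Step 9 output without the command prompt line.
SAMPLE_STATUS = """\
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH port forwarding : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
"""

# Review policy (this example's choice): the value each field should show.
EXPECTED = {
    "SSH version 1.x compatibility": "Disable",  # the SSH-1 protocol is obsolete
    "SSH port forwarding": "Disable",            # no tunnelling through the device
    "SSH server ip-block": "Enable",             # keep the IP blocking feature on
}
MAX_RETRIES = 3
ACL_FIELDS = ("ACL name", "ACL number", "ACL6 name", "ACL6 number")


def parse_ssh_status(text: str) -> dict[str, str]:
    """Turn 'Field : value' lines into a dict, splitting at the first colon."""
    status: dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def audit_ssh_status(status: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the policy is met."""
    findings = []
    for field, want in EXPECTED.items():
        got = status.get(field, "<missing>")
        if got != want:
            findings.append(f"{field} is {got}, expected {want}")
    retries = status.get("SSH authentication retries (Times)", "")
    if retries.isdigit() and int(retries) > MAX_RETRIES:
        findings.append(f"authentication retries {retries} exceeds {MAX_RETRIES}")
    # An empty ACL name/number on every line means no source restriction is bound.
    if not any(status.get(f) for f in ACL_FIELDS):
        findings.append("no ACL bound: the SSH server accepts any reachable source")
    return findings
```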

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
rsa peer-public-key rsakey001
public-key-code begin
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
public-key-code end
peer-public-key end
#
interface loopback 0
ip address 10.1.1.1 255.255.255.255
stelnet server enable
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa


ssh user client002 sftp-directory cfcard:


ssh user client002 service-type sftp
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.3.3.3 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#


bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.3.3.3 as-number 65410
#
ssh client first-time enable
#
return
● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.3.1.2 255.255.255.255
mpls
mpls ldp
#


interface GigabitEthernet2/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.2.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.2.1 as-number 65420
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
bgp 65420
peer 10.1.2.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.2.2 enable
#
return

1.1.8.14.14 Example for Using SCP to Access Files on Other Devices


This section provides an example for logging in to an SCP server to download files
from the SCP server to a client.

Networking Requirements
As shown in Figure 1-73, the device functioning as an SCP client has a reachable
route to an SCP server and can download files from the server.


Figure 1-73 Using SCP to access another device

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a local RSA key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable the SCP service function on the SSH server.
4. Enable first authentication on the SSH client.
5. Specify the IP address of the source interface on the SCP client.
6. Download files from the SSH server to the SCP client.

Data Preparation
To complete the configuration, you need the following data:
● SSH user name, authentication mode, and authentication password
● IP address of the source interface on the SCP client
● Names and paths of the source and destination files

Procedure
Step 1 Configure the SSH server to generate a local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072

Step 2 Create an SSH user on the SSH server.


# Configure VTY user interfaces.
[*SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] quit


# Create an SSH user named client001 and configure password authentication for
the user.
[*SSH Server] ssh user client001
Info: Succeeded in adding a new SSH user.
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh server hmac sha2_512 sha2_256
[*SSH Server] ssh server key-exchange dh_group_exchange_sha256
[*SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh server dh-exchange min-len 3072
[*SSH Server] ssh client publickey rsa_sha2_256 rsa_sha2_512
[*SSH Server] ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
[*SSH Server] ssh client hmac sha2_512 sha2_256
[*SSH Server] ssh client key-exchange dh_group_exchange_sha256

# Set the password of the SSH user to %TGB6yhn7ujm.


[*SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:
Info: A new user is added.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] quit

# Set the service type of the SSH user to all.


[*SSH Server] ssh user client001 service-type all

Step 3 Enable the SCP service function on the SSH server.


[*SSH Server] scp server enable
[*SSH Server] commit

Step 4 Download files from the SCP server to the SCP client.

# For the first login, enable first authentication on the SSH client.
<HUAWEI> system-view
[~HUAWEI] sysname SCP Client
[*SCP Client] ssh client first-time enable

# Set the source IP address of the SCP client to 1.1.1.1 (the IP address of a
loopback interface).
[*SCP Client] scp client-source -a 1.1.1.1
Info: Succeeded in setting the source address of the SCP client to 1.1.1.1.

# Download the license.txt file from the remote SCP server at 172.16.104.110 to
the local user directory, using the AES128 algorithm to encrypt the transfer.
[*SCP Client] scp -a 1.1.1.1 -cipher aes128 client001@172.16.104.110:license.txt license.txt
[*SCP Client] commit

Step 5 Verify the configuration.

Run the display scp-client command on the SCP client. The command output is
as follows:
<HUAWEI> display scp-client
The source address of SCP client is 1.1.1.1.

----End


Configuration Files
● SCP server configuration file
#
sysname SSH Server
#
aaa
local-user client001 password irreversible-cipher @%@%1-w$!gvBa#6W,ZUm2EN*BYqNWwI3BV\uV`%_oauS;RQB%>>~GV#QzO~k/8;U6;@%@%
local-user client001 service-type ssh
local-user client001 level 3
#
scp server enable
ssh server-source -i GigabitEthernet0/0/0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

● SCP client configuration file


#
sysname SCP Client
#
ssh client first-time enable
scp client-source 1.1.1.1
#
return

1.1.8.14.15 Example for Configuring HTTP for Device Login


This section provides an example for configuring HTTP for device login, so that
you can log in to an HTTP server from an HTTP client to download the desired
certificate.

Networking Requirements
An HTTP client can download a certificate from an HTTP server through HTTP. On
the network shown in Figure 1-74, the HTTP client and server are routable to
each other. To download a certificate from the server to the client, log in to the
server from the client.

The server supports SSL policies. To improve data transmission security, configure
an SSL policy on the HTTP client.


Figure 1-74 Device login using HTTP

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an SSL policy on the HTTP client.
2. Configure the HTTP client.

Data Preparation
To complete the configuration, you need the following data:
● SSL policy name policy1 to be configured on the HTTP client
● Domain name domain1

Procedure
Step 1 Configure an SSL policy on the HTTP client.
# Configure a PKI domain.
<HUAWEI> system-view
[~HUAWEI] pki domain domain1
[*HUAWEI-pki-domain-domain1] commit
[~HUAWEI-pki-domain-domain1] quit
[~HUAWEI] pki import-certificate ca domain domain1 filename test.crt

NOTE

The CA certificate is used as an example. During the actual configuration, you need to
replace ca and test.crt with the existing certificate type and name on the device. You can
directly upload the certificate to the device for installation, or apply for and download the
certificate for installation. For details, see "Obtaining a Certificate" in PKI Configuration.

# Configure an SSL policy and bind it to the PKI domain.


[~HUAWEI] ssl policy policy1
[*HUAWEI-ssl-policy-policy1] pki-domain domain1
[*HUAWEI-ssl-policy-policy1] commit
[~HUAWEI-ssl-policy-policy1] quit

Step 2 Configure the HTTP client.


[~HUAWEI] http
[*HUAWEI-http] client ssl-policy policy1
[*HUAWEI-http] client ssl-verify peer
[*HUAWEI-http] commit
[~HUAWEI-http] quit

Step 3 Check whether the HTTP client is successfully configured.


[~HUAWEI] display ssl policy


SSL Policy Name: policy1
PKI domain: domain1
Policy Applicants: HTTP-CLIENT
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
CRL File:
Trusted-CA File:

----End

Configuration Files
● HTTP client configuration file
#
ssl policy policy1
pki-domain domain1
#
http
client ssl-policy policy1
client ssl-verify peer
#
return

1.1.9 ZTP Configuration


Zero Touch Provisioning (ZTP) can be used to automatically deploy unconfigured
devices after they are powered on.

Context
ZTP can be used to automatically deploy unconfigured devices after they are
powered on, which improves deployment efficiency, especially on a network where
a large number of devices need to be deployed.
In VS mode, this feature is supported only by the admin VS.

1.1.9.1 Overview of ZTP

Definition
ZTP enables a newly delivered or unconfigured device to automatically load
version files (including the system software, configuration file, and patch file)
when the device starts.

Purpose
In conventional network device deployment, network administrators are required
to perform manual onsite configuration and software commissioning on each
device after hardware installation is complete. Therefore, deploying a large
number of geographically scattered devices is inefficient and incurs high labor
costs.
ZTP addresses these issues by automatically loading version files from a file server,
without requiring onsite manual intervention in device deployment and
configuration.


Benefits
ZTP eliminates the need for onsite device deployment and configuration, improves
deployment efficiency, and reduces labor costs.

1.1.9.2 Configuration Precautions for ZTP

Feature Requirements

Table 1-41 Feature requirements

Series: NE9000. Models: NE9000. Each of the following requirements applies to
this series and model.

● During ZTP running:
1. Do not run the mtp assistant disable or assistant scheduler suspend command
to disable an OPS built-in script assistant.
2. Do not run the undo enable (OPS view) command to disable the OPS function.
Otherwise, the ZTP function is affected.
● The names of the CC software package, configuration file, and patch file to
be downloaded in the intermediate file cannot be the same as the names of the
running CC software package, configuration file, and patch file on the device
or the names of the CC software package, configuration file, and patch file
specified for the next startup. ZTP does not download any file with the same
name as a file running on the device or a file specified for the next startup.
● During device startup, the sub-interfaces with VPN instances generated in the
pre-configuration script do not support ZTP.
● A device cannot be in the same broadcast domain with two or more DHCP
servers. Otherwise, ZTP does not take effect.
● When ZTP is used, the corresponding option (for example, 66, 67, or 59) needs
to be specified for the DHCP server. Otherwise, ZTP will exit.
● Before using ZTP for the next startup, check whether ZTP is enabled. If ZTP
is disabled, enable it. Otherwise, the ZTP process cannot be started next time.
● The address lease needs to be set for the DHCP server based on the site
deployment period. If the lease is too short, a go-online failure occurs. You
are advised to set a long address lease on the DHCP server.
● When ZTP is used, the manually configured device startup items (CC software
package, configuration file, and patch file) may be overwritten by ZTP. In this
case, you need to run the set ztp disable command to stop ZTP.
● The set save-configuration or undo set save-configuration command cannot be
run when ZTP is running. Otherwise, ZTP cannot run properly, or user
configurations may be invalid.
● ZTPv6 has the following restrictions:
1. Interconnection with the upstream Eth-Trunk interface cannot be performed.
2. VLAN learning on QinQ interfaces cannot be performed.
3. Address conflict detection is not performed, which may result in conflicts
between obtained IPv6 addresses.
4. Transmission of DHCP Release messages: the DHCP server cannot receive DHCP
Release messages for address release and can only rely on the address aging
mechanism.
● ZTPv4 does not support VLAN learning on QinQ interfaces. Properly plan the
configuration.

1.1.9.3 Configuring Automatic ZTP Deployment Through DHCP


Automatic deployment of ZTP can be implemented through DHCP. Configuring
automatic deployment through DHCP can lower labor costs and improve
deployment efficiency.

Usage Scenario
In conventional network device deployment, network administrators are required
to perform onsite software commissioning after hardware installation is complete.
Therefore, deploying a large number of geographically scattered devices is
inefficient and incurs high labor costs.


To address these issues, configure DHCP-based ZTP to implement automatic
deployment, without requiring onsite manual intervention in device deployment
and configuration.

Pre-configuration Tasks
Before configuring ZTP, complete the following tasks:
● Configure routes for the target device's gateway to communicate with DHCP
servers and file servers.
● Check that no configuration file is loaded to the target device.

1.1.9.3.1 Editing an Intermediate File

Procedure
Step 1 An intermediate file can be an .ini file, a .cfg file, or a Python script file. The .ini
and .cfg files are simple to prepare, whereas Python script files require more
expertise from the user. Therefore, users who use ZTP for the first time are
advised to select an .ini or .cfg file as the intermediate file. For details about
the related file formats, see Intermediate File in the INI Format, Intermediate
File in the CFG Format, or Intermediate Files in the Python Format.

----End

1.1.9.3.2 Configuring a DHCPv4 Server and Relay Agent

Context
Before powering on a device that requires automatic deployment through ZTP,
deploy a DHCPv4 server from which the device can obtain a device management
IP address, gateway address, intermediate file server address, and intermediate file
name.

In the DHCP discover phase, the device sends to the DHCPv4 server a DHCP
discover packet that carries DHCP Option 60 and Option 61. Option 60 (Vendor
class identifier) records the device manufacturer and model, and Option 61
(Client-identifier) records the device ESN.

Table 1-42 describes the Option fields that need to be configured on the DHCPv4
server.

Table 1-42 Option field description

Option 1 (Mandatory): Specifies the subnet mask of an IP address.

Option 3 (Mandatory): Specifies the egress gateway of a DHCP client.

Option 6 (Optional): Specifies the IP address of a DNS server. If a domain name
(for example, www.ztp.com) is specified as the host name of an intermediate file
server, deploy a DNS server to resolve the domain name to an IP address. If an
IP address is specified as the host name of an intermediate file server, a DNS
server does not need to be deployed.

Option 66 (Optional): Specifies the host name of the intermediate file server.
An intermediate file server can be a TFTP, an FTP, or an SFTP server. The format
of this field is as follows:
● tftp://hostname
● ftp://[username[:password]@]hostname
● sftp://[username[:password]@]hostname[:port]
username, password, and port are optional. hostname can be a domain name or an
IP address. If hostname is set to a domain name, a DNS server needs to be
deployed. The value of port ranges from 0 to 65535. If the specified value is
out of the range, the default value 22 is used. A port number can be configured
only when hostname of an SFTP server is set to an IPv4 address.
NOTE
If hostname is set to an IP address, you do not need to set the file transfer
type. The default file transfer type is TFTP.

Option 67 (Mandatory): Specifies the name of an intermediate file. The
intermediate file name extension is .ini, .py, or .cfg.
● The name of an intermediate file must not exceed 64 characters. Otherwise,
the file may fail to be downloaded.
● The name of an intermediate file must not contain special characters, such
as the ampersand (&), greater-than sign (>), less-than sign (<), double quote
("), and single quote (').
● The intermediate file name is in the format path/filename. In the format,
path can be a relative path without the host name of the file server, for
example /script/ztp_script.py, or an absolute path with the host name of the
file server, for example ftp://10.1.1.1/script/ztp_script.py. If a path does
not contain a host name, Option 66 needs to be set.

Option 150 (Optional): Specifies the IP address of a TFTP server.

NOTE

The IPv4 address lease that ZTP applies for through DHCPv4 is at least one hour and cannot be
renewed.
If a ZTP device and DHCPv4 server reside on different network segments, deploy a DHCP relay
agent to forward DHCP packets.

1.1.9.3.3 Configuring a DHCPv6 Server and Relay Agent

Context
Before powering on a device that requires automatic deployment through ZTP,
deploy a DHCPv6 server from which the device can obtain a device management
IP address, gateway address, intermediate file server address, and intermediate file
name.
In the DHCPv6 Solicit phase, the device sends to the DHCPv6 server a DHCPv6
Solicit message that carries DHCPv6 Option 6. DHCPv6 Option 6 records the
option code requested by the client.
Table 1-43 describes the option fields that need to be configured on the DHCPv6
server.


Table 1-43 Option field description

Option 5 (Mandatory): Requested IA address, IPv6 address, and lifetime.

Option 59 (Mandatory): Path of the intermediate file. The intermediate file
name extension is .ini, .py, or .cfg. The format of this field is as follows:
● tftp://hostname/path/filename
● ftp://[username[:password]@]hostname/path/filename
● sftp://[username[:password]@]hostname/path/filename

NOTE

The IPv6 address lease that ZTP applies for through DHCPv6 is at least one hour and cannot be
renewed.
If a ZTP-enabled device and DHCPv6 server reside on different network segments, deploy a
DHCPv6 relay agent to forward DHCPv6 packets.
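The Option 66/67 and Option 59 formats from Tables 1-42 and 1-43 can be validated before they are entered on the DHCP server. The following parser is an added example, not Huawei code; it assumes that IPv6 literals are written in square brackets and that a non-numeric port falls back to 22 in the same way as an out-of-range one:

```python
"""Parse and validate the ZTP file-server fields carried in DHCPv4 Option 66/67
and DHCPv6 Option 59, following the formats given in Tables 1-42 and 1-43.

Added example, not Huawei code. Assumptions not stated on the page: IPv6
literals are written as [addr]; a non-numeric port is treated like an
out-of-range one and replaced by the default 22.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

SCHEMES = ("tftp", "ftp", "sftp")
EXTENSIONS = (".ini", ".py", ".cfg")
FORBIDDEN = set('&><"\'')   # characters Option 67 must not contain (Table 1-42)
MAX_NAME_LEN = 64           # longer Option 67 names may fail to download


@dataclass
class FileSource:
    scheme: str
    host: str
    port: Optional[int] = None        # meaningful only for sftp
    username: Optional[str] = None
    password: Optional[str] = None
    path: str = ""                    # "path/filename" without a leading slash


def _is_ipv4(host: str) -> bool:
    try:
        return ip_address(host).version == 4
    except ValueError:
        return False


def parse_server_url(value: str) -> FileSource:
    """Parse tftp://host, ftp://[user[:pw]@]host or sftp://[user[:pw]@]host[:port]."""
    if "://" not in value:
        # A bare IP address means the default transfer type, TFTP (Table 1-42 NOTE).
        ip_address(value)             # raises ValueError if not an IP literal
        return FileSource("tftp", value)
    scheme, _, rest = value.partition("://")
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    netloc, _, path = rest.partition("/")
    creds, _, hostport = netloc.rpartition("@")     # creds is "" without '@'
    user = pw = None
    if creds:
        user, sep, pw = creds.partition(":")
        pw = pw if sep else None
    if hostport.startswith("["):                    # [IPv6]:port (assumption)
        host, _, port_s = hostport[1:].partition("]")
        port_s = port_s.lstrip(":")
    else:
        host, _, port_s = hostport.partition(":")
    if not host:
        raise ValueError("missing hostname")
    port = None
    if port_s:
        if scheme != "sftp" or not _is_ipv4(host):
            raise ValueError("a port is allowed only for SFTP with an IPv4 hostname")
        # Ports outside 0-65535 (or malformed ones) fall back to the default 22.
        port = int(port_s) if port_s.isdigit() and int(port_s) <= 65535 else 22
    return FileSource(scheme, host, port, user, pw, path)


def validate_option67(name: str, option66: Optional[str]) -> FileSource:
    """Resolve the intermediate file named by Option 67; relative paths need Option 66."""
    if len(name) > MAX_NAME_LEN:
        raise ValueError("Option 67 exceeds 64 characters")
    bad = FORBIDDEN & set(name)
    if bad:
        raise ValueError(f"Option 67 contains forbidden character(s) {sorted(bad)}")
    if "://" in name:                               # absolute: host in the name
        src = parse_server_url(name)
    else:                                           # relative: host from Option 66
        if not option66:
            raise ValueError("relative Option 67 path requires Option 66")
        src = parse_server_url(option66)
        src.path = name.lstrip("/")
    if not src.path or src.path.endswith("/"):
        raise ValueError("Option 67 must name a file")
    if not src.path.lower().endswith(EXTENSIONS):
        raise ValueError("intermediate file must be .ini, .py or .cfg")
    return src


def parse_option59(value: str) -> FileSource:
    """DHCPv6 Option 59: a full tftp/ftp/sftp URL of the intermediate file (Table 1-43)."""
    if "://" not in value:
        raise ValueError("Option 59 must be a full URL including the scheme")
    src = parse_server_url(value)
    if not src.path.lower().endswith(EXTENSIONS):
        raise ValueError("intermediate file must be .ini, .py or .cfg")
    return src
```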

1.1.9.3.4 Configuring a File Server

Context
A file server stores the files to be downloaded to unconfigured devices, including
the intermediate file and version files. A router can be configured to provide the
file server functionality. A file server consumes device storage resources. Therefore,
ensure that the router has sufficient space to store files before deploying a file
server on the router. If the router does not have sufficient space, you can deploy a
third-party server to store files. For details about configuring a third-party server,
see the corresponding operation guide of the third-party server.

The version file server and intermediate file server can be the same server. A file
server can be a TFTP, FTP, or SFTP server.

NOTE

Ensure that reachable routes are deployed between the file server and unconfigured device.

Follow-up Procedure
After the file server is configured, save the intermediate file and version files to
the file server.

NOTE

To ensure security of the file server, configure a unique user name for the file server and
assign read-only permission to the user to prevent unauthorized modification to the files.
After the ZTP process is complete, disable the file server function.


1.1.9.3.5 Powering on the Device

Context
After ZTP-related configurations are complete, power on the ZTP-enabled device.
The device will then automatically download version files and restart to complete
automatic deployment.

Procedure
Step 1 Power on the device.

----End

1.1.9.3.6 (Optional) Uploading a Pre-Configuration Script

Context
If you want commands to be delivered to an unconfigured device before the ZTP
process starts, upload a pre-configuration script to the device.

Procedure
Step 1 Edit the pre-configuration script based on the file type and format instructions
described in Preconfiguration Script.

Step 2 Upload the pre-configuration script to the storage medium of the main control
board.
NOTE

FTP, TFTP, or SFTP can be used to upload the script. For upload details, see 1.1.8.6 Using
FTP to Access Other Devices, 1.1.8.5 Using TFTP to Access Other Devices, or 1.1.8.7
Using SFTP to Access Other Devices. Select an upload mode as needed.

Step 3 Run set ztp pre-configuration file-name

The pre-configuration script is loaded.

To disable a device from starting the ZTP process at device startup with base
configuration, run the reset ztp pre-configuration command to clear the pre-
configuration script.

Step 4 Run display ztp status

The ZTP status (including the status of the pre-configuration script) is displayed.

NOTE

When the system software is upgraded from an earlier version to the current version, the
loaded pre-configuration script is executed (to prevent this loaded pre-configuration script
from being executed, run the reset ztp pre-configuration command) only if the
configuration file set for startup is vrpcfg.zip.

----End


1.1.9.3.7 Enabling ZTP

Context
To implement automatic deployment through ZTP on a device upon a start with
base configuration, enable ZTP.

Procedure
Step 1 Run set ztp enable

ZTP is enabled.

If automatic deployment through ZTP is not needed, run the set ztp disable
command to disable ZTP.

Step 2 (Optional) Run display ztp status

The ZTP status is displayed.

----End

1.1.9.3.8 Verifying the ZTP Configuration

Procedure
Step 1 After the ZTP process is complete, log in to the device and run the display startup
command to check whether the device startup file is as required.

Step 2 Run the display ztp status command to check whether automatic deployment is
complete through ZTP.

Step 3 If automatic deployment fails, analyze ZTP logs on the device to determine the
failure causes.

ZTP logs are saved to the file named ztp_YYYYMMDDHHMMSS.log in the
directory cfcard:/ztp.

----End

1.1.9.4 Configuration Examples for ZTP


This section provides examples for configuring automatic deployment through
DHCP.

1.1.9.4.1 Example for Configuring Automatic ZTP Deployment Through DHCP

Networking Requirements
On the network shown in Figure 1-75, two devices (RouterA and RouterB) with
base configuration are newly added and connected to RouterC. RouterC functions
as the egress gateway of RouterA and RouterB. Routes are available for RouterC,
the DHCP server, and the file server to communicate with each other.


The customer requires that RouterA and RouterB automatically load system
software and configuration files after they are powered on to reduce labor costs
and device deployment time.

Figure 1-75 Configuring automatic ZTP deployment through DHCP


NOTE

Interfaces 1 and 2 in this example represent GE 1/0/1 and GE 1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an FTP server as the file server to save the intermediate file, system
software, and configuration files.
NOTE

File transfer through FTP is prone to security risks, and therefore the SFTP file transfer
mode is recommended.
2. Edit the Python, INI, or CFG intermediate file to enable the routers to obtain
their system software packages and configuration files according to the
intermediate file.
3. Configure the DHCP server and relay agent to enable RouterA and RouterB to
obtain DHCP information.
4. Power on RouterA and RouterB to start the ZTP process.

Procedure
Step 1 Configure the file server. (The following example uses a PC as the file server. If
another type of device is used as the file server, configure the server according to
the corresponding operation guide.)
1. Configure the file server (PC) as an FTP server. Run an FTP server program
(for example, WFTPD32) on the PC. See Figure 1-76. Choose Security >
Users/rights. In the displayed dialog box, click New User. Set the user name
to ftpuser and password to Pwd123. Enter the FTP working directory in the
Home Directory text box. In this example, the working directory is D:\ztp.
Click Done to close the dialog box.


Figure 1-76 Configuring the file server

2. Configure an IP address and gateway address for the file server. Ensure that
the file server and gateway of RouterA and RouterB have reachable routes to
each other.

After configuring the file server, save the system software and configuration files
to be loaded to the working directory D:\ztp.

Step 2 Edit the intermediate file.

Edit the intermediate file according to 1.1.9.3.1 Editing an Intermediate File. A
CFG intermediate file is used as an example. The file is named ztp_script.cfg. See
Intermediate File in the CFG Format for the file content.

After editing the intermediate file, save the file to the working directory D:\ztp on
the file server.

Step 3 Configure the DHCP server.

# Configure the IP address pool from which the DHCP server assigns IP addresses
to clients. Configure Option fields according to the instructions in Table 1-44. For
configuration details, see the corresponding product documentation and DHCP
server configuration section in this document.

Table 1-44 Option fields to be configured on the DHCP server

Option  Description                                       Value
1       Subnet mask of an IP address                      255.255.225.0
3       Egress gateway of a DHCP client                   10.1.1.1
67      File server address and intermediate file name    ftp://ftpuser:Pwd123@10.1.3.2/ztp_script.cfg

# Configure an IP address and gateway address for the DHCP server. Ensure that
the DHCP server and gateway of RouterA and RouterB have reachable routes to
each other.
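The following Python script is an added example, not part of this guide or of the NE9000 software. It applies the consistency checks an operator would want to run on the Option 1, 3 and 67 values of Table 1-44 before loading them onto the DHCP server, using constructed sample values copied from the table. Two points it surfaces: the mask value printed in the table, 255.255.225.0, is not a contiguous mask and fails the check (a 24-bit mask is 255.255.255.0), and an ftp:// URL in Option 67 carries the file server credentials and the intermediate file in cleartext, which is why the roadmap above recommends SFTP. The list of accepted URL schemes (ftp and sftp) is an assumption based on the two transfer modes this section mentions.

```python
"""Consistency checks on the DHCP option values a ZTP client relies on.

Added example; not part of the NE9000 guide or software. Option numbers and
the sample values below come from Table 1-44 of this section.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed sample: the three option values from Table 1-44, exactly as printed.
SAMPLE_OPTIONS = {
    1: "255.255.225.0",
    3: "10.1.1.1",
    67: "ftp://ftpuser:Pwd123@10.1.3.2/ztp_script.cfg",
}

# ASSUMPTION: only the two transfer modes this section mentions are treated as usable.
KNOWN_SCHEMES = ("ftp", "sftp")


def mask_is_contiguous(mask: str) -> bool:
    """True if the dotted-quad mask is a run of 1 bits followed by 0 bits."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return False
    inverted = ~bits & 0xFFFFFFFF          # the host part, e.g. 0x000000FF for a /24
    return inverted & (inverted + 1) == 0  # host part must look like 0b0...01...1


def parse_option67(value: str) -> dict:
    """Split the Option 67 URL into its parts (credentials are percent-decoded)."""
    u = urlsplit(value)
    try:
        port = u.port
    except ValueError:          # e.g. a literal "hostname:port" placeholder
        port = None
    return {
        "scheme": u.scheme.lower(),
        "username": unquote(u.username) if u.username else None,
        "password": unquote(u.password) if u.password else None,
        "host": u.hostname,
        "port": port,
        "path": u.path.lstrip("/"),
    }


def check_options(options: dict) -> list:
    """Return findings about the option set; an empty list means nothing was flagged."""
    findings = []
    mask, gateway, url = options.get(1), options.get(3), options.get(67)

    if mask is None or not mask_is_contiguous(mask):
        findings.append(f"option 1: {mask!r} is not a contiguous subnet mask")
    try:
        ipaddress.IPv4Address(gateway)
    except (ValueError, TypeError):
        findings.append(f"option 3: {gateway!r} is not a valid gateway address")

    if not url:
        findings.append("option 67: no file server URL")
        return findings
    info = parse_option67(url)
    if info["scheme"] not in KNOWN_SCHEMES:
        findings.append(f"option 67: unsupported scheme {info['scheme']!r}")
    elif info["scheme"] == "ftp":
        # FTP sends the user name, password and file contents in cleartext; the guide
        # itself recommends SFTP, so an FTP URL is worth flagging before deployment.
        findings.append("option 67: FTP transfers credentials and files in cleartext; prefer sftp")
    if not info["host"]:
        findings.append("option 67: URL has no host")
    if not info["path"]:
        findings.append("option 67: URL names no intermediate file")
    return findings


if __name__ == "__main__":
    for finding in check_options(SAMPLE_OPTIONS) or ["no findings"]:
        print(finding)
```

Run against the values from the table the script reports the non-contiguous mask and the cleartext FTP URL; with a 255.255.255.0 mask and an sftp:// URL it reports nothing.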


Step 4 Configure the DHCP relay agent.


# On RouterC, configure the DHCP relay function and set the IP address of the
interface connected to RouterA and RouterB to 10.1.1.1. Configure 10.1.1.1 as the
default gateway address of RouterA and RouterB.
<HUAWEI> system-view
[~HUAWEI] sysname RouterC
[*HUAWEI] commit
[~RouterC] interface GigabitEthernet 1/0/1
[~RouterC-GigabitEthernet1/0/1] ip address 10.2.2.1 255.255.255.0
[*RouterC-GigabitEthernet1/0/1] undo shutdown
[*RouterC-GigabitEthernet1/0/1] commit
[~RouterC-GigabitEthernet1/0/1] quit
[~RouterC] interface GigabitEthernet 1/0/2
[~RouterC-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
[*RouterC-GigabitEthernet1/0/2] dhcp select relay
[*RouterC-GigabitEthernet1/0/2] ip relay address 10.1.2.2
[*RouterC-GigabitEthernet1/0/2] undo shutdown
[*RouterC-GigabitEthernet1/0/2] commit
[~RouterC-GigabitEthernet1/0/2] quit

Step 5 Power on RouterA and RouterB to start the ZTP process.


Step 6 Verify the configuration.
# Log in to the device and run the display startup command to check whether
the system software and configuration file are as expected. The example uses the
command output on RouterA.
<RouterA> display startup
MainBoard:
Configured startup system software: cfcard:/V800R022C00SPC600B140_0424_new.cc
Startup system software: cfcard:/V800R022C00SPC600B140_0424_new.cc
Next startup system software: cfcard:/V800R022C00SPC600B140_0424_new.cc
Startup saved-configuration file: cfcard:/vrpcfg.cfg
Next startup saved-configuration file: cfcard:/vrpcfg.cfg
Startup paf file: default
Next startup paf file: default
Startup patch package: cfcard:/NE9000V800R022C00SPC600.PAT
Next startup patch package: cfcard:/NE9000V800R022C00SPC600.PAT

----End

Configuration Files
ztp_script.cfg file

NOTE

The SHA256 checksum in the following file is only an example.


#sha256sum="fffcd63f5e31f0891a0349686969969c1ee429dedeaf7726ed304f2d08ce1bc7"
fileserver=sftp://username:password@hostname:port/path;
mac=00e0-fc12-3456;esn=2102351931P0C3000154;devicetype=DEFAULT;system-version=V800R022C00SPC600;system-software=V800R022C00SPC600.cc;system-config=test.cfg;system-pat=V800R022C00SPC600SPH001.PAT;
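As an added example (not Huawei's ZTP implementation), the following Python code parses a CFG intermediate file of the shape shown above and verifies its #sha256sum header before trusting any of its fields. It assumes the checksum is the SHA-256 of the file content after the header line; that assumption is marked in the code. The sample file is constructed from the values above with a checksum computed locally, so it deliberately does not match the example checksum printed in the guide. The order in which a device entry is matched (ESN first, then MAC) is this example's own choice, not something the guide states.

```python
"""Parse a CFG intermediate file and verify its #sha256sum header.

Added example; not the NE9000 ZTP implementation. The field names mirror the
ztp_script.cfg sample above.
"""
import hashlib
import re

HEADER_RE = re.compile(r'^#sha256sum="([0-9a-fA-F]{64})"\s*$')


def split_header(text: str):
    """Return (checksum from the header line, remainder of the file)."""
    first, _, body = text.partition("\n")
    match = HEADER_RE.match(first)
    if not match:
        raise ValueError("first line is not a #sha256sum header")
    return match.group(1).lower(), body


def body_checksum(body: str) -> str:
    # ASSUMPTION: the checksum covers the file content after the header line, byte for byte.
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def stamp_checksum(body: str) -> str:
    """Authoring helper: prepend a header whose checksum matches the given body."""
    return f'#sha256sum="{body_checksum(body)}"\n{body}'


def verify_checksum(text: str) -> bool:
    """True if the header checksum matches the body; False on mismatch or missing header."""
    try:
        expected, body = split_header(text)
    except ValueError:
        return False
    return body_checksum(body) == expected


def parse_fields(line: str) -> dict:
    """Parse one 'key=value;key=value;' line into a dict."""
    fields = {}
    for part in line.strip().split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = value.strip()
    return fields


def parse_cfg(text: str) -> dict:
    """Return {'fileserver': url, 'devices': [field dicts]}; refuse a file whose checksum fails."""
    if not verify_checksum(text):
        raise ValueError("sha256sum mismatch: refusing a modified or corrupted intermediate file")
    _, body = split_header(text)
    parsed = {"fileserver": None, "devices": []}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = parse_fields(line)
        if "fileserver" in fields:
            parsed["fileserver"] = fields["fileserver"]
        else:
            parsed["devices"].append(fields)
    return parsed


def match_device(parsed: dict, esn: str = None, mac: str = None):
    """Pick the entry for this device. ESN-before-MAC is this example's choice (assumption)."""
    for entry in parsed["devices"]:
        if esn and entry.get("esn") == esn:
            return entry
    for entry in parsed["devices"]:
        if mac and entry.get("mac", "").lower() == mac.lower():
            return entry
    return None


# Constructed sample built from the ztp_script.cfg values above; the checksum is computed
# here rather than copied, so it differs from the example checksum printed in the guide.
SAMPLE_BODY = (
    "fileserver=sftp://username:password@hostname:port/path;\n"
    "mac=00e0-fc12-3456;esn=2102351931P0C3000154;devicetype=DEFAULT;"
    "system-version=V800R022C00SPC600;system-software=V800R022C00SPC600.cc;"
    "system-config=test.cfg;system-pat=V800R022C00SPC600SPH001.PAT;\n"
)
SAMPLE_FILE = stamp_checksum(SAMPLE_BODY)
```

Running verify_checksum on the file you are about to place in D:\ztp catches a mis-edited header before a device ever tries it; a mismatch on a file fetched back from the server means it was altered after authoring, which matters most when the transfer path is cleartext FTP.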

vrpcfg.cfg file

NOTE

The interface IP address and static route configurations in the file are used as an example.
You can modify them as required.
#
sysname HUAWEI


#
ip vpn-instance __LOCAL_OAM_VPN__
ipv4-family
#
interface Ethernet0/0/0
undo shutdown
ip binding vpn-instance __LOCAL_OAM_VPN__
ip address 192.168.130.10 255.255.255.0
#
ip route-static vpn-instance __LOCAL_OAM_VPN__ 0.0.0.0 0.0.0.0 192.168.130.20
#

RouterC configuration file


#
sysname RouterC
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.1.1 255.255.255.0
dhcp select relay
ip relay address 10.1.2.2
#
return
