Configuration Guide - Basic Configurations (V800R002C01 - 01)
Version: V800R002C01
Issue: 01
Date: 2011-10-15
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-10-15)
Intended Audience
Commissioning engineers
Product Version
HUAWEI NetEngine5000E Core Router V800R002C01
Symbol Conventions
The symbols that may be found in this document are defined as follows.
DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.
Command Conventions
Convention: Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
About This Document
1 Logging In to the System for the First Time
  1.1 Overview of Logging In to the System for the First Time
  1.2 Logging In to the Router Through the Console Port
    1.2.1 Logging In to the Router Through the Console Port
    1.2.2 Logging In to the Router
4 Transferring Files
  4.1 File Transfer Overview
  4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E
  4.3 Operating Files After Logging In to the System
    4.3.1 Managing Directories
    4.3.2 Managing Files
  4.4 Using FTP to Operate Files
    4.4.1 Configuring a Local FTP User
    4.4.2 (Optional) Changing the Listening Port Number of the FTP Server
    4.4.3 Enabling the FTP Server Function
    4.4.4 (Optional) Configuring FTP Server Parameters
    4.4.5 (Optional) Configuring FTP Access Control
    4.4.6 Using FTP to Access the System
    4.4.7 Using FTP to Operate Files
    4.4.8 Checking the Configuration
  4.5 Using SFTP to Operate Files
    4.5.1 Configuring an SSH User and Specifying the Service Type
    4.5.2 Enabling the SFTP Server Function
    4.5.3 (Optional) Configuring SFTP Server Parameters
    4.5.4 Using SFTP to Access the System
    4.5.5 Using SFTP to Operate Files
    4.5.6 Checking the Configuration
  4.6 Configuration Examples
    4.6.1 Example for Operating Files After Logging In to the System
    4.6.2 Example for Using FTP to Operate Files
7 Device Upgrade
  7.1 Overview of Device Upgrade
  7.2 Upgrade Modes Supported by the NE5000E
8 Patch Installation
  8.1 Overview
  8.2 Patch Installation Modes Supported by the NE5000E
9 Configuration Management
  9.1 Introduction to Configuration Management
  9.2 Configuration Management Features that the NE5000E Supports
  9.3 Selecting a Configuration Validation Mode
    9.3.1 Configuring Immediate Configuration Validation Mode
    9.3.2 Configuring Two-Phase Configuration Validation Mode
  9.4 Managing Configuration Files
    9.4.1 Saving Configurations
    9.4.2 Comparing Configuration Files
    9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup
    9.4.4 Clearing the System Configuration File Loaded at the Current Startup
    9.4.5 Checking the Configuration
  9.5 Configuration Examples
    9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode
    9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode
    9.5.3 Example for Multiple Users to Configure the Same Service in Two-Phase Configuration Validation Mode
    9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode
    9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode
    9.5.6 Example for Managing Configuration Files
Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the router to configure and manage it.
Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
Configuration Procedures
Figure 1-1 Logging in to the router through the console port (flowchart; the surviving step label is "Establish a physical connection", and the legend distinguishes mandatory and optional procedures)
Context
Configure the physical attributes of the PC's serial port to match those configured for the console port on the router: transmission rate, data bits, parity bit, stop bits, and flow control mode. Because this is the first login, the console port still uses its default terminal attributes, so the PC side must use the same defaults (the values shown in Figure 1-5).
Procedure
Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) on the PC to establish a connection. Follow the instructions as shown in Figure 1-3 and click OK.
Step 2 Set the COM port. Follow the instructions as shown in Figure 1-4 and click OK.
Figure 1-4 Setting the COM port
Step 3 Set the communication parameters of the COM port to the default values of the router, as shown in Figure 1-5, and click OK.
A command prompt such as <HUAWEI> appears, the user view is displayed, and you can start configuring the device.
In the user view, configure the device or check its operating status, or enter a question mark (?) for online help.
The prompt you reach here belongs to the console user interface. Until an authentication mode is configured for it (see Configuring the Console User Interface), physical access to the console port is the only access control on this path.
----End
Console: manages and monitors users logging in through the console port. The console port is an EIA/TIA-232 DCE port.
Users who log in through different login modes are allocated different user interfaces. A user who logs in several times in the same way may be allocated a different user interface each time.
Relative numbering
Relative numbering uniquely specifies a user interface, or a group of user interfaces, of the same type. The numbering format is user interface type + number, adhering to the following rules:
- Console port numbering: CON0.
- VTY user interface numbering: the first VTY is 0, the second VTY is 1, and so on.
Absolute numbering
Absolute numbering uniquely specifies a user interface or a group of user interfaces across all types. The number starts at 0 and increases by 1; the console port is numbered before VTY user interfaces. Numbers 1 to 32 are reserved for TTY user interfaces.
There are 20 consoles and 18 VTY user interfaces. Run the user-interface maximum-vty command in the system view to set the maximum number of VTY user interfaces; the default value is 5.
Table 2-1 shows the default absolute numbers of the console and VTY user interfaces.
Table 2-1 Default absolute numbers of the console and VTY user interfaces
User Interface    Absolute Number
CON0              0
VTY0              34
VTY1              35
VTY2              36
VTY3              37
VTY4              38
No-authentication: users log in to the device without entering a user name or password. This mode is insecure and is not recommended.
Password authentication: users enter a password but no user name. The password is shared by everyone who uses the user interface, so a login cannot be attributed to an individual.
AAA authentication: users must enter both a user name and a password. If either the user name or the password is incorrect, the login fails. Telnet users are usually authenticated in AAA mode.
If AAA authentication is configured, the level of commands that a user can use depends on the local user priority specified in the AAA configuration.
Applicable Environment
If you need to log in to a device through the console port for local maintenance, configure the console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. Configure parameters based on the use and security requirements.
Pre-configuration Tasks
Before configuring the console user interface, complete the following task:
Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
Context
When a user logs in to a device through the console port, the physical attributes set on the HyperTerminal for the console port must be consistent with the attributes of the console user interface on the device. Otherwise, the user cannot log in to the device.
Procedure
Step 1 Run:
system-view
2.2.3 Configuring the User Priority for the Console User Interface
You can set user priorities for user interfaces to manage users based on their levels. This section describes how to set the user priority for the console user interface.
Context
User levels correspond to command levels. After logging in to the system, a user can use commands of the corresponding level or lower.
Procedure
Step 1 Run:
system-view
If the user priority configured for the user interface conflicts with the priority configured for the user itself, the user's own level takes precedence. The priority set on the user interface therefore only applies to logins that carry no user level of their own, such as password or no-authentication logins.
For example, user 001 can use commands at level 3, and the user level configured in the user interface view of Console 0 is 2. After user 001 logs in through Console 0, the user can still use commands at level 3 or lower.
Step 4 Run:
commit
Procedure
- Configure AAA authentication.
1. Run:
system-view
2. Run:
user-interface console ui-number
3. Run:
authentication-mode aaa
4. Run:
quit
5. Run:
aaa
6. Run:
local-user user-name password { simple | cipher } password
7. Run:
commit
- Configure password authentication.
1. Run:
system-view
2. Run:
user-interface console ui-number
3. Run:
authentication-mode password
4. Run:
set authentication password { cipher | simple } password
5. Run:
commit
- Configure no-authentication.
1. Run:
system-view
2. Run:
user-interface console ui-number
3. Run:
authentication-mode none
No-authentication is set.
4. Run:
commit
NOTE
With cipher, the password is stored in encrypted form in the configuration file; with simple, it is stored in plain text and is readable by anyone who can view or copy the configuration. No-authentication on the console means that anyone with physical access to the console port obtains a command prompt; use it only where the port itself is physically protected.
Prerequisite
The configurations of the console user interface are complete.
Procedure
- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface console 0 command to check the physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check information about logged-in users.
----End
Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay     Type  Network Address   AuthenStatus  AuthorcmdFlag
  0     CON 0
        Username : Unspecified
+ 258   VTY 0    00:00:00  TEL   10.164.6.15       pass          no
        Username : Unspecified
  259   VTY 1
        Username : Unspecified
Run the display user-interface console 0 command to view the physical attributes and configuration of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
  0    CON 0    9600           3                   N
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
  Int : The physical location of UIs.
In this output the Auth column shows N: the console user interface still accepts logins without authentication.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
  ----------------------------------------------------------------
  Username     State    Type    Online
  ----------------------------------------------------------------
  user123      Active   All     0
  ll           Active   F       0
  user1        Active   F       0
  ----------------------------------------------------------------
  Total 3,3 printed
Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
  -----------------------------------------------
  User-name     domain-name     userid
  -----------------------------------------------
  root          default         1
  abcd          default         2
  -----------------------------------------------
  Total users              : 2
  Wait authen-ack          : 0
  Authentication success   : 2
Applicable Environment
If you need to log in to a device for local or remote configuration and maintenance by using Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user interfaces, the limit on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode. Configure parameters based on the user and security requirements.
Pre-configuration Tasks
Before configuring VTY user interfaces, complete the following task:
Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
Context
The maximum number of VTY user interfaces is the total number of users that can be logged in at the same time using Telnet and SSH.
CAUTION
If the maximum number of VTY user interfaces is set to zero on a device, no user can log in to the device through Telnet or SSH.
Procedure
Step 1 Run:
system-view
Step 3 Run:
commit
Context
An ACL can be configured to either allow or deny Telnet connections based on source or destination IP addresses:
- A basic ACL, numbered 2000 to 2999, controls Telnet connections based on source IP addresses.
- An advanced ACL, numbered 3000 to 3999, controls Telnet connections based on both source and destination IP addresses.
Before configuring the limit on incoming and outgoing calls for VTY user interfaces, run the acl command in the system view to create an ACL and enter the ACL view. Then run the rule command to add rules to the ACL. Rules are matched in order, and a source address that matches no rule is not restricted by the ACL; an ACL that is meant to allow only a management network must therefore end with an explicit rule that denies every other source.
Procedure
Step 1 Run:
system-view
The limit on incoming and outgoing calls is set for the VTY user interface.
- Choose inbound to allow or prohibit logins to this device from a specified IP address or address range.
- Choose outbound to allow or prohibit users who are already logged in to this device from logging in to other devices.
Step 4 Run:
commit
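The two things that go wrong with VTY ACLs are the wildcard mask (a 0 bit must match, a 1 bit is ignored) and the fall-through behaviour for addresses that match no rule. The following Python script is an added example written for this chapter; it is not part of the original guide and not Huawei code. It parses basic ACL rules in the syntax the chapter uses, evaluates them against candidate Telnet/SSH source addresses, and contrasts the single-host deny from this chapter's example with an allow-list ACL. The ACL texts, the rule numbers, the probe addresses and the management subnet 192.168.100.0/24 are constructed for the example; the assumption that an unmatched address is permitted on the VTY line is stated in the code.

```python
"""Evaluate VRP-style basic ACL rules against Telnet/SSH source addresses.

Added example for this guide; not Huawei code. The ACLs below are constructed
in the syntax the chapter uses ("rule <id> <permit|deny> source <addr> <wildcard>").
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed: the chapter's example ACL, which blocks exactly one host and
# leaves every other source free to reach the VTY user interfaces.
WEAK_ACL = """
acl number 2000
 rule 5 deny source 10.1.1.1 0
"""

# Constructed: allow-list of a hypothetical management subnet, then deny all.
HARDENED_ACL = """
acl number 2001
 rule 5 permit source 192.168.100.0 0.0.0.255
 rule 10 deny source any
"""

# (rule id, action, network as int, wildcard mask as int)
Rule = Tuple[int, str, int, int]


def _to_int(token: str) -> int:
    """Accept a dotted quad or the bare '0' shorthand VRP allows for the wildcard."""
    return int(token) if token.isdigit() else int(ipaddress.IPv4Address(token))


def parse_basic_acl(text: str) -> List[Rule]:
    """Parse the 'rule' lines of a basic ACL; rules are ordered by rule id."""
    rules: List[Rule] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "rule" or parts[3] != "source":
            continue
        rule_id, action = int(parts[1]), parts[2]
        if parts[4] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif len(parts) >= 6:
            net, wild = _to_int(parts[4]), _to_int(parts[5])
        else:
            continue
        rules.append((rule_id, action, net, wild))
    return sorted(rules, key=lambda r: r[0])


def wildcard_match(addr: int, net: int, wild: int) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def first_match(rules: List[Rule], source: str) -> Optional[str]:
    """Return the action of the first matching rule, or None if no rule matches."""
    addr = int(ipaddress.IPv4Address(source))
    for _, action, net, wild in rules:
        if wildcard_match(addr, net, wild):
            return action
    return None


def vty_decision(rules: List[Rule], source: str) -> str:
    """Final decision for a VTY line. Assumption: a source that matches no rule is
    not blocked by the ACL (there is no implicit deny), so it is permitted."""
    return first_match(rules, source) or "permit"


def evaluate(acl_text: str, sources: List[str]) -> Dict[str, str]:
    """Map each probe address to the decision the given ACL would produce."""
    rules = parse_basic_acl(acl_text)
    return {source: vty_decision(rules, source) for source in sources}


if __name__ == "__main__":
    probes = ["10.1.1.1", "10.1.1.2", "192.168.100.7", "203.0.113.9"]
    print("weak:    ", evaluate(WEAK_ACL, probes))
    print("hardened:", evaluate(HARDENED_ACL, probes))
```

Run against the weak ACL, every probe except 10.1.1.1 is permitted, because nothing matches and the line falls through; the hardened ACL permits only the management subnet and denies the rest through its final rule.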
Procedure
Step 1 Run:
system-view
Context
User levels correspond to command levels. After logging in to the system, a user can use commands of the corresponding level or lower.
Procedure
Step 1 Run:
system-view
If the user priority configured for the user interface conflicts with the priority configured for the user itself, the user's own level takes precedence.
For example, a user can use commands at level 3, and the user level configured in the user interface view of VTY0 is 2. After the user logs in through VTY0, the user can still use commands at level 3 or lower.
Step 4 Run:
commit
Procedure
- Configure AAA authentication.
1. Run:
system-view
2. Run:
user-interface vty first-ui-number [ last-ui-number ]
3. Run:
authentication-mode aaa
4. Run:
commit
5. Run:
quit
6. Run:
aaa
7. Run:
local-user user-name password { simple | cipher } password
8. Run:
commit
- Configure password authentication.
1. Run:
system-view
2. Run:
user-interface vty first-ui-number [ last-ui-number ]
3. Run:
authentication-mode password
4. Run:
set authentication password { cipher | simple } password
5. Run:
commit
- Configure no-authentication.
1. Run:
system-view
2. Run:
user-interface vty first-ui-number [ last-ui-number ]
3. Run:
authentication-mode none
4. Run:
commit
NOTE
VTY user interfaces are reachable over the network, so no-authentication exposes a command prompt to every host that can reach the device. AAA authentication with per-user accounts is the mode to use for Telnet and SSH access; with cipher, the local user's password is stored in encrypted form, while simple stores it in plain text in the configuration file.
Prerequisite
The configuration of VTY user interfaces is complete.
Procedure
- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface vty ui-number command to check the physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay     Type  Network Address   AuthenStatus  AuthorcmdFlag
  0     CON 0
        Username : Unspecified
+ 258   VTY 0    00:00:00  TEL   10.164.6.15       pass          no
        Username : Unspecified
  259   VTY 1
        Username : Unspecified
Run the display user-interface maximum-vty command to view the configured maximum number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty command to view the configured user interface information.
<HUAWEI> display user-interface vty
  Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 34   VTY 0                   15     15           N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
  -----------------------------------------------
  User-name     domain-name     userid
  -----------------------------------------------
  root          default         1
  abcd          default         2
  -----------------------------------------------
  Total users              : 2
  Wait authen-ack          : 0
  Authentication success   : 2
Run the display vty mode command to view the configured VTY mode. For example:
<HUAWEI> display vty mode
current VTY mode is Human-Machine interface
Networking Requirements
To initialize the configuration of a new device or to maintain the device locally, the device must be logged in to through the console user interface. Attributes are set for the console user interface based on user and security requirements.
Configuration Notes
By default, terminal services are enabled on all user interfaces. If terminal services have been disabled on the console user interface, log in to the system using Telnet, enter the console user interface view and run the shell command to enable terminal services again.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Configure the user priority for the console user interface.
4. Configure the authentication mode and password for the console user interface.
The user name and password do not have default values. Other parameters have default values, which are recommended.
Data Preparation
To complete the configuration, you need the following data:
- Transmission rate: 4800 bit/s
- Flow control: none
- Parity: even
- Stop bits: 2
- Data bits: 6
Procedure
Step 1 Configure physical attributes for the console user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 4800
[~HUAWEI-ui-console0] flow-control none
[~HUAWEI-ui-console0] parity even
[~HUAWEI-ui-console0] stopbits 2
[~HUAWEI-ui-console0] databits 6
[~HUAWEI-ui-console0] commit
Step 2 Configure terminal attributes for the console user interface.
[~HUAWEI-ui-console0] shell
[~HUAWEI-ui-console0] idle-timeout 30
[~HUAWEI-ui-console0] screen-length 30
[~HUAWEI-ui-console0] history-command max-size 20
[~HUAWEI-ui-console0] commit
Step 3 Configure the user priority for the console user interface.
[~HUAWEI-ui-console0] user privilege level 15
[~HUAWEI-ui-console0] commit
Step 4 Configure the authentication mode and password for the console user interface.
[~HUAWEI-ui-console0] authentication-mode password
[~HUAWEI-ui-console0] set authentication password simple huawei
[~HUAWEI-ui-console0] commit
[~HUAWEI-ui-console0] quit
NOTE
The simple keyword stores the password in plain text in the configuration file; use cipher outside a lab, and replace the placeholder huawei with a strong password.
After the console user interface has been configured, users can log in to the device through the console port in password authentication mode. For information about how to log in to the system through the console port, see 3.2 Logging In to the System Through the Console Port.
Step 5 Verify the configuration.
After completing the configuration, run the display user-interface command to view the configuration of Console 0.
<HUAWEI> display user-interface 0
  Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 0    CON 0    9600           3                   N
  + : Current user-interface is active.
  F : Current user-interface is active and work in async mode.
  Idx : Absolute index of user-interface.
  Type : Type and relative index of user-interface.
  Privi : The privilege of user-interface.
  ActualPrivi : The actual privilege of user-interface.
  Auth : The authentication mode of user-interface.
    A : Authenticate use AAA.
    N : Current user-interface need not authentication.
    P : Authenticate use current UI's password.
  Int : The physical location of UIs.
----End
Configuration Files
#
 sysname HUAWEI
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 databits 6
 parity even
 stopbits 2
 speed 4800
 screen-length 30
#
admin
return
Networking Requirements
If you need to log in to a device for local or remote configuration and maintenance by using Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user interfaces, the limit on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode. Configure parameters based on the user and security requirements.
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the maximum number of VTY user interfaces.
2. Configure the limit on incoming and outgoing calls for VTY user interfaces.
3. Configure terminal attributes for VTY user interfaces.
4. Configure the user priority for VTY user interfaces.
5. Configure the authentication mode and password for VTY user interfaces.
Data Preparation
To complete the configuration, you need the following data:
- Maximum number of VTY user interfaces: 18
- Number of the ACL applied to limit incoming calls on the VTY user interfaces: 2000
- User priority: 15
The ACL number for limiting incoming and outgoing calls on VTY user interfaces, the password, and the user name do not have default values. Other parameters have default values, which are recommended.
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] commit
Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.
[~HUAWEI] acl 2000
[~HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[~HUAWEI-acl-basic-2000] quit
[~HUAWEI] user-interface vty 0 17
[~HUAWEI-ui-vty0-17] acl 2000 inbound
[~HUAWEI-ui-vty0-17] commit
NOTE
This ACL blocks only the single host 10.1.1.1; every other source address can still reach the VTY user interfaces. To restrict remote login to a management network, write permit rules for that network and finish the ACL with a rule that denies any other source.
Step 3 Configure terminal attributes for VTY user interfaces.
[~HUAWEI-ui-vty0-17] shell
[~HUAWEI-ui-vty0-17] idle-timeout 30
[~HUAWEI-ui-vty0-17] screen-length 30
[~HUAWEI-ui-vty0-17] history-command max-size 20
[~HUAWEI-ui-vty0-17] commit
Step 4 Configure the user priority for VTY user interfaces.
[~HUAWEI-ui-vty0-17] user privilege level 15
[~HUAWEI-ui-vty0-17] commit
Step 5 Configure the authentication mode and password for VTY user interfaces.
[~HUAWEI-ui-vty0-17] authentication-mode password
[~HUAWEI-ui-vty0-17] set authentication password simple huawei
[~HUAWEI-ui-vty0-17] commit
[~HUAWEI-ui-vty0-17] quit
NOTE
simple stores the password in plain text in the configuration file; use cipher outside a lab. A shared line password combined with user privilege level 15 gives every remote login full privileges without individual accountability; AAA authentication with per-user accounts is the safer choice for Telnet and SSH access.
After a VTY user interface is configured, a user can use Telnet or SSH to log in to the device in password authentication mode to maintain the device locally or remotely. For information about how to use Telnet or SSH to log in to a device, see 3.3 Logging In to the System by Using Telnet or 3.4 Logging In to the System by Using STelnet.
Step 6 Verify the configuration.
After completing the configuration, run the display user-interface command to view the configuration of the VTY user interfaces. Use VTY14 as an example:
[~HUAWEI] display user-interface vty 14
  Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth      Int
+ 34   VTY 14                  15     15           password  -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
  Int : The physical location of UIs.
----End
Configuration Files
#
 sysname HUAWEI
#
user-interface maximum-vty 18
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface vty 0 17
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 acl 2000 inbound
#
admin
return
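The console and VTY configuration files in the two examples above are exactly the kind of text an auditor reads when reviewing management-plane access on a router: which lines accept logins without authentication, which rely on a shared password stored with simple, and which VTY ranges have no inbound ACL. The following Python script is an added example for this chapter, not part of the original guide and not Huawei code. It splits a VRP-style configuration file on its # separator lines and reports findings per block. The configuration it audits is constructed for the example: it combines the console and VTY stanzas from this chapter with one hardened VTY block (AAA plus inbound ACL) and a hypothetical aaa block with two local users, so that some checks fire and some pass. The severities and the cipher text are the example's own choices.

```python
"""Audit a VRP-style configuration file for weak management-plane settings.

Added example for this guide, not Huawei code. The configuration below is
constructed: it combines the console and VTY stanzas of this chapter's examples
with one hardened VTY block and a local-user list, so that the checks have
something to flag and something to pass.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
#
 sysname HUAWEI
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
aaa
 local-user admin password simple huawei
 local-user ops password cipher %$%$constructed-ciphertext%$%$
#
user-interface con 0
 authentication-mode none
 user privilege level 15
#
user-interface vty 0 4
 user privilege level 15
 set authentication password simple huawei
 idle-timeout 30 0
#
user-interface vty 5 17
 authentication-mode aaa
 acl 2000 inbound
 idle-timeout 5 0
#
return
"""

# (block header, severity, message)
Finding = Tuple[str, str, str]


def split_blocks(config: str) -> List[List[str]]:
    """Split the file on its '#' separator lines; the first line of each block is its header."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_user_interface(block: List[str]) -> List[Finding]:
    """Checks for a 'user-interface con ...' or 'user-interface vty ...' block."""
    header, body = block[0], block[1:]
    findings: List[Finding] = []
    modes = [line.split()[1] for line in body if line.startswith("authentication-mode ")]
    mode = modes[-1] if modes else None
    line_password = any(line.startswith("set authentication password") for line in body)
    if mode == "none":
        findings.append((header, "critical", "authentication-mode none: anyone reaching the line is logged in"))
    elif mode == "password" or (mode is None and line_password):
        findings.append((header, "high", "shared line password: no per-user accounts; prefer authentication-mode aaa"))
    elif mode is None:
        findings.append((header, "medium", "authentication mode not set explicitly; the line relies on the platform default"))
    if any(line.startswith("set authentication password simple") for line in body):
        findings.append((header, "high", "line password stored in plain text (simple); use cipher"))
    if header.startswith("user-interface vty") and not any(re.match(r"acl \d+ inbound$", line) for line in body):
        findings.append((header, "medium", "no inbound ACL: Telnet/SSH accepted from any source address"))
    return findings


def audit_aaa(block: List[str]) -> List[Finding]:
    """Flag local users whose password is stored with 'simple' (plain text)."""
    findings: List[Finding] = []
    for line in block[1:]:
        match = re.match(r"local-user (\S+) password simple ", line)
        if match:
            findings.append((block[0], "high", f"local-user {match.group(1)}: password stored in plain text (simple); use cipher"))
    return findings


def audit_config(config: str) -> List[Finding]:
    """Run every block through the check that applies to its header."""
    findings: List[Finding] = []
    for block in split_blocks(config):
        header = block[0]
        if header.startswith("user-interface con") or header.startswith("user-interface vty"):
            findings.extend(audit_user_interface(block))
        elif header == "aaa":
            findings.extend(audit_aaa(block))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for header, severity, message in results:
        print(f"[{severity:8}] {header}: {message}")
    print(summarize(results))
```

On the constructed configuration the console block is reported as critical (no authentication), vty 0 4 collects three findings (shared password, plain-text password, no inbound ACL), the admin local user is flagged for its plain-text password, and the hardened vty 5 17 block produces nothing. The same parser can be pointed at the output of the device's own configuration display once the file has been copied off the router.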
Application
This chapter describes the following ways of logging in to the system:
- Logging In to the System Through the Console Port
- Logging In to the System by Using Telnet
- Logging In to the System by Using STelnet
Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login and virtual terminal services. The NE5000E provides the following Telnet services:
- Telnet server: a user runs the Telnet client program on a PC to log in to the router to configure and manage it. The router functions as a Telnet server.
- Telnet client: after using the terminal emulator or Telnet client program on a PC to connect to the router, a user runs the telnet command to log in to another device for configuration and management. The router functions as a Telnet client. In Figure 3-1, the CE functions as both a Telnet server and a Telnet client.
Figure 3-1 Telnet server and Telnet client (figure; labels: PC, PE, CE, Telnet server, Telnet client, Telnet session 1)
Figure 3-2 Interrupting Telnet connections with shortcut keys (figure; labels: P1, P2, P3, Telnet client, Telnet server)
Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure 3-2, P1 uses Telnet to log in to P2 and then to P3: P1 is the Telnet client of P2, and P2 is the Telnet client of P3. The shortcut keys are used as follows:
Ctrl_]: instructs the server to disconnect the Telnet connection. If Ctrl_] is pressed while the network works properly, the Telnet server interrupts the current Telnet connection. For example, press Ctrl_] on P3, and the P2 prompt is displayed:
<P3> (press Ctrl_])
The connection was
<P2> (press Ctrl_])
The connection was
<P1>
CAUTION
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all user
interfaces are in use and no more Telnet connections are allowed.
STelnet Overview
NOTE
Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices running SSH2
can function as SSH clients. STelnet is based on SSH2. When the client and the server set up a secure
connection after negotiation, the client can log in to the server in the same way as using Telnet.
Logins using Telnet add security risks because Telnet does not provide any secure authentication
mechanism and data is transmitted using TCP in plain text. Telnet connections are vulnerable
to Denial of Service (DoS) attacks, IP address spoofing, and route spoofing.
SSH provides secure remote access on an insecure network by supporting the following functions:
l RSA authentication: RSA (Rivest-Shamir-Adleman) is an asymmetric (public-key) algorithm. Each side generates a public/private key pair; the key pairs are used to authenticate the peer and to protect the key exchange that sets up the session.
l Data encryption algorithms: Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES). DES (56-bit key) is obsolete and 3DES is kept for compatibility only; prefer AES where the client supports it.
l User name and password encryption: The user name and password are sent only inside the encrypted session, so they cannot be intercepted in plain text during the communication between the client and the server.
A device serving as an SSH server can accept connection requests from multiple SSH clients.
The device can also serve as an SSH client, helping users establish SSH connections with an
SSH server. This allows users to use SSH to log in to remote devices from the local device.
l Local connection: As shown in Figure 3-3, an SSH channel is established over a local area network.
Figure 3-3 Establishing an SSH channel on a local area network (LAN): PC running SSH client -- Ethernet (100BASE-TX) -- server
l Remote connection: an SSH channel is established across a WAN (figure: PC -- Router -- WAN -- SSH Router -- remote LAN).
Applicable Environment
A device can be logged in to only through the console port when the device is powered on for
the first time.
Pre-configuration Tasks
Before logging in to the system through the console port, complete the following tasks:
Configuration Procedures
Figure 3-5 Logging in to the system through the console port (flowchart): configure the console user interface; log in to the system through the console port. Legend: mandatory procedure, optional procedure.
Context
If you need to log in to a device through the console port for local maintenance, configure the
console user interface, including the physical attributes, terminal attributes, user priority, and
user authentication mode. Configure parameters based on the use and security requirements.
For configurations of the console user interface, see Configuring the Console User
Interface.
Context
NOTE
l Communication parameters of the user terminal must be consistent with the physical attributes of the
console user interface on the device.
l After a user authentication mode is specified in the console user interface, a user can log in to the device
only after authentication succeeds. This enhances network security.
For information about logging in to the system through the console port, see Logging In to the Router Through the Console Port.
Prerequisite
Configurations of user login through the console port are complete.
Procedure
l Run the display users [ all ] command to check user login information about user interfaces.
l Run the display user-interface console 0 command to check physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check information about logged-in users.
----End
Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00  TEL    10.164.6.15       pass           no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified
Run the display user-interface console 0 command to view physical attributes and
configurations of the user interface.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username                       State    Type    Online
----------------------------------------------------------------------------
user123                        Active   All     0
ll                             Active   F       0
user1                          Active   F       0
----------------------------------------------------------------------------
Total 3, 3 printed
Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
------------------------------------------------
User-name          domain-name        userid
------------------------------------------------
root               default            1
abcd               default            2
------------------------------------------------
Total users             : 2
Wait authen-ack         : 0
Authentication success  : 2
Applicable Environment
If one or more devices need to be configured and managed, you do not need to connect each of
the devices to a terminal to maintain the devices locally. If you have obtained the IP address of
a device and logged in to the device before, you can use Telnet to log in to the device to remotely
configure the device. This allows you to maintain multiple devices on one terminal, greatly
facilitating device management.
Pre-configuration Tasks
Before using Telnet to log in to the system, complete the following task:
Configuration Procedures
Figure 3-6 Logging in to the system by using Telnet (flowchart): configure VTY user interfaces. Legend: mandatory procedure, optional procedure.
Context
The default user authentication mode for VTY user interfaces is password authentication. Before
using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user
interfaces. Otherwise, you cannot log in to the device.
NOTE
Authentication mode can be configured for VTY user interfaces by logging in to a device through the
console port.
For configurations about VTY user interfaces, see Configuring VTY User Interfaces.
Context
By default, a local user can use any access type. After the user access mode has been specified,
only users using the specified access mode can log in to the system.
Procedure
Step 1 Run:
system-view
Procedure
l IPv4:
1. Run:
system-view
2. Run:
telnet server enable
3. Run:
commit
l IPv6:
1. Run:
system-view
2. Run:
telnet ipv6 server enable
3. Run:
commit
l If the undo telnet [ ipv6 ] server enable command is run to disable the Telnet server function while users are logged in by using Telnet, the command does not take effect.
l After the Telnet server function is disabled, established Telnet connections are not interrupted, and no new Telnet connection is allowed. In this situation, users can log in to the system by using SSH or through the console port.
----End
Context
By default, the listening port number of the Telnet server is 23, so users can log in to the router without specifying a port. Attackers who probe the default port can consume bandwidth, degrade server performance, and prevent valid users from accessing the server. Changing the listening port number of the Telnet server keeps opportunistic attackers that only try port 23 away from the service. Note that this is obscurity rather than access control: a port scan still finds the new port, and the session is still plain text. Restrict the source addresses allowed to reach the VTY user interfaces with an inbound ACL (acl acl-number inbound under the VTY user interface, as in the configuration examples later in this chapter), and prefer STelnet over Telnet.
Procedure
Step 1 Run:
system-view
Context
If you need to log in to the system by using Telnet, use either the Windows Command Prompt or third-party software on the terminal. The Windows Command Prompt is used as an example.
Do as follows on the PC:
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the telnet ip-address command to use Telnet to log in to the device.
Press Enter, and the command prompt of the user view is displayed, such as <HUAWEI>. This indicates that you have accessed the Telnet server.
Figure 3-8 Schematic diagram 2 for login by using Telnet
----End
Prerequisite
The configurations of logging in to the system by using Telnet are complete.
Procedure
l Run the display users [ all ] command to check information about user interfaces.
l Run the display tcp status command to check established TCP connections.
l Run the display telnet server status command to check the configuration and status of the Telnet server.
----End
Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
  34  VTY 0    00:00:12  TEL    1.1.1.1                          no
  Username : Unspecified
+ 35  VTY 1    00:00:00  TEL    1.1.1.2                          no
  Username : Unspecified
Run the display tcp status command to view TCP connections. Established in the command output indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB      Tid/Soid   Local Add:port     Foreign Add:port   VPNID   State
39952df8   36 /1509   0.0.0.0:0          0.0.0.0:0          0       Closed
32af9074   59 /1      0.0.0.0:21         0.0.0.0:0          0       LISTEN
34042c80   73 /17     10.1.1.1:23        10.2.2.2:1147      14849   Established
The 0.0.0.0:21 LISTEN entry shows the FTP server listening on every address, and the 10.1.1.1:23 entry is the Telnet session from 10.2.2.2. This output is also a quick way to confirm that plain-text services you intended to disable are no longer listening.
Run the display telnet server status command to view the configuration and status of the Telnet server.
<HUAWEI> display telnet server status
Session 1:
  Source ip address          : 10.137.217.221
  VTY Index                  : 14
Current number of sessions   : 1
Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, log in to other devices by using Telnet from the device that you have logged in to. Login by using Telnet brings security risk because Telnet does not provide any secure authentication mechanism and data is transmitted by using TCP in plain text.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication and protects devices against attacks such as IP address spoofing and plain text password interception.
Pre-configuration Tasks
Before logging in to the system by using STelnet, complete the following task:
Configuration Procedures
Figure 3-9 Logging in to the system by using STelnet (flowchart): configure VTY user interfaces. Legend: mandatory procedure, optional procedure.
Context
The default user authentication mode for VTY user interfaces is password authentication. Before
using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user
interfaces. Otherwise, you cannot log in to the device.
NOTE
Authentication mode can be configured for VTY user interfaces by logging in to a device through the
console port.
For configurations about VTY user interfaces, see Configuring VTY User Interfaces.
Context
By default, user interfaces support Telnet. If no user interface is enabled with SSH, users cannot
log in to the device by using STelnet.
Do as follows on the device that functions as an SSH server:
Procedure
Step 1 Run:
system-view
Before configuring a user interface to support SSH, set the authentication mode of the user interface to AAA. Otherwise, the protocol inbound ssh command does not take effect.
Step 5 Run:
commit
Context
l SSH users can be authenticated in four modes: RSA, password, password-RSA, and All. Password authentication depends on AAA. Before a user logs in to the device in password or password-RSA authentication mode, a local user with the same user name must be created in the AAA view.
l Generating a local RSA key pair is a required step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.
NOTE
Password-RSA authentication requires success of both password authentication and RSA authentication. The All authentication mode requires success of either password authentication or RSA authentication, so All is only as strong as the weaker of the two methods configured for that user.
Procedure
Step 1 Run:
system-view
Step 2 Configure a local user for the SSH user in the AAA view.
3. Run the local-user user-name service-type ssh command to set the local user access type to SSH.
4. Run the quit command to exit from the AAA view and enter the system view.
By default, a local user can use any access type. You can specify an access type to allow only users configured with the specified access type to log in to the device.
Step 3 Run:
rsa local-key-pair create
l The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-related configuration.
l After the key pair is generated, run the display rsa local-key-pair public command to view information about the public key in the local key pair.
Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
To configure RSA authentication for the user:
1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
2. Run the rsa peer-public-key key-name command to enter the public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Paste the public key generated on the SSH client.
l In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. The string is the encoded RSA public key produced by the key-generation tool on the SSH client. For detailed operations, see the manuals for the SSH client software.
l After entering the public key edit view, paste the RSA public key generated on the client to the server.
5. Run the public-key-code end command to exit from the public key edit view.
l Running the peer-public-key end command generates a key only after valid hexadecimal data complying with the public key format is entered.
l If the peer-public-key end command is used after the key key-name specified in step 2 is deleted in another window, the system prompts a message, indicating that the key does not exist, and the system view is displayed.
6. Run the peer-public-key end command to exit from the public key view.
7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a public key.
Step 5 (Optional) Configure basic authentication information for the SSH user.
1. Run the ssh server rekey-interval hours command to set an interval at which the key of the server is updated.
By default, the interval is 0, indicating that the key is never updated.
2. Run the ssh server timeout seconds command to set the timeout period for SSH authentication.
By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the retry times of SSH authentication.
By default, SSH authentication retries a maximum of 3 times.
Step 6 Run:
ssh user username service-type { stelnet | sftp | all }
Procedure
Step 1 Run:
system-view
Context
l The SSH protocol has the following versions: SSH1.X and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP. The NE5000E supports SSH whose version number ranges from 1.3 to 2.0. SSH1.X has known protocol weaknesses (it protects integrity with a CRC-32 check rather than a keyed MAC), so leave SSH1.X compatibility disabled unless a legacy client requires it.
l The default listening port number of an SSH server is 22. When the default listening port number is used, users can directly log in to a device without specifying the listening port number. Attackers may probe the default listening port, consuming bandwidth, affecting performance of the server, and preventing valid users from accessing the server. Changing the listening port number keeps attackers that only try port 22 away from the service, but a port scan still finds the new port; treat the change as noise reduction and rely on the VTY inbound ACL and strong authentication for real protection.
l An interval at which the key pair of an SSH server is updated can be set. When the timer expires, the key pair is automatically updated to improve security.
Procedure
Step 1 Run:
system-view
The listening port number of the SSH server is set.
By default, the listening port number is 22.
If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections, and then uses the new port number to listen for connection requests.
Step 4 Run:
ssh server rekey-interval hours
The interval at which the key pair of the SSH server is updated is set.
By default, the interval is zero, indicating that the key pair will never be updated.
Step 5 Run:
commit
Context
Third-party software can be used to implement an STelnet login. Use the third-party software
OpenSSH and Windows Command Prompt as an example.
After installing OpenSSH on a PC, do as follows on the PC:
NOTE
For details about how to install OpenSSH, see the software installation guide.
For details about how to use OpenSSH commands to log in to the device, see the software help document.
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run OpenSSH commands to log in to the device by using STelnet, as shown in Figure 3-10.
Figure 3-10 Schematic diagram for login by using STelnet
----End
Prerequisite
The configuration of logging in to the system by using STelnet is complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check information about SSH users.
l Run the display ssh server status command on the SSH server to check its configuration.
l Run the display ssh server session command on the SSH server to check information about sessions between the SSH server and SSH clients.
l Run the display ssh server statistics command on the SSH server to view the total number of connections accepted, denied, and closed, and the number of online connections.
----End
Example
Run the display ssh user-information username command to view information about a specified SSH user.
<HUAWEI> display ssh user-information client001
--------------------------------------------------
User Name             : client001
Authentication-Type   : password
User-public-key-name  :
Sftp-directory        :
Service-type          : stelnet
--------------------------------------------------
Total 1, 1 printed
If no SSH user is specified, information about all SSH users logging in to the SSH server is displayed.
Run the display ssh server status command to view the configuration of the SSH server.
<HUAWEI> display ssh server status
------------------------------------------------
SSH Version                        : 1.99
SSH authentication timeout         : 60 Seconds
SSH authentication retries         : 3 Times
SSH server key generating interval : 0 Hours
SSH version 1.x compatibility      : ENABLED
SSH server keep alive              : DISABLED
SFTP server                        : DISABLED
STELNET server                     : DISABLED
SNETCONF server                    : DISABLED
SSH server port                    : 22
------------------------------------------------
SSH Version 1.99 is the version string a server advertises when it accepts both SSH 2.0 and SSH 1.x clients; it corresponds to the ENABLED value of SSH version 1.x compatibility above.
Run the display ssh server session command to view information about sessions between the SSH server and SSH clients.
<HUAWEI> display ssh server session
Session             : 1
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : password
The CTOS (client-to-server) and STOC (server-to-client) fields show the cipher and HMAC actually negotiated for each direction; use them to confirm which algorithms a given client ends up with rather than which ones the server offers.
Run the display ssh server statistics command to view the current statistics of the SSH server.
<HUAWEI> display ssh server statistics
----------------------------------------
Total connection accepted          : 1
Total connection denied by ACL     : 2
Total connection denied by CLI     : 0
Total connection denied by AAA     : 3
Total connection denied by Netconf : 1
Total connection closed by CLI     : 1
Total connection closed by Netconf : 4
Total connection closed by sock    : 3
Total online connection            : 5
----------------------------------------
Rising denied-by-ACL and denied-by-AAA counters are the first sign of probing or password guessing against the SSH server; record these values after commissioning so that later increases stand out.
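The three outputs above are also what an auditor reads to decide whether the remote-login surface is acceptable. The following script is an added example, not part of the Huawei guide and not using any Huawei API; it parses constructed copies of that output (field layout modelled on the printed examples; the sample contents, thresholds and function names are assumptions) and flags plain-text services in display tcp status, SSH 1.x compatibility and a zero rekey interval in display ssh server status, and CBC ciphers, MD5 HMACs and SHA-1 key exchange in display ssh server session:

```python
"""Flag risky settings in NE5000E verification output.

Added example; it is not part of the Huawei guide.  It parses constructed
copies of the 'display tcp status', 'display ssh server status' and
'display ssh server session' output shown above and returns findings.
"""
import re

# Constructed sample: one plain-text service listening, one in session.
TCP_STATUS = """\
TCPCB      Tid/Soid   Local Add:port     Foreign Add:port   VPNID   State
39952df8   36 /1509   0.0.0.0:0          0.0.0.0:0          0       Closed
32af9074   59 /1      0.0.0.0:21         0.0.0.0:0          0       LISTEN
34042c80   73 /17     10.1.1.1:23        10.2.2.2:1147      14849   Established
"""

# Constructed sample, trimmed to the fields the checks look at.
SSH_STATUS = """\
SSH Version                        : 1.99
SSH server key generating interval : 0 Hours
SSH version 1.x compatibility      : ENABLED
STELNET server                     : ENABLED
SSH server port                    : 22
"""

# Constructed sample session with the same algorithms as the printed one.
SSH_SESSION = """\
Session             : 1
Version             : 2.0
Username            : client001
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Authentication Type : password
"""

PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet"}
TCP_ROW = re.compile(r"^\S+\s+\d+\s*/\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+\d+\s+(\S+)")
WEAK_CIPHER = re.compile(r"-cbc$|^3?des|arcfour|^none$")
WEAK_MAC = re.compile(r"md5|^none$")


def parse_kv(text):
    """Turn 'Key : value' lines into a dict, padding stripped."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def audit_tcp(text):
    """Report plain-text management services that are listening or in use."""
    findings = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue  # header line or a row in another layout
        lip, lport, fip, fport, state = m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5)
        if lport in PLAINTEXT_PORTS and state.upper() in ("LISTEN", "ESTABLISHED"):
            findings.append(f"{PLAINTEXT_PORTS[lport]} {state} on {lip}:{lport} (peer {fip}:{fport})")
    return findings


def audit_ssh_status(text):
    """Report server-wide SSH settings that weaken the STelnet/SFTP service."""
    kv = parse_kv(text)
    findings = []
    if kv.get("SSH version 1.x compatibility", "").upper() == "ENABLED":
        findings.append("SSH 1.x compatibility is enabled; SSH1 has no keyed MAC")
    if kv.get("SSH server key generating interval", "").startswith("0 "):
        findings.append("server key is never regenerated (rekey-interval 0)")
    return findings


def audit_ssh_session(text):
    """Report weak algorithms negotiated on a live SSH session."""
    kv = parse_kv(text)
    findings = []
    if kv.get("Version") != "2.0":
        findings.append(f"session negotiated SSH {kv.get('Version')}")
    for key in ("CTOS Cipher", "STOC Cipher"):
        if WEAK_CIPHER.search(kv.get(key, "")):
            findings.append(f"{key} {kv[key]}: CBC/legacy cipher")
    for key in ("CTOS Hmac", "STOC Hmac"):
        if WEAK_MAC.search(kv.get(key, "")):
            findings.append(f"{key} {kv[key]}: MD5-based MAC")
    if kv.get("Kex", "").endswith("sha1"):
        findings.append(f"Kex {kv['Kex']}: SHA-1 key exchange")
    return findings


if __name__ == "__main__":
    for name, result in (("tcp", audit_tcp(TCP_STATUS)),
                         ("ssh status", audit_ssh_status(SSH_STATUS)),
                         ("ssh session", audit_ssh_session(SSH_SESSION))):
        print(name, result)
```

For the samples, the TCP check reports the FTP listener on 0.0.0.0:21 and the established Telnet session; on a real device, paste in the text captured from the terminal session instead of the constructed strings.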
Networking Requirements
If the default parameter values for the console user interface on the router are changed, the parameters must be set accordingly on the user terminal before the next login through the console port.
Figure 3-11 Networking diagram for login through the console port: PC -- console cable -- Router
Configuration Roadmap
1. Connect the serial interface of the PC to the console port of the router.
2. Set the communication parameters of the terminal emulator on the PC to match the console user interface.
3. Power on the router and log in through the console port.
Data Preparation
Communication parameters of the PC (transmission rate: 4800 bps, data bits: 6, parity bit: even,
stop bits: 2, flow control mode: none).
Procedure
Step 1 Establish the configuration environment. Connect the serial interface on the user terminal to the
console port on the router through a standard RS-232 cable.
Step 2 Run the terminal emulator on the PC.
Set communication parameters for the PC, as shown in Figure 3-12 to Figure 3-14. Set the
transmission rate to 4800 bit/s, data bit to 6, parity bit to even, stop bit to 2, and flow control
mode to none.
Step 3 Power on the router and wait for the completion of the self-check. After the router starts properly
and finishes the self-check, the system prompts you to press Enter, and the command prompt
<HUAWEI> is displayed.
Use commands to view the operating status of the router or configure the router.
----End
Networking Requirements
A user can use a user terminal to log in to the router on another network segment to remotely maintain the router.
Figure 3-15 Networking diagram for logging in to the system by using Telnet: PC -- Network -- P1 (GE0/0/0, 10.137.217.221/16)
Precautions
If a user has passed AAA authentication and logged in to the router by using Telnet, the user is
prohibited from logging in to other routers on the network.
Configuration Roadmap
1. Assign an IP address to the interface on P1 that the PC reaches.
2. Configure an ACL that denies Telnet connections from P1 to other routers.
3. Configure VTY user interfaces, including the limit on incoming and outgoing calls.
4. Configure the Telnet user with AAA authentication.
Data Preparation
To complete the configuration, you need the following data:
l Number of the ACL that is used to prohibit users from logging in to another router: 3001
l Telnet user information (authentication mode: AAA, user name: huawei, password: hello)
Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Assign an IP address to GE0/0/0 on P1.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] interface gigabitethernet 0/0/0
[~P1-GigabitEthernet0/0/0] undo shutdown
[~P1-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~P1-GigabitEthernet0/0/0] commit
[~P1-GigabitEthernet0/0/0] quit
shell
idle-timeout 20
screen-length 30
history-command max-size 20
Press Enter, and input the user name and password in the login window. After user
authentication succeeds, a command prompt of the user view is displayed, as shown in Figure
3-17. This indicates that you have entered the user view.
Figure 3-17 Window displayed after login to the router
----End
Configuration file of P1
sysname P1
#
user-interface maximum-vty 10
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
aaa
local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user huawei level 3
local-user huawei service-type telnet
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
user-interface vty 0 9
authentication-mode aaa
user privilege level 15
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
history-command max-size 20
idle-timeout 20 0
screen-length 30
acl 2000 inbound
acl 3001 outbound
#
admin
return
Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Login by using Telnet brings security
risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks such as IP address spoofing and plain text
password interception.
As shown in Figure 3-18, after the STelnet server function is enabled on the router functioning as an SSH server, STelnet clients can log in to the SSH server in password, RSA, password-RSA, or All authentication mode.
Figure 3-18 Networking diagram for logging in to the system by using STelnet: PC -- Network -- SSH Server (GE0/0/0, 10.137.217.225/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a login address on the SSH server.
2. Configure a local key pair on the SSH server, allowing secure data transmission between the STelnet client and the SSH server.
3. Configure the VTY user interfaces to use AAA authentication and to accept only SSH.
4. Configure an SSH user, including the authentication mode, user name, and password.
5. Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
l SSH user authentication mode: password; user name: client001; password: huawei
Procedure
Step 1 Configure a login address.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet 0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit
NOTE
If SSH is configured as the login protocol, the NE5000E automatically disables the Telnet function.
Step 4 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit
Step 5 Enable the STelnet server function, and configure STelnet as the service type.
[~SSH Server] stelnet server enable
[~SSH Server] ssh authentication-type default password
[~SSH Server] commit
----End
Configuration Files
l Configuration file of the SSH server
#
rsa local-key-pair create 512
rsa local-key-pair host-key begin
AC010000ABABABAB00486F73740000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000DB07020B
0D0008370200849A356ACBBAC7DBCAB38BA7E9B9B44BDA92208B805287743DD3786B98E2388985
8D07DC8E2B8B371D8C0FC889D7ACD4AA43456973B3EB990E4C93965180EAD43A5F0D8DBAEF607B
2642C968EC4E3DF61D5FE326DDAECC9AAE4FF7D1C9A4810045EBB574B618BFFC038555F3F9D989
6B2B58ED0B92C551C7223B20646DBF6F5369B2BDF0D4B61208D8B52156A095D11EFCD901C85D4A
21332249A63107F7AD3D13885CCC79D5480B4114E0EE984BEE8E9DA4F11945201D0F9DED9A36CC
CFC40FDB07D6F746F0060F95B4C802ACE64E72EBF656AC34335526E4182ABA809C0402A110D932
FA65167199A4F504AF0503DEC1F10A5807A2C9643C09FD1B127199D3AC6E609F9EA78EF6341CDD
C9B45D84AC83C1C383558841346B893D2F6322E1562DE58F947D6F769E525A05376B70F8C39599
F4228A468916C617B61AF1864D4E574C17FC23EA6818A0F68E00D124AD2488E89C2379777BD4
rsa local-key-pair host-key end
#
stelnet server enable
ssh authentication-type default password
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.225 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
aaa
local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user client001 level 3
local-user client001 service-type ssh
#
admin
return
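A reviewer would check the configuration file above for the things the guide itself implies: no Telnet server, AAA and protocol inbound ssh on every VTY user interface, an inbound ACL on those interfaces (as in the Telnet example), a service-type on each local user, and an RSA host key long enough to matter (the file above creates a 512-bit key, which is far below what is considered safe today). The following script is an added example, not part of the Huawei guide; it parses a constructed configuration modelled on the file above (the 2048-bit minimum is an assumption, as is the acl 2000 inbound line that harden() inserts, whose rules must be defined separately):

```python
"""Audit a NE5000E configuration file for remote-login weaknesses.

Added example; it is not part of the Huawei guide.  The configuration below
is constructed from the STelnet example above (same commands, same 512-bit
key length) so that the checks have something to find.
"""
import re

# Constructed sample modelled on the STelnet configuration file above.
SAMPLE_CONFIG = """\
#
rsa local-key-pair create 512
#
stelnet server enable
ssh authentication-type default password
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
aaa
local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user client001 level 3
local-user client001 service-type ssh
#
"""

MIN_RSA_BITS = 2048  # assumption: modern minimum; 512-bit RSA is factorable


def blocks(config):
    """Split the config on '#' separator lines into lists of stripped lines."""
    block, out = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if block:
                out.append(block)
            block = []
        elif line.strip():
            block.append(line.strip())
    if block:
        out.append(block)
    return out


def audit_config(config):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    flat = [l.strip() for l in config.splitlines()]
    if "telnet server enable" in flat:
        findings.append("Telnet server enabled: plain-text logins possible")
    if "ftp server enable" in flat:
        findings.append("FTP server left enabled: disable it after transfers")
    for l in flat:
        m = re.match(r"rsa local-key-pair create(?:\s+(\d+))?$", l)
        if m and m.group(1) and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"RSA host key is only {m.group(1)} bits (< {MIN_RSA_BITS})")
    for block in blocks(config):
        head = block[0]
        if head.startswith("user-interface vty"):
            if "authentication-mode aaa" not in block:
                findings.append(f"{head}: authentication-mode is not aaa")
            if "protocol inbound ssh" not in block:
                findings.append(f"{head}: accepts Telnet (no 'protocol inbound ssh')")
            if not any(re.match(r"acl \S+ inbound$", l) for l in block):
                findings.append(f"{head}: no inbound ACL restricting management sources")
        if head == "aaa":
            joined = " ".join(block)
            for l in block:
                m = re.match(r"local-user (\S+) password", l)
                if m and f"local-user {m.group(1)} service-type" not in joined:
                    findings.append(f"local-user {m.group(1)}: no service-type, any access type allowed")
    return findings


def harden(config):
    """Corrected configuration: 2048-bit key and an inbound ACL on the VTYs."""
    config = config.replace("rsa local-key-pair create 512", "rsa local-key-pair create 2048")
    return config.replace("protocol inbound ssh\n", "protocol inbound ssh\nacl 2000 inbound\n")


if __name__ == "__main__":
    print("before:", audit_config(SAMPLE_CONFIG))
    print("after: ", audit_config(harden(SAMPLE_CONFIG)))
```

On the sample the audit reports the 512-bit key and the missing inbound ACL on user-interface vty 0 4; after harden() both findings disappear. The script looks only at what is in the file, so it cannot tell whether acl 2000 actually permits the right management hosts.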
4 Transferring Files
FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer files between local clients and remote servers. FTP uses two TCP connections to copy a file from one system to another. The TCP connections are usually established in client-server mode, one for control (the server port number is 21) and the other for data transmission (the server port number is 20).
l Control connection: carries commands from the client to the server and replies from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the throughput.
FTP supports two transfer modes:
l Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
l ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
The device can act as either side of an FTP session:
l FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to the device, and run the ftp command to establish a connection between the device and a remote FTP server to access and operate files on the server.
l FTP server: Users can use the FTP client program to log in to the device and operate files on the device. Before users log in, the network administrator must configure an IP address for the FTP server.
Like Telnet, FTP carries the user name, password, and file contents in plain text on both connections; use it only on trusted management networks and prefer SFTP where the client supports it.
TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses
the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,
TFTP is simple, providing no authentication. It is applicable to scenarios where complicated
interactions between clients and the server are not required.
TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.
NOTE
l Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
l Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.
l When a TFTP client needs to download files from the server, the client sends a read request to the TFTP server. The server sends data packets to the client, and the client acknowledges the data packets.
l When a TFTP client needs to upload a file to the server, the client sends a write request and then data to the server, and receives acknowledgments from the server.
SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely log in to the device to manage and transfer files. On the other hand, users can use the device functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server or the connection between the server and the client fails, the client needs to detect the fault in time and release the connection proactively. To help the client detect such a fault in time, configure an interval at which Keepalive packets are sent if no packet is received, and the maximum number of times that the server may fail to respond:
l If the client does not receive any packet within the specified period, the client sends a Keepalive packet to the server.
l If the number of times that the server does not respond exceeds the specified maximum, the client proactively releases the connection.
The file to be uploaded must be less than 2 GB. If a file larger than 2 GB is uploaded, the device cannot display information about it.
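The keepalive behaviour just described, as an added example written for this page (not code from the Huawei guide and not its implementation): a small client-side state machine with the two parameters the text names, replayed over a constructed timeline in which the server answers once and then goes silent. The class and parameter names, the 10-second interval and the three-miss limit are assumptions.

```python
"""Client-side SFTP keepalive logic as a small state machine.

Added example; not code from the Huawei guide.  It models the silence
interval after which a Keepalive is sent and the maximum number of
unanswered Keepalives, and returns the decision the client takes on each
timer tick.
"""


class SftpKeepalive:
    """Tracks silence on an SSH/SFTP connection from the client's side."""

    def __init__(self, interval, max_misses):
        self.interval = interval        # seconds of silence before a Keepalive
        self.max_misses = max_misses    # unanswered Keepalives tolerated
        self.last_rx = 0.0              # time of the last packet from the server
        self.last_tx = 0.0              # time of the last Keepalive we sent
        self.misses = 0                 # Keepalives sent since the last reply

    def on_receive(self, now):
        """Any packet from the server proves it is alive: reset the counter."""
        self.last_rx = now
        self.misses = 0

    def tick(self, now):
        """Return the action for this tick: 'ok', 'wait', 'keepalive' or 'close'."""
        if now - self.last_rx < self.interval:
            return "ok"                 # server spoke recently, nothing to do
        if self.misses and now - self.last_tx < self.interval:
            return "wait"               # a Keepalive is outstanding, give it time
        if self.misses >= self.max_misses:
            return "close"              # limit reached: release the connection
        self.misses += 1
        self.last_tx = now
        return "keepalive"              # silence exceeded: probe the server


def simulate(interval, max_misses, events):
    """Replay (time, kind) events, kind 'rx' or 'tick'; return the tick decisions."""
    ka = SftpKeepalive(interval, max_misses)
    decisions = []
    for t, kind in events:
        if kind == "rx":
            ka.on_receive(t)
        else:
            decisions.append((t, ka.tick(t)))
    return decisions


# Constructed timeline: the server answers at t=12, then goes silent for good.
SERVER_DIES = [(0, "rx"), (5, "tick"), (10, "tick"), (12, "rx"), (15, "tick"),
               (22, "tick"), (27, "tick"), (32, "tick"), (42, "tick"), (52, "tick")]

if __name__ == "__main__":
    for t, action in simulate(10, 3, SERVER_DIES):
        print(f"t={t:>3}s {action}")
```

With a 10-second interval and three allowed misses, the client probes at t=22, 32 and 42 and releases the connection at t=52; the reply at t=12 shows that any packet from the server, not only a Keepalive response, resets the miss counter.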
Comparison of file transfer modes (columns: File Transfer Mode, Advantage, Disadvantage, Usage Scenario)
File Transfer Mode: FTP
l Advantage: Is based on TCP connections, having all TCP characteristics. Supports authentication and authorization. Supports file transfer between different file system hosts.
File Transfer Mode: TFTP
l Advantage: Is based on UDP connections.
l Usage Scenario: TFTP is applicable to networks where complicated interactions between clients and the server are not required. For details, see 5.4 Using TFTP to Access Other Devices.
File Transfer Mode: SFTP
l Disadvantage: Data transmission efficiency is low. Terminals must be installed with third-party software to support SFTP.
l Usage Scenario: SFTP is applicable to networks that have high security requirements.
Applicable Environment
When a device fails to save or obtain data, you can log in to the system to repair the faulty storage
device or manage files or directories on the device.
This file operation mode is used when storage devices need to be managed.
Pre-configuration Tasks
After logging in to the system, complete the following tasks before operating the files:
Configuration Procedures
Figure 4-1 Operating files after logging in to the system (flowchart): manage directories; manage files. Legend: mandatory procedure, optional procedure.
Context
You can change and display directories, display files in directories and sub-directory lists, and
create and delete directories.
Perform one or multiple of the following operations as required:
Procedure
l Run:
cd directory
The current working directory is changed.
l Run:
pwd
The current working directory is displayed.
l Run:
dir [ /all ] [ filename ]
Files and sub-directories in the directory are listed.
l Run:
mkdir directory
A directory is created.
l Run:
rmdir directory
A directory is deleted.
----End
Operation
l Displaying a file
l Copying a file
l Moving a file
l Deleting a file
l Removing a file from the recycle bin
l Renaming a file
Applicable Environment
As devices operate stably and are deployed in large scopes, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, as a new upgrade method by
loading software packages remotely, facilitates remote online upgrade, reduces upgrade
expenditure, shortens the time that customers wait for upgrade, and improves customers'
satisfaction. In real world situations, the delay, packet loss, and jitter affect data transmission
on networks. To guarantee the quality of online upgrade and data transmission, use FTP to
perform online upgrade and transfer files based on TCP connections.
Pre-configuration Tasks
Before operating files by using FTP, complete the following task:
l
Configuration Procedures
Figure 4-2 File operation by using FTP (flowchart; step: configure local FTP users; legend: mandatory procedure, optional procedure)
Context
To operate files by using FTP, configure local user name and password on a device serving as
an FTP server, and specify the service type and the directory that the user can access. Otherwise,
the user cannot access the FTP server.
Perform the following steps on the device that functions as an FTP server:
Procedure
Step 1 Run:
system-view
CAUTION
If the directory is not configured, the user is automatically redirected to cfcard:/.
Step 6 Run:
commit
Context
By default, the listening port number of the FTP server is 21. Users can directly log in to a device
functioning as an FTP server by using the default listening port number. Attackers may access
the default listening port, consuming bandwidth, degrading the performance of the server, and
preventing valid users from accessing the server. After the listening port number of the FTP server
is changed, attackers do not know the new listening port number. This effectively prevents
attackers from accessing the listening port.
NOTE
If the FTP server is already enabled when the port number is changed, the FTP server restarts.
Procedure
Step 1 Run:
system-view
Context
By default, the FTP server function is disabled. Therefore, you must enable the FTP server
function before using FTP.
Do as follows on the device that functions as an FTP server:
Procedure
Step 1 Run:
system-view
After files are successfully transferred between the client and the server, run the undo ftp [ ipv6 ] server
command promptly to disable the FTP server function, for security.
Step 3 Run:
commit
Context
The FTP server parameters include the source address of the FTP server and the timeout period
of an idle FTP connection.
- Specifying the source address of the FTP server restricts the destination address accessed
  by clients, ensuring security.
- After the timeout period of an idle FTP connection is configured, if a client and the server
  do not exchange messages within the specified timeout period, the server terminates the
  connection and releases the FTP connection resource.
Perform the following steps on the device that functions as an FTP server:
Procedure
Step 1 Run:
system-view
- Run the ftp timeout minutes command to set the timeout period of an idle FTP connection.
By default, the timeout period of an idle FTP connection is 30 minutes.
Step 3 Run:
commit
Context
When a device functions as an FTP server, you can configure an ACL to allow only the clients
that meet the rules specified in the ACL to access the FTP server.
Do as follows on the device that functions as an FTP server:
Procedure
Step 1 Run:
system-view
A rule is configured.
NOTE
FTP supports only basic ACLs whose numbers range from 2000 to 2999.
Step 4 Run:
ftp acl { acl-number | acl-name acl-name }
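The following added example is not part of this guide or of the NE5000E software; it models how a basic ACL of the kind bound with ftp acl decides which client addresses may reach the FTP server. It assumes the rule syntax `rule <id> { permit | deny } source { <address> <wildcard> | any }`, that rules are tried in ascending id order, that wildcard bits set to 1 mean "don't care", and that a client matching no rule is denied (the guide states that only clients matching the ACL may access the server). The sample ACL and client addresses are constructed.

```python
"""Evaluate a basic ACL (numbers 2000-2999, source-address matching) against
FTP client addresses.  Added illustration, not NE5000E code; see the
assumptions in the lead-in (rule syntax, ascending-id order, wildcard
semantics, deny when nothing matches)."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+source\s+(?:(any)|(\S+)\s+(\S+))\s*$")

# Constructed sample ACL; the addresses reuse the guide's 10.137.217.0 example network.
SAMPLE_ACL = """
acl 2000
rule 5 permit source 10.137.217.0 0.0.0.255
rule 10 deny source 10.137.0.0 0.0.255.255
rule 15 permit source 10.18.26.139 0.0.0.0
"""


def parse_basic_acl(text):
    """Parse rule lines into (id, action, network, care_mask) tuples, sorted by id."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "acl ")):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        rule_id, action, any_src, src, wildcard = m.groups()
        if any_src:
            network, care = 0, 0          # no bits are compared: matches every address
        else:
            wild = int(ipaddress.IPv4Address(wildcard))
            care = ~wild & 0xFFFFFFFF     # wildcard 1 bits are ignored, 0 bits must match
            network = int(ipaddress.IPv4Address(src)) & care
        rules.append((int(rule_id), action, network, care))
    rules.sort(key=lambda r: r[0])
    return rules


def acl_permits(rules, client_ip, default_permit=False):
    """First matching rule decides; default applies when no rule matches (assumed deny)."""
    addr = int(ipaddress.IPv4Address(client_ip))
    for _, action, network, care in rules:
        if addr & care == network:
            return action == "permit"
    return default_permit


def classify_clients(acl_text, client_ips):
    """Map each client address to True (admitted) or False (refused)."""
    rules = parse_basic_acl(acl_text)
    return {ip: acl_permits(rules, ip) for ip in client_ips}


if __name__ == "__main__":
    clients = ["10.137.217.50", "10.137.1.1", "10.18.26.139", "192.0.2.7"]
    for ip, ok in classify_clients(SAMPLE_ACL, clients).items():
        print(f"{ip:16} {'permit' if ok else 'deny'}")
```

Note the ordering effect: 10.137.1.1 is refused by rule 10 even though the more specific permit for 10.137.217.0 precedes it, because rule 5 does not match that address. Verify a new ACL this way before binding it, since a mis-ordered deny locks out the administrator's own subnet.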
Context
To log in to the FTP server from the PC, use either the Windows Command Prompt or third-party software. The Windows Command Prompt is used as an example.
Do as follows on the PC:
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the ftp ip-address command to log in to the server by using FTP.
Enter the user name and password at the prompt, and press Enter. When the command prompt
of the FTP client view is displayed, such as ftp>, you have entered the working path of the FTP
server, as shown in Figure 4-3.
Figure 4-3 Schematic diagram for the working path of the FTP server
----End
Context
Table 4-3 lists FTP file attributes.
Table 4-3 File attributes
- ASCII type: A file is transmitted in ASCII characters. In this type, the Enter key cannot be used to separate lines.
- Binary type
- Data connection mode: The following data connection modes can be set for the FTP server:
  - ACTIVE mode: The server proactively connects clients during connection establishment.
  - PASV mode: The server waits to be connected by clients during connection establishment.
  During connection establishment, the FTP client determines the mode to be either ACTIVE or PASV.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
  [ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
  establish a connection to the FTP server and enter the FTP client view.
- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ portnumber ]
  command to use an IPv6 address to establish a connection to the FTP server and enter the
  FTP client view.
Step 2 Perform one or more operations shown in Table 4-4 as needed.
Table 4-4 File operations
Managing files
- Configuring the file type
- Configuring the data connection mode
- Uploading files
- Downloading files:
  - Run the get remote-filename [ local-filename ] command to download a file from a remote server and save the file on the local device.
  - Run the mget remote-filenames command to download files from a remote server and save the files on the local device.
Managing directories
- Changing the working path of a remote FTP server
- Changing the working path of an FTP server to the parent directory
- Displaying the working path of an FTP server
- Displaying files in a directory and the list of subdirectories
- Displaying a specified remote directory or file on an FTP server
- Displaying or changing the working path of an FTP client: The lcd command displays the local working path of the FTP client, while the pwd command displays the working path of the remote FTP server.
- Creating a directory on an FTP server
- Deleting a directory from an FTP server
Step 3 Perform either of the following operations as needed to terminate an FTP connection.
- Run the bye/quit command to terminate the connection to the FTP server and return to the
  user view.
- Run the close/disconnect command to terminate both the connection to the FTP server and
  the FTP session but remain in the FTP client view.
Step 4 Run:
commit
Prerequisite
The configurations of file operation by using FTP are complete.
Procedure
- Run the display ftp-server command to check the configuration and status of the FTP
  server.
- Run the display ftp-users command to check information about logged-in FTP users.
----End
Example
Run the display ftp-server command to view the configuration and status of the FTP server.
<HUAWEI> display ftp-server
-------------------------------------------------------------------------
Server State           : enabled
IPv6 server State      : enabled
Timeout value (mins)   : 30
Listen port            : 21
Run the display ftp-users command to view information about logged-in FTP users, including
the user name, port number, and authorized directory.
<HUAWEI> display ftp-users
-----------------------------------------------------------
User Name        : root
Host Address     : 2607:F0D0:1002:11::126
Control Port     : 20465
Idle Time (mins) : 1
Root Directory   : cfcard:/
User Name        : root
Host Address     : 10.18.26.139
Control Port     : 28783
Idle Time (mins) : 0
Root Directory   : cfcard:/
-----------------------------------------------------------
Applicable Environment
As devices operate stably and are deployed in large scopes, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, as a new upgrade method by
loading software packages remotely, facilitates remote online upgrade, reduces upgrade
expenditure, shortens the time that customers wait for upgrade, and improves customers'
satisfaction. FTP is usually used to transmit data for online upgrade. FTP transmits data and
even user names and passwords in plain text, bringing security risks.
SFTP enables users to log in to a remote device securely from PCs to manage files. This improves
the security of data transmission for remote upgrade. In addition, the device can function as an
SFTP client. This allows users that have logged in to the device to access other remote devices
to transfer files and perform online upgrade by using SFTP.
Pre-configuration Tasks
Before operating files by using SFTP, complete the following task:
l
Configuration Procedures
Figure 4-4 Operating files by using SFTP (flowchart; legend: mandatory procedure, optional procedure)
Context
- SSH users can be authenticated in four modes: RSA, password, password-RSA, and All.
  Password authentication depends on AAA. Before a user logs in to the device with the password
  or password-RSA authentication mode, a local user with the same user name must be
  created in the AAA view.
- Configuring the system to generate a local RSA key pair is a key step for SSH login. If an
  SSH user logs in to an SSH server with the password authentication mode, configure the server
  to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
  authentication mode, configure both the server and the client to generate local RSA key
  pairs.
NOTE
Password-RSA authentication requires success of both password authentication and RSA authentication.
The All authentication mode requires success of either password authentication or RSA authentication.
Procedure
Step 1 Run:
system-view
2.
3. Run the local-user user-name service-type ssh command to set the local user access type
   to SSH.
4. Run the quit command to exit from the AAA view and enter the system view.
By default, a local user can use any access type. You can specify an access type to allow only
users configured with the specified access type to log in to the device.
Step 3 Run:
rsa local-key-pair create
- The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-related configuration.
- After the key pair is generated, run the display rsa local-key-pair public command to view information
  about the public key in the local key pair.
Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
Run the ssh user user-name authentication-type rsa command to configure RSA
authentication.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
2. Run the rsa peer-public-key key-name command to enter the public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4.
   - In the public key edit view, only hexadecimal strings complying with the public key format can
     be typed in. Each string is randomly generated on an SSH client. For detailed operations, see
     manuals for SSH client software.
   - After entering the public key edit view, paste the RSA public key generated on the client to the
     server.
5. Run the public-key-code end command to exit from the public key edit view.
   - Running the peer-public-key end command generates a key only after valid hex data complying with the public key format is entered.
   - If the peer-public-key end command is used after the key key-name specified in Step
     b is deleted in another window, the system prompts a message, indicating that the key
     does not exist, and the system view is displayed.
6.
7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a
   public key.
Step 5 (Optional) Configure basic authentication information for the SSH user.
1. Run the ssh server rekey-interval hours command to set an interval at which the key of
   the server is updated.
   By default, the interval is 0, indicating that the key is never updated.
2. Run the ssh server timeout seconds command to set the timeout period for SSH
   authentication.
   By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the retry times of SSH
   authentication.
   By default, SSH authentication retries a maximum of 3 times.
Step 6 Run:
ssh user username service-type { sftp | all }
Context
By default, the device is not enabled with the SFTP server function. Users can use SFTP to
establish connections to the device only after the SFTP server function is enabled on the device.
Do as follows on the device that functions as an SSH server:
Procedure
Step 1 Run:
system-view
Context
Table 4-5 lists SFTP server parameters.
Table 4-5 Description of SFTP server parameters
- Earlier SSH version compatibility: SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP. The HUAWEI NetEngine5000E supports SSH with version numbers ranging from 1.3 to 2.0.
- Listening port number of an SFTP server: The default listening port number of an SFTP server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, degrading the performance of the server, and preventing valid users from accessing the server. After the listening port number of the SFTP server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.
- Interval at which the key pair of the SFTP server is updated: After the interval is set, the key pair of the SFTP server is updated periodically to improve security.
- Timeout period of an idle connection
- Maximum number of clients that can be connected to the server
Procedure
Step 1 Run:
system-view
SFTP Server Parameter / Operation
- Listening port number of an SFTP server: If a new listening port is set, the SFTP server cuts off all established STelnet and SFTP connections, and then uses the new port number to listen to connection requests. By default, the listening port number is 22.
- Interval at which the key pair of the SFTP server is updated: By default, the interval is 0, indicating that the key pair will never be updated.
- Timeout period of an idle connection: Run the ssh server timeout seconds command. By default, the timeout period is 60 seconds.
Step 3 Run:
commit
Context
Third-party software can be used to access the device from the PC by using SFTP. The
third-party software OpenSSH and the Windows Command Prompt are used as an example.
After installing OpenSSH on a PC, do as follows on the PC:
NOTE
For details about how to install OpenSSH, see the installation guide of the software.
For details on how to use OpenSSH commands to log in to the system, see the help document of the software.
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run relevant OpenSSH commands to log in to the device in SFTP mode.
When the command prompt of the SFTP client view is displayed, such as sftp>, you have entered
the working path of the SFTP server, as shown in Figure 4-5.
Figure 4-5 Schematic diagram for the working path of the FTP server
----End
Context
After logging in to the SFTP server, you can perform the following operations:
l
Procedure
Step 1 Run:
system-view
The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.
Step 3 Perform one or more operations shown in Table 4-7 as needed.
Table 4-7 File operation
Managing directories
- Deleting directories on the server
- Creating a directory on the server
Managing files
- Uploading files to a remote server
----End
Prerequisite
The configuration of file operation by using SFTP is complete.
Procedure
- Run the display ssh user-information username command on the SSH server to check
  information about SSH users.
- Run the display ssh server status command on the SSH server to check its configuration.
- Run the display ssh server session command on the SSH server to check information about
  sessions between the SSH server and SSH clients.
- Run the display ssh server statistics command on the SSH server to view information
  about the total number of connections accepted, denied, closed and total online connections.
----End
Example
Run the display ssh user-information client001 command to verify that the authentication mode set
for the SSH user client001 is password and the service type is sftp.
<HUAWEI> display ssh user-information client001
-------------------------------------
Username             : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       : cfcard:/home
Service-type         : sftp
Authorization-cmd    : Yes
---------------------------------------------
Total 1, 1 printed
Run the display ssh server status command to view configuration of the SSH server.
<HUAWEI> display ssh server status
SSH version                        : 2.0
SSH authentication timeout         : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility      : Disable
SSH server keep alive              : Enable
SFTP server                        : Disable
STELNET server                     : Enable
SNETCONF server                    : Disable
SSH server port                    : 1025
NOTE
If the default listening port is in use, information about the current listening port is not displayed.
Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<HUAWEI> display ssh server session
Session             : 2
Conn                : SFTP 0
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : sftp
Authentication Type : password
Run the display ssh server statistics command to view the current statistics information of the
SSH server.
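The display commands above are the natural place to check an SSH server's posture. The following added example is not part of this guide or of the NE5000E software: it parses the "Label : value" layout of display ssh server status and display ssh server session and flags weak settings. The two sample outputs embed the values shown in this guide's examples; the weak-algorithm lists encode general SSH hardening practice (CBC ciphers, MD5 and truncated MACs, SHA-1 based key exchange), not a router feature, and the "0 hours" form for a disabled rekey interval is an assumption based on the "2 hours" sample.

```python
"""Audit `display ssh server status` and `display ssh server session` output for
weak settings.  Added illustration, not NE5000E code; sample outputs carry the
values from the guide's own examples, and the weak-algorithm lists are general
SSH hardening guidance rather than anything the router enforces."""
import re

# Constructed layout, values copied from the guide's status example.
STATUS_SAMPLE = """\
SSH version                        : 2.0
SSH authentication timeout         : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility      : Disable
SSH server keep alive              : Enable
SFTP server                        : Disable
STELNET server                     : Enable
SNETCONF server                    : Disable
SSH server port                    : 1025
"""

# Constructed layout, values copied from the guide's session example.
SESSION_SAMPLE = """\
Session             : 2
Conn                : SFTP 0
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : sftp
Authentication Type : password
"""

KV_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")

WEAK_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", "des-cbc", "arcfour"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}


def parse_kv(output):
    """Turn 'Label : value' lines into a dict; blank and dashed separator lines are skipped."""
    fields = {}
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= {"-"}:
            continue
        m = KV_RE.match(line)      # lazy label match stops at the first colon
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_status(fields):
    """Findings for the server-wide settings shown by `display ssh server status`."""
    findings = []
    if fields.get("SSH version 1.x compatibility", "").lower() == "enable":
        findings.append("SSH1.x compatibility enabled: protocol 1 lacks integrity protection")
    interval = fields.get("SSH server key generating interval", "")
    # The guide states interval 0 means the server key is never updated
    # ("0 hours" as the displayed form is an assumption).
    if interval.split()[:1] == ["0"]:
        findings.append("server key pair is never regenerated (rekey interval 0)")
    if fields.get("SSH version", "") != "2.0":
        findings.append(f"SSH version is {fields.get('SSH version')!r}, expected 2.0")
    return findings


def audit_session(fields):
    """Findings for one negotiated session shown by `display ssh server session`."""
    findings = []
    for label in ("CTOS Cipher", "STOC Cipher"):
        if fields.get(label) in WEAK_CIPHERS:
            findings.append(f"{label} {fields[label]}: CBC-mode cipher")
    for label in ("CTOS Hmac", "STOC Hmac"):
        if fields.get(label) in WEAK_MACS:
            findings.append(f"{label} {fields[label]}: weak MAC")
    if fields.get("Kex") in WEAK_KEX:
        findings.append(f"Kex {fields['Kex']}: SHA-1 based key exchange")
    if fields.get("Authentication Type") == "password":
        findings.append("password-only authentication; consider rsa or password-rsa")
    return findings


if __name__ == "__main__":
    for finding in audit_status(parse_kv(STATUS_SAMPLE)) + audit_session(parse_kv(SESSION_SAMPLE)):
        print("-", finding)
```

Run against the guide's own session example, the audit reports the CBC ciphers in both directions, HMAC-MD5 in both directions, the SHA-1 group-exchange key exchange and password-only authentication; the status example produces no findings because SSH1.x compatibility is disabled and the rekey interval is non-zero.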
Networking Requirements
As devices operate stably and are deployed in large scopes, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, as a new upgrade method by
loading software packages remotely, facilitates remote online upgrade, reduces upgrade
expenditure, shortens the time that customers wait for upgrade, and improves customers'
satisfaction. In real world situations, the delay, packet loss, and jitter affect data transmission
on networks. To guarantee the quality of online upgrade and data transmission, use FTP to
perform online upgrade and transfer files based on TCP connections.
As shown in Figure 4-6, after the FTP server function is enabled on the router, you can log in
to the FTP server from the HyperTerminal to upload or download files.
Figure 4-6 Networking diagram for operating files by using FTP (diagram: PC connected over the network to the FTP server's GE0/0/0, 10.137.217.221/16)
Precautions
The IP address of the FTP server must be configured on the MEth interface.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4. Log in to the FTP server by using the correct user name and password.
5.
Data Preparation
To complete the configuration, you need the following data:
- Path on which the file to be uploaded is saved and the path on which the file to be
  downloaded is saved
Procedure
Step 1 Configure the IP address of the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname server
[~HUAWEI] commit
[~server] interface gigabitethernet0/0/0
[~server-GigabitEthernet0/0/0] undo shutdown
[~server-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~server-GigabitEthernet0/0/0] quit
[~server] commit
Step 3 Configure the authentication information, authorization mode, and authorized directories for an
FTP user on the FTP server.
[~server] aaa
[~server-aaa] local-user huawei password simple huawei
[~server-aaa] local-user huawei service-type ftp
[~server-aaa] local-user huawei ftp-directory cfcard:/
[~server-aaa] quit
[~server] commit
Step 4 Run the ftp commands at the Windows Command Prompt, and enter the correct user name and
password to set up an FTP connection to the FTP server, as shown in Figure 4-7.
Step 5 Upload a file from the terminal to the server and download a file from the server, as shown
in Figure 4-8.
Figure 4-8 Operating files by using FTP
NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed
information about the file.
----End
Configuration Files
l
accounting-scheme default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
ftp server enable
#
admin
return
Networking Requirements
As devices operate stably and are deployed in large scopes, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, as a new upgrade method by
loading software packages remotely, facilitates remote online upgrade, reduces upgrade
expenditure, shortens the time that customers wait for upgrade, and improves customers'
satisfaction. FTP is usually used to transmit data for online upgrade. FTP transmits data and
even user names and passwords in plain text, bringing security risks.
SFTP enables users to log in to a remote device securely from PCs to manage files. This improves
the security of data transmission for remote upgrade. In addition, the device can function as an
SFTP client. This allows users that have logged in to the device to access other remote devices
to transfer files and perform online upgrade by using SFTP.
As shown in Figure 4-9, after the SFTP server function is enabled on the router that functions
as an SSH server, you can log in to the server in password, RSA, password-RSA, or all
authentication mode from a PC that functions as an SFTP client.
Figure 4-9 Networking diagram for operating files by using SFTP (diagram: PC connected over the network to the SSH server's GE0/0/0, 10.137.217.225/16)
Precautions
The IP address of the SSH server must be configured on the MEth interface.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server, allowing secure data transmission between
   the client and the server.
2.
3. Configure an SSH user, including the user authentication mode, user name, password, and
   authorized directory.
4. Enable the SFTP server function on the SSH server and configure the service type.
Data Preparation
To complete the configuration, you need the following data:
- SSH user authentication mode: password; user name: client001; password: huawei
Procedure
Step 1 Configure the IP address of the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] quit
[~SSH Server] commit
Step 3 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] quit
[~SSH Server] commit
Step 4 Enable the SFTP server function and set the service type to SFTP.
[~SSH Server] sftp server enable
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit
Figure 4-10 Schematic diagram for accessing the SFTP server by using the OpenSSH software
----End
5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.
As shown in Figure 5-1, after you use the terminal emulator or Telnet program on a PC to
connect to the router successfully, the router can still function as a client to help you access other
devices on the network by using Telnet, FTP, TFTP, or SFTP.
Figure 5-1 Schematic diagram for accessing other devices (diagram: PC in the user network; Telnet client and Telnet server on the IP network)
Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login
and virtual terminal services. The NE5000E provides the following Telnet services:
- Telnet server: A user runs the Telnet client program on a PC to log in to the router to
  configure and manage the router. The router functions as a Telnet server.
- Telnet client: After using the terminal emulator or Telnet client program on a PC to connect
  to the router, a user runs the telnet command to log in to another device for configuration
  and management. The router functions as a Telnet client. In Figure 5-2, the CE functions
  as both a Telnet server and a Telnet client.
Figure 5-2 Telnet server providing the Telnet client service (diagram: PC, PE, CE, P1, P2, P3; Telnet session 1 and Telnet session 2; the CE acts as both Telnet server and Telnet client)
Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure
5-3, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the
Telnet client of P3. The usage of shortcut keys is described as follows:
- Ctrl_]: Instructs the server to disconnect a Telnet connection.
  If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server
  interrupts the current Telnet connection.
  For example, enter Ctrl_] on P3, and the P2 prompt is displayed.
  <P3> Select Ctrl_]
  The connection was
  <P2> Select Ctrl_]
  <P2> Ctrl_]
  The connection was
  <P1>
NOTE
CAUTION
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all user
interfaces are in use and no more Telnet connections are allowed.
FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
- Control connection: issues commands from the client to the server and transmits replies
  from the server to the client, minimizing the transmission delay.
- Data connection: transmits data between the client and server, maximizing the throughput.
- Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
- ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
- FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
  the device, and run the ftp command to establish a connection between the device and a
  remote FTP server to access and operate files on the server.
- FTP server: Users can use the FTP client program to log in to the device and operate files
  on the device.
Before users log in, the network administrator must configure an IP address for the FTP
server.
TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses
the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,
TFTP is simple, providing no authentication. It is applicable to scenarios where complicated
interactions between clients and the server are not required.
TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.
NOTE
- Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
- Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.
- When a TFTP client needs to download files from the server, the client sends a read request
  to the TFTP server. The server sends data packets to the client, and the client acknowledges
  the data packets.
- When a TFTP client needs to upload a file to the server, the client sends a write request
  and then data to the server, and receives acknowledgments from the server.
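The read exchange just described, worked through in code as an added example that is not part of this guide or of the NE5000E software. Both sides run in one process against a constructed in-memory file store rather than over UDP port 69, so it runs offline; packet layouts follow RFC 1350 (opcode, block numbers, NUL-terminated name and mode). It makes the guide's "no authentication" point concrete: a read request carries only a file name and a transfer mode, and the server has nothing to check beyond whether the file exists.

```python
"""Model of a TFTP read: RRQ from the client, 512-byte DATA blocks from the
server, one ACK per block, and a short (possibly empty) final block to end the
transfer.  Added illustration, not NE5000E code; the file store is constructed."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def encode_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: 2-byte opcode, NUL-terminated filename, NUL-terminated mode."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def encode_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def encode_ack(block):
    return struct.pack("!HH", ACK, block)


def encode_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def decode(packet):
    """Return (opcode, fields) for any of the five packet types."""
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return opcode, {"filename": filename.decode(), "mode": mode.decode()}
    if opcode in (DATA, ACK, ERROR):
        number = struct.unpack("!H", packet[2:4])[0]
        if opcode == DATA:
            return opcode, {"block": number, "data": packet[4:]}
        if opcode == ACK:
            return opcode, {"block": number}
        return opcode, {"code": number, "message": packet[4:].split(b"\0", 1)[0].decode()}
    raise ValueError(f"unknown opcode {opcode}")


class TftpServer:
    """Read-only server state for a single transfer (one client at a time)."""

    def __init__(self, files):
        self.files = files          # filename -> bytes
        self.data = None

    def _block(self, number):
        start = (number - 1) * BLOCK_SIZE
        return self.data[start:start + BLOCK_SIZE]

    def on_packet(self, packet):
        """Process one client datagram; return the reply datagram, or None when done."""
        opcode, fields = decode(packet)
        if opcode == RRQ:
            # Nothing in the request identifies the client: reachability is the only gate.
            if fields["filename"] not in self.files:
                return encode_error(1, "File not found")
            self.data = self.files[fields["filename"]]
            return encode_data(1, self._block(1))
        if opcode == ACK and self.data is not None:
            # A block shorter than 512 bytes was the last one; its ACK ends the transfer.
            if len(self._block(fields["block"])) < BLOCK_SIZE:
                self.data = None
                return None
            nxt = fields["block"] + 1
            return encode_data(nxt, self._block(nxt))
        if opcode == WRQ:
            return encode_error(2, "Access violation")   # this model never accepts uploads
        return encode_error(4, "Illegal TFTP operation")


def tftp_read(server, filename):
    """Client side: send RRQ, ACK every DATA block; return (transcript, bytes or None)."""
    transcript = [f"C->S RRQ {filename} octet"]
    received = b""
    reply = server.on_packet(encode_request(RRQ, filename))
    while reply is not None:
        opcode, fields = decode(reply)
        if opcode == ERROR:
            transcript.append(f"S->C ERROR {fields['code']} {fields['message']}")
            return transcript, None
        transcript.append(f"S->C DATA block {fields['block']} ({len(fields['data'])} bytes)")
        received += fields["data"]
        transcript.append(f"C->S ACK {fields['block']}")
        reply = server.on_packet(encode_ack(fields["block"]))
    return transcript, received


# Constructed sample files: 1100 bytes (three blocks) and exactly 1024 bytes,
# which needs an empty third block to signal end of file.
SAMPLE_FILES = {"vrp.cc": bytes(range(256)) * 4 + b"x" * 76, "exact.bin": b"y" * 1024}

if __name__ == "__main__":
    for name in ("vrp.cc", "exact.bin", "missing.cfg"):
        transcript, _ = tftp_read(TftpServer(SAMPLE_FILES), name)
        print("\n".join(transcript), end="\n\n")
```

The 1024-byte file is the edge case worth remembering when writing a TFTP detection or parsing tool: the transfer is not over after two full blocks, and a capture that stops counting at the last non-empty block will miss the terminating empty DATA and its ACK.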
SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device
functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server or the connection between the server and the client fails, the client needs
to detect the fault in time and remove the connection proactively. To help the client detect such
a fault in time, configure the interval at which Keepalive packets are sent when no packet is received,
and the maximum number of times that the server may fail to respond to the client:
- If the client does not receive any packet within the specified period, the client sends a
  Keepalive packet to the server.
- If the number of times that the server does not respond exceeds the specified maximum,
  the client proactively releases the connection.
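The keepalive behaviour described above, modelled as an added example that is not part of this guide or of the NE5000E software. The two parameters it takes, the silence interval and the maximum number of unanswered keepalives, are the ones the guide names; this section does not give the commands that set them, so none are assumed. Time is a constructed integer clock, and the server's packets are given as the seconds at which they arrive.

```python
"""Model of the SFTP client keepalive: after `interval` seconds without any
packet from the server the client sends a keepalive; once `max_unanswered`
keepalives have gone unanswered and the next interval passes, it releases the
connection.  Added illustration, not NE5000E code."""
from dataclasses import dataclass, field


@dataclass
class KeepaliveMonitor:
    interval: int            # seconds of silence before a keepalive is sent
    max_unanswered: int      # keepalives the server may leave unanswered
    last_activity: int = 0   # time of the last packet received or keepalive sent
    unanswered: int = 0
    alive: bool = True
    events: list = field(default_factory=list)

    def on_receive(self, now):
        """Any packet from the server proves the connection works."""
        self.last_activity = now
        self.unanswered = 0
        self.events.append(f"rx@{now}")

    def tick(self, now):
        """Call once per second.  Sends a keepalive after `interval` seconds of
        silence; releases the connection when the unanswered count has already
        reached the maximum and another interval passes without a reply."""
        if not self.alive or now - self.last_activity < self.interval:
            return
        if self.unanswered >= self.max_unanswered:
            self.alive = False
            self.events.append(f"release@{now}")
            return
        self.unanswered += 1
        self.last_activity = now
        self.events.append(f"keepalive@{now}")


def simulate(interval, max_unanswered, server_packets, end_time):
    """Run the clock from 1..end_time; server_packets is the set of seconds at
    which a packet arrives from the server.  Returns (event log, still alive)."""
    mon = KeepaliveMonitor(interval, max_unanswered)
    for now in range(1, end_time + 1):
        if now in server_packets:
            mon.on_receive(now)
        mon.tick(now)
    return mon.events, mon.alive


if __name__ == "__main__":
    # Constructed scenario 1: server answers once at t=5, then goes silent.
    print(simulate(interval=10, max_unanswered=3, server_packets={5}, end_time=60))
    # Constructed scenario 2: server answers each keepalive a second later.
    print(simulate(interval=10, max_unanswered=3, server_packets={5, 16, 27}, end_time=40))
```

With a 10-second interval and a maximum of 3, a server that falls silent at t=5 draws keepalives at 15, 25 and 35 and the connection is released at 45, so the worst-case detection time is (max_unanswered + 1) x interval after the last packet. Lower values detect a dead server sooner at the cost of more probe traffic.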
Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, you can log in to other devices
by using Telnet from the device that you have logged in to.
As shown in Figure 5-4, the PC can use Telnet to log in to the Telnet client. As the PC does not
have a reachable route to the Telnet server, you cannot manage the Telnet server remotely. To
manage the Telnet server remotely, you can use the Telnet client to telnet to the Telnet server.
Figure 5-4 Networking diagram for accessing other devices (diagram: PC in the user network; Telnet client and Telnet server on the IP network)
Pre-configuration Tasks
Before logging in to other devices by using Telnet, complete the following task:
- Configuring a route to ensure that the Telnet client and server are routable.
Context
Telnet provides an interactive interface for users to log in to a remote server. You can log in to
one device, and then telnet to other devices on the network to configure and manage these remote
devices, instead of connecting a terminal to each of the devices.
An IP address can be configured for an interface on the device and specified as the source IP
address of an FTP connection for security checks.
After the source IP address is configured for the Telnet client, the source IP address of the Telnet
client displayed on the server is the same as the configured one.
Perform either of the following operations based on the type of the source IP address:
Procedure
l
----End
--------------------------------------------------------------------------------
Pid/SocketID    Local Addr:Port        Foreign Addr:Port        VPNID  State
--------------------------------------------------------------------------------
0x80C8272F/2    0.0.0.0:23             0.0.0.0:0                42949  LISTEN
0x80932727/4    0.0.0.0:22             0.0.0.0:0                42949  LISTEN
0x30666bb4/9    10.137.217.222:23      10.137.217.223:53930     0      Established
--------------------------------------------------------------------------------
Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Logging in by using Telnet poses a
security risk because Telnet does not provide any secure authentication mechanism and data is
transmitted over TCP in plain text.
STelnet provides secure Telnet services based on SSH connections. By providing encryption and
authentication, SSH protects devices against IP address spoofing and plain-text password
interception. As shown in Figure 5-5, the HUAWEI NetEngine5000E supports the SSH function.
You can log in to a remote device in SSH mode to manage and maintain it. In this situation, the
device that you have logged in to functions as the SSH client, and the remote device to be
logged in to is the SSH server.
Figure 5-5 Networking diagram for logging in to other devices by using STelnet (Telnet client and Telnet server connected over an IP network)
Pre-configuration Tasks
Before logging in to other devices by using STelnet, complete the following task:
Configuration Procedures
Figure 5-6 Logging in to other devices by using STelnet (flowchart; legend: mandatory procedure, optional procedure. Note in the figure: enable first-time authentication on the SSH client to allow users to successfully log in to other devices at the first time)
Context
After first-time authentication is enabled on the SSH client, the validity of the RSA public key
of the SSH server is not checked when the STelnet client logs in to the SSH server for the first
time. After the first login, the system automatically records the server's RSA public key and
saves it for authentication during subsequent logins.
If first-time authentication is disabled, the STelnet client cannot log in to the SSH server because
the validity check of the RSA public key fails. If the STelnet client must log in to the SSH
server successfully at the first time, you can either enable first-time authentication or assign
the server's RSA public key on the client in advance. For details, see 5.3.2 Configuring Login
to Another Device for the First Time (Binding the SSH Client to the RSA Public Key
Generated on the SSH Server).
Do as follows on the router that functions as an SSH client:
Procedure
Step 1 Run:
system-view
Step 3 Run:
commit
Context
If first-time authentication is disabled, the SSH client cannot log in to the SSH server because
the validity check of the RSA public key fails. An RSA public key needs to be assigned to the
server before the SSH client logs in to the server.
The RSA public key assigned to the SSH server must be generated on the server. Otherwise, the
validity check for the RSA public key on the SSH client cannot succeed.
Do as follows on the router that functions as an SSH client:
Procedure
Step 1 Run:
system-view
After entering the public key edit view, copy and paste the RSA public key generated on the server to the
client.
Step 5 Run:
public-key-code end
If the configured public key contains invalid characters or does not comply with the public key
format, a prompt is displayed, and the configured public key is discarded. The configuration
fails. If the configured public key is valid, the key will be saved into the client public key chain
table.
l If no valid hex-data is specified, no public key will be generated.
l If key-name specified in Step 2 has been deleted in another window, the system prompts an
error and returns to the system view.
Step 6 Run:
peer-public-key end
Exit from the public key view, and the system view is displayed.
Step 7 Run:
ssh client server-ip-address assign rsa-key key-name
If the public key saved on the SSH client becomes invalid, run the undo ssh client server-ip-address
assign rsa-key command to cancel the binding between the SSH client and the server, and then run the
ssh client server-ip-address assign rsa-key key-name command to bind the server to an RSA public key on the client again.
Step 8 Run:
commit
Context
The SSH client can log in to the server without specifying the listening port number only when
the listening port number of the server is 22. Otherwise, the listening port number must be
specified.
Do as follows on the router that functions as an SSH client:
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration for logging in to another device by using STelnet is complete.
Procedure
l Run the display ssh server-info command to check mappings between SSH servers and RSA public keys on the client.
----End
Example
Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
Server Name(IP)                        Server public key name
________________________________________________________________________
1000::1                                1000::1
10.164.39.223                          10.164.39.223
11.11.11.23                            11.11.11.23
10.164.39.204                          10.164.39.204
10.164.39.222                          10.164.39.222
Applicable Environment
In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP involves
complicated interactions between terminals and servers, which are hard to implement on terminals
without advanced operating systems. TFTP is designed for file transfer that does not need
complicated interactions between terminals and servers. It is simple and inexpensive to
implement. TFTP can be used only for simple file transfer, without authentication.
NOTE
Currently, the HUAWEI NetEngine5000E can function only as a TFTP client, not as a TFTP server.
Pre-configuration Tasks
Before using TFTP to access other devices, complete the following task:
Configuration Procedures
You can choose one or more configuration tasks (excluding "Checking the Configuration") as
required.
Context
You can assign an IP address to an interface on the TFTP client and use this IP address as the
source address to establish a TFTP connection. This ensures the security of file transfer.
Do as follows on the router that functions as a TFTP client:
Procedure
Step 1 Run:
system-view
Step 3 Run:
commit
Context
An ACL is a set of sequential rules. These rules are described based on source addresses,
destination addresses, and port numbers of packets. ACL rules are used to filter packets. After
ACL rules are applied to a device, the device permits or denies packets based on the ACL rules.
Multiple rules can be defined for one ACL. ACL rules are classified into interface ACL, basic
ACL, and advanced ACL rules based on their functions.
NOTE
TFTP supports only basic ACLs (from ACL 2000 to ACL 2999).
Procedure
Step 1 Run:
system-view
The ACL is applied to the TFTP client to control its access to TFTP servers.
Step 6 Run:
commit
Context
A Virtual Private Network (VPN) is a private network. Network devices and terminals on a VPN
can be connected over the Internet. When you establish a TFTP session, you can specify vpn-instance-name in the TFTP command to connect to a remote TFTP server in that VPN.
To download a file, the TFTP client sends a read request to the TFTP server. After receiving
data, the TFTP client sends an acknowledgment to the server.
Procedure
l Run:
tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Context
To upload a file, the TFTP client sends a write request to the TFTP server. After receiving data,
the TFTP client sends an acknowledgment to the server.
Procedure
l Run:
tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
Prerequisite
The configurations of using TFTP to access other devices are complete.
Procedure
l Run the display tftp-client command to check the source address of the TFTP client.
l Run the display acl { acl-number | all } command to check ACL rules configured on the TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
---------------------------------------------------------------------
acl4Number     : 0
SrcIPv4Addr    : 0.0.0.0
Interface Name : LoopBack0
---------------------------------------------------------------------
Run the display acl { acl-number | all } command to view ACL rules configured on the TFTP
client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules
Acl's step is 5
Acl's match-order is config
rule 5 permit ip source 1.1.1.1 0 (2 times matched)
rule 10 permit ip source 9.9.9.9 0 (3 times matched)
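The basic-ACL matching that the TFTP client applies to its servers (ACL context above and the display acl output just shown), as an added example in Python; this is not code from the guide or from the router. It parses rule lines in the form printed by display acl or stored in the configuration file, evaluates a source address against them in config order using the wildcard mask, tracks the per-rule hit counter, and enforces the 2000-2999 basic-ACL range. The action for a source that matches no rule is an assumption here (deny, exposed as a parameter), and the auto-numbering by step is modelled from the "Acl's step is 5" line.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rule lines as printed by "display acl" (with the "ip" keyword) or as stored in
# the configuration file (without it); the "(N times matched)" counter is optional.
_RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)(?:\s+ip)?\s+source\s+"
    r"(?P<addr>any|\d{1,3}(?:\.\d{1,3}){3})(?:\s+(?P<wild>\d{1,3}(?:\.\d{1,3}){3}|0))?"
)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Rule:
    rule_id: int
    action: str       # "permit" or "deny"
    addr: int         # source address as a 32-bit integer
    wild: int         # wildcard mask; a 1 bit means "do not care"
    matched: int = 0  # hit counter, like "(2 times matched)" in display acl

    def matches(self, src: str) -> bool:
        care = ~self.wild & 0xFFFFFFFF
        return (_to_int(src) & care) == (self.addr & care)


def parse_rule(line: str) -> Rule:
    """Parse one 'rule <id> permit|deny [ip] source <addr> <wildcard>' line."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a basic ACL rule: {line!r}")
    if m["addr"] == "any":
        addr, wild = 0, 0xFFFFFFFF
    else:
        addr = _to_int(m["addr"])
        # "source 1.1.1.1 0" in the guide: a bare 0 is the all-zero wildcard (exact host)
        wild = 0 if m["wild"] in (None, "0") else _to_int(m["wild"])
    return Rule(int(m["id"]), m["action"], addr, wild)


@dataclass
class BasicAcl:
    number: int
    rules: List[Rule] = field(default_factory=list)
    step: int = 5                 # "Acl's step is 5" in the guide's output
    default_permit: bool = False  # assumption: a source matching no rule is denied

    def __post_init__(self) -> None:
        # The guide: TFTP supports only basic ACLs (from ACL 2000 to ACL 2999).
        if not 2000 <= self.number <= 2999:
            raise ValueError(f"ACL {self.number} is not a basic ACL (2000-2999)")

    def add(self, line: str) -> Rule:
        rule = parse_rule(line)
        if any(r.rule_id == rule.rule_id for r in self.rules):
            raise ValueError(f"rule {rule.rule_id} already exists in ACL {self.number}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)  # match-order config: by rule ID
        return rule

    def next_rule_id(self) -> int:
        """ID the next unnumbered rule would get: the next multiple of step."""
        if not self.rules:
            return self.step
        return (max(r.rule_id for r in self.rules) // self.step + 1) * self.step

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """First matching rule wins; returns (action, rule id or None for the default)."""
        for rule in self.rules:
            if rule.matches(src):
                rule.matched += 1
                return rule.action, rule.rule_id
        return ("permit" if self.default_permit else "deny"), None


def acl_from_display(text: str) -> BasicAcl:
    """Build an ACL from 'display acl <number>' output as quoted in the guide."""
    header = re.search(r"Basic acl (\d+)", text)
    if header is None:
        raise ValueError("no 'Basic acl <number>' header in output")
    acl = BasicAcl(int(header.group(1)))
    step = re.search(r"Acl's step is (\d+)", text)
    if step is not None:
        acl.step = int(step.group(1))
    for line in text.splitlines():
        if line.strip().startswith("rule "):
            acl.add(line)
    return acl


# Constructed sample: the 'display acl 2001' output shown in the guide.
SAMPLE_DISPLAY = """\
Basic acl 2001, 2 rules
Acl's step is 5
Acl's match-order is config
rule 5 permit ip source 1.1.1.1 0 (2 times matched)
rule 10 permit ip source 9.9.9.9 0 (3 times matched)
"""

if __name__ == "__main__":
    acl = acl_from_display(SAMPLE_DISPLAY)
    # A wildcard rule of our own (constructed) that permits a whole /24.
    acl.add(f"rule {acl.next_rule_id()} permit source 10.0.0.0 0.0.0.255")
    for src in ("1.1.1.1", "9.9.9.9", "10.0.0.77", "10.0.1.77"):
        print(src, acl.evaluate(src))
```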
Applicable Environment
When you need to transfer files with a remote FTP server or manage directories of the server,
you can configure the current device as an FTP client and then access the FTP server by using
FTP.
Pre-configuration Tasks
Before using FTP to access another device, complete the following task:
Configuration Procedures
Figure 5-7 Using FTP to operate files (flowchart: configure the source address for the FTP client; use FTP commands to connect to other devices; use FTP commands to operate files. Legend: mandatory procedure, optional procedure)
5.5.1 (Optional) Configuring the Source Address for the FTP Client
You can configure a source address for an FTP client and use the source address to establish an
FTP connection, ensuring file transfer security.
Context
You can assign an IP address to an interface on the router and use this IP address as the source
address to establish an FTP connection. This ensures the security of file transfer.
Do as follows on the router that functions as an FTP client:
Procedure
Step 1 Run:
system-view
Context
Commands can be run in the user or FTP client view to establish connections with remote FTP
servers.
NOTE
l If the ftp command without any parameters is used in the user view to establish a control connection
to an FTP server, the FTP client view is displayed but the connection is not established.
l When using the ftp command in the user view or the open command in the FTP client view to establish
a control connection to a remote FTP server, if the listening port number of the FTP server is the default
one, you do not need to specify the listening port number in the command; otherwise, you must specify
the listening port number in the command.
Perform either of the following operations on the FTP client based on the type of IP address of
the server:
Procedure
l If the server has an IPv4 address, use the commands listed in Table 5-1 to connect the client to other devices.
Table 5-1 Using FTP commands to connect the FTP client to other devices
View             Operation
User view        Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to establish a connection to the FTP server.
FTP client view  Run the open { -a source-ip | -i interface-type interface-number } host-ip-address [ port-number ] [ vpn-instance vpn-instance-name ] command to establish a connection to the FTP server.
l If the server has an IPv6 address, use the commands listed in Table 5-2 to connect the client to other devices.
Table 5-2 Using FTP commands to connect the FTP client to other devices
View             Operation
User view
FTP client view  Run the open ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to establish a connection to the FTP server.
----End
Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.
Step 2 Perform one or more operations shown in Table 5-3 as needed.
Table 5-3 File operation
File Operation         Description
Managing files         Configuring the file type
                       Configuring the data connection mode
                       Uploading files
                       Downloading files
Managing directories   Changing the working path of a remote FTP server
                       Changing the working path of an FTP server to the parent directory
                       Displaying the working path of an FTP server
                       Displaying files in a directory and the list of subdirectories
                       Displaying a specified remote directory or file on an FTP server
                       Displaying or changing the working path of an FTP client
                       Creating a directory on an FTP server
                       Deleting a directory from an FTP server
The lcd command displays the local working path of the FTP client, while the pwd command displays the working path of the remote FTP server.
----End
Context
After the device functions as an FTP client and establishes a connection to an FTP server, you can
change the logged-in user to allow users with different rights to access the server. Changing the
logged-in user does not affect the established FTP connection: the FTP control and data connections
and the connection status do not change.
If the user name or password entered for the new user is incorrect, the established connection is
torn down. To access the server again, the user must log in again from the FTP client.
NOTE
After logging in to the HUAWEI NetEngine5000E, you can log in to the FTP server by using another user
name without logging out of the FTP client view. The established FTP connection is identical with that
established by running the ftp command.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.
Step 2 Run:
user user-name [ password ]
The logged-in user is changed. Another user logs in to access the FTP server.
After the logged-in user is changed, the connection between the original user and the FTP server
is disconnected.
Step 3 Run:
commit
Context
After the number of users logging in to an FTP server reaches the upper limit, no more valid
users can log in. To allow valid users to log in to the FTP server, terminate idle connections to
the FTP server.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.
Step 2 Perform either of the following operations as needed to terminate an FTP connection.
l Run the bye/quit command to terminate the connection to the FTP server and return to the
user view.
l Run the close/disconnect command to terminate both the connection to the FTP server and
the FTP session but remain in the FTP client view.
----End
Prerequisite
The configurations of accessing other devices by using FTP are complete.
Procedure
l Run the display ftp-client command to check the source address of the FTP client.
----End
Example
After configuring the source IP address of the FTP client, run the display ftp-client command
to view the configuration.
<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr    : 10.1.1.1
Interface Name :
-----------------------------------------
After configuring the loopback interface of the FTP client, run the display ftp-client command
to view the configuration.
<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr    : 0.0.0.0
Interface Name : LoopBack0
-----------------------------------------
Applicable Environment
SFTP is short for SSH FTP. Based on SSH, SFTP ensures that users log in to a remote device
securely to manage and transfer files, enhancing secure file transfer. As the device can function
as an SFTP client, you can log in to a remote SSH server from the device to transfer files securely.
Pre-configuration Tasks
Before using SFTP to access other devices, complete the following task:
l Configuring a route between the client and the server to make them routable.
Configuration Procedures
Figure 5-8 Using SFTP to access other devices (flowchart: configure the source address for the SFTP client. Legend: mandatory procedure, optional procedure)
Context
You can assign an IP address to an interface on the SFTP client and use this IP address as the
source address to establish an SFTP connection. This ensures the security of file transfer.
The source address for an SFTP client can be a source interface or a source IP address.
Do as follows on the device functioning as an SFTP client:
Procedure
Step 1 Run:
system-view
Step 3 Run:
commit
Context
After first-time authentication is enabled on the SSH client, the validity of the RSA public key
of the SSH server is not checked when the SFTP client logs in to the SSH server for the first
time. After the first login, the system automatically records the server's RSA public key and
saves it for authentication during subsequent logins.
Do as follows on the router that functions as an SSH client:
Procedure
Step 1 Run:
system-view
Context
If first-time authentication is disabled, the SFTP client cannot log in to the SSH server because
the validity check of the RSA public key fails. Therefore, you need to assign an RSA public key
to the server before the SFTP client logs in to the server.
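The client-side server-key check that the first-time authentication passages describe for STelnet (5.3) and for SFTP above, as an added example in Python; this is not the router's code. It covers the three situations the guide distinguishes: a server already bound to a pre-assigned RSA public key (the ssh client ... assign rsa-key binding), an unbound server with first-time authentication enabled (key accepted unverified and saved under the server's IP), and an unbound server with first-time authentication disabled (login refused). It also applies the hex-format check the guide describes for keys pasted between public-key-code begin and end. The outcome names and the SHA-256 fingerprint are our own; the key material is constructed placeholder hex, not a real RSA key.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_public_key_code(text: str) -> bytes:
    """Validate and decode the hex text pasted between public-key-code begin and end.

    The guide says a key with invalid characters, or one that does not follow the
    key format, is discarded; here anything but hex digits (whitespace removed)
    or an odd digit count is rejected.
    """
    compact = "".join(text.split())
    if not compact or not _HEX_RE.match(compact) or len(compact) % 2:
        raise ValueError("public key contains invalid characters or is not valid hex-data")
    return bytes.fromhex(compact)


def fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint, used only for log messages (our choice)."""
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class SshClient:
    first_time_authentication: bool = False
    key_chain: Dict[str, bytes] = field(default_factory=dict)  # key-name -> public key
    bindings: Dict[str, str] = field(default_factory=dict)     # server IP -> key-name

    def load_peer_public_key(self, key_name: str, hex_text: str) -> None:
        """rsa peer-public-key <key-name> / public-key-code begin ... end / peer-public-key end"""
        self.key_chain[key_name] = parse_public_key_code(hex_text)

    def assign_rsa_key(self, server_ip: str, key_name: str) -> None:
        """ssh client <server-ip-address> assign rsa-key <key-name>"""
        if key_name not in self.key_chain:
            raise KeyError(f"no public key named {key_name!r} in the client key chain")
        self.bindings[server_ip] = key_name

    def undo_assign_rsa_key(self, server_ip: str) -> None:
        """undo ssh client <server-ip-address> assign rsa-key"""
        self.bindings.pop(server_ip, None)

    def check_server(self, server_ip: str, presented_key: bytes) -> Tuple[str, str]:
        """Validity check of the server's RSA public key at login.

        Returns (outcome, detail); outcome is "verified", "mismatch", "saved" or "rejected".
        """
        key_name = self.bindings.get(server_ip)
        if key_name is not None:
            expected = self.key_chain[key_name]
            if expected == presented_key:
                return "verified", f"key {key_name} matches ({fingerprint(expected)})"
            # The stored key no longer matches what the server presents: refuse, and
            # leave the binding alone so an operator has to re-assign it deliberately.
            return "mismatch", (f"server key changed: expected {fingerprint(expected)}, "
                                f"got {fingerprint(presented_key)}")
        if self.first_time_authentication:
            # Guide: the server's public key is saved with the server's IP as its name.
            self.key_chain[server_ip] = presented_key
            self.bindings[server_ip] = server_ip
            return "saved", f"unverified key {fingerprint(presented_key)} saved as {server_ip}"
        return "rejected", "no RSA public key assigned for this server and first-time authentication is disabled"

    def server_info(self) -> List[Tuple[str, str]]:
        """Rows of 'display ssh server-info': (Server Name(IP), Server public key name)."""
        return sorted(self.bindings.items())


# Constructed placeholder hex, not real RSA keys.
KEY_A_HEX = "A1B2C3D4 E5F60718 293A4B5C 6D7E8F90"
KEY_B_HEX = "00112233 44556677 8899AABB CCDDEEFF"

if __name__ == "__main__":
    client = SshClient(first_time_authentication=True)
    key_a = parse_public_key_code(KEY_A_HEX)
    print(client.check_server("1.1.1.1", key_a))   # saved on the first login
    print(client.check_server("1.1.1.1", key_a))   # verified on the next login
    print(client.check_server("1.1.1.1", parse_public_key_code(KEY_B_HEX)))  # mismatch
    print(client.server_info())
```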
Procedure
Step 1 Run:
system-view
After entering the public key edit view, copy and paste the RSA public key generated on the server to the
client.
Step 5 Run:
public-key-code end
Exit from the public key view, and the system view is displayed.
Step 7 Run:
ssh client server-ip-address assign rsa-key key-name
If the public key saved on the SSH client becomes invalid, run the undo ssh client server-ip-address
assign rsa-key command to cancel the binding between the SSH client and the server, and then run the
ssh client server-ip-address assign rsa-key key-name command to bind the server to an RSA public key on the client again.
Step 8 Run:
commit
5.6.4 Using SFTP to Connect the SSH Client to the SSH Server
You can log in to an SSH server from an SSH client by using SFTP.
Context
The command used to enable the SFTP client is similar to the command used to enable the
STelnet client. Both commands can carry the source address, key exchange algorithm,
encryption algorithm, HMAC algorithm, and Keepalive interval.
Do as follows on the device that functions as an SSH client:
Procedure
Step 1 Run:
system-view
The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.
Step 3 Run:
commit
Context
After logging in to the SSH server from the SFTP client, you can perform the following
operations on the SFTP client:
l Create and delete directories of the SSH server; view the current working directory; view files in a directory and the list of sub-directories.
Procedure
Step 1 Run:
system-view
The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.
Step 3 Perform one or more operations shown in Table 5-4 as needed.
Table 5-4 File operation
File Operation         Description
Managing directories   Deleting directories on the server
                       Creating a directory on the server
Managing files         Uploading files to a remote server
----End
Prerequisite
The configurations of using SFTP to access other devices are complete.
Procedure
l Run the display sftp-client command to check the source address of the SSH client.
l Run the display ssh server-info command to check mappings between SSH servers and RSA public keys on the client.
----End
Example
Run the display sftp-client command on the client to view parameters about the SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1
Run the display ssh server-info command to view mappings between servers and RSA public
keys on the client.
<HUAWEI> display ssh server-info
Server Name(IP)                        Server public key name
________________________________________________________________________
1000::1                                1000::1
10.1.1.1                               10.1.1.1
100.1.1.23                             100.1.1.23
10.164.1.1                             10.164.1.1
10.164.1.2                             10.164.1.2
Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, you can log in to other devices
by using Telnet from the device that you have logged in to.
As shown in Figure 5-9, a user can telnet to P1 but cannot directly telnet to P2. P1 and P2 are
routable. The user logs in to P1, and then telnets to P2 to remotely configure and manage P2.
Figure 5-9 Networking diagram for using Telnet to log in to another device (a PC reaches P1 over a network; P1 has GE1/0/1 at 1.1.1.1/24 and P2 has GE1/0/1 at 2.1.1.1/24; one Telnet session runs from the PC to P1 and a second from P1 to P2)
Precautions
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the Telnet authentication mode and password.
<HUAWEI> system-view
[~HUAWEI] sysname P2
[~HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode password
[~P2-ui-vty0-4] set authentication password simple hello
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit
[~P2-acl-basic-2000] quit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] acl 2000 inbound
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit
----End
Configuration Files
l Configuration file of P1
#
sysname P1
#
interface gigabitethernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
admin
return
l Configuration file of P2
#
sysname P2
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
set authentication password simple hello
acl 2000 inbound
#
admin
return
Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Logging in by using Telnet poses a
security risk because Telnet does not provide any secure authentication mechanism and data is
transmitted over TCP in plain text.
STelnet provides secure Telnet services based on SSH connections. By providing encryption and
authentication, SSH protects devices against IP address spoofing and plain-text password
interception. As shown in Figure 5-10, after the STelnet server function is enabled on the SSH
server, the STelnet client can log in to the SSH server in password, RSA, password-RSA, or all
authentication mode.
Figure 5-10 Networking diagram for logging in to another device by using STelnet (SSH Server at 1.1.1.1/16; Client 001 and Client 002 at 1.1.2.2/16 and 1.1.3.3/16; every device uses GE0/0/0)
Precautions
Two users client001 and client002 are configured to log in to the SSH server in the authentication
mode of password and RSA respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2.
Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts to
log in to the server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
# Client001 logs in to the SSH server in password authentication mode by entering the user name
and password.
[~client001] stelnet 1.1.1.1
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:
Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>
If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status, display ssh server
session and display ssh server statistics commands on the SSH server. You can find that the
STelnet server function has been enabled, and the STelnet client has logged in to the server
successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Disable
Stelnet server                     : Enable
(Output of the display ssh server session command: the field names were lost in extraction; the values shown for the session are 2, VTY 4, 2.0, started, client002, 1, aes128-cbc, aes128-cbc, hmac-sha1-96, hmac-sha1-96, diffie-hellman-group-exchange-sha1, stelnet, rsa.)
----End
Configuration Files
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return
Networking Requirements
In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP involves
complicated interactions between terminals and servers, which are hard to implement on terminals
without advanced operating systems. TFTP is designed for file transfer that does not need
complicated interactions between terminals and servers. It is simple and inexpensive to
implement. TFTP can be used only for simple file transfer, without authentication.
As shown in Figure 5-11, a user logs in to the TFTP client from a PC, and uploads files to and
downloads files from the TFTP server.
Figure 5-11 Networking diagram for accessing another device by using TFTP (PC, TFTP Client and TFTP Server; address shown: 10.111.16.160/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the directory of source files on the server.
2. Use TFTP commands on the TFTP client to download files.
3. Use TFTP commands on the TFTP client to upload files.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable the TFTP server function.
Enter the directory in which the file to be downloaded resides on the TFTP server in the Current
Directory column, as shown in Figure 5-12.
Figure 5-12 Setting the current directory on the TFTP server
NOTE
Run the tftpservermt command on the client to enter the TFTP server path and run the following
command:
/home/tftpservermt # ./tftpserver -v -i tftpserver.ini
TFTP Server MultiThreaded Version 1.61 Unix Built 1611
starting TFTP...
username: root
alias / is mapped to /home/
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 3
file read allowed: Yes
file create allowed: Yes
file overwrite allowed: Yes
thread pool size: 1
listening on: 0.0.0.0:69
Accepting requests..
Step 2 Log in to the TFTP client from the HyperTerminal to download a file.
<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select
[Y/N]:y
Transfer file in binary mode.
Please wait for a while...
/
3338 bytes transferred
File transfer completed
FileName
b.txt
VRPV800R002C00B020D0123.cc
Step 4 Log in to the TFTP client from the HyperTerminal to upload a file.
<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode.
Please wait for a while...
\
100% [***********]
File transfer completed
----End
Configuration Files
None.
Networking Requirements
When you need to transfer files with a remote FTP server or manage directories of the server,
you can configure the current device as an FTP client and then access the FTP server by using
FTP.
As shown in Figure 5-13, the FTP client and server are routable. You can log in to the FTP
server from the FTP client to download system software from the FTP server and configure the
software on the client.
Figure 5-13 Networking diagram for accessing another device by using FTP (FTP Client and FTP Server, each on GE1/0/1, at 2.1.1.1/24 and 1.1.1.1/24, connected over a network)
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure the user name and password for an FTP user to log in to the FTP server and the
directory that the user will access.
4. Configure the file transfer mode and working directory to allow the client to download files from the server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] local-user huawei password simple 123
[~HUAWEI-aaa] local-user huawei service-type ftp
[~HUAWEI-aaa] local-user huawei ftp-directory cfcard:/
[~HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
Step 4 Set the file transfer mode to dir and the working directory to new_dir:/ on the FTP client.
[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit
Step 5 Download the latest system software from the FTP server on the FTP client.
[ftp] get VRPV800R002C00B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for VRPV800R002C00B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
Run the dir command to check whether the required file has been downloaded to the client.
----End
Configuration Files
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
admin
return
Networking Requirements
SFTP runs over an SSH connection, so users log in to the remote device and manage and transfer files over an authenticated, encrypted channel. Because the device can function as an SFTP client, you can log in to a remote SSH server from the device to transfer files securely.
As shown in Figure 5-14, after the SFTP server function is enabled on the SSH server, the SFTP client can log in to the SSH server using the password, RSA, password-RSA, or all authentication mode.
Figure 5-14 Networking diagram for accessing another device by using SFTP (SSH Server GE0/0/0 1.1.1.1/16; Client 001 GE0/0/0 1.1.2.2/16; Client 002 GE0/0/0 1.1.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication modes to log in to the SSH server.
2. Generate local key pairs on client002 and the SSH server, and bind the RSA public key generated on client002 to the SSH user client002 on the server, so that the server can authenticate the client when it logs in.
3.
4. Configure the service type and authorized directory for the SSH users.
5. Client001 and client002 log in to the SSH server in SFTP mode to obtain files on the server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the server to generate a local key pair. When prompted for the modulus size, choose 2048 bits, the largest value the range allows; the 512-bit default is far too small to resist factoring.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] :
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
[~SSH Server] aaa
[~SSH Server-aaa]
[~SSH Server-aaa]
[~SSH Server-aaa]
[~SSH Server-aaa]
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
308188
028180
B21315DD A443130F 411B8B73 40A35DE6 1987178B
A9F7E8FE 171896FB
0203
010001
859AD7E4 7CDB95D8 3CDD494A 2C6A82D7 8C364D57
E0D5A1B5 1FFC38CD A6D0D9B8 4A4AE2F3 236F35AB
5C5F2C36 DD0AA24A 092F7112 121F23F0 D94A73D7
9BBFE19A 67FBC275 A0C2F87F 660BD153 006BB1BB
36FDFD5F 7336150B 2DF7E4C5 474C7931 7FB7D5B2
1EDA55AF E1539F1F 22135C16 6D87BC2B A96FFC29
80C71881 9EB3FCAC AAC236DE 96559C38 EF70069D
CF22D6A4 2BFEF147 EFBF9865 04FC034B DD1EE053
02682F2F EEF59F23 E50D8D26 54CFE7B3
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code] 010001
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in RSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[~SSH Server] ssh user client001 sftp-directory cfcard:
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:
(display ssh server session output; field names lost in extraction)
2  SFTP 4  2.0  started  client002  1  aes128-cbc  aes128-cbc  hmac-sha1-96  hmac-sha1-96  diffie-hellman-group-exchange-sha1  sftp  rsa
(SSH user information for client002; field names lost in extraction)
client002  rsa  rsakey001  -
Service-type : sftp
----------------------------------------------------
----End
Configuration Files
#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.3.3 255.255.0.0
#
ssh client first-time enable
#
admin
return
Networking Requirements
The default SSH listening port number is 22. If attackers continuously access this port, bandwidth
resources are consumed and performance of the server deteriorates. As a result, valid users
cannot access the server.
If the listening port number of the SSH server is changed to a non-default one, attackers do not
know the change and continue to send requests for socket connections to port 22. The SSH server
denies the connection requests because the listening port number is incorrect.
Valid users can set up socket connections with the SSH server by using the new listening port
number to implement the following functions: negotiate the version of the SSH protocol,
negotiate the algorithm, generate the session key, authenticate, send the session request, and
attend the session.
Figure 5-15 Example for accessing the SSH server by using a non-default listening port number (SSH Server GE0/0/0 1.1.1.1/16; Client 001 GE0/0/0 1.1.2.2/16; Client 002 GE0/0/0 1.1.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication modes to log in to the SSH server.
2. Generate local key pairs on client002 and the SSH server, and bind the RSA public key generated on client002 to the SSH user client002 on the server, so that the server can authenticate the client when it logs in.
3. Enable the STelnet and SFTP server functions on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Configure a non-default listening port number on the SSH server so that only users who know the port reach it.
6. Client001 and client002 log in to the SSH server by using STelnet and SFTP respectively.
Data Preparation
To complete the configuration, you need the following data:
l
Client002: RSA authentication (public key: RsaKey001) and SFTP service type
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~SSH Server] commit
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code]
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:
[~SSH Server] commit
Step 4 Enable the STelnet and SFTP server functions on the SSH server.
[~SSH Server] stelnet server enable
[~SSH Server] sftp server enable
[~SSH Server] commit
# The STelnet client logs in to the SSH server by using the new listening port number.
[~client001] stelnet 1.1.1.1 1025
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:
Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<SSH Server>
# The SFTP client logs in to the SSH server by using the new listening port number.
[~client002] sftp 1.1.1.1 1025
After the configuration is complete, run the display ssh server status, display ssh server session and display ssh server statistics commands on the SSH server. The output shows the current listening port number of the SSH server and that the STelnet or SFTP client has logged in to the server successfully.
Note the algorithms negotiated in the session output below: aes128-cbc, hmac-sha1-96 and diffie-hellman-group1-sha1 (a 1024-bit group) are weak by current standards. Prefer CTR or GCM ciphers, SHA-2 MACs and larger key-exchange groups wherever the software offers them.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Enable
STELNET server                     : Enable
SSH server port                    : 1025
(display ssh server session output; field names lost in extraction)
2  VTY 4  2.0  started  client002  1  aes128-cbc  aes128-cbc  hmac-sha1-96  hmac-sha1-96  diffie-hellman-group1-sha1  sftp  rsa
----End
Configuration Files
A443130F 9BBFE19A 8C364D57 7FB7D5B2 7CDB95D8 7336150B DD0AA24A 171896FB 4A4AE2F3 40A35DE6 A0C2F87F 1FFC38CD
Networking Requirements
As shown in Figure 5-16, PE1 is an SSH client located on the MPLS backbone network, and
CE1 functions as an SSH server located on the private network with the AS number of 65410.
It is required that public network users securely access and manage CE1 after logging in to PE1.
Figure 5-16 Networking diagram for configuring an SSH client on the public network to access an SSH server on a private network
MPLS backbone, AS 100: PE1 (SSH client) Loopback1 1.1.1.9/32, POS1/0/1 100.1.1.1/30, GE1/0/1 10.1.1.2/24; P Loopback1 2.2.2.9/32, POS1/0/1 100.1.1.2/30, POS1/0/2 200.1.1.1/30; PE2 Loopback1 3.3.3.9/32, POS1/0/1 200.1.1.2/30, GE1/0/1 10.1.2.2/24.
VPN sites: CE1 (SSH server) GE1/0/1 10.1.1.1/24, connected to PE1; CE2 GE1/0/1 10.1.2.1/24, connected to PE2.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
3. Generate local key pairs on client002 and the SSH server, and bind the RSA public key generated on client002 to the SSH user client002 on the server, so that the server can authenticate the client when it logs in.
4.
Enable the STelnet and SFTP server functions on the SSH server.
5.
Configure client001 to access CE1 by using STelnet and client002 by using SFTP.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the MPLS backbone network.
Configure an IGP to allow PEs and the P on the MPLS backbone network to communicate with
each other. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on
the MPLS backbone network.
For detailed configurations, see the configuration files in this example.
Step 2 Configure VPN instances on PEs and connect CEs to PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1] vpn-target 111:1 both
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface gigabitethernet 1/0/1
[~PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet1/0/1] undo shutdown
[~PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[~PE1-GigabitEthernet1/0/1] quit
[~PE1] commit
# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] route-distinguisher 200:1
[~PE2-vpn-instance-vpn1] vpn-target 111:1 both
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet 1/0/1
[~PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet1/0/1] undo shutdown
[~PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24
[~PE2-GigabitEthernet1/0/1] quit
[~PE2] commit
# Configure IP addresses for interfaces on CEs based on Figure 5-16. The configuration details
are not provided here.
After the configuration is complete, run the display ip vpn-instance verbose command on PEs.
You can view the configurations of VPN instances. Each PE can successfully ping its connected
CE.
NOTE
When there are multiple interfaces on a PE bound to the same VPN instance, specify the source address in
the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE
connected to the peer PE. Otherwise, the ping may fail.
Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN routes.
# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] import-route direct
[~CE1-bgp] quit
[~CE1] commit
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpn1] import-route direct
[~PE1-bgp-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit
# Configure CE2.
[~CE2] bgp 65420
[~CE2-bgp] peer 10.1.2.2 as-number 100
[~CE2-bgp] import-route direct
[~CE2-bgp] quit
[~CE2] commit
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[~PE2-bgp-vpn1] import-route direct
[~PE2-bgp-vpn1] quit
[~PE2-bgp] quit
[~PE2] commit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can find that the EBGP peer relationships between PEs and the CEs are in the
Established state.
Use the peer relationship between PE1 and CE1 as an example.
[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1                 Peers in established state : 1
Peer      V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
10.1.1.1  4  65410  3        3        0     00:00:37  Established  1
# Copy the RSA public key generated on the client to the server.
[~CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~CE1-rsa-key-code] 3067
[~CE1-rsa-key-code] 0240
[~CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[~CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[~CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[~CE1-rsa-key-code] E2EE8EB5
[~CE1-rsa-key-code] 0203
[~CE1-rsa-key-code] 010001
[~CE1-rsa-key-code] public-key-code end
[~CE1-rsa-public-key] peer-public-key end
[~CE1-rsa-public-key] quit
[~CE1] commit
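The public key that the client displays (the ssh-rsa line under "Public key code for pasting into OpenSSH authorized_keys file" in the previous example) and the key code pasted on the server above are two encodings of the same RSA public key: an OpenSSH authorized_keys string, and hex groups laid out like a DER PKCS#1 RSAPublicKey (a SEQUENCE holding the modulus INTEGER and the exponent INTEGER, which is why every key code on this page ends in 0203 010001). The following Python is an added example, not code from this guide or from Huawei. It decodes the page's sample ssh-rsa string, re-encodes it as DER hex groups, and computes the OpenSSH-style SHA256 and MD5 fingerprints of the key, the values you would compare against the server's own key display before answering Y at the "The server is not authenticated" prompt. Whether the device accepts this exact DER (in particular the leading 00 pad byte before a modulus whose top bit is set; the page's own key codes show 0240 with no pad) is an assumption to check against the client's key display, and the 512-bit sample key is the page's, not a recommended size.

```python
import base64
import hashlib
import struct

# Sample input copied from the page's display output ("Public key code for pasting into
# OpenSSH authorized_keys file"); the trailing "rsa-key" comment is kept to show it is ignored.
PAGE_OPENSSH_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn"
    "TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _read_string(blob, off):
    """Read one RFC 4251 'string' (big-endian uint32 length, then bytes) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_rsa(line):
    """Return (e, n, blob) from an 'ssh-rsa <base64> [comment]' authorized_keys line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(fields[1])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), blob


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative value; a 00 pad keeps a top-bit-set value positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def rsa_public_key_der(e, n):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def parse_rsa_public_key_der(der):
    """Inverse of rsa_public_key_der: return (e, n) from the DER bytes."""
    def tlv(buf, off):
        tag, ln, off = buf[off], buf[off + 1], off + 2
        if ln & 0x80:                       # long-form length
            k = ln & 0x7F
            ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
        return tag, buf[off:off + ln], off + ln
    tag, body, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    t_n, n_bytes, off = tlv(body, 0)
    t_e, e_bytes, _ = tlv(body, off)
    if t_n != 0x02 or t_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def key_code_lines(der, per_line=5):
    """Render DER as upper-case 8-hex-digit groups, five per line, the shape of the
    device's key-code view (how the device treats the DER pad byte is an assumption)."""
    hexs = der.hex().upper()
    groups = [hexs[i:i + 8] for i in range(0, len(hexs), 8)]
    return [" ".join(groups[i:i + per_line]) for i in range(0, len(groups), per_line)]


def fingerprints(blob):
    """OpenSSH-style fingerprints of the raw key blob: SHA256 (unpadded base64) and MD5 (hex)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


if __name__ == "__main__":
    e, n, blob = parse_openssh_rsa(PAGE_OPENSSH_KEY)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print("\n".join(key_code_lines(rsa_public_key_der(e, n))))
    print(*fingerprints(blob))
```

The same fingerprint routine applies to a server host key: run it over the blob from the server's own key display (or its known_hosts line) and compare the result with what the client prints before you accept the key.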
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
# Create an SSH user named client002, configure RSA authentication for the user, and bind
the RSA public key to client002.
[~CE1] ssh user client002
[~CE1] ssh user client002 authentication-type rsa
[~CE1] ssh user client002 assign rsa-key RsaKey001
# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[~CE1] ssh user client002 service-type sftp
[~CE1] ssh user client002 sftp-directory cfcard:
[~CE1] commit
Step 7 Enable the STelnet and SFTP server functions on the SSH server.
[~CE1] stelnet server enable
[~CE1] sftp server enable
[~CE1] commit
Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).
# If the client logs in to the server for the first time, enable first-time authentication on the client. First-time authentication saves whatever host key the server presents once you answer Y, so compare the key fingerprint with the server's own key display over a trusted channel before accepting it; afterwards the saved key lets the client detect a server whose key has changed.
[~PE1] ssh client first-time enable
[~PE1] commit
Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
<CE1>
After the login succeeds, the following prompt is displayed, and you can operate files by using SFTP.
<sftp-client>
----End
Configuration Files
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface NULL0
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
ssh client first-time enable
#
admin
return
mpls
#
mpls ldp
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos1/0/2
undo shutdown
link-protocol ppp
ip address 200.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 200.1.1.0 0.0.0.255
#
admin
return
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.2.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 200.1.1.0 0.0.0.255
#
admin
return
Supports the customized management of various terminal users in the user interface view.
Supports command-based hierarchical protection, so that users of different levels can run only the commands of the corresponding levels.
Supports the local, password, and AAA authentication modes, which keep unauthorized users from accessing the router.
Supports entering a question mark "?" to obtain online help.
Provides network testing commands, such as tracert and ping, for quickly diagnosing network connectivity.
Provides detailed debugging information of various types to help diagnose network faults.
Supports logging in to and managing other routers through the telnet command.
Provides the FTP service for uploading and downloading files.
Provides multiple intelligent command resolution methods in the command line interpreter, such as partial matching and context-sensitive help, which make command entry easier.
NOTE
l The system supports commands of up to 1024 characters, including commands entered in incomplete form.
l If a command is entered in incomplete form, the system saves it to the configuration file in its complete form, which may exceed 1024 characters. In that case the command cannot be restored after the system restarts, so pay attention to the length of commands entered in incomplete form.
Applicable Environment
Before using the command line to configure services, you can establish the basic running
environment for the command line to meet the requirements of the actual environment.
Pre-configuration Tasks
Before establishing the running environment for the command line, complete the following
tasks:
l
Configuration Procedures
To establish the running environment for the command line, perform the following procedures.
Context
The login alert refers to the prompt that is displayed at the time after you access the router or
after you pass the authentication and before you start to exchange configurations with the system.
The login alert is configured to provide explicit indication for your login.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Context
If command levels are not adjusted individually, then after the command levels are updated all originally registered commands are adjusted automatically according to the following rules:
l The commands of Level 2 are moved to Level 10 and the commands of Level 3 are moved to Level 15.
No commands exist in Levels 2 to 9 and Levels 11 to 14. The user can move individual commands to these levels to refine privilege management.
CAUTION
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.
Procedure
Step 1 Run:
system-view
When no password is configured for the Level 15 user, the system prompts you to set a super password for Level 15 and at the same time asks whether to continue with the command level update. Select "N" to set the password first. If you select "Y", the command levels are updated in batches immediately, and a user who does not log in through the console port cannot then switch to the updated level because no Level 15 password exists.
Step 3 Run:
command-privilege level level view view-name command-key
All commands have default command views and levels. You do not need to reconfigure them.
----End
Procedure
Step 1 Run:
lock
Applicable Environment
Before configuring services through command lines, you need to understand the basic operations
of command lines.
Pre-configuration Tasks
Before using command lines, complete the following tasks:
l
Configuration Procedures
To use command lines, perform the following procedures as required.
The command line prompt "HUAWEI" is the default host name, and it can be changed with the sysname command. The current view can be determined from the prompt. For example, "<>" indicates the user view; "[]" indicates any view other than the user view.
You can run the quit command to quit the current view and return to the view one level lower. If the current view is the user view, the quit command exits the system.
You can run the return command to quit the current view and enter the user view. If the current
view is the user view, the user view is still displayed.
Certain commands that can be run in the system view can also be run in other views. The function
that can be realized through a command, however, is determined by the command view where
the command is run. For example, the mpls command is run to enable MPLS. If the mpls
command is run in the system view, it indicates that MPLS is enabled globally; if the mpls
command is run in the interface view, it indicates that MPLS is enabled on the corresponding
interface.
Key | Function
Common key | Inserts a character at the cursor position and moves the cursor to the right if the editing buffer is not full.
BackSpace | Deletes the character before the cursor and moves the cursor to the left. If the cursor is already at the head of the command, nothing happens.
Up cursor key or Ctrl_P |
Tab |
NOTE
On the HyperTerminal of Windows 9X, the cursor keys do not work because HyperTerminal on Windows 9X defines the keys differently. In this case, use Ctrl_P instead of the cursor key.
Follow-up Procedure
The device automatically saves each command you type (a keyboard entry ending with Enter or "?") in the history buffer. The display history-command command shows the commands that were run recently and helps you look up information.
Context
The basic configuration is complete.
Procedure
l
Run:
display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | interface interface-type [ interface-number ] ]
Run:
display this
Procedure
Step 1 Run:
display diagnostic-information [ file-name ]
Display Feature
When the information cannot be completely displayed on one screen, you can use the pause function. You have three choices, as listed in Table 6-2.
Table 6-2 List of display functions
Key | Function
Ctrl+C |
Space |
Enter |
Regular Expression
The regular expression describes a pattern that matches a set of character strings. It consists of
common characters (such as characters a to z) and special characters (or called metacharacters).
The regular expression functions as a template to match a character pattern with the searched
character string.
The regular expression features the following functions:
l
Checks and obtains the sub-character string that matches a certain rule in the character
string.
Common character
Common characters match common characters in the character string, including all the
uppercase letters, lowercase letters, numbers, punctuation marks, and special symbols. For
example, "a" matches "a" in "abc"; "202" matches "202" in "202.113.25.155"; "@" matches
"@" in "xxx@xxx.com".
Special character
Special characters, together with common characters, match complicated or special
character strings. For example, "^10" matches "10.10.10.1" instead of "20.10.10.1".
Table 6-3 describes special characters and their syntax.
Table 6-3 Description of special characters
Special character | Syntax | Example
\ | Escapes the following special character so that it matches literally. | \* matches "*".
x|y | Matches x or y. |
[xyz] | Matches any one of the characters in the set. |
[^xyz] | Matches any one character that is not in the set. |
[a-z] | Matches any one character in the range. |
[^a-z] | Matches any one character outside the range. |
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
Unless otherwise specified, degeneration rules are applicable when preceding regular expressions
serve as subexpressions within parentheses.
The NE5000E supports the following filtering modes based on regular expressions. For the commands that support regular expressions, you can choose one of the following:
l | begin regular-expression
Outputs all lines starting from the first line that matches the regular expression. That is, the system displays the line that contains the specified character string (case sensitive) and all the lines after it.
l | exclude regular-expression
Outputs all lines that do not match the regular expression. That is, the system displays only the lines that do not contain the specified character string (case sensitive). If every line matches the rule, the output is empty.
l | include regular-expression
Outputs only the lines that match the regular expression. That is, the system displays only the lines that contain the specified character string (case sensitive). If no line matches the rule, the output is empty.
When you run a display command with a filtering rule to query configurations, note the following:
l The first line of the output is the whole line that contains the specified character string, not the part of that line that starts at the string.
l If a function has been configured but the configuration has not taken effect, the display command shows nothing for it.
The NE5000E supports the redirection of the output of the display command to a specified file.
There are two redirection modes:
l
> filename
The output of the display command is redirected to a specified file. If the file already exists,
the content of the file is overwritten.
>> filename
The output of the display command is appended to a specified file, with the original content
of the file unchanged.
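The filtering and redirection rules above, as an added example in Python (not code from this guide or from the device): it applies the begin, include and exclude modes to a constructed sample of display output with the case-sensitive, whole-line behaviour the notes describe, and writes the result with the overwrite semantics of > and the append semantics of >>. The sample lines and the temporary file path are constructed for the example.

```python
import os
import re
import tempfile

# Constructed sample, standing in for the lines a display command prints.
SAMPLE_OUTPUT = """#
sysname SSH Server
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.0.0
#
stelnet server enable
sftp server enable
#
ssh user client002 service-type sftp
ssh user client002 sftp-directory cfcard:
#
return""".splitlines()


def filter_lines(lines, mode, pattern):
    """Apply '| begin', '| include' or '| exclude' to output lines.

    Matching is case-sensitive and may occur anywhere in a line; 'begin' returns the
    first matching line in full and every line after it (empty if nothing matches)."""
    rx = re.compile(pattern)
    if mode == "begin":
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError("mode must be begin, include or exclude")


def redirect(lines, path, append=False):
    """'> filename' overwrites the file, '>> filename' appends; returns the file's lines."""
    with open(path, "a" if append else "w", encoding="ascii") as fh:
        fh.write("".join(line + "\n" for line in lines))
    with open(path, encoding="ascii") as fh:
        return fh.read().splitlines()


def demo():
    """Run the three filters and both redirections; returns a dict of results."""
    path = os.path.join(tempfile.mkdtemp(), "ssh.txt")
    ssh_lines = filter_lines(SAMPLE_OUTPUT, "include", "^ssh user")
    first = redirect(ssh_lines, path)                   # '>'  : file now holds 2 lines
    second = redirect(ssh_lines, path, append=True)     # '>>' : file now holds 4 lines
    return {
        "begin": filter_lines(SAMPLE_OUTPUT, "begin", "stelnet"),
        "include_case": filter_lines(SAMPLE_OUTPUT, "include", "SSH"),
        "exclude_comments": filter_lines(SAMPLE_OUTPUT, "exclude", "^#"),
        "anchored": filter_lines(["10.10.10.1", "20.10.10.1"], "include", "^10"),
        "overwrite": first,
        "append": second,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "anchored" entry reproduces the "^10" example from the regular expression section: the anchor keeps 20.10.10.1 out even though it contains "10", while an unanchored "10" would match both lines.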
Causes of command line errors: Unrecognized command; Wrong parameter; Incomplete command; Ambiguous command.
Full Help
You can obtain full help in any of the following methods:
l
Enter a "?" in any command view to obtain all the commands and their simple descriptions.
<HUAWEI> ?
Enter a command followed by a space and a "?". If the position of "?" is for a keyword, all the keywords and their brief descriptions are listed. Take the following command output as an example:
<HUAWEI> terminal ?
  debugging  Debug information to terminal
  logging    Log information to terminal
The words "debugging" and "logging" are keywords, while "Debug information to terminal" and "Log information to terminal" are their descriptions.
l
Enter a command followed by a space and a "?". If the position of "?" is for a parameter,
the value range and function of the parameter are listed. Take the following command
output as an example:
[~HUAWEI] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout (in minutes)
[~HUAWEI] ftp timeout 35 ?
<cr>
In the command output, "INTEGER<1-35791>" indicates the value range, and "The value
of FTP timeout (in minutes)" is the brief description of the parameter function. "<cr>"
indicates that no parameter is in the position. In this case, press Enter to run the command.
Partial Help
You can obtain partial help in any of the following methods:
l
Enter a string followed by a "?", and then the system lists all the keywords that start with
the string.
<HUAWEI> d?
debugging
dir
delete
display
Enter a command followed by a "?" if there are several matches for the keyword. Then all the keywords starting with the string are listed.
<HUAWEI> display c?
car
configuration
cpu-defend
cpu-usage
clock
control-flap
cpu-monitor
current-configuration
Enter the initial letters of a keyword in a command line and press Tab. Then, the complete
keyword is displayed. If there are several matches for the keyword, you can press Tab
repeatedly. Then, various keywords are displayed, and you can choose the one you need.
Applicable Environment
When configuring services through command lines, you can define shortcut keys to rapidly enter
the frequently-used commands.
Pre-configuration Tasks
Before using shortcut keys, complete the following tasks:
l
Configuration Procedures
To use shortcut keys, perform the following procedures.
Related Tasks
6.6.1 Example for Using Tab
6.6.2 Example for Defining Shortcut Keys
You can define five shortcut keys: Ctrl+G, Ctrl+L, Ctrl+O, Ctrl+T and Ctrl+U. You
can associate each shortcut key with any command. When you use a shortcut key, the system
automatically runs the corresponding command. For details, see 6.5.2 Defining Shortcut
Keys.
System shortcut keys are fixed. They provide fixed functions and cannot be defined by
users. The main system shortcut keys are listed in Table 6-5.
NOTE
Different terminal software defines shortcut keys differently. Therefore, the shortcut keys on a terminal
may be different from those listed in this section.
Function
Ctrl+C
Ctrl+K
Ctrl+N
Ctrl+P
Ctrl+Z
Ctrl+]
Procedure
Step 1 Run:
system-view
Context
If you enter an incomplete command and press a shortcut key instead of Enter, the entered characters are cleared and the command associated with the shortcut key is displayed and run, with the same result as entering the complete command.
As with commands typed in full, using a shortcut key records the original command in the command buffer and in the logs for later fault detection and queries.
Procedure
Step 1 Run:
display hotkey
The shortcut keys supported by the system and their functions are displayed.
NOTE
The function of shortcut keys may be affected by the terminal in use. For example, when user-defined
shortcut keys conflict with the system shortcut keys on the router, the terminal program intercepts
the shortcut keys when they are entered, and the corresponding command line cannot be run.
----End
Networking Requirements
Any router on the network is required.
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. If there is only one match for the incomplete keyword, enter the incomplete keyword and press Tab.
2. If there are several matches for the keyword, enter the incomplete keyword and press Tab
repeatedly until the desired keyword is displayed.
3. Enter an incorrect keyword and press Tab. In this case, the incorrect keyword remains unchanged.
Data Preparation
None.
The use of Tab is described as follows:
2. Press Tab.
The system replaces the entered keyword with the complete keyword followed by a space.
[~HUAWEI] ip route-static
2. Press Tab.
The system first displays the prefix common to all the matched keywords. In this example, the
prefix is "default".
[~HUAWEI] ip route-static default-
Press Tab to switch from one matched keyword to another. In this case, the cursor stays at the
end of the word.
[~HUAWEI] ip route-static default-bfd
[~HUAWEI] ip route-static default-preference
2. Press Tab.
The system displays the output in a new line. The entered keyword remains unchanged.
[~HUAWEI] ip route-static default-pe
Configuration Files
None.
Related Tasks
6.5 How to Use Shortcut Keys
Networking Requirements
Any router on the network is required.
Configuration Notes
If a user does not have the right to execute the command associated with a defined shortcut key,
the system makes no response when the user presses this shortcut key.
Configuration Roadmap
The configuration roadmap is as follows:
1. Define the shortcut key Ctrl+U and associate it with the display ip routing-table command.
Data Preparation
To define shortcut keys, you need the following data.
Procedure
Step 1 Define the shortcut key Ctrl+U, associate it with the display ip routing-table command, and
run it.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_u display ip routing-table
----End
Configuration Files
None.
Related Tasks
6.5 How to Use Shortcut Keys
7 Device Upgrade
Note
Before upgrading the NE5000E, pay attention to the following items:
l When upgrading the NE5000E at the site, prepare a spare part for each board.
l Obtain the new system software, the Product Adaptive File (PAF) or license file, and the
corresponding documents of the new version from Huawei.
l Enable the log function to record all the operations during the upgrade process.
l Check the software versions of all modules on each board, including the versions of the
BootROM, firmware, and MonitorBus.
l The NE5000E works properly and uses FTP/TFTP for the upgrade. Other devices can log in
to the NE5000E remotely.
l The NE5000E is upgraded for the first time and has been loaded with the system software
package. Other devices can log in to the NE5000E through the serial interface to configure
the IP address.
l The NE5000E is upgraded for the first time, but the system software package of the
NE5000E does not exist or is incorrect.
l After the NE5000E is upgraded and restarted, neither the master MPU nor the slave MPU
can be registered.
l After the NE5000E is upgraded, the master MPU can be registered but the slave MPUs
cannot be registered.
8 Patch Installation
8.1 Overview
A patch can be installed on a device to improve device performance.
Precautions
Note the following points when loading a patch on the NE5000E:
l When installing or uninstalling a patch, ensure that all boards that are in use on the device
have registered with the system. If any LPU on the device is starting during patch
installation or uninstallation, patch installation or uninstallation probably fails on this LPU.
l Do not remove or reinstall boards or close the VTP interface during patch installation.
l If the patch contains subcard patches, patch installation may last longer. Wait for at least
60 seconds after patch installation if you intend to delete the installed patch. This ensures
that the same type of subcards on an LPU are in the same status.
l If the startup patch command has been used to specify the patch to be loaded at the next
startup, run the patch-state run all command to activate the patch before restarting the
device.
9 Configuration Management
Context
As increasingly new types of services emerge, higher requirements are imposed on devices. For
example, it is required that services take effect after being configured, invalid configurations be
discarded, and impact on the existing services be minimized.
To ensure reliable user configurations, the system supports two-phase configuration validation.
In the first phase, the system performs syntax and semantics checks. In the second phase, the
configurations take effect and are used by services.
9.1 Introduction to Configuration Management
The system supports two configuration validation modes, namely, immediate validation and
two-phase validation. By default, the two-phase configuration validation mode takes effect.
9.2 Configuration Management Features that the NE5000E Supports
Configuration management features allow users to lock, preview, and discard configurations,
and to save the configuration file used at the current startup and the configuration file to be
loaded at the next startup of the system.
9.3 Selecting a Configuration Validation Mode
According to different reliability requirements, you can select either of two configuration
validation modes, namely, immediate validation and two-phase validation.
9.4 Managing Configuration Files
You can set the configuration file to be loaded at the next startup and save the configuration file.
9.5 Configuration Examples
This section provides examples of configuration management in a network. The configuration
flowchart helps you understand the configuration procedures. Each example provides information
about the networking requirements, configuration notes, and configuration roadmap.
In the two-phase configuration validation mode, the system configuration process is divided
into two phases:
In this mode, the system-view command is used to enter the system view. In the first phase,
a user enters a configuration command, and the system performs syntax and semantics
checks on the candidate database. If an incorrect clause is found, the system displays a
message on the command line terminal indicating the fault and its cause. After entering
a series of command lines to complete a configuration, you can run the commit command
to commit the configuration, and the system enters the second phase, the configuration
commit phase. In the second phase, the system delivers the configuration in the candidate
database to the corresponding service module. If the configuration takes effect, the system
adds it to the running database. If the same configuration already exists, the system displays
a message.
The following table lists advantages and disadvantages of the immediate configuration
validation and two-phase configuration validation modes.
Configuration Validation Mode | Advantage | Disadvantage
Immediate configuration validation mode | |
Two-phase configuration validation mode | |
configuration clearance
Deployment Scenario
Before configuring a service, you must enter a configuration view. After the configuration view
is displayed, the system initiates the corresponding configuration flow according to the set
configuration validation mode. If configurations need to be validated immediately, you can use
the immediate configuration validation mode. If configurations need to be validated after being
configured, you can use the two-phase configuration validation mode.
Pre-configuration Tasks
Before managing configuration files, complete the following tasks:
l Allowing the user to log in to the device and enter the user view.
Configuration Procedures
A user can select either the immediate configuration validation mode or the two-phase
configuration validation mode at a time.
Related Tasks
9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode
9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another
User in Two-Phase Configuration Validation Mode
9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration
Validation Mode
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation
Mode
9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase
Configuration Validation Mode
Context
Before configuring a service, you must enter the system view. After the system view is displayed,
the configuration validation mode can be specified. In immediate configuration validation mode,
after a user enters a command line and presses Enter, the system performs the syntax check. The
configuration takes effect as soon as it passes the syntax check.
Procedure
Step 1 (Optional) Run:
lock configuration
CAUTION
After locking configurations, you can edit and submit configurations. Other users can view and
edit configurations but cannot submit configurations.
They can configure services in the running database only if you unlock configurations.
Step 2 Run:
system-view immediately
To prevent a service from being affected, you can lock the configuration of a service as soon as the
corresponding service process is initiated. While the configuration is locked, configurations cannot
be submitted. The configuration of the service remains locked until the service process is successfully
started. During this period, the configuration cannot be modified but can be queried.
If the configuration fails to be submitted, wait 30 seconds and submit the configuration again. If the
submission fails again, the configuration is locked by a user.
In the immediate validation mode, the command prompt is as follows:
<HUAWEI> system-view immediately
[HUAWEI]
quit
CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise,
configurations of other users cannot take effect.
----End
Context
The two-phase configuration validation mode enhances security and reliability of configurations
and minimizes the impact of configurations on services. If the configuration of a service that
has taken effect does not meet expectations, the system can roll back to the status before the
configuration is committed. Figure 9-1 shows the procedures in two-phase configuration
validation mode.
Figure 9-1 Procedures in two-phase configuration validation mode (legend: mandatory procedure, optional procedure)
Procedure
Step 1 (Optional) Run:
lock configuration
CAUTION
After locking configurations, you can edit and commit configurations. Other users can view and
edit configurations but cannot commit configurations.
They can configure services in the running database only if you unlock configurations.
Step 2 Run:
system-view
The two-phase configuration validation mode is set and configurations can be edited.
NOTE
To prevent a service from being affected, you can lock the configuration of a service as soon as the
corresponding service process is initiated. While the configuration is locked, configurations cannot
be committed. The configuration of the service remains locked until the service process is successfully
started. During this period, the configuration cannot be committed but can be queried.
If the configuration fails to be committed, wait 30 seconds and commit the configuration again. If the
commit fails again, the configuration is locked by a user.
quit
CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise,
configurations of other users cannot take effect.
----End
Applicable Environment
Current configurations are saved into the configuration file. After the system is restarted,
configurations can be restored.
Pre-configuration Tasks
Before managing configuration files, complete the following tasks:
Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
Related Tasks
9.5.6 Example for Managing Configuration Files
Context
To avoid configuration loss on the router due to power-off or abnormal reset, the system supports
automatic or manual configuration saving.
To enable the system to automatically save configurations or to save configurations manually,
perform the following steps on the router.
Procedure
----End
Context
NOTE
The file name extension of the configuration file to be compared must be .cfg or .zip.
Procedure
Step 1 Run:
compare configuration [ configuration-file ]
The current configuration is compared with the configuration file for the next startup or with the
specified configuration file.
The comparison begins with the first line of each configuration file.
When comparing the configuration files, the system displays the contents of the current
configuration and of the saved configuration file starting from the first line that differs. By
default, 150 characters are displayed for each configuration file. If fewer than 150 characters
remain from the first differing line to the end of the file, all the contents after the first differing
line are displayed.
When the current configuration is compared with the configuration file for the next startup, if
that file is unavailable or empty, the system displays a message indicating that the file cannot
be read.
----End
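The comparison rule above (start at the first line, report from the first differing line, show at most 150 characters of each file, and fail when the next-startup file is missing or empty) can be reproduced in a few lines so that the output of compare configuration can be checked or replayed offline. The following Python function is an added example written for this page, not NE5000E software; the function names and the two constructed configuration texts (modelled on the configuration files shown later in this chapter) are assumptions.

```python
from itertools import zip_longest
from typing import Dict, List, Optional

# Constructed sample: a running configuration and a next-startup file, modelled
# on the configuration files shown in the examples of this chapter (not a capture).
CURRENT_CONFIG = "#\nsysname HUAWEI\n#\nftp server enable\n#\nreturn\n"
SAVED_CONFIG = "#\nsysname HUAWEI\n#\nreturn\n"


def has_valid_extension(filename: str) -> bool:
    """A configuration file passed to the comparison must be .cfg or .zip."""
    return filename.lower().endswith((".cfg", ".zip"))


def compare_configuration(current: str, saved: Optional[str],
                          width: int = 150) -> Dict[str, object]:
    """Compare two configuration texts line by line, starting at the first line.

    Returns the number of the first differing line and, for each text, up to
    `width` characters beginning at that line. If fewer than `width` characters
    remain from there to the end of the text, everything after the first
    differing line is returned.
    """
    if saved is None or not saved.strip():
        # An unavailable or empty next-startup file is reported as a read failure.
        raise ValueError("reading the next-startup configuration file failed")
    cur_lines: List[str] = current.splitlines()
    sav_lines: List[str] = saved.splitlines()
    for index, (cur, sav) in enumerate(zip_longest(cur_lines, sav_lines)):
        if cur != sav:
            return {
                "same": False,
                "line": index + 1,
                "current": "\n".join(cur_lines[index:])[:width],
                "saved": "\n".join(sav_lines[index:])[:width],
            }
    return {"same": True, "line": None, "current": "", "saved": ""}


def demo() -> Dict[str, object]:
    """Run the comparison on the constructed sample."""
    return compare_configuration(CURRENT_CONFIG, SAVED_CONFIG)


if __name__ == "__main__":
    result = demo()
    if result["same"]:
        print("The current configuration is the same as the next startup configuration file.")
    else:
        print(f"First difference at line {result['line']}")
        print("current:", result["current"], sep="\n")
        print("saved:", result["saved"], sep="\n")
```

The sample differs at the fourth line (ftp server enable is present in the running configuration but not in the saved file), so the function returns line 4 with the remainder of each text; with identical inputs it returns same=True, and a missing or empty saved file raises an error rather than being treated as an empty configuration.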
Context
After the system is restarted, you can specify a configuration file to restore system
configurations.
Procedure
Step 1 Run:
startup saved-configuration configuration-file
Context
The configuration file needs to be cleared in the following situations:
l The system software does not match the configuration file after the router is upgraded.
Procedure
Step 1 Run:
reset saved-configuration
Before clearing the configuration file of the router, the system compares the configuration file loaded at
the current startup with that to be loaded at the next startup of the system.
l If the two configuration files are consistent with each other, they are both cleared. At this time, the
configuration file to be loaded at the next startup must be configured on the router. Otherwise, there is
no configuration file on the device after the next startup.
l If the two configuration files are inconsistent with each other, the configuration file loaded at the current
startup is cleared.
l If the configuration file loaded at the current startup of the router is empty, the system will notify users
that the configuration file does not exist after the reset saved-configuration command is run.
WARNING
Exercise caution when using this command. It is recommended that you use this command
under the supervision of technical support personnel.
----End
Prerequisite
The file for the next startup has been loaded.
Procedure
l Run the display saved-configuration last command to check the configuration file loaded
at the current startup of the system.
l Run the display saved-configuration command to check the configuration file to be loaded
at the next startup of the system.
l Run the display startup command to check the names of the system software, the
configuration file loaded at the current startup, and the configuration file to be loaded
at the next startup.
----End
Example
# Display configuration information about specified configuration files.
<HUAWEI> display configuration vrpcfg.db
#
info-center loghost source LoopBack0
info-center loghost 10.1.1.1
info-center loghost 10.1.1.2
#
alarm
suppression name hwBfdSessReachLimit cause-period 5
suppression name hwBfdSessReachLimit clear-period 15
alarm name hwBfdSessReachLimit severity Critical
snmp target-host target-host1 mask name mask1
#
mask name mask1
mask severity Minor
mask severity Warning
mask alarm-name PmThresholdAlarm
#
user-interface maximum-vty 15
#
efm enable
#
aaa
local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
local-user ftp ftp-directory cfcard:/
local-user ftp service-type ftp
#
interface Ethernet3/0/1
description Don't Shutdown! It's Management Port!
undo shutdown
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
user-interface con 0
set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
history-command max-size 30
#
user-interface vty 0 14
user privilege level 3
idle-timeout 0 0
#
return
# Display the names of the system software, the configuration file loaded at the current
startup, and the configuration file to be loaded at the next startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        VRPV800R002C00SPC001B003.rpg
  Startup system software:                   VRPV800R002C00SPC001B003.rpg
  Next startup system software:              VRPV800R002C00SPC001B003.rpg
  Startup saved-configuration file:          cfcard:/v1.cfg
  Next startup saved-configuration file:     cfcard:/v2.cfg
  Startup paf file:                          default
  :                                          default
  :                                          NULL
  :                                          NULL
:
  :                                          VRPV800R002C00SPC001B003.rpg
  :                                          VRPV800R002C00SPC001B003.rpg
  :                                          VRPV800R002C00SPC001B003.rpg
  :                                          cfcard:/v1.cfg
  :                                          cfcard:/v2.cfg
  :                                          default
  :                                          default
  :                                          NULL
  :                                          NULL
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-2, a user logs in to the Router.
Figure 9-2 Networking of configuring services in immediate configuration validation mode (User, Router, IP Network)
To enable services to take effect immediately after they are configured, configure the services
in immediate configuration validation mode.
After you enter a command line and press Enter, the system performs the syntax check. The
configuration takes effect as soon as it passes the syntax check.
Configuration Roadmap
The configuration roadmap is as follows:
1. Choose the immediate configuration validation mode.
2. Configure a service.
Data Preparation
Interface IP address
Procedure
Step 1 Choose the immediate configuration validation mode.
<HUAWEI> system-view immediately
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#
Related Tasks
9.3 Selecting a Configuration Validation Mode
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-3, user A and user B log in to the Router at the same time. After user A
locks configurations on the Router, user B attempts to configure services on the device.
Figure 9-3 Networking of configuring services when configurations have been locked by
another user in two-phase configuration validation mode (UserA, UserB, Router, IP Network)
To use the running database exclusively, lock configurations on the device to prevent other users
from configuring services and submitting configurations. When configurations are locked by a
user and other users attempt to configure services, the system will notify them that configurations
have been locked. Other users can configure services in the running database only if the user
unlocks configurations.
Configuration Roadmap
The configuration roadmap is as follows:
1. User A locks configurations.
2. User B configures a service. The system will notify user B that the current configuration
fails because configurations have been locked by another user.
Data Preparation
Interface IP address
Procedure
Step 1 User A locks configurations.
<HUAWEI> lock configuration
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
#
Related Tasks
9.3 Selecting a Configuration Validation Mode
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-4, user A and user B log in to the Router at the same time. After user A
configures a service on the Router, user B performs the same configuration for the service on
the device.
Figure 9-4 Networking of multiple users to configure a same service in two-phase configuration
validation mode (UserA, UserB, Router, IP Network)
When user B submits the configuration that is the same as the configuration submitted by user
A, the system will notify user B that the configuration conflicts with an existing configuration.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
Interface IP address
Procedure
Step 1 Allow user A and user B to configure a same service successively.
l User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#
Related Tasks
9.3 Selecting a Configuration Validation Mode
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode
This section provides an example for multiple users to configure a service on one router.
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-5, user A and user B log in to the Router at the same time. After user A
configures a service on the Router, user B configures the service on the device. For example,
users A and B both configure different IP addresses on the same interface.
Figure 9-5 Networking of multiple users to configure a service in two-phase configuration
validation mode (UserA, UserB, Router, IP Network)
When user B submits the configuration, it will overwrite the configuration submitted by user A.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
Different interface IP addresses
Procedure
Step 1 Configure a service as user A and user B.
l Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router as user A.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
The following information indicates that the configuration of user B overwrites the configuration
submitted by user A.
[~HUAWEI-GigabitEthernet4/0/6] display this
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.2 255.255.255.0
return
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.2 255.255.255.0
#
Related Tasks
9.3 Selecting a Configuration Validation Mode
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-6, user A and user B log in to the Router at the same time. User A and
user B configure different services on the Router.
Figure 9-6 Networking of configuring different services by multiple users in two-phase
configuration validation mode (UserA, UserB, Router, IP Network)
If user A and user B submit two configurations of different services, both configurations take
effect.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
Interface IP address
Procedure
Step 1 Allow user A and user B to configure different services.
l User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
After user B commits configurations, the system adds new configurations on the basis of original
configurations.
<HUAWEI> display current-configuration
#
ftp server enable
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#
ftp server enable
#
return
Related Tasks
9.3 Selecting a Configuration Validation Mode
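The rules that Examples 9.5.2 to 9.5.5 illustrate one at a time (a commit refused while another user holds the lock, a repeated configuration reported as a conflict, a different value for the same item overwriting the earlier one, and different services from two users both taking effect), together with the rollback to the pre-commit state mentioned in 9.3, are shown together in the following Python model of a candidate database and a running database. It is an added example written for this page, not NE5000E software; the class ConfigStore, its method names, and the key/value representation of a configuration are assumptions, and the interface address and FTP values are taken from the examples above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A configuration is modelled as a mapping from the item being configured
# (for example the IP address of an interface) to its value (assumption).
Config = Dict[str, str]


@dataclass
class ConfigStore:
    """Running database plus one candidate database per logged-in user."""

    running: Config = field(default_factory=dict)
    candidates: Dict[str, Config] = field(default_factory=dict)
    lock_holder: Optional[str] = None
    history: List[Config] = field(default_factory=list)  # snapshots for rollback

    def lock(self, user: str) -> bool:
        """lock configuration: only one user may hold the lock at a time."""
        if self.lock_holder not in (None, user):
            return False
        self.lock_holder = user
        return True

    def unlock(self, user: str) -> bool:
        """Only the lock holder can release the lock."""
        if self.lock_holder != user:
            return False
        self.lock_holder = None
        return True

    def configure(self, user: str, key: str, value: str) -> None:
        """First phase: check the clause, then store it in the candidate database."""
        if not key.strip() or not value.strip():
            raise ValueError("syntax check failed: empty keyword or value")
        self.candidates.setdefault(user, {})[key] = value

    def commit(self, user: str) -> Tuple[bool, List[str]]:
        """Second phase: deliver the candidate database to the running database."""
        if self.lock_holder not in (None, user):
            return False, [f"configuration is locked by user {self.lock_holder}"]
        candidate = self.candidates.get(user, {})
        if not candidate:
            return False, ["no candidate configuration to commit"]
        self.history.append(dict(self.running))  # remember the state before commit
        messages: List[str] = []
        for key, value in candidate.items():
            if self.running.get(key) == value:
                messages.append(f"{key}: conflicts with an existing configuration")
            else:
                action = "overwritten" if key in self.running else "added"
                self.running[key] = value
                messages.append(f"{key}: {action}")
        self.candidates[user] = {}
        return True, messages

    def rollback(self) -> bool:
        """Return to the running database as it was before the last commit."""
        if not self.history:
            return False
        self.running = self.history.pop()
        return True


IP_KEY = "interface GigabitEthernet4/0/6 ip address"


def run_scenarios() -> Dict[str, object]:
    """Replay the four multi-user examples and a rollback; return the outcomes."""
    results: Dict[str, object] = {}

    # 9.5.2: user A holds the lock, so user B's commit is refused until A unlocks.
    store = ConfigStore()
    store.lock("A")
    store.configure("B", IP_KEY, "12.1.1.1 24")
    results["locked"] = store.commit("B")
    store.unlock("A")
    results["after_unlock"] = store.commit("B")

    # 9.5.3: user B commits exactly what user A already committed.
    store = ConfigStore()
    store.configure("A", IP_KEY, "12.1.1.1 24")
    store.commit("A")
    store.configure("B", IP_KEY, "12.1.1.1 24")
    results["same"] = store.commit("B")

    # 9.5.4: a different address on the same interface overwrites A's value;
    # rollback restores the value that was in effect before B's commit.
    store = ConfigStore()
    store.configure("A", IP_KEY, "12.1.1.1 24")
    store.commit("A")
    store.configure("B", IP_KEY, "12.1.1.2 24")
    store.commit("B")
    results["overwrite"] = store.running[IP_KEY]
    store.rollback()
    results["rolled_back"] = store.running[IP_KEY]

    # 9.5.5: different services from two users both take effect.
    store = ConfigStore()
    store.configure("A", IP_KEY, "12.1.1.1 24")
    store.commit("A")
    store.configure("B", "ftp server", "enable")
    store.commit("B")
    results["both"] = dict(store.running)
    return results
```

Note that in this model a refused commit leaves the candidate database untouched, so user B's configuration is committed unchanged once user A unlocks, and that the snapshot taken before each commit is what makes the rollback possible.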
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-7, a user logs in to the Router.
Figure 9-7 Managing Configuration Files (User, Router, IP Network)
Precautions
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. Change configurations.
4. After system upgrade, compare the current running configuration with that defined in the
configuration file loaded at system startup to check whether configurations are lost.
Data Preparation
None.
Procedure
Step 1 Change configurations.
For example, enable the FTP service.
<HUAWEI> system-view
Step 4 After system upgrade, compare the current running configuration with that defined in the
configuration file loaded at system startup to check whether configurations are lost.
<HUAWEI> compare configuration
The current configuration is the same as the next startup configuration file.
----End
Configuration Files
#
sysname HUAWEI
#
ftp server enable
Related Tasks
9.4 Managing Configuration Files
10
Storage Devices
Storage devices are hardware devices for storing information.
At present, the router supports storage devices such as flash memory and compact flash (CF)
cards.
Directories
A directory is a mechanism with which the system integrates and organizes files, serving
as a logical container for files.
Files
A file is a mechanism with which the system stores and manages information.
Context
You can manage directories by changing and displaying directories, displaying files in
directories and sub-directories, and creating and deleting directories.
Procedure
l Run:
cd directory
A directory is specified.
l Run:
pwd
l Run:
dir [ /all ] [ filename ]
l Run:
mkdir directory
l Run:
rename source-filename destination-filename
l Run:
rmdir directory
Related Tasks
10.5.1 Example for Managing a Directory
Context
l You can run the cd directory command to enter the required directory from the current
directory.
Procedure
l Run:
more filename
l Run:
copy source-filename destination-filename
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
l Run:
move source-filename destination-filename
l Run:
rename source-filename destination-filename
l Run:
zip source-filename destination-filename
l Run:
delete [ /unreserved ] filename
l Run:
undelete filename
If the current directory is not the directory that contains the file, you must specify the file by its
absolute path. If you use the /unreserved parameter in the delete command, the file cannot be
restored after being deleted.
l Run:
reset recycle-bin [ /f | filename ]
l Run:
system-view
l Run:
execute filename
l Run:
system-view
l Run:
file prompt { alert | quiet }
CAUTION
If the prompt is in quiet mode, no prompt appears for data loss due to misoperation.
----End
Related Tasks
10.5.2 Example for Managing Files
Networking Requirements
The router on which you need to manage a directory is correctly configured.
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Display the current directory.
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009  17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010  10:03:33   private-data.txt
    2  drw-                 Sep 09 2009  09:42:52   src
    3  drw-                 Sep 09 2009  09:42:53   logfile
    4  -rw-            280  Sep 09 2009  09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009  16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010  03:09:32   snmpnotilog.txt
    7  drw-                 Sep 09 2009  09:43:00   lam
    8  -rw-          2,584  Jan 21 2010  12:02:18   vrpcfg.cfg
    9  drw-                 Jan 21 2010  11:09:21   logfilelogfile
Step 3 Display the current directory. You can view that the new directory is successfully created.
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009  17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010  10:03:33   private-data.txt
    2  drw-                 Sep 09 2009  09:42:52   src
    3  drw-                 Sep 09 2009  09:42:53   logfile
    4  -rw-            280  Sep 09 2009  09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009  16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010  03:09:32   snmpnotilog.txt
    7  drw-                 Sep 09 2009  09:43:00   lam
    8  -rw-          2,584  Jan 21 2010  12:02:18   vrpcfg.cfg
    9  drw-                 Jan 21 2010  11:09:21   logfilelogfile
   10  drw-                 Jan 23 2010  11:10:42   abc

180,862 KB total (305,358 KB free)
----End
Related Tasks
10.3 Managing the Directory
Networking Requirements
By configuring the file system of the router, a user can operate the router through the console
port and copy files to the specified directory.
The file path in the storage device must be correct. If the user does not specify a target file name,
the source file name is the name of the target file by default.
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
Check this directory and view that the file is copied successfully to the specified directory.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Display the file information in the current directory.
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009  17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010  10:03:33   private-data.txt
    2  drw-                 Sep 09 2009  09:42:52   src
    3  drw-                 Sep 09 2009  09:42:53   logfile
    4  -rw-            280  Sep 09 2009  09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009  16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010  03:09:32   snmpnotilog.txt
    7  drw-                 Sep 09 2009  09:43:00   lam
    8  -rw-          2,584  Jan 21 2010  12:02:18   vrpcfg.cfg
    9  drw-                 Jan 21 2010  11:09:21   logfilelogfile
Step 3 Display the file information in the current directory to verify that the file has been copied to the specified directory.
<HUAWEI> dir
Directory of cfcard:/

Idx  Attr   Size(Byte)  Date         Time(LMT)  FileName
  0  -rw-        1,235  Dec 17 2009  17:10:53   vrpcfg.cfg
  1  -rw-      524,575  Jan 25 2010  10:03:33   private-data.txt
  2  drw-            -  Sep 09 2009  09:42:52   src
  3  drw-            -  Sep 09 2009  09:42:53   logfile
  4  -rw-          280  Sep 09 2009  09:42:53   $_patch_rollback_state
  5  -rw-       11,772  Nov 25 2009  16:56:55   $_patchstate_a
  6  -rw-            4  Jan 19 2010  03:09:32   snmpnotilog.txt
  7  drw-            -  Sep 09 2009  09:43:00   lam
  8  -rw-        2,584  Jan 21 2010  12:02:18   vrpcfg.cfg
  9  drw-            -  Jan 21 2010  11:09:21   logfilelogfile
 10  -rw-        1,605  Jan 23 2010  14:30:32   sample1.txt
----End
Related Tasks
10.4 Managing Files
11 Clock Synchronization Configuration
Concepts
Clock synchronization maintains a strict relationship between the frequencies or signal phases of all the devices on a network: signals are transmitted at the same average rate during a valid period, so all the devices on the network work at the same rate.
On a digital communication network, the sending end transmits digital pulse signals in specific timeslots and the receiving end extracts the pulses from those timeslots. The two ends can communicate only if their clocks are synchronized, and clock synchronization is what keeps the clocks of the sending end and the receiving end aligned.
Purpose
Clock synchronization limits the difference in clock frequency or phase between the network elements (NEs) on a digital network to within a defined range. On a digital communication network, discrete pulses obtained from Pulse Code Modulation (PCM)-coded information are transmitted. If the clock frequencies of two digital switching devices differ, or digital bit streams are corrupted by interference during transmission, phase drift or jitter occurs; the buffer of the digital switching system then loses or duplicates data, and the bit streams are transmitted incorrectly. If the frequency or phase difference exceeds the allowed range, bit errors and jitter occur and network transmission performance deteriorates.
The clock source types are as follows:

Type: Internal clock source

Type: BITS clock source
Description: Currently, Synchronous Digital Hierarchy (SDH) or Plesiochronous Digital Hierarchy (PDH) uses the Building Integrated Timing Supply System (BITS) to build a digital synchronization network and form a hierarchical timing allocation system.
Number: On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB, BITS0 and BITS1 appear as sources 1 and 2 in the display clock source output shown later in this chapter.
NOTE
The signal types supported by the interfaces are described in Table 11-2 of Clock Synchronization Features Supported by the NE5000E (NE5000E-X16).

Type: Line clock source
Number: Slot ID of an LPU + 2. For example, the number of the clock source on the LPU in slot 1 is 3 and the number of the clock source on the LPU in slot 2 is 4.
Limited by the lengths of clock cables, tracing or outputting BITS clock signals through clock interfaces is applicable only to the interfaces on a site. For the limit on the clock cable length, see "Clock Cable" in the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description.
The BITS clocks that devices can obtain from a BITS clock device are classified into two
types: 2.048 MHz clocks and 2.048 Mbit/s clocks. The input modes of BITS clocks are
classified into BITS0 and BITS1. A router obtains a clock through a clock interface on the
MPU.
The MPU on the NE5000E provides four clock interfaces. Two of them are input interfaces,
which are connected to BITS devices to obtain clock signals. The other two are output
interfaces, which are connected to the clock input interfaces on downstream devices to
provide time signals to the downstream devices.
NOTE
The difference between the 2.048 MHz clock and the 2.048 Mbit/s clock is that the 2.048 MHz clock provides only pulse signals for clock synchronization, whereas the 2.048 Mbit/s clock can also carry service-bearing signals in addition to the pulse signals for clock synchronization.
On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
- The MPU provides four clock interfaces, CLK/TOD0, CLK/TOD1, CLK/1PPS, and CLK/Serial.
NOTE
For the schematic diagram of the clock interfaces on the MPU, see the section "Control Plane" in the chapter "NE5000E-X16 CLC" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description.
- CLK/TOD0 and CLK/TOD1 are also called BITS0 and BITS1 respectively. CLK/1PPS and CLK/Serial, two SMB interfaces, are bound together to form BITS2. A BITS interface transmits only one type of signal at a time.
- RJ45 interfaces and SMB interfaces must be connected to dedicated clock cables to input and output clock signals. For the description of the clock cable, see "Clock Cable" in the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description.
- The NE5000E-X16 or the NE5000E using the new clock board CR52CLKB can be configured to trace different types of external BITS clock reference sources by using the clock bits-type command.
- An external clock reference source can be mapped to the index of a user clock reference source by using the clock bits-map command.
The signal types supported by clock interfaces are listed in the following table.
Interface Name: CLK/TOD0
Identified by Software: BITS0
Interface Type: RJ45
Signal Types:
  Clock signals: 2.048 Mbit/s clock signals; 2.048 MHz clock signals
  Time signals: 1PPS (RS422) + ASCII (RS422) time signals; two DCLS clock channels (one channel for input, the other for output)

Interface Name: CLK/TOD1
Identified by Software: BITS1
Interface Type: RJ45
Signal Types:
  Clock signals: 2.048 Mbit/s clock signals; 2.048 MHz clock signals
  Time signals: 1PPS (RS422) + ASCII (RS422) time signals; two DCLS clock channels (one channel for input, the other for output)

Interface Name: CLK/1PPS and CLK/Serial
Identified by Software: BITS2
Interface Type: SMB (both interfaces)
Signal Types:
  Clock signals: 2.048 Mbit/s clock signals; 2.048 MHz clock signals
  Time signals: 1PPS (TTL) + ASCII (RS232) time signals
If a BITS interface transmits 2.048 Mbit/s clock signals, 2.048 MHz clock signals, or two channels of DCLS time signals, you do not need to configure input or output, because these signal types are both input and output on the same interface. For example, if BITS0 transmits 2.048 Mbit/s clock signals, BITS0 both inputs and outputs 2.048 Mbit/s clock signals.
If a BITS interface transmits 1PPS+ASCII time signals, signal input or output must be specified, because 1PPS+ASCII time signals can be either input or output on an interface, but not both, at a time.
If BITS2 is used to transmit 1PPS+ASCII time signals (RS232), both SMB interfaces either input or output the time signals. If BITS2 transmits clock signals, CLK/1PPS is always used to input signals and CLK/Serial is always used to output signals.
The limitations on the output of different types of time signals on a device are as follows:
- If only one channel of time signals needs to be output, the signals can be successfully output.
- If two channels of 1PPS+ASCII signals need to be output at the same time, they can be successfully output.
- If one channel of 1PPS+ASCII signals and one channel of DCLS signals need to be output at the same time, only the 1PPS+ASCII signals can be successfully output.
Manual mode: The clock board is configured to always trace a specified clock source and not to trace another one even if the specified clock source fails.
Automatic mode: Clock source selection is based on either the priorities of clock sources or the Synchronous Status Message (SSM) levels of clock sources.
An SSM is a group of codes used to indicate the level of clock quality on a synchronization
network. For details about each SSM level, see Chapter "Clock Synchronization" in the
HUAWEI NetEngine5000E Core Router Feature Description - Basic Configurations.
Automatic clock source selection based on priorities: A clock board selects the clock source with the highest priority. If that clock source is lost, the clock board automatically switches to the clock source with the second highest priority; when the clock source with the highest priority recovers, the clock board traces it again. SSM levels are not involved. Clock source priorities are configurable; a clock source left at the default priority (19) is not selected during protection switching.
NOTE
Clock source priorities are locally valid, and are not sent to downstream devices by clock signals.
Automatic clock source selection based on SSM levels: A clock board selects the clock
source with the highest SSM level. If the SSM levels of the clock sources are the same,
the clock board selects a clock source among the clock sources based on their priorities.
If the clock source with the highest SSM level is lost, the clock board automatically
switches to trace the clock source with the second highest SSM level. If the original
clock source with the highest SSM level recovers, the clock board traces the clock source
again. The SSM level of a clock source can be specified or obtained from clock signals
sent from an upstream device. If the SSM level of a clock source is DNU and automatic
clock source selection based on SSM levels is adopted, the clock source is not selected
during protection switching.
NOTE
For BITS clock source signals received by the system, if the signal type is 2.048 Mbit/s, the SSM
level is extracted by the clock module from signals; if the signal type is 2.048 MHz, the SSM
level needs to be configured.
Configuration Procedures
1. On the NE5000E using the clock board CR52CLKA, configure the types of the BITS input and output clocks; on the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB, configure the external BITS clock reference source.
2. (Optional) Manually specify the clock source that the clock board traces.
3. Configure the system to automatically select a clock source based on the SSM levels or priorities of clock sources.
Applicable Environment
On a synchronous Ethernet network, if a BITS clock is on the same site as the router, the router must be configured to trace the BITS clock. The router then serves as the master clock that provides the primary clock signals for the entire network.
The BITS signal type may be 2.048 MHz, 2.048 Mbit/s, 1PPS, or DCLS and is configured on the clock board using commands.
Pre-configuration Tasks
None.
Configuration Procedures
Figure 11-1 Flowchart for configuring an external BITS clock reference source (mandatory step: Configuring an External Clock Reference Source for the Router and the Clock Signal Type; the flowchart also marks the optional steps)
Context
Do as follows on all the routers in the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run the clock bits-type command.
An external BITS clock reference source and its signal type are configured.
For information about the available clock reference source IDs and signal types, see the HUAWEI NetEngine5000E Core Router Command Reference.
Step 3 Run:
commit
Context
During the configuration of clock synchronization, the indexes of user clock sources are used to select clock sources. Therefore, each clock source must be mapped to the index of a user clock source.
Do as follows on all the routers in the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run the clock bits-map command.
An external clock reference source is mapped to the index of a user clock source.
Step 3 Run:
commit
Context
Run the following commands to check the previous configurations:
Procedure
- Run the display clock bits-type command to check the external reference clock sources on the clock board and their signal types.
- Run the display clock source command to check whether external clock reference sources are successfully mapped to the indexes of user clock reference sources.
----End
Example
Check the external clock reference sources on the clock board and their signal types.
<HUAWEI>display clock bits-type
bits0: 2mbps
bits1: 2mbps
bits2: 2mbps
Check the configured mappings between external clock reference sources and indexes of user
clock reference sources.
<HUAWEI> display clock source
Master clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
* 1     BITS0        13        sa4     lnc        on        abnormal
  2     BITS1        19        sa4     unknown    on        abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1     BITS0        13        sa4     lnc        on        abnormal
  2     BITS1        19        sa4     unknown    on        abnormal
------------------------------------------------------------------------------
Applicable Environment
If a device must always trace one specific clock source and does not need protection switching, you can specify that clock source for the device. When the specified clock source fails, however, the system does not switch to another clock source. For this reason, specifying a clock source for a device is not recommended.
In manual mode, you specify one clock source for the clock board to trace; only one clock source can be specified. If the specified clock source is lost, the system enters the hold-in state. When the precision of the clock in the hold-in state decreases, the device enters the free-running state, and its clock frequency may then differ from that of other devices.
NOTE
In the mode of automatically selecting a clock source, the clock source specified manually does not take effect.
Pre-configuration Tasks
Before manually specifying a clock source, complete the following tasks:
- Ensure that the device can normally receive clock source signals from the outside.
- Decide whether the BITS clock source or the line clock source is to be specified manually, according to the type of the received external clock source signals.
Procedure
Step 1 Manually configure the clock board to use the BITS clock reference source.
1. Run:
system-view
2. Run:
clock manual source source-value
The device is configured to use the BITS clock source received through the clock interface.
3. Run:
commit
Step 2 Manually configure the clock board to use a line clock reference source.
1. Run:
system-view
2. Run:
clock source lpuport slot slot-id card card-number port port-number
The specified POS interface is enabled to report received clock source signals to the clock board.
3. Run:
clock manual source source-value
The device is configured to use the line clock source received through the specified interface.
The value of source-value can only be the number of a reference source on an installed LPU. The number of a line clock source is the slot ID of the LPU plus 2.
4. Run:
commit
Applicable Environment
Where there are multiple clock sources, you can set priorities for the clock sources based on
their quality. In normal situations, a clock board uses the clock source with the highest priority.
When the clock source with the highest priority fails, the clock board uses the clock source with
the second highest priority. When the default priority (19) of a clock reference source is used,
the clock board does not select the clock reference source during protection switching.
If you configure protection switching according to the priorities of clock sources, you need to
configure clock source selection not to be based on SSM levels.
Pre-configuration Tasks
Before configuring automatic clock source selection based on priorities, complete the following
task:
Ensuring that a device can normally receive multiple clock source signals from another
device
Configuration Procedures
Figure 11-2 Flowchart for configuring automatic clock source selection based on priorities (the flowchart marks mandatory and optional steps; the steps are described in the procedures that follow)
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock auto
The system is configured to automatically select a clock source.
Step 3 Run:
commit
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ssm-control off
When clock source selection is not based on SSM levels, the system selects a clock source according to the priorities of clock sources.
Step 3 Run:
commit
Context
To ensure that the system can select a high-quality clock source, set the priorities of the clock sources received by the device according to the quality of the clock sources. The smaller the priority value of a clock source, the higher its priority.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock priority priority-value source source-value
The priority of the specified clock source is set.
NOTE
- If the priority of a reference source is 19 (the default value), this reference source is not chosen during protection switching. The smaller the priority value, the higher the priority.
- In Step 2, you can set the same priority for multiple clock sources. When clock source selection is performed based on priorities but the priorities of the clock sources are the same, the clock sources are selected in ascending order of their sequence numbers.
- If the clock interface on the MPU is not connected to any external clock source, the system ignores BITS0 and BITS1 when automatically selecting a clock source according to the priorities of clock sources and selects a clock source directly from the line clock sources of an LPU.
Step 3 Run:
commit
Prerequisite
All the configurations for automatic clock selection based on priorities are complete.
Procedure
- Run the display clock source command to check the priority of each clock source.
----End
Example
Run the display clock source command, and you can view the priority of each clock source.
For example:
<HUAWEI> display clock source
Master clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
* 1     BITS0        13        sa4     lnc        on        abnormal
  2     BITS1        19        sa4     unknown    on        abnormal
  9     LPU7         19        -       unknown    on        abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1     BITS0        13        sa4     lnc        on        abnormal
  2     BITS1        19        sa4     unknown    on        abnormal
  9     LPU7         19        -       unknown    on        abnormal
------------------------------------------------------------------------------
Applicable Environment
During automatic clock source selection based on priorities, the priorities of clock sources are
set. If the priorities of clock sources are not set based on the quality of the clock sources, the
device may select a clock source of low quality. The SSM levels are defined based on
international standard protocols. The higher the precision of a clock source, the higher the SSM
level of the clock source. When the switching among clock sources is performed based on SSM
levels, the device can select a clock source of higher precision.
When a device has multiple clock sources, the device selects a clock source based on the SSM
levels of the clock sources. The higher the clock precision, the higher the SSM level. In normal
situations, a clock board uses the clock source with the highest SSM level. When the clock source
with the highest SSM level fails, the clock board uses the clock source with the second highest
SSM level.
When a clock board is powered on, the SSM level of every clock source defaults to Unknown. The SSM levels in descending order are Primary Reference Clock (PRC), Transit Node Clock (TNC), Local Node Clock (LNC), Synchronous Equipment Timing Source (SETS), Unknown, and Do not use for synchronization (DNU). If the SSM level of a clock source is DNU and clock source selection is based on the SSM levels of clock sources, the clock source is not selected during protection switching.
The SSM level of a clock source can be obtained in either of the following ways:
- Automatically extracting the SSM levels of clock sources from the received clock source signals: If the clock source signals received from an upstream device contain SSM levels, those SSM levels are used and you do not need to specify SSM levels for the clock sources.
- Manually specifying the SSM levels of BITS clock sources: If the clock source signals received from an upstream device do not contain any SSM level, you need to specify the SSM level for each BITS clock source manually.
NOTE
In actual applications, the clock source signals received from lines contain SSM levels. Therefore, specifying SSM levels for line clock sources is not recommended.
BITS clock sources have two types of signals. When the rate of a clock signal is 2.048 Mbit/s, the clock board can extract the SSM level of the clock source from the clock signal if the signal carries it, and you can specify the SSM level manually if it does not. When the frequency of a clock signal is 2.048 MHz, you must specify the SSM level of the clock source manually.
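The priority rules of 11.5 and the SSM rules above can be checked offline before a configuration is committed. The following Python model is an added example written for this page, not Huawei code: it encodes the selection rules as stated in this chapter (smallest priority value wins and the default 19 is skipped in priority mode; highest SSM level wins and DNU is skipped in SSM mode, with priority and then source index as tie-breakers) and replays failures and recoveries to show protection switching and reversion. The ClockSource data class, the function names and the Router D source list (built from Table 11-3 and the Step 4 commands of the networking example) are this example's own assumptions.

```python
# Added example for this page (not Huawei code): a model of the clock source
# selection rules described in sections 11.5 and 11.6, used to check a planned
# priority/SSM configuration offline. Data model, function names and the
# Router D source list below are this example's own assumptions.
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Tuple

# SSM quality levels from best to worst, as listed on the page.
SSM_ORDER = ["prc", "tnc", "lnc", "sets", "unknown", "dnu"]
DEFAULT_PRIORITY = 19  # a source left at 19 is never chosen in priority mode


@dataclass(frozen=True)
class ClockSource:
    index: int              # 1 = BITS0, 2 = BITS1, LPU slot ID + 2 for line sources
    name: str
    priority: int = DEFAULT_PRIORITY
    ssm: str = "unknown"    # extracted from a 2.048 Mbit/s signal or configured
    available: bool = True  # False once the signal is lost ("abnormal")


def ssm_rank(level: str) -> int:
    """Smaller is better; an unrecognised label is treated as 'unknown'."""
    level = level.lower()
    return SSM_ORDER.index(level if level in SSM_ORDER else "unknown")


def select_source(sources: Iterable[ClockSource], ssm_control: bool) -> Optional[ClockSource]:
    """Return the source the clock board traces, or None (internal clock only)."""
    if ssm_control:
        # SSM mode: highest SSM level wins and DNU is never used; equal levels
        # fall back to the smaller priority value, then the lower source index.
        candidates = [s for s in sources if s.available and s.ssm.lower() != "dnu"]
        return min(candidates, key=lambda s: (ssm_rank(s.ssm), s.priority, s.index), default=None)
    # Priority mode: smallest priority value wins, the default 19 is skipped and
    # equal priorities are resolved by ascending source index.
    candidates = [s for s in sources if s.available and s.priority != DEFAULT_PRIORITY]
    return min(candidates, key=lambda s: (s.priority, s.index), default=None)


def trace_sequence(sources: Iterable[ClockSource], ssm_control: bool,
                   events: List[Tuple[str, bool]]) -> List[Optional[str]]:
    """Replay (source name, available) events; return the traced source after each.

    Re-running the selection after every event reproduces the revertive
    behaviour the page describes: when the preferred source recovers it is
    traced again. None means no external source is usable.
    """
    state = {s.name: s for s in sources}
    traced: List[Optional[str]] = []
    for name, available in events:
        state[name] = replace(state[name], available=available)
        chosen = select_source(state.values(), ssm_control)
        traced.append(chosen.name if chosen else None)
    return traced


def router_d_sources() -> List[ClockSource]:
    """Router D from Table 11-3 and Step 4: priority 1 LPU1, 2 LPU2, 3 BITS1."""
    return [
        ClockSource(1, "BITS0"),               # no cable, left at the default 19
        ClockSource(2, "BITS1", priority=3),   # clock priority 3 source 2
        ClockSource(3, "LPU1", priority=1),    # clock priority 1 source 3
        ClockSource(4, "LPU2", priority=2),    # clock priority 2 source 4
    ]


if __name__ == "__main__":
    srcs = router_d_sources()
    print("normal operation:", select_source(srcs, ssm_control=False).name)
    print("after LPU1, LPU2, BITS1 fail and LPU1 recovers:", trace_sequence(
        srcs, False, [("LPU1", False), ("LPU2", False), ("BITS1", False), ("LPU1", True)]))
```

The page's 11.6 verification output shows a source with priority 19 traced because it carries the best SSM level, so the 19 rule is applied only in priority mode here; if a deployment relies on a different reading of that rule, adjust select_source accordingly.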
Pre-configuration Tasks
Before configuring automatic clock source selection based on SSM levels, complete the
following task:
Ensuring that a device can normally receive multiple clock source signals from another
device
Configuration Procedures
Figure 11-3 Flowchart for configuring automatic clock source selection based on SSM levels (tasks: configure the system to automatically select a clock source; Configuring Clock Source Selection to Be Based on SSM Levels; (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock Source; configure the 2.048 Mbit/s BITS clock source to bear SSM timeslots; the flowchart marks mandatory and optional steps)
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock auto
The system is configured to automatically select a clock source.
Step 3 Run:
commit
Context
Do as follows on the router:
After the following configuration, the router selects a clock source and performs protection switching based on the SSM levels of the received clock sources.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ssm-control on
Clock source selection is configured to be based on SSM levels.
Step 3 Run:
commit
11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock
Source
On routers connected to an external BITS clock, configure the SSM levels of 2.048 MHz BITS clock sources so that clock source selection can be based on SSM levels.
Context
Because the 2.048 MHz BITS clock source signals received by a device do not contain any SSM
level, you need to specify the SSM levels for the clock sources to ensure that clock source
selection is based on SSM levels of the clock sources.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 4 Run:
commit
Context
BITS clock sources have two types of clock signals. When the clock signal type is 2.048 Mbit/
s, the clock board can extract an SSM level from the SA timeslot if the SA timeslot contains the
SSM level of the clock source. The default SA timeslots containing SSM levels in the clock
signals generated by the clock devices of different manufacturers are different. Therefore, to
ensure that the NE5000E can correctly extract the SSM levels contained in clock signals, you
need to configure the SA timeslots in 2.048 Mbit/s BITS clock source signals to bear SSM levels
on the NE5000E.
Do as follows on the router connected to an external BITS clock:
Procedure
Step 1 Run:
system-view
The SA timeslots in 2.048 Mbit/s BITS clock source signals are configured to bear SSM levels.
Step 3 Run:
commit
Prerequisite
All the configurations of automatic clock source selection based on SSM levels are complete.
Procedure
- Run the display clock config command to check the SSM level of the clock source being used by the system.
- Run the display clock source command to check the SSM levels of all clock sources of the system.
----End
Example
Run the display clock config command, and you can view the SSM level of the clock source
being used by the system. For example:
<HUAWEI> display clock config
Current source   : 1
Workmode         : auto
SSM control      : on
Output SSM Level : lnc
PLL state        : Current source step into pull-in range
Run mode         : Clock is in lock mode
Run the display clock source command, and you can view the SSM levels of all clock sources
of the system. For example:
<HUAWEI> display clock source
Master clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1     BITS0        10        sa4     unknown    on        abnormal
* 2     BITS1        19        sa4     lnc        on        normal
  3     LPU1         19        -       unknown    on        abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1     BITS0        10        sa4     unknown    on        abnormal
  2     BITS1        19        sa4     lnc        on        normal
  3     LPU1         19        -       unknown    on        abnormal
------------------------------------------------------------------------------
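The verification steps of 11.5 and 11.6 read the display clock source output by eye. The following Python script is an added example for this page, not Huawei code: it parses output in the layout shown above into the master and slave tables and flags a traced source whose state is not normal, a traced source whose SSM level is DNU, and master and slave tables that disagree on sources or priorities. The sample outputs are constructed to mirror the page's examples; the function names and the wording of the findings are the example's own.

```python
# Added example for this page (not Huawei code): parse the output of the
# display clock source command, as laid out in the verification examples, and
# audit it. Sample outputs are constructed to mirror the page; function names
# and the wording of the findings are this example's own assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List

# One table row: optional "*" (traced source), then the seven columns.
ROW = re.compile(
    r"^\s*(?P<star>\*)?\s*(?P<idx>\d+)\s+(?P<desc>\S+)\s+(?P<prio>\d+)\s+"
    r"(?P<sa>\S+)\s+(?P<ssm>\S+)\s+(?P<force>\S+)\s+(?P<state>\S+)\s*$"
)


@dataclass
class SourceRow:
    index: int
    description: str
    priority: int
    sa_bit: str
    input_ssm: str
    forcessm: str
    state: str
    in_use: bool  # True for the row marked with "*"


def parse_clock_source(text: str) -> Dict[str, List[SourceRow]]:
    """Return {"master": [...], "slave": [...]} parsed from the command output."""
    tables: Dict[str, List[SourceRow]] = {}
    current = None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.endswith("clock source:"):  # "Master clock source:" / "Slave clock source:"
            current = head.split()[0]
            tables[current] = []
            continue
        m = ROW.match(line)
        if m and current is not None:
            g = m.groupdict()
            tables[current].append(SourceRow(
                int(g["idx"]), g["desc"], int(g["prio"]), g["sa"], g["ssm"].lower(),
                g["force"], g["state"].lower(), g["star"] is not None))
    return tables


def audit(tables: Dict[str, List[SourceRow]]) -> List[str]:
    """Flag conditions that a verification step should not accept."""
    findings: List[str] = []
    master = tables.get("master", [])
    in_use = [r for r in master if r.in_use]
    if not in_use:
        findings.append("no clock source is marked * in the master table")
    for r in in_use:
        if r.state != "normal":
            findings.append(f"source {r.index} ({r.description}) is traced but its state is {r.state}")
        if r.input_ssm == "dnu":
            findings.append(f"source {r.index} ({r.description}) is traced although its SSM level is DNU")
    if "slave" in tables:
        # Both MPUs must list the same sources with the same priorities.
        seen = lambda rows: {(r.index, r.description, r.priority) for r in rows}
        if seen(master) != seen(tables["slave"]):
            findings.append("master and slave tables list different sources or priorities")
    return findings


# Constructed sample in the layout of the 11.5 example: BITS0 is traced (*)
# although the clock board still reports it abnormal.
SAMPLE_ABNORMAL = """\
Master clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
* 1     BITS0        13        sa4     lnc        on        abnormal
  2     BITS1        19        sa4     unknown    on        abnormal
  9     LPU7         19        -       unknown    on        abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1     BITS0        13        sa4     lnc        on        abnormal
  2     BITS1        19        sa4     unknown    on        abnormal
  9     LPU7         19        -       unknown    on        abnormal
------------------------------------------------------------------------------
"""

# Constructed healthy sample in the layout of the 11.6 example (SSM mode):
# BITS1 carries LNC, is in the normal state and is traced.
SAMPLE_HEALTHY = """\
Master clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1     BITS0        10        sa4     unknown    on        abnormal
* 2     BITS1        19        sa4     lnc        on        normal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1     BITS0        10        sa4     unknown    on        abnormal
  2     BITS1        19        sa4     lnc        on        normal
------------------------------------------------------------------------------
"""

# Same output, but the slave MPU reports a different priority for BITS1.
SAMPLE_MISMATCH = SAMPLE_HEALTHY.replace("  2     BITS1        19", "  2     BITS1        10")
```

Feed the script the raw text captured from the console after each step of 11.5 or 11.6; an empty findings list means the traced source is in the normal state and both MPUs agree on the source table.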
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number; a slot is numbered in the format of chassis ID/
slot number.
As shown in Figure 11-4, BITS clock signals enter Router A and Router D through clock
interfaces. The two external BITS clocks satisfy the requirements for the signal quality of the
G.812 local clock. Normally, the devices on the entire network synchronize with the external
BITS clock of Router A.
When the link between any two routers except the link between Router D and Router E is faulty,
the protection switching among clock sources is performed as follows:
- When the external BITS clock of Router A becomes faulty, all routers trace the external BITS clock of Router D.
- When the external BITS clock of Router D becomes faulty, all routers trace the external BITS clock of Router A.
- When the external BITS clock of Router A becomes faulty and then the external BITS clock of Router D becomes faulty, all routers trace the internal clock of Router D.
- When the external BITS clock of Router D becomes faulty and then the external BITS clock of Router A becomes faulty, all routers trace the internal clock of Router A.
Figure 11-4 Networking diagram for configuring protection switching among clock sources
Router A to Router F are interconnected through their POS1/0/0 and POS2/0/0 interfaces (W and E mark the west- and east-facing ends of each link), and external BITS clocks are connected to Router A and Router D. Link addresses shown in the diagram: 10.1.1.1 (Router A, POS2/0/0) and 10.1.1.2 (Router B, POS2/0/0); 20.1.1.1 (Router F, POS1/0/0) and 20.1.1.2 (Router E, POS1/0/0); 30.1.1.1 (Router E, POS2/0/0) and 30.1.1.2 (Router D, POS2/0/0); 40.1.1.1 (Router D, POS1/0/0) and 40.1.1.2 (Router C, POS1/0/0); and 50.1.1.1 (POS2/0/0, E end).
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure the type of the external BITS clock to which Router A and Router D are
connected to 2.048 Mbit/s.
2.
Configure the priority of the clock source on each router. This ensures that the protection
switchover of clock sources is performed based on priorities when a fault occurs.
Data Preparation
To complete the configuration, you need the following data: ID and priority of the clock source of each router, as shown in Table 11-3.
Table 11-3 Clock sources and their priorities of each router

Router    Clock Source in Use  Available Clock Source  ID  Priority
Router A  BITS0                BITS0                   1   1
                               LPU2                    4   2
                               LPU1                    3   -
                               Internal clock          -   -
Router B  LPU1                 LPU1                    3   1
                               LPU2                    4   2
                               Internal clock          -   -
Router C  LPU2                 LPU2                    4   1
                               LPU1                    3   2
                               Internal clock          -   -
Router D  LPU1                 LPU1                    3   1
                               LPU2                    4   2
                               BITS1                   2   3
                               Internal clock          -   -
Router E  LPU1                 LPU1                    3   1
                               LPU2                    4   2
                               Internal clock          -   -
Router F  LPU2                 LPU2                    4   1
                               LPU1                    3   2
                               Internal clock          -   -
Procedure
Step 1 Set the type of the external BITS clock sources of Router A and Router D to 2.048 Mbit/s.
Step 2 Connect BITS clock cables to each router, as shown in Figure 11-4.
Step 3 Configure the IP addresses for the interfaces on each router. The configuration details are not provided here.
Step 4 Set the priorities of the clock sources on each router, as shown in Table 11-3.
# Configure Router A.
<RouterA> system-view
[~RouterA] clock auto
[~RouterA] clock ssm-control off
[~RouterA] clock priority 1 source 1
[~RouterA] clock priority 2 source 4
[~RouterA] commit
# Configure Router B.
<RouterB> system-view
[~RouterB] clock auto
[~RouterB] clock ssm-control off
[~RouterB] clock priority 1 source 3
[~RouterB] clock priority 2 source 4
[~RouterB] commit
# Configure Router C.
<RouterC> system-view
[~RouterC] clock auto
[~RouterC] clock ssm-control off
[~RouterC] clock priority 1 source 4
[~RouterC] clock priority 2 source 3
[~RouterC] commit
# Configure Router D.
<RouterD> system-view
[~RouterD] clock auto
[~RouterD] clock ssm-control off
[~RouterD] clock priority 1 source 3
[~RouterD] clock priority 2 source 4
[~RouterD] clock priority 3 source 2
[~RouterD] commit
# Configure Router E.
<RouterE> system-view
[~RouterE] clock auto
[~RouterE] clock ssm-control off
[~RouterE] clock priority 1 source 3
[~RouterE] clock priority 2 source 4
[~RouterE] commit
# Configure Router F.
<RouterF> system-view
[~RouterF] clock auto
[~RouterF] clock ssm-control off
[~RouterF] clock priority 1 source 4
[~RouterF] clock priority 2 source 3
[~RouterF] commit
Step 5 Verify the configuration.
# Run the display clock source command on Router A. Only the last row of the output is retained here.
<RouterA> display clock source
...
  4     LPU2         2         -       unknown    on        normal
------------------------------------------------------------------------------
NOTE
"*" indicates that the clock source functions as the master clock source. The master clock source here is BITS0.
After the BITS clock source of Router A is lost, the status of the BITS0 clock source on Router A is abnormal and the clock source used by the system is source 4.
# After the BITS clock of Router A is lost, all routers perform protection switching based on the
priorities of clock sources. Figure 11-5 shows the clock source tracing after the BITS clock
source of Router A is lost.
Figure 11-5 Networking diagram of the clock source tracing after the BITS clock source of Router A is lost (Router A to Router F now trace the external BITS clock of Router D; the W and E marks show the link end through which each router traces its clock)
----End
Configuration Files
- Configuration file of Router E
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 20.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 30.1.1.1 255.255.255.0
#
clock priority 1 source 3
clock priority 2 source 4
#
return