
ATN 910&910I&910B&950B Multi-Service Access Equipment
V200R003C00

Configuration Guide (CLI)

Issue: 02
Date: 2013-12-31

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 02 (2013-12-31)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.


About This Document


Purpose
This document describes the features supported by the ATN device.
The usage precautions are as follows:
- A device can store keys in plaintext, reversible algorithm encryption, or irreversible algorithm encryption mode. The plaintext mode has the lowest security level, and the irreversible algorithm encryption mode has the highest security level. Use different storage modes for different scenarios. Exercise caution when using an insecure storage mode. The system automatically selects the irreversible algorithm encryption mode to store local user keys. Generally, the reversible algorithm encryption mode is used to store protocol keys to meet interworking requirements.

  If the plaintext mode is used, a password is stored in plaintext in the configuration file. This results in high security risks. The plaintext mode applies only to scenarios with special requirements, such as compatibility and interworking requirements.

Related Version
The following table lists the product version related to this document.

Product Name                                 Version
ATN 910, ATN 910I, ATN 910B, ATN 950B        V200R003C00

Intended Audience
This document is intended for:
- Commissioning Engineer
- Data Configuration Engineer
- Network Monitoring Engineer
- System Maintenance Engineer


Symbol Conventions
Symbol    Description
          Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
          Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
          Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
          Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
          Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.


GUI Conventions
Convention          Description
Boldface            Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>                   Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Changes in Issue 02 (2013-12-31)


This document has the following updates:
Known bugs are fixed.

Changes in Issue 01 (2013-10-31)


This document is the first release of the V200R003C00 version.


Contents
About This Document

1 Basic Configurations
1.1 Logging In to the System for the First Time
1.1.1 Introduction
1.1.2 Logging In to the Device Through the Console Port
1.2 CLI Overview
1.2.1 CLI Introduction
1.2.2 Online Help
1.2.3 CLI Features
1.2.4 Shortcut Keys
1.2.5 Configuration Examples
1.3 Basic Configuration
1.3.1 Configuring the Basic System Environment
1.3.2 Displaying System Status Messages
1.4 Configuring User Interfaces
1.4.1 User Interface Overview
1.4.2 Configuring the Console User Interface
1.4.3 Configuring the VTY User Interface
1.4.4 Configuration Examples
1.5 Configuring User Login
1.5.1 User Login Overview
1.5.2 Logging In to Devices Through the Console Port
1.5.3 Using Telnet to Log In to Devices
1.5.4 Using STelnet to Log In to Devices
1.5.5 Common Operations After Login
1.5.6 Configuration Examples
1.6 Managing the File System
1.6.1 File System Overview
1.6.2 Using the File System to Manage Files
1.6.3 Using FTP to Manage Files
1.6.4 Using SFTP to Manage Files
1.6.5 Configuration Examples

1.7 Configuring System Startup
1.7.1 System Startup Overview
1.7.2 Managing Configuration Files
1.7.3 Specifying a File for System Startup
1.7.4 Configuration Examples
1.8 Accessing Another Device
1.8.1 Accessing Another Device
1.8.2 Using Telnet to Log In to Other Devices
1.8.3 Using STelnet to Log In to Another Device
1.8.4 Using TFTP to Access Files on Another Device
1.8.5 Using FTP to Access Files on Another Device
1.8.6 Using SFTP to Access Files on Another Device
1.8.7 Configuration Examples
1.9 Device Maintenance
1.9.1 Introduction of Device Maintenance
1.9.2 Monitoring the Device Status
1.9.3 Board Maintenance
1.10 Patch Management
1.10.1 Patch Management Introduction
1.10.2 Checking Whether a Patch is Running in the System
1.10.3 Loading a Patch
1.10.4 Installing a Patch
1.10.5 (Optional) Deactivating the Patch
1.10.6 Configuration Examples for Patch Management
1.11 Glossary
1.12 Acronyms and Abbreviations

2 System Management
2.1 Information Center Configuration
2.1.1 Information Center Overview
2.1.2 Enabling Log Output
2.1.3 Enabling Alarm Output
2.1.4 Enabling the Output of Debugging Information
2.1.5 Maintaining Information Center
2.1.6 Information Center Configuration Examples
2.2 SNMP Configuration
2.2.1 Introduction
2.2.2 Configuring a Device to Communicate with an NM Station by Running SNMPv1
2.2.3 Configuring a Device to Communicate with an NM Station by Running SNMPv2c
2.2.4 Configuring a Device to Communicate with an NM Station by Running SNMPv3
2.2.5 SNMP Configuration Examples
2.3 RMON and RMON2 Configuration

2.3.1 Overview of RMON and RMON2
2.3.2 Configuring RMON
2.3.3 Configuring RMON2
2.3.4 RMON And RMON2 Configuration Examples
2.4 IP FPM Configuration
2.4.1 Overview
2.4.2 Configuring IP FPM End-to-End Performance Statistics Collection
2.4.3 Configuring IP FPM Hop-by-Hop Performance Statistics Collection
2.4.4 Maintaining IP FPM
2.4.5 Configuration Examples
2.5 NQA Configuration
2.5.1 Overview of NQA
2.5.2 Configuring the ICMP Test
2.5.3 Configuring the FTP Download Test
2.5.4 Configuring the FTP Upload Test
2.5.5 Configuring the Traceroute Test
2.5.6 Configuring the SNMP Query Test
2.5.7 Configuring the TCP Test
2.5.8 Configuring the UDP Test
2.5.9 Configuring the Jitter Test
2.5.10 Configuring a Jitter Test Based on the Mechanism That the LPU Sends Packets
2.5.11 Configuring the LSP Ping Test
2.5.12 Configuring the LSP Jitter Test
2.5.13 Configuring the LSP Trace Test
2.5.14 Configuring an ICMP Jitter Test
2.5.15 Configuring an ICMP Jitter Test Based on the Mechanism that the LPU Sends Packets
2.5.16 Configuring a Path Jitter Test
2.5.17 Configuring a Path MTU Test
2.5.18 Configuring the PWE3 Ping Test to Check the Single-segment PW
2.5.19 Configuring the PWE3 Trace Test to Check the single-segment PW
2.5.20 Configuring Universal NQA Test Parameters
2.5.21 Configuring Round-Trip Transmission Delay Thresholds
2.5.22 Configuring Uni-directional Transmission Delay Thresholds
2.5.23 Configuring the Trap Function
2.5.24 Configuring Test Results to Be Sent to the FTP Server
2.5.25 Configuring a Threshold for the NQA Alarm
2.5.26 Configuring a MAC Ping Test
2.5.27 Configuring a VPLS MAC Ping Test
2.5.28 Configuring a VPLS MAC Trace Test
2.5.29 Configuring VPLS PW Ping and VPLS PW Trace Test Instances
2.5.30 Configuring a General Flow Test Instance

2.5.31 Maintaining NQA
2.5.32 NQA Configuration Examples
2.6 Ping and Tracert
2.6.1 Ping and Tracert Overview
2.6.2 Configuring Ping and Tracert
2.6.3 Detecting the LDP LSP Through the Ping or Tracert Operation
2.6.4 Detecting the TE Tunnel Through the Ping or Tracert Operation
2.6.5 Detecting the PWE3 Network Through the Ping or Tracert Operation
2.6.6 Detecting the VPLS Network Through the Ping or Tracert Operation
2.6.7 Detecting the BGP or MPLS IP VPN Through the Ping or Tracert Operation
2.6.8 Checking Layer 2+Layer 3 Network Connectivity Using a Ping Operation
2.6.9 Checking the VPLS Network Through VPLS MAC Ping
2.6.10 Detecting Trunk Member Links Through a Ping Operation
2.6.11 Configuring Ping/Tracert to Locate a Connection Fault in a Multicast Network
2.6.12 Configuring CE Ping to Detect the Connectivity Between the PE and CE
2.7 Fault Management
2.7.1 Introduction
2.7.2 Configuring Alarm Management
2.7.3 Configuring Event Management
2.7.4 Maintenance
2.8 Performance Management
2.8.1 Configuring the Performance Management function
2.8.2 Configuration Examples
2.9 PoE Configurations
2.9.1 Configuring PoE
2.10 Glossary
2.11 Acronyms and Abbreviations

3 Reliability
3.1 Reliability Overview
3.1.1 Introduction
3.1.2 Reliability Technologies for IP Networks
3.1.3 Reliability Technologies Supported by the ATN
3.1.4 Networking of Reliability over an IP Network
3.2 VRRP Configuration
3.2.1 VRRP Overview
3.2.2 Configuring Basic Functions of a VRRP IPv4 Backup Group
3.2.3 Configuring an mVRRP IPv4 Backup Group
3.2.4 Configuring VRRP IPv4 Association
3.2.5 Maintaining VRRP
3.2.6 Configuration Examples
3.3 Bit-Error-Triggered Protection Switching Configuration

3.3.1 Bit-Error-Triggered Protection Switching Overview
3.3.2 Configuring TE Bit-Error-Triggered Tunnel Switching
3.3.3 Configuring Bit-Error-Triggered Route Switching
3.3.4 Configuring Bit-Error-Triggered Section-Layer Protection Switching
3.3.5 Configuration Examples
3.4 BFD Configuration
3.4.1 Introduction
3.4.2 Configuring Single-hop BFD
3.4.3 Configuring the Association Between the BFD Status and the Interface Status
3.4.4 Configuring the Association Between the BFD Status and the Sub-Interface Status
3.4.5 Configuring the BFD to Modify the PST
3.4.6 Configuring the Multi-Hop BFD
3.4.7 Configuring a BFD Session with Automatically Negotiated Discriminators
3.4.8 Configuring the Delay of a BFD Session to Go Up
3.4.9 Adjusting BFD Parameters
3.4.10 Globally Configuring the Destination Port Number for the Multi-Hop BFD Control Packet..............................827
3.4.11 Configuring the TTL Function Globally...............................................................................................................829
3.4.12 Configuring the Interval at Which Trap Messages Are Sent...........................................................................................830
3.4.13 Maintaining BFD...................................................................................................................................................832
3.4.14 Configuration Examples........................................................................................................................................833
3.5 GR Configuration.......................................................................................................................................................859
3.5.1 GR Introduction.......................................................................................................................................................859
3.5.2 Configuring the System-Level GR..........................................................................................................................868
3.5.3 Maintaining HA.......................................................................................................................................................870
3.6 Ethernet OAM Configuration.....................................................................................................................................870
3.6.1 CFM Configuration.................................................................................................................................................870
3.6.2 Configuring Basic Ethernet CFM............................................................................................................................875
3.6.3 Configuring Related Parameters of Ethernet CFM.................................................................................................885
3.6.4 Fault Verification on the Ethernet...........................................................................................................................889
3.6.5 Locating the Fault on the Ethernet..........................................................................................................................891
3.6.6 Configuring Association Between Ethernet CFM and an Interface........................................................................893
3.6.7 Associating EFM OAM with Ethernet CFM...........................................................................................................896
3.6.8 Configuring Association Between Ethernet CFM and an Interface (Triggering the Physical Status of the Interface Associated with Ethernet CFM to Become Down)..........................................................................................................898
3.6.9 Associating Ethernet CFM with VLL.....................................................................................................................901
3.6.10 Associating Ethernet CFM with VPLS.................................................................................................................907
3.6.11 Maintaining Ethernet OAM...................................................................................................................................912
3.6.12 Configuration Examples........................................................................................................................................912
3.7 EFM Configuration.....................................................................................................................................................960
3.7.1 EFM Overview........................................................................................................................................................960
3.7.2 Configuring Basic EFM Functions..........................................................................................................................966
3.7.3 Configuring Link Monitoring..................................................................................................................................971
3.7.4 Configuring Remote Loopback...............................................................................................................................973


3.7.5 Configuring Remote Fault Indication......................................................................................................................976
3.7.6 Configuring EFM Association Functions................................................................................................................977
3.7.7 Maintaining EFM....................................................................................................................................................984
3.7.8 Configuration Examples..........................................................................................................................................985
3.8 Y.1731 Configuration...............................................................................................................................................1002
3.8.1 Y.1731 Overview...................................................................................................................................................1002
3.8.2 Configuring Y.1731 Functions in VLL Networking.............................................................................................1008
3.8.3 Configuring Y.1731 Functions in VPLS Networking...........................................................................................1040
3.8.4 Configuring Y.1731 Functions in VLAN Networking..........................................................................................1071
3.8.5 Configuration Examples........................................................................................................................................1093
3.9 MPLS-TP OAM Configuration................................................................................................................................1143
3.9.1 Introduction...........................................................................................................................................................1143
3.9.2 Configuring MPLS-TP OAM for an LSP..............................................................................................................1146
3.9.3 Configuring MPLS-TP OAM for a PW................................................................................................................1155
3.9.4 Configuration Examples........................................................................................................................................1165
3.10 ISSU Configuration................................................................................................................................................1199
3.10.1 Introduction.........................................................................................................................................................1199
3.10.2 Implementing ISSU.............................................................................................................................................1200
3.10.3 Maintaining ISSU................................................................................................................................................1207
3.10.4 Configuration Examples......................................................................................................................................1207
3.11 Glossary..................................................................................................................................................................1209
3.12 Acronyms and Abbreviations.................................................................................................................................1210

4 Interface Management............................................................................................................1212
4.1 Interface Basic Configuration...................................................................................................................................1213
4.1.1 Interface Basic Configuration Overview...............................................................................................................1213
4.1.2 Configuring an Interface Description....................................................................................................................1222
4.1.3 Configuring the Hold-Time Interval After an Interface Becomes Up/Down........................................................1223
4.1.4 Configuring the Interval for Collecting Traffic Statistics on an Interface.............................................................1225
4.1.5 Enabling the Alarm Function on an Interface........................................................................................................1228
4.1.6 Disabling a Device from Sending Traps to an NMS When an Interface Flaps.....................................................1230
4.1.7 Maintaining Interface Basic Configuration...........................................................................................................1231
4.2 Logical Interface Configuration...............................................................................................................................1232
4.2.1 Logical Interface Configuration Overview............................................................................................................1233
4.2.2 Configuring a Loopback Interface.........................................................................................................................1233
4.2.3 Configuring a NULL Interface..............................................................................................................................1235
4.3 Fast Feeling Configuration.......................................................................................................................................1236
4.3.1 Fast Feeling Configuration Overview...................................................................................................................1236
4.3.2 Configuring Fast Feeling.......................................................................................................................................1237
4.3.3 Maintaining Fast Feeling.......................................................................................................................................1238
4.4 Flapping Control Configuration...............................................................................................................................1238
4.4.1 Flapping Control Configuration Overview............................................................................................................1238


4.4.2 Configuring the Interface Flapping Control..........................................................................................................1240
4.4.3 Maintaining the Flapping Control Feature............................................................................................................1242
4.5 Transmission Alarm Configuration..........................................................................................................................1243
4.5.1 Transmission Alarm Configuration Overview......................................................................................................1243
4.5.2 Configuring Transmission Alarm Customization..................................................................................................1244
4.5.3 Configuring the Interval for Filtering Transmission Alarms.................................................................................1247
4.5.4 Configuring Transmission Alarm Suppression Function......................................................................................1249
4.5.5 Maintaining............................................................................................................................................................1251
4.6 Glossary....................................................................................................................................................................1251
4.7 Acronyms and Abbreviations...................................................................................................................................1253

5 LAN Access and MAN Access..............................................................................................1262


5.1 MAC Address Table Configuration.........................................................................................................................1264
5.1.1 MAC Address Table Introduction.........................................................................................................................1264
5.1.2 Configuring the MAC Address Table Based on the VLAN and Layer 2 Interface..............................................1265
5.1.3 Configuring the MAC Address Table Based on the VSI and Layer 3 Interface...................................................1268
5.1.4 Configuring the Aging Time of a MAC Address Table........................................................................................1270
5.1.5 Maintaining MAC Address Table.........................................................................................................................1272
5.1.6 Configuring the Usage Threshold for a MAC Address Table...............................................................................1273
5.1.7 Configuration Examples........................................................................................................................................1273
5.2 Ethernet Interface Configuration..............................................................................................................................1277
5.2.1 Ethernet Interface Introduction..............................................................................................................................1277
5.2.2 Configuring Ethernet Interfaces of the Interface Board........................................................................................1278
5.2.3 Configuring an Ethernet Sub-interface..................................................................................................................1283
5.2.4 Configuring the Alarm Thresholds and Log Thresholds for Inbound and Outbound Bandwidth Usage for an Interface
........................................................................................................................................................................................1288
5.2.5 Maintaining Ethernet Interfaces............................................................................................................................1289
5.2.6 Configuration Examples........................................................................................................................................1289
5.3 Eth-Trunk Interface Configuration...........................................................................................................................1292
5.3.1 Overview of Eth-Trunk Interfaces.........................................................................................................................1292
5.3.2 Configuring an Eth-Trunk Interface to Work in Static LACP Mode....................................................................1295
5.3.3 Configuring an Eth-Trunk Interface to Work in Manual Load Balancing Mode..................................................1309
5.3.4 Configuration Examples........................................................................................................................................1321
5.4 VLAN Configuration................................................................................................................................................1329
5.4.1 VLAN Introduction...............................................................................................................................................1329
5.4.2 Dividing a LAN into VLANs................................................................................................................................1337
5.4.3 Configuring a VLANIF Interface..........................................................................................................................1340
5.4.4 Configuring Inter-VLAN Communication............................................................................................................1344
5.4.5 Configuring VLAN Security Attributes................................................................................................................1352
5.4.6 Configuring VLAN Aggregation to Save IP Addresses........................................................................................1356
5.4.7 Configuring VLAN Policy-based VPN Access.....................................................................................................1362
5.4.8 Configuring Interface Isolation in a VLAN..........................................................................................................1366


5.4.9 Maintaining VLAN................................................................................................................................................1368
5.4.10 Configuration Examples......................................................................................................................................1369
5.5 QinQ Configuration..................................................................................................................................................1393
5.5.1 QinQ Introduction..................................................................................................................................................1394
5.5.2 Configuring the QinQ Tunnel Function................................................................................................................1396
5.5.3 Configuring Selective QinQ on a Layer 2 Interface..............................................................................................1399
5.5.4 Configuring the Sub-interface for VLAN Tag Termination to Access the IP Service..........................................1402
5.5.5 Configuring the Sub-interface for VLAN Tag Termination to Access the VPN Service.....................................1407
5.5.6 Configuring the Sub-interface for QinQ Stacking to Access an L2VPN..............................................................1412
5.5.7 Maintaining QinQ..................................................................................................................................................1416
5.5.8 Configuration Examples........................................................................................................................................1417
5.6 STP/RSTP Configuration.........................................................................................................................................1478
5.6.1 STP/RSTP Overview.............................................................................................................................................1478
5.6.2 Configuring Basic STP/RSTP Functions..............................................................................................................1485
5.6.3 Configuring STP/RSTP Parameters on an Interface.............................................................................................1491
5.6.4 Configuring RSTP Protection Functions...............................................................................................................1499
5.6.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices...........................1503
5.6.6 Maintaining STP/RSTP.........................................................................................................................................1506
5.6.7 Configuration Examples........................................................................................................................................1506
5.7 MSTP Configuration................................................................................................................................................1520
5.7.1 MSTP Overview....................................................................................................................................................1520
5.7.2 Configuring Basic MSTP Functions......................................................................................................................1530
5.7.3 Configuring MSTP Parameters on an Interface....................................................................................................1538
5.7.4 Configuring MSTP Protection Functions..............................................................................................................1543
5.7.5 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices..................................1548
5.7.6 Maintaining MSTP................................................................................................................................................1551
5.7.7 Configuration Examples........................................................................................................................................1552
5.8 RRPP Configuration.................................................................................................................................................1561
5.8.1 RRPP Introduction.................................................................................................................................................1561
5.8.2 Configuring RRPP Functions................................................................................................................................1565
5.8.3 Configuring the Monitoring Interface...................................................................................................................1572
5.8.4 Maintaining RRPP.................................................................................................................................................1574
5.8.5 Configuration Examples........................................................................................................................................1575
5.9 LLDP Configuration.................................................................................................................................................1588
5.9.1 Introduction...........................................................................................................................................................1588
5.9.2 Configuring LLDP.................................................................................................................................................1590
5.9.3 Maintaining LLDP.................................................................................................................................................1597
5.9.4 Configuration Examples........................................................................................................................................1597
5.10 Automatic Link Discovery Configuration..............................................................................................................1608
5.10.1 Overview.............................................................................................................................................................1608
5.10.2 Configuring Automatic Link Discovery..............................................................................................................1610


5.10.3 Maintenance.........................................................................................................................................................1613
5.11 Transparent Transmission of Layer 2 Protocol Packets Configuration..................................................................1613
5.11.1 Overview of Transparent Transmission of Layer 2 Protocol Packets.................................................................1613
5.11.2 Configuring Interface-based Transparent Transmission of Layer 2 Protocol Packets........................................1621
5.11.3 Configuring VLAN-based Transparent Transmission of Layer 2 Protocol Packets...........................................1626
5.11.4 Configuring QinQ-based Transparent Transmission of Layer 2 Protocol Packets.............................................1631
5.11.5 Configuring Hybrid VLAN-based Transparent Transmission of Layer 2 Protocol Packets...............................1636
5.11.6 Configuration Examples......................................................................................................................................1643
5.12 ERPS (G.8032) Configuration................................................................................................................................1672
5.12.1 Introduction.........................................................................................................................................................1672
5.12.2 Configuring ERPSv1...........................................................................................................................................1685
5.12.3 Configuring ERPSv2...........................................................................................................................................1694
5.12.4 Maintaining ERPS...............................................................................................................................................1704
5.12.5 Configuration Examples......................................................................................................................................1705

6 WAN Access.............................................................................................................................1725
6.1 E-Carrier and T-Carrier Interfaces Configuration....................................................................................................1727
6.1.1 Introduction to the E-Carrier and T-Carrier Interfaces..........................................................................................1727
6.1.2 Configuring E1 Interfaces.....................................................................................................................................1730
6.1.3 Configuring CT1 Interfaces...................................................................................................................................1734
6.1.4 Maintaining E-Carrier or T-Carrier Interface Configuration.................................................................................1738
6.1.5 Configuration Examples........................................................................................................................................1740
6.2 Serial Interface Configuration..................................................................................................................................1744
6.2.1 Introduction to the Serial Interface........................................................................................................................1744
6.2.2 Configuring the Link Layer Attributes for a Serial Interface................................................................................1744
6.2.3 Maintaining Serial Interface Configuration...........................................................................................................1748
6.3 POS and CPOS Interface Configuration..................................................................................................................1749
6.3.1 Introduction to the POS and CPOS Interfaces.......................................................................................................1749
6.3.2 Configuring POS Interfaces...................................................................................................................................1754
6.3.3 Configuring STM-1 CPOS Interfaces...................................................................................................................1757
6.3.4 Configuring a CPOS-Trunk Interface....................................................................................................................1760
6.3.5 Configuring E1 Channels of the CPOS Interface..................................................................................................1763
6.3.6 Maintaining CPOS Interface Configuration..........................................................................................................1767
6.3.7 Configuration Examples.......................................................................................................................................1768
6.4 APS Configuration...................................................................................................................................................1770
6.4.1 APS Overview.......................................................................................................................................................1770
6.4.2 Configuring Single-Device APS...........................................................................................................................1773
6.4.3 Configuration Examples........................................................................................................................................1777
6.5 PPP and MP Configuration.......................................................................................................................................1781
6.5.1 Introduction...........................................................................................................................................................1781
6.5.2 Encapsulating an Interface with PPP.....................................................................................................................1782
6.5.3 Configuring PPP Optional Parameters..................................................................................................................1783
6.5.4 Configuring MP Binding Using an MP-Group.....................................................................................................1785
6.5.5 Configuring MP Limiting Parameters...................................................................................................................1789
6.5.6 Configuring MP Fragmentation.............................................................................................................................1793
6.5.7 Configuring Global-MP-Group Interfaces...........................................................................................................1794
6.5.8 Configuration Examples........................................................................................................................................1797
6.6 ATM IMA Configuration.........................................................................................................................................1800
6.6.1 ATM IMA Overview.............................................................................................................................................1800
6.6.2 Configuring ATM Services on a Serial Interface..................................................................................................1802
6.6.3 Configuring IMA Groups......................................................................................................................................1807
6.6.4 Configuring IMAoPSN Functions (1-to-1 and N-to-1 ATM Transparent Cell Transport)....................................1813
6.6.5 Configuring ATM-Bundle Group Members..........................................................................................................1820
6.6.6 Configuring ATM Bundle.....................................................................................................................................1826
6.6.7 Configuring ATM OAM.......................................................................................................................................1831
6.6.8 Configuration Examples........................................................................................................................................1835
6.7 TDM Configuration..................................................................................................................................................1854
6.7.1 CES Overview.......................................................................................................................................................1854
6.7.2 Configuring a Serial Interface...............................................................................................................................1856
6.7.3 Configuring a CES Service....................................................................................................................................1858
6.7.4 Configuration Examples........................................................................................................................................1862
6.8 xDSL Configuration.................................................................................................................................................1869
6.8.1 Introduction to xDSL.............................................................................................................................................1869
6.8.2 Configuring xDSL Logical Interfaces...................................................................................................................1872
6.8.3 Configuration Examples........................................................................................................................................1876
6.9 Glossary....................................................................................................................................................................1901
6.10 Acronyms and Abbreviations.................................................................................................................................1902

7 IP Services.................................................................................................................................1909
7.1 IP Addresses Configuration......................................................................................................................................1910
7.1.1 IP Addresses Overview.........................................................................................................................................1910
7.1.2 Configuring IP Addresses for Interfaces...............................................................................................................1911
7.1.3 Maintaining IP Addresses......................................................................................................................................1913
7.1.4 Configuration Examples........................................................................................................................................1913
7.2 ARP Configuration...................................................................................................................................................1918
7.2.1 Introduction...........................................................................................................................................................1918
7.2.2 Configuring Static ARP.........................................................................................................................................1920
7.2.3 Optimizing Dynamic ARP.....................................................................................................................................1923
7.2.4 Configuring Routed Proxy ARP............................................................................................................................1927
7.2.5 Configuring ARP-Ping IP......................................................................................................................................1929
7.2.6 Configuring ARP-Ping MAC................................................................................................................................1931
7.2.7 Maintaining ARP...................................................................................................................................................1932
7.2.8 Configuration Examples........................................................................................................................................1933
7.3 IP Performance Configuration..................................................................................................................................1936
7.3.1 IP Performance Overview.....................................................................................................................................1936
7.3.2 Improving IP Performance....................................................................................................................................1937
7.3.3 Configuring TCP...................................................................................................................................................1941
7.3.4 Maintaining IP Performance..................................................................................................................................1943
7.3.5 Configuration Examples........................................................................................................................................1945
7.4 ACL Configuration...................................................................................................................................................1947
7.4.1 Introduction...........................................................................................................................................................1947
7.4.2 Configuring a Basic ACL......................................................................................................................................1951
7.4.3 Configuring an Advanced ACL.............................................................................................................................1960
7.4.4 Configuring an Ethernet Frame Header-based ACL.............................................................................................1971
7.4.5 Maintaining an ACL..............................................................................................................................................1975
7.4.6 Configuration Examples........................................................................................................................................1976
7.5 Basic IPv6 Configuration.........................................................................................................................................1979
7.5.1 Basic IPv6 Overview.............................................................................................................................................1979
7.5.2 Configuring an IPv6 Address for an Interface.......................................................................................................1981
7.5.3 Configuring an IPv6 Address Selection Policy Table...........................................................................................1986
7.5.4 Configuring IPv6 Neighbor Discovery..................................................................................................................1987
7.5.5 Configuring PMTU................................................................................................................................................1995
7.5.6 Configuring TCP6.................................................................................................................................................1998
7.5.7 Configuring ICMPv6 Message Control.................................................................................................................2001
7.5.8 Maintaining IPv6...................................................................................................................................................2003
7.5.9 Configuration Examples........................................................................................................................................2004
7.6 ACL6 Configuration.................................................................................................................................................2016
7.6.1 Introduction...........................................................................................................................................................2016
7.6.2 Configuring a Basic ACL6....................................................................................................................................2020
7.6.3 Configuring an Advanced ACL6...........................................................................................................................2026
7.6.4 Configuring an Interface-based ACL6..................................................................................................................2033
7.6.5 Maintaining ACL6.................................................................................................................................................2036
7.6.6 Configuration Examples........................................................................................................................................2037
7.7 Glossary....................................................................................................................................................................2040
7.8 Acronyms and Abbreviations...................................................................................................................................2043

8 IP Routing.................................................................................................................................2046
8.1 IP Routing Basic Configuration...............................................................................................................................2048
8.1.1 Routing Management............................................................................................................................................2048
8.1.2 Configuring Public Network IP FRR....................................................................................................................2050
8.1.3 Configuring the Advertisement of IPv4 ARP Vlink Direct Routes on the Public Network.................................2053
8.1.4 Configuring the Advertisement of IPv6 NDP Vlink Direct Routes on the Public Network.................................2056
8.1.5 Maintaining the Route Management Module........................................................................................................2059
8.1.6 Configuration Example..........................................................................................................................................2062
8.2 IP Static Route Configuration...................................................................................................................................2073
8.2.1 Introduction...........................................................................................................................................................2073
8.2.2 Configuring an IPv4 Static Route..........................................................................................................................2074
8.2.3 Configuring an IPv6 Static Route..........................................................................................................................2078
8.2.4 Configuring BFD for IPv4 Static Routes on the Public Network.........................................................................2080
8.2.5 Configuring NQA for IPv4 Static Routes..............................................................................................................2084
8.2.6 Configuration Examples........................................................................................................................................2089
8.3 RIP Configuration.....................................................................................................................................................2093
8.3.1 Introduction...........................................................................................................................................................2093
8.3.2 Configuring Basic RIP Functions..........................................................................................................................2094
8.3.3 Configuring RIP Route Attributes.........................................................................................................................2100
8.3.4 Controlling the Advertising of RIP Routing Information.....................................................................................2104
8.3.5 Controlling the Receiving of RIP Routing Information........................................................................................2109
8.3.6 Configuring RIP-2 Features...................................................................................................................................2114
8.3.7 Optimizing a RIP Network....................................................................................................................................2118
8.3.8 Configuring RIP GR..............................................................................................................................................2125
8.3.9 Configuring BFD for RIP......................................................................................................................................2127
8.3.10 Configuring Static BFD for RIP..........................................................................................................................2129
8.3.11 Configuring the Network Management Function in RIP....................................................................................2132
8.3.12 Maintaining RIP..................................................................................................................................................2133
8.3.13 Configuration Examples......................................................................................................................................2134
8.4 RIPng Configuration.................................................................................................................................................2141
8.4.1 Introduction...........................................................................................................................................................2141
8.4.2 Configuring Basic RIPng Functions......................................................................................................................2142
8.4.3 Configuring RIPng Route Attributes.....................................................................................................................2145
8.4.4 Controlling the Advertising of RIPng Routing Information.................................................................................2148
8.4.5 Controlling the Receiving of RIPng Routing Information....................................................................................2153
8.4.6 Optimizing a RIPng Network................................................................................................................................2156
8.4.7 Maintaining RIPng................................................................................................................................................2160
8.5 OSPF Configuration.................................................................................................................................................2161
8.5.1 Introduction...........................................................................................................................................................2161
8.5.2 Configuring Basic OSPF Functions......................................................................................................................2168
8.5.3 Configuring OSPF on the NBMA or P2MP Network...........................................................................................2178
8.5.4 Configuring an OSPF Route Selection Rule.........................................................................................................2185
8.5.5 Controlling OSPF Routing Information................................................................................................................2191
8.5.6 Configuring an OSPF Dynamic Hostname...........................................................................................................2209
8.5.7 Configuring an OSPF Stub Area...........................................................................................................................2210
8.5.8 Configuring an NSSA............................................................................................................................................2212
8.5.9 Configuring BFD for OSPF...................................................................................................................................2215
8.5.10 Configuring OSPF IP FRR..................................................................................................................................2220
8.5.11 Configuring OSPF GR.........................................................................................................................................2224
8.5.12 Configuring the Network Management Function of OSPF.................................................................................2229
8.5.13 Maintaining OSPF...............................................................................................................................................2231
8.5.14 Configuration Examples......................................................................................................................................2232
8.6 OSPFv3 Configuration.............................................................................................................................................2275
8.6.1 Introduction...........................................................................................................................................................2275
8.6.2 Configuring Basic OSPFv3 Functions..................................................................................................................2276
8.6.3 Establishing or Maintaining OSPFv3 Neighbor Relationship...............................................................................2279
8.6.4 Configuring OSPFv3 Areas...................................................................................................................................2282
8.6.5 Configuring OSPFv3 NSSA Areas........................................................................................................................2285
8.6.6 Configuring OSPFv3 Route Attributes..................................................................................................................2287
8.6.7 Controlling OSPFv3 Routing Information............................................................................................................2289
8.6.8 Optimizing an OSPFv3 Network...........................................................................................................................2302
8.6.9 Configuring the Network Management Function of OSPFv3...............................................................................2308
8.6.10 Maintaining OSPFv3...........................................................................................................................................2310
8.7 IS-IS Configuration..................................................................................................................................................2310
8.7.1 Introduction...........................................................................................................................................................2310
8.7.2 Configuring Basic IPv4 IS-IS Functions...............................................................................................................2318
8.7.3 Establishing or Maintaining IS-IS Neighbor Relationships or Adjacencies.........................................................2330
8.7.4 Configuring IPv4 IS-IS Route Selection...............................................................................................................2336
8.7.5 Configuring IPv4 IS-IS Route Summarization......................................................................................................2348
8.7.6 Configuring IPv4 IS-IS to Interact with Other Routing Protocols........................................................................2349
8.7.7 Configuring the IPv4 IS-IS Route Convergence Speed........................................................................................2357
8.7.8 Configuring Basic IPv6 IS-IS Functions...............................................................................................................2367
8.7.9 Configuring IPv6 IS-IS Route Selection...............................................................................................................2379
8.7.10 Configuring IPv6 IS-IS Route Summarization....................................................................................................2392
8.7.11 Configuring IPv6 IS-IS to Interact with Other Routing Protocols......................................................................2393
8.7.12 Configuring the IPv6 IS-IS Route Convergence Speed......................................................................................2401
8.7.13 Configuring Static IPv4 BFD for IS-IS...............................................................................................................2411
8.7.14 Configuring Dynamic IPv4 BFD for IS-IS..........................................................................................................2413
8.7.15 Configuring IPv4 IS-IS Auto FRR......................................................................................................................2416
8.7.16 Configuring IS-IS GR..........................................................................................................................................2419
8.7.17 Improving Security of an IS-IS Network............................................................................................................2422
8.7.18 Maintaining IS-IS................................................................................................................................................2427
8.7.19 Configuration Examples......................................................................................................................................2428
8.8 BGP Configuration...................................................................................................................................................2461
8.8.1 Introduction...........................................................................................................................................................2461
8.8.2 Configuring Basic BGP Functions........................................................................................................................2469
8.8.3 Configuring BGP Route Attributes.......................................................................................................................2475
8.8.4 Configuring BGP to Advertise Routes..................................................................................................................2488
8.8.5 Configuring BGP to Receive Routes.....................................................................................................................2502
8.8.6 Configuring BGP Route Aggregation...................................................................................................................2517
8.8.7 Configuring BGP Peer Groups..............................................................................................................................2519
8.8.8 Configuring BGP Route Reflectors.......................................................................................................................2523
8.8.9 Configuring a BGP Confederation........................................................................................................................2530
8.8.10 Configuring BGP Community Attributes............................................................................................................2532
8.8.11 Configuring Prefix-based BGP ORF...................................................................................................................2535
8.8.12 Configuring to Adjust the BGP Network Convergence Speed...........................................................................2538
8.8.13 Configuring BGP Route Dampening...................................................................................................................2547
8.8.14 Configuring a BGP Device to Send a Default Route to Its Peer.........................................................................2549
8.8.15 Configuring BGP Load Balancing......................................................................................................................2552
8.8.16 Configuring Path MTU Auto Discovery.............................................................................................................2557
8.8.17 Configuring the BGP Next Hop Delayed Response............................................................................................2559
8.8.18 Configuring BFD for BGP..................................................................................................................................2562
8.8.19 Configuring BGP Auto FRR...............................................................................................................................2564
8.8.20 Configuring BGP GR..........................................................................................................................................2567
8.8.21 Configuring BGP Security...................................................................................................................................2571
8.8.22 Maintaining BGP.................................................................................................................................................2575
8.8.23 Applying BGP AS_Path Regular Expressions....................................................................................................2576
8.8.24 Configuration Examples......................................................................................................................................2587
8.9 BGP4+ Configuration...............................................................................................................................................2624
8.9.1 Introduction...........................................................................................................................................................2624
8.9.2 Configuring Basic BGP4+ Functions....................................................................................................................2625
8.9.3 Configuring BGP4+ Route Attributes...................................................................................................................2629
8.9.4 Controlling the Advertising and Receiving of BGP4+ Routing Information........................................................2638
8.9.5 Configuring Parameters of a Connection Between BGP4+ Peers.........................................................................2648
8.9.6 Configuring BGP4+ PeerTracking........................................................................................................................2656
8.9.7 Configuring BGP4+ Route Dampening................................................................................................................2657
8.9.8 Configuring a BGP4+ Peer Group.........................................................................................................................2659
8.9.9 Configuring a BGP4+ Route Reflector.................................................................................................................2662
8.9.10 Configuring a BGP4+ Confederation..................................................................................................................2667
8.9.11 Configuring BGP4+ Security..............................................................................................................................2669
8.9.12 Maintaining BGP4+.............................................................................................................................................2672
8.10 Routing Policy Configuration.................................................................................................................................2673
8.10.1 Introduction.........................................................................................................................................................2674
8.10.2 Configuring the IP-Prefix List.............................................................................................................................2676
8.10.3 Configuring the Route-Policy..............................................................................................................................2679
8.10.4 Applying Filters to Received Routes...................................................................................................................2685
8.10.5 Applying Filters to Advertised Routes................................................................................................................2697
8.10.6 Applying Filters to Imported Routes...................................................................................................................2710
8.10.7 Controlling the Valid Time of the Routing Policy..............................................................................................2713
8.10.8 Maintaining the Routing Policy...........................................................................................................................2715
8.10.9 Configuration Examples......................................................................................................................................2716
8.11 A Glossary..............................................................................................................................................................2720
8.12 Acronyms and Abbreviations.................................................................................................................................2723

9 IP Multicast...............................................................................................................................2728
9.1 Multicast Configuration Guide.................................................................................................................................2730
9.1.1 Multicast Introduction...........................................................................................................................................2730
9.1.2 IPv4 Multicast-related Concepts...........................................................................................................................2733
9.2 IGMP Configuration.................................................................................................................................................2737
9.2.1 IGMP Introduction................................................................................................................................................2738
9.2.2 Configuring Basic IGMP Functions......................................................................................................................2740
9.2.3 Configuring Options of an IGMP Packet..............................................................................................................2746
9.2.4 Configuring IGMP Query Control........................................................................................................................2751
9.2.5 Configuring SSM Mapping...................................................................................................................................2757
9.2.6 Configuring the IGMP Limit Function..................................................................................................................2760
9.2.7 Maintaining IGMP.................................................................................................................................................2764
9.2.8 Configuration Examples........................................................................................................................................2766
9.3 Layer 2 Multicast Configuration..............................................................................................................................2779
9.3.1 Configuring IGMP Snooping................................................................................................................................2779
9.3.2 Configuring Static Layer 2 Multicast....................................................................................................................2789
9.3.3 Configuring Layer 2 SSM Mapping......................................................................................................................2793
9.3.4 Configuring IGMP Snooping Proxy......................................................................................................................2796
9.3.5 Configuring Layer 2 Multicast Replication...........................................................................................................2801
9.3.6 Configuring the Network Management Function for Layer 2 Multicast...............................................................2804
9.3.7 Maintaining Static Layer 2 Multicast....................................................................................................................2805
9.3.8 Configuration Examples........................................................................................................................................2807
9.4 PIM-DM (IPv4) Configuration.................................................................................................................................2819
9.4.1 PIM-DM (IPv4) Introduction................................................................................................................................2819
9.4.2 Configuring Basic PIM-DM Functions.................................................................................................................2821
9.4.3 Adjusting Control Parameters of a Multicast Source............................................................................................2824
9.4.4 Adjusting Control Parameters for Maintaining Neighbor Relationships..............................................................2827
9.4.5 Adjusting Control Parameters for Prune...............................................................................................................2832
9.4.6 Adjusting Control Parameters for State-Refresh...................................................................................................2836
9.4.7 Adjusting Control Parameters for Graft................................................................................................................2840
9.4.8 Adjusting Control Parameters for Assert...............................................................................................................2842
9.4.9 Configuring PIM Silent Function..........................................................................................................................2845
9.4.10 Maintaining PIM-DM (IPv4)...............................................................................................................................2847
9.4.11 Configuration Example........................................................................................................................................2848
9.5 PIM-SM (IPv4) Configuration.................................................................................................................................2853
9.5.1 PIM-SM (IPv4) Introduction.................................................................................................................................2853
9.5.2 Configuring Basic PIM-SM Functions..................................................................................................................2856
9.5.3 Adjusting Control Parameters for a Multicast Source...........................................................................................2865
9.5.4 Adjusting Control Parameters of the C-RP and C-BSR........................................................................................2869
9.5.5 Configuring a BSR Administrative Domain.........................................................................................................2875
9.5.6 Adjusting Control Parameters for Establishing the Neighbor Relationship..........................................................2879
9.5.7 Adjusting Control Parameters for Source Registering..........................................................................................2885
9.5.8 Adjusting Control Parameters for Forwarding......................................................................................................2889
9.5.9 Adjusting Control Parameters for Assert...............................................................................................................2896
9.5.10 Configuring the SPT Switchover.........................................................................................................................2899
9.5.11 Configuring PIM for Anycast RP........................................................................................................................2902
9.5.12 Configuring BFD for IPv4 PIM...........................................................................................................................2906
9.5.13 Configuring PIM Silent.......................................................................................................................................2909
9.5.14 Maintaining PIM-SM (IPv4)...............................................................................................................................2911
9.5.15 Configuration Examples......................................................................................................................................2913
9.6 MSDP Configuration................................................................................................................................................2926
9.6.1 MSDP Introduction................................................................................................................................................2926
9.6.2 Configuring PIM-SM Inter-domain Multicast......................................................................................................2928
9.6.3 Configuring an Anycast RP in a PIM-SM Domain...............................................................................................2933
9.6.4 Managing MSDP Peer Connections......................................................................................................................2939
9.6.5 Configuring SA Cache...........................................................................................................................................2941
9.6.6 Configuring the SA Request..................................................................................................................................2944
9.6.7 Transmitting Burst Multicast Data Between Domains..........................................................................................2947
9.6.8 Configuring the Filtering Rules for SA Messages.................................................................................................2950
9.6.9 Configuring MSDP Authentication.......................................................................................................................2955
9.6.10 Maintaining MSDP..............................................................................................................................................2958
9.7 MBGP Configuration...............................................................................................................................................2960
9.7.1 MBGP Introduction...............................................................................................................................................2960
9.7.2 Configuring Basic MBGP Functions.....................................................................................................................2960
9.7.3 Configuring the Policy for Advertising MBGP Routes.........................................................................................2966
9.7.4 Configuring the Policy for Exchanging Routes Between MBGP Peers................................................................2971
9.7.5 Configuring MBGP Route Attributes....................................................................................................................2980
9.7.6 Configuring MBGP Route Dampening.................................................................................................................2985
9.7.7 Maintaining MBGP...............................................................................................................................................2987
9.7.8 Configuration Examples........................................................................................................................................2988
9.8 IPv4 Multicast Routing Management.......................................................................................................................2997
9.8.1 IPv4 Multicast Routing Management Introduction...............................................................................................2997
9.8.2 Configuring a Static Multicast Route....................................................................................................................2999
9.8.3 Configuring the Multicast Routing Policy.............................................................................................................3002
9.8.4 Configuring the Multicast Forwarding Scope.......................................................................................................3005
9.8.5 Configuring Control Parameters of the Multicast Forwarding Table....................................................................3008
9.8.6 Maintaining the Multicast Policy..........................................................................................................................3010
9.8.7 Configuration Examples........................................................................................................................................3014
9.8.8 Troubleshooting of Static Multicast Routes..........................................................................................................3022
9.9 Multicast Network Management..............................................................................................................................3022
9.9.1 Multicast Network Management Introduction......................................................................................................3022
9.9.2 Configuring Multicast Network Management.......................................................................................................3023
9.9.3 Adjusting the Frequency for Multicast Protocols to Send Trap Messages............................................................3027
9.10 Glossary..................................................................................................................................................................3029
9.11 Acronyms and Abbreviations.................................................................................................................................3036

10 MPLS........................................................................................................................................3039
10.1 Static LSPs Configuration......................................................................................................................................3040
10.1.1 Introduction.........................................................................................................................................................3040
10.1.2 Configuring Static LSPs......................................................................................................................................3040
10.1.3 Configuring Static BFD for Static LSP...............................................................................................................3045
10.1.4 Maintaining Static LSPs......................................................................................................................................3050
10.1.5 Configuration Examples......................................................................................................................................3051
10.2 MPLS LDP Configuration......................................................................................................................................3065
10.2.1 MPLS LDP Overview.........................................................................................................................................3065
10.2.2 Configuring a Local LDP Session.......................................................................................................................3069
10.2.3 Configuring a Remote LDP Session....................................................................................................................3077
10.2.4 Configuring LDP LSPs........................................................................................................................................3087
10.2.5 Configuring LDP Extension for Inter-Area LSP.................................................................................................3093
10.2.6 Configuring LDP LSP Load Balancing...............................................................................................................3095
10.2.7 Configuring Static BFD for LDP LSP.................................................................................................................3096
10.2.8 Configuring Dynamic BFD for LDP LSP...........................................................................................................3102
10.2.9 Configuring LDP Auto FRR................................................................................................................................3107
10.2.10 Configuring Manual LDP FRR.........................................................................................................................3109
10.2.11 Configuring Synchronization Between LDP and IGP.......................................................................................3112
10.2.12 Configuring Synchronization Between LDP and Static Routes........................................................................3119
10.2.13 Configuring LDP Security Features..................................................................................................................3122
10.2.14 Configuring LDP GR.........................................................................................................................................3126
10.2.15 Maintaining MPLS LDP....................................................................................................................................3129
10.2.16 Configuration Examples....................................................................................................................................3131
10.3 MPLS TE Configuration........................................................................................................................................3214
10.3.1 Introduction.........................................................................................................................................................3214
10.3.2 Configuring Static CR-LSP.................................................................................................................................3218
10.3.3 Configuring a Static Bidirectional Co-routed LSP..............................................................................................3225
10.3.4 Configuring an RSVP-TE Tunnel.......................................................................................................................3234
10.3.5 Configuring a Tunnel Protection Group..............................................................................................................3246
10.3.6 Referencing the CR-LSP Attribute Template to Set Up a CR-LSP....................................................................3250
10.3.7 Configuring an Associated Bidirectional Dynamic LSP.....................................................................................3255
10.3.8 Adjusting RSVP Signaling Parameters...............................................................................................................3257
10.3.9 Configuring RSVP Authentication......................................................................................................................3263
10.3.10 Adjusting the Path of CR-LSP...........................................................................................................................3270
10.3.11 Adjusting the Establishment of MPLS TE Tunnels..........................................................................................3280
10.3.12 Importing Traffic to an MPLS TE Tunnel.........................................................................................................3286
10.3.13 Adjusting Flooding Threshold of Bandwidth Change.......................................................................................3290
10.3.14 Configuring the Limit Rate of MPLS TE Traffic..............................................................................................3292
10.3.15 Configuring TE Manual FRR............................................................................................................................3294
10.3.16 Configuring MPLS TE Auto FRR.....................................................................................................................3300
10.3.17 Configuring CR-LSP Backup............................................................................................................................3304
10.3.18 Configuring Synchronization of the Bypass Tunnel and the Backup CR-LSP.................................................3312
10.3.19 Configuring RSVP GR......................................................................................................................................3314
10.3.20 Configuring Static BFD for CR-LSP.................................................................................................................3319
10.3.21 Configuring Static BFD for TE.........................................................................................................................3327
10.3.22 Configuring Dynamic BFD for CR-LSP...........................................................................................................3333
10.3.23 Configuring Dynamic BFD for RSVP...............................................................................................................3340
10.3.24 Maintaining MPLS TE......................................................................................................................................3345
10.3.25 Configuration Examples....................................................................................................................................3348
10.4 MPLS Common Configuration..............................................................................................................................3554
10.4.1 Introduction.........................................................................................................................................................3554
10.4.2 Configuring the Mode in Which MPLS Handles the TTL..................................................................................3555
10.4.3 Optimizing MPLS................................................................................................................................................3558
10.4.4 Maintaining MPLS Common Configuration.......................................................................................................3560
10.5 Seamless MPLS Configuration..............................................................................................................................3561
10.5.1 Introduction.........................................................................................................................................................3561
10.5.2 Configuring Intra-AS Seamless MPLS...............................................................................................................3563
10.5.3 Configuring Inter-AS Seamless MPLS...............................................................................................................3573
10.5.4 Configuring Inter-AS Seamless MPLS+HVPN..................................................................................................3585
10.5.5 Maintaining Seamless MPLS..............................................................................................................................3596
10.5.6 Configuration Examples......................................................................................................................................3597

11 VPN..........................................................................................................................................3645
11.1 Tunnel Management Configuration........................................................................................................................3647
11.1.1 Tunnel Management Overview...........................................................................................................................3647
11.1.2 Configuring and Applying a Tunnel Policy........................................................................................................3649
11.1.3 Maintaining VPN Tunnels...................................................................................................................................3656
11.1.4 Configuration Examples......................................................................................................................................3656
11.2 GRE Configuration.................................................................................................................................................3681
11.2.1 Configuring GRE.................................................................................................................................................3681
11.2.2 Configuring the Keepalive Function...................................................................................................................3683
11.2.3 Configuration Examples......................................................................................................................................3686
11.3 BGP MPLS IP VPN Configuration........................................................................................................................3688
11.3.1 BGP MPLS IP VPN Overview............................................................................................................................3688
11.3.2 Configuring Basic BGP/MPLS IP VPN..............................................................................................................3690
11.3.3 Configuring Hub and Spoke................................................................................................................................3708
11.3.4 Configuring OSPF Sham Link............................................................................................................................3717
11.3.5 Configuring a Multi-VPN-Instance CE...............................................................................................................3721
11.3.6 Configuring VPN GR..........................................................................................................................................3724
11.3.7 Maintaining BGP/MPLS IP VPN........................................................................................................................3732
11.3.8 Configuration Examples......................................................................................................................................3737
11.4 BGP MPLS IPv6 VPN Configuration....................................................................................................................3746
11.4.1 BGP MPLS IPv6 VPN Overview........................................................................................................................3746
11.4.2 Configuring a Basic BGP/MPLS IPv6 VPN.......................................................................................................3748
11.4.3 Configuring Hub and Spoke................................................................................................................................3766
11.4.4 Maintaining BGP/MPLS IPv6 VPN....................................................................................................................3775
11.4.5 Configuration Examples......................................................................................................................................3779
11.5 VLL Configuration.................................................................................................................................................3792
11.5.1 VLL Overview.....................................................................................................................................................3792
11.5.2 Configuring CCC VLL........................................................................................................................................3797
11.5.3 Configuring the SVC VLL..................................................................................................................................3799
11.5.4 Configuring Martini VLL....................................................................................................................................3801
11.5.5 Configuring VLL IP Interworking......................................................................................................................3805
11.5.6 Maintaining VLL.................................................................................................................................................3808
11.5.7 Configuration Examples......................................................................................................................................3810
11.6 PWE3 Configuration..............................................................................................................................................3825
11.6.1 PWE3 Overview..................................................................................................................................................3826
11.6.2 Configuring the Attributes of a PW Template.....................................................................................................3836
11.6.3 Configuring a Static PW......................................................................................................................................3839
11.6.4 Configuring a Dynamic PW................................................................................................................................3841
11.6.5 Configuring a Backup PW...................................................................................................................................3843
11.6.6 Configuring Static BFD for PW..........................................................................................................................3846
11.6.7 Configuring Dynamic BFD for PW.....................................................................................................................3848
11.6.8 Configuring Heterogeneous Transport in PWE3.................................................................................................3852
11.6.9 Maintaining PWE3..............................................................................................................................................3855
11.6.10 Configuration Examples....................................................................................................................................3858
11.7 PWE3 Reliability Configuration............................................................................................................................3885
11.7.1 PWE3 Reliability Overview................................................................................................................................3885
11.7.2 Configuring PW Redundancy in a Scenario Where CEs Asymmetrically Access Three PEs............................3887
11.7.3 Configuring PW APS..........................................................................................................................................3891
11.7.4 Maintaining PWE3 Reliability............................................................................................................................3898
11.7.5 Configuration Examples......................................................................................................................................3899
11.8 VPLS Configuration...............................................................................................................................................3922
11.8.1 VPLS Overview...................................................................................................................................................3922
11.8.2 Configuring Martini VPLS..................................................................................................................................3928
11.8.3 Configuring Related Parameters of a VSI...........................................................................................................3933
11.8.4 Maintaining VPLS...............................................................................................................................................3938
11.8.5 Configuration Examples......................................................................................................................................3941

12 QoS...........................................................................................................................................3967
12.1 QoS Overview........................................................................................................................................................3969
12.1.1 Introduction.........................................................................................................................................................3969
12.1.2 End-to-End QoS Model.......................................................................................................................................3970
12.1.3 Techniques Used for the QoS Application..........................................................................................................3976
12.1.4 QoS Supported by the ATN.................................................................................................................................3981
12.2 Traffic Policing and Shaping Configuration..........................................................................................................3981
12.2.1 Introduction.........................................................................................................................................................3981
12.2.2 Configuring Interface-based Traffic Policing......................................................................................................3986
12.2.3 Configuring Traffic Shaping...............................................................................................................................3990
12.2.4 Configuration Examples......................................................................................................................................3991
12.3 Congestion Avoidance Configuration....................................................................................................................3995
12.3.1 Introduction.........................................................................................................................................................3995
12.3.2 Configuring WRED.............................................................................................................................................3997
12.4 Class-Based QoS Configuration.............................................................................................................................4000
12.4.1 Class-Based QoS Overview.................................................................................................................................4000
12.4.2 Configuring Precedence Mapping Based on Simple Traffic Classification........................................................4002
12.4.3 Configuring a Traffic Policy Based on Complex Traffic Classification.............................................................4011
12.4.4 Configuration Examples......................................................................................................................................4023
12.5 VPN Traffic Statistics Configuration.....................................................................................................................4041
12.5.1 Traffic Statistics Supported by the ATN.............................................................................................................4041
12.5.2 Configuring BGP/MPLS IP VPN Traffic Statistics............................................................................................4041
12.5.3 Configuring Traffic Statistics of the Single-hop VLL.........................................................................................4042
12.5.4 Configuring Traffic Statistics of the VPLS.........................................................................................................4044
12.5.5 Maintaining Traffic Statistics..............................................................................................................................4045
12.6 MPLS DiffServ-Mode Configuration.....................................................................................................................4046
12.6.1 Introduction.........................................................................................................................................................4046
12.6.2 Configuring Uniform/Pipe Model for MPLS TE................................................................................................4049
12.6.3 Configuring DiffServ Model Based on VPN......................................................................................................4050
12.6.4 Configuration Examples......................................................................................................................................4054
12.7 HQoS Configuration...............................................................................................................................................4062
12.7.1 HQoS Overview..................................................................................................................................................4062
12.7.2 Configuring Profile-based HQoS........................................................................................................................4068
12.7.3 Configuring HQoS on an Ethernet Interface.......................................................................................................4075
12.7.4 Maintaining HQoS...............................................................................................................................................4078
12.7.5 Configuration Examples......................................................................................................................................4078
12.8 QoS Remarking Configuration...............................................................................................................................4083
12.9 Glossary..................................................................................................................................................................4084
12.10 Acronyms and Abbreviations...............................................................................................................................4091

13 Clock........................................................................................................................................4095
13.1 Clock Synchronization Configuration....................................................................................................................4096
13.1.1 Introduction to Clock Synchronization Configuration........................................................................................4096
13.1.2 Setting Basic Clock Synchronization Configurations.........................................................................................4096
13.1.3 Configuring an External BITS Clock Source......................................................................................................4099
13.1.4 Configuring a Clock Reference Source Manually or Forcibly............................................................................4100
13.1.5 Configuring Clock Protection Switching Based on Priorities.............................................................................4102
13.1.6 Configuring Ethernet Clock Synchronization.....................................................................................................4105
13.1.7 Configuring NTR Clock Synchronization...........................................................................................................4108
13.1.8 Configuration Examples......................................................................................................................................4110
13.2 NTP Configuration.................................................................................................................................................4117
13.2.1 Overview of NTP.................................................................................................................................................4117
13.2.2 Configuring Basic NTP Functions......................................................................................................................4121
13.2.3 Configuring NTP Security Mechanisms..............................................................................................................4129
13.2.4 Configuring KOD................................................................................................................................................4136
13.2.5 Maintaining NTP.................................................................................................................................................4138
13.2.6 NTP Configuration Examples.............................................................................................................................4138
13.3 1588v2 Configuration.............................................................................................................................................4148
13.3.1 Overview of 1588v2............................................................................................................................................4149
13.3.2 Configuring 1588v2 on OC.................................................................................................................................4155
13.3.3 Configuring 1588v2 on BC.................................................................................................................................4162
13.3.4 Configuring 1588v2 on TC..................................................................................................................................4168
13.3.5 Configuring 1588v2 on TCandBC......................................................................................................................4174
13.3.6 Configuring the 1588v2 Time Source.................................................................................................................4182
13.3.7 Maintaining 1588v2.............................................................................................................................................4185
13.3.8 Configuration Examples......................................................................................................................................4186
13.4 1588 ACR Configuration........................................................................................................................................4192
13.4.1 Configuring 1588 ACR.......................................................................................................................................4193
13.4.2 1588 ACR Maintenance......................................................................................................................................4198
13.4.3 Configuration Examples......................................................................................................................................4198
13.5 CES ACR Configuration........................................................................................................................................4208
13.5.1 Configuring CES ACR........................................................................................................................................4208
13.5.2 Configuration Examples......................................................................................................................................4211
13.6 Acronyms and Abbreviations.................................................................................................................................4216

14 Security....................................................................................................................................4218
14.1 L2 Limit Configuration..........................................................................................................................................4220
14.1.1 Overview to L2 Limit..........................................................................................................................................4220
14.1.2 Configuring MAC Address Learning Limit........................................................................................................4222
14.1.3 Deleting Dynamic MAC Entries.........................................................................................................................4224
14.1.4 Configuring a MAC Address Whitelist or Blacklist to Filter out Packets..........................................................4226
14.1.5 Configuring BPDU Discard.................................................................................................................................4228
14.1.6 Configuration Examples......................................................................................................................................4229
14.2 ARP Security Configuration...................................................................................................................................4231
14.2.1 Overview to ARP Security..................................................................................................................................4231
14.2.2 Preventing Attacks on ARP Entries.....................................................................................................................4233
14.2.3 Preventing Scanning Attacks...............................................................................................................................4237
14.2.4 Maintaining the ARP Security.............................................................................................................................4239
14.3 URPF Configuration...............................................................................................................................................4240
14.3.1 Overview to URPF..............................................................................................................................................4240
14.3.2 Configuring URPF...............................................................................................................................................4242
14.3.3 Maintaining the URPF.........................................................................................................................................4245
14.3.4 Configuration Example........................................................................................................................................4245
14.4 Local Attack Defense Configuration......................................................................................................................4247
14.4.1 Overview to Local Attack Defense......................................................................................................................4247
14.4.2 Configuring Attack Defense Tracing and Enabling Alarming for Packet Discarding........................................4248
14.4.3 Configuring Management/Control Plane Protection...........................................................................................4253
14.4.4 Maintaining Local Attack Defense....................................................................................................................4257
14.4.5 Configuration Example........................................................................................................................................4258
14.5 Mirroring Configuration.........................................................................................................................................4260
14.5.1 Overview to Mirroring.........................................................................................................................................4260
14.5.2 Configuring Local Port Mirroring.......................................................................................................................4261
14.5.3 Configuring Local Traffic Mirroring...................................................................................................................4264
14.5.4 Configuration Examples......................................................................................................................................4268
14.6 Configuring the Online Packet Capture Function..................................................................................................4271
14.6.1 Introduction.........................................................................................................................................................4271
14.6.2 Configuring the Online Packet Capture Function...............................................................................................4272
14.6.3 Maintaining the Online Packet Capture Function...............................................................................................4276
14.6.4 Configuration Examples......................................................................................................................................4277
14.7 Keychain Configuration.........................................................................................................................................4284
14.7.1 Overview.............................................................................................................................................................4285
14.7.2 Configuring Basic Keychain Functions...............................................................................................................4286
14.7.3 Configuring TCP Authentication parameters......................................................................................................4294
14.7.4 Maintaining Keychain.........................................................................................................................................4296
14.7.5 Configuration Examples......................................................................................................................................4297

15 User Management..................................................................................................................4302
15.1 AAA Configuration................................................................................................................................................4303
15.1.1 AAA Overview....................................................................................................................................................4303
15.1.2 Configuring AAA Schemes.................................................................................................................................4305
15.1.3 Configuring a RADIUS Server............................................................................................................................4310
15.1.4 Configuring an HWTACACS Server..................................................................................................................4319
15.1.5 Configuring a Domain.........................................................................................................................................4326
15.1.6 Maintaining AAA................................................................................................................................................4332
15.1.7 Configuring and Managing Users........................................................................................................................4332
15.1.8 Configuration Examples......................................................................................................................................4338
15.2 DHCPv4 Configuration..........................................................................................................................................4357
15.2.1 Introduction.........................................................................................................................................................4357
15.2.2 DHCPv4 Supported by the ATN.........................................................................................................................4357
15.2.3 Configuring DHCPv4 Relay on the Network Side..............................................................................................4357
15.2.4 Maintaining DHCPv4..........................................................................................................................................4360
15.2.5 Configuration Examples......................................................................................................................................4360
15.3 DCN Configuration................................................................................................................................................4362
15.3.1 Introduction.........................................................................................................................................................4363
15.3.2 Configuring DCN on a GNE...............................................................................................................................4364
15.3.3 Configuring DCN on an NE................................................................................................................................4374
15.3.4 DCN Configuration Examples.............................................................................................................................4381
15.4 PPPoE Configuration..............................................................................................................................................4385
15.4.1 Introduction to PPPoE.........................................................................................................................................4385
15.4.2 Configuring the Device as a PPPoE Client.........................................................................................................4385
15.4.3 Configuration Examples......................................................................................................................................4388

16 Security Hardening...............................................................................................................4390
16.1 Overview................................................................................................................................................................4391
16.1.1 Introduction.........................................................................................................................................................4391
16.1.2 Basic Network Security Principles......................................................................................................................4392
16.2 Network Security Analysis.....................................................................................................................................4393
16.2.1 DoS Attack
16.2.2 Information Disclosure
16.2.3 Damage to Information Integrity
16.2.4 Unauthorized Access
16.2.5 Identity Spoofing
16.2.6 Replay Attack
16.2.7 Computer Viruses
16.2.8 Engineer Errors
16.2.9 Physical Intrusion
16.3 Analysis of Router Security Vulnerabilities
16.3.1 Limited Processing Capabilities of Control and Management Planes
16.3.2 Insecure Access Channels
16.3.3 Potential Security Risks Caused by the Openness of IP Networks
16.3.4 Telecom Network Complexity
16.3.5 Router Complexity
16.4 Evaluation of Router Security Risks
16.5 Security Defense Architecture
16.5.1 Overview
16.5.2 Using Three-Layer and Three-Plane Security Isolation and Defense of the X.805
16.5.3 Security Defense Capability on the ATN Control Plane
16.5.4 Security Defense Capabilities of the Forwarding Plane
16.5.5 Security Defense Capabilities of the Management Plane
16.6 Security Hardening Policies of the Router
16.6.1 Access Control
16.6.2 Protection Against Attacks
16.7 Acronyms and Abbreviations

1 Basic Configurations


About This Chapter


This chapter describes the basic configurations of the ATN equipment in terms of basic
principles, implementation of protocols, configuration procedures, and configuration examples.
1.1 Logging In to the System for the First Time
This chapter describes how to log in to a new ATN and configure it through the console port or
with the plug-and-play function.
1.2 CLI Overview
The command line interface (CLI) is used to configure and maintain devices.
1.3 Basic Configuration
This chapter describes how to configure the ATN to suit your network environment.
1.4 Configuring User Interfaces
When a user uses a console port, Telnet, or SSH (STelnet) to log in to an ATN, the system manages
the session between the user and the ATN on the corresponding user interface.
1.5 Configuring User Login
A user can log in to the ATN through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the ATN locally or remotely after login.
1.6 Managing the File System
The file system manages the files and directories on the storage devices of the ATN. It can move
or delete a file or directory, or display the contents of a file.
1.7 Configuring System Startup
When the ATN is powered on, system software starts and configuration files are loaded. To
ensure that the ATN runs smoothly, you need to manage system software and configuration files
efficiently.
1.8 Accessing Another Device
To manage configurations or operate files on another device, you can use Telnet, STelnet, TFTP,
FTP, or SFTP to access the device from the device that you have logged in to.
1.9 Device Maintenance
With routine device maintenance, you can detect potential operation threats on devices and then
eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.
1.10 Patch Management
Patch management includes checking the running patch, loading patch files, and installing
patches.
1.11 Glossary
This appendix collates frequently used terms in this document.
1.12 Acronyms and Abbreviations
This appendix collates frequently used acronyms and abbreviations in this document.

1.1 Logging In to the System for the First Time


This chapter describes how to log in to a new ATN and configure it through the console port or
with the plug-and-play function.

1.1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.
A main control board provides an NM port/Console port. To configure a device, connect the serial
port of the user terminal to the console port of the device, or connect the network port of the
terminal to an NM port of the device and log in to the device through Telnet.
NOTE

The console port applies the non-standard serial port communication cable sequence. For details, see
Management Cables.

1.1.2 Logging In to the Device Through the Console Port


This section describes how to establish the configuration environment by using the console port
to connect a terminal to an ATN.

Before You Start


Before logging in to the ATN through the console port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This preparation will help you complete the configuration task quickly and
accurately.

Applicable Environment
When you power on the ATN for the first time, use the console port to log in to, configure, and
manage the ATN.

Pre-configuration Tasks
Before logging in to the ATN through the console port, complete the following tasks:
• Install a terminal emulation program, for example, Windows XP HyperTerminal, on the PC.
• Prepare the console cable.

Data Preparation
To log in to the ATN through the console port, you need the following data.

No. | Data
--- | ---
1 | Terminal communication parameters: baud rate, data bit, parity, stop bit, and flow-control mode

NOTE

The system automatically uses default parameter values for the first login.

Establishing the Physical Connection


Use a console cable to connect the console port of the ATN to the COM port of a terminal.

Procedure
Step 1 Power on all devices and perform a self-check.
Step 2 Use a cable to connect the COM port on the PC with the console port on the ATN.
----End

Logging In to the Device


To manage an ATN that is being powered on for the first time, you can use the console port to
log in to it.

Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode, must be configured to match those configured for the console port. Default values
for terminal attributes are used when first logging in to the device.

Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-1.

Figure 1-1 Creating a connection

Step 2 Set an interface, as shown in Figure 1-2.


Figure 1-2 Setting an interface

Step 3 Set communication parameters to match the ATN defaults, as shown in Figure 1-3.

Figure 1-3 Setting communication parameters

Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the new password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (8-16)
Enter Password:
Confirm Password:

NOTE

• If the device has the default password before delivery, enter the default password
  Admin@huawei.com to log in. The password is insecure, so you must change it immediately. For
  details on how to change the password, see Configuring the User Authentication Mode of the
  Console User Interface.
• After you set the password for the user interface, you must use this user interface to log in
  to the system again. Use password authentication mode and enter the new password.
• The passwords must meet the following requirements:
  - The password is entered in man-machine interaction mode, and the system does not display
    the entered password.
  - The password is a string of 8 to 16 case-sensitive characters. The password must contain at
    least two of the following types of characters: upper-case characters, lower-case
    characters, numbers, and special characters. Special characters exclude the question mark
    (?) and space.
  The configured password is displayed in the configuration file in ciphertext.
• After you restart the device using the console port, press Enter after the following
  information is displayed.
  Recover configuration...OK!
  Press ENTER to get started.

----End
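
The password rules in the note above can be checked before a password is ever typed at the console, for example in a provisioning script. The following is an added example, not Huawei code; it assumes that "special characters" means ASCII punctuation, and the function names are illustrative.

```python
import string

# Rules quoted from the note above for the ATN console login password.
MIN_LEN, MAX_LEN = 8, 16
FORBIDDEN = {"?", " "}                  # special characters the page excludes
DEFAULT_PASSWORD = "Admin@huawei.com"   # documented factory default (from the page)
# Assumption: "special characters" are ASCII punctuation minus the forbidden ones.
SPECIALS = set(string.punctuation) - FORBIDDEN


def character_classes(password):
    """Return which of the four character classes occur in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def check_password(password):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8 to 16 characters")
    forbidden = sorted(FORBIDDEN & set(password))
    if forbidden:
        problems.append(
            "forbidden character(s): " + ", ".join(repr(c) for c in forbidden)
        )
    if len(character_classes(password)) < 2:
        problems.append("needs at least two character classes")
    # The documented default satisfies every complexity rule above, so it has
    # to be rejected explicitly: anyone who has read the manual knows it.
    if password == DEFAULT_PASSWORD:
        problems.append("matches the documented default password")
    return problems


if __name__ == "__main__":
    for candidate in ("Admin@huawei.com", "huawei12", "abcdefgh", "Ab1?cdef"):
        print(repr(candidate), check_password(candidate) or "OK")
```

The default password passes the length and character-class checks, which is why the explicit comparison is needed.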

1.2 CLI Overview


The command line interface (CLI) is used to configure and maintain devices.

1.2.1 CLI Introduction


After you log in to the ATN, a prompt is displayed, informing you that you can interact with the
router through the command line interface (CLI).

Command Line Interface


You can use CLI commands to configure and manage the ATN.
The CLI enables you to access the following features and capabilities:
• Local or remote configuration through the AUX port.
• Local configuration through the console port.
• Local or remote configuration through Telnet or Secure Shell (SSH).
• Remote configuration by using modem dialup to log in to an asynchronous serial interface
  on the ATN.
• The telnet command for directly logging in to and managing other ATNs.
• FTP service for uploading and downloading files.
• A user interface view for specific configuration management.
• A hierarchical command protection structure, which gives certain levels of users permission
  to run certain levels of commands.
• The ability to enter "?" anytime for online help.
• Two authentication modes, namely, password authentication and Authentication,
  Authorization, and Accounting (AAA) authentication. Password and AAA authentication
  protect system security by prohibiting unauthorized users from logging in to the ATN.
• A command line interpreter, which provides intelligent text entry methods such as key word
  fuzzy match and context conjunction. These methods help users to enter commands easily
  and correctly.
• Network test commands such as tracert and ping, and abundant debugging information
  for fast network diagnostics.
• A function similar to DosKey for running a command that was used previously on the device.
NOTE

• The system supports commands that contain a maximum of 510 characters. A command does not have
  to be entered in full, as long as the part of the command entered is unique within the system.
  For example, to run the display current-configuration command, enter d cu, di cu, or dis cu.
  Entering d c or dis c will not run the command because these entries are not unique to the
  command.
• The system saves the complete form of incomplete commands to configuration files. Saved
  commands may have more than 510 characters. When the system restarts, incomplete commands
  cannot be restored. Therefore, pay attention to the length of incomplete commands before
  saving them.

Command Levels
The system hierarchically structures access to command functions to protect system security.
The system administrator sets user access levels that grant specific users access to specific
command levels.
By default, the user command level is a value ranging from 0 to 3, and the user access level is
a value ranging from 0 to 15. Table 1-1 lists the association between user access levels and
command levels.
Table 1-1 Association between user access levels and command levels

User Level | Command Level | Level Name | Description
--- | --- | --- | ---
0 | 0 | Visiting level | This level gives users access to commands that run network diagnostic tools (such as ping and tracert) and commands that start from a local device, visit external devices (such as Telnet client side), and are a part of display commands.
1 | 0 and 1 | Monitoring level | This level gives access to commands, like the display command, that are used for system maintenance and fault diagnosis. NOTE: Some display commands are not found at this level. For example, the display current-configuration and display saved-configuration commands are found in level 3. For details about command levels, see Command Reference.
2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure network services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | These levels give access to commands that control basic system operations and provide support for services, such as the following command types: file system, FTP, TFTP, configuration file switching, power supply control, user management, level setting, and debugging for fault diagnosis.

To manage efficiently, you can increase the command levels to 0-15.


NOTE

• The default command level may be higher than the actual command level.
• The level of command a user can run is determined by the user level.
• The user level corresponds to the command level. Login users can use only the commands at
  levels that are less than or equal to their own. The user privilege level level command sets
  the user level.
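
The abbreviation rule from the earlier note (d cu is accepted, d c is not) and the default level mapping in Table 1-1 can be combined into one small model that expands typed input and then decides whether a user level may run the result. This is an added example, not the device's parser; it covers keyword-only commands, and the display clock entry and the levels marked "assumed" are illustrative and do not come from this page.

```python
DEFAULT_MAX_COMMAND_LEVEL = 3   # default command levels are 0-3 (Table 1-1)

# Model command table: full command -> command level.
COMMAND_LEVELS = {
    "display current-configuration": 3,  # level 3 per the note in Table 1-1
    "display saved-configuration": 3,    # level 3 per the note in Table 1-1
    "dir": 3,                            # file system command: management level
    "display clock": 1,                  # assumed entry and assumed level
    "system-view": 2,                    # assumed level
}


class CommandError(Exception):
    """Raised with one of the error messages listed in Table 1-2."""


def resolve(typed):
    """Expand abbreviated input to the one full command it identifies.

    Uniqueness is judged over the whole command, not word by word: "d" alone
    fits both dir and display, yet "d cu" fits only one command in the table.
    """
    words = typed.split()
    if not words:
        raise CommandError("Incomplete command")
    paths = set()
    for full in COMMAND_LEVELS:
        keywords = full.split()
        if len(keywords) >= len(words) and all(
            kw.startswith(w) for kw, w in zip(keywords, words)
        ):
            paths.add(tuple(keywords[: len(words)]))
    if not paths:
        raise CommandError("Unrecognized command")
    if len(paths) > 1:
        raise CommandError("Ambiguous command")
    full = " ".join(paths.pop())
    if full not in COMMAND_LEVELS:
        raise CommandError("Incomplete command")
    return full


def max_command_level(user_level):
    """Highest command level a user level can run with the default mapping."""
    if not 0 <= user_level <= 15:
        raise ValueError("user level must be 0 to 15")
    return min(user_level, DEFAULT_MAX_COMMAND_LEVEL)


def authorize(user_level, typed):
    """Return (full command, allowed) for abbreviated input."""
    full = resolve(typed)
    return full, COMMAND_LEVELS[full] <= max_command_level(user_level)


if __name__ == "__main__":
    print(authorize(1, "dis cu"))   # monitoring-level user, level-3 command
    print(authorize(3, "d cu"))
```

Expanding the input before the level check means a rule written against display current-configuration also covers d cu, di cu, and dis cu.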

Searching Commands Based on Command Levels


You can search for all commands at a specific level by performing the following steps:
1. Open the command reference (.chm) file.
2. Click the "Search" tab. The search window is displayed, as shown in Figure 1-4.

Figure 1-4 Search window

3. Enter the desired command level in the "Type in the word(s) to search for" textbox and
   click "List Topics". All commands in the specified level are displayed as shown in Figure
   1-5.

Figure 1-5 Searching for commands in a specific level

Command Line Views


The command line interface has different command views. Each command is registered to run
in one or more command views. You can run a command only after you enter an appropriate
command view.
The following example describes how you can enter the AAA view.
# Establish a connection to the ATN. If the ATN is using the default configurations, the
<HUAWEI> prompt indicates that you have entered the user view.
<HUAWEI>

# Run the system-view command to enter the system view.


<HUAWEI> system-view
[HUAWEI]

# Run the aaa command in the system view to enter the AAA view.
[HUAWEI] aaa
[HUAWEI-aaa]

NOTE

The command prompt "HUAWEI" is the default host name.

The prompt indicates a specific view. For example, "<HUAWEI>" indicates the user view, and
"[HUAWEI-ui-console0]" indicates the console user interface view.

Some commands can be used in more than one view, but their effects vary from view to view.
For example, the mpls command can be run in the system view to enable MPLS globally or in
the interface view to enable MPLS only on this interface.

1.2.2 Online Help


When inputting command lines or configuring services, you can use the online help to obtain
immediate assistance.

Full Help
When inputting a command, you can use the full help function to obtain keywords or parameters
for the command.

Procedure
• When you are inputting commands, you can use any of the following methods to obtain
  full help:
  - Enter a question mark (?) in any command line view to display command names and
    descriptions for all commands in that view.
    <HUAWEI> ?
    User view commands:
      arp-ping             ARP-ping
      backup               Backup information
      batch-cmd            Batch commands
      board-channel-check  Board-Channel-Check enable/disable
      capture-packet       enable capturing packet
      cd                   Change current directory
    ...
    ...
  - Enter a command and a question mark (?) separated by a space. All keywords associated
    with this command, as well as simple descriptions, are displayed. For example:
    <HUAWEI> language-mode ?
      Chinese  Chinese environment
      English  English environment
    Chinese and English are keywords; Chinese environment and English environment describe
    the keywords.
  - Enter a command and a question mark (?) separated by a space. Parameter names for
    this command, as well as parameter descriptions, are displayed. For example:
    [HUAWEI] ftp timeout ?
      INTEGER<1-35791>  The value of FTP timeout, the default value is 30 minutes
    [HUAWEI] ftp timeout 35 ?
      <cr>
    [HUAWEI] ftp timeout 35
    In this command output, INTEGER<1-35791> describes the parameter value and "The value
    of FTP timeout, the default value is 30 minutes" is a simple description of what the
    parameter sets. <cr> indicates that no parameters are associated with this command,
    which is repeated in the next command line. You can press Enter to run the command.
----End

Partial Help
If you enter only the first character or the first several characters of a command, partial help
provides keywords that begin with this character or character string.

Procedure
• Use any of the following methods to obtain partial help from a command line.
  - Enter a character string followed directly by a question mark (?) to display all commands
    that begin with this character string.
    <HUAWEI> d?
      debugging  delete
      dir        display
  - Enter a command and a character string followed directly by a question mark (?) to
    display all key words that begin with this character string.
    <HUAWEI> display b?
      bfd        bgp
      bootrom    buffer
      bulk-stat
  - Enter the first several letters of a key word in the command and then press Tab to display
    a complete key word. A complete keyword is displayed only if the partial string of letters
    uniquely identifies a specific key word. If they do not identify a specific key word,
    continue pressing Tab to display different key words. You can then select the desired
    key word.
----End

Command Line Interface Error Messages


If you enter a command and it passes the syntax check, the system executes it. Otherwise, the
system reports an error message.
Table 1-2 lists common error messages.
Table 1-2 Common command line error messages

Error message | Cause of the error
--- | ---
Unrecognized command | The command cannot be found. The key word cannot be found.
Wrong parameter | The wrong parameter type is entered. The parameter value is out of range.
Incomplete command | An incomplete command is entered.
Too many parameters | Too many parameters are entered.
Ambiguous command | Ambiguous parameters are entered.

1.2.3 CLI Features


The CLI provides several features that make it easy to use.

Editing
The command line editing function allows you to use certain keys to edit command lines or
obtain help.
Keys that are frequently used for command line editing are shown in Table 1-3.
Table 1-3 Command line editing keys

Key | Function
--- | ---
Common key | Inserts a character at the current cursor position as long as the editing buffer is not full. The cursor then moves to the right. If the buffer is full, an alarm is generated.
Backspace | Moves the cursor to the left and deletes the character in that position. When the cursor reaches the head of the command, an alarm is generated.
Left cursor key or Ctrl_B | Moves the cursor to the left one space at a time. When the cursor reaches the head of the command, an alarm is generated.
Right cursor key or Ctrl_F | Moves the cursor to the right one space at a time. When the cursor reaches the end of the command, an alarm is generated.
Tab | Press Tab after typing a partial key word and the system runs partial help: • If the matching key word is unique, the system replaces the typed character string with a complete key word and displays it in a new line with the cursor placed at the end of the word. • If there are several matches or no match, the system displays the prefix first. Then you can press Tab to view any matching key words one at a time. The cursor directly follows the end of the word. You can press the spacebar to enter the next word. • If a non-existent or incorrect key word is entered, press Tab and the word is displayed on a new line.

Displaying
Command lines have a feature that controls how they are displayed.
You can enable this feature on the CLI as follows:
• You can use the language-mode language-name command to change the language mode
  to display prompts and help information in Chinese or English.
• If output information cannot be displayed on a full screen, you have three viewing options,
  as shown in Table 1-4.

Table 1-4 Display keys

Key | Function
--- | ---
Ctrl_C | Stops the display and running of a command. NOTE: You can also press any key except the spacebar and Enter to stop the display and running of a command.
Space | Displays information on the next screen.
Enter | Displays information on the next line.

Regular Expressions
A regular expression describes a set of strings. It consists of common characters (such as letters
from "a" to "z") and special characters (called metacharacters). The regular expression is a
template that enables you to search for required strings. You can use regular expressions to filter
output to locate needed information quickly.
A regular expression provides the following functions:
• Searches for sub-strings that match a rule in the main string.
• Substitutes strings based on specific matching rules.

Formal Language Theory of the Regular Expression


A regular expression consists of common characters and special characters.
• Common characters
  Common characters, including all upper-case and lower-case letters, digits, underline,
  punctuation marks, and special symbols, match themselves in a string. For example, "a"
  matches the letter "a" in "abc", "202" matches the digit "202" in "202.113.25.155", and
  "@" matches the symbol "@" in "xxx@xxx.com".
• Special characters
  Special characters are used together with common characters to match complex or special
  string combinations. Table 1-5 describes special characters and their syntax.

Table 1-5 Description of special characters

Special character: \
Syntax: Defines an escape character, which is used to mark the next character (common or
special) as the common character.
Example: \* matches "*".

Special character: ^
Syntax: Matches the starting position of the string.
Example: ^10 matches "10.10.10.1" instead of "20.10.10.1".

Special character: $
Syntax: Matches the ending position of the string.
Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".

Special character: *
Syntax: Matches the preceding element zero or more times.
Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and
"101010".

Special character: +
Syntax: Matches the preceding element one or more times.
Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".

Special character: ?
Syntax: Matches the preceding element zero or one time.
NOTE: Huawei datacom devices do not support regular expressions with ?. When regular
expressions with ? are entered on Huawei datacom devices, helpful information is provided.
Example: 10? matches "1" and "10". (10)? matches "null" and "10".

Special character: .
Syntax: Matches any single character.
Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".

Special character: ()
Syntax: Defines a subexpression, which can be null. Both the expression and the
subexpression should be matched.
Example: 100(200)+ matches "100200" and "100200200".

Special character: x|y
Syntax: Matches x or y.
Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234",
"14", "1224", and "1334".

Special character: [xyz]
Syntax: Matches any single character in the regular expression.
Example: [123] matches the character 2 in "255".

Special character: [^xyz]
Syntax: Matches any character that is not contained within the brackets.
Example: [^123] matches any character except for "1", "2", and "3".

Special character: [a-z]
Syntax: Matches any character within the specified range.
Example: [0-9] matches any character ranging from 0 to 9.

Special character: [^a-z]
Syntax: Matches any character beyond the specified range.
Example: [^0-9] matches all non-numeric characters.

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

• Degeneration of special characters
  A special character becomes a common character when following \. In the following
  situations, the special characters listed in Table 1-6 function as common characters.
  - If the special character "*", "+", or "?" is placed at the beginning of a regular
    expression, a special character becomes a common character. For example, +45 matches
    "+45" and abc(*def) matches "abc*def".
  - If the special character "^" is placed in any position except for the beginning of a
    regular expression, a special character becomes a common character. For example, abc^
    matches "abc^".
  - If the special character "$" is placed in any position except for the end of a regular
    expression, a special character becomes a common character. For example, 12$2
    matches "12$2".
  - If a right parenthesis ")" or right bracket "]" is not paired with a corresponding left
    parenthesis "(" or bracket "[", a special character becomes a common character. For
    example, abc) matches "abc)" and 0-9] matches "0-9]".
  NOTE
  Unless otherwise specified, degeneration rules also apply when the preceding regular
  expressions are subexpressions within parentheses.
• Combinations of common and special characters
  In actual usage, regular expressions combine multiple common and special characters to
  match certain strings.

Regular Expression Examples


The key to using regular expressions is to design them accurately. Table 1-6 shows how to
design regular expressions using special characters and describes the meaning of those regular
expressions.
Table 1-6 Regular expression examples

Regular expression: ^100
Description: Matches strings beginning with 100, for example, 100085.

Regular expression: 200$
Description: Matches strings ending with 200, for example, 255.255.100.200.

Regular expression: [0-9]+
Description: Matches strings of repeated digits ranging from 0 to 9, for example, 007.

Regular expression: (abc)*
Description: Matches strings with abc occurring zero or more times, for example, d and dabc.

Regular expression: ^100([0-9]+)*200$
Description: Matches strings beginning with 100 and ending with 200, including those with
zero or several digits in the middle, for example, 100200.

Regular expression: Windows_(95|98|2000|XP))
Description: Matches Windows 95, Windows 98, Windows 2000, or Windows XP.

Regular expression: 100[^0-9]?
Description: Matches strings beginning with 100 followed by zero or one non-digit character,
for example, 100 or 100@.

Regular expression: .\.\*
Description: Matches a string beginning with a single character except \n followed by . and
*, for example, 1.* or a.*.

Regular expression: ^172\.18\.(10)\.([0-9]+)$
Description: Matches an IP address in a line, for example, 172.18.10.X.

Specifying a Filtering Mode in a Command

NOTICE
The ATN uses a regular expression to implement the pipe character filtering function. A display
command supports the pipe character only when there is excessive output information.
When filtering conditions are set to query output, the first line of the command output starts with
information containing the regular expression.
Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For commands that support regular expressions, three filtering methods are available:
• | begin regular-expression: displays information that begins with the line that matches
  regular expression.
• | exclude regular-expression: displays information that excludes the lines that match
  regular expression.
• | include regular-expression: displays information that includes the lines that match regular
  expression.
NOTE

The value of regular-expression is a string of 1 to 255 characters.

Specify a Filtering Mode When Information Is Displayed Screen by Screen


NOTE

When the output of the following commands is displayed screen by screen, you can specify a filtering
mode:
• display current-configuration
• display saved-configuration
• display interface
• display arp

When a large amount of information is displayed screen by screen, you can specify a filtering
mode in the prompt "---- More ----".
l

/regular-expression: displays the information that begins with the line that matches regular
expression.

-regular-expression: displays the information that excludes lines that match regular
expression.

+regular-expression: displays the information that includes lines that match regular
expression.
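
The three filtering modes, in both their pipe form and their "---- More ----" prompt form, emulated over captured output for offline review. This is an added example, not code from this guide: Python's re syntax stands in for the device's regular-expression dialect, and the function names and sample lines are constructed for illustration.

```python
import re

# Constructed sample standing in for `display current-configuration` output.
SAMPLE_OUTPUT = [
    "sysname HUAWEI",
    "info-center loghost 172.18.10.5",
    "interface GigabitEthernet0/2/0",
    " ip address 172.18.10.1 255.255.255.0",
    "user-interface vty 0 4",
    " authentication-mode aaa",
    " protocol inbound ssh",
    "return",
]

# "---- More ----" prompt prefix -> pipe keyword, as listed in the text.
MORE_PREFIX = {"/": "begin", "-": "exclude", "+": "include"}


def compile_filter(pattern):
    """Enforce the documented 1 to 255 character limit, then compile.

    Assumption: Python's `re` dialect stands in for the device's own.
    """
    if not 1 <= len(pattern) <= 255:
        raise ValueError("regular-expression must be 1 to 255 characters")
    return re.compile(pattern)


def apply_filter(lines, mode, pattern):
    """Return the lines kept by the begin, exclude or include mode."""
    rx = compile_filter(pattern)
    if mode == "begin":
        # Everything from the first matching line onward, matching or not.
        for index, line in enumerate(lines):
            if rx.search(line):
                return lines[index:]
        return []  # assumption: no matching line means no output
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError(f"unknown filtering mode: {mode!r}")


def parse_more_prompt(text):
    """Split '/regex', '-regex' or '+regex' as typed at the More prompt."""
    if not text or text[0] not in MORE_PREFIX:
        raise ValueError("expected /, - or + followed by a regular expression")
    return MORE_PREFIX[text[0]], text[1:]


def filter_at_more_prompt(lines, text):
    """Apply a More-prompt filter string to the remaining output lines."""
    mode, pattern = parse_more_prompt(text)
    return apply_filter(lines, mode, pattern)


if __name__ == "__main__":
    # Equivalent of: display current-configuration | begin ^user-interface
    for line in apply_filter(SAMPLE_OUTPUT, "begin", r"^user-interface"):
        print(line)
```

Note that begin keeps non-matching lines after the first match, which is why it suits reading one configuration block in context, while include and exclude act line by line.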

Previously-Used Commands
The CLI provides a function similar to DosKey that automatically saves any command used on
the device. If you need to run a command that has been previously executed, you can use this
function to recall the command.
By default, the system saves 10 previously-used commands for each user. You can run the
history-command max-size size-value command in the user view to set the number of
previously-used commands saved by the system. A maximum of 256 previously-used commands
can be saved.
NOTE

Set the number of saved previously-used commands to a reasonably low value. If a large number of
previously-used commands are saved, locating a command can be time-consuming and inefficient.

The keys and commands for accessing previously-used commands are shown in Table 1-7.
Table 1-7 Keys and commands for accessing previously-used commands

Action                                     Key or Command                          Result
Display previously-used commands.          display history-command [ all-users ]   Display previously-used commands entered by users.
Access the last previously-used command.   Up arrow key (↑) or Ctrl_P              Display the last previously-used command if there are more than one. Otherwise, an alarm is generated.
Access the next previously-used command.   Down arrow key (↓) or Ctrl_N            Display the next previously-used command if there are more than one. Otherwise, the command is cleared and an alarm is generated.

NOTE

Windows 9X defines keys differently and the arrow key cannot be used with Windows 9X
HyperTerminals. You can use Ctrl_P instead.

When you use previously-used commands, note the following points:
• Previously-used commands are saved exactly as they are entered by users. For example, if
  a user enters an incomplete command, the saved command is also incomplete.
• A command is only saved the first time it is run. If a command is entered in different forms
  or with different parameters, each entry is considered to be a different command.
  For example, if the display ip routing-table command is run several times, only one
  previously-used command is saved. If the disp ip routing command and the display ip
  routing-table command are run, two previously-used commands are saved.

Batch Command Execution


If multiple commands are frequently used consecutively, you can edit these commands to be
executed in batches. This simplifies command input and improves efficiency.

Procedure
Step 1 Manually execute the commands in batches.
1. In the user view, run:
   batch-cmd edit

   Commands are edited to be executed in batches.
   The batch-cmd edit command can be used by only one user at a time.
   The maximum length of a command (including the incomplete command) to be entered is
   510 characters.
   When editing commands, press Enter to complete the editing of each command.
   NOTE

   • After the batch-cmd edit command is run successfully to edit the commands to be executed in
     batches, the system deletes the original commands to be run in batches.
   • The commands that are already edited are saved in memory and are permanently deleted when the
     system is restarted.

2. After all commands are edited, you can press the shortcut keys Ctrl_Z to exit the editing
   state and return to the user view.

3. In the user view, run:
   batch-cmd execute

   The commands are executed in batches.
   The batch-cmd execute command can be used by only one user at a time.
   The sequence of running commands is the same as the sequence of editing commands. You
   can view the execution of these commands on the CLI. After the execution is complete,
   the user view is displayed.
   NOTE

   If the batch-cmd edit or batch-cmd execute command is among the commands to be executed in
   batches, the system displays an error when executing the batch-cmd edit or batch-cmd execute
   command and continues to execute the following commands.

----End

1.2.4 Shortcut Keys


System or user-defined shortcut keys make it easier to enter commands.

Classifying Shortcut Keys


There are two types of shortcut keys: system shortcut keys and user-defined shortcut keys.
Familiarize yourself with the shortcut keys so you can use them correctly.
The shortcut keys in the system are classified into the following two types:
• User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can
  assign these shortcut keys to any commands. When a shortcut key is pressed, the system
  automatically runs the assigned command. For details about defining the shortcut keys, see
  section Defining Shortcut Keys.
• System-defined shortcut keys: The system defines a number of shortcut keys with fixed
  functions. Table 1-8 lists the system-defined shortcut keys.
NOTE

Different terminal software defines these keys differently. The shortcut keys on your terminal may be
different from those listed in this section.

Table 1-8 System-defined shortcut keys

Key            Function
CTRL_A         The cursor moves to the beginning of the current line.
CTRL_B         The cursor moves to the left one space at a time.
CTRL_C         Terminates the running function.
CTRL_D         Deletes the character where the cursor lies.
CTRL_E         The cursor moves to the end of the current line.
CTRL_F         The cursor moves to the right one space at a time.
CTRL_H         Deletes the character to the left of the cursor.
CTRL_K         Stops the creation of the outbound connection.
CTRL_N         Displays the next command in the previously-used command buffer.
CTRL_P         Displays the previous command in the previously-used command buffer.
CTRL_R         Repeats the information displayed on the current line.
CTRL_T         Terminates the outbound connection.
CTRL_V         Pastes the contents onto the clipboard.
CTRL_W         Deletes the character string or character to the left of the cursor.
CTRL_X         Deletes all the characters to the left of the cursor.
CTRL_Y         Deletes all the characters to the right of the cursor.
CTRL_Z         Returns to the user view.
CTRL_]         Terminates the inbound or redirection connections.
ESC_B          The cursor moves one word to the left.
ESC_D          Deletes the word to the right of the cursor.
ESC_F          The cursor moves to the end of the word to the right.
ESC_N          The cursor moves downward to the next line.
ESC_P          The cursor moves upward to the previous line.
ESC_SHIFT_<    Sets the position of the cursor to the beginning of the clipboard.
ESC_SHIFT_>    Sets the position of the cursor to the end of the clipboard.

Defining Shortcut Keys


If you regularly use one or more commands, you can assign shortcut keys to run them, which
facilitates user operations and improves efficiency. Only management-level users have the right
to define shortcut keys.
Configure the following shortcut keys in the system view.

Action                  Command
Define shortcut keys    hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

CTRL_G, CTRL_L, CTRL_O and CTRL_U are assigned to run the following commands by
default:
• CTRL_G: display current-configuration
• CTRL_L: display ip routing-table
• CTRL_O: undo debugging all
• CTRL_U: By default, CTRL_U is not assigned to any command. If no command is
  specified for CTRL_U, this shortcut key deletes an entered character or command.

When defining shortcut keys, mark the command with double quotation marks if the command
consists of more than one word or includes spaces.

Using Shortcut Keys


You can use a shortcut key in any position you can enter a command. The system executes the
entered shortcut key and displays the corresponding command on the screen exactly as if you
had entered the complete command.
• If you have typed part of a command and have not pressed Enter, you can press the shortcut
  keys to clear what you have entered or display the full command. This operation has the
  same effect as that of deleting a command and then re-entering the complete command.
• The shortcut keys are run like the commands. The syntax is recorded in the command buffer
  and logged for fault location and querying.
NOTE

The terminal being used may affect the shortcut key functions. For example, if shortcut keys customized
for the terminal conflict with those for the ATN, the input shortcut keys are captured by the terminal program
and do not function.

Run the following command in any view to display the shortcut keys being used.

Action                                 Command
Check the shortcut keys being used.    display hotkey

1.2.5 Configuration Examples


This section provides several examples that illustrate the use of command lines.

Running Commands in Batches


In this example, you can edit the commands to be run in batches to configure the system to
automatically run them in batches.

Context
If you frequently run commands in a particular order, you can run them in batches to improve
efficiency. This is particularly effective if you run a large number of commands in a row.
For example, you can run commands in batches during a preventive maintenance inspection
(PMI). By running commands in batches, you can enter all PMI commands at once and then
send all the command output information to the PMI tool, which can improve the PMI efficiency.
To run commands in batches, log in to the ATN and perform the following:

Procedure
Step 1 Edit the display users, display startup, and display clock commands to be run in batches.
<HUAWEI> batch-cmd edit
Info: Begin editing batch commands. Press "Ctrl+Z" to abort this session.
display users
display startup
display clock
<HUAWEI>

Step 2 Run the commands in batches.


<HUAWEI> batch-cmd execute
<HUAWEI>batch-cmd execute command: display users
  User-Intf    Delay    Type   Network Address   AuthenStatus    AuthorcmdFlag
  35  VTY 1   00:00:00  TEL    190.120.2.19                      no
  Username : Unspecified
<HUAWEI>batch-cmd execute command: display startup
MainBoard:
  Configured startup system software:        cfcard:/V200R003C00.cc
  Startup system software:                   cfcard:/V200R003C00.cc
  Next startup system software:              cfcard:/V200R003C00.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
<HUAWEI>
batch-cmd execute command: display clock

2011-01-27 01:25:24
Thursday
Time Zone(DefaultZoneName) : UTC
<HUAWEI>
batch-cmd execute finished.

----End

Using the Tab Key


After inputting part of a keyword, you can press Tab to obtain all the related keywords or check
the accuracy of the input keyword.

Context
You do not always need to input complete keywords. Instead, input one or more of the first
characters of a keyword and press Tab to complete the keyword. The Tab key helps search for
and use commands.

Procedure
• Tab can be used in three ways as shown in the following example.
  - After you enter part of a keyword and press the Tab key, a unique matching keyword
    is displayed.
    1. Input part of a keyword.
       [HUAWEI] info-
    2. Press Tab.
       The system replaces the incomplete keyword with a complete keyword and
       displays it on a new line followed by a cursor.
       [HUAWEI] info-center

  - After you enter part of a keyword and press the Tab key, several matches or no matches
    are displayed.
    # info-center can be followed by three keywords.
    [HUAWEI] info-center log?
    logbuffer
    logfile
    loghost

    1. Input the incomplete keyword.
       [HUAWEI] info-center l
    2. Press Tab.
       The system displays the prefix first. In this example, the prefix is "log".
       [HUAWEI] info-center log

       Continue pressing Tab. The cursor comes right after the end of the word.
       [HUAWEI] info-center loghost
       [HUAWEI] info-center logbuffer
       [HUAWEI] info-center logfile

       When you find the keyword you need, for example, logfile, stop pressing Tab.
    3. Enter a space and the next word, channel, is displayed.
       [HUAWEI] info-center logfile channel

  - Input an incorrect keyword and press Tab to check the accuracy of the keyword.
    1. For example, input the incorrect keyword loglog.
       [HUAWEI] info-center loglog
    2. Press Tab.
       [HUAWEI] info-center loglog

       The system displays information on a new line, but the keyword loglog remains
       unchanged and there is no space between the cursor and the keyword. This result
       indicates that this keyword is non-existent.
----End

Using Shortcut Keys


In this example, you assign shortcut keys to frequently-used commands. Then, you can press
the shortcut keys instead of inputting the commands to facilitate user operations and improve
efficiency.

Context
If the login ATN supports shortcut keys, any user, regardless of their user level, can use them.

Procedure
Step 1 Correlate Ctrl_U with the display local-user command and run the shortcut keys.
<HUAWEI> system-view
[HUAWEI] hotkey ctrl_u "display local-user"
NOTE

When defining shortcut keys for a command, use double quotation marks to quote the command
if the command consists of multiple words separated by spaces. No double
quotation marks are required for single-word commands.
Step 2 Press Ctrl_U when the prompt [HUAWEI] appears.
[HUAWEI] display local-user
 ----------------------------------------------------------------------------
 Username                       State  Type           Access-limit  Online
 ----------------------------------------------------------------------------
 admin                          Active All            No            0
 root                           Active F              No            0
 huawei                         Active All            No            2
 ----------------------------------------------------------------------------
 Total 3,3 printed

----End

Copying Commands Using Shortcut Keys


In this example, you can use shortcut keys to copy a specified command and then use the shortcut
keys Ctrl_Shift_V to paste the command.

Context
If you need to repeatedly run a command, you can use shortcut keys to copy the command.
The copied command is saved on the clipboard and is available only for the current user. After
the user logs out, the clipboard is cleared.
You can use shortcut keys to copy a command in any view.

Procedure
Step 1 Move the cursor to the beginning of the command and press Esc_Shift_<. Move the cursor to
the end of the command and press Esc_Shift_>.
<HUAWEI> display ip routing-table

Step 2 Run the display clipboard command to view the contents on the clipboard.
<HUAWEI> display clipboard
---------------- CLIPBOARD----------------
display ip routing-table

Step 3 Enter the command in any view, and press Ctrl_Shift_V to paste the contents of clipboard.
<HUAWEI> display ip routing-table

NOTE

If you press shortcut keys to copy a new command, you can use shortcut keys to paste only the new
command.

----End

1.3 Basic Configuration


This chapter describes how to configure the ATN to suit your network environment.

1.3.1 Configuring the Basic System Environment


This section describes how to configure the basic system environment.

Before You Start


Before configuring the basic system environment, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Before configuring services, you need to configure the basic system environment (for example,
the language mode, system time, device name, login information, and command level) to meet
environmental requirements.

Pre-configuration Tasks
Before configuring the basic system environment, power on the ATN.

Data Preparation
To configure the basic system environment, you need the following data.
No.    Data
1      Language mode
2      System time
3      Host name
4      Login information
5      Command level

Switching the Language Mode


You can switch between the Chinese mode and the English mode as needed.

Context
After the language mode is switched, the system displays prompts and command line outputs in
the specified language.
Language information (Chinese and English) has been stored in the system software and does
not need to be loaded.
In the user view, perform the following:

Procedure
• Run:
  language-mode { chinese | english }

  The language mode is switched.

  By default, the English mode is used.
  The help information on the ATN can be in English or in Chinese. The language mode is
  stored in the system software and does not need to be loaded.
----End

Configuring the Equipment Name


If multiple devices on a network need to be managed, set equipment names to identify each
device.

Context
New equipment names take effect immediately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sysname host-name

The equipment name is set.


By default, the equipment name of the ATN is HUAWEI.
You can change the name of the ATN that appears in the command prompt.
----End

Setting the System Clock


The system clock must be correctly set to ensure synchronization with other devices.

Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device effectively operates with other
devices.
Setting the system clocks of all the devices on a network manually is time-consuming and cannot
ensure the clock accuracy. Network Time Protocol (NTP) can address this problem by
synchronizing all clocks of devices on the network so that the devices can provide uniform
time-based applications.
NOTE

A local system running NTP can be synchronized by other clock sources or act as a clock source to
synchronize other clocks. In addition, mutual synchronization can be implemented through NTP packet
exchanges.

By default, the system clock of NTP-enabled devices is UTC. The time zone and daylight saving
time vary with the country and region, and if a time zone and daylight saving time are configured
on an NTP server, the same time zone and daylight saving time must be configured on NTP
clients.
For details about NTP, see the NTP chapter in Feature Description - Clock.
For details about NTP configurations, see the 13.2 NTP Configuration chapter in Configuration
Guide - Clock.
Perform the following steps in the user view to set the system clock:

Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD

The current date and time are set.


NOTE

If the time zone has not been configured or is set to 0, the date and time set by this command are considered
to be UTC. Set the time zone and UTC correctly.

Step 2 Run:
system-view

The system view is displayed.


Step 3 Run:
clock timezone time-zone-name { add | minus } offset

The time zone is set.


• If add is configured, the current time is the UTC time plus the time offset. That is, the default
  UTC time plus offset is equal to the time of time-zone-name.
• If minus is configured, the current time is the UTC time minus the time offset. That is, the
  default UTC time minus offset is equal to the time of time-zone-name.
NOTE

UTC stands for Coordinated Universal Time.

After the time zone is set:
• The time format of local logs is Original system time zone-offset, for example, Oct 30 2013
  22:21:11+08:00.
• The time format of logs sent to the log host is the UTC time, for example, Oct 30 2013 07:58:20. After
  the info-center loghost local-time command is run to set the time format to local time, the time format
  of user logs is Original system time zone-offset, for example, Oct 30 2013 22:21:11+08:00.

Step 4 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset

or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]

Daylight saving time is set.


By default, daylight saving time is not set.
The start time is the local mean time (LMT), and the end time is the daylight saving time (DST).
The start time and end time can be set to date+date, week+week, date+week, or week+date
format. To configure the daylight saving time, run the clock daylight-saving-time command.

NOTICE
When the device is upgraded from an earlier version to the V200R003C00 version, the
configured daylight saving time does not take effect and needs to be reconfigured.
----End
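
The NOTE under Step 3 gives two log time formats: local logs carry the zone offset, while logs sent to the log host are in UTC unless info-center loghost local-time is configured. The following added example (not code from this guide; the function names and sample records are constructed) normalizes both formats to UTC so that entries from the two sources can be ordered on one timeline.

```python
from datetime import datetime, timezone

# Formats taken from the examples in the NOTE under Step 3.
WITH_OFFSET = "%b %d %Y %H:%M:%S%z"   # Oct 30 2013 22:21:11+08:00
UTC_ONLY = "%b %d %Y %H:%M:%S"        # Oct 30 2013 07:58:20


def to_utc(stamp):
    """Parse either log time format and return an aware UTC datetime."""
    stamp = stamp.strip()
    try:
        # Local-log format: the trailing zone offset makes it unambiguous.
        return datetime.strptime(stamp, WITH_OFFSET).astimezone(timezone.utc)
    except ValueError:
        # No offset present: per the text this is the log-host UTC format.
        return datetime.strptime(stamp, UTC_ONLY).replace(tzinfo=timezone.utc)


def merge_timeline(*sources):
    """Merge (source_name, [(stamp, text), ...]) inputs into one UTC order."""
    events = []
    for name, records in sources:
        for stamp, text in records:
            events.append((to_utc(stamp), name, text))
    return sorted(events, key=lambda event: event[0])


# Constructed records: only the timestamps follow the documented formats.
LOCAL_LOG = [
    ("Oct 30 2013 22:21:11+08:00", "constructed event A"),
    ("Oct 30 2013 15:58:25+08:00", "constructed event C"),
]
LOG_HOST = [
    ("Oct 30 2013 07:58:20", "constructed event B"),
]

if __name__ == "__main__":
    for when, source, text in merge_timeline(("local", LOCAL_LOG),
                                             ("loghost", LOG_HOST)):
        print(when.isoformat(), source, text)
```

Sorting the raw strings would place event C (15:58:25+08:00) after event B (07:58:20), although C occurred five seconds later in UTC, not eight hours later.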

System Clock Display


The system clock is determined by the clock datetime, clock timezone, and clock
daylight-saving-time commands.
• If none of the preceding three commands have been run, the original system time is
  displayed after you run the display clock command.
• You can also run the three preceding commands in combination with one another to
  configure the system clock, as listed in Table 1-9.

In the following examples, the original system time is 08:00:00 January 1, 2010.
• 1: Run the clock datetime command to set the current date and time to date-time.
• 2: Run the clock timezone command to configure the time zone with the time zone offset
  zone-offset.
• 3: Run the clock daylight-saving-time command to configure the daylight saving time
  with the offset offset.
• [1]: The clock datetime command configuration is optional.

Table 1-9 System clock configuration examples

Operation: 1
Configured System Time: date-time
Example:
  Run the clock datetime 8:0:0 2011-11-12 command.
  Configured system time:
  2011-11-12 08:00:03
  Saturday
  Time Zone(DefaultZoneName): UTC

Operation: 2
Configured System Time: Original system time +/- zone-offset
Example:
  Run the clock timezone BJ add 8 command.
  Configured system time:
  2010-01-01 16:00:20+08:00
  Friday
  Time Zone(BJ): UTC+08:00

Operation: 1, 2
Configured System Time: date-time +/- zone-offset
Example:
  Run the clock datetime 8:0:0 2011-11-12 and clock timezone BJ add 8 commands.
  Configured system time:
  2011-11-12 16:00:13+08:00
  Saturday
  Time Zone(BJ): UTC+08:00

Operation: [1], 2, 1
Configured System Time: date-time
Example:
  Run the clock timezone NJ add 8 and clock datetime 9:0:0 2011-11-12 commands.
  Configured system time:
  2011-11-12 09:00:02+08:00
  Saturday
  Time Zone(NJ): UTC+08:00

Operation: 3
Configured System Time: Original system time if the original system time is not during the
configured daylight saving time period
Example:
  Run the clock daylight-saving-time BJ one-year 6:0 2011-8-1 6:0 2011-10-01 1 command.
  Configured system time:
  2010-01-01 08:00:51
  Friday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2011
    End year    : 2011
    Start time  : 08-01 06:00:00
    End time    : 10-01 06:00:00
    Saving time : 01:00:00

Operation: 3
Configured System Time: Original system time + offset if the original system time is during the
configured daylight saving time period
Example:
  Run the clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2 command.
  Configured system time:
  2010-01-01 10:00:34 DST
  Friday
  Time Zone(BJ): UTC
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2011
    End year    : 2011
    Start time  : 01-01 06:00:00
    End time    : 09-01 06:00:00
    Saving time : 02:00:00

Operation: 1, 3
Configured System Time: date-time if date-time is not during the configured daylight saving time
period
Example:
  Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 6:0
  2012-8-1 6:0 2012-10-01 1 commands.
  Configured system time:
  2011-11-12 09:00:26
  Saturday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2012
    End year    : 2012
    Start time  : 08-01 06:00:00
    End time    : 10-01 06:00:00
    Saving time : 01:00:00

Operation: 1, 3
Configured System Time: date-time + offset if date-time is during the configured daylight saving
time period
Example:
  Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 9:0
  2011-11-12 6:0 2011-12-01 2 commands.
  Configured system time:
  2011-11-12 11:02:21 DST
  Saturday
  Time Zone(BJ): UTC
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2011
    End year    : 2011
    Start time  : 11-12 09:00:00
    End time    : 12-01 06:00:00
    Saving time : 02:00:00

Operation: [1], 3, 1
Configured System Time: date-time if date-time is not during the configured daylight saving time
period
Example:
  Run the clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1 and clock
  datetime 9:0 2011-11-12 commands.
  Configured system time:
  2011-11-12 09:00:02
  Saturday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2012
    End year    : 2012
    Start time  : 08-01 06:00:00
    End time    : 10-01 06:00:00
    Saving time : 01:00:00

Operation: [1], 3, 1
Configured System Time: date-time if date-time is during the configured daylight saving time
period
Example:
  Run the clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2 and clock
  datetime 3:0 2011-1-1 commands.
  Configured system time:
  2011-01-01 03:00:19 DST
  Saturday
  Time Zone(BJ): UTC
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2011
    End year    : 2011
    Start time  : 01-01 01:00:00
    End time    : 09-01 01:00:00
    Saving time : 02:00:00

Operation: 2, 3 or 3, 2
Configured System Time: Original system time +/- zone-offset if the value of Original system time
+/- zone-offset is not during the configured daylight saving time period
Example:
  Run the clock timezone BJ add 8 and clock daylight-saving-time BJ one-year 6:0 2011-1-1
  6:0 2011-9-1 2 commands.
  Configured system time:
  2010-01-01 16:01:29+08:00
  Friday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2011
    End year    : 2011
    Start time  : 01-01 06:00:00
    End time    : 09-01 06:00:00
    Saving time : 02:00:00

Operation: 2, 3 or 3, 2
Configured System Time: Original system time +/- zone-offset +/- offset if the value of Original
system time +/- zone-offset is during the configured daylight saving time period
Example:
  Run the clock daylight-saving-time BJ one-year 1:0 2010-1-1 1:0 2010-9-1 2 and clock
  timezone BJ add 8 commands.
  Configured system time:
  2010-01-01 18:05:31+08:00 DST
  Friday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2010
    End year    : 2010
    Start time  : 01-01 01:00:00
    End time    : 09-01 01:00:00
    Saving time : 02:00:00

Operation: 1, 2, 3, or 1, 3, 2
Configured System Time: date-time +/- zone-offset if the value of date-time +/- zone-offset is not
during the configured daylight saving time period
Example:
  Run the clock datetime 8:0:0 2011-11-12, clock timezone BJ add 8, and clock
  daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2 commands.
  Configured system time:
  2011-11-12 16:01:40+08:00
  Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2012
    End year    : 2012
    Start time  : 01-01 06:00:00
    End time    : 09-01 06:00:00
    Saving time : 02:00:00

Operation: 1, 2, 3, or 1, 3, 2
Configured System Time: date-time +/- zone-offset + offset if the value of date-time +/-
zone-offset is during the configured daylight saving time period
Example:
  Run the clock datetime 8:0:0 2011-1-1, clock daylight-saving-time BJ one-year 6:0 2011-1-1
  6:0 2011-9-1 2, and clock timezone BJ add 8 commands.
  Configured system time:
  2011-01-01 18:00:43+08:00 DST
  Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2011
    End year    : 2011
    Start time  : 01-01 06:00:00
    End time    : 09-01 06:00:00
    Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
Configured System Time: date-time if date-time is not during the configured daylight saving time
period
Example:
  Run the clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2, clock timezone BJ
  add 8, and clock datetime 8:0:0 2011-11-12 commands.
  Configured system time:
  2011-11-12 08:00:03+08:00
  Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2012
    End year    : 2012
    Start time  : 01-01 06:00:00
    End time    : 09-01 06:00:00
    Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
Configured System Time: date-time if date-time is during the configured daylight saving time
period
Example:
  Run the clock timezone BJ add 8, clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0
  2011-9-1 2, and clock datetime 3:0:0 2011-1-1 commands.
  Configured system time:
  2011-01-01 03:00:03+08:00 DST
  Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name        : BJ
    Repeat mode : one-year
    Start year  : 2011
    End year    : 2011
    Start time  : 01-01 01:00:00
    End time    : 09-01 01:00:00
    Saving time : 02:00:00

Configuring a Header
If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.

Context
A header is a text message displayed by the system at the time a user logs in to the ATN.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
header login { information text | file file-name }

A header displayed during login is set.


Step 3 Run:
header shell { information text | file file-name }

A header displayed after login is set.


To display the header when the terminal connection has been activated but the user has not been
authenticated, configure the parameter login.
To display the header after the user has logged in, configure the parameter shell.

NOTICE
- The header message starts and ends with the same character. Enter the first character of the
  header and press Enter. An interactive interface for setting the header is displayed. Input the
  required information and, when you are finished, end the header by entering the first character
  again. The system then exits from the interactive interface.
- If a user logs in to the ATN using SSH1.X, the login header is not displayed during login,
  but the shell header is displayed after login.
- If a user logs in to the ATN using SSH2.0, both the login and shell headers are displayed.
----End

Configuring Command Levels


This section describes how to configure command levels to ensure device security or allow low-level
users to run high-level commands. By default, commands are registered in the sequence
of Level 0 to Level 3. If refined rights management is required, you can divide commands into
16 levels, that is, from Level 0 to Level 15.

Context
If you do not adjust a command level, after the command level is updated, all originally registered
command lines adjust automatically according to the following rules:
- The Level 0 and Level 1 commands remain unchanged.
- The Level 2 commands are updated to Level 10 and the Level 3 commands are updated to
  Level 15.
- No command lines exist in Level 2 to Level 9 or in Level 11 to Level 14. You can adjust
  the command lines to these levels to refine the management of privileges.

NOTICE
Do not change the default level of a command. Otherwise, some users may be unable to continue
using the command.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
command-privilege level rearrange

Update the command levels in batches.


If no password is configured for a Level 15 user, the system prompts you to set a super-password
and asks if you want to continue updating the command line level. Select "N" to set a password.
If you select "Y", the command levels are updated in batches directly. As a result, users who do
not log in through the console port fail to update the level.
Before running the command, confirm that the user level is 15. Otherwise, this command cannot
be run.
Step 3 Run:
command-privilege level level view view-name command-key

The command level is configured. With this command, you can specify the level for each
command and view multiple commands at one time (command-key).
All commands have default command views and levels. You do not need to reconfigure them.
----End

Configuring the undo Command to Automatically Match the Higher-Level View


After performing this configuration, if a user runs the undo command but it is not registered in
the current view, the system automatically switches to the view one level up from the current
view to search for this command. If the command is found, the undo command takes effect. If
the undo command does not exist in this view, the system progressively searches higher-level
views for the command until it reaches the system view. If the undo command is not found in
the higher-level view, it will not be executed.

Context

NOTICE
The undo command has disadvantages due to automatic matching. For example, when the user
runs the undo ospf command in the interface view where the command is not registered, the
system automatically searches the system view. This may lead to the global deletion of the OSPF
feature.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
matched upper-view

The undo command is configured to automatically search higher-level views if it is run in a
view where it is not registered.
By default, the undo command does not automatically search higher-level views.
NOTE

- The matched upper-view command is valid for current login users who run this command.
- Configuring the undo command to automatically match the upper level view is recommended only if
  necessary.

----End

1.3.2 Displaying System Status Messages


This section describes how to use display commands to check basic system configurations.

Context
You can use display commands to collect information about the system status. The display
commands display the following information:
- System configurations
- System running status
- Diagnostic information about a system
- Restart information about the main control board

See related sections concerning display commands for information on protocols and interfaces.
This section only shows system-level display commands.

Displaying System Configuration


This section describes how to use command lines to check the system version, system time,
original configuration, and current configuration.

Context
Run the following commands in any view:

Procedure
- Run the display version command to display the system version.
- Run the display clock [ utc ] command to display the system time.
- Run the display calendar command to display the system calendar.
- Run the display saved-configuration command to display the original configuration.
- Run the display current-configuration command to display the current configuration.

NOTE

- The display version command displays the software version of the system.
- The original configuration refers to information about configuration files the device uses when
  it powers on and initializes. The current configuration refers to the configuration files that take
  effect when the device is in use. For details, see the chapter "Configuring System Startup" in the
  Basic-Configuration.

----End

Displaying the System Status


This section describes how to use command lines to check the system operating status (the
configuration of the current view).

Procedure
- Run the display this command to display the configuration of the current view.

----End

Collecting System Diagnostic Information


This section describes how to collect information about system modules.

Context
If you cannot perform routine maintenance, run the various display commands to collect the
information you need to locate faults. The display diagnostic-information command gathers
information about all currently running system modules.

Procedure
- Run:
  display diagnostic-information [ file-name ]

  System diagnostic information is displayed.


The display diagnostic-information command collects the same information as many
other individual commands, such as display clock, display version, display cpu-usage,
display interface, display current-configuration, display saved-configuration, and
display history-command.
----End

1.4 Configuring User Interfaces


When a user uses a console port, Telnet, or SSH (STelnet) to log in to an ATN, the system manages
the session between the user and the ATN on the corresponding user interface.

1.4.1 User Interface Overview


The system supports console and Virtual Type Terminal (VTY) user interfaces.

Each user interface has a user interface view. A user interface view is a command line view the
system provides to configure and manage all the physical and logical interfaces in asynchronous
mode.

User Interfaces Supported by the System


- Console port (CON)
  The console port is a serial port provided by the main control board of the device.
  The main control board provides one console port. A terminal can use this port to connect
  directly to a device to perform local configurations.

- Virtual type terminal (VTY)
  A VTY is a logical terminal line. A VTY connection is set up when a device uses Telnet
  to connect to a terminal. This kind of connection is used to locally or remotely access a
  device.

Numbering of a User Interface


After a user logs in to the device, the system assigns the user the lowest numbered idle user
interface. The type of interface assigned depends on the user's login mode. There are two ways
to number user interfaces:
- Relative numbering
  Relative numbering uses a user interface type + number format.
  Relative numbering is used to specify user interfaces of a particular type. It can be used to
  number single user interfaces or user interface groups and must adhere to the following
  rules:
  Number of the console port: CON 0
  Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on

- Absolute numbering
  Absolute numbering is used to give a single user interface or a group of user interfaces a
  unique number.
  Absolute numbering starts with 0. Ports are numbered in a sequence beginning with CON
  -> VTY. There is only one console port, and 0-15 VTY interfaces. You can use the
  user-interface maximum-vty command to set the maximum number of user interfaces.
  By default, the system supports three types of user interfaces: CON and VTY.
  Table 1-10 shows absolute numbers for the user interfaces in this system.
Table 1-10 Description of absolute and relative numbers for user interfaces

User interface: Console user interface
Description: Manages and monitors users that log in through the console port.

User interface: VTY user interface
Description: Manages and monitors users that use Telnet or SSH to log in.
Absolute Number: 34 to 48, and 50 to 54. Among the absolute numbers, 49 is reserved for future use
and 50 to 54 are reserved for the network management system.
Relative Number:
- Absolute numbers 34 to 48 correspond to relative numbers TTY 0 to TTY 14.
- Absolute numbers 50 to 54 correspond to relative numbers TTY 16 to TTY 20.
Among the relative numbers, VTY 15 is reserved for future use and VTY 16 to VTY 20 are reserved
for the network management system.

NOTE

The absolute numbers allocated for VTY interfaces are device-specific.

Run the display user-interface command to view the absolute number of user interfaces.

Authentication of a User Interface


After a user is configured, the system authenticates the user during login.
There are two user authentication modes: password and AAA, which are described as follows:
- Password authentication: Users must enter a password, but not a username, during the login
  process.
- AAA authentication: Users must enter a password and a username during the login process.
  Telnet/SSH users are usually authenticated in this mode.

Priority of a User Interface


Users logged in to the ATN are managed according to their levels.
A user's level determines the level of commands the user is authorized to run.
- In the case of password authentication, the level of the command the user can run is
  determined by the level of the user interface.
- In the case of AAA authentication, the level of the command the user can run is determined
  by the level of the local user specified in the AAA configuration.

1.4.2 Configuring the Console User Interface


If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.

Before You Start


Before configuring the console user interface, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
If you need to log in to the ATN through a console port to perform local maintenance, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. These parameters have default values that
require no additional configuration, but you may modify these parameters as needed.

Pre-configuration Tasks
Before configuring a console user interface, use a terminal to log in to the ATN.

Data Preparation
To configure a console user interface, you need the following data.
No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, terminal screen length, number of characters in each line
     displayed in a terminal screen, and the size of the history command buffer
3    User priority
4    User authentication method, username, and password

NOTE

All the default values (excluding the password and username) are stored on the ATN and do not need
additional configuration.

Setting Terminal Attributes of the Console User Interface


This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines or number of characters in each line
displayed on a terminal screen, and size of the history command buffer.

Context
Terminal attributes of the console user interface have default values on the ATN that you may
modify as needed.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.


Step 3 Run:
shell

The terminal service is started.


Step 4 Run:
idle-timeout minutes [ seconds ]

The idle timeout period is set.


If a connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [ temporary ]

The terminal screen length is set.


The parameter temporary specifies the number of lines to be temporarily displayed on
a terminal screen.
By default, the terminal screen length is 24 lines.
Step 6 Run:
screen-width screen-width

The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value

The history command buffer is set.


By default, the size of the history command buffer is 10 entries.
----End

Configuring the User Privilege of the Console User Interface


This section describes how to control a user's authority to log in to the ATN and how to configure
a user's priority to improve ATN security.

Context
- Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
  the user level.
- This procedure sets the priority of a user who logs in through the console port. A user's
  level determines the level of commands the user is authorized to run.
- For details about command levels, see section 2.1.2 "Command Levels".

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.


Step 3 Run:
user privilege level level

The user privilege is set.


NOTE

- By default, users that log in through the console user interface can use level 15 commands, and users
  logging in through other user interfaces can use commands at level 0.
- If the command level and user level are inconsistent, the user level takes precedence.

----End

Configuring the User Authentication Mode of the Console User Interface


The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves ATN security.

Context
The system provides two authentication modes, as described in Table 1-11.
Table 1-11 Authentication Modes

Authentication Mode: AAA
Advantage: AAA provides user authentication with high security. The user name and password must
be entered for login.
Disadvantage: The configuration is complex. The user name and password for AAA authentication
must be created.

Authentication Mode: Password authentication
Advantage: Password authentication is based on VTY channels, which provides security. The
configuration is simple and only the login password is needed.
Disadvantage: It provides less security than AAA. All users can use the login password to log in
to a device.

Procedure
- Configure AAA authentication
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     aaa
     The AAA view is displayed.
  3. Run:
     local-user user-name password cipher password
     A username and password are created for the local user.
  4. Run:
     quit
     Exit the AAA view.
  5. Run:
     user-interface console interface-number
     The console user interface view is displayed.
  6. Run:
     authentication-mode aaa
     The authentication mode is set to AAA authentication.

- Configure password authentication
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     user-interface console interface-number
     The console user interface view is displayed.
  3. Run:
     authentication-mode password
     The authentication mode is set to password authentication.
  4. Run:
     set authentication password [ cipher password ]
     A password for password authentication is set.

NOTE

Passwords must meet the following requirements:

- If you do not enter cipher, the password is input in man-machine interaction mode, and
  the system does not display the entered password.
  The password is a string of 8 to 16 case-sensitive characters. The password must contain
  at least two of the following characters: upper-case characters, lower-case characters,
  numbers, and special characters.
  Special characters exclude the question mark (?) and space.
- When you enter cipher, the password is displayed in either plaintext or ciphertext.
  - When you input the password in plaintext, the password requirements are the same as
    those when you do not enter cipher.
  - When you input the password in ciphertext, the password must be a string of 56
    consecutive characters.
The password is displayed in ciphertext in the configuration file regardless of whether you
input it in plaintext or ciphertext.

----End

Checking the Configuration


After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.

Prerequisites
The configurations of the user management function are complete.

Procedure
- Run the display users [ all ] command to check information about the user interface.
- Run the display user-interface console ui-number1 [ summary ] command to check
  physical attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.

----End

Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0   00:00:44                             pass            no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 3 N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username     State   Type   CAR   Access-limit   Online
----------------------------------------------------------------------------
user123      Active  All    Dft   No             0
ll           Active  F      Dft   No             0
user1        Active  F      Dft   No             0
----------------------------------------------------------------------------
Total 3,3 printed

1.4.3 Configuring the VTY User Interface


If you need to use Telnet or SSH to log in to the ATN and perform local or remote maintenance,
you can configure the VTY user interface as needed.

Before You Start


Before configuring a VTY user interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
If you need to use Telnet or SSH to log in to the ATN and perform local or remote maintenance,
you can configure a VTY user interface. You can configure the maximum number of VTY user
interfaces, restrictions on incoming and outgoing calls, terminal property, user priority, and user
authentication mode.

Pre-configuration Tasks
Before configuring a VTY user interface, use a terminal to log in to the ATN.

Data Preparation
To configure a VTY user interface, you need the following data.

No.  Data
1    Maximum VTY user interfaces
2    (Optional) ACL code to restrict incoming and outgoing calls on VTY user interfaces
3    Idle timeout period, number of characters in each line displayed on a terminal screen,
     and size of the history command buffer
4    User priority
5    User authentication method, username, and password

NOTE

All of the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, user authentication method, username, and password) have default values that require no
additional configuration.

Setting the User Priority of the VTY User Interface


This section describes how to control a user's authority to log in to the ATN and how to configure
a user's priority to improve ATN security.

Context
- Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
  the user level.
- This procedure sets the priority of a user who logs in through the console port. A user's
  level determines the level of commands the user is authorized to run.
- For details about command levels, see section 2.1.2 "Command Levels".

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface vty interface-number

The VTY user interface view is displayed.


Step 3 Run:
user privilege level level

The user priority is set.


By default, users who log in through the VTY user interface can use commands at level 0.
NOTE

If the command level configured in the VTY user interface view and user priority are inconsistent, user
priority takes precedence.

----End

Setting the User Authentication Mode of the VTY User Interface


The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves ATN security.

Context
The system provides two authentication modes, as described in Table 1-12.
Table 1-12 Authentication Modes

Authentication Mode: AAA
Advantage: AAA provides user authentication with high security. The user name and password must
be entered for login.
Disadvantage: The configuration is complex. The user name and password for AAA authentication
must be created.

Authentication Mode: Password authentication
Advantage: Password authentication is based on VTY channels, which provides security. The
configuration is simple and only the login password is needed.
Disadvantage: It provides less security than AAA. All users can use the login password to log in
to a device.

Procedure
- Configuring AAA authentication

  NOTE
  Before setting the authentication mode to AAA authentication, set the priority of the local
  user to level 2.

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     user-interface vty number1 [ number2 ]
     The VTY user interface view is displayed.
  3. Run:
     authentication-mode aaa
     The authentication mode is set to AAA authentication.
  4. Run:
     quit
     You have exited the VTY user interface view.
  5. Run:
     aaa
     The AAA view is displayed.
  6. Run:
     local-user user-name password cipher password
     A username and password are created for the local user.
  7. Run:
     local-user user-name level value
     A priority for the local user is set.

- Configuring password authentication
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     user-interface vty number1 [ number2 ]
     The VTY user interface view is displayed.
  3. Run:
     authentication-mode password
     The authentication mode is set to password authentication.
  4. Run:
     set authentication password [ cipher password ]
     A password is set.
NOTE

Passwords must meet the following requirements:

- If you do not enter cipher, the password is input in man-machine interaction mode, and
  the system does not display the entered password.
  The password is a string of 8 to 16 case-sensitive characters. The password must contain
  at least two of the following characters: upper-case characters, lower-case characters,
  numbers, and special characters.
  Special characters exclude the question mark (?) and space.
- When you enter cipher, the password is displayed in either plaintext or ciphertext.
  - When you input the password in plaintext, the password requirements are the same as
    those when you do not enter cipher.
  - When you input the password in ciphertext, the password must be a string of 56
    consecutive characters.
The password is displayed in ciphertext in the configuration file regardless of whether you
input it in plaintext or ciphertext.

----End
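
The password rules in the NOTE above (the same rules apply to the console user interface) can be checked before a password is pushed to a device. The following Python is an added example, not part of the Huawei guide; treating "special characters" as ASCII punctuation and rejecting any password that contains "?" or a space are assumptions about how the rules are read.

```python
import string

# Characters the NOTE excludes from the special-character class.
EXCLUDED = {"?", " "}
# Length the NOTE gives for a password entered in ciphertext form.
CIPHERTEXT_LENGTH = 56


def plaintext_violations(password):
    """Return the plaintext rules a password breaks; an empty list means it passes."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8 to 16 characters")
    if any(ch in EXCLUDED for ch in password):
        problems.append("question mark and space are not allowed")
    classes = [
        any(ch in string.ascii_uppercase for ch in password),
        any(ch in string.ascii_lowercase for ch in password),
        any(ch in string.digits for ch in password),
        # Assumption: "special" means ASCII punctuation other than '?'.
        any(ch in string.punctuation and ch not in EXCLUDED for ch in password),
    ]
    if sum(classes) < 2:
        problems.append("needs at least two character classes")
    return problems


def classify_cipher_argument(value):
    """Classify a value supplied after the cipher keyword.

    A 56-character value can only be the ciphertext form, because plaintext is
    limited to 16 characters. Anything else must pass the plaintext rules.
    """
    if len(value) == CIPHERTEXT_LENGTH:
        return "ciphertext"
    return "plaintext" if not plaintext_violations(value) else "rejected"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Huawei@123", "abcdefgh", "Ab1?", "x" * 56, "a" * 20):
        print(repr(candidate), classify_cipher_argument(candidate),
              plaintext_violations(candidate))
```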

Setting the Terminal Attributes of the VTY User Interface


This section describes how to configure the terminal attributes of a VTY user interface, including
the user idle timeout, number of lines or characters displayed in each line in a terminal screen,
and size of the history command buffer.

Context
On the ATN, the terminal attributes of the VTY user interface have default values, which you
can reconfigure as needed.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.


Step 3 Run:
shell

The VTY terminal service is enabled.


Step 4 Run:
idle-timeout minutes [ seconds ]

The user idle timeout is enabled.


If the connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length [ temporary ]

The terminal screen length is set.


The parameter temporary specifies the number of lines to be temporarily displayed on
the terminal screen.
By default, the terminal screen length is 24 lines.
Step 6 Run:
history-command max-size size-value

The size of the history command buffer is set.


By default, a maximum number of 10 commands can be cached in the history command buffer.
----End

Configuring the Maximum Number of VTY User Interfaces


This section describes how to configure the maximum number of VTY user interfaces to limit
the number of users that log in to the ATN.

Context
The maximum number of VTY user interfaces equals the total number of users that can use
Telnet or SSH to log in to the ATN.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface maximum-vty number

The maximum number of VTY user interfaces is set.


NOTE

When the maximum number of VTY user interfaces is set to zero, no user (including the network
administrator) can use a VTY user interface to log in to the ATN.

If the set maximum number of VTY user interfaces is less than the maximum number of online
users, a message is displayed indicating that the configuration failed.
If the set maximum number of VTY user interfaces is greater than the maximum number of
current interfaces, the authentication mode and password must be set for the newly added user
interfaces.
Consider, for example, a system that permits a maximum of five users to be online. To enable
15 VTY users to be online at the same time, run the authentication-mode command to configure
authentication modes for VTY user interfaces from 5 to 14. The commands are run as follows:
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode password

----End
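
Two points from this section can be checked offline against a saved configuration: VTY interfaces added by raising user-interface maximum-vty need their own authentication mode, and with password authentication the command level comes from the user interface, so one shared password grants that level. The following Python is an added example, not part of the Huawei guide; the stanza layout of the constructed sample, the fallback of five VTY interfaces (taken from the example above), and the min_level threshold are assumptions.

```python
import re

# Constructed sample, shaped like the user-interface part of a saved configuration.
# The "con"/"vty" stanza headers and one-space indentation are assumptions.
SAMPLE_CONFIG = """\
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 set authentication password cipher <ciphertext>
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 5 9
 authentication-mode password
 user privilege level 3
"""

STANZA = re.compile(r"^user-interface (con(?:sole)?|vty) (\d+)(?: (\d+))?\s*$")
MAX_VTY = re.compile(r"^user-interface maximum-vty (\d+)\s*$")
# Defaults stated in the guide's NOTE: console users get level 15, others level 0.
DEFAULT_LEVEL = {"con": 15, "vty": 0}


def parse_user_interfaces(config, default_max_vty=5):
    """Return (max_vty, stanzas); default_max_vty is used when no limit is configured."""
    max_vty, stanzas, current = default_max_vty, [], None
    for line in config.splitlines():
        limit = MAX_VTY.match(line)
        header = STANZA.match(line)
        if limit:
            max_vty, current = int(limit.group(1)), None
        elif header:
            first = int(header.group(2))
            last = int(header.group(3)) if header.group(3) else first
            kind = "vty" if header.group(1) == "vty" else "con"
            current = {"kind": kind, "first": first, "last": last,
                       "auth": None, "level": DEFAULT_LEVEL[kind]}
            stanzas.append(current)
        elif not line.startswith(" "):
            current = None  # left the user-interface stanza
        elif current is not None:
            words = line.split()
            if words[:1] == ["authentication-mode"] and len(words) > 1:
                current["auth"] = words[1]
            elif words[:3] == ["user", "privilege", "level"] and len(words) > 3:
                current["level"] = int(words[3])
    return max_vty, stanzas


def vty_without_auth(config):
    """VTY relative numbers below maximum-vty that have no authentication-mode line."""
    max_vty, stanzas = parse_user_interfaces(config)
    covered = set()
    for s in stanzas:
        if s["kind"] == "vty" and s["auth"] is not None:
            covered.update(range(s["first"], s["last"] + 1))
    return [n for n in range(max_vty) if n not in covered]


def shared_password_interfaces(config, min_level=3):
    """Interfaces where a single shared password grants at least min_level.

    min_level=3 is a hypothetical review threshold, not a value from the guide.
    """
    _, stanzas = parse_user_interfaces(config)
    findings = []
    for s in stanzas:
        if s["auth"] == "password" and s["level"] >= min_level:
            name = f'{s["kind"]} {s["first"]}'
            if s["last"] != s["first"]:
                name += f' {s["last"]}'
            findings.append((name, s["level"]))
    return findings


if __name__ == "__main__":
    print("VTY numbers without an authentication mode:", vty_without_auth(SAMPLE_CONFIG))
    print("Shared-password interfaces:", shared_password_interfaces(SAMPLE_CONFIG))
```

In the constructed sample, VTY 10 to 14 exist because of maximum-vty 15 but have no authentication mode, and both the console and VTY 5 to 9 hand out their level to anyone who knows the interface password.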

(Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User
Interfaces
This section describes how to configure an ACL to restrict access of incoming and outgoing
calls on a VTY user interface to specific IP addresses or address segments.

Context
Perform the following steps on the device that functions as a server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Compared to a basic ACL that filters packets based on source addresses, an advanced ACL
supports richer filtering rules: it filters packets based not only on source addresses but also on
destination addresses or priorities. Run either of the following commands:
• For a basic ACL:
  To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name [ basic ]
  [ number acl-number2 ] } [ match-order { auto | config } ] command.
  To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
  [ number acl-number2 ] } [ match-order { auto | config } ] command.
• For an advanced ACL:
  To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name
  [ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] command.
  To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
  [ number acl-number2 ] } [ match-order { auto | config } ] command.
The user interface supports basic ACLs numbered 2000 to 2999 and advanced ACLs numbered
3000 to 3999.
Step 3 Run either of the following commands:
• For a basic ACL:
  To configure a basic ACL rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
  fragment-type-name | source { source-ip-address source-wildcard | any } | time-range
  time-name | vpn-instance vpn-instance-name ] * command.
  To configure a basic ACL6 rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
  fragment-type-name | source { source-ip-address source-wildcard | any } | time-range
  time-name | vpn-instance vpn-instance-name ] * command.
• For an advanced ACL:
  To configure an advanced ACL rule, run the rule [ rule-id ] { deny | permit } protocol
  [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address
  destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address
  source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
  To configure an advanced ACL6 rule, run the rule [ rule-id ] { deny | permit } protocol
  [ [ traffic-class traffic-class | dscp dscp | [ precedence precedence | tos tos ] * ] |
  destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length |
  any } | fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length |
  any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
NOTE

• By default, login packets that match no rule in the ACL are denied. Only users whose
  source IP addresses match an ACL rule with the permit action can log in to the device.
  In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
  logging in to the device while allowing the other users to log in to the device:
  • rule deny source 10.1.1.10 0
  • rule permit source any
  If the rule permit source any command is not configured, users whose source IP addresses are not
  10.1.1.10 will also be prohibited from logging in to the device.
• If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
  logging in to the device.
• If the ACL referenced by VTY does not contain any rules or does not exist, any user can log in to the
  device.

Step 4 Run:
quit

The system view is displayed.


Step 5 Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.


Step 6 Run:
acl [ ipv6 ] acl-number { inbound | outbound }

Restrictions for incoming and outgoing calls on the VTY interface are configured.
• If you want to prevent a user with a specific address or segment address from logging in to
  the ATN, use the inbound command.
• If you want to enable a user to log in to the ATN but prevent the user from accessing other
  ATNs, use the outbound command.
----End
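
The login decision described in the NOTE under Step 3 can be modeled offline before an ACL is bound to a VTY user interface. The following Python is an added example, not Huawei code or part of the original guide; it covers basic IPv4 ACL rules only, assumes match-order config with the rules listed in evaluation order, and uses constructed function names and rule sets.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    address: int   # source address as a 32-bit integer
    wildcard: int  # wildcard mask: a 1 bit means "ignore this bit"

    @property
    def care(self) -> int:
        """Bits of the source address that the rule actually compares."""
        return ~self.wildcard & MASK32

    def matches(self, source: str) -> bool:
        src = int(ipaddress.IPv4Address(source))
        return (src & self.care) == (self.address & self.care)


def parse_rule(line: str) -> Rule:
    """Parse 'rule [rule-id] {deny|permit} source {address wildcard | any}'."""
    tokens = line.split()
    if tokens[:1] != ["rule"]:
        raise ValueError(f"not an ACL rule: {line!r}")
    tokens = tokens[1:]
    if tokens and tokens[0].isdigit():      # optional rule-id
        tokens = tokens[1:]
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    if tokens[2] == "any":
        return Rule(tokens[0], 0, MASK32)
    if len(tokens) < 4:
        raise ValueError(f"missing wildcard: {line!r}")
    # The guide writes a host match as wildcard "0", meaning 0.0.0.0.
    wildcard = 0 if tokens[3] == "0" else int(ipaddress.IPv4Address(tokens[3]))
    return Rule(tokens[0], int(ipaddress.IPv4Address(tokens[2])), wildcard)


def vty_login_allowed(acl_rules, source: str) -> bool:
    """Decide a login on a VTY interface that has 'acl <number> inbound' applied.

    acl_rules is None when the referenced ACL does not exist, otherwise the
    rule lines in evaluation order (assumption: match-order config).
    """
    if not acl_rules:
        return True    # ACL missing or without rules: any user can log in
    for rule in map(parse_rule, acl_rules):
        if rule.matches(source):
            return rule.action == "permit"
    return False       # rules exist but none matched: the login is denied


def shadowed_rules(acl_rules):
    """Return indexes of rules that can never match because an earlier rule
    already matches every address they cover."""
    rules = [parse_rule(line) for line in acl_rules]
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            narrower = (earlier.care & ~later.care & MASK32) == 0
            same_net = (earlier.address & earlier.care) == (later.address & earlier.care)
            if narrower and same_net:
                hidden.append(i)
                break
    return hidden


# Constructed rule sets, based on the two rules quoted in the NOTE.
NOTE_ACL = ["rule deny source 10.1.1.10 0", "rule permit source any"]
DENY_ONLY = ["rule deny source 10.1.1.10 0"]
WRONG_ORDER = ["rule permit source any", "rule deny source 10.1.1.10 0"]

if __name__ == "__main__":
    for name, acl in [("note", NOTE_ACL), ("deny-only", DENY_ONLY),
                      ("wrong-order", WRONG_ORDER), ("empty", [])]:
        verdicts = {ip: vty_login_allowed(acl, ip) for ip in ("10.1.1.10", "10.1.1.11")}
        print(name, verdicts, "shadowed:", shadowed_rules(acl))
```

The deny-only set locks out every source, the empty set admits every source, and the wrong-order set leaves the deny rule unreachable, so 10.1.1.10 can still log in.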

(Optional) Configuring NMS Users to Log In Through VTY User Interfaces


Network Management System (NMS) users can log in to a device through VTY user interfaces
to set device parameters.

Context
NMS users can log in to the ATN through VTY user interfaces to set ATN parameters.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name password cipher password

A local user is created.


Step 4 Run:
local-user user-name user-type netmanager

The local user is set as an NM user.


Step 5 Run:
quit

The system view is displayed.


Step 6 Run:
user-interface vty first-ui-number [ last-ui-number ]

The user interface view is displayed.


Step 7 Run:
authentication-mode aaa

An authentication mode for logging in to the user interface is configured.


NOTE

The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as special
network management channels. The channels do not support the RSA authentication mode, but they do
support password authentication.

Step 8 Run:
quit

The system view is displayed.


Step 9 Run:
mmi-mode enable

The system is switched to the machine-to-machine mode.


NOTE

• This command is invisible to terminals and cannot be obtained by using the online help. In
  man-to-machine mode, exercise caution when using this command.
• In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS user
  can log in through VTYs. A common user cannot log in through Telnet but can log in by using the five
  reserved user interfaces.
• In the machine-to-machine mode, the system does not output logs, alarms, or debugging information
  to the screen.
• In the machine-to-machine mode, the save and reboot commands can be used directly.
• In the machine-to-machine mode, a maximum of 512 lines are displayed by default. You can use the
  screen-length command to adjust this value. In addition, you can run the screen-length temporary
  command to adjust the number of lines temporarily displayed on the screen.

----End

Checking the Configuration


After configuring a VTY user interface, you can view the maximum number of VTY user
interfaces, and physical attributes and configurations of user interfaces.

Prerequisites
The configurations of the VTY user interface are complete.

Procedure
• Run the display users [ all ] command to check information about user interfaces.
• Run the display user-interface maximum-vty command to check the maximum number
  of VTY user interfaces.
• Run the display user-interface [ ui-type ui-number1 | ui-number ] [ summary ] command
  to check the physical attributes and configurations of user interfaces.
• Run the display local-user command to check the local user list.
• Run the display vty mode command to check the VTY mode.

----End

Example
Run the display users command to view information about current user interfaces.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0    00:00:12 TEL    10.138.77.38                        no
  Username : Unspecified
+ 35  VTY 1    00:00:00 TEL    10.138.77.57                        no
  Username : Unspecified

Run the display user-interface maximum-vty command to view the maximum number of VTY
user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15

Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<HUAWEI> display user-interface vty 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0                   14    14          N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username         State   Type   CAR   Access-limit   Online
  ----------------------------------------------------------------------------
  user123          Active  All    Dft   No             0
  ll               Active  F      Dft   No             0
  user1            Active  F      Dft   No             0
  ----------------------------------------------------------------------------
  Total 3,3 printed

Run the display vty mode command to view the message indicating that the machine-to-machine
interface is enabled. For example:
<HUAWEI> display vty mode
current VTY mode is Machine-Machine interface


1.4.4 Configuration Examples


This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain the networking requirements and provide configuration
roadmaps and notes.

Example for Configuring the Console User Interface


In this example, a console user interface is configured to allow a user in password authentication
mode to log in to the ATN. The physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the interface.

Networking Requirements
A user uses the console user interface to log in to the ATN to initialize ATN configurations or
perform local router maintenance. You can set console user interface attributes as needed (for
example, for security reasons) to allow user logins.
In the console user interface view, the user priority is set to 15, and the password authentication
mode is set (the password is huawei@123).
If no user activity occurs and a connection is idle for more than 30 minutes after login, the
connection is torn down.

Configuration Roadmap
The configuration roadmap is as follows:
1. Set terminal attributes of the console user interface.
2. Set the user priority of the console user interface.
3. Set the user authentication mode and password of the console user interface.

Data Preparation
To complete the configuration, you need the following data:
• Timeout period for disconnecting from the console user interface: 30 minutes
• Number of lines a terminal screen displays: 30
• Number of characters a terminal screen displays: 60
• Size of the history command buffer: 20
• User priority: 15
• User authentication mode: password (password: huawei@123)

Procedure
Step 1 Set terminal attributes of the console user interface.
[HUAWEI-ui-console0] shell
[HUAWEI-ui-console0] idle-timeout 30
[HUAWEI-ui-console0] screen-length 30
[HUAWEI-ui-console0] screen-width 60
[HUAWEI-ui-console0] history-command max-size 20

Step 2 Set the user priority of the console user interface.


[HUAWEI-ui-console0] user privilege level 15

Step 3 Set the user authentication mode in the console user interface to password.
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher huawei@123
[HUAWEI-ui-console0] quit

After the console user interface is configured, a user in password authentication mode can use
a console port to log in and perform local maintenance on the ATN. For details on how a user
logs in to the ATN, see chapter 1.5 Configuring User Login.
----End

Configuration Files
#
sysname HUAWEI
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password cipher %@%@Cj+WL0Fp7Jds;@:9{6%5,"OpW%*U6"M&|')[9dQM
qc$O"Os,%@
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return

Example for Configuring a VTY User Interface


In this example, a VTY user interface is configured to enable a user in password authentication
mode to use Telnet or SSH (Stelnet) to log in to the ATN. The maximum number of VTY user
interfaces permitted, restrictions for incoming and outgoing calls, terminal attributes,
authentication mode, and password are set for the interface.

Networking Requirements
A user uses Telnet or SSH to log in to the ATN using a VTY channel. You can set VTY user
interface attributes as needed (for example, for security reasons) to enable user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password
authentication, and the password is "huawei@123". A user with the IP address of 10.1.1.1 is
prohibited from logging in to the ATN.
If no user activity occurs and a connection is idle for more than 30 minutes after login, the
connection is torn down.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set restrictions for incoming and outgoing calls on the VTY user interface to prevent an IP
   address or an IP address segment from accessing the ATN.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority of the VTY user interface.
5. Set the authentication mode and password of the VTY user interface.

Data Preparation
To complete the configuration, you need the following data:
• Maximum number of VTY user interfaces: 15
• ACL applied to restrict incoming calls on the VTY user interface: 2000
• Timeout period for disconnecting from the VTY user interface: 30 minutes
• Number of lines a terminal screen displays: 30
• Number of characters a terminal screen displays: 60
• Size of the history command buffer: 20
• User priority: 15
• User authentication mode: password (password: huawei@123)

Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15

Step 2 Set the limit on call-in and call-out in the VTY user interface.
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source any
[HUAWEI-acl-basic-2000] quit
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] acl 2000 inbound

Step 3 Set terminal attributes of the VTY user interface.


[HUAWEI-ui-vty0-14] shell
[HUAWEI-ui-vty0-14] idle-timeout 30
[HUAWEI-ui-vty0-14] screen-length 30
[HUAWEI-ui-vty0-14] screen-width 60
[HUAWEI-ui-vty0-14] history-command max-size 20

Step 4 Set the user priority of the VTY user interface.


[HUAWEI-ui-vty0-14] user privilege level 15

Step 5 Set the authentication mode and password of the VTY user interface.
[HUAWEI-ui-vty0-14] authentication-mode password
[HUAWEI-ui-vty0-14] set authentication password cipher huawei@123
[HUAWEI-ui-vty0-14] quit

After the VTY user interface is configured, a user authenticated in password mode can use Telnet
or SSH (Stelnet) to log in to the ATN and perform local or remote maintenance on the ATN.
For details on how a user logs in to the ATN, see 1.5 Configuring User Login.
----End

Configuration Files
#
sysname HUAWEI
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
authentication-mode password
set authentication password cipher %@%@1hG-2Z>g0GbO,b4AEnC/.HD{DMZ@*Gsm4-nwZ3EP
_IF;HD!.%@%@
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
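
A saved configuration like the one above can be checked offline for the VTY conditions this section describes: no authentication mode, no inbound ACL, an inbound ACL that is missing or empty (any user can log in), and an inbound ACL with no permit rule (no user can log in). The Python below is an added example, not a Huawei tool; the finding names and both sample configurations are constructed, and IPv6 ACL bindings are not handled.

```python
import re

ACL_HEADER = re.compile(r"acl (?:number )?(\d+)")
VTY_HEADER = re.compile(r"user-interface vty (\d+)(?: (\d+))?")
ACL_BINDING = re.compile(r"acl (\d+) inbound")
PERMIT_RULE = re.compile(r"rule (?:\d+ )?permit\b")


def parse_config(text):
    """Split a saved configuration into ACL rule lists and VTY blocks."""
    acls, vtys, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("#", "return"):
            current = None
            continue
        acl, vty = ACL_HEADER.fullmatch(line), VTY_HEADER.fullmatch(line)
        if acl:
            current = acls.setdefault(int(acl.group(1)), [])
        elif vty:
            first = int(vty.group(1))
            last = int(vty.group(2) or first)
            current = []
            vtys.append(((first, last), current))
        elif line.startswith("user-interface "):
            current = None      # console or maximum-vty line, not audited here
        elif current is not None:
            current.append(line)
    return acls, vtys


def audit_vty(text):
    """Return (interface, finding) pairs for the VTY blocks in a configuration."""
    acls, vtys = parse_config(text)
    findings = []
    for (first, last), lines in vtys:
        name = f"vty {first}-{last}"
        mode, level, bound = None, 0, []    # level 0 is the documented VTY default
        for line in lines:
            if line.startswith("authentication-mode "):
                mode = line.split()[1]
            elif line.startswith("user privilege level "):
                level = int(line.split()[-1])
            else:
                binding = ACL_BINDING.fullmatch(line)
                if binding:
                    bound.append(int(binding.group(1)))
        if mode not in ("aaa", "password"):
            findings.append((name, "no-authentication-mode"))
        if mode == "password" and level >= 3:
            # Levels 3-15 are the management level; one shared password grants it.
            findings.append((name, "management-level-behind-shared-password"))
        if not bound:
            findings.append((name, "no-inbound-acl"))
        for number in bound:
            rules = [r for r in acls.get(number, []) if r.startswith("rule ")]
            if not rules:
                findings.append((name, "inbound-acl-missing-or-empty"))
            elif not any(PERMIT_RULE.match(r) for r in rules):
                findings.append((name, "inbound-acl-has-no-permit"))
    return findings


# Constructed sample modelled on the configuration file in this example.
GUIDE_CONFIG = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 authentication-mode password
 set authentication password cipher <ciphertext placeholder>
 idle-timeout 30 0
#
return
"""

# Constructed sample showing the failure modes: ACL 2002 is never defined,
# ACL 2001 has no permit rule, and VTY 0-4 has no authentication mode.
WEAK_CONFIG = """\
#
acl number 2001
 rule 5 deny source 10.1.1.1 0
#
user-interface vty 0 4
 acl 2002 inbound
#
user-interface vty 5 14
 acl 2001 inbound
 authentication-mode aaa
#
return
"""

if __name__ == "__main__":
    for label, config in (("guide", GUIDE_CONFIG), ("weak", WEAK_CONFIG)):
        for interface, finding in audit_vty(config):
            print(f"{label}: {interface}: {finding}")
```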

1.5 Configuring User Login


A user can log in to the ATN through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the ATN locally or remotely after login.

1.5.1 User Login Overview


When the device works as the server, a user can log in to the device through a console port,
Telnet, STelnet, or web.
A user can manage devices by using either of the following methods:
• Command line: After logging in to the device through the console port, Telnet, or STelnet,
  the user runs command lines provided by the devices to manage and configure the devices.
  The user interface must be configured for the corresponding login mode.
  Table 1-13 lists the modes by which users can log in to the device to configure and manage
  the device using command lines.

Table 1-13 User login modes

Login Mode: 1.5.2 Logging In to Devices Through the Console Port
Applicable Scenario: A user logs in to the device using the console port on the user terminal to
power on and configure the device for the first time.
• If a user cannot access the device remotely, the user can use the console port to log in to
  the device locally.
• A user can use the console port to log in to diagnose a fault if the device fails to start or
  to enter the BootROM to upgrade the system.
Remarks: By default, a user can use the console port to directly log in to the device. The
authentication mode is password authentication, which indicates that a password is required for
authentication. The command access level is 3.

Login Mode: 1.5.3 Using Telnet to Log In to Devices
Applicable Scenario: A user uses a terminal to access the network and then uses Telnet to log in
to the device to perform local or remote configuration. The target device uses the configured
login parameters to authenticate the user.
The Telnet login mode facilitates remote device management and maintenance.
Remarks: By default, a user cannot use Telnet to log in to the device directly. To enable
Telnet login, use the console port to log in to the device locally and then perform the following
configuration tasks:
• Configure the IP address of the management network port on the device and ensure that a
  reachable route exists between the user terminal and the device. By default, an IP address is
  not configured on the device.
• Configure the user authentication mode of the VTY user interface. By default, the user
  authentication mode of the VTY user interface is not configured. Administrators must manually
  set a user authentication mode for the VTY user interface.
• Configure the user access level of the VTY user interface. By default, the user access level
  of the VTY user interface is 0.
• Enable the Telnet server function.

Login Mode: 1.5.4 Using STelnet to Log In to Devices
Applicable Scenario: A user uses a terminal to access the network. If the network is insecure, use
the Secure Shell (SSH) protocol to increase the security of the transmission and utilize a
powerful authentication mechanism. SSH protects the device system against attacks, such as IP
spoofing and plain text password interception.
The STelnet login mode better ensures the security of the exchanged data.
Remarks: By default, a user can use STelnet to directly log in to the device. The
authentication mode is password authentication, which indicates that a password is required for
authentication. The command access level is 3.

NOTE

Using Telnet to log in is an insecure method because no secure authentication mechanism is used
and data is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and
encrypts data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports secure Telnet (STelnet).
For detailed information about SSH, see Feature Description - Basic Configurations.

1.5.2 Logging In to Devices Through the Console Port


When a user needs to maintain a router locally or configure an ATN that is being powered on for
the first time, the user can log in through a console port.

Before You Start


Before configuring user login through a console port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
A user can locally log in to a device through a console port. The user must log in through a
console port when a router is being powered on for the first time.
• If a user cannot access the device remotely, the user can use the console port to log in to
  the device locally.
• A user can use the console port to log in to diagnose a fault if the device fails to start or to
  enter the BootROM to upgrade the system.

Pre-configuration Tasks
Before configuring user login through a console port, complete the following tasks:
• Configure the PC/terminal (including the serial port and console cable)
• Install the terminal emulator (for example, the Windows XP HyperTerminal) to the PC

Data Preparation
To configure user login through a console port, you need the following data.
No.  Data

     • Transmission rate, flow control mode, parity mode, stop bit, and data bit
     • Number of lines displayed in a terminal screen, number of characters displayed
       in a terminal screen, and size of the history command buffer
     • User priority
     • User authentication mode, username, and password

Logging In to the Device Using a Console Port


A user can log in by using a console port to connect a terminal to the device.

Context
• Communication parameters of the user terminal must match physical attribute parameters
  of the console user interface on the device.
• A user authentication mode must be configured on the console user interface.
  Authentication enhances network security because a user can log in to the device only after
  being successfully authenticated.

Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-6.

Figure 1-6 Creating a connection

Step 2 Set an interface, as shown in Figure 1-7.

Figure 1-7 Setting an interface

Step 3 Set communication parameters to match the ATN defaults, as shown in Figure 1-8.

Figure 1-8 Setting communication parameters

Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the new password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (8-16)
Enter Password:
Confirm Password:


NOTE

• If the device has the default password before delivery, enter the default password Admin@huawei.com
  to log in. The password is insecure, so you must change it immediately. For details on how to change
  the password, see Configuring the User Authentication Mode of the Console User Interface.
• After you set the password for the user interface, you must use this user interface to log in to the system
  again. Use password authentication mode and enter the new password.
• The passwords must meet the following requirements:
  • The password input is in man-machine interaction mode, and the system does not display the
    entered password.
  • The password is a string of 8 to 16 case-sensitive characters. The password must contain at least
    two of the following types of characters: upper-case characters, lower-case characters, numbers,
    and special characters.
    Special characters exclude the question mark (?) and space.
    The configured password is displayed in the configuration file in ciphertext.
• After you restart the device using the console port, press Enter after the following information is
  displayed.
  Recover configuration...OK!
  Press ENTER to get started.

----End

(Optional) Configuring the Console User Interface


If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.

Context
Console user interface attributes have default values on the device, and generally need no
modification. To meet specific user requirements or ensure network security, you can modify
console user interface attributes, such as terminal attributes and the user authentication mode.
For detailed settings, see section 4.2 Configuring Console User Interface.
NOTE

Changes to console user interface attributes take effect immediately. Therefore, the connection may be
interrupted if console user interface attributes are modified when you log in to the device through the
console port. For this reason, use another login mode to log in to the device when you modify console user
interface attributes. To log in to the device through the console port after you change the default console
user interface attributes, ensure that the configuration of the terminal emulator running on the PC is
consistent with the console user interface attributes configured on the device.

Checking the Configuration


After logging in through a console port, a user can view the usage information, physical attributes
and configurations, local user list, and online users on the console user interface.

Prerequisites
Configurations that enable a user to log in through a console port are complete.

Procedure
• Run the display users [ all ] command to check information about the user interface.
• Run the display user-interface console ui-number1 [ summary ] command to check
  physical attributes and configurations of the user interface.
• Run the display local-user command to check the local user list.

----End

Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0    00:00:44                            pass            no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600           3                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username         State   Type   CAR   Access-limit   Online
  ----------------------------------------------------------------------------
  user123          Active  All    Dft   No             0
  ll               Active  F      Dft   No             0
  user1            Active  F      Dft   No             0
  ----------------------------------------------------------------------------
  Total 3,3 printed

1.5.3 Using Telnet to Log In to Devices


When multiple ATNs need to be configured and managed, you do not need to maintain each
ATN locally. Instead, you can use Telnet to remotely log in to the ATNs and perform
maintenance, which greatly facilitates device management.

Context
The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.


Before You Start


Before using Telnet to configure user login, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
If you know the IP address of a remote ATN, you can use Telnet to log in to the ATN from a
local terminal. Telnet login allows you to maintain multiple remote ATNs from one local
terminal, which greatly facilitates device management.
Note that ATN IP addresses must be preset through console ports.

Pre-configuration Tasks
Before using Telnet to configure user login, you must log in to the device through the console
port to change the following default configurations on the device. Then users can use Telnet to
remotely log in to the device to manage and maintain it.
• Configure the IP address of the management network port on the device and ensure that a
  reachable route exists between the user terminal and the device
• Configuring the User Access Level and User Authentication Mode of the VTY User
  Interface for remote device management and maintenance
• Enabling the Telnet Service so that users can remotely log in to the device through Telnet

Data Preparation
Before configuring Telnet user login, you need the following data.
No.  Data

     • User priority
     • User authentication mode, username, and password
     • (Optional) Maximum number of VTY user interfaces permitted
     • (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
     • (Optional) Connection timeout period of terminal users, number of lines displayed
       in a terminal screen, number of characters displayed in a terminal screen, and size
       of the history command buffer

     IPv4/IPv6 address or host name of the ATN

     TCP port number the remote device uses to provide Telnet services, and the VPN
     instance name

Configuring the User Access Level and User Authentication Mode of the VTY User
Interface
By default, the user access level of the VTY user interface is 0. To enable a user terminal to use
Telnet to remotely log in to the device for maintenance and management, log in to the device
using the console port, change the user access level, and set a user authentication mode for the
VTY user interface.

Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY
User Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.

Procedure
- Configure the user access level of the VTY user interface.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     user-interface vty first-ui-number [ last-ui-number ]

     The VTY user interface view is displayed.

  3. Run:
     user privilege level level

     The user access level is set.


By default, the user access level of the VTY user interface is 0. Table 1-14 describes
the relationship between the user access levels and command levels.
Table 1-14 Association between user access levels and command levels

| User Level | Command Level | Level Name | Description |
|---|---|---|---|
| 0 | 0 | Visit level | This level gives access to commands that run network diagnostic tools, such as ping and tracert, and commands that start from a local device and visit external devices, such as Telnet client side. |
| 1 | 0 and 1 | Monitoring level | This level gives access to commands, such as the display command, that are used for system maintenance and fault diagnosis. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see ATN Command Reference. |
| 2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure network services provided directly to users, including routing and network layer commands. |
| 3-15 | 0, 1, 2, and 3 | Management level | This level gives access to commands that control basic system operations and provide support for services. These commands include file system commands, FTP commands, TFTP commands, configuration file switching commands, power supply control commands, user management commands, level setting commands, and debugging commands for fault diagnosis. |

NOTE

- Different user access levels are associated with different command levels. A user at a certain
  access level can use only commands that have a level less than or equal to the command
  level of the user. This helps ensure the security of the device.
- If the configured command level of the user interface conflicts with the operation rights of
  the username, the operation rights of the username take precedence.

- Configure the user authentication mode of the VTY user interface.

  Two authentication modes are available: password authentication and AAA
  authentication.

  Configuring Password Authentication

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     user-interface vty first-ui-number [ last-ui-number ]

     The VTY user interface view is displayed.

  3. Run:
     authentication-mode password

     The authentication mode is set to password authentication.

  4. Run:
     set authentication password [ cipher password ]

     A ciphertext password is set for password authentication.


NOTE

Passwords must meet the following requirements:

- If you do not enter cipher, the password is input in man-machine interaction mode,
  and the system does not display the entered password.
  The password is a string of 8 to 16 case-sensitive characters. The password must contain
  at least two of the following character types: upper-case characters, lower-case characters,
  numbers, and special characters.
  Special characters exclude the question mark (?) and space.
- When you enter cipher, the password is displayed in either plaintext or ciphertext.
  - When you input the password in plaintext, the password requirements are the same
    as those when you do not enter cipher.
  - When you input the password in ciphertext, the password must be a string of 56
    consecutive characters.

The password is displayed in ciphertext in the configuration file regardless of whether
you input it in plaintext or ciphertext.

  Configuring AAA Authentication

  When the user authentication mode of the VTY user interface is set to AAA
  authentication, the access type of the local user must be specified. A management user
  belongs to the default_admin domain by default.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     aaa

     The AAA view is displayed.

  3. Run:
     local-user user-name password cipher password

     A username and password for the local user are created.

  4. Run:
     local-user user-name service-type telnet

     The access type of the local user is set to Telnet.

  5. Run:
     quit

     You have exited the AAA view.

  6. Run:
     user-interface vty first-ui-number [ last-ui-number ]

     The VTY user interface view is displayed.

  7. Run:
     authentication-mode aaa

     The authentication mode is set to AAA authentication.


----End


Enabling the Telnet Service


Before a user terminal establishes a Telnet connection with the device, log in to the device
through the console interface to enable the Telnet server function on the device. Then the user
terminal can use Telnet to remotely log in to the device.

Context
On the device that serves as a Telnet server, select and perform the following steps for either
IPv4 or IPv6.

Procedure
- For the IPv4 network

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     telnet server enable

     The Telnet service is enabled.

- For the IPv6 network

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     telnet ipv6 server enable

     The Telnet service is enabled.

NOTE

- If the undo telnet [ipv6] server enable command is run when a user uses Telnet to log in,
  the command does not take effect.
- After the Telnet server function is disabled, you can only use SSH or an asynchronous
  serial port (rather than Telnet) to log in to the device.

----End

Using Telnet to Log In to the Device


After a remote device is configured, use Telnet to log in to the device from a terminal and perform
remote maintenance on the device.

Context
Use either the Windows CLI or third-party software in the terminal to log in to the ATN through
Telnet. This section describes how to use the Windows command line prompt.
On the user terminal, perform the following steps:

Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to Telnet the device.
   1. Input the IP address of the Telnet server, as shown in Figure 5-10.

      Figure 1-9 Windows CLI

   2. Press Enter to display the command line prompt, such as <HUAWEI>, for the system
      view. This indicates that you have accessed the Telnet server.
      If the password or AAA authentication mode has been set on the device, you must enter
      the login user name and password, and press Enter. The command line prompt of the user
      view is displayed, as shown in Figure 1-10.

      Figure 1-10 Login

----End

(Optional) Configuring the Listening Port Number of the Telnet Server


Setting appropriate parameters for the Telnet server, such as the listening port number and source
interface, improves network security.

Context
- Listening port number

  By default, the listening port number of a Telnet server is 23. Users can use the default
  listening port number to directly log in to the ATN. Attackers may access the default
  listening port, which consumes bandwidth, deteriorates server performance, and causes
  authorized users to be unable to access the server. After the listening port number of the
  Telnet server is changed, attackers do not know the new listening port number. This
  effectively prevents attackers from accessing the listening port.

- Source interface

  By default, a Telnet server receives connection requests from all interfaces, and therefore,
  the system is vulnerable to attacks. To enhance system security, you can specify the source
  interface of the Telnet server. This sets a login condition, and then only authorized users
  can log in to the Telnet server.
  After the source interface is specified, the system only allows Telnet users to log in to the
  Telnet server through this source interface, and Telnet users logging in through other
  interfaces are denied. Note that setting this parameter only affects Telnet users that attempt
  to log in to the Telnet server, and it does not affect Telnet users that have logged in to the
  server.

Perform the following on the ATN that functions as a Telnet server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure Telnet server parameters.
- Run:
  telnet server port port-number

  The listening port number of the Telnet server is set.

  If a new listening port number is set, the Telnet server terminates all established Telnet
  connections, and uses the new port number to listen to new requests for Telnet connections.

- Run:
  telnet server-source -i loopback interface-number

  The source interface of the Telnet server is set.

  NOTE

  Before specifying the source interface of the Telnet server, ensure that the loopback interface to be
  specified as the source interface has been created. If the loopback interface has not been created, the
  telnet server-source command cannot be correctly executed.

----End

(Optional) Configuring Telnet Access Control


An ACL can be configured to allow only specified clients to access a Telnet server.

Context
When a device functions as a Telnet server, you can configure an ACL to allow only the clients
that meet the rules specified in the ACL to access the Telnet server.
Do as follows on the device that functions as a Telnet server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] } [ match-order { auto | config } ]

or

acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ]

The ACL or ACL6 view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

or

rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL or ACL6 rule is configured.


NOTE

- By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose
  source IP addresses match the ACL rule with a permit action can log in to the device.
  In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
  logging in to the device while allowing the other users to log in to the device:
  - rule deny source 10.1.1.10 0
  - rule permit source any
  If the rule permit source any command is not configured, users whose source IP addresses are not
  10.1.1.10 will also be prohibited from logging in to the device.
- If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
  logging in to the device.
- If the ACL referenced by FTP does not contain any rules or does not exist, any user can log in to the
  device.

Step 4 Run:
quit

The system view is displayed.


Step 5 Run:
telnet [ ipv6 ] server acl { acl-number | acl-name }

An ACL is configured to filter Telnet users.


----End
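
The matching behaviour described in the NOTE under Step 3, as an added example (not Huawei's code): a small evaluator for the IPv4 "rule { deny | permit } source ..." subset shown on this page. It assumes the rules are listed in the order the device matches them, and that the NOTE's statement about an ACL with no rules (worded there for FTP) also holds for the Telnet binding; all function and constant names are illustrative.

```python
"""Added example: first-match evaluation of basic ACL rules bound to a Telnet server."""
import ipaddress
from dataclasses import dataclass
from typing import List

FULL_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    address: int   # source address as a 32-bit integer
    wildcard: int  # wildcard mask: 1-bits are ignored when matching

    def matches(self, source: int) -> bool:
        # Only the bits where the wildcard is 0 have to be equal.
        return ((source ^ self.address) & ~self.wildcard & FULL_MASK) == 0


def _to_int(text: str) -> int:
    # The page writes the single-host wildcard as a bare "0"; accept that
    # shorthand as well as dotted notation such as 0.0.0.255.
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_rule(line: str) -> Rule:
    """Parse 'rule [rule-id] {deny|permit} source {ip wildcard | any}'."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not an ACL rule: {line!r}")
    tokens = tokens[1:]
    if tokens and tokens[0].isdigit():      # optional rule-id
        tokens = tokens[1:]
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "source":
        raise ValueError(f"unsupported rule form: {line!r}")
    if tokens[2] == "any":
        return Rule(tokens[0], 0, FULL_MASK)
    if len(tokens) != 4:
        raise ValueError(f"expected 'source <ip> <wildcard>': {line!r}")
    return Rule(tokens[0], _to_int(tokens[2]), _to_int(tokens[3]))


def telnet_login_allowed(rule_lines: List[str], source_ip: str) -> bool:
    """Return True if a Telnet client at source_ip passes the ACL."""
    rules = [parse_rule(line) for line in rule_lines]
    if not rules:
        # Assumption taken from the NOTE: an ACL with no rules filters nothing.
        return True
    source = int(ipaddress.IPv4Address(source_ip))
    for rule in rules:
        if rule.matches(source):
            return rule.action == "permit"   # the first matching rule decides
    return False                              # nothing matched: login is denied


# The two rules from the NOTE above.
PAGE_ACL = ["rule deny source 10.1.1.10 0", "rule permit source any"]
# The same ACL without the trailing permit: every other source is denied too.
DENY_ONLY = ["rule deny source 10.1.1.10 0"]
# Constructed: the same two rules in the opposite order. The deny is shadowed.
SHADOWED = ["rule permit source any", "rule deny source 10.1.1.10 0"]
# Constructed: allow one management subnet only (addresses are sample values).
MGMT_ONLY = ["rule 5 permit source 192.168.10.0 0.0.0.255"]

if __name__ == "__main__":
    cases = [
        ("PAGE_ACL", PAGE_ACL, "10.1.1.10"),
        ("PAGE_ACL", PAGE_ACL, "10.1.1.11"),
        ("DENY_ONLY", DENY_ONLY, "10.1.1.11"),
        ("SHADOWED", SHADOWED, "10.1.1.10"),
        ("MGMT_ONLY", MGMT_ONLY, "192.168.10.77"),
        ("MGMT_ONLY", MGMT_ONLY, "192.168.11.1"),
    ]
    for name, acl, ip in cases:
        verdict = "login allowed" if telnet_login_allowed(acl, ip) else "login denied"
        print(f"{name:<10} {ip:<15} {verdict}")
```

The SHADOWED case is the one to check for when reviewing a device ACL: a broad permit placed ahead of a specific deny silently disables the deny.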

Checking the Configuration


After you use Telnet to log in to the system, you can view the connection status of each user
interface, including the current user interface, and the status of all established TCP connections.

Prerequisites
Telnet login configurations are complete.

Procedure
- Run the display users [ all ] command to check information about users logged in to user
  interfaces.
- Run the display tcp status command to check TCP connections.
- Run the display telnet server status command to check the configuration and status of the
  Telnet server.

----End

Example
Run the display users command to view information about the currently-used user interface.
<HUAWEI> display users
  User-Intf    Delay     Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0    00:00:12  TEL    10.138.77.38                        no
  Username : Unspecified
+ 35  VTY 1    00:00:00  TEL    10.138.77.57                        no
  Username : Unspecified

Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port    Foreign Add:port    VPNID  State
39952df8  36 /1509  0.0.0.0:0         0.0.0.0:0                  Closed
32af9074  59 /1     0.0.0.0:21        0.0.0.0:0           14849  Listening
34042c80  73 /17    10.164.39.99:23   10.164.6.13:1147           Established

Run the display telnet server status command to view the configuration and status of the Telnet
server.
<HUAWEI> display telnet server status
TELNET IPV4 server            :Enable
TELNET IPV6 server            :Enable
TELNET server port            :23
TELNET Server Source address  :0.0.0.0
ACL4 number                   :0
ACL6 number                   :0
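
An added example (not part of the Huawei guide) that parses the display telnet server status output shown above and flags the settings this section treats as exposure: Telnet enabled, the default listening port, no source interface, and no ACL. It assumes that a source address of 0.0.0.0 and an ACL number of 0 mean "not configured" and that a disabled server prints Disable; the second sample and all function names are constructed.

```python
"""Added example: audit 'display telnet server status' output for weak Telnet settings."""
from typing import Dict, List

# Output as shown on this page.
PAGE_STATUS = """\
<HUAWEI> display telnet server status
TELNET IPV4 server            :Enable
TELNET IPV6 server            :Enable
TELNET server port            :23
TELNET Server Source address  :0.0.0.0
ACL4 number                   :0
ACL6 number                   :0
"""

# Constructed sample: Telnet still on for IPv4, but restricted as the
# optional tasks in this section describe. All values are made up.
RESTRICTED_STATUS = """\
TELNET IPV4 server            :Enable
TELNET IPV6 server            :Disable
TELNET server port            :50023
TELNET Server Source address  :10.1.1.1
ACL4 number                   :2000
ACL6 number                   :0
"""

EXPLANATIONS = {
    "telnet-enabled": "Telnet carries credentials and session data in plain text; use STelnet.",
    "default-port": "The server listens on the default port 23.",
    "any-interface": "No source interface is set, so every interface accepts Telnet logins.",
    "no-acl-ipv4": "No ACL filters IPv4 Telnet clients.",
    "no-acl-ipv6": "No ACL filters IPv6 Telnet clients.",
}


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'KEY   :VALUE' lines into a dict with lower-cased, single-spaced keys."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[" ".join(key.split()).lower()] = value.strip()
    return fields


def audit_telnet_status(text: str) -> List[str]:
    """Return finding codes, in a fixed order, for one status output."""
    fields = parse_status(text)
    families = [
        family for family in ("ipv4", "ipv6")
        if fields.get(f"telnet {family} server", "").lower() == "enable"
    ]
    if not families:
        return []                       # Telnet is off: nothing else applies
    findings = ["telnet-enabled"]
    if fields.get("telnet server port") == "23":
        findings.append("default-port")
    # Assumption: 0.0.0.0 is what the device prints when no source interface is set.
    if fields.get("telnet server source address") == "0.0.0.0":
        findings.append("any-interface")
    # Assumption: ACL number 0 means no ACL is bound. Only report the address
    # families whose Telnet server is actually enabled.
    for family, key in (("ipv4", "acl4 number"), ("ipv6", "acl6 number")):
        if family in families and fields.get(key) == "0":
            findings.append(f"no-acl-{family}")
    return findings


if __name__ == "__main__":
    for name, sample in (("page output", PAGE_STATUS), ("restricted", RESTRICTED_STATUS)):
        print(name)
        for code in audit_telnet_status(sample) or ["(no findings)"]:
            print(f"  {code}: {EXPLANATIONS.get(code, '')}")
```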

1.5.4 Using STelnet to Log In to Devices


STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.

Before You Start


Before configuring users to log in using STelnet, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Telnet logins present security risks because no secure authentication mechanism exists and data
is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts
data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports STelnet and SFTP.

Pre-configuration Tasks
- Configure the IP address of the management network port on the device and ensure that a
  reachable route exists between the user terminal and the device.
- Configure the user access level and authentication mode of the VTY user interface for
  remote device management and maintenance.
- Configure the VTY user interface to support the SSH protocol, configure the SSH
  user and specify STelnet as a service mode for the SSH user, and enable the STelnet
  server function so that the user can remotely log in to the device through STelnet.
Data Preparation
To configure users to log in using STelnet, you need the following data:
No.  Data
1    User authentication mode, username, password, (optional) maximum number of VTY
     user interfaces permitted, (optional) ACL for restricting incoming and outgoing calls
     on VTY user interfaces, (optional) connection timeout period for terminal users,
     number of rows displayed in a terminal screen, and size of the history command buffer
2    Username, password, authentication mode, and service type of an SSH user, and
     remote public Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature
     Algorithm (DSA) or Elliptic Curves Cryptography (ECC) key pair allocated to the
     SSH user
3    (Optional) Name of an SSH server, number of the port monitored by the SSH server,
     preferred encryption algorithm from the STelnet client to the SSH server, preferred
     encryption algorithm from the SSH server to the STelnet client, preferred Hashed
     message authentication code (HMAC) algorithm from the STelnet client to the SSH
     server, preferred HMAC algorithm from the SSH server to the STelnet client,
     preferred algorithm for key exchange, name of the outgoing interface, and source
     address

Configuring the User Access Level and User Authentication Mode of the VTY User
Interface
By default, the user access level is 0. Before logging in to the device using STelnet for
maintenance and management, you must log in to the device through the console port to change
the user access level, and set a user authentication mode.


Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY
User Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.

Procedure
- Configure the user access level of the VTY user interface.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     user-interface vty first-ui-number [ last-ui-number ]

     The VTY user interface view is displayed.

  3. Run:
     user privilege level level

     The user access level is set.


By default, the user access level of the VTY user interface is 0. Table 1-15 describes
the relationship between the user access levels and command levels.
Table 1-15 Association between user access levels and command levels

| User Level | Command Level | Level Name | Description |
|---|---|---|---|
| 0 | 0 | Visit level | This level gives access to commands that run network diagnostic tools, such as ping and tracert, and commands that start from a local device and visit external devices, such as Telnet client side. |
| 1 | 0 and 1 | Monitoring level | This level gives access to commands, such as the display command, that are used for system maintenance and fault diagnosis. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see ATN Command Reference. |
| 2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure network services provided directly to users, including routing and network layer commands. |
| 3-15 | 0, 1, 2, and 3 | Management level | This level gives access to commands that control basic system operations and provide support for services. These commands include file system commands, FTP commands, TFTP commands, configuration file switching commands, power supply control commands, user management commands, level setting commands, and debugging commands for fault diagnosis. |

NOTE

- Different user access levels are associated with different command levels. A user at a certain
  access level can use only commands that have a level less than or equal to the command
  level of the user. This helps ensure the security of the device.
- If the configured command level of the user interface conflicts with the operation rights of
  the username, the operation rights of the username take precedence.

- Configure the user authentication mode of the VTY user interface.

  When the authentication mode of the VTY user interface is set to AAA authentication, the
  access type of the local user must be specified.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     local-user user-name password cipher password

     A username and password for the local user are created.

  3. Run:
     local-user user-name service-type ssh

     The access type of the local user is set to SSH.

  4. Run:
     user-interface vty first-ui-number [ last-ui-number ]

     The VTY user interface view is displayed.

  5. Run:
     authentication-mode aaa

     The authentication mode is set to AAA authentication.


----End

Configuring SSH for the VTY User Interface


For users to log in to the device using STelnet, VTY user interfaces must be configured to support
SSH.

Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.
NOTE

A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.

Perform the following on the ATN that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.


Step 3 Run:
authentication-mode aaa

The AAA authentication mode is configured.


Step 4 Run:
protocol inbound ssh

The VTY user interface is configured to support SSH.


----End

Configuring an SSH User and Specifying the Service Types


To implement STelnet access, configure a Secure Shell (SSH) user, create a local Rivest-Shamir-Adleman algorithm (RSA) or digital signature algorithm (DSA) key pair, configure a user
authentication mode, and specify a service type for the SSH user.

Context
- These SSH user authentication modes are available: RSA, DSA, ECC, password, password-RSA,
  password-DSA, password-ECC, and all. Password authentication depends on
  Authentication, Authorization and Accounting (AAA). Before a user logs in to the device
  in password, password-RSA, password-ECC, or password-DSA authentication mode, you
  must create a local user with the specified username in the AAA view.
  Password-RSA authentication depends on both password authentication and RSA
  authentication.
  Password-DSA authentication depends on both password authentication and DSA
  authentication.
  Password-ECC authentication depends on both password authentication and ECC
  authentication.
  All authentication depends on any one of the following: password authentication,
  DSA authentication, RSA authentication, or ECC authentication.

- The device must be configured to generate local RSA, ECC, or DSA key pairs, which are
  a key part of the SSH login process. If an SSH user logs in to an SSH server in password
  authentication mode, configure the server to generate a local RSA, ECC, or DSA key pair.
  If an SSH user logs in to an SSH server in RSA, ECC, or DSA authentication mode,
  configure both the server and the client to generate local RSA, ECC, or DSA key pairs.
  RSA and DSA are algorithms for user authentication in SSH. Compared with RSA
  authentication, DSA authentication adopts the DSA encryption mode and is widely used.
  In many cases, SSH only supports DSA to authenticate the server and the client. When the
  RSA or DSA authentication mode is used, the priority of the users depends on the priority
  of the VTY user interfaces used for login.

Perform the following operations on the ATN that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh user user-name

An SSH user is created.


If password authentication is configured for the SSH user, create the same SSH user in the AAA
view.

1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password cipher password command to configure a local
   username and a password.

Step 3 Create an RSA, DSA, or ECC key pair.

Two methods are available.

Method 1:

- Run the rsa local-key-pair create command to create a local RSA key pair.

  NOTE

  - Configure the rsa local-key-pair create command to generate a local key pair before completing
    other SSH configurations. The minimum length of the server key pair and the host key pair is 512
    bits, and the maximum length is 2048 bits.
  - After a local key pair is generated, you can run the display rsa local-key-pair public command
    to view the public key in the local key pair.
  - To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
    RSA key pairs, including the local key pair and server key pair.
    Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
    destroy command. The rsa local-key-pair destroy command configuration takes effect only once
    and therefore will not be saved in the configuration file.

- Run the dsa local-key-pair create command to generate the DSA local key pair.

  NOTE

  - You must configure the dsa local-key-pair create command to generate a local key pair before
    completing other SSH configurations. The length of the server key pair and the host key pair can
    be 512 bits, 1024 bits and 2048 bits. By default, the length of the key pair is 2048 bits.
  - After a local key pair is generated, you can run the display dsa local-key-pair public command
    to view the public key in the local key pair.
  - To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
    DSA key pairs, including the local key pair and server key pair.
    Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
    destroy command. The dsa local-key-pair destroy command configuration takes effect only once
    and therefore will not be saved in the configuration file.

- Run the ecc local-key-pair create command to generate the ECC local key pair.

  NOTE

  - You must configure the ecc local-key-pair create command to generate a local key pair before
    completing other SSH configurations. The length of the server key pair and the host key pair can
    be 256 bits, 384 bits and 521 bits. By default, the length of the key pair is 521 bits.
  - After a local key pair is generated, you can run the display ecc local-key-pair public command
    to view the public key in the local key pair.
  - To clear the local ECC key pair, run the ecc local-key-pair destroy command to destroy
    all local ECC key pairs, including the local key pair and server key pair.
    Check whether all local ECC key pairs are destroyed after running the ecc local-key-pair
    destroy command. The ecc local-key-pair destroy command configuration takes effect only once
    and therefore will not be saved in the configuration file.

Method 2:

1. Run the rsa key-pair label, dsa key-pair label, or ecc key-pair label command in the
   system view to create an RSA, DSA, or ECC key pair.
2. Run the ssh server assign { rsa-host-key | rsa-server-key | dsa-host-key | ecc-host-key } key-name
   command in the system view to assign an RSA host key, RSA server key,
   DSA host key, or ECC host key to an SSH server.

After the key pair is generated, run the display rsa key-pair, display dsa key-pair, or display
ecc key-pair command to check information about the RSA, DSA, or ECC key pair.

Step 4 Perform the operations as described in Table 1-16 based on the configured SSH user
authentication mode.
Table 1-16 Configuring an authentication mode for the SSH user

Issue 02 (2013-12-31)

Operation

Command

Description

Configure
Password
Authentication

1. Run the ssh user user-name


authentication-type password
command

If local or HuaWei Terminal


Access Controller Access Control
System (HWTACACS)
authentication is used and there
are only a few users, use password
authentication.

2. Run the aaa command to enter


the AAA view.

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

82

ATN 910&910I&910B&950B Multi-Service Access


Equipment
Configuration Guide(CLI)

Operation

Configure RSA
authentication

1 Basic Configurations

Command

Description

3. Run the local-user user-name


password cipher password
command to configure the
username and the password for the
local user.

The username must be the same to


the SSH user.

4. Run the local-user user-name


service-type ssh command to set
the access type of the local user to
SSH.

1. Run the ssh user user-name


authentication-type rsa command
to configure RSA authentication.

2. Run the rsa peer-public-key keyname [ encoding-type { der |


openssh | pem } ] command to
configure an encoding format for an
RSA public key and enter the RSA
public key view.

Huawei data communications


devices support only the DER
format for RSA keys before VRP
V500R012C01 version. If you use
an RSA key in non-DER format,
use a third-party tool to convert
the key into a key in DER format.

The default encoding format is


distinguished encoding rules (DER)
for an RSA public key.

By default, the administrators are


all in the domain default_admin.

Because a third-party tool is not


released with Huawei system
software, RSA usability is
unsatisfactory. In addition to
DER, RSA keys need to support
the privacy-enhanced mail (PEM)
and OpenSSH formats to improve
RSA usability after VRP
V500R012C01 version.
Third-party software, such as
SecureCRT, PuTTY, OpenSSH,
and OpenSSL, can be used to
generate RSA keys in different
formats. The details are as
follows:
l The SecureCRT and PuTTY
generate RSA keys in PEM
format.
l The OpenSSH generates RSA
keys in OpenSSH format.
l The OpenSSL generates RSA
keys in DER format.

3. Run the public-key-code begin


command to enter the public key
edit view.

Issue 02 (2013-12-31)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

83

ATN 910&910I&910B&950B Multi-Service Access


Equipment
Configuration Guide(CLI)

Operation

1 Basic Configurations

Command

Description

4. Enter hex-data to edit the public


key.

l In the public key edit view,


only hexadecimal strings
complying with the public key
format can be typed in. Each
string is randomly generated
on an SSH client. For detailed
operations, see manuals for
SSH client software.
l After entering the public key
edit view, paste the RSA
public key generated on the
client to the server.

5. Run the public-key-code end


command to exit from the public
key edit view.

6. Run the peer-public-key end


command to return to the system
view.

l Running the peer-public-key


end command generates a key
only after a valid hex-data
complying with the public key
format is entered.
l If the peer-public-key end
command is used after the key
key-name specified in Step 2 is
deleted in another window, the
system prompts a message,
indicating that the key does
not exist, and the system view
is displayed.

1. Run the ssh user user-name


authentication-type dsa command
to configure DSA authentication.

2. Run the dsa peer-public-key key-name encoding-type { der | openssh | pem } command to configure an encoding format for a DSA public key and enter the DSA public key view.
   Huawei data communications devices support the DER and PEM formats for DSA keys before VRP V500R012C01 version. If you use an RSA key in non-DER/PEM format, use a third-party tool to convert the key into a key in DER or PEM format. Because a third-party tool is not released with Huawei system software, DSA usability is unsatisfactory. In addition to DER and PEM, DSA keys need to support the OpenSSH format to improve DSA usability after VRP V500R012C01 version.

3. Run the public-key-code begin command to enter the public key edit view.

4. Enter hex-data to edit the public key.
   - In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software.
   - After entering the public key edit view, paste the RSA public key generated on the client to the server.

5. Run the public-key-code end command to exit from the public key edit view.

6. Run the peer-public-key end command to return to the system view.
   - Running the peer-public-key end command generates a key only after a valid hex-data complying with the public key format is entered.
   - If the peer-public-key end command is used after the key key-name specified in Step 2 is deleted in another window, the system prompts a message, indicating that the key does not exist, and the system view is displayed.

7. Run the ssh user user-name assign dsa-key key-name command to assign the SSH user a public key.

8. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a public key.

Configure ECC authentication

1. Run the ssh user user-name authentication-type ecc command to configure ECC authentication.

2. Run the ecc peer-public-key key-name encoding-type { der | pem | openssh } command to configure an encoding format for an ECC public key and enter the ECC public key view.

3. Run the public-key-code begin command to enter the public key edit view.

4. Enter hex-data to edit the public key.
   - In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software.
   - After entering the public key edit view, paste the RSA public key generated on the client to the server.

5. Run the public-key-code end command to exit from the public key edit view.

6. Run the peer-public-key end command to return to the system view.
   - Running the peer-public-key end command generates a key only after a valid hex-data complying with the public key format is entered.
   - If the peer-public-key end command is used after the key key-name specified in Step 2 is deleted in another window, the system prompts a message, indicating that the key does not exist, and the system view is displayed.

7. Run the ssh user user-name assign ecc-key key-name command to assign the SSH user a public key.

Step 5 (Optional) Use command lines to authorize SSH users.


Run:
ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 6 Run:
ssh user username service-type { stelnet | all }

The service type of the SSH user is configured.


By default, the service type of the SSH user is not configured.
----End

Enabling the STelnet Server Function


Enable the STelnet server function on the device, and then the user terminal can use STelnet to
remotely log in to the device.

Context
By default, the device is enabled with the STelnet server function.
Do as follows on the device that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stelnet server enable

The STelnet server function is enabled.


By default, the STelnet server function is disabled.
----End

Using STelnet to Log In to the Device


Users can remotely log in to the device using the Secure Shell (SSH) protocol from remote user
terminals to remotely maintain the device.

Context
Third-party software can be used on a terminal for STelnet login. This section describes the use
of third-party software OpenSSH and the Windows CLI.
After installing OpenSSH on the user terminal, perform the following on the user terminal:
NOTE

For details about how to install OpenSSH, refer to the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the software help document.

Procedure
Step 1 Open the Windows CLI.
Step 2 Run required OpenSSH commands to log in to the ATN in STelnet mode, as shown in Figure
5-12.

Figure 1-11 Logging in to the device in STelnet mode

----End

(Optional) Configuring the STelnet Server Parameters


You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated, and specify the source interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Perform any of the operations shown in Table 1-17 as needed.

Table 1-17 Server parameters

Server parameter: Configure the interval at which the key pair of the SSH server is updated
Command: Run the ssh server rekey-interval interval command.
Description: You can set an interval at which the key pair of an SSH server is updated. When the timer expires, the key pair is automatically updated, improving security.
By default, the interval is 0, indicating that the key is never updated.

Server parameter: Configure the timeout period of SSH authentication
Command: Run the ssh server timeout seconds command.
Description: If a user fails to log in when the timeout period of SSH authentication expires, the system disconnects the current connection to ensure the system security.
By default, the timeout period is 60 seconds.

Server parameter: Configure the number of times that SSH authentication is retried
Command: Run the ssh server authentication-retries times command.
Description: The number of times that SSH authentication is retried is set to deny access of invalid users.
By default, SSH authentication retries a maximum of 3 times.

Server parameter: Configure earlier SSH version compatibility
Command: Run the ssh server compatible-ssh1x enable command.
Description: There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X. SSH 2.0 can eliminate the security risks that SSH 1.X has. SSH 2.0 is more secure and therefore is recommended. SSH2.0 also supports more advanced services such as SFTP. The ATN supports SSH versions ranging from 1.3 to 2.0.
By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.

Server parameter: Configure the listening port number of the SSH server
Command: Run the ssh server port port-number command.
Description: The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, which consumes bandwidth, deteriorates server performance, and causes authorized users to be unable to access the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.
By default, the listening port number is 22.
If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections, and uses the new port number to listen to connection requests.

Server parameter: Source interface
Command: Run the ssh server-source -i loopback interface-number command.
Before the source interface of an SSH server is specified, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, the ssh server-source command cannot be correctly executed.
Description: By default, an SSH server receives connection requests from all interfaces, and therefore, the system is vulnerable to attacks. To enhance system security, you can specify the source interface of the SSH server. This sets a login condition after which only authorized users can log in to the SSH server.
After the source interface is specified, the system only allows SFTP or STelnet users to log in to the SSH server through this source interface. Any SFTP or STelnet users that log in through other interfaces are denied. Note that setting this parameter only affects SFTP or STelnet users that attempt to log in to the SSH server, but it does not affect SFTP or STelnet users that have already logged in to the server.

Server parameter: Configuring an ACL on the SSH server
Command: Run the ssh server acl acl-number or ssh ipv6 server acl acl-number command.
Description: This command specifies the clients that can access the SSH server running IPv4/IPv6. This configuration prevents unauthorized users from accessing the SSH server, ensuring data security.

----End

Checking the Configuration


After configuring users to log in using STelnet, you can view the SSH server configuration.

Prerequisites
STelnet login configurations are complete.

Procedure
- Run the display ssh user-information username command on the SSH server to check information about SSH users.
- Run the display ssh server status command on the SSH server to check its configurations.
- Run the display ssh server session command on the SSH server to check sessions for SSH users.

----End

Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<HUAWEI> display ssh user-information client001
User Name             : client001
Authentication-type   : password
User-public-key-name  :
Sftp-directory        :
Service-type          : stelnet

If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view SSH server configurations.
<HUAWEI> display ssh server status
SSH version                         :1.99
SSH connection timeout              :60 seconds
SSH server key generating interval  :0 hours
SSH authentication retries          :3 times
SFTP server                         :Disable
Stelnet server                      :Enable
SSH server source                   :0.0.0.0
ACL4 number                         :0
ACL6 number                         :0

Run the display ssh server session command. The command output shows information about
a session between the SSH server and client.
<HUAWEI> display ssh server session
Session 1:
Conn                 : VTY 3
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group-exchange-sha1
Service Type         : stelnet
Authentication Type  : password
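
An added example (not part of the Huawei guide): a Python check that reads display ssh server status output such as the one shown above and reports the settings this section describes as leaving the SSH server exposed, with the command from Table 1-17 that changes each one. Treating 0.0.0.0 as "no source interface set" and ACL number 0 as "no ACL applied" is an assumption drawn from the default output on this page; the sample text is that output, retyped.

```python
"""Audit `display ssh server status` output against the options in Table 1-17."""
import re

# Sample input: the default-state output printed in this section, retyped
# with its columns aligned.
SAMPLE_STATUS = """\
<HUAWEI> display ssh server status
SSH version                         :1.99
SSH connection timeout              :60 seconds
SSH server key generating interval  :0 hours
SSH authentication retries          :3 times
SFTP server                         :Disable
Stelnet server                      :Enable
SSH server source                   :0.0.0.0
ACL4 number                         :0
ACL6 number                         :0
"""


def parse_status(text):
    """Map each 'Field   :value' line to {field: value}; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so values may themselves contain colons.
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name:
            fields[name] = value.strip()
    return fields


def _leading_int(value):
    """Return the integer at the start of a value such as '0 hours', or None."""
    match = re.match(r"\d+", value)
    return int(match.group()) if match else None


# (field, test that is True when the setting is weak, finding, command to change it)
CHECKS = [
    ("SSH version",
     lambda v: v.startswith("1."),
     "SSH1.X clients are accepted (1.99 = SSH2.0 server with SSH1.X compatibility)",
     "undo ssh server compatible-ssh1x enable"),
    ("SSH server key generating interval",
     lambda v: _leading_int(v) == 0,
     "the server key pair is never updated",
     "ssh server rekey-interval interval"),
    ("SSH server source",
     lambda v: v == "0.0.0.0",  # assumption: 0.0.0.0 means no source interface is set
     "connection requests are accepted on all interfaces",
     "ssh server-source -i loopback interface-number"),
    ("ACL4 number",
     lambda v: v == "0",  # assumption: 0 means no ACL is applied
     "no ACL limits which IPv4 clients can connect",
     "ssh server acl acl-number"),
    ("ACL6 number",
     lambda v: v == "0",  # assumption: 0 means no ACL is applied
     "no ACL limits which IPv6 clients can connect",
     "ssh ipv6 server acl acl-number"),
]


def audit(text):
    """Return (field, value, finding, command) for each weak or unverifiable setting."""
    fields = parse_status(text)
    findings = []
    for field, is_weak, finding, command in CHECKS:
        value = fields.get(field)
        if value is None:
            # Truncated or differently formatted output must not pass silently.
            findings.append((field, None, "field missing from output, cannot verify", command))
        elif is_weak(value):
            findings.append((field, value, finding, command))
    return findings


if __name__ == "__main__":
    for field, value, finding, command in audit(SAMPLE_STATUS):
        print(f"[!] {field} = {value}: {finding}")
        print(f"    change with: {command}")
```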

1.5.5 Common Operations After Login


After logging in to the ATN, you can perform user priority switching, terminal window locking,
and other operations as needed.

Before You Start


Before performing any operations after login, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Configure user level switching and enable messaging between user interfaces to ensure that
operators can manage ATNs safely.

Pre-configuration Tasks
Before performing operations after login, connect the terminal to the ATN.

Data Preparations
Before performing operations after login, you need the following data:
No.  Data
1    Password used for switching user levels
2    Type and number of the user interface
3    Contents of the message to be sent

Locking User Interfaces


If you must be away from your work area, you can lock the user interface on a terminal to prevent
unauthorized access.

Context
The user interface can be a console user interface or VTY user interface.

Procedure
Step 1 Run:
lock

The user interface is locked.


Step 2 Follow the system prompts and input a password to unlock the user interface.
<HUAWEI> lock
Enter Password:
Confirm Password:

If the locking is successful, the system prompts that the user interface is locked.
You must enter the previously set password to unlock the user interface.
NOTE

The passwords must meet the following requirements:
- The password is a string of 8 to 16 case-sensitive characters.
- The password must contain at least two of the following characters: upper-case characters, lower-case characters, numbers, and special characters (excluding question marks and spaces).

----End

Sending Messages to Other User Interfaces


Users logged in to different interfaces can send messages to each other.

Context
Users logged in to the ATN can send messages from their user interface to users on other user
interfaces.

Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }

You can enable messages to be sent between user interfaces.


Step 2 Follow the prompt to view the message to be sent. You can press Ctrl_Z or Enter to end the
display or Ctrl_C to abort the display.
----End

Displaying Login Users


You can query information about login users.

Context
You can query the user name, address, and authentication and authorization information.

Procedure
- Run the display users [ all ] command to view information about logged-in users.
  If all is configured, information about all users logged in to user interfaces is displayed.

----End

Clearing Logged-in Users


If you want to force a logged-in user to log out of the ATN, you can tear down the connection
between the ATN and the user.

Context
You can run the display users command to view users logged in to the ATN.

Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.


Step 2 Based on the displayed information, you can confirm whether specified logged-in users have
been cleared.
----End

Configuring Configuration Locking


When multiple users log in to the ATN to configure the device, configuration conflict may occur.
To prevent these conflicts from affecting services, you can enable the configuration locking
function. This allows only one user to configure the device at a time.

Context
Before configuring configuration locking, check whether the configuration set is locked by
another user. If no user has locked the configuration set, you can exclusively lock the
configuration.

Procedure
Step 1 Run:
configuration exclusive

You have obtained exclusive configuration access.


After enabling the configuration locking function, you have the exclusive authority to perform
configurations on the ATN.
NOTE

You can run this command in any view.


You can run the display configuration-occupied user command to see which user has locked the
configuration.
If the configuration set is already locked, you cannot relock it.

Step 2 Run:
system-view

The system view is displayed.


Step 3 Run:
configuration-occupied timeout timeout-value

The timeout period for automatically unlocking the configuration is set.


After the timeout period expires, the configuration is automatically unlocked, and other users
can configure the device.
By default, the timeout period is 30s.
NOTE

- If the user does not have exclusive configuration access, this command cannot be configured.
- If the configuration set is locked by another user, this command cannot be configured.
- If the configuration set is locked by the current user, the current user can run this command.

----End

1.5.6 Configuration Examples


This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.

Example for Using a Console Port to Configure User Login


This example describes how to use a console port to configure user login. Login settings that
enable access to the ATN using a console port are configured on a PC.

Networking Requirements
If default values for console user interface parameters are modified, you must reset the
corresponding parameters on the PC before you can log in to the ATN again.
Figure 1-12 Networking diagram for using a console port to log in
[Figure: a PC connected to the ATN]

Configuration Roadmap
1. Connect a PC to the ATN through a console port.
2. Set login parameters on the PC.
3. Log in to the ATN.


NOTE

In this example, a terminal emulator is used.

Data Preparation
Communication parameters for the PC (baud rate: 38400 bps, data bit: 8, stop bit: 1, parity: none,
flow control mode: none)

Procedure
Step 1 Use a cable to connect the serial port of the PC to the console port of the ATN.
Step 2 Run the terminal emulator on the PC. Set the communication parameters for the PC as shown in Figure 1-13 to Figure 1-15. Set the transmission rate to 38400 bit/s, data bit to 8, parity bit to
none, stop bit to 1, and flow control mode to none.
Figure 1-13 Connection creation

Figure 1-14 Interface setting

Figure 1-15 Communication parameter settings

Step 3 Power on the ATN. The system starts an automatic configuration and self-check. After the self-check is complete, at the prompt "Password:", enter the correct authentication password and
press Enter. If a message (such as <HUAWEI>) is displayed, the login to the system is complete.
Then, you can enter a command to view the operating status of the ATN or configure the
ATN.
----End

Example for Configuring User Login Through Telnet


This example describes how to set parameters for using Telnet to log in to the ATN. In this
configuration example, a user logs in to the ATN after setting the VTY user interface and user
login parameters.

Networking Requirements
You can use a PC or other terminal to log in to an ATN on another network segment to perform
remote maintenance.
Figure 1-16 Networking diagram for login using Telnet
[Figure: PC, Network, ATN (GE0/2/0, 10.137.217.221/16)]

After a Telnet user logs in to the ATN in AAA authentication mode, the Telnet user is prohibited
from using this ATN to log in to another ATN.

Configuration Roadmap
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the ATN.
3. Set parameters of the VTY user interface, including limit on call-in and call-out.
4. Set user login parameters.
5. Log in to the ATN.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the PC
- IP address of the Ethernet interface on the ATN: 10.137.147.91/16
- Maximum number of VTY user interfaces: 10
- Number of the ACL that is used to prohibit users from logging into another ATN: 3001
- Timeout period for disconnecting from the VTY user interface: 20 minutes
- Number of lines a terminal screen displays: 30
- Size of the history command buffer: 20
- Telnet user information (authentication mode: AAA, username: huawei, password: Hello@123)

Procedure
Step 1 Connect the PC and the ATN to the network.
Step 2 Configure a login address.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/2/0
[HUAWEI-GigabitEthernet0/2/0] undo shutdown
[HUAWEI-GigabitEthernet0/2/0] ip address 10.137.217.221 255.255.0.0
[HUAWEI-GigabitEthernet0/2/0] quit

Step 3 Configure the VTY user interface on the ATN.


# Set the maximum number of VTY user interfaces.
[HUAWEI] user-interface maximum-vty 10

# Configure an ACL that is used to prohibit users from logging into another ATN.
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[HUAWEI-acl-adv-3001] quit
[HUAWEI] user-interface vty 0 9
[HUAWEI-ui-vty0-9] acl 3001 outbound

# Set terminal attributes of the VTY user interface.
[HUAWEI-ui-vty0-9] shell
[HUAWEI-ui-vty0-9] idle-timeout 20
[HUAWEI-ui-vty0-9] screen-length 30
[HUAWEI-ui-vty0-9] history-command max-size 20

# Set the user authentication mode of the VTY user interface.


[HUAWEI-ui-vty0-9] authentication-mode aaa
[HUAWEI-ui-vty0-9] quit

Step 4 Set user login parameters on the ATN.


# Specify the user authentication mode.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher Hello@123
[HUAWEI-aaa] local-user huawei service-type telnet
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit

Step 5 # Configure user login.


Use the command line to telnet the ATN. The Telnet login window is shown in Figure 5-19.
Figure 1-17 Telnet login window on the PC

Press Enter, and then input the username and password in the login window. If user
authentication succeeds, a command line prompt is displayed in the system view, which indicates
that you have entered the user view.

Figure 1-18 Window after login of the ATN

Press Enter and then input the username and password in the login window. If user
authentication succeeds, a command line prompt such as <HUAWEI> is displayed.
----End

Configuration Files
ATN configuration file
#
sysname HUAWEI
#
acl number 3001
 rule 5 deny tcp destination-port eq telnet
#
aaa
 local-user huawei password cipher %@%@!woZ2kKbSPy)TD0i$iVHq:[{/,ayXgHnsJcf2tT!!N,6:[!q%@%@
 local-user huawei service-type telnet
 local-user huawei state block fail-times 3 interval 5
 local-user huawei level 3
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip address 10.137.147.91 255.255.0.0
#
user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 9
 acl 3001 outbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return

Example for Using STelnet to Configure User Login


This example describes how to configure user login through STelnet. After generating the local
key pair, configuring the SSH user name and password, and enabling the STelnet service on the
SSH server, you can connect the STelnet client to the SSH server.

Networking Requirements
As shown in Figure 1-19, after the STelnet service is enabled on the SSH server, an STelnet
client can use any authentication mode (password, Rivest-Shamir-Adleman Algorithm (RSA),
password-RSA, Digital Signature Algorithm (DSA), password-DSA, Elliptic Curves
Cryptography (ECC), password-ECC or all) to log in to the SSH server.
This example uses the password authentication mode.
Figure 1-19 Networking diagram for configuring user login through STelnet
[Figure: PC, Network, SSH Server (GE0/2/0, 10.164.39.210/16)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to enable secure data exchange between the STelnet client and the SSH server.
2. Configure a VTY user interface on the SSH server.
3. Configure an SSH client, which involves setting a user authentication mode, a username, and a password.
4. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:
- SSH user authentication mode: password, username: client001, password: !QAZ@WSX3edc
- User level of client001: 3
- IP address of the SSH server: 10.164.39.210

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure a VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the ATN automatically disables Telnet.

Step 3 Configure the password of SSH user Client001 as !QAZ@WSX3edc.


[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher !QAZ@WSX3edc
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.


[SSH Server] ssh user client001 service-type stelnet
[SSH Server] stelnet server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] quit

Step 5 Verify the configuration.


# Use PuTTY software to log in to the device. Specify the IP address of the device as
10.164.39.210 and the login protocol as SSH, as shown in Figure 5-22.

Figure 1-20 PuTTY configuration

# Use PuTTY software to log in to the device, and enter the username client001 and the
password !QAZ@WSX3edc, as shown in figure 5-23.
Figure 1-21 Logging in to the device using PuTTY software

----End

Configuration Files
- SSH server configuration file
#
sysname SSH Server
#
aaa
 local-user client001 password cipher %@%@!woZ2kKbSPy)TD0i$iVHq:[{/,ayXgHnsJcf2tT!!N,6:[!q%@%@
 local-user client001 level 3
 local-user client001 service-type ssh
 local-user client001 state block fail-times 3 interval 5
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip address 10.164.39.210 255.255.255.0
#
stelnet server enable
ssh user client001 authentication-type password
ssh user client001
ssh user client001 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

1.6 Managing the File System


The file system manages the files and directories on the storage devices of the ATN. It can move
or delete a file or directory, or display the contents of a file.

1.6.1 File System Overview


The ATN uses the file system to manage all files.

File System
The file system manages files and directories on the storage devices. It can create, delete, modify,
or rename a file or directory, or display the contents of a file.
The file system has two functions: managing storage devices and managing the files that are
stored on those devices.

Managing Files Using the File System


After logging in to the ATN by using the console port, Telnet, or STelnet, you can manage
storage devices, directories, and files.
- Storage devices
  Storage devices are hardware devices for storing data.
  At present, the ATN supports storage devices such as compact flash (CF) cards and flash cards.
- Files
  A file is a resource for storing and managing data.
- Directories
  A directory is a logical container that the system uses to organize files.

File Management Methods


You can use FTP or SFTP to manage files.

Using FTP to Manage Files


FTP is a standard application protocol based on the TCP/IP protocol suite. FTP is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode:
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
- Control connection: issues commands from the client to the server and transmits replies
  from the server to the client, which minimizes the transmission delay.
- Data connection: transmits data between the client and server, which maximizes the
  throughput.

FTP has two file transfer modes:


- Binary mode: Used to transfer program files, such as .app, .bin, and .btm files.
- ASCII mode: Used to transfer text files, such as .txt, .bat, and .cfg files.

The device provides the following FTP functions:


- FTP client: Users can use a terminal emulator or Telnet program to connect PCs to the
  device, and run the ftp command to establish a connection between the device and a remote
  FTP server to access and operate files on the server.
- FTP server: Users can use an FTP client program to log in to the device and operate files
  on the device.
  Before users log in, the network administrator must configure an IP address for the FTP
  server.

NOTE
FTP is an insecure protocol, and using it introduces security risks. Exercise caution when
using it.

Using SFTP to Manage Files


SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device that
functions as a client to log in to a remote server and transfer files securely.
If the SFTP server or the connection between the server and the client fails, the client needs to
detect the fault in time and release the connection. To help the client do this, configure
the interval at which Keepalive packets are sent when no packets are received, and the maximum
number of times the server can fail to respond before the client releases the connection:
- If the client does not receive any packets within the specified period, the client sends a
  Keepalive packet to the server.
- If the number of times the server fails to respond exceeds the specified maximum,
  the client proactively releases the connection.

1.6.2 Using the File System to Manage Files


You can use the file system to manage storage devices, directories, and files.

Before You Start


Before using the file system to manage files, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration tasks quickly and correctly.

Applicable Environment
Use the file system to manage files or directories on the ATN. If the ATN is unable to save or
obtain data, log in to the file system and repair the faulty storage devices.

Pre-configuration Tasks
Before logging in to the file system to manage files, connect the client to the server.

Data Preparation
To manage files by logging in to the file system, you need the following data:
No.  Data
1    Storage device name
2    Directory name
3    File name

Managing Storage Devices


If a storage device file system on the ATN is not functioning correctly, you must repair and
format the file system before managing the storage device.

Context
If the file system on a storage device fails, the terminal of the ATN prompts you to rectify the
fault.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device.

NOTICE
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.

Procedure
- Run:
  fixdisk device-name
  The storage device with file system problems is repaired.
  NOTE
  If, after running this command, the prompt still says the system should be repaired, there may be
  damage to the physical storage medium.
- Run:
  format device-name
  The storage device is formatted.
  NOTE
  If the storage device does not work after you run this command, there may be a hardware fault.

----End

Managing Directories
You can manage directories to store files in a logical hierarchy.

Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.

Procedure
- Run:
  cd directory
  A directory is specified.
- Run:
  pwd
  The current directory is displayed.
- Run:
  dir [ /all ] [ filename ]
  A list of files and sub-directories in the directory is displayed.
  Either the absolute path or relative path applies.
- Run:
  mkdir make-remote-directory
  The directory is created.
- Run:
  rmdir delete-remote-directory
  The directory is deleted.

----End

Managing Files
You can log in to the file system to view, delete, or rename files on the ATN.

Context
- Managing files includes: displaying contents, copying, moving, renaming, compressing,
  deleting, undeleting, deleting files in the recycle bin, running files in batches, and
  configuring prompt modes.
- You can run the cd directory command to enter another directory from the current directory.

Procedure
- Run:
  more file-name [ offset ] [ all ]
  The content of a file is displayed.
  Specify parameters in the more command for file viewing options:
  - Run the more file-name command to view the file named file-name. Text file contents
    are displayed one screen at a time. Press the spacebar on the current terminal to display
    all contents of the current file.
    Two preconditions must be met to display the contents of a text file one screen at a time:
    - The value configured by the screen-length screen-length temporary command must
      be greater than 0.
    - The total number of lines in the file must be greater than the value configured by the
      screen-length command.
  - Run the more file-name offset command to view the file named file-name. Text file
    contents are displayed one screen at a time, beginning with the line specified by
    offset. Press and hold the spacebar on the current terminal to display all contents of the
    current file.
    Two preconditions must be met to display the contents of a text file one screen at a time:
    - The value configured by the screen-length screen-length command must be greater
      than 0.
    - The difference between the number of characters in the file and the value of
      offset must be greater than the value configured by the screen-length command.
  - Run the more file-name all command to view the file named file-name. All text file
    contents are displayed without pausing after each screen.
- Run:
  copy source-filename destination-filename
  The file is copied.
- Run:
  move source-filename destination-filename
  The file is moved.
- Run:
  rename source-filename destination-filename
  The file is renamed.
- Run:
  zip source-filename destination-filename
  The file is compressed.
- Run:
  delete [ /unreserved ] [ /quiet ] { filename | device-name }
  The file is deleted.
  NOTICE
  If you use the /unreserved parameter in the delete command, the file cannot be restored
  after being deleted.
- Run:
  undelete filename
  The deleted file is recovered.
  NOTE
  If the current directory is not the parent directory, you must use the absolute path to the file to perform
  operations.
- Run:
  reset recycle-bin [ filename ]
  The file is deleted.
  You can use this command to permanently delete files in the recycle bin.
- Run files in batches.
  You can process uploaded files in batches. The edited batch files need to be saved to a
  storage device on the ATN.
  You can create and run a batch file to implement routine tasks as follows:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     execute filename
     The batch file is executed.
- Configure prompt modes.
  The system displays prompts or warning messages when you operate the device (especially
  if these operations lead to data loss). If you need to change the prompt mode for file
  operations, you can configure the file system prompt mode.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     file prompt { alert | quiet }
     The file system prompt mode is configured.
     The default prompt mode is alert.
     NOTICE
     If the prompt mode is set to quiet, no prompt appears when data is lost due to
     inappropriate operating procedures.
----End

1.6.3 Using FTP to Manage Files


FTP can transmit files between local and remote hosts. FTP is widely used for upgrading
versions, downloading logs, transmitting files, and saving time spent on configurations.

Context
The FTP protocol poses a security risk, and therefore the SFTP protocol is recommended.

Before You Start


Before using FTP to manage files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
When an FTP client logs in to an ATN that serves as an FTP server, the user can transfer files
between the client and the server.

Pre-configuration Tasks
Before using FTP to manage files, connect the FTP client to the server.

Data Preparation
To use FTP to manage files, you need the following data:

No.  Data
1    FTP username and password, and authorized FTP file directory name
2    (Optional) Listening port number specified on the FTP server
3    (Optional) Source IP address or source interface of the FTP server
4    (Optional) Timeout period for disconnecting from the FTP server
5    IP address or host name of the FTP server

Configuring a Local FTP User


You can configure a user authorization mode and an authorized directory for FTP users to access.
Unauthorized users cannot access the specified directory, which reduces security risks.

Context
To use FTP to manage files, you must configure a local username and a password on the ATN
and specify a service type and the directories that can be accessed.
Perform the following operations on the ATN that functions as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
set default ftp-directory directory

The default FTP working directory is configured.


NOTE

The configuration in this step takes effect only for TACACS users.

Step 3 Run:
aaa

The AAA view is displayed.


Step 4 Run:
local-user user-name password cipher password

The local user name and password are configured.


Step 5 Run:
local-user user-name service-type ftp

The FTP service type is configured.


Step 6 Run:
local-user user-name level level

The local user level is set.


NOTE

The local user level must be set to level 3 or higher.

Step 7 Run:
local-user user-name ftp-directory directory

The authorized directory for the FTP user is configured.


----End

(Optional) Specifying a Port Number for the FTP Server


You can configure or change the listening port number for an FTP server. After the port number
is changed, only the user knows the current port number, which protects system security.

Context
The default listening port number for an FTP server is 21. Users can log in to the ATN directly
by using the default listening port number. Attackers can also access the default listening port
to launch attacks that reduce available bandwidth and affect server performance, which prevents
valid users from accessing the server. Changing the FTP server listening port number effectively
prevents attackers from accessing the server through the listening port.
NOTE
- If FTP is not enabled, change the FTP port.
- If FTP is enabled, run the undo ftp server command to disable FTP, and then change the FTP port.

Perform the following on the ATN that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp [ ipv6 ] server port port-number

The port number of the FTP server is configured.


Once a new listening port number is configured, the FTP server interrupts all existing FTP
connections and starts using the new listening port.
----End

Enabling the FTP Server


You must enable an FTP server on the ATN before using FTP to manage files.

Context
The FTP server is disabled on the ATN by default. You must enable the FTP server before using
it.
Perform the following on the ATN that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp [ ipv6 ] server enable

The FTP server is enabled.


NOTE

When file operations between clients and the ATN are complete, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This protects ATN security.

----End

(Optional) Configuring the FTP Server Parameters


FTP server parameters include the FTP server source address and the timeout period for FTP
connections.

Context
- You can configure a source IP address for the FTP server. FTP clients can then access
  the server only at this address, which protects system security.
- You can configure the timeout period for FTP connections on the FTP server. When the
  timeout period for an FTP connection expires, the system terminates the connection to
  release resources.

Perform the following on the ATN that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp server-source { -a ip-address | -i interface-type interface-number }

The source IP address or source interface of the FTP server is configured.
To log in to the FTP server, you must specify the source IP address for the server in the ftp
command, or you cannot log in to the FTP server.
Step 3 Run:
ftp timeout minutes

The timeout period for the FTP server is configured.


If the client is idle for the configured time, the connection to the FTP server is terminated.
By default, the timeout value is 30 minutes.


----End

(Optional) Configuring an FTP ACL


After an FTP ACL is configured, only specified clients can access the ATN.

Context
When the ATN functions as an FTP server, you can configure an ACL to allow the clients that
meet matching rules to access the FTP server.
Perform the following steps on the ATN that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Compared to a basic ACL that filters packets based on source addresses, an advanced ACL
supports richer filtering rules: not only based on packet source addresses but also based on packet
destination address or priorities. Run either of the following commands:
- For a basic ACL:
  To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name [ basic ]
  [ number acl-number2 ] } [ match-order { auto | config } ] command.
  To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
  [ number acl-number2 ] } [ match-order { auto | config } ] command.
- For an advanced ACL:
  To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name
  [ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] command.
  To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
  [ number acl-number2 ] } [ match-order { auto | config } ] command.
The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL
ranging from 3000 to 3999.
Step 3 Run either of the following commands:
- For a basic ACL:
  To configure a basic ACL rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
  fragment-type-name | source { source-ip-address source-wildcard | any } | time-range
  time-name | vpn-instance vpn-instance-name ] * command.
  To configure a basic ACL6 rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
  fragment-type-name | source { source-ip-address source-wildcard | any } | time-range
  time-name | vpn-instance vpn-instance-name ] * command.
- For an advanced ACL:
  To configure an advanced ACL rule, run the rule [ rule-id ] { deny | permit } protocol
  [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address
  destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address
  source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
  To configure an advanced ACL6 rule, run the rule [ rule-id ] { deny | permit } protocol
  [ [ traffic-class traffic-class | dscp dscp | [ precedence precedence | tos tos ] * ] |
  destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length
  | any } | fragment | source { source-ipv6-address prefix-length |
  source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance
  vpn-instance-name ] * command.
NOTE
- By default, the deny action in an ACL rule is taken for all login user packets. Only users whose
  source IP addresses match an ACL rule with a permit action can log in to the device.
  In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
  logging in to the device while allowing the other users to log in to the device:
    rule deny source 10.1.1.10 0
    rule permit source any
  If the rule permit source any command is not configured, users whose source IP addresses are not
  10.1.1.10 will also be prohibited from logging in to the device.
- If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
  logging in to the device.
- If the ACL referenced by FTP does not contain any rules or does not exist, any user can log in to the
  device.

Step 4 Run:
quit

The system view is displayed.


Step 5 Run:
ftp [ ipv6 ] acl acl-number

The FTP ACL is configured.


----End
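
The rule-matching behaviour described in the NOTE of Step 3, as an added example that is not Huawei's code: a small Python model that decides whether an FTP login from a given source address is allowed. It assumes rules are checked in the order they are listed and covers IPv4 basic-ACL source rules only; the function names and sample configurations are constructed for illustration.

```python
import ipaddress
import re

ACL_RE = re.compile(r"acl(?:\s+number)?\s+(\d+)$")
FTP_ACL_RE = re.compile(r"ftp\s+acl\s+(\d+)$")
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(deny|permit)\s+source\s+(?:(any)|(\S+)\s+(\S+))$")

# Constructed sample configurations in the page's command syntax
# (not captured from a device).
CONFIG_WITH_PERMIT_ANY = """
acl number 2001
 rule deny source 10.1.1.10 0
 rule permit source any
ftp acl 2001
"""
CONFIG_DENY_ONLY = """
acl number 2001
 rule deny source 10.1.1.10 0
ftp acl 2001
"""
CONFIG_EMPTY_ACL = """
acl number 2001
ftp acl 2001
"""
CONFIG_SUBNET_ONLY = """
acl number 2001
 rule permit source 192.168.10.0 0.0.0.255
ftp acl 2001
"""


def _to_int(value):
    """Accept a dotted quad or the short form '0' used in the page's example."""
    return int(value) if value.isdigit() else int(ipaddress.IPv4Address(value))


def parse_config(text):
    """Return (acls, ftp_acl); acls maps an ACL number to its ordered rules."""
    acls, current, ftp_acl = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            current = int(m.group(1))
            acls.setdefault(current, [])
        elif m := FTP_ACL_RE.match(line):
            ftp_acl, current = int(m.group(1)), None
        elif (m := RULE_RE.match(line)) and current is not None:
            action, is_any, addr, wildcard = m.groups()
            if is_any:
                base, wild = 0, 0xFFFFFFFF      # "any": every bit is ignored
            else:
                base, wild = _to_int(addr), _to_int(wildcard)
            acls[current].append((action, base, wild))
    return acls, ftp_acl


def ftp_login_decision(config_text, source_ip):
    """Return (allowed, reason) for an FTP login attempt from source_ip."""
    acls, ftp_acl = parse_config(config_text)
    rules = acls.get(ftp_acl, [])
    if not rules:
        # Page: an ACL that does not exist or has no rules lets any user log in.
        return True, "no effective ACL"
    src = int(ipaddress.IPv4Address(source_ip))
    for action, base, wild in rules:
        # Wildcard bits set to 0 must match; bits set to 1 are ignored.
        if ((src ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit", f"matched {action} rule"
    # Page: login packets that match no permit rule are denied.
    return False, "no rule matched (default deny)"


if __name__ == "__main__":
    cases = [("deny + permit any", CONFIG_WITH_PERMIT_ANY),
             ("deny only", CONFIG_DENY_ONLY),
             ("empty ACL", CONFIG_EMPTY_ACL),
             ("one subnet", CONFIG_SUBNET_ONLY)]
    for name, cfg in cases:
        for ip in ("10.1.1.10", "10.1.1.11", "192.168.10.77"):
            allowed, reason = ftp_login_decision(cfg, ip)
            verdict = "allow" if allowed else "deny"
            print(f"{name:18} {ip:15} {verdict:5} {reason}")
```

The "empty ACL" case is the one to watch for in a review: an ftp acl line that points at an ACL with no rules filters nothing.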

Using FTP to Access the System


After the FTP server is configured, you can use FTP to access the ATN from a PC and manage
the files on the ATN.

Context
You can use either the Windows command line prompt or third-party software to log in to the
ATN. The example here uses the Windows command line prompt.
Do as follows on the PC:

Procedure
Step 1 Open the Windows CLI.
Step 2 Run the ftp ip-address command to log in to the ATN using FTP.
Enter a username and password at the prompt, and press Enter. When the Windows command
line prompt, such as ftp>, is displayed in the FTP client view, you have entered the working
directory of the FTP server.
Figure 1-22 Using FTP to log in to the device

----End

Using FTP Commands to Manage Files


After using FTP to log in to the ATN that functions as an FTP server, you can upload and
download files to and from the ATN or manage the directories on the ATN.

Context
After you log in to the FTP server, you can perform the following operations:
- Configuring the data type for the file
- Uploading or downloading files
- Creating or deleting directories on the FTP server
- Displaying information about a specific remote directory or a file of the FTP server, or
  deleting a specific file from the FTP server

After logging in to the FTP server and entering the FTP client view, you can perform the
following operations:

Procedure
- Configure the data type and transmission mode for a file.
  Run:
  ascii or binary
  The data type of the file to be transmitted is ascii or binary.
  NOTE
  FTP supports ASCII and binary transmission modes. The differences between the two are:
  - In ASCII transmission mode, ASCII characters are used to separate carriage returns from
    line feeds.
  - In binary transmission mode, characters can be transferred without format conversion or
    formatting.
  An FTP transmission mode can be set for each client. The system uses ASCII transmission mode
  by default, but a mode switch command can switch a client between ASCII and binary modes.
  The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
- Upload or download files.
  Upload or download a file.
  - Run:
    put local-filename [ remote-filename ]
    The local file is uploaded to the remote FTP server.
  - Run:
    get remote-filename [ local-filename ]
    The FTP file is downloaded from the FTP server and saved to the local file.
- Run one or more of the following commands to manage directories.
  - Run:
    cd pathname
    The working path of the remote FTP server is specified.
  - Run:
    pwd
    The specified directory of the FTP server is displayed.
  - Run:
    lcd [ local-directory ]
    The directory of the FTP client is displayed or changed.
  - Run:
    mkdir make-remote-directory
    A directory is created on the FTP server.
  - Run:
    rmdir delete-remote-directory
    A directory is removed from the FTP server.
- Run one or more of the following commands to manage files.
  - Run:
    ls [ remote-filename ] [ local-filename ]
    The specified directory or file on the remote FTP server is displayed.
    If the directory name is not specified when a specific remote file is selected, the system
    searches the working directory for the specific file.
  - Run:
    dir [ remote-filename ] [ local-filename ]
    The specified directory or file on the local FTP server is displayed.
    If the directory name is not specified when a specific remote file is selected, the system
    searches the working directory for the specific file.
  - Run:
    delete remote-filename
    The specified file on the FTP server is deleted.
    If the directory name is not specified when a specific remote file is selected, the system
    searches the working directory for the specific file.
  When local-filename is set, related information about the file can be downloaded locally.
  NOTE
  If you need more information about FTP operations, run the help [ command ] command in the
  Windows CLI.

----End

Checking the Configuration


After the configuration is complete, you can view the configuration and status of the FTP server
as well as login information about FTP users.

Prerequisites
All configurations for using FTP to manage files are complete.

Procedure
- Run the display ftp-users command to check how many users are currently logged in to
  the FTP server.

----End

Example
Run the display [ ipv6 ] ftp-server command to view the status of the FTP server.
<HUAWEI> display ftp-server
   FTP server is running
   Max user number                 5
   User count                      1
   Timeout value(in minute)        30
   Listening Port                  1080
   Acl number                      0
   FTP server's source address     1.1.1.1

Run the display ftp-users command to view the username, port number, and authorization
directory of the FTP user.
<HUAWEI> display ftp-users
  username  host            port  idle  topdir
  zll       100.2.150.226   1383  3     cfcard:
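
A way to turn the display ftp-server output shown above into a repeatable check, as an added example that is not part of the original guide: the Python below parses that output and reports the exposure points this section calls out. Reading "Acl number 0" as "no ACL bound" is an assumption, and the function names and finding codes are made up for illustration.

```python
import re

# The sample output from this page, re-typed with its columns aligned.
SAMPLE_OUTPUT = """\
<HUAWEI> display ftp-server
   FTP server is running
   Max user number                 5
   User count                      1
   Timeout value(in minute)        30
   Listening Port                  1080
   Acl number                      0
   FTP server's source address     1.1.1.1
"""


def parse_ftp_server(output):
    """Parse 'display ftp-server' text into {'running': bool, label: value}."""
    state = {"running": False}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue                          # blank line or echoed CLI prompt
        if line.lower().startswith("ftp server is"):
            state["running"] = line.lower().endswith("running")
            continue
        # A field line is a label, a run of spaces, then one value token.
        m = re.match(r"(.+?)\s+(\S+)$", line)
        if m:
            state[m.group(1).strip().lower()] = m.group(2)
    return state


def audit_ftp_server(output):
    """Return finding codes for the settings the guide tells you to review."""
    state = parse_ftp_server(output)
    if not state["running"]:
        return []                             # FTP is off: nothing to flag
    findings = ["ftp-enabled"]                # guide: prefer SFTP, disable FTP after use
    if state.get("acl number", "0") == "0":   # assumption: 0 means no ACL is bound
        findings.append("no-acl")             # guide: without an ACL any client can log in
    if state.get("listening port") == "21":
        findings.append("default-port")       # guide: recommends changing the default port
    return findings


if __name__ == "__main__":
    for code in audit_ftp_server(SAMPLE_OUTPUT):
        print(code)
```

For the page's sample this reports that FTP is running and that no ACL restricts which clients may connect.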

1.6.4 Using SFTP to Manage Files


SFTP enables you to securely log in to the ATN from a remote device to manage files, which
makes data transmission to the remote end more secure.

Before You Start


Before using SFTP to manage files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
SSH authenticates clients and encrypts data in both directions to guarantee secure data
transmission on conventional networks. SSH supports SFTP.
SFTP is a secure FTP service that enables users to log in to the FTP server to transmit data.

Pre-configuration Tasks
Before using SFTP to manage files, configure reachable routes between the terminal and the
device.

Data Preparation
Before using SFTP to manage files, you need the following data.
No.  Data
1    Maximum number of Virtual Type Terminal (VTY) user interfaces, (optional) ACL
     for restricting incoming and outgoing calls on VTY user interfaces, connection
     timeout period of terminal users, number of rows displayed in a terminal screen, size
     of the history command buffer, user authentication mode, username, and password
2    Username, password, authentication mode, and service type of an SSH user, remote
     public Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm
     (DSA) or Elliptic Curves Cryptography (ECC) key pair allocated to the SSH user,
     and SFTP working directory of the SSH user
3    (Optional) Number of the port monitored by the SSH server
4    (Optional) The interval for updating the key pair on the SSH server
5    Name of the SSH server, number of the port monitored by the SSH server, preferred
     encryption algorithm from the SFTP client to the SSH server, preferred encryption
     algorithm from the SSH server to the SFTP client, preferred Hashed message
     authentication code (HMAC) algorithm from the SFTP client to the SSH server,
     preferred HMAC algorithm from the SSH server to the SFTP client, preferred
     algorithm of key exchange, name of the outgoing interface, source address
6    Directory name and file name

Configuring the VTY User Interface


To allow a user to log in to the device by using SFTP, you need to configure attributes of the
Virtual Type Terminal (VTY) user interface.

Context
Before a user logs in to the device by using SFTP, you must set the user authentication mode in
the VTY user interface. Otherwise, the user cannot log in to the device.
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY
User Interface.

Configuring SSH for the VTY User Interface


Before users can log in to the ATN using SFTP, you must configure VTY user interfaces to
support SSH.

Context
By default, user interfaces support Telnet. If no user interfaces are configured to support SSH,
you cannot log in to the ATN using SFTP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.


Step 3 Run:
authentication-mode aaa

The AAA authentication mode is configured.


Step 4 Run:
protocol inbound ssh

The VTY user interface is configured to support SSH.


----End

Configuring an SSH User and Specifying SFTP as One of the Service Types
Before logging in to the ATN using SFTP, you must configure an SSH user, configure the
ATN to generate a local RSA (Rivest-Shamir-Adleman Algorithm), DSA (Digital Signature
Algorithm), or ECC (Elliptic Curves Cryptography) key pair, configure a user authentication
mode, and specify a service type and authorized directory for the SSH user.

Context
- These SSH user authentication modes are available: RSA, DSA, ECC, password, password-RSA,
  password-DSA, password-ECC, and all. Password authentication depends on
  Authentication, Authorization and Accounting (AAA). Before a user logs in to the device
  in password, password-RSA, password-ECC, or password-DSA authentication mode, you
  must create a local user with the specified username in the AAA view.
  - Password-RSA authentication depends on both password authentication and RSA
    authentication.
  - Password-DSA authentication depends on both password authentication and DSA
    authentication.
  - Password-ECC authentication depends on both password authentication and ECC
    authentication.
  - All authentication depends on any one of the following: password authentication,
    DSA authentication, RSA authentication, or ECC authentication.
- The device must be configured to generate local RSA, ECC, or DSA key pairs, which are
  a key part of the SSH login process. If an SSH user logs in to an SSH server in password
  authentication mode, configure the server to generate a local RSA, ECC, or DSA key pair.
  If an SSH user logs in to an SSH server in RSA, ECC, or DSA authentication mode,
  configure both the server and the client to generate local RSA, ECC, or DSA key pairs.
  RSA and DSA are algorithms for user authentication in SSH. Compared with RSA
  authentication, DSA authentication adopts the DSA encryption mode and is widely used.
  In many cases, SSH only supports DSA to authenticate the server and the client. When the
  RSA or DSA authentication mode is used, the priority of the users depends on the priority
  of the VTY user interfaces used for login.

Perform the following operations on the ATN that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh user user-name

An SSH user is created.


If password authentication is configured for the SSH user, create the same SSH user in the AAA
view.
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password cipher password command to configure a local
   username and a password.

Step 3 Run:
local-user user-name level level

The SSH user level is set.


NOTE

The SSH user level must be set to 3 or higher.

Step 4 Create an RSA, DSA, or ECC key pair.


Two methods are available.

Method 1:
- Run the rsa local-key-pair create command to create a local RSA key pair.
  NOTE
  - Run the rsa local-key-pair create command to generate a local key pair before completing
    other SSH configurations. The minimum length of the server key pair and the host key pair is 512
    bits, and the maximum length is 2048 bits.
  - After a local key pair is generated, you can run the display rsa local-key-pair public command
    to view the public key in the local key pair.
  - To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
    RSA key-pairs, including the local key-pair and server key-pair.
    Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
    destroy command. The rsa local-key-pair destroy command takes effect only once
    and therefore is not saved in the configuration file.

- Run the dsa local-key-pair create command to generate the DSA local-key-pair.
  NOTE
  - Run the dsa local-key-pair create command to generate a local key pair before
    completing other SSH configurations. The length of the server key pair and the host key pair can
    be 512 bits, 1024 bits, or 2048 bits. By default, the length of the key pair is 2048 bits.
  - After a local key pair is generated, you can run the display dsa local-key-pair public command
    to view the public key in the local key pair.
  - To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
    DSA key-pairs, including the local key-pair and server key-pair.
    Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
    destroy command. The dsa local-key-pair destroy command takes effect only once
    and therefore is not saved in the configuration file.

- Run the ecc local-key-pair create command to generate the ECC local-key-pair.
  NOTE
  - Run the ecc local-key-pair create command to generate a local key pair before
    completing other SSH configurations. The length of the server key pair and the host key pair can
    be 256 bits, 384 bits, or 521 bits. By default, the length of the key pair is 521 bits.
  - After a local key pair is generated, you can run the display ecc local-key-pair public command
    to view the public key in the local key pair.
  - To clear the local ECC key pair, run the ecc local-key-pair destroy command to destroy
    all local ECC key-pairs, including the local key-pair and server key-pair.
    Check whether all local ECC key pairs are destroyed after running the ecc local-key-pair
    destroy command. The ecc local-key-pair destroy command takes effect only once
    and therefore is not saved in the configuration file.

Method 2:
1. Run the rsa key-pair label, dsa key-pair label, or ecc key-pair label command in the
   system view to create an RSA, DSA, or ECC key pair.
2. Run the ssh server assign { rsa-host-key | rsa-server-key | dsa-host-key | ecc-host-key }
   key-name command in the system view to assign an RSA host key, RSA server key,
   DSA host key, or ECC host key to an SSH server.

After the key pair is generated, run the display rsa key-pair, display dsa key-pair, or display
ecc key-pair command to check information about the RSA, DSA, or ECC key pair.
Step 5 Perform the operations as described in Table 1-18 based on the configured SSH user
authentication mode.

Table 1-18 Configuring an authentication mode for the SSH user

Operation: Configure password authentication
Command:
1. Run the ssh user user-name authentication-type password command.
2. Run the aaa command to enter the AAA view.
3. Run the local-user user-name password cipher password command to configure the
   username and the password for the local user.
   The username must be the same as that of the SSH user.
4. Run the local-user user-name service-type ssh command to set the access type of the
   local user to SSH.
Description:
If local or HuaWei Terminal Access Controller Access Control System (HWTACACS)
authentication is used and there are only a few users, use password authentication.
By default, the administrators are all in the domain default_admin.

Operation: Configure RSA authentication
Command:
1. Run the ssh user user-name authentication-type rsa command to configure RSA
   authentication.
2. Run the rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] command
   to configure an encoding format for an RSA public key and enter the RSA public key view.
   The default encoding format is distinguished encoding rules (DER) for an RSA public key.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
   - In the public key edit view, only hexadecimal strings complying with the public key
     format can be typed in. Each string is randomly generated on an SSH client. For detailed
     operations, see manuals for SSH client software.
   - After entering the public key edit view, paste the RSA public key generated on the
     client to the server.
5. Run the public-key-code end command to exit from the public key edit view.
6. Run the peer-public-key end command to return to the system view.
   - Running the peer-public-key end command generates a key only after a valid hex-data
     complying with the public key format is entered.
   - If the peer-public-key end command is used after the key key-name specified in Step 2 is
     deleted in another window, the system prompts a message, indicating that the key does
     not exist, and the system view is displayed.
Description:
Huawei data communications devices support only the DER format for RSA keys before VRP
V500R012C01 version. If you use an RSA key in non-DER format, use a third-party tool to
convert the key into a key in DER format.
Because a third-party tool is not released with Huawei system software, RSA usability is
unsatisfactory. In addition to DER, RSA keys need to support the privacy-enhanced mail (PEM)
and OpenSSH formats to improve RSA usability after VRP V500R012C01 version.
Third-party software, such as SecureCRT, PuTTY, OpenSSH, and OpenSSL, can be used to
generate RSA keys in different formats. The details are as follows:
- SecureCRT and PuTTY generate RSA keys in PEM format.
- OpenSSH generates RSA keys in OpenSSH format.
- OpenSSL generates RSA keys in DER format.

Operation: Configure DSA authentication
Command:
1. Run the ssh user user-name authentication-type dsa command to configure DSA
   authentication.
2. Run the dsa peer-public-key key-name encoding-type { der | openssh | pem } command to
   configure an encoding format for a DSA public key and enter the DSA public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
   - In the public key edit view, only hexadecimal strings complying with the public key
     format can be typed in. Each string is randomly generated on an SSH client. For detailed
     operations, see manuals for SSH client software.
   - After entering the public key edit view, paste the DSA public key generated on the
     client to the server.
5. Run the public-key-code end command to exit from the public key edit view.
6. Run the peer-public-key end command to return to the system view.
   - Running the peer-public-key end command generates a key only after a valid hex-data
     complying with the public key format is entered.
   - If the peer-public-key end command is used after the key key-name specified in Step 2 is
     deleted in another window, the system prompts a message, indicating that the key does
     not exist, and the system view is displayed.
7. Run the ssh user user-name assign dsa-key key-name command to assign the SSH user a
   public key.
8. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a
   public key.
Description:
Huawei data communications devices support the DER and PEM formats for DSA keys before VRP
V500R012C01 version. If you use a DSA key in non-DER/PEM format, use a third-party tool to
convert the key into a key in DER or PEM format.
Because a third-party tool is not released with Huawei system software, DSA usability is
unsatisfactory. In addition to DER and PEM, DSA keys need to support the OpenSSH format to
improve DSA usability after VRP V500R012C01 version.

Operation: Configure ECC authentication
Command:
1. Run the ssh user user-name authentication-type ecc command to configure ECC
   authentication.
2. Run the ecc peer-public-key key-name encoding-type { der | pem | openssh } command to
   configure an encoding format for an ECC public key and enter the ECC public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
   - In the public key edit view, only hexadecimal strings complying with the public key
     format can be typed in. Each string is randomly generated on an SSH client. For detailed
     operations, see manuals for SSH client software.
   - After entering the public key edit view, paste the ECC public key generated on the
     client to the server.
5. Run the public-key-code end command to exit from the public key edit view.
6. Run the peer-public-key end command to return to the system view.
   - Running the peer-public-key end command generates a key only after a valid hex-data
     complying with the public key format is entered.
   - If the peer-public-key end command is used after the key key-name specified in Step 2 is
     deleted in another window, the system prompts a message, indicating that the key does
     not exist, and the system view is displayed.
7. Run the ssh user user-name assign ecc-key key-name command to assign the SSH user a
   public key.

Step 6 (Optional) Use command lines to authorize SSH users.


Run:
ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.

Step 7 Run:
ssh user username service-type { SFTP | all }

The service type of an SSH user is set to SFTP or all.


By default, the service type of the SSH user is not configured.
Step 8 Run:
ssh user username sftp-directory directoryname

The authorized directory of the SFTP service for the SSH user is configured.
By default, the authorized directory of the SFTP service for the SSH user is cfcard:.
----End
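
The RSA row of Table 1-18 expects the client's public key as DER hex-data in the public key edit view, while OpenSSH produces keys in OpenSSH format. The following added example (not part of the Huawei guide) converts an OpenSSH ssh-rsa public key line to DER hex and checks the modulus length; it assumes the device accepts a PKCS#1 RSAPublicKey structure, and the function names, the 8-digit grouping, and the sample key are constructed for illustration.

```python
import base64
import struct


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated field body")
    return buf[off:off + length], off + length


def _mpint_to_int(raw: bytes) -> int:
    """Decode an SSH mpint; RSA parameters must be strictly positive."""
    if not raw or raw[0] & 0x80:
        raise ValueError("RSA parameter is empty or negative")
    value = int.from_bytes(raw, "big")
    if value == 0:
        raise ValueError("RSA parameter is zero")
    return value


def parse_openssh_rsa(line: str):
    """Return (n, e) from an 'ssh-rsa <base64> [comment]' public key line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    alg, off = _read_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("algorithm name inside the blob does not match")
    e_raw, off = _read_string(blob, off)   # wire order is exponent, then modulus
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return _mpint_to_int(n_raw), _mpint_to_int(e_raw)


def _der_len(length: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER; the extra byte keeps the sign bit clear for positive values."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def rsa_public_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e } (assumed device format)."""
    content = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(content)) + content


def hex_groups(data: bytes, per_line: int = 6) -> str:
    """Format bytes as upper-case hex in 8-digit groups for pasting as hex-data."""
    text = data.hex().upper()
    groups = [text[i:i + 8] for i in range(0, len(text), 8)]
    return "\n".join(" ".join(groups[i:i + per_line])
                     for i in range(0, len(groups), per_line))


def meets_minimum(n: int, min_bits: int = 2048) -> bool:
    """2048 bits is the guide's default RSA length; shorter moduli are weak."""
    return n.bit_length() >= min_bits


def openssh_line(n: int, e: int, comment: str = "constructed@example") -> str:
    """Build a constructed ssh-rsa line so the example runs offline."""
    def field(v: bytes) -> bytes:
        return struct.pack(">I", len(v)) + v

    def mpint(v: int) -> bytes:
        return v.to_bytes(v.bit_length() // 8 + 1, "big")

    blob = field(b"ssh-rsa") + field(mpint(e)) + field(mpint(n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Constructed 1024-bit value, not a real RSA modulus.
    sample = openssh_line((1 << 1023) | 1, 65537)
    n, e = parse_openssh_rsa(sample)
    if not meets_minimum(n):
        print(f"warning: {n.bit_length()}-bit modulus is below 2048 bits")
    print(hex_groups(rsa_public_der(n, e)))
```

Generate the real key on the client with at least 2048 bits before converting it, and compare the pasted value against the client's key before running peer-public-key end.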

Enabling the SFTP Service


You must enable the SFTP service before you can use it.

Context
By default, the SFTP server function is not enabled on the ATN. You can use SFTP to establish
connections with the router only after the SFTP server function is enabled on the ATN.
Do as follows on the ATN that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sftp server enable

The SFTP service is enabled.


By default, the SFTP service is disabled.
----End

(Optional) Configuring the SFTP Server Parameters


You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated, and specify the source interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Perform any of the operations shown in Table 1-19 as needed.


Table 1-19 Server parameters

Server parameter: Configure the interval at which the key pair of the SSH server is updated
Command: Run the ssh server rekey-interval interval command.
By default, the interval is 0, indicating that the key is never updated.
Description: You can set an interval at which the key pair of an SSH server is updated.
When the timer expires, the key pair is automatically updated, improving security.

Server parameter: Configure the timeout period of SSH authentication
Command: Run the ssh server timeout seconds command.
By default, the timeout period is 60 seconds.
Description: If a user fails to log in when the timeout period of SSH authentication expires,
the system disconnects the current connection to ensure the system security.

Server parameter: Configure the number of times that SSH authentication is retried
Command: Run the ssh server authentication-retries times command.
By default, SSH authentication retries a maximum of 3 times.
Description: The number of times that SSH authentication is retried is set to deny
access of invalid users.

Server parameter: Configure earlier SSH version compatibility
Command: Run the ssh server compatible-ssh1x enable command.
By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients
running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x
enable command to disable support for earlier SSH protocol versions.
Description: There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0
has an extended structure and supports more authentication modes and key exchange methods
than SSH1.X. SSH 2.0 can eliminate the security risks that SSH 1.X has. SSH 2.0 is more
secure and therefore is recommended. SSH2.0 also supports more advanced services such as
SFTP. The ATN supports SSH versions ranging from 1.3 to 2.0.

Server parameter: Configure the listening port number of the SSH server
Command: Run the ssh server port port-number command.
By default, the listening port number is 22.
If a new listening port is set, the SSH server cuts off all established STelnet and SFTP
connections, and uses the new port number to listen to connection requests.
Description: The default listening port number of an SSH server is 22. Users can log in
to the device by using the default listening port number. Attackers may access the default
listening port, which consumes bandwidth, deteriorates server performance, and causes
authorized users to be unable to access the server. After the listening port number of the
SSH server is changed, attackers do not know the new port number. This effectively prevents
attackers from accessing the listening port and improves security.

Server parameter: Source interface
Command: Run the ssh server-source -i loopback interface-number command.
Before the source interface of an SSH server is specified, ensure that the loopback
interface to be specified as the source interface has been created. If the loopback
interface is not created, the ssh server-source command cannot be correctly executed.
Description: By default, an SSH server receives connection requests from all interfaces,
and therefore, the system is vulnerable to attacks. To enhance system security, you can
specify the source interface of the SSH server. This sets a login condition after which
only authorized users can log in to the SSH server.
After the source interface is specified, the system only allows SFTP or STelnet users to
log in to the SSH server through this source interface. Any SFTP or STelnet users that log
in through other interfaces are denied. Note that setting this parameter only affects SFTP
or STelnet users that attempt to log in to the SSH server, but it does not affect SFTP or
STelnet users that have already logged in to the server.

Server parameter: Configuring an ACL on the SSH server
Command: Run the ssh server acl acl-number or ssh ipv6 server acl acl-number command.
Description: This command specifies the clients that can access the SSH server running
IPv4/IPv6. This configuration prevents unauthorized users from accessing the SSH server,
ensuring data security.

----End


Using SFTP to Access the System


After the configuration is complete, you can use SFTP to log in to the ATN from a user terminal
and manage files on the ATN.

Context
You can use third-party software to access the ATN from the user terminal using SFTP. The
example here uses third-party software OpenSSH and the Windows CLI.
Install OpenSSH on the user terminal and then perform the following:
NOTE

For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the ATN, see help documentation for the
software.

Procedure
Step 1 Open the Windows CLI.
Step 2 Run OpenSSH commands to log in to the ATN in SFTP mode.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, as shown in
Figure 6-2, you have entered the working directory of the SFTP server.
Figure 1-23 Using SFTP to log in to the device


----End

Using SFTP to Manage Files


You can log in to the SSH server from an SFTP client to create or delete directories on the SSH
server.

Context
After logging in to the SFTP server, you can perform the following operations:
- Display the SFTP client command help
- Manage directories on the SFTP server
- Manage files on the SFTP server

After logging in to the SFTP server and entering the SFTP client view, you can perform one or
more of the following operations.

Procedure
- Run:
  help [ all | command-name ]

  The SFTP client command help is displayed.

- Perform the following operations as required.

  Run:
  cd [ remote-directory ]

  The current operating directory of the users is changed.

  Run:
  pwd

  The current operating directory of the users is displayed.

  Run:
  dir/ls [ path ]

  A list of files in the specified directory is displayed.

  Run:
  rmdir delete-remote-directory &<1-10>

  The directory on the server is deleted.

  Run:
  mkdir make-remote-directory

  A directory is created on the server.

- Perform the following operations as required.

  Run:
  rename old-name new-name

  The name of the specified file on the server is changed.

  Run:
  get remote-filename [ local-filename ]

  The file on the remote server is downloaded.

  Run:
  put local-filename [ remote-filename ]

  The local file is uploaded to the remote server.

  Run:
  rmdir delete-remote-directory &<1-10>

  The file on the server is removed.

----End

Checking the Configuration


After using SFTP to manage files, you can view SSH user information and global configurations
for the SSH server.

Prerequisites
The configurations of SSH users are complete.

Procedure
- Run the display ssh user-information username command on the SSH server to check
  information about the SSH client.
- Run the display ssh server status command on the SSH server to check its global
  configurations.
- Run the display ssh server session command on the SSH server to check information about
  connection sessions with SSH clients.

----End

Example
Run the display ssh user-information username command. It shows that the SSH user named
client001 is authenticated by password.
[HUAWEI] display ssh user-information client001
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       :
Service-type         : sftp

If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view the global configurations of an SSH server.
<HUAWEI> display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 2 hours
SSH Authentication retries          : 5 times
SFTP server                         : Enable
Stelnet server                      : Enable
SSH server port                     : 55535
SSH server source                   : 0.0.0.0
ACL4 number                         : 0
ACL6 number                         : 0

NOTE

If the default listening port is in use, information about the current listening port is not displayed.

Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<HUAWEI> display ssh server session
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : sftp
Authentication Type : password
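
The display ssh server status output above can be checked against the hardening options in Table 1-19. The following added example (not part of the Huawei guide) parses that output and reports settings the table describes as weaker; the check names are hypothetical, both sample blocks are constructed, and treating an ACL number of 0 and a source of 0.0.0.0 as "not configured" is an assumption.

```python
import re

# Constructed sample: the field values shown in this section's status output.
SAMPLE_STATUS = """\
<HUAWEI> display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 2 hours
SSH Authentication retries          : 5 times
SFTP server                         : Enable
Stelnet server                      : Enable
SSH server port                     : 55535
SSH server source                   : 0.0.0.0
ACL4 number                         : 0
ACL6 number                         : 0
"""

# Constructed sample of a tightened server; address and ACL number are illustrative.
HARDENED_STATUS = """\
SSH version                         : 2.0
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 1 hours
SSH Authentication retries          : 3 times
SSH server source                   : 10.1.1.1
ACL4 number                         : 2000
ACL6 number                         : 0
"""


def parse_status(text: str) -> dict:
    """Split 'name : value' lines on the first colon; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def _leading_int(value):
    """Return the integer at the start of a value such as '2 hours', else None."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def audit_status(fields: dict, max_retries: int = 3) -> list:
    """Return (check, remediation) pairs for settings weaker than Table 1-19 advises."""
    findings = []
    version = fields.get("SSH version")
    if version is not None and version != "2.0":
        findings.append(("ssh1-compat",
                         "SSH1.X clients accepted: undo ssh server compatible-ssh1x enable"))
    if _leading_int(fields.get("SSH server key generating interval")) == 0:
        findings.append(("no-rekey",
                         "server key never updated: ssh server rekey-interval interval"))
    retries = _leading_int(fields.get("SSH Authentication retries"))
    if retries is not None and retries > max_retries:
        findings.append(("retries-above-default",
                         "more than 3 retries: ssh server authentication-retries times"))
    if fields.get("SSH server source") == "0.0.0.0":  # assumed to mean no source interface
        findings.append(("all-interfaces",
                         "no source interface: ssh server-source -i loopback interface-number"))
    acl4 = _leading_int(fields.get("ACL4 number"))
    acl6 = _leading_int(fields.get("ACL6 number"))
    if acl4 == 0 and acl6 == 0:                       # assumed to mean no ACL is bound
        findings.append(("no-acl", "no client ACL: ssh server acl acl-number"))
    return findings


if __name__ == "__main__":
    for check, advice in audit_status(parse_status(SAMPLE_STATUS)):
        print(f"{check}: {advice}")
```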

1.6.5 Configuration Examples


The examples in this section show how to use FTP, SFTP, or FTPS to access the system and
manage files. These configuration examples explain the networking requirements and provide
configuration roadmaps and configuration notes.

Example for Using the File System to Manage Files


This example shows how to use the file system to manage files. In the example, you log in to
the ATN to view and copy directories.

Networking Requirements
You can log in to the ATN through the console port, Telnet, or STelnet to manage files on the
ATN.
You must enter the path to the file on the storage device correctly. If you do not specify a target
file name, the source file name is the name of the target file by default.

Configuration Roadmap
The configuration roadmap is as follows:
1. Check the files in a directory.
2. Copy a file to this directory.
3. Check that the file has been copied to the directory.

Data Preparation
To complete the configuration, you need the following data:
- Source file name and target file name
- Source file path and target file path

Procedure
Step 1 Display the file information in the cfcard:/folder2 directory. cfcard:/ is the flash memory
identifier.
<HUAWEI> pwd
cfcard:/
<HUAWEI> cd cfcard:/folder2
<HUAWEI> dir
Info: File can't be found in the directory.
499,720 KB total (47,776 KB free)

Step 2 Copy files from cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt.


<HUAWEI> copy cfcard:/folder1/sample.txt cfcard:/folder2
Copy cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt?[Y/N]:Y
100% complete
Info: Copied file cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt...Done.

Step 3 Display the file information about the current directory to check that the file has been copied to
the specified directory.
<HUAWEI> dir
Directory of cfcard:/folder2/
  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-              6  Dec 21 2011 16:15:52   sample.txt

499,720 KB total (47,768 KB free)

----End

Example for Using FTP to Manage Files


This example shows how to use FTP to manage files. In the example, a user uses FTP to log in
to the ATN from a PC and then download files to the FTP client.

Networking Requirements
As shown in Figure 1-24, after the FTP server is enabled on the ATN, you can log in to the FTP
server from the HyperTerminal to upload or download files.
Figure 1-24 Networking for using FTP to manage files

[Figure: PC connected through the network to the FTP server (GE0/2/0, 10.137.217.221/16)]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of the FTP server.
2. Enable the FTP server.
3. Configure the authentication information, authorization mode, and directories that can be
   accessed for an FTP user.
4. Enter the username and password to log in to the FTP server.
5. Upload files to or download files from the FTP server.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the FTP server: 10.137.217.221
- Timeout period for the FTP connection: 30 minutes
- On the server, FTP username: huawei and password: !QAZ@WSX3edc
- Destination file name and its location on the FTP client

Procedure
Step 1 Configure the IP address of the FTP server.
[server] interface gigabitethernet0/2/0
[server-GigabitEthernet0/2/0] undo shutdown
[server-GigabitEthernet0/2/0] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet0/2/0] quit

Step 2 Enable the FTP server.


<HUAWEI> system-view
[HUAWEI] sysname server
[server] ftp server enable
[server] ftp timeout 30

Step 3 Configure the authentication information, authorization mode, and directories that can be
accessed for an FTP user on the FTP server.
[server] aaa
[server-aaa] local-user huawei password cipher !QAZ@WSX3edc
[server-aaa] local-user huawei level 3
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory cfcard:
[server-aaa] quit

Step 4 Run FTP commands at the Windows command line prompt, and enter the username and
password to set up an FTP connection with the FTP server, as shown in Figure 6-4.


Figure 1-25 Logging in to the FTP server

Step 5 Upload and download files, as shown in Figure 6-5.


Figure 1-26 Using FTP to manage files

NOTE

You can run the dir command before downloading a file or after uploading a file to view detailed
information about the file.

----End

Configuration File
l

FTP server configuration file


#
sysname Server
#
FTP server enable
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
aaa
local-user huawei password cipher $1a$9zS'/]'y<:$My1[;/,aS>nhG{H7GaM+{4,O6Q
8A~<75q"C}O0H
local-user huawei level 3
local-user huawei service-type ftp
local-user huawei state block fail-times 3 interval 5
local-user huawei ftp-directory cfcard:
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
return

Example for Using SFTP to Manage Files


This example shows how to use SFTP to manage files. In the example, a local key pair and a
user name and a password are configured on the SSH server for an SSH user. After SFTP services
are enabled on the server and the SFTP client is connected to the server, you can manage files
between the client and the server.

Networking Requirements
As shown in Figure 1-27, after SFTP services are enabled on the ATN that functions as an SSH
server, you can log in to the server from an SFTP client PC in password, Rivest-Shamir-Adleman
Algorithm (RSA), password-RSA, Digital Signature Algorithm (DSA), password-DSA, Elliptic
Curves Cryptography (ECC), password-ECC or all authentication mode.
Configure a user to log in to the SSH server in password authentication mode.
Figure 1-27 Networking diagram for using SFTP to manage files

[Figure: PC connected through the network to the SSH server (GE0/2/0, 10.164.39.210/16)]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to exchange data securely between the SFTP
   client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including user authentication mode, username, password, and
   authorization directory.
4. Enable SFTP services on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:
- SSH user authentication mode: password, username: client001, password: !QAZ@WSX3edc
- User level of client001: 3
- IP address of the SSH server: 10.137.217.225

Procedure
Step 1 Configure a local key pair on the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure VTY user interfaces on the SSH server.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

Step 3 Configure the SSH username and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher !QAZ@WSX3edc
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable SFTP and configure the user service type as SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp

Step 5 Configure the authorization directory for the SSH user.


[SSH Server] ssh user client001 sftp-directory cfcard:


Step 6 Verify the configurations.


Figure 1-28 Access interface

----End

Configuration File
l

SSH server configuration file


#
sysname SSH Server
#
aaa
local-user client001 password cipher $1a$9zS'/]'y<:$My1[;/,aS>nhG{H7GaM
+{4,O6Q
8A~<75q"C}O0H
local-user client001 level 3
local-user client001 service-type ssh
local-user client001 state block fail-times 3 interval 5
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.137.217.225 255.255.255.0
#
sftp server enable
ssh user client001 authentication-type password
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
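
A saved configuration such as the one above can be checked offline for the access settings this procedure applies (AAA authentication and SSH-only inbound access on the VTY interfaces, SSH-only local users, SFTP for configuration backups). The Python script below is an added example, not part of the Huawei guide; its sample text is constructed, and reporting a VTY range that has no protocol inbound line is an assumption of the check, not documented device behaviour.

```python
import re

# Constructed sample in the layout of the configuration file above. The second
# VTY range, the backup line and its address are invented to produce findings;
# that the backup command appears in a saved file in this form is an assumption.
SAMPLE = """\
#
sysname SSH Server
#
aaa
 local-user client001 password cipher <ciphertext>
 local-user client001 level 3
 local-user client001 service-type ssh
#
set save-configuration backup-to-server server 192.0.2.10 transport-type tftp path /backup
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 5 9
 authentication-mode aaa
#
return
"""


def views(text, header_pattern):
    """Return [(header, [commands])] for every view whose first line matches."""
    found, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "return":
            current = None                 # blank or comment line closes the view
        elif re.match(header_pattern, line):
            current = (line, [])
            found.append(current)
        elif current is not None:
            current[1].append(line)
    return found


def audit(text):
    """List settings that differ from the SSH-only access configured above."""
    findings = []
    for header, cmds in views(text, r"user-interface\b"):
        if not header.startswith("user-interface vty"):
            continue
        if "authentication-mode aaa" not in cmds:
            findings.append(f"{header}: authentication-mode is not aaa")
        inbound = [c for c in cmds if c.startswith("protocol inbound")]
        if inbound != ["protocol inbound ssh"]:
            shown = ", ".join(inbound) or "no protocol inbound line"
            findings.append(f"{header}: not restricted to ssh ({shown})")
    for _, cmds in views(text, r"aaa$"):
        for cmd in cmds:
            m = re.match(r"local-user (\S+) service-type (.+)", cmd)
            if m and m.group(2).split() != ["ssh"]:
                findings.append(f"local-user {m.group(1)}: service-type {m.group(2)}")
    for line in text.splitlines():
        m = re.search(r"backup-to-server .*transport-type (\S+)", line)
        if m and m.group(1) != "sftp":
            findings.append(f"configuration backup uses {m.group(1)}, not sftp")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
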


1.7 Configuring System Startup


When the ATN is powered on, system software starts and configuration files are loaded. To
ensure that the ATN runs smoothly, you need to manage system software and configuration files
efficiently.

1.7.1 System Startup Overview


When the ATN is powered on, system software starts and configuration files are loaded.

System Software
System software provides an operating system for the ATN. System software must be set up
correctly for the ATN to run and provide services efficiently.
The extension of the system software file is .cc. The file must be saved in the root directory of
the storage device.

Configuration Files
The configuration file is used to configure the initial settings of the ATN.
The configuration file is a text file with the following properties:
- It is saved in the command format.
- To save space, default parameters are not saved.
- Commands are organized according to the command view. All commands of the same
  command view are grouped into a section. Every two command sections are separated by
  one or several blank lines or comment lines (beginning with "#").
- The sequence of the command sections is as follows: global configuration, physical
  interface configuration, logical interface configuration, and routing protocol configuration.
- The filename extension of the configuration file must be .cfg or .zip, and the file must be
  stored in the root directory of a storage device.
- In a configuration file, the commands must be expressed in full names. No abbreviation is
  allowed.
- In a configuration file, each command is wrapped using \r\n. No other invisible characters
  can be used to wrap commands.
- Transmitting the configuration file using FTP in bin mode to a device is recommended.
NOTE

- The system supports commands that contain a maximum of 510 characters. A command does not have
  to be entered in full, as long as the part of the command entered is unique within the system. For
  example, to run the display current-configuration command, enter d cu, di cu, or dis cu. Entering
  d c or dis c will not run the command because these entries are not unique to the command.
- The system saves the complete form of incomplete commands to configuration files. Saved commands
  may have more than 510 characters. When the system restarts, incomplete commands cannot be
  restored. Therefore, pay attention to the length of incomplete commands before saving them.
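
The file properties listed above can be checked on a workstation before a configuration file is transferred to the device. The Python script below is an added example, not part of the Huawei guide; it reads "invisible characters" as ASCII control characters, which is an assumption, and its sample path and data are constructed.

```python
import re

MAX_COMMAND = 510                                   # limit stated in the NOTE above
ROOT_FILE = re.compile(r"^[A-Za-z0-9]+:/([^/]+)$")  # for example cfcard:/vrp.cfg

# Constructed input: a bare \n after line 2, a 612-character command on line 3
# and a tab on line 4, under a path that is neither in the root directory of
# the storage device nor named .cfg or .zip.
SAMPLE_PATH = "cfcard:/backup/vrp.txt"
SAMPLE_DATA = (b"#\r\nsysname SSH Server\n"
               b"description " + b"x" * 600 + b"\r\n"
               b"user-interface\tvty 0 4\r\n")


def lint_config(path, data):
    """Return [(line_number, problem)]; line 0 marks a file-level problem."""
    problems = []
    name = path.rsplit("/", 1)[-1]
    if not ROOT_FILE.match(path):
        problems.append((0, "file is not in the root directory of a storage device"))
    if not name.lower().endswith((".cfg", ".zip")):
        problems.append((0, "filename extension is not .cfg or .zip"))
    if name.lower().endswith(".zip"):
        return problems          # compressed file: its text is not inspected here

    # Split on any line ending but keep the terminator, so that a bare \n or \r
    # is reported against its own line instead of being accepted silently.
    parts = re.split(rb"(\r\n|\r|\n)", data)
    for number, index in enumerate(range(0, len(parts), 2), start=1):
        line = parts[index]
        ending = parts[index + 1] if index + 1 < len(parts) else b""
        if ending != b"\r\n" and (line or ending):
            problems.append((number, "command is not wrapped with \\r\\n"))
        if any(byte < 0x20 or byte == 0x7F for byte in line):
            problems.append((number, "invisible control character in command"))
        if len(line.strip()) > MAX_COMMAND:
            problems.append((number, f"command has {len(line.strip())} characters"))
    return problems


if __name__ == "__main__":
    for number, problem in lint_config(SAMPLE_PATH, SAMPLE_DATA):
        print(f"line {number}: {problem}")
```

A bare \n is the usual sign that the file was edited on a Unix host or moved in FTP ASCII mode, which is the case the bin-mode recommendation above avoids.
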


Configuration Files and Current Configurations


When the ATN is running, current configurations differ from configuration files.
The concepts of configuration files and current configurations are defined as follows.
Concept: Configuration files
  When the ATN is powered on, it retrieves configuration files from a default save path
  to initialize itself. If configuration files do not exist in the default save path,
  the ATN uses default initialization parameters.
  Identifying Method:
  - Run the display startup command to view the configuration files for the current
    startup and next startup on the ATN.
  - Run the display saved-configuration command to view the configuration file for the
    next startup on the ATN.

Concept: Current configurations
  Current configurations indicate the configurations in effect on the ATN when it is
  actually running.
  Identifying Method:
  - Run the display current-configuration command to view current configurations
    on the ATN.

You can use the command line interface to modify current ATN configurations. Use the save
command to save modified configurations to the next startup configuration file on the storage
device. This configuration file will be used to initialize the ATN the next time the ATN is
powered on.

1.7.2 Managing Configuration Files


You can manage the configuration files for the current and next startup operations on the
ATN.

Before You Start


Before managing configuration files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
Configuration files can be saved, cleared, and compared. Configuration file management is
required to upgrade the ATN, take preventive measures, repair configuration files, and view
configurations after the ATN starts.

Pre-configuration Tasks
Before managing configuration files, install and power on the ATN.

Data Preparation
To manage configuration files, you need the following data.
No.  Data
1    Configuration file and its name
2    Configuration file saving interval and delay interval
3    Number of the start line from which the comparison of the configuration files begins

Saving Configuration Files


The configurations completed by using command lines are valid only for the current operation
on the ATN. To allow the configurations to be valid for the next startup, you need to save the
current configurations to the next startup configuration file before restarting the ATN.

Context
You can save configuration files on demand or set the system to save configuration files at regular
intervals. This prevents data loss if the ATN restarts without warning or when it is powered off.
Run one of the following commands to save configuration files.

Procedure
- Run:

  NOTICE
  When the automatic saving function is enabled and the LPU is not correctly installed,
  corresponding configurations may be lost.

  1. system-view
     The system view is displayed.
  2. set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *

The configuration file is saved at intervals.


After you specify the parameter interval interval, the system saves the current
configuration if the configuration has changed; if the configuration has not changed,
the system does not save the current configuration.
If you do not run the set save-configuration command, the system does not
automatically save configurations.
If you run the set save-configuration command without specifying interval, the
system automatically saves configurations at an interval of 30 minutes.
When you configure the automatic saving function, to prevent that function from
affecting system performance, you can set the upper limit of the CPU usage for the
system during automatic saving. When automatic saving is triggered by the expiry of
the timer, the CPU usage is checked. If the CPU usage is higher than the set upper
limit, automatic saving will be canceled.
After you specify delay delay-interval, if the configuration is changed, the device
automatically saves the configuration after the specified delay.
After you configure the configurations to be automatically saved, the system
automatically saves the changed configurations to the configuration file for the next
startup. Then, the configuration files change according to the saved configurations.
Before you configure the configurations to be automatically saved on the server, you
need to run one of the following commands to configure the server, including the IP address,
username, password of the server, destination path, and mode of transporting the
configuration file to the server:
set save-configuration backup-to-server server server-ip [ vpn-instance vpn-instance-name ] transport-type { ftp | sftp } user user-name password password [ path folder ]
set save-configuration backup-to-server server server-ip transport-type tftp [ path folder ]
NOTE

If you use TFTP, run the tftp client-source command to configure a loopback interface address as
a client source IP address on the ATN, thereby improving security.

- Run:
  save [ all ] [ configuration-file ]

The current configurations are saved.


The extension of the configuration file must be .cfg or .zip. The system startup configuration
file must be saved in the root directory of a storage device.
You can modify the current configuration through the CLI. To set the current configuration
as initial configuration when the ATN starts next time, you can use the save command to
save the current configuration in the cfcard memory.
You can use the save all command to save all the current configurations, including the
configurations of the boards that have not been inserted, to the next startup configuration
file.
NOTE

When you save the configuration file for the first time, if you do not specify the optional parameter
configuration-file, the ATN asks you whether you want to save the file as "vrpcfg.zip". "vrpcfg.zip"
is the default configuration file which initially contains no configuration.

----End

Clearing a Configuration File


This section describes how to clear the content of the configuration file that has been loaded to
a device or how to delete configurations on an interface to restore the default configurations.

Context
The configuration file stored in the cfcard memory needs to be cleared in the following cases:
- The system software does not match the configuration file after the ATN has been upgraded.
- The configuration file is destroyed or an incorrect configuration file has been loaded.

Perform the following operations to clear the content of a configuration file:

Procedure
- Clear the currently loaded configuration file.
  Run the reset saved-configuration command to clear the currently loaded configuration
  file.
If the configuration file used for the current startup of the ATN is the same as the file
to be used for the next startup, running the reset saved-configuration command clears
both files. The ATN will use the default configuration file for the next startup.
If the configuration file used for the current startup of the ATN is different from the file
to be used for the next startup, running the reset saved-configuration command clears
the configuration file used for the next startup.
If you run the reset saved-configuration command and the configuration file used for
the current startup of the ATN is empty, the system states that the configuration file
does not exist.

NOTICE
- Exercise caution when running this command. If necessary, do so under the guidance
  of Huawei technical support personnel.
- After the contents of a configuration file are cleared, the empty configuration file with
  the original file name remains.
- After the configuration file is cleared, if you do not run the startup saved-configuration
  configuration-file command to specify a new configuration file or the
  save command to save the configuration file, the ATN will use the default configuration
  file at the next startup.
----End

Comparing Configuration Files


You can determine whether the current configuration file or another file specified on the ATN
will be used for the next startup by comparing them.

Context
You can compare the current configuration file to the file specified for the next startup to
determine which one to specify for the next startup.

Procedure
- Run:
  compare configuration [ configuration-file ] [ current-line-number save-line-number ]

The current configuration is compared with the configuration file for the next startup.
If no parameter is specified, the system checks, starting from the first line, whether the
current configuration is identical to the next startup configuration file.
If configuration-file is specified, the system checks whether the current configuration
is the same as the specified configuration file.
If no parameter is set, the comparison begins with the first lines of the configuration
files. If values for current-line-number and save-line-number are set, the comparison
continues from those lines and ignores the differences between the configuration files
that precede them.
The system begins to display the content of the current and saved configuration file from
the first line that is different between the two files. Beginning with this line, 150 characters
are displayed by default for each of the files. If fewer than 150 characters remain after the
first line with a difference, all remaining file content is displayed.
NOTE

When trying to compare configuration files, if the configuration file for next startup is unavailable
or its content is empty, the system cannot read the file.

----End
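
The comparison described above (first differing line, then up to 150 characters from each file, with line numbers to continue past a difference) can be reproduced on exported copies of the two configurations to detect changes that were made at run time but never saved. The Python script below is an added example, not Huawei code and not the device's implementation; the two sample configurations are constructed, and masking password material in the displayed excerpt is an addition of this example.

```python
import re

WINDOW = 150   # characters shown for each file, as stated above
SECRET = re.compile(r"(\bpassword(?: cipher)? )\S+")

# Constructed samples: the running copy differs from the saved copy in the
# stored password and in the inbound protocol of the VTY interfaces.
SAVED = """\
#
sysname SSH Server
#
aaa
 local-user client001 password cipher OLD-constructed-ciphertext
 local-user client001 level 3
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""
RUNNING = SAVED.replace("OLD-", "NEW-").replace("inbound ssh", "inbound telnet")


def excerpt(lines):
    """Join the remaining lines, mask password material, keep WINDOW characters."""
    return SECRET.sub(r"\1******", "\n".join(lines))[:WINDOW]


def compare_configuration(current, saved, current_line=1, saved_line=1):
    """Return None when the texts match from the given 1-based lines onward,
    otherwise the position of the first differing line and an excerpt of each."""
    cur = [l.rstrip() for l in current.splitlines()][current_line - 1:]
    sav = [l.rstrip() for l in saved.splitlines()][saved_line - 1:]
    for offset in range(max(len(cur), len(sav))):
        a = cur[offset] if offset < len(cur) else None
        b = sav[offset] if offset < len(sav) else None
        if a != b:                 # raw lines are compared; masking is display-only
            return {
                "current_line": current_line + offset,
                "saved_line": saved_line + offset,
                "current": excerpt(cur[offset:]),
                "saved": excerpt(sav[offset:]),
            }
    return None


def all_differences(current, saved):
    """Repeat the comparison, restarting one line after each difference found."""
    found, cl, sl = [], 1, 1
    while (diff := compare_configuration(current, saved, cl, sl)) is not None:
        found.append(diff)
        cl, sl = diff["current_line"] + 1, diff["saved_line"] + 1
    return found


if __name__ == "__main__":
    for diff in all_differences(RUNNING, SAVED):
        print(f"current line {diff['current_line']}, saved line {diff['saved_line']}")
        print(diff["current"], diff["saved"], sep="\n---\n")
```

Because the comparison is by line position, a line inserted in one file makes every later line differ; restart with line numbers that realign the two files, as the current-line-number and save-line-number parameters allow.
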

Checking the Configuration


After managing configuration files, you can view the current configuration files and files in the
storage device.

Prerequisites
The configurations for managing configuration files are complete.

Procedure
- Run the display current-configuration [ configuration [ configuration-type
  [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
  [ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
  current-configuration [ all | inactive ] command to check current configurations.
- Run the display startup command to check files for startup.
- Run the dir [ /all ] [ filename ] command to check files saved in the storage device.
- Run the display saved-configuration configuration command to view configurations of
  the autosave function, including the status of the autosave function, time for autosave check,
  threshold for the CPU usage, and period during which configurations remain unchanged
  (when the period expires, configurations are automatically saved).
- Run the display changed-configuration time command to check the time of the last
  configuration change.

----End

Example
Run the display startup command to check files for startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V200R003C00.cc
  Startup system software:                   cfcard:/V200R003C00.cc
  Next startup system software:              cfcard:/V200R003C00.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

1.7.3 Specifying a File for System Startup


You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the ATN.

Before You Start


Before specifying a file for system startup, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.

Applicable Environment
To enable the ATN to provide user-defined configurations during the next startup, you need to
correctly specify the system software and configuration file for the next startup.

Pre-configuration Tasks
Before specifying a file for system startup, install the ATN and power it on.

Data Preparation
To specify a file for system startup, you need the following data.
No.  Data
1    System software and its file name on the ATN
2    Configuration file and its file name on the device

Configuring System Software for the ATN to Load at the Next Startup
If you need to upgrade an ATN's system software, you can specify the ATN system software to
be loaded at the next startup.

Context
The system will continue to load the current system software at each startup until different system
software is specified for the next system startup. To change system software for the next startup,
you need to specify the system software you require.
The filename extension of the system software must be .cc and the file must be stored in the root
directory of a storage device.

Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]

The ATN system software to be loaded at the next startup of the ATN is configured.
You can specify the system-file and use the system software for the next startup that is saved on
the device.
slave-board is valid only on the ATN with dual main control boards.
----End

Configuring the Configuration File for the ATN to Load at the Next Startup
Before restarting an ATN, you can specify which configuration files will be loaded at the next
startup.

Context
Run the display startup command on the ATN to check whether a specific configuration file
is set to be loaded at the next startup. If a specific configuration file is not specified, the default
configuration file will be loaded at the next startup.
The filename extension of the configuration file must be .cfg or .zip, and the file must be stored
in the root directory of a storage device.
When the ATN is powered on, by default, it reads the configuration file from the cfcard memory
to initialize. The data in this configuration file is the initial configuration. If no configuration
file is saved in the cfcard memory, the ATN uses default parameters for initialization.

Procedure
- Run:
  startup saved-configuration configuration-file

  A configuration file is specified for the ATN to load at the next startup.
The system allows you to set different names for the configuration files on the master and
slave main control boards, but the system requires your confirmation. After your
confirmation, the system can be restarted.
----End

Checking the Configuration


After specifying a configuration file for system startup, you can check the content of the
configuration file and information about the files to be used at the ATN's next startup.

Prerequisites
A configuration file has been specified for system startup.

Procedure
- Run the display current-configuration [ configuration [ configuration-type
  [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
  [ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to
  check current configurations.
- Run the display saved-configuration [ last | time | configuration ] command to check the
  contents of the configuration file to be loaded at the next startup.
- Run the display startup command to check information about the files to be used at next
  startup.

----End

Example
Run the display startup command to check information about the files to be used at the next
startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V200R003C00.cc
  Startup system software:                   cfcard:/V200R003C00.cc
  Next startup system software:              cfcard:/V200R003C00.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

1.7.4 Configuration Examples


The example in this section shows how to configure system startup. The example explains the
networking requirements, and provides a configuration roadmap and configuration notes.

Example for Configuring System Startup


This example shows how to configure system startup. In the example, a configuration file is
saved and the system software and configuration file to be loaded at the next startup are specified
so that the ATN can start appropriately.

Networking Requirements
After the ATN is configured, new configurations take effect after the system restarts.

Configuration Roadmap
The configuration roadmap is as follows:
1. Save the current configuration.
2. Specify the configuration file to be loaded at the next startup of the ATN.
3. Specify the system software to be loaded at the next startup of the ATN.


Data Preparation
To complete the configuration, you need the following data:
- Name of the configuration file
- File name of the system software

Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V200R003C00.cc
  Startup system software:                   cfcard:/V200R003C00.cc
  Next startup system software:              cfcard:/V200R003C00.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

Step 2 Save the current configuration to the specified file.


<HUAWEI> save vrpcfg.cfg

The system prompts you whether to save the current configuration to the file named vrpcfg.cfg
on the control boards. After entering y at the prompt, you save the configuration successfully.
Step 3 Specify the configuration file to be loaded at the ATN's next startup.
<HUAWEI> startup saved-configuration vrpcfg.cfg

Step 4 Specify the system software to be loaded at the ATN's next startup.
Specify the system software to be loaded at the next startup of the master main control board.
<HUAWEI> startup system-software V200R003C00.cc

Specify the system software to be loaded at the next startup of the slave main control board.
(Skip this step if the chassis is ATN 910/ATN 910I/ATN 910B.)
<HUAWEI> startup system-software V200R003C00.cc slave-board
NOTE

- The slave main control board automatically synchronizes with the master main control board after the
  configuration file to be loaded during the next startup is specified for the master main control board.
- Ensure that the system software to be loaded during the next startup of the ATN is saved on the master
  and slave main control boards of the ATN. Configure the system software to be loaded during the next
  startup of the master and slave main control boards respectively.

Step 5 Verify the configuration.


After the configuration is complete, run the following command to check which configuration
file and system software will be loaded at the ATN's next startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V200R003C00.cc
  Startup system software:                   cfcard:/V200R003C00.cc
  Next startup system software:              cfcard:/V200R003C00.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

----End

Configuration Files
None.

1.8 Accessing Another Device


To manage configurations or operate files on another device, you can use Telnet, STelnet, TFTP,
FTP, or SFTP to access the device from the device that you have logged in to.

1.8.1 Accessing Another Device


To manage configurations or use files on a device other than the device to which you are logged
in, you can use Telnet, FTP, TFTP, or SSH to access that device.
Figure 1-29 Networking diagram for accessing another device from the ATN

As shown in Figure 1-29, when you run a terminal emulation or Telnet program on a PC to
connect to the ATN, the ATN can still function as a client to access another device on the
network. There are several ways to accomplish this.

Telnet Method
To configure and manage a remote device on the network, you can use the ATN that you have
logged in to as a client to log in to that device, or you can use a redirection terminal service on
the ATN to log in to that device.
Telnet is an application layer protocol in the TCP/IP protocol suite that provides remote login
and virtual terminal services.
The ATN provides the following Telnet services:
- Telnet server: You can run the Telnet client program on a PC to log in to an ATN to complete
  configuration and management tasks. The ATN acts as a Telnet server.
- Telnet client: You can run the terminal emulation program or Telnet client program on a
  PC to connect to the ATN. You can then run the telnet command to log in to other ATNs
  to configure and manage them. As shown in Figure 1-30, ATN A serves as both a Telnet
  server and a Telnet client.
  Figure 1-30 Telnet client services
- Redirection terminal services: You can run the Telnet client program on a PC to log in to
  the ATN through a specified port number. Then connect to serial interface devices that are
  connected through the asynchronous interface of the ATN, as shown in Figure 1-31. This
  scenario is typically used to connect an asynchronous ATN interface with multiple remote
  devices to complete configuration and maintenance tasks.
  Figure 1-31 Telnet redirection services

  NOTE
  Only devices that provide asynchronous interfaces support the Telnet redirection service.
- Interruption of Telnet services


Two shortcut key combinations can terminate a Telnet connection.
As shown in Figure 1-32, ATN A logs in to ATN B through Telnet, and ATN B logs in
to ATN C through Telnet. Thus, a cascade network is formed. In this case, ATN A is the
client of ATN B and ATN B is the client of ATN C. Figure 1-32 illustrates the usage of
shortcut keys.


Figure 1-32 Usage of Telnet shortcut keys

Ctrl_]: The server interrupts the connection.


If the network connection is normal and you press Ctrl_], the Telnet server terminates the
current Telnet connection. For example:
<ATNC>

Press Ctrl_] to return to the ATN B prompt.


Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
Info: The connection was closed by the remote host.
<ATNB>

Press Ctrl_] to return to the ATN A prompt.


Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
Info: The connection was closed by the remote host.
<ATNA>
NOTE

If a router becomes disconnected from the network, these shortcut keys are invalid. Instructions
cannot be sent to the server.

Ctrl_T: The client interrupts the connection.


If the server fails and the client is unaware of this failure, the client continues to transmit
data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet
connection.
For example:
<ATNC>

Press Ctrl_T to terminate and quit a Telnet connection.


<ATNA>

NOTICE
If remote login users are using the maximum number of VTY user interfaces allowed, the
system states that all user interfaces are in use and does not allow additional Telnet logins.

FTP Method
To access files on a remote FTP server, you can use FTP to establish a connection between the
ATN to which you are logged in and the remote FTP server.
FTP can transmit files between hosts and provide users with common FTP commands for file
system management. That is, you can use an FTP client program that does not reside on the
ATN to upload or download files and access directories on the router, and you can use an FTP
client program that resides on the ATN to transfer files to the FTP servers of other devices.
FTP can transmit files between local and remote hosts. It is widely used for upgrading versions,
downloading logs, transmitting files, and saving configurations.

TFTP Method
If network client/server interaction requirements are relatively simple, you can enable the TFTP
service on the ATN that functions as a TFTP client to access files on a TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Unlike FTP, TFTP does not have a complex interactive access interface or authentication control.
TFTP is used in environments where there is no complex interaction between the client and the
server. For example, TFTP is used to obtain a memory image of the system when the system
starts up.
Implementation of TFTP is based on the User Datagram Protocol (UDP).
The client initiates a TFTP transfer. To download files, the client sends a read request packet to
the TFTP server, receives packets from the server, and returns an acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives an acknowledgement from the server.
TFTP uses two formats for file transfer:
- Binary format: transfers program files.
- ASCII format: transfers text files.

The ATN can only serve as a TFTP client and can only transfer files in binary format.

SSH Method
Logging in to a remote device using SSH (including STelnet, SFTP) provides secure
communications between the remote device and the ATN to which you are logged in.

SSH Overview
When users on an insecure network use Telnet to log in to the ATN, the Secure Shell (SSH)
feature provides authentication and keeps data secure. SSH defends the ATN from IP address
spoofing and other such attacks, and protects the ATN against the interception of plain text
passwords.
The SSH client function enables users to establish SSH connections with ATNs that serve as
SSH servers or with UNIX hosts.

SSH Client Function


The ATN supports the STelnet client function and SFTP client function.
- STelnet client (Secure Telnet)
  Telnet does not provide secure authentication and TCP transmits data in plain text, which
  creates security vulnerabilities. Denial of service (DoS) attacks, host IP address spoofing,
  and route spoofing also threaten system security. Therefore, Telnet services are vulnerable
  to network attacks.
  SSH implements secure remote access on insecure networks and has the following
  advantages compared with Telnet:
  - SSH supports Rivest-Shamir-Adleman (RSA) authentication, Digital Signature
    Algorithm (DSA) authentication, and Elliptic Curve Cryptography (ECC) authentication.
    SSH uses RSA, DSA, or ECC authentication to generate and exchange public and private
    keys compliant with an asymmetric encryption system that protects session security.
  - SSH supports Data Encryption Standard (DES), 3DES, RC4, and Advanced Encryption
    Standard (AES) encryption.
  - SSH usernames and passwords are encrypted in the communication between an SSH
    client and server, which prevents password interception.
  - SSH encrypts transmitted data.
If the STelnet server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at configured time intervals. If a configured number of keepalive packets receives no reply
from the server, the client determines that there is a fault and releases the connection.
• SFTP client
SFTP is short for Secure FTP. You can log in to a device from a secure remote end to
manage files, which improves data transmission security when the remote system is
updated. The client function enables you to use SFTP to log in to the remote device for
secure file transmission.
If the SFTP server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at configured time intervals. If a configured number of keepalive packets receives no reply
from the server, the client determines that there is a fault and releases the connection.

1.8.2 Using Telnet to Log In to Other Devices


On most networks, multiple ATNs need to be managed and maintained, but it may be impossible
to connect some of these ATNs to a PC terminal. In other cases, there may be no reachable route
between a router and a PC terminal. You can log in to a local ATN and then use Telnet to log
in to remote ATNs to complete management and maintenance tasks.
The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.

Before You Start


Before configuring logins to another device from the device to which you are logged in,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain any data required for the configuration. This will help you complete the configuration
task quickly and correctly.


Applicable Environment
Figure 1-33 Networking diagram for accessing another device to which you are logged in

As shown in Figure 1-33, you can use Telnet to log in to ATN A from a PC. You cannot,
however, manage ATN B remotely, because there is no reachable route between the PC and
ATN B. To manage ATN B remotely, you must use Telnet and log in from ATN A.
In this situation, ATN A functions as a Telnet client and ATN B functions as a server.

Pre-configuration Tasks
Before using Telnet to log in to another device on the network, complete the following tasks:
• Log in to devices using Telnet.
• Configure a reachable route between the client and Telnet server.

Data Preparation
To use Telnet to log in to another device, you need the following data:
No.  Data
1    IP address or host name of ATNB
2    Number of the TCP port ATNB uses to provide Telnet services

(Optional) Configuring a Source IP Address for a Telnet Client


You can configure a source IP address for a Telnet client and then use this address to set up a
Telnet connection from the client to the server along a specific route.

Context
An IP address is configured for an interface on the ATN and functions as the source IP address
of a Telnet connection. This configuration enables security checks.
The source of a client can be a source interface or a source IP address.
Do as follows on an ATN that functions as a Telnet client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a Telnet client is configured.


After the configuration, the source IP address of the Telnet client displayed on the Telnet server
must be the same as the configured IP address.
----End

Using Telnet to Log In to Another Device


You can use Telnet to log in to and manage another ATN.

Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.
Do as follows on the ATN that serves as a Telnet client:

Procedure
• Select and perform one of the following steps for IPv4 or IPv6.
  - Run:
    telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i interface-type interface-number ] host-name [ port-number ]

    Log in to the ATN and manage other ATNs.
  - Run:
    telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ] host-name [ -oi interface-type interface-number ] [ port-number ]

    Log in to the ATN and manage other ATNs.


----End

Checking the Configuration


When you use an ATN to log in to another ATN, you can check information about the established
TCP connection.

Prerequisites
All configurations for logging in to another device are complete.

Procedure
• Run the display tcp status command to check the status of all TCP connections.

----End

Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port   Foreign Add:port  VPNID  State
39952df8  36 /1509  0.0.0.0:0        0.0.0.0:0         0      Closed
32af9074  59 /1     0.0.0.0:21       0.0.0.0:0         14849  Listening
34042c80  73 /17    10.164.39.99:23  10.164.6.13:1147         Established

1.8.3 Using STelnet to Log In to Another Device


STelnet provides secure Telnet services. You can use STelnet to log in to another ATN and
manage the device remotely.

Before You Start


Before you use STelnet to configure login to another device, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain any data required for
the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device to which you have logged in functions as a Telnet client, and
the device to which you want to log in functions as an SSH server.

Pre-configuration Tasks
Before you use STelnet to log in to another device, complete the following tasks:
• Use STelnet to log in to devices.
• Configure a reachable route between the client and SSH server.

Data Preparation
To use STelnet to log in to another device, you need the following data.

No.  Data
1    Name of the SSH server and public key that is assigned by the client to the SSH server
2    IPv4 or IPv6 address or host name of the SSH server, number of the port monitored
     by the SSH server, preferred encryption algorithm for data from the SFTP client to
     the SSH server, preferred encryption algorithm for data from the SSH server to the
     SFTP client, preferred Hashed message authentication code (HMAC) algorithm for
     data from the SFTP client to the SSH server, preferred HMAC algorithm for data from
     the SSH server to the SFTP client, preferred algorithm of key exchange, and
     user information for logging in to the SSH server

Enabling First-Time Authentication on the SSH Client


After first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm
(DSA) public key when it logs in to the SSH server for the first time.

Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA or DSA public key when it logs in to the SSH server for the first time. After
the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at the next login.
Do as follows on the ATN that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh client first-time enable

First-time authentication on the SSH client is enabled.


By default, first-time authentication on the SSH client is disabled.
NOTE

• The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
  the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
  the first time. The check is skipped because the STelnet client has not saved the RSA or DSA public
  key of the SSH server.
• If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
  on the SSH client, the STelnet client fails to pass the RSA or DSA public key validity check and cannot
  log in to the server.


NOTE

To ensure that an STelnet client can log in to an SSH server on the first attempt, you can assign an RSA
or DSA public key to the SSH server on the SSH client in advance. You can also enable first-time
authentication on the SSH client.

----End

Allocating a Public Key to the SSH Server


To configure the first successful login to another device on an SSH client, you must allocate a
Rivest-Shamir-Adleman Algorithm (RSA), Digital Signature Algorithm (DSA), or Elliptic
Curve Cryptography (ECC) public key to the SSH server before login.

Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA or DSA or ECC public
key validity check and cannot log in to the server. You must allocate an RSA or DSA or ECC
public key to the SSH server before the STelnet client logs in to the SSH server.
Do as follows on the ATN that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
or
dsa peer-public-key key-name encoding-type { der | openssh | pem }
or
ecc peer-public-key key-name encoding-type { der | openssh | pem }

An encoding format is configured for a public key, and the public key view is displayed.
Step 3 Run:
public-key-code begin

The public key editing view is displayed.


Step 4 Run:
hex-data

The public key is edited.


The public key is a string of hexadecimal alphanumeric characters an SSH client generates.
NOTE

• The RSA or DSA or ECC public key assigned to the SSH server must be generated on the server.
  Otherwise, the validity check for the RSA or DSA or ECC public key on the STelnet client will fail.
• After entering the public key edit view, paste the RSA or DSA or ECC public key generated on the
  server to the ATN that functions as the client.

Step 5 Run:
public-key-code end


Quit the public key editing view.


• If the specified hex-data is invalid, the public key cannot be generated after you run the
  peer-public-key end command.
• If the specified key-name is deleted in other views, the system determines that the key does
  not exist after you run the peer-public-key end command, and the system view is displayed.
Step 6 Run:
peer-public-key end

Return to the system view from the public key view.


Step 7 Run:
ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname

The RSA or DSA or ECC public key is assigned to the SSH server.
NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key | ecc-key } command to cancel the association between the SSH client and the
SSH server. Then, run the ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname command
to allocate a new RSA or DSA or ECC public key to the SSH server.

----End
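The two ways of getting past the first login described above (enabling first-time authentication, or assigning the server's public key in advance) differ in what the client trusts. The following model is an added example, not Huawei code: the class, the SHA-256 fingerprint format, the server address, and both key strings are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def key_bytes(hex_data):
    """Normalise pasted hex-data (any case, spaces, line breaks) to raw bytes."""
    compact = "".join(hex_data.split())
    if not compact:
        raise ValueError("empty hex-data")
    try:
        return bytes.fromhex(compact)
    except ValueError:
        raise ValueError("hex-data is not valid hexadecimal") from None


def fingerprint(hex_data):
    """SHA-256 of the key bytes, for comparing a pasted key out of band.
    Assumption: this digest format is chosen for the example, not the device's."""
    return hashlib.sha256(key_bytes(hex_data)).hexdigest()


@dataclass
class SshClientModel:
    first_time_enable: bool = False                   # default: disabled
    server_keys: dict = field(default_factory=dict)   # server name -> key bytes

    def assign(self, server, hex_data):
        """Models pasting the server's key and assigning it to the server name."""
        self.server_keys[server] = key_bytes(hex_data)

    def undo_assign(self, server):
        """Models cancelling the association before assigning a new key."""
        self.server_keys.pop(server, None)

    def login(self, server, presented_hex):
        presented = key_bytes(presented_hex)
        stored = self.server_keys.get(server)
        if stored is None:
            if not self.first_time_enable:
                return "rejected: no public key assigned to server"
            # First contact with first-time authentication: nothing to compare
            # against, so whatever key is presented is saved for later logins.
            self.server_keys[server] = presented
            return "accepted: first-time authentication, key saved unchecked"
        if hmac.compare_digest(stored, presented):
            return "accepted: key matches stored key"
        return "rejected: key differs from stored key"


# Constructed sample keys (not real key material).
EXPECTED_KEY = "30470240 BFF35E4B C61BD786 F907B5DE"
OTHER_KEY = "30470240 11223344 55667788 99AABBCC"
SERVER = "192.0.2.10"


def scenarios():
    results = {}
    # First-time authentication: the key seen on first contact is trusted,
    # even when it is not the key the administrator expects.
    tofu = SshClientModel(first_time_enable=True)
    results["first_time_unexpected_key"] = tofu.login(SERVER, OTHER_KEY)
    results["first_time_then_expected_key"] = tofu.login(SERVER, EXPECTED_KEY)
    # Pre-assigned key: the same unexpected key is refused on first contact.
    pinned = SshClientModel()
    pinned.assign(SERVER, EXPECTED_KEY)
    results["assigned_unexpected_key"] = pinned.login(SERVER, OTHER_KEY)
    results["assigned_expected_key"] = pinned.login(SERVER, EXPECTED_KEY)
    # Neither configured: the first login fails, as the Context states.
    results["nothing_configured"] = SshClientModel().login(SERVER, EXPECTED_KEY)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print("%-30s %s" % (name, outcome))
```

Comparing `fingerprint()` of the pasted hex-data with a value obtained from the server over a separate channel catches a mistyped or substituted key before it is assigned.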

Using STelnet to Log In to Another Device


You can use STelnet to log in to an SSH server from an SSH client.

Context
When accessing an SSH server, an STelnet client can carry the source address and the VPN
instance name; choose the key exchange algorithm, encryption algorithm, or Hashed message
authentication code (HMAC) algorithm; and configure the keepalive function.
Do as follows on the ATN that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 According to the address type of the SSH server, select and run one of the following two
commands.
For IPv4 addresses,
Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] |
[ prefer_kex { dh_group1 | dh_exchange_group | dh-exchange-group-sha256 | ecdh-sha2-nistp256 |
ecdh-sha2-nistp384 | ecdh-sha2-nistp521 } ] | [ identity-key { rsa | dsa | ecc } ] |
[ prefer_ctos_cipher { des | 3des | aes128 | aes256 | arcfour128 | arcfour256 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 | aes256 | arcfour128 | arcfour256 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] |
[ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] |
[ -ki aliveinterval ] | [ -kc alivecountmax ] ] * command. You can log in to the SSH server through
STelnet.
For IPv6 addresses,
Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ]
[ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] |
[ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] ] * [ -ki
aliveinterval [ -kc alivecountmax ] ] command. You can log in to the SSH server through STelnet.
----End
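The stelnet syntax in Step 2 lets each direction and each algorithm class be chosen separately, so a review has to look at every option. The following is an added example, not part of the original guide: it checks constructed stelnet command lines against the values listed for the IPv4 form and rewrites weak choices. The WEAK and PREFERRED tables are this example's policy assumptions, as is the reading of dh_group1 as the fixed 1024-bit Diffie-Hellman group.

```python
_CIPHERS = {"des", "3des", "aes128", "aes256", "arcfour128", "arcfour256"}
_HMACS = {"sha1", "sha1_96", "sha2_256", "sha2_256_96", "md5", "md5_96"}

# Option keywords and values as listed in the IPv4 stelnet syntax.
DOCUMENTED = {
    "prefer_kex": {"dh_group1", "dh_exchange_group", "dh-exchange-group-sha256",
                   "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                   "ecdh-sha2-nistp521"},
    "prefer_ctos_cipher": _CIPHERS,
    "prefer_stoc_cipher": _CIPHERS,
    "prefer_ctos_hmac": _HMACS,
    "prefer_stoc_hmac": _HMACS,
}

# Policy assumption for this example; extend it to match local policy.
WEAK = {
    "des": "56-bit key",
    "3des": "64-bit block cipher",
    "arcfour128": "RC4 stream cipher",
    "arcfour256": "RC4 stream cipher",
    "md5": "MD5-based MAC",
    "md5_96": "MD5-based MAC truncated to 96 bits",
    "dh_group1": "fixed 1024-bit Diffie-Hellman group",
}

# Replacement values, all taken from the documented sets above.
PREFERRED = {
    "prefer_kex": "ecdh-sha2-nistp256",
    "prefer_ctos_cipher": "aes256",
    "prefer_stoc_cipher": "aes256",
    "prefer_ctos_hmac": "sha2_256",
    "prefer_stoc_hmac": "sha2_256",
}


def audit(command):
    """Return findings for one stelnet line and the options it leaves unset."""
    tokens = command.split()
    if not tokens or tokens[0] != "stelnet":
        raise ValueError("not an stelnet command line")
    findings, pinned = [], set()
    i = 1
    while i < len(tokens):
        option = tokens[i]
        if option not in DOCUMENTED:
            i += 1
            continue
        if i + 1 == len(tokens):
            findings.append((option, None, "option given without a value"))
            break
        value = tokens[i + 1]
        pinned.add(option)
        if value not in DOCUMENTED[option]:
            findings.append((option, value, "not a value documented for this option"))
        elif value in WEAK:
            findings.append((option, value, WEAK[value]))
        i += 2
    return {"findings": findings, "unpinned": sorted(set(DOCUMENTED) - pinned)}


def harden(command):
    """Rewrite weak option values to the PREFERRED value for that option."""
    tokens = command.split()
    for i in range(1, len(tokens)):
        option = tokens[i - 1]
        if option in DOCUMENTED and tokens[i] in WEAK:
            tokens[i] = PREFERRED[option]
    return " ".join(tokens)


# Constructed command lines (addresses from the documentation range).
SAMPLES = [
    "stelnet 192.0.2.10 prefer_kex dh_group1 prefer_ctos_cipher des "
    "prefer_stoc_cipher des prefer_ctos_hmac md5 prefer_stoc_hmac md5 -ki 10 -kc 4",
    "stelnet 192.0.2.10 prefer_kex ecdh-sha2-nistp256 prefer_ctos_cipher aes256 "
    "prefer_stoc_cipher aes256 prefer_ctos_hmac sha2_256 prefer_stoc_hmac sha2_256",
    # Only one direction is weak here; each direction is checked on its own.
    "stelnet -a 192.0.2.1 192.0.2.10 22 prefer_ctos_cipher aes256 "
    "prefer_stoc_cipher arcfour128",
]

if __name__ == "__main__":
    for line in SAMPLES:
        report = audit(line)
        print(line)
        for option, value, reason in report["findings"]:
            print("  %s %s: %s" % (option, value, reason))
        print("  unset:", ", ".join(report["unpinned"]) or "none")
        print("  hardened:", harden(line))
```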

Checking the Configuration


After configuring login to another device using STelnet, you can check the mappings between
all SSH servers of the STelnet client and the Rivest-Shamir-Adleman Algorithm (RSA) or
Digital Signature Algorithm (DSA) public keys on the client. You can also check the global
configurations of the SSH servers, and information about sessions between the SSH servers and
the STelnet client.

Prerequisites
The configurations for logging in to another device by using STelnet are complete.

Procedure
• Run the display ssh server-info command to check the mappings between all SSH servers
  of the SSH client and the RSA or DSA public keys on the client.

----End

Example
Run the display ssh server-info command to view the mappings between all servers of the SSH
client and the RSA or DSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)                                 Server Public Key Type  Server public key name
______________________________________________________________________________
10.137.128.216                                  RSA                     10.137.128.216
10.137.128.217                                  RSA                     10.137.128.217
10.137.128.217                                  DSA                     sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1                                       RSA                     127.0.0.1
127.0.0.1                                       DSA                     10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1    RSA                     1fff:00ffff:00ffff:
                                                                        0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1  RSA                     1fff:00ffff:ffff:00ffff:
                                                                        000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1    RSA                     1fff:ffff:ffff:00ffff:
                                                                        000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1  RSA                     1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2                                         RSA                     8.1.1.2

1.8.4 Using TFTP to Access Files on Another Device


You can configure the ATN as a TFTP client and log in to the TFTP server to upload and
download files.

Before You Start


Before configuring access to another device using TFTP, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
You can use TFTP in a simple interaction environment to transfer files between a server and
a client.
The current ATN functions as a TFTP client, and the ATN to be accessed functions as a TFTP
server.

Pre-configuration Tasks
Before configuring access to another device using TFTP, configure a reachable route between
the client and the TFTP server.

Data Preparation
To access another device using TFTP, you need the following data.
No.  Data
1    (Optional) Source address or source interface of the ATN that functions as a TFTP
     client
2    IP address or host name of the TFTP server
3    Name of the specific file in the TFTP server and the file directory

(Optional) Configuring a Source IP Address for a TFTP Client


You can configure a source IP address for a TFTP client and then use the source IP address to
set up a TFTP connection from the TFTP client to the server along a specific route.

Context
An IP address is configured for an interface on the ATN. This IP address functions as the source
IP address of a TFTP connection, which enables security checks to be implemented.
The source address of a client can be configured as a source interface or a source IP address.

Do as follows on an ATN that functions as a TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a TFTP client is configured.


After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End

(Optional) Configuring TFTP Access Authority


This section describes how to use an ACL rule to specify which TFTP servers can be accessed
by using TFTP from the ATN to which you are logged in.

Context
When the ATN functions as a TFTP server, you can configure an ACL to allow the clients that
meet matching rules to access the TFTP server.
Perform the following steps on the ATN that serves as the TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] } [ match-order { auto | config } ]
or
acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ]

The ACL or ACL6 view is displayed.


TFTP supports only the basic ACL (2000 to 2999).
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
or
rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The basic ACL or ACL6 rule is configured.



NOTE

• By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose
  source IP addresses match the ACL rule with a permit action can log in to the device.
  In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
  logging in to the device while allowing the other users to log in to the device:
  - rule deny source 10.1.1.10 0
  - rule permit source any
  If the rule permit source any command is not configured, users whose source IP addresses are not
  10.1.1.10 will also be prohibited from logging in to the device.
• If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
  logging in to the device.
• If the ACL referenced by TFTP does not contain any rules or does not exist, any user can log in to the
  device.

Step 4 Run:
quit

The system view is displayed.


Step 5 Run:
tftp-server acl acl-number

The ACL can be used to limit access to the TFTP server.


Step 6 According to the address type of the TFTP server, select and run one of the following two
commands.
• For IPv4 addresses,
  Run the tftp-server acl acl-number command. You can use the ACL to limit the access to
  the TFTP server.
• For IPv6 addresses,
  Run the tftp-server ipv6 acl acl6-number command. You can use the ACL to limit the access
  to the TFTP server.
----End
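The NOTE in Step 3 describes three behaviours that are easy to get wrong: the first matching rule decides, an address that matches no rule is denied, and an ACL with no rules (or no ACL at all) restricts nothing. The following evaluator is an added example, not Huawei code. It assumes IPv4 basic rules with only a source condition, rules checked in ascending rule-id order (match-order config), and automatic rule ids in steps of 5 as in the display acl output in this section.

```python
import ipaddress

STEP = 5                  # rule-id step, as in "Acl's step is 5"
ANY = (0, 0xFFFFFFFF)     # address 0.0.0.0 with every bit "don't care"


def _wildcard(text):
    # "0" is the shorthand used in "rule deny source 10.1.1.10 0" (exact host).
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_rule(line, default_id):
    """Parse 'rule [id] {deny|permit} [source {ip wildcard | any}]'."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError("not a rule line: %r" % line)
    rest = tokens[1:]
    rule_id = default_id
    if rest and rest[0].isdigit():
        rule_id, rest = int(rest[0]), rest[1:]
    if not rest or rest[0] not in ("deny", "permit"):
        raise ValueError("rule needs deny or permit: %r" % line)
    action, rest = rest[0], rest[1:]
    if not rest or rest == ["source", "any"]:
        addr, wild = ANY            # no condition: the rule matches every source
    elif len(rest) == 3 and rest[0] == "source":
        addr = int(ipaddress.IPv4Address(rest[1]))
        wild = _wildcard(rest[2])
    else:
        raise ValueError("unsupported match condition: %r" % line)
    return (rule_id, action, addr, wild)


def build_acl(lines):
    """Parse rule lines and return them in ascending rule-id order."""
    rules, next_id = [], STEP
    for line in lines:
        rule = parse_rule(line, next_id)
        rules.append(rule)
        next_id = (rule[0] // STEP + 1) * STEP
    return sorted(rules)


def _matches(rule, src):
    _, _, addr, wild = rule
    # Wildcard bits set to 1 are ignored; all other bits must be equal.
    return ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0


def decide(acl, source_ip):
    """Return (action, rule_id) for one client source address."""
    if not acl:                     # ACL missing or without rules: no restriction
        return ("permit", None)
    src = int(ipaddress.IPv4Address(source_ip))
    for rule in acl:
        if _matches(rule, src):
            return (rule[1], rule[0])
    return ("deny", None)           # no rule matched: default deny


def shadowed(acl):
    """Rule ids that never match because an earlier rule matches everything."""
    for index, rule in enumerate(acl or []):
        if rule[3] == 0xFFFFFFFF:
            return [later[0] for later in acl[index + 1:]]
    return []


if __name__ == "__main__":
    note_acl = build_acl(["rule deny source 10.1.1.10 0", "rule permit source any"])
    deny_only = build_acl(["rule deny source 10.1.1.10 0"])
    acl_2001 = build_acl(["rule 5 permit", "rule 10 permit source 1.1.1.1 0"])
    print(decide(note_acl, "10.1.1.10"), decide(note_acl, "10.1.1.11"))
    print(decide(deny_only, "10.1.1.11"))      # denied: permit rule is missing
    print(decide([], "10.1.1.10"))             # empty ACL restricts nothing
    print(decide(acl_2001, "192.0.2.77"), shadowed(acl_2001))
```

Under these assumptions, an ACL shaped like the `display acl 2001` sample later in this section permits every source at rule 5, so its rule 10 is never reached.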

Using TFTP to Download Files


You can download files from a TFTP server to a TFTP client.

Context
Do as follows on the ATN that serves as the TFTP client:

Procedure
• Run the following commands according to the server IP address type.
  - If the IP address of the server is an IPv4 address, run:
    tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]

    The ATN is configured to download files through TFTP.
  - If the IP address of the server is an IPv6 address, run:
    tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ interface-type interface-number ] get source-filename [ destination-filename ]

    The ATN is configured to download files using TFTP.


----End

Using TFTP to Upload Files


You can upload files from a TFTP client to a TFTP server.

Context
Do as follows on the ATN that serves as the TFTP client:

Procedure
• Run the following commands according to the server IP address type.
  - If the IP address of the server is an IPv4 address, run:
    tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]

    The ATN is configured to upload files using TFTP.
  - If the IP address of the server is an IPv6 address, run:
    tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type interface-number ] put source-filename [ destination-filename ]

    The ATN is configured to upload files using TFTP.


----End

Checking the Configuration


When a device is configured as a TFTP client, you can check the source address of the client
and the configured ACL rule.

Prerequisites
Configurations for using the device as a TFTP client are complete.

Procedure
• Run the display tftp-client command to check the device address that is set as the source
  address of the TFTP client.
• Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
  that is configured on the TFTP client.

----End

Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
The source address of TFTP client is 1.1.1.1.

Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is
configured on the TFTP client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 1.1.1.1 0

1.8.5 Using FTP to Access Files on Another Device


This section describes how to configure an ATN as an FTP client to log in to an FTP server and
how to upload files to or download files from this server.

Context
The FTP protocol poses a security risk, and therefore the SFTP protocol is recommended.

Before You Start


Before configuring the use of FTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the ATN to which you have logged in as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.

Pre-configuration Tasks
Before configuring the use of FTP to access files on another device, configure a reachable route
between the ATN and the FTP server.

Data Preparation
To configure the use of FTP to access files on another device, you need the following data:

No.  Data
1    (Optional) Source IP address or source interface of the ATN that functions as an FTP
     client
2    Host name or IP address of the FTP server, port number of the connecting FTP, login
     username, and password
3    Local file names and file names on the remote FTP server, name of the working
     directory on the remote FTP server, name of the working directory on the local FTP
     client, or directory name of the remote FTP server

(Optional) Configuring the Source IP Address and Interface of the FTP Client
This section describes how to configure the source IP address and interface of an FTP client to
connect to an FTP server.

Prerequisites
An IP address is configured for an interface on the ATN and functions as the source IP address
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp client-source { -a source-ip-address | -i interface-type interface-number }

The source address of the FTP client is configured.


After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.
----End

Connecting to Other Devices Using FTP Commands


You can run FTP commands to log in to other devices from the ATN that functions as the FTP
client.

Context
You can log in to the FTP server in the user view or the FTP view.
Do as follows on the ATN that serves as the client:

Procedure
Step 1 Run the following commands according to the type of the server IP address.
• If the IP address of the server is an IPv4 address, do as follows:
  - In the user view, establish a connection to the FTP server.
    Run:
    ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]

    The ATN is connected to the FTP server.
  - In the FTP view, establish a connection to the FTP server.
    1. In the user view, run:
       ftp

       The FTP view is displayed.
    2. Run:
       open [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ vpn-instance vpn-instance-name ]

       The ATN is connected to the FTP server.

    NOTE
    Before logging in to the FTP server, you can run the set net-manager vpn-instance
    command to configure a default VPN instance. After a default VPN instance is configured,
    it will be used for FTP operations.
• If the IP address of the server is an IPv6 address, do as follows:
  - In the user view, establish a connection to the FTP server.
    Run:
    ftp ipv6 host [ port-number ]

    The ATN is connected to the FTP server.
  - In the FTP view, establish a connection to the FTP server.
    1. In the user view, run:
       ftp

       The FTP view is displayed.
    2. Run:
       open ipv6 host-ipv6-address [ port-number ]

       The ATN is connected to the FTP server.


----End

Using FTP Commands to Manage Files


After you log in to an FTP server, you can use FTP commands to manage files. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.

Context
After logging in to an FTP server, you can perform the following operations:

• Configure a data type for transmission files and a file transmission method.
• Check the online help about FTP commands in the FTP client view.
• Upload local files to the remote FTP server, or download files from the FTP server and
  save them locally.
• Create directories on or delete directories from the FTP server.
• Display information about a specified remote directory or a file of the FTP server, or delete
  a specified file from the FTP server.

After you log in to the ATN that functions as a client and enter the FTP client view, you can
perform the following steps:

Procedure
l

Configure the data type and transmission mode for the file.
Run:
ascii | binary

The data type of the file to be transmitted is ascii or binary mode.


NOTE

FTP supports both ASCII and binary files. Their differences are as follows:
● In ASCII transmission mode, ASCII characters are used to separate carriage returns
from line feeds.
● In binary transmission mode, characters are transferred without format conversion or
formatting.
Clients can select an FTP transmission mode as required. The system defaults to the ASCII
transmission mode. The client can use a mode switch command to switch between the ASCII
mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is
used to transmit binary files.

Run:
passive

The passive file transfer mode is configured.


Run:
verbose

The verbose mode for FTP is enabled.


When the verbose mode is enabled, all FTP responses are displayed. Then, file
transmission efficiency statistics will be displayed.
● View online help for FTP commands.
Run:
remotehelp [ command ]

The online help of the FTP commands is displayed.


● Upload or download files.


Upload or download a file.
Run:
put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.


Run:
get remote-filename [ local-filename ]


The FTP file is downloaded from the FTP server and saved to the local file.
● Run one or more of the following commands to manage directories.


Run:
cd pathname

The working path of the remote FTP server is specified.


Run:
cdup

The working path of the FTP server is switched to the upper-level directory.
Run:
pwd

The specified directory of the FTP server is displayed.


Run:
lcd [ local-directory ]

The directory of the FTP client is displayed or changed.


Run:
mkdir make-remote-directory

A directory is created on the FTP server.


Run:
rmdir delete-remote-directory

A directory is removed from the FTP server.


NOTE

● A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
● When you run the mkdir /abc command, you create a sub-directory named "abc".

● Run one or more of the following commands to manage files.


Run:
ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
If local-filename is configured, the remote file can be saved in another local file.
Run:
dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
If local-filename is configured, the remote file can be saved in another local file.
Run:
delete remote-filename

The specified file on the FTP server is deleted.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
----End

Changing Login Users


After you log in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.

Context
If you are logged in to the ATN that functions as an FTP client, you can switch to a different
username and log in to the FTP server without logging out of the FTP client view. The FTP
connection established in this way is identical to that established by running the ftp command.
Perform the following steps on the ATN that functions as a client:

Procedure
● Run:
user user-name [ password ]

The user that previously logged in to the FTP server is changed and the new user logs in
to the server.
When the username used to log in to the FTP server is changed, the original connection
between the user and the FTP server is interrupted.
----End

Disconnecting from the FTP Server


You can terminate a connection with an FTP server and return to the user view or FTP view.

Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.
Do as follows on the ATN that serves as the client.

Procedure
● Run one of the following commands depending on your system configurations.

Run:
bye

Or
quit

The client ATN is disconnected from the FTP server. Return to the user view.

Run:
close

Or
disconnect

The client ATN is disconnected from the FTP server. Return to the FTP view.


----End

Checking the Configuration


After the configurations for accessing other devices using FTP are complete, you can view the
source parameters configured on the FTP client.

Prerequisites
The configurations for accessing other devices using FTP are complete.

Procedure
● Run the display ftp-client command to view the source parameters of the FTP client.

----End

Example
Run the display ftp-client command to view the source parameters of the FTP client.
<HUAWEI> display ftp-client
The source address of FTP client is 1.1.1.1.

1.8.6 Using SFTP to Access Files on Another Device


SFTP is a secure FTP service. After the ATN is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.

Before You Start


Before you configure the use of SFTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
SFTP is a secure FTP protocol that is based on SSH. SFTP allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
ATN that functions as an SFTP client.

Pre-configuration Tasks
Before configuring the use of SFTP to access files on another device, configure a reachable route
between the client and SSH server.

Data Preparation
To use SFTP to access files on another device, you need the following data:
No.   Data
1     (Optional) Source address of the device that functions as the SFTP client
2     (Optional) Name of the SSH server
3     (Optional) Public key assigned by the client to the SSH server
4     IPv4 or IPv6 address or host name of the SSH server
5     Number of the port monitored by the SSH server, preferred encryption algorithm for
      data from the SFTP client to the SSH server, preferred encryption algorithm for data
      from the SSH server to the SFTP client, preferred HMAC algorithm for data from the
      SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH
      server to the SFTP client, preferred algorithm for key exchange, name of the outgoing
      interface, source address, and user information for logging in to the SSH server
6     Name and directory of a specified file on the SSH server

(Optional) Configuring a Source IP Address for an SFTP Client


You can configure a source IP address for an SFTP client and then use this source address to set
up an SFTP connection from the client to server along a specific route.

Context
An IP address is configured for an interface on the ATN. This IP address functions as the source
IP address of an FTP connection, which enables security checks to be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on an ATN that functions as an SFTP client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address is configured for an SFTP client.


----End

Enabling the First-Time Authentication on the SSH Client


After first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when it logs in to the SSH server for the first time.

Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when it logs in to the SSH server for the first time. After
the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at the next login.
Do as follows on the ATN that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh client first-time enable

First-time authentication on the SSH client is enabled.


By default, first-time authentication on the SSH client is disabled.
NOTE

● The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
● If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the RSA or DSA public key validity check and cannot
log in to the server.
NOTE

To ensure that an STelnet client can log in to an SSH server on the first attempt, you can assign an RSA
or DSA public key to the SSH server on the SSH client in advance. You can also enable first-time
authentication on the SSH client.

----End

Allocating a Public Key to the SSH Server


To configure the first successful login to another device on an SSH client, allocate an RSA or
DSA or ECC public key on the SSH server before you log in.

Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA or DSA or ECC public key
validity check and cannot log in to the server.
Do as follows on the ATN that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
or
dsa peer-public-key key-name encoding-type { der | openssh | pem }
or
ecc peer-public-key key-name encoding-type { der | openssh | pem }

An encoding format is configured for a public key, and the public key view is displayed.

Step 3 Run:
public-key-code begin

The public key editing view is displayed.


Step 4 Run:
hex-data

The public key is edited.


The public key is a string of hexadecimal alphanumeric characters an SSH client generates.
NOTE

● The RSA or DSA or ECC public key assigned to the SSH server must be generated on the server.
Otherwise, the validity check for the RSA or DSA or ECC public key on the STelnet client will fail.
● After entering the public key edit view, paste the RSA or DSA or ECC public key generated on the
server to the ATN that functions as the client.

Step 5 Run:
public-key-code end

Quit the public key editing view.


● If the specified hex-data is invalid, the public key cannot be generated after you run the
peer-public-key end command.
● If the specified key-name is deleted in other views, the system determines that the key does
not exist after you run the peer-public-key end command, and the system view is displayed.

Step 6 Run:
peer-public-key end

Return to the system view from the public key view.


Step 7 Run:
ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname

The RSA or DSA or ECC public key is assigned to the SSH server.
NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key | ecc-key } command to cancel the association between the SSH client and the
SSH server. Then, run the ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname command
to allocate a new RSA or DSA or ECC public key to the SSH server.

----End
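
Added example, not part of the Huawei guide: a Python check that decodes the hex-data pasted in Step 4, so the key can be compared with the one displayed on the server before it is assigned instead of relying on first-time authentication. The sample key code is the client002_Host key printed in this guide's STelnet example; the function names are this example's own, and it assumes the RSA key code layout shown there (a DER SEQUENCE of modulus and exponent, with the modulus printed without a leading sign byte).

```python
import base64
import hashlib
import struct

# Key code of client002_Host, copied from this guide's STelnet example.
SAMPLE_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""


def _read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("key code is truncated")
    return buf[pos:pos + length], pos + length


def parse_key_code(hex_text):
    """Decode pasted hex-data into the RSA (modulus, exponent) integers."""
    raw = bytes.fromhex("".join(hex_text.split()))   # ValueError on non-hex input
    seq, end = _read_tlv(raw, 0, 0x30)               # SEQUENCE { n, e }
    if end != len(raw):
        raise ValueError("trailing bytes after the key code")
    n_bytes, pos = _read_tlv(seq, 0, 0x02)           # INTEGER modulus
    e_bytes, pos = _read_tlv(seq, pos, 0x02)         # INTEGER public exponent
    if pos != len(seq):
        raise ValueError("unexpected extra fields in the key code")
    # Decode unsigned: the sample modulus starts with 0xBF and has no sign byte.
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if n == 0 or e == 0:
        raise ValueError("modulus and exponent must be non-zero")
    return n, e


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    # RFC 4251 mpint: a leading zero byte keeps a high-bit-set value positive.
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def describe_key(hex_text, comment="rsa-key"):
    """Return size, OpenSSH form and SHA-256 fingerprint of a pasted key code."""
    n, e = parse_key_code(hex_text)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    digest = hashlib.sha256(blob).digest()
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "openssh": f"ssh-rsa {base64.b64encode(blob).decode()} {comment}",
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
    }


if __name__ == "__main__":
    for field, value in describe_key(SAMPLE_KEY_CODE).items():
        print(f"{field}: {value}")
```

The OpenSSH line produced for the sample equals the "Public key code for pasting into OpenSSH authorized_keys file" output shown in the guide, which confirms that the hex form and the OpenSSH form describe the same key.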

Using SFTP to Connect to Other Devices


You can use SFTP to log in to an SSH server from an SSH client.

Context
The command for enabling an SFTP client is similar to that of STelnet. When accessing an SSH
server, SFTP can carry the source address and name of the VPN instance and choose the key
exchange algorithm, encryption algorithm, and HMAC algorithm, and configure the keepalive
function.
Do as follows on the ATN that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 According to the address type of the SSH server, select and perform one of the following
configurations.
● For IPv4 addresses,
Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex
{ dh_group1 | dh_exchange_group | dh-exchange-group-sha256 | ecdh-sha2-nistp256
| ecdh-sha2-nistp384 | ecdh-sha2-nistp521 } ] | [ prefer_ctos_cipher { des |
3des | aes128 | aes256 | arcfour128 | arcfour256 } ] | [ prefer_stoc_cipher
{ des | 3des | aes128 | aes256 | arcfour128 | arcfour256 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ]
| [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ]
| [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | rsa |
ecc } ] ] *

You can log in to the SSH server through SFTP.


● For IPv6 addresses,
Run:
sftp ipv6 [[ -a source-address | -oi interface-type interface-number ] |
[ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 |
aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5
| md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 |
md5 | md5_96 } ] | [ -ki aliveinterval] |[ -kc alivecountmax ] | [ identity-key
{ dsa | rsa } ] ]* host-ipv6 [ port ]

----End
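
Added example, not from the Huawei guide: a Python helper that reads an sftp command line in the IPv4 syntax above and reports, for each direction, which preferred algorithms are set, which are left unset, and which fall on a deny-list. The deny-list (dh_group1, des, 3des, arcfour128, arcfour256, md5, md5_96) and the two sample command lines are this example's assumptions, not Huawei recommendations.

```python
CIPHERS = {"des", "3des", "aes128", "aes256", "arcfour128", "arcfour256"}
HMACS = {"sha1", "sha1_96", "sha2_256", "sha2_256_96", "md5", "md5_96"}

# Keywords accepted by each option in the IPv4 "sftp" syntax shown above.
ALLOWED = {
    "prefer_kex": {"dh_group1", "dh_exchange_group", "dh-exchange-group-sha256",
                   "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "prefer_ctos_cipher": CIPHERS,
    "prefer_stoc_cipher": CIPHERS,
    "prefer_ctos_hmac": HMACS,
    "prefer_stoc_hmac": HMACS,
}

# ASSUMPTION: local policy chosen for this example, not taken from the guide.
WEAK_CIPHERS = {"des", "3des", "arcfour128", "arcfour256"}
WEAK_HMACS = {"md5", "md5_96"}
WEAK = {
    "prefer_kex": {"dh_group1"},
    "prefer_ctos_cipher": WEAK_CIPHERS,
    "prefer_stoc_cipher": WEAK_CIPHERS,
    "prefer_ctos_hmac": WEAK_HMACS,
    "prefer_stoc_hmac": WEAK_HMACS,
}

# Constructed command lines (addresses reuse the guide's example server).
SAMPLE_WEAK = ("[ATNA] sftp 10.10.1.1 prefer_kex dh_group1 "
               "prefer_ctos_cipher aes128 prefer_stoc_cipher arcfour256 "
               "prefer_ctos_hmac md5 -ki 30")
SAMPLE_STRONG = ("[ATNA] sftp 10.10.1.1 prefer_kex ecdh-sha2-nistp256 "
                 "prefer_ctos_cipher aes256 prefer_stoc_cipher aes256 "
                 "prefer_ctos_hmac sha2_256 prefer_stoc_hmac sha2_256")


def audit_sftp_command(line):
    """Return (chosen, findings) for one sftp command line.

    chosen   maps each prefer_* option to the keyword given for it.
    findings is a list of (kind, option, detail) with kind in
             {"error", "weak", "unset"}.
    """
    tokens = line.split()
    if "sftp" not in tokens:
        raise ValueError("not an sftp command line")
    tokens = tokens[tokens.index("sftp") + 1:]       # drop prompt and command name

    chosen, findings, errored = {}, [], set()
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt not in ALLOWED:                       # host, port, -ki, -kc, ...
            i += 1
            continue
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if value not in ALLOWED[opt]:
            findings.append(("error", opt, f"missing or unknown keyword: {value}"))
            errored.add(opt)
            i += 1                                   # re-examine the next token
            continue
        chosen[opt] = value
        if value in WEAK[opt]:
            findings.append(("weak", opt, value))
        i += 2

    # Each direction is set separately, so a strong client-to-server choice
    # says nothing about the server-to-client one.
    for opt in ALLOWED:
        if opt not in chosen and opt not in errored:
            findings.append(("unset", opt, "no preference given"))
    return chosen, findings


if __name__ == "__main__":
    for sample in (SAMPLE_WEAK, SAMPLE_STRONG):
        chosen, findings = audit_sftp_command(sample)
        print(sample)
        for kind, opt, detail in findings:
            print(f"  {kind:5} {opt}: {detail}")
        if not findings:
            print("  all five preferences set, none on the deny-list")
```

The IPv6 form of the command accepts a smaller keyword set than the IPv4 form; narrow ALLOWED accordingly before using the helper on IPv6 command lines.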

Using SFTP Commands to Manage Files


You can use an SFTP client to manage directories and files on the SSH server, and check the
command help on the SFTP client.


Context
After you log in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:
● Create or delete directories on the SSH server, display the current working directory, or
display the specified directory and information about the file in the specified directory.

● Change file names, delete files, display a file list, and upload or download files.

● Display the SFTP client command help.

After you log in to the ATN that functions as an SSH client and enter the SFTP client view, you
can perform the following steps:

Procedure
● Manage directories.
Perform the following steps as required:
Run:
cd [ remote-directory ]

The current operating directory of the users is changed.


Run:
cdup

The view is switched to a directory one level up.


Run:
pwd

The current operating directory of the users is displayed.


Run:
dir / ls [ remote-directory ]

A list of files in the specified directory is displayed.


Run:
rmdir delete-remote-directory & <1-10>

The directory on the server is deleted.


Run:
mkdir make-remote-directory

A directory is created on the server.


● Manage files.
Perform the following steps as required:
Run:
rename old-name new-name

The name of the specified file on the server is changed.


Run:
get remote-filename [local-filename]

The file on the remote server is downloaded.


Run:
put local-filename [remote-filename]

The local file is uploaded to the remote server.


Run:
remove remote-filename

The file on the server is removed.


● Display the SFTP client command help.


Run:
help [all | command-name ]

The SFTP client command help is displayed.


----End

Checking the Configuration


After using SFTP to log in to another device, you can view the source address of the SSH client,
mappings between all SSH servers and the RSA or DSA public keys on the client, global
configurations of the SSH servers, and sessions between the SSH servers and the client.

Prerequisites
The configuration for using SFTP to access files on another device is complete.

Procedure
● Run the display sftp-client command to check the source IP address of the SFTP client on
the SSH client.

● Run the display ssh server-info command to check the mapping between the SSH server
and the RSA or DSA public key on the SSH client.

----End

Example
Run the display sftp-client command on the client to view the source parameters of the device
that functions as an SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1

Run the display ssh server-info command to view the mappings between all servers and the
RSA or DSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)                                 Server Public Key Type  Server public key name
______________________________________________________________________________
10.137.128.216                                  RSA                     10.137.128.216
10.137.128.217                                  RSA                     10.137.128.217
10.137.128.217                                  DSA                     sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1                                       RSA                     127.0.0.1
127.0.0.1                                       DSA                     10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1    RSA                     1fff:00ffff:00ffff:0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1  RSA                     1fff:00ffff:ffff:00ffff:000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1    RSA                     1fff:ffff:ffff:00ffff:000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1  RSA                     1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2                                         RSA                     8.1.1.2

1.8.7 Configuration Examples


This section provides examples for accessing another device. These examples explain the
networking requirements, configuration notes, and configuration roadmap.

Example for Using Telnet to Log In to Another Device


This section provides an example for using Telnet to log in to another device. In this example,
the authentication mode and password are configured for users to log in through Telnet.

Networking Requirements
As shown in Figure 1-34, users can Telnet ATN A but cannot Telnet ATN B. The route between
ATN A and ATN B is reachable. In this case, users can Telnet ATN B from ATN A to remotely
configure and manage ATN B.
Figure 1-34 Networking diagram for using Telnet to log in to another device
[Figure: a PC connects through a network to ATN A (GE0/2/0, 1.1.1.1/24), which connects through a network to ATN B (GE0/2/0, 2.1.1.1/24); a session is shown on each leg.]

Configuration Roadmap
The configuration roadmap is as follows:
1. On ATN B, configure the authentication mode and password for users on ATN A to log in
to ATN B.

2. Configure a Telnet server port number on ATN B to ensure that users log in only through
this port.

Data Preparation
To complete the configuration, you need the following data:
● Host address of ATN B: 2.1.1.1

● Password for user login: hello@123

● Telnet server port number: 1028

Procedure
Step 1 Configure the authentication mode and password for Telnet services on ATN B.
<HUAWEI> system-view
[HUAWEI] sysname ATNB
[ATNB] user-interface vty 0 4
[ATNB-ui-vty0-4] set authentication password cipher hello@123
[ATNB-ui-vty0-4] quit

To configure an ACL for Telnetting another device, run the following commands on ATN B.
[ATNB] acl 2000
[ATNB-acl-basic-2000] rule permit source 1.1.1.1 0
[ATNB-acl-basic-2000] quit
[ATNB] user-interface vty 0 4
[ATNB-ui-vty0-4] acl 2000 inbound
[ATNB-ui-vty0-4] quit
NOTE

Configuring an ACL for Telnet services is optional.

Step 2 Log in to ATN B from ATN A through Telnet.


<HUAWEI> system-view
[HUAWEI] sysname ATNA
[ATNA] quit
<ATNA> telnet 2.1.1.1
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Password:
Info: Authentication success,Welcome!
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2010-02-22 14:31:01.
<ATNB>

Step 3 Configure a Telnet server port number on ATN B.


<ATNB> system-view
[ATNB] telnet server port 1028
Warning: This operation will cause all the online Telnet users to be offline. Co
ntinue?[Y/N]: y
Info: Succeeded in changing the listening port of telnet server.

Step 4 Use the port number 1028 to log in to ATN B from ATN A through Telnet.
<ATNA> telnet 2.1.1.1 1028
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Password:
Info: Authentication success,Welcome!
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2010-02-22 14:33:48.

<ATNB>

----End

Configuration Files
● ATN A configuration file

#
sysname ATNA
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return

● ATN B configuration file

#
sysname ATNB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password cipher %$%$4X_W6DAY]Bzf%$%$4X_W6DAY]Bzf
#
return
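
Added example, not part of the Huawei guide: a Python check that reads a saved configuration file and reports, for every VTY range, the bound inbound ACL and its permitted sources, the authentication setting, and the inbound protocol. The sample configuration is constructed on the model of the ATN B file above (the cipher string is a placeholder), it assumes sub-commands are indented under their section as in a saved configuration file, and the finding names are this example's own policy.

```python
# Constructed sample, modelled on the "ATN B configuration file" above.
SAMPLE_CONFIG = """\
#
sysname ATNB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
acl number 2001
 rule 5 permit
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password cipher PLACEHOLDER-CIPHERTEXT
user-interface vty 16 20
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def parse_stanzas(text):
    """Group a saved configuration into (header, [indented sub-commands])."""
    stanzas = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line[0].isspace() and stanzas:
            stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line.strip(), []))
    return stanzas


def acl_sources(rules):
    """List the sources an ACL permits; 'any' marks an unrestricted permit."""
    sources = []
    for rule in rules:
        tok = rule.split()
        if not tok or tok[0] != "rule" or "permit" not in tok:
            continue
        if "source" in tok:
            src = tok[tok.index("source") + 1:tok.index("source") + 3]
            sources.append("any" if src[:1] == ["any"] else " ".join(src))
        else:
            sources.append("any")          # "rule permit" with no source clause
    return sources


def audit_vty(text):
    """Return one report dict per 'user-interface vty' range in the file."""
    stanzas = parse_stanzas(text)
    acls = {h.split()[-1]: body for h, body in stanzas if h.startswith("acl ")}
    reports = []
    for header, body in stanzas:
        if not header.startswith("user-interface vty"):
            continue
        report = {"vty": header.split("vty", 1)[1].strip(), "acl": None,
                  "sources": [], "auth": None, "protocol": None, "findings": []}
        for cmd in body:
            tok = cmd.split()
            if tok[0] == "acl" and tok[-1] == "inbound" and len(tok) >= 3:
                report["acl"] = tok[-2]
            elif tok[0] == "authentication-mode" and len(tok) > 1:
                report["auth"] = tok[1]
            elif cmd.startswith("set authentication password") and not report["auth"]:
                report["auth"] = "password"
            elif tok[:2] == ["protocol", "inbound"] and len(tok) > 2:
                report["protocol"] = tok[2]
        if report["acl"] is None:
            report["findings"].append("no-inbound-acl")
        elif report["acl"] not in acls:
            report["findings"].append("acl-undefined")
        else:
            report["sources"] = acl_sources(acls[report["acl"]])
            if "any" in report["sources"]:
                report["findings"].append("acl-permits-any-source")
        if report["protocol"] != "ssh":
            # Not explicitly limited to SSH, so Telnet logins are not ruled out.
            report["findings"].append("not-ssh-only")
        reports.append(report)
    return reports


if __name__ == "__main__":
    for r in audit_vty(SAMPLE_CONFIG):
        print(r)
```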

Example for Using Telnet on a VPN to Log In to Another Device


This section provides an example for logging in to another device by using Telnet on a VPN. In
this example, the authentication mode and password are configured for users on a VPN so they
can log in to the ATN through Telnet.

Networking Requirements
As shown in Figure 1-35, ATN A and ATN B can ping each other. Users can log in to
ATN A from ATN B through Telnet.
Figure 1-35 Networking diagram for logging in to another device by using Telnet on a VPN
[Figure: ATN A (GE0/2/0, 1.1.1.1 24) and ATN B (GE0/2/0, 1.1.1.2 24, VPN tt) connected through an IP network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN on ATN B.

2. Configure the authentication mode and password of the user interface VTY0 to VTY4 on
ATN B.

3. Set the user to enter the password to log in to ATN B from ATN A in Telnet mode.

Data Preparation
To complete the configuration, you need the following data:
● Host IP address of ATN B

● Authentication mode and password

● VPN instance

Procedure
Step 1 Configure the VPN instance and IP address.
# Configure ATN A.
<HUAWEI> system-view
[HUAWEI] sysname ATNA
[ATNA] interface gigabitethernet0/2/0
[ATNA-GigabitEthernet0/2/0] undo shutdown
[ATNA-GigabitEthernet0/2/0] ip address 1.1.1.1 24

# Configure ATN B.
<HUAWEI> system-view
[HUAWEI] sysname ATNB
[ATNB] ip vpn-instance tt
[ATNB-vpn-instance-tt] route-distinguisher 1000:1
[ATNB-vpn-instance-tt] quit
[ATNB] interface gigabitethernet0/2/0
[ATNB-GigabitEthernet0/2/0] undo shutdown
[ATNB-GigabitEthernet0/2/0] ip binding vpn-instance tt
[ATNB-GigabitEthernet0/2/0] ip address 1.1.1.2 24
[ATNB-GigabitEthernet0/2/0] quit
[ATNB] quit

Step 2 Configure the Telnet authentication mode and password on ATN B.


<ATNB> system-view
[ATNB] user-interface vty 0 4
[ATNB-ui-vty0-4] authentication-mode password
Please configure the login password (6-16)
Enter Password:
Confirm Password:
[ATNB-ui-vty0-4] quit

To configure Telnet terminal services based on the ACL, perform the following on ATN B.
[ATNB] acl 2000
[ATNB-acl-basic-2000] rule permit vpn-instance tt source 1.1.1.1 0
[ATNB-acl-basic-2000] quit
[ATNB] user-interface vty 0 4
[ATNB-ui-vty0-4] acl 2000 inbound


NOTE

Configuring Telnet terminal services based on the ACL is optional.

Step 3 Verify the configuration.


After the configuration is complete, you can log in to ATN B from ATN A through Telnet.
<ATNA> telnet 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Password:
Info: Authentication success,Welcome!
Note: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
<ATNB>

----End

Configuration Files
● ATN A configuration file

#
sysname ATNA
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return

● ATN B configuration file

#
sysname ATNB
#
ip vpn-instance tt
 route-distinguisher 1000:1
#
acl number 2000
 rule 5 permit vpn-instance tt source 1.1.1.1 0
#
interface GigabitEthernet0/2/0
 undo shutdown
 ip binding vpn-instance tt
 ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password cipher Hb(c;\@iU'@X,k6.E\Z,*.S#
#
return

Example for Using STelnet (RSA Authentication Mode) to Log In to the SSH Server
This section provides an example for logging in to another device by using STelnet. In this
example, the local key pairs are generated on the STelnet client and the SSH server, and the
public RSA key is generated on the SSH server and then bound to the STelnet client. In this
manner, the STelnet client can connect to the SSH server.

Networking Requirements
As shown in Figure 1-36, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, DSA, password-DSA,
ECC, password-ECC, or all authentication mode. In this example, the Huawei ATN functions
as an SSH server.
Two users, Client001 and Client002, are configured to log in to the SSH server in the password
and RSA authentication modes, respectively.
Figure 1-36 Networking diagram for using STelnet to log in to another device
[Figure: SSH Server (GE0/2/0, 10.10.1.1/16) connected to Client 001 and Client 002; the client interfaces are labelled GE0/2/0 10.10.2.2/16 and GE0/2/0 10.10.3.3/16.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.

2. Create a local RSA key pair on STelnet client Client002 and the SSH server, and bind client
Client002 to an RSA key to authenticate the client when the client attempts to log in to the
server.

3. Enable the STelnet service on the SSH server.

4. Set the service type of Client001 and Client002 to STelnet.

5. Enable first-time authentication on the SSH clients.

6. Users Client001 and Client002 can now log in to the SSH server through STelnet.

Data Preparation
To complete the configuration, you need the following data:
● Client001 with the password !QAZ@WSX3edc and authentication mode password

● Client002 with the public key RsaKey001 and authentication mode RSA

● IP address of the SSH server: 10.10.1.1.

Procedure
Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Create an SSH user on the server.


NOTE

The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-dsa,
ECC, password-ECC, and all.
● When the SSH user adopts the password, password-ECC, password-DSA, or password-RSA
authentication mode, configure a local user with the same name.
● When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
all authentication mode, the server should save the RSA or DSA or ECC public key for the SSH client.

# Configure the VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

● Create SSH user Client001.


# Configure password authentication for SSH user Client001.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Set the password of SSH user Client001 to !QAZ@WSX3edc.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher !QAZ@WSX3edc
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

● Create SSH user Client002.


# Configure RSA authentication for SSH user Client002.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key on the server.


# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.


[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:

3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Send the RSA public key generated on the client software to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind SSH user Client002 to the RSA public key of the SSH client.
[SSH Server] ssh user client002 assign rsa-key RsaKey001

Step 5 Enable the STelnet service on the SSH server.


# Enable the STelnet service.
[SSH Server] stelnet server enable

Step 6 Configure the STelnet service for SSH users Client001 and Client002.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet

Step 7 Connect the STelnet client to the SSH server.


# At the first login, enable first-time authentication on the SSH client.

Enable first-time authentication on Client001.


<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication on Client002.


<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect STelnet client Client001 to the SSH server in password authentication mode. Enter
the user name and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:

Enter the password !QAZ@WSX3edc. The login is complete.


Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

# Connect STelnet client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

Step 8 Verify the configuration.


After the configuration is complete, run the display ssh server status and display ssh server
session commands. The command outputs show that the STelnet service is enabled and the STelnet
clients are connected to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Disable
Stelnet server                     : Enable

# Display the connection of the SSH server.



[SSH Server] display ssh server session


Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : rsa

# Display information about the SSH user.


[SSH Server] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : rsa
User-public-key-name : RsaKey001
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No

----End

Configuration Files
SSH server configuration file


#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa


local-user client001 password cipher $1a$9zS'/]'y<:$My1[;/,aS>nhG{H7GaM+{4,O6Q8A~<75q"C}O0H
local-user client001 service-type ssh
local-user client001 state block fail-times 3 interval 5
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/2/0
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/2/0
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return

Example for Using STelnet (DSA Authentication Mode) to Log In to the SSH Server
This section provides an example for logging in to the SSH server using STelnet. In this example,
the local key pairs are generated on the STelnet client and secure shell (SSH) server, and the
digital signature algorithm (DSA) public key is generated on the SSH server and then bound to
the STelnet client. These configurations implement communication between the STelnet clients
and SSH server.

Networking Requirements
After the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH
server in any of the following authentication modes: password, RSA, password-RSA, DSA,
password-DSA, ECC, password-ECC, and all. In this example, the Huawei ATN functions as
an SSH server.

In Figure 1-37, two users, Client001 and Client002, are configured to use STelnet to log in to
the SSH server in password authentication mode and DSA authentication mode, respectively.
Figure 1-37 Networking diagram for STelnet login mode
[Figure: SSH Server (GE0/2/0, 10.10.1.1/16) connected to Client 001 (GE0/2/0, 10.10.2.2/16)
and Client 002 (GE0/2/0, 10.10.3.3/16)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in password authentication
   mode and DSA authentication mode, respectively.
2. Create a local DSA key pair on Client002 and the SSH server, and bind Client002 to the
   SSH client's DSA public key. These configurations implement authentication for the client
   that attempts to log in to the server.
3. Enable the STelnet service on the SSH server.
4. Set the service type of Client001 and Client002 to STelnet.
5. Enable first-time authentication on the SSH clients.
6. Use STelnet on Client001 and Client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:
• Client001 with the password %TGB6yhn7ujm and authentication mode password
• Client002 with the public key DsaKey001 and authentication mode DSA
• SSH server IP address: 10.10.1.1

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: ssh server_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:


Info: Generating keys...


Info: Succeeded in creating the DSA host keys.

Step 2 Create SSH users on the server.


NOTE

The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA,
ECC, password-ECC, and all.
• When the SSH user adopts the password, password-ECC, password-DSA, or password-RSA
authentication mode, configure a local user with the same name.
• When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
all authentication mode, the server should save the RSA, DSA, or ECC public key for the SSH client.

# Configure the VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create SSH user Client001.


# Create SSH user Client001 and configure the authentication mode as password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Set Client001's password to %TGB6yhn7ujm.


[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

• Create SSH user Client002.


# Create SSH user Client002 and configure the authentication mode as DSA.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa

Step 3 Configure the DSA public key on the server.


# Generate a local key pair on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: ssh server_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# View the DSA public key generated on Client002.


[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 10:14:48 2011/12/01
Key name    : client002_Host_DSA
Key modulus : 2048
Key type    : DSA encryption Key
=====================================================
Key code:
3081DC
0240

AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
A34004C1 B37824BB D3160595 702901CD 53F0EAE0
6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
C986329F
0240
9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E
717B2208 8F9C46F5 0F1875DE 013FFCD3 D4089356
EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A
958C4074

Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCdXKace9kkm7Tx10dw
e1wT65gKHnF7IgiPnEb1Dxh13gE//NPUCJNW7AbQrrJWpN1LQYE4dM69nBYSP3qV
jEB0
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biCkyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCdXKace9kkm7Tx10dwe1wT65gKHnF7IgiPnEb1Dxh13gE//NPUCJNW7AbQrrJWpN1LQYE4dM69nBYSP3qVjEB0

# Send the DSA public key generated on the client to the server.
[SSH Server] dsa peer-public-key DsaKey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 3081DC
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
[SSH Server-dsa-key-code] A34004C1 B37824BB D3160595 702901CD 53F0EAE0
[SSH Server-dsa-key-code] 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
[SSH Server-dsa-key-code] 87C63485
[SSH Server-dsa-key-code] 0214
[SSH Server-dsa-key-code] 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
[SSH Server-dsa-key-code] 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
[SSH Server-dsa-key-code] 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
[SSH Server-dsa-key-code] C986329F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E
[SSH Server-dsa-key-code] 717B2208 8F9C46F5 0F1875DE 013FFCD3 D4089356
[SSH Server-dsa-key-code] EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A
[SSH Server-dsa-key-code] 958C4074
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
[SSH Server]

Step 4 Bind Client002 to the SSH client's DSA public key.


[SSH Server] ssh user client002 assign dsa-key DsaKey001
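
The key code typed under public-key-code begin in Step 3 (here, and in the RSA example earlier on this page) is a SEQUENCE of INTEGERs, so it can be decoded off the device to confirm that the pasted lines match the client's OpenSSH-format key and to check the key size before the key is bound to a user. The following Python is an added example, not part of the Huawei guide; the 2048-bit floor and all function names are assumptions.

```python
import base64
import hashlib
import struct

# Key codes printed on this page (RSA client002_Host, DSA client002_Host_DSA),
# re-wrapped at eight words per line; the parser ignores whitespace.
RSA_KEY_CODE = """3047 0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203 010001"""
DSA_KEY_CODE = """3081DC 0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595
702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
0214 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
0240
9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E 717B2208 8F9C46F5 0F1875DE
013FFCD3 D4089356 EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A 958C4074"""
MIN_BITS = 2048  # assumed policy floor for the RSA modulus n / DSA prime p


def read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated key code")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def parse_key_code(text):
    """Return the INTEGER fields of the pasted SEQUENCE as unsigned ints.
    The samples on this page omit the leading 0x00 that strict DER puts before
    a value whose top bit is set, so every INTEGER is read as unsigned."""
    buf = bytes.fromhex("".join(text.split()))
    if not buf or buf[0] != 0x30:
        raise ValueError("key code must start with a SEQUENCE tag (30)")
    seq_len, pos = read_len(buf, 1)
    if pos + seq_len != len(buf):
        raise ValueError("SEQUENCE length mismatch: lines missing or duplicated")
    fields = []
    while pos < len(buf):
        if buf[pos] != 0x02:
            raise ValueError("expected INTEGER tag (02) at offset %d" % pos)
        size, pos = read_len(buf, pos + 1)
        if pos + size > len(buf):
            raise ValueError("INTEGER runs past the end of the key code")
        fields.append(int.from_bytes(buf[pos:pos + size], "big"))
        pos += size
    return fields


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    # bit_length // 8 + 1 bytes always leaves the sign bit clear, as mpint requires.
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def openssh_line(fields):
    """Build the authorized_keys form of the key held in the key code."""
    if len(fields) == 2:      # RSA: key code holds (n, e), SSH blob holds (e, n)
        name, values = b"ssh-rsa", [fields[1], fields[0]]
    elif len(fields) == 4:    # DSA: p, q, g, y in both encodings
        name, values = b"ssh-dss", fields
    else:
        raise ValueError("unrecognised key layout: %d integers" % len(fields))
    blob = ssh_string(name) + b"".join(ssh_mpint(v) for v in values)
    return name.decode() + " " + base64.b64encode(blob).decode()


def audit_key(key_code):
    """Decode one key code; report type, size, policy verdict and fingerprint."""
    fields = parse_key_code(key_code)
    line = openssh_line(fields)
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    bits = fields[0].bit_length()  # RSA modulus n or DSA prime p
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": line.split()[0], "bits": bits, "weak": bits < MIN_BITS,
            "openssh": line, "fingerprint": fingerprint}


if __name__ == "__main__":
    for label, code in (("client002_Host", RSA_KEY_CODE), ("client002_Host_DSA", DSA_KEY_CODE)):
        info = audit_key(code)
        print(label, info["type"], info["bits"], "WEAK" if info["weak"] else "ok", info["fingerprint"])
```

Both sample key codes printed on this page decode to 512 bits, so the check marks them weak. The ssh-rsa line derived from the RSA key code is identical to the one in the client's display output, which is the comparison to make after pasting a key on the server.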

Step 5 Enable the STelnet service on the SSH server.



# Enable the STelnet service.


[SSH Server] stelnet server enable

Step 6 Configure the STelnet service for Client001 and Client002.


[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet

Step 7 Connect the STelnet client to the SSH server.


# At the first login, enable first-time authentication on the SSH clients.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication on Client002.


<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect Client001 to the SSH server in password authentication mode. Enter the user name
and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:

Enter the password huawei. The command output shows that the login is complete.
Info: The max number of VTY users is 20, and the number of current VTY users on line
is 6. The current login time is 2010-09-06 11:42:42.
<SSH Server>

# Connect client002 to the SSH server in DSA authentication mode.


<client002> system-view
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Info: The max number of VTY users is 20, and the number of current VTY users on line
is 6. The current login time is 2010-09-06 11:42:42.
<SSH Server>

Step 8 Verify the configuration.


After the configuration is complete, run the display ssh server status and display ssh server
session commands. The command outputs show that the STelnet service is enabled and the
STelnet clients have logged in to the SSH server.
# View the SSH status.

[SSH Server] display ssh server status


SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Disable
Stelnet server                     : Enable

# View the connection of the SSH server.


[SSH Server] display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : dsa

# View information about the SSH users.


[SSH Server] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : dsa
User-public-key-name : DsaKey001
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No

----End
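
The outputs in Step 8 (the same in the RSA example earlier on this page, apart from the authentication type) list the protocol version the server advertises and the algorithms each login negotiated, which makes them a usable audit source. The following Python is an added example, not part of the Huawei guide; the rule set is an assumed baseline and the function names are hypothetical.

```python
import re

# Output of the two display commands in Step 8, as printed on this page.
STATUS_OUTPUT = """\
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Disable
Stelnet server                     : Enable
"""
SESSION_OUTPUT = """\
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : dsa
"""

# (fields, pattern, reason): an assumed baseline, to be adjusted to local policy.
RULES = [
    (("CTOS Cipher", "STOC Cipher"), re.compile(r"-cbc$|^arcfour"),
     "CBC-mode or legacy stream cipher"),
    (("CTOS Hmac", "STOC Hmac"), re.compile(r"md5|sha1-96$"),
     "MD5 or truncated SHA-1 MAC"),
    (("Kex",), re.compile(r"-sha1$"), "SHA-1 based key exchange"),
    (("Version",), re.compile(r"^1\."), "session negotiated SSH-1"),
]


def parse_fields(text):
    """Split 'Key : value' lines into records, one per 'Session N:' header.

    Lines before the first header (the status output has no header) are
    collected in record 0.
    """
    records = [{}]
    for line in text.splitlines():
        header = re.match(r"\s*Session\s+(\d+)\s*:\s*$", line)
        if header:
            records.append({"Session": header.group(1)})
        elif ":" in line:
            key, value = line.split(":", 1)
            records[-1][key.strip()] = value.strip()
    return records


def audit(status_text, session_text):
    """Return (scope, field, value, reason) tuples for every weak setting."""
    findings = []
    status = parse_fields(status_text)[0]
    # Protocol version 1.99 is how a server advertises SSH-1 compatibility.
    if status.get("SSH version") == "1.99":
        findings.append(("server", "SSH version", "1.99",
                         "server still accepts SSH-1 clients"))
    for record in parse_fields(session_text)[1:]:
        scope = "session %s (%s)" % (record["Session"], record.get("Username", "?"))
        for fields, pattern, reason in RULES:
            for field in fields:
                value = record.get(field, "")
                if pattern.search(value):
                    findings.append((scope, field, value, reason))
    return findings


if __name__ == "__main__":
    for scope, field, value, reason in audit(STATUS_OUTPUT, SESSION_OUTPUT):
        print("%-22s %-12s %-28s %s" % (scope, field, value, reason))
```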

Configuration Files
Configuration file of the SSH server


#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin


3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher $1a$tPJ:9op=TO$ggyaYR@nY>"NbzP%N`$3M~Gz@ls$KN)mWYXahwu
local-user client001 service-type ssh
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key DsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return

Example for Using TFTP to Access Files on Another Device


In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. Then, you can upload and download files.


Networking Requirements
As shown in Figure 1-38, the IP address of the TFTP server is 10.111.16.160/24.
Figure 1-38 Networking diagram for using TFTP to access files on another device

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the ATN to download the file.
3. Use the TFTP command on the ATN to upload the file.

Data Preparation
To complete the configuration, you need the following data:
• The TFTP application installed on the TFTP server
• The path of the file on the TFTP server
• The destination file name and its path on the ATN

Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the
V200R003C00.cc file resides. Figure 1-39 shows the interface.


Figure 1-39 Setting the base directory of the TFTP server

NOTE

The display may be different depending on which TFTP server application is run on the computer.

Step 2 Log in to the ATN from computer HyperTerminal and enter the following command to download
the file.
<HUAWEI> tftp 10.111.16.160 get V200R003C00.cc cfcard:/V200R003C00.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the ATN.
<HUAWEI> dir cfcard:
Directory of cfcard:/
Idx  Attr  Size(Byte)  Date         Time      FileName
1    -rw-          40  Jun 24 2006  09:30:40  private-data.txt
2    -rw-         396  May 19 2006  15:00:10  rsahostkey.dat
3    -rw-         540  May 19 2006  15:00:10  rsaserverkey.dat
4    -rw-        2718  Jun 21 2006  17:46:46  1.cfg
5    -rw-       14343  May 19 2006  15:00:10  paf.txt
6    -rw-        1004  Feb 05 2001  09:51:22  vrp1.zip
7    -rw-        6247  May 19 2006  15:00:10  license.txt
8    -rw-       14343  May 16 2006  14:13:42  paf.txt.bak
9    -rw-    86235884  Feb 05 2001  10:23:46  V200R003C00.cc

Step 4 Log in to the ATN from computer HyperTerminal and enter the following command to upload
the file.
<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.

----End

Example for Configuring Access to the TFTP Server on the Public Network When
the Management VPN Instance Is Used
This section provides an example for configuring access to the TFTP server on the public network
when the management VPN instance is used. In this example, after you log in to an ATN
configured with the management VPN instance, you can download files from the TFTP server
on the public network.

Networking Requirements
As shown in Figure 1-40, a management VPN instance is configured on the ATN. Users use
the VPN instance to access the FTP server from the ATN. To enable the client to access the
TFTP server on the public network, connect the ATN to the TFTP server on the public network.
Log in to the ATN from the HyperTerminal and then download the file V200R003C00.cc from
the TFTP server.
Figure 1-40 Networking diagram of configuring access to the TFTP server on the public network
when the management VPN instance is used

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the ATN to download the file.
3. Use the TFTP command on the ATN to upload the file.

Data Preparation
To complete the configuration, you need the following data:
• The TFTP application installed on the TFTP server
• The path of the file on the TFTP server
• The destination file name and its path on the ATN


Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the
V200R003C00.cc file resides. Figure 1-41 shows the interface.
Figure 1-41 Setting the base directory of the TFTP server

NOTE

The display may be different depending on which TFTP server application is run on the computer.

Step 2 Log in to the ATN from computer HyperTerminal and enter the following command to download
the file.
<HUAWEI> tftp 10.111.16.160 public-net get V200R003C00.cc cfcard:/V200R003C00.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the ATN.
<HUAWEI> dir cfcard:
Directory of cfcard:/
Idx  Attr  Size(Byte)  Date         Time      FileName
1    -rw-          40  Jun 24 2006  09:30:40  private-data.txt
2    -rw-         396  May 19 2006  15:00:10  rsahostkey.dat
3    -rw-         540  May 19 2006  15:00:10  rsaserverkey.dat
4    -rw-        2718  Jun 21 2006  17:46:46  1.cfg
5    -rw-       14343  May 19 2006  15:00:10  paf.txt
6    -rw-        1004  Feb 05 2001  09:51:22  vrp1.zip
7    -rw-        6247  May 19 2006  15:00:10  license.txt
8    -rw-       14343  May 16 2006  14:13:42  paf.txt.bak
9    -rw-    86235884  Feb 05 2001  10:23:46  V200R003C00.cc

Step 4 Log in to the ATN from computer HyperTerminal and enter the following command to upload
the file.

<HUAWEI> tftp 10.111.16.160 public-net put cfcard:/vrpcfg.zip


Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.

----End

Configuration Files
None.

Example for Using FTP to Access Files on Another Device


This section provides an example for using FTP to access files on another device. In this example,
a user logs in to the FTP server from the ATN to download system software and configuration
software from the FTP server.

Networking Requirements
As shown in Figure 1-42, the route between ATN A that functions as the FTP client and the
FTP server is reachable. A user needs to download system software and configuration software
from the FTP server. The Huawei ATN functions as an FTP server.
Figure 1-42 Networking diagram for using FTP to access files on another device

[Figure: ATN A (GE0/2/0, 2.1.1.1/24) connected through the network to the FTP Server
(GE0/2/0, 1.1.1.1/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password for an FTP user to log in to the FTP server.
2. Enable the FTP server on the ATN.
3. Run login commands to log in to the FTP server.
4. Configure the file transmission mode and directories for the client before downloading
   required files from the FTP server.

Data Preparation
To complete the configuration, you need the following data:
• User name: huawei and password: !QAZ@WSX3edc
• IP address of the FTP server: 1.1.1.1
• Target file and its location on ATN A


Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher !QAZ@WSX3edc
[HUAWEI-aaa] local-user huawei service-type ftp
[HUAWEI-aaa] local-user huawei ftp-directory cfcard:
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit

Step 2 Enable the FTP server.


[HUAWEI] ftp server enable

Step 3 Log in to the FTP server from ATN A.


<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

Step 4 On ATN A, configure the binary format as the file transfer mode and flash:/ as the working
directory.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.

Step 5 On ATN A, download the latest system software from the remote FTP server.
[ftp] get V200R003C00.cc
200 Port command okay.
150 Opening ASCII mode data connection for V200R003C00.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

You can run the dir command to check whether the required file is downloaded to the client.
----End

Configuration Files
Configuration file on the FTP server


#
ftp server enable
#
aaa
local-user huawei password cipher $1a$9zS'/]'y<:$My1[;/,aS>nhG{H7GaM+{4,O6Q8A~<75q"C}O0H
local-user huawei service-type ftp
local-user huawei state block fail-times 3 interval 5
local-user huawei ftp-directory cfcard:
local-user huawei level 3
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 1.1.1.1 255.255.255.0


#
return

Configuration file on the FTP client


#
interface GigabitEthernet0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
return

Example for Configuring Access to the FTP Server on the Public Network When
the Management VPN Instance Is Used
This section provides an example for configuring access to the FTP server on the public network
when the management VPN instance is used. In this example, after you log in to an ATN
configured with the management VPN instance, you can download files from the FTP server on
the public network.

Networking Requirements
As shown in Figure 1-43, a management VPN instance is configured on ATN A. Users use the
VPN instance to access the FTP server. To enable ATN A to access the FTP server on the public
network, you need to connect the ATN to the FTP server on the public network.
The route between ATN that functions as the FTP client and the FTP server is reachable. A user
needs to download system software and configuration software from the FTP server on the public
network.
Figure 1-43 Networking diagram of configuring access to the FTP server on the public network
when the management VPN instance is used

[Figure: ATN A (GE0/2/0, 2.1.1.1/24) connected through the network to the FTP Server
(GE0/2/0, 1.1.1.1/24)]

Configuration Roadmap
1. Log in to the FTP server from the FTP client on the public network.
2. Download the system files from the server to the storage devices on the client side.

Data Preparation
To complete the configuration, you need the following data:
• IP address of the FTP server: 1.1.1.1
• User name: huawei and password: huawei
• The destination file name and its position in the ATN

Procedure
Step 1 Log in to the FTP server from the ATN.
<HUAWEI> ftp 1.1.1.1 public-net
Trying 1.1.1.1
Press CTRL+K to abort
Connected to 1.1.1.1
220 FTP service ready.
User(ftp 1.1.1.1:(none)):huawei
331 Password required for huawei
Password:
230 User logged in.

Step 2 Set the transmission mode to binary and set the local directory to the cfcard memory on
the ATN.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.

Step 3 Download the newest system software from the remote FTP server on the ATN.
[ftp] get V200R003C00.cc
200 Port command okay.
150 Opening ASCII mode data connection for V200R003C00.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

----End

Configuration Files
None.

Example for Using SFTP (RSA Authentication Mode) to Access Files on Another
Device
In this example, local key pairs are generated on the SFTP client and the SSH server, and the
RSA public key is generated on the SSH server, which binds the RSA public key to the SFTP
client. In this manner, the SFTP client can connect to the SSH server.

Networking Requirements
As shown in Figure 1-44, after the SFTP service is enabled on the SSH server, the SFTP client
can log in to the SSH server with the password, RSA, password-RSA, DSA, password-DSA,
ECC, password-ECC, or all authentication. In this example, the Huawei ATN functions as an
SSH server.
Two users, client001 and client002, are configured to log in to the SSH server in password and
RSA authentication modes, respectively.

Figure 1-44 Networking diagram for accessing files on another device by using SFTP
[Figure: SSH Server (GE0/2/0, 10.10.1.1/16) connected to Client 001 (GE0/2/0, 10.10.2.2/16) and Client 002 (GE0/2/0, 10.10.3.3/16).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication
   modes.
2. Create a local RSA key pair on SFTP client Client002 and the SSH server, and bind client
   Client002 to an RSA key to authenticate the client when the client attempts to log in to the
   server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Client001 and Client002 log in to the SSH server by using SFTP to access files on the
   server.

Data Preparation
To complete the configuration, you need the following data:
• Client001 password: %TGB6yhn7ujm. Adopt password authentication.
• Client002: adopt RSA authentication and assign public key RsaKey001 to Client002.
• IP address of the SSH server: 10.10.1.1.

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.........++++++++
......................++++++++

......................+++++++++
.....+++++++++

Step 2 Create an SSH user on the server.


NOTE

The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA,
ECC, password-ECC, and all.
• When the SSH user adopts the password, password-ECC, password-DSA, or password-RSA
  authentication mode, configure a local user with the same name.
• When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
  all authentication mode, the server should save the RSA, DSA, or ECC public key for the SSH client.

# Configure the VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create SSH user Client001.


# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Set the password of SSH user Client001 to %TGB6yhn7ujm.


[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher $1a$9zS'/]'y<:$My1
[;/,aS>nhG{H7GaM+{4,O6Q
8A~<75q"C}O0H
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

• Create SSH user Client002.


# Create an SSH user with user name Client002 and RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the public RSA key of the server.


# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.


[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:

---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]

# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind the SSH client's RSA public key to SSH user Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001

Step 5 Enable the SFTP service on the SSH server.

# Enable the SFTP service.
[SSH Server] sftp server enable

Step 6 Configure the service type and authorized directory of the SSH user.
Two SSH users are configured on the SSH server: Client001 and Client002. The password
authentication mode is configured for Client001 and the RSA authentication mode is configured
for Client002.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect the SFTP client to the SSH server.

# For the first login, enable first-time authentication on the SSH client.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication on Client002.


<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect SFTP client Client001 to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.10.1.1. Please wait.
..
Enter password:
sftp-client>

# Connect SFTP client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1. Please wait.
..
sftp-client>

Step 8 Verify the configuration.


After the configuration, run the display ssh server status and display ssh server session
commands. The output shows that the SFTP service is enabled and the SFTP clients are connected
to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
Stelnet server: Disable

# Display the connection of the SSH server.


[SSH Server] display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : password
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa

# Display information about the SSH user.


[SSH Server] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name :
Sftp-directory : cfcard:
Service-type : sftp
Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : rsa
User-public-key-name : RsaKey001
Sftp-directory : cfcard:
Service-type : sftp
Authorization-cmd : No

----End

Configuration Files
• SSH server configuration file


#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %TGB6yhn7ujm
local-user client001 service-type ssh
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa

ssh user client002 assign rsa-key RsaKey001


ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory cfcard:.
ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

• Configuration file of Client001 on the SSH client


#
sysname client001
#
interface GigabitEthernet0/2/0
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

• Configuration file of Client002 on the SSH client


#
sysname client002
#
interface GigabitEthernet0/2/0
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
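
The key code displayed in Step 3 and stored under rsa peer-public-key is a DER SEQUENCE of two INTEGERs (modulus, then public exponent), so the 0240 line in it marks a 64-byte (512-bit) modulus. The following Python code is an added example, not part of the Huawei guide: it pulls every rsa peer-public-key block out of a configuration file or a pasted CLI session and reports the modulus size. The 2048-bit floor, the function names and the sample key are assumptions constructed for illustration.

```python
import re

MIN_RSA_BITS = 2048  # assumed policy floor, not a value taken from the guide

# Constructed sample in the layout of the server configuration file above.
# The modulus bytes are a made-up pattern, not a real key.
SAMPLE_CONFIG = """\
#
rsa peer-public-key ExampleKey512
public-key-code begin
3047
0240
C0FFEE01 00000002 00000003 00000004 00000005
00000006 00000007 00000008 00000009 0000000A
0000000B 0000000C 0000000D 0000000E 0000000F
00000011
0203
010001
public-key-code end
peer-public-key end
#
"""

PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")  # e.g. "[SSH Server-rsa-key-code] "
HEX_LINE = re.compile(r"[0-9A-Fa-f ]+")


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the key code")
    return tag, buf[pos:end], end


def parse_rsa_key_code(text):
    """Parse key-code hex (any line layout) into modulus bits and exponent."""
    der = bytes.fromhex("".join(text.split()))  # ValueError on non-hex input
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(body, 0)
    tag_e, e_bytes, pos = read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    # The key code is read as unsigned, so a missing or present leading 00 is fine.
    modulus = int.from_bytes(n_bytes, "big")
    return {"bits": modulus.bit_length(),
            "exponent": int.from_bytes(e_bytes, "big")}


def extract_rsa_peer_keys(text):
    """Map peer key name -> key-code hex from a config file or CLI transcript."""
    keys, name, collecting, chunks = {}, None, False, []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        match = re.match(r"rsa peer-public-key (\S+)", line)
        if match:
            name = match.group(1)
        elif line == "public-key-code begin":
            collecting, chunks = True, []
        elif line == "public-key-code end":
            if name is not None:
                keys[name] = " ".join(chunks)
            collecting = False
        elif collecting and HEX_LINE.fullmatch(line):
            chunks.append(line)  # CLI info lines inside the block are skipped
    return keys


def audit_rsa_peer_keys(text, min_bits=MIN_RSA_BITS):
    """Return [(key name, modulus bits, meets_floor)] for every peer key found."""
    results = []
    for name, code in extract_rsa_peer_keys(text).items():
        bits = parse_rsa_key_code(code)["bits"]
        results.append((name, bits, bits >= min_bits))
    return results


if __name__ == "__main__":
    for name, bits, ok in audit_rsa_peer_keys(SAMPLE_CONFIG):
        print(f"{name}: {bits}-bit modulus, {'ok' if ok else 'below floor'}")
```
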

Example for Using SFTP (DSA Authentication Mode) to Log In to the SSH Server
This section provides an example for using SFTP to log in to the secure shell (SSH) server. In
this example, the local key pairs are generated on the SFTP client and SSH server, and the public
DSA key is generated on the SSH server and bound to the SFTP client. These configurations
establish a connection between the SFTP client and SSH server.

Networking Requirements
In Figure 1-45, after the SFTP service is enabled on the SSH server, the SFTP client can log in
to the SSH server in any of the following authentication modes: password, RSA, password-RSA,
DSA, password-DSA, ECC, password-ECC, and all. In this example, the Huawei ATN functions
as an SSH server.
Two users client001 and client002 are configured to log in to the SSH server in password
authentication mode and DSA authentication mode, respectively.

Figure 1-45 Networking diagram for using SFTP to access files on other devices
[Figure: SSH Server (GE0/2/0, 10.10.1.1/16) connected to Client 001 (GE0/2/0, 10.10.2.2/16) and Client 002 (GE0/2/0, 10.10.3.3/16).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication
   modes.
2. Create a local DSA key pair on client002 and the SSH server, and bind client002 to the
   SSH client's DSA public key. These configurations implement authentication for the client
   that attempts to log in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use client001 and client002 to log in to the SSH server. Then use SFTP to access files on
   the server.

Data Preparation
To complete the configuration, you need the following data:
• Client001 with the password %TGB6yhn7ujm and authentication mode password
• Client002 with the public key DsaKey001 and authentication mode DSA
• Directory to which SSH users are allowed access: flash
• SSH server IP address: 10.10.1.1

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Warning: Do you want to replace it ?[Y/N]: y
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

Step 2 Create SSH users on the server.


NOTE

The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA,
ECC, password-ECC, and all.
• When the SSH user adopts the password, password-ECC, password-DSA, or password-RSA
  authentication mode, configure a local user with the same name.
• When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
  all authentication mode, the server should save the RSA, DSA, or ECC public key for the SSH client.

# Configure the VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] user privilege level 3
[SSH Server-ui-vty0-4] quit

• Create SSH user Client001.


# Create SSH user Client001 and configure the authentication mode as password.
[SSH Server] ssh user client001
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client001 authentication-type password

# Set client001's password to %TGB6yhn7ujm.


[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 level 15
[SSH Server-aaa] quit

• Create SSH user Client002.


# Create SSH user Client002 and configure the authentication mode as DSA.
[SSH Server] ssh user client002
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client002 authentication-type dsa

Step 3 Configure the DSA public key on the server.


# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 19:05:37 2012/7/12
Key name : client002_Host_DSA
Key modulus : 2048
Key type : DSA encryption Key
=====================================================
Key code:
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
A34004C1 B37824BB D3160595 702901CD 53F0EAE0
6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
C986329F
0240
A40A1B4E 7176FF2C 72052269 15A538DA F085C88C
51475F29 CC3D1E63 83FB4193 93AFE905 65FDA2C7
D8A1B55A 15ECC7F7 A0D78921 BDF53C84 7CCBF47B
E5FC773C

Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCkChtOcXb/LHIFImkV
pTja8IXIjFFHXynMPR5jg/tBk5Ov6QVl/aLH2KG1WhXsx/eg14khvfU8hHzL9Hvl
/Hc8
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw
6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biCkyrIhQirfIE/AAAAQQCR/w8s
kZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKf
AAAAQQCkChtOcXb/LHIFImkVpTja8IXIjFFHXynMPR5jg/tBk5Ov6QVl/aLH2KG1WhXsx/eg14khvfU8
hHzL9Hvl/Hc8 dsa-key

# Send the DSA public key generated on the client to the server.
[SSH Server] dsa peer-public-key DsaKey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 3081DC
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
[SSH Server-dsa-key-code] A34004C1 B37824BB D3160595 702901CD 53F0EAE0
[SSH Server-dsa-key-code] 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
[SSH Server-dsa-key-code] 87C63485
[SSH Server-dsa-key-code] 0214
[SSH Server-dsa-key-code] 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
[SSH Server-dsa-key-code] 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
[SSH Server-dsa-key-code] 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
[SSH Server-dsa-key-code] C986329F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02
[SSH Server-dsa-key-code] 9023CCF9 0C82B474 2A9D8445 5004779F 18853E9F
[SSH Server-dsa-key-code] 0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1
[SSH Server-dsa-key-code] B442C340
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
[SSH Server]

Step 4 Bind client002 to the SSH client's DSA public key.


[SSH Server] ssh user client002 assign dsa-key DsaKey001

Step 5 Enable the SFTP service on the SSH server.


# Enable the SFTP service.
[SSH Server] sftp server enable

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in DSA authentication mode.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client002 service-type sftp

Step 7 Connect the SFTP client to the SSH server.


# At the first login, enable first-time authentication on the SSH clients.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication on client002.


[client002] ssh client first-time enable

# Connect Client001 to the SSH server in password authentication mode.


[client001] sftp 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
sftp-client>

# Connect client002 to the SSH server in DSA authentication mode.


Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>

Step 8 Verify the configuration.


After the configuration is complete, run the display ssh server status and display ssh server
session commands. The command outputs show that the SFTP service is enabled and the SFTP
clients have logged in to the SSH server.
# View the SSH status.
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH authentication retries : 3 times
SFTP server : Enable
Stelnet server : Disable
Scp server : Disable
SSH server source : 0.0.0.0

# View the connection of the SSH server.


[SSH Server] display ssh server session


Session 1:
Conn : VTY 0
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : sftp
Authentication Type : dsa
Session 2:
Conn : VTY 1
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : sftp
Authentication Type : password

# View information about the SSH users.


[SSH Server] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name :
User-public-key-type :
Service-type : sftp
Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : dsa
User-public-key-name : DsaKey001
User-public-key-type : dsa
Service-type : sftp
Authorization-cmd : No

----End

Configuration Files
• SSH server configuration file


#
sysname SSH Server
#
dsa peer-public-key DsaKey001 encoding-type der
public-key-code begin
3081DC
0240

AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595


702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
0240
77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02 9023CCF9 0C82B474 2A9D8445
5004779F 18853E9F 0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1 B442C340
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher $1a$tPJ:9op=TO$ggyaYR@nY>"NbzP%N`
$3M~Gz@l
s$KN)mWYXahwu
local-user client001 service-type ssh
local-user client001 level 15
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key DsaKey001
ssh user client002 service-type sftp

#
return

• Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

• Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
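
The display ssh server session output in Step 8 records what each login actually negotiated (aes128-cbc, hmac-sha1-96, diffie-hellman-group1-sha1), so the same command can serve as a check for legacy SSH algorithms still in use. The following Python code is an added example, not part of the Huawei guide: it parses that output and lists the sessions whose negotiated algorithms match an assumed local legacy policy. The policy rules, function names and sample output are constructed for illustration.

```python
import re

# Constructed sample in the "Label : value" layout of display ssh server session.
# userA repeats the algorithm names shown in the guide's output; userB is made up.
SAMPLE_OUTPUT = """\
[SSH Server] display ssh server session
Session 1:
Conn : VTY 0
Version : 2.0
Username : userA
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : password
Session 2:
Conn : VTY 1
Version : 2.0
Username : userB
CTOS Cipher : aes128-ctr
STOC Cipher : aes128-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
Kex : diffie-hellman-group-exchange-sha256
Service Type : sftp
Authentication Type : rsa
"""


def parse_sessions(output):
    """Split the command output into one {label: value} dict per session."""
    sessions, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if re.fullmatch(r"Session \d+:", line):
            current = {}
            sessions.append(current)
        elif current is not None and ":" in line:
            label, value = line.split(":", 1)
            current[label.strip()] = value.strip()
    return sessions


def classify(label, value):
    """Return a reason if the value matches the assumed legacy policy, else None."""
    if label.endswith("Cipher") and value.endswith("-cbc"):
        return "CBC-mode cipher"
    if label.endswith("Hmac") and (value.endswith("-96") or "md5" in value):
        return "truncated or MD5-based MAC"
    if label == "Kex" and value.endswith("group1-sha1"):
        return "1024-bit DH group with SHA-1"
    if label == "Version" and not value.startswith("2"):
        return "SSH protocol version 1"
    return None


def audit_sessions(output):
    """Return [(conn, username, [(label, value, reason), ...])] per session."""
    report = []
    for session in parse_sessions(output):
        findings = []
        for label, value in session.items():
            reason = classify(label, value)
            if reason:
                findings.append((label, value, reason))
        report.append((session.get("Conn", "?"),
                       session.get("Username", "?"), findings))
    return report


def sessions_with_legacy_algorithms(output):
    """Usernames of sessions that negotiated at least one flagged algorithm."""
    return [user for _, user, findings in audit_sessions(output) if findings]


if __name__ == "__main__":
    for conn, user, findings in audit_sessions(SAMPLE_OUTPUT):
        print(f"{conn} {user}: {'clean' if not findings else ''}")
        for label, value, reason in findings:
            print(f"  {label} = {value} ({reason})")
```
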

Example for Configuring Access to the SFTP Server on the Public Network When
the Management VPN Instance Is Used
This section provides an example for configuring access to the SFTP server on the public network
when the management VPN instance is used. In this example, after you generate the local key
pair on the SFTP client and SSH server, generate the RSA public key on the SSH server, and
bind the RSA public key to the client, you can connect the SFTP client to the SFTP server on
the public network when you use the management VPN instance.

Networking Requirements
As shown in Figure 1-46, a management VPN instance is configured for Client001 and
Client002. Users use the VPN instance to access the FTP server. To enable the client to access
the SFTP server on the public network, you need to connect the ATN to the SFTP server on the
public network.
The Huawei ATN functions as an SSH server. Two users Client001 and Client002 are configured
to log in to the SSH server in the password and RSA authentication modes, respectively.
Figure 1-46 Networking diagram for configuring access to the SFTP server on the public
network when the management VPN instance is used
[Figure: SSH Server (GE0/2/0, 10.10.1.1/16) connected to Client 001 and Client 002, whose interfaces are labelled GE0/2/0 10.10.2.2/16 and GE0/2/0 10.10.3.3/16.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication
   modes.
2. Create a local RSA key pair on SFTP client Client002 and the SSH server, and bind client
   Client002 to an RSA key to authenticate the client when the client attempts to log in to the
   server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Configure Client001 and Client002 to log in to the SSH server on the public network
   through SFTP.

Data Preparation
To complete the configuration, you need the following data:
• Client001 with the password %TGB6yhn7ujm and authentication mode password
• Client002 with the public key RsaKey001 and authentication mode RSA
• IP address of the SSH server: 10.10.1.1.

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++

Step 2 Create an SSH user on the server.


NOTE

The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA,
ECC, password-ECC, and all.
• When the SSH user adopts the password, password-ECC, password-DSA, or password-RSA
  authentication mode, configure a local user with the same name.
• When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
  all authentication mode, the server should save the RSA, DSA, or ECC public key for the SSH client.

# Configure the VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create SSH user Client001.


# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Set the password of SSH user Client001 to %TGB6yhn7ujm.


[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

• Create SSH user Client002.


# Create an SSH user with user name Client002 and RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key on the server.


# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.


[client002] display rsa local-key-pair public


=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]

# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind the RSA public key of the SSH client to Client002 of the SSH user.
[SSH Server] ssh user client002 assign rsa-key RsaKey001

Step 5 Enable the STelnet service on the SSH server.


# Enable the STelnet service.
[SSH Server] sftp server enable

Step 6 Configure the service type and authorized directory for the SSH users.

Two SSH users are configured on the SSH server: Client001 and Client002. The password
authentication mode is configured for Client001 and the RSA authentication mode is configured
for Client002.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect the STelnet client to the SSH server.


# At the first login, you need to enable the first authentication on the SSH client.
Enable the first authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable the first authentication on Client002.


<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect STelnet client Client001 to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.10.1.1 public-net
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
Enter password:
sftp-client>

# Connect STelnet client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.10.1.1 public-net
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
sftp-client>

Step 8 Verify the configuration.


After the configuration, run the display ssh server status and display ssh server session
commands. You can view that the STelnet service is enabled and the SFTP client is connected
to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Disable

# Display the connection of the SSH server.


[SSH Server] display ssh server session
Session 1:
Conn                 : VTY 3
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : sftp
Authentication Type  : password
Session 2:
Conn                 : VTY 4
Version              : 2.0
State                : started
Username             : client002
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : sftp
Authentication Type  : rsa

# Display information about the SSH user.


[SSH Server] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       : cfcard:
Service-type         : sftp
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : rsa
User-public-key-name : RsaKey001
Sftp-directory       : cfcard:
Service-type         : sftp
Authorization-cmd    : No

----End

Configuration Files
l SSH server configuration file


#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher $1a$9zS'/]'y<:$My1[;/,aS>nhG{H7GaM
+{4,O6Q
8A~<75q"C}O0H

local-user client001 service-type ssh


#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory cfcard:.
ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/2/0
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/2/0
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
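
The key code printed by display rsa local-key-pair public in Step 3 is a hex dump of an ASN.1 RSAPublicKey structure, so the modulus size and the OpenSSH form can be recomputed offline to confirm that the key entered under rsa peer-public-key is the one the client generated. The Python sketch below is an added example, not part of the Huawei guide; the function names and the 2048-bit policy threshold are assumptions, and the key codes are the ones printed in this example.

```python
import base64
import hashlib
import struct

# Key codes copied from this page, in the hex layout the device prints.
CLIENT002_HOST = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""
CLIENT002_SERVER = """
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
"""
# rsa peer-public-key rsakey001 as listed in the SSH server configuration file.
CONFIG_RSAKEY001 = """
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
"""
MIN_BITS = 2048  # assumed local policy threshold, not a value from the page


def read_tlv(buf, pos, tag):
    """Return (content, next_pos) for the DER element with the given tag at pos."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count not in (1, 2) or pos + count > len(buf):
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("key code is truncated")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Decode a 'Key code:' dump (SEQUENCE { modulus, exponent }) into (n, e)."""
    der = bytes.fromhex("".join(text.split()))
    seq, end = read_tlv(der, 0, 0x30)
    modulus, pos = read_tlv(seq, 0, 0x02)
    exponent, pos = read_tlv(seq, pos, 0x02)
    if end != len(der) or pos != len(seq):
        raise ValueError("unexpected trailing bytes")
    # Read as unsigned: the dump starts the modulus with 0xBF and carries no
    # 0x00 sign byte, which a strict DER decoder would read as a negative number.
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")


def mpint(value):
    """SSH mpint: length-prefixed big-endian bytes, 0x00-padded if the top bit is set."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def openssh_blob(n, e):
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + mpint(e) + mpint(n)


def openssh_line(n, e, comment="rsa-key"):
    return "ssh-rsa %s %s" % (base64.b64encode(openssh_blob(n, e)).decode(), comment)


def fingerprint(n, e):
    digest = hashlib.sha256(openssh_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(name, key_code, min_bits=MIN_BITS):
    n, e = parse_key_code(key_code)
    return {"name": name, "bits": n.bit_length(), "exponent": e,
            "fingerprint": fingerprint(n, e), "below_policy": n.bit_length() < min_bits}


def same_key(code_a, code_b):
    return parse_key_code(code_a) == parse_key_code(code_b)


if __name__ == "__main__":
    for name, code in (("client002_Host", CLIENT002_HOST),
                       ("client002_Server", CLIENT002_SERVER),
                       ("config rsakey001", CONFIG_RSAKEY001)):
        print(audit(name, code))
    print(openssh_line(*parse_key_code(CLIENT002_HOST)))
    print("config key == client002_Host:", same_key(CONFIG_RSAKEY001, CLIENT002_HOST))
```

Run against the values in this example, it reports a 512-bit modulus for client002_Host and 768 bits for client002_Server, and it shows that the rsakey001 key code in the configuration file differs from the key code entered in Step 3.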

Example for Accessing the SSH Server Through Other Ports


This section provides an example for accessing the SSH server through other port numbers. In
this example, the monitoring port number of the SSH server is set to a port number other than
the standard monitoring port number so that only valid users can set up connections with the
SSH server.

Networking Requirements
The standard monitored port number of the SSH protocol is 22. Frequent malicious access to
the standard port consumes bandwidth and affects the performance of the server, and therefore,
other users cannot access the standard port.
After the number of the port monitored by the SSH server is set to another port number, the
attacker does not know the new monitored port number and keeps sending socket connection
requests to standard port 22. When the SSH detects that the port number in the connection
requests is not the number of the monitored port, the SSH does not set up the socket connection.

Therefore, only the valid user can set up the socket connection through the non-standard
monitored port set by the SSH server, and only the valid user can negotiate the SSH version
number, negotiate the algorithm, generate the session key, authenticate the server, send a session
request, and perform the interactive session.
The ATN functions as an SSH server. Client Client001 is configured to use STelnet in password
authentication mode to log in to the SSH server and client Client002 is configured to use SFTP
in RSA authentication mode to log in to the SSH server.
Figure 1-47 Networking diagram for accessing the SSH server through other port numbers
(Diagram: SSH Server, GE0/2/0, 10.10.1.1/16; Client 001, GE0/2/0, 10.10.2.2/16; Client 002, GE0/2/0, 10.10.3.3/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
2. Create a local RSA key pair on STelnet client Client002 and the SSH server, and bind client
Client002 to an RSA key to authenticate the client when the client attempts to log in to the
server.
3. Enable STelnet and SFTP services on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Configure the listening port number for the SSH server so that the client can access the
server through other port numbers.
6. Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.

Data Preparation
To complete the configuration, you need the following data:
l Client001 with the password %TGB6yhn7ujm and authentication mode password
l Client002 with the public key RsaKey001 and authentication mode RSA
l IP address of the SSH server: 10.10.1.1.
l Number of the port monitored by the SSH server: 1025.


Procedure
Step 1 On the client, generate a local key pair.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure the RSA public key on the server.


# Generate a local key pair of client on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.


[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001

# Send the RSA public key generated on the client to the server.

[SSH Server] rsa peer-public-key RsaKey001


Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 3 Create an SSH user on the server.


NOTE

The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-dsa,
ECC, password-ECC, and all.
l When the SSH user adopts the password, password-ECC, password-DSA, or password-RSA
authentication mode, configure a local user with the same name.
l When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
all authentication mode, the server should save the RSA or DSA or ECC public key for the SSH client.

# Configure the VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

l Create Client001 for the SSH user.


# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Set %TGB6yhn7ujm as the password for SSH user Client001.


[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher $1a$9zS'/]'y<:$My1
[;/,aS>nhG{H7GaM+{4,O6Q
8A~<75q"C}O0H
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

# Configure Client001 with service type of STelnet.


[SSH Server] ssh user client001 service-type stelnet

l Create Client002 for the SSH user.


Create an SSH user with the name Client002 and RSA authentication, and bind it to the RSA
public key of the SSH client.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh user client002 assign rsa-key RsaKey001

# Configure the service type of Client002 as SFTP and the authorization directory.
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:

Step 4 Enable the STelnet service and the SFTP service on the SSH server.
# Enable the STelnet service and the SFTP service.
[SSH Server] stelnet server enable
[SSH Server] sftp server enable

Step 5 Configure a new number for the port monitored by the SSH server.
[SSH Server] ssh server port 1025

Step 6 Connect the STelnet client to the SSH server.


# At the first login, you need to enable the first authentication on the SSH client.
Enable the first authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable the first authentication on Client002.


<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect the STelnet client to the SSH server through the new port number.
[client001] stelnet 10.10.1.1 1025
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:

Enter the password Huawei and view the following:


Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<SSH Server>

# Connect the SFTP client to the SSH server through the new port number.
[client002] sftp 10.10.1.1 1025
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>

Step 7 Verify the configuration.


The attacker fails to log in to the SSH server through port 22.
[client002] sftp 10.10.1.1
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.

After the configuration, run the display ssh server status and display ssh server session
commands. You can view the number of the port monitored by the SSH server and that the
STelnet client or SFTP client is connected to the SSH server.
# Display the SSH status.

[SSH Server] display ssh server status


SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025

# Display the connection of the SSH server.


[SSH Server] display ssh server session
Session 1:
Conn                 : VTY 3
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : stelnet
Authentication Type  : password
Session 2:
Conn                 : VTY 4
Version              : 2.0
State                : started
Username             : client002
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : sftp
Authentication Type  : rsa

----End
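
Changing the listening port does not change what the server negotiates, so the fields printed by display ssh server status and display ssh server session in Step 7 are worth checking against an algorithm policy. The following Python sketch is an added example, not part of the Huawei guide; the policy tables and function names are assumptions, and the sample text is the output shown in Step 7 with each label rejoined to its value.

```python
import re

# Output from Step 7 of this example, labels and values rejoined.
STATUS_OUTPUT = """\
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025
"""
SESSION_OUTPUT = """\
Session 1:
Conn                 : VTY 3
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : stelnet
Authentication Type  : password
Session 2:
Conn                 : VTY 4
Version              : 2.0
State                : started
Username             : client002
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : sftp
Authentication Type  : rsa
"""

# Assumed audit policy (not taken from the page): algorithm name -> reason.
WEAK_KEX = {"diffie-hellman-group1-sha1": "1024-bit fixed group with SHA-1"}
WEAK_MAC = {"hmac-sha1-96": "SHA-1 MAC truncated to 96 bits",
            "hmac-md5": "MD5-based MAC",
            "hmac-md5-96": "MD5-based MAC truncated to 96 bits"}


def parse_fields(text):
    """Parse 'label : value' lines into a dict, ignoring lines without a value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_sessions(text):
    """Split 'display ssh server session' output into one dict per session."""
    sessions, current = [], None
    for line in text.splitlines():
        header = re.match(r"\s*Session\s+(\d+)\s*:\s*$", line)
        if header:
            current = {"Session": int(header.group(1))}
            sessions.append(current)
            continue
        key, sep, value = line.partition(":")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return sessions


def audit_status(fields):
    findings = []
    version = fields.get("SSH version", "")
    if version.startswith("1."):
        # 1.99 is how an SSH-2 server announces SSH-1 compatibility (RFC 4253, 5.1).
        findings.append(("SSH version", version, "SSH-1 compatibility is enabled"))
    return findings


def audit_session(session):
    findings = []
    for field in ("CTOS Cipher", "STOC Cipher"):
        value = session.get(field, "")
        if value.endswith("-cbc"):
            findings.append((field, value, "CBC-mode cipher"))
    for field in ("CTOS Hmac", "STOC Hmac"):
        value = session.get(field, "")
        if value in WEAK_MAC:
            findings.append((field, value, WEAK_MAC[value]))
    kex = session.get("Kex", "")
    if kex in WEAK_KEX:
        findings.append(("Kex", kex, WEAK_KEX[kex]))
    return findings


def audit(status_text, session_text):
    """Return (scope, field, value, reason) tuples for every policy violation."""
    report = [("server",) + f for f in audit_status(parse_fields(status_text))]
    for session in parse_sessions(session_text):
        scope = "session %d (%s)" % (session["Session"], session.get("Username", "?"))
        report += [(scope,) + f for f in audit_session(session)]
    return report


if __name__ == "__main__":
    for finding in audit(STATUS_OUTPUT, SESSION_OUTPUT):
        print("%-22s %-12s %-28s %s" % finding)
```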

Configuration Files
l SSH server configuration file


#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %TGB6yhn7ujm
local-user client001 service-type ssh
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type RSA
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/2/0
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/2/0
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return

1.9 Device Maintenance


With routine device maintenance, you can detect potential operation threats on devices and then
eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.

1.9.1 Introduction of Device Maintenance


Device maintenance involves replacing boards and monitoring the internal environment.

Overview of Device Maintenance


Device maintenance involves replacing boards and monitoring the internal environment.

Concept
The stable running of an ATN depends on mature network planning and routine
maintenance. In addition, fast location of hidden hazards is necessary.

The maintenance personnel must check the alarm information in time and deal with the fault
properly to keep the device in normal operation and reduce the failure rate. Thus, the system
runs in a safe, stable, and reliable environment.

Maintenance Operation
Maintenance such as board replacement and internal environment check ensures the normal
operation of the ATN.

Maintenance Features Supported by the ATN


The ATN allows the operation status to be monitored.

Monitoring
In routine maintenance of the device, you can run the display commands to view the working
status of the ATN. This helps the maintenance personnel quickly locate the fault during
troubleshooting.

1.9.2 Monitoring the Device Status


You can monitor the device status to facilitate fault location and cause analysis.

Displaying the System Version Information


The system version information includes the system software version and various hardware
versions.

Procedure
Step 1 Run:
display version

The system version information is displayed.


You can run this command in any view to view the system version information. The main
information is as follows:
l System software version
l Hardware and software version of the MPUs
l Hardware and software version of the physical interface card
l Hardware and software version of the Fan
----End

Displaying Basic Information About the Router


Basic ATN information includes detailed information about the system-control board, physical
interface card, clock board, power supply, and fan module.

Procedure
Step 1 Run:
display device [ pic-status | slot-id ]

Basic information about the ATN is displayed.


You can run this command in any view to view the basic device information. Enter slot-id to
view information about the board in the specified slot.
l Choose a board in a certain slot. You can view basic information about this board.
l Run:
display device pic-status
Basic information about the PIC card is displayed.
----End

Displaying the Electronic Label


The electronic label information includes the type of board/card, bar code, BOM code, English
description, production date, supplier name, issuing number, Common Language Equipment
Identification (CLEI) code, and sales BOM code.

Procedure
l Run:
display elabel [ backplane | slot-id ]

The electronic label is displayed.


In practice, you can run this command in the user view to view information about the
electronic label of the boards. Enter slot-id to view information about the electronic label
of the board in the specified slot.
Displayed information includes the type of the board and PIC card, bar code, BOM, English
description, production date, supplier name, issuing number, Common Language
Equipment Identification (CLEI) code, and sales BOM.
NOTE

You can back up the electronic label of the specified board in the following ways:
l Run the backup elabel filename [ backplane | slot-id ] command to back up the electronic label
to the CF card on the ATN.
l Run the backup elabel ftp host filename username password [ backplane | slot-id ] command
to back up the electronic label to the specified FTP server.

----End

Displaying the Memory Usage


By specifying the slot ID, you can check the memory usage of the system control board.


Procedure
Step 1 Run:
display memory-usage [ slave ]

The memory usage threshold of the main system control board is displayed.
NOTE

To set the memory usage threshold in the main system control board, you can run the set memory-usage
threshold threshold command.

----End

Displaying the CPU Usage


By specifying the slot ID, you can check the CPU usage of the MPU.

Procedure
Step 1 Run:
display cpu-usage [ task-name ] [ configuration ] [ slave ]
NOTE

Only the ATN 950B supports the slave parameter.


To set the threshold of the CPU usage on the main MPU, you can run the set cpu-usage threshold thresholdvalue [ slave ] command. To display the current configuration of the CPU usage, run the display cpu-usage
configuration command.

----End

Displaying Alarm Information


The alarm information includes the alarm severity, alarm date and time, and alarm description.

Procedure
Step 1 Run:
display alarm { slot-id | all }

Information about the alarm is displayed.


You can run this command in any view to view current information about the ATN alarm. Alarm
information includes the following:
l Alarm severity
l Alarm date and time
l Alarm description
NOTE

After the ATN alarm is displayed, you can run the clear alarm index index-id { send-trap | no-trap }
command to clear the alarm at the specified index-id.

----End

Displaying the Board Temperature


The temperature information includes the temperature status of each board, temperature alarm
thresholds of a board, and actual temperature of a board.

Procedure
Step 1 Run:
display temperature slot slot-id

The temperature of the specified board is displayed.


In practice, using this command in any view, you can view the current temperature of the
ATN. The temperature information includes the following:
l Current temperature status of the board
l Threshold to the alarm temperature of the board
l Actual temperature of the board
----End

Displaying the Board Voltage


The voltage information includes the number of voltage sensors on each board, working voltage
sensor of each board, working status of the voltage sensor on each board, and voltage alarm
thresholds of each board.

Procedure
Step 1 Run:
display voltage slot slot-id

The board voltage is displayed.


In practice, using this command in any view, you can view the voltage of all the boards. The
voltage information includes the following:
l Number of the voltage sensors
l Working voltage sensors
l Working status of the voltage sensors
l Alarm field value of the voltage
l Actual board voltage
----End

Displaying the Power Supply Status


The power supply information includes the slot ID of the power supply module, whether the
power supply module is registered, working mode of the power supply module, and cable status
of the power supply module.

Procedure
Step 1 Run:
display power

The power supply status is displayed.


In practice, using this command in any view, you can view the power supply status. The displayed
information includes the following:
l Slot number of the power supply module
l Presence status of the power supply module
l Operation mode of the power supply module
l Cable status of the power supply module
----End

Displaying the Sequence Number of the MPU


Each MPU has a globally unique equipment serial number (ESN).

Procedure
Step 1 Run:
display esn

The sequence number of the MPU is displayed. In the operation, using this command in any
view, you can view the sequence number of the MPU on the ATN.
----End

1.9.3 Board Maintenance


Board maintenance involves resetting a board and clearing the maximum CPU usage.

Resetting a Board
You need to back up important data before resetting a board.

Context
In the case that a board is faulty, you can use the reset slot command to reset the board.

CAUTION
Back up important data before resetting the board.
Do as follows on the ATN:

Procedure
Step 1 Run:
reset slot slot-id

The board is reset.


NOTE

l If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset with
the CPU being powered on. If a slave MPU exists, this command performs master/slave MPU
switchover.
l If the board is still abnormal after being reset, contact the Huawei technical support personnel.

----End

1.10 Patch Management


Patch management includes checking the running patch, loading patch files, and installing
patches.

1.10.1 Patch Management Introduction


This section describes basic patch functions.

Patch Management Overview


You can install patches to improve system functions.

Patch Overview
You occasionally need to revise the system software, for example to remove system defects or add
new functions, while the device is running. In the past, it was common practice to shut the system
down before performing an upgrade, but this static upgrade affects the services on the device and
does not improve its communication. However, if you load a patch to the system software, you
can upgrade it online without interrupting the operation of the device. This dynamic upgrade
does not affect services and can actually improve its communication.

Patch Area
In the memory of the Main Processing Unit (MPU), a space, called a patch area, is reserved for
the patch.
To install the patch, save it to the patch area in the memory of the board.
The patch saved in the patch area is numbered uniquely. Up to 2000 patches can be saved to the
patch area in the memory of the MPU.

Patch States
The patch state can be idle, deactive, active, or running. For details, see Table 1-20.

Table 1-20 Patch states

State: No patch (idle)
Description: The patch file is saved to the CF card but is not loaded to the patch area in the memory.
States Conversion: When the patch is loaded to the patch area, the patch status is set to deactive.

State: deactive
Description: The patch is loaded to the patch area but is disabled.
States Conversion: The patch in the deactive state can be:
l Uninstalled, that is, deleted from the patch area.
l Enabled temporarily and then switched to the active state.

State: active
Description: The patch is loaded to the patch area and enabled temporarily. If the board is reset, the active patch on that board switches to the deactive state.
States Conversion: The patch in the active state can be:
l Uninstalled, that is, deleted from the patch area.
l Enabled temporarily and then switched to the active state.
l Enabled permanently and then switched to the running state.

State: running
Description: The patch is loaded to the patch area and enabled permanently. If the board is reset, the patch on the board remains in the running state.
States Conversion: The patch in the running state can be uninstalled and deleted from the patch area.

Figure 1-48 shows the conversion between patch states.

Figure 1-48 Conversion between patch states
[Figure: patch states No patch, Deactivated, Activated, and Running, connected by the operations
Load patch, Active patch, Deactive patch, Run patch, and Delete patch.]
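The life cycle in Table 1-20 and Figure 1-48 can be modelled as a small state machine and used to review a change plan before it is typed into a device. The following Python model is an added example, not Huawei code; the operation names mirror the patch load, active, deactive, run, and delete commands in this section, and "reset" is an assumed name for a board reset.

```python
from enum import Enum


class PatchState(Enum):
    IDLE = "idle"          # "No patch": file on the CF card, not in the patch area
    DEACTIVE = "deactive"  # loaded to the patch area but disabled
    ACTIVE = "active"      # enabled temporarily
    RUNNING = "running"    # enabled permanently


# Allowed operations per state, following Figure 1-48.
# There is no ("deactive", "load") entry: the system allows only one patch,
# so an existing patch has to be deleted before a new one is loaded.
TRANSITIONS = {
    (PatchState.IDLE, "load"): PatchState.DEACTIVE,
    (PatchState.DEACTIVE, "active"): PatchState.ACTIVE,
    (PatchState.ACTIVE, "deactive"): PatchState.DEACTIVE,
    (PatchState.ACTIVE, "run"): PatchState.RUNNING,
    (PatchState.DEACTIVE, "delete"): PatchState.IDLE,
    (PatchState.ACTIVE, "delete"): PatchState.IDLE,
    (PatchState.RUNNING, "delete"): PatchState.IDLE,
}


class InvalidTransition(Exception):
    """Raised when an operation is not allowed in the current state."""


def apply_op(state, op):
    """Return the state that follows `op`; "reset" models a board reset."""
    if op == "reset":
        # Only the temporary (active) state is lost at reset; every other
        # state is kept, including running.
        return PatchState.DEACTIVE if state is PatchState.ACTIVE else state
    try:
        return TRANSITIONS[(state, op)]
    except KeyError:
        raise InvalidTransition(
            f"'patch {op}' is not allowed in state {state.value}") from None


def replay(ops, start=PatchState.IDLE):
    """Replay a sequence of operations and return the final state."""
    state = start
    for op in ops:
        state = apply_op(state, op)
    return state


def review_plan(ops, start=PatchState.IDLE):
    """Return a list of findings for a planned sequence (empty list = OK)."""
    try:
        final = replay(ops, start)
    except InvalidTransition as exc:
        return [f"invalid plan: {exc}"]
    if final is PatchState.ACTIVE:
        return ["plan ends with the patch only active: a board reset "
                "returns it to deactive and the fix is lost"]
    if final is not PatchState.RUNNING:
        return [f"plan ends in state {final.value}: the patch is not in effect"]
    return []


if __name__ == "__main__":
    for plan in (["load", "active", "run"], ["load", "active"], ["load", "run"]):
        print(plan, "->", review_plan(plan) or "OK")
```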


Patches Supported by the ATN


The ATN enables patches to be loaded to the system or a certain board.

Patch Functions
Installing patches can improve system functions or fix bugs. By installing a patch, you can
upgrade the system without upgrading the system software.

Logic Relationships Between Configuration Tasks


Figure 1-49 shows the logical relationships between the configuration tasks.

Figure 1-49 Logical relationships between configuration tasks
[Figure: flowchart with the steps Run VRP, Normally run (Yes/No), Enable patch temporarily,
Bug removed (Yes/No), Disable patch, Unload patch, Resort to technical support for new patch,
and End.]

1.10.2 Checking Whether a Patch is Running in the System


The system allows only one patch to run. Therefore, confirm that no patch is running before
loading a new patch.

Before You Start


Before checking the running patch, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
The system allows the running of only one patch at a time. Therefore, you need to confirm no
patch is running in the current system before installing a patch. If a patch is running, delete it
before installing the new patch.

Pre-configuration Tasks
Before checking whether a patch is running in the system, complete the following tasks:
- Ensure that the ATN starts normally after being powered on.
- Ensure that you can log in to the ATN.

Data Preparation
None

Checking the Running of a Patch in the System


You can run the display patch-information command to view information about the running
patch units, activated patch units, and deactivated patch units.

Context
Do as follows on the ATN to be upgraded:

Procedure
Step 1 Run:
display patch-information

All information about the current patch is displayed, including information about the patch units
that are running, the patch units that are activated, and the patch units that are deactivated.
----End

Example
<HUAWEI> display patch-information
Info: No patch exists.

This indicates that no patch is running in the current system.


NOTE

If patches are running, delete them before loading new patches.

(Optional) Deleting a Patch


The system allows only one patch to run at a time. If a patch is running, delete it before loading
a new patch.

Context
Before installing a patch, you need to delete the running patch.
Do as follows on the ATN to be upgraded.

Procedure
Step 1 Run:
patch delete all

The running patch is deleted.


----End

1.10.3 Loading a Patch


Patches can be loaded through FTP or TFTP.

Before You Start


Before loading a patch, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the configuration
task quickly and accurately.

Applicable Environment
Before you load a patch, upload it to the root directory of the CF card of the master MPU.
Then, copy the patch to the root directory of the CF card of the slave MPU.
NOTE

Only ATN 950B supports a slave MPU. You must upload the patch file to the slave MPU.

The three methods used to upload a patch are FTP,.

Pre-configuration Tasks
Before loading a patch, complete the following tasks:
- Ensure that the ATN starts normally after being powered on.
- Ensure that you can log in to the ATN.

Data Preparation
Before running a patch, obtain a patch that is consistent with the board.
No.

Data

Uploading a Patch to the Root Directory of the CF Card of the Master MPU

Copying a Patch to the Root Directory of the CF Card of the Slave MPU

Loading a Patch
On a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.

Context
Do as follows on the ATN to be upgraded:

Procedure
Step 1 Upload a patch to the root directory of the CF card of the master MPU.
The ATN supports the uploading of files through FTP, TFTP,. For more information, see: "FTP,
TFTP,". Choose an uploading method based on your requirements.
Step 2 Run:
startup patch file-name

The patch package is specified for the MPU on the next startup.
Step 3 Run:
startup patch file-name

The patch package is specified for the master MPU on the next startup. (Skip this step if the
chassis is ATN 910/ATN 910I/ATN 910B.)
Step 4 Run:
startup patch file-name slave-board

The patch package is specified for the slave MPU on the next startup. (Skip this step if the
chassis is ATN 910/ATN 910I/ATN 910B.)
----End

Checking the Configuration


After a patch is loaded, you can check patch information.

Context
Run the following commands to check the previous configuration.

Procedure
- Run:
dir cfcard:/

Check the files on the MPU.

- Run:
dir slave#cfcard:/

Check the files on the slave MPU.

NOTE

Only the ATN 950B supports the slave#cfcard:/ parameter.

- Run:
display startup

Check the patch file used in the next system startup.


----End

1.10.4 Installing a Patch


You can install a patch on the system to repair it. By installing the patch, you can upgrade the
system without upgrading the system software.

Establishing the Configuration Task


Before installing a patch on the system, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
Installing patches can fix system vulnerabilities or correct system defects. By installing a patch,
you can upgrade the system without upgrading the system software.
When a patch is uploaded, the system checks that the patch version is the same as the system
version. If the two versions are not the same, the system prompts that the patch uploading fails.

Pre-configuration Tasks
Before installing a patch, upload the patch to the root directory of the CF card of the master
MPU and slave MPU.
NOTE

Only ATN 950B supports a slave MPU. You must upload the patch file to the slave MPU.

Data Preparation
None

Loading a Patch
You can load a patch only when the patch version matches the system software version.

Context
Do as follows on the ATN to be upgraded:

Procedure
Step 1 Run:
patch load file-name all

The patch is loaded.


----End

Follow-up Procedure
When a patch is loaded, the system checks whether the patch version is the same as the system
version. If the two versions are not the same, the system determines that the patch loading fails.
When the patch is loaded successfully, its status is Deactive. This status remains Deactive after
the board is reset.

Activating a Patch
A patch can be activated only when it is correctly loaded and is in the deactivated state.

Context
Do as follows on the ATN to be upgraded:

Procedure
Step 1 Run:
patch active all

The patch is activated.


----End

Follow-up Procedure
A patch can be activated only when it is correctly loaded and is in the deactivated state. When
a patch is activated, it immediately becomes valid. After the board is reset, however, the status
of the patch becomes Deactive, and the patch does not remain valid.

Running a Patch
A patch can be run only after it is activated. Running a patch means that the patch is activated
permanently.

Context
Do as follows on the ATN to be upgraded:

Procedure
Step 1 Run:
patch run all

The patch is run.


----End

Follow-up Procedure
A patch can be run only after it is activated. Running a patch means that the patch is activated
permanently and the patch remains valid after the board is reset. The status of the patch remains
Running.

Checking the Configuration


After a patch is installed on the system, you can check the patch status.

Procedure
- Run:
display patch-information

Check the patch state.


----End

1.10.5 (Optional) Deactivating the Patch


If an installed patch does not take effect, you need to deactivate it.

Before You Start


Before deactivating a patch, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
After a patch is activated, you need to determine whether the patch has achieved the expected
effect. If the patch is not valid, you need to deactivate it.
A patch can be deactivated only after it is activated.

Pre-configuration Tasks
None

Data Preparation
None

Deactivating a Patch
Deactivating a patch makes an active patch become inactive.

Procedure
Step 1 Run:
patch deactive all

The patch is deactivated.


----End

Checking the Configuration


After a patch is deactivated, you can run the display command to check the patch status.

Procedure
- Run:
display patch-information

Check the patch state.


----End

1.10.6 Configuration Examples for Patch Management


This section describes some configuration examples for managing patches.

Example for Installing a Patch


When the system has vulnerabilities or defects, you can install a patch to repair the system.

Networking Requirements
As shown in Figure 1-50, an urgent bug occurs in the system software on the Provider Edge (PE)
connected to the Internet. Huawei provides a patch file to remove the bug. The patch in this
patch file must be installed to remove the bug.

Figure 1-50 Networking diagram of installing a patch
[Figure: FTP Server 10.1.1.2/24; PE interface GE0/2/0 10.1.1.1/24; MPLS Core; PC 10.1.1.3/24]

Configuration Roadmap
The configuration roadmap is as follows:
1. Save the patch file to the root directory of the CF card on the MPU.
2. Load the patch.
3. Activate the patch.
4. Run the patch.

Data Preparation
To complete the configuration, you need the following data:
- File name of the patch: patch.pat
- Path to which the patch is saved on the MPU: cfcard:/

Procedure
Step 1 Upload the patch file for the system software.
# Log in to the FTP server.
<PE> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp]

# Configure the binary transmission format and the working directory of the CF card on PE.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
% Local directory now cfcard:.

# Load the patch file for the current system software from the remote FTP server.
[ftp] get patch.pat
200 Port command okay.
150 Opening ASCII mode data connection for patch.pat.
226 Transfer complete.
FTP: 6309 byte(s) received in 0.188 second(s) 33.55Kbyte(s)/sec.
[ftp] bye
221 Server closing.
<PE>

# Copy the patch file to the CF card on the slave MPU. (Skip this step if the chassis is ATN
910/ATN 910I/ATN 910B.)
<PE> copy cfcard:/patch.pat slave#cfcard:/
Copy cfcard:/patch.pat to slave#cfcard:/patch.pat?[Y/N]:y
100% complete
Info:Copied file cfcard:/patch.pat to slave#cfcard:/patch.pat...Done

Step 2 Load the patch.


<PE> patch load patch.pat all

Step 3 Activate the patch.


<PE> patch active all

Step 4 Run the patch.


<PE> patch run all

Step 5 Verify the configuration


<PE> display patch-information
Patch Package Name   :cfcard:/patch.pat
Patch Package Version:V200R003C00
The state of the patch state file is: Running
The current state is: Running
************************************************************************
*               The hot patch information, as follows:                 *
************************************************************************
Slot       Type       State      Count
------------------------------------------------------------
2          C          Running    1

----End

Configuration Files
None
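The verification in Step 5 can be automated when many devices have to be checked after a patch rollout. The following Python check is an added example, not Huawei code: it parses captured display patch-information output and reports a patch that is missing, that does not match the expected system version, or that is not in the Running state and would therefore not stay in effect after a board reset. The sample outputs are constructed from the example above, and the "Active" spelling in the second sample is an assumption.

```python
import re

# Constructed sample, modelled on the output shown in Step 5.
SAMPLE_RUNNING = """\
Patch Package Name   :cfcard:/patch.pat
Patch Package Version:V200R003C00
The state of the patch state file is: Running
The current state is: Running
************************************************************************
*               The hot patch information, as follows:                 *
************************************************************************
Slot       Type       State      Count
------------------------------------------------------------
2          C          Running    1
"""
# Constructed: the same patch activated but not yet run (state spelling assumed).
SAMPLE_ACTIVE = SAMPLE_RUNNING.replace("Running", "Active")
# Output shown on the page when nothing is loaded.
SAMPLE_NONE = "Info: No patch exists.\n"

FIELDS = {
    "package": re.compile(r"^Patch Package Name\s*:\s*(\S+)", re.M),
    "version": re.compile(r"^Patch Package Version\s*:\s*(\S+)", re.M),
    "file_state": re.compile(r"^The state of the patch state file is:\s*(\S+)", re.M),
    "current_state": re.compile(r"^The current state is:\s*(\S+)", re.M),
}
# One row of the per-slot table: Slot, Type, State, Count.
UNIT_ROW = re.compile(r"^(\d+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\d+)[ \t]*$", re.M)


def parse_patch_information(text):
    """Return a dict of the displayed fields, or None if no patch exists."""
    if "No patch exists" in text:
        return None
    info = {}
    for name, pattern in FIELDS.items():
        match = pattern.search(text)
        info[name] = match.group(1) if match else None
    info["units"] = [
        {"slot": int(slot), "type": kind, "state": state, "count": int(count)}
        for slot, kind, state, count in UNIT_ROW.findall(text)
    ]
    return info


def audit(text, system_version):
    """Return findings for one device's output; an empty list means OK."""
    info = parse_patch_information(text)
    if info is None:
        return ["no patch is loaded"]
    findings = []
    if info["version"] != system_version:
        findings.append(
            f"patch version {info['version']} differs from system version "
            f"{system_version}")
    if (info["current_state"] or "").lower() != "running":
        findings.append(
            f"current state is {info['current_state']}: only a running patch "
            "remains valid after a board reset")
    for unit in info["units"]:
        if unit["state"].lower() != "running":
            findings.append(
                f"slot {unit['slot']}: patch unit state is {unit['state']}")
    return findings


if __name__ == "__main__":
    samples = (("running", SAMPLE_RUNNING), ("active", SAMPLE_ACTIVE),
               ("none", SAMPLE_NONE))
    for label, sample in samples:
        print(label, "->", audit(sample, "V200R003C00") or "OK")
```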

1.11 Glossary
This appendix collates frequently used terms in this document.
A

Accounting
A network security service that records the user's access to the network.

Agent
A process that is used in all managed devices. It receives request packets from the NM Station
and performs the Read or Write operation on managed variables according to packet types and
generates response packets and sends them to the NM Station.

AH
Authentication Header. A security protocol that provides data authentication and integrity for
IP packets. AH is used in the transmission mode and in the tunneling mode.

ASSP
Analogue Sensor Signal Processes. An error tolerance protocol that provides the interface backup
in the multiple access, multicast and broadcast in LAN (such as Ethernet).

Authentication
A method used to prove user identity.

Authorization
A method used to prove identity of users to use the service.

B

Backup center
A mechanism in which the interfaces on a device back up each other and trace the status of the
interface. If an interface is Down, the backup center provides a backup interface to undertake
the service.

BFD
Bidirectional Forwarding Detection. A unified detection mechanism that is used to detect and
monitor the link or IP routes forwarding at a fast pace.

Black list
A filtering mode that is used to filter the packet according to the source IP address. Compared
with the ACL, the black list can filter the packet at a high speed because its matching region is
simple. It can shield the packet from the specified IP address.


CLI
Command Line Interface. An interface that allows the user to interact with the operating system.
Users can configure and manage the ATN by entering commands through the CLI.

Congestion avoidance
A flow control mechanism by which the network overload is relieved by adjusting the network
traffic. When the congestion occurs and becomes worse, the packet is discarded by monitoring
the network resource.

Congestion management
A flow control measure to solve the problem of network resource competition. When the network
congestion occurs, it places the packet into the queue for buffer and determines the order of
forwarding the packet.

Command line level
The priority of the system command that is divided into 4 levels. Users of a level can run the
command only of the same or lower level.

E

Ethernet
A baseband LAN specification created by Xerox and developed by Xerox, Intel, and Digital
Equipment Corporation (DEC). This specification is similar to IEEE802.3.

Ethernet_II
An encapsulation format of the Ethernet frame. Ethernet_II that contains a 16-bit protocol type
field is the standard ARPA Ethernet Version 2.0 encapsulation.

Ethernet_SNAP
An encapsulation format of the Ethernet frame. The frame format complies with RFC 1042 and
enables the transmission of the Ethernet frame on the IEEE 802.2 media.

F

FIFO
First In First Out. A queuing scheme in which the first data into the network is also the first
data out of the network.

File system
A method in which files and directories in the storage devices are managed, such as creating a
file system, creating, deleting, modifying and renaming a file or directory or displaying the
contents of the file.

FTP
File Transfer Protocol. An application protocol in the TCP/IP stack, used for transferring files
between remote hosts. FTP is implemented based on the file system.


HGMPv2
Huawei Group Management Protocol Version 2. A protocol with which the discovery, topology
collection, centralized management and remote maintenance are implemented on Layer 2 devices
of a cluster that are connected with the ATN.

I

Information center
The information hinge in the MA5200G that can classify and filter the output information.

Interface mirroring
A method of copying the packet of the mirrored interface to the other mirroring interfaces to
forward the packet.

IP negotiated
An attribute of the interface. When the user accesses the Internet through the ISP, the IP address
is usually allocated by the peer server. The PPP packet must be encapsulated and the IP address
negotiated attribute must be configured on the interface so that the local interface accepts the
IP address allocated by the peer end through the PPP negotiation.

IP unnumbered
A mechanism in which the interface that is not configured with an IP address can borrow the IP
address of the interface that is configured with an IP address to save the IP address resource.

ISATAP tunnel
Intra-site Automatic Tunnel Addressing Protocol. A protocol that is used for the IPv4/IPv6 host
in the IPv4 network to access the IPv6 network. The ISATAP tunnel can be established between
the ISATAP hosts or between the ISATAP host and the ISATAP ATN.

ISIS-TE
Traffic engineering of IS-IS. (For the information of IS-IS, refer to Acronyms and Abbreviations)

L

LAN interface
Local Area Network interface. Often an Ethernet interface through which the ATN can exchange
data with the network device in a LAN.

License
Permission of some features that dynamically control the product.

Logical interface
A configured interface that can exchange data but does not exist physically. A logical interface
can be a sub-interface, virtual-template interface, virtual Ethernet interface, Loopback interface,
Null interface and Tunnel interface.

M

MIB
Management Information Base. A database of variables of the monitored network device. It can
uniquely define a managed object.

Modem
Modulator-demodulator. Device that converts digital and analog signals.

Multicast
A process of transmitting packets of data from one source to many destinations. The destination
address of the multicast packet uses Class D address, that is, the IP address ranges from
224.0.0.0 to 239.255.255.255. Each multicast address represents a multicast group rather than a
host.

N

NDP
Neighbor Discovery Protocol. A protocol that is used to discover the information of the
neighboring Huawei device that is connected with the local device.

NMS
Network Management System. A system that sends various query packets and receives the response
packet and trap packet from the managed devices and displays all the information.

NTDP
A protocol that is used to collect the information of the adjacency and the backup switch of each
device in the network.

NTP
Network Time Protocol. An application protocol that is used to synchronize the distributed server
and the client side.

O

OSPF-TE
Traffic engineering of OSPF. (For the information of OSPF, refer to Acronyms and Abbreviations)

P

Policy-based routing
A routing scheme that forwards packets to specific interfaces based on user-configured policies.

Regular expression
When a lot of information is output, you can filter the unnecessary contents out with regular
expressions and display the necessary contents.

RMON
Remote monitoring. An MIB agent specification defined by the IETF that defines functions for
the remote monitoring of the data flow of a network segment or the whole network.


ATN
A device on the network layer that selects routes in the network. The ATN selects the optimal
route according to the destination address of the received packet through a network and forwards
the packet to the next ATN. The last ATN is responsible for sending the packet to the destination
host.

RRPP
Rapid Ring Protection Protocol. A protocol that is applied on the data link layer. When the
Ethernet ring is complete, it can prevent the broadcast storm caused by the data loop. When a
link is disconnected on an Ethernet ring, it can rapidly restore the communication link between
the nodes on the ring network.

RSVP-TE
Traffic engineering of RSVP. (For the information of RSVP, refer to Acronyms and Abbreviations)

S

Service tracing
A method of service debugging, diagnosis and error detection that is mainly used for service
personnel to locate the fault in user access. The service tracing can output the status change
and the result of the protocol processing of the specified user during the access to the terminal
or the server for the reference and analysis of the service personnel.

SSH
Secure Shell. A protocol that provides a secure connection to an ATN through a TCP application.

Static ARP
A protocol that binds some IP addresses to a specified gateway. The packet of these IP addresses
must be forwarded through this gateway.

System environment
Basic parameters for running the MA5200G such as host name, language mode and system time.
After configuration, the system environment can meet the requirements of the actual environment.

Telnet
An application protocol of the TCP/IP stack that provides virtual terminal services for a wide
variety of remote systems.

Terminal
A device that is connected with other devices through the serial port. The keyboard and the
display have no disk drives.

Traffic policing
A process used to measure the actual traffic flow across a given connection and compare it to the
total admissible traffic flow for that connection. When the traffic exceeds the flow that is
agreed upon, some restrictions or penalties are adopted to protect the interest and the network
resource of the operator.


Traffic shaping
A flow control measure to shape the flow rate. It is often used to control the flow in regular
amounts to ensure that the traffic is within the traffic stipulated for the downstream ATN and
prevents unnecessary discard and congestion.

Tunnel
Secure communication path between two peers in the VPN that protect the internal information of
the VPN from the interruption.

V

VPN
Virtual Private Network. A new technology developed with the Internet to provide an apparent
single private network over a public network. "Virtual" means the network is a logical network.

VRP
Versatile Routing Platform. A versatile routing operating system platform developed for all data
communication products of Huawei. With the IP service as its core, the VRP adopts the
componentized architecture. The VRP realizes rich functions and provides tailorability and
scalability based on applications.

VRRP
Virtual ATN Redundancy Protocol. An error tolerant protocol defined in RFC 2338. It forms a
backup group for a group of ATN in a LAN that functions as a virtual ATN.

VTY
Virtual type terminal. A terminal line that is used to access an ATN through Telnet.

X

X.25
A protocol applied on the data link layer that defines how connections between DTE and DCE are
maintained for remote terminal access and computer communications in PDNs.

XModem
A transmission protocol in the format of the binary code.

XOT
X.25 over TCP. A protocol that implements the interconnection between two X.25 networks through
the TCP packet bearing X.25 frames.

1.12 Acronyms and Abbreviations


This appendix collates frequently used acronyms and abbreviations in this document.
Numerics
3DES      Triple Data Encryption Standard


A
AAA       Authentication, Authorization and Accounting
ACL       Access Control List
ARP       Address Resolution Protocol
AES       Advanced Encryption Standard
ASPF      Application Specific Packet Filter
AUX       Auxiliary port

B
BGP       Border Gateway Protocol

C
CBQ       Class-based Queue
CHAP      Challenge Handshake Authentication Protocol
CQ        Custom Queuing
CR-LDP    Constraint-based Routing LDP

D
DES       Data Encryption Standard
DHCP      Dynamic Host Configuration Protocol
DNS       Domain Name System

E
ESP       Encapsulating Security Payload

F
FR        Frame Relay

G
GRE       Generic Routing Encapsulation


H
HDLC      High Level Data Link Control

I
IETF      Internet Engineering Task Force
IKE       Internet Key Exchange
IPSec     IP Security
IS-IS     Intermediate System-to-Intermediate System intra-domain routing information
          exchange protocol
ITU-T     International Telecommunication Union Telecommunications Standardization Sector

L
L2TP      Layer Two Tunneling Protocol
LAPB      Link Access Procedure Balanced
LDP       Label Distribution Protocol

M
MAC       Medium Access Control
MBGP      Multiprotocol Extensions for BGP-4
MFR       Multiple Frame Relay
MP        MultiLink PPP
MPLS      Multiprotocol Label Switching
MSDP      Multicast Source Discovery Protocol
MTU       Maximum Transmission Unit

N
NAT       Network Address Translation

O
OAM       Operation, Administration and Maintenance


OSPF      Open Shortest Path First

P
PAP       Password Authentication Protocol
PE        Provider Edge
Ping      Ping (Packet Internet Groper)
PPP       Point-to-Point Protocol
PPPoA     PPP over AAL5
PPPoE     Point-to-Point Protocol over Ethernet
PPPoEoA   PPPoE on AAL5
PQ        Priority Queuing

Q
QoS       Quality of Service

R
RADIUS    Remote Authentication Dial In User Service
RIP       Routing Information Protocol
RPR       Resilient Packet Ring
RSVP      Resource Reservation Protocol

S
SFTP      SSH File Transfer Protocol

T
TE        Traffic Engineering
TCP       Transmission Control Protocol
TFTP      Trivial File Transfer Protocol

V
VPN       Virtual Private Network


VRP       Versatile Routing Platform
VRRP      Virtual Router Redundancy Protocol

W
WAN       Wide Area Network
WFQ       Weighted Fair Queuing
WRED      Weighted Random Early Detection

X
XOT       X.25 Over TCP


2 System Management

About This Chapter


The document describes the configuration methods of system management in terms of basic
principles, implementation of protocols, configuration procedures and configuration examples
for the system management of the ATN equipment.
2.1 Information Center Configuration
This chapter describes how to configure the information center to control the output of logs,
alarms, and debugging messages.
2.2 SNMP Configuration
The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. You can configure one or more versions, if
needed.
2.3 RMON and RMON2 Configuration
This chapter describes how to monitor the Ethernet interface through Remote Network
Monitoring (RMON) and Remote Network Monitoring Version 2 (RMON2).
2.4 IP FPM Configuration
IP Flow Performance Measurement (FPM) is a Huawei proprietary feature that measures packet
loss rate and delay of end-to-end service packets transmitted on an IP network to determine
network performance. This feature is easy to deploy and provides an accurate assessment of
network performance.
2.5 NQA Configuration
This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.
2.6 Ping and Tracert
This chapter describes how to check the network connectivity through ping and tracert
operations.
2.7 Fault Management
2.8 Performance Management

Performance management (PM) can discover potential problems in the network and provide
references for system decisions by monitoring and collecting performance indicators in the
system (such as the CPU usage and number of received and sent packets at an interface). PM is
used for network condition analysis, capacity planning, fault location and other purposes.
2.9 PoE Configurations
2.10 Glossary
This chapter lists the frequently used terms in this document and corresponding English full
names.
2.11 Acronyms and Abbreviations
This chapter lists the frequently used acronyms in this document and corresponding English full
names.


2.1 Information Center Configuration


This chapter describes how to configure the information center to control the output of logs,
alarms, and debugging messages.

2.1.1 Information Center Overview


The information center controls the output of logs, alarms, and debugging messages.

Introduction
The information center works as the information hub of an ATN. It classifies and filters the output
of a system. The information center uses a debugging program to help network administrators
and developers monitor network operation and analyze network faults.

Information Center Supported by the ATN


The information center outputs logs, alarms, and debugging messages at eight severity levels
through 10 information channels.

Information Classification
The information center receives and processes information of the following types:
- Logs
- Debugging information
- Alarms

Severity Levels of Information


Information has eight severity levels as shown in Table 2-1. The lower the severity level, the
more severe the information.
Table 2-1 Description of the severity levels of information

Threshold | Severity Level | Description
0 | Emergencies | A fatal fault, such as a program exception or incorrect memory usage, occurs on the device. The system must restart.
1 | Alert | An important fault, such as the device memory reaching the highest limit, occurs on the device. The fault needs to be fixed immediately.
2 | Critical | A crucial fault, such as the memory or temperature reaching the lowest limit, or the BFD device being unreachable, occurs on the device. An internal fault can also be generated by the device itself. The fault needs to be analyzed and fixed.
3 | Error | A fault, such as a user running incorrect commands, entering a wrong password, or receiving wrong protocol packets from other devices, occurs on the device. These faults can be caused by improper operation or a wrong process. They do not affect services but should be given attention.
4 | Warning | An abnormal situation, such as the user disabling the routing process, the BFD detecting packet loss, or the wrong protocol packet being received, occurs on the device. The fault may affect services and should be given attention.
5 | Notification | Indicates the key operations used to ensure that the device runs normally, such as the execution of the shutdown command, the performance of neighbor discovery, or the status change of the state machine.
6 | Informational | Indicates the common operations used to ensure that the device runs normally, such as the execution of the display command.
7 | Debugging | Indicates that the common device information does not require attention.

When information filtering based on severity levels is enabled, only the information whose
severity level threshold is less than or equal to the configured value is output.
For example, if the severity level value is configured to 6, only information with a severity level
ranging from 0 to 6 is output.

Working Process of the Information Center


The working process of the information center is as follows:
- The information center receives logs, alarms, and debugging information from all modules.
- The information center outputs information with different severity levels to different information channels according to the configuration.
- Information is transmitted in different directions based on the relationship between the information channel and the output direction.

Generally, the information center distributes three types of information classified into eight
levels to 10 information channels. Information is then output to different directions.
As shown in Figure 2-1, logs, alarms, and debugging information have default output channels.
They can be customized to be output from other channels. For example, logs can be configured
to be output to the log cache through Channel 6 rather than the default Channel 4.
Figure 2-1 Functions of the information channel

Information Channels and Output Directions


The system supports 10 channels. The first six channels (Channel 0 to Channel 5) have default
channel names and are associated with six default output directions. For devices equipped with a CF
card, log information is output to log files through Channel 9 by default. That is, a total of seven
default output directions are supported.
For details of the association relationship between default channels and output directions, see
Table 2-2.

Table 2-2 Association relationship between default channels and output directions
Channel Number | Default Channel Name | Output Direction | Description
0 | Console | Console | Outputs logs, alarms, and debugging information to the local console.
1 | Monitor | Monitor | Outputs logs, alarms, and debugging information to the VTY terminals for remote maintenance.
2 | Loghost | Log host | Outputs logs, alarms, and debugging information to the log host. Information is saved to the log host in the file format for easy reference.
3 | Trapbuffer | Trap buffer | Outputs alarms to the alarm buffer. The ATN assigns a specific area to be the alarm buffer for recording alarms.
4 | Logbuffer | Log buffer | Outputs logs to the log buffer. The ATN assigns a specified area to be the log buffer for recording logs.
5 | Snmpagent | SNMP agent | Outputs alarms to the SNMP agent.
6 | Unspecified | Unspecified | Reserved. This channel can be configured to output to different directions.
7 | Unspecified | Unspecified | Reserved. This channel can be configured to output to different directions.
8 | Unspecified | Unspecified | Reserved. This channel can be configured to output to different directions.
9 | Channel9 | Log file | Outputs logs, alarms, and debugging information to the log file on the CF card.

In the case of multiple log hosts, logs can be output through one channel or several channels.
For example, some logs can be output to a log host through Channel 2 (loghost) and some logs
can be output to another log host through Channel 6. For easy management, the name of Channel
6 can be changed.

Format of Logs
Syslog is a sub-function of the information center. It outputs information to a log host through
port 514.
Figure 2-2 shows the format of logs.
Figure 2-2 Format of the output logs

<Int_16>TIMESTAMP HOSTNAME %%ddAAA/B/CCC(t)[e]:slot=XXX; YYYY


Table 2-3 describes each field in a log message.


Table 2-3 Description of each field in a log message

Field | Indication | Description
<Int_16> | Leading character | Leading characters are added before logs are output to log hosts. Logs saved in the local device do not contain leading characters.
TIMESTAMP | Time to send out the information | Available formats for the timestamp are as follows:
- boot: The timestamp in this format indicates a relative time.
- date: The timestamp in this format indicates the system time. Timestamps in logs, alarms and debugging information are in this format by default.
- short-date: Unlike the date format, timestamps in the short-date format do not indicate the year.
- format-date: The timestamp in this format is another format of the system time.
- none: indicates that the information does not contain any timestamp.
There is a space between the timestamp and the host name.
HOSTNAME | Host name | By default, the name is HUAWEI.
%% | Huawei logo | Indicates that log information is output by a Huawei device.
dd | Version number | Identifies the version of the log format.
AAA | Module name | Indicates the name of the module that outputs information to the information center.
B | Log level | Indicates the severity level of a log.
CCC | Brief description | Describes the information type.
(t) | Information type | Indicates the user log identifier.
[e] | Information counter | Indicates the log sequence number.
slot=XXX | Location information | Indicates the number of the slot that sends the location information.
YYYY | Descriptor | Indicates detailed information output from each module to the information center. Before outputting logs, each module fills in this field to describe log content.
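
A log host that receives these messages has to split them back into the fields of Table 2-3 before it can apply the severity rule from Table 2-1. The parser below is an added example, not Huawei code: the sample lines, module names and brief descriptions are constructed, and it assumes the leading integer follows the RFC 3164 PRI convention (facility * 8 + severity) and that the slot field may be absent.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity names indexed by threshold value, most severe first (Table 2-1).
SEVERITIES = ("Emergencies", "Alert", "Critical", "Error",
              "Warning", "Notification", "Informational", "Debugging")

# <Int_16>TIMESTAMP HOSTNAME %%ddAAA/B/CCC(t)[e]:slot=XXX; YYYY
LOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"        # leading characters; absent in locally saved logs
    r"(?P<timestamp>.*?)"              # any timestamp format; empty when the format is "none"
    r"(?P<hostname>\S+) "              # host name, then one space
    r"%%(?P<version>\d{2})"            # Huawei marker and log format version
    r"(?P<module>[^/\s]+)/(?P<level>[0-7])/(?P<brief>[^(\s]+)"
    r"\((?P<info_type>[^)]+)\)\[(?P<counter>\d+)\]:"
    r"(?:slot=(?P<slot>[^;]+);\s*)?"   # location information (assumed optional here)
    r"(?P<descriptor>.*)$"
)


@dataclass
class HuaweiLog:
    facility: Optional[int]   # decoded from the leading characters, None for local logs
    timestamp: str
    hostname: str
    version: str
    module: str
    level: int                # field B: 0 (Emergencies) .. 7 (Debugging)
    brief: str
    info_type: str
    counter: int
    slot: Optional[str]
    descriptor: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.level]


def parse_log(line: str) -> Optional[HuaweiLog]:
    """Parse one line; return None when it does not follow the documented layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    pri = m.group("pri")
    return HuaweiLog(
        # Assumption: the leading integer is an RFC 3164 PRI value.
        facility=int(pri) >> 3 if pri is not None else None,
        timestamp=m.group("timestamp").strip(),
        hostname=m.group("hostname"),
        version=m.group("version"),
        module=m.group("module"),
        level=int(m.group("level")),
        brief=m.group("brief"),
        info_type=m.group("info_type"),
        counter=int(m.group("counter")),
        slot=m.group("slot"),
        descriptor=m.group("descriptor"),
    )


def triage(lines: List[str], threshold: int) -> Tuple[list, list, list]:
    """Split lines into (kept, dropped, rejected) using the severity threshold rule."""
    if not 0 <= threshold <= 7:
        raise ValueError("threshold must be in the range 0..7")
    kept, dropped, rejected = [], [], []
    for line in lines:
        rec = parse_log(line)
        if rec is None:
            rejected.append(line)      # malformed input is set aside for review, not lost
        elif rec.level <= threshold:   # output only if level <= configured value
            kept.append(rec)
        else:
            dropped.append(rec)
    return kept, dropped, rejected


# Constructed sample input (not captured from a device).
SAMPLE_LINES = [
    "<188>Dec 31 2013 10:15:02 HUAWEI %%01SHELL/4/LOGIN_FAIL(l)[7]:slot=1; constructed: login failed",
    "<190>Dec 31 2013 10:15:09 HUAWEI %%01SHELL/6/DISPLAY_CMD(l)[8]:slot=1; constructed: display command",
    "HUAWEI %%01IFNET/2/LINK_DOWN(l)[9]:slot=2; constructed: local log, timestamp format none",
    "Dec 31 2013 10:15:30 HUAWEI not a log line",
]
```

Lines that do not match the layout are returned separately so that truncated or unexpected input on the log host is visible to whoever reviews the logs.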

Format of Alarms
Figure 2-3 shows the format of the output alarms.
Figure 2-3 Format of the output alarms

Table 2-4 describes each field in an alarm message.


Table 2-4 Description of each field in an alarm message

Field | Indication | Description
TimeStamp | Time to send out the information | Available formats for the timestamp are as follows:
- boot: The timestamp in this format indicates a relative time.
- date: The timestamp in this format indicates the system time. Timestamps in logs, alarms and debugging information are in this format by default.
- short-date: Unlike the date format, timestamps in the short-date format do not indicate the year.
- format-date: The timestamp in this format is another format of the system time.
- none: indicates that the information does not contain a timestamp.
There is a space between the timestamp and the host name.
HostName | Host name | By default, the name is HUAWEI. There is a space between the sysname and module name.
ModuleName | Module name | Indicates the name of the module that generates an alarm.
Severity | Severity level | Severity levels available for an alarm message are as follows:
- Critical
- Major
- Minor
- Warning
Brief | Brief information | Provides brief information of the alarms.
Description | Description | Provides detailed description of the alarms.

2.1.2 Enabling Log Output


This section describes how to output logs of a specific module to a log file, console, terminal,
or log host.

Before You Start


Before configuring the log output, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
The system logs the operation information about devices in real time. It then outputs logs to the
log buffer, log file, console, terminal, and log host for storage and future reference. In this
manner, when faults occur on devices, users can locate the faults based on the logs.

Pre-configuration Tasks
Before configuring the log output, complete the following tasks:
- Connecting the ATN to the PC properly
- Ensuring that the route between the ATN and the log host is reachable
- Configuring a Virtual Private Network (VPN) instance

Data Preparation
To configure the log output, you need the following data.
No. | Data
1 | Channel number; Channel name
2 | Module name
3 | Address of the log host
4 | Severity level of the log
5 | (Optional) Size of the log buffer
6 | (Optional) VPN instance name

Enabling the Information Center


If the information center function is disabled, you can enable it. By default, this function is
enabled.

Context
The information center classifies and outputs information. When it is heavily loaded with
information processing, system performance degrades.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center enable

The information center is enabled.


By default, the information center is enabled.
----End

(Optional) Naming an Information Channel


Naming an information channel helps clarify what is output by each channel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center channel channel-number name channel-name

A channel is named.
----End

(Optional) Configuring the Function of Filtering Logs by IDs


The binary log function can filter specific logs.

Context
Binary logs provide the function of filtering specified logs by their IDs. To filter certain logs,
the user can obtain IDs of these logs through log resolution tools and add these IDs to the log
filtering list.
After that, the information center does not send these logs in each output direction.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center filter-id { id } &<1-50>

One or more IDs are added and a space is used to separate these IDs.
NOTE

Currently, only 50 IDs can be shielded. The aggregation of these shielded IDs is called a log ID filtering
list. The log ID filtering list is arranged by ID values.

----End

Outputting Logs to the Log Buffer


The log buffer stores the latest logs generated by the system. You can set the log buffer size or
channels in this task.

Procedure
- Configure the channel through which logs are output.
1. Run the following command on the ATN enabled with the information center:
system-view

The system view is displayed.

2. Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ log { state { off | on } | level severity } * ]

Logs are sent to the information channel.

Logs can be output only after the information center is enabled.
- Configure the channel through which logs are output.
1. Run the following command on the ATN enabled with the information center:
system-view

The system view is displayed.

2. Run:
info-center logbuffer [ channel { channel-number | channel-name } ]

The channel through which logs are output to the log buffer is configured.
3. (Optional) Run:
info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *

The size of the log buffer is configured.

After the information center is enabled, logs are output to the log buffer through
Channel 4 by default and the log buffer can cache a maximum of 512 logs.
----End

Outputting Logs to a Log File


When a fault occurs on the device, you locate the fault based on information saved in the log
file.

Procedure
Step 1 Send logs to a channel.
1. Run:
system-view

The system view is displayed.

2. Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ log { state { off | on } | level severity } * ]

Logs are sent to the information channel.

Logs can be output only after the information center is enabled.
Step 2 Configure the channel through which logs are output to the log file.
1. Run:
info-center logfile channel { channel-number | channel-name }

The channel through which logs are output to the log file is configured.
Step 3 (Optional) Configure the size of the log file output by the information center.
1. Run:
info-center logfile size size

The size of the log file is set.

By default, the size of log files is 8 MB.
Step 4 (Optional) Configure the maximum number of compressed log files to be stored.
1. Run:
info-center max-logfile-number filenumbers

The maximum number of compressed log files to be stored is set.

By default, a maximum of 200 compressed log files can be stored. If the configured
maximum number is reached, the system deletes earlier compressed log files.
Step 5 (Optional) Save the configurations to a log file.
1. Run:
save logfile

The configurations are saved to a log file.


----End

Configuring a Device to Send Log Information to a Console


By configuring a device to send log information to a console, you can view the operating status
of the device on the console.

Context
Perform the following operations on the ATN configured with an information center:

Procedure
Step 1 Configure a device to send log information through a channel.
1. Run:
system-view

The system view is displayed.

2. Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ log { state { off | on } | level severity } * ]

Log information is added to the channel.

Log information can be sent only after the information center is enabled.
Step 2 Configure the channel through which log information is sent to the console.
1. Run:
info-center console channel { channel-number | channel-name }

The channel through which log information is sent to the console is configured.
2. Run:
quit

Return to the user view.

Step 3 Enable the terminal display.
1. Run:
terminal monitor

Terminal display is enabled.

2. Run:
terminal logging

The terminal is enabled to display log information asynchronously.

3. (Optional) Run:
terminal echo synchronous

The terminal is enabled to display log information synchronously.


----End

Configuring a Device to Send Log Information to a Terminal


By configuring a device to send log information to a terminal, you can view the operating status
of the device on the terminal.

Procedure
Step 1 Configure a device to send log information through a channel.
1. Run:
system-view

The system view is displayed.

2. Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ log { state { off | on } | level severity } * ]

Log information is added to the channel.

Log information can be sent only after the information center is enabled.
Step 2 Configure the channel through which log information is sent to the terminal.
1. Run:
info-center monitor channel { channel-number | channel-name }

The channel through which log information is sent to the terminal is configured.
2. Run:
quit

Return to the user view.

Step 3 Enable terminal display.
1. Run:
system-view

The system view is displayed.

terminal monitor

Terminal display is enabled.

2. Run:
terminal logging

The terminal is enabled to display log information asynchronously.

3. (Optional) Run:
terminal echo synchronous

The terminal is enabled to display log information synchronously.


----End

Outputting Logs to the Log Host


By outputting logs to the log host, you can view the operating status of the device on the log
host.

Procedure
Step 1 Configure logs to be output through the channel.
1. Run:
system-view

The system view is displayed.

2. Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ log { state { off | on } | level severity } * ]

Logs are added to the information channel.

Step 2 Configure the channel through which logs are output to the log host.
- (On an IPv4 network) Run:
info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { language language-name } | { vpn-instance vpn-instance-name | public-net } ] *

The channel through which logs are output to the log host is configured.
By default, logs are not output to the log host after the information center is enabled.
- (On an IPv6 network) Run:
info-center loghost ipv6 ipv6-address [ channel { channel-number | channel-name } | facility local-number | { language language-name } ] *

The channel through which logs are output to the log host is configured.
By default, logs are not output to the log host.
The system supports the configuration of a maximum of eight log hosts to implement backup
among log hosts.
Step 3 Run:
info-center loghost source interface-type interface-number

A source interface is configured. This interface is recognized by the log host as the log sending
interface.
Each device has multiple interfaces that can send logs. All of these interfaces are configured to
report the source interface's address, if configured, when they send logs. This helps the log host
quickly determine the source device from which the logs were sent.
By default, this interface is not configured, so that the log host will be aware of all actual log
sending interfaces on a device.
----End

Checking the Configuration


Checking the Configuration of Information Center

Prerequisites
The configurations of the Information Center function are complete.

Procedure
- Run the display channel [ channel-number | channel-name ] command to check the configuration of a channel.
- Run the display info-center [ statistics ] command to check the information recorded by an information center.
- Run the display logbuffer [ level severity | size value | slot slot-id ] * command to view the information recorded by a log buffer.
- Run the display info-center filter-id [ id ] command to check whether the ID of a single log is added into the filtering list.
- Run the display info-center filter-id command to check whether IDs of all logs are added into the filtering list.

----End
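
The log-host procedure and the ID filtering list both decide which logs ever leave the device, so a saved configuration is worth reviewing for lines that quietly narrow that output. The checker below is an added example, not Huawei code. It assumes the configuration text lists the commands in the syntax shown in this section, that a log host with no channel option uses Channel 2 (loghost), and that severity is written as a lower-case keyword from Table 2-1 or as its number. The addresses, channel name, module name and filter IDs are constructed.

```python
import re

# Severity keywords in threshold order 0..7 (Table 2-1, lower-cased).
LEVELS = ["emergencies", "alert", "critical", "error",
          "warning", "notification", "informational", "debugging"]
# Default names of Channel 0 to Channel 5 (Table 2-2).
DEFAULT_NAMES = {"console": 0, "monitor": 1, "loghost": 2,
                 "trapbuffer": 3, "logbuffer": 4, "snmpagent": 5}
MAX_LOGHOSTS = 8  # the section allows a maximum of eight log hosts


def _level(token):
    """Accept a severity keyword or its numeric threshold."""
    return int(token) if token.isdigit() else LEVELS.index(token.lower())


def audit_info_center(config_text, required_level="warning"):
    """Return sorted (code, detail) findings about the path from device to log host."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]

    # Pass 1: collect channel renames so later lines may use custom names.
    names = dict(DEFAULT_NAMES)
    for line in lines:
        m = re.fullmatch(r"info-center channel (\d) name (\S+)", line)
        if m:
            names[m.group(2).lower()] = int(m.group(1))

    def channel(token):
        return int(token) if token.isdigit() else names[token.lower()]

    # Pass 2: collect log hosts, their channels, filter IDs and log source rules.
    loghosts, loghost_channels, filter_ids, rules = [], set(), [], []
    source_if = None
    for line in lines:
        if m := re.fullmatch(r"info-center loghost source (.+)", line):
            source_if = m.group(1)
        elif m := re.match(r"info-center loghost (?:ipv6 )?(\S+)(.*)", line):
            ch = re.search(r"\bchannel (\S+)", m.group(2))
            loghosts.append(m.group(1))
            loghost_channels.add(channel(ch.group(1)) if ch else DEFAULT_NAMES["loghost"])
        elif m := re.match(r"info-center filter-id (.+)", line):
            filter_ids += m.group(1).split()
        elif m := re.match(r"info-center source (\S+) channel (\S+)(?: log (.*))?$", line):
            opts = re.split(r"\b(?:trap|debug)\b", m.group(3) or "")[0]  # log options only
            state = re.search(r"\bstate (on|off)\b", opts)
            level = re.search(r"\blevel (\S+)", opts)
            rules.append((m.group(1), channel(m.group(2)),
                          state.group(1) if state else None,
                          _level(level.group(1)) if level else None))

    findings = []
    if not loghosts:
        findings.append(("NO_LOGHOST", "logs are not output to a log host by default"))
    if len(loghosts) > MAX_LOGHOSTS:
        findings.append(("TOO_MANY_LOGHOSTS", f"{len(loghosts)} configured"))
    if loghosts and source_if is None:
        findings.append(("NO_SOURCE_INTERFACE", "log host sees every sending interface"))
    if filter_ids:
        findings.append(("FILTERED_IDS", " ".join(filter_ids)))  # hidden in every direction
    need = _level(required_level)
    for module, ch, state, level in rules:
        if ch not in loghost_channels:
            continue  # rule does not feed a log host
        if state == "off":
            findings.append(("LOG_STATE_OFF", f"{module} on channel {ch}"))
        elif level is not None and level < need:
            findings.append(("LEVEL_TOO_RESTRICTIVE",
                             f"{module} on channel {ch}: {LEVELS[level]}"))
    return sorted(findings)


# Constructed configuration that narrows what reaches the log hosts.
WEAK_CONFIG = """
info-center channel 6 name seclog
info-center source default channel seclog log level error
info-center source SHELL channel 2 log state off
info-center loghost 192.0.2.10 channel seclog
info-center loghost 192.0.2.11
info-center filter-id 1077514264 1077514265
"""

# Constructed configuration that passes every check above.
REVIEWED_CONFIG = """
info-center channel 6 name seclog
info-center source default channel seclog log level informational
info-center loghost source LoopBack 0
info-center loghost 192.0.2.10 channel seclog
"""
```

Only explicit source rules are evaluated; a module with no rule on a log-host channel keeps the device defaults and produces no finding.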

2.1.3 Enabling Alarm Output


This section describes how to configure a specific module to output alarm information to log
files, consoles, terminals, or SNMP agents.

Before You Start


Before configuring the alarm output, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
The device can generate alarms in specific situations to draw the attention of administrators.
Alarms can be output to the alarm buffer, log file, console, terminal, and Network Management
System (NMS), through which the administrator can easily locate and rectify the fault.

Pre-configuration Tasks
Before enabling alarm output, complete the following tasks:
- Connecting the ATN and the NM station correctly
- Configuring routes between the ATN and the NM station

Data Preparation
To configure alarm output, you need the following data.
No. | Data
1 | Channel number; Channel name
2 | Module name
3 | Severity level of alarms
4 | (Optional) Size of an alarm buffer
5 | IP address of Network Management System

Enabling the Information Center


If the information center function is disabled, you can enable it. By default, this function is
enabled.

Context
Classifying and outputting a large amount of information degrades system performance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center enable

The information center is enabled.


By default, the information center is enabled.
----End

(Optional) Naming an Information Channel


Naming information channels helps clarify what is output by each channel.

Context
Perform the following steps on the ATN configured with the information center.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center channel channel-number name channel-name

The information channel specified by the channel-number is named as channel-name.


----End

Outputting Alarms to the Alarm Buffer


By default, alarms are output to the alarm buffer through a default channel. You can configure
alarms to be output through a specific channel.

Context
Perform the following steps on the ATN configured with the information center:

Procedure
Step 1 Configure the alarms to be output through the channel.
1. Run:
system-view

The system view is displayed.

2. Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ trap { state { off | on } | level severity } * ]

Alarms are added to the information channel.

For the specific modules, the default configurations are as follows:
- For the log information, the state is on and the allowed information level is warning.
- For the alarm information, the state is on and the allowed information level is debugging.
- For the debugging information, the state is off.
Step 2 Configure the channel through which alarms are output to the alarm buffer.
1. Run:
info-center trapbuffer [ channel { channel-number | channel-name } ]

The alarm buffer is set to receive information.

2. (Optional) Run:
info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *

The channel through which alarms are output to the alarm buffer is configured.
After the information center is enabled, alarms are output to the alarm buffer through Channel 3
by default, and the alarm buffer can contain 256 pieces of information.
----End

Outputting Alarms to the Log File


When a fault occurs on the device, you can analyze the output alarms to provide references for
fault location.

Context
Perform the following steps on the ATN configured with the information center:

Procedure
Step 1 Send logs to the channel.
1. Run:
system-view

The system view is displayed.

2. Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ trap { state { off | on } | level severity } * ]

Alarms are added to the information channel.

For the specific modules, the default configurations are as follows:
- For the log information, the state is on and the allowed information level is warning.
- For the alarm information, the state is on and the allowed information level is debugging.
- For the debugging information, the state is off.
Step 2 Configure the channel through which alarms are output to the log file.
1. Run:
info-center logfile channel { channel-number | channel-name }

The channel through which alarms are output to the log file is configured.
By default, alarms are output through Channel 9 to the log file after the information center
is enabled.
Step 3 (Optional) Configure the size of the log file output by the information center.
1. Run:
info-center logfile size size

The size of the log file is set.

By default, the size of log files is 8 MB.
Step 4 (Optional) Configure the maximum number of compressed log files to be stored.
1. Run:
info-center max-logfile-number filenumbers

The maximum number of compressed log files to be stored is set.

By default, a maximum of 200 compressed log files can be stored. If the configured
maximum number is reached, the system deletes earlier compressed log files.
Step 5 (Optional) Save the configurations to a log file.
1. Run:
save logfile

The configurations are saved to a log file.


----End

Configuring a Device to Send Trap Information to a Console


By outputting alarms to the console, you can view the operating status of the device on the
console.

Context
Perform the following operations on the ATN configured with an information center:

Procedure
Step 1 Configure a device to send trap information through a channel.
1. Run:
system-view

The system view is displayed.

2. Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ trap { state { off | on } | level severity } * ]

Trap information is added to the channel.

For a specific module, the default configurations are as follows:
- For the log information, the state is on and the allowed information level is warning.
- For the trap information, the state is on and the allowed information level is debugging.
- For the debugging information, the state is off.
Step 2 Configure the channel through which trap information is sent to the console.
1. Run:
info-center console channel { channel-number | channel-name }

The channel through which trap information is sent to the console is configured.
By default, trap information is sent to the console through channel 0.
2. Run:
quit

Return to the user view.

Step 3 Enable terminal display.
1. Run:
terminal monitor

Terminal display is enabled.

2. Run:
terminal trapping

The terminal is enabled to display trap information asynchronously.

3. (Optional) Run:
terminal echo synchronous

The terminal is enabled to display trap information synchronously.


----End

Configuring a Device to Send Trap Information to a Terminal


By configuring a device to send trap information to a terminal, you can view the operating status
of the device on the terminal.

Context
Perform the following operations on the ATN configured with an information center:

Procedure
Step 1 Configure a device to send trap information through a channel.
1.

Run:
system-view

The system view is displayed.


2.

Run:
info-center source { module-name | default } channel { channel-number | channelname } [ trap { state { off | on } | level severity } * ]

Trap information is added to the channel.


For a specific module, the default configurations are as follows:
For the log information, the state is on and the allowed information level is warning.
For the trap information, the state is on and the allowed information level is debugging.
For the debugging information, the state is off.
Step 2 Configure the channel through which trap information is sent to the terminal.
1.

Run:
info-center monitor channel { channel-number | channel-name }

The channel through which trap information is sent to the terminal is configured.
By default, trap information is sent to the terminal through channel 1.
2.

Run:
quit

Return to the user view.


Step 3 Enable terminal display.
1.

Run:
terminal monitor

Terminal display is enabled.


2.

Run:
terminal trapping

The terminal is enabled to display trap information asynchronously.


3.

(Optional) Run:
terminal echo synchronous

The terminal is enabled to display trap information synchronously.


----End

Outputting Alarms to the SNMP Agent


By outputting alarms to the SNMP agent, you can view the operating status of the device on the
NMS.

Context
Perform the following steps on the ATN configured with the information center:

Procedure
Step 1 Configure the alarms to be output through the channel.
1.

Run:
system-view

The system view is displayed.


2.

Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ trap { state { off | on } | level severity } * ]

Alarms are added to the information channel.


For the specific modules, the default configurations are as follows:
For the log information, the state is on and the allowed information level is warning.
For the alarm information, the state is on and the allowed information level is
debugging.
For the debugging information, the state is off.
Step 2 Configure the channel through which alarms are output to the SNMP agent.
1.

Run:
info-center snmp channel { channel-number | channel-name }

The channel through which alarms are output to the SNMP agent is configured.
By default, alarms are output to the SNMP agent through Channel 5.


2.

Run:
snmp-agent

SNMP agent is enabled.


----End

Checking the Configuration


After configuring the alarm output, you can use related commands to confirm the configuration.

Prerequisites
The configurations of the Alarm output function are complete.

Procedure
- Run the display channel [ channel-number | channel-name ] command to check the
  configuration of a channel.
- Run the display info-center [ statistics ] command to check the information recorded by
  the information center.
- Run the display trapbuffer [ size value ] command to check the information recorded by
  the alarm buffer.

----End

2.1.4 Enabling the Output of Debugging Information


This section describes how to configure a specific module to output debugging information to
log files, consoles, terminals, or SNMP agents.

Context

NOTICE
Debugging degrades system performance. Therefore, after debugging, run the undo debugging
all command to disable debugging immediately. When the CPU usage is close to 100%,
debugging ARP may cause boards to reset. So, confirm the action before you use the command.

Before You Start


Before configuring the debugging message output, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
When faults occur on a device, you can enable the information center to output debugging
information to help locate and analyze the faults.

Pre-configuration Tasks
Before enabling the output of debugging information, complete the following tasks:
- Connecting the ATN and the PC correctly
- Configuring routes between the ATN and the log host

Data Preparation
To enable the output of debugging information, you need the following data.
No.  Data
1    Channel number, channel name
2    Module name
3    Severity level of debugging information
4    IP address of a log host

Enabling the Information Center


If the information center function is disabled, you can enable it. By default, this function is
enabled.

Context
Classifying and outputting a large amount of information degrades system performance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center enable

The information center is enabled.


By default, the information center is enabled.
----End

(Optional) Naming an Information Channel


Naming information channels helps clarify what is output by each channel.

Context
Perform the following steps on the ATN configured with the information center.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
info-center channel channel-number name channel-name

The name of the specified channel is set.


----End

Outputting Debugging Information to the Log File


When a fault occurs on the device, you can analyze the output debugging messages to provide
references for fault location.

Context
Perform the following steps on the ATN configured with the information center:

Procedure
Step 1 Configure debugging information to be output through the channel.
1.

Run:
system-view

The system view is displayed.


2.

Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ debug { state { off | on } | level severity } * ]

Debugging information is added to the information channel.


For the specific modules, the default configurations are as follows:
For the log information, the state is on and the allowed information level is warning.
For the alarm information, the state is on and the allowed information level is
debugging.
For the debugging information, the state is off.
Step 2 Configure the channel through which debugging information is output to the log file.
1.

Run:
info-center logfile channel { channel-number | channel-name }

The channel through which debugging information is output to the log file is configured.
Step 3 (Optional) Configure the size of the log file output by the information center.
1.

Run:
info-center logfile size size

By default, the debugging information is not saved in the log file. If you want the debugging
information to be saved in the log file, run the info-center source default channel 9
debug state on level severity command to add records to the information channel.
Step 4 (Optional) Configure the maximum number of compressed log files to be stored.
1.

Run:
info-center max-logfile-number filenumbers

The maximum number of compressed log files to be stored is set.


By default, a maximum number of 200 compressed log files can be stored. If the configured
maximum number is reached, the system will delete earlier compressed log files.
Step 5 (Optional) Save the configurations to a log file.
1.

Run:

save logfile

The configurations are saved to a log file.


----End

Configuring a Device to Send Debugging Information to a Console


After you use a console to log in to a device, configure the device to send debugging information
to the console for real-time query.

Context
Perform the following operations on the ATN configured with an information center:

Procedure
Step 1 Configure a device to send debugging information through a channel.
1.

Run:
system-view

The system view is displayed.


2.

Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ debug { state { off | on } | level severity } * ]

Debugging information is added to the channel.


For a specific module, the default configurations are as follows:
For the log information, the state is on and the allowed information level is warning.
For the trap information, the state is on and the allowed information level is debugging.
For the debugging information, the state is off.
Step 2 Configure the channel through which debugging information is sent to the console.
1.

Run:
info-center console channel { channel-number | channel-name }

The channel through which debugging information is sent to the console is configured.
2.

Run:
quit

Return to the user view.


Step 3 Enable terminal display.
1.

Run:
terminal monitor

Terminal display is enabled.


2.

Run:
terminal debugging

The terminal is enabled to display debugging information asynchronously.


3.

(Optional) Run:
terminal echo synchronous

The terminal is enabled to display debugging information synchronously.


----End

Configuring a Device to Send Debugging Information to a Terminal


After you use a terminal to log in to a device, configure the device to send debugging information
to the terminal for real-time query.

Context
Perform the following operations on the ATN configured with an information center:

Procedure
Step 1 Configure a device to send debugging information through a channel.
1.

Run:
system-view

The system view is displayed.


2.

Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ debug { state { off | on } | level severity } * ]

Debugging information is added to the channel.


For a specific module, the default configurations are as follows:
For the log information, the state is on and the allowed information level is warning.
For the trap information, the state is on and the allowed information level is debugging.
For the debugging information, the state is off.
Step 2 Configure the channel through which debugging information is sent to the terminal.
1.

Run:
info-center monitor channel { channel-number | channel-name }

The channel through which debugging information is sent to the terminal is configured.
2.

Run:
quit

Return to the user view.


Step 3 Enable terminal display.
1.

Run:
terminal monitor

Terminal display is enabled.


2.

Run:
terminal debugging

The terminal is enabled to display debugging information asynchronously.


3.

(Optional) Run:
terminal echo synchronous

The terminal is enabled to display debugging information synchronously.


----End

Outputting Debugging Information to the Log Host


By outputting debugging messages to the log host, you can view debugging messages more
conveniently.

Procedure
Step 1 Configure debugging information to be output through the channel.
1.

Run:
system-view

The system view is displayed.


2.

Run:
info-center source { module-name | default } channel { channel-number | channel-name } [ debug { state { off | on } | level severity } * ]

Debugging information is added to the information channel.


Step 2 Configure the channel through which debugging information is output to the log host.
- (On an IPv4 network) Run:
info-center loghost ip-address [ channel { channel-number | channel-name } |
facility local-number | { language language-name } | { vpn-instance vpn-instance-name | public-net } ] *

The channel through which debugging information is output to the log host is configured.
By default, debugging information is not output to the log host after the information center
is enabled.
The system supports the configuration of a maximum of eight log hosts to implement backup
among log hosts.
Step 3 Run:
info-center loghost source interface-type interface-number

A source interface is configured. This interface is recognized by the log host as the log sending
interface.
Each device has multiple interfaces that can send logs. All of these interfaces are configured to
report the source interface's address, if configured, when they send logs. This helps the log host
quickly determine the source device from which the logs were sent.
By default, this interface is not configured, so that the log host will be aware of all actual log
sending interfaces on a device.
----End

Checking the Configuration


After configuring the debugging message output, you can view the configuration of the
information center.

Prerequisites
The configurations of the Debugging Information function are complete.

Procedure
- Run the display channel [ channel-number | channel-name ] command to check the
  configuration of a channel.
- Run the display info-center [ statistics ] command to check the information recorded by
  an information center.

----End

2.1.5 Maintaining Information Center


This section describes how to run the following commands to delete messages in the buffer of
the information center. Note that deleted messages cannot be restored.

Context

NOTICE
Statistics about the information center cannot be restored after being cleared. So, confirm the
action before you use the command.

Procedure
- To clear statistics about the information center, run the reset info-center statistics
  command in the user view.
- To clear statistics about the log buffer, run the reset logbuffer command in the user view.
- To clear statistics about the alarm buffer, run the reset trapbuffer command in the user
  view.

----End

2.1.6 Information Center Configuration Examples


This section provides information center configuration examples.

Example for Outputting Logs to the Log File


This part describes how to output logs of a specific module or specific severity level to the log
file. This helps maintenance engineers monitor the operating status of the device and locate
faults on the device by checking the output logs.

Networking Requirements
As shown in Figure 2-4, ATNA is required to transport logs to a File Transfer Protocol (FTP)
server so that maintenance engineers can easily obtain the operation status of ATNA and locate
the faults occurring on ATNA.
Figure 2-4 Networking diagram of outputting logs to the log file
[Figure: ATNA (GE0/2/0, 10.2.1.1/16) connects through an IP network to the FTP Server (10.1.1.1/16).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center.
2. Configure the contents of the logs to be output.
3. Configure the channel through which logs are output.
4. Set logs to be output to the FTP server.

Data Preparation
To complete the configuration, you need the following data:
- IP address of each interface
- Information channel number
- Module enabled to output logs
- Severity levels of logs
- Language in which logs are output
- IP address of the FTP server
- User name and password of the FTP server

Procedure
Step 1 Configure the routing protocol to make the ATN device and the FTP server reachable. (The
detailed procedure is not mentioned here.)
Step 2 Configure the channel used to output logs.
# Enable the information center.
<HUAWEI> system-view
[HUAWEI] sysname ATNA
[ATNA] info-center enable

Step 3 Configure the logs to be output through the channel.


# Configure the module enabled to output logs and the severity levels of logs allowed to be
output.
[ATNA] info-center source ip channel channel9 log level warning

Step 4 Configure the channel through which logs are output.


# Configure the channel through which logs are output to the log file.
[ATNA] info-center logfile channel channel9
[ATNA] quit

Step 5 Set logs to be output to the FTP server.


# Log in to the FTP server.
<ATNA> ftp 10.1.1.1

# Set logs to be output to the FTP server.


[ftp] put 2007_07.log
[ftp] quit
[ATNA] quit
<ATNA>

Step 6 Verify the configuration.


# View the logs output through the channel.
<ATNA> display info-center
Information Center:enabled
logfile:
channel number : 9, channel name : channel9, language : english

Information timestamp setting:


log - date, trap - date, debug - boot
Sent messages = 5753, Received messages = 5866
IO Reg messages = 124 IO Sent messages = 114

# View the received logs on the FTP server. (The display is omitted here.)
----End

Configuration Files
#
sysname ATNA
#
info-center source IP channel 9 log level warning
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.2.1.1 255.255.0.0
#
ip route-static 10.1.0.0 255.255.0.0 10.2.1.2
#
return

Example for Outputting Logs to Log Hosts


This part describes how to output logs of different modules or severity levels to different log
hosts, and how to configure backup log hosts for backing up logs.

Networking Requirements
As shown in Figure 2-5, it is required to output logs of multiple types and severity levels to
different log hosts through information channels.
ATN sends the logs (with the severity level as notification) generated on the Forwarding
Information Base (FIB) module and the IP module to the log host Server 1. Server 3 functions
as a backup ATN device of Server 1.
ATN sends the logs (with the severity level as warning) generated on the Point-to-Point Protocol
(PPP) module and the AAA module to the log host Server 1. Server 4 functions as a backup
ATN device of Server 2.
Both the ATN and the log hosts need to be configured.

Figure 2-5 Networking diagram of outputting logs to the log host
[Figure: ATN (GE0/2/0, 172.168.0.1/24) connects to Server 1 (10.1.1.1/24), Server 3 (10.1.1.2/24),
Server 2 (10.2.1.1/24) and Server 4 (10.2.1.2/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center.
2. Name the channel.
3. Specify the module enabled to output logs.
4. Configure the channel for outputting logs.
5. Configure the source interface that sends logs.
6. Configure the log host.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the log host
- Information channel number
- Name of the channel through which logs are output
- Module enabled to output logs
- Information severity level
- Language in which the log is output

Procedure
Step 1 Configure routing protocols to make the ATN device and log server routable. (The detailed
procedure is not mentioned here.)
Step 2 Configure the channel for outputting logs.
# Enable the information center.
<HUAWEI> system-view

[HUAWEI] info-center enable

Step 3 Name the channel.


# Name the channel through which logs are output.
[HUAWEI] info-center channel 6 name loghost1

Step 4 Configure the channel through which logs are output.


# Configure the module enabled to output logs and the severity levels of logs allowed to be
output.
[HUAWEI] info-center source fib channel loghost log level notification
[HUAWEI] info-center source ip channel loghost log level notification
[HUAWEI] info-center source ppp channel loghost1 log level warning
[HUAWEI] info-center source aaa channel loghost1 log level warning

Step 5 Configure the source interface that sends logs.


# Configure the source interface that sends logs.
[HUAWEI] info-center loghost source gigabitethernet0/2/0

Step 6 Configure the logs to be output to a specified log host.


# Specify Server 1 as the log server and Server 3 as the backup log server to receive the logs
from the FIB module and the IP module. The logs are output in English, by Local2.
[HUAWEI] info-center loghost 10.1.1.1 channel loghost facility local2 language
english
[HUAWEI] info-center loghost 10.1.1.3 channel loghost facility local2 language
english

# Specify Server 2 as the log server and Server 4 as the backup log server to receive the logs
from the PPP module and the AAA module. The logs are output by Local4.
[HUAWEI] info-center loghost 10.2.1.2 channel loghost1 facility local4 language
english
[HUAWEI] info-center loghost 10.2.1.4 channel loghost1 facility local4 language
english

Step 7 Configure the log server.


A log server collects the logs of the device because the storage memory of the ATN device is not
large enough to record the generated logs.
A log server can run a UNIX or Linux operating system or third-party log software.
A host running UNIX or Linux can collect logs once Syslog is enabled on it.
The following uses a host running Linux as an example.
- To create log files:
  Run the touch loghost.info command in the directory /var/log to create the file loghost.info,
  which records logs of the ATN device.
- To edit configuration files:
  Edit /etc/syslog.conf to loghost.info /var/log/ATN device.log, that is, specify the log host
  name. Logs with the severity level informational are then output to /var/log/loghost.log of
  the system.
- To configure the file /etc/sysconfig/syslog:
  Modify SYSLOGD_OPTIONS="-m 0" to SYSLOGD_OPTIONS="-r -m 0", enabling the system to record
  the logs of remote devices.
- To enable Syslog:
  Run the service syslog restart command.
For a host running third-party log software, configure that software to implement the log
collection function on the host. For example, the HUAWEI iManager U2000 supports the log
management function and can therefore receive, filter, save, and forward the Syslog messages
sent by the device, or trigger other actions.
Step 8 Verify the configuration.
# Display the configuration of the log host.
<HUAWEI> display info-center
Information Center:enabled
Log host:
the interface name of the source address:gigabitethernet0/2/0
10.1.1.1, channel number 2, channel name loghost,
language english , host facility local2
10.1.1.3, channel number 2, channel name loghost,
language english , host facility local2
10.2.1.2, channel number 6, channel name loghost1
language english , host facility local4
10.2.1.4, channel number 6, channel name loghost1
language english , host facility local4
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 50, channel number : 4, channel name : logbuffer
dropped messages 13, overwritten messages 3
Trap buffer:
enabled,max buffer size 1024, current buffer size 256,
current messages 2, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
Information timestamp setting:
log - date, trap - date, debug - boot
Sent messages = 683, Received messages = 682
IO Reg messages = 0 IO Sent messages = 0

----End

Configuration Files
#
sysname HUAWEI
#
info-center channel 6 name loghost1
info-center source FIB channel 2 log level notification
info-center source IP channel 2 log level notification

info-center source PPP channel 6 log level warning


info-center source AAA channel 6 log level warning
info-center loghost source gigabitethernet0/2/0
info-center loghost 10.1.1.1 facility local2
info-center loghost 10.1.1.3 facility local2
info-center loghost 10.2.1.2 channel 6 facility local4
info-center loghost 10.2.1.4 channel 6 facility local4
#
interface gigabitethernet0/2/0
undo shutdown
ip address 172.168.0.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 172.168.0.2
ip route-static 10.2.1.0 255.255.255.0 172.168.0.2
#
return
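
The channel indirection used in this example (module to channel, channel to log host) can be checked offline from a saved configuration file. The following script is an added example, not part of the Huawei documentation: it resolves channel names and numbers, lists which log hosts receive each module's logs, and reports channels whose logs reach no log host or only one. The sample text, the finding names, and the default names for channels 6 and 8 are assumptions made for the example.

```python
from collections import defaultdict

# Channel names as printed by "display info-center" on this page. The names for
# channels 6 and 8 are assumed to follow the channelN pattern of 7 and 9.
DEFAULT_CHANNEL_NAMES = {
    0: "console", 1: "monitor", 2: "loghost", 3: "trapbuffer", 4: "logbuffer",
    5: "snmpagent", 6: "channel6", 7: "channel7", 8: "channel8", 9: "channel9",
}
LOGHOST_DEFAULT_CHANNEL = "2"  # channel used when a loghost line names none

# Constructed sample modelled on the Configuration Files listing above. The
# backup host for channel 6 is left out and an ARP source is added so that
# both kinds of finding appear.
SAMPLE_CONFIG = """\
#
sysname HUAWEI
#
info-center channel 6 name loghost1
info-center source FIB channel 2 log level notification
info-center source IP channel loghost log level notification
info-center source PPP channel 6 log level warning
info-center source AAA channel loghost1 log level warning
info-center source ARP channel 7 log level warning
info-center loghost source gigabitethernet0/2/0
info-center loghost 10.1.1.1 facility local2
info-center loghost 10.1.1.3 facility local2
info-center loghost 10.2.1.2 channel 6 facility local4
#
return
"""


def _option(tokens, keyword):
    """Return the token that follows keyword, or None when it is absent."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None


def _resolve(ref, names):
    """Map a channel number or channel name to the channel number."""
    if ref.isdigit():
        return int(ref)
    for number, name in names.items():
        if name == ref:
            return number
    raise ValueError("unknown channel name: " + ref)


def build_routes(config_text):
    """Return {channel: {"name", "modules", "hosts"}} for log output."""
    names = dict(DEFAULT_CHANNEL_NAMES)
    sources, hosts = [], []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "info-center":
            continue
        if t[1] == "channel" and len(t) >= 5 and t[3] == "name":
            names[int(t[2])] = t[4]          # info-center channel 6 name loghost1
        elif t[1] == "source" and "log" in t[3:]:
            ref = _option(t[3:], "channel")
            if ref is not None:
                sources.append((t[2].upper(), ref, _option(t[3:], "level")))
        elif t[1] == "loghost" and t[2] != "source":
            ref = _option(t[3:], "channel") or LOGHOST_DEFAULT_CHANNEL
            hosts.append((t[2], ref, _option(t[3:], "facility")))
    # Resolve only after the whole file is read so that renames apply everywhere.
    routes = defaultdict(lambda: {"modules": [], "hosts": []})
    for module, ref, level in sources:
        routes[_resolve(ref, names)]["modules"].append((module, level))
    for ip, ref, facility in hosts:
        routes[_resolve(ref, names)]["hosts"].append((ip, facility))
    return {n: dict(routes[n], name=names.get(n, "channel%d" % n))
            for n in sorted(routes)}


def audit_loghosts(routes):
    """Return (finding, channel, detail) tuples for log-host delivery gaps."""
    findings = []
    for number, route in routes.items():
        if not route["hosts"]:
            findings += [("no-loghost", number, m) for m, _ in route["modules"]]
        elif route["modules"] and len(route["hosts"]) == 1:
            findings.append(("no-backup", number, route["hosts"][0][0]))
    return findings


if __name__ == "__main__":
    table = build_routes(SAMPLE_CONFIG)
    for number, route in table.items():
        print(number, route["name"], route["modules"], route["hosts"])
    for finding in audit_loghosts(table):
        print("FINDING", finding)
```

A "no-loghost" finding only means that the module's logs are not forwarded to a log host; the channel may still feed the console, a log file, or the SNMP agent.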

Example for Configuring Binary Logs to be sent to the Log Host


This part describes how to output logs to the log host in binary mode. Outputting logs in binary
mode can effectively lighten the network load.

Networking Requirements
As shown in Figure 2-6, binary logs generated on ATNA are sent to the log host in real time.
Users or maintenance personnel can analyze the log through log analysis tools and locate the
fault.
Figure 2-6 Example for Configuring Binary Logs to be sent to the Log Host
[Figure: ATNA (GE0/2/0, 11.1.1.1/24) connects to Loghost (11.1.1.6/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center on the ATN device.
2. Add the ID of a log to be filtered.
3. Configure binary logs to be sent to the log host.

Data Preparation
To complete the configuration, you need the following data:
- ID of the log to be filtered
- IP address of the FTP server
- User name and password used for logging in to the FTP server
- IP address of the log host

Procedure
Step 1 Configure routes between ATNA and Loghost. (The detailed procedure is not mentioned here.)
Step 2 Enable the information center.
# Enable the information center.
<HUAWEI> system-view
[HUAWEI] info-center enable

Step 3 Add the ID of a log to be filtered.


# Configure the module and channel used to output alarm messages.
[HUAWEI] info-center filter-id 1077514264

Step 4 Configure binary logs to be sent to the log host.


[HUAWEI] info-center loghost 11.1.1.6 binary

Step 5 Verify the configuration.


# Check the added ID of the log to be filtered.
[HUAWEI] display info-center filter-id 1077514264
ID:      1077514264
Content: task: [string] ip: [string] user: [string] command: [string]
Filtered Number: 3

# Check the channel used by the SNMP agent to output alarms.


[HUAWEI] display info-center
Information Center:enabled
Log host:
11.1.1.1, channel number 2, channel name loghost,
language english , host facility local7, binary
loghost
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 512, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 14
Trap buffer:
enabled,max buffer size 1024, current buffer size 256,
current messages 256, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 238
logfile:
channel number : 9, channel name : channel9, language : english
Information timestamp setting:
log - formate-date millisecond, trap - date, debug - date
Sent messages = 49890, Received messages = 50171
IO Reg messages = 123 IO Sent messages = 282

----End

Configuration Files
#

sysname HUAWEI
#
interface gigabitethernet0/2/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
info-center filter-id 1077514264
info-center source FIB channel 0 log level alert
info-center loghost 11.1.1.6 binary
#
return

Example for Outputting Alarms to the SNMP Agent


After alarms are output to the SNMP agent, the NM Station can receive the alarms sent from
the device.

Networking Requirements
As shown in Figure 2-7, alarms must first be output to the SNMP agent, which then transmits
them to the NM Station.
Figure 2-7 Networking diagram of outputting alarms to the SNMP Agent
[Figure: Agent (GE0/2/0, 10.1.1.2/24) connects to the NM Station (10.1.1.1/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center on the ATN device.
2. Specify the module enabled to output logs and configure the channel through which the
   alarm is output.
3. Enable outputting alarm to the SNMP agent.
4. Enable transmitting alarms to the NM Station through SNMP.

Data Preparation
To complete the configuration, you need the following data:
- Information channel number
- Module enabled to output alarms
- Severity levels of alarms

Procedure
Step 1 Enable the information center.
<HUAWEI> system-view
[HUAWEI] info-center enable

Step 2 Specify the module enabled to output alarms and configure the channel used to output alarms.
# Specify the module enabled to output alarms and configure the channel used to output alarms.
[HUAWEI] info-center source ip channel channel7 trap level informational state on
NOTE

By default, alarms are output through the SNMP agent and information about all modules is displayed.

Step 3 Enable outputting alarms to the SNMP agent.


# Enable outputting alarms to the SNMP agent.
[HUAWEI] info-center snmp channel channel7

Step 4 Enable transmitting alarms to the NM Station through SNMP agent.


# Start the SNMP agent and set the SNMP version to SNMPv2c.
[HUAWEI] snmp-agent sys-info version v2c

# Configure the alarm function.


[HUAWEI] snmp-agent trap enable
[HUAWEI] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname public

Step 5 Verify the configuration.


# View the channel used to output alarms to the SNMP agent.
[HUAWEI] display info-center
Information Center:enabled
SNMP Agent:
channel number : 7, channel name : channel7

# View the alarms output through the channel selected by SNMP agent.
[HUAWEI] display channel 7
channel number:7, channel name:channel7
MODU_ID  NAME     ENABLE LOG_LEVEL  ENABLE TRAP_LEVEL     ENABLE DEBUG_LEVEL
ffff0000 default  Y      debugging  Y      debugging      N      debugging
416a0000 IP       Y      debugging  Y      informational  N      debugging

# View the alarms output to the NM Station through SNMP agent.


[HUAWEI] display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address    : 10.1.1.1
VPN instance  :
Security name : public
Port          : 3000
Type          : trap
Version       : v1
Level         : No authentication and privacy
NMS type      : NMS
-----------------------------------------------------------

----End

Configuration Files
#
sysname HUAWEI
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100003598
snmp-agent community write write
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
snmp-agent trap enable
#
return

Example for Outputting the Debugging Information to the Console


After debugging messages are configured to be output to the console, when a fault occurs on the
device you can log in to the device through the console and run the debugging command to view
debugging messages.

Networking Requirements
As shown in Figure 2-8, it is required to output the debugging information of the Address
Resolution Protocol (ARP) module to the Console.
Figure 2-8 Networking diagram of outputting information to the Console
[Diagram: a PC connected to the Console port of the ATN]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center.
2. Set the logs to be output to the Console and the information source.
3. Configure the channel through which the debugging information is output.
4. Enable the terminal monitor function and display the debugging information.

Data Preparation
To complete the configuration, you need the following data:
- Information channel number
- Module enabled to output the logs
- Information severity level

Procedure
Step 1 Enable the information center.
<HUAWEI> system-view
[HUAWEI] info-center enable

Step 2 Allow the debugging on the ARP module to be output to the Console with the severity level of
the information as debugging.
[HUAWEI] info-center source arp channel console debug level debugging
[HUAWEI] info-center console channel console
[HUAWEI] quit

Step 3 Enable the terminal monitor function to display the debugging information.
<HUAWEI> terminal monitor
<HUAWEI> terminal debugging

Step 4 Enable ARP module debugging.


<HUAWEI> debugging arp packet

Step 5 Verify the configuration.


# View the configuration of the channel.
<HUAWEI> display channel 0
channel number:0, channel name:console
MODU_ID  NAME     ENABLE LOG_LEVEL  ENABLE TRAP_LEVEL  ENABLE DEBUG_LEVEL
ffff0000 default  Y      warning    Y      debugging   Y      debugging
810000   ARP      Y      warning    Y      debugging   Y      debugging

----End

Configuration Files
#
sysname HUAWEI
#
info-center source arp channel 0
#
return

2.2 SNMP Configuration


The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. You can configure one or more versions, if
needed.


2.2.1 Introduction
SNMP provides a set of standard protocols for the communication between the network
management station (NM station) and devices, allowing the NM station to normally manage
devices and receive alarms reported by the devices.

SNMP Overview
NM stations can perform Get and Set operations on a managed device that runs the SNMP agent to
manage device objects. These objects are uniquely identified in the Management Information
Base (MIB).
As network services develop, more devices are deployed on existing networks. The devices are
not close to the central equipment room where a network administrator works. When faults occur
on the remote devices, the network administrator cannot detect, locate or rectify faults
immediately because the devices do not report the faults. This affects maintenance efficiency
and greatly increases maintenance workload.
To solve this problem, equipment vendors have provided network management functions in
some products. These functions allow the NM station to query the status of remote devices, and
devices can send alarms to the NM station in the case of particular events.
SNMP operates at the application layer of the IP suite and defines how to transmit management
information between the NM station and devices. SNMP defines several device management
operations that the NM station can perform and allows devices to send alarms to notify the NM
station of device faults.
An SNMP-managed network consists of three components: NM station, agent, and managed
device. The NM station uses the MIB to identify and manage device objects. The operations
used for device management include GetRequest, GetNextRequest, GetResponse, GetBulk,
SetRequest, and notification from the agent to the NM station. The following sections give details
on the components, MIB, and operations.

SNMP Components
SNMP device management uses the following three components:
- NM station: sends various query packets to query managed devices and receives alarms
  from these devices.
- Agent: is a network-management process on a managed device. An agent has the following
  functions:
  - Receives and parses query packets sent from the NM station.
  - Reads or writes management variables based on the query type, and generates and sends
    response packets to the NM station.
  - Sends an alarm to the NM station when triggering conditions defined on each protocol
    module corresponding to the alarm are met. For example, the system view is displayed
    or closed, or the device is restarted.
- Managed device: is managed by an NM station and generates and reports alarms to the NM
  station.

Figure 2-9 shows the relationship between the NM station and agent.
Figure 2-9 SNMP structure
[Diagram: the NM station sends requests to the agent and receives responses on UDP port 161; the agent sends traps to the NM station on UDP port 162]

MIB
SNMP uses a hierarchical naming convention to identify managed objects and to distinguish
between managed objects. This hierarchical structure is similar to a tree with the nodes
representing managed objects. Figure 2-10 shows a managed object that can be identified by
the path from the root to the node representing it.
Figure 2-10 Structure of a MIB tree
[Diagram: a tree of numbered nodes, including objects A and B]

As shown in Figure 2-10, object B is uniquely identified by a string of numbers, {1.2.1.1}. Such
a number string is called an Object Identifier (OID). A MIB tree is used to describe the hierarchy
of data in a MIB that collects the definitions of variables on the managed devices.
A user can use a standard MIB or define a MIB based on certain standards. Using a standard
MIB can reduce the costs on proxy deployment and therefore reduce the costs on the entire
network management system.

SNMP Operations
SNMP uses Get and Set operations to replace a complex command set. The operations described
in Figure 2-11 can implement all functions.

Figure 2-11 Schematic diagram of SNMP operations
[Diagram: the NM station (UDP port 162) sends get-request, get-next-request, and set-request messages to the agent (UDP port 161), each answered by a get-response; the agent sends traps to the NM station]

Table 2-5 gives details on the SNMP operations.


Table 2-5 SNMP operations

| Operation | Function |
|---|---|
| GetRequest | Retrieves the value of a variable. The NM station sends the request to a managed device to obtain the value of an object on the device. |
| GetNextRequest | Retrieves the value of the next variable. The NM station sends the request to a managed device to obtain the status of the next object on the device. |
| GetResponse | Responds to GetRequest, GetNextRequest, and SetRequest operations. It is sent from the managed device to the NM station. |
| GetBulk | A request from the NM station to the agent that is equivalent to consecutive GetNextRequest operations. |
| SetRequest | Sets the value of a variable. The NM station sends the request to a managed device to adjust the status of an object on the device. |
| Trap | Reports an event to the NM station. |

NOTE

The NM station uses SNMP to monitor and manage network devices. It cannot be used to monitor and
manage the operation of the entire network. To monitor and manage the operation of an entire network,
for example, to learn network performance or collect network statistics, see the Configuration Guide System Management for details about the configurations of Remote Network Monitoring (RMON) and
RMON2, and fault and performance management.


SNMP Features Supported by the ATN


This section compares SNMP versions in terms of their support for features and usage scenarios.
Use it as a reference when you select the SNMP version during network deployment.
The ATN supports SNMPv1, SNMPv2c, and SNMPv3. Table 2-6 lists the features supported
by SNMP, and Table 2-7 shows the support of different SNMP versions for the features. Table
2-8 describes the usage scenarios of SNMP versions, which will help you choose a proper version
for the communication between an NM station and managed devices based on the network
operation conditions.
NOTE

When multiple NM stations using different SNMP versions manage the same device in a network,
SNMPv1, SNMPv2c, and SNMPv3 can all be configured on the device for its communication with all the
NM stations.

Table 2-6 Description of features supported by SNMP

| Feature | Description |
|---|---|
| Access control | Restricts a user's device administration rights. It gives specific users the rights to manage specified objects on devices and therefore provides fine management. |
| Authentication and encryption | Authenticates and encrypts the packets transmitted between the NM station and managed devices. This prevents data packets from being intercepted or modified, improving data sending security. |
| Error code | Identifies particular faults. An administrator uses error codes to quickly locate and rectify faults. The more error codes received, the more they help an administrator in device management. |
| Trap | Sent from managed devices to the NM station. These traps allow an administrator to discover device faults immediately. After sending traps, the managed devices do not require the acknowledgement from the NM station. |
| Inform | Sent from managed devices to the NM station. The managed devices require the acknowledgement from the NM station after sending informs. If a managed device does not receive an acknowledgement after sending an inform, it will resend the inform to the NM station and generate alarm logs. Even if the NM station restarts, it can still synchronize the informs sent during the restart process. If the managed device does not receive an acknowledgement from the NM station after sending an inform, it will store the inform in its memory. In this regard, using informs may consume lots of system resources. |
| GetBulk | Allows an administrator to perform GetNext operation in batches. In a large-scale network, GetBulk reduces the administrator's workload and improves management efficiency. |

Table 2-7 Different SNMP versions' support for the features

| Feature | SNMPv1 | SNMPv2c | SNMPv3 |
|---|---|---|---|
| Access control | Community-name-based access control supported | Community-name-based access control supported | User or user-group-based access control supported |
| Authentication and encryption | Not supported | Not supported | Supported, and the supported authentication and encryption modes are as follows. Authentication mode: Message Digest 5 (MD5), Secure Hash Algorithm (SHA). Encryption mode: Data Encryption Standard 56 (DES56), Triple Data Encryption Standard (3DES), Advanced Encryption Standard 128 (AES128), Advanced Encryption Standard 192 (AES192), Advanced Encryption Standard 256 (AES256). |
| Error code | 6 error codes supported | 16 error codes supported | 16 error codes supported |
| Trap | Supported | Supported | Supported |
| Inform | Not supported | Supported | Supported |
| GetBulk | Not supported | Supported | Supported |

Table 2-8 Usage scenarios of different SNMP versions

| Version | Usage Scenario |
|---|---|
| SNMPv1 | Applies to small-scale networks whose networking is simple and security requirements are low or whose security and stability are good, such as campus networks and small enterprise networks. |
| SNMPv2c | Applies to medium and large-scale networks whose security requirements are not strict or whose security is good (for example, VPNs) but whose services are so busy that traffic congestion may occur. Using informs can ensure that the messages sent from managed devices are received by the NM station. |
| SNMPv3 | This version is applicable to networks of various scales, especially the networks that have strict requirements on security and can be managed only by authorized administrators, such as the scenario where data between the NM station and managed devices needs to be transmitted over a public network. |

If you plan to build a new network, choose an SNMP version based on your usage scenario. If
you plan to expand or upgrade an existing network, choose an SNMP version to match the SNMP
version running on the NM station to ensure the normal communication between managed
devices and the NM station.
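
The "Not supported" entries for authentication and encryption in Table 2-7 can be observed directly in the message encoding. The following Python code is an added example, not part of the Huawei guide: it decodes the BER header of an SNMP message and reports the version, the PDU type named in Table 2-5, and either the cleartext community name (SNMPv1/SNMPv2c) or the SNMPv3 security level from the msgFlags field. The sample packets are constructed in the code, and the function names are this example's own.

```python
# Added example: decode the outer header of an SNMP message (BER encoding).
# Function names and the sample packets are this example's own.

PDU_TYPES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulk",
    0xA6: "Inform", 0xA7: "Trap",
}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def tlv(tag, value):
    """Encode one BER element with a definite length (used to build samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("element runs past the end of the packet")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, wanted_tag, what):
    """Read one element and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != wanted_tag:
        raise ValueError("expected %s, got tag 0x%02x" % (what, tag))
    return value, nxt


def inspect_snmp(packet):
    """Summarise what anyone on the path can read from one SNMP message."""
    body, _ = expect(packet, 0, 0x30, "message SEQUENCE")
    raw_version, pos = expect(body, 0, 0x02, "version INTEGER")
    version = int.from_bytes(raw_version, "big")
    info = {"version": VERSIONS.get(version, "unknown")}
    if version in (0, 1):
        # SNMPv1/v2c: the community name follows the version, unencrypted.
        community, pos = expect(body, pos, 0x04, "community OCTET STRING")
        pdu_tag, _, _ = read_tlv(body, pos)
        info["community"] = community.decode("latin-1")
        info["pdu"] = PDU_TYPES.get(pdu_tag, "unknown")
        info["cleartext"] = True
    elif version == 3:
        # SNMPv3: msgGlobalData = msgID, msgMaxSize, msgFlags, msgSecurityModel.
        header, pos = expect(body, pos, 0x30, "msgGlobalData SEQUENCE")
        _, p = expect(header, 0, 0x02, "msgID")
        _, p = expect(header, p, 0x02, "msgMaxSize")
        flags, _ = expect(header, p, 0x04, "msgFlags")
        if len(flags) != 1:
            raise ValueError("msgFlags must be one octet")
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
        if priv and not auth:
            info["level"] = "invalid"
        else:
            info["level"] = "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"
    return info


def sample_get(version, community):
    """Constructed GetRequest for 1.3.6.1.2.1.1.1.0 with request-id 1."""
    oid = bytes.fromhex("2b06010201010100")
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")))
    integers = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
    pdu = tlv(0xA0, integers + varbinds)
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + pdu)


def sample_v3(flags):
    """Constructed SNMPv3 header; security parameters and data are left empty."""
    header = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x05\xdc")
                 + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + header + tlv(0x04, b"") + tlv(0x04, b""))


if __name__ == "__main__":
    for pkt in (sample_get(0, b"public"), sample_get(1, b"public"), sample_v3(0x03)):
        print(inspect_snmp(pkt))
```

For SNMPv1 and SNMPv2c the community name is the only credential and is recovered by plain decoding, which is why the ACL binding and the SNMPv3 recommendation later in this section matter.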

2.2.2 Configuring a Device to Communicate with an NM Station by Running SNMPv1
After SNMPv1 is configured, a managed device and an NM station can run SNMPv1 to
communicate with each other. To ensure normal communication, you need to configure both
sides. This section describes only the configurations on a managed device (the agent side). For
details about configurations on an NM station, see the pertaining NM station operation guide.

Context
The NM station manages a device in the following manners:
- Sends requests to the managed device to perform the GetRequest, GetNextRequest,
  GetResponse, GetBulk, or SetRequest operation, obtaining data and setting values.

  NOTE

  When SNMPv1 is used, Counter64 nodes cannot be visited.
  SNMPv1 has a security risk. Using SNMPv3 is recommended.

- Receives alarms from the managed device and locates and rectifies device faults based on
  the alarm information.

In the following configuration, after basic SNMP functions are configured, the NM station can
manage the device in these manners. For details on how to configure finer management such as
accurate access control or alarm module specification, see the following configuration
procedures.

Before You Start


Before configuring a device to communicate with an NM station by running SNMPv1,
familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain
the data required for the configuration.

Applicable Environment
SNMP needs to be deployed in a network to allow the NM station to manage network devices.
If the network has a few devices and its security is good, such as a campus network or a small
enterprise network, SNMPv1 can be deployed to ensure the normal communication between the
NM station and managed devices.

Pre-configuration Tasks
Before configuring a device to communicate with an NM station by running SNMPv1, complete
the following task:
- Configuring a routing protocol to ensure that the ATN and NM station are routable

Data Preparation
Before configuring a device to communicate with an NM station by running SNMPv1, you need
the following data.

| No. | Data |
|---|---|
| 1 | SNMP version, SNMP community name, destination address of alarm messages, administrator's contact information and location, and the maximum SNMP packet size |
| 2 | (Optional) ACL number, IP address of the NM station, and MIB object |
| 3 | (Optional) Name of the alarm-sending module, source address of trap messages, queue length for trap messages, and lifetime of trap messages |

Configuring Basic SNMPv1 Functions


After basic SNMP functions are configured, an NM station can perform basic operations such
as Get and Set operations on a managed device, and the managed device can send alarms to the
NM station.

Context
Step 4, Step 5, and Step 6 are mandatory for the configuration of basic SNMP functions.
After the configurations are complete, basic SNMP communication can be conducted between
the NM station and managed device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
snmp-agent

The SNMP agent function is enabled.


By default, the SNMP agent function is disabled. Running any command with the parameter
snmp-agent can enable the SNMP agent function, so this step is optional.
Step 3 (Optional) Run:
snmp-agent udp-port

The port number monitored by the SNMP Agent is configured.


By default, the port number monitored by the agent is 161.
The snmp-agent udp-port command can be used to change the number of the port monitored
by the SNMP Agent, to improve the security of the device.
Step 4 Run:
snmp-agent sys-info version v1

The SNMP version is set.


By default, SNMPv3 is enabled.
After SNMPv1 is enabled on the managed device, the device supports both SNMPv1 and
SNMPv3. This means that the device can be monitored and managed by NM stations running
SNMPv1 or SNMPv3.
Step 5 Run:
snmp-agent community { read | write } [ cipher ] community-name [ acl acl-number |
mib-view view-name ] *

The community name is set.


The community name will be saved in encrypted format in the configuration file.
By default, the complexity check is enabled for a community name. If a community name fails
the complexity check, the community name cannot be configured. To disable the complexity
check for a community name, run the snmp-agent community complexity-check disable
command.
NOTE

The HUAWEI has the following requirements for community name complexity:
- The default minimum length of a community name is eight characters. The set password min-length
  command determines the minimum length of a community name.
- A community name includes at least two kinds of characters, which can be uppercase letters, lowercase
  letters, digits, and special characters except question marks (?) and spaces.

After the community name is set, if no MIB view is configured, the NM station that uses the
community name has rights to access objects in the Viewdefault view.
Step 6 Choose either of the following commands as needed to configure a destination IP address for
the alarms and error codes sent from the device.
- To configure a destination IPv4 address for the alarms and error codes sent from the device,
  run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { public-net | vpn-instance vpn-instance-name } ] * params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ] [ private-netmanager ] [ notify-filter-profile profile-name | ext-vb ] *

The descriptions of the command parameters are as follows:

- The default destination UDP port number is 162. In some special cases (for example, port
  mirroring is configured to prevent a well-known port from being attacked), the parameter
  udp-port can be used to specify a non-well-known UDP port number. This ensures normal
  communication between the NM station and managed device.
- If the alarms sent from the managed device to the NM station need to be transmitted over a
  public network, the parameter public-net needs to be configured. If the alarms sent from the
  managed device to the NM station need to be transmitted over a private network, the
  parameter vpn-instance vpn-instance-name needs to be used to specify a VPN that will take
  over the sending task.
- The parameter securityname identifies the alarm sender, which will help you learn the alarm
  source.
- If the NM station and managed device are both Huawei products, the parameter
  private-netmanager can be configured to add more information to alarms, such as the alarm type,
  alarm sequence number, and alarm sending time. The information will help you locate and
  rectify faults more quickly.
Step 7 (Optional) Run:
snmp-agent sys-info { contact contact | location location }

The equipment administrator's contact information or location is configured.


This step is required when the NM station administrator must know equipment administrators'
contact information and locations when the NM station manages many devices. This allows the
NM station administrator to contact the equipment administrators quickly for fault location and
rectification.
To configure both the equipment administrator's contact information and location, you must run
the command twice to configure them separately.

Step 8 (Optional) Run:


snmp-agent packet max-size byte-count

The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 12000
bytes.
After the maximum size is set, the device will discard any SNMP packet that is larger than the
set size. The allowable maximum size of an SNMP packet for a device depends on the size of a
packet that the NM station can process; otherwise, the NM station cannot process the SNMP
packets sent from the device.
----End

Follow-up Procedure
After the configurations are complete, basic communication can be conducted between the NM
station and managed device.
- Access control allows any NM station that uses the community name to monitor and manage
  all the objects on the managed device.
- The managed device sends alarms generated by the modules that are enabled by default to
  the NM station.

If finer device management is required, follow the directions below to configure a managed device:
- To allow a specified NM station that uses the community name to manage specified objects
  on the device, follow the procedure described in Controlling the NM Station's Access to
  the Device.
- To allow a specified module on the managed device to report alarms to the NM station,
  follow the procedure described in Configuring the Trap Function.
- If the NM station and managed device are both Huawei products, follow the procedure
  described in Enabling the SNMP Extended Error Code Function to allow the device to
  send more types of error codes. This allows more specific error identification and facilitates
  your fault location and rectification.

(Optional) Controlling the NM Station's Access to the Device


This section describes how to specify an NM station and manageable MIB objects for SNMP-based
communication between the NM station and managed device to improve communication
security.

Context
If a device is managed by multiple NM stations that use the same community name, note the
following points:
- If all the NM stations that use the community name need to have rights to access the objects
  in the Viewdefault view (1.3.6.1), skip the following steps.
- If some of the NM stations that use the community name need to have rights to access the
  objects in the Viewdefault view (1.3.6.1), skip Step 5.
- If all the NM stations need to manage specified objects on the device, skip Step 2, Step 3,
  and Step 4.
- If some of the NM stations that use the community name need to manage specified objects
  on the device, perform all the following steps.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

A basic ACL is created to filter the NM station users that can manage the device.
NOTE

SNMP supports only basic ACLs whose numbers range from 2000 to 2999.

Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number |
any }

A rule is added to the ACL.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree

A MIB view is created, and manageable MIB objects are specified.


By default, an NM station has rights to access the objects in the Viewdefault view (1.3.6.1).
- If a few MIB objects on a device or some objects in the current MIB view do not or no longer
  need to be managed by the NM station, excluded needs to be specified in the related command
  to exclude these MIB objects.
- If a few MIB objects on the device or some objects in the current MIB view need to be
  managed by the NM station, included needs to be specified in the related command to include
  these MIB objects.
Step 6 Run:
snmp-agent acl

An SNMP ACL is configured.


By default, no SNMP ACL is configured.
SNMP ACLs take precedence over ACLs based on SNMP community names, SNMP groups,
and SNMP users.
Step 7 Run:
snmp-agent community { read | write } { community-name | cipher community-name } [
mib-view view-name | acl acl-number ]*

The NM station's access rights are specified.


- read needs to be configured in the command if the NM station administrator needs the read
  permission in the specified view in some cases. For example, a low-level administrator needs
  to read certain data. write needs to be configured in the command if the NM station
  administrator needs the read and write permissions in the specified view in some cases. For
  example, a high-level administrator needs to read and write certain data.
- cipher is used to display the community name in cipher text. It can be configured in the
  command to improve security. If the parameter is configured, the administrator needs to
  remember the community name. If the community name is forgotten, it cannot be obtained
  by querying the device.
- If some of the NM stations that use the community name need to have rights to access the
  objects in the Viewdefault view (1.3.6.1), mib-view view-name does not need to be
  configured in the command.
- If all the NM stations that use the community name need to manage specified objects on the
  device, acl acl-number does not need to be configured in the command.
- If some of the NM stations that use the community name need to manage specified objects
  on the device, both mib-view and acl need to be configured in the command.
----End

Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.
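
As an added example (not part of the Huawei guide), the following Python script audits a saved configuration for the SNMP settings discussed in this section: SNMPv1/SNMPv2c being enabled, community names that fail the complexity rule quoted in the NOTE above, communities with no ACL or MIB view bound, and trap targets without SNMPv3 privacy. The sample input is the "Configuration Files" listing from the alarm example earlier in this chapter; the rule names such as NO_ACL and the list of well-known community names are this example's own assumptions.

```python
import string

# SNMP-related lines of the "Configuration Files" listing shown earlier in this chapter.
PAGE_CONFIG = """\
#
sysname HUAWEI
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100003598
snmp-agent community write write
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
snmp-agent trap enable
#
return
"""

KNOWN_COMMUNITIES = {"public", "private"}   # assumption: widely used default names
MIN_LENGTH = 8                              # default minimum length stated in the guide


def community_is_complex(name, min_length=MIN_LENGTH):
    """Apply the guide's rule: minimum length, no '?' or spaces, and at least
    two kinds of characters (uppercase, lowercase, digits, special)."""
    if len(name) < min_length or "?" in name or " " in name:
        return False
    kinds = [
        any(c.isupper() for c in name),
        any(c.islower() for c in name),
        any(c.isdigit() for c in name),
        any(c in string.punctuation for c in name),
    ]
    return sum(kinds) >= 2


def audit(config_text):
    """Return a list of (rule, config_line) findings for SNMP agent settings."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        tok = line.split()
        if line == "snmp-agent community complexity-check disable":
            findings.append(("COMPLEXITY_CHECK_DISABLED", line))
        elif tok[:3] == ["snmp-agent", "sys-info", "version"]:
            # Table 2-7: SNMPv1 and SNMPv2c have no authentication or encryption.
            if any(v in ("v1", "v2c") for v in tok[3:]):
                findings.append(("LEGACY_VERSION", line))
        elif (tok[:2] == ["snmp-agent", "community"] and len(tok) >= 4
              and tok[2] in ("read", "write")):
            rest = tok[3:]
            stored_encrypted = rest[0] == "cipher"
            if stored_encrypted:
                rest = rest[1:]
            if not rest:
                continue
            name, options = rest[0], rest[1:]
            if not stored_encrypted:        # ciphertext cannot be judged offline
                if name.lower() in KNOWN_COMMUNITIES:
                    findings.append(("KNOWN_COMMUNITY", line))
                if not community_is_complex(name):
                    findings.append(("WEAK_COMMUNITY", line))
            if "acl" not in options:        # any NM station knowing the name is accepted
                findings.append(("NO_ACL", line))
            if "mib-view" not in options:   # falls back to the Viewdefault view (1.3.6.1)
                findings.append(("DEFAULT_VIEW", line))
        elif tok[:3] == ["snmp-agent", "target-host", "trap"]:
            opts = tok[tok.index("params"):] if "params" in tok else []
            if not ("v3" in opts and "privacy" in opts):
                findings.append(("TRAP_UNPROTECTED", line))
    return findings


if __name__ == "__main__":
    for rule, line in audit(PAGE_CONFIG):
        print("%-26s %s" % (rule, line))
```

A community line stored with cipher is skipped by the name checks because the configuration file holds only ciphertext; the ACL and MIB view checks still apply to it.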

(Optional) Enabling the SNMP Extended Error Code Function


This section describes how to enable the extended SNMP error code function when both the NM
station and managed device are Huawei products. After this function is enabled, more types of
error codes are provided to help you locate and rectify faults more quickly and accurately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent extend error-code enable

The SNMP extended error code function is enabled.


By default, SNMP standard error codes are used. After the extended error code function is
enabled, extended error codes can be sent to the NM station.
----End

(Optional) Configuring the Trap Function


This section describes how to specify the alarms to be sent to the NM station, which will help
you to locate important problems. After relevant parameters are set, the security of alarm sending
can be improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent trap enable

Alarm sending is enabled.


NOTE

If the snmp-agent trap enable command is run to enable the trap functions of all modules, note the
following points:
- To disable the trap functions of all modules, you need to run the snmp-agent trap disable command.
- To restore the trap functions of all modules to the default status, you need to run the undo snmp-agent
  trap enable or undo snmp-agent trap disable command.
- To disable one trap function of a module, you need to run the undo snmp-agent trap enable
  feature-name command.

Step 3 Run:
snmp-agent trap enable feature-name feature-name trap-name trap-name

A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
The undo snmp-agent trap enable feature-name command can be used to disable a trap
function of a module.
Step 4 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree
The MIB-view is configured.
For SNMPv1 and SNMPv2c, the default mib-view is ViewDefault and the OID is 1.3.6.1. Where
there is no default mib-view, the user needs to configure one manually.
Step 5 Run:
snmp-agent notify-filter-profile { excluded | included } profile-name oid-tree

Trap messages allowed to be sent to the NM station are specified or updated.


At present, the snmp-agent notify-filter-profile command supports either the variable OID of
a character string or an object name. If the entered parameter is a character string, the asterisk
(*) can be used as the mask. The asterisk (*) can be placed only in the middle, not at the beginning
or end of the string.
Step 6 Run:
snmp-agent trap source interface-type interface-number

The source interface for trap messages is specified.


After the source interface is specified, its IP address becomes the source IP address of trap
messages. Specifying the local loopback interface as the source interface is recommended,
which can ensure device security.
The source interface specified on the ATN for trap messages must be consistent with that
specified on the NM station; otherwise, the NM station will not accept the trap messages sent
from the ATN.
Step 7 Run:
snmp-agent trap source-port port-number

The source port for sending traps is set.

After the source port is fixed, the packets can be filtered by a firewall to improve the security
of the network.
Step 8 Run:
snmp-agent trap queue-size size

The length of the queue storing trap messages to be sent to the destination host is set.
The queue length depends on the number of generated trap messages. If the ATN frequently
generates trap messages, a longer queue length can be set to prevent trap messages from being
lost.
Step 9 Run:
snmp-agent trap life seconds

The lifetime of every trap message is set.


The lifetime of every trap message depends on the number of generated trap messages. If the
ATN frequently generates trap messages, a longer lifetime can be set for every trap message to
prevent trap messages from being lost.
----End

Checking the Configuration


After SNMPv1 functions are configured, you can view the SNMPv1 configurations.

Prerequisites
The configurations of basic SNMPv1 functions are complete.

Procedure
- Run the display snmp-agent community command to check the configured community name.
- Run the display snmp-agent sys-info version command to check the enabled SNMP version.
- Run the display acl acl-number command to check the rules in the specified ACL.
- Run the display snmp-agent mib-view command to check the MIB view.
- Run the display snmp-agent sys-info contact command to check the equipment administrator's
  contact information.
- Run the display snmp-agent sys-info location command to check the location of the device.
- Run the display snmp-agent target-host command to view information about all destination
  hosts, such as the IP addresses.
- Run the display snmp-agent trap command to view whether the router is enabled to send alarms
  to the NM station.
- Run the display snmp-agent statistics command to view the statistics of SNMP packets.
- Run the display current-configuration | include max-size command to check the allowable
  maximum size of an SNMP packet.
- Run the display current-configuration | include trap command to check trap configurations.
- Run the display snmp-agent extend error-code status command to check whether the SNMP
  extended error code feature is enabled.

----End

2.2.3 Configuring a Device to Communicate with an NM Station by Running SNMPv2c
After SNMPv2c is configured, a managed device and an NM station can run SNMPv2c to
communicate with each other. To ensure normal communication, you need to configure both
sides. This section describes only the configurations on a managed device (the agent side). For
details about configurations on an NM station, see the pertaining NM station operation guide.

Context
The NM station manages a device in the following manners:
- Sends requests to the managed device to perform the GetRequest, GetNextRequest, GetResponse,
  GetBulk, or SetRequest operation, obtaining data and setting values.
  NOTE
  SNMPv2c has a security risk. Using SNMPv3 is recommended.
- Receives alarms from the managed device and locates and rectifies device faults based on the
  alarm information.

In the following configuration, after basic SNMP functions are configured, the NM station can
manage the device in these manners. For details on how to configure finer management such as
accurate access control or alarm module specification, see the following configuration
procedures.

Before You Start


Before configuring a device to communicate with an NM station by running SNMPv2c,
familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain
the data required for the configuration.

Applicable Environment
SNMP needs to be deployed in a network to allow the NM station to manage network devices.
If your network is large-scale with many devices, and its security requirements are not strict or
its security is good (for example, a VPN network), but services on the network are so busy that
traffic congestion may occur, SNMPv2c can be deployed to ensure communication between the
NM station and managed devices.

Pre-configuration Tasks
Before configuring a device to communicate with an NM station by running SNMPv2c, complete
the following task:
- Configuring a routing protocol to ensure that the ATN and NM station are routable

Data Preparation
Before configuring a device to communicate with an NM station by running SNMPv2c, you
need the following data.
No.  Data
1    SNMP version, SNMP community name, address of the alarm destination host,
     administrator's contact information and location, and the maximum SNMP packet size
2    (Optional) ACL number, IP address of the NM station, MIB object
3    (Optional) Name of the alarm-sending module, source address of trap messages,
     queue length for trap messages, lifetime of trap messages, expiry time of informs,
     allowable number of inform retransmissions, allowable maximum number of informs
     to be acknowledged, aging time of log messages, and allowable maximum number
     of log messages about the trap and inform events in the log buffer

Configuring Basic SNMPv2c Functions


After basic SNMP functions are configured, an NM station can perform basic operations such
as Get and Set operations on a managed device, and the managed device can send alarms to the
NM station.

Context
Step 4, Step 5, and Step 6 are mandatory for the configuration of basic SNMP functions.
After the configurations, basic SNMP communication can be conducted between the NM station
and managed device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
snmp-agent

The SNMP agent function is enabled.


By default, the SNMP agent function is disabled. Running any command with the parameter
snmp-agent can enable the SNMP agent function, so this step is optional.
Step 3 (Optional) Run:
snmp-agent udp-port

The port number monitored by the SNMP Agent is configured.


By default, the port number monitored by the agent is 161.
The snmp-agent udp-port command can be used to change the number of the port monitored
by the SNMP Agent, to improve the security of the device.
Step 4 Run:
snmp-agent sys-info version v2c

The SNMP version is set.


By default, SNMPv3 is enabled.
After SNMPv2c is enabled on the managed device, the device supports both SNMPv2c and
SNMPv3. This means that the device can be monitored and managed by NM stations running
SNMPv2c and SNMPv3.
Step 5 Run:
snmp-agent community { read | write } [ cipher ] community-name [ acl acl-number | mib-view view-name ] *

The community name is set.


The community name will be saved in encrypted format in the configuration file.
By default, the complexity check is enabled for a community name. If a community name fails
the complexity check, the community name cannot be configured. To disable the complexity
check for a community name, run the snmp-agent community complexity-check disable
command.
NOTE

Huawei has the following requirements for community name complexity:
- The default minimum length of a community name is eight characters. The set password min-length
  command determines the minimum length of a community name.
- A community name includes at least two kinds of characters, which can be uppercase letters,
  lowercase letters, digits, and special characters except question marks (?) and spaces.

After the community name is set, if no MIB view is configured, the NM station that uses the
community name has rights to access objects in the Viewdefault view.
Step 6 Choose one of the following commands as needed to configure the destination IP address for
the alarms and error codes sent from the device.
- If the network is an IPv4 network, configure the device to send either traps or informs to the
  NM station.

NOTE

The differences between traps and informs are as follows:
- The traps sent by the managed device do not need to be acknowledged by the NM station.
- The informs sent by the managed device need to be acknowledged by the NM station. If no
  acknowledgement message from the NM station is received within a specified time period, the
  managed device will resend the inform until the number of retransmissions reaches the maximum.
  When the managed device sends an inform, it records the inform in the log. If the NM station and
  the link between the NM station and managed device recover from a fault, the NM station can still
  learn the inform sent during the fault occurrence and rectification.
In this regard, informs are more reliable than traps, but the device may need to buffer a lot of informs
because of the inform retransmission mechanism, and this may consume many memory resources.
If the network is stable, using traps is recommended. If the network is unstable and the device's memory
capacity is sufficient, using informs is recommended.
Informs and traps must have different destination IP addresses. If the same destination IP address is
configured for both of them, the later configuration overrides the previous configuration.

To configure a destination IP address for the traps and error codes sent from the device,
run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { public-net | vpn-instance vpn-instance-name } ] * params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ] [ private-netmanager ] [ notify-filter-profile profile-name | ext-vb ] *

To configure a destination IP address for the informs and error codes sent from the device,
run:
snmp-agent target-host inform ip-address [ udp-port port-number | source interface-type interface-number | vpn-instance vpn-instance-name | public-net ] * params securityname security-string v2c [ notify-filter-profile profile-name | ext-vb ] *

The descriptions of the command parameters are as follows:
- The default destination User Datagram Protocol (UDP) port number is 162. In some special
  cases (for example, port mirroring is configured to prevent a well-known port from being
  attacked), the parameter udp-port can be used to specify a non-well-known UDP port
  number. This ensures normal communication between the NM station and managed device.
- If the alarms sent from the managed device to the NM station need to be transmitted over a
  public network, the parameter public-net needs to be configured. If the alarms sent from the
  managed device to the NM station need to be transmitted over a private network, the
  parameter vpn-instance vpn-instance-name needs to be used to specify a VPN that will take
  over the sending task.
- The parameter securityname identifies the alarm sender, which will help you learn the alarm
  source.
- If the NM station and managed device are both Huawei products, the parameter
  private-netmanager can be configured to add more information to alarms, such as the alarm type,
  alarm sequence number, and alarm sending time. The information will help you locate and
  rectify faults more quickly.
Step 7 (Optional) Run:
snmp-agent sys-info { contact contact | location location }

The equipment administrator's contact information or location is configured.


This step is required when the NM station administrator must know equipment administrators'
contact information and locations when the NM station manages many devices. This allows the
NM station administrator to contact the equipment administrators quickly for fault location and
rectification.
To configure both the equipment administrator's contact information and location, you must run
the command twice to configure them separately.
Step 8 (Optional) Run:
snmp-agent packet max-size byte-count

The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 12000
bytes.
After the maximum size is set, the device will discard any SNMP packet that is larger than the
set size. The allowable maximum size of an SNMP packet for a device depends on the size of a
packet that the NM station can process; otherwise, the NM station cannot process the SNMP
packets sent from the device.
----End

Follow-up Procedure
After the configurations are complete, basic communication can be conducted between the NM
station and managed device.
- Access control allows any NM station that uses the community name to monitor and manage
  all the objects on the managed device.
- The managed device sends alarms generated by the modules that are open by default to the
  NM station.

If finer device management is required, follow the directions below to configure the managed
device:
- To allow a specified NM station that uses the community name to manage specified objects
  of the device, follow the procedure described in Controlling the NM Station's Access to
  the Device.
- To allow a specified module on the managed device to report alarms to the NM station,
  follow the procedure described in Configuring the Trap Function.
- If the NM station and managed device are both Huawei products, follow the procedure
  described in Enabling the SNMP Extended Error Code Function to allow the device to
  send more types of error codes. This allows more specific error identification and facilitates
  your fault location and rectification.

(Optional) Controlling the NM Station's Access to the Device


This section describes how to specify an NM station and manageable MIB objects for SNMP-based
communication between the NM station and managed device to improve communication security.

Context
If a device is managed by multiple NM stations that use the same community name, note the
following points:
- If all the NM stations that use the community name need to have rights to access the objects
  in the Viewdefault view (1.3.6.1), skip the following steps.
- If some of the NM stations that use the community name need to have rights to access the
  objects in the Viewdefault view (1.3.6.1), skip Step 5.
- If all the NM stations need to manage specified objects on the device, skip Step 2, Step 3,
  and Step 4.
- If some of the NM stations that use the community name need to manage specified objects
  on the device, perform all the following steps.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

A basic ACL is created to filter the NM station users that can manage the device.
NOTE

SNMP supports only basic ACLs whose numbers range from 2000 to 2999.

Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number | any }

A rule is added to the ACL.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree

A MIB view is created, and manageable MIB objects are specified.


By default, an NM station has rights to access the objects in the Viewdefault view (1.3.6.1).
- If a few MIB objects on a device or some objects in the current MIB view do not or no longer
  need to be managed by the NM station, excluded needs to be specified in the related command
  to exclude these MIB objects.
- If a few MIB objects on the device or some objects in the current MIB view need to be
  managed by the NM station, included needs to be specified in the related command to include
  these MIB objects.
Step 6 Run:
snmp-agent acl

An SNMP ACL is configured.


By default, no SNMP ACL is configured.
SNMP ACLs take precedence over ACLs based on SNMP community names, SNMP groups,
and SNMP users.
Step 7 Run:
snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl acl-number ]*

The NM station's access rights are specified.


- read needs to be configured in the command if the NM station administrator needs the read
  permission in the specified view in some cases. For example, a low-level administrator needs
  to read certain data. write needs to be configured in the command if the NM station
  administrator needs the read and write permissions in the specified view in some cases. For
  example, a high-level administrator needs to read and write certain data.
- cipher is used to display the community name in cipher text. It can be configured in the
  command to improve security. If the parameter is configured, the administrator needs to
  remember the community name. If the community name is forgotten, it cannot be obtained
  by querying the device.
- If some of the NM stations that use the community name need to have rights to access the
  objects in the Viewdefault view (1.3.6.1), mib-view view-name does not need to be
  configured in the command.
- If all the NM stations that use the community name need to manage specified objects on the
  device, acl acl-number does not need to be configured in the command.
- If some of the NM stations that use the community name need to manage specified objects
  on the device, both mib-view and acl need to be configured in the command.
----End

Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.
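
The effect of combining included and excluded subtrees in one MIB view can be checked offline before the view is bound to a community name. The following is an added example, not code from this guide or from the device: it assumes the standard view-based access control rule that the longest matching subtree decides, accepts numeric OIDs only, and uses a constructed view name (nmsview) and constructed commands.

```python
"""Which OIDs does a MIB view expose? Added example; not code from the guide or the device."""


def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); rejects empty or non-numeric arcs."""
    parts = text.strip().strip(".").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)


class MibView:
    def __init__(self, name):
        self.name = name
        self.subtrees = {}  # subtree tuple -> True (included) / False (excluded)

    def add(self, mode, oid_tree):
        if mode not in ("included", "excluded"):
            raise ValueError(f"mode must be included or excluded, got {mode!r}")
        # Assumption: a later command for the same subtree replaces the earlier one.
        self.subtrees[parse_oid(oid_tree)] = (mode == "included")

    def allows(self, oid):
        """Longest matching subtree decides; an OID under no subtree is not accessible."""
        target = parse_oid(oid)
        best_len, verdict = -1, False
        for subtree, included in self.subtrees.items():
            if target[:len(subtree)] == subtree and len(subtree) > best_len:
                best_len, verdict = len(subtree), included
        return verdict


def load_views(commands):
    """Build views from 'snmp-agent mib-view { excluded | included } view-name oid-tree' lines."""
    views = {}
    for line in commands.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[:2] == ["snmp-agent", "mib-view"]:
            views.setdefault(tok[3], MibView(tok[3])).add(tok[2], tok[4])
    return views


def report(view, oids):
    """Map each OID to True (readable through the view) or False."""
    return {oid: view.allows(oid) for oid in oids}


# Constructed commands: expose MIB-II, hide its ip group, re-expose one table below it.
COMMANDS = """\
snmp-agent mib-view included nmsview 1.3.6.1.2.1
snmp-agent mib-view excluded nmsview 1.3.6.1.2.1.4
snmp-agent mib-view included nmsview 1.3.6.1.2.1.4.20
"""

if __name__ == "__main__":
    view = load_views(COMMANDS)["nmsview"]
    probes = [
        "1.3.6.1.2.1.1.5.0",     # sysName.0, under the included subtree
        "1.3.6.1.2.1.4.1.0",     # ipForwarding.0, under the excluded ip group
        "1.3.6.1.2.1.4.20.1.1",  # ipAddrTable column, re-included below the exclusion
        "1.3.6.1.4.1.2011.5",    # enterprise subtree, never included in this view
    ]
    for oid, ok in report(view, probes).items():
        print(f"{oid:<24} {'accessible' if ok else 'blocked'}")
```

An OID that falls under no configured subtree is blocked, so a view built only from excluded entries exposes nothing.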

(Optional) Enabling the SNMP Extended Error Code Function


This section describes how to enable the extended SNMP error code function when both the NM
station and managed device are Huawei products. After this function is enabled, more types of
error codes are provided to help you locate and rectify faults more quickly and accurately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent extend error-code enable

The SNMP extended error code function is enabled.


By default, SNMP standard error codes are used. After the extended error code function is
enabled, extended error codes can be sent to the NM station.
----End

(Optional) Configuring the Trap Function


This section describes how to specify the alarms to be sent to the NM station, which will help
you to locate important problems. After relevant parameters are set, the security of alarm sending
can be improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
snmp-agent trap enable

Alarm sending is enabled.


NOTE

If the snmp-agent trap enable command is run to enable the trap functions of all modules, note the
following points:
- To disable the trap functions of all modules, you need to run the snmp-agent trap disable command.
- To restore the trap functions of all modules to the default status, you need to run the undo
  snmp-agent trap enable or undo snmp-agent trap disable command.
- To disable one trap function of a module, you need to run the undo snmp-agent trap enable
  feature-name command.
To enable the trap of performance management in batches, you need to run the snmp-agent trap enable
feature-name bulkstat trap-name { hwbulkstatcollectincomplete | hwbulkstatcollectresume |
hwbulkstattransferfilediscard | hwbulkstaturlconnectionfail | hwbulkstaturlconnectionresume }
command.
To enable the specified trap of performance management, you need to run the snmp-agent trap
feature-name bulkstat trap-name trap-name description description-text command.

Step 3 Run:
snmp-agent trap enable feature-name feature-name trap-name trap-name

A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
The undo snmp-agent trap enable feature-name feature-name trap-name trap-name
command can be used to disable a trap function of a module.
Step 4 (Optional) Run:
snmp-agent trap feature-name feature-name trap-name trap-name description
description-text

Description of the specified trap message is sent to the NMS.


Step 5 Configure trap function parameters based on the trap usage or inform usage selected during the
configuration of basic SNMPv2c functions.
If traps are used, follow the procedure described in Configuring trap parameters; if informs
are used, follow the procedure described in Configuring inform parameters.
Configuring trap parameters:
1. Run:
snmp-agent notify-filter-profile { excluded | included } profile-name oid-tree

Trap messages allowed to be sent to the NM station are specified or updated.


At present, the snmp-agent notify-filter-profile command supports either the variable
OID of a character string or an object name. If the entered parameter is a character string,
the asterisk (*) can be used as the mask. The asterisk (*) can be placed only in the middle,
not at the beginning or end of the string.
2. Run:
snmp-agent trap source interface-type interface-number

The source interface for trap messages is specified.


After the source interface is specified, its IP address becomes the source IP address of trap
messages. Configuring the IP address of the local loopback interface as the source interface
is recommended, which can ensure device security.
3. Run:
snmp-agent trap source-port port-number

The source port for sending traps is set.

After the source port is fixed, the packets can be filtered by a firewall to improve the security
of the network.
4. Run:
snmp-agent trap queue-size size

The length of the queue storing trap messages to be sent to the destination host is set.
The queue length depends on the number of generated trap messages. If the ATN frequently
generates trap messages, a longer queue length can be set to prevent trap messages from
being lost.
5. Run:
snmp-agent trap life seconds

The lifetime of every trap message is set.


The lifetime of every trap message depends on the number of generated trap messages. If
the ATN frequently generates trap messages, a longer lifetime can be set for every trap
message to prevent trap messages from being lost.
Configuring inform parameters:
1. Run:
snmp-agent inform { timeout seconds | resend-times times | pending number }*

The timeout period for waiting for Inform ACK messages, number of inform
retransmissions, and allowable maximum number of informs to be acknowledged are set.
If the network is unstable, you need to specify the number of inform retransmissions and
allowable maximum number of informs to be acknowledged when you set a timeout period
for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform
ACK messages is 15 seconds; the number of inform retransmissions is 3; the allowable
maximum number of informs waiting to be acknowledged is 39.
Setting the number of inform retransmissions to a value smaller than or equal to 10 is
recommended. Otherwise, device performance will be affected.
2. Run:
snmp-agent inform { timeout seconds | resend-times times } * address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname security-string

The timeout period for waiting for Inform ACK messages from a specified NM station and
the number of inform retransmissions are set.
If the network is unstable, you need to specify the number of inform retransmissions and
allowable maximum number of informs to be acknowledged when you set a timeout period
for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform
ACK messages is 15 seconds, and the number of inform retransmissions is 3.
Setting the number of inform retransmissions to a value smaller than or equal to 10 is
recommended. Otherwise, device performance will be affected.
3. Run:
snmp-agent notification-log enable

The alarm logging function is enabled.


If the link between the managed device and the NM station fails, the managed device will
stop sending informs to the NM station because the NM station is unroutable but the
managed device will continue logging informs. If the link recovers, the NM station will
learn the informs logged by the managed device during the link failure.
After the alarm logging function is enabled, the system logs only informs, not traps.
By default, the alarm logging function is disabled.
4. Run:
snmp-agent notification-log { global-ageout ageout | global-limit limit }*

The aging time of alarm logs and maximum number of alarm logs allowed to be stored in
the log buffer are set.
By default, the aging time of alarm logs is 24 hours. If the aging time expires, alarm logs
will be automatically deleted.
By default, the log buffer can store a maximum of 500 alarm logs. If the number of alarm
logs in the log buffer exceeds 500, the device will delete the alarm logs from the earliest
one.
----End

Checking the Configuration


After SNMPv2c functions are configured, you can view the SNMPv2c configurations.

Prerequisites
The configurations of basic SNMPv2c functions are complete.

Procedure
- Run the display snmp-agent community command to check the configured community name.
- Run the display snmp-agent sys-info version command to check the enabled SNMP version.
- Run the display acl acl-number command to check the rules in the specified ACL.
- Run the display snmp-agent mib-view command to check the MIB view.
- Run the display snmp-agent sys-info contact command to check the equipment administrator's
  contact information.
- Run the display snmp-agent sys-info location command to check the location of the device.
- Run the display snmp-agent trap command to view whether the router is enabled to send alarms
  to the NM station.
- Run the display snmp-agent statistics command to view the statistics of SNMP packets.
- Run the display current-configuration | include max-size command to check the allowable
  maximum size of an SNMP packet.
- Run the display current-configuration | include trap command to check trap configurations.
- Run the display snmp-agent target-host command to check information about the target host.
- Run the display snmp-agent inform [ address udp-domain ip-address [ vpn-instance
  vpn-instance-name ] params securityname security-string ] command to check inform
  parameters and device statistics with the NM station being specified or not.
- Run the display snmp-agent notification-log info command to check alarm logs stored in the
  log buffer.
- Run the display snmp-agent extend error-code status command to check whether the SNMP
  extended error code feature is enabled.

----End
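
The security-relevant points of the SNMPv2c procedures above (community name complexity, binding an ACL and a MIB view to each community name, the ACL number range, and the loopback trap source) can be checked on a planned command script before it is entered on the device. The following is an added example, not Huawei code: the finding codes are hypothetical names, the script lines are constructed, and names entered with the cipher keyword are assumed to be ciphertext and are not complexity-checked.

```python
"""Lint a planned SNMPv2c command script against the points this guide makes.
Added example; not Huawei code. Finding codes are hypothetical names."""

MIN_LEN = 8  # default minimum community-name length stated in the guide


def char_kinds(name):
    """Character classes used in a name: upper, lower, digit, special."""
    kinds = set()
    for ch in name:
        if ch.isupper():
            kinds.add("upper")
        elif ch.islower():
            kinds.add("lower")
        elif ch.isdigit():
            kinds.add("digit")
        else:
            kinds.add("special")
    return kinds


def name_problems(name, min_len=MIN_LEN):
    """Reasons a plaintext community name fails the stated complexity rules."""
    problems = []
    if len(name) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(char_kinds(name)) < 2:
        problems.append("uses only one kind of character")
    if "?" in name or " " in name:
        problems.append("contains '?' or a space")
    return problems


def option(opts, key):
    """Value following a keyword such as 'acl' or 'mib-view', or None if absent."""
    return opts[opts.index(key) + 1] if key in opts[:-1] else None


def lint(script, min_len=MIN_LEN):
    """Return (line number, code, message) tuples for a script of CLI lines."""
    findings = []
    for no, raw in enumerate(script.splitlines(), 1):
        t = raw.split()
        if t[:1] != ["snmp-agent"]:
            continue
        if t[1:3] == ["sys-info", "version"] and t[3:4] in (["v1"], ["v2c"]):
            findings.append((no, "COMMUNITY_VERSION",
                             f"{t[3]} enabled; the guide recommends SNMPv3"))
        elif t[1:] == ["community", "complexity-check", "disable"]:
            findings.append((no, "COMPLEXITY_OFF", "complexity check disabled"))
        elif t[1:2] == ["community"] and t[2:3] in (["read"], ["write"]):
            rest = t[3:]
            ciphered = rest[:1] == ["cipher"]
            rest = rest[1:] if ciphered else rest
            if not rest:
                continue
            name, opts = rest[0], rest[1:]
            acl, view = option(opts, "acl"), option(opts, "mib-view")
            problems = [] if ciphered else name_problems(name, min_len)
            if problems:
                findings.append((no, "WEAK_NAME", "; ".join(problems)))
            if acl is None:
                findings.append((no, "NO_ACL",
                                 f"any NM station knowing the name gets {t[2]} access"))
            elif not (acl.isdigit() and 2000 <= int(acl) <= 2999):
                findings.append((no, "ACL_RANGE",
                                 "SNMP supports only basic ACLs 2000 to 2999"))
            if view is None:
                findings.append((no, "DEFAULT_VIEW",
                                 "no mib-view: default view (1.3.6.1) is accessible"))
        elif t[1:3] == ["trap", "source"] and len(t) > 3:
            if not t[3].lower().startswith("loopback"):
                findings.append((no, "TRAP_SOURCE",
                                 "the guide recommends a loopback source interface"))
    return findings


# Constructed script; community names and the interface name are sample values.
PLANNED = """\
system-view
snmp-agent sys-info version v2c
snmp-agent community read netmgmt1
snmp-agent community write Adm1n#Rw-2013 acl 2001 mib-view nmsview
snmp-agent community read public acl 3001
snmp-agent trap source GigabitEthernet0/2/0
"""

if __name__ == "__main__":
    for line_no, code, message in lint(PLANNED):
        print(f"line {line_no}: {code}: {message}")
```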

2.2.4 Configuring a Device to Communicate with an NM Station by Running SNMPv3
After SNMPv3 is configured, a managed device and an NM station can run SNMPv3 to
communicate with each other. To ensure normal communication, you need to configure both
sides. This section describes only the configurations on a managed device (the agent side). For
details about configurations on an NM station, see the pertaining NM station operation guide.

Context
The NM station manages a device in the following manners:
l