Professional Documents
Culture Documents
Configuration Guide - Basic Configuration: Quidway S5700 Series Ethernet Switches V100R006C00
Configuration Guide - Basic Configuration: Quidway S5700 Series Ethernet Switches V100R006C00
V100R006C00
01
Date
2011-07-15
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue 01 (2011-07-15)
Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
Issue 01 (2011-07-15)
TIP
NOTE
ii
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
Italic
[]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... }*
[ x | y | ... ]*
&<1-n>
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Issue 01 (2011-07-15)
iii
Contents
Contents
About This Document.....................................................................................................................ii
1 Logging In to Switch.....................................................................................................................1
1.1 Introduction........................................................................................................................................................2
1.1.1 Login Through the Console.......................................................................................................................2
1.1.2 Login Through Telnet................................................................................................................................2
1.2 Logging In to the Device Through the Console Port..........................................................................................2
1.2.1 Establishing the Configuration Task.........................................................................................................3
1.2.2 Establishing the Physical Connection........................................................................................................3
1.2.3 Configuring Terminals..............................................................................................................................4
1.2.4 Logging In to the Device...........................................................................................................................4
1.3 Logging In to Device Through Telnet................................................................................................................4
1.3.1 Establishing the Configuration Task.........................................................................................................5
1.3.2 Establishing the Physical Connection........................................................................................................5
1.3.3 Configuring Login User Parameters..........................................................................................................6
1.3.4 Logging In from the Telnet Client.............................................................................................................6
1.4 Configuration Examples.....................................................................................................................................6
1.4.1 Example for Logging In Through the Console Port..................................................................................6
1.4.2 Example for Logging In Through Telnet..................................................................................................9
2 CLI Overview...............................................................................................................................11
2.1 CLI Introduction...............................................................................................................................................12
2.1.1 Command Line Interface.........................................................................................................................12
2.1.2 Command Levels.....................................................................................................................................12
2.1.3 Command Views.....................................................................................................................................13
2.2 Online Help.......................................................................................................................................................15
2.2.1 Full Help..................................................................................................................................................15
2.2.2 Partial Help..............................................................................................................................................16
2.2.3 Error Messages of the Command Line Interface.....................................................................................16
2.3 Features of Command Line Interface...............................................................................................................17
2.3.1 Editing.....................................................................................................................................................17
2.3.2 Displaying................................................................................................................................................18
2.3.3 Regular Expressions................................................................................................................................18
2.3.4 History Commands..................................................................................................................................22
Issue 01 (2011-07-15)
iv
Contents
4 Basic Configuration.....................................................................................................................35
4.1 Basic Configuration Introduction.....................................................................................................................36
4.2 Configuring the Basic System Environment....................................................................................................36
4.2.1 Establishing the Configuration Task.......................................................................................................36
4.2.2 Configuring the Equipment Name...........................................................................................................37
4.2.3 Setting the System Clock.........................................................................................................................37
4.2.4 Configuring a Header..............................................................................................................................38
4.2.5 Configuring Command Levels................................................................................................................39
4.3 Configuring Basic User Environment..............................................................................................................40
4.3.1 Establishing the Configuration Task.......................................................................................................40
4.3.2 Configuring the Password for Switching User Levels............................................................................40
4.3.3 Switching User Levels.............................................................................................................................41
4.3.4 Locking User Interfaces...........................................................................................................................42
4.4 Displaying System Status Messages.................................................................................................................42
4.4.1 Displaying System Configuration...........................................................................................................42
4.4.2 Displaying System Status........................................................................................................................43
4.4.3 Collecting System Diagnostic Information.............................................................................................43
5 User Management........................................................................................................................44
5.1 User Management Introduction........................................................................................................................45
5.1.1 User Interface..........................................................................................................................................45
Issue 01 (2011-07-15)
Contents
vi
Contents
vii
Contents
viii
Contents
ix
Contents
9.8.3 Example for Configuring the Switch as the STelnet Client to Connect to the SSH Server .................153
9.8.4 Example for Connecting the SFTP Clinet and the SSH Server.............................................................159
9.8.5 Example for Configuring the SSH Server to Support the Access from Another Port...........................165
9.8.6 Example for Authenticating SSH Through RADIUS............................................................................172
9.8.7 Example for Configuring the SCP Client..............................................................................................177
11 SSL Configuration...................................................................................................................190
11.1 SSL...............................................................................................................................................................191
11.2 SSL Features Supported by the S5700.........................................................................................................192
11.3 Configuring Login to an FTPS Server from a User Terminal......................................................................193
11.3.1 Establishing the Configuration Task...................................................................................................193
11.3.2 Configuring an SSL Policy and Loading a Digital Certificate............................................................194
11.3.3 Enabling the FTPS Function................................................................................................................195
11.3.4 Accessing an FTPS Server..................................................................................................................196
11.3.5 Checking the Configuration.................................................................................................................196
11.4 Configuring Login to an FTPS Server from an FTPS Client.......................................................................197
11.4.1 Establishing the Configuration Task...................................................................................................197
11.4.2 Configuring the FTPS Client...............................................................................................................198
11.4.3 Configuring the FTPS Server..............................................................................................................200
11.4.4 Accessing an FTPS Server..................................................................................................................201
11.4.5 Checking the Configuration.................................................................................................................203
11.5 Configuring Secure Web Network Management.........................................................................................204
11.5.1 Establishing the Configuration Task...................................................................................................205
11.5.2 Configuring an SSL Policy and Loading a Digital Certificate............................................................206
11.5.3 Loading a Web Page File.....................................................................................................................207
11.5.4 Enabling the HTTPS Function............................................................................................................207
11.5.5 Creating a Web Account......................................................................................................................208
11.5.6 Logging In to the Web System............................................................................................................209
11.5.7 Checking the Configuration.................................................................................................................209
11.6 Configuration Examples...............................................................................................................................210
11.6.1 Example for Configuring Login to an FTPS Server from a User Terminal........................................210
11.6.2 Example for Configuring Login to an FTPS Server from an FTPS Client.........................................214
11.6.3 Example for Configuring Secure Web Network Management............................................................222
Issue 01 (2011-07-15)
1 Logging In to Switch
Logging In to Switch
Issue 01 (2011-07-15)
1 Logging In to Switch
1.1 Introduction
You can log in to switches through console port or Telnet.
Password authentication: indicates that the login user should enter the correct password.
AAA local authentication: indicates that the login user should enter the correct user name
and password.
None authentication: indicates that the login user need not enter the user name or password.
If the login succeeds, a command line prompt such as <Quidway> appears on the Telnet client
interface.
Enter a command to check the running status of the switch or to configure the switch.
Enter "?" for help.
NOTE
Do not modify the IP address of the switch when you configure the switch through Telnet because the
modification may terminate Telnet connection. Otherwise, set up the connection again after entering a new
IP address.
Issue 01 (2011-07-15)
1 Logging In to Switch
Applicable Environment
If you log in to the switch for the first time or perform the local configuration, you need to log
in to the switch through the console port.
NOTE
If you cannot log in to the switch through the telnet, you need to log in to the switch through the console
port.
Pre-configuration Tasks
Before configuring login to the switch through the console port, complete the following tasks:
l
Data Preparation
To login the switch through the console port, you need the following data.
NOTE
If the AAA authentication mode is configured for users to log in to the switch through the console interface,
the correct user name and password must be entered for a successful login.
No.
Data
(Optional) User name and password to be entered for a successful login in AAA
authentication mode
Context
Do as follows on the switch:
Issue 01 (2011-07-15)
1 Logging In to Switch
Procedure
Step 1 Connect the COM port on the PC and the console port on the switch by a cable.
Step 2 Power on all devices to perform a self-check.
----End
Context
Do as follows on the PC:
Procedure
Step 1 Run the terminal emulation program on the PC, setting the communication parameters as
follows:
l Baud rate: 9600 bps
l Data bit: 8
l Stop bit: 1
l Parity: none
l Flow control: none
----End
Context
Do as follows on the PC:
Procedure
Step 1 Press Enter until a command line prompt such as <Quidway> appears. Now the user view is
displayed for you to configure the switch.
NOTE
If the AAA or Password authentication mode is configured for users to log in to the switch through the
console interface, the correct user name and password must be entered for a successful login.
----End
1 Logging In to Switch
Applicable Environment
If you know the IP address of the switch, you can log in to the switch through Telnet for local
or remote configuration.
Pre-configuration Tasks
Before configuring the switch through Telnet, complete the following tasks:
l
Preparing the PC (including the serial port and Ethernet crossover/direct cable)
Data Preparation
To log in to the switch through Telnet, you need the following data.
No.
Data
IP address of the PC
Prerequisite
Establishing the Physical Connection are complete.
Procedure
Step 1 Connect the switch and the PC directly or connect the switch and the PC to the network through
cables.
----End
Issue 01 (2011-07-15)
1 Logging In to Switch
Context
Do as follows on the switch:
Procedure
Step 1 Configure the authentication mode of login users.
Step 2 Configure the authority limitation of login user.
For details, see 5.4 Configuring VTY User Interface and 5.6 Configuring User
Management.
----End
Context
Do as follows on the PC:
Procedure
Step 1 Run the Telnet program on the PC that functions as a client, and enter the IP address of the
interface on the destination switch that provides the Telnet service.
Step 2 Enter the user name and password in the login window. After authentication, a command line
prompt such as <Quidway> appears. Now enter the configuration environment in the user view.
----End
Networking Requirements
Initialize the configuration of the switch when the switch is powered on for the first time.
Issue 01 (2011-07-15)
1 Logging In to Switch
PC
Switch
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the terminal communication parameters (including
baud rate, data bit, parity, stop bit, and flow control).
Procedure
Step 1 Connect the serial port of the PC (or terminal) to the console port of the switch through a standard
RS-232 cable. The local configuration environment is established.
Step 2 Run the terminal emulation program on the PC. Set the terminal communication parameters to
be 9600 bps, data bit to be 8, stop bit to be 1. Specify no parity and no flow control as shown
from Figure 1-2 to Figure 1-4.
Figure 1-2 New connection
Issue 01 (2011-07-15)
1 Logging In to Switch
Issue 01 (2011-07-15)
1 Logging In to Switch
Step 3 Power on the switch to perform a self-check and the system performs automatic configuration.
When the self-check ends, you are prompted to press Enter until a command line prompt such
as <Quidway> appears.
Enter the command to check the running status of the switch or configure the switch.
Enter "?" for help.
----End
Networking Requirements
You can log in to the switch on other network segments through the PC or other terminals to
perform remote maintenance.
Figure 1-5 Establishing the configuration environment through WAN
IP
Network
PC
Switch
Target
Switch
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data
l
IP address of the PC
User information accessed through Telnet (including the user name, password, and
authentication mode)
Procedure
Step 1 Connect the PC and the switch to the network.
Issue 01 (2011-07-15)
1 Logging In to Switch
Click OK.
Enter the user name and password in the login window. After authentication, a command line
prompt such as <Quidway> appears. Now enter the configuration environment in the user view.
NOTE
Before logging in to the switch, ensure that the PC and switch can ping each other.
----End
Issue 01 (2011-07-15)
10
2 CLI Overview
CLI Overview
Issue 01 (2011-07-15)
11
2 CLI Overview
Hierarchical command protection for users of different levels, that is, running the
commands of the corresponding level.
Network testing commands such as tracert and ping for rapidly diagnosing a network.
The telnet command for directly logging in to and manage other switch.
A command line interpreter provides intelligent command resolution methods such as key
word fuzzy match and context conjunction. These methods make it easy for users to enter
their commands.
NOTE
l The system supports the command with up to 512 characters. The command can be incomplete.
l The system saves the incomplete command to the configuration files in the complete form; therefore,
the command may have more than 512 characters. When the system is restarted, however, the
incomplete command cannot be restored. Therefore, pay attention to the length of the incomplete
command.
Issue 01 (2011-07-15)
Level 0-Visit level: Commands of this level include commands of network diagnosis tool
(such as ping and tracert) and commands that start from the local device and visit external
device (such as Telnet client side).
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
12
2 CLI Overview
Level 1-Monitoring level: Commands of this level, including the display commands, are
used for system maintenance and fault diagnosis.
Level 2-Configuration level: Commands of this level are service configuration commands
that provide direct network service to the user, including routing and network layer
commands.
Level 3-Management level: Commands of this level are commands that influence the basic
operation of the system and provide support to the service. They include file system
commands, FTP commands, TFTP commands, XModem downloading commands,
configuration file switching commands, power supply control commands, backup board
control commands, user management commands, level setting commands, system internal
parameter setting commands, and debugging commands that are used for fault diagnosis.
CAUTION
Not all display commands are of the monitoring level. For example, the display currentconfiguration and display saved-configuration commands are of the management level. For
the level of a command, see the Quidway S5700 Series Command Reference.
To implement efficient management, you can increase the command levels to 0-15. For the
increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring
Command Levels in the Quidway S5700 Series Configuration Guide - Basic Configurations.
NOTE
l The default command level may be higher than the command level defined according to the command
rules in application.
l Login users have the same 16 levels as the command levels. The login users can use only the command
of the levels that are equal to or lower than their own levels. For details of login user levels, refer to
User Management.
# Type aaa in the system view, and you can enter the AAA view.
[Quidway] aaa
[Quidway-aaa]
Issue 01 (2011-07-15)
13
2 CLI Overview
NOTE
The prompt <Quidway> indicates the default switch name. The prompt <> indicates the user view and the
prompt [] indicates other views.
Some commands that are implemented in the system view can also be implemented in the other
views; however, the functions that can be implemented are command view-specific.
Common Views
The S5700 provides various command line views. For the methods of entering the command
line views except the following views, see the Quidway S5700 Command Reference.
l
User View
Item
Description
Function
Entry command
Prompt upon
entry
<Quidway>
Quit command
<Quidway>quit
Prompt upon
quit
None.
System View
Item
Description
Function
Sets the system parameters of the S5700, and enters other function
views from this view.
Entry command
<Quidway> system-view
Prompt upon
entry
[Quidway]
Quit command
[Quidway] quit
Prompt upon
quit
<Quidway>
Issue 01 (2011-07-15)
Item
Description
Function
Entry
command
14
2 CLI Overview
Item
Description
Prompt upon
entry
[Quidway-GigabitEthernetX/Y/Z]
Quit command
[Quidway-GigabitEthernetX/Y/Z] quit
Prompt upon
quit
[Quidway]
NOTE
X/Y/Z indicates the number of a GE interface that needs to be configured. It is in the format of
slot number/sub card number/interface sequence number.
If an LPU provides GE interfaces and 10GE interfaces, the difference lies in the subcard where
the 10GE interfaces reside. Generally, the sequence number of a 10GE interface is 1. If an LPU
provides only 10GE interfaces, the method of entering the 10GE interface view is the same as
the method of entering the GE interface view.
Context
The command line of S5700 provides three types of online help:
l
Full help
Partial help
In a command view, enter ? to obtain all the commands in this command view and
descriptions of the commands.
<Quidway> ?
Enter a command and a ? separated by a space. If a keyword is in place of the ?, all keywords
and their descriptions are listed. Here is an example.
[Quidway-ui-vty0] authentication-mode ?
aaa
AAA authentication
none
Login without checking
password Authentication through the password of a user terminal interface
[Quidway-ui-vty0] authentication-mode aaa ?
<cr>
[Quidway-ui-vty0] authentication-mode aaa
aaa, none and password are keywords. AAA authentication, Login without checking and
Authentication through the password of a user terminal interface are the descriptions of the
two keywords.
Issue 01 (2011-07-15)
15
2 CLI Overview
<cr> indicates that no key word or parameter is in this position and you can press Enter to
repeat the command in the next command line.
l
Context
You can obtain the partial help of the command line in the following ways.
Procedure
l
Enter a character string with a "?" closely following it to display all commands that begin
with this character string.
<Quidway> d?
debugging
dir
Enter a command and a character string with "?" closely following it to display all the key
words that begin with this character string.
<Quidway> display b?
bfd
bootrom
bpdu-tunnel
delete
display
bgp
bpdu
buffer
Enter the first several letters of a key word in the command and then press Tab to display
the complete key word on the condition that the letters uniquely identify the key word.
Otherwise, if you continue to press Tab, different key words are displayed. You can select
the needed key word.
----End
Unrecognized command
Issue 01 (2011-07-15)
16
2 CLI Overview
Error messages
Wrong parameter
Incomplete command
Ambiguous command
2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using
certain keys.
The command line supports multi-line edition. The maximum length of each command is 512
characters.
Keys for editing that are often used are shown in Table 2-2.
Table 2-2 Keys for editing
Issue 01 (2011-07-15)
Key
Function
Common key
Backspace
Deletes the character on the left of the cursor that moves to the
left. When the cursor reaches the head of the command, an alarm
is generated.
Moves the cursor to the left by the space of a character. When the
cursor reaches the head of the command, an alarm is generated.
17
2 CLI Overview
Key
Function
Tab
Press Tab after typing the incomplete key word and the system
runs the partial help:
l If the matching key word is unique, the system replaces the
typed one with the complete key word and displays it in a new
line with the cursor a space behind.
l If there are several matches or no match at all, the system
displays the prefix first. Then you can press Tab to view the
matching key word one by one. In this case, the cursor closely
follows the end of the word and you can type a space to enter
the next word.
l If a wrong key word is entered, press Tab and the word is
displayed in a new line.
2.3.2 Displaying
All command lines have the same displaying feature. You can construct the displaying mode as
required.
You can control the display of information on CLI as follows:
l
When the information displayed exceeds a full screen, it provides the pause function. In
this case, the user has three choices as shown in Table 2-3.
Function
Ctrl_C
Space
Enter
18
2 CLI Overview
Searching for and obtaining a sub-string that matches a rule in the string.
Common characters
Common characters are used to match themselves in a string, including all upper-case and
lower-case letters, digits, punctuations, and special symbols. For example, a matches the
letter "a" in "abc", 202 matches the digit "202" in "202.113.25.155", and @ matches the
symbol "@" in "xxx@xxx.com".
Particular characters
Particular characters are used together with common characters to match the complex or
particular string combination. Table 2-4 describes particular characters and their syntax.
Table 2-4 Description of particular characters
Particul
ar
characte
r
Syntax
Example
\* matches "*".
Issue 01 (2011-07-15)
19
2 CLI Overview
Particul
ar
characte
r
Syntax
Example
()
x|y
Matches x or y.
[xyz]
[^xyz]
[a-z]
[^a-z]
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
Issue 01 (2011-07-15)
20
2 CLI Overview
The right bracket such as ")" or "]" being not paired with its corresponding left bracket
"(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules are applicable when preceding regular expressions
serve as subexpressions within parentheses.
CAUTION
The Quidway S5700 Series uses a regular expression to implement the filtering function of the
pipe character. A display command supports the pipe character only when there is excessive
output information.
When the output information is queried according to the filtering conditions, the first line of the
command output starts with the information containing the regular expression.
The command can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For the commands supporting regular expressions, the three filtering methods are as follows:
l
| begin regular-expression: displays the information that begins with the line that matches
regular expression.
| exclude regular-expression: displays the information that excludes the lines that match
regular expression.
| include regular-expression: displays the information that includes the lines that match
regular expression.
NOTE
/regular-expression: displays the information that begins with the line that matches regular
expression.
-regular-expression: displays the information that excludes lines that match regular
expression.
+regular-expression: displays the information that includes lines that match regular
expression.
Issue 01 (2011-07-15)
21
2 CLI Overview
Key or Command
Result
Display the
history
commands.
display historycommand
Up cursor key or
Ctrl_P
NOTE
On the HyperTerminal of Windows 9X, cursor key is invalid as the HyperTerminals of Windows 9X
define the keys differently. In this case, you can replace the cursor key with Ctrl_P.
The saved history commands are the same as that those entered by users. For example, if
the user enters an incomplete command, the saved command also is incomplete.
If the user runs the same command several times, the earliest command is saved. If the
command is entered in different forms, they are considered as different commands.
For example, if the display ip routing-table command is run several times, only one history
command is saved. If the disp ip routing command and the display ip routing-table
command are run, two history commands are saved.
Issue 01 (2011-07-15)
22
2 CLI Overview
NOTE
Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may
be different from those listed in this section.
Function
CTRL_A
CTRL_B
CTRL_C
CTRL_D
CTRL_E
CTRL_F
CTRL_H
CTRL_K
CTRL_N
CTRL_P
CTRL_R
CTRL_T
CTRL_V
CTRL_W
CTRL_X
CTRL_Y
CTRL_Z
CTRL_]
ESC_B
ESC_D
ESC_F
ESC_N
ESC_P
Issue 01 (2011-07-15)
23
2 CLI Overview
Procedure
l
2.
Press Tab.
The system replaces the incomplete keyword with a complete keyword and displays
the complete keyword in another line. There is only one space between the cursor and
the end of the keyword.
[Quidway] info-center
1.
loghost
2.
Press Tab.
The system displays the prefix of all the matched keywords. The prefix in this example
is log.
[Quidway] info-center log
3.
Continue to press Tab to display all the keywords. There is no space between the
cursor and the end of the keywords.
[Quidway] info-center loghost
[Quidway] info-center logbuffer
Stop pressing Tab when you find the required keyword logbuffer.
4.
----End
Issue 01 (2011-07-15)
24
Issue 01 (2011-07-15)
25
A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called
interfaces in this document.
Management Interface
Management interfaces are used to manage and configure a device. You can log in to the
S5700 through a management interface to configure and manage the S5700. Management
interfaces do not transmit service data.
The S5700 provides a console interface and an MEth interface as the management interface.
Table 3-1 Description of management interfaces
Name
Description
Usage
Console
interface
MEth
interface
The following table shows the rule for numbering management interfaces.
Table 3-2 Management interface numbers
Issue 01 (2011-07-15)
Name
Number
Console interface
Console 0
MEth interface
MEth 0/0/1
26
Slot ID: indicates the slot where an interface is located. The value is 0.
Subcard ID: indicates the subcard where an interface is located. The value is 0 or 1.
The value 1 indicates that the subcard is a front card.
In a stack system, interfaces are numbered in the format stack ID/subcard ID/interface sequence
number.
l
Stack ID: indicates the ID of an S5700 in the stack system. The value ranges from 0 to 8.
Interface sequence number: indicates the sequence number of an interface on the S5700.
...
...
...
1
Description
The S5700 has two rows of service
interfaces with the lower-left interface
numbered 1. The other interfaces are
numbered in ascending order from
bottom to up, and then from left to right.
For example, the upper-left interface
numbered 0/0/2.
Physical Interfaces
Physical interfaces are interfaces that actually exist on the S5700.
Physical interfaces include management interfaces and service interfaces.
The S5700 supports the following physical interfaces:
l
Console interface
Eth interface
Logical Interfaces
Logical interfaces do not exist and are set up by configurations.
Issue 01 (2011-07-15)
27
Eth-Trunk
The Eth-Trunk consists of Ethernet links only.
The Eth-Trunk technique has the following advantages:
Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all
member interfaces.
Improved reliability: When a link fails, traffic is automatically switched to other
available links. This ensures link reliability.
For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the
Quidway S5700 Series Ethernet Switches Configuration Guide - Ethernet.
Loopback interface
A loopback interface is a virtual interface. The TCP/IP protocol suite defines IP address
127.0.0.0 as a loopback address. When the system starts, it automatically creates an
interface using the loopback address 127.0.0.1 to receive all data packets sent to the local
device.
Some applications such as mutual access between virtual private networks need a local
interface with a specified IP address without affecting the configuration of physical
interfaces. This IP address has a 32-bit mask (to save IP addresses) and can be advertised
by routing protocols.
The status of a loopback interface is always Up; therefore, the IP address of the loopback
interface can be used as the router ID, the label switching router (LSR) ID, or be land to a
tunnel.
For details, see 3.3 Configuring the Loopback Interface.
Null interface
Null interfaces are similar to null devices supported by certain operating systems. Any data
packets sent to a null interface are discarded. Null interfaces are used for route selection
and policy-based routing (PBR). For example, if a packet matches no route during route
selection, the packet is sent to the null interface.
Tunnel interface
A tunnel interface can be used as the backup interface of other interfaces and used to set
up Generic Routing Encapsulation (GRE) tunnels or Multiprotocol Label Switching
(MPLS) Traffic Engineering (TE) tunnels.
VLANIF interface
When the S5700 needs to communicate with devices at the network layer, you can create
a logical interface of the Virtual Local Area Network (VLAN) on the S5700, namely, a
VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF
interfaces work at the network layer. The S5700 then communicates with devices at the
network layer through VLANIF interfaces.
For details about the configuration, see "Configuring the VLANIF Interface" in the
Quidway S5700 Series Ethernet Switches Configuration Guide - Ethernet.
Issue 01 (2011-07-15)
28
Applicable Environment
To facilitate the configuration and maintenance of an interface, the S5700 provides interface
views. The commands related to the interface are valid only in the interface views.
The basic interface configurations include entering an interface view, configuring interface
description, enabling an interface, and disabling an interface.
Pre-configuration Tasks
Installing the LPU on the S5700
Data Preparation
To set parameters of an interface, you need the following data.
No.
Data
Context
Do as follows on the S5700.
Procedure
Step 1 Run:
system-view
29
Context
Do as follows on the S5700.
Procedure
Step 1 Run:
system-view
All the commands in the view of the specified interface are displayed.
----End
Procedure
Step 1 Run:
system-view
30
Context
NOTE
Procedure
l
Run:
system-view
Run:
interface interface-type interface-number
Run:
shutdown
Starting an interface
Do as follows on the S5700.
1.
Run:
system-view
Run:
interface interface-type interface-number
Run:
undo shutdown
Context
When you access a network through an interface, you need to further setting multiple parameters
of the interface based on the networking requirements in addition to performing basic
configurations on the interface.
Further configurations of an interface include:
Issue 01 (2011-07-15)
31
Configuring routes
For the detailed Configuration, please see the other configuration manuals of S5700.
For the detailed Configuration, please see Quidway S5700 Series Ethernet Switches
Configuration Guide - Ethernet and Quidway S5700 Series Ethernet Switches Configuration
Guide - IP Routing.
Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running
status of the interface and the statistics on the interface.
Step 2 Run the display interface description command to check the brief information about the
interface
Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main
configurations of the interface.
Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the
brief state of the interface.
----End
Applicable Environment
Some applications such as mutual access between virtual private networks need to be configured
with a local interface with a specified IP address when the configuration of a physical interface
is not affected. In this case, the IP address of the local interface needs to be advertised by routing
protocols. Loopback interfaces are used to improve the reliability of the configuration.
Pre-configuration Tasks
Before configuring the loopback interface, complete the following task:
l
Issue 01 (2011-07-15)
32
Data Preparation
To configure the loopback interface, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
The loopback interface is configured to check the source IPv4 addresses of packets.
----End
Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of the loopback
interface.
----End
Issue 01 (2011-07-15)
33
Procedure
Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user
view to clear the statistics on the interface.
----End
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
For the description about debugging commands, see the Quidway S5700 Series Ethernet
Switches Debugging Reference.
For details about debugging commands on an interface, see the following chapters.
Issue 01 (2011-07-15)
34
4 Basic Configuration
Basic Configuration
Issue 01 (2011-07-15)
35
4 Basic Configuration
Basic system environment: includes the language mode, host name, system name, system
time, header text, and command level for actual environment.
Basic user environment: includes password for changing levels and the terminal lock.
Applicable Environment
Before configuring the services, you need to configure the basic system environments to meet
the requirements of the actual environments.
By default, the S5700 supports commands of Level 0 to Level 3, namely, visit level, monitoring
level, configuration level, and management level.
If the user needs to define more levels, or refine management privileges on the device, the user
can extend the range of command line level from the range of Level 0 to Level 3 to the range of
Level 0 to Level 15.
Pre-configuration Tasks
Before configuring basic system environment, complete the following task:
l
Data Preparation
To configure basic system environment, you need the following data.
Issue 01 (2011-07-15)
No.
Data
System time
Host name
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
36
No.
Data
Login information
Command level
4 Basic Configuration
Context
Do as follows on the switch:
Procedure
Step 1 Run:
system-view
Context
You need to set the system time properly to ensure the cooperation between the S5700 and other
devices. The S5700 supports the configurations of the time zone and the daylight saving time.
NOTE
Procedure
Step 1 Run:
clock datetime
Issue 01 (2011-07-15)
HH:MM:SS YYYY-MM-DD
37
4 Basic Configuration
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]
When the current time is within the daylight saving time, running the clock timezone time-zone-name
{ add | minus } offset command can successfully set the time zone name. If the display clock command
is run to view the time zone name at the moment, the time zone name, however, is displayed as the name
of the daylight saving time. After the daylight saving time ends, the set time zone name can be displayed.
----End
Context
Do as follows on the switch:
Procedure
Step 1 Run:
system-view
38
4 Basic Configuration
l If a user logs in to the switch by using SSH1.X, the login header is not displayed during login, but the
shell header is displayed after login.
l If a user logs in to the switch by using SSH2.0, both login and shell headers are displayed.
----End
Context
If the user does not adjust a command level separately, after the command level is updated, all
originally-registered command lines adjust automatically according to the following rules:
l
The command Level 2 is updated to Level 10 and Level 3 is updated to Level 15.
No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust
the command lines to these levels separately to refine the management of privilege.
NOTE
The updation of command Level 2 to Level 10 and Level 3 to Level 15 is not a two-step process but onestep by batch.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
39
4 Basic Configuration
The command level is configured. With the command, you can specify the level and view
multiple commands at one time (command-key).
All commands have default command views and levels. You need not reconfigure them.
----End
Applicable Environment
The user can log in to a switch with lower level to perform simple configurations or view
configurations. When the configuration is complicated, the user needs to switch to a high level.
Thus, it requires the user to configure the basic environment for switching levels.
Pre-configuration Tasks
Before configuring the basic environment for the user, complete the following task:
l
Data Preparation
To configure the basic environment for the user, you need the following data:
No.
Data
Context
When users log in to the switch with a lower user level, they switch to a higher user level to
perform advanced operations by entering the corresponding password. The password needs to
be configured in advance.
Issue 01 (2011-07-15)
40
4 Basic Configuration
CAUTION
When simple is used, the password is saved in the configuration files in simple text. Login users
with lower level can obtain the password by viewing the configuration. This may cause security
problems. Therefore, cipher is used to save the password in encrypted text.
If the pass word is set in cipher mode, the password cannot be resumed from the system. Save
the password to avoid oblivion or miss.
Do as follows on the switch:
Procedure
Step 1 Run:
system-view
Context
An accurate password must be entered when the user is switched from a lower level to a higher
level.
Do as follows on the switch:
Procedure
Step 1 Run:
super [ level ]
When the login user of lower level is switched to the user of higher level through the super command, the
system automatically sends trap messages and records the switchover in a log. When the switched level
is lower than that of the current level, the system only records the switchover in a log.
----End
Issue 01 (2011-07-15)
41
4 Basic Configuration
Context
When you leave the operation terminals for a moment, you can lock the user interface to prevent
unauthorized users from operating the interface.
Do as follows on the switch:
Procedure
Step 1 Run:
lock
If the locking is successful, the system prompts that the user interface is locked.
You must enter a correct password to unlock the user interface.
----End
Context
You can use the display commands to collect information about the system status. The display
commands are classified according to the following functions:
l
See the related sections for display commands for protocols and interfaces. The following only
shows the system display commands.
Run the following commands in any view.
42
4 Basic Configuration
Prerequisite
Basic Configuration are complete.
Procedure
l
----End
Prerequisite
Basic configuration are complete.
Procedure
l
Run the display this command to display the configuration of the current view.
----End
Context
Basic configuration is complete.
Procedure
Step 1 Run:
display diagnostic-information [ file-name ]
43
5 User Management
User Management
Issue 01 (2011-07-15)
44
5 User Management
Purpose
Description
CON
VTY
Relative numbering
Relative numbering indicates that the interfaces of the same type are numbered. The relative
numbering uniquely specifies a user interface of a specified type.
The format of the relative numbering is: user interface type + number. It must comply with
the following rules:
Number of the CON interface: console0
Default number of the VTY: vty0, vty1, vty2, vty3, and vty4
Absolute numbering
The S5700 uniquely specifies the default numbers of 0, 34 38 for the user interfaces of
CON and VTY. You can enter a specific user interface view by entering any of these
numbers.
Issue 01 (2011-07-15)
45
5 User Management
Relative
numbering
Obsolute
numbering
console0
VTY
vty0
34
vty1
35
vty2
36
vty3
37
vty4
38
In the figure, console 0 and 0 indicate the same user interface; vty1 and 35 indicate the
same user interface.
NOTE
Issue 01 (2011-07-15)
User Type
Description
Authentication
Super users
46
5 User Management
User Type
Description
Authentication
Telnet users
Recommended
SSH users
Recommended
FTP users
Recommended
The rights that can be obtained by users logging in to the S5700 through Telnet, SSH, and FTP
depend on the priorities of the user interfaces through which they log in to. The S5700 provides
multiple services for a user. To ensure login convenience and security, login users must be
classified, and then assigned levels.
Priorities of Users
The system manages super users and Telnet users according to user levels.
Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater
the number, the higher the user level.
NOTE
If the user levels are not set, the four default user levels are used, namely, levels 0 to 3.
The level of the command that a user can run is determined by the level of this user.
l
In the case of non-authentication or password authentication, the level of the command that
the user can run depends on the level of the user interface.
In the case of AAA authentication, the command that the user can run depends on the level
of the local user specified in AAA configuration.
Users of a level can access the commands of this level or lower levels.
Assuming that user levels 0 to 3 are used in the system, users of level 2 can access commands
of levels 0, 1, and 2, and users of level 3 can access commands at all levels.
Issue 01 (2011-07-15)
47
5 User Management
Description
Nonauthentication
Users can log in to the S5700 without entering the user name and password.
There is a great potential security risk.
Password
authentication
Users can log in to the S5700 by entering only the password. In this
manner, security is ensured.
AAA
authentication
Users need to enter both the user name and password to log in to the
S5700. The S5700 then authenticates the users according to the configured
user information. This further improves security. It applies to the users
logging in to the S5700 through the console interface and Telnet users.
PC
Console interface
Switch
NOTE
If the S5700 is switched on for the first time and you need to manage and configure the S5700, you can
log in to the S5700 through the console interface only.
Pre-configuration Tasks
Before logging in to the S5700 through the console interface, complete the following tasks:
l
Data Preparation
None.
Issue 01 (2011-07-15)
48
5 User Management
Procedure
Step 1 Enable the HyperTerminal on the PC.
Choose Start > All Programs > Accessories > Communications > HyperTerminal to start
the HyperTerminal.
Step 2 Set up a new connection.
As shown in Figure 5-3, enter the name of the new connection in the Name text box and choose
an icon. Click OK.
Figure 5-3 Setting up a new connection
Issue 01 (2011-07-15)
49
5 User Management
In other Windows operating systems, Bits per second may be described as Baud rate; Flow control may
be described as Traffic control.
Issue 01 (2011-07-15)
50
5 User Management
Value
9600
Data bit
Parity check
None
Stop bit
None
Step 5 After the HyperTerminal is started, select File Attributes to enter the Connect Properties
window as shown in Figure 5-6. Choose the Setting tab, select Auto detect or VT100 from the
Emulation drop-down list box. Click OK to complete the setting.
Issue 01 (2011-07-15)
51
5 User Management
After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, it
indicates that you have logged in to the S5700. At this time, you can enter the command to
configure and manage the S5700.
----End
Applicable Environment
A console user interface is required for maintaining the local switch.
Pre-configuration Tasks
Before configuring a console interface, complete the following tasks:
Issue 01 (2011-07-15)
52
5 User Management
Data Preparation
To configure a console interface, you need the following data.
No.
Data
Baud rate, flow-control mode, parity, stop bit, and data bit
User priority
NOTE
All the configuration items of the switch, excluding the user name and password, have default values and
do not need to be configured additionally.
Context
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
53
5 User Management
The flow control mode is set. By default, the flow-control mode is none.
Step 5 (Optional) Run:
parity { even | mark | none | odd | space }
When the user logs in to a switch through a console port, the configured attributes for the console port on
the HyperTerminal should be in accordance with the attributes of the interface on the switch. Otherwise,
the user cannot log in to the switch.
----End
Context
Do as follows on the switch to which a user logs in:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
54
5 User Management
The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value
Context
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view
55
5 User Management
For more information about the command priority, see "Command Level" in Chapter 3 "CLI
Overview".
----End
Procedure
l
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode aaa
Run:
quit
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode password
Run:
set authentication password { cipher | simple } password
56
5 User Management
Configuring Non-Authentication
1.
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode none
Prerequisite
The configurations of the User Management function are complete.
Procedure
l
Run the display users [ all ] command to check information about user interface.
Run the display local-user command to check the local user list.
----End
Applicable Environment
If you want to log in to the switch using Telnet or SSH to perform management or configuration
operations, .a VTY interface is required.
Issue 01 (2011-07-15)
57
5 User Management
Pre-configuration Tasks
Before configuring a VTY user interface, complete the following tasks:
l
Data Preparation
To configure a VTY user interface, you need the following data.
No.
Data
(Optional) Number of the ACL for limiting incoming and outgoing calls of users
logging in using VTY user interfaces
Timeout period for idle users, maximum number of lines to be displayed on each
screen , maximum number of characters in each line, and the size of the history
command buffer
Context
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view
The maximum VTY user interfaces that can log in to the switch is set.
NOTE
When the maximum number of VTY user interfaces is set to zero, any user including the NMS user cannot
log in to a switch.
If the maximum number of VTY user interfaces to be configured is smaller than the maximum
number of current interfaces, other parameters need not be configured.
Issue 01 (2011-07-15)
58
5 User Management
If the maximum number of VTY user interfaces to be configured is larger than the maximum
number of current interfaces, the authentication mode and password need to be configured for
newly added user interfaces.
For newly added user interfaces, the system applies password authentication by default.
For example, a maximum of five users are allowed online. To allow 15 VTY users online at the
same time, you need to run the authentication-mode command and the set authentication
password command to configure authentication modes and passwords for user interfaces from
VTY 5 to VTY 14. The command is run as follows:
<Quidway> system-view
[Quidway] user-interface maximum-vty 15
[Quidway] user-interface vty 5 14
[Quidway-ui-vty5-14] authentication-mode password
[Quidway-ui-vty5-14] set authentication password cipher huawei
----End
Context
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view
59
5 User Management
Context
Do as follows on the switch:
Procedure
Step 1 Run:
system-view
The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value
Context
The switch supports user authentication of three types:
Issue 01 (2011-07-15)
60
5 User Management
Password authentication: requires no user name but a password must be set. Otherwise, the
user can log in to the switch only through the console interface.
None: requires neither user name nor password. No authentication is needed when the user
logs in to the switch.
Procedure
1.
Run:
system-view
Run:
user-interface vty number1 [ number2 ]
Run:
authentication-mode aaa
Run:
quit
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
Run:
system-view
Run:
user-interface vty number1 [ number2 ]
Run:
authentication-mode password
Run:
set authentication password { cipher | simple } password
Configuring Non-Authentication
1.
Issue 01 (2011-07-15)
61
5 User Management
system-view
Run:
user-interface vty number1 [ number2 ]
Run:
authentication-mode none
Prerequisite
The configuration of VTY User Interface are complete.
Procedure
l
Run the display users [ all ] command to check the usage information of the user interface.
Run the display user-interface maximum-vty command to check the number of maximum
VTY user interfaces.
----End
Applicable Environment
To ensure that the operator managesswitchs safely, you need to send messages between user
interfaces and clear designated user.
Pre-configuration Tasks
Before managing the user interface, complete the following tasks:
Issue 01 (2011-07-15)
62
5 User Management
Data Preparations
To manage the user interface, you need the following data:
No.
Data
Context
Do as follows on the switch:
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
Context
Do as follows on the switch:
Procedure
Step 1 Run:
free user-interface { ui-number | ui-type ui-number1 }
63
5 User Management
Prerequisite
The configuration of User Interfaces are complete.
Procedure
Step 1 Run the display users [ all ] command to check the usage information of the user interface.
----End
Applicable Environment
After the IP address is assigned to the main control board or the interface board, any remote user
can use Telnet to log in to the switch, or connect the switch through PPP to access networks.
This compromises the security. To ensure network security and ease user management, configure
a user name and the user password for the switch.
Pre-configuration Tasks
Before configuring a user, complete the following tasks:
l
Data Preparation
To configure a user, you need the following data.
Issue 01 (2011-07-15)
No.
Data
Authentication mode
User priority
64
5 User Management
Context
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view
65
5 User Management
NOTE
----End
Context
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
66
5 User Management
Context
CAUTION
Configuring the non-authentication mode may cause security problems of the switch.
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view
l If the authentication mode is non-authentication or password authentication, the priority of the userinterface determines the command level that the users can access.
l If the authentication mode needs the username and the password, the priority of the user determines
the command level that the users can access.
----End
Context
Refer to the Quidway S5700 Series Configuration Guide - Security.
Prerequisite
The configuration of User Management are complete.
Procedure
l
Issue 01 (2011-07-15)
Run the display users [ all ] command to check the user information.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
67
Run the display local-user command to check the local user list.
5 User Management
----End
Context
CAUTION
After the first and second configuration examples are complete, the commands with priorities
higher than 2 cannot be run if the current user is VTY0. Ensure that users can log in to
theswitch in other methods to delete configurations.
Networking Requirements
The COM port of the PC is connected with the Console port. Set the priority of VTY0 to 2 and
authenticate the passwords of users. Users need to enter the password Huawei to log in
successfully.
After login, if the operations are not carried out in 30 minutes, it means that the user-interface
is disconnected from the switch.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
l
Issue 01 (2011-07-15)
68
5 User Management
Procedure
Step 1 Configure the priority of VTY0 to be 2 on the Switch.
<Quidway> system-view
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2
----End
Configuration Files
#
sysname Quidway
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
#
user-interface vty 0
user privilege level 2
set authentication password simple huawei
idle-timeout 30
#
return
Networking Requirements
The COM port of the PC and the console port of the switch are connected.
Configure the priority of VTY0 to be 2, perform AAA authentication on the user that logs in
through VTY0. The login user must enter the username "huawei" and the password "huawei".
After login, if the user does not operate the switch within 30 minutes, the connection with the
switch is disabled.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Enter the user interface view to configure the priority of VTY0 to be 2 and the disconnection
time.
2.
Enter the AAA view to configure the username, the password, and the user level.
3.
Switch on the idle timeout for the local user in the AAA view.
Data Preparation
To complete the configuration, you need the following data:
Issue 01 (2011-07-15)
69
Disconnect time
5 User Management
Procedure
Step 1 Configure the priority of VTY0 to be 2 and the disconnection time within 30 minutes.
<Quidway> system-view
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2
[Quidway-ui-vty0] authentication-mode aaa
[Quidway-ui-vty0] idle-timeout 30
[Quidway-ui-vty0] quit
Step 2 Configuring the local username, the password, and user level.
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei
[Quidway-aaa] local-user huawei privilege level 2
----End
Configuration Files
#
sysname Quidway
#
aaa
local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user huawei privilege level 2
local-user huawei idle-cut
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
user-interface vty 0
authentication-mode aaa
user privilege level 2
idle-timeout 30
#
return
Issue 01 (2011-07-15)
70
Issue 01 (2011-07-15)
71
Storage Device
A storage device is a hardware device used to store data.
Different products support different storage devices. Currently, the S5700 supports the flash
memory.
File
A file stores and manages information.
Directory
A directory collects and organizes files. It is a logical container of files.
Data Preparation
To manage a storage device, you need the following data.
Issue 01 (2011-07-15)
No.
Data
Device name
72
Context
Do as follows on the switch:
Procedure
Step 1 Run:
fixdisk device-name
After this command is run, if the prompt that the system should be repaired is still received, it indicates
that the physical medium may be damaged.
----End
CAUTION
After the format flash: command is run, the files and directories in the Flash are cleared and
cannot be restored. So, confirm the action before you use the command.
Procedure
Step 1 Run the following command in the user view:
format flash:
73
Applicable Environment
When you need to transfer files between the client and the server, configure the directory by
using the file system.
Pre-configuration Tasks
Before configuring the management directory, complete the following tasks:
l
Data Preparation
To configure a management directory, you need the following data.
No.
Data
Context
Do as follows on the switch.
Procedure
Step 1 Run:
pwd
Context
Do as follows on the switch:
Procedure
Step 1 Run:
cd directory
Issue 01 (2011-07-15)
74
A directory is specified.
Step 2 Run:
pwd
Context
Do as follows on the switch:
Procedure
Step 1 Run:
cd directory
Context
Do as follows on the switch:
Procedure
Step 1 Run:
cd directory
75
Context
Do as follows on the switch:
Procedure
Step 1 Run:
cd directory
Applicable Environment
To view, delete, or rename files on the switch, you need to configure files using the file system.
Pre-configuration Tasks
Before configuring the file system, complete the following tasks:
l
Data Preparation
To configure a file system, you need the following data.
Issue 01 (2011-07-15)
No.
Data
76
Context
Do as follows on the switch:
Procedure
Step 1 Run:
cd directory
Context
Do as follows on the switch:
Procedure
Step 1 Run:
cd directory
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
----End
Context
Do as follows on the switch:
Issue 01 (2011-07-15)
77
Procedure
Step 1 Run:
cd directory
Context
Do as follows on the switch:
Procedure
Step 1 Run:
cd directory
Context
Do as follows on the switch.
Procedure
Step 1 Run:
zip source-filename destination-filename
78
Context
Do as follows on the switch:
Procedure
Step 1 Run:
cd directory
Context
Do as follows on the switch:
Procedure
Step 1 Run:
reset recycle-bin [ filename ]
Context
Do as follows on the switch:
Procedure
Step 1 Run:
undelete filename
l If the current directory is not the parent directory, you must operate the file by using the absolute path.
l If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being
deleted.
----End
Issue 01 (2011-07-15)
79
Prerequisite
Uploading the batched files on the client end to the switch.
Context
When the batch file is created, you can run the batch file to implement routine tasks
automatically.
Procedure
Step 1 Run:
system-view
Prerequisite
Before configuring a file system, complete the following tasks:
l
Context
The data may be lost or damaged during the process, and the prompt is required.
Procedure
Step 1 Run:
system-view
80
CAUTION
If the prompt is in the quiet mode, no prompt appears for data lossdue to maloperation.
----End
Issue 01 (2011-07-15)
81
Issue 01 (2011-07-15)
82
l Before loading the configuration file to V200R006C00, check whether the configuration file contains
the preceding message. If not, the system processes the configuration file in the same way as earlier
configuration file. In this case, some configurations may not function properly.
The configuration file of V200R006C00 must begin with the message like "!Software
Version V200R006C00."
To save space, default parameters are not saved. For the default values of the configuration
parameters, see following sections.
Commands are organized on the basis of the command view. All commands of the identical
command view are grouped into a section. Every two command sections are separated by
one or several blank lines or comment lines (beginning with "#").
l The system can run the command with the maximum length of 512 characters, including the command
in an incomplete form.
l If the configuration is in the incomplete form, the command is saved in complete form. Therefore, the
command length in the configuration file may exceed 512 characters. When the system restarts, these
commands cannot be restored.
Initial configurations: On powering on, the switch retrieves the configuration files from a
default save path to initiate itself. If configuration files do not exist in the default save path,
the switch uses the default parameters.
Users can modify the current configurations of the switch through the command line
interface. Use the save command to save the current configuration to the configuration file
of the default storage devices, and the current configuration becomes the initial
configuration of the switch when the switch is powered on next time.
Issue 01 (2011-07-15)
83
Applicable Environment
In one of the following situations, you need to manage configuration files:
l
To start the switch normally, you need to select the correct S5700 system software and
configuration file for the switch to load.
After modifying current configurations, you need to save the modified contents.
Pre-configuration Tasks
Before managing configuration files, complete the following task:
l
Data Preparation
To manage configuration files, you need the following data.
No.
Data
The number of the start line from which the comparison of the configuration files
begins
7.2.2 Configuring System Software for a switch to Load for the Next
Startup
To upgrade the system software of a switch, you can specify the S5700 system software to be
loaded for the next startup.
Context
Do as follows on the switch:
Issue 01 (2011-07-15)
84
Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The S5700 system software for the switch to load next time when it starts is configured.
The system software package must use .cc as the extension and be saved to the root directory of
the flash memory.
If the BootROM version of next startup software that you specify is different from the current
BootROM version, the system prompts you to upgrade the BootRom.
----End
7.2.3 Configuring the Configuration File for Switch to Load for the
Next Startup
Before restarting a switch, you can specify the configuration files that are loaded for the next
startup.
Context
Do as follows on the switch:
Procedure
Step 1 Run:
startup saved-configuration configuration-file
Configuration file is saved for the switch to load next time on startup.
The filename extension of the configuration file must be .cfg or .zip, and must be stored in the
root directory of a storage device.
When the switch turns on, it initiates by reading the configuration file from the flash memory
by default. Thus, the configuration in this configuration file is called initial configuration. If no
configuration file is saved in the flash, the switch initiates with default parameters.
The effective configuration when a switch is working is called current configuration.
----End
Procedure
l
Run:
save [ all ] [ configuration-file ]
85
The user can modify the current configuration through the command line interface. To set
the current configuration as initial configuration when the switch starts next time, you can
use the save command to save the current configuration in the flash memory.
You can use the save all command to save all the current configurations, including the
configurations of the boards that are not inserted, to the default directory.
NOTE
When saving the configuration file for the first time, if you do not specify the optional parameter
configuration-file, the switch asks you whether to save the file as "vrpcfg.zip" or not.
----End
Context
The configuration file stored in the flash memory needs to be cleared in the following cases:
l
The system software does not match the configuration file after the switch has been
upgraded.
The configuration file is destroyed or an incorrect configuration file has been loaded.
Procedure
Run the reset saved-configuration command to clear the currently loaded configuration
file.
If the configuration file of the switch used for the current startup is the same as that used
for the next startup, running the reset saved-configuration command will clear both
the configuration files. The switch will uses the default configuration file for the next
startup.
If the configuration file of the switch used for the current startup is different from that
used at the next startup, running the reset saved-configuration command will clear the
configuration file used for the current startup.
If the configuration file of the switch used for the current startup is empty, the system
will prompt you that the configuration file does not exist after you run the reset savedconfiguration command.
If you do not run the startup saved-configuration configuration-file command to specify
a new correct configuration file, or do not run the save command to save the configuration
file after the configuration file is cleared, the switch will use the default configuration file
at the next startup.
----End
86
Context
Do as follows on the switch:
Procedure
Step 1 Run:
compare configuration [ configuration-file ] [ current-line-number save-linenumber ]
The current configuration is compared with the configuration file for next startup.
If no parameter is set, the comparison begins with the first lines of configuration files. currentline-number and save-line-number are used to continue the comparison by ignoring the
differences between the configuration files.
When comparing differences between the configuration files, the system displays the contents
of the current configuration file and saved configuration file from the first different line. By
default, 150 characters are displayed for each configuration file. If the number of characters from
the first different line to the end is less than 150, the contents after the first different line are all
displayed.
In comparing the current configurations with the configuration file for next startup, if the
configuration file for next startup is unavailable or its contents are null, the system prompts that
reading files fails.
----End
Prerequisite
The configuration of Managing Configuration Files are complete.
Procedure
l
Run the display saved-configuration [ last ] command to check the configuration file that
the switch loads the next time when it starts.
Run the display startup command to check the file information used by the device upon
start.
Run the dir [ /all ] [ filename ] command to check check the file information in storage
device.
----End
Example
After the configurations succeed, run the preceding commands, and you can find the following
results:
l
Issue 01 (2011-07-15)
The current configuration of the switch is correct without any redundant configuration.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
87
The S5700 system software and configuration file that are to be loaded on the switch next
time are correct and they are saved in the root directory of the storage device.
Issue 01 (2011-07-15)
88
Issue 01 (2011-07-15)
89
8.1.1 FTP
You can transfer files between local and remote hosts through FTP. FTP is commonly used in
version upgrade, log downloading, file transfer, and configuration saving.
File Transfer Protocol (FTP) is an application layer protocol in the TCP/IP protocol suite. It
implements file transfer between local and remote hosts based on related file systems. The FTP
protocol is implemented based on corresponding file system.
The switch provides the following FTP services:
l
FTP server service. Users can run the FTP client program to log in to the switch and access
the files on the switch.
FTP client service. Users can establish a connection with the switch by running a terminal
emulation program or a Telnet program on a PC. Enter an FTP command to connect with
the remote FTP server and access the files on the remote host.
8.1.2 TFTP
TFTP does not have a complex interactive access interface and authentication control. TFTP is
applicable when there is no complex interaction between the client and server.
The Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Compared with FTP, TFTP does not have a complex interactive access interface and
authentication control. TFTP is applicable in an environment where there is no complex
interaction between the client and the server. For example, TFTP is used to obtain the memory
image of the system when the system starts up.
TFTP is implemented based on the User Datagram Protocol (UDP).
The client initiates the TFTP transfer. To download files, the client sends a read request packet
to the TFTP server, receives packets from the server, and sends acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives acknowledgement from the server.
TFTP transfers the files in two formats:
l
At present, the S5700 serves only as the TFTP client and transfers files in the binary format.
Issue 01 (2011-07-15)
90
Applicable Environment
When the switch serves as the FTP server, after the client logs in to the switch through FTP, the
user can transfer files between the client and the server.
Pre-configuration Tasks
Before configuring the switch as the FTP server, complete the following tasks:
l
Data Preparation
To configure the switch as the FTP server, you need the following data.
NOTE
No.
Data
Context
If the FTP is not enabled, change the FTP port as required.
If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and
then change the FTP port.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
91
Procedure
Step 1 Run:
system-view
When the file operation between clients and the switch ends, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This ensures the security of the switch.
----End
Context
If the client is idle for the configured time, the connection is removed from the FTP server.
By default, the timeout value is 10 minutes.
Procedure
Step 1 Run:
system-view
92
Context
Do as follows on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
93
Prerequisite
The configuration of the Switch to be the FTP Server are complete.
Procedure
l
Run the display [ ipv6 ] ftp-server the configuration and running information about the
FTP server.
Run the display ftp-users command to check the login FTP user.
----End
Example
After configuring the FTP server, run the display [ ipv6 ] ftp-server command. You can view
that the parameters of the current FTP server.
<Quidway> display ftp-server
FTP server is running
Max user number
User count
Timeout value(in minute)
Listening Port
Acl number
5
0
30
1080
0
Run the display ftp-users command to view the user name, port number, authorization directory
of the FTP user configured presently.
<Quidway> display ftp-users
username host
zll
100.2.150.226
port
1383
idle
3
topdir
flash:
94
Applicable Environment
When the switch serves as the FTP server, for security, you can configure the switch by the
access control list (ACL) to be accessed by only those clients that meet the matching conditions.
Pre-configuration Tasks
Before configuring the FTP ACL, complete the following tasks:
l
Data Preparation
To configure the FTP ACL, you need the following data.
No.
Data
ACL number
Context
Do as follows on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the switch that serves as the FTP server:
Issue 01 (2011-07-15)
95
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration of FTP ACL are complete.
Issue 01 (2011-07-15)
96
Procedure
l
Run the display ftp-server [ ] command to check the configuration and status of the FTP
server.
----End
Example
After configuring an FTP server, you can run the display ftp-server command and view that
the ACL number allocated for the FTP server is 2345.
<Quidway> display ftp-server
FTP server is running
Max user number
User count
Timeout value(in minute)
Listening Port
Acl number
SSL security status
5
0
30
1080
2345
Disabled
Applicable Environment
When a switch serves as an FTP client, you can log in to the FTP server through the switch and
then transmit files or manage server directory.
Pre-configuration Tasks
Before configuring the switch as an FTP client, complete the following tasks:
l
Data Preparation
To configure the switch as an FTP client, you need the following data.
NOTE
Issue 01 (2011-07-15)
No.
Data
97
No.
Data
Local file name and file name on the remote FTP server
Working directory name of the remote FTP server, local working directory of the
FTP client, or directory name of the remote FTP server
Context
Do as follows on the switch that serves as the client:
Procedure
Step 1 Run the following commands according to types of the server IP address.
l If the IP address of the server is an IPv4 address, do as follows:
In the user view, establish a connection to the FTP server.
Run:
ftp [ host [ port-number ] [ public-net | vpn-instance vpn-instance-name ] ]
Run:
ftp
Run:
open host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After that, the default VPN instance is used
in the FTP operation.
Run:
ftp
Issue 01 (2011-07-15)
98
Run:
open ipv6 host [ port-number ]
8.4.3 Configuring Data Type and Transmission Mode for the File
This section describes how to configure the data type and transmission mode for the file.
Context
Do as follows on the switch that serves as the client:
Procedure
Step 1 Run:
ascii | binary
FTP server supports ascii mode for data transmission. But in Quidway S5700 Series, user has to switch to binary
mode for data transfer.
Step 2 Run:
passive
Context
This configuration provides help information for protocol commands.
Procedure
Step 1 Run:
remotehelp command
99
Context
Do as follows on the switch that serves as the client:
Procedure
Step 1 Upload or download files.
l Run:
put local-filename [ remote-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
----End
Context
Do as follows on the switch that serves as the client:
Procedure
Step 1 Run one or more commands in the following order to manage directories.
l Run:
cd pathname
The working path of the FTP server is switched to the upper-level directory.
l Run:
pwd
100
l Run:
rmdir remote-directory
l The directory to be created can comprise letters and digits, but not special characters such as <,
>, ?, \ and :.
l When running the mkdir /abc command, you create a sub-directory named "abc".
----End
Context
Do as follows on the switch that serves as the client:
Procedure
Step 1 Run one or more commands in the following to manage directories.
l Run:
ls [ remote-filename ] [ local-filename ]
Prerequisite
This configuration must be performed in FTP view.
Issue 01 (2011-07-15)
101
Context
The username and password are of string data type. The string length for username must be in
the range of 1 to 85 case-insensitive characters and password must be in the range of 1 to 16
case-insensitive characters.
Procedure
Step 1 Run:
user username [ password ]
The current login user is changed and the user logs in again.
----End
Prerequisite
The configurations must be performed in the FTP view.
Procedure
Step 1 Run:
bye
or
quit
or
disconnect
Issue 01 (2011-07-15)
102
Applicable Environment
You can transfer files through TFTP between the server and the client in a simple interaction
environment.
Pre-configuration Tasks
Before configuring TFTP, complete the following tasks:
l
Data Preparation
To configure TFTP, you need the following data.
No.
Data
File directory
Context
Do as follows on a switch that functions as a TFTP client.
Procedure
Step 1 Run:
system-view
103
After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
Context
Do as follows on the switch that serves as the TFTP client:
Procedure
Step 1 Run the following commands according to the type of the server IP addresses.
l The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server
[ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]
Context
Do as follows on the switch that serves as the TFTP client:
Procedure
Step 1 Run the following commands according to the type of the server IP addresses.
l The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server
[ public-net | vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]
104
Applicable Environment
When the switch serves as the TFTP client, you can configure the ACL on the switch. After the
configuration, you can control the TFTP server to which the device can log in through TFTP.
Pre-configuration Tasks
Before configuring a limit to access the TFTP server, complete the following tasks:
l
Data Preparation
To configure a limit to access to the TFTP server, you need the following data.
No.
Data
ACL number
Context
NOTE
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
105
Context
Do as follows on the switch that serves as the TFTP client:
Procedure
Step 1 Run:
system-view
106
Networking Requirements
As shown in Figure 8-1, the local PC functions as the FTP client of which the IP address is
10.1.1.1/24.
The Switch acts as the FTP server. VLAN 10 is created on the Switch and
GigabitEthernet0/0/1 is added to VLAN 10. The IP address 10.1.1.2/24 is assigned to VLANIF
10.
The PC uploads files to the Switch.
Figure 8-1 Networking diagram of the Switch functioning as the FTP server
VLAN10
FTP Client FTP Session
PC
Ethernet
FTP Server
L2 Switch
Ethernet
Switch
Switch
Interface
VLANIF interface
IP address
FTP Server
GigabitEthernet0/0/1
VLANIF 10
10.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Set the correct FTP user name and password on the Switch that functions as the FTP server.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l
Name of the FTP user set as u1 and the password set as ftppwd on the server
Name of the destination file and position where the destination files are located on the
Switch
Procedure
Step 1 Create VLAN 10 on the Switch and assign the IP address 10.1.1.2/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
Issue 01 (2011-07-15)
107
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.2 24
Step 2 Start the FTP server on the Switch, and set the FTP user name to u1 and password to ftpwd.
[Quidway] ftp
[Quidway] aaa
[Quidway-aaa]
[Quidway-aaa]
[Quidway-aaa]
[Quidway-aaa]
server enable
local-user u1 password simple ftppwd
local-user u1 service-type ftp
local-user u1 ftp-directory flash:/
return
Step 3 On the PC, initiate a connection to the Switch with the user name u1 and the password
ftppwd.
Use Windows XP on the FTP client to illustrate the preceding operations.
C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready.
User (10.1.1.1:(none)): u1
331 Password required for u1
Password:
230 User logged in.
ftp>
Step 4 Set the mode of transferring files to binary and the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
----End
Configuration Files
#
sysname Quidway
#
FTP server enable
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
aaa
local-user u1 password simple ftppwd
local-user u1 ftp-directory flash:/
local-user u1 service-type ftp
#
Return
Issue 01 (2011-07-15)
108
Networking Requirements
As shown in Figure 8-2, the IP address of the FTP server is 172.16.104.110/24.
The routes between PC1, PC2, and FTP server are reachable. On the S5700 that functions as the
FTP server, it is required that the FTP server should permit only PC1 with the IP address as
172.16.104.111 to download and upload files through FTP, and PC2 should not connect to the
FTP server after the ACL is configured.
Figure 8-2 Networking diagram for configuring an ACL of the FTP server
FTP Server
172.16.104.110/24
172.16.104.111/24
172.16.105.111/24
PC1
PC2
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
l
Name of the FTP user set as u1 and password set as huawei on the server
Procedure
Step 1 Configure basic FTP functions.
For details, see 8.7.1 Example for Configuring the FTP Server.
Step 2 Configure an ACL.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 172.16.104.111 0.0.0.0
Issue 01 (2011-07-15)
109
[Quidway-acl-basic-2001] quit
----End
Configuration Files
Configuration file of the FTP server
#
sysname Quidway
#
FTP server enable
FTP acl 2001
#
acl number 2001
rule 5 permit source 172.16.104.111 0
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
local-user u1 password simple huawei
local-user u1 ftp-directory flash:/
local-user u1 service-type ftp
#
return
110
Networking Requirements
As shown in Figure 8-3, the remote server at 10.1.1.2 serves as the FTP server. The Switch and
the FTP server are directly connected and on the same network segment. The Switch has a
reachable route to the FTP server.
The Switch acts as the FTP client. Interfaces ranging from GigabitEthernet0/0/1 to
GigabitEthernet0/0/4 can be used to set up FTP connections and they share the IP address
10.1.1.1.
The Switch downloads files from the FTP server.
Figure 8-3 Networking diagram of the Switch functioning as the FTP client
FTP session
PC
configuration
cable
FTP Client
FTP Server
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Download files from the server to the storage device of the client.
Data Preparation
To complete the configuration, you need the following data:
l
Name of the destination file and position where the destination files are located on the
Switch
Name of the FTP user set as u1 and the password set as ftppwd on the client
Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to
ftppwd.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1 to VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet
[Quidway-GigabitEthernet0/0/1] port
[Quidway-GigabitEthernet0/0/1] port
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet
[Quidway-GigabitEthernet0/0/2] port
[Quidway-GigabitEthernet0/0/2] port
[Quidway-GigabitEthernet0/0/2] quit
[Quidway] interface gigabitethernet
Issue 01 (2011-07-15)
0/0/1
hybrid pvid vlan 10
hybrid untagged vlan 10
0/0/2
hybrid pvid vlan 10
hybrid untagged vlan 10
0/0/3
111
Step 3 On the Switch, initiate a connection to the FTP server with the user name tpuser and the password
ftppwd.
<Quidway> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]
Step 4 On the Switch, set the mode of transferring files to binary and the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.
Step 5 Download the vrpcfg.cfg file from the remote FTP server on the Switch.
[ftp] get vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
226 Transfer complete.
FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
<Quidway>
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/4
port hybrid pvid vlan 10
port hybrid untagged vlan 10
Issue 01 (2011-07-15)
112
#
return
Networking Requirements
As shown in Figure 8-4, the Switch cannot function as the TFTP server. The remote server at
10.1.1.2 functions as the TFTP server.
The Switch acts as a TFTP client. VLAN 10 is created on the Switch, and
GigabitEthernet0/0/1 is added to VLAN 10. The IP address 10.1.1.1/24 is assigned to VLANIF
10.
The Switch downloads files from the TFTP server.
Figure 8-4 Networking diagram for configuring TFTP
TFTP session
PC
configuration
cable
TFTP Client
TFTP Server
Configuration Roadmap
The configuration roadmap is as follows:
1.
Run the TFTP software on the TFTP server and set the position where the source file is
located on the Switch.
2.
Data Preparation
To complete the configuration, you need the following data:
l
Name of the destination file and position where the destination file is located on the Switch
Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
Issue 01 (2011-07-15)
113
Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
Return
Issue 01 (2011-07-15)
114
115
Telnet Services
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and
a virtual terminal service through the network.
The S5700 provides the following Telnet services:
l
Telnet server: You can run the Telnet client program on a PC to log in to the switch,
configure and manage it. The switch acts as a Telnet server.
Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the switch. With the telnet command, you can log in to other
switchs to configure and manage them. As shown in Figure 9-1, Switch A serves as both
the Telnet server and the Telnet client.
Figure 9-1 Telnet client services
Telnet Session2
Telnet Session 1
Telnet
Server
PC
Issue 01 (2011-07-15)
SwitchA
SwitchB
116
Introduction to SSH
SSH works at the application layer in the TCP/IP protocol suite. SSH provides remote login and
virtual terminal on the network where security is guaranteed. Based on TCP connections, SSH
guarantees security and provides authentication for transmitted information, preventing the
following attacks shown in Figure 9-2:
l
IP spoofing
VLAN1
SSH
Client
PC
Telnet Session
Ethernet
SSH
Server
L2 Switch Ethernet
Switch
SSH adopts the client/server model and sets up multiple secure transmission channels. The
Switch, as the SSH server, can be connected to multiple PCs that function as SSH clients. A
Layer 2 switch may exist between the PC and the SSH server. In the actual networking, a route
is required to be reachable between the PC and the Switch.
Advantages of SSH
The applications of SSH include STelnet and SFTP.
Different from Telnet and FTP terminal services, SSH provides secure remote access on the
network without security guaranteed. The advantages of SSH are described as follows:
l
Issue 01 (2011-07-15)
117
SCP client
SCP enables you to log in to the device securely from a remote device to upload or download
files. Data transfer in this mode is much safer for remote system update. In addition, SCP
provides the client function so that a local device can log in to a remote device for secure
data transfer.
Unlike SFTP, SCP simplifies the file transfer process by combing user authentication and
file transfer, thus improving the configuration efficiency.
2.
3.
4.
5.
Issue 01 (2011-07-15)
118
Applicable Environment
To remotely log in to the switch through the Telnet protocol for maintenance and management,
you need to configure Telnet terminal services.
Pre-configuration Tasks
Before configuring Telnet terminal services, complete the following tasks:
l
Ensuring that the IP addresses of interfaces on the switch are configured correctly
Configuring the user account, correct login authentication mode, and call-in and call-out
restriction
Ensuring that reachable routes exist between the terminal and the switch
Data Preparation
To configure Telnet terminal services, you need the following data.
No.
Data
Number of the TCP port that is used by the remote switch to provide Telnet services
(Optional) Timeout period after which the server terminates the connection with the
user interface
Context
Do as follows on the switch that serves as an Telnet server.
Select and perform one of the following two steps for IPv4 or IPv6.
Procedure
l
Run:
system-view
119
2.
Run:
telnet server enable
Run:
system-view
Run:
telnet ipv6 server enable
----End
Context
Do as follows on the switch that serves as a Telnet client:
Select and perform one of the following two steps for IPv4 or IPv6.
Procedure
l
Run:
telnet
Run:
telnet ipv6 host-name [ port-number ]
120
Context
Do as follows on the switch that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the switch that serves as a Telnet client:
Procedure
Step 1 Run:
system-view
121
Prerequisite
The configuration of Telnet Terminal Services are complete.
Procedure
l
Run the display users command to check information about connected users.
Run the display users all command to check information about all users, including
connected and disconnected users.
Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB
Tid/Soid
Local Add:port
39952df8
36 /1509
0.0.0.0:0
Closed
32af9074
59 /1
0.0.0.0:21
Listening
34042c80
73 /17
10.164.39.99:23
Established
Foreign Add:port
0.0.0.0:0
VPNID
0
0.0.0.0:0
14849
10.164.6.13:1147
State
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<Quidway> display telnet server status
TELNET IPV4 server
TELNET IPV6 server
TELNET server port
:Enable
:Enable
:23
122
Applicable Environment
The STelnet or SFTP client can log in to the SSH server to perform operations only after SSH
users are correctly configured on the SSH server.
Pre-configuration Tasks
Before configuring SSH users, complete the following tasks:
l
Configuring an RSA public key for the SSH client on the SSH server
Data Preparation
To configure SSH users, you need the following data.
No.
Data
Context
NOTE
Besides creating an SSH user separately, you can also create an SSH user when you configure the following.
l Configuring the Authentication Mode for SSH Users
l Configuring the Service Type of SSH Users
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
123
If you want to create an SSH user in the password authentication mode, you need to create a
local user with the same name in the AAA view.
1.
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
Context
Do as follows on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
The authentication mode of the VTY user interface must be set to AAA. Otherwise, the protocol
inbound ssh command cannot be configured successfully.
----End
Context
Do as follows on the switchs that serve as a client or a server:
Issue 01 (2011-07-15)
124
Procedure
Step 1 Run:
system-view
To log in to an SSH server, the local RSA key pair must be configured and generated first. Before performing
the other SSH configurations, you must configure the rsa local-key-pair create command to generate a
local key pair.
----End
Context
Do as follows on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Run:
ssh user user-name authentication-type rsa
Issue 01 (2011-07-15)
125
Run:
rsa peer-public-key key-name
Run:
public-key-code begin
Run:
hex-data
Run:
public-key-code end
Run:
peer-public-key end
Run:
ssh user user-name assign rsa-key key-name
l After the public key editing view is displayed, the RSA public key generated on the client can be sent
to the server. Copy the RSA public key to the switch that serves as the SSH server.
l Before the peer RSA public key is assigned to the SSH users, the SSH server must be configured and
the peer RSA public key must be the RSA public key of the SSH client.
----End
Context
Do as follows on the switch that serves as an SSH server:
Issue 01 (2011-07-15)
126
Procedure
Step 1 Run:
system-view
Context
NOTE
There are four authentication modes for an SSH user, namely, password, rsa, password-rsa, and all. For
details of the configuration of the command line authorization for password authentication, refer to the
chapter "AAA and User Management" in the Quidway S5700 Series Configuration Guide - Security. This
section describes how to configure the command line authorization for RSA authentication.
Procedure
Step 1 Run:
system-view
The command line authorization is configured for the specified SSH user.
----End
Issue 01 (2011-07-15)
127
Follow-up Procedure
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Context
Do as follows on the switch that functions as an SSH server:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
The authorized directory of the SFTP service for SSH users is configured.
By default, the authorized directory of the SFTP service for SSH users is Flash.
----End
Issue 01 (2011-07-15)
128
Prerequisite
The configuration of SSH Users are complete.
Procedure
l
Run the display ssh user-information command to check the information about the SSH
client on the SSH server.
Run the display ssh user-information username command to check the information about
the specified SSH client on the SSH server.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
clinet001 is authenticated by password, and its service type is sftp.
[Quidway] display ssh user-information client001
User Name
: client001
Authentication-type
: password
User-public-key-name
: Sftp-directory
: Service-type
: sftp
Authorization-cmd
: No
Applicable Environment
Before configuring the SSH server, you must enable STelnet, SFTP, or SCP on the SSH server.
You can change the number of the port monitored by the SSH server to other port numbers. This
can prevent attackers from accessing standard ports of the SSH server and thus save bandwidth
and system resources.
Pre-configuration Tasks
Before configuring the SSH server, complete the following tasks:
l
Ensuring that the SSH client and the SSH server are routable
Issue 01 (2011-07-15)
129
Data Preparation
To configure the SSH server, you need the following data.
No.
Data
Context
Do as follows on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
130
Context
Do as follows on the S5700 functioning as the SCP server:
Procedure
Step 1 Run:
system-view
Context
Do as follows on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
131
NOTE
l Compared with SSH1.X, SSH2.0 is extended in structure to more authentication modes and key
exchange modes with higher service capability, such as SFTP.
l The S5700 supports the SSH protocol of version 1.3 to version 2.0.
----End
Context
Do as follows on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
9.4.7 (Optional) Configuring the Interval for Updating the Key Pair
on the SSH Server
You can configure the interval for updating the key pair of the SSH server, which can guarantee
the security.
Context
Do as follows on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
132
Prerequisite
The configurations of the SSH server are complete.
Procedure
Step 1 Run the display ssh server status command to view the global configuration of the SSH server.
----End
Example
Run the display ssh server status command, and you can view that the SSH version of the SSH
session is 1.99, and the times for re-establishing the SSH session is 5.
<Quidway> display ssh server status
SSH version
SSH connection timeout
SSH server key generating interval
SSH Authentication retries
SFTP server
Stelnet server
Scp server
SSH server port
:
:
:
:
:
:
:
:
1.99
60 seconds
2 hours
5 times
Enable
Enable
Enable
55535
NOTE
If the number of the monitored port is the default number, information about the currently monitored port
will not be displayed.
Applicable Environment
STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner
as using the Telnet service.
Issue 01 (2011-07-15)
133
Pre-configuration Tasks
Before connecting the STelnet client to the SSH server, complete the following tasks:
l
Data Preparation
To connect the STelnet client to the SSH server, you need the following data:
No.
Data
Preferred encrypted algorithm from the STelnet client to the SSH server
Preferred encrypted algorithm from the SSH server to the STelnet client
Preferred HMAC algorithm from the STelnet client to the SSH server
Preferred HMAC algorithm from the SSH server to the STelnet client
Source address
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time. After
the login, the system automatically allocates the RSA public key and saves it for authentication
in next login.
To simplify user operations, you are recommended to enable the first-time authentication on the
SSH client.
Do as follows on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
134
l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity
of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first
time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH
server.
l If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the
SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity
and cannot log in to the server.
TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA
public key in advance to the SSH server on the SSH client in addition to enabling the first-time
authentication on the SSH client.
----End
Context
If the first-time authentication on the SSH client is disabled, you need to allocate an RSA public
key to the SSH server before the STelnet client logs in to the SSH server.
Do as follows on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view
135
l Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the
SSH server and must be configured on the SSH client. Then, the STelnet client client can successfully
undergo the validity check on the RSA public key of the SSH server.
l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then,
run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to
the SSH server.
----End
Context
NOTE
When accessing an SSH server, the STelnet client can carry the source address and the VPN instance name
and choose the key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure the
keepalive function..
Procedure
Step 1 Run:
system-view
136
Prerequisite
The configuration of the STelnet Client Function are complete.
Procedure
l
Run the display ssh server-info command to check the mapping between the RSA public
key and the SSH client on the SSH client.
Run the display ssh server session command to check the session of the SSH client on the
SSH server.
----End
Example
When running the display ssh server session command, you can view that the client logs in
from VTY3, with Stelent service by password authentication.
<Quidway> display ssh server session
Session 1:
Conn
: VTY 3
Version
: 2.0
State
: started
Username
: client001
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
: diffie-hellman-group1-sha1
Service Type
: stelnet
Authentication Type : password
Issue 01 (2011-07-15)
137
Applicable Environment
SFTP enables users to log in to the device from a secure remote end to manage files. This
improves the security of data transmission for the remote end to update its system. The SFTP
client function also enables you to log in to the remote device through SFTP for the secure file
transmission.
Pre-configuration Tasks
Before connecting the SFTP client to the SSH server, complete the following tasks:
l
Data Preparation
To connect an SFTP client to an SSH server, you need the following data.
Issue 01 (2011-07-15)
No.
Data
Preferred encrypted algorithm from the SFTP client to the SSH server
Preferred encrypted algorithm from the SFTP server to the SSH client
Preferred HMAC algorithm from the SFTP client to the SSH server
Preferred HMAC algorithm from the SFTP server to the SSH client
Directory name
10
File name
138
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time. After
the login, the system automatically allocates the RSA public key and saves it for authentication
in next login.
To simplify user operations, you are recommended to enable the first-time authentication on the
SSH client.
Do as follows on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view
l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity
of the RSA public key of the SSH server when the SFTP client logs in to the SSH server for the first
time. The check is skipped because the SFTP server has not saved the RSA public key of the SSH
server.
l If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to the
SSH server for the first time, the SFTP client fails to pass the check on the RSA public key validity
and cannot log in to the server.
TIP
Except for enabling the first-time authentication on the SSH client, the SFTP client can assign the RSA
public key in advance to the SSH server on the SSH client to log in to the server successfully for the first
time.
----End
Context
If the first-time authentication on the SSH client is disabled, you need to assign an RSA public
key to the SSH server before the STelnet client logs in to the SSH server.
Do as follows on the switch that serves as an SSH client:
Issue 01 (2011-07-15)
139
Procedure
Step 1 Run:
system-view
l Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the
SSH server and must be configured on the SSH client. Then, the SFTP client can successfully undergo
the validity check on the RSA public key of the SSH server.
l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then,
run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to
the SSH server.
----End
140
Context
NOTE
The command of enabling the SFTP client is similar to that of the STelnet. When accessing the SSH server,
the SFTP can carry the source address and choose the key exchange algorithm, encrypted algorithm and
HMAC algorithm, and configure the keepalive function.
Procedure
Step 1 Run:
system-view
----End
Context
NOTE
After the SFTP client logs in to the SSH server, the SFTP client can create or delete the directory on the
SSH server, display the current operating directory and information about a specified directory and its files.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
141
142
Context
NOTE
After the SFTP client logs in to the SSH server, SFTP client can change file names, delete files, display
the file list, upload and download files on the SFTP server.
Procedure
Step 1 Run:
system-view
143
Context
Do as follows on the login switch:
Procedure
Step 1 Run:
system-view
Step 3 Run:
help [all | command-name ]
Prerequisite
The configuration of the SFTP Client Function are complete.
Procedure
l
Issue 01 (2011-07-15)
Run the display ssh server-info command to check the mapping between the SSH server
and the RSA public key on the SSH client.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
144
Run the display ssh server session command to check the session of the SSH client on the
SSH server.
----End
Example
Run the display ssh server session command, and you can view that the client logs in from the
VTY4 through the sftp service in rsa authentication mode.
[Quidway] display ssh server session
Session 2:
Conn
: VTY 4
Version
: 2.0
State
: started
Username
: client002
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
: diffie-hellman-group1-sha1
Service Type
: sftp
Authentication Type : rsa
Applicable Environment
SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP allows file uploading
or downloading without user authentication and public key assignment, and also supports file
uploading or downloading in batches.
Pre-configuration Tasks
Before configuring the SCP client, complete the following tasks:
l
Data Preparation
To configure the SCP client, you need the following data.
Issue 01 (2011-07-15)
145
No.
Data
(Optional) Source IPv4 or IPv6 address and source interface of the local switch
Port number of the remote SCP server, VPN instance name, encryption algorithm for
uploading or downloading files, source files to be uploaded or downloaded, and
destination files to be uploaded or downloaded
Context
Do as follows on the switch functioning as the SCP client:
Procedure
Step 1 Run:
system-view
Context
NOTE
When logging in to the SCP server, the SCP client can carry source IP address and VPN instance name,
and select an encryption algorithm.
Procedure
Step 1 Run:
system-view
146
Step 2 Files are uploaded from the SCP client to the remote SCP server or downloaded from the remote
SCP server to the SCP client.
l Basing on IPv4 address
scp [ -port port-number | public-net | vpn-instance vpn-instance-name | -a sourceaddress
| -i interface-type interface-number | -r | -cipher { des | 3des | aes128 } | -c ]* sourcefile
destinationfile
l Basing on IPv6 address
scp ipv6 [ -port port-number | public-net | vpn-instance vpn-instance-name | -a
sourceipv6address | -r | -cipher { des | 3des | aes128 } | -c ]* sourcefile destinationfile [ -i
interface-type interface-number ]
----End
Prerequisite
The configurations of the SCP client are complete.
Context
l
Run the display scp-client command to view the source IP address or source interface of
the SCP client.
Example
Run the display scp-client command, and you can view the source IP address of the SCP client.
<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1
The source of SCP ipv6 client: --
Networking Requirements
As shown in Figure 9-3, after logging in to Switch A, the user logs in to Switch B through Telnet
by using the default interface 23.
Issue 01 (2011-07-15)
147
Figure 9-3 Networking diagram of the remote login of the Ethernet user
PC
SwitchA
10.10.10.8/24
SwitchB
10.10.10.9/24
Switch
Interface
VLANIF interface
IP address
SwitchA
GigabitEthernet0/0/1
VLANIF 2
10.10.10.8/24
SwitchB
GigabitEthernet0/0/1
VLANIF 2
10.10.10.9/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l
ID of the VLAN
IP address and number of the interface on the Switch A that functions as the Telnet client
IP address and number of the interface on the Switch B that functions as the Telnet server
Authentication mode and the password for a user to log in to Switch B through Telnet
Procedure
Step 1 Assign IP addresses.
# Assign IP address to Switch A that functions as the Telnet client.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]
Issue 01 (2011-07-15)
148
----End
Configuration Files
l
Issue 01 (2011-07-15)
149
Networking Requirements
As shown in Figure 9-4, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode.
Configure Client001 with the password as huawei and adopt the password authentication.
The IP address of the SSH server is 192.168.1.1.
The user interface supports only SSH.
Figure 9-4 Networking diagram of configuring the PC as the STelnet client to connect to the
SSH server
IP Network
SSH Client
SSH Server
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Configure password authentication as the default authentication mode on the SSH server.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Generate a local key pair on the server.
<Quidway> system-view
Issue 01 (2011-07-15)
150
NOTE
If SSH is configured as the login protocol, the S5700 automatically disables Telnet.
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]
Issue 01 (2011-07-15)
151
# Log in to the device through the software putty, and enter the user name client001 and the
password huawei.
Issue 01 (2011-07-15)
152
----End
Configuration Files
l
Networking Requirements
When you need to log in from a switch to other switches to configure the switches, you can
configure the switch as an STelnet client.
As shown in Figure 9-5, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server in the authentication mode of password, RSA, password-rsa,
or all.
The following login users need to be configured.
l
Client001, with the password as huawei and the authentication mode as password
Client002, with the password as rsakey001 and the authentication mode as RSA
Issue 01 (2011-07-15)
153
Figure 9-5 Networking diagram of connecting the STelnet client and the SSH server
SSH Server
10.164.39.222/24
10.164.39.221/24
10.164.39.220/24
Client001 Client002
Switch
Interface
SSH server
GigabitEthernet0/0/1
VLANIF 10
10.164.39.222/24
Client001
GigabitEthernet0/0/1
VLANIF 10
10.164.39.220/24
Client002
GigabitEthernet0/0/1
VLANIF 10
10.164.39.221/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2.
3.
Create a local key pair on the STelnet client and SSH server separately.
4.
Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
5.
6.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to interface VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
Issue 01 (2011-07-15)
154
Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.
Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES:If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.
l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
155
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001
156
# Client001 logs in to the SSH server in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
info: The max number of VTY users is 20, and the current number
of VTY users on line is 1.
<Quidway>
:1.99
:60 seconds
:0 hours
:3 times
:Disable
:Enable
:Disable
Issue 01 (2011-07-15)
157
Username: client001
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: stelnet
Authentication Type: password
Session 1:
Conn: VTY 4
Version: 2.0
State: started
Username: client002
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: stelnet
Authentication Type: rsa
----End
Configuration Files
l
Issue 01 (2011-07-15)
158
9.8.4 Example for Connecting the SFTP Clinet and the SSH Server
In this example, the local key pairs are generated on the SFTP client and the SSH server
respectively; the public RSA key is generated on the SSH server and bind the RSA public key
to the SFTP client. In this manner, the SFTP client can connect to the SSH server.
Networking Requirements
As shown in Figure 9-6, after the SFTP service is enabled on the SSH server, the SFTP client
can log in to the SSH server in the authentication mode of password, RSA, password-rsa, or all.
Issue 01 (2011-07-15)
159
Figure 9-6 Networking diagram for connecting the SFTP client and the SSH server
SSH Server
10.164.39.222/24
10.164.39.220/24
10.164.39.221/24
Client001 Client002
Switch
Interface
VLANIF interface
IP address
SSH server
GigabitEthernet0/0/1
VLANIF 10
10.164.39.222/24
Client001
GigabitEthernet0/0/1
VLANIF 10
10.164.39.220/24
Client002
GigabitEthernet0/0/1
VLANIF 10
10.164.39.221/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2.
3.
Create a local key pair on the SFTP client and SSH server separately.
4.
Create an RSA public key on the SSH server and bind the RSA public key of the SSH client
to Client002.
5.
6.
Configure the type of service and authenticated directory for the SSH user.
7.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the S5700 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
Issue 01 (2011-07-15)
160
[Quidway] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24
Assigning an IP address to the S5700 that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.
Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l In password or password-rsa authentication mode, you must configure a local user.
l In RSA or all authentication mode, you must copy the RSA public key of the SSH client to the server.
l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
Issue 01 (2011-07-15)
161
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ---AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ---Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
# Send the RSA public key created on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001
Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.
Two SSH users are configured on the SSH server: Client001 in the password authentication
mode and Client002 in the RSA authentication mode.
Issue 01 (2011-07-15)
162
ssh
ssh
ssh
ssh
user
user
user
user
service-type sftp
sftp-directory flash:/
service-type sftp
sftp-directory flash:/
:1.99
:60 seconds
:0 hours
:3 times
:Enable
:Disable
:Disable
Issue 01 (2011-07-15)
163
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: sftp
Authentication Type: rsa
----End
Configuration Files
l
Issue 01 (2011-07-15)
164
9.8.5 Example for Configuring the SSH Server to Support the Access
from Another Port
In this example, the monitoring port number of the SSH server is set to a port number other than
the standard monitoring port number so that only valid users can set up connections with the
SSH server.
Networking Requirements
The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access
the standard port continuously, the bandwidth is consumed and the performance of the server is
degraded. As a result, other valid users cannot access the port.
If the listening port on the SSH server is changed to a non-default one, attackers will not aware
of this change and continue to send a request for the socket connection to port 22. In this case,
the SSH server detects that it is not the listening port, and then denies the the request for
establishing the socket connection.
Therefore, only valid users can use the specified listening port to set up a socket connection
through the following procedures:
Issue 01 (2011-07-15)
165
Authenticating
Figure 9-7 Networking diagram for configuring the SSH server to support the access from
another port
SSH Server
10.164.39.222/24
10.164.39.220/24
10.164.39.221/24
Client001 Client002
Switch
Interface
VLANIF interface
IP address
SSH server
GigabitEthernet0/0/1
VLANIF 10
10.164.39.222/24
Client001
GigabitEthernet0/0/1
VLANIF 10
10.164.39.220/24
Client002
GigabitEthernet0/0/1
VLANIF 10
10.164.39.221/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2.
3.
Create a local key pair on the SFTP client and SSH server separately.
4.
Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
5.
6.
Configure the type of the service and authenticated directory for the SSH user.
7.
8.
Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.
Data Preparation
To complete the configuration, you need the following data:
l
Issue 01 (2011-07-15)
166
Server name
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24
Issue 01 (2011-07-15)
167
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.
# Create an SSH user named Client001, and configure the authentication mode as password
for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password
168
[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh
[Quidway-aaa] quit
# Create an SSH user named Client002, and configure the authentication mode as RSA for the
user. Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
[Quidway] ssh user client002 assign rsa-key RsaKey001
# Set the type of service of Client002 to SFTP and the authorized directory as flash:/.
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/
Step 5 Enable the STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable
Step 6 Configure the new listening port number on the SSH server.
[Quidway] ssh server port 1025
# The STelnet client logs in to the SSH server by using the new listening port.
[client001] stelnet 10.164.39.222 1025
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
info: The max number of VTY users is 20, and the current number
of VTY users on line is 1.
<Quidway>
# The SFTP client logs in to the SSH server by using the new listening port.
[client002]sftp 10.164.39.222 1025
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
The server's public key does not match the one we cached.
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to update the server's public key we cached?(Y/N):y
sftp-client>
169
After the configuration, run the commands of display ssh server status and display ssh server
session on the SSH server. You can check the current listening port number on the SSH server,
and that the STelnet or SFTP client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version
SSH connection timeout
SSH server key generating interval
SSH Authentication retries
SFTP server
Stelnet server
Scp server
SSH server port
:1.99
:60 seconds
:0 hours
:3 times
:Enable
:Enable
:Disable
:1025
----End
Configuration Files
l
Issue 01 (2011-07-15)
170
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Issue 01 (2011-07-15)
171
Networking Requirements
When an RADIUS user is connected to an SSH server, the SSH server sends the user name and
password of the SSH client to the RADIUS server (compatible with the TACACS server) for
authentication.
The RADIUS server authenticates the user and sends the result (passed or failed) back to the
SSH server. If the authentication is successful, the user level is sent along with the result. The
SSH server determines whether the SSH client is allowed to set up a connection according to
the authentication result.
Figure 9-8 shows the networking diagram.
Figure 9-8 Networking diagram of authenticating the SSH through RADIUS
10.164.39.221/24
SSH Client
10.164.39.222/24
SSH Server
10.164.6.49/24
Radius Server
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Generate the local key pair on STelnet client and SSH server respectively. The SSH server
monitors the port number.
5.
Generate the local key pair on the client and SSH server .
6.
Generate the RSA public key on SSH server and bind the RSA public key of the SSH client
to ssh2@ssh.com.
7.
8.
Configure the service mode and authorization directory of the SSH user.
9.
Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and
SFTP respectively.
Data Preparation
To complete the configuration, you need the following data:
Issue 01 (2011-07-15)
172
RADIUS authentication
Procedure
Step 1 Generate a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Issue 01 (2011-07-15)
173
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
ssh
ssh
ssh
ssh
ssh
ssh
ssh
user
user
user
user
user
user
user
ssh1@ssh.com
ssh1@ssh.com authentication-type password
ssh1@ssh.com service-type stelnet
ssh2@ssh.com
ssh2@ssh.com authentication-type password
ssh2@ssh.com service-type sftp
client001 sftp-directory flash:/
# Configure the IP address as 10.164.6.49 and port of the RADIUS authentication server as 1812.
[Quidway-radius-ssh] radius-server authentication 10.164.6.49 1812
Issue 01 (2011-07-15)
174
# For the first login, you need to enable the first authentication on SSH client.
[client] ssh client first-time enable
[client] quit
# Connect the STelnet client to the SSH server in the RADIUS authentication.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username: ssh1@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
he server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
he server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
# Connect the SFTP client to the SSH server in the RADIUS authentication.
<client> system-view
[client] sftp 10.164.39.222
Please input the username: ssh2@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
sftp-client>
Issue 01 (2011-07-15)
175
Shared-secret-key
: huawei
Timeout-interval(in second)
: 5
Primary-authentication-server
: 10.164.6.49
:1812
LoopBack:NULL
Primary-accounting-server
: 0.0.0.0
:0
LoopBack:NULL
Secondary-authentication-server : 0.0.0.0
:0
LoopBack:NULL
Secondary-accounting-server
: 0.0.0.0
:0
LoopBack:NULL
Retransmission
: 3
Domain-included
: YES
Calling-station-id MAC-format
: xxxx-xxxx-xxxx
------------------------------------------------------------------Total of radius template :1
----End
Configuration Files
Configuration file of the SSH server
#
sysname Quidway
#
radius-server template ssh
radius-server authentication 10.164.6.49 1812
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
authentication-scheme newscheme
authentication-mode radius
#
Issue 01 (2011-07-15)
176
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
#
sftp server enable
stelnet server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh1@ssh.com authentication-type password
ssh user ssh2@ssh.com authentication-type password
ssh user ssh2@ssh.com assign rsa-key RsaKey001
ssh user ssh1@ssh.com service-type stelnet
ssh user ssh2@ssh.com service-type sftp
ssh user client001 sftp-directory flash:/
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
Return
Networking Requirements
As shown in Figure 9-9, the switch functioning as the SCP client has a reachable route to the
SCP server, and can download files from the SCP server.
Figure 9-9 Networking diagram of the SCP client
SCP Server
172.16.104.110/24
1.1.1.1/32
SCP Client
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Issue 01 (2011-07-15)
177
5.
6.
Data Preparation
To complete the configuration, you need the following data:
l
The name and path of the destination files and the source files.
Procedure
Step 1 Create a local RSA key pair on the SSH server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 512
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++
Server] aaa
Server-aaa] local-user client001 password cipher huawei
Server-aaa] local-user client001 service-type ssh
Server-aaa] quit
# Configure the service type for the SSH users Client001 to all.
[SSH Server] ssh user client001 service-type all
Step 4 Download files from the SCP server to the SCP client.
# For the first login, you need to enable the first authentication on SSH client.
<Quidway> system-view
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable
Issue 01 (2011-07-15)
178
# Configure the IP address 1.1.1.1 of a loopback interface as the source IP address for the SCP
client.
[SCP Client] scp client-source -a 1.1.1.1
# Use 3des to encrypt the file license.txt, and then download the file to the local working
directory from the remote SCP server with the IP address of 172.16.104.110.
[SCP Client] scp -a 1.1.1.1 -cipher 3des client001@172.16.104.110:license.txt
license.txt
Configuration Files
l
Issue 01 (2011-07-15)
179
10
Issue 01 (2011-07-15)
180
Switch
HTTP
Connection
PC
Procedure
Step 1 Enable the HyperTerminal on the PC.
Issue 01 (2011-07-15)
181
Choose Start > All Programs > Accessories > Communications > HyperTerminal to start
the HyperTerminal.
Step 2 Set up a new connection.
As shown in Figure 10-2, enter the name of the new connection in the Name text box and choose
an icon. Click OK.
Figure 10-2 Setting up a new connection
Issue 01 (2011-07-15)
182
In other Windows operating systems, Bits per second may be described as Baud rate; Flow control may
be described as Traffic control.
Issue 01 (2011-07-15)
183
Value
9600
Data bit
Parity check
None
Stop bit
None
Step 5 After the HyperTerminal is started, select File Attributes to enter the Connect Properties
window as shown in Figure 10-5. Choose the Setting tab, select Auto detect or VT100 from
the Emulation drop-down list box. Click OK to complete the setting.
Issue 01 (2011-07-15)
184
After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, it
indicates that you have logged in to the S5700. At this time, you can enter the command to
configure and manage the S5700.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface meth 0/0/1
Issue 01 (2011-07-15)
185
Prerequisite
To obtain the Web page file of the S5700, log in to http://support.huawei.com, and then choose
Software Center > Version Software > Data Communication Product Line > Ethernet
Switch > S23&33&53&CX200D Series. Download the software package of the current
version. The Web page file is contained in the software package. The file name is Product Name
+ the Version of Software.web.zip.
Before uploading the Web page file, copy the Web page file to the client from which you log in
to the S5700.
Context
NOTE
You can also download Web files through TFTP. In this case, the S5700 functions as the TFTP client, and
the terminal that stores the Web files functions as the TFTP server. For details, see 8.5.3 Downloading
Files Through TFTP.
Procedure
Step 1 Run:
system-view
ftp-directory directory
service-type ftp
186
Step 7 Run the following command in the cmd view of the PC:
ftp ip-address
The user name and password are displayed. The PC can log in to the S5700.
C:\>ftp 10.1.1.132
Connected to 10.1.1.132.
220 FTP service ready.
User (10.1.1.132:(none)): client
331 Password required for client.
Password:
230 User logged in.
ftp>
----End
Context
Before loading the Web page file, upload it to the S5700.
Procedure
Step 1 Run:
system-view
Context
Before enabling the HTTP server,load the Web Page File to S5700.
Issue 01 (2011-07-15)
187
Procedure
Step 1 Run:
system-view
You are recommended to set the password in the cipher text. Simple user name and password should not
be used for the sake of security.
Step 5 Run:
local-user user-name
service-type http
Procedure
Step 1 Open the Web browser on the PC, and then enter the management address of the S5700 in the
address bar (the PC and the S5700 have reachable routes to each other). Then, press Enter to
display the Login dialog box. As shown in Figure 10-6, enter the pre-set Web user name,
password and verify code, and then choice the language.
Issue 01 (2011-07-15)
188
NOTE
If you select Save my password before clicking Login, you do not need to enter the password at next
login.
Step 2 Click Login or press enter to display the homepage of the Web system.
You can configure the S5700 after logging in to the Web system. For details on how to configure
the S5700 on the Web system, see the Quidway S5700 Series Ethernet Switches Web Network
Management System Client Operation Guide.
----End
Issue 01 (2011-07-15)
189
11 SSL Configuration
11
SSL Configuration
Issue 01 (2011-07-15)
190
11 SSL Configuration
11.1 SSL
Currently, SSL is only used for the File Transfer Protocol-SSL (FTPS) and the Hypertext
Transfer Protocol-SSL (HTTPS) applications (secure Web network management is an HTTPS
application).
Overview
SSL is a cryptographic protocol that provides communication security over the Internet. It allows
a client and a server to communicate across a network in a way designed to prevent
eavesdropping by authenticating the server or the client. SSL has the following advantages:
l
Provides high security assurance. It uses data encryption, authentication, and a message
integrity check to ensure secure data transmission over the network.
Supports various application layer protocols. SSL is originally designed for securing World
Wide Web traffic. As SSL functions between the application layer and the transport layer,
it secures data transmission based on TCP connections for any application layer protocol.
Is easy to deploy. Currently, SSL has become a world-wide communications standard for
authenticating Web site and Web page users and encrypting data transmitted between
browser users and Web servers.
Helps authorized users to securely access servers and prevents unauthorized users from
accessing servers.
Encrypts data transmitted between a client and a server for data transmission security and
computes a digest for data integrity, which implements security management for devices.
Defines an access control policy on a device based on certificate attributes to control the
access rights of clients, which prevents unauthorized users from attacking the device.
Basic Concepts
l
Issue 01 (2011-07-15)
191
11 SSL Configuration
CA2
CAn
Server's
certificate
Certificate authentication
Digital certificate
A digital certificate is an electronic document which uses a digital signature to bind a public
key with an identity. The digital certificate includes information such as the name of a
person or an organization that applies for the certificate, public key, digital-signed signature
of the CA that issues the digital certificate, and validity period of the digital certificate. A
digital certificate validates the identities of two communicating parties, improving
communication reliability.
A user must obtain the public key certificate of the information sender in advance to decrypt
and authenticate information in the certificate. In addition, the user also needs the CA
certificate of the information sender to verify the identity of the information sender.
FTPS
FTPS that adds support for SSL is an extension to the commonly used FTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted,
and check message integrity, FTPS provides a secure FTP server access.
l
Issue 01 (2011-07-15)
192
11 SSL Configuration
HTTPS
HTTPS that adds support for SSL is an extension to the commonly used HTTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted,
and check message integrity, HTTPS provides a secure Web access.
an SSL policy is configured on the device that functions as an HTTP server. After a digital
certificate is loaded to and the HTTPS server function is enabled on the server, users can log in
to the server to remotely manage the server using Web pages.
Applicable Environment
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats.An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 11-2, an SSL policy is configured on the FTP server. After a digital
certificate is loaded and the FTPS server function is enabled on the server, you can log in to the
server from a terminal on which the SSL-capable FTP client software is installed to securely
operate files transmitted between the terminal and the server.
Issue 01 (2011-07-15)
193
11 SSL Configuration
Network
VLANIF10
192.168.0.1/24
FTP-Server
PC
Pre-configuration Tasks
Before configuring login to an FTPS server from a user terminal, complete the following tasks:
l
Loading a digital certificate to the sub-directory named security of the system directory
on the FTPS server
Data Preparation
To configure login to an FTPS server from a user terminal, you need the following data.
No.
Data
Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.
A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l
The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
The PEM format is applicable to text transmission between systems.
The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
The ASN1 format is the default format for most browsers.
Issue 01 (2011-07-15)
The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
194
11 SSL Configuration
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Perform the following steps on the device that functions as an FTPS server:
Procedure
Step 1 Run:
system-view
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.
----End
Context
NOTE
Before enabling the FTPS server function, disable the FTP server function.
Perform the following steps on the device that functions as an FTPS server:
Issue 01 (2011-07-15)
195
11 SSL Configuration
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of login to an FTPS server from a user terminal are complete.
Procedure
l
Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End
Example
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Issue 01 (2011-07-15)
196
11 SSL Configuration
Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
<Quidway> display ftp-server
FTP server is stopped
Max user number
User count
Timeout value(in minute)
Listening port
Acl number
FTP server's source address
FTP SSL policy
FTP Secure-server is running
5
1
30
21
0
0.0.0.0
ftp_server
Applicable Environment
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats. To improve security, perform the following steps on the FTP client
and server:
l
Configure an SSL policy on the FTP client and load a trusted-CA file to the client.
Configure an SSL policy on the FTP server and load a digital certificate to the server.
The client uses the trusted-CA file and digital certificate to authenticate the server so that the
authorized client can access the correct server.
As shown in Figure 11-3,
l
An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP
client to verify the identify of the certificate owner, sign a digital certificate to prevent
eavesdropping and tampering, and manage the certificate and key.
Issue 01 (2011-07-15)
197
11 SSL Configuration
Network
VLANIF40
192.168.0.2/24
FTP-Server
VLANIF30
1.1.1.2/24
VLANIF10
192.168.0.1/24
PC1
PC2
If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.
Pre-configuration Tasks
Before configuring login to an FTPS server from an FTPS client, complete the following tasks:
l
Loading a trusted-CA file to the sub-directory named security of the system directory on
the FTPS client
Loading a digital certificate to the sub-directory named security of the system directory
on the FTPS server
Data Preparation
To configure login to an FTPS server from an FTPS client, you need the following data.
No.
Data
SSL policy name, trusted-CA file, (optional) CRL file, and IP address of the FTPS
client
Context
A trusted-CA file can be in the PEM, ASN1, or PFX format. Details are as follows:
l
Issue 01 (2011-07-15)
The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
198
11 SSL Configuration
The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
A CRL file can be in either the ASN1 or PEM format. These two formats represent the same
contents.
Procedure
Step 1 Run:
system-view
l If the trusted-CA file configured on the FTPS server contains only one certificate, configure all the
trusted-CA certificates of upper levels to the root CA certificate on the client.
l If a certificate chain is configured on the FTPS server, configure only the root CA certificate on the
client.
A CRL is loaded.
A maximum of two CRL files can be loaded to an SSL policy. If multiple CRL files are loaded,
these files will be added to the existing CRL file list.
----End
Issue 01 (2011-07-15)
199
11 SSL Configuration
Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.
A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l
The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
The PEM format is applicable to text transmission between systems.
The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
The ASN1 format is the default format for most browsers.
The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Perform the following steps on the device that functions as an FTPS server:
Procedure
Step 1 Run:
system-view
200
11 SSL Configuration
l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code |
key-file key-filename } auth-code auth-code
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.
Step 4 Run:
ftp secure-server ssl-policy policy-name
Before enabling the FTPS server function, disable the FTP server function.
----End
Procedure
l
On an IPv4 network:
In the user view, run:
ftp ssl-policy policy-name [ [ -a source-ip-address | -i interface-type
interface-number ] host [ port-number ] [ public-net | vpn-instance vpninstance-name ] ]
A control connection is established with a remote FTPS server and the FTP client view is
displayed.
l
On an IPv6 network:
In the user view, run:
ftp ssl-policy policy-name ipv6 host [ port-number ]
A control connection is established with a remote FTPS server and the FTP client view is
displayed.
----End
Issue 01 (2011-07-15)
201
11 SSL Configuration
Follow-up Procedure
The client can log in to the server only after the entered user name and password are authenticated
by the server. After logging in to the FTPS server, you can operate files on the FTPS server in
the same way as that on an FTP server. Table 11-1 lists file operations on an FTP server.
Table 11-1 File operations
File Operation
Operation
Managin
g files
Configuring the
file type
Configuring the
data connection
mode
Uploading files
Downloading
files
Issue 01 (2011-07-15)
202
11 SSL Configuration
File Operation
Operation
Managin
g
directori
es
Changing the
working path of a
remote FTP server
Changing the
working path of an
FTP server to the
parent directory
Displaying the
working path of an
FTP server
Displaying files in
the directory and
the list of subdirectories
Displaying a
specified remote
directory or file on
an FTP server
Displaying or
changing the
working path of an
FTP client
Creating a
directory on an
FTP server
Deleting a
directory from an
FTP server
The lcd command displays the local working path of the FTP
client, whereas the pwd command displays the working path
of the remote FTP server.
Prerequisite
The configurations of login to an FTPS server from an FTPS client are complete.
Issue 01 (2011-07-15)
203
11 SSL Configuration
Procedure
l
Run the display ssl policy command to check the SSL policy configured on and trustedCA certificate loaded to the FTPS client as well as the SSL policy configured on and digital
certificate loaded to the FTPS server.
Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End
Example
Run the display ssl policy command on the FTPS client. The command output shows detailed
information about the configured SSL policy and loaded trusted-CA file.
<Quidway> display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
<Quidway> display ftp-server
FTP server is stopped
Max user number
User count
Timeout value(in minute)
Listening port
Acl number
FTP server's source address
FTP SSL policy
FTP Secure-server is running
5
1
30
21
0
0.0.0.0
ftp_server
204
11 SSL Configuration
Applicable Environment
After a device that supports Web network management is enabled with the HTTP function, the
device can function as a Web server. Users can log in to the device using HTTP and use Web
pages to access and control the device. HTTP does not provide a mechanism that allows users
to authenticate a Web server or protects privacy of data transmission. To address this problem,
you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to
the commonly used HTTP. SSL allows the client and server to authenticate each other and
encrypts data to be transmitted.
As shown in Figure 11-4, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using Web pages.
Figure 11-4 Networking diagram for accessing another device by using HTTPS
Network
VLANIF10
192.168.0.1/24
HTTP-Server
PC
Pre-configuration Tasks
Before configuring an HTTPS server, complete the following tasks:
l
Uploading a digital certificate to a device that will function as an HTTPS server and copying
the certificate to the sub-directory named security of the system directory on the HTTPS
server
Data Preparation
To configure an HTTPS server, you need the following data.
Issue 01 (2011-07-15)
No.
Data
IP address, Web page file, and Web account of the HTTPS server
205
11 SSL Configuration
Context
Before using HTTPS to securely manage files, the HTTPS server needs to obtain a digital
certificate from a CA. The digital certificate is used to authenticate clients. This ensures that
only authorized clients can log in to the HTTPS server.
NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
HTTPS server can be generated using a third-party tool such as OpenSSL. OpenSSL can be considered as
a CA. For the procedure for generating a digital certificate, see the OpenSSL usage guide.
The digital certificate includes information such as the name of a person or an organization that
applies for the certificate, public key, digital-signed signature of the CA that issues the digital
certificate, and validity period of the digital certificate. A CA can issue a certificate chain along
with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates
on the chain.
A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l
The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem. A PEM certificate contains only a public key but not a private key, and
the public key is usually encrypted.
The PEM format is applicable to text transmission between systems.
The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der. An ANS1 certificate contains only a public key but not a
private key, and the public key is not encrypted.
The ASN1 format is the default format for most browsers.
The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx. A PFX certificate can contain a private key, and the key is usually
encrypted.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-07-15)
206
11 SSL Configuration
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.
----End
Procedure
Step 1 Run:
system-view
Context
NOTE
Before enabling the HTTPS server function, disable the HTTP server function.
Issue 01 (2011-07-15)
207
11 SSL Configuration
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Setting the password in cipher text is recommended. Simple user names and passwords are insecure.
Step 4 Run:
Issue 01 (2011-07-15)
208
11 SSL Configuration
Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.
Prerequisite
The configurations of secure Web network management are complete.
Procedure
l
Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
Run the display http server command to check the SSL policy name and the HTTPS server
status.
----End
Issue 01 (2011-07-15)
209
11 SSL Configuration
Example
Run the display ssl policy command. The command output shows detailed information about
the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display http server command. The command output shows the SSL policy name and
the HTTPS server status.
<Quidway> display http server
HTTP Server Status
HTTP Server Port
HTTP Timeout Interval
Current Online Users
Maximum Users Allowed
HTTP Secure-server Status
HTTP Secure-server Port
HTTP SSL Policy
:
:
:
:
:
:
:
:
disabled
80(80)
20
0
5
enabled
443(443)
http_server
Networking Requirements
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats.An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 11-6, an SSL policy is configured on the FTP server. After a digital
certificate is loaded and the FTPS server function is enabled on the server, you can log in to the
server from a terminal on which the SSL-capable FTP client software is installed to securely
operate files transmitted between the terminal and the server.
Issue 01 (2011-07-15)
210
11 SSL Configuration
Network
VLANIF10
192.168.0.1/24
FTP-Server
PC
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Upload a digital certificate.
# Configure an IP address for the FTP server so that the PC and FTP server are routable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] interface gigabitethernet0/0/1
[FTP-Server-GigabitEthernet0/0/1] port link-type access
[FTP-Server-GigabitEthernet0/0/1] quit
[FTP-Server] vlan 10
[FTP-Server-vlan10] port gigabitethernet0/0/1
[FTP-Server-vlan10] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit
# Configure the authentication information, authorization mode, and authorized directory for an
FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password simple huawei
[FTP-Server-aaa] local-user huawei service-type ftp
Issue 01 (2011-07-15)
211
11 SSL Configuration
# Run the ftp ftp-server-address commands at the Windows command prompt. Enter the correct
user name and password to set up an FTP connection to the FTP server, as shown in Figure
11-7.
Figure 11-7 Logging in to an FTP server from a user terminal
Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
11-8.
Figure 11-8 Uploading a digital certificate
Issue 01 (2011-07-15)
212
11 SSL Configuration
After the preceding configurations are complete, run the dir command on the FTP server. The
command output shows that the digital certificate has been successfully uploaded to the server.
<FTP-Server> dir
Directory of flash:/
Idx
Attr
0 drw1 -rw2 -rw3 -rw4 -rw-
Size(Byte)
Date
May
May
May
May
May
524,575
446
1,302
951
10
10
10
10
10
Time(LMT) FileName
2011 05:05:40
src
2011 05:05:53
private-data.txt
2011 05:05:51
vrpcfg.zip
2011 05:32:05
1_servercert_pem_rsa.pem
2011 05:32:44
1_serverkey_pem_rsa.pem
After the preceding configurations are complete, run the dir command in the security subdirectory on the FTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/
Idx
0
1
Attr
-rw-rw-
Size(Byte)
1,302
951
Date
Time(LMT)
May 10 2011 05:44:34
May 10 2011 05:45:22
FileName
1_servercert_pem_rsa.pem
1_serverkey_pem_rsa.pem
Before enabling the FTPS server function, disable the FTP server function.
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable
Issue 01 (2011-07-15)
213
11 SSL Configuration
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
FTP server is stopped
Max user number
User count
Timeout value(in minute)
Listening port
Acl number
FTP server's source address
FTP SSL policy
FTP Secure-server is running
5
1
30
21
0
0.0.0.0
ftp_server
You can establish a connection with the FTPS server using the SSL-capable FTP client software
and upload files to and download files from the server.
----End
Configuration Files
Configuration file of the FTPS server
#
sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10
#
ssl policy ftp_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password simple huawei
local-user huawei service-type ftp
local-user huawei ftp-directory flash:/
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
return
Issue 01 (2011-07-15)
214
11 SSL Configuration
Networking Requirements
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats.An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 11-9,
l
An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP
client to verify the identify of the certificate owner, sign a digital certificate to prevent
eavesdropping and tampering, and manage the certificate and key.
Network
VLANIF40
192.168.0.2/24
FTP-Server
VLANIF30
1.1.1.2/24
VLANIF10
192.168.0.1/24
PC1
PC2
If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Upload certificates.
l Upload the digital certificate saved on PC2 to the FTP server.
l Upload the trusted-CA file saved on PC1 to the FTP client.
2.
3.
Issue 01 (2011-07-15)
215
11 SSL Configuration
4.
Configure IP addresses for the interfaces that interconnect the FTP client and server to
ensure that the client and server are routable.
5.
Run the ftp command on the FTP client to log in to the FTPS server to remotely manage
files.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Upload certificates.
l Perform the following steps on the FTP server:
# Configure an IP address for the FTP server so that the PC and FTP server are routable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] interface gigabitethernet0/0/1
[FTP-Server-GigabitEthernet0/0/1] port link-type access
[FTP-Server-GigabitEthernet0/0/1] quit
[FTP-Server] vlan 10
[FTP-Server-vlan10] port gigabitethernet0/0/1
[FTP-Server-vlan10] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit
# Configure the authentication information, authorization mode, and authorized directory for
an FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password simple huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit
# Run the ftp ftp-server-address commands at the Windows command prompt. Enter the
correct user name and password to set up an FTP connection to the FTP server, as shown in
Figure 11-10.
Issue 01 (2011-07-15)
216
11 SSL Configuration
Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
11-11.
Figure 11-11 Uploading a digital certificate
After the preceding configurations are complete, run the dir command on the FTP server.
The command output shows that the digital certificate has been successfully uploaded to the
server.
<FTP-Server> dir
Directory of flash:/
Idx
0
1
2
Issue 01 (2011-07-15)
Attr
drw-rw-rw-
Size(Byte)
524,575
446
Date
Time(LMT)
May 10 2011 05:05:40
May 10 2011 05:05:53
May 10 2011 05:05:51
FileName
src
private-data.txt
vrpcfg.zip
217
11 SSL Configuration
-rw-rwdrw-
1,302
951
-
1_servercert_pem_rsa.pem
1_serverkey_pem_rsa.pem
security
Attr
-rw-rw-rwdrw-rw-rwdrw-rwdrwdrw-
Size(Byte)
524,558
1,237
1,241
421
1,308,478
4
-
Date
May 10
May 10
May 10
Apr 09
Apr 09
Apr 14
Apr 10
Apr 19
Apr 11
Apr 13
2011
2011
2011
2011
2011
2011
2011
2011
2011
2011
Time(LMT)
04:50:39
05:55:33
05:55:44
19:46:14
19:46:14
19:22:45
01:35:54
04:24:28
16:18:53
11:37:40
FileName
private-data.txt
1_cacert_pem_rsa.pem
1_rootcert_pem_rsa.pem
src
vrpcfg.zip
web.zip
logfile
snmpnotilog.txt
security
lam
After the preceding configurations are complete, run the dir command in the security subdirectory on the FTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/
Idx
0
1
Attr
-rw-rw-
Size(Byte)
1,302
951
Date
Time(LMT)
May 10 2011 05:44:34
May 10 2011 05:45:22
FileName
1_servercert_pem_rsa.pem
1_serverkey_pem_rsa.pem
After the preceding configurations are complete, run the display ssl policy command on the
FTP server. The command output shows detailed information about the loaded certificate.
[FTP-Server] display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Issue 01 (2011-07-15)
218
11 SSL Configuration
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
certificate
1_servercert_pem_rsa.pem
1_serverkey_pem_rsa.pem
123456
Attr
-rw-rw-
Size(Byte)
1,237
1,241
Date
Time(LMT)
May 10 2011 05:57:15
May 10 2011 05:57:29
FileName
1_cacert_pem_rsa.pem
1_rootcert_pem_rsa.pem
After the preceding configurations are complete, run the display ssl policy command on the
FTP client. The command output shows detailed information about the trusted-CA file.
[FTP-Client] display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Before enabling the FTPS server function, disable the FTP server function.
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable
Step 4 Configure IP addresses for the interfaces that interconnect the FTP client and server.
# Configure the FTP server.
[FTP-Server] interface gigabitethernet 0/0/2
[FTP-Server-GigabitEthernet0/0/2] port link-type access
[FTP-Server-GigabitEthernet0/0/2] quit
[FTP-Server] vlan 30
Issue 01 (2011-07-15)
219
11 SSL Configuration
Step 5 Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.
<FTP-Client> ftp ssl-policy ftp_client 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2.
220 FTP service ready.
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
The client can log in to the FTP server only after the correct user name and password are entered.
Step 6 Verify the configuration.
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
FTP server is stopped
Max user number
User count
Timeout value(in minute)
Listening port
Acl number
FTP server's source address
FTP SSL policy
FTP Secure-server is running
5
1
30
21
0
0.0.0.0
ftp_server
You can use the FTP client to remotely manage files on the FTPS server.
----End
Configuration Files
l
Issue 01 (2011-07-15)
220
11 SSL Configuration
#
ssl policy ftp_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password simple huawei
local-user huawei service-type ftp
local-user huawei ftp-directory flash:/
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif30
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
#
return
Issue 01 (2011-07-15)
221
11 SSL Configuration
Networking Requirements
After a device that supports Web network management is enabled with the HTTP function, the
device can function as a Web server. Users can log in to the device using HTTP and use Web
pages to access and control the device. HTTP does not provide a mechanism that allows users
to authenticate a Web server or protects privacy of data transmission. To address this problem,
you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to
the commonly used HTTP. SSL allows the client and server to authenticate each other and
encrypts data to be transmitted.
As shown in Figure 11-12, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using Web pages.
Figure 11-12 Networking diagram for accessing another device by using HTTPS
Network
VLANIF10
192.168.0.1/24
HTTP-Server
PC
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
Data Preparation
To complete the configuration, you need the following data:
l
Issue 01 (2011-07-15)
222
l
l
11 SSL Configuration
Web account
Web page file
Procedure
Step 1 Upload the digital certificate and Web page file.
# Configure an IP address for the device that functions as an HTTP server so that the PC and
HTTP server are routable.
<Quidway> system-view
[Quidway] sysname HTTP-Server
[HTTP-Server] interface gigabitethernet0/0/1
[HTTP-Server-GigabitEthernet0/0/1] port link-type access
[HTTP-Server-GigabitEthernet0/0/1] quit
[HTTP-Server] vlan 10
[HTTP-Server-vlan10] port gigabitethernet0/0/1
[HTTP-Server-vlan10] quit
[HTTP-Server] interface vlanif 10
[HTTP-Server-Vlanif10] ip address 192.168.0.1 24
[HTTP-Server-Vlanif10] quit
# Configure the authentication information, authorization mode, and authorized directory for
FTP users.
[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password simple huawei
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei ftp-directory flash:
[HTTP-Server-aaa] quit
[HTTP-Server] quit
# Upload the digital certificate and Web page file from the PC to the HTTP server, as shown in
Figure 11-13.
Figure 11-13 Uploading a digital certificate
Issue 01 (2011-07-15)
223
11 SSL Configuration
After the preceding configurations are complete, run the dir command on the HTTP server. The
command output shows that the digital certificate and Web page file have been successfully
uploaded to the server.
<HTTP-Server> dir
Directory of flash:/
Idx
0
1
2
3
4
5
6
7
8
9
Attr
-rw-rw-rwdrw-rw-rwdrw-rwdrwdrw-
Size(Byte)
524,558
1,302
951
421
1,308,478
4
-
Date
Apr 14
Apr 14
Apr 14
Apr 09
Apr 09
Apr 14
Apr 10
Apr 14
Apr 11
Apr 13
2011
2011
2011
2011
2011
2011
2011
2011
2011
2011
Time(LMT)
16:24:39
19:22:30
19:22:35
19:46:14
19:46:14
19:22:45
01:35:54
04:56:35
16:18:53
11:37:40
FileName
private-data.txt
1_servercert_pem_rsa.pem
1_serverkey_pem_rsa.pem
src
vrpcfg.zip
web.zip
logfile
snmpnotilog.txt
security
lam
After the preceding configurations are complete, run the dir command in the security subdirectory on the HTTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<HTTP-Server> cd security/
<HTTP-Server> dir
Directory of flash:/security/
Idx
1
2
Attr
-rw-rw-
Size(Byte)
1,302
951
Date
Time(LMT)
Apr 13 2011 14:29:31
Apr 13 2011 14:29:49
FileName
1_servercert_pem_rsa.pem
1_serverkey_pem_rsa.pem
After the preceding configurations are complete, run the display ssl policy command on the
HTTP server. The command output shows detailed information about the loaded certificate.
[HTTP-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
Issue 01 (2011-07-15)
224
11 SSL Configuration
CRL File:
Trusted-CA File:
Before enabling the HTTPS server function, disable the HTTP server function.
[HTTP-Server] undo http server enable
[HTTP-Server] http secure-server ssl-policy http_server
[HTTP-Server] http secure-server enable
Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.
Step 6 Verify the configuration.
# Run the display http server command on the HTTPS server. The command output shows the
SSL policy name and the HTTPS server status.
[HTTP-Server] display http-server
HTTP Server Status
HTTP Server Port
Issue 01 (2011-07-15)
: disabled
: 80(80)
225
11 SSL Configuration
:
:
:
:
:
:
20
0
5
enabled
443(443)
http_server
----End
Configuration Files
Configuration file of the HTTPS server
#
sysname FTP-Server
#
FTP server enable
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
vlan batch 10
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user http password simple http
local-user http service-type http
local-user huawei password simple huawei
local-user huawei service-type ftp
local-user huawei ftp-directory flash:
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
return
Issue 01 (2011-07-15)
226