AR2200 Basic Config Guide PDF
V200R001C01
Issue 02
Date: 2011-10-15
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2011-10-15)
Intended audience: commissioning engineers.
Symbol Conventions
The following symbols may be found in this document: DANGER, WARNING, CAUTION, TIP, and NOTE.
Command Conventions
The following command conventions may be found in this document: Boldface, Italic, [ ], { x | y | ... }, [ x | y | ... ], { x | y | ... }*, [ x | y | ... ]*, and &<1-n>.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
About This Document.....................................................................................................................ii
1 Logging In to the System for the First Time............................................................................1
1.1 Introduction........................................................................................................................................................2
1.2 Logging In to the Device Through the Console Port or Mini USB Port............................................................2
1.2.1 Establishing the Configuration Task.........................................................................................................2
1.2.2 Establishing the Physical Connection........................................................................................................3
1.2.3 Logging in to the router.............................................................................................................................3
2 CLI Overview.................................................................................................................................6
2.1 CLI Introduction.................................................................................................................................................7
2.1.1 Command Line Interface...........................................................................................................................7
2.1.2 Command Levels.......................................................................................................................................7
2.1.3 Command Line Views.............................................................................................................................10
2.2 Online Help.......................................................................................................................................................11
2.2.1 Full Help..................................................................................................................................................11
2.2.2 Partial Help..............................................................................................................................................12
2.2.3 Error Messages of the Command Line Interface.....................................................................................12
2.3 CLI Features.....................................................................................................................................................13
2.3.1 Editing.....................................................................................................................................................13
2.3.2 Displaying................................................................................................................................................14
2.3.3 Regular Expressions................................................................................................................................14
2.3.4 Previously-Used Commands...................................................................................................................17
2.4 Shortcut Keys...................................................................................................................................................18
2.4.1 Classifying Shortcut Keys.......................................................................................................................18
2.4.2 Defining Shortcut Keys...........................................................................................................................19
2.4.3 Use of Shortcut Keys...............................................................................................................................20
2.5 Configuration Examples...................................................................................................................................20
2.5.1 Example for Using Tab............................................................................................................................21
2.5.2 Example for Using Shortcut Keys...........................................................................................................22
3 Basic Configuration.....................................................................................................................23
3.1 Configuring the Basic System Environment....................................................................................................24
3.1.1 Establishing the Configuration Task.......................................................................................................24
3.1.2 Configuring the Equipment Name...........................................................................................................24
1.1 Introduction
You can log in to the device that is powered on for the first time through the console port or mini
USB port to configure the device.
A main control board provides a console port and a mini USB port. To configure a device,
connect the serial port of your terminal to the console port of the device or connect the USB port
of the user terminal to the mini USB port of the device.
NOTE
- If a device is powered on for the first time, you must log in to it through the console port or mini USB port before logging in to the device using other login modes. For example, before configuring an IP address to log in to a device using Telnet, log in to the device through the console port or mini USB port.
- Before logging in to a device through the mini USB port, install the mini USB port driver on the user terminal.
- The mini USB port and console port cannot be used together.
1.2.1 Establishing the Configuration Task
Applicable Environment
When the router is powered on for the first time, you need to use the console port or mini USB port to log in to the router to configure and manage it.
Pre-configuration Tasks
Before logging in to the router through the console port or mini USB port, complete the following tasks:
- To log in to the device through the mini USB port, install the driver program on the user terminal.
Data Preparation
To log in to the router through the console port or mini USB port, you need the following data:
- Baud rate
- Data bit
- Parity
- Stop bit
- Flow-control mode
NOTE
When the router is logged in to for the first time, the system automatically uses the default parameter values.
1.2.2 Establishing the Physical Connection
Procedure
Step 1 Power on all devices to perform a self-check.
Step 2 Connect the console port of the router to the COM port of a PC, or connect the mini USB port of the router to the USB port of the PC, using the appropriate cables.
NOTE
The mini USB port and console port cannot be used together.
----End
1.2.3 Logging in to the router
Context
You need to configure the terminal attributes of the PC according to the attributes configured for the console port, including the transmission rate, data bit, parity bit, stop bit, and flow control mode. As the router is being logged in to for the first time, every terminal attribute uses the default value of the router.
Procedure
Step 1 Start a terminal emulator on the PC and create a new connection, as shown in Figure 1-1.
Step 3 Set the communication parameters to the defaults of the router, as shown in Figure 1-3.
Step 4 Press Enter. A command line prompt such as <Huawei> appears, and the system asks you to configure the router. You can enter a command to configure the router. Enter a question mark (?) whenever you need help.
NOTE
When you connect to the console port of an AR2200 that does not have a startup configuration file, the system displays "Warning: Auto-Config is working. Do you want to stop Auto-Config? [y/n]:"
- To continue Auto-Config, enter n and press Enter.
- To stop Auto-Config, enter y and press Enter.
CAUTION
If you choose n but still perform configurations through the console port, the DHCP, routing, DNS, and VTY configurations that you have performed will be lost.
----End
2 CLI Overview
2.1 CLI Introduction
2.1.1 Command Line Interface
- The telnet command for directly logging in to and managing other routers.
- Hierarchical command protection for users of different levels, that is, each user can run only the commands of the corresponding levels.
- A command line interpreter that provides intelligent command resolution methods such as keyword fuzzy matching and context conjunction. These methods make it easy for users to enter their commands.
- Network testing commands such as tracert and ping for rapidly diagnosing a network.
NOTE
- The system supports commands with a maximum of 512 characters. A command can be entered incompletely: you can enter one or more initial characters of each keyword to match the whole command, provided the incomplete form is unique in the system. For example, to use the display current-configuration command, enter d cu, di cu, or dis cu. You cannot enter d c or dis c because they are not unique in the system.
- The system saves an incomplete command to the configuration file in its complete form; therefore, the saved command may have more than 512 characters. When the system is restarted, however, such a command cannot be restored. Therefore, pay attention to the length of the incomplete command.
2.1.2 Command Levels
Command levels are named as follows: visit level, monitoring level, configuration level, and management level.
NOTE
- The default command level may be higher than the command level defined according to the command rules in application.
- The level of the commands that a user can run is determined by the level of this user.
- Login users have the same 16 levels as the command levels. Login users can use only the commands at levels equal to or lower than their own level. The user privilege level level command sets the user level.
2. Click the "Search" tab. The search window will be displayed as shown in Figure 2-1.
3. Enter the desired command level in the "Type in the word(s) to search for" text box and click "List Topics". All commands of the specified level will be displayed as shown in Figure 2-2.
2.1.3 Command Line Views
# Run the aaa command in the system view to enter the AAA view.
[Huawei] aaa
[Huawei-aaa]
NOTE
The prompt indicates a specific view. For example, "<HUAWEI>" indicates the user view, and "[HUAWEI-ui-console0]" indicates the console user interface view.
Some commands can be used in both the system view and other views, but have different effects.
2.2 Online Help
2.2.1 Full Help
Procedure
You can obtain the full help of a command line in the following manners.
- Enter a question mark (?) in any command line view to display all the commands and their simple descriptions.
<Huawei> ?
User view commands:
  arp-ping
  autosave
  backup
  cd
  clock
  cls
  ...
- Enter a command and a question mark (?) separated by a space. If a keyword is at this position, all keywords and their simple descriptions are displayed. For example:
[Huawei] interface ?
  Bridge-if    Bridge-if interface
  Cellular     Cellular interface
  ...
Bridge-if and Cellular are keywords; Bridge-if interface and Cellular interface describe the keywords respectively.
- Enter a command and a question mark (?) separated by a space. If a parameter is at this position, the related parameter names and parameter descriptions are displayed. For example:
[Huawei] ftp timeout ?
  INTEGER<1-35791>  The value of FTP timeout (in minutes)
[Huawei] ftp timeout 35 ?
  <cr>  Please press ENTER to execute command
[Huawei] ftp timeout 35
<cr> indicates that no parameter is at this position. The command is repeated in the next command line. You can press Enter to run the command.
----End
2.2.2 Partial Help
Procedure
You can obtain the partial help of a command line in the following manners.
- Enter a character string with a question mark (?) closely following it to display all commands that begin with this character string.
<Huawei> d?
  debugging   debugging group
  delete      file
  dialer      Dialer
  dir         List files on a filesystem
  display     Display information
- Enter a command and a character string with a question mark (?) closely following it to display all the keywords that begin with this character string.
<Huawei> display b?
  bfd      Detection information
  bgp      BGP information
  bootp    Bootstrap Protocol
  bridge   <Group> bridge command group
- Enter the first several letters of a keyword in the command and then press Tab to display the complete keyword, on the condition that the letters uniquely identify the keyword. Otherwise, if you continue to press Tab, different keywords are displayed and you can select the needed keyword.
----End
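The unique-prefix matching described in 2.1.1 (d cu resolves, d c is ambiguous) and the ? help of 2.2 (d? and display b?) follow the same rule: every typed word must be a prefix of the keyword at its position, and a command is accepted only when exactly one complete command survives. The following Python script is an added example that emulates that rule; it is not code from the Huawei guide, and its COMMANDS table is a constructed subset, not the AR2200's real command tree.

```python
"""Emulation of VRP-style unique-prefix command matching and '?' online help.
Added example; COMMANDS is a constructed subset, not the real command tree."""

# Constructed command table (assumption for this example).
COMMANDS = [
    "debugging", "delete", "dialer", "dir",
    "display bfd session", "display bgp peer", "display clock",
    "display cpu-usage", "display current-configuration", "display hotkey",
    "display history-command", "display ip routing-table",
    "display local-user", "display user-interface", "display version",
    "ping", "system-view", "tracert",
]


class AmbiguousCommand(Exception):
    """More than one complete command matches the abbreviated input."""


class IncompleteCommand(Exception):
    """The input is a prefix of some commands but of no complete command."""


class UnknownCommand(Exception):
    """No command matches the input."""


def candidates(words):
    """Commands whose leading keywords are each prefixed by the typed words.
    An exact keyword at a position outranks mere prefix matches there, so a
    fully typed keyword is never shadowed by a longer neighbour."""
    found = []
    for cmd in COMMANDS:
        kws = cmd.split()
        if len(kws) >= len(words) and all(
            kw.lower().startswith(w.lower()) for w, kw in zip(words, kws)
        ):
            found.append(kws)
    for i, w in enumerate(words):
        exact = [kws for kws in found if kws[i].lower() == w.lower()]
        if exact:
            found = exact
    return found


def resolve(line):
    """Expand an abbreviated command line to its unique complete form."""
    words = line.split()
    found = candidates(words)
    complete = sorted({" ".join(kws) for kws in found if len(kws) == len(words)})
    if len(complete) == 1:
        return complete[0]
    if len(complete) > 1:
        raise AmbiguousCommand(f"{line!r} matches {complete}")
    if found:
        raise IncompleteCommand(f"{line!r} needs more keywords")
    raise UnknownCommand(line)


def resolve_result(line):
    """resolve() for callers that want the outcome as a plain string."""
    try:
        return resolve(line)
    except (AmbiguousCommand, IncompleteCommand, UnknownCommand) as exc:
        return type(exc).__name__


def online_help(line):
    """Emulate '?': 'd?' (no space before ?) lists keywords beginning with d
    at the current position; 'display ?' (space before ?) lists every keyword
    that can follow display. Returns the keyword names, sorted."""
    if not line.endswith("?"):
        raise ValueError("help requests end with '?'")
    body = line[:-1]
    words = body.split()
    full_help = body.endswith(" ") or not words
    pos = len(words) if full_help else len(words) - 1
    found = candidates(words)
    return sorted({kws[pos] for kws in found if len(kws) > pos})


if __name__ == "__main__":
    for line in ("d cu", "dis cu", "d c", "dis", "xyz"):
        print(f"{line:10} -> {resolve_result(line)}")
    for line in ("d?", "display b?", "display ?", "?"):
        print(f"{line:10} -> {online_help(line)}")
```

The exact-keyword rule in candidates() is what lets dir be accepted as a complete command even though other d-commands exist; without it an abbreviation that happens to equal a whole keyword would be reported as ambiguous.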
2.3 CLI Features
2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using certain keys.
The command line supports multi-line editing. The maximum length of each command is 512 characters.
Keys for editing that are often used are shown in Table 2-3.
Table 2-3 Keys for editing
Backspace: Deletes the character to the left of the cursor and moves the cursor to the left. When the cursor reaches the head of the command, an alarm is generated.
Left cursor key: Moves the cursor to the left by one character. When the cursor reaches the head of the command, an alarm is generated.
Tab: Press Tab after typing an incomplete keyword and the system runs partial help:
- If the matching keyword is unique, the system replaces the typed one with the complete keyword and displays it in a new line with the cursor one space behind.
- If there are several matches or no match at all, the system displays the prefix first. Then you can press Tab to view the matching keywords one by one. In this case, the cursor closely follows the end of the word and you can type a space to enter the next word.
- If a wrong keyword is entered, press Tab and the word is displayed unchanged in a new line.
2.3.2 Displaying
All command lines have the same displaying feature. You can set the displaying mode as required.
You can control the display of information on the CLI as follows:
- If the output information cannot be displayed on one screen, you have three options to view the information, as shown in Table 2-4: Ctrl_C, Space, and Enter.
- Searching for and obtaining a sub-string that matches a rule in the string.
2.3.3 Regular Expressions
Common characters
Common characters are used to match themselves in a string, including all upper-case and lower-case letters, digits, punctuation, and special symbols. For example, a matches the letter "a" in "abc", 202 matches the digits "202" in "202.113.25.155", and @ matches the symbol "@" in "xxx@xxx.com".
Particular characters
Particular characters are used together with common characters to match complex or particular string combinations. Table 2-5 describes the particular characters and their syntax.
Table 2-5 Description of particular characters
Particular character / Syntax / Example
\        Escape character: the character following \ is matched literally. Example: \* matches "*".
x|y      Matches x or y.
[xyz]    Matches any one of the characters in the brackets.
[^xyz]   Matches any one character that is not in the brackets.
[a-z]    Matches any one character in the range a to z.
[^a-z]   Matches any one character that is not in the range a to z.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
NOTE
Unless otherwise specified, degeneration rules are applicable when the preceding regular expressions serve as subexpressions within parentheses.
CAUTION
The Huawei AR2200 Series uses regular expressions to implement the filtering function of the pipe character. A display command supports the pipe character only when there is excessive output information.
When the output information is queried according to the filtering conditions, the first line of the command output is the first line that matches the regular expression.
The command can carry the parameter | count to display the number of matching entries. The parameter | count can be used together with the other parameters.
For the commands supporting regular expressions, the three filtering methods are as follows:
- | begin regular-expression: displays the output starting from the first line that matches the regular expression.
- | exclude regular-expression: displays the output excluding the lines that match the regular expression.
- | include regular-expression: displays only the lines that match the regular expression.
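The three pipe filters and | count are easy to reason about when written out as functions over the lines of a display command's output. The following Python script is an added example, not code from the Huawei guide: pipe_filter() implements begin, exclude and include with Python's re module, and run_pipeline() applies a typed filter suffix such as "| include authentication-mode | count". SAMPLE_OUTPUT is a constructed fragment in the style of display current-configuration, not real AR2200 output; the assumption that stages are separated by a pipe surrounded by spaces (so an alternation like x|y inside the pattern survives) is this example's own.

```python
import re

# Constructed sample in the style of 'display current-configuration'
# (not real AR2200 output; the cipher text is a placeholder).
SAMPLE_OUTPUT = """\
#
 sysname Huawei
#
aaa
 local-user admin password cipher <cipher-placeholder>
 local-user admin privilege level 15
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
#
return"""


def pipe_filter(output, method, pattern):
    """Apply '| begin', '| exclude' or '| include' with a regular expression.
    Returns the surviving lines in their original order."""
    rx = re.compile(pattern)
    lines = output.splitlines()
    if method == "begin":
        # Output starts at the first matching line and runs to the end.
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if method == "exclude":
        return [line for line in lines if not rx.search(line)]
    if method == "include":
        return [line for line in lines if rx.search(line)]
    raise ValueError(f"unknown filter method {method!r}")


def run_pipeline(output, pipeline):
    """Apply a filter suffix as typed after a display command, e.g.
    '| include authentication-mode | count'.  Stages are split on ' | '
    (assumption of this example) so 'x|y' alternation in a pattern is kept.
    Returns the filtered lines, or an int when the suffix ends in count."""
    stages = [s.strip() for s in pipeline.strip().lstrip("|").split(" | ")]
    lines = output.splitlines()
    for stage in stages:
        if stage == "count":
            return len(lines)
        method, _, pattern = stage.partition(" ")
        if not pattern:
            raise ValueError(f"filter {method!r} needs a regular expression")
        lines = pipe_filter("\n".join(lines), method, pattern)
    return lines


if __name__ == "__main__":
    print("\n".join(pipe_filter(SAMPLE_OUTPUT, "begin", "user-interface vty")))
    print(run_pipeline(SAMPLE_OUTPUT, "| include authentication-mode | count"))
```

Note that exclude is a line filter, not a block filter: "| exclude ^#" drops only the separator lines, so a reviewer reading filtered output still sees which user-interface block a setting belongs to only because the indented lines keep their order.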
2.3.4 Previously-Used Commands
NOTE
Setting the number of saved previously-used commands to a proper value is recommended. If a large number of previously-used commands are saved, it will take a long time to locate a needed previously-used command, affecting efficiency.
Key or command: display history-command
Result: Displays the previously-used commands.
NOTE
On the HyperTerminal of Windows 9X, the cursor keys are invalid because the HyperTerminal of Windows 9X defines the keys differently. In this case, you can use Ctrl_P instead of the cursor key.
The saved previously-used commands are the same as those entered by users. For example, if the user enters an incomplete command, the saved command is also incomplete.
If the user runs the same command several times, only the earliest command is saved. Commands entered in different forms are considered different commands.
For example, if the display ip routing-table command is run several times, only one previously-used command is saved. If the display current-configuration command and the display ip routing-table command are run, two previously-used commands are saved.
2.4 Shortcut Keys
2.4.1 Classifying Shortcut Keys
- User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can associate these shortcut keys with any commands. When a shortcut key is pressed, the system automatically runs the corresponding command. For details on defining the shortcut keys, see 2.4.2 Defining Shortcut Keys.
- System-defined shortcut keys: These shortcut keys with fixed functions are defined by the system. Table 2-7 lists the system-defined shortcut keys.
NOTE
Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may be different from those listed in this section.
Table 2-7 System-defined shortcut keys
Shortcut keys: CTRL_A, CTRL_B, CTRL_C, CTRL_D, CTRL_E, CTRL_F, CTRL_H, CTRL_N, CTRL_P, CTRL_W, CTRL_X, CTRL_Y, CTRL_Z, CTRL_], ESC_B, ESC_D, ESC_F
CTRL_Y: Deletes all the characters at the cursor and to the right of the cursor.
2.4.2 Defining Shortcut Keys
NOTE
When defining a shortcut key, enclose the command in double quotation marks if it contains several command words, that is, if spaces exist in the command.
Using the undo hotkey command, you can restore the default.
If you have typed part of a command and have not pressed Enter, you can press the shortcut key to clear the entered text and display the full corresponding command. This has the same effect as deleting all the entered text and then entering the complete command.
Shortcut keys are run as commands; the command syntax is recorded in the command buffer and in the log for fault location and querying.
NOTE
The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcut keys of the terminal conflict with those of the router, the shortcut keys are captured by the terminal program and hence do not reach the router.
2.4.3 Use of Shortcut Keys
Run the following command in any view to display the use of shortcut keys:
display hotkey
2.5 Configuration Examples
2.5.1 Example for Using Tab
Context
Usually, you do not need to input complete keywords. Instead, you can just input one or a few beginning characters of a keyword and press Tab to complete the keyword. The Tab key helps search for and use commands.
Procedure
- There is a unique match for the incomplete keyword.
  2. Press Tab.
     The system replaces the input with the complete keyword and displays it in a new line with the cursor one space behind.
     [Huawei] info-center
- There are several matches or no match after the incomplete keyword is input.
  # The keyword info-center can be followed by the following keywords beginning with log.
  [Huawei] info-center log?
    logbuffer
    logfile
    loghost
  2. Press Tab.
     The system first displays the prefix log.
     [Huawei] info-center logbuffer
     Press Tab repeatedly to select a keyword. The cursor closely follows the end of the keyword.
     [Huawei] info-center logfile
     [Huawei] info-center loghost
  3. Stop pressing Tab after the keyword you need, logfile, is displayed.
- Input an incorrect keyword and press Tab to check the correctness of the keyword.
  2. Press Tab.
     [Huawei] info-center loglog
     The system displays information in a new line, but the keyword loglog remains unchanged and there is no space between the cursor and the keyword, indicating that this keyword does not exist.
----End
2.5.2 Example for Using Shortcut Keys
Context
If shortcut keys are defined on the login router, they can be used by any user regardless of the user level.
Procedure
Step 1 Associate Ctrl_U with the display local-user command and press the shortcut key to run it.
<Huawei> system-view
[Huawei] hotkey ctrl_u "display local-user"
NOTE
When defining a shortcut key for a command, enclose the command in double quotation marks if the command consists of multiple words separated by spaces. No double quotation marks are required for single-word commands.
----End
3 Basic Configuration
3.1 Configuring the Basic System Environment
3.1.1 Establishing the Configuration Task
Applicable Environment
Before configuring services, you need to configure the basic system environment (such as the time and device name) to meet the environment requirements.
Pre-configuration Tasks
Before configuring the basic system environment, complete the following task:
Data Preparation
To configure the basic system environment, you need the following data:
- System time
- Host name
- Login information
- Command level
3.1.2 Configuring the Equipment Name
Context
The new equipment name takes effect immediately.
Procedure
Step 1 Run:
system-view
Context
The system clock displays the current time and date of the system, the time zone to which the system belongs, and the daylight saving time. The AR2200 supports configuration of the time zone and the daylight saving time.
Do as follows in the user view:
Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]
When configuring the daylight saving time, you can configure the starting time and ending time in one of the following modes: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.
NOTE
When the daylight saving time is used, the clock timezone time-zone-name { add | minus } offset command can be executed to set the time zone name. The display clock command displays the daylight saving time name. After the daylight saving time ends, the original time zone name is displayed.
----End
Context
A header text is a message displayed by the system while a user is logging in to the router and after the user has logged in.
If you need to provide information for login users, you can configure a header that the system displays during login or after login.
Procedure
Step 1 Run:
system-view
CAUTION
- The header text starts and ends with the same character. After a character is input and Enter is pressed, an interactive interface is displayed. You can input the required information, ended with the first character. The system then exits from the interactive interface.
- If file is specified, save the file containing the header in the root directory of the default storage medium. If the file is saved in another directory, specify the full path in the file name; otherwise, the configuration fails.
- If a user logs in to the router by using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.
- If a user logs in to the router by using SSH2.0, both the login and shell headers are displayed.
----End
Context
If the system is configured to let the undo command automatically match the upper-level view, and a user runs an undo command that is not registered in the current view, the system searches for the undo command in the upper-level view.
Procedure
Step 1 Run:
system-view
- The matched upper-view command is valid for the current login users who run this command.
- It is not recommended that you configure the undo command to automatically match the upper-level view unless necessary.
----End
Context
You can use the display commands to collect information about the system status. The display commands are classified according to the following functions:
See the related sections for the display commands for protocols and interfaces. The following part only shows the system-level display commands.
Run the following commands in any view.
Prerequisite
Basic configurations are complete.
Procedure
- The display version command can be used to display the software version of the system, the chassis type, and information about the main control board and interface boards.
- When a user runs the display current-configuration command to display configuration information, other users cannot run the same command until all the command output is displayed.
- The original configuration refers to the configuration file used by the device when it has been powered on and is being initialized. The current configuration refers to the configuration taking effect during device operation. For details, see the chapter "Configuring System Startup" in the AR2200 Basic Configuration.
----End
Prerequisite
Basic configurations are complete.
Procedure
- Run the display this command to display the configuration of the current view.
NOTE
When a user runs the display this command to display system status information, other users cannot run the same command until all the command output is displayed.
----End
Context
When the system fails during routine maintenance, you need to collect a lot of information to locate the fault, which normally means running many different display commands. In this case, you can use the display diagnostic-information command to collect all information about the modules currently running in the system.
Procedure
- Run:
display diagnostic-information
TTY
The TTY is used to manage and monitor login users.
The TTY mode is the login mode that uses the asynchronous serial port.
Relative numbering
The relative numbering is in the format of user interface type + number.
The relative numbering is available for interfaces of a specific type. It is used only to specify one or a group of user interfaces of a specified type. Relative numbering must comply with the following rules:
- Number of the console port: CON 0
- Number of the TTY: TTY 0 for the first line, TTY 1 for the second line, and so on
- Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
Absolute numbering
The absolute numbering is used to uniquely specify a user interface or a group of user interfaces.
The number starts with 0. The ports are numbered in the sequence CON, TTY, VTY. There is only one console port and 0-20 VTY interfaces (VTY interfaces 0 to 14 are provided for Telnet/SSH users and VTY interfaces 16 to 20 are provided for network management users). You can use the user-interface maximum-vty command to set the maximum number of VTY user interfaces. The default number is five.
By default, the system supports three types of user interfaces: CON, TTY, and VTY.
Table 4-1 shows the absolute numbers of the user interfaces in this system.
Table 4-1 Absolute numbers of the user interfaces
User-interface: CON0
Absolute numbers: 129, 130, 131, 132, 133
NOTE
- The absolute numbers allocated for TTY and VTY interfaces are device-specific.
- The numbers from 1 to 32 are reserved for the TTY user interfaces.
- Run the display user-interface command to view the absolute numbers of the user interfaces.
The user interface supports the following user authentication modes:
- Non-authentication: In this mode, users can log in to the router without entering usernames or passwords. For security, this mode is not recommended.
- Password authentication: In this mode, users need to enter passwords, not usernames, during the login process.
- AAA authentication: In this mode, users need to enter usernames and passwords during the login process. Telnet users are usually authenticated in this mode.
The command level of a login user is determined as follows:
- In the case of non-authentication or password authentication, the level of the commands that the user can run is determined by the level of the user interface.
- In the case of AAA authentication, the commands that the user can run are determined by the level of the local user specified in the AAA configuration.
Applicable Environment
If you need to log in to the router for local maintenance through the console port, you can configure the corresponding console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. These parameters have default values on the router and additional configuration is not needed; you can configure them as required.
Pre-configuration Tasks
Before configuring a console user interface, complete the following tasks:
Data Preparation
To configure a console user interface, you need the following data:
- Baud rate, flow-control mode, parity, stop bit, and data bit
- Idle timeout period, number of lines displayed on a terminal screen, and the size of the history command buffer
- User priority
NOTE
All the default values (excluding the password and username) are stored on the router and do not need additional configuration.
Context
Physical attributes of a console port have default values on the router and no additional
configuration is needed.
NOTE
When a user logs in to a router through a console port, the physical attributes set for the console port on
the HyperTerminal should be consistent with the attributes of the console user interface on the router.
Otherwise, the user cannot log in to the router.
Procedure
Step 1 Run:
system-view
The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | none | odd }
Context
Terminal attributes of the console user interface have default values on the router and you can
set them as needed.
Procedure
Step 1 Run:
system-view
Context
Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater
the number, the higher the user level.
This process is to set the priority for a user who logs in through the console port. A user
can only use the commands with the level corresponding to the user level.
For details about command levels, see "Command Level" in the chapter "CLI Overview" of
the Configuration Guide - Basic Configuration.
Procedure
Step 1 Run:
system-view
l By default, users logging in through the console user interface can use commands at level 15, and users
logging in through other user interfaces can use commands at level 0.
l If the command level is inconsistent with the user level, the user level takes precedence.
----End
Context
By default, the user authentication mode of the console user interface is non-authentication.
Procedure
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode aaa
Run:
quit
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode password
Run:
set authentication password { cipher | simple } password
Configuring Non-Authentication
1.
Run:
system-view
Run:
user-interface console interface-number
Run:
authentication-mode none
Prerequisite
The configurations of the user management function are complete.
Procedure
Run the display users [ all ] command to check information about the user interface.
Run the display local-user command to check the local user list.
----End
Example
Run the display users command, and you can view information about the current user interface.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  0    CON 0   00:00:44                           pass            no
  Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command, and you can view
the physical attributes and configurations of the user interface.
<Huawei> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600             3                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<Huawei> display local-user
  ----------------------------------------------------------------------------
  User-name                State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  admin                    A      H
  ftp                      A      F
  guest                    A      A         15
  ----------------------------------------------------------------------------
  Total 3 user(s)
Applicable Environment
If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you
can configure the corresponding VTY user interface, including the maximum number of VTY
user interfaces, limit of incoming and outgoing calls, user priority, and user authentication mode.
The preceding parameters have default values on the router. You can also set these parameters
as needed.
Pre-configuration Tasks
Before configuring VTY user interface, complete the following tasks:
Data Preparation
To configure a VTY user interface, you need the following data.
No.
Data
(Optional) ACL code to limit VTY user interface to call in and out
Idle timeout period, number of characters in each line displayed in a terminal screen
User priority
NOTE
All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, password, and user name) have default values on the router, and no additional configuration is
needed.
Context
The maximum number of VTY user interfaces is the total number of users logging in to the
router by using Telnet and SSH.
Procedure
Step 1 Run:
system-view
The maximum VTY user interfaces that can log in to the router is set. By default, the maximum
number of VTY users is 5.
NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the NMS user) can
log in to the router by using a VTY user interface.
If the maximum number of VTY user interfaces to be configured is smaller than the maximum
number of current interfaces, current online users are not affected and no additional
configuration is needed.
If the maximum number of VTY user interfaces to be configured is larger than the maximum
number of current interfaces, the authentication mode and password need to be configured for
newly added user interfaces.
For newly added user interfaces, the system defaults to password authentication.
For example, a maximum of five users are allowed online. To allow 15 VTY users online at the
same time, you need to run the authentication-mode command and the set authentication
password command to configure authentication modes and passwords for user interfaces from
VTY 5 to VTY 14. The command is run as follows:
<Huawei> system-view
[Huawei] user-interface maximum-vty 15
[Huawei] user-interface vty 5 14
[Huawei-ui-vty5-14] authentication-mode password
[Huawei-ui-vty5-14] set authentication password cipher huawei
----End
Context
Before setting the limit on incoming and outgoing calls of the VTY user interface, run the acl
command in the system view to create an ACL and enter the ACL view. Then, run the rule
command to add rules to the ACL.
NOTE
l The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging
from 3000 to 3999.
l For details of ACL configuration, refer to the Huawei AR2200 Series Enterprise Routers Configuration
Guide - Security.
Procedure
Step 1 Run:
system-view
Context
Terminal attributes of the VTY user interface have default values on the router and you can set
them as needed.
Procedure
Step 1 Run:
system-view
Context
Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater
the number, the higher the user level.
This process is to set the priority for a user who logs in through the console port. A user
can only use the commands with the level corresponding to the user level.
For details about command levels, see "Command Level" in the chapter "CLI Overview" of
the Configuration Guide - Basic Configuration.
Procedure
Step 1 Run:
system-view
NOTE
If the command level configured in the VTY user interface view is inconsistent with the user priority, the
user priority takes effect.
----End
Context
By default, the user authentication mode of the VTY user interface is password authentication.
Procedure
Run:
system-view
Run:
user-interface vty first-ui-number [ last-ui-number ]
Run:
authentication-mode aaa
Run:
quit
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
Run:
system-view
Run:
user-interface vty first-ui-number [ last-ui-number ]
Run:
authentication-mode password
Run:
set authentication password { cipher | simple } password
Configuring Non-Authentication
1.
Run:
user-interface vty first-ui-number [ last-ui-number ]
Run:
authentication-mode none
Prerequisite
The configurations of the VTY user interface are complete.
Procedure
Run the display users [ all ] command to check information about user interfaces.
Run the display user-interface maximum-vty command to check the maximum number
of VTY user interfaces.
Run the display local-user command to check the local user list.
Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command, and you can view information about the current user interfaces.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  34   VTY 0   00:00:12 TEL   10.138.77.38                        no
  Username : Unspecified
+ 35   VTY 1   00:00:00 TEL   10.138.77.57                        no
  Username : Unspecified
Run the display user-interface maximum-vty command, and you can view the maximum
number of VTY user interfaces.
<Huawei> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<Huawei> display user-interface vty 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0                     14    14          N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<Huawei> display local-user
  ----------------------------------------------------------------------------
  User-name                State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  admin                    A      H
  ftp                      A      F
  guest                    A      A         15
  ----------------------------------------------------------------------------
  Total 3 user(s)
Run the display vty mode command, and you can view the prompt message indicating that the
machine-to-machine interface is enabled. For example:
<Huawei> display vty mode
current VTY mode is Machine-Machine interface
Applicable Environment
If you need to log in to the router for local maintenance by using an asynchronous serial port, you
can configure the corresponding TTY user interface, including the physical attributes, terminal
attributes, and user priority. The preceding parameters have default values on the router and
additional configuration is not needed. You can configure these parameters as needed.
Pre-configuration Tasks
Before configuring a TTY user interface, complete the following tasks:
Data Preparation
To configure a TTY user interface, you need the following data.
No.
Data
Baud rate, flow-control mode, parity, stop bit, and data bit
Idle timeout period, number of lines displayed in a terminal screen, and the size of
history command buffer
User priority
NOTE
All the default values (excluding the password and username) are stored on the router and do not need
additional configuration.
Context
Physical attributes of an asynchronous serial port have default values on a router and no
additional configuration is needed.
NOTE
l If you need to log in to a router through an asynchronous serial port, install an SA or SA board on the
router. If an SA board is installed, set the interface working mode to asynchronous mode on the SA board.
l The HyperTerminal and router must use the same physical attributes, including the baud rate, flow
control mode, parity mode, stop bit, and data bit. If the values of any attribute differ, you cannot
log in to the router.
Procedure
Step 1 Run:
system-view
After a board registers successfully and a serial port on the board is configured to work in
asynchronous mode, the router generates a random TTY number for the asynchronous serial
port. To view the TTY number, run the display user-interface command.
Step 3 Run:
speed speed-value
The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | none | odd }
Context
Terminal attributes of the TTY user interface have default values on the router and you can set
them as needed.
Procedure
Step 1 Run:
system-view
Context
Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater
the number, the higher the user level.
This process is to set the priority for a user who logs in through the asynchronous serial
port. A user can only use the commands with the level corresponding to the user level.
For details about command levels, see "Command Level" in the chapter "CLI Overview" of
the Configuration Guide - Basic Configuration.
Procedure
Step 1 Run:
system-view
l By default, users logging in through the TTY user interface can use commands at level 3, and users
logging in through other user interfaces can use commands at level 0.
l If the command level is inconsistent with the user level, the user level takes precedence.
----End
Procedure
Run:
system-view
Run:
user-interface tty first-ui-number [ last-ui-number ]
Run:
authentication-mode aaa
Run:
quit
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
Run:
system-view
2.
Run:
user-interface tty first-ui-number [ last-ui-number ]
Run:
authentication-mode password
Run:
set authentication password { cipher | simple } password
Configuring non-authentication
1.
Run:
system-view
Run:
user-interface tty first-ui-number [ last-ui-number ]
Run:
authentication-mode none
Prerequisite
The configurations of the user management function are complete.
Procedure
Run the display users [ all ] command to check information about the user interface.
Run the display user-interface tty ui-number1 [ summary ] command to check physical
attributes and configurations of the user interface.
----End
Example
Run the display users command, and you can view information about the current user interface.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  0    TTY 0   00:00:44
  Username : Unspecified
Run the display user-interface tty ui-number1 [ summary ] command, and you can view the
physical attributes and configurations of the user interface.
Networking Requirements
To initialize configurations of the router or locally maintain the router, a user can log in to the
router through a console user interface. To allow the user to log in, you can set attributes of the
console user interface as needed (for security reasons, for example).
In the console user interface view, the password authentication mode is set (the password is
huawei).
After a user logs in, if the user takes no action on the router for more than 30 minutes, the
connection between the user and the router is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Enter the interface view and set physical attributes of the console user interface.
2.
3.
4.
Set the user authentication mode and password of the console user interface.
By default, the terminal service is enabled on all the user interfaces. If the terminal service is
disabled, run the shell command to enable the terminal service.
Data Preparation
To complete the configuration, you need the following data:
Timeout period for disconnecting from the console user interface: 30 minutes
Procedure
Step 1 Set physical attributes of the console user interface.
<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] speed 4800
[Huawei-ui-console0] flow-control none
[Huawei-ui-console0] parity even
[Huawei-ui-console0] stopbits 2
[Huawei-ui-console0] databits 8
shell
idle-timeout 30
screen-length 30
history-command max-size 20
Step 3 Set the user authentication mode in the console user interface to password.
[Huawei-ui-console0] authentication-mode password
[Huawei-ui-console0] set authentication password simple huawei
[Huawei-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can log
in to the router through a console port, implementing local maintenance of the router. For details
on how a user logs in to the router, see 5 Configuring User Login.
----End
Configuration Files
#
sysname Huawei
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
screen-length 30
databits 8
parity even
stopbits 2
speed 4800
screen-length 30
#
return
Networking Requirements
A user logs in to the router through a VTY channel by using Telnet or SSH. To allow the user
login, an operator can set attributes of the VTY user interface as needed (for security reasons,
for example).
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password,
with the password "huawei", and the user with the IP address 10.1.1.1 is prohibited from
logging in to the router.
After logging in, if the user takes no action on the router for more than 30 minutes, the connection
between the user and the router is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Enter the interface view and set the maximum number of VTY user interfaces to 15.
2.
Set the call-in and call-out limit of the VTY user interface, limiting the access of an IP
address or an IP address segment to the router.
3.
4.
5.
Set the authentication mode and password in the VTY user interface.
Data Preparation
To complete the configuration, you need the following data:
Timeout period for disconnecting from the VTY user interface: 30 minutes
User priority: 15
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<Huawei> system-view
[Huawei] user-interface maximum-vty 15
Step 2 Set the limit on call-in and call-out in the VTY user interface.
[Huawei] acl 2000
[Huawei-acl-basic-2000]
[Huawei-acl-basic-2000]
[Huawei-acl-basic-2000]
[Huawei] user-interface
[Huawei-ui-vty0-14] acl
shell
idle-timeout 30
screen-length 30
history-command max-size 20
Step 5 Set the authentication mode and password in the VTY user interface.
[Huawei-ui-vty0-14] authentication-mode password
[Huawei-ui-vty0-14] set authentication password simple huawei
[Huawei-ui-vty0-14] quit
After the VTY user interface is configured, a user authenticated in password mode can log in to
the router by using Telnet or SSH (STelnet), implementing local or remote maintenance of the
router. For details on how a user logs in to the router, see 5 Configuring User Login.
----End
Configuration Files
#
sysname Huawei
#
acl number 2000
rule 5 deny source 10.1.1.1 0
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
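A configuration audit over the files above, as an added example that is not part of this guide or Huawei's software: it parses the user-interface stanzas of a VRP configuration file (the console and VTY files in this chapter, merged into a constructed sample with a TTY stanza added for contrast) and reports the settings the chapter warns about. The one-space indentation of stanza bodies and the default of five VTY users are taken from the text shown; that idle-timeout 0 0 disables the idle timeout is an assumption about VRP, and the placeholder cipher text is not a real encrypted password.

```python
"""Audit Huawei VRP user-interface stanzas for weak login settings.

Added example for this chapter, not Huawei's code. It parses the kind of
configuration file shown above and reports: non-authentication, 'simple'
(plaintext) passwords, VTYs with no inbound ACL, idle timeouts that never
expire, shared-password lines with level-15 privilege, and VTYs left
unconfigured after maximum-vty is raised.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, user interface, message)

# Constructed sample: the console and VTY configuration files of this
# chapter merged, plus a TTY stanza with non-authentication for contrast.
# The cipher text is a placeholder, not a real VRP-encrypted password.
SAMPLE_CONFIG = """\
#
 sysname Huawei
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 idle-timeout 30 0
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode password
 user privilege level 15
 set authentication password cipher PLACEHOLDER-CIPHER-TEXT
 idle-timeout 30 0
user-interface tty 1
 authentication-mode none
 user privilege level 15
 idle-timeout 0 0
#
return
"""

UI_RE = re.compile(r"^user-interface\s+(con|console|vty|tty)\s+(\d+)(?:\s+(\d+))?\s*$", re.I)
MAX_VTY_RE = re.compile(r"^user-interface\s+maximum-vty\s+(\d+)\s*$", re.I)
ACL_IN_RE = re.compile(r"^acl\s+\d+\s+inbound$")


def parse_config(text: str) -> Tuple[int, List[Dict]]:
    """Return (maximum-vty, stanzas); each stanza has type, first, last, body.

    VRP prints a stanza header at column 0 and its settings indented by one
    space, so an indented line belongs to the most recent header.
    """
    max_vty = 5  # default number of VTY users given in this chapter
    stanzas: List[Dict] = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        m = MAX_VTY_RE.match(raw)
        if m:
            max_vty = int(m.group(1))
            current = None
            continue
        m = UI_RE.match(raw)
        if m:
            kind = "con" if m.group(1).lower().startswith("con") else m.group(1).lower()
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = {"type": kind, "first": first, "last": last, "body": []}
            stanzas.append(current)
        elif raw.startswith(" ") and current is not None:
            current["body"].append(raw.strip())
        else:
            current = None  # some other top-level stanza (acl, sysname, ...)
    return max_vty, stanzas


def audit(text: str) -> List[Finding]:
    """Run the checks and return findings in configuration order."""
    max_vty, stanzas = parse_config(text)
    findings: List[Finding] = []
    covered = set()
    for st in stanzas:
        name = f"{st['type']} {st['first']}"
        if st["last"] != st["first"]:
            name += f"-{st['last']}"
        body = st["body"]
        auth = next((l.split()[-1] for l in body if l.startswith("authentication-mode ")), None)
        if st["type"] == "vty":
            covered.update(range(st["first"], st["last"] + 1))
            if not any(ACL_IN_RE.match(l) for l in body):
                findings.append(("MEDIUM", name, "no inbound ACL: any source address may open a Telnet/SSH session"))
        if auth == "none":
            findings.append(("HIGH", name, "authentication-mode none: login needs no credentials"))
        if any(l.startswith("set authentication password simple ") for l in body):
            findings.append(("HIGH", name, "password stored with 'simple': plaintext in the configuration; use cipher"))
        if auth == "password" and st["type"] != "con" and "user privilege level 15" in body:
            findings.append(("MEDIUM", name, "one shared line password grants level 15; prefer AAA with per-user levels"))
        if "idle-timeout 0 0" in body:
            findings.append(("MEDIUM", name, "idle-timeout 0 0: idle sessions are never disconnected (assumed VRP semantics)"))
    missing = [n for n in range(max_vty) if n not in covered]
    if missing:
        findings.append(("MEDIUM", f"vty {missing[0]}-{missing[-1]}",
                         "allowed by maximum-vty but not configured: these VTYs default to password authentication and still need a password"))
    return findings


if __name__ == "__main__":
    for severity, ui, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {ui}: {message}")
```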
Networking Requirements
To initialize configurations of the router or locally maintain the router, a user can log in to the
router through a TTY user interface. To allow the user to log in, you can set attributes of the
TTY user interface.
After a user logs in, if the user takes no action on the router for more than 30 minutes, the
connection between the user and the router is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Enter the interface view and set physical attributes of the TTY user interface.
2.
3.
By default, the terminal service is enabled on all user interfaces. If the terminal service is disabled, run the
shell command to enable the terminal service.
Data Preparation
To complete the configuration, you need the following data:
Timeout period for disconnecting from the TTY user interface: 30 minutes
Procedure
Step 1 Set physical attributes of the TTY user interface.
<Huawei> system-view
[Huawei] user-interface tty 0
[Huawei-ui-tty1] speed 4800
[Huawei-ui-tty1] flow-control none
[Huawei-ui-tty1] parity even
[Huawei-ui-tty1] stopbits 2
[Huawei-ui-tty1] databits 6
shell
idle-timeout 30
screen-length 30
history-command max-size 20
----End
Configuration Files
#
sysname Huawei
#
user-interface TTY 1
user privilege level 15
history-command max-size 20
idle-timeout 30 0
screen-length 30
databits 6
parity even
stopbits 2
speed 4800
screen-length 30
#
return
Application
Console port: Users log in to the router through the console port to configure the router locally. Login through the console port is required when the router is powered on for the first time.
Telnet: Users log in to the router by using Telnet for local and remote maintenance. Telnet helps users maintain remote devices but brings security threats.
SSH (STelnet)
NOTE
Logins by using Telnet bring security risks because no secure authentication mechanism is available and
data is transmitted over TCP in plain text. Unlike Telnet, SSH guarantees secure data transmission
on a conventional insecure network by authenticating the client and encrypting data in both directions. SSH
supports secure Telnet (STelnet).
For detailed information about SSH, see the AR2200 Feature Description - Basic Configurations.
Applicable Environment
A user can log in to the router locally through a console port. If the router is powered on for the
first time, the user has to log in through a console port.
Pre-configuration Tasks
Before configuring user login through a console port, complete the following tasks:
Configuring the PC/terminal (including the serial port and RS-232 cable)
Data Preparation
To configure user login through a console port, you need the following data.
No.
Data
l Transmission rate, flow control mode, parity mode, stop bit, data bit
l Number of lines displayed in a terminal screen, size of the history command buffer
l User priority
l User authentication mode, user name, and password
Context
Attributes of a console user interface have default values on the router, and generally need no
additional settings. To meet specific application requirements or ensure network security, you
can set attributes of the console user interface, such as terminal attributes and user authentication
mode.
For detailed settings, see Configuring Console User Interface.
Context
For details, see Login Through the Console Port.
NOTE
l Communication parameters of the user terminal must be consistent with the physical attribute
parameters of the console user interface on the router.
l If a user authentication mode is specified in the console user interface, a user can log in to the router
only after passing the authentication. This enhances network security.
Prerequisite
Configurations of user login through a console port are complete.
Procedure
Run the display users [ all ] command to check information about the user interface.
Run the display local-user command to check the local user list.
----End
Example
Run the display users command, and you can view information about the current user interface.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  0    CON 0   00:00:44                           pass            no
  Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command, and you can view
the physical attributes and configurations of the user interface.
<Huawei> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600             3                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<Huawei> display local-user
  ----------------------------------------------------------------------------
  User-name                State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  admin                    A      H
  ftp                      A      F
  guest                    A      A         15
  ----------------------------------------------------------------------------
  Total 3 user(s)
using Telnet. This implements remote maintenance of the router and greatly facilitates device
management.
Applicable Environment
If you have known the IP address of the router to be accessed, you can log in to the router from
a terminal by using Telnet, and remotely maintain the device. This allows you to maintain
multiple routers on the same terminal, greatly facilitating device management.
Note that IP addresses of the routers need to be preset through console ports.
Pre-configuration Tasks
Before configuring user login in Telnet mode, complete the following tasks:
Data Preparation
Before configuring user login in Telnet mode, you need the following data.
No.
Data
TCP port number for the remote router to provide Telnet services, VPN instance name
Context
By default, the user authentication mode in the VTY user interface is password. Therefore, before
a user logs in to the router by using Telnet, the user authentication mode in the VTY user interface
must be set. Otherwise, the user cannot log in to the router.
You can log in to the router through a console port to set the user authentication mode in the
VTY user interface.
Other attributes of the VTY user interface in the router, such as terminal attributes and user
priorities, can also be set as needed. These attributes, however, generally do not need to be set
because they have default values.
For detailed settings, see Configuring VTY User Interface.
Context
If the user authentication mode of the VTY user interface is non-authentication or password
authentication, the following configurations are not needed.
By default, a local user can apply for any access type. You can specify an access type to allow
only users configured with the specified access type to log in to the router.
Do as follows on the router that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
Context
By default, the function of the Telnet server is enabled.
Do as follows on the router that serves as a Telnet server.
Procedure
Step 1 For the IPv4 network
1. Run:
system-view
2.
l If the undo telnet [ipv6] server enable command is run when a user logs in by using Telnet, the
command does not take effect.
l After the Telnet server function is disabled, you can log in to the device only using SSH or an
asynchronous serial port rather than using Telnet.
----End
Context
If you need to log in to the router by using Telnet, you can use either the Windows command line
or third-party software on the terminal. In this part, the Windows command line prompt is used.
Do as follows on the user terminal:
Procedure
Step 1 Open the Windows command line.
Step 2 Run the telnet ip-address command to telnet to the router.
1.
2.
Press "Enter" to display the command line prompt of the system view, such as
<HUAWEI>. This indicates that you have accessed the Telnet server.
----End
Prerequisite
Configurations of logins by using Telnet are complete.
Procedure
Run the display users [ all ] command to check information about logged-in users on user
interfaces.
Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display users command to view information about the currently-used user interface.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  34   VTY 0   00:00:12 TEL   10.138.77.38                        no
  Username : Unspecified
+ 35   VTY 1   00:00:00 TEL   10.138.77.57                        no
  Username : Unspecified
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
(display tcp status output, not fully legible in this copy: of its columns only Foreign Add:port and VPNID survive, with the foreign endpoints 0.0.0.0:0, 0.0.0.0:0 and 10.164.6.13:1147 and the value 14849.)
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<Huawei> display telnet server status
  Telnet IPV4 server        :Enable
  Telnet server port        :23
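Detection over the two outputs above, as an added example that is not from this guide or from Huawei: it parses display users and display telnet server status text (a constructed sample modelled on this section's outputs, with an SSH session added for contrast) and lists the plaintext Telnet sessions together with whether the Telnet server is still enabled. The two-line-per-session layout and the SSH value in the Type column are assumptions about the output format.

```python
"""List plaintext Telnet sessions from Huawei VRP 'display users' output.

Added example for this section, not Huawei's code. Each session is read as
two lines: a column line (index, user interface, delay, type, address,
authentication status, authorisation flag) and a 'Username :' line.
"""
import re
from typing import Dict, List

# Constructed sample modelled on this section's outputs; the SSH session on
# VTY 2 is added for contrast and the 'SSH' type value is an assumption.
DISPLAY_USERS = """\
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  34   VTY 0   00:00:12 TEL   10.138.77.38        pass            no
  Username : Unspecified
+ 35   VTY 1   00:00:00 TEL   10.138.77.57        pass            no
  Username : Unspecified
  36   VTY 2   00:01:05 SSH   10.138.77.60        pass            no
  Username : admin
"""
TELNET_STATUS = """\
  Telnet IPV4 server        :Enable
  Telnet server port        :23
"""

# '+' marks the interface the command was run from; type and address are
# optional because console and TTY sessions print neither.
SESSION_RE = re.compile(
    r"^(?P<cur>\+)?\s*(?P<idx>\d+)\s+(?P<ui>(?:VTY|CON|TTY)\s+\d+)\s+(?P<delay>\d\d:\d\d:\d\d)"
    r"(?:\s+(?P<type>[A-Z]{3}))?(?:\s+(?P<addr>\d+(?:\.\d+){3}))?"
)
USERNAME_RE = re.compile(r"^\s*Username\s*:\s*(?P<name>\S+)")


def parse_display_users(text: str) -> List[Dict]:
    """Pair each column line with the 'Username :' line that follows it."""
    sessions: List[Dict] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({
                "index": int(m["idx"]), "ui": m["ui"], "type": m["type"] or "",
                "addr": m["addr"] or "", "current": m["cur"] is not None, "username": "",
            })
        else:
            m = USERNAME_RE.match(line)
            if m and sessions:
                sessions[-1]["username"] = m["name"]
    return sessions


def parse_telnet_status(text: str) -> Dict[str, str]:
    """Turn the 'key   :value' lines of display telnet server status into a dict."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            status[key.strip()] = value.strip()
    return status


def review(users_text: str, status_text: str) -> List[str]:
    """Report the Telnet exposure visible in the two outputs."""
    notes: List[str] = []
    status = parse_telnet_status(status_text)
    if status.get("Telnet IPV4 server", "").lower() == "enable":
        port = status.get("Telnet server port", "?")
        notes.append(f"Telnet server enabled on port {port}: disable it once STelnet is in place")
    for s in parse_display_users(users_text):
        if s["type"] == "TEL":
            who = s["username"] or "unknown"
            notes.append(f"{s['ui']} (index {s['index']}): plaintext Telnet session from {s['addr']} as {who}")
    return notes


if __name__ == "__main__":
    for note in review(DISPLAY_USERS, TELNET_STATUS):
        print(note)
```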
Applicable Environment
Logins by using Telnet bring security risks because no secure authentication mechanism is
available and data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees
secure data transmission on a conventional insecure network by authenticating the client and
encrypting data in both directions.
STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner
as using the Telnet service.
Pre-configuration Tasks
Before configuring users to log in by using STelnet, complete the following task:
Data Preparation
To configure users to log in by using STelnet, you need the following data:
No.
Data
Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and
call-out in VTY user interfaces, connection timeout period of terminal users, number
of rows displayed in a terminal screen, size of the history command buffer, user
authentication mode, user name, and password
User name, password, authentication mode, and service type of an SSH user and
remote public RSA key pair allocated to the SSH user
(Optional) Name of an SSH server, number of the port monitored by the SSH server,
preferred encryption algorithm from the STelnet client to the SSH server, preferred
encryption algorithm from the SSH server to the STelnet client, preferred HMAC
algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from
the SSH server to the STelnet client, preferred key exchange algorithm, name of
the outgoing interface, and source address
Context
By default, the user authentication mode in the VTY user interface is password. Therefore, before
a user logs in to the router by using STelnet, the user authentication mode in the VTY user
interface must be set. Otherwise, the user cannot log in to the router.
You can log in to the router through a console port to set the user authentication mode in the
VTY user interface.
Other attributes of the VTY user interface in the router, such as terminal attributes and user
priorities, can also be set as needed. These attributes, however, generally do not need to be set
because they have default values.
For detailed settings, see Configuring VTY User Interface.
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH,
users cannot log in to the router by using STelnet.
Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
If a VTY user interface is configured to support SSH, the VTY user interface must be configured with
AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.
----End
Context
SSH users can be authenticated in four modes: RSA, password, password-rsa, and all. You
must create a local user with the specified user name in the AAA view.
Configuring the router to generate a local RSA key pair is a key step for SSH login. If an
SSH user logs in to an SSH server in password authentication mode, configure the server
to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.
NOTE
Password-rsa authentication requires success of both password authentication and RSA authentication. The
all authentication mode requires success of either password authentication or RSA authentication.
Procedure
Step 1 Run:
system-view
l Before performing the other SSH configurations, you must run the rsa local-key-pair create
command to generate a local key pair.
l After generating the local key pair, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
Step 6 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
For RSA authentication, also configure the client's RSA public key on the server and bind it to
the SSH user:
1. Run:
ssh user user-name authentication-type rsa
2. Run:
rsa peer-public-key key-name
3. Run:
public-key-code begin
4. Run:
hex-data
l In the public key view, only hexadecimal strings complying with the public key format can be
entered. The string is the RSA public key generated by the SSH client software; for how to
export it, see the manual for that software.
l Copy the RSA public key generated on the client into the public key editing view of the router
that serves as the SSH server.
5. Run:
public-key-code end
6. Run:
peer-public-key end
7. Run:
ssh user user-name assign rsa-key key-name
Step 7 (Optional) Run:
ssh server rekey-interval interval
Step 8 (Optional) Run:
ssh server auth-timeout timeout_interval
Step 9 (Optional) Run:
ssh server authentication-retries auth-times
Context
By default, no router is enabled with the STelnet server function. Users can establish connections
to the router by using STelnet only after the router is enabled with the STelnet server function.
Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Context
Table 5-2 lists server parameters.
Table 5-2 Server parameters
Server parameter: Earlier SSH version compatibility
Description: SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared
with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and
key exchange methods. SSH2.0 also supports more advanced services such as SFTP. The
Huawei AR2200 Series supports SSH versions ranging from 1.3 to 2.0. Enable SSH1.X
compatibility only for clients that cannot use SSH2.0: the SSH1 protocol has known design
weaknesses (its CRC-32 integrity check can be defeated) and it does not support SFTP.
Server parameter: Interval at which the key pair of the SSH server is updated
Description: After the interval is set, the key pair of the SSH server is regenerated
periodically, which limits how long a compromised server key remains useful.
Procedure
Step 1 Run:
system-view
Operation: Enable or disable earlier SSH version compatibility
Operation: Set the interval at which the key pair of the SSH server is updated
----End
Context
In STelnet login mode, third-party SSH client software can be used on the terminal. In this part,
the third-party software OpenSSH is used from the Windows command line.
After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, refer to the installation guide of the software.
For details on how to use OpenSSH commands to log in to the router, refer to the help document of the
software.
Procedure
Step 1 Open the Windows command line.
Step 2 Run the OpenSSH ssh command to log in to the router in STelnet mode. On the first
connection, compare the host key the client presents with the key configured on the router
(display rsa local-key-pair public) before accepting it.
----End
Prerequisite
Configurations of logins by using STelnet are complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configurations.
l Run the display ssh server session command on the SSH server to check sessions for SSH
users.
----End
Example
Run the display ssh user-information [ username ] command to view information about SSH
users. The following output lists all configured SSH users because no user name is specified:
<Huawei> display ssh user-information
-------------------------------------------------------------------------------
Username            Auth-type           User-public-key-name
-------------------------------------------------------------------------------
guest               password            null
rsa                 rsa                 RsaKey001
password            password            null
-------------------------------------------------------------------------------
If a user name is specified, only that SSH user is displayed.
Run the display ssh server status command to view configurations of an SSH server.
<Huawei> display ssh server status
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP Server                        :Enable
Stelnet server                     :Enable
Run the display ssh server session command. The command output shows the session information
between the SSH server and the client.
<Huawei> display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : password
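The two outputs above are worth reading critically: version 1.99 means the server still accepts SSH1.x clients, a key generating interval of 0 means the server key is never rotated, and the negotiated session uses a CBC cipher, HMAC-MD5 and a SHA-1 key exchange. The following Python script is an added example, not part of the Huawei guide: it parses both outputs and reports those findings. The sample text is constructed from the output on this page; the finding names and the lists of algorithms it treats as weak are the script's own.

```python
"""Audit 'display ssh server status' / 'display ssh server session' output.

Added example, not from the Huawei AR2200 guide.  The sample text below is
constructed from the output shown on this page; the finding names are ours.
"""
import re

# Algorithms a review would flag today (CBC mode and MD5/SHA-1-96 MACs).
WEAK_CIPHERS = {"des-cbc", "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

STATUS_SAMPLE = """\
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP Server                        :Enable
Stelnet server                     :Enable
"""

SESSION_SAMPLE = """\
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : password
"""


def parse_kv(text: str) -> dict:
    """Turn 'Key : value' lines into a dict; the first colon separates them."""
    result = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            result[key.strip()] = value.strip()
    return result


def parse_sessions(text: str) -> list:
    """Split the session output on 'Session N:' headers into one dict per session."""
    blocks = re.split(r"^Session \d+:\s*$", text, flags=re.M)
    return [kv for kv in (parse_kv(block) for block in blocks) if kv]


def audit_status(status: dict) -> list:
    findings = []
    # RFC 4253 section 5.1: a server announcing 1.99 also accepts SSH1.x clients.
    if status.get("SSH version") == "1.99":
        findings.append("ssh1-compat: version 1.99 means SSH1.x clients are accepted")
    m = re.match(r"(\d+)", status.get("SSH server key generating interval", ""))
    if m and int(m.group(1)) == 0:
        findings.append("no-rekey: server key pair is never regenerated (rekey-interval 0)")
    return findings


def audit_session(session: dict) -> list:
    findings = []
    for field in ("CTOS Cipher", "STOC Cipher"):
        if session.get(field) in WEAK_CIPHERS:
            findings.append(f"weak-cipher: {field} {session[field]}")
    for field in ("CTOS Hmac", "STOC Hmac"):
        if session.get(field) in WEAK_MACS:
            findings.append(f"weak-mac: {field} {session[field]}")
    if session.get("Kex", "").endswith("sha1"):
        findings.append(f"sha1-kex: {session['Kex']}")
    if session.get("Authentication Type") == "password":
        findings.append("password-only: prefer rsa or password-rsa for this user")
    return findings


def audit(status_text: str, session_text: str) -> list:
    """All findings; session findings are prefixed with the user name."""
    findings = audit_status(parse_kv(status_text))
    for session in parse_sessions(session_text):
        user = session.get("Username", "?")
        findings += [f"{user}: {f}" for f in audit_session(session)]
    return findings


if __name__ == "__main__":
    for finding in audit(STATUS_SAMPLE, SESSION_SAMPLE):
        print(finding)
```

Paste the live output of the two display commands into the two sample strings (or read them from files) to run the same checks against a real router.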
Applicable Environment
To ensure that the operator manages routers safely, you need to configure the switching of user
levels, and enable message sending between user interfaces.
Pre-configuration Tasks
Before performing operations after login, complete the following tasks:
Data Preparations
Before performing operations after login, you need the following data:
Context
To prevent an unauthorized user from using high-level commands, a password is required to
increase the user level.
Procedure
Step 1 Run:
system-view
Step 2 Run:
super password [ level user-level ] { simple | cipher } password
CAUTION
If simple is configured, the password is saved in the configuration file in plain text, so any
low-level user who can view the configuration file can read it and then switch to the higher
level, compromising network security. Select cipher to save the password as cipher text.
Configuration files that contain cipher text are still sensitive: protect them when they are
copied off the router by FTP, SFTP or backup.
If cipher is used, the password cannot be read back from the system. Record the password in
a safe place so that it is not lost.
Step 3 Run:
quit
Step 4 Run:
super [ level ]
When a lower-level login user switches to a higher level through the super command, the system
sends a trap and records the switchover in a log. When the target level is lower than the current
level, the system only records the switchover in a log.
----End
Context
The user interface can be classified into the Console user interface and VTY user interface.
Procedure
Step 1 Run:
lock
If the locking is successful, the system prompts that the user interface is locked.
You must enter a correct password to unlock the user interface.
----End
Context
Users logging in to the router can send messages from the current user interface to users in other
user interfaces as needed.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
Context
User information includes the user name, address, and authentication and authorization
information.
Procedure
l Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about logged-in users on all user interfaces is displayed.
----End
Networking Requirements
If a user modifies default values of certain parameters in the console user interface, the user
needs to reset corresponding parameters in the PC when logging in to the router through the
console port next time.
Figure 5-1 Networking diagram of user login through a console port (PC connected to the console
port of the Router)
Configuration Roadmap
Data Preparation
Communication parameters of the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit: 2,
flow control mode: none)
Procedure
Step 1 Establish the configuration environment by connecting the serial port of the PC to the console
port of the router through standard RS-232 cable.
Step 2 Start a terminal emulator on the PC, and set the communication parameters of the PC, as shown
in Figure 5-2 to Figure 5-4.
Figure 5-2 Connection creation
Step 3 Power on the router and wait for the completion of the self-check. After the router starts normally
and finishes the self-check, the system prompts you to press Enter.
Wait until the command prompt (<Huawei> by default) appears. You can then run commands to view
the running status of the router or to configure it.
----End
Networking Requirements
You can log in to the router on other network segments through the PC or other terminals to
perform remote maintenance.
Figure 5-5 Establishing the configuration environment over the WAN (PC, WAN, Router, Target
Router; the target router's interface Eth1/0/0 has address 202.38.160.92/16)
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l IP address of the PC
l User information (including the user name, password, and authentication mode)
Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Set login user parameters on the target router.
# Configure the login address.
<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] ip address 202.38.160.92 255.255.0.0
[Huawei-GigabitEthernet1/0/0] quit
Click OK.
Enter the user name and password in the login window. After authentication, a command line
prompt such as <Huawei> appears. Enter the configuration environment in the user view.
----End
Networking Requirements
As shown in Figure 5-7, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode.
In this configuration example, the password authentication mode is used.
Figure 5-7 Networking diagram of STelnet login (PC on the Network connected to the SSH Server
through GE1/0/0, 10.137.217.223/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server for secure data exchange between the STelnet
client and the SSH server.
2. Configure an SSH user on the SSH server, which involves setting the user authentication mode,
user name, and password.
3. Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
l
SSH user authentication mode: password, user name: client001, password: huawei
Procedure
Step 1 Generate a local key pair on the server.
<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Huawei_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
The example accepts a 768-bit modulus for brevity. A 768-bit RSA modulus has been publicly
factored and the 512-bit default is weaker still; in production enter 2048, the largest value
the router accepts.
NOTE
If SSH is configured as the login protocol, the AR2200 automatically disables Telnet.
----End
Configuration Files
Storage Devices
Storage devices are hardware components on which the router stores data.
At present, the router supports storage devices such as flash memory, USB disk, and
SD card.
Files
A file is the mechanism with which the system stores and manages data.
Directories
A directory is the mechanism with which the system groups and organizes files, serving
as a logical container for files.
Implementation
FTP
SFTP
Applicable Environment
You can log in to the file system to repair a faulty storage device when the router fails to save
or read data, and to manage storage devices, files, and directories on the router.
Pre-configuration Tasks
Before performing file operations by logging in to the file system, complete the following tasks:
Data Preparation
To perform file operations by logging in to the file system, you need the following data:
No.  Data
1    Directory name
2    File name
Context
When the file system on a storage device fails, the terminal of the router prompts you to rectify
the fault.
NOTE
The storage devices can be flash memory, SD card, or USB flash drive. The router has a built-in flash
memory and a built-in SD card (in slot sd1).
The router provides two reserved USB slots (usb0 and usb1) and an SD card slot (sd0).
Only Huawei-certified storage devices can be used.
You can format a storage device when you fail to repair the file system or you do not need any
data saved on the storage device.
CAUTION
Formatting a storage device destroys all data on it. Exercise caution when performing this
operation.
Procedure
l Run:
fixdisk device-name
If the system still prompts that the file system should be repaired after this command is run, the
physical medium may be damaged.
l Run:
format device-name
If the storage device still does not work after the format device-name command is run, the
hardware may be faulty.
----End
Context
You can manage directories by changing and displaying directories, displaying files in
directories and sub-directories, and creating and deleting directories.
Procedure
l Run:
cd { directory | device-name }
A directory is specified.
l Run:
pwd
l Run:
dir [ /all ] [ filename ] [ device-name ]
l Run:
mkdir { directory | device-name }
l Run:
rmdir { directory | device-name }
Context
l You can run the cd { directory | device-name } command to enter the required directory
from the current directory.
Procedure
l Run:
more [ /binary ] { filename | device-name } [ offset ] [ all ]
By running the more file-name command, you can view the file named file-name. Contents
of a text file are displayed one screen at a time; press the spacebar to display the next
screen. Two preconditions apply to screen-by-screen display:
The value configured by the screen-length screen-length temporary command must be
larger than 0.
The number of lines in the file must be larger than the value configured by the screen-length
command.
By running the more file-name offset command, you can view the file named file-name starting
from the line specified by offset, one screen at a time; press the spacebar to display the next
screen. Two preconditions apply:
The value configured by the screen-length screen-length command must be larger than 0.
The number of lines in the file minus offset must be larger than the value configured by the
screen-length command.
By running the more file-name all command, you can view the file named file-name in full,
without pausing after each screen.
l Run:
copy source-filename destination-filename
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
l Run:
move source-filename destination-filename
l Run:
rename source-filename destination-filename
l Run:
zip source-filename destination-filename
l Run:
delete [ /unreserved ] [ /force ] { filename | device-name } [ all ]
l Run:
undelete filename
NOTE
If the file is not in the current directory, specify it by its absolute path.
l Run:
reset recycle-bin [ filename ]
l Run:
system-view
Run:
execute filename
l Run:
system-view
Run:
file prompt { alert | quiet }
CAUTION
In quiet mode no confirmation prompt is displayed, so data lost through a mistaken operation
(for example delete /unreserved or format) cannot be caught before it happens.
----End
Applicable Environment
When the router serves as the FTP server, after the client logs in to the router through FTP, the
user can transfer files between the client and the server.
Pre-configuration Tasks
Before performing file operations by means of FTP, complete the following task:
Data Preparation
To perform file operations by means of FTP, you need the following data:
No.  Data
1    FTP user name and password, and the file directory authorized to the FTP user
Context
To perform file operations by means of FTP, you need to configure a local user name and a
password on the router and specify the service type and the directories that can be accessed.
Otherwise, you cannot access the router by using FTP.
Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 3 Run:
aaa
Context
By default, the FTP server listens on port 21 and users can log in without specifying a port.
Because the default port is well known, attackers and scanners routinely probe it, consuming
bandwidth, loading the server, and potentially preventing valid users from connecting. Changing
the listening port removes the router from this background noise, but a port scan will still find
the new port, so treat the change as a nuisance reduction rather than an access control. Restrict
access with an FTP ACL, and disable the FTP server when it is not needed.
Procedure
Step 1 Run:
system-view
Context
By default, the FTP server is disabled on the router. Therefore, you must enable the FTP server
before using FTP.
Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
When file transfers between clients and the router are finished, run the undo ftp server command
to disable the FTP server function. FTP sends credentials and data in clear text, so leaving it
enabled needlessly exposes the router.
----End
Context
l You can configure a source IP address for the FTP server. The server then accepts connections
only on that address, which confines FTP to the intended interface or management network.
l You can configure the timeout period for FTP connections on the FTP server. When an FTP
connection is idle for longer than the timeout period, the system closes the connection to release
resources.
Procedure
Step 1 Run:
system-view
Context
When the router functions as an FTP server, you can configure an ACL so that only clients
matching its rules can access the FTP server.
Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 4 Run:
quit
Step 5 Run:
ftp acl acl-number
Context
If you need to log in to the router by using FTP, you can use either the Windows command line or
third-party software. The Windows command line is used as an example here.
Do as follows on the PC:
Procedure
Step 1 Open the Windows command line.
Step 2 Run the ftp ip-address command to log in to the router by using FTP.
Enter the user name and password at the prompt and press Enter. When the FTP client prompt, such
as ftp>, is displayed, you are in the working directory authorized for the FTP user on the server.
----End
Context
After logging in to the FTP server, you can perform the following operations:
l Displaying information about a specified remote directory or file on the FTP server, or
deleting a specified file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform one or more
of the following operations:
Procedure
l FTP supports the ASCII type and the binary type. Their differences are as follows:
l In ASCII transmission mode, the file is treated as text and line endings (carriage return and
line feed) are converted between the client's and the server's conventions.
l In binary transmission mode, bytes are transferred unchanged, without conversion or
formatting.
The transmission mode is selected by the client; the default is ASCII. The client can switch between
the ASCII mode and the binary mode with its mode commands. Use ASCII mode for .txt files and
binary mode for binary files such as system software, patches and compressed archives, because
ASCII conversion corrupts them.
l The FTP file is downloaded from the FTP server and saved to a local file.
l Run:
mkdir remote-directory
If you need other FTP operations, run the help [ command ] command to get help in the Windows
command line.
----End
Prerequisite
The router has been configured as the FTP server.
Procedure
l Run the display ftp-server command to check the configuration and running information of the
FTP server.
l Run the display ftp-users command to check the logged-in FTP users.
----End
Example
After configuring the FTP server, run the display ftp-server command to check that the FTP
server is running.
<Huawei> display ftp-server
  FTP server is running
  Max user number                5
  User count                     0
  Timeout value(in minute)       30
  Listening port                 21
  Acl number                     0
  FTP server's source address    1.1.1.1
Run the display ftp-users command to view the user name, port number, and authorized directory
of the FTP users currently logged in.
<Huawei> display ftp-users
  username   host              port   idle   topdir
  zll        100.2.150.226     1383   3      flash:
Applicable Environment
SSH provides secure data transmission over an insecure network by authenticating the client and
encrypting data in both directions. SFTP runs over an SSH connection and gives users
authenticated, encrypted file transfer; it is the secure replacement for FTP on the router.
Pre-configuration Tasks
Before performing file operations by using SFTP, complete the following task:
Data Preparation
Before performing file operations by using SFTP, you need the following data.
No.  Data
1    Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and call-out in
     VTY user interfaces, connection timeout period of terminal users, number of rows displayed
     in a terminal screen, size of the history command buffer, user authentication mode, user
     name, and password
2    User name, password, authentication mode, and service type of an SSH user, the remote RSA
     public key allocated to the SSH user, and the SFTP working directory of the SSH user
3    (Optional) Interval for updating the key pair on the SSH server
4    Name of the SSH server, number of the port monitored by the SSH server, preferred encryption
     algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the
     SSH server to the SFTP client, preferred HMAC algorithm from the SFTP client to the SSH
     server, preferred HMAC algorithm from the SSH server to the SFTP client, preferred key
     exchange algorithm, name of the outgoing interface, and source address
Context
By default, the VTY user interface uses password authentication. SSH login requires AAA
authentication on the VTY user interface, so change the authentication mode before a user attempts
to log in to the router by using SFTP. Otherwise, the login fails.
Other attributes of the VTY user interface in the router, such as terminal attributes and user
priorities, can also be set as needed. These attributes, however, generally do not need to be set
because they have default values.
For detailed settings, see Configuring VTY User Interface.
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH,
users cannot log in to the router by using SFTP.
Procedure
Step 1 Run:
system-view
Step 3 Run:
authentication-mode aaa
If a VTY user interface is configured to support SSH, the VTY user interface must be configured with
AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.
----End
Context
l SSH users can be authenticated in four modes: RSA, password, password-rsa, and all. You
must create a local user with the specified user name in the AAA view.
l Generating a local RSA key pair on the router is a prerequisite for SSH login. If an SSH
user logs in in password authentication mode, only the server needs a local RSA key pair.
If an SSH user logs in in RSA authentication mode, both the server and the client need
local RSA key pairs, and the client's public key must be configured on the server.
NOTE
Password-rsa authentication requires success of both password authentication and RSA authentication. The
all authentication mode requires success of either password authentication or RSA authentication.
Procedure
Step 1 Run:
system-view
Step 4 Run:
rsa local-key-pair create
l Before performing the other SSH configurations, you must run the rsa local-key-pair create
command to generate a local key pair.
l After generating the local key pair, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
Step 5 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
For RSA authentication, also configure the client's RSA public key on the server and bind it to
the SSH user:
1. Run:
ssh user user-name authentication-type rsa
2. Run:
rsa peer-public-key key-name
3. Run:
public-key-code begin
4. Run:
hex-data
l In the public key view, only hexadecimal strings complying with the public key format can be
entered. The string is the RSA public key generated by the SSH client software; for how to
export it, see the manual for that software.
l Copy the RSA public key generated on the client into the public key editing view of the router
that serves as the SSH server.
5. Run:
public-key-code end
l If the specified key-name has been deleted in another view, the system prompts that the key
does not exist when the peer-public-key end command is run, and returns to the system view.
6. Run:
peer-public-key end
7. Run:
ssh user user-name assign rsa-key key-name
Step 6 (Optional) Run:
ssh server rekey-interval interval
Step 7 (Optional) Run:
ssh server auth-timeout timeout_interval
Step 8 (Optional) Run:
ssh server authentication-retries auth-times
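The hex-data step in both the STelnet and the SFTP procedures above requires the client's RSA public key as a hexadecimal string, and the guide defers to the client software manual for how to obtain it. The following Python script is an added example, not part of the Huawei guide: it parses an OpenSSH ssh-rsa public key line (the content of id_rsa.pub) and prints the hex. It assumes the router accepts the hexadecimal DER encoding of a PKCS#1 RSAPublicKey (SEQUENCE of modulus and exponent), which is the form Huawei's published key examples show; confirm that against the manual for your software version before relying on it. The sample key is constructed for the demonstration and is not a real RSA modulus.

```python
"""Convert an OpenSSH 'ssh-rsa' public key line into hex for the router's
public-key view (the hex-data placeholder in the procedures above).

Added example, not from the Huawei guide.  Assumption: the router expects the
DER encoding of a PKCS#1 RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e })
written as hexadecimal.  Confirm against your client software's manual.
"""
import base64
import struct


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if the top bit is set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): 4-byte length, then big-endian two's complement."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return struct.pack(">I", len(body)) + body


def make_openssh_line(e: int, n: int, comment: str = "constructed@example") -> str:
    """Build an 'ssh-rsa <base64> <comment>' line; used here to construct sample input."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_rsa(line: str) -> tuple:
    """Return (e, n) from an ssh-rsa line, validating the RFC 4253 wire blob."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, pos = [], 0
    while pos + 4 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated ssh-rsa blob")
        fields.append(blob[pos:pos + length])
        pos += length
    if pos != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def rsa_public_key_der(e: int, n: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def to_hex_data(line: str, group: int = 8) -> str:
    """Hex string for the public-key view, split into groups for readability."""
    e, n = parse_openssh_rsa(line)
    hexstr = rsa_public_key_der(e, n).hex().upper()
    return " ".join(hexstr[i:i + group] for i in range(0, len(hexstr), group))


# Constructed sample: a 512-bit odd number standing in for a real modulus.
SAMPLE_N = (1 << 511) | 0xC0FFEE01
SAMPLE_LINE = make_openssh_line(65537, SAMPLE_N)

if __name__ == "__main__":
    print(to_hex_data(SAMPLE_LINE))
```

With a real key, replace SAMPLE_LINE with the contents of the client's id_rsa.pub; the output for a 2048-bit key starts with 3082010A 02820101 (a two-byte long-form length followed by a 257-byte modulus INTEGER) and ends with 0203010001 when the exponent is 65537.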
Context
By default, the router is not enabled with the SFTP server function. Users can establish
connections with the router by using SFTP only after the router is enabled with the SFTP server
function.
Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Context
Third-party SSH client software can be used to access the router from the user terminal by using
SFTP. The third-party software OpenSSH, run from the Windows command line, is used as an example
here.
After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, see the installation guide of the software.
For details on how to use OpenSSH commands to log in to the router, see the help document of the software.
Procedure
Step 1 Open the Windows command line.
Step 2 Run the OpenSSH sftp command to log in to the router in SFTP mode.
When the SFTP client prompt, such as sftp>, is displayed, you are in the working directory
configured for the SSH user on the SFTP server.
----End
Context
After logging in to the SFTP server, you can perform the following operations:
Procedure
l Run:
help [ all | command-name ]
Prerequisite
SSH users have been configured.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about the SSH user.
l Run the display ssh server status command on the SSH server to check its global
configurations.
l Run the display ssh server session command on the SSH server to check information about
connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
client001 is authenticated by password, and its service type is sftp.
[Huawei] display ssh user-information client001
-------------------------------------------------------------------------------
Username            Auth-type           User-public-key-name
-------------------------------------------------------------------------------
client001           password            null
-------------------------------------------------------------------------------
If no SSH user is specified, information about all SSH users on the SSH server is displayed.
Run the display ssh server status command to view configurations of an SSH server.
<Huawei> display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries         : 5 times
SFTP Server                        : Enable
NOTE
When the server listens on the default SSH port, the output does not include a line for the
listening port.
Run the display ssh server session command. The command output shows the session information
between the SSH server and the client.
<Huawei> display ssh server session
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Authentication Type : password
Networking Requirements
You can log in to the router through the Console interface, Telnet, or STelnet to perform file
operations on the router.
The file path in the storage device must be correct. If the user does not specify a target file name,
the source file name is the name of the target file by default.
Configuration Roadmap
The configuration roadmap is as follows:
1. Check the directory and verify that the file has been copied successfully to the specified
directory.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Display the file information in the current directory. flash:/ is the flash memory identifier.
<Huawei> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,241  Jun 16 2011  09:15:58   rootcert.pem
    1  -rw-          2,688  Apr 27 2011  17:06:50   pat1.pat
    2  -rw-            396  Mar 21 2011  08:25:25   rsa_host_key.efs
    3  -rw-            540  Mar 21 2011  08:25:43   rsa_server_key.efs
    4  -rw-            705  Apr 13 2011  11:23:45   iascfg.zip
    5  -rw-         88,942  Jul 01 2011  15:18:22   creat_vlanif.bat
    6  -rw-         80,783  Jul 01 2011  16:28:32   undovlanif.bat
    7  -rw-         56,523  Jun 15 2011  10:43:50   mon_file.txt
Step 3 Display the file information in the current directory again. The listing shows that the file
has been copied to the specified directory.
<Huawei> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,241  Jun 16 2011  09:15:58   rootcert.pem
    1  -rw-          2,688  Apr 27 2011  17:06:50   pat1.pat
    2  -rw-            396  Mar 21 2011  08:25:25   rsa_host_key.efs
    3  -rw-            540  Mar 21 2011  08:25:43   rsa_server_key.efs
    4  -rw-            705  Apr 13 2011  11:23:45   iascfg.zip
    5  -rw-         88,942  Jul 01 2011  15:18:22   creat_vlanif.bat
    6  -rw-         80,783  Jul 01 2011  16:28:32   undovlanif.bat
    7  -rw-         56,523  Jun 15 2011  10:43:50   mon_file.txt
    8  -rw-          1,605  Jun 15 2011  10:43:50   sample1.txt
----End
Networking Requirements
As shown in Figure 6-1, after the FTP server is enabled on the router, you can log in to the FTP
server from the HyperTerminal to upload or download files.
Figure 6-1 Networking diagram for file operations by using FTP (PC on the Network connected to the
FTP Server through GE1/0/0, 10.137.217.221/16)
Configuration Roadmap
The configuration roadmap is as follows:
l Log in to the FTP server by using the correct user name and password.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the IP address of the FTP server.
<Huawei> system-view
[Huawei] sysname server
[server] interface gigabitethernet1/0/0
[server-GigabitEthernet1/0/0] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet1/0/0] quit
Step 2 Enable the FTP server and set the connection timeout period.
[server] ftp server enable
[server] ftp timeout 20
Step 3 Configure the authentication information, authorization mode, and authorized directories for an
FTP user on the FTP server.
[server] aaa
[server-aaa] local-user huawei password simple Huawei
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory flash:
[server-aaa] quit
This example uses password simple so that the resulting configuration file is readable; in
practice use password cipher, as the CAUTION earlier in this guide recommends, and authorize a
dedicated directory rather than the root of flash:, which also holds the configuration and key
files.
Step 4 Run the FTP commands at the windows command line prompt, and enter the correct user name
and password to set up an FTP connection with the FTP server.
Figure 6-2 Logging in to the FTP Server
NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed
information of the file.
----End
Configuration Files
#
FTP server enable
#
interface GigabitEthernet1/0/0
ip address 10.137.217.221 255.255.0.0
#
aaa
local-user huawei password simple Huawei
local-user huawei service-type ftp
local-user huawei ftp-directory flash:
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
return
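The configuration file above stores the FTP user's password with simple, grants it flash: (the directory that holds the configuration and RSA key files) as its FTP root, leaves the FTP server enabled, and applies no FTP ACL; earlier parts of this guide warn about each of these. The following Python script is an added example, not a Huawei tool: it audits a saved configuration for those settings and compares the page's configuration with a constructed hardened variant. The ******** cipher text and the flash:/ftp directory in the hardened variant are placeholders assumed for illustration, not values from the page.

```python
"""Audit a saved AR2200 configuration for the settings this guide warns about.

Added example, not a Huawei tool.  SAMPLE_CONFIG is the configuration file
shown above; HARDENED_CONFIG is a constructed variant (the ******** cipher
text and the flash:/ftp directory are placeholders, not values from the page).
"""
import re

SAMPLE_CONFIG = """\
#
FTP server enable
#
interface GigabitEthernet1/0/0
 ip address 10.137.217.221 255.255.0.0
#
aaa
 local-user huawei password simple Huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory flash:
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
return
"""

HARDENED_CONFIG = """\
#
FTP server enable
ftp acl 2000
#
aaa
 local-user huawei password cipher ********
 local-user huawei service-type ftp
 local-user huawei ftp-directory flash:/ftp
#
return
"""

# (pattern, finding code, message); {0} is the first capture group.
LINE_CHECKS = [
    (re.compile(r"^\s*local-user\s+(\S+)\s+password\s+simple\b"),
     "plaintext-password",
     "local-user {0}: password stored in plain text, re-enter it with 'password cipher'"),
    (re.compile(r"^\s*super\s+password\b.*\bsimple\b"),
     "plaintext-super-password",
     "super password stored in plain text, use 'cipher'"),
    (re.compile(r"^\s*local-user\s+(\S+)\s+ftp-directory\s+flash:\s*$"),
     "ftp-root-dir",
     "local-user {0}: FTP root is flash:, which also holds configuration and key files"),
    (re.compile(r"^\s*protocol\s+inbound\s+(telnet|all)\b"),
     "telnet-allowed",
     "VTY accepts Telnet (protocol inbound {0}), restrict it to ssh"),
]


def audit_config(text: str) -> list:
    """Return (code, message) findings for one configuration file."""
    lines = text.splitlines()
    findings = []
    for lineno, line in enumerate(lines, 1):
        for pattern, code, message in LINE_CHECKS:
            m = pattern.match(line)
            if m:
                findings.append((code, f"line {lineno}: " + message.format(*m.groups())))
    # Cross-line checks: is FTP enabled at all, and if so is it restricted by an ACL?
    ftp_on = any(re.match(r"^\s*ftp server enable\b", l, re.I) for l in lines)
    ftp_acl = any(re.match(r"^\s*ftp acl \d+", l) for l in lines)
    if ftp_on:
        findings.append(("ftp-enabled",
                         "FTP server enabled: credentials and files cross the network in clear "
                         "text, prefer SFTP and run 'undo ftp server' after transfers"))
        if not ftp_acl:
            findings.append(("ftp-no-acl",
                             "FTP server reachable from any address, apply 'ftp acl acl-number'"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, message in audit_config(cfg):
            print(f"  [{code}] {message}")
```

Run it against the output of display current-configuration saved from a real router; the hardened variant still reports ftp-enabled, because the only way to clear that finding is to disable FTP and move file transfers to SFTP.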
Networking Requirements
As shown in Figure 6-4, after SFTP services are enabled on the router functioning as an SSH
server, you can log in to the server in password, RSA, password-rsa, or all authentication mode
from a PC on the SFTP client.
Configure a user to log in to the SSH server in password authentication mode.
Figure 6-4 Networking diagram for operating files by using SFTP
[PC -- Network -- GE1/0/0 10.137.217.225/16 -- SSH Server]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to securely exchange data between the SFTP
client and the SSH server.
2.
3.
4. Enable SFTP services on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
- SSH user authentication mode: password, user name: client001, password: huawei
Procedure
Step 1 Configure a local key pair on the SSH server.
<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 3 Configure the SSH user name and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001
[SSH Server-aaa] local-user client001
[SSH Server-aaa] local-user client001
[SSH Server-aaa] local-user client001
[SSH Server-aaa] quit
----End
Configuration Files
Identifying Method
- Configuration files: initial configurations. On powering on, the router retrieves the
configuration files from a default save path to initiate itself. If configuration files do not
exist in the default save path, the router uses the default parameters.
- Current configurations: the effective configurations of the currently running router.
Users can modify the current configurations of the router through the command line interface.
Use the save command to save the current configuration to the configuration file of the default
storage devices, and the current configuration becomes the initial configuration of the router
when the router is powered on next time.
Applicable Environment
You can manage configuration files by saving, clearing, and comparing configuration files. To
upgrade the router, take preventive measures, repair configuration files, and view configurations
after the router starts, you need to manage configuration files.
Pre-configuration Tasks
Before managing configuration files, complete the following task:
Data Preparation
To manage configuration files, you need the following data.
Data: The number of the start line from which the comparison of the configuration files
begins
Context
Run one of the following commands to save configuration files.
Procedure
WARNING
If an LPU is not running on the router, related configurations may be lost when the system
automatically saves the configuration file.
1.
Run:
autosave interval { time } | { value } | { configuration time }
Context
The configuration file needs to be cleared in the following cases:
- The system software does not match the configuration file after the router has been
upgraded.
- The configuration file is destroyed or an incorrect configuration file has been loaded.
Run the reset saved-configuration command to clear the currently loaded configuration
file.
Procedure
If the configuration file of the router used for the current startup is the same as that used
for the next startup, running the reset saved-configuration command will clear both
configuration files. The router will use the default configuration file for the next
startup.
If the configuration file of the router used for the current startup is different from that
used for the next startup, running the reset saved-configuration command will clear the
configuration file used for the current startup.
If the configuration file of the router used for the current startup is empty, the system
will prompt you that the configuration file does not exist after you run the reset saved-configuration command.
Context
Do as follows on the router:
Procedure
Step 1 Run:
compare configuration [ configuration-file [ current-line-number save-line-number ] ]
The current configuration is compared with the configuration file for next startup.
If no parameter is set, the comparison begins with the first lines of the configuration files.
current-line-number and save-line-number are used to continue the comparison by ignoring the
differences between the configuration files.
When comparing differences between the configuration files, the system displays the contents
of the current configuration file and saved configuration file from the first different line. By
default, 120 characters are displayed for each configuration file. If the number of characters from
the first different line to the end is less than 120, the contents after the first different line are all
displayed.
In comparing the current configurations with the configuration file for next startup, if the
configuration file for next startup is unavailable or its contents are null, the system prompts that
reading files fails.
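The behaviour described for compare configuration (start at given line numbers, stop at the first differing line, show up to 120 characters of each file from that line, fail when the saved file is unavailable) is easy to get wrong in a home-grown change-detection script, so here it is written out in Python. This is an added example, not the router's implementation; the sample configuration pair is constructed, and the continue_comparison helper simply re-runs the comparison from the line after each reported difference, which is how the text says current-line-number and save-line-number are meant to be used.

```python
from itertools import zip_longest
from typing import Dict, List, Optional


def compare_configuration(current: str, saved: str,
                          current_line: int = 1, save_line: int = 1,
                          width: int = 120) -> Optional[Dict[str, object]]:
    """Compare the running configuration with the saved configuration the way
    the command is described: start at the given 1-based line numbers
    (default: the first lines), stop at the first differing line and return up
    to `width` characters of each file from that line on. Returns None when
    the remaining lines are identical. An unavailable or empty saved
    configuration is the 'reading files fails' case and raises ValueError."""
    if not saved.strip():
        raise ValueError("reading files fails: saved configuration is unavailable or empty")
    cur = current.splitlines()[current_line - 1:]
    sav = saved.splitlines()[save_line - 1:]
    for offset, (a, b) in enumerate(zip_longest(cur, sav)):
        if a != b:
            return {
                "current_line": current_line + offset,
                "save_line": save_line + offset,
                # When fewer than `width` characters remain, everything from the
                # first differing line to the end is shown, as the text states.
                "current_excerpt": "\n".join(cur[offset:])[:width],
                "saved_excerpt": "\n".join(sav[offset:])[:width],
            }
    return None


def continue_comparison(current: str, saved: str, width: int = 120) -> List[Dict[str, object]]:
    """Walk through every difference by restarting the comparison one line
    after each reported difference and collect the reports."""
    reports = []
    cur_pos, sav_pos = 1, 1
    while True:
        diff = compare_configuration(current, saved, cur_pos, sav_pos, width)
        if diff is None:
            return reports
        reports.append(diff)
        cur_pos, sav_pos = diff["current_line"] + 1, diff["save_line"] + 1


# Constructed sample pair: the only difference is the FTP idle timeout.
CURRENT_CFG = "#\n sysname server\n#\n ftp server enable\n ftp timeout 20\n#\nreturn"
SAVED_CFG = "#\n sysname server\n#\n ftp server enable\n ftp timeout 30\n#\nreturn"


if __name__ == "__main__":
    for report in continue_comparison(CURRENT_CFG, SAVED_CFG):
        print(f"current line {report['current_line']} / saved line {report['save_line']}")
        print("current:", report["current_excerpt"].splitlines()[0])
        print("saved:  ", report["saved_excerpt"].splitlines()[0])
```

On the sample pair the first (and only) difference is reported at line 5 of both files; calling compare_configuration with both start lines set to 6 skips past it and returns None, which is the "ignore this difference and continue" use of the two line-number parameters.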
----End
Prerequisite
The configuration of managing configuration files are complete.
Procedure
l
- Run the dir [ /all ] [ filename ] [ device-name ] command to check files saved in the storage
device.
- Run the display autosave configuration command to view configurations of the autosave
function, including the status of the autosave function and time for autosave check.
- Run the display this command to view configurations in the current view.
----End
Example
Run the display startup command to check files for startup.
<Huawei> display startup
MainBoard:
  Startup system software:                  usb0:/ar0210_30735_1220.cc
  Next startup system software:             usb0:/ar0210_30735_1220.cc
  Backup system software for next startup:  null
  Startup saved-configuration file:         flash:/arcfg.cfg
  Next startup saved-configuration file:    flash:/arcfg.cfg
  Startup license file:                     null
  Next startup license file:                null
  Startup patch package:                    null
  Next startup patch package:               null
  Startup voice-files:                      null
  Next startup voice-files:                 null
Applicable Environment
To enable the router to provide user-defined configurations during the next startup, you need to
correctly specify the system software and configuration file for the next startup.
Pre-configuration Tasks
Before specifying a file for the system startup, complete the following task:
Data Preparation
To specify a file for system startup, you need the following data.
7.3.2 Configuring System Software for a Router to Load for the Next Startup
To upgrade the system software of a router, you can specify the AR2200 system software to be
loaded for the next startup.
Context
If no system software is specified for the next startup operation of the router, the system software
loaded this time will be started during the next startup operation. To change system software for
the next startup operation, you need to specify the required one.
The filename extension of the system software must be .cc and must be stored in the root directory
of a storage device.
Procedure
Step 1 Run:
startup system-software filename
The AR2200 system software for the router to load next time when it starts is configured.
----End
7.3.3 Configuring the Configuration File for a Router to Load for the Next Startup
Before restarting a router, you can specify the configuration files that are loaded for the next
startup.
Context
You can run the display startup command on the router to check whether the configuration file
to be loaded during the next startup operation is specified. If no configuration file is specified,
the default configuration file is loaded during the next startup operation.
The filename extension of the configuration file must be .cfg or .zip, and must be stored in the
root directory of a storage device.
When the router turns on, it initiates by reading the configuration file from the flash memory by
default. Thus, the configuration in this configuration file is called initial configuration. If no
configuration file is saved in the flash, the router initiates with default parameters.
Procedure
l
Run:
startup saved-configuration configuration-file
The configuration file that the router loads at the next startup is specified.
----End
Prerequisite
The file has been specified for system startup.
Procedure
l
Run the display saved-configuration [ last | time ] command to check the contents of the
configuration file to be loaded during the next startup.
Run the display startup command to check information about the files to be used during
the next startup.
----End
Example
Run the display startup command to check information about the files to be used during the
next startup.
<Huawei> display startup
MainBoard:
  Startup system software:                  usb0:/ar0210_30735_1220.cc
  Next startup system software:             usb0:/ar0210_30735_1220.cc
  Backup system software for next startup:  null
  Startup saved-configuration file:         flash:/arcfg.zip
  Next startup saved-configuration file:    flash:/arcfg.zip
  Startup license file:                     null
  Next startup license file:                null
  Startup patch package:                    null
  Next startup patch package:               null
  Startup voice-files:                      null
  Next startup voice-files:                 null
Networking Requirements
After the router is configured, new configurations take effect after the system restarts.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Specify the configuration file to be loaded during the next startup of the router.
3. Specify the system software to be loaded during the next startup of the router.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Check the configuration file and system software that are used during the current startup.
<Huawei> display startup
MainBoard:
  Startup system software:                  usb0:/ar0312.cc
  Next startup system software:             usb0:/ar0312.cc
  Backup system software for next startup:  null
  Startup saved-configuration file:         flash:/iascfg.zip
  Next startup saved-configuration file:    flash:/iascfg.zip
  Startup license file:                     null
  Next startup license file:                null
  Startup patch package:                    null
  Next startup patch package:               null
  Startup voice-files:                      null
  Next startup voice-files:                 null
The system prompts you whether to save the current configuration to the file named vrpcfg.cfg
on the main control board. After entering y at the prompt, you save the configuration
successfully.
Step 3 Specify the configuration file to be loaded during the next startup of the router.
<Huawei> startup saved-configuration usb0:/arcfg.cfg
Step 4 Specify the system software to be loaded during the next startup of the router.
Specify the system software to be loaded during the next startup of the main control board.
<Huawei> startup system-software usb0:/arsoft.cc
NOTE
The software package arsoft.cc has been loaded to the AR2200. For details on how to upload the software
package, see 6.3 Performing File Operations by Means of FTP.
  Startup system software:                  usb0:/ar0312.cc
  Next startup system software:             usb0:/arsoft.cc
  Backup system software for next startup:  null
  Startup saved-configuration file:         flash:/iascfg.zip
  Next startup saved-configuration file:    usb0:/arcfg.cfg
  Startup license file:                     null
  Next startup license file:                null
  Startup patch package:                    null
  Next startup patch package:               null
  Startup voice-files:                      null
  Next startup voice-files:                 null
----End
Configuration Files
None.
[Figure 8-1: Server -- Network -- Client (router) -- Network -- PC]
As shown in Figure 8-1, when you run the terminal emulation program or Telnet program on a
PC to connect to the router successfully, the router can still function as a client to access another
device on the network by using the following one or more methods.
Telnet server: You can run the Telnet client program on a PC to log in to the router,
configure and manage it. The router acts as a Telnet server.
Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the router. With the telnet command, you can log in to other routers
to configure and manage them. As shown in Figure 8-2, Router A serves as both the Telnet
server and the Telnet client.
Figure 8-2 Telnet client services
[PC -- Telnet Session 1 -- RouterA -- Telnet Session 2 -- RouterB (Telnet Server)]
Redirection terminal services: You can run the Telnet client program on a PC to log in to
the router through a specified port number. Then connect with the serial interface devices
that are connected with the asynchronous interface of the router, as shown in Figure 8-3.
The typical application is to connect the asynchronous interface of the router with multiple
devices for their remote configuration and maintenance.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
[Figure 8-3: Ethernet -- Router with Async0 to Async3 connected to Router1, Router2, Switch, and Modem]
NOTE
Only the devices that provide the asynchronous interface support the Telnet redirection service.
[Figure: Telnet Session 2 between a Telnet Client and a Telnet Server; RouterA, RouterB, RouterC]
NOTE
If the network disconnects, the shortcut keys become invalid. The instruction cannot be sent to the
server.
Press <Ctrl_T> to directly interrupt the connection and quit Telnet connection.
<RouterA>
CAUTION
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts that all user interfaces are in use and you cannot use Telnet
to log in.
At present, the AR2200 serves only as the TFTP client and transfers files in the binary format.
SSH Overview
When users on an insecure network log in to the router through Telnet, the Secure Shell (SSH)
feature ensures information security and authentication. It protects the router from attacks such
as IP address spoofing and interception of plain text password.
The SSH client function allows users to establish SSH connections with router serving as SSH
server or with UNIX hosts.
STelnet client
The Telnet protocol does not provide secure authentication. The TCP transmits data in plain
text. This leads to security problems. The system also faces serious threats from DOS
(Denial of Service) attacks, the host IP address spoofing, and routing spoofing. Telnet
services are prone to network attacks.
SSH implements secure remote access on insecure networks and it has the following
advantages compared with Telnet:
- SSH supports Remote Subscriber Access (RSA) authentication. In RSA authentication,
SSH generates and exchanges public and private keys compliant with an asymmetric
encipherment system to ensure session security.
- SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.
- The user name and the password are both encrypted in the communication between the
SSH client and the SSH server. This prevents password interception.
- SSH encrypts the transmitted data.
When the STelnet server or the connection to it is faulty, the client must detect the fault in
time and release the connection on its own. To implement this, when logging in to the server
through STelnet, the client must be configured with the interval for sending keepalive packets
and the maximum number of keepalive packets the server may leave unanswered. If the client
receives no packet from the server within the configured interval, it sends a keepalive packet
to the server. If the number of unanswered keepalive packets exceeds the configured maximum,
the client releases the connection on its own.
SFTP client
SFTP is short for Secure FTP. You can log in to a device from the secure remote end to
manage files. This improves the security of data transmission when the remote system is
updated. Meanwhile, the client function enables you to log in to the remote device through
SFTP for secure file transmission.
When the SFTP server or the connection between it and the client is faulty, the client must
detect the fault in time and release the connection on its own. To implement this, when
logging in to the server through SFTP, the client must be configured with the interval for
sending keepalive packets and the maximum number of keepalive packets the server may leave
unanswered. If the client receives no packet from the server within the configured interval,
it sends a keepalive packet to the server. If the number of unanswered keepalive packets
exceeds the configured maximum, the client takes the initiative to release the connection.
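The keepalive behaviour described for the STelnet client and again for the SFTP client is the same state machine: a silence timer that triggers a keepalive, a counter of unanswered keepalives, and a release once the counter has used up the configured allowance. The following Python model is an added example that is not part of this guide or the router software; it replays a constructed timeline of server packets and timer ticks and records what the client does at each tick. The rule for when "exceeds the specified number" triggers the release (another full interval of silence after the last permitted keepalive) is an assumption of this example.

```python
from typing import List, Optional, Tuple


class KeepaliveMonitor:
    """Client-side keepalive state for an SSH (STelnet/SFTP) session. After
    `interval` seconds without any packet from the server the client sends a
    keepalive; once `max_no_reply` keepalives in a row have gone unanswered
    and a further interval passes in silence, the client releases the
    connection itself rather than hanging on a dead server."""

    def __init__(self, interval: float, max_no_reply: int):
        if interval <= 0 or max_no_reply < 1:
            raise ValueError("interval must be positive and max_no_reply at least 1")
        self.interval = interval
        self.max_no_reply = max_no_reply
        self.last_rx = 0.0                         # last packet from the server
        self.last_keepalive: Optional[float] = None  # last keepalive we sent
        self.unanswered = 0                        # keepalives without a reply
        self.connected = True

    def on_packet(self, now: float) -> None:
        """Any packet from the server (data or keepalive reply) resets the count."""
        self.last_rx = now
        self.unanswered = 0

    def tick(self, now: float) -> str:
        """Evaluate the timer at time `now`. Returns the action taken: 'idle',
        'keepalive', 'release' (this call tore the session down) or 'released'
        (it was already torn down)."""
        if not self.connected:
            return "released"
        last_activity = self.last_rx
        if self.last_keepalive is not None:
            last_activity = max(self.last_rx, self.last_keepalive)
        if now - last_activity < self.interval:
            return "idle"
        if self.unanswered >= self.max_no_reply:
            # The allowance of unanswered keepalives is used up and another
            # interval has passed in silence: release the connection.
            self.connected = False
            return "release"
        self.last_keepalive = now
        self.unanswered += 1
        return "keepalive"


def simulate(interval: float, max_no_reply: int,
             rx_times: List[float], tick_times: List[float]) -> List[Tuple[float, str]]:
    """Replay constructed server packets (rx_times) and timer ticks in time
    order and return the action taken at each tick."""
    monitor = KeepaliveMonitor(interval, max_no_reply)
    # A packet and a tick at the same instant: deliver the packet first.
    events = sorted([(t, 0, "rx") for t in rx_times] + [(t, 1, "tick") for t in tick_times])
    log = []
    for t, _, kind in events:
        if kind == "rx":
            monitor.on_packet(t)
        else:
            log.append((t, monitor.tick(t)))
    return log


if __name__ == "__main__":
    # Constructed timeline: the reply at t=12 answers the first keepalive;
    # afterwards the server goes silent and three keepalives go unanswered.
    for t, action in simulate(10, 3, rx_times=[0, 12], tick_times=[10, 20, 30, 40, 50, 60]):
        print(f"t={t:>3}: {action}")
```

With an interval of 10 and an allowance of 3 unanswered keepalives, the constructed timeline produces keepalive, idle, keepalive, keepalive, keepalive, release: the single reply at t=12 resets the counter, and the release only happens after the third unanswered keepalive has itself waited a full interval.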
Applicable Environment
Figure 8-5 Networking diagram for accessing another device from the router that you have
logged in to
[PC -- Network -- RouterA -- Network -- RouterB]
As shown in Figure 8-5, you can log in to Router A from a PC by using Telnet, but cannot
manage Router B remotely. This is because there is no reachable route between the PC and
Router B. To manage Router B remotely, you can log in to it from Router A by using Telnet.
In this situation, Router A functions as a Telnet client, and Router B that you attempt to log in
to functions as a server.
Pre-configuration Tasks
Before logging in to another device on the network by using Telnet, complete the following
tasks:
- Ensuring that the router that you attempt to log in to works properly, and enabling Telnet
services on the device
- Ensuring that there is a reachable route between the router that you have logged into and
the router that you attempt to log in to
Data Preparation
To log in to another device by using Telnet, you need the following data:
Data: Number of the TCP port used by RouterB to provide Telnet services
Context
An IP address is configured for an interface on the router and functions as the source IP address
of a Telnet connection. In this manner, security checks can be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as a Telnet client.
Procedure
Step 1 Run:
system-view
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can log in to a
host and then, by using Telnet, remotely log in to another host to configure and manage it. In
this manner, not every host needs to be connected to a hardware terminal.
Do as follows on the router that serves as a Telnet client:
Procedure
l
Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] host-name [ port-number ]
Prerequisite
All configurations for logging in to another device are complete.
Procedure
l
Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<Huawei> display tcp status
TCPCB    Tid/Soid  Local Add:port        Foreign Add:port      VPNID  State
39952df8 36 /1509  0.0.0.0:0             0.0.0.0:0             0      Closed
32af9074 59 /1     0.0.0.0:21            0.0.0.0:0             14849  Listening
34042c80 73 /17    10.164.39.99:23       10.164.6.13:1147             Established
Applicable Environment
To manage a remote device that can transmit data only through a serial interface, configure the
redirection function on the AR2200.
A remote device can be a router, a switch, an electricity terminal, a finance terminal, or other
terminals that use serial interfaces to transmit data.
[Figure 8-6: PC -- Ethernet -- Router with Async0 to Async3 connected to Router1, Switch1, Switch2, and Router2]
As shown in Figure 8-6, there are two routers and two switches connected to the Router
(an AR2200). To manage these devices through their serial interfaces, connect
asynchronous serial interfaces of the Router to serial interfaces of the devices, and configure
the redirection function on the Router. After the configuration is complete, you can use an
operation terminal to manage and maintain these devices remotely.
- Managing terminals such as intelligent electricity meters, intelligent water meters, and
automatic teller machines
[Figure: Monitor -- Network -- Device; Router with Async0 to Async3]
Pre-configuration Tasks
Before configuring the redirection function, complete the following tasks:
- Directly connecting the remote devices to the 8AS board of the router through asynchronous
serial cables and ensuring that the 8AS board has registered successfully and the
asynchronous serial interfaces are in Up state
Data Preparation
To configure the redirection function, you need the following data.
Prerequisite
The 8AS board on the router has registered successfully and the asynchronous serial interfaces
are in Up state.
Context
Do as follows on the router.
Procedure
Step 1 Run:
system-view
- The terminal attributes of a TTY user interface must be the same as the physical attributes of the terminal
connected to the corresponding asynchronous serial interface. For details on how to configure terminal
attributes of a TTY user interface, see 4.4.3 Setting Terminal Attributes of TTY User Interface.
- If the modem function is enabled on a TTY user interface, the redirection function does not take effect.
----End
Follow-up Procedure
Run the telnet host-name port-number command to log in to a remote device. In the command,
host-name is the IP address or host name of the router with the redirection function enabled, and
port-number is the default port number or the port number configured by running the redirect
listen-port command.
Prerequisite
All configurations of the redirection function are complete.
Context
l
Run the display tcp status command to check the status of the current TCP connection.
Example
Run the display tcp status command to check the TCP connection status.
<Huawei> display tcp status
TCPCB    Foreign Add:port      VPNID  State
1973f250 0.0.0.0:0             23553  Listening
1973f0ec 0.0.0.0:0             23553  Listening
1973ef88 0.0.0.0:0             23553  Listening
1a16a204 0.0.0.0:0             23553  Listening
1973e9f8 0.0.0.0:0             0      Listening
1a169c74 10.138.77.61:2120     0      Established
Applicable Environment
Logins by using Telnet bring security risks because no secure authentication mechanism is
available and data is transmitted by using TCP in plain text mode.
STelnet is short for SSH Telnet, a secure Telnet protocol based on SSH. SSH users can use
STelnet services in the same way as Telnet services.
In this configuration, the Router that you have logged in to functions as a Telnet client, and
the Router that you attempt to log in to functions as an SSH server.
Pre-configuration Tasks
Before logging in to another device by using STelnet, complete the following tasks:
Data Preparation
To log in to another device by using STelnet, you need the following data:
Data:
- Name of the SSH server, public key that is assigned by the client to the SSH server
- IPv4 address or host name of the SSH server, number of the port monitored by the SSH
server, preferred encryption algorithm from the SFTP client to the SSH server, preferred
encryption algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from
the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server to the SFTP
client, preferred key exchange algorithm
- The user information for logging in to the SSH server
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time. After
the login, the system automatically allocates the RSA public key and saves it for authentication
in next login.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
- The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity
of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first
time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH
server.
- If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the
SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity
and cannot log in to the server.
TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA
public key in advance to the SSH server on the SSH client in addition to enabling the first-time
authentication on the SSH client.
----End
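The notes and the TIP above describe three situations a client can be in when a server presents its RSA public key: the key is unknown and first-time authentication is disabled (login fails), the key is unknown and first-time authentication is enabled (the key is saved for later logins), or the key was assigned to the server in advance (the check passes without first-time authentication). The following Python model is an added example that is not part of this guide or the router software; it keeps a per-server fingerprint store and implements those three outcomes, plus the case the notes leave implicit: a stored key that no longer matches what the server presents, which the store refuses rather than silently replacing. Fingerprints are SHA-256 over the raw key bytes, and the key byte strings are constructed stand-ins.

```python
import base64
import hashlib
from typing import Dict, Optional


def fingerprint(public_key: bytes) -> str:
    """Base64 SHA-256 fingerprint of a server public key."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class SshClientHostKeys:
    """Client-side store of SSH server public keys. `first_time_authentication`
    mirrors the switch described in the notes: when enabled, a server whose key
    is not yet stored is accepted on the first login and its key is saved for
    checking on every later login; when disabled, the login is refused until
    the key has been assigned to the server in advance."""

    def __init__(self, first_time_authentication: bool):
        self.first_time_authentication = first_time_authentication
        self._known: Dict[str, str] = {}   # server name -> fingerprint

    def assign(self, server: str, public_key: bytes) -> None:
        """Assign a public key to a server before the first login."""
        self._known[server] = fingerprint(public_key)

    def known_fingerprint(self, server: str) -> Optional[str]:
        return self._known.get(server)

    def verify(self, server: str, presented_key: bytes) -> str:
        """Check the key presented by the server during the SSH handshake.
        Returns 'accepted', 'accepted-first-time', 'rejected-unknown-key' or
        'rejected-key-mismatch'; only the 'accepted*' results may proceed."""
        presented = fingerprint(presented_key)
        stored = self._known.get(server)
        if stored is None:
            if self.first_time_authentication:
                self._known[server] = presented   # saved for the next login
                return "accepted-first-time"
            return "rejected-unknown-key"
        if stored == presented:
            return "accepted"
        # A different key for a server we already know is never adopted
        # silently: from the client's view it is indistinguishable from an
        # interposed host, so the login is refused and the operator must decide.
        return "rejected-key-mismatch"


# Constructed stand-ins for encoded RSA public keys; any bytes serve here.
SERVER_KEY = b"constructed-rsa-public-key-of-ssh-server"
OTHER_KEY = b"constructed-rsa-public-key-of-some-other-host"


def demo() -> Dict[str, str]:
    """Run the situations described above and collect the outcome of each."""
    strict = SshClientHostKeys(first_time_authentication=False)
    tofu = SshClientHostKeys(first_time_authentication=True)
    pinned = SshClientHostKeys(first_time_authentication=False)
    pinned.assign("ssh-server", SERVER_KEY)
    return {
        "strict_first_login": strict.verify("ssh-server", SERVER_KEY),
        "tofu_first_login": tofu.verify("ssh-server", SERVER_KEY),
        "tofu_second_login": tofu.verify("ssh-server", SERVER_KEY),
        "tofu_changed_key": tofu.verify("ssh-server", OTHER_KEY),
        "pinned_first_login": pinned.verify("ssh-server", SERVER_KEY),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<20} {outcome}")
```

The pinned case is the TIP's recommendation in code: assigning the key in advance gives a first login that is checked rather than trusted, so first-time authentication never has to be enabled at all.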
Context
If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in
to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public
key validity and cannot log in to the server. So you need to allocate an RSA public key to the
SSH server before the STelnet client logs in to the SSH server.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
Before being assigned to the SSH server, the peer RSA public key must be obtained from the SSH
server and configured on the SSH client. Then, the STelnet client can pass the validity check on
the RSA public key of the SSH server.
Step 5 Run:
public-key-code end
Context
When accessing an SSH server, the STelnet client can carry the source address and the VPN
instance name and choose the key exchange algorithm, encryption algorithm, or HMAC
algorithm, and configure the keepalive function.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations for logging in to another device by using STelnet are complete.
Procedure
l
Run the display ssh server status command to view the status of the SSH server.
----End
Example
Run the display ssh server status command to view the status of the SSH server.
<Huawei> display ssh server status
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP Server                        :Enable
Applicable Environment
You can transfer files through TFTP between the server and the client in a simple interaction
environment.
The current Router functions as a TFTP client, and the Router to be accessed functions as a TFTP
server.
Pre-configuration Tasks
Before accessing another device by using TFTP, complete the following tasks:
Data Preparation
To access another device by using TFTP, you need the following data.
Data:
- (Optional) Source address or source interface of the router that functions as a TFTP
client
- Name of the specific file in the TFTP server and the file directory
Context
An IP address is configured for an interface on the router and functions as the source IP address
of a TFTP connection. In this manner, security checks can be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as a TFTP client.
Procedure
Step 1 Run:
system-view
After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
Context
An Access Control List (ACL) is a set of sequential rules. These rules are described based on
the source address, destination address, and port number of a packet. Routers use the ACL rules
to filter packets. With the rule applied to the interface on a router, the router permits or denies
the packets.
Each ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,
and advanced ACL based on the functions of ACL rules.
NOTE
TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).
Procedure
Step 1 Run:
system-view
Procedure
l
Run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]
Procedure
l
Run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
Prerequisite
Configurations of using the device as a TFTP client are complete.
Procedure
l
Run the display tftp-client command to check the device address that is set to the source
address of the TFTP client.
Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<Huawei> display tftp-client
Info: The source address of TFTP client is 1.1.1.1.
Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is configured
on the TFTP client.
<Huawei> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
rule 5 permit
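The ACL description above (sequential rules, basic ACLs numbered 2000 to 2999, matching on the source address, and the step of 5 visible in the display acl output) maps onto a small evaluator. The following Python class is an added example and not the router's ACL implementation; it enforces the basic ACL number range, numbers rules by the step, matches with VRP-style wildcard masks where a 1 bit means "don't care", and renders the result in the shape of the display acl output above. The sample ACL 2001 and its rules are constructed, and the default action when no rule matches (deny) is an assumption of this example.

```python
import ipaddress
from typing import List, Optional, Tuple

BASIC_ACL_NUMBERS = range(2000, 3000)   # basic ACLs, the only kind TFTP accepts


class BasicAcl:
    """A basic ACL: numbered rules matched on the packet source address only.
    Rules are checked in ascending rule-number order and the first match wins.
    A rule added without a number gets (highest number so far + step), which is
    why the first rule of an ACL with step 5 is shown as 'rule 5'."""

    def __init__(self, number: int, step: int = 5):
        if number not in BASIC_ACL_NUMBERS:
            raise ValueError(f"acl {number} is not a basic ACL (2000-2999)")
        self.number = number
        self.step = step
        self.rules: List[Tuple[int, str, int, int]] = []   # (id, action, net, mask)

    def rule(self, action: str, source: Optional[str] = None,
             wildcard: str = "0.0.0.0", rule_id: Optional[int] = None) -> int:
        """Add a rule; `source` None means 'any source' (a bare permit/deny)."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            rule_id = max((r[0] for r in self.rules), default=0) + self.step
        if source is None:
            net, mask = 0, 0
        else:
            # Wildcard semantics: a 1 bit in the wildcard means 'do not care',
            # so the bits actually compared are the inverse of the wildcard.
            mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
            net = int(ipaddress.IPv4Address(source)) & mask
        self.rules.append((rule_id, action, net, mask))
        self.rules.sort(key=lambda r: r[0])
        return rule_id

    def evaluate(self, source_ip: str, default: str = "deny") -> str:
        """Action of the first matching rule; `default` (assumed here to be
        deny) applies when no rule matches."""
        addr = int(ipaddress.IPv4Address(source_ip))
        for _, action, net, mask in self.rules:
            if addr & mask == net:
                return action
        return default

    def display(self) -> List[str]:
        """Render the ACL in the style of the display acl output above."""
        lines = [f"Basic acl {self.number}, {len(self.rules)} rules,",
                 f"Acl's step is {self.step}"]
        for rule_id, action, net, mask in self.rules:
            if mask == 0:
                lines.append(f"rule {rule_id} {action}")
            else:
                wc = ipaddress.IPv4Address((~mask) & 0xFFFFFFFF)
                lines.append(f"rule {rule_id} {action} source {ipaddress.IPv4Address(net)} {wc}")
        return lines


def build_sample_acl() -> BasicAcl:
    """Constructed ACL 2001: only the 10.1.1.0/24 management subnet is
    permitted; a catch-all second rule denies everything else explicitly."""
    acl = BasicAcl(2001)
    acl.rule("permit", source="10.1.1.0", wildcard="0.0.0.255")
    acl.rule("deny")
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    print("\n".join(acl.display()))
    for ip in ("10.1.1.7", "10.2.0.1"):
        print(f"{ip}: {acl.evaluate(ip)}")
```

The explicit catch-all deny at the end is deliberate: it makes the ACL's behaviour independent of whatever the platform's implicit default is, which is the property you want when the ACL decides which peers a file-transfer client may talk to.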
Applicable Environment
Before transmitting files between a client and a remote FTP server, or managing directories of
the server, you can configure the router that you have logged in to as an FTP client. Then, you
can access the FTP server by using FTP for file transmission or directory management.
Pre-configuration Tasks
Before establishing the configuration task of accessing files on another device by using FTP,
complete the following tasks:
- Configuring a reachable route between the router and the FTP server
Data Preparation
To establish the configuration task of accessing files on another device by using FTP, you need
the following data:
Data:
- Host name or IP address of the FTP server, port number of connecting FTP, login
username and password
- Local file name and file name on the remote FTP server, working directory name of
the remote FTP server, local working directory of the FTP client, or directory name
of the remote FTP server
Prerequisite
An IP address is configured for an interface on the router and functions as the source IP address
of an FTP connection. In this manner, security checks can be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Configuring a source interface is possible only if the system has a loopback interface.
Procedure
Step 1 Run:
system-view
Then, run the display ftp-client command on the router to view the current configuration of the FTP client.
----End
Context
You can log in to the FTP server in the user view or the FTP view.
Do as follows on the router that serves as the client:
Procedure
l
2. Run:
open [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ vpn-instance vpn-instance-name ]
Before logging in to the FTP server, you can run the set net-manager vpn-instance command to
configure a default VPN instance. After that, the default VPN instance is used in the FTP operation.
----End
Context
After logging in to the FTP server, you can perform the following operations:
- Configure a data type for transmission files and a file transmission method.
- Check the online help about FTP commands in the FTP client view.
- Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
- Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.
After logging in to the router that functions as a client and entering the FTP client view, you can
perform the following steps:
Procedure
FTP supports the ASCII type and the binary type. Their differences are as follows:
- In ASCII transmission mode, ASCII characters are used to separate carriage returns from
line feeds.
- In binary transmission mode, characters can be transferred without format conversion or
formatting.
The selection of the FTP transmission mode is client-customized. The system defaults to the
ASCII transmission mode. The client can use a mode switch command to switch between the
ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary
mode is used to transmit binary files.
Run:
passive
Run:
verbose
The FTP file is downloaded from the FTP server and saved to the local file.
l
The working path of the FTP server is switched to the upper-level directory.
Run:
pwd
- The directory to be created can comprise letters and digits, but not special characters such as
<, >, ?, \ and :.
- When running the mkdir /abc command, you create a sub-directory named "abc".
If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
Run:
dir [ remote-filename ] [ local-filename ]
Context
From the AR2200 (an FTP client) that you have logged in to, you can log in to the FTP server
by using another username without logging out of the FTP client view. The established FTP
connection is identical with that established by running the ftp command.
Perform the following steps on the router that functions as a client:
Procedure
l
Run:
user user-name [ password ]
The user that has logged in to the FTP server is changed, and the new user logs in to the server.
When the username that is used to log in to the FTP server is changed, the original
connection between the user and the FTP server is interrupted.
----End
Context
You can select different commands to terminate the connection with the FTP server in the FTP
client view.
Do as follows on the router that serves as the client.
Procedure
Or,
quit
Or,
disconnect
Prerequisite
The configurations of accessing other devices by using FTP are complete.
Procedure
Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
<Huawei> display ftp-client
Info: The source address of FTP client is 1.1.1.1.
Applicable Environment
SFTP (SSH File Transfer Protocol) is a secure file transfer protocol that runs over SSH. It lets users log in to a remote device securely for file management and transfer: the session is authenticated and the data is encrypted in transit, which FTP and TFTP do not provide. In addition, you can log in to a remote SSH server from the router that functions as an SFTP client.
Pre-configuration Tasks
Before establishing the configuration task of accessing files on another device by using SFTP,
complete the following tasks:
Data Preparation
To access files on another device by using SFTP, you need the following data:
- (Optional) Source address of the device that functions as the SFTP client
- (Optional) Public key that is assigned by the client to the SSH server
- Number of the port monitored by the SSH server
- Preferred encryption algorithm from the SFTP client to the SSH server
- Preferred encryption algorithm from the SSH server to the SFTP client
- Preferred HMAC algorithm from the SFTP client to the SSH server
- Preferred HMAC algorithm from the SSH server to the SFTP client
- Preferred key exchange algorithm
- Name of the outgoing interface
- Source address
- The user information for logging in to the SSH server
Context
An IP address configured on an interface of the router is used as the source IP address of the SFTP connection, so that the SSH server sees the client at a fixed source address and can apply source-based access checks to it.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as an SFTP client.
Procedure
Step 1 Run:
system-view
Context
If first-time authentication is enabled on the SSH client, the SFTP client does not check the validity of the server's RSA public key when it logs in to the SSH server for the first time. After that login, the client saves the RSA public key the server presented and uses it to authenticate the server at subsequent logins. This is trust on first use: it protects later sessions against a changed key, but the first connection is only as trustworthy as the network path at that moment, so on untrusted networks prefer assigning the server's public key in advance (see the TIP below).
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
- The purpose of enabling first-time authentication on the SSH client is to skip the validity check of the SSH server's RSA public key when the SFTP (or STelnet) client logs in to the SSH server for the first time. The check is skipped because the client has not yet saved the RSA public key of the SSH server.
- If first-time authentication is not enabled on the SSH client, the client fails the RSA public key validity check when it logs in to the SSH server for the first time and cannot log in.
TIP
To ensure that the client can log in to the SSH server at the first attempt without relying on first-time authentication, assign the RSA public key of the SSH server on the SSH client in advance. This also removes the window in which a server key is accepted unverified.
----End
Context
If first-time authentication is not enabled on the SSH client, the SFTP client fails the RSA public key validity check when it logs in to the SSH server for the first time and cannot log in, unless the server's public key has been assigned on the client in advance as described below.
Do as follows on the router functioning as an SSH client:
Procedure
Step 1 Run:
system-view
Before being assigned to the SSH server, the peer RSA public key must be obtained from the SSH server through a trusted channel and configured on the SSH client. The SFTP client then passes the validity check on the RSA public key of the SSH server.
Step 5 Run:
public-key-code end
peer-public-key end
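The two procedures above (enabling first-time authentication, and pre-assigning the server's public key) are the two ways the SSH client decides whether to trust the host key a server presents. The following Python model is added here as an illustration; it is not code from the AR2200 or from Huawei. It shows the decision logic: with first-time authentication disabled, an unknown server is rejected; with it enabled, the first key seen is stored and any later change of key is rejected; pre-assigning the key removes the need to trust the first connection at all. The server address 10.164.39.222 is taken from the examples later on this page; the key blobs are constructed byte strings standing in for the server's RSA public key, and the fingerprint format follows the OpenSSH SHA256 presentation rather than anything the device displays.

```python
"""Host-key trust decisions modelled on 'ssh client first-time enable' and
'rsa peer-public-key'. Added example; the key blobs below are constructed."""
import base64
import hashlib
from typing import Dict, List


def fingerprint(pubkey_blob: bytes) -> str:
    """SHA-256 fingerprint of a public-key blob, in the OpenSSH 'SHA256:<base64>' style."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyStore:
    """Per-client record of server address -> trusted key fingerprint."""

    def __init__(self, first_time_enable: bool = False) -> None:
        # Equivalent of the 'ssh client first-time enable' switch on the client.
        self.first_time_enable = first_time_enable
        self._trusted: Dict[str, str] = {}

    def assign_peer_key(self, server: str, pubkey_blob: bytes) -> None:
        """Pre-assign the server's key, as 'rsa peer-public-key' does on the device.
        The blob must come from the server out of band, not over the connection
        that is about to be verified."""
        self._trusted[server] = fingerprint(pubkey_blob)

    def check(self, server: str, presented_blob: bytes) -> str:
        """Decide whether to continue a login given the key the server just presented."""
        presented = fingerprint(presented_blob)
        trusted = self._trusted.get(server)
        if trusted is None:
            if not self.first_time_enable:
                # No stored key and first-time authentication disabled: login fails.
                return "rejected-unknown-server"
            # Trust on first use: remember whatever key was presented this time.
            self._trusted[server] = presented
            return "accepted-first-time"
        if trusted == presented:
            return "accepted"
        # Stored key differs from the presented one: the server changed keys,
        # or someone else answers on this address. Never auto-replace the key here.
        return "rejected-key-mismatch"


# Constructed stand-ins for RSA public-key blobs (not real keys).
SERVER_KEY = b"ssh-rsa constructed-key-material-of-the-real-server"
OTHER_KEY = b"ssh-rsa constructed-key-material-of-a-different-host"
SERVER = "10.164.39.222"


def demo() -> List[str]:
    """Run the three client configurations against the same server."""
    results = []
    strict = HostKeyStore(first_time_enable=False)
    results.append(strict.check(SERVER, SERVER_KEY))   # rejected-unknown-server

    tofu = HostKeyStore(first_time_enable=True)
    results.append(tofu.check(SERVER, SERVER_KEY))     # accepted-first-time
    results.append(tofu.check(SERVER, SERVER_KEY))     # accepted
    results.append(tofu.check(SERVER, OTHER_KEY))      # rejected-key-mismatch

    pinned = HostKeyStore(first_time_enable=False)
    pinned.assign_peer_key(SERVER, SERVER_KEY)
    results.append(pinned.check(SERVER, SERVER_KEY))   # accepted
    results.append(pinned.check(SERVER, OTHER_KEY))    # rejected-key-mismatch
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The model compares fingerprints where the device compares the stored key itself; the outcome is the same. The third configuration in demo() is the one the TIP above recommends: the key is assigned before the first login, so no connection is ever accepted unverified.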
Context
The command for enabling the SFTP client is similar to that for STelnet. When accessing the SSH server, the SFTP client can carry the source address and the VPN instance name, choose the key exchange, encryption and HMAC algorithms, and configure the keepalive function.
Do as follows on the router that serves as an SSH client.
Procedure
Step 1 Run:
system-view
Context
After logging in to the SSH server from the SFTP client, you can perform the following
operations on the SFTP client:
- Create or delete a directory on the SSH server, and display the current working directory, the specified directory and information about the files in the specified directory.
- Change a file name, delete a file, display a file list, and upload or download a file.
After logging in to the router that functions as an SSH client and entering the SFTP client view,
you can perform the following steps:
Procedure
Prerequisite
The configuration of accessing files on another device by using SFTP is complete.
Procedure
Run the display sftp-client command to check the source IP address of the SFTP client on
the SSH client.
----End
Example
Run the display sftp-client command on the client to view the source parameters of the device
functioning as an SFTP client.
<Huawei> display sftp-client
Info: The source address of SFTP client is 1.1.1.1
Networking Requirements
As shown in Figure 8-8, Router A and Router B can ping each other successfully. A user logs
in to Router B from Router A using Telnet.
Figure 8-8 Networking diagram for configuring Telnet services: RouterA (GE1/0/0, 1.1.1.1/24) connected to RouterB (GE1/0/0, 1.1.1.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. On Router B, configure the authentication mode and password for VTY0 to VTY4.
2. Configure users to use passwords to log in to Router B from Router A using Telnet.
3. Configure a Telnet server port number on Router B to ensure that users log in through this port only.
Data Preparation
To complete the configuration, you need the following data:
- User level 15
Procedure
Step 1 Configure IP addresses.
# Configure Router A.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] quit
# Configure Router B.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
Step 2 Configure the authentication mode and password for Telnet services on Router B.
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
[RouterB-ui-vty0-4] set authentication password simple hello
[RouterB-ui-vty0-4] quit
To configure an ACL for Telnet services, run the following commands on Router B.
[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound
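The ACL bound to the VTY lines above restricts which source addresses may even open a Telnet session; the password check happens only afterwards. The following Python model is added here as an illustration and is not code from the AR2200 or from Huawei. It shows how a basic ACL rule with a wildcard mask is matched against a connecting source address, including the implicit deny for addresses that match no rule (assumed here to be the behaviour of an ACL bound to user-interface vty, which is the point of restricting logins to 1.1.1.1). ACL 2000 is taken from the page; ACL_MGMT and the sample source addresses are constructed. Note what the ACL does not do: Telnet carries the password and everything typed in cleartext, which is why the STelnet examples later on this page are the preferred login method.

```python
"""Basic ACL matching as applied with 'acl 2000 inbound' on the VTY lines.
Added example, not device code; default-deny for non-matching sources is an assumption."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str, str]   # (action, source, wildcard)


def _as_int(addr: str) -> int:
    """Convert dotted-quad text to an integer. A bare number such as '0' is the
    CLI shorthand for 0.0.0.0 (the wildcard meaning 'exact host')."""
    if "." not in addr:
        return int(addr)
    return int(ipaddress.IPv4Address(addr))


def source_matches(source_ip: str, rule_source: str, wildcard: str) -> bool:
    """Huawei wildcard masks are the inverse of subnet masks: a 1 bit means
    'do not care'. Compare only the bits the wildcard leaves as 0."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(source_ip) & care) == (_as_int(rule_source) & care)


def vty_login_decision(rules: List[Rule], source_ip: str) -> str:
    """Evaluate rules in listed order; the first matching rule decides.
    A source that matches no rule is denied (assumed behaviour for an ACL
    bound to user-interface vty)."""
    for action, rule_source, wildcard in rules:
        if source_matches(source_ip, rule_source, wildcard):
            return action
    return "deny"


# The page's ACL 2000: 'rule permit source 1.1.1.1 0'
ACL_2000: List[Rule] = [("permit", "1.1.1.1", "0")]

# A constructed variant: admit a management /24 except one host. Order matters,
# the host-specific deny must precede the broader permit.
ACL_MGMT: List[Rule] = [
    ("deny", "10.0.0.13", "0"),
    ("permit", "10.0.0.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for src in ("1.1.1.1", "1.1.1.2", "10.0.0.13"):
        print(f"ACL 2000  {src:12} -> {vty_login_decision(ACL_2000, src)}")
    for src in ("10.0.0.7", "10.0.0.13", "10.0.1.7"):
        print(f"ACL mgmt  {src:12} -> {vty_login_decision(ACL_MGMT, src)}")
```

With ACL 2000 only RouterA's 1.1.1.1 is admitted; any other source, including a host on the same /24, is refused before it is ever asked for the password. Source-based filtering is only as strong as the trust in the source address, so it complements, rather than replaces, the move to SSH.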
>>User password:
Huawei Integrated Access SoftwareAR.
Copyright(C) Huawei Technologies Co., Ltd. 2010-2011. All rights reserved.
<RouterB>
Step 5 Use the port number 1028 to log in to Router B from Router A using Telnet.
<RouterA> telnet 1.1.1.2 1028
Press CTRL_] to quit telnet mode
Trying 1.1.1.2 ...
Connected to 1.1.1.2 ...
User Access Verification
>>User password:
Huawei Integrated Access SoftwareAR.
Copyright(C) Huawei Technologies Co., Ltd. 2010-2011. All rights reserved.
<RouterB>
----End
Configuration Files
Networking Requirements
As shown in Figure 8-9, RouterB fails and users can only log in to it through the console port.
Only users in VPN instance vpna are allowed to log in to RouterB. There is a reachable route
between vpna and RouterA.
Connect the console port of RouterB to an asynchronous serial interface of RouterA, enable the
redirection function on RouterA, and associate the redirection function with vpna. The users in
vpna can use a specified port number to log in to RouterB.
Figure 8-9 Networking diagram for redirection configuration: a PC in vpna reaches RouterA over the network (GE0/0/1, 10.1.1.1/24, bound to vpna); the asynchronous serial interface of RouterA (labelled Async2/0/1 in the figure) is connected to the console port of RouterB, and the PC's session is redirected over it.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the asynchronous serial interface to work in flow mode.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface async 5/0/1
[RouterA-Async5/0/1] async mode flow
Step 2 Obtain the TTY user interface number corresponding to the asynchronous serial interface.
[RouterA] display user-interface
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     15    -           N     -
  41   TTY 41   9600       -     0     -           N     5/0/0
F 42   TTY 42   9600       -     0     -           N     5/0/1
  43   TTY 43   9600       -     0     -           N     5/0/2
  44   TTY 44   9600       -     0     -           N     5/0/3
  45   TTY 45   9600       -     0     -           N     5/0/4
  46   TTY 46   9600       -     0     -           N     5/0/5
  47   TTY 47   9600       -     0     -           N     5/0/6
  48   TTY 48   9600       -     0     -           N     5/0/7
       VTY 0    -          -     15    -           N     -
       VTY 1    -          -     15    -           N     -
       VTY 2    -          -     15    -           N     -
       VTY 3    -          -     15    -           N     -
       VTY 4    -          -     15    -           N     -
       VTY 16   -          -     0     -           P     -
       VTY 17   -          -     0     -           P     -
       VTY 18   -          -     0     -           P     -
       VTY 19   -          -     0     -           P     -
       VTY 20   -          -     0     -           P     -
  F : Current UI is active and works in async mode.
The interface Async5/0/1 configured in Step 1 corresponds to TTY 42.
Step 3 Enable the redirection function on RouterA and associate the redirection function with the VPN
instance vpna.
[RouterA] user-interface tty 42
[RouterA-ui-tty42] undo shell
[RouterA-ui-tty42] redirect enable
[RouterA-ui-tty42] redirect binding vpn-instance vpna
[RouterA-ui-tty42] quit
[RouterA] quit
NOTE
If the redirection function is not associated with the VPN instance to which the private users belong, all
users on public and private networks can log in to RouterB.
Step 4 Check the port number allocated to the TTY user interface.
<RouterA> display tcp status
TCPCB    Tid/Soid  Local Add:port         Foreign Add:port     VPNID  State
19fde824 9 /2      0.0.0.0:22             0.0.0.0:0            23553  Listening
19fde6c0 9 /1      0.0.0.0:23             0.0.0.0:0            23553  Listening
19fde130 109/1     0.0.0.0:80             0.0.0.0:0            23553  Listening
19fdef18 9 /4      0.0.0.0:2042           0.0.0.0:0            23553  Listening
19fde55c 7 /1      0.0.0.0:7547           0.0.0.0:0            0      Listening
19fdf07c 9 /9      10.137.217.211:23      10.138.77.61:2567    0      Established
19fdf344 9 /10     10.137.217.211:23      10.138.77.69:2824    0      Time_Wait
The listener on port 2042 (2000 plus the TTY number 42) is the redirection port for TTY 42; users in vpna reach the console of RouterB by connecting to this port on RouterA.
----End
Configuration Files
extcommunity
#
interface Async5/0/1
async mode flow
#
interface GigabitEthernet 0/0/1
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
user-interface tty 42
undo shell
redirect enable
redirect binding vpn-instance vpna
#
return
Networking Requirements
As shown in Figure 8-10, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode.
Configure two login clients:
- Configure Client001 with the password huawei and adopt password authentication.
- Configure Client002 to use RSA authentication and assign the public key RsaKey001 to Client002.
Figure 8-10: SSH Server (GE1/0/0, 10.164.39.222/24); Client001 (GE1/0/0, 10.164.39.220/24); Client002 (GE1/0/0, 10.164.39.221/24)
Configuration Roadmap
The configuration roadmap is as follows:
2. Generate the local key pairs on the STelnet client and the SSH server respectively.
3. Configure the RSA public key of the SSH client on the SSH server (RsaKey001) and bind it to the user Client002.
5. Users Client001 and Client002 log in to the SSH server through STelnet.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Generate a local key pair on the SSH server. The transcript below accepts 768 bits; in practice choose the largest modulus the prompt allows (2048 bits), because 512-bit and 768-bit RSA moduli have been publicly factored and give no real protection.
<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
[SSH Server] aaa
[SSH Server] ssh
Step 4 Bind the RSA public key of the SSH client to Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
# Log in to the SSH server from Client001 in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
Enter the password huawei. The following information indicates that the login succeeds.
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>
client002                 rsa                    RsaKey001
-------------------------------------------------------------------------------
----End
Configuration Files
Networking Requirements
As shown in Figure 8-11, the IP address of the TFTP server is 10.111.16.160/24.
Log in to the router from the HyperTerminal and then download the file ar.cc from the TFTP
server.
Figure 8-11 Networking diagram of configuring TFTP: the PC (HyperTerminal) is connected to the router, which acts as the TFTP client; the TFTP server is at 10.111.16.160/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the ar.cc file resides. Figure 8-12 shows the interface.
NOTE
The display may be different depending on different TFTP server applications run in the computer.
Step 2 Log in to the router from the computer HyperTerminal and enter the following command to
download the file.
<Huawei> tftp 10.111.16.160 get ar.cc sd1:/
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
69143936 bytes received in 42734 second.
TFTP: Downloading the file successfully.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the router.
<Huawei> dir sd1:/
Directory of sd1:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-      1,738,816  Mar 28 2011  17:00:24   web.zip
    1  -rw-            396  Feb 11 2008  14:34:17   rsa_host_key.efs
    2  -rw-            540  Feb 11 2008  14:35:10   rsa_server_key.efs
    3  -rw-          1,498  Apr 01 2011  09:49:37   iascfg.zip
    4  -rw-        525,337  Apr 01 2011  09:50:00   private-data.txt
    5  -rw-          1,215  Mar 26 2011  11:32:27   iascfg_autobackup.zip
    6  -rw-      1,703,936  Feb 27 2008  10:00:10   ar_smk2.cc
    7  drw-              -  Mar 07 2008  15:44:46   dd
    8  -rw-     69,143,936  Mar 28 2008  07:34:54   ar.cc
    9  -rw-          8,996  Apr 07 2008  14:56:24   1.cap
   10  -rw-          5,602  May 27 2011  13:59:31   ab.cap
   11  -rw-            220  Mar 28 2011  16:51:16   elab.txt
   12  -rw-          1,686  Mar 28 2011  17:04:53   lic_ar.dat
Step 4 Log in to the router from the computer HyperTerminal and enter the following command to
upload the file.
----End
8.8.5 Example for Connecting the SFTP Client to the SSH Server
In this example, local key pairs are generated on the SFTP client and the SSH server respectively; the RSA public key of the SFTP client is configured on the SSH server and bound to the SFTP client's user. In this manner, the SFTP client can connect to the SSH server.
Networking Requirements
As shown in Figure 8-13, after the SFTP service is enabled on the SSH server, the SFTP Client
can log in to the SSH server with the password, RSA, password-rsa, or all authentication.
Figure 8-13 Networking diagram of connecting the SFTP client to the SSH server: SSH Server (GE1/0/0, 10.164.39.222/24); Client001 (GE1/0/0, 10.164.39.220/24); Client002 (GE1/0/0, 10.164.39.221/24)
Configuration Roadmap
The configuration roadmap is as follows:
2. Generate the local key pairs on the SFTP client and the SSH server.
3. Configure the RSA public key of the SSH client on the SSH server and bind it to the user Client002.
5. Configure the service mode and authorization directory for the SSH user.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Generate a local key pair on the SSH server.
<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
[SSH Server] aaa
[SSH Server] ssh
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
=====================================================
Time of Key pair created: 2007-12-29 16:20:05+08:00
Key name: Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
Step 4 Bind the RSA public key of the SSH client to Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
:1.99
:60 seconds
:0 hours
:3 times
:Enable
----End
Configuration Files
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
local-user client001 ftp-directory flash:
local-user client002 ftp-directory flash:
#
sftp server enable
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Networking Requirements
When a RADIUS user connects to an SSH server, the SSH server sends the user name and password of the SSH client to the RADIUS server (compatible with the TACACS server) for authentication.
The RADIUS server authenticates the user and sends the result (passed or failed) back to the
SSH server. If the authentication is successful, the user level is sent along with the result. The
SSH server determines whether the SSH client is allowed to set up a connection according to
the authentication result.
Figure 8-14 shows the networking diagram.
Figure 8-14: SSH Client, SSH Server, and Radius Server (10.164.6.49/24)
Configuration Roadmap
The configuration roadmap is as follows:
4. Generate the local key pair on the STelnet client and the SSH server respectively.
5. Generate the local key pair on the SFTP client and the SSH server.
6. Configure the RSA public key of the SSH client on the SSH server and bind it to the user ssh2@ssh.com.
8. Configure the service mode and authorization directory of the SSH user.
9. Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and SFTP respectively.
Data Preparation
To complete the configuration, you need the following data:
- RADIUS authentication
RADIUS authentication
Procedure
Step 1 Generate a local key pair on the SSH server.
<Huawei> system-view
[Huawei] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
# Create users ssh1@ssh.com and ssh2@ssh.com on the SSH server and set the authentication
mode.
[Huawei] aaa
[Huawei-aaa] local-user ssh1@ssh.com password cipher huawei
[Huawei-aaa] local-user ssh2@ssh.com password cipher huawei
[Huawei-aaa] quit
# Specify the RADIUS server at 10.164.6.49 as the RADIUS authentication server and set the authentication port number to 1812.
[Huawei-radius-ssh] radius-server authentication 10.164.6.49 1812
# Enable initial authentication on the SSH client if it logs in for the first time.
[client] ssh client first-time enable
[client] quit
# Log in to the SSH server from the STelnet client in RADIUS authentication mode.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username: ssh1@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei. The following information indicates that the login succeeds.
Info: The max number of VTY users is 10, and the current number of VTY users on line is 2.
<Huawei>
# Log in to the SSH server from the SFTP client in RADIUS authentication mode.
<client> system-view
[client] sftp 10.164.39.222
Please input the username: ssh2@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
sftp-client>
----End
Configuration Files
Configuration file of the SSH server
#
radius-server template ssh
radius-server authentication 10.164.6.49 1812
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
authentication-scheme newscheme
authentication-mode radius
#
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
sftp server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh2@ssh.com assign rsa-key RsaKey001
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Patch operations and states (flowchart recovered as text): a patch file is obtained by remote downloading or local downloading. The patch status is None before the patch is uploaded and run, and Running afterwards; deleting the patch returns the status to None. The flowchart also lists two restart options, immediate restart and scheduled restart.
Applicable Environment
Before activating a GTL license file, check that the GTL license file is suffixed with .dat. After obtaining a GTL license file, open it in a text editor and check that the ESN recorded in the file is the same as the ESN of the MPU.
NOTE
A GTL license file has two versions, namely, Demo and Comm.
Version  Period of Validity          Reservation Period
COMM     As defined in a contract
DEMO
The reservation period refers to the number of days for which you can continue to use a function
after the relevant license expires. The system prompts you with a message in the reservation
period. If you intend to continue to use the GTL license file, apply for a new GTL license.
Pre-configuration Tasks
Before activating a GTL license file, complete the following tasks:
Data Preparation
To activate a GTL license file, you need the following data.
Context
Before uploading a GTL license file, run the dir command to check the remaining space of the
storage media on the device. Make sure that there is enough space in the storage media to store
the GTL license file.
Procedure
Step 1 Run:
dir device-name
- A user who uses the GTL license for the first time must buy the GTL license from Huawei, and then load the GTL license file to the main control board.
- A user who wants to upgrade the GTL license needs to run the license revoke command to obtain an invalidation code, and then apply to Huawei for a new GTL license by using the invalidation code. The user also needs to load the new GTL license file to the main control board.
----End
Context
Before activating the GTL license, run the dir *.dat command to verify that the license file has been loaded to the USB flash drive, SD card, or flash memory.
Procedure
- If you use the GTL license for the first time, buy the GTL license file from Huawei and run:
license active file-name
- If you are upgrading an existing GTL license:
1. Run:
license revoke
Apply to Huawei for a new GTL license by using the invalidation code.
2. Run:
license active file-name
Context
The Emergency state of a GTL license module can be enabled on the router in any of the
following situations:
- The GTL license file of the Comm version has been activated and is in the Normal state.
- The GTL license file of the Demo version has been activated and is in the Demo state.
The Emergency state can be enabled again only on the last day of the previous enabling operation.
Procedure
Step 1 Run:
license emergency
----End
Prerequisite
The configurations of activating the GTL license file are complete.
Procedure
Run the display license command to check information about the GTL license file on the
master and slave MPUs.
Run the display license state command to check the license type.
----End
Example
<Huawei> display license
Active License on master board: flash:/LIC_ON77076_A6D2CE1AEC3_AR.dat
Active license      : flash:/LIC_ON77076_A6D2CE1AEC3_AR.dat
License state       : Demo
Revoke ticket       : No ticket
Product name        : AR
Product version     : V200R001
License file ESN    : AR00050123456789,AR00060123456789,AR00070123456789,AR00080123456789
License Serial No   : LIC20110309010210
Creator             : Huawei Technologies Co., Ltd.
Created Time        : 2011-03-09 19:36:14
Country             : China
Custom              : R&D of Huawei Technologies Co., Ltd.
Office              : Shenzhen
Feature name        : ACCESS
Authorize type      : DEMO
Expired date        : 2011-06-07
Trial days          : 60
Item name           : LLE0IPPBX01
Item type           : Function
Control value       : 1
Used value          : 1
Item state          : Normal
Item expired date   : 2011-06-07
Item trial days     : 60
Description         : LLE0IPPBX01
Applicable Environment
Before upgrading system software, you can select resource files as needed.
NOTE
Obtain the new system software and relevant documents for the upgrade from Huawei.
Refer to the related Upgrade Guide officially released by Huawei when upgrading a device, because
system software versions differ in different types of products.
Enable the logging function to record all operations during the upgrade. This facilitates fault analysis
and location in case of an upgrade failure.
If the device is restarted due to improper resource file configurations, the device will automatically
roll the resource file back to the source version after the device has been restarted.
Pre-configuration Tasks
Before upgrading system software, complete the following task:
- Making sure that the router to be upgraded is working properly, and logging in to the router successfully
Data Preparation
To upgrade system software, you need the following data:
- (Optional) New system software, configuration files, PAF file, license file, and patch file
Procedure
Step 1 Prepare hardware as needed, for example, clear memory space to store new system software and
related upgrade files.
Step 2 Check whether a new GTL license file needs to be applied for. If it is needed, obtain it from
Huawei.
NOTE
- A new GTL license needs to be applied for when a device is upgraded to a new R version or V version.
- The obtained new GTL license file must be consistent with the system software.
To view GTL license-controlled features, use the Text Editor to open the GTL license file. The
contents in the Resource and Function fields are the resource and function items controlled by
the GTL license file.
Step 3 Obtain software required for the upgrade. The new system software (.cc file) and relevant
documents for the upgrade must be obtained from Huawei.
Step 4 In the user view, run the display version command to view the current system software. If the current system software is the same as or later than the new system software, the upgrade is not needed.
Step 5 Run the following commands to check the device operation status:
Run the display memory-usage command in the user view to check the memory usage of MPUs
to ensure that the MPUs are working properly.
Run the display health command in the user view and record the command output. If you cannot
locate faults that have occurred during the upgrade, provide the information to Huawei technical
personnel for troubleshooting.
Step 6 Set up an environment where software upgrade can be performed by means of TFTP or FTP.
This helps to back up the original resource files before the upgrade and upload the new resource
files required for the upgrade.
When the system software is upgraded by means of FTP:
- If the device to be upgraded functions as a client and a PC functions as a server, you need to install FTP server software on the PC. You need to purchase and install the FTP server software yourself, because the device is not shipped with such software.
- If the device to be upgraded functions as a server and a PC functions as a client, you do not need to install FTP server software on the PC. By default, the FTP server function on the device to be upgraded is disabled. To enable the function, run the ftp server enable command.
When the system software is upgraded by means of TFTP, the device to be upgraded can only
function as a client and does not provide the TFTP server function. In this case, you must install
the TFTP server software on the PC.
Step 7 Back up the important data stored in the storage media on the device to be upgraded.
Step 8 Check the remaining space of the storage media to make sure that there is enough space to store
the new system software and related upgrade files.
----End
Context
You can download resource files to the router by using the serial port of a computer or the
Ethernet port of the router.
This section describes how to download resource files to the router using the serial port.
Procedure
Step 1 Log in to the router from the console port. For details, see 1.2 Logging In to the Device Through
the Console Port or Mini USB Port.
Step 2 Restart the router. Press Ctrl+B to enter the BootROM menu when the following information
is displayed.
Sep 16 2011,17:14:28
Copying Data : Done
Uncompressing : Done
Initializing SMI Bus:OK
Init flash, please wait......
Base Address: 0xfffffffffc000000
Size is: 0x20000000OK
flash drv init.
Initializing FlashPiece Module:
FlashPiece start offset at: 0x300000
FlashPiece size is: 0x100000
Initializing FlashDynamic Module:
FlashDynamic start offset at: 0x400000
FlashDynamic size is: 0x200000
Initializing I2C Bus:OK
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc
EHCI Controller found.
Waiting to attach to USBD...0xbfffdf0 (tRootTask): usb1_base = 0xbff22000Done.
0xbfffdf0 (tRootTask): usbBulkDevInit() returned OK
Press Ctrl+B to break auto startup ... Attached TCP/IP interface to teth1.
NOTE
l If a password is configured, you must enter the password after pressing Ctrl+B to display the BootROM
menu (the default password is huawei).
l You can change the password under the BootROM menu. Make a note of your password and keep it
in a safe place. The password cannot be restored if it is lost.
Default Startup
Serial Menu
Network Menu
Startup Select
File Manager
Reboot
Set the FTP type, resource file name, management interface address, FTP server address, and
FTP user name and password.
NOTE
Step 5 After the system returns to the network menu, select choice 4 to download the specified resource
file from the local FTP server.
NetWork Menu
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
Enter your choice(1-10): 4
The device uses the flash and sd1 as the default setting. sd1 is the built-in SD card of the device. Other
storage media, such as USB flash drives, are displayed only after they are installed.
Context
Before specifying the system software to be used at the next startup, perform the following
operations:
Upload the system software to the master and slave MPUs. For details, see the contents of
uploading and downloading files in Performing File Operations by Using FTP Commands.
Make sure that the storage media on the MPUs have sufficient space to store the system software.
NOTE
Verify the system software to be uploaded by checking its size and date.
Procedure
Step 1 In the user view, run:
startup system-software system-file
The system software to be used at the next startup is specified for the MPU.
Step 2 (Optional) If the upgraded system software needs a corresponding patch file, perform the
following operations:
l Run:
startup patch file-name
A patch file to be used at the next startup is specified for the MPU.
Step 3 (Optional) Run:
startup saved-configuration configuration-file
The configuration file to be used at the next startup is specified for the MPUs.
Step 4 (Optional) Run:
startup license file-name
The license file to be used at the next startup is specified for the MPU.
----End
Context
If the storage device where the startup software package is stored is damaged, you can use the
backup software package to make the system start.
NOTE
l The file name extension of the system software package must be .cc and the package must be stored
in the root directory.
l The backup startup software package can be the same as or different from the current startup software
package, but it can be used to make the system start.
Procedure
Step 1 Run:
startup system-software filename backup
The backup startup software package is specified.
----End
Context
After the system software is upgraded successfully, you need to manually upgrade the BootROM
of the 2FE and 1GEC.
NOTE
Run the display device command to check whether the device is configured with the successfully registered
2FE or 1GEC.
Procedure
Step 1 Run:
upgrade slot slot-id startup bootrom
Context
During the upgrade, the device must be restarted in the following situations:
l The system software and configuration file to be used at the next startup have been specified.
CAUTION
Before restarting the router, run the save command to save the current configuration file.
The router restarts with the specified startup files. If the specified startup files are damaged, the
router restarts with the backup startup files. If the router fails to restart with the backup startup
files, it searches for valid startup files on the storage devices in the sequence "Flash memory -> SD
card -> USB flash drive." When the router finds valid system software packages and
configuration files on a storage device, it selects a rollback version within 24 minutes and
restarts with the selected version. If the router does not find valid system software and a
configuration file, it stops at the BootROM menu.
Procedure
Context
Before activating the GTL license, run the dir command to verify that the license file has been
loaded to the storage device (Flash memory, SD card, or USB flash drive).
Procedure
l Run:
license active file-name
The GTL license file is activated, and the license-controlled features on the device can be
used.
----End
Prerequisite
The configurations of upgrading system software are complete.
Procedure
l Run the display patch-information command to check information about all patches.
l Run the display startup command to check that the values of the "Startup system software"
and "Startup saved-configuration file" fields in the command output are the needed ones.
----End
Example
After the patch is installed, run the display patch-information command. You can view the
patch status on each board.
<Huawei> display patch-information
Patch version    : ARV200R001C00SPH100
Patch packet name: sd1:/patch_lic2.pat
Run the display startup command. You can view the names of the system software and the
configuration file used at the startup. For example:
<Huawei> display startup
MainBoard:
Startup system software                : sd1:/ar0215_31345_1220.cc
Next startup system software           : sd1:/ar0215_31345_1220.cc
Backup system software for next startup: null
Startup saved-configuration file       : sd1:/iascfg.zip
Next startup saved-configuration file  : sd1:/iascfg.zip
Startup license file                   : null
Next startup license file              : null
Startup patch package                  : null
Next startup patch package             : null
Startup voice-files                    : null
Next startup voice-files               : null
Applicable Environment
During patch installation, the patch is installed onto the MPU and all LPUs.
You can use either of the following methods to install patches:
l Installing a patch file immediately: The patch file takes effect after a command is used to
run the patch file, without having to restart the device. For details, see Installing a
Patch.
l Specifying a patch file to be used at the next startup: The patch file takes effect after the
device is restarted.
Pre-configuration Tasks
Before managing patches, complete the following tasks:
Data Preparation
To manage patches, you need the following data.
No. Data
Patch file
Context
Only one patch file can be run in the system at a time. Therefore, run the display patch-information
command before patch installation to check information about all patches, including the
running patches. If the command output shows that there is a running patch file in the system,
delete the running patch file.
In addition, perform the following operations before patch installation:
l Upload a patch file to the master MPU. For details, see the contents of uploading and
downloading files in Performing File Operations by Using FTP Commands.
Procedure
Step 1 Enter the user view.
Step 2 Run:
patch load patchname all run
l The patch load patchname all run command can activate only one patch file each time.
l Each patch is developed incrementally based on the earlier version. If the incremental patch
patchB.pat is activated when the system is running the earlier version patchA.pat, patchB.pat takes
effect. To run patchA.pat again, run the patch delete all command to delete patches in the system,
and load and activate patchA.pat. Alternatively, run the startup patch command to specify
patchA.pat as the next startup patch, and then restart the device to make patchA.pat effective.
----End
Context
Before specifying a patch file to be used at the next startup, the following tasks must be
completed:
l Upload the specified patch file to the storage medium on the master MPU. For details, see
the contents of uploading and downloading files in Performing File Operations by Using
FTP Commands.
Procedure
Step 1 In the user view, run:
startup patch file-name
The patch file (*.pat) to be used at the next startup is specified for the master and slave MPUs.
----End
Follow-up Procedure
After the patch file to be used at the next startup has been specified, run the display startup
command to view the value of the "Next startup patch package" field on the MPUs.
Context
Only one patch file can be run in the system during patch installation. Therefore, delete the
running patch file from the patch area before loading and running a new patch file.
Procedure
Step 1 Enter the user view.
Step 2 Run:
patch delete all
Follow-up Procedure
After patch files have been deleted, run the following command to verify the configuration.
Prerequisite
The configurations of patch installation are complete.
Procedure
l Run the display patch-information command to check information about all patches.
----End
Example
After a patch has been installed, run the display patch-information command. You can view
the patch status on each board.
<Huawei> display patch-information
Patch version    : ARV200R001C00SPH100
Patch packet name: sd1:/patch_lic2.pat
Applicable Environment
The CPU and memory are key parts of a device. A large amount of routing information or fast route
algorithms in the system consume a large share of CPU resources, affecting system
performance. As a result, the device is unable to process data in time, a lot of packets may be
lost, or the system may break down. All of these bring an incalculable loss to customers.
If alarms of high CPU and memory usage can be generated during data processing on the
router, the CPU and memory usage can be effectively monitored, and the system performance
can be optimized. This also allows the system to work properly.
Pre-configuration Tasks
Before setting CPU and memory usage thresholds, complete the following task:
Data Preparation
To set CPU and memory usage thresholds, you need the following data.
No. Data
CPU usage thresholds, including an alarm threshold and a clear alarm threshold
Context
Two CPU usage thresholds are set:
l Alarm threshold: indicates that the system generates an alarm when the CPU usage reaches
the alarm threshold.
l Clear alarm threshold: indicates that the alarm is cleared when the CPU usage falls below
the clear alarm threshold.
Procedure
Step 1 Run:
system-view
An alarm threshold and a clear alarm threshold are set for the CPU usage on an MPU or an LPU
in a specified slot.
NOTE
By default, the alarm threshold of CPU usage is 80%, and the clear alarm threshold of CPU usage is 75%.
----End
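The two-threshold behaviour described above (alarm raised when usage reaches the alarm threshold, cleared only when it falls below the lower clear threshold) is easy to misread, so here is an added example, not Huawei code, that replays constructed CPU usage samples against the guide's default values of 80% and 75% and reports each state change. The requirement that the clear threshold be lower than the alarm threshold is a sanity check imposed by this example.

```python
"""Model the CPU-usage alarm and clear-alarm thresholds (added example, not device code)."""

DEFAULT_ALARM = 80   # default alarm threshold given in the guide (%)
DEFAULT_CLEAR = 75   # default clear alarm threshold given in the guide (%)


def validate_thresholds(alarm, clear):
    """Sanity check used by this example: both values are percentages and
    the clear threshold is below the alarm threshold, so no single reading
    can satisfy the raise and the clear condition at the same time."""
    for value in (alarm, clear):
        if not 0 <= value <= 100:
            raise ValueError("threshold out of range: %r" % value)
    if clear >= alarm:
        raise ValueError("clear threshold must be lower than alarm threshold")


def replay(samples, alarm=DEFAULT_ALARM, clear=DEFAULT_CLEAR):
    """Return [(index, usage, event), ...] for every alarm state change.

    The alarm is raised when usage reaches the alarm threshold and cleared
    only when usage falls below the clear threshold; readings between the
    two thresholds leave the current state unchanged (hysteresis)."""
    validate_thresholds(alarm, clear)
    events = []
    alarmed = False
    for index, usage in enumerate(samples):
        if not alarmed and usage >= alarm:
            alarmed = True
            events.append((index, usage, "ALARM"))
        elif alarmed and usage < clear:
            alarmed = False
            events.append((index, usage, "CLEAR"))
    return events


def count_alarms(samples, alarm, clear):
    """Number of times the alarm would be raised for the given thresholds;
    a narrow gap between the thresholds makes a noisy load flap."""
    return sum(1 for _, _, event in replay(samples, alarm, clear) if event == "ALARM")


# Constructed sample: a burst that hovers between the two thresholds.
SAMPLES = [40, 60, 79, 80, 85, 78, 76, 74, 90, 70]

if __name__ == "__main__":
    for index, usage, event in replay(SAMPLES):
        print("sample %d: usage %d%% -> %s" % (index, usage, event))
    print("alarms with 80/75:", count_alarms([80, 78, 80, 78, 80], 80, 75))
    print("alarms with 80/79:", count_alarms([80, 78, 80, 78, 80], 80, 79))
```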
Context
Alarm threshold of memory usage: indicates that the system generates an alarm when the
memory usage reaches the alarm threshold.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of CPU and memory usage are complete.
Procedure
l Run the display cpu-usage [ configuration ] [ slot slot-id ] command to check CPU usage.
----End
Applicable Environment
After the system software of the router is upgraded, the router must be restarted to make the
configuration take effect. To prevent the system from breaking down due to a large number of
temporary files, the router also must be restarted.
The AR2200 provides two methods of restarting the router:
l Immediate restart
l Scheduled restart
Pre-configuration Tasks
Before restarting the router, complete the following tasks:
l Making sure that the local and remote connections are working properly
Data Preparation
To restart the router, you need the following data.
No. Data
Context
CAUTION
Running the reboot command is not recommended, because this will interrupt network services
in a short period. Before restarting the router, choose whether to save the configuration file of
the router.
Procedure
l Run:
reboot [ fast ]
Context
Do as follows on the router that needs to restart as scheduled:
Procedure
Step 1 Run:
schedule reboot at exact-time
The router is configured to restart as scheduled, and the restart time is set.
Step 2 Run:
schedule reboot delay interval
The router is configured to restart as scheduled, and the wait time before the restart is set.
You can choose either Step 1 or Step 2 to configure the router to restart as scheduled. If you
need to perform other operations before the device restart, perform Step 2 to set the wait time
before the restart.
By default, the function of configuring a device to restart as scheduled is disabled.
----End
Prerequisite
The configurations of restarting the router as scheduled are complete.
Procedure
l Run the display schedule reboot command to check the parameters set for the scheduled
restart of the router.
----End
Example
# View the configuration of the router restart, with the restart time at 00:00.
<Huawei> display schedule reboot
Info:System will reboot at 00:00:00 2009/07/01 (in 12 hours and 33 minutes).
# View the configuration of the router restart, with the wait time of 12 hours before the restart.
<Huawei> display schedule reboot
Info:System will reboot at 23:27:14 2009/06/30 (in 11 hours and 59 minutes).
Networking Requirements
The current system software needs to be upgraded if it cannot provide additional features or
larger specifications required by customers.
As shown in Figure 9-2, the system software of the device cannot meet the customer's requirements and
needs to be upgraded. Huawei has provided related upgrade files for the customer to perform a
software upgrade on the device.
Figure 9-2 Networking diagram for upgrading system software (figure not reproduced; labels: device GE2/0/0 10.1.1.1/24, FTP Server; PC 10.1.1.2/24; PE; MPLS Core)
Precautions
l The key data in the storage medium on the device must be backed up to the PC.
l The remaining space of the storage media must be checked to make sure that there is enough
space to store new system software.
Configuration Roadmap
The configuration roadmap is as follows:
1. Specify FTP as the mode of uploading the system software, the device as the FTP server,
user1 as the user name, and huawei as the user password.
2. Specify the system software and configuration file to be used at the next startup.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
l System software version before the upgrade, which is V200R001C00_ch.cc in this example
Procedure
Step 1 Upload the new system software.
# Configure the device as an FTP server.
<Huawei> system-view
[Huawei] sysname HuaWei
[HuaWei] ftp server enable
Info: Succeeded in starting the FTP server.
[HuaWei] aaa
[HuaWei-aaa] local-user user1 password simple huawei
info: A new user added
[HuaWei-aaa] local-user user1 service-type ftp
[HuaWei-aaa] local-user user1 ftp-directory sd1:/
[HuaWei-aaa] quit
[HuaWei] quit
After the preceding configurations are complete, run the display local-user command to check
information about the user.
<HuaWei> display local-user
----------------------------------------------------------------------------
User-name              State   AuthMask   AdminLevel
----------------------------------------------------------------------------
user1                  A       H
user2                  A       A
----------------------------------------------------------------------------
Total 2 user(s)
# On the PC, specify the binary format as the file transfer mode, and c:\temp as the working
directory.
NOTE
Store the uploaded file in the specified directory (C:\temp in this example). Choose Start >
Run and enter cmd. Then, press Enter. Enter FTP 10.1.1.1. At the prompt of "user", enter the
user name. At the prompt of "password", enter the password. The following configurations are
displayed:
C:\Documents and Settings\Administrator> ftp 10.1.1.1
Connect to 10.1.1.1.
220 FTP server ready.
User <10.1.1.1:<none>>:user1
331 Please specify the password.
Password:
230 User logged in.
Specify a directory and a file transfer mode on the FTP client to store the uploaded file.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now c:\temp.
# On the PC, upload the new system software (*.cc) to the device.
ftp> put V200R001C00_ch.cc
200 Port command okay.
226 Transfer complete.
Step 2 Specify the system software and configuration file to be used at the next startup.
# Specify the system software to be used at the next startup.
<HuaWei> startup system-software sd1:/V200R001C00_ch.cc
This operation will take several minutes, please wait..........
Info: Succeeded in setting the file for booting system
# View the system software and configuration file to be used at the next startup, and check that
the system software is the specified one.
<HuaWei> display startup
MainBoard:
Startup system software                : sd1:/V200R001C00_ch.cc
Next startup system software           : sd1:/V200R001C00_ch.cc
Backup system software for next startup: null
Startup saved-configuration file       : sd1:/iascfg.zip
Next startup saved-configuration file  : sd1:/aa.cfg
Startup license file                   : null
Next startup license file              : null
Startup patch package                  : null
Next startup patch package             : null
Startup voice-files                    : null
Next startup voice-files               : null
PCB Version         MAB Version   Board Type   CPLD1 Version   CPLD2 Version   BootROM Version
AR01SDSA2A VER.A    0             1SA          0               0               906
----End
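Verifying the next-startup files by eye in the display startup output (as in Step 2 above and in the earlier "Checking the Configuration" example) is error-prone when many devices are upgraded, so here is an added example, not Huawei code, that parses the "Label : value" lines of that output and checks that the next-startup system software is the file the upgrade specified, has the .cc extension and sits in the root directory of a storage medium, as the guide requires. The sample output is constructed from the format shown in this guide, and the list of storage medium names is an assumption of this example.

```python
"""Parse `display startup` output and check the next-startup files (added example, not Huawei code)."""
import re

# Constructed sample laid out as the guide prints it.
SAMPLE_OUTPUT = """\
<HuaWei> display startup
MainBoard:
Startup system software                : sd1:/V200R001C00_ch.cc
Next startup system software           : sd1:/V200R001C00_ch.cc
Backup system software for next startup: null
Startup saved-configuration file       : sd1:/iascfg.zip
Next startup saved-configuration file  : sd1:/aa.cfg
Startup license file                   : null
Next startup license file              : null
Startup patch package                  : null
Next startup patch package             : null
Startup voice-files                    : null
Next startup voice-files               : null
"""

# "Label : value"; the label may contain spaces and hyphens, the value has no spaces.
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<val>\S+)\s*$")

# Storage medium prefixes accepted by this example (assumption, matching the
# Flash memory / SD card / USB flash drive named in the guide).
MEDIA = ("flash", "sd1", "usb")


def parse_display_startup(text):
    """Return {label: value}; a value of 'null' is mapped to None.
    The prompt line and the bare 'MainBoard:' line carry no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            value = match.group("val")
            fields[match.group("key")] = None if value == "null" else value
    return fields


def check_startup_file(path, extension):
    """Problems with one startup path; an empty list means it looks right.
    Rules taken from the guide: the package must carry the expected extension
    (.cc for system software) and be stored in the root directory."""
    if path is None:
        return ["not set"]
    problems = []
    medium, sep, name = path.partition(":/")
    if not sep or medium not in MEDIA:
        problems.append("not on a known storage medium: %s" % path)
    if "/" in name:
        problems.append("not in the root directory: %s" % path)
    if not name.lower().endswith(extension):
        problems.append("unexpected extension (want %s): %s" % (extension, path))
    return problems


def verify_next_startup(text, expected_software):
    """Compare the parsed output with the file specified by startup system-software."""
    fields = parse_display_startup(text)
    nxt = fields.get("Next startup system software")
    problems = check_startup_file(nxt, ".cc")
    if nxt is not None and nxt != expected_software:
        problems.append("next startup software is %s, expected %s" % (nxt, expected_software))
    return problems
```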
Networking Requirements
The device performance needs to be optimized without affecting the use of the current version
on the device.
As shown in Figure 9-3, the performance of the device needs to be optimized. Huawei has
provided a patch file for the customer to install.
Figure 9-3 Networking diagram for installing a patch file (figure not reproduced; labels: device GE2/0/0 10.1.1.1/24, FTP Server; PC 10.1.1.2/24; PE; MPLS Core)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l Patch file storage path on the master MPU, which is sd1 in this example
Procedure
Step 1 Upload the patch file mapping the current system software.
# Upload the patch file mapping the current system software to the device from the PC.
ftp> put SPH-1.1.952.pat
200 Port command okay.
226 Transfer complete.
----End