V800R002C01
Issue 01
Date 2011-10-15
HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Intended Audience
This document describes the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the Basic Configurations feature supported by the
NE5000E device.
This document is intended for:
l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol / Description
(tip icon): Indicates a tip that may help you solve a problem or save time.
Convention / Description
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
4 Transferring Files
4.1 File Transfer Overview
4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E
4.3 Operating Files After Logging In to the System
4.3.1 Managing Directories
4.3.2 Managing Files
4.4 Using FTP to Operate Files
4.4.1 Configuring a Local FTP User
4.4.2 (Optional) Changing the Listening Port Number of the FTP Server
4.4.3 Enabling the FTP Server Function
4.4.4 (Optional) Configuring FTP Server Parameters
4.4.5 (Optional) Configuring FTP Access Control
4.4.6 Using FTP to Access the System
4.4.7 Using FTP to Operate Files
4.4.8 Checking the Configuration
4.5 Using SFTP to Operate Files
4.5.1 Configuring an SSH User and Specifying the Service Type
4.5.2 Enabling the SFTP Server Function
4.5.3 (Optional) Configuring SFTP Server Parameters
4.5.4 Using SFTP to Access the System
4.5.5 Using SFTP to Operate Files
4.5.6 Checking the Configuration
4.6 Configuration Examples
4.6.1 Example for Operating Files After Logging In to the System
4.6.2 Example for Using FTP to Operate Files
7 Device Upgrade
7.1 Overview of Device Upgrade
7.2 Upgrade Modes Supported by the NE5000E
8 Patch Installation
8.1 Overview
8.2 Patch Installation Modes Supported by the NE5000E
9 Configuration Management
9.1 Introduction to Configuration Management
9.2 Configuration Management Features that the NE5000E Supports
9.3 Selecting a Configuration Validation Mode
9.3.1 Configuring Immediate Configuration Validation Mode
9.3.2 Configuring Two-Phase Configuration Validation Mode
9.4 Managing Configuration Files
9.4.1 Saving Configurations
9.4.2 Comparing Configuration Files
9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup
9.4.4 Clearing the System Configuration File Loaded at the Current Startup
9.4.5 Checking the Configuration
9.5 Configuration Examples
9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode
9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode
9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode
9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode
9.5.6 Example for Managing Configuration Files
To configure a new device, log in to it through the console port.
The console port is a serial port on the main control board. Each main control board provides
one console port that conforms to the EIA/TIA-232 (RS-232) standard. The console port is a data
circuit-terminating equipment (DCE) interface. Connect a serial port of a terminal or PC directly to
the console port to configure the device.
Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the
router to configure and manage the router.
Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
Configuration Procedures
(Flowchart of the configuration procedure, distinguishing mandatory and optional procedures.)
Context
Set the serial-port attributes of the PC to match the attributes configured for the console port on
the router: transmission rate, data bits, parity bit, stop bits, and flow control mode. When the
router is logged in to for the first time, the console user interface still uses its default values, so
use the same default values on the PC.
Procedure
Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) on the PC to establish a
connection. Follow the instructions as shown in Figure 1-3 and click OK.
Step 2 Set the COM port. Follow the instructions as shown in Figure 1-4 and click OK.
Step 3 Set communication parameters for the COM port to the default values of the router, as shown
in Figure 1-5 and click OK.
A command prompt such as <HUAWEI> appears, the user view is displayed, and you can start
configuring the HUAWEI device.
In the user view, configure the device or check its operating status, or enter a question mark (?)
for online help.
In the example outputs later in this document, the console user interface shows Auth N (no
authentication). Once the first login succeeds, configure an authentication mode for the console
user interface, as described in the console user interface configuration tasks, before the device is
left in service.
----End
When a user logs in to the router through the console port or using Telnet or Secure Shell (SSH),
the system uses a corresponding user interface to manage and monitor the session between the
router and the user.
Users can log in to a device to configure, monitor, and maintain local or remote network devices
only after user interfaces, user management, and terminal services are configured. User
interfaces provide the login entrance. User management ensures login security. Terminal
services offer login protocols.
Each user interface has a corresponding user interface view. A network administrator can
configure a set of parameters in a user interface view to determine whether authentication is
required and the level of logged in users. This allows uniform management of various user
sessions.
NOTE
A user who logs in using different login modes is allocated different user interfaces. A user who logs in
several times in the same way may also be allocated a different user interface each time.
l Relative numbering
The relative numbering uniquely specifies a user interface or a group of user interfaces of
the same type.
The numbering format is user interface type + number, adhering to the following rules:
Console port numbering: CON0.
VTY user interface numbering: The first VTY is 0, the second VTY is 1, and so on.
l Absolute numbering
The absolute numbering uniquely specifies a user interface or a group of user interfaces.
The number starts with 0, increasing by 1. The console port is numbered before VTY user
interfaces.
The device provides 20 console user interfaces and 18 VTY user interfaces. You can run the
user-interface maximum-vty command in the system view to set the maximum number of VTY
user interfaces. The default value is 5.
Table 2-1 shows the default absolute numbers of the console and VTY user interfaces: CON0 has
absolute number 0, and numbers 1 to 32 are reserved for TTY user interfaces.
l No-authentication: Users can log in to the device without entering user names or passwords.
This mode is insecure and is not recommended.
l Password authentication: Users need to enter a password but no user name for login. The
password is shared by everyone who uses the user interface, so it gives no per-user
accountability.
l AAA authentication: Users must enter both user names and passwords for login. If either
the user name or the password is incorrect, the login fails. Telnet users are usually authenticated
in AAA mode.
The level of commands that a user can use is determined by the user level.
Applicable Environment
If you need to log in to a device through the console port for local maintenance, configure the
console user interface, including the physical attributes, terminal attributes, user priority, and
user authentication mode. Configure parameters based on the user and security requirements.
Pre-configuration Tasks
Before configuring the console user interface, complete the following task:
l Logging In to the router Through the Console Port
Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
Context
When a user logs in to a device through the console port, the physical attributes set on the
HyperTerminal for the console port must match the attributes of the console user interface on
the device. Otherwise, the user cannot log in to the device.
Procedure
Step 1 Run:
system-view
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
Step 8 Run:
commit
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface console ui-number
Step 3 Run:
shell
Step 4 Run:
idle-timeout minutes [ seconds ]
Step 5 Run:
screen-length screen-length
Step 6 Run:
screen-width screen-width
----End
2.2.3 Configuring the User Priority for the Console User Interface
You can set user priorities for user interfaces to manage users based on their levels. This section
describes how to set the user priority for the console user interface.
Context
User levels correspond to command levels. After logging in, a user can run commands at the
user's own level or lower.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface console ui-number
Step 3 Run:
user privilege level level
NOTE
If the user priority configured for the user interface conflicts with the level configured for the user account,
the level configured for the user takes precedence.
For example, user 001 can use commands at level 3, and the user level configured in the user interface
view Console 0 is 2. After user 001 logs in through Console 0, the user can use commands at level 3 or
lower.
Step 4 Run:
commit
----End
Procedure
l Configure AAA authentication.
1. Run:
system-view
If the password is in the form of simple, the password is entered and stored in plain text.
If the password is in the form of cipher, the password can be entered either as ciphertext or in
plain text, and the stored form depends on what is entered.
7. Run:
commit
l Configure password authentication.
4. Run:
set authentication password { cipher | simple } password
If the password is in the form of simple, the password is entered and stored in plain text, and it
appears in plain text in the configuration file (see the Configuration Files sections).
If the password is in the form of cipher, the password can be entered either as ciphertext or in
plain text, and the stored form depends on what is entered. Use cipher so that the line password
is not exposed in the configuration file.
5. Run:
commit
l Configure no authentication (not recommended; see the authentication modes above).
No-authentication is set.
4. Run:
commit
----End
Prerequisite
The configurations of the console user interface are complete.
Procedure
l Run the display users [ all ] command to check user login information about user interfaces.
l Run the display user-interface console 0 command to check physical attributes and
configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check information about logged-in users.
----End
Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00 TEL    10.164.6.15         pass            no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified
Run the display user-interface console 0 command to view physical attributes and
configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600     -     3     -           N     -
  1    CON 0    9600     -     3     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username State Type Online
----------------------------------------------------------------------------
user123 Active All 0
ll Active F 0
user1 Active F 0
----------------------------------------------------------------------------
Total 3,3 printed
Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
-----------------------------------------
User-name domain-name userid
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
Authentication success : 2
Applicable Environment
If you need to log in to a device for local or remote configuration and maintenance by using
Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user
interfaces, limit on incoming and outgoing calls, terminal attributes, user priority, and user
authentication mode. Configure parameters based on the user and security requirements.
Pre-configuration Tasks
Before configuring VTY user interfaces, complete the following task:
Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
Context
The maximum number of VTY user interfaces is the total number of users that can be logged in
concurrently through Telnet and SSH.
CAUTION
If the maximum number of VTY user interfaces is set to zero on a device, no user can log in to
the device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface maximum-vty number
l If the new maximum is smaller than the current one, users who are already logged in are not
affected and no additional configuration is needed.
l If the new maximum is greater than the current one, configure the authentication mode and
password for the added user interfaces. The system uses password authentication for users
logging in through the newly added user interfaces.
For example, run the authentication-mode and set authentication password commands to
increase the number of allowed login users from 5 to 18. The password huawei is only a
placeholder in this example; set a strong password, or use AAA authentication so that each remote
user has an individual account.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] user-interface vty 5 17
[~HUAWEI-ui-vty5-17] authentication-mode password
[~HUAWEI-ui-vty5-17] set authentication password cipher huawei
Step 3 Run:
commit
----End
Context
An ACL can be configured to either allow or deny Telnet connections based on source or
destination IP addresses:
l A basic ACL, with number ranging from 2000 to 2999, controls Telnet connections based
on source IP addresses.
l An advanced ACL, with number ranging from 3000 to 3999, controls Telnet connections
based on both source and destination IP addresses.
Before configuring the limit on incoming and outgoing calls for VTY user interfaces, run the
acl command in the system view to create an ACL and enter the ACL view. Then, run the
rule command to add rules to the ACL.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
Step 3 Run:
acl acl-number { inbound | outbound }
The limit on incoming or outgoing calls is set for the VTY user interface.
l Choose inbound to allow or prohibit logins to this device from a specified IP address or
address range.
l Choose outbound to allow or prohibit users who are logged in to this device from logging in
to other devices.
Step 4 Run:
commit
----End
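The following added example (it is not NE5000E code) models how a basic ACL applied with acl inbound filters login attempts: rules are tried in order, the wildcard mask marks the address bits to ignore, and the first matching rule decides. It evaluates the page's own ACL (rule 5 deny source 10.1.1.1 0) and a constructed allowlist ACL against a few constructed client addresses. The allowlist, ACL number 2001, the client addresses and the "permit when no rule matches" default are assumptions, not taken from the page.

```python
"""Model of a basic ACL (2000-2999) applied to VTY user interfaces with
'acl <number> inbound'. Added example, not NE5000E code: it shows which
source addresses the ACL lets reach the login prompt.

Rules are tried in order and the first match decides. A wildcard bit of 1
means 'ignore this bit', so 'source 10.1.1.1 0' matches one host and
'source 10.1.1.0 0.0.0.255' matches the whole /24. The result when no rule
matches is an ASSUMPTION: 'permit' is used because the page's own example
denies a single host and leaves every other source able to log in; confirm
the platform default before relying on it."""
import ipaddress
import re

RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(?P<action>permit|deny)\s+source\s+"
    r"(?P<src>any|\d+(?:\.\d+){3})(?:\s+(?P<wild>\d+(?:\.\d+){3}|0))?$")


def parse_acl(text):
    """Return [(action, address_int, wildcard_int)] from 'rule ... source ...' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:  # 'acl number 2000', '#', descriptions: not rules
            continue
        if m.group("src") == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(m.group("src")))
            wild_txt = m.group("wild") or "0"  # VRP shorthand: 0 == 0.0.0.0 (exact host)
            wild = 0 if wild_txt == "0" else int(ipaddress.IPv4Address(wild_txt))
        rules.append((m.group("action"), addr, wild))
    return rules


def evaluate(rules, client_ip, no_match="permit"):
    """First matching rule wins; no_match is the assumed platform default."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for action, addr, wild in rules:
        if (ip & ~wild) == (addr & ~wild):  # compare only the bits the wildcard keeps
            return action
    return no_match


def admitted(acl_text, clients, no_match="permit"):
    """Map each client address to the decision the ACL would make for it."""
    rules = parse_acl(acl_text)
    return {c: evaluate(rules, c, no_match) for c in clients}


# ACL copied from the page: a denylist that blocks exactly one host.
PAGE_ACL = """\
acl number 2000
 rule 5 deny source 10.1.1.1 0
"""
# Constructed (not from the page): an allowlist that admits only the management
# subnet 192.0.2.0/24 and one jump host, then denies everything else.
ALLOWLIST_ACL = """\
acl number 2001
 rule 5 permit source 192.0.2.0 0.0.0.255
 rule 10 permit source 10.1.1.1 0
 rule 15 deny source any
"""
CLIENTS = ["10.1.1.1", "10.1.1.2", "192.0.2.77", "203.0.113.9"]  # constructed

if __name__ == "__main__":
    print("page ACL (denylist):", admitted(PAGE_ACL, CLIENTS))
    print("allowlist ACL:      ", admitted(ALLOWLIST_ACL, CLIENTS))
```

The denylist on the page keeps out only the one host it names; every other reachable address can still attempt a login. For management lines the allowlist form, a few permit rules followed by deny source any, is the one to apply, because it does not depend on the platform's no-match default at all.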
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
Step 3 Run:
shell
Step 4 Run:
idle-timeout minutes [ seconds ]
If no input is received on the connection for the whole timeout period, the system terminates
the connection automatically when the period expires.
Step 5 Run:
screen-length screen-length
Step 6 Run:
history-command max-size size-value
Step 7 Run:
commit
----End
Context
User levels correspond to command levels. After logging in, a user can run commands at the
user's own level or lower.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
Step 3 Run:
user privilege level level
By default, users logging in from a VTY user interface can use commands at level 0.
NOTE
If the user priority configured for the user interface conflicts with the level configured for the user account,
the level configured for the user takes precedence.
For example, a user can use commands at level 3, and the user level configured in the user interface view
VTY0 is 2. After the user logs in through VTY0, the user can use commands at level 3 or lower.
Step 4 Run:
commit
----End
Procedure
l Configure AAA authentication.
1. Run:
system-view
5. Run:
quit
If the password is in the form of simple, the password is entered and stored in plain text.
If the password is in the form of cipher, the password can be entered either as ciphertext or in
plain text, and the stored form depends on what is entered.
8. Run:
commit
l Configure password authentication.
If the password is in the form of simple, the password is entered and stored in plain text, and it
appears in plain text in the configuration file (see the Configuration Files sections). Use cipher
so that the line password is not exposed there.
If the password is in the form of cipher, the password can be entered either as ciphertext or in
plain text, and the stored form depends on what is entered.
5. Run:
commit
Prerequisite
The configuration of the VTY user interfaces is complete.
Procedure
l Run the display users [ all ] command to check user login information about user interfaces.
l Run the display user-interface maximum-vty command to check the configured
maximum number of VTY user interfaces.
l Run the display user-interface vty ui-number command to check physical attributes and
configuration of the user interface.
l Run the display local-user command to check the local user list.
l Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00 TEL    10.164.6.15         pass            no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified
Run the display user-interface maximum-vty command to view the configured maximum
number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty command to view the configured user interface information.
<HUAWEI> display user-interface vty
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0             -     15    15          N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
-----------------------------------------
User-name domain-name userid
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
Authentication success : 2
Run the display vty mode command to view the configured VTY mode. For example:
<HUAWEI> display vty mode
current VTY mode is Human-Machine interface
Networking Requirements
To initialize the configuration of a new device or to maintain the device locally, log in through
the console user interface. Set the attributes of the console user interface based on user and
security requirements.
Configuration Notes
By default, terminal services are enabled on all user interfaces. If terminal services have been
disabled, log in to the system through the console port and run the shell command in the user
interface view to re-enable them.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Set the user priority.
NOTE
The user name and password do not have default values. Other parameters have default values, which are
recommended.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure physical attributes for the console user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 4800
[~HUAWEI-ui-console0] flow-control none
[~HUAWEI-ui-console0] parity even
[~HUAWEI-ui-console0] stopbits 2
[~HUAWEI-ui-console0] databits 6
[~HUAWEI-ui-console0] commit
After the console user interface has been configured, users can log in to the device through the
console port in password authentication mode. For information about how to log in to the system
through the console port, see 3.2 Logging In to the System Through the Console Port.
After completing the configuration, run the display user-interface command to view the
configuration of Console 0.
<HUAWEI> display user-interface 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
+ 0    CON 0    9600     -     3     -           N     -
  +    : Current user-interface is active.
  F    : Current user-interface is active and work in async mode.
  Idx  : Absolute index of user-interface.
  Type : Type and relative index of user-interface.
  Privi: The privilege of user-interface.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of user-interface.
    A: Authenticate use AAA.
    N: Current user-interface need not authentication.
    P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
----End
Configuration Files
#
sysname HUAWEI
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
databits 6
parity even
stopbits 2
speed 4800
screen-length 30
#
admin
return
Networking Requirements
If you need to log in to a device for local or remote configuration and maintenance by using
Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user
interfaces, limit on incoming and outgoing calls, terminal attributes, user priority, and user
authentication mode. Configure parameters based on the user and security requirements.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l Maximum number of VTY user interfaces: 18
l Number of the ACL applied to limit incoming calls on the VTY user interface: 2000
l Timeout period of an idle connection: 30 minutes
l Number of lines displayed on a terminal screen: 30
l Buffer size for previously-used commands: 20
l User priority: 15
l User authentication mode: password (password is huawei)
NOTE
The ACL number for limiting incoming and outgoing calls in VTY user interfaces, password, and user name
do not have default values. Other parameters have default values, which are recommended.
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] commit
Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.
[~HUAWEI] acl 2000
[~HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[~HUAWEI-acl-basic-2000] quit
[~HUAWEI] user-interface vty 0 17
[~HUAWEI-ui-vty0-17] acl 2000 inbound
[~HUAWEI-ui-vty0-17] commit
Step 5 Configure the authentication mode and password for VTY user interfaces.
[~HUAWEI-ui-vty0-17] authentication-mode password
[~HUAWEI-ui-vty0-17] set authentication password simple huawei
[~HUAWEI-ui-vty0-17] commit
[~HUAWEI-ui-vty0-17] quit
After a VTY user interface is configured, a user can use Telnet or SSH to log in to the device in
password authentication mode to maintain the device locally or remotely. For information about
how to use Telnet or SSH to log in to a device, see 3.3 Logging In to the System by Using
Telnet or 3.4 Logging In to the System by Using STelnet.
Step 6 Verify the configuration.
After completing the configuration, run the display user-interface command to view the
configuration of the VTY user interfaces. Use VTY14 as an example:
[~HUAWEI] display user-interface vty 14
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth      Int
+ 34   VTY 14            -     15    15          password  -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
----End
Configuration Files
#
sysname HUAWEI
#
user-interface maximum-vty 18
#
acl number 2000
rule 5 deny source 10.1.1.1 0
#
user-interface vty 0 17
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
screen-length 30
acl 2000 inbound
#
admin
return
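As an added example (it is not Huawei's own tooling), the following Python script audits configuration text such as the two Configuration Files above for the weak settings this chapter discusses: line passwords stored with simple, the placeholder password huawei, authentication-mode none, one shared password that grants level 15 on every VTY, VTYs without an inbound ACL, and VTYs that exist under maximum-vty but are configured by no user-interface vty block. The block layout it parses (a bare # line ends a block) follows the files shown on the page; the finding codes, the weak-password list, the reading of idle-timeout 0 0 as "never time out" and the WEAK_VTY_CONFIG sample are assumptions or constructed input.

```python
"""Audit Huawei VRP-style configuration text for weak management-line settings.
Added example, not Huawei tooling: it reads the user-interface blocks of a
configuration file such as the ones in the Configuration Files sections and
returns the finding codes a reviewer would raise before exposing the device to
Telnet/SSH: no-auth, plaintext-password, weak-password, shared-password-priv15,
no-inbound-acl, no-idle-timeout (assumed VRP semantics) and vty-uncovered."""
import re
from dataclasses import dataclass, field

WEAK_PASSWORDS = {"huawei", "admin", "password", "123456"}  # illustrative list, not from the page


@dataclass
class UserInterface:
    kind: str  # "con" or "vty"
    first: int
    last: int
    lines: list = field(default_factory=list)


def parse_config(text):
    """Return (maximum-vty or None, [UserInterface]); a bare '#' line ends a block."""
    max_vty, uis, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None
            continue
        m = re.fullmatch(r"user-interface maximum-vty (\d+)", line)
        if m:
            max_vty, current = int(m.group(1)), None
            continue
        m = re.fullmatch(r"user-interface (con|console|vty) (\d+)(?: (\d+))?", line)
        if m:
            kind, first = ("vty" if m.group(1) == "vty" else "con"), int(m.group(2))
            current = UserInterface(kind, first, int(m.group(3) or first))
            uis.append(current)
            continue
        if current is not None:
            current.lines.append(line)
    return max_vty, uis


def audit(text):
    """Return [(user-interface name, finding code)] in the order the checks fire."""
    max_vty, uis = parse_config(text)
    findings, covered = [], set()
    for ui in uis:
        name = f"{ui.kind} {ui.first}" + ("" if ui.first == ui.last else f"-{ui.last}")
        auth, priv, has_acl = "password", 0, False  # page: new lines default to password auth
        for tok in (l.split() for l in ui.lines):
            if tok[0] == "authentication-mode":
                auth = tok[1]
            elif tok[:3] == ["user", "privilege", "level"]:
                priv = int(tok[3])
            elif tok[:4] == ["set", "authentication", "password", "simple"]:
                findings.append((name, "plaintext-password"))
                if tok[4].lower() in WEAK_PASSWORDS:
                    findings.append((name, "weak-password"))
            elif tok[0] == "acl" and tok[-1] == "inbound":
                has_acl = True
            elif tok[0] == "idle-timeout" and set(tok[1:]) == {"0"}:
                findings.append((name, "no-idle-timeout"))  # assumption: 0 0 disables the timer
        if auth == "none":
            findings.append((name, "no-auth"))
        if ui.kind == "vty":
            covered.update(range(ui.first, ui.last + 1))
            if auth == "password" and priv >= 15:
                findings.append((name, "shared-password-priv15"))
            if not has_acl:
                findings.append((name, "no-inbound-acl"))
    if max_vty is not None or covered:  # page: maximum-vty defaults to 5
        for n in range(5 if max_vty is None else max_vty):
            if n not in covered:
                findings.append((f"vty {n}", "vty-uncovered"))
    return findings


# The VTY configuration file shown on the page (Configuration Files), abridged.
PAGE_VTY_CONFIG = """\
#
user-interface maximum-vty 18
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface vty 0 17
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 acl 2000 inbound
"""
# Constructed (not from the page): the kind of VTY block an audit must catch.
WEAK_VTY_CONFIG = """\
user-interface maximum-vty 8
#
user-interface vty 0 4
 authentication-mode none
 user privilege level 15
 idle-timeout 0 0
#
"""
```

Run audit() over both Configuration Files on this page: each is flagged for a plaintext line password and for the vendor-name password, and the VTY file additionally for handing level 15 to every holder of that one shared password. The console file raises no VTY findings because it configures none. Extend WEAK_PASSWORDS and the checks to match your own policy; the parser is deliberately limited to the constructs visible in this chapter.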
A user can log in to a device by using the console port, Telnet, or SSH (STelnet) to maintain the
device locally or remotely.
Logging In to the System Through the Console Port: Users log in through the console port to
configure a device locally. This login mode is required when a device is powered on for the first
time.
Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login
and virtual terminal services. The NE5000E provides the following Telnet services:
l Telnet server: A user runs the Telnet client program on a PC to log in to the router to
configure and manage the router. The router functions as a Telnet server.
l Telnet client: After using the terminal emulator or Telnet client program on a PC to connect
to the router, a user runs the telnet command to log in to another device for configuration
and management. The router functions as a Telnet client. In Figure 3-1, the CE functions
as both a Telnet server and a Telnet client.
Figure 3-1 (PC, CE, PE): the PC runs a Telnet client; the CE is a Telnet server to the PC and a
Telnet client to the PE.
Figure 3-2 (P1, P2, P3): P1 logs in to P2 using Telnet, and P2 logs in to P3.
Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure
3-2, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the
Telnet client of P3. The usage of shortcut keys is described as follows:
Ctrl_]: Instructs the server to disconnect a Telnet connection.
If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server
interrupts the current Telnet connection.
For example, enter Ctrl_] on P3, and the P2 prompt is displayed; enter Ctrl_] again on P2, and the P1 prompt is displayed.
<P3> Ctrl_]
The connection was closed by the remote host.
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>
NOTE
CAUTION
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all user
interfaces are in use and no more Telnet connections are allowed.
STelnet Overview
NOTE
Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices running SSH2
can function as SSH clients. STelnet is based on SSH2. When the client and the server set up a secure
connection after negotiation, the client can log in to the server in the same way as using Telnet.
Logins using Telnet add security risks because Telnet does not provide any secure authentication
mechanism and data is transmitted using TCP in plain text. Telnet connections are vulnerable
to Denial of Service (DoS) attacks, IP address spoofing, and route spoofing.
SSH provides secure remote access on an insecure network by supporting the following
functions:
l Remote Subscriber Access (RSA) authentication: Public and private keys are generated
according to the encryption principle of the asymmetric encryption system to implement
secure key exchange and ensure a secure session.
l Data encryption standards: Data Encryption Standard (DES), 3DES, and Advanced
Encryption Standard (AES).
l User name and password encryption: This prevents the user name and password from being
intercepted during the communication between the client and the server.
l Encryption of transmitted data
A device serving as an SSH server can accept connection requests from multiple SSH clients.
The device can also serve as an SSH client, helping users establish SSH connections with an
SSH server. This allows users to use SSH to log in to remote devices from the local device.
l Local connection
As shown in Figure 3-3, an SSH channel is established for a local connection.
Figure 3-3 Networking diagram: a PC (or laptop) running an SSH client, connected over Ethernet 100BASE-TX and a WAN to the SSH router and server
Applicable Environment
A device can be logged in to only through the console port when the device is powered on for
the first time.
Pre-configuration Tasks
Before logging in to the system through the console port, complete the following tasks:
l Preparing a PC or a terminal, including a serial interface and an RS-232 cable
l Installing a terminal emulator on the PC, such as Windows XP HyperTerminal
Configuration Procedures
Context
If you need to log in to a device through the console port for local maintenance, configure the
console user interface, including the physical attributes, terminal attributes, user priority, and
user authentication mode. Configure parameters based on the use and security requirements.
For configurations of the console user interface, see Configuring the Console User
Interface.
Context
NOTE
l Communication parameters of the user terminal must be consistent with the physical attributes of the
console user interface on the device.
l After a user authentication mode is specified in the console user interface, a user can log in to the device
only after authentication succeeds. This enhances network security.
For information about logging in to the system through the console port, see Logging In to the
router Through the Console Port.
Prerequisite
Configurations of user login through the console port are complete.
Procedure
l Run the display users [ all ] command to check user login information about user interfaces.
l Run the display user-interface console 0 command to check physical attributes and
configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check information about logged-in users.
----End
Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0
Username : Unspecified
+ 258 VTY 0 00:00:00 TEL 10.164.6.15 pass no
Username : Unspecified 259 VTY 1
Username : Unspecified
Run the display user-interface console 0 command to view physical attributes and
configurations of the user interface.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username State Type Online
----------------------------------------------------------------------------
user123 Active All 0
ll Active F 0
user1 Active F 0
----------------------------------------------------------------------------
Total 3,3 printed
Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
-----------------------------------------
User-name domain-name userid
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
Authentication success : 2
Applicable Environment
If one or more devices need to be configured and managed, you do not need to connect each of
the devices to a terminal to maintain the devices locally. If you have obtained the IP address of
a device and logged in to the device before, you can use Telnet to log in to the device to remotely
configure the device. This allows you to maintain multiple devices on one terminal, greatly
facilitating device management.
NOTE
Pre-configuration Tasks
Before using Telnet to log in to the system, complete the following task:
Configuration Procedures
Context
The default user authentication mode for VTY user interfaces is password authentication. Before
using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user
interfaces. Otherwise, you cannot log in to the device.
NOTE
Authentication mode can be configured for VTY user interfaces by logging in to a device through the
console port.
For configurations about VTY user interfaces, see Configuring VTY User Interfaces.
Context
By default, a local user can use any access type. After the user access mode has been specified,
only users using the specified access mode can log in to the system.
Procedure
Step 1 Run:
system-view
----End
Procedure
l IPv4:
1. Run:
system-view
l If the undo telnet [ ipv6 ] server enable command is run to disable the Telnet server function
when there are users logging in by using Telnet, the command does not take effect.
l After the Telnet server function is disabled, established Telnet connections are not interrupted,
and no new Telnet connection is allowed. In this situation, users can log in to the system by using
SSH or through the console port.
----End
Context
By default, the listening port number of the Telnet server is 23. Users can log in to the router
without specifying the listening port number. Attackers may access the default listening port,
reducing available bandwidth, degrading the performance of the server, and preventing valid
users from accessing the server. After the listening port number of the Telnet server is changed,
attackers do not know the new listening port number. This effectively prevents attackers from
accessing the listening port.
Procedure
Step 1 Run:
system-view
----End
Context
If you need to log in to the system by using Telnet, use either the Windows Command Prompt
or third-party software on the terminal. Use the Windows Command Prompt as an example.
Do as follows on the PC:
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the telnet ip-address command to use Telnet to log in to the device.
1. Input the IP address of the Telnet server.
2. Press Enter, and the command prompt of the user view is displayed, such as
<HUAWEI>. This indicates that you have accessed the Telnet server.
----End
Prerequisite
The configurations of logging in to the system by using Telnet are complete.
Procedure
l Run the display users [ all ] command to check information about user interfaces.
l Run the display tcp status command to check established TCP connections.
l Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
34 VTY 0 00:00:12 TEL 1.1.1.1 no
Username : Unspecified
+ 35 VTY 1 00:00:00 TEL 1.1.1.2 no
Username : Unspecified
Run the display tcp status command to view TCP connections. Established in the command
output indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 LISTEN
34042c80 73 /17 10.1.1.1:23 10.2.2.2:1147 0 Established
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<HUAWEI> display telnet server status
Session 1:
Source ip address : 10.137.217.221
VTY Index : 14
Current number of sessions : 1
Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Login by using Telnet brings security
risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks such as IP address spoofing and plain text
password interception.
Pre-configuration Tasks
Before logging in to the system by using STelnet, complete the following task:
Configuration Procedures
Context
The default user authentication mode for VTY user interfaces is password authentication. Before
using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user
interfaces. Otherwise, you cannot log in to the device.
NOTE
Authentication mode can be configured for VTY user interfaces by logging in to a device through the
console port.
For configurations about VTY user interfaces, see Configuring VTY User Interfaces.
Context
By default, user interfaces support Telnet. If no user interface is enabled with SSH, users cannot
log in to the device by using STelnet.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
Step 3 Run:
authentication-mode aaa
Step 4 Run:
protocol inbound ssh
NOTE
Before configuring a user interface to support SSH, set the authentication mode of the user interface to
AAA. Otherwise, the protocol inbound ssh command does not take effect.
Step 5 Run:
commit
----End
Context
l SSH users can be authenticated in four modes: RSA, password, password-RSA, and All.
Password authentication depends on AAA. Before a user logs in to the device in password
or password-RSA authentication mode, a local user with the same user name must be
created in the AAA view.
l Configuring the system to generate a local RSA key pair is a key step for SSH login. If an
SSH user logs in to an SSH server in password authentication mode, configure the server
to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.
NOTE
Password-RSA authentication requires success of both password authentication and RSA authentication.
The All authentication mode requires success of either password authentication or RSA authentication.
Procedure
Step 1 Run:
system-view
NOTE
l The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-
related configuration.
l After the key pair is generated, run the display rsa local-key-pair public command to view information
about the public key in the local key pair.
Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
l In the public key edit view, only hexadecimal strings complying with the public key format can
be typed in. Each string is randomly generated on an SSH client. For detailed operations, see
manuals for SSH client software.
l After entering the public key edit view, paste the RSA public key generated on the client to the
server.
5. Run the public-key-code end command to exit from the public key edit view.
l Running the peer-public-key end command generates a key only after a valid hex-
data complying with the public key format is entered.
l If the peer-public-key end command is used after the key key-name specified in Step
b has been deleted in another window, the system displays a message indicating that the
key does not exist and returns to the system view.
6. Run the peer-public-key end command to return to the system view.
7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a
public key.
Step 5 (Optional) Configure basic authentication information for the SSH user.
1. Run the ssh server rekey-interval hours command to set an interval at which the key of
the server is updated.
By default, the interval is 0, indicating that the key is never updated.
2. Run the ssh server timeout seconds command to set the timeout period for SSH
authentication.
By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the retry times of SSH
authentication.
By default, SSH authentication retries a maximum of 3 times.
Step 6 Run:
ssh user username service-type { stelnet | sftp | all }
By default, the service type of an SSH user is none. That is, no service is supported.
Step 7 Run:
commit
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
stelnet server enable
After the STelnet server function is disabled, all STelnet clients are disconnected.
Step 3 Run:
commit
----End
Context
l The SSH protocol has the following versions: SSH1.X and SSH2.0. Compared with
SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key
exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP.
The NE5000E supports SSH whose version number ranges from 1.3 to 2.0.
l The default listening port number of an SSH server is 22. When the default listening port
number is used, users can directly log in to a device without specifying the listening port
number. Attackers may access the default listening port, consuming bandwidth, degrading
the performance of the server, and preventing valid users from accessing the server. After
the listening port number of the SSH server is changed, attackers do not know the new port
number. This effectively prevents attackers from accessing the listening port, improving
security.
l An interval at which the key pair of an SSH server is updated can be set. When the timer
expires, the key pair is automatically updated to improve security.
Procedure
Step 1 Run:
system-view
The listening port number of the SSH server is set.
By default, the listening port number is 22.
If a new listening port is set, the SSH server cuts off all established STelnet and SFTP
connections, and then uses the new port number to listen to connection requests.
Step 4 Run:
ssh server rekey-interval hours
The interval at which the key pair of the SSH server is updated is set.
By default, the interval is zero, indicating that the key pair will never be updated.
Step 5 Run:
commit
----End
Context
Third-party software can be used to implement an STelnet login. Use the third-party software
OpenSSH and Windows Command Prompt as an example.
After installing OpenSSH on a PC, do as follows on the PC:
NOTE
For details about how to install OpenSSH, see the software installation guide.
For details about how to use OpenSSH commands to log in to the device, see the software help document.
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run OpenSSH commands to log in to the device by using STelnet, as shown in Figure 3-10.
----End
Prerequisite
The configurations of logging in to the system by using STelnet are complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configuration.
l Run the display ssh server session command on the SSH server to check information about
sessions between the SSH server and SSH clients.
l Run the display ssh server statistics command on the SSH server to view information
about the total number of connections accepted, denied, closed and total online connections.
----End
Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<HUAWEI> display ssh user-information client001
------------------------------
User Name : client001
Authentication-Type : password
User-public-key-name : -
Sftp-directory : -
Service-type : stelnet
-----------------------------------
Total 1, 1 printed
If no SSH user is specified, information about all SSH users logging in to the SSH server is
displayed.
Run the display ssh server status command to view configuration of the SSH server.
<HUAWEI> display ssh server status
------------------------------------------
SSH Version : 1.99
SSH authentication timeout : 60 Seconds
SSH authentication retries : 3 Times
SSH server key generating interval : 0 Hours
SSH version 1.x compatibility : ENABLED
SSH server keep alive : DISABLED
SFTP server : DISABLED
STELNET server : DISABLED
SNETCONF server : DISABLED
SSH server port : 22
------------------------------------------------
Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<HUAWEI> display ssh server session
Session : 1
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password
Run the display ssh server statistics command to view the current statistics information of the
SSH server.
<HUAWEI> display ssh server statistics
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
----------------------------------------
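The denial counters in the `display ssh server statistics` output above are the server-side record of rejected SSH logins. As an added example (not from the Huawei guide), the following code parses two snapshots of that output and flags counters that grew past a threshold; the second snapshot and the thresholds are constructed for illustration.

```python
"""Added example (not from the Huawei guide): parse two snapshots of the
`display ssh server statistics` output and flag growth in the denial
counters between them. The second snapshot and thresholds are constructed.
"""
import re
from typing import Dict, List

# First snapshot: the output shown in the guide.
SNAPSHOT_T0 = """\
<HUAWEI> display ssh server statistics
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
----------------------------------------
"""

# Second snapshot, constructed: the same device some minutes later.
SNAPSHOT_T1 = """\
<HUAWEI> display ssh server statistics
----------------------------------
Total connection accepted : 2
Total connection denied by ACL : 9
Total connection denied by CLI : 0
Total connection denied by AAA : 48
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 4
----------------------------------------
"""

# "Total <counter name> : <value>"; the counter name keeps its spaces.
_COUNTER_RE = re.compile(r"^\s*(Total [A-Za-z ]+?)\s*:\s*(\d+)\s*$")

# This line is a gauge (current sessions), not a monotonically growing counter.
_GAUGES = {"Total online connection"}


def parse_ssh_statistics(output: str) -> Dict[str, int]:
    """Return {counter name: value} for every counter line in the output."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        match = _COUNTER_RE.match(line)
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase between two snapshots, gauges excluded.

    A counter that went down is treated as reset (for example by a reboot),
    so the whole new value counts as the increase.
    """
    deltas: Dict[str, int] = {}
    for name, new_value in after.items():
        if name in _GAUGES:
            continue
        old_value = before.get(name, 0)
        deltas[name] = new_value if new_value < old_value else new_value - old_value
    return deltas


def denial_alerts(before: Dict[str, int], after: Dict[str, int],
                  aaa_threshold: int = 20, acl_threshold: int = 5) -> List[str]:
    """Alerts for denial counters that grew by at least the threshold.

    AAA denials are failed logins against the user database; ACL denials are
    sources the VTY ACL rejected before authentication even started.
    """
    deltas = counter_deltas(before, after)
    alerts: List[str] = []
    aaa = deltas.get("Total connection denied by AAA", 0)
    acl = deltas.get("Total connection denied by ACL", 0)
    if aaa >= aaa_threshold:
        alerts.append(f"{aaa} SSH logins denied by AAA since last snapshot")
    if acl >= acl_threshold:
        alerts.append(f"{acl} SSH connections denied by ACL since last snapshot")
    return alerts
```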
Networking Requirements
If the default parameter values for the console user interface on the router are changed, the
parameters must be set accordingly on the user terminal before the next login through the console
port.
Figure 3-11 Networking diagram for login through the console port (PC connected to the router)
Configuration Roadmap
1. Connect a PC to the console port on the router.
2. Set parameters on the PC for login.
3. Log in to the router.
Data Preparation
Communication parameters of the PC (transmission rate: 4800 bps, data bits: 6, parity bit: even,
stop bits: 2, flow control mode: none).
Procedure
Step 1 Establish the configuration environment. Connect the serial interface on the user terminal to the
console port on the router through a standard RS-232 cable.
Step 2 Set communication parameters for the PC, as shown in Figure 3-12 to Figure 3-14. Set the
transmission rate to 4800 bit/s, data bit to 6, parity bit to even, stop bit to 2, and flow control
mode to none.
Step 3 Power on the router and wait for the completion of the self-check. After the router starts properly
and finishes the self-check, the system prompts you to press Enter, and the command prompt
<HUAWEI> is displayed.
Use commands to view the operating status of the router or configure the router.
----End
Networking Requirements
A user can use a user terminal to log in to the router on another network segment to remotely
maintain the router.
Figure 3-15 Networking diagram for logging in to the system by using Telnet (PC connected over the network to P1, GE0/0/0 10.137.217.221/16)
Precautions
If a user has passed AAA authentication and logged in to the router by using Telnet, the user is
prohibited from logging in to other routers on the network.
Configuration Roadmap
1. Establish a physical connection.
2. Assign an IP address to the MEth interface on P1.
3. Configure VTY user interfaces, including the limit on incoming and outgoing calls.
4. Configure Telnet user information.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the MEth interface on P1
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging into another router: 3001
l Timeout period of a user connection: 20 minutes
l Number of lines displayed on a terminal screen: 30
l Buffer size for previously-used commands: 20
l Telnet user information (authentication mode: AAA, user name: huawei, password: hello)
Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Assign an IP address to the MEth interface on P1.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] interface gigabitethernet 0/0/0
[~P1-GigabitEthernet0/0/0] undo shutdown
[~P1-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~P1-GigabitEthernet0/0/0] commit
[~P1-GigabitEthernet0/0/0] quit
[~P1-ui-vty0-9] shell
[~P1-ui-vty0-9] idle-timeout 20
[~P1-ui-vty0-9] screen-length 30
[~P1-ui-vty0-9] history-command max-size 20
Press Enter, and input the user name and password in the login window. After user
authentication succeeds, a command prompt of the user view is displayed, as shown in Figure
3-17. This indicates that you have entered the user view.
----End
Configuration file of P1
sysname P1
#
user-interface maximum-vty 10
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
aaa
local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user huawei level 3
local-user huawei service-type telnet
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
user-interface vty 0 9
authentication-mode aaa
user privilege level 15
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
history-command max-size 20
idle-timeout 20 0
screen-length 30
acl 2000 inbound
acl 3001 outbound
#
admin
return
Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Login by using Telnet brings security
risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks such as IP address spoofing and plain text
password interception.
As shown in Figure 3-18, after the STelnet server function is enabled on the router functioning
as an SSH server, STelnet clients can log in to the SSH server in password, RSA, password-
RSA, or All authentication mode.
Figure 3-18 Networking diagram for logging in to the system by using STelnet (PC connected over the network to the SSH server, GE0/0/0 10.137.217.225/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign an IP address to the MEth interface on the SSH server.
2. Configure a local key pair on the SSH server, allowing secure data transmission between
the STelnet client and the SSH server.
3. Configure VTY user interfaces on the SSH server.
4. Configure an SSH user, including the authentication mode, user name, and password.
5. Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the MEth interface on the SSH server
l SSH user authentication mode: password; user name: client001; password: huawei
l User level of client001: 3
l IP address of the SSH server: 10.137.217.223
Procedure
Step 1 Configure a login address.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet 0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit
NOTE
If SSH is configured as the login protocol, the NE5000E automatically disables the Telnet function.
Step 4 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit
Step 5 Enable the STelnet server function, and configure STelnet as the service type.
[~SSH Server] stelnet server enable
[~SSH Server] ssh authentication-type default password
[~SSH Server] commit
Figure 3-19 Schematic diagram for accessing the SFTP server by using the OpenSSH software
----End
Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
rsa local-key-pair create 512
rsa local-key-pair host-key begin
rsa local-key-pair host-key end
#
stelnet server enable
ssh authentication-type default password
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.225 255.255.255.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
aaa
local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user client001 level 3
local-user client001 service-type ssh
#
admin
return
4 Transferring Files
FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
l Control connection: issues commands from the client to the server and transmits replies
from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the throughput.
TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses
the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,
TFTP is simple, providing no authentication. It is applicable to scenarios where complicated
interactions between clients and the server are not required.
TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.
NOTE
l Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
l Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.
SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device
functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server fails or the connection between the server and the client fails, the client
needs to detect the fault promptly and release the connection proactively. To help the client
detect such a fault in time, configure the interval at which Keepalive packets are sent when no
packet is received, and the maximum number of times the server may fail to respond:
l If the client does not receive any packet within the specified interval, the client sends a
Keepalive packet to the server.
l If the number of times the server fails to respond exceeds the specified maximum, the
client proactively releases the connection.
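The keepalive behaviour described in the two points above, as an added example (not from the Huawei guide or the device software): a small model of the client-side timer, replayed over a constructed timeline of server packets and timer ticks. It assumes, since the guide does not say, that the connection is released when the count of unanswered keepalives reaches the configured maximum and that any packet from the server resets that count.

```python
"""Added example (not from the Huawei guide): model of the SFTP client
keepalive logic, driven by a constructed timeline of received packets and
periodic timer ticks.

Assumption (not stated in the guide): the client releases the connection when
the number of unanswered keepalives reaches the configured maximum; any
packet from the server resets that count.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SftpKeepalive:
    interval: float          # seconds of silence before a keepalive is sent
    max_unanswered: int      # unanswered keepalives tolerated before release
    last_rx: float = 0.0     # time of the last packet received from the server
    last_tx: float = 0.0     # time of the last keepalive sent
    unanswered: int = 0
    released: bool = False

    def on_packet(self, now: float) -> None:
        """Any packet from the server counts as a reply and resets the count."""
        self.last_rx = now
        self.unanswered = 0

    def on_tick(self, now: float) -> str:
        """Evaluate the timer. Returns 'idle', 'keepalive' or 'released'."""
        if self.released:
            return "released"
        quiet_since = max(self.last_rx, self.last_tx)
        if now - quiet_since < self.interval:
            return "idle"
        if self.unanswered >= self.max_unanswered:
            # The server failed to answer the maximum number of keepalives.
            self.released = True
            return "released"
        self.unanswered += 1
        self.last_tx = now
        return "keepalive"


def run_timeline(client: SftpKeepalive,
                 events: List[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Replay (time, 'rx'|'tick') events; return the keepalives and release."""
    actions: List[Tuple[float, str]] = []
    for when, kind in sorted(events):
        if kind == "rx":
            client.on_packet(when)
            continue
        result = client.on_tick(when)
        if result != "idle":
            actions.append((when, result))
        if result == "released":
            break
    return actions


# Constructed timeline: the server answers at t=0 and once more at t=27, then
# stays silent; the client timer fires every 5 seconds.
SAMPLE_EVENTS = [(0.0, "rx"), (27.0, "rx")] + [(float(t), "tick") for t in range(5, 80, 5)]
```

With an interval of 10 seconds and a maximum of 3 unanswered keepalives, the reply at t=27 resets the count, and the connection is released at t=70 after three further unanswered keepalives.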
NOTE
The file to be uploaded must be smaller than 2 GB. Uploading a file larger than 2 GB leaves the device
unable to display information.
Applicable Environment
When a device fails to save or obtain data, you can log in to the system to repair the faulty storage
device or manage files or directories on the device.
This file operation mode is used when storage devices need to be managed.
Pre-configuration Tasks
After logging in to the system, complete the following tasks before operating the files:
l 3 Configuring User Login
Configuration Procedures
Flowchart: Manage directories; Manage files
Context
You can change and display directories, display files in directories and sub-directory lists, and
create and delete directories.
Perform one or multiple of the following operations as required:
Procedure
l Run:
cd directory
The current working directory is changed.
l Run:
rmdir directory
A directory is deleted.
----End
Applicable Environment
As devices operate stably and are deployed in large scopes, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, as a new upgrade method by
loading software packages remotely, facilitates remote online upgrade, reduces upgrade
expenditure, shortens the time that customers wait for upgrade, and improves customers'
satisfaction. In real world situations, the delay, packet loss, and jitter affect data transmission
on networks. To guarantee the quality of online upgrade and data transmission, use FTP to
perform online upgrade and transfer files based on TCP connections.
Pre-configuration Tasks
Before operating files by using FTP, complete the following task:
l 3 Configuring User Login
Configuration Procedures
Context
To operate files by using FTP, configure local user name and password on a device serving as
an FTP server, and specify the service type and the directory that the user can access. Otherwise,
the user cannot access the FTP server.
Perform the following steps on the device that functions as an FTP server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
local-user user-name password simple password
l If the password is specified in simple form, it must be entered in plain text.
l If the password is specified in cipher form, it can be entered either as encrypted text or
as plain text; the stored result depends on the input.
Step 4 Run:
local-user user-name service-type ftp
Step 5 Run:
local-user user-name ftp-directory directory
CAUTION
If the directory is not configured, the user is automatically redirected to cfcard:/.
Step 6 Run:
commit
----End
Context
By default, the listening port number of the FTP server is 21, and users can log in to a device
functioning as an FTP server by using this default port. Attackers may also access the default
listening port, consuming bandwidth, degrading server performance, and preventing valid users
from accessing the server. After the listening port number of the FTP server is changed, attackers
do not know the new listening port number. This effectively prevents attackers from accessing
the listening port.
NOTE
If the FTP server is already enabled when the port number is changed, the FTP server restarts.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp [ ipv6 ] server port port-number
If a new listening port number is set, the FTP server terminates all established FTP connections,
and then uses the new port number to listen to new FTP connection attempts.
Step 3 Run:
commit
----End
Context
By default, the FTP server function is disabled. Therefore, you must enable the FTP server
function before using FTP.
Procedure
Step 1 Run:
system-view
NOTE
After files are successfully transferred between the client and the server, run the undo ftp [ ipv6 ] server
command to disable the FTP server function in time for security.
Step 3 Run:
commit
----End
Context
The FTP server parameters include the source address of the FTP server and the timeout period
of an idle FTP connection.
l Specifying the source address of the FTP server restricts the destination address accessed
by clients, ensuring security.
l After the timeout period of an idle FTP connection is configured, if a client and the server
do not exchange messages within the specified timeout period, the server terminates the
connection and releases the FTP connection resource.
Perform the following steps on the device that functions as an FTP server:
Procedure
Step 1 Run:
system-view
l Run the ftp timeout minutes command to set the timeout period of an idle FTP connection.
By default, the timeout period of an idle FTP connection is 30 minutes.
Step 3 Run:
commit
----End
Context
When a device functions as an FTP server, you can configure an ACL to allow only the clients
that meet the rules specified in the ACL to access the FTP server.
Do as follows on the device that functions as an FTP server:
Procedure
Step 1 Run:
system-view
A rule is configured.
NOTE
FTP supports only basic ACLs whose numbers range from 2000 to 2999.
Step 4 Run:
ftp acl { acl-number | acl-name acl-name }
----End
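The server-side procedures above (local FTP user, listening port, idle timeout, client ACL) are each shown one command at a time. The following consolidated session, an added example that is not part of the Huawei guide, ties them together on one device in the order a hardened deployment would apply them. The host name, user name, directory, port 2121, 5-minute timeout and the 10.18.26.0/24 management subnet are constructed values; the acl number and rule command syntax and the ACL view prompt are assumptions based on the general VRP command set (the guide states only that FTP accepts basic ACLs 2000-2999); the display output is modelled on the guide's own display ftp-server sample. Lines beginning with # are editorial notes, not CLI input.

```text
# Added example: hardening the FTP server on the device (not from the guide).
<HUAWEI> system-view
[~HUAWEI] sysname server
[~HUAWEI] commit
# 1. FTP account: cipher form so the password is not stored in plain text (see Step 3),
#    restricted to the FTP service and to the upgrade directory only.
[~server] aaa
[~server-aaa] local-user upgrade-op password cipher <PASSWORD-PLACEHOLDER>
[~server-aaa] local-user upgrade-op service-type ftp
[~server-aaa] local-user upgrade-op ftp-directory cfcard:/upgrade
[~server-aaa] quit
# 2. Basic ACL (2000-2999) naming the only subnet allowed to reach the FTP server.
#    Command syntax and the acl4-basic prompt are assumed; the subnet is constructed.
[~server] acl number 2001
[~server-acl4-basic-2001] rule 5 permit source 10.18.26.0 0.0.0.255
[~server-acl4-basic-2001] rule 10 deny
[~server-acl4-basic-2001] quit
# 3. Bind the ACL, move the listener off the default port 21, and shorten the idle
#    timeout from the 30-minute default to 5 minutes.
[~server] ftp acl 2001
[~server] ftp server port 2121
[~server] ftp timeout 5
# 4. Enable the server only now, once the restrictions are in place.
[~server] ftp server enable
[~server] commit
# 5. Verify (expected output, modelled on the guide's display ftp-server sample):
[~server] display ftp-server
--------------------------------------------------------------------------
Server State : enabled
IPv6 server State : disabled
Timeout value (mins) : 5
Listen port : 2121
# 6. After the upgrade files have been transferred, switch the server off again,
#    as the guide itself recommends (undo ftp [ ipv6 ] server).
[~server] undo ftp server
[~server] commit
```

The order matters: the account, directory restriction, ACL, port and timeout are all committed before ftp server enable, so the listener is never reachable in its default, unrestricted state.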
Context
To log in to the FTP server from the PC, use either the Windows Command Prompt or third-party
software. This section uses the Windows Command Prompt as an example.
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the ftp ip-address command to log in to the server by using FTP.
Enter the user name and password at the prompt, and press Enter. When the command prompt
of the FTP client view is displayed, such as ftp>, you have entered the working path of the FTP
server, as shown in Figure 4-3.
Figure 4-3 Schematic diagram for the working path of the FTP server
----End
Context
Table 4-3 lists FTP file attributes.
Table 4-3 FTP file attributes
FTP data connection mode: The following data connection modes can be set for the FTP server:
l ACTIVE mode: The server proactively connects to clients during connection establishment.
l PASV mode: The server waits to be connected by clients during connection establishment.
During connection establishment, the FTP client determines whether the mode is ACTIVE or PASV.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ portnumber ]
command to use an IPv6 address to establish a connection to the FTP server and enter the
FTP client view.
Step 2 Perform one or more operations shown in Table 4-4 as needed.
Table 4-4 FTP client operations
Managing files
Configuring the file type:
l Run the ascii command to set the file type to ASCII.
l Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used.
Configuring the data connection mode:
l Run the passive command to set the data connection mode to PASV.
l Run the undo passive command to set the data connection mode to ACTIVE.
By default, the PASV mode is used.
Enabling the file transfer prompt function:
l If the prompt command is run in the FTP client view to enable the file transfer prompt function,
the system prompts you to confirm each upload or download operation.
l If the prompt command is run again in the FTP client view, the file transfer prompt function
is disabled.
NOTE
The prompt command applies when the mput or mget command is used to upload or download files.
If a file to be downloaded by the mget command already exists on the local device, the system
prompts you to confirm overwriting it, regardless of whether the file transfer prompt function
is enabled.
Step 3 Perform either of the following operations as needed to terminate an FTP connection.
l Run the bye/quit command to terminate the connection to the FTP server and return to the
user view.
l Run the close/disconnect command to terminate both the connection to the FTP server and
the FTP session but remain in the FTP client view.
Step 4 Run:
commit
----End
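A complete client-side session from the device, as an added example that is not part of the guide, using only the commands from Table 4-4 and the ftp command syntax of Step 1. The addresses, the non-default server port and the package name are constructed; the [ftp] client prompt is assumed. The -a option pins the client's source address so that a server-side ACL or source-address check sees a known management address. Lines beginning with # are editorial notes, not CLI input.

```text
# Added example: fetching an upgrade package from the device acting as FTP client.
<HUAWEI> ftp -a 10.18.26.10 10.137.217.221 2121
# ... the server's login prompts follow; enter the FTP user name and password ...
[ftp] binary
# Software packages are program files: use binary mode, not the ASCII default.
[ftp] passive
# PASV: the client opens the data connection (the default, stated here explicitly).
[ftp] prompt
# Toggles per-file confirmation for mget/mput; the guide notes that an existing
# local file is always confirmed before being overwritten.
[ftp] dir
# List the remote working directory before transferring.
[ftp] mget <UPGRADE-PACKAGE-PLACEHOLDER>
[ftp] dir
# Check the listing again after the transfer, then close the control connection.
[ftp] bye
<HUAWEI>
```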
Prerequisite
The configurations of file operation by using FTP are complete.
Procedure
l Run the display ftp-server command to check the configuration and status of the FTP
server.
l Run the display ftp-users command to check information about logged-in FTP users.
----End
Example
Run the display ftp-server command to view the configuration and status of the FTP server.
<HUAWEI> display ftp-server
--------------------------------------------------------------------------
Server State : enabled
IPv6 server State : enabled
Timeout value (mins) : 30
Listen port : 21
Run the display ftp-users command to view information about logged-in FTP users, including
the user name, port number, and authorized directory.
<HUAWEI> display ftp-users
-----------------------------------------------------------
User Name : root
Host Address : 2607:F0D0:1002:11::126
Control Port : 20465
Idle Time (mins) : 1
Root Directory :cfcard:/
User Name : root
Host Address : 10.18.26.139
Control Port : 28783
Idle Time (mins) : 0
Root Directory :cfcard:/
-----------------------------------------------------------
Applicable Environment
As devices operate stably and are deployed on a large scale, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a newer upgrade method that loads
software packages remotely, simplifies remote upgrade, reduces upgrade expenditure, shortens
the time customers wait for an upgrade, and improves customer satisfaction. FTP is usually used
to transmit data for online upgrade. However, FTP transmits data, and even user names and
passwords, in plain text, which poses a security risk.
SFTP enables users to log in to a remote device securely from a PC to manage files, improving
the security of data transmission for remote upgrade. In addition, the device can function as an
SFTP client, so that users who have logged in to the device can access other remote devices to
transfer files and perform online upgrade by using SFTP.
Pre-configuration Tasks
Before operating files by using SFTP, complete the following task:
l Configuring User Login
Configuration Procedures
Configuration flowchart (figure). Legend: mandatory procedure, optional procedure.
Context
l SSH users can be authenticated in four modes: RSA, password, password-RSA, and all.
Password authentication depends on AAA. Before a user logs in to the device in password or
password-RSA authentication mode, a local user with the same user name must be created in
the AAA view.
l Generating a local RSA key pair on the system is a key step for SSH login. If an SSH user
logs in to an SSH server in password authentication mode, configure the server to generate a
local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode,
configure both the server and the client to generate local RSA key pairs.
NOTE
Password-RSA authentication requires success of both password authentication and RSA authentication.
The All authentication mode requires success of either password authentication or RSA authentication.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh user user-name
If password or password-RSA authentication is configured for the SSH user, create the same
SSH user in the AAA view and set the local user access type to SSH.
By default, a local user can use any access type. You can specify an access type to allow only
users configured with the specified access type to log in to the device.
Step 3 Run:
rsa local-key-pair create
NOTE
l The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-
related configuration.
l After the key pair is generated, run the display rsa local-key-pair public command to view information
about the public key in the local key pair.
Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
2. Run the rsa peer-public-key key-name command to enter the public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
NOTE
l In the public key edit view, only hexadecimal strings complying with the public key format can
be typed in. Each string is randomly generated on an SSH client. For detailed operations, see
manuals for SSH client software.
l After entering the public key edit view, paste the RSA public key generated on the client to the
server.
5. Run the public-key-code end command to exit from the public key edit view.
l Running the peer-public-key end command generates a key only after valid hex-data
complying with the public key format has been entered.
l If the peer-public-key end command is used after the key key-name specified in Step b has
been deleted in another window, the system displays a message indicating that the key does
not exist, and the system view is displayed.
6. Run the peer-public-key end command to return to the system view.
7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a
public key.
Step 5 (Optional) Configure basic authentication information for the SSH user.
1. Run the ssh server rekey-interval hours command to set an interval at which the key of
the server is updated.
Step 6 Run:
ssh user username service-type { sftp | all }
By default, the service type of an SSH user is none. That is, no service is supported.
Step 7 Run:
commit
----End
Context
By default, the device is not enabled with the SFTP server function. Users can use SFTP to
establish connections to the device only after the SFTP server function is enabled on the device.
Do as follows on the device that functions as an SSH server:
Procedure
Step 1 Run:
system-view
----End
Context
Table 4-5 lists SFTP server parameters.
Table 4-5 SFTP server parameters
Earlier SSH version compatibility: SSH has two versions: SSH1.X (earlier than SSH2.0) and
SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more
authentication modes and key exchange methods. In addition, SSH2.0 supports more advanced
services such as SFTP. The HUAWEI NetEngine5000E supports SSH versions 1.3 to 2.0.
Listening port number of an SFTP server: The default listening port number of an SFTP server is
22, and users can log in to the device by using this default port. Attackers may also access the
default listening port, consuming bandwidth, degrading server performance, and preventing valid
users from accessing the server. After the listening port number of the SFTP server is changed,
attackers do not know the new port number. This effectively prevents attackers from accessing
the listening port and improves security.
Interval at which the key pair of the SFTP server is updated: After the interval is set, the key
pair of the SFTP server is updated periodically to improve security.
Timeout period of an idle connection: If a connection stays idle for the whole timeout period,
the system automatically cuts off the connection when the period expires. This prevents users
from occupying connection resources for a long time without performing any operation.
Maximum number of clients that can be connected to the server: If the specified maximum is
smaller than the number of clients currently connected to the server, the logged-in users are not
forced offline, but the server no longer accepts new connection requests.
Procedure
Step 1 Run:
system-view
Step 2 Configure the following SFTP server parameters as required:
Earlier SSH version compatibility: Run the ssh server compatible-ssh1x enable command. By
default, an SFTP server running SSH2.0 is compatible with SSH1.X. To prevent clients running
SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command
to disable support for earlier SSH protocol versions.
Listening port number of the SFTP server: Run the ssh server port port-number command. If a
new listening port is set, the SFTP server cuts off all established STelnet and SFTP connections,
and then uses the new port number to listen for connection requests. By default, the listening
port number is 22.
Interval at which the key pair of the SFTP server is updated: Run the ssh server rekey-interval
hours command. By default, the interval is 0, indicating that the key pair is never updated.
Step 3 Run:
commit
----End
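The SSH user, local key pair, SFTP server and SFTP server parameter procedures above are split across several contexts, and the guide's own configuration example covers only the password mode. The following consolidated session, an added example that is not part of the guide, configures one password-authenticated user and one RSA-authenticated user and then applies the server parameters from Table 4-5. The host name, user names, key name, port 1025, 2-hour re-key interval and the hex public key are constructed values; the view prompts after rsa peer-public-key and user-interface are assumed; the display output is modelled on the guide's display ssh server status sample. Lines beginning with # are editorial notes, not CLI input.

```text
# Added example: SFTP server with password and RSA users (not from the guide).
<HUAWEI> system-view
[~HUAWEI] sysname sshserver
[~HUAWEI] commit
# 1. Local host key pair: must exist before any other SSH-related configuration (Step 3).
[~sshserver] rsa local-key-pair create
# 2. AAA account for the password-authenticated user; access type limited to SSH.
[~sshserver] aaa
[~sshserver-aaa] local-user client001 password cipher <PASSWORD-PLACEHOLDER>
[~sshserver-aaa] local-user client001 level 3
[~sshserver-aaa] local-user client001 service-type ssh
[~sshserver-aaa] quit
[~sshserver] ssh user client001
[~sshserver] ssh user client001 authentication-type password
[~sshserver] ssh user client001 service-type sftp
# 3. RSA-authenticated user: paste the public key generated on the client
#    (Step 4, sub-steps 2 to 7). No AAA account is needed for RSA mode.
[~sshserver] rsa peer-public-key client002-key
[~sshserver-rsa-public-key] public-key-code begin
[~sshserver-rsa-key-code] <HEX-PUBLIC-KEY-PLACEHOLDER>
[~sshserver-rsa-key-code] public-key-code end
[~sshserver-rsa-public-key] peer-public-key end
[~sshserver] ssh user client002
[~sshserver] ssh user client002 assign rsa-key client002-key
[~sshserver] ssh user client002 authentication-type rsa
[~sshserver] ssh user client002 service-type sftp
# 4. VTY lines accept SSH only (as in the guide's configuration file), SSH1.x
#    compatibility off, listener moved off port 22, host key re-generated every 2 hours.
[~sshserver] user-interface vty 0 4
[~sshserver-ui-vty0-4] authentication-mode aaa
[~sshserver-ui-vty0-4] protocol inbound ssh
[~sshserver-ui-vty0-4] quit
[~sshserver] undo ssh server compatible-ssh1x enable
[~sshserver] ssh server port 1025
[~sshserver] ssh server rekey-interval 2
# 5. Enable SFTP only after the users and restrictions exist.
[~sshserver] sftp server enable
[~sshserver] commit
# 6. Verify (expected output, modelled on the guide's sample; the STELNET and
#    SNETCONF lines are shown as in that sample and depend on separate configuration):
[~sshserver] display ssh server status
SSH version : 2.0
SSH authentication timeout : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility : Disable
SSH server keep alive : Enable
SFTP server : Enable
STELNET server : Enable
SNETCONF server : Disable
SSH server port : 1025
[~sshserver] display ssh user-information client002
```

Disabling SSH1.x compatibility is the one setting here that changes the default: the guide notes the server accepts SSH1.3 to SSH1.99 clients unless undo ssh server compatible-ssh1x enable is run, and those protocol versions lack the integrity protection of SSH2.0.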
Context
Third-party software can be used to access the device from the PC by using SFTP. This section
uses the third-party software OpenSSH together with the Windows Command Prompt as an example.
After installing OpenSSH on the PC, do as follows on the PC:
NOTE
For details about how to install OpenSSH, see the installation guide of the software.
For details on how to use OpenSSH commands to log in to the system, see the help document of the software.
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run relevant OpenSSH commands to log in to the device in SFTP mode.
When the command prompt of the SFTP client view is displayed, such as sftp>, you have entered
the working path of the SFTP server, as shown in Figure 4-5.
Figure 4-5 Schematic diagram for the working path of the SFTP server
----End
Context
After logging in to the SFTP server, you can perform the following operations:
l Obtain command help on the SFTP client.
l Manage directories on the SFTP server.
l Manage files on the SFTP server.
Procedure
Step 1 Run:
system-view
The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.
Managing files on the server
Renaming a file on the server: Run the rename old-name new-name command.
Deleting files from the server: Run the remove path &<1-10> command.
Displaying command help on the SFTP client: Run the help [ all | command-name ] command.
----End
Prerequisite
The configuration of file operation by using SFTP is complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configuration.
l Run the display ssh server session command on the SSH server to check information about
sessions between the SSH server and SSH clients.
l Run the display ssh server statistics command on the SSH server to view the total numbers
of accepted, denied, closed, and currently online connections.
----End
Example
Run the display ssh user-information client001 command to verify that the authentication mode
of the SSH user client001 is password and that the service type is sftp.
<HUAWEI> display ssh user-information client001
--------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : cfcard:/home
Service-type : sftp
Authorization-cmd : Yes
---------------------------------------------
Total 1, 1 printed
Run the display ssh server status command to view configuration of the SSH server.
<HUAWEI> display ssh server status
SSH version : 2.0
SSH authentication timeout : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility : Disable
SSH server keep alive : Enable
SFTP server : Disable
STELNET server : Enable
SNETCONF server : Disable
SSH server port : 1025
NOTE
If the default listening port is in use, information about the current listening port is not displayed.
Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<HUAWEI> display ssh server session
Session : 2
Conn : SFTP 0
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password
Run the display ssh server statistics command to view the current statistics information of the
SSH server.
Networking Requirements
As devices operate stably and are deployed on a large scale, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a newer upgrade method that loads
software packages remotely, simplifies remote upgrade, reduces upgrade expenditure, shortens
the time customers wait for an upgrade, and improves customer satisfaction. In real-world
networks, delay, packet loss, and jitter affect data transmission. To guarantee the quality of
online upgrade and data transmission, use FTP, which transfers files over TCP connections, to
perform online upgrade.
As shown in Figure 4-6, after the FTP server function is enabled on the router, you can log in
to the FTP server from the HyperTerminal to upload or download files.
Figure 4-6 Networking diagram: PC, network, FTP server (GE0/0/0: 10.137.217.221/16)
Precautions
The IP address of the FTP server must be configured on the MEth interface.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of the FTP server.
2. Enable the FTP server function.
3. Configure the authentication information, authorization mode, and directories to be
accessed for an FTP user.
4. Log in to the FTP server by using the correct user name and password.
5. Upload files to or download files from the FTP server.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the FTP server: 10.137.217.221
l FTP user information (user name: huawei, password: huawei)
l Path of the file to be uploaded and path where the downloaded file is to be saved
Procedure
Step 1 Configure the IP address of the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname server
[~HUAWEI] commit
[~server] interface gigabitethernet0/0/0
[~server-GigabitEthernet0/0/0] undo shutdown
[~server-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~server-GigabitEthernet0/0/0] quit
[~server] commit
Step 3 Configure the authentication information, authorization mode, and authorized directories for an
FTP user on the FTP server.
[~server] aaa
[~server-aaa] local-user huawei password simple huawei
[~server-aaa] local-user huawei service-type ftp
[~server-aaa] local-user huawei ftp-directory cfcard:/
[~server-aaa] quit
[~server] commit
Step 4 Run the ftp command at the Windows Command Prompt, and enter the correct user name and
password to set up an FTP connection to the FTP server, as shown in Figure 4-7.
Step 5 Upload a file from the terminal to the server and download a file from the server, as shown
in Figure 4-8.
NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed
information about the file.
----End
Configuration Files
l Configuration file of the FTP server
#
sysname server
#
aaa
local-user huawei password simple huawei
local-user huawei ftp-directory cfcard:/
local-user huawei service-type ftp
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
ftp server enable
#
admin
return
Networking Requirements
As devices operate stably and are deployed on a large scale, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a newer upgrade method that loads
software packages remotely, simplifies remote upgrade, reduces upgrade expenditure, shortens
the time customers wait for an upgrade, and improves customer satisfaction. FTP is usually used
to transmit data for online upgrade. However, FTP transmits data, and even user names and
passwords, in plain text, which poses a security risk.
SFTP enables users to log in to a remote device securely from a PC to manage files, improving
the security of data transmission for remote upgrade. In addition, the device can function as an
SFTP client, so that users who have logged in to the device can access other remote devices to
transfer files and perform online upgrade by using SFTP.
As shown in Figure 4-9, after the SFTP server function is enabled on the router that functions
as an SSH server, you can log in to the server in password, RSA, password-RSA, or all
authentication mode from a PC that functions as an SFTP client.
Figure 4-9 Networking diagram: PC, network, SSH server (GE0/0/0: 10.137.217.225/16)
Precautions
The IP address of the SSH server must be configured on the MEth interface.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server, allowing secure data transmission between
the client and the server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including the user authentication mode, user name, password, and
authorized directory.
4. Enable the SFTP server function on the SSH server and configure the service type.
Data Preparation
To complete the configuration, you need the following data:
l SSH user authentication mode: password; user name: client001; password: huawei
l User level of client001: 3
l IP address of the SSH server: 10.137.217.225
Procedure
Step 1 Configure the IP address of the SSH server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] quit
[~SSH Server] commit
Step 3 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] quit
[~SSH Server] commit
Step 4 Enable the SFTP server function and set the service type to SFTP.
[~SSH Server] sftp server enable
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit
Figure 4-10 Schematic diagram for accessing the SFTP server by using the OpenSSH software
----End
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return
To operate files on other devices, and manage or configure these devices, access the device by
using Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.
5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.
5.2 Using Telnet to Log In to Other Devices
Telnet helps users to log in to remote devices to manage and maintain the devices.
5.3 Using STelnet to Log In to Other Devices
STelnet provides secure Telnet services. You can use STelnet to log in to other devices from the
device that you have logged in to, and manage the remote devices.
5.4 Using TFTP to Access Other Devices
TFTP is used to transfer files between a remote server and local hosts. Unlike FTP, TFTP is
simple and provides no authentication. It is applicable to scenarios that do not require
complicated interactions between the client and the server.
5.5 Using FTP to Access Other Devices
You can log in to an FTP server on the network from the device that functions as an FTP client
to upload files to or download files from the server.
5.6 Using SFTP to Access Other Devices
SFTP provides a secure FTP service. The device is configured as an SFTP client. The SFTP
server authenticates the client and encrypts data in both directions to provide secure file transfer.
5.7 Configuration Examples
This section provides examples for configuring one device to access other devices. These
configuration examples explain networking requirements, configuration roadmap, and
precautions.
5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.
As shown in Figure 5-1, after you use the terminal emulator or Telnet program on a PC to
connect to the router successfully, the router can still function as a client to help you access other
devices on the network by using Telnet, FTP, TFTP, or SFTP.
Figure 5-1 Networking diagram: PC, user network, Telnet client (router), IP network, Telnet server
Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login
and virtual terminal services. The NE5000E provides the following Telnet services:
l Telnet server: A user runs the Telnet client program on a PC to log in to the router to
configure and manage the router. The router functions as a Telnet server.
l Telnet client: After using the terminal emulator or Telnet client program on a PC to connect
to the router, a user runs the telnet command to log in to another device for configuration
and management. The router functions as a Telnet client. In Figure 5-2, the CE functions
as both a Telnet server and a Telnet client.
Figure 5-2 Networking diagram: PC, CE (Telnet server and Telnet client), PE
Figure 5-3 Networking diagram: P1 (Telnet client), P2, P3 (Telnet server)
Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure
5-3, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the
Telnet client of P3. The usage of shortcut keys is described as follows:
Ctrl_]: Instructs the server to disconnect a Telnet connection.
If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server
interrupts the current Telnet connection.
For example, enter Ctrl_] on P3, and the P2 prompt is displayed.
<P3> Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2> Select Ctrl_] to return to the prompt of P1
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>
CAUTION
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all user
interfaces are in use and no more Telnet connections are allowed.
FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
l Control connection: issues commands from the client to the server and transmits replies
from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the throughput.
FTP has two file transfer modes:
l Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
l ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:
l FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
the device, and run the ftp command to establish a connection between the device and a
remote FTP server to access and operate files on the server.
l FTP server: Users can use the FTP client program to log in to the device and operate files
on the device.
Before users log in, the network administrator must configure an IP address for the FTP
server.
TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses
the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,
TFTP is simple, providing no authentication. It is applicable to scenarios where complicated
interactions between clients and the server are not required.
TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.
NOTE
l Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
l Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.
SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to log in to
the device securely to manage and transfer files. On the other hand, users can use the device as
a client to log in to a remote server and transfer files securely.
When the SFTP server or the connection between the server and the client fails, the client needs
to detect the fault in time and tear down the connection proactively. To help the client detect
such a fault in time, configure the interval at which Keepalive packets are sent when no packet
is received, and the maximum number of times the server may fail to respond to the client:
l If the client does not receive any packet within the specified period, the client sends a
Keepalive packet to the server.
l If the number of times that the server does not respond exceeds the specified maximum, the
client proactively releases the connection.
Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, you can log in to other devices
by using Telnet from the device that you have logged in to.
As shown in Figure 5-4, the PC can use Telnet to log in to the Telnet client. As the PC does not
have a reachable route to the Telnet server, you cannot manage the Telnet server remotely. To
manage the Telnet server remotely, you can use the Telnet client to telnet to the Telnet server.
Figure 5-4 Networking diagram: PC, user network, Telnet client, IP network, Telnet server
Pre-configuration Tasks
Before logging in to other devices by using Telnet, complete the following task:
l Logging In to the System by Using Telnet.
l Configuring a route to ensure that the Telnet client and server are routable.
Context
Telnet provides an interactive interface for users to log in to a remote server. You can log in to
one device, and then telnet to other devices on the network to configure and manage these remote
devices, instead of connecting a terminal to each of the devices.
An IP address can be configured for an interface on the device and specified as the source IP
address of the Telnet connection for security checks.
After the source IP address is configured for the Telnet client, the source IP address of the Telnet
client displayed on the server is the same as the configured one.
Perform either of the following operations based on the type of the source IP address:
Procedure
l If the source address is an IPv4 address:
Run the telnet [ -a source-ip-address | -i interface-type interface-number ] [ vpn-
instance vpn-instance-name ] host-name [ port-number ] command to log in to and manage
other devices.
l If the source address is an IPv6 address:
Run the telnet ipv6 ipv6-address [ -i interface-type interface-number ] [ port-number ]
command to log in to and manage other devices.
----End
--------------------------------------------------------------------------------
Pid/SocketID      Local Addr:Port        Foreign Addr:Port        VPNID    State
--------------------------------------------------------------------------------
0x80C8272F/2 0.0.0.0:23 0.0.0.0:0 42949 LISTEN
0x80932727/4 0.0.0.0:22 0.0.0.0:0 42949 LISTEN
0x30666bb4/9 10.137.217.222:23 10.137.217.223:53930 0 Established
--------------------------------------------------------------------------------
Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Login by using Telnet brings security
risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.
STelnet provides secure Telnet services based on SSH connections. Providing encryption and
authentication, SSH protects devices against attacks of IP address spoofing and plain text
password interception. As shown in Figure 5-5, the HUAWEI NetEngine5000E supports the
SSH function. You can log in to a remote device in SSH mode to manage and maintain the
device. In this situation, the device that you have logged in functions as the client, and the remote
device to be logged in is an SSH server.
Figure 5-5 Networking diagram for logging in to other devices by using STelnet
(SSH client and SSH server, connected over an IP network)
Pre-configuration Tasks
Before logging in to other devices by using STelnet, complete the following task:
l 3.4 Logging In to the System by Using STelnet
Configuration Procedures
Context
When first-time authentication is enabled on the SSH client, the STelnet client does not check
the validity of the RSA public key of the SSH server when it logs in to that server for the first
time: it accepts whatever key the server presents, saves it under the server's address, and uses
the saved key to authenticate the server during subsequent logins. A server key that changes later
is therefore detected, but a host impersonating the server during the first login is not.
If first-time authentication is disabled, the STelnet client cannot log in to an SSH server whose
RSA public key has not been bound on the client, because the validity check of the RSA public
key fails. If the STelnet client must be able to log in to the SSH server at the first attempt, either
enable first-time authentication or bind the server's RSA public key on the client in advance. For
details, see 5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH
Client to the RSA Public Key Generated on the SSH Server).
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh client first-time enable
Step 3 Run:
commit
----End
Context
If first-time authentication is disabled, the SSH client cannot log in to the SSH server because
the validity check of the RSA public key fails. The RSA public key of the server must therefore
be bound to the server's address on the client before the SSH client logs in to the server.
The RSA public key bound to the SSH server must be the one generated on that server. Otherwise,
the validity check of the RSA public key on the SSH client fails.
Procedure
Step 1 Run:
system-view
Step 2 Run:
rsa peer-public-key key-name
Step 3 Run:
public-key-code begin
The public key edit view is displayed.
Step 4 Enter the public key data (hex-data).
The input public key must be a hexadecimal string complying with the public key format. The
public key is generated randomly on the SSH server.
NOTE
After entering the public key edit view, copy and paste the RSA public key generated on the server to the
client. Obtain the key over a trusted channel (for example, the server's console) and compare it with what
the server displays: the binding is only as trustworthy as the copy that was pasted.
Step 5 Run:
public-key-code end
If the configured public key contains invalid characters or does not comply with the public key
format, a prompt is displayed, and the configured public key is discarded. The configuration
fails. If the configured public key is valid, the key will be saved into the client public key chain
table.
l If no valid hex-data is specified, no public key will be generated.
l If key-name specified in Step 2 has been deleted in another window, the system prompts an
error and returns to the system view.
Step 6 Run:
peer-public-key end
Exit from the public key view, and the system view is displayed.
Step 7 Run:
ssh client server-ip-address assign rsa-key key-name
NOTE
If the public key saved on the SSH client becomes invalid (for example, after the server generates a new
key pair), run the undo ssh client server-ip-address assign rsa-key command to cancel the binding between
the SSH server and the saved public key on the client, and then run the ssh client server-ip-address assign
rsa-key key-name command to bind the new RSA public key to the server.
Step 8 Run:
commit
----End
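The check that public-key-code end performs in Step 5, followed by the decision an SSH client makes between a bound server key and first-time authentication (the two Context sections above), as an added Python example. It is not NE5000E or Huawei code. The key blob is the client public key printed later in this chapter under rsa peer-public-key rsakey001; its framing (one SEQUENCE holding two INTEGERs, long-form lengths) is inferred from that blob, in which the 128-byte modulus is stored without the 0x00 sign byte a strict DER encoder would add, so integers are read as unsigned. The ServerKeyStore class and the result strings it returns are the example's own names.

```python
"""Added example (not NE5000E code): validate a pasted hex RSA public key the
way 'public-key-code end' does, then apply the SSH client's first-time versus
bound-key decision for a server address."""
import re

# Client public key printed in this chapter's STelnet example
# (rsa peer-public-key rsakey001): 1024-bit modulus, exponent 65537.
RSAKEY001_HEX = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
"""


class PublicKeyFormatError(ValueError):
    """Raised where the device prints a prompt and discards the key."""


def _tlv(buf, pos, tag):
    """Read one tag-length-value element at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise PublicKeyFormatError("expected tag 0x%02X at offset %d" % (tag, pos))
    pos += 1
    if pos >= len(buf):
        raise PublicKeyFormatError("missing length at offset %d" % pos)
    first, pos = buf[pos], pos + 1
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise PublicKeyFormatError("bad long-form length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise PublicKeyFormatError("element runs past the end of the key data")
    return buf[pos:pos + length], pos + length


def parse_public_key_code(text):
    """Return {'modulus_bits', 'exponent', 'modulus'} for the pasted key code.

    Whitespace is ignored.  Non-hex characters, odd length, or anything other
    than one SEQUENCE holding exactly two INTEGERs is rejected.  Integers are
    read as unsigned: the page's key stores the 128-byte modulus without the
    0x00 sign byte strict DER would add."""
    hexstr = re.sub(r"\s+", "", text)
    if not hexstr or len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexstr):
        raise PublicKeyFormatError("key code must be an even-length hex string")
    blob = bytes.fromhex(hexstr)
    body, end = _tlv(blob, 0, 0x30)                      # SEQUENCE
    if end != len(blob):
        raise PublicKeyFormatError("trailing bytes after the SEQUENCE")
    n_raw, pos = _tlv(body, 0, 0x02)                     # INTEGER modulus n
    e_raw, pos = _tlv(body, pos, 0x02)                   # INTEGER exponent e
    if pos != len(body) or not n_raw or not e_raw:
        raise PublicKeyFormatError("SEQUENCE must hold exactly two INTEGERs")
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")
    if n % 2 == 0 or e % 2 == 0 or e < 3:
        raise PublicKeyFormatError("modulus and exponent must be odd, e >= 3")
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus": n}


class ServerKeyStore:
    """Client-side table server address -> (n, e), filled either by
    'ssh client <ip> assign rsa-key' or by saving the key on a first login."""

    def __init__(self, first_time_enabled):
        self.first_time_enabled = first_time_enabled   # 'ssh client first-time enable'
        self.bound = {}

    @staticmethod
    def _key_id(text):
        info = parse_public_key_code(text)
        return info["modulus"], info["exponent"]

    def assign(self, server_ip, key_text):
        self.bound[server_ip] = self._key_id(key_text)

    def check_server(self, server_ip, presented_key_text):
        """Decide whether the login to server_ip may continue."""
        presented = self._key_id(presented_key_text)
        known = self.bound.get(server_ip)
        if known is None:
            if not self.first_time_enabled:
                return "rejected-unknown-server"    # no key bound and first-time disabled
            self.bound[server_ip] = presented      # trust on first use, then pin it
            return "accepted-first-time-saved"
        if known == presented:
            return "accepted-bound-key"
        return "rejected-key-mismatch"             # re-keyed server or man in the middle
```

The two rejection results are the points to watch: rejected-unknown-server is what an operator sees when first-time authentication is disabled and the key was never bound, and rejected-key-mismatch must never be waved through, since it is the only signal that distinguishes a legitimately re-keyed server from an interposed host.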
Context
The SSH client can log in to the server without specifying the listening port number only when
the listening port number of the server is 22. Otherwise, the listening port number must be
specified.
Do as follows on the router that functions as an SSH client:
Procedure
Step 1 Run:
system-view
----End
Prerequisite
The configuration for logging in to another device by using STelnet is complete.
Procedure
l Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.
----End
Example
Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
Server Name(IP) Server public key name
________________________________________________________________________
1000::1 1000::1
10.164.39.223 10.164.39.223
11.11.11.23 11.11.11.23
10.164.39.204 10.164.39.204
10.164.39.222 10.164.39.222
Applicable Environment
In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP involves
complicated interactions between terminals and servers, which are hard to implement on terminals
that do not run advanced operating systems. TFTP is designed for file transfer that does not need
complicated interactions between terminals and servers. It is simple and low-cost. TFTP can be
used only for simple file transfer: it provides neither authentication nor encryption, so any host
that can reach the server can read or write the files it serves, and transferred contents can be
observed on the path. Use it only on trusted management networks.
NOTE
Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not as TFTP server.
Pre-configuration Tasks
Before using TFTP to access other devices, complete the following task:
Configuration Procedures
You can choose one or more configuration tasks (excluding "Checking the Configuration") as
required.
Context
You can assign an IP address to an interface on the TFTP client and use this IP address as the
source address of TFTP connections. A fixed source address (typically a loopback interface
address) lets the TFTP server restrict access to that one address, and keeps the client's address
stable when the outbound interface changes.
Procedure
Step 1 Run:
system-view
Step 2 Run:
tftp client-source { -a ip-address | -i interface-type interface-number }
NOTE
Step 3 Run:
commit
----End
Context
An ACL is a set of sequential rules. These rules are described based on source addresses,
destination addresses, and port numbers of packets. ACL rules are used to filter packets. After
ACL rules are applied to a device, the device permits or denies packets based on the ACL rules.
Multiple rules can be defined for one ACL. ACLs are classified into interface ACLs, basic ACLs,
and advanced ACLs based on their functions. A basic ACL matches on the source IP address only.
NOTE
TFTP supports only basic ACLs (from ACL 2000 to ACL 2999). The ACL is applied on the TFTP client and
restricts which servers the client may connect to; it does not protect the files on the server.
Procedure
Step 1 Run:
system-view
The ACL is applied to the TFTP client to control its access to TFTP servers.
Step 6 Run:
commit
----End
Context
A Virtual Private Network (VPN) is a private network whose devices and terminals are connected
over a shared IP network. To reach a TFTP server in a VPN instance, specify vpn-instance vpn-
instance-name in the tftp command; the TFTP session is then established in that VPN instance.
To download a file, the TFTP client sends a read request to the TFTP server. The server answers
with data blocks, and the client acknowledges each block it receives.
Procedure
l Run:
Context
To upload a file, the TFTP client sends a write request to the TFTP server. The server acknowledges
the request, the client then sends the file in data blocks, and the server acknowledges each block
it receives.
Procedure
l Run:
tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
Prerequisite
The configurations of using TFTP to access other devices are complete.
Procedure
l Run the display tftp-client command to check the source address of the TFTP client.
l Run the display acl { acl-number | all } command to check ACL rules configured on the
TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
----------------------------------------------------------------------
acl4Number : 0
SrcIPv4Addr : 0.0.0.0
Interface Name : LoopBack0
----------------------------------------------------------------------
Run the display acl { acl-number | all } command to view ACL rules configured on the TFTP
client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules
Acl's step is 5
Acl's match-order is config
rule 5 permit ip source 1.1.1.1 0 (2 times matched)
rule 10 permit ip source 9.9.9.9 0 (3 times matched)
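How the basic ACL applied to the TFTP client decides which servers may be reached, as an added Python example (not NE5000E or Huawei code). It parses rule lines in the form shown by display acl above and evaluates candidate server addresses. The wildcard is an inverse mask: 0 means the whole address must match, 0.0.0.255 means the last octet is ignored. Rule 15 in the sample is constructed for this example and is not on the page. The action taken when no rule matches depends on the module that applies the ACL and is not stated on this page, so it is an explicit parameter here; default_permit=False is an assumption.

```python
"""Added example (not NE5000E code): evaluate a Huawei basic ACL (2000-2999)
against candidate TFTP server addresses, using the rule syntax of display acl."""
import ipaddress
import re

# 'display acl 2001' output from this page, plus one constructed deny rule
# (rule 15) with a non-zero wildcard to show the inverse-mask semantics.
DISPLAY_ACL_2001 = """
Basic acl 2001, 3 rules
Acl's step is 5
Acl's match-order is config
rule 5 permit ip source 1.1.1.1 0 (2 times matched)
rule 10 permit ip source 9.9.9.9 0 (3 times matched)
rule 15 deny ip source 10.0.0.0 0.0.0.255
"""

# Accepts both the display form ('permit ip source ...') and the configuration
# form ('permit source ...'); a rule with no source clause matches every address.
RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)(?:\s+ip)?"
    r"(?:\s+source\s+(?P<src>any|\S+)(?:\s+(?P<wild>\S+))?)?"
)


def parse_basic_acl(text):
    """Return [(rule_id, action, addr, care)] in the order rules are matched.
    care has 1 bits where the source address must equal addr (inverse of the
    wildcard); a wildcard of 0 therefore means an exact host match."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                                   # header lines, counters, etc.
        src, wild = m.group("src"), m.group("wild")
        if src is None or src == "any":
            addr, care = 0, 0                          # nothing to compare: matches all
        else:
            wild_int = 0 if wild in (None, "0") else int(ipaddress.IPv4Address(wild))
            care = 0xFFFFFFFF ^ wild_int
            addr = int(ipaddress.IPv4Address(src)) & care   # bits under the wildcard are ignored
        rules.append((int(m.group("id")), m.group("action"), addr, care))
    if "match-order is auto" in text:
        rules.sort(key=lambda r: -bin(r[3]).count("1"))   # auto: most specific rule first
    return rules


def acl_decision(rules, server_ip, default_permit=False):
    """First matching rule wins; returns (action, rule_id).  default_permit is an
    assumption: what happens to an unmatched address depends on the module that
    applies the ACL, and this page does not state it for the TFTP client."""
    ip = int(ipaddress.IPv4Address(server_ip))
    for rule_id, action, addr, care in rules:
        if (ip & care) == addr:
            return action, rule_id
    return ("permit" if default_permit else "deny"), None


def reachable_servers(acl_text, candidates, default_permit=False):
    """Map each candidate TFTP server address to the ACL's decision."""
    rules = parse_basic_acl(acl_text)
    return {ip: acl_decision(rules, ip, default_permit) for ip in candidates}
```

Because a basic ACL is evaluated in configuration order (match-order config, as displayed above), a broad permit placed before a narrow deny silences the deny; check the rule order, not only the rule set, when reviewing a TFTP client ACL.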
Applicable Environment
When you need to transfer files with a remote FTP server or manage directories of the server,
you can configure the current device as an FTP client and then access the FTP server by using
FTP.
Pre-configuration Tasks
Before using FTP to access another device, complete the following task:
l Configuring User Login
Configuration Procedures
5.5.1 (Optional) Configuring the Source Address for the FTP Client
You can configure a source address for an FTP client and use it to establish FTP connections, so
that the FTP server sees the client at a fixed, known address.
Context
You can assign an IP address to an interface on the router and use this IP address as the source
address of FTP connections. A fixed source address (typically a loopback interface address) lets
the FTP server restrict access to that one address, and keeps the client's address stable when the
outbound interface changes.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp client-source { -a ip-address | -i interface-type interface-number }
After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.
Step 3 Run:
commit
----End
Context
Commands can be run in the user or FTP client view to establish connections with remote FTP
servers.
NOTE
l If the ftp command without any parameters is used in the user view to establish a control connection
to an FTP server, the FTP client view is displayed but the connection is not established.
l When using the ftp command in the user view or the open command in the FTP client view to establish
a control connection to a remote FTP server, if the listening port number of the FTP server is the default
one, you do not need to specify the listening port number in the command; otherwise, you must specify
the listening port number in the command.
Perform either of the following operations on the FTP client based on the type of IP address of
the server:
Procedure
l If the server has an IPv4 address, use commands listed in Table 5-1 to connect the client
to other devices.
Table 5-1 Using FTP commands to connect the FTP client to other devices
View Operation
l If the server has an IPv6 address, use commands listed in Table 5-2 to connect the client
to other devices.
Table 5-2 Using FTP commands to connect the FTP client to other devices
View Operation
----End
Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ portnumber ]
command to use an IPv6 address to establish a connection to the FTP server and enter the
FTP client view.
Managing files
Configuring the file type:
l Run the ascii command to set the file type to ASCII.
l Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used. Transfer system
software, patches, and configuration files in binary mode; ASCII mode rewrites line endings and
corrupts such files.
Configuring the data connection mode:
l Run the passive command to set the data connection mode to PASV.
l Run the undo passive command to set the data connection mode to ACTIVE.
By default, the PASV mode is used.
Enabling the file transfer prompt function:
l If the prompt command is run in the FTP client view to enable the file transfer prompt
function, the system prompts you to confirm the uploading or downloading operation during
file uploading or downloading.
l If the prompt command is run again in the FTP client view, the file transfer prompt function
is disabled.
NOTE
The prompt command is applicable to the scenario where the mput or mget command is used to upload or
download files. If the local device already has a file that the mget command would download, the system
prompts you to overwrite the existing file regardless of whether the file transfer prompt function is enabled.
----End
Context
After the device, functioning as an FTP client, has established a connection to an FTP server, you
can change the logged-in user so that users with different rights can access the server. Changing
the logged-in user reuses the established FTP control connection; the connection and its status
do not change.
If the user name or password entered for the new user is incorrect, the established connection is
closed. To access the server again, the user must log in to the FTP server again from the FTP client.
NOTE
After logging in to the HUAWEI NetEngine5000E, you can log in to the FTP server by using another user
name without logging out of the FTP client view. The established FTP connection is identical with that
established by running the ftp command.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ portnumber ]
command to use an IPv6 address to establish a connection to the FTP server and enter the
FTP client view.
Step 2 Run:
user user-name [ password ]
The logged-in user is changed, and the rights of the new user apply to the FTP session. Where
possible, enter the password at the prompt rather than on the command line, so that it does not
appear in terminal logs or the command history.
After the logged-in user is changed, the session of the original user with the FTP server ends.
Step 3 Run:
commit
----End
Context
After the number of users logging in to an FTP server reaches the upper limit, no more valid
users can log in. To allow valid users to log in to the FTP server, terminate idle connections to
the FTP server.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ portnumber ]
command to use an IPv6 address to establish a connection to the FTP server and enter the
FTP client view.
Step 2 Perform either of the following operations as needed to terminate an FTP connection.
l Run the bye or quit command to terminate the connection to the FTP server and return to the
user view.
l Run the close or disconnect command to terminate the connection to the FTP server and the
FTP session but remain in the FTP client view.
----End
Prerequisite
The configurations of accessing other devices by using FTP are complete.
Procedure
l Run the display ftp-client command to check the source address of the FTP client.
----End
Example
After configuring the source IP address of the FTP client, run the display ftp-client command
to view the configuration.
<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr : 10.1.1.1
Interface Name :
-----------------------------------------
After configuring the loopback interface of the FTP client, run the display ftp-client command
to view the configuration.
<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr : 0.0.0.0
Interface Name : LoopBack0
-----------------------------------------
Applicable Environment
SFTP (SSH File Transfer Protocol) is a file transfer protocol that runs inside an SSH connection;
it is not FTP tunneled over SSH. Because it inherits SSH authentication and encryption, SFTP
lets users log in to a remote device securely to manage and transfer files. As the device can function
as an SFTP client, you can log in to a remote SSH server from the device to transfer files securely.
Pre-configuration Tasks
Before using SFTP to access other devices, complete the following task:
l Configuring a route between the client and the server to make them routable
Configuration Procedures
Perform either of the following procedures to allow users to log in to the system successfully at
the first time:
l Enable first-time authentication on the SSH client.
l Bind the RSA public key generated on the SSH server to the SSH client.
Then use SFTP to log in to other devices, and use SFTP commands to operate files.
Context
You can assign an IP address to an interface on the SFTP client and use this IP address as the
source address of SFTP connections, so that the SSH server sees the client at a fixed, known
address and can restrict access accordingly.
The source address for an SFTP client can be specified as a source interface or a source IP address.
Procedure
Step 1 Run:
system-view
Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }
Step 3 Run:
commit
----End
Context
When first-time authentication is enabled on the SSH client, the SFTP client does not check the
validity of the RSA public key of the SSH server when it logs in to that server for the first time:
it accepts the key the server presents, saves it under the server's address, and uses the saved key
to authenticate the server during subsequent logins. A host impersonating the server during that
first login is therefore not detected.
Do as follows on the router that functions as an SSH client:
Procedure
Step 1 Run:
system-view
----End
Context
If first-time authentication is disabled, the SFTP client cannot log in to the SSH server because
the validity check of the RSA public key fails. Therefore, the RSA public key generated on the
server must be bound to the server's address on the client before the SFTP client logs in to the server.
Procedure
Step 1 Run:
system-view
NOTE
After entering the public key edit view, copy and paste the RSA public key generated on the server to the
client.
Step 5 Run:
public-key-code end
Exit from the public key view, and the system view is displayed.
Step 7 Run:
ssh client server-ip-address assign rsa-key key-name
NOTE
If the public key saved on the SSH client becomes invalid (for example, after the server generates a new
key pair), run the undo ssh client server-ip-address assign rsa-key command to cancel the binding between
the SSH server and the saved public key on the client, and then run the ssh client server-ip-address assign
rsa-key key-name command to bind the new RSA public key to the server.
Step 8 Run:
commit
----End
5.6.4 Using SFTP to Connect the SSH Client to the SSH Server
You can log in to an SSH server from an SSH client by using SFTP.
Context
The command used to connect the SFTP client is similar to the command used to connect the
STelnet client. Both commands can carry the source address, key exchange algorithm,
encryption algorithm, HMAC algorithm, and Keepalive interval. Of the algorithms the command
accepts, prefer aes128 for encryption and sha1 for the HMAC; des (56-bit key) and md5 are weak
and should be specified only when the server supports nothing else.
Do as follows on the device that functions as an SSH client:
Procedure
Step 1 Run:
system-view
The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.
Step 3 Run:
commit
----End
Context
After logging in to the SSH server from the SFTP client, you can perform the following
operations on the SFTP client:
l Create and delete directories of the SSH server; view the current working directory; view
files in a directory and the list of sub-directories.
l Rename, delete, upload, and download files.
l View command help on the SFTP client.
Do as follows on the router that functions as an SSH client:
Procedure
Step 1 Run:
system-view
Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ]
[ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 |
dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ]
* [ -ki aliveinterval [ -kc alivecountmax ] ]
The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.
Managing files on the server:
l Renaming a file on the server: run the rename old-name new-name command.
l Deleting files from the server: run the remove path &<1-10> command.
Displaying command help on the SFTP client: run the help [ all | command-name ] command.
----End
Prerequisite
The configurations of using SFTP to access other devices are complete.
Procedure
l Run the display sftp-client command to check the source address of the SSH client.
l Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.
----End
Example
Run the display sftp-client command on the client to view parameters about the SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1
Run the display ssh server-info command to view mappings between servers and RSA public
keys on the client.
<HUAWEI> display ssh server-info
Server Name(IP) Server public key name
________________________________________________________________________
1000::1 1000::1
10.1.1.1 10.1.1.1
100.1.1.23 100.1.1.23
10.164.1.1 10.164.1.1
10.164.1.2 10.164.1.2
Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, you can log in to other devices
by using Telnet from the device that you have logged in to.
As shown in Figure 5-9, a user can telnet to P1 but cannot directly telnet to P2. P1 and P2 are
routable. The user logs in to P1, and then telnet to P2 to remotely configure and manage P2.
Figure 5-9 Networking diagram for using Telnet to log in to another device
(PC - P1 GE1/0/1 1.1.1.1/24 - P2 GE1/0/1 2.1.1.1/24, connected over IP networks; one Telnet
session from the PC to P1 and a second from P1 to P2)
Precautions
l P1 and P2 must be routable.
l The user must be able to log in to P1.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode and password on P2.
2. Log in to P2 from P1.
Data Preparation
To complete the configuration, you need the following data:
l Host address of P2: 2.1.1.1
l Authentication mode: password (password: hello; in this example the password is set with the
simple keyword and therefore appears in clear text in the configuration file of P2, as shown below)
Procedure
Step 1 Configure the Telnet authentication mode and password.
<HUAWEI> system-view
[~HUAWEI] sysname P2
[~HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode password
[~P2-ui-vty0-4] set authentication password simple hello
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit
# Configure a basic ACL that permits only P1 (1.1.1.1) and apply it to the VTY user interfaces,
so that only P1 can telnet to P2.
[~P2] acl number 2000
[~P2-acl-basic-2000] rule 5 permit source 1.1.1.1 0
[~P2-acl-basic-2000] commit
[~P2-acl-basic-2000] quit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] acl 2000 inbound
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit
NOTE
After the configurations are complete, the user can telnet from P1 to P2.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] quit
<P1> telnet 2.1.1.1
Trying 2.1.1.1
Press CTRL+K to abort
Connected to 2.1.1.1
Username: root
Password:
<P2>
----End
Configuration Files
l Configuration file of P1
#
sysname P1
#
interface gigabitethernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
admin
return
l Configuration file of P2
#
sysname P2
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
set authentication password simple hello
acl 2000 inbound
#
admin
return
Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Login by using Telnet brings security
risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.
STelnet provides secure Telnet services based on SSH connections. Providing encryption and
authentication, SSH protects devices against attacks of IP address spoofing and plain text
password interception. As shown in Figure 5-10, after the STelnet server function is enabled
on the SSH server, the STelnet client can log in to the SSH server in the authentication mode of
password, RSA, password-RSA, or all.
Figure 5-10 Networking diagram for logging in to another device by using STelnet
(SSH Server GE0/0/0 1.1.1.1/16; two STelnet clients, GE0/0/0 1.1.2.2/16 and GE0/0/0 1.1.3.3/16,
connected over an IP network)
Precautions
Two users client001 and client002 are configured to log in to the SSH server in the authentication
mode of password and RSA respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts to
log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first-time authentication on the SSH client.
6. Client001 and client002 log in to the SSH server by using STelnet.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
NOTE
l The default modulus of 512 bits is too small to resist factoring and must not be used; choose the largest
modulus the device supports (2048 in this version). Generating a large key takes a few minutes.
l There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
# Client001 logs in to the SSH server in password authentication mode by entering the user name
and password.
[~client001] stelnet 1.1.1.1
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:
Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>
If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status, display ssh server
session and display ssh server statistics commands on the SSH server. You can find that the
STelnet server function has been enabled, and the STelnet client has logged in to the server
successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Disable
Stelnet server : Enable
Session : 2
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------
----End
Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 service-type stelnet
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return
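A management-plane review of the two configuration files reproduced in this chapter (P2 in the Telnet example, and the SSH server above), as an added Python example; it is not NE5000E or Huawei code. The checks are limited to what those files show: a password stored with the simple keyword is kept in clear text in the configuration; a VTY without protocol inbound ssh accepts the platform's default inbound protocol set rather than SSH only; a VTY without acl inbound has no source-address restriction; a VTY with a shared set authentication password has no per-user accounts. The rsa peer-public-key block of the SSH server is left out of the sample because none of these checks reads it. Severity labels are the example's own.

```python
"""Added example (not Huawei code): audit the management-plane settings in a
VRP configuration file for the weaknesses visible in this chapter's examples."""

# Configuration file of P2 from the Telnet example in this chapter.
P2_CONFIG = """\
#
sysname P2
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
 set authentication password simple hello
 acl 2000 inbound
#
admin
return
"""

# Configuration file of the SSH server above; the rsa peer-public-key block is
# left out because it carries nothing the audit checks.
SSH_SERVER_CONFIG = """\
#
sysname SSH Server
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 service-type stelnet
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return
"""


def config_blocks(text):
    """Split a VRP configuration into its '#'-delimited blocks (stripped lines)."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_management_plane(text):
    """Return [(severity, finding)]; an empty list means nothing was flagged."""
    findings = []
    for block in config_blocks(text):
        head = block[0]
        for line in block:
            if "password simple" in line:          # 'simple' = clear text in the saved config
                findings.append(("high", "clear-text password in configuration: " + line))
            if line.startswith("ssh user") and line.endswith("authentication-type password"):
                findings.append(("info", line + ": password login; RSA public-key "
                                 "authentication (as for client002) removes the password "
                                 "from the login path"))
        if head.startswith("user-interface vty"):
            if not any(l.startswith("protocol inbound ssh") for l in block):
                findings.append(("high", head + ": no 'protocol inbound ssh', so the VTY "
                                 "is not restricted to SSH"))
            if not any(l.startswith("acl ") and l.endswith(" inbound") for l in block):
                findings.append(("medium", head + ": no inbound ACL, logins accepted from "
                                 "any source address"))
            if any(l.startswith("set authentication password") for l in block):
                findings.append(("medium", head + ": one shared VTY password instead of "
                                 "per-user AAA accounts"))
    return findings
```

Run against the two files, P2 is flagged for the clear-text VTY password, the shared password, and the unrestricted protocol set (its inbound ACL passes), while the SSH server is flagged for the clear-text local-user password and the missing VTY ACL, with an informational note on client001's password login.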
Networking Requirements
In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP brings
complicated interactions between terminals and servers, which is hard to implement on terminals
that are not installed with advanced operating systems. TFTP is designed for file transfer that
does not need complicated interactions between terminals and servers. It is simple, requiring a
few costs. TFTP can be used only for simple file transfer without authentication.
As shown in Figure 5-11, a user logs in to the TFTP client from a PC, and upload files to and
download files from the TFTP server.
Figure 5-11 Networking diagram for accessing another device by using TFTP
(PC - TFTP client - TFTP server 10.111.16.160/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the directory of source files on the
server.
2. Use TFTP commands on the TFTP client to download files.
3. Use TFTP commands on the TFTP client to upload files.
Data Preparation
To complete the configuration, you need the following data:
l TFTP software to be installed on the TFTP server
l Name of the file to be downloaded and path of the file on the TFTP server
l Name of the file to be uploaded and path of the file on the TFTP client
Procedure
Step 1 Enable the TFTP server function.
Enter the directory in which the file to be downloaded resides on the TFTP server in the Current
Directory column, as shown in Figure 5-12.
NOTE
Change to the tftpservermt directory on the TFTP server host and run the following
command:
/home/tftpservermt # ./tftpserver -v -i tftpserver.ini
TFTP Server MultiThreaded Version 1.61 Unix Built 1611
starting TFTP...
username: root
alias / is mapped to /home/
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 3
file read allowed: Yes
file create allowed: Yes
file overwrite allowed: Yes
thread pool size: 1
listening on: 0.0.0.0:69
Accepting requests..
Step 2 Log in to the TFTP client from the HyperTerminal to download a file.
<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select
[Y/N]:y
Transfer file in binary mode.
Please wait for a while...
/
3338 bytes transferred
File transfer completed
Run the dir command on the TFTP client to view the directory in which the downloaded file is
saved.
<HUAWEI> dir
Directory of 0/17#cfcard:/
Step 4 Log in to the TFTP client from the HyperTerminal to upload a file.
<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode.
Please wait for a while...
\ 100% [***********]
File transfer completed
----End
Configuration Files
None.
Networking Requirements
When you need to transfer files with a remote FTP server or manage directories of the server,
you can configure the current device as an FTP client and then access the FTP server by using
FTP.
As shown in Figure 5-13, the FTP client and server can reach each other. You can log in to the FTP
server from the FTP client to download system software from the FTP server and configure the
software on the client.
Figure 5-13 Networking diagram for accessing another device by using FTP (FTP client GE1/0/1 2.1.1.1/24 and FTP server GE1/0/1 1.1.1.1/24, connected over the network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password for an FTP user to log in to the FTP server and the
directory that the user will access.
2. Enable the FTP server function.
3. Run login commands to log in to the FTP server.
4. Configure the file transfer mode and working directory to allow the client to download files
from the server.
Data Preparation
To complete the configuration, you need the following data:
l User name: huawei; password: 123
l IP address of the FTP server: 1.1.1.1
l Name of the file to be downloaded and directory of the file
Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] local-user huawei password simple 123
[~HUAWEI-aaa] local-user huawei service-type ftp
[~HUAWEI-aaa] local-user huawei ftp-directory cfcard:/
[~HUAWEI-aaa] commit
[~HUAWEI-aaa] quit
Step 4 Set the file transfer mode to binary and the working directory to new_dir:/ on the FTP client.
[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit
Step 5 Download the latest system software from the FTP server on the FTP client.
[ftp] get VRPV800R002C00B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for VRPV800R002C00B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
Run the dir command to check whether the required file has been downloaded to the client.
----End
Configuration Files
l Configuration file on the FTP server
#
aaa
local-user huawei password simple 123
local-user huawei ftp-directory cfcard:/
local-user huawei service-type ftp
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
ftp server enable
#
admin
return
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
admin
return
Networking Requirements
SFTP is based on SSH connections. SFTP ensures that users log in to a remote device securely
to manage and transfer files, enhancing secure file transfer. As the device can function as an
SFTP client, you can log in to a remote SSH server from the device to transfer files securely.
As shown in Figure 5-14, after the SFTP server function is enabled on the SSH server, the SFTP
client can log in to the SSH server in the authentication mode of password, RSA, password-
RSA, or all.
Figure 5-14 Networking diagram for accessing another device by using SFTP (SSH Server GE0/0/0 1.1.1.1/16; two SFTP clients GE0/0/0 1.1.2.2/16 and 1.1.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts to
log in to the server.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Client001 and client002 log in to the SSH server in SFTP mode to obtain files on the
server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] :
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
l Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code] 3047
[~SSH Server-rsa-key-code] 0240
[~SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[~SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[~SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[~SSH Server-rsa-key-code] 1D7E3E1B
[~SSH Server-rsa-key-code] 0203
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in RSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[~SSH Server] ssh user client001 sftp-directory cfcard:
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:
Session : 2
Conn : SFTP 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : rsa
Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : -
Service-type : sftp
----------------------------------------------------
----End
Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return
#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.3.3 255.255.0.0
#
ssh client first-time enable
#
admin
return
Networking Requirements
The default SSH listening port number is 22. If attackers continuously access this port, bandwidth
resources are consumed and performance of the server deteriorates. As a result, valid users
cannot access the server.
If the listening port number of the SSH server is changed to a non-default one, attackers do not
know the change and continue to send requests for socket connections to port 22. The SSH server
denies the connection requests because the listening port number is incorrect.
Valid users can set up socket connections with the SSH server by using the new listening port
number and then perform the following: negotiate the SSH protocol version, negotiate the
algorithms, generate the session key, authenticate, send the session request, and interact in the
session.
Figure 5-15 Example for accessing the SSH server by using a non-default listening port number (SSH Server GE0/0/0 1.1.1.1/16; two SSH clients GE0/0/0 1.1.2.2/16 and 1.1.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts to
log in to the server.
3. Enable the STelnet and SFTP server functions on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Configure a non-default listening port number of the SSH server to allow only valid users
to access the server.
6. Client001 and client002 log in to the SSH server by using STelnet and SFTP respectively.
Data Preparation
To complete the configuration, you need the following data:
l Client001: password authentication (password: huawei) and STelnet service type
l Client002: RSA authentication (public key: RsaKey001) and SFTP service type
l IP address of the SSH server: 1.1.1.1
l Listening port number of the SSH server: 1025
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~SSH Server] commit
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code] 3047
[~SSH Server-rsa-key-code] 0240
[~SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[~SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[~SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[~SSH Server-rsa-key-code] 1D7E3E1B
[~SSH Server-rsa-key-code] 0203
[~SSH Server-rsa-key-code] 010001
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server-rsa-public-key] commit
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:
[~SSH Server] commit
Step 4 Enable the STelnet and SFTP server functions on the SSH server.
[~SSH Server] stelnet server enable
[~SSH Server] sftp server enable
[~SSH Server] commit
# The STelnet client logs in to the SSH server by using the new listening port number.
[~client001] stelnet 1.1.1.1 1025
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:
Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<SSH Server>
# The SFTP client logs in to the SSH server by using the new listening port number.
[~client002] sftp 1.1.1.1 1025
After the configuration is complete, run the display ssh server status, display ssh server
session, and display ssh server statistics commands on the SSH server. The command output
shows the current listening port number of the SSH server and that the STelnet or SFTP client
has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Enable
SSH server port : 1025
Session : 2
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
---------------------------------------
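The display output above is the place to confirm that the non-default port is actually in effect, and the same output lists the negotiated algorithms and the denied-connection counters. The following Python script is an added example, not part of this guide: it parses the "Name : value" lines of display ssh server status, session and statistics into a dictionary, reads back the listening port, sums the denied counters, and flags the session properties a reviewer would look at (SSH version 1.99 means SSH1 compatibility is still on, CBC ciphers, SHA-1 based or truncated MACs, the 1024-bit group1 key exchange). The function names are mine and the sample text is an excerpt of the output shown in this example.

```python
import re

# Constructed sample: an excerpt of the display ssh server status, session
# and statistics output shown in this example, pasted as captured text.
SAMPLE_OUTPUT = """\
[~SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Enable
SSH server port : 1025
[~SSH Server] display ssh server session
Session : 2
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
[~SSH Server] display ssh server statistics
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total online connection : 5
"""

# "Name : value"; the name is letters and spaces, the value is the rest of the line.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_fields(output: str) -> dict:
    """Map each 'Name : value' line to a dict entry; command echo lines do not match."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def listening_port(fields: dict) -> int:
    """Port reported by display ssh server status (22 if the line is absent)."""
    return int(fields.get("SSH server port", "22"))


def denied_connections(fields: dict) -> int:
    """Sum of the 'Total connection denied by ...' counters."""
    return sum(int(v) for k, v in fields.items()
               if k.startswith("Total connection denied by"))


def audit(fields: dict) -> list:
    """Return human-readable findings about the server status and the session."""
    findings = []
    if fields.get("SSH version") == "1.99":
        findings.append("SSH version 1.99: SSH1 compatibility is enabled alongside SSH2")
    if listening_port(fields) == 22:
        findings.append("listening on default port 22")
    if fields.get("SSH server key generating interval") == "0 hours":
        findings.append("server key generating interval is 0 hours: key is never regenerated")
    for side in ("CTOS", "STOC"):
        cipher = fields.get(f"{side} Cipher", "")
        if cipher.endswith("-cbc"):
            findings.append(f"{side} cipher {cipher}: CBC mode, prefer a CTR or GCM cipher")
        mac = fields.get(f"{side} Hmac", "")
        if mac.endswith("-96") or "sha1" in mac:
            findings.append(f"{side} MAC {mac}: truncated or SHA-1 based")
    kex = fields.get("Kex", "")
    if kex == "diffie-hellman-group1-sha1":
        findings.append(f"kex {kex}: 1024-bit MODP group with SHA-1")
    if fields.get("Authentication Type") == "password":
        findings.append("session authenticated by password only")
    return findings


if __name__ == "__main__":
    f = parse_fields(SAMPLE_OUTPUT)
    print("listening port:", listening_port(f))
    print("denied connections:", denied_connections(f))
    for item in audit(f):
        print("-", item)
```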
----End
Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
ssh server port 1025
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return
Networking Requirements
As shown in Figure 5-16, PE1 is an SSH client located on the MPLS backbone network, and
CE1 functions as an SSH server located on the private network with the AS number of 65410.
It is required that public network users securely access and manage CE1 after logging in to PE1.
Figure 5-16 Networking diagram for configuring an SSH client on the public network to access
an SSH server on a private network (MPLS backbone AS 100; CE1 (SSH server) GE1/0/1 10.1.1.1/24; CE2 GE1/0/1 10.1.2.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the MPLS backbone network.
Configure an IGP to allow PEs and the P on the MPLS backbone network to communicate with
each other. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on
the MPLS backbone network.
For detailed configurations, see the configuration files in this example.
Step 2 Configure VPN instances on PEs and connect CEs to PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1] vpn-target 111:1 both
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface gigabitethernet 1/0/1
[~PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet1/0/1] undo shutdown
[~PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[~PE1-GigabitEthernet1/0/1] quit
[~PE1] commit
# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] route-distinguisher 200:1
[~PE2-vpn-instance-vpn1] vpn-target 111:1 both
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet 1/0/1
[~PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet1/0/1] undo shutdown
[~PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24
[~PE2-GigabitEthernet1/0/1] quit
[~PE2] commit
# Configure IP addresses for interfaces on CEs based on Figure 5-16. The configuration details
are not provided here.
After the configuration is complete, run the display ip vpn-instance verbose command on PEs.
You can view the configurations of VPN instances. Each PE can successfully ping its connected
CE.
NOTE
When there are multiple interfaces on a PE bound to the same VPN instance, specify the source address in
the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE
connected to the peer PE. Otherwise, the ping may fail.
Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN routes.
# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] import-route direct
[~CE1-bgp] quit
[~CE1] commit
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpn1] import-route direct
[~PE1-bgp-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit
# Configure CE2.
[~CE2] bgp 65420
[~CE2-bgp] peer 10.1.2.2 as-number 100
[~CE2-bgp] import-route direct
[~CE2-bgp] quit
[~CE2-bgp] commit
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[~PE2-bgp-vpn1] import-route direct
[~PE2-bgp-vpn1] quit
[~PE2-bgp] quit
[~PE2-bgp] commit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can find that the EBGP peer relationships between PEs and the CEs are in the
Established state.
Use the peer relationship between PE1 and CE1 as an example.
[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 3 3 0 00:00:37 Established 1
# Copy the RSA public key generated on the client to the server.
[~CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~CE1-rsa-key-code] 3067
[~CE1-rsa-key-code] 0240
[~CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[~CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[~CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[~CE1-rsa-key-code] E2EE8EB5
[~CE1-rsa-key-code] 0203
[~CE1-rsa-key-code] 010001
[~CE1-rsa-key-code] public-key-code end
[~CE1-rsa-public-key] peer-public-key end
[~CE1-rsa-public-key] quit
[~CE1] commit
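The key code pasted into the rsa-key-code view here, and in the SFTP and non-default-port examples earlier in this chapter, is the DER encoding of an RSAPublicKey (a SEQUENCE holding the modulus and exponent INTEGERs) written out as hex. The following Python script is an added example, not part of this guide: it decodes that hex, rebuilds the ssh-rsa line the client displays, and computes the SHA256 fingerprint, so the key code pasted on the server can be compared with the client's own display before a user is bound to it. The function names are mine; the inputs are the client002 key code and ssh-rsa line from the non-default-port example, plus a 1024-bit key code from a configuration file in this chapter to exercise long-form DER lengths.

```python
import base64
import hashlib

# Input copied from the guide: the key code of client002 pasted into the
# rsa-key-code view in the non-default listening port example.
CLIENT002_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""

# The ssh-rsa line the client printed for the same key (also from the guide).
CLIENT002_OPENSSH = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)

# A 1024-bit key code from a configuration file in this chapter; its headers
# use the long-form DER lengths (30 81 88 and 02 81 80).
RSAKEY001_KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
"""


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Short-form lengths (< 0x80) and long-form lengths (0x81 nn, 0x82 nn nn) are both handled."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("DER length runs past the end of the key code")
    return tag, value, pos + length


def parse_key_code(key_code: str):
    """Decode a Huawei public-key-code hex block into (modulus, exponent)."""
    der = bytes.fromhex("".join(key_code.split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE (RSAPublicKey)")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(value: int) -> bytes:
    # RFC 4251 mpint: a leading 0x00 is added when the top bit is set, which is
    # why the client shows length 0x41 (65 bytes) for a 64-byte modulus.
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _ssh_blob(n: int, e: int) -> bytes:
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_openssh(n: int, e: int, comment: str = "rsa-key") -> str:
    """Build the 'ssh-rsa AAAA... comment' line in the form the client displays."""
    return "ssh-rsa " + base64.b64encode(_ssh_blob(n, e)).decode("ascii") + " " + comment


def fingerprint(n: int, e: int) -> str:
    """SHA256 fingerprint in OpenSSH notation (base64 without padding)."""
    digest = hashlib.sha256(_ssh_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_key_code(key_code: str, expected_openssh: str) -> bool:
    """True when the pasted key code renders to the ssh-rsa line the client displayed."""
    n, e = parse_key_code(key_code)
    return to_openssh(n, e).split()[1] == expected_openssh.split()[1]


if __name__ == "__main__":
    n, e = parse_key_code(CLIENT002_KEY_CODE)
    print(f"modulus bits: {n.bit_length()}, exponent: {e}")
    print(to_openssh(n, e))
    print(fingerprint(n, e))
    print("matches client display:", check_key_code(CLIENT002_KEY_CODE, CLIENT002_OPENSSH))
```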
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
l If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.
# Create an SSH user named client002, configure RSA authentication for the user, and bind
the RSA public key to client002.
[~CE1] ssh user client002
[~CE1] ssh user client002 authentication-type rsa
[~CE1] ssh user client002 assign rsa-key RsaKey001
# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[~CE1] ssh user client002 service-type sftp
[~CE1] ssh user client002 sftp-directory cfcard:
[~CE1] commit
Step 7 Enable the STelnet and SFTP server functions on the SSH server.
[~CE1] stelnet server enable
[~CE1] sftp server enable
[~CE1] commit
Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).
# If the client logs in to the server for the first time, enable first-time authentication on the client.
[~PE1] ssh client first-time enable
[~PE1] commit
Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
<CE1>
After the login succeeds, the following prompt is displayed, and you can operate files by
using SFTP.
<sftp-client>
After the configuration is complete, run the display this command in the interface view on PE1.
You can find that the VPN instance has been successfully configured. Run the display ssh server
session and display ssh server statistics commands on CE1. You can find that the STelnet or
SFTP client has been successfully connected to the SSH server.
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
rsa peer-public-key rsakey001
public-key-code begin
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface NULL0
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
ssh client first-time enable
#
admin
return
l Configuration file of the P
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos1/0/2
undo shutdown
link-protocol ppp
ip address 200.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 200.1.1.0 0.0.0.255
#
admin
return
l Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.2.2 255.255.255.0
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 200.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.2.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 200.1.1.0 0.0.0.255
#
admin
return
This chapter describes the command line interface that is used to maintain the device routinely.
After a user enters a command line in a view, the system displays the corresponding information
or an error prompt.
You can enter the commands provided by the system through the CLI to configure and manage
the router.
l The system supports commands of up to 1024 characters, including commands in incomplete form.
l If a command in incomplete form is run, the system saves it to the configuration file in its complete
form, which may exceed 1024 characters. In that case, the command cannot be restored after the
system restarts. Therefore, pay attention to the length of a command entered in incomplete form.
Applicable Environment
Before using the command line to configure services, you can establish the basic running
environment for the command line to meet the requirements of the actual environment.
Pre-configuration Tasks
Before establishing the running environment for the command line, complete the following
tasks:
l Installing the router and powering it on properly
l Logging in to the router as a client
Configuration Procedures
To establish the running environment for the command line, perform the following procedures.
Context
The login alert is the message displayed after you access the router or pass authentication,
and before you start to exchange configurations with the system. The login alert is configured
to give an explicit indication of your login.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Context
If you do not adjust command levels individually, then after the command levels are updated, all
originally registered command lines are adjusted automatically according to the following rules:
l The commands of Level 0 and Level 1 remain unchanged.
l The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated
to Level 15.
l No command lines exist in Levels 2 to 9 or Levels 11 to 14. You can adjust individual
command lines to these levels to refine the management of privileges.
CAUTION
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.
Procedure
Step 1 Run:
system-view
When no password is configured for a Level 15 user, the system prompts you to set a super
password for the Level 15 user. At the same time, the system asks whether you want to continue
with the update of command line levels. Select "N" to set a password first. If you select "Y",
the command levels are updated in batches immediately; as a result, a user who does not log in
through the Console port cannot update the level.
Step 3 Run:
command-privilege level level view view-name command-key
All commands have default command views and levels. You do not need to reconfigure them.
----End
Procedure
Step 1 Run:
lock
----End
Applicable Environment
Before configuring services through command lines, you need to understand the basic operations
of command lines.
Pre-configuration Tasks
Before using command lines, complete the following tasks:
Configuration Procedures
To use command lines, perform the following procedures as required.
# Set up a connection with the router. If the default configuration is adopted on the router, enter
the user view. The prompt on the screen is displayed as follows:
<HUAWEI>
NOTE
The command line prompt "HUAWEI" is the default host name, and it can be specified by the sysname
command. The current view can be determined from the prompt. For example, "<>" indicates the
user view; "[]" indicates any view except the user view.
You can run the quit command to quit the current view and enter a view of a lower level. If the
current view is the user view, the system is exited.
You can run the return command to quit the current view and enter the user view. If the current
view is the user view, the user view is still displayed.
Certain commands that can be run in the system view can also be run in other views. The function
that can be realized through a command, however, is determined by the command view where
the command is run. For example, the mpls command is run to enable MPLS. If the mpls
command is run in the system view, it indicates that MPLS is enabled globally; if the mpls
command is run in the interface view, it indicates that MPLS is enabled on the corresponding
interface.
The CLI on the NE5000E provides the basic editing function of command lines and supports
multi-line editing. Each command can contain up to 1024 characters.
Key Function
Common key: Inserts a character at the cursor position and moves the cursor to the right, provided that the editing buffer is not full.
BackSpace: Deletes the character before the cursor and moves the cursor to the left. If the cursor is already at the head of the command, the system does not respond.
Up cursor key or Ctrl_P: Accesses the previous historical command. The previous historical command is displayed if an earlier one exists.
Down cursor key or Ctrl_N: Accesses the next historical command. The next historical command is displayed if a later one exists; otherwise, the command is cleared.
NOTE
On the HyperTerminal of Windows 9X, the cursor keys are invalid because HyperTerminal on Windows 9X defines the keys differently. In this case, use Ctrl_P instead of the cursor key.
Follow-up Procedure
A device automatically saves each typed historical command, that is, a piece of keyboard entry ending with Enter or "?". The display history-command command displays the commands that were run recently and helps you to search for information.
Context
The basic configuration is complete.
Procedure
l Run:
display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | interface interface-type [ interface-number ] ]
Parameters whose effective values are the same as the default values are not displayed. Configured parameters that have not taken effect are not displayed either.
----End
Procedure
Step 1 Run:
display diagnostic-information [ file-name ]
By default, the file path is cfcard:, and the extension of the file is .txt.
----End
Display Feature
When the information cannot be completely displayed on one screen, you can adopt the pause
function. You have three choices as listed in Table 6-2.
Key Function
Regular Expression
A regular expression describes a pattern that matches a set of character strings. It consists of common characters (such as the characters a to z) and special characters (also called metacharacters). The regular expression serves as a template that is matched against the searched character string.
l Checks and obtains the sub-character string that matches a certain rule in the character
string.
l Replaces the character string according to the matching rule.
l Common character
Common characters match themselves in the character string. They include all uppercase letters, lowercase letters, digits, punctuation marks, and special symbols. For example, "a" matches "a" in "abc"; "202" matches "202" in "202.113.25.155"; "@" matches "@" in "xxx@xxx.com".
l Special character
Special characters, together with common characters, match complicated or special
character strings. For example, "^10" matches "10.10.10.1" instead of "20.10.10.1".
Table 6-3 describes special characters and their syntax.
*: Matches the preceding element zero or more times. For example, 10* matches "1", "10", "100", and "1000"; (10)* matches "null", "10", "1010", and "101010".
+: Matches the preceding element one or more times. For example, 10+ matches "10", "100", and "1000"; (10)+ matches "10", "1010", and "101010".
?: Matches the preceding element zero or one time. For example, 10? matches "1" and "10"; (10)? matches "null" and "10".
[xyz]: Matches any single character listed in the brackets. For example, [123] matches the character 2 in "255".
[^xyz]: Matches any character that is not contained within the brackets. For example, [^123] matches any character except "1", "2", and "3".
[a-z]: Matches any character within the specified range. For example, [0-9] matches any character ranging from 0 to 9.
[^a-z]: Matches any character beyond the specified range. For example, [^0-9] matches all non-numeric characters.
_: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", or right parenthesis ")"; it also matches the starting position of the input string, the ending position of the input string, or a space. For example, _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
l Degeneration of special characters
Certain special characters, when being placed at the following positions in the regular
expression, degenerate to common characters.
A special character that follows "\" is escaped and matches the special character itself.
The special characters "*", "+", and "?" placed at the starting position of the regular
expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
The special character "^" placed at any position except for the start of the regular
expression. For example, abc^ matches "abc^".
The special character "$" placed at any position except for the end of the regular
expression. For example, 12$2 matches "12$2".
The right bracket such as ")" or "]" being not paired with its corresponding left bracket
"(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules are applicable when preceding regular expressions
serve as subexpressions within parentheses.
l Combination of common characters and special characters
In practice, multiple common characters and special characters, rather than a single common character and a single special character, are usually combined to match a particular character string.
The NE5000E supports the following filtering modes based on regular expressions.
For the commands supporting the regular expression, you can choose one of the following
filtering modes:
l | begin regular-expression
Outputs all the lines following the line that matches the regular expression. That is, the
system displays both the line that contains the specified character string (case sensitive)
and all the following lines to the terminal.
l | exclude regular-expression
Outputs all the lines that do not match the regular expression. That is, the system displays
only the lines that do not contain the specified character string (case sensitive) to a terminal.
If no line matches the rule, the output is null.
l | include regular-expression
Outputs only the lines that match the regular expression. That is, the system displays only
the lines that contain the specified character string (case sensitive) to a terminal. If no line
matches the rule, the output is null.
When you run the display command with filtering rules set to query configurations, note the
following:
l The first line of the output is the entire line that contains the specified character string, not a line that begins with the specified character string.
l For some functions that have been configured but whose configurations have not taken effect, the output of the display command is null.
The NE5000E supports the redirection of the output of the display command to a specified file.
There are two redirection modes:
l > filename
The output of the display command is redirected to a specified file. If the file already exists,
the content of the file is overwritten.
l >> filename
The output of the display command is appended to a specified file, with the original content
of the file unchanged.
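The three filtering modes, the NE5000E "_" metacharacter from Table 6-3, and the two redirection modes, modelled in Python as an added example (this is not code from the original guide or from Huawei). The configuration text it filters is constructed here in the layout of the display current-configuration output shown later in this chapter, and the in-memory file store stands in for the device's storage.

```python
import re

# Constructed sample output in the layout of a "display current-configuration"
# listing; it is not captured from a real device.
SAMPLE_OUTPUT = """#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
user-interface vty 0 14
 user privilege level 3
 idle-timeout 0 0
#
return"""


def translate_pattern(pattern: str) -> str:
    """Rewrite the NE5000E regular-expression dialect as a Python regex.

    Only "_" needs translating: Table 6-3 defines it as matching a comma,
    a brace, a parenthesis, a space, or the start or end of the input
    string. A "_" preceded by "\\" is an escaped literal and is passed
    through unchanged, as are all other characters.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])   # keep escape pairs intact
            i += 2
            continue
        out.append(r"(?:[,{}() ]|^|$)" if ch == "_" else ch)
        i += 1
    return "".join(out)


def display_filter(output: str, mode: str, pattern: str) -> list[str]:
    """Apply "| begin", "| exclude" or "| include" to display output.

    Matching is case sensitive and succeeds when the pattern occurs
    anywhere in a line, which is why "begin" starts at the first line that
    contains the string rather than the first line that starts with it.
    """
    rx = re.compile(translate_pattern(pattern))
    lines = output.splitlines()
    if mode == "begin":
        # The matching line itself and every line after it.
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []                       # no match: the output is null
    if mode == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if mode == "include":
        return [ln for ln in lines if rx.search(ln)]
    raise ValueError(f"unknown filter mode: {mode}")


def redirect_output(lines: list[str], mode: str, files: dict,
                    filename: str) -> None:
    """Model "> filename" (overwrite) and ">> filename" (append) on an
    in-memory file store so the example runs offline."""
    text = "\n".join(lines) + "\n"
    if mode == ">":
        files[filename] = text
    elif mode == ">>":
        files[filename] = files.get(filename, "") + text
    else:
        raise ValueError(f"unknown redirection mode: {mode}")


if __name__ == "__main__":
    # Equivalent of: display current-configuration | include ip address
    for ln in display_filter(SAMPLE_OUTPUT, "include", "ip address"):
        print(ln)
```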
Too many parameters: Indicates that too many parameters were entered.
Full Help
You can obtain full help in any of the following methods:
l Enter a "?" in any command view to obtain all the commands and their simple descriptions.
<HUAWEI> ?
l Enter a command followed by a space and a "?". If the position of "?" is for a keyword, all
the keywords and their brief description are listed. Take the following command output as
an example:
<HUAWEI> terminal ?
debugging Debug information to terminal
logging Log information to terminal
The words "debugging" and "logging" are keywords, while "Debug information to
terminal" and "Log information to terminal" are their descriptions.
l Enter a command followed by a space and a "?". If the position of "?" is for a parameter,
the value range and function of the parameter are listed. Take the following command
output as an example:
[~HUAWEI] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout (in minutes)
[~HUAWEI] ftp timeout 35 ?
<cr>
In the command output, "INTEGER<1-35791>" indicates the value range, and "The value
of FTP timeout (in minutes)" is the brief description of the parameter function. "<cr>"
indicates that no parameter is in the position. In this case, press Enter to run the command.
Partial Help
You can obtain partial help in any of the following methods:
l Enter a string followed by a "?", and then the system lists all the keywords that start with
the string.
<HUAWEI> d?
debugging delete
dir display
l Enter a command followed by a "?" if there are several matches for the keyword. Then, all the keywords that start with the string are listed.
<HUAWEI> display c?
car clock
configuration control-flap
cpu-defend cpu-monitor
cpu-usage current-configuration
l Enter the initial letters of a keyword in a command line and press Tab. Then, the complete
keyword is displayed. If there are several matches for the keyword, you can press Tab
repeatedly. Then, various keywords are displayed, and you can choose the one you need.
Applicable Environment
When configuring services through command lines, you can define shortcut keys to rapidly enter
the frequently-used commands.
Pre-configuration Tasks
Before using shortcut keys, complete the following tasks:
Configuration Procedures
To use shortcut keys, perform the following procedures.
Related Tasks
6.6.1 Example for Using Tab
6.6.2 Example for Defining Shortcut Keys
Different terminal software defines shortcut keys differently. Therefore, the shortcut keys on a terminal
may be different from those listed in this section.
Procedure
Step 1 Run:
system-view
Step 2 Run:
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command-text
The default values of the shortcut keys Ctrl+G, Ctrl+L, and Ctrl+O are as follows:
Step 3 Run:
commit
----End
Context
If you press a shortcut key after entering an incomplete command without pressing Enter, the entered characters are cleared and the command associated with the shortcut key is displayed on the screen. The result is the same as that of entering the complete command.
Like the use of commands, the use of shortcut keys also makes the system record the original
command in the command buffer and logs for further fault detection and query.
Procedure
Step 1 Run:
display hotkey
The shortcut keys supported by the system and their functions are displayed.
NOTE
The function of shortcut keys may be affected by the terminal in use. For example, when user-defined shortcut keys on the router conflict with the shortcut keys of the terminal program, the terminal program intercepts the shortcut keys when they are pressed, and the corresponding command line cannot be run.
----End
Networking Requirements
Any router on the network is required.
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. If there is only one match for the incomplete keyword, enter the incomplete keyword and
press Tab.
2. If there are several matches for the keyword, enter the incomplete keyword and press
Tab repeatedly until the desired keyword is detected.
3. If an incorrect keyword is entered, press Tab. In this case, the incorrect keyword remains unchanged.
Data Preparation
None.
The use of Tab is described as follows:
2. Press Tab.
The system replaces the entered keywords with the complete keywords followed by a space.
[~HUAWEI] ip route-static
2. Press Tab.
The system first displays the prefixes of all the matched keywords. In this example, the
prefix is "default".
[~HUAWEI] ip route-static default-
Press Tab to switch from one matched keyword to another. In this case, the cursor closely
follows the end of a word.
[~HUAWEI] ip route-static default-bfd
[~HUAWEI] ip route-static default-preference
2. Press Tab.
The system displays the output in a new line. The entered keyword remains unchanged.
[~HUAWEI] ip route-static default-pe
Configuration Files
None.
Related Tasks
6.5 How to Use Shortcut Keys
Networking Requirements
Any router on the network is required.
Configuration Notes
If a user does not have the right to execute the command associated with a defined shortcut key,
the system makes no response when the user presses this shortcut key.
Configuration Roadmap
The configuration roadmap is as follows:
1. Define the shortcut key Ctrl+U and associate it with the display ip routing-table command.
2. Press Ctrl+U at the prompt of [~HUAWEI].
Data Preparation
To define shortcut keys, you need the following data.
l Names of shortcut keys
l Names of the commands that are to be associated with shortcut keys
Procedure
Step 1 Define the shortcut key Ctrl+U, associate it with the display ip routing-table command, and
run it.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_u display ip routing-table
----End
Configuration Files
None.
Related Tasks
6.5 How to Use Shortcut Keys
7 Device Upgrade
Note
Before upgrading the NE5000E, pay attention to the following items:
l When upgrading the NE5000E at the site, prepare a spare part for each board.
l Obtain the new system software, the Product Adaptive File (PAF) or license file, and the
corresponding documents of the new version from Huawei.
l Back up configuration files, and collect and save service configurations.
l Enable the log function to record all the operations during the upgrade process.
l Check software versions of all modules on each board, including versions of the BootROM,
Firmware, and MonitorBus.
8 Patch Installation
8.1 Overview
8.2 Patch Installation Modes Supported by the NE5000E
8.1 Overview
A patch can be installed on a device to improve device performance.
Precautions
Note the following points when loading a patch on the NE5000E:
l It is normal that the patch file is loaded to boards asynchronously.
l When installing or uninstalling a patch, ensure that all boards that are in use on the device
have registered with the system. If any LPU on the device is starting during patch
installation or uninstallation, patch installation or uninstallation probably fails on this LPU.
Do not remove or reinstall boards or close the VTP interface during patch installation.
l If the patch contains subcard patches, patch installation may last longer. Wait for at least
60 seconds after patch installation if you intend to delete the installed patch. This ensures
that the same type of subcards on an LPU are in the same status.
l If the startup patch command has been used to specify the patch to be loaded at the next
startup, run the patch-state run all command to activate the patch before restarting the
device.
9 Configuration Management
To ensure reliable user configurations, the system provides two configuration validation modes.
Context
As increasingly new types of services emerge, higher requirements are imposed on devices. For
example, it is required that services take effect after being configured, invalid configurations be
discarded, and impact on the existing services be minimized.
To ensure reliable user configurations, the system allows two-phase configuration validation.
In the first phase, the system performs syntax and semantics checks. In the second phase, the configurations take effect and are used for services.
9.1 Introduction to Configuration Management
The system supports two configuration validation modes, namely, immediate validation and
two-phase validation. By default, the two-phase configuration validation mode takes effect.
9.2 Configuration Management Features that the NE5000E Supports
Configuration management features allow users to lock, preview, and discard configurations,
and to save the configuration file used at the current startup and the configuration file to be
loaded at the next startup of the system.
9.3 Selecting a Configuration Validation Mode
According to different reliability requirements, you can select either of two configuration
validation modes, namely, immediate validation and two-phase validation.
9.4 Managing Configuration Files
You can set the configuration file to be loaded at the next startup and save the configuration file.
9.5 Configuration Examples
This section provides an example for configuring a configuration management networking. You
can understand the configuration procedures by referring to the configuration flowchart. The
configuration example provides information about the networking requirements, configuration
notes, and configuration roadmap.
Deployment Scenario
Before configuring a service, you must enter a configuration view. After the configuration view
is displayed, the system initiates the corresponding configuration flow according to the set
configuration validation mode. If configurations need to be validated immediately, you can use
the immediate configuration validation mode. If configurations need to be validated after being
configured, you can use the two-phase configuration validation mode.
Pre-configuration Tasks
Before managing configuration files, complete the following tasks:
l Allowing the user to log in to the device and enter the user view.
Configuration Procedures
A user can select either the immediate configuration validation mode or the two-phase
configuration validation mode at a time.
Related Tasks
9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode
9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another
User in Two-Phase Configuration Validation Mode
9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration
Validation Mode
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation
Mode
9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase
Configuration Validation Mode
Context
Before configuring a service, you must enter the system view. After the system view is displayed,
the configuration validation mode can be specified. In immediate configuration validation mode,
after a user enters a command line and presses Enter, the system performs the syntax check. The
configuration takes effect as soon as it passes the syntax check.
Procedure
Step 1 (Optional) Run:
lock configuration
CAUTION
After locking configurations, you can edit and submit configurations. Other users can view and
edit configurations but cannot submit configurations.
They can configure services in the running database only if you unlock configurations.
Step 2 Run:
system-view immediately
NOTE
To prevent a service from being affected, you can lock the configuration of a service as soon as the corresponding service process is initiated. While the configuration is locked, configurations cannot be submitted. The configuration of the service remains locked until the service process is successfully started. During this period, the configuration cannot be modified but can be queried.
If the configuration fails to be submitted, wait 30 seconds and submit it again. If the submission fails again, the configuration is locked by a user.
In the immediate validation mode, the command prompt is as follows:
<HUAWEI> system-view immediately
[HUAWEI]
CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise,
configurations of other users cannot take effect.
----End
Context
The two-phase configuration validation mode enhances security and reliability of configurations
and minimizes the impact of configurations on services. If the configuration of a service that
has taken effect does not meet expectations, the system can roll back to the status before the
configuration is committed. Figure 9-1 shows the procedures in two-phase configuration
validation mode.
Figure 9-1 Procedures in two-phase configuration validation mode (legend: mandatory procedure, optional procedure; the diagram itself is not reproduced here)
Procedure
Step 1 (Optional) Run:
lock configuration
CAUTION
After locking configurations, you can edit and commit configurations. Other users can view and
edit configurations but cannot commit configurations.
They can configure services in the running database only if you unlock configurations.
Step 2 Run:
system-view
The two-phase configuration validation mode is set, and configurations can be edited.
NOTE
If you do not need to validate uncommitted configurations, you can discard them.
Step 5 Run:
commit
NOTE
To prevent a service from being affected, you can lock the configuration of a service as soon as the corresponding service process is initiated. While the configuration is locked, configurations cannot be committed. The configuration of the service remains locked until the service process is successfully started. During this period, the configuration cannot be committed but can be queried.
If the configuration fails to be committed, wait 30 seconds and commit it again. If the commit fails again, the configuration is locked by a user.
CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise,
configurations of other users cannot take effect.
----End
Applicable Environment
Current configurations are saved into the configuration file. After the system is restarted,
configurations can be restored.
Pre-configuration Tasks
Before managing configuration files, complete the following tasks:
Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
Related Tasks
9.5.6 Example for Managing Configuration Files
Context
To avoid configuration loss on the router due to power-off or abnormal reset, the system supports
automatic or manual configuration saving.
Procedure
l Automatic configuration saving
1. Run the system-view command to enter the system view.
2. Run the set save-configuration [ interval interval | cpu-limit cpu-usage | delay
delay-interval ] * command to enable the system to automatically save configurations.
The system automatically saves configurations when the set interval interval
expires regardless of whether some configurations have changed during this
period. If interval is not specified, the system automatically saves configurations
every 30 minutes.
If the automatic configuration saving timer expires and the CPU usage of the
system is detected to be higher than the set cpu-limit cpu-usage, the system cancels
the current automatic configuration saving operation.
If delay delay-interval is specified, the system waits a specified delay before
automatically saving configurations when configurations change.
----End
Context
NOTE
The file name extension of the configuration file to be compared must be .cfg or .zip.
Procedure
Step 1 Run:
compare configuration [ configuration-file ]
The current configuration is compared with the configuration file for next startup or the specified
configuration file.
When comparing differences between the configuration files, the system displays the contents
of the current configuration file and saved configuration file from the first different line. By
default, 150 characters are displayed for each configuration file. If the number of characters from
the first different line to the end is less than 150, the contents after the first different line are all
displayed.
When the current configurations are compared with the configuration file for the next startup, if the configuration file for the next startup is unavailable or its contents are null, the system displays a message indicating that the file fails to be read.
----End
Context
After the system is restarted, you can specify a configuration file to restore system
configurations.
Procedure
Step 1 Run:
startup saved-configuration configuration-file
The extension of the configuration file name must be .db, .zip, or .cfg, and the file must be saved
in the root directory of the storage device.
----End
Context
The configuration file needs to be cleared in the following situations:
l The system software does not match the configuration file after the router is upgraded.
l The configuration file is destroyed or an incorrect configuration file is loaded.
Procedure
Step 1 Run:
reset saved-configuration
NOTE
Before clearing the configuration file of the router, the system compares the configuration file loaded at
the current startup with that to be loaded at the next startup of the system.
l If the two configuration files are consistent with each other, they are both cleared. At this time, the
configuration file to be loaded at the next startup must be configured on the router. Otherwise, there is
no configuration file on the device after the next startup.
l If the two configuration files are inconsistent with each other, the configuration file loaded at the current
startup is cleared.
l If the configuration file loaded at the current startup of the router is empty, the system will notify users
that the configuration file does not exist after the reset saved-configuration command is run.
WARNING
Exercise caution when using this command. It is recommended that you use this command under the supervision of technical support personnel.
----End
Prerequisite
The file for the next startup has been loaded.
Procedure
l Run the display configuration configuration-file command to check configuration
information about a specified configuration file.
l Run the display saved-configuration last command to check the configuration file loaded
at the current startup of the system.
l Run the display saved-configuration command to check the configuration file to be loaded
at the next startup of the system.
l Run the display startup command to check the names of system software, and the names
of the configuration file loaded at the current startup and the configuration file to be loaded
at the next startup.
----End
Example
# Display configuration information about specified configuration files.
<HUAWEI> display configuration vrpcfg.db
#
info-center loghost source LoopBack0
info-center loghost 10.1.1.1
info-center loghost 10.1.1.2
#
alarm
suppression name hwBfdSessReachLimit cause-period 5
suppression name hwBfdSessReachLimit clear-period 15
alarm name hwBfdSessReachLimit severity Critical
snmp target-host target-host1 mask name mask1
#
mask name mask1
mask severity Minor
mask severity Warning
mask alarm-name PmThresholdAlarm
#
user-interface maximum-vty 15
#
efm enable
#
aaa
local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
local-user ftp ftp-directory cfcard:/
local-user ftp service-type ftp
#
interface Ethernet3/0/1
description Don't Shutdown! It's Management Port!
undo shutdown
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
user-interface con 0
set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
history-command max-size 30
#
user-interface vty 0 14
user privilege level 3
idle-timeout 0 0
#
return
# Display the names of the system software, and the names of the configuration file loaded at the current startup and the configuration file to be loaded at the next startup.
<HUAWEI> display startup
MainBoard :
Configured startup system software : VRPV800R002C00SPC001B003.rpg
Startup system software : VRPV800R002C00SPC001B003.rpg
Next startup system software : VRPV800R002C00SPC001B003.rpg
Startup saved-configuration file : cfcard:/v1.cfg
Next startup saved-configuration file : cfcard:/v2.cfg
Startup paf file : default
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
To enable services to take effect immediately after they are configured, configure the services
in immediate configuration validation mode.
After you enter a command line and press Enter, the system performs the syntax check. The
configuration takes effect as soon as it passes the syntax check.
Configuration Roadmap
The configuration roadmap is as follows:
1. Choose the immediate configuration validation mode
2. Configure a service.
Data Preparation
Interface IP address
Procedure
Step 1 Choose the immediate configuration validation mode.
<HUAWEI> system-view immediately
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#
Related Tasks
9.3 Selecting a Configuration Validation Mode
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-3, user A and user B log in to the Router at the same time. After user A
locks configurations on the Router, user B attempts to configure services on the device.
Figure 9-3 Networking of configuring services when configurations have been locked by another user in two-phase configuration validation mode (user A and user B connected to the Router over an IP network)
To use the running database exclusively, lock configurations on the device to prevent other users
from configuring services and submitting configurations. When configurations are locked by a
user and other users attempt to configure services, the system will notify them that configurations
have been locked. Other users can configure services in the running database only if the user
unlocks configurations.
Configuration Roadmap
The configuration roadmap is as follows:
1. User A locks configurations.
2. User B configures a service. The system will notify user B that the current configuration
fails because configurations have been locked by another user.
Data Preparation
Interface IP address
Procedure
Step 1 User A locks configurations.
<HUAWEI> lock configuration
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
#
Related Tasks
9.3 Selecting a Configuration Validation Mode
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-4, user A and user B log in to the Router at the same time. After user A
configures a service on the Router, user B performs the same configuration for the service on
the device.
Figure 9-4 Networking of multiple users to configure a same service in two-phase configuration validation mode (user A and user B connected to the Router over an IP network)
When user B submits the configuration that is the same as the configuration submitted by user
A, the system will notify user B that the configuration conflicts with an existing configuration.
Configuration Roadmap
The configuration roadmap is as follows:
1. Allow user A and user B to configure a same service successively.
2. User A submits the configuration.
3. User B submits the configuration.
Data Preparation
Interface IP address
Procedure
Step 1 Allow user A and user B to configure a same service successively.
l User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
The system prompts user B that the configuration of user B conflicts with that of user A.
[~HUAWEI-GigabitEthernet4/0/6] commit
ip address 12.1.1.1 24
Error: The address already exists.
Commit canceled, the configuration conflicted with other user, you can modify
the configuration and commit again.
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#
Related Tasks
9.3 Selecting a Configuration Validation Mode
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-5, user A and user B log in to the Router at the same time. After user A
configures a service on the Router, user B configures the service on the device. For example,
users A and B both configure different IP addresses on the same interface.
Figure 9-5 User A and User B reach the Router over an IP network
When user B submits the configuration, it will overwrite the configuration submitted by user A.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a service as user A and user B.
2. Submit the configuration of user A.
3. Submit the configuration of user B.
Data Preparation
Different interface IP addresses
Procedure
Step 1 Configure a service as user A and user B.
l Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router as user A.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
The following information indicates that the configuration of user B overwrites the configuration
submitted by user A.
[~HUAWEI-GigabitEthernet4/0/6] display this
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.2 255.255.255.0
return
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.2 255.255.255.0
#
Related Tasks
9.3 Selecting a Configuration Validation Mode
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
As shown in Figure 9-6, user A and user B log in to the Router at the same time. User A and
user B configure different services on the Router.
Figure 9-6 User A and User B reach the Router over an IP network
If user A and user B submit two configurations of different services, both configurations take
effect.
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
Interface IP address
Procedure
Step 1 Allow user A and user B to configure different services.
l User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
After user B commits configurations, the system adds new configurations on the basis of original
configurations.
<HUAWEI> display current-configuration
#
ftp server enable
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#
ftp server enable
#
return
Related Tasks
9.3 Selecting a Configuration Validation Mode
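The following script is an added illustration for this page, not NE5000E code. It models the two-phase validation behaviour described in the four examples above (configuration lock, identical configuration submitted by a second user, a different value for the same interface, and two different services) so that the commit outcomes can be reproduced offline. The Router and Session classes, the key tuples and the error strings are assumptions chosen to mirror the prompts shown; the device's real conflict rules are not exposed by this manual.

```python
"""Model of the two-phase configuration validation behaviour described above.

Added illustration for this page, not NE5000E code. Router, Session, the key
tuples and the error strings are assumptions chosen to mirror the prompts
shown in the examples (lock, identical configuration, overwrite, merge).
"""


class CommitError(Exception):
    """Raised when a commit is refused: lock held by another user, or conflict."""


class Router:
    """Running configuration, per-key commit version, and the configuration lock."""

    def __init__(self):
        self.running = {}       # key -> value, e.g. (view, command) -> arguments
        self.version = {}       # key -> sequence number of the commit that last set it
        self.commits = 0
        self.lock_owner = None

    def lock(self, user):
        # 'lock configuration': a second user can neither take nor bypass the lock
        if self.lock_owner not in (None, user):
            raise CommitError(f"configurations have been locked by {self.lock_owner}")
        self.lock_owner = user

    def unlock(self, user):
        if self.lock_owner == user:
            self.lock_owner = None

    def session(self, user):
        return Session(self, user)


class Session:
    """One logged-in user's candidate configuration (the [~HUAWEI] view)."""

    def __init__(self, router, user):
        self.router = router
        self.user = user
        self.seen = dict(router.version)   # versions visible when the user began editing
        self.candidate = {}

    def set(self, key, value):
        self.candidate[key] = value

    def commit(self):
        r = self.router
        if r.lock_owner not in (None, self.user):
            raise CommitError(f"configurations have been locked by {r.lock_owner}")
        for key, value in self.candidate.items():
            changed_by_other = r.version.get(key) != self.seen.get(key)
            if changed_by_other and r.running.get(key) == value:
                # identical configuration already committed by another user: refuse
                raise CommitError("Commit canceled, the configuration conflicted with other user")
        r.commits += 1
        for key, value in self.candidate.items():
            r.running[key] = value      # different value: overwrite; new key: merge
            r.version[key] = r.commits
        self.seen = dict(r.version)
        self.candidate = {}
        return dict(r.running)


IP_KEY = ("interface GigabitEthernet4/0/6", "ip address")
FTP_KEY = ("system-view", "ftp server")


def _fresh():
    r = Router()
    return r, r.session("A"), r.session("B")


def _outcome(commit):
    try:
        return commit()
    except CommitError as exc:
        return str(exc)


def run_scenarios():
    """Replay the four examples of this section; return each commit outcome."""
    out = {}

    r, a, b = _fresh()                      # user A holds the configuration lock
    r.lock("A")
    b.set(IP_KEY, "12.1.1.1 24")
    out["locked"] = _outcome(b.commit)

    r, a, b = _fresh()                      # same service, same value
    a.set(IP_KEY, "12.1.1.1 24")
    b.set(IP_KEY, "12.1.1.1 24")
    a.commit()
    out["conflict"] = _outcome(b.commit)

    r, a, b = _fresh()                      # same interface, different address
    a.set(IP_KEY, "12.1.1.1 24")
    b.set(IP_KEY, "12.1.1.2 24")
    a.commit()
    out["overwrite"] = _outcome(b.commit)[IP_KEY]

    r, a, b = _fresh()                      # different services: both take effect
    a.set(IP_KEY, "12.1.1.1 24")
    b.set(FTP_KEY, "enable")
    a.commit()
    out["merge"] = sorted(_outcome(b.commit))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The overwrite case is the one to remember operationally: a second user's commit silently replaces the first user's value on the same interface, so on a shared device the lock (first example) is the only way to guarantee that a change you verified is the change that stays in effect.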
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.
Precautions
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. Change configurations.
2. Save configurations in a configuration file.
3. Specify the configuration file to be loaded at the next startup.
4. After system upgrade, compare the current running configuration with that defined in the
configuration file loaded at system startup to check whether configurations are lost.
Data Preparation
None.
Procedure
Step 1 Change configurations.
For example, enable the FTP service.
<HUAWEI> system-view
Step 4 After system upgrade, compare the current running configuration with that defined in the
configuration file loaded at system startup to check whether configurations are lost.
<HUAWEI> compare configuration
The current configuration is the same as the next startup configuration file.
----End
Configuration Files
#
sysname HUAWEI
#
ftp server enable
Related Tasks
9.4 Managing Configuration Files
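The following script is an added example for this page, not NE5000E code. It performs offline what the compare configuration command does on the device: it splits two configuration texts into the '#'-delimited blocks shown in the Configuration Files sections and lists the lines that exist in the running configuration but not in the next-startup file (configuration lost after an upgrade), and the reverse. RUNNING and STARTUP are constructed texts. A line missing from the startup file means a service, address or restriction that is in effect now will be gone after the next reboot, which is why the comparison belongs after every upgrade.

```python
"""Offline counterpart of 'compare configuration': find configuration lines that are
in the running configuration but not in the next-startup configuration file (and the
reverse). Added example for this page, not NE5000E code; RUNNING and STARTUP are
constructed texts in the file format shown in the 'Configuration Files' sections.
"""


def parse_blocks(text):
    """Split a configuration into '#'-delimited blocks: {first line: set(other lines)}."""
    blocks, current = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return", ""):     # block separator / end of file
            if current:
                blocks[current[0]] = set(current[1:])
                current = []
            continue
        current.append(line)
    if current:
        blocks[current[0]] = set(current[1:])
    return blocks


def flatten(text):
    """Set of (block header, line) pairs; the header itself is (header, '')."""
    pairs = set()
    for header, body in parse_blocks(text).items():
        pairs.add((header, ""))
        pairs.update((header, line) for line in body)
    return pairs


def compare_configs(running, startup):
    """Return (lost, added): pairs only in running, and pairs only in startup."""
    run, start = flatten(running), flatten(startup)
    return sorted(run - start), sorted(start - run)


def report(running, startup):
    """Human-readable result in the spirit of the device's own message."""
    lost, added = compare_configs(running, startup)
    if not lost and not added:
        return "The current configuration is the same as the next startup configuration file."
    fmt = lambda sign, h, l: f"{sign} {h}: {l}" if l else f"{sign} {h}"
    return "\n".join([fmt("-", h, l) for h, l in lost] + [fmt("+", h, l) for h, l in added])


# Constructed sample: the running configuration after 'ftp server enable' was added,
# versus a next-startup file saved earlier (the address line is missing there too).
RUNNING = """\
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
ftp server enable
#
return
"""

STARTUP = """\
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
#
return
"""

if __name__ == "__main__":
    print(report(RUNNING, STARTUP))
```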
The file system can help you manage files and directories on a storage device.
Storage Devices
Storage devices are hardware devices for storing data.
At present, the router supports the storage devices such as flash memory, and compact flash (CF)
card.
Directories
The directory is a mechanism with which the system integrates and organizes the file, serving
as a logical container of the file.
Files
A file is the mechanism with which the system stores and manages data.
Context
You can manage directories by changing and displaying directories, displaying files in
directories and sub-directories, and creating and deleting directories.
Procedure
l Run:
cd directory
A directory is specified.
l Run:
pwd
l Run:
mkdir directory
Related Tasks
10.5.1 Example for Managing a Directory
Context
l Managing files include: displaying contents, copying, moving, renaming, compressing,
deleting, undeleting, deleting files in the recycle bin, running files in batch and configuring
prompt modes.
l You can run the cd directory command to enter the required directory from the current
directory.
Procedure
l Run:
more filename
NOTE
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
l Run:
move source-filename destination-filename
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.
l Run:
undelete filename
NOTE
If the current directory is not the parent directory, you must operate the file by using the absolute
path. If you use the parameter /unreserved in the delete command, the file cannot be restored after
being deleted.
l Run:
reset recycle-bin [ /f | filename ]
Files in the recycle bin are permanently deleted. /f specifies that all files are deleted from
the recycle bin without prompting for confirmation.
l Running Files in Batch
You can upload the files and then process the files in batches. The edited batch files need
to be saved in the storage devices on the router.
When the batch file is created, you can run the batch file to implement routine tasks
automatically.
1. Run:
system-view
The system displays prompts or warning messages when you operate the device (especially
the operations leading to data loss). If you need to change the prompt mode for file
operations, you can configure the prompt mode of the file system.
1. Run:
system-view
CAUTION
If the prompt is in quiet mode, no prompt appears before data loss caused by misoperation.
----End
Related Tasks
10.5.2 Example for Managing Files
Networking Requirements
The router on which you need to manage a directory is correctly configured.
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. View the current directory.
2. Create a new directory.
3. Check that the new directory is successfully created.
Data Preparation
To complete the configuration, you need the following data:
l Name of the directory to be created
Procedure
Step 1 Display the current directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
Step 3 Display the current directory. You can view that the new directory is successfully created.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
10 drw- - Jan 23 2010 11:10:42 abc
180,862 KB total (305,358 KB free)
----End
Related Tasks
10.3 Managing the Directory
Networking Requirements
By configuring the file system of the router, a user can operate the router through the console
port and copy files to the specified directory.
The file path in the storage device must be correct. If the user does not specify a target file name,
the source file name is the name of the target file by default.
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. Check the files under a certain directory.
2. Copy a file to this directory.
3. Check this directory and view that the file is copied successfully to the specified directory.
Data Preparation
To complete the configuration, you need the following data:
l Source file name and target file name
l Source file path and target file path
Procedure
Step 1 Display the file information in the current directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
Step 3 Display the file information about the current directory, and you can view that the file is copied
to the specified directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
10 -rw- 1,605 Jan 23 2010 14:30:32 sample1.txt
----End
Related Tasks
10.4 Managing Files
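The following script is an added example for this page, not NE5000E code. It parses dir output in the layout shown in the two examples above and performs the two checks the roadmaps ask for: that a directory created with mkdir is present afterwards, and that a copied file is present as a regular file with a non-zero size (the note earlier in this chapter says a file to be copied must be larger than 0 bytes). BEFORE and AFTER are constructed listings.

```python
"""Checks on 'dir' output for the two examples above: a directory created by mkdir,
and a file copied into a directory. Added example for this page, not NE5000E code;
BEFORE and AFTER are constructed listings in the layout shown above, and the
non-zero size check mirrors the note that a copied file must be larger than 0 bytes.
"""
import re

DIR_ROW = re.compile(
    r"^\s*(\d+)\s+([-d][rwx-]{3})\s+([\d,]+|-)\s+"
    r"(\w{3} \d{2} \d{4})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s*$")


def parse_dir(text):
    """Return {name: (is_dir, size_bytes)} from 'dir' output (size None for a directory)."""
    entries = {}
    for line in text.splitlines():
        m = DIR_ROW.match(line)
        if not m:
            continue                      # header, 'Directory of', totals line
        _idx, attr, size, _date, _time, name = m.groups()
        is_dir = attr.startswith("d")
        entries[name] = (is_dir, None if size == "-" else int(size.replace(",", "")))
    return entries


def verify_mkdir(before, after, name):
    """True if 'name' is absent before and present as a directory after."""
    entry = parse_dir(after).get(name)
    return name not in parse_dir(before) and entry is not None and entry[0]


def verify_copy(before, after, name):
    """True if 'name' is absent before and present after as a non-empty regular file."""
    entry = parse_dir(after).get(name)
    return (name not in parse_dir(before) and entry is not None
            and not entry[0] and (entry[1] or 0) > 0)


BEFORE = """\
Directory of cfcard:/
  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009  17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010  10:03:33   private-data.txt
    2  drw-              -  Sep 09 2009  09:42:52   src
180,862 KB total (305,358 KB free)
"""

AFTER = """\
Directory of cfcard:/
  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009  17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010  10:03:33   private-data.txt
    2  drw-              -  Sep 09 2009  09:42:52   src
    3  drw-              -  Jan 23 2010  11:10:42   abc
    4  -rw-          1,605  Jan 23 2010  14:30:32   sample1.txt
180,860 KB total (305,356 KB free)
"""

if __name__ == "__main__":
    print(verify_mkdir(BEFORE, AFTER, "abc"))           # True
    print(verify_copy(BEFORE, AFTER, "sample1.txt"))    # True
```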
Concepts
Clock synchronization refers to the maintenance of a strict relationship between the frequencies
or signal phases of all the devices on a network. This means that signals are transmitted at the
same average rate during a valid period, which allows all the devices on the network to work at
the same rate.
On a digital communication network, the send end sends digital pulse signals in specific
timeslots, and the receive end extracts pulses from these timeslots. In this manner, the send end
and the receive end can communicate with each other. The clocks of the send end and the receive
end must be synchronized, which is the prerequisite for normal communication between the two
ends. Clock synchronization can ensure that the clocks on the send end and the receive end are
synchronized.
Purpose
Clock synchronization is a technique that limits the difference in clock frequency or phase
between the network elements (NEs) on a digital network to within a certain range. On a digital
communication network, discrete pulses obtained from Pulse Code Modulation (PCM)-coded
information are transmitted. If the clock frequencies of two digital switching devices differ, or
digital bit streams are corrupted by interference during transmission, phase drift or jitter occurs.
Consequently, the buffer of the digital switching system experiences data loss or duplication
(slips), resulting in incorrect transmission of the bit streams. If the frequency or phase difference
exceeds the allowed range, bit errors and jitter occur and network transmission performance
deteriorates.
Line clock
Description: The clock board of a device extracts the clock source signal from the STM-N line
signal and uses it as the clock of the device.
Clock source number: slot ID of the LPU + 2. For example, the clock source on the LPU in slot 1
is number 3 and the clock source on the LPU in slot 2 is number 4.
Limited by the lengths of clock cables, the mode of tracing or outputting BITS clock signals through clock
interfaces is applicable to the interfaces on a site. For the limit on the clock cable length, see the "Clock
Cable" in the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description -
NE5000E-X16 Hardware Description.
l The BITS clocks that devices can obtain from a BITS clock device are classified into two
types: 2.048 MHz clocks and 2.048 Mbit/s clocks. The input modes of BITS clocks are
classified into BITS0 and BITS1. A router obtains a clock through a clock interface on the
MPU.
l The MPU on the NE5000E provides four clock interfaces. Two of them are input interfaces,
which are connected to BITS devices to obtain clock signals. The other two are output
interfaces, which are connected to the clock input interfaces on downstream devices to
provide time signals to the downstream devices.
NOTE
The difference between the 2.048 MHz clock and the 2.048 Mbit/s clock is that the 2.048 MHz clock
provides only pulse signals for clock synchronization, whereas the 2.048 Mbit/s clock can also carry
service signals (including SSM information) in addition to the clock synchronization pulses.
On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
l The MPU provides four clock interfaces, CLK/TOD0, CLK/TOD1, CLK/1PPS, and CLK/
Serial.
NOTE
For the schematic diagram of the clock interfaces on the MPU, see the section "Control Plane" in the
chapter "NE5000E-X16 CLC" in the HUAWEI NetEngine5000E Core Router Hardware
Description - NE5000E-X16 Hardware Description.
l CLK/TOD0 and CLK/TOD1 are also called BITS0 and BITS1 respectively. CLK/1PPS
and CLK/Serial, as two SMB interfaces, are bound together to form BITS2. A BITS
interface transmits only one type of signal at a time.
l RJ45 interfaces and SMB interfaces must be connected to dedicated clock cables to input
and output clock signals. For the description of the clock cable, see the "Clock Cable" in
the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description
- NE5000E-X16 Hardware Description.
l The NE5000E-X16 or the NE5000E using the new clock board CR52CLKB can be
configured to trace different types of external BITS clock reference sources by using the
clock bits-type command.
l An external clock reference source can be mapped to the index of a user clock reference
source by using the clock bits-map command.
The signal types supported by clock interfaces are listed in the following table.
l If a BITS interface transmits 2.048 Mbit/s, 2.048 MHz, or two channels of DCLS time
signals, you do not need to configure input or output to specify signal input or output. It
is because these types of clock signals are both input and output on the same interface. For
example, if BITS0 transmits 2.048 Mbit/s time signals, BITS0 inputs and outputs 2.048
Mbit/s clock signals.
l If a BITS interface transmits 1PPS+ASCII time signals, signal input or output must be
specified. It is because 1PPS+ASCII time signals can be either input or output at a time on
an interface.
l If BITS2 is used to transmit 1PPS+ASCII time signals (RS232), both the two SMB
interfaces either input or output the time signals. If BITS2 transmits clock signals, CLK/
1PPS is always used to input signals and CLK/Serial is always used to output signals.
The limitations on the output of different types of time signals on a device are as follows:
l If only one channel of time signals needs to be output, the signals can be successfully output.
l If two channels of 1PPS+ASCII signals need to be output at the same time, they can be
successfully output.
l If one channel of 1PPS+ASCII signals and one channel of DCLS signals need to be output
at the same time, only the 1PPS+ASCII signals can be successfully output.
If the clock source with the highest SSM level is lost, the clock board automatically
switches to trace the clock source with the second highest SSM level. If the original
clock source with the highest SSM level recovers, the clock board traces the clock source
again. The SSM level of a clock source can be specified or obtained from clock signals
sent from an upstream device. If the SSM level of a clock source is DNU and automatic
clock source selection based on SSM levels is adopted, the clock source is not selected
during protection switching.
NOTE
For BITS clock source signals received by the system, if the signal type is 2.048 Mbit/s, the SSM
level is extracted by the clock module from signals; if the signal type is 2.048 MHz, the SSM
level needs to be configured.
Configuration Procedures
1. On the NE5000E using the clock board CR52CLKA, configure the types of the BITS input
and output clocks; on the NE5000E-X16 or the NE5000E using the new clock board
CR52CLKB, configure the external BITS clock reference source.
2. Manually configure the clock source as needed.
3. Configure the system to automatically select a clock source based on the SSM levels or
priorities of clock sources.
Applicable Environment
On a synchronization Ethernet network, if there is a BITS clock on the same site as the router,
the router must be configured to trace the BITS clock. The router serves as the master clock to
provide primary clock signals for the entire network.
The BITS signal type may be 2.048 MHz, 2.048 Mbit/s, 1PPS, or DCLS, which can be configured
on the clock board by using commands.
Pre-configuration Tasks
None.
Configuration Procedures
Figure 11-1 Flowchart for configuring an external BITS clock reference source
(Flowchart legend: mandatory step, optional step)
Context
Do as follows on all the routers in the clock synchronization network:
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock bits-type
An external BITS clock reference source and its signal type are configured.
For information about the available clock reference source IDs and signal types, see the HUAWEI
NetEngine5000E Core Router Command Reference.
Step 3 Run:
commit
----End
Context
During the configuration of clock synchronization, the indexes of user clock sources are required
in the selection of clock sources. Therefore, each clock source must be mapped to the index of
a user clock source.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock bits-map { bits0 | bits1 | bits2 } source source-value
An external clock reference source is mapped to the index of a user clock source.
Step 3 Run:
commit
----End
Context
Run the following commands to check the previous configurations:
Procedure
l Run the display clock bits-type command to check external reference clock sources on
the clock board and their signal types.
l Run the display clock source command to check whether external clock reference sources
are successfully mapped to the indexes of user clock reference sources.
----End
Example
Check the external clock reference sources on the clock board and their signal types.
<HUAWEI>display clock bits-type
bits0: 2mbps
bits1: 2mbps
bits2: 2mbps
Check the configured mappings between external clock reference sources and indexes of user
clock reference sources.
<HUAWEI>display clock source
Master clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
* 1 BITS0 13 sa4 lnc on abnormal
2 BITS1 19 sa4 unknown on abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
1 BITS0 13 sa4 lnc on abnormal
2 BITS1 19 sa4 unknown on abnormal
------------------------------------------------------------------------------
Applicable Environment
If a device must always trace a certain clock source and does not need to perform protection
switching, you can specify that clock source for the device manually. When the specified clock
source fails, however, the system does not switch to another clock source. Therefore, manually
specifying a clock source is not recommended.
In manual mode, you can specify a certain clock source for the clock board to trace. In this mode,
only one clock source can be specified. If the specified clock source is lost, the system enters
the hold-in state. When the precision of the clock in the hold-in state decreases, the device enters
the free running state. In this case, the clock frequency of the device may be different from that
of other devices.
NOTE
In the mode of automatically selecting a clock source, the clock source specified manually does not take
effect.
Pre-configuration Tasks
Before manually specifying a clock source, complete the following tasks: Ensuring that the
device can normally receive clock source signals from the outside and select the manually
specified BITS clock source or line clock source based on the type of the received external clock
source signals.
Procedure
Step 1 Manually configure the clock board to use the BITS clock reference source.
1. Run:
system-view
The device is configured to use the BITS clock source received through the clock interface.
3. Run:
commit
Step 2 Manually configure the clock board to use the line clock source.
1. Run:
system-view
The specified POS interface is enabled to report received clock source signals to the clock
board.
3. Run:
clock manual source source-value
The device is configured to use the line clock source received through the clock interface.
The value of source-value can only be the number of a line clock source on an installed LPU. The
number of a line clock source is the slot ID of the LPU plus 2.
4. Run:
commit
----End
Applicable Environment
Where there are multiple clock sources, you can set priorities for the clock sources based on
their quality. In normal situations, a clock board uses the clock source with the highest priority.
When the clock source with the highest priority fails, the clock board uses the clock source with
the second highest priority. When the default priority (19) of a clock reference source is used,
the clock board does not select the clock reference source during protection switching.
If you configure protection switching according to the priorities of clock sources, you need to
configure clock source selection not to be based on SSM levels.
Pre-configuration Tasks
Before configuring automatic clock source selection based on priorities, complete the following
task:
l Ensuring that a device can normally receive multiple clock source signals from another
device
Configuration Procedures
Figure 11-2 Flowchart for configuring automatic clock source selection based on priorities
(Flowchart legend: mandatory step, optional step)
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
NOTE
When clock source selection is not based on SSM levels, the system selects a clock source according to
the priorities of clock sources.
Step 3 Run:
commit
----End
Context
To ensure that the system selects a high-quality clock source, set the priorities of the clock
sources received by the device according to their quality. The smaller the priority value of a clock
source, the higher its priority.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
NOTE
l If the priority of a reference source is 19 (default value), this reference source is not chosen during
protection switching. The smaller the priority value, the higher the priority.
l In Step 2, you can set the same priority for multiple clock sources. When clock source selection is
performed based on priorities but the priorities of the clock sources are the same, clock source selection
is performed based on the sequence numbers of clock sources in an ascending order.
l If the clock interface on the MPU is not connected to any external clock source, the system ignores
BITS0 and BITS1 when automatically selecting a clock source according to the priorities of clock
sources. Instead, the system directly selects a clock source from the line clock sources of an LPU.
Step 3 Run:
commit
----End
Prerequisite
All the configurations for automatic clock selection based on priorities are complete.
Procedure
l Run the display clock source command to check the priority of each clock source.
----End
Example
Run the display clock source command, and you can view the priority of each clock source.
For example:
<HUAWEI>display clock source
Master clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
* 1 BITS0 13 sa4 lnc on abnormal
2 BITS1 19 sa4 unknown on abnormal
9 LPU7 19 -- unknown on abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
1 BITS0 13 sa4 lnc on abnormal
2 BITS1 19 sa4 unknown on abnormal
9 LPU7 19 -- unknown on abnormal
------------------------------------------------------------------------------
Applicable Environment
During automatic clock source selection based on priorities, the priorities of clock sources are
set. If the priorities of clock sources are not set based on the quality of the clock sources, the
device may select a clock source of low quality. The SSM levels are defined based on
international standard protocols. The higher the precision of a clock source, the higher the SSM
level of the clock source. When the switching among clock sources is performed based on SSM
levels, the device can select a clock source of higher precision.
When a device has multiple clock sources, the device selects a clock source based on the SSM
levels of the clock sources. The higher the clock precision, the higher the SSM level. In normal
situations, a clock board uses the clock source with the highest SSM level. When the clock source
with the highest SSM level fails, the clock board uses the clock source with the second highest
SSM level.
When a clock board is powered on, the SSM level of all clock sources defaults to Unknown.
The SSM levels in descending order are Primary Reference Clock (PRC), Transit Node Clock (TNC),
Local Node Clock (LNC), Synchronous Equipment Timing Source (SETS), Unknown, and Do Not Use for
synchronization (DNU). If the SSM level of a clock source is DNU and clock source selection is based
on SSM levels, the clock source is never selected during protection switching.
The SSM level of a clock source can be obtained in either of the following modes:
l Automatically extracting the SSM levels of clock sources from the received clock source
signals: If the clock source signals received from an upstream device contain SSM levels,
the SSM levels can be used and you do not need to specify SSM levels for the clock sources.
l Manually specifying the SSM levels of BITS clock sources: If clock source signals received
from an upstream device do not contain any SSM level, you need to specify the SSM level
for each BITS clock source manually.
NOTE
In actual applications, the clock source signals received from lines contain SSM levels. Therefore, it
is not recommended to specify the SSM levels for line clock sources manually.
BITS clock sources have two types of signals. When the rate of a clock signal is 2.048 Mbit/s, the clock
board can extract the SSM level of the clock source from the clock signal if the clock signal contains the
SSM level of the clock source. In addition, you can manually specify the SSM level for the clock source
if the clock signal does not contain the SSM level of the clock source. When the frequency of a clock signal
of a clock source is 2.048 MHz, you must manually specify an SSM level for the clock source.
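The following script is an added example for this page, not NE5000E code. It implements the two selection rules described in this chapter and in the priority-based section above: with clock ssm-control on, the source with the highest SSM level is traced and a DNU source is never used; otherwise the source with the smallest priority value is traced, a source left at the default priority 19 is skipped, and equal priorities are resolved by ascending source index. It also parses the Master clock source table of display clock source so the rule can be checked against the '*' the device shows. The tie-break within an equal SSM level (priority, then index) is an assumption, as the manual does not state it; SAMPLE is a constructed listing.

```python
"""Clock source selection as described in this chapter: by SSM level when
'clock ssm-control on' is configured, otherwise by priority. Added example for
this page, not NE5000E code. The parser targets the 'display clock source' layout
shown above; breaking ties within an equal SSM level by priority and then by
source index is an assumption, as the manual does not state the tie-break.
"""
import re
from dataclasses import dataclass

SSM_ORDER = ["prc", "tnc", "lnc", "sets", "unknown", "dnu"]   # descending quality
DEFAULT_PRIORITY = 19   # sources left at the default are skipped in priority mode


@dataclass
class ClockSource:
    index: int
    name: str
    priority: int
    ssm: str
    state: str              # Sourcestate column: 'normal' or 'abnormal'
    selected: bool = False  # the '*' marker in the display output


ROW = re.compile(r"^\s*(\*)?\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_display_clock_source(text):
    """Parse the 'Master clock source' table of 'display clock source'."""
    sources, in_master = [], False
    for line in text.splitlines():
        if line.startswith("Master clock source"):
            in_master = True
            continue
        if line.startswith("Slave clock source"):
            break
        m = ROW.match(line)
        if in_master and m:
            star, idx, name, prio, _sabit, ssm, _force, state = m.groups()
            sources.append(ClockSource(int(idx), name, int(prio), ssm.lower(),
                                       state.lower(), star == "*"))
    return sources


def select_clock_source(sources, ssm_control):
    """Source the clock board should trace, or None (holdover / free running)."""
    usable = [s for s in sources if s.state == "normal"]
    if ssm_control:
        usable = [s for s in usable if s.ssm != "dnu"]          # DNU is never traced
        key = lambda s: (SSM_ORDER.index(s.ssm), s.priority, s.index)
    else:
        usable = [s for s in usable if s.priority != DEFAULT_PRIORITY]
        key = lambda s: (s.priority, s.index)                   # smaller value wins
    return min(usable, key=key, default=None)


# Constructed sample in the layout of the display output shown in this chapter.
SAMPLE = """\
Master clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
  1    BITS0        10       sa4    unknown   on       abnormal
* 2    BITS1        19       sa4    lnc       on       normal
  3    LPU1         19       --     unknown   on       abnormal
------------------------------------------------------------------------------
Slave clock source:
"""


def chosen_vs_displayed(text, ssm_control):
    """(source the rules pick, source the device marks with '*')."""
    sources = parse_display_clock_source(text)
    chosen = select_clock_source(sources, ssm_control)
    shown = next((s for s in sources if s.selected), None)
    return (chosen.name if chosen else None, shown.name if shown else None)


def failover_sequence():
    """Best source lost, then standby lost, then best source back: traced names."""
    bits0 = ClockSource(1, "BITS0", 13, "prc", "normal")
    bits1 = ClockSource(2, "BITS1", 19, "lnc", "normal")
    lpu = ClockSource(3, "LPU1", 19, "dnu", "normal")
    pool = [bits0, bits1, lpu]
    trace = []
    for event in (None, (bits0, "abnormal"), (bits1, "abnormal"), (bits0, "normal")):
        if event:
            event[0].state = event[1]
        picked = select_clock_source(pool, ssm_control=True)
        trace.append(picked.name if picked else None)
    return trace


if __name__ == "__main__":
    print(chosen_vs_displayed(SAMPLE, ssm_control=True))    # ('BITS1', 'BITS1')
    print(chosen_vs_displayed(SAMPLE, ssm_control=False))   # (None, 'BITS1')
    print(failover_sequence())                               # ['BITS0', 'BITS1', None, 'BITS0']
```

With ssm_control off, the same listing yields no usable source: BITS0 is abnormal and the other two are still at the default priority 19, which is exactly the case the priority-based section warns about. The failover sequence shows the revertive behaviour described earlier (the board returns to BITS0 when it recovers) and that a DNU source is never picked even when it is the only one left.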
Pre-configuration Tasks
Before configuring automatic clock source selection based on SSM levels, complete the
following task:
l Ensuring that a device can normally receive multiple clock source signals from another
device
Configuration Procedures
Figure 11-3 Flowchart for configuring automatic clock source selection based on SSM levels
(Flowchart: configure the system to automatically select a clock source; legend: mandatory
step, optional step)
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock auto
Step 3 Run:
commit
----End
Context
Do as follows on the router:
After the following configurations, the router can select a clock source and perform switching
protection based on the SSM levels of received clock sources.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ssm-control on
----End
11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock
Source
You need to configure clock source selection based on the SSM levels of 2.048 MHz BITS clock
sources on routers connected to an external BITS clock.
Context
Because the 2.048 MHz BITS clock source signals received by a device do not contain any SSM
level, you need to specify the SSM levels for the clock sources to ensure that clock source
selection is based on SSM levels of the clock sources.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock source { 1 | 2 } force ssm on
Step 3 Run:
clock source { 1 | 2 } ssm { unknown | prc | tnc | lnc | sets | dnu }
NOTE
source-value: Specifies the index of a user clock source.
l For the NE5000E, the index of the external clock source BITS0 is 1 and the index of the external clock
source BITS2 is 2.
l For the NE5000E-X16, the mapping relationship between an external clock source and the index of a
user clock source must be established by using the clock bits-map { bits0 | bits1 | bits2 } source
source-value command.
Step 4 Run:
commit
----End
Context
BITS clock sources have two types of clock signals. When the clock signal type is 2.048 Mbit/
s, the clock board can extract an SSM level from the SA timeslot if the SA timeslot contains the
SSM level of the clock source. The default SA timeslots containing SSM levels in the clock
signals generated by the clock devices of different manufacturers are different. Therefore, to
ensure that the NE5000E can correctly extract the SSM levels contained in clock signals, you
need to configure the SA timeslots in 2.048 Mbit/s BITS clock source signals to bear SSM levels
on the NE5000E.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source source-value
The SA timeslots in 2.048 Mbit/s BITS clock source signals are configured to bear SSM levels.
Step 3 Run:
commit
----End
Prerequisite
All the configurations of automatic clock source selection based on SSM levels are complete.
Procedure
l Run the display clock config command to check the SSM level of the clock source being
used by the system.
l Run the display clock source command to check the SSM levels of all clock sources of
the system.
----End
Example
Run the display clock config command, and you can view the SSM level of the clock source
being used by the system. For example:
<HUAWEI>display clock config
Current source : 1
Workmode : auto
SSM control : on
Output SSM Level : lnc
PLL state : Current source step into pull-in range
Run mode : Clock is in lock mode
Run the display clock source command, and you can view the SSM levels of all clock sources
of the system. For example:
<HUAWEI>display clock source
Master clock source:
---------------------------------------------------------------------------------------
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
---------------------------------------------------------------------------------------
  1       BITS0        10        sa4     unknown    on        abnormal
* 2       BITS1        19        sa4     lnc        on        normal
  3       LPU1         19        --      unknown    on        abnormal
---------------------------------------------------------------------------------------
Slave clock source:
---------------------------------------------------------------------------------------
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
---------------------------------------------------------------------------------------
  1       BITS0        10        sa4     unknown    on        abnormal
  2       BITS1        19        sa4     lnc        on        normal
  3       LPU1         19        --      unknown    on        abnormal
---------------------------------------------------------------------------------------
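The table above is what an operator reads by hand; the following script is an added example (not part of the Huawei manual) that performs the same check mechanically, so a monitoring job can flag an unexpected clock source switchover. It parses `display clock source` output into rows and verifies that the row marked "*" is the source the priority rule should have selected: the source in the "normal" state with the lowest priority value. The rule assumes `clock ssm-control off`, as in the configuration example later in this chapter; with SSM control on, the device ranks sources by SSM level first, which this check does not model. The first snapshot is the manual's own output; the other two are constructed, modelled on the table shown after Router A loses its BITS clock.

```python
"""Consistency check over the table printed by `display clock source`.

Added example, not from the Huawei manual. Verifies that the row marked "*" (the
master clock source) is the "normal" source with the lowest priority value.
Assumes `clock ssm-control off`; SSM-level ranking is not modelled.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One data row, e.g. "* 2 BITS1 19 sa4 lnc on normal" (leading "*" optional).
ROW_RE = re.compile(
    r"^(?P<star>\*?)\s*(?P<source>\d+)\s+(?P<desc>\S+)\s+(?P<prio>\d+)\s+"
    r"(?P<sabit>\S+)\s+(?P<ssm>\S+)\s+(?P<forcessm>\S+)\s+(?P<state>\S+)$"
)

@dataclass
class ClockSource:
    source: int
    description: str
    priority: int
    sa_bit: str
    input_ssm: str
    force_ssm: str
    state: str
    selected: bool  # row carries the "*" master marker

def parse_clock_source(text: str) -> Dict[str, List[ClockSource]]:
    """Split the output into {'master': [...], 'slave': [...]} row lists."""
    sections: Dict[str, List[ClockSource]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:  # blank or ruled line
            continue
        if line.lower().endswith("clock source:"):  # "Master clock source:" etc.
            current = line.split()[0].lower()
            sections[current] = []
            continue
        m = ROW_RE.match(line)
        if m and current is not None:  # prompt and column-header lines do not match
            sections[current].append(ClockSource(
                int(m["source"]), m["desc"], int(m["prio"]), m["sabit"],
                m["ssm"], m["forcessm"], m["state"], m["star"] == "*"))
    return sections

def expected_master(rows: List[ClockSource]) -> Optional[int]:
    """Source the priority rule should pick: lowest priority value among 'normal' rows."""
    usable = [r for r in rows if r.state == "normal"]
    return min(usable, key=lambda r: (r.priority, r.source)).source if usable else None

def check_selection(rows: List[ClockSource]) -> Tuple[Optional[int], Optional[int], bool]:
    """Return (selected, expected, consistent) for one section of the table."""
    selected = next((r.source for r in rows if r.selected), None)
    expected = expected_master(rows)
    return selected, expected, selected is not None and selected == expected

# Master section of the output quoted from the manual's example.
SNAPSHOT_BEFORE = """\
<HUAWEI>display clock source
Master clock source:
----------------------------------------------------------------------
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
----------------------------------------------------------------------
  1       BITS0        10        sa4     unknown    on        abnormal
* 2       BITS1        19        sa4     lnc        on        normal
  3       LPU1         19        --      unknown    on        abnormal
----------------------------------------------------------------------
"""

# Constructed: modelled on the table shown after Router A loses its BITS clock,
# with the "*" marker on Source 4, which the text says the system then uses.
SNAPSHOT_AFTER = """\
<RouterA>display clock source
Master clock source:
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
  1       BITS0        1         sa4     unknown    on        abnormal
  2       BITS1        19        sa4     unknown    on        abnormal
  3       LPU1         3         --      unknown    on        normal
* 4       LPU2         2         --      unknown    on        normal
"""

# Constructed failure case: the marker is still on the abnormal BITS0 row.
SNAPSHOT_STALE = SNAPSHOT_AFTER.replace("  1       BITS0", "* 1       BITS0").replace("* 4 ", "  4 ")

if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT_BEFORE), ("after", SNAPSHOT_AFTER), ("stale", SNAPSHOT_STALE)):
        for section, rows in parse_clock_source(snap).items():
            sel, exp, ok = check_selection(rows)
            print(f"{label:6} {section:6} selected={sel} expected={exp} {'OK' if ok else 'MISMATCH'}")
```

Feeding two consecutive snapshots to `check_selection` and comparing the selected source also shows a switchover the moment it happens; a "MISMATCH" result means either the marker sits on a source that is not in the normal state or a lower-preference source was chosen, both worth a look at the clock source priorities and cabling.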
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number; a slot is numbered in the format of chassis ID/
slot number.
As shown in Figure 11-4, BITS clock signals enter Router A and Router D through clock
interfaces. The two external BITS clocks satisfy the requirements for the signal quality of the
G.812 local clock. Normally, the devices on the entire network synchronize with the external
BITS clock of Router A.
When the link between any two routers except the link between Router D and Router E is faulty,
the protection switching among clock sources is performed as follows:
l When the external BITS clock of Router A becomes faulty, all routers trace the external
BITS clock of Router D.
l When the external BITS clock of Router D becomes faulty, all routers trace the external
BITS clock of Router A.
l When the external BITS clock of Router A becomes faulty and then the external BITS clock
of Router D becomes faulty, all routers trace the internal clock of Router D.
l When the external BITS clock of Router D becomes faulty and then the external BITS clock
of Router A becomes faulty, all routers trace the internal clock of Router A.
Figure 11-4 Networking diagram for configuring protection switching among clock sources
[Figure image: Router A, Router B, Router C, Router D, Router E, and Router F connected over POS1/0/0 and POS2/0/0 interfaces (W and E link ends); BITS clock signals enter Router A and Router D. Interface addresses shown: 10.1.1.1, 10.1.1.2, 20.1.1.1, 20.1.1.2, 30.1.1.1, 30.1.1.2, 40.1.1.1, 40.1.1.2, 50.1.1.1.]
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the type of the external BITS clock to which Router A and Router D are
connected to 2.048 Mbit/s.
2. Configure the priority of the clock source on each router. This ensures that the protection
switchover of clock sources is performed based on priorities when a fault occurs.
Data Preparation
To complete the configuration, you need the following data: ID and priority of the clock source
of each router, as shown in Table 11-3.
Procedure
Step 1 Set the type of the external BITS clock sources of Router A and Router D to 2.048 Mbit/s.
Step 2 Connect BITS clock cables to each router, as shown in Figure 11-4.
Step 3 Configure the IP addresses for interfaces on each router. The configuration details are not
mentioned here.
Step 4 Set priorities of clock sources of each router, as shown in Figure 11-4.
# Configure Router A.
<RouterA> system-view
[~RouterA] clock auto
[~RouterA] clock ssm-control off
[~RouterA] clock priority 1 source 1
[~RouterA] clock priority 2 source 4
[~RouterA] commit
# Configure Router B.
<RouterB> system-view
[~RouterB] clock auto
[~RouterB] clock ssm-control off
[~RouterB] clock priority 1 source 3
[~RouterB] clock priority 2 source 4
[~RouterB] commit
# Configure Router C.
<RouterC> system-view
[~RouterC] clock auto
[~RouterC] clock ssm-control off
[~RouterC] clock priority 1 source 4
[~RouterC] clock priority 2 source 3
[~RouterC] commit
# Configure Router D.
<RouterD> system-view
[~RouterD] clock auto
[~RouterD] clock ssm-control off
[~RouterD] clock priority 1 source 3
[~RouterD] clock priority 2 source 4
[~RouterD] clock priority 3 source 2
[~RouterD] commit
# Configure Router E.
<RouterE> system-view
[~RouterE] clock auto
[~RouterE] clock ssm-control off
[~RouterE] clock priority 1 source 3
[~RouterE] clock priority 2 source 4
[~RouterE] commit
# Configure Router F.
<RouterF> system-view
[~RouterF] clock auto
[~RouterF] clock ssm-control off
[~RouterF] clock priority 1 source 4
[~RouterF] clock priority 2 source 3
[~RouterF] commit
NOTE
"*" indicates that the clock source functions as the master clock source. The master clock source here is
BITS0.
---------------------------------------------------------------------------------------
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
---------------------------------------------------------------------------------------
  1       BITS0        1         sa4     unknown    on        abnormal
  2       BITS1        19        sa4     unknown    on        abnormal
  3       LPU1         3         --      unknown    on        normal
  4       LPU2         2         --      unknown    on        normal
---------------------------------------------------------------------------------------
After the BITS clock source of Router A is lost, the status of the BITS0 clock source on Router A
is found to be abnormal, and the clock source used by the system is Source 4.
# After the BITS clock of Router A is lost, all routers perform protection switching based on the
priorities of clock sources. Figure 11-5 shows the clock source tracing after the BITS clock
source of Router A is lost.
Figure 11-5 Networking diagram of the clock source tracing after the BITS clock source of Router A is lost
[Figure image: Router A through Router F with W and E link ends; only the BITS clock entering Router D remains, and all routers trace it.]
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 60.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.1 255.255.255.0
#
clock priority 1 source 3
clock priority 2 source 4
#
return