
HUAWEI NetEngine5000E Core Router

V800R002C01

Configuration Guide - Basic Configurations

Issue 01
Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2011-10-15) Huawei Proprietary and Confidential i


Copyright Huawei Technologies Co., Ltd.
HUAWEI NetEngine5000E Core Router
Configuration Guide - Basic Configurations About This Document

About This Document

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the Basic Configurations feature supported by the
NE5000E device.
This document describes how to configure the Basic Configurations feature.
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Related Versions (Optional)


The following table lists the product versions related to this document.

Product Name                         Version
HUAWEI NetEngine5000E Core Router    V800R002C01

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.


Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

Indicates a tip that may help you solve a problem or save time.

Provides additional information to emphasize or supplement important points of the main text.

Command Conventions (Optional)


The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Changes in Issue 01 (2011-10-15)


The initial commercial release.


Contents

About This Document

1 Logging In to the System for the First Time
1.1 Overview of Logging In to the System for the First Time
1.2 Logging In to the router Through the Console Port
1.2.1 Logging In to the router Through the Console Port
1.2.2 Logging In to the router

2 Configure the User Interface
2.1 User Interface Overview
2.2 Configuring the Console User Interface
2.2.1 Configuring Physical Attributes for the Console User Interface
2.2.2 Configuring Terminal Attributes for the Console User Interface
2.2.3 Configuring the User Priority for the Console User Interface
2.2.4 Configuring Authentication for the Console User Interface
2.2.5 Checking the Configuration
2.3 Configuring VTY User Interfaces
2.3.1 Configuring the Maximum Number of VTY User Interfaces
2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces
2.3.3 Configuring Terminal Attributes for VTY User Interfaces
2.3.4 Configuring the User Priority for a VTY User Interface
2.3.5 Configuring Authentication for a VTY User Interface
2.3.6 Checking the Configuration
2.4 Configuration Examples
2.4.1 Example for Configuring the Console User Interface
2.4.2 Example for Configuring VTY User Interfaces

3 Configuring User Login
3.1 User Login Overview
3.2 Logging In to the System Through the Console Port
3.2.1 Configuring the Console User Interface
3.2.2 Logging In to the System Through the Console Port
3.2.3 Checking the Configuration
3.3 Logging In to the System by Using Telnet
3.3.1 Configuring VTY User Interfaces


3.3.2 (Optional) Configuring Local Telnet Users
3.3.3 Enabling the Telnet Server Function
3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server
3.3.5 Logging In to the System by Using Telnet
3.3.6 Checking the Configuration
3.4 Logging In to the System by Using STelnet
3.4.1 Configuring VTY User Interfaces
3.4.2 Configuring VTY User Interfaces to Support SSH
3.4.3 Configuring an SSH User and Specifying the Service Type
3.4.4 Enabling the STelnet Server Function
3.4.5 (Optional) Configuring STelnet Server Parameters
3.4.6 Logging In to the System by Using STelnet
3.4.7 Checking the Configuration
3.5 Configuration Examples
3.5.1 Example for Logging In to the System Through the Console Port
3.5.2 Example for Logging In to the System by Using Telnet
3.5.3 Example for Logging In to the System by Using STelnet

4 Transferring Files
4.1 File Transfer Overview
4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E
4.3 Operating Files After Logging In to the System
4.3.1 Managing Directories
4.3.2 Managing Files
4.4 Using FTP to Operate Files
4.4.1 Configuring a Local FTP User
4.4.2 (Optional) Changing the Listening Port Number of the FTP Server
4.4.3 Enabling the FTP Server Function
4.4.4 (Optional) Configuring FTP Server Parameters
4.4.5 (Optional) Configuring FTP Access Control
4.4.6 Using FTP to Access the System
4.4.7 Using FTP to Operate Files
4.4.8 Checking the Configuration
4.5 Using SFTP to Operate Files
4.5.1 Configuring an SSH User and Specifying the Service Type
4.5.2 Enabling the SFTP Server Function
4.5.3 (Optional) Configuring SFTP Server Parameters
4.5.4 Using SFTP to Access the System
4.5.5 Using SFTP to Operate Files
4.5.6 Checking the Configuration
4.6 Configuration Examples
4.6.1 Example for Operating Files After Logging In to the System
4.6.2 Example for Using FTP to Operate Files


4.6.3 Example for Using SFTP to Operate Files

5 Accessing Other Devices
5.1 Overview
5.2 Using Telnet to Log In to Other Devices
5.3 Using STelnet to Log In to Other Devices
5.3.1 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)
5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)
5.3.3 Using STelnet to Log In to Other Devices
5.3.4 Checking the Configuration
5.4 Using TFTP to Access Other Devices
5.4.1 Configuring the Source Address for the TFTP Client
5.4.2 Configuring TFTP Access Control
5.4.3 Using TFTP to Download Files from Other Devices
5.4.4 Using TFTP to Upload Files to Other Devices
5.4.5 Checking the Configuration
5.5 Using FTP to Access Other Devices
5.5.1 (Optional) Configuring the Source Address for the FTP Client
5.5.2 Using FTP to Connect the FTP Client to Other Devices
5.5.3 Using FTP to Operate Files
5.5.4 (Optional) Changing the User Login
5.5.5 Terminating a Connection to the FTP Server
5.5.6 Checking the Configuration
5.6 Using SFTP to Access Other Devices
5.6.1 (Optional) Configuring the Source Address for the SFTP Client
5.6.2 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)
5.6.3 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)
5.6.4 Using SFTP to Connect the SSH Client to the SSH Server
5.6.5 Using SFTP to Operate Files
5.6.6 Checking the Configuration
5.7 Configuration Examples
5.7.1 Example for Using Telnet to Log In to Other Devices
5.7.2 Example for Using STelnet to Log In to Other Devices
5.7.3 Example for Using TFTP to Access Other Device
5.7.4 Example for Using FTP to Access Other Devices
5.7.5 Example for Using SFTP to Access Other Devices
5.7.6 Example for Accessing the SSH Server by Using a Non-default Listening Port Number
5.7.7 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network

6 Using the Command Line Interface


6.1 Overview of the Command Line Interface
6.2 Establishing the Running Environment for the Command Line
6.2.1 Configuring the Login Alert
6.2.2 Setting a Device Name
6.2.3 Configuring Command Levels
6.2.4 Lock the User Interface
6.3 How to Use Command Lines
6.3.1 Entering a Command View
6.3.2 Editing Command Lines
6.3.3 Checking the Configuration
6.3.4 Checking the Diagnostic Information
6.3.5 Display Mode of Command Lines
6.3.6 Error Information in Command Lines
6.4 How to Obtain Command Help
6.5 How to Use Shortcut Keys
6.5.1 Classification of Shortcut Keys
6.5.2 Defining Shortcut Keys
6.5.3 Displaying Shortcut Keys and Their Functions
6.6 Configuration Examples
6.6.1 Example for Using Tab
6.6.2 Example for Defining Shortcut Keys

7 Device Upgrade
7.1 Overview of Device Upgrade
7.2 Upgrade Modes Supported by the NE5000E

8 Patch Installation
8.1 Overview
8.2 Patch Installation Modes Supported by the NE5000E

9 Configuration Management
9.1 Introduction to Configuration Management
9.2 Configuration Management Features that the NE5000E Supports
9.3 Selecting a Configuration Validation Mode
9.3.1 Configuring Immediate Configuration Validation Mode
9.3.2 Configuring Two-Phase Configuration Validation Mode
9.4 Managing Configuration Files
9.4.1 Saving Configurations
9.4.2 Comparing Configuration Files
9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup
9.4.4 Clearing the System Configuration File Loaded at the Current Startup
9.4.5 Checking the Configuration
9.5 Configuration Examples
9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode


9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode
9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode
9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode
9.5.6 Example for Managing Configuration Files

10 File System Management
10.1 File System Overview
10.2 File System Supported by the NE5000E
10.3 Managing the Directory
10.4 Managing Files
10.5 Configuration Examples
10.5.1 Example for Managing a Directory
10.5.2 Example for Managing Files

11 Clock Synchronization Configuration
11.1 Clock Synchronization Overview
11.2 Clock Synchronization Features Supported by the NE5000E(NE5000E-X16)
11.3 Configuring an External BITS Clock Reference Source
11.3.1 Configuring an External Clock Reference Source for the router and the Clock Signal Type
11.3.2 Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the router
11.3.3 Checking the Configuration
11.4 Specifying a Clock Source Manually
11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities
11.5.1 Configuring the System to Automatically Select a Clock Source
11.5.2 Configuring Clock Source Selection Not to Be Based on SSM Levels
11.5.3 Setting the Priority of a Clock Source
11.5.4 Checking the Configuration
11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels
11.6.1 Configuring the System to Automatically Select a Clock Source
11.6.2 Configuring Clock Source Selection to Be Based on SSM Levels
11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock Source
11.6.4 Configuring SA Timeslots in 2.048 Mbit/s BITS Clock Source Signals to Bear SSM Levels
11.6.5 Checking the Configuration
11.7 Configuration Examples
11.7.1 Example for Configuring Protection Switching Among Clock Sources


1 Logging In to the System for the First Time

About This Chapter

To configure a new device, you must first log in to it through the console port.

1.1 Overview of Logging In to the System for the First Time


Users can log in to a device that is powered on for the first time only through the console port.
Other login modes can be configured after the user has logged in to the device for the first time.
1.2 Logging In to the router Through the Console Port
A terminal can be connected to the console port on the router to establish the configuration
environment.


1.1 Overview of Logging In to the System for the First Time


Users can log in to a device that is powered on for the first time only through the console port.
Other login modes can be configured after the user has logged in to the device for the first time.

The console port is a linear port on the main control board. Each main control board provides
one console port that conforms to the EIA/TIA-232 standard. The console port is a type of Data
Connection Equipment (DCE) interface. Users can directly connect a serial interface from a
terminal to the console port to configure the device.

The console port has the following states:


• Connected: The console port is being connected.
• Disconnected: The console port is disconnected.

1.2 Logging In to the router Through the Console Port


A terminal can be connected to the console port on the router to establish the configuration
environment.

Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the
router to configure and manage the router.

Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:

• Preparing a PC or a terminal, including a serial interface and an RS-232 cable
• Installing a terminal emulator on the PC, such as Windows XP HyperTerminal

Configuration Procedures

Figure 1-1 Logging in to the router through the console port
(Flowchart steps: Establish a physical connection; Log in to the device. Legend: mandatory procedure, optional procedure.)


1.2.1 Logging In to the router Through the Console Port


A terminal can be connected to the console port on the router to establish the configuration
environment.

Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the
router to configure and manage the router.

Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:

• Preparing a PC or a terminal, including a serial interface and an RS-232 cable
• Installing a terminal emulator on the PC, such as Windows XP HyperTerminal

Configuration Procedures

Figure 1-2 Logging in to the router through the console port
(Flowchart steps: Establish a physical connection; Log in to the device. Legend: mandatory procedure, optional procedure.)

1.2.2 Logging In to the router


You can use a PC (connected to the console port on the router) to log in to the router that is
powered on for the first time to configure and manage the router.

Context
Configure the physical attributes on the PC to match the attributes configured for the console
port on the router, including the transmission rate, data bits, parity bit, stop bits, and flow control
mode. Because this is the first login to the router, the terminal attributes use the default values.

Procedure
Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) on the PC to establish a
connection. Follow the instructions as shown in Figure 1-3 and click OK.


Figure 1-3 Establishing a connection

Step 2 Set the COM port. Follow the instructions as shown in Figure 1-4 and click OK.

Figure 1-4 Setting the COM port

Step 3 Set the communication parameters for the COM port to the default values of the router, as shown
in Figure 1-5, and click OK.


Figure 1-5 Setting communication parameters

A command prompt such as <HUAWEI> appears, the user view is displayed, and you can start
the configuration on the HUAWEI device.
In the user view, configure the device or check its operating status, or enter a question mark (?)
for online help.

----End


2 Configure the User Interface

About This Chapter

When a user logs in to the router through the console port or using Telnet or Secure Shell (SSH),
the system uses a corresponding user interface to manage and monitor the session between the
router and the user.

2.1 User Interface Overview


The system supports console and Virtual Type Terminal (VTY) user interfaces.
2.2 Configuring the Console User Interface
The console user interface manages and monitors users logging in to a device through the console
port.
2.3 Configuring VTY User Interfaces
VTY user interfaces manage and monitor users logging in to the device by using VTY.
2.4 Configuration Examples
This section provides examples for configuring console and VTY user interfaces. These
examples explain networking requirements, configuration roadmap, and configuration notes.


2.1 User Interface Overview


The system supports console and Virtual Type Terminal (VTY) user interfaces.

Users can log in to a device to configure, monitor, and maintain local or remote network devices
only after user interfaces, user management, and terminal services are configured. User
interfaces provide the login entrance. User management ensures login security. Terminal
services offer login protocols.

Each user interface has a corresponding user interface view. A network administrator can
configure a set of parameters in a user interface view to determine whether authentication is
required and the level of logged in users. This allows uniform management of various user
sessions.

Currently, the following user interfaces are supported:


• Console: manages and monitors users logging in through the console port.
  The type of the console port is EIA/TIA-232 DCE.
• VTY: manages and monitors users logging in using VTY.
  A VTY connection is set up when a user uses Telnet or SSH to log in to the device. A
  maximum of 18 users can log in to the device by using VTY.

NOTE

A user who logs in using different login modes is allocated different user interfaces. A user who logs in
several times using the same login mode may be allocated different user interfaces.

User Interface Numbering


After a user logs in to a device, the system allocates an idle user interface with the smallest
number to the user based on the login mode of the user. The login process is restricted by the
configurations for the user interface.

User interfaces can be numbered in the following ways:

• Relative numbering
  The relative numbering uniquely specifies a user interface or a group of user interfaces of
  the same type.
  The numbering format is user interface type + number, adhering to the following rules:
  - Console port numbering: CON0.
  - VTY user interface numbering: The first VTY is 0, the second VTY is 1, and so on.
• Absolute numbering
  The absolute numbering uniquely specifies a user interface or a group of user interfaces.
  The number starts with 0, increasing by 1. The console port is numbered before VTY user
  interfaces.
  There are 20 consoles and 18 VTY user interfaces. You can run the user-interface
  maximum-vty command in the system view to set the maximum number of VTY user
  interfaces. The default value is 5.
  Table 2-1 shows the default absolute numbers of the console and VTY user interfaces.
  Numbers 1 to 32 are reserved for TTY user interfaces.


Table 2-1 Example of absolute numbers for user interfaces

Absolute Number    User Interface
0                  CON0
34                 VTY0: the first VTY
35                 VTY1: the second VTY
36                 VTY2: the third VTY
37                 VTY3: the fourth VTY
38                 VTY4: the fifth VTY

Authentication for User Interfaces


After an authentication mode is configured for a user interface, the system authenticates users who
log in through this user interface. Authentication modes are as follows:

• No-authentication: Users can log in to the device without entering user names or passwords.
  This mode is insecure and is not recommended.
• Password authentication: Users need to enter passwords but not user names for login.
• AAA authentication: Users must enter both user names and passwords for login. If either
  a user name or a password is incorrect, the login fails. Telnet users are usually authenticated
  in AAA mode.

User Priorities for User Interfaces


Users who log in to the device are managed based on their user levels. Like command levels, users are
classified into 18 levels from 0 to 17. The greater the value, the higher the user level.

The level of commands that a user can use is determined by the user level.

• If no-authentication or password authentication is configured, the level of commands that
  a user can use depends on the level of the user interface through which the user logs in.
• If AAA authentication is configured, the level of commands that a user can use depends
  on the local user priority specified in the AAA configuration.

2.2 Configuring the Console User Interface


The console user interface manages and monitors users logging in to a device through the console
port.

Applicable Environment
If you need to log in to a device through the console port for local maintenance, configure the
console user interface, including the physical attributes, terminal attributes, user priority, and
user authentication mode. Configure parameters based on the use and security requirements.


Pre-configuration Tasks
Before configuring the console user interface, complete the following task:
• Logging In to the router Through the Console Port

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

2.2.1 Configuring Physical Attributes for the Console User Interface


Physical attributes of the console user interface include the baud rate, flow control mode, parity
bit, stop bits, and data bits for the console port.

Context
When a user logs in to a device through the console port, the physical attributes set in
HyperTerminal for the console port must be consistent with the attributes of the console user
interface on the device. Otherwise, the user cannot log in to the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface console ui-number

The console user interface view is displayed.


Step 3 Run:
speed line-speed

The transmission rate is set.


The value can be 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, or 115200, in bit/s.
By default, the value is 9600.
Step 4 Run:
flow-control { hardware | none | software }

The flow control mode is set.


By default, the value is none.
The none mode indicates that the flow control function does not take effect on the console port.
Step 5 Run:
parity { even | mark | none | odd | space }

The parity bit is set.


By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }


The stop bits are set.

By default, the value is 1.

Step 7 Run:
databits { 5 | 6 | 7 | 8 }

The data bits are set.

By default, the value is 8.

Step 8 Run:
commit

The configuration is committed.

----End

2.2.2 Configuring Terminal Attributes for the Console User Interface

Terminal attributes of the console user interface include the timeout period of an idle connection,
number of lines displayed on a terminal screen, and buffer size for previously used commands.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console ui-number

The console user interface view is displayed.

Step 3 Run:
shell

The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]

The timeout period is set.

By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run:
screen-length screen-length

Screen length of the console terminal is set.

By default, the length of a terminal screen is 24 rows.

Step 6 Run:
screen-width screen-width

Screen width of the console terminal is set.


By default, the value is 80.


Step 7 Run:
history-command max-size size-value

The size of the history command buffer is set.


By default, the size of history command buffer on a user interface is 10 entries.
Step 8 Run:
commit

The configuration is committed.

----End

2.2.3 Configuring the User Priority for the Console User Interface
You can set user priorities for user interfaces to manage users based on their levels. This section
describes how to set the user priority for the console user interface.

Context
User levels correspond to command levels. After logging in to the system, a user can use commands
of the corresponding level or lower.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface console ui-number

The console user interface view is displayed.


Step 3 Run:
user privilege level level

The user priority is set.


By default, users logging in through the console user interface can use commands at level 3, and
users logging in through other user interfaces can use commands at level 0.

NOTE

If the user priority configured for the user interface and the user priority configured for the user conflict,
the user level takes precedence.
For example, user 001 can use commands at level 3, and the user level configured in the user interface
view Console 0 for the user is 2. After user 001 logs in through Console 0, the user can use commands at
level 3 or lower.

Step 4 Run:
commit

The configuration is committed.

----End


2.2.4 Configuring Authentication for the Console User Interface


The system provides three authentication modes: AAA, password authentication, and
no-authentication. Configuring authentication improves system security.

Procedure
• Configure AAA authentication.
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface console ui-number

The console user interface view is displayed.


3. Run:
authentication-mode aaa

The authentication mode is set to AAA.


4. Run:
quit

Exit from the console user interface.


5. Run:
aaa

The AAA view is displayed.


6. Run:
local-user user-name password { simple | cipher } password

The user name and password are set.

If simple is specified, the password must be entered in plain text.
If cipher is specified, the password can be entered in either encrypted text or plain text.
The result is determined by the input.
7. Run:
commit

The configuration is committed.


• Configure password authentication.
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface console ui-number

The console user interface view is displayed.


3. Run:
authentication-mode password

Password authentication is set.


4. Run:
set authentication password { cipher | simple } password

Authentication password is set.

If simple is specified, the password must be entered in plain text.
If cipher is specified, the password can be entered in either encrypted text or plain text.
The result is determined by the input.
5. Run:
commit

The configuration is committed.


• Configure no-authentication.
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface console ui-number

The console user interface view is displayed.


3. Run:
authentication-mode none

No-authentication is set.
4. Run:
commit

The configuration is committed.

----End

2.2.5 Checking the Configuration


After configuring the console user interface, you can view user login information about the user
interface, physical attributes and configurations of the user interface, the local user list, and
online users.

Prerequisite
The configurations of the console user interface are complete.

Procedure
• Run the display users [ all ] command to check user login information about user interfaces.
• Run the display user-interface console 0 command to check physical attributes and
  configurations of the user interface.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check information about logged-in users.

----End


Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0
        Username : Unspecified
+ 258 VTY 0   00:00:00  TEL    10.164.6.15         pass            no
        Username : Unspecified
  259 VTY 1
        Username : Unspecified

Run the display user-interface console 0 command to view physical attributes and
configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600     -     3     -           N     -
  1    CON 0    9600     -     3     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username                 State          Type           Online
----------------------------------------------------------------------------
user123                  Active         All            0
ll                       Active         F              0
user1                    Active         F              0
----------------------------------------------------------------------------
Total 3,3 printed

Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
-----------------------------------------
User-name domain-name userid
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
Authentication success : 2

2.3 Configuring VTY User Interfaces


VTY user interfaces manage and monitor users logging in to the device by using VTY.

Applicable Environment
If you need to log in to a device for local or remote configuration and maintenance by using
Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user
interfaces, limit on incoming and outgoing calls, terminal attributes, user priority, and user
authentication mode. Configure parameters based on the user and security requirements.


Pre-configuration Tasks
Before configuring VTY user interfaces, complete the following task:

• Logging In to the router Through the Console Port

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

2.3.1 Configuring the Maximum Number of VTY User Interfaces


Configuring the maximum number of VTY user interfaces limits the number of simultaneous
login users.

Context
The maximum number of VTY user interfaces is the total number of users that use Telnet and
SSH to log in.

CAUTION
If the maximum number of VTY user interfaces is set to zero on a device, no user can log in to
the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface maximum-vty number

The maximum number of VTY user interfaces is set.

• If the configured maximum number is smaller than the original, logged-in users are not
  affected and no additional configuration is needed.
• If the configured maximum number is greater than the original, configure the authentication
  mode and password for additional users. The system uses password authentication to
  authenticate users logging in through newly added user interfaces.
  For example, to increase the number of allowed login users from 5 to 18, run the
  authentication-mode and set authentication password commands:
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] user-interface vty 5 17
[~HUAWEI-ui-vty5-17] authentication-mode password
[~HUAWEI-ui-vty5-17] set authentication password cipher huawei

Step 3 Run:
commit


The configuration is committed.

----End

2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces

An Access Control List (ACL) can be configured to limit incoming and outgoing calls for VTY
user interfaces.

Context
An ACL can be configured to either allow or deny Telnet connections based on source or
destination IP addresses:
• A basic ACL, with number ranging from 2000 to 2999, controls Telnet connections based
  on source IP addresses.
• An advanced ACL, with number ranging from 3000 to 3999, controls Telnet connections
  based on both source and destination IP addresses.
Before configuring the limit on incoming and outgoing calls for VTY user interfaces, run the
acl command in the system view to create an ACL and enter the ACL view. Then, run the
rule command to add rules to the ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.


Step 3 Run:
acl acl-number | name acl-name { inbound | outbound }

The limit on incoming and outgoing calls is set for the VTY user interface.
• Choose inbound if users at a specified IP address or within a specified address range are
  either allowed to log in to the device or prohibited from logging in to the device.
• Choose outbound if logged-in users are either allowed to log in to other devices or prohibited
  from logging in to other devices.
Step 4 Run:
commit

The configuration is committed.

----End

2.3.3 Configuring Terminal Attributes for VTY User Interfaces


Terminal attributes of VTY user interfaces include the timeout period of an idle connection,
number of rows displayed on a terminal screen, and buffer size for previously-used commands.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run:
shell

The VTY terminal service is enabled.

Step 4 Run:
idle-timeout minutes [ seconds ]

The timeout period of an idle connection is set.

If the connection remains idle for the whole timeout period, the system automatically terminates
the connection when the timeout period expires.

By default, the timeout period is 10 minutes.

Step 5 Run:
screen-length screen-length

The number of rows displayed on a terminal screen is set.

By default, a terminal screen displays 24 rows.

Step 6 Run:
history-command max-size size-value

The buffer size is set for previously-used commands.

By default, a maximum of 10 previously-used commands can be cached in the buffer.

Step 7 Run:
commit

The configuration is committed.

----End

2.3.4 Configuring the User Priority for a VTY User Interface


To improve security, user priorities can be set for user interfaces to manage users based on their
levels. This section describes how to set a user priority for a VTY user interface.

Context
User levels correspond to command levels. After logging in to the system, a user can use commands
of the corresponding level or lower.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run:
user privilege level level

The user priority is set.

By default, users logging in from a VTY user interface can use commands at level 0.

NOTE

If the user priority configured for the user interface and the user priority configured for the user conflict,
the user level takes precedence.
For example, a user can use commands at level 3, and the user level configured in the user interface view
VTY0 for the user is 2. After the user logs in through VTY0, the user can use commands at level 3 or lower.

Step 4 Run:
commit

The configuration is committed.

----End

2.3.5 Configuring Authentication for a VTY User Interface


The system provides three authentication modes: AAA, password authentication, and
no-authentication. Configuring authentication improves system security.

Procedure
• Configure AAA authentication.
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.


3. Run:
authentication-mode aaa

Authentication mode is set to AAA.


4. Run:
commit

The configuration is committed.


5. Run:
quit

Exit from the VTY user interface view.


6. Run:
aaa

The AAA view is displayed.


7. Run:
local-user user-name password { simple | cipher } password

The user name and password are set.

If simple is specified, the password must be entered in plain text.
If cipher is specified, the password can be entered in either encrypted text or plain text.
The result is determined by the input.
8. Run:
commit

The configuration is committed.


• Configure password authentication.
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.


3. Run:
authentication-mode password

Authentication mode is set to password authentication.


4. Run:
set authentication password { cipher | simple } password

Local authentication password is set.

If simple is specified, the password must be entered in plain text.
If cipher is specified, the password can be entered in either encrypted text or plain text.
The result is determined by the input.
5. Run:
commit

The configuration is committed.


• Configure no-authentication.
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty first-ui-number [ last-ui-number ]


A VTY user interface view is displayed.


3. Run:
authentication-mode none

Authentication mode is set to no-authentication.


4. Run:
commit

The configuration is committed.


----End

2.3.6 Checking the Configuration


After configuring the VTY user interfaces, you can view user login information about the VTY
user interfaces, the maximum number of the VTY user interfaces, and the physical attributes
and configuration of the VTY user interfaces.

Prerequisite
The configuration of the VTY user interfaces is complete.

Procedure
• Run the display users [ all ] command to check user login information about user interfaces.
• Run the display user-interface maximum-vty command to check the configured
  maximum number of VTY user interfaces.
• Run the display user-interface vty ui-number command to check physical attributes and
  configuration of the user interface.
• Run the display local-user command to check the local user list.
• Run the display vty mode command to check the VTY mode.
----End

Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0
Username : Unspecified
+ 258 VTY 0 00:00:00 TEL 10.164.6.15 pass no
Username : Unspecified
259 VTY 1
Username : Unspecified

Run the display user-interface maximum-vty command to view the configured maximum
number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15

Run the display user-interface vty command to view the configured user interface information.
<HUAWEI> display user-interface vty
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 34 VTY 0 - 15 15 N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
-----------------------------------------
User-name domain-name userid
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
Authentication success : 2

Run the display vty mode command to view the configured VTY mode. For example:
<HUAWEI> display vty mode
current VTY mode is Human-Machine interface

2.4 Configuration Examples


This section provides examples for configuring console and VTY user interfaces. These
examples explain networking requirements, configuration roadmap, and configuration notes.

2.4.1 Example for Configuring the Console User Interface


In this configuration example, the physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the console user interface. This allows users to
log in to a device through the console port in password authentication mode.

Networking Requirements
To initialize the configurations of a new device or maintain the device locally, you must
log in to the device through the console user interface. Attributes are set for the console
user interface based on user and security requirements.

Configuration Notes
By default, terminal services are enabled on all user interfaces. If terminal services are disabled,
use Telnet to log in to the system through the console port and run the shell command to enable
terminal services.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Set the user priority.
4. Set the user authentication mode and password.


NOTE

The user name and password do not have default values. Other parameters have default values, which are
recommended.

Data Preparation
To complete the configuration, you need the following data:

- Transmission rate of a connection: 4800 bit/s
- Flow control mode: none
- Parity bit: even
- Stop bits: 2
- Data bits: 6
- Timeout period of an idle connection: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously-used commands: 20
- User priority value: 15
- User authentication mode: password (password is huawei)

Procedure
Step 1 Configure physical attributes for the console user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 4800
[~HUAWEI-ui-console0] flow-control none
[~HUAWEI-ui-console0] parity even
[~HUAWEI-ui-console0] stopbits 2
[~HUAWEI-ui-console0] databits 6
[~HUAWEI-ui-console0] commit

Step 2 Configure terminal attributes for the console user interface.


[~HUAWEI-ui-console0] shell
[~HUAWEI-ui-console0] idle-timeout 30
[~HUAWEI-ui-console0] screen-length 30
[~HUAWEI-ui-console0] history-command max-size 20
[~HUAWEI-ui-console0] commit

Step 3 Set a user priority for the console user interface.


[~HUAWEI-ui-console0] user privilege level 15
[~HUAWEI-ui-console0] commit

Step 4 Configure password authentication for the console user interface.


[~HUAWEI-ui-console0] authentication-mode password
[~HUAWEI-ui-console0] set authentication password simple huawei
[~HUAWEI-ui-console0] commit
[~HUAWEI-ui-console0] quit

After the console user interface has been configured, users can log in to the device through the
console port in password authentication mode. For information about how to log in to the system
through the console port, see 3.2 Logging In to the System Through the Console Port.

Step 5 Verify the configuration.

After completing the configurations, run the display user-interface command to view the
configuration of Console 0.
<HUAWEI> display user-interface 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+0 CON 0 9600 - 3 - N -
+ : Current user-interface is active.
F : Current user-interface is active and work in async mode.
Idx : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi : The privilege of user-interface.
ActualPrivi : The actual privilege of user-interface.
Auth : The authentication mode of user-interface.
A : Authenticate use AAA.
N : Current user-interface need not authentication.
P : Authenticate use current UI's password.
Int : The physical location of UIs.

----End

Configuration Files
#
sysname HUAWEI
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
databits 6
parity even
stopbits 2
speed 4800
screen-length 30
#
admin
return

2.4.2 Example for Configuring VTY User Interfaces


In this configuration example, the maximum number of VTY user interfaces, limit on incoming
and outgoing calls, terminal attributes, authentication mode, and password are set. This allows
users to use Telnet or SSH (Stelnet) to log in to a device in password authentication mode.

Networking Requirements
If you need to log in to a device for local or remote configuration and maintenance by using
Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user
interfaces, limit on incoming and outgoing calls, terminal attributes, user priority, and user
authentication mode. Configure parameters based on the user and security requirements.

Configuration Roadmap
The configuration roadmap is as follows:

1. Set the maximum number of VTY user interfaces.
2. Configure the limit on incoming and outgoing calls for VTY user interfaces.
3. Configure terminal attributes for VTY user interfaces.
4. Set user priorities for VTY user interfaces.
5. Configure the authentication mode and password for the VTY user interface.

Data Preparation
To complete the configuration, you need the following data:
- Maximum number of VTY user interfaces: 18
- Number of the ACL applied to limit incoming calls on the VTY user interface: 2000
- Timeout period of an idle connection: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously-used commands: 20
- User priority: 15
- User authentication mode: password (password is huawei)
NOTE

The ACL number for limiting incoming and outgoing calls in VTY user interfaces, password, and user name
do not have default values. Other parameters have default values, which are recommended.

Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] commit

Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.
[~HUAWEI] acl 2000
[~HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[~HUAWEI-acl-basic-2000] quit
[~HUAWEI] user-interface vty 0 17
[~HUAWEI-ui-vty0-17] acl 2000 inbound
[~HUAWEI-ui-vty0-17] commit

Step 3 Configure terminal attributes for VTY user interfaces.


[~HUAWEI-ui-vty0-17] shell
[~HUAWEI-ui-vty0-17] idle-timeout 30
[~HUAWEI-ui-vty0-17] screen-length 30
[~HUAWEI-ui-vty0-17] history-command max-size 20
[~HUAWEI-ui-vty0-17] commit

Step 4 Set user priorities for VTY user interfaces.


[~HUAWEI-ui-vty0-17] user privilege level 15
[~HUAWEI-ui-vty0-17] commit

Step 5 Configure the authentication mode and password for VTY user interfaces.
[~HUAWEI-ui-vty0-17] authentication-mode password
[~HUAWEI-ui-vty0-17] set authentication password simple huawei
[~HUAWEI-ui-vty0-17] commit
[~HUAWEI-ui-vty0-17] quit

After a VTY user interface is configured, a user can use Telnet or SSH to log in to the device in
password authentication mode to maintain the device locally or remotely. For information about
how to use Telnet or SSH to log in to a device, see 3.3 Logging In to the System by Using
Telnet or 3.4 Logging In to the System by Using STelnet.
Step 6 Verify the configuration.

After completing the configurations, run the display user-interface command to view the
configurations of VTY user interfaces.
Use VTY14 as an example:
[~HUAWEI] display user-interface vty 14
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 34 VTY 14 - 15 15 password -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

----End

Configuration Files
#
sysname HUAWEI
#
user-interface maximum-vty 18
#
acl number 2000
rule 5 deny source 10.1.1.1 0
#
user-interface vty 0 17
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
screen-length 30
acl 2000 inbound
#
admin
return
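
The two configuration files above store the login password in plain text (simple), give level 15 to anyone who knows the shared line password, and apply an ACL that only denies one host. The following Python script is an added example, not part of the Huawei guide: it audits a saved configuration for these settings, plus authentication-mode none and an enabled Telnet server. The finding names, function names and sample configuration are assumptions made for the illustration.

```python
import re

# Constructed sample in the layout of this page's "Configuration Files"
# listings; it combines settings shown on the page, not real device output.
SAMPLE_CONFIG = """\
#
sysname HUAWEI
#
telnet server enable
#
user-interface maximum-vty 18
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
#
user-interface vty 0 4
 user privilege level 15
 set authentication password simple huawei
 acl 2000 inbound
#
user-interface vty 5 17
 authentication-mode none
#
return
"""

# Hypothetical finding codes used by this example.
EXPLAIN = {
    "telnet-enabled": "Telnet server enabled: logins cross the network in plain text",
    "no-authentication": "authentication-mode none: no credential is requested",
    "plaintext-password": "password stored with 'simple': readable in the config",
    "shared-login-high-privilege": "high level granted without per-user (AAA) login",
    "vty-no-inbound-acl": "no inbound ACL bound to the VTY user interfaces",
    "acl-deny-only": "inbound ACL has only deny rules, so it is not an allow-list",
}


def parse_sections(text):
    """Split a configuration into (header, body_lines) blocks delimited by '#'."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()  # indentation is optional; extraction often drops it
        if line == "#":
            if current:
                sections.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append((current[0], current[1:]))
    return sections


def audit(text, high_privilege=15):
    """Return a list of (scope, finding_code) for weak login settings."""
    sections = parse_sections(text)
    acls = {m.group(1): body for header, body in sections
            if (m := re.fullmatch(r"acl number (\d+)", header))}
    findings = []
    for header, body in sections:
        if any(re.fullmatch(r"telnet( ipv6)? server enable", ln)
               for ln in [header] + body):
            findings.append(("global", "telnet-enabled"))
        ui = re.fullmatch(r"user-interface (con|console|vty) .+", header)
        if not ui:
            continue
        mode = next((ln.split()[1] for ln in body
                     if ln.startswith("authentication-mode ")), None)
        if mode == "none":
            findings.append((header, "no-authentication"))
        # Report the storage form only; never echo the password itself.
        if any(ln.startswith("set authentication password simple ") for ln in body):
            findings.append((header, "plaintext-password"))
        level = next((int(m.group(1)) for ln in body
                      if (m := re.fullmatch(r"user privilege level (\d+)", ln))), None)
        if level is not None and level >= high_privilege and mode != "aaa":
            findings.append((header, "shared-login-high-privilege"))
        if ui.group(1) == "vty":
            acl_ids = [m.group(1) for ln in body
                       if (m := re.fullmatch(r"acl (\d+) inbound", ln))]
            if not acl_ids:
                findings.append((header, "vty-no-inbound-acl"))
            for acl_id in acl_ids:
                rules = [r for r in acls.get(acl_id, []) if r.startswith("rule ")]
                if rules and not any(re.match(r"rule( \d+)? permit\b", r) for r in rules):
                    findings.append((header, "acl-deny-only"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(SAMPLE_CONFIG):
        print(f"{scope}: {code}: {EXPLAIN[code]}")
```

A user interface section without an authentication-mode line is treated as using the default mode and is not flagged for that reason alone.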

3 Configuring User Login

About This Chapter

A user can log in to a device by using the console port, Telnet, or SSH (STelnet) to maintain the
device locally or remotely.

3.1 User Login Overview


Users can log in to devices by using the console port, Telnet, or STelnet.
3.2 Logging In to the System Through the Console Port
To configure a device that is powered on for the first time or locally maintain the device, log in
to the device through the console port.
3.3 Logging In to the System by Using Telnet
Telnet allows users to log in to remote devices to manage and maintain the devices.
3.4 Logging In to the System by Using STelnet
STelnet based on SSH2 provides secure remote access over an insecure network.
3.5 Configuration Examples
This section provides configuration examples for logging in to the system through the console
port or by using Telnet or STelnet. These configuration examples explain networking
requirements, configuration roadmap, and precautions.

3.1 User Login Overview


Users can log in to devices by using the console port, Telnet, or STelnet.
Users can log in to devices to configure, monitor, and maintain the devices locally or remotely
only after user interfaces, user management, and terminal services have been configured.
User interfaces provide the login entrance. User management ensures login security. Terminal
services offer login protocols.
Users can log in by using any of the login modes listed in Table 3-1 to configure and manage
the router.

Table 3-1 User login modes

Login Mode: Logging In to the System Through the Console Port
Application: Users log in through the console port to configure a device locally.
This login mode is required when a device is powered on for the first time.

Login Mode: Logging In to the System by Using Telnet
Application: Users log in by using Telnet to maintain a device locally or
remotely. Telnet helps users maintain remote devices but brings security threats.

Login Mode: Logging In to the System by Using STelnet
Application: STelnet provides protection for users logging in to a device to
maintain the device locally or remotely.

Console Port Overview


For information about the console port, see Overview of Logging In to the System for the
First Time.

Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login
and virtual terminal services. The NE5000E provides the following Telnet services:
- Telnet server: A user runs the Telnet client program on a PC to log in to the router to
  configure and manage the router. The router functions as a Telnet server.
- Telnet client: After using the terminal emulator or Telnet client program on a PC to connect
  to the router, a user runs the telnet command to log in to another device for configuration
  and management. The router functions as a Telnet client. In Figure 3-1, the CE functions
  as both a Telnet server and a Telnet client.

Figure 3-1 Telnet server providing the Telnet client service
[Figure: devices PC, CE and PE in a chain; labels: Telnet session 1, Telnet session 2, Telnet server]

- Telnet service interruption

Figure 3-2 Usage of Telnet shortcut keys
[Figure: devices P1, P2 and P3 in a chain; labels: Telnet session 1, Telnet session 2, Telnet client, Telnet server]

Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure
3-2, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the
Telnet client of P3. The usage of shortcut keys is described as follows:
Ctrl_]: Instructs the server to disconnect a Telnet connection.
If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server
interrupts the current Telnet connection.
For example, enter Ctrl_] on P3, and the P2 prompt is displayed.
<P3> Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2> Select Ctrl_] to return to the prompt of P1
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>

NOTE

If the network connection is disconnected, shortcut keys do not take effect.


Ctrl_K: Instructs the client to disconnect the connection.
When the server fails and the client is unaware of the failure, the server does not respond
to the client for input. In this case, if you select Ctrl_K, the Telnet client interrupts the
connection and quits the Telnet connection.
For example, select Ctrl_K on P3 to quit the Telnet connection.
<P3> Select Ctrl_K to abort
<P1>

CAUTION
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all user
interfaces are in use and no more Telnet connections are allowed.

STelnet Overview
NOTE

Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices running SSH2
can function as SSH clients. STelnet is based on SSH2. When the client and the server set up a secure
connection after negotiation, the client can log in to the server in the same way as using Telnet.

Logins using Telnet add security risks because Telnet does not provide any secure authentication
mechanism and data is transmitted using TCP in plain text. Telnet connections are vulnerable
to Denial of Service (DoS) attacks, IP address spoofing, and route spoofing.

SSH provides secure remote access on an insecure network by supporting the following
functions:

- Remote Subscriber Access (RSA) authentication: Public and private keys are generated
  according to the encryption principle of the asymmetric encryption system to implement
  secure key exchange and ensure a secure session.
- Data encryption standards: Data Encryption Standard (DES), 3DES, and Advanced
  Encryption Standard (AES).
- User name and password encryption: This prevents the user name and password from being
  intercepted during the communication between the client and the server.
- Encryption of transmitted data

A device serving as an SSH server can accept connection requests from multiple SSH clients.
The device can also serve as an SSH client, helping users establish SSH connections with an
SSH server. This allows users to use SSH to log in to remote devices from the local device.

- Local connection
  As shown in Figure 3-3, an SSH channel is established for a local connection.

Figure 3-3 Establishing an SSH channel on a local area network (LAN)
[Figure: labels: Server, Ethernet 100BASE-TX, Server, LapTop, PC, PC running SSH Client]

- Wide area network (WAN) connection
  As shown in Figure 3-4, an SSH channel is established for a connection on a WAN.

Figure 3-4 Establishing an SSH channel on a WAN
[Figure: labels: Local LAN, Remote LAN, Router, WAN, SSH, Router, PC running SSH Client, PC]

3.2 Logging In to the System Through the Console Port


To configure a device that is powered on for the first time or locally maintain the device, log in
to the device through the console port.

Applicable Environment
When a device is powered on for the first time, users can log in to it only through
the console port.

Pre-configuration Tasks
Before logging in to the system through the console port, complete the following tasks:
- Preparing a PC or a terminal, including a serial interface and an RS-232 cable
- Installing a terminal emulator on the PC, such as Windows XP HyperTerminal

Configuration Procedures

Figure 3-5 Logging in to the system through the console port

1. Configure the console user interface
2. Log in to the system through the console port

3.2.1 Configuring the Console User Interface


To allow users to log in to the system through the console port, configure attributes for the
console user interface.

Context
If you need to log in to a device through the console port for local maintenance, configure the
console user interface, including the physical attributes, terminal attributes, user priority, and
user authentication mode. Configure parameters based on the user and security requirements.
For configurations of the console user interface, see Configuring the Console User
Interface.

3.2.2 Logging In to the System Through the Console Port


Users can connect a terminal to the console port on a device, and then log in to the device.

Context
NOTE

- Communication parameters of the user terminal must be consistent with the physical attributes of the
  console user interface on the device.
- After a user authentication mode is specified in the console user interface, a user can log in to the device
  only after authentication succeeds. This enhances network security.

For information about logging in to the system through the console port, see Logging In to the
router Through the Console Port.

3.2.3 Checking the Configuration


After logging in to the system through the console port, you can view information about the
console user interface, such as the usage, physical attributes and configurations, local user list,
and logged-in users.

Prerequisite
Configurations of user login through the console port are complete.

Procedure
- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface console 0 command to check physical attributes and
  configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check information about logged-in users.
----End

Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0
Username : Unspecified
+ 258 VTY 0 00:00:00 TEL 10.164.6.15 pass no
Username : Unspecified
259 VTY 1
Username : Unspecified

Run the display user-interface console 0 command to view physical attributes and
configurations of the user interface.

<HUAWEI> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
1 CON 0 9600 - 3 - N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username State Type Online
----------------------------------------------------------------------------
user123 Active All 0
ll Active F 0
user1 Active F 0
----------------------------------------------------------------------------
Total 3,3 printed

Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
-----------------------------------------
User-name domain-name userid
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
Authentication success : 2

3.3 Logging In to the System by Using Telnet


Telnet allows users to log in to remote devices to manage and maintain the devices.

Applicable Environment
If one or more devices need to be configured and managed, you do not need to connect each of
the devices to a terminal to maintain the devices locally. If you have obtained the IP address of
a device and logged in to the device before, you can use Telnet to log in to the device to remotely
configure the device. This allows you to maintain multiple devices on one terminal, greatly
facilitating device management.

NOTE

The IP address of a device needs to be preset through the console port.

Pre-configuration Tasks
Before using Telnet to log in to the system, complete the following task:

- Configuring a route between a terminal and a device

Configuration Procedures

Figure 3-6 Logging in to the system by using Telnet

1. Configure VTY user interfaces
2. Configure local Telnet users
3. Enable the Telnet server function
4. Configure the listening port number of the Telnet server
5. Use Telnet to log in to the system from terminals

3.3.1 Configuring VTY User Interfaces


If you need to use Telnet or SSH to log in to a device to locally or remotely maintain the device,
configure VTY user interfaces based on user and security requirements.

Context
The default user authentication mode for VTY user interfaces is password authentication. Before
using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user
interfaces. Otherwise, you cannot log in to the device.

NOTE

Authentication mode can be configured for VTY user interfaces by logging in to a device through the
console port.

For configurations about VTY user interfaces, see Configuring VTY User Interfaces.

3.3.2 (Optional) Configuring Local Telnet Users


If the user authentication mode of VTY user interfaces is no-authentication or password
authentication, the following configuration is not required.

Context
By default, a local user can use any access type. After the user access mode has been specified,
only users using the specified access mode can log in to the system.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name password { simple | cipher } password

The user name and password are set.

- If simple is specified, the password must be entered in plain text.
- If cipher is specified, the password can be entered in either encrypted text or
  plain text. The result is determined by the input.
Step 4 Run:
local-user user-name service-type telnet

The access mode of local users is set to Telnet.


Step 5 Run:
commit

The configuration is committed.

----End

3.3.3 Enabling the Telnet Server Function


The Telnet server can be connected only after the Telnet server function has been enabled.
Choose either of the following steps based on the network protocol:

Procedure
- IPv4:
1. Run:
system-view

The system view is displayed.


2. Run:
telnet server enable

The Telnet server function is enabled.


3. Run:
commit

The configuration is committed.


- IPv6:
1. Run:
system-view

The system view is displayed.


2. Run:
telnet ipv6 server enable

The Telnet server function is enabled.


3. Run:
commit

The configuration is committed.


NOTE

- If the undo telnet [ ipv6 ] server enable command is run to disable the Telnet server function
  when there are users logging in by using Telnet, the command does not take effect.
- After the Telnet server function is disabled, established Telnet connections are not interrupted,
  and no new Telnet connection is allowed. In this situation, users can log in to the system by using
  SSH or through the console port.

----End

3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server

The listening port number of the Telnet server can be configured and changed to ensure network
security. After the listening port number is changed, only users who know the current listening
port number can log in to the router.

Context
By default, the listening port number of the Telnet server is 23. Users can log in to the router
without specifying the listening port number. Attackers may access the default listening port,
which reduces available bandwidth, affects the performance of the server, and prevents valid
users from accessing the server. After the listening port number of the Telnet server is changed,
attackers do not know the new listening port number. This effectively prevents attackers from
accessing the listening port.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
telnet [ ipv6 ] server port port-number

The listening port number is set for the Telnet server.


If a new listening port number is set, the Telnet server terminates all established Telnet
connections, and then uses the new port number to listen to new requests for Telnet connections.
Step 3 Run:
commit

The configuration is committed.

----End

3.3.5 Logging In to the System by Using Telnet


After the device is configured, you can use Telnet to log in to the device from a terminal to
remotely maintain the device.

Context
If you need to log in to the system by using Telnet, use either the Windows Command Prompt
or third-party software on the terminal. Use the Windows Command Prompt as an example.
Do as follows on the PC:

Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the telnet ip-address command to use Telnet to log in to the device.
1. Input the IP address of the Telnet server.

Figure 3-7 Schematic diagram 1 for login by using Telnet

2. Press Enter, and the command prompt of the user view is displayed, such as
<HUAWEI>. This indicates that you have accessed the Telnet server.

Figure 3-8 Schematic diagram 2 for login by using Telnet

----End

3.3.6 Checking the Configuration


After logging in to the system by using Telnet, you can view information about the current user
interface, every user interface, and established TCP connections.

Prerequisite
The configurations of logging in to the system by using Telnet are complete.

Procedure
- Run the display users [ all ] command to check information about user interfaces.
- Run the display tcp status command to check established TCP connections.
- Run the display telnet server status command to check the configuration and status of the
  Telnet server.

----End

Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
34 VTY 0 00:00:12 TEL 1.1.1.1 no
Username : Unspecified
+ 35 VTY 1 00:00:00 TEL 1.1.1.2 no
Username : Unspecified

Run the display tcp status command to view TCP connections. Established in the command
output indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 LISTEN
34042c80 73 /17 10.1.1.1:23 10.2.2.2:1147 0 Established

Run the display telnet server status command to view the configuration and status of the Telnet
server.
<HUAWEI> display telnet server status
Session 1:
Source ip address : 10.137.217.221
VTY Index : 14
Current number of sessions : 1

3.4 Logging In to the System by Using STelnet


STelnet based on SSH2 provides secure remote access over an insecure network.

Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Login by using Telnet brings security
risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks such as IP address spoofing and plain text
password interception.

Pre-configuration Tasks
Before logging in to the system by using STelnet, complete the following task:

l Configuring a route between a terminal and a device

Configuration Procedures

Figure 3-9 Logging in to the system by using STelnet
(Flowchart) Configure VTY user interfaces -> Configure VTY user interfaces to support SSH ->
Configure an SSH user and specify STelnet as the service type -> Enable the STelnet server
function -> Configure STelnet server parameters -> Use STelnet to log in to the system from a
terminal
Legend: mandatory procedure, optional procedure

3.4.1 Configuring VTY User Interfaces


If you need to use Telnet or SSH to log in to a device to locally or remotely maintain the device,
configure VTY user interfaces based on user and security requirements.

Context
The default user authentication mode for VTY user interfaces is password authentication. Before
using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user
interfaces. Otherwise, you cannot log in to the device.


NOTE

Authentication mode can be configured for VTY user interfaces by logging in to a device through the
console port.

For configurations about VTY user interfaces, see Configuring VTY User Interfaces.

3.4.2 Configuring VTY User Interfaces to Support SSH


STelnet is based on SSH2. After the client and the server negotiate and set up a secure
connection, the client can log in to the server in the same way as with Telnet.

Context
By default, user interfaces support Telnet. If no user interface is enabled with SSH, users cannot
log in to the device by using STelnet.

Do as follows on the device that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run:
authentication-mode aaa

AAA authentication is set.

Step 4 Run:
protocol inbound ssh

SSH is enabled on the VTY user interface.

NOTE

Before configuring a user interface to support SSH, set the authentication mode of the user interface to
AAA. Otherwise, the protocol inbound ssh command does not take effect.

Step 5 Run:
commit

The configuration is committed.

----End

3.4.3 Configuring an SSH User and Specifying the Service Type


To allow users to use STelnet to log in to a device, configure an SSH user, configure the device
to generate a local RSA key pair, configure a user authentication mode, and specify a service
type for the SSH user.


Context
l SSH users can be authenticated in four modes: RSA, password, password-RSA, and All.
Password authentication depends on AAA. Before a user logs in to the device in password
or password-RSA authentication mode, a local user with the same user name must be
created in the AAA view.
l Configuring the system to generate a local RSA key pair is a key step for SSH login. If an
SSH user logs in to an SSH server in password authentication mode, configure the server
to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.

NOTE

Password-RSA authentication requires success of both password authentication and RSA authentication.
The All authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the device that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh user user-name

An SSH user is created.


If password or password-RSA authentication is configured for the SSH user, create the same
SSH user in the AAA view and set the local user access type to SSH.
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { simple | cipher } password command to
configure a local user name and a password.
3. Run the local-user user-name service-type ssh command to set the local user access type
to SSH.
4. Run the quit command to exit from the AAA view and enter the system view.
By default, a local user can use any access type. You can specify an access type to allow only
users configured with the specified access type to log in to the device.
Step 3 Run:
rsa local-key-pair create

A local RSA key pair is generated.

NOTE

l The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-
related configuration.
l After the key pair is generated, run the display rsa local-key-pair public command to view information
about the public key in the local key pair.

Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }

An authentication mode is set for the SSH user.


Perform either of the following operations as needed:
l Configure password authentication.
Run the ssh user user-name authentication-type password command to configure
password authentication.
Run the ssh authentication-type default password command to configure default
password authentication.
If local or HWTACACS authentication is used and there are only a few users, use password
authentication. If there are a large number of users, use default password authentication to
simplify configuration.
l Configure RSA authentication.
1. Run the ssh user user-name authentication-type rsa command to configure RSA
authentication.
2. Run the rsa peer-public-key key-name command to enter the public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
NOTE

l In the public key edit view, only hexadecimal strings complying with the public key format can
be typed in. Each string is randomly generated on an SSH client. For detailed operations, see
manuals for SSH client software.
l After entering the public key edit view, paste the RSA public key generated on the client to the
server.
5. Run the public-key-code end command to exit from the public key edit view.
l Running the peer-public-key end command generates a key only after a valid hex-
data complying with the public key format is entered.
l If the peer-public-key end command is used after the key key-name specified in substep
2 is deleted in another window, the system displays a message indicating that the key
does not exist, and the system view is displayed.
6. Run the peer-public-key end command to return to the system view.
7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a
public key.
Step 5 (Optional) Configure basic authentication information for the SSH user.
1. Run the ssh server rekey-interval hours command to set an interval at which the key of
the server is updated.
By default, the interval is 0, indicating that the key is never updated.
2. Run the ssh server timeout seconds command to set the timeout period for SSH
authentication.
By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the maximum number of
SSH authentication retries.
By default, SSH authentication retries a maximum of 3 times.
Step 6 Run:
ssh user username service-type { stelnet | sftp | all }


The service type of an SSH user is set to STelnet, SFTP or all.

By default, the service type of an SSH user is none. That is, no service is supported.

Step 7 Run:
commit

The configuration is committed.

----End

3.4.4 Enabling the STelnet Server Function


The STelnet server can be connected only when the STelnet server function is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
stelnet server enable

The STelnet server function is enabled.

After the STelnet server function is disabled, all STelnet clients are disconnected.

Step 3 Run:
commit

The configuration is committed.

----End

3.4.5 (Optional) Configuring STelnet Server Parameters


You can configure a device to support the SSH protocol of earlier versions, configure or change
the listening port number of an SSH server, and set an interval at which the key pair of the SSH
server is updated.

Context
l The SSH protocol has the following versions: SSH1.X and SSH2.0. Compared with
SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key
exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP.
The NE5000E supports SSH whose version number ranges from 1.3 to 2.0.
l The default listening port number of an SSH server is 22. When the default listening port
number is used, users can directly log in to a device without specifying the listening port
number. Attackers may access the default listening port, consuming bandwidth, degrading
server performance, and preventing valid users from accessing the server. After the
listening port number of the SSH server is changed, attackers do not know the new port
number. This effectively prevents attackers from accessing the listening port, improving
security.
l An interval at which the key pair of an SSH server is updated can be set. When the timer
expires, the key pair is automatically updated to improve security.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh server compatible-ssh1x enable

The system is enabled to support earlier SSH protocol versions.


By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients
running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x
enable command to disable support for earlier SSH protocol versions.
Step 3 Run:
ssh server port port-number

The listening port number of the SSH server is set.
By default, the listening port number is 22.
If a new listening port is set, the SSH server cuts off all established STelnet and SFTP
connections, and then uses the new port number to listen to connection requests.
Step 4 Run:
ssh server rekey-interval hours

The interval at which the key pair of the SSH server is updated is set.
By default, the interval is zero, indicating that the key pair will never be updated.
Step 5 Run:
commit

The configuration is committed.

----End

3.4.6 Logging In to the System by Using STelnet


After the preceding configuration is complete, a user can log in to the system from a terminal
by using STelnet to remotely maintain the device.

Context
Third-party software can be used to implement an STelnet login. The following uses the
third-party software OpenSSH and the Windows Command Prompt as an example.
After installing OpenSSH on a PC, do as follows on the PC:

NOTE

For details about how to install OpenSSH, see the software installation guide.
For details about how to use OpenSSH commands to log in to the device, see the software help document.


Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run OpenSSH commands to log in to the device by using STelnet, as shown in Figure 3-10.

Figure 3-10 Schematic diagram for login by using STelnet

----End

3.4.7 Checking the Configuration


After you log in to the system by using STelnet, you can view the configuration of the SSH server.

Prerequisite
The configurations of logging in to the system by using STelnet are complete.

Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configuration.
l Run the display ssh server session command on the SSH server to check information about
sessions between the SSH server and SSH clients.
l Run the display ssh server statistics command on the SSH server to view information
about the total number of connections accepted, denied, closed and total online connections.
----End


Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<HUAWEI> display ssh user-information client001
------------------------------
User Name : client001
Authentication-Type : password
User-public-key-name : -
Sftp-directory : -
Service-type : stelnet
-----------------------------------
Total 1, 1 printed

If no SSH user is specified, information about all SSH users logging in to the SSH server is
displayed.

Run the display ssh server status command to view configuration of the SSH server.
<HUAWEI> display ssh server status
------------------------------------------
SSH Version : 1.99
SSH authentication timeout : 60 Seconds
SSH authentication retries : 3 Times
SSH server key generating interval : 0 Hours
SSH version 1.x compatibility : ENABLED
SSH server keep alive : DISABLED
SFTP server : DISABLED
STELNET server : DISABLED
SNETCONF server : DISABLED
SSH server port : 22
------------------------------------------------

Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<HUAWEI> display ssh server session
Session : 1
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password

Run the display ssh server statistics command to view the current statistics information of the
SSH server.
<HUAWEI> display ssh server statistics
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
----------------------------------------
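
The following Python script is an added example, not part of the Huawei guide. It parses captured output of display ssh server status and display ssh server session and reports the settings this section covers (SSH1.X compatibility, a key update interval of 0, STelnet disabled) together with the remediation command named in this guide. The list of algorithms treated as weak and the second session are assumptions of the example.

```python
import re

# Status output copied from the example in this section.
STATUS_OUTPUT = """\
<HUAWEI> display ssh server status
SSH Version : 1.99
SSH authentication timeout : 60 Seconds
SSH authentication retries : 3 Times
SSH server key generating interval : 0 Hours
SSH version 1.x compatibility : ENABLED
STELNET server : DISABLED
SSH server port : 22
"""

# Session 1 is the session shown in this section. Session 2 is constructed
# for this example and says nothing about what the device can negotiate.
SESSION_OUTPUT = """\
Session : 1
Conn : VTY 3
Version : 2.0
Username : client001
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Session : 2
Conn : VTY 4
Version : 2.0
Username : client002
CTOS Cipher : aes128-ctr
STOC Cipher : aes128-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
Kex : diffie-hellman-group14-sha256
"""

# Assumption of this example: algorithms a reviewer would want reported.
WEAK_ALGORITHMS = {
    "aes128-cbc": "CBC-mode cipher",
    "3des-cbc": "CBC-mode cipher",
    "hmac-md5": "MD5-based MAC",
    "diffie-hellman-group-exchange-sha1": "SHA-1 key exchange",
    "diffie-hellman-group1-sha1": "SHA-1 key exchange with a 1024-bit group",
}
ALGORITHM_FIELDS = ("CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac", "Kex")


def parse_records(text, first_key=None):
    """Parse 'Key : value' lines into dicts; first_key starts a new record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue  # prompt lines and dashed separators carry no field
        if not records or key == first_key:
            records.append({})
        records[-1][key] = value
    return records


def audit_status(status):
    """Return (finding id, command from this guide that changes the setting)."""
    findings = []
    if status.get("SSH version 1.x compatibility", "").upper() == "ENABLED":
        findings.append(("ssh1x-compat", "undo ssh server compatible-ssh1x enable"))
    interval = re.match(r"\d+", status.get("SSH server key generating interval", ""))
    if interval and int(interval.group()) == 0:
        findings.append(("no-rekey", "ssh server rekey-interval hours"))
    if status.get("STELNET server", "").upper() == "DISABLED":
        findings.append(("stelnet-disabled", "stelnet server enable"))
    return findings


def audit_sessions(sessions):
    """Return (session id, field, value, reason) for each weak negotiation."""
    findings = []
    for session in sessions:
        sid = session.get("Session", "?")
        if session.get("Version", "").startswith("1."):
            findings.append((sid, "Version", session["Version"], "SSH1.X session"))
        for field in ALGORITHM_FIELDS:
            reason = WEAK_ALGORITHMS.get(session.get(field, "").lower())
            if reason:
                findings.append((sid, field, session[field], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_status(parse_records(STATUS_OUTPUT)[0]):
        print("status :", *finding)
    for finding in audit_sessions(parse_records(SESSION_OUTPUT, "Session")):
        print("session:", *finding)
```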


3.5 Configuration Examples


This section provides configuration examples for logging in to the system through the console
port or by using Telnet or STelnet. These configuration examples explain networking
requirements, configuration roadmap, and precautions.

3.5.1 Example for Logging In to the System Through the Console Port

In this example, a PC is set to allow a user to log in to the router through the console port.

Networking Requirements
If the default parameter values for the console user interface on the router are changed, the
parameters must be set accordingly on the user terminal before the next login through the console
port.

Figure 3-11 Networking diagram for login through the console port (PC connected to the router)

Configuration Roadmap
1. Connect a PC to the console port on the router.
2. Set parameters on the PC for login.
3. Log in to the router.

Data Preparation
Communication parameters of the PC (transmission rate: 4800 bps, data bits: 6, parity bit: even,
stop bits: 2, flow control mode: none).

Procedure
Step 1 Establish the configuration environment. Connect the serial interface on the user terminal to the
console port on the router through a standard RS-232 cable.

Step 2 Run the terminal emulator on the PC.

Set communication parameters for the PC, as shown in Figure 3-12 to Figure 3-14. Set the
transmission rate to 4800 bit/s, data bit to 6, parity bit to even, stop bit to 2, and flow control
mode to none.


Figure 3-12 Establishing a connection

Figure 3-13 Setting connected ports


Figure 3-14 Setting communication parameters

Step 3 Power on the router and wait for the completion of the self-check. After the router starts properly
and finishes the self-check, the system prompts you to press Enter, and the command prompt
<HUAWEI> is displayed.
Use commands to view the operating status of the router or configure the router.
----End

3.5.2 Example for Logging In to the System by Using Telnet


In this example, VTY user interfaces are configured to allow users to log in to the device from
the client.

Networking Requirements
A user can use a user terminal to log in to the router on another network segment to remotely
maintain the router.

Figure 3-15 Networking diagram for logging in to the system by using Telnet (the PC reaches
P1 across the network; P1 interface GE0/0/0, 10.137.217.221/16)


Precautions
If a user has passed AAA authentication and logged in to the router by using Telnet, the user is
prohibited from logging in to other routers on the network.

Configuration Roadmap
1. Establish a physical connection.
2. Assign an IP address to the MEth interface on P1.
3. Configure VTY user interfaces, including the limit on incoming and outgoing calls.
4. Configure Telnet user information.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the MEth interface on P1
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging into another router: 3001
l Timeout period of a user connection: 20 minutes
l Number of lines displayed on a terminal screen: 30
l Buffer size for previously-used commands: 20
l Telnet user information (authentication mode: AAA, user name: huawei, password: hello)

Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Assign an IP address to the MEth interface on P1.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] interface gigabitethernet 0/0/0
[~P1-GigabitEthernet0/0/0] undo shutdown
[~P1-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~P1-GigabitEthernet0/0/0] commit
[~P1-GigabitEthernet0/0/0] quit

Step 3 Configure VTY user interfaces on the router.


# Set the maximum number of VTY user interfaces.
[~P1] user-interface maximum-vty 10
[~P1] commit

# Configure an ACL to restrict users from logging in to another router.


[~P1] acl 3001
[~P1-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[~P1-acl-adv-3001] quit
[~P1] user-interface vty 0 9
[~P1-ui-vty0-9] acl 3001 outbound

# Set terminal attributes of VTY user interfaces.

[~P1-ui-vty0-9] shell
[~P1-ui-vty0-9] idle-timeout 20
[~P1-ui-vty0-9] screen-length 30
[~P1-ui-vty0-9] history-command max-size 20

# Set a user authentication mode for VTY user interfaces.


[~P1-ui-vty0-9] authentication-mode aaa
[~P1-ui-vty0-9] commit
[~P1-ui-vty0-9] quit

Step 4 Set Telnet user information on the router.


# Specify the login authentication mode.
[~P1] aaa
[~P1-aaa] local-user huawei password cipher hello
[~P1-aaa] local-user huawei service-type telnet
[~P1-aaa] local-user huawei level 3
[~P1-aaa] commit
[~P1-aaa] quit

Step 5 Configure user login.


Enter the Windows Command Prompt window and run the relevant command to telnet to the
device, as shown in Figure 3-16.

Figure 3-16 Telnet login window on the PC

Press Enter, and input the user name and password in the login window. After user
authentication succeeds, a command prompt of the user view is displayed, as shown in Figure
3-17. This indicates that you have entered the user view.

Figure 3-17 Window displayed after login to the router


----End

Configuration file of P1
sysname P1
#
user-interface maximum-vty 10
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
aaa
local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user huawei level 3
local-user huawei service-type telnet
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
user-interface vty 0 9
authentication-mode aaa
user privilege level 15
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
history-command max-size 20
idle-timeout 20 0
screen-length 30
acl 2000 inbound
acl 3001 outbound
#
admin
return

3.5.3 Example for Logging In to the System by Using STelnet


In this example, a local key pair is generated on an SSH server, and a user name and a password
are configured on the server for an SSH user. After the STelnet server function is enabled on
the server, the STelnet client is connected to the server.

Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Login by using Telnet brings security
risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks such as IP address spoofing and plain text
password interception.


As shown in Figure 3-18, after the STelnet server function is enabled on the router functioning
as an SSH server, STelnet clients can log in to the SSH server in password, RSA, password-
RSA, or All authentication mode.

Figure 3-18 Networking diagram for logging in to the system by using STelnet (the PC reaches
the SSH server across the network; SSH server interface GE0/0/0, 10.137.217.225/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign an IP address to the MEth interface on the SSH server.
2. Configure a local key pair on the SSH server, allowing secure data transmission between
the STelnet client and the SSH server.
3. Configure VTY user interfaces on the SSH server.
4. Configure an SSH user, including the authentication mode, user name, and password.
5. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the MEth interface on the SSH server
l SSH user authentication mode: password; user name: client001; password: huawei
l User level of client001: 3
l IP address of the SSH server: 10.137.217.223

Procedure
Step 1 Configure a login address.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet 0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit

Step 2 Configure a local key pair on the server.


[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] :


Step 3 Configure VTY user interfaces on the SSH server.


[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the NE5000E automatically disables the Telnet function.

Step 4 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

Step 5 Enable the STelnet server function, and configure STelnet as the service type.
[~SSH Server] stelnet server enable
[~SSH Server] ssh authentication-type default password
[~SSH Server] commit

Step 6 Verify the configuration.


# Access the STelnet server by using the OpenSSH software.

Figure 3-19 Schematic diagram for accessing the SFTP server by using the OpenSSH software

----End

Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
rsa local-key-pair create 512
rsa local-key-pair host-key begin
rsa local-key-pair host-key end
#
stelnet server enable
ssh authentication-type default password
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.225 255.255.255.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
aaa
local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user client001 level 3
local-user client001 service-type ssh
#
admin
return
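
The following Python script is an added example, not part of the Huawei guide. It audits a saved configuration file in the format shown in the two examples above and reports Telnet-capable VTY interfaces, Telnet-only local accounts, passwords stored with the simple keyword, and short RSA host keys. The two sample configurations are excerpts of the files above with the ciphertext replaced by a placeholder; the 2048-bit threshold and the finding names are assumptions of the example.

```python
import re

# Excerpts of the configuration files in 3.5.2 and 3.5.3 (ciphertext replaced).
P1_CONFIG = """\
sysname P1
#
aaa
local-user huawei password cipher <ciphertext>
local-user huawei level 3
local-user huawei service-type telnet
#
user-interface vty 0 9
authentication-mode aaa
idle-timeout 20 0
acl 3001 outbound
#
return
"""

SSH_SERVER_CONFIG = """\
#
sysname SSH Server
#
rsa local-key-pair create 512
#
stelnet server enable
ssh authentication-type default password
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
aaa
local-user client001 password cipher <ciphertext>
local-user client001 level 3
local-user client001 service-type ssh
#
return
"""


def split_views(config_text):
    """Split a saved configuration into views; lines holding only '#' separate them."""
    views, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                views.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        views.append(current)
    return views


def audit_config(config_text, min_rsa_bits=2048):
    """Return (finding id, configuration line) pairs in file order."""
    findings = []
    for view in split_views(config_text):
        for line in view:
            match = re.fullmatch(r"rsa local-key-pair create (\d+)", line)
            if match and int(match.group(1)) < min_rsa_bits:
                findings.append(("weak-rsa-key", line))
            match = re.fullmatch(r"local-user (\S+) service-type (.+)", line)
            if match and "telnet" in match.group(2).split():
                findings.append(("telnet-account", line))
            if re.fullmatch(r"local-user \S+ password simple .+", line):
                findings.append(("plaintext-password", line))
        header = view[0]
        if header.startswith("user-interface vty"):
            # User interfaces support Telnet unless 'protocol inbound ssh' is set.
            if "protocol inbound ssh" not in view:
                findings.append(("vty-allows-telnet", header))
            if "authentication-mode aaa" not in view:
                findings.append(("vty-not-aaa", header))
    return findings


if __name__ == "__main__":
    for name, text in (("P1", P1_CONFIG), ("SSH Server", SSH_SERVER_CONFIG)):
        for finding_id, line in audit_config(text):
            print(f"{name}: {finding_id}: {line}")
```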


4 Transferring Files

About This Chapter

File transfer protocols help file transmission between PCs.

4.1 File Transfer Overview


The File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Secure File
Transfer Protocol (SFTP) can be used to operate and manage files.
4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E
This section describes file transfer modes supported by the HUAWEI NetEngine5000E based
on usage scenarios. Familiarizing yourself with the usage scenarios helps you rapidly and
accurately complete the configurations.
4.3 Operating Files After Logging In to the System
Users can operate files after logging in to the system, including managing storage devices,
directories, and files.
4.4 Using FTP to Operate Files
FTP is used to transfer files between local clients and remote servers.
4.5 Using SFTP to Operate Files
SFTP enables users to log in to a remote device securely from PCs to manage files. This improves
the security of data transmission for remote upgrade.
4.6 Configuration Examples
This section provides configuration examples for operating files after logging in to the system
or by using FTP or SFTP. These configuration examples explain networking requirements,
configuration roadmap, and precautions.


4.1 File Transfer Overview


The File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Secure File
Transfer Protocol (SFTP) can be used to operate and manage files.

FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
l Control connection: issues commands from the client to the server and transmits replies
from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the throughput.

FTP has two file transfer modes:


l Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
l ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.

The device provides the following FTP functions:

- FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
  the device, and run the ftp command to establish a connection between the device and a
  remote FTP server to access and operate files on the server.
- FTP server: Users can use the FTP client program to log in to the device and operate files
  on the device.
  Before users log in, the network administrator must configure an IP address for the FTP
  server.

TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses
the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,
TFTP is simple, providing no authentication. It is applicable to scenarios where complicated
interactions between clients and the server are not required.

TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.

NOTE

- Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
- Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.

TFTP transfer requests are initiated by clients:

- When a TFTP client needs to download files from the server, the client sends a read request
  to the TFTP server. The server sends data packets to the client, and the client acknowledges
  the data packets.
- When a TFTP client needs to upload a file to the server, the client sends a write request
  and then data to the server, and receives acknowledgments from the server.
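
The read-request exchange described above, as an added example that is not part of the Huawei guide: it encodes and decodes TFTP packets in the RFC 1350 wire format and replays a download in memory, which makes visible that a request carries only a file name and a mode and no credential. The file name and payload are constructed sample values.

```python
"""TFTP (RFC 1350) packet layout and a simulated read transfer (added example)."""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # a DATA payload shorter than this marks the last block

# Constructed sample: one 1024-byte file held by the in-memory "server".
SAMPLE_FILES = {"patch.bin": bytes(range(256)) * 4}


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ layout: opcode | filename | NUL | mode | NUL.

    "octet" is TFTP's name for binary mode. The layout has no field for a
    user name or password, so the server cannot authenticate the requester.
    """
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    if not filename or "\0" in filename:
        raise ValueError("invalid file name")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_data(block, payload):
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds one block")
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\0"


def parse_packet(packet):
    """Decode one TFTP packet into a dict; raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("shorter than the smallest TFTP packet")
    opcode, second = struct.unpack("!HH", packet[:4])
    if opcode in (OP_RRQ, OP_WRQ):
        fields = packet[2:].split(b"\0")
        if len(fields) < 3 or fields[-1] != b"" or not fields[0]:
            raise ValueError("malformed request")
        return {"op": opcode, "filename": fields[0].decode("ascii"),
                "mode": fields[1].decode("ascii").lower()}
    if opcode == OP_DATA and len(packet) - 4 <= BLOCK_SIZE:
        return {"op": opcode, "block": second, "payload": packet[4:]}
    if opcode == OP_ACK and len(packet) == 4:
        return {"op": opcode, "block": second}
    if opcode == OP_ERROR and packet.endswith(b"\0"):
        return {"op": opcode, "code": second,
                "message": packet[4:-1].decode("ascii")}
    raise ValueError("unsupported or malformed packet")


def simulate_download(server_files, filename):
    """Replay a read transfer and return (received bytes or None, packet log).

    Each log entry is (sender, packet); no sockets are used. Block numbers are
    16-bit, and this sketch does not handle wrap-around for very large files.
    """
    log = [("client", build_request(OP_RRQ, filename))]
    request = parse_packet(log[0][1])             # server decodes the RRQ
    if request["filename"] not in server_files:
        log.append(("server", build_error(1, "File not found")))
        return None, log
    content = server_files[request["filename"]]   # served to whoever asked
    received, block = b"", 1
    while True:
        chunk = content[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        log.append(("server", build_data(block, chunk)))
        data = parse_packet(log[-1][1])           # client decodes the DATA
        received += data["payload"]
        log.append(("client", build_ack(data["block"])))  # one ACK per block
        if len(data["payload"]) < BLOCK_SIZE:     # short or empty block ends it
            return received, log
        block += 1


if __name__ == "__main__":
    body, packets = simulate_download(SAMPLE_FILES, "patch.bin")
    for sender, pkt in packets:
        print(f"{sender:6} {len(pkt):4d} bytes  {parse_packet(pkt)['op']}")
    print("received", len(body), "bytes")
```

Because the sample file is an exact multiple of 512 bytes, the transfer ends with an empty third DATA packet, which is how the receiver learns the file is complete.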


SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device
functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server or the connection between the server and the client fails, the client needs
to detect the fault in time and proactively release the connection. To help the client detect such
a fault in time, configure the interval at which Keepalive packets are sent when no packet is
received, and the maximum number of times that the server is allowed not to respond:
- If the client does not receive any packet within the specified period, the client sends a
  Keepalive packet to the server.
- If the number of times that the server does not respond exceeds the specified maximum,
  the client proactively releases the connection.

4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E

This section describes file transfer modes supported by the HUAWEI NetEngine5000E based
on usage scenarios. Familiarizing yourself with the usage scenarios helps you rapidly and
accurately complete the configurations.
Table 4-1 lists file transfer modes supported by the HUAWEI NetEngine5000E.

NOTE

The file to be uploaded must be less than 2 GB. Uploading a file larger than 2 GB leaves the device
unable to display information.

Table 4-1 Usage scenarios for file transfer modes

File transfer mode: FTP
  Advantages:
  - Is based on TCP connections, having all TCP characteristics.
  - Supports authentication and authorization.
  - Supports file transfer between different file system hosts.
  Disadvantages:
  - FTP commands are complicated and various.
  - FTP requires more memory resources than TFTP.
  - Data and even user names and passwords are transmitted in plain text, bringing
    security risks.
  Usage scenario:
  FTP can be used on networks that have delays, packet loss, and jitters.
  FTP is used for version upgrade and file transfer.

File transfer mode: TFTP
  Advantages:
  - Is based on UDP connections.
  - TFTP requires fewer memory resources than FTP.
  Disadvantages:
  - TFTP supports only file transfer but not interaction.
  - TFTP does not allow users to list directories or negotiate with the server to
    determine files that can be obtained.
  - TFTP does not provide authentication and authorization. It transmits data in plain
    text. This adds security risks and renders the device vulnerable to attacks and
    network viruses.
  Usage scenario:
  TFTP can be used to load and upgrade software on a local area network (LAN) in a
  laboratory where the network is in good conditions.
  TFTP is applicable to networks where complicated interactions between clients and the
  server are not required.
  For details, see 5.4 Using TFTP to Access Other Devices.

File transfer mode: SFTP
  Advantages:
  Data are encrypted and the integrity is guaranteed. SFTP boasts of high security.
  Disadvantages:
  - Data transmission efficiency is low.
  - Terminals must be installed with third-party software to support SFTP.
  Usage scenario:
  SFTP is applicable to networks that have high security requirements.

4.3 Operating Files After Logging In to the System


Users can operate files after logging in to the system, including managing storage devices,
directories, and files.

Applicable Environment
When a device fails to save or obtain data, you can log in to the system to repair the faulty storage
device or manage files or directories on the device.

This file operation mode is used when storage devices need to be managed.

Pre-configuration Tasks
After logging in to the system, complete the following tasks before operating the files:
- 3 Configuring User Login


Configuration Procedures

Figure 4-1 Operating files after logging in to the system
(Flowchart: Manage directories; Manage files. The legend distinguishes mandatory and
optional procedures.)

4.3.1 Managing Directories


You can manage directories to logically save files in hierarchies.

Context
You can change and display directories, display files in directories and sub-directory lists, and
create and delete directories.
Perform one or multiple of the following operations as required:

Procedure
- Run:
  cd directory

  The current directory of the device is changed.

- Run:
  pwd

  The current directory of the device is displayed.

- Run:
  dir [ /all ] [ filename ]

  Files in the directory and the list of sub-directories are displayed.

- Run:
  mkdir directory

  A directory is created.

- Run:
  rmdir directory

  A directory is deleted.
----End

4.3.2 Managing Files


Files on a device can be deleted or renamed by logging in to the file system.
Files can be viewed, copied, moved, deleted, or renamed.


Perform one or multiple operations shown in Table 4-2 as needed.

Table 4-2 File management

Displaying a file
  Run the more file-name command.
  file-name is in the [ drive ][ path ][ file-name ] format, ranging from 1 to
  128 characters. An absolute path name ranges from 1 to 128 characters,
  supporting a maximum of 8-level directories. If the file needs to be copied
  to another chassis, slot, or CF card, the file path must contain the chassis
  ID, slot number, or CF card information.

Copying a file
  Run the copy source-filename destination-filename command.
  source-filename destination-filename is in the [ drive ][ path ][ file-name ]
  format, ranging from 1 to 128 characters. An absolute path name ranges
  from 1 to 128 characters, supporting a maximum of 8-level directories.
  If the file needs to be copied to another chassis, slot, or CF card, the file
  path must contain the chassis ID, slot number, or CF card information.

Moving a file
  Run the move source-filename destination-filename command.
  source-filename destination-filename is in the [ drive ][ path ][ file-name ]
  format, and can be a wildcard (*). The file name ranges from 1 to 128
  characters. An absolute path name ranges from 1 to 128 characters,
  supporting a maximum of 8-level directories. If the file needs to be copied
  to another chassis, slot, or CF card, the file path must contain the chassis
  ID, slot number, or CF card information.
  When destination-filename is a directory name, the source file is moved
  to this directory, the file name remaining unchanged.

Deleting a file
  Run the delete [ /unreserved ] filename command.
  /unreserved deletes a specified file thoroughly. The deleted file cannot
  be restored.

Restoring a deleted file
  Run the undelete filename command.
  - If a file is deleted mistakenly, run the undelete command to restore
    the file. If a file is deleted by using the delete /unreserved command,
    the file cannot be restored.
  - If the current directory is not a root directory, use the absolute path
    when operating files.

Removing a file from the recycle bin
  Run the reset recycle-bin [ /f | filename ] command.
  /f deletes all files from the recycle bin without confirming with the user
  about whether to delete files one by one.
  NOTE
  This command deletes files from the recycle bin thoroughly, and the deleted file
  cannot be restored. Exercise caution when using this command.

Renaming a file
  Run the rename source-filename destination-filename command.


4.4 Using FTP to Operate Files


FTP is used to transfer files between local clients and remote servers.

Applicable Environment
As devices run stably and are deployed on a large scale, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a method that loads software
packages remotely, facilitates remote upgrade, reduces upgrade expenditure, shortens the
time that customers wait for an upgrade, and improves customer satisfaction. In real-world
situations, delay, packet loss, and jitter affect data transmission on networks. To guarantee
the quality of online upgrade and data transmission, use FTP, which is based on TCP
connections, to perform online upgrade and transfer files.

Pre-configuration Tasks
Before operating files by using FTP, complete the following task:
- 3 Configuring User Login

Configuration Procedures

Figure 4-2 File operation by using FTP
(Flowchart: Configure local FTP users; Configure the listening port number of the FTP
server; Enable the FTP server function; Configure FTP server parameters; Configure FTP
access control; Use the FTP software to access the system; Use FTP commands to operate
files. The legend distinguishes mandatory and optional procedures.)


4.4.1 Configuring a Local FTP User


Authentication information, authorization mode, and authorization directory can be configured
for an FTP user to prevent unauthorized users from accessing the specified directory.

Context
To operate files by using FTP, configure a local user name and password on the device serving as
an FTP server, and specify the service type and the directory that the user can access. Otherwise,
the user cannot access the FTP server.

Perform the following steps on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password simple password

The user name and password are set.

- If simple is specified, the password must be entered in plain text.
- If cipher is specified, the password can be entered in either encrypted text or plain text.
  The result is determined by the input.

Step 4 Run:
local-user user-name service-type ftp

FTP is configured as a service type for the FTP user.

Step 5 Run:
local-user user-name ftp-directory directory

The authorization directory is configured for the FTP user.

CAUTION
If the directory is not configured, the user is automatically redirected to cfcard:/.

Step 6 Run:
commit

The configuration is committed.

----End


4.4.2 (Optional) Changing the Listening Port Number of the FTP Server

After the listening port number of the FTP server is changed, only users that know the new port
number can access the server, ensuring security.

Context
By default, the listening port number of the FTP server is 21. Users can directly log in to a device
functioning as an FTP server by using the default listening port number. Attackers may access
the default listening port, consuming bandwidth, degrading the performance of the server, and
preventing valid users from accessing the server. After the listening port number of the FTP server
is changed, attackers do not know the new listening port number. This effectively prevents
attackers from accessing the listening port.

NOTE

If the FTP server is already enabled when the port number is changed, the FTP server restarts.

Do as follows on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server port port-number

The listening port number of the FTP server is changed.

If a new listening port number is set, the FTP server terminates all established FTP connections,
and then uses the new port number to listen to new FTP connection attempts.

Step 3 Run:
commit

The configuration is committed.

----End

4.4.3 Enabling the FTP Server Function


Before using FTP to operate files, enable the FTP server function on the device.

Context
By default, the FTP server function is disabled. Therefore, you must enable the FTP server
function before using FTP.

Do as follows on the device that functions as an FTP server:


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp [ ipv6 ] server enable

The FTP server function is enabled.

NOTE

After files are successfully transferred between the client and the server, run the undo ftp [ ipv6 ] server
command to disable the FTP server function in time for security.

Step 3 Run:
commit

The configuration is committed.

----End

4.4.4 (Optional) Configuring FTP Server Parameters


Configuring proper parameters for the FTP server guarantees device security and maximizes the
resource usage.

Context
The FTP server parameters include the source address of the FTP server and the timeout period
of an idle FTP connection.

- Specifying the source address of the FTP server restricts the destination address accessed
  by clients, ensuring security.
- After the timeout period of an idle FTP connection is configured, if a client and the server
  do not exchange messages within the specified timeout period, the server terminates the
  connection and releases the FTP connection resource.
Perform the following steps on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure the following FTP server parameters as required:
- Run the ftp server-source { -a source-ip-address | -i interface-type interface-number }
  command to configure the source address of the FTP server.
  By default, the source IP address of an FTP server is 0.0.0.0. The source address must be a
  loopback address, and the source interface must be a loopback interface.
  After the source address is configured, the address specified in the ftp command for login to
  the FTP server must be the configured source address. Otherwise, the login fails.
- Run the ftp timeout minutes command to set the timeout period of an idle FTP connection.
  By default, the timeout period of an idle FTP connection is 30 minutes.

Step 3 Run:
commit

The configuration is committed.

----End

4.4.5 (Optional) Configuring FTP Access Control


An ACL can be configured to allow only specified clients to access an FTP server.

Context
When a device functions as an FTP server, you can configure an ACL to allow only the clients
that meet the rules specified in the ACL to access the FTP server.
Do as follows on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | fragment-type fragment-type-name |
logging | source { source-ip-address source-wildcard | any } | time-range time-
name | vpn-instance vpn-instance-name ] *

A rule is configured.
NOTE

FTP supports only basic ACLs whose numbers range from 2000 to 2999.

Step 4 Run:
ftp acl { acl-number | acl-name acl-name }

A basic ACL is configured to filter FTP users.


Step 5 Run:
commit

The configuration is committed.

----End

4.4.6 Using FTP to Access the System


After an FTP server is configured, you can access the server from a PC by using FTP to manage
the files on the server.


Context
To log in to the FTP server from the PC, use either the Windows Command Prompt or third-party
software. The following procedure uses the Windows Command Prompt as an example.

Do as follows on the PC:

Procedure
Step 1 Enter the Windows Command Prompt window.

Step 2 Run the ftp ip-address command to log in to the server by using FTP.

Enter the user name and password at the prompt, and press Enter. When the command prompt
of the FTP client view is displayed, such as ftp>, you have entered the working path of the FTP
server, as shown in Figure 4-3.

Figure 4-3 Schematic diagram for the working path of the FTP server

----End

4.4.7 Using FTP to Operate Files


After logging in to a device that functions as an FTP server by using FTP, you can upload files
to or download files from the device, and manage the directories of the device.

Context
Table 4-3 lists FTP file attributes.

Table 4-3 File attributes

File attribute: FTP file type
  - ASCII type
    A file is transmitted in ASCII characters. In this type, the Enter
    key cannot be used to separate lines.
  - Binary type

File attribute: FTP data connection mode
  The following data connection mode can be set for the FTP server:
  - ACTIVE mode: The server proactively connects clients during
    connection establishment.
  - PASV mode: The server waits to be connected by clients during
    connection establishment.
  During connection establishment, the FTP client determines the mode
  to be either ACTIVE or PASV.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
  [ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
  establish a connection to the FTP server and enter the FTP client view.
- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ portnumber ]
  command to use an IPv6 address to establish a connection to the FTP server and enter the
  FTP client view.
Step 2 Perform one or more operations shown in Table 4-4 as needed.

Table 4-4 File operations

Managing files

  Configuring the file type
  - Run the ascii command to set the file type to ASCII.
  - Run the binary command to set the file type to binary.
  The FTP file type is determined by the client. By default,
  the ASCII type is used.

  Configuring the data connection mode
  - Run the passive command to set the data connection
    mode to PASV.
  - Run the undo passive command to set the data
    connection mode to ACTIVE.
  By default, the PASV mode is used.

  Uploading files
  - Run the put local-filename [ remote-filename ]
    command to upload a file from the local device to a
    remote server.
  - Run the mput local-filenames command to upload files
    from the local device to a remote server.

  Downloading files
  - Run the get remote-filename [ local-filename ] command
    to download a file from a remote server and save the file
    on the local device.
  - Run the mget remote-filenames command to download
    files from a remote server and save the files on the local
    device.

  Enabling the file transfer prompt function
  - If the prompt command is run in the FTP client view to
    enable the file transfer prompt function, the system
    prompts you to confirm the uploading or downloading
    operation during file uploading or downloading.
  - If the prompt command is run again in the FTP client
    view, the file transfer prompt function is disabled.
  NOTE
  The prompt command is applicable to the scenario where the
  mput or mget command is used to upload or download files. If the
  local device has the files to be downloaded by running the mget
  command, the system prompts you to override the existing ones
  regardless of whether the file transfer prompt function is enabled.

  Enabling the FTP verbose function
  Run the verbose command.
  After the verbose function is enabled, all FTP response
  information is displayed. After file transfer is complete,
  statistics about the transmission rate are displayed.

Managing directories

  Changing the working path of a remote FTP server
  Run the cd pathname command.

  Changing the working path of an FTP server to the parent directory
  Run the cdup command.

  Displaying the working path of an FTP server
  Run the pwd command.

  Displaying files in a directory and the list of sub-directories
  Run the dir [ remote-directory [ local-filename ] ] command.
  If no path name is specified for a specified remote file, the
  system will search the file in the authorized directory of the
  user.

  Displaying a specified remote directory or file on an FTP server
  Run the ls [ remote-directory [ local-filename ] ] command.

  Displaying or changing the working path of an FTP client
  Run the lcd [ directory ] command.
  The lcd command displays the local working path of the FTP
  client, while the pwd command displays the working path
  of the remote FTP server.

  Creating a directory on an FTP server
  Run the mkdir remote-directory command.
  The directory can be a combination of letters and numbers,
  excluding special characters such as "<", ">", "?", "\", or ":".

  Deleting a directory from an FTP server
  Run the rmdir remote-directory command.

Displaying online help for an FTP command
  Run the remotehelp [ command ] command.

Changing an FTP user
  Run the user username [ password ] command.

Step 3 Perform either of the following operations as needed to terminate an FTP connection.
- Run the bye/quit command to terminate the connection to the FTP server and return to the
  user view.
- Run the close/disconnect command to terminate both the connection to the FTP server and
  the FTP session but remain in the FTP client view.
Step 4 Run:
commit

The configuration is committed.

----End

4.4.8 Checking the Configuration


After completing the configurations of file operation by using FTP, you can view the
configuration and status of the FTP server as well as information about logged-in FTP users.

Prerequisite
The configurations of file operation by using FTP are complete.

Procedure
- Run the display ftp-server command to check the configuration and status of the FTP
  server.
- Run the display ftp-users command to check information about logged-in FTP users.
----End

Example
Run the display ftp-server command to view the configuration and status of the FTP server.
<HUAWEI> display ftp-server
--------------------------------------------------------------------------
Server State : enabled
IPv6 server State : enabled
Timeout value (mins) : 30
Listen port : 21
IPv6 listen port : 21
ACL 4 name :
ACL 4 number : 0
Current user count : 0
Max user number : 15
Source IPv4 address : 0.0.0.0
Source interface :
--------------------------------------------------------------------------

Run the display ftp-users command to view information about logged-in FTP users, including
the user name, port number, and authorized directory.
<HUAWEI> display ftp-users
-----------------------------------------------------------
User Name : root
Host Address : 2607:F0D0:1002:11::126
Control Port : 20465
Idle Time (mins) : 1
Root Directory :cfcard:/
User Name : root
Host Address : 10.18.26.139
Control Port : 28783
Idle Time (mins) : 0
Root Directory :cfcard:/
-----------------------------------------------------------
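
A check over the two outputs above, as an added example that is not Huawei tooling: a Python script that parses display ftp-server and display ftp-users text and reports the settings this section ties to security (plain-text FTP left enabled, no ACL, default source address, default port, sessions rooted at cfcard:/). The sample text is constructed from the output shown above; treating ACL number 0 with an empty name as "no ACL bound" is an assumption, and the finding names are hypothetical.

```python
"""Audit 'display ftp-server' / 'display ftp-users' text output (added example)."""

# Constructed samples, copied from the field layout shown in this section.
SAMPLE_SERVER = """\
Server State : enabled
IPv6 server State : enabled
Timeout value (mins) : 30
Listen port : 21
IPv6 listen port : 21
ACL 4 name :
ACL 4 number : 0
Current user count : 0
Max user number : 15
Source IPv4 address : 0.0.0.0
Source interface :
"""

SAMPLE_USERS = """\
User Name : root
Host Address : 2607:F0D0:1002:11::126
Control Port : 20465
Idle Time (mins) : 1
Root Directory :cfcard:/
User Name : root
Host Address : 10.18.26.139
Control Port : 28783
Idle Time (mins) : 0
Root Directory :cfcard:/
"""

# Constructed: the same server after an ACL, a new port and a source address
# have been configured and the IPv6 server has been disabled.
SAMPLE_RESTRICTED = (SAMPLE_SERVER
                     .replace("IPv6 server State : enabled", "IPv6 server State : disabled")
                     .replace("Listen port : 21", "Listen port : 2121")
                     .replace("ACL 4 number : 0", "ACL 4 number : 2001")
                     .replace("Source IPv4 address : 0.0.0.0", "Source IPv4 address : 10.1.1.1"))


def _pairs(text):
    """Yield (lower-cased key, value) for each 'Key : value' line."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so IPv6
        if sep and key.strip():                # addresses and cfcard:/ survive
            yield key.strip().lower(), value.strip()


def parse_users(text):
    """Split display ftp-users output into one dict per logged-in session."""
    users = []
    for key, value in _pairs(text):
        if key == "user name":                 # each record starts with this field
            users.append({})
        if users:
            users[-1][key] = value
    return users


def audit_ftp(server_text, users_text=""):
    """Return a list of (finding_id, detail); empty when FTP is disabled."""
    f = dict(_pairs(server_text))
    families = [(state, port) for state, port in
                (("server state", "listen port"),
                 ("ipv6 server state", "ipv6 listen port"))
                if f.get(state, "").lower() == "enabled"]
    if not families:
        return []
    findings = [("ftp-enabled", "FTP carries user names, passwords and data in "
                 "plain text; disable it once the transfer is complete")]
    # Assumption: number 0 together with an empty name means no ACL is bound.
    if f.get("acl 4 number", "0") == "0" and not f.get("acl 4 name"):
        findings.append(("no-acl", "no basic ACL (2000-2999) filters FTP clients"))
    if f.get("source ipv4 address", "0.0.0.0") == "0.0.0.0" and not f.get("source interface"):
        findings.append(("source-default", "no loopback source address or interface is set"))
    for _, port in families:
        # A changed port only hides the service; the ACL is the access control.
        if f.get(port) == "21":
            findings.append(("default-port", f"{port} is 21"))
    for user in parse_users(users_text):
        # cfcard:/ is where a user lands when no ftp-directory is configured.
        if user.get("root directory", "").lower() == "cfcard:/":
            findings.append(("root-dir-default",
                             f"{user.get('user name')} from {user.get('host address')}"))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit_ftp(SAMPLE_SERVER, SAMPLE_USERS):
        print(f"{finding_id:18} {detail}")
```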

4.5 Using SFTP to Operate Files


SFTP enables users to log in to a remote device securely from PCs to manage files. This improves
the security of data transmission for remote upgrade.

Applicable Environment
As devices run stably and are deployed on a large scale, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, a method that loads software
packages remotely, facilitates remote upgrade, reduces upgrade expenditure, shortens the
time that customers wait for an upgrade, and improves customer satisfaction. FTP is usually
used to transmit data for online upgrade. FTP transmits data and even user names and
passwords in plain text, bringing security risks.
SFTP enables users to log in to a remote device securely from PCs to manage files. This improves
the security of data transmission for remote upgrade. In addition, the device can function as an
SFTP client. This allows users that have logged in to the device to access other remote devices
to transfer files and perform online upgrade by using SFTP.

Pre-configuration Tasks
Before operating files by using SFTP, complete the following task:
- Configuring User Login


Configuration Procedures

Figure 4-4 Operating files by using SFTP
(Flowchart: Configure an SSH user and specify SFTP as the service type; Enable the SFTP
server function; Configure SFTP server parameters; Use SFTP to access the system; Use
SFTP commands to operate files. The legend distinguishes mandatory and optional
procedures.)

4.5.1 Configuring an SSH User and Specifying the Service Type


To allow users to log in to the device by using SFTP, configure an SSH user, configure the device
to generate a local RSA key pair, configure a user authentication mode, and specify a service
type for the SSH user.

Context
- SSH users can be authenticated in four modes: RSA, password, password-RSA, and All.
  Password authentication depends on AAA. Before a user logs in to the device in password
  or password-RSA authentication mode, a local user with the same user name must be
  created in the AAA view.
- Configuring the system to generate a local RSA key pair is a key step for SSH login. If an
  SSH user logs in to an SSH server in password authentication mode, configure the server
  to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
  authentication mode, configure both the server and the client to generate local RSA key
  pairs.

NOTE

Password-RSA authentication requires success of both password authentication and RSA authentication.
The All authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the device that functions as an SSH server:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user user-name

An SSH user is created.

If password or password-RSA authentication is configured for the SSH user, create the same
SSH user in the AAA view and set the local user access type to SSH.

1. Run the aaa command to enter the AAA view.


2. Run the local-user user-name password { simple | cipher } password command to
configure a local user name and a password.
3. Run the local-user user-name service-type ssh command to set the local user access type
to SSH.
4. Run the quit command to exit from the AAA view and enter the system view.

By default, a local user can use any access type. You can specify an access type to allow only
users configured with the specified access type to log in to the device.

Step 3 Run:
rsa local-key-pair create

A local RSA key pair is generated.

NOTE

- The rsa local-key-pair create command must be used to create a local RSA key pair before other
  SSH-related configuration.
- After the key pair is generated, run the display rsa local-key-pair public command to view information
  about the public key in the local key pair.

Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }

An authentication mode is set for the SSH user.

Perform either of the following operations as needed:

- Configure password authentication.

  Run the ssh user user-name authentication-type password command to configure
  password authentication.
  Run the ssh authentication-type default password command to configure default
  password authentication.
  If local or HWTACACS authentication is used and there are only a few users, use password
  authentication. If there are a large number of users, use default password authentication to
  simplify configuration.
- Configure RSA authentication.
  1. Run the ssh user user-name authentication-type rsa command to configure RSA
     authentication.
  2. Run the rsa peer-public-key key-name command to enter the public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.
     NOTE
     - In the public key edit view, only hexadecimal strings complying with the public key
       format can be typed in. Each string is randomly generated on an SSH client. For detailed
       operations, see manuals for SSH client software.
     - After entering the public key edit view, paste the RSA public key generated on the client
       to the server.
  5. Run the public-key-code end command to exit from the public key edit view.
     - Running the peer-public-key end command generates a key only after a valid hex-
       data complying with the public key format is entered.
     - If the peer-public-key end command is used after the key key-name specified in
       substep 2 is deleted in another window, the system prompts a message, indicating that
       the key does not exist, and the system view is displayed.
  6. Run the peer-public-key end command to return to the system view.
  7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a
     public key.

Step 5 (Optional) Configure basic authentication information for the SSH user.
1. Run the ssh server rekey-interval hours command to set an interval at which the key of
   the server is updated.
   By default, the interval is 0, indicating that the key is never updated.
2. Run the ssh server timeout seconds command to set the timeout period for SSH
   authentication.
   By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the maximum number of SSH
   authentication retries.
   By default, SSH authentication retries a maximum of 3 times.

Step 6 Run:
ssh user username service-type { sftp | all }

The service type of an SSH user is set to SFTP or all.

By default, the service type of an SSH user is none. That is, no service is supported.

Step 7 Run:
commit

The configuration is committed.

----End

4.5.2 Enabling the SFTP Server Function


Before using SFTP to access a device, enable the SFTP server function on the device.

Context
By default, the SFTP server function is disabled on the device. Users can use SFTP to
establish connections to the device only after the SFTP server function is enabled.
Do as follows on the device that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sftp server enable

The SFTP server function is enabled.


By default, the SFTP server function is disabled.
Step 3 Run:
commit

The configuration is committed.

----End

4.5.3 (Optional) Configuring SFTP Server Parameters


You can configure a device to support the SSH protocol of earlier versions, configure or change
the listening port number of an SFTP server, and set an interval at which the key pair of the
SFTP server is updated.

Context
Table 4-5 lists SFTP server parameters.

Table 4-5 Description of SFTP server parameters

| SFTP Server Parameter | Description |
|---|---|
| Earlier SSH version compatibility | SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP. The HUAWEI NetEngine5000E supports SSH versions ranging from 1.3 to 2.0. |
| Listening port number of an SFTP server | The default listening port number of an SFTP server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, affecting server performance, and preventing valid users from accessing the server. After the listening port number of the SFTP server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security. |
| Interval at which the key pair of the SFTP server is updated | After the interval is set, the key pair of the SFTP server is updated periodically to improve security. |
| Timeout period of an idle connection | If a connection is idle within the timeout period, the system automatically cuts off the connection when the timeout period expires. This effectively prevents users from occupying connection resources for a long time without performing any operation. |
| Maximum number of clients that can be connected to the server | If the specified maximum number is smaller than the number of clients that are being connected to the server, the logged-in users will not be forced offline, and the server no longer accepts new connection requests. |

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Perform one or more operations shown in Table 4-6 as needed.

Table 4-6 Configurations of SFTP server parameters

| SFTP Server Parameter | Operation |
|---|---|
| Earlier SSH version compatibility | Run the ssh server compatible-ssh1x enable command. By default, an SFTP server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions. |
| Listening port number of the SFTP server | Run the ssh server port port-number command. If a new listening port is set, the SFTP server cuts off all established STelnet and SFTP connections, and then uses the new port number to listen to connection requests. By default, the listening port number is 22. |
| Interval at which the key pair of the SFTP server is updated | Run the ssh server rekey-interval hours command. By default, the interval is 0, indicating that the key pair will never be updated. |
| Timeout period of an idle connection | Run the ssh server timeout seconds command. By default, the timeout period is 60 seconds. |

Step 3 Run:
commit

The configuration is committed.

----End

4.5.4 Using SFTP to Access the System


After the configuration is complete, users can log in to the device from the PC by using SFTP
to manage files on the device.

Context
Third-party software can be used to access the device from a PC by using SFTP. The following
uses the third-party software OpenSSH and the Windows Command Prompt as an example.
After installing OpenSSH on the PC, do as follows on the PC:

NOTE

For details about how to install OpenSSH, see the installation guide of the software.
For details on how to use OpenSSH commands to log in to the system, see the help document of the software.

Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run relevant OpenSSH commands to log in to the device in SFTP mode.
When the command prompt of the SFTP client view is displayed, such as sftp>, you have entered
the working path of the SFTP server, as shown in Figure 4-5.

Figure 4-5 Schematic diagram for the working path of the FTP server

----End

4.5.5 Using SFTP to Operate Files


After logging in to the SFTP server, you can manage directories and files on the server.

Context
After logging in to the SFTP server, you can perform the following operations:
• Obtain command help on the SFTP client.
• Manage directories on the SFTP server.
• Manage files on the SFTP server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ]
[ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 |
dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ]
* [ -ki aliveinterval [ -kc alivecountmax ] ]

The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.

Step 3 Perform one or more operations shown in Table 4-7 as needed.

Table 4-7 File operation

| Category | File Operation | Description |
|---|---|---|
| Managing directories | Changing the user's working directory | Run the cd [ remote-directory ] command. |
| Managing directories | Changing the user's working directory to the parent directory | Run the cdup command. |
| Managing directories | Displaying the user's working directory | Run the pwd command. |
| Managing directories | Displaying files in the directory and the list of sub-directories | Run the dir / ls [ remote-directory ] command. |
| Managing directories | Deleting directories on the server | Run the rmdir remote-directory &<1-10> command. |
| Managing directories | Creating a directory on the server | Run the mkdir remote-directory command. |
| Managing files | Renaming a file on the server | Run the rename old-name new-name command. |
| Managing files | Downloading files from a remote server | Run the get remote-filename [ local-filename ] command. |
| Managing files | Uploading files to a remote server | Run the put local-filename [ remote-filename ] command. |
| Managing files | Deleting files from the server | Run the remove path &<1-10> command. |
| Displaying command help on the SFTP client | | Run the help [ all | command-name ] command. |

----End

4.5.6 Checking the Configuration


After completing the configuration of file operation by using SFTP, you can view information
about SSH users and the configuration of the SSH server.

Prerequisite
The configuration of file operation by using SFTP is complete.

Procedure
• Run the display ssh user-information username command on the SSH server to check
  information about SSH users.
• Run the display ssh server status command on the SSH server to check its configuration.
• Run the display ssh server session command on the SSH server to check information about
  sessions between the SSH server and SSH clients.
• Run the display ssh server statistics command on the SSH server to view information
  about the total number of connections accepted, denied, closed and total online connections.
----End

Example
Run the display ssh user-information client001 command. The output shows that the authentication
mode set for the SSH user client001 is password and the service type is sftp.
<HUAWEI> display ssh user-information client001
--------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : cfcard:/home
Service-type : sftp
Authorization-cmd : Yes
---------------------------------------------
Total 1, 1 printed

Run the display ssh server status command to view configuration of the SSH server.
<HUAWEI> display ssh server status
SSH version : 2.0
SSH authentication timeout : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility : Disable
SSH server keep alive : Enable
SFTP server : Disable
STELNET server : Enable
SNETCONF server : Disable
SSH server port : 1025

NOTE

If the default listening port is in use, information about the current listening port is not displayed.

Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<HUAWEI> display ssh server session
Session : 2
Conn : SFTP 0
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password

Run the display ssh server statistics command to view the current statistics information of the
SSH server.

<HUAWEI> display ssh server statistics


----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
----------------------------------------
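
The following added example (not part of the Huawei guide) parses text in the shape of the display ssh server status and display ssh server session outputs above and lists the settings a reviewer would question. The sample text is constructed from those outputs; the function names and the legacy-algorithm policy (DES and 3DES ciphers, MD5-based HMACs, the group1 key exchange) are assumptions of this example, not device behaviour.

```python
import re

# Constructed samples in the shape of the outputs shown above.
STATUS_SAMPLE = """\
SSH version : 2.0
SSH authentication timeout : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility : Disable
SSH server keep alive : Enable
SFTP server : Disable
STELNET server : Enable
SNETCONF server : Disable
SSH server port : 1025
"""

SESSION_SAMPLE = """\
Session : 2
Conn : SFTP 0
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password
"""

# Review policy of this example (an assumption, not a device default).
LEGACY_CIPHER_FAMILIES = {"des", "3des"}
LEGACY_MAC_MARKER = "md5"
LEGACY_KEX_MARKER = "group1-"


def parse_fields(text):
    """Return {lower-cased key: value} for every 'Key : Value' line."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def listening_port(status):
    """The port line is not displayed when the default port is in use (see the NOTE)."""
    return int(status.get("ssh server port", 22))


def audit_status(text, expect_sftp=True):
    """Check server-wide settings; returns a list of (field, advice)."""
    status = parse_fields(text)
    findings = []
    if status.get("ssh version 1.x compatibility", "").lower() == "enable":
        findings.append(("ssh version 1.x compatibility",
                         "SSH1.X clients can log in; run undo ssh server compatible-ssh1x enable"))
    hours = re.match(r"\d+", status.get("ssh server key generating interval", ""))
    if hours and int(hours.group()) == 0:
        findings.append(("ssh server key generating interval",
                         "key pair is never updated; set ssh server rekey-interval"))
    if expect_sftp and status.get("sftp server", "").lower() != "enable":
        findings.append(("sftp server",
                         "SFTP connections are not accepted; run sftp server enable"))
    return findings


def audit_session(text):
    """Check the algorithms one session negotiated; returns (field, advice)."""
    session = parse_fields(text)
    findings = []
    if not session.get("version", "").startswith("2"):
        findings.append(("version", "session is not using SSH2.0"))
    for direction in ("ctos", "stoc"):  # client-to-server, server-to-client
        cipher = session.get(f"{direction} cipher", "").lower()
        if cipher.split("-")[0] in LEGACY_CIPHER_FAMILIES:
            findings.append((f"{direction} cipher", f"legacy cipher {cipher}"))
        mac = session.get(f"{direction} hmac", "").lower()
        if LEGACY_MAC_MARKER in mac:
            findings.append((f"{direction} hmac", f"MD5-based MAC {mac}"))
    kex = session.get("kex", "").lower()
    if LEGACY_KEX_MARKER in kex:
        findings.append(("kex", f"fixed group 1 key exchange {kex}"))
    return findings


if __name__ == "__main__":
    print("listening port:", listening_port(parse_fields(STATUS_SAMPLE)))
    for field, advice in audit_status(STATUS_SAMPLE) + audit_session(SESSION_SAMPLE):
        print(f"{field}: {advice}")
```
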

4.6 Configuration Examples


This section provides configuration examples for operating files after logging in to the system
or by using FTP or SFTP. These configuration examples explain networking requirements,
configuration roadmap, and precautions.

4.6.1 Example for Operating Files After Logging In to the System


This example describes how to log in to the system to view directories and copy files.
For detailed configurations about operating files after logging in to the system, see Operating
Files After Logging In to the System.

4.6.2 Example for Using FTP to Operate Files


Files can be uploaded and downloaded by using FTP.

Networking Requirements
As devices run stably and are deployed on a large scale, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, an upgrade method that loads
software packages remotely, facilitates remote upgrade, reduces upgrade expenditure, shortens
the time that customers wait for an upgrade, and improves customer satisfaction. In real-world
networks, delay, packet loss, and jitter affect data transmission. To guarantee the quality of
online upgrade and data transmission, use FTP, which is based on TCP connections, to perform
online upgrade and transfer files.
As shown in Figure 4-6, after the FTP server function is enabled on the router, you can log in
to the FTP server from the HyperTerminal to upload or download files.

Figure 4-6 Networking diagram for operating files by using FTP (PC connected over the network to GE0/0/0, 10.137.217.221/16, on the FTP server)

Precautions
The IP address of the FTP server must be configured on the MEth interface.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of the FTP server.
2. Enable the FTP server function.
3. Configure the authentication information, authorization mode, and directories to be
accessed for an FTP user.
4. Log in to the FTP server by using the correct user name and password.
5. Upload files to or download files from the FTP server.

Data Preparation
To complete the configuration, you need the following data:
• IP address of the FTP server: 10.137.217.221
• FTP user information (user name: huawei, password: huawei)
• Path on which the file to be uploaded is saved and the path on which the file to be
  downloaded is saved

Procedure
Step 1 Configure the IP address of the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname server
[~HUAWEI] commit
[~server] interface gigabitethernet0/0/0
[~server-GigabitEthernet0/0/0] undo shutdown
[~server-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~server-GigabitEthernet0/0/0] quit
[~server] commit

Step 2 Enable the FTP server function.


[~server] ftp server enable
[~server] commit

Step 3 Configure the authentication information, authorization mode, and authorized directories for an
FTP user on the FTP server.
[~server] aaa
[~server-aaa] local-user huawei password simple huawei
[~server-aaa] local-user huawei service-type ftp
[~server-aaa] local-user huawei ftp-directory cfcard:/
[~server-aaa] quit
[~server] commit

Step 4 Run the ftp commands at the Windows Command Prompt, and enter the correct user name and
password to set up an FTP connection to the FTP server, as shown in Figure 4-7.

Figure 4-7 Logging in to the FTP server

Step 5 Upload a file from the terminal to the server and download a file from the server, as shown
in Figure 4-8.

Figure 4-8 Operating files by using FTP

NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed
information about the file.

----End

Configuration Files
• Configuration file of the FTP server
#
sysname server
#
aaa
local-user huawei password simple huawei
local-user huawei ftp-directory cfcard:/
local-user huawei service-type ftp
#
authentication-scheme default
#
authorization-scheme default
#

accounting-scheme default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
ftp server enable
#
admin
return

4.6.3 Example for Using SFTP to Operate Files


In this example, a local key pair is configured on the SSH server, and a user name and a password
are configured on the server for an SSH user. After the SFTP server function is enabled on the
server and the SFTP client is connected to the server, you can operate files between the client
and the server.

Networking Requirements
As devices run stably and are deployed on a large scale, more and more devices need to be
maintained and upgraded remotely. Online software upgrade, an upgrade method that loads
software packages remotely, facilitates remote upgrade, reduces upgrade expenditure, shortens
the time that customers wait for an upgrade, and improves customer satisfaction. FTP is usually
used to transmit data for online upgrade. FTP transmits data, and even user names and passwords,
in plain text, which brings security risks.
SFTP enables users to log in to a remote device securely from PCs to manage files. This improves
the security of data transmission for remote upgrade. In addition, the device can function as an
SFTP client. This allows users that have logged in to the device to access other remote devices
to transfer files and perform online upgrade by using SFTP.
As shown in Figure 4-9, after the SFTP server function is enabled on the router that functions
as an SSH server, you can log in to the server in password, RSA, password-RSA, or all
authentication mode from a PC that functions as an SFTP client.

Figure 4-9 Networking diagram for operating files by using SFTP (PC connected over the network to GE0/0/0, 10.137.217.225/16, on the SSH server)

Precautions
The IP address of the SSH server must be configured on the MEth interface.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server, allowing secure data transmission between
the client and the server.
2. Configure VTY user interfaces on the SSH server.

3. Configure an SSH user, including the user authentication mode, user name, password, and
authorized directory.
4. Enable the SFTP server function on the SSH server and configure the service type.

Data Preparation
To complete the configuration, you need the following data:
• SSH user authentication mode: password; user name: client001; password: huawei
• User level of client001: 3
• IP address of the SSH server: 10.137.217.225

Procedure
Step 1 Configure the IP address of the SSH server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] quit
[~SSH Server] commit

Step 2 Configure a local key pair on the SSH server.


[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] :

Step 3 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] quit
[~SSH Server] commit

Step 4 Enable the SFTP server function and set the service type to SFTP.
[~SSH Server] sftp server enable
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

Step 5 Configure the authorized directory for the SSH user.


[~SSH Server] ssh user client001 service-type sftp
[~SSH Server] commit

Step 6 Verify the configuration.


# Access the SFTP server by using the OpenSSH software.

Figure 4-10 Schematic diagram for accessing the SFTP server by using the OpenSSH software

----End

Configuration file of the SSH server


#
sysname SSH Server
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
#
aaa
local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user client001 level 3
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.137.217.225 255.255.0.0

#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh

#
admin
return
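
The following added example (not part of the Huawei guide) reviews saved configurations like the FTP server and SSH server files in 4.6.2 and 4.6.3 for the points those examples raise: passwords stored with the simple keyword, FTP enabled although it carries credentials in plain text, an FTP directory set to the root of the storage device, password-only SSH users, and VTY lines not restricted to SSH. The two excerpts are constructed from those files with a ciphertext placeholder; the one-space indent of child lines, the function names, and the rule names are assumptions of this example.

```python
import re

# Constructed excerpts in the shape of the two configuration files above.
# Assumption: child lines are indented by one space, which the listings lost.
FTP_SERVER_CFG = """\
#
sysname server
#
aaa
 local-user huawei password simple huawei
 local-user huawei ftp-directory cfcard:/
 local-user huawei service-type ftp
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
ftp server enable
#
return
"""

SSH_SERVER_CFG = """\
#
sysname SSH Server
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
#
aaa
 local-user client001 password cipher <CIPHERTEXT-PLACEHOLDER>
 local-user client001 level 3
 local-user client001 service-type ssh
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def parse_sections(cfg):
    """Group lines into (view header, [child lines]); '#' or a blank line ends a view."""
    sections, current = [], None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
            continue
        if raw[0].isspace() and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_aaa(children):
    """Checks on local-user lines inside the aaa view."""
    findings = []
    for line in children:
        m = re.fullmatch(r"local-user (\S+) password (simple|cipher) (\S+)", line)
        if m and m.group(2) == "simple":
            findings.append(("plaintext-password", m.group(1),
                             "password is readable in the configuration file; use password cipher"))
            if m.group(3) == m.group(1):
                findings.append(("password-equals-username", m.group(1),
                                 "password is the same as the user name"))
        m = re.fullmatch(r"local-user (\S+) ftp-directory (\S+)", line)
        if m and m.group(2).rstrip("/").endswith(":"):
            findings.append(("storage-root-directory", m.group(1),
                             f"{m.group(2)} exposes the whole storage device"))
    return findings


def audit_config(cfg):
    """Return a list of (rule, subject, advice) in configuration-file order."""
    findings = []
    for header, children in parse_sections(cfg):
        if header == "aaa":
            findings.extend(audit_aaa(children))
        elif header == "ftp server enable":
            findings.append(("ftp-enabled", "ftp server",
                             "FTP sends user names and passwords in plain text; prefer SFTP"))
        elif header.startswith("user-interface vty"):
            inbound = [c.split()[-1] for c in children if c.startswith("protocol inbound")]
            if inbound != ["ssh"]:
                findings.append(("vty-not-ssh-only", header,
                                 "restrict the lines with protocol inbound ssh"))
        else:
            m = re.fullmatch(r"ssh user (\S+) authentication-type (\S+)", header)
            if m and m.group(2) == "password":
                findings.append(("ssh-password-only", m.group(1),
                                 "consider rsa or password-rsa authentication"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("FTP server", FTP_SERVER_CFG), ("SSH server", SSH_SERVER_CFG)):
        for rule, subject, advice in audit_config(cfg):
            print(f"[{name}] {rule} ({subject}): {advice}")
```
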

5 Accessing Other Devices

About This Chapter

To operate files on other devices, and manage or configure these devices, access the device by
using Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.

5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.
5.2 Using Telnet to Log In to Other Devices
Telnet helps users to log in to remote devices to manage and maintain the devices.
5.3 Using STelnet to Log In to Other Devices
STelnet provides secure Telnet services. You can use STelnet to log in to other devices from the
device that you have logged in to, and manage the remote devices.
5.4 Using TFTP to Access Other Devices
TFTP is used to transfer files between remote server and local hosts. Unlike FTP, TFTP is simple,
providing no authentication. It is applicable to scenarios without complicated interactions
between the client and the server.
5.5 Using FTP to Access Other Devices
You can log in to an FTP server on the network from the device that functions as an FTP client
to upload files to or download files from the server.
5.6 Using SFTP to Access Other Devices
SFTP provides a secure FTP service. The device is configured as an SFTP client. The SFTP
server authenticates the client and encrypts data in both directions to provide secure file transfer.
5.7 Configuration Examples
This section provides examples for configuring one device to access other devices. These
configuration examples explain networking requirements, configuration roadmap, and
precautions.

5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.
As shown in Figure 5-1, after you use the terminal emulator or Telnet program on a PC to
connect to the router successfully, the router can still function as a client to help you access other
devices on the network by using Telnet, FTP, TFTP, or SFTP.

Figure 5-1 Schematic diagram for accessing other devices (PC, user network, Telnet client, IP network, Telnet server)

Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login
and virtual terminal services. The NE5000E provides the following Telnet services:
• Telnet server: A user runs the Telnet client program on a PC to log in to the router to
  configure and manage the router. The router functions as a Telnet server.
• Telnet client: After using the terminal emulator or Telnet client program on a PC to connect
  to the router, a user runs the telnet command to log in to another device for configuration
  and management. The router functions as a Telnet client. In Figure 5-2, the CE functions
  as both a Telnet server and a Telnet client.

Figure 5-2 Telnet server providing the Telnet client service (Telnet session 1 between the PC and the CE, Telnet session 2 between the CE and the PE)

• Telnet service interruption

Figure 5-3 Usage of Telnet shortcut keys (labels: P1, P2, P3, Telnet session 1, Telnet session 2, Telnet client, Telnet server)

Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure
5-3, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the
Telnet client of P3. The usage of shortcut keys is described as follows:
Ctrl_]: Instructs the server to disconnect a Telnet connection.
If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server
interrupts the current Telnet connection.
For example, enter Ctrl_] on P3, and the P2 prompt is displayed.
<P3> Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2> Select Ctrl_] to return to the prompt of P1
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>

NOTE

If the network connection is disconnected, shortcut keys do not take effect.


Ctrl_K: Instructs the client to disconnect the connection.
When the server fails and the client is unaware of the failure, the server does not respond
to input from the client. In this case, if you select Ctrl_K, the Telnet client interrupts the
connection and quits the Telnet connection.
For example, select Ctrl_K on P3 to quit the Telnet connection.
<P3> Select Ctrl_K to abort
<P1>

CAUTION
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all user
interfaces are in use and no more Telnet connections are allowed.

FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
• Control connection: issues commands from the client to the server and transmits replies
  from the server to the client, minimizing the transmission delay.
• Data connection: transmits data between the client and server, maximizing the throughput.
FTP has two file transfer modes:
• Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
• ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:
• FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
  the device, and run the ftp command to establish a connection between the device and a
  remote FTP server to access and operate files on the server.
• FTP server: Users can use the FTP client program to log in to the device and operate files
  on the device.
  Before users log in, the network administrator must configure an IP address for the FTP
  server.

TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses
the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,
TFTP is simple, providing no authentication. It is applicable to scenarios where complicated
interactions between clients and the server are not required.

TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.

NOTE

• Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
• Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.

TFTP transfer requests are initiated by clients:


• When a TFTP client needs to download files from the server, the client sends a read request
  to the TFTP server. The server sends data packets to the client, and the client acknowledges
  the data packets.
• When a TFTP client needs to upload a file to the server, the client sends a write request
  and then data to the server, and receives acknowledgments from the server.
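
The read and write exchanges described above, as an added example that is not part of the Huawei guide: it builds the TFTP packets defined in RFC 1350 in binary (octet) mode and replays a download and an upload in memory, including the empty final DATA block needed when a file is an exact multiple of 512 bytes. The file names and contents are constructed, and the function names are assumptions of this example.

```python
import struct

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4   # opcodes from RFC 1350
BLOCK_SIZE = 512                   # a shorter DATA payload ends the transfer


def request(opcode, filename, mode="octet"):
    """RRQ/WRQ layout: opcode, file name, NUL, mode, NUL. There is no credential field."""
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def ack(block):
    return struct.pack("!HH", ACK, block)


def parse(packet):
    """Decode one packet into a tuple that starts with its opcode."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        filename, mode = packet[2:].split(b"\0")[:2]
        return opcode, filename.decode("ascii"), mode.decode("ascii").lower()
    (block,) = struct.unpack("!H", packet[2:4])
    if opcode == DATA:
        return opcode, block, packet[4:]
    if opcode == ACK:
        return opcode, block
    raise ValueError(f"unsupported opcode {opcode}")


def _stream(sender, receiver, content, transcript):
    """Lock-step DATA/ACK loop used in both directions; returns the bytes received."""
    received, block = b"", 0
    while True:
        block += 1
        chunk = content[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        transcript.append((sender, data(block, chunk)))
        _, number, payload = parse(transcript[-1][1])
        received += payload
        transcript.append((receiver, ack(number)))
        if len(payload) < BLOCK_SIZE:   # also true for an empty final block
            return received


def download(server_files, filename):
    """Client sends a read request; server sends DATA, client acknowledges each block."""
    transcript = [("client", request(RRQ, filename))]
    _, name, _mode = parse(transcript[0][1])
    received = _stream("server", "client", server_files[name], transcript)
    return received, transcript


def upload(filename, content):
    """Client sends a write request; server answers ACK 0, then acknowledges each block."""
    transcript = [("client", request(WRQ, filename)), ("server", ack(0))]
    stored = _stream("client", "server", content, transcript)
    return stored, transcript


if __name__ == "__main__":
    # Constructed file names and contents.
    _, log = download({"vrp.cc": b"A" * 1024}, "vrp.cc")
    _, log2 = upload("cfg.zip", b"B" * 700)
    for who, packet in log + log2:
        print(who, parse(packet)[:2], len(packet), "bytes")
```

Because a request carries only a file name and a transfer mode, any restriction on who may read or write files has to be enforced outside the protocol.
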

SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device
functioning as a client to log in to a remote server and transfer files securely.

When the SFTP server or the connection between the server and the client fails, the client needs
to detect the fault in time and release the connection proactively. To help the client detect such
a fault in time, configure the interval at which Keepalive packets are sent when no packet is
received and the maximum number of times that the server may fail to respond to the client:
• If the client does not receive any packet within the specified period, the client sends a
  Keepalive packet to the server.
• If the number of times that the server does not respond exceeds the specified maximum,
  the client proactively releases the connection.

5.2 Using Telnet to Log In to Other Devices


Telnet helps users to log in to remote devices to manage and maintain the devices.

Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, you can log in to other devices
by using Telnet from the device that you have logged in to.

As shown in Figure 5-4, the PC can use Telnet to log in to the Telnet client. As the PC does not
have a reachable route to the Telnet server, you cannot manage the Telnet server remotely. To
manage the Telnet server remotely, you can use the Telnet client to telnet to the Telnet server.

Figure 5-4 Networking diagram for accessing other devices (PC, user network, Telnet client, IP network, Telnet server)

Pre-configuration Tasks
Before logging in to other devices by using Telnet, complete the following tasks:
• Logging In to the System by Using Telnet
• Configuring a route to ensure that the Telnet client and server are routable

Context
Telnet provides an interactive interface for users to log in to a remote server. You can log in to
one device, and then telnet to other devices on the network to configure and manage these remote
devices, instead of connecting a terminal to each of the devices.
An IP address can be configured for an interface on the device and specified as the source IP
address of an FTP connection for security checks.
After the source IP address is configured for the Telnet client, the source IP address of the Telnet
client displayed on the server is the same as the configured one.
Perform either of the following operations based on the type of the source IP address:

Procedure
• If the source address is an IPv4 address:
Run the telnet [ -a source-ip-address | -i interface-type interface-number ]
[ vpn-instance vpn-instance-name ] host-name [ port-number ] command to log in to and manage
other devices.
• If the source address is an IPv6 address:
Run the telnet ipv6 ipv6-address [ -i interface-type interface-number ] [ port-number ]
command to log in to and manage other devices.
----End

Checking the Configuration


After logging in to other devices by using Telnet, do as follows to check the configuration.
Run the display tcp status command to view TCP connections. Established in the command
output indicates that a TCP connection has been established.
<HUAWEI> display tcp status
--------------------------------------------------------------------------------
Pid/SocketID Local Addr:Port Foreign Addr:Port VPNID State
--------------------------------------------------------------------------------
0x80C8272F/2 0.0.0.0:23 0.0.0.0:0 42949 LISTEN
0x80932727/4 0.0.0.0:22 0.0.0.0:0 42949 LISTEN
0x30666bb4/9 10.137.217.222:23 10.137.217.223:53930 0 Established
--------------------------------------------------------------------------------
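
The display tcp status output also shows which management sessions run over a plaintext protocol. The following Python sketch is an added example, not part of the original guide: it parses output in the layout shown above and reports Telnet and FTP listeners and sessions. The function names are hypothetical, and the last two sample rows are constructed for illustration.

```python
import re

# TCP services that carry credentials unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}

# One data row: Pid/SocketID, local endpoint, foreign endpoint, VPNID, state.
ROW = re.compile(r"^(0x[0-9A-Fa-f]+/\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

# First three rows are from the output above; the last two are constructed.
SAMPLE = """\
--------------------------------------------------------------------------------
Pid/SocketID Local Addr:Port Foreign Addr:Port VPNID State
--------------------------------------------------------------------------------
0x80C8272F/2 0.0.0.0:23 0.0.0.0:0 42949 LISTEN
0x80932727/4 0.0.0.0:22 0.0.0.0:0 42949 LISTEN
0x30666bb4/9 10.137.217.222:23 10.137.217.223:53930 0 Established
0x30666bb5/11 10.137.217.222:22 10.137.217.224:40112 0 Established
0x30666bb6/12 10.137.217.222:51000 10.137.217.225:23 0 Established
--------------------------------------------------------------------------------
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so the address part may contain colons."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def parse_tcp_status(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        local_addr, local_port = split_endpoint(match.group(2))
        foreign_addr, foreign_port = split_endpoint(match.group(3))
        rows.append({
            "socket": match.group(1),
            "local": match.group(2), "local_port": local_port,
            "foreign": match.group(3), "foreign_port": foreign_port,
            "vpnid": int(match.group(4)),
            "state": match.group(5).upper(),
        })
    return rows


def cleartext_findings(rows):
    """List (kind, service, endpoint) for plaintext listeners and sessions."""
    findings = []
    for row in rows:
        if row["state"] == "LISTEN" and row["local_port"] in CLEARTEXT_PORTS:
            findings.append(("listener", CLEARTEXT_PORTS[row["local_port"]], row["local"]))
        elif row["state"] == "ESTABLISHED":
            if row["local_port"] in CLEARTEXT_PORTS:
                # A remote user is logged in to this device over a plaintext service.
                findings.append(("inbound", CLEARTEXT_PORTS[row["local_port"]], row["foreign"]))
            elif row["foreign_port"] in CLEARTEXT_PORTS:
                # This device is the client of a plaintext service on another device.
                findings.append(("outbound", CLEARTEXT_PORTS[row["foreign_port"]], row["foreign"]))
    return findings


if __name__ == "__main__":
    for kind, service, endpoint in cleartext_findings(parse_tcp_status(SAMPLE)):
        print(f"{kind:9} {service:7} {endpoint}")
```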

5.3 Using STelnet to Log In to Other Devices


STelnet provides secure Telnet services. You can use STelnet to log in to other devices from the
device that you have logged in to, and manage the remote devices.

Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, you can log in to other devices
by using Telnet from the device that you have logged in to. Logging in by using Telnet, however,
poses a security risk because Telnet does not provide any secure authentication mechanism and
data is transmitted over TCP in plain text.
STelnet provides secure Telnet services based on SSH connections. By providing encryption and
authentication, SSH protects devices against IP address spoofing and interception of plain text
passwords. As shown in Figure 5-5, the HUAWEI NetEngine5000E supports the SSH function. You
can log in to a remote device in SSH mode to manage and maintain the device. In this situation,
the device that you have logged in to functions as the client, and the remote device to be
logged in to is an SSH server.

Figure 5-5 Networking diagram for logging in to other devices by using STelnet
[Diagram: the Telnet client connects over the IP network to the Telnet server.]

Pre-configuration Tasks
Before logging in to other devices by using STelnet, complete the following task:
• 3.4 Logging In to the System by Using STelnet

Configuration Procedures

Figure 5-6 Logging in to other devices by using STelnet
[Flowchart with two alternative paths. Path 1: enable first-time authentication on the SSH client to allow users to successfully log in to other devices the first time, then use STelnet to log in to other devices. Path 2: bind the SSH client to the RSA public key generated on the SSH server to allow users to successfully log in to other devices the first time, then use STelnet to log in to other devices. Legend: mandatory procedure, optional procedure.]

5.3.1 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)

After first-time authentication is enabled on the SSH client, the validity of the RSA public key
of the SSH server is not checked when the STelnet client logs in to the SSH server for the first
time.

Context
After first-time authentication is enabled on the SSH client, the validity of the RSA public key
of the SSH server is not checked when the STelnet client logs in to the SSH server for the first
time. After the first login, the system automatically allocates an RSA public key and saves the
key for authentication during subsequent logins.

If first-time authentication is disabled, the STelnet client cannot log in to the SSH server because
the validity check of the RSA public key fails. If the STelnet client must successfully log in to
the SSH server the first time, you can enable first-time authentication or configure the client
to assign an RSA public key to the server in advance. For details, see 5.3.2 Configuring Login
to Another Device for the First Time (Binding the SSH Client to the RSA Public Key
Generated on the SSH Server).

Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh client first-time enable

Enable first-time authentication on the SSH client.

By default, first-time authentication is disabled for an SSH client.

Step 3 Run:
commit

The configuration is committed.

----End

5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)

To allow the SSH client to successfully log in to the SSH server the first time when first-time
authentication is disabled, configure the SSH client to assign an RSA public key to the SSH
server before the login.

Context
If first-time authentication is disabled, the SSH client cannot log in to the SSH server because
the validity check of the RSA public key fails. An RSA public key needs to be assigned to the
server before the SSH client logs in to the server.

The RSA public key assigned to the SSH server must be generated on the server. Otherwise, the
validity check for the RSA public key on the SSH client cannot succeed.

Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key edit view is displayed.

Step 4 Enter hex-data to edit the public key.

The input public key must be a hexadecimal string complying with the public key format. The
public key is generated randomly on the SSH server.

NOTE

After entering the public key edit view, copy and paste the RSA public key generated on the server to the
client.

Step 5 Run:
public-key-code end

Exit from the public key edit view.

If the configured public key contains invalid characters or does not comply with the public key
format, a prompt is displayed, and the configured public key is discarded. The configuration
fails. If the configured public key is valid, the key will be saved into the client public key chain
table.
• If no valid hex-data is specified, no public key will be generated.
• If key-name specified in Step 2 has been deleted in another window, the system displays an
error message and returns to the system view.
Step 6 Run:
peer-public-key end

Exit from the public key view, and the system view is displayed.
Step 7 Run:
ssh client server-ip-address assign rsa-key key-name

The RSA public key is bound to the SSH client.

NOTE

If the public key saved on the SSH client becomes invalid, run the undo ssh client server-ip-address
assign rsa-key command to cancel the binding between the SSH client and the server, and then run the
ssh client server-ip-address assign rsa-key key-name command to assign an RSA public key to the client.

Step 8 Run:
commit

The configuration is committed.

----End
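
Sections 5.3.1 and 5.3.2 describe two ways of getting past the first login: accepting the server key without checking it, or binding a key copied from the server beforehand. The following Python model is an added example, not Huawei code, that compares the two decisions. The class, method names and result strings are hypothetical, the key bytes are constructed stand-ins rather than real RSA keys, and saving a first-time key under the server address is an assumption modelled on the display ssh server-info output in this chapter.

```python
import hmac


class SshClientKeyStore:
    """Simplified model of the client-side server key check in 5.3.1 and 5.3.2."""

    def __init__(self, first_time_enable=False):
        # The guide states that first-time authentication is disabled by default.
        self.first_time_enable = first_time_enable
        self.peer_keys = {}     # key-name -> key bytes       (rsa peer-public-key)
        self.assignments = {}   # server address -> key-name  (ssh client ... assign rsa-key)

    def add_peer_key(self, key_name, hex_data):
        """Store pasted hex-data; input that is not valid hexadecimal is discarded."""
        try:
            key = bytes.fromhex("".join(hex_data.split()))
        except ValueError:
            return False
        if not key:
            return False
        self.peer_keys[key_name] = key
        return True

    def assign(self, server, key_name):
        """Bind a stored key to a server address."""
        if key_name not in self.peer_keys:
            return False
        self.assignments[server] = key_name
        return True

    def unassign(self, server):
        """Cancel the binding (undo ssh client ... assign rsa-key)."""
        self.assignments.pop(server, None)

    def check(self, server, presented_key):
        """Decide whether to continue the login with the key the server presents."""
        saved = self.peer_keys.get(self.assignments.get(server))
        if saved is not None:
            same = hmac.compare_digest(saved, presented_key)
            return "accept" if same else "reject-mismatch"
        if self.first_time_enable:
            # Nothing to compare against: the key is saved without verification.
            self.peer_keys[server] = presented_key
            self.assignments[server] = server
            return "accept-unverified"
        return "reject-unknown"


SERVER = "10.164.39.223"                      # sample address
GENUINE_HEX = "3047 0240 C2A7 51E0 93B4"      # constructed stand-in for the server's key
UNEXPECTED = bytes.fromhex("30470240DEADBEEF0001")  # constructed: some other key


def scenarios():
    genuine = bytes.fromhex(GENUINE_HEX)
    out = {}

    strict = SshClientKeyStore()              # default: nothing bound
    out["default"] = strict.check(SERVER, genuine)

    tofu = SshClientKeyStore(first_time_enable=True)
    out["tofu_first"] = tofu.check(SERVER, UNEXPECTED)   # whatever arrives first is saved
    out["tofu_later"] = tofu.check(SERVER, genuine)      # the real key now mismatches
    tofu.unassign(SERVER)                                # recovery needs manual rebinding
    tofu.add_peer_key("server223", GENUINE_HEX)
    tofu.assign(SERVER, "server223")
    out["tofu_rebound"] = tofu.check(SERVER, genuine)

    bound = SshClientKeyStore()
    out["bad_hex"] = bound.add_peer_key("server223", "3047 02zz")
    bound.add_peer_key("server223", GENUINE_HEX)
    bound.assign(SERVER, "server223")
    out["bound_genuine"] = bound.check(SERVER, genuine)
    out["bound_other"] = bound.check(SERVER, UNEXPECTED)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} {result}")
```

With a key bound in advance, an unexpected key is rejected on the very first connection; with first-time authentication, the same key is accepted and saved.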

5.3.3 Using STelnet to Log In to Other Devices


You can log in to the SSH server from the SSH client by using STelnet to configure and manage
the server.

Context
The SSH client can log in to the server without specifying the listening port number only when
the listening port number of the server is 22. Otherwise, the listening port number must be
specified.
Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stelnet [ -a source-address | -i interface-type interface-number ] host-ip-address
[ port-number ] [ [ prefer-kex { dh-group1 | dh-exchange-group } ]
[ prefer-ctos-cipher { des | 3des | aes128 } ] [ prefer-stoc-cipher { des | 3des | aes128 } ]
[ prefer-ctos-hmac { sha1 | sha1-96 | md5 | md5-96 } ]
[ prefer-stoc-hmac { sha1 | sha1-96 | md5 | md5-96 } ]
[ -vpn-instance vpn-instance-name ] [ -ki interval [ -kc count ] ] ]*

The client logs in to the SSH server by using STelnet.

----End
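
The stelnet syntax above lets the client state a preference for DES, MD5-based HMACs and the fixed dh-group1 key exchange, each of which is weaker than another value the same option accepts. The following Python sketch is an added example, not Huawei code: it audits a typed stelnet command and rewrites it to prefer the strongest listed value for each option. The strength ordering is this example's assessment rather than something the guide states, and the function names and sample command are hypothetical.

```python
# Option -> values from the stelnet syntax above, ordered strongest first.
# The ordering is this example's assessment, not a statement from the guide.
PREFERENCES = {
    "prefer-kex": ["dh-exchange-group", "dh-group1"],
    "prefer-ctos-cipher": ["aes128", "3des", "des"],
    "prefer-stoc-cipher": ["aes128", "3des", "des"],
    "prefer-ctos-hmac": ["sha1", "sha1-96", "md5", "md5-96"],
    "prefer-stoc-hmac": ["sha1", "sha1-96", "md5", "md5-96"],
}


def parse_preferences(command):
    """Return {option: value} for every prefer-* option in a typed stelnet command."""
    tokens = command.split()
    if not tokens or tokens[0] != "stelnet":
        raise ValueError("not an stelnet command")
    chosen = {}
    i = 1
    while i < len(tokens):
        if tokens[i] in PREFERENCES:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tokens[i]} has no value")
            chosen[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1          # addresses, -a, -i, -ki and similar are left alone
    return chosen


def audit_stelnet(command):
    """Return {option: (value, status, strongest)} for all five preferences.

    status is 'ok', 'weak', 'invalid' (value not in the syntax) or
    'unspecified' (option omitted, so the device's own default applies).
    """
    chosen = parse_preferences(command)
    report = {}
    for option, ranked in PREFERENCES.items():
        value = chosen.get(option)
        if value is None:
            status = "unspecified"
        elif value not in ranked:
            status = "invalid"
        elif value == ranked[0]:
            status = "ok"
        else:
            status = "weak"
        report[option] = (value, status, ranked[0])
    return report


def harden_stelnet(command):
    """Rewrite the command so every preference names the strongest listed value."""
    parse_preferences(command)          # validates the command first
    tokens = command.split()
    out, seen, i = [], set(), 0
    while i < len(tokens):
        token = tokens[i]
        if token in PREFERENCES:
            out += [token, PREFERENCES[token][0]]
            seen.add(token)
            i += 2
        else:
            out.append(token)
            i += 1
    for option, ranked in PREFERENCES.items():
        if option not in seen:          # make omitted preferences explicit
            out += [option, ranked[0]]
    return " ".join(out)


# Constructed sample command using addresses that appear in this chapter.
SAMPLE = ("stelnet -a 10.1.1.1 10.164.39.223 "
          "prefer-ctos-cipher des prefer-stoc-hmac md5 -ki 10")

if __name__ == "__main__":
    for option, (value, status, best) in audit_stelnet(SAMPLE).items():
        print(f"{option:20} {str(value):10} {status:12} strongest: {best}")
    print(harden_stelnet(SAMPLE))
```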

5.3.4 Checking the Configuration


After completing the configuration for logging in to another device by using STelnet, you can view
mappings between SSH servers and RSA public keys on the SSH client, global configuration
of SSH servers, and sessions between SSH servers and the client.

Prerequisite
The configuration for logging in to another device by using STelnet is complete.

Procedure
• Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.

----End

Example
Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
Server Name(IP) Server public key name
________________________________________________________________________
1000::1 1000::1
10.164.39.223 10.164.39.223
11.11.11.23 11.11.11.23
10.164.39.204 10.164.39.204
10.164.39.222 10.164.39.222

5.4 Using TFTP to Access Other Devices


TFTP is used to transfer files between a remote server and local hosts. Unlike FTP, TFTP is simple
and provides no authentication. It is applicable to scenarios without complicated interactions
between the client and the server.

Applicable Environment
In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP involves
complicated interactions between terminals and servers, which are hard to implement on terminals
that do not run advanced operating systems. TFTP is designed for file transfer that
does not need complicated interactions between terminals and servers. It is simple and has low
overhead. TFTP can be used only for simple file transfer without authentication.

NOTE

Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not as TFTP server.

Pre-configuration Tasks
Before using TFTP to access other devices, complete the following task:

• 3 Configuring User Login

Configuration Procedures
You can choose one or more configuration tasks (excluding "Checking the Configuration") as
required.

5.4.1 Configuring the Source Address for the TFTP Client


You can configure a source address for a TFTP client and use the source address to establish a
TFTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on the TFTP client and use this IP address as the
source address to establish a TFTP connection. This ensures the security of file transfer.

Do as follows on the router that functions as a TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tftp client-source { -a ip-address | -i interface-type interface-number }

The source address of the TFTP client is configured.

NOTE

The interface type specified by interface-type must be loopback.


After configuring the source address of the TFTP client, you can find that the source address of the TFTP
client displayed on the server is the same as the configured one.

Step 3 Run:
commit

The configuration is committed.

----End

5.4.2 Configuring TFTP Access Control


An ACL can be configured to allow the TFTP client to access specified TFTP servers.

Context
An ACL is a set of sequential rules. These rules are described based on source addresses,
destination addresses, and port numbers of packets. ACL rules are used to filter packets. After
ACL rules are applied to a device, the device permits or denies packets based on the ACL rules.

Multiple rules can be defined for one ACL. ACL rules are classified into interface ACL, basic
ACL, and advanced ACL rules based on their functions.

NOTE

TFTP supports only basic ACLs (from ACL 2000 to ACL 2999).

Do as follows on the router that functions as a TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ [ fragment | fragment-type fragment-type-name ] |
logging | source { source-ip-address source-wildcard | any } | time-range time-name |
vpn-instance vpn-instance-name ] *

An ACL rule is configured.


Step 4 Run:
quit

The system view is displayed.


Step 5 Run:
tftp-server acl acl-number

The ACL is applied to the TFTP client to control its access to TFTP servers.
Step 6 Run:
commit

The configuration is committed.

----End
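
Because TFTP has no authentication, the basic ACL applied in Step 5 is the only restriction on which servers the client will exchange files with, so it is worth checking what a rule set actually permits. The following Python sketch is an added example, not Huawei code: it parses rules written in the form shown by display acl and evaluates a server address against them. It assumes that the rule's source field is compared with the TFTP server address, that rules are tried in ascending rule-id order (match-order config), and that an address matching no rule is denied; fragment, time-range and vpn-instance are ignored, and the function names and the last two rules are constructed.

```python
import ipaddress
import re

# Trailing hit counter printed by display acl, for example "(2 times matched)".
COUNTER = re.compile(r"\(\d+ times matched\)\s*$")

# Rules 5 and 10 follow the display acl example in this chapter; 15 and 20 are constructed.
SAMPLE_ACL = """\
Basic acl 2001, 4 rules
Acl's step is 5
Acl's match-order is config
 rule 5 permit ip source 1.1.1.1 0 (2 times matched)
 rule 10 permit ip source 9.9.9.9 0 (3 times matched)
 rule 15 deny ip source 10.20.0.0 0.0.255.255
 rule 20 permit ip source 10.0.0.5 0.255.255.0
"""


def parse_wildcard(text):
    """A wildcard of 0 is shorthand for 0.0.0.0: every bit must match."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_basic_acl(text):
    """Return the rules sorted by rule-id; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = COUNTER.sub("", line).split()
        if (len(tokens) < 3 or tokens[0] != "rule"
                or not tokens[1].isdigit() or tokens[2] not in ("permit", "deny")):
            continue
        # Without a source clause, or with "source any", the rule matches every address.
        rule = {"id": int(tokens[1]), "action": tokens[2],
                "addr": 0, "wildcard": 0xFFFFFFFF}
        if "source" in tokens:
            i = tokens.index("source")
            if i + 1 >= len(tokens):
                raise ValueError(f"rule {tokens[1]}: source has no value")
            if tokens[i + 1] != "any":
                if i + 2 >= len(tokens):
                    raise ValueError(f"rule {tokens[1]}: missing wildcard")
                rule["addr"] = int(ipaddress.IPv4Address(tokens[i + 1]))
                rule["wildcard"] = parse_wildcard(tokens[i + 2])
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])


def evaluate(rules, server):
    """Return (action, rule-id) of the first matching rule for a server address."""
    addr = int(ipaddress.IPv4Address(server))
    for rule in rules:
        care = ~rule["wildcard"] & 0xFFFFFFFF     # wildcard bit 0 means "must match"
        if (addr ^ rule["addr"]) & care == 0:
            return rule["action"], rule["id"]
    return "deny", None                            # assumption: no match means deny


if __name__ == "__main__":
    acl = parse_basic_acl(SAMPLE_ACL)
    for server in ("1.1.1.1", "1.1.1.2", "10.20.1.5", "10.30.1.5", "10.30.1.6"):
        print(f"{server:12} {evaluate(acl, server)}")
```

The 10.20.1.5 case shows why rule order matters: rule 20 would permit it, but the deny in rule 15 matches first.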

5.4.3 Using TFTP to Download Files from Other Devices


You can use a specified TFTP command to download files from a remote server to the local
device.

Context
A Virtual Private Network (VPN) is a private network. Network devices and terminals on a VPN
can be connected over the internet. After a TFTP session is established, you can specify
vpn-instance-name in the TFTP command to connect to a remote TFTP server.
To download a file, the TFTP client sends a read request to the TFTP server. After receiving
data, the TFTP client sends an acknowledgment to the server.

Procedure
• Run:
tftp [ -a source-address | -i interface-type interface-number ] host-ip-address
[ vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]

A file is downloaded by using TFTP.

The interface type specified by interface-type must be loopback.
----End

5.4.4 Using TFTP to Upload Files to Other Devices


You can use TFTP commands to upload files to remote servers.

Context
To upload a file, the TFTP client sends a write request to the TFTP server. After receiving data,
the TFTP client sends an acknowledgment to the server.

Procedure
• Run:
tftp [ -a source-address | -i interface-type interface-number ] host-ip-address
[ vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]

A file is uploaded by using TFTP.

The interface type specified by interface-type must be loopback.
----End

5.4.5 Checking the Configuration


After completing the configuration of using TFTP to access another device, you can view the
source address of the TFTP client and configured ACL rules.

Prerequisite
The configurations of using TFTP to access other devices are complete.

Procedure
• Run the display tftp-client command to check the source address of the TFTP client.
• Run the display acl { acl-number | all } command to check ACL rules configured on the
TFTP client.
----End

Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
----------------------------------------------------------------------
acl4Number : 0
SrcIPv4Addr : 0.0.0.0
Interface Name : LoopBack0
----------------------------------------------------------------------

Run the display acl { acl-number | all } command to view ACL rules configured on the TFTP
client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules
Acl's step is 5
Acl's match-order is config
rule 5 permit ip source 1.1.1.1 0 (2 times matched)
rule 10 permit ip source 9.9.9.9 0 (3 times matched)

5.5 Using FTP to Access Other Devices


You can log in to an FTP server on the network from the device that functions as an FTP client
to upload files to or download files from the server.

Applicable Environment
When you need to transfer files with a remote FTP server or manage directories of the server,
you can configure the current device as an FTP client and then access the FTP server by using
FTP.

Pre-configuration Tasks
Before using FTP to access another device, complete the following task:
• Configuring User Login

Configuration Procedures

Figure 5-7 Using FTP to operate files
[Flowchart: configure the source address for the FTP client; use FTP commands to connect to other devices; use FTP commands to operate files; change the logged-in user; terminate the connection to the FTP server. Legend: mandatory procedure, optional procedure.]

5.5.1 (Optional) Configuring the Source Address for the FTP Client
You can configure a source address for an FTP client and use the source address to establish an
FTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on the router and use this IP address as the source
address to establish an FTP connection. This ensures the security of file transfer.

Do as follows on the router that functions as an FTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp client-source { -a ip-address | -i interface-type interface-number }

The source address is configured.

The value of interface-type must be loopback.

After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.

Step 3 Run:
commit

The configuration is committed.

----End

5.5.2 Using FTP to Connect the FTP Client to Other Devices


FTP commands can be used to log in to other devices from the FTP client.

Context
Commands can be run in the user or FTP client view to establish connections with remote FTP
servers.

NOTE

• If the ftp command without any parameters is used in the user view to establish a control connection
to an FTP server, the FTP client view is displayed but the connection is not established.
• When using the ftp command in the user view or the open command in the FTP client view to establish
a control connection to a remote FTP server, if the listening port number of the FTP server is the default
one, you do not need to specify the listening port number in the command; otherwise, you must specify
the listening port number in the command.

Perform either of the following operations on the FTP client based on the type of IP address of
the server:

Procedure
• If the server has an IPv4 address, use commands listed in Table 5-1 to connect the client
to other devices.

Table 5-1 Using FTP commands to connect the FTP client to other devices

View              Operation

User view         Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ]
                  host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to
                  establish a connection to the FTP server.

FTP client view   Run the open { -a source-ip | -i interface-type interface-number }
                  host-ip-address [ port-number ] [ vpn-instance vpn-instance-name ] command
                  to establish a connection to the FTP server.

• If the server has an IPv6 address, use commands listed in Table 5-2 to connect the client
to other devices.

Table 5-2 Using FTP commands to connect the FTP client to other devices

View              Operation

User view         Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address
                  [ port-number ] command to establish a connection to the FTP server.

FTP client view   Run the open ipv6 [ -i interface-type interface-number ] host-ipv6-address
                  [ port-number ] command to establish a connection to the FTP server.

----End

5.5.3 Using FTP to Operate Files


After logging in to an FTP server, you can use FTP commands to operate files, including
configuring the file transfer mode, viewing online help for FTP commands, uploading files,
managing directories, and managing files.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
• Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
• Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ]
command to use an IPv6 address to establish a connection to the FTP server and enter the
FTP client view.

Step 2 Perform one or more operations shown in Table 5-3 as needed.

Table 5-3 File operations

File Operation                      Description

Managing files
  Configuring the file type         • Run the ascii command to set the file type to ASCII.
                                    • Run the binary command to set the file type to binary.
                                    The FTP file type is determined by the client. By default,
                                    the ASCII type is used.

  Configuring the data connection   • Run the passive command to set the data connection
  mode                                mode to PASV.
                                    • Run the undo passive command to set the data
                                      connection mode to ACTIVE.
                                    By default, the PASV mode is used.

  Uploading files                   • Run the put local-filename [ remote-filename ] command
                                      to upload a file from the local device to a remote server.
                                    • Run the mput local-filenames command to upload files
                                      from the local device to a remote server.

  Downloading files                 • Run the get remote-filename [ local-filename ] command
                                      to download a file from a remote server and save the file
                                      on the local device.
                                    • Run the mget remote-filenames command to download
                                      files from a remote server and save the files on the local
                                      device.

  Enabling the file transfer        • If the prompt command is run in the FTP client view to
  prompt function                     enable the file transfer prompt function, the system
                                      prompts you to confirm the uploading or downloading
                                      operation during file uploading or downloading.
                                    • If the prompt command is run again in the FTP client
                                      view, the file transfer prompt function is disabled.
                                    NOTE
                                    The prompt command is applicable to the scenario where the
                                    mput or mget command is used to upload or download files.
                                    If the local device already has the files to be downloaded
                                    by running the mget command, the system prompts you to
                                    overwrite the existing ones regardless of whether the file
                                    transfer prompt function is enabled.

  Enabling the FTP verbose          Run the verbose command.
  function                          After the verbose function is enabled, all FTP response
                                    information is displayed. After file transfer is complete,
                                    statistics about the transmission rate are displayed.

Managing directories
  Changing the working path of a    Run the cd pathname command.
  remote FTP server

  Changing the working path of an   Run the cdup command.
  FTP server to the parent
  directory

  Displaying the working path of    Run the pwd command.
  an FTP server

  Displaying files in a directory   Run the dir [ remote-directory [ local-filename ] ] command.
  and the list of sub-directories   If no path name is specified for a specified remote file, the
                                    system will search for the file in the authorized directory
                                    of the user.

  Displaying a specified remote     Run the ls [ remote-directory [ local-filename ] ] command.
  directory or file on an FTP
  server

  Displaying or changing the        Run the lcd [ directory ] command.
  working path of an FTP client     The lcd command displays the local working path of the FTP
                                    client, while the pwd command displays the working path
                                    of the remote FTP server.

  Creating a directory on an FTP    Run the mkdir remote-directory command.
  server                            The directory can be a combination of letters and numbers,
                                    excluding special characters such as "<", ">", "?", "\", or ":".

  Deleting a directory from an FTP  Run the rmdir remote-directory command.
  server

Displaying online help for an FTP   Run the remotehelp [ command ] command.
command

Changing an FTP user                Run the user username [ password ] command.

----End

5.5.4 (Optional) Changing the User Login


You can allow users with different rights to log in.

Context
After the device functions as an FTP client and establishes a connection to an FTP server, you can
change the logged-in user to allow users with different rights to access the server. Changing
logged-in users does not affect established FTP connections. FTP control and data connections
and the connection status do not change.
If the input user name or password of the new user is incorrect, established connections are
disconnected. To access the server, the user must log in to the FTP client again.

NOTE

After logging in to the HUAWEI NetEngine5000E, you can log in to the FTP server by using another user
name without logging out of the FTP client view. The established FTP connection is identical with that
established by running the ftp command.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
• Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
• Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ]
command to use an IPv6 address to establish a connection to the FTP server and enter the
FTP client view.

Step 2 Run:
user user-name [ password ]

The logged-in user is changed. Another user logs in to access the FTP server.

After the logged-in user is changed, the connection between the original user and the FTP server
is disconnected.

Step 3 Run:
commit

The configuration is committed.

----End

5.5.5 Terminating a Connection to the FTP Server


To save system resources and ensure successful logins of valid users to the FTP server, terminate
connections to the FTP server.

Context
After the number of users logging in to an FTP server reaches the upper limit, no more valid
users can log in. To allow valid users to log in to the FTP server, terminate idle connections to
the FTP server.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
• Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
• Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ]
command to use an IPv6 address to establish a connection to the FTP server and enter the
FTP client view.

Step 2 Perform either of the following operations as needed to terminate an FTP connection.

• Run the bye/quit command to terminate the connection to the FTP server and return to the
user view.
• Run the close/disconnect command to terminate both the connection to the FTP server and
the FTP session but remain in the FTP client view.

----End

5.5.6 Checking the Configuration


After completing the configuration of accessing other devices by using FTP, you can view the
parameters configured on the FTP client.

Prerequisite
The configurations of accessing other devices by using FTP are complete.

Procedure
• Run the display ftp-client command to check the source address of the FTP client.
----End

Example
After configuring the source IP address of the FTP client, run the display ftp-client command
to view the configuration.
<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr : 10.1.1.1
Interface Name :
-----------------------------------------

After configuring the loopback interface of the FTP client, run the display ftp-client command
to view the configuration.
<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr : 0.0.0.0
Interface Name : LoopBack0
-----------------------------------------

5.6 Using SFTP to Access Other Devices


SFTP provides a secure FTP service. The device is configured as an SFTP client. The SFTP
server authenticates the client and encrypts data in both directions to provide secure file transfer.

Applicable Environment
SFTP is short for SSH FTP. Based on SSH, SFTP ensures that users log in to a remote device
securely to manage and transfer files, enhancing secure file transfer. As the device can function
as an SFTP client, you can log in to a remote SSH server from the device to transfer files securely.

Pre-configuration Tasks
Before using SFTP to access other devices, complete the following task:

• Configuring a route between the client and the server to make them routable

Configuration Procedures

Figure 5-8 Using SFTP to access other devices
[Flowchart with two alternative paths. Path 1: configure the source address for the SFTP client; enable first-time authentication on the SSH client to allow users to successfully log in to the system the first time; use SFTP to log in to other devices; use SFTP commands to operate files. Path 2: configure the source address for the SFTP client; bind the RSA public key generated on the SSH server to the SSH client to allow users to successfully log in to the system the first time; use SFTP to log in to other devices; use SFTP commands to operate files. Legend: mandatory procedure, optional procedure.]

5.6.1 (Optional) Configuring the Source Address for the SFTP Client
You can configure a source address for an SFTP client and use the source address to establish
an SFTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on the SFTP client and use this IP address as the
source address to establish an SFTP connection. This ensures the security of file transfer.

The source address for an SFTP client can be a source interface or a source IP address.

Do as follows on the device functioning as an SFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }

The source address of the SFTP client is configured.

Step 3 Run:
commit

The configuration is committed.

----End

5.6.2 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)
After first-time authentication is enabled on the SSH client, the validity of the RSA public key
of the SSH server is not checked when the SFTP client logs in to the SSH server for the first
time.

Context
After first-time authentication is enabled on the SSH client, the validity of the RSA public key
of the SSH server is not checked when the SFTP client logs in to the SSH server for the first
time. After the first login, the system automatically assigns the RSA public key received from the
server to that server and saves the key for authentication during subsequent logins.
Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh client first-time enable

First-time authentication is enabled on the SSH client.


By default, first-time authentication is disabled for an SSH client.
Step 3 Run:
commit

The configuration is committed.

----End

5.6.3 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)
If first-time authentication is disabled on the SSH client, assign an RSA public key to the SSH
server before the SFTP (SSH) client logs in to the server.

Context
If first-time authentication is disabled, the SFTP client cannot log in to the SSH server because
the validity check of the RSA public key fails. Therefore, you need to assign an RSA public key
to the server before the SFTP client logs in to the server.

Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
rsa peer-public-key key-name

The public key view is displayed.


Step 3 Run:
public-key-code begin

The public key edit view is displayed.


Step 4 Enter hex-data to edit the public key.
The input public key must be a hexadecimal string complying with the public key format. The
public key is generated randomly on the SSH server.

NOTE

After entering the public key edit view, copy and paste the RSA public key generated on the server to the
client.

Step 5 Run:
public-key-code end

Exit from the public key edit view.


If the configured public key contains invalid characters or does not comply with the public key
format, a prompt is displayed, and the configured public key is discarded. The configuration
fails. If the configured public key is valid, the key will be saved into the client public key chain
table.
- If no valid hex-data is specified, no public key will be generated.
- If key-name specified in Step 2 has been deleted in another window, the system prompts an
  error and returns to the system view.
Step 6 Run:
peer-public-key end

Exit from the public key view, and the system view is displayed.
Step 7 Run:
ssh client server-ip-address assign rsa-key key-name

The RSA public key is bound to the SSH client.

NOTE

If the public key saved on the SSH client becomes invalid, run the undo ssh client server-ip-address
assign rsa-key command to cancel the binding between the SSH client and the server, and then run the
ssh client server-ip-address assign rsa-key key-name command to assign an RSA public key to the client.

Step 8 Run:
commit

The configuration is committed.

----End

5.6.4 Using SFTP to Connect the SSH Client to the SSH Server
You can log in to an SSH server from an SSH client by using SFTP.

Context
The command used to enable the SFTP client is similar to the command used to enable the
STelnet client. Both commands can carry the source address, key exchange algorithm,
encryption algorithm, HMAC algorithm, and Keepalive interval.
Do as follows on the device that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ]
[ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 |
dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ]
* [ -ki aliveinterval [ -kc alivecountmax ] ]

The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.
Step 3 Run:
commit

The configuration is committed.

----End

5.6.5 Using SFTP to Operate Files


You can manage directories and files of the SSH server on the SFTP client, and view help for
all SFTP commands on the SFTP client.

Context
After logging in to the SSH server from the SFTP client, you can perform the following
operations on the SFTP client:
- Create and delete directories of the SSH server; view the current working directory; view
  files in a directory and the list of sub-directories.
- Rename, delete, upload, and download files.
- View command help on the SFTP client.
Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ]
[ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 |
dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ]
* [ -ki aliveinterval [ -kc alivecountmax ] ]

The SFTP client view is displayed. You have successfully logged in to the SSH server by using
SFTP.

Step 3 Perform one or more operations shown in Table 5-4 as needed.

Table 5-4 File operation

File Operation                                                                | Description
Managing directories: changing the user's working directory                   | Run the cd [ remote-directory ] command.
Managing directories: changing the user's working directory to the parent directory | Run the cdup command.
Managing directories: displaying the user's working directory                 | Run the pwd command.
Managing directories: displaying files in the directory and the list of sub-directories | Run the dir / ls [ remote-directory ] command.
Managing directories: deleting directories on the server                      | Run the rmdir remote-directory &<1-10> command.
Managing directories: creating a directory on the server                      | Run the mkdir remote-directory command.
Managing files: renaming a file on the server                                 | Run the rename old-name new-name command.
Managing files: downloading files from a remote server                        | Run the get remote-filename [ local-filename ] command.
Managing files: uploading files to a remote server                            | Run the put local-filename [ remote-filename ] command.
Managing files: deleting files from the server                                | Run the remove path &<1-10> command.
Displaying command help on the SFTP client                                    | Run the help [ all | command-name ] command.

----End

5.6.6 Checking the Configuration


After completing the configuration of using SFTP to access other devices, you can view the
source address of the SSH client, mappings between SSH servers and RSA public keys on the
client, global configurations of the SSH servers, and sessions between the SSH servers and the
client.

Prerequisite
The configurations of using SFTP to access other devices are complete.

Procedure
- Run the display sftp-client command to check the source address of the SSH client.
- Run the display ssh server-info command to check mappings between SSH servers and
  RSA public keys on the client.
----End

Example
Run the display sftp-client command on the client to view parameters about the SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1

Run the display ssh server-info command to view mappings between servers and RSA public
keys on the client.
<HUAWEI> display ssh server-info
Server Name(IP) Server public key name
________________________________________________________________________
1000::1 1000::1
10.1.1.1 10.1.1.1
100.1.1.23 100.1.1.23
10.164.1.1 10.164.1.1
10.164.1.2 10.164.1.2

5.7 Configuration Examples


This section provides examples for configuring one device to access other devices. These
configuration examples explain networking requirements, configuration roadmap, and
precautions.

5.7.1 Example for Using Telnet to Log In to Other Devices


This example shows how to log in to another device by using Telnet. You can configure the user
authentication mode and password to log in to another device by using Telnet.

Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, you can log in to other devices
by using Telnet from the device that you have logged in to.
As shown in Figure 5-9, a user can telnet to P1 but cannot directly telnet to P2. P1 and P2 are
routable. The user logs in to P1, and then telnets to P2 to remotely configure and manage P2.

Figure 5-9 Networking diagram for using Telnet to log in to another device
[Network diagram: PC -- Network -- P1 (GE1/0/1, 1.1.1.1/24) -- Network -- P2 (GE1/0/1, 2.1.1.1/24),
with one Telnet session from the PC to P1 and one from P1 to P2.]

Precautions
- P1 and P2 must be routable.
- The user must be able to log in to P1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode and password on P2.
2. Log in to P2 from P1.

Data Preparation
To complete the configuration, you need the following data:
- Host address of P2: 2.1.1.1
- Authentication mode: password (password: hello)

Procedure
Step 1 Configure the Telnet authentication mode and password.
<HUAWEI> system-view
[~HUAWEI] sysname P2
[~HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode password
[~P2-ui-vty0-4] set authentication password simple hello
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

If an ACL is used to control Telnet access, do as follows on P2:

[~P2] acl 2000
[~P2-acl-basic-2000] rule permit source 1.1.1.1 0
[~P2-acl-basic-2000] quit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] acl 2000 inbound
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

NOTE

It is optional to configure an ACL for Telnet services.

Step 2 Verify the configuration.

After the configurations are complete, the user can telnet from P1 to P2.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] quit
<P1> telnet 2.1.1.1
Trying 2.1.1.1
Press CTRL+K to abort
Connected to 2.1.1.1
Username: root
Password:
<P2>

----End

Configuration Files
- Configuration file of P1
#
sysname P1
#
interface gigabitethernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
admin
return

- Configuration file of P2
#
sysname P2
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
set authentication password simple hello
acl 2000 inbound
#
admin
return

5.7.2 Example for Using STelnet to Log In to Other Devices


This example shows how to log in to another device by using STelnet. To allow the STelnet
client to connect to the SSH server, configure the client and server to generate local key pairs,
configure the server to generate an RSA public key, and bind the public key to the client.

Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Logging in by using Telnet poses a
security risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.

STelnet provides secure Telnet services based on SSH connections. Providing encryption and
authentication, SSH protects devices against attacks of IP address spoofing and plain text
password interception. As shown in Figure 5-10, after the STelnet server function is enabled
on the SSH server, the STelnet client can log in to the SSH server in the authentication mode of
password, RSA, password-RSA, or all.

Figure 5-10 Networking diagram for logging in to another device by using STelnet
[Network diagram: SSH Server (GE0/0/0, 1.1.1.1/16) connected to Client 001 (GE0/0/0, 1.1.2.2/16)
and Client 002 (GE0/0/0, 1.1.3.3/16).]

Precautions
Two users client001 and client002 are configured to log in to the SSH server in the authentication
mode of password and RSA respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts to
log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first-time authentication on the SSH client.
6. Client001 and client002 log in to the SSH server by using STelnet.

Data Preparation
To complete the configuration, you need the following data:

- Client001: password authentication (password: huawei)
- Client002: RSA authentication (public key: RsaKey001)
- IP address of the SSH server: 1.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024

Step 2 Create SSH users on the server.


NOTE

There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
- If the authentication mode is password or password-RSA, configure a local user on the server with the
  same user name.
- If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
  SSH client to the server.

# Configure VTY user interfaces.


[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] user privilege level 5
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

- Create an SSH user named client001.


# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.


[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

- Create an SSH user named client002.


# Create an SSH user named client002 and configure RSA authentication for the user.
[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] commit

Step 3 Configure an RSA public key for the server.


# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~client002] commit

# Check the RSA public key generated on the client.


[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Host
Key Type : RSA Encryption Key
========================================================
Key Code:

308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001

Host Public Key for PEM format Code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98
25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn
+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX
GJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri
89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi
SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:


1024 65537 125048203250833642388841080101906750228075076456213955541037945628567
57310398880086451511608221218821171562865637463140847157102422109476944363593619
24637760514734544191988044752471924402237145321162849626052751701862381759745461
33321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Server
Key Type : RSA Encryption Key
========================================================
Key Code:

3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".

[~SSH Server-rsa-public-key] public-key-code begin


Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-public-key-rsa-key-code] 308188
[~SSH Server-rsa-public-key-rsa-key-code] 028180
[~SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0
006BB1BB
[~SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7
36FDFD5F
[~SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A
7336150B
[~SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275
2DF7E4C5
[~SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931
[~SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153
7FB7D5B2
[~SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[~SSH Server-rsa-public-key-rsa-key-code] 0203
[~SSH Server-rsa-public-key-rsa-key-code] 010001
[~SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit

Step 4 Bind the RSA public key to client002.


[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[~SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.


# Enable the STelnet server function.
[~SSH Server] stelnet server enable
[~SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.


[~SSH Server] ssh user client001 service-type stelnet
[~SSH Server] ssh user client002 service-type stelnet
[~SSH Server] commit

Step 7 Connect STelnet clients to the SSH server.


# If the client logs in to the server for the first time, enable first-time authentication on the client.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.


[~client002] ssh client first-time enable
[~client002] commit

# Client001 logs in to the SSH server in password authentication mode by entering the user name
and password.
[~client001] stelnet 1.1.1.1
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:

Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

# Client002 logs in to the SSH server in RSA authentication mode.


[~client002] stelnet 1.1.1.1
Please input the username: client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status, display ssh server
session and display ssh server statistics commands on the SSH server. You can find that the
STelnet server function has been enabled, and the STelnet client has logged in to the server
successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Disable
Stelnet server : Enable

# Check the connection to the SSH server.


[~SSH Server] display ssh server session
Session : 1
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password

Session : 2
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : rsa

# Check the current statistics information of the SSH server.


[~SSH Server] display ssh server statistics
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
---------------------------------------

# Check information about SSH users.


[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : cfcard:
Service-type : stelnet

Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------

----End
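
The key binding in 5.6.3 and the copy step above both depend on the hexadecimal Key Code arriving intact, and first-time authentication accepts the server key without checking it. The following Python is an added example, not part of the Huawei guide: it decodes the Key Code printed by display rsa local-key-pair public, rebuilds the OpenSSH line for the same key, and derives a SHA-256 fingerprint that can be compared out of band. The function names are this example's own, and the embedded key is the client002 host key shown above.

```python
"""Added example: decode the "Key Code" hex printed by
`display rsa local-key-pair public` and rebuild the OpenSSH form of the key."""
import base64
import hashlib
import struct

# Host Key Code of client002, copied from the display output on this page.
PAGE_KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
"""


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        count = length & 0x7F
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the input")
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(key_code):
    """Return (modulus, exponent) from Key Code hex; whitespace is ignored."""
    try:
        der = bytes.fromhex("".join(key_code.split()))
    except ValueError as exc:
        raise ValueError("key code contains non-hexadecimal characters") from exc
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one DER SEQUENCE covering the whole input")
    tag_n, n_raw, pos = _read_tlv(body, 0)
    tag_e, e_raw, pos = _read_tlv(body, pos)
    if (tag_n, tag_e) != (0x02, 0x02) or pos != len(body):
        raise ValueError("expected exactly two DER INTEGERs")
    # The key on this page stores the modulus without the leading 0x00 that
    # strict DER needs when the top bit is set, so both values are read unsigned.
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")
    if n <= 0 or e <= 0:
        raise ValueError("modulus and exponent must be positive")
    return n, e


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    # RFC 4251 mpint: big-endian, with a 0x00 prefix when the top bit is set.
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def describe_key(key_code):
    """Summarise a Key Code: size, exponent, OpenSSH line, SHA-256 fingerprint."""
    n, e = parse_key_code(key_code)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "openssh": "ssh-rsa " + base64.b64encode(blob).decode("ascii"),
        "fingerprint": "SHA256:" + digest.rstrip("="),
    }


def same_key(key_code_a, key_code_b):
    """True when two Key Code dumps (source device and pasted copy) match."""
    return parse_key_code(key_code_a) == parse_key_code(key_code_b)


if __name__ == "__main__":
    for field, value in describe_key(PAGE_KEY_CODE).items():
        print(f"{field}: {value}")
```

Run against the peer-public-key block of the server configuration file, same_key confirms that the pasted key is the one the client displayed.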

Configuration Files
- Configuration file of the SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 service-type stelnet
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return

- Configuration file of client001


#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 1.1.2.2 255.255.255.0
#
ssh client first-time enable
#
admin
return

- Configuration file of client002


#
sysname client002
#
interface GigabitEthernet0/0/0
ip address 1.1.3.3 255.255.255.0
#
ssh client first-time enable
#
admin
return
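
The following Python check is an added example, not part of the Huawei guide. It scans configuration text like the files listed in 5.7.1 and 5.7.2 for password simple entries (the password is visible in the file), first-time authentication, and VTY sections that are not limited to SSH or have no inbound ACL, and it also flags the des, md5 and dh_group1 choices that the sftp syntax in 5.6.4 allows. The rule names and function names are this example's own; it assumes that a VTY section without protocol inbound ssh accepts Telnet, as P2 does in 5.7.1, and that dh_group1 selects diffie-hellman-group1-sha1.

```python
"""Added example: flag risky settings in VRP configuration text of the kind
listed on this page. Rule names are made up for this example."""
import re

PLAINTEXT_PASSWORD = re.compile(r"(\bpassword\s+simple\s+)\S+", re.IGNORECASE)
# des, md5/md5_96 and dh_group1 are the weakest choices in the sftp syntax;
# 3des is not flagged, although aes128 is the stronger cipher in that list.
WEAK_ALGORITHM = re.compile(
    r"\bprefer_(?:kex\s+dh_group1|(?:ctos|stoc)_cipher\s+des"
    r"|(?:ctos|stoc)_hmac\s+md5(?:_96)?)\b", re.IGNORECASE)
VTY_ACL = re.compile(r"acl\s+.*\binbound", re.IGNORECASE)

# Configuration file of P2, as listed in the Telnet example on this page.
P2_CONFIG = """\
#
sysname P2
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
set authentication password simple hello
acl 2000 inbound
#
admin
return
"""

# Constructed sample: a VTY section limited to AAA, SSH and an inbound ACL.
HARDENED_VTY = """\
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
acl 2000 inbound
#
return
"""


def split_sections(config_text):
    """Split on '#' separator lines into lists of (line_number, text)."""
    sections, current = [], []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        text = " ".join(raw.split())  # drop indentation, collapse spacing
        if text == "#":
            if current:
                sections.append(current)
            current = []
        elif text:
            current.append((number, text))
    if current:
        sections.append(current)
    return sections


def audit_config(config_text):
    """Return sorted (line_number, rule, detail); passwords are masked."""
    findings = []
    for section in split_sections(config_text):
        for number, text in section:
            low = text.lower()
            if low.startswith("undo "):
                continue
            if PLAINTEXT_PASSWORD.search(text):
                masked = PLAINTEXT_PASSWORD.sub(r"\1***", text)
                findings.append((number, "PLAINTEXT-PASSWORD", masked))
            if low == "ssh client first-time enable":
                findings.append((number, "FIRST-TIME-AUTH", text))
            if WEAK_ALGORITHM.search(text):
                findings.append((number, "WEAK-SSH-ALGORITHM", text))
        number, header = section[0]
        if header.lower().startswith("user-interface vty"):
            body = [text.lower() for _, text in section[1:]]
            # Assumption: without this line the VTY also accepts Telnet.
            if "protocol inbound ssh" not in body:
                findings.append((number, "VTY-NOT-SSH-ONLY", header))
            if not any(VTY_ACL.fullmatch(line) for line in body):
                findings.append((number, "VTY-NO-ACL", header))
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("P2", P2_CONFIG), ("hardened", HARDENED_VTY)):
        print(name, audit_config(text) or "no findings")
```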

5.7.3 Example for Using TFTP to Access Other Devices


You can run the TFTP software on the TFTP server and set the directory of source files on the
server to upload and download files.

Networking Requirements
In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP involves
complicated interactions between terminals and servers, which is hard to implement on terminals
that do not run advanced operating systems. TFTP is designed for file transfer that
does not need complicated interactions between terminals and servers. It is simple and requires
little overhead. TFTP can be used only for simple file transfer without authentication.
As shown in Figure 5-11, a user logs in to the TFTP client from a PC, and uploads files to and
downloads files from the TFTP server.

Figure 5-11 Networking diagram for accessing another device by using TFTP
[Network diagram: PC -- TFTP Client -- TFTP Server (10.111.16.160/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the directory of source files on the
server.
2. Use TFTP commands on the TFTP client to download files.
3. Use TFTP commands on the TFTP client to upload files.

Data Preparation
To complete the configuration, you need the following data:
- TFTP software to be installed on the TFTP server
- Name of the file to be downloaded and path of the file on the TFTP server
- Name of the file to be uploaded and path of the file on the TFTP client

Procedure
Step 1 Enable the TFTP server function.
Enter the directory in which the file to be downloaded resides on the TFTP server in the Current
Directory column, as shown in Figure 5-12.

Figure 5-12 Setting the current directory on the TFTP server

NOTE

The displayed window may vary with the TFTP software.

Run the tftpservermt command on the client to enter the TFTP server path and run the following
command:
/home/tftpservermt # ./tftpserver -v -i tftpserver.ini
TFTP Server MultiThreaded Version 1.61 Unix Built 1611
starting TFTP...
username: root
alias / is mapped to /home/
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 3
file read allowed: Yes
file create allowed: Yes
file overwrite allowed: Yes
thread pool size: 1
listening on: 0.0.0.0:69
Accepting requests..

Step 2 Log in to the TFTP client from the HyperTerminal to download a file.
<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select
[Y/N]:y
Transfer file in binary mode.
Please wait for a while...
/
3338 bytes transferred
File transfer completed

Step 3 Verify the configuration.

Run the dir command on the TFTP client to view the directory in which the downloaded file is
saved.
<HUAWEI> dir

Directory of 0/17#cfcard:/

Idx  Attr  Size(Byte)   Date         Time(LMT)  FileName
0    -rw-  3,338        Jan 25 2011  09:27:41   b.txt
1    -rw-  103,265,123  Jan 25 2011  06:49:07   VRPV800R002C00B020D0123.cc
2    -rw-  92,766,274   Jan 25 2011  06:49:10   VRPV800R002C00SPC007B008D1012.cc

109,867,396 KB total (102,926,652 KB free)

Step 4 Log in to the TFTP client from the HyperTerminal to upload a file.
<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode.
Please wait for a while...
\ 100% [***********]
File transfer completed

----End

Configuration Files
None.

5.7.4 Example for Using FTP to Access Other Devices


You can log in to the FTP server from the FTP client to download system software from the FTP
server and configure the software on the client.

Networking Requirements
When you need to transfer files with a remote FTP server or manage directories of the server,
you can configure the current device as an FTP client and then access the FTP server by using
FTP.
As shown in Figure 5-13, the FTP client and server are routable. You can log in to the FTP
server from the FTP client to download system software from the FTP server and configure the
software on the client.

Figure 5-13 Networking diagram for accessing another device by using FTP

[Figure: FTP Client (GE1/0/1, 2.1.1.1/24) -- Network -- FTP Server (GE1/0/1, 1.1.1.1/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password for an FTP user to log in to the FTP server and the
directory that the user will access.
2. Enable the FTP server function.
3. Run login commands to log in to the FTP server.
4. Configure the file transfer mode and working directory to allow the client to download files
from the server.

Data Preparation
To complete the configuration, you need the following data:
• User name: huawei; password: 123
• IP address of the FTP server: 1.1.1.1
• Name of the file to be downloaded and directory of the file

Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] local-user huawei password simple 123
[~HUAWEI-aaa] local-user huawei service-type ftp
[~HUAWEI-aaa] local-user huawei ftp-directory cfcard:/

[~HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 2 Enable the FTP server function.


[~HUAWEI] ftp server enable
[~HUAWEI] commit
[~HUAWEI] quit

Step 3 Log in to the FTP server from the FTP client.


<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

Step 4 Set the file transfer mode to binary and the working directory to new_dir:/ on the FTP client.
[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit

Step 5 Download the latest system software from the FTP server on the FTP client.
[ftp] get VRPV800R002C00B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for VRPV800R002C00B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

Run the dir command to check whether the required file has been downloaded to the client.

----End

Configuration Files
• Configuration file on the FTP server
#
aaa
local-user huawei password simple 123
local-user huawei ftp-directory cfcard:/
local-user huawei service-type ftp
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
ftp server enable
#
admin
return

• Configuration file on the FTP client
#
interface GigabitEthernet1/0/1

undo shutdown
ip address 2.1.1.1 255.255.255.0
#
admin
return

5.7.5 Example for Using SFTP to Access Other Devices


To allow the SFTP client to connect to the SSH server, configure the client and server to generate
local key pairs, configure the client to generate an RSA public key, send the public key to the
server, and bind the public key to the client.

Networking Requirements
SFTP is based on SSH connections. SFTP ensures that users log in to a remote device securely
to manage and transfer files, enhancing secure file transfer. As the device can function as an
SFTP client, you can log in to a remote SSH server from the device to transfer files securely.
As shown in Figure 5-14, after the SFTP server function is enabled on the SSH server, the SFTP
client can log in to the SSH server in the authentication mode of password, RSA,
password-RSA, or all.

Figure 5-14 Networking diagram for accessing another device by using SFTP
[Figure: SSH Server (GE0/0/0, 1.1.1.1/16) connected to Client 001 (GE0/0/0, 1.1.2.2/16) and Client 002 (GE0/0/0, 1.1.3.3/16)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts to
log in to the server.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Client001 and client002 log in to the SSH server in SFTP mode to obtain files on the
server.

Data Preparation
To complete the configuration, you need the following data:

• Client001: password authentication (password: huawei)
• Client002: RSA authentication (public key: RsaKey001)
• IP address of the SSH server: 1.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] :

Step 2 Create SSH users on the server.


NOTE

There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
• If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
• If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.

• Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.


[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

• Create an SSH user named client002.
# Create an SSH user named client002 and configure RSA authentication for the user.
[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] commit

Step 3 Configure the RSA public key on the server.


# Configure the client to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~client002] commit

# Check the RSA public key generated on the client.


[~client002] display rsa local-key-pair public

======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Host
Key Type : RSA Encryption Key
========================================================
Key Code:

308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001

Host Public Key for PEM format Code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98
25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn
+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX
GJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri
89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi
SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:


1024 65537 125048203250833642388841080101906750228075076456213955541037945628567
57310398880086451511608221218821171562865637463140847157102422109476944363593619
24637760514734544191988044752471924402237145321162849626052751701862381759745461
33321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Server
Key Type : RSA Encryption Key
========================================================
Key Code:

3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code] 3047
[~SSH Server-rsa-key-code] 0240
[~SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[~SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[~SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[~SSH Server-rsa-key-code] 1D7E3E1B
[~SSH Server-rsa-key-code] 0203

[~SSH Server-rsa-key-code] 010001
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit

Step 4 Bind the RSA public key to client002.


[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[~SSH Server] commit

Step 5 Enable the SFTP server function on the SSH server.


# Enable the SFTP server function.
[~SSH Server] sftp server enable
[~SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in RSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[~SSH Server] ssh user client001 sftp-directory cfcard:
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect the SFTP client to the SSH server.


# If the client logs in to the server for the first time, enable first-time authentication on the client.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.


[~client002] ssh client first-time enable
[~client002] commit

# Client001 logs in to the SSH server in password authentication mode.


[~client001] sftp 1.1.1.1
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 1.1.1.1. Please wait
Enter password:

# Client002 logs in to the SSH server in RSA authentication mode.


[~client002] sftp 1.1.1.1
Please input the username: client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 1.1.1.1. Please wait.

Step 8 Verify the configuration.


After the configuration is complete, run the display ssh server status, display ssh server
session and display ssh server statistics commands on the SSH server. You can find that the
SFTP server function has been enabled, and the SFTP client has logged in to the server.

# Check the status of the SSH server.


[~SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
Stelnet server: Disable

# Check the connection to the SSH server.


[~SSH Server] display ssh server session
Session : 1
Conn : SFTP 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password

Session : 2
Conn : SFTP 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : rsa

# Check the current statistics information of the SSH server.


[~SSH Server] display ssh server statistics
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
---------------------------------------

# Check information about SSH users.


[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : cfcard:
Service-type : sftp

Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : -

Service-type : sftp
----------------------------------------------------

----End

Configuration Files
• Configuration file of the SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return

• Configuration file of client001
#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.2.2 255.255.0.0
#
ssh client first-time enable
#
admin
return

• Configuration file of client002

#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.3.3 255.255.0.0
#
ssh client first-time enable
#
admin
return
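
The peer key in the SSH server configuration file above can be sized offline: a public-key-code block is a DER SEQUENCE of two INTEGERs (modulus, exponent), so 0240 announces a 64-byte, 512-bit modulus. The Python check below is an added example, not part of the guide or of any Huawei tool; it decodes each peer key, ties it to the SSH user it is assigned to, and flags passwords stored with the simple keyword. The function names and the 2048-bit threshold are assumptions of the example.

```python
import re

MIN_RSA_BITS = 2048  # threshold chosen for this example, not taken from the guide

# Excerpt of the SSH server configuration file above (values as printed there).
SAMPLE_CONFIG = """\
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
"""

KEY_BLOCK = re.compile(
    r"^[ \t]*rsa peer-public-key (\S+)[ \t]*\n[ \t]*public-key-code begin[ \t]*\n"
    r"(.*?)\n[ \t]*public-key-code end", re.S | re.M)
ASSIGN = re.compile(r"^[ \t]*ssh user (\S+) assign rsa-key (\S+)", re.M)
SIMPLE_PW = re.compile(r"^[ \t]*local-user (\S+) password simple \S+", re.M)


def read_len(buf, pos):
    """Read a DER length field at buf[pos]; return (length, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated key code")
    first = buf[pos]
    if first < 0x80:                      # short form: 3047 -> 0x47 bytes
        return first, pos + 1
    count = first & 0x7F                  # long form: 308188 -> one byte, 0x88
    if count == 0 or count > 4:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def read_integer(buf, pos):
    """Read a DER INTEGER at buf[pos]; return (value, next position)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, pos = read_len(buf, pos + 1)
    if length == 0 or pos + length > len(buf):
        raise ValueError("INTEGER runs past end of key code")
    # The key codes on the page carry no leading 0x00 pad, so read unsigned.
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length


def decode_key_code(hex_text):
    """Decode a public-key-code block into (modulus, exponent)."""
    der = bytes.fromhex("".join(hex_text.split()))
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag 0x30")
    seq_len, pos = read_len(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match key code size")
    modulus, pos = read_integer(der, pos)
    exponent, pos = read_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after exponent")
    return modulus, exponent


def audit_config(text):
    """Return (finding, user or key name, detail) tuples for a saved configuration."""
    findings, key_bits = [], {}
    for name, body in KEY_BLOCK.findall(text):
        try:
            modulus, _ = decode_key_code(body)
        except ValueError as exc:
            findings.append(("key-unreadable", name, str(exc)))
            continue
        key_bits[name.lower()] = modulus.bit_length()
    # The page enters RsaKey001 and the saved file shows rsakey001: compare lower-cased.
    for user, key in ASSIGN.findall(text):
        bits = key_bits.get(key.lower())
        if bits is None:
            findings.append(("key-missing", user, key))
        elif bits < MIN_RSA_BITS:
            findings.append(("weak-rsa-key", user, f"{key}: {bits}-bit modulus"))
    for user in SIMPLE_PW.findall(text):
        findings.append(("cleartext-password", user, "password simple"))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The same decoder handles the long-form length seen in the 308188 / 028180 key codes elsewhere in this chapter, which carry a 1024-bit modulus.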

5.7.6 Example for Accessing the SSH Server by Using a Non-default Listening Port Number
A non-default listening port number can be configured for the SSH server to allow only valid
users to establish SSH connections with the server.

Networking Requirements
The default SSH listening port number is 22. If attackers continuously access this port, bandwidth
resources are consumed and performance of the server deteriorates. As a result, valid users
cannot access the server.

If the listening port number of the SSH server is changed to a non-default one, attackers do not
know the change and continue to send requests for socket connections to port 22. The SSH server
denies the connection requests because the listening port number is incorrect.

Valid users can set up socket connections with the SSH server by using the new listening port
number and then go through the following stages: negotiate the version of the SSH protocol,
negotiate the algorithms, generate the session key, authenticate, send the session request, and
interact in the session.

Figure 5-15 Example for accessing the SSH server by using a non-default listening port number
[Figure: SSH Server (GE0/0/0, 1.1.1.1/16) connected to Client 001 (GE0/0/0, 1.1.2.2/16) and Client 002 (GE0/0/0, 1.1.3.3/16)]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.

2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts to
log in to the server.
3. Enable the STelnet and SFTP server functions on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Configure a non-default listening port number of the SSH server to allow only valid users
to access the server.
6. Client001 and client002 log in to the SSH server by using STelnet and SFTP respectively.

Data Preparation
To complete the configuration, you need the following data:
• Client001: password authentication (password: huawei) and STelnet service type
• Client002: RSA authentication (public key: RsaKey001) and SFTP service type
• IP address of the SSH server: 1.1.1.1
• Listening port number of the SSH server: 1025

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~SSH Server] commit

Step 2 Configure the RSA public key on the server.


# Configure the client to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create
[~client002] commit

# Check the RSA public key generated on the client.


[~client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----

AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code] 3047
[~SSH Server-rsa-key-code] 0240
[~SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[~SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[~SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[~SSH Server-rsa-key-code] 1D7E3E1B
[~SSH Server-rsa-key-code] 0203
[~SSH Server-rsa-key-code] 010001
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit

Step 3 Create SSH users on the server.


NOTE

There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
• If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
• If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.

# Configure VTY user interfaces.


[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

• Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.


[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh

[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

# Set the service type of client001 to STelnet.


[~SSH Server] ssh user client001 service-type stelnet

• Create an SSH user named client002.
# Create an SSH user named client002, configure RSA authentication for the user, and bind
the RSA public key to client002.
[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[~SSH Server] commit

# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:
[~SSH Server] commit

Step 4 Enable the STelnet and SFTP server functions on the SSH server.
[~SSH Server] stelnet server enable
[~SSH Server] sftp server enable
[~SSH Server] commit

Step 5 Configure a new listening port number on the SSH server.


[~SSH Server] ssh server port 1025

Step 6 Connect the SSH client and the SSH server.


# If the client logs in to the server for the first time, enable first-time authentication on the client.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.


[~client002] ssh client first-time enable
[~client002] commit

# The STelnet client logs in to the SSH server by using the new listening port number.
[~client001] stelnet 1.1.1.1 1025
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:

Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<SSH Server>

# The SFTP client logs in to the SSH server by using the new listening port number.
[~client002] sftp 1.1.1.1 1025

Please input the username:client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
sftp-client>

Step 7 Verify the configuration.


Attackers fail to log in to the SSH server using the default listening port number 22.
[~client002] sftp 1.1.1.1
Please input the username:client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.

After the configuration is complete, run the display ssh server status, display ssh server
session and display ssh server statistics commands on the SSH server. The current listening
port number of the SSH server can be displayed in the command output. The command output
also shows that the STelnet or SFTP client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Enable
SSH server port : 1025

# Check the connection to the SSH server.


[~SSH Server] display ssh server session
Session : 1
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password

Session : 2
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa

# Check the current statistics information of the SSH server.


[~SSH Server] display ssh server statistics

----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
---------------------------------------

----End
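
The display output in Step 7 also records what each session negotiated, which is worth checking alongside the port number. The Python check below is an added example, not part of the guide or of any Huawei tool: it splits the display ssh server session output into per-session records, flags CBC ciphers, SHA-1 or MD5 MACs and SHA-1 key exchange, and reads the advertised SSH version from display ssh server status. The rule set and function names are choices of this example.

```python
import re

# Output copied from Step 7 above.
STATUS_OUTPUT = """\
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Enable
SSH server port : 1025
"""

SESSION_OUTPUT = """\
Session : 1
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password

Session : 2
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
"""


def parse_records(text, first_key="Session"):
    """Split 'Key : value' output into one dict per record starting at first_key."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == first_key:
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def weakness(field, value):
    """Return a reason string when a negotiated value is weak, else None."""
    v = value.lower()
    if field.endswith("Cipher") and v.endswith("-cbc"):
        return "CBC-mode cipher"
    if field.endswith("Hmac") and ("sha1" in v or "md5" in v):
        digest = "MD5" if "md5" in v else "SHA-1"
        return digest + " MAC" + (", truncated to 96 bits" if v.endswith("-96") else "")
    if field == "Kex" and "group1-" in v:
        return "1024-bit group with SHA-1"
    if field == "Kex" and v.endswith("-sha1"):
        return "SHA-1 key exchange"
    if field == "Version" and v.startswith("1."):
        return "SSH protocol 1 session"
    return None


def audit_sessions(text):
    """Return (session, username, field, value, reason) for each weak field."""
    findings = []
    for rec in parse_records(text):
        for field, value in rec.items():
            reason = weakness(field, value)
            if reason:
                findings.append((rec["Session"], rec.get("Username"), field, value, reason))
    return findings


def server_accepts_ssh1(status_text):
    """True if the status output advertises 1.x; 1.99 means SSH-1 clients are also accepted."""
    match = re.search(r"^\s*SSH version\s*:\s*(\S+)", status_text, re.M)
    return bool(match) and match.group(1).startswith("1.")


if __name__ == "__main__":
    print(server_accepts_ssh1(STATUS_OUTPUT))
    for finding in audit_sessions(SESSION_OUTPUT):
        print(finding)
```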

Configuration Files
• Configuration file of the SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
ssh server port 1025
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return

• Configuration file of client001
#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.2.2 255.255.0.0
#
ssh client first-time enable
#
admin
return

• Configuration file of client002
#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.3.3 255.255.0.0
#
ssh client first-time enable
#
admin
return

5.7.7 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network
This example shows how to configure an SSH client on the public network to access an SSH
server on a private network. You can configure SSH-related attributes for public users to allow
them to access devices on private networks in STelnet or SFTP mode.

Networking Requirements
As shown in Figure 5-16, PE1 is an SSH client located on the MPLS backbone network, and
CE1 functions as an SSH server located on the private network with the AS number of 65410.
It is required that public network users securely access and manage CE1 after logging in to PE1.

Figure 5-16 Networking diagram for configuring an SSH client on the public network to access
an SSH server on a private network
[Figure: MPLS backbone (AS 100) with PE1, P, and PE2; CE1 and CE2 are in VPN sites. Interface addressing:
PE1 (SSH client): Loopback1 1.1.1.9/32, POS1/0/1 100.1.1.1/30, GE1/0/1 10.1.1.2/24
P: Loopback1 2.2.2.9/32, POS1/0/1 100.1.1.2/30, POS1/0/2 200.1.1.1/30
PE2: Loopback1 3.3.3.9/32, POS1/0/1 200.1.1.2/30, GE1/0/1 10.1.2.2/24
CE1 (SSH server): GE1/0/1 10.1.1.1/24
CE2: GE1/0/1 10.1.2.1/24]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a VPN instance on PE1 to allow CE1 to access PE1.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
3. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts to
log in to the server.
4. Enable the STelnet and SFTP server functions on the SSH server.
5. Configure client001 to access CE1 by using STelnet and client002 by using SFTP.

Data Preparation
To complete the configuration, you need the following data:

• Name of the VPN instance on the PEs: vpn1
• VPN target on the PEs: 111:1
• IP address of PE1: 10.1.1.2; IP address of PE2: 10.1.2.2
• Client001: password authentication (password: huawei)
• Client002: RSA authentication (public key: RsaKey001)
• IP address of CE1: 10.1.1.1

Procedure
Step 1 Configure the MPLS backbone network.

Configure an IGP to allow PEs and the P on the MPLS backbone network to communicate with
each other. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on
the MPLS backbone network.
For detailed configurations, see the configuration files in this example.
Step 2 Configure VPN instances on PEs and connect CEs to PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1] vpn-target 111:1 both
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface gigabitethernet 1/0/1
[~PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet1/0/1] undo shutdown
[~PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[~PE1-GigabitEthernet1/0/1] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] route-distinguisher 200:1
[~PE2-vpn-instance-vpn1] vpn-target 111:1 both
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet 1/0/1
[~PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet1/0/1] undo shutdown
[~PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24
[~PE2-GigabitEthernet1/0/1] quit
[~PE2] commit

# Configure IP addresses for interfaces on CEs based on Figure 5-16. The configuration details
are not provided here.
After the configuration is complete, run the display ip vpn-instance verbose command on PEs.
You can view the configurations of VPN instances. Each PE can successfully ping its connected
CE.

NOTE

When there are multiple interfaces on a PE bound to the same VPN instance, specify the source address in
the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE
connected to the peer PE. Otherwise, the ping may fail.

Use the display on PE1 and CE1 as an example.


[~PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Create date : 2007/06/08 11:42:58
Up time : 0 days, 00 hours, 03 minutes and 27 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : uniform
Interfaces : GigabitEthernet2/0/0
[~PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=260 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=90 ms

--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/108/260 ms

Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN routes.
# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] import-route direct
[~CE1-bgp] quit
[~CE1] commit

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpn1] import-route direct
[~PE1-bgp-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure CE2.
[~CE2] bgp 65420
[~CE2-bgp] peer 10.1.2.2 as-number 100
[~CE2-bgp] import-route direct
[~CE2-bgp] quit
[~CE2] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[~PE2-bgp-vpn1] import-route direct
[~PE2-bgp-vpn1] quit
[~PE2-bgp] quit
[~PE2] commit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can find that the EBGP peer relationships between PEs and the CEs are in the
Established state.
Use the peer relationship between PE1 and CE1 as an example.
[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 3 3 0 00:00:37 Established 1

# Set up an MP-IBGP peer relationship between PEs.


For detailed configurations, see the configuration files in this example.
Step 4 Configure the server to generate a local key pair.
[~CE1] rsa local-key-pair create
The key name will be: CE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
[~CE1] commit

Step 5 Configure the RSA public key on the server.


# Configure the client to generate a local key pair.
[~PE1] rsa local-key-pair create
The key name will be: PE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
[~PE1] commit

# Check the RSA public key generated on the client.


[~PE1] display rsa local-key-pair public
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
E2EE8EB5
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg7
2x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F
2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F
23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40
278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437
D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4
970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001

# Copy the RSA public key generated on the client to the server.
[~CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~CE1-rsa-key-code] 3047
[~CE1-rsa-key-code] 0240
[~CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[~CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[~CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[~CE1-rsa-key-code] E2EE8EB5
[~CE1-rsa-key-code] 0203
[~CE1-rsa-key-code] 010001
[~CE1-rsa-key-code] public-key-code end
[~CE1-rsa-public-key] peer-public-key end
[~CE1-rsa-public-key] quit
[~CE1] commit

Step 6 Create SSH users on the server.


NOTE

There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
• If the authentication mode is password or password-RSA, configure a local user on the server with the
same user name.
• If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the
SSH client to the server.

# Configure VTY user interfaces.


[~CE1] user-interface vty 0 4
[~CE1-ui-vty0-4] authentication-mode aaa
[~CE1-ui-vty0-4] protocol inbound ssh
[~CE1-ui-vty0-4] commit
[~CE1-ui-vty0-4] quit

• Create an SSH user named client001.


# Create an SSH user named client001 and configure password authentication for the user.
[~CE1] ssh user client001
[~CE1] ssh user client001 authentication-type password

# Set the password of client001 to huawei.


[~CE1] aaa
[~CE1-aaa] local-user client001 password simple huawei
[~CE1-aaa] local-user client001 service-type ssh
[~CE1-aaa] quit

# Set the service type of client001 to STelnet.


[~CE1] ssh user client001 service-type stelnet

• # Create an SSH user named client002, configure RSA authentication for the user, and bind
the RSA public key to client002.
[~CE1] ssh user client002
[~CE1] ssh user client002 authentication-type rsa
[~CE1] ssh user client002 assign rsa-key RsaKey001

# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[~CE1] ssh user client002 service-type sftp
[~CE1] ssh user client002 sftp-directory cfcard:
[~CE1] commit

Step 7 Enable the STelnet and SFTP server functions on the SSH server.
[~CE1] stelnet server enable
[~CE1] sftp server enable
[~CE1] commit

Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).
# If the client logs in to the server for the first time, enable first-time authentication on the client.
[~PE1] ssh client first-time enable
[~PE1] commit

# Use STelnet to log in to the SSH server.


[~PE1] stelnet 10.1.1.1 -vpn-instance vpn1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
Enter password:

Enter the password huawei, and information indicating a successful login is displayed as
follows:
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
<CE1>

# Use SFTP to log in to the SSH server.


[~PE1] sftp 10.1.1.1 -vpn-instance vpn1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...

After the login succeeds, the following information is displayed, and you can operate files by
using FTP.
<sftp-client>

Step 9 Verify the configuration.

After the configuration is complete, run the display this command in the interface view on PE1.
You can find that the VPN instance has been successfully configured. Run the display ssh server
session and display ssh server statistics commands on CE1. You can find that the STelnet or
SFTP client has been successfully connected to the SSH server.

# Check the connection to the SSH server.


[~CE1] display ssh server session
Session : 1
Conn : VTY 0
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password

# Check the current statistics information of the SSH server.


[~CE1] display ssh server statistics
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
---------------------------------------

----End
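
The key code pasted into CE1 in Step 5 is a DER-style RSA public key: a SEQUENCE (tag 30) holding two INTEGERs (tag 02), the modulus and the public exponent, each preceded by its length. The following Python check is an added example, not Huawei code; it validates those length fields and reports the modulus size before a key is bound to a user. The function names and the 2048-bit floor are assumptions, and integers are read as unsigned because the keys on this page carry no leading zero byte.

```python
"""Check an RSA "Key code" block before pasting it into `public-key-code begin`."""

# Copied from the `display rsa local-key-pair public` output on this page.
PE1_HOST = """
3047
0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
E2EE8EB5
0203
010001
"""
PE1_SERVER = """
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F
23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40
278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437
D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4
970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
"""
# Constructed for this example: PE1_HOST with its first group mistyped as 3067.
MISTYPED = PE1_HOST.replace("3047", "3067", 1)
MIN_BITS = 2048  # assumption: local policy floor (top of the 512 ~ 2048 range offered)


class KeyCodeError(ValueError):
    """The block is not a well-formed SEQUENCE { modulus, exponent }."""


def _read_tlv(buf, pos, tag):
    """Read one tag-length-value item at pos; return (value, offset after it)."""
    if pos + 2 > len(buf):
        raise KeyCodeError("data ends before the header at offset %d" % pos)
    if buf[pos] != tag:
        raise KeyCodeError("expected tag %02X at offset %d, found %02X" % (tag, pos, buf[pos]))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form (used by larger keys): low 7 bits count the length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise KeyCodeError("bad long-form length before offset %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise KeyCodeError("length %d at offset %d runs past the %d bytes supplied"
                           % (length, pos, len(buf)))
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Return (modulus, exponent) as integers; raise KeyCodeError if malformed."""
    try:
        der = bytes.fromhex("".join(text.split()))
    except ValueError:
        raise KeyCodeError("non-hex characters or an odd number of hex digits") from None
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise KeyCodeError("%d bytes follow the outer SEQUENCE" % (len(der) - end))
    modulus, pos = _read_tlv(body, 0, 0x02)
    exponent, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise KeyCodeError("%d unexpected bytes after the exponent" % (len(body) - pos))
    # Unsigned read: the keys on this page have no leading 00 byte.
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")


def audit_key_code(name, text, min_bits=MIN_BITS):
    """Return a list of findings for one block; an empty list means it passed."""
    try:
        n, e = parse_key_code(text)
    except KeyCodeError as exc:
        return ["%s: malformed key code (%s)" % (name, exc)]
    findings = []
    if n.bit_length() < min_bits:
        findings.append("%s: %d-bit modulus is below the %d-bit floor"
                        % (name, n.bit_length(), min_bits))
    if n % 2 == 0:
        findings.append("%s: modulus is even, so it is not an RSA modulus" % name)
    if e < 3 or e % 2 == 0:
        findings.append("%s: public exponent %d is not an odd value >= 3" % (name, e))
    return findings


def same_key(text_a, text_b):
    """True when two blocks encode the same key, whatever their line wrapping."""
    return parse_key_code(text_a) == parse_key_code(text_b)


if __name__ == "__main__":
    for label, block in (("PE1_Host", PE1_HOST), ("PE1_Server", PE1_SERVER), ("mistyped", MISTYPED)):
        for finding in audit_key_code(label, block) or ["%s: ok" % label]:
            print(finding)
```

Running same_key on the block displayed on the client and the block stored under rsa peer-public-key on the server confirms that the key bound to the user is the one that was intended.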
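
The session record displayed in Step 9 names the algorithms negotiated for each connection (aes128-cbc, hmac-sha1-96, diffie-hellman-group1-sha1). The following Python check is an added example, not part of the original guide or of Huawei's software: it parses display ssh server session output and lists the algorithms that current SSH guidance treats as legacy. The rule set and function names are assumptions, and session 2 is a constructed record.

```python
import re

# Session 1 is the `display ssh server session` output shown in Step 9.
# Session 2 is constructed for this example to show a record that passes.
SAMPLE_OUTPUT = """\
Session : 1
Conn : VTY 0
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session : 2
Conn : VTY 1
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
Kex : diffie-hellman-group14-sha256
Service Type : sftp
Authentication Type : rsa
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S.*?)\s*$")

# Policy used by this example (an assumption; adjust to your own baseline).
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def parse_sessions(text):
    """Split the command output into one dict per session."""
    sessions = []
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # separators, blank lines, prompts
        key, value = match.groups()
        if key == "Session":
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions


def legacy_algorithms(session):
    """Return (field, value, reason) for every legacy algorithm in one session."""
    findings = []
    version = session.get("Version")
    if version and not version.startswith("2"):
        findings.append(("Version", version, "SSH protocol 1"))
    for direction in ("CTOS", "STOC"):  # client-to-server, server-to-client
        field = direction + " Cipher"
        cipher = session.get(field, "")
        if cipher.endswith("-cbc"):
            findings.append((field, cipher, "CBC-mode cipher"))
        field = direction + " Hmac"
        mac = session.get(field, "")
        reasons = []
        if "md5" in mac or "sha1" in mac:
            reasons.append("MD5/SHA-1 based MAC")
        if mac.endswith("-96"):
            reasons.append("tag truncated to 96 bits")
        if reasons:
            findings.append((field, mac, ", ".join(reasons)))
    kex = session.get("Kex", "")
    if kex in LEGACY_KEX:
        findings.append(("Kex", kex, "SHA-1 key exchange listed as SHOULD NOT in RFC 9142"))
    return findings


def audit_output(text):
    """Map 'session id/username' to its findings, skipping clean sessions."""
    report = {}
    for session in parse_sessions(text):
        findings = legacy_algorithms(session)
        if findings:
            report["%s/%s" % (session.get("Session"), session.get("Username"))] = findings
    return report


if __name__ == "__main__":
    for who, findings in audit_output(SAMPLE_OUTPUT).items():
        for field, value, reason in findings:
            print("%s: %s = %s (%s)" % (who, field, value, reason))
```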

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
rsa peer-public-key rsakey001
public-key-code begin
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
admin
return

• Configuration file of PE1


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface NULL0
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
ssh client first-time enable
#
admin
return
• Configuration file of the P
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos1/0/2
undo shutdown
link-protocol ppp
ip address 200.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 200.1.1.0 0.0.0.255
#
admin
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.2.2 255.255.255.0
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 200.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.2.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 200.1.1.0 0.0.0.255
#
admin
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
bgp 65420
peer 10.1.2.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.2.2 enable
#
admin
return
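
Two lines in the configuration files above deserve attention in a review: local-user client001 password simple huawei leaves the password readable in the CE1 configuration file, and ssh client first-time enable makes PE1 accept and save a server public key it has not verified (the Y/N prompts in Step 8). The following Python lint is an added example, not Huawei tooling; it scans configuration text for those settings, for password-only SSH users, and for VTY blocks that lack protocol inbound ssh. The rule names and the function name are assumptions, and the embedded text is an excerpt of the CE1 and PE1 files.

```python
import re

# Excerpts of the CE1 and PE1 configuration files from this example.
CONFIGS = {
    "CE1": """\
#
sysname CE1
#
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
""",
    "PE1": """\
#
sysname PE1
#
ssh client first-time enable
#
return
""",
}

# (rule name, pattern, message); the message never echoes the password itself.
RULES = [
    ("cleartext-password",
     re.compile(r"^local-user (\S+) password simple \S+"),
     "password of local user {0} is stored readable in the configuration file"),
    ("password-only-ssh-user",
     re.compile(r"^ssh user (\S+) authentication-type password$"),
     "SSH user {0} authenticates with a password only"),
    ("trust-on-first-use",
     re.compile(r"^ssh client first-time enable$"),
     "client accepts and saves an unverified server public key on first connection"),
]


def audit_config(device, text):
    """Return (device, line number, rule, message) tuples for one configuration file."""
    findings = []
    vty_head, vty_line, vty_ssh_only = None, 0, False
    lines = text.splitlines() + ["#"]  # sentinel so the last block is always closed
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if line in ("#", "return"):  # end of a configuration block
            if vty_head and not vty_ssh_only:
                findings.append((device, vty_line, "vty-not-ssh-only",
                                 "%s has no 'protocol inbound ssh'" % vty_head))
            vty_head, vty_ssh_only = None, False
            continue
        if line.startswith("user-interface vty"):
            vty_head, vty_line = line, number
        elif vty_head and line == "protocol inbound ssh":
            vty_ssh_only = True
        for rule, pattern, message in RULES:
            match = pattern.match(line)
            if match:
                findings.append((device, number, rule, message.format(*match.groups())))
    return findings


if __name__ == "__main__":
    for name, config in CONFIGS.items():
        for device, number, rule, message in audit_config(name, config):
            print("%s line %d [%s] %s" % (device, number, rule, message))
```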


6 Using the Command Line Interface

About This Chapter

This chapter describes the command line interface that is used to maintain the device routinely.
After users edit and configure a command line in a certain view, the system displays certain
information or error prompts.

6.1 Overview of the Command Line Interface


The command line interface (CLI) is the common tool for running commands. You can configure
and manage the router by using the CLI commands.
6.2 Establishing the Running Environment for the Command Line
Before using the command line, you can set its running environment to suit your own usage
habits.
6.3 How to Use Command Lines
This section describes how to use command lines: command views, the command line editing
function, the command line template, displayed information, and error information.
6.4 How to Obtain Command Help
When you enter command lines or configure services, command help offers real-time help in
addition to the configuration guide.
6.5 How to Use Shortcut Keys
You can use the system shortcut keys or user-defined shortcut keys to enter the corresponding
commands. This simplifies operations.
6.6 Configuration Examples
This section describes how to use command lines with configuration examples.


6.1 Overview of the Command Line Interface


The command line interface (CLI) is the common tool for running commands. You can configure
and manage the router by using the CLI commands.

Command Line Interface


After you log in to the router, the displayed command line prompt indicates that you have entered
the CLI. The CLI is an interface through which you can interact with the router.

You can enter the commands provided by the system through the CLI to configure and manage
the router.

The CLI has the following features:

• Supports local configurations through the console interface.
• Supports local or remote configurations through Telnet or Secure Shell (SSH).
• Supports the customized management of various terminal users in the user interface view.
• Supports command-based hierarchical protection, so that users of different levels can run
only the commands of the corresponding levels.
• Supports the local, password, and AAA authentication modes to ensure system security by
preventing unauthorized users from accessing the router.
• Lets users type a question mark "?" to obtain online help.
• Provides network testing commands, such as the tracert and ping commands, for quickly
diagnosing network connectivity.
• Provides detailed debugging information of various types to help diagnose network faults.
• Supports logging in to and managing other routers through the telnet command.
• Provides the FTP service that facilitates the upload and download of files.
• Provides a DosKey-like function for running a historical command.
• Provides multiple intelligent command resolution methods through the command line
interpreter, such as partial match and context-sensitive resolution, which make command entry
easier.
NOTE

• A command can contain a maximum of 1024 characters, including a command entered in an
incomplete form.
• If a command is run in an incomplete form, the system saves it to the configuration file in its
complete form, which may then exceed 1024 characters. In that case, the command cannot be
restored after the system restarts, so pay attention to the length of commands entered in an
incomplete form.

6.2 Establishing the Running Environment for the Command Line

Before using the command line, you can set its running environment to suit your own usage
habits.


Applicable Environment
Before using the command line to configure services, you can establish the basic running
environment for the command line to meet the requirements of the actual environment.

Pre-configuration Tasks
Before establishing the running environment for the command line, complete the following
tasks:
• Installing the router and powering it on properly
• Logging in to the router as a client

Configuration Procedures
To establish the running environment for the command line, perform the following procedures.

6.2.1 Configuring the Login Alert


When you access the router, a prompt is displayed. You can set the content of the prompt as you
like.

Context
The login alert is the prompt that is displayed either when you access the router or after you
pass authentication and before you start to interact with the system.
The login alert is configured to provide an explicit indication of your login.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
header login { information text | file file-name }

The alert displayed during the login is configured.


Step 3 Run:
header shell { information text | file file-name }

The alert displayed after the login is configured.


Step 4 Run:
commit

The configuration is committed.

----End

6.2.2 Setting a Device Name


The name of a device is displayed in the command prompt. You can modify the name of a device
as required.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sysname host-name

The name of the device is set.


Step 3 Run:
commit

The configuration is committed.

----End

6.2.3 Configuring Command Levels


This section describes how to configure command levels to ensure device security or allow
low-level users to run high-level commands. By default, commands are registered in the sequence
of Level 0 to Level 3. If refined rights management is required, you can divide commands into
16 levels, that is, from Level 0 to Level 15.

Context
If the user does not adjust a command level separately, after the command level is updated, all
originally-registered command lines adjust automatically according to the following rules:
• The commands of Level 0 and Level 1 remain unchanged.
• The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated
to Level 15.
• No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust
the command lines to these levels separately to refine the management of privilege.

CAUTION
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
command-privilege level rearrange

The command levels are updated in batches.


When no password is configured for a Level 15 user, the system prompts you to set a super
password for the Level 15 user and, at the same time, asks whether you want to continue with
the update of command levels. Select "N" and set a password. If you select "Y", the command
levels are updated in batches directly. As a result, a user who does not log in through the
console port fails to update the level.
Step 3 Run:
command-privilege level level view view-name command-key

All commands have default command views and levels. You do not need to reconfigure them.

----End

6.2.4 Lock the User Interface


In order to prevent unauthorized user access to the interface, you can lock the current user
interface.

Procedure
Step 1 Run:
lock

The current user interface is locked.


The user interface can be the console interface or a VTY interface.
After running the lock command, enter a password twice as prompted to activate the screen
save mode. If the two entries are the same, the current user interface is locked.
After the system is locked, to log in to the system, press Enter and then enter the correct
password as prompted. This unlocks the user interface and logs you in to the system.
If you forget the password, you cannot log in to the system. In this case, you must retrieve
the password from the administrator or reconfigure a password.

----End

6.3 How to Use Command Lines


This section describes how to use command lines: command views, the command line editing
function, the command line template, displayed information, and error information.

Applicable Environment
Before configuring services through command lines, you need to understand the basic operations
of command lines.

Pre-configuration Tasks
Before using command lines, complete the following tasks:

• Installing the router and powering it on properly
• Logging in to the router as a client

Configuration Procedures
To use command lines, perform the following procedures as required.

6.3.1 Entering a Command View


The CLI has multiple command views. All the commands are registered in one or more command
views. In general, you can run a command only after entering its command view.

# Set up a connection with the router. If the default configuration is adopted on the router, enter
the user view. The prompt on the screen is displayed as follows:
<HUAWEI>

# Enter system-view and press Enter to enter the system view.


<HUAWEI> system-view
[~HUAWEI]

• # Enter aaa in the system view to enter the AAA view.


[~HUAWEI] aaa
[~HUAWEI-aaa]

• # Enter diagnose in the system view to enter the diagnose view.


<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose]

NOTE

The command line prompt "HUAWEI" is the default host name, and it can be specified by the sysname
command. The current view can be determined according to the prompt. For example, "<>" indicates the
user view; "[]" indicates any view except the user view.

You can run the quit command to quit the current view and enter a view of a lower level. If the
current view is the user view, you exit the system.

You can run the return command to quit the current view and enter the user view. If the current
view is the user view, the user view is still displayed.

Certain commands that can be run in the system view can also be run in other views. The function
that can be realized through a command, however, is determined by the command view where
the command is run. For example, the mpls command is run to enable MPLS. If the mpls
command is run in the system view, it indicates that MPLS is enabled globally; if the mpls
command is run in the interface view, it indicates that MPLS is enabled on the corresponding
interface.

6.3.2 Editing Command Lines


The editing function of command lines enables you to edit command lines or obtain help through
certain keys.

The CLI on the NE5000E provides the basic editing function of command lines and supports
multi-line editing. Each command can contain up to 1024 characters.

The common editing functions are described in Table 6-1.


Table 6-1 List of editing functions

Key                          Function

Common key                   Inserts a character at the cursor position and moves the cursor to the
                             right if the editing buffer is not full.

BackSpace                    Deletes the character before the cursor and moves the cursor to the left.
                             If the cursor is at the beginning of the command, the system does not
                             respond.

Up cursor key or Ctrl_P      Accesses the previous historical command. The previous historical command
                             is displayed if there is an earlier historical command.

Down cursor key or Ctrl_N    Accesses the next historical command. The next historical command is
                             displayed if there is a later historical command. Otherwise, the command
                             is cleared.

Tab                          Press Tab after entering an incomplete keyword, and the system runs the
                             partial help.
                             • If the keyword matching the entered one is unique, the system replaces
                               the entered one with the complete keyword and displays it in a new line
                               with the cursor one space behind.
                             • If there are several matches or no match at all, the system displays
                               the prefix first. You can press Tab to switch from one matched keyword
                               to another. In this case, the cursor closely follows the end of a word,
                               and you can press the spacebar and enter the next word.
                             • If an incorrect keyword is entered, press Tab and it is displayed in a
                               new line without being changed.

NOTE

On the HyperTerminal of Windows 9X, the cursor keys do not work because the HyperTerminal of
Windows 9X defines the keys differently. In this case, you can use Ctrl_P instead of the cursor key.

Follow-up Procedure
A device automatically saves each command that you enter, that is, each piece of keyboard input
ending with Enter or "?". The display history-command command displays the commands that
were run recently, which helps you search for information.

6.3.3 Checking the Configuration


After completing a set of configurations, you can run the following command to check the
previous configuration.

Context
The basic configuration is complete.


Procedure
- Run:
  display current-configuration [ configuration [ configuration-type
  [ configuration-instance ] ] | interface interface-type [ interface-number ] ]

  The current configuration is displayed.

- Run:
  display this

  The configurations of the system in the current view are displayed.

Effective parameters that are the same as the default parameters are not displayed. Configured
parameters that do not take effect are not displayed either.

----End

6.3.4 Checking the Diagnostic Information


When a fault occurs in the system, if it is difficult to determine the module that causes the fault,
you can use this command to collect diagnostics information for locating the fault.

Procedure
Step 1 Run:
display diagnostic-information [ file-name ]

The diagnostic information about the current system is displayed.

By default, the file path is cfcard:, and the extension of the file is .txt.

The display diagnostic-information command combines the functions of multiple common
display commands, such as the display clock, display version, and display current-configuration
commands. Running this command is equivalent to running these display commands.

----End

6.3.5 Display Mode of Command Lines


All the commands share the same display feature. You can flexibly specify the display mode as
required.

Display Feature
When the information cannot be completely displayed on one screen, you can adopt the pause
function. You have three choices as listed in Table 6-2.

Table 6-2 List of display functions

Key     Function
------  --------------------------------------------------------
Ctrl+C  Stops displaying information and running commands.
Space   Continues to display the information on the next screen.
Enter   Continues to display the information in the next line.

Regular Expression
The regular expression describes a pattern that matches a set of character strings. It consists of
common characters (such as characters a to z) and special characters (also called metacharacters).
The regular expression functions as a template to match a character pattern with the searched
character string.

The regular expression features the following functions:

- Checks and obtains the sub-character string that matches a certain rule in the character
  string.
- Replaces the character string according to the matching rule.

The regular expression consists of common characters and special characters.

- Common character
  Common characters match common characters in the character string, including all the
  uppercase letters, lowercase letters, numbers, punctuation marks, and special symbols. For
  example, "a" matches "a" in "abc"; "202" matches "202" in "202.113.25.155"; "@" matches
  "@" in "xxx@xxx.com".
- Special character
  Special characters, together with common characters, match complicated or special
  character strings. For example, "^10" matches "10.10.10.1" instead of "20.10.10.1".
  Table 6-3 describes special characters and their syntax.

Table 6-3 Description of special characters

Special    Syntax                                  Example
character
---------  --------------------------------------  --------------------------------------
\          Defines an escape character, which is   \* matches "*".
           used to mark the next character
           (common or special) as the common
           character.

^          Matches the starting position of the    ^10 matches "10.10.10.1" instead of
           string.                                 "20.10.10.1".

$          Matches the ending position of the      1$ matches "10.10.10.1" instead of
           string.                                 "10.10.10.2".

*          Matches the preceding element zero or   10* matches "1", "10", "100", and
           more times.                             "1000".
                                                   (10)* matches "null", "10", "1010",
                                                   and "101010".

+          Matches the preceding element one or    10+ matches "10", "100", and "1000".
           more times.                             (10)+ matches "10", "1010", and
                                                   "101010".

?          Matches the preceding element zero or   10? matches "1" and "10".
           one time.                               (10)? matches "null" and "10".

.          Matches any single character.           0.0 matches "0x0" and "020".
                                                   .oo matches "book", "look", and
                                                   "tool".

()         Defines a subexpression, which can be   100(200)+ matches "100200" and
           null. Both the expression and the       "100200200".
           subexpression should be matched.

x|y        Matches x or y.                         100|200 matches "100" or "200".
                                                   1(2|3)4 matches "124" or "134",
                                                   instead of "1234", "14", "1224", and
                                                   "1334".

[xyz]      Matches any single character in the     [123] matches the character 2 in
           regular expression.                     "255".

[^xyz]     Matches any character that is not       [^123] matches any character except
           contained within the brackets.          for "1", "2", and "3".

[a-z]      Matches any character within the        [0-9] matches any character ranging
           specified range.                        from 0 to 9.

[^a-z]     Matches any character beyond the        [^0-9] matches all non-numeric
           specified range.                        characters.

_          Matches a comma ",", left brace "{",    _2008_ matches "2008", "space 2008
           right brace "}", left parenthesis "(",  space", "space 2008", "2008 space",
           and right parenthesis ")".              ",2008,", "{2008}", "(2008)",
           Matches the starting position of the    "{2008", and "(2008}".
           input string.
           Matches the ending position of the
           input string.
           Matches a space.

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

- Degeneration of special characters
  Certain special characters, when placed at the following positions in the regular
  expression, degenerate to common characters.
  - A special character following "\" is escaped and matches the special character itself.
  - The special characters "*", "+", and "?" placed at the starting position of the regular
    expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
  - The special character "^" placed at any position except for the start of the regular
    expression. For example, abc^ matches "abc^".
  - The special character "$" placed at any position except for the end of the regular
    expression. For example, 12$2 matches "12$2".
  - A right bracket such as ")" or "]" that is not paired with its corresponding left bracket
    "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".

  NOTE

  Unless otherwise specified, degeneration rules are applicable when preceding regular expressions
  serve as subexpressions within parentheses.
- Combination of common characters and special characters
  In actual application, multiple common characters and special characters, rather than one
  common character and one special character, are often combined to match a special character
  string.

The NE5000E supports the following filtering modes based on regular expressions.

For the commands supporting the regular expression, you can choose one of the following
filtering modes:

- | begin regular-expression
  Outputs all the lines following the line that matches the regular expression. That is, the
  system displays both the line that contains the specified character string (case sensitive)
  and all the following lines to the terminal.
- | exclude regular-expression
  Outputs all the lines that do not match the regular expression. That is, the system displays
  only the lines that do not contain the specified character string (case sensitive) to a terminal.
  If no line matches the rule, the output is null.
- | include regular-expression
  Outputs only the lines that match the regular expression. That is, the system displays only
  the lines that contain the specified character string (case sensitive) to a terminal. If no line
  matches the rule, the output is null.

When you run the display command with filtering rules set to query configurations, note the
following:

- The first line in the output is the entire line that contains the specified character string,
  rather than a line that begins with the specified character string.
- For some functions, even though you have configured them, the output of the display command
  is null if the configurations do not take effect.
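
The matching rules in Table 6-3, the degeneration rules, and the three filter modes can be checked offline with a small model. The following is an added example, not Huawei code: it translates a pattern in this dialect to Python's re syntax and applies include, exclude, and begin to constructed configuration lines. The function names, the sample lines, and the treatment of each "|" alternative as a new subexpression start are assumptions.

```python
import re

# "_" per Table 6-3: comma, braces, parentheses, a space, or the start or
# end of the input string.
UNDERSCORE = r"(?:^|$|[,{}() ])"


def translate(pattern):
    """Rewrite a pattern in the Table 6-3 dialect as Python `re` syntax."""
    out, depth, at_start = [], 0, True   # at_start: start of a (sub)expression
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        nxt = pattern[i + 1] if i + 1 < n else ""
        close = pattern.find("]", i + 2) if c == "[" else -1
        starts_next = False
        if c == "\\" and nxt:            # "\" marks the next character as common
            out.append(re.escape(nxt))
            i += 1
        elif close != -1:                # a paired [...] is copied unchanged
            out.append(pattern[i:close + 1])
            i = close
        elif c == "(":
            depth += 1
            out.append("(")
            starts_next = True
        elif c == ")":                   # an unpaired ")" degenerates
            out.append(")" if depth else r"\)")
            depth = max(depth - 1, 0)
        elif c == "|":                   # assumption: an alternative is a new start
            out.append("|")
            starts_next = True
        elif c in "*+?":                 # degenerate at the start of a (sub)expression
            out.append(re.escape(c) if at_start else c)
        elif c == "^":                   # anchor only at the start
            out.append("^" if at_start else r"\^")
            starts_next = at_start
        elif c == "$":                   # anchor only at the end
            at_end = nxt in ("", "|") or (nxt == ")" and depth > 0)
            out.append("$" if at_end else r"\$")
        elif c == "_":
            out.append(UNDERSCORE)
        elif c == ".":
            out.append(".")
        else:                            # common character, unpaired "[" or "]"
            out.append(re.escape(c))
        at_start = starts_next
        i += 1
    return "".join(out)


def matches(pattern, text):
    """True if the pattern matches anywhere in text (case sensitive)."""
    return re.search(translate(pattern), text) is not None


def display_filter(lines, mode, pattern):
    """Model of `display ... | begin|exclude|include regular-expression`."""
    rx = re.compile(translate(pattern))
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    if mode == "begin":
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]       # the whole matching line comes first
        return []
    raise ValueError("mode must be begin, exclude or include")


# Constructed sample output, not captured from a device.
CONFIG = [
    "sysname HUAWEI",
    "ftp timeout 35",
    "#",
    "interface GigabitEthernet0/0/0",
    " ip address 100.2.150.51 255.255.0.0",
    "#",
    "interface GigabitEthernet0/0/10",
    " ip address 10.10.10.1 255.255.255.0",
    "#",
    "ip route-static default-preference 10",
    "return",
]

if __name__ == "__main__":
    for mode, pat in [("include", "10"), ("include", "_10_"),
                      ("begin", "0/0/10$"), ("exclude", "^#")]:
        print(f"| {mode} {pat}")
        for line in display_filter(CONFIG, mode, pat):
            print("   ", line)
```

Comparing the results for 10 and _10_ shows why delimiter-aware patterns matter when a filter is used to review a configuration: the unanchored pattern also returns address and interface lines.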

The NE5000E supports the redirection of the output of the display command to a specified file.
There are two redirection modes:
- > filename
  The output of the display command is redirected to a specified file. If the file already exists,
  the content of the file is overwritten.
- >> filename
  The output of the display command is appended to a specified file, with the original content
  of the file unchanged.

6.3.6 Error Information in Command Lines


If an entered command passes the validation check, the command is executed correctly.
Otherwise, the system prompts error information.
Common error information is shown in Table 6-4.

Table 6-4 Common error information in command lines

Error Information     Cause
--------------------  -----------------------------------------------------
Unrecognized command  Indicates that no command is found.
                      Indicates that no keyword is found.
Wrong parameter       Indicates that the parameter type is incorrect.
                      Indicates that the parameter value exceeds the limit.
Incomplete command    Indicates that the input command is incomplete.
Too many parameters   Indicates that the input parameters are excessive.
Ambiguous command     Indicates that the input command is ambiguous.

6.4 How to Obtain Command Help


When you enter command lines or configure services, command help offers real-time help in
addition to the configuration guide.
The CLI on the NE5000E provides the following online help.

Full Help
You can obtain full help in any of the following ways:
- Enter a "?" in any command view to obtain all the commands and their simple descriptions.
  <HUAWEI> ?

- Enter a command followed by a space and a "?". If the position of "?" is for a keyword, all
  the keywords and their brief descriptions are listed. Take the following command output as
  an example:
  <HUAWEI> terminal ?
    debugging  Debug information to terminal
    logging    Log information to terminal

  The words "debugging" and "logging" are keywords, while "Debug information to
  terminal" and "Log information to terminal" are their descriptions.
- Enter a command followed by a space and a "?". If the position of "?" is for a parameter,
  the value range and function of the parameter are listed. Take the following command
  output as an example:
  [~HUAWEI] ftp timeout ?
    INTEGER<1-35791>  The value of FTP timeout (in minutes)
  [~HUAWEI] ftp timeout 35 ?
    <cr>

  In the command output, "INTEGER<1-35791>" indicates the value range, and "The value
  of FTP timeout (in minutes)" is the brief description of the parameter function. "<cr>"
  indicates that no parameter is in the position. In this case, press Enter to run the command.

Partial Help
You can obtain partial help in any of the following ways:

- Enter a string followed by a "?", and then the system lists all the keywords that start with
  the string.
  <HUAWEI> d?

    debugging      delete
    dir            display

- Enter a command followed by a "?" if there are several matches for the keyword. Then, all
  the keywords that start with the string are listed.
  <HUAWEI> display c?

    car            clock
    configuration  control-flap
    cpu-defend     cpu-monitor
    cpu-usage      current-configuration

- Enter the initial letters of a keyword in a command line and press Tab. Then, the complete
  keyword is displayed. If there are several matches for the keyword, you can press Tab
  repeatedly. Then, various keywords are displayed, and you can choose the one you need.

6.5 How to Use Shortcut Keys


You can use the system shortcut keys or user-defined shortcut keys to enter the corresponding
commands. This simplifies operations.

Applicable Environment
When configuring services through command lines, you can define shortcut keys to rapidly enter
the frequently-used commands.

Pre-configuration Tasks
Before using shortcut keys, complete the following tasks:

- Installing the router and powering it on properly
- Logging in to the router as a client

Configuration Procedures
To use shortcut keys, perform the following procedures.

Related Tasks
6.6.1 Example for Using Tab
6.6.2 Example for Defining Shortcut Keys

6.5.1 Classification of Shortcut Keys


Shortcut keys consist of user-defined shortcut keys and system shortcut keys. After
understanding the classification of shortcut keys, you can use shortcut keys quickly and
accurately.
Shortcut keys in the system are classified into two groups:
- You can define five shortcut keys: Ctrl+G, Ctrl+L, Ctrl+O, Ctrl+T, and Ctrl+U. You
  can associate each shortcut key with any command. When you use a shortcut key, the system
  automatically runs the corresponding command. For details, see 6.5.2 Defining Shortcut Keys.
- System shortcut keys are fixed. They provide fixed functions and cannot be defined by
  users. The main system shortcut keys are listed in Table 6-5.

NOTE

Different terminal software defines shortcut keys differently. Therefore, the shortcut keys on a terminal
may be different from those listed in this section.

Table 6-5 System shortcut keys

Key     Function
------  ---------------------------------------------------------------------
Ctrl+C  Stops the running function.
Ctrl+K  Closes the connections for outgoing calls.
Ctrl+N  Displays the next command in the history command buffer.
Ctrl+P  Displays the previous command in the history command buffer.
Ctrl+Z  Returns to the user view.
Ctrl+]  Closes the connections for incoming calls or redirects the connection.

6.5.2 Defining Shortcut Keys


Only users of the management level have the right to define shortcut keys.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command-text

The shortcut keys are defined.

The default values of the shortcut keys Ctrl+G, Ctrl+L, and Ctrl+O are as follows:

- Ctrl+G: corresponds to the display current-configuration command.
- Ctrl+L: corresponds to the display ip routing-table command.
- Ctrl+O: corresponds to the undo debugging all command.

The default values of the other shortcut keys are null.

Step 3 Run:
commit

The configuration is committed.

----End

6.5.3 Displaying Shortcut Keys and Their Functions


You can use shortcut keys at any position where a command can be entered. After you use
shortcut keys, the system displays the corresponding command on the screen. The result is the
same as that of entering a complete command.

Context
If you have entered an incomplete command and have not pressed Enter, using a shortcut key at
this time clears the entered characters and displays the corresponding command on the screen.
The result is the same as that of entering a complete command.

As with typed commands, when a shortcut key is used the system records the original
command in the command buffer and in logs for further fault detection and query.

Procedure
Step 1 Run:
display hotkey

The shortcut keys supported by the system and their functions are displayed.

NOTE

The function of shortcut keys may be affected by the terminal in use. For example, when the user-defined
shortcut keys conflict with the system shortcut keys on the router, the shortcut keys are intercepted
by the terminal program when entered, and the corresponding command line cannot be run.

----End

6.6 Configuration Examples


This section describes how to use command lines with configuration examples.

6.6.1 Example for Using Tab


You can press Tab to make the system prompt the associated keywords or check whether the
keywords are correct.

Networking Requirements
Any router on the network is required.

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. If there is only one match for the incomplete keyword, enter the incomplete keyword and
press Tab.
2. If there are several matches for the keyword, enter the incomplete keyword and press
Tab repeatedly until the desired keyword is detected.
3. Enter the incorrect keyword and press Tab. In this case, the incorrect keyword remains
unchanged.

Data Preparation
None.
The use of Tab is described as follows:

If There Is Only One Match for an Incomplete keyword


1. Enter an incomplete keyword.
[~HUAWEI] ip rout

2. Press Tab.
The system replaces the entered keywords with the complete keywords followed by a space.
[~HUAWEI] ip route-static

If There Are Several Matches for an Incomplete keyword


# The keyword ip route-static can be followed by the following keywords:
[~HUAWEI] ip route-static ?
  X.X.X.X             Destination IP address
  bfd                 BFD configuration information
  default-bfd         Default BFD parameter
  default-preference  Preference-value for IPv4 static-routes
  frr                 Fast Reroute
  selection-rule      Selection rule
  topology            Specify topology information
  vpn-instance        VPN-Instance route information

1. Enter an incomplete keyword.


[~HUAWEI] ip route-static d

2. Press Tab.
The system first displays the prefixes of all the matched keywords. In this example, the
prefix is "default".
[~HUAWEI] ip route-static default-

Press Tab to switch from one matched keyword to another. In this case, the cursor closely
follows the end of a word.
[~HUAWEI] ip route-static default-bfd
[~HUAWEI] ip route-static default-preference

Stop pressing Tab when the desired keyword is detected.


3. Enter the next word 10.
[~HUAWEI] ip route-static default-preference 10

Pressing Tab After an Incorrect keyword Is Entered


1. Enter an incorrect keyword.
[~HUAWEI] ip route-static default-pe

2. Press Tab.
The system displays the output in a new line. The entered keyword remains unchanged.
[~HUAWEI] ip route-static default-pe

Configuration Files
None.

Related Tasks
6.5 How to Use Shortcut Keys

6.6.2 Example for Defining Shortcut Keys


If shortcut keys are defined on the router, all users can use the shortcut keys regardless of the
user levels.

Networking Requirements
Any router on the network is required.

Configuration Notes
If a user does not have the right to execute the command associated with a defined shortcut key,
the system makes no response when the user presses this shortcut key.

Configuration Roadmap
The configuration roadmap is as follows:

1. Define the shortcut key Ctrl+U and associate it with the display ip routing-table command.
2. Press Ctrl+U at the prompt of [~HUAWEI].

Data Preparation
To define shortcut keys, you need the following data.
- Names of shortcut keys
- Names of the commands that are to be associated with shortcut keys

Procedure
Step 1 Define the shortcut key Ctrl+U, associate it with the display ip routing-table command, and
run it.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_u display ip routing-table

Step 2 Press Ctrl+U at the prompt of [~HUAWEI].
[~HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
51.51.51.9/32       Direct  0    0     D      127.0.0.1       InLoopBack0
100.2.0.0/16        Direct  0    0     D      100.2.150.51    GigabitEthernet0/0/0
100.2.150.51/32     Direct  0    0     D      127.0.0.1       InLoopBack0
100.2.255.255/32    Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D      127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D      127.0.0.1       InLoopBack0

----End

Configuration Files
None.

Related Tasks
6.5 How to Use Shortcut Keys

7 Device Upgrade

About This Chapter

7.1 Overview of Device Upgrade


7.2 Upgrade Modes Supported by the NE5000E

7.1 Overview of Device Upgrade


A device is upgraded when new features need to be added, existing performance needs to be
optimized, or existing problems in the current version need to be solved.

Application Scenario of Device Upgrade


To perform the following actions, you need to upgrade the NE5000E:
- Adding new features
- Optimizing the existing performance
- Solving existing problems in the current version

Note
Before upgrading the NE5000E, pay attention to the following items:
- When upgrading the NE5000E at the site, prepare a spare part for each board.
- Obtain the new system software, the Product Adaptive File (PAF) or license file, and the
  corresponding documents of the new version from Huawei.
- Back up configuration files, and collect and save service configurations.
- Enable the log function to record all the operations during the upgrade process.
- Check software versions of all modules on each board, including versions of the BootROM,
  Firmware, and MonitorBus.

7.2 Upgrade Modes Supported by the NE5000E


At present, the NE5000E can be upgraded by using the command line, mobile storage device,
or BootROM.

Upgrade by Using the Command Line


This mode is applicable to the following situations. For operation details, refer to the
"NE5000E V800R002C01 Version Upgrade Instructions" of the corresponding system
software version.
- The NE5000E works properly and uses FTP/TFTP for the upgrade. Other devices can
  perform remote login to the NE5000E.
- The NE5000E is upgraded for the first time and has been loaded with the system software
  package. Other devices can log in to the NE5000E through the serial interface to configure
  the IP address.

Upgrade by Using a Mobile Storage Device (CF card)

Upgrade by using the CF card is mainly used during the engineering stage or the
troubleshooting process. Before the upgrade, prepare two CF cards.
In this mode, the NE5000E is upgraded by replacing the CF cards on the master and slave MPUs
with CF cards containing the system software package. For operation details, refer to the
"NE5000E V800R002C01 Version Upgrade Instructions" of the corresponding system
software version.

Upgrade by Using BootROM


This mode is applicable to the following situations. For operation details, refer to the
"NE5000E V800R002C01 Version Upgrade Instructions" of the corresponding system
software version:
- The NE5000E is upgraded for the first time, but the system software package of the
  NE5000E does not exist or is incorrect.
- After the NE5000E is upgraded and restarted, both the master and slave MPUs cannot be
  registered.
- After the NE5000E is upgraded, the master MPU can be registered but the slave MPUs
  cannot be registered.
- The MPU is replaced.
- Other devices cannot log in to the NE5000E through Telnet.

8 Patch Installation

About This Chapter

8.1 Overview
8.2 Patch Installation Modes Supported by the NE5000E

8.1 Overview
A patch can be installed on a device to improve device performance.

Patch Installation Requirements


During device operation, the system software may need to be modified to rectify system bugs
or meet new function requirements. The traditional way is to upgrade system software after
powering off the device. This, however, interrupts services and affects QoS. Loading a patch
onto the system software allows the system software to be upgraded without interrupting services
on the device. This also improves QoS.

Precautions
Note the following points when loading a patch on the NE5000E:
- It is normal that the patch file is loaded to boards asynchronously.
- When installing or uninstalling a patch, ensure that all boards that are in use on the device
  have registered with the system. If any LPU on the device is starting during patch
  installation or uninstallation, patch installation or uninstallation probably fails on this LPU.
  Do not remove or reinstall boards or close the VTP interface during patch installation.
- If the patch contains subcard patches, patch installation may last longer. Wait for at least
  60 seconds after patch installation if you intend to delete the installed patch. This ensures
  that the same type of subcards on an LPU are in the same status.
- If the startup patch command has been used to specify the patch to be loaded at the next
  startup, run the patch-state run all command to activate the patch before restarting the
  device.

8.2 Patch Installation Modes Supported by the NE5000E


Currently, the NE5000E supports only patch installation using commands. For details on patch
installation procedures, see the Patch Notes matching the software version.

9 Configuration Management

About This Chapter

To ensure reliable user configurations, the system provides two configuration validation modes.

Context
As increasingly new types of services emerge, higher requirements are imposed on devices. For
example, it is required that services take effect after being configured, invalid configurations be
discarded, and impact on the existing services be minimized.
To ensure reliable user configurations, the system allows two-phase configuration validation.
In the first phase, the system performs syntax and semantics checks. In the second phase,
configurations take effect and are used for services.
9.1 Introduction to Configuration Management
The system supports two configuration validation modes, namely, immediate validation and
two-phase validation. By default, the two-phase configuration validation mode takes effect.
9.2 Configuration Management Features that the NE5000E Supports
Configuration management features allow users to lock, preview, and discard configurations,
and to save the configuration file used at the current startup and the configuration file to be
loaded at the next startup of the system.
9.3 Selecting a Configuration Validation Mode
According to different reliability requirements, you can select either of two configuration
validation modes, namely, immediate validation and two-phase validation.
9.4 Managing Configuration Files
You can set the configuration file to be loaded at the next startup and save the configuration file.
9.5 Configuration Examples
This section provides an example for configuring a configuration management networking. You
can understand the configuration procedures by referring to the configuration flowchart. The
configuration example provides information about the networking requirements, configuration
notes, and configuration roadmap.

9.1 Introduction to Configuration Management


The system supports two configuration validation modes, namely, immediate validation and
two-phase validation. By default, the two-phase configuration validation mode takes effect.
- The immediate configuration validation mode is a traditional configuration validation
  mode.
  In this mode, the system-view immediately command is used to enter the system view.
  After a user enters a command line and presses Enter, the system performs the syntax check.
  The configuration takes effect as soon as it passes the syntax check.
- In the two-phase configuration validation mode, the system configuration process is divided
  into two phases.
  In this mode, the system-view command is used to enter the system view. In the first phase,
  a user enters a configuration command, and then the system performs syntax and semantics
  checks on the candidate database. If an incorrect clause is found, the system displays a
  message on the command line terminal, indicating the fault and the cause. After entering
  a series of command lines to complete a configuration, you can run the commit command
  to commit the configuration, and the system enters the second phase, that is, configuration
  commit phase. In the second phase, the system delivers the configuration in the candidate
  database to the corresponding service module. If the configuration takes effect, the system
  adds it to the running database. If the same configuration is added, the system prompts a
  message.

The following table lists advantages and disadvantages of the immediate configuration
validation and two-phase configuration validation modes.

Configuration Validation    Advantage                            Disadvantage
Mode
--------------------------  -----------------------------------  --------------------------------
Immediate configuration     The configuration impact on          Incorrect configurations will
validation mode             services can be detected             immediately affect services. In
                            immediately.                         this case, you have to delete
                                                                 incorrect configurations one by
                                                                 one because deleting services as
                                                                 a whole is not allowed.

Two-phase configuration     - All configurations take effect     The commit command needs to be
validation mode               at the same time.                  run to validate configurations.
                            - Configurations in the candidate
                              database can be previewed.
                            - When users find that a
                              configuration in the candidate
                              database is incorrect or does
                              not meet their expectations,
                              they can immediately clear the
                              configurations that have not
                              taken effect.
                            - The impacts of service
                              configurations on current
                              services can be minimized.

9.2 Configuration Management Features that the NE5000E Supports

Configuration management features allow users to lock, preview, and discard configurations,
and to save the configuration file used at the current startup and the configuration file to be
loaded at the next startup of the system.

The NE5000E supports the following configuration management features:

- configuration in two-phase configuration validation mode
- configuration in immediate configuration validation mode
- manual configuration saving
- automatic configuration saving
- configuration clearance
- specification of the configuration file to be loaded at the next startup

9.3 Selecting a Configuration Validation Mode


According to different reliability requirements, you can select either of two configuration
validation modes, namely, immediate validation and two-phase validation.

Deployment Scenario
Before configuring a service, you must enter a configuration view. After the configuration view
is displayed, the system initiates the corresponding configuration flow according to the set
configuration validation mode. If configurations need to be validated immediately, you can use
the immediate configuration validation mode. If configurations need to be validated after being
configured, you can use the two-phase configuration validation mode.


Pre-configuration Tasks
Before managing configuration files, complete the following tasks:
- Allowing the user to log in to the device and enter the user view.

Configuration Procedures
A user can select either the immediate configuration validation mode or the two-phase
configuration validation mode at a time.

Related Tasks
9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode
9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another
User in Two-Phase Configuration Validation Mode
9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration
Validation Mode
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation
Mode
9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase
Configuration Validation Mode

9.3.1 Configuring Immediate Configuration Validation Mode


To validate configurations immediately after they are configured, enable the immediate
configuration validation mode.

Context
Before configuring a service, you must enter the system view. After the system view is displayed,
the configuration validation mode can be specified. In immediate configuration validation mode,
after a user enters a command line and presses Enter, the system performs the syntax check. The
configuration takes effect as soon as it passes the syntax check.

Procedure
Step 1 (Optional) Run:
lock configuration

Configurations are locked in the user view.


To use the running database exclusively, lock configurations on the device to prevent other users
from configuring services and submitting configurations. Other users can configure services in
the running database only if you unlock configurations.


CAUTION
After locking configurations, you can edit and submit configurations. Other users can view and
edit configurations but cannot submit configurations.
They can configure services in the running database only if you unlock configurations.

Step 2 Run:
system-view immediately

The immediate configuration validation mode is enabled.

NOTE

To prevent a service from being affected, you can lock the configuration of a service as soon as the
corresponding service process is initiated. While the configuration is locked, configurations cannot
be submitted. The configuration of the service remains locked until the service process is successfully
started. During this period, the configuration cannot be modified but can be queried.
If the configuration fails to be submitted, wait 30 seconds and submit the configuration again.
If the submission fails again, the configuration is locked by a user.
In the immediate validation mode, the command prompt is as follows:
<HUAWEI> system-view immediately
[HUAWEI]

Step 3 (Optional) If a configuration has been locked, run:


1. quit

The user view is displayed.


2. undo lock configuration

The configuration is unlocked.

CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise,
configurations of other users cannot take effect.

----End

9.3.2 Configuring Two-Phase Configuration Validation Mode


If you need to validate configurations after the configurations are complete, you can use the two-
phase configuration validation mode.

Context
The two-phase configuration validation mode enhances security and reliability of configurations
and minimizes the impact of configurations on services. If the configuration of a service that
has taken effect does not meet expectations, the system can roll back to the status before the
configuration is committed. Figure 9-1 shows the procedures in two-phase configuration
validation mode.


Figure 9-1 Flowchart of configuration commit
[Flowchart steps, in order: Lock the configuration; Set the two-phase validation mode and edit the configuration; Preview the configuration; Discard the uncommitted configuration; Commit the configuration; Unlock the configuration. Legend: Mandatory procedure, Optional procedure.]

Procedure
Step 1 (Optional) Run:
lock configuration

Configurations are locked in the user view.


To use the running database exclusively, lock configurations on the device to prevent other users
from configuring services and submitting configurations. Other users can configure services in
the running database only if you unlock configurations.

CAUTION
After locking configurations, you can edit and commit configurations. Other users can view and
edit configurations but cannot commit configurations.
They can configure services in the running database only if you unlock configurations.

Step 2 Run:
system-view

The two-phase configuration validation mode is set and configurations can be edited.


NOTE

In the two-phase validation mode, the command prompt is as follows:


<HUAWEI> system-view
[~HUAWEI]

Step 3 (Optional) Run:


preview all configuration

Configurations in the candidate database can be previewed, including uncommitted and
committed ones.

Before committing configurations, you can continue editing uncommitted configurations.

Step 4 (Optional) Run:


clear candidate-configuration

All configurations that are not committed are cleared.

If you do not need to validate uncommitted configurations, you can discard them.

Step 5 Run:
commit

The configuration is committed.

NOTE

To prevent a service from being affected, you can lock the configuration of a service as soon as the
corresponding service process is initiated. While the configuration is locked, configurations cannot
be committed. The configuration of the service remains locked until the service process is successfully
started. During this period, the configuration cannot be committed but can be queried.
If the configuration fails to be committed, wait 30 seconds and commit the configuration again.
If the commit fails again, the configuration is locked by a user.

Step 6 (Optional) If a configuration has been locked, run:


1. quit

The user view is displayed.


2. undo lock configuration

The configuration is unlocked.

CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise,
configurations of other users cannot take effect.

----End

9.4 Managing Configuration Files


You can set the configuration file to be loaded at the next startup and save the configuration file.


Applicable Environment
Current configurations are saved into the configuration file. After the system is restarted,
configurations can be restored.

Pre-configuration Tasks
Before managing configuration files, complete the following tasks:

- Installing the router and powering it on properly.
- Configuring user accounts and log-in authentication mode.
- Configuring reachable routes between the router and the terminal.
- Allowing a user to log in to the device.

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

Related Tasks
9.5.6 Example for Managing Configuration Files

9.4.1 Saving Configurations


Configurations can be saved in a configuration file either automatically or manually.

Context
To avoid configuration loss on the router due to power-off or abnormal reset, the system supports
automatic or manual configuration saving.

To enable the system to automatically save configurations or to save configurations manually,
perform the following steps on the router.

Procedure
- Automatic configuration saving
  1. Run the system-view command to enter the system view.
  2. Run the set save-configuration [ interval interval | cpu-limit cpu-usage | delay
     delay-interval ] * command to enable the system to automatically save configurations.
     - The system automatically saves configurations when the set interval interval
       expires regardless of whether some configurations have changed during this
       period. If interval is not specified, the system automatically saves configurations
       every 30 minutes.
     - If the automatic configuration saving timer expires and the CPU usage of the
       system is detected to be higher than the set cpu-limit cpu-usage, the system cancels
       the current automatic configuration saving operation.
     - If delay delay-interval is specified, the system waits a specified delay before
       automatically saving configurations when configurations change.


     After automatic configuration saving is configured, the system automatically saves
     configurations to the configuration file to be loaded at the next startup. The contents
     in the configuration file change along with configuration changes.
- Manual configuration saving
  Run the save command to save the current configuration.

The extension name of a configuration file must be .cfg or .zip.

----End

9.4.2 Comparing Configuration Files


You can compare the current configuration file with the next startup configuration file or the
specified configuration file.

Context
NOTE

The filename extension of the configuration file to be compared must be .cfg or .zip.

Procedure
Step 1 Run:
compare configuration [ configuration-file ]

The current configuration is compared with the configuration file for next startup or the specified
configuration file.

The comparison begins with the first lines of the configuration files.

When comparing differences between the configuration files, the system displays the contents
of the current configuration file and saved configuration file from the first different line. By
default, 150 characters are displayed for each configuration file. If the number of characters from
the first different line to the end is less than 150, the contents after the first different line are all
displayed.

In comparing the current configurations with the configuration file for next startup, if the
configuration file for next startup is unavailable or its contents are null, the system prompts that
reading files fails.

----End
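
The comparison rule described above (start at the first different line, show up to 150 characters of each file, fail when the saved file is missing or empty), sketched in Python. This is an added example, not the device's implementation: the function names, the constructed sample configurations, and the masking of password cipher strings before display are assumptions.

```python
import re

WINDOW = 150  # characters shown per file by default, as stated in the text above

# Matches "password cipher <text>" as it appears in saved configuration lines.
CIPHER_RE = re.compile(r"(password cipher )\S+")


def redact(text):
    """Mask cipher-text passwords so an excerpt can be pasted into a ticket."""
    return CIPHER_RE.sub(r"\1<redacted>", text)


def compare_configuration(current, saved, window=WINDOW):
    """Model of the comparison rule.

    Returns None when both texts are identical. Otherwise returns the 1-based
    number of the first different line and up to `window` characters of each
    text starting at that line.
    """
    if saved is None or not saved.strip():
        # Missing or empty saved file: the text says reading the file fails.
        raise ValueError("failed to read the configuration file")
    cur = current.splitlines()
    sav = saved.splitlines()
    for idx in range(max(len(cur), len(sav))):
        left = cur[idx] if idx < len(cur) else None
        right = sav[idx] if idx < len(sav) else None
        if left != right:
            # Redact before truncating so no partial secret survives the cut.
            return {
                "line": idx + 1,
                "current": redact("\n".join(cur[idx:]))[:window],
                "saved": redact("\n".join(sav[idx:]))[:window],
            }
    return None


# Constructed sample input; the cipher text is a placeholder, not a real value.
COMMON_HEAD = """#
aaa
local-user ftp password cipher CONSTRUCTED-CIPHERTEXT
local-user ftp ftp-directory cfcard:/
local-user ftp service-type ftp
#
interface Ethernet3/0/1
undo shutdown
#
"""
COMMON_TAIL = """user-interface con 0
set authentication password cipher CONSTRUCTED-CIPHERTEXT
history-command max-size 30
#
return
"""
LOOPBACK = "interface LoopBack0\nip address 1.1.1.1 255.255.255.255\n#\n"

CURRENT_CFG = COMMON_HEAD + LOOPBACK + COMMON_TAIL   # running configuration
NEXT_STARTUP_CFG = COMMON_HEAD + COMMON_TAIL         # file for next startup

if __name__ == "__main__":
    diff = compare_configuration(CURRENT_CFG, NEXT_STARTUP_CFG)
    print("first different line:", diff["line"])
    print("--- current ---\n" + diff["current"])
    print("--- saved ---\n" + diff["saved"])
```

Because the rule is positional, one inserted line makes everything after it appear different; the excerpt shows where the files diverge, not a full change list.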

9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup

You can specify a required configuration file to be loaded at the next startup of the system.

Context
After the system is restarted, you can specify a configuration file to restore system
configurations.


Procedure
Step 1 Run:
startup saved-configuration configuration-file

The configuration file to be used at the next startup is specified.

The extension of the configuration file name must be .db, .zip, or .cfg, and the file must be saved
in the root directory of the storage device.

----End

9.4.4 Clearing the System Configuration File Loaded at the Current Startup

You can clear the configuration file that is loaded at the current startup of the system.

Context
The configuration file needs to be cleared in the following situations:

- The system software does not match the configuration file after the router is upgraded.
- The configuration file is destroyed or an incorrect configuration file is loaded.

Procedure
Step 1 Run:
reset saved-configuration

The configuration file that is loaded at the current startup is cleared.

NOTE

Before clearing the configuration file of the router, the system compares the configuration file loaded at
the current startup with that to be loaded at the next startup of the system.
- If the two configuration files are consistent with each other, they are both cleared. At this time, the
  configuration file to be loaded at the next startup must be configured on the router. Otherwise, there is
  no configuration file on the device after the next startup.
- If the two configuration files are inconsistent with each other, the configuration file loaded at the current
  startup is cleared.
- If the configuration file loaded at the current startup of the router is empty, the system will notify users
  that the configuration file does not exist after the reset saved-configuration command is run.

WARNING
Exercise caution when using this command. You are advised to use this command
under the supervision of technical support personnel.

----End


9.4.5 Checking the Configuration


You can check the configuration file loaded at the current startup, the configuration
file to be loaded at the next startup, configuration information about configuration files, and the
configuration file that is running currently.

Prerequisite
The file for the next startup has been loaded.

Procedure
- Run the display configuration configuration-file command to check configuration
  information about a specified configuration file.
- Run the display saved-configuration last command to check the configuration file loaded
  at the current startup of the system.
- Run the display saved-configuration command to check the configuration file to be loaded
  at the next startup of the system.
- Run the display startup command to check the names of system software, and the names
  of the configuration file loaded at the current startup and the configuration file to be loaded
  at the next startup.
----End

Example
# Display configuration information about specified configuration files.
<HUAWEI> display configuration vrpcfg.db
#
info-center loghost source LoopBack0
info-center loghost 10.1.1.1
info-center loghost 10.1.1.2
#
alarm
suppression name hwBfdSessReachLimit cause-period 5
suppression name hwBfdSessReachLimit clear-period 15
alarm name hwBfdSessReachLimit severity Critical
snmp target-host target-host1 mask name mask1
#
mask name mask1
mask severity Minor
mask severity Warning
mask alarm-name PmThresholdAlarm
#
user-interface maximum-vty 15
#
efm enable
#
aaa
local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
local-user ftp ftp-directory cfcard:/
local-user ftp service-type ftp
#
interface Ethernet3/0/1
description Don't Shutdown! It's Management Port!
undo shutdown
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
user-interface con 0
set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
history-command max-size 30
#
user-interface vty 0 14
user privilege level 3
idle-timeout 0 0
#
return

# Display the configuration file loaded at the current startup.


<HUAWEI> display saved-configuration last
#
aaa
local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
local-user ftp ftp-directory cfcard:/
local-user ftp service-type ftp
#
interface Ethernet3/0/1
description Don't Shutdown! It's Management Port!
undo shutdown
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
user-interface con 0
set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
history-command max-size 30
#
user-interface vty 0 14
user privilege level 3
idle-timeout 0 0
#
return

# Display the configuration file to be loaded at the next startup.


<HUAWEI> display saved-configuration
#
aaa
local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
local-user ftp ftp-directory cfcard:/
local-user ftp service-type ftp
#
interface Ethernet3/0/1
description Don't Shutdown! It's Management Port!
undo shutdown
#
user-interface con 0
set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
history-command max-size 30
#
user-interface vty 0 14
user privilege level 3
idle-timeout 0 0
#
return

# Display the names of system software, and the names of the configuration file loaded at the
current startup and the configuration file to be loaded at the next startup.
<HUAWEI> display startup
MainBoard :
Configured startup system software : VRPV800R002C00SPC001B003.rpg
Startup system software : VRPV800R002C00SPC001B003.rpg
Next startup system software : VRPV800R002C00SPC001B003.rpg
Startup saved-configuration file : cfcard:/v1.cfg
Next startup saved-configuration file : cfcard:/v2.cfg
Startup paf file : default
Next startup paf file : default
Startup patch package : NULL
Next startup patch package : NULL
SlaveBoard :
Configured startup system software : VRPV800R002C00SPC001B003.rpg
Startup system software : VRPV800R002C00SPC001B003.rpg
Next startup system software : VRPV800R002C00SPC001B003.rpg
Startup saved-configuration file : cfcard:/v1.cfg
Next startup saved-configuration file : cfcard:/v2.cfg
Startup paf file : default
Next startup paf file : default
Startup patch package : NULL
Next startup patch package : NULL

9.5 Configuration Examples


This section provides configuration management examples. You can understand the
configuration procedures by referring to the configuration flowchart. Each configuration
example provides information about the networking requirements, configuration
notes, and configuration roadmap.

9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode

This section describes how to configure user services on the router in immediate configuration
validation mode.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.

As shown in Figure 9-2, a user logs in to the Router.

Figure 9-2 Networking of configuring services in immediate configuration validation mode
[Figure: the User connects to the Router over an IP network.]

To enable services to take effect immediately after they are configured, configure the services
in immediate configuration validation mode.

After you enter a command line and press Enter, the system performs the syntax check. The
configuration takes effect as soon as it passes the syntax check.


Configuration Roadmap
The configuration roadmap is as follows:
1. Choose the immediate configuration validation mode.
2. Configure a service.

Data Preparation
Interface IP address

Procedure
Step 1 Choose the immediate configuration validation mode.
<HUAWEI> system-view immediately

Step 2 Configure a service.


# Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
[HUAWEI] interface GigabitEthernet 4/0/6
[HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#

Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode

This section provides an example for configuring services on the router after configurations on
the device are locked by another user.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.


As shown in Figure 9-3, user A and user B log in to the Router at the same time. After user A
locks configurations on the Router, user B attempts to configure services on the device.

Figure 9-3 Networking of configuring services when configurations have been locked by
another user in two-phase configuration validation mode
[Figure: UserA and UserB connect to the Router over an IP network.]

To use the running database exclusively, lock configurations on the device to prevent other users
from configuring services and submitting configurations. When configurations are locked by a
user and other users attempt to configure services, the system will notify them that configurations
have been locked. Other users can configure services in the running database only if the user
unlocks configurations.

Configuration Roadmap
The configuration roadmap is as follows:
1. User A locks configurations.
2. User B configures a service. The system will notify user B that the current configuration
fails because configurations have been locked by another user.

Data Preparation
Interface IP address

Procedure
Step 1 User A locks configurations.
<HUAWEI> lock configuration

Step 2 User B configures a service.


<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
[~HUAWEI-GigabitEthernet4/0/6] commit
Error: The configuration is locked by other user. [Session ID = 407]

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
#


Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode

This section provides an example for multiple users to configure a same service on one router
in two-phase configuration validation mode.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.

As shown in Figure 9-4, user A and user B log in to the Router at the same time. After user A
configures a service on the Router, user B performs the same configuration for the service on
the device.

Figure 9-4 Networking of multiple users to configure a same service in two-phase configuration
validation mode
[Figure: UserA and UserB connect to the Router over an IP network.]

When user B submits the configuration that is the same as the configuration submitted by user
A, the system will notify user B that the configuration conflicts with an existing configuration.

Configuration Roadmap
The configuration roadmap is as follows:
1. Allow user A and user B to configure a same service successively.
2. User A submits the configuration.
3. User B submits the configuration.

Data Preparation
Interface IP address


Procedure
Step 1 Allow user A and user B to configure a same service successively.
- User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

- User B configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

Step 2 User A submits the configuration.


[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 User B submits the configuration.

The system notifies user B that the configuration of user B conflicts with that of user A.
[~HUAWEI-GigabitEthernet4/0/6] commit
ip address 12.1.1.1 24
Error: The address already exists.

Commit canceled, the configuration conflicted with other user, you can modify
the configuration and commit again.

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#

Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode

This section provides an example for multiple users to configure a service on one router.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.


As shown in Figure 9-5, user A and user B log in to the Router at the same time. After user A
configures a service on the Router, user B configures the service on the device. For example,
users A and B both configure different IP addresses on the same interface.

Figure 9-5 Networking of multiple users to configure a service in two-phase configuration
validation mode
[Figure: UserA and UserB connect to the Router over an IP network.]

When user B submits the configuration, it will overwrite the configuration submitted by user A.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a service as user A and user B.
2. Submit the configuration of user A.
3. Submit the configuration of user B.

Data Preparation
Different interface IP addresses

Procedure
Step 1 Configure a service as user A and user B.
- Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router as user A.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

- Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.2 on the router as user B.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.2 24

Step 2 Submit the configuration of user A.


[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 Submit the configuration of user B.


[~HUAWEI-GigabitEthernet4/0/6] commit

The following information indicates that the configuration of user B overwrites the configuration
submitted by user A.
[~HUAWEI-GigabitEthernet4/0/6] display this
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.2 255.255.255.0
return

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.2 255.255.255.0
#

Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode

This section provides an example for configuring different services on one router.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.

As shown in Figure 9-6, user A and user B log in to the Router at the same time. User A and
user B configure different services on the Router.

Figure 9-6 Networking of configuring different services by multiple users in two-phase
configuration validation mode
[Figure: UserA and UserB connect to the Router over an IP network.]

If user A and user B submit two configurations of different services, both configurations take
effect.


Configuration Roadmap
The configuration roadmap is as follows:

1. Allow user A and user B to configure different services.
2. User A submits the configuration.
3. User B submits the configuration.

Data Preparation
Interface IP address

Procedure
Step 1 Allow user A and user B to configure different services.
- User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

- User B enables the FTP service.
<HUAWEI> system-view
[~HUAWEI] ftp server enable

Step 2 User A submits the configuration.


[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 User B submits the configuration.


[~HUAWEI] commit

After user B commits configurations, the system adds new configurations on the basis of original
configurations.
<HUAWEI> display current-configuration
#
ftp server enable
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
undo shutdown
ip address 12.1.1.1 255.255.255.0
#
ftp server enable
#
return

Related Tasks
9.3 Selecting a Configuration Validation Mode
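
The locking and commit behaviour described in 9.3.2 and in examples 9.5.2 to 9.5.5, as a small Python model. This is an added illustration, not Huawei code: the class and method names and the key/value representation of configuration are assumptions, and the conflict rule is generalized from the IP address case in 9.5.3 to any identical key and value.

```python
class CommitError(Exception):
    """Raised when a commit is refused; nothing is applied in that case."""


class Router:
    def __init__(self):
        self.running = {}       # committed configuration, key -> value
        self.lock_owner = None  # session name holding "lock configuration"


class Session:
    """One logged-in user with private, uncommitted candidate edits."""

    def __init__(self, router, name):
        self.router = router
        self.name = name
        self.pending = {}

    def lock(self):
        if self.router.lock_owner not in (None, self.name):
            raise CommitError("locked by " + self.router.lock_owner)
        self.router.lock_owner = self.name

    def unlock(self):
        if self.router.lock_owner == self.name:
            self.router.lock_owner = None

    def edit(self, key, value):
        # Editing stays possible while another user holds the lock.
        self.pending[key] = value

    def preview(self):
        # Committed configuration overlaid with this session's edits.
        return {**self.router.running, **self.pending}

    def clear_candidate(self):
        self.pending.clear()

    def commit(self):
        owner = self.router.lock_owner
        if owner not in (None, self.name):
            raise CommitError("locked by " + owner)
        # Validate every edit first so a refused commit changes nothing.
        for key, value in self.pending.items():
            if self.router.running.get(key) == value:
                raise CommitError("conflict on " + key)
        self.router.running.update(self.pending)
        self.pending.clear()


IP_KEY = "interface GigabitEthernet4/0/6 ip address"


def try_commit(session):
    try:
        session.commit()
        return "ok"
    except CommitError as exc:
        return str(exc)


def scenario_locked():
    # 9.5.2: user A locks, user B edits and is refused at commit time.
    router = Router()
    a, b = Session(router, "A"), Session(router, "B")
    a.lock()
    b.edit(IP_KEY, "12.1.1.1 24")
    refused = try_commit(b)
    a.unlock()
    return refused, try_commit(b), router.running


def scenario_same_value():
    # 9.5.3: both users stage the same address; the second commit is cancelled.
    router = Router()
    a, b = Session(router, "A"), Session(router, "B")
    a.edit(IP_KEY, "12.1.1.1 24")
    b.edit(IP_KEY, "12.1.1.1 24")
    return try_commit(a), try_commit(b), b.pending


def scenario_overwrite():
    # 9.5.4: different values on the same key; the later commit wins.
    router = Router()
    a, b = Session(router, "A"), Session(router, "B")
    a.edit(IP_KEY, "12.1.1.1 24")
    b.edit(IP_KEY, "12.1.1.2 24")
    return try_commit(a), try_commit(b), router.running[IP_KEY]


def scenario_different_services():
    # 9.5.5: unrelated keys from two users are both kept.
    router = Router()
    a, b = Session(router, "A"), Session(router, "B")
    a.edit(IP_KEY, "12.1.1.1 24")
    b.edit("ftp server", "enable")
    return try_commit(a), try_commit(b), router.running
```

scenario_overwrite shows why the lock matters for change control: without it, user B's commit replaces user A's committed address and no error is raised.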


9.5.6 Example for Managing Configuration Files


This example shows you how to save configurations and set the configuration file to be loaded
at the next startup.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For
the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface
number. The slot number is chassis ID/slot ID.

As shown in Figure 9-7, a user logs in to the Router.

Figure 9-7 Managing Configuration Files


[Figure: a user connects to the Router over an IP network.]

Precautions
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. Change configurations.
2. Save configurations in a configuration file.
3. Specify the configuration file to be loaded at the next startup.
4. After system upgrade, compare the current running configuration with that defined in the
configuration file loaded at system startup to check whether configurations are lost.

Data Preparation
None.

Procedure
Step 1 Change configurations.
For example, enable the FTP service.
<HUAWEI> system-view


[~HUAWEI] ftp server enable


[~HUAWEI] commit
[~HUAWEI] quit

Step 2 Save configurations to the file vrpcfg.cfg.


<HUAWEI> save vrpcfg.cfg
Warning: Are you sure to save the configuration to vrpcfg.cfg? [Y/N]: y
Now saving the current configuration to the device.
Save the configuration successfully.

Step 3 Specify the configuration file to be loaded at the next startup.


<HUAWEI> startup saved-configuration vrpcfg.cfg

Step 4 After system upgrade, compare the current running configuration with that defined in the
configuration file loaded at system startup to check whether configurations are lost.
<HUAWEI> compare configuration
The current configuration is the same as the next startup configuration file.

----End

Configuration Files
#
sysname HUAWEI
#
ftp server enable

Related Tasks
9.4 Managing Configuration Files
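
Step 4 runs the comparison on the device; the same check can be run offline against exported configuration text. The following Python sketch is an added example, not part of the Huawei guide: it compares two configurations section by section, so a different section order (as between the display current-configuration output and the configuration file listing earlier on this page) is not reported as a loss. The function names and the sample texts are constructed, and the parser assumes that the first line after each # is the section header.

```python
"""Order-insensitive comparison of two VRP-style configuration texts."""


def parse_config(text):
    """Return {section header: [body lines]} for one configuration text.

    Assumption: sections are delimited by lines holding only '#', the first
    line after a '#' is the section header, and 'return' ends the file.
    """
    sections = {}
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            header = None            # next non-empty line opens a new section
            continue
        if header is None:
            header = line
            sections.setdefault(header, [])
        else:
            sections[header].append(line)
    return sections


def compare_configs(baseline, running):
    """Return sorted (kind, section, line) findings; an empty list means no drift."""
    base, run = parse_config(baseline), parse_config(running)
    findings = []
    for header, body in base.items():
        if header not in run:
            findings.append(("missing-section", header, ""))
            continue
        findings += [("missing-line", header, l) for l in body if l not in run[header]]
    for header, body in run.items():
        if header not in base:
            findings.append(("extra-section", header, ""))
            continue
        findings += [("extra-line", header, l) for l in body if l not in base[header]]
    return sorted(findings)


# Constructed samples modelled on the listings on this page.
SAVED_CFG = """
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
ftp server enable
#
return
"""

# Same content, sections in a different order.
RUNNING_REORDERED = """
#
sysname HUAWEI
#
ftp server enable
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
return
"""

# Constructed "after upgrade" state in which two settings were lost.
RUNNING_AFTER_UPGRADE = """
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
#
return
"""

if __name__ == "__main__":
    print("reordered:", compare_configs(SAVED_CFG, RUNNING_REORDERED))
    for finding in compare_configs(SAVED_CFG, RUNNING_AFTER_UPGRADE):
        print("after upgrade:", finding)
```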


10 File System Management

About This Chapter

The file system can help you manage files and directories on a storage device.

10.1 File System Overview


The file system helps you manage files and directories on a storage device so that you can view,
create, rename, or delete a directory, or copy, move, rename, or delete a file.
10.2 File System Supported by the NE5000E
The NE5000E supports the file system, including storage devices, directories, and files.
10.3 Managing the Directory
You can manage directories to logically store files in hierarchy.
10.4 Managing Files
You can log in to the file system to view, delete, or rename the files on the router.
10.5 Configuration Examples
This section provides examples for using the file system. Each configuration example consists
of the networking requirements, configuration notes, configuration roadmap, configuration
procedures, and configuration files.


10.1 File System Overview


The file system helps you manage files and directories on a storage device so that you can view,
create, rename, or delete a directory, or copy, move, rename, or delete a file.

10.2 File System Supported by the NE5000E


The NE5000E supports the file system, including storage devices, directories, and files.

Storage Devices
Storage devices are hardware devices for storing information.
Currently, the router supports storage devices such as flash memory and compact flash (CF)
cards.

Directories
A directory is a mechanism by which the system integrates and organizes files; it serves
as a logical container for files.

Files
A file is a mechanism by which the system stores and manages information.

10.3 Managing the Directory


You can manage directories to logically store files in hierarchy.

Context
You can manage directories by changing and displaying directories, displaying files in
directories and sub-directories, and creating and deleting directories.

Procedure
• Run:
cd directory

A directory is specified.

• Run:
pwd

The current directory is displayed.

• Run:
dir [ /all ] [ filename ]

The file and sub-directory list in the directory is displayed.

Either the absolute path or relative path is applicable.


• Run:
mkdir directory

The directory is created.

• Run:
rename source-filename destination-filename

The directory is renamed.

• Run:
rmdir directory

The directory is deleted.


----End

Related Tasks
10.5.1 Example for Managing a Directory

10.4 Managing Files


You can log in to the file system to view, delete, or rename the files on the router.

Context
• Managing files includes displaying contents, copying, moving, renaming, compressing,
deleting, undeleting, deleting files in the recycle bin, running files in batch, and configuring
prompt modes.
• You can run the cd directory command to enter the required directory from the current
directory.

Procedure
• Run:
more filename

The content of the file is displayed.

• Run:
copy source-filename destination-filename

The file is copied.

NOTE

The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.

• Run:
move source-filename destination-filename

The file is moved.

• Run:
rename source-filename destination-filename

The file is renamed.

• Run:
zip source-filename destination-filename


The file is compressed.

• Run:
delete [ /unreserved ] filename

The file is deleted.

If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.

• Run:
undelete filename

The deleted file is recovered.

NOTE

If the current directory is not the parent directory, you must operate the file by using the absolute
path. If you use the parameter /unreserved in the delete command, the file cannot be restored after
being deleted.

• Run:
reset recycle-bin [ /f | filename ]

The file is deleted.

You can permanently delete files in the recycle bin. /f deletes all files from the recycle bin
without prompting for confirmation.

• Running Files in Batch

You can upload the files and then process the files in batches. The edited batch files need
to be saved in the storage devices on the router.

When the batch file is created, you can run the batch file to implement routine tasks
automatically.

1. Run:
system-view

The system view is displayed.

2. Run:
execute filename

The batch file is executed.

• Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device (especially
for operations that lead to data loss). If you need to change the prompt mode for file
operations, you can configure the prompt mode of the file system.

1. Run:
system-view

The system view is displayed.

2. Run:
file prompt { alert | quiet }

The prompt mode of the file system is configured.

By default, the prompt mode is alert.


CAUTION
If the prompt mode is quiet, no prompt appears for data loss due to misoperation.

----End

Related Tasks
10.5.2 Example for Managing Files

10.5 Configuration Examples


This section provides examples for using the file system. Each configuration example consists
of the networking requirements, configuration notes, configuration roadmap, configuration
procedures, and configuration files.

10.5.1 Example for Managing a Directory


This section describes how to manage a directory.

Networking Requirements
The router on which you need to manage a directory is correctly configured.

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. View the current directory.
2. Create a new directory.
3. Check that the new directory is successfully created.

Data Preparation
To complete the configuration, you need the following data:
• Name of the directory to be created

Procedure
Step 1 Display the current directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src


3 drw- - Sep 09 2009 09:42:53 logfile


4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile

180,862 KB total (305,358 KB free)

Step 2 Create a new directory in the root directory.


<HUAWEI> mkdir abc
Info:Create directory cfcard:/abc......Done.

Step 3 Display the current directory. You can view that the new directory is successfully created.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
10 drw- - Jan 23 2010 11:10:42 abc
180,862 KB total (305,358 KB free)

----End

Related Tasks
10.3 Managing the Directory

10.5.2 Example for Managing Files


This section provides an example for managing files.

Networking Requirements
By configuring the file system of the router, a user can operate the router through the console
port and copy files to the specified directory.
The file path in the storage device must be correct. If the user does not specify a target file name,
the source file name is the name of the target file by default.

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. Check the files under a certain directory.
2. Copy a file to this directory.
3. Check this directory and view that the file is copied successfully to the specified directory.


Data Preparation
To complete the configuration, you need the following data:
• Source file name and target file name
• Source file path and target file path

Procedure
Step 1 Display the file information in the current directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile

180,862 KB total (305,358 KB free)

Step 2 Copy the file slave#cfcard2:/sample.txt to cfcard:/sample1.txt.


<HUAWEI> copy slave#cfcard2:/sample.txt cfcard:/sample1.txt
Copy slave#cfcard2:/sample.txt to cfcard:/sample1.txt?[Y/N]: y
.100% complete
Info:Copied file slave#cfcard2:/sample.txt to cfcard:/sample1.txt...Done.

Step 3 Display the file information about the current directory, and you can view that the file is copied
to the specified directory.
<HUAWEI> dir
Directory of cfcard:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,235 Dec 17 2009 17:10:53 vrpcfg.cfg
1 -rw- 524,575 Jan 25 2010 10:03:33 private-data.txt
2 drw- - Sep 09 2009 09:42:52 src
3 drw- - Sep 09 2009 09:42:53 logfile
4 -rw- 280 Sep 09 2009 09:42:53 $_patch_rollback_state
5 -rw- 11,772 Nov 25 2009 16:56:55 $_patchstate_a
6 -rw- 4 Jan 19 2010 03:09:32 snmpnotilog.txt
7 drw- - Sep 09 2009 09:43:00 lam
8 -rw- 2,584 Jan 21 2010 12:02:18 vrpcfg.cfg
9 drw- - Jan 21 2010 11:09:21 logfilelogfile
10 drw- 1,605 Jan 23 2010 14:30:32 sample1.txt

180,864 KB total (305,356 KB free)

----End

Related Tasks
10.4 Managing Files


11 Clock Synchronization Configuration

About This Chapter

11.1 Clock Synchronization Overview


On a digital communication network (DCN), clock synchronization ensures the normal
communication between the sender and receiver by enabling the sender to send and the receiver
to obtain digital pulse signals in the same timeslots.
11.2 Clock Synchronization Features Supported by the NE5000E(NE5000E-X16)
Before configuring clock synchronization, familiarize yourself with the concepts of the BITS
clock signal, POS line clock signal, clock source selection mode, and so on. This will help you
complete the configuration task quickly and efficiently.
11.3 Configuring an External BITS Clock Reference Source
You can configure a device to trace different types of external BITS clock reference sources.
(This configuration can be done on the NE5000E-X16 or the NE5000E using the new clock
board CR52CLKB.)
11.4 Specifying a Clock Source Manually
In manual mode, you can specify a certain clock source for the clock board to trace.
11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities
When a device has multiple clock sources but does not perform clock source switching based
on SSM levels, you can set different priorities for the clock sources. When the clock source with
the highest priority fails, the clock board switches to use the clock source with the second highest
priority.
11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels
When there are multiple clock sources, the clock board uses the clock source with the highest
SSM level. When the clock source with the highest SSM level fails, the clock board uses the
clock source with the second highest SSM level.
11.7 Configuration Examples
This section describes how to configure protection switching among clocks with an example. In
this configuration example, the networking requirements, configuration notes, and configuration
roadmap are provided.


11.1 Clock Synchronization Overview


On a digital communication network (DCN), clock synchronization ensures the normal
communication between the sender and receiver by enabling the sender to send and the receiver
to obtain digital pulse signals in the same timeslots.

Concepts
Clock synchronization refers to the maintenance of a strict relationship between the frequencies
or signal phases of all the devices on a network. This means that signals are transmitted at the
same average rate during a valid period, which allows all the devices on the network to work at
the same rate.
On a digital communication network, the send end sends digital pulse signals in specific
timeslots, and the receive end extracts pulses from these timeslots. In this manner, the send end
and the receive end can communicate with each other. The clocks of the send end and the receive
end must be synchronized, which is the prerequisite for normal communication between the two
ends. Clock synchronization can ensure that the clocks on the send end and the receive end are
synchronized.

Purpose
Clock synchronization is a technique that limits the difference in clock frequency or phase
between the network elements (NEs) on a digital network to within a certain range. On
a digital communication network, discrete pulses obtained from Pulse Code Modulation (PCM)-coded
information are transmitted. If the clock frequencies of two digital switching devices
differ, or digital bit streams are corrupted due to interference during transmission, phase drift or
jitter occurs. Consequently, the buffer of the digital switching system experiences data loss or
duplication, resulting in incorrect transmission of the bit streams. If the frequency difference or
phase difference is beyond the allowed range, bit errors and jitter may occur, which causes
network transmission performance to deteriorate.

Classification and Numbering of Clock Sources


A device that provides clock signals for another device is called the clock source. A device may
have multiple clock sources. The following table shows the classification and numbering of
clock sources.

Table 11-1 Classification and numbering of clock sources

Type: Internal clock source
Description: The reference clock provided by the clock board of a device is used as the clock of
the device.
Number: 0

Type: BITS clock source
Description: Currently, Synchronous Digital Hierarchy (SDH) or Plesiochronous Digital Hierarchy
(PDH) uses the Building Integrated Timing Supply System (BITS) to build up a digital
synchronization network and form a hierarchical timing allocation system.
  On the NE5000E using the clock board CR52CLKA:
  • The clock interface on the MPU receives and traces the clock of a higher level.
  On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
  • The clock bits-type command can be used to configure a device to trace different types of
    external BITS clock reference sources.
  NOTE
  The signal types supported by the interfaces are described in Table 11-2 of Clock
  Synchronization Features Supported by the NE5000E(NE5000E-X16).
Number:
  On the NE5000E using the clock board CR52CLKA:
  • The number of BITS0 clock source is 1.
  • The number of BITS1 clock source is 2.
  On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
  • The clock bits-map command can be used to map an external clock reference source to the
    index of a user clock reference source.

Type: Line clock source
Description: The clock board of a device extracts the clock signal from the STM-N line signal as
the clock of the device.
Number: Slot ID of an LPU + 2. For example, the number of the clock source on the LPU in slot 1
is 3 and the number of the clock source on the LPU in slot 2 is 4.

11.2 Clock Synchronization Features Supported by the NE5000E(NE5000E-X16)

Before configuring clock synchronization, familiarize yourself with the concepts of the BITS
clock signal, POS line clock signal, clock source selection mode, and so on. This will help you
complete the configuration task quickly and efficiently.

Tracing or Outputting BITS Clock Signals Through Clock Interfaces


NOTE

Limited by the lengths of clock cables, the mode of tracing or outputting BITS clock signals through clock
interfaces is applicable to the interfaces on a site. For the limit on the clock cable length, see the "Clock
Cable" in the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description -
NE5000E-X16 Hardware Description.

On the NE5000E using the clock board CR52CLKA:


• The BITS clocks that devices can obtain from a BITS clock device are classified into two
types: 2.048 MHz clocks and 2.048 Mbit/s clocks. The input modes of BITS clocks are
classified into BITS0 and BITS1. A router obtains a clock through a clock interface on the
MPU.
• The MPU on the NE5000E provides four clock interfaces. Two of them are input interfaces,
which are connected to BITS devices to obtain clock signals. The other two are output
interfaces, which are connected to the clock input interfaces on downstream devices to
provide time signals to the downstream devices.
NOTE

The difference between the 2.048 MHz clock and the 2.048 Mbit/s clock is that the 2.048 MHz clock
can provide only pulse signals for clock synchronization, whereas the 2.048 Mbit/s clock can provide
signals bearing services in addition to pulse signals for clock synchronization.

On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
• The MPU provides four clock interfaces: CLK/TOD0, CLK/TOD1, CLK/1PPS, and CLK/Serial.
NOTE

For the schematic diagram of the clock interfaces on the MPU, see the section "Control Plane" in the
chapter "NE5000E-X16 CLC" in the HUAWEI NetEngine5000E Core Router Hardware
Description - NE5000E-X16 Hardware Description.
• CLK/TOD0 and CLK/TOD1 are also called BITS0 and BITS1 respectively. CLK/1PPS
and CLK/Serial, as two SMB interfaces, are bound together to form BITS2. A BITS
interface transmits only one type of signal at a time.
• RJ45 interfaces and SMB interfaces must be connected to dedicated clock cables to input
and output clock signals. For the description of the clock cable, see the "Clock Cable" in
the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description
- NE5000E-X16 Hardware Description.
• The NE5000E-X16 or the NE5000E using the new clock board CR52CLKB can be
configured to trace different types of external BITS clock reference sources by using the
clock bits-type command.
• An external clock reference source can be mapped to the index of a user clock reference
source by using the clock bits-map command.
The signal types supported by clock interfaces are listed in the following table.


Table 11-2 Signal input or output on BITS interfaces

Interface Name on the Clock Board: CLK/TOD0
Interface Name Identified by Software: BITS0
Interface Type: RJ45
Type of Input or Output Signals:
  Clock signals:
  • 2.048 Mbit/s clock signals
  • 2.048 MHz clock signals
  Time signals:
  • 1PPS (RS422)+ASCII (RS422) time signals
  • Two DCLS clock channels (one channel for input, and the other channel for output)

Interface Name on the Clock Board: CLK/TOD1
Interface Name Identified by Software: BITS1
Interface Type: RJ45
Type of Input or Output Signals:
  Clock signals:
  • 2.048 Mbit/s clock signals
  • 2.048 MHz clock signals
  Time signals:
  • 1PPS (RS422)+ASCII (RS422) time signals
  • Two DCLS clock channels (one channel for input, and the other channel for output)

Interface Name on the Clock Board: CLK/1PPS and CLK/Serial
Interface Name Identified by Software: BITS2
Interface Type: SMB (both interfaces)
Type of Input or Output Signals:
  Clock signals:
  • 2.048 Mbit/s clock signals
  • 2.048 MHz clock signals
  Time signals:
  • 1PPS (TTL)+ASCII (RS232) time signals

• If a BITS interface transmits 2.048 Mbit/s, 2.048 MHz, or two channels of DCLS time
signals, you do not need to configure input or output to specify signal input or output. This
is because these types of clock signals are both input and output on the same interface. For
example, if BITS0 transmits 2.048 Mbit/s time signals, BITS0 inputs and outputs 2.048
Mbit/s clock signals.
• If a BITS interface transmits 1PPS+ASCII time signals, signal input or output must be
specified. This is because 1PPS+ASCII time signals can be either input or output at a time on
an interface.
• If BITS2 is used to transmit 1PPS+ASCII time signals (RS232), both SMB
interfaces either input or output the time signals. If BITS2 transmits clock signals, CLK/1PPS
is always used to input signals and CLK/Serial is always used to output signals.

The limitations on the output of different types of time signals on a device are as follows:
• If only one channel of time signals needs to be output, the signals can be successfully output.


• If two channels of 1PPS+ASCII signals need to be output at the same time, they can be
successfully output.
• If one channel of 1PPS+ASCII signals and one channel of DCLS signals need to be output
at the same time, only the 1PPS+ASCII signals can be successfully output.

Sending or Receiving Clock Signals Through POS Interfaces or 10GE WAN Interface

Information about the master clock is contained in STM-N signals. After receiving STM-N
signals through LPUs, the clock boards of the MPUs on other devices extract the clock
information from the STM-N signals, and then synchronize with the master clock. Sending or
receiving clock signals through POS interfaces is a commonly used clock synchronization mode.
In this mode, POS, Asynchronous Transfer Mode (ATM), and Resilient Packet Ring (RPR) links
can be used to implement clock synchronization, and thus no clock synchronization network
needs to be built up. The NE5000E can send or receive clock signals through a POS interface
or 10GE WAN Interface.

Clock Source Selection Mode


On a digital communication network, every router traces the same primary clock level by level
according to clock synchronization paths to implement clock synchronization on the network.
Usually, one router has more than one path for clock tracing, and has multiple available clock
sources. These clock sources may originate from either the same master clock or reference clocks
of different qualities. Keeping the clocks of all routers synchronous is very important for a digital
communication network. Dynamic clock source selection can be used to prevent the failure of
one clock synchronization path from affecting the entire network.
Currently, the NE5000E supports two modes of clock source selection: the manual mode and
the automatic mode.
• Manual mode
  This mode allows you to configure the clock board to always trace a specified clock source
  and not to trace another one even if the specified clock source fails.
• Automatic mode
  In this mode, clock source selection is based on either priorities of clock sources or
  Synchronous Status Message (SSM) levels of clock sources.
  An SSM is a group of codes used to indicate the level of clock quality on a synchronization
  network. For details about each SSM level, see Chapter "Clock Synchronization" in the
  HUAWEI NetEngine5000E Core Router Feature Description - Basic Configurations.
  - Automatic clock source selection based on priorities: A clock board selects the clock
    source with the highest priority. If the clock source with the highest priority is lost, the
    clock board automatically switches to trace the clock source with the second highest
    priority. If the clock source with the highest priority recovers, the clock board traces the
    clock source again. SSM levels are not involved. Clock source priorities are
    configurable. If a clock source priority defaults to 19, the clock source will not be
    selected during protection switching.
    NOTE
    Clock source priorities are locally valid, and are not sent to downstream devices by clock signals.
  - Automatic clock source selection based on SSM levels: A clock board selects the clock
    source with the highest SSM level. If the SSM levels of the clock sources are the same,
    the clock board selects a clock source among the clock sources based on their priorities.
    If the clock source with the highest SSM level is lost, the clock board automatically
    switches to trace the clock source with the second highest SSM level. If the original
    clock source with the highest SSM level recovers, the clock board traces the clock source
    again. The SSM level of a clock source can be specified or obtained from clock signals
    sent from an upstream device. If the SSM level of a clock source is DNU and automatic
    clock source selection based on SSM levels is adopted, the clock source is not selected
    during protection switching.
    NOTE
    For BITS clock source signals received by the system, if the signal type is 2.048 Mbit/s, the SSM
    level is extracted by the clock module from signals; if the signal type is 2.048 MHz, the SSM
    level needs to be configured.
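
The selection rules above, replayed as a small simulation. This is an added example, not Huawei code. It assumes that a smaller priority value means a higher priority and uses the standard SSM ordering PRC, SSU-A, SSU-B, SEC, DNU (best first), neither of which is stated on this page; the sources and failure events are constructed.

```python
from dataclasses import dataclass

# SSM quality levels, best first. Standard ordering, assumed here: the page
# names only DNU and refers to the Feature Description for the other levels.
SSM_ORDER = ("PRC", "SSU-A", "SSU-B", "SEC", "DNU")
NEVER_SELECTED_PRIORITY = 19  # from the page: a source at priority 19 is skipped


@dataclass
class ClockSource:
    number: int      # clock source number: 1 = BITS0, 2 = BITS1, LPU slot ID + 2
    priority: int    # assumption: a smaller value means a higher priority
    ssm: str         # one of SSM_ORDER
    up: bool = True  # False while the signal is lost


def select_by_priority(sources):
    """Priority mode: best priority among live sources; SSM levels are ignored."""
    usable = [s for s in sources if s.up and s.priority != NEVER_SELECTED_PRIORITY]
    if not usable:
        return None
    return min(usable, key=lambda s: (s.priority, s.number)).number


def select_by_ssm(sources):
    """SSM mode: best SSM level wins, priority breaks ties, DNU is never chosen."""
    usable = [s for s in sources if s.up and s.ssm != "DNU"]
    if not usable:
        return None
    best = min(usable, key=lambda s: (SSM_ORDER.index(s.ssm), s.priority, s.number))
    return best.number


def select_manual(sources, number):
    """Manual mode: keep tracing the configured source even after it fails."""
    return number


def replay(sources, events, selector):
    """Apply (source number, up) events in order; return the traced source
    before the first event and after each one (None = nothing selectable)."""
    by_number = {s.number: s for s in sources}
    traced = [selector(sources)]
    for number, up in events:
        by_number[number].up = up
        traced.append(selector(sources))
    return traced


def demo_priority():
    # BITS0, BITS1, and the line clock of the LPU in slot 1 left at priority 19.
    sources = [ClockSource(1, 1, "SEC"), ClockSource(2, 2, "SEC"),
               ClockSource(3, 19, "PRC")]
    events = [(1, False), (2, False), (1, True)]  # lose BITS0, lose BITS1, BITS0 back
    return replay(sources, events, select_by_priority)


def demo_ssm():
    # Sources 2 and 3 share the best SSM level, so priority decides between them.
    sources = [ClockSource(1, 1, "SSU-A"), ClockSource(2, 5, "PRC"),
               ClockSource(3, 3, "PRC"), ClockSource(4, 1, "DNU")]
    events = [(3, False), (2, False), (1, False), (3, True)]
    return replay(sources, events, select_by_ssm)


def demo_manual():
    sources = [ClockSource(1, 1, "PRC"), ClockSource(2, 2, "PRC")]
    return replay(sources, [(1, False)], lambda s: select_manual(s, 1))


if __name__ == "__main__":
    print("priority mode:", demo_priority())
    print("SSM mode:     ", demo_ssm())
    print("manual mode:  ", demo_manual())
```

In the priority run the line clock is never traced although it is the only live source after both BITS inputs fail, and in the manual run the board stays on source 1 after it is lost.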

Configuration Procedures
1. On the NE5000E using the clock board CR52CLKA, configure the types of the BITS input
and output clocks; on the NE5000E-X16 or the NE5000E using the new clock board
CR52CLKB, configure the external BITS clock reference source.
2. Manually configure the clock source as needed.
3. Configure the system to automatically select a clock source based on the SSM levels or
priorities of clock sources.

11.3 Configuring an External BITS Clock Reference Source


You can configure a device to trace different types of external BITS clock reference sources.
(This configuration can be done on the NE5000E-X16 or the NE5000E using the new clock
board CR52CLKB.)

Applicable Environment
On a synchronization Ethernet network, if there is a BITS clock on the same site as the router,
the router must be configured to trace the BITS clock. The router serves as the master clock to
provide primary clock signals for the entire network.
The BITS signal type may be 2.048 MHz, 2.048 Mbit/s, 1PPS, or DCLS, which can be configured
on the clock board by using commands.

Pre-configuration Tasks
None.

Configuration Procedures

Figure 11-1 Flowchart for configuring an external BITS clock reference source

[Flowchart: 1. Configuring an External Clock Reference Source for the Router and the Clock Signal Type; 2. Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the Router. Legend: mandatory step, optional step.]


11.3.1 Configuring an External Clock Reference Source for the router and the Clock Signal Type

The NE5000E-X16 or the NE5000E using the new clock board CR52CLKB supports three
external clock source types, which are BITS0, BITS1, and BITS2, and four clock signal types,
which are 2.048 MHz, 2.048 Mbit/s, DCLS, and 1PPS.

Context
Do as follows on all the routers in the clock synchronization network:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock bits-type

An external BITS clock reference source and its signal type are configured.

For information about the available clock reference source IDs and signal types, see the HUAWEI
NetEngine5000E Core Router Command Reference.

Step 3 Run:
commit

The configuration is committed.

----End

11.3.2 Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the router

On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB, BITS0, BITS1,
or BITS2 can be mapped to the index of a user clock source. The index will be used in manual
selection of a clock source.

Context
During the configuration of clock synchronization, the indexes of user clock sources are required
in the selection of clock sources. Therefore, each clock source must be mapped to the index of
a user clock source.

Do as follows on all the routers in the clock synchronization network:

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
clock bits-map { bits0 | bits1 | bits2 } source source-value

An external clock reference source is mapped to the index of a user clock source.

Step 3 Run:
commit

The configuration is committed.

----End

11.3.3 Checking the Configuration


After external BITS clock reference sources are configured for the device, you can check the
status of the sources and whether the mappings between the external BITS clock reference
sources and the indexes of user clock reference sources have taken effect.

Context
Run the following commands to check the previous configurations:

Procedure
• Run the display clock bits-type command to check external reference clock sources on
the clock board and their signal types.
• Run the display clock source command to check whether external clock reference sources
are successfully mapped to the indexes of user clock reference sources.

----End

Example
Check the external clock reference sources on the clock board and their signal types.
<HUAWEI>display clock bits-type
bits0: 2mbps
bits1: 2mbps
bits2: 2mbps

Check the configured mappings between external clock reference sources and indexes of user
clock reference sources.
<HUAWEI>display clock source
Master clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
* 1 BITS0 13 sa4 lnc on abnormal
2 BITS1 19 sa4 unknown on abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
1 BITS0 13 sa4 lnc on abnormal
2 BITS1 19 sa4 unknown on abnormal
------------------------------------------------------------------------------


11.4 Specifying a Clock Source Manually


In manual mode, you can specify a certain clock source for the clock board to trace.

Applicable Environment
If a device is known to always trace one clock source and does not need to perform
protection switching, you can specify that clock source for the device. However, when the
specified clock source fails, the system does not switch to trace another clock source.
Therefore, manually specifying a clock source for a device is not recommended.

In manual mode, you can specify a certain clock source for the clock board to trace. In this mode,
only one clock source can be specified. If the specified clock source is lost, the system enters
the hold-in state. When the precision of the clock in the hold-in state decreases, the device enters
the free running state. In this case, the clock frequency of the device may be different from that
of other devices.

NOTE
In the mode of automatically selecting a clock source, the clock source specified manually does not take
effect.

Pre-configuration Tasks
Before manually specifying a clock source, complete the following task: ensure that the
device can normally receive external clock source signals, and choose the BITS clock source
or line clock source to specify based on the type of the received external clock source
signals.

Procedure
Step 1 Manually configure the clock board to use the BITS clock reference source.
1. Run:
system-view

The system view is displayed.


2. Run:
clock manual source source-value

The device is configured to use the BITS clock source received through the clock interface.
3. Run:
commit

The configuration is committed.

Step 2 Manually configure the clock board to use the line clock source.
1. Run:
system-view

The system view is displayed.


2. Run:
clock source lpuport slot slot-id card card-number port port-number


The specified POS interface is enabled to report received clock source signals to the clock
board.
3. Run:
clock manual source source-value

The device is configured to use the line clock source received through the clock interface.
The value of source-value can be only the reference source that corresponds to the installed
LPU. The number of the line clock source is equal to the slot ID of the LPU plus 2.
4. Run:
commit

The configuration is committed.

----End

Checking the Configuration


Run the following commands to check the previous configuration.
Run the display clock config command, and you can view the information about manually
specified clock sources. For example:
<HUAWEI>display clock config
display clock config
Current source : 9
Workmode : manual
SSM control : off
Primary source : 9
Output SSM Level : bits0: unknown bits1: sets bits2:-- bits3: unknown
PLL state : Current source step into pull-in range
Run mode : Clock is in lock mode

11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities
When a device has multiple clock sources but does not perform clock source switching based
on SSM levels, you can set different priorities for the clock sources. When the clock source with
the highest priority fails, the clock board switches to use the clock source with the second highest
priority.

Applicable Environment
Where there are multiple clock sources, you can set priorities for the clock sources based on
their quality. In normal situations, a clock board uses the clock source with the highest priority.
When the clock source with the highest priority fails, the clock board uses the clock source with
the second highest priority. When the default priority (19) of a clock reference source is used,
the clock board does not select the clock reference source during protection switching.
If you configure protection switching according to the priorities of clock sources, you need to
configure clock source selection not to be based on SSM levels.

Pre-configuration Tasks
Before configuring automatic clock source selection based on priorities, complete the following
task:


• Ensuring that a device can normally receive multiple clock source signals from another
device

Configuration Procedures

Figure 11-2 Flowchart for configuring automatic clock source selection based on priorities
[Flowchart steps: (1) Configure the system to automatically select a clock source;
(2) Configuring SSM levels not to participate in protection switching; (3) Set the priority
of the clock source. Legend: mandatory step, optional step.]

11.5.1 Configuring the System to Automatically Select a Clock Source
By default, the system automatically selects a clock source unless you specify a clock source
for the system.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
clock auto

The system is configured to automatically select a clock source.


Step 3 Run:
commit

The configuration is committed.

----End


11.5.2 Configuring Clock Source Selection Not to Be Based on SSM Levels
If you configure protection switching according to the priorities of clock sources, you need to
configure clock source selection not to be based on SSM levels.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
clock ssm-control off

Clock source selection is configured not to be based on SSM levels.

NOTE

When clock source selection is not based on SSM levels, the system selects a clock source according to
the priorities of clock sources.

Step 3 Run:
commit

The configuration is committed.

----End

11.5.3 Setting the Priority of a Clock Source


Setting the priorities of clock sources is a mandatory step for configuring automatic clock source
selection according to priorities. Therefore, you need to perform the configuration on all routers
on a DCN.

Context
To ensure that the system can select a high-quality clock source, you need to set the priorities
of the clock sources received by the device based on the quality of the clock sources. The smaller
the priority value of a clock source, the higher the priority.
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
clock priority priority-value source source-value


The priority of a clock source is set.

To set the priorities for multiple clock sources, repeat Step 2.

NOTE

• If the priority of a reference source is 19 (default value), this reference source is not chosen during
protection switching. The smaller the priority value, the higher the priority.
• In Step 2, you can set the same priority for multiple clock sources. When clock source selection is
performed based on priorities but the priorities of the clock sources are the same, clock source selection
is performed based on the sequence numbers of clock sources in an ascending order.
• If the clock interface on the MPU is not connected to any external clock source, the system ignores
BITS0 and BITS1 when automatically selecting a clock source according to the priorities of clock
sources. Instead, the system directly selects a clock source from the line clock sources of an LPU.

Step 3 Run:
commit

The configuration is committed.

----End

11.5.4 Checking the Configuration


By viewing the priority of each clock source, you can determine whether the configuration is
successful.

Prerequisite
All the configurations for automatic clock selection based on priorities are complete.

Procedure
• Run the display clock source command to check the priority of each clock source.

----End

Example
Run the display clock source command, and you can view the priority of each clock source.
For example:
<HUAWEI>display clock source
Master clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
* 1 BITS0 13 sa4 lnc on abnormal
2 BITS1 19 sa4 unknown on abnormal
9 LPU7 19 -- unknown on abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
1 BITS0 13 sa4 lnc on abnormal
2 BITS1 19 sa4 unknown on abnormal
9 LPU7 19 -- unknown on abnormal
------------------------------------------------------------------------------


11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels
When there are multiple clock sources, the clock board uses the clock source with the highest
SSM level. When the clock source with the highest SSM level fails, the clock board uses the
clock source with the second highest SSM level.

Applicable Environment
During automatic clock source selection based on priorities, the priorities of clock sources are
set. If the priorities of clock sources are not set based on the quality of the clock sources, the
device may select a clock source of low quality. The SSM levels are defined based on
international standard protocols. The higher the precision of a clock source, the higher the SSM
level of the clock source. When the switching among clock sources is performed based on SSM
levels, the device can select a clock source of higher precision.

When a device has multiple clock sources, the device selects a clock source based on the SSM
levels of the clock sources. The higher the clock precision, the higher the SSM level. In normal
situations, a clock board uses the clock source with the highest SSM level. When the clock source
with the highest SSM level fails, the clock board uses the clock source with the second highest
SSM level.

When a clock board is powered on, the SSM level of all clock sources defaults to Unknown.
The sequence of the SSM levels is Primary Reference Clock (PRC), Transit Node Clock (TNC),
Local Node Clock (LNC), Synchronous Equipment Timing Source (SETS), Unknown, and Do
not use for synchronization (DNU) in a descending order. If the SSM level of a clock source is
DNU and clock source selection is not based on the SSM levels of clock sources, the clock source
is not selected during protection switching.

The SSM level of a clock source can be obtained in either of the following modes:
• Automatically extracting the SSM levels of clock sources from the received clock source
signals: If the clock source signals received from an upstream device contain SSM levels,
the SSM levels can be used and you do not need to specify SSM levels for the clock sources.
• Manually specifying the SSM levels of BITS clock sources: If clock source signals received
from an upstream device do not contain any SSM level, you need to specify the SSM level
for each BITS clock source manually.

NOTE

In actual applications, the clock source signals received from lines contain SSM levels. Therefore,
specifying SSM levels for line clock sources is not recommended.
BITS clock sources have two types of signals. When the rate of a clock signal is 2.048 Mbit/s, the clock
board can extract the SSM level of the clock source from the clock signal if the clock signal contains the
SSM level of the clock source. In addition, you can manually specify the SSM level for the clock source
if the clock signal does not contain the SSM level of the clock source. When the frequency of a clock signal
of a clock source is 2.048 MHz, you must manually specify an SSM level for the clock source.

Pre-configuration Tasks
Before configuring automatic clock source selection based on SSM levels, complete the
following task:


• Ensuring that a device can normally receive multiple clock source signals from another
device

Configuration Procedures

Figure 11-3 Flowchart for configuring automatic clock source selection based on SSM levels
[Flowchart steps: (1) Configure the system to automatically select a clock source;
(2) Configuring Clock Source Selection to Be Based on SSM Levels; (3) Setting the SSM Level
of a 2.048 MHz BITS Clock Source; (4) Configure the 2.048-Mbit/s BITS clock source to bear
SSM timeslots. Legend: mandatory step, optional step.]

11.6.1 Configuring the System to Automatically Select a Clock Source
By default, the system automatically selects a clock source unless you specify a clock source
for the system.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock auto

The system is configured to automatically select a clock source.

Step 3 Run:
commit


The configuration is committed.

----End

11.6.2 Configuring Clock Source Selection to Be Based on SSM Levels
Setting the SSM levels of clock sources is a mandatory step for configuring dynamic clock source
selection based on SSM levels. Therefore, you need to perform the configuration on all routers
on a DCN.

Context
After the following configurations, the router can select a clock source and perform protection
switching based on the SSM levels of received clock sources.
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ssm-control on

Clock source selection is configured to be based on SSM levels.


Step 3 Run:
commit

The configuration is committed.

----End

11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock
Source
You need to configure clock source selection based on the SSM levels of 2.048 MHz BITS clock
sources on routers connected to an external BITS clock.

Context
Because the 2.048 MHz BITS clock source signals received by a device do not contain any SSM
level, you need to specify the SSM levels for the clock sources to ensure that clock source
selection is based on SSM levels of the clock sources.
Do as follows on the router:

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
clock source { 1 | 2 } force ssm on

The function of setting an SSM level for a clock source is configured.

Step 3 Run:
clock source { 1 | 2 } ssm { unknown | prc | tnc | lnc | sets | dnu }

An SSM level is specified for a 2.048 MHz BITS clock source.

NOTE
source-value: Specifies the index of a user clock source.
• For the NE5000E, the index of the external clock source BITS0 is 1 and the index of the external clock
source BITS2 is 2.
• For the NE5000E-X16, the mapping relationship between an external clock source and the index of a
user clock source must be established by using the clock bits-map { bits0 | bits1 | bits2 } source
source-value command.

Step 4 Run:
commit

The configuration is committed.

----End

11.6.4 Configuring SA Timeslots in 2.048 Mbit/s BITS Clock Source Signals to Bear SSM Levels
Configuring clock source selection based on SSM levels is optional and can be performed on a
router connected to a 2.048 Mbit/s BITS clock.

Context
BITS clock sources have two types of clock signals. When the clock signal type is 2.048 Mbit/s,
the clock board can extract an SSM level from the SA timeslot if the SA timeslot contains the
SSM level of the clock source. The default SA timeslots containing SSM levels in the clock
signals generated by the clock devices of different manufacturers are different. Therefore, to
ensure that the NE5000E can correctly extract the SSM levels contained in clock signals, you
need to configure the SA timeslots in 2.048 Mbit/s BITS clock source signals to bear SSM levels
on the NE5000E.

Do as follows on the router connected to an external BITS clock:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source source-value

The SA timeslots in 2.048 Mbit/s BITS clock source signals are configured to bear SSM levels.


Step 3 Run:
commit

The configuration is committed.

----End

11.6.5 Checking the Configuration


By viewing the SSM level of each clock source, you can determine whether the configuration
is successful.

Prerequisite
All the configurations of automatic clock source selection based on SSM levels are complete.

Procedure
• Run the display clock config command to check the SSM level of the clock source being
used by the system.
• Run the display clock source command to check the SSM levels of all clock sources of
the system.
----End

Example
Run the display clock config command, and you can view the SSM level of the clock source
being used by the system. For example:
<HUAWEI>display clock config
Current source : 1
Workmode : auto
SSM control : on
Output SSM Level : lnc
PLL state : Current source step into pull-in range
Run mode : Clock is in lock mode

Run the display clock source command, and you can view the SSM levels of all clock sources
of the system. For example:
<HUAWEI>display clock source
Master clock source:
---------------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
---------------------------------------------------------------------------------------
1 BITS0 10 sa4 unknown on abnormal
* 2 BITS1 19 sa4 lnc on normal
3 LPU1 19 -- unknown on abnormal
---------------------------------------------------------------------------------------
Slave clock source:
---------------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
---------------------------------------------------------------------------------------
1 BITS0 10 sa4 unknown on abnormal
2 BITS1 19 sa4 lnc on normal
3 LPU1 19 -- unknown on abnormal
---------------------------------------------------------------------------------------

11.7 Configuration Examples


This section describes how to configure protection switching among clocks with an example. In
this configuration example, the networking requirements, configuration notes, and configuration
roadmap are provided.

11.7.1 Example for Configuring Protection Switching Among Clock Sources
When there are multiple clock sources, you can set different priorities for them. In normal
situations, a clock board uses the clock source with the highest priority. When the clock source
with the highest priority fails, the clock board uses the clock source with the second highest
priority.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/interface
number. On the NE5000E cluster, an interface is numbered in the format of chassis ID/slot
number/card number/interface number; a slot is numbered in the format of chassis ID/slot number.

As shown in Figure 11-4, BITS clock signals enter Router A and Router D through clock
interfaces. The two external BITS clocks satisfy the requirements for the signal quality of the
G.812 local clock. Normally, the devices on the entire network synchronize with the external
BITS clock of Router A.
When the link between any two routers except the link between Router D and Router E is faulty,
the protection switching among clock sources is performed as follows:
• When the external BITS clock of Router A becomes faulty, all routers trace the external
BITS clock of Router D.
• When the external BITS clock of Router D becomes faulty, all routers trace the external
BITS clock of Router A.
• When the external BITS clock of Router A becomes faulty and then the external BITS clock
of Router D becomes faulty, all routers trace the internal clock of Router D.
• When the external BITS clock of Router D becomes faulty and then the external BITS clock
of Router A becomes faulty, all routers trace the internal clock of Router A.


Figure 11-4 Networking diagram for configuring protection switching among clock sources
[Figure: Router A, Router B, Router C, Router D, Router E, and Router F are interconnected
through their POS1/0/0 and POS2/0/0 interfaces (marked W and E). One BITS clock is connected
to Router A and another to Router D.]

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:

1. Set the type of the external BITS clocks to which Router A and Router D are connected
to 2.048 Mbit/s.
2. Configure the priority of the clock source on each router. This ensures that the protection
switchover of clock sources is performed based on priorities when a fault occurs.

Data Preparation
To complete the configuration, you need the following data: ID and priority of the clock source
of each router, as shown in Table 11-3.

Table 11-3 Clock sources and their priorities of each router

Router     Clock Source in Use   Available Clock Source   ID   Priority
Router A   BITS0                 BITS0                    1    1
Router A   BITS0                 LPU2                     4    2
Router A   BITS0                 LPU1                     3    3
Router A   BITS0                 Internal clock           0    4
Router B   LPU1                  LPU1                     3    1
Router B   LPU1                  LPU2                     4    2
Router B   LPU1                  Internal clock           0    3
Router C   LPU2                  LPU2                     4    1
Router C   LPU2                  LPU1                     3    2
Router C   LPU2                  Internal clock           0    3
Router D   LPU1                  LPU1                     3    1
Router D   LPU1                  LPU2                     4    2
Router D   LPU1                  BITS1                    2    3
Router D   LPU1                  Internal clock           0    4
Router E   LPU1                  LPU1                     3    1
Router E   LPU1                  LPU2                     4    2
Router E   LPU1                  Internal clock           0    3
Router F   LPU2                  LPU2                     4    1
Router F   LPU2                  LPU1                     3    2
Router F   LPU2                  Internal clock           0    3

Procedure
Step 1 Set the type of the external BITS clock sources of Router A and Router D to 2.048 Mbit/s.
Step 2 Connect BITS clock cables to each router, as shown in Figure 11-4.
Step 3 Configure the IP addresses for interfaces on each router. The configuration details are not
mentioned here.
Step 4 Set priorities of clock sources of each router, as shown in Figure 11-4.
# Configure Router A.
<RouterA> system-view
[~RouterA] clock auto
[~RouterA] clock ssm-control off
[~RouterA] clock priority 1 source 1
[~RouterA] clock priority 2 source 4
[~RouterA] clock priority 3 source 3
[~RouterA] commit

# Configure Router B.
<RouterB> system-view
[~RouterB] clock auto
[~RouterB] clock ssm-control off
[~RouterB] clock priority 1 source 3
[~RouterB] clock priority 2 source 4
[~RouterB] commit

# Configure Router C.
<RouterC> system-view
[~RouterC] clock auto
[~RouterC] clock ssm-control off
[~RouterC] clock priority 1 source 4
[~RouterC] clock priority 2 source 3
[~RouterC] commit

# Configure Router D.
<RouterD> system-view
[~RouterD] clock auto
[~RouterD] clock ssm-control off
[~RouterD] clock priority 1 source 3
[~RouterD] clock priority 2 source 4
[~RouterD] clock priority 3 source 2
[~RouterD] commit

# Configure Router E.
<RouterE> system-view
[~RouterE] clock auto
[~RouterE] clock ssm-control off
[~RouterE] clock priority 1 source 3
[~RouterE] clock priority 2 source 4
[~RouterE] commit

# Configure Router F.
<RouterF> system-view
[~RouterF] clock auto
[~RouterF] clock ssm-control off
[~RouterF] clock priority 1 source 4
[~RouterF] clock priority 2 source 3
[~RouterF] commit

Step 5 Check the attributes of the clock source of Router A.


<RouterA> display clock source
Master clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
* 1 BITS0 1 sa4 unknown on normal
2 BITS1 19 sa4 unknown on abnormal
3 LPU1 3 -- unknown on normal
4 LPU2 2 -- unknown on normal
-----------------------------------------------------------------------------------
Slave clock source:
-----------------------------------------------------------------------------------
1 BITS0 1 sa4 unknown on normal
2 BITS1 19 sa4 unknown on abnormal
3 LPU1 3 -- unknown on normal
4 LPU2 2 -- unknown on normal
-----------------------------------------------------------------------------------

NOTE

"*" indicates that the clock source functions as the master clock source. The master clock source here is
BITS0.

Step 6 Check the attributes of the clock sources of other routers.


# The command output of Router B, Router C, Router D, Router E, and Router F is similar. The
following takes the command output of Router B as an example.
<RouterB> display clock source
Master clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
1 BITS0 19 sa4 unknown on abnormal
2 BITS1 19 sa4 unknown on abnormal
* 3 LPU1 1 -- unknown on normal
4 LPU2 2 -- unknown on normal
-----------------------------------------------------------------------------------
Slave clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
1 BITS0 19 sa4 unknown on abnormal
2 BITS1 19 sa4 unknown on abnormal
3 LPU1 1 -- unknown on normal
4 LPU2 2 -- unknown on normal
-----------------------------------------------------------------------------------

Step 7 Verify the configuration.


If the link between any two routers is disconnected or the BITS clock source is lost, protection
switching is performed automatically. Therefore, all routers trace the same clock source to
achieve clock synchronization.
The following takes disconnecting the BITS clock of Router A as an example. Router A, Router
B, Router C, Router E, and Router F trace the BITS clock of Router D. Take the command output
of Router A as an example.
# Run the following command on Router A.
<RouterA> display clock source
Master clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
1 BITS0 1 sa4 unknown on abnormal
2 BITS1 19 sa4 unknown on abnormal
3 LPU1 3 -- unknown on normal
* 4 LPU2 2 -- unknown on normal
-----------------------------------------------------------------------------------
Slave clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
1 BITS0 1 sa4 unknown on abnormal
2 BITS1 19 sa4 unknown on abnormal
3 LPU1 3 -- unknown on normal
4 LPU2 2 -- unknown on normal
-----------------------------------------------------------------------------------

After the BITS clock source of Router A is lost, the output shows that the BITS0 clock source
on Router A is in the abnormal state and that the clock source used by the system is Source 4.
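
The check above can be automated when monitoring for unexpected clock source changes. The following Python is an added example, not part of the original guide or Huawei code: it parses display clock source output and compares the traced source (marked *) with the usable source that has the smallest priority value. That selection rule is an assumption inferred from the outputs on this page; the function names and the sample text are constructed here.

```python
import re

# Constructed sample: Router A's master table from this page, separators joined.
SAMPLE = """\
Master clock source:
--------------------------------------------------------------------
  Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
--------------------------------------------------------------------
  1      BITS0       1        sa4    unknown   on       abnormal
  2      BITS1       19       sa4    unknown   on       abnormal
  3      LPU1        3        --     unknown   on       normal
* 4      LPU2        2        --     unknown   on       normal
--------------------------------------------------------------------
"""

# Columns: [*] source description priority sa-bit input-ssm forcessm sourcestate
ROW = re.compile(r"^\s*(\*?)\s*(\d+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")

def parse_clock_sources(text):
    """Parse 'display clock source' text into {'master': [...], 'slave': [...]}."""
    tables, section = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*(Master|Slave) clock source:", line)
        if head:
            section = head.group(1).lower()
            tables[section] = []
            continue
        row = ROW.match(line)
        if row and section:
            star, src, desc, prio, state = row.groups()
            tables[section].append({"selected": star == "*", "source": int(src),
                "description": desc, "priority": int(prio), "state": state})
    return tables

def audit_master(tables):
    """Compare the traced source with the best usable one.
    Assumption (inferred from this page's outputs): the smallest priority value
    wins among 'normal' sources; SSM is ignored because every row is 'unknown'."""
    rows = tables.get("master", [])
    usable = [r for r in rows if r["state"] == "normal"]
    best = min(usable, key=lambda r: r["priority"]) if usable else None
    traced = next((r for r in rows if r["selected"]), None)
    return {"traced": traced["source"] if traced else None,
            "expected": best["source"] if best else None,
            "abnormal": [r["description"] for r in rows if r["state"] != "normal"],
            "consistent": traced is not None and best is not None
                          and traced["source"] == best["source"]}
```

A result with consistent set to False, or a BITS source newly listed under abnormal, is the condition worth alerting on.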
# After the BITS clock of Router A is lost, all routers perform protection switching based on the
priorities of clock sources. Figure 11-5 shows the clock source tracing after the BITS clock
source of Router A is lost.

Figure 11-5 Networking diagram of the clock source tracing after the BITS clock source of
Router A is lost
[Figure: RouterA, RouterB, RouterC, RouterD, RouterE, and RouterF, each with W and E ports; BITS shown at RouterD]

----End

Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 60.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 10.1.1.1 255.255.255.0
#
clock priority 1 source 1
clock priority 2 source 4
clock priority 3 source 3
#
return

• Configuration file of Router B
#
sysname RouterB
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 60.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 50.1.1.2 255.255.255.0
#
clock priority 1 source 3
clock priority 2 source 4
#
return

• Configuration file of Router C
#
sysname RouterC
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 40.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 50.1.1.1 255.255.255.0
#
clock priority 1 source 4
clock priority 2 source 3
#
return

• Configuration file of Router D
#
sysname RouterD
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 40.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 30.1.1.2 255.255.255.0
#
clock priority 1 source 3
clock priority 2 source 4
clock priority 3 source 2
#
return

• Configuration file of Router E
#
sysname RouterE
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 20.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 30.1.1.1 255.255.255.0
#
clock priority 1 source 3
clock priority 2 source 4
#
return

• Configuration file of Router F
#
sysname RouterF
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 20.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 10.1.1.2 255.255.255.0
#
clock priority 1 source 4
clock priority 2 source 3
#
return
