
Quidway S5700 Series Ethernet Switches

V100R006C00

Configuration Guide - Basic Configuration

Issue 01
Date 2011-07-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2011-07-15) Huawei Proprietary and Confidential i
Copyright © Huawei Technologies Co., Ltd.

Quidway S5700 Series Ethernet Switches
Configuration Guide - Basic Configuration About This Document

About This Document

Intended Audience
This document provides the basic concepts, basic configuration procedures, and configuration
examples supported by the S5700.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

DANGER Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP Indicates a tip that may help you solve a problem or save time.

NOTE Provides additional information to emphasize or supplement important points of the main text.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by
vertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated by
vertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated by
vertical bars. A minimum of one item or a maximum of all
items can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated by
vertical bars. Several items or no item can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Changes in Issue 01 (2011-07-15)
Initial commercial release.


Contents

About This Document

1 Logging In to Switch
2 CLI Overview
3 How to Use Interfaces
4 Basic Configuration
5 User Management
6 File System Management
6.1 Overview of the File System
6.2 Managing a Storage Device
6.2.1 Establishing the Configuration Task
6.2.2 Restoring Storage Devices with File System Troubles
6.2.3 (Optional) Formatting a Storage Device
6.3 Managing the Directory
6.3.1 Establishing the Configuration Task

6.3.2 Viewing the Current Directory................................................................................................................74
6.3.3 Switching a Directory..............................................................................................................................74
6.3.4 Displaying a Directory or File.................................................................................................................75
6.3.5 Creating a Directory................................................................................................................................75
6.3.6 Deleting a Directory................................................................................................................................75
6.4 Managing Files.................................................................................................................................................76
6.4.1 Establishing the Configuration Task.......................................................................................................76
6.4.2 Displaying Contents of Files...................................................................................................................77
6.4.3 Copying Files...........................................................................................................................................77
6.4.4 Moving Files............................................................................................................................................77
6.4.5 Renaming Files........................................................................................................................................78
6.4.6 Compressing Files...................................................................................................................................78
6.4.7 Deleting Files...........................................................................................................................................78
6.4.8 Deleting Files in the Recycle Bin............................................................................................................79
6.4.9 Undeleting Files.......................................................................................................................................79
6.4.10 Running Files in Batch..........................................................................................................................80
6.4.11 Configuring Prompt Modes...................................................................................................................80

7 Management of Configuration Files........................................................................................82
7.1 Management of Configuration Files Introduction............................................................................................83
7.1.1 Configuration Files..................................................................................................................................83
7.1.2 Configuration Files and Current Configurations.....................................................................................83
7.2 Managing Configuration Files..........................................................................................................................84
7.2.1 Establishing the Configuration Task.......................................................................................................84
7.2.2 Configuring System Software for a switch to Load for the Next Startup...............................................84
7.2.3 Configuring the Configuration File for Switch to Load for the Next Startup.........................................85
7.2.4 Saving Configuration File.......................................................................................................................85
7.2.5 Clearing a Configuration File..................................................................................................................86
7.2.6 Comparing Configuration Files...............................................................................................................86
7.2.7 Checking the Configuration.....................................................................................................................87

8 FTP and TFTP...............................................................................................................................89
8.1 FTP and TFTP Introduction.............................................................................................................................90
8.1.1 FTP..........................................................................................................................................................90
8.1.2 TFTP........................................................................................................................................................90
8.2 Configuring the Switch to be the FTP Server...................................................................................................90
8.2.1 Establishing the Configuration Task.......................................................................................................91
8.2.2 (Optional) Specifying a Port Number for the FTP Server.......................................................................91
8.2.3 Enabling the FTP Server..........................................................................................................................92
8.2.4 (Optional) Configuring the Timeout Period............................................................................................92
8.2.5 Configuring the Local Username and the Password...............................................................................93
8.2.6 Configuring the Service Type and Authorization Information................................................................93
8.2.7 Checking the Configuration.....................................................................................................................94
8.3 Configuring FTP ACL......................................................................................................................................94

8.3.1 Establishing the Configuration Task.......................................................................................................94
8.3.2 Enabling the FTP Server..........................................................................................................................95
8.3.3 Configuring a Basic ACL........................................................................................................................95
8.3.4 Configuring the Basic FTP ACL.............................................................................................................96
8.3.5 Checking the Configuration.....................................................................................................................96
8.4 Configuring the Switch to Be the FTP Client...................................................................................................97
8.4.1 Establishing the Configuration Task.......................................................................................................97
8.4.2 Logging In to the FTP Server..................................................................................................................98
8.4.3 Configuring Data Type and Transmission Mode for the File.................................................................99
8.4.4 (Optional) Viewing Online Help of the FTP Command.........................................................................99
8.4.5 Uploading or Downloading Files..........................................................................................................100
8.4.6 Managing Directories............................................................................................................................100
8.4.7 Managing Files......................................................................................................................................101
8.4.8 (Optional) Changing Login Users.........................................................................................................101
8.4.9 Disconnecting from the FTP Server......................................................................................................102
8.5 Configuring the Switch to Be the TFTP Client..............................................................................................102
8.5.1 Establishing the Configuration Task.....................................................................................................103
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client...........................................................103
8.5.3 Downloading Files Through TFTP........................................................................................................104
8.5.4 Uploading Files Through TFTP............................................................................................................104
8.6 Limiting the Access to the TFTP Server........................................................................................................105
8.6.1 Establishing the Configuration Task.....................................................................................................105
8.6.2 Configuring the Basic ACL...................................................................................................................105
8.6.3 Configuring the Basic TFTP ACL.........................................................................................................106
8.7 Configuration Examples.................................................................................................................................106
8.7.1 Example for Configuring the FTP Server..............................................................................................106
8.7.2 Example for Configuring an ACL of the FTP Server...........................................................................109
8.7.3 Example for Configuring the FTP Client..............................................................................................110
8.7.4 Example for Configuring the TFTP Client............................................................................................113

9 Telnet and SSH..........................................................................................................................115
9.1 Telnet and SSH Introduction..........................................................................................................................116
9.1.1 Overview of User Login........................................................................................................................116
9.1.2 Telnet Terminal Services.......................................................................................................................116
9.1.3 SSH Terminal Services..........................................................................................................................117
9.2 Configuring Telnet Terminal Services...........................................................................................................118
9.2.1 Establishing the Configuration Task.....................................................................................................118
9.2.2 Enabling the Telnet Service...................................................................................................................119
9.2.3 Establishing a Telnet Connection..........................................................................................................120
9.2.4 (Optional) Configuring a Telnet Server Port Number...........................................................................121
9.2.5 (Optional) Scheduled Telnet Disconnection..........................................................................................121
9.2.6 Checking the Configuration...................................................................................................................122
9.3 Configuring SSH Users..................................................................................................................................122


9.3.1 Establishing the Configuration Task.....................................................................................................122
9.3.2 Creating SSH User.................................................................................................................................123
9.3.3 Configuring SSH for the VTY User Interface.......................................................................................124
9.3.4 Generating a Local RSA Key Pair.........................................................................................................124
9.3.5 Configuring the Authentication Mode for SSH Users...........................................................................125
9.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users.....................................126
9.3.7 (Optional) Authorizing SSH Users Through the Command Line.........................................................127
9.3.8 Configuring the Service Type of SSH Users.........................................................................................128
9.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users.......................128
9.3.10 Checking the Configuration.................................................................................................................129
9.4 Configuring the SSH Server Function............................................................................................................129
9.4.1 Establishing the Configuration Task.....................................................................................................129
9.4.2 Enabling the STelnet Service................................................................................................................130
9.4.3 Enabling the SFTP Service....................................................................................................................130
9.4.4 Enabling SCP Services..........................................................................................................................131
9.4.5 (Optional) Enabling the Earlier-Version-Compatible Function...........................................................131
9.4.6 (Optional) Configuring the Number of the Port Monitored by the SSH Server....................................132
9.4.7 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server..............................132
9.4.8 Checking the Configuration...................................................................................................................133
9.5 Configuring the STelnet Client Function.......................................................................................................133
9.5.1 Establishing the Configuration Task.....................................................................................................133
9.5.2 Enabling the First-Time Authentication on the SSH Client..................................................................134
9.5.3 (Optional) Assigning an RSA Public Key to the SSH Server...............................................................135
9.5.4 Enabling the STelnet Client...................................................................................................................136
9.5.5 Checking the Configuration...................................................................................................................137
9.6 Configuring the SFTP Client Function...........................................................................................................138
9.6.1 Establishing the Configuration Task.....................................................................................................138
9.6.2 Configuring the First-Time Authentication on the SSH Client.............................................................139
9.6.3 (Optional) Assigning an RSA Public Key to the SSH Server...............................................................139
9.6.4 Enabling the SFTP Client......................................................................................................................140
9.6.5 (Optional) Managing the Directory.......................................................................................................141
9.6.6 (Optional) Managing the File................................................................................................................142
9.6.7 (Optional) Displaying the SFTP Client Command Help.......................................................................144
9.6.8 Checking the Configuration...................................................................................................................144
9.7 Configuring the SCP Client............................................................................................................................145
9.7.1 Establishing the Configuration Task.....................................................................................................145
9.7.2 (Optional) Configuring a Source IP Address for the SCP Client..........................................................146
9.7.3 Copying Files.........................................................................................................................................146
9.7.4 Checking the Configuration...................................................................................................................147
9.8 Configuration Examples.................................................................................................................................147
9.8.1 Example for Configuring the Telnet Terminal Service.........................................................................147
9.8.2 Example for Configuring the PC as the STelnet Client to Connect to the SSH Server........................150


9.8.3 Example for Configuring the Switch as the STelnet Client to Connect to the SSH Server .................153
9.8.4 Example for Connecting the SFTP Client and the SSH Server.............................................................159
9.8.5 Example for Configuring the SSH Server to Support the Access from Another Port...........................165
9.8.6 Example for Authenticating SSH Through RADIUS............................................................................172
9.8.7 Example for Configuring the SCP Client..............................................................................................177

10 Web System Configuration...................................................................................................180
10.1 Overview of Web System.............................................................................................................................181
10.2 Starting Web System....................................................................................................................................181
10.2.1 Logging In to the S5700 Through the Console Interface....................................................................181
10.2.2 Setting the Management IP Address of the S5700..............................................................................185
10.2.3 Uploading Web Page Files..................................................................................................................186
10.2.4 Loading a Web Page File.....................................................................................................................187
10.2.5 Creating a Web Account......................................................................................................................187
10.2.6 Logging In to the Web System............................................................................................................188

11 SSL Configuration...................................................................................................................190
11.1 SSL...............................................................................................................................................................191
11.2 SSL Features Supported by the S5700.........................................................................................................192
11.3 Configuring Login to an FTPS Server from a User Terminal......................................................................193
11.3.1 Establishing the Configuration Task...................................................................................................193
11.3.2 Configuring an SSL Policy and Loading a Digital Certificate............................................................194
11.3.3 Enabling the FTPS Function................................................................................................................195
11.3.4 Accessing an FTPS Server..................................................................................................................196
11.3.5 Checking the Configuration.................................................................................................................196
11.4 Configuring Login to an FTPS Server from an FTPS Client.......................................................................197
11.4.1 Establishing the Configuration Task...................................................................................................197
11.4.2 Configuring the FTPS Client...............................................................................................................198
11.4.3 Configuring the FTPS Server..............................................................................................................200
11.4.4 Accessing an FTPS Server..................................................................................................................201
11.4.5 Checking the Configuration.................................................................................................................203
11.5 Configuring Secure Web Network Management.........................................................................................204
11.5.1 Establishing the Configuration Task...................................................................................................205
11.5.2 Configuring an SSL Policy and Loading a Digital Certificate............................................................206
11.5.3 Loading a Web Page File.....................................................................................................................207
11.5.4 Enabling the HTTPS Function............................................................................................................207
11.5.5 Creating a Web Account......................................................................................................................208
11.5.6 Logging In to the Web System............................................................................................................209
11.5.7 Checking the Configuration.................................................................................................................209
11.6 Configuration Examples...............................................................................................................................210
11.6.1 Example for Configuring Login to an FTPS Server from a User Terminal........................................210
11.6.2 Example for Configuring Login to an FTPS Server from an FTPS Client.........................................214
11.6.3 Example for Configuring Secure Web Network Management............................................................222

1 Logging In to Switch

About This Chapter

Before configuring switches, you need to log in to the switch.

1.1 Introduction
You can log in to switches through console port or Telnet.

1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a switch through the console port to establish the configuration environment.

1.3 Logging In to Device Through Telnet
This section describes how to connect a terminal to a switch through Telnet to establish the configuration environment.

1.4 Configuration Examples
This section provides examples for configuring users to log in to the switch through the console port or Telnet together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

1.1 Introduction
You can log in to switches through console port or Telnet.

1.1.1 Login Through the Console
When a switch is powered on for the first time or a switch needs to be locally configured, you can log in to the switch through the console port. In the following cases, a switch can be configured only through the console port:
- The switch is powered on for the first time.
- The subscriber cannot log in through Telnet.

1.1.2 Login Through Telnet
If you know the IP address of a switch, you can log in to the switch through Telnet to perform local or remote configurations. You need to pre-configure the IP addresses of interfaces, the user account, the authentication mode, and the incoming and outgoing call restriction through the console interface on the switch. Also, ensure that the terminal is directly connected to the switch or that the switch is reachable from the terminal.

The destination switch authenticates the user based on the configured parameters in three modes:
- Password authentication: indicates that the login user should enter the correct password.
- AAA local authentication: indicates that the login user should enter the correct user name and password.
- None authentication: indicates that the login user need not enter the user name or password.

If the login succeeds, a command line prompt such as <Quidway> appears on the Telnet client interface. Enter a command to check the running status of the switch or to configure the switch. Enter "?" for help.

NOTE
Do not modify the IP address of the switch when you configure the switch through Telnet, because the modification may terminate the Telnet connection. Otherwise, set up the connection again after entering the new IP address.

1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a switch through the console port to establish the configuration environment.

1.2.1 Establishing the Configuration Task
Before configuring login to the switch through the console port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
If you log in to the switch for the first time or perform the local configuration, you need to log in to the switch through the console port.

NOTE
If you cannot log in to the switch through Telnet, you need to log in to the switch through the console port.

Pre-configuration Tasks
Before configuring login to the switch through the console port, complete the following tasks:
- Preparing the PC/terminal (including serial port and RS-232 cable)
- Installing a terminal emulation program on the PC (such as Windows XP HyperTerminal)

Data Preparation
To log in to the switch through the console port, you need the following data.

No.  Data
1    Terminal communication parameters:
     - Baud rate
     - Data bit
     - Parity
     - Stop bit
     - Flow-control mode
2    (Optional) User name and password to be entered for a successful login in AAA authentication mode

NOTE
If the AAA authentication mode is configured for users to log in to the switch through the console interface, the correct user name and password must be entered for a successful login.

1.2.2 Establishing the Physical Connection
This part describes how to physically connect a terminal to a switch before logging in to the switch through the console port.

Context
Do as follows on the switch:

Procedure
Step 1 Connect the COM port on the PC and the console port on the switch by a cable.
Step 2 Power on all devices to perform a self-check.
----End

1.2.3 Configuring Terminals
This part describes how to configure the terminal before logging in to the switch through the console port.

Context
Do as follows on the PC:

Procedure
Step 1 Run the terminal emulation program on the PC, setting the communication parameters as follows:
- Baud rate: 9600 bps
- Data bit: 8
- Stop bit: 1
- Parity: none
- Flow control: none
----End

1.2.4 Logging In to the Device
This part describes how to log in to the switch through the console port.

Context
Do as follows on the PC:

Procedure
Step 1 Press Enter until a command line prompt such as <Quidway> appears. Now the user view is displayed for you to configure the switch.

NOTE
If the AAA or Password authentication mode is configured for users to log in to the switch through the console interface, the correct user name and password must be entered for a successful login.
----End

1.3 Logging In to Device Through Telnet
This section describes how to connect a terminal to a switch through Telnet to establish the configuration environment.

1.3.1 Establishing the Configuration Task
Before configuring login to the switch through Telnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
If you know the IP address of the switch, you can log in to the switch through Telnet for local or remote configuration.

Pre-configuration Tasks
Before configuring the switch through Telnet, complete the following tasks:
- Powering on devices and performing a self-check
- Preparing the PC (including the serial port and Ethernet crossover/direct cable)

Data Preparation
To log in to the switch through Telnet, you need the following data.

No.  Data
1    IP address of the PC
2    IP address of the Ethernet interface on the switch
3    User information accessed through Telnet:
     - User name
     - Password
     - Authentication mode

1.3.2 Establishing the Physical Connection
This part describes how to physically connect a terminal to a switch before logging in to the switch through Telnet.

Prerequisite
Establishing the Physical Connection is complete.

Procedure
Step 1 Connect the switch and the PC directly, or connect the switch and the PC to the network through cables.
----End

1.3.3 Configuring Login User Parameters
This part describes how to configure user parameters for login to the switch through Telnet.

Context
Do as follows on the switch:

Procedure
Step 1 Configure the authentication mode of login users.
Step 2 Configure the authority limitation of login users.
For details, see 5.4 Configuring VTY User Interface and 5.6 Configuring User Management.
----End

1.3.4 Logging In from the Telnet Client
This part describes how to log in to the switch through Telnet.

Context
Do as follows on the PC:

Procedure
Step 1 Run the Telnet program on the PC that functions as a client, and enter the IP address of the interface on the destination switch that provides the Telnet service.
Step 2 Enter the user name and password in the login window. After authentication, a command line prompt such as <Quidway> appears. Now enter the configuration environment in the user view.
----End

1.4 Configuration Examples
This section provides examples for configuring users to log in to the switch through the console port or Telnet together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

1.4.1 Example for Logging In Through the Console Port
In this example, you can configure the PC so as to log in to the switch through the console port.

Networking Requirements
Initialize the configuration of the switch when the switch is powered on for the first time.

Figure 1-1 Networking diagram of logging in through the console port (diagram: PC - Switch)

Configuration Roadmap
The configuration roadmap is as follows:
1. Connect the PC and the switch through the console port.
2. Configure the login on the PC end.
3. Log in to the switch.

Data Preparation
To complete the configuration, you need the terminal communication parameters (including baud rate, data bit, parity, stop bit, and flow control).

Procedure
Step 1 Connect the serial port of the PC (or terminal) to the console port of the switch through a standard RS-232 cable. The local configuration environment is established.
Step 2 Run the terminal emulation program on the PC. Set the terminal communication parameters to be 9600 bps, data bit to be 8, stop bit to be 1. Specify no parity and no flow control as shown from Figure 1-2 to Figure 1-4.

Figure 1-2 New connection

Figure 1-3 Setting the port

Figure 1-4 Setting the port communication parameters

Step 3 Power on the switch to perform a self-check, and the system performs automatic configuration. When the self-check ends, you are prompted to press Enter until a command line prompt such as <Quidway> appears. Enter the command to check the running status of the switch or configure the switch. Enter "?" for help.
----End

1.4.2 Example for Logging In Through Telnet
In this example, you can configure user parameters so as to log in to the switch from the PC or other terminals through Telnet.

Networking Requirements
You can log in to the switch on other network segments through the PC or other terminals to perform remote maintenance.

Figure 1-5 Establishing the configuration environment through WAN (diagram: PC - IP Network - Switch - Target Switch)

Configuration Roadmap
The configuration roadmap is as follows:
1. Establish the physical connection.
2. Configure user login parameters.
3. Log in to the switch from the client side.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the PC
- IP address of the Ethernet interface on the switch
- User information accessed through Telnet (including the user name, password, and authentication mode)

Procedure
Step 1 Connect the PC and the switch to the network.

Step 2 Configure login user parameters on the target switch.

# Configure the login address
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type hybrid
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-vlanif10] ip address 202.38.160.92 255.255.255.0
[Quidway-vlanif10] quit

# Configure login authentication mode
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher hello
[Quidway-aaa] local-user huawei service-type telnet
[Quidway-aaa] local-user huawei level 3
[Quidway-aaa] quit
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa

Step 3 Configure the client login.
Run Telnet on the PC, as shown in Figure 1-6.

Figure 1-6 Running the Telnet program on the PC

Click OK. Enter the user name and password in the login window. After authentication, a command line prompt such as <Quidway> appears. Now enter the configuration environment in the user view.

NOTE
Before logging in to the switch, ensure that the PC and the switch can ping each other.
----End
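The two choices Step 2 makes, the VTY authentication mode (none, password or AAA, as listed in 1.1.2) and the local user's service-type and level, are what a review of a saved configuration should check before a login line is exposed. The following Python script is an added example, not Huawei's code: it parses a constructed VRP-style configuration modelled on Step 2 and flags a VTY range with authentication-mode none and a management-level (3) account that may log in over cleartext Telnet; the configuration layout and the severity ratings are this example's own assumptions.

```python
"""Audit a VRP-style switch configuration for weak remote-login settings.

Added example, not Huawei's own code. It reads the command blocks the chapter
configures (aaa / local-user, user-interface vty, authentication-mode) and
reports what a reviewer would raise: VTY lines with no authentication,
shared-password lines, and accounts allowed to log in over cleartext Telnet.
The configuration text is a constructed sample modelled on the chapter's
example, not output captured from a device.
"""
import re
from dataclasses import dataclass

# Constructed sample: the chapter's "huawei" Telnet account plus an extra
# SSH-only account and an extra VTY range that was left without authentication.
SAMPLE_CONFIG = """\
#
aaa
 local-user huawei password cipher hello
 local-user huawei service-type telnet
 local-user huawei level 3
 local-user ops password cipher secret
 local-user ops service-type ssh
#
user-interface console 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 5 14
 authentication-mode none
#
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    where: str      # configuration element the finding refers to
    message: str


def parse_config(text):
    """Split a VRP-style configuration into local users and user-interface blocks.

    Returns (users, lines): users maps a name to {"service-type": set,
    "level": int or None, "password": str or None}; lines is a list of
    {"name": "vty 0 4", "mode": "aaa" / "password" / "none" / None}.
    """
    users = {}
    lines = []
    section = None          # "aaa", a user-interface dict, or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":   # "#" separates blocks in the config file
            section = None
            continue
        if line == "aaa":
            section = "aaa"
            continue
        m = re.match(r"user-interface\s+(.+)$", line)
        if m:
            section = {"name": m.group(1).strip(), "mode": None}
            lines.append(section)
            continue
        if section == "aaa":
            m = re.match(r"local-user\s+(\S+)\s+(password|service-type|level)\s+(.+)$", line)
            if not m:
                continue
            name, key, value = m.groups()
            user = users.setdefault(name, {"service-type": set(), "level": None, "password": None})
            if key == "service-type":
                user["service-type"].update(value.split())
            elif key == "level":
                user["level"] = int(value)
            else:
                user["password"] = value      # e.g. "cipher hello"
        elif isinstance(section, dict):
            m = re.match(r"authentication-mode\s+(\S+)", line)
            if m:
                section["mode"] = m.group(1)
    return users, lines


def audit(text):
    """Return the findings for one configuration, most severe first."""
    users, lines = parse_config(text)
    findings = []
    for ui in lines:
        name, mode = ui["name"], ui["mode"]
        if not name.startswith("vty"):
            continue    # only the remote (Telnet/SSH) lines are in scope here
        where = "user-interface " + name
        if mode == "none":
            findings.append(Finding("high", where,
                "authentication-mode none: any host that can reach the switch gets a CLI"))
        elif mode == "password":
            findings.append(Finding("medium", where,
                "password authentication: one shared secret, no per-user accountability; prefer AAA"))
        elif mode is None:
            findings.append(Finding("info", where,
                "authentication-mode not set explicitly; confirm the device default before use"))
    for name, user in sorted(users.items()):
        where = "local-user " + name
        if "telnet" in user["service-type"]:
            # Telnet carries the user name, password and session in cleartext;
            # a management-level (3) account over it is the worst case.
            sev = "high" if user["level"] == 3 else "medium"
            findings.append(Finding(sev, where,
                "service-type telnet: credentials cross the network in cleartext; use STelnet (SSH)"))
        if user["password"] is None:
            findings.append(Finding("high", where, "no password configured"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.where}: {f.message}")
```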

2 CLI Overview

About This Chapter

Users operate devices, that is, configure the device and perform routine maintenance, by entering command lines.

2.1 CLI Introduction
The command line interface (CLI) is the common tool for running commands.

2.2 Online Help
When you enter command lines or configure services, online help offers real-time help in addition to the configuration guide.

2.3 Features of Command Line Interface
You can edit command lines, display command lines, use the regular expression for command lines, and invoke historical commands.

2.4 Shortcut Keys
Using the system shortcut keys makes it easier to enter commands.

2.5 Configuration Examples
This section provides several examples for using command lines.

2.1 CLI Introduction
The command line interface (CLI) is the common tool for running commands.

2.1.1 Command Line Interface
You can configure and manage a switch by using the CLI commands. When a prompt appears, you enter the command line interface (CLI) and interact with the switch through the CLI. The system provides a series of configuration commands. You can configure and manage the switch by entering commands on the CLI. The characteristics of the CLI are as follows:
- Local configuration through the console port.
- Local or remote configuration through Telnet or Secure Shell (SSH).
- The telnet command for directly logging in to and managing other switches.
- FTP service for file uploading and downloading.
- A user interface view for specific configuration management.
- Hierarchical command protection for users of different levels, that is, users run only the commands of the corresponding level. None authentication, password authentication and Authentication, Authorization and Accounting (AAA) prevent unauthorized users from accessing the switch.
- Entering "?" for online help at any time.
- Network testing commands such as tracert and ping for rapidly diagnosing a network.
- Abundant debugging information to help in diagnosing the network.
- Running a history command, like DosKey.
- A command line interpreter that provides intelligent command resolution methods such as keyword fuzzy match and context conjunction. These methods make it easy for users to enter their commands.

NOTE
- The system supports commands with up to 512 characters. The command can be incomplete.
- The system saves an incomplete command to the configuration file in the complete form; therefore, the command may have more than 512 characters. When the system is restarted, however, the incomplete command cannot be restored. Therefore, pay attention to the length of the incomplete command.

2.1.2 Command Levels
The system adopts a hierarchical protection mode that has 16 command levels. The default command levels are as follows:
- Level 0-Visit level: Commands of this level include commands of network diagnosis tools (such as ping and tracert) and commands that start from the local device and visit an external device (such as the Telnet client side).

• Level 1-Monitoring level: Commands of this level, including the display commands and the debugging commands that are used for fault diagnosis, are used for system maintenance and fault diagnosis.

CAUTION
Not all display commands are of the monitoring level. For example, the display current-configuration and display saved-configuration commands are of the management level. For the level of a command, see the Quidway S5700 Series Command Reference.

• Level 2-Configuration level: Commands of this level are service configuration commands that provide direct network service to the user, including routing and network layer commands.
• Level 3-Management level: Commands of this level are commands that influence the basic operation of the system and provide support to the service. They include file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, backup board control commands, power supply control commands, user management commands, level setting commands, and system internal parameter setting commands.

NOTE
• The default command level may be higher than the command level defined according to the command rules in application. To implement efficient management, you can increase the command levels to 0-15. For the increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring Command Levels in the Quidway S5700 Series Configuration Guide - Basic Configurations.
• Login users have the same 16 levels as the command levels. The login users can use only the commands of the levels that are equal to or lower than their own levels. For details of login user levels, refer to User Management.

2.1.3 Command Views

The command line interface has different command views. All the commands must register in one or more command views. You can run a command only when you enter the corresponding command view.

Basic Concepts of Command Views

# Establish a connection with the switch. If the switch adopts the default configuration, you can enter the user view with the prompt <Quidway>.
<Quidway>
# Type system-view, and you can enter the system view.
<Quidway> system-view
[Quidway]
# Type aaa in the system view, and you can enter the AAA view.
[Quidway] aaa
[Quidway-aaa]

NOTE
The prompt <Quidway> indicates the default switch name. The prompt <> indicates the user view and the prompt [] indicates other views.

Common Views

The S5700 provides various command line views; however, the functions that can be implemented are command view-specific. Some commands that are implemented in the system view can also be implemented in the other views. For the methods of entering the command line views except the following views, see the Quidway S5700 Command Reference.

• User View
  Function: Displays the running status and statistics of the S5700.
  Entry command: Enters the user view after the connection is set up.
  Prompt upon entry: <Quidway>
  Quit command: <Quidway> quit
  Prompt upon quit: None.

• System View
  Function: Sets the system parameters of the S5700, and enters other function views from this view.
  Entry command: <Quidway> system-view
  Prompt upon entry: [Quidway]
  Quit command: [Quidway] quit
  Prompt upon quit: <Quidway>

• Ethernet Interface View
  – GE interface view
    Function: Configures related parameters about the GE interfaces of the S5700 and manages the GE interfaces.
    Entry command: [Quidway] interface GigabitEthernet X/Y/Z

    Prompt upon entry: [Quidway-GigabitEthernetX/Y/Z]
    Quit command: [Quidway-GigabitEthernetX/Y/Z] quit
    Prompt upon quit: [Quidway]

    NOTE
    X/Y/Z indicates the number of a GE interface that needs to be configured. It is in the format of slot number/subcard number/interface sequence number. Generally, the method of entering the 10GE interface view is the same as the method of entering the GE interface view. If an LPU provides GE interfaces and 10GE interfaces, the difference lies in the subcard where the 10GE interfaces reside. If an LPU provides only 10GE interfaces, the sequence number of a 10GE interface is 1.

2.2 Online Help

When you enter command lines or configure services, online help offers real-time help in addition to the configuration guide.

Context
The command line of the S5700 provides three types of online help:
• Full help
• Partial help
• Error Messages of the Command Line Interface

2.2.1 Full Help

When you enter a command line, you can view the description of keywords or parameters in the command line through the Full Help. You can obtain full help from a command view in the following methods:
• In a command view, enter ? to obtain all the commands in this command view and descriptions of the commands.
  <Quidway> ?
• Enter a command and a ? separated by a space. If a keyword is in place of the ?, all keywords and their descriptions are listed. Here is an example.
  [Quidway-ui-vty0] authentication-mode ?
    aaa       AAA authentication
    none      Login without checking
    password  Authentication through the password of a user terminal interface
  [Quidway-ui-vty0] authentication-mode aaa ?
    <cr>
  [Quidway-ui-vty0] authentication-mode aaa
  aaa, none and password are keywords. AAA authentication, Login without checking and Authentication through the password of a user terminal interface are the descriptions of the keywords.

  <cr> indicates that no keyword or parameter is in this position and you can press Enter to repeat the command in the next command line.
• Enter a command and a ? separated by a space. If a parameter is in place of the ?, all parameters and their descriptions are listed. Here is an example.
  <Quidway> system-view
  [Quidway] sysname ?
    TEXT  Host name(1 to 246 characters)
  TEXT is a parameter and Host name (1 to 246 characters) is the description.
----End

2.2.2 Partial Help

When you enter a command line, you can obtain prompts on the keywords or parameters at the beginning of the string through the Partial Help.

Context
You can obtain the partial help of the command line in the following ways.

Procedure
• Enter a character string with a "?" closely following it to display all commands that begin with this character string.
  <Quidway> d?
    debugging  delete  dir  display
• Enter a command and a character string with "?" closely following it to display all the keywords that begin with this character string.
  <Quidway> display b?
    bfd  bgp  bootrom  bpdu  bpdu-tunnel  buffer
• Enter the first several letters of a keyword in the command and then press Tab to display the complete keyword, on the condition that the letters uniquely identify the keyword. Otherwise, if you continue to press Tab, different keywords are displayed. You can select the needed keyword.
----End

2.2.3 Error Messages of the Command Line Interface

If an entered command passes the syntax check, the system executes it. Otherwise, the system prompts an error message. All the commands entered by the user are run correctly if the grammar check has been passed. Otherwise, error messages are reported to the user. See Table 2-1 for the common error messages.

Table 2-1 Common error messages of the command line
  Error message         Cause of the error
  Unrecognized command  The command cannot be found
                        The keyword cannot be found

  Wrong parameter       Parameter type error
                        The parameter value exceeds the limit
  Incomplete command    Incomplete command entered
  Too many parameters   Too many parameters entered
  Ambiguous command     Indefinite parameters entered

2.3 Features of Command Line Interface

You can edit command lines, display command lines, use the regular expression for command lines, and invoke historical commands.

2.3.1 Editing

The editing function of command lines helps you edit command lines or obtain help by using certain keys. The command line supports multi-line editing. The maximum length of each command is 512 characters. Keys for editing that are often used are shown in Table 2-2.

Table 2-2 Keys for editing
  Common key: Inserts a character in the current position of the cursor if the editing buffer is not full, and the cursor moves to the right. Otherwise, an alarm is generated.
  Backspace: Deletes the character on the left of the cursor, and the cursor moves to the left. When the cursor reaches the head of the command, an alarm is generated.
  Left cursor key ← or Ctrl_B: Moves the cursor to the left by the space of a character. When the cursor reaches the head of the command, an alarm is generated.
  Right cursor key → or Ctrl_F: Moves the cursor to the right by the space of a character. When the cursor reaches the end of the command, an alarm is generated.

  Tab: Press Tab after typing an incomplete keyword and the system runs the partial help:
    • If the matching keyword is unique, the system replaces the typed one with the complete keyword and displays it in a new line with the cursor a space behind.
    • If there are several matches or no match at all, the system displays the prefix first. Then you can press Tab to view the matching keywords one by one. In this case, the cursor closely follows the end of the word and you can type a space to enter the next word.
    • If a wrong keyword is entered, press Tab and the word is displayed in a new line.

2.3.2 Displaying

All command lines have the same displaying feature. You can control the display of information on the CLI as follows:
• Display prompt and help information in both Chinese and English.
• When the information displayed exceeds a full screen, the CLI provides the pause function. In this case, the user has three choices, as shown in Table 2-3.

Table 2-3 Keys for displaying
  Ctrl_C: Stops the display and running of the command.
  Space: Continues to display the information on the next screen.
  Enter: Continues to display the information on the next line.

NOTE
You can also press any of the keys except the spacebar and the Enter key to stop the display and running of the command.

2.3.3 Regular Expressions

The regular expression is a pattern matching tool. You can construct the matching pattern based on certain rules, and then match the pattern with the target object. The regular expression is an expression that describes a set of strings. It consists of common characters (such as letters from "a" to "z") and particular characters (also named metacharacters). The regular expression is a template according to which you can search for the required string. You can construct the displaying pattern as required. A regular expression can provide the following functions:

• Searching for and obtaining a sub-string that matches a rule in the string.
• Substituting a string according to a certain matching rule.

Formal Language Theory of the Regular Expression

The regular expression consists of common characters and particular characters.
• Common characters
  Common characters are used to match themselves in a string, including all upper-case and lower-case letters, digits, punctuation, and special symbols. For example, a matches the letter "a" in "abc", 202 matches the digits "202" in "202.113.25.155", and @ matches the symbol "@" in "xxx@xxx.com".
• Particular characters
  Particular characters are used together with common characters to match complex or particular string combinations. Table 2-4 describes particular characters and their syntax.

Table 2-4 Description of particular characters
Particular character: \
  Syntax: Defines an escape character, which is used to mark the next character (common or particular) as a common character.
  Example: \* matches "*".
Particular character: ^
  Syntax: Matches the starting position of the string.
  Example: ^10 matches "10.10.10.1" instead of "20.25.10.1".
Particular character: $
  Syntax: Matches the ending position of the string.
  Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".
Particular character: *
  Syntax: Matches the preceding element zero or more times.
  Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".
Particular character: +
  Syntax: Matches the preceding element one or more times.
  Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".
Particular character: ?
  Syntax: Matches the preceding element zero or one time.
  Example: 10? matches "1" and "10". (10)? matches "null" and "10".
Particular character: .
  Syntax: Matches any single character.
  Example: 0.0 matches "0x0" and "020". oo matches "book", "look", and "tool".

Particular character: _
  Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", and right parenthesis ")". Matches the starting position of the input string. Matches the ending position of the input string. Matches a space.
  Example: _2008_ matches "2008", "space 2008 space", ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".
Particular character: [xyz]
  Syntax: Matches any single character in the regular expression.
  Example: [123] matches the character 2 in "255".
Particular character: [^xyz]
  Syntax: Matches any character that is not contained within the brackets.
  Example: [^123] matches any character except for "1", "2", and "3".
Particular character: [a-z]
  Syntax: Matches any character within the specified range.
  Example: [0-9] matches any character ranging from 0 to 9.
Particular character: [^a-z]
  Syntax: Matches any character beyond the specified range.
  Example: [^0-9] matches all non-numeric characters.
Particular character: ()
  Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression should be matched.
  Example: 100(200)+ matches "100200" and "100200200".
Particular character: x|y
  Syntax: Matches x or y.
  Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234".

NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.

• Degeneration of particular characters
  Certain particular characters, when placed at the following positions in the regular expression, degenerate to common characters:
  – The particular characters following "\" are escaped so that they match the particular characters themselves.
  – The particular character "^" placed at any position except for the start of the regular expression. For example, abc^ matches "abc^".
  – The particular character "$" placed at any position except for the end of the regular expression. For example, 12$2 matches "12$2".
  – The particular characters "*", "+", and "?" placed at the starting position of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".

  – The right bracket such as ")" or "]" not paired with its corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".

  NOTE
  Unless otherwise specified, the degeneration rules are also applicable when the preceding regular expressions serve as subexpressions within parentheses.

• Combination of common and particular characters
  In actual application, a regular expression combines multiple common and particular characters to match certain strings.

Specifying a Filtering Mode in a Command

CAUTION
The Quidway S5700 Series uses a regular expression to implement the filtering function of the pipe character. A display command supports the pipe character only when there is excessive output information.

For the commands supporting regular expressions, the three filtering methods are as follows:
• | begin regular-expression: displays the information that begins with the line that matches the regular expression.
• | exclude regular-expression: displays the information that excludes the lines that match the regular expression.
• | include regular-expression: displays the information that includes the lines that match the regular expression.

NOTE
The value of regular-expression is a string of 1 to 255 characters.

The command can carry the parameter | count to display the number of matching entries. The parameter | count can be used together with the other parameters.

Specifying a Filtering Mode when Information is Displayed

When a lot of information is displayed, you can specify a filtering mode in the prompt "---- More ----". When the output information is queried according to the filtering conditions, the first line of the command output starts with the information containing the regular expression.
• /regular-expression: displays the information that begins with the line that matches the regular expression.
• -regular-expression: displays the information that excludes the lines that match the regular expression.
• +regular-expression: displays the information that includes the lines that match the regular expression.

2.3.4 History Commands

The command line interface provides a function similar to DosKey, which can automatically save historical commands. You can invoke the historical commands saved on the command line interface at any time and run them again. By default, the system saves 10 history commands at most for each user. The operations are as shown in Table 2-5.

Table 2-5 Access the history commands
  Action: Display the history commands
    Key or command: display history-command
    Result: Display the history commands entered by users.
  Action: Access the last history command
    Key or command: Up cursor key ↑ or Ctrl_P
    Result: Display the last history command if there is an earlier history command. Otherwise, a bell is generated.
  Action: Access the next history command
    Key or command: Down cursor key ↓ or Ctrl_N
    Result: Display the next history command if there is a later history command. Otherwise, the command is cleared and a bell is generated.

NOTE
On the HyperTerminal of Windows 9X, the cursor key ↑ is invalid, as the HyperTerminals of Windows 9X define the keys differently. In this case, you can replace the cursor key ↑ with Ctrl_P.

When you use the history commands, note the following:
• The saved history commands are the same as those entered by users. For example, if the user enters an incomplete command, the saved command is also incomplete.
• If the user runs the same command several times, only one history command (the earliest one) is saved. If the command is entered in different forms, the entries are considered as different commands. For example, if the display ip routing-table command is run several times, only one history command is saved. If the disp ip routing command and the display ip routing-table command are run, two history commands are saved.

2.4 Shortcut Keys

Using the system shortcut keys makes it easier to enter commands.

2.4.1 System Shortcut Keys

System-defined shortcut keys with fixed functions are defined by the system. Table 2-6 lists the system-defined shortcut keys.

NOTE
Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may be different from those listed in this section.

Table 2-6 System-defined shortcut keys
  CTRL_A: The cursor moves to the beginning of the current line.
  CTRL_B: The cursor moves to the left by the space of a character.
  CTRL_C: Terminates the running function.
  CTRL_D: Deletes the character where the cursor lies.
  CTRL_E: The cursor moves to the end of the current line.
  CTRL_F: The cursor moves to the right by the space of a character.
  CTRL_H: Deletes one character on the left of the cursor.
  CTRL_K: Stops the creation of the outbound connection.
  CTRL_N: Displays the next command in the history command buffer.
  CTRL_P: Displays the previous command in the history command buffer.
  CTRL_R: Repeats the display of the information of the current line.
  CTRL_T: Terminates the outbound connection.
  CTRL_V: Pastes the contents of the clipboard.
  CTRL_W: Deletes a character string or character on the left of the cursor.
  CTRL_X: Deletes all the characters on the left of the cursor.
  CTRL_Y: Deletes all the characters on the right of the cursor.
  CTRL_Z: Returns to the user view.
  CTRL_]: Terminates the inbound or redirection connections.
  ESC_B: The cursor moves to the left by the space of a word.
  ESC_D: Deletes a word on the right of the cursor.
  ESC_F: The cursor moves to the right to the end of the next word.
  ESC_N: The cursor moves downward to the next line.
  ESC_P: The cursor moves upward to the previous line.

2.5 Configuration Examples

This section provides several examples for using command lines.

2.5.1 Example for Using the Tab Key

You can obtain prompts on keywords or check whether the entered keywords are correct by pressing Tab.

Procedure
• If only one keyword contains the incomplete keyword, do as follows on the S5700.
  1. Enter an incomplete keyword.
     [Quidway] info-
  2. Press Tab. The system replaces the incomplete keyword with the complete keyword and displays the complete keyword in another line. There is only one space between the cursor and the end of the keyword.
     [Quidway] info-center
• If more than one keyword contains the incomplete keyword, do as follows on the S5700.
  1. Enter an incomplete keyword.
     [Quidway] info-center l
  2. Press Tab. The system displays the prefix of all the matched keywords. The prefix in this example is log. There is no space between the cursor and the end of the keywords.
     [Quidway] info-center log
     # The keyword info-center can be followed by the following keywords.
     [Quidway] info-center log?
       logbuffer  loghost
  3. Continue to press Tab to display all the keywords. Stop pressing Tab when you find the required keyword logbuffer.
     [Quidway] info-center loghost
     [Quidway] info-center logbuffer
  4. Enter a space and enter the next keyword channel.
     [Quidway] info-center logbuffer channel
----End

3 How to Use Interfaces

About This Chapter

This chapter describes the concept of the interface and the basic configuration of the interface. The interfaces are provided by the S5700 to receive and send data.

3.1 Introduction to Interfaces
This section describes different types of interfaces.

3.2 Setting Basic Parameters of an Interface
This section describes how to set the basic parameters of an interface.

3.3 Configuring the Loopback Interface
This section describes how to configure the loopback interface.

3.4 Maintaining the Interface
This section describes how to maintain the interface.

3.1 Introduction to Interfaces

This section describes different types of interfaces. The interfaces are provided by the S5700 to receive and send data. Interfaces are classified into management interfaces and service interfaces based on their functions, and into physical interfaces and logical interfaces based on their physical forms. Both physical interfaces and logical interfaces are called interfaces in this document.

NOTE
A physical interface is sometimes called a port.

Management Interface

Management interfaces are used to manage and configure a device. You can log in to the S5700 through a management interface to configure and manage the S5700. Management interfaces do not transmit service data. The S5700 provides a console interface and an MEth interface as the management interfaces.

Table 3-1 Description of management interfaces
  Console interface
    Description: The console interface complies with the EIA/TIA-232 standard and the interface type is DCE.
    Usage: The console interface is connected to the COM serial port of a configuration terminal. It is used to set up the onsite configuration environment.
  MEth interface
    Description: The MEth interface complies with the 10/100BASE-TX standard.
    Usage: The MEth interface can be connected to the network interface of a configuration terminal or network management workstation. It is used to set up the onsite or remote configuration environment.

The following table shows the rule for numbering management interfaces.

Table 3-2 Management interface numbers
  Name               Number
  Console interface  Console 0
  MEth interface     MEth 0/0/1

Classification of Service Interfaces

Service interfaces are used to transmit service data. They are classified into 1 Gbit/s interfaces and 10 Gbit/s interfaces according to their rates, and into electrical interfaces and optical interfaces according to their electrical properties.

Physical Interfaces

Physical interfaces are interfaces that actually exist on the S5700. Physical interfaces include management interfaces and service interfaces. The S5700 supports the following physical interfaces:
• Console interface
• Eth interface
• Gigabit Ethernet interface
• 10 Gigabit Ethernet interface

The rules for numbering service interfaces are as follows:

In a single S5700, interfaces are numbered in the format slot ID/subcard ID/interface sequence number.
• Slot ID: indicates the slot where an interface is located. The value is 0.
• Subcard ID: indicates the ID of a subcard. The value is 0 or 1. The value 1 indicates that the subcard is a front card.
• Interface sequence number: indicates the sequence number of an interface on the S5700.

In a stack system, interfaces are numbered in the format stack ID/subcard ID/interface sequence number.
• Stack ID: indicates the ID of an S5700 in the stack system. The value ranges from 0 to 8.
• Subcard ID: indicates the subcard where an interface is located. The value is 0 or 1. The value 1 indicates that the subcard is a front card.
• Interface sequence number: indicates the sequence number of an interface.

Table 3-3 FE and GE interface numbering rule
  Figure of interface numbering:
    2 4 6 ...
    1 3 5 ...
  Description: The S5700 has two rows of service interfaces, with the lower-left interface numbered 1. The other interfaces are numbered in ascending order from bottom to top, and then from left to right. For example, the upper-left interface is numbered 0/0/2.

Logical Interfaces

Logical interfaces do not exist physically and are set up by configurations.

The S5700 supports the following logical interfaces:
• Eth-Trunk
  The Eth-Trunk consists of Ethernet links only. The Eth-Trunk technique has the following advantages:
  – Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all member interfaces.
  – Improved reliability: When a link fails, traffic is automatically switched to other available links. This ensures link reliability.
  For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the Quidway S5700 Series Ethernet Switches Configuration Guide - Ethernet.
• VLANIF interface
  When the S5700 needs to communicate with devices at the network layer, you can create a logical interface of the Virtual Local Area Network (VLAN) on the S5700, namely, a VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF interfaces work at the network layer. The S5700 then communicates with devices at the network layer through VLANIF interfaces. For details about the configuration, see "Configuring the VLANIF Interface" in the Quidway S5700 Series Ethernet Switches Configuration Guide - Ethernet.
• Loopback interface
  A loopback interface is a virtual interface. The status of a loopback interface is always Up. The TCP/IP protocol suite defines IP address 127.0.0.0 as a loopback address. When the system starts, it automatically creates an interface using the loopback address 127.0.0.1 to receive all data packets sent to the local device. Some applications, such as mutual access between virtual private networks, need a local interface with a specified IP address without affecting the configuration of physical interfaces; therefore, the IP address of the loopback interface can be used as the router ID or the label switching router (LSR) ID, or be bound to a tunnel. This IP address has a 32-bit mask (to save IP addresses) and can be advertised by routing protocols. For details, see 3.3 Configuring the Loopback Interface.
• Null interface
  Null interfaces are similar to the null devices supported by certain operating systems. Any data packets sent to a null interface are discarded. Null interfaces are used for route selection and policy-based routing (PBR). For example, if a packet matches no route during route selection, the packet is sent to the null interface.
• Tunnel interface
  A tunnel interface can be used as the backup interface of other interfaces and used to set up Generic Routing Encapsulation (GRE) tunnels or Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) tunnels.

3.2 Setting Basic Parameters of an Interface

This section describes how to set the basic parameters of an interface.

3.2.1 Establishing the Configuration Task

Applicable Environment
To facilitate the configuration and maintenance of an interface, the S5700 provides interface views. The commands related to the interface are valid only in the interface views. Before configuring advanced functions of an interface such as the working mode and routes, you need to complete the basic configuration of the interface. The basic interface configurations include entering an interface view, configuring the interface description, enabling an interface, and disabling an interface.

Pre-configuration Tasks
Installing the LPU on the S5700

Data Preparation
To set parameters of an interface, you need the following data.
  No.  Data
  1    Type and number of the interface to be configured
  2    Description of the interface

3.2.2 Entering the Interface View

To configure an interface, you need to enter the interface view.

Context
Do as follows on the S5700.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  interface interface-type interface-number
The view of a specified interface is displayed. interface-type specifies the type of the interface and interface-number specifies the number of the interface.
----End

3.2.3 Viewing All the Commands in the Interface View
After entering the interface view, you can view all the commands in the interface view.

Context
Do as follows on the S5700.

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of a specified interface is displayed.
Step 3 Run: ?
All the commands in the view of the specified interface are displayed.
----End

3.2.4 Configuring the Description for an Interface
The description configured for an interface on the S5700 helps you identify and memorize the usage of the interface, which facilitates the management.

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of a specified interface is displayed.
Step 3 Run: description description
The description is configured for the interface.
----End

3.2.5 Starting and Shutting Down an Interface
When a physical interface is idle and is not connected to a cable, shut down this interface to protect the interface against interference. To use a shutdown interface, you need to start the interface.

Context
NOTE
- A null interface is always Up and cannot be shut down by command.
- A loopback interface is always Up and cannot be shut down by command.
NOTE
By default, an interface is enabled.

Procedure
- Shutting down the interface
  Do as follows on the S5700.
  1. Run: system-view
     The system view is displayed.
  2. Run: interface interface-type interface-number
     The view of a specified interface is displayed.
  3. Run: shutdown
     The interface is shut down.
- Starting an interface
  Do as follows on the S5700.
  1. Run: system-view
     The system view is displayed.
  2. Run: interface interface-type interface-number
     The view of a specified interface is displayed.
  3. Run: undo shutdown
     The interface is started.
----End

3.2.6 Further Configuration of an Interface
After configuring basic parameters, configure the interface as required.

Context
When you access a network through an interface, you need to further set multiple parameters of the interface based on the networking requirements, in addition to performing basic configurations on the interface. Further configurations of an interface include:

- Configuring the operation mode of an interface
- Configuring routes
For the detailed configuration, see the Quidway S5700 Series Ethernet Switches Configuration Guide - Ethernet and the Quidway S5700 Series Ethernet Switches Configuration Guide - IP Routing. For the detailed configuration of other functions, see the other configuration manuals of the S5700.

3.2.7 Checking the Configuration
After completing the basic configuration of an interface, you can use the display commands to check the configuration.

Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running status of the interface and the statistics on the interface.
Step 2 Run the display interface description command to check the brief information about the interface.
Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main configurations of the interface.
Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the brief state of the interface.
----End

3.3 Configuring the Loopback Interface
This section describes how to configure the loopback interface.

3.3.1 Establishing the Configuration Task
The users can create or delete a loopback interface.

Applicable Environment
Some applications such as mutual access between virtual private networks need to be configured with a local interface with a specified IP address when the configuration of a physical interface is not affected. In this case, the IP address of the local interface needs to be advertised by routing protocols. Loopback interfaces are used to improve the reliability of the configuration. When being created, the loopback interface remains in the Up state until you delete it.

Pre-configuration Tasks
Before configuring the loopback interface, complete the following task:
- Switching on the S5700

Data Preparation
To configure the loopback interface, you need the following data.
No. | Data
1 | Number of the loopback interface
2 | IP address of the loopback interface

3.3.2 Configuring IPv4 Parameters of the Loopback Interface
A loopback interface can be assigned an IPv4 address, bound to a VPN instance, and configured to check the source IPv4 addresses of packets.

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface loopback interface-number
A loopback interface is created. The value of interface-number ranges from 0 to 1023. A maximum of 1024 loopback interfaces can be created.
Step 3 Run: ip address ip-address { mask | mask-length } [ sub ]
An IPv4 address is assigned to the loopback interface.
Step 4 (Optional) Run: ip verify source-address
The loopback interface is configured to check the source IPv4 addresses of packets.
----End

3.3.3 Checking the Configuration
After configuring a loopback interface, run the following commands to check the configuration.

Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of the loopback interface.
----End

3.4 Maintaining the Interface
This section describes how to maintain the interface.

3.4.1 Clearing Statistics Information on the Interface
The statistics on the interface cannot be restored after you clear them. So, confirm the action before you use the command.

Procedure
Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user view to clear the statistics on the interface.
----End

3.4.2 Debugging the Interface
When an interface works abnormally, you can debug the interface.

Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.
For details about debugging commands on an interface, see the following chapters. For the description about debugging commands, see the Quidway S5700 Series Ethernet Switches Debugging Reference.

4 Basic Configuration

About This Chapter
This chapter describes how to configure the basic system environment and the basic user environment.
4.1 Basic Configuration Introduction: This section describes the meaning and scope of the basic configuration.
4.2 Configuring the Basic System Environment: This section describes how to configure the basic system environment according to user habits or the requirements of the actual environment.
4.3 Configuring Basic User Environment: This section describes the configuration of the basic user environment for user level switching.
4.4 Displaying System Status Messages: This section describes the display commands that are used for displaying basic system configurations.

4.1 Basic Configuration Introduction
This section describes the meaning and scope of the basic configuration.
Before configuring services, users often need to perform basic configurations for actual operation and maintenance. The S5700 provides configurations of two kinds of basic environments:
- Basic system environment: includes the language mode, system name, host name, system time, header text, and command level for the actual environment. By default, the S5700 supports commands of Level 0 to Level 3, namely, visit level, monitoring level, configuration level, and management level. If the user needs to define more levels, or refine management privileges on the device, the user can extend the range of command line levels from Level 0 to Level 3 to Level 0 to Level 15.
- Basic user environment: includes the password for changing levels and the terminal lock.

4.2 Configuring the Basic System Environment
This section describes how to configure the basic system environment according to user habits or the requirements of the actual environment.

4.2.1 Establishing the Configuration Task
Before configuring the basic system environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Before configuring the services, you need to configure the basic system environment to meet the requirements of the actual environment.

Pre-configuration Tasks
Before configuring the basic system environment, complete the following task:
- Powering on the switch

Data Preparation
To configure the basic system environment, you need the following data.
No. | Data
1 | System time
2 | Host name

3 | Login information
4 | Command level

4.2.2 Configuring the Equipment Name
You can change the equipment name as required. You can change the name of the switch that appears in the command prompt. By default, the host name of the switch is Quidway. The new equipment name takes effect immediately.

Context
Do as follows on the switch:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: sysname host-name
The equipment name is set.
----End

4.2.3 Setting the System Clock
To ensure that devices on the network work with the same clock, you need to set or change the system clock.

Context
You need to set the system time properly to ensure the cooperation between the S5700 and other devices. The S5700 supports the configurations of the time zone and the daylight saving time.
NOTE
UTC indicates the Universal Time Coordinated.
Do as follows on the switch:

Procedure
Step 1 Run: clock datetime HH:MM:SS YYYY-MM-DD

The current date and time is set.
Step 2 Run: clock timezone time-zone-name { add | minus } offset
The time zone is set.
- If add is configured, the current time is the UTC time plus the time offset. That is, the default UTC time plus offset is equal to the time of time-zone-name.
- If minus is configured, the current time is the UTC time minus the time offset. That is, the default UTC time minus offset is equal to the time of time-zone-name.
Step 3 Run: clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]
The daylight saving time is set. During the configuration of the daylight saving time, you can configure the start time and end time in one of the following modes: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.
NOTE
When the current time is within the daylight saving time, the time zone name, however, is displayed as the name of the daylight saving time. If the display clock command is run to view the time zone name at the moment, the set time zone name can be displayed. After the daylight saving time ends, running the clock timezone time-zone-name { add | minus } offset command can successfully set the time zone name.
----End

4.2.4 Configuring a Header
If you need to provide information for login users, you can configure a header that the system displays during login or after login.

Context
A header is a system prompt displayed when a user logs in to the switch or starts interactive configuration with the switch. The header provides detailed instruction.
Do as follows on the switch:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: header login { information text | file file-name }
The header displayed during login is set.
Step 3 Run: header shell { information text | file file-name }
The header displayed after login is set.
NOTE
- If a user logs in to the switch by using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.
- If a user logs in to the switch by using SSH2.0, both login and shell headers are displayed.
----End

4.2.5 Configuring Command Levels
By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights management is required, you can divide commands into 16 levels, that is, from Level 0 to Level 15.

Context
If the user does not adjust a command level separately, the command level can be updated in batch directly. Then, after the command level is updated, all originally-registered command lines adjust automatically according to the following rules:
- The commands of Level 0 and Level 1 remain unchanged.
- The command Level 2 is updated to Level 10 and Level 3 is updated to Level 15.
- No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust the command lines to these levels separately to refine the management of privilege.
NOTE
The update of command Level 2 to Level 10 and Level 3 to Level 15 is not a two-step process but a one-step batch process. When no password is configured for a Level 15 user, the system prompts the user to set a super-password for the Level 15 user. At the same time, the system asks if the user wants to continue to update the command line level. If you select "Y", the update proceeds without the password; this results in a user not logging in through the Console port failing to update the level. To set a password first, just select "N".
Do as follows on the switch:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: command-privilege level rearrange
Update the command level in batch.
Step 3 Run: command-privilege level level view view-name command-key

The command level is configured. With the command, you can specify the level and view of multiple commands at one time (command-key). All commands have default command views and levels. You need not reconfigure them.
----End

4.3 Configuring Basic User Environment
This section describes the configuration of the basic user environment for user level switching.

4.3.1 Establishing the Configuration Task
Before configuring the basic user environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The user can log in to a switch with a lower level to perform simple configurations or view configurations. When the configuration is complicated, the user needs to switch to a higher level. Thus, the user needs to configure the basic environment for switching levels.

Pre-configuration Tasks
Before configuring the basic environment for the user, complete the following task:
- Powering on the switch properly

Data Preparation
To configure the basic environment for the user, you need the following data:
No. | Data
1 | Password for the user level switching

4.3.2 Configuring the Password for Switching User Levels
Passwords need to be set for users that are switched from lower levels to higher levels.

Context
When users log in to the switch with a lower user level, they switch to a higher user level to perform advanced operations by entering the corresponding password. The password needs to be configured in advance.

CAUTION
When simple is used, the password is saved in the configuration files in plain text. Login users with a lower level can obtain the password by viewing the configuration. This may cause security problems. Therefore, cipher is used to save the password in encrypted text. If the password is set in cipher mode, the password cannot be recovered from the system. Keep a record of the password so that it is not forgotten or lost.
Do as follows on the switch:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: super password [ level user-level ] { simple | cipher } password
The password for switching user levels is configured.
----End

4.3.3 Switching User Levels
You need to enter the set password when being switched from a lower level to a higher level.

Context
An accurate password must be entered when the user is switched from a lower level to a higher level.
NOTE
When the login user of a lower level is switched to a user of a higher level through the super command, the system automatically sends trap messages and records the switchover in a log. When the switched level is lower than the current level, the system only records the switchover in a log.
Do as follows on the switch:

Procedure
Step 1 Run: super [ level ]
User levels are switched.
Step 2 Follow the prompt and enter a password.
If the password entered is correct, the user can switch to a higher level. If the user enters a password incorrectly for three consecutive times, the user remains at the current login level and returns to the user view.
----End
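The following Python model is an added illustration of the rules in 4.3.2 and 4.3.3; it is not code from the guide or from the switch. It shows why the CAUTION prefers cipher over simple (a simple entry is readable in the configuration, a cipher entry is not), and it applies the super switching rules: no password for a switch to a lower level, a correct password within three consecutive attempts for a switch to a higher level, and otherwise the user stays at the login level. The salted-hash storage for cipher, the MAX_ATTEMPTS constant and all sample passwords are assumptions of this model, not the switch's own encryption.

```python
import hashlib
import hmac
import logging
import os

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("super")

MAX_ATTEMPTS = 3  # three consecutive wrong passwords end the switch attempt (4.3.3)


class SuperPasswordStore:
    """Holds the 'super password' configured for each target user level.

    'simple' keeps the password in plain text, the weakness the CAUTION in 4.3.2
    describes; 'cipher' keeps only a salted hash (assumption of this model: the
    real switch uses its own encryption, so the stored form differs).
    """

    def __init__(self):
        self._entries = {}  # level -> (mode, stored value)

    def set_password(self, level, mode, password):
        if mode == "simple":
            self._entries[level] = ("simple", password)
        elif mode == "cipher":
            salt = os.urandom(16)
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
            self._entries[level] = ("cipher", (salt, digest))
        else:
            raise ValueError("mode must be 'simple' or 'cipher'")

    def verify(self, level, candidate):
        """True if candidate matches the password configured for the target level."""
        if level not in self._entries:
            return False
        mode, stored = self._entries[level]
        if mode == "simple":
            return hmac.compare_digest(stored.encode(), candidate.encode())
        salt, digest = stored
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        return hmac.compare_digest(digest, probe)

    def configuration_lines(self):
        """What a user viewing the configuration would see for each entry."""
        lines = []
        for level, (mode, stored) in sorted(self._entries.items()):
            shown = stored if mode == "simple" else stored[1].hex()
            lines.append(f"super password level {level} {mode} {shown}")
        return lines

    def weak_levels(self):
        """Levels whose password is readable by anyone able to view the configuration."""
        return [lvl for lvl, (mode, _) in sorted(self._entries.items()) if mode == "simple"]


def switch_level(current_level, target_level, store, password_attempts):
    """Apply the super rules and return the level the user ends up at.

    password_attempts is the sequence of passwords the user would type, in order;
    only the first MAX_ATTEMPTS entries are ever consulted.
    """
    if target_level <= current_level:
        # Switching to a level that is not higher needs no password; only logged.
        log.info("level %d -> %d: switchover recorded in a log", current_level, target_level)
        return target_level
    for attempt, candidate in enumerate(password_attempts[:MAX_ATTEMPTS], start=1):
        if store.verify(target_level, candidate):
            # Successful switch to a higher level: trap sent and log recorded.
            log.info("level %d -> %d: trap sent and switchover logged", current_level, target_level)
            return target_level
        log.warning("wrong password for level %d (attempt %d of %d)", target_level, attempt, MAX_ATTEMPTS)
    # Three consecutive failures (or the user giving up): stay at the login level.
    log.warning("switch to level %d failed; user stays at level %d in the user view", target_level, current_level)
    return current_level


if __name__ == "__main__":
    # Constructed sample: one cipher entry for level 15, one simple entry for level 3.
    store = SuperPasswordStore()
    store.set_password(15, "cipher", "example-cipher-pw")
    store.set_password(3, "simple", "example-simple-pw")
    print("\n".join(store.configuration_lines()))
    print("levels readable from the configuration:", store.weak_levels())
    print("result:", switch_level(1, 15, store, ["bad1", "bad2", "bad3", "example-cipher-pw"]))
```

Run as a script, the configuration listing shows the level 3 password verbatim while the level 15 entry shows only a digest, and the final switch attempt fails because the correct password is only offered as the fourth try.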

4.3.4 Locking User Interfaces
You can enter the set password to unlock the locked user interface.

Context
When you leave the operation terminal for a moment, you can lock the user interface to prevent unauthorized users from operating the interface. You must enter a correct password to unlock the user interface.
Do as follows on the switch:

Procedure
Step 1 Run: lock
The user interface is locked.
Step 2 Follow the system prompt and input an unlock password, and then confirm.
<Quidway> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked.
----End

4.4 Displaying System Status Messages
This section describes the display commands that are used for displaying basic system configurations.

Context
You can use the display commands to collect information about the system status. The display commands are classified according to the following functions:
- Displays system configurations.
- Displays the running status of the system.
- Displays the diagnostic information about a system.
- Displays the restart information about the main control board.
The following only shows the system display commands. See the related sections for display commands for protocols and interfaces. Run the following commands in any view.

4.4.1 Displaying System Configuration
You can view information about the system version, system time, original configuration, and current configuration.

Prerequisite
Basic configuration is complete.

Procedure
- Run the display version command to display the system version.
- Run the display clock command to display the system time.
- Run the display saved-configuration command to display the original configuration.
- Run the display current-configuration command to display the current configuration.
----End

4.4.2 Displaying System Status
You can view the configuration of the current view.

Prerequisite
Basic configuration is complete.

Procedure
- Run the display this command to display the configuration of the current view.
----End

4.4.3 Collecting System Diagnostic Information
You can view the system diagnosis information.

Context
Basic configuration is complete. When the system fails or performs routine maintenance, you need to collect a lot of information to locate faults, and you have to run different display commands to collect all the information. In this case, you can use the display diagnostic-information command to collect all information about the modules currently running in the system. The display diagnostic-information command collects all information collected by running the following commands: display clock, display version, display current-configuration, display saved-configuration, display interface, display cpu-usage, display history-command, and so on.

Procedure
Step 1 Run: display diagnostic-information [ file-name ]
The system diagnosis information is displayed.
----End

5 User Management

About This Chapter
This chapter describes user interfaces and the configuration of users' login.
5.1 User Management Introduction: This section describes basic concepts of user interfaces and user management.
5.2 Logging In to the S5700 Through the Console Port: This section describes how to log in to the S5700 through the console port.
5.3 Configuring Console User Interface: You can configure the console user interface so as to maintain a switch on the local device.
5.4 Configuring VTY User Interface: You can configure the VTY user interface to maintain a remote switch.
5.5 Managing User Interfaces: You need to configure user management to ensure that the operator manages switches safely.
5.6 Configuring User Management: Through user management, you can create users for switches, set user passwords, and manage users.
5.7 Configuration Examples: This section provides examples for configuring users to log in to a switch in different modes. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

5.1 User Management Introduction
This section describes basic concepts of user interfaces and user management.

5.1.1 User Interface
A user interface (UI) enables users to log in to the S5700. Through a user interface, you can configure the parameters on all physical and logical interfaces that work in asynchronous and interactive modes. In this manner, you can manage, authenticate, and authorize the login users.

Types of User Interfaces
Table 5-1 describes the types of user interfaces supported by the S5700.
Table 5-1 Types of user interfaces
Type | Purpose | Description
CON | Local login through the console interface | It is a linear interface conforming to the EIA/TIA-232 standard. The type of the interface is DCE. Each device provides a console interface.
VTY | Local or remote login through Telnet or SSH | It is a virtual interface and indicates a logical terminal line. When you log in to the S5700 through Telnet, FTP, or SSH, a VTY connection is set up.

Numbering of User Interfaces
You can number a user interface in the following ways:
- Relative numbering
  Relative numbering indicates that the interfaces of the same type are numbered. The relative numbering uniquely specifies a user interface of a specified type. The format of the relative numbering is: user interface type + number. It must comply with the following rules:
  – Number of the CON interface: console0
  – Default number of the VTY: vty0, vty1, vty2, vty3, and vty4
- Absolute numbering
  The S5700 uniquely specifies the default numbers of 0, 34… 38 for the user interfaces of CON and VTY. You can enter a specific user interface view by entering any of these numbers.
- Mapping between relative numbering and absolute numbering
  Figure 5-1 shows the mapping between relative and absolute numbering of a user interface.

Figure 5-1 Numbering of user interfaces on the S5700
Type of interface | Relative numbering | Absolute numbering
CON | console0 | 0
VTY | vty0 | 34
VTY | vty1 | 35
VTY | vty2 | 36
VTY | vty3 | 37
VTY | vty4 | 38
In the figure, console 0 and 0 indicate the same user interface; vty1 and 35 indicate the same user interface.
NOTE
On the S5700, the absolute number can be 0 or 34 to 48.

5.1.2 User Authentication
When a user logs in to the S5700, the S5700 authenticates the user according to the configuration to ensure system security. When the S5700 is switched on for the first time, no authentication information for login is available in the system. In this case, you can log in to the S5700 through the console interface without being authenticated. If a user logs in to the S5700 through Telnet on an Ethernet interface, the login user must be authenticated for the sake of security. If the authentication succeeds, the user can log in to the S5700 to configure and maintain the S5700.

Classifying Login Users
To manage users that try to log in to the S5700, these users are assigned passwords and classified into different levels. Login users on the S5700 are classified according to service types and assigned rights, as shown in Table 5-2.
Table 5-2 Types of login users
User Type | Description | Authentication
Super users | Log in to the S5700 through the console interface and have all rights. | Not authenticated for the first login but recommended later

Telnet users | Log in to the S5700 through the Ethernet interface using Telnet and have limited rights. A Telnet connection is set up between the user terminal and the S5700. | Recommended
SSH users | Log in to the S5700 through the Ethernet interface using SSH and have limited rights. An SSH connection is set up between the user terminal and the S5700. | Recommended
FTP users | Log in to the S5700 through FTP on the Ethernet interface and have limited rights. An FTP connection is set up between the user terminal and the S5700. | Recommended

Priorities of Users
The system manages super users and Telnet users according to user levels. Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level. The level of the command that a user can run is determined by the level of this user. Users of a level can access the commands of this level or lower levels. Assuming that user levels 0 to 3 are used in the system, users of level 2 can access commands of levels 0, 1, and 2, and users of level 3 can access commands at all levels.
NOTE
If the user levels are not set, the four default user levels are used, namely, levels 0 to 3.
The rights that can be obtained by users logging in to the S5700 through Telnet, SSH, and FTP depend on the priorities of the user interfaces through which they log in.
- In the case of non-authentication or password authentication, the level of the command that the user can run depends on the level of the user interface.
- In the case of AAA authentication, the command that the user can run depends on the level of the local user specified in the AAA configuration.

Authenticating Login Users
After users are configured on the S5700, the system authenticates the users when they log in to the S5700. The S5700 provides multiple services for a user. To ensure login convenience and security, login users must be classified and then assigned levels. The S5700 provides three authentication modes, as shown in Table 5-3.

Table 5-3 Authentication modes of login users
Authentication Mode | Description
Non-authentication | Users can log in to the S5700 without entering the user name and password. There is a great potential security risk.
Password authentication | Users can log in to the S5700 by entering only the password. In this authentication manner, security is ensured. It applies to the users logging in to the S5700 through the console interface and Telnet users.
AAA authentication | Users need to enter both the user name and password to log in to the S5700. The S5700 then authenticates the users according to the configured user information. This further improves security.

5.2 Logging In to the S5700 Through the Console Port
This section describes how to log in to the S5700 through the console port.

5.2.1 Establishing the Configuration Task

Applicable Environment
You need to log in to the S5700 through the console interface, as shown in Figure 5-2. In the figure, Switch is an S5700.
Figure 5-2 Logging in to the S5700 through the console interface
PC (RS-232 serial interface) --- (Console interface) Switch
NOTE
If the S5700 is switched on for the first time and you need to manage and configure the S5700, you can log in to the S5700 through the console interface only.

Pre-configuration Tasks
Before logging in to the S5700 through the console interface, complete the following tasks:
- Connecting the PC and the S5700 correctly
- Starting the S5700 normally

Data Preparation
None.

5.2.2 Logging In to the S5700 Through the Console Interface

Context
When setting up a local configuration environment through the console interface, you can connect the PC and the S5700 through the Windows HyperTerminal.

Procedure
Step 1 Enable the HyperTerminal on the PC.
Choose Start > All Programs > Accessories > Communications > HyperTerminal to start the HyperTerminal.
Step 2 Set up a new connection.
As shown in Figure 5-3, enter the name of the new connection in the Name text box, choose an icon, and click OK.
Figure 5-3 Setting up a new connection
Step 3 Set the connection port.
After entering the Connect window as shown in Figure 5-4, select a serial port from the Connect drop-down list box according to the port used by the PC or the configuration terminal. Select COM1 in this case. Click OK.

Figure 5-4 Setting the connection port

Step 4 Set communication parameters.
After entering the COM1 Properties window as shown in Figure 5-5, set the communication parameters according to the description in Table 5-4.

NOTE
In other Windows operating systems, Bits per second may be described as Baud rate. Flow control may be described as Traffic control.

Figure 5-5 Setting communication parameters for the port

Table 5-4 Communication parameters

Parameter Value

Bit per second (Baud rate) 9600

Data bit 8

Parity check None

Stop bit 1

Flow control (Traffic control) None

Step 5 After the HyperTerminal is started, select File Attributes to enter the Connect Properties window as shown in Figure 5-6. Choose the Setting tab, and select Auto detect or VT100 from the Emulation drop-down list box. Click OK to complete the setting.

Figure 5-6 Selecting a terminal type

After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, it indicates that you have logged in to the S5700. At this time, you can enter commands to configure and manage the S5700.

----End

5.3 Configuring Console User Interface
You can configure the console user interface so as to maintain a switch on the local device.

5.3.1 Establishing the Configuration Task
Before configuring a console interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
A console user interface is required for maintaining the local switch.

Pre-configuration Tasks
Before configuring a console interface, complete the following tasks:

l Powering on the switch
l Connecting a PC to the switch

Data Preparation
To configure a console interface, you need the following data.

No. Data

1 Baud rate, flow control mode, parity mode, stop bit, and data bit

2 Idle timeout period, number of lines displayed in a terminal screen, number of characters in each line displayed in a terminal screen, and the size of the history command buffer

3 User priority

4 User authentication method, user name, and password

NOTE
All the configuration items of the switch, excluding the user name and password, have default values and do not need to be configured additionally.

5.3.2 Configuring Console Interface Attributes
You can configure the rate, flow-control mode, parity, stop bit, and data bit for the console port.

Context
Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.

Step 3 (Optional) Run:
speed speed-value

The baud rate is set. By default, the baud rate is 9600 bit/s.

Step 4 (Optional) Run:
flow-control { hardware | none | software }

The flow control mode is set. By default, the flow-control mode is none.

Step 5 (Optional) Run:
parity { even | mark | none | odd | space }

The parity mode is set. By default, the value is none.

Step 6 (Optional) Run:
stopbits { 1.5 | 1 | 2 }

The stop bit is set. By default, the value is 1 bit.

Step 7 (Optional) Run:
databits { 5 | 6 | 7 | 8 }

The data bit is set. By default, the data bit is 8.

NOTE
When the user logs in to a switch through a console port, the attributes configured for the console port on the HyperTerminal must match the attributes of the interface on the switch. Otherwise, the user cannot log in to the switch.

----End

5.3.3 Setting Console Terminal Attributes
You can configure the timeout period for idle users, the maximum number of lines to be displayed on each screen, the maximum number of characters in each line, and the size of the history command buffer for the console interface.

Context
Do as follows on the switch to which a user logs in:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console interface-number

The console interface view is displayed.

Step 3 Run:
shell

The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]

The timeout period for idle users is set. By default, the timeout period for idle users is 10 minutes.

Step 5 Run:
screen-length screen-length

The number of lines to be displayed on each screen is set. By default, a terminal displays 24 lines on each screen.
You can run the screen-length screen-length temporary command to specify the number of lines that a terminal displays on each screen.

Step 6 Run:
screen-width screen-width

The maximum number of characters in each line displayed on a terminal screen is set. By default, each line displayed on a terminal screen has a maximum of 80 characters.

Step 7 Run:
history-command max-size size-value

The buffer of the history command is set. By default, the history command buffer on a user interface can cache a maximum of 10 commands.

----End

5.3.4 Configuring User Priority
You can set the priority for a user who logs in through the console port.

Context
This process is to set the priority for a user who logs in through the console port. A user can only use the commands of the level corresponding to the user level.
Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.

Step 3 Run:
user privilege level level

The priority of the user is set.

For more information about the command priority, see "Command Level" in Chapter 3 "CLI Overview".

----End

5.3.5 Configuring User Authentication
The system provides three authentication modes, namely, AAA, password, and none.

Procedure
l Configuring AAA Authentication
1. Run:
system-view

The system view is displayed.
2. Run:
user-interface console interface-number

The console user interface view is displayed.
3. Run:
authentication-mode aaa

The authentication mode is set to AAA.
4. Run:
quit

Exit from the console user interface view.
5. Run:
aaa

The AAA view is displayed.
6. Run:
local-user user-name password { simple | cipher } password

Name and password of the local user are created.
l Configuring Password Authentication
1. Run:
system-view

The system view is displayed.
2. Run:
user-interface console interface-number

The console user interface view is displayed.
3. Run:
authentication-mode password

The authentication mode is set to password authentication.
4. Run:
set authentication password { cipher | simple } password

A password for authentication is set.

l Configuring Non-Authentication
1. Run:
system-view

The system view is displayed.
2. Run:
user-interface console interface-number

The console user interface view is displayed.
3. Run:
authentication-mode none

The authentication mode is set to non-authentication.

----End

5.3.6 Checking the Configuration
After configuring the console user interface, you can view the usage information of the user
interface, physical attributes and configurations of the user interface, local user list, and online
users.

Prerequisite
The configurations of the User Management function are complete.

Procedure
l Run the display users [ all ] command to check information about user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check online users.

----End

5.4 Configuring VTY User Interface
You can configure the VTY user interface to maintain a remote switch.

5.4.1 Establishing the Configuration Task
Before configuring a VTY interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
If you want to log in to the switch using Telnet or SSH to perform management or configuration
operations, a VTY interface is required.

Pre-configuration Tasks
Before configuring a VTY user interface, complete the following tasks:

l Powering on the switch
l Connecting a PC to the switch correctly

Data Preparation
To configure a VTY user interface, you need the following data.

No. Data

1 Maximum VTY user interfaces

2 (Optional) Number of the ACL for limiting incoming and outgoing calls of users
logging in using VTY user interfaces

3 Timeout period for idle users, maximum number of lines to be displayed on each screen, maximum number of characters in each line, and the size of the history command buffer

4 User authentication mode, user name, and password

5.4.2 Configuring Maximum VTY User Interfaces
You can configure the maximum number of VTY user interfaces through which users log in to
a switch.

Context
Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface maximum-vty number

The maximum number of VTY user interfaces through which users can log in to the switch is set.

NOTE

When the maximum number of VTY user interfaces is set to zero, no user, including the NMS user, can log in to the switch.

If the maximum number of VTY user interfaces to be configured is smaller than the maximum
number of current interfaces, other parameters need not be configured.

If the maximum number of VTY user interfaces to be configured is larger than the maximum
number of current interfaces, the authentication mode and password need to be configured for
newly added user interfaces.

For newly added user interfaces, the system applies password authentication by default.

For example, a maximum of five users are allowed online. To allow 15 VTY users online at the
same time, you need to run the authentication-mode command and the set authentication
password command to configure authentication modes and passwords for user interfaces from
VTY 5 to VTY 14. The command is run as follows:
<Quidway> system-view
[Quidway] user-interface maximum-vty 15
[Quidway] user-interface vty 5 14
[Quidway-ui-vty5-14] authentication-mode password
[Quidway-ui-vty5-14] set authentication password cipher huawei

----End

5.4.3 (Optional) Configuring Limits for Incoming Calls and Outgoing Calls
You can set the limit on incoming and outgoing calls for VTY user interfaces.

Context
Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:
acl acl-number { inbound | outbound }

Limits on incoming and outgoing calls for the VTY user interface are configured.

When you need to prevent users at a certain address or network segment from logging in to the switch, use the inbound keyword; when you need to prevent a user who has logged in to the switch from accessing other switches, use the outbound keyword.

----End

5.4.4 Configuring VTY Terminal Attributes
You can configure the timeout period for idle users, the maximum number of lines to be displayed on each screen, the maximum number of characters in each line, and the size of the history command buffer for a VTY interface.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
user-interface vty number1 [ number2 ]

The VTY interface view is displayed.
Step 3 Run:
shell

Terminal services are enabled.
Step 4 Run:
idle-timeout minutes [ seconds ]

The timeout period for idle users is set.
Step 5 Run:
screen-length screen-length

The maximum number of lines to be displayed on each screen is set.
By default, a maximum of 24 lines are displayed on each screen.
You can run the screen-length screen-length temporary command to specify the maximum
number of lines to be temporarily displayed on each terminal screen.
Step 6 Run:
screen-width screen-width

The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value

The size of the history command buffer is set.
By default, the history command buffer on a user interface can cache a maximum of 10
commands.

----End

5.4.5 Configuring User Authentication
The system provides three authentication modes, namely, AAA, password, and none.

Context
The switch supports user authentication of three types:

l AAA authentication: requires the user name and password.
l Password authentication: requires no user name but a password must be set. Otherwise, the
user can log in to the switch only through the console interface.
l None: requires neither user name nor password. No authentication is needed when the user
logs in to the switch.

Procedure
l Configuring AAA Authentication
1. Run:
system-view

The system view is displayed.
2. Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.
3. Run:
authentication-mode aaa

The authentication mode is set to AAA.
4. Run:
quit

Exit from the VTY user interface view.
5. Run:
aaa

The AAA view is displayed.
6. Run:
local-user user-name password { simple | cipher } password

Name and password of the local user are created.
l Configuring Password Authentication
1. Run:
system-view

The system view is displayed.
2. Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.
3. Run:
authentication-mode password

Set the authentication mode as password.
4. Run:
set authentication password { cipher | simple } password

A password for this authentication mode is set.
l Configuring Non-Authentication
1. Run:
system-view

The system view is displayed.
2. Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.
3. Run:
authentication-mode none

The authentication mode is set to none.

----End

5.4.6 Checking the Configuration
After configuring the VTY user interface, you can view the usage information of the user
interface, the maximum number of VTY user interfaces, and physical attributes and
configurations of the user interface.

Prerequisite
The configurations of the VTY user interface are complete.

Procedure
l Run the display users [ all ] command to check the usage information of the user interface.
l Run the display user-interface maximum-vty command to check the number of maximum
VTY user interfaces.
l Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]
command to check the physical attributes and configurations of the user interface.

----End

5.5 Managing User Interfaces
You need to configure user management to ensure that the operator manages switches safely.

5.5.1 Establishing the Configuration Task
Before configuring user management interfaces, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
To ensure that the operator manages switches safely, you need to send messages between user
interfaces and clear designated users.

Pre-configuration Tasks
Before managing the user interface, complete the following tasks:

l Powering on the switch
l Connecting the PC with the switch properly

Data Preparations
To manage the user interface, you need the following data:

No. Data

1 Type and number of the user interface

2 Contents of the message to be sent

5.5.2 Sending Messages to Other User Interfaces
You can configure messaging between user interfaces.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.

Step 2 Following the prompt, you can enter the message to be sent. You can press Ctrl_Z or Enter to
end, and press Ctrl_C to abort.

----End

5.5.3 Clearing Online User
You can clear specified online users.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
free user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.

Step 2 On receiving the prompts, you can confirm whether the designated online users have to be
cleared.

----End


5.5.4 Checking the Configuration
After configuring user management interfaces, you can view the usage information of user interfaces.

Prerequisite
The configurations of the user interfaces are complete.

Procedure
Step 1 Run the display users [ all ] command to check the usage information of the user interface.

----End

5.6 Configuring User Management
Through user management, you can create users for switches, set user passwords, and manage users.

5.6.1 Establishing the Configuration Task
Before configuring user management, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
After an IP address is assigned to the main control board or an interface board, any remote user can use Telnet to log in to the switch, or connect to the switch through PPP to access networks. This compromises security. To ensure network security and ease user management, configure a user name and password for the switch.

Pre-configuration Tasks
Before configuring a user, complete the following tasks:

l Powering on the switch
l Connecting the PC with the switch properly

Data Preparation
To configure a user, you need the following data.

No. Data

1 Authentication mode

2 User name and password

3 User priority

5.6.2 Configuring Authentication Mode
The system provides three authentication modes, namely, AAA local authentication, password authentication, and none authentication.

Context
Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode { aaa | password | none }

The user authentication mode is configured.

----End

5.6.3 Configuring Authentication Password
You can configure a plain or cipher text password for authentication.

Context
Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode password

The authentication mode is set to password.

Step 4 Run:
set authentication password { cipher | simple } password

The authentication password is configured.

NOTE
The default authentication mode is password authentication.

----End

5.6.4 Setting Username and Password for AAA Local Authentication
You can configure a plain or cipher text password for AAA local authentication.

Context
Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode aaa

The authentication mode is set to AAA.

Step 4 Run:
quit

Return to the system view.

Step 5 Run:
aaa

The AAA view is displayed.

Step 6 Run:
local-user user-name password { simple | cipher } password

The local username and password are configured.

----End

5.6.5 Configuring Non-Authentication
You can configure users to log in to a switch without being authenticated.

Context

CAUTION
Configuring the non-authentication mode may cause security problems on the switch.

Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode none

The non-authentication mode is configured.

----End

5.6.6 Configuring User Priority
You can configure the user priority.

Context
Refer to the Quidway S5700 Series Configuration Guide - Security.

NOTE
l If the authentication mode is non-authentication or password authentication, the priority of the user interface determines the command level that the users can access.
l If the authentication mode needs the username and the password, the priority of the user determines the command level that the users can access.

5.6.7 Checking the Configuration
After configuring user management, you can view the usage information of user interfaces, the local user list, and online users.

Prerequisite
The configurations of user management are complete.

Procedure
l Run the display users [ all ] command to check the user information.

l Run the display local-user command to check the local user list.
l Run the display access-user command to check online users.

----End

5.7 Configuration Examples
This section provides examples for configuring users to log in to a switch in different modes. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

Context

CAUTION
After the first and second configuration examples are complete, if no operations are carried out within 30 minutes, the user interface is disconnected from the switch. Ensure that users can log in to the switch in other ways to delete the configurations.

5.7.1 Example for Configuring Logging In to the Switch Through Password
In this example, the VTY0 priority, authentication mode, and disconnection time are configured, which enables users to log in to the switch through a password.

Networking Requirements
The COM port of the PC is connected with the Console port. Set the priority of VTY0 to 2 and authenticate the passwords of users. Users need to enter the password Huawei to log in successfully. After login, the commands with priorities higher than 2 cannot be run if the current user is VTY0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the user interface, and configure the priority of VTY0 as 2.
2. Configure the simple authentication and the disconnect time.

Data Preparation
To complete the configuration, you need the following data:

l The password of the authentication mode
l The disconnect time

Procedure
Step 1 Configure the priority of VTY0 to be 2 on the Switch.
<Quidway> system-view
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2

Step 2 Configure the password and disconnect time.
[Quidway-ui-vty0] authentication-mode password
[Quidway-ui-vty0] set authentication password simple huawei
[Quidway-ui-vty0] idle-timeout 30

----End

Configuration Files
#
 sysname Quidway
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
#
user-interface vty 0
 user privilege level 2
 set authentication password simple huawei
 idle-timeout 30
#
return

5.7.2 Example for Logging In to the Device Through AAA
In this example, the VTY0 priority and disconnection time are configured and the idle-cut function is enabled for local users, which enables users to log in to the switch through AAA authentication.

Networking Requirements
The COM port of the PC and the console port of the switch are connected. Configure the priority of VTY0 to be 2, and perform AAA authentication on the user that logs in through VTY0. The login user must enter the username "huawei" and the password "huawei". After login, if the user does not operate the switch within 30 minutes, the connection with the switch is disabled.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the user interface view to configure the priority of VTY0 to be 2 and the disconnection time.
2. Enter the AAA view to configure the username, the password, and the user level.
3. Switch on the idle timeout for the local user in the AAA view.

Data Preparation
To complete the configuration, you need the following data:

l Username and password for authentication
l Disconnect time

Procedure
Step 1 Configure the priority of VTY0 to be 2 and the disconnection time of 30 minutes.
<Quidway> system-view
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2
[Quidway-ui-vty0] authentication-mode aaa
[Quidway-ui-vty0] idle-timeout 30
[Quidway-ui-vty0] quit

Step 2 Configure the local username, password, and user level.
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei
[Quidway-aaa] local-user huawei privilege level 2

----End

Configuration Files
#
 sysname Quidway
#
aaa
 local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user huawei privilege level 2
 local-user huawei idle-cut
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
user-interface vty 0
 authentication-mode aaa
 user privilege level 2
 idle-timeout 30
#
return
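One way to check a saved configuration for the risks this chapter names (non-authentication in 5.6.5, the simple keyword that leaves a password in plain text in the configuration file above, and VTY interfaces without the inbound ACL of 5.4.3), as an added Python example that is not Huawei's code: it parses the Configuration Files layout shown above. The sample configuration, its interface ranges, user names and ACL 2001 are constructed, and CIPHER_PLACEHOLDER stands in for the cipher text the switch would store.

```python
"""Audit a saved Quidway S5700 configuration for the weak login settings this
chapter warns about. Added example, not Huawei's code."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Configuration Files blocks above; the
# interface ranges, user names and ACL 2001 are made-up test data, and
# CIPHER_PLACEHOLDER stands in for the cipher text the switch would store.
SAMPLE_CONFIG = """\
#
 sysname Quidway
#
aaa
 local-user admin password cipher CIPHER_PLACEHOLDER
 local-user guest password simple guest
#
user-interface con 0
 set authentication password cipher CIPHER_PLACEHOLDER
#
user-interface vty 0
 authentication-mode none
 user privilege level 2
#
user-interface vty 1 4
 acl 2001 inbound
 authentication-mode password
 set authentication password simple huawei
 idle-timeout 30
#
user-interface vty 5 14
 authentication-mode aaa
 idle-timeout 30
#
return
"""

@dataclass
class Block:
    name: str                                   # e.g. "user-interface vty 1 4"
    lines: list = field(default_factory=list)   # its indented sub-lines

@dataclass(frozen=True)
class Finding:
    block: str
    severity: str   # "high", "medium" or "low"
    message: str

def parse_blocks(text):
    """A non-indented line opens a view, indented lines belong to it and a
    bare '#' separator closes it (the layout of the configuration files above)."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "#":
            current = None
        elif line.startswith(" "):
            if current is not None:
                current.lines.append(line.strip())
        else:
            current = Block(line.strip())
            blocks.append(current)
    return blocks

def _audit_user_interface(blk):
    out = []
    mode = "password"       # default for a user interface, per this chapter
    inbound_acl = False
    for line in blk.lines:
        if line.startswith("authentication-mode "):
            mode = line.split()[1]
        elif line.startswith("set authentication password simple "):
            out.append(Finding(blk.name, "medium", "password stored as simple (plain text)"))
        elif re.fullmatch(r"acl \d+ inbound", line):
            inbound_acl = True
    if mode == "none":
        out.append(Finding(blk.name, "high", "authentication-mode none: login needs no credentials"))
    if blk.name.startswith("user-interface vty") and not inbound_acl:
        out.append(Finding(blk.name, "low", "no inbound ACL: remote logins not limited by source address"))
    return out

def audit(text):
    """Return the findings for one configuration file, in configuration order."""
    findings = []
    for blk in parse_blocks(text):
        if blk.name.startswith("user-interface"):
            findings.extend(_audit_user_interface(blk))
        elif blk.name == "aaa":
            for line in blk.lines:
                m = re.match(r"local-user (\S+) password simple ", line)
                if m:
                    findings.append(Finding("aaa/local-user " + m.group(1), "medium",
                                            "local user password stored as simple (plain text)"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.block}: {f.message}")
```

Run it against the output of display current-configuration saved to a file; the con 0 block in the sample produces no finding because its password is stored as cipher text.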

6 File System Management

About This Chapter
This chapter describes the basic knowledge of the file system, including the methods of managing files, directories, and storage devices.

6.1 Overview of the File System
This section describes the concepts of the file system.

6.2 Managing a Storage Device
This section describes how to format a storage device.

6.3 Managing the Directory
You can manage directories to logically store files in hierarchy.

6.4 Managing Files
You can view, create, delete, and rename files.

6.1 Overview of the File System
This section describes the concepts of the file system.

Basic Concepts of the File System
A file system allows you to manage files and directories on the storage devices. In the file system, you can create, delete, modify, and rename a file or a directory, and view the contents of a file.

The file system provides the following functions:

l Managing the files that are stored on the storage devices
l Managing the storage devices

Storage Device
A storage device is a hardware device used to store data. Different products support different storage devices. Currently, the S5700 supports the flash memory.

File
A file stores and manages information.

Directory
A directory collects and organizes files. It is a logical container of files.

6.2 Managing a Storage Device
This section describes how to format a storage device.

6.2.1 Establishing the Configuration Task

Pre-configuration Tasks
Before managing a storage device, complete the following tasks:

l Installing the S5700 and switching it on properly
l Client logging in to the S5700

Data Preparation
To manage a storage device, you need the following data.

No. Data

1 Device name

6.2.2 Restoring Storage Devices with File System Troubles
When the file system on a storage device fails, the terminal of the switch prompts you to rectify the fault.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
fixdisk device-name

The storage device with file system troubles is repaired.

NOTE
After this command is run, if the prompt that the system should be repaired is still received, it indicates that the physical medium may be damaged.

----End

6.2.3 (Optional) Formatting a Storage Device

Context

CAUTION
After the format flash: command is run, the files and directories in the flash are cleared and cannot be restored. So, confirm the action before you use the command.

Procedure
Step 1 Run the following command in the user view:
format flash:

The flash is formatted.

----End

6.3 Managing the Directory
You can manage directories to logically store files in hierarchy.

6.3.1 Establishing the Configuration Task
Before managing directories, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When you need to transfer files between the client and the server, configure the directory by using the file system.

Pre-configuration Tasks
Before configuring the management directory, complete the following tasks:
- Powering on the switch
- Connecting the client with the server correctly

Data Preparation
To configure a management directory, you need the following data.

No.  Data
1    Directory name to be created
2    Directory name to be deleted

6.3.2 Viewing the Current Directory
You can view the current directory to know its information.

Context
Do as follows on the switch.

Procedure
Step 1 Run:
pwd
The current directory is displayed.
----End

6.3.3 Switching a Directory
You can switch the current directory to another directory.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory

A directory is specified. Either the absolute path or the relative path is applicable.

Step 2 Run:
pwd
The current directory is displayed.
----End

6.3.4 Displaying a Directory or File
You can view a directory or the files in the directory.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory
A directory is specified and the specified directory is displayed.

Step 2 Run:
dir [ /all ] [ filename | flash: ]
The file and sub-directory list in the directory is displayed.
----End

6.3.5 Creating a Directory
You can create a directory in the specified directory on a specified storage device.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory
The parent directory of the directory to be created is displayed.

Step 2 Run:
mkdir directory
The directory is created.
----End

6.3.6 Deleting a Directory
You can delete an unneeded directory.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory
The parent directory of the directory to be deleted is displayed.

Step 2 Run:
rmdir directory
The directory is deleted.
----End

6.4 Managing Files
You can view, delete, create, and rename files.

6.4.1 Establishing the Configuration Task
Before managing files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
To view, delete, or rename files on the switch, you need to manage the files using the file system.

Pre-configuration Tasks
Before configuring the file system, complete the following tasks:
- Powering on the switch
- Connecting the client with the server correctly

Data Preparation
To configure a file system, you need the following data.

No.  Data
1    File name to be viewed
2    File name to be deleted
3    File name to be renamed

6.4.2 Displaying Contents of Files
You can view the contents of a file, which are displayed as text.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory
The directory of the file is displayed.

Step 2 Run:
more filename
The content of the file is displayed.
----End

6.4.3 Copying Files
You can copy files.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory
The directory of the file is displayed.

Step 2 Run:
copy source-filename destination-filename
The file is copied.

NOTE
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
----End

6.4.4 Moving Files
You can move files to a specified directory.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory
The directory of the file is displayed.

Step 2 Run:
move source-filename destination-filename
The file is moved.
----End

6.4.5 Renaming Files
You can rename files.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory
The directory of the file is displayed.

Step 2 Run:
rename source-filename destination-filename
The file is renamed.
----End

6.4.6 Compressing Files
You can compress files to reduce their size.

Context
Do as follows on the switch.

Procedure
Step 1 Run:
zip source-filename destination-filename
The file is compressed.
----End

6.4.7 Deleting Files
You can delete unneeded files.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
cd directory
The directory of the file is displayed.

Step 2 Run:
delete [ /unreserved ] filename
The file is deleted.

NOTE
- If the current directory is not the parent directory of the file, you must refer to the file by its absolute path.
- If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being deleted. Without it, the file is moved to the recycle bin and can be recovered with the undelete command.
----End

6.4.8 Deleting Files in the Recycle Bin
You can permanently delete files in the recycle bin.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
reset recycle-bin [ filename ]
The file is deleted.
----End

6.4.9 Undeleting Files
You can undelete files.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
undelete filename
The deleted file is recovered.
----End

6.4.10 Running Files in Batch
You can upload files and then process them in batches.

Prerequisite
Upload the batch files from the client to the switch.

Context
After the batch file is created, you can run it to perform routine tasks automatically.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
execute filename
The batch file is executed.
----End

6.4.11 Configuring Prompt Modes
The system displays prompts or warning messages when you operate the device. If you need to change the prompt mode for file operations, you can configure the prompt mode of the file system.

Prerequisite
Before configuring the file system, complete the following tasks:
- Powering on the switch
- Logging in to the switch from the client

Context
Data may be lost or damaged during file operations, so the prompt is required.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
file prompt { alert | quiet }
The prompt mode of the file system is configured.

By default, the prompt mode is alert.

CAUTION
If the prompt mode is quiet, no prompt appears before data is lost through a mistaken operation.
----End

7 Management of Configuration Files

About This Chapter
This chapter describes current configurations, configuration files, detection of master/slave configuration consistency, and configuration recovery.

7.1 Management of Configuration Files Introduction
The configuration file holds the configuration that the switch loads when it restarts, now or at the next startup.

7.2 Managing Configuration Files
You can manage configuration files to ensure that the switch starts normally.

7.1 Management of Configuration Files Introduction
The configuration file holds the configuration that the switch loads when it restarts, now or at the next startup.

7.1.1 Configuration Files
This part describes basic concepts of configuration files.

The configuration file is a text file in the following format:
- The configuration file of V200R006C00 must begin with a line like "!Software Version V200R006C00."
- It is saved in the command format.
- To save space, default parameters are not saved. For the default values of the configuration parameters, see the following sections.
- Commands are organized on the basis of the command view. All commands of the same command view are grouped into a section. Every two command sections are separated by one or several blank lines or comment lines (beginning with "#").
- The sequence of command sections is global configuration, physical interface configuration, logical interface configuration, routing protocol configuration, and so on.

NOTE
- Before loading the configuration file to V200R006C00, check whether the configuration file contains the preceding version line. If not, the system processes the configuration file in the same way as an earlier configuration file, and some configurations may not function properly.
- The system can run a command with a maximum length of 512 characters, including a command in incomplete (abbreviated) form. If a command is entered in incomplete form, it is saved in complete form. Therefore, the command length in the configuration file may exceed 512 characters. In this case, these commands cannot be restored when the system restarts.

7.1.2 Configuration Files and Current Configurations
This part describes basic concepts of configuration files and current configurations.
- Initial configurations: On powering on, the switch retrieves the configuration file from a default save path to initialize itself. If no configuration file exists in the default save path, the switch uses the default parameters.
- Current configurations: the effective configurations of the currently running switch.
- Users can modify the current configurations of the switch through the command line interface. Use the save command to save the current configuration to the configuration file on the default storage device; the current configuration then becomes the initial configuration of the switch when the switch is powered on next time.

7.2 Managing Configuration Files
You can manage configuration files to ensure that the switch starts normally.

7.2.1 Establishing the Configuration Task
Before managing configuration files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
In one of the following situations, you need to manage configuration files:
- To start the switch normally, you need to select the correct S5700 system software and configuration file for the switch to load.
- After modifying the current configuration, you need to save the modified contents.
- You need to view the configuration of the switch.

Pre-configuration Tasks
Before managing configuration files, complete the following task:
- Installing the switch and starting it properly

Data Preparation
To manage configuration files, you need the following data.

No.  Data
1    S5700 system software and its file name
2    Configuration file and its name
3    The number of the start line from which the comparison of the configuration files begins

7.2.2 Configuring System Software for a Switch to Load for the Next Startup
To upgrade the system software of a switch, you can specify the S5700 system software to be loaded for the next startup.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The S5700 system software for the switch to load the next time it starts is configured.
The system software package must use .cc as the extension and be saved in the root directory of the flash memory. If the BootROM version of the next-startup software that you specify differs from the current BootROM version, the system prompts you to upgrade the BootROM.
----End

7.2.3 Configuring the Configuration File for the Switch to Load for the Next Startup
Before restarting a switch, you can specify the configuration file that is loaded for the next startup.
When the switch is turned on, it initializes by reading the configuration file from the flash memory by default. The configuration in this file is therefore called the initial configuration. If no configuration file is saved in the flash, the switch initializes with default parameters. The effective configuration while a switch is working is called the current configuration.
The filename extension of the configuration file must be .cfg or .zip, and the file must be stored in the root directory of a storage device.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
startup saved-configuration configuration-file
The configuration file for the switch to load at the next startup is configured.
The filename extension of the configuration file must be .cfg or .zip. The system startup configuration file must be saved in the root directory of a storage device.
----End

7.2.4 Saving the Configuration File
The system can save the configuration file in real time to prevent data loss when the switch is powered off or accidentally restarted.

Context
The user can modify the current configuration through the command line interface. To make the current configuration the initial configuration when the switch starts next time, use the save command to save the current configuration in the flash memory.

Procedure
- Run:
save [ all ] [ configuration-file ]
The current configuration is saved.
You can use the save all command to save all the current configurations, including the configurations of boards that are not inserted.

NOTE
When saving the configuration file for the first time, if you do not specify the optional parameter configuration-file, the switch asks you whether to save the file as "vrpcfg.zip" in the default directory.
----End

7.2.5 Clearing a Configuration File
You can clear the configuration file that has been loaded to a device.

Context
The configuration file stored in the flash memory needs to be cleared in the following cases:
- The system software does not match the configuration file after the switch has been upgraded.
- The configuration file is damaged or an incorrect configuration file has been loaded.

Procedure
- Clear the currently loaded configuration file.
Run the reset saved-configuration command to clear the currently loaded configuration file.
– If the configuration file used for the current startup is the same as that used for the next startup, running the reset saved-configuration command clears both.
– If the configuration file used for the current startup is different from that used for the next startup, running the reset saved-configuration command clears the configuration file used for the current startup.
– If the configuration file used for the current startup is empty, the system prompts you that the configuration file does not exist after you run the reset saved-configuration command. The switch uses the default configuration file for the next startup.
If you do not run the startup saved-configuration configuration-file command to specify a new, correct configuration file, or do not run the save command after the configuration file is cleared, the switch uses the default configuration file at the next startup.
----End

7.2.6 Comparing Configuration Files
You can compare the current configuration with the initial configuration.

Context
Do as follows on the switch:

Procedure
Step 1 Run:
compare configuration [ configuration-file ] [ current-line-number save-line-number ]
The current configuration is compared with the configuration file for the next startup.
If the configuration file for the next startup is unavailable or empty, the system reports that reading the file failed.
By default, the comparison begins at the first line of each configuration file. current-line-number and save-line-number specify the lines at which the comparison resumes, so that you can continue past differences already examined.
When the files differ, the system displays the contents of the current configuration and of the saved configuration file starting from the first differing line. If no parameter is set, 150 characters are displayed for each configuration file. If fewer than 150 characters remain from the first differing line to the end, everything after that line is displayed.
----End

7.2.7 Checking the Configuration
After managing configuration files, you can view the current configuration, the configuration file for the next startup, information about the files used for device startup, and the files on the storage device.

Prerequisite
The configuration of Managing Configuration Files is complete.

Procedure
- Run the display current-configuration command to check the current configuration.
- Run the display saved-configuration [ last ] command to check the configuration file that the switch loads the next time it starts.
- Run the display startup command to check the files used by the device upon startup.
- Run the dir [ /all ] [ filename ] command to check the files on the storage device.
----End

Example
After the configurations succeed, run the preceding commands. You should find the following results:
- The current configuration of the switch is correct, without any redundant configuration.
- The current configuration of the switch is saved on the storage device.
- The S5700 system software and configuration file that are to be loaded on the switch next time are correct and are saved in the root directory of the storage device.
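The following is an added example, not code from the Huawei guide or from the switch software. It reads the text configuration format described in 7.1.1 (a leading "!Software Version" line, command sections separated by "#" comment lines or blank lines), flags the two things a practitioner wants checked before pointing startup saved-configuration at a file (missing or mismatched version line, commands over the 512-character limit), and performs a comparison in the spirit of compare configuration from 7.2.6 (start lines, first differing line, 150 characters of each file). The two configuration texts are constructed; the commands in them are illustrative only, and compressed .zip configuration files are not handled.

```python
"""Added example (not from the Huawei guide): parse the VRP-style text
configuration format from 7.1.1 and compare two configurations the way
'compare configuration' in 7.2.6 is described. Sample texts are constructed."""

VERSION_PREFIX = "!Software Version "
MAX_CMD_LEN = 512     # 7.1.1: longest command the system runs
DISPLAY_WIDTH = 150   # 7.2.6: characters shown from the first differing line

# constructed sample: the same configuration with one changed address
CURRENT_CFG = (
    "!Software Version V100R006C00\n#\n sysname Switch\n#\n"
    "interface Vlanif1\n ip address 10.1.1.1 255.255.255.0\n#\nreturn\n")
SAVED_CFG = CURRENT_CFG.replace("10.1.1.1", "10.1.1.2")


def parse_config(text):
    """Return (version, sections). version is None when the leading
    '!Software Version' line is missing; sections are lists of command lines,
    split at '#' comment lines and blank lines as 7.1.1 describes."""
    lines = text.splitlines()
    version = None
    if lines and lines[0].startswith(VERSION_PREFIX):
        version = lines[0][len(VERSION_PREFIX):].strip()
        lines = lines[1:]
    sections, current = [], []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            if current:
                sections.append(current)
                current = []
        else:
            current.append(line.rstrip())
    if current:
        sections.append(current)
    return version, sections


def check_config(text, expected_version):
    """Problems to fix before using the file for the next startup."""
    version, sections = parse_config(text)
    problems = []
    if version is None:
        problems.append("missing '!Software Version' header")
    elif version != expected_version:
        problems.append("version %s does not match %s" % (version, expected_version))
    for section in sections:
        for cmd in section:
            if len(cmd) > MAX_CMD_LEN:
                problems.append("command longer than %d chars: %s..." % (MAX_CMD_LEN, cmd[:40]))
    return problems


def compare_configuration(current, saved, current_line=1, saved_line=1, width=DISPLAY_WIDTH):
    """Compare from the given 1-based start lines. Returns None when the
    files agree to the end, otherwise the line numbers of the first
    difference and up to `width` characters of each file from that line
    (all of the remainder when less than `width` is left)."""
    cur = current.splitlines()[current_line - 1:]
    sav = saved.splitlines()[saved_line - 1:]
    for i, (a, b) in enumerate(zip(cur, sav)):
        if a != b:
            break
    else:
        if len(cur) == len(sav):
            return None
        i = min(len(cur), len(sav))   # one file is a prefix of the other
    return {"current_line": current_line + i, "saved_line": saved_line + i,
            "current": "\n".join(cur[i:])[:width],
            "saved": "\n".join(sav[i:])[:width]}


if __name__ == "__main__":
    print(check_config(CURRENT_CFG, "V100R006C00"))
    print(compare_configuration(CURRENT_CFG, SAVED_CFG))
```

Running compare_configuration with start lines past a known difference reproduces the current-line-number / save-line-number behaviour of the command: the comparison resumes there and returns None if the remainders agree.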

8 FTP and TFTP

About This Chapter
This chapter describes the fundamentals, configuration notes, configuration procedures, and configuration examples of FTP and TFTP.

8.1 FTP and TFTP Introduction
This section describes the basic concepts of FTP and TFTP.

8.2 Configuring the Switch to Be the FTP Server
After a switch is configured with the basic functions of the FTP server, you can run an FTP client application to log in to the switch and then access files on the switch.

8.3 Configuring FTP ACL
You can configure an FTP ACL on a switch to allow only specified users to log in to the switch.

8.4 Configuring the Switch to Be the FTP Client
You can configure a switch to be an FTP client and then log in to the FTP server.

8.5 Configuring the Switch to Be the TFTP Client
You can configure a switch to be a TFTP client and then access the TFTP server.

8.6 Limiting the Access to the TFTP Server
You can configure the maximum number of TFTP servers that a TFTP client can access to determine which TFTP servers the TFTP client can log in to.

8.7 Configuration Examples
This section provides several configuration examples for FTP and TFTP together with the configuration flowchart. The configuration examples explain networking requirements, configuration procedures, and the configuration roadmap.

8.1 FTP and TFTP Introduction
This section describes the basic concepts of FTP and TFTP.

8.1.1 FTP
You can transfer files between local and remote hosts through FTP.
File Transfer Protocol (FTP) is an application layer protocol in the TCP/IP protocol suite. It implements file transfer between local and remote hosts based on their file systems. FTP is commonly used in version upgrade, log downloading, file transfer, and configuration saving.
The switch provides the following FTP services:
- FTP server service. Users can run an FTP client program to log in to the switch and access the files on the switch.
- FTP client service. Users can establish a connection with the switch by running a terminal emulation program or a Telnet program on a PC, then enter an FTP command to connect to the remote FTP server and access the files on the remote host.

8.1.2 TFTP
TFTP does not have a complex interactive access interface or authentication control. It is applicable in an environment where there is no complex interaction between the client and the server.
The Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol. Compared with FTP, TFTP has no complex interactive access interface and no authentication control, so it suits cases where the client and server do not need to interact in a complex way. For example, TFTP is used to obtain the memory image of the system when the system starts up.
TFTP is implemented on the User Datagram Protocol (UDP). The client initiates the TFTP transfer. To download files, the client sends a read request packet to the TFTP server, receives data packets from the server, and sends acknowledgements to the server. To upload files, the client sends a write request packet to the TFTP server, sends data packets to the server, and receives acknowledgements from the server.
TFTP transfers files in two formats:
- The binary format: transfers program files.
- The ASCII format: transfers text files.
At present, the S5700 serves only as the TFTP client and transfers files in the binary format.

8.2 Configuring the Switch to Be the FTP Server
After a switch is configured with the basic functions of the FTP server, you can run an FTP client application to log in to the switch and then access files on the switch.
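The read and write exchanges described in 8.1.2, as an added example that is not part of the Huawei guide or the switch software. It builds the request, data and acknowledgement packets in the RFC 1350 layout and runs the client and server sides in memory against a constructed file store (the file names and contents are made up), so it runs offline. The "octet" mode is the binary format the S5700 client uses. Note in simulate_read and simulate_write that the server never authenticates the peer: the file name is the only thing it checks, which is why access to TFTP servers is worth limiting (8.6) and why TFTP traffic belongs on a management network.

```python
"""Added example (not from the Huawei guide): the TFTP read/write exchange
from 8.1.2 with RFC 1350 packet formats, simulated in memory."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512   # RFC 1350 block size; a block shorter than this ends the transfer

# constructed server-side file store: name -> bytes
SERVER_FILES = {"s5700.cc": bytes(range(256)) * 5}   # 1280 bytes -> blocks of 512, 512, 256


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL. 'octet' is binary mode."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(pkt):
    opcode, = struct.unpack("!H", pkt[:2])
    filename, mode, _ = pkt[2:].split(b"\0", 2)
    return opcode, filename.decode(), mode.decode().lower()


def build_data(block_no, payload):
    return struct.pack("!HH", DATA, block_no & 0xFFFF) + payload


def build_ack(block_no):
    return struct.pack("!HH", ACK, block_no & 0xFFFF)


def build_error(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"


def parse_packet(pkt):
    """(opcode, block number or error code, payload) for DATA, ACK and ERROR."""
    opcode, num = struct.unpack("!HH", pkt[:4])
    return opcode, num, pkt[4:]


def simulate_read(files, filename):
    """Client download: RRQ, then server DATA / client ACK in lock step until
    a short block arrives. Returns (file bytes or None, packet log)."""
    log = [("C->S", "RRQ", filename)]
    opcode, name, mode = parse_request(build_request(RRQ, filename))
    if name not in files:   # no authentication in TFTP: the name is the only check
        op, code, _ = parse_packet(build_error(1, "File not found"))
        log.append(("S->C", "ERROR", code))
        return None, log
    data, received, block_no = files[name], b"", 0
    while True:
        block_no += 1
        chunk = data[(block_no - 1) * BLOCK: block_no * BLOCK]
        op, n, payload = parse_packet(build_data(block_no, chunk))
        log.append(("S->C", "DATA", n, len(payload)))
        if op != DATA or n != (block_no & 0xFFFF):
            raise RuntimeError("unexpected packet %d/%d" % (op, n))
        received += payload
        op, n, _ = parse_packet(build_ack(block_no))
        log.append(("C->S", "ACK", n))
        if len(payload) < BLOCK:   # an exact multiple of 512 ends with an empty block
            return received, log


def simulate_write(files, filename, data):
    """Client upload: WRQ, server ACK(0), then client DATA / server ACK."""
    log = [("C->S", "WRQ", filename)]
    opcode, name, mode = parse_request(build_request(WRQ, filename))
    op, n, _ = parse_packet(build_ack(0))
    log.append(("S->C", "ACK", n))
    stored, block_no = b"", 0
    while True:
        block_no += 1
        chunk = data[(block_no - 1) * BLOCK: block_no * BLOCK]
        op, n, payload = parse_packet(build_data(block_no, chunk))
        log.append(("C->S", "DATA", n, len(payload)))
        stored += payload
        op, n, _ = parse_packet(build_ack(block_no))
        log.append(("S->C", "ACK", n))
        if len(payload) < BLOCK:
            files[name] = stored   # anyone who can reach the server can overwrite files
            return log


if __name__ == "__main__":
    content, log = simulate_read(SERVER_FILES, "s5700.cc")
    for entry in log:
        print(*entry)
```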

8.2.1 Establishing the Configuration Task
Before configuring a switch to be the FTP server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the switch serves as the FTP server, a user who has logged in to the switch through FTP can transfer files between the client and the server.

Pre-configuration Tasks
Before configuring the switch as the FTP server, complete the following tasks:
- Powering on the switch
- Connecting the FTP client to the server

Data Preparation
To configure the switch as the FTP server, you need the following data.

No.  Data
1    (Optional) Listening port number of the FTP server
2    (Optional) Timeout period after which an idle FTP connection is closed
3    FTP username and password
4    File directory authorized to the FTP user

8.2.2 (Optional) Specifying a Port Number for the FTP Server
You can configure or change the listening port number of the FTP server.

Context
If the FTP service is not enabled, change the FTP port as required. If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and then change the FTP port. After the port number is changed, only users who know the new port number can connect. A non-standard port merely hides the service from casual probing; it is not an access control, so still restrict clients with the FTP ACL (see 8.3), configure strong local-user passwords, and disable the server when it is not in use.

NOTE
For FTP secure server connection, perform step 2.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server port port-number
The port number of the FTP server is configured.
By default, the FTP server listens on port 21. If a new listening port is configured, the FTP server closes all existing FTP connections and listens on the new port.
----End

8.2.3 Enabling the FTP Server
This section describes how to enable the FTP server.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server enable
The FTP server is enabled.

NOTE
When the file operations between clients and the switch are finished, run the undo ftp [ ipv6 ] server command to disable the FTP server function. This reduces the exposed services of the switch.
----End

8.2.4 (Optional) Configuring the Timeout Period
This section describes how to configure the timeout period of the FTP server.

Context
If the client is idle for the configured time, the FTP server closes the connection.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ftp timeout minutes
The timeout period of the FTP server is configured.
By default, the timeout value is 10 minutes.
----End

8.2.5 Configuring the Local Username and the Password
You can configure the authentication information for FTP users, which prevents unauthorized users from performing operations on the device.

Context
Do as follows on the switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password
The local username and the password are configured. The simple keyword stores the password in clear text in the configuration file; use cipher so that a saved or displayed configuration does not expose it.
----End

8.2.6 Configuring the Service Type and Authorization Information
You can configure the service type and authorization directory for FTP users, so that users cannot access directories outside the one authorized for them.

Context
Do as follows on the switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 (Optional) Run:
set default ftp-directory directory
The default FTP working directory is configured.

Step 3 Run:
aaa
The AAA view is displayed.

Step 4 Run:
local-user user-name service-type ftp

The FTP service type is configured.

Step 5 Run:
local-user user-name ftp-directory directory
The authorization directory of the FTP user is configured.
----End

8.2.7 Checking the Configuration
After configuring a switch to be the FTP server, you can view the configuration and status of the FTP server as well as information about logged-in FTP users.

Prerequisite
The configuration of the switch as the FTP server is complete.

Procedure
- Run the display [ ipv6 ] ftp-server command to check the configuration and running information of the FTP server.
- Run the display ftp-users command to check the logged-in FTP users.
----End

Example
After configuring the FTP server, run the display [ ipv6 ] ftp-server command to view the parameters of the current FTP server.
<Quidway> display ftp-server
  FTP server is running
  Max user number             5
  User count                  0
  Timeout value(in minute)    30
  Listening Port              1080
  Acl number                  0

Run the display ftp-users command to view the username, host, port number, idle time, and authorization directory of the FTP users currently logged in.
<Quidway> display ftp-users
  username  host            port  idle  topdir
  zll       100.150.1.226   1383  3     flash:

8.3 Configuring FTP ACL
You can configure an FTP ACL on a switch to allow only specified users to log in to the switch.

8.3.1 Establishing the Configuration Task
Before configuring the FTP ACL, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the switch serves as the FTP server, for security you can configure an access control list (ACL) on the switch so that only clients that meet the matching conditions can access it.

Pre-configuration Tasks
Before configuring the FTP ACL, complete the following tasks:
- Powering on the switch
- Connecting the FTP client with the server

Data Preparation
To configure the FTP ACL, you need the following data.

No.  Data
1    ACL number

8.3.2 Enabling the FTP Server
The FTP server is disabled by default. You need to enable the FTP server before using FTP functions.

Context
Do as follows on the switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server enable
The FTP server is started.
----End

8.3.3 Configuring a Basic ACL
You can configure a basic ACL and define rules by specifying the source IP address.

Context
Do as follows on the switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
acl acl-number
The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address source-wildcard | any } | time-range time-name ] *
The ACL rule is configured.
----End

8.3.4 Configuring the Basic FTP ACL
You can apply the basic ACL to the FTP server.

Context
Do as follows on the switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] acl acl-number
The basic FTP ACL is configured.

NOTE
FTP supports only the basic ACL.
----End

8.3.5 Checking the Configuration
After configuring the FTP ACL, you can view the configuration and status of the FTP server as well as information about logged-in FTP users.

Prerequisite
The configuration of the FTP ACL is complete.
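Before checking the configuration, it helps to see what the rules configured in 8.3.3 and applied in 8.3.4 actually decide. The following is an added example, not code from the Huawei guide or from the switch software: it parses rule lines in the syntax shown in 8.3.3 (the source clause only; fragment, logging and time-range are not modelled) and evaluates a client address against them first-match in rule-id order, with wildcard-mask semantics in which a 1 bit in the wildcard means "do not compare this bit". The ACL number, rule lines and client addresses are constructed. Two things are assumptions rather than facts from the guide: rules entered without a rule-id are numbered in steps of 5, and the result for a client that matches no rule is whatever is passed as `unmatched`, because the guide does not state the device's default for that case (verify it in the command reference before relying on it).

```python
"""Added example (not from the Huawei guide): basic-ACL source matching as
used by 'ftp acl' in 8.3.3/8.3.4. Rule text and addresses are constructed."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^rule(?:\s+(\d+))?\s+(permit|deny)"
    r"(?:\s+source\s+(?:(any)|(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})))?\s*$"
)
RULE_STEP = 5   # assumed auto-numbering step for rules entered without a rule-id


def parse_rule(line):
    """Parse 'rule [rule-id] { deny | permit } [ source { addr wildcard | any } ]'."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    rule_id, action, _any, addr, wildcard = m.groups()
    if addr is None:               # 'source any' or no source clause: every address matches
        care, want = 0, 0
    else:
        w = int(ipaddress.IPv4Address(wildcard))
        care = (~w) & 0xFFFFFFFF   # bits that are 0 in the wildcard are compared
        want = int(ipaddress.IPv4Address(addr)) & care
    return {"id": int(rule_id) if rule_id else None, "action": action,
            "care": care, "want": want, "text": line.strip()}


class BasicAcl:
    """A basic ACL (numbers 2000-2999) evaluated first-match in rule-id order."""

    def __init__(self, number, rule_lines, unmatched="permit"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs use numbers 2000-2999")
        if unmatched not in ("permit", "deny"):
            raise ValueError("unmatched must be permit or deny")
        self.number, self.unmatched, self.rules = number, unmatched, []
        next_id = RULE_STEP
        for line in rule_lines:
            rule = parse_rule(line)
            if rule["id"] is None:
                rule["id"] = next_id          # assumption: next free multiple of RULE_STEP
            next_id = (rule["id"] // RULE_STEP + 1) * RULE_STEP
            self.rules.append(rule)
        self.rules.sort(key=lambda r: r["id"])

    def first_match(self, client_ip):
        c = int(ipaddress.IPv4Address(client_ip))
        for rule in self.rules:
            if (c & rule["care"]) == rule["want"]:
                return rule
        return None

    def check(self, client_ip):
        """'permit' or 'deny' for the source address of an FTP client."""
        rule = self.first_match(client_ip)
        return rule["action"] if rule else self.unmatched


if __name__ == "__main__":
    # constructed: allow one management subnet, refuse everything else
    acl = BasicAcl(2345, ["rule 5 permit source 10.1.1.0 0.0.0.255",
                          "rule 10 deny source any"], unmatched="deny")
    for ip in ("10.1.1.77", "10.1.2.1"):
        print(ip, acl.check(ip))
```

Ending the ACL with an explicit "deny source any" rule, as in the constructed example, removes the dependence on the device's unmatched-client default, which is the safer way to write an ACL that guards a management service.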

Procedure
• Run the display ftp-server command to check the configuration and status of the FTP server.
NOTE
For FTP secure server connection, perform step 2, 3 and 4.
----End

Example
After configuring an FTP server, you can run the display ftp-server command and view that the ACL number allocated for the FTP server is 2345.
<Quidway> display ftp-server
FTP server is running
Max user number 5
User count 0
Timeout value(in minute) 30
Listening Port 1080
Acl number 2345
SSL security status Disabled

8.4 Configuring the Switch to Be the FTP Client
You can configure a switch to be an FTP client and then log in to the FTP server.

8.4.1 Establishing the Configuration Task
Before configuring a switch to be an FTP client, familiarize yourself with the applicable environment and complete the pre-configuration tasks. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When a switch serves as an FTP client, you can log in to the FTP server through the switch and then transmit files or manage server directories.

Pre-configuration Tasks
Before configuring the switch as an FTP client, complete the following tasks:
• Powering on the switch
• Connecting the FTP client to the server

Data Preparation
To configure the switch as an FTP client, you need the following data.
No.  Data
1    Host name or IP address of the FTP server
2    Port number of connecting FTP

No.  Data
3    FTP protocol command
4    Local file name and file name on the remote FTP server
5    Working directory name of the remote FTP server, local working directory of the FTP client, or directory name of the remote FTP server
6    Login username and password

8.4.2 Logging In to the FTP Server
You can log in to the FTP server in the user view or the FTP view.

Context
Do as follows on the switch that serves as the client:
NOTE
Before logging in to the FTP server, you can run the set net-manager vpn-instance command to configure a default VPN instance. After that, the default VPN instance is used in the FTP operation.

Procedure
Step 1 Run the following commands according to the type of the server IP address.
• If the IP address of the server is an IPv4 address, do as follows:
  – In the user view, establish a connection to the FTP server.
    Run: ftp [ host [ port-number ] [ public-net | vpn-instance vpn-instance-name ] ]
    The switch is connected to the FTP server.
  – In the FTP view, establish a connection to the FTP server.
    1. Run: ftp
       The FTP view is displayed.
    2. Run: open host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
       The switch is connected to the FTP server.
• If the IP address of the server is an IPv6 address, do as follows:
  – In the user view, establish a connection to the FTP server.
    Run: ftp ipv6 host [ port-number ]
    The switch is connected to the FTP server.
  – In the FTP view, establish a connection to the FTP server.
    1. Run: ftp

       The FTP view is displayed.
    2. Run: open ipv6 host [ port-number ]
       The switch is connected to the FTP server.
----End

8.4.3 Configuring Data Type and Transmission Mode for the File
This section describes how to configure the data type and transmission mode for the file.

Context
Do as follows on the switch that serves as the client:

Procedure
Step 1 Run: ascii | binary
The data type of the file to be transmitted is ascii or binary mode.
NOTE
The FTP server supports ASCII mode for data transmission, but on the Quidway S5700 series the user has to switch to binary mode for data transfer.
Step 2 Run: passive
The passive file transfer mode is configured.
Step 3 Run: verbose
The verbose mode for FTP is enabled. When verbose is enabled, all FTP responses are displayed. After file transmission, the statistics about transmission efficiency will be displayed.
----End

8.4.4 (Optional) Viewing Online Help of the FTP Command
This section describes how to view the online help of the FTP command.

Context
This configuration provides help information for protocol commands.

Procedure
Step 1 Run: remotehelp command
The online help of the FTP command is displayed.
----End

8.4.5 Uploading or Downloading Files
You can upload local files to a remote FTP server, download files of the FTP server, and save the files on the local device.

Context
Do as follows on the switch that serves as the client:

Procedure
Step 1 Upload or download files.
• Run: put local-filename [ remote-filename ]
  The local file is uploaded to the remote FTP server.
• Run: get remote-filename [ local-filename ]
  The FTP file is downloaded from the FTP server and saved to the local file.
----End

8.4.6 Managing Directories
You can perform management operations, such as creating and deleting directories, on the FTP server.

Context
Do as follows on the switch that serves as the client:

Procedure
Step 1 Run one or more commands in the following order to manage directories.
• Run: cd pathname
  The working path of the remote FTP server is specified.
• Run: cdup
  The working path of the FTP server is switched to the upper-level directory.
• Run: pwd
  The specified directory of the FTP server is displayed.
• Run: lcd [ local-directory ]
  The directory of the FTP client is displayed or changed.
• Run: mkdir remote-directory
  A directory is created on the FTP server.

• Run: rmdir remote-directory
  A directory is removed from the FTP server.
NOTE
• The directory to be created can comprise letters and digits, but not special characters such as <, >, ?, \ and :.
• When running the mkdir /abc command, you create a sub-directory named "abc".
----End

8.4.7 Managing Files
You can view a specified directory or file on the remote FTP server or delete a specified file from the FTP server.

Context
Do as follows on the switch that serves as the client:

Procedure
Step 1 Run one or more of the following commands to manage files.
• Run: dir [ remote-filename ] [ local-filename ]
  The specified directory or file on the FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file. When local-filename is set, related information about the file can be downloaded locally.
• Run: ls [ remote-filename ] [ local-filename ]
  The specified directory or file on the remote FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.
• Run: delete remote-filename
  The specified file on the FTP server is deleted. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.
----End

8.4.8 (Optional) Changing Login Users
This section describes how to change the username and password for remote login.

Prerequisite
This configuration must be performed in the FTP view.

Context
The username and password are of string data type. The string length for the username must be in the range of 1 to 85 case-insensitive characters and the password must be in the range of 1 to 16 case-insensitive characters.

Procedure
Step 1 Run: user username [ password ]
The current login user is changed and the user logs in again.
----End

8.4.9 Disconnecting from the FTP Server
This section describes how the client switch disconnects from the FTP server.

Prerequisite
The configurations must be performed in the FTP view.

Procedure
Step 1 Run: bye or quit
The client switch is disconnected from the FTP server. This command terminates the FTP session and returns to the user view.
Step 2 Run: close or disconnect
The client switch is disconnected from the FTP server.
----End

8.5 Configuring the Switch to Be the TFTP Client
You can configure a switch to be a TFTP client and then download files from or upload files to the TFTP server.

8.5.1 Establishing the Configuration Task
Before configuring TFTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
You can transfer files through TFTP between the server and the client in a simple interaction environment.

Pre-configuration Tasks
Before configuring TFTP, complete the following tasks:
• Powering on the switch
• Connecting the TFTP client with the server

Data Preparation
To configure TFTP, you need the following data.
No.  Data
1    IP address of the TFTP server
2    Name of the specific file in the TFTP server
3    File directory

8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client
You can configure a source IP address for a TFTP client. Then, you can set up a TFTP connection from the TFTP client to the server through a specific route by using this source IP address.

Context
Do as follows on a switch that functions as a TFTP client.

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: tftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP server must be the same as the configured one.
----End

8.5.3 Downloading Files Through TFTP
You can download files from the TFTP server to the TFTP client.

Context
Do as follows on the switch that serves as the TFTP client:

Procedure
Step 1 Run the following commands according to the type of the server IP address.
• If the IP address of the server is an IPv4 address, run: tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]
  The switch is configured to download files through TFTP.
• If the IP address of the server is an IPv6 address, run: tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] get source-filename [ destination-filename ]
  The switch is configured to download files through TFTP.
----End

8.5.4 Uploading Files Through TFTP
You can upload files from the TFTP client to the TFTP server.

Context
Do as follows on the switch that serves as the TFTP client:

Procedure
Step 1 Run the following commands according to the type of the server IP address.
• If the IP address of the server is an IPv4 address, run: tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
  The switch is configured to upload files through TFTP.
• If the IP address of the server is an IPv6 address, run: tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] put source-filename [ destination-filename ]
  The switch is configured to upload files through TFTP.
----End

8.6 Limiting the Access to the TFTP Server
You can configure the maximum number of TFTP servers that a TFTP client can access to determine which TFTP servers the TFTP client can log in to.

8.6.1 Establishing the Configuration Task
Before configuring a limit to access TFTP servers, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the switch serves as the TFTP client, you can configure the ACL on the switch. After the configuration, you can control the TFTP server to which the device can log in through TFTP.

Pre-configuration Tasks
Before configuring a limit to access the TFTP server, complete the following tasks:
• Powering on the switch
• Connecting the TFTP client to the server

Data Preparation
To configure a limit to access the TFTP server, you need the following data.
No.  Data
1    IP address of the TFTP server
2    ACL number

8.6.2 Configuring the Basic ACL
You can configure ACL rules.

Context
NOTE
TFTP supports only the basic ACL.
Do as follows on the switch that serves as the TFTP client:

Procedure
Step 1 Run: system-view

The system view is displayed.
Step 2 Run: acl acl-number
The ACL view is displayed.
Step 3 Run: rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address source-wildcard | any } | time-range time-name ] *
The ACL rule is configured.
----End

8.6.3 Configuring the Basic TFTP ACL
You can configure the basic TFTP ACL.

Context
Do as follows on the switch that serves as the TFTP client:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 According to the address type of the TFTP server, select and run one of the following two commands.
• For IPv4 addresses, run the tftp-server acl acl-number command. You can use the ACL to limit the access to the TFTP server.
• For IPv6 addresses, run the tftp-server ipv6 acl acl6-number command. You can use the ACL to limit the access to the TFTP server.
----End

8.7 Configuration Examples
This section provides several configuration examples for FTP and TFTP together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

8.7.1 Example for Configuring the FTP Server
In this example, a PC connected to a switch logs in to the FTP server by entering the correct user name and password through FTP, and then downloads files to the memory of the switch.

Networking Requirements
As shown in Figure 8-1, the local PC functions as the FTP client of which the IP address is 10.1.1.1/24. The Switch acts as the FTP server. The IP address 10.1.1.2/24 is assigned to VLANIF 10. VLAN 10 is created on the Switch and GigabitEthernet0/0/1 is added to VLAN 10. The PC uploads files to the Switch.

Figure 8-1 Networking diagram of the Switch functioning as the FTP server
[Figure: PC (FTP client) connected over Ethernet through an L2 switch to the Switch (FTP server, VLAN10); an FTP session runs between the PC and the Switch]

Switch       Interface             VLANIF interface   IP address
FTP Server   GigabitEthernet0/0/1  VLANIF 10          10.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the correct FTP user name and password on the Switch that functions as the FTP server.
2. Log in to the Switch through FTP from the PC.
3. Upload files to the FTP server.

Data Preparation
To complete the configuration, you need the following data:
• IP address of the FTP server
• Name of the FTP user set as u1 and the password set as ftppwd on the server
• Correct path of the source file on the PC
• Name of the destination file and position where the destination files are located on the Switch

Procedure
Step 1 Create VLAN 10 on the Switch and assign the IP address 10.1.1.2/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10

[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.2 24
Step 2 Start the FTP server on the Switch, and set the FTP user name to u1 and the password to ftppwd.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user u1 password simple ftppwd
[Quidway-aaa] local-user u1 service-type ftp
[Quidway-aaa] local-user u1 ftp-directory flash:/
[Quidway-aaa] return
Step 3 On the PC, initiate a connection to the Switch with the user name u1 and the password ftppwd. Windows XP is used on the FTP client to illustrate the following operations.
C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready.
User (10.1.1.2:(none)): u1
331 Password required for u1
Password:
230 User logged in.
ftp>
Step 4 Set the mode of transferring files to binary and the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
Step 5 Upload d006.cc and vrpcfg.cfg to the Switch from the PC.
ftp> put d006.cc d006.cc
200 Port command okay.
150 Opening BINARY mode data connection for d006.cc.
ftp> put vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
ftp> quit
C:\WINDOWS\Desktop>
----End

Configuration Files
#
 sysname Quidway
#
 FTP server enable
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
aaa
 local-user u1 password simple ftppwd
 local-user u1 ftp-directory flash:/
 local-user u1 service-type ftp
#
return

8.7.2 Example for Configuring an ACL of the FTP Server
In this example, an ACL is configured to allow only a certain host to log in to the FTP server.

Networking Requirements
As shown in Figure 8-2, the IP address of the FTP server is 172.16.104.110/24. The routes between PC1, PC2, and the FTP server are reachable. On the S5700 that functions as the FTP server, it is required that the FTP server should permit only PC1 with the IP address 172.16.104.111 to download and upload files through FTP, and PC2 should not connect to the FTP server after the ACL is configured.

Figure 8-2 Networking diagram for configuring an ACL of the FTP server
[Figure: FTP Server 172.16.104.110/24; PC1 172.16.104.111/24; PC2]

Configuration Roadmap
The configuration roadmap is as follows:
1. Perform basic configurations on the FTP server.
2. Configure the ACL on the FTP server.

Data Preparation
To complete the configuration, you need the following data:
• Name of the FTP user set as u1 and password set as huawei on the server
• Number of the ACL

Procedure
Step 1 Configure basic FTP functions. For details, see 8.7.1 Example for Configuring the FTP Server.
Step 2 Configure an ACL.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 172.16.104.111 0.0.0.0

[Quidway-acl-basic-2001] quit
Step 3 Configure the ACL supported by the FTP server.
[Quidway] ftp acl 2001
Step 4 Connect PC1 to the FTP server. This step needs to be performed on the DOS prompt of the PC.
c:\ ftp 172.16.104.110
Connected to 172.16.104.110.
220 FTP service ready.
User (100.150.40:(none)):u1
331 Password required for u1
Password:
230 User logged in.
ftp>
Step 5 Connect PC2 to the FTP server. This step needs to be performed on the DOS prompt of the PC.
c:\ ftp 172.16.104.110
Connected to 172.16.104.110.
Info:Connection was denied by remote host according to ACL!
Connection closed by remote host.
----End

Configuration Files
Configuration file of the FTP server
#
 sysname Quidway
#
 FTP server enable
 FTP acl 2001
#
acl number 2001
 rule 5 permit source 172.16.104.111 0
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 local-user u1 password simple huawei
 local-user u1 ftp-directory flash:/
 local-user u1 service-type ftp
#
return

8.7.3 Example for Configuring the FTP Client
In this example, a switch is configured to be an FTP client. Then, the switch logs in to the FTP server and downloads system software and configuration software.
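The basic ACL rules used in 8.3.3, 8.3.4, 8.6.2, 8.6.3 and the example above all follow the same source/wildcard matching model. The following Python script is an added illustration, not code from the guide or from Huawei: it parses rule lines written in the syntax shown in this chapter, applies wildcard-mask semantics (a 1 bit in the wildcard means "do not care"), evaluates rules in rule-id order, and falls back to deny when nothing matches, which is what the example shows for PC2. The rule-id auto-assignment in steps of 5 mirrors how "rule permit source 172.16.104.111 0.0.0.0" appears as "rule 5 permit source 172.16.104.111 0" in the configuration file on this page. The sample rules and client addresses below are constructed for the illustration; only PC1's address comes from the example.

```python
import ipaddress
import re

# Constructed sample rules in the syntax this chapter uses. The bare "0" wildcard is
# the shorthand the configuration file on this page shows for 0.0.0.0 (host match).
SAMPLE_RULES = [
    "rule permit source 172.16.104.111 0",         # PC1 from the example (host match)
    "rule deny source 172.16.104.0 0.0.0.255",     # everything else in PC1's /24
    "rule permit source 172.16.0.0 0.0.255.255",   # other hosts in 172.16.0.0/16
]

RULE_RE = re.compile(
    r"^rule(?:\s+(?P<id>\d+))?\s+(?P<action>permit|deny)\s+source\s+"
    r"(?:(?P<any>any)|(?P<addr>\d+(?:\.\d+){3})\s+(?P<wc>\d+(?:\.\d+){3}|0))"
    r"(?:\s+.*)?$"
)

RULE_STEP = 5  # step used when a rule is entered without an explicit rule-id


def parse_rules(lines):
    """Parse basic-ACL source rules into dicts sorted by rule id.

    Rules written without an id get the next multiple of RULE_STEP above the
    current highest id (5, 10, 15, ...), matching the numbering in the config file.
    """
    rules = []
    next_id = RULE_STEP
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("not a basic ACL source rule: %r" % line)
        rule_id = int(m.group("id")) if m.group("id") else next_id
        next_id = (rule_id // RULE_STEP + 1) * RULE_STEP
        if m.group("any"):
            addr, wc = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(m.group("addr")))
            wc = 0 if m.group("wc") == "0" else int(ipaddress.IPv4Address(m.group("wc")))
        rules.append({"id": rule_id, "action": m.group("action"), "addr": addr, "wc": wc})
    rules.sort(key=lambda r: r["id"])
    return rules


def source_matches(rule, ip_int):
    """Wildcard semantics: bits set to 1 in the wildcard are ignored in the comparison."""
    return (ip_int ^ rule["addr"]) & ~rule["wc"] & 0xFFFFFFFF == 0


def check_access(rule_lines, client_ip, default="deny"):
    """Return (action, rule_id) of the first matching rule, or (default, None).

    The FTP ACL example on this page refuses PC2, which matches no rule, so the
    fallback here is deny; pass default="permit" to model a service that differs.
    """
    ip_int = int(ipaddress.IPv4Address(client_ip))
    for rule in parse_rules(rule_lines):
        if source_matches(rule, ip_int):
            return rule["action"], rule["id"]
    return default, None


if __name__ == "__main__":
    # Constructed client addresses; only 172.16.104.111 (PC1) is from the example.
    for host in ("172.16.104.111", "172.16.104.112", "172.16.7.1", "10.1.1.1"):
        print(host, check_access(SAMPLE_RULES, host))
```

Running the script prints permit via rule 5 for PC1, deny via rule 10 for another host in PC1's subnet, permit via rule 15 for a host elsewhere in 172.16.0.0/16, and deny with no matching rule for 10.1.1.1. The same evaluation applies to the TFTP ACL of 8.6: a single host rule with wildcard 0 is the tightest form, and a wildcard such as 0.0.0.255 opens the whole subnet.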

Networking Requirements
As shown in Figure 8-3, the remote server at 10.1.1.2 serves as the FTP server. The Switch acts as the FTP client. The Switch and the FTP server are directly connected and on the same network segment. The Switch has a reachable route to the FTP server. Interfaces ranging from GigabitEthernet0/0/1 to GigabitEthernet0/0/4 can be used to set up FTP connections and they share the IP address 10.1.1.1. The Switch downloads files from the FTP server.

Figure 8-3 Networking diagram of the Switch functioning as the FTP client
[Figure: the Switch (FTP client) connected to the PC (FTP server) by a configuration cable; an FTP session runs between them]

Configuration Roadmap
The configuration roadmap is as follows:
1. Log in to the FTP server from the FTP client.
2. Download files from the server to the storage device of the client.

Data Preparation
To complete the configuration, you need the following data:
• IP address of the FTP server
• Name of the destination file and position where the destination files are located on the Switch
• Name of the FTP user set as u1 and the password set as ftppwd on the client

Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to ftppwd.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1 to VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/2] quit
[Quidway] interface gigabitethernet 0/0/3

[Quidway-GigabitEthernet0/0/3] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/3] quit
[Quidway] interface gigabitethernet 0/0/4
[Quidway-GigabitEthernet0/0/4] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/4] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/4] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.3 24
Step 3 On the Switch, initiate a connection to the FTP server with the user name tpuser and the password ftppwd.
<Quidway> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]
Step 4 On the Switch, set the mode of transferring files to binary and the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.
Step 5 Download the vrpcfg.cfg file from the remote FTP server on the Switch.
[ftp] get vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
226 Transfer complete.
FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
<Quidway>
----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/3
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/4
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10

#
return

8.7.4 Example for Configuring the TFTP Client
In this example, the TFTP application is run on the TFTP server and the location of the source file on the server is set. After that, you can upload and download files.

Networking Requirements
As shown in Figure 8-4, the remote server at 10.1.1.2 functions as the TFTP server. The Switch acts as a TFTP client; the Switch cannot function as the TFTP server. VLAN 10 is created on the Switch, and GigabitEthernet0/0/1 is added to VLAN 10. The IP address 10.1.1.1/24 is assigned to VLANIF 10. The Switch downloads files from the TFTP server.

Figure 8-4 Networking diagram for configuring TFTP
[Figure: the Switch (TFTP client) connected to the PC (TFTP server) by a configuration cable; a TFTP session runs between them]

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the position where the source file is located on the Switch.
2. Download files through TFTP commands on the Switch.

Data Preparation
To complete the configuration, you need the following data:
• TFTP software installed on the TFTP server
• Path of the source file on the TFTP server
• Name of the destination file and position where the destination file is located on the Switch

Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1

[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 24
Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server. Please wait...
----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return

9 Telnet and SSH

About This Chapter
Telnet and SSH can provide a terminal which enables users to remotely log in to and access a server.

9.1 Telnet and SSH Introduction
This section explains basic concepts of user login by means of Telnet and SSH.

9.2 Configuring Telnet Terminal Services
This section explains how to log in to a switch by means of Telnet and configure the switch.

9.3 Configuring SSH Users
SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH servers.

9.4 Configuring the SSH Server Function
This section describes how to configure the SSH server. STelnet or SFTP must first be enabled on the SSH server.

9.5 Configuring the STelnet Client Function
This section describes how to configure the STelnet client. A secure connection between the client and server can be established through negotiation, and the client will be able to log in to the server similarly to using Telnet services.

9.6 Configuring the SFTP Client Function
This section explains how to configure the SFTP client. The authentication and bidirectional data encryption of the SFTP client can be manually configured, which will ensure secure file transmission on the network.

9.7 Configuring the SCP Client
This section describes how to configure the SCP client. The SCP client sets up a secure connection with the SCP server so that the client can upload files to the server or download files from the server.

9.8 Configuration Examples
This section provides configuration examples for Telnet and SSH along with a configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

9.1 Telnet and SSH Introduction
This section explains basic concepts of user login by means of Telnet and SSH.

9.1.1 Overview of User Login
You can locally or remotely log in to a switch through the console port, Telnet, or SSH. To configure, monitor, and maintain the local or remote S5700, you need to configure the user interface, the user management, and the terminal service. The user interface provides a login plane. The user management guarantees the login security and the terminal service provides related processes of the login protocol.

The S5700 supports the following login methods:
• Login through the console port
• Local or remote login through Telnet or SSH

9.1.2 Telnet Terminal Services
The S5700 provides Telnet services including Telnet server and Telnet client.

Telnet Services
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and a virtual terminal service through the network.

The S5700 provides the following Telnet services:
• Telnet server: You can run the Telnet client program on a PC to log in to the switch, configure and manage it. The switch acts as a Telnet server.
• Telnet client: You can run the terminal emulation program or the Telnet client program on a PC to connect with the switch. With the telnet command, you can log in to other switches to configure and manage them. As shown in Figure 9-1, Switch A serves as both the Telnet server and the Telnet client.

Figure 9-1 Telnet client services
[Figure: PC runs Telnet Session 1 to SwitchA (Telnet server); SwitchA runs Telnet Session 2 to SwitchB]

9.1.3 SSH Terminal Services
The S5700 supports the basic SSH protocol, the client function, the SFTP protocol, the STelnet protocol and SCP.

Introduction to SSH
SSH works at the application layer in the TCP/IP protocol suite. Based on TCP connections, SSH provides remote login and virtual terminal on the network where security is guaranteed. Different from Telnet and FTP terminal services, SSH guarantees security and provides authentication for transmitted information, preventing the following attacks shown in Figure 9-2:
• IP spoofing
• Interception of the password in plain text
• Denial of Service (DoS)

Figure 9-2 Establishing a local SSH connection between the PC and the S5700
[Figure: PC (SSH client) connected over Ethernet through an L2 switch to the Switch (SSH server, VLAN1); an SSH session runs between them]

In the figure, the Switch is an S5700. The Switch, as the SSH server, can be connected to multiple PCs that function as SSH clients. A Layer 2 switch may exist between the PC and the SSH server. In the actual networking, a route is required to be reachable between the PC and the Switch.

SSH adopts the client/server model and sets up multiple secure transmission channels. SSH provides secure remote access on a network where security is not otherwise guaranteed.

Advantages of SSH
The applications of SSH include STelnet and SFTP. The advantages of SSH are described as follows:
• STelnet client functions
  There is a potential security risk in login through Telnet because there is no authentication and the data transmitted through TCP is in plain text. The insecure access results in malicious attacks including DoS attacks, IP spoofing attacks, and route spoofing attacks. SSH provides secure remote access on an insecure network by supporting the following functions:
  – Supporting Rivest-Shamir-Adleman Algorithm (RSA) authentication

  – Supporting Data Encryption Standard (DES) and 3DES
  – Supporting the encrypted transfer of the user name or password
  – Supporting the encrypted transfer of interactive data
  SSH adopts RSA. After the public key and the private key are generated according to the encryption principle of the asymmetric encryption system, the following information is transmitted with security between the SSH client and the SSH server:
  – Key
  – User name or password
  – Interactive data
  NOTE
  Single DES, the MD5-based HMACs, the diffie-hellman-group1 key exchange and SSH protocol version 1.x are weak by current standards. Where both ends support it, prefer AES (aes128), the SHA-1 HMACs and SSH 2.0, and keep SSH1.x compatibility on the server disabled unless a legacy client requires it (see 9.4.5).
- SFTP client functions
  SFTP provides the following types of applications:
  – By using SFTP, you can securely log in to the S5700 to manage files from the remote device. In this manner, the security of data transmission is improved when files need to be transferred during the upgrade of the remote system.
  – The S5700 can function as the client to log in to the remote device through SFTP to transfer files with security. Data transfer in this mode is much safer for remote system update.
- SCP client
  SCP enables you to log in to the device securely from a remote device to upload or download files. Unlike SFTP, SCP simplifies the file transfer process by combining user authentication and file transfer, thus improving the configuration efficiency. In addition, SCP provides the client function so that a local device can log in to a remote device for secure data transfer.

Setting Up an SSH Connection
The procedure for setting up an SSH connection is as follows:
1. Negotiating the SSH version
2. Negotiating the key
3. Authenticating the user identity
4. Initiating a session request
5. Performing the interactive session

9.2 Configuring Telnet Terminal Services
This section explains how to log in to a switch by means of Telnet and configure the switch.

9.2.1 Establishing the Configuration Task
Before configuring Telnet terminal services, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
To remotely log in to the switch through the Telnet protocol for maintenance and management, you need to configure Telnet terminal services.

Pre-configuration Tasks
Before configuring Telnet terminal services, complete the following tasks:
- Ensuring that the switch runs normally
- Ensuring that the IP addresses of interfaces on the switch are configured correctly
- Configuring the user account, the correct login authentication mode, and the call-in and call-out restriction
- Ensuring that reachable routes exist between the terminal and the switch

Data Preparation
To configure Telnet terminal services, you need the following data.

No.  Data
1    IP address of the switch
2    Name of the VPN instance
3    IPv4/IPv6 address or host name of the remote switch
4    Number of the TCP port that is used by the remote switch to provide Telnet services
5    (Optional) Timeout period after which the server terminates the connection with the user interface
6    (Optional) Source IP address or source interface of the device functioning as a Telnet client

9.2.2 Enabling the Telnet Service
Before establishing a Telnet connection with the server, you need to enable the Telnet service.

Context
Do as follows on the switch that serves as a Telnet server.
Select and perform one of the following two steps for IPv4 or IPv6.

Procedure
- For the IPv4 network
  1. Run:
     system-view
     The system view is displayed.

  2. Run:
     telnet server enable
     The Telnet service is enabled.
     NOTE
     - By default, the function of the Telnet server is enabled.
     - If the undo telnet server enable command is run when Telnet login is in progress, the command does not take effect.
     - After the Telnet server function is disabled, you can log in to the device only through SSH or an asynchronous serial interface rather than through Telnet.
     - Because the Telnet server is enabled by default and Telnet carries credentials in plain text, disable it with undo telnet server enable once SSH access (9.3 and 9.4) has been verified to work.
- For the IPv6 network
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     telnet ipv6 server enable
     The Telnet service is enabled.
     NOTE
     - By default, the function of the Telnet server is enabled.
     - If the telnet ipv6 server enable command is run when Telnet login is in progress, the command does not take effect.
     - After the Telnet server function is disabled, you can log in to the device only through SSH or an asynchronous serial interface rather than through Telnet.
----End

9.2.3 Establishing a Telnet Connection
You can log in to and manage a switch through Telnet.

Context
Do as follows on the switch that serves as a Telnet client.
Select and perform one of the following two steps for IPv4 or IPv6.

Procedure
- Run:
  telnet [ vpn-instance vpn-instance-name ] host-name [ port-number ]
  Log in to the switch and manage other switches.
- Run:
  telnet ipv6 host-name [ port-number ]
  Log in to the switch and manage other switches.
----End

9.2.4 (Optional) Configuring a Telnet Server Port Number
A user can configure or change the Telnet server port number. After the port number is changed, only the user knows the port number, improving security. Note that moving the port only keeps the service out of scans of the default port; it is not an access control, so the authentication mode and the call-in restriction on the user interfaces remain necessary.

Context
Do as follows on the switch that functions as a Telnet server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
telnet server port port-number
A Telnet server port number is set.
By default, the Telnet server port number is 23. If a new port number is set, the Telnet server terminates all established Telnet connections, and then uses the new port number to listen to new requests for Telnet connections.
----End

9.2.5 (Optional) Scheduled Telnet Disconnection
You can set the idle-timeout period for Telnet connections. In this manner, if the Telnet connections keep idle during the specified period, the system automatically terminates the Telnet connections.

Context
Do as follows on the switch whose user interfaces accept the Telnet connections, that is, the Telnet server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 3 Run:
idle-timeout minutes [ seconds ]
The scheduled Telnet disconnection is enabled.
----End
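The checks in 9.2.6 below are done by reading command output by eye. As an added example that is not part of the Huawei guide, the following Python script reads the two outputs the guide uses, display telnet server status and display tcp status, and reports whether Telnet is enabled, whether its port is actually listening, and which peers have plain-text sessions open. Both sample outputs are constructed in the layout shown in 9.2.6; the addresses and the extra SSH row are made up.

```python
"""Added example, not part of the Huawei guide: check Telnet exposure on an
S5700 from the two command outputs that 9.2.6 uses, 'display telnet server
status' and 'display tcp status'.  Both samples below are constructed in the
layout the guide shows; the addresses and the extra SSH row are made up."""
import re
from dataclasses import dataclass

TELNET_STATUS = """\
TELNET IPV4 server :Enable
TELNET IPV6 server :Enable
TELNET server port :23
"""

TCP_STATUS = """\
TCPCB     Tid/Soid  Local Add:port       Foreign Add:port     VPNID  State
39952df8  36 /1509  0.0.0.0:21           0.0.0.0:0            0      Closed
32af9074  59 /1     0.0.0.0:23           0.0.0.0:0            0      Listening
34042c80  73 /17    10.164.39.99:23      10.164.6.13:1147     0      Established
2c1a8f00  80 /3     10.164.39.99:22      10.164.6.20:50112    0      Established
"""


@dataclass
class TcpEntry:
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    state: str


# One data row: TCPCB, Tid/Soid, local addr:port, foreign addr:port, VPNID, state.
TCP_ROW = re.compile(
    r"^\s*[0-9a-f]+\s+\d+\s*/\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s+\d+\s+(?P<state>\w+)", re.IGNORECASE)


def parse_telnet_status(text):
    """display telnet server status -> {'ipv4': bool, 'ipv6': bool, 'port': int}."""
    info = {"ipv4": False, "ipv6": False, "port": 23}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().upper(), value.strip().lower()
        if key == "TELNET IPV4 SERVER":
            info["ipv4"] = value == "enable"
        elif key == "TELNET IPV6 SERVER":
            info["ipv6"] = value == "enable"
        elif key == "TELNET SERVER PORT":
            info["port"] = int(value)
    return info


def parse_tcp_status(text):
    """display tcp status -> list of TcpEntry; the header line does not match the row pattern."""
    entries = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            entries.append(TcpEntry(m["laddr"], int(m["lport"]), m["faddr"],
                                    int(m["fport"]), m["state"].capitalize()))
    return entries


def telnet_findings(telnet_status_text, tcp_status_text):
    """Cross-check the two outputs: is Telnet on, is its port really listening,
    and who is connected to it right now (plain-text sessions worth knowing about)."""
    status = parse_telnet_status(telnet_status_text)
    entries = parse_tcp_status(tcp_status_text)
    port = status["port"]
    findings = []
    if status["ipv4"] or status["ipv6"]:
        findings.append(f"telnet server enabled on port {port}: credentials cross the network in plain text")
    if any(e.local_port == port and e.state == "Listening" for e in entries):
        findings.append(f"port {port} is in Listening state")
    for e in entries:
        if e.local_port == port and e.state == "Established":
            findings.append(f"active telnet session from {e.foreign_addr}:{e.foreign_port}")
    if any(e.local_port == 21 and e.state == "Listening" for e in entries):
        findings.append("ftp (port 21) listening: plain-text file transfer, prefer sftp")
    return findings


if __name__ == "__main__":
    for finding in telnet_findings(TELNET_STATUS, TCP_STATUS):
        print(finding)
```

The port is taken from display telnet server status rather than assumed to be 23, so the check still works after the port has been moved with telnet server port (9.2.4); a Listening entry on that port with the server reported as disabled would indicate that a disable attempted during an active login did not take effect, which is the case 9.2.2 warns about.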

9.2.6 Checking the Configuration
After configuring Telnet terminal services, you can view the connection status of the current user interface, the connection status of each user interface, and the status of all established TCP connections.

Prerequisite
The configuration of Telnet Terminal Services is complete.

Procedure
- Run the display users command to check information about connected users.
- Run the display users all command to check information about all users, including connected and disconnected users.
- Run the display tcp status command to check TCP connections.
- Run the display telnet server status command to check the configuration and status of the Telnet server.
----End

Example
Run the display tcp status command to view TCP connections. In the command output, Established indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB     Tid/Soid  Local Add:port       Foreign Add:port     VPNID  State
39952df8  36 /1509  0.0.0.0:21           0.0.0.0:0            0      Closed
32af9074  59 /1     0.0.0.0:0            0.0.0.0:0            14849  Listening
34042c80  73 /17    10.164.39.99:23      10.164.6.13:1147     0      Established

Run the display telnet server status command to view the configuration and status of the Telnet server.
<Quidway> display telnet server status
TELNET IPV4 server :Enable
TELNET IPV6 server :Enable
TELNET server port :23

9.3 Configuring SSH Users
SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH servers.

9.3.1 Establishing the Configuration Task
Before configuring SSH users, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The STelnet or SFTP client can log in to the SSH server to perform operations only after SSH users are correctly configured on the SSH server.

Pre-configuration Tasks
Before configuring SSH users, complete the following tasks:
- Creating a local user
- Configuring an RSA public key for the SSH client on the SSH server

Data Preparation
To configure SSH users, you need the following data.

No.  Data
1    Name and password of SSH users
2    Authentication mode of SSH users
3    Service type of SSH users
4    Name of the peer RSA public key assigned to SSH users
5    Operating directory of the SFTP service for SSH users

9.3.2 Creating SSH User
AAA does not support RSA authentication. Therefore, when RSA authentication or password-rsa authentication is adopted, you need to create an SSH user. When password authentication is adopted, you need to create a local user with the same name in the AAA view.

Context
NOTE
Besides creating an SSH user separately, you can also create an SSH user when you configure the following:
- Configuring the Authentication Mode for SSH Users
- Configuring the Service Type of SSH Users

Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh user user-name

If you want to create an SSH user in the password authentication mode, you need to create a local user with the same name in the AAA view.
1. Run:
   aaa
   The AAA view is displayed.
2. Run:
   local-user user-name password { simple | cipher } password
   The name and password of the local user are created. Use cipher rather than simple: with simple, the password is stored in clear text in the configuration file and is visible to anyone who can read or display the configuration.
----End

9.3.3 Configuring SSH for the VTY User Interface
You can configure SSH for the VTY user interface.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
Step 3 Run:
authentication-mode aaa
The AAA authentication mode is configured.
NOTE
The authentication mode of the VTY user interface must be set to AAA. Otherwise, the protocol inbound ssh command cannot be configured successfully.
Step 4 Run:
protocol inbound ssh
The VTY is configured to support SSH. Apply this to every VTY user interface that should be reachable from the network; a VTY left at protocol inbound all still accepts Telnet.
----End

9.3.4 Generating a Local RSA Key Pair
You need to create an RSA key pair before configuring SSH.

Context
Do as follows on the switches that serve as a client or a server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
rsa local-key-pair create
A local RSA key pair is generated.
NOTE
To log in to an SSH server, you must run the rsa local-key-pair create command to generate a local key pair. Before performing the other SSH configurations, the local RSA key pair must be configured and generated first.
----End

9.3.5 Configuring the Authentication Mode for SSH Users
You can configure the password or RSA authentication mode for SSH users.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
The authentication mode for SSH users is configured.
Perform the following as required:
- Authenticate the SSH user through the password.
  – Run:
    ssh user user-name authentication-type password
    The password authentication is configured for the SSH user.
  – Run:
    ssh authentication-type default password
    The default password authentication is configured for the SSH user.
  For the local authentication or HWTACACS authentication, if the number of SSH users is small, you can adopt the former command; if the number of SSH users is large, adopt the latter command to simplify the configuration.
- Authenticate the SSH user through RSA.
  1. Run:
     ssh user user-name authentication-type rsa

     The RSA authentication is configured for the SSH user.
  2. Copy the RSA public key to the switch that serves as the SSH server. Transfer it over a trusted channel (for example the console), or compare it with the display rsa local-key-pair public output on the client before assigning it: a key pasted from an untrusted source grants login to whoever holds the matching private key.
  3. Run:
     rsa peer-public-key key-name
     The public key view is displayed.
  4. Run:
     public-key-code begin
     The public key editing view is displayed.
  5. Run:
     hex-data
     The public key is edited.
  6. Run:
     public-key-code end
     Quit the public key editing view.
  7. Run:
     peer-public-key end
     Return to the system view from the public key view.
  8. Run:
     ssh user user-name assign rsa-key key-name
     The public key is assigned to the SSH user.
  NOTE
  - After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.
  - If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run. If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.
  - Before the peer RSA public key is assigned to the SSH users, the SSH server must be configured and the peer RSA public key must be the RSA public key of the SSH client.
----End

9.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users
You can configure the interval for updating the server key pair, the timeout period of the SSH authentication, and the retry times of the SSH authentication.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh server rekey-interval interval
The interval for updating the server key pair is configured.
By default, the interval for updating the key pair of the SSH server is 0, which indicates no updating.
Step 3 Run:
ssh server timeout seconds
The timeout period of the SSH authentication is set.
By default, the timeout period is 60 seconds.
Step 4 Run:
ssh server authentication-retries times
The number of retry times of the SSH authentication is set.
By default, the retry times is 3. Raising it gives a password guesser more attempts per connection; keep it at the default or lower.
----End

9.3.7 (Optional) Authorizing SSH Users Through the Command Line
If RSA authentication is adopted, you need to configure command line authorization for SSH users.

Context
NOTE
There are four authentication modes for an SSH user, namely, password, rsa, password-rsa, and all. This section describes how to configure the command line authorization for RSA authentication. For details of the configuration of the command line authorization for password authentication, refer to the chapter "AAA and User Management" in the Quidway S5700 Series Configuration Guide - Security.

Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
----End

Follow-up Procedure
After configuring the authorization through command lines for the SSH user to perform RSA authentication, you have to configure the AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.

9.3.8 Configuring the Service Type of SSH Users
You can set the service type of SSH users to SFTP, STelnet, or all. Grant only the service a user needs: a file-transfer account needs sftp, not all.

Context
Do as follows on the switch that functions as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh user username service-type { sftp | stelnet | all }
The service type for the SSH user is configured.
By default, the service type of the SSH user is not configured.
----End

9.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users
You can configure a directory as an authorized directory to allow SSH users to use SFTP services.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for SSH users is configured.
By default, the authorized directory of the SFTP service for SSH users is Flash.
----End
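The Telnet settings of 9.2.2 and 9.2.5 and the SSH user and VTY settings of 9.3.2, 9.3.3, 9.3.5 and 9.3.8 end up as lines in the running configuration, which makes them easy to audit. The following Python linter is an added example and not part of the Huawei guide. It reads a configuration excerpt written in the style of the switch's configuration file (the excerpt is constructed) and reports the settings a reviewer would flag. Two rules are assumptions taken from the defaults the guide states: the Telnet server (9.2.2) and SSH1.x compatibility (9.4.5) are treated as enabled unless an explicit undo line is present.

```python
"""Added example, not part of the Huawei guide: a small linter for an S5700
configuration excerpt covering the Telnet and SSH settings from 9.2.2, 9.2.5,
9.3.2, 9.3.3, 9.3.5 and 9.3.8.  The excerpt is constructed in the style of the
switch's configuration file.  Assumption: a Telnet server and SSH1.x
compatibility count as enabled unless an explicit 'undo ...' line appears,
which follows the defaults the guide states."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
#
 sysname S5700-A
#
aaa
 local-user client001 password simple Example123
 local-user client002 password cipher %$%$redacted%$%$
#
 ssh user client001 authentication-type password
 ssh user client001 service-type sftp
 ssh user client001 sftp-directory flash:/sftp
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key client002key
 ssh user client002 service-type stelnet
 ssh user client003 service-type all
 stelnet server enable
 sftp server enable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 10 0
user-interface vty 5 9
 authentication-mode password
 protocol inbound all
#
return
"""

VTY_RE = re.compile(r"^user-interface vty (\d+)(?: (\d+))?$")
SSH_USER_RE = re.compile(
    r"^ssh user (\S+) (authentication-type|service-type|assign rsa-key|"
    r"sftp-directory|authorization-cmd) (\S+)")
LOCAL_USER_RE = re.compile(r"^local-user (\S+) password (simple|cipher) ")


def parse_config(text):
    """Split the excerpt into top-level lines, VTY blocks keyed by their range,
    SSH users with their per-user settings, and local users stored with 'simple'."""
    top, vtys, ssh_users, simple_users = set(), {}, defaultdict(dict), []
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            block = None
            continue
        m = VTY_RE.match(line)
        if m:
            block = f"vty {m[1]}" + (f" {m[2]}" if m[2] else "")
            vtys[block] = {}
            continue
        if line.startswith("user-interface"):
            block = None            # console and other interfaces are out of scope here
            continue
        if block:
            key, _, value = line.partition(" ")
            vtys[block][key] = value
            continue
        m = SSH_USER_RE.match(line)
        if m:
            ssh_users[m[1]][m[2]] = m[3]
            continue
        m = LOCAL_USER_RE.match(line)
        if m:
            if m[2] == "simple":
                simple_users.append(m[1])
            continue
        top.add(line)
    return top, vtys, ssh_users, simple_users


def timeout_disabled(value):
    """idle-timeout absent, or every field zero, means sessions never time out."""
    return value is None or all(int(x) == 0 for x in value.split())


def lint(text):
    top, vtys, ssh_users, simple_users = parse_config(text)
    f = []
    if "undo telnet server enable" not in top:
        f.append("telnet server enabled (default): run 'undo telnet server enable' once SSH works")
    if "undo ssh server compatible-ssh1x enable" not in top:
        f.append("SSH1.x compatibility enabled (default): run 'undo ssh server compatible-ssh1x enable'")
    for name, s in vtys.items():
        if s.get("authentication-mode") != "aaa":
            f.append(f"{name}: authentication-mode {s.get('authentication-mode', 'unset')}, expected aaa")
        if s.get("protocol") != "inbound ssh":
            f.append(f"{name}: protocol inbound not restricted to ssh")
        if timeout_disabled(s.get("idle-timeout")):
            f.append(f"{name}: no idle-timeout, idle sessions are never cut")
    for user, s in ssh_users.items():
        auth = s.get("authentication-type")
        if auth is None:
            f.append(f"ssh user {user}: no authentication-type, relies on the default")
        elif auth in ("rsa", "password-rsa", "all") and "assign rsa-key" not in s:
            f.append(f"ssh user {user}: {auth} authentication but no rsa-key assigned")
        if s.get("service-type") == "all":
            f.append(f"ssh user {user}: service-type all, narrow to stelnet or sftp if one suffices")
        elif "service-type" not in s:
            f.append(f"ssh user {user}: no service-type configured")
    for user in simple_users:
        f.append(f"local-user {user}: password stored with 'simple' (clear text), use cipher")
    return f


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Run against the excerpt, the linter passes the vty 0 4 block and flags vty 5 9 (password authentication, protocol inbound all, no idle-timeout), the user client003 (no authentication type, service-type all) and the local user whose password is stored with simple. The same function returns an empty list for a configuration in which every VTY uses authentication-mode aaa and protocol inbound ssh with an idle-timeout, and both undo lines are present.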

9.3.10 Checking the Configuration
After configuring SSH users, you can view SSH user information.

Prerequisite
The configuration of SSH Users is complete.

Procedure
- Run the display ssh user-information command to check the information about the SSH clients on the SSH server.
- Run the display ssh user-information username command to check the information about the specified SSH client on the SSH server.
----End

Example
Run the display ssh user-information username command. It shows that the SSH user named client001 is authenticated by password, and its service type is sftp.
[Quidway] display ssh user-information client001
 User Name            : client001
 Authentication-type  : password
 User-public-key-name : -
 Sftp-directory       : -
 Service-type         : sftp
 Authorization-cmd    : No

9.4 Configuring the SSH Server Function
This section describes how to configure the SSH server.

9.4.1 Establishing the Configuration Task
Before configuring the SSH server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Before a client can log in to the SSH server, the corresponding service must first be enabled on the SSH server: you must enable STelnet, SFTP, or SCP on the SSH server. You can change the number of the port monitored by the SSH server to another port number. This can prevent attackers from accessing the standard port of the SSH server and thus save bandwidth and system resources; it does not replace authentication, because a port scan still finds the moved service.

Pre-configuration Tasks
Before configuring the SSH server, complete the following tasks:
- Connecting the SSH client to the SSH server correctly
- Ensuring that the SSH client and the SSH server are routable

- Configuring the VTY interface on the SSH server to support SSH
- Configuring the SSH client on the SSH server
- Creating the local RSA key pair on the SSH server

Data Preparation
To configure the SSH server, you need the following data.

No.  Data
1    Number of the port monitored by the SSH server

9.4.2 Enabling the STelnet Service
Before using the STelnet service, you need to enable it.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stelnet server enable
The STelnet service is enabled.
By default, STelnet services are disabled.
----End

9.4.3 Enabling the SFTP Service
Before using the SFTP service, you need to enable it.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sftp server enable

The SFTP service is enabled.
By default, the SFTP service is disabled.
----End

9.4.4 Enabling SCP Services
SCP services become available only after being enabled.

Context
Do as follows on the S5700 functioning as the SCP server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
scp server enable
SCP services are enabled.
By default, SCP services are disabled.
----End

9.4.5 (Optional) Enabling the Earlier Version-Compatible Function
You can configure whether SSH of earlier versions is compatible. By default, the server configured with the SSH2.0 protocol is compatible with clients configured with SSH1.X (protocol version ranges from 1.3 to 1.99). If the clients of SSH1.X are to be denied access to log in, you can run the undo ssh server compatible-ssh1x enable command to disable the switch's compatibility with the earlier protocol version. SSH protocol version 1 protects message integrity only with a CRC-32 check and has known insertion attacks against it; leave the compatibility disabled unless a legacy client that cannot speak SSH 2.0 requires it.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh server compatible-ssh1x enable
The earlier version-compatible function is enabled.

NOTE
- Compared with SSH1.X, SSH2.0 is extended in structure to more authentication modes and key exchange modes with higher service capability, such as SFTP.
- The S5700 supports the SSH protocol of version 1.3 to version 2.0.
----End

9.4.6 (Optional) Configuring the Number of the Port Monitored by the SSH Server
You can configure or change the monitoring port number of the SSH server. After the port number is changed, only the user knows the current port number, which helps security by keeping the service out of scans of the default port; it is not an access control.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh server port port-number
The number of the port monitored by the SSH server is configured.
By default, the number of the port monitored by the SSH server is 22. If a new number of a monitored port is configured, the SSH server interrupts all the STelnet and SFTP connections and monitors the port of the new number.
----End

9.4.7 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server
You can configure the interval for updating the key pair of the SSH server, which limits how long a single server key stays in use.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh server rekey-interval interval

The interval for updating the key pair is set.
By default, the interval for updating the key pair of the SSH server is 0, which means that the key pair is never updated.
----End

9.4.8 Checking the Configuration
After configuring the SSH server, you can view the global configuration of the SSH server.

Prerequisite
The configurations of the SSH server are complete.

Procedure
Step 1 Run the display ssh server status command to view the global configuration of the SSH server.
----End

Example
Run the display ssh server status command. The output shows that the SSH version of the SSH session is 1.99 and that the number of retries for re-establishing the SSH session is 5.
<Quidway> display ssh server status
 SSH version                        : 1.99
 SSH connection timeout             : 60 seconds
 SSH server key generating interval : 2 hours
 SSH Authentication retries         : 5 times
 SFTP server                        : Enable
 Stelnet server                     : Enable
 Scp server                         : Enable
 SSH server port                    : 55535
NOTE
If the number of the monitored port is the default number, information about the currently monitored port will not be displayed.

9.5 Configuring the STelnet Client Function
This section describes how to configure the STelnet client.

9.5.1 Establishing the Configuration Task
Before configuring an STelnet client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
STelnet is a secure Telnet protocol. A secure connection between the client and the server can be established through negotiation, and the client will be able to log in to the server similarly to using Telnet services. The SSH user can use the STelnet service in the same manner as using the Telnet service.
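The display ssh server status output checked in 9.4.8 shows in one place the three settings that 9.4.5 to 9.4.7 leave optional. As an added example that is not part of the Huawei guide, the Python script below reads that output and reports which of those settings is still at a risky value. The sample output is constructed in the layout the guide shows. Reading "SSH version : 1.99" as "SSH1.x clients are still accepted" follows RFC 4253 section 5.1, where a server that serves both 1.x and 2.0 clients identifies itself as protocol version 1.99; that the switch reports ssh server compatible-ssh1x enable this way is an assumption of the example.

```python
"""Added example, not part of the Huawei guide: read the output of
'display ssh server status' (9.4.8) and report which of the hardening
choices from 9.4.5 to 9.4.7 are still at a risky setting.  The sample output
is constructed in the layout the guide shows.  Reading 'SSH version : 1.99'
as 'SSH1.x clients are still accepted' follows RFC 4253 section 5.1; that the
switch reports ssh server compatible-ssh1x enable this way is an assumption."""

SAMPLE_STATUS = """\
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries         : 5 times
SFTP server                        : Enable
Stelnet server                     : Enable
Scp server                         : Enable
SSH server port                    : 55535
"""

DEFAULT_RETRIES = 3     # default in 9.3.6; more gives a guesser more tries per connection


def parse_status(text):
    """'key : value' lines into a dict; the port line is absent on the default port (9.4.8)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def leading_int(value, default):
    """'2 hours' -> 2, '60 seconds' -> 60; anything else -> default."""
    parts = value.split()
    return int(parts[0]) if parts and parts[0].isdigit() else default


def banner_capabilities(banner):
    """Protocol generations a server accepts, from its identification string
    'SSH-protoversion-softwareversion' (RFC 4253 sections 4.2 and 5.1)."""
    proto = banner.split("-", 2)[1]
    if proto == "1.99":
        return {"1.x", "2.0"}
    if proto.startswith("2."):
        return {"2.0"}
    return {"1.x"}


def assess(text):
    s = parse_status(text)
    version = s.get("SSH version", "")
    accepted = banner_capabilities(f"SSH-{version}-x") if version else set()
    rekey = leading_int(s.get("SSH server key generating interval", ""), 0)
    retries = leading_int(s.get("SSH Authentication retries", ""), DEFAULT_RETRIES)
    port = leading_int(s.get("SSH server port", ""), 22)
    enabled = [svc for svc in ("SFTP server", "Stelnet server", "Scp server")
               if s.get(svc, "Disable").lower() == "enable"]
    findings = []
    if "1.x" in accepted:
        findings.append("SSH1.x clients accepted: run 'undo ssh server compatible-ssh1x enable' "
                        "unless a legacy client needs it")
    if "2.0" not in accepted:
        findings.append("SSH 2.0 not offered")
    if rekey == 0:
        findings.append("server key pair never regenerated (rekey-interval 0)")
    if retries > DEFAULT_RETRIES:
        findings.append(f"{retries} authentication retries per connection, default is {DEFAULT_RETRIES}")
    return {"version": version, "port": port, "rekey_hours": rekey,
            "retries": retries, "enabled": enabled, "findings": findings}


if __name__ == "__main__":
    for finding in assess(SAMPLE_STATUS)["findings"]:
        print(finding)
```

On the guide's own sample the script reports two findings: 1.99 means SSH1.x clients are still accepted, and the retry count of 5 is above the default of 3. The 2-hour key regeneration interval passes, and the non-default port 55535 is read back so the result can be compared with the value configured in 9.4.6.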

Pre-configuration Tasks
Before connecting the STelnet client to the SSH server, complete the following tasks:
- Generating the local RSA key pair on the SSH server
- Configuring the STelnet user on the SSH server
- Enabling the STelnet service on the SSH server

Data Preparation
To connect the STelnet client to the SSH server, you need the following data.

No.  Data
1    Name of the SSH server
2    Number of the port monitored by the SSH server
3    Preferred encryption algorithm from the STelnet client to the SSH server
4    Preferred encryption algorithm from the SSH server to the STelnet client
5    Preferred HMAC algorithm from the STelnet client to the SSH server
6    Preferred HMAC algorithm from the SSH server to the STelnet client
7    Preferred algorithm of key exchange
8    Name of the outgoing interface
9    Source address

9.5.2 Enabling the First-Time Authentication on the SSH Client
After the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication in the next login.

Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time. To simplify user operations, you are recommended to enable the first-time authentication on the SSH client. Be aware that this is trust on first use: an attacker who can intercept the very first connection can present its own key and the client will save it. On a network where that is a realistic risk, assign the server's RSA public key in advance as described in 9.5.3.

Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ssh client first-time enable
The first-time authentication on the SSH client is enabled.
By default, the first-time authentication on the SSH client is disabled.
NOTE
- The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA public key of the SSH server.
- If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server.
TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA public key to the SSH server in advance on the SSH client in addition to enabling the first-time authentication on the SSH client.
----End

9.5.3 (Optional) Assigning an RSA Public Key to the SSH Server
You can assign an RSA public key to the SSH server.

Context
If the first-time authentication on the SSH client is disabled, you need to allocate an RSA public key to the SSH server before the STelnet client logs in to the SSH server.

Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
rsa peer-public-key key-name
The public key view is displayed.
Step 3 Run:
public-key-code begin
The public key editing view is displayed.
Step 4 Run:
hex-data
The public key is edited.

5. Step 2 According to the address type of the SSH server. Step 5 Run: public-key-code end Quit the public key editing view. ----End 9.. Ltd. the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed. Do as follows on the switch that serves as an SSH client: Procedure Step 1 Run: system-view The system view is displayed. run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. You can run the display rsa local-key-pair public command to view a generated public key. . encryption algorithm. NOTE l Before being assigned to the SSH server. the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then. l If the RSA public key stored on the SSH client becomes invalid. Step 7 Run: ssh client servername assign rsa-key keyname The RSA public key is assigned to the SSH server. select and run one of the following two commands. run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.. Context NOTE When accessing an SSH server.Quidway S5700 Series Ethernet Switches Configuration Guide . the STelnet client can carry the source address and the VPN instance name and choose the key exchange algorithm. the public key cannot be generated after the peer-public- key end command is run. If the specified key-name is deleted in other views. and configure the keepalive function. If the specified hex-data is invalid.Basic Configuration 9 Telnet and SSH The public key must be a string of hexadecimal alphanumeric characters. the STelnet client client can successfully undergo the validity check on the RSA public key of the SSH server. Step 6 Run: peer-public-key end Return to the system view from the public key view. or HMAC algorithm.4 Enabling the STelnet Client You can log in to the SSH server from the SSH client through STelnet. Then. 
Issue 01 (2011-07-15) Huawei Proprietary and Confidential 136 Copyright © Huawei Technologies Co. It is automatically generated by an SSH client.

• For IPv4 addresses, run the stelnet host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command.
• For IPv6 addresses, run the stelnet ipv6 host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command.

You can log in to the SSH server through STelnet.

----End

9.5.5 Checking the Configuration

After configuring the STelnet client, you can view the global configuration of the SSH server.

Prerequisite
The configuration of the STelnet Client Function is complete.

Procedure
• Run the display ssh server-info command to check the mapping between the RSA public key and the SSH client on the SSH client.
• Run the display ssh server session command to check the session of the SSH client on the SSH server.

----End

Example
When running the display ssh server session command, you can view that the client logs in from VTY3 with the STelnet service by password authentication.

<Quidway> display ssh server session
  Session 1:
    Conn                : VTY 3
    Version             : 2.0
    State               : started
    Username            : client001
    Retry               : 1
    CTOS Cipher         : aes128-cbc
    STOC Cipher         : aes128-cbc
    CTOS Hmac           : hmac-sha1-96
    STOC Hmac           : hmac-sha1-96
    Kex                 : diffie-hellman-group1-sha1
    Service Type        : stelnet
    Authentication Type : password
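The two display commands in this section show not only that a client is connected but which algorithms the session actually negotiated, and that is what a reviewer should read from them. The following Python is an added example written for this page, not part of the guide and not Huawei software: it parses the display ssh server session and display ssh server status output (sample text copied from this page, with the column spacing reconstructed) and flags the settings a reviewer would question: des or 3des ciphers, MD5-based or 96-bit-truncated MACs, the 1024-bit dh_group1 key exchange, and a version string of 1.99, which by the SSH protocol convention means the server still accepts SSH 1.x clients. The function names are my own.

```python
import re
from typing import Dict, List

# Sample output copied from the guide's own display ssh server session example
# (column spacing reconstructed; the PDF extraction collapsed it).
SAMPLE_SESSION = """\
Session 1:
  Conn                 : VTY 3
  Version              : 2.0
  State                : started
  Username             : client001
  Retry                : 1
  CTOS Cipher          : aes128-cbc
  STOC Cipher          : aes128-cbc
  CTOS Hmac            : hmac-sha1-96
  STOC Hmac            : hmac-sha1-96
  Kex                  : diffie-hellman-group1-sha1
  Service Type         : stelnet
  Authentication Type  : password
"""

# Sample output copied from the guide's display ssh server status example.
SAMPLE_STATUS = """\
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP server                        :Disable
Stelnet server                     :Enable
Scp server                         :Disable
"""

_KV = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*?)\s*$")
_SESSION = re.compile(r"^\s*Session\s+(?P<num>\d+):")
_DES = re.compile(r"(^|-)3?des(-|$)")   # matches des-cbc / 3des-cbc, not aes128-cbc


def parse_kv_block(text: str) -> Dict[str, str]:
    """Turn 'Key : value' lines (display ssh server status) into a dict."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            out[m.group("key")] = m.group("val")
    return out


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split display ssh server session output into one dict per session."""
    sessions: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = _SESSION.match(line)
        if m:
            current = {"Session": m.group("num")}
            sessions.append(current)
            continue
        m = _KV.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("val")
    return sessions


def audit_session(s: Dict[str, str]) -> List[str]:
    """Return one finding per weak algorithm negotiated on this session."""
    findings: List[str] = []
    for key in ("CTOS Cipher", "STOC Cipher"):
        val = s.get(key, "").lower()
        if _DES.search(val):
            findings.append(f"{key}={val}: DES/3DES (64-bit block cipher)")
    for key in ("CTOS Hmac", "STOC Hmac"):
        val = s.get(key, "").lower()
        if "md5" in val:
            findings.append(f"{key}={val}: MD5-based MAC")
        elif val.endswith("-96"):
            findings.append(f"{key}={val}: MAC tag truncated to 96 bits")
    kex = s.get("Kex", "").lower()
    if "group1" in kex:
        findings.append(f"Kex={kex}: 1024-bit DH group1")
    return findings


def audit_status(st: Dict[str, str]) -> List[str]:
    """Findings from display ssh server status (version 1.99 = SSH 1.x compatible)."""
    findings: List[str] = []
    if st.get("SSH version", "").startswith("1.99"):
        findings.append("SSH version=1.99: server still accepts SSH protocol 1.x clients")
    return findings


if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE_SESSION):
        for line in audit_session(sess):
            print(f"session {sess['Session']} ({sess.get('Username')}): {line}")
    for line in audit_status(parse_kv_block(SAMPLE_STATUS)):
        print(line)
```

Run against the page's own sample session, the audit reports the two 96-bit HMACs and the group1 key exchange but accepts aes128-cbc; paste the output of the two display commands from a real switch in place of the sample text to audit it.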

9.6 Configuring the SFTP Client Function

This section explains how to configure the SFTP client. The SFTP client function also enables you to log in to the remote device through SFTP for secure file transmission.

9.6.1 Establishing the Configuration Task

Before configuring the SFTP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
SFTP enables users to log in to the device from a secure remote end to manage files, which will ensure secure file transmission on the network. The authentication and bidirectional data encryption of the SFTP client can be manually configured. This improves the security of data transmission for the remote end to update its system.

Pre-configuration Tasks
Before connecting the SFTP client to the SSH server, complete the following tasks:
• Creating a local RSA key pair on an SSH server
• Configuring an SFTP client on the SSH server
• Enabling the SFTP service on the SSH server

Data Preparation
To connect an SFTP client to an SSH server, you need the following data.

No.  Data
1    Name of the SSH server
2    Number of the port monitored by the SSH server
3    Preferred encryption algorithm from the SFTP client to the SSH server
4    Preferred encryption algorithm from the SFTP server to the SSH client
5    Preferred HMAC algorithm from the SFTP client to the SSH server
6    Preferred HMAC algorithm from the SFTP server to the SSH client
7    Preferred algorithm of key exchange
8    Name of the outgoing interface
9    Directory name
10   File name

9.6.2 Configuring the First-Time Authentication on the SSH Client

After the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time.

Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication in the next login. To simplify user operations, you are recommended to enable the first-time authentication on the SSH client. By default, first-time authentication is disabled on SSH clients.

Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ssh client first-time enable
Enable the SSH client with the first-time authentication.

NOTE
• The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the SFTP client logs in to the SSH server for the first time. The check is skipped because the SFTP server has not saved the RSA public key of the SSH server.
• If the first-time authentication is not enabled on the SSH client, the SFTP client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP
Except for enabling the first-time authentication on the SSH client, the SFTP client can assign the RSA public key in advance to the SSH server on the SSH client to log in to the server successfully for the first time.

----End

9.6.3 (Optional) Assigning an RSA Public Key to the SSH Server

You can assign an RSA public key on the SSH client to the SSH server when the SFTP client logs in to the SSH server for the first time.

Context
If the first-time authentication on the SSH client is disabled, you need to assign an RSA public key to the SSH server before the STelnet client logs in to the SSH server.

Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  rsa peer-public-key key-name
The public key view is displayed.

Step 3 Run:
  public-key-code begin
The public key editing view is displayed.

Step 4 Run:
  hex-data
The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run. If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed. You can run the display rsa local-key-pair public command to view a generated public key.

Step 5 Run:
  public-key-code end
Quit the public key editing view.

Step 6 Run:
  peer-public-key end
Return to the system view from the public key view.

Step 7 Run:
  ssh client servername assign rsa-key keyname
Assign a public key to the SSH server.

NOTE
• Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the SFTP client can successfully undergo the validity check on the RSA public key of the SSH server.
• If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.

----End

9.6.4 Enabling the SFTP Client

You can log in to the SSH server from the SSH client through SFTP.

Context
NOTE
The command for enabling the SFTP client is similar to that of the STelnet client. When accessing the SSH server, the SFTP client can carry the source address, choose the key exchange algorithm, encryption algorithm and HMAC algorithm, and configure the keepalive function.

Do as follows on the switch that serves as an SSH client.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.
• For IPv4 addresses, run:
  sftp [ -a source-address ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
• For IPv6 addresses, run:
  sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

----End

9.6.5 (Optional) Managing the Directory

On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH server, and display the current operating directory and information about a specified directory and its files.

Context
NOTE
After the SFTP client logs in to the SSH server, the SFTP client can create or delete the directory on the SSH server.

Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run:
  system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.
• For IPv4 addresses, run:
  sftp [ -a source-address ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
• For IPv6 addresses, run:
  sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

Step 3 Perform the following as required:
• Run:
    cd [ remote-directory ]
  The current operating directory of users is changed.
• Run:
    cdup
  The operating directory of users is switched to the upper-level directory.
• Run:
    pwd
  The current operating directory of users is displayed.
• Run:
    dir / ls [ remote-directory ]
  The file list in the specified directory is displayed.
• Run:
    rmdir remote-directory & <1-10>
  The directory on the server is deleted.
• Run:
    mkdir remote-directory
  A directory is created on the server.

----End

9.6.6 (Optional) Managing the File

On the SFTP client, you can view specified remote directories or files on the SFTP server or delete specified files on the SFTP server.

Context
NOTE
After the SFTP client logs in to the SSH server, the SFTP client can change file names, display the file list, delete files, and upload and download files on the SFTP server.

Do as follows on the login switch.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.
• For IPv4 addresses, run:
  sftp [ -a source-address ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
• For IPv6 addresses, run:
  sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

Step 3 Run the command.
• Run:
    get remote-filename [ local-filename ]
  The file on the remote server is downloaded.
• Run:
    put local-filename [ remote-filename ]
  The local file is uploaded to the remote server.
• Run:
    rename old-name new-name
  The name of the specified file on the server is changed.
• Run:
    remove remote-filename
  The file on the server is removed.

----End

9.6.7 (Optional) Displaying the SFTP Client Command Help

You can view the SFTP client command help.

Context
Do as follows on the login switch:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.
• For IPv4 addresses, run:
  sftp [ -a source-address ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
• For IPv6 addresses, run:
  sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

Step 3 Run:
  help [ all | command-name ]
The SFTP client command help is displayed.

----End

9.6.8 Checking the Configuration

After configuring the SFTP client, you can view the global configuration of the SSH server.

Prerequisite
The configuration of the SFTP Client Function is complete.

Procedure
• Run the display ssh server-info command to check the mapping between the SSH server and the RSA public key on the SSH client.

• Run the display ssh server session command to check the session of the SSH client on the SSH server.

----End

Example
Run the display ssh server session command, and you can view that the client logs in from VTY4 through the SFTP service in RSA authentication mode.

[Quidway] display ssh server session
  Session 2:
    Conn                : VTY 4
    Version             : 2.0
    State               : started
    Username            : client002
    Retry               : 1
    CTOS Cipher         : aes128-cbc
    STOC Cipher         : aes128-cbc
    CTOS Hmac           : hmac-sha1-96
    STOC Hmac           : hmac-sha1-96
    Kex                 : diffie-hellman-group1-sha1
    Service Type        : sftp
    Authentication Type : rsa

9.7 Configuring the SCP Client

This section describes how to configure the SCP client.

9.7.1 Establishing the Configuration Task

Before configuring the SCP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
SCP is a secure file transfer method based on SSH2. The SCP client sets up a secure connection with the SCP server so that the client can upload files to the server or download files from the server. Unlike SFTP, SCP allows file uploading or downloading without user authentication and public key assignment, and also supports file uploading or downloading in batches.

Pre-configuration Tasks
Before configuring the SCP client, complete the following tasks:
• Generating a local RSA key pair on the SCP server
• Configuring SCP users on the SCP server
• Enabling SCP services on the SCP server

Data Preparation
To configure the SCP client, you need the following data.

No.  Data
1    (Optional) Source IPv4 or IPv6 address and source interface of the local switch
2    Port number of the remote SCP server, VPN instance name, encryption algorithm for uploading or downloading files, source files to be uploaded or downloaded, and destination files to be uploaded or downloaded

9.7.2 (Optional) Configuring a Source IP Address for the SCP Client

It is more secure to configure a source IP address for the SCP client.

Context
Do as follows on the switch functioning as the SCP client:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  scp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address or a source interface is configured for the SCP client.

At present, the available source interface must be a loopback interface. A loopback interface is recommended to improve network security.

----End

9.7.3 Copying Files

You can use SCP to upload files from the client to the server or download files from the server to the client.

Context
NOTE
When logging in to the SCP server, the SCP client can carry a source IP address and VPN instance name, use the specified source IP address to set up an SCP connection between the client and server, and select an encryption algorithm.

Do as follows on the switch functioning as the SCP client:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Files are uploaded from the SCP client to the remote SCP server or downloaded from the remote SCP server to the SCP client.
• Based on an IPv4 address:
  scp [ -port port-number | public-net | vpn-instance vpn-instance-name | -a sourceaddress | -i interface-type interface-number | -r | -cipher { des | 3des | aes128 } | -c ] * sourcefile destinationfile
• Based on an IPv6 address:
  scp ipv6 [ -port port-number | public-net | vpn-instance vpn-instance-name | -a sourceipv6address | -r | -cipher { des | 3des | aes128 } | -c ] * sourcefile destinationfile [ -i interface-type interface-number ]

----End

9.7.4 Checking the Configuration

After the SCP client is successfully configured, you can view configurations of the SCP connection.

Prerequisite
The configurations of the SCP client are complete.

Context
• Run the display scp-client command to view the source IP address or source interface of the SCP client.

Example
Run the display scp-client command, and you can view the source IP address of the SCP client.

<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1
The source of SCP ipv6 client: --

9.8 Configuration Examples

This section provides configuration examples for Telnet and SSH along with a configuration flowchart. The configuration examples explain networking requirements, configuration notes, and the configuration roadmap.

9.8.1 Example for Configuring the Telnet Terminal Service

In this example, the authentication mode and password are configured for users to log in to the switch through Telnet.

Networking Requirements
As shown in Figure 9-3, after logging in to Switch A, the user logs in to Switch B through Telnet by using the default port 23.

Figure 9-3 Networking diagram of the remote login of the Ethernet user
[Figure: PC -- SwitchA (10.10.10.8/24) -- SwitchB (10.10.10.9/24)]

Switch   Interface             VLANIF interface   IP address
SwitchA  GigabitEthernet0/0/1  VLANIF 2           10.10.10.8/24
SwitchB  GigabitEthernet0/0/1  VLANIF 2           10.10.10.9/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to Switch A and Switch B.
2. Configure an authentication mode and password on Switch B.
3. Log in to Switch B from Switch A.

Data Preparation
To complete the configuration, you need the following data:
• ID of the VLAN
• IP address and number of the interface on Switch A that functions as the Telnet client
• IP address and number of the interface on Switch B that functions as the Telnet server
• Authentication mode and the password for a user to log in to Switch B through Telnet

Procedure
Step 1 Assign IP addresses.

# Assign an IP address to Switch A that functions as the Telnet client.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]

# Assign an IP address to Switch B that functions as the Telnet server.
<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] quit

[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] ip address 10.10.10.9 255.255.255.0
[SwitchB-Vlanif2] quit
[SwitchB]

Step 2 Configure the authentication mode and password for Switch B.
[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode password
[SwitchB-ui-vty0-4] set authentication password simple 123456
[SwitchB-ui-vty0-4] quit
[SwitchB]

Step 3 Verify the configuration.

# Log in to Switch B on Switch A through Telnet.
<SwitchA> telnet 10.10.10.9
  Trying 10.10.10.9 ...
  Press CTRL+K to abort
  Connected to 10.10.10.9 ...
Login authentication
Password:
info: The max number of VTY users is 20, and the current number of VTY users on line is 1.
<SwitchB>

----End

Configuration Files
• Configuration file of Switch A
#
 sysname SwitchA
#
vlan batch 2
#
interface Vlanif2
 ip address 10.10.10.8 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
return

• Configuration file of Switch B
#
 sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
 ip address 10.10.10.9 255.255.255.0
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
user-interface vty 0 4
 set authentication password simple 123456
#
return

9.8.2 Example for Configuring the PC as the STelnet Client to Connect to the SSH Server

This part provides an example for configuring the PC as the STelnet client to connect to the SSH server. In this example, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server with the password, RSA, password-rsa, or all authentication mode.

Networking Requirements
As shown in Figure 9-4, after generating the local key pair on the SSH server, configuring the name and password of the SSH user on the SSH server, and enabling the STelnet service on the SSH server, you can connect the STelnet client to the SSH server. The IP address of the SSH server is 192.168.1.1. Configure Client001 with the password as huawei and adopt the password authentication. The user interface supports only SSH.

Figure 9-4 Networking diagram of configuring the PC as the STelnet client to connect to the SSH server
[Figure: SSH Client -- IP Network -- SSH Server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 on the SSH server.
2. Configure password authentication as the default authentication mode on the SSH server.
3. Enable the STelnet service on the SSH server.

Data Preparation
To complete the configuration, you need the following data:
• Name and the authentication mode of the SSH user
• Password of the SSH user
• Name of the SSH server

Procedure
Step 1 Generate a local key pair on the server.
<Quidway> system-view

[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
........++++++++
......++++++++++++
........++++++++
......++++++++++++

Step 2 Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

NOTE
If SSH is configured as the login protocol, the S5700 automatically disables Telnet.

Step 3 Configure the password of the SSH user Client001 to huawei.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.
[SSH Server] stelnet server enable
[SSH Server] ssh authentication-type default password

Step 5 Verify the configuration.

# Log in to the device through the software putty, and specify the IP address of the device being 192.168.1.1 and the login protocol being SSH.

# Log in to the device through the software putty, and enter the user name client001 and the password huawei.

----End

Configuration Files
• Configuration file of the SSH server
#
 sysname SSH Server
#
aaa
 local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
 stelnet server enable
 ssh authentication-type default password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

9.8.3 Example for Configuring the Switch as the STelnet Client to Connect to the SSH Server

In this example, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server in the authentication mode of password, RSA, password-rsa, or all.

Networking Requirements
When you need to log in from a switch to other switches to configure the switches, you can configure the switch as an STelnet client. As shown in Figure 9-5, the local key pairs are generated on the STelnet client and the SSH server, and the public RSA key is generated on the SSH server and then bound to the STelnet client. In this manner, the STelnet client can connect to the SSH server. The following login users need to be configured:
• Client001, with the password as huawei and the authentication mode as password
• Client002, with the password as rsakey001 and the authentication mode as RSA
The user interface supports only the SSH protocol.

Figure 9-5 Networking diagram of connecting the STelnet client and the SSH server
[Figure: SSH Server (10.39.164.222/24) -- Client001 (10.39.164.220/24), Client002 (10.39.164.221/24)]

Switch      Interface             VLANIF interface   IP address
SSH server  GigabitEthernet0/0/1  VLANIF 10          10.39.164.222/24
Client001   GigabitEthernet0/0/1  VLANIF 10          10.39.164.220/24
Client002   GigabitEthernet0/0/1  VLANIF 10          10.39.164.221/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
2. Create a local key pair on the STelnet client and SSH server separately.
3. Configure Client001 and Client002 on the SSH server.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH client to Client002.
5. Enable the STelnet service on the SSH server.
6. Client001 and Client002 log in to the SSH server through STelnet.

Data Preparation
To complete the configuration, you need the following data:
• IP addresses of the FTP server and client, as shown in Figure 9-5
• SSH user name and authentication mode
• Password or RSA public key
• SSH server name

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.

Create VLAN 10 on the Switch that functions as the server and assign IP address 10.39.164.222/24 to interface VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit

[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.39.164.222 24

Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as assigning an IP address to VLANIF 10, and is not mentioned here.

Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
........++++++++
......++++++++++++
........++++++++
......++++++++++++

Step 3 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
• Before configuring the authentication mode of password or password-rsa, you must configure a local user.
• Before configuring the authentication mode of RSA, you must copy the RSA public key of the SSH client to the server.

# Configure a VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

• Create an SSH user named Client001.

# Create an SSH user named Client001 and configure the authentication mode as password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.
[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh

• Create an SSH user named Client002 and configure the authentication mode as RSA for the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa

Step 4 Configure the RSA public key on the server.

# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key

=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB D2797280
    4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74 9B2AF4CB 69FA6483
    E87DA590 7B47721A 16391E27 1C76ABAB 743C568B 1B35EC7A
    8572A096 BCA9DF0E BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001
[client002]

# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end

Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001

Step 6 Enable the STelnet service on the SSH server.

# Enable the STelnet service.
[Quidway] stelnet server enable

Step 7 Set the service type of Client001 and Client002 to STelnet.

Step 7 Set the service type of Client001 and Client002 to STelnet.
[Quidway] ssh user client001 service-type stelnet
[Quidway] ssh user client002 service-type stelnet

Step 8 Connect the STelnet client and the SSH server.
# You must enable first-time authentication on the SSH client for the first login. With it enabled,
# the client accepts the server's public key without verifying it on the first connection (the
# "The server is not authenticated" prompt below), so compare the key it saves with the server's
# display rsa local-key-pair public output before answering Y.
[client001] ssh client first-time enable
[client002] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode by entering the user name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as follows:
info: The max number of VTY users is 20, and the current number of VTY users on line is 1.
<Quidway>

# Client002 logs in to the SSH server in RSA authentication mode.
<client002> system-view
[client002] stelnet 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
***********************************************************
info: The max number of VTY users is 20, and the current number of VTY users on line is 1.
<Quidway>

Step 9 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. You can view that the STelnet service is enabled, and that the STelnet
client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server :Disable

# Check the connection of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn: VTY 3
Version: 2.0
State: started

Username: client001
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: stelnet
Authentication Type: password
Session 2:
Conn: VTY 4
Version: 2.0
State: started
Username: client002
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: stelnet
Authentication Type: rsa

# Check information about the SSH user.
[Quidway] display ssh user-information
User 1:
User Name: client001
Authentication-type: password
User-public-key-name: -
Sftp-directory: -
Service-type: stelnet
Authorization-cmd: No
User 2:
User Name: client002
Authentication-type: rsa
User-public-key-name: RsaKey001
Sftp-directory: -
Service-type: stelnet
Authorization-cmd: No

----End

Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#

stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

9.8.4 Example for Connecting the SFTP Client and the SSH Server
In this example, local key pairs are generated on the SFTP client and the SSH server respectively,
the RSA public key of the client is configured on the SSH server and bound to the SFTP client. In
this manner, the SFTP client can connect to the SSH server.

Networking Requirements
As shown in Figure 9-6, after the SFTP service is enabled on the SSH server, the SFTP client can
log in to the SSH server in the authentication mode of password, RSA, password-rsa, or all.

Figure 9-6 Networking diagram for connecting the SFTP client and the SSH server
SSH Server 10.164.39.222/24
Client001 10.164.39.220/24 Client002 10.164.39.221/24

Switch Interface VLANIF interface IP address
SSH server GigabitEthernet0/0/1 VLANIF 10 10.164.39.222/24
Client001 GigabitEthernet0/0/1 VLANIF 10 10.164.39.220/24
Client002 GigabitEthernet0/0/1 VLANIF 10 10.164.39.221/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the SFTP client and SSH server separately.
4. Create an RSA public key on the SSH server and bind the RSA public key of the SSH client to
Client002.
5. Enable the SFTP service on the SSH server.
6. Configure the type of service and authorized directory for the SSH user.
7. Client001 and Client002 log in to the SSH server through SFTP.

Data Preparation
To complete the configuration, you need the following data:

l IP addresses of the SSH server and clients, as shown in Figure 9-6
l SSH user name and authentication mode
l Password or RSA public key of the SSH user
l SSH server name

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
Create VLAN 10 on the S5700 that functions as the server and assign IP address 10.164.39.222/24
to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10

[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the S5700 that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.

Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...++++++++
....++++++++
..++++++++++++
.....++++++++++++

Step 3 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l In password or password-rsa authentication mode, you must configure a local user.
l In RSA, password-rsa, or all authentication mode, you must copy the RSA public key of the SSH client to the server.

# Configure a VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

l Create an SSH user named Client001.
# Create an SSH user named Client001 and configure the authentication mode as password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password
# Set the password of Client001 to huawei.
[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh
[Quidway-aaa] quit

l Create an SSH user named Client002.
# Create an SSH user named Client002 and configure the authentication mode as RSA for the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa

Step 4 Configure the RSA public key on the server.
# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create
# Check the RSA public key created on the client.
[client002] display rsa local-key-pair public

=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Send the RSA public key created on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end

Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001

Step 6 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[Quidway] sftp server enable

Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.
Two SSH users are configured on the SSH server: Client001 in the password authentication mode and
Client002 in the RSA authentication mode.


[Quidway] ssh user client001 service-type sftp
[Quidway] ssh user client001 sftp-directory flash:/
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/
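The key code that display rsa local-key-pair public prints in Step 4 above (and in the same step of the STelnet example in 9.8.3 and of the custom-port example in 9.8.5) is a DER SEQUENCE of two INTEGERs, modulus then exponent, and the switch prints the equivalent OpenSSH authorized_keys line next to it. The Python script below is an added example, not part of this guide or of Huawei's software. It converts between the two forms, so an operator can import an OpenSSH client's public key into the rsa peer-public-key view or check a key before pasting it, and it computes the SHA256 fingerprint that ssh-keygen -lf prints, which is what you compare out of band before answering the first-time prompt. It assumes the VRP hex form always carries the modulus unsigned, without DER's 0x00 sign byte, as in every dump on this page (0240 is followed directly by BF...), and to_key_code emits that same form. The result is checked against the page's own client002 dump; that key is 512 bits, which is only usable as a test vector: when prompted for "Input the bits in the modulus", choose the largest size this release allows.

```python
import base64
import hashlib
import struct

# Constructed from the page: the client002 key code as printed by
# "display rsa local-key-pair public" (DER SEQUENCE { INTEGER n, INTEGER e }).
CLIENT002_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""


def _der_len(data, i):
    """Decode a DER length at data[i]; return (length, index after it)."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def parse_key_code(text):
    """VRP hex key code -> (modulus, exponent). Whitespace and line breaks are ignored.
    Assumption: the modulus is unsigned (no 0x00 sign byte), as VRP prints it."""
    raw = bytes.fromhex("".join(text.split()))
    if raw[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    seq_len, i = _der_len(raw, 1)
    if i + seq_len != len(raw):
        raise ValueError("SEQUENCE length does not match data")
    ints = []
    while i < len(raw):
        if raw[i] != 0x02:
            raise ValueError("expected a DER INTEGER")
        ln, j = _der_len(raw, i + 1)
        ints.append(int.from_bytes(raw[j:j + ln], "big"))
        i = j + ln
    if len(ints) != 2:
        raise ValueError("expected exactly modulus and exponent")
    return ints[0], ints[1]


def _ssh_string(b):
    return struct.pack("!I", len(b)) + b


def _mpint(x):
    """RFC 4251 mpint: big-endian, with a 0x00 prefix when the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def _ssh_blob(n, e):
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def to_openssh(n, e, comment="rsa-key"):
    """authorized_keys line for the key (the text VRP prints under 'OpenSSH')."""
    return "ssh-rsa " + base64.b64encode(_ssh_blob(n, e)).decode() + " " + comment


def from_openssh(line):
    """authorized_keys / id_rsa.pub line -> (modulus, exponent)."""
    blob = base64.b64decode(line.split()[1])
    fields, i = [], 0
    while i < len(blob):
        (ln,) = struct.unpack("!I", blob[i:i + 4])
        fields.append(blob[i + 4:i + 4 + ln])
        i += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def to_key_code(n, e):
    """Hex words to type in the 'RSA key code' view, laid out like VRP's own dump.
    Assumption: VRP expects the modulus unsigned, so no 0x00 sign byte is added to it."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    if eb[0] & 0x80:
        eb = b"\x00" + eb
    n_hdr = b"\x02" + _der_len_enc(len(nb))
    e_hdr = b"\x02" + _der_len_enc(len(eb))
    seq_hdr = b"\x30" + _der_len_enc(len(n_hdr) + len(nb) + len(e_hdr) + len(eb))
    words = [nb[i:i + 4].hex().upper() for i in range(0, len(nb), 4)]
    lines = [seq_hdr.hex().upper(), n_hdr.hex().upper()]
    lines += [" ".join(words[i:i + 5]) for i in range(0, len(words), 5)]
    lines += [e_hdr.hex().upper(), eb.hex().upper()]
    return "\n".join(lines)


def fingerprint(n, e):
    """SHA256 fingerprint in the format ssh-keygen -lf prints, for out-of-band checks."""
    digest = hashlib.sha256(_ssh_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    n, e = parse_key_code(CLIENT002_KEY_CODE)
    print(n.bit_length(), "bit modulus, e =", e)
    print(to_openssh(n, e))
    print(fingerprint(n, e))
    print(to_key_code(*from_openssh(to_openssh(n, e))))
```

Run it and compare the printed authorized_keys line with the one under "Public key code for pasting into OpenSSH authorized_keys file" in Step 4; they are identical, which confirms the unsigned-modulus reading. To bring a workstation's id_rsa.pub onto the switch, feed the line to from_openssh and type the to_key_code output into the RSA key code view of Step 4.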

Step 8 Connect the SFTP client and the SSH server.
# You must enable first-time authentication on the SSH client for the first login. The client then
# accepts the server's public key without verifying it on the first connection, as shown in 9.8.3.
[client001] ssh client first-time enable
[client002] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.164.39.222
Input Username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Enter password:
sftp-client>

# Client002 logs in to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.164.39.222
Input Username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
sftp-client>

Step 9 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. You can view that the SFTP service is enabled, and that the SFTP
client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Enable
Stelnet server :Disable
Scp server :Disable

# Check the connection of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn: VTY 3
Version: 2.0
State: started
Username: client001
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: sftp
Authentication Type: password
Session 2:
Conn: VTY 4
Version: 2.0
State: started
Username: client002


Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: sftp
Authentication Type: rsa

# Check information about the SSH user.
[Quidway] display ssh user-information
User 1:
User Name: client001
Authentication-type: password
User-public-key-name: -
Sftp-directory: flash:
Service-type: sftp
Authorization-cmd: No
User 2:
User Name: client002
Authentication-type: rsa
User-public-key-name: RsaKey001
Sftp-directory: flash:
Service-type: sftp
Authorization-cmd: No

----End

Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory flash:/
ssh user client002 sftp-directory flash:/
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10


port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

9.8.5 Example for Configuring the SSH Server to Support the Access
from Another Port
In this example, the listening port number of the SSH server is set to a port number other than
the standard listening port, so that connection attempts aimed at port 22 are rejected before any
SSH negotiation takes place.

Networking Requirements
The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access
the standard port continuously, bandwidth is consumed and the performance of the server is
degraded. As a result, other valid users cannot access the port.

If the listening port on the SSH server is changed to a non-default one, attackers who are unaware
of the change continue to send socket connection requests to port 22. The SSH server detects that
port 22 is not its listening port and denies the request for establishing the socket connection.
Note that this only hides the service from untargeted probes of port 22: a port scan still finds
the new port, so the change complements the authentication and VTY access control configured in
the previous examples rather than replacing them.

Users who know the specified listening port set up a socket connection to it and then go through
the following procedures:


l Negotiating the version of the SSH protocol
l Negotiating the algorithm
l Generating the session key
l Authenticating
l Sending a request for a session
l Performing the interactive session

Figure 9-7 Networking diagram for configuring the SSH server to support the access from
another port
SSH Server

10.164.39.222/24

10.164.39.220/24 10.164.39.221/24
Client001 Client002

Switch Interface VLANIF interface IP address

SSH server GigabitEthernet0/0/1 VLANIF 10 10.164.39.222/24

Client001 GigabitEthernet0/0/1 VLANIF 10 10.164.39.220/24

Client002 GigabitEthernet0/0/1 VLANIF 10 10.164.39.221/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the SSH client and SSH server separately.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the type of the service and authenticated directory for the SSH user.
7. Set the listening port number on the SSH server.
8. Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.

Data Preparation
To complete the configuration, you need the following data:

l IP addresses of the SSH server and clients, as shown in Figure 9-7


l SSH user name and authentication mode
l Password or RSA public key of the SSH user
l Server name
l Listening port number on the SSH server

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address 10.164.39.222/24
to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.

Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...++++++++
....++++++++
..++++++++++++
.....++++++++++++

Step 3 Configure the RSA public key on the server.
# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create
# Check the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end

Step 4 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA public key of the SSH client to the server.

# Configure a VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

# Create an SSH user named Client001, and configure the authentication mode as password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password
# Set the password of Client001 to huawei.

[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh
[Quidway-aaa] quit
# Set the type of service of Client001 to STelnet.
[Quidway] ssh user client001 service-type stelnet

# Create an SSH user named Client002, and configure the authentication mode as RSA for the user.
# Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
[Quidway] ssh user client002 assign rsa-key RsaKey001
# Set the type of service of Client002 to SFTP and the authorized directory as flash:/.
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/

Step 5 Enable the STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable

Step 6 Configure the new listening port number on the SSH server.
[Quidway] ssh server port 1025

Step 7 Connect the SSH client and the SSH server.
# You must enable first-time authentication on the SSH client for the first login.
[client001] ssh client first-time enable
[client002] ssh client first-time enable

# The STelnet client logs in to the SSH server by using the new listening port.
[client001] stelnet 10.164.39.222 1025
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as follows:
info: The max number of VTY users is 20, and the current number of VTY users on line is 1.
<Quidway>

# The SFTP client logs in to the SSH server by using the new listening port.
[client002] sftp 10.164.39.222 1025
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
The server's public key does not match the one we cached. Do you continue to access it?(Y/N):y
Do you want to update the server's public key we cached?(Y/N):y
sftp-client>

The mismatch prompt appears because the server's key pair was regenerated in Step 2, so the key
that Client002 cached in the previous example no longer matches. Outside a lab, confirm the new
key against the server's display rsa local-key-pair public output before answering Y: an
unexpected host key change looks exactly like a man-in-the-middle.

Step 8 Verify the configuration.
Attackers fail to log in to the SSH server by using port 22.

[client002] sftp 10.164.39.222
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Can't establish tcp connection to server

After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. You can check the current listening port number on the SSH server,
and that the STelnet or SFTP client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Enable
Stelnet server :Enable
Scp server :Disable
SSH server port :1025

# Check the connection of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn: VTY 3
Version: 2.0
State: started
Username: client001
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: stelnet
Authentication Type: password
Session 2:
Conn: VTY 4
Version: 2.0
State: started
Username: client002
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: sftp
Authentication Type: rsa

----End

Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047

0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
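The two display commands used to verify 9.8.4 (Step 9) and 9.8.5 (Step 8) also tell an auditor what the server is willing to negotiate. The Python below is an added example, not part of this guide or of Huawei's software: it parses the status and session output shown on this page (pasted in as constructed sample input, including the SSH server port line that appears only after Step 6 of 9.8.5) and flags what a practitioner would want to change. SSH-1.99 means the server advertises SSHv1 compatibility (RFC 4253); diffie-hellman-group1-sha1 uses a 1024-bit group; CBC ciphers and hmac-sha1-96 are legacy algorithms; a service enabled beyond what the example needs (STelnet when only SFTP is intended) widens the attack surface; and password authentication is weaker than the RSA mode configured for Client002. The labels are those printed by this release; other releases may print different ones.

```python
import re

# Constructed sample input, pasted from this guide's own verification output:
# "display ssh server status" from 9.8.4 Step 9 (no port line: the default 22 is in use) ...
STATUS_SFTP_EXAMPLE = """\
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Enable
Stelnet server :Disable
Scp server :Disable
"""
# ... and from 9.8.5 Step 8, after "ssh server port 1025".
STATUS_PORT_EXAMPLE = """\
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Enable
Stelnet server :Enable
Scp server :Disable
SSH server port :1025
"""
# "display ssh server session" from 9.8.5 Step 8.
SESSION_PORT_EXAMPLE = """\
Session 1:
Conn: VTY 3
Version: 2.0
State: started
Username: client001
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: stelnet
Authentication Type: password
Session 2:
Conn: VTY 4
Version: 2.0
State: started
Username: client002
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: sftp
Authentication Type: rsa
"""

WEAK_KEX = {"diffie-hellman-group1-sha1"}          # 1024-bit MODP group
WEAK_MAC = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}


def parse_status(text):
    """'Label :value' lines -> {label lowercased: value}."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)
            out[" ".join(label.lower().split())] = value.strip()
    return out


def parse_sessions(text):
    """'Session N:' blocks of 'Label: value' lines -> list of dicts."""
    sessions, current = [], None
    for line in text.splitlines():
        m = re.match(r"Session (\d+):", line)
        if m:
            current = {"session": int(m.group(1))}
            sessions.append(current)
        elif current is not None and ":" in line:
            label, value = line.split(":", 1)
            current[label.strip().lower()] = value.strip()
    return sessions


def audit(status_text, session_text, intended_services=("sftp",)):
    """Return (listening port, list of findings) for one switch."""
    status = parse_status(status_text)
    findings = []
    if status.get("ssh version", "").startswith("1.99"):
        findings.append("server identifies as SSH-1.99: SSHv1 compatibility is advertised")
    port = int(status.get("ssh server port", "22"))   # line absent -> protocol default
    if port == 22:
        findings.append("listening on the default port 22")
    for svc in ("sftp", "stelnet", "scp"):
        if status.get(f"{svc} server", "").lower() == "enable" and svc not in intended_services:
            findings.append(f"{svc} service enabled but not intended")
    for s in parse_sessions(session_text):
        tag = f"session {s['session']} ({s.get('username', '?')})"
        if s.get("kex") in WEAK_KEX:
            findings.append(f"{tag}: weak key exchange {s['kex']}")
        for side in ("ctos", "stoc"):
            if s.get(f"{side} cipher", "").endswith("-cbc"):
                findings.append(f"{tag}: CBC cipher {s[side + ' cipher']} ({side})")
            if s.get(f"{side} hmac") in WEAK_MAC:
                findings.append(f"{tag}: weak MAC {s[side + ' hmac']} ({side})")
        if s.get("authentication type") == "password":
            findings.append(f"{tag}: password authentication, prefer rsa")
    return port, findings


if __name__ == "__main__":
    for name, status in (("9.8.4", STATUS_SFTP_EXAMPLE), ("9.8.5", STATUS_PORT_EXAMPLE)):
        port, findings = audit(status, SESSION_PORT_EXAMPLE, ("sftp", "stelnet"))
        print(f"{name}: listening port {port}")
        for f in findings:
            print("  -", f)
```

Paste the live output of the two commands in place of the constants to audit a real switch; the intended_services tuple is the only policy input.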

9.8.6 Example for Authenticating SSH Through RADIUS
In this example, a user that attempts to access the SSH server is authenticated by the RADIUS
server, and the SSH server determines whether to set up a connection with the user according to
the authentication result.

Networking Requirements
When a RADIUS user connects to an SSH server, the SSH server sends the user name and password of
the SSH client to the RADIUS server (compatible with the TACACS server) for authentication. The
RADIUS server authenticates the user and sends the result (passed or failed) back to the SSH
server. If the authentication is successful, the user level is sent along with the result. The
SSH server determines whether the SSH client is allowed to set up a connection according to the
authentication result. Figure 9-8 shows the networking diagram.

Figure 9-8 Networking diagram of authenticating the SSH through RADIUS
SSH Client 10.164.39.221/24
SSH Server 10.164.39.222/24
Radius Server 10.164.6.49/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate the local key pair on the STelnet client and SSH server respectively.
2. Generate the RSA public key on the SSH server and bind the RSA public key of the SSH client
to ssh2@ssh.com.
3. Configure the RADIUS template on the SSH server.
4. Configure a domain on the SSH server.
5. Create a user on the RADIUS server.
6. Enable the STelnet and SFTP services on the SSH server.
7. Configure the service mode and authorization directory of the SSH user.
8. Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and SFTP
respectively.
9. The SSH server monitors the port number and determines whether the SSH client is allowed to
set up a connection according to the authentication result.

Data Preparation
To complete the configuration, you need the following data:

l Configure the password authentication for the two SSH users
l RADIUS authentication
l Name of the RADIUS template
l Name of the RADIUS domain
l Name and password of the RADIUS user
Procedure
Step 1 Generate a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, it will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
...++++++++++++
...++++++++++++
.....++++++++
....++++++++
Step 2 Configure the RSA public key of the server.
# Generate a local key pair of the client on the client.
<Quidway> system-view
[Quidway] sysname client
[client] rsa local-key-pair create
# View the RSA public key generated on the client.
[client] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: Quidway_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
 0240
 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
 1D7E3E1B
 0203
 010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: Quidway_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
 0260
 BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
 D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74

 9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
 1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
 BC89D3DB 5A83698C 9063DB39 A279DD89
 0203
 010001
[client]
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 3 Create the SSH user.
# Configure the VTY user interface on the SSH server.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit
# Create SSH users ssh1@ssh.com and ssh2@ssh.com on the SSH server. On the RADIUS server, add two users named ssh1@ssh.com and ssh2@ssh.com; in addition, designate the NAS address 10.39.164.222 and the key huawei. The NAS address refers to the address of the SSH server that connects to the RADIUS server.
[Quidway] ssh user ssh1@ssh.com
[Quidway] ssh user ssh2@ssh.com
[Quidway] ssh user ssh1@ssh.com authentication-type password
[Quidway] ssh user ssh2@ssh.com authentication-type password
[Quidway] ssh user ssh1@ssh.com service-type stelnet
[Quidway] ssh user ssh2@ssh.com service-type sftp
[Quidway] ssh user client001 sftp-directory flash:/
Step 4 Configure the RADIUS template.
# Configure the RADIUS template of the SSH server as ssh.
[Quidway] radius-server template ssh
# Configure the IP address of the RADIUS authentication server as 10.39.164.49 and its port as 1812.
[Quidway-radius-ssh] radius-server authentication 10.39.164.49 1812
# Configure the key of the RADIUS server as huawei.
[Quidway-radius-ssh] radius-server shared-key huawei
[Quidway-radius-ssh] quit
# Configure the authentication scheme newscheme and authentication mode RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme newscheme
[Quidway-aaa-authen-newscheme] authentication-mode radius
[Quidway-aaa-authen-newscheme] quit
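What the template and shared key configured in Step 4 are used for is a RADIUS exchange between the SSH server (acting as the NAS) and the RADIUS server: the user name and password typed at the STelnet or SFTP prompt are carried in an Access-Request, and the Access-Accept or Access-Reject that comes back is bound to that request by the shared key. The Go program below is an added example, not code from the Huawei guide; it builds both sides of that exchange in memory following RFC 2865. The shared key "huawei", user ssh1@ssh.com, password Huawei and NAS address 10.39.164.222 are taken from this example; the packet identifier (7) and the random Request Authenticator are constructed here.

```go
// Added example, not code from the Huawei guide: the RADIUS Access-Request a NAS (the SSH server
// in the example) sends to the RADIUS server, and the Response Authenticator check it applies to
// the reply, per RFC 2865. Shared key "huawei", user ssh1@ssh.com, password Huawei and NAS address
// 10.39.164.222 come from the example; the identifier and Request Authenticator are constructed.
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
)

const codeAccessRequest, codeAccessAccept = 1, 2
const attrUserName, attrUserPassword, attrNASIPAddress = 1, 2, 4

// passwordXOR is the RFC 2865 User-Password transform: each 16-byte block is XORed with
// MD5(secret + previous ciphertext block), the first "previous block" being the Request
// Authenticator. With decrypt set, the chaining input is the received ciphertext.
func passwordXOR(secret, authenticator, in []byte, decrypt bool) []byte {
	n := (len(in) + 15) / 16 * 16
	in = append(append([]byte{}, in...), make([]byte, n-len(in))...) // zero-pad to whole blocks
	out := make([]byte, n)
	prev := authenticator
	for i := 0; i < n; i += 16 {
		pad := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := range pad {
			out[i+j] = in[i+j] ^ pad[j]
		}
		if prev = out[i : i+16]; decrypt {
			prev = in[i : i+16]
		}
	}
	if decrypt {
		return bytes.TrimRight(out, "\x00") // drop the zero padding again
	}
	return out
}

// attr encodes one Type-Length-Value attribute.
func attr(typ byte, value []byte) []byte {
	return append([]byte{typ, byte(2 + len(value))}, value...)
}

// packet lays out Code, Identifier, Length, the 16-byte authenticator field and the attributes.
func packet(code, id byte, auth [16]byte, attrs []byte) []byte {
	pkt := make([]byte, 20, 20+len(attrs))
	pkt[0], pkt[1] = code, id
	binary.BigEndian.PutUint16(pkt[2:4], uint16(20+len(attrs)))
	copy(pkt[4:20], auth[:])
	return append(pkt, attrs...)
}

// buildAccessRequest is the NAS side: User-Name, hidden User-Password and NAS-IP-Address.
func buildAccessRequest(id byte, reqAuth [16]byte, secret, user, password string, nasIP net.IP) []byte {
	attrs := attr(attrUserName, []byte(user))
	attrs = append(attrs, attr(attrUserPassword, passwordXOR([]byte(secret), reqAuth[:], []byte(password), false))...)
	attrs = append(attrs, attr(attrNASIPAddress, nasIP.To4())...)
	return packet(codeAccessRequest, id, reqAuth, attrs)
}

// responseAuthenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
func responseAuthenticator(reply []byte, reqAuth [16]byte, secret string) [16]byte {
	buf := append(append(append([]byte{}, reply[:4]...), reqAuth[:]...), reply[20:]...)
	return md5.Sum(append(buf, secret...))
}

// buildReply is the RADIUS server side: an Access-Accept or Access-Reject bound to the request.
func buildReply(code, id byte, reqAuth [16]byte, secret string) []byte {
	pkt := packet(code, id, [16]byte{}, nil)
	auth := responseAuthenticator(pkt, reqAuth, secret)
	copy(pkt[4:20], auth[:])
	return pkt
}

// verifyReply is the NAS check: the identifier must match the outstanding request and the
// authenticator must have been computed with the same shared secret.
func verifyReply(reply []byte, reqID byte, reqAuth [16]byte, secret string) bool {
	if len(reply) < 20 || reply[1] != reqID || int(binary.BigEndian.Uint16(reply[2:4])) != len(reply) {
		return false
	}
	want := responseAuthenticator(reply, reqAuth, secret)
	return bytes.Equal(reply[4:20], want[:])
}

// exchange runs both sides in memory: what the server recovers from User-Password, whether the
// NAS accepts a reply made under the shared secret, and whether it accepts one made under another.
func exchange() (recovered string, accepted, wrongSecretAccepted bool) {
	const secret, user, password = "huawei", "ssh1@ssh.com", "Huawei"
	var reqAuth [16]byte
	rand.Read(reqAuth[:])
	req := buildAccessRequest(7, reqAuth, secret, user, password, net.ParseIP("10.39.164.222"))
	hidden := req[20+2+len(user)+2:][:16] // the User-Password value follows the User-Name TLV
	recovered = string(passwordXOR([]byte(secret), req[4:20], hidden, true))
	accepted = verifyReply(buildReply(codeAccessAccept, req[1], reqAuth, secret), 7, reqAuth, secret)
	wrongSecretAccepted = verifyReply(buildReply(codeAccessAccept, req[1], reqAuth, "other"), 7, reqAuth, secret)
	return
}

func main() {
	pw, ok, bad := exchange()
	fmt.Printf("server recovered %q; Access-Accept verified: %v; reply under wrong secret accepted: %v\n", pw, ok, bad)
}
```

Both the hiding of User-Password and the check on the reply rest entirely on the value given to radius-server shared-key: the password pad is MD5 of the key and the authenticator, and the reply is accepted only when its authenticator was computed with the same key. That is why the key should be long and random rather than a dictionary word like the one in this example, and why the path between the SSH server and the RADIUS server belongs on a protected management network.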

Step 5 Configure the RADIUS domain name.
# Configure the RADIUS domain of the SSH server as ssh.com, applying authentication scheme newscheme and RADIUS template ssh.
[Quidway] aaa
[Quidway-aaa] domain ssh.com
[Quidway-aaa-domain-ssh.com] authentication-scheme newscheme
[Quidway-aaa-domain-ssh.com] radius-server ssh
[Quidway-aaa-domain-ssh.com] quit
[Quidway-aaa] quit
Step 6 Connect the SSH client and the SSH server.
# Enable the STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable
# For the first login, you need to enable first authentication on the SSH client.
[client] ssh client first-time enable
[client] quit
# Connect the STelnet client to the SSH server with RADIUS authentication.
<client> system-view
[client] stelnet 10.39.164.222
Please input the username: ssh1@ssh.com
Trying 10.39.164.222 ...
Press CTRL+K to abort
Connected to 10.39.164.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.39.164.222. Please wait...
Enter password:
Enter the password Huawei and view the following output:
Info: The max number of VTY users is 10, and the current number of VTY users on line is 2.
<Quidway>
# Connect the SFTP client to the SSH server with RADIUS authentication.
<client> system-view
[client] sftp 10.39.164.222
Please input the username: ssh2@ssh.com
Trying 10.39.164.222 ...
Press CTRL+K to abort
Connected to 10.39.164.222 ...
Enter password:
sftp-client>
Step 7 Verify the configuration.
After the configuration, run the display radius-server configuration and display ssh server session commands on the SSH server. You can view the configuration of the RADIUS server on the SSH server. You can also view that the STelnet or SFTP client is connected to the SSH server successfully with RADIUS authentication.
# Display the configuration of the RADIUS server.
[Quidway-aaa] display radius-server configuration
-------------------------------------------------------------------
Server-template-name : ssh
Protocol-version : standard
Traffic-unit : B

Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 10.39.164.49 :1812 LoopBack:NULL
Primary-accounting-server : 0.0.0.0 :0 LoopBack:NULL
Secondary-authentication-server : 0.0.0.0 :0 LoopBack:NULL
Secondary-accounting-server : 0.0.0.0 :0 LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : xxxx-xxxx-xxxx
-------------------------------------------------------------------
Total of radius template :1
# Display the connections of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn : VTY 0
Version : 2.0
State : started
Username : ssh1@ssh.com
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 1
Version : 2.0
State : started
Username : ssh2@ssh.com
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : password
----End
Configuration Files
Configuration file of the SSH server
#
 sysname Quidway
#
radius-server template ssh
 radius-server authentication 10.39.164.49 1812
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
 0240
 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
 0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
 E917182B
 0203
 010001
 public-key-code end
 peer-public-key end
#
aaa
 authentication-scheme newscheme
 authentication-mode radius
#

 domain ssh.com
 authentication-scheme newscheme
 radius-server ssh
#
sftp server enable
stelnet server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh1@ssh.com authentication-type password
ssh user ssh2@ssh.com authentication-type password
ssh user ssh2@ssh.com assign rsa-key RsaKey001
ssh user ssh1@ssh.com service-type stelnet
ssh user ssh2@ssh.com service-type sftp
ssh user client001 sftp-directory flash:/
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
9.8.7 Example for Configuring the SCP Client
This section provides an example for configuring the SCP client.
Networking Requirements
As shown in Figure 9-9, the switch functioning as the SCP client has a reachable route to the SCP server and can download files from the SCP server. In this example, the SCP client accesses the SCP server to download files.
Figure 9-9 Networking diagram of the SCP client
SCP Server 172.16.104.110/24; SCP Client 1.1.1.1/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a local RSA key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable SCP services on the SSH server.
4. Enable first-time authentication on the SSH client.

5. Configure an IP address of the source interface on the SCP client.
6. Download files from the SSH server to the SCP client.
Data Preparation
To complete the configuration, you need the following data:
l SSH user name, authentication mode, and authentication password
l IP address of the source interface on the SCP client
l Names and paths of the destination files and the source files
Procedure
Step 1 Create a local RSA key pair on the SSH server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, it will take a few minutes.
Input the bits in the modulus[default = 512]: 512
Generating keys...
...++++++++++++
...++++++++++++
.....++++++++
....++++++++
Step 2 Create an SSH user on the SCP server.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
# Configure password authentication for the SSH user Client001.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Configure the password of the SSH user Client001 as huawei.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
# Configure the service type of the SSH user Client001 as all.
[SSH Server] ssh user client001 service-type all
Step 3 Enable SCP services on the SCP server.
[SSH Server] scp server enable
Step 4 Download files from the SCP server to the SCP client.
# For the first login, you need to enable first authentication on the SSH client.
<Quidway> system-view
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable

# Configure the IP address 1.1.1.1 of a loopback interface as the source IP address of the SCP client.
[SCP Client] scp client-source -a 1.1.1.1
# Use 3des to encrypt the transfer of the file license.txt, and download the file to the local working directory from the remote SCP server with the IP address 172.16.104.110.
[SCP Client] scp -a 1.1.1.1 -cipher 3des client001@172.16.104.110:license.txt license.txt
Step 5 Verify the configuration.
Run the display scp-client command on the SCP client. The command output is as follows:
<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1
The IP address of the source interface on the SCP client is 1.1.1.1.
----End
Configuration Files
l Configuration file of the SCP server
#
 sysname SSH Server
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
scp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
l Configuration file of the SCP client
#
 sysname SCP Client
#
ssh client first-time enable
scp client-source -a 1.1.1.1
#
return

10 Web System Configuration
About This Chapter
Before configuring the S5700 in Web mode, you need to configure the S5700 as the Web server.
10.1 Overview of Web System
Through the Web system, users can manage and maintain the S5700 in the graphical user interface (GUI).
10.2 Starting Web System
This topic describes how to load the Web system and create an account of the Web system.

10.1 Overview of Web System
Through the Web system, users can manage and maintain the S5700 in the graphical user interface (GUI).
To facilitate the use and maintenance of the S5700, Huawei develops the Web system for the S5700. The S5700 is installed with a built-in Web server. Thus, the terminal (such as a PC) connected to the S5700 can access the S5700 through the Web browser. Figure 10-1 shows the running environment of the Web system.
Figure 10-1 Running environment of the Web system
Switch - HTTP connection - PC
10.2 Starting Web System
This topic describes how to load the Web system and create an account of the Web system.
10.2.1 Logging In to the S5700 Through the Console Interface
Context
When setting up a local configuration environment through the console interface, you can connect the PC and the S5700 through the Windows HyperTerminal.
Procedure
Step 1 Enable the HyperTerminal on the PC.

Choose Start > All Programs > Accessories > Communications > HyperTerminal to start the HyperTerminal.
Step 2 Set up a new connection.
As shown in Figure 10-2, enter the name of the new connection in the Name text box and choose an icon. Click OK.
Figure 10-2 Setting up a new connection
Step 3 Set the connection port.
After entering the Connect window as shown in Figure 10-3, select a serial port from the Connect drop-down list box according to the port used by the PC or the configuration terminal, and click OK. Select COM1 in this case.

Figure 10-3 Setting the connection port
Step 4 Set the communication parameters.
After entering the COM1 Properties window as shown in Figure 10-4, set the communication parameters according to the description in Table 10-1.
NOTE
In other Windows operating systems, Bits per second may be described as Baud rate, and Flow control may be described as Traffic control.

Figure 10-4 Setting communication parameters for the port
Table 10-1 Communication parameters
Parameter                       Value
Bits per second (Baud rate)     9600
Data bits                       8
Parity check                    None
Stop bits                       1
Flow control (Traffic control)  None
Step 5 After the HyperTerminal is started, select File > Properties to enter the Connect Properties window as shown in Figure 10-5. Choose the Settings tab and select Auto detect or VT100 from the Emulation drop-down list box. Click OK to complete the setting.

Figure 10-5 Selecting a terminal type
After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, you have logged in to the S5700. At this time, you can enter commands to configure and manage the S5700.
----End
10.2.2 Setting the Management IP Address of the S5700
This section describes how to configure the management IP address of the S5700.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface meth 0/0/1
The MEth interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]

The IP address of the interface is configured.
----End
10.2.3 Uploading Web Page Files
This section describes how to obtain the Web page files and upload them to the S5700 through FTP.
Prerequisite
To obtain the Web page file of the S5700, log in to http://support.huawei.com, and then choose Software Center > Version Software > Data Communication Product Line > Ethernet Switch > S23&33&53&CX200D Series. Download the software package of the current version. The Web page file is contained in the software package. The file name is Product Name + the Version of Software.web.zip. Before uploading the Web page file, copy it to the client from which you log in to the S5700.
Context
NOTE
You can also download Web files through TFTP. In this case, the S5700 functions as the TFTP client, and the terminal that stores the Web files functions as the TFTP server. For details, see 8.5.3 Downloading Files Through TFTP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ftp server enable
The FTP server is enabled.
Step 3 Run:
aaa
The AAA view is displayed.
Step 4 Run:
local-user user-name password { simple | cipher } password
An FTP client is configured and the password is set to huawei.
Step 5 Run:
local-user user-name ftp-directory directory
The directory is set for the FTP client.
Step 6 Run:
local-user user-name service-type ftp
The service type of the FTP login user is set.

Step 7 Run the following command in the cmd window of the PC:
ftp ip-address
The user name and password prompts are displayed. The PC can log in to the S5700.
C:\>ftp 10.1.1.132
Connected to 10.1.1.132.
220 FTP service ready.
User (10.1.1.132:(none)): client
331 Password required for client.
Password:
230 User logged in.
ftp>
Step 8 Run the following command in the FTP view:
put local-filename
The web.zip file is uploaded from the PC to the S5700.
ftp> put web.zip
200 Port command okay.
150 Opening ASCII mode data connection for web.zip.
226 Transfer complete.
ftp: 251047 bytes sent in 3.36Seconds 74.74Kbytes/sec.
ftp>
----End
10.2.4 Loading a Web Page File
This section describes how to load a Web file.
Context
Before loading the Web page file, upload it to the S5700.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
http server load file-name
The Web page file is loaded to the S5700.
----End
10.2.5 Creating a Web Account
Before logging in to the S5700 in Web mode, you need to create a Web account on the S5700.
Context
Before enabling the HTTP server, load the Web page file to the S5700.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
http server enable
The HTTP server is enabled.
Step 3 Run:
aaa
The AAA view is displayed.
Step 4 Run:
local-user user-name password { simple | cipher } password
An HTTP client is configured and the password of the client is set.
NOTE
You are recommended to set the password in cipher text. Simple user names and passwords should not be used, for the sake of security.
Step 5 Run:
local-user user-name service-type http
The access type of the user named admin is set to HTTP.
Step 6 Run:
quit
Return to the system view.
Step 7 (Optional) Run:
http timeout timeout
The timeout period of an HTTP connection is set. By default, the timeout period of an HTTP connection is 20 minutes.
----End
10.2.6 Logging In to the Web System
This section describes how to log in to the S5700 in Web mode.
Procedure
Step 1 Open the Web browser on the PC, and then enter the management address of the S5700 in the address bar (the PC and the S5700 have reachable routes to each other). Then, press Enter to display the Login dialog box. As shown in Figure 10-6, enter the pre-set Web user name, password and verification code, and then choose the language.

Figure 10-6 Login
NOTE
If you select Save my password before clicking Login, you do not need to enter the password at the next login.
Step 2 Click Login or press Enter to display the homepage of the Web system. You can configure the S5700 after logging in to the Web system. For details on how to configure the S5700 on the Web system, see the Quidway S5700 Series Ethernet Switches Web Network Management System Client Operation Guide.
----End

11 SSL Configuration
About This Chapter
The Secure Sockets Layer (SSL) protocol is used to authenticate the identities of a client and a server and to encrypt data transmitted between the client and the server.
11.1 SSL
Currently, SSL is only used for the File Transfer Protocol-SSL (FTPS) and the Hypertext Transfer Protocol-SSL (HTTPS) applications (secure Web network management is an HTTPS application).
11.2 SSL Features Supported by the S5700
Currently, SSL is only used for FTPS and HTTPS applications (secure Web network management is an HTTPS application).
11.3 Configuring Login to an FTPS Server from a User Terminal
FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to authenticate the identities of the client and server and encrypt data to be transmitted, FTPS implements security management of devices.
11.4 Configuring Login to an FTPS Server from an FTPS Client
The FTPS client and FTPS server authenticate each other's identities to ensure that only authorized users can access the FTPS server.
11.5 Configuring Secure Web Network Management
An SSL policy is configured on and a digital certificate is loaded to an HTTP server. The digital certificate is used by a client to verify the identity of the server, improving access security. SSL ensures that only authorized users can log in to the server.
11.6 Configuration Examples

11.1 SSL
Currently, SSL is only used for the File Transfer Protocol-SSL (FTPS) and the Hypertext Transfer Protocol-SSL (HTTPS) applications (secure Web network management is an HTTPS application).
Overview
SSL is a cryptographic protocol that provides communication security over the Internet. It allows a client and a server to communicate across a network in a way designed to prevent eavesdropping by authenticating the server or the client. SSL was originally designed for securing World Wide Web traffic. Finally, SSL has become a world-wide communications standard for authenticating Web site and Web page users and encrypting data transmitted between browser users and Web servers.
SSL has the following advantages:
l Provides high security assurance. It uses data encryption, authentication, and a message integrity check to ensure secure data transmission over the network.
l Supports various application layer protocols. As SSL functions between the application layer and the transport layer, it secures data transmission based on TCP connections for any application layer protocol.
l Is easy to deploy.
SSL improves device security from the following aspects:
l Helps authorized users to securely access servers and prevents unauthorized users from accessing servers, which implements security management for devices.
l Encrypts data transmitted between a client and a server for data transmission security and computes a digest for data integrity.
l Defines an access control policy on a device based on certificate attributes to control the access rights of clients, which prevents unauthorized users from attacking the device.
Basic Concepts
l Certificate Authority (CA)
A CA is an entity that issues, manages, and abolishes digital certificates. A CA checks the validity of digital certificate owners, signs digital certificates to prevent eavesdropping and tampering, and manages certificates and keys. The CA identity is described in a trusted-CA file.
The world-wide trusted CA is called a root CA. The root CA can authorize other CAs as subordinate CAs. Figure 11-1 shows the certificate issuing and authentication processes. For example, CA1 functions as the root CA and issues a certificate for CA2, CA2 then issues a certificate for CA3, and so on, until CAn issues the final server certificate. If CA3 issues the server certificate, certificate authentication on the client starts from server certificate authentication: the CA3 certificate is used to authenticate the server certificate. If authentication succeeds, the CA2 certificate is used to authenticate the CA3 certificate, and the CA1 certificate is used to authenticate the CA2 certificate. Server certificate authentication succeeds only when the CA2 certificate has been authenticated by the CA1 certificate.
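The chain walk just described (server certificate checked against CA3, CA3 against CA2, CA2 against the root CA1, every link valid, and each certificate looked up in the CA's revocation list before it is trusted) is what an SSL client does with the trusted-CA file loaded on the device. The Go program below is an added example, not code from the Huawei guide or the S5700 software; it reproduces that client-side check with Go's standard crypto/x509 verifier. It assumes Go 1.18 or later, generates ECDSA P-256 keys and certificates in memory, uses ftps.example.invalid as a placeholder server name, and models the CRL as a set of revoked serial numbers rather than a signed CRL file.

```go
// Added example, not code from the Huawei guide: a client-side model of the chain in Figure 11-1
// (CA1 as root CA, CA2 and CA3 as subordinate CAs, CA3 issuing the server certificate) built on
// Go's crypto/x509 verifier, followed by the CRL lookup a client makes before trusting a
// certificate. Keys and certificates are generated in memory; ftps.example.invalid is a placeholder.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must treats a key or certificate generation failure as fatal; there is nothing to recover.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for name signed by parent; a nil parent yields a self-signed root.
func issue(serial int64, name string, isCA bool, notAfter time.Time, parent *entity) *entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notAfter.Add(-48 * time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &entity{cert: must(x509.ParseCertificate(der)), key: key}
}

// chain is what the client holds: its trusted root (the trusted-CA file), the intermediates
// presented by the server, and the server certificate itself.
type chain struct {
	root   *x509.Certificate
	inters []*x509.Certificate
	leaf   *x509.Certificate
}

// buildChain issues CA1 -> CA2 -> CA3 -> server; ca2NotAfter lets a caller expire the middle CA.
func buildChain(now, ca2NotAfter time.Time) *chain {
	valid := now.Add(24 * time.Hour)
	ca1 := issue(1, "CA1 (root)", true, valid, nil)
	ca2 := issue(2, "CA2", true, ca2NotAfter, ca1)
	ca3 := issue(3, "CA3", true, valid, ca2)
	server := issue(4, "ftps.example.invalid", false, valid, ca3)
	return &chain{root: ca1.cert, inters: []*x509.Certificate{ca2.cert, ca3.cert}, leaf: server.cert}
}

// verifyServer is the client-side authentication: a path from the server certificate through the
// intermediates to the trusted root, each certificate valid at now, then a CRL lookup on the path.
func verifyServer(c *chain, revoked map[int64]bool, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.root)
	for _, ic := range c.inters {
		inters.AddCert(ic)
	}
	chains, err := c.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return err
	}
	for _, cert := range chains[0] {
		if revoked[cert.SerialNumber.Int64()] {
			return fmt.Errorf("%s (serial %d) is on the CRL", cert.Subject.CommonName, cert.SerialNumber)
		}
	}
	return nil
}

// checks returns the verifier's result for a valid chain, for the same chain with the server
// certificate revoked, and for a chain whose CA2 certificate has expired.
func checks() (good, expired, revoked error) {
	now := time.Now()
	c := buildChain(now, now.Add(24*time.Hour))
	good = verifyServer(c, nil, now)
	revoked = verifyServer(c, map[int64]bool{4: true}, now)
	expired = verifyServer(buildChain(now, now.Add(-30*time.Minute)), nil, now)
	return
}

func main() {
	good, expired, revoked := checks()
	fmt.Printf("valid chain: %v\nexpired CA2: %v\nrevoked server certificate: %v\n", good, expired, revoked)
}
```

The roots pool plays the role of the trusted-CA file on the device: only a path that ends at a certificate in that pool is accepted, and an expired CA anywhere on the path, or a revoked certificate anywhere on it, fails the whole server authentication even though the server certificate itself is well formed and unexpired.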

Figure 11-1 Schematic diagram for certificate issuing and authentication (certificate issuing runs CA1 -> CA2 -> ... -> CAn -> server's certificate; certificate authentication runs in the reverse direction)
l Digital certificate
A digital certificate is an electronic document which uses a digital signature to bind a public key with an identity. A digital certificate validates the identities of two communicating parties. The digital certificate includes information such as the name of the person or organization that applies for the certificate, the public key, the digital signature of the CA that issues the digital certificate, and the validity period of the digital certificate. A user must obtain the public key certificate of the information sender in advance to decrypt and authenticate information in the certificate. In addition, the user also needs the CA certificate of the information sender to verify the identity of the information sender.
The lifetime of a digital certificate is limited. A CA can revoke a digital certificate to shorten its lifetime. If a CA revokes a digital certificate, the key pair defined in the certificate can no longer be used even if the digital certificate has not expired.
l Certificate Revocation List (CRL)
A CRL is a list of certificates that have been revoked and therefore should not be relied upon. The CRL is issued by a CA. Before using a digital certificate, the client checks the CRL; a certificate listed in the CRL is not relied upon. After a certificate in a CRL expires, it is automatically deleted from the CRL: the corresponding CA marks the digital certificate as expired and adds a certificate expiration list (CEL) when issuing a new CRL, and after the CEL expires the certificate is deleted from the CRL to shorten the CRL. The lifetime of a CRL is usually shorter than the lifetime of the certificates in the CRL.
11.2 SSL Features Supported by the S5700
Currently, SSL is only used for FTPS and HTTPS applications (secure Web network management is an HTTPS application).
FTPS
FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted, and check message integrity, FTPS provides secure FTP server access, improving communication reliability.
l Login to an FTPS server from a user terminal
An SSL policy is configured on the FTP server. After a digital certificate is loaded and the FTPS server function is enabled on the server, you can log in to the server from a terminal on which SSL-capable FTP client software is installed to securely operate files transmitted between the terminal and the server.

l Login to an FTPS server from an FTPS client
– An SSL policy needs to be configured on and a trusted-CA file needs to be loaded to an FTP client to verify the identity of the certificate owner.
– An SSL policy needs to be configured on and a digital certificate needs to be loaded to an FTP server to verify the validity of the trusted-CA file.
HTTPS
HTTPS that adds support for SSL is an extension to the commonly used HTTP. Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted, and check message integrity, HTTPS provides secure Web access. An SSL policy is configured on the device that functions as an HTTP server. After a digital certificate is loaded to and the HTTPS server function is enabled on the server, users can log in to the server to remotely manage the server using Web pages.
11.3 Configuring Login to an FTPS Server from a User Terminal
FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to authenticate the identities of the client and server and encrypt data to be transmitted, FTPS implements security management of devices.
11.3.1 Establishing the Configuration Task
Before configuring login to an FTPS server from a user terminal, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
Applicable Environment
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server. Transmitted data is easy to tamper with, bringing security threats.
An SSL policy can be configured on the FTP server to improve security. SSL allows data encryption, identity authentication, and message integrity verification, improving data transmission security. In addition, a CA signs the digital certificate to prevent eavesdropping and tampering, and manages the certificate and key. SSL provides secure connections for the FTP server, greatly improving security of the FTP server.
As shown in Figure 11-2, an SSL policy is configured on the FTP server. After a digital certificate is loaded and the FTPS server function is enabled on the server, you can log in to the server from a terminal on which SSL-capable FTP client software is installed to securely operate files transmitted between the terminal and the server. This ensures that only authorized clients can log in to the server.

Figure 11-2 Networking diagram for a PC to log in to an FTPS server (figure: PC, Network, FTP-Server with VLANIF10 192.168.0.1/24)

Pre-configuration Tasks

Before configuring login to an FTPS server from a user terminal, complete the following tasks:
l Loading a digital certificate to the sub-directory named security of the system directory on the FTPS server
l Installing the SSL-capable FTP client software on the PC

Data Preparation

To configure login to an FTPS server from a user terminal, you need the following data.

No. Data
1 SSL policy name and digital certificate
2 IP address of the FTPS server

11.3.2 Configuring an SSL Policy and Loading a Digital Certificate

A client uses a digital certificate to authenticate the identity of a server for secure communication.

Context

The FTPS server needs to obtain a digital certificate from a CA. The client that will access the server needs the CA certificate from the CA to verify the validity of the digital certificate of the server.

NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the FTPS server must be obtained from a corresponding CA.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem. The PEM format is applicable to text transmission between systems.
l The ASN1 format (DER-encoded binary) is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der. The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx.
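The PEM and ASN1 (DER) formats described above, and again in 11.4.2, 11.4.3 and 11.5.2, carry the same content: a PEM file is the DER bytes, base64-encoded between BEGIN and END lines. The following added example (not code from the Huawei guide) converts between the two and walks the outer ASN.1 structure with the standard library only. The certificate it operates on is a constructed, minimal ASN.1 SEQUENCE, not a real X.509 certificate; the parsing rules (tag, length, value) are the same ones a .der file follows.

```python
"""Added example, not from the Huawei guide: PEM <-> ASN1 (DER) conversion and a
minimal DER walker, standard library only. The sample certificate is a constructed
SEQUENCE { INTEGER serial, UTCTime notBefore }, not a real X.509 certificate."""
import base64
import re


def der_encode_length(n):
    """DER length: short form below 128, otherwise 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Encode one DER tag-length-value triple."""
    return bytes([tag]) + der_encode_length(len(content)) + content


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes as a PEM block (base64, 64 characters per line)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN %s-----" % label, *lines, "-----END %s-----" % label]) + "\n"


def pem_to_der(pem):
    """Extract the first PEM block and decode it; ValueError if malformed."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def is_valid_pem(text):
    try:
        pem_to_der(text)
        return True
    except ValueError:
        return False


def der_decode_length(buf, pos):
    """Return (length, position after the length field)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4:  # indefinite form or absurd sizes are not valid DER
        raise ValueError("invalid DER length")
    n = int.from_bytes(buf[pos + 1:pos + 1 + count], "big")
    return n, pos + 1 + count


def der_parse_tlvs(buf):
    """Walk one level of DER and return [(tag, content_bytes), ...]."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = der_decode_length(buf, pos + 1)
        if pos + length > len(buf):
            raise ValueError("DER length exceeds buffer")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


# Constructed sample: SEQUENCE { INTEGER 0x1234, UTCTime "110715000000Z" }
SAMPLE_DER = der_tlv(0x30, der_tlv(0x02, b"\x12\x34") + der_tlv(0x17, b"110715000000Z"))


def roundtrip_equal(der=SAMPLE_DER):
    """Writing PEM from DER and reading it back must give identical bytes."""
    return pem_to_der(der_to_pem(der)) == der


def inspect(der=SAMPLE_DER):
    """Return the (tag, content) fields inside the outer SEQUENCE."""
    (tag, body), = der_parse_tlvs(der)
    if tag != 0x30:
        raise ValueError("certificate must start with a SEQUENCE")
    return der_parse_tlvs(body)


if __name__ == "__main__":
    print(der_to_pem(SAMPLE_DER))
    print(inspect())
```

The same walker applied to a real .der file returns the three top-level fields of an X.509 certificate (tbsCertificate, signatureAlgorithm, signatureValue); the point here is that the .pem and .der files the commands below accept differ only in encoding, so converting between them never changes what is verified.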

The PFX format is a binary format that can be converted into the PEM or ASN1 format.

Perform the following steps on the device that functions as an FTPS server:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssl policy policy-name
An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a digital certificate. Run one of the following commands as required:
l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code
A PEM digital certificate is loaded.
l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename
An ASN1 digital certificate is loaded.
l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code
A PFX digital certificate is loaded.
l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code
A PEM digital certificate chain is loaded.

NOTE
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate chain.

----End

11.3.3 Enabling the FTPS Function

After a device is configured with an SSL policy and enabled with the FTPS server function, the device functions as an FTPS server to provide SSL-based FTP services.

Context

NOTE
Before enabling the FTPS server function, disable the FTP server function.

Perform the following steps on the device that functions as an FTPS server:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ftp secure-server ssl-policy policy-name
An SSL policy is configured for the device.

Step 3 Run:
ftp secure-server enable
The FTPS server function is enabled. By default, the FTPS server function is disabled.

----End

11.3.4 Accessing an FTPS Server

You can use a PC with SSL-capable FTP client software or an FTPS client to access an FTPS server for secure management of files on the FTPS server. Before accessing an FTPS server, install the SSL-capable FTP client software on a PC, and then use the third-party software to log in to the FTPS server from the PC to securely manage files on the FTPS server.

11.3.5 Checking the Configuration

After the configuration of login to an FTPS server from a user terminal is complete, you can view the SSL policy, the digital certificate, and the status of the FTPS server.

Prerequisite

The configurations of login to an FTPS server from a user terminal are complete.

Procedure

l Run the display ssl policy command to check the configured SSL policy and loaded digital certificate.
l Run the display ftp-server command to check the SSL policy name and the FTPS server status.

----End

Example

Run the display ssl policy command on the FTPS server. The command output shows detailed information about the configured SSL policy and loaded digital certificate.

<Quidway> display ssl policy
 SSL Policy Name: ftp_server
 Policy Applicants: FTP secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate

 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:

The Auth-code field is displayed in clear text, so treat this output, and the configuration that holds the same value, as sensitive.

Run the display ftp-server command on the FTP server. The command output shows that the SSL policy name is ftp_server and the FTPS server is running. FTP server is stopped confirms that the plain FTP service is disabled, as the NOTE in 11.3.3 requires.

<Quidway> display ftp-server
 FTP server is stopped
 Max user number 5
 User count 1
 Timeout value(in minute) 30
 Listening port 21
 Acl number 0
 FTP server's source address 0.0.0.0
 FTP SSL policy ftp_server
 FTP Secure-server is running

11.4 Configuring Login to an FTPS Server from an FTPS Client

The FTPS client and FTPS server authenticate each other's identities to ensure that only authorized users can access the FTPS server.

11.4.1 Establishing the Configuration Task

Before configuring login to an FTPS server from an FTPS client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Traditional FTP does not have a security mechanism. It transmits data in plain text, so transmitted data is easy to tamper with, bringing security threats. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server.

To improve security, perform the following steps on the FTP client and server:
l Configure an SSL policy on the FTP client and load a trusted-CA file to the client. The trusted-CA file lets the client verify the identity of the certificate owner.
l Configure an SSL policy on the FTP server and load a digital certificate to the server. The client checks this certificate against its trusted-CA file.

The client uses the trusted-CA file and digital certificate to authenticate the server so that the authorized client can access the correct server, improving access security. Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted, sign a digital certificate to prevent eavesdropping and tampering, and manage the certificate and key, this ensures that only authorized clients can log in to the correct server.

As shown in Figure 11-3, an SSL policy is configured on and a trusted-CA file is loaded to the FTP client, and an SSL policy is configured on and a digital certificate is loaded to the FTP server.

Figure 11-3 Accessing an FTPS server from an FTPS client (figure: FTP-Client with VLANIF20 and VLANIF40, FTP-Server with VLANIF30 and VLANIF10, connected across the network; PC1 and PC2 attached; interface addresses 1.1.1.1/24, 1.1.1.2/24, 192.168.1.1/24 and 192.168.1.2/24)

If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS client to remotely manage files.

Pre-configuration Tasks

Before configuring login to an FTPS server from an FTPS client, complete the following tasks:
l Loading a trusted-CA file to the sub-directory named security of the system directory on the FTPS client
l Loading a digital certificate to the sub-directory named security of the system directory on the FTPS server

Data Preparation

To configure login to an FTPS server from an FTPS client, you need the following data.

No. Data
1 SSL policy name, trusted-CA file, (optional) CRL file, and IP address of the FTPS client
2 Digital certificate and IP address of the FTPS server

11.4.2 Configuring the FTPS Client

An SSL policy needs to be configured on and a trusted-CA file needs to be loaded to an FTP client. The FTPS client can use the trusted-CA file to authenticate an FTPS server to ensure that only authorized users can log in to the FTPS server.

Context

A trusted-CA file can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem.

l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der.
l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx.

A CRL file can be in either the ASN1 or PEM format. These two formats represent the same contents.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssl policy policy-name
An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a trusted-CA file. Run one of the following commands as required:
l Run:
trusted-ca load pem-ca ca-filename
A PEM trusted-CA file is loaded.
l Run:
trusted-ca load asn1-ca ca-filename
An ASN1 trusted-CA file is loaded.
l Run:
trusted-ca load pfx-ca ca-filename auth-code auth-code
A PFX trusted-CA file is loaded.

If multiple trusted-CA files are loaded, these files will be added to the existing trusted-CA file list. A maximum of four trusted-CA files can be loaded to an SSL policy.

NOTE
l If the certificate loaded on the FTPS server is a single certificate rather than a chain, configure only the root CA certificate on the client.
l If a certificate chain is configured on the FTPS server, configure all the trusted-CA certificates of the upper levels, up to the root CA certificate, on the client.

Step 4 (Optional) Run:
crl load { pem-crl | asn1-crl } crl-filename
A CRL is loaded. If multiple CRL files are loaded, these files will be added to the existing CRL file list. A maximum of two CRL files can be loaded to an SSL policy.

----End
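The NOTE above and the CRL step are easiest to see with a model of what the client's SSL policy does with the files it has loaded. The following added example (not code from the Huawei guide) reduces certificates to (subject, issuer, serial) records so that it runs offline; a real client also verifies each certificate's signature with its issuer's public key and checks validity periods. It follows the guide's rule that every CA from the server certificate's issuer up to the root must be in the client's trusted-CA list, and enforces the guide's limits of four trusted-CA files and two CRL files per policy. All CA names, server names and serial numbers are constructed.

```python
"""Added example, not from the Huawei guide: model of the FTPS client's trusted-CA
and CRL handling. Certificates are (subject, issuer, serial) records; signature and
validity-period checks are omitted. Names and serials are constructed."""
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer serial")

MAX_TRUSTED_CA = 4   # guide: at most four trusted-CA files per SSL policy
MAX_CRL = 2          # guide: at most two CRL files per SSL policy


class ClientSslPolicy:
    """The client-side SSL policy: trusted-CA files plus optional CRL files."""

    def __init__(self, name):
        self.name = name
        self.trusted_ca = []   # CA certificates loaded with trusted-ca load
        self.crls = []         # (issuer name, set of revoked serials) per crl load

    def trusted_ca_load(self, ca_cert):
        """Files accumulate in the trusted-CA list, up to the policy limit."""
        if len(self.trusted_ca) >= MAX_TRUSTED_CA:
            raise ValueError("at most %d trusted-CA files per policy" % MAX_TRUSTED_CA)
        self.trusted_ca.append(ca_cert)

    def crl_load(self, issuer, revoked_serials):
        if len(self.crls) >= MAX_CRL:
            raise ValueError("at most %d CRL files per policy" % MAX_CRL)
        self.crls.append((issuer, set(revoked_serials)))

    def _revoked(self, cert):
        return any(cert.issuer == iss and cert.serial in serials
                   for iss, serials in self.crls)

    def authenticate_server(self, server_cert):
        """Walk from the server certificate up through the trusted-CA list only.
        Returns (ok, reason)."""
        cert, seen = server_cert, set()
        while True:
            if self._revoked(cert):
                return False, "%s (serial %d) is revoked by the CRL of %s" % (
                    cert.subject, cert.serial, cert.issuer)
            if cert.subject == cert.issuer:
                # Self-signed root: it must itself be one of the loaded trusted-CA files.
                if cert in self.trusted_ca:
                    return True, "chain verified up to trusted root %s" % cert.subject
                return False, "root %s is not in the trusted-CA list" % cert.subject
            issuer = next((ca for ca in self.trusted_ca if ca.subject == cert.issuer), None)
            if issuer is None:
                return False, "issuer %s of %s is not in the trusted-CA list" % (
                    cert.issuer, cert.subject)
            if issuer.subject in seen:
                return False, "loop in issuer names"
            seen.add(issuer.subject)
            cert = issuer


# Constructed data: a root CA, an issuing (intermediate) CA and two server certificates.
ROOT = Cert("Example Root CA", "Example Root CA", 1)
ISSUING = Cert("Example Issuing CA", "Example Root CA", 2)
SERVER_VIA_ISSUING = Cert("ftp-server.example", "Example Issuing CA", 1001)
SERVER_VIA_ROOT = Cert("ftp-server2.example", "Example Root CA", 1002)


def demo():
    """Which server certificates each client configuration accepts."""
    results = {}
    root_only = ClientSslPolicy("ftp_client")
    root_only.trusted_ca_load(ROOT)
    # Single certificate issued by the root: the root CA certificate alone suffices.
    results["root_only_accepts_root_issued"] = root_only.authenticate_server(SERVER_VIA_ROOT)[0]
    # Certificate chain on the server: the client lacks the issuing CA, so it cannot verify.
    results["root_only_accepts_chain"] = root_only.authenticate_server(SERVER_VIA_ISSUING)[0]

    full = ClientSslPolicy("ftp_client")
    full.trusted_ca_load(ISSUING)
    full.trusted_ca_load(ROOT)
    results["all_levels_accepts_chain"] = full.authenticate_server(SERVER_VIA_ISSUING)[0]

    issuing_only = ClientSslPolicy("ftp_client")
    issuing_only.trusted_ca_load(ISSUING)
    # Without the root there is nothing to anchor the chain to.
    results["issuing_only_accepts_chain"] = issuing_only.authenticate_server(SERVER_VIA_ISSUING)[0]

    # A CRL from the issuing CA that lists the server certificate's serial number.
    full.crl_load("Example Issuing CA", [1001])
    results["all_levels_after_revocation"] = full.authenticate_server(SERVER_VIA_ISSUING)[0]
    return results
```

The reason strings are what you would want a failed login to report: a missing intermediate, an untrusted root and a revoked certificate all fail, but for different reasons, and only the first is fixed by loading another trusted-CA file.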

11.4.3 Configuring the FTPS Server

FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to authenticate the identities of the client and server and encrypt data to be transmitted, FTPS implements security management of devices.

Context

The FTPS server needs to obtain a digital certificate from a CA. The client that will access the server needs the CA certificate from the CA to verify the validity of the digital certificate of the server.

NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the FTPS server must be obtained from a corresponding CA.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem. The PEM format is applicable to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der. The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx. The PFX format is a binary format that can be converted into the PEM or ASN1 format.

Perform the following steps on the device that functions as an FTPS server:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssl policy policy-name
An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a digital certificate. Run one of the following commands as required:
l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code
A PEM digital certificate is loaded.
l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename
An ASN1 digital certificate is loaded.

----End 11.4 Accessing an FTPS Server You can use specified commands to log in to an FTPS server from an FTPS client to remotely manage the FTPS server. Ltd. run: ftp ssl-policy policy-name ipv6 host [ port-number ] A control connection is established with a remote FTPS server and the FTP client view is displayed. l On an IPv6 network: In the user view. the FTPS server function is disabled. Step 4 Run: ftp secure-server ssl-policy policy-name An SSL policy is configured for the device. l Run: certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key- filename auth-code auth-code A PEM digital certificate chain is loaded. ----End Issue 01 (2011-07-15) Huawei Proprietary and Confidential 201 Copyright © Huawei Technologies Co.Quidway S5700 Series Ethernet Switches Configuration Guide .. Procedure l On an IPv4 network: In the user view. disable the FTP server function. . By default. NOTE Only one certificate or certificate chain can be loaded to an SSL policy.Basic Configuration 11 SSL Configuration l Run: certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code A PFX digital certificate is loaded. Step 5 Run: ftp secure-server enable The FTPS server function is enabled. If a certificate or certificate chain has been loaded. run: ftp ssl-policy policy-name [ [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn- instance-name ] ] A control connection is established with a remote FTPS server and the FTP client view is displayed. NOTE Before enabling the FTPS server function.4. unload the certificate or certificate chain before loading a new certificate or certificate chain.

Follow-up Procedure

The client can log in to the server only after the entered user name and password are authenticated by the server. After logging in to the FTPS server, you can operate files on the FTPS server in the same way as on an FTP server. Table 11-1 lists file operations on an FTP server.

Table 11-1 File operations

Managing files
l Configuring the file type
Run the ascii command to set the file type to ASCII, or run the binary command to set the file type to binary. By default, the ASCII type is used. The FTP file type is determined by the client.
l Configuring the data connection mode
Run the passive command to set the data connection mode to PASV, or run the undo passive command to set the data connection mode to PORT. By default, the PASV mode is used.
l Enabling the file transfer prompt function
If the prompt command is run in the FTP client view to enable the file transfer prompt function, the system prompts you to confirm the uploading or downloading operation during file uploading or downloading. If the prompt command is run again in the FTP client view, the file transfer prompt function is disabled. By default, the file transfer prompt function is disabled.
NOTE
The prompt command is applicable to the scenario where the mput or mget command is used to upload or download files. If the local device already has the files to be downloaded by running the mget command, the system prompts you whether to overwrite the existing ones regardless of whether the file transfer prompt function is enabled.
l Enabling the FTP verbose function
Run the verbose command. After the verbose function is enabled, all FTP response information is displayed. After file transfer is complete, statistics about the transmission rate are displayed.
l Uploading files
Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server, or run the mput local-filenames command to upload multiple files from the local device to a remote server.
l Downloading files
Run the get remote-filename [ local-filename ] command to download a file from a remote server and save the file on the local device, or run the mget remote-filenames command to download multiple files from a remote server and save the files on the local device.

Managing directories
l Changing the working path of a remote FTP server
Run the cd pathname command.
l Changing the working path of an FTP server to the parent directory
Run the cdup command.
l Displaying the working path of an FTP server
Run the pwd command.
l Displaying files in the directory and the list of sub-directories
Run the dir [ remote-directory [ local-filename ] ] command. If no path name is specified for a specified remote file, the system will search for the file in the authorized directory of the user.
l Displaying a specified remote directory or file on an FTP server
Run the ls [ remote-directory [ local-filename ] ] command.
l Displaying or changing the working path of an FTP client
Run the lcd [ directory ] command. The lcd command displays the local working path of the FTP client, whereas the pwd command displays the working path of the remote FTP server.
l Creating a directory on an FTP server
Run the mkdir remote-directory command. The directory name can be a combination of letters and numbers, excluding special characters such as "<", ">", "?", "\", or ":".
l Deleting a directory from an FTP server
Run the rmdir remote-directory command.
l Displaying online help for an FTP command
Run the remotehelp [ command ] command.
l Changing an FTP user
Run the user username [ password ] command.

11.4.5 Checking the Configuration

After the configuration of login to an FTPS server from an FTPS client is complete, you can view the SSL policy configured on and the trusted-CA file loaded to the FTPS client, and the SSL policy configured on and the digital certificate loaded to the FTPS server.

Prerequisite

The configurations of login to an FTPS server from an FTPS client are complete.

Procedure

l Run the display ssl policy command to check the SSL policy configured on and the trusted-CA certificates loaded to the FTPS client, as well as the SSL policy configured on and the digital certificate loaded to the FTPS server. The digital certificate is used by the client to verify the identity of the server.
l Run the display ftp-server command to check the SSL policy name and the FTPS server status.

----End

Example

Run the display ssl policy command on the FTPS client. The command output shows detailed information about the configured SSL policy and the loaded trusted-CA files.

<Quidway> display ssl policy
 SSL Policy Name: ftp_client
 Policy Applicants:
 Key-pair Type:
 Certificate File Type:
 Certificate Type:
 Certificate Filename:
 Key-file Filename:
 Auth-code:
 MAC:
 CRL File:
 Trusted-CA File:
  Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
  Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

The two trusted-CA files here correspond to an issuing CA certificate and the root CA certificate, the certificate-chain case described in the NOTE in 11.4.2.

Run the display ssl policy command on the FTPS server. The command output shows detailed information about the configured SSL policy and loaded digital certificate.

<Quidway> display ssl policy
 SSL Policy Name: ftp_server
 Policy Applicants: FTP secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:

Run the display ftp-server command on the FTP server. The command output shows that the SSL policy name is ftp_server and the FTPS server is running.

<Quidway> display ftp-server
 FTP server is stopped
 Max user number 5
 User count 1
 Timeout value(in minute) 30
 Listening port 21
 Acl number 0
 FTP server's source address 0.0.0.0
 FTP SSL policy ftp_server
 FTP Secure-server is running

11.5 Configuring Secure Web Network Management

An SSL policy is configured on and a digital certificate is loaded to an HTTP server. After a digital certificate is loaded to and the HTTPS server function is enabled on the server, users can log in to the server and remotely manage it using Web pages.

11.5.1 Establishing the Configuration Task

Before configuring an HTTPS server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and efficiently.

Applicable Environment

After a device that supports Web network management is enabled with the HTTP function, the device can function as a Web server. Users can log in to the device using HTTP and use Web pages to access and control the device. HTTP does not provide a mechanism that allows users to authenticate a Web server, nor does it protect the privacy of transmitted data.

To address this problem, you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to the commonly used HTTP. SSL allows the client and server to authenticate each other and encrypts data to be transmitted. As shown in Figure 11-4, an SSL policy is configured on the device that functions as an HTTP server. After a digital certificate is loaded to and the HTTPS server function is enabled on the server, users can log in to the server and remotely manage it using Web pages.

Figure 11-4 Networking diagram for accessing another device by using HTTPS (figure: PC, Network, HTTP-Server with VLANIF10 192.168.0.1/24)

Pre-configuration Tasks

Before configuring an HTTPS server, complete the following tasks:
l Uploading a digital certificate to a device that will function as an HTTPS server and copying the certificate to the sub-directory named security of the system directory on the HTTPS server
l Installing a Web browser on a PC

Data Preparation

To configure an HTTPS server, you need the following data.

No. Data
1 SSL policy name and digital certificate
2 IP address, Web page file, and Web account of the HTTPS server

11.5.2 Configuring an SSL Policy and Loading a Digital Certificate

A digital certificate is used to authenticate the identities of the user terminal and the HTTPS server to ensure secure communication. This ensures that only authorized clients can log in to the HTTPS server. The certificate loaded here identifies the HTTPS server to the browser; users themselves are identified by the Web account created in 11.5.5.

Context

Before using HTTPS for secure management, the HTTPS server needs to obtain a digital certificate from a CA. The digital certificate to be loaded to the HTTPS server can be generated using a third-party tool such as OpenSSL. OpenSSL can be considered as a CA. For the procedure for generating a digital certificate, see the OpenSSL usage guide.

The digital certificate includes information such as the name of the person or organization that applies for the certificate, the public key, the digital signature of the CA that issues the digital certificate, and the validity period of the digital certificate. A CA can issue a certificate chain along with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates on the chain.

NOTE
A CA is responsible for issuing and managing digital certificates.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem. The PEM format is applicable to text transmission between systems. A PEM certificate contains only a public key but not a private key, and the public key is not encrypted.
l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der. The ASN1 format is the default format for most browsers. An ASN1 certificate likewise contains only a public key but not a private key, and the public key is not encrypted.
l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx. The PFX format is a binary format that can be converted into the PEM or ASN1 format. A PFX file can contain the private key as well as the certificate, and the private key is usually encrypted.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssl policy policy-name
An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a digital certificate. Run one of the following commands as required:
l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate is loaded.
l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename
An ASN1 digital certificate is loaded.
l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code
A PFX digital certificate is loaded.
l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code
A PEM digital certificate chain is loaded.

NOTE
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate chain.

----End

11.5.3 Loading a Web Page File

To manage and maintain a device on a graphical user interface (GUI), you can configure the Web network management function. Before using the Web network management function, load the related Web page file.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
http server load file-name
A Web page file is loaded.

----End

11.5.4 Enabling the HTTPS Function

After a device is configured with an SSL policy and enabled with the HTTPS function, the device functions as an HTTPS server to provide SSL-based HTTP services.

Context

NOTE
Before enabling the HTTPS server function, disable the HTTP server function.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
http secure-server ssl-policy policy-name
An SSL policy is configured for the device.

Step 3 Run:
http secure-server enable
The HTTPS server function is enabled. By default, the HTTPS server function is disabled.

Step 4 (Optional) Run:
http secure-server port port-number
The listening port number is configured for the HTTPS server.

The default listening port number of the HTTPS server is 443. Attackers may access the default listening port, consuming bandwidth, affecting performance of the server, and leaving authorized users unable to access the server. To reduce this exposure, run this command to change the listening port number of the HTTPS server, so that attackers who try the default port do not find the service. A port scan can still locate the new port, so the change supplements, rather than replaces, the Web account configured in 11.5.5. When using the default listening port number to access and control the HTTPS server, you do not need to specify the port number in the address entered in the browser.

----End

11.5.5 Creating a Web Account

Setting the HTTP user name and password is recommended for secure login to a Web server. Simple user names and passwords are insecure.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password
The HTTP user name and password are set.

NOTE
Setting the password in cipher text is recommended; with simple, the password is stored in clear text in the configuration.

Step 4 Run:

5. you can manage and maintain a device on a GUI.6 Logging In to the Web System After logging in to the Web system. l Run the display http server command to check the SSL policy name and the HTTPS server status. password. Press Enter and the dialog box shown in Figure 11-5 is displayed. Enter the IP address of the HTTPS server in the address bar. Ltd.7 Checking the Configuration After secure Web network management is configured. 11. and verification code. .Quidway S5700 Series Ethernet Switches Configuration Guide .5. Procedure l Run the display ssl policy command to check the configured SSL policy and loaded digital certificate. you can view the configured SSL policy and loaded digital certificate on the HTTPS server as well as the HTTPS server status. Open the Web browser on the PC. Prerequisite The configurations of secure Web network management are complete. Figure 11-5 Login GUI Enter the HTTP user name. ----End 11.. Click Login or press Enter to enter the Web system. ----End Issue 01 (2011-07-15) Huawei Proprietary and Confidential 209 Copyright © Huawei Technologies Co.Basic Configuration 11 SSL Configuration local-user user-name service-type http HTTP is configured as the service type.

Example

Run the display ssl policy command. The command output shows detailed information about the configured SSL policy and loaded digital certificate.

<Quidway> display ssl policy
 SSL Policy Name: http_server
 Policy Applicants: WEB secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:

Run the display http server command. The command output shows the SSL policy name and the HTTPS server status. HTTP Server Status : disabled confirms that the plain HTTP service is off, as the NOTE in 11.5.4 requires.

<Quidway> display http server
 HTTP Server Status : disabled
 HTTP Server Port : 80(80)
 HTTP Timeout Interval : 20
 Current Online Users : 0
 Maximum Users Allowed : 5
 HTTP Secure-server Status : enabled
 HTTP Secure-server Port : 443(443)
 HTTP SSL Policy : http_server

11.6 Configuration Examples

11.6.1 Example for Configuring Login to an FTPS Server from a User Terminal

You can use a terminal on which SSL-capable FTP client software is installed to log in to an FTPS server and securely operate on files transmitted between the terminal and the server.

Networking Requirements

Traditional FTP does not have a security mechanism. It transmits data in plain text, so transmitted data is easy to tamper with, bringing security threats. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server.

An SSL policy can be configured on the FTP server to improve security. SSL provides secure connections for the FTP server. In addition, SSL allows data encryption, identity authentication, and message integrity verification, improving data transmission security and greatly improving security of the FTP server.

As shown in Figure 11-6, an SSL policy is configured on the FTP server. After a digital certificate is loaded and the FTPS server function is enabled on the server, you can log in to the server from a terminal on which SSL-capable FTP client software is installed and securely operate on files transmitted between the terminal and the server.

Figure 11-6 Operating files using FTPS (PC connected over the network to FTP-Server, VLANIF10 192.168.0.1/24)

Configuration Roadmap

The configuration roadmap is as follows:
1. Upload a digital certificate.
2. Copy the digital certificate from the system directory of the FTP server to the sub-directory named security.
3. Load the digital certificate: configure an SSL policy and load the digital certificate.
4. Enable the FTPS server function.
5. Install the SSL-capable FTP client software on the PC.

Data Preparation

To complete the configuration, you need the following data:
- IP address of the FTP server
- FTP user name and password
- SSL digital certificate

Procedure

Step 1 Upload a digital certificate.

# Configure an IP address for the FTP server so that the PC and FTP server are routable.

<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] interface gigabitethernet0/0/1
[FTP-Server-GigabitEthernet0/0/1] port link-type access
[FTP-Server-GigabitEthernet0/0/1] quit
[FTP-Server] vlan 10
[FTP-Server-vlan10] port gigabitethernet0/0/1
[FTP-Server-vlan10] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

# Enable the FTP server function.

[FTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for an FTP user on the FTP server.

[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password simple huawei
[FTP-Server-aaa] local-user huawei service-type ftp

[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit

# Run the ftp ftp-server-address command at the Windows command prompt, as shown in Figure 11-7. Enter the correct user name and password to set up an FTP connection to the FTP server.

Figure 11-7 Logging in to an FTP server from a user terminal

Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure 11-8.

Figure 11-8 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the FTP server. The command output shows that the digital certificate has been successfully uploaded to the server.

<FTP-Server> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  drw-              -  May 10 2011  05:05:40   src
    1  -rw-            446  May 10 2011  05:05:51   vrpcfg.zip
    2  -rw-          1,575  May 10 2011  05:05:53   private-data.txt
    3  -rw-          1,302  May 10 2011  05:32:05   1_servercert_pem_rsa.pem
    4  -rw-            951  May 10 2011  05:32:44   1_serverkey_pem_rsa.pem

304,292 KB total (303,770 KB free)

# Create a sub-directory named security and copy the digital certificate to this sub-directory.

<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security sub-directory on the FTP server. The command output shows that the digital certificate has been successfully uploaded to the server.

<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,302  May 10 2011  05:44:34   1_servercert_pem_rsa.pem
    1  -rw-            951  May 10 2011  05:45:22   1_serverkey_pem_rsa.pem

304,292 KB total (303,766 KB free)

Step 2 Configure an SSL policy and load the digital certificate.

# Create an SSL policy and load the PEM digital certificate.

<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
[FTP-Server-ssl-policy-ftp_server] quit

Step 3 Enable the FTPS server function.

NOTE
Before enabling the FTPS server function, disable the FTP server function.

[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable

Step 4 Install the SSL-capable FTP client software on the PC.

For details about the operation procedure, see the help document about the third-party software.

Step 5 Verify the configuration.

# Run the display ssl policy command on the FTPS server. The command output shows detailed information about the loaded certificate.

[FTP-Server] display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem

Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

# Run the display ftp-server command on the FTPS server. The command output shows that the configured SSL policy name is ftp_server and the FTPS server is running.

[FTP-Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running

You can establish a connection with the FTPS server using the SSL-capable FTP client software and upload files to and download files from the server.

----End

Configuration Files

Configuration file of the FTPS server

#
 sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10
#
ssl policy ftp_server
 certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 local-user huawei password simple huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory flash:/
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
return

11.6.2 Example for Configuring Login to an FTPS Server from an FTPS Client

You can log in to an FTPS server from an FTPS client to operate files transmitted between the server and the client.

Networking Requirements

Traditional FTP does not have a security mechanism. It transmits data in plain text, bringing security threats. Transmitted data is easy to tamper with. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server.

An SSL policy can be configured on the FTP server to improve security. SSL allows data encryption, identity authentication, and message integrity verification. In addition, SSL provides secure connections for the FTP server, greatly improving security of the FTP server. SSL can sign a digital certificate to prevent eavesdropping and tampering, and manage the certificate and key. This ensures that only authorized clients can log in to the server.

As shown in Figure 11-9:
- An SSL policy needs to be configured on and a digital certificate needs to be loaded to an FTP server to verify the validity of the trusted-CA file.
- An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP client to verify the identity of the certificate owner.

If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS client to remotely manage files.

Figure 11-9 Accessing an FTPS server from an FTPS client (FTP-Client with VLANIF20 1.1.1.1/24 and VLANIF40, FTP-Server with VLANIF30 1.1.1.2/24 and VLANIF10, connected across the network; PC1 and PC2 on 192.168.1.1/24 and 192.168.1.2/24)

Configuration Roadmap

The configuration roadmap is as follows:
1. Upload certificates.
   - Upload the digital certificate saved on PC2 to the FTP server.
   - Copy the digital certificate from the system directory of the FTP server to the security sub-directory.
   - Upload the trusted-CA file saved on PC1 to the FTP client.
   - Copy the trusted-CA file from the system directory of the FTP client to the security sub-directory.
2. Load the certificates and configure SSL policies.
   - Configure an SSL policy and load the digital certificate.
   - Configure an SSL policy and load the trusted-CA file.
3. Enable the FTPS server function on the FTP server.

4. Configure IP addresses for the interfaces that interconnect the FTP client and server to ensure that the client and server are routable.
5. Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.

Data Preparation

To complete the configuration, you need the following data:
- IP addresses of the FTP client and server
- FTP user name and password
- SSL trusted-CA file and digital certificate

Procedure

Step 1 Upload certificates.

- Perform the following steps on the FTP server:

# Configure an IP address for the FTP server so that the PC and FTP server are routable.

<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] interface gigabitethernet0/0/1
[FTP-Server-GigabitEthernet0/0/1] port link-type access
[FTP-Server-GigabitEthernet0/0/1] quit
[FTP-Server] vlan 10
[FTP-Server-vlan10] port gigabitethernet0/0/1
[FTP-Server-vlan10] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

# Enable the FTP server function.

[FTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for an FTP user on the FTP server.

[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password simple huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit

# Run the ftp ftp-server-address command at the Windows command prompt, as shown in Figure 11-10. Enter the correct user name and password to set up an FTP connection to the FTP server.

Figure 11-10 Logging in to an FTP server from a user terminal

Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure 11-11.

Figure 11-11 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the FTP server. The command output shows that the digital certificate has been successfully uploaded to the server.

<FTP-Server> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  drw-              -  May 10 2011  05:05:40   src
    1  -rw-            446  May 10 2011  05:05:51   vrpcfg.zip
    2  -rw-          1,575  May 10 2011  05:05:53   private-data.txt

    3  -rw-          1,302  May 10 2011  05:32:05   1_servercert_pem_rsa.pem
    4  -rw-            951  May 10 2011  05:32:44   1_serverkey_pem_rsa.pem
    5  drw-              -  May 10 2011  05:43:39   security

304,292 KB total (303,770 KB free)

- Perform the following steps on the FTP server:

# Create a sub-directory named security and copy the digital certificate to this sub-directory.

<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security sub-directory on the FTP server. The command output shows that the digital certificate has been successfully uploaded to the server.

<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,302  May 10 2011  05:44:34   1_servercert_pem_rsa.pem
    1  -rw-            951  May 10 2011  05:45:22   1_serverkey_pem_rsa.pem

304,292 KB total (303,766 KB free)

- Perform the following steps on the FTP client:

The procedure for uploading the trusted-CA file to the FTP client is similar to the procedure for uploading the digital certificate to the FTP server. For detailed configurations, see the configuration file of the FTP client in this example.

After the trusted-CA file is uploaded to the FTP client, run the dir command on the FTP client. The command output shows that the trusted-CA file has been successfully uploaded to the FTP client.

<FTP-Client> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,558  May 10 2011  04:50:39   private-data.txt
    1  -rw-          1,237  May 10 2011  05:55:33   1_cacert_pem_rsa.pem
    2  -rw-          1,241  May 10 2011  05:55:44   1_rootcert_pem_rsa.pem
    3  drw-              -  Apr 09 2011  19:46:14   src
    4  -rw-            421  Apr 09 2011  19:46:14   vrpcfg.zip
    5  -rw-      1,308,478  Apr 14 2011  19:22:45   web.zip
    6  drw-              -  Apr 10 2011  01:35:54   logfile
    7  -rw-              4  Apr 19 2011  04:24:28   snmpnotilog.txt
    8  drw-              -  Apr 11 2011  16:18:53   security
    9  drw-              -  Apr 13 2011  11:37:40   lam

304,292 KB total (300,270 KB free)

Step 2 Load the certificates and configure SSL policies.

# Create an SSL policy and load the PEM digital certificate.

<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
[FTP-Server-ssl-policy-ftp_server] quit

After the preceding configurations are complete, run the display ssl policy command on the FTP server. The command output shows detailed information about the loaded certificate.

[FTP-Server] display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM

Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

- Configure the FTP client.

The configuration procedure is similar to that on the FTP server. For detailed configurations, see the configuration file of the FTP client in this example.

# Create a sub-directory named security and copy the trusted-CA file to this sub-directory.

After the trusted-CA file is copied to the security sub-directory, run the dir command in this sub-directory. The command output shows that the trusted-CA file has been successfully copied to this sub-directory.

<FTP-Client> cd security/
<FTP-Client> dir
Directory of flash:/security/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,237  May 10 2011  05:57:15   1_cacert_pem_rsa.pem
    1  -rw-          1,241  May 10 2011  05:57:29   1_rootcert_pem_rsa.pem

304,292 KB total (300,266 KB free)

# Create an SSL policy and load the trusted-CA file.

<FTP-Client> system-view
[FTP-Client] ssl policy ftp_client
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_cacert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] quit

After the preceding configurations are complete, run the display ssl policy command on the FTP client. The command output shows detailed information about the trusted-CA file.

[FTP-Client] display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

Step 3 Enable the FTPS server function.

NOTE
Before enabling the FTPS server function, disable the FTP server function.

[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable

Step 4 Configure IP addresses for the interfaces that interconnect the FTP client and server.

# Configure the FTP server.

[FTP-Server] interface gigabitethernet 0/0/2
[FTP-Server-GigabitEthernet0/0/2] port link-type access
[FTP-Server-GigabitEthernet0/0/2] quit
[FTP-Server] vlan 30

[FTP-Server-vlan30] port gigabitethernet 0/0/2
[FTP-Server-vlan30] quit
[FTP-Server] interface vlanif 30
[FTP-Server-Vlanif30] ip address 1.1.1.2 24
[FTP-Server-Vlanif30] quit

# Configure the FTP client.

[FTP-Client] interface gigabitethernet 0/0/2
[FTP-Client-GigabitEthernet0/0/2] port link-type access
[FTP-Client-GigabitEthernet0/0/2] quit
[FTP-Client] vlan 20
[FTP-Client-vlan20] port gigabitethernet 0/0/2
[FTP-Client-vlan20] quit
[FTP-Client] interface vlanif 20
[FTP-Client-Vlanif20] ip address 1.1.1.1 24
[FTP-Client-Vlanif20] quit
[FTP-Client] quit

Step 5 Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.

<FTP-Client> ftp ssl-policy ftp_client 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2.
220 FTP service ready.
234 AUTH command successfully. Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

The client can log in to the FTP server only after the correct user name and password are entered.

Step 6 Verify the configuration.

# Run the display ftp-server command on the FTPS server. The command output shows that the configured SSL policy name is ftp_server and the FTPS server is running.

[FTP-Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running

You can use the FTP client to remotely manage files on the FTPS server.

----End

Configuration Files

- Configuration file of the FTP server

#
 sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10 30

#
ssl policy ftp_server
 certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 local-user huawei password simple huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory flash:/
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface Vlanif30
 ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 30
#
return

- Configuration file of the FTP client

#
 sysname FTP-Client
#
FTP server enable
#
vlan batch 20 40
#
ssl policy ftp_client
 trusted-ca load pem-ca 1_cacert_pem_rsa.pem
 trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 local-user huawei password simple huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory flash:/
#
interface Vlanif20
 ip address 1.1.1.1 255.255.255.0
#
interface Vlanif40
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 40
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
return
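The explicit FTPS exchange printed in Step 5 of 11.6.2 (AUTH, PBSZ, PROT P, then USER/PASS) and the trusted-CA check that the FTP client applies to the server certificate in both 11.6.1 and 11.6.2, shown as an added Python example that is not part of this guide or of the switch software. It uses only the standard ftplib and ssl modules; the host 1.1.1.2, the user huawei and the CA file name are taken from the example, and the two control-channel transcripts are constructed sample input.

```python
"""Added example: check an FTPS login the way the FTP client in 11.6.2 does.

Two things are shown:
  1. build_client_context() is the software equivalent of loading a
     trusted-CA file into the client's SSL policy: the server certificate
     must chain to that CA or the connection is refused.
  2. credentials_protected() reads a control-channel transcript (like the
     one printed by "ftp ssl-policy ftp_client 1.1.1.2") and confirms that
     TLS was negotiated (234 reply to AUTH) and the data channel was made
     private (PROT P accepted) before the USER/PASS exchange started.
Assumptions: standard-library ftplib/ssl only; host, user and CA file name
come from the guide; both transcripts below are constructed samples.
"""
import re
import ssl
from ftplib import FTP_TLS

TRUSTED_CA_FILE = "1_cacert_pem_rsa.pem"   # file name used in the guide

# Constructed sample input: the server replies seen in Step 5 of 11.6.2.
SECURE_TRANSCRIPT = """\
220 FTP service ready.
234 AUTH command successfully. Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
"""

# Constructed sample input: a plain FTP login with no AUTH and no PROT P.
PLAINTEXT_TRANSCRIPT = """\
220 FTP service ready.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
"""

# RFC 959 reply line: three-digit code, then a space (or '-' for multi-line).
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")


def build_client_context(trusted_ca_file=None):
    """SSL context that only accepts a server certificate signed by the
    trusted CA, matching the client's "trusted-ca load pem-ca" step.
    With trusted_ca_file=None the system CA store is used instead."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH,
                                     cafile=trusted_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # refuse unverifiable servers
    ctx.check_hostname = True             # certificate must name the peer
    return ctx


def context_is_strict(ctx):
    """True if the context verifies the chain, the name and the TLS floor."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def credentials_protected(transcript):
    """Return True if the user name was only sent after the server accepted
    AUTH (234) and PROT P (200 ... private); False otherwise."""
    tls_up = False
    data_private = False
    for line in transcript.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            code, text = m.group(1), m.group(2).lower()
            if code == "234":
                tls_up = True
            elif code == "200" and "private" in text:
                data_private = True
            elif code == "331":
                # Password prompt: credentials are now in flight.
                return tls_up and data_private
        elif line.startswith("User(") and not tls_up:
            return False      # user name went out in clear text
    return False              # login never reached the password prompt


def ftps_login(host, user, password, trusted_ca_file, port=21):
    """Explicit FTPS login in the order of the guide's transcript:
    connect (220), AUTH TLS (234), PBSZ/PROT P (200), USER/PASS (331/230)."""
    ftps = FTP_TLS(context=build_client_context(trusted_ca_file))
    ftps.connect(host, port, timeout=10)
    ftps.auth()            # AUTH TLS; raises if the certificate fails
    ftps.prot_p()          # PBSZ 0 + PROT P: encrypt the data channel too
    ftps.login(user, password)
    return ftps


if __name__ == "__main__":
    print("secure transcript:", credentials_protected(SECURE_TRANSCRIPT))
    print("plain transcript: ", credentials_protected(PLAINTEXT_TRANSCRIPT))
    # Live login against the example's server (needs it to be reachable):
    # ftps_login("1.1.1.2", "huawei", "huawei", TRUSTED_CA_FILE).quit()
```

With check_hostname enabled, a server addressed by IP such as 1.1.1.2 must carry that address in its certificate; a certificate issued only for a host name fails the check by design.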

11.6.3 Example for Configuring Secure Web Network Management

Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted, and check message integrity, secure Web network management provides secure Web access.

Networking Requirements

After a device that supports Web network management is enabled with the HTTP function, the device can function as a Web server. Users can log in to the device using HTTP and use Web pages to access and control the device. HTTP does not provide a mechanism that allows users to authenticate a Web server or protect the privacy of data transmission. To address this problem, you can configure HTTPS on the device. HTTPS, which adds support for SSL, is an extension to the commonly used HTTP. SSL allows the client and server to authenticate each other and encrypts data to be transmitted.

As shown in Figure 11-12, an SSL policy is configured on the device that functions as an HTTP server. After a digital certificate is loaded to and the HTTPS server function is enabled on the server, users can log in to the server to remotely manage the server using Web pages.

Figure 11-12 Networking diagram for accessing another device by using HTTPS (PC connected over the network to HTTP-Server, VLANIF10 192.168.0.1/24)

Configuration Roadmap

The configuration roadmap is as follows:
1. Upload a digital certificate and a Web page file.
   - Upload the digital certificate and Web page file saved on the PC to the device that functions as an HTTP server.
   - Copy the digital certificate from the system directory of the HTTP server to the security sub-directory.
2. Load the digital certificate: configure an SSL policy and load the digital certificate.
3. Load the Web page file.
4. Create a Web account.
5. Log in to the Web system.

Data Preparation

To complete the configuration, you need the following data:
- IP addresses of the HTTP server
- HTTP user name and password
- SSL digital certificate

- Web account
- Web page file

Procedure

Step 1 Upload the digital certificate and Web page file.

# Configure an IP address for the device that functions as an HTTP server so that the PC and HTTP server are routable.

<Quidway> system-view
[Quidway] sysname HTTP-Server
[HTTP-Server] interface gigabitethernet0/0/1
[HTTP-Server-GigabitEthernet0/0/1] port link-type access
[HTTP-Server-GigabitEthernet0/0/1] quit
[HTTP-Server] vlan 10
[HTTP-Server-vlan10] port gigabitethernet0/0/1
[HTTP-Server-vlan10] quit
[HTTP-Server] interface vlanif 10
[HTTP-Server-Vlanif10] ip address 192.168.0.1 24
[HTTP-Server-Vlanif10] quit

# Enable the FTP server function.

[HTTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for FTP users.

[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password simple huawei
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei ftp-directory flash:
[HTTP-Server-aaa] quit
[HTTP-Server] quit

# Upload the digital certificate and Web page file from the PC to the HTTP server, as shown in Figure 11-13.

Figure 11-13 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the HTTP server. The command output shows that the digital certificate and Web page file have been successfully uploaded to the server.

<HTTP-Server> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          1,558  Apr 14 2011  16:24:39   private-data.txt
    1  -rw-          1,302  Apr 13 2011  14:29:31   1_servercert_pem_rsa.pem
    2  -rw-            951  Apr 13 2011  14:29:49   1_serverkey_pem_rsa.pem
    3  drw-              -  Apr 09 2011  19:46:14   src
    4  -rw-            421  Apr 09 2011  19:46:14   vrpcfg.zip
    5  -rw-      1,308,478  Apr 14 2011  19:22:45   web.zip
    6  drw-              -  Apr 10 2011  01:35:54   logfile
    7  -rw-              4  Apr 14 2011  04:56:35   snmpnotilog.txt
    8  drw-              -  Apr 11 2011  16:18:53   security
    9  drw-              -  Apr 13 2011  11:37:40   lam

304,292 KB total (300,404 KB free)

# Create a sub-directory named security and copy the digital certificate to this sub-directory.

<HTTP-Server> mkdir security/
<HTTP-Server> copy 1_servercert_pem_rsa.pem security/
<HTTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security sub-directory on the HTTP server. The command output shows that the digital certificate has been successfully uploaded to the server.

<HTTP-Server> cd security/
<HTTP-Server> dir
Directory of flash:/security/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    1  -rw-          1,302  Apr 14 2011  19:22:30   1_servercert_pem_rsa.pem
    2  -rw-            951  Apr 14 2011  19:22:35   1_serverkey_pem_rsa.pem

304,292 KB total (303,782 KB free)

Step 2 Configure an SSL policy and load the digital certificate.

# Create an SSL policy and load the PEM digital certificate.

<HTTP-Server> system-view
[HTTP-Server] ssl policy http_server
[HTTP-Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
[HTTP-Server-ssl-policy-http_server] quit

After the preceding configurations are complete, run the display ssl policy command on the HTTP server. The command output shows detailed information about the loaded certificate.

[HTTP-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:

CRL File:
Trusted-CA File:

Step 3 Load the Web page file.

[HTTP-Server] http server load web.zip

Step 4 Create a Web account.

# Enable the HTTPS server function.

NOTE
Before enabling the HTTPS server function, disable the HTTP server function.

[HTTP-Server] undo http server enable
[HTTP-Server] http secure-server ssl-policy http_server
[HTTP-Server] http secure-server enable

# Configure authentication information and authorization mode for HTTP users.

[HTTP-Server] aaa
[HTTP-Server-aaa] local-user http password simple http
[HTTP-Server-aaa] local-user http service-type http
[HTTP-Server-aaa] quit

Step 5 Log in to the Web system.

Open the Web browser on the PC. Enter the IP address of the HTTP server in the address bar. Press Enter and the dialog box shown in Figure 11-14 is displayed.

Figure 11-14 Login GUI

Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter the Web system.

Step 6 Verify the configuration.

# Run the display http server command on the HTTPS server. The command output shows the SSL policy name and the HTTPS server status.

[HTTP-Server] display http-server
HTTP Server Status : disabled
HTTP Server Port : 80(80)

HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server

----End

Configuration Files

Configuration file of the HTTPS server

#
 sysname FTP-Server
#
FTP server enable
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
vlan batch 10
#
ssl policy http_server
 certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 local-user http password simple http
 local-user http service-type http
 local-user huawei password simple huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory flash:
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
return
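A configuration check over the display ftp-server and display http server output printed in the verification steps of 11.6.2 and 11.6.3 (and in 11.5.7 Checking the Configuration), written in Python as an added example that is not part of this guide or of the switch software. It parses the command output exactly as printed on the page and reports a device where the plain-text service was left enabled next to the secure one or where no SSL policy is bound; the field names are taken from that output, the two sample outputs are copied from the guide, the "weak" variant is constructed, and reading "Acl number 0" as "no ACL bound" is an assumption.

```python
"""Added example: audit the verification output from the SSL examples.

The guide's NOTEs say to disable the plain FTP/HTTP server before enabling
the FTPS/HTTPS server. These checks read the text of "display ftp-server"
and "display http server" and flag a device where that was not done or
where no SSL policy is bound. Field names follow the output as printed in
the guide; the guide outputs are copied, the weak variant is constructed.
"""

# Copied from Step 6 of 11.6.2 (sample input).
FTP_OUTPUT_FROM_GUIDE = """\
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running
"""

# Copied from Step 6 of 11.6.3 (sample input).
HTTP_OUTPUT_FROM_GUIDE = """\
HTTP Server Status : disabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
"""

# Constructed: plain HTTP left on, HTTPS off, no policy bound.
HTTP_OUTPUT_WEAK = """\
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : disabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy :
"""

# Fixed prefixes of the display ftp-server lines (no separator is printed).
FTP_KEYS = ("FTP server is", "Max user number", "User count",
            "Timeout value(in minute)", "Listening port", "Acl number",
            "FTP server's source address", "FTP SSL policy",
            "FTP Secure-server is")


def parse_http_server(text):
    """'Key : value' lines -> dict; an empty value stays an empty string."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_ftp_server(text):
    """Match each line against the known prefixes; the remainder is the value
    ('Acl number 0' -> fields['Acl number'] == '0', an absent policy -> '')."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        for key in FTP_KEYS:
            if line.startswith(key):
                fields[key] = line[len(key):].strip()
                break
    return fields


def audit_http_server(text):
    """Return findings; an empty list is the state the guide verifies:
    HTTP disabled, HTTPS enabled, a policy bound."""
    f = parse_http_server(text)
    findings = []
    if f.get("HTTP Server Status") != "disabled":
        findings.append("plain HTTP server still enabled on port %s"
                        % f.get("HTTP Server Port", "?"))
    if f.get("HTTP Secure-server Status") != "enabled":
        findings.append("HTTPS server not enabled")
    if not f.get("HTTP SSL Policy"):
        findings.append("no SSL policy bound to the HTTPS server")
    return findings


def audit_ftp_server(text):
    """Same idea for display ftp-server: plain FTP stopped, FTPS running,
    a policy bound, and an ACL limiting who may reach the service."""
    f = parse_ftp_server(text)
    findings = []
    if f.get("FTP server is") != "stopped":
        findings.append("plain FTP server still running on port %s"
                        % f.get("Listening port", "?"))
    if f.get("FTP Secure-server is") != "running":
        findings.append("FTPS server not running")
    if not f.get("FTP SSL policy"):
        findings.append("no SSL policy bound to the FTPS server")
    # Assumption: 'Acl number 0' means no ACL is bound (the guide never
    # configures one); this is reported as a hardening gap, not an error.
    if f.get("Acl number") == "0":
        findings.append("no ACL limits which hosts may reach the FTPS server")
    return findings


if __name__ == "__main__":
    for name, result in (("ftp (guide) ", audit_ftp_server(FTP_OUTPUT_FROM_GUIDE)),
                         ("http (guide)", audit_http_server(HTTP_OUTPUT_FROM_GUIDE)),
                         ("http (weak) ", audit_http_server(HTTP_OUTPUT_WEAK))):
        print(name, "->", result or "OK")
```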