
S6700 Series Ethernet Switches

V200R001C00

Configuration Guide - Basic


Configuration

Issue 05
Date 2013-04-10

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://enterprise.huawei.com

Issue 05 (2013-04-10) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
S6700 Series Ethernet Switches
Configuration Guide - Basic Configuration About This Document

About This Document

Intended Audience
This document describes the basic concepts, configuration procedures, and configuration
examples for the basic features supported by the S6700.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP       Indicates a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points of the main text.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Alternative items are grouped in braces and separated by vertical bars. Exactly one item must be selected.
[ x | y | ... ]   Optional items are grouped in brackets and separated by vertical bars. One item or no item is selected.
{ x | y | ... }*  Alternative items are grouped in braces and separated by vertical bars. At least one item and at most all items can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>            The parameter before the & sign can be repeated 1 to n times.
#                 A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.

Password Setting Conventions

- If a password is set in plain text mode, it is saved as plain text in the configuration file, so anyone who can read the file (or a backup of it) can read the password. Use cipher text mode when setting passwords, and change passwords regularly to keep the device secure. Note that the stored cipher text is text the device itself can decrypt, not a one-way hash, so configuration files and their backups must still be protected as sensitive data.
- If a password is set to a string that is already valid cipher text (a string the device can decrypt that starts and ends with %$%$), the device stores that string unchanged, and the same cipher text is displayed when you check the configuration file on the device. This method of setting a password is not recommended.
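As an added example that is not part of the Huawei guide, the following Python script audits a saved configuration file against the two conventions above: it flags every password stored as plain text and lists cipher-text passwords separately, because cipher text the device can decrypt is reversible and the file still needs protecting. The %$%$ delimiters are those the guide describes; the keywords simple and cipher, the super password line, and the sample configuration with its cipher strings are assumptions constructed for illustration, not real device output.

```python
"""Audit a saved switch configuration for password handling.

Added example, not from the Huawei guide. It relies on two facts stated in the
guide's Password Setting Conventions: a password entered in plain text is stored
in plain text, and stored cipher text starts and ends with %$%$. The keywords
"simple" and "cipher" and the sample lines below are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cipher text as described in the guide: the value starts and ends with %$%$.
CIPHER_RE = re.compile(r"^%\$%\$.+%\$%\$$")


@dataclass
class Finding:
    line_no: int
    severity: str  # "plaintext" or "reversible"
    line: str


def classify_line(line: str) -> Optional[str]:
    """Return "plaintext", "reversible", or None for a single configuration line.

    A line is considered to carry a stored password when it contains the token
    "password" followed by at least one more token; the last token is taken as
    the stored value (this covers "password simple X", "password cipher X" and
    "super password level N cipher X", all of which are assumed syntax here).
    "authentication-mode password" has no value and is ignored.
    """
    tokens = line.split()
    if "password" not in tokens or tokens[-1] == "password":
        return None
    value = tokens[-1]
    # Decryptable cipher text is still reversible, so it is reported too.
    return "reversible" if CIPHER_RE.match(value) else "plaintext"


def audit_config(text: str) -> List[Finding]:
    """Scan every non-comment line and collect password findings."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # "#" lines are comments per the guide
            continue
        severity = classify_line(line)
        if severity is not None:
            findings.append(Finding(line_no, severity, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the result can be checked or alerted on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample configuration (assumed syntax; cipher strings are fake).
SAMPLE_CONFIG = """\
#
 sysname Switch
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple Huawei@123
#
aaa
 local-user admin password cipher %$%$Qm7cG2xTn0aBvK9pL4eR%$%$
 local-user admin privilege level 15
 super password level 3 cipher %$%$hV2sQ9dLx0mNc8wE3tYu%$%$
#
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.severity:10s} {f.line}")
    print(summarize(audit_config(SAMPLE_CONFIG)))
```

Run it against a configuration exported from the device (for example one copied off with the FTP/SFTP procedures described later in this guide); any "plaintext" finding should be converted to cipher text mode, and a non-empty "reversible" count is the reminder that the exported file itself must be stored and transported as a secret.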

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.


Changes in Issue 05 (2013-04-10)

The fifth commercial release has the following updates:
- 6.5.2 Configuring an SSL Policy and Loading a Digital Certificate.

Changes in Issue 04 (2012-10-20)

The fourth commercial release has the following updates:
- 10 Web System Configuration.

Changes in Issue 03 (2012-07-03)

The third commercial release has the following updates:
- Some contents in this document are optimized.

Changes in Issue 02 (2012-05-23)

The second commercial release has the following updates:
- Some contents are modified according to updates in the product such as features and commands.
- Output information of some commands is modified.

Changes in Issue 01 (2012-03-15)

Initial commercial release.


Contents

About This Document.....................................................................................................................ii


1 Logging In to the System for the First Time............................................................................1
1.1 Introduction........................................................................................................................................................2
1.2 Logging In to the Device Through the Console Port..........................................................................................2
1.2.1 Establishing the Configuration Task.........................................................................................................2
1.2.2 Establishing the Physical Connection........................................................................................................3
1.2.3 Logging In to the Device...........................................................................................................................3

2 CLI Overview.................................................................................................................................6
2.1 CLI Introduction.................................................................................................................................................7
2.1.1 Command Line Interface...........................................................................................................................7
2.1.2 Command Levels.......................................................................................................................................7
2.1.3 Command Views.......................................................................................................................................8
2.2 Online Help.......................................................................................................................................................10
2.2.1 Full Help..................................................................................................................................................10
2.2.2 Partial Help..............................................................................................................................................11
2.2.3 Error Messages of the Command Line Interface.....................................................................................11
2.3 CLI Features.....................................................................................................................................................12
2.3.1 Editing.....................................................................................................................................................12
2.3.2 Displaying................................................................................................................................................13
2.3.3 Regular Expressions................................................................................................................................13
2.3.4 Previously-Used Commands...................................................................................................................17
2.4 Shortcut Keys...................................................................................................................................................18
2.4.1 System Shortcut Keys..............................................................................................................................18
2.5 Configuration Examples...................................................................................................................................19
2.5.1 Example for Using the Tab Key..............................................................................................................20

3 How to Use Interfaces.................................................................................................................21


3.1 Introduction to Interfaces..................................................................................................................................22
3.2 Setting Basic Parameters of an Interface..........................................................................................................24
3.2.1 Establishing the Configuration Task.......................................................................................................25
3.2.2 Entering the Interface View.....................................................................................................................25
3.2.3 Viewing All the Commands in the Interface View.................................................................................26
3.2.4 Configuring the Description for an Interface...........................................................................................26


3.2.5 Starting and Shutting Down an Interface................................................................................................26


3.2.6 Completing Advanced Configurations on an Interface...........................................................................27
3.2.7 Checking the Configuration.....................................................................................................................28
3.3 Configuring the Loopback Interface.................................................................................................................28
3.3.1 Establishing the Configuration Task.......................................................................................................28
3.3.2 Configuring IPv4 Parameters of the Loopback Interface........................................................................29
3.3.3 Checking the Configuration.....................................................................................................................29
3.4 Maintaining the Interface..................................................................................................................................29
3.4.1 Clearing Statistics Information on the Interface......................................................................................30

4 Basic Configuration.....................................................................................................................31
4.1 Configuring the Basic System Environment....................................................................................................32
4.1.1 Establishing the Configuration Task.......................................................................................................32
4.1.2 Configuring the Equipment Name...........................................................................................................32
4.1.3 Setting the System Clock.........................................................................................................................33
4.1.4 Configuring a Header..............................................................................................................................39
4.1.5 Configuring Command Levels................................................................................................................40
4.2 Displaying System Status Messages.................................................................................................................41
4.2.1 Displaying System Configuration...........................................................................................................41
4.2.2 Displaying System Status........................................................................................................................42
4.2.3 Collecting System Diagnostic Information.............................................................................................42

5 Configuring User Interfaces......................................................................................................43


5.1 User Interface Overview...................................................................................................................................44
5.2 Configuring the Console User Interface...........................................................................................................46
5.2.1 Establishing the Configuration Task.......................................................................................................46
5.2.2 Setting Physical Attributes of the Console User Interface......................................................................46
5.2.3 Setting Terminal Attributes of the Console User Interface.....................................................................48
5.2.4 Configuring User Privilege of the Console User Interface......................................................................49
5.2.5 Configuring the User Authentication Mode of the Console User Interface............................................49
5.2.6 Checking the Configurations...................................................................................................................51
5.3 Configuring the VTY User Interface................................................................................................................52
5.3.1 Establishing the Configuration Task.......................................................................................................52
5.3.2 Configuring the Maximum Number of VTY User Interfaces.................................................................53
5.3.3 (Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces...................54
5.3.4 Setting Terminal Attributes of the VTY User Interface..........................................................................54
5.3.5 Setting User Priority of the VTY User Interface.....................................................................................55
5.3.6 Setting the User Authentication Mode of the VTY User Interface.........................................................56
5.3.7 Checking the Configurations...................................................................................................................58
5.4 Configuration Examples...................................................................................................................................59
5.4.1 Example for Configuring Console User Interface...................................................................................59
5.4.2 Example for Configuring a VTY User Interface.....................................................................................61

6 Configuring User Login.............................................................................................................63


6.1 Overview of User Login...................................................................................................................................64


6.2 Logging in to the Devices Through the Console Port......................................................................................67
6.2.1 Establishing the Configuration Task.......................................................................................................67
6.2.2 (Optional) Configuring the Console User Interface................................................................................67
6.2.3 Logging In to the Device Using a Console Port......................................................................................68
6.2.4 Checking the Configurations...................................................................................................................70
6.3 Logging in to Devices Using Telnet.................................................................................................................71
6.3.1 Establishing the Configuration Task.......................................................................................................71
6.3.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface...........72
6.3.3 Enabling the Telnet Service.....................................................................................................................74
6.3.4 Logging in to the Device Using Telnet...................................................................................................75
6.3.5 (Optional) Configuring Listening Port Number for Telnet Server..........................................................76
6.3.6 Checking the Configurations...................................................................................................................77
6.4 Logging in to Devices Using STelnet...............................................................................................................78
6.4.1 Establishing the Configuration Task.......................................................................................................78
6.4.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface...........79
6.4.3 Configuring SSH for the VTY User Interface.........................................................................................81
6.4.4 Configuring an SSH User and Specifying the Service Types.................................................................82
6.4.5 Enabling the STelnet Server Function.....................................................................................................86
6.4.6 Logging in to the Device Using STelnet.................................................................................................87
6.4.7 (Optional) Configuring the STelnet Server Parameters...........................................................................88
6.4.8 Checking the Configurations...................................................................................................................90
6.5 Logging in to the Devices by Using Secure Web Network Management (HTTPS Mode)..............................91
6.5.1 Establishing the Configuration Task.......................................................................................................91
6.5.2 Configuring an SSL Policy and Loading a Digital Certificate................................................................92
6.5.3 Loading a Web Page File.........................................................................................................................94
6.5.4 Enabling the HTTPS Function................................................................................................................94
6.5.5 Creating a Web Account..........................................................................................................................95
6.5.6 Logging In to the Web System................................................................................................................95
6.5.7 Checking the Configurations...................................................................................................................96
6.6 Common Operations After Login.....................................................................................................................97
6.6.1 Establishing the Configuration Task.......................................................................................................97
6.6.2 Switching User Levels.............................................................................................................................98
6.6.3 Locking User Interfaces...........................................................................................................................99
6.6.4 Sending Messages to Other User Interfaces............................................................................................99
6.6.5 Displaying Login Users...........................................................................................................................99
6.6.6 Clearing Logged-in Users......................................................................................................................100
6.6.7 Configuring Configuration Locking......................................................................................................100
6.7 Configuration Examples.................................................................................................................................101
6.7.1 Example for Configuring User Login Using a Console Port.................................................................101
6.7.2 Example for Configuring User Login Through Telnet..........................................................................104
6.7.3 Example for Configuring User Login by Using STelnet.......................................................................107


6.7.4 Example for Configuring User Login by Using Secure Web Network Management...........................110

7 Managing the File System.......................................................................................................116


7.1 File System Overview....................................................................................................................................117
7.1.1 File System............................................................................................................................................117
7.1.2 Methods of File Management................................................................................................................117
7.2 Managing Files Using the File System...........................................................................................................118
7.2.1 Establishing the Configuration Task.....................................................................................................119
7.2.2 Managing Storage Devices....................................................................................................................119
7.2.3 Managing Directories............................................................................................................................120
7.2.4 Managing Files......................................................................................................................................120
7.3 Managing Files Using FTP.............................................................................................................................123
7.3.1 Establishing the Configuration Task.....................................................................................................123
7.3.2 Configuring a Local FTP User..............................................................................................................123
7.3.3 (Optional) Specifying a Port Number for the FTP Server.....................................................................124
7.3.4 Enabling the FTP Server........................................................................................................................125
7.3.5 (Optional) Configuring the FTP Server Parameters..............................................................................126
7.3.6 (Optional) Configuring an FTP ACL....................................................................................................126
7.3.7 Accessing the System by Using FTP.....................................................................................................127
7.3.8 Managing Files Using FTP Commands.................................................................................................128
7.3.9 Checking the Configurations.................................................................................................................130
7.4 Managing Files Using SFTP...........................................................................................................................131
7.4.1 Establishing the Configuration Task.....................................................................................................131
7.4.2 Configuring VTY User Interface...........................................................................................................132
7.4.3 Configuring SSH for the VTY User Interface.......................................................................................132
7.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types...........................................133
7.4.5 Enabling the SFTP Service....................................................................................................................137
7.4.6 (Optional) Configuring the SFTP Server Parameters............................................................................138
7.4.7 Accessing the System Using SFTP.......................................................................................................139
7.4.8 Managing Files Using SFTP..................................................................................................................140
7.4.9 Checking the Configurations.................................................................................................................142
7.5 Performing File Operations by Means of FTPS.............................................................................................143
7.5.1 Establishing the Configuration Task.....................................................................................................143
7.5.2 Configuring an SSL Policy and Loading a Digital Certificate..............................................................144
7.5.3 Enabling the FTPS Function..................................................................................................................145
7.5.4 Accessing an FTPS Server....................................................................................................................146
7.5.5 Checking the Configurations.................................................................................................................146
7.6 Configuration Examples.................................................................................................................................147
7.6.1 Example for Managing Files Using FTP...............................................................................................147
7.6.2 Example for Managing Files Using SFTP.............................................................................................149
7.6.3 Example for Performing File Operations by Means of FTPS...............................................................151

8 Configuring System Startup....................................................................................................157


8.1 System Startup Overview...............................................................................................................................158


8.1.1 System Software....................................................................................................................................158


8.1.2 Configuration Files................................................................................................................................158
8.1.3 Configuration Files and Current Configurations...................................................................................158
8.2 Managing Configuration Files........................................................................................................................159
8.2.1 Establishing the Configuration Task.....................................................................................................159
8.2.2 Saving Configuration Files....................................................................................................................160
8.2.3 Clearing a Configuration File................................................................................................................161
8.2.4 Comparing Configuration Files.............................................................................................................162
8.2.5 Backing Up the Configuration Files......................................................................................................163
8.2.6 Restoring the Configuration Files..........................................................................................................164
8.2.7 Checking the Configurations.................................................................................................................165
8.3 Specifying a File for System Startup..............................................................................................................166
8.3.1 Establishing the Configuration Task.....................................................................................................166
8.3.2 Configuring System Software for a switch to Load for the Next Startup.............................................167
8.3.3 Configuring the Configuration File for Switch to Load at the Next Startup.........................................167
8.3.4 Checking the Configurations.................................................................................................................168
8.4 Configuration Examples.................................................................................................................................168
8.4.1 Example for Configuring System Startup.............................................................................................168

9 Accessing Another Device.......................................................................................................171


9.1 Accessing Another Device.............................................................................................................................173
9.1.1 Telnet Method........................................................................................................................................173
9.1.2 FTP Method...........................................................................................................................................175
9.1.3 TFTP Method........................................................................................................................................175
9.1.4 SSH Method..........................................................................................................................................175
9.1.5 SSL Mode..............................................................................................................................................176
9.1.6 SCP Mode..............................................................................................................................................179
9.2 Logging in to Other Devices Using Telnet.....................................................................................................179
9.2.1 Establishing the Configuration Task.....................................................................................................179
9.2.2 (Optional) Configuring a Source IP Address for a Telnet Client..........................................................180
9.2.3 Logging in to Another Device by Using Telnet....................................................................................180
9.2.4 Checking the Configurations.................................................................................................................181
9.3 Logging in to Another Device Using STelnet................................................................................................182
9.3.1 Establishing the Configuration Task.....................................................................................................182
9.3.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on
the SSH Client)...............................................................................................................................................183
9.3.3 Configuring the First Successful Login to Another Device (Allocating a Public Key to the SSH Server)
........................................................................................................................................................................183
9.3.4 Logging in to Another Device Using STelnet.......................................................................................185
9.3.5 Checking the Configurations.................................................................................................................185
9.4 Accessing Files on Another Device Using TFTP...........................................................................................186
9.4.1 Establishing the Configuration Task.....................................................................................................186
9.4.2 (Optional) Configuring a Source IP Address for a TFTP Client...........................................................187
9.4.3 (Optional) Configuring TFTP Access Authority...................................................................................187


9.4.4 Downloading Files Using TFTP............................................................................................................188


9.4.5 Uploading Files Using TFTP.................................................................................................................189
9.4.6 Checking the Configurations.................................................................................................................189
9.5 Accessing Files on Another Device Using FTP.............................................................................................190
9.5.1 Establishing the Configuration Task.....................................................................................................190
9.5.2 (Optional) Configuring the Source IP Address and Interface of the FTP Client...................................191
9.5.3 Connecting to Other Devices Using FTP Commands...........................................................................191
9.5.4 Managing Files Using FTP Commands.................................................................................................192
9.5.5 Changing Login Users...........................................................................................................................195
9.5.6 Disconnecting from the FTP Server......................................................................................................195
9.5.7 Checking the Configurations.................................................................................................................196
9.6 Accessing Files on Another Device Using SFTP...........................................................................................196
9.6.1 Establishing the Configuration Task.....................................................................................................196
9.6.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on
the SSH Client)...............................................................................................................................................197
9.6.3 Configuring the First Successful Login to Another Device (Allocating a Public Key to the SSH Server)
........................................................................................................................................................................198
9.6.4 Connecting to Other Devices by Using SFTP.......................................................................................199
9.6.5 Managing Files Using SFTP Commands..............................................................................................200
9.6.6 Checking the Configurations.................................................................................................................201
9.7 Accessing Files on Another Device by Using FTPS......................................................................................202
9.7.1 Establishing the Configuration Task.....................................................................................................202
9.7.2 Configuring the FTPS Client.................................................................................................................203
9.7.3 Configuring the FTPS Server................................................................................................................205
9.7.4 Accessing an FTPS Server....................................................................................................................206
9.7.5 Checking the Configurations.................................................................................................................209
9.8 Accessing Files on Another Device by Using SCP........................................................................................210
9.8.1 Establishing the Configuration Task.....................................................................................................210
9.8.2 Configuring the SCP Server..................................................................................................................211
9.8.3 Configuring the SCP Client...................................................................................................................215
9.8.4 Checking the Configurations.................................................................................................................215
9.9 Configuration Examples.................................................................................................................................216
9.9.1 Example for Logging in to Another Device by Using Telnet...............................................................216
9.9.2 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server..................218
9.9.3 Example for Accessing Files on Another Device by Using TFTP........................................................225
9.9.4 Example for Accessing Files on Another Device by Using FTP..........................................................226
9.9.5 Example for Accessing Files on Another Device by Using SFTP........................................................228
9.9.6 Example for Accessing Files on Another Device by Using FTPS........................................................235
9.9.7 Example for Accessing Files on Another Device by Using SCP..........................................................242
9.9.8 Example for Configuring the SSH Server to Support the Access from Another Port...........................244
9.9.9 Example for Authenticating SSH Through RADIUS............................................................................251

10 Web System Configuration...................................................................................................256


10.1 Overview of Web System.............................................................................................................................257


10.2 Starting Web System....................................................................................................................................257


10.2.1 Setting the Management IP Address of the Device.............................................................................257
10.2.2 Uploading Web Page Files..................................................................................................................258
10.2.3 Loading a Web Page File.....................................................................................................................259
10.2.4 Creating a Web Account......................................................................................................................260
10.2.5 Logging In to the Web System............................................................................................................261


1 Logging In to the System for the First Time

About This Chapter

You can log in to a new switch through the console port to configure the switch.

1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.
1.2 Logging In to the Device Through the Console Port
This section describes how to establish the configuration environment by using the console port
to connect a terminal to a switch.


1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.

The console port is a linear port on the main control board.

A main control board provides one console port. To configure a device, connect the serial port
of the user terminal to the console port of the device.

1.2 Logging In to the Device Through the Console Port


This section describes how to establish the configuration environment by using the console port
to connect a terminal to a switch.

1.2.1 Establishing the Configuration Task


Before logging in to the switch through the console port, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.

Applicable Environment
When the switch is powered on for the first time, you can use the console port to log in to the
switch and then configure and manage it.

Pre-configuration Tasks
Before logging in to the switch through the console port, complete the following tasks:

l Install a terminal emulation program on the PC (for example, Windows XP HyperTerminal).
l Prepare the RS-232 cable.

Data Preparation
To log in to the switch through the console port, you need the following data.

No. Data
1   Terminal communication parameters:
    l Baud rate
    l Data bit
    l Parity
    l Stop bit
    l Flow-control mode


NOTE
The system automatically uses default parameter values for the first login.

1.2.2 Establishing the Physical Connection


The console port of the switch must be connected to the COM port of a terminal using a console
cable.

Procedure
Step 1 Power on all devices to perform a self-check.

Step 2 Connect the COM port on the PC and the console port on the switch by a cable.

----End

1.2.3 Logging In to the Device


To manage a switch that is powered on for the first time, you can log in to it using the console
port.

Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used during the first login to the device.

Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-1.

Figure 1-1 Connection creation


Step 2 Set an interface, as shown in Figure 1-2.

Figure 1-2 Interface settings

Step 3 Set communication parameters to match the switch defaults, as shown in Figure 1-3.

Figure 1-3 Communication parameter settings


Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
Please configure the login password (maximum length 16)
Enter Password:
Confirm Password:

NOTE

l After the password for the user interface is set successfully during the first login, you must enter this
password for authentication whenever you log in to the system again in password authentication mode
using this user interface.

----End


2 CLI Overview

About This Chapter

The command line interface (CLI) is used to configure and maintain devices.

2.1 CLI Introduction


After you log in to the switch, a prompt is displayed and you can use the command line interface
(CLI). Users can interact with the switch through the CLI.
2.2 Online Help
When inputting command lines or configuring services, you can use the online help to obtain
real-time help.
2.3 CLI Features
The CLI provides several features to help users flexibly use it.
2.4 Shortcut Keys
System or user-defined shortcut keys make it easier to enter commands.
2.5 Configuration Examples
This section provides several examples that illustrate the use of command lines.


2.1 CLI Introduction


After you log in to the switch, a prompt is displayed and you can use the command line interface
(CLI). Users can interact with the switch through the CLI.

2.1.1 Command Line Interface


You can use CLI commands to configure and manage the switch.
The CLI provides users access to a number of features and capabilities:
l Local configuration through the console port.
l Local or remote configuration through Telnet or Secure Shell (SSH).
l The telnet command for directly logging in to and managing other switches.
l FTP service for file uploads and downloads.
l A user interface view for specific configuration management.
l Hierarchical command protection structure giving certain levels of users permission to run
certain levels of commands.
l Entering "?" for online help at any time.
l Two authentication modes, namely password authentication and Authentication, Authorization,
and Accounting (AAA) authentication. Password and AAA authentication protect system security
by prohibiting unauthorized users from logging in to the switch.
l A command line interpreter that provides intelligent text entry methods such as key word fuzzy
match and context conjunction. These methods help users to enter commands easily and correctly.
l Network test commands such as tracert and ping for fast network diagnostics.
l Abundant debugging information to assist with network diagnostics.
l Running a command used previously on the device, like DosKey.
NOTE

l The system supports commands that contain a maximum of 510 characters. A command does not have
to be entered in full, as long as the part of the command entered is unique within the system. For
example, to use the display current-configuration command, entering d cu, di cu, or dis cu will run
the command. Entering d c or dis c will not run the command, because these entries are not unique to
the command.
l The system saves the complete form of incomplete commands to configuration files. Saved commands
may have more than 510 characters. When the system is restarted, incomplete commands cannot be
restored. Therefore, pay attention to the length of incomplete commands before saving them.

2.1.2 Command Levels


The system structures access to command functions hierarchically to protect system security.
The system administrator sets user access levels that grant specific users access to specific
command levels.

By default, the command level of a user is a value ranging from 0 to 3, and the user access level
is a value ranging from 0 to 15. Table 2-1 lists the association between user access levels and
command levels.


Table 2-1 Association between user access levels and command levels

User level 0
  Command level: 0
  Level name: Visit level
  Description: This level gives access to commands that run network diagnostic tools (such as
  ping and tracert), commands that start from a local device and visit external devices (such as
  the Telnet client side), and a part of the display commands.

User level 1
  Command level: 0 and 1
  Level name: Monitoring level
  Description: This level gives access to commands, like the display command, that are used for
  system maintenance and fault diagnosis.
  NOTE
  Some display commands are not at this level. For example, the display current-configuration
  and display saved-configuration commands are at level 3. For details about command levels,
  see the S6700 Series Command Reference.

User level 2
  Command level: 0, 1, and 2
  Level name: Configuration level
  Description: This level gives access to commands that configure network services provided
  directly to users, including routing and network layer commands.

User levels 3-15
  Command level: 0, 1, 2, and 3
  Level name: Management level
  Description: This level gives access to commands that control basic system operations and
  provide support for services. These commands include file system commands, FTP commands,
  TFTP commands, configuration file switching commands, power supply control commands,
  backup board control commands, user management commands, level setting commands, and
  debugging commands for fault diagnosis.

To implement more granular management, you can expand the range of command levels to 0-15.
For details, see "Configuring Command Levels" in Chapter 4 "Basic Configuration" of the S6700
Series Configuration Guide - Basic Configurations.

NOTE

l The default command level may be higher than the command level defined according to the command
rules in application.
l Login users have 16 levels. The login users can use only the command of the levels that are equal to
or lower than their own levels. The user privilege level level command sets the user level.

2.1.3 Command Views


The command line interface has different command views. Each command is registered in one or
more command views, and you can run a command only after entering one of the command views
in which it is registered.

Basic Concepts of Command Views


# Establish connection with the switch. If the switch adopts the default configuration, you can
enter the user view with the prompt of <Quidway>.
<Quidway>


# Type system-view, and you can enter the system view.
<Quidway> system-view
[Quidway]

# Type aaa in the system view, and you can enter the AAA view.
[Quidway] aaa
[Quidway-aaa]

NOTE

The prompt <Quidway> indicates the default switch name. The prompt <> indicates the user view and the
prompt [] indicates other views.

Some commands that are implemented in the system view can also be implemented in the other
views; however, the functions that can be implemented are command view-specific.

Common Views
The S6700 provides various command line views. For the methods of entering the command
line views except the following views, see the Quidway S6700 Series Ethernet Switches
Command Reference.

l User View
  Function: Displays the running status and statistics of the S6700.
  Entry command: Enters the user view after the connection is set up.
  Prompt upon entry: <Quidway>
  Quit command: <Quidway> quit
  Prompt upon quit: None.

l System View
  Function: Sets the system parameters of the S6700, and enters other function views from this
  view.
  Entry command: <Quidway> system-view
  Prompt upon entry: [Quidway]
  Quit command: [Quidway] quit
  Prompt upon quit: <Quidway>

l Ethernet Interface View


– XGE interface view
  Function: Sets parameters related to XGE interfaces of the S6700 and manages the XGE
  interfaces.
  Entry command: [Quidway] interface XGigabitEthernet X/Y/Z
  Prompt upon entry: [Quidway-XGigabitEthernetX/Y/Z]
  Quit command: [Quidway-XGigabitEthernetX/Y/Z] quit
  Prompt upon quit: [Quidway]

NOTE

X/Y/Z indicates the number of the XGE interface that needs to be configured. It is in the format of
slot number/sub card number/interface sequence number.

2.2 Online Help


When inputting command lines or configuring services, you can use the online help to obtain
real-time help.

2.2.1 Full Help


When you enter a command line, you can view the description of keywords or parameters in the
command line through the Full Help.
You can obtain full help from a command view in the following methods:
l In a command view, enter ? to obtain all the commands in this command view and
descriptions of the commands.
<Quidway> ?

l Enter a command and a ? separated by a space. If a keyword is in place of the ?, all keywords
and their descriptions are listed. Here is an example.
[Quidway-ui-vty0] authentication-mode ?
aaa AAA authentication
password Authentication through the password of a user terminal interface
[Quidway-ui-vty0] authentication-mode aaa ?
<cr>
[Quidway-ui-vty0] authentication-mode aaa

aaa and password are keywords. AAA authentication and Authentication through the
password of a user terminal interface are the descriptions of the two keywords.
<cr> indicates that no key word or parameter is needed in this position; the system repeats the
command on the next command line, and you can press Enter to run it.
l Enter a command and a ? separated by a space. If a parameter is in place of the ?, all
parameters and their descriptions are listed. Here is an example.
<Quidway> system-view
[Quidway] sysname ?


TEXT Host name(1 to 246 characters)

TEXT is a parameter and Host name (1 to 246 characters) is the description.

2.2.2 Partial Help


If you enter only the first or first several characters of a command, partial help provides keywords
that begin with this character or character string.

Procedure
l Use any of the following methods to obtain partial help from a command line.
– Enter a character string followed directly by a question mark (?) to display all commands
that begin with this character string.
<Quidway> d?
debugging delete
dir display

– Enter a command and a character string followed directly by a question mark (?) to
display all key words that begin with this character string.
<Quidway> display b?
bfd bgp
bootrom bpdu
bpdu-tunnel bridge
buffer

– Enter the first several letters of a key word in the command and then press Tab to display
the complete key word. A complete key word is displayed only if the partial string of letters
uniquely identifies a specific key word. If it does not, pressing Tab repeatedly cycles through
the matching key words, and you can select the one you need.

----End

2.2.3 Error Messages of the Command Line Interface


If a command is entered and passes the syntax check, the system executes it. Otherwise, the
system reports an error message.

Table 2-2 lists common error messages.

Table 2-2 Common error messages of the command line

Error: Unrecognized command found at '^' position.
  Cause: The command cannot be found.
  Cause: The key word cannot be found.

Error: Wrong parameter found at '^' position.
  Cause: Parameter type error.
  Cause: Parameter value out of range.

Error: Incomplete command found at '^' position.
  Cause: Incomplete command entered.

Error: Too many parameters found at '^' position.
  Cause: Too many parameters entered.

Error: Ambiguous command found at '^' position.
  Cause: Ambiguous parameters entered.
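The abbreviation rule from 2.1.1 (d cu, di cu and dis cu all run display current-configuration, while d c and dis c are rejected), the d? and display b? listings from 2.2.2, and the messages of Table 2-2 can be modelled together. The following is an added example written for this page, not S6700 software; its keyword tree is constructed from keywords this chapter mentions plus constructed siblings (for example display clock), and parameters such as file names are left out.

```python
"""Model of abbreviated-keyword resolution and Table 2-2 error reporting.

Added example, not S6700 code.  COMMAND_TREE is constructed: a node with no
children is a complete command, so "dir" is complete while "display" alone
is incomplete.  Parameters are not modelled.
"""
import re

COMMAND_TREE = {
    "display": {
        "current-configuration": {},
        "saved-configuration": {},
        "clock": {},                 # constructed sibling: makes "dis c" ambiguous
        "bfd": {}, "bgp": {}, "bootrom": {}, "bpdu": {},
        "bpdu-tunnel": {}, "bridge": {}, "buffer": {},
    },
    "debugging": {"bgp": {}},        # constructed
    "delete": {},                    # constructed (real command takes a file name)
    "dir": {},
    "system-view": {},
    "quit": {},
}

# Wording taken from Table 2-2.
ERROR_MESSAGES = {
    "unrecognized": "Error: Unrecognized command found at '^' position.",
    "incomplete": "Error: Incomplete command found at '^' position.",
    "too_many": "Error: Too many parameters found at '^' position.",
    "ambiguous": "Error: Ambiguous command found at '^' position.",
}


def _candidates(node, token):
    """Keywords in node that token abbreviates; an exact match wins outright."""
    if token in node:
        return [token]
    return [k for k in node if k.startswith(token)]


def _walk(node, tokens, idx, path):
    """Enumerate every parse of tokens[idx:] from node as (status, depth, path).

    Trying every candidate at each level is what lets "di cu" succeed even
    though "di" alone could be "dir" or "display": only the display branch
    yields a complete command (the context conjunction mentioned in 2.1.1).
    """
    if idx == len(tokens):
        return [("incomplete" if node else "ok", idx, path)]
    if not node:
        return [("too_many", idx, path)]
    found = _candidates(node, tokens[idx])
    if not found:
        return [("unrecognized", idx, path)]
    parses = []
    for kw in found:
        parses.extend(_walk(node[kw], tokens, idx + 1, path + [kw]))
    return parses


def resolve(line, tree=COMMAND_TREE):
    """Expand an abbreviated command line.

    Returns (status, text): "ok" with the full command, or a Table 2-2 error
    name with the echoed line, a caret under the offending token, and the
    message the CLI prints.
    """
    spans = [m.span() for m in re.finditer(r"\S+", line)]
    tokens = [line[a:b] for a, b in spans]
    parses = _walk(tree, tokens, 0, [])
    complete = [p for p in parses if p[0] == "ok"]
    if len(complete) == 1:
        return "ok", " ".join(complete[0][2])
    if len(complete) > 1:
        # Several full expansions: caret at the first token whose expansion
        # differs between them.
        depth = next(i for i in range(len(tokens))
                     if len({tuple(p[2][:i + 1]) for p in complete}) > 1)
        status = "ambiguous"
    else:
        # No full expansion: report the failure that got furthest.
        status, depth, _ = max(parses, key=lambda p: p[1])
    column = spans[depth][0] if depth < len(spans) else len(line)
    return status, f"{line}\n{' ' * column}^\n{ERROR_MESSAGES[status]}"


def partial_help(line, tree=COMMAND_TREE):
    """Model "<text>?": keywords beginning with the last token, once every
    preceding token has resolved to exactly one keyword."""
    tokens = line.split()
    node = tree
    for token in tokens[:-1]:
        found = _candidates(node, token)
        if len(found) != 1:
            return []
        node = node[found[0]]
    prefix = tokens[-1] if tokens else ""
    return sorted(k for k in node if k.startswith(prefix))


if __name__ == "__main__":
    for cmd in ("dis cu", "di cu", "d cu", "d c", "dis c", "display", "dir now"):
        print(f"{cmd!r:12} -> {resolve(cmd)}")
    print(partial_help("d"))
    print(partial_help("display b"))
```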

2.3 CLI Features


The CLI provides several features to help users flexibly use it.

2.3.1 Editing
The command line editing function allows you to edit command lines or obtain help by using
certain keys.

The command line of the S6700 supports multi-line editing. The maximum length of each command
is 510 characters.

Keys for editing that are often used are shown in Table 2-3.

Table 2-3 Keys for editing

Common key
  Inserts a character at the current position of the cursor if the editing buffer is not full. The
  cursor then moves to the right. If the buffer is full, an alarm is generated.

Backspace
  Moves the cursor to the left and deletes the character at that position. When the cursor reaches
  the head of the command, an alarm is generated.

Left cursor key ← or Ctrl_B
  Moves the cursor to the left a single space at a time. When the cursor reaches the head of the
  command, an alarm is generated.

Right cursor key → or Ctrl_F
  Moves the cursor to the right a single space at a time. When the cursor reaches the end of the
  command, an alarm is generated.

Tab
  Press Tab after typing a partial key word and the system runs partial help:
  l If the matching key word is unique, the system replaces the typed character string with the
  complete key word and displays it on a new line with the cursor placed at the end of the word.
  l If there are several matches or no match, the system displays the prefix first. Then you can
  press Tab to view the matching key words one at a time. The cursor directly follows the end
  of the word. You can press the spacebar to enter the next word.
  l If a non-existent or incorrect key word is entered, press Tab and the word is displayed on a
  new line.


2.3.2 Displaying
Command lines have a feature to control how they are displayed. You can set the command line
display mode as required.
You can control the display of information on the CLI as follows:
l If output information cannot be displayed on a full screen, you have three viewing options,
as shown in Table 2-4.

Table 2-4 Display keys

Ctrl_C
  Stops the display and the running of a command.
  NOTE
  You can also press any key except the spacebar and the Enter key to stop the display and the
  running of a command.

Space
  Displays the next screen of information.

Enter
  Displays the next line of information.

2.3.3 Regular Expressions


A regular expression describes a set of strings. It consists of common characters (such as letters
from "a" to "z") and special characters (called metacharacters). A regular expression is a
template against which strings are matched, so you can use it to search for the strings you need.
Users can use regular expressions to filter output to locate needed information quickly.
A regular expression provides the following functions:
l Search for sub-strings that match a rule in the main string.
l String substitution based on specific matching rules.

Formal Language Theory of the Regular Expression


A regular expression consists of common characters and special characters.
l Common characters
Common characters, including all upper-case and lower-case letters, digits, punctuation
marks, and special symbols, match themselves in a string. For example, "a" matches the
letter "a" in "abc", "202" matches the digit "202" in "202.113.25.155", and "@" matches
the symbol "@" in "xxx@xxx.com".
l Special characters
Special characters are used together with common characters to match complex or special
string combinations. Table 2-5 describes the special characters and their syntax.


Table 2-5 Description of special characters

\
  Syntax: Defines an escape character, which is used to mark the next character (common or
  special) as a common character.
  Example: \* matches "*".

^
  Syntax: Matches the starting position of the string.
  Example: ^10 matches "10.10.10.1" instead of "20.10.10.1".

$
  Syntax: Matches the ending position of the string.
  Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".

*
  Syntax: Matches the preceding element zero or more times.
  Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and
  "101010".

+
  Syntax: Matches the preceding element one or more times.
  Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".

?
  Syntax: Matches the preceding element zero or one time.
  Example: 10? matches "1" and "10". (10)? matches "null" and "10".
  NOTE
  Huawei datacom devices do not support regular expressions with ?. When a regular expression
  with ? is entered on a Huawei datacom device, help information is displayed instead.

.
  Syntax: Matches any single character.
  Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".

()
  Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression
  should be matched.
  Example: 100(200)+ matches "100200" and "100200200".

x|y
  Syntax: Matches x or y.
  Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234",
  "14", "1224", and "1334".

[xyz]
  Syntax: Matches any single character in the brackets.
  Example: [123] matches the character 2 in "255".

[^xyz]
  Syntax: Matches any character that is not contained within the brackets.
  Example: [^123] matches any character except for "1", "2", and "3".

[a-z]
  Syntax: Matches any character within the specified range.
  Example: [0-9] matches any character ranging from 0 to 9.

[^a-z]
  Syntax: Matches any character beyond the specified range.
  Example: [^0-9] matches all non-numeric characters.

_
  Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", or right
  parenthesis ")". Also matches the starting position of the input string, the ending position of
  the input string, or a space.
  Example: _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,",
  "{2008}", "(2008)", "{2008", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.
l Degeneration of special characters
Special characters are the characters listed in Table 2-5. A special character becomes a
common character when it follows \. In the following situations, the special characters
listed in Table 2-5 also function as common characters:
– When "*", "+", or "?" is placed at the starting position of the regular expression, it
becomes a common character. For example, +45 matches "+45" and abc(*def) matches
"abc*def".
– When "^" is placed at any position other than the start of the regular expression, it
becomes a common character. For example, abc^ matches "abc^".
– When "$" is placed at any position other than the end of the regular expression, it
becomes a common character. For example, 12$2 matches "12$2".
– When a right parenthesis ")" or right bracket "]" is not paired with a corresponding left
parenthesis "(" or bracket "[", it becomes a common character. For example, abc)
matches "abc)" and 0-9] matches "0-9]".
NOTE

Unless otherwise specified, the degeneration rules also apply when the preceding regular
expressions are subexpressions within parentheses.
l Combinations of common and special characters
In actual usage, regular expressions combine multiple common and special characters to
match certain strings.


Regular Expression Examples


The key to using regular expressions is to design accurate regular expressions. Table 2-6 shows
how to design regular expressions using special characters and describes the meaning of those
regular expressions.

Table 2-6 Regular expression examples

Regular Expression           Description

^100                         Matches strings beginning with 100, for example, 100085.

200$                         Matches strings ending with 200, for example, 255.255.100.200.

[0-9]+                       Matches strings of one or more digits from 0 to 9, for example,
                             007.

(abc)*                       Matches strings in which abc occurs zero or more times, for
                             example, d and dabc.

^100([0-9]+)*200$            Matches strings beginning with 100 and ending with 200, with zero
                             or more digits in between, for example, 100200.

Windows_(95|98|2000|XP)      Matches Windows 95, Windows 98, Windows 2000, or Windows XP.

100[^0-9]?                   Matches strings beginning with 100 followed by zero or one
                             non-digit character, for example, 100 or 100@. (As noted in
                             Table 2-5, ? invokes the online help and cannot be entered in
                             a regular expression on the S6700 CLI.)

.\.\*                        Matches a string beginning with any single character except \n
                             followed by . and *, for example, 1.* or a.*.

^172\.18\.(10)\.([0-9]+)$    Matches an IP address in a line, for example, 172.18.10.X.

Specifying a Filtering Mode in a Command

CAUTION
The S6700 implements pipe-character filtering with regular expressions.
A display command supports the pipe character only when it produces a large amount of output.
When a filtering condition is applied to query output, the first line displayed is the first line
of output that satisfies the filtering condition (for example, the first line that matches the
regular expression when | begin is used).

Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.

For commands that support regular expressions, the three filtering methods are as follows:

l | begin regular-expression: displays the output starting from the first line that matches
the regular expression.
l | exclude regular-expression: displays only the lines that do not match the regular
expression.
l | include regular-expression: displays only the lines that match the regular expression.
NOTE

The value of regular-expression is a string of 1 to 255 characters.

Specify a Filtering Mode When Information Is Displayed Screen by Screen


NOTE

When the output of the following commands is displayed screen by screen, you can specify a filtering
mode:
l display current-configuration
l display interface
l display arp

When a lot of information is displayed screen by screen, you can specify a filtering mode in the
prompt "---- More ----".
l /regular-expression: displays the information that begins with the line that matches regular
expression.
l -regular-expression: displays the information that excludes lines that match regular
expression.
l +regular-expression: displays the information that includes lines that match regular
expression.
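As an added worked example (not code from the Huawei guide), the following Python script models the | begin, | include and | exclude filters and | count over a constructed sample of configuration output. It translates the VRP-specific rules from Table 2-5 into Python's re syntax: the _ separator metacharacter, the degeneration rules for a leading * or +, a misplaced ^ or $ and an unpaired ) or ], and the fact that ? cannot be typed because it invokes the online help. The sample output, the interface type names in it, and the translation itself are assumptions for illustration; the switch applies its own matcher.

```python
# Added example, not code from the Huawei guide: a model of the S6700 output filters
# "| begin", "| include", "| exclude" and "| count" that applies the VRP regular-expression
# rules documented in Tables 2-5 and 2-6 to sample output.
import re

# Constructed sample in the style of "display current-configuration" output (not captured
# from a real device; the interface type names are assumed).
SAMPLE_OUTPUT = """\
#
sysname Quidway
#
vlan batch 10 20
#
interface XGigabitEthernet0/0/1
 description uplink-to-core
 port link-type trunk
#
interface XGigabitEthernet0/0/2
 shutdown
#
interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
#
return
"""

SEPARATOR = r'(?:[,{}() ]|^|$)'   # what "_" stands for: , { } ( ) space, line start or line end


def vrp_to_python(pattern: str) -> str:
    """Translate a VRP regular expression into an equivalent Python pattern.

    Covers what the guide documents and Python does differently: "_" as the separator
    metacharacter, the degeneration rules (a leading "*" or "+", "^" not at the start,
    "$" not at the end, and an unpaired ")" or "]" all become common characters) and
    the fact that "?" cannot be typed on the CLI because it invokes online help.
    The remaining metacharacters behave as in Python and are passed through.
    """
    if '?' in pattern:
        raise ValueError('"?" invokes CLI help and cannot be part of a VRP regular expression')
    out = []
    depth = 0          # number of "(" groups currently open
    in_class = False   # inside a [...] bracket expression
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\' and i + 1 < n:            # "\x" marks x as a common character
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if in_class:                           # bracket expressions are copied verbatim
            out.append(c)
            in_class = c != ']'
        elif c == '[':
            in_class = True
            out.append(c)
        elif c == ']':
            out.append(r'\]')                  # unpaired "]" degenerates to a literal
        elif c == '_':
            out.append(SEPARATOR)
        elif c in '*+' and (i == 0 or pattern[i - 1] == '('):
            out.append('\\' + c)               # nothing to repeat, e.g. +45 or abc(*def)
        elif c == '^' and i != 0 and pattern[i - 1] != '(':
            out.append(r'\^')                  # "^" away from the start is a literal
        elif c == '$' and i != n - 1 and pattern[i + 1] != ')':
            out.append(r'\$')                  # "$" away from the end is a literal
        elif c == '(':
            depth += 1
            out.append(c)
        elif c == ')':
            if depth == 0:
                out.append(r'\)')              # unpaired ")" degenerates to a literal
            else:
                depth -= 1
                out.append(c)
        else:
            out.append(c)
        i += 1
    return ''.join(out)


def vrp_match(pattern: str, line: str) -> bool:
    """True when the VRP pattern matches somewhere in one output line."""
    return re.search(vrp_to_python(pattern), line) is not None


def filter_output(text: str, mode: str, pattern: str) -> list:
    """Model of "| begin", "| include" and "| exclude" applied to one command's output."""
    lines = text.splitlines()
    if mode == 'begin':                        # from the first matching line to the end
        for idx, line in enumerate(lines):
            if vrp_match(pattern, line):
                return lines[idx:]
        return []
    if mode == 'include':
        return [l for l in lines if vrp_match(pattern, l)]
    if mode == 'exclude':
        return [l for l in lines if not vrp_match(pattern, l)]
    raise ValueError(f'unknown filtering mode: {mode}')


def count_matches(text: str, pattern: str) -> int:
    """Model of "| include <pattern> | count": the number of matching lines."""
    return len(filter_output(text, 'include', pattern))


if __name__ == '__main__':
    for line in filter_output(SAMPLE_OUTPUT, 'begin', '^interface LoopBack'):
        print(line)
    print(count_matches(SAMPLE_OUTPUT, '^interface'))
```

Running the script prints the sample output from the LoopBack0 block onwards and then the number of interface blocks. Because vrp_match anchors nothing by itself, a pattern such as shutdown matches any line containing that word; use ^ and $ (or _) when the intent is a whole-line or whole-word match, exactly as on the switch.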

2.3.4 Previously-Used Commands


The CLI provides a function similar to DosKey that automatically saves any command used on
the device. If you need to run a command that has been previously executed, you can use this
function to call up the command.

By default, the system saves 10 previously-used commands for each user. You can run the
history-command max-size size-value command in the user view to set the number of
previously-used commands saved by the system. A maximum of 256 previously-used commands
can be saved.

NOTE
Setting the number of saved previously-used commands to a reasonably low value is recommended. If a
large number of previously-used commands are saved, locating a command can be time-consuming and
affect efficiency.

The operations are shown in Table 2-7


Table 2-7 Access the previously-used commands

Action: Display previously-used commands.
  Key or command: display history-command [ all-users ]
  Result: Displays the previously-used commands entered by users.

Action: Access the last previously-used command.
  Key or command: Up cursor key (↑) or Ctrl_P
  Result: Displays the last previously-used command if there is an earlier previously-used
  command. Otherwise, an alarm is generated.

Action: Access the next previously-used command.
  Key or command: Down cursor key (↓) or Ctrl_N
  Result: Displays the next previously-used command if there is a later previously-used
  command. Otherwise, the command line is cleared and an alarm is generated.

NOTE

Windows 9X defines keys differently and the cursor key ↑ cannot be used with Windows 9X
HyperTerminals. You may use Ctrl_P instead.

When you use previously-used commands, note the following points:


l Previously-used commands are saved exactly as they are entered by users. For example, if
a user enters an incomplete command, the saved command is also incomplete.
l A command is saved the first time it is run and subsequent runnings are not saved. If a
command is entered in different forms or with different parameters, each entry is considered
to be a different command.
For example, if the display ip routing-table command is run several times, only one
previously-used command is saved. If the disp ip routing command and the display ip
routing-table command are run, two previously-used commands are saved.

2.4 Shortcut Keys


System or user-defined shortcut keys make it easier to enter commands.

2.4.1 System Shortcut Keys


System-defined shortcut keys have fixed functions that cannot be changed by the user. Table 2-8
lists the system-defined shortcut keys.

NOTE

Different terminal software defines these keys differently. The shortcut keys on your terminal may be
different than those listed in this section.


Table 2-8 System-defined shortcut keys

Key          Function

CTRL_A       Moves the cursor to the beginning of the current line.
CTRL_B       Moves the cursor one character to the left.
CTRL_C       Terminates the running function.
CTRL_D       Deletes the character at the cursor.
CTRL_E       Moves the cursor to the end of the current line.
CTRL_F       Moves the cursor one character to the right.
CTRL_H       Deletes the character to the left of the cursor.
CTRL_K       Stops the creation of the outbound connection.
CTRL_N       Displays the next command in the previously-used command buffer.
CTRL_P       Displays the previous command in the previously-used command buffer.
CTRL_R       Redisplays the current line.
CTRL_T       Terminates the outbound connection.
CTRL_V       Pastes the contents of the clipboard.
CTRL_W       Deletes the word (character string) to the left of the cursor.
CTRL_X       Deletes all the characters to the left of the cursor.
CTRL_Y       Deletes all the characters to the right of the cursor.
CTRL_Z       Returns to the user view.
CTRL_]       Terminates the inbound or redirection connections.
ESC_B        Moves the cursor one word to the left.
ESC_D        Deletes the word to the right of the cursor.
ESC_F        Moves the cursor right to the end of the next word.
ESC_N        Moves the cursor down to the next line.
ESC_P        Moves the cursor up to the previous line.
ESC_SHIFT_<  Sets the position of the cursor to the beginning of the clipboard.
ESC_SHIFT_>  Sets the position of the cursor to the end of the clipboard.

2.5 Configuration Examples


This section provides several examples that illustrate the use of command lines.


2.5.1 Example for Using the Tab Key


You can obtain prompts on keywords or check whether the entered keywords are correct by
pressing Tab.

Procedure
l If only one keyword matches the entered prefix, do as follows on the S6700.
1. Enter an incomplete keyword.
[Quidway] info-

2. Press Tab.
The system replaces the incomplete keyword with the complete keyword and displays
it on a new line, with a single space between the end of the keyword and the cursor.
[Quidway] info-center

l If more than one keyword matches the entered prefix, do as follows on the S6700.
# Entering ? after the prefix log shows the keywords that can follow info-center and
start with log.
[Quidway] info-center log?
logbuffer loghost

1. Enter an incomplete keyword.
[Quidway] info-center l

2. Press Tab.
The system displays the common prefix of all matching keywords. The prefix in this
example is log.
[Quidway] info-center log

3. Keep pressing Tab to cycle through all matching keywords. No space is inserted
between the end of the keyword and the cursor.
[Quidway] info-center loghost
[Quidway] info-center logbuffer

Stop pressing Tab when the required keyword, logbuffer, is displayed.
4. Enter a space and then the next keyword, channel.
[Quidway] info-center logbuffer channel

----End


3 How to Use Interfaces

About This Chapter

This chapter describes the concept of the interface and the basic configuration about the interface.

3.1 Introduction to Interfaces


This section describes different types of interfaces. The interfaces are provided by the S6700 to
receive and send data.
3.2 Setting Basic Parameters of an Interface
This section describes how to set the basic parameters of an interface.
3.3 Configuring the Loopback Interface
This section describes how to configure the loopback interface.
3.4 Maintaining the Interface
This section describes how to maintain the interface.


3.1 Introduction to Interfaces


This section describes different types of interfaces. The interfaces are provided by the S6700 to
receive and send data.
Interfaces are classified into management interfaces and service interfaces based on their
functions; interfaces are classified into physical interfaces and logical interfaces based on their
physical forms.

NOTE

A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called
interfaces in this document.

Management Interface
Management interfaces are used to manage and configure a device. You can log in to the
S6700 through a management interface to configure and manage it. Management interfaces do
not transmit service data. Because a management interface gives full configuration access to
the switch, it should be reachable only from a trusted management network.
The S6700 provides a console interface and an MEth interface as management interfaces.

Table 3-1 Description of management interfaces

Name: Console interface
  Description: The console interface complies with the EIA/TIA-232 standard, and the
  interface type is DCE.
  Usage: The console interface is connected to the serial (COM) port of a configuration
  terminal. It is used to set up the onsite configuration environment.

Name: MEth interface
  Description: The MEth interface complies with the 10/100BASE-TX standard.
  Usage: The MEth interface can be connected to the network interface of a configuration
  terminal or a network management workstation. It is used to set up the onsite or remote
  configuration environment.

The following table shows the rule for numbering management interfaces.

Table 3-2 Management interface numbers

Name                 Number

Console interface    Console 0

MEth interface       MEth 0/0/1


Classification of Service Interfaces


Service interfaces are used to transmit service data. They are classified into 100 Mbit/s interfaces,
1 Gbit/s interfaces and 10 Gbit/s interfaces according to their rates; they are classified into
electrical interfaces and optical interfaces according to their electrical properties.

The rules for numbering service interfaces are as follows:

In a single switch, interfaces are numbered in the format slot ID/subcard ID/interface sequence
number.
l Slot ID: indicates the slot where an interface is located. The value is 0.
l Subcard ID: indicates the subcard where an interface is located. The value is 0 or 1.
The value 1 indicates that the subcard is a front card.
l Interface sequence number: indicates the sequence number of an interface.

In a stack system, interfaces are numbered in the format stack ID/subcard ID/interface sequence
number.
l Stack ID: indicates the ID of the switch in the stack system. The value ranges from 0 to 8.
l Subcard ID: indicates the ID of a subcard. The value is 0 or 1.
The value 1 indicates that the subcard is a front card.
l Interface sequence number: indicates the sequence number of an interface on the switch.

NOTE

For the device models that support the CSS function, see "Stacking" in the S6700 Series Ethernet Switches
Configuration Guide - Device Management.

Table 3-3 FE and GE interface numbering rule

[Figure of interface numbering: two rows of ports, the upper row numbered 2, 4, 6, ... and the
lower row numbered 1, 3, 5, ...]

Description: The S6700 has two rows of service interfaces, with the lower-left interface
numbered 1. The other interfaces are numbered in ascending order from bottom to top, and then
from left to right. For example, the upper-left interface is numbered 0/0/2.

Physical Interfaces
Physical interfaces are interfaces that actually exist on the S6700.

Physical interfaces include management interfaces and service interfaces.

The S6700 supports the following physical interfaces:

l Console interface
l MEth interface
l 10 Gigabit Ethernet interface


Logical Interfaces
Logical interfaces do not exist physically; they are created by configuration.
The S6700 supports the following logical interfaces:
l Eth-Trunk
The Eth-Trunk consists of Ethernet links only.
The Eth-Trunk technique has the following advantages:
– Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all
member interfaces.
– Improved reliability: When a link fails, traffic is automatically switched to other
available links. This ensures link reliability.
For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the
S6700 Series Ethernet Switches Configuration Guide - Ethernet.
l Loopback interface
A loopback interface is a virtual interface. The TCP/IP protocol suite reserves the address
block 127.0.0.0/8 for loopback. When the system starts, it automatically creates an interface
with the loopback address 127.0.0.1 to receive all data packets sent to the local device.
Some applications, such as mutual access between virtual private networks, need a local
interface with a specified IP address that does not depend on the configuration of any
physical interface. This IP address has a 32-bit mask (to save IP addresses) and can be
advertised by routing protocols.
The status of a loopback interface is always Up; therefore, the IP address of the loopback
interface can be used as the router ID or the label switching router (LSR) ID, or be bound to
a tunnel.
For details, see 3.3 Configuring the Loopback Interface.
l Null interface
Null interfaces are similar to null devices supported by certain operating systems. Any data
packets sent to a null interface are discarded. Null interfaces are used for route selection
and policy-based routing (PBR). For example, if a packet matches no route during route
selection, the packet is sent to the null interface.
l Tunnel interface
Tunnel interfaces are used to establish IPv6 over IPv4 tunnels.
l VLANIF interface
When the S6700 needs to communicate with devices at the network layer, you can create
a logical interface of the Virtual Local Area Network (VLAN) on the S6700, namely, a
VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF
interfaces work at the network layer. The S6700 then communicates with devices at the
network layer through VLANIF interfaces.
For details about the configuration, see "Creating a VLANIF Interface" in the S6700
Series Ethernet Switches Configuration Guide - Ethernet.

3.2 Setting Basic Parameters of an Interface


This section describes how to set the basic parameters of an interface.


3.2.1 Establishing the Configuration Task


Before configuring advanced functions of an interface such as the working mode and routes,
you need to complete the basic configuration of the interface.

Applicable Environment
To facilitate the configuration and maintenance of an interface, the S6700 provides interface
views. The commands related to the interface are valid only in the interface views.

The basic interface configurations include entering an interface view, configuring interface
description, enabling an interface, and disabling an interface.

Pre-configuration Tasks
Installing the LPU on the S6700

Data Preparation
To set parameters of an interface, you need the following data.

No. Data

1 Type and number of the interface to be configured

2 Description of the interface

3.2.2 Entering the Interface View


To configure an interface, you need to enter the interface view.

Context
Do as follows on the S6700.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.

interface-type specifies the type of the interface and interface-number specifies the number of
the interface.

----End


3.2.3 Viewing All the Commands in the Interface View


After entering the interface view, you can view all the commands in the interface view.

Context
Do as follows on the S6700.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.

Step 3 Run:
?

All the commands in the view of the specified interface are displayed.

----End

3.2.4 Configuring the Description for an Interface


The description configured for an interface on the S6700 helps you identify and memorize the
usage of the interface, which facilitates the management.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.

Step 3 Run:
description description

The description is configured for the interface.

----End

3.2.5 Starting and Shutting Down an Interface


When a physical interface is idle and not connected to a cable, shut it down to protect it
against interference. An interface that is administratively shut down also cannot be used by a
device that is later plugged into it without your knowledge, so keeping unused interfaces shut
down is a basic hardening measure. To use a shut-down interface again, you need to start it.


Context
NOTE

l A null interface is always Up and cannot be shut down by command.


l A loopback interface is always Up and cannot be shut down by command.

Procedure
l Shutting down the interface
Do as follows on the S6700.
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The view of a specified interface is displayed.


3. Run:
shutdown

The interface is shut down.


NOTE

By default, an interface is enabled.


l Starting an interface
Do as follows on the S6700.
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The view of a specified interface is displayed.


3. Run:
undo shutdown

The interface is started.


----End

3.2.6 Completing Advanced Configurations on an Interface


After configuring basic parameters on an interface, configure other interface parameters as
required.

Context
To access a network through an interface, configure advanced interface parameters based on the
networking requirements in addition to basic configurations on the interface.
Advanced configurations of an interface include:


l Working mode
l Routing configuration
For details about advanced configurations of an interface, see the S6700 Series Ethernet Switches
Configuration Guide - Ethernet and S6700 Series Ethernet Switches Configuration Guide - IP
Routing.

3.2.7 Checking the Configuration


After completing the basic configuration of an interface, you can use the display commands to
check the configuration.

Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running
status of the interface and the statistics on the interface.
Step 2 Run the display interface description command to check the brief information about the
interface
Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main
configurations of the interface.
Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the
brief state of the interface.

----End
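As an added example (not from the Huawei guide) of the check a practitioner would run after completing these steps, the Python script below parses a saved configuration in the style of display current-configuration output, lists physical interfaces that are neither shut down nor given a description (the usual signature of an unmanaged spare port), and emits the description and shutdown commands from 3.2.4 and 3.2.5 needed to remediate them. The sample configuration, the interface type prefixes, and the quit command used to leave the interface view are assumptions for illustration.

```python
# Added example, not code from the Huawei guide: audit a saved VRP-style configuration for
# physical interfaces that are enabled but carry no description, and generate the
# description/shutdown steps from sections 3.2.4 and 3.2.5 for each finding.

# Constructed sample in the style of "display current-configuration" output (not captured
# from a real device).
SAMPLE_CONFIG = """\
#
sysname Quidway
#
interface XGigabitEthernet0/0/1
 description uplink-to-core
 port link-type trunk
#
interface XGigabitEthernet0/0/2
 shutdown
#
interface XGigabitEthernet0/0/3
#
interface XGigabitEthernet0/0/4
 description spare
#
interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
#
interface Vlanif10
 ip address 192.0.2.1 255.255.255.0
#
return
"""

# Assumed interface type names for physical ports; logical interfaces (LoopBack, Vlanif,
# Eth-Trunk, NULL, Tunnel) are deliberately not listed.
PHYSICAL_PREFIXES = ('XGigabitEthernet', 'GigabitEthernet', 'Ethernet', 'MEth')


def parse_interfaces(config: str) -> dict:
    """Map each 'interface <name>' block to the list of its indented sub-commands."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith('interface '):
            current = line.split(' ', 1)[1]
            blocks[current] = []
        elif line.startswith(' ') and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # "#" or a top-level command ends the block
    return blocks


def is_physical(name: str) -> bool:
    return name.startswith(PHYSICAL_PREFIXES)


def find_unused_candidates(config: str) -> list:
    """Physical interfaces that are not shut down and have no description."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not is_physical(name):
            continue
        shut = 'shutdown' in cmds                      # exact "shutdown" line only
        described = any(c.startswith('description ') for c in cmds)
        if not shut and not described:
            findings.append(name)
    return findings


def remediation_commands(names) -> list:
    """CLI steps (3.2.2, 3.2.4, 3.2.5) that describe and shut down each finding.
    'quit' to leave the interface view is an assumption, not taken from this chapter."""
    out = ['system-view']
    for name in names:
        out += [f'interface {name}', 'description UNUSED-shut', 'shutdown', 'quit']
    return out


if __name__ == '__main__':
    for cmd in remediation_commands(find_unused_candidates(SAMPLE_CONFIG)):
        print(cmd)
```

Run against the sample, the script flags only XGigabitEthernet0/0/3: 0/0/1 is described, 0/0/2 is already shut down, 0/0/4 is described as a spare, and the loopback and VLANIF interfaces are logical. Review the findings before applying the generated commands, since a port that is in use but simply undocumented would be taken down by them.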

3.3 Configuring the Loopback Interface


This section describes how to configure the loopback interface.

3.3.1 Establishing the Configuration Task


You can create or delete a loopback interface. Once created, the loopback interface remains in
the Up state until you delete it.

Applicable Environment
Some applications, such as mutual access between virtual private networks, need a local
interface with a specified IP address that does not affect the configuration of any physical
interface. The IP address of this local interface can then be advertised by routing protocols.
Because a loopback interface never goes Down, using it for this purpose improves the reliability
of the configuration.

Pre-configuration Tasks
Before configuring the loopback interface, complete the following task:
l Switching on the S6700

Data Preparation
To configure the loopback interface, you need the following data.


No. Data

1 Number of the loopback interface

2 IP address of the loopback interface

3.3.2 Configuring IPv4 Parameters of the Loopback Interface


A loopback interface can be assigned an IPv4 address, bound to a VPN instance, and configured
to check the source IPv4 addresses of packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface loopback interface-number

A loopback interface is created.

The value of interface-number ranges from 0 to 1023. A maximum of 1024 loopback interfaces
can be created.

Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]

An IPv4 address is assigned to the loopback interface.

Step 4 (Optional) Run:


ip verify source-address

The loopback interface is configured to check the source IPv4 addresses of packets.

----End

3.3.3 Checking the Configuration


After configuring a loopback interface, run the following commands to check the configuration.

Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of the loopback
interface.

----End

3.4 Maintaining the Interface


This section describes how to maintain the interface.


3.4.1 Clearing Statistics Information on the Interface


The statistics on the interface cannot be restored after you clear them. So, confirm the action
before you use the command.

Procedure
Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user
view to clear the statistics on the interface.

----End


4 Basic Configuration

About This Chapter

This chapter describes how to configure the switch to work properly in the network environment
and to suit your needs.

4.1 Configuring the Basic System Environment


This section describes how to configure the basic system environment.
4.2 Displaying System Status Messages
This section describes how to use display commands to check basic system configurations.


4.1 Configuring the Basic System Environment


This section describes how to configure the basic system environment.

4.1.1 Establishing the Configuration Task


Before configuring the basic system environment, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
Before configuring services, you need to configure the basic system environment (for example,
the language mode, system time, device name, login information, and command level) to meet
environmental requirements.

Pre-configuration Tasks
Before configuring the basic system environment, power on the switch.

Data Preparation
To configure the basic system environment, you need the following data.

No. Data

1 System time

2 Host name

3 Login information

4 Command level

4.1.2 Configuring the Equipment Name


If multiple devices on a network need to be managed, set equipment names to identify each
device.

Context
New equipment names take effect immediately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sysname host-name

The equipment name is set.


By default, the equipment name of the switch is Quidway.
You can change the name of the switch that appears in the command prompt.

----End

4.1.3 Setting the System Clock


The system clock must be correctly set to ensure synchronization with other devices.

Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device operates properly with other
devices.
Setting the system clocks of all the devices on a network manually is time-consuming and cannot
ensure the clock accuracy. Network Time Protocol (NTP) can address this problem by
synchronizing all clocks of devices on the network so that the devices can provide uniform time-
based applications.

NOTE

A local system running NTP can be synchronized by other clock sources or acts as a clock source to
synchronize other clocks. In addition, mutual synchronization can be implemented through NTP packet
exchanges.

NTP distributes UTC, so the system clock of NTP-enabled devices is UTC by default. The time zone and daylight saving time are local display settings that vary with the country and region; if a time zone and daylight saving time are configured on an NTP server, the same time zone and daylight saving time must be configured on its NTP clients so that all devices show the same local time.
Perform the following steps in the user view to set the system clock:

Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD

The current date and time are set.

NOTE

If no time zone has been configured, or the offset is set to 0, the date and time entered with this command are taken as UTC; otherwise they are taken as the local time of the configured zone. Make sure that both the time zone and the time itself are correct.

Step 2 Run:
clock timezone time-zone-name { add | minus } offset


The time zone is set.


l If add is configured, the local time of time-zone-name is the UTC time plus offset (time zones east of UTC).
l If minus is configured, the local time of time-zone-name is the UTC time minus offset (time zones west of UTC).
NOTE

UTC stands for Coordinated Universal Time.

Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset

or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]

Daylight saving time is set.


By default, daylight saving time is not set.
The start time is expressed in local mean time (LMT), that is, the local standard time before the daylight saving offset is applied, and the end time is expressed in daylight saving time (DST), that is, with the offset applied. The start time and end time can be given in date+date, week+week, date+week, or week+date format.

----End

System Clock Display


The system clock is determined by the clock datetime, clock timezone, and clock daylight-
saving-time commands.
l If none of the preceding three commands have been run, the original system time will be
displayed after running the display clock command.
l The preceding three commands can also be run in combination with one another to
configure the system clock, as listed in Table 4-1.
In the following examples, the original system time is 08:00:00 January 1, 2010.
l 1: The clock datetime command is run to set the current date and time to date-time.
l 2: The clock timezone command is run to configure the time zone with the time zone offset
zone-offset.
l 3: The clock daylight-saving-time command is run to configure the daylight saving time
with the offset offset.
l [1]: The clock datetime command configuration is optional.


Table 4-1 System clock configuration examples

Operation: 1
System time: date-time
Example: Run the clock datetime 8:0:0 2011-11-12 command.
Configured system time:
2011-11-12 08:00:03
Saturday
Time Zone(DefaultZoneName): UTC

Operation: 2
System time: Original system time +/- zone-offset
Example: Run the clock timezone BJ add 8 command.
Configured system time:
2010-01-01 16:00:20+08:00
Friday
Time Zone(BJ): UTC+08:00

Operation: 1, 2
System time: date-time +/- zone-offset
Example: Run the clock datetime 8:0:0 2011-11-12 and clock timezone BJ add 8 commands.
Configured system time:
2011-11-12 16:00:13+08:00
Saturday
Time Zone(BJ): UTC+08:00

Operation: [1], 2, 1
System time: date-time
Example: Run the clock timezone NJ add 8 and clock datetime 9:0:0 2011-11-12 commands.
Configured system time:
2011-11-12 09:00:02+08:00
Saturday
Time Zone(NJ): UTC+08:00

Operation: 3
System time: Original system time, if the original system time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2011-8-1 6:0 2011-10-01 1 command.
Configured system time:
2010-01-01 08:00:51
Friday
Time Zone(DefaultZoneName): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
Saving time : 01:00:00

Operation: 3
System time: Original system time + offset, if the original system time is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2 command.
Configured system time:
2010-01-01 10:00:34 DST
Friday
Time Zone(BJ): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: 1, 3
System time: date-time, if date-time is not during the configured daylight saving time period
Example: Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1 commands.
Configured system time:
2011-11-12 09:00:26
Saturday
Time Zone(DefaultZoneName): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
Saving time : 01:00:00

Operation: 1, 3
System time: date-time + offset, if date-time is during the configured daylight saving time period
Example: Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 9:0 2011-11-12 6:0 2011-12-01 2 commands.
Configured system time:
2011-11-12 11:02:21 DST
Saturday
Time Zone(BJ): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 11-12 09:00:00
End time : 12-01 06:00:00
Saving time : 02:00:00

Operation: [1], 3, 1
System time: date-time, if date-time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1 and clock datetime 9:0:0 2011-11-12 commands.
Configured system time:
2011-11-12 09:00:02
Saturday
Time Zone(DefaultZoneName): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
Saving time : 01:00:00

Operation: [1], 3, 1
System time: date-time, if date-time is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2 and clock datetime 3:0:0 2011-1-1 commands.
Configured system time:
2011-01-01 03:00:19 DST
Saturday
Time Zone(BJ): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
Saving time : 02:00:00

Operation: 2, 3 or 3, 2
System time: Original system time +/- zone-offset, if the value of Original system time +/- zone-offset is not during the configured daylight saving time period
Example: Run the clock timezone BJ add 8 and clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2 commands.
Configured system time:
2010-01-01 16:01:29+08:00
Friday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: 2, 3 or 3, 2
System time: Original system time +/- zone-offset + offset, if the value of Original system time +/- zone-offset is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 1:0 2010-1-1 1:0 2010-9-1 2 and clock timezone BJ add 8 commands.
Configured system time:
2010-01-01 18:05:31+08:00 DST
Friday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2010
End year : 2010
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
Saving time : 02:00:00

Operation: 1, 2, 3 or 1, 3, 2
System time: date-time +/- zone-offset, if the value of date-time +/- zone-offset is not during the configured daylight saving time period
Example: Run the clock datetime 8:0:0 2011-11-12, clock timezone BJ add 8, and clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2 commands.
Configured system time:
2011-11-12 16:01:40+08:00
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: 1, 2, 3 or 1, 3, 2
System time: date-time +/- zone-offset + offset, if the value of date-time +/- zone-offset is during the configured daylight saving time period
Example: Run the clock datetime 8:0:0 2011-1-1, clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2, and clock timezone BJ add 8 commands.
Configured system time:
2011-01-01 18:00:43+08:00 DST
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
System time: date-time, if date-time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2, clock timezone BJ add 8, and clock datetime 8:0:0 2011-11-12 commands.
Configured system time:
2011-11-12 08:00:03+08:00
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
System time: date-time, if date-time is during the configured daylight saving time period
Example: Run the clock timezone BJ add 8, clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2, and clock datetime 3:0:0 2011-1-1 commands.
Configured system time:
2011-01-01 03:00:03+08:00 DST
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
Saving time : 02:00:00

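The formula System clock = UTC + time zone offset + daylight saving offset, and the fact that the three clock commands can be run in any order, can be checked with a small model. The following Python is an added example written for this guide, not Huawei code: it keeps an internal UTC clock and applies clock timezone and a one-year clock daylight-saving-time rule the way the outputs in Table 4-1 show (a clock datetime value is read as UTC when no zone is configured, otherwise as local wall-clock time). The class and function names are the example's own, the repeating DST rule is not modelled, and the table rows that are re-run ignore the few seconds that elapsed between configuration and display in the table.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Model of how the switch derives the displayed clock from its internal UTC
# clock: system clock = UTC + time zone offset + daylight saving offset.
# Illustration only, not Huawei code; only the one-year DST rule is modelled.


class SystemClock:
    def __init__(self, utc_now: datetime) -> None:
        self.utc = utc_now                      # internal clock, always UTC
        self.tz_name = "DefaultZoneName"
        self.tz_offset = timedelta(0)
        self.tz_configured = False
        # one-year DST rule: (name, start given in LMT, end given in DST, offset)
        self.dst: Optional[Tuple[str, datetime, datetime, timedelta]] = None

    # clock timezone time-zone-name { add | minus } offset
    def clock_timezone(self, name: str, sign: str, hours: int) -> None:
        if sign not in ("add", "minus"):
            raise ValueError("sign must be 'add' or 'minus'")
        self.tz_name = name
        self.tz_offset = timedelta(hours=hours if sign == "add" else -hours)
        self.tz_configured = True

    # clock daylight-saving-time name one-year start-time start-date end-time end-date offset
    def clock_daylight_saving_time(self, name: str, start: datetime,
                                   end: datetime, hours: int) -> None:
        self.dst = (name, start, end, timedelta(hours=hours))

    def _dst_active(self, standard_local: datetime) -> bool:
        # The start time is given in local mean (standard) time and the end
        # time in daylight saving time, so the end is compared after the offset.
        if self.dst is None:
            return False
        _, start, end, off = self.dst
        return start <= standard_local and standard_local + off < end

    # clock datetime HH:MM:SS YYYY-MM-DD
    def clock_datetime(self, wall: datetime) -> None:
        # The entered time is read as wall-clock time under the current zone and
        # DST settings; with no zone configured it is UTC (see the NOTE above).
        utc = wall - self.tz_offset
        if self.dst is not None:
            _, start, end, off = self.dst
            if start <= wall - off and wall < end:   # entered time lies in DST
                utc -= off
        self.utc = utc

    def display_clock(self) -> str:
        standard = self.utc + self.tz_offset
        dst_on = self._dst_active(standard)
        local = standard + (self.dst[3] if dst_on else timedelta(0))
        text = local.strftime("%Y-%m-%d %H:%M:%S")
        if self.tz_configured:
            total = int(self.tz_offset.total_seconds())
            sign = "+" if total >= 0 else "-"
            hours, minutes = divmod(abs(total) // 60, 60)
            text += f"{sign}{hours:02d}:{minutes:02d}"
        if dst_on:
            text += " DST"
        return text


def example_rows() -> Dict[str, str]:
    """Re-run several Table 4-1 rows (elapsed seconds ignored) plus a
    west-of-UTC zone; the original system time is the table's 2010-01-01 08:00:00."""
    original = datetime(2010, 1, 1, 8, 0, 0)
    out = {}
    c = SystemClock(original)                               # nothing configured
    out["none"] = c.display_clock()

    c = SystemClock(original)                               # row "1, 2"
    c.clock_datetime(datetime(2011, 11, 12, 8, 0, 0))
    c.clock_timezone("BJ", "add", 8)
    out["1,2"] = c.display_clock()

    c = SystemClock(original)                               # row "[1], 2, 1"
    c.clock_timezone("NJ", "add", 8)
    c.clock_datetime(datetime(2011, 11, 12, 9, 0, 0))
    out["[1],2,1"] = c.display_clock()

    c = SystemClock(original)                               # row "2, 3", outside DST
    c.clock_timezone("BJ", "add", 8)
    c.clock_daylight_saving_time("BJ", datetime(2011, 1, 1, 6), datetime(2011, 9, 1, 6), 2)
    out["2,3 outside"] = c.display_clock()

    c = SystemClock(original)                               # row "3, 2", inside DST
    c.clock_daylight_saving_time("BJ", datetime(2010, 1, 1, 1), datetime(2010, 9, 1, 1), 2)
    c.clock_timezone("BJ", "add", 8)
    out["3,2 inside"] = c.display_clock()

    c = SystemClock(original)                               # row "[1], 2, 3, 1", inside DST
    c.clock_timezone("BJ", "add", 8)
    c.clock_daylight_saving_time("BJ", datetime(2011, 1, 1, 1), datetime(2011, 9, 1, 1), 2)
    c.clock_datetime(datetime(2011, 1, 1, 3, 0, 0))
    out["[1],2,3,1 inside"] = c.display_clock()

    c = SystemClock(original)                               # clock timezone NY minus 5
    c.clock_timezone("NY", "minus", 5)
    out["minus 5"] = c.display_clock()
    return out


if __name__ == "__main__":
    for row, shown in example_rows().items():
        print(f"{row:>18}: {shown}")
```

The model makes the practical point explicit: log timestamps on the switch are the internal UTC value shifted by whatever zone and DST offsets happen to be configured, so correlating logs across devices requires either identical zone and DST settings everywhere or conversion back to UTC with display clock utc.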
4.1.4 Configuring a Header


If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.

Context
A header is a text message displayed by the system at the time a user logs in to the switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
header login { information text | file file-name }


A header displayed during login is set.

Step 3 Run:
header shell { information text | file file-name }

A header displayed after login is set.

To display the header when the terminal connection has been activated but the user has not been
authenticated, configure the parameter login.

To display the header after the user has logged in, configure the parameter shell.

CAUTION
l The header message starts and ends with the same character. Enter the first character of the
header and press Enter. An interactive interface for setting the header is displayed. Input the
required information and end the header by entering the first character when you are finished.
The system then exits from the interactive interface.
l If a user logs in to the switch using SSH1.X, the login header is not displayed during login,
but the shell header is displayed after login.
l If a user logs in to the switch using SSH2.0, both login and shell headers are displayed.

----End

4.1.5 Configuring Command Levels


This section describes how to configure command levels to tighten device security or to allow lower-level users to run particular higher-level commands. By default, commands are registered at Level 0 to Level 3. If finer-grained rights management is required, you can divide commands into 16 levels, Level 0 to Level 15.

Context
After the command levels are updated with the command-privilege level rearrange command, every command whose level you have not adjusted individually is remapped automatically according to the following rules:

l The commands of Level 0 and Level 1 remain unchanged.
l The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated to Level 15.
l No commands exist at Level 2 to Level 9 or at Level 11 to Level 14. You can move individual commands to these levels to refine privilege management.

CAUTION
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
command-privilege level rearrange

The command levels are updated in batches.

If no password has been configured for Level 15, the system prompts you to set a super password for Level 15 and asks whether to continue with the command level update. Select N, set the password, and run the command again. If you select Y, the command levels are rearranged immediately with no Level 15 password in place; a user who does not log in through the console port then has no way to raise the user level to 15 and cannot run the commands that were moved to that level.

Step 3 Run:
command-privilege level level view view-name command-key

The level of a single command is changed. view-name is the view in which the command is registered, and command-key is the command keyword or keyword sequence whose level is set, so a command can be re-leveled in each view in which it appears.
All commands have default command views and levels. You do not need to reconfigure them unless your privilege scheme requires it.

----End

4.2 Displaying System Status Messages


This section describes how to use display commands to check basic system configurations.

Context
You can use display commands to collect information about system status. The display
commands perform the following functions:

l Display system configurations.


l Display system running status.
l Display diagnostic information about a system.
l Display the restart information about the main control board.
See related sections concerning display commands for information on protocols and interfaces.
This section only shows system-level display commands.
Run the following commands in any view.

4.2.1 Displaying System Configuration


This section describes how to use command lines to check the system version, system time,
original configuration, and current configuration.

Procedure
l Run the display version command to display the system version.


l Run the display clock [ utc ] command to display the system time.
l Run the display calendar command to display system calendar.
l Run the display saved-configuration command to display the original configuration.
l Run the display current-configuration command to display the current configuration.
NOTE

l The original configuration refers to information about configuration files used by the device when
it is powered on and initialized. The current configuration refers to the configuration files that
take effect when the device is in use. For details, see the chapter "Configuring System Startup"
in the S6700 Basic-Configuration.

----End

4.2.2 Displaying System Status


This section describes how to use command lines to check system operating status (the
configuration of the current view).

Procedure
l Run the display this command to display the configuration of the current view.
----End

4.2.3 Collecting System Diagnostic Information


This section describes how to collect information about system modules.

Context
When locating a fault, you would otherwise have to run many display commands one by one to collect the required information. The display diagnostic-information command gathers information about all system modules currently running in a single operation.

Procedure
l Run:
display diagnostic-information [ file-name ]

System diagnostic information is displayed.


The display diagnostic-information command collects the same information as the
display clock, display version, display cpu-usage, display interface, display current-
configuration, display saved-configuration, display history-command, and other
commands gather. Because the output therefore contains the current and saved configuration and the command history, treat the displayed text, or the file written when file-name is specified, as sensitive and restrict who may read it.
----End


5 Configuring User Interfaces

About This Chapter

When a user uses a console port, Telnet, or SSH (STelnet) to log in to the switch, the system
manages the session between the user and the switch on the corresponding user interface.
5.1 User Interface Overview
The system supports console and VTY user interfaces.
5.2 Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
5.3 Configuring the VTY User Interface
If you need to log in to the switch using Telnet or SSH to perform local or remote maintenance,
you can configure the VTY user interface as needed.
5.4 Configuration Examples
This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain networking requirements, and provide configuration roadmaps
and configuration notes.


5.1 User Interface Overview


The system supports console and VTY user interfaces.
Each user interface has a user interface view. A user interface view is a command line view
provided by the system. It is used to configure and manage all the physical and logical interfaces
in asynchronous mode.

User Interfaces Supported by the System


l Console port (CON)
The console port is a serial port provided by the main control board of the device.
The main control board provides one EIA/TIA-232 DCE console port. A terminal can use
this port to connect directly to a device in order to perform local configurations.
l Virtual type terminal (VTY)
A VTY is a logical terminal line. A VTY connection is set up when a terminal connects to the
device using Telnet or SSH. This kind of connection is used for local or remote access to a
device. A maximum of 15 users can log in to the device through VTY user interfaces at the
same time.

Numbering of a User Interface


After a user logs in to the device, the system assigns the lowest numbered idle user interface to
the user. The type of interface assigned depends on the user's login mode. There are two ways
to number user interfaces:
l Relative numbering
Relative numbering uses a user interface type + number format.
Relative numbering is used to specify user interfaces of a particular type. It can be used to
number single user interfaces or user interface groups and must adhere to the following
rules:
– Number of the console port: CON 0
– Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
l Absolute numbering
Absolute numbering is used to give a single user interface or a group of user interfaces a
unique number.
Absolute numbering starts with 0. User interfaces are numbered in sequence, the console port
first and then the VTYs. There is one console port and VTY interfaces 0 to 20 (VTY 0 to VTY 14
are available to Telnet/SSH users, VTY 15 is reserved, and VTY 16 to VTY 20 are reserved for
network management users). You can use the user-interface maximum-vty command to set the
maximum number of VTY user interfaces that can be in use at the same time. The default number is five.
Table 5-1 shows absolute numbers for user interfaces in this system.


Table 5-1 Description of absolute and relative numbers for user interfaces

User interface: Console user interface
Description: Manages and monitors users logging in through the console port.
Absolute number: 0
Relative number: 0

User interface: VTY user interface
Description: Manages and monitors users logging in using Telnet or SSH.
Absolute number: 34 to 48, and 50 to 54. Among the absolute numbers, 49 is reserved for future use and 50 to 54 are reserved for the network management system.
Relative number:
l Absolute numbers 34 to 48 correspond to relative numbers VTY 0 to VTY 14.
l Absolute numbers 50 to 54 correspond to relative numbers VTY 16 to VTY 20.
Among the relative numbers, VTY 15 is reserved for future use and VTY 16 to VTY 20 are reserved for the network management system.

NOTE

The absolute numbers allocated for VTY interfaces are device-specific.

Run the display user-interface command to view the absolute number of user interfaces.

Authentication of a User Interface


After a user is configured, the system authenticates the user during user login.

There are two user authentication modes: password and AAA, which are described as follows:

l Password authentication: Users must enter a password, but not a username, during the login
process.
l AAA authentication: Users must enter a password and a username during the login process.
Telnet users are usually authenticated in this mode.

Priority of a User Interface


Users logged in to the switch are managed according to their levels.

Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the
user level.

A user's level determines the level of commands that the user is authorized to run.

l In the case of password authentication, the level of the command that the user can run is
determined by the level of the user interface.


l In the case of AAA authentication, the command that the user can use is determined by the
level of the local user specified in the AAA configuration.

5.2 Configuring the Console User Interface


If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.

5.2.1 Establishing the Configuration Task


Before configuring the console user interface, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
If you need to log in to the switch through a console port to perform local maintenance, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. These parameters have default values that
require no additional configuration, but you may modify these parameters as needed.

Pre-configuration Tasks
Before configuring a console user interface, log in to the switch with a terminal.

Data Preparation
To configure a console user interface, you need the following data.

No. Data

1 Baud rate, flow-control mode, parity, stop bit, and data bit

2 Idle timeout period, terminal screen length, number of characters in each line
displayed in a terminal screen, and the size of history command buffer

3 User priority

4 User authentication method, username, and password

NOTE

All the default values (excluding the password and username) are stored on the switch and do not need
additional configuration.

5.2.2 Setting Physical Attributes of the Console User Interface


You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console
port.


Context
Physical attributes of a console port have default values on the switch and no additional
configuration is needed.

NOTE

When a user logs in to a switch through a console port, the physical attributes set for the console port on
the HyperTerminal must be consistent with the attributes of the console user interface on the switch, or the
user will not be able to log in.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.

Step 3 Run:
speed speed-value

The baud rate is set.

By default, the baud rate is 9600 bit/s.

Step 4 Run:
flow-control { hardware | none | software }

The flow control mode is set. By default, the flow-control mode is none.

Step 5 Run:
parity { even | mark | none | odd | space }

The parity mode is set.

By default, the value is none.

Step 6 Run:
stopbits { 1.5 | 1 | 2 }

The stop bit is set.

By default, the value is 1 bit.

Step 7 Run:
databits { 5 | 6 | 7 | 8 }

The data bit is set.

By default, the data bit is 8.

----End


5.2.3 Setting Terminal Attributes of the Console User Interface


This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines or number of characters in each line
displayed in a terminal screen, and size of the history command buffer.

Context
Terminal attributes of the console user interface have default values on the switch that you may
modify as needed.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.


Step 3 Run:
shell

The terminal service is started.


Step 4 Run:
idle-timeout minutes [ seconds ]

The idle timeout period is set.


If a connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]

The terminal screen length is set.


The parameter temporary sets the number of lines per screen temporarily, for the current terminal
session only.
By default, the terminal screen length is 24 lines.
Step 6 Run:
screen-width screen-width

The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value

The history command buffer is set.


By default, the size of history command buffer is 10 entries.

----End

5.2.4 Configuring User Privilege of the Console User Interface


This section describes how to control a user's authority on the switch, and how to improve
switch security, by configuring the user privilege level of the console user interface.

Context
l Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
l This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see "Command Level".

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.

Step 3 Run:
user privilege level level

The user privilege is set.

NOTE

l By default, users logging in through the console user interface can use commands at level 3, and users
logging in through other user interfaces can use commands at level 0.
l A user can run only commands whose level is not higher than the user level; when the command level
and the user level differ, the user level decides what the user can run.

----End

5.2.5 Configuring the User Authentication Mode of the Console


User Interface
The system provides two authentication modes, AAA and password. Configuring a user
authentication mode improves switch security.

Context
The system provides two authentication modes as shown in Table 5-2.


Table 5-2 Authentication Modes

Authentication mode: AAA
Advantage: AAA provides user authentication with high security. A user name and password must be entered for login, so each login is tied to an account.
Disadvantage: The configuration is complex. The user name and password for AAA authentication must be created.

Authentication mode: Password authentication
Advantage: Password authentication is applied per user interface and is simple to configure: only the login password is needed.
Disadvantage: It provides lower security compared with AAA. All users log in to the device using the same login password, so a login cannot be attributed to an individual.

CAUTION
If the user authentication mode for the console user interface is password authentication or AAA
authentication, a password or user name must be set.

Procedure
l Configuring AAA authentication
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
local-user user-name password cipher password

A user name and password for the local user are created.
4. Run:
quit

Exit from the AAA view.


5. Run:
user-interface console interface-number

The console user interface view is displayed.


6. Run:
authentication-mode aaa

The authentication mode is set to AAA authentication.


l Configuring password authentication


1. Run:
system-view

The system view is displayed.


2. Run:
user-interface console interface-number

The console user interface view is displayed.


3. Run:
authentication-mode password

The authentication mode is set to password authentication.


4. Run:
set authentication password [ cipher password ]

A password for password authentication is set.


----End

5.2.6 Checking the Configurations


After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.

Prerequisites
The user management function has been configured.

Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check online users.
----End

Example
Run the display users command to view information about the current user interface.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0 00:00:44 pass no
Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Quidway> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)

5.3 Configuring the VTY User Interface


If you need to log in to the switch using Telnet or SSH to perform local or remote maintenance,
you can configure the VTY user interface as needed.

5.3.1 Establishing the Configuration Task


Before configuring a VTY user interface, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
If you need to log in to the switch using Telnet or SSH to perform local or remote maintenance,
you can configure a VTY user interface. You can configure the maximum number of VTY user
interfaces, restrictions on incoming and outgoing calls, terminal attributes, user priority, and
user authentication mode. These parameters have default values on the switch, which you can
modify as needed.

Pre-configuration Tasks
Before configuring a VTY user interface, log in to the switch by using a terminal.

Data Preparation
To configure a VTY user interface, you need the following data.

No. Data

1 Maximum VTY user interfaces

2 (Optional) ACL number used to restrict incoming and outgoing calls on VTY user interfaces

3 Idle timeout period, number of characters in each line displayed on a terminal screen,
and the size of history command buffer

4 User priority

5 User authentication method, username, and password


NOTE

All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, user authentication method, username, and password) have default values that require no
additional configuration.

5.3.2 Configuring the Maximum Number of VTY User Interfaces


This section describes how to limit the number of users logging in to the switch by configuring
the maximum number of VTY user interfaces.

Context
The maximum number of VTY user interfaces is the total number of users that can be logged in
to the switch at the same time using Telnet or SSH.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface maximum-vty number

The maximum number of VTY user interfaces is set.

NOTE

When the maximum number of VTY user interfaces is set to zero, no user (including the network
administrator) can use a VTY user interface to log in to the switch.

If the new maximum number of VTY user interfaces is smaller than the number of users currently
online, a message is displayed indicating that the configuration failed.

If the new maximum is greater than the current maximum, the authentication mode and password
must be set for the newly added user interfaces; until they are set, no one can log in through
those interfaces.

Consider, for example, a system that allows a maximum of five users to be online. To allow 15
VTY users online at the same time, you must run the authentication-mode command to
configure authentication modes for VTY user interfaces from 5 to 14. The commands are run
as follows:
<Quidway> system-view
[Quidway] user-interface maximum-vty 15
[Quidway] user-interface vty 5 14
[Quidway-ui-vty5-14] authentication-mode password

----End


5.3.3 (Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces
This section describes how to configure an ACL to restrict access of incoming and outgoing
calls on a VTY user interface to specific IP addresses or address segments.

Context
Before setting restrictions for incoming and outgoing calls on a VTY user interface, run the
acl command in the system view to create an ACL. Enter the ACL view and run the rule
command to add rules to the ACL.

NOTE

l The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging
from 3000 to 3999.
l For ACL configuration details, refer to the S6700 Series Ethernet Switches Configuration Guide -
Security.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:
acl acl-number { inbound | outbound }

Restrictions for incoming and outgoing calls on the VTY user interface are configured.

l Use inbound to control which source addresses may log in to the switch through this VTY
user interface, for example to block a specific host or address segment.
l Use outbound to control which addresses a user who has logged in through this VTY user
interface may Telnet to from the switch, so that the switch cannot be used as a hop to other
switches.

----End
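As an added example that is not code from the Huawei guide, the following Python reproduces the wildcard-mask matching that an inbound ACL applies to the source address of a login attempt, using the guide's ACL 2000 plus one extra segment rule as constructed input. The example assumes rules are compared in configuration order with the first match deciding, and lets the caller choose the outcome when no rule matches (the guide's own ACL ends with rule permit source any, so that case does not arise there). All function and variable names are the example's own.

```python
"""Added example, not from the Huawei guide: evaluate a basic ACL (2000-2999)
written in the 'rule [id] { permit | deny } source { address wildcard | any }'
syntax against candidate login source addresses, the way 'acl <number> inbound'
on a VTY user interface screens them.

Assumptions (the guide does not spell them out):
  * rules are compared in the order they appear and the first match decides;
  * when no rule matches, the caller's default_permit decides.
"""
import ipaddress
import re

# One rule: optional rule id, action, then 'any' or 'address [wildcard]'.
RULE_RE = re.compile(
    r"rule(?:\s+(?P<id>\d+))?\s+(?P<action>permit|deny)\s+source\s+"
    r"(?:(?P<any>any)|(?P<addr>\d+(?:\.\d+){3})(?:\s+(?P<wild>\S+))?)$"
)

ALL_ONES = 0xFFFFFFFF


def parse_wildcard(text):
    """Huawei writes a host match as a bare '0' (shorthand for 0.0.0.0)."""
    if text is None or text == "0":
        return 0
    return int(ipaddress.IPv4Address(text))


def parse_acl(config_text):
    """Return [(action, address_int, wildcard_int)] in configuration order;
    lines that are not rules (the 'acl number' header, comments) are skipped."""
    rules = []
    for raw in config_text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        if m.group("any"):
            rules.append((m.group("action"), 0, ALL_ONES))
        else:
            rules.append((m.group("action"),
                          int(ipaddress.IPv4Address(m.group("addr"))),
                          parse_wildcard(m.group("wild"))))
    return rules


def rule_matches(source_int, rule_addr, wildcard):
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a netmask)."""
    care = ~wildcard & ALL_ONES
    return (source_int & care) == (rule_addr & care)


def login_permitted(rules, source, default_permit=False):
    """Decide whether a Telnet/SSH client at 'source' passes the inbound ACL."""
    source_int = int(ipaddress.IPv4Address(source))
    for action, rule_addr, wildcard in rules:
        if rule_matches(source_int, rule_addr, wildcard):
            return action == "permit"
    return default_permit


# Constructed sample: the guide's ACL 2000 plus one extra segment rule.
SAMPLE_ACL = """\
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule 10 deny source 10.1.2.0 0.0.0.255
 rule 15 permit source any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for client in ("10.1.1.1", "10.1.1.2", "10.1.2.77", "192.0.2.5"):
        print(client, "permit" if login_permitted(acl, client) else "deny")
```

Dropping the final permit-any rule makes the result depend on the no-match default, which is why the guide's configuration file keeps an explicit rule permit source any after the deny: the intended outcome is then visible in the configuration rather than implied by platform behaviour.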

5.3.4 Setting Terminal Attributes of the VTY User Interface


This section describes how to configure terminal attributes of a VTY user interface, including
user idle timeout, number of lines or number of characters in each line displayed in a terminal
screen, and size of the history command buffer.

Context
Terminal attributes of a VTY user interface have default values on the switch and you can set
them as needed.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.


Step 3 Run:
shell

VTY terminal service is enabled.


Step 4 Run:
idle-timeout minutes [ seconds ]

The user idle timeout is set.


If the connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]

The terminal screen length is set.


The temporary keyword sets the screen length only for the current session.
By default, the terminal screen length is 24 lines.
Step 6 Run:
history-command max-size size-value

The size of the history command buffer is set.


By default, a maximum number of 10 commands can be cached in the history command buffer.

----End

5.3.5 Setting User Priority of the VTY User Interface


This section describes how to control a user's authority on the switch and improve switch
security by configuring the user priority.

Context
l Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
l This procedure sets the priority of users who log in through the VTY user interface. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see "Command Level".


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty interface-number

The VTY user interface view is displayed.

Step 3 Run:
user privilege level level

The user priority is set.

By default, users logging in through the VTY user interface can use commands at level 0.

NOTE

If the user priority configured in the VTY user interface view differs from the level assigned to
the user account (for example, by the local user in AAA authentication), the level assigned to the
user takes precedence.

----End

5.3.6 Setting the User Authentication Mode of the VTY User


Interface
The system provides two authentication modes, AAA and password. Configuring a user
authentication mode improves switch security.

Context
The system provides two authentication modes as shown in Table 5-3.

Table 5-3 Authentication Modes

Authentication Mode: AAA
Advantage: High security. Each user logs in with an individual user name and password, so a
login can be attributed to a person.
Disadvantage: The configuration is more complex. The user name and password for AAA
authentication must be created.

Authentication Mode: Password authentication
Advantage: Configured on the VTY user interface itself; only a login password is needed, so the
configuration is simple.
Disadvantage: Lower security than AAA. All users share the one login password for the device,
so a login cannot be attributed to a person and the password must be changed whenever
someone who knows it should no longer have access.


CAUTION
l By default, no user authentication mode is configured on the VTY user interface.
Administrators must set one manually. Until a user authentication mode is set, users cannot
log in to the device through the VTY user interface.
l If the user authentication mode of the VTY user interface is password authentication or AAA
authentication, the login password or the user name and password must also be set. Without
them, users cannot log in to the device through the VTY user interface.

Procedure
l Configuring AAA authentication
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.


3. Run:
authentication-mode aaa

The authentication mode is set to AAA authentication.


4. Run:
quit

Exit from the VTY user interface view.


5. Run:
aaa

The AAA view is displayed.


6. Run:
local-user user-name password cipher password

A user name and password for the local user are created.
l Configuring password authentication
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.


3. Run:
authentication-mode password

The authentication mode is set to password authentication.


4. Run:
set authentication password [ cipher password ]

A password for password authentication is set. With the cipher keyword, the password is stored in encrypted form in the configuration file.


----End

5.3.7 Checking the Configurations


After configuring a VTY user interface, you can view information about user interfaces, the
maximum number of VTY user interfaces, and physical attributes and configurations of user
interfaces.

Prerequisites
The VTY user interface has been configured.

Procedure
l Run the display users [ all ] command to check information about user interfaces.
l Run the display user-interface maximum-vty command to check the maximum number
of VTY user interfaces.
l Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]
command to check the physical attributes and configurations of user interfaces.
l Run the display local-user command to check the local user list.
l Run the display vty mode command to check the VTY mode.
----End

Example
Run the display users command to view information about current user interfaces.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
34 VTY 0 00:00:12 TEL 10.138.77.38 no
Username : Unspecified
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
Username : Unspecified

Run the display user-interface maximum-vty command to view the maximum number of VTY
user interfaces.
<Quidway> display user-interface maximum-vty
Maximum of VTY user:15

Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<Quidway> display user-interface vty 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 34 VTY 0 - 14 14 N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)

Run the display vty mode command to view the message indicating that the machine-to-machine
interface is enabled. For example:
<Quidway> display vty mode
current VTY mode is Machine-Machine interface

5.4 Configuration Examples


This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain networking requirements, and provide configuration roadmaps
and configuration notes.

5.4.1 Example for Configuring Console User Interface


In this example, a console user interface is configured to allow a user in password authentication
mode to log in to the switch. The physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the interface.

Networking Requirements
A user uses the console user interface to log in to the switch to initialize switch configurations
or perform local switch maintenance. You can set console user interface attributes as needed (for
example, for security reasons) to allow user logins.

In the console user interface view, the user priority is set to 15, and the password authentication
mode is set (the password is huawei).

If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.

Configuration Roadmap
The configuration roadmap is as follows:


1. Enter the interface view and set physical attributes of the console user interface.
2. Set terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.

Data Preparation
To complete the configuration, you need the following data:

l Transmission rate of the console user interface: 4800 bit/s


l Flow control mode of the console user interface: None
l Parity of the console user interface: even
l Stop bit of the console user interface: 2
l Data bit of the console user interface: 6
l Timeout period for disconnecting from the console user interface: 30 minutes
l Number of lines that a terminal screen displays: 30
l Number of characters that a terminal screen displays: 60
l Size of the history command buffer: 20
l User priority: 15
l User authentication mode: password (password: huawei)

Procedure
Step 1 Set physical attributes of the console user interface.
<Quidway> system-view
[Quidway] user-interface console 0
[Quidway-ui-console0] speed 4800
[Quidway-ui-console0] flow-control none
[Quidway-ui-console0] parity even
[Quidway-ui-console0] stopbits 2
[Quidway-ui-console0] databits 6

Step 2 Set terminal attributes of the console user interface.


[Quidway-ui-console0] shell
[Quidway-ui-console0] idle-timeout 30
[Quidway-ui-console0] screen-length 30
[Quidway-ui-console0] screen-width 60
[Quidway-ui-console0] history-command max-size 20

Step 3 Set the user priority of the console user interface.


[Quidway-ui-console0] user privilege level 15

Step 4 Set the user authentication mode in the console user interface to password.
[Quidway-ui-console0] authentication-mode password
[Quidway-ui-console0] set authentication password cipher huawei
[Quidway-ui-console0] quit

After the console user interface is configured, a user in password authentication mode can use
a console port to log in and perform local maintenance on the switch. For details on how a user
logs in to the switch, see the 6 Configuring User Login.

----End


Configuration Files
#
sysname Quidway
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password cipher %$%$>tGNLl~,2=8vhc%-9O_B:[RI^3}]Ln;[qJRbm_OzqGiLhaXS%$%$
history-command max-size 20
idle-timeout 30 0
screen-length 30
databits 6
parity even
stopbits 2
speed 4800
#
return

5.4.2 Example for Configuring a VTY User Interface


In this example, a VTY user interface is configured to allow a user in password authentication
mode to use Telnet to log in to the switch. The maximum number of VTY user interfaces allowed,
restrictions for incoming and outgoing calls, terminal attributes, authentication mode, and
password are set for the interface.

Networking Requirements
A user uses Telnet to log in to the switch using a VTY channel. You can set VTY user interface
attributes as needed (for example, security considerations) to allow user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password
authentication, with the password of "huawei", and a user with the IP address of 10.1.1.1 is
prohibited from logging in to the switch.
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set restrictions for incoming and outgoing calls on the VTY user interface to prevent an IP
address or an IP address segment from accessing the switch.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority of the VTY user interface.
5. Set the authentication mode and password of the VTY user interface.

Data Preparation
To complete the configuration, you need the following data:
l Maximum number of VTY user interfaces: 15
l ACL applied to restrict incoming calls on the VTY user interface: 2000
l Timeout period for disconnecting from the VTY user interface: 30 minutes


l Number of lines that a terminal screen displays: 30


l Number of characters that a terminal screen displays: 60
l Size of the history command buffer: 20
l User priority: 15
l User authentication mode: password, password: huawei

Procedure
Step 1 Set the maximum number of VTY user interfaces.
<Quidway> system-view
[Quidway] user-interface maximum-vty 15

Step 2 Set the limit on call-in and call-out in the VTY user interface.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule deny source 10.1.1.1 0
[Quidway-acl-basic-2000] quit
[Quidway] user-interface vty 0 14
[Quidway-ui-vty0-14] acl 2000 inbound

Step 3 Set terminal attributes of the VTY user interface.


[Quidway-ui-vty0-14] shell
[Quidway-ui-vty0-14] idle-timeout 30
[Quidway-ui-vty0-14] screen-length 30
[Quidway-ui-vty0-14] screen-width 60
[Quidway-ui-vty0-14] history-command max-size 20

Step 4 Set the user priority of the VTY user interface.


[Quidway-ui-vty0-14] user privilege level 15

Step 5 Set the authentication mode and password of the VTY user interface.
[Quidway-ui-vty0-14] authentication-mode password
[Quidway-ui-vty0-14] set authentication password cipher huawei
[Quidway-ui-vty0-14] quit

After the VTY user interface is configured, a user authenticated in password mode can use Telnet
to log in to the switch and perform local or remote maintenance on the switch. For details on
how a user logs in to the switch, see the 6 Configuring User Login.

----End

Configuration Files
#
sysname Quidway
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
authentication-mode password
set authentication password cipher %$%$>tGNLl~,2=8vhc%-9O_B:[RI^3}]Ln;[qJRbm_OzqGiLhaXS%$%$
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
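As an added example that is not part of the guide, the following Python audits the VTY section of a saved configuration file in the layout shown above and reports the points made in 5.3.2, 5.3.3, 5.3.6 and Table 6-1: VTY indexes below the configured maximum that have no authentication mode, a shared login password combined with a management-level privilege, a missing inbound ACL, and Telnet left enabled. The protocol inbound ssh line it looks for, the reading of idle-timeout 0 0 as "never time out", and the assumed five-VTY default when no maximum-vty line is present are the example's own assumptions, not statements from the guide; the sample configuration is constructed and its cipher text is a placeholder.

```python
"""Added example, not from the Huawei guide: audit the VTY part of a saved VRP
configuration file (the layout the guide shows under 'Configuration Files')
for the points this chapter makes: every VTY index below the configured
maximum needs an authentication mode, a shared login password should not hand
out a high privilege level, an inbound ACL should limit sources, and Telnet
(the default VTY protocol) carries credentials in plain text.

Assumptions of this example: 'protocol inbound ssh' is taken as the command
that restricts a VTY to SSH (the guide only states the Telnet default),
'idle-timeout 0 0' is read as 'never time out', and a file with no
'user-interface maximum-vty' line is assumed to allow five VTYs, the figure
the guide uses in its worked scenario.
"""
import re

# Constructed sample in the guide's configuration-file layout; the cipher
# text is a placeholder, not a real stored password.
SAMPLE_CONFIG = """\
#
 sysname Quidway
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 authentication-mode password
 set authentication password cipher %$%$PLACEHOLDER%$%$
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
#
return
"""


def parse_vty_blocks(config_text):
    """Return (maximum_vty, blocks); each block is
    {'range': (first, last), 'lines': [setting, ...]} for one
    'user-interface vty first [last]' view."""
    maximum_vty = None
    blocks = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"user-interface maximum-vty (\d+)", line)
        if m:
            maximum_vty = int(m.group(1))
            current = None
            continue
        m = re.fullmatch(r"user-interface vty (\d+)(?: (\d+))?", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or first)
            current = {"range": (first, last), "lines": []}
            blocks.append(current)
            continue
        if line.startswith("user-interface") or line in ("#", "return"):
            current = None  # another view or a separator ends the VTY block
            continue
        if current is not None and line:
            current["lines"].append(line)
    return maximum_vty, blocks


def audit_vty(config_text, assumed_default_max_vty=5):
    """Return a list of human-readable findings for the VTY configuration."""
    maximum_vty, blocks = parse_vty_blocks(config_text)
    if maximum_vty is None:
        maximum_vty = assumed_default_max_vty  # example's assumption, see docstring
    findings = []
    authenticated = set()
    for block in blocks:
        first, last = block["range"]
        lines = block["lines"]
        name = f"vty {first} {last}"
        auth = next((l.split()[1] for l in lines
                     if l.startswith("authentication-mode ")), None)
        if auth:
            authenticated.update(range(first, last + 1))
        level = 0  # guide: VTY users get command level 0 unless configured
        for l in lines:
            m = re.fullmatch(r"user privilege level (\d+)", l)
            if m:
                level = int(m.group(1))
        if auth == "password" and level >= 3:
            findings.append(f"{name}: a shared login password grants management "
                            f"level {level}; prefer AAA with per-user accounts")
        if not any(re.fullmatch(r"acl \d+ inbound", l) for l in lines):
            findings.append(f"{name}: no inbound ACL, any reachable address may "
                            "attempt to log in")
        if "idle-timeout 0 0" in lines:
            findings.append(f"{name}: idle timeout disabled, abandoned sessions "
                            "stay open")
        if not any(l.startswith("protocol inbound ssh") for l in lines):
            findings.append(f"{name}: Telnet accepted (plain-text credentials); "
                            "restrict the VTY to SSH")
    missing = sorted(set(range(maximum_vty)) - authenticated)
    if missing:
        findings.append(f"VTY indexes {missing} have no authentication mode "
                        "configured; nobody can log in on them until one is set")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```

Run against the configuration file above, the audit flags the level-15 password login and the Telnet default and nothing else; shrinking the configured range to vty 0 4 while keeping maximum-vty 15 reproduces the situation the note in 5.3.2 warns about, with indexes 5 to 14 left without an authentication mode.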


6 Configuring User Login

About This Chapter

A user can log in to the switch through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the switch locally or remotely after login.

6.1 Overview of User Login


When the device works as the server, a user can log in to the device through a console port,
Telnet, STelnet, or web.
6.2 Logging in to the Devices Through the Console Port
When a user needs to configure a switch that is powered on for the first time or maintain a
switch locally, the user can log in through a console port.
6.3 Logging in to Devices Using Telnet
When multiple switches need to be configured and managed, there is no need to maintain each
switch locally. Instead, you can use Telnet to log in to the switches remotely to perform
maintenance. This greatly facilitates device management.
6.4 Logging in to Devices Using STelnet
STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.
6.5 Logging in to the Devices by Using Secure Web Network Management (HTTPS Mode)
An SSL policy is configured on and a digital certificate is loaded to an HTTP server. The digital
certificate is used by a client to verify the identity of the server.
6.6 Common Operations After Login
After logging in to the switch, you can perform user priority switching, terminal window locking,
and other operations as needed.
6.7 Configuration Examples
This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.


6.1 Overview of User Login


When the device works as the server, a user can log in to the device through a console port,
Telnet, STelnet, or web.
Table 6-1 lists the modes by which a user can log in to the device to configure and manage it.

Table 6-1 User login modes

Login Mode: 6.2 Logging in to the Devices Through the Console Port
Applicable Scenario: A user logs in to the device using the console port on the user terminal to
power on and configure the device for the first time.
l If a user cannot access the device remotely, the user can log in to the device locally using
the console port.
l A user can log in using the console port to diagnose a fault if the device fails to start or to
enter the BootROM to upgrade the system.
Remarks: By default, a user can directly log in to the device using the console port. The
authentication mode is password authentication, indicating that a password is required for
authentication. The command access level is 3.


Login Mode: 6.3 Logging in to Devices Using Telnet
Applicable Scenario: A user accesses the network using a user terminal and logs in to the device
using Telnet to perform local or remote configuration. The target device authenticates the user
using the configured login parameters. The Telnet login mode facilitates remote device
management and maintenance.
Remarks: By default, a user cannot log in to the device directly using Telnet. To enable Telnet
login, log in to the device locally using the console port and perform the following configuration
tasks:
l Configure the IP address of the management network port on the device and ensure that a
reachable route exists between the user terminal and the device. By default, an IP address is
not configured on the device.
l Configure the user authentication mode of the VTY user interface. (By default, the user
authentication mode of the VTY user interface is not configured. Administrators must
manually set a user authentication mode for the VTY user interface.)
l Configure the user access level of the VTY user interface. By default, the user access level
of the VTY user interface is 0.
l Enable the Telnet server function. By default, the Telnet server function is enabled.


Login Mode: 6.4 Logging in to Devices Using STelnet
Applicable Scenario: A user accesses the network using a user terminal. If the network is
insecure, use the Secure Shell (SSH) protocol to increase the security of the transmission and
utilize a powerful authentication mechanism. SSH protects the device against attacks such as IP
spoofing and plain-text password interception. The STelnet login mode better ensures the
security of the exchanged data.
Remarks: By default, a user cannot log in to the device directly using STelnet. To enable STelnet
login, log in to the device locally using the console port and perform the following configuration
tasks:
l Configure the IP address of the management network port on the device and ensure that a
reachable route exists between the user terminal and the device. By default, an IP address is
not configured on the device.
l Configure the user authentication mode of the VTY user interface. (By default, the user
authentication mode of the VTY user interface is not configured. Administrators must
manually set a user authentication mode for the VTY user interface.)
l Configure the user access level of the VTY user interface. By default, the user access level
of the VTY user interface is 0.
l Configure the VTY user interface to support the SSH protocol. By default, the VTY user
interface supports the Telnet protocol.
l Configure the SSH user and specify STelnet as a service mode. By default, the SSH user is
not configured on the device, and the service mode of SSH users is null (no service mode is
supported).
l Enable the STelnet server function. By default, the STelnet server function is disabled.

NOTE

Logging in using Telnet is insecure: no secure authentication mechanism is used, and data,
including the login password, is transmitted over TCP in plain text. Unlike Telnet, SSH
authenticates clients and encrypts data in both directions to guarantee secure transmission over a
conventional insecure network. SSH supports Secure Telnet (STelnet). Because the Telnet server
function is enabled by default (Table 6-1), leaving it enabled after STelnet is configured still
exposes credentials in plain text; once STelnet login works, restrict VTY access to SSH.
For detailed information about SSH, see S6700 Feature Description - Basic Configurations.


6.2 Logging in to the Devices Through the Console Port


When a user needs to configure a switch that is powered on for the first time or maintain a
switch locally, the user can log in through a console port.

6.2.1 Establishing the Configuration Task


Before configuring user login through a console port, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.

Applicable Environment
A user can log in to a device locally through a console port. The user can log in through a console
port when a device is powered on for the first time.

l If a user cannot access the device remotely, the user can log in to the device locally using
the console port.
l A user can log in using the console port to diagnose a fault if the device fails to start or to
enter the BootROM to upgrade the system.

Pre-configuration Tasks
Before configuring user login through a console port, complete the following tasks:

l Configure the PC/terminal (including the serial port and RS-232 cable).
l Install the terminal emulator (for example, the Windows XP HyperTerminal) to the PC.

Data Preparation
To configure user login through a console port, you need the following data.

No. Data

1 l Transmission rate, flow control mode, parity mode, stop bit, data bit
l Number of lines displayed in a terminal screen, number of characters displayed
in a terminal screen, size of the history command buffer
l User priority
l User authentication mode, username, and password

6.2.2 (Optional) Configuring the Console User Interface


If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.


Context
Console user interface attributes have default values on the device, and generally need no
modification. To meet specific user requirements or ensure network security, you can modify
console user interface attributes, such as terminal attributes and user authentication mode.
For detailed settings, see Configuring Console User Interface.

NOTE

Changes to console user interface attributes take effect immediately, so the connection may be
interrupted if you modify them while logged in to the device through the console port. Log in using
another login mode when modifying console user interface attributes. To log in through the console
port after changing the default console user interface attributes, make sure that the terminal
emulator running on the PC is configured consistently with the console user interface attributes
configured on the device.

6.2.3 Logging In to the Device Using a Console Port


A user can log in by connecting a terminal to the device using a console port.

Context
l The communication parameters of the user terminal must match the physical attribute
parameters of the console user interface on the device.
l A user authentication mode must be configured on the console user interface; a user can
log in to the device only after being successfully authenticated. Authentication enhances
network security.

Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 6-1.

Figure 6-1 Connection creation


Step 2 Set an interface, as shown in Figure 6-2.

Figure 6-2 Interface settings

Step 3 Set communication parameters to match the switch defaults, as shown in Figure 6-3.

Figure 6-3 Communication parameter settings


Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
Please configure the login password (maximum length 16)
Enter Password:
Confirm Password:

NOTE

l After the password for the user interface is set during the first login, you must enter this
password for authentication each time you log in again through this user interface in password
authentication mode.

----End

6.2.4 Checking the Configurations


After logging in through a console port, a user can view the usage information, physical attributes
and configurations, local user list, and online users on the console user interface.

Prerequisites
Configurations for user login through a console port are complete.

Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check online users.
----End

Example
Run the display users command to view information about the current user interface.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0 00:00:44 pass no
Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Quidway> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.


Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)

6.3 Logging in to Devices Using Telnet


When multiple switches need to be configured and managed, there is no need to maintain each
switch locally. Instead, you can use Telnet to log in to the switches remotely to perform
maintenance. This greatly facilitates device management.

6.3.1 Establishing the Configuration Task


Before configuring user login using Telnet, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain any data required for configuration.

Applicable Environment
If you know the IP address of a remote switch, you can use Telnet to log in to the switch from
a local terminal. Telnet login allows you to maintain multiple remote switches from one local
terminal, greatly facilitating device management.
Note that switch IP addresses must be preset through the console port.

Pre-configuration Tasks
Before configuring users to log in using Telnet, you must log in to the device through the console
port to change the default configurations on the device, so that users can remotely log in to the
device using Telnet to manage and maintain the device. The following default configurations
must be changed:
l Configuring the IP address of the management network port on the device and ensuring
that a reachable route exists between the user terminal and the device
l 6.3.2 Configuring the User Access Level and User Authentication Mode of the VTY
User Interface for remote device management and maintenance
l 6.3.3 Enabling the Telnet Service so that users can remotely log in to the device through
Telnet

Data Preparation
Before configuring Telnet user login, you need the following data.


No. Data

1 l User priority
l User authentication mode, username, password
l (Optional) Maximum number of VTY user interfaces allowed
l (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
l (Optional) Connection timeout period of terminal users, number of lines displayed
in a terminal screen, number of characters displayed in a terminal screen and size
of the history command buffer

2 IPv4/IPv6 address or host name of the switch

3 TCP port number used by the remote device to provide Telnet services, VPN instance
name

6.3.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface


By default, the user access level of the VTY user interface is 0. To enable a user terminal to log
in to the device remotely using Telnet for maintenance and management, log in to the device
using the console port, change the user access level, and set a user authentication mode for
the VTY user interface.

Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.

Procedure
l Configure the user access level of the VTY user interface.
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.


3. Run:
user privilege level level

The user access level is set.


By default, the user access level of the VTY user interface is 0. Table 6-2 describes
the relationship between the user access levels and command levels.


Table 6-2 Association between user access levels and command levels

User Level | Command Level | Level Name | Description
0 | 0 | Visit level | Commands that run network diagnostic tools (such as ping and tracert) and commands that start from the local device and access external devices (such as the Telnet client side).
1 | 0 and 1 | Monitoring level | Commands, such as the display commands, that are used for system maintenance and fault diagnosis.
  NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the S6700 Series Command Reference.
2 | 0, 1, and 2 | Configuration level | Commands that configure network services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | Commands that control basic system operations and provide support for services: file system commands, FTP commands, TFTP commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, and debugging commands for fault diagnosis.

NOTE

l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
l Configure the user authentication mode of the VTY user interface.
Two authentication modes are available: password authentication and AAA authentication.
Select one as needed. Password authentication uses a single password shared by everyone who
uses the interface and therefore gives no per-user accountability; AAA authentication requires an
individual username and password, and is the mode required on a VTY user interface that
supports SSH (see 6.4.3). Prefer AAA authentication on any VTY user interface that grants a
management-level access level.
– Configuring Password Authentication
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty first-ui-number [ last-ui-number ]


The VTY user interface view is displayed.


3. Run:
authentication-mode password

The authentication mode is set to password authentication.


4. Run:
set authentication password [ cipher password ]

The password for password authentication is set. With the cipher keyword, the password is stored in encrypted form in the configuration file.


– Configuring AAA Authentication
When the user authentication mode of the VTY user interface is set to AAA
authentication, the access type of the local user must be specified.
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
local-user user-name password cipher password

A username and password for the local user are created.


4. Run:
local-user user-name service-type telnet

The access type of the local user is set to Telnet.


5. Run:
quit

Exit from the AAA view.


6. Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.


7. Run:
authentication-mode aaa

The authentication mode is set to AAA authentication.


----End

6.3.3 Enabling the Telnet Service


Before a user terminal establishes a Telnet connection with the device, log in to the device
through the console interface to enable the Telnet server function on the device, so that the user
terminal can remotely log in to the device using Telnet.

Context
By default, the Telnet server function is enabled.
Perform the following steps on the device that serves as a Telnet server.
Select and perform one of the following two steps for IPv4 or IPv6.


Procedure
l For the IPv4 network
1. Run:
system-view

The system view is displayed.


2. Run:
telnet server enable

The Telnet service is enabled.


l For the IPv6 network
1. Run:
system-view

The system view is displayed.


2. Run:
telnet ipv6 server enable

The Telnet service is enabled.

NOTE

l The undo telnet [ ipv6 ] server enable command does not take effect while a user is logged
in using Telnet. Disconnect the Telnet sessions first, or disable the server from a console
or STelnet session.
l After the Telnet server function is disabled, you can log in to the device only using SSH
(STelnet) or the asynchronous serial (console) port, not using Telnet.

----End

6.3.4 Logging in to the Device Using Telnet


After a remote device is configured, use Telnet to log in to the device from a terminal and perform
remote maintenance on the device.

Context
Use either the Windows CLI or third-party software in the terminal to log in to the switch through
Telnet. This section describes use of the Windows command line prompt.
Perform the following steps on the user terminal:

Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to connect to the device.
1. Enter the IP address of the Telnet server.


Figure 6-4 Windows CLI

2. Press Enter. The user view prompt, such as <HUAWEI>, is displayed, indicating that you
have reached the Telnet server. (The system view prompt uses square brackets, for example
[HUAWEI].)
If password or AAA authentication has been configured on the device, you must first enter
the login password (and, for AAA authentication, the username) and press Enter. The user
view prompt is then displayed, as shown in Figure 6-5.

Figure 6-5 Login

----End

6.3.5 (Optional) Configuring the Listening Port Number for the Telnet Server


A user can configure or change the listening port number of the Telnet server. Moving the server
off the default port reduces the number of opportunistic connection attempts it receives, because
only a client that already knows the current listening port number can reach the service without
first scanning for it.

Context
By default, the listening port number of the Telnet server is 23. Users can log in to the switch
directly using the default listening port number. Attackers and automated scanners also target
the default port, consuming bandwidth, degrading server performance, and potentially preventing
authorized users from accessing the server. Changing the listening port number stops this
opportunistic traffic, but it is not an access control: a port scan still finds the service, and Telnet
still carries usernames and passwords in clear text. Restrict management access with an ACL on
the VTY user interfaces and prefer STelnet (see 6.4) for remote login.
Perform the following steps on the switch that functions as a Telnet server:
Perform the following steps on the switch that functions as a Telnet server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
telnet server port port-number

The listening port number of the Telnet server is set.


If a new listening port number is set, the Telnet server terminates all established Telnet
connections, and then uses the new port number to listen to new requests for Telnet connections.

----End
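The following added example (Python, not part of the Huawei guide or of the switch software) shows why a changed listening port is not a secret. A Telnet server sends IAC option negotiation before any login prompt, so a scanner recognises it on any port by what it sends, not by the port number. The two stand-in servers are constructed for the demonstration: one replays the opening bytes of a Telnet server, the other an SSH banner, and each closes the connection immediately. Both listen on kernel-chosen loopback ports, which stand in for the "unknown" port configured with telnet server port.

```python
"""Find a Telnet service by its option negotiation rather than by port number.

Added example, not part of the Huawei guide or switch software. The stand-in
servers below are constructed for the demo: they only send the first bytes a
real Telnet or SSH server would send, then close the connection.
"""
import socket
import threading
from typing import Iterable, List

IAC = 0xFF                                   # "interpret as command" (RFC 854)
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
OPT_ECHO, OPT_SGA, OPT_TTYPE = 1, 3, 24

# What a Telnet server typically sends before any login prompt: it offers to
# echo, offers to suppress go-ahead, and asks for the client's terminal type.
TELNET_GREETING = bytes([IAC, WILL, OPT_ECHO, IAC, WILL, OPT_SGA, IAC, DO, OPT_TTYPE])


def looks_like_telnet(first_bytes: bytes) -> bool:
    """True when a server's opening bytes are a Telnet option negotiation."""
    return (len(first_bytes) >= 3
            and first_bytes[0] == IAC
            and first_bytes[1] in (WILL, WONT, DO, DONT))


def start_stand_in_server(greeting: bytes) -> int:
    """Listen on a kernel-chosen loopback port and send `greeting` to each client.

    Returns the port so the caller can treat it as the "secret" Telnet port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_telnet_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Connect to each port, read what the server sends first, keep Telnet hits."""
    hits: List[int] = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                first = s.recv(64)
        except OSError:                      # refused, filtered, or silent
            continue
        if looks_like_telnet(first):
            hits.append(port)
    return hits


if __name__ == "__main__":
    telnet_port = start_stand_in_server(TELNET_GREETING)
    ssh_port = start_stand_in_server(b"SSH-2.0-stand-in\r\n")
    low, high = min(telnet_port, ssh_port) - 2, max(telnet_port, ssh_port) + 2
    print("scanned", low, "-", high, "Telnet on:",
          find_telnet_ports("127.0.0.1", range(low, high + 1)))
```

The scanner reports only the port whose first bytes start with IAC followed by WILL/WONT/DO/DONT; the SSH stand-in, which opens with a text banner, is not reported even though it is in the scanned range. Against a real switch the same loop over a port range finds a relocated Telnet server just as easily, which is why the port change should be paired with a VTY ACL and, where possible, replaced by STelnet.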

6.3.6 Checking the Configurations


After logging in to the system using Telnet, you can view the connection status of each user
interface including the current user interface, and status of all established TCP connections.

Prerequisites
Configurations for Telnet logins are complete.

Procedure
l Run the display users [ all ] command to check information about users logged in to user
interfaces.
l Run the display tcp status command to check TCP connections.
l Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End

Example
Run the display users command to view information about the currently-used user interface.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
34 VTY 0 00:00:12 TEL 10.138.77.38 no
Username : Unspecified
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
Username : Unspecified

Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB     Tid/Soid  Local Add:port      Foreign Add:port     VPNID  State
39952df8  36 /1509  0.0.0.0:0           0.0.0.0:0            0      Closed
32af9074  59 /1     0.0.0.0:21          0.0.0.0:0            14849  Listening
34042c80  73 /17    10.164.39.99:23     10.164.6.13:1147     0      Established

Run the display telnet server status command to view the configuration and status of the Telnet
server.
<Quidway> display telnet server status
TELNET IPV4 server :Enable
TELNET IPV6 server :Enable
TELNET server port :23

6.4 Logging in to Devices Using STelnet


STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.

6.4.1 Establishing the Configuration Task


Before configuring users to log in using STelnet, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
Telnet logins bring security risks because Telnet has no secure authentication mechanism and
transmits everything, including usernames and passwords, over TCP in plain text. Unlike Telnet,
SSH authenticates the server to the client (and the client to the server) and encrypts data in
both directions, guaranteeing secure transmission over a conventional insecure network.
SSH supports STelnet, SCP, and SFTP.

STelnet is a secure Telnet protocol. SSH users can use the STelnet service in the same way they
use the Telnet service.

Pre-configuration Tasks
Before configuring users to log in using STelnet, you must log in to the device through the
console port to change the default configurations on the device, so that users can remotely log
in to the device using STelnet to manage and maintain the device. The following default
configurations must be changed:
l Configuring the IP address of the management network port on the device and ensuring
that a reachable route exists between the user terminal and the device
l Configuring the user access level and authentication mode of the VTY user
interface for remote device management and maintenance.
l Configuring the VTY user interface to support the SSH protocol, configuring the SSH
user and specify STelnet as a service mode for the SSH user, and enabling the STelnet
server function so that the user can remotely log in to the device through STelnet

Data Preparation
To configure users to log in using STelnet, you need the following data:


No. Data

1 User authentication mode, username, and password; (optional) maximum number of VTY user
interfaces allowed; (optional) ACL for restricting incoming and outgoing calls on VTY user
interfaces; (optional) connection timeout period for terminal users, number of rows displayed in
a terminal screen, and size of the history command buffer

2 Username, password, authentication mode, and service type of the SSH user, and the RSA or
DSA public key generated on the client that will be assigned to the SSH user

3 (Optional) Name of the SSH server, port number the SSH server listens on, preferred
encryption algorithm from the STelnet client to the SSH server, preferred encryption algorithm
from the SSH server to the STelnet client, preferred HMAC algorithm from the STelnet client to
the SSH server, preferred HMAC algorithm from the SSH server to the STelnet client, and
preferred key exchange algorithm

6.4.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface


By default, the user access level is 0. Before logging in to the device using STelnet for
maintenance and management, you must log in to the device through the console port to change
the user access level, and set a user authentication mode.

Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.

Procedure
l Configure the user access level of the VTY user interface.
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.


3. Run:
user privilege level level

The user access level is set.


By default, the user access level of the VTY user interface is 0. Table 6-3 describes
the relationship between the user access levels and command levels.


Table 6-3 Association between user access levels and command levels

User Level | Command Level | Level Name | Description
0 | 0 | Visit level | Commands that run network diagnostic tools (such as ping and tracert) and commands that start from the local device and access external devices (such as the Telnet client side).
1 | 0 and 1 | Monitoring level | Commands, such as the display commands, that are used for system maintenance and fault diagnosis.
  NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the S6700 Series Command Reference.
2 | 0, 1, and 2 | Configuration level | Commands that configure network services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | Commands that control basic system operations and provide support for services: file system commands, FTP commands, TFTP commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, and debugging commands for fault diagnosis.

NOTE

l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
l Configure the user authentication mode of the VTY user interface.
– Configuring AAA Authentication
When the authentication mode of the VTY user interface is set to AAA authentication,
the access type of the local user must be specified.
1. Run:
system-view

The system view is displayed.


2. Run:
aaa


The AAA view is displayed.


3. Run:
local-user user-name password cipher password

A username and password for the local user are created.


4. Run:
local-user user-name service-type ssh

The access type of the local user is set to SSH.


5. Run:
quit

Exit from the AAA view.


6. Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.


7. Run:
authentication-mode aaa

The authentication mode is set to AAA authentication.

----End

6.4.3 Configuring SSH for the VTY User Interface


For users to log in to the device using STelnet, VTY user interfaces must be configured to support
SSH.

Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.

NOTE

A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.

Perform the following steps on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.

Step 3 Run:
authentication-mode aaa

The AAA authentication mode is configured.


Step 4 Run:
protocol inbound ssh

The VTY user interface is configured to support SSH.

----End
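Sections 6.3.2, 6.3.3, 6.4.2 and 6.4.3 each change one login setting. The added example below (Python, not part of this guide or of the switch software) audits a saved running configuration for all of them at once, so that a switch can be checked before and after the hardening. The two configuration excerpts are constructed to resemble display current-configuration output; the way the Telnet default is rendered (on unless undo telnet server enable is present), the treatment of a missing authentication-mode as no authentication, and the acl 2000 inbound VTY command and ops-client-key key name are assumptions to adjust for your software version.

```python
"""Audit a Huawei VRP running-config excerpt for weak remote-login settings.

Added example, not Huawei code. Both excerpts are constructed to resemble
``display current-configuration`` output; how the Telnet default is printed,
a missing authentication-mode meaning "none", and the ``acl <n> inbound``
VTY command are assumptions made for this demo.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]

# Constructed: a switch still reachable over Telnet with one shared VTY password.
WEAK_CONFIG = """\
aaa
 local-user ops password cipher %$%$REDACTED%$%$
 local-user ops service-type telnet ssh
#
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 protocol inbound all
#
ssh user ops authentication-type password
#
return
"""

# Constructed: the same switch after sections 6.3.3, 6.4.2, 6.4.3 and 6.4.4.
HARDENED_CONFIG = """\
undo telnet server enable
undo telnet ipv6 server enable
#
aaa
 local-user ops password cipher %$%$REDACTED%$%$
 local-user ops service-type ssh
 local-user ops privilege level 15
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
#
ssh user ops authentication-type rsa
ssh user ops assign rsa-key ops-client-key
#
return
"""


def _views(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split config into top-level commands and {view header: body commands}.

    VRP prints a view's header unindented and the commands entered inside it
    indented by one space, so indentation alone recovers the structure.
    """
    top: List[str] = []
    bodies: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.strip() in ("", "#"):          # "#" separates views
            current = None
        elif raw.startswith(" "):
            if current is not None:
                bodies[current].append(raw.strip())
        else:
            top.append(raw)
            current = raw
            bodies[current] = []
    return top, bodies


def _audit_vty(header: str, body: List[str]) -> List[Finding]:
    auth = next((l.split()[1] for l in body if l.startswith("authentication-mode ")), "none")
    level = next((int(l.split()[-1]) for l in body if l.startswith("user privilege level ")), 0)
    proto = next((l.split()[2] for l in body if l.startswith("protocol inbound ")), "telnet")
    out: List[Finding] = []
    if auth == "none":
        out.append(("VTY_NO_AUTH", f"{header}: no authentication-mode; set aaa"))
    elif auth == "password" and level >= 3:    # 3-15 is the management level (Table 6-2)
        out.append(("VTY_SHARED_PASSWORD_MGMT",
                    f"{header}: one shared password grants level {level}; use authentication-mode aaa"))
    if proto != "ssh":                          # default is telnet (section 6.4.3)
        out.append(("VTY_ALLOWS_TELNET", f"{header}: protocol inbound {proto}; set protocol inbound ssh"))
    if not any(l.startswith("acl ") for l in body):
        out.append(("VTY_NO_ACL", f"{header}: no inbound ACL limiting management sources"))
    return out


def audit_login_config(config: str) -> List[Finding]:
    """Return (code, detail) findings; an empty list means nothing weak was seen."""
    top, bodies = _views(config)
    findings: List[Finding] = []
    for svc in ("telnet server enable", "telnet ipv6 server enable"):
        if "undo " + svc not in top:            # server is on unless undone (6.3.3)
            findings.append(("TELNET_ENABLED", f"{svc.split(' server')[0]} not disabled; use STelnet"))
    for header, body in bodies.items():
        if header.startswith("user-interface vty"):
            findings.extend(_audit_vty(header, body))
        elif header == "aaa":
            for m in (re.match(r"local-user (\S+) service-type (.+)", l) for l in body):
                if m and "telnet" in m.group(2).split():
                    findings.append(("LOCAL_USER_TELNET", f"{m.group(1)}: service-type includes telnet"))
    for m in (re.match(r"ssh user (\S+) authentication-type password$", l) for l in top):
        if m:
            findings.append(("SSH_PASSWORD_ONLY",
                             f"{m.group(1)}: password-only SSH login; prefer rsa, dsa or password-rsa"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_login_config(cfg) or 'no findings'}")
```

Run against a real export, the checks map one to one onto the procedures in this chapter: TELNET_ENABLED to 6.3.3, VTY_SHARED_PASSWORD_MGMT and VTY_NO_AUTH to 6.3.2/6.4.2, VTY_ALLOWS_TELNET to 6.4.3, and LOCAL_USER_TELNET and SSH_PASSWORD_ONLY to 6.4.2/6.4.4. Each finding names the view it came from so the fix can be typed in directly.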

6.4.4 Configuring an SSH User and Specifying the Service Types


To implement STelnet access, configure a Secure Shell (SSH) user, create a local Rivest-Shamir-
Adleman (RSA) or Digital Signature Algorithm (DSA) key pair, configure a user authentication
mode, and specify a service type for the SSH user.

Context
l There are six SSH user authentication modes: RSA, DSA, password, password-RSA,
password-DSA, and all. Password authentication depends on Authentication, Authorization
and Accounting (AAA): before a user logs in to the device in password, password-RSA, or
password-DSA authentication mode, you must create a local user with the same username in
the AAA view.
– Password-RSA authentication requires both password authentication and RSA
authentication to succeed.
– Password-DSA authentication requires both password authentication and DSA
authentication to succeed.
– All authentication accepts either password authentication or public-key (RSA or DSA)
authentication.
l The device must generate a local RSA or DSA key pair, which the SSH server uses to prove
its identity to clients during the SSH key exchange. If an SSH user logs in with password
authentication, only the server needs a local key pair. If the user logs in with RSA or DSA
authentication, the client also needs its own key pair, and the client's public key must be
configured on the server and assigned to the SSH user.
RSA and DSA are the two public-key algorithms that SSH can use for user authentication. DSA
is widely supported because RFC 4253 made the ssh-dss algorithm mandatory for SSH-2
implementations, and some older SSH software supports only DSA; current practice favours
RSA with a 2048-bit key, and recent OpenSSH releases disable ssh-dss by default. When RSA
or DSA authentication is used, the user's privilege level is that of the VTY user interface used
for login.

Perform the following operations on the switch that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user user-name

An SSH user is created.

If password, password-RSA, or password-DSA authentication is configured for the SSH user,
create a local user with the same name in the AAA view and set the local user access type to SSH:

1. Run the aaa command to enter the AAA view.


2. Run the local-user user-name password cipher password command to create the local user,
and then run the local-user user-name service-type ssh command to set the local user access
type to SSH.
Step 3 Create an RSA or DSA key pair.
l Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE

l You must run the rsa local-key-pair create command to generate a local key pair before
completing the other SSH configurations. The minimum length of the server key pair and the host
key pair is 512 bits, and the maximum length is 2048 bits. Choose 2048 bits: 512-bit RSA keys
can be factored with modest computing resources and provide no real protection.
l After a local key pair is generated, run the display rsa local-key-pair public command to view
the public key in the local key pair.
l To clear the local RSA key pair, run the rsa local-key-pair destroy command. It destroys all local
RSA key pairs, including the host key pair and the server key pair. Check that all local RSA key
pairs are destroyed after running the command. The rsa local-key-pair destroy command takes
effect only once and is therefore not saved in the configuration file.
l Run the dsa local-key-pair create command to create a local DSA key pair.
NOTE

l You must run the dsa local-key-pair create command to generate a local key pair before
completing the other SSH configurations. The length of the server key pair and the host key pair
can be 512, 1024, or 2048 bits. By default, the length is 512 bits; specify 2048 bits explicitly,
because the 512-bit default is too short to be secure.
l After a local key pair is generated, run the display dsa local-key-pair public command to view
the public key in the local key pair.
l To clear the local DSA key pair, run the dsa local-key-pair destroy command. It destroys all local
DSA key pairs, including the host key pair and the server key pair. Check that all local DSA key
pairs are destroyed after running the command. The dsa local-key-pair destroy command takes
effect only once and is therefore not saved in the configuration file.

Step 4 Perform the operations as described in Table 6-4 based on the configured SSH user
authentication mode.

Table 6-4 Configuring an authentication mode for the SSH user


Operation Command Description

Configure Run the ssh user user-name If local or HWTACACS


Password authentication-type password authentication is used and there
Authentication command are only a few users, use password
authentication.

Issue 05 (2013-04-10) Huawei Proprietary and Confidential 83


Copyright © Huawei Technologies Co., Ltd.
S6700 Series Ethernet Switches
Configuration Guide - Basic Configuration 6 Configuring User Login

Operation Command Description

Configure the Run the ssh authentication-type When you log in using SSH and
Default Password default password command use a TACACS server for
Authentication authentication, the network
administrator needs to specify the
information about an SSH user on
the TACACS server. In most
cases, however, the SSH server
cannot obtain the user information from the TACACS server. To resolve this problem, you can run the ssh authentication-type default password command to set the authentication mode to password authentication. Then, you can log in to the device on the SSH server safely.

Operation: Configure RSA authentication
Command / Description:
1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
2. Run the rsa peer-public-key key-name command to enter the public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
   l In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see the manuals for the SSH client software.
   l After entering the public key edit view, paste the RSA public key generated on the client to the server.
5. Run the public-key-code end command to exit from the public key edit view.
6. Run the peer-public-key end command to return to the system view.
   l Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format has been entered.
   l If the peer-public-key end command is used after the key key-name specified in Step 2 has been deleted in another window, the system prompts a message indicating that the key does not exist, and the system view is displayed.
7. Run the ssh user user-name assign rsa-key key-name command to assign the public key to the SSH user.

Operation: Configure DSA authentication
Command / Description:
1. Run the ssh user user-name authentication-type dsa command to configure DSA authentication.
2. Run the dsa peer-public-key key-name encoding-type { der | pem } command to configure an encoding format for a DSA public key and enter the DSA public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
   l In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see the manuals for the SSH client software.
   l After entering the public key edit view, paste the DSA public key generated on the client to the server.
5. Run the public-key-code end command to exit from the public key edit view.
6. Run the peer-public-key end command to return to the system view.
   l Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format has been entered.
   l If the peer-public-key end command is used after the key key-name specified in Step 2 has been deleted in another window, the system prompts a message indicating that the key does not exist, and the system view is displayed.
7. Run the ssh user user-name assign dsa-key key-name command to assign the public key to the SSH user.
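Step 4 above leaves it to the operator to obtain the hex-data from the SSH client software. The following Python script is an added example written for this page (not part of this guide and not Huawei tooling). It converts an OpenSSH ssh-rsa public key line into the hex form of a DER-encoded PKCS#1 RSAPublicKey (SEQUENCE of modulus and public exponent), which is the format assumed here for the RSA public key edit view; confirm the expected encoding against your device documentation before relying on it. It also decodes a pasted hex string back to (n, e) so the operator can compare it with the key on the client. The 64-bit demo modulus is constructed for the illustration and is far too small for real use; all function names are the example's own.

```python
import base64
import struct

# Constructed demo key (NOT a real key): a 64-bit modulus is far too small for
# real use and is chosen only so the encoding can be verified by hand.
DEMO_N = 0xD5A13F8B2C7E9041
DEMO_E = 65537


def _positive_int_bytes(value):
    """Minimal big-endian bytes with a leading 0x00 when the top bit is set.
    SSH mpint and DER INTEGER share this rule for positive numbers."""
    if value <= 0:
        raise ValueError("only positive integers occur in an RSA public key")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:start + length], start + length


def openssh_rsa_line(n, e, comment="constructed-demo"):
    """Build an OpenSSH public key line: 'ssh-rsa <base64 RFC 4253 blob> comment'."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(_positive_int_bytes(e))
            + _ssh_string(_positive_int_bytes(n)))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_openssh_rsa_line(line):
    """Return (n, e) from an OpenSSH ssh-rsa public key line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa' public key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob is not ssh-rsa")
    e_bytes, off = _read_ssh_string(blob, off)   # exponent precedes modulus in the blob
    n_bytes, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the RSA key blob")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value):
    body = _positive_int_bytes(value)
    return b"\x02" + _der_length(len(body)) + body


def pkcs1_rsa_public_key_der(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (PKCS#1)."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def openssh_to_public_key_code(line, group=8):
    """Hex string for the public key edit view, grouped for readability (assumed format)."""
    n, e = parse_openssh_rsa_line(line)
    hexstr = pkcs1_rsa_public_key_der(n, e).hex().upper()
    return " ".join(hexstr[i:i + group] for i in range(0, len(hexstr), group))


def _read_der_tlv(data, offset):
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                      # long form: low bits give the length of the length
        count = length & 0x7F
        length = int.from_bytes(data[offset:offset + count], "big")
        offset += count
    if offset + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[offset:offset + length], offset + length


def parse_public_key_code(hex_text):
    """Decode pasted hex back to (n, e) so it can be compared with the client's key."""
    data = bytes.fromhex("".join(hex_text.split()))
    tag, seq, end = _read_der_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_n, n_bytes, off = _read_der_tlv(seq, 0)
    tag_e, e_bytes, off = _read_der_tlv(seq, off)
    if tag_n != 0x02 or tag_e != 0x02 or off != len(seq):
        raise ValueError("SEQUENCE must hold exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


if __name__ == "__main__":
    line = openssh_rsa_line(DEMO_N, DEMO_E)
    code = openssh_to_public_key_code(line)
    print(line)
    print(code)
    print(parse_public_key_code(code) == (DEMO_N, DEMO_E))
```

Run the script on the public key line from the client (for example the contents of the .pub file) and paste the grouped hex into the public key edit view between public-key-code begin and public-key-code end; decoding the pasted text back with parse_public_key_code and comparing the modulus with the client key catches a mis-paste before the key is assigned to the user.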

Step 5 (Optional) Authorize SSH users using command lines.

Run:
ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.

After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.

Step 6 Run:
ssh user username service-type { stelnet | all }

The service type for the SSH user is configured.

By default, the service type of the SSH user is not configured.

----End

6.4.5 Enabling the STelnet Server Function


By default, the STelnet server function is disabled. Before a user terminal logs in to the device
using STelnet, you must log in to the device through the console interface to enable the STelnet
server function on the device.

Context
By default, no device is enabled with the STelnet server function. Users can establish connections
to the device using STelnet only after the device is enabled with the STelnet server function.

Perform the following steps on the device that serves as an SSH server:


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
stelnet server enable

The STelnet server function is enabled.


By default, the STelnet server function is disabled.

----End

6.4.6 Logging in to the Device Using STelnet


After you log in to the device through the console interface and complete the relevant configurations, users can log in to the device from remote terminals using the Secure Shell (SSH) protocol to maintain the device remotely.

Context
Third-party software can be used on a terminal for STelnet login. This section describes the use
of third-party software OpenSSH and the Windows CLI.
After installing OpenSSH on the user terminal, do as follows on the user terminal:

NOTE

For details on how to install OpenSSH, refer to the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the help document of the
software.

Procedure
Step 1 Open the Windows CLI.
Step 2 Run relevant OpenSSH commands to log in to the switch in STelnet mode.


Figure 6-6 Logging in to the device in STelnet mode

----End

6.4.7 (Optional) Configuring the STelnet Server Parameters


You can configure a device to be compatible with earlier versions of the SSH protocol, configure or change the listening port number of an SSH server, and set the interval at which the key pair of the SSH server is updated.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Perform one or both of the operations shown in Table 6-5 as needed.


Table 6-5 Server parameters

Server parameter: Configure the interval at which the key pair of the SSH server is updated
Command: Run the ssh server rekey-interval interval command. By default, the interval is 0, indicating that the key is never updated.
Description: You can set an interval at which the key pair of an SSH server is updated. When the timer expires, the key pair is automatically updated, improving security.

Server parameter: Configure the timeout period of SSH authentication
Command: Run the ssh server timeout seconds command. By default, the timeout period is 60 seconds.
Description: If a user fails to log in before the SSH authentication timeout period expires, the system disconnects the current connection to ensure system security.

Server parameter: Configure the number of times that SSH authentication is retried
Command: Run the ssh server authentication-retries times command. By default, SSH authentication is retried a maximum of 3 times.
Description: The number of SSH authentication retries is limited to deny access to unauthorized users.

Server parameter: Configure earlier SSH version compatibility
Command: Run the ssh server compatible-ssh1x enable command. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.
Description: There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X, so SSH2.0 eliminates the security risks of SSH1.X. SSH2.0 is more secure and is therefore recommended. SSH2.0 also supports more advanced services such as SFTP. The S6700 series supports SSH versions ranging from 1.3 to 2.0.

Server parameter: Configure the listening port number of the SSH server
Command: Run the ssh server port port-number command. By default, the listening port number is 22. If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections and uses the new port number to listen for connection requests.
Description: The default listening port number of an SSH server is 22. Users can log in to the device using the default listening port number. Attackers may access the default listening port, consuming bandwidth, degrading server performance, and preventing authorized users from accessing the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.

----End

6.4.8 Checking the Configurations


After configuring users to log in using STelnet, you can view the SSH server configuration.

Prerequisites
Configurations for STelnet login are complete.

Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configurations.
l Run the display ssh server session command on the SSH server to check sessions for SSH
users.
----End

Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<Quidway> display ssh user-information client001
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : RSA
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : Yes

If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.


Run the display ssh server status command to view configurations of an SSH server.
<Quidway> display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server : Enable

Run the display ssh server session command. The command output shows information about
a session between the SSH server and client.
<Quidway> display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password
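As an added check that is not part of this guide, the following Python audit parses the display ssh server status and display ssh server session outputs shown above and flags settings that Table 6-5 lets you change: a reported version of 1.99 means the server still accepts SSH1.X clients (compatible-ssh1x enabled), a key generating interval of 0 means the key pair is never updated, and retries or timeout above the defaults of 3 and 60 seconds. For each session it also flags CBC-mode ciphers and MD5-based MACs, which is general hardening guidance from the editor rather than a statement in this guide. The sample outputs are the ones printed in this section; the finding names, the remediation table and all function names are the example's own.

```python
import re

# Outputs copied from the "Checking the Configurations" example in this section.
SAMPLE_STATUS = """\
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server : Enable
"""

SAMPLE_SESSIONS = """\
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password
"""

# Finding -> command from Table 6-5 that changes the setting
# (interval / seconds / times are the command's placeholders, not values).
REMEDIATION = {
    "ssh1x-compatibility-enabled": "undo ssh server compatible-ssh1x enable",
    "rekey-interval-disabled": "ssh server rekey-interval interval",
    "auth-retries-above-default": "ssh server authentication-retries times",
    "auth-timeout-above-default": "ssh server timeout seconds",
}


def parse_fields(block):
    """Turn 'Name : value' lines into a dict with stripped keys and values."""
    fields = {}
    for line in block.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def _leading_int(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def audit_server_status(output):
    """Findings for 'display ssh server status', in a fixed order."""
    f = parse_fields(output)
    findings = []
    # An SSH2.0 server advertises 1.99 while it still accepts SSH1.X clients.
    if f.get("SSH version") == "1.99":
        findings.append("ssh1x-compatibility-enabled")
    if f.get("SSH server key generating interval", "").startswith("0 "):
        findings.append("rekey-interval-disabled")
    retries = _leading_int(f.get("SSH authentication retries"))
    if retries is not None and retries > 3:
        findings.append("auth-retries-above-default")
    timeout = _leading_int(f.get("SSH connection timeout"))
    if timeout is not None and timeout > 60:
        findings.append("auth-timeout-above-default")
    return findings


def split_sessions(output):
    """Map session number -> field dict for 'display ssh server session'."""
    sessions, current = {}, None
    for line in output.splitlines():
        m = re.match(r"Session (\d+):", line)
        if m:
            current = int(m.group(1))
            sessions[current] = []
        elif current is not None:
            sessions[current].append(line)
    return {sid: parse_fields("\n".join(lines)) for sid, lines in sessions.items()}


def audit_sessions(output):
    """Per-session findings: protocol version and legacy cipher/MAC choices."""
    report = {}
    for sid, f in split_sessions(output).items():
        findings = []
        if f.get("Version") != "2.0":
            findings.append("protocol-not-ssh2")
        for side in ("CTOS", "STOC"):   # client-to-server and server-to-client directions
            if f.get(side + " Cipher", "").endswith("-cbc"):
                findings.append(side.lower() + "-cbc-cipher")
            if "md5" in f.get(side + " Hmac", ""):
                findings.append(side.lower() + "-md5-mac")
        report[sid] = findings
    return report


def remediation_commands(findings):
    return [REMEDIATION[f] for f in findings if f in REMEDIATION]


if __name__ == "__main__":
    status_findings = audit_server_status(SAMPLE_STATUS)
    print(status_findings, remediation_commands(status_findings))
    print(audit_sessions(SAMPLE_SESSIONS))
```

On the sample output the status audit reports the SSH1.X compatibility and the disabled rekey interval, and the session audit reports aes128-cbc and hmac-md5 in both directions; the cipher and MAC a session ends up with are negotiated with the client, so the session report is also a hint about which client software is in use.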

6.5 Logging in to the Devices by Using Secure Web Network Management (HTTPS Mode)
An SSL policy is configured on and a digital certificate is loaded to an HTTP server. The digital
certificate is used by a client to verify the identity of the server.

6.5.1 Establishing the Configuration Task


Before configuring users to log in using secure web network management (HTTPS Mode),
familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain
the data required for the configuration. This will help you complete the configuration task quickly
and efficiently.

Applicable Environment
After a device that supports web network management is enabled with the HTTP function, the device can function as a web server. Users can log in to the device using HTTP and use web pages to access and control the device. HTTP provides no mechanism for users to authenticate the web server and does not protect the privacy of transmitted data. To address this problem, you can configure HTTPS on the device. HTTPS, which adds support for SSL, is an extension of the commonly used HTTP. SSL allows the client and server to authenticate each other and encrypts the data to be transmitted.

As shown in Figure 6-7, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using web pages.


Figure 6-7 Networking diagram for accessing another device by using HTTPS (PC connected through the network to the HTTP-Server; server interface VLANIF10, 192.168.0.1/24)

Pre-configuration Tasks
Before configuring users to log in using secure web network management (HTTPS Mode),
complete the following tasks:
l Upload a digital certificate to the device that will function as the HTTPS server and copy the certificate to the sub-directory named security of the system directory on the HTTPS server.
l Install a Web browser on a PC.

Data Preparation
To configure users to log in using secure web network management (HTTPS Mode), you need
the following data.

No. Data

1 SSL policy name and digital certificate

2 IP address, Web page file, and Web account of the HTTPS server

6.5.2 Configuring an SSL Policy and Loading a Digital Certificate


A digital certificate is used to authenticate the identities of both the user terminal and the HTTPS
server to ensure secure communication.

Context
Before using HTTPS to securely manage files, the HTTPS server needs to obtain a digital
certificate from a CA. The digital certificate is used to authenticate clients. This ensures that
only authorized clients can log in to the HTTPS server.
NOTE

A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
HTTPS server can be generated using a third-party tool such as OpenSSL. OpenSSL can be considered as
a CA. For the procedure for generating a digital certificate, see the OpenSSL usage guide.

The digital certificate includes information such as the name of the person or organization that applied for the certificate, the public key, the digital signature of the CA that issued the certificate, and the validity period of the certificate. A CA can issue a certificate chain along with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates on the chain.


Upload the server digital certificate and private key file to the security directory on the device
in FTP, SFTP, or SCP mode. If no security directory exists on the device, run the mkdir
security command to create one.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem. A PEM certificate contains only a public key but not a private key, and the public key is usually encrypted.
The PEM format is applicable to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der. An ASN1 certificate contains only a public key but not a private key, and the public key is not encrypted.
The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx. A PFX certificate can contain a private key, and the key is usually encrypted.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
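Before uploading the files that cert-filename and key-filename will name to the security directory, it is worth checking that each one contains what the certificate load command expects. The following Python script is an added example (not part of this guide) that parses PEM framing, decodes the base64 body to DER (the byte form behind the ASN1/.der format), re-wraps DER as PEM, and reports problems such as a private key pasted into the certificate file or a key file stored without encryption. The sample PEM files are constructed: their bodies are a five-byte DER SEQUENCE, not a real certificate or key, so only the framing is exercised. The issue names and function names are the example's own.

```python
import base64
import re

# Constructed samples (NOT a real certificate or key): the body decodes to the
# minimal DER SEQUENCE 30 03 02 01 05, which is enough to exercise the framing.
SAMPLE_CERT_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

SAMPLE_KEY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

MAMCAQU=
-----END RSA PRIVATE KEY-----
"""

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def parse_pem(text):
    """Return a list of {'label', 'headers', 'der'} dicts, one per PEM block."""
    blocks, label, headers, body = [], None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = _BEGIN.match(line)
        if m:
            label, headers, body = m.group(1), {}, []
            continue
        m = _END.match(line)
        if m:
            if label is None or m.group(1) != label:
                raise ValueError("mismatched BEGIN/END labels")
            der = base64.b64decode("".join(body), validate=True)
            blocks.append({"label": label, "headers": headers, "der": der})
            label = None
            continue
        if label is None or not line:
            continue
        if ":" in line:          # RFC 1421 encapsulated headers (Proc-Type, DEK-Info)
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
        else:
            body.append(line)
    if label is not None:
        raise ValueError("unterminated %s block" % label)
    return blocks


def der_to_pem(label, der):
    """Wrap DER bytes in PEM framing, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN %s-----" % label] + lines + ["-----END %s-----" % label]) + "\n"


def _is_private_key(block):
    return block["label"].endswith("PRIVATE KEY")


def _is_legacy_encrypted(block):
    # Proc-Type: 4,ENCRYPTED means the base64 body is ciphertext, not DER.
    return block["headers"].get("Proc-Type", "").endswith("ENCRYPTED")


def _is_encrypted(block):
    return block["label"].startswith("ENCRYPTED") or _is_legacy_encrypted(block)


def check_upload_pair(cert_text, key_text):
    """Sanity-check a certificate file and key file before uploading them."""
    issues = []
    cert_blocks = parse_pem(cert_text)
    key_blocks = parse_pem(key_text)
    if not any(b["label"] == "CERTIFICATE" for b in cert_blocks):
        issues.append("cert-file-has-no-certificate")
    if any(_is_private_key(b) for b in cert_blocks):
        issues.append("cert-file-contains-private-key")
    keys = [b for b in key_blocks if _is_private_key(b)]
    if len(keys) != 1:
        issues.append("key-file-needs-exactly-one-private-key")
    elif not _is_encrypted(keys[0]):
        issues.append("key-file-not-encrypted")
    for b in cert_blocks + key_blocks:
        if _is_legacy_encrypted(b):
            continue
        if not b["der"] or b["der"][0] != 0x30:   # every X.509/PKCS structure is a SEQUENCE
            issues.append(b["label"].lower().replace(" ", "-") + "-not-der-sequence")
    return issues


if __name__ == "__main__":
    print(check_upload_pair(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM))
    print(der_to_pem("CERTIFICATE", parse_pem(SAMPLE_CERT_PEM)[0]["der"]) == SAMPLE_CERT_PEM)
```

An empty issue list means the pair looks like a certificate and an encrypted key; a certificate chain (several CERTIFICATE blocks in one file, as loaded with pem-chain) also passes, while a key appended to the certificate file is reported before it is uploaded to the device.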

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssl policy policy-name

An SSL policy is configured.

Step 3 Load a digital certificate.

Run one of the following commands as required:


l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate is loaded.

l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

An ASN1 digital certificate is loaded.

l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code

A PFX digital certificate is loaded.

l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate chain is loaded.


NOTE

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.

----End

6.5.3 Loading a Web Page File


To manage and maintain a device on a graphical user interface (GUI), you can configure the
Web network management function. Before using the Web network management function, load
the related Web page file.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
http server load file-name

A Web page file is loaded.

----End

6.5.4 Enabling the HTTPS Function


After a device is configured with an SSL policy and enabled with the HTTPS function, the device
functions as an HTTPS server to provide SSL-based HTTP services.

Context
NOTE

Before enabling the HTTPS server function, disable the HTTP server function.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
http secure-server ssl-policy policy-name

An SSL policy is configured for a device.


Step 3 Run:
http secure-server enable

The HTTPS server function is enabled.


By default, the HTTPS server function is disabled.
Step 4 (Optional) Run:


http secure-server port port-number

The listening port number is configured for the HTTPS server.

The default listening port number of the HTTPS server is 443. When using the default listening port number to access and control the HTTPS server, you do not need to specify the port number in commands. Attackers may access the default listening port, consuming bandwidth, affecting server performance, and preventing authorized users from accessing the server. To improve security, run this command to change the listening port number of the HTTPS server. After that, attackers are deprived of information about the newly configured listening port number, and the HTTPS server is therefore well protected.

----End

6.5.5 Creating a Web Account


Setting the HTTP user name and password is recommended for secure login to a web server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password cipher password

The HTTP user name and password are set.

Step 4 Run:
local-user user-name service-type http

HTTP is configured as the service type.

Step 5 Run:
local-user user-name privilege level level

The HTTP user level is set.

NOTE

Setting the HTTP user level to 3 or higher is recommended so that the HTTP user can have management-
level rights. Users at levels 0, 1 and 2 have only visit-level rights.

----End

6.5.6 Logging In to the Web System


After logging in to the Web system, you can manage and maintain a device on a GUI.

Open the Web browser on the PC. Enter the IP address of the HTTPS server in the address bar.
Press Enter and the dialog box shown in Figure 6-8 is displayed.


Figure 6-8 Login GUI

Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.

6.5.7 Checking the Configurations


After login to the devices using secure web network management (HTTPS mode) has been configured, you can view the configured SSL policy and the loaded digital certificate on the HTTPS server, as well as the HTTPS server status.

Prerequisites
Login to the devices by using secure web network management (HTTPS Mode) has been
configured.

Procedure
l Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
l Run the display http server command to check the information about the current HTTP
server.
l Run the display http user [ username username ] command to check the information about
current online users.
----End

Example
Run the display ssl policy command. The command output shows detailed information about
the configured SSL policy and loaded digital certificate.


<Quidway> display ssl policy


SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

Run the display http server command to view information about the current HTTP server.
<Quidway> display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 3
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server

Run the display http user command to view information about current online users.
<Quidway> display http user
Total online users: 1
------------------------------------------------------
User name Client IP Address Login Date
------------------------------------------------------
admin 192.168.0.1 2012-03-23 15:30:55+00:00

6.6 Common Operations After Login


After logging in to the switch, you can perform user priority switching, terminal window locking,
and other operations as needed.

6.6.1 Establishing the Configuration Task


Before performing operations after login, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
Configure user level switching and enable messaging between user interfaces so that operators can manage switches safely.

Pre-configuration Tasks
Before performing operations after login, connect the terminal to the switch.

Data Preparations
Before performing operations after login, you need the following data:

No. Data

1 Password used for switching user levels

2 Type and number of the user interface

3 Contents of the message to be sent

6.6.2 Switching User Levels


A user who wants to upgrade from a lower to a higher level after logging in to the switch must
have a password already configured.

Context
A password is required to increase user level. This prevents unauthorized users from gaining
access to high-level commands.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
super password [ level user-level ] [ cipher password ]

The password for switching user levels is configured.

By default, the password is configured for user level 3.

Step 3 Run:
quit

Return to the user view.

Step 4 Run:
super [ level ]

User levels are switched.

By default, the level is 3.

Step 5 Follow the prompt and enter a password.

If the password entered is correct, the user can switch to a higher level. If an incorrect password
is entered three times in a row, the user is returned to the user view at the original level.

NOTE

When the super command is used to switch a user from a lower to a higher level, the system automatically
sends trap messages and records the switchover in a log. When a user is switched from a higher to a lower
level, the system only records the switchover in a log.

----End


6.6.3 Locking User Interfaces


If you must be away from your work area, you can lock the user interface on a terminal to prevent
unauthorized access.

Context
The user interface can be a console user interface or a VTY user interface.

Procedure
Step 1 Run:
lock

The user interface is locked.

Step 2 Follow the system prompts and input a password to unlock the user interface.
<Quidway> lock
Enter Password:
Confirm Password:

If the locking is successful, the system prompts that the user interface is locked.

You must enter the password previously set to unlock the user interface.

----End

6.6.4 Sending Messages to Other User Interfaces


Users logged in to different interfaces can send messages to each other.

Context
Users logged in to the switch can send messages from their user interface to users on other user
interfaces.

Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.

Step 2 Follow the prompt to view the message to be sent. You can press Ctrl_Z or Enter to end the
display, and press Ctrl_C to abort the display.

----End

6.6.5 Displaying Login Users


You can query information about login users.

Context
User name, address, and authentication and authorization information can be queried.


Procedure
l Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about users logged in to all user interfaces is displayed.
----End

6.6.6 Clearing Logged-in Users


If you want to force a logged-in user to log out of the switch, you can tear down the connection
between the switch and the user.

Context
You can run the display users command to view users logging in to the switch.

Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.


Step 2 Based on displayed information, you can confirm whether specified logged-in users have been
cleared.

----End

6.6.7 Configuring Configuration Locking


When multiple users log in to the switch to configure the device, configuration conflict may
occur. To prevent configuration conflict from affecting services, you can enable the function of
configuration locking. This allows only one user to configure the device at a time.

Context
Before configuring configuration locking, check whether the configuration set is locked by
another user. If no user locks the configuration set, you can exclusively lock the configuration.

Procedure
Step 1 Run:
configuration exclusive

The user obtains exclusive configuration access.


After enabling the configuration locking function, you hold the configuration right exclusively and explicitly.

NOTE

This command can be run in any view.


You can run the display configuration-occupied user command to check information about the user who
locks the configuration set at the moment.
If the configuration set is already locked, a prompt message is displayed after this command is run.


Step 2 Run:
system-view

The system view is displayed.


Step 3 Run:
configuration-occupied timeout timeout-value

The timeout period for automatically unlocking the configuration set is set.
After the timeout period expires, the configuration set is automatically unlocked, allowing other
users to configure the device.
By default, the timeout period is 30s.

NOTE

l When a user without exclusive configuration access runs this command, the system prompts an error
message.
l If the configuration set is locked by another user, this command cannot be configured, and the system
prompts an error message.
l If the configuration set is locked by the current user, the current user can run this command.

----End

6.7 Configuration Examples


This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.

6.7.1 Example for Configuring User Login Using a Console Port


This example describes how to configure user login using a console port. Login settings that
enable access to the switch using a console port are configured on a PC.

Networking Requirements
If default values for console user interface parameters are modified, corresponding parameters
on the PC must be reset before another login to the switch can be implemented.

Figure 6-9 Networking diagram of user login using a console port (PC connected to the Switch through the console port)

Configuration Roadmap
1. Connect a PC to the switch through a console port.
2. Set login parameters on the PC.


3. Log in to the switch.


NOTE

In this example, a terminal emulator is used.

Data Preparation
Communication parameters for the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit:
2, flow control mode: none)

Procedure
Step 1 Use a standard RS-232 cable to connect the serial port of the PC to the console port of the
switch.
Step 2 Run the terminal emulator on the PC. Create a connection and set the communication parameters for the PC as shown in Figure 6-10 to Figure 6-12: set the transmission rate to 4800 bit/s, data bits to 6, parity to even, stop bits to 2, and flow control mode to none.

Figure 6-10 Connection creation


Figure 6-11 Interface setting

Figure 6-12 Communication parameter settings

Step 3 Power on the switch. The system starts an automatic configuration and a self-check. After the self-check is complete, at the prompt "Password:", enter the correct authentication password and press Enter. If the prompt (such as <Quidway>) is displayed, the login to the system succeeds.

Then, you can enter a command to view the operating status of the switch or configure the
switch.

----End

6.7.2 Example for Configuring User Login Through Telnet


This example describes how to set parameters for using Telnet to log in to the switch. In this
configuration example, a user logs in to the switch after setting the VTY user interface and user
login parameters.

Networking Requirements
You can use a PC or another terminal to log in to a switch on a different network segment to perform remote maintenance.

Figure 6-13 Networking diagram for login using Telnet (PC connected through the network to the Switch; switch interface VLANIF 2, 10.137.217.221/16)

After a Telnet user logs in to the switch in AAA authentication mode, the Telnet user is prohibited
from logging in to another switch through the switch.

Configuration Roadmap
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the switch.
3. Set parameters of the VTY user interface, including limit on call-in and call-out.
4. Set user login parameters.
5. Log in to the switch.

Data Preparation
To complete the configuration, you need the following data:

l IP address of the PC
l IP address of the switch: 10.137.217.221/16
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging into another switch: 3001
l Timeout period for disconnecting from the VTY user interface: 20 minutes
l Number of lines that a terminal screen displays: 30


l Size of the history command buffer: 20


l Telnet user information (authentication mode: AAA, username: huawei, password: hello)

Procedure
Step 1 Respectively connect the PC and the switch to the network.

Step 2 Configure a login address.


<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 2
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 2
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 2
[Quidway-Vlanif2] ip address 10.137.217.221 255.255.0.0
[Quidway-Vlanif2] quit
[Quidway]

Step 3 Configure the VTY user interface on the switch.

# Set the maximum number of VTY user interfaces.


[Quidway] user-interface maximum-vty 10

# Configure an ACL that is used to prohibit users from logging into another switch.
[Quidway] acl 3001
[Quidway-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[Quidway-acl-adv-3001] quit
[Quidway] user-interface vty 0 9
[Quidway-ui-vty0-9] acl 3001 outbound

# Set terminal attributes of the VTY user interface.


[Quidway-ui-vty0-9] shell
[Quidway-ui-vty0-9] idle-timeout 20
[Quidway-ui-vty0-9] screen-length 30
[Quidway-ui-vty0-9] history-command max-size 20

# Set the user authentication mode of the VTY user interface.


[Quidway-ui-vty0-9] authentication-mode aaa
[Quidway-ui-vty0-9] quit

Step 4 Set user login parameters on the switch.

# Specify the user authentication mode.


[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher hello
[Quidway-aaa] local-user huawei service-type telnet
[Quidway-aaa] local-user huawei privilege level 3
[Quidway-aaa] quit

Step 5 # Configure user login.

Use the Windows command line to telnet to the switch. The Telnet login window is shown in the
following figure.


Figure 6-14 Telnet login window on the PC

Press Enter, and then enter the username and password in the login window. If user
authentication succeeds, the command line prompt of the user view (such as <Quidway>) is
displayed, indicating that you have logged in to the switch.

Figure 6-15 Window after login of the switch

----End

Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
vlan batch 2
#
interface Vlanif2
ip address 10.137.217.221 255.255.0.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
aaa


local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$


local-user huawei service-type telnet
local-user huawei privilege level 3
#
user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 9
acl 3001 outbound
authentication-mode aaa
history-command max-size 20
idle-timeout 20 0
screen-length 30
#
return

6.7.3 Example for Configuring User Login by Using STelnet


This example describes how to configure user login through STelnet. After generating the local
key pair, configuring the SSH username and password, and enabling the STelnet service on the
SSH server, you can connect the STelnet client to the SSH server.

Networking Requirements
As shown in Figure 6-16, after the STelnet service is enabled on the SSH server, an STelnet
client can use any authentication mode (password, RSA, password-rsa, or all) to log in to the
SSH server.

This example uses the password authentication mode.

Figure 6-16 Networking diagram of configuring user login through STelnet

VLANIF 2
10.164.39.210/24
Network

PC SSH Server

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a local key pair on the SSH server for secure data exchange between the STelnet
client and the SSH server.
2. Configure a VTY user interface on the SSH server.
3. Configure an SSH user on the SSH server, which involves setting the user authentication
mode, username, and password.
4. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:

l SSH user authentication mode: password, username: client001, password: huawei


l User level of client001: 3


l IP address of the SSH server: 10.164.39.210

Procedure
Step 1 Generate a local key pair on the server.

The modulus length can be 512 to 2048 bits. This example keeps the 768-bit value shown in the
output; for production use, choose 2048 bits, because 512-bit and 768-bit RSA moduli have been
factored publicly and no longer protect the session.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure a VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

Step 3 Configure the password of the SSH user client001 as huawei.


[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.


[SSH Server] ssh user client001 service-type stelnet
[SSH Server] stelnet server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] quit

Step 5 Verify the configuration.


# Log in to the device using PuTTY, specifying 10.164.39.210 as the host IP address and SSH
as the connection type.


Figure 6-17 Putty configuration

# In the PuTTY session, enter the username client001 and the password huawei.

Figure 6-18 Log in to the device through the software putty

----End

Configuration Files
l SSH server configuration file
#
sysname SSH Server


#
vlan batch 2
#
interface Vlanif2
ip address 10.164.39.210 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
aaa
local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001 authentication-type password
ssh user client001
ssh user client001 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

6.7.4 Example for Configuring User Login by Using Secure Web Network Management


SSL can be used to authenticate the identities of the client and server, encrypt data to be
transmitted, and check message integrity. In this manner, secure web network management can
be ensured, providing secure web access.

Networking Requirements
After the HTTP function is enabled on a device that supports web network management, the
device functions as a web server. Users can log in to the device using HTTP and use web pages
to access and control the device. HTTP provides no mechanism for users to authenticate the web
server and does not protect the confidentiality of transmitted data. To address this problem,
configure HTTPS on the device. HTTPS is an extension of the commonly used HTTP that adds
SSL. SSL allows the client and server to authenticate each other and encrypts the transmitted
data.

As shown in Figure 6-19, an SSL policy is configured on the device that functions as the HTTP
server. After a digital certificate is loaded and the HTTPS server function is enabled on the
server, users can log in to the server and manage it remotely through web pages.

Figure 6-19 Networking diagram for accessing another device by using HTTPS

VLANIF10
192.168.0.1/24
Network

PC HTTP-Server


Configuration Roadmap
The configuration roadmap is as follows:
1. Upload a digital certificate and a web page file.
Upload the digital certificate and web page file saved on the PC to the device that functions
as an HTTP server.
2. Load the digital certificate.
Copy the digital certificate from the system directory of the HTTP server to the security
sub-directory, configure an SSL policy, and load the digital certificate.
3. Load the web page file.
4. Create a web account.
5. Log in to the web system.

Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the HTTP server
l HTTP user name and password
l SSL digital certificate
l Web account
l Web page file

Procedure
Step 1 Upload the digital certificate and web page file.
# Configure an IP address for the device that functions as an HTTP server so that the PC and
HTTP server are reachable.
<Quidway> system-view
[Quidway] sysname HTTP-Server
[HTTP-Server] interface xgigabitethernet0/0/1
[HTTP-Server-XGigabitEthernet0/0/1] port link-type access
[HTTP-Server-XGigabitEthernet0/0/1] quit
[HTTP-Server] vlan 10
[HTTP-Server-vlan10] port xgigabitethernet0/0/1
[HTTP-Server-vlan10] quit
[HTTP-Server] interface vlanif 10
[HTTP-Server-Vlanif10] ip address 192.168.0.1 24
[HTTP-Server-Vlanif10] quit

# Enable the FTP server function.


[HTTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for
FTP users.
[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password cipher huawei
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei privilege level 15
[HTTP-Server-aaa] local-user huawei ftp-directory flash:
[HTTP-Server-aaa] quit
[HTTP-Server] quit

# Upload the digital certificate and web page file from the PC to the HTTP server, as shown in
Figure 6-20.


Figure 6-20 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the HTTP server. The
command output shows that the digital certificate and web page file have been successfully
uploaded to the server.
<HTTP-Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time(LMT) FileName


0 -rw- 524,558 Apr 14 2011 16:24:39 private-data.txt
1 -rw- 1,302 Apr 14 2011 19:22:30 1_servercert_pem_rsa.pem
2 -rw- 951 Apr 14 2011 19:22:35 1_serverkey_pem_rsa.pem
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 web.zip
6 drw- - Apr 10 2011 01:35:54 logfile
7 -rw- 4 Apr 14 2011 04:56:35 snmpnotilog.txt
8 drw- - Apr 11 2011 16:18:53 security
9 drw- - Apr 13 2011 11:37:40 lam

304,292 KB total (300,782 KB free)

Step 2 Configure an SSL policy and load the digital certificate.


# Create a sub-directory named security and copy the digital certificate to this sub-directory.
<HTTP-Server> mkdir security/
<HTTP-Server> copy 1_servercert_pem_rsa.pem security/
<HTTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding operations are complete, run the dir command in the security sub-directory
on the HTTP server. The command output shows that the digital certificate and the key file have
been copied to the sub-directory.
<HTTP-Server> cd security/


<HTTP-Server> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time(LMT) FileName


1 -rw- 1,302 Apr 13 2011 14:29:31 1_servercert_pem_rsa.pem
2 -rw- 951 Apr 13 2011 14:29:49 1_serverkey_pem_rsa.pem

304,292 KB total (303,404 KB free)

# Create an SSL policy and load the PEM digital certificate.


<HTTP-Server> system-view
[HTTP-Server] ssl policy http_server
[HTTP-Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
[HTTP-Server-ssl-policy-http_server] quit

After the preceding configurations are complete, run the display ssl policy command on the
HTTP server. The command output shows detailed information about the loaded certificate.
[HTTP-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

Step 3 Load the web page file.


[HTTP-Server] http server load web.zip

Step 4 Create a web account.


# Enable the HTTPS server function.

NOTE

Before enabling the HTTPS server function, disable the HTTP server function.
[HTTP-Server] undo http server enable
[HTTP-Server] http secure-server ssl-policy http_server
[HTTP-Server] http secure-server enable

# Configure authentication information and authorization mode for HTTP users.


[HTTP-Server] aaa
[HTTP-Server-aaa] local-user http password cipher http
[HTTP-Server-aaa] local-user http service-type http
[HTTP-Server-aaa] local-user http privilege level 15
[HTTP-Server-aaa] quit

Step 5 Log in to the web system.


Open the Web browser on the PC. Enter the IP address of the HTTP server in the address bar.
Press Enter and the dialog box shown in Figure 6-21 is displayed.


Figure 6-21 Login GUI

Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.
Step 6 Verify the configuration.
# Run the display http server command on the HTTPS server. The command output shows the
SSL policy name and the HTTPS server status.
[HTTP-Server] display http server
HTTP Server Status : disabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server

----End

Configuration Files
Configuration file of the HTTPS server
#
sysname HTTP-Server
#
ftp server enable
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
vlan batch 10
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456


#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user http password cipher %$%$D/[nJdkW1WDY6^Ek83G;-\SJ%$%$
local-user http service-type http
local-user http privilege level 15
local-user huawei password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user huawei service-type ftp
local-user huawei privilege level 15
local-user huawei ftp-directory flash:

#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type access
port default vlan 10
#
return
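The three configuration files printed in 6.7.2 (Telnet), 6.7.3 (STelnet) and 6.7.4 (secure web) differ mainly in how much of the management plane they leave in cleartext. The following Python script is an added example, not Huawei code: it parses configuration files in the format printed above and flags the settings a security reviewer would question, namely Telnet still accepted on VTY lines, VTY lines without an inbound ACL or an explicit idle timeout, the FTP server or plain HTTP server enabled, users allowed on cleartext services, plaintext passwords, and privilege level 15. The view parser, the severity scale and the rule set are this example's own choices; the sample inputs are the configuration files from these three sections, trimmed to the relevant lines.

```python
"""Audit remote-login settings in a Huawei VRP configuration file.  Added example,
not Huawei code: it reads the 'Configuration Files' format printed in 6.7.2 to
6.7.4 and reports settings a reviewer would question (rules and severities are its own)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity context message")
# Lines that open a view.  "acl 3001 outbound" (inside a VTY view) and
# "user-interface maximum-vty 10" are commands, not views, so they do not match.
_VIEW_RE = re.compile(r"^(aaa|interface \S+|user-interface (con|vty) .*|"
                      r"ssl policy \S+|acl (number|name) \S+)$")
_PASSWORD_RE = re.compile(r"^local-user (\S+) password (\S+) \S+$")
_SERVICE_RE = re.compile(r"^local-user (\S+) service-type (.+)$")
_LEVEL_RE = re.compile(r"^local-user (\S+) privilege level (\d+)$")
CLEARTEXT_SERVICES = {"telnet", "ftp"}

def iter_views(config):
    """Yield (view, body_lines) pairs; 'global' holds lines outside any view."""
    view, lines = "global", []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("#", "return") or _VIEW_RE.match(line):
            yield view, lines
            view, lines = ("global" if line in ("#", "return") else line), []
        else:
            lines.append(line)
    yield view, lines

def _audit_global(lines):
    lows, out = {l.lower() for l in lines}, []
    if "ftp server enable" in lows:
        out.append(Finding("HIGH", "global", "FTP server enabled: cleartext logins and transfers; prefer SFTP"))
    if "http server enable" in lows:
        out.append(Finding("MEDIUM", "global", "plain HTTP management enabled; use http secure-server with an SSL policy"))
    return out

def _audit_vty(view, lines):
    out = []
    auth = [l.split()[-1] for l in lines if l.startswith("authentication-mode ")]
    if not auth or auth[0] == "none":
        out.append(Finding("HIGH", view, "no user authentication on these VTY lines"))
    if "protocol inbound ssh" not in lines:
        out.append(Finding("MEDIUM", view, "Telnet accepted (cleartext); restrict with 'protocol inbound ssh'"))
    if not any(re.match(r"^acl \S+ inbound$", l) for l in lines):
        out.append(Finding("MEDIUM", view, "no inbound ACL: any host reaching the switch may try to log in"))
    idle = [l.split()[1:] for l in lines if l.startswith("idle-timeout ")]
    if not idle:
        out.append(Finding("LOW", view, "idle-timeout not set explicitly; the default applies"))
    elif set(idle[0]) == {"0"}:
        out.append(Finding("MEDIUM", view, "idle-timeout 0 0 disables the idle timer"))
    return out

def _audit_aaa(lines):
    out, services = [], {}
    for line in lines:
        if (m := _PASSWORD_RE.match(line)) and m.group(2) == "simple":
            out.append(Finding("HIGH", "aaa", f"user {m.group(1)}: password stored in plaintext"))
        elif m := _SERVICE_RE.match(line):
            services[m.group(1)] = set(m.group(2).split())
        elif (m := _LEVEL_RE.match(line)) and int(m.group(2)) == 15:
            out.append(Finding("LOW", "aaa", f"user {m.group(1)}: privilege level 15 (maximum); 7.3.2 needs only 3 for FTP"))
    for user, svc in services.items():
        if svc & CLEARTEXT_SERVICES:
            out.append(Finding("MEDIUM", "aaa", f"user {user}: allowed on cleartext service(s) {sorted(svc & CLEARTEXT_SERVICES)}"))
    return out

def audit(config):
    """Return the findings for one configuration file, in file order."""
    findings = []
    for view, lines in iter_views(config):
        if view == "global":
            findings += _audit_global(lines)
        elif view.startswith("user-interface vty"):
            findings += _audit_vty(view, lines)
        elif view == "aaa":
            findings += _audit_aaa(lines)
    return findings

# Constructed inputs: the security-relevant lines of the configuration files in 6.7.2 to 6.7.4.
TELNET_CONFIG = "\n".join([
    "#", "aaa", "local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$",
    "local-user huawei service-type telnet", "local-user huawei privilege level 3", "#",
    "user-interface maximum-vty 10", "user-interface vty 0 9", "acl 3001 outbound",
    "authentication-mode aaa", "idle-timeout 20 0", "#", "return"])
STELNET_CONFIG = "\n".join([
    "#", "aaa", r'''local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$''',
    "local-user client001 privilege level 3", "local-user client001 service-type ssh", "#",
    "stelnet server enable", "ssh user client001 authentication-type password", "#",
    "user-interface vty 0 4", "authentication-mode aaa", "protocol inbound ssh", "#", "return"])
HTTPS_CONFIG = "\n".join([
    "#", "ftp server enable", "#", "undo http server enable", "http secure-server enable", "#",
    "aaa", r"local-user http password cipher %$%$D/[nJdkW1WDY6^Ek83G;-\SJ%$%$",
    "local-user http service-type http", "local-user http privilege level 15",
    r'local-user huawei password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$',
    "local-user huawei service-type ftp", "local-user huawei privilege level 15",
    "local-user huawei ftp-directory flash:", "#", "return"])

if __name__ == "__main__":
    for name, cfg in [("6.7.2 Telnet", TELNET_CONFIG), ("6.7.3 STelnet", STELNET_CONFIG), ("6.7.4 HTTPS", HTTPS_CONFIG)]:
        print(name, *[f"  {f.severity:<6} {f.context}: {f.message}" for f in audit(cfg)], sep="\n")
```

Running the script prints the findings for each file: the Telnet example yields three medium findings (Telnet accepted, no inbound ACL, a user allowed on Telnet), the STelnet example has no cleartext path but still lacks an inbound ACL and an explicit idle timeout, and the secure web example still exposes cleartext FTP and grants level 15 to both local users. The same parser can be pointed at the output of display current-configuration on a live switch.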


7 Managing the File System

About This Chapter

The file system manages the files and directories on the storage devices of the switch. It can
move or delete a file or directory, or display the contents of a file.

7.1 File System Overview


The switch uses the file system to manage all files.
7.2 Managing Files Using the File System
You can use the file system to manage storage devices, directories, and files.
7.3 Managing Files Using FTP
FTP can transmit files between local and remote hosts. It is widely used for version upgrade,
log downloading, file transmission, and configuration saving.
7.4 Managing Files Using SFTP
SFTP allows you to log in to the switch securely from a remote device to manage files. This
makes transmission of data to the remote end more secure.
7.5 Performing File Operations by Means of FTPS
FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to
authenticate the identities of the client and server and encrypt data to be transmitted, FTPS
implements security management of devices.
7.6 Configuration Examples
The examples in this section show how to use FTP, SFTP or FTPS to access the system and
manage files. These configuration examples explain networking requirements and provide
configuration roadmaps and configuration notes.


7.1 File System Overview


The switch uses the file system to manage all files.

7.1.1 File System


The file system manages files and directories on the storage devices. It can create, delete, modify,
or rename a file or directory, or display the contents of a file.

The file system has two functions: managing storage devices and managing the files that are
stored on those devices.

Managing Files Using the File System


After logging in to the switch by using the console port, Telnet, or STelnet, you can manage
storage devices, directories, and files.

l Storage devices
Storage devices are hardware devices for storing data.
Different products support different storage devices. Currently, the S6700 supports the flash
memory.
l Files
A file is a resource for storing and managing data.
l Directories
A directory is a logical container that the system uses to organize files.

7.1.2 Methods of File Management


You can use the FTP, SFTP or FTPS to manage files.

Managing Files Using FTP


FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
l Control connection: issues commands from the client to the server and transmits replies
from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the throughput.

FTP has two file transfer modes:


l Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
l ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.

The device provides the following FTP functions:


l FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
the device, and run the ftp command to establish a connection between the device and a
remote FTP server to access and operate files on the server.
l FTP server: Users can use the FTP client program to log in to the device and operate files
on the device.
Before users log in, the network administrator must configure an IP address for the FTP
server.

Managing Files Using SFTP


SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device
functioning as a client to log in to a remote server and transfer files securely.
If the SFTP server fails, or the connection between the server and the client fails, the client
must detect the fault promptly and release the connection on its own. To support this, configure
the interval after which the client sends a keepalive packet when it has received nothing, and
the maximum number of consecutive keepalive packets the server may leave unanswered:
l If the client receives no packet within the specified interval, it sends a keepalive packet
to the server.
l If the number of consecutive unanswered keepalive packets exceeds the specified maximum,
the client releases the connection.
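The keepalive rule just described, modelled as an added example (not Huawei code, and not the commands used to configure it on the switch): a client-side state machine with an interval and a maximum number of unanswered probes, driven by a one-second simulated clock. The class and function names are this example's own.

```python
"""Client-side keepalive logic for an SFTP/SSH session as described in 7.1.2.
Added example, not Huawei code: a discrete-time model of an interval and a
maximum unanswered-probe count, showing how quickly a dead peer is detected."""


class KeepaliveClient:
    """Sends a keepalive after `interval` seconds without any received packet and
    drops the connection when the next probe would exceed `max_unanswered`."""

    def __init__(self, interval, max_unanswered):
        self.interval, self.max_unanswered = interval, max_unanswered
        self.next_probe = interval     # time at which the next probe is due
        self.unanswered = 0            # consecutive probes without a reply
        self.events = []               # (time, what) trace for inspection

    def on_receive(self, now):
        """Any packet from the server counts as life: reset the probe schedule."""
        self.unanswered = 0
        self.next_probe = now + self.interval
        self.events.append((now, "rx"))

    def tick(self, now):
        """Advance the clock to `now`; return False once the link is dropped."""
        if now < self.next_probe:
            return True
        if self.unanswered >= self.max_unanswered:
            self.events.append((now, "drop"))
            return False
        self.unanswered += 1
        self.events.append((now, f"keepalive {self.unanswered}/{self.max_unanswered}"))
        self.next_probe = now + self.interval
        return True


def time_to_drop(interval, max_unanswered, rx_times, horizon=10_000):
    """Simulate one second per tick; return the time at which the client drops
    the link, or None if the server (packets at rx_times) keeps it alive."""
    client, rx = KeepaliveClient(interval, max_unanswered), set(rx_times)
    for now in range(1, horizon):
        if now in rx:
            client.on_receive(now)
        if not client.tick(now):
            return now
    return None


if __name__ == "__main__":
    # Constructed scenarios: 10-second interval, three probes may go unanswered.
    print("silent server dropped at", time_to_drop(10, 3, []))
    print("server's last packet at 25, dropped at", time_to_drop(10, 3, [25]))
    print("server answering every 5 s dropped at", time_to_drop(10, 3, range(5, 10_000, 5)))
```

With an interval of 10 seconds and 3 allowed unanswered probes, a server that falls silent at time 0 is declared dead at 40 seconds, that is, interval multiplied by (maximum + 1) after its last packet; a server that answers at least every 10 seconds never triggers a probe. That product is the figure to check when choosing the two values: a short interval with a high maximum detects failure no faster than a long interval with a low one.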

Managing Files Using FTPS


FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to
authenticate the identities of the client and server and encrypt data to be transmitted, FTPS
implements security management of devices.
Traditional FTP has no security mechanism: it transmits data, including usernames and
passwords, in plaintext. If the FTP server is configured with login usernames and passwords, the
server can authenticate clients, but the clients cannot authenticate the server. Transmitted data
can easily be tampered with, which creates security risks. An SSL policy can be configured on
the FTP server to improve security. SSL provides data encryption, identity authentication, and
message integrity verification, improving data transmission security. In addition, SSL provides
secure connections for the FTP server, greatly improving its security.
By default, a user cannot log in to the device using FTPS. To log into the device using FTPS,
perform the following steps:
l Logging in to the device through the console port and loading a digital certificate to the
sub-directory named security of the system directory on the FTPS server
l Installing the FTP client software that supports SSL on the PC

7.2 Managing Files Using the File System


You can use the file system to manage storage devices, directories, and files.


7.2.1 Establishing the Configuration Task


Before using the file system to manage files, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration tasks quickly and correctly.

Applicable Environment
Use the file system to manage files or directories on the switch. If the switch is unable to save
or obtain data, log in to the file system to repair the faulty storage devices.

Pre-configuration Tasks
Before logging in to the file system to manage files, connect the client with the server correctly.

Data Preparation
To manage files by logging in to the file system, you need the following data:

No. Data

1 Storage device name

2 Directory name

3 File name

7.2.2 Managing Storage Devices


When a storage device file system on the switch does not function properly, you must repair and
format the file system before managing the storage device.

Context
When the file system on a storage device fails, the terminal of the switch prompts you to rectify
the fault.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device. After formatting a storage device, the files and directories on
it are cleared and cannot be restored.

CAUTION
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.

Procedure
l Run:
fixdisk device-name


A storage device with file system problems is repaired.

NOTE

If, after running this command, the prompt still says the system should be repaired, there may be
damage to the physical storage medium.
l Run:
format device-name

The storage device is formatted.

NOTE

If the storage device does not work after you run this command, there may be a hardware fault.

----End

7.2.3 Managing Directories


You can manage directories to store files in logical hierarchy.

Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.

Procedure
l Run:
cd directory

A directory is specified.
l Run:
pwd

The current directory is displayed.


l Run:
dir [ /all ] [ filename | flash: ]

A list of files and sub-directories in the directory is displayed.

Either the absolute path or relative path is applicable.


l Run:
mkdir directory

The directory is created.


l Run:
rmdir directory

The directory is deleted.

----End

7.2.4 Managing Files


You can log in to the file system to view, delete, or rename files on the switch.


Context
l Managing files includes: displaying contents, copying, moving, renaming, compressing,
deleting, undeleting, deleting files in the recycle bin, running files in batch and configuring
prompt modes.
l You can run the cd directory command to enter the directory you want from the current
directory.

Procedure
l Run:
more file-name [ offset ] [ all ]

The content of a file is displayed.

Specify parameters in the more command for file viewing options:


– Run the more file-name command to view the file named file-name. The contents of a
text file are displayed screen by screen. Press the spacebar on the current terminal to
display the next screen until the whole file has been displayed.
Two preconditions must be met to display the contents of a text file screen by screen:
– The value configured by the screen-length screen-length temporary command must
be larger than 0.
– The total number of lines in the file must be greater than the value configured by the
screen-length command.
– Run the more file-name offset command to view the file named file-name. The contents
of a text file are displayed screen by screen, beginning with the line specified by offset.
Press the spacebar on the current terminal to display the next screen until the whole file
has been displayed.
Two preconditions must be met to display the contents of a text file screen by screen:
– The value configured by the screen-length screen-length command must be greater than
0.
– The number of lines in the file minus the value of offset must be greater than the value
configured by the screen-length command.
– Run the more file-name all command to view the file named file-name. The contents of
a text file are displayed completely without pausing after each screen.
l Run:
copy source-filename destination-filename

The file is copied.


l Run:
move source-filename destination-filename

The file is moved.


l Run:
rename source-filename destination-filename

The file is renamed.


l Run:
zip source-filename destination-filename

The file is compressed.


l Run:
delete [ /unreserved ] [ /quiet ] { filename | device-name }

The file is deleted.

CAUTION
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.

l Run:
undelete filename

The deleted file is recovered.


l Run:
reset recycle-bin [ filename ]

The specified file, or every file if filename is omitted, is permanently removed from the recycle
bin.

Files deleted without the /unreserved parameter are kept in the recycle bin and can still be
restored with undelete until this command is run.
l Running Files in Batches

You can process uploaded files in batches. The edited batch files need to be saved to a
storage device on the switch.

You can create and run a batch file to implement routine tasks.

1. Run:
system-view

The system view is displayed.


2. Run:
execute filename

The batched file is executed.


l Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device (especially
if these operations lead to data loss). If you need to change the prompt mode for file
operations, you can configure the file system prompt mode.

1. Run:
system-view

The system view is displayed.


2. Run:
file prompt { alert | quiet }

The file system prompt mode is configured.

The default prompt mode is alert.


CAUTION
If the prompt mode is set to quiet, no prompt appears when data is lost due to
inappropriate operating procedures.

----End

7.3 Managing Files Using FTP


FTP can transmit files between local and remote hosts. It is widely used for version upgrade,
log downloading, file transmission, and configuration saving.

7.3.1 Establishing the Configuration Task


Before using FTP to manage files, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
When an FTP client logs in to a switch serving as an FTP server, the user can transfer files
between the client and the server.

Pre-configuration Tasks
Before using FTP to manage files, connect the FTP client to the server.

Data Preparation
To use FTP to manage files, you need the following data:

No. Data

1 FTP username and password, and authorized FTP file directory name

2 (Optional) Listening port number specified on the FTP server

3 (Optional) Source IP address or source interface of the FTP server

4 (Optional) Timeout period for disconnection from the FTP server

5 IP address or host name of the FTP server

7.3.2 Configuring a Local FTP User


You can configure a user authorization mode and an authorized directory for FTP users to access.
Unauthorized users cannot access the specified directory, reducing security risks.


Context
To use FTP to manage files, you must configure a local username and a password on the
switch and specify a service type and the directories that can be accessed.

Perform the following operations on the switch that functions as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set default ftp-directory directory

The default FTP working directory is configured.

NOTE

The configuration in this step takes effect only with TACACS users.

Step 3 Run:
aaa

The AAA view is displayed.

Step 4 Run:
local-user user-name password cipher password

The local user name and password are configured.

Step 5 Run:
local-user user-name service-type ftp

The FTP service type is configured.

Step 6 Run:
local-user user-name privilege level level

The local user level is set.

NOTE

The local user level must be set to 3 or higher.

Step 7 Run:
local-user user-name ftp-directory directory

The authorized directory for the FTP user is configured.

----End

7.3.3 (Optional) Specifying a Port Number for the FTP Server


You can configure or change the listening port number for an FTP server. After the port number
is changed, only authorized users know the current port number, which protects system security.


Context
The default listening port number for an FTP server is 21. Users can log in to the switch directly
by using the default listening port number. Attackers can also access the default listening port
to launch attacks that reduce available bandwidth and affect server performance, preventing
valid users from accessing the server. Changing the FTP server listening port number effectively
prevents attackers from accessing the server through the listening port.

NOTE

If FTP is not enabled, change the FTP port as required.


If FTP is enabled, run the undo ftp server command to disable FTP, and then change the FTP port.

Perform the following steps on the switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server port port-number

The port number of the FTP server is configured.

Once a new listening port number is configured, the FTP server interrupts all existing FTP
connections and begins to use the new listening port.

----End

7.3.4 Enabling the FTP Server


You must enable an FTP server on the switch before using FTP to manage files.

Context
The FTP server is disabled by default on the switch. It must be enabled before FTP can be used.

Perform the following steps on the switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server enable

The FTP server is enabled.


NOTE

When file operations between clients and the switch are complete, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This protects switch security.

----End

7.3.5 (Optional) Configuring the FTP Server Parameters


FTP server parameters include the FTP server source address and the timeout period for FTP
connections.

Context
l You can configure a source IP address for the FTP server. The FTP client can only access
this address and this protects system security.
l You can configure the timeout period for FTP connections on the FTP server. When the
timeout period for an FTP connection expires, the system terminates the connection to
release resources.
Perform the following steps on the switch that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp server-source { -a ip-address | -i interface-type interface-number }

The source IP address or source interface of the FTP server is configured.

After the source address is configured, you must specify this address in the ftp command on the
client; otherwise, you cannot log in to the FTP server.
Step 3 Run:
ftp [ ipv6 ] timeout minutes

The timeout period for the FTP server is configured.


If the client is idle for the configured time, the connection to the FTP server is terminated.
By default, the timeout value is 30 minutes.

----End

7.3.6 (Optional) Configuring an FTP ACL


After an FTP ACL is configured, only specified clients can access the switch.

Context
When the switch functions as an FTP server, you can configure an ACL to allow only the clients
that meet matching rules to access the FTP server.
Perform the following steps on the switch that serves as the FTP server:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address source-wildcard | any } | time-range time-name ] *

The ACL rule is configured.

NOTE

FTP supports only the basic ACL.

Step 4 Run:
quit

The system view is displayed.

Step 5 Run:
ftp [ ipv6 ] acl acl-number

The basic FTP ACL is configured.

----End
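The steps in 7.3.2 through 7.3.6, collected into one configuration sequence as an added example (not from the guide). The username ftpadmin, the password, the directory flash:/ftp, the source address 10.1.1.254, port 2121, ACL 2001, the client subnet 10.1.1.0/24 and the prompts are assumed sample values.

```text
# Added example (not from the guide): FTP server with a restricted local user,
# a bound source address, a basic ACL, a non-default port and a short idle timeout.
# All names, addresses, numbers and prompts below are assumed sample values.
<Quidway> system-view
[Quidway] set default ftp-directory flash:/ftp
# Local FTP user confined to flash:/ftp (level 3 is the minimum, see 7.3.2).
[Quidway] aaa
[Quidway-aaa] local-user ftpadmin password cipher Ftp-Sample-Pw1
[Quidway-aaa] local-user ftpadmin service-type ftp
[Quidway-aaa] local-user ftpadmin privilege level 3
[Quidway-aaa] local-user ftpadmin ftp-directory flash:/ftp
[Quidway-aaa] quit
# Basic ACL: only the management subnet may reach the FTP server (FTP supports basic ACLs only).
[Quidway] acl 2001
[Quidway-acl-basic-2001] rule 5 permit source 10.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] rule 10 deny source any
[Quidway-acl-basic-2001] quit
[Quidway] ftp acl 2001
# Clients must connect to this address; the ftp command on the client uses 10.1.1.254.
[Quidway] ftp server-source -a 10.1.1.254
# Change the port while the server is still disabled (see the note in 7.3.3), then shorten the idle timeout.
[Quidway] ftp server port 2121
[Quidway] ftp timeout 10
[Quidway] ftp server enable
[Quidway] quit
# Check the result: port, ACL number and timeout should match the values above.
<Quidway> display ftp-server
# Once file operations are finished, disable the server again (see the note in 7.3.4).
<Quidway> system-view
[Quidway] undo ftp server
```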

7.3.7 Accessing the System by Using FTP


After the FTP server is configured, you can use FTP to access the switch from a PC and manage
the files on the switch.

Context
You can use either the Windows command line prompt or third-party software to log in to the
switch. This example uses the Windows command line prompt.

Perform the following steps on the PC:

Procedure
Step 1 Open the Windows CLI.

Step 2 Run the ftp ip-address command to log in to the switch using FTP.

Enter a username and password at the prompt, and press Enter. When the FTP client prompt, such
as ftp>, is displayed, you have entered the working directory of the FTP server.


Figure 7-1 Using FTP to log in to the device

----End

7.3.8 Managing Files Using FTP Commands


After logging in to the switch that functions as an FTP server using FTP, you can upload and
download files to and from the switch, or manage the directories on the switch.

Context
After logging in to the FTP server, you can perform the following operations:
l Configuring data type for the file
l Uploading or downloading files
l Creating directories or deleting directories on the FTP server
l Displaying information about a specific remote directory or a file of the FTP server, or
deleting a specific file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform the
following operations:

Procedure
l Configuring the data type and transmission mode for a file
– Run:
ascii or binary

The data type of the file to be transmitted is ascii or binary.


NOTE

FTP supports ASCII and binary transmission modes. The difference between the two is:
l In ASCII transmission mode, ASCII characters are used to separate carriage returns from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
An FTP transmission mode can be set for each client. The system uses ASCII transmission mode
by default, but a mode switch command can switch a client between ASCII and binary modes.
The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
l Uploading or downloading files
– Upload or download a file.
– Run:
put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.


– Run:
get remote-filename [ local-filename ]

The FTP file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
– Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
– Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE

l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.
l Running one or more of the following commands to manage directories
– Run:
cd pathname

The working path of the remote FTP server is specified.


– Run:
pwd

The specified directory of the FTP server is displayed.


– Run:
lcd [ local-directory ]

The directory of the FTP client is displayed or changed.


– Run:
mkdir remote-directory

A directory is created on the FTP server.


– Run:
rmdir remote-directory

A directory is removed from the FTP server.


l Running one or more of the following commands to manage files


– Run:
ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
– Run:
dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
– Run:
delete remote-filename

The specified file on the FTP server is deleted.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.

When local-filename is set, related information about the file can be downloaded locally.

NOTE

If you need more information about FTP operations, run the help [ command ] command in the
Windows CLI.

----End

7.3.9 Checking the Configurations


After the configuration is complete, you can view the configuration and status of the FTP server
as well as login information about FTP users.

Prerequisites
Managing files using FTP has been configured.

Procedure
l Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP server.
l Run the display ftp-users command to check the users currently logged in to the FTP
server.

----End

Example
Run the display [ ipv6 ] ftp-server command to view the status of the FTP server.
<Quidway> display ftp-server
FTP server is running
Max user number 5
User count 1
Timeout value(in minute) 30
Listening Port 1080
Acl number 0
FTP SSL policy
FTP Secure-server is stopped


Run the display ftp-users command to view the username, port number, authorization directory
of the FTP user configured.
<Quidway> display ftp-users
username host port idle topdir
zll 100.2.150.226 1383 3 flash:

7.4 Managing Files Using SFTP


SFTP allows you to log in to the switch securely from a remote device to manage files. This
makes transmission of data to the remote end more secure.

7.4.1 Establishing the Configuration Task


Before using SFTP to manage files, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
SSH authenticates clients and encrypts data in both directions to guarantee secure data
transmission on conventional networks. SSH supports SFTP.

SFTP is a secure FTP service that enables users to log in to the FTP server for data transmission.

Pre-configuration Tasks
Before using SFTP to manage files, configure reachable routes between the terminal and the
device.

Data Preparation
Before using SFTP to manage files, you need the following data.

No. Data

1 Maximum number of VTY user interfaces, (optional) ACL for restricting incoming and outgoing calls on VTY user interfaces, connection timeout period of terminal users, number of rows displayed in a terminal screen, size of the history command buffer, user authentication mode, username, and password

2 Username, password, authentication mode, and service type of an SSH user, remote public RSA or DSA key pair allocated to the SSH user, and SFTP working directory of the SSH user

3 (Optional) Number of the port monitored by the SSH server; (optional) interval for updating the key pair on the SSH server

4 Name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server to the SFTP client, preferred algorithm of key exchange, name of the outgoing interface, source address

5 Directory name and file name

7.4.2 Configuring VTY User Interface


To allow a user to log in to the device by using SFTP, you need to configure attributes of the
VTY user interface.

Context
Before a user logs in to the device by using SFTP, the user authentication mode in the VTY user
interface must be set. Otherwise, the user cannot log in to the device.

In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.

7.4.3 Configuring SSH for the VTY User Interface


Before users can log in to the switch using SFTP, you must configure VTY user interfaces to
support SSH.

Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH, you
cannot log in to the switch using SFTP.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.

Step 3 Run:
authentication-mode aaa

The AAA authentication mode is configured.

Step 4 Run:
protocol inbound ssh

The VTY user interface is configured to support SSH.

----End


7.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types

Before logging in to the switch using SFTP, you must configure an SSH user, configure the
switch to generate a local RSA or DSA key pair, configure a user authentication mode, and
specify a service type and authorized directory for the SSH user.

Context
l There are six SSH user authentication modes: RSA, DSA, password, password-RSA,
password-DSA, and all. Password authentication depends on Authentication,
Authorization and Accounting (AAA). Before a user logs in to the device in password,
password-RSA, or password-DSA authentication mode, you must create a local user with
the specified username in the AAA view.
– Password-RSA authentication depends on both password authentication and RSA
authentication.
– Password-DSA authentication depends on both password authentication and DSA
authentication.
– All authentication depends on either of the following authentications: password
authentication, or DSA authentication and RSA authentication.
l The device must be configured to generate local RSA or DSA key pairs, which are a key
part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA or DSA key pair. If an
SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
server and the client to generate local RSA or DSA key pairs.
RSA and DSA are both public key algorithms used for user authentication in SSH.
Compared with RSA authentication, DSA authentication adopts the DSA encryption mode
and is widely used. In many cases, SSH only supports DSA to authenticate the server and
the client. When the RSA or DSA authentication mode is used, the priority of users depends
on the priority of the VTY user interfaces used for login.
Perform the following operations on the switch that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh user user-name

An SSH user is created.


If password, password-RSA, or password-DSA authentication is configured for the SSH user,
create the same SSH user in the AAA view and set the local user access type to SSH.
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password cipher password command to set the local user
access type to SSH.
Step 3 Run:
local-user user-name privilege level level

The SSH user level is set.

NOTE

The SSH user level must be set to 3 or higher.

Step 4 Create an RSA or DSA key pair.


l Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE

l You must configure the rsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The minimum length of the server key pair and the host key
pair is 512 bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
RSA key-pairs, including the local key-pair and server key-pair.
Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
destroy command. The rsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
l Run the dsa local-key-pair create command to generate the local DSA key pair.
NOTE

l You must configure the dsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The length of the server key pair and the host key pair can
be 512 bits, 1,024 bits and 2,048 bits. By default, the length of the key pair is 512 bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
DSA key-pairs, including the local key-pair and server key-pair.
Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
destroy command. The dsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.

Step 5 Perform the operations as described in Table 7-1 based on the configured SSH user
authentication mode.

Table 7-1 Configuring an authentication mode for the SSH user

Operation: Configure password authentication
Command: Run the ssh user user-name authentication-type password command.
Description: If local or HWTACACS authentication is used and there are only a few users, use password authentication.

Operation: Configure the default password authentication
Command: Run the ssh authentication-type default password command.
Description: When you log in using SSH and use a TACACS server for authentication, the network administrator needs to specify the information about an SSH user on the TACACS server. In most cases, however, the SSH server cannot obtain the user information from the TACACS server. To resolve this problem, you can run the ssh authentication-type default password command to set the authentication mode to password authentication. Then, you can log in to the device on the SSH server safely.

Operation: Configure RSA authentication
Command:
1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
2. Run the rsa peer-public-key key-name command to enter the public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
5. Run the public-key-code end command to exit from the public key edit view.
6. Run the peer-public-key end command to return to the system view.
7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a public key.
Description:
l Step 4: In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software. After entering the public key edit view, paste the RSA public key generated on the client to the server.
l Step 6: Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format is entered. If the peer-public-key end command is used after the key key-name specified in step 2 is deleted in another window, the system prompts a message indicating that the key does not exist, and the system view is displayed.

Operation: Configure DSA authentication
Command:
1. Run the ssh user user-name authentication-type dsa command to configure DSA authentication.
2. Run the dsa peer-public-key key-name encoding-type { der | pem } command to configure an encoding format for a DSA public key and enter the DSA public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
5. Run the public-key-code end command to exit from the public key edit view.
6. Run the peer-public-key end command to return to the system view.
7. Run the ssh user user-name assign dsa-key key-name command to assign the SSH user a public key.
Description:
l Step 4: In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software. After entering the public key edit view, paste the DSA public key generated on the client to the server.
l Step 6: Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format is entered. If the peer-public-key end command is used after the key key-name specified in step 2 is deleted in another window, the system prompts a message indicating that the key does not exist, and the system view is displayed.

Step 6 (Optional) Authorize SSH users using command lines.


Run:
ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.
After configuring command line authorization for an SSH user that uses RSA authentication,
you must also configure AAA authorization. Otherwise, the command line authorization for the
SSH user does not take effect.
Step 7 Run:
ssh user username service-type { SFTP | all }

The service type of an SSH user is set to SFTP or all.


By default, the service type of the SSH user is not configured.
Step 8 Run:
ssh user username sftp-directory directoryname

The authorized directory of the SFTP service for the SSH user is configured.
By default, the authorized directory of the SFTP service for the SSH user is flash:.

----End

7.4.5 Enabling the SFTP Service


The SFTP service must be enabled before it can be used.

Context
By default, the SFTP server function is not enabled on the switch. You can use SFTP to establish
connections with the switch only after the SFTP server function is enabled on it.


Perform the following steps on the switch that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
sftp server enable

The SFTP service is enabled.


By default, the SFTP service is disabled.

----End

7.4.6 (Optional) Configuring the SFTP Server Parameters


You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, and set an interval at which the key pair
of the SSH server is updated.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Perform one or both of the operations shown in Table 7-2 as needed.

Table 7-2 Server parameters

Server parameter: Configure the interval at which the key pair of the SSH server is updated
Command: Run the ssh server rekey-interval interval command. By default, the interval is 0, indicating that the key is never updated.
Description: You can set an interval at which the key pair of an SSH server is updated. When the timer expires, the key pair is automatically updated, improving security.

Server parameter: Configure the timeout period of SSH authentication
Command: Run the ssh server timeout seconds command. By default, the timeout period is 60 seconds.
Description: If a user fails to log in when the timeout period of SSH authentication expires, the system disconnects the current connection to ensure the system security.

Server parameter: Configure the number of times that SSH authentication is retried
Command: Run the ssh server authentication-retries times command. By default, SSH authentication retries a maximum of 3 times.
Description: The number of times that SSH authentication is retried is set to deny access of unauthorized users.

Server parameter: Configure earlier SSH version compatibility
Command: Run the ssh server compatible-ssh1x enable command. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.
Description: There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X, and SSH2.0 can eliminate the security risks that SSH1.X has. SSH2.0 is more secure and therefore is recommended. SSH2.0 also supports more advanced services such as SFTP. The S6700 Series supports SSH versions ranging from 1.3 to 2.0.

Server parameter: Configure the listening port number of the SSH server
Command: Run the ssh server port port-number command. By default, the listening port number is 22. If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections, and uses the new port number to listen to connection requests.
Description: The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, deteriorating server performance, and preventing authorized users from accessing the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.

----End
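The SSH server steps in 7.4.3 through 7.4.6, collected into one configuration sequence as an added example (not from the guide). The VTY range 0 to 4, the SSH user client001 and its password, the directory flash:/sftp, the 2048-bit key length, port 55535, the rekey interval, the prompts, and the local-user service-type ssh command used to give the local user SSH access are assumed.

```text
# Added example (not from the guide): an SFTP-only SSH user with password
# authentication, SSH1.X compatibility disabled, rekeying and a non-default port.
# All names, values and prompts below are assumed sample values.
<Quidway> system-view
# VTY user interfaces: AAA authentication and SSH only, so Telnet is no longer accepted on them.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit
# Local host key pair; the command asks for the key length interactively (2048 bits assumed here).
[Quidway] rsa local-key-pair create
# Local user for password authentication; level 3 is the minimum for SSH users (see 7.4.4).
# local-user ... service-type ssh is the assumed form of "set the local user access type to SSH".
[Quidway] aaa
[Quidway-aaa] local-user client001 password cipher Sftp-Sample-Pw1
[Quidway-aaa] local-user client001 service-type ssh
[Quidway-aaa] local-user client001 privilege level 3
[Quidway-aaa] quit
# SSH user: password authentication, SFTP only (not STelnet), confined to flash:/sftp.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password
[Quidway] ssh user client001 service-type sftp
[Quidway] ssh user client001 sftp-directory flash:/sftp
# Server parameters from Table 7-2: refuse SSH1.X clients, rekey every 2 hours,
# keep the 60 s authentication timeout and 3 retries, and move the listener off port 22.
[Quidway] undo ssh server compatible-ssh1x enable
[Quidway] ssh server rekey-interval 2
[Quidway] ssh server timeout 60
[Quidway] ssh server authentication-retries 3
[Quidway] ssh server port 55535
[Quidway] sftp server enable
[Quidway] quit
# Verify: the status output should show the port, the rekey interval and "SFTP server : Enable".
<Quidway> display ssh server status
<Quidway> display ssh user-information client001
```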

7.4.7 Accessing the System Using SFTP


After the configuration is complete, you can use SFTP to log in to the switch from a user terminal
and manage files on the switch.

Context
Third-party software can be used to access the switch from the user terminal using SFTP. The
example here uses third-party software OpenSSH and the Windows CLI.


Install OpenSSH on the user terminal and then do as follows:

NOTE

For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the switch, see help documentation for the
software.

Procedure
Step 1 Open the Windows CLI.

Step 2 Run relevant OpenSSH commands to log in to the switch in SFTP mode.

When a command line prompt, such as sftp>, is displayed in the SFTP client view, you have
entered the working directory of the SFTP server.

Figure 7-2 Using SFTP to log in to the device

----End

7.4.8 Managing Files Using SFTP


You can log in to the SSH server from an SFTP client to create or delete directories on the SSH
server.


Context
After logging in to the SFTP server, you can perform the following operations:
l Displaying the SFTP client command help
l Managing directories on the SFTP server
l Managing files on the SFTP server
After logging in to the SFTP server and entering the SFTP client view, you can perform one or
more of the following operations.

Procedure
l Run:
help [ all | command-name ]

The SFTP client command help is displayed.


l Perform one or multiple of the following operations as required.
– Run:
cd [ remote-directory ]

The current operating directory of users is changed.


– Run:
pwd

The current operating directory of users is displayed.


– Run:
dir/ls [ path ]

A list of files in the specified directory is displayed.


– Run:
rmdir remote-directory &<1-10>

The directory on the server is deleted.


– Run:
mkdir remote-directory

A directory is created on the server.


l Perform one or multiple of the following operations as required.
– Run:
rename old-name new-name

The name of the specified file on the server is changed.


– Run:
get remote-filename [ local-filename ]

The file on the remote server is downloaded.


– Run:
put local-filename [ remote-filename ]

The local file is uploaded to the remote server.


– Run:
rmdir remote-directory &<1-10>

The file on the server is removed.


----End


7.4.9 Checking the Configurations


After using SFTP to manage files, you can view SSH user information and global configurations
for the SSH server.

Prerequisites
SSH users have been configured.

Procedure
l Run the display ssh user-information username command on the SSH server to check
information about the SSH client.
l Run the display ssh server status command on the SSH server to check its global
configurations.
l Run the display ssh server session command on the SSH server to check information about
connection sessions with SSH clients.
----End

Example
Run the display ssh user-information username command. It shows that the SSH user named
client001 is authenticated by password.
[Quidway] display ssh user-information client001
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : RSA
Sftp-directory : -
Service-type : sftp
Authorization-cmd : Yes

If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view global configurations of an SSH server.
<Quidway> display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries : 5 times
SFTP server : Enable
Stelnet server : Enable
Scp server : Enable
SSH server port : 55535

NOTE

If the default interception port is in use, information about the current interception port is not displayed.

Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<Quidway> display ssh server session
Session 2:
Conn : VTY 4
Version : 2.0
State : started


Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password
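The status and session output above is what an auditor has to read across a fleet of switches. The following script is an added example (not from the Huawei guide) that parses both outputs, constructed here from the sample output shown above, and flags the settings a security review would revisit: the 1.99 version string, which signals that SSH 1.x clients are also accepted, a retry count above a review threshold, CBC-mode ciphers, MD5-based HMACs and a SHA-1 key exchange. The function names and the retry threshold are the author's own choices.

```python
"""Audit 'display ssh server status' and 'display ssh server session' output.

Added example: parses the command output shown on the page and flags settings
a security review would revisit. Function names are the author's own.
"""
import re

# Constructed sample input, copied from the command output shown above.
STATUS_OUTPUT = """\
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries : 5 times
SFTP server : Enable
Stelnet server : Enable
Scp server : Enable
SSH server port : 55535
"""

SESSION_OUTPUT = """\
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password
"""

MAX_AUTH_RETRIES = 3  # review threshold chosen for this example, not a device default


def parse_kv(text):
    """Turn 'Key : Value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_sessions(text):
    """Split 'Session N:' blocks into one dict per session."""
    sessions, current = [], None
    for line in text.splitlines():
        m = re.match(r"Session\s+(\d+):", line)
        if m:
            current = {"session": int(m.group(1))}
            sessions.append(current)
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip().lower()] = value.strip()
    return sessions


def audit_status(fields):
    """Findings from the global server settings."""
    findings = []
    if fields.get("ssh version") == "1.99":
        findings.append("status: version 1.99 advertises SSH 1.x compatibility; "
                        "prefer SSH 2.0 only")
    m = re.match(r"(\d+)", fields.get("ssh authentication retries", ""))
    if m and int(m.group(1)) > MAX_AUTH_RETRIES:
        findings.append(f"status: {m.group(1)} authentication retries allowed; "
                        f"consider {MAX_AUTH_RETRIES} or fewer")
    return findings


def audit_session(session):
    """Findings from the algorithms negotiated by one client session."""
    sid = session.get("session")
    findings = []
    for key in ("ctos cipher", "stoc cipher"):
        if session.get(key, "").endswith("-cbc"):
            findings.append(f"session {sid}: {key} {session[key]} is CBC mode; "
                            "prefer CTR or GCM ciphers")
    for key in ("ctos hmac", "stoc hmac"):
        if "md5" in session.get(key, ""):
            findings.append(f"session {sid}: {key} {session[key]} uses MD5; "
                            "prefer SHA-2 HMACs")
    if session.get("kex", "").endswith("sha1"):
        findings.append(f"session {sid}: kex {session['kex']} uses SHA-1; "
                        "prefer a SHA-2 key exchange")
    return findings


def audit(status_text, session_text):
    """Run both audits and return the combined list of findings."""
    findings = audit_status(parse_kv(status_text))
    for session in parse_sessions(session_text):
        findings.extend(audit_session(session))
    return findings


if __name__ == "__main__":
    for finding in audit(STATUS_OUTPUT, SESSION_OUTPUT):
        print(finding)
```

Feed it the text captured from the two display commands; each finding names the session it came from so it can be matched to the Username line. The commands that change the algorithms a device negotiates are outside this section of the guide.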

7.5 Performing File Operations by Means of FTPS


FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to
authenticate the identities of the client and server and encrypt data to be transmitted, FTPS
implements security management of devices.

7.5.1 Establishing the Configuration Task


Before using FTPS to manage files, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data can easily be tampered
with, creating security threats. An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.

As shown in Figure 7-3, an SSL policy is configured on the FTP server. After a digital certificate
is loaded and the FTPS server function is enabled on the server, you can log in to the server from
a terminal on which the SSL-capable FTP client software is installed to securely operate files
transmitted between the terminal and the server.

Figure 7-3 Networking diagram for a PC to log in to an FTPS server
(PC -- Network -- FTP-Server; the FTP-Server's VLANIF10 has IP address 192.168.0.1/24)

Pre-configuration Tasks
Before using FTPS to manage files, complete the following tasks:

l Configure an FTP user on the FTPS server.


l Load a digital certificate to the sub-directory named security of the system directory on
the FTPS server.
l Install the SSL-capable FTP client software on the PC.


Data Preparation
Before using FTPS to manage files, you need the following data.

No. Data

1 SSL policy name and digital certificate

2 IP address of the FTPS server

7.5.2 Configuring an SSL Policy and Loading a Digital Certificate


A client uses a digital certificate to authenticate the identity of a server for secure communication.

Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.

NOTE

A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
The PEM format is applicable to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Perform the following steps on the device that functions as an FTPS server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssl policy policy-name

An SSL policy is configured and the SSL policy view is displayed.


Step 3 Load a digital certificate.
Run one of the following commands as required:


l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-
filename auth-code auth-code

A PEM digital certificate is loaded.


l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-
filename

An ASN1 digital certificate is loaded.


l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code |
key-file key-filename } auth-code auth-code

A PFX digital certificate is loaded.


l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-
filename auth-code auth-code

A PEM digital certificate chain is loaded.


NOTE

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.

----End

7.5.3 Enabling the FTPS Function


After a device is configured with an SSL policy and enabled with the FTPS server function, the
device functions as an FTPS server to provide SSL-based FTP services.

Context
NOTE

Before enabling the FTPS server function, disable the FTP server function.

Perform the following steps on the device that functions as an FTPS server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp secure-server ssl-policy policy-name

An SSL policy is configured for the device.


Step 3 Run:
ftp secure-server enable

The FTPS server function is enabled.


By default, the FTPS server function is disabled.

----End


7.5.4 Accessing an FTPS Server


You can use a PC with the SSL-capable FTP client software or an FTPS client to access an FTPS
server for secure management of files on the FTPS server.

Before accessing an FTPS server, install the SSL-capable FTP client software on a PC, and then
use that third-party software to log in to the FTPS server from the PC to securely manage files
on the FTPS server.
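This is the client side of the exchange the section describes. The code below is an added example, not from the Huawei guide or from any third-party FTP client: it uses Python's standard ftplib and ssl modules to connect over explicit FTPS, verify the server certificate against the CA certificate the client is expected to hold, and only then send the user name and password. The CA file name, the helper names and the listing path are assumptions.

```python
"""Explicit FTPS client that verifies the server certificate.

Added example; not from the Huawei guide. It uses Python's standard ftplib and
ssl modules. The CA file path and the helper names are assumptions.
"""
import ssl
from ftplib import FTP_TLS


def build_ftps_context(ca_pem_path=None):
    """TLS context that refuses servers whose certificate does not chain to a trusted CA.

    ca_pem_path: PEM file holding the CA certificate that issued the FTPS server's
    certificate (the CA certificate the page says the client must obtain). If None,
    the operating system's trust store is used instead.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # server name (or IP SAN) must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable certificate aborts the handshake
    return ctx


def context_summary(ctx):
    """Plain values describing what a context enforces, for logging or tests."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def ftps_list_directory(host, user, password, ctx, port=21, path="."):
    """Log in over explicit FTPS (AUTH TLS) and list a directory.

    The control channel is upgraded to TLS before the user name and password are
    sent, and PROT P encrypts the data channel used for the listing.
    """
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port, timeout=10)
    ftp.auth()                  # AUTH TLS: encrypt the control channel first
    ftp.login(user, password)   # credentials now travel inside TLS
    ftp.prot_p()                # PROT P: encrypt the data channel as well
    try:
        return ftp.nlst(path)
    finally:
        ftp.quit()


if __name__ == "__main__":
    # Address and credentials match the FTPS example in this chapter; the CA
    # file name is a placeholder for the certificate obtained from your CA.
    context = build_ftps_context("ca_cert.pem")
    print(ftps_list_directory("192.168.0.1", "huawei", "huawei", context))
```

Because check_hostname stays enabled, the name or address used to connect must appear in the server certificate (for an address such as 192.168.0.1 that means an IP subject alternative name). A certificate that does not chain to the CA file aborts the TLS handshake before the password is transmitted, which is exactly the property plain FTP lacks.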

7.5.5 Checking the Configurations


After the configuration of login to an FTPS server from a user terminal is complete, you can
view the SSL policy, digital certificate, and status of the FTPS server.

Prerequisites
Login to the devices by using FTPS has been configured.

Procedure
l Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
l Run the display ftp-server command to check the SSL policy name and the FTPS server
status.

----End

Example
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
<Quidway> display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running


7.6 Configuration Examples


The examples in this section show how to use FTP, SFTP or FTPS to access the system and
manage files. These configuration examples explain networking requirements and provide
configuration roadmaps and configuration notes.

7.6.1 Example for Managing Files Using FTP


This example shows how to use FTP to manage files. In the example, a user uses FTP to log in
to the switch from a PC and then downloads files to the FTP client.

Networking Requirements
As shown in Figure 7-4, the local PC functions as the FTP client of which the IP address is
10.1.1.1/24.
The Switch acts as the FTP server, and IP address of the FTP server is 10.1.1.2/24.
The PC uploads files to the Switch.

Figure 7-4 Networking diagram of the Switch functioning as the FTP server
(PC as FTP Client -- Ethernet L2 Switch -- Ethernet Switch as FTP Server; FTP session in VLAN10)

Switch: FTP Server
Interface: XGigabitEthernet0/0/1
VLANIF interface: VLANIF 10
IP address: 10.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the correct FTP user name and password on the Switch that functions as the FTP server.
2. Log in to the Switch through FTP from the PC.
3. Upload files to the FTP server.

Data Preparation
To complete the configuration, you need the following data:

l IP address of the FTP server


l Name of the FTP user set as u1 and the password set as ftppwd on the server


l Correct path of the source file on the PC


l Name of the destination file and position where the destination files are located on the
Switch

Procedure
Step 1 Create VLAN 10 on the Switch and assign the IP address 10.1.1.2/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.2 24

Step 2 Start the FTP server on the Switch, and set the FTP user name to u1 and password to ftppwd.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user u1 password cipher ftppwd
[Quidway-aaa] local-user u1 service-type ftp
[Quidway-aaa] local-user u1 privilege level 15
[Quidway-aaa] local-user u1 ftp-directory flash:/
[Quidway-aaa] return

Step 3 On the PC, initiate a connection to the Switch with the user name u1 and the password
ftppwd.
The following uses Windows XP on the FTP client to illustrate the operation.
C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready.
User (10.1.1.1:(none)): u1
331 Password required for u1
Password:
230 User logged in.
ftp>

Step 4 Set the mode of transferring files to binary and the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.

Step 5 Upload d006.cc and vrpcfg.cfg to the Switch on the PC.


ftp> put d006.cc d006.cc
200 Port command okay.
150 Opening BINARY mode data connection for d006.cc.
ftp> put vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
ftp> quit
C:\WINDOWS\Desktop>

----End

Configuration Files
#
sysname Quidway
#
FTP server enable


#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
aaa
local-user u1 password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user u1 privilege level 15
local-user u1 ftp-directory flash:/
local-user u1 service-type ftp
#
return

7.6.2 Example for Managing Files Using SFTP


This example shows how to use SFTP to manage files. In the example, a local key pair, and a
username and a password are configured on the SSH server for an SSH user. After SFTP services
are enabled on the server and the SFTP client is connected to the server, you can manage files
between the client and the server.

Networking Requirements
As shown in Figure 7-5, after SFTP services are enabled on the switch functioning as an SSH
server, you can log in to the server from an SFTP client PC in password, RSA, password-rsa,
DSA, password-DSA or all authentication mode.
Configure a user to log in to the SSH server in password authentication mode.

Figure 7-5 Networking diagram for managing files using SFTP
(PC -- Network -- SSH Server; the SSH Server's VLANIF 2 has IP address 10.164.39.210/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to exchange data securely between the SFTP
client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including user authentication mode, username, password, and
authorization directory.
4. Enable SFTP services on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:


l SSH user authentication mode: password, username: client001, password: huawei


l User level of client001: 3
l IP address of the SSH server: 10.137.217.225

Procedure
Step 1 Configure a local key pair on the SSH server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure VTY user interfaces on the SSH server.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

Step 3 Configure the SSH username and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable SFTP and configure the user service type to be SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp

Step 5 Configure the authorization directory for the SSH user.


[SSH Server] ssh user client001 sftp-directory flash:

Step 6 Verify the configurations.


Figure 7-6 Access interface

----End

Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
vlan batch 10
#
aaa
local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.137.217.225 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

7.6.3 Example for Performing File Operations by Means of FTPS


You can use a terminal on which the SSL-capable FTP client software is installed to log in to
an FTPS server to securely operate files transmitted between the terminal and the server.


Networking Requirements
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data can easily be tampered
with, creating security threats. An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 7-7, an SSL policy is configured on the FTP server. After a digital certificate
is loaded and the FTPS server function is enabled on the server, you can log in to the server from
a terminal on which the SSL-capable FTP client software is installed to securely operate files
transmitted between the terminal and the server.

Figure 7-7 Operating files using FTPS
(PC -- Network -- FTP-Server; the FTP-Server's VLANIF10 has IP address 192.168.0.1/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Upload a digital certificate.
Upload the digital certificate saved on the PC to the FTP server.
2. Load the digital certificate.
Copy the digital certificate from the system directory of the FTP server to the sub-directory
named security, configure an SSL policy, and load the digital certificate.
3. Enable the FTPS server function.
4. Install the SSL-capable FTP client software on the PC

Data Preparation
To complete the configuration, you need the following data:
l IP address of the FTP server
l FTP user name and password
l SSL digital certificate

Procedure
Step 1 Upload a digital certificate.
# Configure an IP address for the FTP server so that the PC and FTP server are reachable.
<Quidway> system-view
[Quidway] sysname FTP-Server


[FTP-Server] vlan 10
[FTP-Server-vlan10] quit
[FTP-Server] interface xgigabitethernet0/0/1
[FTP-Server-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[FTP-Server-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[FTP-Server-XGigabitEthernet0/0/1] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

# Enable the FTP server function.


[FTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for an
FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password cipher huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei privilege level 15
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit

# Run the ftp ftp-server-address command at the Windows command prompt. Enter the correct
user name and password to set up an FTP connection to the FTP server, as shown in Figure
7-8.

Figure 7-8 Logging in to an FTP server from a user terminal

Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
7-9.


Figure 7-9 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the FTP server. The
command output shows that the digital certificate has been successfully uploaded to the server.
<FTP-Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time(LMT) FileName


0 drw- - May 10 2011 05:05:40 src
1 -rw- 524,575 May 10 2011 05:05:53 private-data.txt
2 -rw- 446 May 10 2011 05:05:51 vrpcfg.zip
3 -rw- 1,302 May 10 2011 05:32:05 1_servercert_pem_rsa.pem
4 -rw- 951 May 10 2011 05:32:44 1_serverkey_pem_rsa.pem

304,292 KB total (303,770 KB free)

Step 2 Configure an SSL policy and load the digital certificate.


# Create a sub-directory named security and copy the digital certificate to this sub-directory.
<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security sub-
directory on the FTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time(LMT) FileName


0 -rw- 1,302 May 10 2011 05:44:34 1_servercert_pem_rsa.pem
1 -rw- 951 May 10 2011 05:45:22 1_serverkey_pem_rsa.pem

304,292 KB total (303,766 KB free)

# Create an SSL policy and load the PEM digital certificate.


<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code
123456


[FTP-Server-ssl-policy-ftp_server] quit

Step 3 Enable the FTPS server function.


NOTE

Before enabling the FTPS server function, disable the FTP server function.
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable

Step 4 Install the SSL-capable FTP client software on the PC.


For details about the operation procedure, see the help document about the third-party software.
Step 5 Verify the configuration.
# Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the loaded certificate.
[FTP-Server] display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running

You can establish a connection with the FTPS server using the SSL-capable FTP client software
and upload files to and download files from the server.

----End

Configuration Files
Configuration file of the FTPS server
#
sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10
#
ssl policy ftp_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa


authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user huawei service-type ftp
local-user huawei privilege level 15
local-user huawei ftp-directory flash:/
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return


8 Configuring System Startup

About This Chapter

When the switch is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the switch, you need to manage system software and configuration
files efficiently.

8.1 System Startup Overview


When the switch is powered on, system software starts and configuration files are loaded.
8.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the
switch.
8.3 Specifying a File for System Startup
You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the switch.
8.4 Configuration Examples
The example in this section shows how to configure system startup. The example explains
networking requirements, and provides a configuration roadmap and configuration notes.


8.1 System Startup Overview


When the switch is powered on, system software starts and configuration files are loaded.

8.1.1 System Software


System software provides an operating system for the switch. System software must be set up
correctly for the switch to run properly and provide services.
The extension for the system software file is .cc. The file must be saved in the root directory of
the storage device.

8.1.2 Configuration Files


The configuration file holds the configuration that is loaded when the switch starts, either for
the current startup or for the next startup.
The configuration file is a text file in the following formats:
l The configuration file of V200R001 must begin with the message like "!Software Version
V200R001C00."
l It is saved in the command format.
l To save space, default parameters are not saved.
l Commands are organized on the basis of the command view. All commands of the identical
command view are grouped into a section. Every two command sections are separated by
one or several blank lines or comment lines (beginning with "#").
l The sequence of command sections is global configuration, physical interface
configuration, logic interface configuration, routing protocol configuration and so on.
l The file name extension of the configuration file must be .cfg or .zip, and must be stored
in the root directory of a storage device.
NOTE

l The system can run the command with the maximum length of 510 characters, including the command
in an incomplete form.
l If the configuration is in the incomplete form, the command is saved in complete form. Therefore, the
command length in the configuration file may exceed 510 characters. When the system restarts, these
commands cannot be restored.
l A configuration file can contain 30000 command lines. If more than 30000 commands are configured,
some commands may be lost after an upgrade.
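The format rules above are easy to check mechanically. The following parser is an added example, not from the Huawei guide: it splits a file on the "#" separator lines, records the "!Software Version" header, and checks the 510-character and 30000-line limits from the NOTE, plus two conditions stated elsewhere in this guide (the FTP server must be disabled before FTPS is enabled, and VTY user interfaces should accept only SSH). The sample file is constructed from the SFTP configuration file shown in section 7.6.2; the function names are the author's own.

```python
"""Parse a configuration file in the format described above and check it
against the limits the section states.

Added example, not from the Huawei guide. The sample file is constructed from
the SFTP configuration file shown earlier in this chapter; function names are
the author's own.
"""

MAX_COMMAND_LEN = 510      # longer commands cannot be restored at startup
MAX_COMMAND_LINES = 30000  # more lines than this may be lost after an upgrade

# Constructed sample input (sub-view commands indented by one space, as VRP writes them).
SAMPLE_CONFIG = r"""!Software Version V200R001C00
#
 sysname SSH Server
#
vlan batch 10
#
aaa
 local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
interface Vlanif10
 ip address 10.137.217.225 255.255.255.0
#
sftp server enable
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def parse_config(text):
    """Return (version header, sections).

    Sections are split at comment lines starting with '#' or at blank lines; each
    section is a list of command lines, the first being the view-entering command.
    """
    header, sections, current = None, [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("!"):
            header = line[1:].strip()      # e.g. 'Software Version V200R001C00'
        elif line.startswith("#") or not line.strip():
            if current:
                sections.append(current)
                current = []
        else:
            current.append(line)
    if current:
        sections.append(current)
    return header, sections


def find_section(sections, first_command):
    """Return the section whose first command starts with first_command, or None."""
    for section in sections:
        if section[0].strip().startswith(first_command):
            return section
    return None


def check_config(text):
    """Checks drawn from this chapter: header line, command length and count,
    plain FTP not left enabled beside FTPS, VTY lines restricted to SSH."""
    header, sections = parse_config(text)
    problems = []
    if not (header or "").startswith("Software Version"):
        problems.append("missing '!Software Version' header line")
    commands = [c.strip() for s in sections for c in s]
    if len(commands) > MAX_COMMAND_LINES:
        problems.append(f"{len(commands)} command lines exceed the {MAX_COMMAND_LINES} limit")
    for c in commands:
        if len(c) > MAX_COMMAND_LEN:
            problems.append(f"command longer than {MAX_COMMAND_LEN} characters: {c[:40]}...")
    lowered = {c.lower() for c in commands}
    if "ftp server enable" in lowered and "ftp secure-server enable" in lowered:
        problems.append("plain FTP and FTPS are both enabled; disable the FTP server "
                        "before enabling FTPS")
    vty = find_section(sections, "user-interface vty")
    if vty and not any(c.strip().startswith("protocol inbound ssh") for c in vty):
        problems.append(f"{vty[0]}: inbound protocol not restricted to SSH")
    return problems


if __name__ == "__main__":
    version, parsed = parse_config(SAMPLE_CONFIG)
    print(version, f"{len(parsed)} sections")
    print(check_config(SAMPLE_CONFIG) or "no problems found")
```

Run it against a saved .cfg file pulled from the switch (the .zip variant must be unpacked first); every problem string names the offending section so it can be located in the file.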

8.1.3 Configuration Files and Current Configurations


When the switch is running, current configurations differ from configuration files.
The concepts of configuration files and current configurations are as follows.


Concept: Configuration files
Description: Initial configurations. When powered on, the switch retrieves configuration files
from a default save path to initialize itself. If configuration files do not exist in the default
save path, the switch uses default initialization parameters.
Identifying Method:
l Run the display startup command to view the configuration files for the current startup and
next startup on the switch.
l Run the display saved-configuration command to view the configuration file for the next
startup on the switch.

Concept: Current configurations
Description: Current configurations are the configurations in effect on the switch when it is
actually running.
Identifying Method: Run the display current-configuration command to view current
configurations on the switch.

You can use the command line interface to modify current switch configurations. Use the
save command to save modified configurations to the configuration file on the default storage
devices. This configuration file will be used to initialize the switch when the switch is powered
on next time.

8.2 Managing Configuration Files


You can manage the configuration files for the current and next startup operations on the
switch.

8.2.1 Establishing the Configuration Task


Before managing configuration files, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
Configuration files can be saved, cleared, compared, backed up, and restored. Configuration file
management is required to upgrade the switch, take preventive measures, repair configuration
files, and view configurations after the switch starts.

Pre-configuration Tasks
Before managing configuration files, install and power on the switch.

Data Preparation
To manage configuration files, you need the following data.


No. Data

1 Configuration file and its name

2 Configuration file saving interval and delay interval

3 Number of the start line from which the comparison of the configuration files
begins

8.2.2 Saving Configuration Files


The configurations completed by using command lines are valid for only the current operation
on the switch. To allow the configurations to be valid for the next startup, you need to save the
current configurations to configuration files before restarting the switch.

Context
Configuration files can be saved on demand or the system can be set to save configuration files
at regular intervals. This prevents data loss if the switch restarts without warning or when it is
powered off.
Run one of the following commands to save configuration files.

Procedure
l Run:
1. system-view

The system view is displayed.


2. set save-configuration [ interval interval | cpu-limit cpu-usage |delay
delay-interval ] *

The configuration file is saved at intervals.


After the parameter interval interval is specified, the system saves the current
configuration if the configuration has changed; if the configuration has not changed,
the system does not save the current configuration.
– If the set save-configuration command is not run, the system does not
automatically save configurations.
– If the set save-configuration command without specified interval is run, the
system automatically saves configurations at an interval of 30 minutes.
When you configure the automatic saving function, to prevent that function from
affecting system performance, you can set the upper limit of the CPU usage for the
system during automatic saving. When automatic saving is triggered by the expiry of
the timer, the CPU usage is checked. If the CPU usage is higher than the set upper
limit, automatic saving will be canceled.
After delay delay-interval is specified, if the configuration is changed, the device
automatically saves the configuration after the specified delay.
After automatic saving is configured, the system automatically saves the changed
configuration to the configuration file for the next startup, so that the configuration file
always reflects the last saved configuration.
Before configuring automatic saving of the configuration file to a server, run the
set save-configuration backup-to-server server server-ip [ transport-type
{ ftp | sftp } ] user user-name password password [ path folder ] or set save-configuration
backup-to-server server server-ip transport-type tftp [ path folder ] command to
configure the server: its IP address, the username and password, the destination path,
and the mode used to transport the configuration file to the server.
NOTE
If TFTP is used, run the tftp client-source command to configure a loopback interface address as a
client source IP address on the switch, improving security.
l Run:
save [ all ] [ configuration-file ]

The current configurations are saved.

The extension for the configuration file must be .cfg or .zip. The system startup
configuration file must be saved in the root directory of a storage device.

You can modify the current configuration through the CLI. To set the current configuration
as initial configuration when the switch starts next time, you can use the save command to
save the current configuration in the flash memory.

You can use the save all command to save all the current configurations, including the
configurations of the boards that have not been inserted, to the next startup configuration
file.

NOTE

When saving the configuration file for the first time, if you do not specify the optional parameter
configuration-file, the switch asks you whether to save the file as "vrpcfg.zip" or not. "vrpcfg.zip" is
the default configuration file and initially contains no configuration.

----End

8.2.3 Clearing a Configuration File


This section describes how to clear the content of the configuration file that has been loaded to
a device or how to delete configurations on an interface to restore the default configurations.

Context
The configuration file stored in the flash memory needs to be cleared in the following cases:

l The system software does not match the configuration file after the switch has been
upgraded.
l The configuration file is destroyed or an incorrect configuration file has been loaded.

Perform the following operations to clear the content of a configuration file:

Procedure
l Clear the currently loaded configuration file.
Run the reset saved-configuration command to clear the currently loaded configuration
file.
– If the configuration file used for the current startup of the switch is the same as the file
to be used for the next startup, running the reset saved-configuration command clears
both files. The switch will use the default configuration file for the next startup.

– If the configuration file used for the current startup of the switch is different from the
file to be used for the next startup, running the reset saved-configuration command
clears the configuration file used for the current startup.
– If you run the reset saved-configuration command and the configuration file used for
the current startup of the switch is empty, the system will prompt that the configuration
file does not exist.

CAUTION
l Exercise caution when running this command. If necessary, do it under the guidance of
Huawei technical support personnel.
l After the contents of a configuration file are cleared, the empty configuration file with
the original file name is left.
l After the configuration file is cleared, if you do not run the startup saved-configuration
configuration-file command to specify a new configuration file, or do not run the save
command to save the configuration file, the switch will use the default configuration file
at the next startup.

l Clear the configurations of a specified interface.


1. Run the system-view command to enter the system view.
2. Run the clear configuration interface interface-type interface-number command to
clear the configurations of the specified interface.
----End

8.2.4 Comparing Configuration Files


You can determine whether the current configuration file is the same as the one for the next
startup or a specified one on the switch by comparing them.

Context
You can determine whether to specify the current configuration file as the one for the next startup
by comparing the current configuration file with the one for the next startup.

Procedure
l Run:
compare configuration [ configuration-file ] [ current-line-number save-line-number ]

The current configuration is compared with the configuration file for next startup.
– If configuration-file is specified, the system checks whether the current configuration
is the same as the specified configuration file.
– If no parameter is set, the comparison begins at the first line of each configuration file.
If current-line-number and save-line-number are set, the comparison begins at those lines
of the current and saved configuration files respectively, so differences before them are
ignored.
The system displays the content of the current and the saved configuration file starting
from the first line that differs between the two files. Beginning with this line, 150 characters
are displayed by default for each file. If fewer than 150 characters remain after the first
differing line, all remaining content in the files is displayed.

NOTE

When trying to compare configuration files, if the configuration file for next startup is unavailable
or its content is empty, the system prompts that reading files fails.

----End
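The comparison semantics described above, modelled in Python as an added example (not Huawei or S6700 code). The two configurations are constructed samples in VRP style, and the 150-character window and the two start-line parameters follow the guide's description.

```python
"""Model of the 'compare configuration' behaviour described in 8.2.4.

Added example, not Huawei or S6700 code.  It reproduces the documented
semantics: compare the current and saved configurations line by line,
starting at line 1 or at the given current-line-number / save-line-number,
and from the first differing line show 150 characters of each file
(everything that remains if fewer than 150 characters are left).
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_DISPLAY_CHARS = 150  # per-file window the guide describes

# Constructed sample configurations in VRP style (not from a real device).
# The running configuration has an extra 'ftp server enable' that was
# never saved: exactly the kind of unsaved change this check surfaces.
CURRENT_CONFIG = """\
#
 sysname SwitchA
#
interface Vlanif10
 ip address 10.0.10.1 255.255.255.0
#
ftp server enable
#
return
"""

SAVED_CONFIG = """\
#
 sysname SwitchA
#
interface Vlanif10
 ip address 10.0.10.1 255.255.255.0
#
return
"""


@dataclass
class CompareResult:
    identical: bool
    current_line: Optional[int]  # 1-based line in the current configuration
    saved_line: Optional[int]    # 1-based line in the saved configuration
    current_excerpt: str         # window shown for the current configuration
    saved_excerpt: str           # window shown for the saved configuration


def compare_configuration(current: str, saved: str,
                          current_line_number: int = 1,
                          save_line_number: int = 1,
                          display_chars: int = DEFAULT_DISPLAY_CHARS) -> CompareResult:
    """Compare from the given start lines and report the first difference."""
    cur_lines = current.splitlines()
    sav_lines = saved.splitlines()
    i, j = current_line_number - 1, save_line_number - 1
    while i < len(cur_lines) and j < len(sav_lines):
        if cur_lines[i] != sav_lines[j]:
            break
        i += 1
        j += 1
    else:
        # No mismatch before one side ran out; identical only if both did.
        if i >= len(cur_lines) and j >= len(sav_lines):
            return CompareResult(True, None, None, "", "")
    # Mismatch (or one file has extra lines): show display_chars from here.
    cur_rest = "\n".join(cur_lines[i:])
    sav_rest = "\n".join(sav_lines[j:])
    return CompareResult(False, i + 1, j + 1,
                         cur_rest[:display_chars], sav_rest[:display_chars])


def format_report(result: CompareResult) -> str:
    """Render a result the way an operator would read it."""
    if result.identical:
        return "The current configuration and the saved configuration are the same."
    return (f"Differences begin at line {result.current_line} of the current "
            f"configuration and line {result.saved_line} of the saved configuration.\n"
            f"--- current ---\n{result.current_excerpt}\n"
            f"--- saved ---\n{result.saved_excerpt}")


if __name__ == "__main__":
    print(format_report(compare_configuration(CURRENT_CONFIG, SAVED_CONFIG)))
    # Start lines skip the known difference and reach the common 'return'.
    print(format_report(compare_configuration(CURRENT_CONFIG, SAVED_CONFIG, 9, 7)))
```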

8.2.5 Backing Up the Configuration Files


Context
You can back up the configuration files in any of the following ways:

Procedure
l Copying the screen output directly
In the CLI, run the display current-configuration command. Copy the entire output into a
text file and save it on the hard disk of the maintenance terminal as a backup of the
configuration file.
l Backing up the configuration files through TFTP
1. Copy the configuration files in the flash memory directly.
This step backs up the current configuration file stored in the flash memory of the
device.
After the device starts, use the following commands to back up the configuration
files in the flash memory of the device.
<Quidway> save flash:/config.cfg
The current configuration will be written to the device.
Are you sure to continue?[Y/N]:y
Now saving the current configuration to the slot 0.
Info: Save the configuration successfully.
<Quidway> copy config.cfg flash:/backup.cfg
Copy flash:/config.cfg to flash:/backup.cfg?[Y/N]:y
100% complete/
Info: Copied file flash:/config.cfg to flash:/backup.cfg...Done.

2. Assign an IP address to the device.

The device acts as the TFTP client.
Connect the device to the maintenance terminal, establish the Telnet environment, and
assign an IP address to the interface. A reachable route must exist between the
TFTP client and the TFTP server.
3. Start the TFTP server application program.
Start the TFTP server application in the PC. Set the path, the IP address, and the port
number of the TFTP server to download the configuration files.
4. Transfer the configuration files.
In the user view, run the tftp command.
<Quidway> tftp 10.110.24.209 put config.cfg
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
3501 bytes send in 1 second.


l Backing up the configuration files through FTP


1. Connect the device to the maintenance terminal, establish the Telnet environment and
assign an IP address for the interface.
2. Start the FTP service.

The device acts as the FTP server.

Start the FTP server on the device. Create an FTP user whose username is huawei and
password is huawei. The user level must be set to 3 or higher. Authorize the user to
access flash:/.
<Quidway> system-view
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei
[Quidway-aaa] local-user huawei privilege level 3
[Quidway-aaa] local-user huawei ftp-directory flash:/
[Quidway-aaa] local-user huawei service-type ftp

3. Initiate an FTP connection to the device from the maintenance terminal.

On the PC, establish an FTP connection with the device through the FTP client. For
example, the IP address of the device is 10.110.24.254.
C:\Documents and Setting\Administrator> ftp 10.110.24.254
Connected to 10.110.24.254.
220 FTP service ready.
User (10.110.24.254:(none)): huawei
331 Password required for huawei.
Password:
230 User logged in.

4. Set the parameters.

After the FTP user passes authentication, the FTP client prompts "ftp>". Enter
binary and specify the directory for storing the configuration files on the FTP client.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.

5. Transfer the configuration files.

Run the get command on the PC to download the configuration files to the local
specified directory and save them as backup.cfg.
ftp> get config.cfg backup.cfg
200 Port command okay.
150 Opening ASCII mode data connection for config.cfg.
226 Transfer complete.
ftp: 1021 bytes received in 0.06Seconds 60.02Kbytes/sec.
ftp>

6. Check whether the config.cfg and backup.cfg files are of the same size. If they are
of the same size, the backup is successful.

----End

8.2.6 Restoring the Configuration Files

Context
You can restore the configuration files in any of the following ways:


NOTE

After restoring the configuration files, restart the device to make the configuration files take effect. Run
the startup saved-configuration command to specify the configuration file for next startup. If the
configuration file name is unchanged, you do not need to run this command. Then run the reboot command
to restart the device.

Procedure
l Restoring the configuration files saved in the Flash

This operation restores the configuration files saved in the flash memory of the device as
the configuration files of the current system.

Run the following commands when the device is working normally.


<Quidway> copy flash:/backup.cfg flash:/vrpcfg.zip
Copy flash:/backup.cfg to flash:/vrpcfg.zip?[Y/N]:y
100% complete/
Info: Copied file flash:/backup.cfg to flash:/vrpcfg.zip...Done.

l Restoring the configuration files saved in the PC through TFTP

The device works as the TFTP client. The restoration procedure is similar to that of backing
up the configuration files through TFTP. Run the tftp get command to download the
configuration files saved in the PC to the Flash of the device.
l Restoring the configuration files saved in the PC through FTP

The device acts as the FTP server. The restoration procedure is similar to that of backing
up the configuration files through FTP. Run the put command to upload the
configuration files saved in the PC to the Flash of the device.

----End

8.2.7 Checking the Configurations


After managing configuration files, you can view the current configuration files and files in the
storage device.

Prerequisites
The configuration file management tasks have been completed.

Procedure
l Run the display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
current-configuration [ all | inactive ] command to check current configurations.
l Run the display startup command to check files for startup.
l Run the dir [ /all ] [ filename ] command to check files saved in the storage device.
l Run the display saved-configuration configuration command to view configurations of
the autosave function, including the status of the autosave function, time for autosave check,
threshold for the CPU usage, and period during which configurations are unchanged (when
the period expires, configurations are automatically saved).


l Run the display changed-configuration time command to check the time of the last
configuration change.

----End

Example
Run the display startup command to check files for startup.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001.cc
Startup system software: flash:/S6700v200r001.cc
Next startup system software: flash:/S6700v200r001.cc
Startup saved-configuration file: flash:/vrpcfg1.cfg
Next startup saved-configuration file: flash:/vrpcfg1.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL

8.3 Specifying a File for System Startup


You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the switch.

8.3.1 Establishing the Configuration Task


Before specifying a file for system startup, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain any data required for the configuration.

Applicable Environment
To enable the switch to provide user-defined configurations during the next startup, you need
to correctly specify the system software and configuration file for the next startup.

Pre-configuration Tasks
Before specifying a file for system startup, install and power on the switch properly.

Data Preparation
To specify a file for system startup, you need the following data.

No.  Data
1    System software and its file name on the S6700
2    Configuration file and its file name on the device


8.3.2 Configuring System Software for a switch to Load for the Next
Startup
If you need to upgrade system software of a switch, you can specify the switch system software
to be loaded at the next startup.

Context
The system will continue to load the current system software at each startup until different system
software is specified for the next system startup. To change system software for the next startup,
you need to specify the system software you require.

The file name extension of the system software must be .cc and the file must be stored in the
root directory of a storage device.

Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]

The S6700 system software to be loaded at the next startup of the switch is configured.

The system software package must use .cc as the extension and be saved to the root directory of
the flash memory.

If the BootROM version of the next startup software that you specify is different from the
current BootROM version, the system prompts you to upgrade the BootROM.

----End

8.3.3 Configuring the Configuration File for a Switch to Load at the Next Startup

Before restarting a switch, you can specify which configuration file will be loaded at the next
startup.

Context
Run the display startup command on the switch to check whether a specific configuration file
is set to be loaded at the next startup. If a specific configuration file is not specified, the default
configuration file will be loaded at the next startup.

The file name extension of the configuration file must be .cfg or .zip, and the file must be stored
in the root directory of a storage device.

When the switch is powered on, it reads the configuration file from the flash memory by default
to initialize itself. The data in this configuration file is the initial configuration. If no
configuration file is saved in the flash memory, the switch initializes with default parameters.

Procedure
l Run:
startup saved-configuration configuration-file


A configuration file is saved for the switch to load at next startup.

----End

8.3.4 Checking the Configurations


After specifying a configuration file for system startup, you can check the content of the
configuration file and information about the files to be used at the next startup on the switch.

Prerequisites
A configuration file has been specified for system startup.

Procedure
l Run the display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to
check current configurations.
l Run the display saved-configuration [ last | time | configuration ] command to check the
contents of the configuration file to be loaded at next startup.
l Run the display startup command to check information about the files to be used at next
startup.

----End

Example
Run the display startup command to check information about the files to be used at next startup.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001.cc
Startup system software: flash:/S6700v200r001.cc
Next startup system software: flash:/S6700v200r001.cc
Startup saved-configuration file: flash:/vrpcfg1.cfg
Next startup saved-configuration file: flash:/vrpcfg1.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL

8.4 Configuration Examples


The example in this section shows how to configure system startup. The example explains
networking requirements, and provides a configuration roadmap and configuration notes.

8.4.1 Example for Configuring System Startup


This example shows how to configure system startup. In the example, a configuration file is
saved and the system software and configuration file to be loaded at the next startup are specified
so that the switch can start in a required manner.


Networking Requirements
After the switch is configured, new configurations take effect at next system startup.

Configuration Roadmap
The configuration roadmap is as follows:
1. Save the current configuration.
2. Specify the configuration file to be loaded at the next startup of the switch.
3. Specify the system software to be loaded at the next startup of the switch.

Data Preparation
To complete the configuration, you need the following data:
l Name of the configuration file
l File name of the system software

Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001c00b01.cc
Startup system software: flash:/S6700v200r001c00b01.cc
Next startup system software: flash:/S6700v200r001c00b01.cc
Startup saved-configuration file: flash:/test.cfg
Next startup saved-configuration file: flash:/test.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL

Step 2 Save the current configuration to the specified file.


<Quidway> save vrpcfg.cfg

The system asks you whether you want to save the current configuration to the file named
vrpcfg.cfg. Enter y to save the configuration.
Step 3 Specify the configuration file to be loaded at the next startup of the switch.
<Quidway> startup saved-configuration vrpcfg.cfg

Step 4 Specify the system software to be loaded at the next startup of the switch.
<Quidway> startup system-software S6700v200r001c00.cc

Step 5 Verify the configuration.


After the configuration is complete, run the following command to check which configuration
file and system software will be loaded at the next startup of the switch.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001c00b01.cc
Startup system software: flash:/S6700v200r001c00b01.cc
Next startup system software: flash:/S6700v200r001c00.cc
Startup saved-configuration file: flash:/test.cfg
Next startup saved-configuration file: flash:/vrpcfg.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL

----End

Configuration Files
None.
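As an added example that is not Huawei or S6700 code, the following Python parses display startup output in the format shown in 8.2.7 and in the example above, reports which startup items are pending a change at the next startup, and checks the next-startup files against the extension and root-directory rules stated in 8.3. The sample output is constructed, and the expected file names passed to check_next_startup() are assumptions for the example.

```python
"""Parse 'display startup' output and verify the next-startup files.

Added example, not Huawei or S6700 code.  The sample output is constructed
in the format the guide shows after the 'startup saved-configuration' and
'startup system-software' commands; the expected file names passed to
check_next_startup() are assumptions for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample output (same format as the guide's display startup).
DISPLAY_STARTUP_OUTPUT = """\
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001c00b01.cc
Startup system software: flash:/S6700v200r001c00b01.cc
Next startup system software: flash:/S6700v200r001c00.cc
Startup saved-configuration file: flash:/test.cfg
Next startup saved-configuration file: flash:/vrpcfg.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL
"""

# Rules the guide states for startup files: extension and root directory.
SOFTWARE_EXTENSIONS = (".cc",)
CONFIG_EXTENSIONS = (".cfg", ".zip")

_FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?):\s*(?P<value>.*?)\s*$")
_ROOT_PATH_RE = re.compile(r"^[A-Za-z0-9]+:/([^/]+)$")  # e.g. flash:/vrpcfg.zip


def parse_display_startup(output: str) -> Dict[str, str]:
    """Map each 'Field: value' line to a dict; NULL becomes '' (no file set)."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if line.startswith("<") or line.rstrip().endswith(":"):
            continue  # command prompt echo or a section header such as 'MainBoard:'
        m = _FIELD_RE.match(line)
        if m:
            value = m.group("value")
            fields[m.group("key")] = "" if value == "NULL" else value
    return fields


def valid_startup_path(path: str, extensions: Tuple[str, ...]) -> bool:
    """True if path is in the root of a storage device with an allowed extension."""
    m = _ROOT_PATH_RE.match(path)
    return bool(m) and m.group(1).lower().endswith(extensions)


def pending_changes(fields: Dict[str, str]) -> List[str]:
    """Items whose 'Next startup' value differs from the running 'Startup' value."""
    changed = []
    for key, value in fields.items():
        if key.startswith("Next startup "):
            item = key[len("Next startup "):]
            if fields.get("Startup " + item) != value:
                changed.append(item)
    return changed


def check_next_startup(fields: Dict[str, str], expected_software: str,
                       expected_config: str) -> List[str]:
    """Problems a pre-reboot check should raise; an empty list means all is well."""
    problems = []
    software = fields.get("Next startup system software", "")
    config = fields.get("Next startup saved-configuration file", "")
    if software != expected_software:
        problems.append(f"next startup system software is {software!r}, "
                        f"expected {expected_software!r}")
    if config != expected_config:
        problems.append(f"next startup configuration file is {config!r}, "
                        f"expected {expected_config!r}")
    if not valid_startup_path(software, SOFTWARE_EXTENSIONS):
        problems.append(f"{software!r} is not a .cc file in a storage-device root")
    if not config:
        problems.append("no configuration file set: the default one loads at next startup")
    elif not valid_startup_path(config, CONFIG_EXTENSIONS):
        problems.append(f"{config!r} is not a .cfg/.zip file in a storage-device root")
    return problems


if __name__ == "__main__":
    parsed = parse_display_startup(DISPLAY_STARTUP_OUTPUT)
    print("pending at next startup:", pending_changes(parsed))
    for problem in check_next_startup(parsed, "flash:/S6700v200r001c00.cc",
                                      "flash:/vrpcfg.cfg"):
        print("PROBLEM:", problem)
```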


9 Accessing Another Device

About This Chapter

To manage configurations or operate files of another device, you can access the device by using
Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.

9.1 Accessing Another Device


To manage configurations or use files on a device other than the device you are logged in to,
you can use Telnet, FTP, TFTP, or SSH to access that device.
9.2 Logging in to Other Devices Using Telnet
On most networks, multiple switches need to be managed and maintained, but it may be
impossible to connect some of these switches to a PC terminal. In other cases, there may be no
reachable route between a router and a PC terminal. You can log in to a local switch and then
use Telnet to log in to remote switches to complete management and maintenance tasks.
9.3 Logging in to Another Device Using STelnet
STelnet provides secure Telnet services. You can use STelnet to log in to another switch from
the switch that you have logged in to and manage the device remotely.
9.4 Accessing Files on Another Device Using TFTP
You can configure the switch as a TFTP client, and log in to the TFTP server to upload and
download files.
9.5 Accessing Files on Another Device Using FTP
This section describes how to configure a switch as an FTP client to log in to an FTP server, and
to upload files to or download files from the server.
9.6 Accessing Files on Another Device Using SFTP
SFTP is a secure FTP service. After the switch is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.
9.7 Accessing Files on Another Device by Using FTPS
The FTPS client and FTPS server authenticate each other's identities to ensure that only
authorized users can access the FTPS server, improving access security.
9.8 Accessing Files on Another Device by Using SCP
The SCP client sets up a secure connection with the SCP server so that the client can upload
files to the server or download files from the server.


9.9 Configuration Examples


This section describes examples of accessing another device. The examples explain networking
requirements, configuration notes, and the configuration roadmap.


9.1 Accessing Another Device


To manage configurations or use files on a device other than the device you are logged in to,
you can use Telnet, FTP, TFTP, or SSH to access that device.

Figure 9-1 Networking diagram for accessing another device from the switch (elements: PC,
Client, Network, Server)

As shown in Figure 9-1, when you run a terminal emulation or Telnet program on a PC to
connect to the switch, the switch can still function as a client to access another device on the
network. There are several ways to accomplish this.

9.1.1 Telnet Method


To configure and manage a remote device on the network, you can use the switch that you have
logged in to as a client to log in to that device.

Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and
a virtual terminal service.

The S6700 provides the following Telnet services:

l Telnet server: You can run the Telnet client program on a PC to log in to a switch to complete
configuration and management tasks. The switch acts as a Telnet server.
l Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the switch. You can then run the telnet command to log in to other
switches to configure and manage them. As shown in Figure 9-2, Switch A serves as both
a Telnet server and a Telnet client.

Figure 9-2 Telnet client services (elements: PC, SwitchA, SwitchB; Telnet Session 1, Telnet
Session 2, Telnet Server)

l Interruption of Telnet services


In a Telnet connection, two shortcut key combinations can terminate the connection.


As shown in Figure 9-3, Switch A logs in to Switch B through Telnet, and Switch B logs
in to Switch C through Telnet. Therefore, a cascade network is formed. In this case, Switch
A is the client of Switch B and Switch B is the client of Switch C. Figure 9-3 illustrates
the usage of shortcut keys.

Figure 9-3 Usage of Telnet shortcut keys (elements: SwitchA, SwitchB, SwitchC; Telnet Session 1,
Telnet Session 2, Telnet Client, Telnet Server)

Ctrl_]: The server interrupts the connection.


If the network connection is normal and you press Ctrl_], the Telnet server terminates the
current Telnet connection. For example:
<SwitchC>

Press Ctrl_] to return to the prompt of Switch B.


Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
Info: The connection was closed by the remote host.
<SwitchB>

Press Ctrl_] to return to the prompt of Switch A.


Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
Info: The connection was closed by the remote host.
<SwitchA>

NOTE

If a router becomes disconnected from the network, these shortcut keys are invalid. Instructions
cannot be sent to the server.
Ctrl_T: The client interrupts the connection.
If the server fails and the client is unaware of the failure, the client continues to transmit
data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet
connection.
For example:
<SwitchC>

Press Ctrl_T to terminate and quit a Telnet connection.


<SwitchA>

CAUTION
If remote login users are using all of the maximum number of VTY user interfaces allowed,
the system prompts that all user interfaces are in use and does not allow additional Telnet
logins.


9.1.2 FTP Method


To access files on a remote FTP server, you can use FTP to establish a connection between the
switch that you have logged in to and the remote FTP server.
FTP can transmit files between hosts and it provides users with common FTP commands for file
system management. That is, using an FTP client program not residing on the switch, you can
upload or download the files and access the directories on the router; using an FTP client program
residing on the switch, you can transfer files to the FTP servers of other devices.
FTP can transmit files between local and remote hosts, and is widely used for version upgrade,
log downloading, file transmission, and configuration saving.

9.1.3 TFTP Method


If network client/server interaction requirements are relatively simple, you can enable the TFTP
service on the switch that functions as a TFTP client to access files on a TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Unlike FTP, TFTP does not have a complex interactive access interface and authentication
control. TFTP is for use in environments where there is no complex interaction between the
client and the server. For example, TFTP is used to obtain a memory image of the system when
the system starts up.
Implementation of TFTP is based on the User Datagram Protocol (UDP).
The client initiates a TFTP transfer. To download files, the client sends a read request packet to
the TFTP server, receives packets from the server, and returns an acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives acknowledgement from the server.
TFTP uses two formats for file transfer:
l Binary format: transfers program files.
l ASCII format: transfers text files.
At present, the S6700 can only serve as a TFTP client and can only transfer files in binary format.
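The read/write request, data and acknowledgement exchange described above, as an added example that is not Huawei or S6700 code. The Python below builds the packets of RFC 1350, runs the client and server halves of a binary-mode upload (what the tftp ... put command in 8.2.5 performs) against each other in memory, and keeps the packet trace; the file content is constructed. The model also makes the point the section states plainly: no authentication step exists anywhere in the exchange.

```python
"""In-memory model of the TFTP transfer the guide's 'tftp ... put' command performs.

Added example, not Huawei or S6700 code.  It builds RFC 1350 packets (WRQ,
DATA, ACK), runs the client and server halves against each other in memory
and records the packet trace, so the exchange the section describes can be
inspected without a network.  The file contents are constructed.
"""
import struct
from typing import Dict, List, Tuple

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK = 1, 2, 3, 4
BLOCK_SIZE = 512  # a DATA block shorter than this ends the transfer


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL.  'octet' is binary mode,
    the only mode the guide says the S6700 client transfers in."""
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def parse_packet(packet: bytes) -> Tuple[int, Dict[str, object]]:
    """Decode one TFTP packet into (opcode, fields)."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return opcode, {"filename": filename.decode("ascii"),
                        "mode": mode.decode("ascii").lower()}
    if opcode == OP_DATA:
        (block,) = struct.unpack("!H", packet[2:4])
        return opcode, {"block": block, "data": packet[4:]}
    if opcode == OP_ACK:
        (block,) = struct.unpack("!H", packet[2:4])
        return opcode, {"block": block}
    raise ValueError(f"unsupported opcode {opcode}")


def tftp_put(filename: str, content: bytes) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Upload content as the client; return (bytes the server stored, packet trace)."""
    trace: List[Tuple[str, bytes]] = []
    stored = bytearray()

    def server(packet: bytes) -> bytes:
        # No credentials are ever exchanged: whoever reaches the port may write.
        opcode, fields = parse_packet(packet)
        if opcode == OP_WRQ:
            if fields["mode"] != "octet":
                raise ValueError("only binary (octet) transfers are modelled")
            return build_ack(0)  # a WRQ is acknowledged with block number 0
        if opcode == OP_DATA:
            stored.extend(fields["data"])
            return build_ack(fields["block"])
        raise ValueError("unexpected packet during upload")

    def exchange(packet: bytes) -> bytes:
        trace.append(("client", packet))
        reply = server(packet)
        trace.append(("server", reply))
        return reply

    _, ack = parse_packet(exchange(build_request(OP_WRQ, filename)))
    if ack["block"] != 0:
        raise RuntimeError("server did not accept the write request")
    block = 0
    while True:
        chunk = content[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE]
        block += 1
        _, ack = parse_packet(exchange(build_data(block, chunk)))
        if ack["block"] != block:
            raise RuntimeError(f"expected ACK {block}, got {ack['block']}")
        if len(chunk) < BLOCK_SIZE:
            break  # short (possibly empty) block: transfer complete
    return bytes(stored), trace


def data_blocks_sent(trace: List[Tuple[str, bytes]]) -> int:
    """Number of DATA packets the client sent in a trace."""
    return sum(1 for side, pkt in trace
               if side == "client" and parse_packet(pkt)[0] == OP_DATA)


# Constructed 1300-byte 'configuration file': 512 + 512 + 276 byte blocks.
SAMPLE_FILE = bytes(range(256)) * 5 + b"#" * 20

if __name__ == "__main__":
    received, packets = tftp_put("config.cfg", SAMPLE_FILE)
    print(f"server stored {len(received)} bytes in "
          f"{data_blocks_sent(packets)} DATA blocks, {len(packets)} packets total")
```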

9.1.4 SSH Method


Logging in to a remote device using SSH (including STelnet, SFTP and SCP) provides secure
communications between the remote device and the switch you are logged in to.

SSH Overview
When users on an insecure network use Telnet to log in to the switch, the Secure Shell (SSH)
feature provides authentication and keeps data secure. SSH defends the switch from IP address
spoofing and other such attacks, and protects the switch against the interception of plain text
passwords.
The SSH client function allows users to establish SSH connections with switches serving as SSH
servers or with UNIX hosts.

SSH Client Function


The S6700 supports the STelnet client function, SCP client function, and SFTP client function.


l STelnet client
STelnet is short for Secure Telnet.
Telnet does not provide secure authentication and TCP transmits data in plain text. This
creates security vulnerabilities. Denial of service (DoS) attacks, host IP address spoofing,
and route spoofing also threaten system security. Telnet services are vulnerable to network
attacks.
SSH implements secure remote access on insecure networks and has the following
advantages compared with Telnet:
– SSH supports RSA authentication and Digital Signature Algorithm (DSA)
authentication. SSH uses RSA authentication or DSA authentication to generate and
exchange public and private keys compliant with an asymmetric encryption system
that protects session security.
– SSH supports Data Encryption Standard (DES), 3DES, and AES encryption.
– SSH usernames and passwords are encrypted in communication between an SSH
client and server. This prevents password interception.
– SSH encrypts transmitted data.
If the STelnet server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
l SFTP client
SFTP is short for Secure FTP. You can log in to a device from a secure remote end to
manage files. This improves data transmission security when the remote system is updated.
The client function allows you to use SFTP to log in to the remote device for secure file
transmission.
If the SFTP server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
l SCP client
SCP allows you to log in to the device securely from a remote device to upload or download
files. Data transfer in this mode is much safer for remote system update. In addition, SCP
provides the client function so that a local device can log in to a remote device for secure
data transfer.
Unlike SFTP, SCP simplifies the file transfer process by combining user authentication and
file transfer, therefore improving configuration efficiency.

9.1.5 SSL Mode


Logging in to a remote device using SSL provides secure communications between the remote
FTPS server and the local device you are logged in to.

Overview
SSL is a cryptographic protocol that provides communication security over the Internet. It allows
a client and a server to communicate across a network in a way designed to prevent
eavesdropping by authenticating the server or the client. SSL has the following advantages:


l Provides high security assurance. It uses data encryption, authentication, and a message
integrity check to ensure secure data transmission over the network.
l Supports various application layer protocols. SSL is originally designed for securing World
Wide Web traffic. As SSL functions between the application layer and the transport layer,
it secures data transmission based on TCP connections for any application layer protocol.
l Is easy to deploy. Currently, SSL has become a world-wide communications standard for
authenticating Web site and Web page users and encrypting data transmitted between
browser users and Web servers.

SSL improves device security from the following aspects:

l Helps authorized users to securely access servers and prevents unauthorized users from
accessing servers.
l Encrypts data transmitted between a client and a server for data transmission security and
computes a digest for data integrity, which implements security management for devices.
l Defines an access control policy on a device based on certificate attributes to control the
access rights of clients, which prevents unauthorized users from attacking the device.

Basic Concepts
l Certificate Authority (CA)
A CA is an entity that issues, manages, and abolishes digital certificates. A CA checks the
validity of digital certificate owners, signs digital certificates to prevent eavesdropping and
tampering, and manages certificates and keys. The world-wide trusted CA is called a root
CA. The root CA can authorize other CAs as subordinate CAs. The CA identity is described
in a trusted-CA file.
For example, CA1 functions as the root CA and issues a certificate for CA2, CA2 then
issues a certificate for CA3 and so on, until CAn issues the final server certificate.
If CA3 issues the server certificate, certificate authentication on the client starts from server
certificate authentication. The CA3 certificate is used to authenticate the server certificate.
If authentication succeeds, the CA2 certificate is used to authenticate the CA3 certificate.
Finally, the CA1 certificate is used to authenticate the CA2 certificate. Server certificate
authentication succeeds only when the CA2 certificate has been authenticated by the CA1
certificate.
Figure 9-4 shows the certificate issuing and authentication processes.

Figure 9-4 Schematic diagram for certificate issuing and authentication

l Digital certificate
A digital certificate is an electronic document which uses a digital signature to bind a public
key with an identity. The digital certificate includes information such as the name of a
person or an organization that applies for the certificate, public key, digital signature
of the CA that issues the digital certificate, and validity period of the digital certificate. A
digital certificate validates the identities of two communicating parties, improving
communication reliability.
A user must obtain the public key certificate of the information sender in advance to decrypt
and authenticate information in the certificate. In addition, the user also needs the CA
certificate of the information sender to verify the identity of the information sender.
l Certificate Revocation List (CRL)
A CRL is a list of certificates that have been revoked, and therefore should not be relied
upon. The CRL is issued by a CA.
The lifetime of a digital certificate is limited. A CA can revoke a digital certificate to shorten
its lifetime. The lifetime of a CRL is usually shorter than the lifetime of certificates in the
CRL. If a CA revokes a digital certificate, the key pair defined in the certificate can no
longer be used even if the digital certificate does not expire. After a certificate in a CRL
expires, the certificate is deleted from the CRL to shorten the CRL.
Before using a digital certificate, the client checks the CRL. If the digital certificate is in
the CRL, the corresponding CA marks the digital certificate as expired, and adds a
certificate expiration list (CEL) when issuing a new CRL. After the CEL expires, it is
automatically deleted from the CRL.
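The chain walk (server certificate checked with CA3, CA3 with CA2, CA2 with the trusted root CA1) and the CRL check described in the Basic Concepts above, as an added Python example that is not part of this guide or of Huawei's software. The certificate record layout, the toy textbook-RSA signature over a SHA-256 digest with tiny constructed keys, the CRL as a set of (issuer, serial) pairs, and the names CA1, CA2, CA3 and ftps.example are assumptions for illustration; a real client parses X.509 and uses a proper signature scheme.

```python
"""Walk a certificate chain (server <- CA3 <- CA2 <- CA1 root) and consult a CRL.

Toy model of the verification order described above: signatures are textbook
RSA over a SHA-256 digest with tiny constructed keys, so this shows the chain
logic only, not a real X.509 implementation.
"""
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two constructed primes (toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))      # (public, private)


def _tbs(cert):
    """The 'to be signed' part of a certificate: everything except the signature."""
    n, e = cert["public_key"]
    return f'{cert["subject"]}|{cert["issuer"]}|{cert["serial"]}|{n}|{e}'.encode()


def _digest(data, modulus):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


def issue_cert(subject, serial, subject_pub, issuer_name, issuer_priv):
    """The issuer signs the subject's identity and public key with its private key."""
    cert = {"subject": subject, "issuer": issuer_name, "serial": serial,
            "public_key": subject_pub, "signature": None}
    n, d = issuer_priv
    cert["signature"] = pow(_digest(_tbs(cert), n), d, n)
    return cert


def signature_valid(cert, issuer_pub):
    """Verify the certificate's signature with the issuer's public key."""
    n, e = issuer_pub
    return pow(cert["signature"], e, n) == _digest(_tbs(cert), n)


def verify_chain(chain, trusted_roots, crl):
    """chain: [server, CA3, CA2, CA1], leaf first. trusted_roots: {subject: public key}
    (the trusted-CA file). crl: set of revoked (issuer, serial) pairs.
    Returns (ok, reason); the walk stops at the first failure."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False, f'{cert["subject"]}: issuer {cert["issuer"]} is not next in the chain'
        if not signature_valid(cert, issuer["public_key"]):
            return False, f'{cert["subject"]}: signature does not verify under {issuer["subject"]}'
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f'{cert["subject"]}: revoked by {cert["issuer"]}'
    root = chain[-1]
    if trusted_roots.get(root["subject"]) != root["public_key"]:
        return False, f'{root["subject"]}: not in the trusted-CA store'
    if root["issuer"] != root["subject"] or not signature_valid(root, root["public_key"]):
        return False, f'{root["subject"]}: root is not validly self-signed'
    return True, "ok"


# Constructed demonstration hierarchy: CA1 (root) -> CA2 -> CA3 -> server.
CA1_PUB, CA1_PRIV = make_keypair(1009, 1013)
CA2_PUB, CA2_PRIV = make_keypair(1019, 1021)
CA3_PUB, CA3_PRIV = make_keypair(1031, 1033)
SRV_PUB, SRV_PRIV = make_keypair(1039, 1049)

CA1_CERT = issue_cert("CA1", 1, CA1_PUB, "CA1", CA1_PRIV)          # self-signed root
CA2_CERT = issue_cert("CA2", 2, CA2_PUB, "CA1", CA1_PRIV)
CA3_CERT = issue_cert("CA3", 3, CA3_PUB, "CA2", CA2_PRIV)
SRV_CERT = issue_cert("ftps.example", 4, SRV_PUB, "CA3", CA3_PRIV)  # final server certificate
CHAIN = [SRV_CERT, CA3_CERT, CA2_CERT, CA1_CERT]
TRUSTED = {"CA1": CA1_PUB}                                          # contents of the trusted-CA file

if __name__ == "__main__":
    print(verify_chain(CHAIN, TRUSTED, crl=set()))
    print(verify_chain(CHAIN, TRUSTED, crl={("CA2", 3)}))          # CA3 revoked by CA2
```

Note the order: a revoked intermediate (CA3 in the second call) invalidates the server certificate even though the server certificate itself has not expired, which is the point the CRL paragraph above makes.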

Application
Currently, SSL is only used for FTPS and HTTPS applications (secure Web network
management is an HTTPS application).

l FTPS
FTPS that adds support for SSL is an extension to the commonly used FTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be
transmitted, and check message integrity, FTPS provides a secure FTP server access.
– Login to an FTPS server from a user terminal
An SSL policy is configured on the FTP server. After a digital certificate is loaded and
the FTPS server function is enabled on the server, you can log in to the server from a
terminal on which the SSL-capable FTP client software is installed to securely operate
files transmitted between the terminal and the server.
– Login to an FTPS server from an FTPS client
– An SSL policy needs to be configured and a trusted-CA file needs to be loaded to
an FTP client to verify the identity of the certificate owner, sign a digital certificate
to prevent eavesdropping and tampering, and manage the certificate and key.
– An SSL policy needs to be configured on and a digital certificate needs to be loaded
to an FTP server to verify the validity of the trusted-CA file. This ensures that only
authorized clients can log in to the server.
l HTTPS
HTTPS that adds support for SSL is an extension to the commonly used HTTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be
transmitted, and check message integrity, HTTPS provides a secure Web access.
An SSL policy is configured on the device that functions as an HTTP server. After a digital
certificate is loaded to and the HTTPS server function is enabled on the server, users can
log in to the server to remotely manage the server using web pages.


9.1.6 SCP Mode


Secure Copy Protocol(SCP) is based on SSH2.0. It guarantees secure file transfer on a traditional
insecure network by authenticating the client and encrypting data in bidirectional mode.
SCP is a technology used to remotely and securely copy files, including uploading and
downloading files. SCP commands are easy to run, improving the efficiency of network
maintenance.
SCP is developed based on the Remote Copy Protocol (RCP). RCP transmits data in plain text
mode, which is of low security. SCP is developed based on SSH, therefore enhancing the security
of data transmission.
SCP enables you to log in to the device securely from a remote device to upload or download
files. Data transfer in this mode is much safer for remote system update. In addition, SCP
provides the client function so that a local device can log in to a remote device for secure data
transfer.
Unlike SFTP, SCP simplifies the file transfer process by combining user authentication and file
transfer, therefore improving the configuration efficiency.

9.2 Logging in to Other Devices Using Telnet


On most networks, multiple switches need to be managed and maintained, but it may be
impossible to connect some of these switches to a PC terminal. In other cases, there may be no
reachable route between a router and a PC terminal. You can log in to a local switch and then
use Telnet to log in to remote switches to complete management and maintenance tasks.

9.2.1 Establishing the Configuration Task


Before configuring login to another device from the device that you have logged in to, familiarize
yourself with the usage scenario, complete the pre-configuration tasks, and obtain any data
required for the configuration.

Applicable Environment

Figure 9-5 Networking diagram for accessing another device from the device that you have
logged in to (PC, SwitchA, and SwitchB, linked through two networks)

As shown in Figure 9-5, you can use Telnet to log in to Switch A from a PC. You cannot,
however, manage Switch B remotely, because there is no reachable route between the PC and
Switch B. To manage Switch B remotely, you must use Telnet to log in to it from Switch A.
In this situation, Switch A functions as a Telnet client and Switch B functions as a server.


Pre-configuration Tasks
Before using Telnet to log in to another device on the network, complete the following tasks:

l 6.3 Logging in to Devices Using Telnet.


l Configure a reachable route between the client and Telnet server.

Data Preparation
To log in to another device by using Telnet, you need the following data:

No. Data

1 IP address or host name of SwitchB

2 Number of the TCP port used by the SwitchB to provide Telnet services

9.2.2 (Optional) Configuring a Source IP Address for a Telnet Client


You can configure a source IP address for a Telnet client and then use this address to set up a
Telnet connection from the client to server along a specific route.

Context
An IP address is configured for an interface on the switch and functions as the source IP address
of a Telnet connection. This allows for implementation of security checks.

The source of a client can be a source interface or a source IP address.

Perform the following steps on a switch that functions as a Telnet client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a Telnet client is configured.

After the configuration, the source IP address of the Telnet client displayed on the Telnet server
must be the same as the configured one.

----End

9.2.3 Logging in to Another Device by Using Telnet


You can use Telnet to log in to and manage another switch.


Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.

Perform the following steps on the switch that serves as a Telnet client:

Procedure
l Select and perform one of the following two steps for IPv4 or IPv6.
– Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i
interface-type interface-number ] host-name [ port-number ]

Log in to the switch and manage other switches.


– Run:
telnet ipv6 [ -a source-ip-address ] host-name [ -oi interface-type
interface-number ] [ port-number ]

Log in to the switch and manage other switches.

----End

9.2.4 Checking the Configurations


After you have logged in to another switch from the switch that you have logged in to, you can
check information about the established TCP connection.

Prerequisites
Logging in to another device has been configured.

Procedure
l Run the display tcp status command to check the status of all TCP connections.

----End

Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0 Established


9.3 Logging in to Another Device Using STelnet


STelnet provides secure Telnet services. You can use STelnet to log in to another switch from
the switch that you have logged in to and manage the device remotely.

9.3.1 Establishing the Configuration Task


Before configuring login to another device using STelnet, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.

Applicable Environment
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device that you have logged in to functions as a Telnet client, and the
device that you want to log in to functions as an SSH server.

Pre-configuration Tasks
Before logging in to another device by using STelnet, complete the following tasks:
l 6.4 Logging in to Devices Using STelnet.
l Configure a reachable route between the client and SSH server.

Data Preparation
To log in to another device using STelnet, you need the following data.

No. Data

1 Name of the SSH server, and public key that is assigned by the client to the SSH server

2 IPv4 or IPv6 address or host name of the SSH server, number of the port monitored
by the SSH server, preferred encryption algorithm for data from the SFTP client to
the SSH server, preferred encryption algorithm for data from the SSH server to the
SFTP client, preferred HMAC algorithm for data from the SFTP client to the SSH
server, preferred HMAC algorithm for data from the SSH server to the SFTP client,
preferred algorithm of key exchange
The user information for logging in to the SSH server


9.3.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)

After first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA or DSA public key when logging in to the SSH server for the first time.

Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.
After the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at next login.
Perform the following steps on the switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh client first-time enable

First-time authentication on the SSH client is enabled.


By default, first-time authentication on the SSH client is disabled.

NOTE

l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA or DSA public key validity and
cannot log in to the server.
TIP

To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA or
DSA public key in advance to the SSH server on the SSH client in addition to enabling first-time
authentication on the SSH client.

----End

9.3.3 Configuring the First Successful Login to Another Device (Allocating a Public Key to the SSH Server)

To configure the first successful login to another device on an SSH client, you must allocate an
RSA or DSA public key to the SSH server before the login.

Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA or DSA public key
validity check and cannot log in to the server. You must allocate an RSA or DSA public key to
the SSH server before the STelnet client logs in to the SSH server.

Perform the following steps on the switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der |
pem }

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key editing view is displayed.

Step 4 Run:
hex-data

The public key is edited.

The public key is a string of hexadecimal alphanumeric characters automatically generated by
an SSH client.

NOTE

l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the switch that functions as the client.

Step 5 Run:
public-key-code end

Quit the public key editing view.

l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-
key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:
peer-public-key end

Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname

The RSA or DSA public key is assigned to the SSH server.


NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.

----End
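A client-side model of the two procedures above (first-time authentication from 9.3.2 and a pre-assigned server key from 9.3.3), as an added Python example that is not code from this guide or from the S6700. The SshClientKeyStore class, the key_from_input normalisation of hex-data and PEM input, the SHA-256 fingerprint, and the sample key bytes are all constructed for this illustration; the S6700 stores and compares keys in its own way.

```python
"""Client-side check of an SSH server's public key under the two login modes above."""
import base64
import hashlib


def key_from_input(text):
    """Normalise a key pasted as hex-data or as a PEM block to raw bytes.
    (Toy normalisation for the demonstration; it does not parse the key structure.)"""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0].startswith("-----BEGIN"):
        body = "".join(ln for ln in lines if not ln.startswith("-----"))
        return base64.b64decode(body)
    return bytes.fromhex("".join(lines).replace(" ", ""))


def fingerprint(key_bytes):
    """SHA-256 fingerprint, the value an operator compares with the one shown on the server."""
    return hashlib.sha256(key_bytes).hexdigest()


class SshClientKeyStore:
    """Models the client's table of (server -> assigned public key) together with
    the 'ssh client first-time enable' switch."""

    def __init__(self, first_time_enable=False):
        self.first_time_enable = first_time_enable     # disabled by default, as on the device
        self.assigned = {}                              # server name or IP -> (key type, key bytes)

    def assign(self, server, key_type, key_bytes):
        """Counterpart of 'ssh client <server> assign { rsa-key | dsa-key } <keyname>'."""
        self.assigned[server] = (key_type, key_bytes)

    def unassign(self, server):
        """Counterpart of the undo form: drop the association so a new key can be assigned."""
        self.assigned.pop(server, None)

    def check(self, server, key_type, key_bytes):
        """Decide whether the key the server presents during key exchange is acceptable.
        Returns (accepted, reason)."""
        if server in self.assigned:
            if self.assigned[server] == (key_type, key_bytes):
                return True, "presented key matches the assigned key"
            return False, ("presented key differs from the assigned key (assigned "
                           f"{fingerprint(self.assigned[server][1])[:16]}, presented "
                           f"{fingerprint(key_bytes)[:16]}); refusing to connect")
        if self.first_time_enable:
            # No key assigned yet: accept it on this first login and keep it for the next one.
            self.assigned[server] = (key_type, key_bytes)
            return True, f"first-time login accepted; saved key {fingerprint(key_bytes)[:16]}"
        return False, "no key assigned for this server and first-time authentication is disabled"


# Constructed sample key material (not real keys): the same bytes once as hex-data,
# as pasted in the public key editing view, and once as a PEM block.
SERVER_KEY_HEX = "636f6e7374727563746564206b6579204120444552"
SERVER_KEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                  "Y29uc3RydWN0ZWQga2V5IEEgREVS\n"
                  "-----END PUBLIC KEY-----\n")
OTHER_KEY_HEX = "636f6e7374727563746564206b6579204220444552"   # a different constructed key

if __name__ == "__main__":
    client = SshClientKeyStore(first_time_enable=True)
    server_key = key_from_input(SERVER_KEY_PEM)
    print(client.check("10.137.128.216", "rsa", server_key))                   # accepted and saved
    print(client.check("10.137.128.216", "rsa", key_from_input(OTHER_KEY_HEX)))  # refused: key changed
```

With first-time authentication enabled the client is only protected from the second login onward, so the TIP above (assign the server's key in advance) is the setting to prefer on a network where the first connection itself could be intercepted; a changed key after that point is refused rather than silently replaced, and the operator has to run the undo form deliberately.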

9.3.4 Logging in to Another Device Using STelnet


You can use STelnet to log in to an SSH server from an SSH client.

Context
When accessing an SSH server, an STelnet client can carry the source address and the VPN
instance name, can choose the key exchange algorithm, encryption algorithm, or HMAC
algorithm, and can configure the keepalive function.
Perform the following steps on the switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 According to the address type of the SSH server, select and run one of the following two
commands.
For IPv4 addresses,
Run the stelnet host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { dsa
| rsa } ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1
| sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] |
[ -ki aliveinterval ] | [ -kc alivecountmax ] ] * command. You can log in to the SSH server through
STelnet.
For IPv6 addresses,
Run the stelnet ipv6 host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ identity-key
{ dsa | rsa } ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher
{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 |
md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * command. You can log in to the SSH
server through STelnet.

----End

9.3.5 Checking the Configurations


After configuring login to another device using STelnet, you can check the mappings between
all SSH servers of the STelnet client and the RSA or DSA public keys on the client, the global
configurations of the SSH servers, and information about sessions between the SSH servers and
the STelnet client.


Prerequisites
Logging in to another device by using STelnet has been configured.

Procedure
l Run the display ssh server-info command to check the mappings between all SSH servers
of the SSH client and the RSA or DSA public keys on the client.

----End

Example
Run the display ssh server-info command to view the mappings between all servers of the SSH
client and the RSA or DSA public keys on the SSH client.
<Quidway> display ssh server-info
Server Name(IP) Server Public Key Type Server public key name
______________________________________________________________________________

10.137.128.216 RSA 10.137.128.216


10.137.128.217 RSA 10.137.128.217
10.137.128.217 DSA
sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1 RSA 127.0.0.1
127.0.0.1 DSA 10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1
RSA 1fff:00ffff:00ffff:
0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA 1fff:00ffff:ffff:00ffff:
000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA 1fff:ffff:ffff:00ffff:
000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1
RSA
1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2 RSA 8.1.1.2

9.4 Accessing Files on Another Device Using TFTP


You can configure the switch as a TFTP client, and log in to the TFTP server to upload and
download files.

9.4.1 Establishing the Configuration Task


Before configuring access to another device using TFTP, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.

Applicable Environment
You can use TFTP in a simple interaction environment to transfer files between a server and
a client.

The current switch functions as a TFTP client, and the switch to be accessed functions as a TFTP
server.


Pre-configuration Tasks
Before configuring access to another device using TFTP, configure a reachable route between
the client and TFTP server.

Data Preparation
To access another device using TFTP, you need the following data.

No. Data

1 (Optional) Source address or source interface of the switch that functions as a TFTP
client

2 IP address or host name of the TFTP server

3 Name of the specific file in the TFTP server and the file directory

9.4.2 (Optional) Configuring a Source IP Address for a TFTP Client


You can configure a source IP address for a TFTP client and then use the source IP address to
set up a TFTP connection from the TFTP client to the server along a specific route.

Context
An IP address is configured for an interface on the switch and functions as the source IP address
of a TFTP connection. This allows implementation of security checks.

The source address of a client can be configured as a source interface or a source IP address.

Perform the following steps on a switch that functions as a TFTP client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.

----End

9.4.3 (Optional) Configuring TFTP Access Authority


This section describes how to use an ACL rule to specify which TFTP servers can be accessed
by using TFTP from the switch that you have logged in to.


Context
An Access Control List (ACL) is a set of sequential rules. Rule descriptions are based on the
source addresses, destination addresses, and port numbers of packets. Switches use ACL rules to
filter packets. When a rule is applied to an interface on a switch, the switch permits or denies
packets based on the rule.

An ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,
and advanced ACL based on the functions of ACL rules.

NOTE

TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).

Perform the following steps on the switch that serves as the TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *

The ACL rule is configured.

Step 4 Run:
quit

The system view is displayed.

Step 5 According to the address type of the TFTP server, select and run one of the following two
commands.
l For IPv4 addresses,
Run the tftp-server acl acl-number command. You can use the ACL to limit the access to
the TFTP server.
l For IPv6 addresses,
Run the tftp-server ipv6 acl acl6-number command. You can use the ACL to limit the access
to the TFTP server.

----End

9.4.4 Downloading Files Using TFTP


You can download files from a TFTP server to a TFTP client.

Perform the following steps on the switch that serves as the TFTP client:


Procedure
l Run the following commands according to the type of the server IP addresses.
– The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-
server [ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]

The switch is configured to download files through TFTP.


– The IP address of the server is IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ interface-type
interface-number ] get source-filename [ destination-filename ]

The switch is configured to download files using TFTP.

----End

9.4.5 Uploading Files Using TFTP


You can upload files from a TFTP client to a TFTP server.

Perform the following steps on the switch that serves as the TFTP client:

Procedure
l Run the following commands according to the type of the server IP addresses.
– The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-
server [ public-net | vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]

The switch is configured to upload files using TFTP.


– The IP address of the server is IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type
interface-number ] put source-filename [ destination-filename ]

The switch is configured to upload files using TFTP.

----End

9.4.6 Checking the Configurations


When a device is configured as a TFTP client, you can check the source address of the client
and the configured ACL rule.

Prerequisites
Configurations for using the device as a TFTP client are complete.

Procedure
l Run the display tftp-client command to check the device address that is set to the source
address of the TFTP client.
l Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.

----End


Example
Run the display tftp-client command to view the source address of the TFTP client.
<Quidway> display tftp-client
The source address of TFTP client is 1.1.1.1.

Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is
configured on the TFTP client.
<Quidway> display acl 2001
Basic ACL 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 2.2.2.2 0

9.5 Accessing Files on Another Device Using FTP


This section describes how to configure a switch as an FTP client to log in to an FTP server, and
to upload files to or download files from the server.

9.5.1 Establishing the Configuration Task


Before configuring the use of FTP to access files on another device, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.

Applicable Environment
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the switch that you have logged in to as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.

Pre-configuration Tasks
Before configuring the use of FTP to access files on another device, configure a reachable route
between the switch and the FTP server.

Data Preparation
To configure the use of FTP to access files on another device, you need the following data:

No. Data

1 (Optional) Source IP address or source interface of the switch functioning as an FTP
client

2 Host name or IP address of the FTP server, port number of connecting FTP, login
username and password

3 Local file names and file names on the remote FTP server, name of the working
directory on the remote FTP server, name of the working directory on the local FTP
client, or directory name of the remote FTP server


9.5.2 (Optional) Configuring the Source IP Address and Interface of the FTP Client

This section describes how to configure the source IP address and interface of an FTP client to
connect to an FTP server.

Prerequisites
An IP address is configured for an interface on the switch and functions as the source IP address
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ftp client-source { -a source-ip-address | -i interface-type interface-number }

The source address of the FTP client is configured.


After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.

----End

9.5.3 Connecting to Other Devices Using FTP Commands


You can run FTP commands to log in to other devices from the switch that functions as the FTP
client.

Context
You can log in to the FTP server in the user view or the FTP view.
Perform the following steps on the switch that serves as the client:

Procedure
Step 1 Run the following commands according to types of the server IP address.
l If the IP address of the server is an IPv4 address, do as follows:
– In the user view, establish a connection to the FTP server.
Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-
number ] [ public-net | vpn-instance vpn-instance-name ]

The switch is connected to the FTP server.


– In the FTP view, establish a connection to the FTP server.


1. In the user view, run:
ftp

The FTP view is displayed.


2. Run:
open [ -a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ public-net | vpn-instance vpn-instance-name ]

The switch is connected to the FTP server.


NOTE

Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After a default VPN instance is configured,
it will be used for FTP operations.
l If the IP address of the server is an IPv6 address, do as follows:
– In the user view, establish a connection to the FTP server.
Run:
ftp ipv6 host [ port-number ]

The switch is connected to the FTP server.


– In the FTP view, establish a connection to the FTP server.
1. In the user view, run:
ftp

The FTP view is displayed.


2. Run:
open ipv6 host-ipv6-address [ port-number ]

The switch is connected to the FTP server.

----End

9.5.4 Managing Files Using FTP Commands


After logging in to an FTP server, you can use FTP commands to manage files. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.

Context
After logging in to an FTP server, you can perform the following operations:

l Configure a data type for transmission files and a file transmission method.
l Check the online help about FTP commands in the FTP client view.
l Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
l Create directories on or delete directories from the FTP server.
l Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.

After logging in to the switch that functions as a client and entering the FTP client view, you
can perform the following steps:


Procedure
l Configure the data type and transmission mode for the file.
– Run:
ascii | binary

The data type of the file to be transmitted is ascii or binary mode.


NOTE

FTP supports both ASCII and binary files. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate carriage returns from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
Clients can select an FTP transmission mode as required. The system defaults to the ASCII
transmission mode. The client can use a mode switch command to switch between the ASCII
mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is
used to transmit binary files.
– Run:
passive

The passive file transfer mode is configured.


– Run:
verbose

The verbose mode for FTP is enabled.


When verbose is enabled, all FTP responses are displayed. After a file transmission
completes, efficiency statistics are displayed.
l View online help for FTP commands.
remotehelp [ command ]

The online help of the FTP command is displayed.


l Upload or download files.
– Upload or download a file.
– Run:
put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.


– Run:
get remote-filename [ local-filename ]

The FTP file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
– Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
– Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE

l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.


l Run one or more of the following commands in order to manage directories.


– Run:
cd pathname

The working path of the remote FTP server is specified.


– Run:
cdup

The working path of the FTP server is switched to the upper-level directory.
– Run:
pwd

The specified directory of the FTP server is displayed.


– Run:
lcd [ local-directory ]

The directory of the FTP client is displayed or changed.


– Run:
mkdir remote-directory

A directory is created on the FTP server.


– Run:
rmdir remote-directory

A directory is removed from the FTP server.


NOTE

l A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
l When running the mkdir /abc command, you create a sub-directory named "abc".
l Run one or more of the following commands to manage files.
– Run:
ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
If local-filename is configured, the remote file can be saved in another local file.
– Run:
dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
If local-filename is configured, the remote file can be saved in another local file.
– Run:
delete remote-filename

The specified file on the FTP server is deleted.


If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.

----End


9.5.5 Changing Login Users


After logging in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.

Context
If you are logged in to the S6700 functioning as an FTP client, you can switch to a different
username and log in to the FTP server without logging out of the FTP client view. The FTP
connection established in this way is identical to that established by running the ftp command.

Perform the following steps on the switch that functions as a client:

Procedure
l Run:
user user-name [ password ]

The user that logged in to the FTP server earlier is changed and the new user logs in to the
server.

When the username that is used to log in to the FTP server is changed, the original
connection between the user and the FTP server is interrupted.

----End

9.5.6 Disconnecting from the FTP Server


You can terminate the connection with an FTP server and return to the user view or FTP view.

Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.

Perform the following steps on the switch that serves as the client.

Procedure
l Run one of the following commands depending on your system configurations.
– Run:
bye

Or,
quit

The client switch is disconnected from the FTP server.


Return to the user view.
– Run:
close

Or,
disconnect

The client switch is disconnected from the FTP server.


Return to the FTP view.

----End

9.5.7 Checking the Configurations


After the configurations for accessing other devices using FTP are complete, you can view the
source parameters configured on the FTP client.

Prerequisites
Accessing other devices using FTP has been configured.

Procedure
l Run the display ftp-client command to view the source parameters of the FTP client.

----End

Example
Run the display ftp-client command to view the source parameters of the FTP client.
<Quidway> display ftp-client
The source address of FTP client is 1.1.1.1.

9.6 Accessing Files on Another Device Using SFTP


SFTP is a secure FTP service. After the switch is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.

9.6.1 Establishing the Configuration Task


Before configuring the use of SFTP to access files on another device, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.

Applicable Environment
SFTP is a secure FTP protocol. SFTP is based on SSH. It allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
switch that functions as an SFTP client.

Pre-configuration Tasks
Before configuring the use of SFTP to access files on another device, configure a reachable route
between the client and SSH server.

Data Preparation
To use SFTP to access files on another device, you need the following data:


No. Data

1 (Optional) Name of the SSH server

2 (Optional) Public key that is assigned by the client to the SSH server

3 IPv4 or IPv6 address or host name of the SSH server

4 Number of the port monitored by the SSH server, preferred encryption algorithm for
data from the SFTP client to the SSH server, preferred encryption algorithm for data
from the SSH server to the SFTP client, preferred HMAC algorithm for data from the
SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH
server to the SFTP client, preferred algorithm of key exchange, name of the outgoing
interface, source address
User information for logging in to the SSH server

5 Name and directory of a specified file on the SSH server

9.6.2 Configuring the First Successful Login to Another Device (Enabling the First-Time
Authentication on the SSH Client)

After first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.

Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.
After the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at next login.
Perform the following steps on the switch that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ssh client first-time enable

First-time authentication on the SSH client is enabled.


By default, first-time authentication on the SSH client is disabled.


NOTE

l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA or DSA public key validity and
cannot log in to the server.
TIP

To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA or
DSA public key in advance to the SSH server on the SSH client in addition to enabling first-time
authentication on the SSH client.

----End

9.6.3 Configuring the First Successful Login to Another Device (Allocating a Public Key to
the SSH Server)

To configure the first successful login to another device on an SSH client, you must allocate an
RSA or DSA public key to the SSH server before the login.

Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA or DSA public key validity
check and cannot log in to the server.

Perform the following steps on the switch functioning as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der |
pem }

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key editing view is displayed.

Step 4 Run:
hex-data

The public key is edited.

The public key is a string of hexadecimal alphanumeric characters automatically generated by
an SSH client.


NOTE

l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the switch that functions as the client.

Step 5 Run:
public-key-code end

Quit the public key editing view.

l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-
key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:
peer-public-key end

Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname

The RSA or DSA public key is assigned to the SSH server.

NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.

----End
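As an added illustration of the two login paths in 9.6.2 and 9.6.3 (Python written for this guide, not Huawei's code or the switch's implementation), the model below keeps the per-server public-key table that display ssh server-info lists and applies the first-time rule: with no stored key, ssh client first-time enable accepts and saves the presented key, otherwise the login is refused; once a key is stored it is always compared. The key blobs, the SHA-256 fingerprinting and the rotate helper are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed placeholder "hex-data" blobs standing in for the RSA/DSA public key
# pasted between public-key-code begin and public-key-code end. Not real keys.
SERVER_KEY_HEX = "3082010A0282010100C0FFEE01" * 3
SERVER_KEY_HEX_ROTATED = "3082010A0282010100BADC0DE2" * 3


def fingerprint(hex_data: str) -> str:
    """SHA-256 fingerprint of the raw key bytes, ignoring whitespace in the hex dump."""
    raw = bytes.fromhex("".join(hex_data.split()))
    return hashlib.sha256(raw).hexdigest()


@dataclass
class SshClientKeyStore:
    """Client-side view of the server-to-key table that 'display ssh server-info' lists."""
    first_time_enabled: bool = False                 # ssh client first-time enable
    assigned: dict = field(default_factory=dict)     # (server, key_type) -> fingerprint

    def assign(self, server: str, key_type: str, hex_data: str) -> None:
        """ssh client <server> assign { rsa-key | dsa-key } <keyname>."""
        self.assigned[(server, key_type)] = fingerprint(hex_data)

    def unassign(self, server: str, key_type: str) -> None:
        """undo ssh client <server> assign { rsa-key | dsa-key }."""
        self.assigned.pop((server, key_type), None)

    def verify_server(self, server: str, key_type: str, presented_hex: str) -> str:
        """Decide whether the SFTP client may continue the login.

        No stored key: first-time enable accepts the presented key and saves it for
        the next login; without it the login fails. A stored key is always compared,
        so a changed server key is rejected even with first-time enable on (assumption
        of this model, matching the re-keying NOTE above).
        """
        presented = fingerprint(presented_hex)
        stored = self.assigned.get((server, key_type))
        if stored is None:
            if self.first_time_enabled:
                self.assigned[(server, key_type)] = presented
                return "accepted-first-time-saved"
            return "rejected-no-key"
        if stored == presented:
            return "accepted"
        return "rejected-key-mismatch"


def rotate_server_key(store: SshClientKeyStore, server: str, key_type: str, new_hex: str) -> str:
    """Re-keying sequence from the NOTE: undo the assignment, then assign the new key."""
    store.unassign(server, key_type)
    store.assign(server, key_type, new_hex)
    return store.verify_server(server, key_type, new_hex)


if __name__ == "__main__":
    store = SshClientKeyStore()
    print(store.verify_server("10.137.128.216", "rsa", SERVER_KEY_HEX))  # rejected-no-key
    store.first_time_enabled = True
    print(store.verify_server("10.137.128.216", "rsa", SERVER_KEY_HEX))  # accepted-first-time-saved
    print(store.verify_server("10.137.128.216", "rsa", SERVER_KEY_HEX_ROTATED))  # rejected-key-mismatch
    print(rotate_server_key(store, "10.137.128.216", "rsa", SERVER_KEY_HEX_ROTATED))  # accepted
```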

9.6.4 Connecting to Other Devices by Using SFTP


You can use SFTP to log in to an SSH server from an SSH client.

Context
The command for enabling an SFTP client is similar to that of STelnet. When accessing an SSH
server, SFTP can carry the source address and the name of the VPN instance and choose the key
exchange algorithm, encryption algorithm, and HMAC algorithm, and configure the keepalive
function.

Perform the following steps on the switch that serves as an SSH client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations
below.


l For IPv4 addresses,
Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des |
aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc
alivecountmax ] | [ identity-key { dsa | rsa } ] ] *

You can log in to the SSH server through SFTP.


l For IPv6 addresses,
Run:
sftp ipv6 [[ -a source-address | -oi interface-type interface-number ] |
[ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] | [ -ki aliveinterval] |[ -kc
alivecountmax ] | [ identity-key { dsa | rsa } ] ]* host-ipv6 [ port ]

----End

9.6.5 Managing Files Using SFTP Commands


You can use an SFTP client to manage directories and files on the SSH server, and check the
command help on the SFTP client.

Context
After logging in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:

l Create or delete directories on the SSH server, display the current working directory, or
display the specified directory and information about the file in the specified directory.
l Change file names, delete files, display a file list, and upload or download files.
l Display the SFTP client command help.

After logging in to the switch that functions as an SSH client and entering the SFTP client view,
you can perform the following steps:

Procedure
l Manage directories.

Perform the following steps as required:

– Run:
cd [ remote-directory ]

The current operating directory of users is changed.


– Run:
cdup

The view is switched to a directory one level up.


– Run:
pwd


The current operating directory of users is displayed.


– Run:
dir / ls [ remote-directory ]

A list of files in the specified directory is displayed.


– Run:
rmdir remote-directory & <1-10>

The directory on the server is deleted.


– Run:
mkdir remote-directory

A directory is created on the server.


l Manage files.

Perform the following steps as required:

– Run:
rename old-name new-name

The name of the specified file on the server is changed.


– Run:
get remote-filename [local-filename]

The file on the remote server is downloaded.


– Run:
put local-filename [remote-filename]

The local file is uploaded to the remote server.


– Run:
remove remote-filename

The file on the server is removed.


l Display the SFTP client command help.
help [all | command-name ]

The SFTP client command help is displayed.

----End

9.6.6 Checking the Configurations


After using SFTP to log in to another device, you can view the source address of the SSH client,
mappings between all SSH servers and the RSA, or DSA public keys on the client, global
configurations of the SSH servers, and sessions between the SSH servers and the client.

Prerequisites
The configuration for using SFTP to access files on another device is complete.

Procedure
l Run the display ssh server-info command to check the mapping between the SSH server
and the RSA or DSA public key on the SSH client.

----End


Example
Run the display ssh server-info command to view the mappings between all servers and the
RSA or DSA public keys on the SSH client.
<Quidway> display ssh server-info
Server Name(IP)                                Server Public Key Type  Server public key name
______________________________________________________________________________
10.137.128.216                                 RSA                     10.137.128.216
10.137.128.217                                 RSA                     10.137.128.217
10.137.128.217                                 DSA                     sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1                                      RSA                     127.0.0.1
127.0.0.1                                      DSA                     10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1   RSA                     1fff:00ffff:00ffff:0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1 RSA                     1fff:00ffff:ffff:00ffff:000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1   RSA                     1fff:ffff:ffff:00ffff:000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1 RSA                     1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2                                        RSA                     8.1.1.2

Server Name(IP)                                Server Public Key Type  Server public key name
______________________________________________________________________________
10.1.1.1                                       RSA                     key1

9.7 Accessing Files on Another Device by Using FTPS


The FTPS client and FTPS server authenticate each other's identities to ensure that only
authorized users can access the FTPS server, improving access security.

9.7.1 Establishing the Configuration Task


Before configuring the use of FTPS to access files on another device, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data can easily be tampered
with, which poses security threats.
l Configure an SSL policy on the FTP client and load a trusted-CA file to the client.
l Configure an SSL policy on the FTP server and load a digital certificate to the server.

The client uses the trusted-CA file and digital certificate to authenticate the server so that the
authorized client can access the correct server.

As shown in Figure 9-6,


l An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP
client to verify the identity of the certificate owner, sign a digital certificate to prevent
eavesdropping and tampering, and manage the certificate and key.
l An SSL policy needs to be configured on and a digital certificate needs to be loaded to an
FTP server to verify the validity of the trusted-CA file. This ensures that only authorized
clients can log in to the server.

Figure 9-6 Accessing Files on Another Device by Using FTPS
[Figure: FTP-Client, VLANIF20 1.1.1.1/24; Network; FTP-Server, VLANIF30 1.1.1.2/24;
VLANIF40 192.168.0.2/24; PC1]

If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.

Pre-configuration Tasks
Before configuring the use of FTPS to access files on another device, complete the following
tasks:
l Load a trusted-CA file to the sub-directory named security of the system directory on the
FTPS client.
l Load a digital certificate to the sub-directory named security of the system directory on
the FTPS server.

Data Preparation
To use FTPS to access files on another device, you need the following data:

No. Data

1 SSL policy name, trusted-CA file, (optional) CRL file, and IP address of the FTPS
client

2 Digital certificate and IP address of the FTPS server

9.7.2 Configuring the FTPS Client


An SSL policy needs to be configured on and a trusted-CA file needs to be loaded to an FTP
client. The FTPS client can use the trusted-CA file to authenticate an FTPS server to ensure that
only authorized users can log in to the FTPS server.


Context
A trusted-CA file can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
l The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.

A CRL file can be in either the ASN1 or PEM format. These two formats represent the same
contents.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssl policy policy-name

An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a trusted-CA file.

Run one of the following commands as required:

l Run:
trusted-ca load pem-ca ca-filename

A PEM trusted-CA file is loaded.


l Run:
trusted-ca load asn1-ca ca-filename

An ASN1 trusted-CA file is loaded.


l Run:
trusted-ca load pfx-ca ca-filename auth-code auth-code

A PFX trusted-CA file is loaded.

A maximum of four trusted-CA files can be loaded to an SSL policy. If multiple trusted-CA
files are loaded, these files will be added to the existing trusted-CA file list.

NOTE

l If the trusted-CA file configured on the FTPS server contains only one certificate, configure all the
trusted-CA certificates of upper levels to the root CA certificate on the client.
l If a certificate chain is configured on the FTPS server, configure only the root CA certificate on the
client.

Step 4 (Optional) Run:
crl load { pem-crl | asn1-crl } crl-filename

A CRL is loaded.


A maximum of two CRL files can be loaded to an SSL policy. If multiple CRL files are loaded,
these files will be added to the existing CRL file list.

----End

9.7.3 Configuring the FTPS Server


FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to
authenticate the identities of the client and server and encrypt data to be transmitted, FTPS
implements security management of devices.

Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.

NOTE

A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
The PEM format is applicable to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.

Perform the following steps on the device that functions as an FTPS server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssl policy policy-name

An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a digital certificate.

Run one of the following commands as required:


l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-
filename auth-code auth-code

A PEM digital certificate is loaded.


l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-
filename

An ASN1 digital certificate is loaded.


l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code |
key-file key-filename } auth-code auth-code

A PFX digital certificate is loaded.


l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-
filename auth-code auth-code

A PEM digital certificate chain is loaded.


NOTE

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.

Step 4 Run:
quit

Return to the system view.


Step 5 Run:
ftp secure-server ssl-policy policy-name

The SSL policy is applied to the FTPS server function of the device.


Step 6 Run:
ftp secure-server enable

The FTPS server function is enabled.


By default, the FTPS server function is disabled.

NOTE

Before enabling the FTPS server function, disable the FTP server function.

----End

9.7.4 Accessing an FTPS Server


You can use specified commands to log in to an FTPS server from an FTPS client to remotely
manage the FTPS server.

Procedure
l On an IPv4 network:
In the user view, run:
ftp ssl-policy policy-name [ [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ] ]

A control connection is established with a remote FTPS server and the FTP client view is
displayed.

l On an IPv6 network:
In the user view, run:
ftp ssl-policy policy-name ipv6 host [ port-number ]

A control connection is established with a remote FTPS server and the FTP client view is
displayed.
----End

Follow-up Procedure
The client can log in to the server only after the entered user name and password have been
authenticated by the server. After logging in to the FTPS server, you can operate files on the FTPS
server in the same way as on an FTP server. Table 9-1 lists file operations on an FTP server.

Table 9-1 File operations

Managing files

Configuring the file type
l Run the ascii command to set the file type to ASCII.
l Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used.

Configuring the data connection mode
l Run the passive command to set the data connection mode to PASV.
l Run the undo passive command to set the data connection mode to PORT.
By default, the PASV mode is used.

Uploading files
l Run the put local-filename [ remote-filename ] command to upload a file from the local device
to a remote server.
l Run the mput local-filenames command to upload files from the local device to a remote server.

Downloading files
l Run the get remote-filename [ local-filename ] command to download a file from a remote server
and save the file on the local device.
l Run the mget remote-filenames command to download files from a remote server and save the
files on the local device.

Enabling the file transfer prompt function
l If the prompt command is run in the FTP client view to enable the file transfer prompt function,
the system prompts you to confirm the uploading or downloading operation during file uploading
or downloading.
l If the prompt command is run again in the FTP client view, the file transfer prompt function is
disabled.
NOTE
The prompt command is applicable to the scenario where the mput or mget command is used to
upload or download files. If the local device already has the files to be downloaded by running the
mget command, the system prompts you whether to overwrite the existing ones regardless of
whether the file transfer prompt function is enabled.

Enabling the FTP verbose function
Run the verbose command.
After the verbose function is enabled, all FTP response information is displayed. After file
transfer is complete, statistics about the transmission rate are displayed.

Managing directories

Changing the working path of a remote FTP server
Run the cd pathname command.

Changing the working path of an FTP server to the parent directory
Run the cdup command.

Displaying the working path of an FTP server
Run the pwd command.

Displaying files in the directory and the list of sub-directories
Run the dir [ remote-directory [ local-filename ] ] command.
If no path name is specified for a specified remote file, the system searches for the file in the
authorized directory of the user.

Displaying a specified remote directory or file on an FTP server
Run the ls [ remote-directory [ local-filename ] ] command.

Displaying or changing the working path of an FTP client
Run the lcd [ directory ] command.
The lcd command displays the local working path of the FTP client, whereas the pwd command
displays the working path of the remote FTP server.

Creating a directory on an FTP server
Run the mkdir remote-directory command.
The directory name can be a combination of letters and numbers, excluding special characters
such as "<", ">", "?", "\", or ":".

Deleting a directory from an FTP server
Run the rmdir remote-directory command.

Displaying online help for an FTP command
Run the remotehelp [ command ] command.

Changing an FTP user
Run the user username [ password ] command.

9.7.5 Checking the Configurations


After using FTPS to log in to another device, you can check the SSL policy configured on the
FTPS client and on the FTPS server, the trusted-CA file loaded to the FTPS client, and the digital
certificate loaded to the FTPS server.

Prerequisites
The configuration for using FTPS to access files on another device is complete.

Procedure
l Run the display ssl policy command to check the SSL policy configured on and trusted-
CA certificate loaded to the FTPS client as well as the SSL policy configured on and digital
certificate loaded to the FTPS server.
l Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End

Example
Run the display ssl policy command on the FTPS client. The command output shows detailed
information about the configured SSL policy and loaded trusted-CA file.
<Quidway> display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

Run the display ftp-server command on the FTPS server. The command output shows that the
plain FTP server is stopped, the SSL policy name is ftp_server, and the FTPS server is running.
<Quidway> display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running

9.8 Accessing Files on Another Device by Using SCP


The SCP client sets up a secure connection with the SCP server so that the client can upload
files to the server or download files from the server.

9.8.1 Establishing the Configuration Task


Before configuring the use of SCP to access files on another device, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP allows file uploading
or downloading without user authentication and public key assignment, and also supports file
uploading or downloading in batches.

Pre-configuration Tasks
Before configuring the use of SCP to access files on another device, configure a reachable route
between the client and SCP server.

Data Preparation
To configure the use of SCP to access files on another device, you need the following data.

No. Data
1   Username, password, authentication mode, and service type of an SSH user
2   Port number of the SCP server, encryption algorithm for uploading or downloading files,
    source files to be uploaded or downloaded, destination files to be uploaded or downloaded,
    and (optional) source IPv4 or IPv6 address and source interface of the local device

9.8.2 Configuring the SCP Server


This section describes how to configure the SCP server by configuring an SSH user, creating a
local RSA or DSA key pair, enabling the SCP service, and establishing a secure connection
between the client and server to ensure secure remote access on an insecure network.

Context
SCP is a secure file transfer method based on SSH2.0. By default, user interfaces support Telnet.
A user interface must be configured to support SSH for users to log in to the device using SCP.
l The SSH user authentication modes are RSA, DSA, password, password-RSA, password-DSA,
and all. Password authentication depends on Authentication, Authorization and Accounting
(AAA). Before a user logs in to the device in password, password-RSA, or password-DSA
authentication mode, you must create a local user with the specified username in the AAA view.
l The device must be configured to generate local RSA or DSA key pairs, which are a key
part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA or DSA key pair. If an
SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
server and the client to generate local RSA or DSA key pairs.
You can perform the following steps to configure the SCP server:
1. Configure a VTY user interface to support SSH.
2. Configure an SSH user to ensure that the SCP client can log in to the SCP server.
a. Create an SSH user.
b. Generate a local RSA or DSA key pair.
c. Configure an authentication mode for the SSH user.
d. Configure a service type for the SSH user.
NOTE

For configurations about the basic SSH authentication item and command line authorization, see Step
5 and Step 6 in Configuring an SSH User and Specifying the Service Type.
3. Enable the SCP service to allow the SCP client to log in to the SCP server.

Procedure
Step 1 Configuring SSH for the VTY User Interface
1. Run:
system-view

The system view is displayed.


2. Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface is displayed.


3. Run:
authentication-mode aaa

The AAA authentication mode is configured.

NOTE

A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
4. Run:
protocol inbound ssh

The VTY user interface is configured to support SSH.


5. Run:
quit

Return to the system view from the VTY user interface view.
Step 2 Configuring an SSH User
Table 9-2 shows how to configure an SSH user.

Table 9-2 Configuring an SSH User

Procedure 1
Operation: Run the ssh user user-name command to create an SSH user in the system view.
Description: -

Procedure 2
Operation: Run the rsa local-key-pair create or dsa local-key-pair create command to generate
the local RSA or DSA key pair in the system view.
Description: After generating a local key pair, you can run the display rsa local-key-pair public
or display dsa local-key-pair public command to view the public key in the local key pair.

Procedure 3
Operation: Run the ssh user user-name authentication-type { password | rsa | password-rsa | all |
dsa | password-dsa } command to configure the authentication mode for SSH users.
Description:
l Configure password authentication for the SSH user.
– Run:
ssh user user-name authentication-type password

Password authentication is configured.

– Run:
ssh authentication-type default password

The default password authentication is configured.

For local authentication or HWTACACS authentication, if the number of SSH users is small, you
can use the former command; if the number of SSH users is large, use the latter command to
simplify the configuration.
l Configure RSA or DSA authentication for the SSH user.
1. Run:
ssh user user-name authentication-type { rsa | dsa }

RSA or DSA authentication is configured.

2. Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der | pem }

The public key view is displayed.

3. Run:
public-key-code begin

The public key editing view is displayed.

4. Run:
hex-data

The public key is edited.
NOTE
l Only strings complying with the public key format can be typed in the public key view. Each
string is randomly generated on an SSH client. For detailed procedures, see the manuals for the
SSH client software.
l After the public key editing view is displayed, an RSA or DSA public key generated on the
client can be sent to the server. Copy the RSA or DSA public key to the switch that serves as the
SSH server.

5. Run:
public-key-code end

Quit the public key editing view.
– If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key
end command is run.
– If the specified key-name is deleted in other views and the peer-public-key end command is
then run and the system view is displayed, the system prompts that the key does not exist.

6. Run:
peer-public-key end

Return to the system view from the public key view.

7. Run:
ssh user user-name assign { rsa-key | dsa-key } key-name

The public key is assigned to the SSH user.

NOTE
An SSH user is created. If password, password-DSA or password-RSA authentication is
configured for the SSH user, create the same SSH user in the AAA view and set the local user
access type to SSH.
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password cipher password command to configure a local
username and a password.
3. Run the local-user user-name service-type ssh command to set the local user access type to
SSH.
By default, a local user can use any access type. You can specify an access type to allow only
users configured with the specified access type to log in to the device.

Procedure 4
Operation: Run the ssh user username service-type { sftp | all } command to configure the
service type for the SSH user.
Description: By default, the service type of the SSH user is not configured.

Step 3 Run:
scp server enable

SCP services are enabled.

By default, SCP services are disabled.

----End

9.8.3 Configuring the SCP Client


The SCP client sets up a secure connection with the SCP server so that the client can upload
files to the server or download files from the server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
scp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address or a source interface is configured for the SCP client.


It is more secure to configure a source IP address for the SCP client and to use that source IP
address to set up the SCP connection between the client and server. At present, the source
interface must be a loopback interface.
Step 3 Upload files from the SCP client to the remote SCP server, or download files from the remote
SCP server to the SCP client.
l Based on an IPv4 address, run:
scp [ -port port-number | { public-net | vpn-instance vpn-instance-name } | { -a source-ip-address | -i interface-type interface-number } | -r | identity-key { dsa | rsa } | -cipher { des | 3des | aes128 } | -c ] * source-filename destination-filename
l Based on an IPv6 address, run:
scp ipv6 [ -port port-number | { public-net | vpn-instance vpn-instance-name } | -a source-ip-address | -r | identity-key { dsa | rsa } | -cipher { des | 3des | aes128 } | -c ] * source-filename destination-filename [ -oi interface-type interface-number ]

----End

9.8.4 Checking the Configurations


After using SCP to log in to another device, you can view the source IP address of the SCP client.

Prerequisites
The configuration for using SCP to access files on another device is complete.

Procedure
l Run the display scp-client command to view the source IP address or source interface of
the SCP client.
----End

Example
Run the display scp-client command, and you can view the source IP address of the SCP client.
<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1

9.9 Configuration Examples


This section provides examples of accessing another device. Each example describes the
networking requirements, configuration notes, and configuration roadmap.

9.9.1 Example for Logging in to Another Device by Using Telnet


This section provides an example for logging in to another device by using Telnet. In this
example, the authentication mode and password are configured for users who log in through Telnet.

Networking Requirements
As shown in Figure 9-7, after logging in to Switch A, the user logs in to Switch B through Telnet
by using the default port 23.

Figure 9-7 Networking diagram of the remote login of the Ethernet user
(PC - SwitchA 10.10.10.8/24 - SwitchB 10.10.10.9/24)

Switch    Interface               VLANIF interface   IP address
SwitchA   XGigabitEthernet0/0/1   VLANIF 2           10.10.10.8/24
SwitchB   XGigabitEthernet0/0/1   VLANIF 2           10.10.10.9/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Assign IP addresses to Switch A and Switch B.


2. Configure an authentication mode and password on Switch B.
3. Log in to Switch B from Switch A.

Data Preparation
To complete the configuration, you need the following data:

l ID of the VLAN
l IP address and number of the interface on Switch A, which functions as the Telnet client
l IP address and number of the interface on Switch B, which functions as the Telnet server
l Authentication mode and the password for a user to log in to Switch B through Telnet

Procedure
Step 1 Assign IP addresses.
# Assign an IP address to Switch A that functions as the Telnet client.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface xgigabitethernet 0/0/1
[SwitchA-XGigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchA-XGigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchA-XGigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]

# Assign an IP address to Switch B that functions as the Telnet server.


<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] quit
[SwitchB] interface xgigabitethernet 0/0/1
[SwitchB-XGigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchB-XGigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchB-XGigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] ip address 10.10.10.9 255.255.255.0
[SwitchB-Vlanif2] quit
[SwitchB]

Step 2 Configure the authentication mode and password for Switch B.


[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode password
[SwitchB-ui-vty0-4] set authentication password cipher huawei
[SwitchB-ui-vty0-4] quit
[SwitchB]

Step 3 Verify the configuration.


# Log in to Switch B on Switch A through Telnet.
<SwitchA> telnet 10.10.10.9
Trying 10.10.10.9 ...
Press CTRL+K to abort
Connected to 10.10.10.9 ...

Login authentication

Password:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
The current login time is 2012-03-20 11:04:45.
<SwitchB>

----End

Configuration Files
l Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.8 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return

l Configuration file of Switch B


#
sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.9 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
user-interface vty 0 4
authentication-mode password
set authentication password cipher %$%$axs[$3*Q;+hUY:0YxNS;X.%
y]:elTpar].gl2eHPIZEDE4+&%$%$
#
return

9.9.2 Example for Configuring the Device as the STelnet Client to


Connect to the SSH Server
This section provides an example for logging in to another device by using STelnet. In this
example, local key pairs are generated on the STelnet client and on the SSH server; the RSA public
key of the STelnet client is then configured on the SSH server and bound to the client's SSH user.
In this manner, the STelnet client can connect to the SSH server.

Networking Requirements
As shown in Figure 9-8, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode. In this example, the Huawei switch functions as an SSH server.
The following login users need to be configured.
l Client001, with the password as huawei and the authentication mode as password
l Client002, with the password as rsakey001 and the authentication mode as RSA
The user interface supports only the SSH protocol.

Figure 9-8 Networking diagram for logging in to another device by using STelnet
(SSH Server 10.164.39.222/24; Client001 10.164.39.220/24; Client002 10.164.39.221/24)

Switch       Interface               VLANIF interface   IP address
SSH server   XGigabitEthernet0/0/1   VLANIF 10          10.164.39.222/24
Client001    XGigabitEthernet0/0/1   VLANIF 10          10.164.39.220/24
Client002    XGigabitEthernet0/0/1   VLANIF 10          10.164.39.221/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
3. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind
the client client002 to an RSA key to authenticate the client when the client attempts to log
in to the server.
4. Enable STelnet service on the SSH server.
5. Set the service type of Client001 and Client002 to STelnet.
6. Enable first-time authentication on the SSH client.
7. Users Client001 and Client002 log in to the SSH server through STelnet.

Data Preparation
To complete the configuration, you need the following data:

l IP addresses of the SSH server and clients, as shown in Figure 9-8
l Client001, with the password huawei and password authentication
l Client002, with RSA authentication and the public key RsaKey001 assigned to it
l IP address of the SSH server, 10.164.39.222

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.

Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to interface VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the Switch that functions as Client001 or Client002 is done in the same
way as for VLANIF 10 on the server and is not described here.
Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES:If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 3 Create an SSH user on the server.


NOTE

SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.

# Configure a VTY user interface.


[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

l Create an SSH user named Client001.


# Create an SSH user named Client001 and configure the authentication mode as
password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.


[Quidway] aaa
[Quidway-aaa] local-user client001 password cipher huawei
[Quidway-aaa] local-user client001 service-type ssh

l Create an SSH user named Client002.

# Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa

Step 4 Configure the RSA public key on the server.


# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key generated on the client.


[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001

Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
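
The hex-data typed into the public key view above (and in step 4 of the RSA procedure in Table 9-2) is the client's RSA public key in DER form, SEQUENCE { INTEGER n, INTEGER e }, while display rsa local-key-pair public also prints the same key as an OpenSSH ssh-rsa line. The following Python script is an added example, not Huawei code: it decodes both encodings of the client002_Host key shown above, confirms they carry the same modulus and exponent (a pasting error would show up as a mismatch), computes the SHA-256 fingerprint of the key, and flags a modulus below an assumed 2048-bit policy threshold (the example key is 512 bits, the default size offered by rsa local-key-pair create).

```python
# Added example (not Huawei code): cross-check the key pasted into the server's
# [rsa-key-code] view against the OpenSSH blob printed by the client, and grade
# its size. Sample key material below is the client002_Host key shown above.
import base64
import hashlib
import struct

# hex-data lines exactly as typed into the [Quidway-rsa-key-code] view
HEX_DATA_LINES = [
    "3047",
    "0240",
    "BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB",
    "203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8",
    "EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43",
    "1D7E3E1B",
    "0203",
    "010001",
]
# The same key in authorized_keys form, from the same display output
OPENSSH_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at buf[pos]; return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError("expected tag 0x%02X, got 0x%02X" % (tag, buf[pos]))
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return buf[pos:pos + length], pos + length


def parse_hex_data(lines):
    """Decode hex-data lines, SEQUENCE { INTEGER n, INTEGER e }, to (n, e)."""
    der = bytes.fromhex("".join(lines).replace(" ", ""))
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    n_bytes, pos = _read_tlv(seq, 0, 0x02)
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected extra field in SEQUENCE")
    # The switch omits the 0x00 that strict DER puts before a modulus whose
    # top bit is set (0xBF here), so the INTEGER is read as unsigned.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_openssh(line):
    """Decode an 'ssh-rsa <base64> [comment]' line (RFC 4253 blob) to (n, e)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob = base64.b64decode(fields[1])
    parts, pos = [], 0
    while pos < len(blob):  # each field: uint32 big-endian length, then data
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    # Field order is e then n; a leading 0x00 on an mpint does not change the value
    return int.from_bytes(parts[2], "big"), int.from_bytes(parts[1], "big")


def fingerprint(line):
    """SHA-256 fingerprint of the blob, in the form OpenSSH prints it."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_key(hex_lines, openssh_line, min_bits=2048):
    """Report whether both encodings carry the same key and how strong it is.

    min_bits is an assumed policy threshold, not a value from the guide."""
    n1, e1 = parse_hex_data(hex_lines)
    n2, e2 = parse_openssh(openssh_line)
    return {
        "match": (n1, e1) == (n2, e2),
        "modulus_bits": n1.bit_length(),
        "exponent": e1,
        "weak": n1.bit_length() < min_bits,
        "fingerprint": fingerprint(openssh_line),
    }


if __name__ == "__main__":
    for key, value in audit_key(HEX_DATA_LINES, OPENSSH_LINE).items():
        print("%-13s %s" % (key, value))
```

The fingerprint can be compared with what the client's own SSH software reports for its key, which is the same out-of-band check that first-time authentication in Step 8 relies on for the server's host key.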

Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001

Step 6 Enable the STelnet service on the SSH server.
# Enable the STelnet service.


[Quidway] stelnet server enable

Step 7 Set the service type of Client001 and Client002 to STelnet.


[Quidway] ssh user client001 service-type stelnet
[Quidway] ssh user client002 service-type stelnet

Step 8 Connect the STelnet client to the SSH server.


# You must enable first-time authentication on the SSH client before the first login.
# Enable first-time authentication on Client001.
<Quidway> system-view
[Quidway] sysname client001
[client001] ssh client first-time enable

# Enable first-time authentication on Client002.


[client002] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...

Enter password:

Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
<Quidway>

# Client002 logs in to the SSH server in RSA authentication mode.
<client002> system-view
[client002] stelnet 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.137.217.202. Please wait.
..

Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
<Quidway>

Step 9 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. The output shows that the STelnet service is enabled and that the
STelnet clients have logged in to the server successfully.
# Check the status of the SSH server.

[Quidway] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server :Disable

# Check the connection of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn : VTY 1
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 2
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : rsa

# Check information about the SSH user.
[Quidway] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : rsa
User-public-key-name : RsaKey001
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : No

----End

Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway

#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B 0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10

port hybrid untagged vlan 10
#
return

9.9.3 Example for Accessing Files on Another Device by Using TFTP


In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. After that, you can upload and download files.

Networking Requirements
As shown in Figure 9-9, the remote server at 10.1.1.2 functions as the TFTP server.
The Switch acts as the TFTP client, with the IP address 10.1.1.1/24, and downloads files
from the TFTP server.

Figure 9-9 Networking diagram for accessing files on another device by using TFTP (PC connected
to the TFTP client over a configuration cable; TFTP session between the TFTP client and the
TFTP server)

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the position where the source file is
located on the Switch.
2. Download files through TFTP commands on the Switch.

Data Preparation
To complete the configuration, you need the following data:
l TFTP software installed on the TFTP server
l Path of the source file on the TFTP server
l Name of the destination file and position where the destination file is located on the Switch

Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit

[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 24

Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...
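What the tftp get command above puts on the wire, as an added example (Python; not Huawei's code and not part of this guide): the read request (RRQ) that the client sends for 8031.cc in binary ("octet") mode, followed by the DATA/ACK exchange in which the server sends 512-byte blocks and the client acknowledges each one until a short block ends the transfer. The file contents below are constructed and nothing is sent on the network. Note from the packet format that the request carries no user name or password: TFTP has no authentication at all, so the server should only be reachable from the management network the switch sits on.

```python
"""TFTP (RFC 1350) packet encoding/decoding behind 'tftp <server> get <src> <dst>'.

Added example, not Huawei's code: it models the client side of the read request
the switch sends in binary ("octet") mode and the DATA/ACK exchange that follows.
Sample DATA packets are constructed inline; no network I/O is performed.
"""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512   # default block size; a DATA block shorter than this ends the transfer


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ = opcode 1 | filename | 0 | mode | 0. "octet" is what the switch calls binary mode.
    There is no user or password field: TFTP carries no authentication."""
    return (struct.pack(">H", OP_RRQ) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_ack(block: int) -> bytes:
    """ACK = opcode 4 | block number."""
    return struct.pack(">HH", OP_ACK, block)


def build_data(block: int, payload: bytes) -> bytes:
    """DATA = opcode 3 | block number | up to 512 bytes of file content."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds block size")
    return struct.pack(">HH", OP_DATA, block) + payload


def build_error(code: int, message: str) -> bytes:
    """ERROR = opcode 5 | error code | message | 0 (e.g. code 1 = file not found)."""
    return struct.pack(">HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def parse_packet(pkt: bytes) -> dict:
    """Decode any TFTP packet into a dict keyed by field, with 'op' always present."""
    if len(pkt) < 2:
        raise ValueError("truncated packet")
    (op,) = struct.unpack(">H", pkt[:2])
    if op in (OP_RRQ, OP_WRQ):
        parts = pkt[2:].split(b"\x00")
        if len(parts) < 3:
            raise ValueError("malformed request")
        return {"op": op, "filename": parts[0].decode(), "mode": parts[1].decode().lower()}
    if len(pkt) < 4:
        raise ValueError("truncated packet")
    (number,) = struct.unpack(">H", pkt[2:4])
    if op == OP_DATA:
        return {"op": op, "block": number, "data": pkt[4:]}
    if op == OP_ACK:
        return {"op": op, "block": number}
    if op == OP_ERROR:
        message = pkt[4:].split(b"\x00")[0].decode(errors="replace")
        return {"op": op, "code": number, "message": message}
    raise ValueError(f"unknown opcode {op}")


def receive_file(data_packets):
    """Client-side receive loop: consume DATA packets in order and return (file_bytes, acks_sent).
    Stops at the first block shorter than BLOCK_SIZE; raises on an ERROR packet or a block gap."""
    received = bytearray()
    acks = []
    expected = 1
    for pkt in data_packets:
        p = parse_packet(pkt)
        if p["op"] == OP_ERROR:
            raise RuntimeError(f"server error {p['code']}: {p['message']}")
        if p["op"] != OP_DATA:
            raise RuntimeError("unexpected packet during transfer")
        if p["block"] != expected:
            raise RuntimeError(f"expected block {expected}, got {p['block']}")
        received += p["data"]
        acks.append(build_ack(p["block"]))
        expected += 1
        if len(p["data"]) < BLOCK_SIZE:
            break
    return bytes(received), acks


# Constructed sample transfer: a 700-byte file arrives as one full 512-byte block
# followed by a 188-byte final block (the short block signals end of transfer).
SAMPLE_FILE = bytes(range(256)) * 2 + b"\xAA" * 188
SAMPLE_DATA_PACKETS = [
    build_data(1, SAMPLE_FILE[:512]),
    build_data(2, SAMPLE_FILE[512:]),
]


if __name__ == "__main__":
    print("RRQ:", build_rrq("8031.cc"))
    body, acks = receive_file(SAMPLE_DATA_PACKETS)
    print(f"received {len(body)} bytes in {len(acks)} blocks")
```

The receive loop is strict on purpose: an out-of-order block or an ERROR reply aborts the transfer rather than silently producing a truncated or mis-assembled file, which is the failure you want to notice when the downloaded file is system software.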

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

9.9.4 Example for Accessing Files on Another Device by Using FTP


This section provides an example for accessing files on another device by using FTP. In this
example, a user logs in to the FTP server from the switch to download system software and
configuration software from the FTP server.

Networking Requirements
As shown in Figure 9-10, the remote server at 10.1.1.2 serves as the FTP server. The Switch
and the FTP server are directly connected and on the same network segment. The Switch has a
reachable route to the FTP server.

The Switch acts as the FTP client. Interfaces ranging from XGigabitEthernet0/0/1 to
XGigabitEthernet0/0/4 can be used to set up FTP connections and they share the IP address
10.1.1.1.

The Switch downloads files from the FTP server.

Figure 9-10 Networking diagram for accessing files on another device by using FTP (PC connected
to the FTP client over a configuration cable; FTP session between the FTP client and the FTP
server)

Configuration Roadmap
The configuration roadmap is as follows:

1. Log in to the FTP server from the FTP client.
2. Download files from the server to the storage device of the client.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the FTP server
l Name of the destination file and position where the destination files are located on the
Switch
l FTP user name u1 and password ftppwd, used by the client to log in

Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to
ftppwd.

Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1 to VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface xgigabitethernet 0/0/2
[Quidway-XGigabitEthernet0/0/2] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/2] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/2] quit
[Quidway] interface xgigabitethernet 0/0/3
[Quidway-XGigabitEthernet0/0/3] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/3] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/3] quit
[Quidway] interface xgigabitethernet 0/0/4
[Quidway-XGigabitEthernet0/0/4] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/4] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/4] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.3 24

Step 3 On the Switch, initiate a connection to the FTP server with the user name tpuser and the password
ftppwd.
<Quidway> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.

[ftp]

Step 4 On the Switch, set the file transfer mode to binary and the local working directory to the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.

Step 5 On the Switch, download the vrpcfg.cfg file from the remote FTP server.

[ftp] get vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
226 Transfer complete.
FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
<Quidway>

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface XGigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface XGigabitEthernet0/0/3
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface XGigabitEthernet0/0/4
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

9.9.5 Example for Accessing Files on Another Device by Using SFTP

In this example, a local key pair is generated on the SFTP client and on the SSH server; the
client's RSA public key is then configured on the SSH server and bound to the SFTP client's
SSH user. In this manner, the SFTP client can connect to the SSH server.

Networking Requirements
As shown in Figure 9-11, after the SFTP service is enabled on the SSH server, the SFTP client
can log in to the SSH server using password, RSA, password-rsa, or all authentication. In this
example, the Huawei switch functions as the SSH server.
Two users, client001 and client002, are configured to log in to the SSH server in password
authentication mode and RSA authentication mode respectively.

Figure 9-11 Networking diagram for accessing files on another device by using SFTP (SSH server
at 10.164.39.222/24; Client001 at 10.164.39.220/24 and Client002 at 10.164.39.221/24)

Switch       Interface               VLANIF interface   IP address
SSH server   XGigabitEthernet0/0/1   VLANIF 10          10.164.39.222/24
Client001    XGigabitEthernet0/0/1   VLANIF 10          10.164.39.220/24
Client002    XGigabitEthernet0/0/1   VLANIF 10          10.164.39.221/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
3. Create a local RSA key pair on the client Client002 and the SSH server, and bind the client
client002 to an RSA key to authenticate the client when the client attempts to log in to the
server.
4. Enable the SFTP service on the SSH server.
5. Configure the service mode and authorization directory for the SSH user.
6. Client001 and Client002 log in to the SSH server by using SFTP to access files on the
server.

Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the FTP server and client, as shown in Figure 9-11
l Client001 uses password authentication with the password huawei.
l Client002 uses RSA authentication and is assigned the public key RsaKey001.
l IP address of the SSH server is 10.164.39.222.

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.

Create VLAN 10 on the S6700 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

The procedure for creating VLANIF 10 and assigning its IP address on the S6700s that function
as Client001 and Client002 is the same and is not repeated here.

Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++

Step 3 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l In password, password-rsa, or password-dsa authentication mode, you must configure a local user.
l In RSA, DSA, password-rsa, password-dsa, or all authentication mode, you must copy the RSA or DSA
public key of the SSH client to the server.

# Configure a VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] user privilege level 3
[Quidway-ui-vty0-4] quit

l Create an SSH user named Client001.
# Create an SSH user named Client001 and configure the authentication mode as
password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.
[Quidway] aaa
[Quidway-aaa] local-user client001 password cipher huawei
[Quidway-aaa] local-user client001 privilege level 3
[Quidway-aaa] local-user client001 service-type ssh

l Create an SSH user named Client002.
# Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa

Step 4 Configure the RSA public key on the server.

# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key created on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Enter the RSA public key created on the client (the key code of client002_Host) on the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
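The key code typed into the rsa peer-public-key view above and the "ssh-rsa AAAA..." line that display rsa local-key-pair public prints for client002_Host are the same key in two encodings: a DER RSAPublicKey structure written as hex, and the OpenSSH public-key line. The following Python script is an added example, not Huawei's code and not part of this guide. It decodes both values exactly as they appear in this section and confirms that they describe the same modulus and public exponent. This is the check to make before running ssh user ... assign rsa-key, so that the key the operator pasted into the server really is the one the client generated and not a mistyped or substituted one.

```python
"""Cross-check the RSA key code pasted into 'rsa peer-public-key' against the
OpenSSH line printed by 'display rsa local-key-pair public'.

Added example (not Huawei's code). Both inputs are copied from the guide's
client002 output; the decoding is plain DER plus the RFC 4253 mpint encoding
that OpenSSH public-key lines use.
"""
import base64
import struct

# Key code exactly as typed into the [Quidway-rsa-key-code] view (from the guide).
KEY_CODE_HEX = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""

# The "Public key code for pasting into OpenSSH authorized_keys file" line (from the guide).
OPENSSH_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn"
    "TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(hex_text: str):
    """Decode the VRP key code: DER RSAPublicKey = SEQUENCE { INTEGER n, INTEGER e }."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, body, end = _der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single top-level SEQUENCE")
    tag_n, n_bytes, pos = _der_tlv(body, 0)
    tag_e, e_bytes, pos = _der_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected a SEQUENCE of exactly two INTEGERs")
    # The printed key code has no leading 0x00 on a modulus whose top bit is set
    # (strict DER would add one), so decode both INTEGERs as unsigned.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _mpint(value: int) -> bytes:
    """RFC 4253 mpint: length-prefixed big-endian bytes, 0x00-padded if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def to_openssh(n: int, e: int, comment: str = "rsa-key") -> str:
    """Encode (n, e) as an OpenSSH public-key line: string "ssh-rsa", mpint e, mpint n."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def from_openssh(line: str):
    """Decode an OpenSSH ssh-rsa line back to (n, e)."""
    blob = base64.b64decode(line.split()[1])
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def keys_match(hex_text: str = KEY_CODE_HEX, openssh_line: str = OPENSSH_LINE) -> bool:
    """True when the pasted key code and the OpenSSH line describe the same key."""
    return parse_key_code(hex_text) == from_openssh(openssh_line)


if __name__ == "__main__":
    n, e = parse_key_code(KEY_CODE_HEX)
    print(f"modulus: {n.bit_length()} bits, exponent: {e}")
    print("same key as the OpenSSH line:", keys_match())
```

The same script applies to the 768-bit client002_Server key further up (its key code starts 3067 0260), since the parser reads the DER lengths rather than assuming a key size. The 512-bit default modulus that rsa local-key-pair create offers in this guide is far below what current guidance treats as adequate for RSA; when you run the command, enter a larger modulus at the prompt.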

Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001

Step 6 Enable the SFTP service on the SSH server.

# Enable the SFTP service.
[Quidway] sftp server enable

Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.
Two SSH users are configured on the SSH server: Client001 in the password authentication
mode and Client002 in the RSA authentication mode.
[Quidway] ssh user client001 service-type sftp
[Quidway] ssh user client001 sftp-directory flash:/
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/

Step 8 Connect the SFTP client to the SSH server.
# First-time authentication must be enabled on the SSH client before its first login.
Enable first-time authentication on Client001.
<Quidway> system-view
[Quidway] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication on Client002.
[client002] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.137.217.207. Please wait.
..

Enter password:
sftp-client>

# Client002 logs in to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.137.217.207 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.137.217.207. Please wait.
..

sftp-client>

Step 9 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. The output shows that the SFTP service is enabled and that the
SFTP clients have logged in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version :1.99

SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Enable
Stelnet server :Disable
Scp server :Disable

# Check the connection of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn : VTY 1
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : sftp
Authentication Type : password
Session 2:
Conn : VTY 2
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : sftp
Authentication Type : rsa

# Check information about the SSH user.
[Quidway] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : flash:/
Service-type : sftp
Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : rsa
User-public-key-name : RsaKey001
User-public-key-type : rsa
Sftp-directory : flash:/
Service-type : sftp
Authorization-cmd : No
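Both verification steps in this chapter (Step 9 of the STelnet example and Step 9 of this SFTP example) read the display ssh server session output by eye. The following Python script is an added example, not Huawei's code and not part of this guide. It parses that output (the SFTP session listing above is embedded as sample text) and checks each session's Authentication Type and Service Type against the per-user policy the procedure configured, so that a session that does not match the intended mode is reported rather than overlooked. It also collects the negotiated algorithms: this output shows the key exchange diffie-hellman-group1-sha1, a 1024-bit group that current SSH implementations no longer enable by default, which is the kind of value worth comparing against your own baseline.

```python
"""Parse 'display ssh server session' output and check it against the intended policy.

Added example, not Huawei's code. SESSION_OUTPUT is the SFTP verification output
from this section, embedded here as sample text.
"""
import re

SESSION_OUTPUT = """\
Session 1:
Conn : VTY 1
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : sftp
Authentication Type : password
Session 2:
Conn : VTY 2
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : sftp
Authentication Type : rsa
"""

# What the procedure configured: authentication mode and service type per SSH user.
EXPECTED_POLICY = {
    "client001": {"Authentication Type": "password", "Service Type": "sftp"},
    "client002": {"Authentication Type": "rsa", "Service Type": "sftp"},
}

ALGORITHM_FIELDS = ("Kex", "CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac")


def parse_sessions(text: str) -> list:
    """Split the output into one dict of 'Field : value' pairs per 'Session N:' block."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^Session (\d+):\s*$", line)
        if m:
            current = {"Session": int(m.group(1))}
            sessions.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return sessions


def check_sessions(sessions: list, policy: dict) -> list:
    """Return a list of findings; empty when every session matches the policy.
    A logged-in user with no policy entry is reported as well."""
    findings = []
    for s in sessions:
        user = s.get("Username", "?")
        expected = policy.get(user)
        if expected is None:
            findings.append(f"session {s['Session']}: unexpected user {user!r}")
            continue
        for field, want in expected.items():
            got = s.get(field)
            if got != want:
                findings.append(
                    f"session {s['Session']} ({user}): {field} is {got!r}, expected {want!r}")
    return findings


def algorithms_in_use(sessions: list) -> dict:
    """Map each algorithm field to the set of values negotiated across all sessions."""
    return {f: {s[f] for s in sessions if f in s} for f in ALGORITHM_FIELDS}


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_OUTPUT)
    for finding in check_sessions(sessions, EXPECTED_POLICY) or ["all sessions match policy"]:
        print(finding)
    for field, values in algorithms_in_use(sessions).items():
        print(f"{field}: {', '.join(sorted(values))}")
```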

----End

Configuration Files
l Configuration file of the Quidway, the SSH server

#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory flash:/
ssh user client002 sftp-directory flash:/
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return
l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10

ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

9.9.6 Example for Accessing Files on Another Device by Using FTPS

You can log in to an FTPS server from an FTPS client to manage files and transfer them between
the server and the client.

Networking Requirements
Traditional FTP has no security mechanism and transmits data in plain text. If the FTP server
is configured with login user names and passwords, the FTP server can authenticate clients, but
the clients cannot authenticate the server. Transmitted data can easily be tampered with, which
poses a security threat. Configuring an SSL policy on the FTP server improves security: SSL
provides data encryption, identity authentication, and message integrity verification, and so
improves data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving the security of the FTP server.

As shown in Figure 9-12:
l An SSL policy needs to be configured on the FTP client and a trusted-CA file loaded to it,
so that the client can verify the identity of the certificate owner, prevent eavesdropping and
tampering by means of the signed digital certificate, and manage the certificate and key.
l An SSL policy needs to be configured on the FTP server and a digital certificate loaded to
it, so that the server can verify the validity of the trusted-CA file. This ensures that only
authorized clients can log in to the server.

Figure 9-12 Accessing Files on Another Device by Using FTPS (FTP-Client: VLANIF20,
1.1.1.1/24; FTP-Server: VLANIF30, 1.1.1.2/24; the two are connected over the network;
VLANIF40, 192.168.0.2/24, towards PC1)

If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.

Configuration Roadmap
The configuration roadmap is as follows:

1. Upload certificates.
l Upload the digital certificate saved on PC2 to the FTP server.
l Upload the trusted-CA file saved on PC1 to the FTP client.
2. Load the certificates and configure SSL policies.
l Copy the digital certificate from the system directory of the FTP server to the
security sub-directory, configure an SSL policy, and load the digital certificate.
l Copy the trusted-CA file from the system directory of the FTP client to the security
sub-directory, configure an SSL policy, and load the trusted-CA file.
3. Enable the FTPS server function on the FTP server.
4. Configure IP addresses for the interfaces that interconnect the FTP client and server to
ensure that the client and server are routable.
5. Run the ftp command on the FTP client to log in to the FTPS server to remotely manage
files.

Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the FTP client and server
l FTP user name and password
l SSL trusted-CA file and digital certificate

Procedure
Step 1 Upload certificates.
l Perform the following steps on the FTP server:
# Configure an IP address for the FTP server so that the PC and FTP server are reachable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] vlan 10
[FTP-Server-vlan10] quit
[FTP-Server] interface xgigabitethernet0/0/1
[FTP-Server-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[FTP-Server-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[FTP-Server-XGigabitEthernet0/0/1] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

# Enable the FTP server function.
[FTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for
an FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password cipher huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei privilege level 15
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit

# Run the ftp ftp-server-address command at the Windows command prompt. Enter the
correct user name and password to set up an FTP connection to the FTP server, as shown in
Figure 9-13.

Figure 9-13 Logging in to an FTP server from a user terminal

Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
9-14.

Figure 9-14 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the FTP server.
The command output shows that the digital certificate has been successfully uploaded to the
server.
<FTP-Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time(LMT) FileName
0 drw- - May 10 2011 05:05:40 src
1 -rw- 524,575 May 10 2011 05:05:53 private-data.txt
2 -rw- 446 May 10 2011 05:05:51 vrpcfg.zip
3 -rw- 1,302 May 10 2011 05:32:05 1_servercert_pem_rsa.pem
4 -rw- 951 May 10 2011 05:32:44 1_serverkey_pem_rsa.pem
5 drw- - May 10 2011 05:43:39 security

304,292 KB total (303,766 KB free)

l Perform the following steps on the FTP client:
The procedure for uploading the trusted-CA file to the FTP client is similar to the procedure
for uploading the digital certificate to the FTP server. For detailed configurations, see the
configuration file of the FTP client in this example.
After the trusted-CA file is uploaded to the FTP client, run the dir command on the FTP
client. The command output shows that the trusted-CA file has been successfully uploaded
to the FTP client.
<FTP-Client> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 524,558 May 10 2011 04:50:39 private-data.txt
1 -rw- 1,237 May 10 2011 05:55:33 1_cacert_pem_rsa.pem
2 -rw- 1,241 May 10 2011 05:55:44 1_rootcert_pem_rsa.pem
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 web.zip
6 drw- - Apr 10 2011 01:35:54 logfile
7 -rw- 4 Apr 19 2011 04:24:28 snmpnotilog.txt
8 drw- - Apr 11 2011 16:18:53 security
9 drw- - Apr 13 2011 11:37:40 lam

304,292 KB total (300,270 KB free)

Step 2 Load the certificates and configure SSL policies.
l Perform the following steps on the FTP server:
# Create a sub-directory named security and copy the digital certificate to this sub-directory.
<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security sub-
directory on the FTP server. The command output shows that the digital certificate has been
successfully copied to the security sub-directory.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,302 May 10 2011 05:44:34 1_servercert_pem_rsa.pem
1 -rw- 951 May 10 2011 05:45:22 1_serverkey_pem_rsa.pem

304,292 KB total (303,766 KB free)

# Create an SSL policy and load the PEM digital certificate.


<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
[FTP-Server-ssl-policy-ftp_server] quit

After the preceding configurations are complete, run the display ssl policy command on the
FTP server. The command output shows detailed information about the loaded certificate.
[FTP-Server] display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

- Configure the FTP client.
# Create a sub-directory named security and copy the trusted-CA file to this sub-directory.
The configuration procedure is similar to that on the FTP server. For detailed configurations,
see the configuration file of the FTP client in this example.
After the trusted-CA file is copied to the security sub-directory, run the dir command in this
sub-directory. The command output shows that the trusted-CA file has been successfully
copied to this sub-directory.
<FTP-Client> cd security/
<FTP-Client> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time(LMT) FileName


0 -rw- 1,237 May 10 2011 05:57:15 1_cacert_pem_rsa.pem
1 -rw- 1,241 May 10 2011 05:57:29 1_rootcert_pem_rsa.pem

304,292 KB total (300,266 KB free)

# Create an SSL policy and load the trusted-CA file.
<FTP-Client> system-view
[FTP-Client] ssl policy ftp_client
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_cacert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] quit

After the preceding configurations are complete, run the display ssl policy command on the
FTP client. The command output shows detailed information about the trusted-CA file.
[FTP-Client] display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

Step 3 Enable the FTPS server function.

NOTE
Before enabling the FTPS server function, disable the FTP server function.
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable

Step 4 Configure IP addresses for the interfaces that interconnect the FTP client and server.

# Configure the FTP server.
[FTP-Server] vlan 30
[FTP-Server-vlan30] quit
[FTP-Server] interface xgigabitethernet 0/0/2
[FTP-Server-XGigabitEthernet0/0/2] port hybrid pvid vlan 30
[FTP-Server-XGigabitEthernet0/0/2] port hybrid untagged vlan 30
[FTP-Server-XGigabitEthernet0/0/2] quit
[FTP-Server] interface vlanif 30
[FTP-Server-Vlanif30] ip address 1.1.1.2 24
[FTP-Server-Vlanif30] quit

# Configure the FTP client.
[FTP-Client] vlan 20
[FTP-Client-vlan20] quit
[FTP-Client] interface xgigabitethernet 0/0/2
[FTP-Client-XGigabitEthernet0/0/2] port hybrid pvid vlan 20
[FTP-Client-XGigabitEthernet0/0/2] port hybrid untagged vlan 20
[FTP-Client-XGigabitEthernet0/0/2] quit
[FTP-Client] interface vlanif 20
[FTP-Client-Vlanif20] ip address 1.1.1.1 24
[FTP-Client-Vlanif20] quit
[FTP-Client] quit

Step 5 Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.
<FTP-Client> ftp ssl-policy ftp_client 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2.
220 FTP service ready.
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.

[ftp]

The client can log in to the FTP server only after the correct user name and password are entered.

Step 6 Verify the configuration.
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running

You can use the FTP client to remotely manage files on the FTPS server.

----End

Configuration Files
- Configuration file of the FTP server
#
sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10 30
#
ssl policy ftp_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password cipher %$%$xl8:AIK&k*X.D6$JN#rF-\SJ%$%$
local-user huawei privilege level 15
local-user huawei ftp-directory flash:/
local-user huawei service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif30
ip address 1.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface XGigabitEthernet0/0/2
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
return

- Configuration file of the FTP client
#
sysname FTP-Client
#
FTP server enable
#
vlan batch 20 40
#
ssl policy ftp_client
trusted-ca load pem-ca 1_cacert_pem_rsa.pem
trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user huawei privilege level 15
local-user huawei ftp-directory flash:/
local-user huawei service-type ftp
#
interface Vlanif20
ip address 1.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.0.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface XGigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

9.9.7 Example for Accessing Files on Another Device by Using SCP

In this example, the SCP client accesses the SCP server to download files.

Networking Requirements
Unlike SFTP, SCP allows file uploading or downloading without user authentication and public
key assignment, and also supports file uploading or downloading in batches.

As shown in Figure 9-15, the device functioning as the SCP client has a reachable route to the
SCP server, and can download files from the SCP server.

Figure 9-15 Networking diagram for accessing files on another device by using SCP
(SCP Client 1.1.1.1/32 --- SCP Server 172.16.104.110/24)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a local RSA key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable SCP services on the SSH server.
4. Enable first-time authentication on the SSH client.
5. Configure an IP address of the source interface on the SCP client.
6. Download files from the SSH server to the SCP client.

Data Preparation
To complete the configuration, you need the following data:

- SSH user name, authentication mode, and authentication password
- IP address of the source interface on the SCP client
- Names and paths of the source and destination files

Procedure
Step 1 Create a local RSA key pair on the SSH server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 512
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++

Step 2 Create an SSH user on the SCP server.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

# Configure password authentication for the SSH user Client001.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Configure the password of the SSH user Client001 to huawei.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

# Configure the service type of the SSH user Client001 as all.
[SSH Server] ssh user client001 service-type all

Step 3 Enable SCP services on the SCP server.
[SSH Server] scp server enable

Step 4 Download files from the SCP server to the SCP client.
# For the first login, you need to enable first-time authentication on the SSH client.
<Quidway> system-view
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable

# Configure the IP address 1.1.1.1 of a loopback interface as the source IP address for the SCP
client.
[SCP Client] scp client-source -a 1.1.1.1

# Download the file license.txt from the remote SCP server at 172.16.104.110 to the local
working directory, using 3des as the cipher for the transfer.
[SCP Client] scp -a 1.1.1.1 -cipher 3des client001@172.16.104.110:license.txt license.txt

Step 5 Verify the configuration.

Run the display scp-client command on the SCP client. The command output is as follows:
<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1

The IP address of the source interface on the SCP client is 1.1.1.1.

----End

Configuration Files
- Configuration file of the SCP server
#
sysname SSH Server
#
aaa
local-user client001 password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
scp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- Configuration file of the SCP client
#
sysname SCP Client
#
ssh client first-time enable
scp client-source 1.1.1.1
#
return

9.9.8 Example for Configuring the SSH Server to Support Access from Another Port

In this example, the listening port number of the SSH server is set to a port number other than
the standard one so that only valid users can set up connections with the SSH server.

Networking Requirements
The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access
the standard port continuously, bandwidth is consumed and the performance of the server is
degraded. As a result, other valid users cannot access the port.
If the listening port on the SSH server is changed to a non-default one, attackers will not be aware
of this change and will continue to send socket connection requests to port 22. In this case,
the SSH server detects that port 22 is not its listening port and denies the request for
establishing the socket connection.
Therefore, only valid users can use the specified listening port to set up a socket connection
through the following procedures:
- Negotiating the version of the SSH protocol
- Negotiating the algorithm
- Generating the session key
- Authenticating
- Sending a request for a session
- Performing the interactive session

Figure 9-16 Networking diagram for configuring the SSH server to support access from another port
(SSH Server 10.164.39.222/24; Client001 10.164.39.220/24; Client002 10.164.39.221/24)

Switch      Interface              VLANIF interface  IP address
SSH server  XGigabitEthernet0/0/1  VLANIF 10         10.164.39.222/24
Client001   XGigabitEthernet0/0/1  VLANIF 10         10.164.39.220/24
Client002   XGigabitEthernet0/0/1  VLANIF 10         10.164.39.221/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the SFTP client and SSH server separately.
4. Configure the RSA public key of the SSH client on the SSH server and bind it to Client002.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the type of the service and authenticated directory for the SSH user.
7. Set the listening port number on the SSH server.
8. Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.

Data Preparation
To complete the configuration, you need the following data:

- IP addresses of the SSH server and clients, as shown in Figure 9-16
- SSH user name and authentication mode
- Password or RSA public key of the SSH user
- Server name
- Listening port number on the SSH server

Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not described here.
Step 2 Generate a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++

Step 3 Configure the RSA public key on the server.
# Create a local key pair on the client.
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
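The key code pasted above is the DER encoding of the client's RSA public key (a SEQUENCE of the INTEGER modulus and the INTEGER exponent), and the client displayed the same key in OpenSSH form. The following Python script is an added example, not Huawei code: it parses the key code from this page, rebuilds the OpenSSH ssh-rsa blob (RFC 4253) and checks that it matches the displayed OpenSSH string, so a transcription error in the pasted hex is caught before the key is bound to Client002 with the ssh user client002 assign rsa-key command. The function names are the example's own.

```python
"""Cross-check the RSA key code pasted into 'rsa peer-public-key' against the
OpenSSH public key string displayed on the client. Added example, not Huawei code."""
from __future__ import annotations

import base64
import hashlib

# Hex lines exactly as displayed by 'display rsa local-key-pair public' on client002
# and pasted into the 'public-key-code' view on the server (taken from this page).
KEY_CODE_HEX = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""

# The OpenSSH authorized_keys string displayed on client002 (taken from this page).
DISPLAYED_OPENSSH = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b"
)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos and return (tag, value, next_pos).
    Handles short- and long-form lengths, enough for 512- to 2048-bit keys."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(hex_dump: str) -> tuple[int, int]:
    """Parse the switch key code (DER RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e })
    into (modulus, exponent). The switch emits the modulus without a leading 0x00
    sign byte (length 0x40 although the first byte 0xBF has its top bit set), so
    both INTEGERs are read as unsigned values."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two DER INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint: minimal big-endian two's complement, so a leading 0x00
    is added when the top bit of the first byte is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def openssh_blob(n: int, e: int) -> bytes:
    """RFC 4253 ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def openssh_base64(hex_dump: str) -> str:
    """Base64 body of the authorized_keys line for the given key code."""
    n, e = parse_key_code(hex_dump)
    return base64.b64encode(openssh_blob(n, e)).decode()


def sha256_fingerprint(hex_dump: str) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of the key blob."""
    n, e = parse_key_code(hex_dump)
    digest = hashlib.sha256(openssh_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_code_matches(hex_dump: str, displayed: str) -> bool:
    """True when the pasted key code and the displayed OpenSSH key are the same key."""
    return openssh_base64(hex_dump) == "".join(displayed.split())


if __name__ == "__main__":
    n, e = parse_key_code(KEY_CODE_HEX)
    print(f"modulus bits: {n.bit_length()}, exponent: {e}")
    print("key code matches displayed key:", key_code_matches(KEY_CODE_HEX, DISPLAYED_OPENSSH))
    print(sha256_fingerprint(KEY_CODE_HEX))
```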

Step 4 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
- Before configuring the authentication mode of password or password-rsa, you must configure a
local user.
- Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.

# Configure a VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] user privilege level 3
[Quidway-ui-vty0-4] quit

# Create an SSH user named Client001, and configure the authentication mode as password
for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.
[Quidway] aaa
[Quidway-aaa] local-user client001 password cipher huawei
[Quidway-aaa] local-user client001 service-type ssh
[Quidway-aaa] quit

# Set the service type of Client001 to STelnet.
[Quidway] ssh user client001 service-type stelnet

# Create an SSH user named Client002, and configure the authentication mode as RSA for the
user. Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
[Quidway] ssh user client002 assign rsa-key RsaKey001

# Set the type of service of Client002 to SFTP and the authorized directory as flash:/.
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/

Step 5 Enable the STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable

Step 6 Configure the new listening port number on the SSH server.
[Quidway] ssh server port 1025

Step 7 Connect the SSH client and the SSH server.

# For the first login, you must enable first-time authentication on the SSH client.
Enable first-time authentication on Client001.
<Quidway> system-view
[Quidway] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication on Client002.
[client002] ssh client first-time enable

# The STelnet client logs in to the SSH server by using the new listening port.
[client001] stelnet 10.164.39.222 1025
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.164.39.222. Please wait.
..

Enter password:

Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:

Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
<Quidway>

# The SFTP client logs in to the SSH server by using the new listening port.
[client002] sftp 10.164.39.222 1025
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.164.39.222. Please wait.
..

sftp-client>

Step 8 Verify the configuration.

# Attackers fail to log in to the SSH server by using port 22 (shown here by connecting from
Client002 without specifying the new port).
[client002] sftp 10.164.39.222
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Can't establish tcp connection to server

After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. You can check the current listening port number on the SSH server
and that the STelnet and SFTP clients have logged in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Enable
Stelnet server :Enable
Scp server :Disable
SSH server port :1025

# Check the connections on the SSH server.
[Quidway] display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa

----End

Configuration Files
- Configuration file of Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return

- Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

- Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

9.9.9 Example for Authenticating SSH Through RADIUS

In this example, a user that attempts to access the SSH server is authenticated by the RADIUS
server, and the SSH server determines whether to set up a connection with the user according
to the authentication result.

Networking Requirements
When a RADIUS user connects to an SSH server, the SSH server sends the user name and
password of the SSH client to the RADIUS server (compatible with the TACACS server) for
authentication.

The RADIUS server authenticates the user and sends the result (passed or failed) back to the
SSH server. If the authentication is successful, the user level is sent along with the result. The
SSH server determines whether the SSH client is allowed to set up a connection according to
the authentication result.

Figure 9-17 shows the networking diagram.

Figure 9-17 Networking diagram of authenticating SSH through RADIUS
(SSH Client 10.164.39.221/24 --- SSH Server 10.164.39.222/24 and 10.164.6.41/24 --- RADIUS Server 10.164.6.49/24)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the RADIUS template on the SSH server.
2. Configure a domain on the SSH server.
3. Create a user on the RADIUS server.
4. Generate a local key pair on the SSH server.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the service mode and authorization directory of the SSH user.
7. Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and
SFTP respectively.

Data Preparation
To complete the configuration, you need the following data:
- Password authentication for the two SSH users
- RADIUS authentication
- Name of the RADIUS template
- Name of the RADIUS domain
- Name and password of the RADIUS user

Procedure
Step 1 Generate a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Create the SSH users.

On the RADIUS server, add two users named ssh1@ssh.com and ssh2@ssh.com, and specify the NAS
address 10.164.39.222 and the key huawei. The NAS address is the address of the SSH server that
connects to the RADIUS server.
# Configure the VTY user interface on the SSH server.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] user privilege level 3
[Quidway-ui-vty0-4] quit

# Create SSH users ssh1@ssh.com and ssh2@ssh.com on the SSH server.
[Quidway] ssh user ssh1@ssh.com
[Quidway] ssh user ssh1@ssh.com authentication-type password
[Quidway] ssh user ssh1@ssh.com service-type stelnet
[Quidway] ssh user ssh2@ssh.com
[Quidway] ssh user ssh2@ssh.com authentication-type password
[Quidway] ssh user ssh2@ssh.com service-type sftp
[Quidway] ssh user ssh2@ssh.com sftp-directory flash:/

Step 3 Configure the RADIUS template.
# Configure the authentication scheme newscheme and authentication mode RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme newscheme
[Quidway-aaa-authen-newscheme] authentication-mode radius
[Quidway-aaa-authen-newscheme] quit

# Configure the RADIUS server template ssh on the SSH server.
[Quidway] radius-server template ssh

# Configure the IP address as 10.164.6.49 and port of the RADIUS authentication server as 1812.
[Quidway-radius-ssh] radius-server authentication 10.164.6.49 1812

# Configure the shared key of the RADIUS server as huawei.
[Quidway-radius-ssh] radius-server shared-key huawei
[Quidway-radius-ssh] quit

Step 4 Configure the RADIUS domain.

# Configure the domain ssh.com on the SSH server, applying the authentication scheme newscheme
and the RADIUS server template ssh.
[Quidway] aaa
[Quidway-aaa] domain ssh.com
[Quidway-aaa-domain-ssh.com] authentication-scheme newscheme
[Quidway-aaa-domain-ssh.com] radius-server ssh
[Quidway-aaa-domain-ssh.com] quit
[Quidway-aaa] quit

Step 5 Connect the SSH client and the SSH server.

# Enable the STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable

# For the first login, you need to enable first-time authentication on the SSH client.
[client] ssh client first-time enable
[client] quit

# Connect the STelnet client to the SSH server in the RADIUS authentication.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username:ssh1@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.164.39.222. Please wait.
..

Enter password:

Enter the password Huawei. The following information indicates that the login succeeds:

Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
<Quidway>

# Connect the SFTP client to the SSH server in the RADIUS authentication.
<client> system-view
[client] sftp 10.164.39.222
Please input the username:ssh2@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...

Enter password:
sftp-client>

Step 6 Verify the configuration.

After the configuration, run the display radius-server configuration and display ssh server
session commands on the SSH server. The output shows the RADIUS server configuration on the SSH
server, and that the STelnet and SFTP clients have connected to the SSH server successfully
through RADIUS authentication.
# Display the configuration of the RADIUS server.
[Quidway-aaa] display radius-server configuration
-------------------------------------------------------------------
Server-template-name : ssh
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 10.164.6.49 :1812 LoopBack:NULL
Primary-accounting-server : 0.0.0.0 :0 LoopBack:NULL
Secondary-authentication-server : 0.0.0.0 :0 LoopBack:NULL
Secondary-accounting-server : 0.0.0.0 :0 LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : xxxx-xxxx-xxxx
-------------------------------------------------------------------
Total of radius template :1

# Display the connection of the SSH server.
[Quidway] display ssh server session
Session 1:
Conn : VTY 0
Version : 2.0
State : started
Username : ssh1@ssh.com
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 1
Version : 2.0
State : started
Username : ssh2@ssh.com
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : password

----End
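The verification step shows the two sessions only as raw text. The following Python script, added here as an example and not part of Huawei's documentation or software, parses that display ssh server session output into records and compares each session's negotiated key exchange, ciphers and HMACs against an operator allow-list. The allow-list (POLICY) is an assumed baseline written for this example, using standard SSH algorithm names; it does not describe which algorithms the S6700 supports.

```python
"""Parse `display ssh server session` output and compare each session's
negotiated algorithms with an operator baseline.

Added example, not Huawei code: SAMPLE_OUTPUT is copied from the
configuration example above; POLICY is an assumed operator allow-list,
not a list of algorithms the S6700 supports."""

import re
from collections import Counter

# Constructed sample: the two sessions shown in the verification step.
SAMPLE_OUTPUT = """\
Session 1:
Conn : VTY 0
Version : 2.0
State : started
Username : ssh1@ssh.com
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 1
Version : 2.0
State : started
Username : ssh2@ssh.com
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : password
"""

# Assumed operator baseline (algorithm names from RFC 4253, 4344, 4419 and
# 6668). The 1024-bit group1 exchange is left out of the Kex set on
# purpose; CBC ciphers and SHA-1 HMACs are tolerated here so that only the
# key exchange is reported for the sample above.
_CIPHERS = {"aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"}
_HMACS = {"hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"}
POLICY = {
    "Kex": {"diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"},
    "CTOS Cipher": _CIPHERS,
    "STOC Cipher": _CIPHERS,
    "CTOS Hmac": _HMACS,
    "STOC Hmac": _HMACS,
}

_SESSION_HEADER = re.compile(r"^Session\s+(\d+):$")


def parse_sessions(text):
    """Return one dict per session, keyed by the field names as displayed."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _SESSION_HEADER.match(line)
        if header:
            current = {"Session": int(header.group(1))}
            sessions.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sessions


def check_sessions(sessions, policy=POLICY):
    """List (session, username, field, value) for every value outside the policy."""
    findings = []
    for s in sessions:
        for field, allowed in policy.items():
            value = s.get(field)
            if value not in allowed:
                findings.append((s["Session"], s.get("Username"), field, value))
    return findings


def auth_type_summary(sessions):
    """Count sessions per authentication type (password, rsa, ...)."""
    return dict(Counter(s.get("Authentication Type") for s in sessions))


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    print(auth_type_summary(found))
    for session, user, field, value in check_sessions(found):
        print(f"session {session} ({user}): {field} = {value} not in policy")
```

Run it as-is against the embedded sample, or feed it the captured output of the command. Both sample sessions are reported because their key exchange, diffie-hellman-group1-sha1, is not in the example allow-list; the password authentication type is only counted, since the example above deliberately authenticates by password through RADIUS.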

Configuration Files
Configuration file of the SSH server
#
sysname Quidway


#
radius-server template ssh
radius-server authentication 10.164.6.49 1812
#
aaa
authentication-scheme newscheme
authentication-mode radius
#
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
#
sftp server enable
stelnet server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh1@ssh.com authentication-type password
ssh user ssh2@ssh.com authentication-type password
ssh user ssh1@ssh.com service-type stelnet
ssh user ssh2@ssh.com service-type sftp
ssh user client001 sftp-directory flash:/
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
Return


10 Web System Configuration

About This Chapter

Before configuring the device in Web mode, you need to configure the device as the Web server.

10.1 Overview of Web System


Through the Web system, users can manage and maintain the device in the graphical user
interface (GUI).
10.2 Starting Web System
This topic describes how to load the Web system and create a Web system account.


10.1 Overview of Web System


Through the Web system, users can manage and maintain the device in the graphical user
interface (GUI).
The device is installed with a built-in Web server. Thus, the terminal (such as a PC) connected
to the device can access the device through the Web browser.
Figure 10-1 shows the running environment of the Web system.

Figure 10-1 Running environment of the Web System (a PC connected to the switch over an HTTP
connection)

10.2 Starting Web System


This topic describes how to load the Web system and create a Web system account.

10.2.1 Setting the Management IP Address of the Device


This section describes how to configure the management IP address of the device. This IP address
is used by users to log in to the web network management system.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface meth 0/0/1


The MEth interface view is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]

The IP address of the interface is configured.

----End

10.2.2 Uploading Web Page Files


This section describes how to obtain the Web page files and upload them to the device through
FTP.

Prerequisites
The Web page file is saved on the S6700 before delivery, so you do not need to upload it when
using the S6700 for the first time (you still need to load the file). After the S6700 is
upgraded, upload the Web page file to the S6700 again.

To obtain the Web page file of the device, log in to http://support.huawei.com/enterprise, and
then choose Software > Product Software > Enterprise Networking > Datacom Network >
Campus Switch. Download the software package based on the product name and version. The
Web page file is contained in the software package. The file name has the format Product
Name-Software Version.Web Page File Version.web.zip.

Before uploading the Web page file, copy the Web page file to the client from which you log in
to the device.

Context
NOTE
You can also download Web files through TFTP. In this case, the device functions as the TFTP client, and
the terminal that stores the Web files functions as the TFTP server. For details, see 9.4.4 Downloading
Files Using TFTP.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp server enable

The FTP server is enabled.

Step 3 Run:
aaa

The AAA view is displayed.

Step 4 Run:
local-user user-name password cipher password

An FTP user is created and its password is set (huawei in this example).


Step 5 Run:
local-user user-name privilege level level

The local user level is set.

NOTE

The local user level must be set to 3 or higher.

Step 6 Run:
local-user user-name ftp-directory directory

The directory is set for the FTP client.

Step 7 Run:
local-user user-name service-type ftp

The service type of an FTP login user is set.

Step 8 Run the following command at the command prompt of the PC:
ftp ip-address

Enter the user name and password when prompted. The PC logs in to the device.
C:\>ftp 10.1.1.132
Connected to 10.1.1.132.
220 FTP service ready.
User (10.1.1.132:(none)): client
331 Password required for client.
Password:
230 User logged in.
ftp>

Step 9 Run the following command in the FTP view:
put local-filename

The web.zip file is uploaded from the PC to the device.


ftp> put web.zip
200 Port command okay.
150 Opening ASCII mode data connection for web.zip.
226 Transfer complete.
ftp: 251047 bytes sent in 3.36Seconds 74.74Kbytes/sec.
ftp>

----End

10.2.3 Loading a Web Page File


This section describes how to load a Web file.

Context
Before loading the Web page file, upload it to the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
http server load file-name

The Web page file is loaded to the device.

----End

10.2.4 Creating a Web Account


Before logging in to the device in Web mode, you need to create a Web account on the device.

Context
Before enabling the HTTP server, load the Web page file to the device.

The device provides a default user account for logging in to the web network management
system, with the user name admin and password admin. You can use the default account to log
in to the web network management system.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
http server enable

The HTTP server is enabled.

NOTE
The HTTP server can be enabled only after a Web page file has been loaded.

Step 3 (Optional) Run:
http server port port-number

The listening port number of the HTTP server is set.

Step 4 Run:
aaa

The AAA view is displayed.

Step 5 Run:
local-user user-name password cipher password

An HTTP client is configured and the password of the client is set.

Step 6 Run:
local-user user-name privilege level level

The HTTP user level is set.

NOTE

Set the HTTP user level to 3 or higher so that the HTTP user can have management-level rights. Users at
levels 0, 1 and 2 have only visit-level rights.


Step 7 Run:
local-user user-name service-type http

The access type of the user is set to HTTP.


Step 8 Run:
quit

Return to the system view.


Step 9 (Optional) Run:
http timeout timeout

The timeout period of an HTTP connection is set. By default, the timeout period of an HTTP
connection is 20 minutes.

Step 10 (Optional) Run:
free http user-id user-id

The Web user with the specified user ID is released.

----End
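The SSH server configuration file in the previous chapter and the Web account steps above both end up as plain lines in the saved configuration, which makes them easy to check offline. The following Python script is an added example, not Huawei code: it reads a constructed configuration (SAMPLE_CONFIG, a shortened copy of the SSH server configuration file above with hypothetical local users webadmin and webguest and an http server enable line added) and reports VTY lines that do not use AAA with SSH only, ssh users without an authentication-type or service-type line, and HTTP users below the management level 3 named in the note above. The checks and their messages are assumptions made for this example.

```python
"""Offline consistency check of a saved VRP configuration: the remote-access
settings from the SSH/RADIUS example (VTY lines, ssh users) and the
Web-management users configured in this section.

Added example, not Huawei code. SAMPLE_CONFIG is a shortened copy of the
SSH server configuration file above plus constructed local-user and http
lines; webadmin/webguest and the checks themselves are assumptions."""

from itertools import takewhile

SAMPLE_CONFIG = """\
#
aaa
authentication-scheme newscheme
authentication-mode radius
local-user webadmin password cipher <cipher-text>
local-user webadmin privilege level 3
local-user webadmin service-type http
local-user webguest password cipher <cipher-text>
local-user webguest privilege level 1
local-user webguest service-type http
#
http server enable
#
sftp server enable
stelnet server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh1@ssh.com authentication-type password
ssh user ssh2@ssh.com authentication-type password
ssh user ssh1@ssh.com service-type stelnet
ssh user ssh2@ssh.com service-type sftp
ssh user client001 sftp-directory flash:/
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return
"""


def check_vty(text):
    """Every VTY user interface must use AAA and accept SSH only."""
    issues, lines = [], [l.strip() for l in text.splitlines()]
    heads = [i for i, l in enumerate(lines) if l.startswith("user-interface vty")]
    if not heads:
        return ["no user-interface vty stanza found"]
    for i in heads:
        # The stanza runs from the header line to the next '#' separator.
        stanza = list(takewhile(lambda l: l != "#", lines[i + 1:]))
        for required, msg in (("authentication-mode aaa", "authentication-mode is not aaa"),
                              ("protocol inbound ssh", "inbound protocol is not restricted to ssh")):
            if required not in stanza:
                issues.append(f"{lines[i]}: {msg}")
    return issues


def check_ssh_users(text):
    """Each ssh user needs an authentication-type and a service-type line."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] != ["ssh", "user"] or len(parts) < 3:
            continue
        seen = attrs.setdefault(parts[2], set())
        if len(parts) > 3 and parts[3] in ("authentication-type", "service-type"):
            seen.add(parts[3])
    return [f"ssh user {name}: no {req} configured"
            for name, seen in sorted(attrs.items())
            for req in ("authentication-type", "service-type") if req not in seen]


def http_users(text):
    """Map each local user with service-type http to its privilege level
    (None when the file has no privilege level line for that user)."""
    levels, users = {}, set()
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] != ["local-user"] or len(parts) < 4:
            continue
        if parts[2:4] == ["privilege", "level"]:
            levels[parts[1]] = int(parts[4])
        elif parts[2] == "service-type" and "http" in parts[3:]:
            users.add(parts[1])
    return {name: levels.get(name) for name in sorted(users)}


def check_http_users(text, management_level=3):
    """Report http users that do not have management-level rights (level >= 3)."""
    report = []
    for name, level in http_users(text).items():
        if level is None:
            report.append(f"local-user {name}: http user without an explicit privilege level")
        elif level < management_level:
            report.append(f"local-user {name}: http user at level {level}, visit-level rights only")
    return report
```

Against the sample, check_vty returns nothing, check_ssh_users reports client001 (present only through its sftp-directory line, so it has neither an authentication-type nor a service-type line), and check_http_users reports webguest as a visit-level user. Feed the functions the text of a saved configuration file to apply the same checks to a real device.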

10.2.5 Logging In to the Web System


This section describes how to log in to the device in Web mode.

Procedure
Step 1 Open the Web browser on the PC, and then enter the management address of the device in the
address bar (the PC and the device must have reachable routes to each other). Press Enter to
display the Login dialog box. As shown in Figure 10-2, enter the preset Web user name,
password and verification code, and then choose the language.

Figure 10-2 Login


NOTE

If you select Save my password before clicking Login, you do not need to enter the password at next
login.

Step 2 Click Login or press Enter to display the homepage of the Web system.
You can configure the device after logging in to the Web system. For details on how to configure
the device through the Web system, see the S6700 Series Ethernet Switches Web System Guide.

----End
