Format
abort trial [ session session-id ]
Parameters
session session-id
  Description: Specifies the ID of a session for which the trial running of the configuration is to be disabled.
  Value: -
Views
All views (excluding the user view)
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the two-phase configuration validation mode is configured and a command is run, run
the commit trial command to enable the trial running of the configuration. You can specify
the time parameter in the commit trial command to set the timeout period for the trial
running. After the trial running of the configuration times out, the system automatically rolls
the configuration back to the configuration state before the trial running. To disable the trial
running of the configuration before the trial running times out, run the abort trial command
to roll the system configuration back to the configuration state before the trial running.
Prerequisites
The commit trial command has been run for a configuration.
Configuration Impact
After the trial running of the configuration is disabled, the system configuration rolls back to
the configuration state before the trial running.
Precautions
The abort trial command must be run in the two-phase configuration validation mode.
Example
# Disable the trial running of a configuration.
<HUAWEI> system-view
[~HUAWEI] sysname rollback
[*HUAWEI] commit trial 120
[~rollback] abort trial
Warning: The trial configuration will be rolled back. Continue? [Y/N]:y
Info: The trial configuration rollback succeeded.
[~HUAWEI]
3.1.2 alias
Function
The alias command creates an alias for a command.
Format
alias alias-string [ parameter parameter & <1-32> ] command command
undo alias alias-string
Parameters
alias-string
  Description: Specifies an alias string.
  Value: The value is a string of 1 to 63 case-insensitive characters, supporting letters, digits, and hyphens (-). It must start with a letter and cannot contain spaces between characters.
parameter parameter
  Description: Specifies a parameter for an alias.
  Value: The value is a string of 2 to 63 case-insensitive characters, supporting letters, digits, and hyphens (-). It must start with the $ sign.
command command
  Description: Specifies a command for which an alias is to be created.
  Value: The value is a string of 1 to 511 characters. If a space exists in the command, the character string of command must be enclosed in double quotation marks (").
Views
Command alias view
Level
3: Management level
Usage Guidelines
Usage Scenario
The alias command can be used in the following scenarios:
l Configure an easy-to-remember string of characters as the alias for a command. Then, you
can just enter the alias string when you need to run the command. For example, define
show as the alias for display. You can then enter show to substitute display.
l Change the order of parameters. For example, after you configure the alias showif
parameter $ifnum $iftype command "display interface $iftype $ifnum" command,
you can enter showif 1 Eth-Trunk to substitute display interface Eth-Trunk 1.
Precautions
l A command can still be used after an alias is configured for it.
l The character string of command must reference all the parameters defined in parameter
in sequence, and each parameter can be referenced only once.
l When the character string of command starts referencing the parameters defined in
parameter, only parameters beginning with the $ sign rather than any command keyword
can be included. For example, command configuration like alias showif parameter
$ifnum $iftype command "display interface $iftype iftype $ifnum verbose" is
incorrect.
l If the alias definitions include loop nesting or the nesting level is more than 16 layers,
the alias is invalid and cannot substitute a command.
l The alias configured by the alias command can take effect only when the command alias
function is enabled using the terminal command alias command. By default, the
command alias function is enabled.
Example
# Create an alias for a command.
<HUAWEI> system-view
[~HUAWEI] command alias
[*HUAWEI-cmdalias] alias show command display
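The substitution and validation rules described in the Usage Guidelines above (parameter reordering, each parameter referenced exactly once, no keyword after a parameter reference, loop and 16-level nesting limits, the terminal command alias switch), modelled in Python. This is an added illustration, not code from the switch or from Huawei; the names AliasTable, define, expand and check_definition are assumptions, as is the choice to leave a line unsubstituted when fewer arguments than parameters are typed.

```python
import re
from typing import Dict, List, Tuple

MAX_NESTING = 16   # an alias nested deeper than this is invalid (Precautions)

# Syntax rules from the Parameters table: alias-string is 1-63 letters, digits or
# hyphens starting with a letter; parameter is 2-63 such characters starting with $.
ALIAS_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")
PARAM_NAME = re.compile(r"^\$[A-Za-z0-9-]{1,62}$")


class AliasError(ValueError):
    """Raised when a definition breaks one of the documented rules."""


class AliasTable:
    """Alias definitions plus the substitution the CLI performs on a typed line."""

    def __init__(self) -> None:
        # alias name (lower-cased) -> (parameter names, command tokens)
        self._aliases: Dict[str, Tuple[List[str], List[str]]] = {}

    def define(self, name: str, params: List[str], command: str) -> None:
        """alias <name> [ parameter <params> ] command <command>."""
        if not ALIAS_NAME.match(name):
            raise AliasError(f"invalid alias string: {name!r}")
        if not 1 <= len(command) <= 511:
            raise AliasError("command must be 1 to 511 characters")
        params = [p.lower() for p in params]
        for p in params:
            if not PARAM_NAME.match(p):
                raise AliasError(f"invalid parameter name: {p!r}")
        tokens = [t.lower() if t.startswith("$") else t for t in command.split()]
        refs = [t for t in tokens if t.startswith("$")]
        # Every defined parameter must be referenced, and each exactly once.
        if sorted(refs) != sorted(params):
            raise AliasError("command must reference each parameter exactly once")
        # Once the command starts referencing parameters, only parameters may follow:
        # "display interface $iftype iftype $ifnum verbose" is rejected.
        if refs and any(not t.startswith("$") for t in tokens[tokens.index(refs[0]):]):
            raise AliasError("no command keyword may follow a parameter reference")
        self._aliases[name.lower()] = (params, tokens)

    def expand(self, line: str, terminal_alias_enabled: bool = True) -> str:
        """Return the command actually executed for a typed line.

        The line is returned unchanged when the command alias function is
        disabled on the terminal, when the first word is not an alias, or when
        the alias is invalid because its definitions loop or nest more than
        MAX_NESTING levels.
        """
        if not terminal_alias_enabled:
            return line
        current = line.split()
        seen, depth = set(), 0
        while current and current[0].lower() in self._aliases:
            name = current[0].lower()
            if name in seen or depth == MAX_NESTING:
                return line                  # loop nesting or too deep: alias invalid
            seen.add(name)
            params, tokens = self._aliases[name]
            args = current[1:]
            if len(args) < len(params):
                return line                  # assumption: too few arguments, no substitution
            # Arguments bind to parameters in the order they were defined ("showif 1
            # Eth-Trunk" gives $ifnum=1, $iftype=Eth-Trunk); the command string places
            # them in its own order, which is how a definition reorders parameters.
            binding = dict(zip(params, args))
            current = [binding.get(t, t) for t in tokens] + args[len(params):]
            depth += 1
        return " ".join(current)


def check_definition(name: str, params: List[str], command: str) -> bool:
    """True when a definition is accepted, False when a documented rule rejects it."""
    try:
        AliasTable().define(name, params, command)
        return True
    except AliasError:
        return False
```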
Function
The clear configuration candidate command clears an uncommitted configuration.
Format
clear configuration candidate
Parameters
None
Views
All views except the user view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
This command clears a configuration that has not been committed in the two-stage mode.
Prerequisites
Precautions
Example
# Clear the configuration that has not been committed.
<HUAWEI> system-view
[~HUAWEI] clear configuration candidate
Function
The command alias command creates and enters the command alias view.
The undo command alias command deletes all aliases configured on the device.
Format
command alias
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To enter the command alias view, run the command alias command.
Precautions
The undo command alias command deletes all aliases configured on the device as well as the
command alias view.
Follow-up Procedure
Run the alias command to configure an alias for a command.
Example
# Enter the command alias view.
<HUAWEI> system-view
[~HUAWEI] command alias
[~HUAWEI-cmdalias]
Format
command-privilege level level view view-name command-key
undo command-privilege [ level level ] view view-name command-key
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The system divides commands into four levels and sets the command level in the specified
view. The device administrator can change the command level as required, so that a lower-
level user can use some high-level commands. The device administrator can also change the
command level to a larger value to improve device security.
A login user can configure commands according to the configured privilege corresponding to
the user name (through the user privilege level command).
When the command-privilege level rearrange command is not configured, the command lines
are classified into visit level (0), monitoring level (1), configuration level (2), and
management level (3), in ascending order.
User Level | Command Level | Description
1 | Visit level (0), Monitoring level (1) | Commands of this level are used for system maintenance, including display commands.
NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Command Reference.
2 | Visit level (0), Monitoring level (1), Configuration level (2) | Commands of this level are used for service configuration to provide direct network services, including routing commands and commands of each network layer.
3 | Visit level (0), Monitoring level (1), Configuration level (2), Management level (3) | Commands of this level are used for basic system operations, including file system, FTP, TFTP download, user management, command level configuration, and debugging.
Precautions
You are not advised to change the default command level. If you need to change it, consult
with professional personnel to ensure that routine operation and maintenance are not affected
and security risk is avoided.
The command-key parameter specifies the command of which the level is to be changed. The
view view-name parameter specifies the view to which the command belongs. The command
matching rule is prefix-based matching. For example, the command-privilege level 2 view
shell display interface command changes the level of all commands starting with display
interface in the user view to level 2.
In versions earlier than V100R006C00, the user level ranges from 0 to 15. If the system
software is upgraded to V100R006C00 or a later version, and the command-privilege level
command is not configured, the levels of level-0 and level-1 users remain unchanged, and
those of level-3 to level-15 users change to 3.
Example
# Set the privilege level of the save command to 5.
<HUAWEI> system-view
[~HUAWEI] command-privilege level 5 view shell save
Function
The command-privilege level rearrange command upgrades command levels in batches.
The undo command-privilege level rearrange command restores the default command
levels in batches.
By default, the command levels assigned by the system during registration are used.
Format
command-privilege level rearrange
undo command-privilege level rearrange
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a command registers on the device, it is assigned a default level (level 0, level 1, level
2, or level 3), corresponding to the visit level, monitoring level, configuration level, and
management level respectively. You can run the command-privilege level rearrange
command to upgrade all the level-2 and level-3 commands to level-10 and level-15
commands in batches. The levels of level-0 and level-1 commands remain unchanged.
Changing the command-privilege level rearrange command configuration affects the value
of level in the user privilege, command-privilege level, adminuser-priority, and local-user
level commands. For details, see the "Parameters" table in the corresponding sections.
Precautions
l The command-privilege level command has a higher priority than the command-
privilege level rearrange command as follows:
– During batch command level upgrade, the levels of commands that are separately
changed using the command-privilege level command remain unchanged.
– You can only restore the levels of the commands that are upgraded in batches. The
levels of commands that are separately changed using the command-privilege level
command remain unchanged.
l Before running the command-privilege level rearrange or undo command-privilege
level rearrange command, ensure that your level is the highest (level 3 or 15);
otherwise, you cannot run the command. For an AAA authentication user, you can run
the display aaa access-user self command and view the User level field to check the
user's level.
l After the levels of the commands are upgraded in batches and before they are restored,
running the command-privilege level rearrange command again has no effect and does not
change the status of the commands.
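A model of the rules in the command-privilege level and command-privilege level rearrange sections above: prefix-based matching within a view, the batch upgrade of level-2 and level-3 commands to 10 and 15, the precedence of individually changed commands over the batch change, the highest-level-user requirement, and a user being allowed to run only commands at or below the user's own level. This is an added illustration, not code from the switch or from Huawei; CommandLevels and its method names are assumptions, matching is interpreted as keyword-prefix matching, and the accepted level range (0-3 normally, 0-15 after rearrangement) is an assumption drawn from the "value of level" remark.

```python
from typing import Dict, Set, Tuple

# Levels assigned at registration and what "command-privilege level rearrange" maps them to.
VISIT, MONITORING, CONFIGURATION, MANAGEMENT = 0, 1, 2, 3
REARRANGE_MAP = {VISIT: 0, MONITORING: 1, CONFIGURATION: 10, MANAGEMENT: 15}

Key = Tuple[str, str]   # (view name, command text)


class CommandLevels:
    """Command levels of one device and the two commands that change them."""

    def __init__(self, registered: Dict[Key, int]) -> None:
        for level in registered.values():
            if level not in REARRANGE_MAP:
                raise ValueError("registered levels are 0 to 3")
        self._default: Dict[Key, int] = dict(registered)
        self._level: Dict[Key, int] = dict(registered)
        self._explicit: Set[Key] = set()   # changed individually with command-privilege level
        self.rearranged = False

    def level_of(self, view: str, command: str) -> int:
        return self._level[(view, command)]

    def may_run(self, user_level: int, view: str, command: str) -> bool:
        """A user may run a command whose level is not above the user's own level."""
        return user_level >= self.level_of(view, command)

    def set_level(self, level: int, view: str, command_key: str) -> int:
        """command-privilege level <level> view <view> <command-key>.

        Matching is prefix based: every command in the view whose keywords start
        with command-key is changed, so "display interface" also covers
        "display interface brief". Returns the number of commands changed.
        """
        top = 15 if self.rearranged else 3     # assumption: 0-3, or 0-15 once rearranged
        if not 0 <= level <= top:
            raise ValueError(f"level must be 0 to {top}")
        prefix = command_key.split()
        changed = 0
        for key in self._level:
            view_name, command = key
            if view_name == view and command.split()[:len(prefix)] == prefix:
                self._level[key] = level
                self._explicit.add(key)
                changed += 1
        return changed

    def rearrange(self, user_level: int) -> None:
        """command-privilege level rearrange: level 2 -> 10, level 3 -> 15 in batch."""
        self._require_highest(user_level)
        if self.rearranged:
            return                              # running it again has no effect
        for key, level in self._default.items():
            if key not in self._explicit:       # individually changed commands stay as set
                self._level[key] = REARRANGE_MAP[level]
        self.rearranged = True

    def undo_rearrange(self, user_level: int) -> None:
        """undo command-privilege level rearrange: restore only batch-upgraded commands."""
        self._require_highest(user_level)
        for key, level in self._default.items():
            if key not in self._explicit:
                self._level[key] = level
        self.rearranged = False

    @staticmethod
    def _require_highest(user_level: int) -> None:
        # Only a user at the highest level (3, or 15 after rearrangement) may run these.
        if user_level not in (3, 15):
            raise PermissionError("only the highest-level user can rearrange command levels")
```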
Example
# Change the levels of the current commands in batches.
<HUAWEI> system-view
3.1.7 commit
Function
The commit command commits a configuration and generates a configuration rollback point.
Format
commit [ trial [ time ] ] [ label label ] [ description description ]
Parameters
trial time
  Description: Specifies the timeout period for the trial running of a configuration.
  Value: The value is an integer ranging from 60 to 65535, in seconds. The default value is 600 seconds.
label label
  Description: Specifies the user label of a configuration rollback point.
  Value: The value is a string of 1 to 256 case-sensitive characters without spaces. It must start with a letter and cannot be a hyphen (-).
description description
  Description: Specifies the description of a configuration rollback point.
  Value: The value is a string of 1 to 60 case-sensitive characters with spaces.
Views
All views (excluding the user view)
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When performing configurations in two-stage mode, perform the following operations:
l Edit a configuration in the first stage.
l Run the commit command to commit the configuration in the second stage. The new
configuration then takes effect in the current system.
If you want to add descriptions about configuration rollback, run the commit description
description command in two-stage mode. Run the display configuration commit list
verbose command to view the descriptions.
To enable the trial running of a configuration, run the commit trial command. This
enables the trial running of new functions and services without interrupting the services
running on the live network, which improves network reliability. The time parameter specifies
the timeout period for the trial running of a configuration. When the trial running time
expires, the configuration that has been run in trial rolls back automatically. The system
NOTE
During the trial running of a configuration, other users cannot perform any configuration on the device,
and if the local user performs an operation and runs the commit command to commit the configuration,
the configuration in trial running is also committed and the system exits from the trial running status and
enters the normal configuration mode.
You can run the display configuration trial status command to check whether a system
configuration is in the trial running status and the remaining time of the trial running. If you
want to end the trial running status in advance, run the abort trial command to disable the
trial running of a configuration.
Prerequisites
You can edit a configuration only after you have run the system-view command to enter a
system view in two-stage mode.
Precautions
The system configurations change, including the configurations in two-stage mode.
Commands executed in the user view take effect without the commit command.
In two-phase validation mode, you must run the commit command for the configuration to
take effect. However, you do not need to run the commit command in the following cases:
l Query commands (such as display interface) are run.
l Maintenance commands (such as slave switchover, dual-active restore, stack upgrade
fast rollback-timer, stack upgrade fast stack member, switch mode, and reset
keepalive packets count) are run.
l Commands are run to enter the existing views (such as the stack view and physical
interface view) on a physical device. For example, the interface 10ge1/0/1 command is
run.
l The existing configurations on a device are reconfigured.
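The two-stage behaviour described in the abort trial section and in this commit section, modelled in Python: candidate edits, commit with a rollback point, commit trial with automatic rollback when the timer expires, abort trial, the configuration lock on other users during a trial, and a commit during a trial committing the trial configuration. This is an added illustration, not code from the switch or from Huawei; the class and method names, the injected clock value now, the session identifiers and the INACTIVE status wording are assumptions.

```python
from typing import Dict, List, Optional


class TwoStageConfig:
    """Candidate configuration, commit, trial running and abort trial of one device."""

    def __init__(self, running: Optional[Dict[str, str]] = None) -> None:
        self.running: Dict[str, str] = dict(running or {})
        self.candidate: Dict[str, str] = {}            # edited but not committed
        self.rollback_points: List[dict] = []          # one per commit
        self.persist_id: Optional[str] = None          # NETCONF persistency mark, if any
        self._trial_backup: Optional[Dict[str, str]] = None   # running config before the trial
        self._trial_deadline: Optional[float] = None
        self._trial_session: Optional[str] = None

    # First stage: edit the candidate configuration.
    def set(self, key: str, value: str, now: float = 0.0, session: str = "local") -> None:
        # During a trial only the session that started it may configure the device.
        if self.in_trial(now) and session != self._trial_session:
            raise PermissionError("configuration is locked during trial running")
        self.candidate[key] = value

    def display_configuration_candidate(self, merge: bool = False) -> Dict[str, str]:
        """Uncommitted configuration, or with merge the committed one as well."""
        return {**self.running, **self.candidate} if merge else dict(self.candidate)

    def clear_configuration_candidate(self) -> None:
        self.candidate.clear()

    # Second stage: commit [ trial [ time ] ] [ label label ] [ description description ].
    def commit(self, now: float = 0.0, trial: bool = False, time: int = 600,
               label: Optional[str] = None, description: Optional[str] = None,
               session: str = "local") -> int:
        """Make the candidate the running configuration; returns the rollback point number."""
        if trial and not 60 <= time <= 65535:
            raise ValueError("trial time is 60 to 65535 seconds")
        if self.in_trial(now):
            # A commit during a trial commits the trial configuration and leaves trial
            # status; the pre-trial configuration is no longer restored.
            self._end_trial()
        if trial:
            self._trial_backup = dict(self.running)
            self._trial_deadline = now + time
            self._trial_session = session
        self.running.update(self.candidate)
        self.candidate.clear()
        self.rollback_points.append({"number": len(self.rollback_points) + 1,
                                     "label": label, "description": description,
                                     "configuration": dict(self.running)})
        return len(self.rollback_points)

    def in_trial(self, now: float) -> bool:
        """Trial status after applying an expired timer (automatic rollback)."""
        if self._trial_deadline is not None and now >= self._trial_deadline:
            self._rollback_trial()
        return self._trial_backup is not None

    def abort_trial(self, now: float) -> bool:
        """abort trial: roll back to the pre-trial configuration before the timer expires."""
        if not self.in_trial(now):
            return False
        self._rollback_trial()
        return True

    def display_configuration_trial_status(self, now: float) -> Dict[str, object]:
        if not self.in_trial(now):
            return {"Trial status": "INACTIVE"}
        status: Dict[str, object] = {"Trial status": "ACTIVE"}
        if self.persist_id is not None:
            status["Persist id"] = self.persist_id
        status["Trial time left (sec)"] = int(self._trial_deadline - now)
        return status

    def _rollback_trial(self) -> None:
        self.running = dict(self._trial_backup)
        self._end_trial()

    def _end_trial(self) -> None:
        self._trial_backup = self._trial_deadline = self._trial_session = None
```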
Example
# Edit a configuration and commit it to make the change take effect.
<HUAWEI> system-view
[~HUAWEI] vlan 7
[*HUAWEI-vlan7] commit
3.1.8 diagnose
Function
The diagnose command enters the diagnostic view from the system view.
Format
diagnose
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Diagnostic commands are mainly used for fault diagnosis. However, running some commands
may cause device faults or service interruptions. Therefore, use these commands under the
instruction of technical support personnel.
Example
# Enter the diagnostic view.
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose]
Format
display command alias
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view configuration information of command alias on a device, run the display command
alias command.
Example
# Display configuration information of the command alias.
<HUAWEI> display command alias
show = display
showif $ifnum $iftype = display interface $iftype $ifnum
Function
The display configuration candidate command displays uncommitted configurations or all
configurations in the system.
Format
display configuration candidate [ merge ]
Parameters
merge
  Description: Displays all the configurations in the system, including committed configurations and uncommitted configurations. If you do not specify this keyword, the command displays only uncommitted configurations.
  Value: -
Views
All views in two-stage configuration mode
Default Level
2: Configuration level
NOTE
If the merge parameter is used, the default level of the command is the management level.
Usage Guidelines
Usage Scenario
You can run the display configuration candidate command to check whether a configuration
to be committed is correct and whether it conflicts with existing configurations.
Prerequisites
A configuration has been edited in two-stage mode.
Example
# Display uncommitted configurations.
<HUAWEI> system-view
[~HUAWEI] ftp server enable
[*HUAWEI] display configuration candidate
ftp server enable
Format
display history-command [ all-users ]
Parameters
all-users
  Description: Displays information about all successfully matched commands the users executed. If the parameter is not specified, successfully matched historical commands the current user executed are displayed.
  Value: -
Views
All views
Default Level
0: Visit level
NOTE
If the all-users parameter is used, the default level of the command is the management level.
Usage Guidelines
Usage Scenario
You can run this command to check historical commands the user has executed recently. This
command facilitates information search. Historical commands are recorded in circular mode.
Precautions
All the historical commands entered by a user are automatically saved on the terminal, that is,
any input that ends with Enter is saved as a historical command.
NOTE
l Historical commands are saved in the same format as that used in the input. If a command that is
entered by a user is in an incomplete format, the saved historical command is also in the incomplete
format.
l If a user runs a command several times, only the latest command is saved on the device. If the
command is entered in different formats, they are considered as different commands.
l To view the previous historical command, press the Up arrow key or Ctrl+P.
If there is an earlier historical command, the earlier historical command is displayed.
l To view the next historical command, press the Down arrow key or Ctrl+N.
If there is a new historical command, the new historical command is displayed.
NOTE
Access to historical commands using the Up arrow key does not apply to Windows 9X, where the Up
arrow key has different functions; use the shortcut key Ctrl+P instead.
Example
# Display the historical commands that have been executed on the current terminal.
<HUAWEI> display history-command
system-view
user-interface vty 0 4
user privilege level 15
quit
Function
The display hotkey command displays the status of the defined, undefined, and system
hotkeys.
Format
display hotkey
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After you understand the defined, undefined, and system hotkeys in the system, you can use
hotkeys to quickly enter commands. To redefine hotkeys for a command, run the hotkey
command.
The system allows hotkeys in places where commands can be entered, and displays the
commands corresponding to hotkeys. You can run the display hotkey command to view the
commands corresponding to hotkeys.
Example
# Display defined, undefined, and system hotkeys.
<HUAWEI> display hotkey
----------------- HOTKEY -----------------
=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display ip routing-table
CTRL_O undo debugging all
=Undefined hotkeys=
Hotkeys Command
CTRL_U NULL
=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection when connecting.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_T Kill outgoing connection.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the user view.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.
Format
display language character-set [ test ]
Parameters
test
  Description: Displays the character set in the system and the Chinese character set supported on the terminal login software. If this parameter is not specified, only the character set in the system is displayed.
  Value: -
Views
All views
Default Level
0: Visit level
Usage Guidelines
The system and terminal login software must use the same character set; otherwise, Chinese
characters may be displayed as garbled characters. You can run the display language
character-set [ test ] command to view the character set in the system and Chinese character
set supported on the terminal login software.
Example
# Display the character set in the system.
<HUAWEI> display language character-set
Current language character set encode : GBK
Format
display sysname
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
The host name determines the command interface prompt. For example, if the host name is
HUAWEI, the user interface prompt is <HUAWEI>.
You can run this command to view the host name of the current device.
Example
# Display the device host name.
<HUAWEI> display sysname
HUAWEI
Format
display terminal command alias
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the terminal command alias command to enable the command alias function for
the current terminal. To view whether the command alias function is enabled for the current
terminal, run the display terminal command alias command.
Example
# After the command alias function is enabled, display the status of the current terminal.
<HUAWEI> display terminal command alias
Info: Current terminal command alias feature is enable.
# After the command alias function is disabled, display the status of the current terminal.
<HUAWEI> display terminal command alias
Info: Current terminal command alias feature is disable.
Function
The display this command displays the running configuration in the current view.
Format
display this [ include-default ]
Parameters
include-default
  Description: Displays both the configurations that users have performed and default configurations.
  Value: -
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After the configurations are complete in a certain view, run the display this command to
check the current configurations.
If include-default is not specified, the display this command displays only configurations
that users have performed. If include-default is specified, the display this command displays
both default configurations and configurations that users have performed.
Precautions
l If a configuration parameter uses the default value, this parameter is not displayed.
Parameters that have been set but not successfully committed are not displayed by display
this either.
l If you run the display this command in an interface view, configuration of the interface
view is displayed. If you run this command in a protocol view, configuration of the
protocol view is displayed.
l Configuration information marked with * in the front in the command output indicates
the offline configuration.
Example
# Display the running configuration in the current view.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] display this
#
interface 10GE1/0/1
port link-type trunk
#
return
# Display the configurations that take effect in the current view on the system and default
configurations. (The command output is not all listed.)
<HUAWEI> system-view
[~HUAWEI] display this include-default
#
sysname HUAWEI
#
undo command-privilege level rearrange
#
FTP server enable
FTP server port 21
...
Function
The display configuration trial status command displays the trial running status of a system
configuration.
Format
display configuration trial status
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view the trial running status of a system configuration, run the display configuration trial
status command.
Trial running can also be initiated by NETCONF. If the NETCONF trial running packets carry the
persistency mark, the trial running status information of a system configuration includes the
persistency mark (the Persist id field).
Example
# Display the trial running status of a system configuration.
<HUAWEI> display configuration trial status
Trial status: ACTIVE
Trial time left (sec): 51
# Display the trial running status of a system configuration when trial running is initiated by
NETCONF and the trial running packets carry the persistency mark whose value is IQ,d4668.
<HUAWEI> system-view
[~HUAWEI] display configuration trial status
Trial status: ACTIVE
Persist id: IQ,d4668
Trial time left (sec): 30
3.1.18 header
Function
The header command configures header information displayed on a terminal when users log
in to a connected device.
The undo header command deletes header information displayed on a terminal when users
log in to a connected device.
By default, no header information is displayed on a terminal when users log in to a connected
device.
Format
header { login | shell } { information text | file file-name }
undo header { login | shell }
Parameters
login
  Description: Indicates header information displayed on a terminal when a user logs in to the device and a connection between the terminal and the device is activated.
  Value: -
shell
  Description: Indicates the header displayed on a terminal when the session is set up after the user logs in to the connected device.
  Value: -
information text
  Description: Specifies the header information and content.
  Value: The value is a string. The maximum length of the string that can be entered at one time is 480 characters. The value can contain spaces, and starts and ends with the same character, which is not displayed.
file file-name
  Description: Specifies the file name that the header uses.
  Value: The value is a string. The maximum length of the string is 64 characters. The file name must be in the [drive] [path] [file name] format, where [path] is the absolute path of the file. The maximum header file size is 2 KB. If the file size is greater than 2 KB, only the first 2 KB of file information can be displayed.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To provide some prompts or alarms to users, you can use the header command to configure a
title on the device. If a user logs in to the device, the title is displayed.
You can directly define header information by specifying the information text parameter, or
configure the content of a specified file as header information by specifying the file file-name
parameter.
l If the information parameter is specified, the header content must start and end with the
same case-insensitive letter. For example, the header content abcda starts and ends with
a, and header information displayed on the terminal is bcd. You cannot press Enter to
enter information in the next line.
l If the file file-name parameter is specified, all the header content is header information
displayed on the terminal without any start or end character, and you can press Enter to
enter information in the next line.
When a terminal connection is activated and you attempt to log in (for example, before
entering the user name and password), the terminal displays the content of the title that is set
using the header login command. After the successful login, the terminal displays the content
of the title that is configured using the header shell command.
Precautions
l Before setting the login parameter, you must set login authentication parameters;
otherwise, no header information about authentication is displayed.
l Before setting the file parameter, ensure that the file containing the header exists;
otherwise, the file name cannot be obtained.
l If the header command is configured several times, only the latest configuration takes
effect.
l After the login title is configured, any user that logs in to the system can view the title.
Example
# Configure a shell header "Hello!".
<HUAWEI> system-view
[~HUAWEI] header shell information "Hello!"
[*HUAWEI] commit
[~HUAWEI] quit
<HUAWEI> quit // Log off.
# Press Enter. The shell header is displayed when the user logs in again.
Hello!
<HUAWEI>
# Configure the login header using a file.
<HUAWEI> system-view
[~HUAWEI] header login file flash:/header-file.txt
3.1.19 hotkey
Function
The hotkey command sets a shortcut key for a command.
The undo hotkey command restores the system shortcut keys to the default values.
By default, the system assigns default values to three shortcut keys, CTRL+G, CTRL+L, and
CTRL+O, and assigns no default value to CTRL+U.
Format
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can set a shortcut key for a command that is often used; you can also change the default
value of the shortcut key that is defined by the system according to your requirements.
Four shortcut keys are customized by users: CTRL+G, CTRL+L, CTRL+O, and CTRL+U.
l By default, the shortcut key CTRL+G corresponds to the display current-
configuration command which displays current configuration.
l By default, the shortcut key CTRL+L corresponds to the display ip routing-table
command which displays routing table information.
l By default, the shortcut key CTRL+O corresponds to the undo debugging all command
which stops the output of all debugging information.
When specifying command-text, you can enter the abbreviation form of a command. For
example, you can enter the hotkey CTRL_G "display cur" command instead of the hotkey
CTRL_G "display current-configuration" command. These commands in two formats
function the same.
After you use the hotkey command to set a shortcut key for a command, you can run the
command by pressing the shortcut key or entering a command.
Configuration Impact
One shortcut key can be associated with only one command. If you run this command several
times to associate a shortcut key with different commands, only the latest association takes
effect.
Example
# Assign the display tcp status command to the shortcut key CTRL+L.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_l "display tcp status"
[*HUAWEI] commit
[~HUAWEI] display hotkey
----------------- HOTKEY -----------------
=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display tcp status
CTRL_O undo debugging all
=Undefined hotkeys=
Hotkeys Command
CTRL_U NULL
=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
Format
language character-set character
undo language character-set
Parameters
character
  Description: Specifies the character set in the system.
  Value: Currently, the system supports the following character sets: GBK, UTF-8, and ISO8859-1.
Views
System view
Default Level
3: Management level
Usage Guidelines
You can configure the character set so that the system supports Chinese or English input. The
character set facilitates device identification and management, for example, configured
Chinese device name and VLAN description.
Currently, the system supports the following character sets: GBK, UTF-8, and ISO8859-1.
GBK and UTF-8 support both English and Chinese input, whereas ISO8859-1 supports only
English input. To enter Chinese characters on the device, configure GBK or UTF-8 according
to the character set supported on the terminal login software. You can run the display
language character-set test command to view the character sets in the system and on the
terminal login software.
NOTE
If the character sets in the system and on the terminal login software are different, Chinese characters
may be displayed as garbled characters.
Example
# Configure GBK as the character set in the system.
<HUAWEI> system-view
[~HUAWEI] language character-set GBK
Change language character-set, confirm? [Y/N]:y
3.1.21 quit
Function
The quit command returns from the current view to a lower-level view. If the current view is
the user view, this command exits from the system.
Format
quit
Parameters
None
Views
All views
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
Three types of views are available and they are listed as follows from a lower level to a higher
level:
- User view
- System view
- Service view, such as interface view
Run the quit command to return to a lower-level command view from the current view. If you
are in the user view currently, after you run the quit command, you quit from the system.
In two-phase mode, if some configurations are not committed, a message is displayed when
the quit command is run to return to the user view from the system view. You can enter Y, N,
or C after the message is displayed.
- Y: Configurations not committed are saved in the current configuration file, and the user view is displayed.
- N: Configurations not committed are discarded, and the user view is displayed.
- C: Configurations not committed remain unchanged, and the current view is kept.
Example
# Return to the system view from the AAA view, and then return to the user view. After this,
quit the system.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] quit
[~HUAWEI] quit
<HUAWEI> quit
Function
The reset history-command command deletes history commands entered by the current user
in the system.
Format
reset history-command
Parameters
None
Views
User view
Default Level
0: Visit level
Usage Guidelines
This command deletes only the history commands entered by the current user, not those entered
by other users. The deleted history commands can no longer be displayed.
Example
# Delete history commands entered by the current user.
<HUAWEI> reset history-command
Function
The reset history-command all-users command deletes the historical commands of all users
in the system.
Format
reset history-command all-users
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
The reset history-command all-users command deletes only the query results of the display
history-command all-users command. Query results of the display history-command
command are not affected.
Example
# Delete the historical commands of all users.
<HUAWEI> reset history-command all-users
3.1.24 return
Function
The return command returns to the user view from other views except the user view.
Format
return
Parameters
None
Views
All views
Default Level
0: Visit level
Usage Guidelines
In other views, you can use the return command to return to the user view.
- Run this command to return to the user view if the current view is any view other than the user view.
- If the current view is the user view, no change occurs after running this command.
- The shortcut key <Ctrl+Z> has the same function as the return command.
Example
# Return to the user view from the user interface view.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] return
<HUAWEI>
3.1.25 system-view
Function
The system-view command enables you to enter the system view from the user view.
Format
system-view [ immediately ]
Parameters
Parameter Description Value
immediately Indicates that the configuration takes effect immediately. -
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You must configure the device in the system view. Run this command in the user view to
enter the system view.
The system supports two configuration validation modes: immediate validation and two-phase
validation.
- You can run the system-view command to enter the system view and edit the configuration in two-phase validation mode. In two-phase validation mode, the configuration takes effect after you run the commit command.
- You can run the system-view immediately command to enter the system view and edit the configuration in immediate validation mode. In immediate validation mode, after you input a command line and press Enter, the configuration takes effect immediately.
Precautions
In a command line prompt, HUAWEI is the default device name. The prompt indicates the
current view. <HUAWEI> indicates the user view. [HUAWEI] indicates the immediate
validation mode of the system view. [~HUAWEI] indicates the two-phase validation mode of
the system view.
Example
# Enter the system view.
<HUAWEI> system-view
Enter system view, return user view with return command.
[~HUAWEI]
Function
The terminal command alias command enables the command alias function for the current
terminal.
Format
terminal command alias
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The alias configured by the alias command can take effect only when the command alias
function is enabled.
If you run the undo terminal command alias command to disable the command alias
function for the current terminal, the command alias function can still be configured, and the
configuration information of command alias is not deleted, but the alias configured cannot
take effect.
Precautions
The terminal command alias command takes effect only on the current terminal.
Example
# Disable the command alias function for the current terminal.
<HUAWEI> undo terminal command alias
Function
The timestamp enable command enables the timestamp function for a system.
Format
timestamp enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the timestamp function is enabled, the system adds the query time to the output of the
display command.
Example
# Enable the timestamp function for the system.
<HUAWEI> system-view
[~HUAWEI] timestamp enable
[*HUAWEI] commit
[~HUAWEI] display this
2014-08-19 14:39:39.227
sysname HUAWEI
vlan batch 10
dldp enable
lldp enable
user-interface maximum-vty 15
timestamp enable
return
Function
The display system ztp command displays whether the system completes deployment
through ZTP or whether the system starts the ZTP process at the next startup without
configuration.
Format
display system ztp
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
None
Example
# Check whether the system completes deployment through ZTP.
<HUAWEI> display system ztp
---------------------------------------------------------
Slot Last startup ZTP status Next startup ZTP status
---------------------------------------------------------
1 disable enable
---------------------------------------------------------
Item Description
Next startup ZTP status Whether the system starts the ZTP process at the next startup without configuration:
- enable: yes
- disable: no
Function
The set ztp enable command enables the ZTP function on the device.
The set ztp disable command disables the ZTP function on the device.
Format
set ztp enable
set ztp disable
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
By default, the ZTP function is enabled so that an unconfigured device can start the ZTP
process during a startup. To disable an unconfigured device from starting the ZTP process
during a startup, disable the ZTP function on the device.
Example
# Disable the ZTP function.
<HUAWEI> set ztp disable
Format
set device usb-deployment disable
undo set device usb-deployment disable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
After the USB-based deployment function is enabled on a device, the device can be upgraded
once a qualified USB flash drive is connected to the device. After the USB-based deployment
function takes effect, to enhance device security and avoid service interruption caused by
unnecessary version upgrades, disable the USB-based deployment function. After the USB-based
deployment function is disabled, the device cannot be upgraded using any qualified USB flash
drive.
Example
# Enable the USB-based deployment function.
<HUAWEI> system-view
[~HUAWEI] undo set device usb-deployment disable
Format
set device usb-deployment password [ password ]
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
During USB-based deployment, you can check the HMAC of the configuration file to be
loaded to ensure validity of the configuration file. After an authentication password is
configured, the device uses the password as the key to calculate the HMAC of the
configuration file to be loaded based on the HMAC-SHA256 algorithm and compares the
calculated HMAC with the value of the HMAC field in the index file. If the two HMAC
values are the same, the device considers the configuration file valid, and USB-based
deployment can be performed. Otherwise, the device considers the configuration file invalid,
and USB-based deployment cannot be performed.
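The HMAC check described above, as an added example that is not Huawei's code: it recomputes the HMAC-SHA256 of a constructed configuration file with the deployment password as the key and compares it with the HMAC field of a constructed index file. The index file layout (a `hmac=<hex>` line) is an assumption, since the page does not give it.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample inputs (not taken from the page): a small configuration
# file to be loaded from the USB flash drive and the deployment password set
# with 'set device usb-deployment password'.
CONFIG_FILE = b"sysname HUAWEIA\nvlan batch 10\nuser-interface maximum-vty 15\n"
PASSWORD = "Pwd123456"


def config_hmac(config: bytes, password: str) -> str:
    """HMAC-SHA256 of the configuration file, keyed with the deployment password."""
    return hmac.new(password.encode("utf-8"), config, hashlib.sha256).hexdigest()


def parse_index_hmac(index_text: str) -> Optional[str]:
    """Extract the HMAC field from the index file.

    The real index file layout is not given on the page; a 'hmac=<hex>' line
    is assumed here (hypothetical format for this example)."""
    for line in index_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "hmac":
            return value.strip().lower()
    return None


def deployment_allowed(config: bytes, index_text: str, password: str) -> bool:
    """Allow USB-based deployment only if the recomputed HMAC equals the index HMAC.

    compare_digest is used so the comparison time does not depend on how many
    leading characters of the two digests match."""
    expected = parse_index_hmac(index_text)
    if expected is None:
        return False  # no HMAC field: treat the configuration file as invalid
    return hmac.compare_digest(config_hmac(config, password), expected)


# Index file as the device would expect it for CONFIG_FILE (constructed).
GOOD_INDEX = "version=example\nhmac=" + config_hmac(CONFIG_FILE, PASSWORD) + "\n"
# The same configuration file after a single change on the USB drive.
TAMPERED_CONFIG = CONFIG_FILE.replace(b"maximum-vty 15", b"maximum-vty 21")
```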
Example
# Set the authentication password for USB-based deployment to Pwd123456.
<HUAWEI> system-view
[~HUAWEI] set device usb-deployment password Pwd123456
Format
clock datetime [ utc ] HH:MM:SS YYYY-MM-DD
Parameters
Parameter Description Value
utc Indicates the UTC time. -
HH:MM:SS Specifies the current time on the switch. HH specifies the hour, which is an integer ranging from 0 to 23. MM specifies the minute, which is an integer ranging from 0 to 59. SS specifies the second, which is an integer ranging from 0 to 59.
YYYY-MM-DD Specifies the current date (year, month, and day) on the switch. YYYY specifies the year, which is an integer ranging from 2000 to 2037. MM specifies the month, which is an integer ranging from 1 to 12. DD specifies the day, which is an integer ranging from 1 to 31.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
In the scenario where accurate absolute time is required, the current date and time must be set
on the switch.
Prerequisite
The time zone and daylight saving time have been configured using the clock timezone and
clock daylight-saving-time commands. If the time zone and daylight saving time are not
configured, the clock datetime command sets a UTC time.
Precautions
- The specified time must be in 24-hour format. If you do not specify MM and SS, their values are 0. You must enter at least one digit to specify HH. For example, when you enter 0, the time is 00:00:00.
- The specified year must be a four-digit number and the specified month and day can be a one-digit number. For example, when you enter 2012-9-1, the time is 2012-09-01.
- If the device is configured to restart at a specified time and if the system time is changed to be more than 10 minutes later than the specified restart time, the scheduled restart function will be disabled.
Example
# Set the current time and date of the system to 0:0:0 2012-01-01.
<HUAWEI> clock datetime 0:0:0 2012-01-01
Function
The clock date-format command sets the date format on a device.
The undo clock date-format command restores the default date format on a device.
By default, the date format of a device is YYYY-MM-DD.
Format
clock date-format { MM-DD-YYYY | YYYY-MM-DD }
undo clock date-format
Parameters
Parameter Description Value
MM-DD-YYYY Indicates that the date format is MM-DD-YYYY, standing for month-day-year. -
YYYY-MM-DD Indicates that the date format is YYYY-MM-DD, standing for year-month-day. -
Views
All views
Default Level
3: Management level
Usage Guidelines
To change the date format on a device, run the clock date-format command.
Example
# Set the date format to MM-DD-YYYY.
<HUAWEI> clock date-format MM-DD-YYYY
Format
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset
clock daylight-saving-time time-zone-name repeating start-time { first | second | third | fourth | last } weekday month end-time { first | second | third | fourth | last } weekday month offset [ start-year [ end-year ] ]
clock daylight-saving-time time-zone-name repeating start-time start-date1 end-time end-date1 offset [ start-year [ end-year ] ]
undo clock daylight-saving-time
Parameters
Parameter Description Value
start-time Specifies the DST start time. The start time is in 24-hour format hh:mm. hh specifies the hour, which is an integer ranging from 0 to 23. mm specifies the minute, which is an integer ranging from 0 to 59. If mm is not specified, DST starts on the hour. You must enter at least one digit to specify hh. For example, when you enter 0, the start time is 00:00.
start-date Specifies the DST start date. The start date is in the format YYYY-MM-DD. YYYY specifies the year, which is an integer ranging from 2000 to 2037, MM specifies the month, which is an integer ranging from 1 to 12, and DD specifies the day, which is an integer ranging from 1 to 31.
end-time Specifies the DST end time. The end time is in 24-hour format hh:mm. hh specifies the hour, which is an integer ranging from 0 to 23. mm specifies the minute, which is an integer ranging from 0 to 59. If mm is not specified, DST ends on the hour. You must enter at least one digit to specify hh. For example, when you enter 0, the end time is 00:00.
end-date Specifies the DST end date. The end date is in the format YYYY-MM-DD. YYYY specifies the year, which is an integer ranging from 2000 to 2037, MM specifies the month, which is an integer ranging from 1 to 12, and DD specifies the day, which is an integer ranging from 1 to 31.
NOTE
The start and end months must be different, and the value obtained by deducting the start time from the end time must be greater than the offset value.
weekday Specifies a day of the week. The value is Mon, Tue, Wed, Thu, Fri, Sat, or Sun.
month Specifies a month. The value is Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, or Dec.
start-date1 Specifies the DST start date. The start date is in the format MM-DD. MM specifies the month, which is an integer ranging from 1 to 12, and DD specifies the day, which is an integer ranging from 1 to 31.
end-date1 Specifies the DST end date. The end date is in the format MM-DD. MM specifies the month, which is an integer ranging from 1 to 12, and DD specifies the day, which is an integer ranging from 1 to 31.
offset Specifies the DST offset. The value is in the format of HH:MM, where HH indicates the hour and MM indicates the minute. The value ranges from 00:01 to 02:00.
start-year Specifies the start year. The start year is in the format YYYY and ranges from 2000 to 2037.
end-year Specifies the end year. The end year is in the format YYYY and ranges from 2000 to 2037.
Views
User view, system view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
DST, also referred to as summer time, is a convention intended to save resources. In high
latitude areas, sunrise time is earlier in summer than in winter. To reduce use of incandescent
lighting in the evenings and save energy, clocks are adjusted forward one hour.
Users can customize the DST zone according to their countries' or regions' convention. In
addition, users can set how far ahead clocks are adjusted forward, usually an hour. With DST
enabled, when it is time to start DST, the system time is adjusted according to the user-
specified DST. When it is time to end DST, the system time automatically returns to the
original time.
Configuration Impact
Precautions
- The DST is configured in the summer. The DST duration ranges from one day to one year.
- You can configure the start time and end time for periodic DST in one of the following modes: date+date and week+week.
Example
# Set periodic DST.
<HUAWEI> system-view
[~HUAWEI] clock daylight-saving-time bj repeating 0 first sun jan 0 first sun apr 2 2009 2009
Function
The clock timezone command sets the local time zone.
The undo clock timezone command deletes the local time zone.
If you do not specify the time zone name, the system uses DefaultZoneName.
Format
clock timezone time-zone-name { add | minus } offset
Parameters
Views
User view, System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
To ensure normal communication between devices, set an accurate system clock. You can run
the clock timezone and clock daylight-saving-time commands to set the time zone and DST
offsets.
Precautions
- The specified time must be in 24-hour format. If you do not specify MM and SS, their values are 0. You must enter at least one digit to specify HH. For example, when you enter 0, the time is 00:00:00.
- After configuring the local time zone, run the display clock command to view the configuration. The time in logs and diagnostic information uses the local time adjusted based on the time zone and DST.
Example
# Set the local time zone name for Beijing China to BJ.
If the default UTC is London time 2012-12-01 00:00:00, Beijing time is London time plus
08:00 because the offset from UTC is 8 hours.
<HUAWEI> clock datetime 0:0:0 2012-12-01
<HUAWEI> clock timezone BJ add 08:00:00
Function
The display clock command displays the current date and clock setting.
Format
display clock [ utc ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run the display clock command to view the system date and clock setting and adjust
the setting if necessary.
Precautions
The system clock is set using the clock datetime, clock timezone, and clock daylight-
saving-time commands.
- If the three commands are not used, the original system clock is displayed after you run the display clock command.
- You can use any combination of the three commands to configure the system time. Table 3-6 lists the formats of the configured time.
The table assumes that the original system time is 08:00:00 on January 1, 2010.
- 1: indicates that the clock datetime command is used, in which the current time and date is date-time.
- 2: indicates that the clock timezone command is used, in which the time zone parameter is set and the time offset is zone-offset.
- 3: indicates that the clock daylight-saving-time command is used, in which the DST parameters are set and the time offset is offset.
- [1]: indicates that the clock datetime command is optional.
[Table 3-6: formats of the configured time. Only fragments of the table cells survive in this copy: the day of the week (Saturday or Friday) and the Daylight saving time fields Name: BJ with Start year and End year of 2010, 2011 or 2012.]
Example
# Display the current system date and time.
<HUAWEI> display clock
2011-01-01 03:00:05+10:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 01:00:00
End time : 2011-09-01 01:00:00
Saving Time : 02:00:00
3.4.6 sysname
Function
The sysname command sets the device host name.
The undo sysname command restores the default device host name.
By default, the device host name is HUAWEI.
Format
sysname host-name
undo sysname
Parameters
Parameter Description Value
host-name Specifies the host name. The value is a string of 1 to 246 case-sensitive characters with spaces.
NOTE
When configuring a system name, do not use the following special characters: \ " , ! @ [ ] ' If these characters are used, the save-as function and NE explorer of an NMS are opened slowly after the name is synchronized to the NMS.
Views
System view
Default Level
3: Management level
Usage Guidelines
Changing the host name affects the command interface prompt. For example, if the host name
is HUAWEI, the user interface prompt is <HUAWEI>.
Example
# Set the host name to HUAWEIA.
<HUAWEI> system-view
[~HUAWEI] sysname HUAWEIA
[*HUAWEI] commit
[~HUAWEIA]
Function
The acl command uses an ACL to restrict login rights of users on a terminal.
Format
acl [ ipv6 ] { acl-number | acl-name } { inbound | outbound }
Parameters
Parameter Description Value
ipv6 Indicates an ACL6 number. -
acl-number Specifies the number of an ACL. The value is an integer ranging from 2000 to 3999.
- 2000-2999: restricts the source address using the basic ACL.
- 3000-3999: restricts the source and destination addresses using the advanced ACL.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command restricts the login rights of a user interface based on the source IP address,
destination IP address, source port, or destination port. You can use this command to permit or
deny access to a destination or from a source.
Prerequisites
Before running this command, run the acl (system view) command in the system view and the
rule (ACL view) command in the ACL view to configure an ACL.
If no rule is configured, login rights on the user interface are not restricted when the acl
command is executed.
Precautions
After the configurations of the ACL take effect, all users on the user interface are restricted by
the ACL.
You can configure all of the following ACL types: IPv4 inbound, IPv4 outbound, IPv6
inbound, and IPv6 outbound on a user interface. Only one ACL of each type can be
configured on a user interface, and only the latest configuration of an ACL takes effect.
Example
# Restrict the Telnet login rights on user interface VTY 0.
<HUAWEI> system-view
[~HUAWEI] acl 3001
[*HUAWEI-acl4-advance-3001] rule deny tcp source any destination-port eq telnet
[*HUAWEI-acl4-advance-3001] quit
[*HUAWEI] user-interface vty 0
[*HUAWEI-ui-vty0] acl 3001 outbound
# Remove the restriction on the Telnet login rights on user interface VTY 0.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[*HUAWEI-ui-vty0] undo acl outbound
Function
The activate vty ip-block ip-address command unlocks the IP address of a user that fails the
authentication through the VTY user interface.
Format
activate vty ip-block ip-address ip-address [ vpnname vpn-name ]
Parameters
Parameter Description Value
ip-address Specifies a locked IP address. For an IPv4 address, the value is in decimal format. For an IPv6 address, the value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
vpnname vpn-name Specifies the name of the VPN to which the locked user belongs. The value is a string of 1 to 31 case-sensitive characters. NOTE: When quotation marks are used around the string, spaces are allowed in the string.
Views
User view
Default Level
3: Management level
Usage Guidelines
In the VTY user interface, if a user enters incorrect passwords for six consecutive times in 5
minutes, the IP address of this user is locked for 5 minutes. To unlock the IP address of this
user in advance, run the activate vty ip-block ip-address command.
Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate vty ip-block ip-address 10.1.2.3
Format
activate ssh server ip-block ip-address ip-address [ vpn-instance vpn-name ]
Parameters
Parameter Description Value
ip-address Specifies a locked IP address. For an IPv4 address, the value is in decimal format. For an IPv6 address, the value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
vpn-instance vpn-name Specifies the name of the VPN to which the locked user belongs. The value is a string of 1 to 31 case-sensitive characters. NOTE: When quotation marks are used around the string, spaces are allowed in the string.
Views
User view
Default Level
3: Management level
Usage Guidelines
In an SSH connection, if a user enters incorrect passwords for six consecutive times in 5
minutes, the IP address of this user will be blocked for 5 minutes. To unlock the IP address of
this user in advance, run the activate ssh server ip-block ip-address command.
Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate ssh server ip-block ip-address 10.1.2.3
Function
The authentication-mode command configures the authentication mode for accessing the
user interface.
The undo authentication-mode command deletes the authentication mode for accessing the
user interface.
By default, no authentication method is configured for the user interface. For the users
logging in to the VTY interface, an authentication method must be configured; otherwise,
users cannot log in.
Format
authentication-mode { aaa | password | none }
undo authentication-mode
Parameters
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a user logs in to the device using the console interface for the first time, the system
prompts the user to set the login password. After the user logs in to the device, the user can
run the authentication-mode command to change the authentication mode. The none mode
is not recommended because system security is low. It is recommended that you configure
AAA or password authentication to enhance system security.
Before Telnet or SSH users log in to the device using VTY user interface, they must run the
authentication-mode command to configure the authentication mode.
If SSH is configured for the user interface using the protocol inbound ssh command, you
must configure the authentication-mode aaa authentication mode to ensure successful
logins. If the password authentication mode is configured, the protocol inbound ssh
command cannot be executed.
Precautions
The authentication mode must be configured for login through the VTY user interface;
otherwise, users cannot log in to the device.
For the users logging in to the VTY interface, an authentication method must be configured;
otherwise, users cannot log in.
- After you set the authentication mode for accessing a user interface to password, run the set authentication password command to configure an authentication password. Keep the password safe. You need to enter the password when logging in to the device. The levels of commands accessible to a user depend on the level configured for the user interface to which the user logs in.
- When the authentication mode is set to aaa, the authentication password is deleted at the same time. Users are required to enter the login user name and password to log in to the device. After login, the level of the commands the user can run depends on the level of the local user specified in AAA configuration.
- When you run the undo authentication-mode command to delete the authentication mode, the system asks you whether to delete the authentication mode.
- If the AAA authentication mode is used, run the local-user user-name password command to configure the local user account and login password. Otherwise, user login fails.
Example
# Configure the authentication mode for accessing the user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] authentication-mode aaa
3.5.5 databits
Function
The databits command sets the number of data bits of the user interface.
The undo databits command restores the default number of data bits.
Format
databits { 5 | 6 | 7 | 8 }
undo databits
Parameters
Parameter Description Value
5 Indicates that the number of data bits is 5. -
6 Indicates that the number of data bits is 6. -
7 Indicates that the number of data bits is 7. -
8 Indicates that the number of data bits is 8. -
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Use this command only when necessary. If the number of data bits of a device's user interface
is changed, ensure that the same number of data bits is set on the HyperTerminal used for
login.
The setting is valid only when the serial port is configured to work in asynchronous mode.
Example
# Set the number of data bits to 5.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] databits 5
Function
The display ssh server ip-block all command displays information about the IP addresses of
all the clients that fail to pass authentication.
Format
display ssh server ip-block all
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
To check information about the IP addresses of all the clients that fail to pass authentication,
run the display ssh server ip-block all command. The command output includes the names
of the VPN instances to which the IP addresses belong, the IP address status, the number of
authentication failures, and whether an IP address that failed authentication is blocked from
further authentication attempts.
If a user logs in using SSH, the user's IP address will be locked for 5 minutes upon 6 incorrect
password attempts within 5 minutes. After the IP address is locked, the IP address status
displayed in the display ssh server ip-block all command output changes from AUTH
FAILED to BLOCKED.
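The lockout rule that the VTY and SSH ip-block commands on this page share (six wrong passwords within 5 minutes lock the client IP address for 5 minutes) and the AUTH FAILED to BLOCKED status change, as an added example that is not Huawei's code: a small model of the per-IP lock table with an early unlock in the style of the activate commands. Timestamps are integer seconds and the VPN name _public_ comes from the example output on this page; everything else is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Thresholds from the page: 6 wrong passwords within 5 minutes lock the
# client IP address for 5 minutes.
FAIL_THRESHOLD = 6
FAIL_WINDOW_SECONDS = 5 * 60
BLOCK_SECONDS = 5 * 60


@dataclass
class IpBlockEntry:
    vpn_name: str
    failures: List[int] = field(default_factory=list)  # timestamps of recent failures
    blocked_until: Optional[int] = None

    def status(self, now: int) -> str:
        """BLOCKED while the lock is active, otherwise AUTH FAILED."""
        if self.blocked_until is not None and now < self.blocked_until:
            return "BLOCKED"
        return "AUTH FAILED"

    def unblock_interval(self, now: int) -> int:
        """Seconds left until the address unlocks (the UnBlock Interval column)."""
        return self.blocked_until - now if self.status(now) == "BLOCKED" else 0


class IpBlockTable:
    """Per-client-IP lockout state, a constructed model of the behaviour the page describes."""

    def __init__(self) -> None:
        self.entries: Dict[str, IpBlockEntry] = {}

    def is_blocked(self, ip: str, now: int) -> bool:
        entry = self.entries.get(ip)
        return entry is not None and entry.status(now) == "BLOCKED"

    def record_failure(self, ip: str, now: int, vpn_name: str = "_public_") -> str:
        """Register one wrong password from ip at time now; return the new status."""
        entry = self.entries.setdefault(ip, IpBlockEntry(vpn_name))
        if entry.status(now) == "BLOCKED":
            return "BLOCKED"  # attempts during the lock do not extend it in this model
        # Keep only the failures inside the sliding 5-minute window; once the
        # lock expires, every failure that caused it has aged out of the window.
        entry.failures = [t for t in entry.failures if now - t < FAIL_WINDOW_SECONDS]
        entry.failures.append(now)
        if len(entry.failures) >= FAIL_THRESHOLD:
            entry.blocked_until = now + BLOCK_SECONDS
        return entry.status(now)

    def record_success(self, ip: str) -> None:
        """A successful login ends the run of consecutive failures."""
        self.entries.pop(ip, None)

    def activate(self, ip: str) -> bool:
        """Model of 'activate ssh server ip-block ip-address': unlock ahead of time."""
        return self.entries.pop(ip, None) is not None

    def all_rows(self, now: int) -> List[Tuple[str, str, str, int]]:
        """Rows like 'display ssh server ip-block all': ip, VPN, status, failure count."""
        return [(ip, e.vpn_name, e.status(now), len(e.failures))
                for ip, e in self.entries.items()]

    def block_list(self, now: int) -> List[Tuple[str, str, int]]:
        """Rows like 'display ssh server ip-block list': only locked addresses."""
        return [(ip, e.vpn_name, e.unblock_interval(now))
                for ip, e in self.entries.items() if e.status(now) == "BLOCKED"]
```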
Example
# Display information about the IP addresses of all the clients that fail to pass authentication.
Table 3-8 Description of the display ssh server ip-block all command output
Item Description
Function
The display ssh server ip-block list command displays information about client IP addresses
that are locked because of authentication failures.
Format
display ssh server ip-block list
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
To check information about client IP addresses that are locked because of authentication
failures, run the display ssh server ip-block list command. The command output includes the
names of VPN instances to which the locked client IP addresses belong and the remaining
locking period.
Example
# Display information about client IP addresses that are locked because of authentication
failures.
<HUAWEI> display ssh server ip-block list
-------------------------------------------------------------------------------------
IP Address              VPN Name                UnBlock Interval(Seconds)
-------------------------------------------------------------------------------------
192.168.10.1            _public_                36
-------------------------------------------------------------------------------------
Table 3-9 Description of the display ssh server ip-block list command output
Item Description
Function
The display user-interface command displays information about a user interface.
Format
display user-interface [ ui-type ui-number1 | ui-number ] [ summary ]
Parameters
Parameter Description Value
ui-type Displays information about a specified user interface. The value can be Console, VTY, RPC, or NCA.
ui-number1 Displays information about a user interface with a specified relative number. The minimum value is 0. The maximum value is smaller by 1 than the number of user interfaces the system supports.
ui-number Displays information about a user interface with a specified absolute number. The value is an integer ranging from 0 to 104. The value varies according to the device type.
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display user-interface command to view detailed configuration information
about all user interfaces or a specified user interface. To obtain the relative number and
absolute number of a user interface, run the display users command and view the User-Intf
field in the command output.
Example
# Display detailed information about the user interface with the absolute number 0.
<HUAWEI> display user-interface 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 0 CON 0 9600 - 15 15 - 6
UI(s) not in async mode -or- with no hardware support:
20-32
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
34 VTY 0 - 15 - A -
35 VTY 1 - 15 - A -
36 VTY 2 - 15 - A -
37 VTY 3 - 15 - A -
38 VTY 4 - 15 - A -
39 VTY 5 - 15 - - -
+ 40 VTY 6 - 15 15 N -
41 VTY 7 - 15 - - -
42 VTY 8 - 15 - - -
43 VTY 9 - 15 - - -
+ 44 VTY 10 - 15 15 N -
+ 45 VTY 11 - 15 15 N -
+ 46 VTY 12 - 15 15 N -
+ 47 VTY 13 - 15 15 N -
+ 48 VTY 14 - 15 15 N -
100 NCA 0 - - - A -
+ 101 NCA 1 - - 3 A -
+ 102 NCA 2 - - 3 A -
103 NCA 3 - - - A -
104 NCA 4 - - - A -
UI(s) not in async mode -or- with no hardware support:
21-32
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
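A defender reviewing this output wants the rows whose Auth column is N (no authentication) and the active remote sessions running at level 15. The following parser and audit are an added example, not Huawei code; the sample output is constructed from the listing above, and the Auth, ActualPrivi and Privi columns are read from the right because VTY and NCA rows carry fewer columns than the console row.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the display user-interface listing above.
SAMPLE_OUTPUT = """\
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 0 CON 0 9600 - 15 15 - 6
34 VTY 0 - 15 - A -
35 VTY 1 - 15 - A -
39 VTY 5 - 15 - - -
+ 40 VTY 6 - 15 15 N -
41 VTY 7 - 15 - - -
+ 44 VTY 10 - 15 15 N -
+ 45 VTY 11 - 15 15 N -
100 NCA 0 - - - A -
+ 101 NCA 1 - - 3 A -
UI(s) not in async mode -or- with no hardware support:
21-32
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
"""

# A data row: optional "+"/"F" activity flag, absolute index, type, relative index,
# then the remaining columns. Header and legend lines do not match this shape.
ROW_RE = re.compile(
    r"^\s*(?:(?P<flag>[+F])\s+)?(?P<idx>\d+)\s+(?P<type>[A-Z]+)\s+(?P<rel>\d+)\s+(?P<rest>.+?)\s*$"
)


@dataclass
class UserInterface:
    active: bool            # "+" or "F" flag: a session is currently using the UI
    idx: int                # absolute index
    ui_type: str            # CON, VTY, NCA, ...
    rel: int                # relative index within the type
    privi: Optional[int]    # configured privilege, None when shown as "-"
    actual_privi: Optional[int]
    auth: str               # A (AAA), P (UI password), N (none) or "-" (not shown)


def _as_int(token: str) -> Optional[int]:
    return int(token) if token.isdigit() else None


def parse_user_interfaces(output: str) -> List[UserInterface]:
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        cols = m.group("rest").split()
        if len(cols) < 4:
            continue
        # The console row carries Tx/Rx and Modem columns that VTY/NCA rows omit,
        # so Privi, ActualPrivi, Auth and Int are anchored at the right edge.
        privi, actual, auth = cols[-4], cols[-3], cols[-2]
        rows.append(UserInterface(
            active=m.group("flag") is not None,
            idx=int(m.group("idx")),
            ui_type=m.group("type"),
            rel=int(m.group("rel")),
            privi=_as_int(privi),
            actual_privi=_as_int(actual),
            auth=auth,
        ))
    return rows


NO_AUTH = "no authentication configured (Auth = N)"
ADMIN_SESSION = "active session at level 15 on a remote user interface"


def audit_user_interfaces(rows: List[UserInterface]) -> List[Tuple[int, str]]:
    """Return (absolute index, reason) pairs worth a second look."""
    findings = []
    for r in rows:
        if r.ui_type == "CON":
            continue  # local console; level 15 there is the documented default
        if r.auth == "N":
            findings.append((r.idx, NO_AUTH))
        if r.active and r.actual_privi == 15:
            findings.append((r.idx, ADMIN_SESSION))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_user_interfaces(parse_user_interfaces(SAMPLE_OUTPUT)):
        print(f"UI {idx}: {reason}")
```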
Function
The display user-interface maximum-vty command displays the maximum number of VTY
users.
Format
display user-interface maximum-vty
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display user-interface maximum-vty command to view the maximum
number of users who can connect to the device using Telnet or SSH. By default, the total
number of Telnet and SSH users is 5.
Example
# Display the maximum number of VTY users.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user : 5
Function
The display users command displays login information for each user interface.
Format
display users [ all ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view information about users who are connected to the device.
The information includes the user name, IP address, and authentication and authorization
information.
Example
# Run the display users command to view information about users who log in to the device
through the user interface.
<HUAWEI> display users
NOTE:
User-Intf: The absolute number and the relative number of user interface
Authen: Whether the authentication passes
Author: Command line authorization flag
--------------------------------------------------------------------------------
User-Intf Delay Type Network Address Authen Author Username
--------------------------------------------------------------------------------
34 VTY 0 16:07:36 TEL 10.135.34.246 pass yes root123
Item Description
User-Intf: The number in the first column indicates the absolute number of the user interface, and the number in the second column indicates the relative number of the user interface.
• CON: indicates that the user logs in to the device through the console interface.
• VTY: indicates that the user logs in to the device using Telnet or STelnet.
• NCA: indicates that the user logs in to the device using NETCONF.
Delay: Interval from the user's latest input to the current time, in seconds.
Type: Connection type. If the all parameter is specified and this field is empty, the user interface is not used. If the all parameter is not specified:
• An empty field or -- indicates the console type.
• TEL indicates the Telnet type.
• SSH indicates the SSH type.
Network Address:
• Console user interface: The value is the slot ID of the main control card.
• VTY user interface: The value is the IP address of the login user.
Username: User name for logging in to the device. If the user name is not specified, Unspecified is displayed.
Function
The display vty ip-block vty-password-mode all command displays all IP addresses that fail
to be authenticated.
Format
display vty ip-block vty-password-mode all
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
To check IP addresses that fail to be authenticated, run the display vty ip-block
vty-password-mode all command.
Example
# Display all IP addresses that fail to be authenticated.
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose] display vty ip-block vty-password-mode all
----------------------------------------------------------------------------------
IP Address        VPN Name        State       Auth-fail Count
----------------------------------------------------------------------------------
192.168.10.1      _public_        BLOCKED     6
----------------------------------------------------------------------------------
Table 3-13 Description of the display vty ip-block vty-password-mode all command output
Item Description
Format
display vty ip-block vty-password-mode list
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
To check information, such as the remaining block time, about IP addresses that are blocked
due to authentication failures, run the display vty ip-block vty-password-mode list
command.
Example
# Display IP addresses that are blocked due to authentication failures.
<HUAWEI> display vty ip-block vty-password-mode list
----------------------------------------------------------------------------------
IP Address        VPN Name        UnBlock Interval(Seconds)
----------------------------------------------------------------------------------
192.168.10.1      _public_        36
----------------------------------------------------------------------------------
Table 3-14 Description of the display vty ip-block vty-password-mode list command output
Item Description
3.5.13 flow-control
Function
The flow-control command configures a flow control mode.
The undo flow-control command restores the default flow control mode.
By default, the flow control mode is set to none, indicating that traffic is not controlled.
Format
flow-control { hardware | none | software }
undo flow-control
Parameters
Views
Console user interface view
Default Level
2: Configuration level
Usage Guidelines
The configuration is valid only when the serial port works in the console user interface view.
Example
# In the console user interface view, configure software-based flow control.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[*HUAWEI-ui-console0] flow-control software
Function
The kill user-interface command disconnects the device from a specified user interface.
Format
kill user-interface { ui-number | ui-type ui-number1 }
Parameters
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If a user logs in to the device and does not perform any operation or you want to forbid a user
from performing operations on the device, you can run the kill user-interface command to
delete a specified user. After the command is executed, the user logs out from the device.
Precautions
The kill user-interface command cannot be executed on the current user interface. If the
current user interface is VTY 2, the kill user-interface vty 2 command fails to be executed.
Example
# Disconnect the VTY3 user's terminal from the device.
<HUAWEI> kill user-interface vty 3
Warning: User interface VTY3 will be freed. Do you want to continue? [Y/N]:y
Info: User interface VTY3 is free.
Format
history-command max-size size-value
undo history-command max-size
Parameters
Parameter Description Value
size-value: Specifies the size of the historical command buffer. Value: an integer ranging from 0 to 256.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
The CLI can automatically save the historical commands that you enter. This function is
similar to that of Doskey. You can invoke and run the historical commands at any time.
Example
# Set the size of the historical command buffer to 20.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] history-command max-size 20
3.5.16 idle-timeout
Function
The idle-timeout command sets the timeout duration for disconnection from a user interface.
By default, the timeout duration is 10 minutes in vty user interface view, and 5 minutes in
console user interface view.
Format
idle-timeout minutes [ seconds ]
undo idle-timeout
Parameters
Parameter Description Value
minutes: Specifies the idle timeout duration, in minutes. Value: an integer that ranges from 0 to 35791 in the VTY user interface view and from 1 to 1440 in the console user interface view.
seconds: Specifies the idle timeout duration, in seconds. Value: an integer ranging from 0 to 59.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If a user logs in to the device and does not perform an operation, the user interface is occupied
unnecessarily. You can run the idle-timeout command to disconnect the user's terminal from
the device.
Precautions
• If you set the time to zero, then the line connection remains alive until you close it.
• If the user interface disconnection function is not configured, other users may fail to log
in to the device.
• If the idle timeout interval is set to 0 or a large value, the terminal will remain in the
login state, resulting in security risks. You are advised to run the lock command to lock
the current connection.
• You are advised to set the timeout duration to 10-15 minutes.
• In versions earlier than V200R002C50, the timeout period configured using the
idle-timeout command for a user connection in the console user interface view ranges from 0
to 35791. If the timeout period is set to 0 minutes or is greater than 1440 minutes in a
version earlier than V200R002C50, it is automatically set to 1440 minutes after the
system software is upgraded to V200R002C50 or a later version.
Example
# Set the timeout duration to 1 minute and 30 seconds.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] idle-timeout 1 30
Format
ip-block vty-password-mode disable
undo ip-block vty-password-mode disable
Parameters
None
Views
Security password view
Default Level
3: Management level
Usage Guidelines
If the function of blocking IP addresses in VTY access scenarios is enabled, the device blocks
IP addresses that fail to be authenticated and rejects VTY access requests that use the blocked
IP addresses. The device also records the blocked IP addresses in a list.
After the function is disabled, the device deletes the blocked IP addresses from the list and
does not record new IP addresses that fail to be authenticated. To disable the function, run the
ip-block vty-password-mode disable command.
Example
# Disable the function of blocking IP addresses in VTY access scenarios.
<HUAWEI> system-view
[~HUAWEI] security password
[*HUAWEI-security-password] ip-block vty-password-mode disable
Warning: It is not recommended to disable ip block feature. This operation may
result in system becoming vulnerable to security threats.
Function
The mmi-mode enable command enters the machine-to-machine mode.
Format
mmi-mode enable
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
After you enter the machine-to-machine mode using the mmi-mode enable command, the
command output is displayed in one screen.
After you enter the machine-to-machine mode using the mmi-mode enable command, some
important commands that you need to use with caution can be used directly. In
human-to-machine mode, use this command with caution.
Example
# Enter the machine-to-machine mode.
<HUAWEI> mmi-mode enable
3.5.19 parity
Function
The parity command sets the check bit of a user interface.
The undo parity command restores the default check bit of a user interface.
By default, no check is performed.
Format
parity { even | mark | none | odd | space }
undo parity
Parameters
Parameter Description Value
even Sets the transmission check bit to even parity. -
mark Sets the transmission check bit to mark check. -
none Sets the transmission check bit to no check. -
odd Sets the transmission check bit to odd parity. -
space Sets the transmission check bit to space check. -
Views
Console user interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no transmission check is performed. To prevent transmission errors, run the parity
command to configure the check bit of the specified user interface to improve data
transmission correctness.
Example
# Set the transmission check bit on the console port to odd parity.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[*HUAWEI-ui-console0] parity odd
Function
The protocol inbound command specifies the protocols that the VTY user interface supports.
The undo protocol inbound command restores the default protocols that the VTY user
interface supports.
Format
protocol inbound { all | ssh | telnet }
Parameters
Parameter Description Value
all Indicates that all protocols including SSH and Telnet are supported. -
ssh Indicates that only SSH is supported. -
telnet Indicates that only Telnet is supported. -
Views
VTY user interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To manage and monitor login users, configure the VTY user interface for login users and run
the protocol inbound command to configure the protocols that the VTY user interface
supports.
Prerequisites
If SSH is configured for the user interface using the protocol inbound command, you must
configure the authentication-mode aaa authentication mode to ensure successful logins. If
the password authentication mode is configured, the protocol inbound ssh command cannot
be executed.
Precautions
• The configuration takes effect at the next login.
• Telnet is an insecure protocol. Using SSH is recommended.
• When SSH is specified for the VTY user interface, if the SSH server has been enabled
and no RSA/DSA/ECC key is configured, users can log in to the SSH server using a
temporary key.
NOTE
You are advised to use the more secure ECC authentication algorithm for higher security.
Example
# Configure SSH for user interfaces VTY0 to VTY4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] authentication-mode aaa
[*HUAWEI-ui-vty0-4] protocol inbound ssh
3.5.21 screen-length
Function
The screen-length command sets the number of lines on each terminal screen after you run a
command.
The undo screen-length command restores the default configuration.
By default, the number of lines to be displayed on a terminal screen is 24.
Format
In the user interface view:
screen-length screen-length [ temporary ]
undo screen-length [ temporary ]
In the user view:
screen-length screen-length temporary
undo screen-length temporary
Parameters
Parameter Description Value
screen-length: Specifies the number of lines displayed on a terminal screen. Value: an integer that ranges from 0 to 512. The value 0 indicates that all command output is displayed on one screen.
temporary: Specifies the number of lines temporarily displayed on a terminal screen. Value: -
Views
User interface view, user view
Default Level
3: Management level
Usage Guidelines
If you run a command and its output is displayed in more lines than you can see on one
screen, you can reduce the number of lines displayed on each screen.
In general, you do not need to change the number of lines displayed on each screen. Setting
the number of lines to 0 is not recommended. The configuration takes effect after you log in
to the system again.
NOTE
In the user view, the temporary parameter is mandatory and this command is at the Management level.
Example
# Set the number of lines on each screen of the terminal to 30.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] screen-length 30
Format
set authentication password [ cipher password ]
undo set authentication password
Parameters
Parameter Description Value
cipher password: Specifies the password for the user interface. Value:
• When cipher is not entered, password input is in man-machine interaction mode, and the system does not display the entered password. The password is a string of 8 to 16 case-sensitive characters. The password must contain at least two of the following character types: upper-case character, lower-case character, digit, and special character. Special characters are allowed except the question mark (?) and space. However, when double quotation marks are used around the password, spaces are allowed in the password.
  – Double quotation marks cannot contain double quotation marks if spaces are used in a password.
  – Double quotation marks can contain double quotation marks if no space is used in a password.
  For example, the password "a123"45"" is valid, but the password "a 123"45"" is invalid.
• When cipher is entered, the password is displayed in either plaintext or ciphertext during input.
  – When being input in plaintext, the password requirements are the same as those when cipher is not entered. When you input a password in plaintext, the system displays the password in plaintext, which brings risks.
  – When being input in ciphertext, the password must be a string of 48 to 128 consecutive characters.
The password is displayed in ciphertext in the configuration file regardless of whether it is input in plaintext or ciphertext.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If password authentication is configured for users, you can run the set authentication
password command to change the password or set a password in cipher text.
If cipher password is not specified, the password is entered in interactive mode and can
contain 8 to 16 characters. The requirements for the password are the same as the
requirements for the plaintext password when you specify the cipher password. The password
you enter will not be displayed on the screen.
NOTE
If you enter the plaintext password when specifying cipher password, security risks exist. The
interactive mode is recommended when users enter the password.
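The password rules in the parameter table and usage guidelines above (8 to 16 characters, at least two character types, no question mark, spaces only inside double quotation marks, and the nesting rule for quotation marks) are easy to misread, so here they are as a checker. This is an added example, not Huawei code; it assumes the surrounding double quotation marks do not count toward the 8-16 character length, which is consistent with the valid example "a123"45"" in the table.

```python
from typing import List, Tuple

MIN_LEN, MAX_LEN = 8, 16            # interactive or plaintext password
CIPHER_MIN, CIPHER_MAX = 48, 128    # ciphertext pasted after the cipher keyword


def _unwrap_quotes(candidate: str) -> Tuple[str, bool]:
    """Strip surrounding double quotation marks; report whether they were present.
    Assumption (not stated on the page): the wrapper is not part of the password."""
    if len(candidate) >= 2 and candidate[0] == '"' and candidate[-1] == '"':
        return candidate[1:-1], True
    return candidate, False


def _char_classes(pw: str) -> int:
    """Count the character types present: upper-case, lower-case, digit, special."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() and not c.isspace() for c in pw)
    return sum((has_upper, has_lower, has_digit, has_special))


def check_plaintext_password(candidate: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    pw, quoted = _unwrap_quotes(candidate)
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} is outside {MIN_LEN}-{MAX_LEN}")
    if _char_classes(pw) < 2:
        problems.append("fewer than two of: upper-case, lower-case, digit, special character")
    if "?" in pw:
        problems.append("question mark (?) is not allowed")
    if " " in pw:
        if not quoted:
            problems.append("spaces are allowed only inside double quotation marks")
        elif '"' in pw:
            # quoted password with spaces: inner double quotation marks are rejected
            problems.append("a quoted password containing spaces may not contain double quotation marks")
    return problems


def check_ciphertext(candidate: str) -> List[str]:
    """Length rule for a password supplied in ciphertext form."""
    if CIPHER_MIN <= len(candidate) <= CIPHER_MAX:
        return []
    return [f"ciphertext length {len(candidate)} is outside {CIPHER_MIN}-{CIPHER_MAX}"]


if __name__ == "__main__":
    for sample in ['"a123"45""', '"a 123"45""', "my pass12", '"my pass12"', "abc?1234"]:
        print(sample, "->", check_plaintext_password(sample) or "ok")
```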
Pre-configuration Tasks
Before running the set authentication password command, run the authentication-mode
password command to set the authentication mode of the user interface to password
authentication; otherwise, the set authentication password command cannot be configured.
Precautions
• If a password in cipher text is configured, users must obtain the password in plain text
that is required for identity authentication.
• If the password authentication is configured but the password is not configured for the
user interface, the user cannot log in to the device.
• If the set authentication password command is executed multiple times, the latest
configuration overrides the previous ones. You can run the set authentication password
command to change the local authentication password. After the password is changed, a
user who wants to log in to the device must enter the latest password for identity
authentication.
• Users can press CTRL_C to cancel password modification in the interaction mode.
Example
# Set the local authentication password for the user interfaces VTY 0-4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] set authentication password
Warning: The "password" authentication mode is not secure, and it is strongly
recommended to use "aaa" authentication mode.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
[*HUAWEI-ui-vty0-4]
# Set the local authentication password for the user interfaces VTY 0-4 using the cipher parameter.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] set authentication password cipher Huawei@123
3.5.23 shell
Function
The shell command enables terminal services on a user interface.
The undo shell command disables terminal services on a user interface.
By default, terminal services are enabled on all user interfaces.
Format
shell
undo shell
Parameters
None
Views
VTY user interface view
Default Level
3: Management level
Usage Guidelines
You can use the shell command on a user interface to enable terminal services. This command
enables users to enter commands through this interface to query device information and
configure the device.
You can use the undo shell command on the user interface to disable terminal services. This
command does not allow users to perform any operations through this interface. After using
the undo shell command in the VTY view, this user interface does not provide Telnet and
STelnet access.
Example
# Disable terminal services on VTY 0 to VTY 4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] undo shell
Warning: ui-vty0-4 will be disabled. Do you want to continue? [Y/N]:y
Function
The speed command sets the baud rate of a user interface.
The undo speed command restores the default baud rate of a user interface.
Format
speed speed-value
undo speed
Parameters
Parameter Description Value
speed-value: Specifies the baud rate of a user interface. Value: expressed in bit/s. The asynchronous serial interface supports the following baud rates:
• 1200
• 2400
• 4800
• 9600
• 19200
• 38400
• 57600
• 115200
Views
Console user interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a user logs in to the switch through the console interface, the baud rate on the
HyperTerminal must be the same as that configured on the switch; otherwise, the user cannot
log in to the switch.
The setting is valid only when the serial port is configured to work in asynchronous mode.
Precautions
In V200R003C00, this command does not take effect on all switches before the
V200R003SPH005 patch is loaded, and users log in to the switch through the serial interface
using the default baud rate 9600 bit/s. After the V200R003SPH005 patch is loaded, all baud
rates can be configured on the CE6870-24S6CQ-EI and CE6870-48S6CQ-EI, the speed 300
or speed 600 command does not take effect on the CE8850-32CQ-EI, and you are advised to
configure other baud rates on the CE8850-32CQ-EI. For other switches excluding the
preceding two models, this command does not take effect, and users log in to the switch
through the serial interface using the default baud rate 9600 bit/s.
In V200R002C50:
l For switches excluding the CE6860EI, CE6870-48T6CQ-EI, CE8850-32CQ-EI,
CE6880EI, CE5810EI, and CE5850HI, this command does not take effect before the
V200R002C50SPH012 patch is loaded, and users log in to the switch through the serial
interface using the default baud rate 9600 bit/s; all baud rates can be configured after the
V200R002C50SPH012 patch is installed.
l For the CE6860EI, CE6870-48T6CQ-EI, and CE8850-32CQ-EI, this command does not
take effect before the V200R002C50SPH013 patch is loaded, and users log in to the
switch through the serial interface using the default baud rate 9600 bit/s; after the
V200R002C50SPH013 patch is loaded, the speed 300 or speed 600 command does not
take effect, and you are advised to configure other baud rates.
l For the CE6880EI, CE5810EI, and CE5850HI, this command does not take effect and
users log in to the switch through the serial interface using the default baud rate 9600
bit/s.
In V200R001C00 and earlier versions, the speed 300 or speed 600 command does not take
effect on the CE5810EI and CE5850HI, and you are advised to use other baud rates.
Example
# Set the baud rate of a user interface to 115200 bit/s.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 115200
Function
The ssh server ip-block disable command disables an SSH server from locking client IPv4
or IPv6 addresses.
The undo ssh server ip-block disable command enables an SSH server to lock client IPv4
and IPv6 addresses.
Format
ssh server ip-block disable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
• If an SSH server is enabled to lock client IP addresses, locked client IP addresses fail to
pass authentication and are displayed in the display ssh server ip-block list command
output.
• If an SSH server is disabled from locking client IP addresses, the display ssh server
ip-block list command does not display any client IP address that is locked because of
authentication failures.
• Disabling an SSH server from locking client IP addresses poses system risks and is
therefore not recommended.
Example
# Disable an SSH server from locking client IP addresses.
<HUAWEI> system-view
[~HUAWEI] ssh server ip-block disable
Warning: It is not recommended to disable IP block feature. This operation may
result in system becoming vulnerable to security threats.
3.5.26 stopbits
Function
The stopbits command sets the stop bit of a user interface.
The undo stopbits command restores the default stop bit of a user interface.
Format
stopbits { 1.5 | 1 | 2 }
undo stopbits
Parameters
Parameter Description Value
1.5 Sets the stop bit to 1.5. -
1 Sets the stop bit to 1. -
2 Sets the stop bit to 2. -
Views
Console user interface view
Default Level
3: Management level
Usage Guidelines
When a user logs in to the switch through the console interface, the stop bit on the
HyperTerminal must be the same as that configured on the switch; otherwise, the user cannot
log in to the switch.
The stop bit and the data bit configured using the databits command are related.
• If the stop bit is 1, the corresponding data bit is 8.
• If the stop bit is 1.5, the corresponding data bit is 5.
• If the stop bit is 2, the corresponding data bit is 6, 7, or 8.
The setting is valid only when the serial port is configured to work in asynchronous mode.
Example
# Set the stop bit of a user interface to 2.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] stopbits 2
Function
The user privilege command configures the user level.
The undo user privilege command restores the default user level.
By default, the command level for the console port on the user interface is 15 when the
command-privilege level rearrange command is run and 3 when the command-privilege
level rearrange command is not run; other users are at level 0.
Format
user privilege level level
Parameters
Parameter Description Value
level level: Specifies the user level.
NOTE
The larger the value, the higher the priority.
Value: If the command-privilege level rearrange command is configured, the value of level ranges from 0 to 15. If the command-privilege level rearrange command is not configured, the value of level ranges from 0 to 3.
NOTE
If the command-privilege level rearrange command configuration is changed, the value of level changes based on the level mapping.
• If the command-privilege level rearrange command configuration is added, the levels of level-0 and level-1 commands remain unchanged, the level of level-2 commands is upgraded to 10, and that of level-3 commands is upgraded to 15.
• If the command-privilege level rearrange command configuration is deleted, the level of level-0 commands remains unchanged, the levels of level-1 to level-9 commands are downgraded to 1, the levels of level-10 to level-14 commands are downgraded to 2, and the level of level-15 commands is downgraded to 3.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The system manages users at levels to control their access permissions. Users who log in to
the device can use only commands at the same or lower level than their own levels.
Commands are classified into the visit level, monitoring level, configuration level, and
management level that map levels 0, 1, 2, and 3 without command-privilege level
rearrange, as listed in Table 3-15.
User level 1: command levels Visit level (0) and Monitoring level (1). Commands of this level are used for system maintenance, including display commands.
NOTE
Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Command Reference.
User level 2: command levels Visit level (0), Monitoring level (1), and Configuration level (2). Commands of this level are used for service configuration to provide direct network services, including routing commands and commands of each network layer.
User level 3: command levels Visit level (0), Monitoring level (1), Configuration level (2), and Management level (3). Commands of this level are used for basic system operations, including file system, FTP, TFTP download, user management, command level configuration, and debugging.
If the command level configured for a user interface conflicts with that of a user, the
command level of the user takes precedence. For example, if the user 001 can use commands
at level 3 and the command level configured for the user interface VTY 0 is 2, the user 001
can use commands at level 3 and lower levels when logging in to the system through the user
interface VTY 0.
You can run the display user-interface command to view detailed information about a user
interface.
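The level mapping in the parameter table and the precedence rule in the usage guidelines above are small enough to model exactly, which makes it easy to see that the mapping is not reversible for intermediate levels. This is an added example, not Huawei code; the only assumption is that a session whose login carries no per-user level falls back to the user interface's level.

```python
from typing import Optional


def level_after_rearrange_added(level: int) -> int:
    """Command level after command-privilege level rearrange is configured:
    0 and 1 unchanged, 2 -> 10, 3 -> 15."""
    mapping = {0: 0, 1: 1, 2: 10, 3: 15}
    if level not in mapping:
        raise ValueError(f"level {level} is outside 0-3")
    return mapping[level]


def level_after_rearrange_deleted(level: int) -> int:
    """Command level after the rearrange configuration is deleted:
    0 unchanged, 1-9 -> 1, 10-14 -> 2, 15 -> 3."""
    if level == 0:
        return 0
    if 1 <= level <= 9:
        return 1
    if 10 <= level <= 14:
        return 2
    if level == 15:
        return 3
    raise ValueError(f"level {level} is outside 0-15")


def max_user_level(rearranged: bool) -> int:
    """Upper bound accepted by user privilege level in each mode."""
    return 15 if rearranged else 3


def effective_level(ui_level: int, user_level: Optional[int]) -> int:
    """Level granted to a session. The user's own level takes precedence over the
    level configured on the user interface; a login with no per-user level
    (assumption for this example) receives the user interface's level."""
    return ui_level if user_level is None else user_level


def can_run(command_level: int, ui_level: int, user_level: Optional[int] = None) -> bool:
    """A user may run commands at the same or a lower level than the effective level."""
    return command_level <= effective_level(ui_level, user_level)


def survives_rearrange_round_trip(level: int) -> bool:
    """True when adding and then deleting the rearrange configuration returns the
    original 0-3 level; intermediate levels such as 5 chosen under rearrange collapse to 1."""
    return level_after_rearrange_deleted(level_after_rearrange_added(level)) == level


if __name__ == "__main__":
    # The page's own scenario: user 001 at level 3 on VTY 0 configured at level 2.
    print("user 001 can run a level-3 command on VTY 0:", can_run(3, ui_level=2, user_level=3))
    print("level 5 after rearrange is deleted:", level_after_rearrange_deleted(5))
```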
Example
# Set the user level on the VTY0 user interface to 2.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] user privilege level 2
[*HUAWEI-ui-vty0] commit
3.5.28 user-interface
Function
The user-interface command displays one or more user interface views.
Format
user-interface ui-type first-ui-number [ last-ui-number ]
Parameters
Parameter Description Value
ui-type: Specifies the type of a user interface. Value: console or vty.
first-ui-number: Specifies the number of the first user interface. Value:
• If ui-type is set to console, the first-ui-number value is 0.
• If ui-type is set to vty, the first-ui-number value ranges from 0 to the maximum number of VTY user interfaces.
Views
System view
Default Level
3: Management level
Usage Guidelines
When the network administrator logs in to the device using the console interface, Telnet, or
SSH, the system manages and monitors the session between the user and the device on the
corresponding user interface. Each user interface corresponds to a user interface view. The
network administrator can set parameters such as authentication and user level to manage
sessions in a unified manner.
After you log in to the device, you can run the display user-interface command to view the
supported user interfaces and the corresponding relative.
Example
# Enter the Console 0 user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0]
Function
The user-interface maximum-vty command configures the maximum number of login users.
The undo user-interface maximum-vty command restores the default maximum number of
login users.
Format
user-interface maximum-vty number
Parameters
Parameter Description Value
number: Specifies the maximum number of Telnet and SSH users. Value: an integer ranging from 0 to 21.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The user-interface maximum-vty command configures the maximum number of login users.
If the VTY channels are fully occupied after the configuration is committed, new connections
are not allowed and the current users are not terminated.
Precautions
l The maximum number of login users set by the user-interface maximum-vty command
is the total number of Telnet and SSH (STelnet) users.
l If the maximum number of login users is set to 0, no user is allowed to log in to the
device using Telnet or SSH.
Example
# Set the maximum number of Telnet users to 7.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 7
Format
user-interface vty security-policy disable
undo user-interface vty security-policy disable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
The undo user-interface vty security-policy disable command clears a user authentication
request that has been pending for a long time to access the VTY user interface. For example,
if the number of existing user authentication requests has already reached the upper limit but a
new authentication request is received, the system clears the authentication request of the user
that fails to pass the authentication within 15 seconds and starts authenticating the new user.
The user-interface vty security-policy disable command cannot clear any user
authentication request that has been pending for a long time to access the VTY user interface.
NOTE
It is recommended that you enable the security policy to harden the VTY user interface's security.
Example
# Disable the VTY user interface's security policy.
<HUAWEI> system-view
[~HUAWEI] user-interface vty security-policy disable
Format
configuration exclusive
undo configuration exclusive
Parameters
None
Views
All views
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device allows simultaneous access and configuration by multiple users, which may cause
configuration conflicts and service exceptions. To prevent service exceptions, run this
command to lock and modify the configuration while allowing other users to only query the
configuration.
To unlock the configuration, do either of the following:
l Run the undo configuration exclusive command.
l Deliver no configuration commands for the configured maximum lock interval. The system then automatically unlocks the configuration. To configure the maximum lock interval, run the configuration exclusive timeout command.
Precautions
l After you run the configuration exclusive command, other users cannot modify the
system configuration, so confirm your action before running this command.
l Before you run the configuration exclusive command, run the configuration exclusive
timeout command to configure the maximum lock interval so that the system can
automatically unlock the configuration after this interval.
l Only one user can lock the configuration at a time. After the user logs out, the
configuration is unlocked automatically.
Example
# Lock the current system configuration.
<HUAWEI> configuration exclusive
Format
client ssl-policy policy-name
undo client ssl-policy
Parameters
Parameter Description Value
policy-name Specifies the name of an SSL policy. The name of an SSL policy must already exist.
Views
HTTP view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Legacy HTTP has no security mechanism. It transmits data in plaintext and does not verify the identities of the communicating parties, so data transmitted over HTTP can be read or tampered with in transit. In applications that require high security, such as e-commerce and online banking, HTTP is inapplicable. To enhance security, run the client ssl-policy command to configure an SSL policy for an HTTP client.
Configuration Impact
HTTP security is enhanced with the SSL security mechanisms, such as data encryption,
identity verification, and message integrity check.
Prerequisites
1. An SSL policy has been created and the SSL policy view is displayed using the ssl
policy command in the system view.
2. A digital certificate or certificate chain has been loaded using the certificate load
command in the SSL policy view.
Precautions
An HTTP client can only have one SSL policy configured. If the client ssl-policy command is
run more than once, the latest configuration overrides the previous one.
Example
# Configure an SSL policy named policy1 for an HTTP client.
<HUAWEI> system-view
[~HUAWEI] ssl policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pem-cert
a_servercertchain2_pem_dsa.pem key-pair dsa key-file
a_serverkeychain2_pem_dsa.pem auth-code cipher 123456
[*HUAWEI-ssl-policy-policy1] commit
[~HUAWEI-ssl-policy-policy1] quit
[~HUAWEI] http
[*HUAWEI-http] client ssl-policy policy1
Function
The client ssl-verify peer command configures an HTTP client to perform SSL verification
on HTTP servers.
The undo client ssl-verify command disables an HTTP client from performing SSL
verification on HTTP servers.
By default, an HTTP client does not perform SSL verification on HTTP servers.
Format
client ssl-verify peer
undo client ssl-verify
Parameters
None
Views
HTTP view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To configure an HTTP client to perform SSL verification on HTTP servers, run the client ssl-verify peer command. When a server presents its SSL digital certificate, the client then checks the certificate's validity and refuses to connect to servers whose certificate cannot be verified. Without this command the client accepts any server certificate: the connection is encrypted, but the server's identity is not proven.
Precautions
This command takes effect only if the client ssl-policy command has also been run to
configure an SSL policy for the client.
Example
# Configure an HTTP client to perform SSL verification on HTTP servers.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] client ssl-verify peer
Function
The configuration exclusive by-user-name command enables a user to lock the system
configuration.
The undo configuration exclusive by-user-name command enables a user to unlock the
system configuration.
By default, the system configuration is not locked.
Format
configuration exclusive by-user-name user-name
undo configuration exclusive by-user-name user-name
Parameters
Parameter Description Value
user-name Specifies the name of a user. The value is a string of 1 to 253 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Multiple users can access a device and manage it. A user can be a controller or another type of
user. If the configuration of a forwarder is modified by a non-controller user, the
configurations of the controller and forwarder may be inconsistent. The configuration
exclusive by-user-name command can be used to specify the controller to lock the system
configuration of a forwarder to avoid the inconsistency.
When multiple users manage a device at the same time, you can specify a user to lock the
device. Only this user can modify the device configuration, while others cannot.
Configuration Impact
After the system configuration is locked by a user, only this user can perform configuration
operations. Other users can view, edit, maintain, and save the configuration but cannot
commit the configuration. If another user needs to commit the configuration, run the undo
configuration exclusive by-user-name user-name command to unlock the configuration
first.
When this command is run, ensure that the user-name value is that specified when the
configuration exclusive by-user-name command is run.
Precautions
l Only one user can lock the system configuration at a time.
l The user that runs the configuration exclusive by-user-name user-name command to
lock the system configuration can be different from the user-name in this command.
For example, User-A can run the configuration exclusive by-user-name User-B
command to specify User-B to lock the system configuration.
l Only users of the management user level can lock and unlock the system configuration.
Users of the management user level include:
– Users of levels 3 to 15 when the command-privilege level rearrange command
configuration exists
– Users of level 3 when the command-privilege level rearrange command
configuration does not exist
l The configuration exclusive by-user-name command locks the device configuration
based on the user name. Only the same user name can be used to unlock the device. The
configuration exclusive command locks a device based on the session. The device can
be unlocked only by the current session. After the session is logged out, the device is
unlocked automatically.
Example
# Enable user root123 to lock the system configuration.
<HUAWEI> system-view
[~HUAWEI] configuration exclusive by-user-name root123
Format
configuration exclusive timeout timeout-value
undo configuration exclusive timeout
Parameters
Parameter Description Value
timeout-value Specifies the timeout period before the system automatically unlocks the configuration set. The value is an integer ranging from 1 to 7200, in seconds. By default, the timeout period is 30 seconds.
Views
System view
Default Level
3: Management level
Usage Guidelines
The configuration exclusive timeout command sets the maximum period during which the user who holds the configuration lock may deliver no commands. When this idle period expires, the configuration set is unlocked automatically and other users can run commands normally.
The following rules apply when the command is run:
l If a user without configuration access runs this command, the system displays an error message.
l If the configuration set is locked by another user, this command is invalid and the system displays an error message.
l If the configuration set is locked by the current user, the current user can run this command.
Example
# Set the timeout period before the system automatically unlocks the configuration set to 120
seconds.
<HUAWEI> system-view
[~HUAWEI] configuration exclusive timeout 120
Function
The display configuration exclusive by-user-name command displays lock information of
the system configuration locked based on user name.
Format
display configuration exclusive by-user-name
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
To view system configuration lock information, run the display configuration exclusive by-
user-name command. The command output includes the name of a user who locks or unlocks
the system configuration, time when the system configuration is locked or unlocked, and lock
ID.
If no system configuration is locked, no command output is displayed after the display
configuration exclusive by-user-name command is run.
Example
# Display lock information after the system configuration is locked.
<HUAWEI> display configuration exclusive by-user-name
Lock User Name: root123
Lock Time: 2018-03-07 20:13:31+04:00 DST
Identifier: 13
Item Description
Lock User Name Name of the user who locked the system configuration.
Lock Time Time when the system configuration was locked.
Identifier Lock ID.
Format
display configuration exclusive user
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display configuration exclusive user command to query the user that
obtains configuration access.
Example
# Display the user that locks the configuration set.
<HUAWEI> display configuration exclusive user
User Index: 34
User Session Name: VTY 0
User Name: root
IP Address: 10.135.38.234
Locked Time: 2013-03-06 21:09:36
Last Configuration Time: 2013-03-06 21:09:36
The configuration right was locked and timeout duration is: 30 second(s)
Table 3-17 Description of the display configuration exclusive user command output
Item Description
Last Configuration Time Time when the user ran the last command.
The configuration right was locked and timeout duration is Timeout period, in seconds, after which the configuration is unlocked automatically if the locking user delivers no command. Run the configuration exclusive timeout command to set this item.
Function
The display dsa key-pair command displays information about the DSA key pair with a
label.
Format
display dsa key-pair [ brief | label label-name ]
Parameters
Parameter Description Value
brief Displays brief information about all DSA key pairs with labels. -
label label-name Displays information about the DSA key pair with a specific label. Label name of the key pair.
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display dsa key-pair command to check information about the DSA key pair
with a label. The information varies when you specify different parameters in the command.
l If brief is specified, you can view brief information about all DSA key pairs with labels.
l If label label-name is specified, you can view information about the DSA key pair with a
specific label.
l When neither label nor brief is specified, you can view information about all DSA key
pairs with labels.
Example
# Display information about all DSA key pairs with labels.
<HUAWEI> display dsa key-pair
=====================================
Label name: abc
Modulus: 2048
Time of Key pair created: 2014-01-13 07:41:46
=====================================
Key :
30820325
02820101
00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60
BE8B9E36 D3E4EB9C D6EB7FD2 10219AC0 F41AD47B
F1EACD43 5D39AFA8 FACB6A78 19305EE1 47E42891
2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268
56A99ECF A5D80036 7B31A905 22F13949 6F4182DB
FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7
505413E9 1EFC961C 3F792096 25CFA8D7 D469FA35
A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714
B6326B7D B6067EBF 153CC1A7 20B0E1A7 E39C13FE
B3BA26E6 B052DC5B FFEE7C5C 52148FE6 C240738F
BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F
Item Description
Label name Label name. To specify the label name, run the dsa key-pair label command.
Time of Key pair created Time when the key pair is generated.
Function
The display dsa local-key-pair public command displays the public key in the local DSA
key pair of the device.
Format
display dsa local-key-pair public
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
This command displays the public key in the local DSA key pair. You can copy the public key
in the command output to the DSA public key of the SSH server to ensure that the public keys
on the client and server are consistent and that the client can be authenticated by the server.
Example
# Display the public key in the client DSA key pair.
<HUAWEI> display dsa local-key-pair public
========================================================
Time of key pair created : 2017-08-02 16:45:00
Key name : HUAWEI_Host_DSA
Key modulus : 2048
Key type : DSA encryption key
========================================================
Key code:
30820324
02820101
00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60
BE8B9E36 D3E4EB9C D6EB7FD2 10219AC0 F41AD47B
F1EACD43 5D39AFA8 FACB6A78 19305EE1 47E42891
2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268
56A99ECF A5D80036 7B31A905 22F13949 6F4182DB
FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7
505413E9 1EFC961C 3F792096 25CFA8D7 D469FA35
A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714
B6326B7D B6067EBF 153CC1A7 20B0E1A7 E39C13FE
B3BA26E6 B052DC5B FFEE7C5C 52148FE6 C240738F
BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F
CD4EA0EE 501FC669 5D03D68D 519324E4 93
0215
00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE
BB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017
62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
Table 3-19 Description of the display dsa local-key-pair public command output
Item Description
Time of key pair created Time when the public key is created.
Host public key for PEM format code PEM code of the public key.
Public key code for pasting into OpenSSH authorized_keys file Public key in the format used by the OpenSSH authorized_keys file.
Format
display dsa peer-public-key [ brief | name key-name ]
Parameters
Parameter Description Value
brief Displays the brief information. -
name key-name Displays the DSA public key with the specified name. The key-name must already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command displays the DSA public key for you to check whether the local and peer
public keys are consistent.
Precautions
You must complete the DSA public key configuration before running this command.
Example
# Display the DSA public key with the specified name.
Function
The display ecc key-pair command displays information about the ECC key pair with a
label.
Format
display ecc key-pair [ brief | label label-name ]
Parameters
Parameter Description Value
brief Displays brief information about all ECC key pairs with labels. -
label label-name Displays information about the ECC key pair with a specific label. Label name of the key pair.
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display ecc key-pair command to check information about the ECC key pair
with a label. The information varies when you specify different parameters in the command.
l If brief is specified, you can view brief information about all ECC key pairs with labels.
l If label label-name is specified, you can view information about the ECC key pair with a
specific label.
l When neither label nor brief is specified, you can view information about all ECC key
pairs with labels.
Example
# Display information about all ECC key pairs with labels.
<HUAWEI> display ecc key-pair
=====================================
Label name: abc123
Modulus: 521
Time of Key pair created: 2014-01-13 08:01:02
=====================================
Key :
0400B83D B5796B8F 28060F9E 6AA444C6 17F904D5 DE1D25D1 DF86CC94
5B30D58B A8BEA1D6 405D7928 AADCF587 ECCCFEE0 AE4235FE 3F78485C
BA72121D 5C76B902 34C0BC00 6815A445 F3EE1F36 9E7F9646 8E0EDA8D
51EF14B3 164C4742 970A158D 0807FBE6 FC9D9277 31CFF900 75600A8C
BA99BE37 366FFFFB 883C73EA 0970553C F2032738 3D
=====================================
Item Description
Label name Label name. To specify the label name, run the ecc key-pair label command.
Time of Key pair created Time when the key pair is generated.
Format
display ecc local-key-pair public
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display ecc local-key-pair public command to check the public key in the local ECC key pair on a client and then copy the public key to the server. The server uses this public key to authenticate the client, so that only authorized users can log in.
Example
# Display information about the public key in the local ECC key pair on a client.
<HUAWEI> display ecc local-key-pair public
========================================================
Time of key pair created : 2013-12-30 11:11:20
Key name : HUAWEI_Host_ECC
Key modulus : 521
Key type : ECC encryption key
========================================================
Key code:
04012998 DFDD74C4 3F58DF73 C9CED003 8BB308ED
8353FD26 BAF2F836 5EFDCC2A D26E185F 6F6E2E19
683FF161 9141A7C2 3EEA52E3 9801E245 D33079A2
B12DAF27 1DF59401 E5068456 C54FE0E0 5DD99CEB
98C527DB B3CE0707 7863DC59 34EE830C 8AACBDB3
5EA697C4 9A660DD8 1049A330 7DC7ED5A 905184AC
Table 3-22 Description of the display ecc local-key-pair public command output
Item Description
Time of key pair created Time when the public key in the local ECC key pair is generated, in the format YYYY-MM-DD HH:MM:SS.
Key name Name of the public key in the local ECC key pair.
Key modulus Length of the public key in the local ECC key pair.
Key type Type of the public key in the local ECC key pair.
Key code Code of the public key in the local ECC key pair configured using the ecc local-key-pair command.
Host public key for PEM format code PEM code of the public key in the local ECC key pair.
Function
The display ecc peer-public-key command displays information about the ECC public key
configured on the remote end.
Format
display ecc peer-public-key [ brief | name key-name ]
Parameters
Parameter Description Value
brief Displays brief information about the ECC public key configured on the remote end. -
name key-name Displays the ECC public key with the specified name. The key-name must already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to check detailed information about the ECC public key and
whether the local and peer public keys are the same.
Precautions
You must complete the ECC public key configuration before running this command.
Example
# Display brief information about all the ECC public keys.
<HUAWEI> display ecc peer-public-key brief
------------------------------------------
Bits Name
------------------------------------------
521 sat
------------------------------------------
# Display detailed information about the ECC public key named sat.
<HUAWEI> display ecc peer-public-key name sat
=====================================
Key name: sat
=====================================
Key code:
040020D4 5436AC31 BB1501EE 54CB84B6 AD9D5DB5 1B65EA59 9B5409A9 045D12A5
9133AF2C A7E9E80E 344E95DA D166E270 77B67702 72F9B94F FB78E487 1C2928C9
5437CE00 93AD2608 0D940547 8D6B84AB DDD30FE1 75B2C790 884B4F91 5DEE668F
08EE50CE 1CAE6D54 1A1DC28C 1936C451 ECBB7AB0 B7F2F09B 8F699940 CF81C7C7
906A40F4 7D
Format
display rsa key-pair [ brief | label label-name ]
Parameters
Parameter Description Value
brief Displays brief information about all RSA key pairs with labels. -
label label-name Displays information about the RSA key pair with a specific label. Label name of the key pair.
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display rsa key-pair command to check information about the RSA key pair
with a label. The information varies when you specify different parameters in the command.
l If brief is specified, you can view brief information about all RSA key pairs with labels.
l If label label-name is specified, you can view information about the RSA key pair with a
specific label.
l When neither label nor brief is specified, you can view information about all RSA key
pairs with labels.
Example
# Display information about all RSA key pairs with labels.
<HUAWEI> display rsa key-pair
=====================================
Label name : a01
Modulus : 2048
Time of key pair created : 2013-12-31 01:47:14
=====================================
Key :
3082010A 02820101 00E788C5 7BE23271 71E4ACFE 2AC67BD1 5B6F2B1B 98B9B530
8C3A5635 2CA667E9 685537FB 7CFC6F7E B6834F92 3EB55305 AC37A137 A797318B
164873EE 9E156132 9CE6B060 E737C8EC C6B7B4B8 D79885EB B3710E69 D6420B5A
554573B6 B381E159 162601B7 2CA4DFD0 16899329 79EC1DE4 A23B0232 496E3373
Item Description
Label name Label name. To specify the label name, run the rsa key-pair label command.
Time of key pair created Time when the key pair is generated.
Format
display rsa local-key-pair public
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
Run this command on the client and configure the client public key shown in the command output on the SSH server. The server then uses this key to verify the client, which allows secure data exchange between the SSH server and client.
Example
# Display the public key in the local key pair.
<HUAWEI> display rsa local-key-pair public
3082010A
02820101
00C4D569 631EC1E2 833E315D 5DED65F3 498F2ED0
9B04F901 DEC806AA 0941AC43 3BB7422B B1D6E754
26B36B48 9F40A1CE AAF31314 5B729DFB 931BDBD8
81EBF078 54D8570D B4BFDCF8 90091546 76CDED0A
5FAAA330 9F4D6186 DE41AFBE A2FA67D7 EB3FC5E9
FD80859D 4E7B1C12 21198FFA 231B8048 A6E6F0D3
205557D6 B0580D81 ADFD2B6D 3256FBAE 9E81ABA6
0E8FA794 5DB0AA13 FB4ACA36 E3D75918 C40E68C6
9F6CA0C8 7FAD471C AF7F0BD5 4469C4A7 CF8BC85B
EA735E02 5FAC972C 7BCD818C 3C8E3EAB DB830026
D6CDBA62 F00C8928 4A04A67C A597207E 23D91EF3
183E2466 F8D06754 CEE5EB2B 937E8516 AA1485D7
79B7CB6B 5AB299AB FFB1E1BF A0353DD3 97
0203
010001
======================Server key========================
Time of key pair created : 2013-12-30 08:55:14
Key name : HUAWEI_Server
Key type : RSA encryption key
========================================================
Key code:
3081B9
0281B1
00EA73D0 8787CAC7 01F5B1C3 BB526E42 18B4E740
C26250C8 E6453106 A22CC86D 9D702D5A A7192FFA
19ECBEAF C7AD3C56 89900E35 30D11766 4683E827
960AB080 6D1D5403 BB9553FC 57046006 D2A12AEA
086D0066 C7D81278 CC2720A9 7FF3F006 85EB945F
8306A451 D2795842 8FDAC528 0EAE9D23 8E7D0B28
BE4AA3BF 16F8282A 4C087B9E 87FBDF5D 7F2EB809
Table 3-25 Description of the display rsa local-key-pair public command output
Item Description
Time of key pair created Time and date when the public key is created.
Key name The value can be the host or server public key. The server public key is saved only when the key type is RSA.
Function
The display rsa peer-public-key command displays the peer public key saved on the local
host. If no parameter is specified, the command displays detailed information about all peer
public keys.
Format
display rsa peer-public-key [ brief | name key-name ]
Parameters
Parameter Description Value
brief Displays the brief information about all peer public keys. -
name key-name Specifies the key name. The key-name must already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to check detailed information about the RSA public key and
whether the local and peer public keys are the same.
Precautions
Before running the display rsa peer-public-key command, run the rsa peer-public-key command to enter the peer public key on the local host.
Example
# Display the brief information about all RSA public keys.
<HUAWEI> display rsa peer-public-key brief
------------------------------------------
Bits Name
------------------------------------------
1024 rsakey001
------------------------------------------
Table 3-26 Description of the display rsa peer-public-key brief command output
Item Description
# Display the detailed information about the RSA public key named rsakey001.
<HUAWEI> display rsa peer-public-key name rsakey001
=====================================
Key name : rsakey001
Encoding type : DER
=====================================
Key code:
308188
028180
739A291A BDA704F5 D93DC8FD F84C4274 631991C1 64B0DF17 8C55FA83 3591C7D4
7D5381D0 9CE82913 D7EDF9C0 8511D83C A4ED2B30 B809808E B0D1F52D 045DE408
61B74A0E 135523CC D74CAC61 F8E58C45 2B2F3F2D A0DCC48E 3306367F E187BDD9
44018B3B 69F3CBB0 A573202C 16BB2FC1 ACF3EC8F 828D55A3 6F1CDDC4 BB45504F
0203
010001
Table 3-27 Description of the display rsa peer-public-key name command output
Item Description
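The key codes printed by display rsa peer-public-key name, display rsa local-key-pair public and display ecc peer-public-key name are raw hex dumps, so checking that a pasted peer key is what you expect means decoding them. The following added example, which is not code from the device vendor, decodes both formats and applies the checks a reviewer would make: RSA keys are DER PKCS#1 RSAPublicKey (SEQUENCE of INTEGER modulus and INTEGER exponent, as the "Encoding type : DER" line indicates), ECC keys are an uncompressed point 0x04 || X || Y. The sample inputs are the rsakey001 and sat dumps shown above; the curve-size table and the 2048-bit RSA minimum are the author's assumptions.

```python
"""Decode the public-key hex dumps printed by display rsa peer-public-key name,
display rsa local-key-pair public and display ecc peer-public-key name, and
sanity-check key sizes. Added example, not vendor code. The curve-size table
and the 2048-bit RSA minimum are assumptions, not values from the documentation.
"""
import re

# Command outputs as shown above for rsakey001 (RSA, DER) and the ECC key sat.
RSAKEY001_OUTPUT = """\
Key name : rsakey001
Encoding type : DER
Key code:
308188
028180
739A291A BDA704F5 D93DC8FD F84C4274 631991C1 64B0DF17 8C55FA83 3591C7D4
7D5381D0 9CE82913 D7EDF9C0 8511D83C A4ED2B30 B809808E B0D1F52D 045DE408
61B74A0E 135523CC D74CAC61 F8E58C45 2B2F3F2D A0DCC48E 3306367F E187BDD9
44018B3B 69F3CBB0 A573202C 16BB2FC1 ACF3EC8F 828D55A3 6F1CDDC4 BB45504F
0203
010001
"""
SAT_OUTPUT = """\
Key name: sat
Key code:
040020D4 5436AC31 BB1501EE 54CB84B6 AD9D5DB5 1B65EA59 9B5409A9 045D12A5
9133AF2C A7E9E80E 344E95DA D166E270 77B67702 72F9B94F FB78E487 1C2928C9
5437CE00 93AD2608 0D940547 8D6B84AB DDD30FE1 75B2C790 884B4F91 5DEE668F
08EE50CE 1CAE6D54 1A1DC28C 1936C451 ECBB7AB0 B7F2F09B 8F699940 CF81C7C7
906A40F4 7D
"""

HEX_LINE = re.compile(r"^[0-9A-Fa-f]+(?: [0-9A-Fa-f]+)*$")
# Coordinate length in bytes -> curve size in bits (assumes NIST P-256/P-384/P-521).
CURVE_BITS = {32: 256, 48: 384, 66: 521}


def extract_key_code(output: str) -> bytes:
    """Collect the hex lines that follow 'Key code:' and decode them to bytes."""
    hex_lines, collecting = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Key code:"):
            collecting = True
        elif collecting and HEX_LINE.match(line):
            hex_lines.append(line)
        elif collecting:
            break                       # first non-hex line ends the dump
    if not hex_lines:
        raise ValueError("no 'Key code:' block found")
    return bytes.fromhex("".join(hex_lines).replace(" ", ""))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer (truncated dump?)")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(output: str) -> dict:
    """Return modulus, exponent and size of a PKCS#1 RSAPublicKey hex dump."""
    der = extract_key_code(output)
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    n = int.from_bytes(n_bytes, "big")
    return {
        "modulus": n,
        "exponent": int.from_bytes(e_bytes, "big"),
        "bits": n.bit_length(),                            # exact modulus length
        "nominal_bits": len(n_bytes.lstrip(b"\x00")) * 8,  # what the Bits column shows
    }


def parse_ec_public_key(output: str) -> dict:
    """Split an uncompressed SEC1 point into X and Y and infer the curve size."""
    point = extract_key_code(output)
    if not point or point[0] != 0x04 or len(point) % 2 == 0:
        raise ValueError("not an uncompressed EC point (04 || X || Y)")
    coord = (len(point) - 1) // 2
    return {
        "x": int.from_bytes(point[1:1 + coord], "big"),
        "y": int.from_bytes(point[1 + coord:], "big"),
        "coordinate_bytes": coord,
        "curve_bits": CURVE_BITS.get(coord),
    }


def check_rsa(info: dict, min_bits: int = 2048) -> list:
    """Findings a reviewer would raise for an RSA peer key (thresholds are assumptions)."""
    findings = []
    if info["bits"] < min_bits:
        findings.append(f"modulus is {info['bits']} bits (< {min_bits})")
    if info["exponent"] < 65537:
        findings.append(f"public exponent {info['exponent']} is below 65537")
    return findings
```

For rsakey001 the decoder returns exponent 65537 and a nominal size of 1024 bits, matching the Bits column of the brief output, but the leading modulus byte is 0x73, whose top bit is clear, so the exact modulus length is 1023 bits. That is the kind of detail a size check should compute from the key itself rather than read from a summary column. The sat key decodes to two 66-byte coordinates, consistent with the 521-bit size shown in the brief output.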
Format
display ssh client session
Parameters
Parameter Description Value
session Displays current session status information of the SSH client. -
Views
All views
Default Level
3: Management level
Usage Guidelines
To view current session connection information of the SSH client, run the display ssh client
session command.
Example
# Display current status information about the SSH client.
<HUAWEI> display ssh client session
--------------------------------------------------------------------------
Session : 1
Version : 2.0
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
CTOS Compress : none
STOC Compress : none
Total Packet Number : 152
Packet Number after Rekey : 152
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 2
Time after Rekey(Minute) : 2
--------------------------------------------------------------------------------
Table 3-28 Description of the display ssh client session command output
Item Description
Packet Number after Rekey Total number of SSH session packets after key re-negotiation.
Data after Rekey(MB) Total data volume of the SSH session connection after key re-negotiation, in MB.
Function
The display ssh server command displays the SSH server information.
Format
display ssh server { status | session }
Parameters
Parameter Description Value
status Displays the global configuration of the SSH server. -
session Displays information about the current sessions on the SSH server. -
Views
All views
Default Level
3: Management level
Usage Guidelines
After configuring the SSH attributes, you can run this command to view the configuration or
session connection information on the SSH server to verify that the SSH connection has been
established.
Example
# Display the global configuration on the SSH server.
<HUAWEI> display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Disable
SNETCONF IPv6 server : Disable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Enable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 0.0.0.0
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
SSH server ip-block : Enable
Table 3-29 Description of the display ssh server status command output
Item Description
SSH Version Protocol version used for the SSH session connection.
SSH authentication retries (Times) Maximum number of authentication attempts allowed for an SSH connection. Run the ssh server authentication-retries command to set this item.
SSH server key generating interval (Hours) Interval at which the SSH server key pair is regenerated, in hours. Run the ssh server rekey-interval command to set this item.
SSH version 1.x compatibility SSH 1.x version compatibility. The value can be Enable or Disable. Run the ssh server compatible-ssh1x enable command to set this item.
SSH server keepalive Keepalive state of the SSH server. The value can be Enable or Disable. Run the ssh server keepalive disable command to set this item.
SFTP IPv4 server/SFTP IPv6 server Status of the SFTP server. The value can be Enable or Disable. Run the sftp server enable command to set this item.
STELNET IPv4 server/STELNET IPv6 server Status of the STelnet server. The value can be Enable or Disable. Run the stelnet server enable command to set this item.
SNETCONF IPv4 server/SNETCONF IPv6 server Status of the SNETCONF server. The value can be Enable or Disable. Run the snetconf server enable command to set this item.
SCP IPv4 server/SCP IPv6 server Status of the SCP server. The value can be Enable or Disable. Run the scp server enable command to set this item.
ACL name Name of the ACL rule bound to the SSH server. Run the ssh server acl acl-name command to set this item.
ACL number Number of the ACL rule bound to the SSH server. Run the ssh server acl acl-number command to set this item.
ACL6 name Name of the ACL6 rule bound to the SSH server. Run the ssh ipv6 server acl acl-name command to set this item.
ACL6 number Number of the ACL6 rule bound to the SSH server. Run the ssh ipv6 server acl acl-number command to set this item.
SSH ipv6 server source vpnName VPN name of the SSH IPv6 server.
SSH server ip-block Status of client IP address locking on the SSH server. It can be one of the following:
l Enable: the SSH server is enabled to lock client IP addresses.
l Disable: the SSH server is disabled from locking client IP addresses.
Table 3-30 Description of the display ssh server session command output
Item Description
Connect type Connection used by the SSH session. The options are as follows:
l VTY: connection used by the STelnet user
l NCA: connection used by the SNetconf user
l SFTP: connection used by the SFTP user
Client to Server cipher Encryption algorithm name from the client to the server.
Server to Client cipher Encryption algorithm name from the server to the client.
Client to Server HMAC HMAC algorithm name from the client to the server.
Server to Client HMAC HMAC algorithm name from the server to the client.
Client to Server compression Name of the compression algorithm from the client to the server.
Server to Client compression Name of the compression algorithm from the server to the client.
Public key Public key algorithm used for server authentication, which can be RSA, DSA, or ECC.
NOTE
You are advised to use the more secure ECC authentication algorithm.
Service type Service type for an SSH user. The options are as follows:
l sftp
l stelnet
l snetconf
Run the ssh user service-type command to set this item.
Authentication type Authentication mode for an SSH user. The options are as follows:
l password
l rsa
l dsa
l ecc
l password-rsa (password and RSA)
l password-dsa (password and DSA)
l password-ecc (password and ECC)
l all (password, DSA, ECC, or RSA)
Run the ssh user authentication-type command to set this item.
Packet Number after Rekey Total number of SSH session packets after key re-negotiation.
Total Data(MB) Total data volume of the SSH session connection, in MB.
Data after Rekey(MB) Total data volume of the SSH session connection after key re-negotiation, in MB.
Time after Session Established(Minute) Connection duration since the SSH session connection was activated, in minutes.
Time after Rekey(Minute) Time elapsed since the session key was last re-negotiated, in minutes.
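The fields in Tables 3-29 and 3-30, together with the cipher and HMAC lines of the display ssh client session output, are what an auditor reads first when reviewing an SSH-managed device. The following added example, which is not code from the device vendor, parses those "Item : value" dumps and flags the settings a reviewer would question. The sample dumps are constructed from the outputs shown above; the weak-algorithm lists, the retry threshold and the reading of a 0-hour key generating interval as "server key never regenerated" are the author's assumptions.

```python
"""Audit display ssh server status output and the negotiated-algorithm fields of
display ssh client session / display ssh server session. Added example, not
vendor code; the weak-algorithm sets and thresholds below are assumptions.
"""

# Algorithms a reviewer would flag if negotiated (assumption, not a device list).
WEAK_CIPHERS = {"des-cbc", "3des-cbc", "arcfour", "arcfour128", "arcfour256",
                "blowfish-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}

# Constructed from the display ssh server status output shown above.
SERVER_STATUS = """\
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SSH server DES : Enable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
SSH server ip-block : Enable
"""

# Constructed from the display ssh client session output shown above.
CLIENT_SESSION = """\
Session : 1
Version : 2.0
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
CTOS Compress : none
STOC Compress : none
"""


def parse_kv(text: str) -> dict:
    """Turn 'Item : value' lines into a dict; the first ' : ' separates key from value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_server_status(text: str, max_retries: int = 3) -> list:
    """Return (code, message) findings for a display ssh server status dump."""
    s = parse_kv(text)
    findings = []
    if s.get("SSH version 1.x compatibility") == "Enable":
        findings.append(("ssh1", "SSH 1.x compatibility is enabled (ssh server compatible-ssh1x enable)"))
    if s.get("SSH server DES") == "Enable":
        findings.append(("des", "DES is enabled on the SSH server"))
    if s.get("SSH server key generating interval (Hours)") == "0":
        findings.append(("rekey", "server key is never regenerated; see ssh server rekey-interval"))
    if all(s.get(k, "--") == "--" for k in ("ACL name", "ACL number", "ACL6 name", "ACL6 number")):
        findings.append(("acl", "no ACL bound to the SSH server; see ssh server acl"))
    if s.get("SSH server ip-block") == "Disable":
        findings.append(("ip-block", "client IP address locking is disabled"))
    retries = s.get("SSH authentication retries (Times)", "0")
    if retries.isdigit() and int(retries) > max_retries:
        findings.append(("retries", f"authentication retries above {max_retries}"))
    return findings


def audit_session_algorithms(text: str) -> list:
    """Flag weak ciphers or MACs in a client or server session dump."""
    findings = []
    for key, value in parse_kv(text).items():
        k, v = key.lower(), value.lower()
        if "cipher" in k and v in WEAK_CIPHERS:
            findings.append((key, f"weak cipher {value}"))
        elif "hmac" in k and v in WEAK_MACS:
            findings.append((key, f"weak MAC {value}"))
    return findings
```

Run against the status dump above, audit_server_status reports three findings: DES enabled, a 0-hour key generating interval and no ACL bound to the SSH server, which are exactly the permissive values visible in that output. The client session dump negotiates aes256-ctr and hmac-sha2-256, so audit_session_algorithms returns nothing for it; the same function works on the "Client to Server cipher" and "Client to Server HMAC" lines of display ssh server session because it matches on the key name rather than its exact form.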
Format
display ssh server-info
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
When the SSH client needs to authenticate the server, the server public key saved in the local
host is used to authenticate the connected SSH server. If the authentication fails, you can run
the display ssh server-info command to verify that the server public key is correct.
Example
# Display all bindings between the SSH server and public keys on the SSH client.
<HUAWEI> display ssh server-info
----------------------------------------------------------------------------------
-------------------------------
Server Name(IP) Server public key name
Server public key type State
----------------------------------------------------------------------------------
-------------------------------
192.168.1.120 192.168.1.120
RSA CONFIGURE
192.168.1.110 192.168.1.110
RSA CONFIGURE
----------------------------------------------------------------------------------
-------------------------------
Item Description
Server Public Key Type Type of the public key on the SSH server.
Server public key name Name of the public key on the SSH server.
Function
The display ssh user-information command displays the configuration of all SSH users.
Format
display ssh user-information [ username ]
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
This command displays the SSH user name, bound RSA, DSA, or ECC public key name, and
service type.
Example
# Display the configuration of all SSH users.
<HUAWEI> display ssh user-information
--------------------------------------------------------------------------------
User Name : client001
Authentication type : password
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp
Item Description
Authentication type Authentication mode for an SSH user. The options are as
follows:
l password
l rsa
l dsa
l ecc
l password-rsa (password and RSA)
l password-dsa (password and DSA)
l password-ecc (password and ECC)
l all (password, DSA, ECC, or RSA)
Run the ssh user authentication-type command to set this
item.
User public key name Peer RSA, DSA, or ECC public key assigned to an SSH user.
Run the rsa peer-public-key, dsa peer-public-key, or ecc
peer-public-key command to set this item.
User public key type Type of the public key allocated to the SSH user:
l RSA: indicates that the type is RSA.
l DSA: indicates that the type is DSA.
l ECC: indicates that the type is ECC.
l --: indicates that no public key type is specified.
Service type Service type for an SSH user. The options are as follows:
l sftp: indicates that the service type is SFTP.
l stelnet: indicates that the service type is STelnet.
l snetconf: indicates that the service type is SNetConf.
l --: indicates that no service type is specified.
Run the ssh user service-type command to set this item.
Function
The display telnet server command displays the configuration of the current Telnet server.
Format
display telnet server
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
When you fail to log in to a server using Telnet, run the display telnet server command to
check the configuration of the Telnet server. The command output can help you find the cause
of the login failure.
Example
# Display the basic configuration of the Telnet server.
<HUAWEI> display telnet server
Telnet server : Enable
Telnet server port : 23
Telnet IPv6 server : Disable
Telnet IPv6 server port : 23
Telnet server source address : 0.0.0.0
TELNET ipv6 server source address : 0::0
TELNET ipv6 server source vpnName :
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
Telnet server Status of the Telnet server. The value can be Enable or Disable. Run the telnet server disable command to set this item.
Telnet IPv6 server Status of the Telnet IPv6 server. The value can be Enable or Disable. Run the telnet ipv6 server disable command to set this item.
Telnet IPv6 server port Port number of the Telnet IPv6 server. Run the telnet server port command to set this item.
Item Description
TELNET ipv6 server source address Source IP address of the Telnet IPv6 server.
TELNET ipv6 server source vpnName Source VPN instance name of the Telnet IPv6 server.
Function
The display telnet server status command displays the connection of the Telnet server.
Format
display telnet server status
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run this command to check the source IP address of the Telnet server and the source
address carried in a connection request.
If the Telnet connection does not exist, no information is displayed after you run this
command.
Example
# Display the status of the Telnet server.
<HUAWEI> display telnet server status
Session 1:
Source ip address : 192.168.1.3
VTY Index : 0
Session 2:
Source ip address : 192.168.1.4
VTY Index : 1
Session 3:
Source ip address : 192.168.1.5
VTY Index : 2
Session 4:
Source ip address : 192.168.1.6
VTY Index : 3
Current number of sessions : 4
Table 3-34 Description of the display telnet server status command output
Item Description
Function
The display telnet client command displays the number of current telnet connections.
Format
display telnet client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
An administrator can use the display telnet client command to check how many users have
logged in to a server through Telnet.
Example
# Display the number of current connections.
<HUAWEI> display telnet client
---------------------------------------
Current user count : 2
Source IPv4 address : 10.1.1.2
---------------------------------------
Format
dsa key-pair label label-name [ modulus modulus-bits ]
dsa key-pair label load private private-key public public-key
undo dsa key-pair label label-name
Parameters
Parameter Description Value
label-name Specifies the label name of a DSA key pair. The value is a string of 1 to 35 case-insensitive characters. The string can contain only letters, digits, and underscores (_).
load private private-key Specifies the private key in the key pair. The private-key must already exist.
public public-key Specifies the public key in the key pair. The public-key must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to generate a DSA key pair for user authentication. The DSA key
pair improves authentication security. You can run the dsa key-pair label command to
generate multiple DSA key pairs, and the key pairs are identified by different labels.
Precautions
You can run the dsa key-pair label command to generate multiple DSA key pairs with labels.
The maximum number of DSA key pairs is specified by the dsa key-pair maximum
command. By default, the device can generate a maximum of 20 DSA key pairs with labels.
Example
# Generate the DSA key pair with the label name ssh_host.
<HUAWEI> system-view
[~HUAWEI] dsa key-pair label ssh_host
Function
The dsa key-pair maximum command configures the maximum number of DSA key pairs
with labels that can be generated.
The undo dsa key-pair maximum command restores the maximum number of DSA key
pairs with labels to the default value.
By default, the device can generate a maximum of 20 DSA key pairs with labels.
Format
dsa key-pair maximum max-keys
undo dsa key-pair maximum
Parameters
Parameter Description Value
max-keys Specifies the maximum number of DSA key pairs with labels. The value is an integer that ranges from 1 to 20.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Saving DSA key pairs consumes system memory and file resources. Therefore, you can adjust
the maximum number of DSA key pairs as required to ensure that they do not occupy too
many system resources.
Configuration Impact
The device fails to generate DSA key pairs with labels when the number of DSA key pairs
reaches the upper limit specified by this command.
Example
# Set the maximum number of DSA key pairs with labels to 15.
<HUAWEI> system-view
[~HUAWEI] dsa key-pair maximum 15
Function
The dsa local-key-pair create command generates a local DSA key pair.
By default, a local DSA key pair is not configured.
Format
dsa local-key-pair create
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Compared with RSA, the Digital Signature Algorithm (DSA) has a wider application range in the SSH protocol. Following the principle of asymmetric cryptography, a public and private key pair is generated to implement secure key exchange, which protects the session.
The prerequisite for a user to successfully log in to the SSH server using DSA authentication
is to generate a local DSA key pair. A local DSA key pair can be generated in the following
two methods:
l Configuration: You can run the dsa local-key-pair create command to generate a local
DSA key pair.
l Automatic generation: If an SSH client logs in to a device and the SSH server has no
DSA key pair, the system automatically generates a DSA key pair.
Key pairs generated in the two methods are the same in terms of function, security, query, and
deletion. It is recommended that you run the dsa local-key-pair create command to generate
a local DSA key pair.
When you run this command and a DSA key already exists, the system prompts you to confirm whether to replace the original key. The key in the new key pair is named device-name_Host_DSA, for example, HUAWEI_Host_DSA.
After you enter the command, the device prompts you to enter the number of bits in the host key. The host key length is 2048 bits.
After a successful login, run the save command to save configurations. The generated key
pair then is saved on the device and is not lost after the device restarts.
Precautions
This command is not saved in a configuration file and takes effect immediately after being executed. After the device restarts, you do not need to run the command again.
Example
# Generate a local DSA key pair on the device.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Function
The dsa local-key-pair destroy command deletes local DSA host key pairs.
Format
dsa local-key-pair destroy
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
DSA is used for SSH authentication. Following the principle of asymmetric cryptography, a public and private key pair is generated to implement secure key exchange, which protects the session. You can run the dsa local-key-pair create command to generate local DSA keys. When the local DSA keys are no longer needed, run the dsa local-key-pair destroy command to delete them.
Prerequisite
Precautions
After you run this command, it takes effect and is not saved in a configuration file.
Example
# Delete local DSA keys.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair destroy
Info: The name of the key which will be destroyed is
HUAWEI_Host_DSA.
Warning: These keys will be destroyed. Continue? Please select [Y/
N]:y
Info: Succeeded in destroying the DSA host keys.
Format
dsa local-key-pair load hostkey file-name
Parameters
Parameter Description Value
hostkey Loads the local DSA key pair. -
file-name Specifies the name of the file from which key The name of the file must
pairs are loaded. already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the system is upgraded from an earlier version to a later version and you want to keep using the DSA key configuration of the earlier version, run the dsa local-key-pair load command to load the local DSA and server key pairs from a specified file.
Prerequisites
The file that contains the DSA key pair already exists.
Example
# Load the local DSA key pair.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair load hostkey flash:/hostkey_dsa
Format
dsa peer-public-key key-name encoding-type { der | openssh | pem }
undo dsa peer-public-key key-name
Parameters
Parameter Description Value
key-name Specifies the public key name. The value is a string of 1 to 40 case-sensitive characters without spaces.
NOTE
When double quotation marks are used around the string, spaces are allowed in the string.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you use a DSA public key for authentication, you must specify the public key of the
corresponding client for an SSH user on the server. When the client logs in to the server, the
server uses the specified public key to authenticate the client. You can also save the public
key generated on the server to the client. Then the client can be successfully authenticated by
the server when it logs in to the server for the first time.
Huawei data communications devices support DSA keys in the DER, OpenSSH, and PEM formats. If you have a DSA key in another format, use a third-party tool to convert it into DER, OpenSSH, or PEM format.
Because no such third-party tool is shipped with Huawei system software, relying on DER and PEM alone would make DSA inconvenient to use; supporting the OpenSSH format in addition to DER and PEM improves DSA usability.
Third-party software, such as SecureCRT, PuTTY, OpenSSH, and OpenSSL, can be used to
generate DSA keys in different formats. The details are as follows:
l The SecureCRT and PuTTY generate DSA keys in PEM format.
l The OpenSSH generates DSA keys in OpenSSH format.
l The OpenSSL generates DSA keys in DER format.
OpenSSL is open source software. You can download related documents at http://www.openssl.org/.
After you configure an encoding format for a DSA public key, Huawei data communications
device automatically generates a DSA public key in the configured encoding format and
enters the DSA public key view. Then you can run the public-key-code begin command and
manually copy the DSA public key generated on the peer device to the local device.
Follow-up Procedure
After you copy the DSA public key generated on the peer device to the local device, perform
the following operations to exit the DSA public key view:
1. Run the public-key-code end command to return to the DSA public key view.
2. Run the peer-public-key end command to exit the DSA public key view and return to
the system view.
Precautions
If a DSA public key has been assigned to an SSH client, release the binding between the public key and the SSH client first. Otherwise, the undo dsa peer-public-key command fails to delete the DSA public key.
If a DSA public key has been assigned to an SSH user, run the undo ssh user user-name assign dsa-key command to delete the mapping between the DSA public key and the SSH user. If you do not delete the mapping, the undo dsa peer-public-key command cannot delete the DSA public key.
Example
# Configure an encoding format for a DSA public key and enter the DSA public key view.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key 23 encoding-type der
[*HUAWEI-dsa-public-key]
Function
The ecc key-pair label command generates an ECC key pair with a label.
The undo ecc key-pair label command deletes an ECC key pair with a label.
Format
ecc key-pair label label-name [ modulus modulus-bits ]
Parameters
Parameter Description Value
label-name Specifies the label name of an ECC key pair. The value is a string of 1 to 35 case-insensitive characters. It can contain digits, letters, and underscores (_) only.
modulus modulus-bits Specifies the modulus of the ECC key pair. The value can be 256, 384, or 521, in bits. The default value is 521. A larger modulus indicates higher security. However, it takes a long time to generate and use such a key pair.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to generate an ECC key pair for user authentication. The ECC key
pair improves authentication security. You can run the ecc key-pair label command to
generate multiple ECC key pairs, and the key pairs are identified by different labels.
Precautions
You can run the ecc key-pair label command to generate multiple ECC key pairs with labels.
The maximum number of ECC key pairs is specified by the ecc key-pair maximum
command. By default, the device can generate a maximum of 20 ECC key pairs with labels.
Example
# Generate an ECC key pair with a label named ecc_key_pair.
<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecc_key_pair
Format
ecc key-pair maximum max-keys
undo ecc key-pair maximum
Parameters
Parameter Description Value
max-keys Specifies the maximum number of ECC key pairs with labels. The value is an integer that ranges from 1 to 20.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Saving ECC key pairs consumes system memory and file resources. Therefore, you can adjust
the maximum number of ECC key pairs as required to ensure that they do not occupy too
many system resources.
Configuration Impact
The device fails to generate ECC key pairs with labels when the number of ECC key pairs
reaches the upper limit specified by this command.
Example
# Set the maximum number of ECC key pairs with labels to 15.
<HUAWEI> system-view
[~HUAWEI] ecc key-pair maximum 15
Function
The ecc local-key-pair create command generates a local ECC key pair.
The ecc local-key-pair destroy command deletes the local ECC key.
Format
ecc local-key-pair create
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
A local key pair is a prerequisite to a successful SSH login. Compared with the RSA
algorithm used by the rsa local-key-pair create command, the ECC algorithm shortens the
key length, accelerates the encryption, and improves the security. The length of the server key
pair can be 256 bits, 384 bits, and 521 bits. By default, the length of the key pair is 521 bits.
If you no longer need the local ECC key pairs, run the ecc local-key-pair destroy command
to delete them.
The prerequisite for a user to successfully log in to the SSH server using ECC authentication
is to generate a local ECC key pair. A local ECC key pair can be generated in the following
two methods:
l Configuration: You can run the ecc local-key-pair create command to generate a local
ECC key pair.
l Automatic generation: If an SSH client logs in to a device and the SSH server has no
ECC key pair, the system automatically generates an ECC key pair.
Key pairs generated in the two methods are the same in terms of function, security, query, and
deletion. It is recommended that you run the ecc local-key-pair create command to generate
a local ECC key pair.
After a successful login, run the save command to save configurations. The generated key
pair then is saved on the device and is not lost after the device restarts.
Precautions
l The generated ECC host key pair is named in the format switch-name_Host_ECC, for example, HUAWEI_Host_ECC.
l The ecc local-key-pair create and ecc local-key-pair destroy commands are not saved
in the configuration file. They only need to be run once and take effect even after the
switch restarts.
l Do not delete the ECC key file from the switch.
Example
# Generate a local ECC key pair.
<HUAWEI> system-view
[~HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:
Format
ecc peer-public-key key-name [ encoding-type der ]
undo ecc peer-public-key key-name
Parameters
Parameter Description Value
key-name Specifies the ECC public key name. The value is a string of 1 to 40 case-sensitive characters without spaces.
NOTE
When quotation marks are used around the string, spaces are allowed in the string.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you use an ECC public key for authentication, specify the public key on the server for
the client of SSH users. When the client logs in to the server, the server uses the specified
public key to authenticate the client.
After you enter the ECC public key view, run the public-key-code begin command, and copy
the ECC public key to the server.
NOTE
A maximum of 20 ECC public keys can be configured.
Follow-up Procedure
After you copy the ECC public key generated on the client to the server, perform the
following operations to exit the ECC public key view:
1. Run the public-key-code end command to return to the ECC public key view.
2. Run the peer-public-key end command to exit the ECC public key view and return to
the system view.
Precautions
The public key on the client is randomly generated by the client software.
If an ECC public key has been assigned to an SSH user, run the undo ssh user user-name
assign ecc-key command to delete the mapping between the ECC public key and the SSH
user. If you do not delete the mapping, the undo ecc peer-public-key command cannot delete
the ECC public key.
Example
# Create an ECC public key and enter the ECC public key view.
<HUAWEI> system-view
[~HUAWEI] ecc peer-public-key ecckey001
[*HUAWEI-ecc-public-key]
Format
ftp server login-failed threshold-alarm upper-limit report-times lower-limit resume-times
period period-time
undo ftp server login-failed threshold-alarm [ upper-limit report-times lower-limit
resume-times period period-time ]
Parameters
Parameter Description Value
upper-limit report-times Specifies the number of authentication failures at which a failure alarm is reported. If the value is 0, no authentication failure alarm is reported. The default value is 30. The value is an integer ranging from 0 to 100.
lower-limit resume-times Specifies the number of authentication failures at which the failure clear alarm is reported. The default value is 20. The value is an integer ranging from 0 to 45.
period period-time Specifies the period in which failure alarms are counted, in minutes. The default value is 5. The value is an integer ranging from 1 to 120.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If an FTP management user frequently fails to log in within a short period, the device
generates a management security alarm and reports it to administrators for their intervention.
To configure alarm reporting and clearance thresholds within a specified period, run the ftp
server login-failed threshold-alarm command.
The command takes effect for both IPv4 and IPv6 FTP servers.
Example
# Configure 40 as the alarm reporting threshold and 25 as the alarm clearance threshold
within 10 minutes.
<HUAWEI> system-view
[*HUAWEI] ftp server login-failed threshold-alarm upper-limit 40 lower-limit 25 period 10
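An added model of the raise/clear behaviour this command configures, written against the page's example values (40 / 25 / 10 minutes); it is not Huawei code. The sliding window, the hysteresis between the two thresholds and the timer re-evaluation are assumptions, since the page does not define how the period is counted.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginFailedThresholdAlarm:
    """Assumed semantics of 'ftp server login-failed threshold-alarm
    upper-limit U lower-limit L period P': failures are counted in a sliding
    window of P minutes; when the count reaches U an alarm is raised, and an
    active alarm is cleared once the count drops to L or below. An
    upper-limit of 0 disables reporting, as the parameter table states."""
    upper_limit: int = 30
    lower_limit: int = 20
    period_minutes: int = 5
    alarm_active: bool = False
    _failures: deque = field(default_factory=deque)  # failure timestamps (s)

    def _prune(self, now):
        """Drop failures that have aged out of the counting window."""
        window = self.period_minutes * 60
        while self._failures and now - self._failures[0] >= window:
            self._failures.popleft()

    def _evaluate(self, now):
        self._prune(now)
        if self.upper_limit == 0:
            return None
        count = len(self._failures)
        if not self.alarm_active and count >= self.upper_limit:
            self.alarm_active = True
            return "raise"
        if self.alarm_active and count <= self.lower_limit:
            self.alarm_active = False
            return "clear"
        return None

    def record_failure(self, now):
        """Record one failed FTP login at `now` (seconds) and return
        "raise", "clear" or None according to what would be reported."""
        self._failures.append(now)
        return self._evaluate(now)

    def tick(self, now):
        """Re-evaluate without a new failure (e.g. from a timer) so that an
        alarm clears once old failures leave the window."""
        return self._evaluate(now)

    def failures_in_window(self, now):
        self._prune(now)
        return len(self._failures)


def replay(events, **cfg):
    """Feed (timestamp, "fail" | "tick") events through the model and return
    every (timestamp, report) where a raise or clear would be reported."""
    model = LoginFailedThresholdAlarm(**cfg)
    reports = []
    for ts, kind in events:
        report = model.record_failure(ts) if kind == "fail" else model.tick(ts)
        if report:
            reports.append((ts, report))
    return reports


# Constructed sample: 40 failed logins one second apart from t=0, then quiet,
# with timer ticks at 5 and ~10 minutes.
SAMPLE_EVENTS = [(t, "fail") for t in range(40)] + [(300, "tick"), (620, "tick")]

if __name__ == "__main__":
    # Page's example thresholds: alarm at the 40th failure, cleared when the
    # window has thinned to 25 or fewer failures.
    print(replay(SAMPLE_EVENTS, upper_limit=40, lower_limit=25, period_minutes=10))
```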
3.6.35 http
Function
The http command displays the HTTP view.
The undo http command deletes the HTTP view and all configurations in this view.
Format
http
undo http
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
HTTP is an application-layer protocol that transports hypertext from WWW servers to local
browsers. HTTP uses the client/server model in which requests and replies are exchanged.
Before configuring HTTP, run the http command to enter the HTTP view.
Example
# Display the HTTP view.
<HUAWEI> system-view
[~HUAWEI] http
3.6.36 lock
Function
The lock command locks the current user interface to prevent unauthorized users from
operating the interface.
By default, the system does not automatically lock the current user interface.
Format
lock
Parameters
None
Views
User view
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
Lock the current user interface using this command to prevent other users from operating the
interface. The user interfaces consist of console ports, and Virtual Type Terminals (VTYs).
After you run the lock command, you are prompted to enter the password twice. If the two entries match, the user interface is locked.
Precautions
l The passwords must meet the specified requirements.
– When password complexity check is supported, the requirements are as follows:
n The password is a string of 8 to 128 case-sensitive characters.
n The password must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters (any special character except the question mark (?) and space).
– If you run the undo local-user policy security-enhance command in the AAA view to disable the local account security policy and then run the lock command, the password does not need to meet the complexity requirement. In this case, the requirements are as follows:
n The password is a string of 1 to 128 case-sensitive characters.
n The string cannot contain the question mark (?) or spaces.
l The password entered in interactive mode is not displayed on the screen.
l When you run the lock command to lock the user interface and set a locking password,
you can press CTRL_C to cancel the operation.
l To unlock the user interface, press Enter, and then input the correct password as
prompted by the system.
Example
# Lock the current user interface after logging in through the console port.
<HUAWEI> lock
Enter Password:
Confirm Password:
Info: The terminal is locked.
# To log in to the system after the system is locked, you must press Enter. The following
information is displayed:
Enter Password:
Format
peer-public-key end
Parameters
None
Views
Public key view
Default Level
3: Management level
Usage Guidelines
You must save the public key generated on the remote host to the local host, which ensures
that the validity check on the remote end is successful. After editing a public key in the public
key view, you can run this command to return to the system view.
Example
# Return to the system view from the public key view.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]
Format
public-key-code begin
Parameters
None
Views
Public key view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You must save the public key generated on the remote host to the local host, which ensures
that the validity check on the remote end is successful. Run the public-key-code begin
command to display the public key editing view, and enter the key data. The key characters
can contain spaces. You can press Enter to enter data in another line.
Prerequisite
A key name has been specified by running the rsa peer-public-key, dsa peer-public-key, or
ecc peer-public-key command.
For security purposes, using RSA public keys is not recommended.
Precautions
l The content of a key does not support Chinese characters.
l The public key must be a hexadecimal character string in the public key encoding
format, and generated by the client or server that supports SSH.
l The public keys displayed by running the display rsa local-key-pair public, display
dsa local-key-pair public, or display ecc local-key-pair public command can be used
as the key data to enter.
l You can successfully edit the public key in a public key pair by entering the public key in
the server key pair or client key pair. In SSH application, only the public key in the client
key pair can be entered as key data. If you enter the public key in the server key pair,
authentication fails during SSH login.
Example
# Display the public key editing view and enter the key data.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]
Format
public-key-code end
Parameters
None
Views
Public key editing view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After this command is run, the process of editing the public key ends. Before saving the
public key, the system will check the validity of the key.
l If there are illegal characters in the public key character string configured by the user, the
system will display a relevant error prompt. The public key previously configured by the
user is discarded. As a result, the configuration fails.
l If the public key configured is valid, it is saved in the public key chain table of the client.
Precautions
l In the public key editing view, only the public-key-code end command can be used to exit; the quit command cannot be used here.
l If valid key code has not been entered, the key cannot be generated when the public-key-code end command is run, and the system reports that key generation failed.
l If the key is deleted in another window, the system reports that the key does not exist and returns to the system view directly after you run the public-key-code end command.
Example
# Exit from the DSA public key editing view and save the DSA key configuration.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
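An added example, not Huawei code, of the validity check the public-key-code begin and public-key-code end sections describe: it joins the lines typed in the key editing view, rejects illegal characters, and checks that the data is one well-formed DER SEQUENCE of INTEGERs. Run on the page's own sample, it decodes a SEQUENCE of two INTEGERs whose second value is 65537, the layout of a PKCS#1 RSAPublicKey; a DER-encoded DSA public key has a different structure, so do not use that sample as a template for real DSA key data.

```python
import re

# Constructed from the sample typed in the public-key-code begin example of
# this section (prompt stripped).
SAMPLE_KEY_CODE = [
    "308188",
    "028180",
    "B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB",
    "A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F",
    "411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B",
    "40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5",
    "1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931",
    "A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2",
    "171896FB 1FFC38CD",
    "0203",
    "010001",
]


class KeyCodeError(ValueError):
    """Raised when the entered key data fails the validity check."""


def collect_key_code(lines):
    """Join the lines typed in the key editing view into raw bytes.

    Spaces and line breaks between hex groups are allowed (the view accepts
    them); anything that is not a hex digit, such as non-ASCII text, is
    rejected, which is the 'illegal characters' case described on the page.
    """
    text = "".join(lines).replace(" ", "")
    if not text:
        raise KeyCodeError("no key data entered")
    if not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise KeyCodeError("key data contains non-hexadecimal characters")
    if len(text) % 2:
        raise KeyCodeError("odd number of hex digits")
    return bytes.fromhex(text)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value element at buf[pos].

    Returns (tag, value, next_pos). Only definite-length encodings are
    accepted, which is all DER permits.
    """
    if pos + 2 > len(buf):
        raise KeyCodeError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: 0x80|n, then n big-endian length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise KeyCodeError("malformed long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise KeyCodeError("element length exceeds the key data")
    return tag, buf[pos:pos + length], pos + length


def parse_der_public_key(lines):
    """Validate DER-encoded key data and return its INTEGER components.

    The data must be exactly one SEQUENCE (tag 0x30) containing only
    INTEGERs (tag 0x02); trailing bytes are rejected. Values are read as
    unsigned numbers: strict DER would prefix a modulus whose top bit is
    set with a 0x00 byte, which the page's sample omits.
    """
    buf = collect_key_code(lines)
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30:
        raise KeyCodeError("outer element is not a SEQUENCE")
    if end != len(buf):
        raise KeyCodeError("trailing bytes after the SEQUENCE")
    components, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise KeyCodeError(f"unexpected tag 0x{tag:02X} inside SEQUENCE")
        components.append(int.from_bytes(value, "big"))
    return components


if __name__ == "__main__":
    n, e = parse_der_public_key(SAMPLE_KEY_CODE)
    print(f"modulus: {n.bit_length()} bits, public exponent: {e}")
```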
Format
rsa key-pair label label-name [ modulus modulus-bits ]
rsa key-pair label load private private-key public public-key
undo rsa key-pair label label-name
Parameters
Parameter Description Value
label-name Specifies the label name of an RSA key pair. The value is a string of 1 to 35 case-insensitive characters. It can contain letters, digits, or underscores (_) only.
modulus modulus-bits Specifies the modulus of the RSA key pair. The value is 2048, in bits. The default value is 2048.
load private private-key Specifies the private key in the key pair. The private-key must already exist.
public public-key Specifies the public key in the key pair. The public-key must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
RSA key pairs are used to authenticate users in SSH and secure user authentication. You can run the rsa key-pair label command to generate multiple RSA key pairs, which are identified by different labels.
Precautions
You can run the rsa key-pair label command to generate multiple RSA key pairs with labels.
The maximum number of RSA key pairs is specified by the rsa key-pair maximum
command. By default, the device can generate a maximum of 20 RSA key pairs with labels.
NOTE
To ensure high security, do not use an RSA key pair whose modulus is shorter than 2048 bits.
Example
# Generate an RSA key pair with a label named as ssh_host.
<HUAWEI> system-view
[~HUAWEI] rsa key-pair label ssh_host
Format
rsa key-pair maximum max-keys
undo rsa key-pair maximum
Parameters
Parameter Description Value
max-keys Specifies the maximum number of RSA The value is an integer that ranges
key pairs with labels. from 1 to 20.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Saving RSA key pairs consumes system memory and file resources. Therefore, you can adjust
the maximum number of RSA key pairs as required to ensure that they do not occupy too
many system resources.
Configuration Impact
The device fails to generate RSA key pairs with labels when the number of RSA key pairs
reaches the upper limit specified by this command.
Example
# Set the maximum number of RSA key pairs with labels to 15.
<HUAWEI> system-view
[~HUAWEI] rsa key-pair maximum 15
Format
rsa local-key-pair create
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To implement secure data exchange between the server and client, run this command to
generate a local key pair.
The prerequisite for a user to successfully log in to the SSH server using RSA authentication
is to generate a local RSA key pair. A local RSA key pair can be generated in the following
two methods:
l Configuration: You can run the rsa local-key-pair create command to generate a local
RSA key pair.
l Automatic generation: If an SSH client logs in to a device and the SSH server has no
RSA key pair, the system automatically generates an RSA key pair.
Key pairs generated in the two methods are the same in terms of function, security, query, and
deletion. It is recommended that you run the rsa local-key-pair create command to generate
a local RSA key pair.
After a successful login, run the save command to save configurations. The generated key
pair then is saved on the device and is not lost after the device restarts.
Precautions
If an RSA key pair already exists, the system prompts you to confirm whether to replace it.
The keys in the new key pair are named device-name_server and device-name_host, for
example, HUAWEI_server and HUAWEI_host.
After you enter this command, you are prompted for the length of the host key in bits. The
server key pair and the host key pair are 2048 bits long. If a key pair already exists, you
must confirm whether to replace it.
NOTE
An RSA key pair shorter than 2048 bits is insecure and is not recommended.
Example
# Generate a local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
Format
rsa local-key-pair destroy
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To delete the local key pair, run the rsa local-key-pair destroy command. If the host key pair
and the server key pair of an SSH server have been deleted, run the rsa local-key-pair create
command to create them again.
After you run this command, verify that all local RSA keys have been deleted. This command
is not saved in the configuration file.
Prerequisite
Example
# Delete all RSA server keys.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair destroy
% The name for the keys which will be destroyed is HUAWEI_Host.
% Confirm to destroy these keys? Please select [Y/N]: y
Function
The rsa local-key-pair load command loads the local RSA and server key pairs from a
specified file.
By default, the local RSA and server key pairs are not configured.
Format
rsa local-key-pair load { hostkey | serverkey } file-name
Parameters
Parameter Description Value
hostkey Loads the local RSA key pair. -
serverkey Loads the server key pair. -
file-name Specifies the name of the file from which key pairs The name of the file must
are loaded. already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the device is upgraded from an earlier software version to a later one and the RSA key
configuration of the earlier version needs to be reused, run the rsa local-key-pair load
command to load the local RSA host key pair and server key pair from the specified file.
Prerequisites
The file that contains the RSA key pair already exists.
Example
# Load the local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair load hostkey flash:/rsahostkey.dat
Function
The rsa peer-public-key command configures an encoding format for RSA public key and
enters the RSA public key view.
Format
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
Parameters
Parameter Description Value
key-name Specifies the public key name. The value is a string of 1
to 40 case-insensitive
characters without spaces.
NOTE
When double quotation
marks are used around the
string, spaces are allowed in
the string.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run this command to enter the public key view and save the public key of the remote host on
the local device. The local device then uses this key to verify the identity of the remote
device when a connection is set up.
After you specify an encoding format for the RSA public key, the device creates an RSA
public key entry in that encoding format and enters the RSA public key view. You can then
run the public-key-code begin command and manually copy the RSA public key generated on
the peer device to the local device.
NOTE
A maximum of 20 RSA public keys can be configured. To ensure high security, do not use an
RSA key pair whose modulus is shorter than 2048 bits.
Prerequisite
The public key in hexadecimal notation on the remote host has been obtained and recorded.
Follow-up Procedure
After you copy the RSA public key generated on the peer device to the local device, perform
the following operations to exit the RSA public key view:
1. Run the public-key-code end command to return to the RSA public key view.
2. Run the peer-public-key end command to exit the RSA public key view and return to
the system view.
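The prerequisite above is the peer's public key in hexadecimal. When the peer is an OpenSSH host rather than another Huawei device, the key has to be converted first. The following is an added example, not Huawei code: it parses an authorized_keys style ssh-rsa line (RFC 4253 wire format), refuses moduli shorter than the 2048 bits the page requires, encodes the key as PKCS#1 RSAPublicKey DER and renders it in the 8-digit hex groups shown in the page's key-code examples. That the der encoding type accepts PKCS#1 RSAPublicKey is an assumption; the sample key is a constructed integer, not a real RSA modulus.

```python
"""OpenSSH ssh-rsa line -> PKCS#1 RSAPublicKey DER -> hex for public-key-code begin.
Added example, not Huawei code. Assumption: encoding-type der takes PKCS#1
RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }). The sample key is constructed."""
import base64
import struct

MIN_MODULUS_BITS = 2048  # the page's own minimum


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b  # RFC 4251 mpint: pad so the value stays positive
    return _ssh_string(b)


def make_openssh_rsa_line(e, n, comment="constructed@example"):
    """Build an authorized_keys style line; used here only to construct sample input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def _read_string(buf, off):
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length


def parse_openssh_rsa(line):
    """Return (e, n) from an 'ssh-rsa AAAA...' line (RFC 4253 public key format)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key blob type does not match ssh-rsa")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def modulus_is_acceptable(n):
    """Check the key against the page's 2048-bit minimum before configuring it."""
    return n.bit_length() >= MIN_MODULUS_BITS


def _der_len(length):
    if length < 0x80:
        return bytes([length])
    b = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # DER INTEGER is signed; keep it positive
    return b"\x02" + _der_len(len(b)) + b


def rsa_public_key_der(e, n):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def parse_rsa_public_key_der(der):
    """Decode RSAPublicKey DER back to (e, n) to check the round trip."""
    def tlv(buf, off):
        tag, length = buf[off], buf[off + 1]
        off += 2
        if length & 0x80:
            k = length & 0x7F
            length = int.from_bytes(buf[off:off + k], "big")
            off += k
        return tag, buf[off:off + length], off + length
    tag, body, end = tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_n, n_b, off = tlv(body, 0)
    tag_e, e_b, off = tlv(body, off)
    if tag_n != 0x02 or tag_e != 0x02 or off != len(body):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(e_b, "big"), int.from_bytes(n_b, "big")


def to_key_code_lines(der, groups_per_line=5):
    """Upper-case hex in 8-digit groups, five per line, as typed under public-key-code begin."""
    hexstr = der.hex().upper()
    groups = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    return [" ".join(groups[i:i + groups_per_line])
            for i in range(0, len(groups), groups_per_line)]


# Constructed sample: a 2048-bit odd integer standing in for a real modulus.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x1001
SAMPLE_LINE = make_openssh_rsa_line(SAMPLE_E, SAMPLE_N)
```

Paste each returned line into the key-code view in order, then run public-key-code end; a key whose modulus fails modulus_is_acceptable should not be configured at all.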
Precautions
If an RSA public key has been assigned to an SSH user, run the undo ssh user user-name
assign rsa-key command to delete the mapping between the RSA public key and the SSH
user. If you do not delete the mapping, the undo rsa peer-public-key command cannot delete
the RSA public key.
Example
# Display the public key view.
<HUAWEI> system-view
[~HUAWEI] rsa peer-public-key rsakey001
[*HUAWEI-rsa-public-key]
3.6.46 run
Function
The run command executes a user view command in the system view.
Format
run command-line
Parameters
Parameter Description Value
Views
System view
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
Some commands can be run only in the user view. Without the run command, you have to
return to the user view to execute them. With the run command, you can execute such
commands from the system view without leaving it.
Precautions
l The command specified in the run command must be able to be run in the user view.
l When you run the run command, the association help function is unavailable.
l When you check the command history on the device using the display history-
command command, only the commands that you enter are recorded. The command
format is run command-line.
l When you check log information using the CLI/5/CMDRECORD command, only the
commands that are actually executed are recorded in logs. The command format is run
command-line.
l run cannot be used to execute commands that involve configuration rollback or system
software behavior change, such as switch virtual-system vs-name, rollback
configuration { to { commit-id commit-id | label label | file file-name } | last number-of-
commits }, quit, and patch load.
Example
# View .cfg files in the system view.
<HUAWEI> system-view
[~HUAWEI] run dir *.cfg
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 11,970 Mar 14 2012 19:11:22 31.cfg
1 -rw- 12,033 Apr 22 2012 17:10:30 31_new.cfg
509,256 KB total (118,784 KB free)
Format
ssh authentication-type default password
undo ssh authentication-type default password
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When there are multiple SSH users in the system, the default password authentication mode is
used to simplify the configuration.
When users request to log in to a device using SSH, if no SSH user is created using the ssh
user, ssh user authentication-type, and ssh user service-type commands, successful user
login depends on whether the ssh authentication-type default password command is run.
l If the ssh authentication-type default password command is run, users log in through
AAA authentication.
l If the ssh authentication-type default password command is not run, users cannot log
in.
If an SSH user has been created using the ssh user, ssh user authentication-type, and ssh
user service-type commands, authentication of the SSH user depends on whether the ssh
user authentication-type command is run. If the ssh user authentication-type command is
run, the user is authenticated using the authentication mode specified in this command. If the
ssh user authentication-type command is not run, the user cannot log in to the device.
Precautions
You can run the ssh user user-name authentication-type password command to configure
the password authentication mode for an SSH user. If the ssh user and ssh authentication-
type default password commands are configured simultaneously, the ssh user command
takes effect.
This command takes effect for both IPv4 and IPv6 users.
Example
# Configure password authentication as the default authentication mode for SSH users.
<HUAWEI> system-view
[~HUAWEI] ssh authentication-type default password
Format
ssh authorization-type default { aaa | root }
undo ssh authorization-type default
Parameters
Parameter Description Value
aaa Sets the authorization method for an SSH session to AAA. -
root Sets the authorization method for an SSH session to root. -
Views
System view
Default Level
3: Management level
Usage Guidelines
If the authorization type for an SSH connection is AAA, the privilege level of the SSH user is
the level configured in the AAA view.
If the authorization type for an SSH connection is root, the privilege level of the SSH user is
not taken from the AAA view. Instead, the user is granted the maximum privilege level, 15 or
3, regardless of what is configured in the AAA view.
This command takes effect for both ipv4 and ipv6 connections.
Example
# Set the authorization method for SSH session as AAA.
<HUAWEI> system-view
[~HUAWEI] ssh authorization-type default aaa
Function
The ssh client peer assign command specifies the host public key of the SSH server to
connect on the SSH client.
The undo ssh client peer assign command cancels the specified host public key of the SSH
server to connect on the SSH client.
By default, the host public key of the server to connect is not specified on the client.
Format
ssh client peer server-ip-address assign { rsa-key | dsa-key | ecc-key } key-name
Parameters
Parameter Description Value
server-ip-address Specifies the host name or IP address of the SSH server. The SSH server must already exist.
rsa-key Specifies the RSA public key. -
dsa-key Specifies the DSA public key. -
ecc-key Specifies the ECC public key. -
key-name Specifies the SSH server public key name that The SSH server public
has been configured on the SSH client. key name must already
exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If first-time authentication is not enabled on the SSH client using the ssh client first-time
enable command, the SSH client rejects connections to SSH servers whose host public key it
cannot verify. You therefore need to configure the host public key of the SSH server on the
client and bind the key to the server using this command. The client then uses the bound key
to check that the server it connects to is the intended one.
For security purposes, it is not recommended that you use RSA as the public key algorithm.
Precautions
The RSA, DSA, or ECC public key to be assigned to the SSH server must have been
configured on the SSH client using the rsa peer-public-key, dsa peer-public-key, or ecc
peer-public-key command. If the key has not been configured, the verification for the RSA,
DSA, or ECC public key of the SSH server on the SSH client fails.
Example
# Assign the DSA public key to the SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh client peer 10.164.39.120 assign dsa-key sshdsakey01
Function
The ssh client cipher command configures an encryption algorithm list for an SSH client.
The undo ssh client cipher command restores the default encryption algorithm list of an SSH
client.
Format
ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr |
arcfour128 | arcfour256 | aes192_cbc | aes192_ctr | aes128_gcm | aes256_gcm } *
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an encryption algorithm for the packets
exchanged between them. You can run the ssh client cipher command to configure an
encryption algorithm list for the SSH client. After the list is configured, the server matches
the encryption algorithm list of a client against the local list after receiving a packet from the
client and selects the first encryption algorithm that matches the local list. If no encryption
algorithms in the list of the client match the local list, the negotiation fails.
Precautions
des_cbc, 3des_cbc, arcfour128, and arcfour256 are weak algorithms (single DES and RC4 are
broken, and 3DES has a 64-bit block) and should not be included in the list.
This command takes effect for both ipv4 and ipv6 SSH servers.
Example
# Configure CTR encryption algorithms for an SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client cipher aes128_ctr aes256_ctr
Function
The ssh client first-time enable command enables the first authentication on the SSH client.
The undo ssh client first-time enable command disables the first authentication on the SSH
client.
Format
ssh client first-time enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the SSH client accesses the SSH server for the first time and the public key of the SSH
server is not configured on the SSH client, you can enable the first authentication for the SSH
client to access the SSH server and save the public key on the SSH client. When the SSH
client accesses the SSH server next time, the saved public key is used to authenticate the SSH
server.
Precautions
You can run the ssh client peer assign command to pre-assign a public key to the SSH server.
In this manner, you can log in to the SSH server successfully at the first time.
This command takes effect for both ipv4 and ipv6 SSH clients.
Example
# Enable the first authentication on the SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client first-time enable
Function
The ssh client hmac command configures an HMAC authentication algorithm list for an SSH
client.
The undo ssh client hmac command restores the default HMAC authentication algorithm list
of an SSH client.
By default, an SSH client supports the HMAC authentication algorithms MD5, MD5_96, SHA1,
SHA1_96, SHA2_256, SHA2_256_96, and SHA2_512.
Format
ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *
undo ssh client hmac
Parameters
Parameter Description Value
md5 Specifies the MD5 HMAC authentication algorithm. -
md5_96 Specifies the MD5_96 HMAC authentication algorithm. -
sha1 Specifies the SHA1 HMAC authentication algorithm. -
sha1_96 Specifies the SHA1_96 HMAC authentication algorithm. -
sha2_256 Specifies the SHA2_256 HMAC authentication algorithm. -
sha2_256_96 Specifies the SHA2_256_96 HMAC authentication algorithm. -
sha2_512 Specifies the SHA2_512 HMAC authentication algorithm. -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an HMAC authentication algorithm for the
packets exchanged between them. You can run the ssh client hmac command to configure an
HMAC authentication algorithm list for the SSH client. After the list is configured, the server
matches the list of a client against the local list after receiving a packet from the client and
selects the first HMAC authentication algorithm that matches the local list. If no HMAC
authentication algorithms in the list of the client match the local list, the negotiation fails.
Precautions
sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are
not recommended in the HMAC authentication algorithm list.
This command takes effect for both ipv4 and ipv6 SSH clients.
Example
# Configure the SHA2_256 HMAC authentication algorithm for an SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client hmac sha2_256
Function
The ssh client keepalive-interval command sets the interval for sending keepalive packets on
the SSH client.
The undo ssh client keepalive-interval command restores the default interval for sending
keepalive packets on the SSH client.
The default interval for sending keepalive packets on the SSH client is 0.
Format
ssh client keepalive-interval seconds
Parameters
Parameter Description Value
seconds Specifies the interval for The value is an integer ranging from 0 to 3600,
sending keepalive packets. in seconds. The value 0 indicates that keepalive
packets are not sent.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the SSH client does not receive any data packet from the SSH server within a period, the
client sends keepalive packets to the server. If the client does not receive any keepalive
response packet from the server, the client disconnects from the server.
Precautions
If the interval is restored to 0, the client does not send any keepalive packet to the server.
This command takes effect for both ipv4 and ipv6 SSH clients.
Example
# Set the interval for sending keepalive packets on the SSH client to 30 seconds.
<HUAWEI> system-view
[~HUAWEI] ssh client keepalive-interval 30
Function
The ssh client keepalive-maxcount command sets the maximum number of keepalive
packets sent by the SSH client.
The undo ssh client keepalive-maxcount command restores the default maximum number of
keepalive packets sent by the SSH client.
The default maximum number of keepalive packets is 3, indicating that the client sends three
keepalive packets to the server before disconnecting from the server.
Format
ssh client keepalive-maxcount count
undo ssh client keepalive-maxcount
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the SSH client does not receive any data packet from the server within a period, the client
starts sending keepalive packets to the server. If the client has sent the maximum number of
keepalive packets without receiving any response from the server, it disconnects from the
server.
Precautions
The maximum number of keepalive packets takes effect only when a non-zero interval has been
set using the ssh client keepalive-interval command. If the interval is 0, the client does not
send any keepalive packet and this setting has no effect.
This command takes effect for both ipv4 and ipv6 SSH clients.
Example
# Set the maximum number of keepalive packets on the SSH client to 5.
<HUAWEI> system-view
[~HUAWEI] ssh client keepalive-maxcount 5
Function
The ssh client key-exchange command configures a key exchange algorithm list on an SSH
client.
The undo ssh client key-exchange command restores the default configuration.
Format
ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 |
dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 |
ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The client and server negotiate the key exchange algorithm used for packet transmission. You
can run the ssh client key-exchange command to configure a key exchange algorithm list on
the SSH client. The SSH server compares the configured key exchange algorithm list with the
counterpart sent by the client and then selects the first matched key exchange algorithm for
packet transmission. If the key exchange algorithm list sent by the client does not match any
algorithm in the key exchange algorithm list configured on the server, the negotiation fails.
This command takes effect for both IPv4 and IPv6 SSH clients.
Precautions
For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.
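The negotiation described for ssh client cipher, ssh client hmac and ssh client key-exchange is the same in all three cases: the client's list is walked in order and the first algorithm the server also supports is chosen; if nothing matches, the connection fails (RFC 4253 section 7.1). The following added example, not device code, implements that rule over constructed lists written in the page's keyword spelling, and flags the algorithms the page advises against (plus DES, 3DES and RC4 for ciphers, which the page lists but does not comment on).

```python
"""SSH algorithm negotiation for cipher, hmac and key-exchange lists.
Added example, not device code; the lists below are constructed."""

# Algorithms the page marks weak, plus DES/3DES/RC4 ciphers (broken or deprecated).
WEAK = {
    "kex": {"dh_group1_sha1"},
    "cipher": {"des_cbc", "3des_cbc", "arcfour128", "arcfour256"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
}
KINDS = ("kex", "cipher", "hmac")


def negotiate(client_list, server_list):
    """First algorithm in client preference order that the server also offers, else None."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


def negotiate_session(client_cfg, server_cfg):
    """Pick kex, cipher and hmac; raise ValueError naming the category that failed."""
    chosen = {}
    for kind in KINDS:
        alg = negotiate(client_cfg[kind], server_cfg[kind])
        if alg is None:
            raise ValueError(f"{kind} negotiation failed: client offers "
                             f"{client_cfg[kind]}, server offers {server_cfg[kind]}")
        chosen[kind] = alg
    return chosen


def negotiation_succeeds(client_cfg, server_cfg):
    """True if all three categories negotiate, False otherwise."""
    try:
        negotiate_session(client_cfg, server_cfg)
        return True
    except ValueError:
        return False


def weak_algorithms(cfg):
    """(kind, algorithm) pairs in a configuration that should be removed from its lists."""
    return [(kind, alg) for kind in KINDS
            for alg in cfg.get(kind, []) if alg in WEAK[kind]]


# Constructed configurations (not device output).
HARDENED_CLIENT = {
    "kex": ["dh_group_exchange_sha256", "ecdh_sha2_nistp256"],
    "cipher": ["aes256_ctr", "aes128_ctr"],
    "hmac": ["sha2_256"],
}
PERMISSIVE_SERVER = {
    "kex": ["ecdh_sha2_nistp256", "dh_group_exchange_sha256", "dh_group1_sha1"],
    "cipher": ["aes128_ctr", "aes256_ctr", "3des_cbc"],
    "hmac": ["sha1", "sha2_256"],
}
LEGACY_SERVER = {
    "kex": ["dh_group1_sha1"],
    "cipher": ["3des_cbc", "aes128_cbc"],
    "hmac": ["sha1", "md5"],
}
```

Against PERMISSIVE_SERVER the hardened client still ends up with dh_group_exchange_sha256, aes256_ctr and sha2_256 because the client's order decides, not the server's; against LEGACY_SERVER the key exchange step finds no common algorithm and the session fails, which is the behaviour the three usage scenarios describe. Running weak_algorithms over a server's lists is the quick way to see what a client-side restriction would leave unusable.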
Example
# Configure key exchange algorithm dh_group_exchange_sha256 on the SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client key-exchange dh_group_exchange_sha256
Function
The ssh client publickey command enables or disables the public key algorithm function of
the SSH client.
The undo ssh client publickey command restores public key algorithms of the SSH client to
default values.
Format
ssh client publickey { dsa | ecc | rsa } *
Parameters
Parameter Description Value
dsa Indicates the DSA algorithm. -
ecc Indicates the ECC algorithm. -
rsa Indicates the RSA algorithm. -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The command enables you to use a more secure public key algorithm to log in to the device,
with other public key algorithms rejected. This improves device security. You are advised to
use the ECC public key algorithm.
To allow one public key algorithm and deny the others, run the ssh client publickey command
with only that algorithm specified. For example, after the ssh client publickey dsa command
is run, the DSA algorithm is allowed but RSA and ECC are not. If this command is run multiple
times, the last configuration takes effect.
This command takes effect for both ipv4 and ipv6 SSH clients.
Precautions
l A public key algorithm can be used for login only after it is enabled on both the client
and server.
l When you run the undo ssh client publickey command with an algorithm specified,
ensure that the algorithm specified is the same as that configured using the ssh client
publickey command. Or you can run the undo ssh client publickey command with no
algorithm specified. Otherwise, the configuration restoration function does not take
effect.
l If the ssh client first-time enable command function is enabled, a message is displayed
asking you to save the server public key when you use the client to log in to the server.
During the saving process, the SSH client automatically selects a successfully negotiated
public key algorithm and allocates the algorithm to the SSH server based on the public
key algorithm configured using the ssh client publickey command.
l If the ssh client first-time enable command function is disabled, run the ssh client peer
assign command to allocate a public key to the SSH server. Ensure that the allocated
public key algorithm can successfully negotiate with the public key algorithm configured
using the ssh client publickey command. Otherwise, the SSH server's public key fails to
be authenticated by the SSH client.
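The three client-side controls above interact: ssh client publickey decides which host key algorithms the client will accept at all, ssh client peer assign pins a server to a known key, and ssh client first-time enable decides what happens for a server with no pinned key. The following added example, not device code, models those decisions so the failure modes in the precautions can be walked through. The key blobs are constructed bytes, and comparing pinned keys by an OpenSSH-style SHA-256 fingerprint is an assumption about how the device performs the check.

```python
"""Client-side host key verification: publickey algorithm filter, pinned peer
keys, and first-time (trust-on-first-use) behaviour.
Added example, not device code; key blobs below are constructed stand-ins."""
import base64
import hashlib


def fingerprint(key_blob):
    """OpenSSH display style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class SshClientHostKeyPolicy:
    def __init__(self, first_time_enable=False, publickey_algs=("rsa", "dsa", "ecc")):
        self.first_time_enable = first_time_enable   # ssh client first-time enable
        self.publickey_algs = set(publickey_algs)   # ssh client publickey { dsa | ecc | rsa } *
        self.peer_keys = {}                         # ssh client peer <server> assign <alg>-key

    def assign_peer(self, server, alg, key_blob):
        """Pin the server's host key ahead of the first connection."""
        self.peer_keys[server] = (alg, fingerprint(key_blob))

    def verify_server(self, server, alg, key_blob):
        """Return (accepted, reason) for the host key a server presents during key exchange."""
        if alg not in self.publickey_algs:
            # A pinned key in a disabled algorithm can never negotiate (page precaution).
            return False, f"{alg} host keys are disabled on this client"
        presented = (alg, fingerprint(key_blob))
        pinned = self.peer_keys.get(server)
        if pinned is not None:
            if pinned == presented:
                return True, "host key matches the assigned key"
            return False, "HOST KEY MISMATCH: presented key differs from the assigned key"
        if self.first_time_enable:
            self.peer_keys[server] = presented  # saved unverified; trusted from now on
            return True, "first login: host key saved without verification"
        return False, "unknown server and first-time authentication is disabled"


# Constructed stand-ins for host key blobs (not real keys).
SERVER = "10.164.39.120"
ECC_KEY_A = b"constructed-ecc-host-key-A"
ECC_KEY_B = b"constructed-ecc-host-key-B"
RSA_KEY = b"constructed-rsa-host-key"


def demo():
    """Walk the cases the page describes; returns the accept/reject decisions in order."""
    results = []
    strict = SshClientHostKeyPolicy(first_time_enable=False, publickey_algs=("ecc",))
    results.append(strict.verify_server(SERVER, "ecc", ECC_KEY_A)[0])  # unknown, no first-time
    strict.assign_peer(SERVER, "ecc", ECC_KEY_A)
    results.append(strict.verify_server(SERVER, "ecc", ECC_KEY_A)[0])  # pinned key matches
    results.append(strict.verify_server(SERVER, "ecc", ECC_KEY_B)[0])  # key changed
    results.append(strict.verify_server(SERVER, "rsa", RSA_KEY)[0])    # rsa disabled by publickey
    tofu = SshClientHostKeyPolicy(first_time_enable=True)
    results.append(tofu.verify_server(SERVER, "ecc", ECC_KEY_A)[0])    # saved on first login
    results.append(tofu.verify_server(SERVER, "ecc", ECC_KEY_B)[0])    # changed after save
    return results
```

The strict policy is the recommended one: pin the key, disable algorithms you do not use, and leave first-time authentication off so an unknown or changed server key is refused rather than silently trusted.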
Example
# Allow using of the ECC algorithm and deny other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh client publickey ecc
Format
ssh client rekey { data-limit data-limit | max-packet max-packet | time minutes } *
undo ssh client rekey { data-limit [ data-limit ] | max-packet [ max-packet ] | time
[ minutes ] } *
Parameters
Parameter Description Value
data-limit data- Specifies the maximum packet The value is an integer ranging
limit data volume that triggers key re- from 100 to 10000, in MB.
negotiation.
max-packet max- Specifies the maximum number The value is an integer ranging
packet of packets that triggers key re- from 268435456 to 2147483648.
negotiation.
time minutes Specifies the session duration The value is an integer in the range
that triggers key re-negotiation. of 30 to 1440, in minutes.
Views
System view
Default Level
3: Management level
Usage Guidelines
When an SSH session meets one or more of the following criteria, the system re-negotiates a
key and uses the new key for the SSH session, improving system security.
l The number of interaction packets meets the configured key re-negotiation criterion.
l The accumulated packet data volume meets the configured key re-negotiation criterion.
l The session duration meets the configured key re-negotiation criterion.
This command takes effect for both IPv4 and IPv6 SSH clients.
NOTE
A key re-negotiation request is initiated when either the SSH client or server meets the key re-
negotiation criteria, and the other party responds.
Example
# Configure key re-negotiation to be triggered on the SSH client when the total size of sent
and received packets reaches 10000 MB, the total number of sent and received packets
reaches 268435456, or the online duration reaches 1440 minutes.
<HUAWEI> system-view
[~HUAWEI] ssh client rekey data-limit 10000 max-packet 268435456 time 1440
Function
The ssh dscp command sets the DSCP priority of STelnet packets.
Format
ssh { client | server } dscp dscp-number
Parameters
Parameter Description Value
dscp-number Specifies the DSCP priority. The value is an integer that ranges from 0 to 63.
A greater DSCP value indicates a higher
priority.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to set the DSCP priority of STelnet packets. The DSCP priority of
STelnet packets sent by the switch is then changed to the configured value. When network
congestion occurs, you can appropriately reduce the DSCP priority of STelnet packets to
ensure proper forwarding of data packets.
The priority of this command is higher than that of the set priority dscp command. If a DSCP
value is configured using this command, the configured value takes effect. If a DSCP value is
configured using the set priority dscp command rather than this command, the value
configured using the set priority dscp command takes effect. If no DSCP value is configured
using the preceding commands, the default DSCP value is used.
When you run the undo ssh { client | server } dscp [ dscp-number ] command:
l If dscp-number is not specified, the DSCP field is restored to the default value.
l If dscp-number is 48, the DSCP field is restored to the default value.
l If dscp-number is set to non-48 value, the value must be the same as ssh { client |
server } dscp dscp-number command. Otherwise, the command execution fails.
Precautions
Example
# Set the DSCP priority of STelnet packets sent by the client to 40.
<HUAWEI> system-view
[~HUAWEI] ssh client dscp 40
Format
ssh [ ipv6 ] server acl { acl-number | acl-name }
undo ssh [ ipv6 ] server acl
Parameters
Parameter Description Value
acl-number Specifies the ACL The value is an integer that ranges from 2000 to
number. 3999.
acl-name Specifies the ACL The value is a string of 1 to 32 case-sensitive
name. characters except spaces. The value must start with a
letter or digit, and cannot contain only digits.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Configure the ACL for the following servers for access control:
l STelnet server: controls which clients can log in to this server through STelnet.
l SFTP server: controls which clients can log in to this server through SFTP.
l SNetconf server: controls which clients can log in to this server through SNetconf.
Prerequisites
Before running this command, run the acl (system view) in the system view and run the rule
(ACL view) command to configure an ACL.
Precautions
A basic ACL is configured to restrict source addresses and an advanced ACL is configured to
restrict source and destination addresses.
Without the ipv6 keyword, the ssh server acl { acl-number | acl-name } command takes effect
only for IPv4 clients; run the ssh ipv6 server acl command to control IPv6 clients.
Example
# Configure the ACL numbered 2000 on the SSH server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.10 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ssh server acl 2000
Format
ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key } label-name
undo ssh server assign { rsa-server-key | rsa-host-key | dsa-host-key | ecc-host-key }
Parameters
Parameter Description Value
rsa-server-key Specifies an RSA server key. -
rsa-host-key Sets the key type to RSA host key. -
dsa-host-key Sets the key type to DSA host key. -
ecc-host-key Sets the key type to ECC host key. -
label-name Specifies the label name of the RSA host key, RSA The label name
server key, DSA host key, or ECC host key. must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to reference the generated RSA, DSA, or ECC key pair with a
label to ensure security of the SSH server.
NOTE
For security purposes, it is not recommended that you use RSA as the public key.
Table 3-36 describes the usage scenarios for different authentication modes.
Prerequisites
RSA, DSA, or ECC key pair with a label has been generated using the rsa key-pair label,
dsa key-pair label, or ecc key-pair label command before you run this command.
Configuration Impact
An RSA, DSA, or ECC key pair with a label that is assigned to the SSH server takes precedence
over the key pair generated using the rsa local-key-pair create, dsa local-key-pair create, or
ecc local-key-pair create command. If this command is not configured, the SSH server uses
the key pair generated using those commands as its host key.
Precautions
l After you delete the RSA, DSA, or ECC key pair with a label, the key pair assigned to
the SSH server is deleted simultaneously.
l This command takes effect for both ipv4 and ipv6 SSH server.
Example
# Assign the ECC host key named ecckey to the SSH server.
<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecckey
[*HUAWEI] ssh server assign ecc-host-key ecckey
The undo ssh server authentication-retries command restores the default maximum number
of authentication retries for an SSH connection.
Format
ssh server authentication-retries times
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to configure the maximum number of authentication retries for an
SSH connection, which prevents server overload due to malicious access. When the number
of authentication retries exceeds the maximum number, the device instructs the remote host to
tear down the connection.
Precautions
The configured number of retries takes effect upon the next login.
The total number of RSA, DSA, ECC, and password authentication retries on the SSH client
cannot exceed the maximum number that is set using this command.
This command takes effect for both IPv4 and IPv6 connections.
Example
# Set the maximum number of times for retrying login authentication to 4.
<HUAWEI> system-view
[~HUAWEI] ssh server authentication-retries 4
Function
The ssh server authentication-type keyboard-interactive enable command enables
keyboard interactive authentication on an SSH server.
The undo ssh server authentication-type keyboard-interactive enable command disables
keyboard interactive authentication on the SSH server.
By default, keyboard interactive authentication is enabled on an SSH server.
Format
ssh server authentication-type keyboard-interactive enable
undo ssh server authentication-type keyboard-interactive enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Keyboard interactive authentication is also called password card authentication. If users need
to log in to an SSH server in keyboard interactive authentication mode, run the ssh server
authentication-type keyboard-interactive enable command. The authentication process is as
follows: An SSH user enters the user name to log in to a device. After detecting
that the user is a password card authentication user, the TACACS server sends the user name
to the password card authentication server. The password card authentication server generates
a challenge code based on the user name and sends the challenge code to the TACACS server.
The TACACS server displays the challenge code on the device. The user enters the user
password and the received challenge code in the password card. The password card computes
a challenge response code. The user sends the challenge response code to the password card
authentication server using the device and TACACS server. The password card authentication
server checks whether the challenge response code is correct and returns the authentication
result to the user.
After this function is enabled, the system prompts the user to enter the challenge response
code.
If you need to log in to the SSH server in password authentication mode, run the undo ssh
server authentication-type keyboard-interactive enable command to disable keyboard
interactive authentication as required.
Example
# Enable keyboard interactive authentication on an SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server authentication-type keyboard-interactive enable
Function
The ssh server compatible-ssh1x enable command enables the earlier version-compatible function on an SSH server.
The undo ssh server compatible-ssh1x enable command disables the earlier version-compatible function on the SSH server.
Format
ssh server compatible-ssh1x enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The earlier version-compatible function of an SSH server applies to protocol version
negotiation between the client and server. After a TCP connection is set up between the client
and server, the SSH client negotiates the protocol version with the server by comparing its own
protocol version with the version carried in the received packet, so that both sides run a
version they can work with.
By comparing the protocol versions, the server determines whether to work with the client.
l If the client runs a protocol version that is earlier than 1.3 or later than 2.0, version
negotiation fails and the server terminates the TCP connection with the client.
l If the client runs a protocol version that is between 1.3 and 1.99 (including V1.3), the
SSH1.5 server module is established when the "compatibility configuration option" of
SSH is SSH1.x-compatible, and the system then proceeds with the SSH1.x process. When
the "compatibility configuration option" of SSH is SSH1.x-incompatible, the server
terminates the TCP connection with the client.
l If the client runs protocol version 1.99 or 2.0, the SSH2.0 server module is established and
the system proceeds with the SSH2.0 process.
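The version decision described above, written out as a small Python model. This is an added example, not Huawei device code: the identification-string format SSH-protoversion-softwareversion is the standard SSH one, and the compat_ssh1x flag stands in for the compatible-ssh1x setting.

```python
"""Server-side SSH protocol version decision (added example, not device code)."""
import re

TERMINATE = "terminate-tcp"   # version negotiation fails, TCP connection is closed
SSH1X = "ssh1.x-process"      # SSH1.5 server module, only when compatibility is on
SSH2 = "ssh2.0-process"       # SSH2.0 server module

# Standard identification string: SSH-<major>.<minor>-<software version>
_IDENT_RE = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")


def parse_client_version(ident: str):
    """Return (major, minor) from an SSH identification string, or None if malformed."""
    m = _IDENT_RE.match(ident.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def decide(ident: str, compat_ssh1x: bool) -> str:
    """Apply the three rules above; a malformed string is treated like an unsupported version."""
    ver = parse_client_version(ident)
    if ver is None or ver < (1, 3) or ver > (2, 0):
        return TERMINATE
    if ver in ((1, 99), (2, 0)):
        return SSH2
    # 1.3 <= version < 1.99: accepted only when SSH1.x compatibility is enabled
    return SSH1X if compat_ssh1x else TERMINATE


if __name__ == "__main__":
    for ident in ("SSH-2.0-OpenSSH_9.6", "SSH-1.99-Example", "SSH-1.5-Example", "SSH-1.2-Example"):
        print(f"{ident:22} compat=off -> {decide(ident, False):15} compat=on -> {decide(ident, True)}")
```

With compatibility left disabled (the secure setting), every 1.x-only client is rejected at version negotiation, before any key exchange takes place.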
Precautions
l If compatibility with SSH 1.3 and 1.5 is disabled, all connections from SSH 1.x clients are
dropped.
l If the SSH server is enabled to be compatible with earlier SSH versions, the system
prompts a security risk.
l SSHv1 is not secure, and SSHv2 is recommended.
l The configuration takes effect upon the next login.
Example
# Enable the compatibility with SSH 1.x version.
<HUAWEI> system-view
[~HUAWEI] ssh server compatible-ssh1x enable
Function
The ssh server cipher command configures an encryption algorithm list for an SSH server.
The undo ssh server cipher command restores the default encryption algorithm list of an
SSH server.
Format
ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr | arcfour128 | arcfour256 | aes192_cbc | aes192_ctr | aes128_gcm | aes256_gcm | blowfish_cbc } *
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an encryption algorithm for the packets
exchanged between them. You can run the ssh server cipher command to configure an
encryption algorithm list for the SSH server. After the list is configured, the server matches
the encryption algorithm list of a client against the local list after receiving a packet from the
client and selects the first encryption algorithm that matches the local list. If no encryption
algorithms in the list of the client match the local list, the negotiation fails.
Precautions
This command takes effect for both IPv4 and IPv6 SSH servers.
Example
# Configure CTR encryption algorithms for an SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server cipher aes256_ctr aes128_ctr
Format
ssh server dh-exchange min-len min-len
undo ssh server dh-exchange min-len
Parameters
Parameter | Description | Value
min-len | Specifies the minimum Diffie-hellman-group-exchange key length supported on the SSH server. | The value can be either 1024 or 2048, in bits.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the SSH client supports the Diffie-hellman-group-exchange key of more than 1024 bits, run
the ssh server dh-exchange min-len command to set the minimum key length to 2048 bits to
improve security.
Precautions
Security risks exist if the minimum Diffie-hellman-group-exchange key length is less than
2048 bits. You are advised to set the minimum key length to 2048 bits.
This command takes effect for both IPv4 and IPv6 SSH servers.
Example
# Set the minimum key length supported during Diffie-hellman-group-exchange key
exchange between the SSH server and client to 2048 bits.
<HUAWEI> system-view
[~HUAWEI] ssh server dh-exchange min-len 2048
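An offline hardening check covering the settings from the compatible-ssh1x, cipher and dh-exchange commands above, together with the HMAC and key exchange algorithms that the ssh server hmac and ssh server key-exchange sections of this chapter flag as insecure. This is an added example, not device software: it assumes that the running configuration echoes the commands as typed (the sample excerpt is constructed, not captured from a device), and the weak cipher set is an assumption drawn from general practice rather than from this document.

```python
"""Audit of SSH server hardening settings (added example, not device code)."""

WEAK_CIPHERS = {"des_cbc", "3des_cbc", "arcfour128", "arcfour256", "blowfish_cbc"}  # assumption, not from this document
WEAK_HMACS = {"sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"}                    # listed as weak in this chapter
WEAK_KEX = {"dh_group1_sha1"}                                                        # flagged in this chapter
RECOMMENDED_DH_MIN_LEN = 2048                                                        # from the dh-exchange precautions

# Constructed configuration excerpt used as sample input (not from a real device).
SAMPLE_CONFIG = """\
#
 ssh server compatible-ssh1x enable
 ssh server cipher aes256_ctr aes128_ctr 3des_cbc
 ssh server hmac sha2_256 md5
 ssh server key-exchange dh_group_exchange_sha256 dh_group1_sha1
 ssh server dh-exchange min-len 1024
 ssh server authentication-retries 4
#
"""


def parse_ssh_server_settings(config: str) -> dict:
    """Map each 'ssh server <keyword> ...' line to its argument tokens."""
    settings = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "ssh" and tokens[1] == "server":
            settings[tokens[2]] = tokens[3:]
    return settings


def audit(config: str) -> list:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    s = parse_ssh_server_settings(config)
    findings = []
    if s.get("compatible-ssh1x") == ["enable"]:
        findings.append("compatible-ssh1x: SSH1.x compatibility is enabled; SSHv1 is not secure")
    for keyword, weak in (("cipher", WEAK_CIPHERS), ("hmac", WEAK_HMACS), ("key-exchange", WEAK_KEX)):
        bad = sorted(set(s.get(keyword, [])) & weak)
        if bad:
            findings.append(f"{keyword}: weak algorithm(s) configured: {', '.join(bad)}")
    dh = s.get("dh-exchange")
    if dh and len(dh) == 2 and dh[0] == "min-len" and int(dh[1]) < RECOMMENDED_DH_MIN_LEN:
        findings.append(f"dh-exchange min-len: {dh[1]} bits; {RECOMMENDED_DH_MIN_LEN} is recommended")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a configuration export from several devices, the findings list gives a quick inventory of where the weak options are still enabled; a clean configuration returns an empty list.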
Function
The ssh server hmac command configures an HMAC authentication algorithm list for an
SSH server.
The undo ssh server hmac command restores the default HMAC authentication algorithm
list of an SSH server.
Format
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an HMAC authentication algorithm for the
packets exchanged between them. You can run the ssh server hmac command to configure an
HMAC authentication algorithm list for the SSH server. After the list is configured, the server
matches the list of a client against the local list after receiving a packet from the client and
selects the first HMAC authentication algorithm that matches the local list. If no HMAC
authentication algorithms in the list of the client match the local list, the negotiation fails.
Precautions
sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are
not recommended in the HMAC authentication algorithm list.
This command takes effect for both IPv4 and IPv6 SSH servers.
Example
# Configure the SHA2_256 HMAC authentication algorithm for an SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server hmac sha2_256
Function
The ssh server keepalive disable command disables the keepalive function on the SSH
server.
The undo ssh server keepalive disable command enables the keepalive function on the SSH
server.
Format
ssh server keepalive disable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
If the keepalive function is disabled on the SSH server, the connection to the SSH client is torn
down when there is no data exchange, and the resulting reconnections waste server resources.
After the keepalive function is enabled on the SSH server, the server responds to the keepalive
packets it receives from the SSH client. If the function is disabled, the SSH server discards the
received keepalive packets; when the SSH client receives no keepalive response packet, the
client disconnects from the server.
Example
# Enable the keepalive function on the SSH server.
<HUAWEI> system-view
[~HUAWEI] undo ssh server keepalive disable
Function
The ssh server key-exchange command configures a key exchange algorithm list on an SSH
server.
The undo ssh server key-exchange command restores the default configuration.
Format
ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
An SSH server and a client need to negotiate a key exchange algorithm for the packets
exchanged between them. You can run the ssh server key-exchange command to configure a
key exchange algorithm list for the SSH server. After the list is configured, the server matches
the key exchange algorithm list of a client against the local list after receiving a packet from
the client and selects the first key exchange algorithm that matches the local list. If no key
exchange algorithms in the list of the client match the local list, the negotiation fails.
NOTE
For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.
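The negotiation rule stated for the cipher, HMAC and key exchange lists above (the server takes the first entry of the client's list that also appears in its own list, and fails if there is none), written as a Python model. This is an added example, not device code; the server lists are the ones from this chapter's examples, the client lists are constructed, and the algorithm names follow this chapter's spelling rather than the hyphenated names carried on the wire.

```python
"""Per-category SSH algorithm negotiation (added example, not device code)."""


def negotiate(client_list: str, server_list: str):
    """Return the first entry of the client's comma-separated list that the server also offers, else None."""
    offered = set(server_list.split(","))
    for alg in client_list.split(","):
        if alg in offered:
            return alg
    return None


def negotiate_all(client: dict, server: dict) -> dict:
    """Negotiate cipher, hmac and key-exchange; raise ValueError for the first category with no match."""
    chosen = {}
    for category in ("cipher", "hmac", "key-exchange"):
        alg = negotiate(client[category], server[category])
        if alg is None:
            raise ValueError(f"{category}: no algorithm in the client's list matches the server's list")
        chosen[category] = alg
    return chosen


# Server lists taken from this chapter's examples; client lists are constructed.
SERVER = {
    "cipher": "aes256_ctr,aes128_ctr",
    "hmac": "sha2_256",
    "key-exchange": "dh_group_exchange_sha1,dh_group_exchange_sha256",
}
CLIENT_OK = {
    "cipher": "3des_cbc,aes128_ctr,aes256_ctr",      # client prefers a cipher the server does not offer
    "hmac": "md5,sha1,sha2_256",                      # weak entries are skipped because the server lacks them
    "key-exchange": "ecdh_sha2_nistp256,dh_group_exchange_sha256",
}
CLIENT_FAIL = dict(CLIENT_OK, hmac="md5,sha1")        # nothing in common for HMAC

if __name__ == "__main__":
    print(negotiate_all(CLIENT_OK, SERVER))
    try:
        negotiate_all(CLIENT_FAIL, SERVER)
    except ValueError as err:
        print("negotiation failed:", err)
```

The point worth noticing is that the client's preference order decides among the mutually supported algorithms, so a restrictive server list is what actually keeps weak entries out of a session.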
Example
# Configure key exchange algorithm lists dh_group_exchange_sha1 and
dh_group_exchange_sha256 on the SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server key-exchange dh_group_exchange_sha1 dh_group_exchange_sha256
Function
The ssh server login-failed threshold-alarm command configures alarm generation and
clearance thresholds for SSH server login failures within a specified period.
The undo ssh server login-failed threshold-alarm command restores the default alarm
generation and clearance thresholds.
By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes
and is cleared if the number of login failures falls below 20 within the same period.
Format
ssh server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time
Parameters
period period-time | Specifies a statistics collection period. | The value is an integer ranging from 1 to 120, in minutes. The default value is 5. If report-times is 0, the period-time value specified does not take effect.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To manage frequent SSH server login failures within a specified period, run the ssh server
login-failed threshold-alarm command to configure alarm generation and clearance
thresholds for the login failures.
This command takes effect for both IPv4 and IPv6 SSH servers.
Precautions
The alarm generation threshold specified using report-times must be greater than or equal to
the alarm clearance threshold specified using resume-times.
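The generation and clearance thresholds described above, modelled in Python as a sliding window with hysteresis and replayed over constructed log lines. This is an added example, not device code; the log line format is invented for the example, and the thresholds are the upper-limit 20, lower-limit 10 and period 3 values used in this command's Example.

```python
"""Sliding-window login-failure alarm with report/resume hysteresis (added example, not device code)."""
from collections import deque
from datetime import datetime, timedelta


class LoginFailureAlarm:
    def __init__(self, report_times: int, resume_times: int, period_minutes: int):
        # The chapter's precaution: upper-limit must be >= lower-limit.
        if report_times < resume_times:
            raise ValueError("upper-limit must be greater than or equal to lower-limit")
        self.report_times = report_times
        self.resume_times = resume_times
        self.period = timedelta(minutes=period_minutes)
        self.failures = deque()   # timestamps of failures still inside the window
        self.active = False       # whether the alarm is currently raised

    def _prune(self, now):
        # Drop failures that are older than the statistics period.
        while self.failures and now - self.failures[0] >= self.period:
            self.failures.popleft()

    def record_failure(self, now):
        self.failures.append(now)
        return self.evaluate(now)

    def evaluate(self, now):
        """Return 'ALARM', 'CLEAR' or None depending on the count inside the window."""
        self._prune(now)
        count = len(self.failures)
        if not self.active and count >= self.report_times:
            self.active = True
            return "ALARM"
        if self.active and count < self.resume_times:
            self.active = False
            return "CLEAR"
        return None


def parse_failure_time(line: str):
    """Return the timestamp of a constructed 'ssh login failed' line, else None."""
    if "ssh login failed" not in line:
        return None
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def run(lines, report_times=20, resume_times=10, period_minutes=3, final_check=None):
    """Feed log lines in order; return the (timestamp, event) transitions, plus a final re-evaluation."""
    alarm = LoginFailureAlarm(report_times, resume_times, period_minutes)
    events = []
    for line in lines:
        ts = parse_failure_time(line)
        if ts is None:
            continue
        event = alarm.record_failure(ts)
        if event:
            events.append((ts.isoformat(), event))
    if final_check is not None:
        event = alarm.evaluate(final_check)
        if event:
            events.append((final_check.isoformat(), event))
    return events


# Constructed sample: 20 failures three seconds apart, then one unrelated successful login.
START = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = [
    f"{START + timedelta(seconds=3 * i):%Y-%m-%d %H:%M:%S} ssh login failed user=admin src=192.0.2.10"
    for i in range(20)
] + [f"{START + timedelta(seconds=70):%Y-%m-%d %H:%M:%S} ssh login succeeded user=ops src=192.0.2.20"]

if __name__ == "__main__":
    for ts, event in run(SAMPLE_LOG, final_check=START + timedelta(minutes=4)):
        print(ts, event)
```

The alarm is raised on the twentieth failure and cleared only once the window has emptied below the lower limit; the gap between the two thresholds is what keeps a source hovering around the limit from flapping the alarm on and off.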
Example
# Configure the device to generate an alarm when the number of SSH server login failures
within 3 minutes reaches 20 and clear the alarm when the number of SSH server login failures
within 3 minutes is less than 10.
<HUAWEI> system-view
[~HUAWEI] ssh server login-failed threshold-alarm upper-limit 20 lower-limit 10
period 3
Function
The ssh server port command changes the listening port number of the SSH server.
The undo ssh server port command restores the default listening port number of the SSH
server.
Format
ssh [ ipv4 | ipv6 ] server port port-number
Parameters
Parameter | Description | Value
ipv4 | Specifies the IPv4 server port. | -
ipv6 | Specifies the IPv6 server port. | -
port-number | Specifies the listening port number of the SSH server. | The value is 22 or an integer ranging from 1025 to 65535.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Configure the listening port number of the SSH server to prevent malicious access to the
standard SSH service port and ensure security.
The ssh server port command applies to both the IPv4 and IPv6 SSH servers. Run the ssh ipv4
server port command to set the port of the IPv4 SSH server only, and the ssh ipv6 server port
command to set the port of the IPv6 SSH server only.
Precautions
The SSH client can log in successfully with no port specified only when the server is listening
on port 22. If the server is listening on another port, the port number must be specified upon
login.
Before changing the current port number, disconnect all devices from the port. After the port
number is changed, the server starts to listen on the new port.
Example
# Set the listening port number of the SSH server to 1025.
<HUAWEI> system-view
[~HUAWEI] ssh server port 1025
Warning: The operation will disconnect all online users. Continue? [Y/N]: y
Function
The ssh server publickey command enables or disables the public key algorithm function of
the SSH server.
The undo ssh server publickey command restores public key algorithms of the SSH server to
default values.
Format
ssh server publickey { dsa | ecc | rsa } *
Parameters
Parameter | Description | Value
dsa | Indicates the DSA algorithm. | -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The command enables you to use a more secure public key algorithm to log in to the device,
with other public key algorithms rejected. This improves device security. You are advised to
use the ECC public key algorithm.
To allow one public key algorithm and deny the others, run the ssh server publickey command
with that algorithm specified. For example, after the ssh server publickey dsa command is run,
the DSA algorithm is allowed but the ECC and RSA algorithms are not. If this command is run
multiple times, the last configuration takes effect.
Precautions
l A public key algorithm can be used for login only after it is enabled on both the client
and server.
l When you run the undo ssh server publickey command with an algorithm specified, ensure
that the specified algorithm is the same as that configured using the ssh server publickey
command; alternatively, run the undo ssh server publickey command with no algorithm
specified. Otherwise, the configuration is not restored.
l If the ssh user authentication-type { password | rsa | dsa | ecc | password-rsa |
password-dsa | password-ecc | all } command is run to configure public key
authentication as the authentication mode of SSH users, the involved public key
algorithm must be consistent with that enabled in the ssh server publickey { dsa | ecc |
rsa } * command. Otherwise, device login fails. For example, if the ssh server
publickey ecc command is run, run the ssh user authentication-type { ecc | password-ecc | all }
command to set the authentication mode of SSH users to ECC, Password-ECC, or All.
This command takes effect for both IPv4 and IPv6 SSH servers.
Example
# Allow the ECC algorithm and deny other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh server publickey ecc
Function
The ssh server rekey command sets the criteria that trigger SSH server key re-negotiation.
The undo ssh server rekey command restores the default values of criteria that trigger SSH
server key re-negotiation.
By default, key re-negotiation is triggered on the SSH server when one of the following
conditions is met:
l The total size of sent and received packets reaches 1000 MB.
l The total number of sent and received packets reaches 2147483648.
l The online duration reaches 60 minutes.
Format
ssh server rekey { data-limit data-limit | max-packet max-packet | time minutes } *
Parameters
time minutes | Specifies the session duration that triggers key re-negotiation. | The value is an integer in the range of 30 to 1440, in minutes.
Views
System view
Default Level
3: Management level
Usage Guidelines
When an SSH session meets one or more of the following criteria, the system re-negotiates a
key and uses the new key to establish SSH session connections, improving system security.
l The number of interaction packets meets the configured key re-negotiation criterion.
l The accumulated packet data volume meets the configured key re-negotiation criterion.
l The session duration meets the configured key re-negotiation criterion.
This command takes effect for both IPv4 and IPv6 SSH clients.
NOTE
A key re-negotiation request is initiated when either the SSH client or server meets the key re-negotiation criteria, and the other party responds.
Example
# Configure key re-negotiation to be triggered on the SSH server when the total size of sent
and received packets reaches 10000 MB, the total number of sent and received packets
reaches 268435456, or the online duration reaches 1440 minutes.
<HUAWEI> system-view
[~HUAWEI] ssh server rekey data-limit 10000 max-packet 268435456 time 1440
The undo ssh server rekey-interval command restores the default interval for updating the
SSH server key pair.
The default interval for updating the SSH server key pair is 0, indicating that the key pair is
never updated.
Format
ssh server rekey-interval hours
undo ssh server rekey-interval
Parameters
Parameter | Description | Value
hours | Specifies the interval for updating the server key pair. | The value is an integer that ranges from 0 to 24, in hours.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the server key pair is not updated for a long time, the key becomes easier to crack and the
server is insecure. After the interval for updating the SSH server key pair is set using this
command, the system automatically updates the key pair at that interval.
Precautions
If the client is connected to the server, the server public key on the client is not updated
immediately. This key is updated only when the client is reconnected to the server.
Example
# Set the interval for updating the SSH server key pair to 2 hours.
<HUAWEI> system-view
[~HUAWEI] ssh server rekey-interval 2
Format
ssh server timeout seconds
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If authentication is not completed successfully within the SSH connection authentication
timeout interval, the current connection is terminated to ensure security. You can run the
display ssh server command to query the current timeout interval.
Precautions
The setting for the timeout interval takes effect upon next login.
This command takes effect for both IPv4 and IPv6 connections.
Example
# Set the SSH connection authentication timeout interval to 90 seconds.
<HUAWEI> system-view
[~HUAWEI] ssh server timeout 90
Function
The ssh server-source command specifies a source interface for an SSH server.
Format
ssh server-source -i interface-type interface-number
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
By default, an SSH server accepts connection requests on all interfaces, which exposes the
system to attacks. To enhance system security, specify the source interface of the SSH server.
This sets a login condition so that only authorized users can log in to the SSH server.
Prerequisites
Before running this command to specify the source interface, ensure that the physical
interface exists on the device or the logical interface has been created successfully; otherwise,
this command cannot be run successfully.
Precautions
l After the source interface is specified, the system only allows SSH users to log in to the
SSH server through this source interface, and SSH users logging in through other
interfaces are denied. Note that setting this parameter only affects SSH users who
attempt to log in to the SSH server, and it does not affect SSH users who have logged in
to the server.
l After the source interface of an SSH server is specified using this command, ensure that
SSH users can access the source interface at Layer 3. Otherwise, the SSH users will fail
to log in to the SSH server.
l The configuration takes effect upon the next login. The system will prompt you to
determine whether to continue the operation.
l If the specified source interface has been bound to a VPN instance, the SSH server is
automatically bound to the same VPN instance.
l If the specified source interface has been bound to a VPN instance, for example, vpn1,
but a different VPN instance, for example, vpn2, is specified in the ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command, vpn1 takes
effect for IPv4 users, and vpn2 takes effect for IPv6 users.
l After a bound VPN instance is deleted, the VPN configuration specified using the ssh
server-source command will not be cleared but does not take effect. In this case, the
SSH server uses a public IP address. If you configure the VPN instance with the same
name again, the VPN function restores.
l After a bound source interface is deleted, the interface configuration specified using the
ssh server-source command will not be cleared but does not take effect. If you configure
the source interface with the same name again, the interface configuration specified
using the ssh server-source command is updated and the function restores.
l For an IPv6 SSH server, you can run the ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command to configure a user to log in to the server
through a specified IPv6 source address.
Example
# Specify Loopback0 as the source interface of the SSH server.
<HUAWEI> system-view
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 10.1.1.1 24
[*HUAWEI-LoopBack0] quit
[*HUAWEI] ssh server-source -i loopback 0
Function
The ssh user command creates an SSH user.
Format
ssh user user-name
undo ssh user [ user-name ]
Parameters
Parameter | Description | Value
user-name | Specifies the name of an SSH user. | The name is a string of 1 to 253 case-insensitive characters without spaces. NOTE: When quotation marks are used around the string, spaces are allowed in the string.
Views
System view
Default Level
3: Management level
Usage Guidelines
You can create a user using either of the following methods:
l Run the ssh user command.
l After the ssh user authentication-type, ssh user service-type, or ssh user sftp-directory
command is run, the system automatically creates a user named user-name if it detects
that the user named user-name does not exist.
Example
# Create an SSH user named testuser.
<HUAWEI> system-view
[~HUAWEI] ssh user testuser
Format
ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name
undo ssh user user-name assign { rsa-key | dsa-key | ecc-key }
Parameters
Parameter | Description | Value
user-name | Specifies the SSH user name. | The SSH user must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When an SSH client needs to log in to the SSH server in RSA, DSA, or ECC mode, run this
command to assign a public key to the client. If the client has been assigned keys, the latest
assigned key takes effect.
For security purposes, it is not recommended that you use RSA as the public key.
Precautions
The newly configured public key takes effect upon next login.
If the user named user-name to whom a public key is assigned does not exist, the system
automatically creates an SSH user named user-name and performs the configured
authentication for the SSH user.
Example
# Assign key1 to a user named John.
<HUAWEI> system-view
[~HUAWEI] ssh user john assign rsa-key key1
Function
The ssh user authentication-type command configures the authentication mode for an SSH
user.
The undo ssh user authentication-type command deletes the configured authentication
mode.
Format
ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you configure the authentication mode for an SSH user, the system automatically
creates an SSH user named user-name if the user-name user does not exist.
For security purposes, you are advised not to use the RSA authentication mode.
Table 3-37 describes the usage scenarios for different authentication modes.
Precautions
A new SSH user cannot log in to the SSH server unless being configured with an
authentication mode. The newly configured authentication mode takes effect upon next login.
Example
# Configure the password authentication mode for an SSH user John.
<HUAWEI> system-view
[~HUAWEI] ssh user john authentication-type password
# Set the authentication type to ECC for the SSH user named ssh_user1@dom1.
<HUAWEI> system-view
[~HUAWEI] ssh user ssh_user1@dom1 authentication-type ecc
Format
ssh user user-name service-type { { sftp | stelnet | snetconf } * | all }
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to determine the service type for connecting to devices. If the user-
name user does not exist, the system creates an SSH user named user-name and uses the
configured service type for the SSH user.
Precautions
If the SFTP service type is configured for an SSH user, you need to set the authorized
directory for the user. By default, the SFTP service authorized directory is flash: for the SSH
user. You can run the ssh user sftp-directory command to set the authorized directory.
If you run the ssh user user-name service-type sftp stelnet snetconf command, the ssh user
user-name service-type all command is saved in the configuration file.
Example
# Configure the all service type for an SSH user John.
<HUAWEI> system-view
[~HUAWEI] ssh user john service-type all
3.6.80 stelnet
Function
The stelnet command enables you to use the STelnet protocol to log in to another device from
the current device.
Format
# IPv4 address
# IPv6 address
Parameters
Parameter | Description | Value
-a source-ip-address | Specifies the STelnet source IP address. | -
-i interface-type interface-number | Specifies the STelnet source interface. If the source interface is specified using -i interface-type interface-number, the -vpn-instance vpn-instance-name parameter is not supported. | -
prefer_ctos_compress compress-type | Specifies the preferred compression algorithm from the client to the server. | The value of this parameter can only be set to zlib in the current version.
prefer_stoc_compress compress-type | Specifies the preferred compression algorithm from the server to the client. | The value of this parameter can only be set to zlib in the current version.
-vpn-instance vpn-instance-name | Specifies the name of the VPN instance. | The VPN must already exist.
-ki aliveinterval | Specifies the interval for sending keepalive packets when no packet is received. | The value is an integer that ranges from 1 to 3600, in seconds.
-kc alivecountmax | Specifies the number of times for no reply of keepalive packets. | The value is an integer that ranges from 1 to 30. The default value is 3.
user-identity-key | Indicates the public key for the user authentication. | The public key algorithm can be one of the following: dsa, ecc, rsa. The default public key algorithm is ecc.
Views
User view, System view
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
Logins through Telnet bring security risks because Telnet does not provide any authentication
mechanism and data is transmitted using TCP in plain text. Compared with Telnet, SSH
guarantees secure file transfer on a traditional insecure network by authenticating clients and
encrypting data in bidirectional mode. The SSH protocol supports STelnet. You can run this
command to use STelnet to log in to another device from the current device.
STelnet is a secure Telnet service. SSH users can use the STelnet service in the same way as
the Telnet service.
When a fault occurs in the connection between the client and server, the client needs to detect
the fault in real time and proactively release the connection. To do so, set the interval for
sending keepalive packets and the maximum number of unanswered keepalive packets on the
client that logs in to the server through STelnet.
l Interval for sending keepalive packets: If a client does not receive any packet within the
specified interval, the client sends a keepalive packet to the server.
l Maximum number of times the server has no response: If the number of times that the
server does not respond exceeds the specified value, the client proactively releases the
connection.
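The two client-side rules above, modelled in Python as an added example (not device code). Times are seconds since the connection was established, rx_times are constructed arrival times of any packet from the server, and "exceeds" is taken literally: the connection is released on the (alivecountmax + 1)-th consecutive unanswered keepalive.

```python
"""Client-side STelnet keepalive behaviour (added example, not device code)."""


def release_time(aliveinterval: int, alivecountmax: int, rx_times):
    """Return the time at which the client releases the connection, assuming no packet
    arrives after the last entry of rx_times. aliveinterval is -ki, alivecountmax is -kc."""
    rx = sorted(rx_times)
    idx = 0
    last_activity = 0   # time of the last packet received, or of the last keepalive sent
    unanswered = 0      # consecutive keepalives the server has not answered
    while True:
        probe = last_activity + aliveinterval
        # Ignore arrivals that are not later than the last activity point.
        while idx < len(rx) and rx[idx] <= last_activity:
            idx += 1
        if idx < len(rx) and rx[idx] <= probe:
            # Traffic arrived before the timer expired: the timer restarts and the
            # unanswered count is reset; no keepalive is sent.
            last_activity = rx[idx]
            idx += 1
            unanswered = 0
            continue
        # Timer expired without traffic: send a keepalive and count it as unanswered.
        unanswered += 1
        last_activity = probe
        if unanswered > alivecountmax:
            return probe


if __name__ == "__main__":
    # Same parameters as the Example below: -ki 10 -kc 4.
    print("silent server:", release_time(10, 4, []))
    print("server answers until t=35:", release_time(10, 4, [5, 12, 35]))
    print("defaults (-kc 3) with -ki 10:", release_time(10, 3, []))
```

The worst-case detection time for a dead peer is therefore aliveinterval multiplied by (alivecountmax + 1) seconds after the last packet was received, which is the figure to weigh against the extra keepalive traffic when choosing the two values.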
Precautions
l Before connecting to the SSH server using the stelnet command, enable the STelnet service
on the SSH server by running the stelnet server enable command.
l The SSH client can log in to the SSH server with no port specified only when the server
is listening on port 22. If the server is listening on another port, the port number must be
specified upon login.
Example
# Set keepalive parameters when the client logs in to the server through STelnet.
<HUAWEI> stelnet 10.164.39.209 -ki 10 -kc 4
Function
The stelnet server enable command enables the STelnet service on the SSH server.
The undo stelnet server enable command disables the STelnet service on the SSH server.
Format
stelnet [ ipv4 | ipv6 ] server enable
Parameters
Parameter | Description | Value
ipv4 | Specifies the IPv4 server. | -
ipv6 | Specifies the IPv6 server. | -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To connect a client to the SSH server through STelnet, you must enable the STelnet service on
the SSH server.
The stelnet server enable command enables both the IPv4 and IPv6 STelnet servers. Run the
stelnet ipv4 server enable command to enable only the IPv4 STelnet server, and the stelnet
ipv6 server enable command to enable only the IPv6 STelnet server.
Precautions
After you disable the STelnet service on the SSH server, all clients that have logged in
through STelnet are disconnected.
In V200R002C50 and V200R003C00, you can run the stelnet [ ipv4 | ipv6 ] server enable
command to enable the STELNET function. If the current version is downgraded to
V200R001C00 or an earlier version, this configuration will be lost, so you need to run the
stelnet server enable command again. In V200R005C00, you can run the stelnet ipv4 server
enable command to enable the IPv4 STELNET function, or run the stelnet ipv6 server
enable command to enable the IPv6 STELNET function (IPv4 STELNET and IPv6
STELNET functions are not enabled simultaneously). If the current version is downgraded to
V200R001C00 or an earlier version, this configuration will be lost, so you need to run the
stelnet server enable command again.
Example
# Enable the STelnet service.
<HUAWEI> system-view
[~HUAWEI] stelnet server enable
3.6.82 telnet
Function
The telnet command enables you to use the Telnet protocol to log in to another device from
the current device.
Format
# Log in to another device through Telnet based on IPv4.
telnet [ [ vpn-instance vpn-instance-name ] -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]
# Log in to another device through Telnet based on IPv6.
telnet ipv6 [ vpn-instance vpn-instance-name ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ]
Parameters
Parameter | Description | Value
vpn-instance vpn-instance-name | Specifies the VPN instance name of the device to log in through Telnet. | The VPN must already exist.
Views
User view
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
If one or more devices on the network need to be configured and managed, you do not need to
connect each device to your terminal for local maintenance. If you have learned the IP address
of the device, you can run this command to log in to the device from your terminal for remote
device configuration. By doing this, you can use one terminal to maintain multiple devices on
the network.
You can press Ctrl+K to terminate an active connection between the local and remote
devices.
Prerequisites
The terminal communicates with the remote device using an IP address, and the Telnet server
is enabled on the remote device.
Precautions
l Before you run the telnet command to connect to the Telnet server, the Telnet client and
server must be able to communicate through Layer 3 and the Telnet service must be
enabled on the Telnet server.
l Logins through Telnet bring security risks because Telnet does not provide any
authentication mechanism and data is transmitted using TCP in plain text. The STelnet
mode is recommended for networks with high security requirements.
Example
# Connect to a remote device through Telnet.
<HUAWEI> telnet 192.168.1.6
Function
The telnet client source command specifies the source IP address and interface for a Telnet
client.
The undo telnet client source command restores the default settings.
Format
telnet client source { -a source-ip-address | -i interface-type interface-number }
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
If the source IP address and interface are not specified in the telnet command, the default
settings specified by the telnet client source command are used. If the source IP address and
interface are specified in the telnet command, the specified settings are used. When you check the
current Telnet connection on the server, the IP address displayed is the specified source IP
address or the primary IP address of the specified interface.
After a bound source interface is deleted, the interface configuration specified using the ssh
server-source command will not be cleared but does not take effect. If you configure the
source interface with the same name again, the interface configuration specified using the ssh
server-source command is updated and the function restores.
If the specified source interface has been bound to a VPN instance, the client is automatically
bound to the same VPN instance.
Example
# Set the source IP address of the Telnet client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] telnet client source -a 10.1.1.1
Function
The telnet dscp command sets the DSCP priority of Telnet packets.
Format
telnet { client | server } dscp dscp-number
Parameters
Parameter Description Value
dscp-number
Description: Specifies the DSCP priority.
Value: The value is an integer that ranges from 0 to 63. A greater DSCP value indicates a higher priority.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to set the DSCP priority of Telnet packets. The DSCP priority of
Telnet packets sent by the switch is then changed to the configured value. When network
congestion occurs, you can appropriately reduce the DSCP priority of Telnet packets to ensure
proper forwarding of data packets.
The priority of this command is higher than that of the set priority dscp command. If a DSCP
value is configured using this command, the configured value takes effect. If a DSCP value is
configured using the set priority dscp command rather than this command, the value
configured using the set priority dscp command takes effect. If no DSCP value is configured
using the preceding commands, the default DSCP value is used.
When you run the undo telnet { client | server } dscp [ dscp-number ] command:
l If dscp-number is not specified, the DSCP field is restored to the default value.
l If dscp-number is 48, the DSCP field is restored to the default value.
l If dscp-number is set to a value other than 48, it must be the same as the value configured
using the telnet { client | server } dscp dscp-number command. Otherwise, the command execution fails.
Precautions
Example
# Set the DSCP priority of Telnet packets sent by the client to 40.
<HUAWEI> system-view
[~HUAWEI] telnet client dscp 40
Format
telnet [ ipv6 ] server acl { acl-number | acl-name }
undo telnet [ ipv6 ] server acl
Parameters
Parameter Description Value
ipv6
Description: Specifies a Telnet IPv6 server.
Value: -
acl-number
Description: Specifies the basic ACL number.
Value: The value is an integer that ranges from 2000 to 3999.
acl-name
Description: Specifies the ACL name.
Value: The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter or digit, and cannot contain only digits.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a device functions as the Telnet server, you can configure the ACL on the device to
control the login of the clients to the device.
Prerequisites
Before running this command, run the acl (system view) in the system view and run the rule
(ACL view) command to configure an ACL.
Precautions
l If no rule is configured, the incoming and outgoing calls are not restricted after the
command telnet server acl is run.
Example
# Configure the ACL numbered 2000 on the Telnet server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] telnet server acl 2000
Function
The telnet server login-failed threshold-alarm command configures alarm generation and
clearance thresholds for Telnet server login failures within a specified period.
The undo telnet server login-failed threshold-alarm command restores the default alarm
generation and clearance thresholds.
By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes
and is cleared if the number of login failures falls below 20 within the same period.
Format
telnet server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time
Parameters
Parameter Description Value
upper-limit report-times
Description: Specifies an alarm generation threshold.
Value: The value is an integer ranging from 0 to 100. The default value is 30. If the value is 0, no alarms are generated upon Telnet server login failures.
period period-time
Description: Specifies a statistics collection period.
Value: The value is an integer ranging from 1 to 120, in minutes. The default value is 5. If report-times is 0, the period-time value specified does not take effect.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To manage frequent Telnet server login failures within a specified period, run the telnet
server login-failed threshold-alarm command to configure alarm generation and clearance
thresholds for the login failures.
This command takes effect for both ipv4 and ipv6 Telnet servers.
Precautions
The alarm generation threshold specified using report-times must be greater than or equal to
the alarm clearance threshold specified using resume-times.
Example
# Configure the device to generate an alarm when the number of Telnet server login failures
within 3 minutes reaches 20 and clear the alarm when the number of Telnet server login
failures within 3 minutes is less than 10.
<HUAWEI> system-view
[~HUAWEI] telnet server login-failed threshold-alarm upper-limit 20 lower-limit
10 period 3
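To see how the generation and clearance thresholds interact over a statistics period, here is an added Python model that replays constructed login-failure timestamps against the values used in the example above (upper-limit 20, lower-limit 10, period 3). It is not Huawei code or the device's implementation, and it assumes the period behaves as a sliding window, which the page does not specify.

```python
"""Sliding-window model of Telnet login-failure alarm thresholds.
Added example, not Huawei code: it models the documented semantics
(upper-limit raises, lower-limit clears, period in minutes) and assumes
the period behaves as a sliding window, which the page does not specify."""
from collections import deque
from datetime import datetime, timedelta


def validate_thresholds(upper_limit, lower_limit, period_minutes):
    """Return True when the values satisfy the documented ranges and ordering."""
    return (0 <= upper_limit <= 100 and 0 <= lower_limit <= 100
            and 1 <= period_minutes <= 120 and upper_limit >= lower_limit)


class LoginFailureAlarm:
    def __init__(self, upper_limit, lower_limit, period_minutes):
        if not validate_thresholds(upper_limit, lower_limit, period_minutes):
            raise ValueError("report-times must be >= resume-times and within range")
        self.upper = upper_limit
        self.lower = lower_limit
        self.period = timedelta(minutes=period_minutes)
        self.failures = deque()      # timestamps of failures inside the window
        self.alarm_active = False
        self.events = []             # (action, time, failure count) transitions

    def _prune(self, now):
        # Drop failures older than the statistics period.
        while self.failures and now - self.failures[0] > self.period:
            self.failures.popleft()

    def record_failure(self, when):
        """Register one failed Telnet login; return whether the alarm is active."""
        self.failures.append(when)
        return self._evaluate(when)

    def tick(self, now):
        """Re-evaluate without a new failure so the alarm can clear as
        old failures age out of the window."""
        return self._evaluate(now)

    def _evaluate(self, now):
        self._prune(now)
        count = len(self.failures)
        if self.upper == 0:          # report-times 0 disables alarm generation
            return False
        if not self.alarm_active and count >= self.upper:
            self.alarm_active = True
            self.events.append(("RAISE", now, count))
        elif self.alarm_active and count < self.lower:
            self.alarm_active = False
            self.events.append(("CLEAR", now, count))
        return self.alarm_active


def run_demo():
    """Replay constructed failure timestamps against upper 20 / lower 10 / period 3
    and return the alarm transitions."""
    base = datetime(2024, 1, 1, 10, 0, 0)   # constructed timestamps
    alarm = LoginFailureAlarm(20, 10, 3)
    # 20 failures within 20 seconds: the 20th one reaches the generation threshold.
    for i in range(20):
        alarm.record_failure(base + timedelta(seconds=i))
    # Three and a half minutes later the window is empty and the alarm clears.
    alarm.tick(base + timedelta(minutes=3, seconds=30))
    return alarm.events


if __name__ == "__main__":
    for action, when, count in run_demo():
        print(action, when.isoformat(), count)
```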
Format
telnet server-source -i loopback interface-number
undo telnet server-source
telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
undo telnet ipv6 server-source
Parameters
Parameter Description Value
-i loopback interface-number
Description: Specifies a loopback interface as the source interface of the Telnet server.
Value: The value is an integer that ranges from 0 to 1023.
-a ipv6-address
Description: Specifies the source IPv6 address.
Value: The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.
ipv6
Description: Specifies the Telnet IPv6 server.
Value: -
-vpn-instance vpn-instance-name
Description: Specifies the VPN.
Value: The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
By default, a Telnet server receives connection requests from all interfaces so that the system
is vulnerable to attacks. To enhance system security, you can specify the source interface of
the Telnet server. This sets a login condition and only authorized users can log in to the Telnet
server.
The telnet server-source -i loopback interface-number command takes effect only for IPv4.
Prerequisites
Before running the telnet server-source command, ensure that the loopback interface to be
specified as the source interface has been created. If the loopback interface is not created, the
telnet server-source command cannot be correctly executed.
The VPN instance must have been configured successfully before you specify it using this command.
Precautions
l After the source interface is specified, the system only allows Telnet users to log in to the
Telnet server through this source interface, and Telnet users logging in through other
interfaces are denied. Note that setting this parameter only affects Telnet users who
attempt to log in to the Telnet server, and it does not affect Telnet users who have logged
in to the server.
l After the source interface of a Telnet server is specified using this command, ensure that
Telnet users can access the source interface at Layer 3. Otherwise, the Telnet users will
fail to log in to the Telnet server.
l If the specified source interface has been bound to a VPN instance, the server is
automatically bound to the same VPN instance.
l After a bound VPN instance is deleted, the VPN configuration specified using the telnet
server-source command will not be cleared but does not take effect. In this case, the
Telnet server uses a public IP address. If you configure the VPN instance with the same
name again, the VPN function restores.
l For an IPv6 Telnet server, you can run the telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command to configure a user to log in to the server
through a specified IPv6 source address.
l After a bound source interface is deleted, the interface configuration specified using the
ssh server-source command will not be cleared but does not take effect. If you configure
the source interface with the same name again, the interface configuration specified
using the ssh server-source command is updated and the function restores.
Example
# Specify Loopback0 as the source interface of the Telnet server.
<HUAWEI> system-view
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 10.1.1.1 24
[*HUAWEI-LoopBack0] quit
[*HUAWEI] telnet server-source -i loopback 0
The undo telnet server disable command enables the Telnet server.
The default situation is as follows:
l If a device starts without any configuration file, the Telnet server is disabled.
l If a device starts with a loaded configuration file (for example, a configuration file is
loaded to the device using ZTP for initial configuration) and the configuration file
contains the telnet server disable command, the Telnet server is disabled; otherwise, the
Telnet server is enabled.
Format
telnet [ ipv6 ] server disable
undo telnet [ ipv6 ] server disable
Parameters
Parameter Description Value
ipv6 Specifies a Telnet IPv6 server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
You can run this command to enable and disable the Telnet server. A Telnet server can be
connected only when it is enabled.
If the Telnet server is disabled using the telnet [ ipv6 ] server disable command, new Telnet
connections are not allowed and existing Telnet connections are disconnected.
When a Telnet server stops, you can log in to the device only through the console port or
SSH.
Example
# Enable a Telnet server.
<HUAWEI> system-view
[~HUAWEI] undo telnet server disable
# Disable a Telnet server.
<HUAWEI> system-view
[~HUAWEI] telnet server disable
Function
The telnet server port command configures the listening port number of a Telnet server.
The undo telnet server port command restores the default listening port of a Telnet server.
Format
telnet [ ipv6 ] server port port-number
Parameters
Parameter Description Value
ipv6 Specifies a Telnet IPv6 server. -
port-number
Description: Specifies the listening port number of a Telnet server.
Value: The value is an integer that is 23 or ranges from 1025 to 65535. The default value 23 is the standard Telnet server port number.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To protect the Telnet standard port against attacks and ensure network security, configure the
listening port number of the Telnet server.
The command telnet server port port-number takes effect for ipv4 Telnet servers.
Precautions
A Telnet client can log in to the server with no port specified only when the server is listening
on port 23. If the server is listening on another port, the port number must be specified upon
login.
Before changing the current port number, disconnect all devices from the port. After the port
number is changed, the server starts to listen on the new port.
Example
# Configure the listening port number to 1026.
<HUAWEI> system-view
[~HUAWEI] telnet server port 1026
Function
The activate ftp server ip-block ip-address command unlocks the IPv4 and IPv6 addresses
of a user that failed FTP authentication.
Format
activate ftp server ip-block ip-address ip-address [ vpn-instance vpn-name ]
Parameters
Views
User view
Default Level
3: Management level
Usage Guidelines
In an FTP connection, if a user enters incorrect passwords a specified number of consecutive
times within a specified number of minutes, the IP address of this user is locked. Run the ftp
server ip-block reactive command to set the lock period. To unlock the IP address of this user
before the lock period expires, run the activate ftp server ip-block ip-address command.
Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate ftp server ip-block ip-address 10.1.2.3
3.7.2 append
Function
The append command adds local file data to the end of a file on the FTP server.
Format
append local-filename [ remote-filename ]
Parameters
Parameter Description Value
local-filename
Description: Specifies the local file name.
Value: The value is a string of 1 to 128 characters.
remote-filename
Description: Specifies the name of a file on the FTP server. If the specified file does not exist on the FTP server, the file is created.
Value: The value is a string of 1 to 128 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
If the file specified by the remote-filename parameter does not exist when you run the
append command, the file is created on the FTP server and the local file data is appended to it.
Example
# Add the data of local file sample2.txt to the end of file sample1.txt on the FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] append sample2.txt sample1.txt
200 Port command okay.
150 Opening ASCII mode data connection for /
sample1.txt.
226 Transfer complete.
\ 100% [***********]
FTP: 35 byte(s) send in 1.443522666 second(s) 23byte(s)/sec.
# Add the data of local file a.txt to the end of file a.txt on the FTP server.
[ftp] append a.txt
200 Port command okay.
150 Opening ASCII mode data connection for /a.txt.
226 Transfer complete.
\ 100% [***********]
FTP: 35 byte(s) send in 1.443522666 second(s) 23byte(s)/sec.
3.7.3 ascii
Function
The ascii command sets the file transfer mode to ASCII on an FTP client.
The default file transfer mode is ASCII.
Format
ascii
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Files can be transferred in ASCII or binary mode.
ASCII mode is used to transfer plain text files, and binary mode is used to transfer application
files, such as system software, images, video files, compressed files, and database files.
Example
# Set the file transfer mode to ASCII.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] ascii
200 Type set to A.
3.7.4 binary
Function
The binary command sets the file transmission mode to binary on an FTP client.
The default file transfer mode is ASCII.
Format
binary
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Files can be transferred in ASCII or binary mode.
ASCII mode is used to transfer plain text files, and binary mode is used to transfer application
files, such as system software, images, video files, compressed files, and database files.
NOTE
The binary mode can be set to transfer ASCII and binary files.
Example
# Set the file transmission mode to binary.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
3.7.5 bye
Function
The bye command terminates the connection with the remote FTP server and enters the user
view.
Format
bye
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
This command is equivalent to the quit command.
You can use the close and disconnect commands to terminate the connection with the remote
FTP server and retain the FTP client view.
Example
# Terminate the connection with the remote FTP server and enter the user view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] bye
221 server closing.
<HUAWEI>
3.7.6 bye/exit
Function
The bye/exit command disconnects the system from the remote SFTP server and returns it
from the SFTP client view to the system view.
Format
bye
exit
Parameters
None
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
You can use this command to return to the system view from the SFTP client view.
Example
# Disconnect from SFTP server using bye command.
<HUAWEI> system-view
[~HUAWEI] sftp 10.1.1.1
sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username: sftp
sftp-client> bye
[~HUAWEI]
Format
cd remote-directory
Parameters
Parameter Description Value
remote-directory
Description: Specifies the name of a working directory on the FTP server.
Value: The value is a string of 1 to 128 case-insensitive characters without spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
The FTP server authorizes users to access files in certain directories and their subdirectories.
Example
# Change the working directory to d:/temp.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] cd d:/temp
250 "D:/temp" is current directory.
Format
cd [ remote-directory ]
Parameters
Parameter Description Value
remote-directory
Description: Specifies the name of a directory on the SFTP server.
Value: The value is a string of 1 to 128 case-insensitive characters without spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
l The SFTP server authorizes users to access files in certain directories and their
subdirectories.
l The specified working directory must exist on the SFTP server. If the remote-directory
parameter is not included in the cd command, only the current working directory of an
SSH user is displayed as the command output.
Example
# Change the current working directory of the SFTP server to /bill.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> cd bill
Current directory is:
/bill
Format
cd [ directory ]
Parameters
Parameter Description Value
directory
Description: Specifies the current working directory of a user.
Value: The value is a string of 1 to 255 case-sensitive characters without spaces in the [ drive ] path format. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name. For example, a directory name is flash:/selftest/test/.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
l drive is the storage device and is named as flash:.
l If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the stack.
– chassis ID#flash: root directory of the flash memory on a device in the stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
l flash:/my/test/ is an absolute path.
l /selftest/ is a path relative to the root directory and indicates the selftest directory in the
root directory.
l selftest/ is a path relative to the current working directory and indicates the selftest
directory in the current working directory.
For example, if you change the current working directory flash:/selftest/ to the logfile
directory in flash, the absolute path is flash:/logfile/, and the relative path is /logfile/. The
logfile directory is not logfile/ because it is not in the current working directory selftest.
Precautions
l The directory specified in the cd command must exist; otherwise, an error message is
displayed.
Example
# Change the current working directory from flash:/temp to flash:.
<HUAWEI> pwd
flash:/temp/
<HUAWEI> cd flash:
<HUAWEI> pwd
flash:/
Format
cdup
Parameters
None
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
You can run the cdup command to change the current working directory to its parent
directory.
Example
# Change the current working directory to its parent directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> cd dhcp
Current directory is:
/dhcp
sftp-client> cdup
Current directory is:
/
sftp-client>
Function
The cdup command enables you to return to the upper-level directory.
Format
cdup
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To exit from the current directory and return to the upper-level directory, run the cdup
command.
Precautions
The directories accessible to an FTP user are restricted by the authorized directories
configured for the user.
Example
# Exit from the current directory and return to the upper-level directory.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] cd security
250 CWD command successful.
[ftp] cdup
200 CDUP command successful.
3.7.12 close
Function
The close command terminates the connection with the remote FTP server and retains the
FTP client view.
Format
close
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command is equivalent to the disconnect command.
You can run the bye and quit commands to terminate the connection with the remote FTP
server and enter the user view.
Precautions
To enter the user view from the FTP client view, you can run the bye or quit command.
Example
# Terminate the connection with the remote FTP server and enter the FTP client view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] close
221 Server closing.
[ftp]
3.7.13 copy
Function
The copy command copies a file.
Format
copy source-filename destination-filename [ all ]
Parameters
Parameter Description Settings
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
l drive is the storage device and is named as flash:.
l If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the stack.
– chassis ID#flash: root directory of the flash memory on a device in the stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
l flash:/my/test/ is an absolute path.
l /selftest/ is a path relative to the root directory and indicates the selftest directory in the
root directory.
l selftest/ is a path relative to the current working directory and indicates the selftest
directory in the current working directory.
Precautions
l If the destination file name is not specified, the destination file has the same name as the
source file. If the source file and the destination file are in the same directory, you must
specify the destination file name; otherwise, the source file cannot be copied.
Example
# Copy the newbasicsoft.cc file from the master device in a stack to other member devices.
<HUAWEI> copy newbasicsoft.cc 1#flash:/newbasicsoft.cc
Info: Are you sure to copy flash:/newbasicsoft.cc to 1#flash:/newbasicsoft.cc?
[Y/N]:y
100% complete
Info: Copying file flash:/newbasicsoft.cc to 1#flash:/newbasicsoft.cc...Done.
# Copy the file config.cfg from the root directory of the flash card to flash:/temp. The
destination file name is temp.cfg.
# If the current directory is the root directory of the flash card, you can perform the preceding
configuration using the relative path.
<HUAWEI> pwd
flash:/
<HUAWEI> dir
Directory of flash:/
# Copy the file config.cfg from the root directory of the flash card to flash:/temp. The
destination file name is config.cfg.
<HUAWEI> pwd
flash:/
<HUAWEI> dir
Directory of flash:/
# Copy the file backup.zip to backup1.zip in the test directory from the current working
directory flash:/test/.
<HUAWEI> pwd
flash:/test/
<HUAWEI> copy backup.zip backup1.zip
Info: copy flash:/test/backup.zip to flash:/test/backup1.zip?[Y/N]:y
100% complete
Info: Copied file flash:/test/backup.zip to flash:/test/backup1.zip...Done.
Function
The compare configuration command compares whether the current configurations are identical
with the next startup configuration file.
Format
compare configuration [ configuration-file ]
Parameters
Parameter Description Value
configuration-file
Description: Specifies the name of the configuration file to be compared with the current configurations. NOTE: If this parameter is not specified, the current configurations and the next startup configuration file are compared.
Value: The name of the configuration file must already exist.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After completing a series of operations, you can compare whether the current configurations
are the same as the configurations in the next startup configuration file or a specified
configuration file starting from the first line of the current configurations. You can determine
whether to save the current configurations based on the comparison result and specify the
current configurations as the next startup configuration file.
After you run this command to compare the current configurations with the next startup
configuration file or a specified configuration file, the system displays the different content
starting from the first different line to the ninth different line. If the different content contains
fewer than nine lines, the system displays only the content from the first different line to the
end of the file.
NOTE
You can run this command to compare whether the current configurations are the same as the
configurations in the next startup configuration file or a specified configuration file in VSn.
Precautions
The file name extension of the configuration file must be .cfg or .zip.
After this command is run once, only the first difference between the two configuration files
is displayed. To compare all differences, resolve the displayed difference so that the two files
match at that point, and then run the compare configuration command again; repeat until no
difference is reported.
Example
# Compare whether the current configurations are identical with the next startup configuration
file.
<HUAWEI> compare configuration
Building configuration...
Warning: The current configuration is not the same as the next startup
configuration file. There may be several differences, and the
Function
The delete command deletes a file from the FTP server.
Format
delete remote-filename
Parameters
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Whether the file can be deleted depends entirely on the access rights configured on the
remote server. Run the dir command to display the list of directories and files in the
specified directory.
Example
# Delete the file temp.c.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] delete temp.c
Warning: File temp.c will be deleted. Continue? [Y/N]:y
250 File deleted from remote host.
Function
The delete command deletes a specified file in the storage device.
Format
delete [ /unreserved ] [ /quiet ] { filename | devicename } [ all ]
Parameters
Parameter Description Value
filename
Description: Specifies the name of a file to be deleted.
Value: An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
l drive is the storage device and is named as flash:.
l If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the stack.
– chassis ID#flash: root directory of the flash memory on a device in the stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
l flash:/my/test/ is an absolute path.
l /selftest/ is a path relative to the root directory and indicates the selftest directory in the
root directory.
l selftest/ is a path relative to the current working directory and indicates the selftest
directory in the current working directory.
Precautions
l The wildcard (*) character can be used in the delete command.
l If the parameter /unreserved is not included, the file is stored in the recycle bin. To
display all files including deleted files that are displayed in square brackets ([ ]), run the
dir /all command. To restore these files that are displayed in square brackets ([ ]), run the
undelete command. To clear these files from the recycle bin, run the reset recycle-bin
command.
If you delete a file using the /unreserved parameter, the file cannot be restored.
l If the recycle bin is full, files cannot be deleted using the delete command without the
parameter /unreserved configured. In this case, delete unnecessary files permanently
using the delete command with the parameter /unreserved configured.
l If you delete two files with the same name from different directories, the last file deleted
is kept in the recycle bin.
l If you attempt to delete a protected file, such as a configuration file or patch file, a
system prompt is displayed.
l You cannot delete a directory by running the delete command. To delete a directory, run
the rmdir (user view) command.
l After the system is restarted, if a failure message is displayed when you delete a software
package or configuration file before service processes become stable, perform the
deletion only when the processes become stable.
Example
# Delete the file test.txt from the current working directory flash:/selftest.
<HUAWEI> delete test.txt
Info: Are you sure to delete flash:/selftest/test.txt? [Y/N]:y
Format
dir [ /all ] [ filename | directory | /all-filesystems ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
The wildcard character (*) can be used in this command. If no parameter is specified, this
command displays information about files and directories in the current directory.
The following describes the drive name:
l drive is the storage device and is named as flash:.
l If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the stack.
– chassis ID#flash: root directory of the flash memory on a device in the stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
l flash:/my/test/ is an absolute path.
l /selftest/ is a path relative to the root directory and indicates the selftest directory in the
root directory.
l selftest/ is a path relative to the current working directory and indicates the selftest
directory in the current working directory.
You can run the dir /all command to view information about all files and directories of the
storage medium, including those moved to the recycle bin. The name of a file in the recycle
bin is placed in square brackets ([]), for example, [test.txt].
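The path rules above (drive prefix, root-relative, working-directory-relative) and the recycle-bin behaviour of delete (a file is parked in the bin unless /unreserved is given, dir /all shows it in square brackets, undelete restores it, and only the last-deleted of two same-named files is kept) are the points scripts usually get wrong. The following is an added example in Python, not code from the Huawei documentation or from VRP: an in-memory model that applies exactly those rules. The stack drive names (slot2#flash:) and the file contents are constructed.

```python
"""Path resolution and recycle-bin behaviour of the delete / dir commands.

Added example (not Huawei code): an in-memory model that follows the rules
stated in the text. Drive names and file contents are constructed.
"""
from __future__ import annotations

# Assumption: a two-member stack, so both the master's flash: and slot2#flash: exist.
KNOWN_DRIVES = ("flash:", "slot2#flash:")


def resolve_path(cwd: str, path: str, drives=KNOWN_DRIVES) -> str:
    """Return the absolute form of `path` as '<drive>/<components>'.

    cwd must be absolute (e.g. "flash:/selftest"). Three cases from the text:
      flash:/my/test/  absolute (drive given)
      /selftest/       relative to the root directory of the current drive
      selftest/        relative to the current working directory
    """
    drive = next((d for d in drives if cwd.startswith(d)), None)
    if drive is None:
        raise ValueError(f"cwd {cwd!r} is not on a known drive")
    for d in drives:
        if path.startswith(d):
            drive, rest = d, path[len(d):]
            break
    else:
        rest = path if path.startswith("/") else cwd[len(drive):].rstrip("/") + "/" + path
    parts: list[str] = []
    for comp in rest.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise ValueError("path escapes the drive root")
            parts.pop()
        else:
            parts.append(comp)
    return drive + "/" + "/".join(parts)


def _parent_and_name(full: str) -> tuple[str, str]:
    parent, name = full.rsplit("/", 1)
    # the root directory keeps its trailing slash so "flash:/" compares equal to itself
    return (parent + "/" if parent.endswith(":") else parent), name


class Flash:
    """Minimal file store reproducing delete, undelete, dir /all and reset recycle-bin."""

    def __init__(self, cwd: str = "flash:/selftest"):
        self.cwd = resolve_path(cwd, cwd)
        self.files: dict[str, bytes] = {}
        # keyed by file name only: deleting two files with the same name from
        # different directories keeps only the last one deleted (as the text says)
        self.recycle: dict[str, tuple[str, bytes]] = {}

    def write(self, path: str, data: bytes = b"") -> None:
        self.files[resolve_path(self.cwd, path)] = data

    def delete(self, path: str, unreserved: bool = False) -> str:
        """delete [ /unreserved ] file: without /unreserved the file goes to the recycle bin."""
        full = resolve_path(self.cwd, path)
        data = self.files.pop(full)
        if not unreserved:
            self.recycle[_parent_and_name(full)[1]] = (full, data)
        return full

    def undelete(self, name: str) -> str:
        full, data = self.recycle.pop(name)
        self.files[full] = data
        return full

    def reset_recycle_bin(self) -> None:
        self.recycle.clear()

    def dir_all(self, directory: str | None = None) -> list[str]:
        """dir /all: live entries plus recycle-bin entries shown as [name]."""
        d = resolve_path(self.cwd, directory or self.cwd)
        names = [n for p in self.files for parent, n in [_parent_and_name(p)] if parent == d]
        names += [f"[{n}]" for n, (full, _) in self.recycle.items()
                  if _parent_and_name(full)[0] == d]
        return sorted(names)
```

A deletion done with unreserved=True never reaches the recycle dict, which is the model's way of expressing that such a file cannot be restored.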
Table 3-38 lists information about some files queried through the dir command.
Example
# Display information about all files and directories in the current directory.
<HUAWEI> dir /all
Directory of flash:/
Function
The dir and ls commands display all files or specified files that are stored on the FTP server,
and save them to a local disk.
Format
dir [ remote-filename [ local-filename ] ]
ls [ remote-filename [ local-filename ] ]
Parameters
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
l When you run the dir command, detailed file information is displayed, including the file
size, date when the file was created, whether the file is a directory, and whether the file
can be modified. When you run the ls command, only the file name is displayed.
l The dir command is used to save detailed file information, while the ls command is used
to save only the file name even if the file is specified and saved in a local directory.
Precautions
The wildcard (*) character can be used in commands dir and ls.
Example
# Display the name or detailed information about a file that is saved in the test directory.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] cd test
250 CWD command successful.
[ftp] dir
200 Port command okay.
150 Opening ASCII mode data connection for /test.
drwxrwxrwx 1 noone nogroup 0 Mar 23 16:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 10:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 10:38 backup1.txt
226 Transfer complete.
[ftp] ls
200 Port command okay.
150 Opening ASCII mode data connection for /test.
yourtest
backup.txt
backup1.txt
226 Transfer complete.
# Display the detailed information for the file temp.c, and save the displayed information in
file temp1.
[ftp] dir temp.c temp1
200 Port command okay.
150 Opening ASCII mode data connection for /temp.c.
[ftp] quit
# Display the name of file test.bat, and save the displayed information in file test.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] ls test.bat test
200 Port command okay.
150 Opening ASCII mode data connection for /test.bat.
[ftp] quit
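The dir output above is a Unix-style LIST, and the text notes that it tells you whether an entry is a directory and whether it can be modified, while ls gives only names. The following is an added example in Python, not code from the Huawei documentation: a parser for that listing, fed with the session captured above (reply-code lines included so the parser has to skip them), plus a check for files that any account on the server could overwrite.

```python
"""Parser for the Unix-style listing returned by the FTP dir command above.

Added example, not Huawei code. It turns the `dir` output into records so a
script can check what the listing tells you (directory or file, size, and
whether the entry is writable), and reproduces what `ls` shows (names only).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed from the `dir` output in the example session; reply-code lines kept on purpose.
SAMPLE_DIR_OUTPUT = """\
200 Port command okay.
150 Opening ASCII mode data connection for /test.
drwxrwxrwx 1 noone nogroup 0 Mar 23 16:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 10:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 10:38 backup1.txt
226 Transfer complete.
"""

LIST_RE = re.compile(
    r"^(?P<type>[-dl])(?P<perms>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<name>.+)$"
)


@dataclass
class Entry:
    name: str
    is_dir: bool
    size: int
    mtime: str
    owner_writable: bool   # 'w' in the owner triplet
    world_writable: bool   # 'w' in the "other" triplet: anyone on the server may modify it


def parse_list(text: str) -> list[Entry]:
    """Parse LIST lines; FTP reply lines (200/150/226) and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LIST_RE.match(line.rstrip())
        if not m:
            continue
        perms = m["perms"]
        entries.append(Entry(
            name=m["name"], is_dir=m["type"] == "d", size=int(m["size"]),
            mtime=m["mtime"], owner_writable=perms[1] == "w", world_writable=perms[7] == "w",
        ))
    return entries


def names_only(text: str) -> list[str]:
    """What the ls command prints for the same directory: just the names."""
    return [e.name for e in parse_list(text)]


def world_writable_files(text: str) -> list[str]:
    """Files (not directories) that any server account could overwrite."""
    return [e.name for e in parse_list(text) if e.world_writable and not e.is_dir]
```

The world-writable check is the reason to parse rather than eyeball the listing: a backup directory whose files are mode rwxrwxrwx, as in the sample, is something to raise with whoever runs that server.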
Format
dir [ -l | -a ] [ remote-directory ]
ls [ -l | -a ] [ remote-directory ]
Parameters
Parameter Description Value
-l: Displays detailed information about all files and directories in a specified directory. Value: -
-a: Displays names of all files and directories in a specified directory. Value: -
remote-directory: Specifies the name of a directory on the SFTP server. Value: a string of 1 to 128 case-sensitive characters without spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
The dir and ls commands are equivalent.
l If -l and -a parameters are not specified, detailed information about all files and
directories in a specified directory is displayed when you run the dir or ls command. The
effect is the same as the dir -l command output.
l By default, if the remote-directory parameter is not specified, the list of current directory
files is displayed when you run the dir or ls command.
Example
# Display a list of files in the test directory of the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> dir test
-rwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup1.txt
sftp-client> dir -a test
yourtest
backup.txt
backup1.txt
sftp-client> ls test
-rwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup1.txt
sftp-client> ls -a test
yourtest
backup.txt
backup1.txt
3.7.20 disconnect
Function
The disconnect command terminates the connection with the remote FTP server and displays
the FTP client view.
Format
disconnect
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
This command is equivalent to the close command.
To terminate the connection with the remote FTP server and return to the user view instead,
run the bye or quit command.
Example
# Terminate the connection with the remote FTP server and enter the FTP client view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] disconnect
[ftp]
Function
The display ftp client command displays the source IP address configured for the FTP client.
Format
display ftp client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
The default source IP address 0.0.0.0 is used if ftp client source is not configured.
Example
# Display the source IP address of the FTP client.
<HUAWEI> display ftp client
SrcIPv4Addr : 10.18.26.233
Format
display ftp server
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run this command to display FTP server parameter settings.
Example
# Display FTP server parameter settings.
<HUAWEI> display ftp server
Server state : Disabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Parameter Description
IPv6 listen port: Number of the listening port on the FTP IPv6 server. The default value is 21. If the value is not 21, you can run the ftp ipv6 server port command to configure the listening port number.
IPv6 ACL name: Name of the ACL for the IPv6 address. If no ACL is configured, the ACL name is unavailable. You can run the ftp ipv6 server acl acl-name command to change the ACL name.
Current user count: Number of users currently logged in to the FTP server.
Max user number: Maximum number of users allowed to log in to the FTP server. The default value is 15.
Function
The display ftp server ip auth-fail information command displays the information of the
FTP auth–failed IP addresses of user.
Format
display ftp server ip auth-fail information
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
The display ftp server ip auth-fail information command displays information about the IP
addresses that have failed FTP authentication. The command output includes the names of the
VPN instances to which the IP addresses belong, the IP address status, and the number of
authentication failures, so that IP addresses that fail FTP authentication are not accepted for
further invalid authentication attempts.
Example
# Display information about the IP addresses of all the clients that fail to pass FTP
authentication.
<HUAWEI> display ftp server ip auth-fail information
--------------------------------------------------------------------------------
IP Address      VPN Name      First Time Auth-fail      Auth-fail Count
--------------------------------------------------------------------------------
10.0.0.1        _public_      2016-09-05 11:19:28       1
--------------------------------------------------------------------------------
Table 3-43 Description of the display ftp server ip-block all command output
Item Description
Format
display ftp server ip-block list
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
To check information about client IP addresses that are locked because of FTP authentication
failures, run the display ftp server ip-block list command. The command output includes the
names of VPN instances to which the locked client IP addresses belong and the remaining
locking period.
Example
# Display information about client IP addresses that are locked because of FTP authentication
failures.
<HUAWEI> display ftp server ip-block list
--------------------------------------------------------------------------------
IP Address      VPN Name      UnBlock Interval (Seconds)
--------------------------------------------------------------------------------
10.0.0.1        _public_      294
--------------------------------------------------------------------------------
Table 3-44 Description of the display ftp server ip-block list command output
Item Description
Function
The display ftp server users command displays FTP user parameters on the FTP server.
Format
display ftp server users
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can check FTP user parameters on the FTP server, such as the FTP user name, IP address
of the client host, port number, idle duration, and the authorized directories.
Example
# Display FTP user parameters.
<HUAWEI> display ftp server users
User Name : root
Host Address : 10.18.26.139
Control Port : 20465
Idle Time (mins) : 1
Root Directory : flash:
Function
The display scp client command displays source parameters of the current SCP client.
Format
display scp client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display scp client command to check source parameters of the SCP client.
Example
# Display source parameters of the SCP client.
<HUAWEI> display scp client
The source address of SCP client is 10.1.1.1.
Item Description
The source address of SCP client is 10.1.1.1.: The source address of the SCP client. By default, the source address of the SCP client is 0.0.0.0.
Function
The display sftp client command displays the source IP address configured for the SFTP
client.
Format
display sftp client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display sftp client command to display the source IP address of the SFTP
client. The default source IP address 0.0.0.0 is used if sftp client-source is not configured.
Example
# Display the source IP address configured for the SFTP client.
<HUAWEI> display sftp client
The source address of SFTP client is 10.1.1.1.
Item Description
The source address of SFTP client is 10.1.1.1.: 10.1.1.1 is the source IP address of the SFTP client. You can run the sftp client-source command to configure the source IP address for the SFTP client. If an IP address has been configured for the source port, the message "The source interface of SFTP client is LoopBack0" is displayed.
Function
The display tftp client command displays the source IP address configured for the TFTP
client.
Format
display tftp client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display tftp client command to query source IP address of the TFTP client.
The default source IP address is 0.0.0.0 if tftp client source is not configured.
Example
# Display the source IP address configured for the TFTP client.
<HUAWEI> display tftp client
--------------------------------------------------------------------------------
ACL name :
ACL number :
IPv6 ACL name :
IPv6 ACL number :
Source IPv4 address : 0.0.0.0
--------------------------------------------------------------------------------
Item Description
ACL name: Name of the ACL that specifies the IPv4 addresses the TFTP client can access.
ACL number: Number of the ACL that specifies the IPv4 addresses the TFTP client can access.
IPv6 ACL name: Name of the ACL that specifies the IPv6 addresses the TFTP client can access.
IPv6 ACL number: Number of the ACL that specifies the IPv6 addresses the TFTP client can access.
3.7.29 execute
Function
The execute command executes a specified batch file or VRP Shell Languages (VSL) script.
Format
execute batch-filename [ parameter&<1-8> ]
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The commands in a batch file are run one by one. A batch file cannot contain any invisible
character. If an invisible character is detected, the execute command exits from the current
process and no rollback is performed.
NOTE
Whether a character is invisible is determined based on the ASCII character table. Characters whose
ASCII value ranges from 32 to 126 are visible (the ASCII value 32 is the space character). Other
characters are invisible.
The execute command does not ensure that all commands can be run. The execute command
is not hot backed up, and there is no restriction on the format or content of the commands.
Running the execute command is the same as running the commands one by one manually.
Precautions
l The commands in a batch file are run one by one. A batch file cannot contain invisible
characters (control characters or escape characters, such as \r, \n, and \b). If any invisible
character is detected, the execute command exits from the current process and no
rollback is performed.
l The execute command does not ensure that all commands can be run. If the system
encounters an incorrect or incomplete command, it displays the error and goes on to the
next command. The execute command does not perform a hot backup, and the command
format or content is not restricted.
l When the .bat file is a VSL script, the execute command runs the commands in the batch
file and configures the services specified by parameter at one time.
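Because execute stops at the first invisible character and performs no rollback, a batch file is best checked before it is copied to the device. The following is an added example in Python, not code from the Huawei documentation: it applies the visibility rule stated above (ASCII 32 to 126 visible, everything else invisible) line by line and reports the first offending byte. The sample files are constructed from the four-command test.bat described below; the assumption that the LF separating lines is a separator rather than content is this checker's, not the page's.

```python
"""Pre-check for batch files fed to the execute command.

Added example, not Huawei code. It applies the page's visibility rule (ASCII
32..126 is visible, everything else is not) to each line of a batch file so
the file can be rejected before execute aborts part-way with no rollback.
Assumption: the LF that separates lines is treated as a separator, not content.
"""
VISIBLE = range(32, 127)  # per the NOTE above: 32 (space) .. 126 ('~')


def find_invisible_characters(data: bytes) -> list:
    """Return (line_no, column, byte_value) for every byte outside ASCII 32..126."""
    findings = []
    for line_no, line in enumerate(data.split(b"\n"), start=1):
        for col, value in enumerate(line, start=1):
            if value not in VISIBLE:
                findings.append((line_no, col, value))
    return findings


def is_clean(data: bytes) -> bool:
    return not find_invisible_characters(data)


def check_batch_file(data: bytes) -> list:
    """Return the command list if the file is clean; otherwise raise ValueError."""
    bad = find_invisible_characters(data)
    if bad:
        line_no, col, value = bad[0]
        raise ValueError(f"invisible character 0x{value:02x} at line {line_no}, column {col}")
    return [ln for ln in data.decode("ascii").split("\n") if ln.strip()]


# Constructed samples. The clean one is the four-command test.bat from the example below;
# the other two are the same file saved with CRLF line endings and with a leading tab.
CLEAN_BAT = (b"system-view\naaa\n"
             b"local-user huawei password irreversible-cipher Helloworld@6789\ncommit\n")
CRLF_BAT = CLEAN_BAT.replace(b"\n", b"\r\n")
TAB_BAT = CLEAN_BAT.replace(b"\naaa\n", b"\n\taaa\n")
```

The CRLF case is the one that bites in practice: a file edited on Windows carries a 0x0d at the end of every line, which this check reports at line 1, column 12 of the sample.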
Example
# Execute the test.bat file in the directory flash:/. The test.bat file contains four commands:
system-view, aaa, local-user huawei password irreversible-cipher Helloworld@6789, and
commit.
<HUAWEI> system-view
[~HUAWEI] execute test.bat
[*HUAWEI] system-view
^
Error: Unrecognized command found at '^' position.
[*HUAWEI] aaa
[*HUAWEI-aaa] local-user huawei password irreversible-cipher Helloworld@6789
[*HUAWEI-aaa] commit
[~HUAWEI-aaa]
When the system runs the first command system-view in current system view, it displays an
error and continues to run the following commands.
The system displays the execution of a batch file in AAA view.
[~HUAWEI-aaa] display this
local-user huawei password irreversible-cipher $1c$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
3.7.30 ftp
Function
The ftp command connects the FTP client to the FTP server and enters the FTP client view.
Format
# Connect the FTP client to the FTP server based on the IPv4 address.
ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]
[ public-net | vpn-instance vpn-instance-name ] ]
# Connect the FTP client to the FTP server based on the IPv6 address.
ftp ipv6 host-ipv6 [ public-net | vpn-instance vpn-instance-name ] [ port-number | -oi
interface-type interface-number ]
Parameters
Parameter Description Value
-a source-ip-address: Specifies the source IP address that the FTP client uses for the connection. You are advised to use the loopback interface IP address. Value: dotted decimal notation.
host-ip: Specifies the IP address or host name of the remote IPv4 FTP server. Value: dotted decimal notation.
NOTE: You can run the display dns dynamic-host or display ip host command to view the mapping between the IP address and host name.
port-number: Specifies the port number of the FTP server. Value: an integer that ranges from 1 to 65535. The default value is the standard port number 21.
vpn-instance vpn-instance-name: Specifies the name of the VPN instance where the FTP server is located. Value: a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before accessing the FTP server on the FTP client, you must first run the ftp command to
connect the FTP client to the FTP server.
On an IPv4 network, the source IP address specified using the ftp command takes precedence
over the source IP address specified using the ftp client-source command. If the ftp
command is run after a source IP address has been specified using the ftp client-source
command, the source IP address specified using the ftp command is used for communication.
The source IP address specified using the ftp client-source command is available for all FTP
connections; the source IP address specified using the ftp command is available only for the
current FTP connection.
Prerequisites
An FTP connection can be established if the following conditions are met:
l FTP server function on a device is enabled by executing the ftp server enable command
on the FTP server to allow FTP users to log in.
l The FTP server and FTP client are routable.
Precautions
l When the -a or -i parameter is specified on an IPv4 network, you can use the source IP
address as the source or destination IP address in the ACL rule. This shields IP address
differences and the impact of interface status, filters incoming and outgoing packets, and
implements security authentication.
l You can run the set net-manager vpn-instance command to configure the NMS
management VPN instance before running the open command to connect the FTP client
and server.
– If public-net or vpn-instance is not specified, the FTP client accesses the FTP
server in the VPN instance managed by the NMS.
– If public-net is specified, the FTP client accesses the FTP server on the public
network.
– If vpn-instance vpn-instance-name is specified, the FTP client accesses the FTP
server in a specified VPN instance.
l If no parameter is set in the ftp command, only the FTP view is displayed, and no
connection is set up between the FTP server and client.
l If the FTP server uses a non-standard port number, you must specify that port number;
otherwise, the FTP server and client cannot be connected.
l When you run the ftp command, the system prompts you to enter the user name and
password for logging in to the FTP server. You can log in to the FTP server if the user
name and password are correct.
l If the number of login users exceeds the maximum value that the FTP server allows,
other authorized users cannot log in to the FTP server. To allow new authorized users to
log in to the FTP server, users who have completed their FTP operations must disconnect
their clients from the FTP server. You can run the bye or quit command to disconnect the
FTP client from the FTP server and return to the user view, or run the close or disconnect
command to disconnect the FTP client from the FTP server and remain in the FTP client
view.
Example
# Connect to the FTP server whose IP address is 10.137.217.201.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
Format
ftp [ ipv6 ] server acl { acl-number | acl-name }
undo ftp [ ipv6 ] server acl
Parameters
Parameter Description Value
ipv6: Specifies the IPv6 FTP server. Value: -
acl-number: Specifies the number of the ACL. Value: an integer that ranges from 2000 to 3999.
acl-name: Specifies the ACL name. Value: a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter or digit, and cannot contain only digits.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To ensure the security of an FTP server, configure an ACL for it that specifies which FTP
clients can access the current FTP server.
Precautions
If no rule is configured in the ACL, incoming and outgoing calls are not restricted after the
ftp server acl command is run.
The ftp server acl command takes effect only after you run the rule command to configure
the ACL rule.
The ftp server acl { acl-number | acl-name } command takes effect only for IPv4 clients.
Example
# Allow only the client permitted by ACL 2000 (source 10.10.10.1) to log in to the FTP server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ftp server acl 2000
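The two precautions above matter for how an ACL is read: the wildcard 0 in rule permit source 10.10.10.1 0 makes the rule match that one host, and an ACL that has been applied but has no rules restricts nothing. The following is an added example in Python, not code from the Huawei documentation: a small evaluator for a basic ACL as ftp server acl uses it. Wildcard semantics (a 1 bit means "don't care") and the empty-ACL behaviour come from the page; what happens when rules exist but none match is not stated on the page, so the model's default of deny in that case is an assumption.

```python
"""Evaluating the basic ACL that ftp server acl applies to IPv4 clients.

Added example, not Huawei code. It shows how a wildcard mask selects sources
and reproduces the precaution above: an ACL with no rules restricts nothing.
What happens when rules exist but none match is NOT stated on the page; this
model defaults to deny, which is an assumption you can override.
"""
from __future__ import annotations
import ipaddress


def _to_int(addr: str) -> int:
    # The CLI accepts the shorthand "0" for the wildcard 0.0.0.0 (exact host match).
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))


def wildcard_match(client_ip: str, source: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'don't care'; 0 bits must match exactly."""
    w = _to_int(wildcard)
    return (_to_int(client_ip) | w) == (_to_int(source) | w)


class BasicAcl:
    def __init__(self, number: int):
        if not 2000 <= number <= 3999:      # range accepted by ftp server acl
            raise ValueError("ACL number must be 2000-3999")
        self.number = number
        self.rules: list[tuple[str, str, str]] = []   # (action, source, wildcard)

    def rule(self, action: str, source: str, wildcard: str = "0") -> None:
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.rules.append((action, source, wildcard))

    def evaluate(self, client_ip: str, no_match: str = "deny") -> str:
        """Decide for one client. First matching rule wins."""
        if not self.rules:
            return "permit"   # page: no rule configured -> calls are not restricted
        for action, source, wildcard in self.rules:
            if wildcard_match(client_ip, source, wildcard):
                return action
        return no_match       # assumption, see module docstring


def example_from_page() -> BasicAcl:
    """acl 2000 / rule permit source 10.10.10.1 0 / ftp server acl 2000."""
    acl = BasicAcl(2000)
    acl.rule("permit", "10.10.10.1", "0")
    return acl
```

The empty-ACL case is the one worth a configuration check: after acl 2000 and ftp server acl 2000, the server is still open to every client until a rule is added.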
Function
The ftp client source command specifies the source IP address for the FTP client to send
packets.
The undo ftp client source command restores the default source IP address for the FTP client
to send packets.
The default source IP address for the FTP client to send packets is 0.0.0.0.
Format
ftp client source { -a source-ip-address | -i interface-type interface-number }
undo ftp client source
Parameters
Parameter Description Value
-a source-ip-address: Specifies the source IP address. You are advised to use the loopback interface IP address. Value: dotted decimal notation.
-i interface-type interface-number: Specifies the source interface, including the interface type and number. You are advised to use the loopback interface. The IP address configured for the source interface is the source IP address for sending packets. If no IP address is configured for the source interface, the FTP connection cannot be set up. Value: -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the router
specifies to send packets. The source IP address must be configured for an interface with
stable performance. The loopback interface is recommended. Using the loopback interface as
the source interface simplifies the ACL rule and security policy configuration. This shields
the IP address differences and interface status impact, filters incoming and outgoing packets,
and implements security authentication.
Precautions
l You can also run the ftp command to configure the source IP address whose priority is
higher than that of the source IP address specified by the ftp client source command. If
you specify the source IP addresses by running the ftp client source and ftp commands,
the source IP address specified by the ftp command is used for data communication and
is available only for the current FTP connection, while the source IP address specified by
the ftp client source command is available for all FTP connections.
l The IP address that the FTP server displays for a user is the specified source IP address
or the IP address of the source interface.
l After a bound source interface is deleted, the interface configuration specified using the
ssh server-source command is not cleared but does not take effect. If you configure a
source interface with the same name again, the interface configuration specified using
the ssh server-source command is updated and the function is restored.
l This command takes effect for IPv4 clients.
l If the specified source interface has been bound to a VPN instance, the client is
automatically bound to the same VPN instance.
Example
# Set the source IP address of the FTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] ftp client source -a 10.1.1.1
Format
# IPv4 address
ftp { put | get } [ -a source-ip-address | -i interface-type interface-number ] host-ip host-ip
[ port portnumber ] [ public-net | vpn-instance vpn-instance-name ] username username
sourcefile local-filename [ destination remote-filename ]
# IPv6 address
ftp { put | get } ipv6 host-ip host-ipv6 [ public-net | vpn-instance vpn-instance-name ]
[ port portnumber ] username username sourcefile local-filename [ destination remote-
filename ]
Parameters
Parameter Description Value
-a source-ip-address: Specifies the IP address for establishing the FTP connection. Value: dotted decimal notation.
-i interface-type interface-number: Specifies the interface for establishing the FTP connection. Value: -
NOTE: You can run the display dns dynamic-host or display ip host command to view the mapping between the IP address and host name.
host-ip host-ipv6: Specifies the IPv6 address or host name of the FTP server. Value: a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
NOTE: You can run the display dns dynamic-host or display ip host command to view the mapping between the IP address and host name.
vpn-instance vpn-instance-name: Specifies the name of a VPN instance. Value: the VPN must already exist.
username username: Specifies a user name. Value: a string of 1 to 255 case-insensitive characters that can contain letters, digits, and special characters.
sourcefile local-filename: Specifies the name of the source file to be uploaded or downloaded. Value: a string of 1 to 128 characters, which can contain digits, letters, and special characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the device only needs to upload files to or download files from the FTP server, you can use
this command to complete a file transfer at one time.
Prerequisites
Ensure that the VPN has been configured when you specify vpn-instance vpn-instance-name
in the command.
Precautions
l After this command is executed, the device (FTP client) establishes a connection with
the FTP server before starting the file transfer.
l If the FTP server listens on the default port, you do not need to specify the port
number; otherwise, specify the port number that the server uses.
l This command does not support resumable upload or download. If the uploading or
downloading process is interrupted due to a fault, the previously generated file (which
includes only part of the source file) will be replaced by a new file after the fault is
removed and the uploading or downloading task resumes.
Example
# Upload the source file sample.txt to the FTP server.
<HUAWEI> ftp put -a 10.1.1.10 host-ip 10.1.1.1 username huawei sourcefile sample.txt
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
331 Password required for huawei.
Enter password:
200 Type set to I.
200 Port command okay.
150 Opening BINARY mode data connection for /sample.txt.
/ 100% [***********]
226 Transfer complete.
# Upload the source file sample.txt to the FTP server 10.1.1.1 through an interface.
<HUAWEI> ftp put -i 10ge 1/0/1 host-ip 10.1.1.1 username huawei sourcefile sample.txt
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
331 Password required for huawei.
Enter password:
Format
ftp server default-directory directory
undo ftp server default-directory
Parameters
Parameter Description Value
directory: Specifies the default FTP working directory. Value: a string of 1 to 255 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the set default ftp-directory command to configure a default FTP working
directory for all FTP users at one time.
The command takes effect for both ipv4 and ipv6 users.
Precautions
l The ftp server default-directory command takes effect only when the device functions
as an FTP server and the user functions as an FTP client.
l You can run the local-user ftp-directory command to configure an authorized working
directory for a local user.
l If you have configured the FTP working directory by running the local-user ftp-
directory command, that FTP working directory is used.
l You can run the lcd command to view the working directory of FTP users.
l If no FTP working directory is specified on the device, FTP users cannot log in to the
device and are prompted that the working directory is unauthorized.
Example
# Set the default FTP working directory to flash:/.
<HUAWEI> system-view
[~HUAWEI] ftp server default-directory flash:/
Function
The ftp server enable command enables the FTP server function to allow FTP users to log in
to the FTP server.
The undo ftp server command disables the FTP server function so that FTP users cannot log
in to the FTP server.
Format
ftp [ ipv6 ] server enable
Parameters
Parameter Description Value
ipv6 Specifies the IPv6 FTP server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To manage FTP server files on a client, you must run the ftp server enable command to
enable the FTP server function to allow FTP users to log in to the FTP server.
Precautions
If the FTP server function is disabled, no user can log in to the FTP server, and users who
have logged in to the FTP server cannot perform any operation except logout.
The ftp server enable command enables the IPv4 function, whereas the ftp ipv6 server
enable command enables only the IPv6 function.
Example
# Enable the FTP server function.
<HUAWEI> system-view
[~HUAWEI] ftp server enable
Function
The ftp server ip-block disable command disables an FTP server from locking client ipv4
and ipv6 addresses.
The undo ftp server ip-block disable command enables an FTP server to lock client ipv4
and ipv6 addresses.
By default, an FTP server is enabled to lock client ipv4 and ipv6 addresses.
Format
ftp server ip-block disable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
If an FTP server is enabled to lock client IPv4 and IPv6 addresses, a client IP address is locked
when the number of FTP authentication failures reaches the upper limit within a specific period
of time. Locked client IP addresses fail authentication and are displayed in the display ftp
server ip-block list command output.
If an FTP server is disabled from locking client IP addresses, the display ftp server ip-block
list command does not display any client IP address that is locked because of authentication
failures.
IP addresses being locked are unlocked immediately after the FTP server is disabled from
locking client IP addresses.
You are advised to enable the FTP server to lock client IP addresses to ensure security.
Example
# Disable an FTP server from locking client IP addresses.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block disable
Function
The ftp server ip-block failed-times command sets the maximum number of consecutive
FTP authentication failures allowed within a specified period. When the number is reached,
the system locks the user's IP address.
The undo ftp server ip-block failed-times command restores the maximum number of
consecutive FTP authentication failures and the period in which they are counted to their
default values.
By default, a user's IP address is locked after 6 consecutive FTP authentication failures
within a period of 5 minutes.
Format
ftp server ip-block failed-times failed-times period period
undo ftp server ip-block failed-times
Parameters
Parameter      Description                                                 Value
failed-times   Specifies the maximum number of consecutive FTP            The value is an integer
               authentication failures before the user's IP address is    ranging from 1 to 10.
               locked.
Views
System view
Default Level
3: Management level
Usage Guidelines
To set the maximum number of consecutive authentication failures allowed within a specified
period, run the ftp server ip-block failed-times command. When the number is reached, the
system locks the user's IP address, which prevents that address from accessing the device
through FTP. The system automatically unlocks the IP address after the unlocking period set
by the ftp server ip-block reactive command expires. This improves device security by
slowing down online password guessing.
To manually unlock a user's IP address before that, run the activate ftp server ip-block
ip-address command.
Example
# Set the maximum number of consecutive authentication failures before the IP address of
user lockout to 3 and the period in which consecutive FTP authentication failures are counted
to 6 minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block failed-times 3 period 6
Function
The ftp server ip-block reactive command sets the period after which the system automatically
unlocks a locked user IPv4 or IPv6 address.
The undo ftp server ip-block reactive command restores the default period.
By default, the period is 5 minutes.
Format
ftp server ip-block reactive reactive-period
undo ftp server ip-block reactive
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
To set the period after which the system automatically unlocks a locked user IP address, run
the ftp server ip-block reactive command. A locked IP address cannot access the device
through FTP. The system automatically unlocks the IP address when the unlocking period
expires. A longer period slows password guessing further but also lengthens the lockout of a
legitimate user who mistyped a password, so choose it with that trade-off in mind.
To manually unlock a user's IP address before the period expires, run the activate ftp server
ip-block ip-address command.
Example
# Set the period after which the system automatically unlocks the IP address of user to 50
minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block reactive 50
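The lockout behaviour described for ftp server ip-block failed-times and ftp server ip-block reactive, modelled as an added Python example (not Huawei code, and not taken from this manual): failures from one source address are counted in a window of period minutes, reaching failed-times failures locks the address for reactive-period minutes, a manual activate clears the lock, and disabling ip-block releases every lock. The sliding-window counting and the reset of the count on a successful login are assumptions about the device's semantics; the replayed attempt log and its addresses are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class FtpIpBlock:
    """Per-source-address lockout state, modelled on the ip-block commands on this page.

    failed_times  consecutive failures within period_min minutes that trigger a lock (1..10)
    period_min    window in which failures are counted (ftp server ip-block failed-times ... period)
    reactive_min  minutes after which a locked address is unlocked automatically
                  (ftp server ip-block reactive)
    Time is a plain minute counter supplied by the caller so the example runs deterministically.
    Sliding-window counting and the reset on a successful login are assumptions, not device facts.
    """

    def __init__(self, failed_times: int = 6, period_min: int = 5, reactive_min: int = 5) -> None:
        if not 1 <= failed_times <= 10:                 # value range stated on the page
            raise ValueError("failed-times must be an integer from 1 to 10")
        self.failed_times = failed_times
        self.period_min = period_min
        self.reactive_min = reactive_min
        self.enabled = True                             # locking is on by default
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def disable(self) -> None:
        """ftp server ip-block disable: stop locking and release every locked address at once."""
        self.enabled = False
        self._locked_until.clear()
        self._failures.clear()

    def activate(self, ip: str) -> None:
        """Manual unlock, like activate ftp server ip-block ip-address."""
        self._locked_until.pop(ip, None)
        self._failures.pop(ip, None)

    def is_locked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                                # reactive period expired: auto-unlock
            del self._locked_until[ip]
            return False
        return True

    def locked_list(self, now: float) -> List[str]:
        """What display ftp server ip-block list would show at time now."""
        return sorted(ip for ip in list(self._locked_until) if self.is_locked(ip, now))

    def auth_attempt(self, ip: str, ok: bool, now: float) -> str:
        """Process one login attempt; returns accepted, failed, locked or rejected."""
        if self.is_locked(ip, now):
            return "rejected"                           # locked addresses fail authentication
        if ok:
            self._failures.pop(ip, None)                # a success ends the consecutive run
            return "accepted"
        if not self.enabled:
            return "failed"                             # not counted while locking is off
        window = self._failures[ip]
        window.append(now)
        while window and window[0] <= now - self.period_min:   # drop failures outside the window
            window.popleft()
        if len(window) >= self.failed_times:
            self._locked_until[ip] = now + self.reactive_min
            window.clear()
            return "locked"
        return "failed"


def replay(log: List[Tuple[str, bool, float]], policy: FtpIpBlock) -> List[str]:
    """Feed a chronological attempt log (ip, password_ok, minute) through the policy."""
    return [policy.auth_attempt(ip, ok, t) for ip, ok, t in log]


# Constructed log, replayed with the page's example settings: 3 failures in 6 minutes, 50-minute lock.
SAMPLE_LOG: List[Tuple[str, bool, float]] = [
    ("198.51.100.7", False, 0), ("198.51.100.7", False, 1), ("198.51.100.7", False, 2),
    ("198.51.100.7", True, 3),        # right password, but the address is locked
    ("198.51.100.9", False, 4), ("198.51.100.9", False, 11), ("198.51.100.9", False, 12),
    ("198.51.100.7", True, 53),       # 50 minutes after the lock: unlocked automatically
]


def demo() -> List[str]:
    return replay(SAMPLE_LOG, FtpIpBlock(failed_times=3, period_min=6, reactive_min=50))


if __name__ == "__main__":
    for (ip, ok, t), verdict in zip(SAMPLE_LOG, demo()):
        print("t=%3d %-14s password_ok=%-5s -> %s" % (t, ip, ok, verdict))
```

The second address in the log never locks: its first failure falls out of the 6-minute window before the third arrives, which is exactly the case the period parameter exists for, and a correct password from the locked first address is still rejected until the reactive period has run out.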
Function
The ftp server port command specifies the listening port number of the FTP server.
The undo ftp server port command restores the default value of the listening port number.
Format
ftp [ ipv6 ] server port port-number
Parameters
Parameter          Description                                    Value
ipv6               Specifies the IPv6 FTP server.                 -
port port-number   Specifies the listening port number of the     The value is 21 or an integer
                   FTP server.                                    ranging from 1025 to 65535.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
By default, the FTP server listens on port 21. Attackers routinely scan and probe the default
port, and a flood of connection or login attempts there wastes bandwidth, degrades server
performance, and can prevent authorized users from connecting. You can run the ftp [ ipv6 ]
server port command to move the server to another listening port and so reduce the volume of
such traffic. Note that this only hides the service from casual scanning; it is not an access
control, and login authentication and the ip-block lockout still provide the actual protection.
Without the ipv6 keyword, the command sets the listening port of the IPv4 FTP server; with it,
the listening port of the IPv6 FTP server.
Prerequisites
Before running the ftp [ ipv6 ] server port command to specify the listening port number,
you must first run the undo ftp server command to disable FTP services.
Precautions
• After the listening port number is changed, the FTP server disconnects all FTP
  connections and uses the new listening port.
• If the current listening port number is 21, FTP client users do not need to specify the port
  number when logging in to the FTP server. If the current listening port number is not 21,
  FTP client users must specify the FTP server's listening port number when logging in.
• After the listening port number is changed, you must run the ftp server enable
  command to enable FTP services again to make the configuration take effect.
Example
# Change the port number of the FTP server to 1028.
<HUAWEI> system-view
[~HUAWEI] undo ftp server
[*HUAWEI] ftp server port 1028
Function
The ftp server source command specifies the source address that the FTP server uses for its
connections, either directly as a source IP address or indirectly as a source interface.
The undo ftp server source command cancels the FTP server source configuration.
By default, no source IP address or source interface is specified for the FTP server; the
IPv4 source address of packets sent by the FTP server is 0.0.0.0 and the IPv6 source address
is ::, that is, the server accepts connections on any of the device's addresses.
Format
ftp server source { -a source-ip-address | -i interface-type interface-number }
undo ftp server source
Parameters
Parameter                            Description                                   Value
-a source-ip-address                 Specifies the source IP address for the       The value is in dotted decimal
                                     FTP server to send packets. A loopback        notation.
                                     interface address is recommended.
-i interface-type interface-number   Specifies the source interface for the        -
                                     FTP server to send packets. A loopback
                                     interface is recommended.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the FTP server sends packets with the source address of
the interface chosen by routing. Configure the source address on an interface with a stable
state, such as a loopback interface. Because a loopback interface stays up regardless of the
state of physical interfaces and its address does not change, using it as the source address
lets you write a single ACL rule or security policy entry for FTP traffic to and from the
device, independent of which physical interface carries the packets. That rule can then filter
incoming and outgoing packets and tie address-based checks to one fixed address.
Before specifying a loopback interface as the source interface of the FTP server, the loopback
interface must have been created; otherwise, the command fails.
Before specifying a VPN instance for the FTP server, the VPN instance must have been created;
otherwise, the command fails.
Precautions
• After a source IP address is specified for the FTP server, clients must connect to that IP
  address to log in to the FTP server.
• After the ftp server source command is run, only the specified IP address or the address
  of the specified loopback interface accepts FTP logins. The FTP service must be restarted
  for the configuration to take effect.
• If the ftp server source command is not configured, clients can log in to the FTP server
  through any IP address of the device.
• If the FTP service has been enabled, it is restarted automatically after the ftp server
  source command is executed, which interrupts existing FTP sessions.
• If the specified source interface has been bound to a VPN instance, the server is
  automatically bound to the same VPN instance.
• After a bound VPN instance is deleted, the VPN configuration specified using the ftp
  server source command is not cleared but no longer takes effect. In this case, the FTP
  server uses a public network IP address. If you configure a VPN instance with the same
  name again, the VPN binding takes effect again.
• After a bound source interface is deleted, the interface configuration specified using the
  ftp server source command is not cleared but no longer takes effect. If you create an
  interface with the same name again, the source interface configuration is updated and takes
  effect again.
Example
# Set the source interface of the FTP server to LoopBack0.
<HUAWEI> system-view
[~HUAWEI] ftp server source -i loopback0
Warning: To make the server source configuration take effect, the FTP server will
be restarted. Continue? [Y/N]: y
Info: Succeeded in setting the source interface of the FTP server to LoopBack0.
Info: Succeeded in starting the FTP server.
Function
The ftp server timeout command sets the idle timeout duration of FTP connections.
The undo ftp server timeout command restores the default idle timeout duration.
Format
ftp [ ipv6 ] server timeout minutes
undo ftp [ ipv6 ] server timeout
Parameters
Parameter   Description                          Value
ipv6        Specifies the IPv6 FTP server.       -
minutes     Specifies the idle timeout           The value is an integer that ranges from 1 to
            duration.                            35791, in minutes.
Views
System view
Default Level
3: Management level
Usage Guidelines
After a user logs in to the FTP server, a connection exists between the FTP server and the
user's client. The idle timeout duration makes the server release that connection when the
connection has been interrupted or when the user performs no operation for the specified time,
so that abandoned sessions do not keep a login open on the server. Keep the value short
relative to the 35791-minute maximum: an idle session left open on a shared terminal is a
session someone else can reuse.
Without the ipv6 keyword, the command applies only to IPv4 connections; with it, only to IPv6
connections.
Example
# Set the idle timeout duration to 36 minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server timeout 36
Function
The get command downloads a file from the remote SFTP server to the local device.
Format
get remote-filename [ local-filename ]
Parameters
Parameter         Description                                   Value
remote-filename   Specifies the name of the file to be          The value is a string of 1 to 128 case-
                  downloaded from the SFTP server. The          sensitive characters without spaces.
                  remote-filename must already exist.
local-filename    Specifies the name under which the            The value is a string of 1 to 128 case-
                  downloaded file is saved on the local         sensitive characters without spaces.
                  device.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the get command to download files from the SFTP server, for example to upgrade
devices.
Precautions
• If local-filename is not specified, the file is saved on the local device under its original
  name.
• If the name of the downloaded file is the same as that of an existing local file, the system
  prompts you to confirm whether to overwrite the existing file.
Example
# Download a file from the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> get test.txt
Remote file: / test.txt ---> Local file: test.txt
Downloading the file. Please wait.../
Downloading file successfully ended.
File download is completed in 1 seconds.
Function
The get command downloads a file from the remote FTP server to the local device.
Format
get remote-filename [ local-filename ]
Parameters
Parameter         Description                                   Value
remote-filename   Specifies the name of the file to be          The value is a string of 1 to 128 case-
                  downloaded from the FTP server. The           sensitive characters without spaces.
                  remote-filename must already exist.
local-filename    Specifies the name under which the            The value is a string of 1 to 128 case-
                  downloaded file is saved on the local         sensitive characters without spaces.
                  device.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the get command to download system software, backup configuration files, and
patch files from the FTP server, for example to upgrade devices.
Precautions
• If local-filename is not specified, the file is saved on the local device under its original
  name.
• If the name of the downloaded file is the same as that of an existing local file, the system
  prompts you to confirm whether to overwrite the existing file.
• FTP does not authenticate the server or protect the transfer from tampering. Before using a
  downloaded system software or patch file for an upgrade, compare its size and digest with
  the values published for that file.
Example
# Download the system software devicesoft.cc from the FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] get devicesoft.cc
200 Port command okay.
150 Opening ASCII mode data connection for /devicesoft.cc.
\ 6482944 bytes transferred
226 Transfer complete.
FTP: 6482944 byte(s) received in 54.500 second(s) 1117.40Kbyte(s)/sec.
Format
help [ command-name ]
Parameters
Parameter      Description                                       Value
command-name   Displays the format and parameters of a           The value is a string of 1 to 255
               specified command in the SFTP client view.        characters.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the help command to obtain the help information and display all commands or a
command format in the SFTP client view.
Precautions
If you specify no parameter when running the help command, all commands in the SFTP
client view are displayed.
Example
# Display the format of the command get.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> help get
get Remote file name STRING<1-128> [Local file name STRING<1-128>] Download
file
Default local file name is the same with remote file.
3.7.45 lcd
Function
The lcd command displays and changes the local working directory of the FTP client in the
FTP client view.
Format
lcd [ local-directory ]
Parameters
Parameter         Description                           Value
local-directory   Specifies the local working           The value is a string of 1 to 128 case-
                  directory of the FTP client.          sensitive characters without spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the lcd command to display the local working directory of the FTP client, which
is the directory that uploads are read from and downloads are written to, and to change that
directory.
Precautions
The lcd command displays the local working directory of the FTP client, while the pwd
command displays the working directory on the FTP server. If you specify local-directory in
the lcd command, the local working directory is changed directly in the FTP client view.
Example
# Change the local working directory to flash:/test.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] lcd
The current local directory is flash:/.
[ftp] lcd flash:/test/
The current local directory is flash:/test/.
3.7.46 mget
Function
The mget command downloads multiple files from the remote FTP server to the local device.
Format
mget remote-filenames
Parameters
Parameter          Description                                           Value
remote-filenames   Specifies the files to download to the local          The value is a string of 1 to
                   device. File names are separated by spaces,           254 characters.
                   and the wildcard (*) is supported.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the mget command to download multiple files at the same time.
Precautions
If the name of a downloaded file is the same as that of an existing local file, the system
prompts you whether to overwrite the existing file.
Example
# Download files 1.txt, 2.txt, and vrp221.cfg from the remote FTP server.
<HUAWEI> ftp 10.10.10.1
Trying 10.10.10.1 ...
Press CTRL+K to abort
Connected to 10.10.10.1.
220 FTP service ready.
User(10.10.10.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
Function
The mkdir command creates a directory on the remote FTP server.
Format
mkdir remote-directory
Parameters
Parameter          Description               Value
remote-directory   Specifies the directory   The value is a string of case-sensitive characters
                   to be created.            without spaces. The absolute path length ranges
                                             from 1 to 128 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
• You can run the mkdir command to create a subdirectory in a specified directory; the
  subdirectory name must be unique within that directory.
• If no path is specified, the subdirectory is created in the current working directory on the
  FTP server.
• The created directory is stored on the FTP server.
Example
# Create a directory test on the remote FTP server.
<HUAWEI> ftp 172.16.104.110
Trying 172.16.104.110 ...
Press CTRL+K to abort
Connected to 172.16.104.110.
220 FTP service ready.
User(172.16.104.110:(none)):huawei
331 Password required for huawei
Enter password:
230 User logged in.
[ftp] mkdir test
257 "test" new directory created.
Function
The mkdir command creates a directory on the remote SFTP server.
Format
mkdir remote-directory
Parameters
Parameter Description Value
remote-directory Specifies the directory to The value is a string of case-sensitive
be created. characters without spaces. The absolute path
length ranges from 1 to 128.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
• You can run the mkdir command to create a subdirectory in a specified directory; the
  subdirectory name must be unique within that directory.
• If no path is specified, the subdirectory is created in the current working directory on the
  SFTP server.
• The created directory is stored on the SFTP server.
• After a directory is created, you can run the dir/ls (SFTP client view) command to view
  the directory.
Example
# Create a directory on the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> mkdir ssh
Info: Succeeded in creating a directory.
Function
The mkdir command creates a directory in the current storage device.
Format
mkdir directory
Parameters
Parameter   Description                                                 Settings
directory   Specifies the directory to create, as an absolute path
            or as a path relative to the root directory or to the
            current working directory.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The path can be an absolute path or a relative path. A relative path can be relative either to
the root directory of the storage device or to the current working directory. A relative path
beginning with a slash (/) is relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
If only the subdirectory name is specified, the subdirectory is created in the current working
directory. You can run the pwd command to query the current working directory. If both the
directory path and the subdirectory name are specified, the subdirectory is created in the
specified directory.
Precautions
• The subdirectory name must be unique in a directory; otherwise, the message "Error:
  Directory with same name already exists" is displayed.
• A maximum of eight directory levels are supported when you create a directory.
Example
# Create the subdirectory new in the flash card.
<HUAWEI> mkdir flash:/new
Info: Create directory flash:/new......Done.
3.7.50 more
Function
The more command displays the content of a specified file.
Format
more filename [ offset ]
Parameters
Parameter   Description            Value
filename    Specifies the file     An absolute path name is a string of 1 to 255 characters. A
            name.                  relative path name is a string of 1 to 128 case-sensitive
                                   characters without spaces, in the [ drive ] [ path ] file name
                                   format. Up to 8 levels of directories are supported. When
                                   quotation marks are used around the string, spaces are
                                   allowed in the string.
                                   In the preceding format, drive specifies the storage device
                                   name, and path specifies the directory and subdirectory. You
                                   are advised to add : and / between the storage device name
                                   and the directory. The characters ? ~ * / \ : ' " | < > [ ]
                                   cannot be used in a directory name.
offset      Specifies the file     The value is an integer that ranges from 0 to 2147483647, in
            offset.                bytes.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the more command to display the content of a file directly on the device.
• The following describes the drive name.
  – drive is the storage device and is named flash:.
  – If devices are stacked, drive can be named as follows:
    · flash: root directory of the flash memory of the master switch in the stack.
    · chassis ID#flash: root directory of the flash memory on a member device in the stack.
      For example, slot2#flash: indicates the flash memory of the device in slot 2.
• The path can be an absolute path or a relative path. A relative path can be relative either
  to the root directory or to the current working directory. A relative path beginning with a
  slash (/) is relative to the root directory.
  – flash:/my/test/ is an absolute path.
  – /selftest/ is a path relative to the root directory and indicates the selftest directory in
    the root directory.
  – selftest/ is a path relative to the current working directory and indicates the selftest
    directory in the current working directory.
Precautions
• Do not use this command to display non-text files: the terminal session may hang or show
  garbled characters. This does not harm the device itself.
• Files are displayed as text.
• You can control what is displayed through the parameters of the more command:
  – more filename displays the specified text file on multiple screens. Press the spacebar
    repeatedly in the current session to page through the whole file. Paging takes place only
    if both of the following are true:
    · The number of lines that can be displayed on a terminal screen is greater than 0. (This
      number is set by running the screen-length command.)
    · The total number of lines in the file is greater than the number of lines that can be
      displayed on a terminal screen.
  – more filename offset displays the specified text file starting from byte offset, again on
    multiple screens that you page through with the spacebar. Paging takes place only if both
    of the following are true:
    · The number of lines that can be displayed on a terminal screen is greater than 0. (This
      number is set by running the screen-length command.)
    · The number of lines in the file after offset is greater than the number of lines that
      can be displayed on a terminal screen.
Example
# Display the content of the file test.bat.
<HUAWEI> more test.bat
rsa local-key-pair create
user-interface vty 12 14
authentication-mode aaa
protocol inbound ssh
user privilege level 5
commit
quit
ssh user sftpuser authentication-type password
ssh user sftpuser service-type all
sftp server enable
commit
# Display the content of the file log.txt and set the offset to 100.
<HUAWEI> more log.txt 100
: CHINA HUAWEI TECHNOLOGY LIMITTED CO.,LTD
# FILE NAME: Product Adapter File(PAF)
# PURPOSE: MAKE VRPV5 SUITABLE FOR DIFFERENT PRODUCT IN LIB
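The path rules that the local mkdir and more commands above share (the flash: and chassis ID#flash: drive names, absolute paths, root-relative and cwd-relative paths, the eight-level limit, the characters the more parameter table lists as not allowed in a directory name, and mkdir's duplicate-name error), as an added Python example. This is not device code and not part of this manual; the handling of .. components is an added check of my own that the page does not describe, and the sample paths are constructed.

```python
import re
from typing import List, Set, Tuple

# "flash:" or "<chassis ID>#flash:" (for example slot2#flash:), as described for stacked devices.
DRIVE_RE = re.compile(r"^((?:\w+#)?flash:)(.*)$")
# Characters the manual lists as not allowed in a directory name.
FORBIDDEN = set("?~*/\\:'\"|<>[]")
MAX_LEVELS = 8


def _split(path: str) -> Tuple[str, str]:
    """Return (drive, remainder); drive is '' when the path carries none."""
    m = DRIVE_RE.match(path)
    return (m.group(1), m.group(2)) if m else ("", path)


def resolve(path: str, cwd: str) -> str:
    """Resolve path against cwd into canonical 'drive:/dir/.../' form, enforcing the page's rules."""
    cwd_drive, cwd_rest = _split(cwd)
    if not cwd_drive:
        raise ValueError("cwd must start with a drive, e.g. flash:/")
    drive, rest = _split(path)
    if drive:                                 # absolute: flash:/my/test/
        parts: List[str] = []
    elif rest.startswith("/"):                # relative to the drive root: /selftest/
        drive, parts = cwd_drive, []
    else:                                     # relative to the working directory: selftest/
        drive, parts = cwd_drive, [p for p in cwd_rest.split("/") if p]
    for comp in rest.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":                      # added traversal check, not described on the page
            if not parts:
                raise ValueError("path escapes the drive root: %r" % path)
            parts.pop()
            continue
        bad = FORBIDDEN.intersection(comp)
        if bad:
            raise ValueError("illegal character(s) %s in %r" % ("".join(sorted(bad)), comp))
        parts.append(comp)
    if len(parts) > MAX_LEVELS:
        raise ValueError("more than %d directory levels in %r" % (MAX_LEVELS, path))
    return drive + "/" + "".join(p + "/" for p in parts)


def plan_mkdir(path: str, cwd: str, existing: Set[str]) -> str:
    """Validate a local mkdir target: resolve it and refuse a name that already exists."""
    target = resolve(path, cwd)
    if target in existing:
        raise FileExistsError("Error: Directory with same name already exists")
    return target


if __name__ == "__main__":
    # Constructed inputs mirroring the page's examples.
    for p in ("flash:/my/test/", "/selftest/", "selftest/", "new", "slot2#flash:/logs"):
        print("%-18s -> %s" % (p, resolve(p, "flash:/my/")))
    for bad in ("a/b/c/d/e/f/g/h/i", "../..", "bad?name"):
        try:
            resolve(bad, "flash:/my/")
        except ValueError as err:
            print("rejected:", err)
```

The canonical form that resolve returns is what you should compare against an allow-list or an existing-directory set, never the raw user string: the same directory can be spelled three ways on this device, and a check on the spelling is easily bypassed by one of the other two.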
3.7.51 move
Function
The move command moves the source file from a specified directory to a destination
directory.
Format
move source-filename destination-filename
Parameters
Parameter              Description                                        Settings
source-filename        Specifies the name, with its path, of the file
                       to be moved.
destination-filename   Specifies the destination directory and file
                       name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
• drive is the storage device and is named flash:.
• If devices are stacked, drive can be named as follows:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a member device in the stack.
    For example, slot2#flash: indicates the flash memory of the device in slot 2.
The path can be an absolute path or a relative path. A relative path can be relative either to
the root directory or to the current working directory. A relative path beginning with a
slash (/) is relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
Precautions
• The move and copy commands have different effects:
  – The move command moves the source file to the destination directory, so the file no
    longer exists at its original location.
  – The copy command copies the source file to the destination directory and leaves the
    original in place.
Example
# Move the file test from the root directory to the directory new.
<HUAWEI> move test new/
Warning: Move file flash:/test to flash:/new/test? [Y/N]:y
100% complete
Info: Move file flash:/test to flash:/new/test...Done.
3.7.52 mput
Function
The mput command uploads multiple files from the local device to the remote FTP server.
Format
mput local-filenames
Parameters
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the mput command to upload multiple files to the remote FTP server at the same
time, which is especially useful in an upgrade scenario.
The system prompts you for confirmation before each file is transferred. You can disable the
prompt by running the undo prompt command.
Precautions
If the name of an uploaded file is the same as that of an existing file on the FTP server, the
system overwrites the existing file without asking.
Example
# Upload two local files 111.text and vrp222.cfg to the remote FTP server.
<HUAWEI> ftp 10.10.10.1
Trying 10.10.10.1 ...
Press CTRL+K to abort
Connected to 10.10.10.1.
220 FTP service ready.
User(10.10.10.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
3.7.53 open
Function
The open command connects the FTP client and server.
Format
# Connect the FTP client to the FTP server based on the IPv4 address.
# Connect the FTP client to the FTP server based on the IPv6 address.
Parameters
Parameter              Description                                         Value
-a source-ip-address   Specifies the source IP address that the FTP       -
                       client uses to connect to the server. You are
                       advised to use a loopback interface IP address.
host-ip                Specifies the IP address or host name of the       The IPv4 address is in dotted
                       remote IPv4 FTP server.                            decimal notation. The host name
                       NOTE: You can run the display dns dynamic-host     is a string of 1 to 255
                       or display ip host command to view the mapping     characters.
                       between the IP address and host name.
host-ipv6              Specifies the IP address or host name of the       The IPv6 address is a 32-digit
                       remote IPv6 FTP server.                            hexadecimal number in the
                       NOTE: You can run the display dns dynamic-host     X:X:X:X:X:X:X:X format. The
                       or display ip host command to view the mapping     host name is a string of 1 to 255
                       between the IP address and host name.              characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the open command in the FTP client view to connect the FTP client to the server
in order to transfer files and manage files and directories on the FTP server.
Precautions
• You can also run the ftp command in the user view to connect the FTP client to the server
  and enter the FTP client view in one step.
• When the -a or -i parameter is specified on an IPv4 network, the client's source address is
  fixed, so you can reference it as the source or destination address in the ACL rule on the
  server side. This makes the rule independent of physical interface addresses and states,
  lets you filter incoming and outgoing packets precisely, and gives the server one stable
  address for address-based checks.
• You can run the set net-manager vpn-instance command to configure the NMS
  management VPN instance before running the open command to connect the FTP client
  and server.
  – If neither public-net nor vpn-instance is specified, the FTP client accesses the FTP
    server in the VPN instance managed by the NMS.
  – If public-net is specified, the FTP client accesses the FTP server on the public
    network.
  – If vpn-instance vpn-instance-name is specified, the FTP client accesses the FTP
    server in the specified VPN instance.
• If the FTP server listens on a port other than the standard port 21, you must specify that
  port number when connecting; otherwise, the FTP client and server cannot be connected.
• When you run the open command, the system prompts you to enter the user name and
  password for logging in to the FTP server. If they are correct, you are logged in to the
  FTP server and remain in the FTP client view.
Example
# Connect the FTP client with the FTP server whose IP address is 10.137.217.204.
<HUAWEI> ftp
[ftp] open 10.137.217.204
Trying 10.137.217.204 ...
Press CTRL + K to abort
Connected to 10.137.217.204.
220 FTP service ready.
User(10.137.217.204:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
# Connect the FTP client with the FTP server whose IP address is fc00:2001:db8::1.
<HUAWEI> ftp
[ftp] open ipv6 fc00:2001:db8::1
Trying fc00:2001:db8::1 ...
Press CTRL + K to abort
Connected to fc00:2001:db8::1
220 FTP service ready.
User(fc00:2001:db8::1:(none)):huawei
331 Password required for huawei
Enter Password:
230 User logged in.
[ftp]
3.7.54 passive
Function
The passive command sets the data transmission mode to passive.
The undo passive command sets the data transmission mode to active.
By default, the data transmission mode is active.
Format
passive
undo passive
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
The device supports the active and passive data transmission modes. FTP uses a separate data
connection for each transfer. In active mode, the client opens a port, announces it to the
server over the control connection, and the server initiates the data connection back to the
client, so both the client and the server must open and listen on a port. In passive mode, the
server opens a port and announces it, and the client initiates the data connection, so only the
server needs to listen on a port. This command is used together with a firewall. When a
firewall (or NAT) in front of the client drops inbound connections that the client did not
initiate, FTP data connections between internal clients and external FTP servers fail in
active mode, because the server's connection back to the client is blocked. In passive mode
the client initiates both the control and the data connection, so FTP connections between
internal clients and external FTP servers are not restricted.
Example
# Set the data transmission mode to passive.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] passive
Info: Succeeded in switching passive on.
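Why active mode trips a client-side firewall is easiest to see on the wire. The following added Python example (not device code and not from this manual) encodes the PORT command a client sends in active mode, parses the 227 reply a server sends to PASV in passive mode (both as defined in RFC 959), and reports which side initiates the data connection. The addresses are constructed for the example, and the refusal of a PASV reply that points at a host other than the control-connection peer is a hardening check common in FTP clients, not behaviour this page states.

```python
import re
from typing import Dict, Tuple

# The 227 reply to PASV and the PORT command both carry h1,h2,h3,h4,p1,p2 (RFC 959): port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def _endpoint(groups: Tuple[str, ...]) -> Tuple[str, int]:
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_port_command(host: str, port: int) -> str:
    """Active mode: the client tells the server which client address/port to connect back to."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted-decimal address required: %r" % host)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d\r\n" % (",".join(octets), port // 256, port % 256)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Server side of active mode: recover the client endpoint from a PORT command."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _endpoint(m.groups())


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Client side of passive mode: recover the server endpoint from the 227 reply to PASV."""
    m = PASV_RE.match(reply.rstrip("\r\n"))
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _endpoint(m.groups())


def plan_data_connection(mode: str, client_ip: str, server_ip: str,
                         client_data_port: int = 0, pasv_reply: str = "") -> Dict[str, object]:
    """Describe the data connection as a firewall between client and server would see it."""
    if mode == "active":
        line = encode_port_command(client_ip, client_data_port)
        host, port = parse_port_command(line)
        return {"initiator": "server", "from": server_ip, "to": (host, port), "control": line.strip()}
    if mode == "passive":
        host, port = parse_pasv_reply(pasv_reply)
        # Hardening check found in common FTP clients (not stated on this page): refuse a 227 reply
        # that would send the data connection to a host other than the control-connection peer.
        if host != server_ip:
            raise ValueError("PASV reply points at %s but the control peer is %s" % (host, server_ip))
        return {"initiator": "client", "from": client_ip, "to": (host, port), "control": pasv_reply.strip()}
    raise ValueError("mode must be 'active' or 'passive'")


def blocked_by_client_firewall(plan: Dict[str, object], inbound_allowed: bool) -> bool:
    """A firewall in front of the client that drops unsolicited inbound connections breaks only active mode."""
    return plan["initiator"] == "server" and not inbound_allowed


if __name__ == "__main__":
    # Constructed endpoints: client 192.0.2.10 behind a firewall, server 198.51.100.5.
    active = plan_data_connection("active", "192.0.2.10", "198.51.100.5", client_data_port=1028)
    passive = plan_data_connection("passive", "192.0.2.10", "198.51.100.5",
                                   pasv_reply="227 Entering Passive Mode (198,51,100,5,195,80).")
    for name, plan in (("active", active), ("passive", passive)):
        print(name, plan["control"], "->", plan["initiator"], "connects to", plan["to"],
              "blocked:", blocked_by_client_firewall(plan, inbound_allowed=False))
```

The "200 Port command okay." line in the get and put transcripts above is the server acknowledging exactly such a PORT command, which is why those transfers need the server to reach the client; running passive first makes the client open the data connection instead.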
3.7.55 prompt
Function
The prompt command enables the prompt function when files are transmitted between the
FTP client and server.
The undo prompt command disables the prompt function.
By default, the prompt function is disabled.
Format
prompt
undo prompt
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can enable the prompt function as required when transmitting files between the FTP
client and server, so that each transfer of a multi-file operation is confirmed interactively.
Precautions
• The prompt function affects the put, mput, get, and mget commands.
• The prompt function only confirms uploads and downloads; it does not change how existing
  files are handled:
  – When you run the put or mput command, the system always overwrites an existing file on
    the FTP server that has the same name as the uploaded file.
  – When you run the get or mget command, the system always prompts you whether to
    overwrite an existing local file in the specified directory that has the same name as
    the downloaded file.
Example
# Enable the FTP message prompt function.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] prompt
Info: Succeeded in switching prompt on.
Function
The put command uploads a local file to the remote FTP server.
Format
put local-filename [ remote-filename ]
Parameters
Parameter         Description                             Value
local-filename    Specifies the local file name on        The value is a string of 1 to 128 case-
                  the FTP client.                         sensitive characters without spaces. The
                                                          local-filename must already exist.
remote-filename   Specifies the name of the file to       The value is a string of 1 to 128 case-
                  be uploaded to the remote FTP           sensitive characters without spaces.
                  server.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the put command to upload a local file to the remote FTP server for later
inspection or as a backup. For example, you can upload a local log file to the FTP server for
other users to inspect, or upload the configuration file to the FTP server as a backup before
upgrading the device.
Precautions
• If remote-filename is not specified, the file is saved on the FTP server under its local
  file name.
• If the name of the uploaded file is the same as that of an existing file on the FTP server,
  the system overwrites the existing file without asking.
• The configuration file contains credentials and other sensitive settings, and the FTP
  transfer is unencrypted. Upload it only to a server on a trusted management network, or
  use the SFTP put command instead.
Example
# Upload the configuration file vrpcfg.zip to the remote FTP server as a backup, and save it
as backup.zip.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] put vrpcfg.zip backup.zip
200 Port command okay.
150 Opening ASCII mode data connection for /backup.zip.
/ 100% [***********]
Function
The put command uploads a local file to a remote SFTP server.
Format
put local-filename [ remote-filename ]
Parameters
Parameter Description Value
local-filename: Specifies a local file name on the SFTP client. Value: a case-sensitive character string without spaces. The file name (including the absolute path) contains 1 to 128 characters. The local-filename must already exist.
remote-filename: Specifies the name of the file uploaded to the remote SFTP server. Value: a case-sensitive character string without spaces. The file name (including the absolute path) contains 1 to 128 characters.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command enables you to upload files from the local device to a remote SFTP server to
view the file contents or back up the files. For example, you can upload log files of a device to
an SFTP server and view the logs in the server. During an upgrade, you can upload the
configuration file of the device to the SFTP server for backup.
Precautions
l If remote-filename is not specified, the uploaded file is saved on the remote SFTP server
with the original file name.
l If the specified remote-filename is the same as an existing file name on the SFTP server,
the uploaded file overwrites the existing file on the server.
Example
# Upload a file to the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> put wm.cfg
Local file: wm.cfg ---> Remote file: /wm.cfg
Uploading the file. Please wait...\
Uploading file successfully ended.
File upload is completed in 0 seconds.
Function
The pwd command displays the FTP client's working directory on the remote FTP server.
Format
pwd
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
After logging in to the FTP server, you can run the pwd command to display the FTP client's
working directory on the remote FTP server.
If the displayed working directory is incorrect, you can run the cd command to change the
FTP client's working directory on the remote FTP server.
Example
# Display the FTP client's working directory on the remote FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] pwd
257 "/" is current directory.
Function
The pwd command displays the SFTP client's working directory on the remote SFTP server.
Format
pwd
Parameters
None
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
After logging in to the SFTP server, you can run the pwd command to display the SFTP
client's working directory on the remote SFTP server.
If the displayed working directory is incorrect, you can run the cd command to change the
SFTP client's working directory on the remote SFTP server.
Example
# Display the SFTP client's working directory on the remote SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> pwd
Current directory is:
/
sftp-client> cd test
Current directory is:
/test
sftp-client> pwd
Current directory is:
/test
Function
The pwd command displays the current working directory.
Format
pwd
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
You can run the pwd command in any directory to display the current working directory. To
change the current working directory, you can run the cd command.
Example
# Display the current working directory.
<HUAWEI> pwd
flash:/test/
3.7.61 remotehelp
Function
The remotehelp command displays the help information about an FTP command when the
FTP client and server are connected.
Format
remotehelp [ command ]
Parameters
Parameter Description Value
command Specifies the FTP command. The value is a string of 1 to 16 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
You can run the remotehelp command to display the help information about an FTP
command.
l The help information is provided by the remote server. Different remote servers may
provide different help information for an FTP command.
l The following protocol commands support help information.
NOTE
Example
# Display the syntax of the command cdup.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] remotehelp
214-The following commands are recognized (Commands marked with '*' are unimplem
ented).
USER PASS ACCT* CWD CDUP SMNT* QUIT REIN*
PORT PASV TYPE STRU* MODE* RETR STOR STOU*
APPE ALLO* REST* RNFR RNTO ABOR DELE RMD
MKD PWD LIST NLST SITE* SYST STAT* HELP
NOOP* XCUP XCWD XMKD XPWD XRMD EPSV EPRT
FEAT*
214 Direct comments to Huawei Tech.
[ftp] remotehelp cdup
214 Syntax: CDUP <change to parent directory>.
Format
remove remote-filename &<1-10>
Parameters
Parameter Description Value
remote-filename: Specifies the name of the file to be deleted from the remote SFTP server. Value: a string of 1 to 128 case-sensitive characters without spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
l You can specify a maximum of 10 file names in one command, separated by spaces, to
delete them at one time.
l If the file to be deleted is not in the current directory, you must specify the file path.
Example
# Delete the file 3.txt from the server and backup1.txt from the test directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> remove 3.txt test/backup1.txt
Warning: Are sure to remove these files? [Y/N]:y
Info: Succeeded in removing the file: /3.txt.
Info: Succeeded in removing the file: /test/backup1.txt.
Function
The rename command renames a file or directory stored on the SFTP server.
Format
rename old-name new-name
Parameters
Parameter Description Value
old-name: Specifies the name of a file or directory. Value: a string of 1 to 128 case-sensitive characters without spaces. The old-name must already exist.
new-name: Specifies the new name of the file or directory. Value: a string of 1 to 128 case-sensitive characters without spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
You can run the rename command to rename a file or directory.
Example
# Rename the directory yourtest on the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> rename test/yourtest test/test
Warning: Rename /test/yourtest to /test/test? [Y/N]:y
Info: Succeeded in renaming file.
sftp-client> cd test
Current directory is:
/test
sftp-client> dir
drwxrwxrwx 1 noone nogroup 0 Mar 29 22:44 .
drwxrwxrwx 1 noone nogroup 0 Mar 29 22:39 ..
drwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 test
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt
Format
rename old-name new-name
Parameters
Parameter Description Settings
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name:
l drive is the storage device and is named as flash:.
l If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the stack.
– chassis ID#flash: root directory of the flash memory on a device in the stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
l flash:/my/test/ is an absolute path.
l /selftest/ is a path relative to the root directory and indicates the selftest directory in the
root directory.
l selftest/ is a path relative to the current working directory and indicates the selftest
directory in the current working directory.
Precautions
l You must rename a file or directory in its source directory.
l If the renamed file or directory has the same name as an existing file or directory, an
error message is displayed.
l If you specify old-name or new-name without specifying the file path, the file must be
saved in your current working directory.
Example
# Rename the directory mytest to yourtest in the directory flash:/test/.
<HUAWEI> pwd
flash:/test
<HUAWEI> rename mytest yourtest
Info: Rename file flash:/test/mytest to flash:/test/yourtest ?[Y/N]:y
Info: Rename file flash:/test/mytest to flash:/test/yourtest ......Done.
Format
reset recycle-bin [ /f | filename | devicename ]
Parameters
Parameter Description Value
/f: Directly deletes all files from the recycle bin. Value: -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If you run the delete command without specifying the /unreserved parameter, the file is
moved to the recycle bin and still occupies the memory. To free up the space, you can run the
reset recycle-bin command to permanently delete the file from the recycle bin.
The following describes the drive name.
l drive is the storage device and is named as flash:.
l If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the stack.
– chassis ID#flash: root directory of the flash memory on a device in the stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
l flash:/my/test/ is an absolute path.
l /selftest/ is a path relative to the root directory and indicates the selftest directory in the
root directory.
l selftest/ is a path relative to the current working directory and indicates the selftest
directory in the current working directory.
Precautions
l You can run the dir /all command to display all files that are moved to the recycle bin
from the current directory, and file names are displayed in square brackets ([ ]).
l If you specify a storage device, all files in the root directory of that storage device are
deleted.
l If you run the reset recycle-bin command directly, all files that are moved to the recycle
bin from the current directory are permanently deleted.
Example
# Delete the file test.txt that is moved to the recycle bin from the directory test.
<HUAWEI> reset recycle-bin flash:/test/test.txt
Info: Are you sure to clear flash:/test/test.txt?[Y/N]:y
Info: Clearing file flash:/test/test.txt......Done.
# Delete files that are moved to the recycle bin from the current directory.
<HUAWEI> pwd
flash:/test
<HUAWEI> reset recycle-bin
Info: Are you sure to clear flash:/test/aa.txt?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/aa.txt......Done.
Info: Are you sure to clear flash:/test/abc.txt?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/abc.txt......Done.
Info: Are you sure to clear flash:/test/1.bat?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/1.bat......Done.
Format
rmdir remote-directory
Parameters
Parameter Description Value
remote-directory: Specifies a directory or path on the FTP server. Value: a string of 1 to 128 case-sensitive characters without spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the rmdir command to delete a specified directory from the remote FTP server.
Precautions
l Before running the rmdir command to delete a directory, you must delete all files and
subdirectories from the directory.
l If no path is specified when you delete a subdirectory, the subdirectory is deleted from
the current directory.
l The directory is deleted from the FTP server rather than the FTP client.
Example
# Delete the directory d:/temp1 from the remote FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] rmdir d:/temp1
250 'D:\temp1': directory removed.
Format
rmdir directory
Parameters
Parameter Description Value
directory: Specifies a directory, or a directory and its path. Value: a string of case-sensitive characters in the [ drive ] [ path ] directory format. The absolute path length ranges from 1 to 255, while the directory name length ranges from 1 to 128. Up to 8 levels of directories are supported. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. Characters such as ~, *, /, \, :, ', " cannot be used in the directory name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
l flash:/my/test/ is an absolute path.
l /selftest/ is a path relative to the root directory and indicates the selftest directory in the
root directory.
l selftest/ is a path relative to the current working directory and indicates the selftest
directory in the current working directory.
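The path rules above are stated identically for the rename, reset recycle-bin and rmdir commands, and the rmdir parameter table adds the directory-name restrictions. The following Python is an added example, not Huawei code: resolve_path expands the three path forms (absolute, root-relative, working-directory-relative) against a working directory, and check_directory_path reports which rmdir restrictions a path violates. The drive regex and the refusal of ".." components that climb above the root are assumptions of the example.

```python
import re

# Drive prefixes described on the page: "flash:" for the master switch and
# "<chassis ID>#flash:" (for example "slot2#flash:") for a stack member.
# The exact character set allowed in the chassis ID is an assumption.
DRIVE_RE = re.compile(r"^(?:[A-Za-z0-9]+#)?flash:")

# Characters the rmdir reference says cannot appear in a directory name.
FORBIDDEN_NAME_CHARS = set('~*/\\:\'"')
MAX_NAME_LEN = 128      # directory name length limit from the page
MAX_PATH_LEN = 255      # absolute path length limit from the page
MAX_DEPTH = 8           # directory nesting limit from the page


def resolve_path(cwd: str, path: str) -> str:
    """Expand path the way the page describes, relative to cwd.

    cwd is an absolute path such as "flash:/test". The three cases from the
    page: "flash:/my/test/" is absolute, "/selftest/" is relative to the root
    of the current drive, and "selftest/" is relative to cwd.
    """
    m = DRIVE_RE.match(cwd)
    if not m:
        raise ValueError(f"cwd must be absolute, got {cwd!r}")
    drive = m.group(0)                      # e.g. "flash:" or "slot2#flash:"
    if DRIVE_RE.match(path):                # absolute: already carries a drive
        base, rest = path.split(":", 1)
        base += ":"
        rest = rest.lstrip("/")
    elif path.startswith("/"):              # relative to the root directory
        base, rest = drive, path.lstrip("/")
    else:                                   # relative to the working directory
        base = drive
        cwd_rest = cwd[len(drive):].strip("/")
        rest = f"{cwd_rest}/{path}" if cwd_rest else path
    # Normalise "." and ".." and drop empty components from doubled slashes.
    parts = []
    for comp in rest.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise ValueError("path escapes the root directory")
            parts.pop()
        else:
            parts.append(comp)
    return base + "/" + "/".join(parts)


def check_directory_path(abs_path: str) -> list:
    """Return the rmdir restrictions that abs_path violates (empty if it is OK)."""
    problems = []
    if not 1 <= len(abs_path) <= MAX_PATH_LEN:
        problems.append("absolute path length must be 1 to 255")
    m = DRIVE_RE.match(abs_path)
    if not m:
        problems.append("path must start with a drive such as flash:")
        return problems
    names = [n for n in abs_path[len(m.group(0)):].split("/") if n]
    if len(names) > MAX_DEPTH:
        problems.append("more than 8 directory levels")
    for name in names:
        if not 1 <= len(name) <= MAX_NAME_LEN:
            problems.append(f"{name!r}: name length must be 1 to 128")
        bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
        if bad:
            problems.append(f"{name!r}: forbidden characters {''.join(bad)}")
    return problems
```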
Precautions
l Before running the rmdir command to delete a directory, you must delete all files and
subdirectories from the directory.
l A deleted directory and its files cannot be restored from the recycle bin.
Example
# Delete the directory test from the current directory.
<HUAWEI> rmdir test
Info: Are you sure to remove directory flash:/test?[Y/N]:y
Info: Removing directory flash:/test/.......Done.
Function
The rmdir command deletes a specified directory from the remote SFTP server.
Format
rmdir remote-directory &<1-10>
Parameters
Parameter Description Value
remote-directory: Specifies the name of a directory on the SFTP server. Value: a string of 1 to 128 case-sensitive characters without spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
l You can specify a maximum of 10 directory names in one command, separated by spaces,
to delete them at one time.
l Before running the rmdir command to delete a directory, you must delete all files and
subdirectories from the directory.
l If the directory to be deleted is not in the current directory, you must specify the file
path.
Example
# Delete the directory 1 from the current directory, and the directory 2 from the test directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> rmdir 1 test/2
Warning: Are sure to remove these directories? [Y/N]:y
Info: Succeeded in removing the directory: /test/1.
Info: Succeeded in removing the directory: /test/test/2.
3.7.69 scp
Function
The scp command uploads a local file to the remote SCP server or downloads a file from the
remote SCP server to a local directory.
Format
# Transfer a file between the local client and the remote SCP server based on IPv4.
scp [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] [ -
port port-number | { public-net | vpn-instance vpn-instance-name } | -c | -cipher cipher-type
| -prefer-kex kex-type | -r | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc |
rsa } ] * source-filename destination-filename
# Transfer a file between the local client and the remote SCP server based on IPv6.
scp ipv6 [ -a source-ipv6-address | -oi interface-type interface-number ] [ public-net | vpn-
instance vpn-instance-name ] [ -force-receive-pubkey ] [ -port port-number | -c | -cipher
cipher-type | -prefer-kex kex-type | -r | identity-key { dsa | ecc | rsa } | user-identity-key
{ dsa | ecc | rsa } ] * source-filename destination-filename
Parameters
Parameter Description Value
-port port-number: Specifies the port number of the SCP server. Value: an integer that ranges from 1 to 65535. The default value is 22.
vpn-instance vpn-instance-name: Specifies the name of the VPN instance where the SCP server is located. Value: the name of the VPN instance must already exist.
-prefer_kex kex-type: Specifies the preferred key exchange algorithm. Value: one of dh-exchange-group-sha256, dh_exchange_group, dh_group1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, sm2_kep, dh_group14_sha1. The default key exchange algorithm is ecdh-sha2-nistp521. NOTE: When the public key algorithm on the server is ecc, the sm2_kep algorithm is preferred.
identity-key: Specifies the public key algorithm for server authentication. Value: dsa, ecc, or rsa. The default public key algorithm is ecc.
user-identity-key: Specifies the public key algorithm for user authentication. Value: dsa, ecc, or rsa. The default public key algorithm is ecc.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
SCP file transfer mode is based on SSH2.0. Compared with the SFTP file transfer mode, the
SCP file transfer mode allows you to upload or download files as soon as the connection is set
up between the SCP client and server.
l You are advised to set the source IP address to the loopback address, or set the outbound
interface to the loopback interface using -a and -i, to improve security.
l When -r is specified, you can use the wildcard (*) to upload or download files in
batches, for example, *.txt and huawei.*.
l When -c is specified, files are compressed before being transmitted. File compression
takes a long time and affects file transfer speed; therefore, you are not advised to
compress files before transferring them.
Precautions
l A file on the SCP server is specified in the format username@hostname:
[path]filename.
– username is the user name for logging in to the SCP server.
– hostname is the name or IP address of the SCP server.
– path is the working directory on the SCP server.
– filename is the name of a file.
l If hostname is an IPv6 address, the IPv6 address must be included in square brackets
([ ]), for example, john@[1000::1]:.
l If the destination file name is the same as the name of an existing directory, the file is
moved to this directory with the source file name. If the destination file has the same
name as an existing file, the system overwrites the existing file.
l If an SCP user on the client authenticates the server using an RSA, a DSA or an ECC
public key, the SCP user is prompted to select the key pair for authentication.
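The username@hostname:[path]filename format above, including the bracketed IPv6 form, is what an SCP client has to split before it can decide which side of the transfer is remote. The following Python is an added example, not Huawei code: parse_scp_spec splits a spec into user, host and remote path (keeping a device drive prefix such as flash:/ intact, since it also contains a colon), and classify_transfer tells an upload from a download. The regular expression and the rejection of non-IPv6 text in brackets are assumptions of the example.

```python
import ipaddress
import re

# Pattern for username@hostname:[path]filename, where an IPv6 hostname must be
# written in square brackets, for example john@[1000::1]: (as on the page).
_SPEC_RE = re.compile(
    r"^(?P<user>[^@\[\]:]+)@"                      # user name: no @ : [ ]
    r"(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:\[\]]+))"  # [IPv6] or hostname/IPv4
    r":(?P<rest>.*)$"                              # everything after the colon
)


def parse_scp_spec(spec: str) -> dict:
    """Split an SCP remote file spec into user, host and remote path.

    The path keeps any drive prefix such as "flash:/" because the device file
    system uses a colon after the drive name; only the first colon after the
    host terminates the host part. Raises ValueError for malformed specs.
    """
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"not in username@hostname:[path]filename form: {spec!r}")
    host = m.group("v6") or m.group("host")
    if m.group("v6") is not None:
        # Square brackets are only meaningful for an IPv6 literal; reject junk.
        # AddressValueError is a subclass of ValueError.
        ipaddress.IPv6Address(host)
    return {"user": m.group("user"), "host": host, "path": m.group("rest")}


def is_remote_spec(arg: str) -> bool:
    """True if arg names a file on the SCP server rather than a local file."""
    try:
        parse_scp_spec(arg)
        return True
    except ValueError:
        return False


def classify_transfer(source: str, destination: str) -> str:
    """Return "upload" for local -> remote and "download" for remote -> local.

    The page describes only client-to-server and server-to-client transfers,
    so any other combination is rejected.
    """
    src_remote, dst_remote = is_remote_spec(source), is_remote_spec(destination)
    if not src_remote and dst_remote:
        return "upload"
    if src_remote and not dst_remote:
        return "download"
    raise ValueError("exactly one of source and destination must be a remote spec")
```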
Example
# Log in through DSA authentication and copy the xxxx.txt file to the flash memory of
remote SCP server at 10.10.0.114.
<HUAWEI> system-view
[~HUAWEI] scp identity-key dsa flash:/xxxx.txt root@10.10.0.114:flash:/xxxx.txt
Trying 10.10.0.114...
Press CTRL+K to abort
Connected to 10.10.0.114...
The server is not authenticated. Continue to access it? [Y/N]:y
Save the server's public key? [Y/N]:y
The server's public key will be saved with the name 10.10.0.114. Please wait...
Please select public key type for user authentication [R for RSA/D for DSA/E for
ECC] Please select [R/D/E]: d
Enter password:
xxxx.txt 100% 261Bytes 1Kb/s
Format
scp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-instance-name ] | -i
interface-type interface-number }
undo scp client-source
Parameters
Parameter Description Value
-a source-ip-address: Specifies the source IP address of the SCP client. You are advised to use the loopback interface IP address. Value: -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the device
selects when sending packets. The source IP address must be configured on an interface with
stable performance; the loopback interface is recommended. Using the loopback interface as
the source interface simplifies ACL rule and security policy configuration, shields IP address
differences and interface status changes, filters incoming and outgoing packets, and
implements security authentication.
Before specifying the parameter vpn-instance vpn-instance-name, ensure that a VPN instance
has been configured.
If you use -i to specify a logical interface as the source interface, ensure that the logical
interface has been created successfully.
Precautions
l The scp command can also specify a source IP address, and that address takes priority
over the one specified in the scp client-source command. If source addresses are
specified in both the scp client-source and scp commands, the source IP address
specified in the scp command is used for data communication. The source address
specified in the scp client-source command applies to all SCP connections, whereas the
source address specified in the scp command applies only to the current SCP connection.
l If the specified source interface has been bound to a VPN instance, the client is
automatically bound to the same VPN instance.
l After a bound VPN instance is deleted, the VPN configuration specified using the scp
client-source command will not be cleared but does not take effect. In this case, the SCP
server uses a public IP address. If you configure the VPN instance with the same name
again, the VPN function restores.
l After a bound source interface is deleted, the interface configuration specified using the
ssh server-source command will not be cleared but does not take effect. If you configure
the source interface with the same name again, the interface configuration specified
using the ssh server-source command is updated and the function restores.
Example
# Set the source IP address of the SCP client to the loopback interface IP address 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] scp client-source -a 10.1.1.1
Format
scp max-sessions max-session-count
undo scp max-sessions
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
This command limits the number of SCP clients that can connect to an SCP server.
This command takes effect for both IPv4 and IPv6 connections.
NOTE
If the configured limit is smaller than the number of currently connected SCP clients, the existing SCP clients
are not disconnected, but new SCP clients cannot connect to the SCP server.
Example
# Set the number of SCP clients allowed to connect to an SCP server to 5.
<HUAWEI> system-view
[~HUAWEI] scp max-sessions 5
Function
The scp server enable command enables the SCP service on the SSH server.
The undo scp server enable command disables the SCP service on the SSH server.
Format
scp [ ipv4 | ipv6 ] server enable
Parameters
Parameter Description Value
ipv4 Specifies IPv4 server. -
ipv6 Specifies IPv6 server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
SCP copies, uploads, and downloads files based on the SSH remote copy function. The SCP
file copy command is easy to use and improves network maintenance efficiency.
The scp server enable command enables both the IPv4 and IPv6 SCP servers. The scp ipv4
server enable command enables the IPv4 SCP server, and the scp ipv6 server enable
command enables the IPv6 SCP server.
To connect the client to the SSH server to transfer files in SCP mode, you must first enable
the SCP server on the SSH server.
In V200R002C50 and V200R003C00, you can run the scp [ ipv4 | ipv6 ] server enable
command to enable the SCP function. If the current version is downgraded to V200R001C00
or an earlier version, this configuration will be lost, so you need to run the scp server enable
command again. In V200R005C00, you can run the scp ipv4 server enable command to
enable the IPv4 SCP function, or run the scp ipv6 server enable command to enable the IPv6
SCP function (IPv4 SCP and IPv6 SCP functions are not enabled simultaneously). If the
current version is downgraded to V200R001C00 or an earlier version, this configuration will
be lost, so you need to run the scp server enable command again.
Example
# Enable the SCP service.
<HUAWEI> system-view
[~HUAWEI] scp server enable
Function
The set configuration appdata auto-check enable command enables the function to
automatically check whether data in the service process database is the same as that in the
central database.
The undo set configuration appdata auto-check enable command disables the function to
automatically check whether data in the service process database is the same as that in the
central database.
Format
set configuration appdata auto-check enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device data is saved in the central database and in service process databases. Each
service process database synchronizes its data from the central database. If the data in a
service process database is inconsistent with that in the central database, the device may not
behave as the operator expects, causing service function exceptions. Therefore, automatic
data verification needs to be enabled to periodically check data consistency between the
service process databases and the central database. If any inconsistency is detected, an alarm
is reported immediately so that you can analyze the impact on services in a timely manner.
You can restart the board or device to rectify the fault.
To enable or disable the automatic data verification function, run this command.
Example
# Disable the function to automatically check whether data in the service process database is
the same as that in the central database.
<HUAWEI> system-view
[~HUAWEI] undo set configuration appdata auto-check enable
Function
The set net-manager vpn-instance command configures the default VPN instance that the
NMS uses on the device.
The undo set net-manager vpn-instance command deletes the default VPN instance from
the device.
Format
set net-manager [ ipv6 ] vpn-instance vpn-instance-name
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the NMS manages devices on the VPN network, you need to send the device information to
the NMS using the VPN instance.
You can run the set net-manager vpn-instance command to configure the default VPN
instance for the NMS to manage the device so that the device can use this VPN instance to
communicate with the NMS.
Precautions
l Before running the set net-manager vpn-instance command, you must create VPN
instances.
l If the host has been configured as a log host, the NMS can receive device logs from the
default VPN instance.
l The VPN configured using the set net-manager vpn-instance command affects the
following service modules: TFTP client, FTP client, SFTP client, SCP client, Info Center
module, SNMP module, TACACS module, IP FPM module, PM module, Callhome
module of the SSH server.
l After a bound VPN instance is deleted, the VPN configuration specified using the set
net-manager command will not be cleared but does not take effect. In this case, the
server uses a public IP address. If you configure the VPN instance with the same name
again, the VPN function restores.
Example
# Set the default VPN instance to v1.
<HUAWEI> system-view
[~HUAWEI] set net-manager vpn-instance v1
3.7.75 sftp
Function
The sftp command connects the device to the SSH server so that you can manage files that are
stored on the SFTP server.
Format
# Connect the SFTP client to the SFTP server based on IPv4.
sftp [ -a source-address | -i interface-type interface-number | -force-receive-pubkey ] host-ip
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | prefer_kex kex-type |
prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-type | prefer_ctos_hmac hmac-
type | prefer_stoc_hmac hmac-type | prefer_ctos_compress compress-type |
prefer_stoc_compress compress-type | -ki aliveinterval | -kc alivecountmax | identity-key
{ dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] *
# Connect the SFTP client to the SFTP server based on IPv6.
sftp ipv6 [ -force-receive-pubkey ] [ -a source-address ] host-ipv6 [ public-net | -vpn-
instance vpn-instance-name ] [ -oi interface-type interface-number ] [ port ] [ prefer_kex
kex-type | prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-type |
prefer_ctos_hmac hmac-type | prefer_stoc_hmac hmac-type | prefer_ctos_compress
compress-type | prefer_stoc_compress compress-type | -ki aliveinterval | -kc alivecountmax |
identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] *
Parameters
Parameter Description Value
port: Specifies the port number of the SSH server. Value: an integer that ranges from 1 to 65535. The default port number is 22.
-vpn-instance vpn-instance-name: Specifies the name of the VPN instance where the SFTP server is located. Value: the VPN must already exist.
prefer_ctos_compress compress-type: Specifies the preferred compression algorithm from the client to the server. Value: can only be set to zlib in the current version.
prefer_stoc_compress compress-type: Specifies the preferred compression algorithm from the server to the client. Value: can only be set to zlib in the current version.
-ki aliveinterval: Specifies the interval for sending keepalive packets when no packet is received in reply. Value: an integer that ranges from 1 to 3600, in seconds.
-kc alivecountmax: Specifies the maximum number of times keepalive packets are sent when no packet is received in reply. Value: an integer that ranges from 1 to 30. The default value is 3.
identity-key: Specifies the public key algorithm for authentication on the server. Value: dsa, ecc, or rsa. The default public key algorithm is ecc.
user-identity-key: Specifies the public key algorithm for user authentication. Value: dsa, ecc, or rsa. The default public key algorithm is ecc.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
SFTP (SSH FTP) is a secure file transfer protocol built on SSH. It ensures that users can log
in to a remote device securely for file management and transmission, and enhances the
security of data transmission. In addition, you can log in to a remote SSH server from the
device that functions as an SFTP client.
When the connection between the SFTP server and client fails, the SFTP client must detect
the fault in time and disconnect from the SFTP server. To ensure this, before connecting to
the server in SFTP mode, configure the client with the interval and the maximum number of
times for sending keepalive packets when no packet is received in reply. If the client receives
no packet in reply within the specified interval, the client sends a keepalive packet to the
server again. If the number of keepalive packets sent exceeds the specified maximum, the
client releases the connection. By default, the function for sending keepalive packets when no
packet is received is not enabled.
Precautions
l When the -a or -i parameter is specified, the source IP address (or the primary IP address of the source interface) can be used as the source or destination address in the ACL rule on the peer. This shields differences between interface addresses and interface status changes, filters incoming and outgoing packets, and supports security authentication.
l The SSH client can log in to the SSH server without specifying a port number only when the SSH server listens on port 22. If the server uses another port, the port number must be specified when the client logs in.
l If the sftp command fails because of the ACL configured on the SFTP client or because the TCP connection fails, an error message is displayed indicating that the SFTP client cannot connect to the server.
NOTE
To ensure high security, do not use the des or 3des algorithm, and do not use RSA keys shorter than 2048 bits. SSH DSA (ssh-dss) keys are fixed at 1024 bits, so prefer ecc (the default) or rsa with a key of at least 2048 bits for identity-key and user-identity-key.
Example
# Connect to an SSH server that listens on port 1025 and is reachable through the VPN instance ssh (the SFTP client is on the public network and the SSH server on the private network).
<HUAWEI> system-view
[~HUAWEI] sftp 10.164.39.223 1025 -vpn-instance ssh
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Please input the username: client001
Please select public key type for user authentication [R for RSA/D for DSA/E for
ECC] Please select [R/D/E]: d
Enter password:
sftp-client>
# Set keepalive parameters when the client is connected to the server in SFTP mode.
<HUAWEI> system-view
[~HUAWEI] sftp 10.164.39.223 -ki 10 -kc 4
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Please input the username: client001
Please select public key type for user authentication [R for RSA/D for DSA/E for
ECC] Please select [R/D/E]: d
Enter password:
sftp-client>
Function
The sftp client-source command specifies the source IP address for the SFTP client to send
packets.
The undo sftp client-source command restores the default source IP address for the SFTP
client to send packets.
The default source IP address for the SFTP client to send packets is 0.0.0.0.
Format
sftp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-instance-name ] | -i interface-type interface-number }
Parameters
Parameter Description Value
-a source-ip-address: Specifies the IP address of the SFTP client as the source IP address. The value is in dotted decimal notation.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the client sends packets with the source IP address that the router selects. Configure the source IP address on an interface with stable status; a loopback interface is recommended. Using the loopback interface as the source interface simplifies the ACL rule and security policy configuration on the peer: it shields interface address differences and interface status changes, filters incoming and outgoing packets, and supports security authentication.
Precautions
l If the specified source interface has been bound to a VPN instance, the client is automatically bound to the same VPN instance.
l If the specified source interface has been bound to a VPN instance, for example, vpn1, but a different VPN instance, for example, vpn2, is specified in the sftp client-source -a source-ip-address -vpn-instance vpn-instance-name command, the VPN instance configured by this command (vpn2) takes effect.
l You can query the source IP address, or the primary IP address of the source interface, of the SFTP connection on the SFTP server.
l The source IP address specified in the sftp command takes precedence over the one specified in the sftp client-source command. If source addresses are specified in both, the address from the sftp command is used for data communication. The address specified in the sftp client-source command applies to all SFTP connections; the address specified in the sftp command applies only to the current SFTP connection.
l After a bound source interface is deleted, the configuration specified using the sftp client-source command is not cleared but does not take effect. If an interface with the same name is configured again, the sftp client-source configuration is updated and the function is restored.
Example
# Set the source IP address of the SFTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] sftp client-source -a 10.1.1.1
Info: Succeeded in setting the source address of the SFTP client to 10.1.1.1.
Function
The sftp client-transfile command uploads files from an SFTP client to an SFTP server or
downloads files from an SFTP server to an SFTP client.
Format
# Establish an SFTP connection based on IPv4.
Parameters
Parameter Description Value
get: Downloads files from the SFTP server to the local device. Value: -
identity-key { rsa | dsa | ecc }: Specifies the public key algorithm for server authentication. Currently, the RSA, DSA, and ECC algorithms are supported. The default algorithm is ECC.
username user-name: Specifies the user name used to log in to the SFTP server. The value is a string of 1 to 255 case-sensitive characters, spaces not supported. NOTE: When quotation marks are used around the string, spaces are allowed in the string.
password password: Specifies the password used to log in to the SFTP server. The value is a string of 1 to 128 case-sensitive characters, spaces not supported. NOTE: When quotation marks are used around the string, spaces are allowed in the string. Because the password is entered on the command line, it is visible to anyone who can see the terminal session.
sourcefile source-file: Specifies the absolute path of the source file to be uploaded or downloaded. The value is a string of 1 to 256 case-insensitive characters, spaces not supported.
destination destination: Specifies the absolute path of the destination file to be uploaded or downloaded. The value is a string of 1 to 256 case-insensitive characters, spaces not supported. If this parameter is not specified, the name of the uploaded or downloaded file is the same as that of the source file.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To upload files from an SFTP client to an SFTP server or download files from an SFTP server to an SFTP client, run the sftp client-transfile command. This command can be run only on an SFTP client.
With the sftp command, you must enter the user name and password interactively before transferring files, and files can be transferred only after authentication succeeds. The sftp client-transfile command supports one-click file transfer: the credentials and file paths are supplied in the command itself, so the file is transferred as soon as the command is run.
Prerequisites
Before you run the sftp client-transfile command to connect to an SFTP server, ensure that
the following requirements are met:
l The route between the SSH client and server is reachable. If the server does not use a
standard port number, the port number configured on the server must be obtained.
l The IP address of the SSH server and the information about the SSH user used for login
are obtained.
l The SFTP service is enabled on the server; the service types configured for the server
contain SFTP; password authentication is configured for the SSH user.
Configuration Impact
After a connection is established between an SFTP client and an SFTP server, they start to
communicate.
Precautions
l If the command fails because of the ACL configured on the SFTP client or because the TCP connection fails, the system displays an error message indicating that the connection to the server fails.
l When the connection between the server and the client fails, the client must detect the fault promptly and proactively tear down the connection. To achieve this, before the client logs in to the server through SFTP, configure the interval (-ki) at which keepalive packets are sent when no data is received and the maximum number (-kc) of keepalives the server may leave unanswered. If the client receives no data within the interval, it sends a keepalive packet to the server; if the number of unanswered keepalives exceeds the configured maximum, the client proactively tears down the connection.
l If a source interface is specified using the -i interface-type interface-number parameter, the -vpn-instance vpn-instance-name parameter cannot be specified.
l This command connects to the server and transfers files. Password authentication is required for login.
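The keepalive behaviour described in this precaution and in the Usage Scenario of the sftp command, as an added example that is not part of the original page or of the device software: a small Python model of the client side, driven by a constructed server stand-in. The timing rule (one probe after each interval of silence, release once an alivecountmax-th probe is still unanswered after a further interval) and the one-second tick are assumptions used to make the arithmetic visible; the device's internal scheduling is not documented here.

```python
"""Model of the -ki/-kc keepalive logic on the SFTP client side.

Added example, not device code. Assumptions: the client probes once every
`aliveinterval` seconds of silence, and releases the connection when an
`alivecountmax`-th probe is still unanswered after a further interval."""
from dataclasses import dataclass, field


@dataclass
class KeepaliveMonitor:
    aliveinterval: int            # -ki: 1..3600 seconds
    alivecountmax: int            # -kc: 1..30, default 3 on the device
    last_rx: float = 0.0          # time of the last packet received from the server
    unanswered: int = 0           # keepalives sent since last_rx
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.aliveinterval <= 3600:
            raise ValueError("aliveinterval must be 1..3600")
        if not 1 <= self.alivecountmax <= 30:
            raise ValueError("alivecountmax must be 1..30")

    def on_receive(self, now: float) -> None:
        """Any packet from the server counts as a reply and resets the probe count."""
        self.last_rx = now
        self.unanswered = 0

    def tick(self, now: float) -> str:
        """Advance the clock; returns 'idle', 'keepalive' or 'release'."""
        # Probe n is due after (n + 1) silent intervals since the last packet.
        if now - self.last_rx < self.aliveinterval * (self.unanswered + 1):
            return "idle"
        if self.unanswered >= self.alivecountmax:
            self.events.append(("release", now))
            return "release"
        self.unanswered += 1
        self.events.append(("keepalive", now))
        return "keepalive"


def max_detection_time(aliveinterval: int, alivecountmax: int) -> int:
    """Worst-case seconds between the server going silent and the client
    releasing the connection under the assumptions above: one interval to the
    first probe, then one interval per allowed unanswered probe."""
    return aliveinterval * (alivecountmax + 1)


def simulate(aliveinterval: int, alivecountmax: int,
             server_alive_until: int, horizon: int):
    """Drive the monitor with a constructed server that answers every probe
    up to `server_alive_until` seconds and is silent afterwards. Returns the
    second at which the client released the connection, or None."""
    mon = KeepaliveMonitor(aliveinterval, alivecountmax)
    mon.on_receive(0.0)                     # connection established at t=0
    for now in range(1, horizon + 1):
        action = mon.tick(float(now))
        if action == "release":
            return now
        if action == "keepalive" and now <= server_alive_until:
            mon.on_receive(float(now))      # reply arrives within the same second
    return None


if __name__ == "__main__":
    # Values from the page's example: -ki 10 -kc 4.
    print("worst-case detection:", max_detection_time(10, 4), "s")
    print("server silent from t=25, released at t =", simulate(10, 4, 25, 200))
```

With the page's -ki 10 -kc 4, a server that stops answering after its reply at t=20 is dropped at t=70: ten seconds of silence, four unanswered probes, then release on the fifth due probe. Lowering either parameter shortens detection but raises the chance of dropping a healthy but slow link.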
Example
# Configure an SFTP user to download the source file sample.txt from the server at 10.1.1.2
to the SFTP client.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance ssh
[*HUAWEI-vpn-instance-ssh] ipv4-family
[*HUAWEI-vpn-instance-ssh-af-ipv4] commit
[~HUAWEI-vpn-instance-ssh-af-ipv4] quit
[~HUAWEI-vpn-instance-ssh] quit
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.2 1025 -vpn-instance ssh username huawei password Huawei-123 sourcefile sample.txt
# Configure an SFTP user to download the source file sample.txt from the server at 10.1.1.3
to the SFTP client. Set the interval at which keepalive packets are sent if no data is received
and the maximum number of times that the server does not respond to 10 and 4, respectively.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.3 -ki 10 -kc 4 username huawei password Huawei-123 sourcefile sample.txt
# Configure an SFTP user to download the source file sample.txt from the server at 10.1.1.4
to the SFTP client, and log in to the SFTP server in DSA authentication mode.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.4 identity-key dsa username huawei password Huawei-123 sourcefile sample.txt
# Configure an SFTP user to upload the sample.txt file to the SFTP server whose IPv6
address is 10::1, and log in to the SFTP server in DSA authentication mode.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile put ipv6 host-ip 10::1 identity-key dsa username huawei password Huawei-123 sourcefile sample.txt
Function
The sftp idle-timeout command configures the idle timeout after which the SSH server disconnects an idle SFTP client.
The undo sftp idle-timeout command restores the default idle timeout.
By default, the timeout period is 10 minutes.
Format
sftp idle-timeout minutes [ seconds ]
undo sftp idle-timeout
Parameters
Parameter Description Value
minutes: Specifies the idle timeout in minutes. The value is an integer that ranges from 0 to 35791.
seconds: Specifies the idle timeout in seconds. The value is an integer that ranges from 0 to 59.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run the sftp idle-timeout command to configure the idle timeout after which the SSH server disconnects an SFTP client that has performed no operation within the specified duration.
Precautions
If you run the sftp idle-timeout 0 0 command, the idle timeout function is disabled. Authenticated SFTP sessions then stay open until the client closes them, so keep a finite timeout on production devices.
This command takes effect for both IPv4 and IPv6 connections.
Example
# Set the idle timeout duration to 1 minute and 30 seconds.
<HUAWEI> system-view
[~HUAWEI] sftp idle-timeout 1 30
Function
The sftp max-sessions command configures the maximum number of server connections in
SFTP mode.
The undo sftp max-sessions command restores the maximum number of server connections
in SFTP mode to the default value.
Format
sftp max-sessions max-session-count
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run the sftp max-sessions command to configure the maximum number of SSH server connections in SFTP mode, which prevents heavy load from excessive access (a simple guard against resource exhaustion). The command takes effect for both IPv4 and IPv6 connections.
Precautions
If the configured maximum is smaller than the number of current connections, the existing connections persist, but no new connection can be set up.
Example
# Set the maximum number of server connections to 10.
<HUAWEI> system-view
[~HUAWEI] sftp max-sessions 10
Format
sftp [ ipv4 | ipv6 ] server enable
undo sftp [ ipv4 | ipv6 ] server enable
Parameters
Parameter Description Value
ipv4 Specifies IPv4 server. -
ipv6 Specifies IPv6 server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
To connect a client to the SSH server and transfer files in SFTP mode, you must first enable the SFTP server on the SSH server.
The sftp server enable command enables both the IPv4 and IPv6 SFTP servers. The sftp ipv4 server enable command enables only the IPv4 SFTP server, and the sftp ipv6 server enable command enables only the IPv6 SFTP server.
Disabling the SFTP service on the server disconnects all clients connected through SFTP.
In V200R002C50 and V200R003C00, you can run the sftp [ ipv4 | ipv6 ] server enable command to enable the SFTP function. If the device is downgraded to V200R001C00 or an earlier version, this configuration is lost, and you need to run the sftp server enable command again. In V200R005C00, you can run the sftp ipv4 server enable command to enable the IPv4 SFTP function or the sftp ipv6 server enable command to enable the IPv6 SFTP function (the IPv4 and IPv6 SFTP functions are not enabled simultaneously). If the device is downgraded to V200R001C00 or an earlier version, this configuration is lost, and you need to run the sftp server enable command again.
Example
# Enable the SFTP service.
<HUAWEI> system-view
[~HUAWEI] sftp server enable
Info: Succeeded in starting the SFTP server.
Format
sftp server default-directory sftpdir
undo sftp server default-directory [ sftpdir ]
Parameters
Parameter Description Value
sftpdir: Configures the default authorized directory of the SFTP server. The directory must already exist on the server.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When accessing the server using SFTP, you can access only the authorized directory of the SFTP server. You can use any of the following methods to configure the authorized directory. The three methods are listed in descending order of priority.
l Run the ssh user username sftp-directory directoryname command in the system view to configure the authorized directory of the SFTP server for a specified user.
l Run the local-user user-name ftp-directory directory command in the AAA view to configure the authorized directory of the FTP server for a specified user.
l Run the sftp server default-directory sftpdir command in the system view to configure the global default authorized directory of the SFTP server.
The authorized directory configured using the ssh user sftp-directory command has the highest priority and takes effect only for the specified SSH user. The authorized directory configured using the sftp server default-directory command has the lowest priority and takes effect for all SSH users. For example, if directoryA is configured for the user client001 using the ssh user client001 sftp-directory directoryA command, and directoryB is also configured for client001 using the local-user client001 ftp-directory directoryB command in the AAA view, the authorized directory that takes effect for client001 is directoryA. If neither the SFTP nor the FTP authorized directory is configured for a user, the directory configured using the sftp server default-directory command is used.
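How the three settings combine, and the confinement check that an "authorized directory" implies, as an added Python example that is neither the page's nor the device's code. The resolution order is the one given above. The path check is an assumed model of how a server should enforce the boundary: drive-qualified paths such as flash:/ssh are normalized so that ".." cannot escape, relative requests are resolved against the authorized directory, and a user with no authorized directory at all is denied.

```python
"""Authorized-directory resolution and path confinement for SFTP users.

Added example, not device code. The priority order follows the page:
ssh user sftp-directory > local-user ftp-directory > sftp server default-directory.
The confinement check is an assumed model of the boundary, using device-style
paths such as flash:/ssh."""
import posixpath
from typing import Dict, Optional


def effective_sftp_directory(user: str,
                             ssh_user_dirs: Dict[str, str],
                             aaa_ftp_dirs: Dict[str, str],
                             server_default: Optional[str]) -> Optional[str]:
    """Return the authorized directory that applies to `user`, or None."""
    if user in ssh_user_dirs:        # ssh user <user> sftp-directory ...  (highest)
        return ssh_user_dirs[user]
    if user in aaa_ftp_dirs:         # local-user <user> ftp-directory ... (AAA view)
        return aaa_ftp_dirs[user]
    return server_default            # sftp server default-directory ...  (lowest)


def _split_drive(path: str):
    """'flash:/ssh/x' -> ('flash:', '/ssh/x'); a path without ':' has no drive."""
    if ":" in path:
        drive, rest = path.split(":", 1)
        return drive + ":", rest or "/"
    return "", path


def is_within(authorized: str, requested: str) -> bool:
    """True if `requested` stays inside `authorized` once '.' and '..' are
    resolved. Relative requests are resolved against the authorized directory
    (assumed to be the session's working directory). Different drives never match."""
    if not _split_drive(requested)[0]:
        requested = authorized.rstrip("/") + "/" + requested
    adrive, apath = _split_drive(authorized)
    rdrive, rpath = _split_drive(requested)
    if not adrive or adrive != rdrive:
        return False
    a = posixpath.normpath("/" + apath.lstrip("/"))
    r = posixpath.normpath("/" + rpath.lstrip("/"))
    if a == "/":                     # whole drive authorized, e.g. 'flash:'
        return True
    return r == a or r.startswith(a + "/")


def check_request(user: str, requested: str,
                  ssh_user_dirs: Dict[str, str],
                  aaa_ftp_dirs: Dict[str, str],
                  server_default: Optional[str]) -> bool:
    """Full decision for one SFTP request: no authorized directory -> deny."""
    root = effective_sftp_directory(user, ssh_user_dirs, aaa_ftp_dirs, server_default)
    return root is not None and is_within(root, requested)


if __name__ == "__main__":
    # Constructed configuration mirroring the page's client001 example.
    ssh_dirs = {"client001": "flash:/directoryA"}
    aaa_dirs = {"client001": "flash:/directoryB", "ops": "flash:/ops"}
    print(effective_sftp_directory("client001", ssh_dirs, aaa_dirs, "flash:"))
    print(check_request("client001", "../vrpcfg.zip", ssh_dirs, aaa_dirs, "flash:"))
```

Note the prefix test compares against a plus a trailing slash, so flash:/sshd is not mistaken for a child of flash:/ssh, and the normalization runs before the comparison, so flash:/ssh/../vrpcfg.zip is rejected rather than matched on its literal prefix.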
Precautions
This command takes effect for both ipv4 and ipv6 SFTP servers.
In versions earlier than V200R001C00, the default access path of the device is flash:/. In
V200R001C00 and later versions, the SFTP access path is empty by default. Therefore, if you
perform file operations using SFTP on a device running a version earlier than V200R001C00
and the authorized directory of the SFTP server is not configured, the default access path
flash:/ is used.
l When the device is upgraded to V200R001C00 or V200R002C50, you need to manually
configure the ssh user username sftp-directory flash: command.
l When the device is upgraded to V200R003C00 or a later version, the sftp server
default-directory flash: command is automatically configured in the system to ensure
that users can properly access the device using SFTP after the upgrade, which requires
no attention.
Example
# Set the default authorized directory of the SFTP server for SSH users to flash:.
<HUAWEI> system-view
[~HUAWEI] sftp server default-directory flash:
Function
The ssh user sftp-directory command configures the SFTP service authorized directory for
an SSH user.
The undo ssh user sftp-directory command cancels the SFTP service authorized directory
for an SSH user.
By default, the authorized directory of the SFTP service for the SSH user is not configured.
Format
ssh user username sftp-directory directoryname
Parameters
Parameter Description Value
username: Specifies the SSH user name. The value is a string of 1 to 253 case-insensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
directoryname: Specifies the directory name on the SFTP server. The directory must already exist on the SFTP server.
Views
System view
Default Level
3: Management level
Usage Guidelines
Users can access only the specified directory on the SFTP server. If the user username does not exist, the system creates an SSH user named username and applies the configured SFTP authorized directory to it; check the spelling of username before running the command, because a typo silently creates a new SSH user. If the configured directory does not exist, the SFTP client fails to connect to the SSH server with this SSH user.
The command takes effect for both IPv4 and IPv6.
In versions earlier than V200R001C00, the default access path of the device is flash:/. In
V200R001C00 and later versions, the SFTP access path is empty by default. Therefore, if you
perform file operations using SFTP on a device running a version earlier than V200R001C00
and the authorized directory of the SFTP server is not configured, the default access path
flash:/ is used.
l When the device is upgraded to V200R001C00 or V200R002C50, you need to manually
configure the ssh user username sftp-directory flash: command.
l When the device is upgraded to V200R003C00 or a later version, the sftp server
default-directory flash: command is automatically configured in the system to ensure
that users can properly access the device using SFTP after the upgrade, which requires
no attention.
Example
# Configure the SFTP service authorized directory flash:/ssh for the SSH user admin.
<HUAWEI> system-view
[~HUAWEI] ssh user admin sftp-directory flash:/ssh
3.7.83 tail
Function
The tail command displays the last lines of a file.
Format
tail file-name [ line ]
Parameters
Parameter Description Value
file-name: Specifies the name of a file. The value is a string in the [ drive ] [ path ] [ file-name ] format. An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 characters. Up to 8 levels of directories are supported. The path must already exist.
line: Specifies the number of lines to display, counted backwards from the last line of the file. The value is an integer ranging from 0 to 2147483647. If this parameter is not specified, the last 10 lines are displayed.
Views
User view
Default Level
3: Management level
Usage Guidelines
You can run the tail command to view the last lines of a file.
Example
# Display information in the last two lines of the rpm.log file.
<HUAWEI> tail rpm.log 2
[140808-07:52:26] [RPM][SIGN] RPM ReqAppDBRspHandle RequestType:2, RequestId:
10001, RcvTransNo:655458744,SndTransNo:655458744,Session:655458744
[140808-07:52:27] [RPM][ERR] File:autoconfig.py does exist in the filelist in
node /opt/svrp/router1/1-17/vrpv8/home/$_system for osnode:273 when add file
[PID(25786): LinuxError(0)]
3.7.84 tftp
Function
The tftp command uploads a file to the TFTP server or downloads a file to the local device.
Format
# Upload a file to the TFTP server or download a file to the local device based on the IPv4
address
Parameters
Parameter Description Value
-a source-ip-address: Specifies the source IPv4 address used by the TFTP client for the connection. You are advised to use the IPv4 address of a loopback interface. Value: -
-a source-ipv6-address: Specifies the source IPv6 address used by the TFTP client for the connection. You are advised to use the IP address of a loopback interface. Value: -
-i interface-type interface-number: Specifies the source interface used by the TFTP client to set up connections, given as the interface type and number. A loopback interface is recommended. The IP address configured on this interface is the source IP address for sending packets; if no IP address is configured on the source interface, the TFTP connection cannot be set up. Value: -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When upgrading the system, you can run the tftp command to upload an important file to the TFTP server or download system software to the local device. TFTP provides no authentication and no encryption, so use it only on a trusted management network and prefer SFTP where the server supports it.
Precautions
l When you run the tftp command to upload a file to the TFTP server, files are transferred in binary mode by default. The tftp command does not support ASCII mode.
l After specifying a source IP address, you can use that address to communicate with the server and filter packets on it to ensure data security.
Example
# Download file vrpcfg.txt from the root directory of the TFTP server to the local device. The
IP address of the TFTP server is 10.1.1.1. Save the downloaded file to the local device as file
vrpcfg.bak.
<HUAWEI> tftp 10.1.1.1 get vrpcfg.txt flash:/vrpcfg.bak
# Upload file vrpcfg.txt from the root directory of the storage device to the default directory
of the TFTP server. The IP address of the TFTP server is 10.1.1.1. Save file vrpcfg.txt on the
TFTP server as file vrpcfg.bak.
<HUAWEI> tftp 10.1.1.1 put flash:/vrpcfg.txt vrpcfg.bak
Format
tftp client source { -a source-ip-address | -i interface-type interface-number }
undo tftp client source
Parameters
Parameter Description Value
-a source-ip-address: Specifies the source IP address of the TFTP client. You are advised to use the IP address of a loopback interface. The value is in dotted decimal notation.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the client sends packets with the source IP address that the router selects. Configure the source IP address on an interface with stable status; a loopback interface is recommended. Using the loopback interface as the source interface simplifies the ACL rule and security policy configuration on the peer: it shields interface address differences and interface status changes, filters incoming and outgoing packets, and supports security authentication.
Precautions
l The source IP address specified in the tftp command takes precedence over the one specified in the tftp client source command. If source addresses are specified in both, the address from the tftp command is used for data communication. The address specified in the tftp client source command applies to all TFTP connections; the address specified in the tftp command applies only to the current TFTP connection.
l You can query the source IP address, or the source interface IP address, of the TFTP connection on the TFTP server.
l After a bound source interface is deleted, the configuration specified using the tftp client source command is not cleared but does not take effect. If an interface with the same name is configured again, the tftp client source configuration is updated and the function is restored.
l This command takes effect only for IPv4.
l If the specified source interface has been bound to a VPN instance, the client is automatically bound to the same VPN instance.
Example
# Set the source IP address of the TFTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] tftp client source -a 10.1.1.1
Info: Succeeded in setting the source address of the TFTP client to 10.1.1.1.
Function
The tftp server acl command applies an ACL, specified by number or name, that restricts which TFTP servers the local device can access.
The undo tftp server acl command removes the ACL from the local device.
Format
tftp server [ ipv6 ] acl { acl-number | acl-name }
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To protect the local device, run the tftp server acl command to apply an ACL that limits the TFTP servers the local device may access.
Precautions
The tftp server acl command takes effect only after you run the rule (ACL view) or rule (ACL6 view) command to configure at least one rule. If the ACL contains no rule, access is not restricted: the local device can reach any TFTP server even though tftp server acl is configured. An empty ACL therefore fails open; configure the rules before, or immediately after, applying the ACL.
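The fail-open behaviour described in this precaution, together with the matching that the example below relies on, as an added Python example that is neither the page's nor the device's code. The rule syntax parsed here is the basic-ACL form used in the example (rule [id] {permit|deny} [source { address wildcard | any }]), with the wildcard mask in the usual sense: bits set to 1 are ignored and 0 means an exact match. Two points are assumptions rather than documented behaviour: rules are evaluated in the order given with first match winning, and an ACL that has rules but matches none of them denies.

```python
"""Evaluate a basic ACL against a TFTP server address.

Added example, not device code. Models the documented behaviour that an ACL
with no rule does not restrict access (fail-open). Assumed: rules are tried
in order, first match wins, and a non-empty ACL that matches nothing denies."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, Optional[int], int]   # (action, address or None for 'any', wildcard)


def parse_rule(text: str) -> Rule:
    """Parse 'rule [id] {permit|deny} [source {addr wildcard | any}]'."""
    tok = text.split()
    if not tok or tok[0] != "rule":
        raise ValueError("not a rule line: %r" % text)
    i = 1
    if i < len(tok) and tok[i].isdigit():      # optional rule id
        i += 1
    action = tok[i]
    if action not in ("permit", "deny"):
        raise ValueError("expected permit|deny in %r" % text)
    i += 1
    if i >= len(tok):                         # no source clause: matches any
        return action, None, 0
    if tok[i] != "source":
        raise ValueError("unsupported clause %r" % tok[i])
    if tok[i + 1] == "any":
        return action, None, 0
    addr = int(ipaddress.IPv4Address(tok[i + 1]))
    wild = tok[i + 2]
    wildcard = int(wild) if wild.isdigit() else int(ipaddress.IPv4Address(wild))
    return action, addr, wildcard


def matches(rule: Rule, ip: int) -> bool:
    """Wildcard match: bits set in the wildcard are ignored."""
    _, addr, wildcard = rule
    if addr is None:
        return True
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def server_permitted(rules: List[Rule], server_ip: str) -> bool:
    """Decision for one TFTP server address under 'tftp server acl'."""
    if not rules:
        return True                           # documented: no rule -> unrestricted
    ip = int(ipaddress.IPv4Address(server_ip))
    for rule in rules:
        if matches(rule, ip):
            return rule[0] == "permit"
    return False                              # assumption: nothing matched -> deny


if __name__ == "__main__":
    acl2000 = [parse_rule("rule permit source 10.10.10.1 0")]   # the page's example
    print(server_permitted(acl2000, "10.10.10.1"))   # permitted
    print(server_permitted(acl2000, "10.10.10.2"))   # denied
    print(server_permitted([], "203.0.113.9"))       # empty ACL fails open
```

The third call is the case the precaution warns about: tftp server acl 2000 with no rule in ACL 2000 permits every server. Run display acl (or the equivalent on your platform) after applying the ACL to confirm the rule is present.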
Example
# Apply basic ACL 2000, which permits the TFTP server 10.10.10.1, to the local device.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] tftp server acl 2000
3.7.87 undelete
Function
The undelete command restores a file that has been temporarily deleted and moved to the recycle bin.
Format
undelete { filename | devicename }
Parameters
Parameter Description Value
filename: Specifies the name of a file to be restored. An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string.
In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the undelete command to restore a file that has been temporarily deleted and moved to the recycle bin. Files that were permanently deleted by running the delete or reset recycle-bin command with the /unreserved parameter cannot be restored.
The following describes the drive name.
l drive is the storage device and is named as flash:.
Example
# Restore file sample.bak from the recycle bin.
<HUAWEI> undelete sample.bak
Info: Are you sure to undelete flash:/sample.bak ?[Y/N]:y
Info: Undeleting file flash:/sample.bak......Done.
# Restore a file that has been moved from the root directory to the recycle bin.
<HUAWEI> undelete flash:
Info: Are you sure to undelete flash:/test.txt?[Y/N] :y
Info: Undeleting file flash:/test.txt......Done.
Info: Are you sure to undelete flash:/rr.bak?[Y/N]:y
Info: Undeleting file flash:/rr.bak......Done.
3.7.88 unzip
Function
The unzip command decompresses a file.
Format
unzip source-filename destination-filename [ password password ]
Parameters
Parameter Description Value
source-filename: Specifies the name of a source file to be decompressed. An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string.
In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can decompress files, especially log files stored on the storage device, and then run the more command to view the file.
If the target file requires high security, encrypt it. unzip can decompress compressed files that were encrypted in AES-256 mode.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
l flash:/my/test/ is an absolute path.
l /selftest/ is a path relative to the root directory and indicates the selftest directory in the
root directory.
l selftest/ is a path relative to the current working directory and indicates the selftest
directory in the current working directory.
Precautions
l If the destination path is specified without a file name, the destination file name is the same as the source file name.
l The source file persists after being decompressed.
l The compressed file must be a .zip file. If a file to be decompressed is not a zip file, the
system displays an error message during decompression.
l The source file must be a single file. If you attempt to decompress a directory or multiple
files, the decompression cannot succeed.
Example
# Decompress log file syslogfile-2012-02-27-17-47-50.zip that are stored in the syslogfile
directory and save it to the root directory as file log.txt.
<HUAWEI> pwd
flash:/syslogfile
<HUAWEI> unzip syslogfile-2012-02-27-17-47-50.zip flash:/log.txt
Info: Extract flash:/syslogfile/syslogfile-2012-02-27-17-47-50.zip to flash:/
log.txt?[Y/N]:y
100% complete
Info: Decompressed file flash:/syslogfile/syslogfile-2012-02-27-17-47-50.zip to
flash
:/log.txt...Done
3.7.89 user
Function
The user command changes the current FTP user when the local device is connected to the
FTP server.
Format
user user-name
Parameters
Parameter Description Value
user-name Specifies the name of a login The value is a string of 1 to 255 case-
user. insensitive characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the user command to change the current user on the FTP server.
Precautions
After you run the user command to change the current user, a new FTP connection is set up, in the same way as when you log in with the ftp command.
Example
# Log in to the FTP server using the user name tom.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] user tom
331 Password required for tom.
Enter password:
230 User logged in.
3.7.90 verbose
Function
The verbose command enables the verbose function on the FTP client.
The undo verbose command disables the verbose function.
By default, the verbose function is enabled.
Format
verbose
undo verbose
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
After the verbose function is enabled, all FTP response messages are displayed on the FTP
client.
Example
# Enable the verbose function.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] verbose
Info: Succeeded in switching verbose on.
[ftp] get h1.txt
200 Port command okay.
150 Opening ASCII mode data connection for h1.txt.
3.7.91 zip
Function
The zip command compresses a file.
Format
zip source-filename destination-filename [ password password ]
unzip source-filename destination-filename [ password password ]
Parameters
Parameter: source-filename
Description: Specifies the name of a source file to be compressed.
Value: An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.
Parameter: destination-filename
Description: Specifies the name of the destination file that is compressed.
Value: An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the target file requires high security, you are advised to encrypt it: specify the password parameter, and the target file is encrypted in AES-256 mode.
The following describes the drive name.
- drive is the storage device and is named as flash:.
- If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack. For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
- flash:/my/test/ is an absolute path.
- /selftest/ is a path relative to the root directory and indicates the selftest directory in the root directory.
- selftest/ is a path relative to the current working directory and indicates the selftest directory in the current working directory.
Precautions
- If the destination file path is specified but the file name is not, the destination file name is the same as the source file name.
- The source file persists after being compressed.
- Directories cannot be compressed.
Example
# Compress file log.txt that is stored in the root directory and save it to the test directory as
file log.zip.
<HUAWEI> dir
Directory of flash:/
Directory of flash:/test/
Function
The clear configuration commit command deletes the label of a configuration rollback point
specified in the system or the earliest configuration rollback point generated in the system.
Format
clear configuration commit { commit-id label | oldest number-of-commits }
Parameters
Parameter: commit-id label
Description: Deletes the label of a specified configuration rollback point. Run the display configuration commit list command to check the configuration rollback points.
Value: The value is an integer that the system generates automatically.
Views
User view
Default Level
2: Configuration level
NOTE
Usage Guidelines
Usage Scenario
To reduce the amount of information held in the system buffer, run this command to delete one or more of the earliest configuration rollback points.
Configuration rollback points in the system can be classified into those with labels and those
without any label.
- You can run the clear configuration commit commit-id label command to delete the label of a specified configuration rollback point.
- You can run the clear configuration commit oldest number-of-commits command to delete a configuration rollback point without any label. After the clear configuration commit oldest number-of-commits command is run, configuration rollback points with labels become discontinuous configuration rollback points. If you run the display configuration commit list command to check the configuration rollback points, the CommitId values of these discontinuous configuration rollback points are marked with an asterisk (*) in the command output.
In normal cases, you do not need to run this command to delete the earliest rollback points
from the list. The system will automatically delete the earliest rollback points before
generating new points if the number of rollback points in the list reaches the upper limit (80).
Prerequisites
Before deleting a configuration rollback point, run the display configuration commit list or display configuration commit changes command to check the system configuration change recorded at that point, and make sure that the point can be deleted.
Follow-up Procedure
Run the display configuration commit list command to check whether the configuration
rollback point has been deleted.
Example
# Delete the configuration rollback point numbered 1000000265.
<HUAWEI> clear configuration commit 1000000265 label
Format
clear configuration commit label label-name
Parameters
Parameter: label-name
Description: Specifies a user label of a configuration rollback point.
Value: The value is a string of 1 to 256 case-sensitive characters. It can be any visible ASCII character except for the space. However, the string can contain spaces if it is enclosed with double quotation marks (" "). The string cannot start with a digit or be a hyphen (-).
NOTE
The value of this parameter must be an existing configuration rollback point on the device. Otherwise, the command cannot be executed.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To delete a useless configuration rollback point with a specified label, run the clear
configuration commit command. The system can generate a maximum of 20 configuration
rollback points with labels, 10 periodic configuration rollback points, and five historical
periodic configuration rollback points. If a configuration rollback point is no longer useful,
run this command to clear it to reduce the system cache information.
Precautions
After a configuration rollback point is deleted, system configurations cannot be rolled back to
what they were at this configuration rollback point by running rollback commands.
Run the display configuration commit list and display configuration changes commands to
display information about the configuration rollback point. Checking the command output
helps prevent misoperations.
Example
# Delete the configuration rollback point with the label named new_label.
<HUAWEI> clear configuration commit label new_label
Warning: The current operation will delete the rollback checkpoint. Continue? [Y/N]: y
Format
check patch { file-name | startup }
Parameters
Parameter: file-name
Description: Specifies the name of the patch package to be checked.
Value: The name of the patch must already exist. It is in the format of [ drive ] [ path ] filename. If [ drive ] is not specified, the name of the default storage device is used.
Views
User view
Default Level
3: Management level
Usage Guidelines
To check whether the patch package is damaged before installing it, run the check patch
command. If the patch package is not damaged, a message indicating that the patch package is
complete is displayed. Otherwise, a message indicating that the patch package is incomplete is
displayed. If the specified patch package does not exist, a message indicating that the patch
package does not exist is displayed. If you specify the startup parameter without setting any
next-startup patch file, a message is displayed indicating that the required patch file does not
exist. In this case, run the startup patch file-name all command to specify a next-startup
patch package.
Example
# Check the integrity of the patch package named CE-V200R003SPH001.PAT.
<HUAWEI> check patch CE-V200R003SPH001.PAT
Warning: Patch package verification consumes system CPU resources. Continue? [Y/N]: y
# Check the integrity of the patch package used for the next startup.
<HUAWEI> check patch startup
Warning: Patch package verification consumes system CPU resources. Continue? [Y/N]: y
Format
check system-software system-file
Parameters
Parameter: system-file
Description: Specifies the name of the system software package on which an integrity check is performed.
Value: The name of the system software package must already exist. It is in the format of [ drive ] [ path ] filename. If [ drive ] is not specified, the name of the default storage device is used.
Views
User view
Default Level
3: Management level
Usage Guidelines
Before switching the system software package, you can run this command to check whether the system software package is damaged. If the package is not damaged, the system reports that the package passes the check. Otherwise, the system reports that the package is incomplete. If the entered system software package name does not exist, the system reports an error for the check. Make sure that the system software package exists on the device before running this command.
Example
# Check the integrity of the system software package CE-V200R003C00.cc.
<HUAWEI> check system-software CE-V200R003C00.cc
Format
clear inactive-configuration { slot slot-id | all | chassis chassis-id }
Parameters
Parameter: slot slot-id
Description: Specifies the slot ID of an interface board that is not installed.
Value: The value is an integer and the value range depends on the device model.
Parameter: chassis chassis-id
Description: Specifies the stack ID.
Value: The value must be set according to the device configuration.
NOTE
This parameter is available only in stack scenarios.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a device has been replaced, run the clear inactive-configuration slot command to delete the configurations of the device that is not operating, if these configurations do not need to be saved.
Precautions
This command is only used in stack scenarios.
Ensure that the specified device on which configurations are to be deleted does not operate.
After this command is executed, inactive configurations on the device are deleted.
Uncommitted configurations that depend on these inactive configurations will fail to be
committed, and the system displays an error message.
Example
# Delete the configurations from the device that does not operate in slot 1.
<HUAWEI> system-view
[~HUAWEI] clear inactive-configuration slot 1
Warning: The inactive configuration of slot 1 will be deleted and can't be restored.
Function
The configuration current backup-to-server monthly command enables the function to
upload a configuration file to the server on a specific date and time every month.
By default, the function to upload a configuration file to the server on a specific date and time
every month is disabled.
Format
configuration current backup-to-server monthly date date-value [ time time-value ]
Parameters
Parameter: date date-value
Description: Specifies a date.
Value: The value is an integer ranging from 1 to 31.
Parameter: time time-value
Description: Specifies a time point.
Value: The value is expressed in the format of HH:MM:SS, where HH:MM:SS indicates a second-specific time point. HH ranges from 0 to 23, and MM and SS both range from 0 to 59. The default value is 00:00:00.
Views
System view
Default Level
3: Management level
Usage Guidelines
To upload a configuration file to the server on a specific date and time every month, run the
configuration current backup-to-server monthly command.
The configuration file generated by this command is a .dat file, and its generation time is the local time.
Example
# Upload a configuration file to the server at 12:12:12 on the first day every month.
<HUAWEI> system-view
[~HUAWEI] configuration current backup-to-server monthly date 1 time 12:12:12
Format
configuration file auto-save [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *
Parameters
Parameter: interval interval
Description: Specifies the interval for saving configurations.
Value: The value is an integer that ranges from 30 to 43200, in minutes. The default value is 30.
Parameter: cpu-limit cpu-usage
Description: Specifies the threshold of the CPU usage during the periodic save operation.
Value: The value is an integer that ranges from 1 to 100. The default value is 50.
Parameter: delay delay-interval
Description: Specifies the delay in automatic backup after the configuration changes.
Value: The value is an integer that ranges from 1 to 60, in minutes. The default value is five minutes. The value of delay-interval must be less than the value of interval.
Parameter: default
Description: Restores the default values for the parameters of the automatic save function.
Value: -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After this command enables the function of saving system configurations periodically, the
configuration file will not be lost if the device is powered off or restarts.
If the configuration file auto-save command is not executed, the system does not enable the
function of saving system configurations periodically. In this case, the configuration file
auto-save { interval | cpu-limit | delay } default command does not take effect.
If the configuration file auto-save command is executed, the system compares the
configuration files before saving configurations. If the configurations do not change, the
system does not save the configurations.
- You can specify interval interval to set the interval for periodically saving configurations. If interval is not specified, the default interval (30 minutes) is used.
- If cpu-limit cpu-usage is specified, the automatic save function does not affect system performance: after the automatic save timer is triggered, the system cancels the current automatic save operation if the system CPU usage is detected to be higher than the upper limit. The default upper limit of the CPU usage for the automatic save function is 50%.
- After delay delay-interval is specified, the system saves the changed configurations after the specified delay. The default value is 5 minutes.
- If the interval interval and delay delay-interval parameters are both set, the parameter whose configured interval expires first triggers the configuration save operation. When the interval configured in the other parameter expires, the system checks the configurations again and performs a save operation only when it detects a configuration change.
The undo configuration file auto-save command disables the automatic save function.
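The timing rules above can be traced with the following model. It is an added example written for this page, not code from the switch or from Huawei. The AutoSave class, its method names and the minute-based timeline are assumptions of the example; the ranges, defaults and rules it enforces are the ones documented for the command.

```python
"""Added example, not the switch's own code: a model of the configuration
file auto-save timing rules (interval timer, delay-after-change timer,
cpu-limit, and the 'save only if changed' comparison) so the interplay can
be traced on a constructed timeline. Minutes are integers; one tick is one
evaluation of the timers."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AutoSave:
    interval: int = 30        # minutes, 30..43200 (manual default 30)
    delay: int = 5            # minutes, 1..60, must be less than interval (default 5)
    cpu_limit: int = 50       # percent, 1..100 (manual default 50)
    saved_cfg: str = ""       # content last written to the next-startup file
    periodic_due: int = field(init=False)
    delay_due: Optional[int] = field(init=False, default=None)
    log: List[str] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        if not 30 <= self.interval <= 43200 or not 1 <= self.delay <= 60:
            raise ValueError("interval or delay outside the documented range")
        if self.delay >= self.interval:
            raise ValueError("delay-interval must be less than interval")
        self.periodic_due = self.interval

    def config_changed(self, now: int) -> None:
        """A configuration change arms the delay timer unless already armed."""
        if self.delay_due is None:
            self.delay_due = now + self.delay

    def tick(self, now: int, running_cfg: str, cpu_usage: int) -> Optional[str]:
        """Evaluate both timers at minute `now`. Whichever expires first
        triggers the save check; the other still expires on its own schedule
        and checks again, as the manual describes."""
        fired = False
        while now >= self.periodic_due:
            self.periodic_due += self.interval
            fired = True
        if self.delay_due is not None and now >= self.delay_due:
            self.delay_due = None
            fired = True
        if not fired:
            return None
        if cpu_usage > self.cpu_limit:
            return self._note(now, f"cancelled: CPU {cpu_usage}% above limit {self.cpu_limit}%")
        if running_cfg == self.saved_cfg:
            return self._note(now, "skipped: configuration unchanged")
        self.saved_cfg = running_cfg
        return self._note(now, "saved")

    def _note(self, now: int, msg: str) -> str:
        entry = f"t={now} {msg}"
        self.log.append(entry)
        return entry


def run_scenario() -> List[str]:
    """Constructed timeline exercising all three rules with the defaults."""
    a = AutoSave(interval=30, delay=5, cpu_limit=50, saved_cfg="cfg-v1")
    events = [  # (minute, running config, CPU %, config changed at this minute)
        (10, "cfg-v2", 20, True),
        (15, "cfg-v2", 20, False),
        (30, "cfg-v2", 20, False),
        (40, "cfg-v3", 90, True),
        (45, "cfg-v3", 90, False),
        (60, "cfg-v3", 20, False),
    ]
    for minute, cfg, cpu, changed in events:
        if changed:
            a.config_changed(minute)
        a.tick(minute, cfg, cpu)
    return a.log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

In the scenario the delay timer fires first (minute 15) and saves; the 30-minute periodic timer then expires on its own, finds nothing changed and skips; a save due at minute 45 is cancelled by CPU usage above the limit, and the change is only picked up by the next periodic expiry at minute 60. This is why the manual says the delay must be shorter than the interval: the delay timer is what makes a change reach the next-startup file promptly.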
Configuration Impact
After the autosave function is configured, the system automatically saves configurations to the server configuration file when the local configuration file differs from the server configuration file and the interval configured in the interval interval or delay delay-interval parameter expires, regardless of whether the configurations have already been saved manually.
Follow-up Procedure
Run the display saved-configuration configuration command to check the configurations
about the periodic save function.
Precautions
After the automatic save function is enabled, the configurations are saved in the configuration
file for the next startup. The content in the configuration file changes when the configuration
changes. The system cancels the automatic save operation when:
- Content is being written into the configuration file.
- The configurations are being recovered.
- The CPU usage is excessively high.
Example
# Set the automatic save interval to 60 minutes.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save interval 60
# Configure the system to save the new configuration 3 minutes after the configuration
changes at an interval of 10 hours when the upper limit of the CPU usage is 60%.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save interval 600 delay 3 cpu-limit 60
Function
The copy startup command copies the configuration file and specifies the file copy as the
configuration file for next startup.
Format
copy source-filename startup destination-filename [ slot slot-id | all ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To specify a configuration file as the next startup file, run this command to copy the
configuration file and set the file copy as the configuration file for next startup. In this case,
when configurations on the device are modified again, the configuration file for next startup is
not affected.
Follow-up Procedure
Precautions
- When using a .dat file, do not manually modify the content of the file; otherwise, the file may fail to be loaded during the startup and the device starts without any configuration file.
- You must store the source file in the flash directory.
- When this command and the startup saved-configuration command are both configured, the later configuration takes effect.
Example
# Copy the oldvrp.cfg file and specify the file copy as the configuration file for next startup.
<HUAWEI> copy oldvrp.cfg startup newvrp.cfg all
Are you sure to copy flash:/oldvrp.cfg to flash:/newvrp.cfg and specify newvrp.cfg as the configuration file for next startup? [Y/N]: y
Info: Operating, please wait for a moment....
Info: Copying file flash:/oldvrp.cfg to flash:/newvrp.cfg...Done.
Info: Succeeded in setting the configuration for booting system.
Format
configuration file auto-save backup-to-server server server-ip [ vpn-instance vpn-instance-name ] transport-type { { ftp | sftp } user user-name password password | tftp } [ path folder ]
undo configuration file auto-save backup-to-server server [ server-ip | server-ip vpn-instance vpn-instance-name ]
Parameters
Parameter: vpn-instance vpn-instance-name
Description: Specifies the name of the VPN instance.
Value: The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.
Parameter: transport-type
Description: Specifies the mode in which the configuration file is transmitted to the server.
Value: The value can be ftp, sftp, or tftp. To ensure file transfer security, use the SFTP method.
Parameter: user user-name
Description: Specifies the name of the user who saves the configuration file on the server.
Value: The value is a string of 1 to 64 characters without spaces.
Parameter: path folder
Description: Specifies the relative save path on the server. If this parameter is not specified, the FTP, SFTP, or TFTP root path is used by default.
Value: The value is a string of 1 to 64 case-sensitive characters.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run this command to periodically save the configuration file to the server.
The configuration file generated after this command is run is in the same format as the
configuration file for the next startup. If the configuration file for the next startup is a .dat file,
the configuration file generated is also a .dat file. If the configuration file for the next startup
is a .cfg or .zip file, the configuration file generated is a .zip file.
The configuration file is saved on the server as a compressed package. The package is named
in the format of YY-MM-DD.HH-MM-SS.device name.zip, for example,
2012-10-25.15-13-37.HUAWEI.zip. After the package is decompressed, the file with the file
name extension of .cfg is the configuration file.
The periodic saving interval depends on the interval configured using the configuration file
auto-save command.
Precautions
- Before using this command, run the configuration file auto-save command and enable FTP, SFTP, or TFTP on the server; otherwise, the configuration file auto-save backup-to-server command does not take effect. The system cancels the operation of periodically saving the configuration file in the following scenarios:
  – The configuration file is being written.
  – The LPU is recovering the configuration.
  – The CPU usage is high.
- The system supports a maximum of five servers. The servers are independent of each other. If the system fails to save configuration files to a server, the system reports traps to the NMS and records logs.
- When configuration files are being uploaded, the system does not save configurations to a server until the upload is complete.
- The user name and password must be the same as those used in FTP or SFTP login mode.
- The time of the configuration file generated after this command is run is UTC.
- After a bound VPN instance is deleted, the VPN configuration specified using the configuration file auto-save backup-to-server command is not cleared but does not take effect. If you configure a VPN instance with the same name again, the VPN function is restored.
- When you run this command to save configuration files to a server, the system supports only the binary transmission mode. Therefore, the server must support the binary transmission mode.
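The package naming, UTC timestamp and .cfg content rules above, together with the SFTP recommendation in the parameter table, can be checked on the server side with the following script. It is an added example, not Huawei code; the function names, the regular expressions and the constructed package it builds in memory are assumptions of the example.

```python
"""Added example, not Huawei code: server-side checks for what the
configuration file auto-save backup-to-server command is documented to
produce (package name YY-MM-DD.HH-MM-SS.device name.zip with a UTC
timestamp, one .cfg file inside), plus a review of the transport choice,
since the manual recommends SFTP for file transfer security."""
import io
import re
import zipfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Example name from the manual: 2012-10-25.15-13-37.HUAWEI.zip (four-digit year)
NAME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\.(\d{2})-(\d{2})-(\d{2})\.(.+)\.zip$")


def parse_package_name(name: str) -> Optional[Dict[str, object]]:
    """Split a package name into device name and UTC timestamp; None if the
    name does not follow the documented format."""
    m = NAME_RE.match(name)
    if not m:
        return None
    y, mo, d, h, mi, s, device = m.groups()
    ts = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=timezone.utc)
    return {"device": device, "timestamp": ts}


def cfg_member(package: bytes) -> Optional[str]:
    """Name of the single .cfg file inside the package, or None if the
    data is not a zip archive or does not contain exactly one .cfg."""
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            names = [n for n in zf.namelist() if n.lower().endswith(".cfg")]
    except zipfile.BadZipFile:
        return None
    return names[0] if len(names) == 1 else None


def build_constructed_package(cfg_text: str, member: str = "vrpcfg.cfg") -> bytes:
    """Constructed stand-in for an uploaded package (not real device output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, cfg_text)
    return buf.getvalue()


def check_transport(cmd: str) -> List[str]:
    """Review the transport-type chosen in a backup-to-server command line.
    ftp and tftp move the configuration file in cleartext; the manual's
    advice is SFTP."""
    m = re.search(r"\btransport-type\s+(ftp|sftp|tftp)\b", cmd)
    if not m:
        return ["no transport-type found in command line"]
    if m.group(1) != "sftp":
        return [f"cleartext transport {m.group(1)}; use sftp"]
    return []


if __name__ == "__main__":
    print(parse_package_name("2012-10-25.15-13-37.HUAWEI.zip"))
    print(cfg_member(build_constructed_package("sysname HUAWEI\n")))
    print(check_transport("configuration file auto-save backup-to-server "
                          "server 10.1.1.1 transport-type tftp"))
```

A monitoring job can run parse_package_name over the server directory to confirm that each device's newest package is no older than the configured auto-save interval, remembering that the timestamp in the name is UTC while the monthly backup-to-server command uses local time.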
Example
# Specify the server to which the system periodically sends the configuration file, and set the
transmission mode to SFTP.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save
[*HUAWEI] configuration file auto-save backup-to-server server 10.1.1.1 transport-type sftp user admin1234 password Helloworld@6789
Function
The display configuration command displays the configuration in a specified configuration
file.
Format
display configuration configuration-file
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a configuration file is saved using the save command, run the display configuration
command to view the configuration file.
The command output is relevant to user configuration. The command does not display the
default configuration.
Prerequisites
The specified configuration file exists.
Example
# Display the configuration file named vrpcfg.zip.
<HUAWEI> display configuration vrpcfg.zip
#
FTP server enable
#
...
aaa
local-user ftp password irreversible-cipher `xy$!D3>a#Oc5/Js:mGN*Ii8AZtE4Kb!0h*QS7J<wD(j-9oN^.5%!@OKp,.5*YKuR
local-user ftp ftp-directory flash:/
local-user ftp service-type ftp
#
...
interface 10GE1/0/1
undo shutdown
ip address 10.1.1.200 255.255.255.0
#
...
interface LoopBack0
ip address 10.10.1.1 255.255.255.255
#
...
user-interface con 0
set authentication password cipher %$%$~^Mg.QBcGS^}H.Q*w~#*,JA8%$%$
history-command max-size 30
#
user-interface vty 0 14
user privilege level 3
idle-timeout 0 0
#
return
Function
The display configuration changes command displays the difference between a
configuration file and the current running configuration file on the device.
Format
To display the difference based on the configuration file names, run:
Parameters
Parameter: file file-name
Description: Displays the difference between a configuration file and the current running configuration file.
Value: The name is a string of 5 to 64 characters in the format of *.zip, *.cfg, or *.dat. The file-name must already exist.
Parameter: label label
Description: Displays the difference between the current running configuration file and the configuration file based on a specific user label.
Value: The label must already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the display configuration changes running file file-name command to check
the difference between the current running configuration file and a specified configuration
file.
You can run the display configuration changes file file-name running command to check
the difference between a specified configuration file and the current running configuration
file.
The display configuration changes running label label command displays the difference
between the current configuration and the configuration of a specified user label.
The display configuration changes label label running command displays the difference
between the configuration of a specified user label and the current configuration.
This command can only compare the current running configuration file with a configuration
file. When you run this command, the first specified configuration file is called source
configuration, and the later specified configuration file is called target configuration. If the
target configuration is different from the source configuration, the difference is displayed
based on the following rules:
- An added command is displayed in the format of prefix+.
- A deleted command is displayed in the format of prefix-.
- If a command is modified, the original command is displayed in the format of prefix-, and the new command is displayed in the format of prefix+.
Precautions
The configuration file specified by file-name must exist on the device.
Example
# Display the difference between the current running configuration file and the configuration
file a.cfg.
<HUAWEI> display configuration changes running file a.cfg
Building configuration
Warning: The specified configuration file is not the same as the current
configuration. There are several differences as follow:
#
+ sysname China
Function
The display configuration commit at command displays all configurations of a device at a
specific configuration rollback point.
Format
display configuration commit at commit-id
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
After a user commits a command to a device, the device automatically generates a configuration rollback point, which records the configuration changes and all configurations at this point. You can run the display configuration commit at command to view all configurations of the device at this point. If the device then develops a fault, run the rollback configuration command to roll the device back to the configurations in effect before the fault occurred.
Example
# Display all configurations of a device at the 1000000481 configuration rollback point.
<HUAWEI> display configuration commit at 1000000481
#
sysname HUAWEI
#
drop-profile default
#
diffserv domain default
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
domain default_admin
#
stack
#
stack member 1 domain 10
#
---- More ----
Format
display configuration commit changes [ at commit-id | since commit-id | last number-of-commits ]
Parameters
Parameter: at commit-id
Description: Displays the configuration change at a specified configuration rollback point. Run the display configuration commit list command to check the configuration rollback points.
Value: The value is an integer that the system generates automatically.
Parameter: since commit-id
Description: Displays the configuration changes from the specified configuration rollback point to the current state. Run the display configuration commit list command to check the configuration rollback points.
Value: The value is an integer that the system generates automatically.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run this command to check the configuration changes when you need to restore the system to a historical state because incorrect operations were performed on the device or some configurations failed due to faults.
Prerequisites
Configuration has been performed and the configuration rollback point has been generated.
Follow-up Procedure
Recover or roll back the configuration after checking the configuration change.
Example
# Display the configuration change saved at the configuration rollback point numbered
1000002001.
<HUAWEI> display configuration commit changes at 1000002001
Building configuration
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0
# Display the configuration changes from the specified configuration rollback point to the
latest rollback point.
<HUAWEI> display configuration commit changes since 1000001999
Building configuration
#
- vlan batch 10
#
+ vlan batch 10 89
#
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0
# Display the configuration changes at the latest three configuration rollback points.
<HUAWEI> display configuration commit changes last 3
Building configuration
#
- vlan batch 10
#
+ vlan batch 10 89
#
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0
# Display the configuration changes at all configuration rollback points in the current system.
<HUAWEI> display configuration commit changes
Building configuration
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0
- vlan batch 10
#
+ vlan batch 10 89
Table 3-49 Description of the display configuration commit changes command output
Item: -
Description: Deleted configuration. For a modified configuration, - indicates the old configuration and + indicates the new configuration.
Item: +
Description: Added configuration. For a modified configuration, - indicates the old configuration and + indicates the new configuration.
Format
display configuration candidate changes
Parameters
None
Views
All views except the user view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before committing a set of configuration, run the display configuration candidate changes
command to view the difference between the candidate configuration and current running
configuration.
This command displays the difference between the configuration in the <candidate/>
configuration database and that in the <running/> configuration database. If a configuration
difference exists, the command output is displayed as follows:
- Commands that exist in the candidate configuration rather than the current running configuration are prefixed with "+".
- Commands that exist in the current running configuration rather than the candidate configuration are prefixed with "-".
- If a command in the current running configuration is modified in the candidate configuration, two commands that are prefixed with "-" and "+", respectively, are displayed in sequence.
Precautions
This command applies only to the two-phase validation mode.
Before you run the commit command to commit a configuration, a configuration conflict
occurs if the current running configuration is changed. In this case, run the refresh
configuration candidate command to resolve the configuration conflict, and then run the
display configuration candidate changes command to view the configuration difference.
Example
# Display the difference between the candidate configuration and current running
configuration.
<HUAWEI> system-view
[~HUAWEI] display configuration candidate changes
Building configuration
#
interface Tunnel1
- mtu 1400
+ mtu 1300
#
+ interface Tunnel3
#
Table 3-50 Description of the display configuration candidate changes command output
Item Description
- Deleted configuration.
+ Added configuration.
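The prefix rules shared by the display configuration changes and display configuration candidate changes commands, and the output tables that describe them, are illustrated by the following added example; it is not code from the manual or from Huawei. The function names, the use of difflib to compute the difference, and the SENSITIVE keyword list are assumptions of the example.

```python
"""Added example, not code from the Huawei manual: reproduce the prefix rules
used by display configuration changes and display configuration candidate
changes, and parse such output so a change can be reviewed before commit."""
import difflib
from typing import Dict, List


def config_diff(source: List[str], target: List[str]) -> List[str]:
    """Difference from source to target in the manual's format: a command
    only in target gets the '+' prefix, one only in source gets '-', and a
    modified command is shown as its old form ('-') then its new form ('+').
    Unchanged lines are kept without a prefix, as the interface Tunnel1
    context line is in the manual's example."""
    out: List[str] = []
    matcher = difflib.SequenceMatcher(a=source, b=target, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            out.extend(source[i1:i2])
            continue
        if tag in ("delete", "replace"):
            out.extend("- " + line for line in source[i1:i2])
        if tag in ("insert", "replace"):
            out.extend("+ " + line for line in target[j1:j2])
    return out


def parse_changes(output: str) -> Dict[str, List[str]]:
    """Collect added and deleted commands from a '... changes' output,
    skipping 'Building configuration', '#' separators and context lines."""
    added: List[str] = []
    deleted: List[str] = []
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("+ "):
            added.append(s[2:].strip())
        elif s.startswith("- "):
            deleted.append(s[2:].strip())
    return {"added": added, "deleted": deleted}


# Keywords whose change deserves a second look before commit. This list is a
# constructed starting point taken from the manual's sample configuration
# (local-user, user privilege level, authentication), not a Huawei list.
SENSITIVE = ("local-user", "user privilege level", "authentication", "aaa", "FTP server")


def review(changes: Dict[str, List[str]]) -> List[str]:
    """Return the changed commands that touch accounts or access control,
    deletions first, so a reviewer sees them before committing."""
    return [c for kind in ("deleted", "added") for c in changes[kind]
            if any(k in c for k in SENSITIVE)]


# Constructed running and candidate configurations (not device output).
RUNNING = ["sysname HUAWEI", "interface Tunnel1", " mtu 1400",
           "user-interface vty 0 14", " user privilege level 1"]
CANDIDATE = ["sysname HUAWEI", "interface Tunnel1", " mtu 1300",
             "user-interface vty 0 14", " user privilege level 3",
             "interface Tunnel3"]

# Output in the shape of the manual's candidate changes example (constructed).
SAMPLE_OUTPUT = """Building configuration
#
interface Tunnel1
- mtu 1400
+ mtu 1300
#
+ interface Tunnel3
#
"""


def sample() -> Dict[str, List[str]]:
    """Diff the constructed configurations and parse the result back."""
    return parse_changes("\n".join(config_diff(RUNNING, CANDIDATE)))


if __name__ == "__main__":
    print("\n".join(config_diff(RUNNING, CANDIDATE)))
    print(review(sample()))
```

Running the block prints the same '-' then '+' pair for the modified mtu and privilege-level commands that the manual's Tunnel1 example shows, and review() singles out the privilege-level change, which is the kind of difference worth catching with display configuration candidate changes before the commit command makes it live.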
Format
display configuration commit list [ verbose ] [ number-of-commits | label ]
Parameters
Parameter: verbose
Description: Displays the configuration rollback point details including the description.
Value: -
Parameter: number-of-commits
Description: Displays a specified number of configuration rollback points.
Value: The value is an integer that ranges from 1 to 100.
Parameter: label
Description: Displays the labels of the configuration rollback point list.
Value: -
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After configuring the system, run this command to check historical configuration rollback
points.
The system displays the configuration rollback points in descending order of generation time.
That is, the latest configuration rollback point is displayed first.
Follow-up Procedure
Use the rollback point label to roll back the configuration.
Example
# Display all configuration rollback points.
<HUAWEI> system-view
[~HUAWEI] sysname ROLLBACK
[*HUAWEI] commit description This is a test
[~ROLLBACK] display configuration commit list
----------------------------------------------------------------------------------------
No. CommitId Label User TimeStamp
----------------------------------------------------------------------------------------
1 1000002002 - - 2012-08-22 17:55:49+08:00
2 1000002001 - huawei 2012-08-22 17:12:04+08:00
3 1000002000 - - 2012-08-22 17:11:09+08:00
2) CommitId: 1000002001
Label: -
User: huawei
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:12:04+08:00
Description:
3) CommitId: 1000002000
Label: -
User: -
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:11:09+08:00
Description:
Table 3-51 Description of the display configuration commit list command output
Item Description
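Reading the commit list is how you audit who changed the running configuration and when. The following Python script is an added example, not part of this document or of Huawei's software: it parses both the tabular and the verbose output shown above, turns "-" fields into None, records the asterisk that marks a labelled, discontinuous rollback point (see the set configuration commit command later in this section), and flags rollback points with no attributable user as well as rows that are not in the descending time order the page promises. The sample outputs are copied from the example above; the field and finding names are the author's own choices.

```python
import re
from datetime import datetime

# Constructed samples: the two output forms shown in the example above.
COMMIT_LIST = """\
----------------------------------------------------------------------------------------
No. CommitId Label User TimeStamp
----------------------------------------------------------------------------------------
1 1000002002 - - 2012-08-22 17:55:49+08:00
2 1000002001 - huawei 2012-08-22 17:12:04+08:00
3 1000002000 - - 2012-08-22 17:11:09+08:00
"""

COMMIT_LIST_VERBOSE = """\
2) CommitId: 1000002001
Label: -
User: huawei
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:12:04+08:00
Description:
3) CommitId: 1000002000
Label: -
User: -
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:11:09+08:00
Description:
"""

# No. CommitId[*] Label User TimeStamp; '*' marks a labelled, discontinuous point.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)(\*?)\s+(\S+)\s+(\S+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})\s*$")
HEADER = re.compile(r"^\s*(\d+)\)\s*CommitId:\s*(\d+)(\*?)\s*$")


def _field(value):
    """'-' and empty fields mean 'not set' in this output."""
    return None if value.strip() in ("", "-") else value.strip()


def parse_commit_list(text):
    """Parse the tabular output into dicts (newest first, as printed)."""
    points = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            no, cid, star, label, user, ts = m.groups()
            points.append({"no": int(no), "commit_id": int(cid),
                           "detached": star == "*", "label": _field(label),
                           "user": _field(user),
                           "timestamp": datetime.fromisoformat(ts)})
    return points


def parse_commit_list_verbose(text):
    """Parse the 'N) CommitId: ...' blocks of the verbose output."""
    points, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"no": int(m.group(1)), "commit_id": int(m.group(2)),
                   "detached": m.group(3) == "*"}
            points.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip().lower().replace("-", "_")] = _field(val)
    for p in points:
        if p.get("timestamp"):
            p["timestamp"] = datetime.fromisoformat(p["timestamp"])
    return points


def audit_commit_list(points):
    """Findings worth a second look: rollback points with no attributable
    user, and rows not in descending time order (the page says the newest
    point is printed first, so anything else is not a single, intact listing)."""
    findings = [("unattributed", p["commit_id"]) for p in points if p["user"] is None]
    for newer, older in zip(points, points[1:]):
        if newer["timestamp"] < older["timestamp"]:
            findings.append(("out_of_order", older["commit_id"]))
    return findings
```

Feed the script the raw text captured from a terminal session; a rollback point with User "-" is one you cannot tie to a person, which is exactly the kind of commit to reconcile against your change records.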
Function
The display configuration recover-result command displays the configuration recovery
result after an upgrade.
Format
display configuration recover-result
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
After you run the startup saved-configuration or copy startup command to specify the
configuration file for the next startup and restart the device, run this command to check the
configuration recovery result (success, failure, or partial failure) and failure cause.
Example
# Display the configuration result after an upgrade.
<HUAWEI> display configuration recover-result
Info: The current startup saved-configuration file is flash:/vrpcfg.zip.
The number of failed commands is 1.
--------------------------------------------------------------------------------
Command : vm-manager
View : system
Line : 204
Reason : Execute failed
Time : 2013-06-25 09:13:09
--------------------------------------------------------------------------------
Function
The display configuration rollback result command displays the configurations that fail to
roll back and the messages that are generated during the configuration rollback.
Format
display configuration rollback result
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
During a configuration rollback, some configurations may fail to roll back, or messages may be generated. Run this command to check the failed configurations and the messages.
Example
# Display the latest configuration rollback failure and the messages generated during
configuration rollback.
<HUAWEI> display configuration rollback result
!warning information
interface 10GE1/0/5
+ pim bfd enable
Warning: The configuration is successful. Enable global BFD to validate the
configuration.
!There are still several differences as follow:
#
interface 10GE1/0/2
- ip address 10.3.3.3 255.255.255.0
+ ip address 10.4.4.4 255.255.255.0
#
# Display the latest configuration rollback success without messages generated during
configuration rollback.
<HUAWEI> display configuration rollback result
Info: The latest rollback operation is successful.
Table 3-53 Description of the display configuration rollback result command output
Item Description
- Deleted configuration.
For the modified configuration, - indicates the old configuration and +
indicates the new configuration.
+ Added configuration.
For the modified configuration, - indicates the old configuration and +
indicates the new configuration.
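The listings produced by display configuration candidate changes and display configuration rollback result share the +/- format described in Table 3-50 and Table 3-53. The following Python script is an added example, not code from the original page or from Huawei: it parses that format into per-view changes, pairs a "-" line with the "+" line that follows it as one modification, keeps the rollback warning messages apart from the residual differences, and reports whether a rollback actually left the device at the target state. The sample listings are the example outputs shown above; the function and field names are the author's own choices.

```python
from collections import OrderedDict

# Constructed samples, copied from the example outputs on this page.
CANDIDATE_CHANGES = """\
Building configuration
#
interface Tunnel1
- mtu 1400
+ mtu 1300
#
+ interface Tunnel3
#
"""

ROLLBACK_RESULT = """\
!warning information
interface 10GE1/0/5
+ pim bfd enable
Warning: The configuration is successful. Enable global BFD to validate the
configuration.
!There are still several differences as follow:
#
interface 10GE1/0/2
- ip address 10.3.3.3 255.255.255.0
+ ip address 10.4.4.4 255.255.255.0
#
"""

ROLLBACK_OK = "Info: The latest rollback operation is successful.\n"


def parse_config_diff(text):
    """Parse a +/- configuration listing.

    Returns (views, messages). views maps each view name, in order, to:
      status  - "added", "deleted" or "modified" for the view as a whole
                (a '+'/'-' on the line that opens a view applies to the view)
      section - "warning" for views under '!warning information',
                "difference" for real (residual) differences
      changes - list of (old, new); old or new is None when a line was only
                added or only deleted; a '-' line directly followed by a '+'
                line is one modification, as the tables above describe
    messages holds 'Warning:'/'Info:' lines with their wrapped continuations.
    """
    views, messages = OrderedDict(), []
    current, pending_old, in_message, section = None, None, False, "difference"

    def flush():
        nonlocal pending_old
        if current is not None and pending_old is not None:
            views[current]["changes"].append((pending_old, None))
        pending_old = None

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "Building configuration":
            continue
        if line.startswith("!"):               # section marker
            flush()
            current, in_message = None, False
            section = "warning" if "warning" in line.lower() else "difference"
            continue
        if line.startswith(("Warning:", "Info:")):
            messages.append(line)
            in_message = True
            continue
        if line == "#":                        # view delimiter
            flush()
            current, in_message = None, False
            continue
        signed = line[:2] in ("- ", "+ ")
        if in_message and not signed:          # wrapped continuation of a message
            messages[-1] += " " + line
            continue
        in_message = False
        sign, body = (line[0], line[2:]) if signed else (None, line)
        if current is None:                    # first line of a block names the view
            current = body
            views[current] = {"status": {"+": "added", "-": "deleted", None: "modified"}[sign],
                              "section": section, "changes": []}
        elif sign == "-":
            flush()
            pending_old = body
        elif sign == "+":
            views[current]["changes"].append((pending_old, body))
            pending_old = None
        else:
            flush()                            # unchanged context line
    flush()
    return views, messages


def residual_differences(text):
    """Views that still differ: uncommitted candidate changes, or what a
    rollback failed to restore."""
    views, _ = parse_config_diff(text)
    return [v for v, d in views.items() if d["section"] == "difference"]


def rollback_complete(text):
    """True only when the rollback result lists no residual differences."""
    return not residual_differences(text)
```

The point of separating the two sections is that a rollback result can print a reassuring "The configuration is successful" warning for one view and still leave another view (here an interface address) different from the target state; only the list returned by residual_differences tells you whether the device is where you think it is.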
Function
The display configuration sessions command displays the configuration sessions of users who have logged in to the device.
Format
display configuration sessions [ verbose ]
Parameters
Parameter | Description | Value
verbose | Displays detailed information about session status. | -
Views
All views
Default Level
3: Management level
Usage Guidelines
To query information about users who have logged in to the device, you can run the display
configuration sessions command to view session status.
Example
# Display session status.
<HUAWEI> display configuration sessions
--------------------------------------------------------------------------------
Session User-Intf User Date Lock
--------------------------------------------------------------------------------
285 _SYSTEM_ 2014-09-23 15:07:52 -
--------------------------------------------------------------------------------
Session : 286
User-Intf : SNMP_User
User :
Date : 2014-09-23 15:07:54
Lock-Type : -
Cfg-Mode : 1-stage
Client : SNMP
Elapsed-Time : 1 days, 22:36:55
Session : 514 *
User-Intf : VTY 0
User :
Date : 2014-09-25 13:39:11
Lock-Type : -
Cfg-Mode : -
Client : CLI
Elapsed-Time : 0 days, 0:05:38
--------------------------------------------------------------------------------
Function
The display current-configuration command displays the configuration currently in effect on the device.
Format
display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | interface [ interface-type [ interface-number ] ] | all | inactive ] [ include-default ]
Parameters
Parameter | Description | Value
configuration configuration-type | Specifies the configuration type. | The value is determined by the current system configuration.
configuration-instance | Specifies a configuration instance. | The value is a string of 1 to 200 case-insensitive characters without spaces. When the string is enclosed in double quotation marks, spaces are allowed.
interface [ interface-type [ interface-number ] ] | Specifies an interface type and, optionally, an interface number. | -
all | Displays all configuration information. | -
inactive | Displays offline (inactive) configuration, which is marked with an asterisk (*) in the output. | -
include-default | Also displays the default system configuration, which is marked with a tilde (~) in the output. | -
Views
All views
Default Level
3: Management level
Usage Guidelines
To check whether the configured parameters take effect, run the display current-
configuration command. The parameters that do not take effect are not displayed.
The command output depends on the user configuration. If the include-default parameter is specified, the output also includes the default system configuration, marked with a tilde (~).
You can use a regular expression to filter the command output. For the regular expression rules, see "Filtering Command Outputs" in the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Configuration Guide - Basic Configuration.
In the output of display current-configuration all or display current-configuration inactive, an asterisk (*) marks offline configuration.
Example
# Display all configurations that include vlan.
<HUAWEI> display current-configuration | include vlan
vlan batch 10 77 88
port trunk allow-pass vlan 10
Function
The display module-information command displays information about dynamically installed modules.
Format
display module-information [ verbose | next-startup ]
Parameters
Parameter | Description | Value
verbose | Displays details about dynamically installed modules. | -
next-startup | Displays information about the module file to be loaded at the next startup. | The module file must already exist, and its file name extension must be .mod or .MOD.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view information about dynamically installed modules in the system, run the display
module-information command. The information helps to monitor whether modules are
successfully installed or uninstalled.
Example
# Display details about dynamically installed modules in the system.
<HUAWEI> display module-information verbose
Module Information
--------------------------------------------------------------------
Module Version InstallTime PackageName
--------------------------------------------------------------------
TLV V200R001MOD503 2012-05-23 06:28:00 CE6850V200R001MOD503.MOD
--------------------------------------------------------------------
Total = 1
Board Info :
----------------------------------------------------------------------------------------
Slot-id ProcId Type FileName EffectiveTime Module
----------------------------------------------------------------------------------------
17 2 C HM800000.mod 2015-08-24 22:48:00.322 MOD0031
17 3 C HM800000.mod 2015-08-24 22:48:00.320 MOD0031
17 4 C HM800000.mod 2015-08-24 22:48:00.322 MOD0031
18 6 C HM800000.mod 2015-08-24 22:48:00.349 MOD0031
18 7 C HM800000.mod 2015-08-24 22:48:00.349 MOD0031
18 8 C HM800000.mod 2015-08-24 22:48:00.353 MOD0031
----------------------------------------------------------------------------------------
Total = 6
----------------------------------------------------------------------------------------
17 3 SCRIPT HM980000.mod 2014-11-19 08:26:46.491 m0
18 6 SCRIPT HM980000.mod 2014-11-19 08:26:46.812 m0
----------------------------------------------------------------------------------------
Total = 2
Item Description
Slot-id Board ID
ProcId Process ID
Function
The display saved-configuration command displays the configuration file to be used for the
next startup.
Format
display saved-configuration [ last | time | configuration ]
Parameters
Parameter Description Value
last Displays the system configurations saved last time. -
time Displays the recent time when the configurations are saved -
manually or automatically.
configuration Displays the parameters of the automatic save function. -
Views
All views
Default Level
3: Management level
Usage Guidelines
If the device has been started and is not working properly, run the display saved-
configuration command to check the device startup configuration in the file specified by
running the startup saved-configuration or copy startup command.
Run the display saved-configuration last command to check the system configurations
saved last time in the configuration file loaded during the current startup.
Run the display saved-configuration time command to check the last time when the system
configurations are saved.
Run the display saved-configuration configuration command to check the automatic save
function parameters including the automatic save interval and CPU usage.
The command output depends on the user configuration; the default configuration is not displayed.
Example
# Display the configuration file for the next startup.
<HUAWEI> display saved-configuration
#
sysname Switch
...
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.4.3 255.255.255.0
...
#
interface MEth0/0/0
ip address 192.168.200.8 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
...
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
idle-timeout 0 0
#
return
Function
The display schedule reboot command displays the configuration of the scheduled restart of
the device.
Format
display schedule reboot
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
After using the schedule reboot command to configure a scheduled restart, you can use this
command to view the configuration of the scheduled restart.
Example
# Display the configuration of the scheduled restart of the device.
<HUAWEI> display schedule reboot
Info: System will reboot at 22:00:00 2013/09/17 UTC(in 1 hours and 36 minutes).
Item Description
in hours and minutes Time span between the restart time and the current time.
Function
The display software crl command displays information about a digital signature certificate
revocation list (CRL) file.
Format
display software crl
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If an issued digital signature certificate must be revoked because its key has been compromised or for another reason, a third-party tool can mark the certificate invalid and add it to a digital certificate CRL. To check information about the digital signature CRL file loaded on the device, run the display software crl command.
Example
# Display information about a digital signature CRL file that has been loaded to the main
control board.
<HUAWEI> display software crl
----------------------------------------------------------------------------------------
Slot-id Publisher Issue date Status
----------------------------------------------------------------------------------------
1 C=CN,O=Huawei,CN=Huawei Root CA 2015-10-19 15:38:25+08:00 Valid
1 C=CN,O=Huawei,CN=Huawei Code Signing Certificate Authority 2016-04-05 16:27:05+08:00 Valid
1 C=CN,O=Huawei,CN=Huawei Timestamp Certificate Authority 2016-03-01 16:56:22+08:00 Valid
2 C=CN,O=Huawei,CN=Huawei Root CA 2015-10-19 15:38:25+08:00 Valid
2 C=CN,O=Huawei,CN=Huawei Code Signing Certificate Authority 2016-04-05 16:27:05+08:00 Valid
2 C=CN,O=Huawei,CN=Huawei Timestamp Certificate Authority 2016-03-01 16:56:22+08:00 Valid
----------------------------------------------------------------------------------------
Item Description
Status CRL status: Valid or InValid.
Function
The display startup command displays the system software, configuration file, PAF file and patch package used for the current startup and configured for the next startup.
Format
display startup [ slot slot-id ]
Parameters
Parameter | Description | Value
slot slot-id | Specifies a member device in a stack. | The value is an integer. The range depends on the specific device.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before upgrading or downgrading a device, run this command to check whether the files for the next startup have been loaded. If they have, the upgrade or downgrade completes after the device restarts. You can also run the command to view the system software and files used for the current startup.
Example
# Display the names of system software for current and next startup.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/basicsoftware.cc
Item Description
Configured startup system software | System software configured for the current startup by running the startup system-software command before the system started.
Next startup system software | System software configured for the next startup by running the startup system-software or copy startup command. If no system software for the next startup is configured, the system software used in the current startup is displayed.
Next startup saved-configuration file | Configuration file configured for the next startup by running the startup saved-configuration command. If no configuration file for the next startup is configured, the configuration file used in the current startup is displayed.
Startup paf file | PAF file used in the current startup. default indicates that no PAF file is specified or the PAF file does not take effect.
Next startup paf file | PAF file configured for the next startup. If no PAF file is configured, default is displayed.
Startup patch package | Patch package file used in the current startup. NULL indicates that no patch package file is specified or the patch package file does not take effect.
Next startup patch package | Patch package file configured for the next startup by running the startup patch command. If no patch package file is configured, NULL is displayed.
3.8.25 install-module
Function
The install-module command dynamically loads a specified module file.
Format
install-module file-name [ next-startup ]
Parameters
Parameter | Description | Value
file-name | Specifies the name of the module file to load. | The file name extension must be .MOD or .mod.
next-startup | Specifies that the module file is loaded at the next startup. | -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To install a module in the current system by loading its module file, run the install-module command. The module file name extension must be .MOD or .mod.
To view information about successfully loaded module files, run the display module-information command.
Precautions
Loading a module executes code on the device. Obtain module files only from a trusted source, and restrict the management-level (level 3) privilege that this command requires.
Example
# Load the SwitchV200R001MOD501.MOD file to the $_install_mod directory.
<HUAWEI> install-module SwitchV200R001MOD501.MOD
3.8.26 reboot
Function
The reboot command restarts the device.
Format
reboot [ fast | save diagnostic-information ]
Parameters
Parameter Description Value
fast Fast restarts the device. In fast restart mode, the -
configuration file is not saved.
save diagnostic- Saves the diagnostic information before the restart. -
information
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command has the same effect as a power cycle (powering the device off and on again), but lets you restart the device remotely.
- After the reboot or reboot save diagnostic-information command is run, the system asks whether to save the configuration. If you choose to save it, the current configuration is written to the configuration file so that it survives the reboot. If you choose not to save it, the device reboots with the configuration in the configuration file, and any unsaved configuration is lost.
- After the reboot fast command is run, the device reboots without asking whether to save the configuration, so any unsaved configuration is lost.
- After the reboot save diagnostic-information command is run, if a diagnostic information file already exists, the system asks whether to overwrite it before the reboot. If you choose to overwrite it, the system saves the current diagnostic information to the root directory of the CF card, replacing the old file. If you choose not to overwrite it, the system does not collect diagnostic information. Diagnostic information does not affect the device configuration.
Precautions
- If you do not respond to the prompt within the timeout period after running this command, the system returns to the user view and the device is not restarted.
- To avoid losing diagnostic information across a restart, configure the device to save the diagnostic information before restarting.
- This command interrupts all services on the device. Do not use it while the device is running properly.
- Before restarting the device, ensure that the configuration file has been saved.
Example
# Restart the device.
<HUAWEI> reboot
Function
The refresh configuration candidate command re-executes candidate configuration to
resolve configuration conflicts.
Format
refresh configuration candidate
Parameters
None
Views
All views except the user view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the system displays a message indicating that the current running configuration is changed
when you run the display configuration candidate changes command to view the difference
between the candidate configuration and current running configuration, run the refresh
configuration candidate command to resolve the configuration conflict so that you can
continue to view the configuration difference.
If a configuration conflict occurs before you commit the configuration, you can resolve the
configuration conflict and then run the commit command to commit the configuration.
Alternatively, run the commit command to commit the configuration directly, without
resolving the configuration conflict.
Precautions
This command applies only to the two-phase validation mode.
Example
# Update the candidate configuration based on the current running configuration to resolve
configuration conflicts.
<HUAWEI> system-view
[~HUAWEI] refresh configuration candidate
Function
The reset boot password command restores the password of the BIOS menu to the default.
Format
reset boot password [ slot slot-id ]
Parameters
Parameter | Description | Value
slot slot-id | Specifies a member device in a stack. | The value is an integer. The range depends on the specific device.
Views
User view
Default Level
3: Management level
Usage Guidelines
If you forget the password of the BIOS menu, run the reset boot password command to restore it to the default, Admin@huawei.com, and then use that password to enter the BIOS menu.
The default is a fixed, published value: after this command is run, anyone with console access and a copy of this document can enter the BIOS menu (Ctrl+B at startup, as the warning in the example shows). Treat the reset as a recovery step rather than a resting state: change the BIOS menu password as soon as you have regained access, and keep physical and console access to the device restricted.
Example
# Reset the password of the BIOS menu.
<HUAWEI> reset boot password
Warning: The password used to enter the boot menu by clicking Ctrl+B will be
restored to the default password, continue? [Y/N]: y
Info: Succeeded in setting password of BIOS to the default password.
Function
The reset saved-configuration command cancels the configuration file used for next startup.
Format
reset saved-configuration
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the device software is upgraded or the device in use is applied to another scenario, you
can run the reset saved-configuration command to cancel the configuration file used for next
startup so that the device starts with empty configurations.
Precautions
- After running this command, restart the device and enter N when the system asks whether to save the current configuration as the next startup configuration file. Only then does the cancellation of the next startup configuration file take effect; if you answer Y, the current configuration is saved as the next startup configuration file again.
- After the device starts with the default (empty) configuration, you can log in only through the console port. Remote login is not supported.
- If the next startup configuration file is empty, the device displays a message indicating that the file does not exist.
Example
# Cancel the configuration file used for next startup.
<HUAWEI> reset saved-configuration
The action will delete the saved configuration on the device.
The configuration will be erased to reconfigure.Continue? [Y/N]: y
Warning: Now the configuration on the device is being
deleted.
..........
Info: Succeeded in clearing the configuration in the device.
<HUAWEI> reboot
slot 1:
Next startup system software: flash:/basicsoftware.cc
Next startup saved-configuration file: NULL
Next startup paf file: default
Next startup patch package: NULL
Warning: The current configuration will be saved to the next startup saved-confi
guration file. Continue? [Y/N]: n
Warning: The system will reboot. Continue? [Y/N]: y
Format
rollback configuration { to { commit-id commit-id | label label | file file-name } | last number-of-commits }
Parameters
Parameter | Description | Value
commit-id commit-id | Specifies the commit ID of the configuration rollback point to which the system configuration is to be rolled back. Run the display configuration commit list command to check the configuration rollback points. | The value is an integer that the system generates automatically.
label label | Specifies the user label of a configuration rollback point. The label identifies the historical configuration state to which the system configuration is to be rolled back. | The value is a string of 1 to 256 case-sensitive ASCII characters without spaces. It must start with a letter and cannot be a single hyphen (-). The label must already exist.
last number-of-commits | Rolls the system configuration back to the state at the rollback point before the last number-of-commits rollback points. | The value is an integer.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
For example, a user performs four configuration operations and commits each of them, generating four consecutive rollback points a, b, c and d. The user then finds that the configuration committed at b is incorrect and wants to return the system to the state before b. After the user rolls the system configuration back to a, a new rollback point e is generated and marked Rollback.
If an error occurs during the configuration rollback, you can restore the configuration to the state before the rollback; this also generates a new rollback point marked Rollback.
Prerequisites
The display configuration commit changes command has been executed to check the
configuration change in the configuration rollback point to determine whether the
configuration can be rolled back to the expected historical state.
Follow-up Procedure
If some configurations fail to be rolled back, run the display configuration rollback result
command to check these configurations and the messages generated during configuration
execution.
Example
# Roll back the system to the historical configuration state at rollback point 1000000001.
<HUAWEI> rollback configuration to commit-id 1000000001
# Roll back the system to the historical configuration state at the rollback point before the last two rollback points.
<HUAWEI> rollback configuration last 2
3.8.31 save
Function
The save command saves the configurations to the configuration file.
Format
save [ configuration-file ]
Parameters
Parameter Description Value
configuration-file | Specifies the name of a configuration file. | The value is a string of 5 to 64 case-sensitive characters without spaces.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run commands to modify the current configuration of the device, but the modified
configuration will be lost after the device restarts. To enable the new configuration to take
effect after a restart, save the current configuration in the configuration file before restarting
the device.
When a series of configurations are complete and take effect, you must save the current
configuration file to the storage device.
The save configuration-file command saves the current configuration to the specified file on the storage device. In general, running save configuration-file does not affect the current startup configuration file. If the file specified by configuration-file has the same name as the current startup configuration file and is in the default directory, running save configuration-file is equivalent to running save.
If you do not specify configuration-file when saving the configuration for the first time, the system prompts for the file name and shows the accepted file name extensions. If you press Enter directly, the configuration is saved as vrpcfg.zip, the default system configuration file, which contains no configuration in the initial state.
Precautions
- If the file to be saved has the same name as an existing configuration file, the existing file is overwritten.
- The configuration file name extension must be .zip, .dat or .cfg.
  – .cfg: The file is saved in plain text. After the file is specified as the startup configuration file, the commands in it are restored one by one during startup.
  – .zip: The .cfg file is compressed into a .zip file that occupies less space. After being specified as the startup configuration file, the .zip file is decompressed to the .cfg file and the commands in it are restored one by one during startup.
  – .dat: A binary file. If the startup software version matches the .dat file version, the system restores all configurations in the .dat file in a batch when the device starts, which speeds up startup.
Example
# Save the current configuration file to the default storage medium when the switch starts with
configuration.
<HUAWEI> save
Warning: The current configuration will be written to the device. Continue? [Y/
N]:y
Now saving the current configuration to the slot 1
Info: Save the configuration successfully.
# Save the current configuration file to the default storage medium for the first time when the
switch starts without configuration.
<HUAWEI> save
Warning: The current configuration will be written to the device. Continue? [Y/
N]: y
Info: Please input the file name(*.cfg, *.zip, *.dat)[vrpcfg.zip]:
Now saving the current configuration to the slot 2 ..
Info: Save the configuration successfully.
Function
The schedule reboot command configures the device to restart at a specified time or after a specified delay. The undo schedule reboot command cancels the scheduled restart.
Format
schedule reboot { at time | delay interval [ force ] }
undo schedule reboot
Parameters
Parameter | Description | Value
at time | Specifies the device restart time. | The format of time is hh:mm YYYY/MM/DD. The restart time must be later than the current device time by no more than 720 hours. YYYY/MM/DD (year, month and day) is optional.
- hh indicates the hour and ranges from 0 to 23.
- mm indicates the minute and ranges from 0 to 59.
- YYYY indicates the year and ranges from 2000 to 2037.
- MM indicates the month and ranges from 1 to 12.
- DD indicates the day and ranges from 1 to 31.
delay interval | Specifies the delay before the device restarts. | The format of interval is hh:mm or mm. The delay must be no more than 720 hours.
- In hh:mm, hh indicates the hour and ranges from 0 to 720, and mm indicates the minute and ranges from 0 to 59.
- mm alone indicates the minute and ranges from 0 to 43200.
force | Specifies a forcible scheduled restart: no prompt is displayed, and the current configuration is neither compared with the configuration file nor saved. | -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When upgrading or restarting the device, configure it to restart at a time when few services are running, to minimize the impact on services.
Precautions
- If the schedule reboot at command specifies a future date (YYYY/MM/DD), the device restarts at that time, with an error of up to 1 minute. If no date is specified, two cases apply: if the specified time is later than the current time, the device restarts at that time on the same day; if it is earlier than the current time, the device restarts at that time on the next day.
- The gap between the specified date and the current date must be no more than 720 hours. If a scheduled restart has already been configured, the latest configuration overrides the previous one.
- Run the schedule reboot delay interval command to set the delay before the device restarts. If force is not specified, the system compares the configuration file with the current configuration; if they differ, it asks whether to save the current configuration. After you answer, the system asks you to confirm the restart time; enter Y or y to make it take effect. If force is specified, the system displays no prompt, the restart time takes effect directly, and the current configuration is neither compared nor saved.
- The scheduled restart is cancelled if you use the clock datetime command to set the system time to more than 10 minutes later than the scheduled restart time. If the new system time is later than the restart time by 10 minutes or less, the device restarts immediately without saving the configuration.
- This command restarts the device at the specified time and interrupts all services on it. Do not use it while the device is running properly.
- Before restarting the device, ensure that the configuration file has been saved.
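The time rules above are easy to get wrong by hand, and a scheduled restart that fires on the wrong day is an outage. The following Python functions are an added example, not part of the original page or of Huawei's software: they resolve the at time and delay interval forms to an absolute restart time using the rules from the parameter table and precautions (same-day or next-day rollover when no date is given, the 2000-2037 year range, the 720-hour limit, and the 10-minute rule for a clock change), and render the Info line in the form the example below shows. Where the page gives both "less than" and "no more than" 720 hours, the inclusive bound is used; the function names, the reading of the 10-minute rule and SAMPLE_NOW are the author's assumptions.

```python
import re
from datetime import datetime, timedelta

MAX_AHEAD = timedelta(hours=720)
# Constructed "current device time" for the examples (assumption).
SAMPLE_NOW = datetime(2017, 8, 7, 10, 41)


def resolve_reboot_at(spec, now):
    """Resolve `schedule reboot at time` to an absolute restart time.

    spec is 'hh:mm' or 'hh:mm YYYY/MM/DD'. Without a date, a time later than
    `now` means today and a time not later than `now` means tomorrow. Raises
    ValueError for a bad format, a year outside 2000-2037, a time that is not
    later than `now`, or a time more than 720 hours ahead (the page states both
    'less than' and 'no more than' 720 hours; the inclusive bound is used).
    """
    m = re.fullmatch(r"(\d{1,2}):(\d{2})(?: (\d{4})/(\d{1,2})/(\d{1,2}))?", spec.strip())
    if not m:
        raise ValueError("time must be hh:mm [YYYY/MM/DD]")
    hh, mm = int(m.group(1)), int(m.group(2))
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError("hh must be 0-23 and mm 0-59")
    if m.group(3):
        yyyy, mon, dd = int(m.group(3)), int(m.group(4)), int(m.group(5))
        if not 2000 <= yyyy <= 2037:
            raise ValueError("YYYY must be 2000-2037")
        when = datetime(yyyy, mon, dd, hh, mm)   # ValueError on an impossible date
    else:
        when = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
        if when <= now:
            when += timedelta(days=1)            # same time next day
    ahead = when - now
    if ahead <= timedelta(0):
        raise ValueError("restart time must be later than the current time")
    if ahead > MAX_AHEAD:
        raise ValueError("restart time must be within 720 hours")
    return when


def resolve_reboot_delay(spec, now):
    """Resolve `schedule reboot delay interval` ('hh:mm' or 'mm') to a restart time."""
    s = spec.strip()
    if re.fullmatch(r"\d{1,3}:\d{2}", s):
        hh, mm = (int(x) for x in s.split(":"))
        if not (0 <= hh <= 720 and 0 <= mm <= 59):
            raise ValueError("hh must be 0-720 and mm 0-59")
        delay = timedelta(hours=hh, minutes=mm)
    elif re.fullmatch(r"\d{1,5}", s):
        delay = timedelta(minutes=int(s))
        if delay > timedelta(minutes=43200):
            raise ValueError("mm must be 0-43200")
    else:
        raise ValueError("interval must be hh:mm or mm")
    if delay > MAX_AHEAD:
        raise ValueError("delay must be no more than 720 hours")
    return now + delay


def after_clock_change(scheduled, new_clock):
    """Effect of `clock datetime` on a pending scheduled restart, per the
    precautions above: 'cancelled' when the new time is more than 10 minutes
    past the restart time, 'reboot_now' (without saving) when it is past the
    restart time by 10 minutes or less, else 'pending'. Reading taken here
    (assumption): a clock that is still before the restart time leaves the
    schedule in place."""
    past = new_clock - scheduled
    if past > timedelta(minutes=10):
        return "cancelled"
    if past >= timedelta(0):
        return "reboot_now"
    return "pending"


def format_info(when, now):
    """Render the Info line the way the example output below does."""
    minutes = int((when - now).total_seconds() // 60)
    return "Reboot system at %s UTC (in %d hours and %d minutes)." % (
        when.strftime("%H:%M:%S %Y/%m/%d"), minutes // 60, minutes % 60)
```

Run the resolver against the device's own clock (display clock), not the operator's workstation: the next-day rollover and the 10-minute rule are both evaluated in device time.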
Example
# Configure the device to restart at 22:00.
<HUAWEI> schedule reboot at 22:00
Warning: The current configuration will be saved to the next startup saved-
configuration file. Continue? [Y/N]:y
Now saving the current configuration....
Save the configuration successfully.
Info: Reboot system at 22:00:00 2017/08/07 UTC (in 11 hours and 19
minutes).
Confirm? [Y/N]:y
Function
The set configuration commit command specifies a user label for an existing configuration rollback point.
Format
set configuration commit commit-id label label-string
Parameters
Parameter | Description | Value
commit-id | Specifies the ID of a configuration rollback point. | The value is an integer ranging from 1000000001 to 1999999999, generated by the system automatically.
label label-string | Specifies the user label for the configuration rollback point. | The value is a string of 1 to 256 case-sensitive ASCII characters without spaces. It must start with a letter and cannot be a single hyphen (-).
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a configuration rollback point is generated, the system automatically allocates a commit
ID for this configuration rollback point. The commit ID is an integer that ranges from
1000000001 to 1999999999, which is difficult to understand and remember. When the
number of configuration rollback points that are automatically generated by the system
reaches the upper threshold, earliest configuration rollback points are replaced by latest
configuration rollback points. For some important configurations, however, the related
configuration rollback points need to be retained. In this case, you can run the set
configuration commit command to specify a user label for a configuration rollback point,
which is easy to understand and remember and configuration rollback points related to
important configurations are not replaced.
You can specify a user label when a configuration rollback point is generated using the
commit command. If a configuration rollback point has been generated, you can run the set
configuration commit command to add a user label for the configuration rollback point. For
continuous configuration rollback points with labels, you cannot directly modify the labels.
You must run the clear configuration commit commit-id label command to delete the labels
of the configuration rollback points first and then run the set configuration commit
command to specify user labels for the configuration rollback points.
NOTE
For discontinuous configuration rollback points with labels (values of the CommitId fields of the
configuration rollback points in the display configuration commit list command output are marked
with an asterisk [*]), exercise caution when running the clear configuration commit commit-id label
command because this command will simultaneously delete the configuration rollback points and their
labels.
You can run the clear configuration commit commit-id label command to delete label
information of a configuration rollback point.
You can run the display configuration commit list command to check label information of a
configuration rollback point.
Precautions
l In unified management mode, the set configuration commit command can only be run in a physical system (PS).
l You cannot run the clear configuration commit oldest number-of-commits command to
delete a configuration rollback point with a label.
l If the set configuration commit command has been run, you cannot run the rollback
configuration command to roll back the system to the previous configuration.
l If you run the set configuration commit command multiple times, only the latest
configuration takes effect.
Example
# Set the label new_label for configuration commit ID 1000000002.
<HUAWEI> set configuration commit 1000000002 label new_label
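The retention rules above (labeled rollback points survive automatic replacement, are skipped by clear configuration commit oldest, and must have their label cleared before a new one is set) are easier to reason about as a small model. The following is an added example written for this page, not code from the Huawei command reference or the device. The capacity of 3 and the sequential commit IDs are this example's own choices; the device allocates real IDs in the range 1000000001 to 1999999999 and its threshold is product specific. The continuous/discontinuous distinction for labeled points is not modeled, and what happens when every point is labeled is an assumption marked in the code.

```python
"""Added example (not from the Huawei command reference): a model of how
labeled configuration rollback points survive automatic replacement."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIRST_COMMIT_ID = 1000000001   # range documented for automatically allocated commit IDs
LAST_COMMIT_ID = 1999999999


@dataclass
class RollbackPoint:
    commit_id: int
    label: Optional[str] = None


class CommitHistory:
    def __init__(self, capacity: int):
        self.capacity = capacity              # upper threshold of automatically kept points (assumed value)
        self.points: List[RollbackPoint] = []  # oldest first
        self._next_id = FIRST_COMMIT_ID

    def commit(self, label: Optional[str] = None) -> int:
        """`commit [label label]`: create a rollback point; when the threshold is reached,
        the oldest unlabeled point is replaced, never a labeled one."""
        if self._next_id > LAST_COMMIT_ID:
            raise RuntimeError("commit ID space exhausted")
        if len(self.points) >= self.capacity:
            victim = next((p for p in self.points if p.label is None), None)
            if victim is not None:
                self.points.remove(victim)
            # Assumption: if every point is labeled, the new commit is still accepted
            # and the history grows past the threshold (the page does not say).
        point = RollbackPoint(self._next_id, label)
        self._next_id += 1
        self.points.append(point)
        return point.commit_id

    def set_label(self, commit_id: int, label: str) -> None:
        """`set configuration commit commit-id label label` on an existing point."""
        point = self._find(commit_id)
        if point.label is not None:
            raise ValueError("clear the existing label first (clear configuration commit commit-id label)")
        point.label = label

    def clear_label(self, commit_id: int) -> None:
        """`clear configuration commit commit-id label`."""
        self._find(commit_id).label = None

    def clear_oldest(self, count: int) -> List[int]:
        """`clear configuration commit oldest count`: labeled points are skipped, never deleted."""
        removed: List[int] = []
        for p in list(self.points):
            if len(removed) == count:
                break
            if p.label is None:
                self.points.remove(p)
                removed.append(p.commit_id)
        return removed

    def list_points(self) -> List[Tuple[int, Optional[str]]]:
        """Rough equivalent of `display configuration commit list`: (commit_id, label), oldest first."""
        return [(p.commit_id, p.label) for p in self.points]

    def _find(self, commit_id: int) -> RollbackPoint:
        for p in self.points:
            if p.commit_id == commit_id:
                return p
        raise KeyError(f"no rollback point {commit_id}")


def relabel_rejected(history: CommitHistory, commit_id: int, label: str) -> bool:
    """True when set_label is refused because the point is already labeled."""
    try:
        history.set_label(commit_id, label)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    h = CommitHistory(capacity=3)
    for _ in range(3):
        h.commit()
    h.set_label(1000000001, "golden")
    h.commit()                       # replaces 1000000002, keeps the labeled point
    print(h.list_points())
```

The point to take from the model: the commit you want to be able to roll back to after an incident must be labeled before the threshold is reached, because once it has been replaced no label can bring it back.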
Function
The software crl load command loads a digital signature certificate revocation list (CRL) file
to the main control board.
Format
software crl load crl-name
Parameters
Parameter Description Value
crl-name Specifies a CRL name. The CRL file must be in the flash directory of the main control board. The value is a string of 5 to 63 case-insensitive characters, spaces not supported. The file name is determined by the uploaded file and must be the same as the name of the uploaded file.
Views
User view
Default Level
3: Management level
Usage Guidelines
The lifetime of a certificate is limited. A certificate authority (CA) can revoke a certificate to shorten its lifetime. A CRL, issued by the CA, is a list of certificates that have been revoked and therefore must no longer be trusted. If a CA revokes a certificate, the key pair bound to the certificate can no longer be used even if the certificate has not yet expired. After a certificate in a CRL expires, the CA removes it from the CRL to keep the list short.
If an issued digital signature certificate needs to be revoked because its private key was compromised or for other reasons, a third-party tool can be used to mark the certificate invalid and add it to a digital signature CRL. To load the latest digital signature CRL file to a device, run the software crl load command. The loaded CRL is applied when the device verifies digital signature certificates at the next startup.
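To make the CRL check concrete, the following added example (written for this page; not code from the Huawei command reference or the device) parses an X.509 CRL in DER form, as the file loaded with software crl load is assumed to be, and decides whether a given certificate serial number is revoked and whether the list itself is still current. The sample CRL is constructed inline with a dummy all-zero signature, so it demonstrates the structure only; on a real list the CA signature must be verified before any of its contents are trusted, which this example deliberately does not do.

```python
"""Added example (not from the Huawei command reference): parse a DER X.509 CRL
(RFC 5280 section 5.1) and answer 'is serial N revoked?' and 'is the CRL current?'.
The CRL signature is NOT verified here; a real check must do that first."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


# --- minimal DER helpers (encode is only used to build the constructed sample) ---
def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a definite-length header (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def der_int(value: int) -> bytes:
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def der_utctime(stamp: str) -> bytes:
    return der(0x17, stamp.encode("ascii"))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def parse_time(tag: int, raw: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


# --- CRL parsing ---
@dataclass
class Crl:
    this_update: datetime
    next_update: Optional[datetime]
    revoked: Dict[int, datetime] = field(default_factory=dict)  # serial -> revocation date


def parse_crl(crl_der: bytes) -> Crl:
    """Walk CertificateList -> TBSCertList and collect revokedCertificates."""
    tag, cert_list, _ = read_tlv(crl_der, 0)
    assert tag == 0x30, "CertificateList must be a SEQUENCE"
    _, tbs, _ = read_tlv(cert_list, 0)
    elems = children(tbs)
    i = 1 if elems[0][0] == 0x02 else 0   # optional version INTEGER
    i += 2                                 # signature AlgorithmIdentifier, issuer Name
    times = []
    while i < len(elems) and elems[i][0] in (0x17, 0x18):  # thisUpdate, optional nextUpdate
        times.append(parse_time(*elems[i]))
        i += 1
    crl = Crl(this_update=times[0], next_update=times[1] if len(times) > 1 else None)
    if i < len(elems) and elems[i][0] == 0x30:             # revokedCertificates SEQUENCE OF
        for _, entry in children(elems[i][1]):
            fields = children(entry)                       # userCertificate, revocationDate, [exts]
            serial = int.from_bytes(fields[0][1], "big", signed=True)
            crl.revoked[serial] = parse_time(*fields[1])
    return crl


def is_revoked(crl: Crl, serial: int) -> bool:
    return serial in crl.revoked


def crl_is_current(crl: Crl, now: datetime) -> bool:
    """A CRL past nextUpdate is stale: a newer list may revoke more certificates."""
    return crl.this_update <= now and (crl.next_update is None or now < crl.next_update)


# --- constructed sample: two revoked serials, dummy (all-zero) signature ---
def sample_crl() -> bytes:
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Constructed Test CA"))))
    entries = (der(0x30, der_int(0x1001) + der_utctime("240102030405Z"))
               + der(0x30, der_int(0x1002) + der_utctime("240203040506Z")))
    tbs = der(0x30, der_int(1) + sha256_rsa + issuer
              + der_utctime("240301000000Z") + der_utctime("240331000000Z") + der(0x30, entries))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 33))  # BIT STRING: 0 unused bits + dummy signature


if __name__ == "__main__":
    crl = parse_crl(sample_crl())
    for serial in (0x1001, 0x1003):
        print(hex(serial), "revoked" if is_revoked(crl, serial) else "not revoked")
```

Two checks matter in practice beyond the serial lookup: the CRL's nextUpdate must not have passed (an old list silently misses newer revocations), and the list must be signed by the CA that issued the certificates it covers; loading a CRL from an untrusted source is itself an attack vector.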
Example
# Load a CRL file to the main control board.
<HUAWEI> software crl load crldata-new.crl
Function
The startup saved-configuration command specifies the system configuration file for next
startup.
Format
startup saved-configuration configuration-file [ slot slot-id ]
Parameters
Parameter Description Value
configuration-file Specifies the name of a configuration file. Make sure that the file exists. The name of a configuration file must already exist. The file name extension can be .zip, .dat, or .cfg.
slot slot-id Specifies a member device in a stack. The value is an integer. The range of the integer is dependent on the specific device.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the original configuration file can no longer be used after a software upgrade, run the startup saved-configuration command to specify another configuration file for next startup.
The startup configuration file must be saved in the root directory of the storage device.
Follow-up Procedure
Precautions
l The configuration file specified for the next startup must exist.
l The configuration file name extension must be .zip, .dat, or .cfg.
– A configuration file with the file name extension .cfg is a text file, and you can view its content in a text editor. After the file is specified as the configuration file for next startup, the system restores the commands in the file one by one during startup.
– A .zip file is a compressed .cfg file that occupies less space. After being specified as the configuration file, the .zip file is decompressed to the .cfg file and the system restores the commands in the .cfg file one by one during startup.
– A .dat file is a binary file. If the startup software version and the .dat file version are the same, the system restores all configurations in the .dat file in batches when the device starts, which speeds up startup. If the versions differ, the system restores the configuration by running the commands in the .dat file one by one.
l Both this command and the copy startup command specify the configuration file for next startup; whichever is run later takes effect.
Example
# Specify the system configuration file for the next startup.
<HUAWEI> startup saved-configuration vrpcfg.cfg
Info: Succeeded in setting the configuration for booting system.
Function
The startup system-software command specifies the system software for next startup.
Format
startup system-software system-file [ all | slave-board | slot slot-id ]
Parameters
Parameter Description Value
system-file Specifies the name of the system software file. The name of the system software file must already exist. It is in the format of [ drive-name ] [ file-name ]. If drive-name is not specified, the name of the default storage device is used.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
In system software upgrade or downgrade, run this command to specify the system software
for next startup.
Follow-up Procedure
Run the reboot command to restart the device.
Precautions
l The system software package must use .cc as the file name extension and be saved to the
root directory of the storage device.
l The system software configured for next startup cannot be deleted.
Example
# Specify the system software to be loaded for next startup.
<HUAWEI> startup system-software basicsoft.cc
Format
startup patch patch-name { all | slot slot-id }
Parameters
Parameter Description Value
patch-name Specifies the name of the patch file for next startup. The name of the patch file must already exist. It is in the format of [ drive-name ] [ path ] [ file-name ]. If drive-name is not specified, the name of the default storage device is used.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To make the patch file take effect after the device restarts, run this command to specify the
patch file for next startup.
Prerequisites
The desired patch file has been uploaded to the Flash:/ of the device.
Follow-up Procedure
Run the reboot command to restart the device.
Precautions
l A patch file uses .pat as the file name extension and must be saved in the root directory.
l If you use this command to specify another patch for next startup, the previous patch will
be overridden.
l After the patch file is specified for next startup, run the display patch-information command to view the patch file.
– If the patch file for next startup is not empty, the device loads the patch automatically after next startup.
– If the patch file for next startup is empty, the device cannot load the patch after next startup.
l After the device restarts, the system loads and runs the patch. If you do not want the system to load the patch file after startup, use either of the following methods to remove it:
– Run the patch delete all command to delete the current patch.
– Run the reset patch-configure next-startup command to clear the patch file specified for next startup.
Example
# Specify the patch file for next startup.
<HUAWEI> startup patch patch.pat all
3.8.38 uninstall-module
Function
The uninstall-module command uninstalls a specified module file.
Format
uninstall-module { file-name [ next-startup ] | all }
Parameters
Parameter Description Value
file-name Specifies the name of the module file to be uninstalled. The value is a string of 5 to 63 case-sensitive characters with the file name extension .mod or .MOD.
next-startup Specifies the module file loaded at next startup. -
all Specifies that all modules need to be uninstalled. -
Views
User view
Default Level
3: Management level
Usage Guidelines
The uninstall-module command can be used to uninstall in-use modules from the system.
The display module-information command can be used to check whether a specified module
has been uninstalled from the system.
Example
# Uninstall module 123.MOD from the system.
<HUAWEI> uninstall-module 123.MOD
This will uninstall the module. Are you sure? [Y/N]:y
Info: Succeeded in uninstalling the module.
Function
The display fei frame backup-time command displays the backup time of each service
module during an ISSU upgrade.
NOTE
Format
display fei frame backup-time slot slot-id component fei
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check the backup time of each service module during an ISSU
upgrade, including the backup start time and end time.
Example
# Display the backup time of each service module during an ISSU upgrade.
<HUAWEI> display fei frame backup-time slot 1 component fei
The details of service backup time as follows:
--------------------------------------------------------------------------------------------
Service  BeginTime  EndTime   UsedTime (s)  ThresholdTime (s)
--------------------------------------------------------------------------------------------
MC       15:25:29   15:25:31  2             50
Table 3-59 Description of the display fei frame backup-time command output
Item Description
ThresholdTime (s) Upper threshold for the time taken for backup.
Format
display issu check-result
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
After you use the issu check command to perform ISSU check, you can use the display issu
check-result command to view the check result.
Example
# Display the result of system upgrade check.
------------------------------------------------------------------------------
Info: The upgrade procedure is:
Reboot the slave board with the upgrade system software.
Create standby process with the upgrade system software, and detailed process
groups are as follows:
process group: 10003 slot: 1
process group: 10005 slot: 3
process group: 10004 slot: 1
process group: 10006 slot: 3
Upgrade process with the upgrade system software, and detailed process groups
are as follows:
process group: 10003 slot: 1
process group: 10005 slot: 3
process group: 10004 slot: 1
process group: 10006 slot: 3
process group: 3 slot: 1
process group: 1000 slot: 1
process group: 10001 slot: 1
process group: 1002 slot: 1
process group: 1001 slot: 1
process group: 2 slot: 1
process group: 10002 slot: 1
Reboot group with the upgrade system software, The detail groups is below:
board group: 1 slot: 3
Reboot the master board with the upgrade system software.
------------------------------------------------------------------------------
Format
display issu group
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
You can run the command to check information about device groups during ISSU.
Example
# Display current information about board groups.
<HUAWEI> display issu group
Grouping Information
-----------------------------------
GroupId SlotId BoardType
-----------------------------------
1 1 MPU
-----------------------------------
Item Description
SlotId ID of a device.
Format
display issu report
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
After you use the issu start command to start ISSU, you can use the display issu report
command to view detailed information about the ISSU process.
Example
# Display detailed information about the ISSU progress.
<HUAWEI> display issu report
-----------------------------ISSU REPORT-----------------------------------
Upgrade number : 20150815164424
Upgrade type : lossy
Upgrade result : success
Base package : CE6850EI-V100R005C00SPC300.cc
Upgrade package : CE6850EI-V100R005C10SPC200.cc
Base patch : CE6850EI-V100R005SPH001.PAT
Base paf : default
Upgrade paf : default
Upgrade rollback time(min) : 120
---------------------------------------------------------------------------
Upgrade procedure details:
slot: 1 [reboot]
begin time: 2015/08/15 16:46:07
end time: 2015/08/15 16:54:26
duration: 0 Hours 8 Minutes 19 Seconds
slot: 2 [upgrade process]
process group: 10003
begin time: 2015/08/15 16:54:32
end time: 2015/08/15 16:56:04
duration: 0 Hours 1 Minutes 32 Seconds
slot: 2 [upgrade process]
process group: 10004
begin time: 2015/08/15 16:54:33
end time: 2015/08/15 16:56:04
duration: 0 Hours 1 Minutes 31 Seconds
slot: 2 [reset process]
process group: 3
Item Description
Upgrade start begin time Date and time when the ISSU start phase
begins.
Upgrade start end time Date and time when the ISSU start phase
ends.
Upgrade start total duration Duration for the ISSU start phase.
Format
display issu rollback-timer
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the issu start [ rollback-timer [ time ] ] system-file [ patch patch-name ] command sets the
ISSU rollback timer value, you can use the display issu rollback-timer command to view the
remaining time of the ISSU rollback timer.
Prerequisites
The rollback-timer parameter has been specified in the issu start [ rollback-timer [ time ] ]
system-file [ patch patch-name ] command in ISSU start phase.
Example
# Display the remaining time of the ISSU rollback timer during ISSU.
<HUAWEI> display issu rollback-timer
-----------------------------------------
Timer Timeleft(min)
-----------------------------------------
rollback 50
-----------------------------------------
Function
The display issu state command displays the ISSU phase.
Format
display issu state
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
You can use the display issu state command to check which ISSU phase the system enters,
which can be ISSU check, ISSU start, or ISSU confirm.
Example
# Display the ISSU phase.
<HUAWEI> display issu state
--------------------------------------------------------------------------------
Phase State Progress
--------------------------------------------------------------------------------
1.issu check : finished 100%
2.issu start : processing 90%
3.issu confirm : - 0%
--------------------------------------------------------------------------------
Format
issu abort
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
While an ISSU is in progress, you can run the issu abort command to abort it after the ISSU start phase is over (run the display issu state command to check that issu start is finished). The system then restarts and rolls back to the previous software version.
Prerequisites
The rollback-timer parameter has been specified in the issu start command in the ISSU start
phase.
Example
# Abort ISSU.
<HUAWEI> issu abort
Warning: The upgrade operation will be aborted, and the system will reboot to old
version. Continue?
Format
issu check system-file [ patch patch-name ]
Parameters
Parameter Description Value
system-file Specifies the path for storing the system upgrade file and file name. The value is a string of 4 to 127 case-sensitive characters without spaces. The default directory is flash:/.
patch patch-name Specifies the path for storing the patch file and file name. The value is a string of 5 to 63 case-sensitive characters without spaces. The default directory is flash:/.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before performing ISSU, you need to check whether the system meets ISSU requirements
using the issu check command. ISSU check includes checking the system running
environment, new version integrity and validity, hardware compatibility, and software
compatibility.
Prerequisites
The new system software has been uploaded to all stack member switches.
Follow-up Procedure
If no error information is displayed in the output of the issu check command, the check result
is success. You can also run the display issu check-result command to view the ISSU check
result.
Example
# Perform ISSU check.
<HUAWEI> issu check CE6800-V100R006C00SPC600.cc
Format
issu confirm
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you run the issu start command and specify the rollback-timer parameter to start
ISSU, you need to run the issu confirm command to confirm ISSU before the rollback timer
expires or run the issu abort command to abort ISSU to enable the system to roll back to the
old version.
Prerequisites
The issu confirm command can be run to confirm the upgrade result only when the rollback-
timer parameter is specified in the issu start command.
Configuration Impact
After the issu confirm command is executed, the new system software is specified as the
software for the next startup. The ISSU is complete.
Example
# Confirm the upgrade result.
<HUAWEI> issu confirm
Function
The issu group command adds a device to a specified group in an ISSU upgrade.
Format
issu group group-id add slot slot-id
Parameters
Parameter Description Value
group-id Specifies the ID of a group that a device belongs to. The value is an integer that ranges from 1 to 65535.
slot slot-id Specifies the ID of a device. The value is an integer. You can enter ? to select a value as prompted.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
During an ISSU upgrade of an SVF system, the system groups leaf switches and upgrades the
leaf switches in ascending order of their group IDs.
By default, the system adds a device to a default group. You can manually add a device to a
different group to change the sequence in which devices are restarted. Upstream and
downstream devices then connect to devices in different groups, reducing the service
interruption time.
You can run the display issu group command to check which group the current device
belongs to.
Precautions
You can add only leaf switches in an SVF system but not slave switches in a stack to a
specified group.
Example
# Add the device with leaf ID 104 to group 2.
<HUAWEI> issu group 2 add slot 104
Format
issu reset rollback-timer [ time | limitless ]
Parameters
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the system enters the ISSU start phase, the ISSU rollback timer is automatically
activated. If the ISSU rollback timer expires before the ISSU confirm phase, the system rolls
back to the old version. You can reset the ISSU rollback timer value according to service
requirements.
Prerequisites
The rollback-timer parameter has been specified in the issu start command.
Precautions
If you use the issu reset rollback-timer command to reset the ISSU rollback timer value, the
new configuration takes effect immediately and the old configuration becomes invalid.
Example
# Reset the ISSU rollback timer to 100 minutes.
<HUAWEI> issu reset rollback-timer 100
Function
The issu start command starts ISSU.
Format
issu start [ rollback-timer [ time ] ] system-file [ patch patch-name ]
Parameters
Parameter Description Value
time Specifies the ISSU rollback timer value. If rollback-timer is specified but time is not specified, the default value of the rollback timer is used. The value is an integer that ranges from 0 to 2880, in minutes. The default value is 120 minutes. 0 indicates that the ISSU rollback timer is infinite.
system-file Specifies the path for storing the system upgrade file and file name. The value is a string of 4 to 127 case-sensitive characters without spaces. The default directory is flash:/.
patch patch-name Specifies the path for storing the patch file and file name. The value is a string of 5 to 63 case-sensitive characters without spaces. The default directory is flash:/.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After you run the issu start command to start ISSU, the system enters the ISSU start phase.
All stack member switches upgrade from the old version to new version.
Precautions
When you run the issu start command without specifying the rollback-timer parameter to
start ISSU, the system confirms ISSU after the ISSU start phase ends. In this situation, you do
not need to run the issu confirm command to confirm ISSU. If you specify the rollback-
timer parameter, you need to run the issu confirm command before the rollback timer expires
or run the issu abort command to abort ISSU to enable the system to roll back to the old
version.
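The interplay of issu start, issu confirm, issu abort, issu reset rollback-timer and the rollback timer shown by display issu rollback-timer is the part of ISSU most often got wrong under time pressure (an operator who forgets to confirm gets an unplanned reboot to the old version). The following added example, written for this page and not code from the Huawei command reference or the device, models those phase and timer rules so they can be stepped through offline. The version names, the minute-based simulation clock and all method names are this example's own; only the rules (default 120 minutes, range 0 to 2880, 0 meaning infinite, auto-confirm when no timer is given, rollback on expiry) come from the command descriptions above.

```python
"""Added example (not from the Huawei command reference): a model of the ISSU
phases and rollback-timer rules of issu start / confirm / abort / reset rollback-timer."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_ROLLBACK_MIN = 120   # used when rollback-timer is given without a time
MAX_ROLLBACK_MIN = 2880      # upper bound of the time parameter


class IssuError(RuntimeError):
    """Raised where the device would reject the command in the current phase."""


@dataclass
class IssuSession:
    running: str = "old.cc"          # software the stack is currently running (example's own names)
    next_startup: str = "old.cc"     # software specified for next startup
    phase: str = "idle"              # idle | checked | started | confirmed | rolled back
    clock_min: float = 0.0           # simulation clock in minutes (assumed)
    deadline_min: Optional[float] = None   # rollback deadline on that clock; None when no timer
    limitless: bool = False          # timer value 0 / issu reset rollback-timer limitless

    def check(self, system_file: str) -> None:
        """issu check: must succeed before issu start."""
        if self.phase == "started":
            raise IssuError("an ISSU is already in progress")
        self.phase = "checked"

    def start(self, system_file: str, rollback_timer: bool = False, time: Optional[int] = None) -> None:
        """issu start [ rollback-timer [ time ] ] system-file"""
        if self.phase != "checked":
            raise IssuError("run issu check before issu start")
        self.running = system_file
        if not rollback_timer:
            # No rollback-timer: the system confirms the upgrade itself after the start phase.
            self.next_startup = system_file
            self.phase = "confirmed"
            return
        self.phase = "started"
        self._arm(DEFAULT_ROLLBACK_MIN if time is None else time)

    def _arm(self, minutes: int) -> None:
        if not 0 <= minutes <= MAX_ROLLBACK_MIN:
            raise IssuError(f"rollback timer must be 0..{MAX_ROLLBACK_MIN} minutes")
        self.limitless = minutes == 0                       # 0 means the timer never expires
        self.deadline_min = None if self.limitless else self.clock_min + minutes

    def reset_rollback_timer(self, time: Optional[int] = None, limitless: bool = False) -> None:
        """issu reset rollback-timer [ time | limitless ]: the new value replaces the old one at once."""
        self._require_started("issu reset rollback-timer")
        self._arm(0 if limitless else (DEFAULT_ROLLBACK_MIN if time is None else time))

    def remaining_min(self) -> Optional[float]:
        """What display issu rollback-timer would report; None when no finite timer is armed."""
        if self.phase != "started" or self.limitless:
            return None
        return max(0.0, self.deadline_min - self.clock_min)

    def elapse(self, minutes: float) -> None:
        """Advance the clock; an expired timer before issu confirm rolls the stack back."""
        self.clock_min += minutes
        if self.phase == "started" and not self.limitless and self.clock_min >= self.deadline_min:
            self._rollback()

    def confirm(self) -> None:
        """issu confirm: new software becomes the next-startup software; ISSU is complete."""
        self._require_started("issu confirm")
        self.next_startup = self.running
        self.phase = "confirmed"
        self.deadline_min = None

    def abort(self) -> None:
        """issu abort: reboot to the old version."""
        self._require_started("issu abort")
        self._rollback()

    def _require_started(self, cmd: str) -> None:
        if self.phase != "started":
            raise IssuError(f"{cmd} is only valid after issu start with rollback-timer")

    def _rollback(self) -> None:
        self.running = self.next_startup      # next startup still points at the old software
        self.phase = "rolled back"
        self.deadline_min = None
        self.limitless = False


def rejected(action, *args) -> bool:
    """True when the modeled device refuses the command in the current phase."""
    try:
        action(*args)
    except IssuError:
        return True
    return False


if __name__ == "__main__":
    s = IssuSession()
    s.check("new.cc")
    s.start("new.cc", rollback_timer=True)
    s.elapse(70)
    print("remaining:", s.remaining_min(), "min")   # 50, as in the display issu rollback-timer example
    s.confirm()
    print(s.phase, "next startup:", s.next_startup)
```

Stepping through the model shows the two failure modes worth a runbook entry: starting with rollback-timer and never confirming (rollback at expiry), and starting without rollback-timer, which commits the new software with no window for issu abort at all.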
Example
# Start ISSU and set the ISSU rollback timer to 120 minutes.
<HUAWEI> issu start rollback-timer 120 CE6800-V100R003C00.cc
Format
display license [ verbose ]
display license [ verbose ] slot slot-id
Parameters
Parameter Description Value
verbose Displays detailed information about the current active license file. -
slot slot-id Specifies a stacked device. The value is an integer, and the value range depends on the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
A license file dynamically controls the availability of some features. Only one license file is
active in the system. Run this command to view detailed information about the active license
in the system, including license file name, version, validity period, and control item.
NOTE
The encoding format used to display license information in the current version is GBK. To prevent
garbled characters when you use a different terminal to log in to the device and Chinese characters are
displayed, change the terminal's encoding format to GBK.
For example, if you use the PuTTY tool as the terminal, set its encoding format to Use font encoding,
and the operating system's default encoding format must be GBK. After the encoding format is set to
GBK, Chinese information about the license can be correctly displayed.
Example
# Display information about the active license file of the device.
License state: Demo. The license for the current configuration will expire in 86
day(s).
Apply for authentic license before the current license expires.
Item Description
Format
display license revoke-ticket [ slot slot-id ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
The display license revoke-ticket command enables you to check the revocation code of a
license file that has become invalid on the device. This code proves that the current license
file is invalid and is used to apply for a new license.
Precautions
This command displays information only when the license file on the device is invalid.
Example
# Display the revocation code of the current invalid license file.
<HUAWEI> display license revoke-ticket
MainBoard:
Info: The revoke ticket is:
LIC20121103006100:27C1B773ED11D9F877855CDAEE74ABFE60E07126.
Function
The display license state command displays the license status on the device.
Format
display license state [ trial ]
Parameters
Parameter Description Value
trial Displays the number of days before a license in Trial state expires. If the current license is not in Trial state, the system displays no information when this parameter is configured. -
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To check the status of the running license, run this command. The command displays the
status of the license and the number of days before the license in this status will expire.
The system supports the following license states:
l Normal: normal license
l Demo: demonstration license
l Trial: trial license
l Default: default license
This command helps you locate license problems and verify the license status on the device.
Example
# Display the status of the license on the device.
<HUAWEI> display license state
MainBoard:
Info: Current license state is Demo. The license for the current configuration
will expire in 22 day(s).
Format
display paf [ verbose ]
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
A PAF file defines which resources and features the device provides, so that only the required ones are enabled. This command displays all the specification information in the PAF file.
Example
# View details about the PAF file.
<HUAWEI> display paf verbose
SPEC_FUNC_RAAS_ENABLED
Value : 0
Default value: 0
Min value : 0
Max value : 1
Description : Raas funcation switch(1: enable, 0: disable)
SPEC_FUNC_LVRM_LRSPEC
Value : 0
Default value: 0
Min value : 0
Max value : 1
Description : Logic system funcationswitch(1: enable, 0: disable)
SPEC_FUNC_LVRM_VSSPEC
Value : 1
Default value: 1
Min value : 0
Max value : 1
Description : Virtual system funcationswitch(1: enable, 0: disable)
Format
display patch-information [ verbose | history ]
Parameters
Parameter Description Value
verbose Displays detailed information about the patch. -
history Displays historical information about the patch in the current system. -
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After a patch is loaded or deleted, run this command to view information about the patch,
including its version, name, and status.
Precautions
If the system has no patch loaded, the patch version, name, and status displayed by this
command are "-".
Example
# Display detailed information about the patch in the current system.
<HUAWEI> display patch-information verbose
Patch Package Name :flash:/PATCH.PAT
Patch Package Version :V100R006SPH001
Patch Package State :Running
Patch Package Run Time:2014-11-14 14:02:43
****************************************************************************
* Information about patch errors is as follows: *
****************************************************************************
SlotId CurrentVersion
----------------------------------------------------------------------------
No patch error occurs on any board
Board Info :
------------------------------------------------------------------------------------------------
SlotId  ProcId  State    PatchType  Valid  PatchEffectiveTime       PatchFileName
------------------------------------------------------------------------------------------------
1       1049    Running  C          YES    2014-11-14 14:02:09.297  HP000012.pat
1       1049    Running  C          YES    2014-11-14 14:02:09.308  HP000028.pat
------------------------------------------------------------------------------------------------
Total = 2
Item Description
Function
The display upgrade rollback-timer command displays the status of the rollback function in
the current version.
Format
display upgrade rollback-timer
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
If an error occurs during an upgrade (for example, the new startup files are damaged), cancel
the current upgrade and restore the previous version used before the upgrade.
To check whether the version rollback function is enabled, run this command.
Example
# Display the status of the rollback function in the current version (the version rollback
function is enabled).
# Display the status of the rollback function in the current version (the version rollback
function is disabled).
<HUAWEI> display upgrade rollback-timer
Info:The state of upgrade rollback is disable.
3.10.7 license
Function
The license command creates a license view and enters the view.
NOTE
The CE6850EI, CE6810EI, CE6810LI, CE5855EI, CE5850HI, CE5850EI and CE5810EI do not support this
command.
Format
license
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
To create and enter a license view, run the license command.
Example
# Create and enter a license view.
<HUAWEI> system-view
[~HUAWEI] license
[~HUAWEI-license]
Format
license active file-name
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Change or upgrade the license file when the current license file is outdated or when higher specifications and more features are needed. A newly uploaded license file is inactive and does not take effect until it is activated. Run this command to activate the new or updated license file.
The license active command can be used to activate a license file in the following situations:
l The license needs to be activated for the first time.
You can directly run this command to activate the license.
l The current license file needs to be updated.
If the specifications of the new license file are lower than those of the current license file, the system displays a message asking whether to continue. If you choose No, the system retains the current license file. If you choose Yes, the device activates the new license file and the system uses it from then on.
If the new license file contains fewer control items than the current one, check whether the control items required by running services exist in the new license file. If they do not, apply for a correct license file and activate it instead. Otherwise, services may be interrupted after the device restarts because the license control items they depend on are missing.
Prerequisites
Precautions
l The license file must use .dat or .zip as file name extension and be saved to the default
root directory in the storage of the device.
l In a stack with multiple switches, if a license file is applied for each stack member, you
need to compress multiple .dat license files into a .zip file, upload the .zip file to the
stack master, and then load the file.
l Before activating a license file, you can run the license verify command to verify the
license file.
Example
# Activate license.dat in the storage of the device.
<HUAWEI> license active license.dat
Now activing the license.................................done.
MainBoard:
Info: Succeeded in activating the license file on the board.
Function
The license backup command backs up license information in the license partition to the
specified file.
NOTE
The CE5800 series switches (excluding CE5880EI) do not support this command.
Format
license backup flash file-name
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
To check whether the activated license is the same as the loaded license, run the license
backup flash command to back up the activated license in specified files and then compare it
with the loaded license file. The license file can be opened in text mode.
After you run this command, the system backs up two files using the file name
extensions .master.zip and .slave.zip, and saves the files to the root directory on the default
storage of the device. The backup license file in the primary license partition uses the file
name extension .master.zip, and that in the secondary license partition uses the file name
extension .slave.zip.
Example
# Back up license information in the license partition to the files huawei.master.zip and
huawei.slave.zip.
<HUAWEI> license backup flash huawei
Info: Succeeded in backing up the license file to huawei.master.zip and
huawei.slave.zip.
Function
The license delete command deletes a license file in the $_license directory.
Format
license delete file-name
Parameters
Views
User view
Default Level
3: Management level
Usage Guidelines
After you run the license active command to activate a license file, the system backs up the
license file in the $_license directory. After you upgrade the license file, the expired license
file in $_license still exists and occupies system resources. To delete redundant license files in
$_license, run the license delete command.
Example
# Delete the license file license.dat in $_license.
<HUAWEI> license delete license.dat
Warning: The file license.dat cannot be recycled. Continue? [Y/N]:y
Function
The license export command stores a license file which is activated in the current system in
the root directory of a storage device.
Format
license export file-name
Parameters
Parameter Description Value
file-name Specifies the name of the license file to be saved to the root directory. The value is a string of 5 to 127 case-sensitive characters without spaces. The extension of the file is ".zip".
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to save the license file to the root directory on the storage of the
device.
Precautions
The saved license file must use .zip as the file name extension.
Example
# Save the license file to the root directory on the storage of the device.
<HUAWEI> license export license.zip
Info: Succeeded in exporting the license file to license.zip.
Format
license revoke [ slot slot-id ]
Parameters
Parameter Description Value
slot slot-id Specifies a stacked device. The value is an integer, and the value range depends on the device configuration.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before updating a license file, run the license revoke command to revoke the existing license.
The system then returns a license revocation code. This code is the evidence for license
invalidation and is used to apply for a new license.
NOTE
A license revocation code is a character string generated after a license file becomes invalid. You can
determine that a license file is invalid based on the corresponding revocation code.
Precautions
After you run the license revoke command, the license file enters the Trial state and cannot be
activated again, regardless of how much time remains before the license file expires. A license
file in the Trial state can be used only for 60 days. After the license file in the Trial state
expires, the successfully delivered features controlled by the license are still valid. These
features can be deleted but cannot be added. To add functions controlled by the license, re-apply
for a license file and activate it.
Apply for a new license and activate it before the original license expires so that services are
not affected.
Example
# Revoke the current license file.
<HUAWEI> license revoke
Warning: The license will switch to trial state. Continue? [Y/N]:y
MainBoard:
Info: Succeeded in revoking the license. The revoke ticket is
LIC201411261KSC50:87CE09A70A7401C7D0E1853B7931E3FA755AC88D.
Function
The license verify command verifies the license file of the device.
Format
license verify file-name
Parameters
Parameter Description Value
file-name Specifies the name of a license file. The name of a license file must already
exist.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before running the license active command to activate a license file, verify the license file.
Prerequisites
Example
# Verify the license file license.dat.
<HUAWEI> license verify license.dat
MainBoard:
Info: Verify license succeeded.
Function
The patch active all command activates the patches on the current system.
Format
patch active all
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If you do not specify the active or run keyword when running the patch load command, run
the patch active all command to activate all the loaded patches so that they take effect.
Prerequisites
Configuration Impact
- After a non-incremental patch is loaded and the patch active all command is run, the
patches in the current system are activated.
- If an incremental patch is loaded and the previous patch package is running, the previous
patch package is still in the running state after you run the patch active all command. The
new patch package is activated.
Follow-up Procedure
After running the patch active all command, use the patch run all command to run the
activated patch.
Precautions
Example
# Activate all patches.
<HUAWEI> patch active all
Function
The patch configuration-synchronize command synchronizes the patch configuration and
patch file of the master switch to other member switches in a stack.
Format
patch configuration-synchronize
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
After you replace or add a member switch in a stack and start the new member switch, run
this command to synchronize the patch configuration and patch file from the master switch if
the patch file of the new member switch is incorrect.
Example
# Run the following commands on the new member switch to synchronize the patch
configurations and patch files to the new member switch.
<HUAWEI> patch configuration-synchronize
Format
patch deactive all
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If you find errors in some patches after using the patch active all command to activate the
loaded patches, run the patch deactive all command to deactivate patches on the current
system to prevent them from taking effect.
Prerequisites
Active patches exist on the current system.
Precautions
After the patch deactive all command is run, patches in the active state are deactivated.
The patch deactive all command makes patches on the current system ineffective. To make
the loaded patches take effect again, run the patch active all command.
Example
# Deactivate patches on the current system.
<HUAWEI> patch deactive all
Format
patch delete all
Parameters
Parameter Description Value
all Deletes all patches on all the boards. -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before installing a non-incremental patch, you need to run the patch delete all command to
delete existing patches from the current system and then install a new patch package.
Configuration Impact
After the patch delete all command is run, patches on the system are deleted regardless of
their status.
Precautions
- The patch delete all command may affect system performance. Confirm the action before
you use this command.
- When the patch delete all command is run to delete patches from the current system, the
system prompts you to confirm the deletion.
- After the patch delete all command deletes existing patches from the current system, the
deleted patches cannot be restored. Confirm the action before you use this command.
Example
# Delete all hot patches from the current system.
<HUAWEI> patch delete all
This will delete the patch. Are you sure? [Y/N]:y
Info: Operating, please wait for a moment....done.
Info:Succeeded in deleting the patch.
****************************************************************************
* Warning: Perform the following operations to deal with the cold patch. *
****************************************************************************
----------------------------------------
Device Type Upgrade mode
----------------------------------------
10 MPU reset board
----------------------------------------
Info: Succeeded in deleting the patch.
Format
patch load file-name all [ active | run ]
Parameters
Parameter Description Value
file-name Specifies the path name and name of the patch package. The path name is an absolute path name or a relative path name. The value is a string of 5 to 127 case-sensitive characters without spaces. The value of the patch name is a string of 5 to 63 characters.
all Loads all patches on all the boards. -
active Activates a patch after the patch is loaded. -
run Runs a patch after the patch is loaded. -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before loading a patch, the system parses the patch package to check the validity of the patch
files and obtain their attributes.
When loading a patch to the current system, the system searches the patch package for a
matching patch file according to the attributes of the patch file.
- If a matching patch file is found in the patch package, the system loads the patch.
- If no matching patch file is found in the patch package, the system does not load the
patch.
Prerequisites
The desired patch file has been uploaded to the master main control board of the device.
Configuration Impact
After the patch load command is run, the system loads all types of patches in the patch
package.
- If the active parameter is used in the patch load command, the system activates the
patch file after loading it. You can then run the patch run all command to run the patch
file.
- If the run parameter is used in the patch load command, the system runs the patch file
after loading it.
Precautions
The device is reset before a cold patch takes effect.
Example
# Load and run the cold patch package on the current system.
<HUAWEI> patch load CE8800, CE7800,
CE6800, and CE5800 series switchesV200R005C10SPH403.PAT all run
Info: Operating, please wait for a moment...
****************************************************************************
* Warning: Perform the following operations to deal with the cold patch. *
****************************************************************************
----------------------------------------
Device Type Upgrade mode
----------------------------------------
11 MPU reset board
12 MPU reset board
----------------------------------------
Info: Succeeded in running the patch.
Function
The patch run all command runs the patches on the current system.
Format
patch run all
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the device restarts, active patches become deactivated and need to be activated
again. To keep the active patches in the running state after a device restart, use this
command to run these active patches.
Prerequisites
Patches have been loaded and activated on the system.
Configuration Impact
After you run this command to run patches on the current system, the patches remain in the
running state if a device restart occurs.
After the patch run all command is run, the patches enter running state and cannot be
restored to the previous state. Confirm the action before you run the command.
Example
# Run active patches in the current system.
<HUAWEI> patch run all
Function
The reset patch-configure command deletes the configuration of the patch file for next
startup.
Format
reset patch-configure next-startup
Parameters
Parameter Description Value
next-startup Deletes the configuration of the patch file for next startup. -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After you run the startup patch command to specify the patch file for next startup, you can
use the reset patch-configure command to delete the configuration.
Precautions
If you run the reset patch-configure command, the patch file for next startup is empty. When
the device restarts, the system does not load and run the patch file.
Example
# Delete the configuration of the patch file for next startup.
Function
The upgrade all command upgrades the system file.
Format
upgrade all { startup | filename } bios [ force ]
Parameters
Parameter Description Value
all Indicates all the registered devices. -
filename Specifies the name of the system file that is used to upgrade the system. The name of the system file must already exist. The format is flash:/xxx.cc.
bios Indicates the BIOS system. -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To restart the system faster, you can run this command to upgrade the system file before the
restart.
Precautions
Services are interrupted during a device upgrade or logical software upgrade using this
command.
Example
# Forcibly upgrade the system using the current startup file.
<HUAWEI> upgrade all startup bios force
*********************************************************
* W A R N I N G *
* *
* Please ensure that the configuration has been saved. *
* And please ensure that the board does not be powered *
* off or be reseted during the upgrade operation. *
* Also ensure that any board of this device is not *
* removed (pull out or plug in) during this process. *
* *
* W A R N I N G *
*********************************************************
Confirm to upgrade.continue? [Y/N]:y
Loading slot:<1>
Info: Operating, please wait for a moment...
....................
Load BIOS Finish!
Upgrade result information:
------------------------------------------------------------
Slot Type Item LoadMode Result
------------------------------------------------------------
1 MPU BIOS online success
------------------------------------------------------------
done.
Table 3-68 Description of the upgrade all startup bios force command output
Item Description
Slot A device.
Function
The upgrade slot startup command upgrades the system file of a device.
Format
upgrade boardtype slot slotid { startup | filename } bios [ force ]
Parameters
Parameter Description Value
boardtype Indicates all the registered devices. The value is mpu, lpu.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you find that the version of a device is different from the system software, run the
command to upgrade the device version.
Precautions
Services are interrupted during a device upgrade or logical software upgrade using this
command.
Example
# Forcibly upgrade the device by using the current bios software.
<HUAWEI> upgrade mpu slot 1 startup bios force
*********************************************************
* W A R N I N G *
* *
* Please ensure that the configuration has been saved. *
* And please ensure that the board does not be powered *
* off or be reseted during the upgrade operation. *
* Also ensure that any board of this device is not *
* removed (pull out or plug in) during this process. *
* *
* W A R N I N G *
*********************************************************
Loading slot:<1>
....................
Load BIOS Finish!
Upgrade result information:
------------------------------------------------------------
------------------------------------------------------------
------------------------------------------------------------
done.
Table 3-69 Description of the upgrade mpu slot 1 startup bios force command output
Item Description
Slot A device.
Function
The upgrade rollback command enables the system rollback function and sets the time the
system has to wait before rollback.
The undo upgrade rollback command disables the rollback function.
By default, the rollback function is disabled.
Format
upgrade rollback rollback-timer time-value
undo upgrade rollback
Parameters
Parameter Description Value
rollback-timer time-value Specifies the value of the rollback timer. The value is an integer that ranges from 10 to 360, in minutes.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If an error occurs during an upgrade (for example, the new startup files are damaged), cancel
the current upgrade and restore the version that was used before the upgrade.
After the version rollback function is enabled and the system is restarted with the new system
package, the system rolls back the system package and patch if no user successfully logs in to
the device within the specified period.
After the version rollback function is disabled, the system version does not roll back,
regardless of whether any user is authenticated and logs in to the system within the specified
period.
By default, the version rollback function is disabled. After each version rollback completes,
the version rollback function is disabled again.
Precautions
If any user successfully logs in to the device, the rollback timer is cancelled.
After you run this command, the current system resets the rollback timer.
Example
# Configure the rollback timer for the current system upgrade.
<HUAWEI> upgrade rollback rollback-timer 300
Info:The state of upgrade rollback is enable. Limit time is 300 minutes.
If no User cancels the function, the main MPU will restart by the bootfile flash:/
software.cc.
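The rollback timer semantics above (the restart starts the timer, any successful login cancels it, expiry rolls back and then disables the function again), as an added Python model that is not Huawei's code; the class name, the minute-based clock and the package labels are assumptions.

```python
"""Model of the upgrade rollback timer described above.
Added example, not Huawei code: class name, minute clock and the package
labels "new"/"previous" are hypothetical."""


class UpgradeRollback:
    """Tracks the rollback function of one device across an upgrade restart."""
    MIN_MINUTES, MAX_MINUTES = 10, 360   # range of rollback-timer time-value

    def __init__(self):
        self.enabled = False        # disabled by default
        self.timer = None           # configured timer in minutes
        self.deadline = None        # absolute minute at which rollback fires
        self.running = "previous"   # hypothetical label of the running package/patch
        self.log = []

    def configure(self, minutes):
        """upgrade rollback rollback-timer <minutes>: enable and (re)set the timer."""
        if not self.MIN_MINUTES <= minutes <= self.MAX_MINUTES:
            raise ValueError("rollback-timer must be 10 to 360 minutes")
        self.enabled, self.timer, self.deadline = True, minutes, None
        self.log.append(f"rollback enabled, limit {minutes} minutes")

    def undo(self):
        """undo upgrade rollback: no rollback, regardless of whether anyone logs in."""
        self.enabled, self.deadline = False, None
        self.log.append("rollback disabled")

    def restart_into(self, package, now):
        """Reboot with the new system package; the timer starts only if enabled."""
        self.running = package
        self.deadline = now + self.timer if self.enabled else None

    def successful_login(self, now):
        """Any authenticated login before the deadline cancels the timer."""
        if self.deadline is not None and now < self.deadline:
            self.deadline = None
            self.log.append(f"login at {now} min cancelled the rollback timer")

    def tick(self, now):
        """Advance the clock; returns True when a rollback was performed."""
        if self.deadline is None or now < self.deadline:
            return False
        self.running = "previous"                   # system package and patch roll back
        self.enabled, self.deadline = False, None   # function disables itself again
        self.log.append(f"no login within {self.timer} min: rolled back at {now} min")
        return True


def simulate(timer_minutes, login_at=None, undo_before_restart=False):
    """Run one upgrade scenario; returns (running package, rollback happened)."""
    dev = UpgradeRollback()
    dev.configure(timer_minutes)
    if undo_before_restart:
        dev.undo()
    dev.restart_into("new", now=0)
    rolled_back = False
    for minute in range(0, timer_minutes + 1):
        if login_at is not None and minute == login_at:
            dev.successful_login(minute)
        rolled_back = dev.tick(minute) or rolled_back
    return dev.running, rolled_back


if __name__ == "__main__":
    print(simulate(300))               # no login: ('previous', True)
    print(simulate(300, login_at=20))  # login cancels the timer: ('new', False)
```

The first scenario is the one to plan for: if the upgrade breaks authentication so nobody can log in, the device rolls itself back when the timer expires.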
Format
display copyright
Parameters
None.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display copyright command to view the declaration information of the open
source software.
The declaration information of the open source software includes the following items:
- Warranty Disclaimer
- Copyright Notice
- Written Offer
Example
# Display declaration information of an open source software.
This document contains open source software notice for the product. And this
document is confidential information of copyright holde
r. Recipient shall protect it in due care and shall not disseminate it without
permission.
Warranty
Disclaimer
This document is provided "as is" without any warranty whatsoever, including the
accuracy or comprehensiveness. Copyright holder of
this document may change the contents of this document at any time without prior
notice, and copyright holder disclaims any liabilit
y in relation to recipient's use of this document.
---- More ----
Function
The acl command configures an HTTP access control list (ACL).
Format
acl { acl-name | acl-number }
undo acl
Parameters
Parameter Description Value
acl-name Specifies the name of an ACL. The value is a string of 1 to 32 case-sensitive characters, spaces not supported. The value starts with a letter or digit but cannot contain only digits.
acl-number Specifies an ACL number. The value is an integer ranging from 2000 to 3999.
- ACLs numbered 2000 to 2999 are basic ACLs.
- ACLs numbered 3000 to 3999 are advanced ACLs.
Views
Service-Restconf view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To configure an HTTP ACL, run the acl command. The ACL limits which clients can access the
server, improving server security.
Prerequisites
Create an ACL of the required type in the system view:
- Run the acl { name basic-acl-name { basic | [ number ] basic-acl-number } | [ number ]
basic-acl-number } command to create a basic ACL.
- Run the acl { name advance-acl-name [ advance ] | [ number ] advance-acl-number }
command to create an advanced ACL.
Precautions
If the ACL configured in this command has not been created in the system view, no client is
allowed to access the HTTP server.
Example
# Configure an HTTP ACL named policy1.
<HUAWEI> system-view
[~HUAWEI] acl policy1
[*HUAWEI-acl4-advance-policy1] quit
[*HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] acl policy1
Format
idle-timeout minutes
undo idle-timeout
Parameters
Parameter Description Value
minutes Specifies a timeout period for an idle HTTP connection. The value is an integer ranging from 1 to 60, in minutes.
Views
Service-Restconf view
Default Level
2: Configuration level
Usage Guidelines
Before a client transmits HTTP services, it logs in to an HTTP server and establishes a TCP
connection with the server. However, if the connection is torn down unexpectedly, the HTTP
server cannot detect the disconnection and still retains the connection, which wastes
resources. To resolve this problem, run the idle-timeout command to configure a timeout
period for an idle HTTP connection. If the client does not send any packet during the timeout
period, the HTTP server considers the connection invalid and tears down the TCP connection
with the client after the timeout period elapses.
Example
# Set the timeout period to 30 minutes for an idle HTTP connection.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] idle-timeout 30
The undo secure-server enable command disables the HTTPS listening function.
Format
secure-server enable
Parameters
None
Views
Service-Restconf view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
HTTP is an application-layer protocol that transports hypertext from WWW servers to local
browsers. HTTP uses the client/server model, in which requests and replies are exchanged.
To enable the HTTPS listening service, run the secure-server enable command. HTTPS
encrypts data before transmitting it, enhancing security.
Precautions
HTTPS is more secure than HTTP, so using HTTPS is recommended.
Example
# Enable the HTTPS listening function.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] secure-server enable
Format
secure-server port port-number
undo secure-server port
Parameters
Parameter Description Value
port-number Specifies the number for an HTTPS service listening port. The value can be 443 or an integer ranging from 1025 to 65535.
Views
Service-Restconf view
Default Level
2: Configuration level
Usage Guidelines
- When the default HTTPS service listening port is in use, run the secure-server port
command to configure a different HTTPS service listening port so that the firewall can filter
packets on this port. This enhances network security.
- Currently, the HTTPS service listening port supports only IPv4.
- A port number that is already in use cannot be specified.
Example
# Configure port 1028 for HTTPS listening.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] secure-server port 1028
Function
The server enable command enables the HTTP listening service.
The undo server enable command disables the HTTP listening service.
Format
server enable
Parameters
None
Views
Service-Restconf view
Default Level
2: Configuration level
Usage Guidelines
HTTP is an application-layer protocol that transports hypertext from WWW servers to local
browsers. HTTP uses the client/server model in which requests and replies are exchanged.
To enable the HTTP listening service so that the HTTP server can identify the connection
requests from clients, run the server enable command.
Example
# Enable the HTTP listening service.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] server enable
Function
The server port command configures an HTTP service listening port.
The undo server port command restores the default HTTP service listening port.
By default, HTTP service listening uses port 80.
Format
server port port-number
undo server port
Parameters
Parameter Description Value
port-number Specifies the number for an HTTP service listening port. The value can be 80 or an integer ranging from 1025 to 65535.
Views
Service-Restconf view
Default Level
2: Configuration level
Usage Guidelines
- When the default HTTP service listening port is in use, run the server port command to
configure a different HTTP service listening port so that the firewall can filter packets on
this port. This enhances network security.
- Currently, the HTTP service listening port supports only IPv4.
- A port number that is already in use cannot be specified.
Example
# Configure port 1028 for HTTP service listening.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] server port 1028
Format
service restconf
undo service restconf
Parameters
None
Views
HTTP view
Default Level
2: Configuration level
Usage Guidelines
Before you perform HTTP configurations, run the service restconf command to enter the
Service-Restconf view.
Example
# Enter the Service-Restconf view.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
The undo ssl-policy command deletes the SSL policy on an HTTP server.
Format
ssl-policy policy-name
undo ssl-policy
Parameters
Parameter Description Value
policy-name Specifies the name of an SSL policy. The value is a string of 1 to 23 case-insensitive characters, spaces not supported.
Views
Service-Restconf view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Conventional HTTP does not have any security mechanism. It transmits data in plaintext and
does not verify the identities of communications parties. Therefore, data transmitted over
HTTP may be tampered with. In applications that require high security, such as e-commerce
and online banking, HTTP is inapplicable. To enhance security, run the ssl-policy command
to specify an SSL policy for an HTTP server.
Configuration Impact
HTTP security is enhanced with the SSL security mechanisms, such as data encryption,
identity verification, and message integrity check.
Prerequisites
The following configurations must have been completed before you run the ssl-policy
command.
1. An SSL policy has been created and the SSL policy view is displayed using the ssl
policy policy-name command in the system view.
2. A digital certificate or certificate chain has been loaded using the certificate load
command in the SSL policy view.
3. The HTTPS listening function has been enabled using the secure-server enable
command in the Service-Restconf view.
Precautions
An HTTP server can only have one SSL policy configured. If the ssl-policy command is run
more than once, the latest configuration overrides the previous one.
Example
# Configure an SSL policy named policy1 for an HTTP server.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] secure-server enable
[*HUAWEI-http-service-restconf] ssl-policy policy1
Function
The ssl-verify peer command configures an HTTP server to perform SSL verification on
HTTP clients.
The undo ssl-verify command disables an HTTP server from performing SSL verification on
HTTP clients.
By default, an HTTP server does not perform SSL verification on HTTP clients.
Format
ssl-verify peer
undo ssl-verify
Parameters
None
Views
Service-Restconf view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent access by unauthorized HTTP clients, run the ssl-verify peer command to
configure an HTTP server to perform SSL verification on HTTP clients. This configuration
enhances security.
Precautions
If a client does not have a certificate loaded or has an incorrect certificate loaded, the
verification fails, and the server disconnects the client.
Example
# Configure an HTTP server to perform forcible SSL verification on HTTP clients.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] ssl-verify peer
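The HTTP-server hardening commands described above (acl, idle-timeout, secure-server enable and port, server enable and port, ssl-policy, ssl-verify peer), as an added Python audit script that is not Huawei's code: it parses a constructed Service-Restconf configuration excerpt and reports weak or invalid settings; the configuration text, the finding codes and the function names are this example's own assumptions.

```python
"""Audit the Service-Restconf (HTTP/HTTPS) settings in a CloudEngine-style
configuration excerpt against the hardening commands described above.
Added example, not Huawei code: the configuration text is constructed and
the finding codes (WARN/FAIL/INFO) are this script's own convention."""
import re

# Constructed sample of the http block as it would appear in the saved configuration.
# HTTPS is on and has an SSL policy, but plaintext HTTP is still listening,
# client certificates are not verified, and no ACL limits the clients.
SAMPLE_CONFIG = """\
#
http
 service restconf
  server enable
  server port 1028
  secure-server enable
  secure-server port 8443
  ssl-policy policy1
  idle-timeout 30
#
"""

# Allowed listening ports, as given in the parameter tables above.
HTTP_PORTS = {80} | set(range(1025, 65536))
HTTPS_PORTS = {443} | set(range(1025, 65536))

COMMAND_RE = re.compile(
    r"^(server enable|server port|secure-server enable|secure-server port|"
    r"ssl-policy|ssl-verify|acl|idle-timeout)\s*(.*)$"
)


def parse_restconf_view(config):
    """Collect the commands under http > service restconf.

    Returns {command_keyword: argument}; flag commands map to ''.
    A line consisting of '#' closes the current block, as in the CLI output."""
    settings = {}
    in_http = in_restconf = False
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            in_http = in_restconf = False
        elif line == "http":
            in_http = True
        elif in_http and line == "service restconf":
            in_restconf = True
        elif in_restconf:
            m = COMMAND_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip()
    return settings


def _port_ok(value, allowed):
    return value.isdigit() and int(value) in allowed


def audit(settings):
    """Return a list of findings for one Service-Restconf view."""
    findings = []
    if "server enable" in settings:
        findings.append("WARN plaintext HTTP listening is enabled; HTTPS is recommended")
    if "secure-server enable" not in settings:
        findings.append("WARN HTTPS listening is not enabled")
    elif "ssl-policy" not in settings:
        findings.append("FAIL HTTPS listening is enabled but no ssl-policy is bound")
    if settings.get("ssl-verify") != "peer":
        findings.append("WARN client certificates are not verified (ssl-verify peer)")
    if "acl" not in settings:
        findings.append("WARN no ACL restricts which clients may reach the server")
    if "idle-timeout" not in settings:
        findings.append("INFO idle-timeout is not set; dead connections are retained")
    http_port = settings.get("server port")
    https_port = settings.get("secure-server port")
    if http_port is not None and not _port_ok(http_port, HTTP_PORTS):
        findings.append(f"FAIL server port {http_port} is not 80 or 1025-65535")
    if https_port is not None and not _port_ok(https_port, HTTPS_PORTS):
        findings.append(f"FAIL secure-server port {https_port} is not 443 or 1025-65535")
    if http_port is not None and http_port == https_port:
        findings.append(f"FAIL HTTP and HTTPS both use port {http_port}; a port in use cannot be specified twice")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_restconf_view(SAMPLE_CONFIG)):
        print(finding)
```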