
CloudEngine 8800, 7800, 6800, and 5800

Command Reference 3 Basic Configurations Commands

3 Basic Configurations Commands

3.1 CLI Overview Commands
3.2 ZTP Commands
3.3 USB-based Deployment Configuration Commands
3.4 First Login Commands
3.5 UI Configuration Commands
3.6 User Login Configuration Commands
3.7 File Management Commands
3.8 Configuring System Startup Commands
3.9 ISSU Configuration Commands
3.10 Upgrade Commands
3.11 Open Source Software Declaration Information Checking Commands
3.12 HTTP Configuration Commands

3.1 CLI Overview Commands

3.1.1 abort trial


Function
The abort trial command disables the trial running of a configuration.

Format
abort trial [ session session-id ]

Issue 03 (2019-01-25) Copyright © Huawei Technologies Co., Ltd. 33



Parameters
Parameter            Description                                         Value
session session-id   Specifies the ID of a session for which the trial   -
                     running of the configuration is to be disabled.

Views
All views (excluding the user view)

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After the two-phase configuration validation mode is configured and a command is run, run
the commit trial command to enable the trial running of the configuration. You can specify
the time parameter in the commit trial command to set the timeout period for the trial
running. After the trial running of the configuration times out, the system automatically rolls
the configuration back to the configuration state before the trial running. To disable the trial
running of the configuration before the trial running times out, run the abort trial command
to roll the system configuration back to the configuration state before the trial running.
Prerequisites
The commit trial command has been run for a configuration.
Configuration Impact
After the trial running of the configuration is disabled, the system configuration rolls back to
the configuration state before the trial running.
Precautions
The abort trial command must be run in the two-phase configuration validation mode.

Example
# Disable the trial running of a configuration.
<HUAWEI> system-view
[~HUAWEI] sysname rollback
[*HUAWEI] commit trial 120
[~rollback] abort trial
Warning: The trial configuration will be rolled back. Continue? [Y/N]:y
Info: The trial configuration rollback succeeded.
[~HUAWEI]

3.1.2 alias
Function
The alias command creates an alias for a command.

The undo alias command deletes an alias.


By default, no alias is created.

Format
alias alias-string [ parameter parameter & <1-32> ] command command
undo alias alias-string

Parameters
Parameter             Description                  Value
alias-string          Specifies an alias string.   The value is a string of 1 to 63 case-insensitive
                                                   characters, supporting letters, digits, and
                                                   hyphens (-). It must start with a letter and
                                                   cannot contain spaces between characters.
parameter parameter   Specifies a parameter for    The value is a string of 2 to 63 case-insensitive
                      an alias.                    characters, supporting letters, digits, and
                                                   hyphens (-). It must start with the $ sign.
command               Specifies a command for      The value is a string of 1 to 511 characters. If a
                      which an alias is to be      space exists in the command, the character string
                      created.                     of command must be enclosed in double quotation
                                                   marks (").

Views
Command alias view

Level
3: Management level

Task Name and Operations


Task Name   Operations
cli         write

Usage Guidelines
Usage Scenario
The alias command can be used in the following scenarios:
● Configure an easy-to-remember string of characters as the alias for a command. Then, you
  can just enter the alias string when you need to run the command. For example, define
  the alias for display as show. You can enter the alias show to substitute display.
● Change the order of parameters. For example, after you configure the alias showif
  parameter $ifnum $iftype command "display interface $iftype $ifnum" command,
  you can enter showif 1 Eth-Trunk to substitute display interface Eth-Trunk 1.

Precautions
● A command can still be used after an alias is configured for it.
● The character string of command must reference all the parameters defined in parameter
  in sequence, and each parameter can be referenced only once.
● When the character string of command starts referencing the parameters defined in
  parameter, only parameters beginning with the $ sign rather than any command keyword
  can be included. For example, command configuration like alias showif parameter
  $ifnum $iftype command "display interface $iftype iftype $ifnum verbose" is
  incorrect.
● If the alias definitions include loop nesting or the nesting level is more than 16 layers,
  the alias is invalid and cannot substitute a command.
● The alias configured by the alias command can take effect only when the command alias
  function is enabled using the terminal command alias command. By default, the
  command alias function is enabled.

Example
# Create an alias for a command.
<HUAWEI> system-view
[~HUAWEI] command alias
[*HUAWEI-cmdalias] alias show command display
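
The definition rules and the substitution described in this section, as an added Python sketch (not Huawei code): it checks alias lines against the Parameters table and the Precautions, then resolves a typed or logged line back to the command it stands for, which is what a reviewer needs when command history shows only the alias. Assumptions: an alias is matched on the first word of the input, extra words are passed through, the 16-level limit is counted per substitution, and the function names and the looping aliases a1 and a2 are constructed for the example.

```python
import re
import shlex

# Limits taken from the Parameters table of the alias command.
ALIAS_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,62}")  # 1 to 63 chars, starts with a letter
PARAM_RE = re.compile(r"\$[A-Za-z0-9-]{1,62}")        # 2 to 63 chars, starts with $
MAX_PARAMS, MAX_COMMAND_LEN, MAX_NESTING = 32, 511, 16


class AliasError(ValueError):
    """A definition or expansion that the documented rules reject."""


def parse_alias(line):
    """Parse one 'alias ...' configuration line into (name, params, template)."""
    try:
        tokens = shlex.split(line)  # a double-quoted command stays one token
    except ValueError as exc:
        raise AliasError("unbalanced quotation marks") from exc
    if len(tokens) < 4 or tokens[0] != "alias":
        raise AliasError("not an alias definition")
    name, rest = tokens[1].lower(), tokens[2:]
    if not ALIAS_RE.fullmatch(name):
        raise AliasError("bad alias-string: " + name)
    params = []
    if rest[0] == "parameter":
        if "command" not in rest:
            raise AliasError("missing command keyword")
        cut = rest.index("command")
        params, rest = [p.lower() for p in rest[1:cut]], rest[cut:]
        if not 1 <= len(params) <= MAX_PARAMS or len(set(params)) != len(params):
            raise AliasError("need 1 to 32 distinct parameters")
        if not all(PARAM_RE.fullmatch(p) for p in params):
            raise AliasError("bad parameter name")
    if rest[0] != "command" or len(rest) != 2:
        raise AliasError("a command containing spaces must be double-quoted")
    if not 1 <= len(rest[1]) <= MAX_COMMAND_LEN:
        raise AliasError("command must be 1 to 511 characters")
    template = rest[1].split()
    refs = [t.lower() for t in template if t.startswith("$")]
    if sorted(refs) != sorted(params):
        raise AliasError("every parameter must be referenced exactly once")
    first = next((i for i, t in enumerate(template) if t.startswith("$")), len(template))
    if any(not t.startswith("$") for t in template[first:]):
        raise AliasError("keyword after the first parameter reference")
    return name, params, template


def load_aliases(config_lines):
    """Build {alias: (params, template)} from configuration lines; other lines are skipped."""
    table = {}
    for line in config_lines:
        if line.strip().startswith("alias "):
            name, params, template = parse_alias(line.strip())
            table[name] = (params, template)
    return table


def expand(typed, aliases, depth=0):
    """Return the command a typed line resolves to (first-word matching is an assumption)."""
    words = typed.split()
    if not words or words[0].lower() not in aliases:
        return " ".join(words)
    if depth >= MAX_NESTING:
        raise AliasError("alias loop or more than 16 nesting levels")
    params, template = aliases[words[0].lower()]
    args = words[1:]
    if len(args) < len(params):
        raise AliasError("too few arguments for alias " + words[0])
    bound = dict(zip(params, args))
    resolved = [bound.get(t.lower(), t) for t in template] + args[len(params):]
    return expand(" ".join(resolved), aliases, depth + 1)


def resolve_history(history, aliases):
    """Pair each logged line with what it resolved to, marking lines that cannot expand."""
    out = []
    for typed in history:
        try:
            out.append((typed, expand(typed, aliases)))
        except AliasError as exc:
            out.append((typed, "UNRESOLVED: " + str(exc)))
    return out


# Constructed sample: the two aliases shown on this page plus a constructed loop (a1 <-> a2).
SAMPLE_CONFIG = [
    "command alias",
    " alias show command display",
    ' alias showif parameter $ifnum $iftype command "display interface $iftype $ifnum"',
    " alias a1 command a2",
    " alias a2 command a1",
]

if __name__ == "__main__":
    table = load_aliases(SAMPLE_CONFIG)
    for typed, actual in resolve_history(["showif 1 Eth-Trunk", "show sysname", "a1"], table):
        print(f"{typed!r:24} -> {actual}")
```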

3.1.3 clear configuration candidate

Function
The clear configuration candidate command clears an uncommitted configuration.

Format
clear configuration candidate

Parameters
None

Views
All views except the user view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
This command clears a configuration that has not been committed in the two-stage mode.
Prerequisites
A configuration has been edited in two-stage mode.

Precautions

The uncommitted configuration is deleted. The system view is displayed.

Example
# Clear the configuration that has not been committed.
<HUAWEI> system-view
[~HUAWEI] clear configuration candidate

3.1.4 command alias

Function
The command alias command creates and enters the command alias view.

The undo command alias command deletes all aliases configured on the device.

Format
command alias

undo command alias

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

To enter the command alias view, run the command alias command.

The alias command can be used in the following scenarios:


● Configure an easy-to-remember string of characters as the alias for a command. Then, you
  can just enter the alias string when you need to run the command. For example, define
  the alias for display as show. You can enter the alias show to substitute display.
● Change the order of parameters. For example, after you configure the alias showif
  parameter $ifnum $iftype command "display interface $iftype $ifnum" command,
  you can enter showif 1 Eth-Trunk to substitute display interface Eth-Trunk 1.

Precautions
The undo command alias command deletes all aliases configured on the device as well as the
command alias view.
Follow-up Procedure
Run the alias command to configure an alias for a command.

Example
# Enter the command alias view.
<HUAWEI> system-view
[~HUAWEI] command alias
[~HUAWEI-cmdalias]

3.1.5 command-privilege level


Function
The command-privilege level command sets the command level in a specified view.
The undo command-privilege command restores the default command level.
By default, each command in each view has a default command level.

Format
command-privilege level level view view-name command-key
undo command-privilege [ level level ] view view-name command-key

Parameters

Parameter        Description                        Value
level level      Specifies the command level.       If the command-privilege level rearrange command is
                                                    configured, the value of level ranges from 0 to 15.
                                                    If the command-privilege level rearrange command is
                                                    not configured, the value of level ranges from 0 to 3.
                                                    NOTE
                                                    If the command-privilege level rearrange command
                                                    configuration is changed, the value of level changes
                                                    based on the level mapping.
                                                    ● If the command-privilege level rearrange command
                                                      configuration is added, the levels of level-0 and
                                                      level-1 commands remain unchanged, the level of
                                                      level-2 commands is upgraded to 10, and that of
                                                      level-3 commands is upgraded to 15.
                                                    ● If the command-privilege level rearrange command
                                                      configuration is deleted, the level of level-0
                                                      commands remains unchanged, the levels of level-1
                                                      to level-9 commands are downgraded to 1, the levels
                                                      of level-10 to level-14 commands are downgraded to
                                                      2, and the level of level-15 commands is
                                                      downgraded to 3.
view view-name   Specifies the view name. You can   -
                 enter a question mark (?) in the
                 terminal GUI to obtain all view
                 names in the command view.
                 For example:
                 ● shell: user view
                 ● system: system view
                 ● global: all views
                 ● vlan: VLAN view
command-key      Specifies a command. The command   The value is a character string.
                 must be entered manually because
                 automatic command line completion
                 is not supported.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
The system divides commands into four levels and sets the command level in the specified
view. The device administrator can change the command level as required, so that a lower-
level user can use some high-level commands. The device administrator can also change the
command level to a larger value to improve device security.
A login user can configure commands according to the configured privilege corresponding to
the user name (through the user privilege level command).
The command lines are classified into visit level (0), monitoring level (1), configuration level
(2), and management level (3) in an ascending order without command-privilege level
rearrange.

Table 3-1 Relationship between command levels and user levels


User Level   Command Level             Description
0            Visit level(0)            Commands of this level include network diagnosis tool
                                       commands (such as ping and tracert), commands for accessing
                                       external devices from the local device (such as Telnet) and
                                       some display commands.
1            Visit level(0),           Commands of this level are used for system maintenance,
             Monitoring level(1)       including display commands.
                                       NOTE
                                       Some display commands are not at this level. For example,
                                       the display current-configuration and display
                                       saved-configuration commands are at level 3. For details
                                       about command levels, see the CloudEngine 8800, 7800, 6800,
                                       and 5800 Series Switches Command Reference.
2            Visit level(0),           Commands of this level are used for service configuration to
             Monitoring level(1),      provide direct network services, including routing commands
             Configuration level(2)    and commands of each network layer.
3            Visit level(0),           Commands of this level are used for basic system operations,
             Monitoring level(1),      including file system, FTP, TFTP download, user management,
             Configuration level(2),   command level configuration, and debugging.
             Management level(3)

Precautions

You are not advised to change the default command level. If you need to change it, consult
with professional personnel to ensure that routine operation and maintenance are not affected
and security risk is avoided.

The command-key parameter specifies the command of which the level is to be changed. The
view view-name parameter specifies the view to which the command belongs. The command
matching rule is prefix-based matching. For example, the command-privilege level 2 view
shell display interface command changes the level of all commands starting with display
interface in the user view to level 2.

In versions earlier than V100R006C00, the user level ranges from 0 to 15. If the system
software is upgraded to V100R006C00 or a later version, and the command-privilege level
command is not configured, the levels of level-0 and level-1 users remain unchanged, and
those of level-3 to level-15 users change to 3.

Example
# Set the privilege level of the save command to 5.
<HUAWEI> system-view
[~HUAWEI] command-privilege level 5 view shell save

3.1.6 command-privilege level rearrange

Function
The command-privilege level rearrange command upgrades command levels in batches.

The undo command-privilege level rearrange command restores the default command
levels in batches.

By default, the command levels assigned by the system during registration are used.

Format
command-privilege level rearrange
undo command-privilege level rearrange

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When a command registers on the device, it is assigned a default level of level-0, level-1,
level-2, or level-3, corresponding to the visit level, monitoring level, configuration level, and
management level respectively. You can run the command-privilege level rearrange
command to upgrade all the level-2 and level-3 commands to level-10 and level-15
commands in batches. The levels of level-0 and level-1 commands remain unchanged.
Changing the command-privilege level rearrange command configuration affects the value
of level in the user privilege, command-privilege level, adminuser-priority, and local-user
level commands. For details, see the "Parameters" table in the corresponding sections.
Precautions
● The command-privilege level command has a higher priority than the command-privilege
  level rearrange command as follows:
  – During batch command level upgrade, the levels of commands that are separately
    changed using the command-privilege level command remain unchanged.
  – You can only restore the levels of the commands that are upgraded in batches. The
    levels of commands that are separately changed using the command-privilege level
    command remain unchanged.
● Before running the command-privilege level rearrange or undo command-privilege
  level rearrange command, ensure that your level is the highest (level 3 or 15);
  otherwise, you cannot run the command. For an AAA authentication user, you can run
  the display aaa access-user self command and view the User level field to check the
  user's level.
● After the levels of the commands are upgraded in batches and before the levels of the
  commands are restored, the operation of upgrading the levels of the commands is invalid
  and does not change the status of the commands.

Example
# Change the levels of the current commands in batches.
<HUAWEI> system-view
[~HUAWEI] command-privilege level rearrange
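
The prefix-based matching of command-privilege level (3.1.5) and the batch level mapping of command-privilege level rearrange (3.1.6) combine in ways that are easy to misjudge when reviewing a saved configuration, so here is an added Python audit sketch (not Huawei code). It flags rules that put a command below its default level, rules whose level is outside the valid range, and level values that do not survive an undo followed by a re-add of rearrange. Assumptions: DEFAULT_LEVELS holds only the defaults stated on this page, both sample configurations are constructed, prefix matching is done on whole words, and the view is reported but not compared.

```python
import re

# Default command levels stated on this page (levels without rearrange).
DEFAULT_LEVELS = {
    "display current-configuration": 3,
    "display saved-configuration": 3,
    "display sysname": 3,
    "display configuration candidate": 2,
    "display this": 1,
    "display hotkey": 1,
    "display history-command": 0,
    "diagnose": 3,
    "commit": 2,
}

RULE_RE = re.compile(r"command-privilege level (\d+) view (\S+) (.+)")
REARRANGE = "command-privilege level rearrange"


def rearranged(level):
    """Level of a default level-0..3 command once rearrange is configured."""
    return {0: 0, 1: 1, 2: 10, 3: 15}[level]


def restored(level):
    """Level that a 0..15 value maps back to when rearrange is deleted."""
    if level == 0:
        return 0
    if level <= 9:
        return 1
    return 2 if level <= 14 else 3


def lossless_levels():
    """Levels that are unchanged by 'undo ... rearrange' followed by adding it again."""
    return [lv for lv in range(16) if rearranged(restored(lv)) == lv]


def covers(command_key, command):
    """Prefix-based matching; comparing whole words is an assumption of this sketch."""
    key, words = command_key.split(), command.split()
    return words[:len(key)] == key


def audit(config_text, defaults=DEFAULT_LEVELS):
    """Return findings as tuples (kind, view, command, configured_level, reference)."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    rearrange_on = REARRANGE in lines      # an 'undo ...' line does not match
    top = 15 if rearrange_on else 3
    findings = []
    for ln in lines:
        m = RULE_RE.fullmatch(ln)
        if not m:
            continue
        level, view, key = int(m.group(1)), m.group(2), m.group(3)
        if level > top:                    # value not accepted in this mode
            findings.append(("out-of-range", view, key, level, top))
            continue
        hits = sorted(c for c in defaults if covers(key, c))
        if not hits:                       # default not known here: review by hand
            findings.append(("default-unknown", view, key, level, None))
        for cmd in hits:
            base = rearranged(defaults[cmd]) if rearrange_on else defaults[cmd]
            if level < base:               # reachable by lower-level users than by default
                findings.append(("lowered", view, cmd, level, base))
    return findings


# Constructed sample configurations.
CONFIG_REARRANGED = """
sysname HUAWEI
command-privilege level rearrange
command-privilege level 5 view shell save
command-privilege level 1 view shell display
command-privilege level 10 view system diagnose
"""

CONFIG_DEFAULT = """
sysname HUAWEI
undo command-privilege level rearrange
command-privilege level 5 view shell save
command-privilege level 2 view shell display current-configuration
"""

if __name__ == "__main__":
    for name, cfg in (("rearranged", CONFIG_REARRANGED), ("default", CONFIG_DEFAULT)):
        for finding in audit(cfg):
            print(name, finding)
    print("levels that survive undo + re-add:", lossless_levels())
```

In the first sample the single rule on the prefix display lowers four management-level and configuration-level display commands to level 1, while display this, display hotkey, and display history-command are not reported because their defaults are already 1 or 0.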

3.1.7 commit
Function
The commit command commits a configuration and generates a configuration rollback point.

Format
commit [ trial [ time ] ] [ label label ] [ description description ]

Parameters
Parameter                 Description                    Value
trial time                Specifies the timeout period   The value is an integer ranging from 60 to
                          for the trial running of a     65535, in seconds. The default value is 600
                          configuration.                 seconds.
label label               Specifies the user label of    The value is a string of 1 to 256
                          a configuration rollback       case-sensitive characters without spaces. It
                          point.                         must start with a letter and cannot be a
                                                         hyphen (-).
description description   Specifies the description of   The value is a string of 1 to 60
                          a configuration rollback       case-sensitive characters with spaces.
                          point.

Views
All views (excluding the user view)

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
When performing configurations in two-stage mode, perform the following operations:
● Edit a configuration in the first stage.
● Run the commit command to commit the configuration in the second stage. The new
  configuration then takes effect in the current system.
If you want to add descriptions about configuration rollback, run the commit description
description command in two-stage mode. Run the display configuration commit list
verbose command to view the descriptions.
To enable the trial running of a configuration, run the trial command. This configuration
enables the trial running of new functions and services without interrupting the services
running on the live network, which improves network reliability. The time parameter specifies
the timeout period for the trial running of a configuration. When the trial running time
expires, the configuration that has been run in trial rolls back automatically. The system
configuration restores to the configuration status before the configuration is committed. To
validate the configuration that has been run in trial, reconfigure the function and commit the
configuration.

NOTE

During the trial running of a configuration, other users cannot perform any configuration on the device,
and if the local user performs an operation and runs the commit command to commit the configuration,
the configuration in trial running is also committed and the system exits from the trial running status and
enters the normal configuration mode.

You can run the display configuration trial status command to check whether a system
configuration is in the trial running status and the remaining time of the trial running. If you
want to end the trial running status in advance, run the abort trial command to disable the
trial running of a configuration.
Prerequisites
You can edit a configuration only after you have run the system-view command to enter a
system view in two-stage mode.
Precautions
The system configurations change, including the configurations in two-stage mode.
You do not need to run the commit command for commands executed in the user view to
take effect.
In two-phase validation mode, you must run the commit command for the configuration to
take effect. However, you do not need to run the commit command in the following cases:
● Query commands (such as display interface) are run.
● Maintenance commands (such as slave switchover, dual-active restore, stack upgrade
  fast rollback-timer, stack upgrade fast stack member, switch mode, and reset
  keepalive packets count) are run.
● Commands are run to enter the existing views (such as the stack view and physical
  interface view) on a physical device. For example, the interface 10ge1/0/1 command is
  run.
● The existing configurations on a device are reconfigured.

Example
# Edit a configuration and commit it to make the change take effect.
<HUAWEI> system-view
[~HUAWEI] vlan 7
[*HUAWEI-vlan7] commit

# Set the configuration rollback information when committing a command.
<HUAWEI> system-view
[~HUAWEI] sysname ROLLBACK
[*HUAWEI] commit description This is a new name
[~ROLLBACK] display configuration commit list verbose
1) CommitId: 1000002027
Label: -
User: huawei
User-Intf: VTY 4
Type: CLI
TimeStamp: 2012-08-22 23:10:49+08:00
Description: This is a new name

3.1.8 diagnose
Function
The diagnose command enters the diagnostic view from the system view.

Format
diagnose

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Diagnostic commands are mainly used for fault diagnosis. However, running some commands
may cause device faults or service interruptions. Therefore, use these commands under the
instruction of technical support personnel.

Example
# Enter the diagnostic view.
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose]

3.1.9 display command alias


Function
The display command alias command displays configuration information of the command
alias.

Format
display command alias

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
To view configuration information of command alias on a device, run the display command
alias command.

Example
# Display configuration information of the command alias.
<HUAWEI> display command alias
show = display
showif $ifnum $iftype = display interface $iftype $ifnum

3.1.10 display configuration candidate

Function
The display configuration candidate command displays uncommitted configurations or all
configurations in the system.

Format
display configuration candidate [ merge ]

Parameters
Parameter   Description                                                      Value
merge       Displays all the configurations in the system, including        -
            committed configurations and uncommitted configurations.
            If you do not specify this keyword, the command displays only
            uncommitted configurations.

Views
All views in two-stage configuration mode

Default Level
2: Configuration level

NOTE
If the merge parameter is used, the default level of the command is the management level.

Usage Guidelines
Usage Scenario
You can run the display configuration candidate command to check whether a configuration
to be committed is correct and whether it conflicts with existing configurations.
Prerequisites
A configuration has been edited in two-stage mode.

Example
# Display uncommitted configurations.
<HUAWEI> system-view
[~HUAWEI] ftp server enable
[*HUAWEI] display configuration candidate
ftp server enable

3.1.11 display history-command


Function
The display history-command command displays the historical commands stored on the
current device.

Format
display history-command [ all-users ]

Parameters
Parameter   Description                                                      Value
all-users   Displays information about all successfully matched commands    -
            the users executed.
            If the parameter is not specified, successfully matched
            historical commands the current user executed are displayed.

Views
All views

Default Level
0: Visit level

NOTE
If the all-users parameter is used, the default level of the command is the management level.

Usage Guidelines
Usage Scenario
You can run this command to check historical commands the user has executed recently. This
command facilitates information search. Historical commands are recorded in circular mode.

The display history-command and display history-command all-users commands display a
maximum of 10 and 200 historical commands, respectively.

Precautions

All the historical commands entered by a user are automatically saved on the terminal, that is,
any input that ends with Enter is saved as a historical command.

NOTE

● Historical commands are saved in the same format as that used in the input. If a command that is
  entered by a user is in an incomplete format, the saved historical command is also in the incomplete
  format.
● If a user runs a command several times, only the latest command is saved on the device. If the
  command is entered in different formats, they are considered as different commands.

You can view historical commands using the following methods:

● To view the previous historical command, press the Up arrow key or Ctrl+P.
  If there is an earlier historical command, the earlier historical command is displayed.
● To view the next historical command, press the Down arrow key or Ctrl+N.
  If there is a new historical command, the new historical command is displayed.
NOTE

Access to historical commands using the Up arrow key does not apply to Windows 9X. The Up arrow
key has different functions in Windows 9X and needs to be replaced by shortcut keys Ctrl+P.

Example
# Display the historical commands that have been executed on the current terminal.
<HUAWEI> display history-command
system-view
user-interface vty 0 4
user privilege level 15
quit

3.1.12 display hotkey

Function
The display hotkey command displays the status of the defined, undefined, and system
hotkeys.

Format
display hotkey

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
After you understand the defined, undefined, and system hotkeys in the system, you can use
hotkeys to quickly enter commands. To redefine hotkeys for a command, run the hotkey
command.
The system allows hotkeys in places where commands can be entered, and displays the
commands corresponding to hotkeys. You can run the display hotkey command to view the
commands corresponding to hotkeys.

Example
# Display defined, undefined, and system hotkeys.
<HUAWEI> display hotkey
----------------- HOTKEY -----------------

=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display ip routing-table
CTRL_O undo debugging all

=Undefined hotkeys=
Hotkeys Command
CTRL_U NULL

=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection when connecting.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_T Kill outgoing connection.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the user view.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.

Table 3-2 Description of the display hotkey command output


Item                Description
Defined hotkeys     Defined hotkeys.
Undefined hotkeys   Undefined hotkeys.
System hotkeys      System hotkeys.

3.1.13 display language character-set


Function
The display language character-set command displays the character set in the system or
Chinese character set supported on the terminal login software.

Format
display language character-set [ test ]

Parameters
Parameter   Description                                                      Value
test        Displays the character set in the system and Chinese            -
            character set supported on the terminal login software.
            If this parameter is not specified, only the character set in
            the system is displayed.

Views
All views

Default Level
0: Visit level

Usage Guidelines
The system and terminal login software must use the same character set; otherwise, Chinese
characters may be displayed as garbled characters. You can run the display language
character-set [ test ] command to view the character set in the system and Chinese character
set supported on the terminal login software.

Example
# Display the character set in the system.
<HUAWEI> display language character-set
Current language character set encode : GBK

Table 3-3 Description of the display language character-set command output


Item                                    Description
Current language character set encode   Character set in the system.

3.1.14 display sysname


Function
The display sysname command displays a device host name.

Format
display sysname

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
The host name determines the command interface prompt. For example, if the host name is
HUAWEI, the user interface prompt is <HUAWEI>.
You can run this command to view the host name of the current device.

Example
# Display the device host name.
<HUAWEI> display sysname
HUAWEI

3.1.15 display terminal command alias


Function
The display terminal command alias command displays whether the command alias
function is enabled for the current terminal.

Format
display terminal command alias

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can run the terminal command alias command to enable the command alias function for
the current terminal. To view whether the command alias function is enabled for the current
terminal, run the display terminal command alias command.

Example
# After the command alias function is enabled, display the status of the current terminal.
<HUAWEI> display terminal command alias
Info: Current terminal command alias feature is enable.

# After the command alias function is disabled, display the status of the current terminal.
<HUAWEI> display terminal command alias
Info: Current terminal command alias feature is disable.

3.1.16 display this

Function
The display this command displays the running configuration in the current view.

Format
display this [ include-default ]

Parameters
Parameter         Description                                               Value
include-default   Displays both the configurations that users have         -
                  performed and default configurations.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario

After the configurations are complete in a certain view, run the display this command to
check the current configurations.

If include-default is not specified, the display this command displays only configurations
that users have performed. If include-default is specified, the display this command displays
both default configurations and configurations that users have performed.

Precautions

● If a configuration parameter uses the default value, this parameter is not displayed.
  Parameters that have been set but not committed successfully are also not displayed by
  display this.
● If you run the display this command in an interface view, configuration of the interface
  view is displayed. If you run this command in a protocol view, configuration of the
  protocol view is displayed.
● Configuration information marked with * in the front in the command output indicates
  the offline configuration.

Example
# Display the running configuration in the current view.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] display this
#
interface 10GE1/0/1
port link-type trunk
#
return

# Display the configurations that take effect in the current view on the system and default
configurations. (The command output is not all listed.)
<HUAWEI> system-view
[~HUAWEI] display this include-default
#
sysname HUAWEI
#
undo command-privilege level rearrange
#
FTP server enable
FTP server port 21
...

3.1.17 display configuration trial status

Function
The display configuration trial status command displays the trial running status of a system
configuration.

Format
display configuration trial status


Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
To view the trial running status of a system configuration, run the display configuration trial
status command.

Trial running is initiated by NETCONF. If the trial running packets carry the persistency
mark, the trial running status information of a system configuration contains the persistency
mark.

Example
# Display the trial running status of a system configuration.
<HUAWEI> display configuration trial status
Trial status: ACTIVE
Trial time left (sec): 51

# Display the trial running status of a system configuration when trial running is initiated by
NETCONF and the trial running packets carry the persistency mark whose value is IQ,d4668.
<HUAWEI> system-view
[~HUAWEI] display configuration trial status
Trial status: ACTIVE
Persist id: IQ,d4668
Trial time left (sec): 30

Table 3-4 Description of the display configuration trial status command output

Item | Description
Trial status | Trial running status of a system configuration. The value can be INACTIVE (the configuration is not in the trial running status), ACTIVE (the configuration is in the trial running status), CANCELING (the trial run of the configuration is being canceled), or WAITCANCEL (the trial run of the configuration is waiting to be canceled).
Trial time left (sec) | Remaining time of a trial run
Persist id | Persistency mark
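
A parser for the command output described in Table 3-4, useful when a script must decide whether an unconfirmed trial configuration is about to roll back. This is an added example, not code from this reference; the 60-second margin, the function names, and the assumption that an INACTIVE output may omit the countdown line are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The four states listed in Table 3-4.
TRIAL_STATES = {"INACTIVE", "ACTIVE", "CANCELING", "WAITCANCEL"}

# One "Name: value" line of the display configuration trial status output.
_FIELD = re.compile(
    r"^\s*(Trial status|Persist id|Trial time left \(sec\))\s*:\s*(.*?)\s*$"
)

# Outputs copied from the examples on this page.
CLI_SAMPLE = """<HUAWEI> display configuration trial status
Trial status: ACTIVE
Trial time left (sec): 51
"""
NETCONF_SAMPLE = """[~HUAWEI] display configuration trial status
Trial status: ACTIVE
Persist id: IQ,d4668
Trial time left (sec): 30
"""


@dataclass
class TrialStatus:
    status: str
    persist_id: Optional[str]    # present only when NETCONF sent a persistency mark
    seconds_left: Optional[int]  # None when the output carries no countdown line


def parse_trial_status(output: str) -> TrialStatus:
    """Parse the command output; prompt lines and unknown lines are ignored."""
    fields = {}
    for line in output.splitlines():
        match = _FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)

    status = fields.get("Trial status")
    if status not in TRIAL_STATES:
        # Fail closed: an unknown state must not be treated as "no trial running".
        raise ValueError(f"unexpected or missing trial status: {status!r}")

    left = fields.get("Trial time left (sec)")
    if left is not None and not left.isdigit():
        raise ValueError(f"malformed trial time: {left!r}")

    return TrialStatus(
        status=status,
        persist_id=fields.get("Persist id"),
        seconds_left=int(left) if left is not None else None,
    )


def rollback_imminent(trial: TrialStatus, margin_sec: int = 60) -> bool:
    """True when an active trial will time out within margin_sec seconds."""
    return (
        trial.status == "ACTIVE"
        and trial.seconds_left is not None
        and trial.seconds_left <= margin_sec
    )


if __name__ == "__main__":
    for sample in (CLI_SAMPLE, NETCONF_SAMPLE):
        parsed = parse_trial_status(sample)
        print(parsed, "rollback imminent:", rollback_imminent(parsed))
```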


3.1.18 header
Function
The header command configures header information displayed on a terminal when users log
in to a connected device.
The undo header command deletes header information displayed on a terminal when users
log in to a connected device.
By default, no header information is displayed on a terminal when users log in to a connected
device.

Format
header { login | shell } { information text | file file-name }
undo header { login | shell }

Parameters
Parameter | Description | Value
login | Indicates header information displayed on a terminal when a user logs in to the device and a connection between the terminal and the device is activated. | -
shell | Indicates the header displayed on a terminal when the session is set up after the user logs in to the connected device. | -
information text | Specifies the header information and content. | The value is a string. The maximum length of the string that can be entered at one time is 480 characters. The value can contain spaces, and starts and ends with the same character that is not displayed.
file file-name | Specifies the file name that the header uses. | The value is a string. The maximum length of the string is 64 characters. The file name must be in the [drive] [path] [file name] format, where [path] is the absolute path of the file. The maximum header file size is 2 KB. If the file size is greater than 2 KB, only the first 2 KB file information can be displayed.


Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To provide some prompts or alarms to users, you can use the header command to configure a
title on the device. If a user logs in to the device, the title is displayed.
You can directly define header information by specifying the information text parameter, or
configure the content of a specified file as header information by specifying the file file-name
parameter.
- If the information parameter is specified, the header content must start and end with the same case-insensitive letter. For example, the header content abcda starts and ends with a, and header information displayed on the terminal is bcd. You cannot press Enter to enter information in the next line.
- If the file file-name parameter is specified, all the header content is header information displayed on the terminal without any start or end character, and you can press Enter to enter information in the next line.
When a terminal connection is activated and you attempt to log in (for example, before
entering the user name and password), the terminal displays the content of the title that is set
using the header login command. After the successful login, the terminal displays the content
of the title that is configured using the header shell command.
Precautions
- Before setting the login parameter, you must set login authentication parameters; otherwise, no header information about authentication is displayed.
- Before setting the file parameter, ensure that the file containing the header exists; otherwise, the file name cannot be obtained.
- If the header command is configured several times, only the latest configuration takes effect.
- After the login title is configured, any user that logs in to the system can view the title.

Example
# Configure a shell header "Hello!".
<HUAWEI> system-view
[~HUAWEI] header shell information "Hello!"
[*HUAWEI] commit
[~HUAWEI] quit
<HUAWEI> quit // Log off.

# Press Enter. The shell header is displayed when the user logs in again.
Hello!
<HUAWEI>

# Specify the file that stores a login header.
<HUAWEI> system-view
[~HUAWEI] header login file flash:/header-file.txt

3.1.19 hotkey

Function
The hotkey command sets a shortcut key for a command.

The undo hotkey command restores the system shortcut keys to the default values.

By default, the system sets default values for three shortcut keys, CTRL+G, CTRL+L, and CTRL+O, and does not set a default value for CTRL+U.

Format
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

undo hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U }

Parameters

Parameter | Description | Value
CTRL_G | Specifies the shortcut key Ctrl+G for a command. | -
CTRL_L | Specifies the shortcut key Ctrl+L for a command. | -
CTRL_O | Specifies the shortcut key Ctrl+O for a command. | -
CTRL_U | Specifies the shortcut key Ctrl+U for a command. | -
command-text | Specifies the associated command line for shortcut keys. | It is a string of 1 to 240 case-sensitive characters, with spaces supported. NOTE: When defining shortcut keys, mark the command with double quotation marks if the command consists of several words or the command includes spaces, and do not mark the command with double quotation marks if the command consists of only one word or the command includes no space.

Views
System view

Default Level
2: Configuration level


Usage Guidelines
Usage Scenario
You can set a shortcut key for a command that is often used; you can also change the default
value of the shortcut key that is defined by the system according to your requirements.
Users can customize four shortcut keys: CTRL+G, CTRL+L, CTRL+O, and CTRL+U.
- By default, the shortcut key CTRL+G corresponds to the display current-configuration command, which displays the current configuration.
- By default, the shortcut key CTRL+L corresponds to the display ip routing-table command, which displays routing table information.
- By default, the shortcut key CTRL+O corresponds to the undo debugging all command, which stops the output of all debugging information.
When specifying command-text, you can enter the abbreviated form of a command. For example, you can enter the hotkey CTRL_G "display cur" command instead of the hotkey CTRL_G "display current-configuration" command. The two forms function the same.
After you use the hotkey command to set a shortcut key for a command, you can run the command by pressing the shortcut key or by entering the command.
Configuration Impact
One shortcut key can be associated with only one command. If you run this command several times to associate a shortcut key with multiple commands, only the last association takes effect.

Example
# Assign the display tcp status command for the shortcut key CTRL+L.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_l "display tcp status"
[*HUAWEI] commit
[~HUAWEI] display hotkey
----------------- HOTKEY -----------------

=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display tcp status
CTRL_O undo debugging all

=Undefined hotkeys=
Hotkeys Command
CTRL_U NULL

=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection when connecting.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_T Kill outgoing connection.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the user view.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.

3.1.20 language character-set


Function
The language character-set command configures the character set in the system.
The undo language character-set command restores the default character set in the system.
The default character set in the system is ISO8859-1.

Format
language character-set character
undo language character-set

Parameters
Parameter | Description | Value
character | Specifies the character set in the system. | Currently, the system supports the following character sets: GBK, UTF-8, and ISO8859-1.

Views
System view

Default Level
3: Management level

Usage Guidelines
You can configure the character set so that the system supports Chinese or English input. The
character set facilitates device identification and management, for example, configured
Chinese device name and VLAN description.
Currently, the system supports the following character sets: GBK, UTF-8, and ISO8859-1.
GBK and UTF-8 support both English and Chinese input, whereas ISO8859-1 supports only
English input. To enter Chinese characters on the device, configure GBK or UTF-8 according
to the character set supported on the terminal login software. You can run the display
language character-set test command to view the character sets in the system and on the
terminal login software.

NOTE

If the character sets in the system and on the terminal login software are different, Chinese characters
may be displayed as garbled characters.

Example
# Configure GBK as the character set in the system.
<HUAWEI> system-view
[~HUAWEI] language character-set GBK
Change language character-set, confirm? [Y/N]:y

3.1.21 quit

Function
The quit command returns from the current view to a lower-level view. If the current view is
the user view, this command exits from the system.

Format
quit

Parameters
None

Views
All views

Default Level
0: Visit level

Usage Guidelines
Usage Scenario

Three types of views are available and they are listed as follows from a lower level to a higher
level:

- User view
- System view
- Service view, such as interface view

Run the quit command to return to a lower-level command view from the current view. If you
are in the user view currently, after you run the quit command, you quit from the system.


In two-phase mode, if some configurations are not committed, a message is displayed when
the quit command is run to return to the user view from the system view. You can enter Y, N,
or C after the message is displayed.
- Y: Configurations not committed are saved in the current configuration file, and the user view is displayed.
- N: Configurations not committed are discarded, and the user view is displayed.
- C: Configurations not committed remain unchanged, and the current view is kept.

Example
# Return to the system view from the AAA view, and then return to the user view. After this,
quit the system.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] quit
[~HUAWEI] quit
<HUAWEI> quit

3.1.22 reset history-command

Function
The reset history-command command deletes history commands entered by the current user
in the system.

Format
reset history-command

Parameters
None

Views
User view

Default Level
0: Visit level

Usage Guidelines
This command deletes only the history commands entered by the current user, not those entered by other users. Deleted history commands can no longer be displayed.

Example
# Delete history commands entered by the current user.
<HUAWEI> reset history-command


3.1.23 reset history-command all-users

Function
The reset history-command all-users command deletes the historical commands of all users
in the system.

Format
reset history-command all-users

Parameters
None

Views
User view

Level
3: Management level

Task Name and Operations


Task Name | Operations
cli | write

Usage Guidelines
The reset history-command all-users command deletes only the query results of the display
history-command all-users command. Query results of the display history-command
command are not affected.

Example
# Delete the historical commands of all users.
<HUAWEI> reset history-command all-users

3.1.24 return

Function
The return command returns to the user view from any view other than the user view.

Format
return


Parameters
None

Views
All views

Default Level
0: Visit level

Usage Guidelines
In other views, you can use the return command to return to the user view.
- If the current view is not the user view, running this command returns to the user view.
- If the current view is the user view, running this command causes no change.
- The shortcut key <Ctrl+Z> has the same function as the return command.

Example
# Return to the user view from the user interface view.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] return
<HUAWEI>

3.1.25 system-view
Function
The system-view command enables you to enter the system view from the user view.

Format
system-view [ immediately ]

Parameters
Parameter | Description | Value
immediately | Indicates that the configuration takes effect immediately. | -

Views
User view

Default Level
2: Configuration level


Usage Guidelines
Usage Scenario

You must configure the device in the system view. Run this command in the user view to
enter the system view.

The system supports two configuration validation modes: immediate validation and two-phase
validation.
- You can run the system-view command to enter the system view and edit the configuration in two-phase validation mode. In two-phase validation mode, the configuration takes effect after you run the commit command.
- You can run the system-view immediately command to enter the system view and edit the configuration in immediate validation mode. In immediate validation mode, after you input a command line and press Enter, the configuration takes effect immediately.

Precautions

In a command line prompt, HUAWEI is the default device name. The prompt indicates the
current view. <HUAWEI> indicates the user view. [HUAWEI] indicates the immediate
validation mode of the system view. [~HUAWEI] indicates the two-phase validation mode of
the system view.

Example
# Enter the system view.
<HUAWEI> system-view
Enter system view, return user view with return command.
[~HUAWEI]

3.1.26 terminal command alias

Function
The terminal command alias command enables the command alias function for the current
terminal.

The undo terminal command alias command disables the function.

By default, the function is enabled.

Format
terminal command alias

undo terminal command alias

Parameters
None

Views
User view


Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

The alias configured by the alias command can take effect only when the command alias
function is enabled.

If you run the undo terminal command alias command to disable the command alias
function for the current terminal, the command alias function can still be configured, and the
configuration information of command alias is not deleted, but the alias configured cannot
take effect.

Precautions

The terminal command alias command takes effect only on the current terminal.

The command alias function can only be used in human-to-machine mode.

Example
# Disable the command alias function for the current terminal.
<HUAWEI> undo terminal command alias

3.1.27 timestamp enable

Function
The timestamp enable command enables the timestamp function for a system.

The undo timestamp enable command disables the timestamp function.

By default, the timestamp function is disabled for a system.

Format
timestamp enable

undo timestamp enable

Parameters
None

Views
System view

Default Level
2: Configuration level


Usage Guidelines
After the timestamp function is enabled, the system adds the query time to the output of the
display command.

Example
# Enable the timestamp function for the system.
<HUAWEI> system-view
[~HUAWEI] timestamp enable
[*HUAWEI] commit
[~HUAWEI] display this
2014-08-19 14:39:39.227

sysname HUAWEI

vlan batch 10

dldp enable

ip route-static 0.0.0.0 0.0.0.0 192.168.80.1

lldp enable

user-interface maximum-vty 15

timestamp enable

return

3.2 ZTP Commands


3.2.1 display system ztp

Function
The display system ztp command displays whether the system completes deployment
through ZTP or whether the system starts the ZTP process at the next startup without
configuration.

Format
display system ztp

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
None

Example
# Check whether the system completes deployment through ZTP.
<HUAWEI> display system ztp
---------------------------------------------------------
Slot Last startup ZTP status Next startup ZTP status
---------------------------------------------------------
1 disable enable
---------------------------------------------------------

Table 3-5 Description of the display system ztp command output

Item | Description
Slot | Slot ID.
Last startup ZTP status | Whether the system completes deployment through ZTP at the last startup without configuration: enable (yes) or disable (no).
Next startup ZTP status | Whether the system starts the ZTP process at the next startup without configuration: enable (yes) or disable (no).

3.2.2 set ztp { enable | disable }

Function
The set ztp enable command enables the ZTP function on the device.

The set ztp disable command disables the ZTP function on the device.

By default, the ZTP function is enabled on devices.

Format
set ztp enable

set ztp disable

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
By default, the ZTP function is enabled so that an unconfigured device can start the ZTP process during a startup. To prevent an unconfigured device from starting the ZTP process during a startup, disable the ZTP function on the device.

Example
# Disable the ZTP function.
<HUAWEI> set ztp disable

3.3 USB-based Deployment Configuration Commands


3.3.1 set device usb-deployment disable


Function
The set device usb-deployment disable command disables the USB-based deployment
function.
The undo set device usb-deployment disable command enables the USB-based deployment
function.
By default, the USB-based deployment function is disabled.

Format
set device usb-deployment disable
undo set device usb-deployment disable

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
After the USB-based deployment function is enabled on a device, the device can be upgraded
once a qualified USB flash drive is connected to the device. After the USB-based deployment
function takes effect, to enhance device security and avoid service interruption caused by
unnecessary version upgrades, disable the USB-based deployment function. After the USB-
based deployment function is disabled, the device cannot be upgraded using any qualified
USB flash drive.

Example
# Enable the USB-based deployment function.
<HUAWEI> system-view
[~HUAWEI] undo set device usb-deployment disable

3.3.2 set device usb-deployment password


Function
The set device usb-deployment password command sets an authentication password for
USB-based deployment.
The undo set device usb-deployment password command deletes the authentication
password for USB-based deployment.


By default, no authentication password is configured for USB-based deployment.

Format
set device usb-deployment password [ password ]

undo set device usb-deployment password

Parameters

Parameter | Description | Value
password | Specifies the authentication password for USB-based deployment. | When the password parameter is not specified, the password is entered in interactive mode. The value is a string of 6 to 32 characters or a string of 20 to 392 case-sensitive characters without spaces. The password can be in plain or cipher text. When the password parameter is specified, the password can be entered in plain or cipher text. The password in plain text is a string of 6 to 32 case-sensitive characters without spaces. A secure password must contain at least two types of the following: uppercase letters (A to Z), lowercase letters (a to z), digits, and special characters. The password in cipher text is a string of 20 to 432 characters. The password is displayed in ciphertext in the configuration file regardless of whether it is input in plaintext or cipher text.

Views
System view

Default Level
3: Management level

Usage Guidelines
During USB-based deployment, you can check the HMAC of the configuration file to be
loaded to ensure validity of the configuration file. After an authentication password is
configured, the device uses the password as the key to calculate the HMAC of the
configuration file to be loaded based on the HMAC-SHA256 algorithm and compares the
calculated HMAC with the value of the HMAC field in the index file. If the two HMAC
values are the same, the device considers the configuration file valid, and USB-based
deployment can be performed. Otherwise, the device considers the configuration file invalid,
and USB-based deployment cannot be performed.
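
The check described above, reproduced off-device so that the HMAC can be computed when the USB drive is prepared and a modified file can be seen to fail. This is an added example, not Huawei's code; the UTF-8 encoding of the password, the hexadecimal form of the HMAC field, and the sample configuration are assumptions, because this page does not give the index file format.

```python
import hashlib
import hmac
import io
import string

_HEX = set(string.hexdigits)

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = b"#\nsysname HUAWEI\n#\nvlan batch 10\n#\nreturn\n"


def config_hmac(password: str, stream, chunk_size: int = 65536) -> str:
    """HMAC-SHA256 of a configuration file, keyed with the deployment password.

    The stream is read in chunks so that large files are not held in memory.
    Assumption: the password is used as the key in its UTF-8 byte form.
    """
    mac = hmac.new(password.encode("utf-8"), digestmod=hashlib.sha256)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        mac.update(chunk)
    return mac.hexdigest()


def verify_config(password: str, stream, index_hmac_field: str) -> bool:
    """Compare the calculated HMAC with the value of the HMAC field.

    Assumption: the field holds 64 hexadecimal characters. Anything else is
    rejected before the comparison, so a malformed field never passes.
    """
    claimed = index_hmac_field.strip().lower()
    if len(claimed) != 64 or not set(claimed) <= _HEX:
        return False
    # compare_digest avoids leaking, through timing, how many leading
    # characters of the claimed value were correct.
    return hmac.compare_digest(config_hmac(password, stream), claimed)


if __name__ == "__main__":
    password = "Pwd123456"  # the password used in the example on this page
    tag = config_hmac(password, io.BytesIO(SAMPLE_CONFIG))
    print("HMAC field value:", tag)

    tampered = SAMPLE_CONFIG.replace(b"vlan batch 10", b"vlan batch 20")
    print("original valid:", verify_config(password, io.BytesIO(SAMPLE_CONFIG), tag))
    print("tampered valid:", verify_config(password, io.BytesIO(tampered), tag))
```

Because the password is the HMAC key, anyone who knows it can produce a configuration file that the device accepts, so it needs the same protection as any other device credential.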


Example
# Set the authentication password for USB-based deployment to Pwd123456.
<HUAWEI> system-view
[~HUAWEI] set device usb-deployment password Pwd123456

3.4 First Login Commands

3.4.1 clock datetime


Function
The clock datetime command sets the current date and time on the switch.

Format
clock datetime [ utc ] HH:MM:SS YYYY-MM-DD

Parameters
Parameter | Description | Value
utc | Indicates the UTC time. | -
HH:MM:SS | Specifies the current time on the switch. | HH specifies the hour, which is an integer ranging from 0 to 23. MM specifies the minute, which is an integer ranging from 0 to 59. SS specifies the second, which is an integer ranging from 0 to 59.
YYYY-MM-DD | Specifies the current date (year, month, and day) on the switch. | YYYY specifies the year, which is an integer ranging from 2000 to 2037. MM specifies the month, which is an integer ranging from 1 to 12. DD specifies the day, which is an integer ranging from 1 to 31.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
In the scenario where accurate absolute time is required, the current date and time must be set
on the switch.
Prerequisite
The time zone and daylight saving time have been configured using the clock timezone and
clock daylight-saving-time commands. If the time zone and daylight saving time are not
configured, the clock datetime command sets a UTC time.
Precautions
- The specified time must be in 24-hour format. If you do not specify MM and SS, their values are 0. You must enter at least one digit to specify HH. For example, when you enter 0, the time is 00:00:00.
- The specified year must be a four-digit number and the specified month and day can be a one-digit number. For example, when you enter 2012-9-1, the time is 2012-09-01.
- If the device is configured to restart at a specified time and if the system time is changed to be more than 10 minutes later than the specified restart time, the scheduled restart function will be disabled.

Example
# Set the current time and date of the system to 0:0:0 2012-01-01.
<HUAWEI> clock datetime 0:0:0 2012-01-01

3.4.2 clock date-format

Function
The clock date-format command sets the date format on a device.
The undo clock date-format command restores the default date format on a device.
By default, the date format of a device is YYYY-MM-DD.

Format
clock date-format { MM-DD-YYYY | YYYY-MM-DD }
undo clock date-format

Parameters
Parameter | Description | Value
MM-DD-YYYY | Indicates that the date format is MM-DD-YYYY, standing for month-day-year. | -
YYYY-MM-DD | Indicates that the date format is YYYY-MM-DD, standing for year-month-day. | -

Views
All views

Default Level
3: Management level


Task Name and Operations


Task Name | Operations
system | write

Usage Guidelines
To change the date format on a device, run the clock date-format command.

Example
# Set the date format to MM-DD-YYYY.
<HUAWEI> clock date-format MM-DD-YYYY

3.4.3 clock daylight-saving-time


Function
The clock daylight-saving-time command sets the name, start time, and end time of the
daylight saving time (DST).
The undo clock daylight-saving-time command cancels the DST settings.
By default, DST is not used.

Format
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date
offset
clock daylight-saving-time time-zone-name repeating start-time { first | second | third |
fourth | last } weekday month end-time { first | second | third | fourth | last } weekday
month offset [ start-year [ end-year ] ]
clock daylight-saving-time time-zone-name repeating start-time start-date1 end-time end-
date1 offset [ start-year [ end-year ] ]
undo clock daylight-saving-time

Parameters
Parameter | Description | Value
time-zone-name | Specifies the name of the DST zone. | The value is a string of 1 to 32 characters.
one-year | Specifies an absolute daylight saving time, which takes effect only for the daylight saving time configured within a specific year. | -
repeating | Specifies a periodic daylight saving time, that is, the daylight saving time is set in each year since a specific year. | -
start-time | Specifies the DST start time. | The start time is in 24-hour format hh:mm. hh specifies the hour, which is an integer ranging from 0 to 23. mm specifies the minute, which is an integer ranging from 0 to 59. If mm is not specified, DST starts on the hour. You must enter at least one digit to specify hh. For example, when you enter 0, the start time is 00:00.
start-date | Specifies the DST start date. | The start date is in the format YYYY-MM-DD. YYYY specifies the year, which is an integer ranging from 2000 to 2037, MM specifies the month, which is an integer ranging from 1 to 12, and DD specifies the day, which is an integer ranging from 1 to 31.
end-time | Specifies the DST end time. | The end time is in 24-hour format hh:mm. hh specifies the hour, which is an integer ranging from 0 to 23. mm specifies the minute, which is an integer ranging from 0 to 59. If mm is not specified, DST ends on the hour. You must enter at least one digit to specify hh. For example, when you enter 0, the end time is 00:00.
end-date | Specifies the DST end date. | The end date is in the format YYYY-MM-DD. YYYY specifies the year, which is an integer ranging from 2000 to 2037, MM specifies the month, which is an integer ranging from 1 to 12, and DD specifies the day, which is an integer ranging from 1 to 31. NOTE: The start and end months must be different, and the value obtained by deducting the start time from the end time must be greater than the offset value.
first | Specifies the first workday in a month. | -
second | Specifies the second workday in a month. | -
third | Specifies the third workday in a month. | -
fourth | Indicates the fourth workday in a month. | -
last | Specifies the last workday in a month. | -
weekday | Specifies a day of the week. | The value is Mon, Tue, Wed, Thu, Fri, Sat, or Sun.
month | Specifies a month. | The value is Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, or Dec.
start-date1 | Specifies the DST start date. | The start date is in the format MM-DD. MM specifies the month, which is an integer ranging from 1 to 12, and DD specifies the day, which is an integer ranging from 1 to 31.
end-date1 | Specifies the DST end date. | The end date is in the format MM-DD. MM specifies the month, which is an integer ranging from 1 to 12, and DD specifies the day, which is an integer ranging from 1 to 31.
offset | Specifies the DST offset. | The value is in the format of HH:MM, where HH indicates the hour and MM indicates the minute. The value ranges from 00:01 to 02:00.
start-year | Specifies the start year. | The start year is in the format YYYY and ranges from 2000 to 2037.
end-year | Specifies the end year. | The end year is in the format YYYY and ranges from 2000 to 2037.

Views
User view, system view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

DST, also referred to as summer time, is a convention intended to save resources. In high
latitude areas, sunrise time is earlier in summer than in winter. To reduce use of incandescent
lighting in the evenings and save energy, clocks are adjusted forward one hour.

Users can customize the DST zone according to their countries' or regions' convention. In
addition, users can set how far ahead clocks are adjusted forward, usually an hour. With DST
enabled, when it is time to start DST, the system time is adjusted according to the user-
specified DST. When it is time to end DST, the system time automatically returns to the
original time.

Configuration Impact

To configure DST, note the following:

- The time in logs and debugging information uses the local time adjusted based on the
  time zone and the configured DST.
- The time in the output of the display commands uses the local time adjusted based on
  the time zone and the configured DST.

To remove configurations for DST, note the following:

- If DST has already taken effect when you remove the configurations, the device will
  adjust its clock by subtracting the value of the offset parameter from the current time.
- If DST has not taken effect, removing the configurations will not affect the system time.

Precautions

- The DST is configured in the summer. The DST duration ranges from one day to one
  year.
- You can configure the start time and end time for periodic DST in one of the following
  modes: date+date and week+week.

Example
# Set periodic DST.
<HUAWEI> system-view
[~HUAWEI] clock daylight-saving-time bj repeating 0 first sun jan 0 first sun apr 2 2009 2009

# Set periodic DST by day.


<HUAWEI> system-view
[~HUAWEI] clock daylight-saving-time bj repeating 12:11 1-1 1:0 3-4 1

# Set absolute DST.


<HUAWEI> system-view
[~HUAWEI] clock daylight-saving-time bj one-year 12:11 2010-10-2 1:00 2010-11-4 1

3.4.4 clock timezone

Function
The clock timezone command sets the local time zone.

The undo clock timezone command deletes the local time zone.

If you do not specify the time zone name, the system uses DefaultZoneName.

Format
clock timezone time-zone-name { add | minus } offset

undo clock timezone

Parameters

Parameter Description Value

time-zone-name Specifies the time zone name. The name is a string of 1 to 32 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

add Specifies the offset from the UTC for the time zone specified by time-zone-name. That is, the sum of the default UTC time zone and offset is equal to the time zone specified by time-zone-name. -

minus Specifies the offset from the UTC for the time zone specified by time-zone-name. That is, the remainder obtained by subtracting offset from the default UTC time zone is equal to the time zone specified by time-zone-name. -

offset Specifies the offset from the UTC. Format: HH:MM:SS
- HH specifies the hour, which is an integer ranging from 0 to 18.
- MM and SS specify the minute and second respectively, and both range from 0 to 59.
- When HH is set to the maximum value, the MM and SS values must be 0.

Views
User view, System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.

System clock = UTC + Time zone offset + DST offset

To ensure normal communication between devices, set an accurate system clock. You can run
the clock timezone and clock daylight-saving-time commands to set the time zone and DST
offsets.

Precautions

- The specified time must be in 24-hour format. If you do not specify MM and SS, their
  values are 0. You must enter at least one digit to specify HH. For example, when you
  enter 0, the time is 00:00:00.
- After configuring the local time zone, run the display clock command to view the
  configuration. The time in logs and diagnostic information uses the local time adjusted
  based on the time zone and DST.

Example
# Set the local time zone name for Beijing China to BJ.

If the default UTC is London time 2012-12-01 00:00:00, Beijing time is London time plus
08:00 because the offset from UTC is 8 hours.
<HUAWEI> clock datetime 0:0:0 2012-12-01
<HUAWEI> clock timezone BJ add 08:00:00

3.4.5 display clock

Function
The display clock command displays the current date and clock setting.

Format
display clock [ utc ]

Parameters

Parameter Description Value

utc Indicates that the clock is adjusted to the Coordinated Universal Time (UTC). -

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario

You can run the display clock command to view the system date and clock setting and adjust
the setting if necessary.

Precautions

The system clock is set using the clock datetime, clock timezone, and clock daylight-
saving-time commands.

- If the three commands are not used, the original system clock is displayed after you run
  the display clock command.
- You can use any combination of the three commands to configure the system time. Table
  3-6 lists the formats of the configured time.

The table assumes that the original system time is 08:00:00 on January 1, 2010.
- 1: indicates that the clock datetime command is used, in which the current time and date
  is date-time.
- 2: indicates that the clock timezone command is used, in which the time zone parameter
  is set and the time offset is zone-offset.
- 3: indicates that the clock daylight-saving-time command is used, in which the DST
  parameters are set and the time offset is offset.
- [1]: indicates that the clock datetime command is optional.

Table 3-6 System clock setting examples

Action: 1
Configured System Time: date-time
Example:
Command: clock datetime 8:0:0 2011-11-12
Configured system time:
2011-11-12 08:00:18
Saturday
Time Zone(DefaultZoneName) : UTC

Action: 2
Configured System Time: Original system time ± zone-offset
Example:
Command: clock timezone BJ add 8
Configured system time:
2011-11-12 16:06:43+08:00
Saturday
Time Zone(BJ) : UTC+08:00

Action: 1, 2
Configured System Time: date-time ± zone-offset
Example:
Commands: clock datetime 8:0:0 2011-11-12 and clock timezone BJ add 8
Configured system time:
2011-11-12 16:06:43+08:00
Saturday
Time Zone(BJ) : UTC+08:00

Action: [1], 2, 1
Configured System Time: date-time
Example:
Commands: clock timezone BJ add 8 and clock datetime 9:0:0 2011-11-12
Configured system time:
2011-11-12 09:00:03+08:00
Saturday
Time Zone(BJ) : UTC+08:00

Action: 3
Configured System Time: If the original system time is not in the DST segment, the original system time is displayed.
Example:
Command: clock daylight-saving-time BJ one-year 6:0 2011-8-1 6:0 2011-10-01 1:0
Configured system time:
2010-01-01 06:02:51+08:00
Friday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-08-01 06:00:00
End time : 2011-10-01 06:00:00
Saving Time : 01:00:00

Action: 3
Configured System Time: If the original system time is in the DST segment, the configured system time is the original system time plus offset.
Example:
Command: clock daylight-saving-time BJ one-year 6:0 2010-1-1 6:0 2010-9-1 2:0
Configured system time:
2010-01-01 08:04:46+10:00 DST
Friday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2010
End year : 2010
Start time : 2010-01-01 06:00:00
End time : 2010-09-01 06:00:00
Saving Time : 02:00:00

Action: 1, 3
Configured System Time: If date-time is not in the DST segment, the configured system time is date-time.
Example:
Commands: clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1:0
Configured system time:
2011-11-12 09:00:11+08:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 2012-08-01 06:00:00
End time : 2012-10-01 06:00:00
Saving Time : 01:00:00

Action: 1, 3
Configured System Time: If date-time is in the DST segment, the configured system time is date-time+offset.
Example:
Commands: clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 9:0 2011-11-12 6:0 2011-12-01 2:0
Configured system time:
2011-11-12 11:00:09+10:00 DST
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-11-12 09:00:00
End time : 2011-12-01 06:00:00
Saving Time : 02:00:00

Action: [1], 3, 1
Configured System Time: If date-time is not in the DST segment, the configured system time is date-time.
Example:
Commands: clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1:0 and clock datetime 9:0 2011-11-12
Configured system time:
2011-11-12 09:00:06+08:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 2012-08-01 06:00:00
End time : 2012-10-01 06:00:00
Saving Time : 01:00:00

Action: [1], 3, 1
Configured System Time: If date-time is in the DST segment, the configured system time is date-time.
Example:
Commands: clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2:0 and clock datetime 3:0 2011-1-1
Configured system time:
2011-01-01 03:00:03+10:00 DST
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 01:00:00
End time : 2011-09-01 01:00:00
Saving Time : 02:00:00

Action: 2, 3 or 3, 2
Configured System Time: If the result of original system time ± zone-offset is not in the DST segment, the configured system time is equal to the original system time ± zone-offset.
Example:
Commands: clock timezone BJ add 8 and clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2:0
Configured system time:
2010-01-01 16:00:33+08:00
Friday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 06:00:00
End time : 2011-09-01 06:00:00
Saving Time : 02:00:00

Action: 2, 3 or 3, 2
Configured System Time: If the result of original system time ± zone-offset is in the DST segment, the configured system time is equal to the original system time ± zone-offset ± offset.
Example:
Commands: clock daylight-saving-time BJ one-year 1:0 2010-1-1 1:0 2010-9-1 2:0 and clock timezone BJ add 8
Configured system time:
2010-01-01 18:01:14+10:00 DST
Friday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2010
End year : 2010
Start time : 2010-01-01 01:00:00
End time : 2010-09-01 01:00:00
Saving Time : 02:00:00

Action: 1, 2, 3 or 1, 3, 2
Configured System Time: If the value of date-time ± zone-offset is not in the DST segment, the configured system time is equal to date-time ± zone-offset.
Example:
Commands: clock datetime 8:0:0 2011-11-12, clock timezone BJ add 8, and clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2:0
Configured system time:
2011-11-12 16:00:37+08:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 2012-01-01 06:00:00
End time : 2012-09-01 06:00:00
Saving Time : 02:00:00

Action: 1, 2, 3 or 1, 3, 2
Configured System Time: If the value of date-time ± zone-offset is in the DST segment, the configured system time is equal to date-time ± zone-offset + offset.
Example:
Commands: clock datetime 8:0:0 2011-1-1, clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2:0 and clock timezone BJ add 8
Configured system time:
2011-01-01 18:00:45+10:00 DST
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 06:00:00
End time : 2011-09-01 06:00:00
Saving Time : 02:00:00

Action: [1], 2, 3, 1 or [1], 3, 2, 1
Configured System Time: If date-time is not in the DST segment, the configured system time is date-time.
Example:
Commands: clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2:0, clock timezone BJ add 8, and clock datetime 8:0:0 2011-11-12
Configured system time:
2011-11-12 08:00:06+08:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 2012-01-01 06:00:00
End time : 2012-09-01 06:00:00
Saving Time : 02:00:00

Action: [1], 2, 3, 1 or [1], 3, 2, 1
Configured System Time: If date-time is in the DST segment, the configured system time is date-time.
Example:
Commands: clock timezone BJ add 8, clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2:0, and clock datetime 3:0:0 2011-1-1
Configured system time:
2011-01-01 03:00:02+10:00 DST
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 01:00:00
End time : 2011-09-01 01:00:00
Saving Time : 02:00:00

Example
# Display the current system date and time.
<HUAWEI> display clock
2011-01-01 03:00:05+10:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 01:00:00
End time : 2011-09-01 01:00:00
Saving Time : 02:00:00

Table 3-7 Description of the display clock command output


Item Description

2011-01-01 03:00:05+10:00 Current time of the system: GMT+10, January 1, 2011 03:00:05

Time Zone Time zone.

Daylight saving time DST.

Name DST name.

Repeat mode DST mode.
- one-year: absolute DST
- repeating: periodic DST

Start year Year from which DST takes effect.

End year Year when DST becomes ineffective.

Start time Time when DST takes effect.

End time Time when DST becomes ineffective.

Saving time Storage time.
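
Because logs and display output use local time adjusted by the time zone and DST, device timestamps have to be normalized before they are correlated with other sources. The following Python sketch is an added example, not Huawei code: it parses a captured display clock output, converts the displayed time to UTC using System clock = UTC + Time zone offset + DST offset, and checks that the displayed offset equals the time zone offset plus the Saving Time. The function and field names are assumptions, and the sample capture is constructed from the example above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed capture, copied from the display clock example on this page.
SAMPLE = """\
2011-01-01 03:00:05+10:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 01:00:00
End time : 2011-09-01 01:00:00
Saving Time : 02:00:00
"""

# First line: local time, optional total offset, optional "DST" marker.
STAMP = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:([+-])(\d{2}):(\d{2}))?(?:\s+DST)?$")
ZONE = re.compile(r"^Time Zone\((.+)\)\s*:\s*UTC(?:([+-])(\d{2}):(\d{2}))?$")
SAVING = re.compile(r"^Saving Time\s*:\s*(\d{2}):(\d{2}):(\d{2})$")


def signed(sign, hh, mm):
    """Turn an optional '+HH:MM' / '-HH:MM' match into a timedelta."""
    if sign is None:
        return timedelta(0)
    delta = timedelta(hours=int(hh), minutes=int(mm))
    return -delta if sign == "-" else delta


def parse_display_clock(output):
    """Return the UTC time and offset details from a display clock capture."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    stamp = STAMP.match(lines[0]) if lines else None
    if not stamp:
        raise ValueError("first line is not a display clock timestamp")
    local = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
    shown = signed(stamp.group(2), stamp.group(3), stamp.group(4))

    zone_name, zone, saving = None, timedelta(0), timedelta(0)
    for ln in lines[1:]:
        z = ZONE.match(ln)
        if z:
            zone_name = z.group(1)
            zone = signed(z.group(2), z.group(3), z.group(4))
        s = SAVING.match(ln)
        if s:
            saving = timedelta(hours=int(s.group(1)), minutes=int(s.group(2)),
                               seconds=int(s.group(3)))

    # Whatever the displayed offset adds on top of the time zone is DST.
    dst_applied = shown - zone
    return {
        "utc": (local - shown).replace(tzinfo=timezone.utc),
        "zone_name": zone_name,
        "zone_offset": zone,
        "dst_active": dst_applied != timedelta(0),
        # Consistent when the extra offset is either zero or the Saving Time.
        "consistent": dst_applied in (timedelta(0), saving),
    }


if __name__ == "__main__":
    for key, value in parse_display_clock(SAMPLE).items():
        print(f"{key}: {value}")
```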

3.4.6 sysname
Function
The sysname command sets the device host name.
The undo sysname command restores the default device host name.
By default, the device host name is HUAWEI.

Format
sysname host-name
undo sysname

Parameters
Parameter Description Value
host-name Specifies the host name. The value is a string of 1 to 246 case-sensitive characters with spaces.
NOTE
When configuring a system name, do not use the following special characters: \ " , ! @ [ ] ' If these characters are used, the save-as function and NE explorer of an NMS are opened slowly after the name is synchronized to the NMS.

Views
System view

Default Level
3: Management level

Usage Guidelines
Changing the host name affects the command interface prompt. For example, if the host name
is HUAWEI, the user interface prompt is <HUAWEI>.

Example
# Set the host name to HUAWEIA.
<HUAWEI> system-view
[~HUAWEI] sysname HUAWEIA
[*HUAWEI] commit
[~HUAWEIA]

3.5 UI Configuration Commands

3.5.1 acl (user interface view)

Function
The acl command uses an ACL to restrict login rights of users on a terminal.

The undo acl command cancels the configuration.

By default, login rights are not restricted.

Format
acl [ ipv6 ] { acl-number | acl-name } { inbound | outbound }

undo acl [ ipv6 ] { inbound | outbound }

Parameters
Parameter Description Value
ipv6 Indicates an ACL6 number. -

acl-number Specifies the number of an ACL. The value is an integer ranging from 2000 to 3999.
- 2000-2999: restricts the source address using the basic ACL.
- 3000-3999: restricts the source and destination addresses using the advanced ACL.

acl-name Specifies the name of an ACL. The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter or digit, and cannot contain only digits.

inbound Restricts users with an address or within an address segment to log in to the device. -

outbound Restricts users who have logged in to the device from logging in to other devices. -

Views
User interface view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

This command restricts the login rights of a user interface based on the source IP address,
destination IP address, source port, or destination port. You can use this command to permit or
deny access to a destination or from a source.

Prerequisites

Before running this command, run the acl (system view) command in the system view and the
rule (ACL view) command to configure an ACL.

If no rule is configured, login rights on the user interface are not restricted when the acl
command is executed.

Precautions

After the configurations of the ACL take effect, all users on the user interface are restricted by
the ACL.

You can configure all of the following ACL types: IPv4 inbound, IPv4 outbound, IPv6
inbound, and IPv6 outbound on a user interface. Only one ACL of each type can be
configured on a user interface, and only the latest configuration of an ACL takes effect.

Example
# Restrict the Telnet login rights on user interface VTY 0.
<HUAWEI> system-view
[~HUAWEI] acl 3001
[*HUAWEI-acl4-advance-3001] rule deny tcp source any destination-port eq telnet
[*HUAWEI-acl4-advance-3001] quit
[*HUAWEI] user-interface vty 0
[*HUAWEI-ui-vty0] acl 3001 outbound

# Remove the restriction on the Telnet login rights on user interface VTY 0.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[*HUAWEI-ui-vty0] undo acl outbound

3.5.2 activate vty ip-block ip-address

Function
The activate vty ip-block ip-address command unlocks the IP address of a user that fails the
authentication through the VTY user interface.

Format
activate vty ip-block ip-address ip-address [ vpnname vpn-name ]

Parameters
Parameter Description Value
ip-address Specifies a locked IP address.
- For IPv4 address, the value is in the decimal format.
- For IPv6 address, the value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
vpnname vpn-name Specifies the name of a VPN to which the locked user belongs. The value is a string of 1 to 31 case-sensitive characters.
NOTE
When quotation marks are used around the string, spaces are allowed in the string.

Views
User view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
tty write

Usage Guidelines
In the VTY user interface, if a user enters incorrect passwords six consecutive times within 5
minutes, the IP address of this user is locked for 5 minutes. To unlock the IP address of this
user in advance, run the activate vty ip-block ip-address command.

Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate vty ip-block ip-address 10.1.2.3

3.5.3 activate ssh server ip-block ip-address


Function
The activate ssh server ip-block ip-address command unlocks the IP address of a user that
fails the SSH connection authentication.

Format
activate ssh server ip-block ip-address ip-address [ vpn-instance vpn-name ]

Parameters
Parameter Description Value
ip-address Specifies a locked IP address.
- For IPv4 address, the value is in the decimal format.
- For IPv6 address, the value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
vpn-instance vpn-name Specifies the name of a VPN to which the locked user belongs. The value is a string of 1 to 31 case-sensitive characters.
NOTE
When quotation marks are used around the string, spaces are allowed in the string.

Views
User view

Default Level
3: Management level

Task Name and Operations

Task Name Operations


ssh-server write

Usage Guidelines
In an SSH connection, if a user enters incorrect passwords six consecutive times within 5
minutes, the IP address of this user will be blocked for 5 minutes. To unlock the IP address of
this user in advance, run the activate ssh server ip-block ip-address command.

Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate ssh server ip-block ip-address 10.1.2.3

3.5.4 authentication-mode (user interface view)

Function
The authentication-mode command configures the authentication mode for accessing the
user interface.

The undo authentication-mode command deletes the authentication mode for accessing the
user interface.

By default, no authentication method is configured for the user interface. For the users
logging in to the VTY interface, an authentication method must be configured; otherwise,
users cannot log in.

Format
authentication-mode { aaa | password | none }

undo authentication-mode

Parameters

Parameter Description Value

aaa Indicates the AAA authentication mode. -

password Indicates the password authentication mode. -

none Indicates the non-authentication mode. -


NOTE
The non-authentication mode has potential security risks. Therefore, exercise
caution when deciding to configure this mode.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

When a user logs in to the device using the console interface for the first time, the system
prompts the user to set the login password. After the user logs in to the device, the user can
run the authentication-mode command to change the authentication mode. The none mode
is not recommended because system security is low. It is recommended that you configure
AAA or password authentication to enhance system security.

Before Telnet or SSH users can log in to the device through a VTY user interface, the
authentication mode must be configured using the authentication-mode command.

If SSH is configured for the user interface using the protocol inbound ssh command, you
must configure the authentication-mode aaa authentication mode to ensure successful
logins. If the password authentication mode is configured, the protocol inbound ssh
command cannot be executed.

Precautions

The authentication mode must be configured for login through the VTY user interface;
otherwise, users cannot log in to the device.

For the users logging in to the VTY interface, an authentication method must be configured;
otherwise, users cannot log in.

- After you set the authentication mode for accessing a user interface to password, run the
  set authentication password command to configure an authentication password. Keep
  the password safe. You need to enter the password when logging in to the device. The
  levels of commands accessible to a user depend on the level configured for the user
  interface to which the user logs in.
- When the authentication mode is set to aaa, the authentication password is deleted at the
  same time. Users are required to enter the login user name and password to log in to the
  device. After login, the level of the commands the user can run depends on the level of
  the local user specified in AAA configuration.
- When you run the undo authentication-mode command to delete the authentication
  mode, the system asks you whether to delete the authentication mode.

- If the AAA authentication mode is used, run the local-user user-name password
  command to configure the local user account and login password. Otherwise, user login
  fails.

Example
# Configure the authentication mode for accessing the user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] authentication-mode aaa
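
The rules stated for the acl and authentication-mode commands can be checked offline against a saved configuration. The following Python sketch is an added example, not Huawei tooling: it flags user interfaces that use authentication-mode none, VTY interfaces with no authentication mode, interfaces that combine protocol inbound ssh with a mode other than aaa, and VTY interfaces with no inbound ACL. The configuration text is constructed, and its layout (a user-interface line followed by indented settings) is an assumption about how the saved configuration is written.

```python
import re

# Constructed configuration excerpt; the layout is an assumption.
SAMPLE_CONFIG = """\
#
user-interface console 0
 authentication-mode password
#
user-interface vty 0 4
 acl 3001 inbound
 authentication-mode aaa
 protocol inbound ssh
#
user-interface vty 5 9
 authentication-mode none
#
user-interface vty 10 14
 acl 3001 inbound
 protocol inbound ssh
#
return
"""

# Matches "acl 3001 inbound", "acl ipv6 3002 inbound" or a named ACL.
ACL_IN = re.compile(r"^acl (ipv6 )?\S+ inbound$")


def parse_user_interfaces(config):
    """Map each 'user-interface <name>' section to its indented settings."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("user-interface "):
            current = raw[len("user-interface "):].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # '#', 'return' or any other top-level line
    return sections


def audit(config):
    """Return (interface, finding) pairs based on the rules in this section."""
    findings = []
    for name, lines in parse_user_interfaces(config).items():
        mode = None
        for ln in lines:
            if ln.startswith("authentication-mode "):
                mode = ln.split()[1]
        is_vty = name.lower().startswith("vty")
        ssh = "protocol inbound ssh" in lines

        if mode == "none":
            findings.append((name, "authentication-mode none: login without authentication"))
        if is_vty and mode is None:
            findings.append((name, "no authentication-mode: VTY users cannot log in"))
        if ssh and mode != "aaa":
            findings.append((name, "protocol inbound ssh requires authentication-mode aaa"))
        # Any inbound ACL (IPv4 or IPv6) counts; without one, login rights
        # on the interface are not restricted.
        if is_vty and not any(ACL_IN.match(ln) for ln in lines):
            findings.append((name, "no inbound ACL: login rights are not restricted"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```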

3.5.5 databits

Function
The databits command sets the number of data bits of the user interface.

The undo databits command restores the default number of data bits.

By default, the number of data bits of the user interface is 8.

Format
databits { 5 | 6 | 7 | 8 }

undo databits

Parameters
Parameter Description Value
5 Indicates that the number of data bits is 5. -
6 Indicates that the number of data bits is 6. -
7 Indicates that the number of data bits is 7. -
8 Indicates that the number of data bits is 8. -

Views
User interface view

Default Level
3: Management level

Usage Guidelines
Use this command only when necessary. If the number of data bits of a device's user interface
is changed, ensure that the same number of data bits is set on the HyperTerminal used for
login.

The setting is valid only when the serial port is configured to work in asynchronous mode.

Example
# Set the number of data bits to 5.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] databits 5

3.5.6 display ssh server ip-block all

Function
The display ssh server ip-block all command displays information about the IP addresses of
all the clients that fail to pass authentication.

Format
display ssh server ip-block all

Parameters
None

Views
All views

Default Level
3: Management level

Task Name and Operations


Task Name Operations
ssh-server read

Usage Guidelines
To check information about the IP addresses of all the clients that fail to pass authentication,
run the display ssh server ip-block all command. The command output includes the names
of the VPN instances to which the IP addresses belong, the IP address status, and the numbers
of authentication failures. The IP addresses that fail to pass authentication will not be
adopted to make invalid authentication.
If a user logs in using SSH, the user's IP address is locked for 5 minutes after 6 incorrect
password attempts within 5 minutes. After the IP address is locked, the IP address status
displayed in the display ssh server ip-block all command output changes from AUTH
FAILED to BLOCKED.

Example
# Display information about the IP addresses of all the clients that fail to pass authentication.

<HUAWEI> display ssh server ip-block all
--------------------------------------------------------------------------------------
IP Address                               VPN Name            State       Auth-fail Count
--------------------------------------------------------------------------------------
192.168.10.1                             _public_            BLOCKED                   6
--------------------------------------------------------------------------------------

Table 3-8 Description of the display ssh server ip-block all command output

Item Description

IP Address Locked client IP address

VPN Name Name of a VPN instance to which a locked client IP address belongs

State Status of a locked client IP address:
- BLOCKED: The IP address is locked.
- AUTH FAILED: The IP address fails to pass authentication.

Auth-fail Count Number of consecutive authentication failures within 5 minutes
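
The table above lends itself to automated triage during password-guessing investigations. The following Python sketch is an added example, not Huawei code: it parses display ssh server ip-block all output captured one row per line, then separates BLOCKED addresses that belong to known administrator hosts (candidates for activate ssh server ip-block ip-address) from unknown ones, and lists AUTH FAILED addresses one failure away from the lock. The admin_hosts parameter and all rows except the first are constructed for illustration.

```python
import ipaddress
import re

# Constructed capture: the first data row is the page's example,
# the remaining rows are made up for illustration.
SAMPLE = """\
<HUAWEI> display ssh server ip-block all
--------------------------------------------------------------------------
IP Address                  VPN Name         State          Auth-fail Count
--------------------------------------------------------------------------
192.168.10.1                _public_         BLOCKED                      6
10.1.2.3                    _public_         AUTH FAILED                  5
2001:db8::25                mgmt             AUTH FAILED                  1
10.1.2.9                    mgmt             BLOCKED                      6
--------------------------------------------------------------------------
"""

# The State column contains a space in "AUTH FAILED", so match it explicitly
# instead of splitting the row on whitespace.
ROW = re.compile(r"^(\S+)\s+(.+?)\s+(BLOCKED|AUTH FAILED)\s+(\d+)$")

# Failures within 5 minutes that lock an address, as stated on this page.
LOCK_THRESHOLD = 6


def parse_ip_block_all(output):
    """Return one dict per data row; prompt, rulers and header are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # accepts IPv4 and IPv6
        except ValueError:
            continue
        entries.append({"ip": ip, "vpn": m.group(2),
                        "state": m.group(3), "fails": int(m.group(4))})
    return entries


def triage(entries, admin_hosts=()):
    """Sort entries into follow-up buckets.

    admin_hosts is a hypothetical allow-list of management stations; a locked
    address on that list is more likely an operator typo than an attack.
    """
    admins = {ipaddress.ip_address(a) for a in admin_hosts}
    report = {"unlock_candidates": [], "investigate": [], "near_lock": []}
    for e in entries:
        if e["state"] == "BLOCKED":
            key = "unlock_candidates" if e["ip"] in admins else "investigate"
            report[key].append(str(e["ip"]))
        elif e["fails"] >= LOCK_THRESHOLD - 1:
            report["near_lock"].append(str(e["ip"]))
    return report


if __name__ == "__main__":
    result = triage(parse_ip_block_all(SAMPLE), admin_hosts=["10.1.2.9"])
    for bucket, addresses in result.items():
        print(f"{bucket}: {', '.join(addresses) or '-'}")
```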

3.5.7 display ssh server ip-block list

Function
The display ssh server ip-block list command displays information about client IP addresses
that are locked because of authentication failures.

Format
display ssh server ip-block list

Parameters
None

Views
All views

Default Level
3: Management level

Task Name and Operations

Task Name Operations


ssh-server read

Usage Guidelines
To check information about client IP addresses that are locked because of authentication
failures, run the display ssh server ip-block list command. The command output includes the
names of VPN instances to which the locked client IP addresses belong and the remaining
locking period.

Example
# Display information about client IP addresses that are locked because of authentication
failures.
<HUAWEI> display ssh server ip-block list
--------------------------------------------------------------------------------------
IP Address                               VPN Name            UnBlock Interval(Seconds)
--------------------------------------------------------------------------------------
192.168.10.1                             _public_                                   36
--------------------------------------------------------------------------------------

Table 3-9 Description of the display ssh server ip-block list command output

Item                        Description
IP Address                  Locked client IP address
VPN Name                    Name of a VPN instance to which a locked client IP address belongs
UnBlock Interval(Seconds)   Remaining locking period, in seconds

3.5.8 display user-interface

Function
The display user-interface command displays information about a user interface.

Format
display user-interface [ ui-type ui-number1 | ui-number ] [ summary ]

Parameters
Parameter    Description                              Value
ui-type      Displays information about a specified   The value can be Console, VTY, RPC, or NCA.
             user interface.
ui-number1   Displays information about a user        The minimum value is 0. The maximum value is
             interface with a specified relative      smaller by 1 than the number of user
             number.                                  interfaces the system supports.
ui-number    Displays information about a user        The value is an integer ranging from 0 to
             interface with a specified absolute      104. The value varies according to the
             number.                                  device type.
summary      Displays the summary of a user           -
             interface.

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display user-interface command to view detailed configuration information
about all user interfaces or a specified user interface. To obtain the relative number and
absolute number of a user interface, run the display users command and view the User-Intf
field in the command output.

Example
# Display detailed information about the user interface with the absolute number 0.
<HUAWEI> display user-interface 0
  Idx  Type     Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
+ 0    CON 0    9600   -      15     15           -     6
UI(s) not in async mode -or- with no hardware support:
20-32
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

# Display detailed information about all user interfaces.


<HUAWEI> display user-interface
  Idx  Type     Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
+ 0    CON 0    9600   -      15     15           -     6
  34   VTY 0           -      15     -            A     -
  35   VTY 1           -      15     -            A     -
  36   VTY 2           -      15     -            A     -
  37   VTY 3           -      15     -            A     -
  38   VTY 4           -      15     -            A     -
  39   VTY 5           -      15     -            -     -
+ 40   VTY 6           -      15     15           N     -
  41   VTY 7           -      15     -            -     -
  42   VTY 8           -      15     -            -     -
  43   VTY 9           -      15     -            -     -
+ 44   VTY 10          -      15     15           N     -
+ 45   VTY 11          -      15     15           N     -
+ 46   VTY 12          -      15     15           N     -
+ 47   VTY 13          -      15     15           N     -
+ 48   VTY 14          -      15     15           N     -
  100  NCA 0           -      -      -            A     -
+ 101  NCA 1           -      -      3            A     -
+ 102  NCA 2           -      -      3            A     -
  103  NCA 3           -      -      -            A     -
  104  NCA 4           -      -      -            A     -
UI(s) not in async mode -or- with no hardware support:
21-32
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

Table 3-10 Description of the display user-interface command output


Parameter     Description
+             Active user interface.
F             Active user interface in asynchronous mode.
Idx           Absolute number of a user interface.
Type          Type and relative number of a user interface.
Tx/Rx         Data transfer rate of the user interface.
Modem         Type of the modem.
Privi         Authority configured on a user interface.
ActualPrivi   Actual permission of a user interface. (In the case of the AAA
              authentication mode, the level of a local user in AAA configuration
              is the actual permission. You can run the display aaa access-user
              command to check the user level.)
Auth          Authentication mode on a user interface.
              - A: AAA authentication.
              - N: No authentication on the current user interface.
              - P: Password authentication.
Int           User interface.
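
The Auth column is the field to audit in this output: a line showing N accepts logins with no authentication. The parser below is an added example, not part of the Huawei documentation; it reads display user-interface output and reports lines whose Auth mode is N or P. The sample rows are a subset of the example output above, and the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Rows taken from the example output on this page (a subset). Whitespace between
# columns does not matter: the parser splits on runs of spaces.
SAMPLE = """\
  Idx  Type     Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
+ 0    CON 0    9600   -      15     15           -     6
  34   VTY 0           -      15     -            A     -
  39   VTY 5           -      15     -            -     -
+ 40   VTY 6           -      15     15           N     -
+ 44   VTY 10          -      15     15           N     -
  100  NCA 0           -      -      -            A     -
+ 101  NCA 1           -      -      3            A     -
UI(s) not in async mode -or- with no hardware support:
21-32
+ : Current UI is active.
F : Current UI is active and work in async mode.
"""

# [+|F] <absolute index> <type> <relative index> <remaining columns>
ROW = re.compile(r"^\s*([+F])?\s*(\d+)\s+([A-Z]+)\s+(\d+)\s+(\S.*)$")


@dataclass
class UiLine:
    active: bool
    idx: int
    ui_type: str
    rel: int
    privi: str
    actual_privi: str
    auth: str


def parse_user_interfaces(text):
    """Return one UiLine per data row; header, legend and footer lines are skipped."""
    lines = []
    for raw in text.splitlines():
        m = ROW.match(raw)
        if not m:
            continue
        cols = m.group(5).split()
        if len(cols) < 5:
            continue
        # In the sample only the CON row carries a Tx/Rx value, so a row has either
        # five or six trailing columns. Counting from the right keeps Auth aligned.
        _modem, privi, actual, auth, _intf = cols[-5:]
        lines.append(UiLine(m.group(1) is not None, int(m.group(2)),
                            m.group(3), int(m.group(4)), privi, actual, auth))
    return lines


def audit_auth(lines):
    """Return (idx, code, message) for every line whose Auth mode is N or P."""
    findings = []
    for ui in lines:
        name = f"{ui.ui_type} {ui.rel} (Idx {ui.idx})"
        if ui.auth == "N":
            state = "active session" if ui.active else "no session"
            level = ui.actual_privi if ui.active else ui.privi
            findings.append((ui.idx, "no-auth",
                             f"{name}: no authentication, privilege {level}, {state}"))
        elif ui.auth == "P":
            findings.append((ui.idx, "password-auth",
                             f"{name}: authenticates with the line password, not AAA"))
    return findings


if __name__ == "__main__":
    for _idx, code, message in audit_auth(parse_user_interfaces(SAMPLE)):
        print(f"[{code}] {message}")
```
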

3.5.9 display user-interface maximum-vty

Function
The display user-interface maximum-vty command displays the maximum number of VTY
users.

Format
display user-interface maximum-vty

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display user-interface maximum-vty command to view the maximum
number of users who can connect to the device using Telnet or SSH. By default, a maximum of
five Telnet and SSH users in total can be connected.

Example
# Display the maximum number of VTY users.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user : 5

Table 3-11 Description of the display user-interface maximum-vty command output

Parameter             Description
Maximum of VTY user   Maximum number of VTY users.
                      The maximum number of VTY users can be configured using the
                      user-interface maximum-vty command.

3.5.10 display users

Function
The display users command displays login information for each user interface.

Format
display users [ all ]

Parameters

Parameter   Description                                                             Value
all         Displays information about all users who log in to the device through   -
            user interfaces, including information about user interfaces that are not
            used. If the all parameter is not used, the command displays only
            information about user interfaces that have been connected.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can run this command to view information about users who are connected to the device.
The information includes the user name, IP address, and authentication and authorization
information.

Example
# Run the display users command to view information about users who log in to the device
through the user interface.
<HUAWEI> display users
NOTE:
User-Intf: The absolute number and the relative number of user interface
Authen: Whether the authentication passes
Author: Command line authorization flag
--------------------------------------------------------------------------------
  User-Intf    Delay     Type  Network Address  Authen  Author  Username
--------------------------------------------------------------------------------
  34  VTY 0    16:07:36  TEL   10.135.34.246    pass    yes     root123
  35  VTY 1    00:00:00  TEL   10.135.37.80     pass    yes     root123
  36  VTY 2    24:03:21  TEL   10.135.32.164    pass    yes     root123
* 37  VTY 3    23:33:44  TEL   10.135.23.55     pass    yes     root123

Table 3-12 Description of the display users command output

Item              Description
*                 Current user interface. If the all parameter is specified, information
                  about user interfaces that have login users is displayed.
User-Intf         The number in the first column indicates the absolute number of the
                  user interface, and the number in the second column indicates the
                  relative number of the user interface.
                  - CON: indicates that the user logs in to the device through the
                    console interface.
                  - VTY: indicates that the user logs in to the device using Telnet or
                    STelnet.
                  - NCA: indicates that the user logs in to the device using NETCONF.
Delay             Interval from the user's latest input to the current time, in seconds.
Type              Connection type. If the all parameter is specified and this field is
                  empty, the user interface is not used. If the all parameter is not
                  specified:
                  - An empty field or -- indicates the console type.
                  - TEL indicates the Telnet type.
                  - SSH indicates the SSH type.
Network Address   - Console user interface: The value is the slot ID of the main control
                    card.
                  - VTY user interface: The value is the IP address of the login user.
Username          User name for logging in to the device. If the user name is not
                  specified, Unspecified is displayed.
Authen            Whether the authentication succeeds.
Author            Command line authorization status.
                  - yes: Command line authentication is enabled.
                  - no: Command line authentication is disabled.

3.5.11 display vty ip-block vty-password-mode all

Function
The display vty ip-block vty-password-mode all command displays all IP addresses that fail
to be authenticated.

Format
display vty ip-block vty-password-mode all

Parameters
None

Views
All views

Default Level
3: Management level

Task Name and Operations

Task Name Operations
tty debug

Usage Guidelines
To check IP addresses that fail to be authenticated, run the
display vty ip-block vty-password-mode all command.

Example
# Display all IP addresses that fail to be authenticated.
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose] display vty ip-block vty-password-mode all
--------------------------------------------------------------------------------------
IP Address           VPN Name             State         Auth-fail Count
--------------------------------------------------------------------------------------
192.168.10.1         _public_             BLOCKED       6
--------------------------------------------------------------------------------------

Table 3-13 Description of the display vty ip-block vty-password-mode all command output

Item              Description
IP Address        Blocked IP address
VPN Name          Name of the VPN to which the blocked IP address belongs
State             State of an IP address
                  - BLOCKED: The IP address is blocked.
                  - AUTH FAILED: The IP address fails to be authenticated.
Auth-fail Count   Number of IP address authentication failures in the latest 5 minutes

3.5.12 display vty ip-block vty-password-mode list


Function
The display vty ip-block vty-password-mode list command displays IP addresses that are
blocked due to authentication failures.

Format
display vty ip-block vty-password-mode list

Parameters
None

Views
All views

Default Level
3: Management level

Task Name and Operations


Task Name Operations
tty read

Usage Guidelines
To check information, such as the remaining block time, about IP addresses that are blocked
due to authentication failures, run the display vty ip-block vty-password-mode list
command.

Example
# Display IP addresses that are blocked due to authentication failures.
<HUAWEI> display vty ip-block vty-password-mode list
-------------------------------------------------------------------------------------
IP Address           VPN Name             UnBlock Interval(Seconds)
-------------------------------------------------------------------------------------
192.168.10.1         _public_             36
-------------------------------------------------------------------------------------

Table 3-14 Description of the display vty ip-block vty-password-mode list command output

Item                        Description
IP Address                  Blocked IP address
VPN Name                    Name of the VPN to which the blocked IP address belongs
UnBlock Interval(Seconds)   Remaining block time after which the IP address will be unblocked

3.5.13 flow-control

Function
The flow-control command configures a flow control mode.

The undo flow-control command restores the default flow control mode.

By default, the flow control mode is set to none, indicating that traffic is not controlled.

Format
flow-control { hardware | none | software }

undo flow-control

Parameters

Parameter Description Value


hardware Implements hardware-based flow control. -
none Implements no flow control. -
software Implements software-based flow control. -

Views
Console user interface view

Default Level
2: Configuration level

Task Name and Operations

Task Name Operations
tty write

Usage Guidelines
The configuration is valid only when the serial port works in the console user interface view.

Example
# In the console user interface view, configure software-based flow control.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[*HUAWEI-ui-console0] flow-control software

3.5.14 kill user-interface

Function
The kill user-interface command disconnects the device from a specified user interface.

Format
kill user-interface { ui-number | ui-type ui-number1 }

Parameters

Parameter    Description                 Value
ui-number    Specifies the absolute      The value is an integer ranging from 0 to 104. The
             number of a user            value varies according to the device type.
             interface.
ui-type      Specifies the type of a     The value can be RPC, NCA, Console, and VTY.
             user interface.
ui-number1   Specifies the relative      - If the ui-type is console, the value of ui-number is 0.
             number of a specified       - If the ui-type is vty, the value of ui-number is 0 to 20.
             user interface.             - If the ui-type is nca, the value of ui-number is 0 to 4.
                                         - If the ui-type is rpc, the value of ui-number is 0 to 14.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If a user logs in to the device and does not perform any operation or you want to forbid a user
from performing operations on the device, you can run the kill user-interface command to
delete a specified user. After the command is executed, the user logs out from the device.
Precautions
The kill user-interface command cannot be executed on the current user interface. For example,
if the current user interface is VTY 2, the kill user-interface vty 2 command fails to be executed.

Example
# Disconnect the VTY3 user's terminal from the device.
<HUAWEI> kill user-interface vty 3
Warning: User interface VTY3 will be freed. Do you want to continue? [Y/N]:y
Info: User interface VTY3 is free.

3.5.15 history-command max-size


Function
The history-command max-size command sets the size of the historical command buffer.
The undo history-command max-size command restores the default size of the historical
command buffer.
By default, a maximum of 10 previously-used commands can be saved in the buffer.

Format
history-command max-size size-value
undo history-command max-size

Parameters
Parameter    Description                            Value
size-value   Specifies the size of the historical   The value is an integer ranging from 0 to 256.
             command buffer.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
The CLI can automatically save the historical commands that you enter. This function is
similar to that of Doskey. You can invoke and run the historical commands at any time.

Example
# Set the size of the historical command buffer to 20.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] history-command max-size 20

3.5.16 idle-timeout

Function
The idle-timeout command sets the timeout duration for disconnection from a user interface.

The undo idle-timeout command restores the default timeout duration.

By default, the timeout duration is 10 minutes in vty user interface view, and 5 minutes in
console user interface view.

Format
idle-timeout minutes [ seconds ]

undo idle-timeout

Parameters
Parameter   Description                  Value
minutes     Specifies the idle timeout   The value is an integer that ranges from 0 to 35791 in
            duration, in minutes.        the VTY user interface view and from 1 to 1440 in the
                                         console user interface view, in minutes.
seconds     Specifies the idle timeout   The value is an integer ranging from 0 to 59, in seconds.
            duration, in seconds.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

If a user logs in to the device and does not perform an operation, the user interface is occupied
unnecessarily. You can run the idle-timeout command to disconnect the user's terminal from
the device.
Precautions
- If you set the time to zero, then the line connection remains alive until you close it.
- If the user interface disconnection function is not configured, other users may fail to log
  in to the device.
- If the idle timeout interval is set to 0 or a large value, the terminal will remain in the
  login state, resulting in security risks. You are advised to run the lock command to lock
  the current connection.
- You are advised to set the timeout duration to 10-15 minutes.
- In versions earlier than V200R002C50, the timeout period configured using the
  idle-timeout command for a user connection in the console user interface view ranges from 0
  to 35791. If the timeout period is set to 0 minutes or is greater than 1440 minutes in a
  version earlier than V200R002C50, it is automatically set to 1440 minutes after the
  system software is upgraded to V200R002C50 or a later version.

Example
# Set the timeout duration to 1 minute and 30 seconds.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] idle-timeout 1 30

3.5.17 ip-block vty-password-mode disable


Function
The ip-block vty-password-mode disable command disables the function of blocking IP
addresses in VTY access scenarios.
The undo ip-block vty-password-mode disable command restores the default configuration.
By default, the function of blocking IP addresses in VTY access scenarios is enabled.

Format
ip-block vty-password-mode disable
undo ip-block vty-password-mode disable

Parameters
None

Views
Security password view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
tty write

Usage Guidelines
If the function of blocking IP addresses in VTY access scenarios is enabled, the device blocks
IP addresses that fail to be authenticated and rejects VTY access requests that use the blocked
IP addresses. The device also records the blocked IP addresses in a list.

After the function is disabled, the device deletes the blocked IP addresses from the list and
does not record new IP addresses that fail to be authenticated. To disable the function, run the
ip-block vty-password-mode disable command.

Example
# Disable the function of blocking IP addresses in VTY access scenarios.
<HUAWEI> system-view
[~HUAWEI] security password
[*HUAWEI-security-password] ip-block vty-password-mode disable
Warning: It is not recommended to disable ip block feature. This operation may
result in system becoming vulnerable to security threats.

# Enable the function of blocking IP addresses in VTY access scenarios.


<HUAWEI> system-view
[~HUAWEI] security password
[*HUAWEI-security-password] undo ip-block vty-password-mode disable

3.5.18 mmi-mode enable

Function
The mmi-mode enable command enters the machine-to-machine mode.

The undo mmi-mode enable command enters the human-to-machine mode.

By default, a VTY user is in human-to-machine mode.

Format
mmi-mode enable

undo mmi-mode enable

Parameters
None

Views
User view

Default Level
1: Monitoring level

Usage Guidelines
After you enter the machine-to-machine mode using the mmi-mode enable command, the
command output is displayed in one screen.
After you enter the machine-to-machine mode using the mmi-mode enable command, some
important commands that you need to use with caution can be used directly. In
human-to-machine mode, use this command with caution.

Example
# Enter the machine-to-machine mode.
<HUAWEI> mmi-mode enable

3.5.19 parity
Function
The parity command sets the check bit of a user interface.
The undo parity command restores the default check bit of a user interface.
By default, no check is performed.

Format
parity { even | mark | none | odd | space }
undo parity

Parameters
Parameter Description Value
even Sets the transmission check bit to even parity. -
mark Sets the transmission check bit to mark check. -
none Sets the transmission check bit to no check. -
odd Sets the transmission check bit to odd parity. -
space Sets the transmission check bit to space check. -

Views
Console user interface view

Default Level
2: Configuration level

Task Name and Operations


Task Name Operations
tty write

Usage Guidelines
By default, no transmission check is performed. To prevent transmission errors, run the parity
command to configure the check bit of the specified user interface to improve data
transmission correctness.

Example
# Set the transmission check bit on the console port to odd parity.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[*HUAWEI-ui-console0] parity odd

3.5.20 protocol inbound

Function
The protocol inbound command specifies the protocols that the VTY user interface supports.

The undo protocol inbound command restores the default protocols that the VTY user
interface supports.

By default, the system supports all protocols.

Format
protocol inbound { all | ssh | telnet }

undo protocol inbound

Parameters
Parameter Description Value
all Indicates that all protocols including SSH and Telnet are supported. -
ssh Indicates that only SSH is supported. -
telnet Indicates that only Telnet is supported. -

Views
VTY user interface view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To manage and monitor login users, configure the VTY user interface for login users and run
the protocol inbound command to configure the protocols that the VTY user interface
supports.
Prerequisites
If SSH is configured for the user interface using the protocol inbound command, you must
configure the authentication-mode aaa authentication mode to ensure successful logins. If
the password authentication mode is configured, the protocol inbound ssh command cannot
be executed.
Precautions
- The configuration takes effect at the next login.
- Telnet is an insecure protocol. Using SSH is recommended.
- When SSH is specified for the VTY user interface, if the SSH server has been enabled
  but no RSA/DSA/ECC key is configured, users can log in to the SSH server using a
  temporary key.
NOTE

You are advised to use a more secure ECC authentication algorithm for higher security.

Example
# Configure SSH for user interfaces VTY0 to VTY4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] authentication-mode aaa
[*HUAWEI-ui-vty0-4] protocol inbound ssh

3.5.21 screen-length
Function
The screen-length command sets the number of lines on each terminal screen after you run a
command.
The undo screen-length command restores the default configuration.
By default, the number of lines to be displayed on a terminal screen is 24.

Format
In the user interface view:
screen-length screen-length [ temporary ]
undo screen-length [ temporary ]
In the user view:
screen-length screen-length temporary
undo screen-length temporary

Parameters
Parameter       Description                           Value
screen-length   Specifies the number of lines         The value is an integer that ranges from 0 to
                displayed on a terminal screen.       512. The value 0 indicates that all command
                                                      output is displayed on one screen.
temporary       Specifies the number of lines         -
                temporarily displayed on a terminal
                screen.

Views
User interface view, user view

Default Level
3: Management level

Usage Guidelines
If you run a command and its output is displayed in more lines than you can see on one
screen, you can reduce the number of lines displayed on each screen.
In general, you do not need to change the number of lines displayed on each screen. Setting
the number of lines to 0 is not recommended. The configuration takes effect after you log in
to the system again.

NOTE

In the user view, the temporary parameter is mandatory and this command is at the Management level.

Example
# Set the number of lines on each screen of the terminal to 30.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] screen-length 30

3.5.22 set authentication password


Function
The set authentication password command configures a local authentication password.
The undo set authentication password command cancels the local authentication password.
By default, the local authentication password is not configured for the device.

Format
set authentication password [ cipher password ]
undo set authentication password

Parameters
Parameter         Description        Value
cipher password   Specifies the      - When cipher is not entered, password input is in man-machine
                  password for the     interaction mode, and the system does not display the entered
                  user interface.      password.
                                       The password is a string of 8 to 16 case-sensitive characters.
                                       The password must contain at least two of the following
                                       characters: upper-case character, lower-case character, digit,
                                       and special character.
                                       Special characters exclude the question mark (?) and space.
                                       However, when double quotation marks are used around the
                                       password, spaces are allowed in the password.
                                       - Double quotation marks cannot contain double quotation
                                         marks if spaces are used in a password.
                                       - Double quotation marks can contain double quotation marks
                                         if no space is used in a password.
                                       For example, the password "a123"45"" is valid, but the
                                       password "a 123"45"" is invalid.
                                     - When cipher is entered, the password is displayed in either
                                       plaintext or ciphertext during input.
                                       - When being input in plaintext, the password requirements
                                         are the same as those when cipher is not entered. When you
                                         input a password in simple text, the system displays the
                                         password in simple text mode, which brings risks.
                                       - When being input in ciphertext, the password must be a
                                         string of 48 to 128 consecutive characters.
                                       The password is displayed in ciphertext in the configuration
                                       file regardless of whether it is input in plaintext or cipher
                                       text.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If password authentication is configured for users, you can run the set authentication
password command to change the password or set a password in cipher text.
If cipher password is not specified, the password is entered in interactive mode and can
contain 8 to 16 characters. The requirements for the password are the same as the
requirements for the plaintext password when you specify the cipher password. The password
you enter will not be displayed on the screen.
NOTE

If you enter the plaintext password when specifying cipher password, security risks exist. The
interactive mode is recommended when users enter the password.

Pre-configuration Tasks
Before running the set authentication password command, run the authentication-mode
password command to set the authentication mode of the user interface to password
authentication; otherwise, the set authentication password command cannot be configured.
Precautions
- If a password in cipher text is configured, users must obtain the password in plain text
  that is required for identity authentication.
- If the password authentication is configured but the password is not configured for the
  user interface, the user cannot log in to the device.
- If the set authentication password command is executed multiple times, the latest
  configuration overrides the previous ones. You can run the set authentication password
  command to change the local authentication password. After the password is changed, a
  user who wants to log in to the device must enter the latest password for identity
  authentication.
- Users can press CTRL_C to cancel password modification in the interaction mode.

Example
# Set the local authentication password for the user interfaces VTY 0-4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] set authentication password
Warning: The "password" authentication mode is not secure, and it is strongly
recommended to use "aaa" authentication mode.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
[*HUAWEI-ui-vty0-4]

# Set the local authentication password for the user interfaces VTY 0-4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] set authentication password cipher Huawei@123
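
Several precautions in sections 3.5.16 (idle-timeout), 3.5.17 (ip-block vty-password-mode disable), 3.5.20 (protocol inbound) and 3.5.22 (password authentication) can be checked mechanically against a saved configuration. The script below is an added example, not Huawei code: it assumes the configuration is laid out as view lines at column 0 with their commands indented beneath them (the sample is constructed), and the finding codes and the 15-minute threshold, taken from the upper end of the 10-15 minute recommendation, are this example's choices.

```python
import re

# Constructed sample. Assumed layout: a view line at column 0, the commands
# entered in that view indented beneath it, "#" between views.
SAMPLE_CONFIG = """\
#
user-interface console 0
 idle-timeout 5 0
#
user-interface vty 0 4
 authentication-mode aaa
 idle-timeout 10 0
 protocol inbound ssh
#
user-interface vty 5 14
 authentication-mode password
 idle-timeout 0 0
 protocol inbound all
#
user-interface vty 15 20
 authentication-mode aaa
 idle-timeout 120
#
security password
 ip-block vty-password-mode disable
#
"""

MAX_IDLE_SECONDS = 15 * 60  # upper end of the recommended 10-15 minutes


def split_views(config):
    """Return [(view_line, [commands])] for every view in the configuration."""
    views, current = [], None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "#":
            current = None
        elif not raw[0].isspace():
            current = (text, [])
            views.append(current)
        elif current is not None:
            current[1].append(text)
    return views


def audit_login_hardening(config):
    """Return (view, code, message) tuples for settings the reference warns about."""
    findings = []
    for view, cmds in split_views(config):
        if view == "security password":
            if "ip-block vty-password-mode disable" in cmds:
                findings.append((view, "ip-block-disabled",
                                 "failed-login IP blocking for VTY access is off"))
            continue
        m = re.match(r"user-interface (con(?:sole)?|vty)\b", view)
        if not m:
            continue
        for cmd in cmds:
            t = re.fullmatch(r"idle-timeout (\d+)(?: (\d+))?", cmd)
            if not t:
                continue
            seconds = int(t.group(1)) * 60 + int(t.group(2) or 0)
            if seconds == 0:
                findings.append((view, "idle-timeout-never",
                                 "idle sessions are never disconnected"))
            elif seconds > MAX_IDLE_SECONDS:
                findings.append((view, "idle-timeout-long",
                                 f"idle timeout is {seconds // 60} minutes"))
        if m.group(1) != "vty":
            continue
        # With no "protocol inbound" line the default applies, which is all protocols.
        proto = next((c.split()[-1] for c in cmds
                      if c.startswith("protocol inbound ")), "all")
        if proto != "ssh":
            findings.append((view, "telnet-allowed",
                             f"protocol inbound is {proto}, so Telnet logins are accepted"))
        if "authentication-mode password" in cmds:
            findings.append((view, "password-auth",
                             "password authentication mode; the CLI recommends aaa"))
    return findings


if __name__ == "__main__":
    for view, code, message in audit_login_hardening(SAMPLE_CONFIG):
        print(f"{view}: [{code}] {message}")
```
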

3.5.23 shell
Function
The shell command enables terminal services on a user interface.
The undo shell command disables terminal services on a user interface.
By default, terminal services are enabled on all user interfaces.

Format
shell

undo shell

Parameters
None

Views
VTY user interface view

Default Level
3: Management level

Usage Guidelines
You can use the shell command on a user interface to enable terminal services. This command
enables users to enter commands through this interface to query device information and
configure the device.

You can use the undo shell command on the user interface to disable terminal services. This
command does not allow users to perform any operations through this interface. After using
the undo shell command in the VTY view, this user interface does not provide Telnet and
STelnet access.

NOTE

The console user interface does not support this command.

Example
# Disable terminal services on VTY 0 to VTY 4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] undo shell
Warning: ui-vty0-4 will be disabled. Do you want to continue? [Y/N]:y

3.5.24 speed (user interface view)

Function
The speed command sets the baud rate of a user interface.

The undo speed command restores the default baud rate of a user interface.

By default, the baud rate is 9600 bit/s.

Format
speed speed-value

undo speed

Parameters
Parameter     Description                 Value
speed-value   Specifies the baud rate     The value is expressed in bit/s.
              of a user interface.        The asynchronous serial interface supports the
                                          following baud rates:
                                          - 1200
                                          - 2400
                                          - 4800
                                          - 9600
                                          - 19200
                                          - 38400
                                          - 57600
                                          - 115200

Views
Console user interface view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When a user logs in to the switch through the console interface, the baud rate on the
HyperTerminal must be the same as that configured on the switch; otherwise, the user cannot
log in to the switch.
The setting is valid only when the serial port is configured to work in asynchronous mode.
Precautions
In V200R003C00, this command does not take effect on all switches before the
V200R003SPH005 patch is loaded, and users log in to the switch through the serial interface
using the default baud rate 9600 bit/s. After the V200R003SPH005 patch is loaded, all baud
rates can be configured on the CE6870-24S6CQ-EI and CE6870-48S6CQ-EI, the speed 300
or speed 600 command does not take effect on the CE8850-32CQ-EI, and you are advised to
configure other baud rates on the CE8850-32CQ-EI. For other switches excluding the
preceding two models, this command does not take effect, and users log in to the switch
through the serial interface using the default baud rate 9600 bit/s.
In V200R002C50:
• For switches excluding the CE6860EI, CE6870-48T6CQ-EI, CE8850-32CQ-EI,
  CE6880EI, CE5810EI, and CE5850HI, this command does not take effect before the
  V200R002C50SPH012 patch is loaded, and users log in to the switch through the serial
  interface using the default baud rate 9600 bit/s; all baud rates can be configured after the
  V200R002C50SPH012 patch is installed.
• For the CE6860EI, CE6870-48T6CQ-EI, and CE8850-32CQ-EI, this command does not
  take effect before the V200R002C50SPH013 patch is loaded, and users log in to the
  switch through the serial interface using the default baud rate 9600 bit/s; after the
  V200R002C50SPH013 patch is loaded, the speed 300 or speed 600 command does not
  take effect, and you are advised to configure other baud rates.
• For the CE6880EI, CE5810EI, and CE5850HI, this command does not take effect and
  users log in to the switch through the serial interface using the default baud rate 9600
  bit/s.

In V200R001C00 and earlier versions, the speed 300 or speed 600 command does not take
effect on the CE5810EI and CE5850HI, and you are advised to use other baud rates.

To prevent the problem:


• When a switch is upgraded from V200R001C00 or an earlier version to V200R002C50,
  you are advised to perform the upgrade with the V200R002C50SPH013 patch.
  Otherwise, users can only log in to the switch through the serial interface using the
  default baud rate after the upgrade. The CE6880EI, CE5810EI and CE5850HI do not
  support this patch. When the CE6880EI, CE5810EI or CE5850HI is upgraded to
  V200R002C50 or V200R003C00, users can only log in to the switch through the serial
  interface using the default baud rate.
• If a switch is upgraded from V200R003C00 or an earlier version to V200R005 or a later
  version and the speed 300 or speed 600 command is configured before the upgrade, the
  configuration may be lost after the upgrade and you need to configure the baud rate
  again.

Example
# Set the baud rate of a user interface to 115200 bit/s.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 115200

3.5.25 ssh server ip-block disable

Function
The ssh server ip-block disable command disables an SSH server from locking client IPv4
or IPv6 addresses.

The undo ssh server ip-block disable command enables an SSH server to lock client IPv4
and IPv6 addresses.

By default, an SSH server is enabled to lock client IP addresses.

Format
ssh server ip-block disable

undo ssh server ip-block disable

Parameters
None

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
ssh-server write

Usage Guidelines
• If an SSH server is enabled to lock client IP addresses, locked client IP addresses fail to
  pass authentication and are displayed in the display ssh server ip-block list command
  output.
• If an SSH server is disabled from locking client IP addresses, the display ssh server
  ip-block list command does not display any client IP address that is locked because of
  authentication failures.
• The operation to disable an SSH server from locking client IP addresses poses system
  risks and is thereby not recommended.

Example
# Disable an SSH server from locking client IP addresses.
<HUAWEI> system-view
[~HUAWEI] ssh server ip-block disable
Warning: It is not recommended to disable IP block feature. This operation may
result in system becoming vulnerable to security threats.

# Enable an SSH server to lock client IP addresses.


<HUAWEI> system-view
[~HUAWEI] undo ssh server ip-block disable

3.5.26 stopbits

Function
The stopbits command sets the stop bit of a user interface.

The undo stopbits command restores the default stop bit of a user interface.

By default, the stop bit is 1.

Format
stopbits { 1.5 | 1 | 2 }

undo stopbits

Parameters
Parameter Description Value
1.5 Sets the stop bit to 1.5. -
1 Sets the stop bit to 1. -
2 Sets the stop bit to 2. -

Views
Console user interface view

Default Level
3: Management level

Usage Guidelines
When a user logs in to the switch through the console interface, the stop bit on the
HyperTerminal must be the same as that configured on the switch; otherwise, the user cannot
log in to the switch.

The stop bit and the data bit configured using the databits command are related.
• If the stop bit is 1, the corresponding data bit is 8.
• If the stop bit is 1.5, the corresponding data bit is 5.
• If the stop bit is 2, the corresponding data bit is 6, 7, or 8.

The setting is valid only when the serial port is configured to work in asynchronous mode.

Example
# Set the stop bit of a user interface to 2.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] stopbits 2

3.5.27 user privilege

Function
The user privilege command configures the user level.

The undo user privilege command restores the default user level.

By default, the command level for the console port on the user interface is 15 when the
command-privilege level rearrange command has been run and 3 when the
command-privilege level rearrange command has not been run; other users are at level 0.

Format
user privilege level level

undo user privilege level

Parameters
| Parameter | Description | Value |
|---|---|---|
| level level | Specifies the user level. NOTE: The larger the value, the higher the priority. | If the command-privilege level rearrange command is configured, the value of level ranges from 0 to 15. If the command-privilege level rearrange command is not configured, the value of level ranges from 0 to 3. |

NOTE
If the command-privilege level rearrange command configuration is changed, the value of
level changes based on the level mapping.
• If the command-privilege level rearrange command configuration is added, the levels of
  level-0 and level-1 commands remain unchanged, the level of level-2 commands is
  upgraded to 10, and that of level-3 commands is upgraded to 15.
• If the command-privilege level rearrange command configuration is deleted, the level of
  level-0 commands remains unchanged, the levels of level-1 to level-9 commands are
  downgraded to 1, the levels of level-10 to level-14 commands are downgraded to 2, and
  the level of level-15 commands is downgraded to 3.

Views
User interface view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
The system manages users by level to control their access permissions. Users who log in to
the device can use only commands at or below their own level.
Commands are classified into the visit level, monitoring level, configuration level, and
management level, which map to levels 0, 1, 2, and 3 when the command-privilege level
rearrange command is not configured, as listed in Table 3-15.

Table 3-15 Relationship between command levels and user levels


| User Level | Command Level | Description |
|---|---|---|
| 0 | Visit level(0) | Commands of this level include network diagnosis tool commands (such as ping and tracert), commands for accessing external devices from the local device (such as Telnet) and some display commands. |
| 1 | Visit level(0), Monitoring level(1) | Commands of this level are used for system maintenance, including display commands. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Command Reference. |
| 2 | Visit level(0), Monitoring level(1), Configuration level(2) | Commands of this level are used for service configuration to provide direct network services, including routing commands and commands of each network layer. |
| 3 | Visit level(0), Monitoring level(1), Configuration level(2), Management level(3) | Commands of this level are used for basic system operations, including file system, FTP, TFTP download, user management, command level configuration, and debugging. |

If the command level configured for a user interface conflicts with that of a user, the
command level of the user takes precedence. For example, if the user 001 can use commands
at level 3 and the command level configured for the user interface VTY 0 is 2, the user 001
can use commands at level 3 and lower levels when logging in to the system through the user
interface VTY 0.
You can run the display user-interface command to view detailed information about a user
interface.
Precautions

If refined right management is required, run the command-privilege level command to
upgrade command levels.
In versions earlier than V100R006C00, the user level ranges from 0 to 15. If the system
software is upgraded to V100R006C00 or a later version, and the command-privilege level
command is not configured, the levels of level-0 and level-1 users remain unchanged, and
those of level-3 to level-15 users change to 3.

Example
# Set the user level on the VTY0 user interface to 2.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] user privilege level 2
[*HUAWEI-ui-vty0] commit

3.5.28 user-interface
Function
The user-interface command displays one or more user interface views.

Format
user-interface ui-type first-ui-number [ last-ui-number ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| ui-type | Specifies the type of a user interface. | The value can be console or vty. |
| first-ui-number | Specifies the number of the first user interface. | If ui-type is set to console, the first-ui-number value is 0. If ui-type is set to vty, the first-ui-number value ranges from 0 to the maximum number of VTY user interfaces. |
| last-ui-number | Specifies the number of the last user interface. When you select this parameter, you enter multiple user interface views at the same time. This parameter is valid only when ui-type is set to VTY. The last-ui-number value must be larger than the first-ui-number number. If the maximum number of VTY users has been set using the user-interface maximum-vty command in the system view before ui-type is selected, the last-ui-number value is less than or equal to the maximum number of VTY user interfaces minus one. | - |

Views
System view

Default Level
3: Management level

Usage Guidelines
When the network administrator logs in to the device using the console interface, Telnet, or
SSH, the system manages and monitors the session between the user and the device on the
corresponding user interface. Each user interface corresponds to a user interface view. The
network administrator can set parameters such as authentication and user level to manage
sessions in a unified manner.

After you log in to the device, you can run the display user-interface command to view the
supported user interfaces and the corresponding relative.

Example
# Enter the Console 0 user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0]

# Enter the VTY 1 user interface.


<HUAWEI> system-view
[~HUAWEI] user-interface vty 1
[~HUAWEI-ui-vty1]

# Enter the VTY 1 to VTY 3 user interfaces.


<HUAWEI> system-view
[~HUAWEI] user-interface vty 1 3
[~HUAWEI-ui-vty1-3]

3.5.29 user-interface maximum-vty

Function
The user-interface maximum-vty command configures the maximum number of login users.

The undo user-interface maximum-vty command restores the default maximum number of
login users.

By default, the maximum number of Telnet and SSH (STelnet) users is 5.

Format
user-interface maximum-vty number

undo user-interface maximum-vty

Parameters
| Parameter | Description | Value |
|---|---|---|
| number | Specifies the maximum number of Telnet and SSH users. | The value is an integer ranging from 0 to 21. |

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

The user-interface maximum-vty command configures the maximum number of login users.
If the VTY channels are fully occupied after the configuration is committed, new connections
are not allowed and the current users are not terminated.

Precautions

• The maximum number of login users set by the user-interface maximum-vty command
  is the total number of Telnet and SSH (STelnet) users.
• If the maximum number of login users is set to 0, no user is allowed to log in to the
  device using Telnet or SSH.

Example
# Set the maximum number of login users (Telnet and SSH in total) to 7.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 7

3.5.30 user-interface vty security-policy disable


Function
The user-interface vty security-policy disable command disables the VTY user interface's
security policy.
The undo user-interface vty security-policy disable command enables the VTY user
interface's security policy.
By default, the VTY user interface's security policy is enabled.

Format
user-interface vty security-policy disable
undo user-interface vty security-policy disable

Parameters
None

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
tty write

Usage Guidelines
When the security policy is enabled (undo user-interface vty security-policy disable), the
system clears user authentication requests for access to the VTY user interface that have
been pending for a long time. For example, if the number of existing user authentication
requests has already reached the upper limit but a new authentication request is received,
the system clears the authentication request of the user that fails to pass the authentication
within 15 seconds and starts authenticating the new user.
When the security policy is disabled (user-interface vty security-policy disable), the system
cannot clear any user authentication request that has been pending for a long time to access
the VTY user interface.

NOTE

It is recommended that you enable the security policy to harden the VTY user interface's security.

Example
# Disable the VTY user interface's security policy.

<HUAWEI> system-view
[~HUAWEI] user-interface vty security-policy disable

3.6 User Login Configuration Commands

3.6.1 configuration exclusive


Function
The configuration exclusive command locks the current system configuration. When the
system configuration is locked, the user who locks it can query and modify the configuration
while other users can only query the configuration.
The undo configuration exclusive command unlocks the system configuration.
By default, the system configuration is unlocked.

Format
configuration exclusive
undo configuration exclusive

Parameters
None

Views
All views

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
The device allows simultaneous access and configuration by multiple users, which may cause
configuration conflicts and service exceptions. To prevent service exceptions, run this
command to lock and modify the configuration while allowing other users to only query the
configuration.
To unlock the configuration, do either of the following:
• Run the undo configuration exclusive command.
• Do not modify the configuration in the configured maximum lock interval. The system
  then automatically unlocks the configuration. To configure the maximum lock interval,
  run configuration exclusive timeout.
Precautions
• After you run the configuration exclusive command, other users cannot modify the
  system configuration, so confirm your action before running this command.
• Before you run the configuration exclusive command, run the configuration exclusive
  timeout command to configure the maximum lock interval so that the system can
  automatically unlock the configuration after this interval.
• Only one user can lock the configuration at a time. After the user logs out, the
  configuration is unlocked automatically.

Example
# Lock the current system configuration.
<HUAWEI> configuration exclusive

# Unlock the system configuration.


<HUAWEI> undo configuration exclusive

3.6.2 client ssl-policy (HTTP view)


Function
The client ssl-policy command configures an SSL policy for an HTTP client.
The undo client ssl-policy command deletes the SSL policy on an HTTP client.
By default, no SSL policy is configured on an HTTP client.

Format
client ssl-policy policy-name
undo client ssl-policy

Parameters
| Parameter | Description | Value |
|---|---|---|
| policy-name | Specifies the name of an SSL policy. | The name of an SSL policy must already exist. |

Views
HTTP view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Legacy HTTP does not have any security mechanism. It transmits data in plaintext and does
not verify the identities of communicating parties. Therefore, data transmitted over HTTP
may be tampered with. In applications that require high security, such as e-commerce and
online banking, HTTP is inapplicable. To enhance security, run the client ssl-policy command
to configure an SSL policy for an HTTP client.

Configuration Impact

HTTP security is enhanced with the SSL security mechanisms, such as data encryption,
identity verification, and message integrity check.

Prerequisites

1. An SSL policy has been created and the SSL policy view is displayed using the ssl
policy command in the system view.
2. A digital certificate or certificate chain has been loaded using the certificate load
command in the SSL policy view.

Precautions

An HTTP client can only have one SSL policy configured. If the client ssl-policy command is
run more than once, the latest configuration overrides the previous one.

Example
# Configure an SSL policy named policy1 for an HTTP client.
<HUAWEI> system-view
[~HUAWEI] ssl policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pem-cert
a_servercertchain2_pem_dsa.pem key-pair dsa key-file
a_serverkeychain2_pem_dsa.pem auth-code cipher 123456
[*HUAWEI-ssl-policy-policy1] commit
[~HUAWEI-ssl-policy-policy1] quit
[~HUAWEI] http
[*HUAWEI-http] client ssl-policy policy1

3.6.3 client ssl-verify peer (HTTP view)

Function
The client ssl-verify peer command configures an HTTP client to perform SSL verification
on HTTP servers.

The undo client ssl-verify command disables an HTTP client from performing SSL
verification on HTTP servers.

By default, an HTTP client does not perform SSL verification on HTTP servers.

Format
client ssl-verify peer

undo client ssl-verify

Parameters
None

Views
HTTP view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
https write

Usage Guidelines
Usage Scenario
To configure an HTTP client to perform SSL verification on HTTP servers, run the client
ssl-verify peer command. After the HTTP client is granted an SSL digital certificate by a server,
the client can verify the validity of the server. This prevents the client from accessing invalid
servers, enhancing security.
Precautions
This command takes effect only if the client ssl-policy command has also been run to
configure an SSL policy for the client.

Example
# Configure an HTTP client to perform SSL verification on HTTP servers.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] client ssl-verify peer
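
The settings described in 3.5.25, 3.5.27, 3.5.30, 3.6.2 and 3.6.3 can be checked offline against a saved configuration. The Python auditor below is an added example, not part of the Huawei reference; the configuration layout ("#" between blocks, view sub-commands indented by one space), the finding names and both sample configurations are assumptions constructed for illustration.

```python
import re

# Constructed sample, laid out like a saved configuration (assumption:
# "#" separates blocks and view sub-commands are indented by one space).
SAMPLE_CONFIG = """\
#
command-privilege level rearrange
#
ssh server ip-block disable
#
user-interface maximum-vty 7
user-interface vty security-policy disable
#
http
 client ssl-verify peer
#
user-interface vty 0 4
 user privilege level 15
#
user-interface vty 5 6
 user privilege level 15
 undo shell
#
return
"""

# Constructed counterpart with the defaults left in place and SSL verification on.
HARDENED_CONFIG = """\
#
user-interface vty 0 4
 user privilege level 2
#
http
 client ssl-policy policy1
 client ssl-verify peer
#
return
"""

# Matches a VTY view header, not "user-interface vty security-policy disable".
VTY_VIEW = re.compile(r"user-interface vty \d+(?: \d+)?")
LEVEL_CMD = re.compile(r"user privilege level (\d+)")


def parse_views(text):
    """Return (system_cmds, views): top-level commands and {header: [sub-commands]}."""
    system_cmds, views, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":
            current = None          # block separator closes the current view
            continue
        if line.startswith(" "):
            if current is not None:
                views[current].append(line.strip())
            continue
        system_cmds.append(line)    # unindented line: system-view command or view header
        current = line
        views.setdefault(line, [])
    return system_cmds, views


def audit(text):
    """Return a list of (finding, location) tuples for the settings this section documents."""
    system_cmds, views = parse_views(text)
    findings = []
    # The valid level range is 0-15 with command-privilege level rearrange, else 0-3.
    top_level = 15 if "command-privilege level rearrange" in system_cmds else 3

    if "ssh server ip-block disable" in system_cmds:
        findings.append(("ssh-ip-block-off", "system view"))
    if "user-interface vty security-policy disable" in system_cmds:
        findings.append(("vty-security-policy-off", "system view"))

    for header, subs in views.items():
        if not VTY_VIEW.fullmatch(header) or "undo shell" in subs:
            continue                # not a VTY view, or terminal services are disabled on it
        for cmd in subs:
            m = LEVEL_CMD.fullmatch(cmd)
            # Interface-level default only; a user's own level takes precedence.
            if m and int(m.group(1)) >= top_level:
                findings.append(("vty-top-privilege", header))

    http = views.get("http")
    if http is not None:
        has_policy = any(c.startswith("client ssl-policy ") for c in http)
        has_verify = "client ssl-verify peer" in http
        if has_verify and not has_policy:
            # ssl-verify peer takes effect only if client ssl-policy is configured.
            findings.append(("ssl-verify-without-policy", "http"))
        elif has_policy and not has_verify:
            findings.append(("ssl-policy-without-verify", "http"))
        elif not has_policy:
            findings.append(("http-client-no-ssl", "http"))
    return findings


if __name__ == "__main__":
    for finding, where in audit(SAMPLE_CONFIG):
        print(f"{finding}: {where}")
```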

3.6.4 configuration exclusive by-user-name

Function
The configuration exclusive by-user-name command enables a user to lock the system
configuration.
The undo configuration exclusive by-user-name command enables a user to unlock the
system configuration.
By default, the system configuration is not locked.

Format
configuration exclusive by-user-name user-name
undo configuration exclusive by-user-name user-name

Parameters
Parameter Description Value
user-name Specifies the name of a user. The value is a string of 1 to 253 characters.

Views
System view

Default Level
2: Configuration level

Task Name and Operations


Task Name Operations
config debug

Usage Guidelines
Usage Scenario
Multiple users can access a device and manage it. A user can be a controller or another type of
user. If the configuration of a forwarder is modified by a non-controller user, the
configurations of the controller and forwarder may be inconsistent. The configuration
exclusive by-user-name command can be used to specify the controller to lock the system
configuration of a forwarder to avoid the inconsistency.
When multiple users manage a device at the same time, you can specify a user to lock the
device. Only this user can modify the device configuration, while others cannot.
Configuration Impact
After the system configuration is locked by a user, only this user can perform configuration
operations. Other users can view, edit, maintain, and save the configuration but cannot
commit the configuration. If another user needs to commit the configuration, run the undo
configuration exclusive by-user-name user-name command to unlock the configuration
first.
When this command is run, ensure that the user-name value is that specified when the
configuration exclusive by-user-name command is run.
Precautions
• Only one user can lock the system configuration at a time.
• The user that runs the configuration exclusive by-user-name user-name command to
  lock the system configuration can be different from the user-name in this command.
  For example, User-A can run the configuration exclusive by-user-name User-B
  command to specify User-B to lock the system configuration.
• Only users of the management user level can lock and unlock the system configuration.
  Users of the management user level include:
  – Users of levels 3 to 15 when the command-privilege level rearrange command
    configuration exists
  – Users of level 3 when the command-privilege level rearrange command
    configuration does not exist
• The configuration exclusive by-user-name command locks the device configuration
  based on the user name. Only the same user name can be used to unlock the device. The
  configuration exclusive command locks a device based on the session. The device can
  be unlocked only by the current session. After the session is logged out, the device is
  unlocked automatically.

Example
# Enable user root123 to lock the system configuration.
<HUAWEI> system-view
[~HUAWEI] configuration exclusive by-user-name root123

3.6.5 configuration exclusive timeout


Function
The configuration exclusive timeout command sets the timeout period before the system
automatically unlocks the configuration set.
The undo configuration exclusive timeout command restores the default timeout period.
By default, the timeout period is 30 seconds.

Format
configuration exclusive timeout timeout-value
undo configuration exclusive timeout

Parameters
| Parameter | Description | Value |
|---|---|---|
| timeout-value | Specifies the timeout period before the system automatically unlocks the configuration set. | The value is an integer ranging from 1 to 7200, in seconds. By default, the timeout period is 30 seconds. |

Views
System view

Default Level
3: Management level

Usage Guidelines
Running the configuration exclusive timeout command can set an allowable maximum
period when no commands are delivered by the user that locks the configuration set. After the
timeout period expires, the configuration set is automatically unlocked and other users can
normally run commands.
You can run the configuration exclusive timeout command in one of the following
scenarios:
• When a user without configuration access runs this command, the system prompts an
  error message.
• If the configuration set is locked by another user, this command becomes invalid, and the
  system prompts an error message when the command is run.
• If the configuration set is locked by the current user, the current user can run this
  command.
NOTE

When running the configuration exclusive timeout command, note that:


• If the timeout period is too short, the configuration set is unlocked after a short period during
  which no command is run by the user that locks the configuration set.
• If the timeout period is too long, the configuration set remains locked and other users cannot
  obtain configuration access for a long period during which no command is run by the user that
  locks the configuration set.
• After this command is run, all users (except the user that runs this command) cannot configure
  commands because the configuration set is locked.

Example
# Set the timeout period before the system automatically unlocks the configuration set to 120
seconds.
<HUAWEI> system-view
[~HUAWEI] configuration exclusive timeout 120

3.6.6 display configuration exclusive by-user-name

Function
The display configuration exclusive by-user-name command displays lock information of
the system configuration locked based on user name.

Format
display configuration exclusive by-user-name

Parameters
None

Views
All views

Default Level
3: Management level

Task Name and Operations

Task Name Operations
config read

Usage Guidelines
To view system configuration lock information, run the display configuration exclusive
by-user-name command. The command output includes the name of a user who locks or unlocks
the system configuration, time when the system configuration is locked or unlocked, and lock
ID.
If no system configuration is locked, no command output is displayed after the display
configuration exclusive by-user-name command is run.

Example
# Display lock information after the system configuration is locked.
<HUAWEI> display configuration exclusive by-user-name
Lock User Name: root123
Lock Time: 2018-03-07 20:13:31+04:00 DST
Identifier: 13

# Display lock information after the system configuration is unlocked.


<HUAWEI> display configuration exclusive by-user-name
Unlock User Name: root1234
Unlock Time: 2018-03-07 20:14:09+04:00 DST

Table 3-16 Description of the display configuration exclusive by-user-name command output

| Item | Description |
|---|---|
| Lock User Name | Name of a user who locks the system configuration |
| Lock Time | Time when the system configuration is locked |
| Identifier | Lock ID, which is unique |
| Unlock User Name | Name of a user who unlocks the system configuration |
| Unlock Time | Time when the system configuration is unlocked |

3.6.7 display configuration exclusive user


Function
The display configuration exclusive user command displays information about the user that
locks the configuration set.

Format
display configuration exclusive user

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display configuration exclusive user command to query the user that
obtains configuration access.

Example
# Display the user that locks the configuration set.
<HUAWEI> display configuration exclusive user
User Index: 34
User Session Name: VTY 0
User Name: root
IP Address: 10.135.38.234
Locked Time: 2013-03-06 21:09:36
Last Configuration Time: 2013-03-06 21:09:36
The configuration right was locked and timeout duration is: 30 second(s)

Table 3-17 Description of the display configuration exclusive user command output

| Item | Description |
|---|---|
| User Index | Index of a user |
| User Session Name | Session name of a user, ranging from VTY0 to VTY20 |
| User Name | User name used for login |
| IP Address | IP address of a user, valid for VTY users only |
| Locked Time | Time when the configuration set is locked |
| Last Configuration Time | Time when the user runs the last command |
| The configuration right was locked and timeout duration is | Time when the configuration right is locked |

3.6.8 display dsa key-pair

Function
The display dsa key-pair command displays information about the DSA key pair with a
label.

Format
display dsa key-pair [ brief | label label-name ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| brief | Displays brief information about all DSA key pairs with labels. | - |
| label label-name | Displays information about the DSA key pair with a specific label. | Label name of the key pair. |

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display dsa key-pair command to check information about the DSA key pair
with a label. The information varies when you specify different parameters in the command.
• If brief is specified, you can view brief information about all DSA key pairs with labels.
• If label label-name is specified, you can view information about the DSA key pair with a
  specific label.
• When neither label nor brief is specified, you can view information about all DSA key
  pairs with labels.

Example
# Display information about all DSA key pairs with labels.
<HUAWEI> display dsa key-pair
=====================================
Label name: abc
Modulus: 2048
Time of Key pair created: 2014-01-13 07:41:46
=====================================
Key :
=====================================

Table 3-18 Description of the display dsa key-pair command output

Item                        Description
Label name                  Label name. To specify the label name, run the dsa key-pair label command.
Modulus                     Modulus of the key pair. To specify the modulus of the key pair,
                            run the dsa key-pair label command.
Time of Key pair created    Time when the key pair is generated.
Key                         Code of the key pair.

3.6.9 display dsa local-key-pair public

Function
The display dsa local-key-pair public command displays the public key in the local DSA
key pair of the device.

Format
display dsa local-key-pair public


Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
This command displays the public key in the local DSA key pair. You can copy the public key
in the command output to the DSA public key of the SSH server to ensure that the public keys
on the client and server are consistent and that the client can be authenticated by the server.

Example
# Display the public key in the client DSA key pair.
<HUAWEI> display dsa local-key-pair public
========================================================
Time of key pair created : 2017-08-02 16:45:00
Key name : HUAWEI_Host_DSA
Key modulus : 2048
Key type : DSA encryption key
========================================================
Key code:

Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:



Table 3-19 Description of the display dsa local-key-pair public command output

Item                                        Description
Time of key pair created                    Time when the public key is created.
Key name                                    Name of the public key.
Key modulus                                 Length of the key.
Key type                                    Type of the public key.
Key code                                    Content of the key.
Host public key for PEM format code         PEM code of the public key.
Public key code for pasting into OpenSSH    Public key format in the OpenSSH file.
authorized_keys file

3.6.10 display dsa peer-public-key


Function
The display dsa peer-public-key command displays the DSA public key that has been
configured.

Format
display dsa peer-public-key [ brief | name key-name ]

Parameters
Parameter        Description                                Value
brief            Displays the brief information.            -
name key-name    Displays the DSA public key with the       The key-name must
                 specified name.                            already exist.

Views
All views

Default Level
3: Management level

Usage Guidelines
Usage Scenario
This command displays the DSA public key for you to check whether the local and peer
public keys are consistent.
Precautions
You must complete the DSA public key configuration before running this command.

Example
# Display the DSA public key with the specified name.

<HUAWEI> display dsa peer-public-key name dsakey001


=====================================
Key name : dsakey001
Encoding type : DER
=====================================
Key code:

Table 3-20 Description of the display dsa peer-public-key command output

Item             Description
Key name         Type of the public key.
Encoding type    Type of the public key encoding format.
Key code         Code of the public key.

3.6.11 display ecc key-pair

Function
The display ecc key-pair command displays information about the ECC key pair with a
label.

Format
display ecc key-pair [ brief | label label-name ]


Parameters
Parameter           Description                                          Value
brief               Displays brief information about all ECC key         -
                    pairs with labels.
label label-name    Displays information about the ECC key pair with     Label name of the
                    a specific label.                                    key pair.

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display ecc key-pair command to check information about the ECC key pair
with a label. The information varies when you specify different parameters in the command.

- If brief is specified, you can view brief information about all ECC key pairs with labels.
- If label label-name is specified, you can view information about the ECC key pair with a
  specific label.
- When neither label nor brief is specified, you can view information about all ECC key
  pairs with labels.

Example
# Display information about all ECC key pairs with labels.
<HUAWEI> display ecc key-pair
=====================================
Label name: abc123
Modulus: 521
Time of Key pair created: 2014-01-13 08:01:02
=====================================
Key :
0400B83D B5796B8F 28060F9E 6AA444C6 17F904D5 DE1D25D1 DF86CC94
5B30D58B A8BEA1D6 405D7928 AADCF587 ECCCFEE0 AE4235FE 3F78485C
BA72121D 5C76B902 34C0BC00 6815A445 F3EE1F36 9E7F9646 8E0EDA8D
51EF14B3 164C4742 970A158D 0807FBE6 FC9D9277 31CFF900 75600A8C
BA99BE37 366FFFFB 883C73EA 0970553C F2032738 3D
=====================================

Table 3-21 Description of the display ecc key-pair command output


Item                        Description
Label name                  Label name. To specify the label name, run the ecc key-pair label command.
Modulus                     Modulus of the key pair. To specify the modulus of the key pair,
                            run the ecc key-pair label command.
Time of Key pair created    Time when the key pair is generated.
Key                         Code of the key pair.

3.6.12 display ecc local-key-pair public


Function
The display ecc local-key-pair public command displays information about the public key in
the local ECC key pair.

Format
display ecc local-key-pair public

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display ecc local-key-pair public command to check information about the
public key in the local ECC key pair on a client and then copy the public key to the server.
The public key enables a server to authenticate users and ensures the login of authorized
users.

Example
# Display information about the public key in the local ECC key pair on a client.
<HUAWEI> display ecc local-key-pair public
========================================================
Time of key pair created : 2013-12-30 11:11:20
Key name : HUAWEI_Host_ECC
Key modulus : 521
Key type : ECC encryption key
========================================================
Key code:
04012998 DFDD74C4 3F58DF73 C9CED003 8BB308ED
8353FD26 BAF2F836 5EFDCC2A D26E185F 6F6E2E19
683FF161 9141A7C2 3EEA52E3 9801E245 D33079A2
B12DAF27 1DF59401 E5068456 C54FE0E0 5DD99CEB
98C527DB B3CE0707 7863DC59 34EE830C 8AACBDB3
5EA697C4 9A660DD8 1049A330 7DC7ED5A 905184AC
0F6D6022 07731458 4DC1CE84 D8

Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAACFBAEpmN/ddMQ/WN9zyc7QA4uzCO2D
U/0muvL4Nl79zCrSbhhfb24uGWg/8WGRQafCPupS45gB4kXTMHmisS2vJx31lAHl
BoRWxU/g4F3ZnOuYxSfbs84HB3hj3Fk07oMMiqy9s16ml8SaZg3YEEmjMH3H7VqQ
UYSsD21gIgdzFFhNwc6E2A==
---- END SSH2 PUBLIC KEY ----

Table 3-22 Description of the display ecc local-key-pair public command output
Item                                   Description
Time of key pair created               Time when the public key in the local ECC key pair is generated,
                                       in the format of YYYY-MM-DD HH:MM:SS.
Key name                               Name of the public key in the local ECC key pair.
Key modulus                            Length of the public key in the local ECC key pair.
Key type                               Type of the public key in the local ECC key pair.
Key code                               Code of the public key in the local ECC key pair configured using
                                       the ecc local-key-pair command.
Host public key for PEM format code    PEM code of the public key in the local ECC key pair.

3.6.13 display ecc peer-public-key

Function
The display ecc peer-public-key command displays information about the ECC public key
configured on the remote end.

Format
display ecc peer-public-key [ brief | name key-name ]

Parameters
Parameter        Description                                         Value
brief            Displays brief information about the ECC public     -
                 key configured on the remote end.
name key-name    Displays the ECC public key with the specified      The key-name must
                 name.                                               already exist.


Views
All views

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run this command to check detailed information about the ECC public key and
whether the local and peer public keys are the same.

Precautions

You must complete the ECC public key configuration before running this command.

Example
# Display brief information about all the ECC public keys.
<HUAWEI> display ecc peer-public-key brief
------------------------------------------
Bits Name
------------------------------------------
521 sat
------------------------------------------

# Display detailed information about the ECC public key named sat.
<HUAWEI> display ecc peer-public-key name sat
=====================================
Key name: sat
=====================================
Key code:
040020D4 5436AC31 BB1501EE 54CB84B6 AD9D5DB5 1B65EA59 9B5409A9 045D12A5
9133AF2C A7E9E80E 344E95DA D166E270 77B67702 72F9B94F FB78E487 1C2928C9
5437CE00 93AD2608 0D940547 8D6B84AB DDD30FE1 75B2C790 884B4F91 5DEE668F
08EE50CE 1CAE6D54 1A1DC28C 1936C451 ECBB7AB0 B7F2F09B 8F699940 CF81C7C7
906A40F4 7D

Table 3-23 Description of the display ecc peer-public-key command output


Item        Description
Bits        Length of the ECC public key configured on the remote end.
Name        Name of the ECC public key configured on the remote end.
Key name    Name of the ECC public key configured on the remote end.
Key code    Code of the ECC public key configured on the remote end.


3.6.14 display rsa key-pair


Function
The display rsa key-pair command displays information about the RSA key pair with a
label.

Format
display rsa key-pair [ brief | label label-name ]

Parameters
Parameter           Description                                          Value
brief               Displays brief information about all RSA key         -
                    pairs with labels.
label label-name    Displays information about the RSA key pair with     Label name of the
                    a specific label.                                    key pair.

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display rsa key-pair command to check information about the RSA key pair
with a label. The information varies when you specify different parameters in the command.
- If brief is specified, you can view brief information about all RSA key pairs with labels.
- If label label-name is specified, you can view information about the RSA key pair with a
  specific label.
- When neither label nor brief is specified, you can view information about all RSA key
  pairs with labels.

Example
# Display information about all RSA key pairs with labels.
<HUAWEI> display rsa key-pair
=====================================
Label name : a01
Modulus : 2048
Time of key pair created : 2013-12-31 01:47:14
=====================================
Key :
=====================================

Table 3-24 Description of the display rsa key-pair command output


Item                        Description
Label name                  Label name. To specify the label name, run the rsa key-pair label command.
Modulus                     Modulus of the RSA key pair. To specify the modulus of the RSA key pair,
                            run the rsa key-pair label command.
Time of key pair created    Time when the key pair is generated.
Key                         Code of the key pair.

3.6.15 display rsa local-key-pair public


Function
The display rsa local-key-pair public command displays the public key in the local key pair.

Format
display rsa local-key-pair public

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
Run this command on the client and configure the client public key shown in the command
output on the SSH server. This ensures that the SSH server's validity check of the SSH client
succeeds and enables secure data exchange between the SSH server and client.

Example
# Display the public key in the local key pair.

<HUAWEI> display rsa local-key-pair public


======================Host key==========================
Time of key pair created : 2013-12-30 08:55:13
Key name : HUAWEI_Host
Key type : RSA encryption key
========================================================
Key code:


Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDE1WljHsHigz4xXV3tZfNJjy7QmwT5Ad7I
BqoJQaxDO7dCK7HW51Qms2tIn0ChzqrzExRbcp37kxvb2IHr8HhU2FcNtL/c+JAJ
FUZ2ze0KX6qjMJ9NYYbeQa++ovpn1+s/xen9gIWdTnscEiEZj/ojG4BIpubw0yBV
V9awWA2Brf0rbTJW+66egaumDo+nlF2wqhP7Sso249dZGMQOaMafbKDIf61HHK9/
C9VEacSnz4vIW+pzXgJfrJcse82BjDyOPqvbgwAm1s26YvAMiShKBKZ8pZcgfiPZ
HvMYPiRm+NBnVM7l6yuTfoUWqhSF13m3y2taspmr/7Hhv6A1PdOX
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDE1WljHsHigz4xXV3tZfNJjy7QmwT5Ad7IBqoJQaxD
O7dCK7HW51Qms2tIn0ChzqrzExRbcp37kxvb2IHr8HhU2FcNtL/c+JAJFUZ2ze0KX6qjMJ9NYYbeQa++
ovpn1+s/xen9gIWdTnscEiEZj/ojG4BIpubw0yBVV9awWA2Brf0rbTJW+66egaumDo+nlF2wqhP7Sso2
49dZGMQOaMafbKDIf61HHK9/C9VEacSnz4vIW+pzXgJfrJcse82BjDyOPqvbgwAm1s26YvAMiShKBKZ8
pZcgfiPZHvMYPiRm+NBnVM7l6yuTfoUWqhSF13m3y2taspmr/7Hhv6A1PdOX rsa-key

Host public key for SSH1 format code:


2048 65537 248479449894298928294307779358726016363453127732399382240868603696328
38092602580810460413033525882290576141938684323785867753090434139378610895900966
99069400366338221105253327868286329658226300153628555662751480887246101263431835
00691736600459588199818030880967385624775381317439545767556794593852794045844003
34335076114347973757304101202989966991960922618440645983410857662297120846209864
22771028604935279415615054836817431585686417436260033974542999889336079286514057
18228159988733198430380627228312138479579994102250624429597554309014943522876720
35453712256315056983907073654304186669580624268424033646475701244823

======================Server key========================
Time of key pair created : 2013-12-30 08:55:14
Key name : HUAWEI_Server
Key type : RSA encryption key
========================================================
Key code:


Table 3-25 Description of the display rsa local-key-pair public command output
Item                        Description
Time of key pair created    Time and date when the public key is created.
Key name                    The value can be the host or server public key. The server public key
                            is saved only when the key type is RSA.
Key type                    Type of the public key.
Key code                    Code of the public key.

3.6.16 display rsa peer-public-key

Function
The display rsa peer-public-key command displays the peer public key saved on the local
host. If no parameter is specified, the command displays detailed information about all peer
public keys.

Format
display rsa peer-public-key [ brief | name key-name ]

Parameters
Parameter        Description                                        Value
brief            Displays the brief information about all peer      -
                 public keys.
name key-name    Specifies the key name.                            The key-name must
                                                                    already exist.

Views
All views

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run this command to check detailed information about the RSA public key and
whether the local and peer public keys are the same.
Precautions
Before running the display rsa peer-public-key command, run the rsa peer-public-key
command to generate the peer public key.

Example
# Display the brief information about all RSA public keys.
<HUAWEI> display rsa peer-public-key brief
------------------------------------------
Bits Name
------------------------------------------
1024 rsakey001
------------------------------------------

Table 3-26 Description of the display rsa peer-public-key brief command output
Item    Description
Bits    Bits in the public key.
Name    Name of the public key.

# Display the detailed information about the RSA public key named rsakey001.
<HUAWEI> display rsa peer-public-key name rsakey001
=====================================
Key name : rsakey001
Encoding type : DER
=====================================
Key code:
308188
028180
739A291A BDA704F5 D93DC8FD F84C4274 631991C1 64B0DF17 8C55FA83 3591C7D4
7D5381D0 9CE82913 D7EDF9C0 8511D83C A4ED2B30 B809808E B0D1F52D 045DE408
61B74A0E 135523CC D74CAC61 F8E58C45 2B2F3F2D A0DCC48E 3306367F E187BDD9
44018B3B 69F3CBB0 A573202C 16BB2FC1 ACF3EC8F 828D55A3 6F1CDDC4 BB45504F
0203
010001

Table 3-27 Description of the display rsa peer-public-key name command output
Item             Description
Key name         Name of the public key.
Encoding type    Coding type of the public key
Key code         Code of the public key.
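
The check that the local and peer public keys are the same, described for the display dsa peer-public-key and display rsa peer-public-key commands, can also be done off the device. The following Python is an added example, not Huawei code: it decodes a DER "Key code" dump, rebuilds the OpenSSH key blob and compares it with an authorized_keys-style line. The sample dump and key line are constructed (a toy 64-bit modulus), all function names are hypothetical, the DSA integer order p, q, g, y is an assumption, and ECC point dumps are not covered.

```python
import base64
import hashlib
import re
import struct

# Constructed sample in the layout of "display rsa peer-public-key name <key-name>".
# The 64-bit modulus is a toy value for illustration, not a usable key.
SAMPLE_PEER_OUTPUT = """\
=====================================
Key name : demo001
Encoding type : DER
=====================================
Key code:
3010
0209
00D15EA5 E00DF00D 43
0203
010001
"""
# Constructed OpenSSH-format line carrying the same toy key.
SAMPLE_OPENSSH_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAACQDRXqXgDfANQw== demo-key"


def key_code_to_der(cli_text):
    """Join the hex groups printed after 'Key code:' or 'Key :' into DER bytes."""
    lines = cli_text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"\s*Key( code)?\s*:\s*$", line):
            break
    else:
        raise ValueError("no 'Key code:' or 'Key :' line found")
    hex_groups = []
    for line in lines[i + 1:]:
        text = line.strip()
        if not text:
            continue
        if not re.fullmatch(r"[0-9A-Fa-f ]+", text):
            break  # a rule of '=', a heading or base64 text ends the dump
        hex_groups.append(text.replace(" ", ""))
    return bytes.fromhex("".join(hex_groups))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value; was the whole dump copied?")
    return tag, buf[pos:pos + length], pos + length


def der_integers(der):
    """Decode SEQUENCE { INTEGER, ... } into a list of Python ints."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER inside the SEQUENCE")
        values.append(int.from_bytes(value, "big"))
    return values


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    # RFC 4251 mpint: big-endian with a leading zero octet when the top bit is set.
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ssh_blob(values):
    """Build the SSH public-key blob from the integers of the DER dump."""
    if len(values) == 2:  # RSA: modulus n, public exponent e
        n, e = values
        return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    if len(values) == 4:  # DSA, assumed dump order p, q, g, y
        return _ssh_string(b"ssh-dss") + b"".join(_mpint(v) for v in values)
    raise ValueError("unrecognised key structure")


def fingerprint(blob):
    """SHA-256 fingerprint in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_openssh_line(cli_text, openssh_line):
    """True when the device dump and the OpenSSH line hold the same key."""
    blob = base64.b64decode(openssh_line.split()[1])
    return ssh_blob(der_integers(key_code_to_der(cli_text))) == blob


if __name__ == "__main__":
    values = der_integers(key_code_to_der(SAMPLE_PEER_OUTPUT))
    print("modulus bits:", values[0].bit_length())
    print("fingerprint :", fingerprint(ssh_blob(values)))
    print("same key    :", matches_openssh_line(SAMPLE_PEER_OUTPUT, SAMPLE_OPENSSH_LINE))
```

A dump that was cut short, for example by a page break in a copied listing, fails with a truncation error instead of producing a fingerprint for a partial key.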


3.6.17 display ssh client


Function
The display ssh client command displays SSH client information.

Format
display ssh client session

Parameters
Parameter    Description                                                       Value
session      Displays current session status information of the SSH client.    -

Views
All views

Default Level
3: Management level

Task Name and Operations


Task Name     Operations
ssh-client    debug

Usage Guidelines
To view current session connection information of the SSH client, run the display ssh client
session command.

Example
# Display current status information about the SSH client.
<HUAWEI> display ssh client session
--------------------------------------------------------------------------
Session : 1
Version : 2.0
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
CTOS Compress : none
STOC Compress : none
Total Packet Number : 152
Packet Number after Rekey : 152
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 2
Time after Rekey(Minute) : 2
--------------------------------------------------------------------------------


Table 3-28 Description of the display ssh client session command output

Item                                      Description
Session                                   SSH session ID
Version                                   Version information of the protocol that the SSH session
                                          connection uses
CTOS Cipher                               Encryption algorithm from the client to the server
STOC Cipher                               Encryption algorithm from the server to the client
CTOS Hmac                                 HMAC algorithm from the client to the server
STOC Hmac                                 HMAC algorithm from the server to the client
CTOS Compress                             Compression algorithm from the client to the server
STOC Compress                             Compression algorithm from the server to the client
Total Packet Number                       Total number of SSH session packets
Packet Number after Rekey                 Total number of SSH session packets after key re-negotiation
Total Data(MB)                            Total data volume of the SSH session connection, in MB
Data after Rekey(MB)                      Total data volume of the SSH session connection after key
                                          re-negotiation, in MB
Time after Session Established(Minute)    Connection duration after the SSH session connection is
                                          activated, in minutes
Time after Rekey(Minute)                  Connection duration after the SSH session connection is
                                          activated and the key is re-negotiated, in minutes

3.6.18 display ssh server

Function
The display ssh server command displays the SSH server information.

Format
display ssh server { status | session }

Parameters

Parameter    Description                                                               Value
status       Displays the global configuration on the SSH server.                      -
session      Displays the current session connection information on the SSH server.    -

Views
All views

Default Level
3: Management level

Usage Guidelines
After configuring the SSH attributes, you can run this command to view the configuration or
session connection information on the SSH server to verify that the SSH connection has been
established.

Example
# Display the global configuration on the SSH server.
<HUAWEI> display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Disable
SNETCONF IPv6 server : Disable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Enable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 0.0.0.0
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
SSH server ip-block : Enable

Table 3-29 Description of the display ssh server status command output
Item | Description
SSH Version | Protocol version used for the SSH session connection.
SSH authentication timeout (Seconds) | Timeout interval of SSH server authentication, in seconds. Run the ssh server timeout command to set this item.
SSH authentication retries (Times) | Number of times for retrying the SSH session connection. Run the ssh server authentication-retries command to set this item.
SSH server key generating interval (Hours) | Interval for generating an SSH server password, in hours. Run the ssh server rekey-interval command to set this item.
SSH version 1.x compatibility | SSH 1.x version compatibility. The value can be Enable or Disable. Run the ssh server compatible-ssh1x enable command to set this item.
SSH server keepalive | Keepalive state of the SSH server. The value can be Enable or Disable. Run the ssh server keepalive disable command to set this item.
SFTP IPv4 server/SFTP IPv6 server | Status of the SFTP server. The value can be Enable or Disable. Run the sftp server enable command to set this item.
STELNET IPv4 server/STELNET IPv6 server | Status of the STelnet server. The value can be Enable or Disable. Run the stelnet server enable command to set this item.
SNETCONF IPv4 server/SNETCONF IPv6 server | Status of the SNETCONF server. The value can be Enable or Disable. Run the snetconf server enable command to set this item.
SNETCONF IPv4 server port(830)/SNETCONF IPv6 server port(830) | Port of the SNETCONF server. Run the protocol inbound ssh port 830 command to set this item.
SCP IPv4 server/SCP IPv6 server | Status of the SCP server. The value can be Enable or Disable. Run the scp server enable command to set this item.
SSH server DES | DES algorithm of the SSH server. Run the ssh server cipher command to set this item.
SSH IPv4 server port/SSH IPv6 server port | Port of the SSH server. Run the ssh server port command to set this item.
ACL name | Name of the ACL rule bound to the SSH server. Run the ssh server acl acl-name command to set this item.
ACL number | Number of the ACL rule bound to the SSH server. Run the ssh server acl acl-number command to set this item.
ACL6 name | Name of the ACL6 rule bound to the SSH server. Run the ssh ipv6 server acl acl-number command to set this item.
ACL6 number | Number of the ACL6 rule bound to the SSH server. Run the ssh ipv6 server acl acl-number command to set this item.
SSH server source address/SSH ipv6 server source address | Source IP address of the SSH server. Run the ssh server-source -i interface-type interface-number command to set this item.
SSH ipv6 server source vpnName | VPN name of the SSH IPv6 server.
SSH server ip-block | Whether the SSH server locks client IP addresses. Enable: the SSH server locks client IP addresses. Disable: the SSH server does not lock client IP addresses.

# Display the current session connection information on the SSH server.


<HUAWEI> display ssh server session
--------------------------------------------------------------------------------
Session : 1
Connect type : VTY 0
Version : 2.0
State : Started
Username : root123
Retry : 2
Client to Server cipher : aes256-cbc
Server to Client cipher : aes256-cbc
Client to Server HMAC : hmac-sha2-256
Server to Client HMAC : hmac-sha2-256
Client to Server compression : none
Server to Client compression : none
Key exchange algorithm : ecdh-sha2-nistp521
Public key : ecc
Service type : stelnet
Authentication type : password
Connection port number : 22
Idle time : 00:00:00
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------

Table 3-30 Description of the display ssh server session command output

Item | Description
Session | SSH session ID.
Connect type | Connection used by the SSH session. The options are as follows: VTY (connection used by the STelnet user), NCA (connection used by the SNetconf user), SFTP (connection used by the SFTP user).
Version | Protocol version used for the SSH session connection.
State | Status of the SSH session connection.
Username | User name for the SSH session connection. Run the ssh user command to set this item.
Retry | Number of times for retrying the SSH session connection. Run the ssh server authentication-retries command to set this item.
Client to Server cipher | Encryption algorithm name from the client to the server.
Server to Client cipher | Encryption algorithm name from the server to the client.
Client to Server HMAC | HMAC algorithm name from the client to the server.
Server to Client HMAC | HMAC algorithm name from the server to the client.
Client to Server compression | Name of the compression algorithm from the client to the server.
Server to Client compression | Name of the compression algorithm from the server to the client.
Key exchange algorithm | Exchange algorithm name.
Public key | Public key algorithm used for server authentication, which can be RSA, DSA, or ECC. NOTE: You are advised to use the more secure ECC authentication algorithm for higher security.
Service type | Service type for an SSH user. The options are as follows: sftp, stelnet, snetconf. Run the ssh user service-type command to set this item.
Authentication type | Authentication mode for an SSH user. The options are as follows: password; rsa; dsa; ecc; password-rsa (password and RSA); password-dsa (password and DSA); password-ecc (password and ECC); all (password, DSA, ECC, or RSA). Run the ssh user authentication-type command to set this item.
Connection port number | Port number of the SSH server. Run the ssh server port command to set this item.
Idle time | Idle time of the SSH session.
Total Packet Number | Total number of SSH session packets.
Packet Number after Rekey | Total number of SSH session packets after key re-negotiation.
Total Data(MB) | Total data volume of the SSH session connection, in MB.
Data after Rekey(MB) | Total data volume of the SSH session connection after key re-negotiation, in MB.
Time after Session Established(Minute) | Connection duration after the SSH session connection is activated, in minutes.
Time after Rekey(Minute) | Connection duration after the SSH session connection is activated and the key is re-negotiated, in minutes.

3.6.19 display ssh server-info


Function
The display ssh server-info command displays the binding between the SSH server and RSA,
DSA, or ECC public key when the current device works as the SSH client.

Format
display ssh server-info

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
When the SSH client needs to authenticate the server, the server public key saved in the local
host is used to authenticate the connected SSH server. If the authentication fails, you can run
the display ssh server-info command to verify that the server public key is correct.

Example
# Display all bindings between the SSH server and public keys on the SSH client.
<HUAWEI> display ssh server-info
-----------------------------------------------------------------------------------------------------------------
Server Name(IP)                 Server public key name          Server public key type          State
-----------------------------------------------------------------------------------------------------------------
192.168.1.120                   192.168.1.120                   RSA                             CONFIGURE
192.168.1.110                   192.168.1.110                   RSA                             CONFIGURE
-----------------------------------------------------------------------------------------------------------------

Table 3-31 Description of the display ssh server-info command output

Item | Description
Server Name(IP) | Host name of the SSH server.
Server public key type | Type of the public key on the SSH server.
Server public key name | Name of the public key on the SSH server.
State | Indicates the server key state. CONFIGURE: indicates that the server public key is saved in the database. DYNAMIC: indicates that the server public key is not saved in the database.

3.6.20 display ssh user-information

Function
The display ssh user-information command displays the configuration of all SSH users.

Format
display ssh user-information [ username ]

Parameters

Parameter | Description | Value
username | Displays the SSH user name. | The SSH user must already exist.

Views
All views

Default Level
3: Management level

Usage Guidelines
This command displays the SSH user name, bound RSA, DSA, or ECC public key name, and
service type.

Example
# Display the configuration of all SSH users.
<HUAWEI> display ssh user-information
--------------------------------------------------------------------------------
User Name : client001
Authentication type : password
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp

User Name : client002
Authentication type : rsa
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp
--------------------------------------------------------------------------------
Total 2, 2 printed

Table 3-32 Description of the display ssh user-information command output

Item | Description
User Name | SSH user name. Run the ssh user command to set this item.
Authentication type | Authentication mode for an SSH user. The options are as follows: password; rsa; dsa; ecc; password-rsa (password and RSA); password-dsa (password and DSA); password-ecc (password and ECC); all (password, DSA, ECC, or RSA). Run the ssh user authentication-type command to set this item.
User public key name | Peer RSA, DSA, or ECC public key assigned to an SSH user. Run the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command to set this item.
User public key type | Type of the public key allocated to the SSH user. RSA: indicates that the type is RSA. DSA: indicates that the type is DSA. ECC: indicates that the type is ECC. --: indicates that no public key type is specified.
Sftp directory | SFTP service directory of an SSH user. Run the ssh user sftp-directory command to set this item.
Service type | Service type for an SSH user. The options are as follows: sftp (the service type is SFTP); stelnet (the service type is STelnet); snetconf (the service type is SNetConf); -- (no service type is specified). Run the ssh user service-type command to set this item.
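
An added example (not Huawei's code) that parses the display ssh user-information output described above and flags accounts worth reviewing, such as client002 in the page's sample, which is set to rsa authentication but has no public key assigned. The finding names, the constructed client003 record, and the decision to flag non-ECC user keys (following the page's advice to prefer ECC) are assumptions of this example.

```python
# Added example: audit "display ssh user-information" output. Field names and
# authentication types are the ones listed on this page; the finding names and
# the choice of what to flag are assumptions of this example.

# client001 and client002 come from the page's example; client003 is constructed.
USER_INFO = """\
--------------------------------------------------------------------------------
User Name              : client001
Authentication type    : password
User public key name   : --
User public key type   : --
Sftp directory         : flash:
Service type           : sftp

User Name              : client002
Authentication type    : rsa
User public key name   : --
User public key type   : --
Sftp directory         : flash:
Service type           : sftp

User Name              : client003
Authentication type    : all
User public key name   : dsakey001
User public key type   : DSA
Sftp directory         : flash:
Service type           : --
--------------------------------------------------------------------------------
Total 3, 3 printed
"""

KEY_ALGORITHMS = ("rsa", "dsa", "ecc")


def parse_users(text):
    """Return one dict per user; a 'User Name' line starts a new record."""
    users = []
    for line in text.splitlines():
        # Split on the first colon only, so values such as "flash:" survive.
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            continue  # separator rows, blank lines, "Total 3, 3 printed"
        if name == "User Name":
            users.append({})
        if users:
            users[-1][name] = value
    return users


def audit_user(user):
    """Return the list of findings (hypothetical names) for one user record."""
    findings = []
    auth = user.get("Authentication type", "").lower()
    key_name = user.get("User public key name", "--")
    key_type = user.get("User public key type", "--").lower()
    # Key algorithm the mode requires: rsa -> rsa, password-dsa -> dsa, else None.
    tail = auth.rsplit("-", 1)[-1]
    required = tail if tail in KEY_ALGORITHMS else None
    if required and key_name == "--":
        findings.append("key-missing")          # public-key mode, no key assigned
    if required and key_type not in ("--", required):
        findings.append("key-type-mismatch")    # e.g. rsa mode with a DSA key
    if auth == "all":
        findings.append("any-method-accepted")  # password, DSA, ECC, or RSA
    if key_type in ("rsa", "dsa"):
        findings.append("non-ecc-key")          # page advises ECC
    if user.get("Service type", "--") == "--":
        findings.append("no-service-type")
    return findings


def audit_users(text):
    """Map each user name to its findings, in the order the device listed them."""
    return {u.get("User Name", "?"): audit_user(u) for u in parse_users(text)}


if __name__ == "__main__":
    for user_name, findings in audit_users(USER_INFO).items():
        print(f"{user_name}: {', '.join(findings) or 'ok'}")
```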

3.6.21 display telnet server

Function
The display telnet server command displays the configuration of the current Telnet
server.

Format
display telnet server

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
When you fail to log in to a server using Telnet, run the display telnet server command to
check the configuration of the Telnet server. The command output can help you find the cause
of the login failure.

Example
# Display the basic configuration of the Telnet server.
<HUAWEI> display telnet server
Telnet server : Enable
Telnet server port : 23
Telnet IPv6 server : Disable
Telnet IPv6 server port : 23
Telnet server source address : 0.0.0.0
TELNET ipv6 server source address : 0::0
TELNET ipv6 server source vpnName :
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --

Table 3-33 Description of the display telnet server command output


Item | Description
Telnet server | Status of the Telnet server. The value can be Enable or Disable. Run the telnet server disable command to set this item.
Telnet server port | Telnet server port number. Run the telnet server port command to set this item.
Telnet IPv6 server | Status of the Telnet IPv6 server. The value can be Enable or Disable. Run the telnet ipv6 server disable command to set this item.
Telnet IPv6 server port | Port number of the Telnet IPv6 server. Run the telnet server port command to set this item.
Telnet server source address | Source IP address of the Telnet server. Run the telnet server-source command to set this item.
TELNET ipv6 server source address | Source IP address of the Telnet IPv6 server.
TELNET ipv6 server source vpnName | Source VPN instance name of the Telnet IPv6 server.
ACL name | Name of the ACL rule bound to the Telnet server. Run the telnet server acl acl-name command to set this item.
ACL number | Number of the ACL rule bound to the Telnet server. Run the telnet server acl acl-number command to set this item.
ACL6 name | Name of the ACL6 rule bound to the Telnet server. Run the telnet ipv6 server acl acl-name command to set this item.
ACL6 number | Number of the ACL6 rule bound to the Telnet server. Run the telnet ipv6 server acl acl-number command to set this item.
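
An added example (not Huawei's code) that checks captured display ssh server status and display telnet server output, as described in Table 3-29 and Table 3-33, for settings an administrator would normally review: SSH 1.x compatibility, DES, disabled client IP locking, enabled services with no ACL bound, and an enabled Telnet server. The finding names and the choice of checks are assumptions of this example; the sample text is a subset of the page's example output.

```python
# Added example: audit "display ssh server status" and "display telnet server"
# output. Field names come from this page; finding names are assumptions.

# Subset of the page's example output for display ssh server status.
SSH_STATUS = """\
SSH version 1.x compatibility              : Disable
SFTP IPv4 server                           : Enable
SFTP IPv6 server                           : Enable
STELNET IPv4 server                        : Enable
STELNET IPv6 server                        : Enable
SNETCONF IPv4 server                       : Disable
SNETCONF IPv6 server                       : Disable
SCP IPv4 server                            : Enable
SCP IPv6 server                            : Enable
SSH server DES                             : Enable
SSH ipv6 server source address             : 0::0
SSH ipv6 server source vpnName             :
ACL name                                   : --
ACL number                                 : --
ACL6 name                                  : --
ACL6 number                                : --
SSH server ip-block                        : Enable
"""

# Subset of the page's example output for display telnet server.
TELNET_SERVER = """\
Telnet server                              : Enable
Telnet server port                         : 23
Telnet IPv6 server                         : Disable
Telnet IPv6 server port                    : 23
ACL name                                   : --
ACL number                                 : --
ACL6 name                                  : --
ACL6 number                                : --
"""


def parse_fields(text):
    """Turn 'Name : value' lines into a dict; the value may be empty."""
    fields = {}
    for line in text.splitlines():
        # First colon only: values such as "0::0" contain colons themselves.
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields


def enabled(fields, name):
    return fields.get(name, "").lower() == "enable"


def acl_bound(fields, prefix):
    """True if an ACL name or number is bound; prefix is 'ACL' or 'ACL6'."""
    return any(fields.get(f"{prefix} {kind}", "--") not in ("", "--")
               for kind in ("name", "number"))


def audit_ssh(fields):
    findings = []
    if enabled(fields, "SSH version 1.x compatibility"):
        findings.append("ssh1x-compat")
    if enabled(fields, "SSH server DES"):
        findings.append("des-enabled")
    if fields.get("SSH server ip-block", "").lower() == "disable":
        findings.append("ip-block-off")
    for family, acl in (("IPv4", "ACL"), ("IPv6", "ACL6")):
        services = [s for s in ("SFTP", "STELNET", "SNETCONF", "SCP")
                    if enabled(fields, f"{s} {family} server")]
        if services and not acl_bound(fields, acl):
            findings.append(f"no-{acl.lower()}:{'+'.join(services)}")
    return findings


def audit_telnet(fields):
    findings = []
    for name, acl in (("Telnet server", "ACL"), ("Telnet IPv6 server", "ACL6")):
        if enabled(fields, name):
            findings.append(f"cleartext:{name}")  # Telnet is not encrypted
            if not acl_bound(fields, acl):
                findings.append(f"no-{acl.lower()}:{name}")
    return findings


if __name__ == "__main__":
    print("ssh:", audit_ssh(parse_fields(SSH_STATUS)))
    print("telnet:", audit_telnet(parse_fields(TELNET_SERVER)))
```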

3.6.22 display telnet server status

Function
The display telnet server status command displays the connection of the Telnet server.

Format
display telnet server status

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run this command to check the source IP address of the Telnet server and the source
address carried in a connection request.
If the Telnet connection does not exist, no information is displayed after you run this
command.

Example
# Display the status of the Telnet server.
<HUAWEI> display telnet server status
Session 1:
Source ip address : 192.168.1.3
VTY Index : 0
Session 2:
Source ip address : 192.168.1.4
VTY Index : 1
Session 3:
Source ip address : 192.168.1.5
VTY Index : 2
Session 4:
Source ip address : 192.168.1.6
VTY Index : 3
Current number of sessions : 4

Table 3-34 Description of the display telnet server status command output
Item | Description
Session | Index of current connections.
Source ip address | Source IP address in the Telnet connection.
VTY Index | Relative number of the user interface.
Current number of sessions | Number of current connections.

3.6.23 display telnet client

Function
The display telnet client command displays the number of current telnet connections.

Format
display telnet client

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
An administrator can use the display telnet client command to check how many users have
logged in to a server through Telnet.

Example
# Display the number of current connections.
<HUAWEI> display telnet client
---------------------------------------
Current user count : 2
Source IPv4 address : 10.1.1.2
---------------------------------------

Table 3-35 Description of the display telnet client command output


Item | Description
Current user count | Number of currently connected users.
Source IPv4 address | IPv4 address of the source.

3.6.24 dsa key-pair label


Function
The dsa key-pair label command generates a DSA key pair with a label.
The undo dsa key-pair label command deletes a DSA key pair with a label.
By default, no DSA key pair with a label is generated.

Format
dsa key-pair label label-name [ modulus modulus-bits ]
dsa key-pair label load private private-key public public-key
undo dsa key-pair label label-name

Parameters
Parameter | Description | Value
label-name | Specifies the label name of a DSA key pair. | The value is a string of 1 to 35 case-insensitive characters. The string can contain only letters, digits, and underscores (_).
modulus modulus-bits | Specifies the modulus of the DSA key pair. | The value is 2048, in bits. The default value is 2048. A larger modulus indicates higher security. However, it takes a long time to generate and use such a key pair.
load private private-key | Specifies the private key in the key pair. | The private-key must already exist.
public public-key | Specifies the public key in the key pair. | The public-key must already exist.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run this command to generate a DSA key pair for user authentication. The DSA key
pair improves authentication security. You can run the dsa key-pair label command to
generate multiple DSA key pairs, and the key pairs are identified by different labels.
Precautions
You can run the dsa key-pair label command to generate multiple DSA key pairs with labels.
The maximum number of DSA key pairs is specified by the dsa key-pair maximum
command. By default, the device can generate a maximum of 20 DSA key pairs with labels.

Example
# Generate the DSA key pair with the label name ssh_host.
<HUAWEI> system-view
[~HUAWEI] dsa key-pair label ssh_host

3.6.25 dsa key-pair maximum

Function
The dsa key-pair maximum command configures the maximum number of DSA key pairs
with labels that can be generated.
The undo dsa key-pair maximum command restores the maximum number of DSA key
pairs with labels to the default value.

By default, the device can generate a maximum of 20 DSA key pairs with labels.

Format
dsa key-pair maximum max-keys
undo dsa key-pair maximum

Parameters
Parameter | Description | Value
max-keys | Specifies the maximum number of DSA key pairs with labels. | The value is an integer that ranges from 1 to 20.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Saving DSA key pairs consumes system memory and file resources. Therefore, you can adjust
the maximum number of DSA key pairs as required to ensure that they do not occupy too
many system resources.
Configuration Impact
The device fails to generate DSA key pairs with labels when the number of DSA key pairs
reaches the upper limit specified by this command.

Example
# Set the maximum number of DSA key pairs with labels to 15.
<HUAWEI> system-view
[~HUAWEI] dsa key-pair maximum 15

3.6.26 dsa local-key-pair create

Function
The dsa local-key-pair create command generates a local DSA key pair.
By default, a local DSA key pair is not configured.

Format
dsa local-key-pair create

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Compared with RSA, Digital Signature Algorithm (DSA) has a wider application range in the
SSH protocol. According to the encryption principle of the asymmetric encryption system, the
public and private keys are generated to implement secure key exchange. This ensures the
secure session process.
The prerequisite for a user to successfully log in to the SSH server using DSA authentication
is to generate a local DSA key pair. A local DSA key pair can be generated in the following
two methods:
- Configuration: You can run the dsa local-key-pair create command to generate a local
  DSA key pair.
- Automatic generation: If an SSH client logs in to a device and the SSH server has no
  DSA key pair, the system automatically generates a DSA key pair.
Key pairs generated in the two methods are the same in terms of function, security, query, and
deletion. It is recommended that you run the dsa local-key-pair create command to generate
a local DSA key pair.
When you run this command, the system prompts you to confirm whether to change the
original key if the DSA key exists. The key in the new key pair is named device
name_Host_DSA, for example, HUAWEI_Host_DSA.
After you enter the command, the device prompts you to enter the number of bits in the host
key. The length of a host key pair is 2048.
After a successful login, run the save command to save configurations. The generated key
pair then is saved on the device and is not lost after the device restarts.
Precautions
This command is not saved in a configuration file and can take effect immediately after being
executed. After the device restarts, you do not need to run the command again.

Example
# Generate a local DSA key pair on the device.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

3.6.27 dsa local-key-pair destroy

Function
The dsa local-key-pair destroy command deletes local DSA host key pairs.

Format
dsa local-key-pair destroy

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

DSA applies to SSH verification. According to the encryption principle of the asymmetric
encryption system, the public and private keys are generated to implement secure key
exchange. This ensures the secure session process. You can run the dsa local-key-pair create
command to generate local DSA keys. When local DSA keys are unnecessary, you can run the
dsa local-key-pair destroy command to delete these keys.

Prerequisite

The local DSA keys that can be deleted exist.

Precautions

After you run this command, it takes effect and is not saved in a configuration file.

Example
# Delete local DSA keys.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_DSA.
Warning: These keys will be destroyed. Continue? Please select [Y/N]:y
Info: Succeeded in destroying the DSA host keys.

3.6.28 dsa local-key-pair load


Function
The dsa local-key-pair load command loads the local DSA and server key pairs from a
specified file.
By default, the local DSA and server key pairs are not configured.

Format
dsa local-key-pair load hostkey file-name

Parameters
Parameter | Description | Value
hostkey | Loads the local DSA key pair. | -
file-name | Specifies the name of the file from which key pairs are loaded. | The name of the file must already exist.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When a user is upgraded from a low level to a high level and wants to use DSA key
configuration of the low level, run the dsa local-key-pair load command to load the local
DSA and server key pairs from a specified file.
Prerequisites
The file that contains the DSA key pair already exists.

Example
# Load the local DSA key pair.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair load hostkey flash:/hostkey_dsa

3.6.29 dsa peer-public-key


Function
The dsa peer-public-key command configures an encoding format for a DSA public key and
displays the DSA public key view.

The undo dsa peer-public-key command deletes a DSA public key.


By default, no encoding format is configured for a DSA public key.

Format
dsa peer-public-key key-name encoding-type { der | openssh | pem }
undo dsa peer-public-key key-name

Parameters
Parameter | Description | Value
key-name | Specifies the public key name. | The value is a string of 1 to 40 case-sensitive characters without space. NOTE: When double quotation marks are used around the string, spaces are allowed in the string.
encoding-type | Specifies an encoding format for a DSA public key. | -
der | Specifies the Distinguished Encoding Rules (DER) format for a DSA public key. DER encodes data in hexadecimal format. | -
openssh | Specifies the OpenSSH format for a DSA public key. OpenSSH encodes data in base-64 format. OpenSSH is an encoding format based on PEM. | -
pem | Specifies the Privacy Enhanced Mail (PEM) format for a DSA public key. PEM encodes data in base-64 format. | -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

When you use a DSA public key for authentication, you must specify the public key of the
corresponding client for an SSH user on the server. When the client logs in to the server, the
server uses the specified public key to authenticate the client. You can also save the public
key generated on the server to the client. Then the client can be successfully authenticated by
the server when it logs in to the server for the first time.

Huawei data communications devices support the DER, OpenSSH and PEM formats for DSA
keys. If you use a DSA key in non-DER/OpenSSH/PEM format, use a third-party tool to
convert the key into a key in DER, OpenSSH or PEM format.

Because a third-party tool is not released with Huawei system software, DSA usability is
unsatisfactory. In addition to DER and PEM, DSA keys need to support the OpenSSH format
to improve DSA usability.

Third-party software, such as SecureCRT, PuTTY, OpenSSH, and OpenSSL, can be used to
generate DSA keys in different formats. The details are as follows:
- SecureCRT and PuTTY generate DSA keys in PEM format.
- OpenSSH generates DSA keys in OpenSSH format.
- OpenSSL generates DSA keys in DER format.

OpenSSL is open source software. You can download related documents at
http://www.openssl.org/.

After you configure an encoding format for a DSA public key, Huawei data communications
device automatically generates a DSA public key in the configured encoding format and
enters the DSA public key view. Then you can run the public-key-code begin command and
manually copy the DSA public key generated on the peer device to the local device.

Follow-up Procedure

After you copy the DSA public key generated on the peer device to the local device, perform
the following operations to exit the DSA public key view:
1. Run the public-key-code end command to return to the DSA public key view.
2. Run the peer-public-key end command to exit the DSA public key view and return to
the system view.

Precautions

If a DSA public key has been assigned to an SSH client, release the binding relationship
between the public key and the SSH client. If you do not release the binding relationship
between them, the undo dsa peer-public-key command will fail to delete the DSA public key.

If a DSA public key has been assigned to an SSH user, run the undo ssh user user-name
assign dsa-key command to delete the mapping between the DSA public key and the SSH
user. If you do not delete the mapping, the undo dsa peer-public-key command cannot delete
the DSA public key.

Example
# Configure an encoding format for a DSA public key and enter the DSA public key view.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key 23 encoding-type der
[*HUAWEI-dsa-public-key]

3.6.30 ecc key-pair label

Function
The ecc key-pair label command generates an ECC key pair with a label.

The undo ecc key-pair label command deletes an ECC key pair with a label.

By default, no ECC key pair with a label is generated.

Format
ecc key-pair label label-name [ modulus modulus-bits ]

undo ecc key-pair label label-name

Parameters
Parameter | Description | Value
label-name | Specifies the label name of an ECC key pair. | The value is a string of 1 to 35 case-insensitive characters. It can contain digits, letters, and underscores (_) only.
modulus modulus-bits | Specifies the modulus of the ECC key pair. | The value can be 256, 384, or 521, in bits. The default value is 521. A larger modulus indicates higher security. However, it takes a long time to generate and use such a key pair.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run this command to generate an ECC key pair for user authentication. The ECC key
pair improves authentication security. You can run the ecc key-pair label command to
generate multiple ECC key pairs, and the key pairs are identified by different labels.

Precautions

You can run the ecc key-pair label command to generate multiple ECC key pairs with labels.
The maximum number of ECC key pairs is specified by the ecc key-pair maximum
command. By default, the device can generate a maximum of 20 ECC key pairs with labels.

Example
# Generate an ECC key pair with a label named ecc_key_pair.
<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecc_key_pair

3.6.31 ecc key-pair maximum


Function
The ecc key-pair maximum command configures the maximum number of ECC key pairs
with labels that can be generated.
The undo ecc key-pair maximum command restores the maximum number of ECC key
pairs with labels to the default value.
By default, the device can generate a maximum of 20 ECC key pairs with labels.

Format
ecc key-pair maximum max-keys
undo ecc key-pair maximum

Parameters
Parameter | Description | Value
max-keys | Specifies the maximum number of ECC key pairs with labels. | The value is an integer that ranges from 1 to 20.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Saving ECC key pairs consumes system memory and file resources. Therefore, you can adjust
the maximum number of ECC key pairs as required to ensure that they do not occupy too
many system resources.
Configuration Impact
The device fails to generate ECC key pairs with labels when the number of ECC key pairs
reaches the upper limit specified by this command.

Example
# Set the maximum number of ECC key pairs with labels to 15.

<HUAWEI> system-view
[~HUAWEI] ecc key-pair maximum 15

3.6.32 ecc local-key-pair

Function
The ecc local-key-pair create command generates a local ECC key pair.

The ecc local-key-pair destroy command deletes the local ECC key.

By default, no local ECC key pair exists in the system.

Format
ecc local-key-pair create

ecc local-key-pair destroy

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

A local key pair is a prerequisite to a successful SSH login. Compared with the RSA
algorithm used by the rsa local-key-pair create command, the ECC algorithm shortens the
key length, accelerates the encryption, and improves the security. The length of the server key
pair can be 256 bits, 384 bits, and 521 bits. By default, the length of the key pair is 521 bits.

If you no longer need the local ECC key pairs, run the ecc local-key-pair destroy command
to delete them.

The prerequisite for a user to successfully log in to the SSH server using ECC authentication
is to generate a local ECC key pair. A local ECC key pair can be generated in the following
two methods:
- Configuration: You can run the ecc local-key-pair create command to generate a local
  ECC key pair.
- Automatic generation: If an SSH client logs in to a device and the SSH server has no
  ECC key pair, the system automatically generates an ECC key pair.
Key pairs generated in the two methods are the same in terms of function, security, query, and
deletion. It is recommended that you run the ecc local-key-pair create command to generate
a local ECC key pair.

Issue 03 (2019-01-25) Copyright © Huawei Technologies Co., Ltd. 176


CloudEngine 8800, 7800, 6800, and 5800
Command Reference 3 Basic Configurations Commands

After a successful login, run the save command to save configurations. The generated key
pair then is saved on the device and is not lost after the device restarts.
Precautions
- The generated ECC host key pair is named in the format of switch name_Host_ECC,
  such as HUAWEI_Host_ECC.
- The ecc local-key-pair create and ecc local-key-pair destroy commands are not saved
  in the configuration file. They only need to be run once and take effect even after the
  switch restarts.
- Do not delete the ECC key file from the switch.

Example
# Generate a local ECC key pair.
<HUAWEI> system-view
[~HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:

# Delete the local ECC key pair.


<HUAWEI> system-view
[~HUAWEI] ecc local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_ECC.
Warning: These keys will be destroyed. Continue? Please select [Y/N]: Y
Info: Succeeded in destroying the ECC host keys.

3.6.33 ecc peer-public-key


Function
The ecc peer-public-key command generates an ECC public key and enters the ECC public
key view.
The undo ecc peer-public-key command deletes the ECC public key.
By default, no ECC public key is generated.

Format
ecc peer-public-key key-name [ encoding-type der ]
undo ecc peer-public-key key-name


Parameters
Parameter | Description | Value
key-name | Specifies the ECC public key name. | The value is a string of 1 to 40 case-sensitive characters without spaces. NOTE: When quotation marks are used around the string, spaces are allowed in the string.
encoding-type der | Sets the encoding format of the ECC public key to Distinguished Encoding Rules (DER). In the DER format, data is encoded in hexadecimal format. | -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When you use an ECC public key for authentication, specify the public key on the server for
the client of SSH users. When the client logs in to the server, the server uses the specified
public key to authenticate the client.
After you enter the ECC public key view, run the public-key-code begin command, and copy
the ECC public key to the server.

NOTE
A maximum of 20 ECC public keys can be configured.

Follow-up Procedure
After you copy the ECC public key generated on the client to the server, perform the
following operations to exit the ECC public key view:
1. Run the public-key-code end command to return to the ECC public key view.
2. Run the peer-public-key end command to exit the ECC public key view and return to
the system view.
Precautions
The public key on the client is randomly generated by the client software.
If an ECC public key has been assigned to an SSH user, run the undo ssh user user-name
assign ecc-key command to delete the mapping between the ECC public key and the SSH
user. If you do not delete the mapping, the undo ecc peer-public-key command cannot delete
the ECC public key.

Example
# Create an ECC public key and enter the ECC public key view.
<HUAWEI> system-view
[~HUAWEI] ecc peer-public-key ecckey001
[*HUAWEI-ecc-public-key]

3.6.34 ftp server login-failed threshold-alarm


Function
The ftp server login-failed threshold-alarm command configures alarm generation and
clearance thresholds for FTP server login failures within a specified period.
The undo ftp server login-failed threshold-alarm command restores the default alarm
generation and clearance thresholds.
By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes
and is cleared if the number of login failures falls below 20 within the same period.

Format
ftp server login-failed threshold-alarm upper-limit report-times lower-limit resume-times
period period-time
undo ftp server login-failed threshold-alarm [ upper-limit report-times lower-limit
resume-times period period-time ]

Parameters
Parameter | Description | Value
upper-limit report-times | Specifies the number of times authentication failure alarms are reported. If the value is 0, no authentication failure alarm is reported. The default value is 30. | The value is an integer ranging from 0 to 100.
lower-limit resume-times | Specifies the number of times authentication failure clear alarms are reported. The default value is 20. | The value is an integer ranging from 0 to 45.
period period-time | Specifies the period in which failure alarms are counted. The default value is 5, in minutes. | The value is an integer ranging from 1 to 120.

Views
System view

Default Level
3: Management level


Task Name and Operations

Task Name | Operations
ftp-server | write

Usage Guidelines
Usage Scenario

If an FTP management user frequently fails to log in within a short period, the device
generates a management security alarm and reports it to administrators for their intervention.
To configure alarm reporting and clearance thresholds within a specified period, run the ftp
server login-failed threshold-alarm command.

The command takes effect for both IPv4 and IPv6 FTP servers.

Example
# Configure 40 as the alarm reporting threshold and 25 as the alarm clearance threshold
within 10 minutes.
<HUAWEI> system-view
[*HUAWEI] ftp server login-failed threshold-alarm upper-limit 40 lower-limit 25
period 10
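
The separate generation and clearance thresholds described above form a hysteresis band, so the alarm does not flap while the failure count hovers near a single limit. The following Python model is an added example, not Huawei code: it assumes a sliding counting window (this reference does not say how the device windows its count), and the class and function names are hypothetical.

```python
from collections import deque

# Value ranges as listed in the parameter table of this command.
RANGES = {"upper": (0, 100), "lower": (0, 45), "period": (1, 120)}


class LoginFailureAlarm:
    """Threshold alarm with separate raise (upper) and clear (lower) limits.

    Assumption: failures are counted over a sliding window of `period`
    minutes. Defaults are the documented 30 / 20 / 5.
    """

    def __init__(self, upper=30, lower=20, period=5):
        for name, value in (("upper", upper), ("lower", lower), ("period", period)):
            lo, hi = RANGES[name]
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} outside {lo}..{hi}")
        self.upper, self.lower = upper, lower
        self.window = period * 60      # counting period in seconds
        self.failures = deque()        # timestamps of recent login failures
        self.active = False            # True while the alarm is raised

    def _evaluate(self, now):
        # Drop failures that have aged out of the counting period.
        while self.failures and self.failures[0] <= now - self.window:
            self.failures.popleft()
        count = len(self.failures)
        # An upper limit of 0 means no failure alarm is ever reported.
        if not self.active and self.upper and count >= self.upper:
            self.active = True
            return "raise"
        # Clearing needs the count to fall below the lower limit,
        # not merely back under the upper one.
        if self.active and count < self.lower:
            self.active = False
            return "clear"
        return None

    def failure(self, ts):
        """Record one failed login at time ts (seconds)."""
        self.failures.append(ts)
        return self._evaluate(ts)

    def tick(self, now):
        """Periodic re-evaluation when no new failure arrives."""
        return self._evaluate(now)


def replay(events, **thresholds):
    """Feed (timestamp, kind) events through the model; return state changes."""
    alarm = LoginFailureAlarm(**thresholds)
    changes = []
    for ts, kind in events:
        change = alarm.failure(ts) if kind == "fail" else alarm.tick(ts)
        if change:
            changes.append((ts, change))
    return changes


# Constructed input: 40 failed logins two seconds apart, then one tick per minute.
SAMPLE = [(t, "fail") for t in range(0, 80, 2)] + \
         [(t, "tick") for t in range(120, 721, 60)]

if __name__ == "__main__":
    print(replay(SAMPLE))                                  # defaults 30 / 20 / 5
    print(replay(SAMPLE, upper=40, lower=25, period=10))   # values from the example
```

With the constructed burst, raising the thresholds to 40/25 over 10 minutes delays the alarm until the fortieth failure and keeps it active for several minutes longer than the defaults do.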

3.6.35 http

Function
The http command displays the HTTP view.

The undo http command deletes the HTTP view and all configurations in this view.

By default, the HTTP view is not displayed.

Format
http

undo http

Parameters
None

Views
System view

Default Level
3: Management level


Task Name and Operations


Task Name | Operations
https | write

Usage Guidelines
HTTP is an application-layer protocol that transports hypertext from WWW servers to local
browsers. HTTP uses the client/server model in which requests and replies are exchanged.
Before configuring HTTP, run the http command to enter the HTTP view.

Example
# Display the HTTP view.
<HUAWEI> system-view
[~HUAWEI] http

3.6.36 lock

Function
The lock command locks the current user interface to prevent unauthorized users from
operating the interface.
By default, the system does not automatically lock the current user interface.

Format
lock

Parameters
None

Views
User view

Default Level
0: Visit level

Usage Guidelines
Usage Scenario
Lock the current user interface using this command to prevent other users from operating the
interface. The user interfaces consist of console ports and Virtual Type Terminals (VTYs).
After using the lock command, you are prompted to input the password twice. If you input the
correct password twice, the user interface is locked.


Precautions
- The passwords must meet the specified requirements.
  - When password complexity check is supported, the requirements are as follows:
    - The password is a string of 8 to 128 case-sensitive characters.
    - The password must contain at least two of the following characters: upper-case
      character, lower-case character, digit, and special character.
      Special characters exclude the question mark (?) and space.
  - If you run the undo local-user policy security-enhance command in the AAA
    view to disable the local account security policy and then run the lock command,
    the password does not need to meet the complexity requirement. In this case, the
    requirements are as follows:
    - The password is a string of 1 to 128 case-sensitive characters.
      The character string does not include the special character question mark (?)
      and space.
- A password entered in interactive mode is not displayed on the screen.
- When you run the lock command to lock the user interface and set a locking password,
  you can press CTRL_C to cancel the operation.
- To unlock the user interface, press Enter, and then input the correct password as
  prompted by the system.

Example
# Lock the current user interface after logging in through the console port.
<HUAWEI> lock
Enter Password:
Confirm Password:
Info: The terminal is locked.

# To log in to the system after the system is locked, you must press Enter. The following
information is displayed:
Enter Password:

# Enter the correct password and return to the user view.


<HUAWEI>

3.6.37 peer-public-key end


Function
The peer-public-key end command returns to the system view from the public key view and
saves the configured public keys.

Format
peer-public-key end

Parameters
None


Views
Public key view

Default Level
3: Management level

Usage Guidelines
You must save the public key generated on the remote host to the local host, which ensures
that the validity check on the remote end is successful. After editing a public key in the public
key view, you can run this command to return to the system view.

Example
# Return to the system view from the public key view.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]

3.6.38 public-key-code begin


Function
The public-key-code begin command displays the public key editing view.

Format
public-key-code begin

Parameters
None

Views
Public key view

Default Level
3: Management level


Usage Guidelines
Usage Scenario
You must save the public key generated on the remote host to the local host, which ensures
that the validity check on the remote end is successful. Run the public-key-code begin
command to display the public key editing view, and enter the key data. The key characters
can contain spaces. You can press Enter to enter data in another line.
Prerequisite
A key name has been specified by running the rsa peer-public-key, dsa peer-public-key, or
ecc peer-public-key command.

For security purposes, it is not recommended that you use RSA as the public key.

Precautions
- The content of a key does not support Chinese characters.
- The public key must be a hexadecimal character string in the public key encoding
  format, and generated by the client or server that supports SSH.
- The public keys displayed by running the display rsa local-key-pair public, display
  dsa local-key-pair public, or display ecc local-key-pair public command can be used
  as the key data to enter.
- You can successfully edit the public key in a public key pair by entering the public key in
  the server key pair or client key pair. In SSH application, only the public key in the client
  key pair can be entered as key data. If you enter the public key in the server key pair,
  authentication fails during SSH login.

Example
# Display the public key editing view and enter the key data.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]


3.6.39 public-key-code end


Function
The public-key-code end command returns to the public key view from the public key
editing view and saves the configured public keys.

Format
public-key-code end

Parameters
None

Views
Public key editing view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
After this command is run, the process of editing the public key ends. Before saving the
public key, the system will check the validity of the key.
- If there are illegal characters in the public key character string configured by the user, the
  system will display a relevant error prompt. The public key previously configured by the
  user is discarded. As a result, the configuration fails.
- If the public key configured is valid, it is saved in the public key chain table of the client.
Precautions
- Generally, in the public key view, only the public-key-code end command can be used
  to exit. Thus, in this instance the quit command cannot be used.
- If valid key data is not entered, the key cannot be generated after the public-key-code
  end command is run. The system displays a message indicating that key generation failed.
- If the key is deleted in another window, the system prompts that the key does not exist
  and returns to the system view directly after you run the public-key-code end command.

Example
# Exit from the RSA public key editing view and save the RSA key configuration.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]
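
Because invalid key data is discarded at public-key-code end, and this reference advises against RSA keys shorter than 2048, it helps to check the hexadecimal data offline before pasting it into the public key editing view. The following Python pre-check is an added example, not Huawei code: it assumes the layout that the key data in the example above decodes to (a DER SEQUENCE of two INTEGERs, read as unsigned), and all function names are hypothetical.

```python
import re

MIN_RSA_BITS = 2048  # floor taken from the RSA notes in this reference

# Key data from the example on this page, device prompts removed.
PAGE_SAMPLE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
"""


class KeyDataError(ValueError):
    """Pasted key data is malformed."""


def hex_to_bytes(text):
    """Join pasted lines. Spaces and line breaks are allowed, nothing else."""
    compact = re.sub(r"\s+", "", text)
    bad = re.search(r"[^0-9A-Fa-f]", compact)
    if bad:
        raise KeyDataError(f"illegal character {bad.group()!r} in key data")
    if not compact or len(compact) % 2:
        raise KeyDataError("key data must be a non-empty, even number of hex digits")
    return bytes.fromhex(compact)


def read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value element; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise KeyDataError("truncated element header")
    if buf[pos] != expected_tag:
        raise KeyDataError(f"expected tag 0x{expected_tag:02X}, got 0x{buf[pos]:02X}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise KeyDataError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise KeyDataError("element runs past the end of the key data")
    return buf[pos:pos + length], pos + length


def parse_public_key(text):
    """Decode SEQUENCE { INTEGER modulus, INTEGER exponent } from pasted hex."""
    raw = hex_to_bytes(text)
    seq, end = read_tlv(raw, 0, 0x30)
    if end != len(raw):
        raise KeyDataError("trailing bytes after the key structure")
    modulus, pos = read_tlv(seq, 0, 0x02)
    exponent, pos = read_tlv(seq, pos, 0x02)
    if pos != len(seq) or not modulus or not exponent:
        raise KeyDataError("expected exactly two non-empty INTEGER fields")
    # Read as unsigned: the sample's modulus has no leading 00 byte.
    return {
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
        "exponent": int.from_bytes(exponent, "big"),
    }


def would_pass_precheck(text):
    """True only if the data is well formed and meets the key-length floor."""
    try:
        return parse_public_key(text)["modulus_bits"] >= MIN_RSA_BITS
    except KeyDataError:
        return False


if __name__ == "__main__":
    print(parse_public_key(PAGE_SAMPLE), would_pass_precheck(PAGE_SAMPLE))
```

Run against the key data shown in the example above, the parser reports a 1024-bit modulus with exponent 65537, so that key is well formed but falls below the 2048 floor this reference recommends.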

3.6.40 rsa key-pair label


Function
The rsa key-pair label command generates an RSA key pair with a label.
The undo rsa key-pair label command deletes an RSA key pair with a label.
By default, no RSA key pair with a label is generated.

Format
rsa key-pair label label-name [ modulus modulus-bits ]
rsa key-pair label load private private-key public public-key
undo rsa key-pair label label-name

Parameters
Parameter | Description | Value
label-name | Specifies the label name of an RSA key pair. | The value is a string of 1 to 35 case-insensitive characters. It can contain letters, digits, or underscores (_) only.
modulus modulus-bits | Specifies the modulus of the RSA key pair. | The value is 2048, in bits. The default value is 2048.
load private private-key | Specifies the private key in the key pair. | The private-key must already exist.
public public-key | Specifies the public key in the key pair. | The public-key must already exist.

Views
System view

Default Level
3: Management level


Usage Guidelines
Usage Scenario
RSA key pairs are used to authenticate users in SSH and ensure the security of user
authentication. You can run the rsa key-pair label command to generate multiple RSA
key pairs, and the key pairs are identified by different labels.
Precautions
You can run the rsa key-pair label command to generate multiple RSA key pairs with labels.
The maximum number of RSA key pairs is specified by the rsa key-pair maximum
command. By default, the device can generate a maximum of 20 RSA key pairs with labels.
NOTE

To ensure high security, do not use the RSA key pair whose length is less than 2048 digits.

Example
# Generate an RSA key pair with a label named ssh_host.
<HUAWEI> system-view
[~HUAWEI] rsa key-pair label ssh_host

3.6.41 rsa key-pair maximum


Function
The rsa key-pair maximum command configures the maximum number of RSA key pairs
with labels that can be generated.
The undo rsa key-pair maximum command restores the maximum number of RSA key
pairs with labels to the default value.
By default, the device can generate a maximum of 20 RSA key pairs with labels.

Format
rsa key-pair maximum max-keys
undo rsa key-pair maximum

Parameters
Parameter | Description | Value
max-keys | Specifies the maximum number of RSA key pairs with labels. | The value is an integer that ranges from 1 to 20.

Views
System view

Default Level
3: Management level


Usage Guidelines
Usage Scenario
Saving RSA key pairs consumes system memory and file resources. Therefore, you can adjust
the maximum number of RSA key pairs as required to ensure that they do not occupy too
many system resources.
Configuration Impact
The device fails to generate RSA key pairs with labels when the number of RSA key pairs
reaches the upper limit specified by this command.

Example
# Set the maximum number of RSA key pairs with labels to 15.
<HUAWEI> system-view
[~HUAWEI] rsa key-pair maximum 15

3.6.42 rsa local-key-pair create


Function
The rsa local-key-pair create command generates a local RSA key pair.
By default, a local RSA key pair is not configured.

Format
rsa local-key-pair create

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To implement secure data exchange between the server and client, run this command to
generate a local key pair.
The prerequisite for a user to successfully log in to the SSH server using RSA authentication
is to generate a local RSA key pair. A local RSA key pair can be generated in the following
two methods:
- Configuration: You can run the rsa local-key-pair create command to generate a local
  RSA key pair.
- Automatic generation: If an SSH client logs in to a device and the SSH server has no
  RSA key pair, the system automatically generates an RSA key pair.
Key pairs generated in the two methods are the same in terms of function, security, query, and
deletion. It is recommended that you run the rsa local-key-pair create command to generate
a local RSA key pair.
After a successful login, run the save command to save configurations. The generated key
pair then is saved on the device and is not lost after the device restarts.
Precautions
If the RSA key pair exists, the system prompts you to confirm whether to replace the original
key pair. The keys in the new key pair are named device name_server and device
name_host, for example, HUAWEI_host and HUAWEI_server.
After inputting this command, you are prompted to enter the digit of the host key. The length
of the server key pair and the host key pair is 2048 digits. If there has been a key pair, you
should confirm whether to change it.

NOTE

An RSA key pair whose length is less than 2048 digits is insecure and therefore not
recommended.

This command is not saved in a configuration file.

Example
# Generate a local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.

3.6.43 rsa local-key-pair destroy


Function
The rsa local-key-pair destroy command deletes all local RSA host and server key pairs.

Format
rsa local-key-pair destroy

Parameters
None

Views
System view

Default Level
3: Management level


Usage Guidelines
Usage Scenario

To delete the local key pair, run the rsa local-key-pair destroy command. If the host key pair
and the service key pair of an SSH server are deleted, run the rsa local-key-pair create
command to create the host key pair and service key pair for the SSH server.

After you run this command, verify that all local RSA keys are deleted. This command is not
saved in a configuration file.

Prerequisite

The local RSA keys that can be deleted exist.

Example
# Delete all RSA server keys.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair destroy
% The name for the keys which will be destroyed is HUAWEI_Host.
% Confirm to destroy these keys? Please select [Y/N]: y

3.6.44 rsa local-key-pair load

Function
The rsa local-key-pair load command loads the local RSA and server key pairs from a
specified file.

By default, the local RSA and server key pairs are not configured.

Format
rsa local-key-pair load { hostkey | serverkey } file-name

Parameters
Parameter | Description | Value
hostkey | Loads the local RSA key pair. | -
serverkey | Loads the server key pair. | -
file-name | Specifies the name of the file from which key pairs are loaded. | The name of the file must already exist.

Views
System view

Default Level
3: Management level


Usage Guidelines
Usage Scenario

When a user is upgraded from a low level to a high level and wants to use RSA key
configuration of the low level, run the rsa local-key-pair load command to load the local
RSA and server key pairs from a specified file.

Prerequisites

The file that contains the RSA key pair already exists.

Example
# Load the local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair load hostkey flash:/rsahostkey.dat

3.6.45 rsa peer-public-key

Function
The rsa peer-public-key command configures an encoding format for RSA public key and
enters the RSA public key view.

The undo rsa peer-public-key command deletes a public key.

By default, no public key is configured.

Format
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

undo rsa peer-public-key key-name

Parameters
Parameter | Description | Value
key-name | Specifies the public key name. | The value is a string of 1 to 40 case-insensitive characters without spaces. NOTE: When double quotation marks are used around the string, spaces are allowed in the string.
encoding-type | Specifies an encoding format for the RSA public key. The default is DER. | -
der | Specifies the DER format for an RSA public key. DER encodes data in hexadecimal format. | -
openssh | Specifies the OpenSSH format for an RSA public key. OpenSSH encodes data in base-64 format. OpenSSH is an encoding format based on PEM. | -
pem | Specifies the PEM format for an RSA public key. PEM encodes data in base-64 format. | -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Run this command to display the public key view, and save the public key on the remote host
to the local host. This ensures that the validity of the remote device is checked during connection.
After you configure an encoding format for an RSA public key, the Huawei data communications
device automatically generates an RSA public key in the configured encoding format and
enters the RSA public key view. Then you can run the public-key-code begin command and
manually copy the RSA public key generated on the peer device to the local device.

NOTE

A maximum of 20 RSA public keys can be configured. To ensure high security, do not use the RSA key
pair whose length is less than 2048 digits.

Prerequisite
The public key in hexadecimal notation on the remote host has been obtained and recorded.
Follow-up Procedure
After you copy the RSA public key generated on the peer device to the local device, perform
the following operations to exit the RSA public key view:
1. Run the public-key-code end command to return to the RSA public key view.
2. Run the peer-public-key end command to exit the RSA public key view and return to
the system view.
Precautions
If an RSA public key has been assigned to an SSH user, run the undo ssh user user-name
assign rsa-key command to delete the mapping between the RSA public key and the SSH
user. If you do not delete the mapping, the undo rsa peer-public-key command cannot delete
the RSA public key.

Example
# Display the public key view.
<HUAWEI> system-view
[~HUAWEI] rsa peer-public-key rsakey001
[*HUAWEI-rsa-public-key]

3.6.46 run

Function
The run command executes a user view command in the system view.

By default, a user view command cannot be executed in the system view.

Format
run command-line

Parameters
Parameter | Description | Value
command-line | Specifies a command to be executed. | -

Views
System view

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario

Commands that can be run only in the user view normally require you to return to the user
view before you run them. With the run command, you can run such commands in the system
view without returning to the user view.

Precautions

- The command specified in the run command must be able to be run in the user view.
- When you run the run command, the association help function is unavailable.
- When you check the command history on the device using the display history-command
  command, only the commands that you enter are recorded. The command
  format is run command-line.
- When you check log information using the CLI/5/CMDRECORD command, only the
  commands that are actually executed are recorded in logs. The command format is run
  command-line.
- run cannot be used to execute commands that involve configuration rollback or system
  software behavior change, such as switch virtual-system vs-name, rollback
  configuration { to { commit-id commit-id | label label | file file-name } | last number-of-commits },
  quit, and patch load.

Example
# View .cfg files in the system view.
<HUAWEI> system-view
[~HUAWEI] run dir *.cfg
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 11,970 Mar 14 2012 19:11:22 31.cfg
1 -rw- 12,033 Apr 22 2012 17:10:30 31_new.cfg
509,256 KB total (118,784 KB free)

3.6.47 ssh authentication-type default password


Function
The ssh authentication-type default password command configures password
authentication as the default authentication mode for users who request to log in to a device
using SSH.
The undo ssh authentication-type default password command cancels the configuration.
By default, password authentication is used.

Format
ssh authentication-type default password
undo ssh authentication-type default password

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When there are multiple SSH users in the system, the default password authentication mode is
used to simplify the configuration.


When users request to log in to a device using SSH, if no SSH user is created using the ssh
user, ssh user authentication-type, and ssh user service-type commands, successful user
login depends on whether the ssh authentication-type default password command is run.
- If the ssh authentication-type default password command is run, users log in through
  AAA authentication.
- If the ssh authentication-type default password command is not run, users cannot log
  in.
If an SSH user has been created using the ssh user, ssh user authentication-type, and ssh
user service-type commands, authentication of the SSH user depends on whether the ssh
user authentication-type command is run. If the ssh user authentication-type command is
run, the user is authenticated using the authentication mode specified in this command. If the
ssh user authentication-type command is not run, the user cannot log in to the device.
Precautions
You can run the ssh user user-name authentication-type password command to configure
the password authentication mode for an SSH user. If the ssh user and ssh authentication-
type default password commands are configured simultaneously, the ssh user command
takes effect.
This command takes effect for both IPv4 and IPv6 users.

Example
# Configure the password authentication mode for an SSH user.
<HUAWEI> system-view
[~HUAWEI] ssh authentication-type default password

3.6.48 ssh authorization-type default


Function
The ssh authorization-type default command sets the authorization method for an SSH
connection to AAA or Root.
The undo ssh authorization-type default command restores the authorization method.
By default, the authorization method for an SSH connection is AAA.

Format
ssh authorization-type default { aaa | root }
undo ssh authorization-type default

Parameters
Parameter | Description | Value
aaa | Sets the authorization method for an SSH session as AAA. | -
root | Sets the authorization method for an SSH session as Root. | -


Views
System view

Default Level
3: Management level

Task Name and Operations

Task Name Operations


ssh-server write

Usage Guidelines
If the authorization type for an SSH connection is AAA, the privilege level of the SSH user is
that configured in the AAA view.

If the authorization type for an SSH connection is root, the privilege level of the SSH user is
different from that configured in the AAA view. In this situation, the privilege level is the
maximum value, 15 or 3.

This command takes effect for both IPv4 and IPv6 connections.

Example
# Set the authorization method for an SSH session to AAA.
<HUAWEI> system-view
[~HUAWEI] ssh authorization-type default aaa

3.6.49 ssh client peer assign

Function
The ssh client peer assign command specifies, on the SSH client, the host public key of the
SSH server to connect to.

The undo ssh client peer assign command cancels the host public key specified on the SSH
client for the SSH server to connect to.

By default, the host public key of the server to connect is not specified on the client.

Format
ssh client peer server-ip-address assign { rsa-key | dsa-key | ecc-key } key-name

undo ssh client peer server-ip-address assign { rsa-key | dsa-key | ecc-key }


Parameters
Parameter Description Value
server-ip-address Specifies the host name or IP address of the SSH server. The SSH must already exist.
rsa-key Specifies the RSA public key. -
dsa-key Specifies the DSA public key. -
ecc-key Specifies the ECC public key. -
key-name Specifies the SSH server public key name that has been configured on the SSH client. The SSH server public key name must already exist.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If the SSH client connects to the SSH server for the first time and the first authentication is
not enabled on the SSH client using the ssh client first-time enable command, the SSH client
rejects the access from unauthorized SSH servers. You need to specify the host public key of
the SSH server and the mapping between the key and SSH server on the SSH client. After
that, the client will determine whether the server is reliable using the correct public key based
on the mapping.

For security purposes, it is not recommended that you use RSA as the public key.

Precautions
The RSA, DSA, or ECC public key to be assigned to the SSH server must have been
configured on the SSH client using the rsa peer-public-key, dsa peer-public-key, or ecc
peer-public-key command. If the key has not been configured, the verification for the RSA,
DSA, or ECC public key of the SSH server on the SSH client fails.

Example
# Assign the DSA public key to the SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh client peer 10.164.39.120 assign dsa-key sshdsakey01

# Delete the DSA public key of the SSH server.
<HUAWEI> system-view
[~HUAWEI] undo ssh client peer 10.164.39.120 assign dsa-key

3.6.50 ssh client cipher

Function
The ssh client cipher command configures an encryption algorithm list for an SSH client.

The undo ssh client cipher command restores the default encryption algorithm list of an SSH
client.

By default, an SSH client supports encryption algorithms including 3DES_CBC,
AES128_CBC, AES256_CBC, AES128_CTR, AES192_CTR, AES128_GCM,
AES256_GCM, AES256_CTR, Arcfour128, and Arcfour256.

Format
ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr |
arcfour128 | arcfour256 | aes192_cbc | aes192_ctr | aes128_gcm | aes256_gcm } *

undo ssh client cipher

Parameters

Parameter Description Value


des_cbc Specifies the CBC DES encryption algorithm. -
3des_cbc Specifies the CBC 3DES encryption algorithm. -
aes128_cbc Specifies the CBC AES128 encryption algorithm. -
aes256_cbc Specifies the CBC AES256 encryption algorithm. -
aes128_ctr Specifies the CTR AES128 encryption algorithm. -
aes256_ctr Specifies the CTR AES256 encryption algorithm. -
arcfour128 Specifies the Arcfour128 encryption algorithm. -
arcfour256 Specifies the Arcfour256 encryption algorithm. -
aes192_cbc Specifies the AES192 encryption algorithm in CBC mode. -
aes192_ctr Specifies the AES192 encryption algorithm in CTR mode. -
aes128_gcm Specifies the AES128 encryption algorithm in GCM mode. -
aes256_gcm Specifies the AES256 encryption algorithm in GCM mode. -

Views
System view

Default Level
3: Management level


Usage Guidelines
Usage Scenario

An SSH server and a client need to negotiate an encryption algorithm for the packets
exchanged between them. You can run the ssh client cipher command to configure an
encryption algorithm list for the SSH client. After the list is configured, the server matches
the encryption algorithm list of a client against the local list after receiving a packet from the
client and selects the first encryption algorithm that matches the local list. If no encryption
algorithms in the list of the client match the local list, the negotiation fails.

Precautions

des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, and arcfour256 provide
weak security. Therefore, do not add them to the encryption algorithm list. Using aes128_ctr,
aes192_ctr, aes128_gcm, aes256_gcm, or aes256_ctr is recommended, because these
algorithms provide higher security.

This command takes effect for both IPv4 and IPv6 SSH servers.

Example
# Configure CTR encryption algorithms for an SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client cipher aes128_ctr aes256_ctr

3.6.51 ssh client first-time enable

Function
The ssh client first-time enable command enables the first authentication on the SSH client.

The undo ssh client first-time enable command disables the first authentication on the SSH
client.

By default, first authentication is disabled on the SSH client.

Format
ssh client first-time enable

undo ssh client first-time enable

Parameters
None

Views
System view

Default Level
3: Management level


Usage Guidelines
Usage Scenario
When the SSH client accesses the SSH server for the first time and the public key of the SSH
server is not configured on the SSH client, you can enable the first authentication for the SSH
client to access the SSH server and save the public key on the SSH client. When the SSH
client accesses the SSH server next time, the saved public key is used to authenticate the SSH
server.
Precautions
You can run the ssh client peer assign command to pre-assign a public key to the SSH server.
In this manner, you can log in to the SSH server successfully on the first attempt.
This command takes effect for both IPv4 and IPv6 SSH clients.

Example
# Enable the first authentication on the SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client first-time enable
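
The host key decision described in 3.6.49 and 3.6.51, modelled as an added example (not Huawei code). The class, method and result names are hypothetical, the key blobs are constructed, and rejecting a key that differs from the saved one is an assumption drawn from the statement that the saved key authenticates the server on later connections.

```python
import hashlib

# Constructed stand-ins for two different host public keys.
GENUINE_KEY = b"constructed-genuine-host-key"
OTHER_KEY = b"constructed-other-host-key"


def fingerprint(public_key_blob):
    """SHA-256 fingerprint of a host public key blob."""
    return hashlib.sha256(public_key_blob).hexdigest()


class HostKeyPolicy:
    """Hypothetical model of the SSH client's server host key check."""

    def __init__(self, first_time_enabled=False):
        # Mirrors 'ssh client first-time enable' (disabled by default).
        self.first_time_enabled = first_time_enabled
        # server -> fingerprint, filled by assign() or by a first login.
        self.known = {}

    def assign(self, server, public_key_blob):
        """Mirrors 'ssh client peer <server> assign ...': pin a key in advance."""
        self.known[server] = fingerprint(public_key_blob)

    def check(self, server, presented_blob):
        """Decide what the client does with the key the server presents."""
        presented = fingerprint(presented_blob)
        pinned = self.known.get(server)
        if pinned is not None:
            # A key is already mapped to this server: it must match.
            return "accept" if pinned == presented else "reject-mismatch"
        if self.first_time_enabled:
            # First authentication: whatever key arrives first is saved.
            self.known[server] = presented
            return "accept-and-save"
        # No mapping and first authentication disabled: refuse the server.
        return "reject-unknown"


if __name__ == "__main__":
    strict = HostKeyPolicy()
    print(strict.check("10.164.39.120", GENUINE_KEY))   # no key assigned yet
    strict.assign("10.164.39.120", GENUINE_KEY)
    print(strict.check("10.164.39.120", GENUINE_KEY))
    print(strict.check("10.164.39.120", OTHER_KEY))

    first_time = HostKeyPolicy(first_time_enabled=True)
    print(first_time.check("10.164.39.120", OTHER_KEY))    # saved unverified
    print(first_time.check("10.164.39.120", GENUINE_KEY))  # now mismatches
```

With first authentication enabled, the key seen on the first connection becomes the reference without any out-of-band check, which is why pre-assigning the key with ssh client peer assign gives the stronger guarantee.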

3.6.52 ssh client hmac

Function
The ssh client hmac command configures an HMAC authentication algorithm list for an SSH
client.
The undo ssh client hmac command restores the default HMAC authentication algorithm list
of an SSH client.
By default, an SSH client supports HMAC authentication algorithms including MD5,
MD5_96, SHA1, SHA1_96, SHA2_256, SHA2_512, and SHA2_256_96.

Format
ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *
undo ssh client hmac

Parameters
Parameter Description Value
md5 Specifies the MD5 HMAC authentication algorithm. -
md5_96 Specifies the MD5_96 HMAC authentication algorithm. -
sha1 Specifies the SHA1 HMAC authentication algorithm. -
sha1_96 Specifies the SHA1_96 HMAC authentication algorithm. -
sha2_256 Specifies the SHA2_256 HMAC authentication algorithm. -
sha2_256_96 Specifies the SHA2_256_96 HMAC authentication algorithm. -

sha2_512 Specifies the SHA2_512 HMAC authentication algorithm. -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

An SSH server and a client need to negotiate an HMAC authentication algorithm for the
packets exchanged between them. You can run the ssh client hmac command to configure an
HMAC authentication algorithm list for the SSH client. After the list is configured, the server
matches the list of a client against the local list after receiving a packet from the client and
selects the first HMAC authentication algorithm that matches the local list. If no HMAC
authentication algorithms in the list of the client match the local list, the negotiation fails.

Precautions

sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are
not recommended in the HMAC authentication algorithm list.

This command takes effect for both IPv4 and IPv6 SSH clients.

Example
# Configure the SHA2_256 HMAC authentication algorithm for an SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client hmac sha2_256

3.6.53 ssh client keepalive-interval

Function
The ssh client keepalive-interval command sets the interval for sending keepalive packets on
the SSH client.

The undo ssh client keepalive-interval command restores the default interval for sending
keepalive packets on the SSH client.

The default interval for sending keepalive packets on the SSH client is 0.

Format
ssh client keepalive-interval seconds

undo ssh client keepalive-interval


Parameters
Parameter Description Value
seconds Specifies the interval for sending keepalive packets. The value is an integer ranging from 0 to 3600, in seconds. The value 0 indicates that keepalive packets are not sent.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If the SSH client does not receive any data packet from the SSH server within a period, the
client sends keepalive packets to the server. If the client does not receive any keepalive
response packet from the server, the client disconnects from the server.
Precautions
If the interval is restored to 0, the client does not send any keepalive packet to the server.
This command takes effect for both IPv4 and IPv6 SSH clients.

Example
# Set the interval for sending keepalive packets on the SSH client to 30 seconds.
<HUAWEI> system-view
[~HUAWEI] ssh client keepalive-interval 30

3.6.54 ssh client keepalive-maxcount

Function
The ssh client keepalive-maxcount command sets the maximum number of keepalive
packets sent by the SSH client.
The undo ssh client keepalive-maxcount command restores the default maximum number of
keepalive packets sent by the SSH client.
The default maximum number of keepalive packets is 3, indicating that the client sends three
keepalive packets to the server before disconnecting from the server.

Format
ssh client keepalive-maxcount count
undo ssh client keepalive-maxcount


Parameters

Parameter Description Value
count Specifies the maximum number of keepalive packets. The value is an integer that ranges from 1 to 30.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

If the SSH client does not receive any data packet from the server within a period, the client
sends the maximum number of keepalive packets to the server. If the client does not receive
any keepalive response packet from the server, the client disconnects from the server.

Precautions

The interval for sending keepalive packets on the client must be greater than the interval that
is set using the ssh client keepalive-interval command. If the client does not send any
keepalive packet (the interval is 0), the maximum number of keepalive packets does not take
effect.

This command takes effect for both IPv4 and IPv6 SSH clients.

Example
# Set the maximum number of keepalive packets on the SSH client to 5.
<HUAWEI> system-view
[~HUAWEI] ssh client keepalive-maxcount 5

3.6.55 ssh client key-exchange

Function
The ssh client key-exchange command configures a key exchange algorithm list on an SSH
client.

The undo ssh client key-exchange command restores the default configuration.

By default, an SSH client supports dh_group14_sha1, dh_group_exchange_sha1,
dh_group_exchange_sha256, ecdh_sha2_nistp256, ecdh_sha2_nistp384, sm2_kep, and
ecdh_sha2_nistp521 key exchange algorithms.


Format
ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 |
dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 |
ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *

undo ssh client key-exchange

Parameters

Parameter Description Value
dh_group14_sha1 Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client. -
dh_group1_sha1 Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client. -
dh_group_exchange_sha1 Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client. -
dh_group_exchange_sha256 Specifies that the Diffie-hellman-group-exchange-sha256 algorithm is contained in the key exchange algorithm list configured on the SSH client. -
ecdh_sha2_nistp256 Specifies that the Elliptic curve Diffie-hellman-sha2-nistp256 algorithm is contained in the key exchange algorithm list configured on the SSH client. -
ecdh_sha2_nistp384 Specifies that the Elliptic curve Diffie-hellman-sha2-nistp384 algorithm is contained in the key exchange algorithm list configured on the SSH client. -
ecdh_sha2_nistp521 Specifies that the Elliptic curve Diffie-hellman-sha2-nistp521 algorithm is contained in the key exchange algorithm list configured on the SSH client. -
sm2_kep Specifies that the SuperMemo 2 Key Exchange Protocol algorithm is contained in the key exchange algorithm list configured on the SSH server. -

Views
System view

Default Level
3: Management level


Task Name and Operations


Task Name Operations
ssh-client write

Usage Guidelines
Usage Scenario

The client and server negotiate the key exchange algorithm used for packet transmission. You
can run the ssh client key-exchange command to configure a key exchange algorithm list on
the SSH client. The SSH server compares the configured key exchange algorithm list with the
counterpart sent by the client and then selects the first matched key exchange algorithm for
packet transmission. If the key exchange algorithm list sent by the client does not match any
algorithm in the key exchange algorithm list configured on the server, the negotiation fails.

This command takes effect for both IPv4 and IPv6 SSH clients.

Precautions

For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.

Example
# Configure key exchange algorithm dh_group_exchange_sha256 on the SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client key-exchange dh_group_exchange_sha256
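
An added example (not Huawei code) that applies the Precautions of 3.6.50, 3.6.52 and 3.6.55 to a configuration and shows how the client list steers the negotiation those sections describe. The default lists and weak sets are copied from this page; the function names, sample configuration and server list are constructed, and treating list order as preference order and a later line as replacing an earlier one are assumptions.

```python
# Lists in effect when the matching 'ssh client ...' command is absent (from this page).
DEFAULTS = {
    "cipher": ["3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr", "aes192_ctr",
               "aes128_gcm", "aes256_gcm", "aes256_ctr", "arcfour128", "arcfour256"],
    "hmac": ["md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_512", "sha2_256_96"],
    "key-exchange": ["dh_group14_sha1", "dh_group_exchange_sha1",
                     "dh_group_exchange_sha256", "ecdh_sha2_nistp256",
                     "ecdh_sha2_nistp384", "sm2_kep", "ecdh_sha2_nistp521"],
}

# Algorithms the Precautions paragraphs on this page advise against.
WEAK = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
               "arcfour128", "arcfour256"},
    "hmac": {"sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"},
    "key-exchange": {"dh_group1_sha1"},
}

# Constructed sample: a saved configuration fragment and a peer's cipher list.
SAMPLE_CONFIG = """\
#
ssh client cipher aes128_ctr aes256_ctr
ssh client hmac sha2_256 sha1
ssh client key-exchange dh_group1_sha1 dh_group_exchange_sha256
ssh client keepalive-interval 30
#
"""
SERVER_CIPHERS = ["aes256_cbc", "aes256_ctr"]


def _command_words(line):
    """Split a line into words, dropping a leading prompt such as [~HUAWEI]."""
    words = line.split()
    if words and words[0][0] in "[<":
        words = words[1:]
    return words


def effective_lists(config_text):
    """Return {kind: (algorithms, source)}; source is 'configured' or 'default'."""
    lists = {kind: (list(algs), "default") for kind, algs in DEFAULTS.items()}
    for line in config_text.splitlines():
        words = _command_words(line)
        if words[:2] == ["ssh", "client"] and len(words) > 3 and words[2] in DEFAULTS:
            # Assumption: a later line replaces an earlier one of the same kind.
            lists[words[2]] = ([w.lower() for w in words[3:]], "configured")
        elif words[:3] == ["undo", "ssh", "client"] and len(words) == 4 \
                and words[3] in DEFAULTS:
            lists[words[3]] = (list(DEFAULTS[words[3]]), "default")
    return lists


def audit(config_text):
    """List every algorithm list that still contains a weak algorithm."""
    findings = []
    for kind, (algs, source) in effective_lists(config_text).items():
        weak = [alg for alg in algs if alg in WEAK[kind]]
        if weak:
            findings.append({"list": kind, "source": source, "weak": weak})
    return findings


def negotiate(client_list, server_list):
    """First algorithm in the client's list that the server also has, else None."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None  # no common algorithm: the negotiation fails


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    # Same server, default client list versus the configured CTR-only list.
    print(negotiate(DEFAULTS["cipher"], SERVER_CIPHERS))
    print(negotiate(effective_lists(SAMPLE_CONFIG)["cipher"][0], SERVER_CIPHERS))
```

An empty configuration is reported too, because the default cipher and HMAC lists already contain algorithms the Precautions advise against.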

3.6.56 ssh client publickey

Function
The ssh client publickey command enables or disables the public key algorithm function of
the SSH client.

The undo ssh client publickey command restores public key algorithms of the SSH client to
default values.

By default, the DSA, ECC, and RSA algorithms are enabled.

Format
ssh client publickey { dsa | ecc | rsa } *

undo ssh client publickey [ dsa | ecc | rsa ] *

Parameters
Parameter Description Value
dsa Indicates the DSA algorithm. -

ecc Indicates the ECC algorithm. -

rsa Indicates the RSA algorithm. -

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
ssh-client write

Usage Guidelines
Usage Scenario
The command enables you to use a more secure public key algorithm to log in to the device,
with other public key algorithms rejected. This improves device security. You are advised to
use the ECC public key algorithm.
To allow a public key algorithm and deny other public key algorithms, run the ssh client
publickey command with that algorithm specified. For example, after the ssh client
publickey dsa command is run, the DSA algorithm is allowed but the RSA or ECC
algorithm is not. If this command is run multiple times, the last configuration takes effect.
This command takes effect for both IPv4 and IPv6 SSH clients.
Precautions
• A public key algorithm can be used for login only after it is enabled on both the client
  and server.
• When you run the undo ssh client publickey command with an algorithm specified,
  ensure that the algorithm specified is the same as that configured using the ssh client
  publickey command. Or you can run the undo ssh client publickey command with no
  algorithm specified. Otherwise, the configuration restoration function does not take
  effect.
• If the ssh client first-time enable command function is enabled, a message is displayed
  asking you to save the server public key when you use the client to log in to the server.
  During the saving process, the SSH client automatically selects a successfully negotiated
  public key algorithm and allocates the algorithm to the SSH server based on the public
  key algorithm configured using the ssh client publickey command.
• If the ssh client first-time enable command function is disabled, run the ssh client peer
  assign command to allocate a public key to the SSH server. Ensure that the allocated
  public key algorithm can successfully negotiate with the public key algorithm configured
  using the ssh client publickey command. Otherwise, the SSH server's public key fails to
  be authenticated by the SSH client.

Example
# Allow the ECC algorithm and deny other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh client publickey ecc

# Allow the SM2 algorithm and deny other algorithms.

3.6.57 ssh client rekey


Function
The ssh client rekey command sets the criteria that trigger SSH client key re-negotiation.
The undo ssh client rekey command restores the default values of criteria that trigger SSH
client key re-negotiation.
By default, key re-negotiation is triggered on the SSH client when one of the following
conditions is met:
• The total size of sent and received packets reaches 1000 MB.
• The total number of sent and received packets reaches 2147483648.
• The online duration reaches 60 minutes.

Format
ssh client rekey { data-limit data-limit | max-packet max-packet | time minutes } *
undo ssh client rekey { data-limit [ data-limit ] | max-packet [ max-packet ] | time
[ minutes ] } *

Parameters
Parameter Description Value
data-limit data-limit Specifies the maximum packet data volume that triggers key re-negotiation. The value is an integer ranging from 100 to 10000, in MB.
max-packet max-packet Specifies the maximum number of packets that triggers key re-negotiation. The value is an integer ranging from 268435456 to 2147483648.
time minutes Specifies the session duration that triggers key re-negotiation. The value is an integer in the range of 30 to 1440, in minutes.

Views
System view


Default Level
3: Management level

Task Name and Operations

Task Name Operations


ssh-client write

Usage Guidelines
When an SSH session meets one or more of the following criteria, the system re-negotiates a
key and uses the new key to establish SSH session connections, improving system security.
• The number of interaction packets meets the configured key re-negotiation criterion.
• The accumulated packet data volume meets the configured key re-negotiation criterion.
• The session duration meets the configured key re-negotiation criterion.

This command takes effect for both IPv4 and IPv6 SSH clients.
NOTE

A key re-negotiation request is initiated when either the SSH client or server meets the key re-
negotiation criteria, and the other party responds.

Example
# Configure key re-negotiation to be triggered on the SSH client when the total size of sent
and received packets reaches 10000 MB, the total number of sent and received packets
reaches 268435456, or the online duration reaches 1440 minutes.
<HUAWEI> system-view
[~HUAWEI] ssh client rekey data-limit 10000 max-packet 268435456 time 1440

3.6.58 ssh dscp

Function
The ssh dscp command sets the DSCP priority of STelnet packets.

The undo ssh dscp command restores the default setting.

By default, the DSCP priority of STelnet packets is 48.

Format
ssh { client | server } dscp dscp-number

undo ssh { client | server } dscp [ dscp-number ]


Parameters
Parameter Description Value

client Specifies the STelnet client. -

server Specifies the STelnet server. -

dscp-number Specifies the DSCP priority. The value is an integer that ranges from 0 to 63. A greater DSCP value indicates a higher priority.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run this command to set the DSCP priority of STelnet packets. The DSCP priority of
STelnet packets sent by the switch is then changed to the configured value. When network
congestion occurs, you can appropriately reduce the DSCP priority of STelnet packets to
ensure proper forwarding of data packets.

The priority of this command is higher than that of the set priority dscp command. If a DSCP
value is configured using this command, the configured value takes effect. If a DSCP value is
configured using the set priority dscp command rather than this command, the value
configured using the set priority dscp command takes effect. If no DSCP value is configured
using the preceding commands, the default DSCP value is used.

When you run the undo ssh { client | server } dscp [ dscp-number ] command:

• If dscp-number is not specified, the DSCP field is restored to the default value.
• If dscp-number is 48, the DSCP field is restored to the default value.
• If dscp-number is set to a value other than 48, the value must be the same as that
  configured using the ssh { client | server } dscp dscp-number command. Otherwise, the
  command execution fails.

Precautions

The command only takes effect for IPv4 packets.

Example
# Set the DSCP priority of STelnet packets sent by the client to 40.
<HUAWEI> system-view
[~HUAWEI] ssh client dscp 40


3.6.59 ssh server acl


Function
The ssh server acl command configures the ACL that the SSH server uses to control the
access permission of the SSH client.
The undo ssh server acl command cancels the configured ACL of the SSH server.
By default, no ACL is configured for SSH server.

Format
ssh [ ipv6 ] server acl { acl-number | acl-name }
undo ssh [ ipv6 ] server acl

Parameters
Parameter Description Value
acl-number Specifies the ACL number. The value is an integer that ranges from 2000 to 3999.
acl-name Specifies the ACL name. The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter or digit, and cannot contain only digits.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Configure the ACL for the following servers for access control:
• STelnet server: controls which clients can log in to this server through STelnet.
• SFTP server: controls which clients can log in to this server through SFTP.
• SNetconf server: controls which clients can log in to this server through SNetconf.
Prerequisites
Before running this command, run the acl (system view) command in the system view and the
rule (ACL view) command to configure an ACL.
Precautions
A basic ACL is configured to restrict source addresses and an advanced ACL is configured to
restrict source and destination addresses.


The ssh server acl { acl-number | acl-name } command takes effect only for IPv4 clients.

Example
# Configure the ACL numbered 2000 on the SSH server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.10 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ssh server acl 2000

# Configure the ACL named huawei on the SSH server.


<HUAWEI> system-view
[~HUAWEI] acl name huawei
[*HUAWEI-acl4-advance-huawei] rule permit tcp
[*HUAWEI-acl4-advance-huawei] quit
[*HUAWEI] ssh server acl huawei

3.6.60 ssh server assign


Function
The ssh server assign command assigns the generated RSA host key, DSA host key, or ECC
host key to the SSH server.
The undo ssh server assign command cancels the configuration.
By default, the device does not assign a key to the SSH server.

Format
ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key } label-name
undo ssh server assign { rsa-server-key | rsa-host-key | dsa-host-key | ecc-host-key }

Parameters
Parameter Description Value
rsa-server-key Specifies an RSA server key. -
rsa-host-key Sets the key type to RSA host key. -
dsa-host-key Sets the key type to DSA host key. -
ecc-host-key Sets the key type to ECC host key. -
label-name Specifies the label name of the RSA host key, RSA server key, DSA host key, or ECC host key. The label name must already exist.

Views
System view

Default Level
3: Management level


Usage Guidelines
Usage Scenario
You can run this command to reference the generated RSA, DSA, or ECC key pair with a
label to ensure security of the SSH server.
NOTE
For security purposes, it is not recommended that you use RSA as the public key.

Table 3-36 describes the usage scenarios for different authentication modes.

Table 3-36 Usage scenarios for authentication modes

Authentication Mode Usage Scenario

RSA It is a public key encryption architecture and an asymmetric encryption algorithm. Based
on the problem of factoring large numbers, RSA is mainly used to transmit the keys of the
symmetric encryption algorithm, which can improve encryption efficiency and simplify key
management. The server checks whether the SSH user, public key, and digital user signature
are valid. If all of them are valid, the user is permitted to access the server. If any of them is
invalid, the authentication fails and the user is denied access to the server.

DSA It is the same as RSA authentication in implementation. The server checks whether the
SSH user, public key, and digital user signature are valid. If all of them are valid, the user is
permitted to access the server. If any of them is invalid, the authentication fails and the user is
denied access to the server.
Compared with RSA authentication, DSA authentication uses the digital signature algorithm
for encryption and has a wider application scope.
• Many SSH tools only support DSA authentication for servers and clients.
• Based on the latest RFC recommendation for SSH, DSA authentication takes precedence
  over RSA authentication.

ECC Like RSA authentication, the server first checks the validity of the SSH user and whether
the public key and the numeric signature are valid. If all of them are consistent with those
configured on the server, user authentication succeeds. If any of the three cannot pass
authentication, the user access is denied. Compared with the RSA algorithm, the ECC
authentication has the following advantages:
• Provides the same security with shorter key length.
• Features a shorter computing process and higher processing speed.
• Requires less storage space.
• Requires lower bandwidth.

Prerequisites
An RSA, DSA, or ECC key pair with a label has been generated using the rsa key-pair label,
dsa key-pair label, or ecc key-pair label command before you run this command.
Configuration Impact
The RSA, DSA, or ECC key pair with a label assigned to the SSH server has a higher priority
than the key pair generated using the rsa local-key-pair create, dsa local-key-pair create, or
ecc local-key-pair create command. If this command is not configured, the SSH server uses
the key pair generated using the rsa local-key-pair create, dsa local-key-pair create, or ecc
local-key-pair create command for encryption.
Precautions
• After you delete the RSA, DSA, or ECC key pair with a label, the key pair assigned to
  the SSH server is deleted simultaneously.
• This command takes effect for both IPv4 and IPv6 SSH servers.

Example
# Assign the EC host key named ecckey to the SSH server.
<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecckey
[*HUAWEI] ssh server assign ecc-host-key ecckey

3.6.61 ssh server authentication-retries


Function
The ssh server authentication-retries command sets the maximum number of authentication
retries for an SSH connection.


The undo ssh server authentication-retries command restores the default maximum number
of authentication retries for an SSH connection.

The default maximum number of authentication retries for an SSH connection is 3.

Format
ssh server authentication-retries times

undo ssh server authentication-retries

Parameters

Parameter Description Value
times Specifies the maximum number of authentication retries for an SSH connection. The value is an integer that ranges from 1 to 5.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run this command to configure the maximum number of authentication retries for an
SSH connection, which prevents server overload due to malicious access. When the number
of authentication retries exceeds the maximum number, the device instructs the remote host to
tear down the connection.

Precautions

The configured number of retries takes effect upon the next login.

The total number of RSA, DSA, ECC, and password authentication retries on the SSH client
cannot exceed the maximum number that is set using this command.

This command takes effect for both IPv4 and IPv6 connections.

Example
# Set the maximum number of times for retrying login authentication to 4.
<HUAWEI> system-view
[~HUAWEI] ssh server authentication-retries 4

3.6.62 ssh server authentication-type keyboard-interactive enable

Function
The ssh server authentication-type keyboard-interactive enable command enables
keyboard interactive authentication on an SSH server.
The undo ssh server authentication-type keyboard-interactive enable command disables
keyboard interactive authentication on the SSH server.
By default, keyboard interactive authentication is enabled on an SSH server.

Format
ssh server authentication-type keyboard-interactive enable
undo ssh server authentication-type keyboard-interactive enable

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Keyboard interactive authentication is also called password card authentication. If you need to
log in to an SSH server in keyboard interactive authentication mode, run the ssh server
authentication-type keyboard-interactive enable command. The authentication process is as
follows:
1. An SSH user enters the user name to log in to a device.
2. After detecting that the user is a password card authentication user, the TACACS server
sends the user name to the password card authentication server.
3. The password card authentication server generates a challenge code based on the user name
and sends the challenge code to the TACACS server.
4. The TACACS server displays the challenge code on the device.
5. The user enters the user password and the received challenge code in the password card.
The password card computes a challenge response code.
6. The user sends the challenge response code to the password card authentication server
using the device and TACACS server.
7. The password card authentication server checks whether the challenge response code is
correct and returns the authentication result to the user.
After this function is enabled, the system prompts the user to enter the challenge response
code.
If you need to log in to the SSH server in password authentication mode, run the undo ssh
server authentication-type keyboard-interactive enable command to disable keyboard
interactive authentication as required.

Example
# Enable keyboard interactive authentication on an SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server authentication-type keyboard-interactive enable

3.6.63 ssh server compatible-ssh1x enable

Function
The ssh server compatible-ssh1x enable command enables the earlier version-compatible
function on an SSH server.

The undo ssh server compatible-ssh1x enable command disables the earlier version-
compatible function on the SSH server.

By default, the earlier version-compatible function is disabled on an SSH server.

Format
ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x enable

Parameters
None

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name | Operations
ssh-server | write

Usage Guidelines
Scenario

The earlier version-compatible function of an SSH server is applicable to the protocol version
negotiation between the client and server. After a TCP connection is set up between the client
and server, the SSH client starts to negotiate with the server on a protocol version that both
can run normally. The client negotiates the protocol version by comparing its own protocol
version with the version in the received packet.

By comparing the protocol versions, the server determines whether to work with the client.

• If the client runs a protocol version that is earlier than 1.3 or later than 2.0, version
negotiation fails and the server terminates the TCP connection with the client.
• If the client runs a protocol version that is between 1.3 and 1.99 (including V1.3), the
SSH1.5 server module is established when the "compatibility configuration option" of
SSH is SSH1.x-compatible. The system then proceeds with the SSH1.x process. The
server terminates the TCP connection with the client when the "compatibility
configuration option" of SSH is SSH1.x-incompatible.
• If the client runs a protocol version that is 1.99 or 2.0, the SSH2.0 server module is
established. The system then proceeds with the SSH2.0 process.

Precaution

• If compatibility with SSH 1.3 and 1.5 is disabled, all connections from SSH 1.x clients
are dropped.
• If the SSH server is enabled to be compatible with earlier SSH versions, the system
prompts a security risk.
• SSHv1 is not secure, and SSHv2 is recommended.
• The configuration takes effect upon the next login.

Example
# Enable the compatibility with SSH 1.x version.
<HUAWEI> system-view
[~HUAWEI] ssh server compatible-ssh1x enable
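
The version-negotiation rules in the Usage Guidelines above, written out as an added Python sketch (it is not Huawei code). The banner layout SSH-protoversion-softwareversion is the identification string from RFC 4253; the function names and the sample banners are constructed for illustration.

```python
import re

# RFC 4253 identification string: SSH-<protoversion>-<softwareversion>[ comments]
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")


def server_module(client_banner, ssh1x_compatible=False):
    """Apply the 3.6.63 rules; return 'ssh2.0', 'ssh1.5' or 'reject'.

    ssh1x_compatible models 'ssh server compatible-ssh1x enable',
    which the page states is disabled by default.
    """
    m = BANNER_RE.match(client_banner.strip())
    if not m:
        return "reject"  # assumption: an unparsable banner is refused
    version = (int(m.group(1)), int(m.group(2)))
    if version < (1, 3) or version > (2, 0):
        return "reject"  # earlier than 1.3 or later than 2.0
    if version >= (1, 99):
        return "ssh2.0"  # 1.99 or 2.0
    # 1.3 <= version < 1.99: served only when SSH 1.x compatibility is on
    return "ssh1.5" if ssh1x_compatible else "reject"


def ssh1_only_clients(banners):
    """Banners that connect only when compatibility is enabled, i.e. over SSH 1.x."""
    return [b for b in banners
            if server_module(b, True) == "ssh1.5"
            and server_module(b, False) == "reject"]


# Constructed sample banners, e.g. taken from an inventory of management clients.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9",
    "SSH-1.99-ExampleClient_3.2",
    "SSH-1.5-LegacyTool_1.0",
    "SSH-1.2-AncientTool",
    "SSH-2.1-FutureTool",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:30} default={server_module(banner):8} "
              f"compat={server_module(banner, True)}")
    print("SSH 1.x only:", ssh1_only_clients(SAMPLE_BANNERS))
```

Running ssh1_only_clients over the banners seen in login logs shows which clients would lose access with the default setting, and which sessions would run over SSHv1 if compatibility were enabled.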

3.6.64 ssh server cipher

Function
The ssh server cipher command configures an encryption algorithm list for an SSH server.

The undo ssh server cipher command restores the default encryption algorithm list of an
SSH server.

The default situation is as follows:


• If a device starts without any configuration file, the encryption algorithms supported by
the SSH server are AES256_CTR and AES128_CTR.
• If a device starts with a loaded configuration file (for example, a configuration file is
loaded to the device using ZTP for initial configuration), and no encryption algorithm list
is configured for the SSH server in the configuration file using the ssh server cipher
command, the encryption algorithms supported by the SSH server are 3DES_CBC,
AES128_CBC, AES256_CBC, AES128_CTR, AES192_CTR, AES128_GCM,
AES256_GCM, AES256_CTR, Arcfour128, and Arcfour256.

Format
ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr
| arcfour128 | arcfour256 | aes192_cbc | aes192_ctr | aes128_gcm | aes256_gcm |
blowfish_cbc } *

undo ssh server cipher

Parameters

Parameter | Description | Value
des_cbc | Specifies the CBC DES encryption algorithm. | -
3des_cbc | Specifies the CBC 3DES encryption algorithm. | -
aes128_cbc | Specifies the CBC AES128 encryption algorithm. | -
aes256_cbc | Specifies the CBC AES256 encryption algorithm. | -
aes128_ctr | Specifies the CTR AES128 encryption algorithm. | -
aes256_ctr | Specifies the CTR AES256 encryption algorithm. | -
arcfour128 | Specifies the Arcfour128 encryption algorithm. | -
arcfour256 | Specifies the Arcfour256 encryption algorithm. | -
aes192_cbc | Specifies the CBC AES192 encryption algorithm. | -
aes192_ctr | Specifies the CTR AES192 encryption algorithm. | -
aes128_gcm | Specifies the GCM AES128 encryption algorithm. | -
aes256_gcm | Specifies the GCM AES256 encryption algorithm. | -
blowfish_cbc | Specifies the CBC Blowfish encryption algorithm. | -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

An SSH server and a client need to negotiate an encryption algorithm for the packets
exchanged between them. You can run the ssh server cipher command to configure an
encryption algorithm list for the SSH server. After the list is configured, the server matches
the encryption algorithm list of a client against the local list after receiving a packet from the
client and selects the first encryption algorithm that matches the local list. If no encryption
algorithms in the list of the client match the local list, the negotiation fails.

Precautions

des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, and arcfour256 provide
weak security. Therefore, do not add them to the encryption algorithm list. Using aes128_ctr,
aes192_ctr, aes128_gcm, aes256_gcm, or aes256_ctr is recommended, because these
algorithms provide higher security.

This command takes effect for both IPv4 and IPv6 SSH servers.

Example
# Configure CTR encryption algorithms for an SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server cipher aes256_ctr aes128_ctr

3.6.65 ssh server dh-exchange min-len


Function
The ssh server dh-exchange min-len command configures the minimum key length
supported during Diffie-hellman-group-exchange key exchange between the SSH server and
client.
The undo ssh server dh-exchange min-len command restores the default minimum key
length supported during Diffie-hellman-group-exchange key exchange between the SSH
server and client.
By default, the minimum key length supported is 2048 bits.

Format
ssh server dh-exchange min-len min-len
undo ssh server dh-exchange min-len

Parameters
Parameter | Description | Value
min-len | Specifies the minimum Diffie-hellman-group-exchange key length supported on the SSH server. | The value can be either 1024 or 2048, in bits.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If the SSH client supports the Diffie-hellman-group-exchange key of more than 1024 bits, run
the ssh server dh-exchange min-len command to set the minimum key length to 2048 bits to
improve security.
Precautions
Security risks exist if the minimum Diffie-hellman-group-exchange key length is less than
2048 bits. You are advised to set the minimum key length to 2048 bits.

This command takes effect for both IPv4 and IPv6 SSH servers.

Example
# Set the minimum key length supported during Diffie-hellman-group-exchange key
exchange between the SSH server and client to 2048 bits.
<HUAWEI> system-view
[~HUAWEI] ssh server dh-exchange min-len 2048

3.6.66 ssh server hmac

Function
The ssh server hmac command configures an HMAC authentication algorithm list for an
SSH server.

The undo ssh server hmac command restores the default HMAC authentication algorithm
list of an SSH server.

The default situation is as follows:


• If a device starts without any configuration file, the default HMAC authentication
algorithms that can be configured for the SSH server are SHA2_256_96, SHA2_256, and
SHA1_96.
• If a device starts with a loaded configuration file (for example, a configuration file is
loaded to the device using ZTP for initial configuration), and no HMAC authentication
algorithm list is configured for the SSH server in the configuration file using the ssh
server hmac command, the HMAC authentication algorithms supported by the SSH
server are MD5, MD5_96, SHA1, SHA1_96, SHA2_256, SHA2_512, and
SHA2_256_96.

Format
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *

undo ssh server hmac

Parameters

Parameter | Description | Value
md5 | Specifies the MD5 HMAC authentication algorithm. | -
md5_96 | Specifies the MD5_96 HMAC authentication algorithm. | -
sha1 | Specifies the SHA1 HMAC authentication algorithm. | -
sha1_96 | Specifies the SHA1_96 HMAC authentication algorithm. | -
sha2_256 | Specifies the SHA2_256 HMAC authentication algorithm. | -
sha2_256_96 | Specifies the SHA2_256_96 HMAC authentication algorithm. | -
sha2_512 | Specifies the SHA2_512 HMAC authentication algorithm. | -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

An SSH server and a client need to negotiate an HMAC authentication algorithm for the
packets exchanged between them. You can run the ssh server hmac command to configure an
HMAC authentication algorithm list for the SSH server. After the list is configured, the server
matches the list of a client against the local list after receiving a packet from the client and
selects the first HMAC authentication algorithm that matches the local list. If no HMAC
authentication algorithms in the list of the client match the local list, the negotiation fails.

Precautions

sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are
not recommended in the HMAC authentication algorithm list.

This command takes effect for both IPv4 and IPv6 SSH servers.

Example
# Configure the SHA2_256 HMAC authentication algorithm for an SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server hmac sha2_256

3.6.67 ssh server keepalive disable

Function
The ssh server keepalive disable command disables the keepalive function on the SSH
server.

The undo ssh server keepalive disable command enables the keepalive function on the SSH
server.

By default, the keepalive function is enabled on the SSH server.

Format
ssh server keepalive disable

undo ssh server keepalive disable

Parameters
None

Views
System view

Default Level
3: Management level

Usage Guidelines
If the keepalive function is disabled on the SSH server, the server will disconnect from the
SSH client when there is no data exchange, which causes server resource waste due to
reconnections. After the keepalive function is enabled on the SSH server, the server responds
when receiving keepalive packets from the SSH client. If the function is disabled, the SSH
server discards the received keepalive packets. When the SSH client does not receive any
keepalive response packet, the client disconnects from the server.

Example
# Enable the keepalive function on the SSH server.
<HUAWEI> system-view
[~HUAWEI] undo ssh server keepalive disable

3.6.68 ssh server key-exchange

Function
The ssh server key-exchange command configures a key exchange algorithm list on an SSH
server.

The undo ssh server key-exchange command restores the default configuration.

The default situation is as follows:


• If a device starts without any configuration file, the key exchange algorithms supported
by the SSH server are dh_group_exchange_sha1, dh_group_exchange_sha256,
ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521, and sm2_kep.
• If a device starts with a loaded configuration file (for example, a configuration file is
loaded to the device using ZTP for initial configuration), and no key exchange algorithm
list is configured on the SSH server using the ssh server key-exchange command, the
SSH server supports all key exchange algorithms.

Format
ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 |
dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 |
ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *

undo ssh server key-exchange

Parameters

Parameter | Description | Value
dh_group14_sha1 | Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | -
dh_group1_sha1 | Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | -
dh_group_exchange_sha1 | Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | -
dh_group_exchange_sha256 | Specifies that the Diffie-hellman-group-exchange-sha256 algorithm is contained in the key exchange algorithm list configured on the SSH server. | -
ecdh_sha2_nistp256 | Specifies that the Elliptic curve Diffie-hellman-sha2-nistp256 algorithm is contained in the key exchange algorithm list configured on the SSH server. | -
ecdh_sha2_nistp384 | Specifies that the Elliptic curve Diffie-hellman-sha2-nistp384 algorithm is contained in the key exchange algorithm list configured on the SSH server. | -
ecdh_sha2_nistp521 | Specifies that the Elliptic curve Diffie-hellman-sha2-nistp521 algorithm is contained in the key exchange algorithm list configured on the SSH server. | -
sm2_kep | Specifies that the SuperMemo 2 Key Exchange Protocol algorithm is contained in the key exchange algorithm list configured on the SSH server. | -

Views
System view

Default Level
3: Management level

Usage Guidelines
An SSH server and a client need to negotiate a key exchange algorithm for the packets
exchanged between them. You can run the ssh server key-exchange command to configure a
key exchange algorithm list for the SSH server. After the list is configured, the server matches
the key exchange algorithm list of a client against the local list after receiving a packet from
the client and selects the first key exchange algorithm that matches the local list. If no key
exchange algorithms in the list of the client match the local list, the negotiation fails.

NOTE

For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.

Example
# Configure key exchange algorithm lists dh_group_exchange_sha1 and
dh_group_exchange_sha256 on the SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server key-exchange dh_group_exchange_sha1 dh_group_exchange_sha256
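
The cipher, HMAC, key-exchange, DH minimum-length and SSH 1.x precautions from 3.6.63 to 3.6.68 can be checked mechanically against a saved configuration. The following Python auditor is an added example, not Huawei tooling; it assumes the saved configuration stores these commands one per line as typed, and the two sample configurations are constructed. A missing list command is treated as the broader "loaded configuration file" default described above, which is where weak algorithms most easily go unnoticed.

```python
import re

# Values that the Precautions/NOTE text on this page calls weak or insecure.
WEAK = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
               "arcfour128", "arcfour256"},
    "hmac": {"sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"},
    "key-exchange": {"dh_group1_sha1"},
}

# Lists the page says apply when a loaded configuration file lacks the command.
LOADED_DEFAULT = {
    "cipher": ["3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr", "aes192_ctr",
               "aes128_gcm", "aes256_gcm", "aes256_ctr", "arcfour128", "arcfour256"],
    "hmac": ["md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_512",
             "sha2_256_96"],
    # "all key exchange algorithms": every keyword in the Format line of 3.6.68
    "key-exchange": ["dh_group14_sha1", "dh_group1_sha1", "dh_group_exchange_sha1",
                     "dh_group_exchange_sha256", "ecdh_sha2_nistp256",
                     "ecdh_sha2_nistp384", "ecdh_sha2_nistp521", "sm2_kep"],
}

_LIST_CMD = re.compile(r"^ssh server (cipher|hmac|key-exchange)\s+(.+)$")
_DH_CMD = re.compile(r"^ssh server dh-exchange min-len (\d+)$")


def effective_lists(config_text):
    """Return ({kind: [algorithms]}, {kinds configured explicitly})."""
    lists = {kind: list(default) for kind, default in LOADED_DEFAULT.items()}
    explicit = set()
    for raw in config_text.splitlines():
        m = _LIST_CMD.match(raw.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
            explicit.add(m.group(1))
    return lists, explicit


def audit(config_text):
    """Return (setting, detail) findings: algorithm lists first, then other lines."""
    findings = []
    lists, explicit = effective_lists(config_text)
    for kind, algos in lists.items():
        weak = [a for a in algos if a in WEAK[kind]]
        if weak:
            origin = "configured" if kind in explicit else "implicit default"
            findings.append((kind, f"{origin}: {' '.join(weak)}"))
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _DH_CMD.match(line)
        if m and int(m.group(1)) < 2048:
            findings.append(("dh-exchange min-len", f"{m.group(1)} bits"))
        if line == "ssh server compatible-ssh1x enable":
            findings.append(("compatible-ssh1x", "SSH 1.x accepted"))
    return findings


def negotiate(client_offer, server_list):
    """First algorithm in the client's list that the server list also contains."""
    allowed = set(server_list)
    return next((a for a in client_offer if a in allowed), None)


# Constructed sample configurations (not taken from a real device).
HARDENED = """
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
ssh server key-exchange dh_group_exchange_sha256 ecdh_sha2_nistp256
ssh server dh-exchange min-len 2048
"""
LEGACY = """
ssh server cipher aes256_ctr 3des_cbc
ssh server dh-exchange min-len 1024
ssh server compatible-ssh1x enable
"""

if __name__ == "__main__":
    for name, text in (("HARDENED", HARDENED), ("LEGACY", LEGACY)):
        print(name)
        for setting, detail in audit(text) or [("ok", "no findings")]:
            print(f"  {setting}: {detail}")
```

negotiate uses the device keywords rather than the on-the-wire algorithm names, so it shows which entry a given client preference order would select from each effective list.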

3.6.69 ssh server login-failed threshold-alarm

Function
The ssh server login-failed threshold-alarm command configures alarm generation and
clearance thresholds for SSH server login failures within a specified period.

The undo ssh server login-failed threshold-alarm command restores the default alarm
generation and clearance thresholds.

By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes
and is cleared if the number of login failures falls below 20 within the same period.

Format
ssh server login-failed threshold-alarm upper-limit report-times lower-limit resume-times
period period-time

undo ssh server login-failed threshold-alarm [ upper-limit report-times lower-limit
resume-times period period-time ]

Parameters

Parameter | Description | Value
upper-limit report-times | Specifies an alarm generation threshold. | The value is an integer ranging from 0 to 100. The default value is 30. If the value is 0, no alarms are generated upon SSH server login failures.
lower-limit resume-times | Specifies an alarm clearance threshold. | The value is an integer ranging from 0 to report-times and varies with report-times. The default value is 20, and the maximum value is 45. If resume-times is 0, the function is the same as that when the value is set to 1, which means that a clear alarm is generated if no login failures occur.
period period-time | Specifies a statistics collection period. | The value is an integer ranging from 1 to 120, in minutes. The default value is 5. If report-times is 0, the period-time value specified does not take effect.

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name | Operations
ssh-server | write

Usage Guidelines
Usage Scenario

To manage frequent SSH server login failures within a specified period, run the ssh server
login-failed threshold-alarm command to configure alarm generation and clearance
thresholds for the login failures.

This command takes effect for both IPv4 and IPv6 SSH servers.

Precautions

The alarm generation threshold specified using report-times must be greater than or equal to
the alarm clearance threshold specified using resume-times.

Example
# Configure the device to generate an alarm when the number of SSH server login failures
within 3 minutes reaches 20 and clear the alarm when the number of SSH server login failures
within 3 minutes is less than 10.
<HUAWEI> system-view
[~HUAWEI] ssh server login-failed threshold-alarm upper-limit 20 lower-limit 10 period 3
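
The two thresholds form a hysteresis band: the alarm is raised at upper-limit and is cleared only once the count drops below lower-limit. The Python model below is an added example, not the device's implementation; it assumes failures are counted over a sliding window of period-time minutes evaluated once per minute, and the failure timestamps are constructed.

```python
def validate(upper, lower, period):
    """Check a parameter set against the ranges in the table above."""
    errors = []
    if not 0 <= upper <= 100:
        errors.append("upper-limit (report-times) must be 0-100")
    if not 0 <= lower <= 45:
        errors.append("lower-limit (resume-times) must be 0-45")
    if lower > upper:
        errors.append("lower-limit must not exceed upper-limit")
    if not 1 <= period <= 120:
        errors.append("period must be 1-120 minutes")
    return errors


def alarm_events(failure_minutes, upper=30, lower=20, period=5):
    """Return [(minute, 'raise' | 'clear')] for a list of failure timestamps.

    failure_minutes holds one integer minute per failed login.
    Assumption: sliding window (now - period, now], checked every minute.
    """
    problems = validate(upper, lower, period)
    if problems:
        raise ValueError("; ".join(problems))
    if upper == 0:
        return []  # page: 0 means no alarms are generated
    lower = max(lower, 1)  # page: resume-times 0 behaves like 1
    events, active = [], False
    horizon = max(failure_minutes, default=0) + period
    for now in range(horizon + 1):
        count = sum(1 for t in failure_minutes if now - period < t <= now)
        if not active and count >= upper:
            events.append((now, "raise"))
            active = True
        elif active and count < lower:
            events.append((now, "clear"))
            active = False
    return events


# Constructed traffic: a burst of 24 failures in three minutes, then 2 stragglers.
BURST = [0] * 8 + [1] * 8 + [2] * 8 + [6] * 2
# Constructed traffic: 20 failures at once, then 4 per minute for five minutes.
LINGERING = [0] * 20 + [m for m in range(1, 6) for _ in range(4)]

if __name__ == "__main__":
    # Thresholds from the example above: upper-limit 20 lower-limit 10 period 3
    print(alarm_events(BURST, upper=20, lower=10, period=3))
    print(alarm_events(LINGERING, upper=20, lower=10, period=3))
```

In the second data set the count settles at 12 per window, which is below the generation threshold but not below the clearance threshold, so the alarm stays active until the failures stop.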

3.6.70 ssh server port

Function
The ssh server port command changes the listening port number of the SSH server.

The undo ssh server port command restores the default listening port number of the SSH
server.

The default listening port number of the SSH server is 22.

Format
ssh [ ipv4 | ipv6 ] server port port-number

undo ssh [ ipv4 | ipv6 ] server port

Parameters
Parameter | Description | Value
ipv4 | Specifies the IPv4 server port. | -
ipv6 | Specifies the IPv6 server port. | -
port-number | Specifies the listening port number of the SSH server. | The value is 22 or an integer ranging from 1025 to 65535.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Configure the listening port number of the SSH server to prevent malicious access to the
standard SSH service port and ensure security.
Run the ssh server port command to enable both the IPv4 and IPv6 SSH servers. Run the ssh
ipv4 server port command to enable the IPv4 SSH server. Run the ssh ipv6 server port
command to enable the IPv6 SSH server.
Precautions
The SSH client can log in successfully with no port specified only when the server is listening
on port 22. If the server is listening on another port, the port number must be specified upon
login.
Before changing the current port number, disconnect all devices from the port. After the port
number is changed, the server starts to listen on the new port.

Example
# Set the listening port number of the SSH server to 1025.
<HUAWEI> system-view
[~HUAWEI] ssh server port 1025
Warning: The operation will disconnect all online users. Continue? [Y/N]: y

3.6.71 ssh server publickey

Function
The ssh server publickey command enables or disables the public key algorithm function of
the SSH server.
The undo ssh server publickey command restores public key algorithms of the SSH server to
default values.

By default, the DSA, ECC, and RSA algorithms are enabled.

Format
ssh server publickey { dsa | ecc | rsa } *

undo ssh server publickey [ dsa | ecc | rsa ] *

Parameters
Parameter | Description | Value
dsa | Indicates the DSA algorithm. | -
ecc | Indicates the ECC algorithm. | -
rsa | Indicates the RSA algorithm. | -

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name | Operations
ssh-server | write

Usage Guidelines
Usage Scenario
The command enables you to use a more secure public key algorithm to log in to the device,
with other public key algorithms rejected. This improves device security. You are advised to
use the ECC public key algorithm.
To allow a public key algorithm and deny other public key algorithms, run the ssh server
publickey command with that public key algorithm specified. For example, after the ssh server
publickey dsa command is run, the DSA algorithm is allowed but the ECC or RSA algorithm
is not. If this command is run multiple times, the last configuration takes effect.
Precautions
• A public key algorithm can be used for login only after it is enabled on both the client
and server.
• When you run the undo ssh server publickey command with an algorithm specified,
ensure that the algorithm specified is the same as that configured using the ssh server
publickey command. Or you can run the undo ssh server publickey command with no
algorithm specified. Otherwise, the configuration restoration function does not take
effect.
• If the ssh user authentication-type { password | rsa | dsa | ecc | password-rsa |
password-dsa | password-ecc | all } command is run to configure public key
authentication as the authentication mode of SSH users, the involved public key
algorithm must be consistent with that enabled in the ssh server publickey { dsa | ecc |
rsa } * command. Otherwise, device login fails. For example, if the ssh server
publickey ecc command is run, run the ssh user authentication-type { ecc | password-
ecc | all } command to set the authentication mode of SSH users to ECC, Password-
ECC, or All.

This command takes effect for both IPv4 and IPv6 SSH servers.

Example
# Allow use of the ECC algorithm and deny other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh server publickey ecc

3.6.72 ssh server rekey

Function
The ssh server rekey command sets the criteria that trigger SSH server key re-negotiation.

The undo ssh server rekey command restores the default values of criteria that trigger SSH
server key re-negotiation.

By default, key re-negotiation is triggered on the SSH server when one of the following
conditions is met:
• The total size of sent and received packets reaches 1000 MB.
• The total number of sent and received packets reaches 2147483648.
• The online duration reaches 60 minutes.

Format
ssh server rekey { data-limit data-limit | max-packet max-packet | time minutes } *

undo ssh server rekey { data-limit [ data-limit ] | max-packet [ max-packet ] | time
[ minutes ] } *

Parameters

Parameter | Description | Value
data-limit data-limit | Specifies the maximum packet data volume that triggers key re-negotiation. | The value is an integer ranging from 100 to 10000, in MB.
max-packet max-packet | Specifies the maximum number of packets that triggers key re-negotiation. | The value is an integer ranging from 268435456 to 2147483648.
time minutes | Specifies the session duration that triggers key re-negotiation. | The value is an integer in the range of 30 to 1440, in minutes.

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name | Operations
ssh-server | write

Usage Guidelines
When an SSH session meets one or more of the following criteria, the system re-negotiates a
key and uses the new key to establish SSH session connections, improving system security.
• The number of interaction packets meets the configured key re-negotiation criterion.
• The accumulated packet data volume meets the configured key re-negotiation criterion.
• The session duration meets the configured key re-negotiation criterion.
This command takes effect for both IPv4 and IPv6 SSH clients.
NOTE

A key re-negotiation request is initiated when either the SSH client or server meets the key re-
negotiation criteria, and the other party responds.

Example
# Configure key re-negotiation to be triggered on the SSH server when the total size of sent
and received packets reaches 10000 MB, the total number of sent and received packets
reaches 268435456, or the online duration reaches 1440 minutes.
<HUAWEI> system-view
[~HUAWEI] ssh server rekey data-limit 10000 max-packet 268435456 time 1440

3.6.73 ssh server rekey-interval


Function
The ssh server rekey-interval command sets the interval for updating the SSH server key
pair.

The undo ssh server rekey-interval command restores the default interval for updating the
SSH server key pair.
The default interval for updating the SSH server key pair is 0, indicating that the key pair is
never updated.

Format
ssh server rekey-interval hours
undo ssh server rekey-interval

Parameters
Parameter | Description | Value
hours | Specifies the interval for updating the server key pair. | The value is an integer that ranges from 0 to 24, in hours.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If the server key pair is not updated for a long time, the key is easy to decrypt and the server is
insecure. After the interval for updating the SSH server key pair is set using this command,
the system will automatically update the key pair at intervals.
Precautions
If the client is connected to the server, the server public key on the client is not updated
immediately. This key is updated only when the client is reconnected to the server.

Example
# Set the interval for updating the SSH server key pair to 2 hours.
<HUAWEI> system-view
[~HUAWEI] ssh server rekey-interval 2

3.6.74 ssh server timeout


Function
The ssh server timeout command sets the timeout interval for SSH connection
authentication.
The undo ssh server timeout command restores the default timeout interval for SSH
connection authentication.

The default timeout interval for SSH connection authentication is 60 seconds.

Format
ssh server timeout seconds

undo ssh server timeout

Parameters

Parameter | Description | Value
seconds | Specifies the timeout interval for SSH connection authentication. | The value is an integer ranging from 1 to 120, in seconds.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

If you have not logged in successfully within the timeout interval for SSH connection
authentication, the current connection is terminated to ensure security. You can run the
display ssh server command to query the current timeout interval.

Precautions

The setting for the timeout interval takes effect upon next login.

This command takes effect for both IPv4 and IPv6 connections.

Example
# Set the SSH connection authentication timeout interval to 90 seconds.
<HUAWEI> system-view
[~HUAWEI] ssh server timeout 90

3.6.75 ssh server-source

Function
The ssh server-source command specifies a source interface for an SSH server.

The undo ssh server-source command restores the default setting.

By default, the source interface of an SSH server is not specified.

Format
ssh server-source -i interface-type interface-number

undo ssh server-source

ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]

undo ssh ipv6 server-source

Parameters

Parameter | Description | Value
-i interface-type interface-number | Specifies the source interface for the SSH server. | You can enter a question mark (?) and select a value from the displayed value range.
-a ipv6-address | Specifies the source IPv6 address. | The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.
ipv6 | Specifies the SSH IPv6 server. | -
-vpn-instance vpn-instance-name | Specifies the VPN. | The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

By default, an SSH server receives connection requests from all interfaces, which makes the
system vulnerable to attacks. To enhance system security, you can specify the source interface
of the SSH server. This sets a login condition so that only authorized users can log in to the
SSH server.

The command ssh server-source -i interface-type interface-numbertakes effect for ipv4


function.

Prerequisites

Before running this command to specify the source interface, ensure that the physical
interface exists on the device or the logical interface has been created successfully; otherwise,
this command cannot be run successfully.

Precautions

- After the source interface is specified, the system only allows SSH users to log in to the
  SSH server through this source interface, and SSH users logging in through other
  interfaces are denied. Note that setting this parameter only affects SSH users who
  attempt to log in to the SSH server, and it does not affect SSH users who have logged in
  to the server.
- After the source interface of an SSH server is specified using this command, ensure that
  SSH users can access the source interface at Layer 3. Otherwise, the SSH users will fail
  to log in to the SSH server.
- The configuration takes effect upon the next login. The system will prompt you to
  determine whether to continue the operation.
- If the specified source interface has been bound to a VPN instance, the SSH server is
  automatically bound to the same VPN instance.
- If the specified source interface has been bound to a VPN instance, for example, vpn1,
  but a different VPN instance, for example, vpn2, is specified in the
  ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command, vpn1
  takes effect for IPv4 users, and vpn2 takes effect for IPv6 users.
- After a bound VPN instance is deleted, the VPN configuration specified using the ssh
  server-source command is not cleared but no longer takes effect. In this case, the
  SSH server uses a public IP address. If you configure the VPN instance with the same
  name again, the VPN function is restored.
- After a bound source interface is deleted, the interface configuration specified using the
  ssh server-source command is not cleared but no longer takes effect. If you configure
  the source interface with the same name again, the interface configuration specified
  using the ssh server-source command is updated and the function is restored.
- For an IPv6 SSH server, you can run the
  ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command to
  configure a user to log in to the server through a specified IPv6 source address.

Example
# Specify Loopback0 as the source interface of the SSH server.
<HUAWEI> system-view
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 10.1.1.1 24
[*HUAWEI-LoopBack0] quit
[*HUAWEI] ssh server-source -i loopback 0

3.6.76 ssh user

Function
The ssh user command creates an SSH user.

The undo ssh user command deletes an SSH user.

By default, no ssh user is created.


Format
ssh user user-name
undo ssh user [ user-name ]

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| user-name | Specifies the name of an SSH user. | The name is a string of 1 to 253 case-insensitive characters without spaces. NOTE: When quotation marks are used around the string, spaces are allowed in the string. |

Views
System view

Default Level
3: Management level

Task Name and Operations


| Task Name | Operations |
| --- | --- |
| ssh-server | write |

Usage Guidelines
You can create a user using either of the following methods:
- Run the ssh user command.
- After the ssh user authentication-type, ssh user service-type, and ssh user sftp-directory
  commands are run, the system automatically creates a user named user-name if
  the system detects that the user named user-name does not exist.

Example
# Create an SSH user named testuser.
<HUAWEI> system-view
[~HUAWEI] ssh user testuser

3.6.77 ssh user assign


Function
The ssh user assign command assigns an existing public key to a user.
The undo ssh user assign command deletes the mapping between the user and public key.


By default, no public key is assigned to a user.

Format
ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name
undo ssh user user-name assign { rsa-key | dsa-key | ecc-key }

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| user-name | Specifies the SSH user name. | The SSH user must already exist. |
| rsa-key | Specifies the RSA public key. | - |
| dsa-key | Specifies the DSA public key. | - |
| ecc-key | Specifies the ECC public key. | - |
| key-name | Specifies the client public key name. | The public key name must already exist. |

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When an SSH client needs to log in to the SSH server in RSA, DSA, or ECC mode, run this
command to assign a public key to the client. If the client has been assigned keys, the latest
assigned key takes effect.

For security purposes, it is not recommended that you use RSA as the public key.

Precautions
The newly configured public key takes effect upon next login.
If the user named user-name to whom a public key is assigned does not exist, the system
automatically creates an SSH user named user-name and performs the configured
authentication for the SSH user.

Example
# Assign key1 to a user named John.
<HUAWEI> system-view
[~HUAWEI] ssh user john assign rsa-key key1

3.6.78 ssh user authentication-type

Function
The ssh user authentication-type command configures the authentication mode for an SSH
user.

The undo ssh user authentication-type command deletes the configured authentication
mode.

By default, no authentication mode is configured for an SSH user.

Format
ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }

undo ssh user user-name authentication-type

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| user-name | Specifies the SSH user name. | The SSH user must already exist. |
| password | Specifies the password authentication mode. | - |
| rsa | Specifies the RSA authentication mode. NOTE: To ensure high security, do not use the RSA algorithm whose length is less than 2048 digits as the authentication type for the SSH user. You are advised to use a more secure ECC authentication algorithm for higher security. | - |
| password-rsa | Specifies the password and RSA authentication mode. | - |
| dsa | Specifies the DSA authentication mode. | - |
| password-dsa | Specifies the password and DSA authentication mode. | - |
| ecc | Specifies the ECC authentication mode. | - |
| password-ecc | Specifies the password and ECC authentication mode. | - |
| all | Specifies the password, ECC, DSA, or RSA authentication mode. | - |

Views
System view


Default Level
3: Management level

Usage Guidelines
Usage Scenario
When you configure the authentication mode for an SSH user, the system automatically
creates an SSH user named user-name if the user-name user does not exist.

For security purposes, you are advised not to use the RSA authentication mode.

Table 3-37 describes the usage scenarios for different authentication modes.

Table 3-37 Usage scenarios for authentication modes


| Authentication Mode | Usage Scenario |
| --- | --- |
| RSA | It is a public key encryption architecture and an asymmetric encryption algorithm. Based on the problem of factoring large numbers, RSA is mainly used to transmit the keys of the symmetric encryption algorithm, which can improve encryption efficiency and simplify key management. The server checks whether the SSH user, public key, and digital user signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server. |
| DSA | It is the same as RSA authentication in implementation. The server checks whether the SSH user, public key, and digital user signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server. Compared with RSA authentication, DSA authentication uses the digital signature algorithm for encryption and has a wider application scope: many SSH tools only support DSA authentication for servers and clients; based on the latest RFC recommendation for SSH, DSA authentication takes precedence over RSA authentication. |
| ECC | Like RSA authentication, the server first checks the validity of the SSH user and whether the public key and the numeric signature are valid. If all of them are consistent with those configured on the server, user authentication succeeds. If any of the three cannot pass authentication, the user access is denied. Compared with the RSA algorithm, the ECC authentication has the following advantages: provides the same security with shorter key length; features a shorter computing process and higher processing speed; requires less storage space; requires lower bandwidth. |
| password | On the server, the AAA module assigns each authorized user a password for login. The server has the mapping between user names and passwords. When a user requests to access the server, the server authenticates the user name and password. If either of them fails to be authenticated, the access request of the user is denied. The account information of users who are configured with the password authentication mode can be configured on devices or remote authentication servers (for example, RADIUS servers). |
| password-rsa, password-dsa, and password-ecc | The SSH server authenticates a client by checking both the public key and password. The client can be authenticated only when both the public key and password meet the requirement. |
| all | In this authentication mode, the SSH server authenticates a client by checking the public key or password. The client can be authenticated when either the public key or password meets the requirement. |

Precautions
A new SSH user cannot log in to the SSH server unless an authentication mode has been
configured for the user. The newly configured authentication mode takes effect upon next login.

Example
# Configure the password authentication mode for an SSH user John.
<HUAWEI> system-view
[~HUAWEI] ssh user john authentication-type password

# Set the authentication type to ECC for the SSH user named ssh_user1@dom1.
<HUAWEI> system-view
[~HUAWEI] ssh user ssh_user1@dom1 authentication-type ecc

3.6.79 ssh user service-type


Function
The ssh user service-type command configures the service type for an SSH user.
The undo ssh user service-type command restores the default service type for an SSH user.
By default, no service type is configured for an SSH user.


Format
ssh user user-name service-type { { sftp | stelnet | snetconf } * | all }

undo ssh user user-name service-type

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| user-name | Specifies the SSH user name. | The SSH user must already exist. |
| sftp | Specifies the SFTP service type. | - |
| stelnet | Specifies the STelnet service type. | - |
| snetconf | Specifies the SNetconf service type. | - |
| all | Specifies the SFTP, STelnet, and SNetconf service types. | - |

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run this command to determine the service type for connecting to devices. If the
user-name user does not exist, the system creates an SSH user named user-name and uses the
configured service type for the SSH user.

Precautions

If the SFTP service type is configured for an SSH user, you need to set the authorized
directory for the user. By default, the SFTP service authorized directory is flash: for the SSH
user. You can run the ssh user sftp-directory command to set the authorized directory.

If you run the ssh user user-name service-type sftp stelnet snetconf command, the ssh user
user-name service-type all command is saved in the configuration file.

Example
# Configure the all service type for an SSH user John.
<HUAWEI> system-view
[~HUAWEI] ssh user john service-type all
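
The following added example (not part of the Huawei documentation) audits the `ssh user` lines of a saved configuration against the statements made in sections 3.6.76 to 3.6.79: a user without an authentication mode cannot log in, `all` accepts either a password or a key, RSA is not recommended, and SFTP users fall back to `flash:` when no directory is set. The sample configuration, the finding names and the function names are constructed for illustration; the `ssh user user-name sftp-directory directory` line format and unquoted user names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
ssh user John
ssh user john authentication-type all
ssh user john service-type all
ssh user ops authentication-type password-ecc
ssh user ops assign ecc-key opskey
ssh user ops service-type stelnet
ssh user backup authentication-type rsa
ssh user backup assign rsa-key key1
ssh user backup service-type sftp
ssh user backup sftp-directory flash:/backup
ssh user eve authentication-type dsa
ssh user ghost
"""

# Key type that each public-key authentication mode depends on.
REQUIRED_KEY = {"rsa": "rsa-key", "password-rsa": "rsa-key",
                "dsa": "dsa-key", "password-dsa": "dsa-key",
                "ecc": "ecc-key", "password-ecc": "ecc-key"}
ALL_SERVICES = {"sftp", "stelnet", "snetconf"}
# Assumption: user names are unquoted (no embedded spaces).
LINE = re.compile(
    r"^\s*ssh user (\S+)"
    r"(?: (authentication-type|assign|service-type|sftp-directory) (.+?))?\s*$")


def parse_ssh_users(config):
    """Collect the per-user settings from 'ssh user ...' lines."""
    users = defaultdict(
        lambda: {"auth": None, "keys": {}, "services": set(), "sftp_dir": None})
    for raw in config.splitlines():
        match = LINE.match(raw)
        if not match:
            continue
        name, keyword, value = match.groups()
        user = users[name.lower()]      # the page: names are case-insensitive
        if keyword == "authentication-type":
            user["auth"] = value
        elif keyword == "assign":
            parts = value.split()
            if len(parts) == 2:
                user["keys"][parts[0]] = parts[1]   # latest assigned key wins
        elif keyword == "service-type":
            chosen = set(value.split())
            user["services"] = set(ALL_SERVICES) if "all" in chosen else chosen
        elif keyword == "sftp-directory":
            user["sftp_dir"] = value
    return dict(users)


def audit_ssh_users(config):
    """Return (user, finding) pairs, sorted by user name."""
    findings = []
    for name, user in sorted(parse_ssh_users(config).items()):
        auth = user["auth"]
        if auth is None:
            # Page: a new SSH user cannot log in without an authentication mode.
            findings.append((name, "NO_AUTH_TYPE"))
        elif auth == "all":
            # Page: either the public key or the password is sufficient.
            findings.append((name, "AUTH_ALL_EITHER_FACTOR"))
        elif auth in REQUIRED_KEY and REQUIRED_KEY[auth] not in user["keys"]:
            findings.append((name, "KEY_NOT_ASSIGNED"))
        if auth in ("rsa", "password-rsa") or "rsa-key" in user["keys"]:
            # Page: RSA authentication / RSA public keys are not recommended.
            findings.append((name, "RSA_NOT_RECOMMENDED"))
        if "sftp" in user["services"] and user["sftp_dir"] is None:
            # Page: the SFTP authorized directory defaults to flash:.
            findings.append((name, "SFTP_DEFAULT_DIRECTORY"))
    return findings


if __name__ == "__main__":
    for user_name, finding in audit_ssh_users(SAMPLE_CONFIG):
        print(f"{user_name}: {finding}")
```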


3.6.80 stelnet

Function
The stelnet command enables you to use the STelnet protocol to log in to another device from
the current device.

Format
# IPv4 address

stelnet [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] host-ip [ port-number ] [ -vpn-instance vpn-instance-name | prefer_kex kex-type | prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-type | prefer_ctos_hmac hmac-type | prefer_stoc_hmac hmac-type | prefer_ctos_compress compress-type | prefer_stoc_compress compress-type | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] *

# IPv6 address

stelnet ipv6 [ -a source-ip-address ] [ -force-receive-pubkey ] host-ipv6 [ -vpn-instance vpn-instance-name ] [ -oi interface-type interface-number ] [ port-number ] [ prefer_kex kex-type | prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-type | prefer_ctos_hmac hmac-type | prefer_stoc_hmac hmac-type | prefer_ctos_compress compress-type | prefer_stoc_compress compress-type | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] *

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| -a source-ip-address | Specifies the STelnet source IP address. | - |
| -i interface-type interface-number | Specifies the STelnet source interface. If the source interface is specified using -i interface-type interface-number, the -vpn-instance vpn-instance-name parameter is not supported. | - |
| -force-receive-pubkey | Indicates that a server forcibly receives public key authentication. | - |
| host-ip | Specifies the IP address or host name of the remote IPv4 STelnet server. | The IPv4 STelnet server must already exist. |
| host-ipv6 | Specifies the IPv6 address or host name of the remote IPv6 STelnet server. | The IPv6 STelnet server must already exist. |
| -oi interface-type interface-number | Specifies the outbound interface on the local device. | If the IPv6 address of the remote host is linked to a local address, the outbound interface must be specified. |
| port-number | Specifies the port number that the SSH server is listening on. | The value is an integer that ranges from 1 to 65535. The default value 22 is the standard port number. |
| prefer_kex kex-type | Specifies the preferred key exchange algorithm. | The key exchange algorithms include: dh-exchange-group-sha256, dh_exchange_group, dh_group1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, sm2_kep, DH_Group14_SHA1. The default key exchange algorithm is dh_group1. NOTE: When the public key for the authentication on the server is ECC, the preferred key exchange algorithm must be sm2_kep. |
| prefer_ctos_cipher cipher-type | Specifies the preferred encryption algorithm from the client to the server. | The encryption algorithms include: 3des, aes128, aes256, arcfour128, arcfour256, des, aes128_ctr, aes256_ctr, aes192, aes128_gcm, aes256_gcm, aes192_ctr. The default encryption algorithm is aes256. Encryption algorithms supported depend on the ssh client cipher command configured by the user. |
| prefer_stoc_cipher cipher-type | Specifies the preferred encryption algorithm from the server to the client. | The encryption algorithms include: 3des, aes128, aes256, arcfour128, arcfour256, des, aes128_ctr, aes256_ctr, aes192, aes128_gcm, aes256_gcm, aes192_ctr. The default encryption algorithm is aes256. Encryption algorithms supported depend on the ssh client cipher command configured by the user. |
| prefer_ctos_hmac hmac-type | Specifies the preferred HMAC algorithm from the client to the server. | The HMAC algorithms include: md5, md5_96, sha1, sha1_96, sha2_256, sha2_256_96, sha2_512. The default HMAC algorithm is sha2_256. |
| prefer_stoc_hmac hmac-type | Specifies the preferred HMAC algorithm from the server to the client. | The HMAC algorithms include: md5, md5_96, sha1, sha1_96, sha2_256, sha2_256_96, sha2_512. The default HMAC algorithm is sha2_256. |
| prefer_ctos_compress compress-type | Specifies the preferred compression algorithm from the client to the server. | The value of this parameter can only be set to zlib in the current version. |
| prefer_stoc_compress compress-type | Specifies the preferred compression algorithm from the server to the client. | The value of this parameter can only be set to zlib in the current version. |
| -vpn-instance vpn-instance-name | Specifies the name of the VPN instance. | The VPN must already exist. |
| -ki aliveinterval | Specifies the interval for sending keepalive packets when no packet is received. | The value is an integer that ranges from 1 to 3600, in seconds. |
| -kc alivecountmax | Specifies the number of times for no reply of keepalive packets. | The value is an integer that ranges from 1 to 30. The default value is 3. |
| identity-key | Specifies the public key algorithm for the authentication on the server. | The public key algorithm can be one of the following: dsa, ecc, rsa. The default public key algorithm is ecc. |
| user-identity-key | Indicates the public key for the user authentication. | The public key algorithm can be one of the following: dsa, ecc, rsa. The default public key algorithm is ecc. |

Views
User view, System view

Default Level
0: Visit level

Usage Guidelines
Usage Scenario
Logins through Telnet bring security risks because Telnet does not provide any authentication
mechanism and data is transmitted using TCP in plain text. Compared with Telnet, SSH
guarantees secure file transfer on a traditional insecure network by authenticating clients and
encrypting data in bidirectional mode. The SSH protocol supports STelnet. You can run this
command to use STelnet to log in to another device from the current device.
STelnet is a secure Telnet service. SSH users can use the STelnet service in the same way as
the Telnet service.
When a fault occurs in the connection between the client and server, the client needs to detect
the fault in real time and proactively release the connection. To make this possible, set the
interval for sending keepalive packets and the maximum number of unanswered keepalive packets
on the client that logs in to the server through STelnet.
- Interval for sending keepalive packets: If a client does not receive any packet within the
  specified interval, the client sends a keepalive packet to the server.
- Maximum number of times the server has no response: If the number of times that the
  server does not respond exceeds the specified value, the client proactively releases the
  connection.
Precautions

- Before connecting to the SSH server using the stelnet command, enable the STelnet service
  on the SSH server by running the stelnet server enable command.
- The SSH client can log in to the SSH server with no port specified only when the server
  is listening on port 22. If the server is listening on another port, the port number must be
  specified upon login.

Example
# Set keepalive parameters when the client logs in to the server through STelnet.
<HUAWEI> stelnet 10.164.39.209 -ki 10 -kc 4

# Remotely connect to the STelnet server that uses an IPv6 address.
<HUAWEI> stelnet ipv6 fc00:2001:db8::1 prefer_ctos_cipher aes128
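
The following added example (not part of the Huawei documentation) resolves the algorithms an `stelnet` command line will prefer, filling in the defaults listed in the parameter table above, and reports the ones a reviewer would question; a plain `telnet` command is reported as plaintext, as the Usage Scenario states. The set of algorithms treated as weak is this example's own classification based on general cryptographic guidance, not a statement by Huawei, and the function names are hypothetical.

```python
# Defaults stated in the stelnet parameter table on this page.
PAGE_DEFAULTS = {
    "prefer_kex": "dh_group1",
    "prefer_ctos_cipher": "aes256",
    "prefer_stoc_cipher": "aes256",
    "prefer_ctos_hmac": "sha2_256",
    "prefer_stoc_hmac": "sha2_256",
}

# Assumption (this example's classification, not from the page):
# dh_group1 is taken to be the 1024-bit group 1 exchange; DES, 3DES and
# RC4 (arcfour) ciphers and MD5/SHA-1 based HMACs are treated as weak.
WEAK = {
    "kex": {"dh_group1"},
    "cipher": {"des", "3des", "arcfour128", "arcfour256"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96"},
}


def _tokens(command):
    """Split a command line and drop a leading '<HUAWEI>' style prompt."""
    tokens = command.split()
    if tokens and tokens[0].startswith("<") and tokens[0].endswith(">"):
        tokens = tokens[1:]
    return tokens


def effective_algorithms(command):
    """Return the preferred algorithm per option, defaults included."""
    tokens = _tokens(command)
    if not tokens or tokens[0] != "stelnet":
        raise ValueError("not an stelnet command")
    chosen = dict(PAGE_DEFAULTS)
    for index, token in enumerate(tokens[:-1]):
        if token in chosen:
            chosen[token] = tokens[index + 1]
    return chosen


def review_login_command(command):
    """Return (option, value, origin) findings for a telnet/stelnet command."""
    tokens = _tokens(command)
    if tokens and tokens[0] == "telnet":
        # Page: Telnet data is transmitted using TCP in plain text.
        return [("protocol", "telnet", "explicit")]
    findings = []
    for option, algorithm in effective_algorithms(command).items():
        family = option.rsplit("_", 1)[-1]          # kex / cipher / hmac
        if algorithm.lower() in WEAK[family]:
            origin = "explicit" if option in tokens else "default"
            findings.append((option, algorithm, origin))
    return findings


if __name__ == "__main__":
    # The first two commands are the page's own examples; the third is constructed.
    for line in (
        "<HUAWEI> stelnet 10.164.39.209 -ki 10 -kc 4",
        "<HUAWEI> stelnet ipv6 fc00:2001:db8::1 prefer_ctos_cipher aes128",
        "<HUAWEI> stelnet 10.1.1.1 prefer_kex ecdh-sha2-nistp384 "
        "prefer_stoc_cipher arcfour128 prefer_ctos_hmac md5",
    ):
        print(line, "->", review_login_command(line))
```

Because the page gives dh_group1 as the default key exchange algorithm, a command that sets no `prefer_kex` is still reported, with origin `default`.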

3.6.81 stelnet server enable

Function
The stelnet server enable command enables the STelnet service on the SSH server.

The undo stelnet server enable command disables the STelnet service on the SSH server.

By default, the STelnet service is disabled on the SSH server.

Format
stelnet [ ipv4 | ipv6 ] server enable

undo stelnet [ ipv4 | ipv6 ] server enable

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| ipv4 | Specifies IPv4 server. | - |
| ipv6 | Specifies IPv6 server. | - |

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

To connect a client to the SSH server through STelnet, you must enable the STelnet service on
the SSH server.


Run the stelnet server enable command to enable both the IPv4 and IPv6 STelnet servers. Run
the stelnet ipv4 server enable command to enable the IPv4 STelnet server. Run the stelnet ipv6
server enable command to enable the IPv6 STelnet server.
Precautions
After you disable the STelnet service on the SSH server, all clients that have logged in
through STelnet are disconnected.
In V200R002C50 and V200R003C00, you can run the stelnet [ ipv4 | ipv6 ] server enable
command to enable the STELNET function. If the current version is downgraded to
V200R001C00 or an earlier version, this configuration will be lost, so you need to run the
stelnet server enable command again. In V200R005C00, you can run the stelnet ipv4 server
enable command to enable the IPv4 STELNET function, or run the stelnet ipv6 server
enable command to enable the IPv6 STELNET function (IPv4 STELNET and IPv6
STELNET functions are not enabled simultaneously). If the current version is downgraded to
V200R001C00 or an earlier version, this configuration will be lost, so you need to run the
stelnet server enable command again.

Example
# Enable the STelnet service.
<HUAWEI> system-view
[~HUAWEI] stelnet server enable

3.6.82 telnet
Function
The telnet command enables you to use the Telnet protocol to log in to another device from
the current device.

Format
# Log in to another device through Telnet based on IPv4.
telnet [ [ vpn-instance vpn-instance-name ] -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]
# Log in to another device through Telnet based on IPv6.
telnet ipv6 [ vpn-instance vpn-instance-name ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ]


Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| vpn-instance vpn-instance-name | Specifies the VPN instance name of the device to log in through Telnet. If the VPN instance is specified using vpn-instance vpn-instance-name, the -i interface-type interface-number parameter is not supported. | The VPN must already exist. |
| -a source-ip-address | By specifying a source IP address, you can use this address to communicate with the server for high network security. If no source address is specified, the system will use the IP address of the local outbound interface to initiate a Telnet connection. | - |
| -i interface-type interface-number | Specifies the source interface type and number on the local device. | - |
| host-ip | Specifies the IPv4 address or host name of the remote device. | The host-ip must already exist. |
| host-ipv6 | Specifies the IPv6 address or host name of the remote device. | The host-ipv6 must already exist. |
| -oi interface-type interface-number | Specifies the outbound interface on the local device. | If the IPv6 address of the remote host is linked to a local address, the outbound interface must be specified. |
| port-number | Specifies the number of the TCP port that is used by the remote device to provide the Telnet service. | The value is an integer that ranges from 1 to 65535. The default value is 23. |

Views
User view

Default Level
0: Visit level

Usage Guidelines
Usage Scenario
If one or more devices on the network need to be configured and managed, you do not need to
connect each device to your terminal for local maintenance. If you have learned the IP address
of the device, you can run this command to log in to the device from your terminal for remote
device configuration. By doing this, you can use one terminal to maintain multiple devices on
the network.

You can press Ctrl+K to terminate an active connection between the local and remote
devices.

Prerequisites

The terminal can communicate with the remote device over IP, and the Telnet server is
enabled on the remote device.

Precautions

- Before you run the telnet command to connect to the Telnet server, the Telnet client and
  server must be able to communicate through Layer 3 and the Telnet service must be
  enabled on the Telnet server.
- Logins through Telnet bring security risks because Telnet does not provide any
  authentication mechanism and data is transmitted using TCP in plain text. The STelnet
  mode is recommended for networks that have high security requirements.

Example
# Connect to a remote device through Telnet.
<HUAWEI> telnet 192.168.1.6

# Use the IPv6 address to connect to a remote device through Telnet.
<HUAWEI> telnet ipv6 fc00:0:0:11::158

3.6.83 telnet client source

Function
The telnet client source command specifies the source IP address and interface for a Telnet
client.

The undo telnet client source command restores the default settings.

The default source IP address of the Telnet client is 0.0.0.0.

Format
telnet client source { -a source-ip-address | -i interface-type interface-number }

undo telnet client source

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| -a source-ip-address | Specifies the IPv4 address of the local switch. | - |
| -i interface-type interface-number | Specifies the outbound interface of the local switch. | - |


Views
System view

Default Level
3: Management level

Usage Guidelines
If the source IP address and interface are not specified in the telnet command, use the default
settings specified by telnet client source. If the source IP address and interface are specified
in the telnet command, use the specified settings. Check the current Telnet connection on the
server. The IP address displayed is the specified source IP address or the primary IP address
of the specified interface.

After a bound source interface is deleted, the interface configuration specified using the ssh
server-source command will not be cleared but does not take effect. If you configure the
source interface with the same name again, the interface configuration specified using the ssh
server-source command is updated and the function restores.

If the specified source interface has been bound to a VPN instance, the client is automatically
bound to the same VPN instance.

Example
# Set the source IP address of the Telnet client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] telnet client source -a 10.1.1.1

3.6.84 telnet dscp

Function
The telnet dscp command sets the DSCP priority of Telnet packets.

The undo telnet dscp command restores the default setting.

By default, the DSCP priority of Telnet packets is 48.

Format
telnet { client | server } dscp dscp-number

undo telnet { client | server } dscp [ dscp-number ]

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| client | Specifies the Telnet client. | - |
| server | Specifies the Telnet server. | - |
| dscp-number | Specifies the DSCP priority. | The value is an integer that ranges from 0 to 63. A greater DSCP value indicates a higher priority. |

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run this command to set the DSCP priority of Telnet packets. The DSCP priority of
Telnet packets sent by the switch is then changed to the configured value. When network
congestion occurs, you can appropriately reduce the DSCP priority of Telnet packets to ensure
proper forwarding of data packets.

The priority of this command is higher than that of the set priority dscp command. If a DSCP
value is configured using this command, the configured value takes effect. If a DSCP value is
configured using the set priority dscp command rather than this command, the value
configured using the set priority dscp command takes effect. If no DSCP value is configured
using the preceding commands, the default DSCP value is used.

When you run the undo telnet { client | server } dscp [ dscp-number ] command:

- If dscp-number is not specified, the DSCP field is restored to the default value.
- If dscp-number is 48, the DSCP field is restored to the default value.
- If dscp-number is set to a value other than 48, the value must be the same as the one
  configured using the telnet { client | server } dscp dscp-number command. Otherwise, the
  command execution fails.

Precautions

The command only takes effect for IPv4 packets.

Example
# Set the DSCP priority of Telnet packets sent by the client to 40.
<HUAWEI> system-view
[~HUAWEI] telnet client dscp 40


3.6.85 telnet server acl


Function
The telnet server acl command configures the ACL to control the access of clients to the
Telnet server.
The undo telnet server acl command cancels the configuration of the ACL.
By default, no ACL is configured for Telnet server.

Format
telnet [ ipv6 ] server acl { acl-number | acl-name }
undo telnet [ ipv6 ] server acl

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| ipv6 | Specifies a Telnet IPv6 server. | - |
| acl-number | Specifies the basic ACL number. | The value is an integer that ranges from 2000 to 3999. |
| acl-name | Specifies the ACL name. | The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter or digit, and cannot contain only digits. |

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When a device functions as the Telnet server, you can configure the ACL on the device to
control the login of the clients to the device.
Prerequisites
Before running this command, run the acl (system view) command in the system view and run the
rule (ACL view) command to configure an ACL.
Precautions
l If no rule is configured, the incoming and outgoing calls are not restricted after the
command telnet server acl is run.

• A basic ACL is configured to restrict source addresses and an advanced ACL is configured to restrict source and destination addresses.
• If the access control right for a network segment is permit or deny, the access control right for the other network segments is deny. For example, if an ACL allows access from clients on a network segment, clients on the other network segments cannot log in to the device. If an ACL rejects access from clients on a network segment, clients on all the network segments cannot log in to the device by default.
• The command telnet server acl { acl-number | acl-name } takes effect for the IPv4 function.

Example
# Configure the ACL numbered 2000 on the Telnet server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] telnet server acl 2000

# Configure the ACL named huawei on the Telnet server.


<HUAWEI> system-view
[~HUAWEI] acl name huawei
[*HUAWEI-acl4-advance-huawei] rule permit tcp
[*HUAWEI-acl4-advance-huawei] quit
[*HUAWEI] telnet server acl huawei

3.6.86 telnet server login-failed threshold-alarm

Function
The telnet server login-failed threshold-alarm command configures alarm generation and
clearance thresholds for Telnet server login failures within a specified period.

The undo telnet server login-failed threshold-alarm command restores the default alarm
generation and clearance thresholds.

By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes
and is cleared if the number of login failures falls below 20 within the same period.

Format
telnet server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time

undo telnet server login-failed threshold-alarm [ upper-limit report-times lower-limit resume-times period period-time ]

Parameters
Parameter | Description | Value
upper-limit report-times | Specifies an alarm generation threshold. | The value is an integer ranging from 0 to 100. The default value is 30. If the value is 0, no alarms are generated upon Telnet server login failures.
lower-limit resume-times | Specifies an alarm clearance threshold. | The value is an integer ranging from 0 to report-times. It varies with report-times. The default value is 20, and the maximum value is 45. If resume-times is 0, it functions the same as when the value is set to 1, which means that a clear alarm is generated if no login failures occur.
period period-time | Specifies a statistics collection period. | The value is an integer ranging from 1 to 120, in minutes. The default value is 5. If report-times is 0, the period-time value specified does not take effect.

Views
System view

Default Level
3: Management level

Task Name and Operations

Task Name | Operations
telnet-server | write

Usage Guidelines
Usage Scenario

To manage frequent Telnet server login failures within a specified period, run the telnet
server login-failed threshold-alarm command to configure alarm generation and clearance
thresholds for the login failures.

This command takes effect for both IPv4 and IPv6 Telnet servers.

Precautions

The alarm generation threshold specified using report-times must be greater than or equal to
the alarm clearance threshold specified using resume-times.

Example
# Configure the device to generate an alarm when the number of Telnet server login failures
within 3 minutes reaches 20 and clear the alarm when the number of Telnet server login
failures within 3 minutes is less than 10.
<HUAWEI> system-view
[~HUAWEI] telnet server login-failed threshold-alarm upper-limit 20 lower-limit 10 period 3

3.6.87 telnet server-source


Function
The telnet server-source command specifies a source interface for a Telnet server.
The undo telnet server-source command restores the default setting.
By default, the source interface of a Telnet server is not specified.

Format
telnet server-source -i loopback interface-number
undo telnet server-source
telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
undo telnet ipv6 server-source

Parameters
Parameter | Description | Value
-i loopback interface-number | Specifies a loopback interface as the source interface of the Telnet server. | The value is an integer that ranges from 0 to 1023.
-a ipv6-address | Specifies the source IPv6 address. | The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.
ipv6 | Specifies the Telnet IPv6 server. | -
-vpn-instance vpn-instance-name | Specifies the VPN. | The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

By default, a Telnet server receives connection requests from all interfaces, which leaves the
system vulnerable to attacks. To enhance system security, you can specify the source interface of
the Telnet server. This sets a login condition so that only authorized users can log in to the
Telnet server.
The command telnet server-source -i loopback interface-number takes effect for the IPv4
function.
Prerequisites
Before running the telnet server-source command, ensure that the loopback interface to be
specified as the source interface has been created. If the loopback interface is not created, the
telnet server-source command cannot be correctly executed.
To configure the VPN instance using this command, the VPN must already be configured successfully.
Precautions
• After the source interface is specified, the system only allows Telnet users to log in to the Telnet server through this source interface, and Telnet users logging in through other interfaces are denied. Note that setting this parameter only affects Telnet users who attempt to log in to the Telnet server, and it does not affect Telnet users who have logged in to the server.
• After the source interface of a Telnet server is specified using this command, ensure that Telnet users can access the source interface at Layer 3. Otherwise, the Telnet users will fail to log in to the Telnet server.
• If the specified source interface has been bound to a VPN instance, the server is automatically bound to the same VPN instance.
• After a bound VPN instance is deleted, the VPN configuration specified using the telnet server-source command is not cleared but does not take effect. In this case, the Telnet server uses a public IP address. If you configure the VPN instance with the same name again, the VPN function is restored.
• For an IPv6 Telnet server, you can run the telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command to configure a user to log in to the server through a specified IPv6 source address.
• After a bound source interface is deleted, the interface configuration specified using the ssh server-source command is not cleared but does not take effect. If you configure the source interface with the same name again, the interface configuration specified using the ssh server-source command is updated and the function is restored.

Example
# Specify Loopback0 as the source interface of the Telnet server.
<HUAWEI> system-view
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 10.1.1.1 24
[*HUAWEI-LoopBack0] quit
[*HUAWEI] telnet server-source -i loopback 0

3.6.88 telnet server disable


Function
The telnet server disable command disables the Telnet server.

The undo telnet server disable command enables the Telnet server.
The default situation is as follows:
• If a device starts without any configuration file, the Telnet server is disabled.
• If a device starts with a loaded configuration file (for example, a configuration file is loaded to the device using ZTP for initial configuration) and the configuration file contains the telnet server disable command, the Telnet server is disabled; otherwise, the Telnet server is enabled.

Format
telnet [ ipv6 ] server disable
undo telnet [ ipv6 ] server disable

Parameters
Parameter | Description | Value
ipv6 | Specifies a Telnet IPv6 server. | -

Views
System view

Default Level
3: Management level

Usage Guidelines
You can run this command to enable and disable the Telnet server. A Telnet server can be
connected only when it is enabled.
If the Telnet server is disabled using the telnet [ ipv6 ] server disable command, new Telnet
connections are not allowed and existing Telnet connections are disconnected.
When a Telnet server stops, you can log in to the device only through the console port or
SSH.

The Telnet protocol is insecure, and the STelnet V2 mode is recommended.

Example
# Enable a Telnet server.
<HUAWEI> system-view
[~HUAWEI] undo telnet server disable

# Disable a Telnet server.

<HUAWEI> system-view
[~HUAWEI] telnet server disable

# Enable an IPv6 Telnet server.


<HUAWEI> system-view
[~HUAWEI] undo telnet ipv6 server disable

3.6.89 telnet server port

Function
The telnet server port command configures the listening port number of a Telnet server.

The undo telnet server port command restores the default listening port of a Telnet server.

The default listening port of a Telnet server is 23.

Format
telnet [ ipv6 ] server port port-number

undo telnet [ ipv6 ] server port

Parameters
Parameter | Description | Value
ipv6 | Specifies a Telnet IPv6 server. | -
port-number | Specifies the listening port number of a Telnet server. | The value is an integer that is 23 or ranges from 1025 to 65535. The default value 23 is the standard Telnet server port number.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

To protect the Telnet standard port against attacks and ensure network security, configure the
listening port number of the Telnet server.

The command telnet server port port-number takes effect for IPv4 Telnet servers.

Precautions

A Telnet client can log in to the server with no port specified only when the server is listening
on port 23. If the server is listening on another port, the port number must be specified upon
login.

Before changing the current port number, disconnect all devices from the port. After the port
number is changed, the server starts to listen on the new port.

Example
# Configure the listening port number to 1026.
<HUAWEI> system-view
[~HUAWEI] telnet server port 1026

# Restore the listening port number to the default value.


<HUAWEI> system-view
[~HUAWEI] undo telnet server port
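
The Telnet server settings described in 3.6.85 to 3.6.89 can be reviewed together. The Python audit below is an added example, not Huawei code: it reads a configuration supplied as command text in the form this section's examples use and reports which of these settings are absent or weak. The finding names, the sample configurations, and applying the default-enabled rule to both the IPv4 and IPv6 servers are assumptions.

```python
import re

# Constructed samples, written in the command form used by this section's
# examples. A saved configuration may render ACLs differently (assumption).
WEAK = """\
acl 2000
telnet server acl 2000
telnet server login-failed threshold-alarm upper-limit 0 lower-limit 0 period 5
"""
RESTRICTED = """\
acl 2000
 rule permit source 10.1.1.1 0
interface loopback 0
 ip address 10.1.1.1 24
telnet server acl 2000
telnet server-source -i loopback 0
telnet server port 1026
telnet ipv6 server disable
"""
DISABLED = "telnet server disable\ntelnet ipv6 server disable\n"

ALARM_RE = re.compile(r"^telnet server login-failed threshold-alarm "
                      r"upper-limit (\d+) lower-limit (\d+) period (\d+)$")


def parse_acls(lines):
    """Map each ACL number or name to the count of rule lines under it."""
    acls, current = {}, None
    for line in lines:
        m = re.match(r"^acl (?:number |name )?(\S+)", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, 0)
        elif current and re.match(r"^\s*rule (?:\d+ )?(permit|deny)\b", line):
            acls[current] += 1
        elif not line.startswith(" "):
            current = None  # a non-indented, non-rule line leaves the ACL view
    return acls


def check_alarm(upper, lower, period):
    """Check threshold-alarm values against the ranges given in 3.6.86."""
    out = []
    if not 0 <= upper <= 100 or not 1 <= period <= 120:
        out.append("ALARM_VALUE_OUT_OF_RANGE")
    if lower > upper or lower > 45:
        out.append("ALARM_LOWER_LIMIT_INVALID")
    if upper == 0:  # per the page, 0 means no login-failure alarm is generated
        out.append("LOGIN_FAILURE_ALARM_DISABLED")
    return out


def audit_telnet(config_text):
    """Return sorted (family, finding) tuples for the Telnet server settings."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    stripped = [l.strip() for l in lines]
    acls = parse_acls(lines)
    findings = []
    for family, kw in (("ipv4", ""), ("ipv6", "ipv6 ")):
        if f"telnet {kw}server disable" in stripped:
            continue  # server is off, so the remaining checks do not apply
        findings.append((family, "TELNET_ENABLED"))
        acl = next((l.split()[-1] for l in stripped
                    if l.startswith(f"telnet {kw}server acl ")), None)
        if acl is None:
            findings.append((family, "NO_ACL"))
        elif acls.get(acl, 0) == 0:
            # Per 3.6.85: an ACL with no rule does not restrict logins.
            findings.append((family, "ACL_WITHOUT_RULES"))
        if not any(l.startswith(f"telnet {kw}server-source ") for l in stripped):
            findings.append((family, "NO_SOURCE_BINDING"))
        port = next((l.split()[-1] for l in stripped
                     if l.startswith(f"telnet {kw}server port ")), "23")
        if port == "23":
            findings.append((family, "DEFAULT_PORT_23"))
    for l in stripped:
        m = ALARM_RE.match(l)
        if m:  # the alarm command applies to both IPv4 and IPv6 servers
            findings.extend(("both", f) for f in check_alarm(*map(int, m.groups())))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("restricted", RESTRICTED),
                      ("disabled", DISABLED)):
        print(name, audit_telnet(cfg))
```

An empty result means both Telnet servers are disabled, which matches the page's recommendation to use STelnet instead.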

3.7 File Management Commands

3.7.1 activate ftp server ip-block ip-address

Function
The activate ftp server ip-block ip-address command unlocks the IPv4 and IPv6 addresses
of a user that fails the FTP authentication.

Format
activate ftp server ip-block ip-address ip-address [ vpn-instance vpn-name ]

Parameters

Parameter | Description | Value
ip-address | Specifies a locked IP address. | For an IPv4 address, the value is in the decimal format. For an IPv6 address, the value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
vpn-instance vpn-name | Specifies the name of a VPN to which the locked user belongs. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string.

Views
User view

Default Level
3: Management level

Task Name and Operations


Task Name | Operations
ftp-server | write

Usage Guidelines
In an FTP connection, if a user enters incorrect passwords the specified number of consecutive
times within the specified number of minutes, the IP address of this user is locked. Run the
ftp server ip-block reactive command to set the lock period. To unlock the IP address of this
user in advance, run the activate ftp server ip-block ip-address command.

Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate ftp server ip-block ip-address 10.1.2.3

3.7.2 append

Function
The append command adds local file data to the end of a file on the FTP server.

Format
append local-filename [ remote-filename ]

Parameters
Parameter | Description | Value
local-filename | Specifies the local file name. | The value is a string of 1 to 128 characters.
remote-filename | Specifies the name of a file on the FTP server. If the specified file does not exist on the FTP server, the file is created. | The value is a string of 1 to 128 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
If the file specified in the remote-filename parameter does not exist when you run the
append command, the file is created and the local file data is added to the end of the created file.

Example
# Add the data of local file sample2.txt to the end of file sample1.txt on the FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] append sample2.txt sample1.txt
200 Port command okay.
150 Opening ASCII mode data connection for /sample1.txt.
226 Transfer complete.
\ 100% [***********]
FTP: 35 byte(s) send in 1.443522666 second(s) 23byte(s)/sec.

# Add the data of local file a.txt to the end of file a.txt on the FTP server.
[ftp] append a.txt
200 Port command okay.
150 Opening ASCII mode data connection for /a.txt.
226 Transfer complete.
\ 100% [***********]
FTP: 35 byte(s) send in 1.443522666 second(s) 23byte(s)/sec.

3.7.3 ascii
Function
The ascii command sets the file transfer mode to ASCII on an FTP client.
The default file transfer mode is ASCII.

Format
ascii

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Files can be transferred in ASCII or binary mode.
ASCII mode is used to transfer plain text files, and binary mode is used to transfer application
files, such as system software, images, video files, compressed files, and database files.

Example
# Set the file transfer mode to ASCII.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] ascii
200 Type set to A.

3.7.4 binary
Function
The binary command sets the file transmission mode to binary on an FTP client.
The default file transfer mode is ASCII.

Format
binary

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Files can be transferred in ASCII or binary mode.
ASCII mode is used to transfer plain text files, and binary mode is used to transfer application
files, such as system software, images, video files, compressed files, and database files.

NOTE

The binary mode can be set to transfer ASCII and binary files.

Example
# Set the file transmission mode to binary.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] binary
200 Type set to I

3.7.5 bye

Function
The bye command terminates the connection with the remote FTP server and enters the user
view.

Format
bye

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
This command is equivalent to the quit command.

You can use the close and disconnect commands to terminate the connection with the remote
FTP server and retain the FTP client view.

Example
# Terminate the connection with the remote FTP server and enter the user view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] bye
221 server closing.
<HUAWEI>

3.7.6 bye/exit

Function
The bye/exit command enables the system to disconnect from the remote SFTP server and
return to the SFTP client view.

Format
bye

exit

Parameters
None

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
You can use this command to return to the system view from the SFTP client view.

Example
# Disconnect from the SFTP server using the bye command.
<HUAWEI> system-view
[~HUAWEI] sftp 10.1.1.1
sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username: sftp
sftp-client> bye
[~HUAWEI]

# Disconnect from the SFTP server using the exit command.


[~HUAWEI] sftp 10.1.1.1
sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username: sftp
sftp-client> exit
[~HUAWEI]

3.7.7 cd (FTP client view)


Function
The cd command changes the working directory of the FTP server.

Format
cd remote-directory

Parameters
Parameter | Description | Value
remote-directory | Specifies the name of a working directory on the FTP server. | The value is a string of 1 to 128 case-insensitive characters without spaces.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
The FTP server authorizes users to access files in certain directories and their subdirectories.

Example
# Change the working directory to d:/temp.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] cd d:/temp
250 "D:/temp" is current directory.

3.7.8 cd (SFTP client view)


Function
The cd command changes the working directory of the SFTP server.

Format
cd [ remote-directory ]

Parameters
Parameter | Description | Value
remote-directory | Specifies the name of a directory on the SFTP server. | The value is a string of 1 to 128 case-insensitive characters without spaces.

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
• The SFTP server authorizes users to access files in certain directories and their subdirectories.
• The specified working directory must exist on the SFTP server. If the remote-directory parameter is not included in the cd command, only the current working directory of an SSH user is displayed as the command output.

Example
# Change the current working directory of the SFTP server to /bill.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> cd bill
Current directory is:
/bill

3.7.9 cd (user view)


Function
The cd command changes the current working directory of a user.
By default, the current working directory is flash:/.

Format
cd [ directory ]

Parameters
Parameter | Description | Value
directory | Specifies the current working directory of a user. | The value is a string of 1 to 255 case-sensitive characters without spaces in the [ drive ] path format. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name. For example, a directory name is flash:/selftest/test/.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
The following describes the drive name.
• drive is the storage device and is named as flash:.
• If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack. For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest directory in the current working directory.
For example, if you change the current working directory flash:/selftest/ to the logfile
directory in flash, the absolute path is flash:/logfile/, and the relative path is /logfile/. The
logfile directory is not logfile/ because it is not in the current working directory selftest.
Precautions
• The directory specified in the cd command must exist; otherwise, the error messages will be displayed:
  You can perform the following operations to rectify faults:
  a. Run the pwd command to view the current working directory.
  b. Run the dir command to view the current working directory and verify that the directory specified in the cd command exists.
• If you run the cd command without specifying the directory parameter, the system returns to the root directory.

Example
# Change the current working directory from flash:/temp to flash:.
<HUAWEI> pwd
flash:/temp/
<HUAWEI> cd flash:
<HUAWEI> pwd
flash:/

# Change the current working directory from flash: to flash:/t1/t2.


<HUAWEI> pwd
flash:/
<HUAWEI> cd flash:/t1/t2
<HUAWEI> pwd
flash:/t1/t2/

# Change the current working directory from flash:/selftest to flash:/logfile.


<HUAWEI> pwd
flash:/selftest/
<HUAWEI> cd /logfile/
<HUAWEI> pwd
flash:/logfile/

# Change the current working directory from flash:/selftest to flash:/selftest/test.


<HUAWEI> pwd
flash:/selftest/
<HUAWEI> cd test/
<HUAWEI> pwd
flash:/selftest/test/

3.7.10 cdup (SFTP client view)


Function
The cdup command changes the current working directory of an SSH user to its parent
directory.

Format
cdup

Parameters
None

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
You can run the cdup command to change the current working directory to its parent
directory.

Example
# Change the current working directory to its parent directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> cd dhcp
Current directory is:
/dhcp
sftp-client> cdup
Current directory is:
/
sftp-client>

3.7.11 cdup (FTP client view)

Function
The cdup command enables you to return to the upper-level directory.

Format
cdup

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To exit from the current directory and return to the upper-level directory, run the cdup
command.

Precautions
The directories accessible to an FTP user are restricted by the authorized directories
configured for the user.

Example
# Exit from the current directory and return to the upper-level directory.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] cd security
250 CWD command successful.
[ftp] cdup
200 CDUP command successful.

3.7.12 close
Function
The close command terminates the connection with the remote FTP server and retains the
FTP client view.

Format
close

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
This command is equivalent to the disconnect command.
You can run the bye and quit commands to terminate the connection with the remote FTP
server and enter the user view.
Precautions
To enter the user view from the FTP client view, you can run the bye or quit command.

Example
# Terminate the connection with the remote FTP server and enter the FTP client view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] close
221 Server closing.

[ftp]

3.7.13 copy
Function
The copy command copies a file.

Format
copy source-filename destination-filename [ all ]

Parameters
Parameter | Description | Settings
source-filename | Specifies the path and the name of a source file. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.
destination-filename | Specifies the path and the name of a destination file. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.
all | Copies a file to all member devices. | -

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
The following describes the drive name.
• drive is the storage device and is named as flash:.
• If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack. For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest directory in the current working directory.
Precautions
• If the destination file name is not specified, the destination file and the source file have the same name. If the source file and the destination file are in the same directory, you must specify the destination file name. If the destination file name is not specified in this case, you cannot copy the source file.

Example
# Copy the newbasicsoft.cc file from the master device in a stack to other member devices.
<HUAWEI> copy newbasicsoft.cc 1#flash:/newbasicsoft.cc
Info: Are you sure to copy flash:/newbasicsoft.cc to 1#flash:/newbasicsoft.cc?
[Y/N]:y
100% complete
Info: Copying file flash:/newbasicsoft.cc to 1#flash:/newbasicsoft.cc...Done.

# Copy the file config.cfg from the root directory of the flash card to flash:/temp. The
destination file name is temp.cfg.

<HUAWEI> copy flash:/config.cfg flash:/temp/temp.cfg
Info: copy flash:/config.cfg to flash:/temp/temp.cfg?[Y/N]:y
100% complete
Info: Copied file flash:/config.cfg to flash:/temp/temp.cfg...Done.

# If the current directory is the root directory of the flash card, you can perform the preceding
configuration using the relative path.
<HUAWEI> pwd
flash:/
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 6,721,804 Mar 19 2012 12:31:58 devicesoft.cc
1 -rw- 910 Mar 19 2012 12:32:58 config.cfg
2 drw- - Mar 05 2012 09:54:34 temp
...
670,092 KB total (569,904 KB free)
<HUAWEI> copy config.cfg temp/temp.cfg
Info: copy flash:/config.cfg to flash:/temp/temp.cfg?[Y/N]:y
100% complete
Info: Copied file flash:/config.cfg to flash:/temp/temp.cfg...Done.

# Copy the file config.cfg from the root directory of the flash card to flash:/temp. The
destination file name is config.cfg.
<HUAWEI> pwd
flash:/
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 6,721,804 Mar 19 2012 12:31:58 devicesoft.cc
1 -rw- 910 Mar 19 2012 12:32:58 config.cfg
2 drw- - Mar 05 2012 09:54:34 temp
...
670,092 KB total (569,904 KB free)
<HUAWEI> copy config.cfg temp
Info: copy flash:/config.cfg to flash:/temp/config.cfg?[Y/N]:y
100% complete
Info: Copied file flash:/config.cfg to flash:/temp/config.cfg...Done.

# Copy the file backup.zip to backup1.zip in the test directory from the current working
directory flash:/test/.
<HUAWEI> pwd
flash:/test/
<HUAWEI> copy backup.zip backup1.zip
Info: copy flash:/test/backup.zip to flash:/test/backup1.zip?[Y/N]:y
100% complete
Info: Copied file flash:/test/backup.zip to flash:/test/backup1.zip...Done.

3.7.14 compare configuration

Function
The compare configuration command checks whether the current configurations are identical to
the next startup configuration file.

Format
compare configuration [ configuration-file ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| configuration-file | Specifies the name of the configuration file to be compared with the current configurations. NOTE: If this parameter is not specified, the current configurations and the next startup configuration file are compared. | The name of the configuration file must already exist. |

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
After completing a series of operations, you can compare whether the current configurations
are the same as the configurations in the next startup configuration file or a specified
configuration file starting from the first line of the current configurations. You can determine
whether to save the current configurations based on the comparison result and specify the
current configurations as the next startup configuration file.
After you run this command to compare the current configurations with the next startup
configuration file or a specified configuration file, the system displays the different content
starting from the first different line to the ninth different line. If the different content contains
fewer than nine lines, the system displays only the content from the first different line to the
end of the file.

NOTE

You can run this command to compare whether the current configurations are the same as the
configurations in the next startup configuration file or a specified configuration file in VSn.

Precautions
The file name extension of the configuration file must be .cfg or .zip.
After this command is run once, only the first difference between the two configuration files
is displayed. To find all differences, modify the configuration so that the displayed
difference no longer exists, and then run the compare configuration command again. Repeat
this until no difference is displayed.

Example
# Compare whether the current configurations are identical with the next startup configuration
file.
<HUAWEI> compare configuration
Building configuration...
Warning: The current configuration is not the same as the next startup
configuration file. There may be several differences, and the
following are some configurations beginning from the first:


====== Current configuration line 9 ======
loopback-detect packet-interval 10
#
drop-profile default
#
vlan batch 10
#
dldp enable
#
lldp enable

====== Configuration file line 7 ======


drop-profile default
#
vlan batch 10
#
lldp enable
#
diffserv domain default
#
mpls

3.7.15 delete (FTP client view)

Function
The delete command deletes a file from the FTP server.

Format
delete remote-filename

Parameters

| Parameter | Description | Value |
|---|---|---|
| remote-filename | Specifies the name of a file to be deleted. | The value is a string of 1 to 128 case-insensitive characters without spaces. |

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Whether you are permitted to delete the file depends entirely on the access rights configured
on the remote server system. You can run the dir command to display the list of directories
and files in the specified directory.

A file deleted in the FTP client view cannot be restored.

Example
# Delete the file temp.c.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] delete temp.c
Warning: File temp.c will be deleted. Continue? [Y/N]:y
250 File deleted from remote host.

3.7.16 delete (user view)

Function
The delete command deletes a specified file in the storage device.

Format
delete [ /unreserved ] [ /quiet ] { filename | devicename } [ all ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| /unreserved | Deletes a specified file. The deleted file cannot be restored. | - |
| /quiet | Deletes a file directly without any confirmation. | - |
| filename | Specifies the name of a file to be deleted. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| devicename | Deletes all the files in the storage device. | - |
| all | Deletes files in the specified directory in a batch from all storage devices. | - |

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
The following describes the drive name.
- drive is the storage device and is named as flash:.
- If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
- flash:/my/test/ is an absolute path.
- /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
- selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
Precautions
- The wildcard (*) character can be used in the delete command.
- If the parameter /unreserved is not included, the file is stored in the recycle bin. To
  display all files including deleted files that are displayed in square brackets ([ ]), run the
  dir /all command. To restore these files that are displayed in square brackets ([ ]), run the
  undelete command. To clear these files from the recycle bin, run the reset recycle-bin
  command.

If you delete a file using the /unreserved parameter, the file cannot be restored.

- If the recycle bin is full, files cannot be deleted using the delete command without the
  parameter /unreserved configured. In this case, delete unnecessary files permanently
  using the delete command with the parameter /unreserved configured.
- If you delete two files with the same name from different directories, the last file deleted
  is kept in the recycle bin.
- If you attempt to delete a protected file, such as a configuration file or patch file, a
  system prompt is displayed.
- You cannot delete a directory by running the delete command. To delete a directory, run
  the rmdir (user view) command.
- After the system is restarted, if a failure message is displayed when you delete a software
  package or configuration file before service processes become stable, perform the
  deletion only when the processes become stable.

Example
# Delete the file test.txt from the current working directory flash:/selftest.
<HUAWEI> delete test.txt
Info: Are you sure to delete flash:/selftest/test.txt? [Y/N]:y

3.7.17 dir (user view)


Function
The dir command displays information about files and directories in the storage medium.

Format
dir [ /all ] [ filename | directory | /all-filesystems ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| /all | Displays information about all files and directories in the current directory, including files and directories moved to the recycle bin from the current directory. | - |
| filename | Specifies the file name. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| directory | Specifies the file directory. | The value is a string of 1 to 255 case-sensitive characters without spaces in the [ drive ] path format. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| /all-filesystems | Displays information about files and directories in the root directories of all the storage media on the device. | - |

Views
User view

Default Level
3: Management level

Usage Guidelines
The wildcard character (*) can be used in this command. If no parameter is specified, this
command displays information about files and directories in the current directory.
The following describes the drive name:
- drive is the storage device and is named as flash:.
- If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
- flash:/my/test/ is an absolute path.
- /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
- selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
You can run the dir /all command to view information about all files and directories of the
storage medium, including those moved to the recycle bin. The name of a file in the recycle
bin is placed in square brackets ([]), for example, [test.txt].
Table 3-38 lists information about some files queried through the dir command.

Table 3-38 File information


| Item | Description |
|---|---|
| $_checkpoint | Directory for storing configuration rollback point information. |
| **.cc | Software version file. |
| POST | Directory for storing hardware self-test information when the system starts. |
| SysResTemplate.ini | System forwarding resource template, which exists in the user directory after the forwarding mode is set in the system. |
| device.sys | System hardware configuration file. |
| logfile | Directory for storing log information: diag.log (detailed logs of key events and exceptions) and log.log (logs of operations and key events). You can run the display logbuffer command to view event logs and other logs. |
| lost+found | Directory for storing information about the damaged file in the file management module recovered by the system during abnormal restart. |
| **.zip/**.cfg/**.dat | System configuration file. For details, see the save command. The file name extension of compressed log files is also .zip: log_slot ID_time.log.zip is a common log file that reaches a specified size, and diaglog_slot ID_time.log.zip is a diagnostic log file that reaches a specified size. You can run the info-center logfile size command to set the size of a log file. |
| *.ztbl | File for saving security MAC address information after port security is configured. |
| *.cap | File for saving captured packets after packet capture is configured on the device. |
| *.MOD/*.mod | Modules that are not running can be dynamically loaded to the system using a file. The file must be uploaded to the directory flash:/$_install_mod/. |

Example
# Display information about all files and directories in the current directory.
<HUAWEI> dir /all
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  drwx              -  Mar 03 2013 03:44:28   $_checkpoint
    1  -rw-    104,517,153  Mar 02 2013 18:22:18   devicesoft.cc
    2  drwx              -  Mar 03 2013 03:42:52   POST
    3  -rw-             14  Mar 03 2013 03:45:32   SysResTemplate.ini
    4  -rw-         16,781  Mar 03 2013 03:41:39   device.sys
    5  drwx              -  Jan 19 2012 09:54:13   logfile
    6  drwx              -  Feb 27 2013 04:44:53   lost+found
    7  -rw-         33,036  Mar 03 2013 03:41:39   vrpcfg.cfg
    8  -rw-          6,311  Feb 25 2012 17:22:30   [vrpcfg1.cfg]
    9  lrwx    164,169,606  Jul 08 2015 20:48:21   link.cc -> flash:/home/CE5810-V100R006C00.cc
   10  lrwx          6,632  Jul 13 2015 20:19:02   link.txt -> system file
670,092 KB total (569,904 KB free)

# Display information about the file in the current directory.


<HUAWEI> dir vrpcfg.cfg
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


8 -rw- 33,036 Jan 22 2012 16:35:31 vrpcfg.cfg

670,092 KB total (569,904 KB free)

# Display information about all .ini files in the current directory.


<HUAWEI> dir *.ini
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


1 -rw- 14 Jan 10 2012 10:39:27 SysResTemplate.ini

670,092 KB total (569,904 KB free)

Table 3-39 Description of the dir command output

| Item | Description |
|---|---|
| Directory of flash | Flash memory directory. |
| Idx | File index. |
| Attr | File attributes: d indicates a directory (if this item is not displayed, the corresponding FileName field displays a file; for example, devicesoft.cc is a file and logfile is a directory); r indicates that the file or directory is readable; w indicates that the file or directory is writable; x indicates that the file or directory is executable; l indicates that the file is a link file. |
| Size(Byte) | File size. |
| Date | Date when the file is generated. |
| Time | Time when the file is generated. |
| FileName | File name. vrpcfg.cfg: configuration file. The file name extension of the configuration file must be .cfg or .zip. devicesoft.cc: system software. The file name extension of the system software must be .cc. Some software sub-systems store necessary data in other files in the file system when the device is running properly. The name of a file in the recycle bin is placed in square brackets ([]). |
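
The recycle-bin behaviour described for delete and dir /all, as an added example (not Huawei's code): a parser for dir /all output that lists deleted files still recoverable with undelete and resolves link entries. The sample listing is constructed from the one above (uplink.cap and notes.txt are invented), and treating the Table 3-38 configuration, MAC-table and capture extensions as sensitive is this example's assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions that Table 3-38 ties to configuration, secure-MAC and capture data.
# Treating them as sensitive is an assumption of this example.
SENSITIVE_EXTENSIONS = (".cfg", ".zip", ".dat", ".ztbl", ".cap")

# One listing row: Idx, Attr, Size(Byte), Date, Time, FileName.
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<attr>[dl-][r-][w-][x-])\s+(?P<size>[\d,]+|-)\s+"
    r"(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<name>.+?)\s*$"
)

# Constructed sample modelled on the dir /all example in this section.
SAMPLE_DIR_ALL = """\
<HUAWEI> dir /all
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  drwx              -  Mar 03 2013 03:44:28   $_checkpoint
    1  -rw-    104,517,153  Mar 02 2013 18:22:18   devicesoft.cc
    2  -rw-         33,036  Mar 03 2013 03:41:39   vrpcfg.cfg
    3  -rw-          6,311  Feb 25 2012 17:22:30   [vrpcfg1.cfg]
    4  -rw-         48,200  Mar 01 2013 10:02:11   [uplink.cap]
    5  -rw-            120  Mar 01 2013 10:05:40   [notes.txt]
    6  lrwx    164,169,606  Jul 08 2015 20:48:21   link.cc -> flash:/home/CE5810-V100R006C00.cc
670,092 KB total (569,904 KB free)
"""


@dataclass
class Entry:
    idx: int
    attr: str
    size: Optional[int]          # None for directories, which show "-"
    name: str                    # brackets and link target stripped
    in_recycle_bin: bool         # FileName was shown as [name]
    link_target: Optional[str]   # text after "->" for link files

    @property
    def is_dir(self) -> bool:
        return self.attr.startswith("d")


def parse_dir_all(output: str) -> List[Entry]:
    """Parse listing rows; prompts, headers and the totals line are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, target = m["name"], None
        if m["attr"].startswith("l") and " -> " in name:
            name, target = name.split(" -> ", 1)
        recycled = name.startswith("[") and name.endswith("]")
        if recycled:
            name = name[1:-1]
        size = None if m["size"] == "-" else int(m["size"].replace(",", ""))
        entries.append(Entry(int(m["idx"]), m["attr"], size, name, recycled, target))
    return entries


def audit_listing(output: str) -> dict:
    """Summarise what a delete without /unreserved has left behind."""
    entries = parse_dir_all(output)
    recycled = [e for e in entries if e.in_recycle_bin]
    return {
        # Deleted files that undelete can still bring back and that may hold
        # configuration or captured traffic.
        "recoverable_sensitive": [
            e.name for e in recycled
            if not e.is_dir and e.name.lower().endswith(SENSITIVE_EXTENSIONS)
        ],
        # Flash space still occupied by the recycle bin.
        "recycle_bin_bytes": sum(e.size or 0 for e in recycled),
        # Link files and where they point.
        "links": {e.name: e.link_target for e in entries if e.attr.startswith("l")},
    }


if __name__ == "__main__":
    for key, value in audit_listing(SAMPLE_DIR_ALL).items():
        print(f"{key}: {value}")
```

Files reported under recoverable_sensitive stay on flash until reset recycle-bin is run; delete /unreserved bypasses the recycle bin.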

3.7.18 dir/ls (FTP client view)

Function
The dir and ls commands display all files or specified files that are stored on the FTP server,
and save them to a local disk.

Format
dir [ remote-filename [ local-filename ] ]

ls [ remote-filename [ local-filename ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| remote-filename | Specifies the name and directory of a file stored on the FTP server. | The value is a string of 1 to 128 case-sensitive characters without spaces. The remote-filename must already exist. |
| local-filename | Specifies the name of the local file that saves the FTP server file information. | The value is a string of 1 to 128 case-sensitive characters without spaces. |

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

The following describes differences between the dir and ls commands.

- When you run the dir command, detailed file information is displayed, including the file
  size, date when the file was created, whether the file is a directory, and whether the file
  can be modified. When you run the ls command, only the file name is displayed.
- The dir command is used to save detailed file information, while the ls command is used
  to save only the file name even if the file is specified and saved in a local directory.

Precautions

The wildcard (*) character can be used in commands dir and ls.

Example
# Display the name or detailed information about a file that is saved in the test directory.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] cd test
250 CWD command successful.

[ftp] dir
200 Port command okay.
150 Opening ASCII mode data connection for /test.
drwxrwxrwx 1 noone nogroup 0 Mar 23 16:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 10:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 10:38 backup1.txt
226 Transfer complete.
[ftp] ls
200 Port command okay.
150 Opening ASCII mode data connection for /test.
yourtest
backup.txt
backup1.txt
226 Transfer complete.

# Display the detailed information for the file temp.c, and save the displayed information in
file temp1.
[ftp] dir temp.c temp1
200 Port command okay.
150 Opening ASCII mode data connection for /temp.c.

226 Transfer complete.

[ftp] quit

221 Server closing.


<HUAWEI> more temp1
-rwxrwxrwx 1 noone nogroup 3929 Apr 27 18:13 temp.c

# Display the name of file test.bat, and save the displayed information in file test.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] ls test.bat test
200 Port command okay.
150 Opening ASCII mode data connection for /test.bat.

226 Transfer complete.

[ftp] quit

221 Server closing.


<HUAWEI> more test
test.bat

Table 3-40 Description of the dir/ls command output

| Item | Description |
|---|---|
| d | Indicates a directory. If this parameter is not present, the command output indicates a file. |
| r | Indicates that the file or directory can be read. |
| w | Indicates that the file or directory can be modified. |
| x | Indicates that the file or directory is executable. |

3.7.19 dir/ls (SFTP client view)


Function
The dir and ls commands display a list of specified files that are stored on the SFTP server.

Format
dir [ -l | -a ] [ remote-directory ]
ls [ -l | -a ] [ remote-directory ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| -l | Displays detailed information about all files and directories in a specified directory. | - |
| -a | Displays names of all files and directories in a specified directory. | - |
| remote-directory | Specifies the name of a directory on the SFTP server. | The value is a string of 1 to 128 case-sensitive characters without spaces. |

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
The dir and ls commands are equivalent.
- If -l and -a parameters are not specified, detailed information about all files and
  directories in a specified directory is displayed when you run the dir or ls command. The
  effect is the same as the dir -l command output.

- By default, if the remote-directory parameter is not specified, the list of current directory
  files is displayed when you run the dir or ls command.

Example
# Display a list of files in the test directory of the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> dir test
-rwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup1.txt
sftp-client> dir -a test
yourtest
backup.txt
backup1.txt
sftp-client> ls test
-rwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup1.txt
sftp-client> ls -a test
yourtest
backup.txt
backup1.txt

3.7.20 disconnect

Function
The disconnect command terminates the connection with the remote FTP server and displays
the FTP client view.

Format
disconnect

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
This command is equivalent to the close command.

You can run the bye and quit commands to terminate the connection with the remote FTP
server and enter the user view.

To enter the user view from the FTP client view, you can run the bye or quit command.

Example
# Terminate the connection with the remote FTP server and enter the FTP client view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] disconnect

221 Server closing.

[ftp]

3.7.21 display ftp client

Function
The display ftp client command displays the source IP address configured for the FTP client.

Format
display ftp client

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
The default source IP address 0.0.0.0 is used if ftp client source is not configured.

Example
# Display the source IP address of the FTP client.
<HUAWEI> display ftp client
SrcIPv4Addr : 10.18.26.233

Table 3-41 Description of the display ftp client command output


| Item | Description |
|---|---|
| SrcIPv4Addr | IPv4 address of an FTP client. You can run the ftp client source command to change the IPv4 address of the FTP client. If the IP address is configured for the source port, the message "Interface Name" is displayed. |

3.7.22 display ftp server


Function
The display ftp server command displays FTP server parameter settings.

Format
display ftp server

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run this command to display FTP server parameter settings.

Example
# Display FTP server parameter settings.
<HUAWEI> display ftp server
Server state : Disabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count : 0
Max user number : 15
Source IPv4 address : 0.0.0.0
Source IPv6 Address : ::
Source IPv6 VpnName :

Table 3-42 Description of the display ftp server command output


| Parameter | Description |
|---|---|
| Server state | FTP server status: Enabled or Disabled. By default, the FTP server is disabled. You can run the ftp server enable command to start the FTP server. |
| IPv6 server state | FTP IPv6 server status: Enabled or Disabled. By default, the FTP IPv6 server is disabled. You can run the ftp ipv6 server enable command to start the FTP server. |
| Timeout value (mins) | Idle timeout duration of FTP users. The default idle timeout duration is 30 minutes. You can run the ftp server timeout command to set the idle timeout duration of FTP users. |
| IPv6 Timeout value (mins) | Idle timeout duration of FTP users. The default idle timeout duration is 30 minutes. You can run the ftp ipv6 server timeout command to set the idle timeout duration of FTP users. |
| Listen Port | Number of the listening port on the FTP server. The default value is 21. If the value is not 21, you can run the ftp server port command to configure the listening port number. |
| IPv6 listen port | Number of the listening port on the FTP IPv6 server. The default value is 21. If the value is not 21, you can run the ftp ipv6 server port command to configure the listening port number. |
| ACL name | Name of the ACL for the IPv4 address. If no ACL is configured, the ACL name is unavailable. You can run the ftp server acl acl-name command to change the ACL name. |
| IPv6 ACL name | Name of the ACL for the IPv6 address. If no ACL is configured, the ACL name is unavailable. You can run the ftp ipv6 server acl acl-name command to change the ACL name. |
| ACL number | ACL number. If no ACL is configured, the ACL number is unavailable. You can run the ftp server acl acl-number command to change the ACL number. |
| IPv6 ACL number | ACL6 number. If no ACL is configured, the ACL number is unavailable. You can run the ftp ipv6 server acl acl-number command to change the ACL6 number. |
| Current user count | Number of current users who have logged in to the FTP server. |
| Max user number | Maximum number of users allowed to log in to the FTP server. The default value is 15. |
| Source IPv4 address | Source IPv4 address. The default source IPv4 address is 0.0.0.0. You can run the ftp server source -a command to configure the source IPv4 address. |
| Source IPv6 Address | Source IPv6 address. The default source IPv6 address is 0.0.0.0. You can run the ftp ipv6 server source -a ipv6-address command to configure the source IPv6 address. |
| Source IPv6 VpnName | Name of the source IPv6 VPN instance. You can run the ftp ipv6 server source -a -vpn-instance vpn-instance-name command to configure the name of the source IPv6 VPN instance. |
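
A configuration check built on the fields described in Table 3-42, as an added example (not Huawei's code): it parses display ftp server output and reports, per address family, an enabled FTP server, a missing ACL, and an idle timeout above a policy limit. The finding codes, the 10-minute limit and the SAMPLE_EXPOSED values (including ACL number 2001) are assumptions of this example; SAMPLE_DEFAULT repeats the output shown above.

```python
import re
from typing import Dict, List, Tuple

# "Field name : value" lines; the value may be empty (for example "ACL name :").
LINE = re.compile(r"^\s*(?P<key>[^:<\[]+?)\s*:(?:\s+(?P<value>.*?))?\s*$")

# Output as printed in the example for display ftp server in this section.
SAMPLE_DEFAULT = """\
<HUAWEI> display ftp server
Server state : Disabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count : 0
Max user number : 15
Source IPv4 address : 0.0.0.0
Source IPv6 Address : ::
Source IPv6 VpnName :
"""

# Constructed sample: both servers enabled, only the IPv6 one has an ACL.
SAMPLE_EXPOSED = """\
<HUAWEI> display ftp server
Server state               : Enabled
IPv6 server state          : Enabled
Timeout value (mins)       : 30
IPv6 Timeout value (mins)  : 10
Listen port                : 21
IPv6 listen port           : 21
ACL name                   :
IPv6 ACL name              :
ACL number                 :
IPv6 ACL number            : 2001
Current user count         : 1
Max user number            : 15
Source IPv4 address        : 0.0.0.0
Source IPv6 Address        : ::
Source IPv6 VpnName        :
"""

# Finding code -> what it means and which command from Table 3-42 changes it.
HINTS = {
    "ftp-enabled": "FTP server is enabled (default is Disabled); FTP is unencrypted",
    "no-acl": "no ACL name or number; see ftp server acl / ftp ipv6 server acl",
    "idle-timeout": "idle timeout above policy; see ftp server timeout / "
                    "ftp ipv6 server timeout",
}


def parse_display_ftp_server(output: str) -> Dict[str, str]:
    """Return {lower-cased field name: value}; unset fields map to ''."""
    fields = {}
    for line in output.splitlines():
        m = LINE.match(line)
        if m:
            key = " ".join(m.group("key").split()).lower()
            fields[key] = m.group("value") or ""
    return fields


def audit_ftp_server(fields: Dict[str, str],
                     max_idle_mins: int = 10) -> List[Tuple[str, str]]:
    """Return (family, finding-code) pairs; a disabled server yields none."""
    findings = []
    for family, prefix in (("IPv4", ""), ("IPv6", "ipv6 ")):
        if fields.get(prefix + "server state", "").lower() != "enabled":
            continue
        findings.append((family, "ftp-enabled"))
        # An ACL can be bound by name or by number; either one counts.
        if not fields.get(prefix + "acl name") and not fields.get(prefix + "acl number"):
            findings.append((family, "no-acl"))
        timeout = fields.get(prefix + "timeout value (mins)", "")
        if timeout.isdigit() and int(timeout) > max_idle_mins:
            findings.append((family, "idle-timeout"))
    return findings


if __name__ == "__main__":
    for family, code in audit_ftp_server(parse_display_ftp_server(SAMPLE_EXPOSED)):
        print(f"{family}: {code}: {HINTS[code]}")
```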

3.7.23 display ftp server ip auth-fail information

Function
The display ftp server ip auth-fail information command displays information about the
IP addresses of users that failed FTP authentication.

Format
display ftp server ip auth-fail information

Parameters
None

Views
All views

Default Level
3: Management level

Task Name and Operations


| Task Name | Operations |
|---|---|
| ftp-server | read |

Usage Guidelines
The display ftp server ip auth-fail information command displays information about the
IP addresses that failed FTP authentication. The command output includes the names of the
VPN instances to which the IP addresses belong, the IP address status, and the numbers of
authentication failures. The IP addresses that fail to pass FTP authentication will not be
adopted to make invalid authentication.

Example
# Display information about the IP addresses of all the clients that fail to pass FTP
authentication.
<HUAWEI> display ftp server ip auth-fail information
----------------------------------------------------------------------------------
----------------------------------------------
IP Address VPN Name
First Time Auth-fail Auth-fail Count
----------------------------------------------------------------------------------
----------------------------------------------
10.0.0.1 _public_
2016-09-05 11:19:28 1
----------------------------------------------------------------------------------
----------------------------------------------

Table 3-43 Description of the display ftp server ip-block all command output
| Item | Description |
|---|---|
| IP Address | Locked client IP address |
| VPN Name | Name of a VPN instance to which a locked client IP address belongs |
| First Time Auth-fail | Time when the first authentication fails |
| Auth-fail Count | Number of consecutive client authentication failures in the latest authentication period |

3.7.24 display ftp server ip-block list


Function
The display ftp server ip-block list command displays information about client IP addresses
that are locked because of FTP authentication failures.

Format
display ftp server ip-block list

Parameters
None

Views
All views

Default Level
3: Management level

Task Name and Operations


| Task Name | Operations |
|---|---|
| ftp-server | read |

Usage Guidelines
To check information about client IP addresses that are locked because of FTP authentication
failures, run the display ftp server ip-block list command. The command output includes the
names of VPN instances to which the locked client IP addresses belong and the remaining
locking period.

Example
# Display information about client IP addresses that are locked because of FTP authentication
failures.
<HUAWEI> display ftp server ip-block list
----------------------------------------------------------------------------------
------------------------
IP Address VPN Name
UnBlock Interval (Seconds)
----------------------------------------------------------------------------------
------------------------
10.0.0.1 _public_
294
----------------------------------------------------------------------------------
------------------------

Table 3-44 Description of the display ftp server ip-block list command output
| Item | Description |
|---|---|
| IP Address | Locked client IP address |
| VPN Name | Name of a VPN instance to which a locked client IP address belongs |
| UnBlock Interval(Seconds) | Remaining locking period, in seconds |

3.7.25 display ftp server users

Function
The display ftp server users command displays FTP user parameters on the FTP server.

Format
display ftp server users

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can check FTP user parameters on the FTP server, such as the FTP user name, IP address
of the client host, port number, idle duration, and the authorized directories.

Example
# Display FTP user parameters.
<HUAWEI> display ftp server users
User Name : root
Host Address : 10.18.26.139
Control Port : 20465
Idle Time (mins) : 1
Root Directory : flash:

Table 3-45 Description of the display ftp-users command output

Item                Description
User Name           FTP user name.
Host Address        IP address of the client host.
Control Port        Port number of the client host.
Idle Time (mins)    Idle duration.
Root Directory      Authorized directory of a user.
                    You can run the local-user ftp-directory command to configure the
                    authorized directory.

3.7.26 display scp client

Function
The display scp client command displays source parameters of the current SCP client.

Format
display scp client

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display scp client command to check source parameters of the SCP client.

Example
# Display source parameters of the SCP client.
<HUAWEI> display scp client
The source address of SCP client is 10.1.1.1.

Table 3-46 Description of the display scp client command output

Item                                            Description
The source address of SCP client is 10.1.1.1.   The source address of the SCP client. By default,
                                                the source address of the SCP client is 0.0.0.0.


3.7.27 display sftp client

Function
The display sftp client command displays the source IP address configured for the SFTP
client.

Format
display sftp client

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display sftp client command to display the source IP address of the SFTP
client. The default source IP address 0.0.0.0 is used if sftp client-source is not configured.

Example
# Display the source IP address configured for the SFTP client.
<HUAWEI> display sftp client
The source address of SFTP client is 10.1.1.1.

Table 3-47 Description of the display sftp client command output

Item                                             Description
The source address of SFTP client is 10.1.1.1.   10.1.1.1 is the source IP address of the SFTP client.
                                                 You can run the sftp client-source command to configure
                                                 the source IP address for the SFTP client.
                                                 If an IP address has been configured for the source port,
                                                 the message "The source interface of SFTP client is
                                                 LoopBack0" is displayed.


3.7.28 display tftp client

Function
The display tftp client command displays the source IP address configured for the TFTP
client.

Format
display tftp client

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
You can run the display tftp client command to query the source IP address of the TFTP client.
The default source IP address is 0.0.0.0 if tftp client source is not configured.

Example
# Display the source IP address configured for the TFTP client.
<HUAWEI> display tftp client
--------------------------------------------------------------------------------
ACL name :
ACL number :
IPv6 ACL name :
IPv6 ACL number :
Source IPv4 address : 0.0.0.0
--------------------------------------------------------------------------------

Table 3-48 Description of the display tftp client command output

Item                   Description
ACL name               Name of the ACL that specifies the IPv4 address the TFTP client can access.
ACL number             Number of the ACL that specifies the IPv4 address the TFTP client can access.
IPv6 ACL name          Name of the ACL that specifies the IPv6 address the TFTP client can access.
IPv6 ACL number        Number of the ACL that specifies the IPv6 address the TFTP client can access.
Source IPv4 address    Source IPv4 address of the TFTP client.
                       The source IPv4 address is configured using the tftp client source -a
                       source-ip-address command.
Interface Name         Source interface of the TFTP client.
                       The source interface is configured using the tftp client source -i
                       interface-type interface-number command. This field is displayed only when
                       the source interface is configured using this command.

3.7.29 execute

Function
The execute command executes a specified batch file or VRP Shell Languages (VSL) script.

Format
execute batch-filename [ parameter&<1-8> ]

Parameters

Parameter         Description                       Value
batch-filename    Specifies the name and path of    The batch file must already exist at the specified
                  a batch file.                     path. If the batch file to be processed is in the
                                                    current directory, you only need to enter the name
                                                    of the batch file.
parameter         Specifies a VSL parameter.        The value is a string of 1 to 32 case-sensitive
                                                    characters.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario


The commands in a batch file are run one by one. A batch file cannot contain any invisible
character. If an invisible character is detected, the execute command exits from the current
process and no rollback is performed.

NOTE
Whether a character is invisible is determined based on the ASCII character table. Characters whose
ASCII character value ranges from 32 to 126 are visible (the ASCII character value 32 indicates spaces).
Other characters are invisible.

The execute command does not guarantee that every command in the batch file runs successfully.
The execute command is not hot backed up, and the format and contents of the commands are not
restricted. Running the execute command has the same effect as running the commands one by one
manually.
Precautions
• The commands in a batch file are run one by one. A batch file cannot contain invisible
  characters (control characters or escape characters, such as \r, \n, and \b). If any invisible
  character is detected, the execute command exits from the current process and no
  rollback is performed.
• The execute command does not guarantee that all commands can be run. If the system runs
  a wrong or immature command, it displays the error and goes to the next command. The
  execute command does not perform the hot backup operation, and the command format
  or content is not restricted.
• When a .bat file is a VSL script, the execute command configures services automatically: it
  runs the commands in the batch file and performs the configurations for the services specified
  by parameter at one time.

Example
# Execute the test.bat file in the directory flash:/. The test.bat file contains four commands:
system-view, aaa, local-user huawei password irreversible-cipher Helloworld@6789, and
commit.
<HUAWEI> system-view
[~HUAWEI] execute test.bat
[*HUAWEI] system-view
^
Error: Unrecognized command found at '^' position.
[*HUAWEI] aaa
[*HUAWEI-aaa] local-user huawei password irreversible-cipher Helloworld@6789
[*HUAWEI-aaa] commit
[~HUAWEI-aaa]

When the system runs the first command system-view in current system view, it displays an
error and continues to run the following commands.
The system displays the execution of a batch file in AAA view.
[~HUAWEI-aaa] display this
local-user huawei password irreversible-cipher $1c$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
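
A pre-flight check for a batch file before it is passed to execute, added here as an example (not Huawei code): it reports bytes outside the visible ASCII range 32 to 126, a leading system-view that fails as in the example above, and passwords stored as literals. The LF line separator, the password pattern, the finding codes and the test for an already hashed $1c$ value are assumptions of this example.

```python
import re

VISIBLE = range(32, 127)  # visible ASCII per the NOTE above: 32 (space) to 126

# Illustrative pattern (an assumption, not the device's syntax rules): a
# password keyword followed by a literal value on the same command line.
PASSWORD_RE = re.compile(r"\bpassword\s+(?:irreversible-cipher|cipher)\s+(\S+)")


def lint_batch(data: bytes, start_view: str = "system"):
    """Return (line, column, code, detail) findings for a batch file's raw bytes.

    Assumption: commands are separated by LF. Every other byte outside the
    visible range is reported, including the CR of Windows line endings.
    """
    findings = []
    seen_command = False
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        # 1. Invisible characters: execute exits here and nothing is rolled back.
        for col, byte in enumerate(raw, start=1):
            if byte not in VISIBLE:
                findings.append((line_no, col, "INVISIBLE_CHAR", f"0x{byte:02x}"))

        text = raw.decode("ascii", errors="replace")
        command = text.strip()
        if not command:
            continue

        # 2. execute already runs in the system view, so a leading system-view
        #    is rejected as an unrecognized command (as in the page's example).
        if not seen_command and start_view == "system" and command == "system-view":
            findings.append((line_no, 1, "VIEW_ERROR", "system-view inside system view"))
        seen_command = True

        # 3. A literal password stored in the file. Values shaped like the
        #    $1c$...$ string shown by "display this" are treated as already hashed.
        match = PASSWORD_RE.search(text)
        if match:
            value = match.group(1)
            if not (value.startswith("$1c$") and value.endswith("$")):
                findings.append((line_no, match.start(1) + 1, "CLEARTEXT_SECRET",
                                 f"{len(value)}-character literal (value not echoed)"))
    return findings


# Constructed sample: the four commands of the page's test.bat, saved with
# Windows (CRLF) line endings.
SAMPLE_BAT = (b"system-view\r\n"
              b"aaa\r\n"
              b"local-user huawei password irreversible-cipher Helloworld@6789\r\n"
              b"commit\r\n")

if __name__ == "__main__":
    for line_no, col, code, detail in lint_batch(SAMPLE_BAT):
        print(f"line {line_no}, col {col}: {code} ({detail})")
```

Because execute performs no rollback, running the check on the file before upload avoids a configuration that is only partly applied.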

3.7.30 ftp
Function
The ftp command connects the FTP client to the FTP server and enters the FTP client view.


Format
# Connect the FTP client to the FTP server based on the IPv4 address.
ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]
[ public-net | vpn-instance vpn-instance-name ] ]
# Connect the FTP client to the FTP server based on the IPv6 address.
ftp ipv6 host-ipv6 [ public-net | vpn-instance vpn-instance-name ] [ port-number | -oi
interface-type interface-number ]

Parameters
Parameter                    Description                                       Value

-a source-ip-address         Specifies the source IP address for connecting    The value is in dotted decimal
                             to the FTP client. You are advised to use the     notation.
                             loopback interface IP address.

-i interface-type            Specifies the source interface type and ID.       -
interface-number             You are advised to use the loopback interface.
                             The IP address configured for this interface
                             is the source IP address for sending packets.
                             If no IP address is configured for the source
                             interface, the FTP connection cannot be set up.

host-ip                      Specifies the IP address or host name of the      The value is in dotted decimal
                             remote IPv4 FTP server.                           notation.
                             NOTE
                             You can run the display dns dynamic-host or
                             display ip host command to view the mapping
                             between the IP address and host name.

port-number                  Specifies the port number of the FTP server.      The value is an integer that
                                                                               ranges from 1 to 65535. The
                                                                               default value is the standard
                                                                               port number 21.

public-net                   Specifies the FTP server on the public            -
                             network.
                             You must set the public-net parameter when
                             the FTP server IP address is a public network
                             IP address.

vpn-instance                 Specifies the name of the VPN instance where      The value is a string of 1 to 31
vpn-instance-name            the FTP server is located.                        case-sensitive characters except
                                                                               spaces. When double quotation
                                                                               marks are used to include the
                                                                               string, spaces are allowed in the
                                                                               string. The value _public_ is
                                                                               reserved and cannot be used as
                                                                               the VPN instance name.

host-ipv6                    Specifies the IP address of the remote IPv6       The value is a 32-digit
                             FTP server.                                       hexadecimal number, in the
                                                                               format X:X:X:X:X:X:X:X.

-oi interface-type           Specifies the source interface for the IPv6       -
interface-number             FTP client, including the type and number of
                             the interface. The IPv6 address configured in
                             this interface view is the source IPv6 address
                             of the packet. If no IPv6 address is configured
                             for the source interface, the FTP connection
                             cannot be set up.
                             Setting the loopback interface as the source
                             IPv6 address is recommended.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

Before accessing the FTP server on the FTP client, you must first run the ftp command to
connect the FTP client to the FTP server.

On an IPv4 network, the source IP address specified using the ftp command takes precedence
over the source IP address specified using the ftp client-source command. If the ftp
command is run after a source IP address has been specified using the ftp client-source
command, the source IP address specified using the ftp command is used for communication.
The source IP address specified using the ftp client-source command is available for all FTP
connections; the source IP address specified using the ftp command is available only for the
current FTP connection.
Prerequisites
An FTP connection can be established if the following conditions are met:
• The FTP server function is enabled on the server device by running the ftp server enable
  command, which allows FTP users to log in.
• The FTP server and FTP client are routable.
Precautions
• You can set the source IP address to the source or destination IP address in the ACL rule
  when the -a or -i parameter is specified on the IPv4 network. This shields the IP address
  differences and interface status impact, filters incoming and outgoing packets, and
  implements security authentication.
• You can run the set net-manager vpn-instance command to configure the NMS
  management VPN instance before running the open command to connect the FTP client
  and server.
  – If public-net or vpn-instance is not specified, the FTP client accesses the FTP
    server in the VPN instance managed by the NMS.
  – If public-net is specified, the FTP client accesses the FTP server on the public
    network.
  – If vpn-instance vpn-instance-name is specified, the FTP client accesses the FTP
    server in a specified VPN instance.
• If no parameter is set in the ftp command, only the FTP view is displayed, and no
  connection is set up between the FTP server and client.
• If the port number that the FTP server uses is non-standard, you must specify a standard
  port number; otherwise, the FTP server and client cannot be connected.
• When you run the ftp command, the system prompts you to enter the user name and
  password for logging in to the FTP server. You can log in to the FTP server if the user
  name and password are correct.
• If the number of login users exceeds the maximum value that the FTP server allows,
  other authorized users cannot log in to the FTP server. To allow new authorized users to
  log in to the FTP server, users who have performed FTP services must disconnect their
  clients from the FTP server. You can run the bye or quit command to disconnect the FTP
  client from the FTP server and return to the user view, or run the close or disconnect
  command to disconnect the FTP client from the FTP server and remain in the FTP client
  view.

Example
# Connect to the FTP server whose IP address is 10.137.217.201.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

# Establish FTP connection with a remote server with source IP address.


<HUAWEI> system-view
[~HUAWEI] interface LoopBack 0
[*HUAWEI-LoopBack0] ip address 1.1.1.1 24
[*HUAWEI-LoopBack0] commit
[~HUAWEI-LoopBack0] quit
[~HUAWEI] ftp client source -a 1.1.1.1
[*HUAWEI] commit
[~HUAWEI] quit
<HUAWEI> ftp -a 1.1.1.1 1.1.1.1 10000
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1.
220 VRPV8 FTP service ready.
User(1.1.1.1:(none)):root
331 Password required for root.
Password:
230 User logged in.
[ftp]

# Connect to the remote IPv6 FTP server whose address is fc00:2001:db8::1.


<HUAWEI> ftp ipv6 fc00:2001:db8::1
Trying fc00:2001:db8::1
Press CTRL + K to abort
Connected to ftp fc00:2001:db8::1
220 FTP service ready.
User(fc00:2001:db8::1:(none)):huawei
331 Password required for huawei
Enter Password:
230 User logged in.
[ftp]

3.7.31 ftp server acl


Function
The ftp server acl command specifies an ACL number or ACL name for the current FTP
server so that the FTP client with the same ACL number or ACL name can access the FTP
server.
The undo ftp server acl command deletes an ACL number or ACL name of the current FTP
server.
By default, no ACL is configured for FTP server.

Format
ftp [ ipv6 ] server acl { acl-number | acl-name }
undo ftp [ ipv6 ] server acl


Parameters
Parameter     Description                         Value
ipv6          Specifies the IPv6 FTP server.      -
acl-number    Specifies the number of the ACL.    The value is an integer that ranges from 2000 to 3999.
acl-name      Specifies the ACL name.             The value is a string of 1 to 32 case-sensitive
                                                  characters except spaces. The value must start with a
                                                  letter or digit, and cannot contain only digits.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To ensure the security of an FTP server, you need to configure an ACL for it to specify FTP
clients that can access the current FTP server.
Precautions
If no rule is configured in the ACL, incoming and outgoing calls are not restricted after the
ftp server acl command is run.
The ftp server acl command takes effect only after you run the rule command to configure
the ACL rule.
The ftp server acl { acl-number | acl-name } command takes effect only for IPv4 clients.

Example
# Allow the client whose ACL number is 2000 to log in to the FTP server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ftp server acl 2000

3.7.32 ftp client source

Function
The ftp client source command specifies the source IP address for the FTP client to send
packets.


The undo ftp client source command restores the default source IP address for the FTP client
to send packets.
The default source IP address for the FTP client to send packets is 0.0.0.0.

Format
ftp client source { -a source-ip-address | -i interface-type interface-number }
undo ftp client source

Parameters
Parameter               Description                                           Value

-a source-ip-address    Specifies the source IP address. You are advised      The value is in dotted
                        to use the loopback interface IP address.             decimal notation.

-i interface-type       Specifies the source interface, including the         -
interface-number        interface type and number. You are advised to use
                        the loopback interface.
                        The IP address configured for the source interface
                        is the source IP address for sending packets. If no
                        IP address is configured for the source interface,
                        the FTP connection cannot be set up.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the router
specifies to send packets. The source IP address must be configured for an interface with
stable performance. The loopback interface is recommended. Using the loopback interface as
the source interface simplifies the ACL rule and security policy configuration. This shields
the IP address differences and interface status impact, filters incoming and outgoing packets,
and implements security authentication.
Precautions
• You can also run the ftp command to configure the source IP address, which has a higher
  priority than the source IP address specified by the ftp client source command. If you
  specify source IP addresses by running both the ftp client source and ftp commands,
  the source IP address specified by the ftp command is used for data communication and
  is available only for the current FTP connection, while the source IP address specified by
  the ftp client source command is available for all FTP connections.
• The IP address that a user displays on the FTP server is the specified source IP address
  or source interface IP address.
• After a bound source interface is deleted, the interface configuration specified using the
  ssh server-source command will not be cleared but does not take effect. If you configure
  the source interface with the same name again, the interface configuration specified
  using the ssh server-source command is updated and the function is restored.
• This command takes effect for IPv4 clients.
• If the specified source interface has been bound to a VPN instance, the client is
  automatically bound to the same VPN instance.

Example
# Set the source IP address of the FTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] ftp client source -a 10.1.1.1

3.7.33 ftp get/put


Function
The ftp get/put command uploads a source file to the FTP server or downloads a source file
from the FTP server to a host.

Format
# IPv4 address
ftp { put | get } [ -a source-ip-address | -i interface-type interface-number ] host-ip host-ip
[ port portnumber ] [ public-net | vpn-instance vpn-instance-name ] username username
sourcefile local-filename [ destination remote-filename ]
# IPv6 address
ftp { put | get } ipv6 host-ip host-ipv6 [ public-net | vpn-instance vpn-instance-name ]
[ port portnumber ] username username sourcefile local-filename
[ destination remote-filename ]

Parameters
Parameter                    Description                                    Value

-a source-ip-address         Specifies the IP address for establishing      The value is in dotted decimal
                             the FTP connection.                            notation.

-i interface-type            Specifies the interface for establishing       -
interface-number             the FTP connection.

host-ip host-ip              Specifies the IPv4 address or host name of     The value is in dotted decimal
                             the FTP server.                                notation.
                             NOTE
                             You can run the display dns dynamic-host or
                             display ip host command to view the mapping
                             between the IP address and host name.

host-ip host-ipv6            Specifies the IPv6 address or host name of     The value is a 32-digit
                             the FTP server.                                hexadecimal number, in the
                             NOTE                                           format X:X:X:X:X:X:X:X.
                             You can run the display dns dynamic-host or
                             display ip host command to view the mapping
                             between the IP address and host name.

put                          Saves local files to the FTP server.           -

get                          Saves the files on the FTP server to the       -
                             local host.

port portnumber              Specifies the port number of the FTP server.   The value is an integer that
                                                                            ranges from 1 to 65535. The
                                                                            default value is 21.

public-net                   Specifies the FTP server on the public         -
                             network.
                             You must set the public-net parameter when
                             the FTP server IP address is a public
                             network IP address.

vpn-instance                 Specifies the name of a VPN instance.          The VPN must already exist.
vpn-instance-name

username username            Specifies a user name.                         The value is a string of 1 to 255
                                                                            case-insensitive characters that
                                                                            can contain letters, digits, and
                                                                            special characters.

sourcefile local-filename    Specifies the name of the source file to be    The value is a string of 1 to 128
                             uploaded or downloaded.                        characters, which can contain
                                                                            digits, letters, and special
                                                                            characters.

destination                  Specifies the name of the destination file     The value is a string of 1 to 128
remote-filename              to be uploaded or downloaded.                  characters, which can contain
                                                                            digits, letters, and special
                                                                            characters.


Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If the device only needs to upload files to or download files from the FTP server, you can use
this command to complete a file transfer at one time.
Prerequisites
Ensure that the VPN has been configured when you specify vpn-instance vpn-instance-name
in the command.
Precautions
• After this command is executed, the device (FTP client) establishes a connection with
  the FTP server before starting the file transfer.
• If the server listens for FTP connections on the default port, you do not need to specify
  the port number; otherwise, specify the port number.
• This command does not support resumable upload or download. If the uploading or
  downloading process is interrupted due to a fault, the previously generated file (which
  includes only part of the source file) will be replaced by a new file after the fault is
  removed and the uploading or downloading task resumes.

Example
# Upload the source file sample.txt to the FTP server.
<HUAWEI> ftp put -a 10.1.1.10 host-ip 10.1.1.1 username huawei sourcefile sample.txt
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
331 Password required for huawei.
Enter password:
200 Type set to I.
200 Port command okay.
150 Opening BINARY mode data connection for /sample.txt.
/ 100% [***********]
226 Transfer complete.

FTP: 4860 byte(s) send in 0.134 second(s) 35.417Kbyte(s)/sec.

# Upload the source file sample.txt to the FTP server 10.1.1.1 through an interface.
<HUAWEI> ftp put -i 10ge 1/0/1 host-ip 10.1.1.1 username huawei sourcefile sample.txt
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
331 Password required for huawei.
Enter password:
200 Type set to I.
200 Port command okay.
150 Opening BINARY mode data connection for /sample.txt.
/ 100% [***********]
226 Transfer complete.

FTP: 4860 byte(s) send in 0.134 second(s) 35.417Kbyte(s)/sec.

3.7.34 ftp server default-directory


Function
The ftp server default-directory command configures the default FTP working directory.
The undo ftp server default-directory command disables the default FTP working directory.
By default, no default FTP working directory is configured.

Format
ftp server default-directory directory
undo ftp server default-directory

Parameters
Parameter    Description                  Value
directory    Specifies the default FTP    The value is a string of 1 to 255 case-sensitive
             working directory.           characters without spaces. When double quotation
                                          marks are used around the string, spaces are allowed
                                          in the string.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the set default ftp-directory command to configure a default FTP working
directory for all FTP users at one time.
The command takes effect for both ipv4 and ipv6 users.
Precautions
• The ftp server default-directory command takes effect only when the device functions
  as an FTP server and the user functions as an FTP client.
• You can run the local-user ftp-directory command to configure an authorized working
  directory for a local user.
• If you have configured the FTP working directory by running the local-user ftp-directory
  command, you must use this FTP working directory.
• You can run the lcd command to view the working directory of FTP users.
• If no FTP working directory is specified on the device, FTP users cannot log in to the
  device, and are prompted that the working directory is unauthorized.

Example
# Set the default FTP working directory to flash:/.
<HUAWEI> system-view
[~HUAWEI] ftp server default-directory flash:/

3.7.35 ftp server enable

Function
The ftp server enable command enables the FTP server function to allow FTP users to log in
to the FTP server.

The undo ftp server command disables the FTP server function so that FTP users cannot log
in to the FTP server.

By default, the FTP function is disabled.

Format
ftp [ ipv6 ] server enable

undo ftp [ ipv6 ] server [ enable ]

Parameters
Parameter Description Value
ipv6 Specifies the IPv6 FTP server. -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

To manage FTP server files on a client, you must run the ftp server enable command to
enable the FTP server function to allow FTP users to log in to the FTP server.

Precautions


If the FTP server function is disabled, no user can log in to the FTP server, and users who
have logged in to the FTP server cannot perform any operation except logout.

The ftp server enable command enables the IPv4 function, whereas the ftp ipv6 server
enable command enables only the IPv6 function.

The FTP protocol compromises device security. SFTP V2 mode is recommended.

Example
# Enable the FTP server function.
<HUAWEI> system-view
[~HUAWEI] ftp server enable

3.7.36 ftp server ip-block disable

Function
The ftp server ip-block disable command disables an FTP server from locking client IPv4
and IPv6 addresses.

The undo ftp server ip-block disable command enables an FTP server to lock client IPv4
and IPv6 addresses.

By default, an FTP server is enabled to lock client IPv4 and IPv6 addresses.

Format
ftp server ip-block disable

undo ftp server ip-block disable

Parameters
None

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
ftp-server write


Usage Guidelines
If an FTP server is enabled to lock client IPv4 and IPv6 addresses, a client IP address is locked
when the number of FTP authentication failures reaches the upper limit in a specific period of
time. Locked client IP addresses fail authentication and are displayed in the display
ftp server ip-block list command output.

If an FTP server is disabled from locking client IP addresses, the display ftp server ip-block
list command does not display any client IP address that is locked because of authentication
failures.

Locked IP addresses are unlocked immediately after the FTP server is disabled from
locking client IP addresses.

You are advised to enable the FTP server to lock client IP addresses to ensure security.

Example
# Disable an FTP server from locking client IP addresses.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block disable

# Enable an FTP server to lock client IP addresses.


<HUAWEI> system-view
[~HUAWEI] undo ftp server ip-block disable

3.7.37 ftp server ip-block failed-times

Function
The ftp server ip-block failed-times command sets the maximum number of consecutive
FTP authentication failures within a specified period. If the number is reached, the system
locks out the user's IP address.

The undo ftp server ip-block failed-times command restores the maximum number of
consecutive FTP authentication failures and the period in which consecutive authentication
failures are counted to their default values.

By default, the maximum number of consecutive FTP authentication failures before a user's
IP address is locked out is 6, and the period is 5 minutes.

Format
ftp server ip-block failed-times failed-times period period

undo ftp server ip-block failed-times failed-times period period

Parameters
Parameter        Description                                      Value

failed-times     Specifies the maximum number of consecutive      The value is an integer ranging
                 FTP authentication failures before the user's    from 1 to 10.
                 IP address is locked out.

period period    Specifies a period in which consecutive FTP      The value is an integer ranging
                 authentication failures are counted.             from 1 to 120, in minutes.

Views
System view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
ftp-server write

Usage Guidelines
To set the maximum number of consecutive authentication failures within a specified period,
run the ftp server ip-block failed-times command. If the number is reached, the system locks
out the user's IP address, which prevents the user from accessing the device through FTP.
The system automatically unlocks the user's IP address when the unlocking period expires.
This improves device security.
To manually unlock the user's IP address, run the activate ftp server ip-block ip-address
command.

Example
# Set the maximum number of consecutive authentication failures before a user's IP address
is locked out to 3 and the period in which consecutive FTP authentication failures are counted
to 6 minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block failed-times 3 period 6

3.7.38 ftp server ip-block reactive

Function
The ftp server ip-block reactive command sets a period after which the system automatically
unlocks a user's IPv4 or IPv6 address.
The undo ftp server ip-block reactive command restores the default period.
By default, the period is 5 minutes.

Format
ftp server ip-block reactive reactive-period

undo ftp server ip-block reactive [ reactive-period ]

Parameters

Parameter: reactive-period
Description: Specifies a period after which the system automatically unlocks a user's IP address.
Value: The value is an integer ranging from 1 to 1000, in minutes.

Views
System view

Default Level
3: Management level

Task Name and Operations

Task Name: ftp-server
Operations: write

Usage Guidelines
To set a period after which the system automatically unlocks a user's IP address, run the ftp
server ip-block reactive command. A locked IP address cannot access the device
through FTP. The system automatically unlocks the IP address when the unlocking
period expires. This improves device security.

To manually unlock the user's IP address, run the activate ftp server ip-block ip-address
command.

Example
# Set the period after which the system automatically unlocks the user's IP address to 50
minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block reactive 50
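
The following Python model is an added example, not Huawei code. It replays constructed login events against the lockout rules of 3.7.37 and 3.7.38, using the values from the two examples above (failed-times 3, period 6, reactive 50). It assumes a sliding counting window, that a successful login resets the failure count, and that attempts from a locked address are refused without being counted; the class and function names are hypothetical.

```python
# Added illustration: a model of the documented lockout rules, not device code.
# Assumptions (not stated in the command reference): the counting window slides,
# a successful login resets the count, and attempts from a locked address are
# refused without being counted. Times are minutes since an arbitrary start.


class FtpIpBlockModel:
    def __init__(self, failed_times=6, period=5, reactive=5):
        # Defaults are the documented ones: 6 failures, 5 minutes, 5 minutes.
        self.failed_times = failed_times
        self.period = period
        self.reactive = reactive
        self._failures = {}    # ip -> minutes of recent consecutive failures
        self._locked_at = {}   # ip -> minute at which the address was locked

    def is_locked(self, ip, now):
        start = self._locked_at.get(ip)
        if start is None:
            return False
        if now - start >= self.reactive:   # reactive period over: auto-unlock
            del self._locked_at[ip]
            return False
        return True

    def activate(self, ip):
        """Manual unlock, the role of 'activate ftp server ip-block ip-address'."""
        self._locked_at.pop(ip, None)
        self._failures.pop(ip, None)

    def login(self, ip, success, now):
        """Return 'accepted', 'failed', 'locked' (this failure locked it) or 'rejected'."""
        if self.is_locked(ip, now):
            return "rejected"
        if success:
            self._failures.pop(ip, None)
            return "accepted"
        recent = [t for t in self._failures.get(ip, []) if now - t < self.period]
        recent.append(now)
        if len(recent) >= self.failed_times:
            self._locked_at[ip] = now
            self._failures.pop(ip, None)
            return "locked"
        self._failures[ip] = recent
        return "failed"


# Constructed sample events: (minute, source address, authentication succeeded).
EVENTS = [
    (0, "192.0.2.10", False), (2, "192.0.2.10", False), (5, "192.0.2.10", False),
    (10, "192.0.2.10", True),    # correct password, but the address is locked
    (54, "192.0.2.10", True),    # 49 minutes after the lock: still locked
    (55, "192.0.2.10", True),    # 50 minutes after the lock: unlocked again
    (60, "2001:db8::7", False), (64, "2001:db8::7", False),
    (67, "2001:db8::7", False),  # the failure at minute 60 has aged out
    (69, "2001:db8::7", False),  # 64, 67 and 69 fall inside one 6-minute window
    (80, "198.51.100.4", False), (81, "198.51.100.4", False),
    (82, "198.51.100.4", True),  # success resets the consecutive count
    (83, "198.51.100.4", False),
]


def replay(model, events):
    return [model.login(ip, ok, minute) for minute, ip, ok in events]


def demo():
    model = FtpIpBlockModel(failed_times=3, period=6, reactive=50)
    outcomes = replay(model, EVENTS)
    model.activate("2001:db8::7")                     # administrator unlocks by hand
    outcomes.append(model.login("2001:db8::7", True, 70))
    return outcomes


if __name__ == "__main__":
    for event, outcome in zip(EVENTS, demo()):
        print(event, "->", outcome)
```

In this model the correct password at minute 10 is refused because the lock applies to the source address, so the address stays blocked until the reactive period ends or it is activated manually.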

3.7.39 ftp server port

Function
The ftp server port command specifies the listening port number of the FTP server.

The undo ftp server port command restores the default value of the listening port number.

The default value is 21.

Format
ftp [ ipv6 ] server port port-number

undo ftp [ ipv6 ] server port

Parameters
Parameter: ipv6
Description: Specifies the IPv6 FTP server.
Value: -

Parameter: port port-number
Description: Specifies the listening port number of the FTP server.
Value: The value is 21 or an integer that ranges from 1025 to 65535.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

By default, the listening port number of the FTP server is 21. Attackers may frequently access
the default listening port, which wastes bandwidth, deteriorates server performance, and
prevents authorized users from accessing the FTP server through the listening port. You can
run the ftp [ ipv6 ] server port command to specify another listening port number to prevent
attackers from accessing the listening port.

The ftp server port port-number command sets the IPv4 listening port of the FTP server.

Prerequisites

Before running the ftp [ ipv6 ] server port command to specify the listening port number,
you must first run the undo ftp server command to disable FTP services.

Precautions

• After the listening port number is changed, the FTP server disconnects all FTP
  connections and uses the new listening port.
• If the current listening port number is 21, FTP client users do not need to specify the port
  number for logging in to the FTP server. If the current listening port number is not 21,
  FTP client users must use the FTP server's listening port number to log in to the FTP
  server.
• After the listening port number is changed, you must run the ftp server enable
  command to enable FTP services to make the configuration take effect.

Example
# Change the port number of the FTP server to 1028.

<HUAWEI> system-view
[~HUAWEI] undo ftp server
[*HUAWEI] ftp server port 1028

3.7.40 ftp server source

Function
The ftp server source command sets the specific source IP address of the FTP server to
establish the connection, including the source IP address and source interface.

The undo ftp server source command cancels the FTP server source configuration.

By default, the source IP address and source interface of the FTP server are not specified, and
the source IP address for the FTP server to send packets is 0.0.0.0. The IPv6 source address of
packets sent by the FTP server is ::.

Format
ftp server source { -a source-ip-address | -i interface-type interface-number }

undo ftp server source

ftp ipv6 server source -a ipv6-address [ -vpn-instance vpn-instance-name ]

undo ftp ipv6 server source

Parameters
Parameter: -a source-ip-address
Description: Specifies the source IP address for the FTP server to send packets. The loopback IP address is recommended.
Value: The value is in dotted decimal notation.

Parameter: -i interface-type interface-number
Description: Specifies the loopback interface of the FTP server as the source interface. The primary IP address of the source interface is the source IP address for sending packets. If no IP address is configured for the source IP address, the FTP connection cannot be set up.
Value: -

Parameter: ipv6
Description: Specifies the FTP IPv6 server.
Value: -

Parameter: -a ipv6-address
Description: Specifies the source IPv6 address.
Value: The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.

Parameter: -vpn-instance vpn-instance-name
Description: Specifies the VPN.
Value: The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If no source IP address is specified, the FTP server uses the source IP address specified by
routes to send packets. The source IP address must be configured for an interface with stable
performance, such as the loopback interface. Using the loopback interface as the source IP
address simplifies the ACL rule and security policy configuration. This shields the IP address
differences and interface status impact, filters incoming and outgoing packets, and
implements security authentication.
Before specifying a loopback interface as the source interface of the FTP server, the loopback
interface must have been created successfully; otherwise, the command cannot be run
successfully.
Before specifying a VPN instance for the FTP server, the VPN must have been created
successfully; otherwise, the command cannot be run successfully.
Precautions
• After the source IP address is specified for the FTP server, you must use the specified IP
  address to log in to the FTP server.
• After running the ftp server-source command, you can only use the specified IP address
  or loopback interface of the FTP server for login. You need to restart the FTP service to
  activate the configuration.
• If the ftp server-source command is not configured, all users can log in to the FTP
  server by default.
• If the FTP service has been enabled, the FTP service restarts after the ftp server source
  command is executed.
• If the specified source interface has been bound to a VPN instance, the server is
  automatically bound to the same VPN instance.
• After a bound VPN instance is deleted, the VPN configuration specified using the ftp
  server-source command will not be cleared but does not take effect. In this case, the
  FTP server uses a public IP address. If you configure the VPN instance with the same
  name again, the VPN function is restored.
• After a bound source interface is deleted, the interface configuration specified using the
  ssh server-source command will not be cleared but does not take effect. If you configure
  the source interface with the same name again, the interface configuration specified
  using the ssh server-source command is updated and the function is restored.

Example
# Set the source IP address of the FTP server to Loopback0.
<HUAWEI> system-view
[~HUAWEI] ftp server source -i loopback0
Warning: To make the server source configuration take effect, the FTP server will
be restarted. Continue? [Y/N]: y
Info: Succeeded in setting the source interface of the FTP server to LoopBack0.
Info: Succeeded in starting the FTP server.

3.7.41 ftp server timeout


Function
The ftp server timeout command configures the idle timeout duration of the FTP server.
The undo ftp server timeout command restores the default idle timeout duration.
By default, the idle timeout duration of the FTP server is 10 minutes.

Format
ftp [ ipv6 ] server timeout minutes
undo ftp [ ipv6 ] server timeout

Parameters
Parameter: ipv6
Description: Specifies the IPv6 FTP server.
Value: -

Parameter: minutes
Description: Specifies idle timeout duration.
Value: The value is an integer that ranges from 1 to 35791, in minutes.

Views
System view

Default Level
3: Management level

Usage Guidelines
After a user logs in to the FTP server, a connection is set up between the FTP server and the
user's client. The idle timeout duration is configured to release the connection when the
connection is interrupted or when the user performs no operation for a specified time.
The ftp server timeout minutes command takes effect only for IPv4 connections.

Example
# Set the idle timeout duration to 36 minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server timeout 36
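
The following Python checker is an added example, not a Huawei tool. It validates a batch of FTP server commands against the value ranges and ordering rules stated in 3.7.37 to 3.7.41 before the batch is pushed to a device. The function names and the sample batch are constructed for illustration, and the FTP service is assumed to be enabled when the batch starts.

```python
# Added illustration (not a Huawei tool): checks a command batch against sections 3.7.37-3.7.41.
import ipaddress
import re
import shlex

PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # "<HUAWEI>" or "[~HUAWEI]"


def _int_in(text, low, high):
    return text.isascii() and text.isdigit() and low <= int(text) <= high


def _check_source(args, ipv6):
    """Check the arguments after 'source'; return an error string or None."""
    if not ipv6 and args[:1] == ["-i"] and len(args) in (2, 3):
        return None  # interface existence can only be verified on the device
    if len(args) < 2 or args[0] != "-a":
        return "malformed source arguments"
    try:
        addr = ipaddress.ip_address(args[1])
    except ValueError:
        return f"{args[1]!r} is not a valid IP address"
    if addr.version != (6 if ipv6 else 4):
        return f"{args[1]} is the wrong address family for this command"
    rest = args[2:]
    if rest and (not ipv6 or len(rest) != 2 or rest[0] != "-vpn-instance"):
        return "unexpected arguments after the source address"
    if rest and not 1 <= len(rest[1]) <= 31:
        return "VPN instance name must be 1 to 31 characters"
    if rest and rest[1] == "_public_":
        return "_public_ is reserved and cannot be a VPN instance name"
    return None


def check_ftp_batch(lines, ftp_enabled=True):
    """Return sorted (line number, message) findings; ftp_enabled is the assumed start state."""
    findings, pending_port = [], None
    for no, raw in enumerate(lines, 1):
        try:
            tok = shlex.split(PROMPT.sub("", raw))
        except ValueError:
            findings.append((no, "unbalanced quotation marks"))
            continue
        if tok == ["undo", "ftp", "server"]:
            ftp_enabled = False
            continue
        if tok == ["ftp", "server", "enable"]:
            ftp_enabled, pending_port = True, None
            continue
        ipv6 = tok[:3] == ["ftp", "ipv6", "server"]
        if not ipv6 and tok[:2] != ["ftp", "server"]:
            continue
        args = tok[3:] if ipv6 else tok[2:]
        if not args or args[0] not in ("ip-block", "port", "timeout", "source"):
            continue  # a command this checker does not cover
        block = args[0] == "ip-block" and not ipv6  # the page gives no IPv6 ip-block form
        err = "malformed command"
        if args[0] == "source":
            err = _check_source(args[1:], ipv6)
        elif args[0] == "port" and len(args) == 2:
            if args[1] != "21" and not _int_in(args[1], 1025, 65535):
                err = "port must be 21 or an integer from 1025 to 65535"
            elif ftp_enabled:
                err = "run 'undo ftp server' before changing the listening port"
            else:
                err, pending_port = None, no
        elif args[0] == "timeout" and len(args) == 2:
            err = None if _int_in(args[1], 1, 35791) else "timeout must be 1 to 35791 minutes"
        elif block and len(args) == 5 and args[1] == "failed-times" and args[3] == "period":
            ok = _int_in(args[2], 1, 10) and _int_in(args[4], 1, 120)
            err = None if ok else "failed-times must be 1 to 10 and period 1 to 120 minutes"
        elif block and len(args) == 3 and args[1] == "reactive":
            err = None if _int_in(args[2], 1, 1000) else "reactive-period must be 1 to 1000 minutes"
        if err:
            findings.append((no, err))
    if pending_port is not None:
        findings.append((pending_port, "run 'ftp server enable' so the new port takes effect"))
    return sorted(findings)


# Constructed batch: the page's example commands mixed with deliberately wrong ones.
BATCH = [
    "[~HUAWEI] ftp server ip-block failed-times 3 period 6",
    "[*HUAWEI] ftp server port 1028",                          # FTP still enabled
    "[*HUAWEI] undo ftp server",
    "[*HUAWEI] ftp server port 1024",                          # outside 21 / 1025-65535
    "[*HUAWEI] ftp server port 1028",                          # valid, never re-enabled
    "[*HUAWEI] ftp server timeout 36",
    "[*HUAWEI] ftp server ip-block failed-times 12 period 6",  # failed-times above 10
    "[*HUAWEI] ftp ipv6 server source -a 2001:db8::1 -vpn-instance _public_",
]

if __name__ == "__main__":
    for line_no, message in check_ftp_batch(BATCH):
        print(f"line {line_no}: {message}")
```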

3.7.42 get (SFTP client view)


Function
The get command downloads a file from the SFTP server and saves the file to the local
device.

Format
get remote-filename [ local-filename ]

Parameters
Parameter: remote-filename
Description: Specifies the name of the file to be downloaded from the SFTP server.
Value: The value is a string of 1 to 128 case-sensitive characters without spaces. The remote-filename must already exist.

Parameter: local-filename
Description: Specifies the name of a downloaded file to be saved to the local device.
Value: The value is a string of 1 to 128 case-sensitive characters without spaces.

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the get command to download files from the SFTP server to upgrade devices.
Precautions
• If local-filename is not specified on the local device, the original file name is used.
• If the name of the downloaded file is the same as that of an existing local file, the system
  prompts you whether to overwrite the existing file.

Example
# Download a file from the SFTP server.

<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> get test.txt
Remote file: / test.txt ---> Local file: test.txt
Downloading the file. Please wait.../
Downloading file successfully ended.
File download is completed in 1 seconds.

3.7.43 get (FTP client view)


Function
The get command downloads a file from the FTP server and saves the file to the local device.

Format
get remote-filename [ local-filename ]

Parameters
Parameter: remote-filename
Description: Specifies the name of the file to be downloaded from the FTP server.
Value: The value is a string of 1 to 128 case-sensitive characters without spaces. The remote-filename must already exist.

Parameter: local-filename
Description: Specifies the name of a downloaded file to be saved to the local device.
Value: The value is a string of 1 to 128 case-sensitive characters without spaces.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the get command to download system software, backup configuration files, and
patch files from the FTP server to upgrade devices.
Precautions
• If the downloaded file name is not specified on the local device, the original file name is
  used.
• If the name of the downloaded file is the same as that of an existing local file, the system
  prompts you whether to overwrite the existing file.

Example
# Download the system software devicesoft.cc from the FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] get devicesoft.cc
200 Port command okay.
150 Opening ASCII mode data connection for /devicesoft.cc.
\ 6482944 bytes transferred
226 Transfer complete.
FTP: 6482944 byte(s) received in 54.500 second(s) 1117.40Kbyte(s)/sec.

3.7.44 help (SFTP client view)


Function
The help command displays the help information in the SFTP client view.

Format
help [ command-name ]

Parameters
Parameter: command-name
Description: Displays the format and parameters of a specified command in the SFTP client view.
Value: The value is a string of 1 to 255 characters.

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the help command to obtain the help information and display all commands or a
command format in the SFTP client view.
Precautions
If you specify no parameter when running the help command, all commands in the SFTP
client view are displayed.

Example
# Display the format of the command get.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> help get
get Remote file name STRING<1-128> [Local file name STRING<1-128>] Download
file
Default local file name is the same with remote file.

3.7.45 lcd

Function
The lcd command displays and changes the local working directory of the FTP client in the
FTP client view.

Format
lcd [ local-directory ]

Parameters
Parameter: local-directory
Description: Specifies the local working directory of the FTP client.
Value: The value is a string of 1 to 128 case-sensitive characters without spaces.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the lcd command to display the local working directory of the FTP client when
uploading or downloading files, and set the upload or download path to the path of the local
working directory.
Precautions
The lcd command displays the local working directory of the FTP client, while the pwd
command displays the working directory of the FTP server. If you specify the parameter
local-directory in the lcd command, you can directly change the local working directory in
the FTP client view.

Example
# Change the local working directory to flash:/test.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] lcd
The current local directory is flash:/.
[ftp] lcd flash:/test/
The current local directory is flash:/test/.

3.7.46 mget

Function
The mget command downloads multiple files from the remote FTP server to the local device.

Format
mget remote-filenames

Parameters
Parameter: remote-filenames
Description: Specifies multiple files to download to the local device. File names are separated using spaces, and the wildcard (*) is supported.
Value: The value is a string of 1 to 254 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run the mget command to download multiple files at the same time.

Precautions

• The command cannot download all files in a directory or subdirectory.
• If the name of the downloaded file is the same as that of an existing local file, the system
  prompts you whether to overwrite the existing file.

Example
# Download files 1.txt, 2.txt, and vrp221.cfg from the remote FTP server.
<HUAWEI> ftp 10.10.10.1
Trying 10.10.10.1 ...
Press CTRL+K to abort
Connected to 10.10.10.1.
220 FTP service ready.
User(10.10.10.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.

[ftp]mget 1.txt 2.txt vrp221.cfg
200 Port command okay.
150 Opening ASCII mode data connection for 1.txt.
226 Transfer complete.
FTP: 3885 byte(s) received in 0.174 second(s) 22.32Kbyte(s)/sec.

200 Port command okay.
150 Opening ASCII mode data connection for 2.txt.
226 Transfer complete.
FTP: 8721 byte(s) received in 0.179 second(s) 48.72Kbyte(s)/sec.

200 Port command okay.
150 Opening ASCII mode data connection for vrp221.cfg.
226 Transfer complete.
FTP: 6700 byte(s) received in 0.151 second(s) 44.37Kbyte(s)/sec.

[ftp]

3.7.47 mkdir (FTP client view)


Function
The mkdir command creates a directory on the remote FTP server.

Format
mkdir remote-directory

Parameters
Parameter: remote-directory
Description: Specifies the directory to be created.
Value: The value is a string of case-sensitive characters without spaces. The absolute path length ranges from 1 to 128.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
• You can run the mkdir command to create a subdirectory in a specified directory, and
  the subdirectory name must be unique.
• If no path is specified when you create a subdirectory, the subdirectory is created in the
  current directory.
• The created directory is stored on the FTP server.

Example
# Create a directory test on the remote FTP server.
<HUAWEI> ftp 172.16.104.110
Trying 172.16.104.110 ...
Press CTRL+K to abort
Connected to 172.16.104.110.
220 FTP service ready.
User(172.16.104.110:(none)):huawei
331 Password required for huawei
Enter password:
230 User logged in.
[ftp] mkdir test
257 "test" new directory created.

3.7.48 mkdir (SFTP client view)

Function
The mkdir command creates a directory on the remote SFTP server.

Format
mkdir remote-directory

Parameters
Parameter: remote-directory
Description: Specifies the directory to be created.
Value: The value is a string of case-sensitive characters without spaces. The absolute path length ranges from 1 to 128.

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
• You can run the mkdir command to create a subdirectory in a specified directory, and
  the subdirectory name must be unique.
• If no path is specified when you create a subdirectory, the subdirectory is created in the
  current directory.
• The created directory is stored on the SFTP server.
• After a directory is created, you can run the dir/ls (SFTP client view) command to view
  the directory.

Example
# Create a directory on the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> mkdir ssh
Info: Succeeded in creating a directory.

3.7.49 mkdir (User view)

Function
The mkdir command creates a directory in the current storage device.

Format
mkdir directory

Parameters
Parameter: directory
Description: Specifies a directory or directory and its path.
Settings: The value is a string of case-sensitive characters in the [ drive ] [ path ] directory format. The absolute path length ranges from 1 to 255, while the directory name length ranges from 1 to 128. Up to 8 levels of directories are supported. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. Characters such as ~, *, /, \, :, ', " cannot be used in the directory name.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

The following describes the drive name.


• drive is the storage device and is named as flash:.
• If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.

The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.

If only the subdirectory name is specified, a subdirectory is created in the current working
directory. You can run the pwd command to query the current working directory. If the
subdirectory name and directory path are specified, the subdirectory is created in the specified
directory.

Precautions

• The subdirectory name must be unique in a directory; otherwise, the message "Error:
  Directory with same name already exists" is displayed.
• A maximum of eight directory levels are supported when you create a directory.

Example
# Create the subdirectory new in the flash card.
<HUAWEI> mkdir flash:/new
Info: Create directory flash:/new......Done.

3.7.50 more

Function
The more command displays the content of a specified file.

Format
more filename [ offset ]

Parameters
Parameter: filename
Description: Specifies the file name.
Value: An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.

Parameter: offset
Description: Specifies the file offset.
Value: The value is an integer that ranges from 0 to 2147483647, in bytes.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the more command to display the file content directly on a device.
• The following describes the drive name.
  – drive is the storage device and is named as flash:.
  – If devices are stacked, drive can be named as:
    ■ flash: root directory of the flash memory of the master switch in the stack.
    ■ chassis ID#flash: root directory of the flash memory on a device in the stack.
      For example, slot2#flash: indicates the flash memory in slot 2.
• The path can be an absolute path or relative path. A relative path can be designated
  relative to either the root directory or the current working directory. A relative path
  beginning with a slash (/) is a path relative to the root directory.
  – flash:/my/test/ is an absolute path.
  – /selftest/ is a path relative to the root directory and indicates the selftest directory in
    the root directory.
  – selftest/ is a path relative to the current working directory and indicates the selftest
    directory in the current working directory.
Precautions

• You are not advised to use this command to display non-text files; otherwise, the
  terminal is shut down or displays garbled characters, which is harmless to the system.
• Files are displayed in text format.
• You can display the file content flexibly by specifying parameters before running the
  more command:
  – You can run the more filename command to view a specified text file. The content
    of the specified text file is displayed on multiple screens. You can press the
    spacebar consecutively on the current session GUI to display all content of the file.
    To display the file content on multiple screens, you must ensure that:
    ■ The number of lines that can be displayed on a terminal screen is greater than
      0. (The number of lines that can be displayed on a terminal screen is set by
      running the screen-length command.)
    ■ The total number of file lines is greater than the number of lines that can be
      displayed on a terminal screen. (The number of lines that can be displayed on a
      terminal screen is set by running the screen-length command.)
  – You can run the more filename offset command to view a specified file. The content
    of the specified text file starting from offset is displayed on multiple screens. You
    can press the spacebar consecutively on the current session GUI to display all
    content of the file.
    To display the file content on multiple screens, you must ensure that:
    ■ The number of lines that can be displayed on a terminal screen is greater than
      0. (The number of lines that can be displayed on a terminal screen is set by
      running the screen-length command.)
    ■ The number of lines starting from offset in the file is greater than the number
      of lines that can be displayed on a terminal screen. (The number of lines that
      can be displayed on a terminal screen is set by running the screen-length
      command.)

Example
# Display the content of the file test.bat.
<HUAWEI> more test.bat
rsa local-key-pair create
user-interface vty 12 14
authentication-mode aaa
protocol inbound ssh
user privilege level 5
commit
quit
ssh user sftpuser authentication-type password
ssh user sftpuser service-type all
sftp server enable
commit

# Display the content of the file log.txt and set the offset to 100.
<HUAWEI> more log.txt 100
: CHINA HUAWEI TECHNOLOGY LIMITTED CO.,LTD
# FILE NAME: Product Adapter File(PAF)
# PURPOSE: MAKE VRPV5 SUITABLE FOR DIFFERENT PRODUCT IN LIB

# SOFTWARE PLATFORM: V6R2C00


# DETAIL VERSION: B283
# DEVELOPING GROUP: 8090 SYSTEM MAINTAIN GROUP
# HARDWARE PLATFORM: 8090 (512M Memory)
# CREATED DATE: 2003/05/10
# AUTH: RAINBOW
# Updation History: Kelvin dengqiulin update for 8090(2004.08.18)
# lmg update for R3(2006.11.7)
# fsr update for R5 (2008.1.18)
# qj update for R6 (2008.08.08)
# COPYRIGHT: 2003---2008
#---------------------------------------------------------------------------------
-

#BEGIN FOR RESOURCE DEFINATION


[RESOURCE]
FORMAT: SPECS RESOURCE NAME STRING = CONTROLLABLE(1 : ABLE , 0: NOT ABLE),DEFAUL
T VALUE , MAX VALUE , MIN VALUE
#BEGIN SPECS RESOURCE FOR TE tunnel Nto1 PS MODULE
PAF_LCS_TUNNEL_SPECS_TE_PS_MAX_PROTECT_NUM = 1, 8, 16, 1
PAF_LCS_TUNNEL_SPECS_TE_PS_REBOOT_TIME = 1, 180000, 3600000, 60000
---- More ----

3.7.51 move
Function
The move command moves the source file from a specified directory to a destination
directory.

Format
move source-filename destination-filename

Parameters
Parameter: source-filename
Description: Specifies the directory and name of a source file.
Settings: An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.

Parameter: destination-filename
Description: Specifies the directory and name of a destination file.
Settings: An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " | < > [ ] cannot be used in the directory name.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
The following describes the drive name.
• drive is the storage device and is named as flash:.
• If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
Precautions
• The move and copy commands have different effects:
  – The move command moves the source file to the destination directory.
  – The copy command copies the source file to the destination directory.

Example
# Move the file test from the root directory to the directory new.
<HUAWEI> move test new/
Warning: Move file flash:/test to flash:/new/test? [Y/N]:y
100% complete
Info: Move file flash:/test to flash:/new/test...Done.

3.7.52 mput
Function
The mput command uploads multiple files from the local device to the remote FTP server.

Format
mput local-filenames

Parameters

Parameter: local-filenames
Description: Specifies files to be uploaded. File names are separated using spaces, and the wildcard (*) is supported.
Value: The value is a string of 1 to 256 characters.

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run the mput command to upload multiple files to the remote FTP server at the same
time, especially in the upgrade scenario.

The system displays a confirmation message before file transfer. You can disable the
prompt message by running the undo prompt command.

Precautions

If the name of the uploaded file is the same as that of an existing file on the FTP server, the
system overwrites the existing file.

Example
# Upload two local files 111.txt and vrp222.cfg to the remote FTP server.
<HUAWEI> ftp 10.10.10.1
Trying 10.10.10.1 ...
Press CTRL+K to abort
Connected to 10.10.10.1.
220 FTP service ready.
User(10.10.10.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.

[ftp] mput 111.txt vrp222.cfg

200 Port command successful.
150 Opening ASCII mode data connection for file transfer.
226 Transfer complete.
FTP: 6556 byte(s) sent in 0.231 second(s) 28.38Kbyte(s)/sec.

200 Port command successful.
150 Opening ASCII mode data connection for file transfer.
226 Transfer complete.
FTP: 4198 byte(s) sent in 0.171 second(s) 24.54Kbyte(s)/sec.

[ftp]


3.7.53 open

Function
The open command connects the FTP client and server.

Format
# Connect the FTP client to the FTP server based on the IPv4 address.
open [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ public-net | vpn-instance vpn-instance-name ]

# Connect the FTP client to the FTP server based on the IPv6 address.
open ipv6 host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ public-net | vpn-instance vpn-instance-name ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| -a source-ip-address | Specifies the source IP address for connecting to the FTP client. You are advised to use the loopback interface IP address. | - |
| -i interface-type interface-number | Specifies the source interface type and ID. You are advised to use the loopback interface. The IP address configured for this interface is the source IP address for sending packets. If no IP address is configured for the source interface, the FTP connection cannot be set up. | - |
| host-ip | Specifies the IP address or host name of the remote IPv4 FTP server. NOTE: You can run the display dns dynamic-host or display ip host command to view the mapping between the IP address and host name. | The IPv4 address is in dotted decimal notation. The host name is a string of 1 to 255 characters. |
| host-ipv6 | Specifies the IP address or host name of the remote IPv6 FTP server. NOTE: You can run the display dns dynamic-host or display ip host command to view the mapping between the IP address and host name. | The IPv6 address is a 32-digit hexadecimal number in the X:X:X:X:X:X:X:X format. The host name is a string of 1 to 255 characters. |
| port-number | Specifies the port number of the FTP server. | The value is an integer that ranges from 1 to 65535. The default value is the standard port number 21. |
| public-net | Specifies the FTP server on the public network. You must set the public-net parameter when the FTP server IP address is a public network IP address. | - |
| vpn-instance vpn-instance-name | Specifies the name of the VPN instance where the FTP server is located. | The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name. |
| host-ipv6 | Specifies the IP address of the remote IPv6 FTP server. | The value is a 32-digit hexadecimal number in the X:X:X:X:X:X:X:X format. |
| -oi interface-type interface-number | Specifies the source interface type and ID. | - |

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the open command in the FTP client view to connect the FTP client to the server
to transmit files and manage files and directories of the FTP server.
Precautions
- You can run the ftp command in the user view to connect the FTP client and server and
  enter the FTP client view.
- You can set the source IP address to the source or destination IP address in the ACL rule
  when the -a or -i parameter is specified on the IPv4 network. This shields the IP address
  differences and interface status impact, filters incoming and outgoing packets, and
  implements security authentication.
- You can run the set net-manager vpn-instance command to configure the NMS
  management VPN instance before running the open command to connect the FTP client
  and server.
  – If public-net or vpn-instance is not specified, the FTP client accesses the FTP
    server in the VPN instance managed by the NMS.
  – If public-net is specified, the FTP client accesses the FTP server on the public
    network.
  – If vpn-instance vpn-instance-name is specified, the FTP client accesses the FTP
    server in a specified VPN instance.
- If the port number that the FTP server uses is non-standard, you must specify a standard
  port number; otherwise, the FTP server and client cannot be connected.
- When you run the open command, the system prompts you to enter the user name and
  password for logging in to the FTP server. You can log in to the FTP client and enter the
  FTP client view if the user name and password are correct.

Example
# Connect the FTP client with the FTP server whose IP address is 10.137.217.204.
<HUAWEI> ftp
[ftp] open 10.137.217.204
Trying 10.137.217.204 ...
Press CTRL + K to abort
Connected to 10.137.217.204.
220 FTP service ready.
User(10.137.217.204:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.

[ftp]

# Connect the FTP client with the FTP server whose IP address is fc00:2001:db8::1.
<HUAWEI> ftp
[ftp] open ipv6 fc00:2001:db8::1
Trying fc00:2001:db8::1 ...
Press CTRL + K to abort
Connected to fc00:2001:db8::1
220 FTP service ready.
User(fc00:2001:db8::1:(none)):huawei
331 Password required for huawei
Enter Password:
230 User logged in.

[ftp]

3.7.54 passive
Function
The passive command sets the data transmission mode to passive.
The undo passive command sets the data transmission mode to active.
By default, the data transmission mode is active.

Format
passive
undo passive

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
The device supports the active and passive data transmission modes. In active mode, the
server initiates a connection request, and the client and server need to enable and monitor a
port to establish a connection. In passive mode, the client initiates a connection request, and
only the server needs to monitor the corresponding port. This command is used together with
the firewall function. When the client is configured with the firewall function, FTP
connections are restricted between internal clients and external FTP servers if the FTP
transmission mode is active. If the FTP transmission mode is passive, FTP connections
between internal clients and external FTP servers are not restricted.

Example
# Set the data transmission mode to passive.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] passive
Info: Succeeded in switching passive on.

3.7.55 prompt
Function
The prompt command enables the prompt function when files are transmitted between the
FTP client and server.
The undo prompt command disables the prompt function.
By default, the prompt function is disabled.

Format
prompt
undo prompt


Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can enable the prompt function as required when transmitting files between the FTP
client and server.
Precautions
- The prompt command can be used when you run the put, mput, get, and mget
  commands.
- The prompt function can be enabled only for confirming service upload and download.
  – When you run the put or mput command, the system always overwrites the
    existing file if the name of the uploaded file is the same as that of an existing file on
    the FTP server.
  – When you run the get or mget command, the system always prompts you whether
    to overwrite the existing file if the name of the uploaded file is the same as an
    existing file name in the specified directory.

Example
# Enable the FTP message prompt function.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] prompt
Info: Succeeded in switching prompt on.

# Disable the FTP message prompt function.
[ftp] undo prompt
Info: Succeeded in switching prompt off.

3.7.56 put (FTP client view)


Function
The put command uploads a local file to the remote FTP server.


Format
put local-filename [ remote-filename ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| local-filename | Specifies the local file name of the FTP client. | The value is a string of 1 to 128 case-sensitive characters without spaces. The local-filename must already exist. |
| remote-filename | Specifies the name of the file to be uploaded to the remote FTP server. | The value is a string of 1 to 128 case-sensitive characters without spaces. |

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the put command to upload a local file to the remote FTP server for further
check and backup. For example, you can upload the local log file to the FTP server for other
users to check, and upload the configuration file to the FTP server as a backup before
upgrading the device.
Precautions
- If the file name is not specified on the remote FTP server, the local file name is used.
- If the name of the uploaded file is the same as that of an existing file on the FTP server,
  the system overwrites the existing file.

Example
# Upload the configuration file vrpcfg.zip to the remote FTP server as a backup, and save it
as backup.zip.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] put vrpcfg.zip backup.zip
200 Port command okay.
150 Opening ASCII mode data connection for /backup.zip.
/ 100% [***********]
226 Transfer complete.
FTP: 1098 byte(s) sent in 0.131 second(s) 8.38Kbyte(s)/sec.

3.7.57 put (SFTP client view)

Function
The put command uploads a local file to a remote SFTP server.

Format
put local-filename [ remote-filename ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| local-filename | Specifies a local file name on the SFTP client. | The value is a case-sensitive character string without spaces. The file name (including the absolute path) contains 1 to 128 characters. The local-filename must already exist. |
| remote-filename | Specifies the name of the file uploaded to the remote SFTP server. | The value is a case-sensitive character string without spaces. The file name (including the absolute path) contains 1 to 128 characters. |

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

This command enables you to upload files from the local device to a remote SFTP server to
view the file contents or back up the files. For example, you can upload log files of a device to
an SFTP server and view the logs in the server. During an upgrade, you can upload the
configuration file of the device to the SFTP server for backup.

Precautions

- If remote-filename is not specified, the uploaded file is saved on the remote SFTP server
  with the original file name.
- If the specified remote-filename is the same as an existing file name on the SFTP server,
  the uploaded file overwrites the existing file on the server.

Example
# Upload a file to the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> put wm.cfg
Local file: wm.cfg ---> Remote file: /wm.cfg
Uploading the file. Please wait...\
Uploading file successfully ended.
File upload is completed in 0 seconds.

3.7.58 pwd (FTP client view)

Function
The pwd command displays the FTP client's working directory on the remote FTP server.

Format
pwd

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
After logging in to the FTP server, you can run the pwd command to display the FTP client's
working directory on the remote FTP server.

If the displayed working directory is incorrect, you can run the cd command to change the
FTP client's working directory on the remote FTP server.

Example
# Display the FTP client's working directory on the remote FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] pwd
257 "/" is current directory.


3.7.59 pwd (SFTP client view)

Function
The pwd command displays the SFTP client's working directory on the remote SFTP server.

Format
pwd

Parameters
None

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
After logging in to the SFTP server, you can run the pwd command to display the SFTP
client's working directory on the remote SFTP server.
If the displayed working directory is incorrect, you can run the cd command to change the
SFTP client's working directory on the remote SFTP server.

Example
# Display the SFTP client's working directory on the remote SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> pwd
Current directory is:
/
sftp-client> cd test
Current directory is:
/test
sftp-client> pwd
Current directory is:
/test

3.7.60 pwd (user view)

Function
The pwd command displays the current working directory.


Format
pwd

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
You can run the pwd command in any directory to display the current working directory. To
change the current working directory, you can run the cd command.

Example
# Display the current working directory.
<HUAWEI> pwd
flash:/test/

3.7.61 remotehelp

Function
The remotehelp command displays the help information about an FTP command when the
FTP client and server are connected.

Format
remotehelp [ command ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| command | Specifies the FTP command. | The value is a string of 1 to 16 characters. |

Views
FTP client view

Default Level
3: Management level


Usage Guidelines
You can run the remotehelp command to display the help information about an FTP
command.

- The help information is provided by the remote server. Different remote servers may
  provide different help information for an FTP command.
- The following protocol commands support help information.

| Command | Help Information |
|---|---|
| USER | "USER <sp> <username>" |
| PASS | "PASS <sp> password" |
| ACCT* | "ACCT <sp> account-information" |
| CWD | "CWD [ <sp> directory-name ]" |
| CDUP | "CDUP <change to parent directory>" |
| SMNT* | "SMNT <sp> <structure mount>, Unimplemented" |
| QUIT | "QUIT <terminate service>" |
| REIN* | "REIN <reinitialize server state>; Unimplemented" |
| PORT | "PORT <sp> b0, b1,b2, b3, b4, b5" |
| PASV | "PASV <set server in passive mode>" |
| TYPE | "TYPE <sp> [ A \| I ]" |
| STRU* | "STRU <specify file structure>; Unimplemented" |
| MODE* | "MODE <specify transfer mode>; Unimplemented" |
| RETR | "RETR <sp> file-name" |
| STOR | "STOR <sp> file-name" |
| STOU* | "STOU <sp> file-name; Unimplemented" |
| APPE | "APPE <sp> file-name" |
| ALLO* | "ALLO allocate storage<vacuously>; Unimplemented" |
| REST* | "REST <restart command>; Unimplemented" |
| RNFR | "RNFR <sp> file-name" |
| RNTO | "RNTO <sp> file-name" |
| ABOR* | "ABOR <abort operation>; Unimplemented" |
| DELE | "DELE <sp> file-name" |
| RMD | "RMD <sp> path-name" |
| MKD | "MKD <sp> path-name" |
| PWD | "PWD <return current directory>" |
| LIST | "LIST [ <sp> path-name ]" |
| NLST* | "NLST [ <sp> path-name ]; Unimplemented" |
| SITE* | "SITE; Unimplemented" |
| SYST | "SYST <get type of operating system>" |
| STAT* | "STAT [ <sp> <pathname> ]" |
| HELP | "HELP [ <sp> <string> ]" |
| NOOP* | "NOOP; Unimplemented" |
| XCUP | "XCUP <change to parent directory>" |
| XCWD | "XCWD [ directory-name ]" |
| XMKD | "XMKD <sp> path-name" |
| XPWD | "XPWD <return current directory>" |
| XRMD | "XRMD <sp> path-name" |
| EPSV | "EPSV <sp> <net-prt>" |
| EPRT | "EPRT <sp> <d><net-prt><d><net-addr><d><port><d>" |
| FEAT* | "FEAT, Unimplemented" |

NOTE
- * means the command is not complete.
- For the commands other than the above listed commands, the response string is "Unknown
  command".

Example
# Display the syntax of the command cdup.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] remotehelp
214-The following commands are recognized (Commands marked with '*' are unimplemented).
USER PASS ACCT* CWD CDUP SMNT* QUIT REIN*
PORT PASV TYPE STRU* MODE* RETR STOR STOU*
APPE ALLO* REST* RNFR RNTO ABOR DELE RMD
MKD PWD LIST NLST SITE* SYST STAT* HELP
NOOP* XCUP XCWD XMKD XPWD XRMD EPSV EPRT
FEAT*
214 Direct comments to Huawei Tech.
[ftp] remotehelp cdup
214 Syntax: CDUP <change to parent directory>.
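
The passive section (3.7.54) and the PORT, PASV, EPSV and EPRT rows of the remotehelp table describe the same negotiation: which side listens for the data connection and which side opens it. The following is an added example, not code from this manual or from the device software. It decodes the lines that carry that decision and reports whether the server must connect inward to the client, which is the case a client-side firewall restricts. The 227 and 229 reply layouts are taken from RFC 959 and RFC 2428 rather than from this page, and the sample lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DataChannel:
    mode: str            # "active" or "passive"
    listener: str        # side that opens and listens on the data port
    initiator: str       # side that opens the TCP data connection
    host: Optional[str]  # listener address; None = same host as the control connection
    port: int


def _port(value: int) -> int:
    if not 1 <= value <= 65535:
        raise ValueError(f"data port out of range: {value}")
    return value


def _six_bytes(text: str):
    """Decode b0,b1,b2,b3,b4,b5: four address bytes, then port = b4*256 + b5."""
    fields = [f.strip() for f in text.split(",")]
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError(f"expected six bytes in 0-255: {text!r}")
    b = [int(f) for f in fields]
    return ".".join(str(x) for x in b[:4]), _port(b[4] * 256 + b[5])


def parse_data_channel(line: str) -> DataChannel:
    """Classify one control-channel line that negotiates the data connection."""
    line = line.strip()

    m = re.fullmatch(r"PORT\s+(.+)", line, re.IGNORECASE)
    if m:  # active mode, IPv4: the client listens, the server connects to it
        host, port = _six_bytes(m.group(1))
        return DataChannel("active", "client", "server", host, port)

    m = re.fullmatch(r"EPRT\s+(.)([12])\1(.+?)\1(\d+)\1", line, re.IGNORECASE)
    if m:  # active mode: <d><net-prt><d><net-addr><d><port><d>
        addr = ipaddress.ip_address(m.group(3))
        if addr.version != {"1": 4, "2": 6}[m.group(2)]:
            raise ValueError("net-prt does not match the address family")
        return DataChannel("active", "client", "server", str(addr), _port(int(m.group(4))))

    m = re.match(r"227\b.*?\(([\d,\s]+)\)", line)
    if m:  # reply to PASV: the server listens, the client connects out
        host, port = _six_bytes(m.group(1))
        return DataChannel("passive", "server", "client", host, port)

    m = re.match(r"229\b.*?\((.)\1\1(\d+)\1\)", line)
    if m:  # reply to EPSV: only a port is returned
        return DataChannel("passive", "server", "client", None, _port(int(m.group(2))))

    raise ValueError(f"not a data-channel command or reply: {line!r}")


def needs_inbound_to_client(channel: DataChannel) -> bool:
    """True when the server has to open a connection towards the client."""
    return channel.initiator == "server"


def summarise(lines):
    """Return (mode, initiator, host, port, needs_inbound) for each line."""
    rows = []
    for line in lines:
        ch = parse_data_channel(line)
        rows.append((ch.mode, ch.initiator, ch.host, ch.port, needs_inbound_to_client(ch)))
    return rows


# Constructed control-channel lines (not captured from a device).
SAMPLE_LINES = [
    "PORT 10,10,10,2,195,80",
    "EPRT |2|fc00:2001:db8::2|50000|",
    "227 Entering Passive Mode (10,137,217,201,19,137)",
    "229 Entering Extended Passive Mode (|||6446|)",
]

if __name__ == "__main__":
    for row in summarise(SAMPLE_LINES):
        print(row)
```

Only the two active-mode lines report that an inbound connection to the client is needed, which matches the firewall behaviour described for active and passive mode.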

3.7.62 remove (SFTP client view)


Function
The remove command deletes specified files from the remote SFTP server.

Format
remove remote-filename &<1-10>

Parameters
| Parameter | Description | Value |
|---|---|---|
| remote-filename | Specifies the name of the file to be deleted from the remote SFTP server. | The value is a string of 1 to 128 case-sensitive characters without spaces. |

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
- You can specify a maximum of 10 file names in the command, separated by spaces, and
  delete them at one time.
- If the file to be deleted is not in the current directory, you must specify the file path.

Example
# Delete the file 3.txt from the server and backup1.txt from the test directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> remove 3.txt test/backup1.txt
Warning: Are sure to remove these files? [Y/N]:y
Info: Succeeded in removing the file: /3.txt.
Info: Succeeded in removing the file: /test/backup1.txt.


3.7.63 rename (SFTP client view)

Function
The rename command renames a file or directory stored on the SFTP server.

Format
rename old-name new-name

Parameters
| Parameter | Description | Value |
|---|---|---|
| old-name | Specifies the name of a file or directory. | The value is a string of 1 to 128 case-sensitive characters without spaces. The old-name must already exist. |
| new-name | Specifies the new name of the file or directory. | The value is a string of 1 to 128 case-sensitive characters without spaces. |

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
You can run the rename command to rename a file or directory.

Example
# Rename the directory yourtest on the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> rename test/yourtest test/test
Warning: Rename /test/yourtest to /test/test? [Y/N]:y
Info: Succeeded in renaming file.
sftp-client> cd test
Current directory is:
/test
sftp-client> dir
drwxrwxrwx 1 noone nogroup 0 Mar 29 22:44 .
drwxrwxrwx 1 noone nogroup 0 Mar 29 22:39 ..
drwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 test
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt


3.7.64 rename (user view)


Function
The rename command renames a file or folder.

Format
rename old-name new-name

Parameters
| Parameter | Description | Settings |
|---|---|---|
| old-name | Specifies the name of a file or folder. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 characters. The value consists of case-sensitive characters without spaces in the [ drive ] [ path ] filename format. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| new-name | Specifies the new name of the file or directory. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 characters. The value consists of case-sensitive characters without spaces in the [ drive ] [ path ] filename format. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
The following describes the drive name:
- drive is the storage device and is named as flash:.
- If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
- flash:/my/test/ is an absolute path.
- /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
- selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
Precautions
- You must rename a file or directory in its source directory.
- If the renamed file or directory has the same name as an existing file or directory, an
  error message is displayed.
- If you specify old-name or new-name without specifying the file path, the file must be
  saved in your current working directory.

Example
# Rename the directory mytest to yourtest in the directory flash:/test/.
<HUAWEI> pwd
flash:/test
<HUAWEI> rename mytest yourtest
Info: Rename file flash:/test/mytest to flash:/test/yourtest ?[Y/N]:y
Info: Rename file flash:/test/mytest to flash:/test/yourtest ......Done.

# Rename the file sample.txt to sample.bak.
<HUAWEI> rename sample.txt sample.bak
Info: Rename file flash:/sample.txt to flash:/sample.bak ?[Y/N] :y
Info: Rename file flash:/sample.txt to flash:/sample.bak .......Done.

3.7.65 reset recycle-bin


Function
The reset recycle-bin command permanently deletes files from the recycle bin.

Format
reset recycle-bin [ /f | filename | devicename ]

Parameters
| Parameter | Description | Value |
|---|---|---|
| /f | Directly deletes all files from the recycle bin. | - |
| filename | Specifies the name of a file to be deleted. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. The wildcard (*) character is supported. |
| devicename | Specifies the storage device name. | - |

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If you run the delete command without specifying the /unreserved parameter, the file is
moved to the recycle bin and still occupies the memory. To free up the space, you can run the
reset recycle-bin command to permanently delete the file from the recycle bin.
The following describes the drive name.
- drive is the storage device and is named as flash:.
- If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
- flash:/my/test/ is an absolute path.
- /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
- selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
Precautions
- You can run the dir /all command to display all files that are moved to the recycle bin
  from the current directory, and file names are displayed in square brackets ([ ]).
- If you delete a specified storage device, all files in the root directory of the storage
  device are deleted.
- If you run the reset recycle-bin command directly, all files that are moved to the recycle
  bin from the current directory are permanently deleted.

Example
# Delete the file test.txt that is moved to the recycle bin from the directory test.
<HUAWEI> reset recycle-bin flash:/test/test.txt
Info: Are you sure to clear flash:/test/test.txt?[Y/N]:y
Info: Clearing file flash:/test/test.txt......Done.

# Delete files that are moved to the recycle bin from the current directory.
<HUAWEI> pwd
flash:/test
<HUAWEI> reset recycle-bin
Info: Are you sure to clear flash:/test/aa.txt?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/aa.txt......Done.
Info: Are you sure to clear flash:/test/abc.txt?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/abc.txt......Done.
Info: Are you sure to clear flash:/test/1.bat?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/1.bat......Done.

3.7.66 rmdir (FTP client view)


Function
The rmdir command deletes a specified directory from the remote FTP server.

Format
rmdir remote-directory

Parameters
| Parameter | Description | Value |
|---|---|---|
| remote-directory | Specifies a directory or path on the FTP server. | The value is a string of 1 to 128 case-sensitive characters without spaces. |

Views
FTP client view

Default Level
3: Management level


Usage Guidelines
Usage Scenario
You can run the rmdir command to delete a specified directory from the remote FTP server.
Precautions
- Before running the rmdir command to delete a directory, you must delete all files and
  subdirectories from the directory.
- If no path is specified when you delete a subdirectory, the subdirectory is deleted from
  the current directory.
- The directory is deleted from the FTP server rather than the FTP client.

Example
# Delete the directory d:/temp1 from the remote FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] rmdir d:/temp1
250 'D:\temp1': directory removed.

3.7.67 rmdir (user view)


Function
The rmdir command deletes a specified directory from the storage device.

Format
rmdir directory

Parameters
| Parameter | Description | Value |
|---|---|---|
| directory | Specifies a directory or directory and its path. | The value is a string of case-sensitive characters in the [ drive ] [ path ] directory format. The absolute path length ranges from 1 to 255, while the directory name length ranges from 1 to 128. Up to 8 levels of directories are supported. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. Characters such as ~, *, /, \, :, ', " cannot be used in the directory name. |


Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

The following describes the drive name.


• drive is the storage device and is named as flash:.
• If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.

The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.

Precautions

• Before running the rmdir command to delete a directory, you must delete all files and
  subdirectories from the directory.
• A deleted directory and its files cannot be restored from the recycle bin.

Example
# Delete the directory test from the current directory.
<HUAWEI> rmdir test
Info: Are you sure to remove directory flash:/test?[Y/N]:y
Info: Removing directory flash:/test/.......Done.

3.7.68 rmdir (SFTP client view)

Function
The rmdir command deletes a specified directory from the remote SFTP server.

Format
rmdir remote-directory &<1-10>

Parameters
Parameter | Description | Value
remote-directory | Specifies the name of a file on the SFTP server. | The value is a string of 1 to 128 case-sensitive characters without spaces.

Views
SFTP client view

Default Level
3: Management level

Usage Guidelines
• You can specify a maximum of 10 file names in the command, separated by spaces, and delete
  them at one time.
• Before running the rmdir command to delete a directory, you must delete all files and
  subdirectories from the directory.
• If the directory to be deleted is not in the current directory, you must specify the file
  path.

Example
# Delete the directory 1 from the current directory, and the directory 2 from the test directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> rmdir 1 test/2
Warning: Are sure to remove these directories? [Y/N]:y
Info: Succeeded in removing the directory: /test/1.
Info: Succeeded in removing the directory: /test/test/2.

3.7.69 scp
Function
The scp command uploads a local file to the remote SCP server or downloads a file from the
remote SCP server to a local directory.

Format
# Transfer a file between the local client and the remote SCP server based on IPv4.
scp [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] [ -port port-number | { public-net | vpn-instance vpn-instance-name } | -c | -cipher cipher-type | -prefer-kex kex-type | -r | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] * source-filename destination-filename

# Transfer a file between the local client and the remote SCP server based on IPv6.
scp ipv6 [ -a source-ipv6-address | -oi interface-type interface-number ] [ public-net | vpn-instance vpn-instance-name ] [ -force-receive-pubkey ] [ -port port-number | -c | -cipher cipher-type | -prefer-kex kex-type | -r | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] * source-filename destination-filename

Parameters
Parameter | Description | Value
-a source-ip-address | Specifies the source IPv4 address for connecting to the SCP client. You are advised to use the loopback interface IP address. | -
-a source-ipv6-address | Specifies the source IPv6 address for connecting to the SCP client. You are advised to use the loopback interface IP address. | -
-i interface-type interface-number | Specifies the source interface used by the SCP client to set up connections. It consists of the interface type and number. It is recommended that you specify a loopback interface. The IP address configured for this interface is the source IP address for sending packets. If no IP address is configured for the source interface, the FTP connection cannot be set up. If the source interface is specified using -i interface-type interface-number, the public-net and vpn-instance vpn-instance-name parameters are not supported. | -
-oi interface-type interface-number | Specifies an outbound interface on the local device. If the remote host uses an IPv6 address, you must specify the outbound interface on the local device. | -
-force-receive-pubkey | Indicates that a server forcibly receives public key authentication. | -
-port port-number | Specifies the port number of the SCP server. | The value is an integer that ranges from 1 to 65535. The default value is 22.
public-net | Indicates that the SCP server is connected to the public network. | -
vpn-instance vpn-instance-name | Specifies the name of the VPN instance where the SCP server is located. | The name of the VPN instance must already exist.
-r | Uploads or downloads files in batches. | -
-c | Compress files when uploading or downloading them. | -
-cipher cipher-type | Specifies the encryption algorithms for uploading or downloading files. | The algorithms include: 3des, aes128, aes256, arcfour128, arcfour256, des, aes128_ctr, aes256_ctr, aes192, aes128_gcm, aes256_gcm, aes192_ctr. The default encryption algorithm is aes256. NOTE: You are advised to use aes128, aes256, arcfour128, aes128_ctr, aes256_ctr, and arcfour256 encryption algorithms to ensure high security.
-prefer_kex kex-type | Specifies the preferred key exchange algorithm. | The key exchange algorithms include: dh-exchange-group-sha256, dh_exchange_group, dh_group1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, sm2_kep, dh_group14_sha1. The default key exchange algorithm is ecdh-sha2-nistp521. NOTE: When the public key algorithm on the server is ecc, the sm2_kep algorithm is preferred.
identity-key | Specifies the public key algorithm for server authentication. | The public key algorithm can be one of the following: dsa, ecc, rsa. The default public key algorithm is ecc.
user-identity-key | Specifies a public key algorithm for user authentication. | The public key algorithm can be one of the following: dsa, ecc, rsa. The default public key algorithm is ecc.
source-filename | Specifies a source file to be uploaded or downloaded. | The source file format is username@hostname:[path]filename for the file downloading operation. The source file format is [path]filename for the file uploading operation.
destination-filename | Specifies a destination file to be uploaded or downloaded. | The destination file format is username@hostname:[path]filename for the file uploading operation. The destination file format is [path]filename for the file downloading operation.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

SCP file transfer mode is based on SSH2.0. Compared with the SFTP file transfer mode, the
SCP file transfer mode allows you to upload or download files when the connection is set up
between the SCP client and server.

• You are advised to set the source IP address to the loopback address, or set the outbound
  interface to the loopback interface using -a and -i, to improve security.
• When -r is specified, you can use the wildcard (*) to upload or download files in
  batches, for example, *.txt and huawei.*.
• When -c is specified, files are compressed before being transmitted. File compression
  takes a long time and affects file transfer speed; therefore, you are not advised to
  compress files before transferring them.

Precautions

• The format of uploaded and downloaded files of the SCP server is
  username@hostname:[path]filename.
  – username is the user name for logging in to the SCP server.
  – hostname is the name or IP address of the SCP server.
  – path is the working directory on the SCP server.
  – filename is the name of a file.
• If hostname is an IPv6 address, the IPv6 address must be included in square brackets
  ([ ]), for example, john@[1000::1]:.
• If the destination file name is the same as the name of an existing directory, the file is
  moved to this directory with the source file name. If the destination file has the same
  name as an existing file, the system overwrites the existing file.
• If an SCP user on the client authenticates the server using an RSA, a DSA or an ECC
  public key, the SCP user is prompted to select the key pair for authentication.

Example
# Log in through DSA authentication and copy the xxxx.txt file to the flash memory of
remote SCP server at 10.10.0.114.
<HUAWEI> system-view
[~HUAWEI] scp identity-key dsa flash:/xxxx.txt root@10.10.0.114:flash:/xxxx.txt
Trying 10.10.0.114...
Press CTRL+K to abort
Connected to 10.10.0.114...
The server is not authenticated. Continue to access it? [Y/N]:y
Save the server's public key? [Y/N]:y
The server's public key will be saved with the name 10.10.0.114. Please wait...

Please select public key type for user authentication [R for RSA/D for DSA/E for
ECC] Please select [R/D/E]: d
Enter password:
xxxx.txt 100% 261Bytes 1Kb/s
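
The checks this section describes for an scp command line (advised ciphers, source address or interface, -i combined with public-net or vpn-instance, bracketed IPv6 hosts, and the username@hostname:[path]filename operand) can be applied to saved command lines before they are run. This is an added Python example, not part of the Huawei documentation; the function names and finding codes are hypothetical, the last two sample commands are constructed, and interface names are assumed to be typed as two tokens as in the Format lines.

```python
import re
import shlex

# Cipher guidance quoted from the guide: the NOTE under -cipher (advised list)
# and the NOTE in section 3.7.75 (do not use des or 3des).
ADVISED_CIPHERS = {"aes128", "aes256", "arcfour128", "arcfour256",
                   "aes128_ctr", "aes256_ctr"}
DISCOURAGED_CIPHERS = {"des", "3des"}
DEFAULT_CIPHER = "aes256"  # documented default when -cipher is omitted

# Keyword arity from the Format lines (the guide spells -prefer-kex both ways).
ONE_ARG = {"-a", "-port", "-cipher", "-prefer-kex", "-prefer_kex",
           "vpn-instance", "identity-key", "user-identity-key"}
TWO_ARG = {"-i", "-oi"}  # interface-type interface-number, typed as two tokens
FLAGS = {"ipv6", "-force-receive-pubkey", "public-net", "-c", "-r"}

REMOTE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\[[^\]]+\]|[^:\s]+):(?P<path>.*)$")
BARE_IPV6 = re.compile(r"^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){2,}")


def parse_operand(text):
    """Classify an operand as remote (username@hostname:[path]filename) or local."""
    m = REMOTE.match(text)
    if not m:
        return {"remote": False, "path": text}
    host = m.group("host")
    after_at = text.split("@", 1)[1]
    return {
        "remote": True,
        "user": m.group("user"),
        "host": host.strip("[]"),
        "path": m.group("path"),
        # Without [ ], an IPv6 literal is cut at its first colon.
        "bare_ipv6": not host.startswith("[") and bool(BARE_IPV6.match(after_at)),
    }


def parse_scp(command):
    """Split one scp command line into its options and two file operands."""
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "scp":
        raise ValueError("not an scp command")
    opts, operands, i = {}, [], 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            opts[tok] = True
            i += 1
        elif tok in ONE_ARG or tok in TWO_ARG:
            width = 2 if tok in TWO_ARG else 1
            values = tokens[i + 1:i + 1 + width]
            if len(values) < width:
                raise ValueError(f"{tok} is missing its value")
            opts[tok] = " ".join(values)
            i += 1 + width
        else:
            operands.append(tok)
            i += 1
    if len(operands) != 2:
        raise ValueError("expected source-filename and destination-filename")
    return opts, parse_operand(operands[0]), parse_operand(operands[1])


def audit_scp(command):
    """Return (direction, remote host, findings) for one scp command line."""
    opts, src, dst = parse_scp(command)
    if src["remote"] == dst["remote"]:
        raise ValueError("exactly one operand must name the remote SCP server")
    direction = "download" if src["remote"] else "upload"
    remote = src if src["remote"] else dst
    findings = []
    cipher = opts.get("-cipher", DEFAULT_CIPHER)
    if cipher in DISCOURAGED_CIPHERS:
        findings.append(f"CIPHER_DISCOURAGED: {cipher} is one the guide says not to use")
    elif cipher not in ADVISED_CIPHERS:
        findings.append(f"CIPHER_NOT_ADVISED: {cipher} is not on the guide's advised list")
    if not {"-a", "-i", "-oi"} & opts.keys():
        findings.append("SOURCE_NOT_PINNED: no -a, -i or -oi on this command")
    if "-i" in opts and ("public-net" in opts or "vpn-instance" in opts):
        findings.append("SOURCE_IF_CONFLICT: -i does not support public-net or vpn-instance")
    if remote["bare_ipv6"]:
        findings.append("IPV6_NOT_BRACKETED: enclose the IPv6 address in [ ]")
    return direction, remote["host"], findings


SAMPLES = [
    "scp identity-key dsa flash:/xxxx.txt root@10.10.0.114:flash:/xxxx.txt",  # page example
    # The next two lines are constructed for this example.
    "scp -i LoopBack 0 vpn-instance v1 -cipher 3des admin@192.0.2.10:flash:/vrp.cc flash:/vrp.cc",
    "scp ipv6 -a 2001:db8::1 -cipher aes128_gcm flash:/a.cfg john@2001:db8::5:a.cfg",
]

if __name__ == "__main__":
    for line in SAMPLES:
        direction, host, findings = audit_scp(line)
        print(direction, host, findings or "no findings")
```

The advised list mirrors the guide and therefore includes arcfour128 and arcfour256; RFC 8758 deprecates RC4 in SSH, so trim ADVISED_CIPHERS to match local policy. A SOURCE_NOT_PINNED finding is expected when the source is set globally with scp client-source instead.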

3.7.70 scp client-source


Function
The scp client-source command specifies the source IP address for the SCP client to send
packets.
The undo scp client-source command cancels the source IP address for the SCP client to
send packets.
The default source IP address of the SCP client is 0.0.0.0.

Format
scp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-instance-name ] | -i
interface-type interface-number }
undo scp client-source

Parameters
Parameter | Description | Value
-a source-ip-address | Specifies the source IP address of the SCP client. You are advised to use the loopback interface IP address. | -
public-net | Indicates that the SCP server is connected to the public network. | -
-vpn-instance vpn-instance-name | Specifies the name of the VPN instance where the SCP server is located. | The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.
-i interface-type interface-number | Specifies the type and number of a source interface. The IP address configured for this interface is the source IP address for sending packets. If no IP address is configured for the source interface, the SCP connection cannot be set up. | -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the router
specifies to send packets. The source IP address must be configured for an interface with
stable performance. The loopback interface is recommended. Using the loopback interface as
the source interface simplifies the ACL rule and security policy configuration. This shields
the IP address differences and interface status impact, filters incoming and outgoing packets,
and implements security authentication.
Before specifying the parameter vpn-instance vpn-instance-name, ensure that a VPN instance
has been configured.
If you use -i to specify a logical interface as the source interface, ensure that the logical
interface has been created successfully.
Precautions
• The scp command can also specify a source IP address, which takes priority over the
  source IP address specified in the scp client-source command. If you specify source
  addresses in both the scp client-source and scp commands, the source IP address
  specified in the scp command is used for data communication. The source address
  specified in the scp client-source command applies to all SCP connections. The source
  address specified in the scp command applies only to the current SCP connection.
• If the specified source interface has been bound to a VPN instance, the client is
  automatically bound to the same VPN instance.
• After a bound VPN instance is deleted, the VPN configuration specified using the scp
  client-source command will not be cleared but does not take effect. In this case, the SCP
  server uses a public IP address. If you configure the VPN instance with the same name
  again, the VPN function is restored.
• After a bound source interface is deleted, the interface configuration specified using the
  ssh server-source command will not be cleared but does not take effect. If you configure
  the source interface with the same name again, the interface configuration specified
  using the ssh server-source command is updated and the function is restored.

Example
# Set the source IP address of the SCP client to the loopback interface IP address 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] scp client-source -a 10.1.1.1

3.7.71 scp max-sessions


Function
The scp max-sessions command sets the maximum number of SCP clients allowed to connect
to an SCP server concurrently.
The undo scp max-sessions command restores the default number of SCP clients allowed to
connect to an SCP server concurrently.
By default, a maximum of 2 SCP clients are allowed to connect to an SCP server
concurrently.

Format
scp max-sessions max-session-count
undo scp max-sessions

Parameters
Parameter | Description | Value
max-session-count | Specifies the number of SCP clients allowed to connect to an SCP server concurrently. | The value is an integer that ranges from 0 to 5. The default value is 2.

Views
System view

Default Level
3: Management level

Usage Guidelines
This command limits the number of SCP clients connecting to an SCP server.

This command takes effect for both IPv4 and IPv6 connections.

NOTE

If the configured limit is smaller than the number of currently connected SCP clients, the SCP clients are not
disconnected, but new SCP clients cannot connect to the SCP server.

Example
# Set the number of SCP clients allowed to connect to an SCP server to 5.
<HUAWEI> system-view
[~HUAWEI] scp max-sessions 5

3.7.72 scp server enable

Function
The scp server enable command enables the SCP service on the SSH server.

The undo scp server enable command disables the SCP service on the SSH server.

By default, the SCP function is disabled.

Format
scp [ ipv4 | ipv6 ] server enable

undo scp [ ipv4 | ipv6 ] server enable

Parameters
Parameter Description Value
ipv4 Specifies IPv4 server. -
ipv6 Specifies IPv6 server. -

Views
System view

Default Level
3: Management level

Usage Guidelines
SCP is used to copy, upload, and download files based on the SSH remote copy function. The
SCP file copy command is easy to use, improving network maintenance efficiency.

Run the scp server enable command to enable both the IPv4 and IPv6 SCP servers. Run the scp ipv4
server enable command to enable the IPv4 SCP server. Run the scp ipv6 server enable command to
enable the IPv6 SCP server.

To connect the client to the SSH server to transfer files in SCP mode, you must first enable
the SCP server on the SSH server.

In V200R002C50 and V200R003C00, you can run the scp [ ipv4 | ipv6 ] server enable
command to enable the SCP function. If the current version is downgraded to V200R001C00
or an earlier version, this configuration will be lost, so you need to run the scp server enable
command again. In V200R005C00, you can run the scp ipv4 server enable command to
enable the IPv4 SCP function, or run the scp ipv6 server enable command to enable the IPv6
SCP function (IPv4 SCP and IPv6 SCP functions are not enabled simultaneously). If the
current version is downgraded to V200R001C00 or an earlier version, this configuration will
be lost, so you need to run the scp server enable command again.

Example
# Enable the SCP service.
<HUAWEI> system-view
[~HUAWEI] scp server enable

3.7.73 set configuration appdata auto-check enable

Function
The set configuration appdata auto-check enable command enables the function to
automatically check whether data in the service process database is the same as that in the
central database.

The undo set configuration appdata auto-check enable command disables the function to
automatically check whether data in the service process database is the same as that in the
central database.

By default, this function is disabled.

Format
set configuration appdata auto-check enable

undo set configuration appdata auto-check enable

Parameters
none

Views
System view

Default Level
2: Configuration level

Task Name and Operations

Task Name | Operations
config | write

Usage Guidelines
Usage Scenario

The device data is saved in the central database and service process databases. Each service
process database needs to synchronize data from the central database. If the data in a service
process database is inconsistent with that in the central database, the host behaviors may not
meet operator expectations, causing service function exceptions. Therefore, automatic data
verification needs to be enabled to periodically check data consistency between service
process databases and the central database. If any inconsistency is detected, an alarm is
reported immediately so that you can analyze the impact on services in a timely manner. You can
restart the board or device to rectify the fault.

To enable or disable the automatic data verification function, run this command.

Example
# Disable the function to automatically check whether data in the service process database is
the same as that in the central database.
<HUAWEI> system-view
[~HUAWEI] undo set configuration appdata auto-check enable

3.7.74 set net-manager vpn-instance

Function
The set net-manager vpn-instance command configures the default VPN instance that the
NMS uses on the device.

The undo set net-manager vpn-instance command deletes the default VPN instance from
the device.

By default, no VPN instance is configured on the device.

Format
set net-manager [ ipv6 ] vpn-instance vpn-instance-name

undo set net-manager [ ipv6 ] vpn-instance

Parameters

Parameter | Description | Value
ipv6 | Specifies the IPv6 VPN instance. | -
vpn-instance vpn-instance-name | Specifies the name of the default VPN instance. | The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

If the NMS manages devices on the VPN network, you need to send the device information to
the NMS using the VPN instance.

You can run the set net-manager vpn-instance command to configure the default VPN
instance for the NMS to manage the device so that the device can use this VPN instance to
communicate with the NMS.

Precautions

• Before running the set net-manager vpn-instance command, you must create VPN
  instances.
• If the host has been configured as a log host, the NMS can receive device logs from the
  default VPN instance.
• The VPN configured using the set net-manager vpn-instance command affects the
  following service modules: TFTP client, FTP client, SFTP client, SCP client, Info Center
  module, SNMP module, TACACS module, IP FPM module, PM module, Callhome
  module of the SSH server.
• After a bound VPN instance is deleted, the VPN configuration specified using the set
  net-manager command will not be cleared but does not take effect. In this case, the
  server uses a public IP address. If you configure the VPN instance with the same name
  again, the VPN function is restored.

Example
# Set the default VPN instance to v1.
<HUAWEI> system-view
[~HUAWEI] set net-manager vpn-instance v1

3.7.75 sftp
Function
The sftp command connects the device to the SSH server so that you can manage files that are
stored on the SFTP server.

Format
# Connect the SFTP client to the SFTP server based on IPv4.
sftp [ -a source-address | -i interface-type interface-number | -force-receive-pubkey ] host-ip [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | prefer_kex kex-type | prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-type | prefer_ctos_hmac hmac-type | prefer_stoc_hmac hmac-type | prefer_ctos_compress compress-type | prefer_stoc_compress compress-type | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] *
# Connect the SFTP client to the SFTP server based on IPv6.
sftp ipv6 [ -force-receive-pubkey ] [ -a source-address ] host-ipv6 [ public-net | -vpn-instance vpn-instance-name ] [ -oi interface-type interface-number ] [ port ] [ prefer_kex kex-type | prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-type | prefer_ctos_hmac hmac-type | prefer_stoc_hmac hmac-type | prefer_ctos_compress compress-type | prefer_stoc_compress compress-type | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] *

Parameters
Parameter | Description | Value
-a source-address | Specifies the source IP address for connecting to the SFTP client. You are advised to use the loopback interface IP address. | -
-i interface-type interface-number | Specifies the source interface type and ID. You are advised to use the loopback interface. The IP address configured for this interface is the source IP address for sending packets. If no IP address is configured for the source interface, the SFTP connection cannot be set up. If the source interface is specified using -i interface-type interface-number, the -vpn-instance vpn-instance-name and public-net parameters are not supported. | -
-force-receive-pubkey | Indicates that a server forcibly receives public key authentication. | -
host-ip | Specifies the IP address or host name of the remote IPv4 SFTP server. | The value is a string of 1 to 255 case-sensitive characters without spaces. When quotation marks are used around the string, spaces are allowed in the string.
host-ipv6 | Specifies the IPv6 address or host name of the remote IPv6 SFTP server. | The value is a string of 1 to 255 case-sensitive characters without spaces. When quotation marks are used around the string, spaces are allowed in the string.
-oi interface-type interface-number | Specifies an outbound interface on the local device. If the remote host uses an IPv6 address, you must specify the outbound interface on the local device. | -
port | Specifies the port number of the SSH server. | The value is an integer that ranges from 1 to 65535. The default port number is 22.
public-net | Specifies the SFTP server on the public network. You must set the public-net parameter when the SFTP server IP address is a public network IP address. | -
-vpn-instance vpn-instance-name | Name of the VPN instance where the SFTP server is located. | The VPN must already exist.
prefer_kex kex-type | Specifies the preferred key exchange algorithm. | The key exchange algorithms include: dh-exchange-group-sha256, dh_exchange_group, dh_group1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, sm2_kep, DH_Group14_SHA1. The default key exchange algorithm is ecdh-sha2-nistp521. NOTE: When the public key for the authentication on the server is ecc, the preferred key exchange algorithm must be sm2_kep.
prefer_ctos_cipher cipher-type | Specify an encryption algorithm for transmitting data from the client to the server. | The encryption algorithms include: 3des, aes128, aes256, arcfour128, arcfour256, aes128_ctr, aes256_ctr, aes128_gcm, aes256_gcm, aes192_ctr. The default encryption algorithm is aes256. NOTE: Encryption algorithms supported depend on the ssh client cipher command configured by the user. You are advised to use aes128, aes256, arcfour128, aes128_ctr, aes256_ctr, and arcfour256 encryption algorithms to ensure high security.
prefer_stoc_cipher cipher-type | Specify an encryption algorithm for transmitting data from the server to the client. | The encryption algorithms include: 3des, aes128, aes256, arcfour128, arcfour256, aes128_ctr, aes256_ctr, aes128_gcm, aes256_gcm, aes192_ctr. The default encryption algorithm is aes256. NOTE: Encryption algorithms supported depend on the ssh client cipher command configured by the user. You are advised to use aes128, aes256, arcfour128, arcfour256, aes128_ctr, and aes256_ctr encryption algorithms to ensure high security.
prefer_ctos_hmac hmac-type | Specify an HMAC algorithm for transmitting data from the client to the server. | The HMAC algorithms include: md5, md5_96, sha1, sha1_96, sha2_256, sha2_256_96, sha2_512. The default HMAC algorithm is sha2_256.
prefer_stoc_hmac hmac-type | Specify an HMAC algorithm for transmitting data from the server to the client. | The HMAC algorithms include: md5, md5_96, sha1, sha1_96, sha2_256, sha2_256_96, sha2_512. The default HMAC algorithm is sha2_256.
prefer_ctos_compress compress-type | Specifies the preferred compression algorithm from the client to the server. | The value of this parameter can only be set to zlib in the current version.
prefer_stoc_compress compress-type | Specifies the preferred compression algorithm from the server to the client. | The value of this parameter can only be set to zlib in the current version.
-ki aliveinterval | Specifies the interval for sending keepalive packets when no packet is received in reply. | The value is an integer that ranges from 1 to 3600, in seconds.
-kc alivecountmax | Specifies the times for sending keepalive packets when no packet is received in reply. | The value is an integer that ranges from 1 to 30. The default value is 3.
identity-key | Specifies the public key algorithm for the authentication on the server. | The public key algorithm can be one of the following: dsa, ecc, rsa. The default public key algorithm is ecc.
user-identity-key | Indicates the public key for the user authentication. | The public key algorithm can be one of the following: dsa, ecc, rsa. The default public key algorithm is ecc.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

SFTP is short for SSH FTP, a secure FTP protocol. SFTP is based on SSH. It
ensures that users can log in to a remote device securely for file management and
transmission, and enhances the security of data transmission. In addition, you can log in to a
remote SSH server from the device that functions as an SFTP client.

When the connection between the SFTP server and client fails, the SFTP client must detect
the fault in time and disconnect from the SFTP server. To ensure this, before being connected
to the server in SFTP mode, the client must be configured with the interval and times for
sending the keepalive packet when no packet is received in reply. If the client receives no
packet in reply within the specified interval, the client sends the keepalive packet to the server
again. If the maximum number of times that the client sends keepalive packets exceeds the
specified value, the client releases the connection. By default, when no packet is received, the
function for sending keepalive packets is not enabled.

Precautions

• You can set the source IP address to the source or destination IP address in the ACL rule
  when the -a or -i parameter is specified. This shields the IP address differences and
  interface status impact, filters incoming and outgoing packets, and implements security
  authentication.
• The SSH client can log in to the SSH server with no port number specified only when
  the port number of the SSH server is 22. If the SSH server uses another port, the port
  number must be specified when SSH clients log in to the SSH server.
• If the sftp command fails because an ACL is configured on the SFTP client or because
  the TCP connection fails, an error message is displayed indicating that the SFTP client
  cannot be connected to the server.
NOTE

To ensure high security, do not use the des algorithm, the 3des algorithm, or an rsa algorithm whose length is
less than 2048 digits.

Example
# Set the current listening port number of the SSH server to 1025, and specify the SFTP client
on the public network and the SSH server on the private network.
<HUAWEI> system-view
[~HUAWEI] sftp 10.164.39.223 1025 -vpn-instance ssh
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Please input the username: client001
Please select public key type for user authentication [R for RSA/D for DSA/E for
ECC] Please select [R/D/E]: d
Enter password:
sftp-client>

# Set keepalive parameters when the client is connected to the server in SFTP mode.
<HUAWEI> system-view
[~HUAWEI] sftp 10.164.39.223 -ki 10 -kc 4
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Please input the username: client001
Please select public key type for user authentication [R for RSA/D for DSA/E for
ECC] Please select [R/D/E]: d
Enter password:
sftp-client>

3.7.76 sftp client-source

Function
The sftp client-source command specifies the source IP address for the SFTP client to send
packets.

The undo sftp client-source command restores the default source IP address for the SFTP
client to send packets.

The default source IP address for the SFTP client to send packets is 0.0.0.0.

Format
sftp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-instance-name ] |
-i interface-type interface-number }

undo sftp client-source

Parameters
Parameter: -a source-ip-address
Description: Specifies the IP address of the SFTP client as the source IP address.
Value: The value is in dotted decimal notation.

Parameter: public-net
Description: Indicates that the source address of packets sent by the client is a public address. This parameter is mandatory when you run this command to configure the source address of packets as the public address.
Value: -

Parameter: -vpn-instance vpn-instance-name
Description: Specifies the VPN instance name.
Value: The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.

Parameter: -i interface-type interface-number
Description: Specifies the source interface. The IP address configured for the source interface is the source IP address for sending packets. If no IP address is configured for the source interface, the FTP connection cannot be set up.
Value: -

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the router
specifies to send packets. The source IP address must be configured for an interface with
stable performance. The loopback interface is recommended. Using the loopback interface as
the source interface simplifies the ACL rule and security policy configuration. This shields
the IP address differences and interface status impact, filters incoming and outgoing packets,
and implements security authentication.
Precautions

• If the specified source interface has been bound to a VPN instance, the client is
automatically bound to the same VPN instance.
• If the specified source interface has been bound to a VPN instance, for example, vpn1,
but a different VPN instance, for example, vpn2, is specified in the sftp client-source
{ -a source-ip-address -vpn-instance vpn-instance-name } command, the VPN instance
configured by this command (vpn2) takes effect.
• You can query the source IP address or primary IP address of the source interface for the
SFTP connection on the SFTP server.
• The sftp command can also specify a source IP address, which has a higher priority than
the source IP address specified in the sftp client-source command. If you specify
source addresses in the sftp client-source and sftp commands, the source IP address
specified in the sftp command is used for data communication. The source address
specified in the sftp client-source command applies to all SFTP connections. The source
address specified in the sftp command applies only to the current SFTP connection.
• After a bound source interface is deleted, the interface configuration specified using the
ssh server-source command is not cleared but does not take effect. If you configure
the source interface with the same name again, the interface configuration specified
using the ssh server-source command is updated and the function is restored.

Example
# Set the source IP address of the SFTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] sftp client-source -a 10.1.1.1
Info: Succeeded in setting the source address of the SFTP client to 10.1.1.1.

3.7.77 sftp client-transfile

Function
The sftp client-transfile command uploads files from an SFTP client to an SFTP server or
downloads files from an SFTP server to an SFTP client.

Format
# Establish an SFTP connection based on IPv4.

sftp client-transfile { get | put } [ -a source-address | -i interface-type interface-number ]
host-ip host-ipv4 [ port ] [ public-net | -vpn-instance vpn-instance-name | prefer_kex
prefer_kex | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher |
prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac |
prefer_stoc_hmac prefer_stoc_hmac | -ki interval | -kc count ] * username user-name
password password sourcefile source-file [ destination destination ]

# Establish an SFTP connection based on IPv6.

sftp client-transfile { get | put } ipv6 [ -a source-ipv6-address ] host-ip host-ipv6 [ -oi
interface-type interface-number ] [ port ] [ public-net | -vpn-instance vpn-instance-name |
prefer_kex prefer_kex | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher
prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac
prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki interval | -kc count ] *
username user-name password password sourcefile source-file [ destination destination ]

Parameters
Parameter: get
Description: Downloads the files on the SFTP server to the local device.
Value: -

Parameter: put
Description: Uploads local files to the SFTP server.
Value: -

Parameter: -a source-address
Description: Specifies the source address of an SFTP client.
Value: The value is in dotted decimal notation.

Parameter: -i interface-type interface-number
Description: Specifies the source interface of an SFTP client.
Value: -

Parameter: host-ip host-ipv4
Description: Specifies the IPv4 address or host name of an SFTP server.
Value: -

Parameter: port
Description: Specifies the current monitoring port number on the SSH server. Only when the monitoring port number on the SFTP server is 22, the SFTP client can log in without a port number being specified. If the monitoring port number on the SFTP server is not 22, you must specify a port number for the SFTP client to log in.
Value: The value is an integer ranging from 1 to 65535. The default value is 22, which is a standard SFTP port number.

Parameter: public-net
Description: Establishes the SFTP connection on a public network.
Value: -

Parameter: -vpn-instance vpn-instance-name
Description: Specifies the name of a VPN instance. The SFTP connection is established on a private network.
Value: The value is a string of 1 to 31 case-sensitive characters, spaces not supported. NOTE: When quotation marks are used around the string, spaces are allowed in the string.

Parameter: prefer_kex prefer_kex
Description: Specifies a preferred algorithm for key exchange.
Value: Currently, the DH-group1, DH-exchange-group, SM2-KEP, ECDH-SHA2-NISTP256, ECDH-SHA2-NISTP384, ECDH-SHA2-NISTP521, DH-exchange-group-SHA256, and DH_group14_SHA1 algorithms are supported. The default algorithm is DH_group14_SHA1.

Parameter: identity-key { rsa | dsa | ecc }
Description: Specifies a public key algorithm for the server authentication.
Value: Currently, the RSA, DSA, and ECC algorithms are supported. The default algorithm is ECC.

Parameter: prefer_ctos_cipher prefer_ctos_cipher
Description: Specifies the preferred encryption algorithm for packets from the client to the server.
Value: Currently, the 3DES, AES128, AES128_CTR, AES128_GCM, AES192_CTR, AES256, AES256_CTR, AES256_GCM, ARCFOUR128, and ARCFOUR256 encryption algorithms are supported. The default algorithm is AES256_CTR.

Parameter: prefer_stoc_cipher prefer_stoc_cipher
Description: Specifies the preferred encryption algorithm for packets from the server to the client.
Value: Currently, the 3DES, AES128, AES128_CTR, AES128_GCM, AES192_CTR, AES256, AES256_CTR, AES256_GCM, ARCFOUR128, and ARCFOUR256 encryption algorithms are supported. The default algorithm is AES256_CTR.

Parameter: prefer_ctos_hmac prefer_ctos_hmac
Description: Specifies the preferred HMAC algorithm for packets from the client to the server.
Value: Currently, the SHA1, SHA1_96, MD5, MD5_96, SHA2_256, SHA2_512, and SHA2_256_96 HMAC algorithms are supported. The default algorithm is SHA2_256.

Parameter: prefer_stoc_hmac prefer_stoc_hmac
Description: Specifies the preferred HMAC algorithm for packets from the server to the client.
Value: Currently, the SHA1, SHA1_96, MD5, MD5_96, SHA2_256, SHA2_512, and SHA2_256_96 HMAC algorithms are supported. The default algorithm is SHA2_256.

Parameter: -ki interval
Description: Specifies an interval at which keepalive packets are sent if no data is received.
Value: The value is an integer ranging from 1 to 3600, in seconds. The default value is 60.

Parameter: -kc count
Description: Specifies the maximum number of times that the server does not respond.
Value: The value is an integer ranging from 1 to 30. The default value is 5.

Parameter: username user-name
Description: Specifies the user name used to log in to the SFTP server.
Value: The value is a string of 1 to 255 case-sensitive characters, spaces not supported. NOTE: When quotation marks are used around the string, spaces are allowed in the string.

Parameter: password password
Description: Specifies the password used to log in to the SFTP server.
Value: The value is a string of 1 to 128 case-sensitive characters, spaces not supported. NOTE: When quotation marks are used around the string, spaces are allowed in the string.

Parameter: sourcefile source-file
Description: Specifies the absolute path of the source file to be uploaded or downloaded.
Value: The value is a string of case-insensitive characters, spaces not supported. The absolute path is a string of 1 to 256 characters.

Parameter: destination destination
Description: Specifies the absolute path of the destination file to be uploaded or downloaded. If the destination destination parameter is not specified, the name of the uploaded or downloaded file is the same as that on the SFTP server.
Value: The value is a string of case-insensitive characters, spaces not supported. The absolute path is a string of 1 to 256 characters.

Parameter: ipv6
Description: Specifies an IPv6 SFTP server.
Value: -

Parameter: -oi interface-type interface-number
Description: Specifies the source IPv6 interface of an SFTP client. If host-ipv6 is set to a link-local IPv6 address, you must specify the interface name corresponding to the link-local address. If host-ipv6 is not set to a link-local IPv6 address, no interface name is required.
Value: -

Parameter: host-ip host-ipv6
Description: Specifies the IPv6 address or host name of an SFTP server.
Value: -

Parameter: -a source-ipv6-address
Description: Specifies the source address of an SFTP IPv6 client.
Value: The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To upload files from an SFTP client to an SFTP server or download files from an SFTP server
to an SFTP client, run the sftp client-transfile command. This command can be run only on
an SFTP client.
Before you run the sftp command to transfer files, enter the user name and password. You can
transfer files only when the authentication succeeds. The sftp client-transfile command
supports one-click file transfer, so that a file can be transferred after you run the command.
Prerequisites
Before you run the sftp client-transfile command to connect to an SFTP server, ensure that
the following requirements are met:
• The route between the SSH client and server is reachable. If the server does not use a
standard port number, the port number configured on the server must be obtained.
• The IP address of the SSH server and the information about the SSH user used for login
are obtained.
• The SFTP service is enabled on the server; the service types configured for the server
contain SFTP; password authentication is configured for the SSH user.
Configuration Impact

After a connection is established between an SFTP client and an SFTP server, they start to
communicate.
Precautions
• If command execution fails due to ACL configuration on the SFTP client or the TCP
connection fails, the system displays an error message indicating that the connection to
the server fails.
• When the connection between the server and the client fails, the client must detect the
fault in time and proactively tear down the connection. To achieve this, before the client
logs in to the server through SFTP, configure an interval at which keepalive packets are
sent if no data is received and the maximum number of times that the server does not
respond. If the client does not receive any data within the specified interval, it sends a
keepalive packet to the server. If the maximum number of times that the server does not
respond exceeds the specified value, the client proactively tears down the connection.
• If a source interface is specified using the -i interface-type interface-number parameter,
the -vpn-instance vpn-instance-name parameter cannot be set.
• This command is used to connect to the server and transfer files. Password authentication
is required for login.

Example
# Configure an SFTP user to download the source file sample.txt from the server at 10.1.1.2
to the SFTP client.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance ssh
[*HUAWEI-vpn-instance-ssh] ipv4-family
[*HUAWEI-vpn-instance-ssh-af-ipv4] commit
[~HUAWEI-vpn-instance-ssh-af-ipv4] quit
[~HUAWEI-vpn-instance-ssh] quit
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.2 1025 -vpn-instance ssh username huawei password Huawei-123 sourcefile sample.txt

# Configure an SFTP user to download the source file sample.txt from the server at 10.1.1.3
to the SFTP client. Set the interval at which keepalive packets are sent if no data is received
and the maximum number of times that the server does not respond to 10 and 4, respectively.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.3 -ki 10 -kc 4 username huawei password Huawei-123 sourcefile sample.txt

# Configure an SFTP user to download the source file sample.txt from the server at 10.1.1.4
to the SFTP client, and log in to the SFTP server in DSA authentication mode.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.4 identity-key dsa username huawei password Huawei-123 sourcefile sample.txt

# Configure an SFTP user to upload the sample.txt file to the SFTP server whose IPv6
address is 10::1, and log in to the SFTP server in DSA authentication mode.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile put ipv6 host-ip 10::1 identity-key dsa username huawei password Huawei-123 sourcefile sample.txt
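
The parameter table above gives the algorithms each option accepts and their defaults, and the NOTE under the sftp command advises against DES and 3DES. The following added example (not part of the Huawei manual or device software) reads an sftp client-transfile command from a script or change record, reports flagged algorithm choices per direction, and masks the password before the command is stored. Assumptions: algorithm values are spelled on the command line like the names in the table (compared ignoring case and -/_), the flag list beyond 3DES is this example's own review policy, and the second sample command is constructed.

```python
import shlex

# Defaults stated in the sftp client-transfile parameter table.
DEFAULTS = {
    "prefer_kex": "DH_GROUP14_SHA1",
    "identity-key": "ECC",
    "prefer_ctos_cipher": "AES256_CTR",
    "prefer_stoc_cipher": "AES256_CTR",
    "prefer_ctos_hmac": "SHA2_256",
    "prefer_stoc_hmac": "SHA2_256",
}

# Keywords from the Format line that are followed by exactly one value.
ONE_VALUE = set(DEFAULTS) | {
    "-a", "host-ip", "-vpn-instance", "-ki", "-kc",
    "username", "password", "sourcefile", "destination",
}

# Review policy of this example (an assumption, not a vendor list).
# 3DES is named in the manual's NOTE; the others are widely deprecated for SSH.
WEAK_CIPHERS = {"3DES": "named in the manual's NOTE",
                "ARCFOUR128": "RC4 stream cipher",
                "ARCFOUR256": "RC4 stream cipher"}
WEAK_HMACS = {"MD5": "MD5-based MAC", "MD5_96": "MD5-based MAC"}
FLAGGED = {
    "prefer_kex": {"DH_GROUP1": "1024-bit Diffie-Hellman group"},
    "identity-key": {"DSA": "DSA public key algorithm"},
    "prefer_ctos_cipher": WEAK_CIPHERS,
    "prefer_stoc_cipher": WEAK_CIPHERS,
    "prefer_ctos_hmac": WEAK_HMACS,
    "prefer_stoc_hmac": WEAK_HMACS,
}

# The first command is the manual's DSA example; the second is constructed.
PAGE_EXAMPLE = ("[~HUAWEI] sftp client-transfile get host-ip 10.1.1.4 identity-key dsa "
                "username huawei password Huawei-123 sourcefile sample.txt")
CONSTRUCTED = ('sftp client-transfile put host-ip 10.1.1.2 1025 prefer_ctos_cipher 3des '
               'prefer_stoc_hmac md5_96 -ki 10 -kc 4 username "ops user" '
               'password "pass word" sourcefile flash:/vrpcfg.txt')


def walk(command):
    """Yield (token, value); value is None for tokens that take no value.

    Consuming each value together with its keyword keeps a user name or
    password that happens to equal a keyword from being misread.
    """
    tokens = shlex.split(command)          # honours "quoted strings with spaces"
    i = 0
    while i < len(tokens):
        if tokens[i] in ONE_VALUE and i + 1 < len(tokens):
            yield tokens[i], tokens[i + 1]
            i += 2
        else:                              # prompt, get/put, ipv6, port, public-net, -i/-oi
            yield tokens[i], None
            i += 1


def parse_transfile(command):
    """Return the options in effect, with the documented defaults filled in."""
    pairs = list(walk(command))
    if "client-transfile" not in [token for token, _ in pairs]:
        raise ValueError("not an sftp client-transfile command")
    options = dict(DEFAULTS)
    for token, value in pairs:
        if value is None:
            continue
        if token in DEFAULTS:              # algorithm names: ignore case and -/_
            value = value.upper().replace("-", "_")
        options[token] = value
    return options


def audit(command):
    """List (option, algorithm, reason) for every flagged algorithm in effect."""
    options = parse_transfile(command)
    return [(key, options[key], reasons[options[key]])
            for key, reasons in FLAGGED.items() if options[key] in reasons]


def redact(command):
    """Rebuild the command with the password value masked, for logs or tickets."""
    out = []
    for token, value in walk(command):
        out.append(token)
        if value is not None:
            value = "******" if token == "password" else value
            out.append('"%s"' % value if " " in value else value)
    return " ".join(out)


if __name__ == "__main__":
    for cmd in (PAGE_EXAMPLE, CONSTRUCTED):
        print(redact(cmd))
        for finding in audit(cmd):
            print("  flagged:", finding)
```

In the constructed command only the client-to-server cipher is changed, so the server-to-client direction keeps the AES256_CTR default; each direction has to be reviewed separately.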

3.7.78 sftp idle-timeout

Function
The sftp idle-timeout command configures the idle timeout duration after which the SSH
server disconnects the SFTP client.
The undo sftp idle-timeout command restores the default idle timeout duration.
By default, the timeout period is 10 minutes.

Format
sftp idle-timeout minutes [ seconds ]
undo sftp idle-timeout

Parameters
Parameter: minutes
Description: Specifies the idle timeout minutes.
Value: The value is an integer that ranges from 0 to 35791.

Parameter: seconds
Description: Specifies the idle timeout seconds.
Value: It is an integer that ranges from 0 to 59.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the sftp idle-timeout command to configure the idle timeout duration. The SSH
server disconnects the SFTP client when an SFTP user does not perform any operation within
the specified duration.
Precautions
If you run the sftp idle-timeout 0 0 command, the idle timeout function is disabled.
This command takes effect for both IPv4 and IPv6 connections.

Example
# Set the idle timeout duration to 1 minute and 30 seconds.
<HUAWEI> system-view
[~HUAWEI] sftp idle-timeout 1 30

3.7.79 sftp max-sessions

Function
The sftp max-sessions command configures the maximum number of server connections in
SFTP mode.

The undo sftp max-sessions command restores the maximum number of server connections
in SFTP mode to the default value.

By default, a maximum of five servers can be connected in SFTP mode.

Format
sftp max-sessions max-session-count

undo sftp max-sessions

Parameters

Parameter: max-session-count
Description: Specifies the maximum number of server connections in SFTP mode.
Value: The value is an integer that ranges from 0 to 15.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run the sftp max-sessions command to configure the maximum number of SSH
server connections in SFTP mode to prevent the heavy load resulting from excessive accesses.
The command takes effect for both IPv4 and IPv6 connections.

Precautions

If the configured maximum number is smaller than the current number of connections, the
current connections persist and no new connection can be set up.

Example
# Set the maximum number of server connections to 10.
<HUAWEI> system-view
[~HUAWEI] sftp max-sessions 10

3.7.80 sftp server enable


Function
The sftp server enable command enables the SFTP service on the SSH server.
The undo sftp server enable command disables the SFTP service on the SSH server.
By default, the SFTP service is disabled.

Format
sftp [ ipv4 | ipv6 ] server enable
undo sftp [ ipv4 | ipv6 ] server enable

Parameters
Parameter: ipv4
Description: Specifies IPv4 server.
Value: -

Parameter: ipv6
Description: Specifies IPv6 server.
Value: -

Views
System view

Default Level
3: Management level

Usage Guidelines
To connect the client to the SSH server to transfer files in SFTP mode, you must first enable
the SFTP server on the SSH server.
Run the sftp server enable command to enable both the IPv4 and IPv6 SFTP servers. Run the
sftp ipv4 server enable command to enable the IPv4 SFTP server. Run the sftp ipv6 server
enable command to enable the IPv6 SFTP server.

Disabling the SFTP service on the server disconnects all the clients connected through SFTP.

In V200R002C50 and V200R003C00, you can run the sftp [ ipv4 | ipv6 ] server enable
command to enable the SFTP function. If the current version is downgraded to V200R001C00
or an earlier version, this configuration will be lost, so you need to run the sftp server enable
command again. In V200R005C00, you can run the sftp ipv4 server enable command to
enable the IPv4 SFTP function, or run the sftp ipv6 server enable command to enable the
IPv6 SFTP function (IPv4 SFTP and IPv6 SFTP functions are not enabled simultaneously). If
the current version is downgraded to V200R001C00 or an earlier version, this configuration
will be lost, so you need to run the sftp server enable command again.

Example
# Enable the SFTP service.
<HUAWEI> system-view
[~HUAWEI] sftp server enable
Info: Succeeded in starting the SFTP server.

3.7.81 sftp server default-directory


Function
The sftp server default-directory command configures the default authorized directory of
the SFTP server.
The undo sftp server default-directory command cancels the configured default authorized
directory of the SFTP server.
By default, the default authorized directory of the SFTP server is not configured.

Format
sftp server default-directory sftpdir
undo sftp server default-directory [ sftpdir ]

Parameters
Parameter: sftpdir
Description: Configures the default authorized directory of the SFTP server.
Value: The directory of the server must already exist.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When accessing the server using SFTP, you can only access the authorized directory of the
SFTP server. You can use any of the following methods to configure the authorized directory
of the SFTP server. The three methods are in descending order of priorities.
• Run the ssh user username sftp-directory directoryname command in the system view
to configure the authorized directory of the SFTP server for a specified user.
• Run the local-user user-name ftp-directory directory command in the AAA view to
configure the authorized directory of the FTP server for a specified user.
• Run the sftp server default-directory sftpdir command in the system view to configure
the global and default authorized directory of the SFTP server.

The authorized directory configured using the ssh user sftp-directory command has the
highest priority and takes effect only for specified SSH users. The authorized directory
configured using the sftp server default-directory command has the lowest priority and
takes effect for all SSH users. For example, if directoryA is configured for the user client001
using the ssh user client001 sftp-directory directoryA command, and directoryB is also
configured for the user client001 using the local-user client001 ftp-directory directoryB
command in the AAA view, the authorized directory that takes effect for the user client001 is
directoryA. If the authorized directories of the SFTP server and the FTP server are not
configured, the authorized directory configured using the sftp server default-directory
command is used.

Precautions

This command takes effect for both IPv4 and IPv6 SFTP servers.

In versions earlier than V200R001C00, the default access path of the device is flash:/. In
V200R001C00 and later versions, the SFTP access path is empty by default. Therefore, if you
perform file operations using SFTP on a device running a version earlier than V200R001C00
and the authorized directory of the SFTP server is not configured, the default access path
flash:/ is used.
• When the device is upgraded to V200R001C00 or V200R002C50, you need to manually
configure the ssh user username sftp-directory flash: command.
• When the device is upgraded to V200R003C00 or a later version, the sftp server
default-directory flash: command is automatically configured in the system to ensure
that users can properly access the device using SFTP after the upgrade. No action is
required.

Example
# Set the default authorized directory of the SFTP server for SSH users to flash:.
<HUAWEI> system-view
[~HUAWEI] sftp server default-directory flash:
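
The precedence of the three authorized-directory settings described above can be checked mechanically against a saved configuration. The following added example (not part of the Huawei manual or device software) resolves which directory takes effect for each user and marks users who end up with a whole storage drive such as flash:. The configuration excerpt is constructed, and comparing local-user names case-insensitively, like SSH user names, is an assumption.

```python
import shlex

# Constructed configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """
sftp server enable
sftp server default-directory flash:
ssh user client001 sftp-directory flash:/ssh
ssh user "ops user" sftp-directory flash:/ops
aaa
 local-user client001 ftp-directory flash:/ftp
 local-user client002 ftp-directory flash:/ftp2
"""

# The three methods, in descending order of priority as the manual lists them.
SOURCES = ("ssh user sftp-directory",
           "local-user ftp-directory",
           "sftp server default-directory")


def parse_directories(config_text):
    """Collect the three kinds of authorized-directory settings."""
    settings = {"ssh_user": {}, "local_user": {}, "default": None}
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)        # keeps "quoted names with spaces" whole
        except ValueError:                 # unbalanced quote: not one of these commands
            continue
        if len(tok) == 5 and tok[:2] == ["ssh", "user"] and tok[3] == "sftp-directory":
            settings["ssh_user"][tok[2].lower()] = tok[4]
        elif len(tok) == 4 and tok[0] == "local-user" and tok[2] == "ftp-directory":
            # Assumption: local-user names are matched case-insensitively.
            settings["local_user"][tok[1].lower()] = tok[3]
        elif len(tok) == 4 and tok[:3] == ["sftp", "server", "default-directory"]:
            settings["default"] = tok[3]
    return settings


def effective_directory(user, settings):
    """Return (directory, source) for one user, highest priority first."""
    key = user.lower()
    if key in settings["ssh_user"]:
        return settings["ssh_user"][key], SOURCES[0]
    if key in settings["local_user"]:
        return settings["local_user"][key], SOURCES[1]
    if settings["default"] is not None:
        return settings["default"], SOURCES[2]
    return None, "not configured"          # empty access path


def is_storage_root(directory):
    """True for a bare drive such as 'flash:' or 'flash:/' (this example's check)."""
    return directory is not None and directory.rstrip("/").endswith(":")


def review(users, config_text):
    """Resolve every user and mark those whose directory is a whole drive."""
    settings = parse_directories(config_text)
    rows = []
    for user in users:
        directory, source = effective_directory(user, settings)
        rows.append({"user": user, "directory": directory, "source": source,
                     "whole_drive": is_storage_root(directory)})
    return rows


if __name__ == "__main__":
    for row in review(["client001", "client002", "client003", "ops user"], SAMPLE_CONFIG):
        print(row)
```

A user with no per-user setting, such as client003 here, inherits the global default; after an upgrade to V200R003C00 or later that default is flash:, so per-user directories are what narrow access.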

3.7.82 ssh user sftp-directory

Function
The ssh user sftp-directory command configures the SFTP service authorized directory for
an SSH user.

The undo ssh user sftp-directory command cancels the SFTP service authorized directory
for an SSH user.

By default, the authorized directory of the SFTP service for the SSH user is not configured.

Format
ssh user username sftp-directory directoryname

undo ssh user username sftp-directory

Parameters
Parameter: username
Description: Specifies the SSH user name.
Value: The value is a string of 1 to 253 case-insensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

Parameter: directoryname
Description: Specifies the directory name on the SFTP server.
Value: The SFTP directory must already exist.

Views
System view

Default Level
3: Management level

Usage Guidelines
Users can only access the specified directory on the SFTP server. If the username user does
not exist, the system creates an SSH user named username and uses the SFTP service
authorized directory configured for the user. If the configured directory does not exist, the
SFTP client fails to connect to the SSH server using this SSH user.

The command takes effect for both IPv4 and IPv6 functions.

In versions earlier than V200R001C00, the default access path of the device is flash:/. In
V200R001C00 and later versions, the SFTP access path is empty by default. Therefore, if you
perform file operations using SFTP on a device running a version earlier than V200R001C00
and the authorized directory of the SFTP server is not configured, the default access path
flash:/ is used.
• When the device is upgraded to V200R001C00 or V200R002C50, you need to manually
configure the ssh user username sftp-directory flash: command.
• When the device is upgraded to V200R003C00 or a later version, the sftp server
default-directory flash: command is automatically configured in the system to ensure
that users can properly access the device using SFTP after the upgrade. No action is
required.

Example
# Configure the SFTP service authorized directory flash:/ssh for the SSH user admin.
<HUAWEI> system-view
[~HUAWEI] ssh user admin sftp-directory flash:/ssh

3.7.83 tail

Function
The tail command displays information in a file.

Format
tail file-name [ line ]

Parameters
Parameter: file-name
Description: Specifies the name of a file.
Value: The value is a string in the [ drive ] [ path ] [ file-name ] format. An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 characters. Up to 8 levels of directories are supported. The path must already exist.

Parameter: line
Description: Specifies the number of lines of information to be viewed. The number of lines is counted backwards from the last line in the file.
Value: The value is an integer ranging from 0 to 2147483647. By default, if this parameter is not selected, information in the last 10 lines is displayed.

Views
User view

Default Level
3: Management level

Usage Guidelines
You can run the tail command to view information in a file or in the last several lines of the
file.

Example
# Display information in the last two lines of the rpm.log file.
<HUAWEI> tail rpm.log 2
[140808-07:52:26] [RPM][SIGN] RPM ReqAppDBRspHandle RequestType:2, RequestId:
10001, RcvTransNo:655458744,SndTransNo:655458744,Session:655458744
[140808-07:52:27] [RPM][ERR] File:autoconfig.py does exist in the filelist in
node /opt/svrp/router1/1-17/vrpv8/home/$_system for osnode:273 when add file
[PID(25786): LinuxError(0)]

3.7.84 tftp
Function
The tftp command uploads a file to the TFTP server or downloads a file to the local device.

Format
# Upload a file to the TFTP server or download a file to the local device based on the IPv4
address

tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ vpn-instance
vpn-instance-name | public-net ] { get | put } source-filename [ destination-filename ]

# Upload a file to the TFTP server or download a file to the local device based on the IPv6
address

tftp ipv6 [ -a source-ipv6-address ] tftp-server-ipv6 [ vpn-instance vpn-instance-name |
public-net ] [ -oi interface-type interface-number ] { get | put } source-filename
[ destination-filename ]

Parameters
Parameter: -a source-ip-address
Description: Specifies the source IP address for connecting to the TFTP client. You are advised to use the loopback interface IPv4 address.
Value: -

Parameter: -a source-ipv6-address
Description: Specifies the source IPv6 address for connecting to the TFTP client. You are advised to use the loopback interface IP address.
Value: -

Parameter: -i interface-type interface-number
Description: Specifies the source interface used by the TFTP client to set up connections. It consists of the interface type and number. It is recommended that you specify a loopback interface. The IP address configured for this interface is the source IP address for sending packets. If no IP address is configured for the source interface, the TFTP connection cannot be set up.
Value: -

Parameter: tftp-server
Description: Specifies the IPv4 address or host name of the TFTP server. NOTE: You can run the display dns dynamic-host or display ip host command to view the mapping between the IP address and host name.
Value: -

Parameter: tftp-server-ipv6
Description: Specifies the IPv6 address for the TFTP server.
Value: -

Parameter: vpn-instance vpn-instance-name
Description: Name of the VPN instance where the TFTP server is located.
Value: The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.

Parameter: public-net
Description: Indicates that the TFTP server on the public network is connected.
Value: -

Parameter: get
Description: Download a file.
Value: -

Parameter: put
Description: Upload a file.
Value: -

Parameter: source-filename
Description: Specifies the source file name.
Value: The value is a string of 1 to 128 case-sensitive characters without spaces. It can contain alphanumeric and special characters. The source-filename must already exist.

Parameter: destination-filename
Description: Specifies the destination file name.
Value: The value is a string of 1 to 128 case-sensitive characters without spaces. It can contain alphanumeric and special characters. By default, source and destination file names are the same.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

When upgrading the system, you can run the tftp command to upload an important file to the
TFTP server or download system software to the local device.

Precautions

• When you run the tftp command to upload a file to the TFTP server in TFTP mode, files
are transferred in binary mode by default. The tftp command does not support the ASCII
mode for file transfer.

• After specifying a source IP address, you can use this IP address to communicate with
the server and implement packet filtering to ensure data security.

Example
# Download file vrpcfg.txt from the root directory of the TFTP server to the local device. The
IP address of the TFTP server is 10.1.1.1. Save the downloaded file to the local device as file
vrpcfg.bak.
<HUAWEI> tftp 10.1.1.1 get vrpcfg.txt flash:/vrpcfg.bak

# Upload file vrpcfg.txt from the root directory of the storage device to the default directory
of the TFTP server. The IP address of the TFTP server is 10.1.1.1. Save file vrpcfg.txt on the
TFTP server as file vrpcfg.bak.
<HUAWEI> tftp 10.1.1.1 put flash:/vrpcfg.txt vrpcfg.bak

3.7.85 tftp client source


Function
The tftp client source command specifies the source IP address for the TFTP client to send
packets.
The undo tftp client source command restores the default source IP address for the TFTP
client to send packets.
The default source IP address for the TFTP client to send packets is 0.0.0.0.

Format
tftp client source { -a source-ip-address | -i interface-type interface-number }
undo tftp client source

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| -a source-ip-address | Specifies the source IP address of the TFTP client. You are advised to use the loopback interface IP address. | The value is in dotted decimal notation. |
| -i interface-type interface-number | Specifies the source interface type and interface number to establish the connection with the server. The IP address configured for this interface is the source IP address for sending packets. If no IP address is configured for the source interface, the TFTP connection cannot be set up. | - |

Views
System view


Default Level
3: Management level

Usage Guidelines
Usage Scenario

If no source IP address is specified, the client uses the source IP address that the router
specifies to send packets. The source IP address must be configured for an interface with
stable performance. The loopback interface is recommended. Using the loopback interface as
the source interface simplifies the ACL rule and security policy configuration. This shields
the IP address differences and interface status impact, filters incoming and outgoing packets,
and implements security authentication.

Precautions

• The tftp command also configures the source IP address whose priority is higher than
  that of the source IP address specified in the tftp client source command. If you specify
  source addresses in the tftp client source and tftp commands, the source IP address
  specified in the tftp command is used for data communication. The source address
  specified in the tftp client source command applies to all TFTP connections. The source
  address specified in the tftp command applies only to the current TFTP connection.
• You can query the source IP address or source interface IP address specified in the TFTP
  connection on the TFTP server.
• After a bound source interface is deleted, the interface configuration specified using the
  ssh server-source command will not be cleared but does not take effect. If you configure
  the source interface with the same name again, the interface configuration specified
  using the ssh server-source command is updated and the function is restored.
• The command takes effect for IPv4 functions.
• If the specified source interface has been bound to a VPN instance, the client is
  automatically bound to the same VPN instance.

Example
# Set the source IP address of the TFTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] tftp client source -a 10.1.1.1
Info: Succeeded in setting the source address of the TFTP client to 10.1.1.1.

3.7.86 tftp server acl

Function
The tftp server acl command specifies the ACL number or ACL name for the local device so
that the device can access TFTP servers with the same ACL number or ACL name.

The undo tftp server acl command deletes the ACL number or ACL name from the local
device.

By default, no ACL number or ACL name is specified on the local client.


Format
tftp server [ ipv6 ] acl { acl-number | acl-name }

undo tftp server [ ipv6 ] acl

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| acl-number | Specifies the number of the ACL. | The value is an integer that ranges from 2000 to 2999. |
| acl-name | Specifies the ACL name. | The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter or digit, and cannot contain only digits. |
| ipv6 | Specifies the IPv6 address of a specific server. | - |

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

To ensure the security of the local device, run the tftp server acl command to specify an
ACL that defines the TFTP servers that the local device can access.

Precautions

The tftp server acl command takes effect only after you run the rule (ACL view) or rule
(ACL6 view) command to configure the rule. If no rule is configured, the local device can
access a specified TFTP server in TFTP mode.

If no rule is configured, the incoming and outgoing calls are not restricted after the command
tftp server acl is run.

Example
# Allow the local device to access the TFTP server whose ACL number is 2000.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] tftp server acl 2000
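
The precaution above (an ACL bound with tftp server acl has no effect until it contains a rule) and the 0.0.0.0 default of tftp client source can both be checked offline against saved command text. The following Python script is an added example, not part of the Huawei reference; the function names, finding codes, the accepted spellings of the acl line and the second sample input are assumptions made for illustration.

```python
import re

# Strips interactive prompts such as "<HUAWEI> " or "[*HUAWEI-acl4-basic-2000] ".
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")
# Assumed spellings of an ACL definition: "acl 2000", "acl number 2000",
# "acl name mgmt ...", each optionally with "ipv6" after "acl".
ACL_DEF = re.compile(r"^acl\s+(ipv6\s+)?(?:number\s+|name\s+)?(\S+)")
TFTP_ACL = re.compile(r"^tftp\s+server\s+(ipv6\s+)?acl\s+(\S+)$")
TFTP_SRC = re.compile(r"^tftp\s+client\s+source\s+-[ai]\s+\S+")

# The example from this section, copied from the page.
PAGE_EXAMPLE = """\
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] tftp server acl 2000
"""

# Constructed sample: an empty ACL and an out-of-range, undefined ACL.
CONSTRUCTED_WEAK = """\
acl 2001
quit
tftp client source -i LoopBack 0
tftp server acl 2001
tftp server ipv6 acl 3000
"""


def parse_config(text):
    """Return (acl_rules, bindings, has_source) from command lines."""
    acl_rules = {}      # (family, acl id) -> list of rule lines
    bindings = []       # (family, acl id) named by "tftp server acl"
    has_source = False
    current = None      # ACL view currently being filled
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("#") or line in ("quit", "return"):
            current = None          # left the ACL view
            continue
        m = ACL_DEF.match(line)
        if m:
            current = ("ipv6" if m.group(1) else "ipv4", m.group(2))
            acl_rules.setdefault(current, [])
            continue
        if line.startswith("rule ") and current is not None:
            acl_rules[current].append(line)
            continue
        m = TFTP_ACL.match(line)
        if m:
            bindings.append(("ipv6" if m.group(1) else "ipv4", m.group(2)))
            continue
        if TFTP_SRC.match(line):
            has_source = True
    return acl_rules, bindings, has_source


def audit_tftp(text):
    """List findings for the TFTP client settings described on this page."""
    acl_rules, bindings, has_source = parse_config(text)
    findings = []
    if not bindings:
        # By default no ACL is specified for the TFTP client.
        findings.append("no-tftp-server-acl")
    for family, acl_id in bindings:
        # The parameter table limits acl-number to 2000..2999.
        if acl_id.isdigit() and not 2000 <= int(acl_id) <= 2999:
            findings.append(f"acl-number-out-of-range:{family}:{acl_id}")
        # Without a rule the binding does not restrict anything.
        if not acl_rules.get((family, acl_id)):
            findings.append(f"acl-has-no-rule:{family}:{acl_id}")
    if not has_source:
        # The default source address 0.0.0.0 is in use.
        findings.append("no-tftp-client-source")
    return findings


if __name__ == "__main__":
    for name, sample in (("page example", PAGE_EXAMPLE),
                         ("constructed", CONSTRUCTED_WEAK)):
        print(name, audit_tftp(sample))
```
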


3.7.87 undelete

Function
The undelete command restores a file that has been temporarily deleted and moved
to the recycle bin.

Format
undelete { filename | devicename }

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| filename | Specifies the name of a file to be restored. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| devicename | Specifies the storage device name. | - |

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the undelete command to restore a file that has been temporarily deleted and
moved to the recycle bin. However, files that are permanently deleted by running the delete or
reset recycle-bin command with the /unreserved parameter cannot be restored.
The following describes the drive name.
• drive is the storage device and is named as flash:.


• If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
Like devicename, drive specifies the storage device name.
Precautions
• To display information about a temporarily deleted file, run the dir /all command. The
  file name is displayed in square brackets ([ ]).

Example
# Restore file sample.bak from the recycle bin.
<HUAWEI> undelete sample.bak
Info: Are you sure to undelete flash:/sample.bak ?[Y/N]:y
Info: Undeleting file flash:/sample.bak......Done.

# Restore a file that has been moved from the root directory to the recycle bin.
<HUAWEI> undelete flash:
Info: Are you sure to undelete flash:/test.txt?[Y/N] :y
Info: Undeleting file flash:/test.txt......Done.
Info: Are you sure to undelete flash:/rr.bak?[Y/N]:y
Info: Undeleting file flash:/rr.bak......Done.

3.7.88 unzip
Function
The unzip command decompresses a file.

Format
unzip source-filename destination-filename [ password password ]


Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| source-filename | Specifies the name of a source file to be decompressed. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| destination-filename | Specifies the name of a destination file that is decompressed. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| password password | Specifies the password for an encrypted compressed file. | The password is a string of 8 to 20 characters containing two or more types of digits, uppercase letters, lowercase letters, and special characters. |

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can decompress files, especially log files that are stored on the storage device, and then
run the more command to view the decompressed file.


If the target file requires high security, you are advised to encrypt the file. unzip can
decompress compressed files encrypted in AES-256 mode.

The following describes the drive name.

• drive is the storage device and is named as flash:.
• If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.

The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.

Precautions

• If the destination file path is specified while the file name is not specified, the
  destination file name is the same as the source file name.
• The source file persists after being decompressed.
• The compressed file must be a .zip file. If a file to be decompressed is not a zip file, the
  system displays an error message during decompression.
• The source file must be a single file. If you attempt to decompress a directory or multiple
  files, the decompression cannot succeed.

Example
# Decompress log file syslogfile-2012-02-27-17-47-50.zip that is stored in the syslogfile
directory and save it to the root directory as file log.txt.
<HUAWEI> pwd
flash:/syslogfile
<HUAWEI> unzip syslogfile-2012-02-27-17-47-50.zip flash:/log.txt
Info: Extract flash:/syslogfile/syslogfile-2012-02-27-17-47-50.zip to flash:/
log.txt?[Y/N]:y
100% complete
Info: Decompressed file flash:/syslogfile/syslogfile-2012-02-27-17-47-50.zip to
flash
:/log.txt...Done

3.7.89 user

Function
The user command changes the current FTP user when the local device is connected to the
FTP server.


Format
user user-name

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| user-name | Specifies the name of a login user. | The value is a string of 1 to 255 case-insensitive characters. |

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run the user command to change the current user on the FTP server.
Precautions
After you run the user command to change the current user, a new FTP connection is set up,
which is the same as the connection that you set up by running the ftp command.

Example
# Log in to the FTP server using the user name tom.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] user tom
331 Password required for tom.
Enter password:
230 User logged in.

3.7.90 verbose

Function
The verbose command enables the verbose function on the FTP client.
The undo verbose command disables the verbose function.
By default, the verbose function is enabled.


Format
verbose

undo verbose

Parameters
None

Views
FTP client view

Default Level
3: Management level

Usage Guidelines
After the verbose function is enabled, all FTP response messages are displayed on the FTP
client.

Example
# Enable the verbose function.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp] verbose
Info: Succeeded in switching verbose on.
[ftp] get h1.txt
200 Port command okay.
150 Opening ASCII mode data connection for h1.txt.

226 Transfer complete.


FTP: 69 byte(s) received in 0.160 second(s) 431.25byte(s)/sec.

# Disable the verbose function.


[ftp] undo verbose
Info: Succeeded in switching verbose off.
[ftp] get h1.txt

FTP: 69 byte(s) received in 0.150 second(s) 460.00byte(s)/sec.

3.7.91 zip

Function
The zip command compresses a file.


The unzip command decompresses a file.

Format
zip source-filename destination-filename [ password password ]
unzip source-filename destination-filename [ password password ]

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| source-filename | Specifies the name of a source file to be compressed. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| destination-filename | Specifies the name of a destination file that is compressed. | An absolute path name is a string of 1 to 255 characters. A relative path name is a string of 1 to 128 case-sensitive characters without spaces in the [ drive ] [ path ] file name format. Up to 8 levels of directories are supported. When quotation marks are used around the string, spaces are allowed in the string. In the preceding parameter, drive specifies the storage device name, and path specifies the directory and subdirectory. You are advised to add : and / between the storage device name and directory. Characters ? ~ * / \ : ' " \| < > [ ] cannot be used in the directory name. |
| password password | Specifies the password for an encrypted compressed file. | The password is a string of 8 to 20 characters containing two or more types of digits, uppercase letters, lowercase letters, and special characters. |

Views
User view


Default Level
3: Management level

Usage Guidelines
Usage Scenario
If the target file requires high security, you are advised to encrypt the file. If you specify the
password parameter, the target file is encrypted in AES-256 mode.
The following describes the drive name.
• drive is the storage device and is named as flash:.
• If devices are stacked, drive can be named as:
  – flash: root directory of the flash memory of the master switch in the stack.
  – chassis ID#flash: root directory of the flash memory on a device in the stack.
    For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be designated relative to
either the root directory or the current working directory. A relative path beginning with a
slash (/) is a path relative to the root directory.
• flash:/my/test/ is an absolute path.
• /selftest/ is a path relative to the root directory and indicates the selftest directory in the
  root directory.
• selftest/ is a path relative to the current working directory and indicates the selftest
  directory in the current working directory.
Precautions
• If the destination file path is specified while the file name is not specified, the
  destination file name is the same as the source file name.
• The source file persists after being compressed.
• Directories cannot be compressed.

Example
# Compress file log.txt that is stored in the root directory and save it to the test directory as
file log.zip.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 155 Dec 02 2011 01:28:48 log.txt
1 -rw- 9,870 Oct 01 2011 00:22:46 patch.pat
2 drw- - Mar 22 2012 00:00:48 test
3 -rw- 836 Dec 22 2011 16:55:46 rr.dat
...

670,092 KB total (569,904 KB free)


<HUAWEI> zip log.txt flash:/test/log.zip
Info: Compress flash:/log.txt to flash:/test/log.zip? [Y/N]:y
100% complete
Info: Compress file flash:/log.txt to flash:/test/log.zip...Done.
<HUAWEI> cd test
<HUAWEI> dir


Directory of flash:/test/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 836 Mar 20 2012 19:49:14 test
1 -rw- 239 Mar 22 2012 20:57:38 test.txt
2 -rw- 1,056 Dec 02 2011 01:28:48 log.txt
3 -rw- 240 Mar 22 2012 21:23:46 log.zip

670,092 KB total (569,903 KB free)
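
The path and password rules in the unzip and zip parameter tables above can be checked before a command is sent to a device. The following Python code is an added example, not part of the Huawei reference; the function names, the drive pattern (generalized from flash: and slot2#flash:), the reading of "special characters" as ASCII punctuation and the case-insensitive .zip comparison are assumptions.

```python
import re
import string

# Drive names shown on the page: "flash:" and, in a stack, "slot2#flash:".
# The "\w+#" prefix is an assumption generalized from that one example.
DRIVE = re.compile(r"^(?:\w+#)?flash:")
# Characters the page forbids in a directory name.
FORBIDDEN_IN_DIR = set("?~*/\\:'\"|<>[]")
MAX_DIR_LEVELS = 8


def check_path(path, quoted=False):
    """Classify a path argument and list the page rules it breaks."""
    errors = []
    m = DRIVE.match(path)
    if m:
        kind, rest, limit = "absolute", path[m.end():], 255
    elif path.startswith("/"):
        kind, rest, limit = "root-relative", path, 128
    else:
        kind, rest, limit = "cwd-relative", path, 128
    if not 1 <= len(path) <= limit:
        errors.append(f"length {len(path)} is outside 1..{limit}")
    # The page states the no-space rule for relative path names only.
    if kind != "absolute" and " " in path and not quoted:
        errors.append("relative path contains a space but is not quoted")
    # Everything before the last "/" is a directory level.
    *dirs, filename = rest.lstrip("/").split("/")
    if len(dirs) > MAX_DIR_LEVELS:
        errors.append(f"{len(dirs)} directory levels exceed {MAX_DIR_LEVELS}")
    for name in dirs:
        bad = sorted(FORBIDDEN_IN_DIR.intersection(name))
        if not name:
            errors.append("empty directory name")
        elif bad:
            errors.append(f"directory {name!r} contains {''.join(bad)}")
    return {"kind": kind, "drive": m.group(0) if m else "",
            "dirs": dirs, "filename": filename, "errors": errors}


def check_archive_password(password):
    """8 to 20 characters drawn from at least two character types."""
    errors = []
    if not 8 <= len(password) <= 20:
        errors.append(f"length {len(password)} is outside 8..20")
    kinds = [
        any(c in string.digits for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.punctuation for c in password),  # assumed "special"
    ]
    if sum(kinds) < 2:
        errors.append("fewer than two character types")
    return errors


def check_unzip_args(source, destination, password=None):
    """Pre-flight check for: unzip source destination [ password pw ]."""
    src, dst = check_path(source), check_path(destination)
    errors = [f"source: {e}" for e in src["errors"]]
    errors += [f"destination: {e}" for e in dst["errors"]]
    if not src["filename"]:
        errors.append("source: must name a single file, not a directory")
    elif not src["filename"].lower().endswith(".zip"):
        errors.append("source: not a .zip file")
    if password is not None:
        errors += [f"password: {e}" for e in check_archive_password(password)]
    return errors


if __name__ == "__main__":
    # Arguments taken from the unzip example on this page.
    print(check_unzip_args("syslogfile-2012-02-27-17-47-50.zip",
                           "flash:/log.txt"))
    # Constructed inputs that break the rules.
    print(check_unzip_args("log.txt", "flash:/test/log.zip", "abcdefgh"))
```
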

3.8 Configuring System Startup Commands

3.8.1 clear configuration commit

Function
The clear configuration commit command deletes the label of a configuration rollback point
specified in the system or the earliest configuration rollback point generated in the system.

Format
clear configuration commit { commit-id label | oldest number-of-commits }

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| commit-id label | Deletes the label of a specified configuration rollback point. | The value is an integer that the system generates automatically. Run the display configuration commit list command to check the configuration rollback points. |
| oldest number-of-commits | Specifies the number of the earliest configuration rollback points to be deleted. | The value is an integer that ranges from 1 to 80. |

Views
User view

Default Level
2: Configuration level

NOTE

If you use the oldest parameter, this command is at the management level.

Usage Guidelines
Usage Scenario


To reduce the information amount in the system buffer, run this command to delete one or
more earliest configuration rollback points that are generated.
Configuration rollback points in the system can be classified into those with labels and those
without any label.
• You can run the clear configuration commit commit-id label command to delete the
  label of a specified configuration rollback point.
• You can run the clear configuration commit oldest number-of-commits command to
  delete a configuration rollback point without any label. After the clear configuration
  commit oldest number-of-commits command is run, configuration rollback points with
  labels become discontinuous configuration rollback points. If you run the display
  configuration commit list command to check the configuration rollback points, values
  of the CommitId fields of these discontinuous configuration rollback points in the
  command output are marked with an asterisk (*).
In normal cases, you do not need to run this command to delete the earliest rollback points
from the list. The system will automatically delete the earliest rollback points before
generating new points if the number of rollback points in the list reaches the upper limit (80).
Prerequisites
Make sure that the configuration rollback point can be deleted by running the display
configuration commit list or display configuration commit changes command to check the
system configuration change in the rollback point.
Follow-up Procedure
Run the display configuration commit list command to check whether the configuration
rollback point has been deleted.

Example
# Delete the configuration rollback point numbered 1000000265.
<HUAWEI> clear configuration commit 1000000265 label

3.8.2 clear configuration commit label


Function
The clear configuration commit label command deletes a configuration rollback point with
a specified user label.

Format
clear configuration commit label label-name


Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| label-name | Specifies a user label of a configuration rollback point. | The value is a string of 1 to 256 case-sensitive characters. It can be any visible ASCII character except for the space. However, the string can contain spaces if it is enclosed with double quotation marks (" "). The string cannot start with a digit or be a hyphen (-). NOTE: The value of this parameter must be an existing configuration rollback point on the device. Otherwise, the command cannot be executed. |

Views
User interface view

Default Level
2: Configuration level

Task Name and Operations

| Task Name | Operations |
| --- | --- |
| config | write |

Usage Guidelines
Usage Scenario
To delete a useless configuration rollback point with a specified label, run the clear
configuration commit command. The system can generate a maximum of 20 configuration
rollback points with labels, 10 periodic configuration rollback points, and five historical
periodic configuration rollback points. If a configuration rollback point is no longer useful,
run this command to clear it to reduce the system cache information.
Precautions
After a configuration rollback point is deleted, system configurations cannot be rolled back to
what they were at this configuration rollback point by running rollback commands.
Run the display configuration commit list and display configuration changes commands to
display information about the configuration rollback point. Checking the command output
helps prevent misoperations.

Example
# Delete the configuration rollback point with the label named new_label.
<HUAWEI> clear configuration commit label new_label
Warning: The current operation will delete the rollback checkpoint. Continue? [Y/
N]: y


3.8.3 check patch


Function
The check patch command checks the integrity of a patch package.

Format
check patch { file-name | startup }

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| file-name | Specifies the name of the patch package to be checked. | The name of the patch must already exist. It is in the format of [ drive ] [ path ] filename. If [ drive ] is not specified, the name of the default storage device is used. |
| startup | Checks the integrity of the patch package used for the next startup. | - |

Views
User view

Default Level
3: Management level

Usage Guidelines
To check whether the patch package is damaged before installing it, run the check patch
command. If the patch package is not damaged, a message indicating that the patch package is
complete is displayed. Otherwise, a message indicating that the patch package is incomplete is
displayed. If the specified patch package does not exist, a message indicating that the patch
package does not exist is displayed. If you specify the startup parameter without setting any
next-startup patch file, a message is displayed indicating that the required patch file does not
exist. In this case, run the startup patch file-name all command to specify a next-startup
patch package.

Example
# Check the integrity of the patch package named CE-V200R003SPH001.PAT.
<HUAWEI> check patch CE-V200R003SPH001.PAT
Warning: Patch package verification consumes system CPU resources. Continue? [Y/
N]: y

# Check the integrity of the patch package used for the next startup.
<HUAWEI> check patch startup


Warning: Patch package verification consumes system CPU resources. Continue? [Y/
N]: y

3.8.4 check system-software


Function
The check system-software command checks the integrity of the system software package.

Format
check system-software system-file

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| system-file | Specifies the name of the system software package on which an integrity check is performed. | The name of the system software package must already exist. It is in the format of [ drive ] [ path ] filename. If [ drive ] is not specified, the name of the default storage device is used. |

Views
User view

Default Level
3: Management level

Usage Guidelines
Before switching the system software package, you can run this command to check whether
the system software package is damaged. If the system software package is not damaged, the
system prompts that the system software package passes the check. Otherwise, the system
prompts that the system software package is incomplete. If the entered name of the system
software package does not exist, the system prompts that the check is mistaken. Make sure
that the system software package exists on the device before running this command.

Example
# Check the integrity of the system software package CE-V200R003C00.cc.
<HUAWEI> check system-software CE-V200R003C00.cc

3.8.5 clear inactive-configuration


Function
The clear inactive-configuration command deletes the inactive configurations from the
board that does not operate.


Format
clear inactive-configuration { slot slot-id | all | chassis chassis-id }

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| slot slot-id | Specifies the slot ID of an interface board that is not installed. | The value is an integer and the value range depends on device model. |
| all | Specifies all interface boards that are not installed. | - |
| chassis chassis-id | Specifies the stack ID. | The value must be set according to the device configuration. NOTE: This parameter is available only in stack scenarios. |

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
After a device has been replaced, using the clear inactive-configuration slot command
deletes the configurations of the device that does not operate if these configurations do not
need to be saved.
Precautions
This command is only used in stack scenarios.
Ensure that the specified device on which configurations are to be deleted does not operate.
After this command is executed, inactive configurations on the device are deleted.
Uncommitted configurations that depend on these inactive configurations will fail to be
committed, and the system displays an error message.

Example
# Delete the configurations from the device that does not operate in slot 1.
<HUAWEI> system-view
[~HUAWEI] clear inactive-configuration slot 1
Warning: The inactive configuration of slot 1 will be deleted and can't be
restored.


Are you sure to continue?[Y/N] y


The command will takes a few minutes, please wait..
Info: Succeeding in clearing the inactive configuration.

3.8.6 configuration current backup-to-server monthly

Function
The configuration current backup-to-server monthly command enables the function to
upload a configuration file to the server on a specific date and time every month.

The undo configuration current backup-to-server monthly command disables this
function.

By default, the function to upload a configuration file to the server on a specific date and time
every month is disabled.

Format
configuration current backup-to-server monthly date date-value [ time time-value ]

undo configuration current backup-to-server monthly

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| date date-value | Specifies a date. | The value is an integer ranging from 1 to 31. |
| time time-value | Specifies a time point. | The value is expressed in the format of HH:MM:SS, where HH:MM:SS indicates a second-specific time point. HH ranges from 0 to 23, and MM and SS both range from 0 to 59. The default value is 00:00:00. |

Views
System view

Default Level
3: Management level

Task Name and Operations

| Task Name | Operations |
| --- | --- |
| config | debug |

Usage Guidelines
To upload a configuration file to the server on a specific date and time every month, run the
configuration current backup-to-server monthly command.


The configuration file generated by this command is a .dat file, and its generation time is
expressed in local time.

Example
# Upload a configuration file to the server at 12:12:12 on the first day every month.
<HUAWEI> system-view
[~HUAWEI] configuration current backup-to-server monthly date 1 time 12:12:12

3.8.7 configuration file auto-save


Function
The configuration file auto-save command enables the function of saving system
configurations periodically.
The undo configuration file auto-save command disables the function of saving system
configurations periodically.
By default, the system does not periodically save configurations.

Format
configuration file auto-save [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *

configuration file auto-save { interval | cpu-limit | delay } default

undo configuration file auto-save

Parameters
| Parameter | Description | Value |
| --- | --- | --- |
| interval interval | Specifies the interval for saving configurations. | The value is an integer that ranges from 30 to 43200, in minutes. The default value is 30. |
| cpu-limit cpu-usage | Specifies the threshold of the CPU usage during the periodic save operation. | The value is an integer that ranges from 1 to 100. The default value is 50. |
| delay delay-interval | Specifies the delay in automatic backup after the configuration changes. | The value is an integer that ranges from 1 to 60, in minutes. The default value is five minutes. The value of delay-interval must be less than the value of interval. |
| default | Restores the default values for the parameters of the automatic save function. | - |

Views
System view


Default Level
3: Management level

Usage Guidelines
Usage Scenario
After this command enables the function of saving system configurations periodically, the
configuration file will not be lost if the device is powered off or restarts.
If the configuration file auto-save command is not executed, the system does not enable the
function of saving system configurations periodically. In this case, the configuration file
auto-save { interval | cpu-limit | delay } default command does not take effect.
If the configuration file auto-save command is executed, the system compares the
configuration files before saving configurations. If the configurations do not change, the
system does not save the configurations.
• You can specify interval interval to set the interval for periodically saving
  configurations. If interval is not specified, the default interval (30 minutes) is used.
• If cpu-limit cpu-usage is specified, the automatic save function does not affect system
  performance. After the automatic save timer is triggered, the system cancels the current
  automatic save operation if the system CPU usage is detected to be higher than the upper
  limit. The default upper limit of the CPU usage is 50% for the automatic save function.
• After delay delay-interval is specified, the system saves the changed configurations after
  the specified delay. The default value is 5 minutes.
• If the interval interval and delay delay-interval parameters are both set, the parameter in
  which the configured interval first expires triggers the configuration save operation.
  When the interval configured in the other parameter expires, the system checks
  configurations again. It performs a save operation only when detecting a configuration
  change.
The undo configuration file auto-save command disables the automatic save function.
Configuration Impact
After the autosave function is configured, the system automatically saves configurations to the
server configuration file when the local configuration file is different from the server
configuration file and the interval configured in the interval interval or delay delay-interval
parameter expires, regardless of whether the configuration has been saved manually.
Follow-up Procedure
Run the display saved-configuration configuration command to check the configurations
about the periodic save function.
Precautions
After the automatic save function is enabled, the configurations are saved in the configuration
file for the next startup. The content in the configuration file changes when the configuration
changes. The system cancels the automatic save operation when:
• Content is being written into the configuration file.
• The configurations are being recovered.
• The CPU usage is excessively high.


Example
# Set the automatic save interval to 60 minutes.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save interval 60

# Set the automatic save interval to 10 hours, the delay after a configuration change to
3 minutes, and the upper limit of the CPU usage to 60%.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save interval 600 delay 3 cpu-limit 60

3.8.8 copy startup

Function
The copy startup command copies the configuration file and specifies the file copy as the
configuration file for next startup.

Format
copy source-filename startup destination-filename [ slot slot-id | all ]

Parameters
Parameter | Description | Value
source-filename | Specifies the name of the source file to be copied. | The value is a string of 1 to 255 case-sensitive characters without spaces. The format is [path]+file name. The value does not support the following characters: ~ ? * / \ : ' " | < > [ ]
destination-filename | Specifies the name of the destination file. | The value is a string of 5 to 64 case-sensitive characters without spaces. No path can be specified. The value does not support the following characters: ~ ? * / ' " | < > [ ]
slot slot-id | Copies a file to a device that is installed in the specified slot. | The value is an integer or a character string. You can enter a question mark (?) and select a value from the displayed value range.
all | Copies a file to all member devices. | -


Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

To specify a configuration file as the next startup file, run this command to copy the
configuration file and set the file copy as the configuration file for next startup. In this case,
when configurations on the device are modified again, the configuration file for next startup is
not affected.

The configuration file name extension must be .zip, .dat, or .cfg.


• A configuration file with the file name extension .cfg is a text file, and you can view
  its content as text. After the file is specified as the configuration file for next
  startup, the system restores all commands in the file one by one during a startup.
• A .cfg file is compressed to a .zip file that occupies less space. After being specified as
  the configuration file, the .zip file is decompressed to the .cfg file and the system restores
  all commands in the .cfg file one by one during startup.
• A .dat file is a binary file. If the startup software version and the .dat file version are the
  same, the system restores all configurations in the .dat file in batches when the device
  starts. This speeds up the system startup. If the startup software version and the .dat file
  version are different, the system restores configurations using commands in the .dat file.

Follow-up Procedure

Run the reboot command to restart the device.

Precautions

• When using a .dat file, do not manually modify the content of the file; otherwise, the file
  may fail to be loaded during the startup and the device is started without any
  configuration file.
• You must store the source file in the flash directory.
• When this command and the startup saved-configuration command are configured, the
  later configuration takes effect.

Example
# Copy the oldvrp.cfg file and specify the file copy as the configuration file for next startup.
<HUAWEI> copy oldvrp.cfg startup newvrp.cfg all
Are you sure to copy flash:/oldvrp.cfg to flash:/newvrp.cfg and specify
newvrp.cfg as the configuration file for next startup? [Y/N]: y
Info: Operating, please wait for a moment....
Info: Copying file flash:/oldvrp.cfg to flash:/newvrp.cfg...Done.
Info: Succeeded in setting the configuration for booting system.


3.8.9 configuration file auto-save backup-to-server


Function
The configuration file auto-save backup-to-server command specifies the server where the
system periodically saves the configuration file.
The undo configuration file auto-save backup-to-server command removes the server where
the system periodically saves the configuration file.
By default, the system does not periodically save configurations to the server.

Format
configuration file auto-save backup-to-server server server-ip [ vpn-instance vpn-instance-name ] transport-type { { ftp | sftp } user user-name password password | tftp } [ path folder ]
undo configuration file auto-save backup-to-server server [ server-ip | server-ip vpn-instance vpn-instance-name ]

Parameters
Parameter | Description | Value
server server-ip | Specifies the IP address of the server where the system periodically saves the configuration file. | -
vpn-instance vpn-instance-name | Specifies the name of the VPN instance. | The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.
transport-type | Specifies the mode in which the configuration file is transmitted to the server. | The value can be ftp, sftp, or tftp. To ensure file transfer security, use the SFTP method.
user user-name | Specifies the name of the user who saves the configuration file on the server. | The value is a string of 1 to 64 characters without spaces.
password password | Specifies the password of the user who saves the configuration file on the server. | The value is a string of case-sensitive characters without spaces. It can be a plaintext string of 1 to 255 characters or a ciphertext string of 20 to 432 characters. A 24-character ciphertext password configured in an earlier version is also supported in this version. When double quotation marks are used around the string, spaces are allowed in the string.
path folder | Specifies the relative save path on the server. If this parameter is not specified, the FTP, SFTP, or TFTP root path is enabled by default. | The value is a string of 1 to 64 case-sensitive characters.

Views
System view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Run this command to periodically save the configuration file to the server.
The configuration file generated after this command is run is in the same format as the
configuration file for the next startup. If the configuration file for the next startup is a .dat file,
the configuration file generated is also a .dat file. If the configuration file for the next startup
is a .cfg or .zip file, the configuration file generated is a .zip file.
The configuration file is saved on the server as a compressed package. The package is named
in the format of YY-MM-DD.HH-MM-SS.device name.zip, for example,
2012-10-25.15-13-37.HUAWEI.zip. After the package is decompressed, the file with the file
name extension of .cfg is the configuration file.
The periodic saving interval depends on the interval configured using the configuration file
auto-save command.
Precautions
• Before using this command, run the configuration file auto-save command and enable
  FTP, SFTP, or TFTP on the server; otherwise, the configuration file auto-save
  backup-to-server command does not take effect. The system cancels the operation of
  periodically saving the configuration file in the following scenarios:
  – The configuration file is being written.
  – The LPU is recovering the configuration.
  – The CPU usage is high.
• The system supports a maximum of five servers. The servers are independent of each
  other. If the system fails to save configuration files to a server, the system reports traps to
  the NMS and records logs.
• When configuration files are being uploaded, the system does not save configurations to
  a server until the configuration files are uploaded.
• The user name and password must be the same as those used in FTP or SFTP login
  mode.
• The time of the configuration file generated after this command is run is in UTC.
• After a bound VPN instance is deleted, the VPN configuration specified using the
  configuration file auto-save backup-to-server command will not be cleared but does
  not take effect. If you configure the VPN instance with the same name again, the VPN
  function is restored.
• When you run this command to save configuration files to a server, the system supports
  only the binary transmission mode. Therefore, the server must support the binary
  transmission mode.

Example
# Specify the server to which the system periodically sends the configuration file, and set the
transmission mode to SFTP.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save
[*HUAWEI] configuration file auto-save backup-to-server server 10.1.1.1 transport-type sftp user admin1234 password Helloworld@6789
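
The parameter limits in 3.8.7 and the transport, prerequisite, and server-count rules in 3.8.9 can be checked before a command script is pushed to a device. The Python linter below is an added example, not part of the Huawei reference; the function names and the sample script (with a placeholder password) are constructed for illustration.

```python
import re

# Ranges and defaults from the 3.8.7 parameter table; server limit from 3.8.9.
RANGES = {"interval": (30, 43200), "cpu-limit": (1, 100), "delay": (1, 60)}
DEFAULTS = {"interval": 30, "cpu-limit": 50, "delay": 5}
MAX_SERVERS = 5

AUTOSAVE = "configuration file auto-save"
BACKUP = AUTOSAVE + " backup-to-server"
OPTION_RE = re.compile(r"\b(interval|cpu-limit|delay)\s+(\S+)")
SERVER_RE = re.compile(r"^\s*server\s+(\S+)")
TRANSPORT_RE = re.compile(r"\btransport-type\s+(\S+)")

# Constructed sample script (not device output); the password is a placeholder.
SAMPLE = """\
#
configuration file auto-save interval 30 delay 45 cpu-limit 0
configuration file auto-save backup-to-server server 10.1.1.1 transport-type sftp user admin1234 password PLACEHOLDER
configuration file auto-save backup-to-server server 10.1.1.2 transport-type ftp user admin1234 password PLACEHOLDER
configuration file auto-save backup-to-server server 10.1.1.3 transport-type tftp path backups
#
"""


def check_autosave_options(number, rest, findings):
    """Validate one enabling command; unspecified options use the defaults."""
    values = dict(DEFAULTS)
    for name, value in OPTION_RE.findall(rest):
        low, high = RANGES[name]
        if value.isdigit() and low <= int(value) <= high:
            values[name] = int(value)
        else:
            findings.append((number, f"{name} {value} is outside {low}-{high}"))
    # "The value of delay-interval must be less than the value of interval."
    if values["delay"] >= values["interval"]:
        findings.append((number, f"delay {values['delay']} must be less than "
                                 f"interval {values['interval']}"))


def lint_autosave(text):
    """Return sorted (line_number, message) findings for auto-save commands."""
    findings, backups, enabled = [], [], False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line == "undo " + AUTOSAVE:
            enabled = False
        elif line.startswith(BACKUP):
            rest = line[len(BACKUP):]
            server = SERVER_RE.search(rest)
            transport = TRANSPORT_RE.search(rest)
            backups.append((number,
                            server.group(1) if server else "?",
                            transport.group(1) if transport else "?"))
        elif line.startswith(AUTOSAVE):
            words = line[len(AUTOSAVE):].split()
            if words[-1:] == ["default"]:
                # "{ interval | cpu-limit | delay } default" only resets a value.
                if not enabled:
                    findings.append((number, "'default' form has no effect: "
                                             "auto-save is not enabled"))
                continue
            enabled = True
            check_autosave_options(number, line[len(AUTOSAVE):], findings)

    for number, server, transport in backups:
        if transport in ("ftp", "tftp"):
            findings.append((number, f"server {server}: {transport} is "
                                     "unencrypted, use sftp"))
        if not enabled:
            findings.append((number, f"server {server}: no effect until "
                                     f"'{AUTOSAVE}' is run"))
    if len({server for _, server, _ in backups}) > MAX_SERVERS:
        findings.append((backups[-1][0],
                         f"more than {MAX_SERVERS} backup servers configured"))
    return sorted(findings)


if __name__ == "__main__":
    for number, message in lint_autosave(SAMPLE):
        print(f"line {number}: {message}")
```
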

3.8.10 display configuration

Function
The display configuration command displays the configuration in a specified configuration
file.

Format
display configuration configuration-file

Parameters

Parameter | Description | Value
configuration-file | Specifies the name of an existing configuration file. | The value is a string of 5 to 64 case-sensitive characters without spaces. The file name extension can be .zip, .dat, or .cfg.


Views
All views

Default Level
3: Management level

Usage Guidelines
Usage Scenario
After a configuration file is saved using the save command, run the display configuration
command to view the configuration file.
The command output is relevant to user configuration. The command does not display the
default configuration.
Prerequisites
The specified configuration file exists.

Example
# Display the configuration file named vrpcfg.zip.
<HUAWEI> display configuration vrpcfg.zip
#
FTP server enable
#
...
aaa
local-user ftp password irreversible-cipher `xy$!D3>a#Oc5/Js:mGN*Ii8AZtE4Kb!0h*QS7J<wD(j-9oN^.5%!@OKp,.5*YKuR
local-user ftp ftp-directory flash:/
local-user ftp service-type ftp
#
...
interface 10GE1/0/1
undo shutdown
ip address 10.1.1.200 255.255.255.0
#
...
interface LoopBack0
ip address 10.10.1.1 255.255.255.255
#
...
user-interface con 0
set authentication password cipher %$%$~^Mg.QBcGS^}H.Q*w~#*,JA8%$%$
history-command max-size 30
#
user-interface vty 0 14
user privilege level 3
idle-timeout 0 0
#
return


3.8.11 display configuration changes

Function
The display configuration changes command displays the difference between a
configuration file and the current running configuration file on the device.

Format
To display the difference based on the configuration file names, run:

display configuration changes [ running file file-name | file file-name running ]

To display the difference based on the user labels, run:

display configuration changes [ running label label | label label running ]

Parameters
Parameter | Description | Value
file file-name | Displays the difference between a configuration file and the current running configuration file. | The name is a string of 5 to 64 characters in the format of *.zip, *.cfg, or *.dat. The file-name must already exist.
label label | Displays the difference between the current running configuration file and the configuration file based on a specific user label. | The label must already exist.

Views
All views

Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can run the display configuration changes running file file-name command to check
the difference between the current running configuration file and a specified configuration
file.

You can run the display configuration changes file file-name running command to check
the difference between a specified configuration file and the current running configuration
file.

The display configuration changes running label label command displays the difference
between the current configuration and the configuration of a specified user label.


The display configuration changes label label running command displays the difference
between the configuration of a specified user label and the current configuration.

This command can only compare the current running configuration file with a configuration
file. When you run this command, the first specified configuration file is called source
configuration, and the later specified configuration file is called target configuration. If the
target configuration is different from the source configuration, the difference is displayed
based on the following rules:
• An added command is displayed in the format of prefix+.
• A deleted command is displayed in the format of prefix-.
• If a command is modified, the original command is displayed in the format of prefix-,
  and the new command is displayed in the format of prefix+.

Precautions

The configuration file specified by file-name must exist on the device.

Example
# Display the difference between the current running configuration file and the configuration
file a.cfg.
<HUAWEI> display configuration changes running file a.cfg
Building configuration
Warning: The specified configuration file is not the same as the current
configuration. There are several differences as follow:
#
+ sysname China

3.8.12 display configuration commit at

Function
The display configuration commit at command displays all configurations of a device at a
specific configuration rollback point.

Format
display configuration commit at commit-id

Parameters

Parameter | Description | Value
commit-id | Displays all configurations of a device at a specific configuration rollback point. | The value is an integer ranging from 1000000001 to 1999999999. A commit ID is automatically generated by a device and cannot be manually modified.

Views
All views


Default Level
3: Management level

Usage Guidelines
After a user commits a command to a device, the device automatically generates a
configuration rollback point, which records the configuration changes and all configurations
at this point. You can run the display configuration commit at command to view all
configurations of the device at this point. If the device becomes faulty, you can then run the
rollback configuration command to roll the device back to the configurations used before the
fault occurred.

Example
# Display all configurations of a device at the 1000000481 configuration rollback point.
<HUAWEI> display configuration commit at 1000000481
#
sysname HUAWEI
#
drop-profile default
#
diffserv domain default
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
domain default_admin
#
stack
#
stack member 1 domain 10
#
---- More ----

3.8.13 display configuration commit changes


Function
The display configuration commit changes command displays the configuration change
recorded at a configuration rollback point.

Format
display configuration commit changes [ at commit-id | since commit-id | last number-of-commits ]


Parameters
Parameter | Description | Value
at commit-id | Displays the configuration change at a specified configuration rollback point. | The value is an integer that the system generates automatically. Run the display configuration commit list command to check the configuration rollback points.
since commit-id | Displays the configuration changes from the specified configuration rollback point to the current state. | The value is an integer that the system generates automatically. Run the display configuration commit list command to check the configuration rollback points.
last number-of-commits | Displays the changes at the specified number of latest configuration rollback points. | The value is an integer that ranges from 1 to 80.

Views
All views

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Run this command to check the configuration changes when you need to restore the system to
a historical state because incorrect operations are performed on the device or some
configurations fail due to some faults.
Prerequisites
Configuration has been performed and the configuration rollback point has been generated.
Follow-up Procedure
Recover or roll back the configuration after checking the configuration change.

Example
# Display the configuration change saved at the configuration rollback point numbered
1000002001.
<HUAWEI> display configuration commit changes at 1000002001
Building configuration

+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0

# Display the configuration changes from the specified configuration rollback point to the
latest rollback point.
<HUAWEI> display configuration commit changes since 1000001999
Building configuration
#
- vlan batch 10
#
+ vlan batch 10 89
#
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0

# Display the configuration changes at the latest three configuration rollback points.
<HUAWEI> display configuration commit changes last 3
Building configuration
#
- vlan batch 10
#
+ vlan batch 10 89
#
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0

# Display the configuration changes at all configuration rollback points in the current system.
<HUAWEI> display configuration commit changes
Building configuration

Commit changes of commitId 1000002001 2015-06-18 03:04:59

+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0

Commit changes of commitId 1000002000 2015-06-18 03:04:30

Commit changes of commitId 1000001999 2015-06-18 03:01:59

- vlan batch 10
#
+ vlan batch 10 89

Commit changes of commitId 1000001998 2015-06-18 03:00:20

Commit changes of commitId 1000001997 2015-06-18 02:01:39

Table 3-49 Description of the display configuration commit changes command output
Item | Description
Commit changes of commitId | Number of a configuration rollback point, which uniquely identifies the rollback point. Run the display configuration commit list command to check the configuration rollback points.
- | Deleted configuration. For the modified configuration, - indicates the old configuration and + indicates the new configuration.
+ | Added configuration. For the modified configuration, - indicates the old configuration and + indicates the new configuration.

3.8.14 display configuration candidate changes


Function
The display configuration candidate changes command displays the difference between the
candidate configuration and current running configuration.

Format
display configuration candidate changes

Parameters
None


Views
All views except the user view

Default Level
3: Management level

Task Name and Operations


Task Name | Operations
config | read

Usage Guidelines
Usage Scenario
Before committing a set of configurations, run the display configuration candidate changes
command to view the difference between the candidate configuration and the current running
configuration.
This command displays the difference between the configuration in the <candidate/>
configuration database and that in the <running/> configuration database. If a configuration
difference exists, the command output is displayed as follows:
• Commands that exist in the candidate configuration rather than the current running
  configuration are prefixed with "+".
• Commands that exist in the current running configuration rather than the candidate
  configuration are prefixed with "-".
• If a command in the current running configuration is modified in the candidate
  configuration, two commands that are prefixed with "-" and "+", respectively, are
  displayed in sequence.
Precautions
This command applies only to the two-phase validation mode.
Before you run the commit command to commit a configuration, a configuration conflict
occurs if the current running configuration is changed. In this case, run the refresh
configuration candidate command to resolve the configuration conflict, and then run the
display configuration candidate changes command to view the configuration difference.

Example
# Display the difference between the candidate configuration and current running
configuration.
<HUAWEI> system-view
[~HUAWEI] display configuration candidate changes
Building configuration
#
interface Tunnel1
- mtu 1400
+ mtu 1300
#
+ interface Tunnel3
#


Table 3-50 Description of the display configuration candidate changes command output
Item | Description
Building configuration | Generation of differential configuration.
- | Deleted configuration.
+ | Added configuration.

3.8.15 display configuration commit list


Function
The display configuration commit list command displays the configuration rollback points
that are generated in the system.

Format
display configuration commit list [ verbose ] [ number-of-commits | label ]

Parameters
Parameter | Description | Value
verbose | Displays the configuration rollback point details including the description. | -
number-of-commits | Displays a specified number of configuration rollback points. | The value is an integer that ranges from 1 to 100.
label | Displays the label of the configuration rollback point list. | -

Views
All views

Default Level
3: Management level

Usage Guidelines
Usage Scenario
After configuring the system, run this command to check historical configuration rollback
points.
The system displays the configuration rollback points in descending order of generation time.
That is, the latest configuration rollback point is displayed first.


Follow-up Procedure
Use the rollback point label to roll back the configuration.

Example
# Display all configuration rollback points.
<HUAWEI> system-view
[~HUAWEI] sysname ROLLBACK
[*HUAWEI] commit description This is a test
[~ROLLBACK] display configuration commit list
------------------------------------------------------------------------------------
No.  CommitId    Label  User    TimeStamp
------------------------------------------------------------------------------------
1    1000002002  -      -       2012-08-22 17:55:49+08:00
2    1000002001  -      huawei  2012-08-22 17:12:04+08:00
3    1000002000  -      -       2012-08-22 17:11:09+08:00

# Display details about all configuration rollback points.


<HUAWEI> system-view
[~HUAWEI] sysname ROLLBACK
[*HUAWEI] commit description This is a test
[~ROLLBACK] display configuration commit list verbose
1) CommitId: 1000002002
Label: -
User: -
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:55:49+08:00
Description: This is a test

2) CommitId: 1000002001
Label: -
User: huawei
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:12:04+08:00
Description:

3) CommitId: 1000002000
Label: -
User: -
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:11:09+08:00
Description:

Table 3-51 Description of the display configuration commit list command output
Item | Description
No. | Sequence number.
CommitId | ID of the configuration rollback point, which uniquely identifies the configuration rollback point. If values of the CommitId fields are marked with an asterisk (*), the configuration rollback points are discontinuous configuration rollback points, that is, a user has configured labels for the configuration rollback points and then run the clear configuration commit oldest number-of-commits command to change the labeled configuration rollback points into discontinuous ones.
Label | Label of the configuration rollback point. You can run the commit label label command to add a label for a configuration rollback point.
User | User name.
User-Intf | User interface type, such as CON0 and VTY1.
Type | Terminal type, such as CLI, SNMP, NETCONF, RESTORE, SYSTEM, and ROLLBACK.
TimeStamp | Timestamp of the configuration rollback point.
Description | Description of a configuration rollback point. You can run the commit description description command to add description for a configuration rollback point.
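
The rollback-point list (3.8.15) and the per-commit changes (3.8.13) can be joined on CommitId to show who committed a given command, over which interface, and when. The Python below is an added example, not part of the Huawei reference; the function names, the watchlist and both sample outputs are constructed, and the unprefixed view line in the changes sample follows the layout shown for display configuration candidate changes.

```python
import re

HEADER_RE = re.compile(r"^Commit changes of commitId (\d+)\b")
FIELD_RE = re.compile(r"^(?:\d+\)\s*)?([A-Za-z-]+):\s*(.*)$")

# Hypothetical watchlist built from commands in the 3.8.10 example output;
# replace it with the commands your own change policy cares about.
WATCH = re.compile(
    r"^(user privilege level \d+|idle-timeout 0 0|FTP server enable|local-user .*)$")

# Constructed samples in the layout of the examples above (not real output).
LIST_SAMPLE = """\
1) CommitId: 1000002002
Label: -
User: -
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:55:49+08:00
Description: This is a test

2) CommitId: 1000002001
Label: -
User: huawei
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:12:04+08:00
Description:
"""

CHANGES_SAMPLE = """\
Building configuration

Commit changes of commitId 1000002002 2012-08-22 17:55:49
#
- sysname HUAWEI
#
+ sysname ROLLBACK

Commit changes of commitId 1000002001 2012-08-22 17:12:04
#
 user-interface vty 0 14
- idle-timeout 10 0
+ idle-timeout 0 0
+ user privilege level 3

Commit changes of commitId 1000002000 2012-08-22 17:11:09
"""


def parse_commit_list(text):
    """Map CommitId -> fields from 'display configuration commit list verbose'."""
    commits, current = {}, None
    for line in text.splitlines():
        match = FIELD_RE.match(line.strip())
        if not match:
            continue
        key, value = match.groups()
        if key == "CommitId":
            # An asterisk marks a discontinuous rollback point; drop the marker.
            current = commits.setdefault(value.strip("* "), {})
        elif current is not None:
            current[key] = value
    return commits


def parse_commit_changes(text):
    """Map CommitId -> [(sign, view, command)] from 'display configuration
    commit changes' run without at/since/last (the form with commit headers)."""
    changes, current, view = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current, view = changes.setdefault(header.group(1), []), None
        elif current is None or not line:
            continue
        elif line == "#":
            view = None                  # '#' separates configuration blocks
        elif line[0] in "+-":
            current.append((line[0], view, line[1:].strip()))
        else:
            view = line                  # unprefixed line: unchanged parent view
    return changes


def audit(list_text, changes_text, watch=WATCH):
    """Return watched additions joined with the metadata of their commit."""
    commits = parse_commit_list(list_text)
    hits = []
    for commit_id, entries in parse_commit_changes(changes_text).items():
        meta = commits.get(commit_id, {})
        for sign, view, command in entries:
            if sign == "+" and watch.search(command):
                hits.append({**meta, "CommitId": commit_id,
                             "view": view, "command": command})
    return hits


if __name__ == "__main__":
    for hit in audit(LIST_SAMPLE, CHANGES_SAMPLE):
        print(hit["TimeStamp"], hit["User"], hit["User-Intf"], hit["Type"],
              "|", hit["view"], "|", hit["command"])
```
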

3.8.16 display configuration recover-result

Function
The display configuration recover-result command displays the configuration recovery
result after an upgrade.

Format
display configuration recover-result

Parameters
None

Views
All views

Default Level
3: Management level


Usage Guidelines
After you run the startup saved-configuration or copy startup command to specify the
configuration file for the next startup and restart the device, run this command to check the
configuration recovery result (success, failure, or partial failure) and failure cause.

Example
# Display the configuration result after an upgrade.
<HUAWEI> display configuration recover-result
Info: The current startup saved-configuration file is flash:/vrpcfg.zip.
The number of failed commands is 1.
--------------------------------------------------------------------------------
Command : vm-manager
View : system
Line : 204
Reason : Execute failed
Time : 2013-06-25 09:13:09
--------------------------------------------------------------------------------

Table 3-52 Description of the display configuration recover-result command output

Item | Description
Command | Command that fails the configuration recovery
View | View in which the command resides
Line | Line number of the command in the current startup configuration file
Reason | Reason why the command fails
Time | Execution time of the configuration recovery

3.8.17 display configuration rollback result

Function
The display configuration rollback result command displays the configurations that fail to
roll back and the messages that are generated during the configuration rollback.

Format
display configuration rollback result

Parameters
None


Views
All views

Default Level
3: Management level

Usage Guidelines
During the configuration rollback, some configurations fail to roll back or messages are
generated during configuration rollback. Run this command to check the failed configurations
and messages.

Example
# Display the latest configuration rollback failure and the messages generated during
configuration rollback.
<HUAWEI> display configuration rollback result
!warning information
interface 10GE1/0/5
+ pim bfd enable
Warning: The configuration is successful. Enable global BFD to validate the
configuration.
!There are still several differences as follow:
#
interface 10GE1/0/2
- ip address 10.3.3.3 255.255.255.0
+ ip address 10.4.4.4 255.255.255.0
#

# Display the latest configuration rollback success without messages generated during
configuration rollback.
<HUAWEI> display configuration rollback result
Info: The latest rollback operation is successful.

Table 3-53 Description of the display configuration rollback result command output

Item                       Description
!warning information       Message that is generated during the configuration rollback.
!There are still several   Information about a rollback failure.
differences as follow:
-                          Deleted configuration.
                           For the modified configuration, - indicates the old
                           configuration and + indicates the new configuration.
+                          Added configuration.
                           For the modified configuration, - indicates the old
                           configuration and + indicates the new configuration.
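
The layout in Table 3-53 can be checked by a script after a rollback instead of being read by eye. The following Python parser is an added example, not Huawei code; both samples are the example outputs shown above, while the extra `Error:`/`Info:` message prefixes and the `(system)` name for commands outside any view are assumptions.

```python
"""Parse `display configuration rollback result` output (layout per Table 3-53)."""
from dataclasses import dataclass, field

SUCCESS_LINE = "Info: The latest rollback operation is successful."
WARNING_HEADER = "!warning information"
DIFF_HEADER = "!There are still several differences"
MESSAGE_PREFIXES = ("Warning:", "Error:", "Info:")  # assumption: page shows only "Warning:"
GLOBAL_VIEW = "(system)"  # assumed name for commands listed outside any view


@dataclass
class RollbackResult:
    success: bool = False
    warnings: list = field(default_factory=list)  # dicts: view, sign, command, message
    residual: dict = field(default_factory=dict)  # view -> {"-": [...], "+": [...]}

    @property
    def clean(self):
        """True only if the device reported success and nothing was left over."""
        return self.success and not self.warnings and not self.residual


def parse_rollback_result(text):
    result = RollbackResult()
    section = view = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):       # blank line or echoed prompt
            continue
        if line == SUCCESS_LINE:
            result.success = True
        elif line.startswith(WARNING_HEADER):
            section, view, current = "warning", None, None
        elif line.startswith(DIFF_HEADER):
            section, view, current = "diff", None, None
        elif section is None:
            continue                                # text before any known header
        elif line == "#":                           # separator between views
            view, current = None, None
        elif line[:2] in ("+ ", "- "):
            sign, command = line[0], line[2:].strip()
            if section == "warning":
                current = {"view": view or GLOBAL_VIEW, "sign": sign,
                           "command": command, "message": ""}
                result.warnings.append(current)
            else:
                bucket = result.residual.setdefault(view or GLOBAL_VIEW, {"-": [], "+": []})
                bucket[sign].append(command)
        elif section == "warning" and line.startswith(MESSAGE_PREFIXES):
            if current is None:                     # message not tied to a command line
                current = {"view": view or GLOBAL_VIEW, "sign": None,
                           "command": None, "message": ""}
                result.warnings.append(current)
            current["message"] = line
        elif (section == "warning" and current and current["message"]
              and not current["message"].endswith((".", "!", "?"))):
            current["message"] += " " + line        # terminal-wrapped message text
        else:
            view, current = line, None              # e.g. "interface 10GE1/0/2"
    return result


# Both samples are the example outputs shown on this page.
SAMPLE_FAILED = """\
<HUAWEI> display configuration rollback result
!warning information
interface 10GE1/0/5
+ pim bfd enable
Warning: The configuration is successful. Enable global BFD to validate the
configuration.
!There are still several differences as follow:
#
interface 10GE1/0/2
- ip address 10.3.3.3 255.255.255.0
+ ip address 10.4.4.4 255.255.255.0
#
"""
SAMPLE_OK = "<HUAWEI> display configuration rollback result\n" + SUCCESS_LINE + "\n"

if __name__ == "__main__":
    for name, sample in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        r = parse_rollback_result(sample)
        print(name, "clean" if r.clean else "needs review", r.warnings, r.residual)
```

A rollback is treated as clean only when the success line is present and no warning or residual difference was parsed, so an empty or truncated capture is reported for review rather than passed.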


3.8.18 display configuration sessions


Function
The display configuration sessions command displays session status.

Format
display configuration sessions [ verbose ]

Parameters
Parameter Description Value
verbose Indicates detailed information about session status. -

Views
All views

Default Level
3: Management level

Usage Guidelines
To query information about users who have logged in to the device, you can run the display
configuration sessions command to view session status.

Example
# Display session status.
<HUAWEI> display configuration sessions
--------------------------------------------------------------------------------
Session User-Intf User Date Lock
--------------------------------------------------------------------------------
285 _SYSTEM_ 2014-09-23 15:07:52 -
286 SNMP_User 2014-09-23 15:07:54 -
514 * VTY 0 2014-09-25 13:39:11 -
--------------------------------------------------------------------------------

# Display detailed information about session status.


<HUAWEI> display configuration sessions verbose
--------------------------------------------------------------------------------
Session : 285
User-Intf :
User : _SYSTEM_
Date : 2014-09-23 15:07:52
Lock-Type : -
Cfg-Mode : -
Client : NETCONF
Elapsed-Time : 1 days, 22:36:57


Session : 286
User-Intf : SNMP_User
User :
Date : 2014-09-23 15:07:54
Lock-Type : -
Cfg-Mode : 1-stage
Client : SNMP
Elapsed-Time : 1 days, 22:36:55

Session : 514 *
User-Intf : VTY 0
User :
Date : 2014-09-25 13:39:11
Lock-Type : -
Cfg-Mode : -
Client : CLI
Elapsed-Time : 0 days, 0:05:38

--------------------------------------------------------------------------------

Table 3-54 Description of the display configuration sessions command output


Item           Description
Session        Indicates the ID of the session that connects to the system.
User-Intf      Indicates the interface that the user used to log in.
User           Indicates the user name.
               • When a user performs operations through an NMS, SNMP_User is
                 displayed.
               • When a user performs RMON operations, RMON_User is displayed.
               • After the system is started, OPS will automatically apply for an
                 internal link that is used as a channel for the Maintenance
                 assistant to subscribe to logs and alarms. The link user name is
                 _SYSTEM_.
Date           Indicates the time when the user logged in.
Lock           Indicates the lock state.
Cfg-Mode       Indicates the configuration mode.
Client         Indicates the client information.
Elapsed-Time   Indicates the time elapsed since the user logged in.

3.8.19 display current-configuration


Function
The display current-configuration command displays the currently running configuration.
This command does not display parameters that use default settings.


Format
display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | interface [ interface-type [ interface-number ] ] |
all | inactive ] [ include-default ]

Parameters
Parameter                   Description                     Value
configuration               Specifies the configuration     The value is determined by the
configuration-type          type.                           current system configurations.
configuration-instance      Specifies a configuration       The value is a string of 1 to 200
                            instance.                       case-insensitive characters without
                                                            spaces. When double quotation
                                                            marks are used around the string,
                                                            spaces are allowed in the string.
interface [ interface-type  Specifies an interface type.    -
[ interface-number ] ]
all                         Displays all the configuration  -
                            information.
inactive                    Displays the offline            -
                            configuration information.
include-default             Displays the default            -
                            configuration.

Views
All views

Default Level
3: Management level

Usage Guidelines
To check whether the configured parameters take effect, run the display
current-configuration command. The parameters that do not take effect are not displayed.
The command output depends on the user configuration. If the include-default parameter is
specified, the command output includes the default system configuration starting with a tilde
(~).
You can use a regular expression to filter the command output. For the regular expression
rules, see "Filtering Command Outputs" in the CloudEngine 8800, 7800, 6800, and 5800
Series Switches Configuration Guide - Basic Configuration.
After you run the display current-configuration all or display current-configuration
inactive command, * in the command output indicates offline configuration.


NOTE

The symbol * has two meanings:


1. When * is displayed in an interactive operation, it indicates the configurations that have not been
submitted.
2. When * is displayed in configuration information, it indicates the offline configurations.

Example
# Display all configurations that include vlan.
<HUAWEI> display current-configuration | include vlan
vlan batch 10 77 88
port trunk allow-pass vlan 10

# Display the FTP configuration.


<HUAWEI> display current-configuration configuration ftp
#
FTP server enable
#
return

# Display the configuration that includes the default configuration.


<HUAWEI> display current-configuration include-default
!Software Version V100R006C00SPC200
!Last configuration was updated at 2015-09-14 02:34:08+00:00
!Last configuration was saved at 2015-09-08 06:58:17+00:00
#
~language character-set ISO8859-1
#
sysname HUAWEI
#
~undo command-privilege level rearrange
#
return

3.8.20 display module-information


Function
The display module-information command displays information about dynamically installed
modules in the system.

Format
display module-information [ verbose | next-startup ]

Parameters
Parameter      Description                               Value
verbose        Displays details about dynamically        -
               installed modules.
file-name      Displays information about the specified  The module must already exist,
               module loaded at the next startup.        with the file name extension
                                                         being .mod or .MOD.
next-startup   Displays module information loaded at     -
               the next startup.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
To view information about dynamically installed modules in the system, run the display
module-information command. The information helps to monitor whether modules are
successfully installed or uninstalled.

Example
# Display details about dynamically installed modules in the system.
<HUAWEI> display module-information verbose
Module Information
--------------------------------------------------------------------
Module   Version          InstallTime           PackageName
--------------------------------------------------------------------
TLV      V200R001MOD503   2012-05-23 06:28:00   CE6850V200R001MOD503.MOD
--------------------------------------------------------------------
Total = 1
Board Info :
----------------------------------------------------------------------------------------
Slot-id   ProcId   Type   FileName       EffectiveTime             Module
----------------------------------------------------------------------------------------
17        2        C      HM800000.mod   2015-08-24 22:48:00.322   MOD0031
17        3        C      HM800000.mod   2015-08-24 22:48:00.320   MOD0031
17        4        C      HM800000.mod   2015-08-24 22:48:00.322   MOD0031
18        6        C      HM800000.mod   2015-08-24 22:48:00.349   MOD0031
18        7        C      HM800000.mod   2015-08-24 22:48:00.349   MOD0031
18        8        C      HM800000.mod   2015-08-24 22:48:00.353   MOD0031
----------------------------------------------------------------------------------------
Total = 6

# Display information about the specified module loaded at the next startup.


<HUAWEI> display module-information CE6850V200R001MOD503.MOD verbose
Module Information
--------------------------------------------------------------------
Module   Version          InstallTime           PackageName
--------------------------------------------------------------------
TLV      V200R001MOD503   2012-05-23 06:28:00   CE6850V200R001MOD503.MOD
--------------------------------------------------------------------
Total = 1
Board Info :
----------------------------------------------------------------------------------------
Slot-id   ProcId   Type     FileName       EffectiveTime             Module
----------------------------------------------------------------------------------------
17        3        SCRIPT   HM980000.mod   2014-11-19 08:26:46.491   m0
18        6        SCRIPT   HM980000.mod   2014-11-19 08:26:46.812   m0
----------------------------------------------------------------------------------------
Total = 2

Table 3-55 Description of the display module-information verbose command output


Item                 Description
Module Information   Information about a module
Module               Name of a module
Version              Version of a module
InstallTime          Time when a module is installed
PackageName          Name of a module file
Total                Number of modules installed
Board Info           Board information
Slot-id              Board ID
ProcId               Process ID
Type                 File type
FileName             File name
Module               Name of a module

3.8.21 display saved-configuration

Function
The display saved-configuration command displays the configuration file to be used for the
next startup.

Format
display saved-configuration [ last | time | configuration ]

Parameters
Parameter       Description                                               Value
last            Displays the system configurations saved last time.       -
time            Displays the recent time when the configurations are      -
                saved manually or automatically.
configuration   Displays the parameters of the automatic save function.   -


Views
All views

Default Level
3: Management level

Usage Guidelines
If the device has been started and is not working properly, run the display
saved-configuration command to check the device startup configuration in the file specified
by running the startup saved-configuration or copy startup command.

Run the display saved-configuration last command to check the system configurations
saved last time in the configuration file loaded during the current startup.

Run the display saved-configuration time command to check the last time when the system
configurations were saved.

Run the display saved-configuration configuration command to check the automatic save
function parameters including the automatic save interval and CPU usage.

The command output is relevant to user configuration. The command does not display the
default configuration.

Example
# Display the configuration file for the next startup.
<HUAWEI> display saved-configuration
#
sysname Switch
...
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.4.3 255.255.255.0
...
#
interface MEth0/0/0
ip address 192.168.200.8 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
...
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
idle-timeout 0 0
#
return


3.8.22 display schedule reboot

Function
The display schedule reboot command displays the configuration of the scheduled restart of
the device.

Format
display schedule reboot

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
After using the schedule reboot command to configure a scheduled restart, you can use this
command to view the configuration of the scheduled restart.

Example
# Display the configuration of the scheduled restart of the device.
<HUAWEI> display schedule reboot
Info: System will reboot at 22:00:00 2013/09/17 UTC(in 1 hours and 36 minutes).

Table 3-56 Description of the display schedule reboot command output

Item                    Description
System will reboot at   Specific restart time.
in hours and minutes    Time span between the restart time and the current time.

3.8.23 display software crl

Function
The display software crl command displays information about a digital signature certificate
revocation list (CRL) file.


Format
display software crl

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
If an issued digital signature certificate needs to be revoked due to key disclosure or other
reasons, a third-party tool can be used to mark the certificate invalid and add the certificate to
a digital certificate CRL. To check information about the digital signature CRL file, run the
display software crl command.

Example
# Display information about a digital signature CRL file that has been loaded to the main
control board.
<HUAWEI> display software crl
----------------------------------------------------------------------------------------------------
Slot-id  Publisher                                                   Issue date                 Status
----------------------------------------------------------------------------------------------------
1        C=CN,O=Huawei,CN=Huawei Root CA                             2015-10-19 15:38:25+08:00  Valid
1        C=CN,O=Huawei,CN=Huawei Code Signing Certificate Authority  2016-04-05 16:27:05+08:00  Valid
1        C=CN,O=Huawei,CN=Huawei Timestamp Certificate Authority     2016-03-01 16:56:22+08:00  Valid
2        C=CN,O=Huawei,CN=Huawei Root CA                             2015-10-19 15:38:25+08:00  Valid
2        C=CN,O=Huawei,CN=Huawei Code Signing Certificate Authority  2016-04-05 16:27:05+08:00  Valid
2        C=CN,O=Huawei,CN=Huawei Timestamp Certificate Authority     2016-03-01 16:56:22+08:00  Valid
----------------------------------------------------------------------------------------------------

Table 3-57 Description of the display software crl command output


Item         Description
Slot-id      Slot ID of the device where the CRL resides
Publisher    CRL issuer
Issue date   CRL issue date
Status       CRL status:
             • Valid
             • InValid

3.8.24 display startup


Function
The display startup command displays the system software, configuration file, PAF file, and
patch file for the current and next startup.

Format
display startup [ slot slot-id ]

Parameters
Parameter      Description                      Value
slot slot-id   Specifies a member device in a   The value is an integer. The range of the
               stack.                           integer is dependent on the specific device.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Before upgrading or downgrading a device, run this command to check whether the files for
next startup have been loaded. If the files have been loaded, the device can be upgraded or
downgraded successfully after it is restarted. You can also run the command to view the
system software and files for current startup.

Example
# Display the names of system software for current and next startup.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/basicsoftware.cc
Startup system software: flash:/basicsoftware.cc
Next startup system software: flash:/basicsoftware.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL

Table 3-58 Description of the display startup command output


Item                                    Description
Configured startup system software      System software that is configured for the current
                                        startup by running the startup system-software
                                        command before the system starts.
Startup system software                 System software that is used in the current startup.
Next startup system software            System software that is configured for the next
                                        startup by running the startup system-software or
                                        copy startup command.
                                        If no system software for the next startup is
                                        configured, the system software used in the current
                                        startup is displayed.
Startup saved-configuration file        Configuration file that is used in the current
                                        startup.
Next startup saved-configuration file   Configuration file that is configured for the next
                                        startup by running the startup saved-configuration
                                        command.
                                        If no configuration file for the next startup is
                                        configured, the configuration file used in the
                                        current startup is displayed.
Startup paf file                        PAF file that is used in the current startup.
                                        default indicates that no PAF file is specified or
                                        the PAF file does not take effect.
Next startup paf file                   PAF file that is configured for the next startup.
                                        If no PAF file is configured, default is displayed.
Startup patch package                   Patch package file that is used in the current
                                        startup.
                                        NULL indicates that no patch package file is
                                        specified or the patch package file does not take
                                        effect.
Next startup patch package              Patch package file that is configured for the next
                                        startup by running the startup patch command.
                                        If no patch package file is configured, NULL is
                                        displayed.
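
The check recommended in the Usage Guidelines (confirm what will load at the next startup before restarting) can be scripted against the fields in Table 3-58. The following Python is an added example, not Huawei code; the first two samples are taken from this page, while the `(device)` bucket name and the third sample with the file names `example-new.cc` and `example-patch.pat` are constructed assumptions.

```python
"""Flag pending boot-file changes in `display startup` output (fields per Table 3-58)."""

ITEMS = ("system software", "saved-configuration file", "paf file", "patch package")


def parse_display_startup(text):
    """Return {board: {field: value}}; a board header is a line such as "MainBoard:"."""
    boards, board = {}, "(device)"  # assumed bucket name when no header line is present
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):      # blank line or echoed prompt
            continue
        key, sep, value = line.partition(":")     # values such as flash:/x keep their ":"
        if not sep:
            continue
        if not value.strip():                     # "MainBoard:" or "slot 1:"
            board = key.strip()
            boards.setdefault(board, {})
        else:
            boards.setdefault(board, {})[key.strip()] = value.strip()
    return boards


def startup_findings(boards):
    """Return (board, item, note) tuples for everything a reboot would change."""
    findings = []
    for board, fields in boards.items():
        configured = fields.get("Configured startup system software")
        running = fields.get("Startup system software")
        if configured and running and configured != running:
            findings.append((board, "system software",
                             f"configured {configured} but started from {running}"))
        for item in ITEMS:
            current = fields.get(f"Startup {item}")
            upcoming = fields.get(f"Next startup {item}")
            if upcoming is None:
                continue
            if item == "saved-configuration file" and upcoming == "NULL":
                findings.append((board, item,
                                 "no file set: next startup uses empty configuration"))
            elif current is not None and current != upcoming:
                findings.append((board, item, f"{current} -> {upcoming}"))
    return findings


# Example output of display startup, as shown on this page.
SAMPLE_PAGE = """\
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/basicsoftware.cc
Startup system software: flash:/basicsoftware.cc
Next startup system software: flash:/basicsoftware.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
"""

# Lines printed by reboot after reset saved-configuration (section 3.8.29 of this page).
SAMPLE_RESET = """\
slot 1:
Next startup system software: flash:/basicsoftware.cc
Next startup saved-configuration file: NULL
Next startup paf file: default
Next startup patch package: NULL
"""

# Constructed sample: file names below are placeholders, not real packages.
SAMPLE_PENDING = SAMPLE_PAGE.replace(
    "Next startup system software: flash:/basicsoftware.cc",
    "Next startup system software: flash:/example-new.cc",
).replace(
    "Next startup patch package: NULL",
    "Next startup patch package: flash:/example-patch.pat",
)

if __name__ == "__main__":
    for name, sample in (("page", SAMPLE_PAGE), ("reset", SAMPLE_RESET),
                         ("pending", SAMPLE_PENDING)):
        print(name, startup_findings(parse_display_startup(sample)))
```

Run against a capture taken before a maintenance window, an empty result means a restart changes nothing; any tuple is a file that should match an approved change before the device is rebooted.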

3.8.25 install-module

Function
The install-module command dynamically loads a specified module file.

Format
install-module file-name [ next-startup ]

Parameters

Parameter      Description                                   Value
file-name      Specifies the name of the module file to be   The name of the module file
               loaded.                                       must already exist.
next-startup   Specifies the name of the module file to be   -
               loaded at the next startup.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Guideline

To install a module in the current system by loading the module file, run the install-module
command. The extension of a module file name must be *.MOD or *.mod.

To view information about successfully loaded module files, run the display
module-information command.

Precautions

Loaded module files must be stored in the $_install_mod directory.


Example
# Load the SwitchV200R001MOD501.MOD file to the $_install_mod directory.
<HUAWEI> install-module SwitchV200R001MOD501.MOD

3.8.26 reboot

Function
The reboot command restarts the device.

Format
reboot [ fast | save diagnostic-information ]

Parameters
Parameter                     Description                                            Value
fast                          Fast restarts the device. In fast restart mode, the    -
                              configuration file is not saved.
save diagnostic-information   Saves the diagnostic information before the restart.   -

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
This command functions in the same way as a power cycle operation (power off and then
restart the device). The command enables you to restart the device remotely.
• After the reboot or reboot save diagnostic-information command is run, the system
  displays a message asking you whether to save the configuration. If you choose to save
  the configuration, the current configuration is written into the configuration file to
  prevent configuration loss after the reboot. If you choose not to save the configuration,
  the device reboots using the configuration in the configuration file, leading to the loss
  of unsaved configuration.
• After the reboot fast command is run, the device reboots without prompting you to save
  the configuration. Therefore, the unsaved configuration will be lost.
• After the reboot save diagnostic-information command is run, if a diagnostic
  information file already exists, the system displays a message asking you whether to
  overwrite the file before the reboot. If you choose to overwrite the file, the system
  saves current diagnostic information to the root directory of the CF card and overwrites
  the original diagnostic information file. If you choose not to overwrite the file, the
  system does not collect diagnostic information. Diagnostic information does not affect
  device configuration.

Precautions

• If you do not respond to the displayed message within the timeout period after running
  this command, the system will return to the user view and the device will not be
  restarted.
• To avoid loss of diagnostic information after a restart, configure the device to save the
  diagnostic information before restarting.
• This command interrupts services on the entire device. Therefore, do not use this
  command when the device is running properly.
• Before restarting the device, ensure that the configuration file has been saved.

Example
# Restart the device.
<HUAWEI> reboot

# Restart the device quickly.


<HUAWEI> reboot fast

3.8.27 refresh configuration candidate

Function
The refresh configuration candidate command re-executes candidate configuration to
resolve configuration conflicts.

Format
refresh configuration candidate

Parameters
None

Views
All views except the user view

Default Level
3: Management level

Task Name and Operations


Task Name Operations
cli execute


Usage Guidelines
Usage Scenario
If the system displays a message indicating that the current running configuration is changed
when you run the display configuration candidate changes command to view the difference
between the candidate configuration and current running configuration, run the refresh
configuration candidate command to resolve the configuration conflict so that you can
continue to view the configuration difference.
If a configuration conflict occurs before you commit the configuration, you can resolve the
configuration conflict and then run the commit command to commit the configuration.
Alternatively, run the commit command to commit the configuration directly, without
resolving the configuration conflict.
Precautions
This command applies only to the two-phase validation mode.

Example
# Update the candidate configuration based on the current running configuration to resolve
configuration conflicts.
<HUAWEI> system-view
[~HUAWEI] refresh configuration candidate

3.8.28 reset boot password


Function
The reset boot password command resets the password of the BIOS menu to
Admin@huawei.com.
By default, the password of the BIOS menu is Admin@huawei.com.

Format
reset boot password [ slot slot-id ]

Parameters
Parameter      Description            Value
slot slot-id   Specifies a slot ID.   The value range depends on the device configuration.

Views
User view

Default Level
3: Management level


Usage Guidelines
If you forget the password of the BIOS menu, use the reset boot password command to set
the password to Admin@huawei.com. Then you can use this password to enter the BIOS
menu.

Example
# Reset the password of the BIOS menu.
<HUAWEI> reset boot password
Warning: The password used to enter the boot menu by clicking Ctrl+B will be
restored to the default password, continue? [Y/N]: y
Info: Succeeded in setting password of BIOS to the default password.

3.8.29 reset saved-configuration

Function
The reset saved-configuration command cancels the configuration file used for next startup.

Format
reset saved-configuration

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
After the device software is upgraded or the device in use is applied to another scenario, you
can run the reset saved-configuration command to cancel the configuration file used for next
startup so that the device starts with empty configurations.
Precautions
• After this command is run and the device restarts, enter N when the system asks you
  whether to save the current configuration file as the next startup configuration file.
  The cancellation of the configuration file for next startup then takes effect.
• After the device starts with the default configuration, you need to log in to the device
  through the console port. Remote login is not supported.
• If the next startup configuration file is empty, the device displays a message indicating
  that the file does not exist.
• Exercise caution when you run the reset saved-configuration command.

Example
# Cancel the configuration file used for next startup.
<HUAWEI> reset saved-configuration
The action will delete the saved configuration on the device.
The configuration will be erased to reconfigure.Continue? [Y/N]: y
Warning: Now the configuration on the device is being
deleted.
..........
Info: Succeeded in clearing the configuration in the device.
<HUAWEI> reboot
slot 1:
Next startup system software: flash:/basicsoftware.cc
Next startup saved-configuration file: NULL
Next startup paf file: default
Next startup patch package: NULL
Warning: The current configuration will be saved to the next startup saved-confi
guration file. Continue? [Y/N]: n
Warning: The system will reboot. Continue? [Y/N]: y

3.8.30 rollback configuration


Function
The rollback configuration command rolls back the system from the current configuration
state to a historical configuration state.

Format
rollback configuration { to { commit-id commit-id | label label | file file-name } | last
number-of-commits }

Parameters
Parameter               Description                             Value
commit-id commit-id     Specifies the label of the              The value is an integer that the system
                        configuration rollback point to which   generates automatically.
                        system configurations are expected to   Run the display configuration commit
                        roll back.                              list command to check the configuration
                                                                rollback points.
label label             Specifies a user label for a            The value is a string of 1 to 256
                        configuration rollback point. A         case-sensitive ASCII characters, spaces
                        specified user label indicates the      not supported. The value must start
                        historical configuration state to       with a letter and cannot be presented
                        which the system configuration is       in a single hyphen (-). The label must
                        expected to roll back.                  already exist.
file file-name          Specifies a configuration file for      The value is a string of 5 to 64
                        configuration rollback. A specified     case-sensitive characters in the format
                        configuration file indicates the        of *.zip, *.cfg, or *.dat, spaces not
                        historical configuration state to       supported. The file-name must already
                        which the system configuration is       exist.
                        expected to roll back.
last number-of-commits  Specifies the number of configuration   The value is an integer that ranges
                        rollback points. The system will be     from 1 to 80.
                        rolled back to the historical
                        configuration state before these
                        configuration rollback points.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

If the configuration is incorrect, the service is not running properly, or an unexpected
configuration result occurs on the network, run this command to roll back the system to the
specified historical configuration state.

For example, a user performs four configuration operations and submits these configurations,
and four consecutive rollback points a, b, c, and d are generated. The user finds that the
configuration at b is incorrect and wants to roll back the system to the configuration state
before b. After the user rolls back the system configuration to a, a new rollback point e is
generated and marked with Rollback.

If an error occurs in the configuration rollback, you can recover the configuration to the state
before the rollback, and a new rollback point is generated and marked with Rollback.

Prerequisites

The display configuration commit changes command has been executed to check the
configuration change in the configuration rollback point to determine whether the
configuration can be rolled back to the expected historical state.

Follow-up Procedure

If some configurations fail to be rolled back, run the display configuration rollback result
command to check these configurations and the messages generated during configuration
execution.

Example
# Roll back the system to the historical configuration state at rollback point 1000000001.


<HUAWEI> rollback configuration to commit-id 1000000001

# Roll back the system to the historical configuration state at the rollback point before the last
two rollback points.
<HUAWEI> rollback configuration last 2

3.8.31 save

Function
The save command saves the configurations to the configuration file.

Format
save [ configuration-file ]

Parameters
Parameter            Description               Value
configuration-file   Specifies the name of a   The value is a string of 5 to 64 case-sensitive
                     configuration file.       characters without spaces.

Views
User view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
You can run commands to modify the current configuration of the device, but the modified
configuration will be lost after the device restarts. To enable the new configuration to take
effect after a restart, save the current configuration in the configuration file before restarting
the device.
When a series of configurations are complete and take effect, you must save the current
configuration file to the storage device.
The save configuration-file command saves the current configuration to a specific file on the
storage device. Generally, running the save configuration-file command does not affect the
current startup configuration file. If the configuration file specified by configuration-file has
the same name as the current configuration file and the default directory is used, running
the save configuration-file command is equivalent to running the save command.
If you do not specify configuration-file when saving the configuration file for the first time,
the system displays the file name extension of the configuration file. If you directly press
Enter, the configuration file is saved as vrpcfg.zip. The vrpcfg.zip file is the default system
configuration file and does not contain any configuration in the initial state.
Precautions

• If the configuration file to be saved using this command has the same name as the
  existing configuration file, the existing configuration file is overwritten.
• The configuration file name extension must be .zip, .dat or .cfg.
  – .cfg: The file is saved in plain text mode. After the file is specified as the
    configuration file, all commands in the file are recovered one by one during startup.
  – .zip: The .cfg file is compressed to a .zip file that occupies less space. After being
    specified as the configuration file, the .zip file is decompressed to the .cfg file and
    all commands in the .cfg file are recovered one by one during startup.
  – .dat: A .dat file is a binary file. If the startup software version and the .dat file
    version are the same, the system restores all configurations in the .dat file in batches
    when the device starts. This speeds up the system startup.

Example
# Save the current configuration file to the default storage medium when the switch starts with
configuration.
<HUAWEI> save
Warning: The current configuration will be written to the device. Continue? [Y/N]:y
Now saving the current configuration to the slot 1
Info: Save the configuration successfully.

# Save the current configuration file to the default storage medium for the first time when the
switch starts without configuration.
<HUAWEI> save
Warning: The current configuration will be written to the device. Continue? [Y/N]: y
Info: Please input the file name(*.cfg, *.zip, *.dat)[vrpcfg.zip]:
Now saving the current configuration to the slot 2 ..
Info: Save the configuration successfully.

3.8.32 schedule reboot


Function
The schedule reboot command configures the scheduled restart of a device and sets the
specific time when the device restarts or the delay time before the device restarts.
The undo schedule reboot command disables the scheduled restart function.
By default, the scheduled restart is disabled.

Format
schedule reboot { at time | delay interval [ force ] }
undo schedule reboot

Parameters
Parameter | Description | Value
at time | Specifies the device restart time. | The format of time is hh:mm YYYY/MM/DD. The restart time must be later than the current device time by less than 720 hours. YYYY/MM/DD indicates year, month, and date and is optional. hh indicates hour and the value ranges from 0 to 23. mm indicates minute and the value ranges from 0 to 59. YYYY indicates year and the value ranges from 2000 to 2037. MM indicates month and the value ranges from 1 to 12. DD indicates date and the value ranges from 1 to 31.
delay interval | Specifies the delay time before the device restarts. | The format of interval is hh:mm or mm. The delay time must be no more than 720 hours. In hh:mm, hh indicates hour and the value ranges from 0 to 720 and mm indicates minute and the value ranges from 0 to 59. mm indicates minute and the value ranges from 0 to 43200.
force | Specifies forcible scheduled restart. | -

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When upgrading or restarting the device, you can configure the device to restart at a time when
few services are running to minimize the impact on services.
Precautions
• If the schedule reboot at command is used to set a specific date (YYYY/MM/DD) and the
  date is a future date, the device restarts at the specified time, with an error within 1
  minute. If no date is set, two situations occur: If the specified time is later than the
  current time, the device restarts at the specified time of the day. If the specified time is
  earlier than the current time, the device restarts at the set time the next day.
• Note that the gap between the specified date and current date must be shorter than or
  equal to 720 hours. If the scheduled restart has been configured, the latest configuration
  overrides the previous one.

• Run the schedule reboot delay interval command to set the delay time before the device
  restarts. If the force parameter is not specified, the system compares the configuration
  file with the current configuration. If the current configuration is different from the
  configuration file, the system asks you whether to save the current configuration. After
  you complete the selection, the system prompts you to confirm the configured restart
  time. Enter Y or y to make the configured restart time take effect. If the force parameter
  is specified, the system does not display any message, and the restart time takes effect
  directly. The current configuration is not compared or saved.
• The scheduled restart function becomes invalid when you use the clock datetime
  command to set the system time to over 10 minutes later than the restart time set by the
  schedule reboot command. If the time difference is equal to or less than ten minutes, the
  device immediately restarts and does not save the configuration.
• This command restarts the device at the specified time, interrupting all services on the
  device. Therefore, do not use this command when the device is running properly.
• Before restarting the device, ensure that the configuration file has been saved.
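
The time rules in the parameter table and precautions above can be checked before a change window with a short script. This is an added Python example, not Huawei code; the function names are hypothetical, and treating a time equal to the current time like an earlier one (next day) is an assumption, since the page does not cover that case.

```python
import re
from datetime import datetime, timedelta

MAX_AHEAD = timedelta(hours=720)      # documented limit for both forms
CLOCK_GRACE = timedelta(minutes=10)   # threshold from the clock datetime precaution

PENDING = "pending"
INVALID = "schedule invalid, no restart"
IMMEDIATE = "immediate restart, configuration not saved"


def resolve_at(arg: str, now: datetime) -> datetime:
    """Restart time for `schedule reboot at hh:mm [YYYY/MM/DD]` issued at `now`."""
    m = re.fullmatch(r"(\d{1,2}):(\d{1,2})(?:\s+(\d{4})/(\d{1,2})/(\d{1,2}))?",
                     arg.strip())
    if not m:
        raise ValueError("expected hh:mm [YYYY/MM/DD]")
    hh, mm = int(m.group(1)), int(m.group(2))
    if hh > 23 or mm > 59:
        raise ValueError("hh must be 0-23 and mm 0-59")
    if m.group(3):
        year, month, day = (int(m.group(i)) for i in (3, 4, 5))
        if not 2000 <= year <= 2037:
            raise ValueError("YYYY must be 2000-2037")
        when = datetime(year, month, day, hh, mm)  # raises on month 13, day 32, ...
        if when <= now:
            raise ValueError("restart time must be later than the current time")
    else:
        when = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
        if when <= now:
            # Earlier than the current time: same clock time on the next day.
            # (Equal to the current time is handled the same way: assumption.)
            when += timedelta(days=1)
    if when - now > MAX_AHEAD:
        raise ValueError("restart time is more than 720 hours ahead")
    return when


def resolve_delay(arg: str, now: datetime) -> datetime:
    """Restart time for `schedule reboot delay hh:mm` or `delay mm` issued at `now`."""
    m = re.fullmatch(r"(?:(\d{1,3}):)?(\d{1,5})", arg.strip())
    if not m:
        raise ValueError("expected hh:mm or mm")
    if m.group(1) is not None:
        hh, mm = int(m.group(1)), int(m.group(2))
        if hh > 720 or mm > 59:
            raise ValueError("in hh:mm, hh must be 0-720 and mm 0-59")
        delay = timedelta(hours=hh, minutes=mm)
    else:
        minutes = int(m.group(2))
        if minutes > 43200:
            raise ValueError("mm must be 0-43200")
        delay = timedelta(minutes=minutes)
    if delay > MAX_AHEAD:
        raise ValueError("delay is more than 720 hours")
    return now + delay


def after_clock_change(restart_at: datetime, new_clock: datetime) -> str:
    """Effect of `clock datetime` setting the system time to `new_clock`."""
    if new_clock <= restart_at:
        return PENDING
    if new_clock - restart_at > CLOCK_GRACE:
        return INVALID      # more than 10 minutes past the restart time
    return IMMEDIATE        # within 10 minutes: restarts at once, nothing is saved
```

With the current time set to 10:41 on 2017/08/07, `resolve_at("22:00", now)` gives 22:00 the same day, which matches the "in 11 hours and 19 minutes" shown in the device output in the example for this command.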

Example
# Configure the device to restart at 22:00.
<HUAWEI> schedule reboot at 22:00
Warning: The current configuration will be saved to the next startup saved-configuration file. Continue? [Y/N]:y
Now saving the current configuration....
Save the configuration successfully.
Info: Reboot system at 22:00:00 2017/08/07 UTC (in 11 hours and 19 minutes).
Confirm? [Y/N]:y

3.8.33 set configuration commit


Function
The set configuration commit command sets a user label for a configuration rollback point.
By default, no user label is set for configuration commit.

Format
set configuration commit commit-id label label-string

Parameters
Parameter | Description | Value
commit-id | Specifies the ID of a configuration rollback point. | The value is an integer ranging from 1000000001 to 1999999999 and generated by the system automatically.
label label-string | Specifies the user label of a configuration rollback point. NOTE: The parameter value must be unique in the system and in one-to-one mappings with commit-id. | The value is a string of 1 to 256 case-sensitive ASCII characters without spaces. The value must start with a letter and cannot be a single hyphen (-).

Views
User view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

After a configuration rollback point is generated, the system automatically allocates a commit
ID for this configuration rollback point. The commit ID is an integer that ranges from
1000000001 to 1999999999, which is difficult to understand and remember. When the
number of configuration rollback points that are automatically generated by the system
reaches the upper threshold, the earliest configuration rollback points are replaced by the latest
configuration rollback points. For some important configurations, however, the related
configuration rollback points need to be retained. In this case, you can run the set
configuration commit command to specify a user label for a configuration rollback point.
A user label is easy to understand and remember, and configuration rollback points related to
important configurations are then not replaced.

You can specify a user label when a configuration rollback point is generated using the
commit command. If a configuration rollback point has been generated, you can run the set
configuration commit command to add a user label for the configuration rollback point. For
continuous configuration rollback points with labels, you cannot directly modify the labels.
You must run the clear configuration commit commit-id label command to delete the labels
of the configuration rollback points first and then run the set configuration commit
command to specify user labels for the configuration rollback points.
NOTE

For discontinuous configuration rollback points with labels (values of the CommitId fields of the
configuration rollback points in the display configuration commit list command output are marked
with an asterisk [*]), exercise caution when running the clear configuration commit commit-id label
command because this command will simultaneously delete the configuration rollback points and their
labels.

You can run the clear configuration commit commit-id label command to delete label
information of a configuration rollback point.

You can run the display configuration commit list command to check label information of a
configuration rollback point.

Precautions

• In unified management mode, the set configuration commit command can only be run in
  a physical system (PS).
• You cannot run the clear configuration commit oldest number-of-commits command to
  delete a configuration rollback point with a label.
• If the set configuration commit command has been run, you cannot run the rollback
  configuration command to roll back the system to the previous configuration.
• If you run the set configuration commit command multiple times, only the latest
  configuration takes effect.

Example
# Set the label new_label for configuration commit ID 1000000002.
<HUAWEI> set configuration commit 1000000002 label new_label

3.8.34 software crl load

Function
The software crl load command loads a digital signature certificate revocation list (CRL) file
to the main control board.

Format
software crl load crl-name

Parameters
Parameter | Description | Value
crl-name | Specifies a CRL name. The CRL file must be in the flash directory of the main control board. | The value is a string of 5 to 63 case-insensitive characters, spaces not supported. The file name is determined by the uploaded file and must be the same as the name of the uploaded file.

Views
User view

Default Level
3: Management level

Task Name and Operations


Task Name | Operations
patch | write

Usage Guidelines
The lifetime of a certificate is limited. A certificate authority (CA) can revoke a certificate to
shorten its lifetime. A CRL is a list of certificates that have been revoked, and therefore
should not be relied upon. The CRL is issued by a CA. If a CA revokes a certificate, the key
pair defined in the certificate can no longer be used even if the certificate has not expired.
After a certificate in a CRL expires, the certificate is deleted from the CRL to shorten the
CRL.

If an issued digital signature certificate needs to be revoked due to key disclosure or other
reasons, a third-party tool can be used to mark the certificate invalid and add the certificate to
a digital certificate CRL. To load the latest digital signature CRL file to a device, run the
software crl load command. After the file is loaded, the device does not verify the digital
signature certificate upon next startup.

Example
# Load a CRL file to the main control board.
<HUAWEI> software crl load crldata-new.crl

3.8.35 startup saved-configuration

Function
The startup saved-configuration command specifies the system configuration file for next
startup.

Format
startup saved-configuration configuration-file [ slot slot-id ]

Parameters
Parameter | Description | Value
configuration-file | Specifies the name of a configuration file. Make sure that the file exists. | The name of a configuration file must already exist. The file name extension can be .zip, .dat, or .cfg.
slot slot-id | Specifies a member device in a stack. | The value is an integer. The range of the integer is dependent on the specific device.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

When the original configuration file cannot be used due to the software upgrade, run the
startup saved-configuration command to specify another configuration file for next startup.
The startup configuration file must be saved in the root directory of the storage device.

Follow-up Procedure

Run the reboot command to restart the device.

Precautions

• The configuration file specified for the next startup must exist.
• The configuration file name extension must be .zip, .dat, or .cfg.
  – A configuration file with the file name extension .cfg is a text file, and you can
    view the file content in the text file. After the file is specified as the configuration
    file for next startup, the system restores all commands in the file one by one during
    a startup.
  – A .cfg file is compressed to a .zip file that occupies less space. After being specified
    as the configuration file, the .zip file is decompressed to the .cfg file and the system
    restores all commands in the .cfg file one by one during startup.
  – A .dat file is a binary file. If the startup software version and the .dat file version are
    the same, the system restores all configurations in the .dat file in batches when the
    device starts. This speeds up the system startup. If the startup software version and
    the .dat file version are different, the system restores configurations using
    commands in the .dat file.
• This command and the copy startup command can be used to specify the configuration
  file for next startup and the later configuration takes effect.

Example
# Specify the system configuration file for the next startup.
<HUAWEI> startup saved-configuration vrpcfg.cfg
Info: Succeeded in setting the configuration for booting system.

3.8.36 startup system-software

Function
The startup system-software command specifies the system software for next startup.

By default, no system software file to be used at the next startup is specified.

Format
startup system-software system-file [ all | slave-board | slot slot-id ]

Parameters
Parameter | Description | Value
system-file | Specifies the name of the system software file. | The name of the system software file must already exist. It is in the format of [ drive-name ] [ file-name ]. If drive-name is not specified, the name of the default storage device is used.
all | Specifies all member devices in a stack. | -
slave-board | Specifies the system software for next startup on the slave switch. | -
slot slot-id | Specifies a member device in a stack. | The value is an integer. The range of the integer is dependent on the specific device.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
During a system software upgrade or downgrade, run this command to specify the system software
for next startup.
Follow-up Procedure
Run the reboot command to restart the device.
Precautions
• The system software package must use .cc as the file name extension and be saved to the
  root directory of the storage device.
• The system software configured for next startup cannot be deleted.

Example
# Specify the system software to be loaded for next startup.
<HUAWEI> startup system-software basicsoft.cc

3.8.37 startup patch


Function
The startup patch command specifies the patch file for next startup.

Format
startup patch patch-name { all | slot slot-id }

Parameters
Parameter | Description | Value
patch-name | Specifies the name of the patch file for next startup. | The name of the patch file must already exist. It is in the format of [ drive-name ] [ path ] [ file-name ]. If drive-name is not specified, the name of the default storage device is used.
all | Specifies all member devices in a stack. | -
slot slot-id | Specifies a member device in a stack. | The value is an integer. The range of the integer is dependent on the specific device.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
To make the patch file take effect after the device restarts, run this command to specify the
patch file for next startup.
Prerequisites
The desired patch file has been uploaded to the Flash:/ of the device.
Follow-up Procedure
Run the reboot command to restart the device.
Precautions
• A patch file uses .pat as the file name extension and must be saved in the root directory.
• If you use this command to specify another patch for next startup, the previous patch will
  be overridden.
• After the patch file is specified for next startup, run the display patch-information
  command to view the patch file.
  – If the patch file for next startup is not empty, the device loads the patch
    automatically after next startup.
  – If the patch file for next startup is empty, the device cannot load the patch after next
    startup.

• After the device restarts, the system loads and runs the patch. If you do not want the
  system to load the patch file after startup, use either of the following methods to delete
  the patch file:
  – Run the patch delete all command to delete the current patch.
  – Run the reset patch-configure next-startup command to delete the patch file
    already loaded on the system after startup.

Example
# Specify the patch file for next startup.
<HUAWEI> startup patch patch.pat all

3.8.38 uninstall-module

Function
The uninstall-module command uninstalls a specified module file.

Format
uninstall-module { file-name [ next-startup ] | all }

uninstall-module next-startup all

Parameters
Parameter | Description | Value
file-name | Specifies the name of the module file to be uninstalled. | The value is a string of 5 to 63 case-sensitive characters in the format of .mod or .MOD.
next-startup | Specifies the name of the module file loaded at next startup. | -
all | Specifies that all modules need to be uninstalled. | -

Views
User view

Default Level
3: Management level

Task Name and Operations


Task Name | Operations
patch | execute

Usage Guidelines
The uninstall-module command can be used to uninstall in-use modules from the system.

The display module-information command can be used to check whether a specified module
has been uninstalled from the system.

The uninstall-module next-startup all command configures a device to remove all
dynamically loaded modules at a next startup.

Example
# Uninstall module 123.MOD from the system.
<HUAWEI> uninstall-module 123.MOD
This will uninstall the module. Are you sure? [Y/N]:y
Info: Succeeded in uninstalling the module.

# Remove all dynamically loaded modules at a next startup.
<HUAWEI> uninstall-module next-startup all
Info: Operating, please wait for a moment........done.
Info: Succeeded in uninstalling the module.

3.9 ISSU Configuration Commands

3.9.1 display fei frame backup-time

Function
The display fei frame backup-time command displays the backup time of each service
module during an ISSU upgrade.

NOTE

Only the CE6870EI supports this command.

Format
display fei frame backup-time slot slot-id component fei

Parameters

Parameter | Description | Value
slot slot-id | Specifies a slot ID. | The value is an integer or a string of characters. You can enter a question mark (?) and select a value from the displayed value range.
component fei | Indicates FEI components. | -

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can run this command to check the backup time of each service module during an ISSU
upgrade, including the backup start time and end time.

Example
# Display the backup time of each service module during an ISSU upgrade.
<HUAWEI> display fei frame backup-time slot 1 component fei
The details of service backup time as follows:
--------------------------------------------------------------------------------------------
Service       BeginTime   EndTime     UsedTime (s)   ThresholdTime (s)
--------------------------------------------------------------------------------------------
ACL           15:24:30    15:24:32    2              20
CPU_DEFEND    15:24:32    15:24:36    4              250
VLAN          15:24:36    15:24:39    3              150
TRUNK         15:24:39    15:24:41    2              20
MAC           15:24:41    15:24:43    2              100
ARP           15:24:43    15:24:57    14             1000
MSTP          15:24:57    15:24:59    2              10
LLDP          15:24:59    15:25:01    2              10
DLDP          15:25:01    15:25:03    2              10
SMARTLINK     15:25:03    15:25:05    2              10
EFM           15:25:05    15:25:07    2              10
DAD           15:25:07    15:25:09    2              10
L2PT          15:25:09    15:25:11    2              200
LDT           15:25:11    15:25:13    2              10
ERPS          15:25:13    15:25:15    2              10
TRILL         15:25:15    15:25:17    2              50
QOS           15:25:17    15:25:20    3              1500
MQC           15:25:20    15:25:22    2              100
FCOE          15:25:22    15:25:24    2              100
DCB           15:25:24    15:25:26    2              20
SECURITY      15:25:26    15:25:29    3              250
NS_FLOW       15:25:29    15:25:29    0              200
MC            15:25:29    15:25:31    2              50
MIRR          15:25:31    15:25:33    2              50
--------------------------------------------------------------------------------------------

Table 3-59 Description of the display fei frame backup-time command output
Item | Description
Service | Name of a service profile.
BeginTime | Backup start time.
EndTime | Backup end time.
UsedTime (s) | Time taken for backup.
ThresholdTime (s) | Upper threshold for the time taken for backup.

3.9.2 display issu check-result


Function
The display issu check-result command displays the result of ISSU check.

Format
display issu check-result

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
After you use the issu check command to perform ISSU check, you can use the display issu
check-result command to view the check result.

Example
# Display the result of system upgrade check.

<HUAWEI> display issu check-result


------------------------------ISSU CHECK RESULT-------------------------------
Check Date : 2015/03/07 15:57:01
Check Result : success
Upgrade type : lossy
Base package : CE6850EI-V100R005C00SPC300.cc
Upgrade package : CE6850EI-V100R005C10SPC200.cc
Base patch : CE6850EI-V100R005SPH001.PAT
Base paf : default
Upgrade paf : default

------------------------------------------------------------------------------
Info: The upgrade procedure is:
Reboot the slave board with the upgrade system software.
Create standby process with the upgrade system software, and detailed process
groups are as follows:
process group: 10003 slot: 1
process group: 10005 slot: 3
process group: 10004 slot: 1
process group: 10006 slot: 3
Upgrade process with the upgrade system software, and detailed process groups
are as follows:
process group: 10003 slot: 1
process group: 10005 slot: 3
process group: 10004 slot: 1
process group: 10006 slot: 3
process group: 3 slot: 1
process group: 1000 slot: 1
process group: 10001 slot: 1
process group: 1002 slot: 1
process group: 1001 slot: 1
process group: 2 slot: 1
process group: 10002 slot: 1
Reboot group with the upgrade system software, The detail groups is below:
board group: 1 slot: 3
Reboot the master board with the upgrade system software.
------------------------------------------------------------------------------

Table 3-60 Description of the display issu check-result command output


Item | Description
Check Date | Date when an ISSU check is performed.
Check Result | ISSU check result.
Upgrade type | ISSU type.
Base package | Name of the old system software.
Upgrade package | Name of the new system software.
Base patch | Name of the old patch file.
Base paf | Name of the old PAF file.
Upgrade paf | Name of the new PAF file.

3.9.3 display issu group


Function
The display issu group command displays information about device groups.

Format
display issu group

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
You can run the command to check information about device groups during ISSU.

Example
# Display current information about board groups.
<HUAWEI> display issu group
Grouping Information
-----------------------------------
GroupId SlotId BoardType
-----------------------------------
1 1 MPU
-----------------------------------

Table 3-61 Description of the display issu group command output


Item | Description
GroupId | Group ID.
SlotId | ID of a device.
BoardType | Device type.

3.9.4 display issu report


Function
The display issu report command displays detailed information about the ISSU process.

Format
display issu report

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
After you use the issu start command to start ISSU, you can use the display issu report
command to view detailed information about the ISSU process.

Example
# Display detailed information about the ISSU progress.
<HUAWEI> display issu report
-----------------------------ISSU REPORT-----------------------------------
Upgrade number : 20150815164424
Upgrade type : lossy
Upgrade result : success
Base package : CE6850EI-V100R005C00SPC300.cc
Upgrade package : CE6850EI-V100R005C10SPC200.cc
Base patch : CE6850EI-V100R005SPH001.PAT
Base paf : default
Upgrade paf : default
Upgrade rollback time(min) : 120

Upgrade start begin time : 2015/08/15 16:44:24


Upgrade start end time : 2015/08/15 17:02:11
Upgrade start total duration : 0 Hours 17 Minutes 47 Seconds

Upgrade confirm time : 2015/08/15 17:02:42


Upgrade abort time : --

---------------------------------------------------------------------------
Upgrade procedure details:
slot: 1 [reboot]
begin time: 2015/08/15 16:46:07
end time: 2015/08/15 16:54:26
duration: 0 Hours 8 Minutes 19 Seconds
slot: 2 [upgrade process]
process group: 10003
begin time: 2015/08/15 16:54:32
end time: 2015/08/15 16:56:04
duration: 0 Hours 1 Minutes 32 Seconds
slot: 2 [upgrade process]
process group: 10004
begin time: 2015/08/15 16:54:33
end time: 2015/08/15 16:56:04
duration: 0 Hours 1 Minutes 31 Seconds
slot: 2 [reset process]
process group: 3

begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:52
duration: 0 Hours 0 Minutes 53 Seconds
slot: 2 [reset process]
process group: 1000
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:53
duration: 0 Hours 0 Minutes 54 Seconds
slot: 2 [reset process]
process group: 10001
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:54
duration: 0 Hours 0 Minutes 55 Seconds
slot: 2 [reset process]
process group: 1002
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:55
duration: 0 Hours 0 Minutes 56 Seconds
slot: 2 [reset process]
process group: 1001
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:56
duration: 0 Hours 0 Minutes 57 Seconds
slot: 2 [reset process]
process group: 2
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:57
duration: 0 Hours 0 Minutes 58 Seconds
slot: 2 [reset process]
process group: 10002
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:58
duration: 0 Hours 0 Minutes 59 Seconds
slot: 2 [reset process]
process group: 10003
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:50
duration: 0 Hours 0 Minutes 51 Seconds
slot: 2 [reset process]
process group: 10004
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:51
duration: 0 Hours 0 Minutes 52 Seconds
slot: 2 [reboot]
begin time: 2015/08/15 16:56:13
end time: 2015/08/15 17:00:09
duration: 0 Hours 3 Minutes 56 Seconds
---------------------------------------------------------------------------

Table 3-62 Description of the display issu report command output


Item | Description
Upgrade number | System upgrade number.
Upgrade type | Upgrade type: lossy.
Upgrade result | Upgrade result: success (the upgrade is successful); user abort (the user exits the upgrade); rollback (ISSU fails and the system rolls back because of a system exception or rollback timer expiration).
Base package | Name of the old system software.
Upgrade package | Name of the new system software.
Base patch | Name of the old patch file.
Base paf | Name of the old PAF file.
Upgrade paf | Name of the new PAF file.
Upgrade rollback time(min) | Rollback timer value.
Upgrade start begin time | Date and time when the ISSU start phase begins.
Upgrade start end time | Date and time when the ISSU start phase ends.
Upgrade start total duration | Duration for the ISSU start phase.
Upgrade confirm time | Date and time when ISSU confirmation is performed.
Upgrade abort time | Date and time when rollback is performed.
Upgrade procedure details | Detailed information about the ISSU progress.
slot | Slot ID and upgrade mode of the device to be upgraded.
begin time | Date and time when device upgrade begins.
end time | Date and time when device upgrade ends.
duration | Duration for device upgrade.
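
The header fields of display issu check-result (Table 3-60) and display issu report (Table 3-62) can be compared against an approved change record, so that an unexpected package name or a rolled-back upgrade is caught from the captured output. This is an added Python example, not Huawei code; the function names and the shape of the approved record are assumptions, and the sample outputs are constructed from the examples on this page.

```python
# Constructed samples modelled on the example outputs shown for both commands.
CHECK_OUTPUT = """\
<HUAWEI> display issu check-result
------------------------------ISSU CHECK RESULT-------------------------------
Check Date : 2015/03/07 15:57:01
Check Result : success
Upgrade type : lossy
Base package : CE6850EI-V100R005C00SPC300.cc
Upgrade package : CE6850EI-V100R005C10SPC200.cc
Base patch : CE6850EI-V100R005SPH001.PAT
Base paf : default
Upgrade paf : default

------------------------------------------------------------------------------
Info: The upgrade procedure is:
Reboot the slave board with the upgrade system software.
"""

REPORT_OUTPUT = """\
<HUAWEI> display issu report
-----------------------------ISSU REPORT-----------------------------------
Upgrade number : 20150815164424
Upgrade type : lossy
Upgrade result : success
Base package : CE6850EI-V100R005C00SPC300.cc
Upgrade package : CE6850EI-V100R005C10SPC200.cc
Base patch : CE6850EI-V100R005SPH001.PAT
Upgrade rollback time(min) : 120
Upgrade confirm time : 2015/08/15 17:02:42
Upgrade abort time : --
---------------------------------------------------------------------------
Upgrade procedure details:
slot: 1 [reboot]
begin time: 2015/08/15 16:46:07
"""

# Fields that must match the approved change record and each other.
PINNED = ("Base package", "Upgrade package", "Base patch")


def parse_header(output: str) -> dict:
    """Return the 'name : value' fields between the title banner and the next rule."""
    fields, inside = {}, False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:          # a rule made only of dashes
            if inside:
                break                   # end of header; procedure details follow
            continue
        if line.startswith("-") and line.endswith("-"):
            inside = True               # banner such as ----ISSU REPORT----
            continue
        if inside and ":" in line:
            key, _, value = line.partition(":")   # values may contain ':' (times)
            fields[key.strip()] = value.strip()
    return fields


def review_upgrade(check_out: str, report_out: str, approved: dict) -> list:
    """Return findings; an empty list means the outputs agree with the approval."""
    check, report = parse_header(check_out), parse_header(report_out)
    findings = []
    if check.get("Check Result") != "success":
        findings.append(f"ISSU check result is {check.get('Check Result')!r}")
    for key in PINNED:
        if check.get(key) != approved.get(key):
            findings.append(
                f"{key}: checked {check.get(key)!r}, approved {approved.get(key)!r}")
        if report.get(key) != check.get(key):
            findings.append(
                f"{key}: report shows {report.get(key)!r}, check showed {check.get(key)!r}")
    # Table 3-62 lists success, user abort and rollback as upgrade results.
    if report.get("Upgrade result") != "success":
        findings.append(f"upgrade result is {report.get('Upgrade result')!r}")
    if report.get("Upgrade abort time", "--") != "--":
        findings.append("report records an abort time, so a rollback was performed")
    return findings
```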

3.9.5 display issu rollback-timer


Function
The display issu rollback-timer command displays the remaining time of the ISSU rollback
timer.

Format
display issu rollback-timer

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

If the issu start [ rollback-timer [ time ] ] system-file [ patch patch-name ] command sets the
ISSU rollback timer value, you can use the display issu rollback-timer command to view the
remaining time of the ISSU rollback timer.

Prerequisites

The rollback-timer parameter has been specified in the issu start [ rollback-timer [ time ] ]
system-file [ patch patch-name ] command in ISSU start phase.

Example
# Display the remaining time of the ISSU rollback timer during ISSU.
<HUAWEI> display issu rollback-timer
-----------------------------------------
Timer Timeleft(min)
-----------------------------------------
rollback 50
-----------------------------------------

Table 3-63 Description of the display issu rollback-timer command output


Item | Description
Timer | Timer name.
Timeleft(min) | Remaining time of the timer, in minutes.

3.9.6 display issu state

Function
The display issu state command displays the ISSU phase.

Format
display issu state

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
You can use the display issu state command to check which ISSU phase the system enters,
which can be ISSU check, ISSU start, or ISSU confirm.

Example
# Display the ISSU phase.
<HUAWEI> display issu state
--------------------------------------------------------------------------------
Phase State Progress
--------------------------------------------------------------------------------
1.issu check : finished 100%
2.issu start : processing 90%
3.issu confirm : - 0%
--------------------------------------------------------------------------------

Table 3-64 Description of the display issu state command output


Item Description

Phase      ISSU phase:
           • 1. issu check: phase of checking the ISSU upgrade.
           • 2. issu start: phase of starting the ISSU upgrade.
           • 3. issu confirm: phase of confirming the upgrade.

State      ISSU state:
           • processing: The phase is being processed.
           • finished: The phase has finished.
           • -: The phase has not begun.

Progress Progress of the phase.


3.9.7 issu abort


Function
The issu abort command aborts ISSU.

Format
issu abort

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
While the ISSU is in progress, you can run the issu abort command to abort the ISSU if
necessary, but only after the ISSU start phase is over (run the display issu state command to
check that issu start is finished). The system then restarts and rolls back to the previous
software version.
Prerequisites
The rollback-timer parameter has been specified in the issu start command in the ISSU start
phase.

Example
# Abort ISSU.
<HUAWEI> issu abort
Warning: The upgrade operation will be aborted, and the system will reboot to old
version. Continue?

Please select [Y/N]:y

3.9.8 issu check


Function
The issu check command configures the system to perform ISSU check.

Format
issu check system-file [ patch patch-name ]


Parameters
Parameter          Description                                                             Value
system-file        Specifies the path for storing the system upgrade file and file name.   The value is a string of 4 to 127 case-sensitive characters without spaces. The default directory is flash:/.

patch patch-name   Specifies the path for storing the patch file and file name.            The value is a string of 5 to 63 case-sensitive characters without spaces. The default directory is flash:/.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Before performing ISSU, you need to check whether the system meets ISSU requirements
using the issu check command. ISSU check includes checking the system running
environment, new version integrity and validity, hardware compatibility, and software
compatibility.
Prerequisites
The system software to be upgraded has been uploaded to all stack member switches.
Follow-up Procedure
If no error information is displayed in the output of the issu check command, the check has
succeeded. You can also run the display issu check-result command to view the ISSU check
result.

Example
# Perform ISSU check.
<HUAWEI> issu check CE6800-V100R006C00SPC600.cc

3.9.9 issu confirm


Function
The issu confirm command configures the system to confirm the upgrade result.

Format
issu confirm


Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

When you run the issu start command and specify the rollback-timer parameter to start
ISSU, you need to run the issu confirm command to confirm ISSU before the rollback timer
expires or run the issu abort command to abort ISSU to enable the system to roll back to the
old version.

Prerequisites

The issu confirm command can be run to confirm the upgrade result only when the rollback-
timer parameter is specified in the issu start command.

Configuration Impact

After the issu confirm command is executed, the new system software is specified as the
software for the next startup. The ISSU is complete.

Example
# Confirm the upgrade result.
<HUAWEI> issu confirm

3.9.10 issu group

Function
The issu group command adds a device to a specified group in an ISSU upgrade.

The issu group reset command restores the default device group.

Format
issu group group-id add slot slot-id

issu group reset


Parameters
Parameter      Description                                             Value
group-id       Specifies the ID of a group that a device belongs to.   The value is an integer that ranges from 1 to 65535.
slot slot-id   Specifies the ID of a device.                           The value is an integer. You can enter ? to select a value as prompted.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
During an ISSU upgrade of an SVF system, the system groups leaf switches and upgrades the
leaf switches in ascending order of their group IDs.
By default, the system adds a device to a default group. You can manually add a device to a
different group to change the sequence in which devices are restarted. Upstream and
downstream devices then connect to devices in different groups, reducing the service
interruption time.
You can run the display issu group command to check which group the current device
belongs to.
Precautions
Only leaf switches in an SVF system can be added to a specified group. Slave switches in a
stack cannot.

Example
# Add the device with leaf ID 104 to group 2.
<HUAWEI> issu group 2 add slot 104

3.9.11 issu reset rollback-timer


Function
The issu reset rollback-timer command resets the ISSU rollback timer value in an ISSU
upgrade.
By default, the ISSU rollback timer is reset to 120 minutes.

Format
issu reset rollback-timer [ time | limitless ]


Parameters

Parameter   Description                                  Value

time        Specifies the ISSU rollback timer value.     The value is an integer that ranges from 1 to 2880, in minutes.

limitless   Sets the ISSU rollback timer to limitless.   -

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

After the system enters the ISSU start phase, the ISSU rollback timer is automatically
activated. If the ISSU rollback timer expires before the ISSU confirm phase, the system rolls
back to the old version. You can reset the ISSU rollback timer value according to service
requirements.

Prerequisites

The rollback-timer parameter has been specified in the issu start command.

Precautions

If you use the issu reset rollback-timer command to reset the ISSU rollback timer value, the
new configuration takes effect immediately and the old configuration becomes invalid.

Example
# Reset the ISSU rollback timer to 100 minutes.
<HUAWEI> issu reset rollback-timer 100

3.9.12 issu start

Function
The issu start command starts ISSU.

Format
issu start [ rollback-timer [ time ] ] system-file [ patch patch-name ]


Parameters

Parameter          Description   Value

rollback-timer     Specifies the ISSU rollback timer.   -

time               Specifies the ISSU rollback timer value. If rollback-timer is specified but time is not specified, the default value of the rollback timer is used.   The value is an integer that ranges from 0 to 2880, in minutes. The default value is 120 minutes. 0 indicates that the time of the ISSU rollback timer is infinite.

system-file        Specifies the path for storing the system upgrade file and file name.   The value is a string of 4 to 127 case-sensitive characters without spaces. The default directory is flash:/.

patch patch-name   Specifies the path for storing the patch file and file name.   The value is a string of 5 to 63 case-sensitive characters without spaces. The default directory is flash:/.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

After you run the issu start command to start ISSU, the system enters the ISSU start phase.
All stack member switches upgrade from the old version to new version.

Precautions

When you run the issu start command without specifying the rollback-timer parameter to
start ISSU, the system confirms ISSU after the ISSU start phase ends. In this situation, you do
not need to run the issu confirm command to confirm ISSU. If you specify the rollback-
timer parameter, you need to run the issu confirm command before the rollback timer expires
or run the issu abort command to abort ISSU to enable the system to roll back to the old
version.

Example
# Start ISSU and set the ISSU rollback timer to 120 minutes.
<HUAWEI> issu start rollback-timer 120 CE6800-V100R003C00.cc
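
The ISSU commands in this section depend on one another: issu abort is only valid once the start phase has finished, and the rollback timer keeps running until issu confirm. The following is an added example, not part of the vendor documentation, that parses captured display issu state and display issu rollback-timer output and maps it to the operator's next step. The sample text is constructed in the layout shown above; the step labels and the 15-minute margin are assumptions of this example.

```python
import re

# Constructed samples in the layout of the command output shown above.
ISSU_STATE = """\
--------------------------------------------------------------------------------
Phase                 State            Progress
--------------------------------------------------------------------------------
1.issu check        : finished         100%
2.issu start        : processing       90%
3.issu confirm      : -                0%
--------------------------------------------------------------------------------
"""

ROLLBACK_TIMER = """\
-----------------------------------------
Timer          Timeleft(min)
-----------------------------------------
rollback       50
-----------------------------------------
"""

PHASE_RE = re.compile(
    r"^\s*\d+\.\s*issu\s+(check|start|confirm)\s*:\s*(\S+)\s+(\d+)%\s*$")
TIMER_RE = re.compile(r"^\s*rollback\s+(\d+)\s*$")
STATES = {"processing", "finished", "-"}  # the three states the table documents


def parse_issu_state(text):
    """Return {phase: (state, progress_percent)} for the three ISSU phases."""
    phases = {}
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if not m:
            continue
        name, state, progress = m.group(1), m.group(2), int(m.group(3))
        if state not in STATES:
            raise ValueError(f"unexpected state {state!r} for issu {name}")
        phases[name] = (state, progress)
    missing = {"check", "start", "confirm"} - phases.keys()
    if missing:
        raise ValueError(f"phases missing from output: {sorted(missing)}")
    return phases


def parse_rollback_timer(text):
    """Return the minutes left on the rollback timer, or None if no row is shown."""
    for line in text.splitlines():
        m = TIMER_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def next_step(state_text, timer_text, margin_min=15):
    """Map the two outputs to a next step (labels are this example's own)."""
    phases = parse_issu_state(state_text)
    left = parse_rollback_timer(timer_text)
    low = left is not None and left < margin_min
    if phases["confirm"][0] == "finished":
        return "complete"
    if phases["check"][0] != "finished":
        return "wait: issu check not finished"
    if phases["start"][0] != "finished":
        # issu abort is not yet valid here, but the timer is already running,
        # so the only way to avoid an automatic rollback is to extend it.
        return "issu reset rollback-timer" if low else "wait: issu start in progress"
    if left is None:
        return "verify services; no rollback timer row shown"
    if low:
        return "decide now: issu confirm or issu abort"
    return "verify services, then issu confirm or issu abort"


if __name__ == "__main__":
    print(next_step(ISSU_STATE, ROLLBACK_TIMER))
```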


3.10 Upgrade Commands

3.10.1 display license


Function
The display license command displays information about the license file in the system.

Format
display license [ verbose ]
display license [ verbose ] slot slot-id

Parameters
Parameter      Description                                                             Value
verbose        Displays detailed information about the current active license file.   -

slot slot-id   Specifies a stacked device.                                             The value is an integer, and the value range depends on the device configuration.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
A license file dynamically controls the availability of some features. Only one license file is
active in the system. Run this command to view detailed information about the active license
in the system, including license file name, version, validity period, and control item.

NOTE

The encoding format used to display license information in the current version is GBK. To prevent
garbled characters when you use a different terminal to log in to the device and Chinese characters are
displayed, change the terminal's encoding format to GBK.
For example, if you use the PuTTY tool as the terminal, set its encoding format to Use font encoding,
and the operating system's default encoding format must be GBK. After the encoding format is set to
GBK, Chinese information about the license can be correctly displayed.

Example
# Display information about the active license file of the device.
<HUAWEI> display license
MainBoard:
Active License : flash:/CloudEngine7800.dat
License state : Demo
Revoke ticket : No ticket

RD of Huawei Technologies Co., Ltd.

Product name : CloudEngine 7800


Product version : V100R006
License Serial No : LIC201411261KSH50
Creator : Huawei Technologies Co., Ltd.
Created Time : 2014-11-26 09:09:51
Feature name : CELIC
Authorize type : demo
Expired date : 2015-02-20
Trial days : -

Item name Item type Value Description


-------------------------------------------------------------
CE-LIC-VXLAN Function YES CE-LIC-VXLAN

License state: Demo. The license for the current configuration will expire in 86
day(s).
Apply for authentic license before the current license expires.

Table 3-65 Description of the display license command output


Item                  Description

MainBoard             Information about the license file on the master switch.

Active License        Name and path of the active license file.

License state         Status of a license file:
                      • Normal
                        This state value indicates that a license file is working properly. If the status of
                        the license file on the live network is not Normal, check the license file.
                      • Trial
                        – If the device ESN changes, a normal license file enters the Trial state and
                          can be used only for 60 days.
                          To continue to use a license file after the Trial state, apply for a new
                          license file matching the new ESN and activate it.
                        – A license file expires and enters the Trial state.
                          To continue to use a license file after the Trial state, apply for a new
                          license file and activate it.
                        – A license file is revoked and enters the Trial state.
                          To continue to use a license file after the Trial state, apply for a new
                          license file based on the revocation code and activate it.
                      • Demo
                        When you activate a temporary license file, it enters the Demo state. The Demo
                        state exists only for a demo license file used for test and deployment.
                        A license file in Demo state allows you to use normal functions within a
                        specified period. Before the expiration of the license file in Demo state, replace it
                        with a commercial license file.
                      • Default
                        After a license file expires, the functions controlled by the license become invalid
                        (restored to the status before the license is activated).
                        If you want to use services after a license file expires, apply for a new license file
                        and activate it.

Revoke ticket         License revocation code.

RD of Huawei Technologies Co., Ltd.   Name of the customer.

Product name          Name of the product that runs the license.

Product version       Product version of the license file.
                      NOTE
                      After the device is upgraded, the license file is automatically compatible with the
                      new version. Therefore, Product version may be different from the version number
                      of the system software.

License Serial No     Serial number of license file.

Creator               Creator of the file.

Created Time          Time when the file was created.

Feature name          Feature name.

Authorize type        Authorization type.
                      • demo: trial authorization.
                      • comm: commercial authorization.

Expired date          License expiration date. PERMANENT indicates that the license is permanently valid.

Trial days            Trial period.

Item name             Name of a control item.

Item type             Type of a control item.
                      • Function
                      • Resource

Value                 License function item. For a functional license, this item is displayed as YES,
                      indicating the license function item is enabled. For a resource license, the value of
                      this item indicates the supported control item specifications.

Description           Description of a control item.

3.10.2 display license revoke-ticket


Function
The display license revoke-ticket command displays the revocation code of the current
license file of the device.


Format
display license revoke-ticket [ slot slot-id ]

Parameters

Parameter      Description                   Value

slot slot-id   Specifies a stacked device.   The value is an integer, and the value range depends on the device configuration.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario

The display license revoke-ticket command enables you to check the revocation code of a
license file that has become invalid on the device. This code proves that the current license
file is invalid and is used to apply for a new license.

Precautions

This command displays information only when the license file in the current device system is
invalid.

Example
# Display the revocation code of the current invalid license file.
<HUAWEI> display license revoke-ticket
MainBoard:
Info: The revoke ticket is:
LIC20121103006100:27C1B773ED11D9F877855CDAEE74ABFE60E07126.

3.10.3 display license state

Function
The display license state command displays the license status on the device.

Format
display license state [ trial ]

display license state slot slot-id


Parameters
Parameter      Description   Value
trial          Displays the number of days before a license in Trial state expires. If the current license is not in Trial state, the system displays no information when this parameter is configured.   -

slot slot-id   Specifies a stacked device.   The value is an integer, and the value range depends on the device configuration.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
To check the status of the running license, run this command. The command displays the
status of the license and the number of days before the license in this status will expire.
The system supports the following license states:
• Normal: normal license
• Demo: demonstration license
• Trial: trial license
• Default: default license
This command helps you locate license problems and verify the license status on the device.

Example
# Display the status of the license on the device.
<HUAWEI> display license state
MainBoard:
Info: Current license state is Demo. The license for the current configuration
will expire in 22 day(s).

# Display the number of days before a license in Trial state expires.


<HUAWEI> display license state trial
Info: Current license state is Trial. The trial days remains 59 day(s).
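
The license states above translate directly into a monitoring rule: Normal is healthy, Demo and Trial are time-limited, and Default means the license-controlled functions are no longer valid. The following is an added example, not part of the vendor documentation, that parses captured display license or display license state output, including the terminal line wrap in the expiry message. The sample text is constructed in the layout shown above; the severity labels and the 30-day threshold are assumptions of this example.

```python
import re

# Constructed sample in the layout of the display license output shown above.
DISPLAY_LICENSE = """\
MainBoard:
 Active License    : flash:/CloudEngine7800.dat
 License state     : Demo
 Revoke ticket     : No ticket

 RD of Huawei Technologies Co., Ltd.

 Product name      : CloudEngine 7800
 Product version   : V100R006
 Authorize type    : demo
 Expired date      : 2015-02-20
 Trial days        : -

 Item name         Item type   Value   Description
 -------------------------------------------------------------
 CE-LIC-VXLAN      Function    YES     CE-LIC-VXLAN

 License state: Demo. The license for the current configuration will expire in 86
 day(s).
 Apply for authentic license before the current license expires.
"""

# Constructed sample in the layout of the display license state trial output.
STATE_TRIAL = "Info: Current license state is Trial. The trial days remains 59 day(s)."

FIELD_RE = re.compile(r"^\s*(\S.*?)\s+:\s+(.*\S)\s*$")      # "Key   : value" lines
STATE_RE = re.compile(r"[Ll]icense state(?: is|:) (\w+)")   # summary sentences
DAYS_RE = re.compile(r"(?:expire in|trial days remains) (\d+) day\(s\)")


def parse_items(lines):
    """Return control items as (name, type, value, description) tuples."""
    items, in_table = [], False
    for line in lines:
        s = line.strip()
        if s.startswith("Item name"):
            in_table = True
        elif in_table and s and not set(s) <= {"-"}:
            cols = s.split(None, 3)
            if len(cols) < 4:
                break
            items.append(tuple(cols))
        elif in_table and not s and items:
            break                      # blank line after the last row ends the table
    return items


def audit_license(text, warn_days=30):
    """Classify the license state shown in the captured output."""
    lines = text.splitlines()
    fields = dict(m.groups() for m in map(FIELD_RE.match, lines) if m)
    flat = " ".join(text.split())      # undo the terminal's line wrapping
    m = STATE_RE.search(flat)
    state = fields.get("License state") or (m.group(1) if m else None)
    d = DAYS_RE.search(flat)
    days = int(d.group(1)) if d else None
    if state == "Normal":
        severity = "ok"
    elif state in ("Demo", "Trial"):   # time-limited states
        severity = "critical" if days is not None and days <= warn_days else "warning"
    elif state == "Default":           # license-controlled functions are invalid
        severity = "critical"
    else:
        severity = "unknown"
    return {
        "state": state,
        "days_left": days,
        "severity": severity,
        "revoked": fields.get("Revoke ticket", "No ticket") != "No ticket",
        "items": parse_items(lines),
    }


if __name__ == "__main__":
    print(audit_license(DISPLAY_LICENSE))
    print(audit_license(STATE_TRIAL, warn_days=60))
```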


3.10.4 display paf


Function
The display paf command displays information about the product adaptive file (PAF) in the
system.

Format
display paf [ verbose ]

Parameters

Parameter   Description                                   Value

verbose     Displays details about the system PAF file.   -

Views
All views

Default Level
3: Management level

Usage Guidelines
A PAF file provides only required resources and features. This command can display all the
specification information about the PAF file.

Example
# View details about the PAF file.
<HUAWEI> display paf verbose
SPEC_FUNC_RAAS_ENABLED
Value : 0
Default value: 0
Min value : 0
Max value : 1
Description : Raas funcation switch(1: enable, 0: disable)

SPEC_FUNC_LVRM_LRSPEC
Value : 0
Default value: 0
Min value : 0
Max value : 1
Description : Logic system funcationswitch(1: enable, 0: disable)

SPEC_FUNC_LVRM_VSSPEC
Value : 1
Default value: 1
Min value : 0
Max value : 1
Description : Virtual system funcationswitch(1: enable, 0: disable)

Table 3-66 Description of the display paf verbose command output


Item            Description

Value           Specification items in the PAF file, for example:
                • SPEC_FUNC_RAAS_ENABLED: Whether the RAAS function is enabled.
                  – 0: disabled
                  – 1: enabled
                • SPEC_RES_LVRM_LRSPEC: 8 logic systems.

Default value   Default specifications in the PAF file.

Min value       Minimum specifications in the PAF file.

Max value       Maximum specifications in the PAF file.

Description     Definition in the PAF file.

3.10.5 display patch-information


Function
The display patch-information command displays information about the patch in the current
system.

Format
display patch-information [ verbose | history ]

Parameters
Parameter Description Value
verbose Displays detailed information about the patch. -

history Displays historical information about the patch in the current system. -

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
Usage Scenario

After a patch is loaded or deleted, run this command to view information about the patch,
including its version, name, and status.

Precautions

If the system has no patch loaded, the patch version, name, and status displayed by this
command are "-".

Example
# Display detailed information about the patch in the current system.
<HUAWEI> display patch-information verbose
Patch Package Name :flash:/PATCH.PAT
Patch Package Version :V100R006SPH001
Patch Package State :Running
Patch Package Run Time:2014-11-14 14:02:43

****************************************************************************
* Information about patch errors is as follows: *
****************************************************************************
SlotId CurrentVersion
----------------------------------------------------------------------------
No patch error occurs on any board

Board Info :
----------------------------------------------------------------------------------
------------
SlotId ProcId State PatchType Valid PatchEffectiveTime
PatchFileName
----------------------------------------------------------------------------------
------------
1 1049 Running C YES 2014-11-14 14:02:09.297
HP000012.pat
1 1049 Running C YES 2014-11-14 14:02:09.308
HP000028.pat
----------------------------------------------------------------------------------
------------
Total = 2

Table 3-67 Description of the display patch-information verbose command output

Item                     Description

Patch Package Name       Name of the patch.

Patch Package Version    Version of the patch.

Patch Package State      Status of the patch.

Patch Package Run Time   Running time of the patch.

Board Info               Information about the device with the patch loaded.

SlotId                   ID of the device with the patch loaded.

ProcId                   ID of a patch process.

State                    Running status of the patch.
                         • Idle: none.
                         • Deactive: The patch is inactive.
                         • Active: The patch is active.
                         • Running: The patch is running.

PatchType                Patch type.

Valid                    Indicates whether the patch is valid.

PatchEffectiveTime       Patch effective time.

PatchFileName            Patch name.
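
For patch compliance checks, the Board Info table is the part worth parsing, and its rows wrap: the patch file name lands on the line after the rest of the row. The following is an added example, not part of the vendor documentation, that parses captured display patch-information verbose output and reports units that are not in the expected state. The sample is constructed from the layout above with one unit changed to Deactive; treating Running and YES as the expected values is this example's policy assumption.

```python
import re

# Constructed sample: the layout of the output shown above, with the second
# patch unit changed to Deactive so that the audit has something to report.
PATCH_INFO = """\
Patch Package Name    :flash:/PATCH.PAT
Patch Package Version :V100R006SPH001
Patch Package State   :Running
Patch Package Run Time:2014-11-14 14:02:43

Board Info     :
--------------------------------------------------------------------
SlotId  ProcId  State     PatchType  Valid  PatchEffectiveTime
PatchFileName
--------------------------------------------------------------------
1       1049    Running   C          YES    2014-11-14 14:02:09.297
HP000012.pat
1       1049    Deactive  C          YES    2014-11-14 14:02:09.308
HP000028.pat
--------------------------------------------------------------------
Total = 2
"""

# Constructed sample for the documented case where no patch is loaded.
NO_PATCH = """\
Patch Package Name    :-
Patch Package Version :-
Patch Package State   :-
"""

HEADER_RE = re.compile(r"^\s*(Patch Package [A-Za-z ]+?)\s*:\s*(.*?)\s*$")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+"
                    r"(\d{4}-\d\d-\d\d\s+[\d:.]+)(?:\s+(\S+))?\s*$")
TOTAL_RE = re.compile(r"^\s*Total\s*=\s*(\d+)\s*$")


def parse_patch_info(text):
    """Return (header fields, patch-unit rows, Total value or None)."""
    header, rows, total = {}, [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := HEADER_RE.match(line):
            header[m.group(1)] = m.group(2)
        elif m := TOTAL_RE.match(line):
            total = int(m.group(1))
        elif m := ROW_RE.match(line):
            slot, proc, state, ptype, valid, when, fname = m.groups()
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if (fname is None and nxt and not nxt.startswith("-")
                    and not ROW_RE.match(nxt) and not TOTAL_RE.match(nxt)):
                fname, i = nxt, i + 1   # file name wrapped onto its own line
            rows.append({"slot": int(slot), "proc": int(proc), "state": state,
                         "type": ptype, "valid": valid, "time": when,
                         "file": fname})
        i += 1
    return header, rows, total


def audit_patches(text, expected_state="Running"):
    """Return a list of findings; an empty list means nothing to report."""
    header, rows, total = parse_patch_info(text)
    if header.get("Patch Package Name", "-") == "-":
        return ["no patch loaded"]      # the command prints "-" in this case
    findings = []
    pkg_state = header.get("Patch Package State")
    if pkg_state != expected_state:
        findings.append(f"package state is {pkg_state}")
    if total is not None and total != len(rows):
        # A mismatch usually means the capture was truncated or paged.
        findings.append(f"parsed {len(rows)} rows but Total = {total}")
    for r in rows:
        if r["state"] != expected_state or r["valid"] != "YES":
            findings.append(f"slot {r['slot']} {r['file']}: "
                            f"state={r['state']} valid={r['valid']}")
    return findings


if __name__ == "__main__":
    for finding in audit_patches(PATCH_INFO):
        print(finding)
```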

3.10.6 display upgrade rollback-timer

Function
The display upgrade rollback-timer command displays the status of the rollback function in
the current version.

Format
display upgrade rollback-timer

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
If an error occurs during an upgrade (for example, the new startup files are damaged), cancel
the current upgrade and restore the previous version used before the upgrade.
To check whether the version rollback function is enabled, run this command.

Example
# Display the status of the rollback function in the current version (the version rollback
function is enabled).
<HUAWEI> display upgrade rollback-timer
Info:The state of upgrade rollback is enable. Limit time is 10 minutes.

# Display the status of the rollback function in the current version (the version rollback
function is disabled).
<HUAWEI> display upgrade rollback-timer
Info:The state of upgrade rollback is disable.

3.10.7 license

Function
The license command creates a license view and enters the view.

NOTE

The CE6850EI, CE6810EI, CE6810LI, CE5855EI, CE5850HI, CE5850EI and CE5810EI do not support this
command.

Format
license

Parameters
None

Views
System view

Level
3: Management level

Task Name and Operations

Task Name Operations


license execute

Usage Guidelines
To create and enter a license view, run the license command.

Example
# Create and enter a license view.
<HUAWEI> system-view
[~HUAWEI] license
[~HUAWEI-license]


3.10.8 license active


Function
The license active command activates the license file saved in the storage of the device.

Format
license active file-name

Parameters
Parameter   Description                             Value

file-name   Specifies the name of a license file.   The name of a license file must already exist.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
Change or upgrade the license file when the current license file is outdated or needs higher
specifications and more features. The initial state of a license file is inactive and the license
file does not take effect in the system. Run this command to activate the new or updated
license file.
The license active command can be used to activate a license file in the following situations:
• The license needs to be activated for the first time.
  You can directly run this command to activate a license.
• The current license file needs to be updated.
  If the specifications of the new license file are lower than those of the current license
  file, the system displays a message asking you whether to continue. If you choose No,
  the system retains the current license file. If you choose Yes, the device activates the
  current license file and the system uses the new license file.
  If the configuration items of the new license file are lower than those of the current
  license file, check whether the configuration items required by services exist in the new
  license file. If not, apply for a correct license file and activate it. Otherwise, services may
  be interrupted due to lack of dependent license configuration items after the device is
  restarted.

Prerequisites

The new license file has been uploaded to the device.

Precautions

• The license file must use .dat or .zip as file name extension and be saved to the default
  root directory in the storage of the device.
• In a stack with multiple switches, if a license file is applied for each stack member, you
  need to compress multiple .dat license files into a .zip file, upload the .zip file to the
  stack master, and then load the file.
• Before activating a license file, you can run the license verify command to verify the
  license file.

Example
# Activate license.dat in the storage of the device.
<HUAWEI> license active license.dat
Now activing the license.................................done.
MainBoard:
Info: Succeeded in activating the license file on the board.

3.10.9 license backup

Function
The license backup command backs up license information in the license partition to the
specified file.

NOTE

The CE5800 series switches (excluding CE5880EI) do not support this command.

Format
license backup flash file-name

Parameters
Parameter   Description   Value

flash       Backs up license information in the license partition in specified files.   -

file-name   Specifies the name of the backup file.   The value is a string of 1 to 127 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

Views
User view

Default Level
3: Management level

Usage Guidelines
To check whether the activated license is the same as the loaded license, run the license
backup flash command to back up the activated license in specified files and then compare it
with the loaded license file. The license file can be opened in text mode.

After you run this command, the system backs up two files using the file name
extensions .master.zip and .slave.zip, and saves the files to the root directory on the default
storage of the device. The backup license file in the primary license partition uses the file
name extension .master.zip, and that in the secondary license partition uses the file name
extension .slave.zip.

Example
# Back up license information in the license partition to the files huawei.master.zip and
huawei.slave.zip.
<HUAWEI> license backup flash huawei
Info: Succeeded in backing up the license file to huawei.master.zip and
huawei.slave.zip.

3.10.10 license delete

Function
The license delete command deletes a license file in the $_license directory.

Format
license delete file-name


Parameters

Parameter   Description                                           Value

file-name   Specifies the name of a license file to be deleted.   The value is a string of 1 to 127 case-sensitive characters without spaces.

Views
User view

Default Level
3: Management level

Usage Guidelines
After you run the license active command to activate a license file, the system backs up the
license file in the $_license directory. After you upgrade the license file, the expired license
file in $_license still exists and occupies system resources. To delete redundant license files in
$_license, run the license delete command.

To view files in $_license, run the dir command.


<HUAWEI> cd $_license
<HUAWEI> dir
Directory of flash:/$_license/

Idx Attr Size(Byte) Date Time FileName


0 -r-- 1,710 Nov 04 2014 11:50:57 LICENSE.dat

3,480,880 KB total (2,307,848 KB free)

Example
# Delete the license file license.dat in $_license.
<HUAWEI> license delete license.dat
Warning: The file license.dat cannot be recycled. Continue? [Y/N]:y

3.10.11 license export

Function
The license export command stores a license file which is activated in the current system in
the root directory of a storage device.

By default, an activated license file is not stored in the root directory.

Format
license export file-name


Parameters
Parameter   Description                                                               Value
file-name   Specifies the name of the license file to be saved to the root directory.   The value is a string of 5 to 127 case-sensitive characters without spaces. The extension of a file is ".zip".

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
You can run this command to save the license file to the root directory on the storage of the
device.
Precautions
The saved license file must use .zip as the file name extension.

Example
# Save the license file to the root directory on the storage of the device.
<HUAWEI> license export license.zip
Info: Succeeded in exporting the license file to license.zip.

3.10.12 license revoke


Function
The license revoke command revokes a license file.

Format
license revoke [ slot slot-id ]

Parameters
Parameter      Description                   Value
slot slot-id   Specifies a stacked device.   The value is an integer, and the value range depends on the device configuration.

Views
User view


Default Level
3: Management level

Usage Guidelines
Usage Scenario

You can upgrade a license file to:

• Add new features.
• Optimize device performance.
• Fix bugs in the current version.

Before updating a license file, run the license revoke command to revoke the existing license.
The system then returns a license revocation code. This code is the evidence for license
invalidation and is used to apply for a new license.

NOTE

A license revocation code is a character string generated after a license file becomes invalid. You can
determine that a license file is invalid based on the corresponding revocation code.

Precautions

After you run the license revoke command, the license file enters the Trial state and cannot be activated again, regardless of how much time remains before the license file expires. A license file in the Trial state can be used for only 60 days. After the license file in the Trial state expires, the features controlled by the license that have already been delivered successfully remain valid. These features can be deleted but cannot be added. To add functions controlled by the license, re-apply for a license file and activate it.

Please apply for a new license and activate it before the original license expires so that
services are not affected.

Example
# Revoke the current license file.
<HUAWEI> license revoke
Warning: The license will switch to trial state. Continue? [Y/N]:y
MainBoard:
Info: Succeeded in revoking the license. The revoke ticket is
LIC201411261KSC50:87CE09A70A7401C7D0E1853B7931E3FA755AC88D.

3.10.13 license verify

Function
The license verify command verifies the license file of the device.

Format
license verify file-name

Parameters
Parameter | Description | Value
file-name | Specifies the name of a license file. | The name of a license file must already exist.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

Before running the license active command to activate a license file, verify the license file.

The result of the license verify command can be one of the following:
• Major error
  The license file cannot be activated.
• Minor error
  The license file might fail to be activated.
• Success
  The license file can be activated.

Prerequisites

The license file has been saved on the device.

Example
# Verify the license file license.dat.
<HUAWEI> license verify license.dat
MainBoard:
Info: Verify license succeeded.

3.10.14 patch active all

Function
The patch active all command activates the patches on the current system.

By default, the loaded patches on the current system are inactive.

Format
patch active all

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

If you do not specify the active or run keyword when running the patch load command, run the patch active all command to activate all the loaded patches so that they take effect.

Prerequisites

Patches have been loaded using the patch load command.

Configuration Impact

• After a non-incremental patch is loaded and the patch active all command is run, the patches in the current system are activated.
• If an incremental patch is loaded and the previous patch package is running, the previous patch package is still in running state after you run the patch active all command. The new patch package is activated.

Follow-up Procedure

After running the patch active all command, use the patch run all command to run the
activated patch.

Precautions

After you run the patch active all command:
• If the device is restarted, all the active patches become inactive. To reactivate the patches, run the patch active all command.

Example
# Activate all patches.
<HUAWEI> patch active all

3.10.15 patch configuration-synchronize

Function
The patch configuration-synchronize command synchronizes the patch configuration and
patch file of the master switch to other member switches in a stack.

Format
patch configuration-synchronize

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
After you replace or add a member switch in a stack and start the new member switch, run
this command to synchronize the patch configuration and patch file from the master switch if
the patch file of the new member switch is incorrect.

Example
# Run the following commands on the new member switch to synchronize the patch
configurations and patch files to the new member switch.
<HUAWEI> patch configuration-synchronize

3.10.16 patch deactive all


Function
The patch deactive all command deactivates the patches on the current system.

Format
patch deactive all

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

If you find errors in some patches after using the patch active all command to activate the
loaded patches, run the patch deactive all command to deactivate patches on the current
system to prevent them from taking effect.
Prerequisites
Active patches exist on the current system.
Precautions
After the patch deactive all command is run, patches in the active state are deactivated.
The patch deactive all command makes patches on the current system ineffective. To make
the loaded patches take effect again, run the patch active all command.

Example
# Deactivate patches on the current system.
<HUAWEI> patch deactive all

3.10.17 patch delete


Function
The patch delete command deletes patches from the current system.

Format
patch delete all

Parameters
Parameter | Description | Value
all | Deletes all patches on all the boards. | -

Views
User view

Default Level
3: Management level

Task Name and Operations
Task Name | Operations
patch | write

Usage Guidelines
Usage Scenario

Before installing a non-incremental patch, you need to run the patch delete all command to
delete existing patches from the current system and then install a new patch package.
Configuration Impact
After the patch delete all command is run, patches on the system are deleted regardless of
their status.
Precautions
• The patch delete all command may affect the performance of the system. So, confirm the action before you use this command.
• When the patch delete all command is run to delete patches from the current system, the system prompts you whether to delete patches.
• After the patch delete all command is run to delete existing patches from the current system, the deleted patches cannot be restored. So, confirm the action before you use this command.

Example
# Delete all hot patches from the current system.
<HUAWEI> patch delete all
This will delete the patch. Are you sure? [Y/N]:y
Info: Operating, please wait for a moment....done.
Info:Succeeded in deleting the patch.

# Delete all cold patches from the current system.
<HUAWEI> patch delete all
This will delete the patch. Are you sure? [Y/N]:y
Info: Operating, please wait for a moment.......done.

****************************************************************************
* Warning: Perform the following operations to deal with the cold patch. *
****************************************************************************
----------------------------------------
Device Type Upgrade mode
----------------------------------------
10 MPU reset board
----------------------------------------
Info: Succeeded in deleting the patch.

3.10.18 patch load


Function
The patch load command loads a matching patch in the patch package to the current system.

Format
patch load file-name all [ active | run ]

Parameters
Parameter | Description | Value
file-name | Specifies the path name and name of the patch package. The path name is an absolute path name or a relative path name. | The value is a string of 5 to 127 case-sensitive characters without spaces. The value of the patch name is a string of 5 to 63 characters.
all | Loads all patches on all the boards. | -
active | Activates a patch after the patch is loaded. | -
run | Runs a patch after the patch is loaded. | -

Views
User view

Default Level
3: Management level

Task Name and Operations
Task Name | Operations
patch | execute

Usage Guidelines
Usage Scenario

Before loading a patch, the system resolves the patch package to check the validity of patch
files and obtain the attributes of patch files.

When loading a patch to the current system, the system searches the patch package for a matching patch file according to the attributes of the patch file.
• If a matching patch file is found in the patch package, the system loads the patch.
• If no matching patch file is found in the patch package, the system does not load the patch.

Prerequisites

The desired patch file has been uploaded to the master main control board of the device.

Configuration Impact

After the patch load command is run, the system loads all types of patches in the patch
package.
• If the parameter active is used in the patch load command, the system activates the patch file after loading it. Then, you can run the patch run all command to run the patch file.
• If the parameter run is used in the patch load command, the system runs the patch file after loading it.
Precautions
The device is reset before a cold patch takes effect.

Example
# Load and run the cold patch package on the current system.
<HUAWEI> patch load CE8800, CE7800,
CE6800, and CE5800 series switchesV200R005C10SPH403.PAT all run
Info: Operating, please wait for a moment...
****************************************************************************
* Warning: Perform the following operations to deal with the cold patch. *
****************************************************************************
----------------------------------------
Device Type Upgrade mode
----------------------------------------
11 MPU reset board
12 MPU reset board
----------------------------------------
Info: Succeeded in running the patch.

3.10.19 patch run all

Function
The patch run all command runs the patches on the current system.

Format
patch run all

Parameters
None

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When the device is restarted, the active patches become deactivated and need to be activated again. To keep the active patches in the running state after a device restart, use this command to run these active patches.
Prerequisites
Patches have been loaded and activated on the system.

Configuration Impact
After you run this command to run patches on the current system, the patches remain in the
running state if a device restart occurs.
After the patch run all command is run, the patches enter running state and cannot be
restored to the previous state. Confirm the action before you run the command.

Example
# Run active patches in the current system.
<HUAWEI> patch run all

3.10.20 reset patch-configure

Function
The reset patch-configure command deletes the configuration of the patch file for next
startup.

Format
reset patch-configure next-startup

Parameters
Parameter | Description | Value
next-startup | Deletes the configuration of the patch file for next startup. | -

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
After you run the startup patch command to specify the patch file for next startup, you can
use the reset patch-configure command to delete the configuration.
Precautions
If you run the reset patch-configure command, the patch file for next startup is empty. When
the device restarts, the system does not load and run the patch file.

Example
# Delete the configuration of the patch file for next startup.
<HUAWEI> reset patch-configure next-startup
Info: Succeeded in clearing startup the patch.

3.10.21 upgrade all

Function
The upgrade all command upgrades the system file.

Format
upgrade all { startup | filename } bios [ force ]

Parameters
Parameter | Description | Value
all | Indicates all the registered devices. | -
startup | Uses the running system software to upgrade the system. | -
filename | Specifies the name of the system file that is used to upgrade the system. | The name of the system file must already exist. The format is flash:/xxx.cc.
bios | Indicates the BIOS system. | -
force | Indicates forcible upgrade. | -

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario

To restart the system faster, you can run this command to upgrade the system file before the
restart.

Precautions

Services are interrupted during a device upgrade or logical software upgrade using this
command.

Example
# Forcibly upgrade the system using the current startup file.
<HUAWEI> upgrade all startup bios force
*********************************************************
* W A R N I N G *
* *
* Please ensure that the configuration has been saved. *
* And please ensure that the board does not be powered *
* off or be reseted during the upgrade operation. *
* Also ensure that any board of this device is not *
* removed (pull out or plug in) during this process. *
* *
* W A R N I N G *
*********************************************************
Confirm to upgrade.continue? [Y/N]:y

Loading slot:<1>
Info: Operating, please wait for a moment...
....................
Load BIOS Finish!
Upgrade result information:
------------------------------------------------------------
Slot Type Item LoadMode Result
------------------------------------------------------------
1 MPU BIOS online success
------------------------------------------------------------
done.

Table 3-68 Description of the upgrade all startup bios force command output
Item | Description
Slot | A device.
Type | Status of a device.
Item | Items to be upgraded.
LoadMode | Mode in which the upgrade file is loaded.
Result | Upgrade result.

3.10.22 upgrade slot startup

Function
The upgrade slot startup command upgrades the system file of a device.

Format
upgrade boardtype slot slotid { startup | filename } bios [ force ]

Parameters
Parameter | Description | Value
boardtype | Indicates all the registered devices. | The value is mpu, lpu.
slot slotid | Indicates a device. | The value is dependent on the specific device.
startup | Uses the running system software to upgrade the system. | -
filename | Specifies the name of the system file that is used to upgrade the system. | The name of the system file must already exist, in the format of flash:/xxx.cc.
bios | Indicates the BIOS system. | -
force | Indicates forcible upgrade. | -

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
When you find that the version of a device is different from the system software, run the
command to upgrade the device version.
Precautions
Services are interrupted during a device upgrade or logical software upgrade using this
command.

Example
# Forcibly upgrade the device by using the current bios software.
<HUAWEI> upgrade mpu slot 1 startup bios force
*********************************************************
* W A R N I N G *
* *
* Please ensure that the configuration has been saved. *
* And please ensure that the board does not be powered *
* off or be reseted during the upgrade operation. *
* Also ensure that any board of this device is not *
* removed (pull out or plug in) during this process. *
* *
* W A R N I N G *
*********************************************************
Confirm to upgrade.continue? [Y/N]:y

Loading slot:<1>
Info: Operating, please wait for a moment...
....................
Load BIOS Finish!
Upgrade result information:
------------------------------------------------------------
Slot Type Item LoadMode Result
------------------------------------------------------------
1 MPU BIOS online success
------------------------------------------------------------
done.

Table 3-69 Description of the upgrade mpu slot 1 startup bios force command output
Item | Description
Slot | A device.
Type | Type of a device.
Item | Items to be upgraded.
LoadMode | Mode in which the upgrade file is loaded.
Result | Upgrade result.

3.10.23 upgrade rollback

Function
The upgrade rollback command enables the system rollback function and sets the time the
system has to wait before rollback.
The undo upgrade rollback command disables the rollback function.
By default, the rollback function is disabled.

Format
upgrade rollback rollback-timer time-value
undo upgrade rollback

Parameters
Parameter | Description | Value
rollback-timer time-value | Specifies the value of the rollback timer. | The value is an integer that ranges from 10 to 360, in minutes.

Views
User view

Default Level
3: Management level

Usage Guidelines
Usage Scenario
If an error occurs during an upgrade (for example, the new startup files are damaged), cancel
the current upgrade and restore the previous version used before the upgrade.
After the version rollback function is enabled and the system package is restarted, the system
will perform a version rollback to roll back the system package and patch if no users
successfully log in to the device in a specified period of time.
After the version rollback function is disabled, the system version does not roll back regardless of whether any user is authenticated and logs in to the system within the specified period.
By default, the version rollback function is disabled. After each version rollback completes,
the version rollback function is disabled again.
Precautions
If any user successfully logs in to the device, the rollback timer is cancelled.
After you run this command, the current system resets the rollback timer.

Example
# Configure the rollback timer for the current system upgrade.
<HUAWEI> upgrade rollback rollback-timer 300
Info:The state of upgrade rollback is enable. Limit time is 300 minutes.
If no User cancels the function, the main MPU will restart by the bootfile flash:/software.cc.

# Disable the rollback function.
<HUAWEI> undo upgrade rollback

3.11 Open Source Software Declaration Information Checking Commands

3.11.1 display copyright


Function
The display copyright command displays declaration information of an open source
software.

Format
display copyright

Parameters
None.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can run the display copyright command to view declaration information of open source software.
The declaration information of open source software includes the following items:
• Warranty Disclaimer
• Copyright Notice
• Written Offer

Example
# Display declaration information of an open source software.

<HUAWEI> display copyright

OPEN SOURCE SOFTWARE NOTICE

This document contains open source software notice for the product. And this document is confidential information of copyright holder. Recipient shall protect it in due care and shall not disseminate it without permission.

Warranty Disclaimer

This document is provided "as is" without any warranty whatsoever, including the accuracy or comprehensiveness. Copyright holder of this document may change the contents of this document at any time without prior notice, and copyright holder disclaims any liability in relation to recipient's use of this document.
---- More ----

3.12 HTTP Configuration Commands

3.12.1 acl (Service-Restconf view)

Function
The acl command configures an HTTP access control list (ACL).

The undo acl command deletes an HTTP ACL.

By default, no HTTP ACL is configured.

Format
acl { acl-name | acl-number }

undo acl

Parameters
Parameter | Description | Value
acl-name | Specifies the name of an ACL. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. The value starts with a letter or digit but cannot contain only digits.
acl-number | Specifies an ACL number. | The value is an integer ranging from 2000 to 3999. ACLs numbered 2000 to 2999 are basic ACLs. ACLs numbered 3000 to 3999 are advanced ACLs.

Views
Service-Restconf view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
Usage Scenario
To configure an HTTP ACL, run the acl command. An ACL limits clients that access the
server, improving server security.
Prerequisites
Create an ACL of a specified type.
• To create a basic ACL, run the acl { name basic-acl-name { basic | [ number ] basic-acl-number } | [ number ] basic-acl-number } command.
• To create an advanced ACL, run the acl { name advance-acl-name [ advance ] | [ number ] advance-acl-number } command.
Precautions
If the ACL configured in this command has not been created in the system view, no client is
allowed to access the HTTP server.

Example
# Configure an HTTP ACL named policy1.
<HUAWEI> system-view
[~HUAWEI] acl policy1
[*HUAWEI-acl4-advance-policy1] quit
[*HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] acl policy1

# Configure an HTTP ACL numbered 2100.
<HUAWEI> system-view
[~HUAWEI] acl 2100
[*HUAWEI-acl4-basic-2100] quit
[*HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] acl 2100

3.12.2 idle-timeout (Service-Restconf view)


Function
The idle-timeout command sets a timeout period for an idle HTTP connection.
The undo idle-timeout command restores the default timeout period of an idle HTTP
connection.

By default, the timeout period of an idle HTTP connection is 20 minutes.

Format
idle-timeout minutes
undo idle-timeout

Parameters
Parameter | Description | Value
minutes | Specifies a timeout period for an idle HTTP connection. | The value is an integer ranging from 1 to 60, in minutes.

Views
Service-Restconf view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
Before a client transmits HTTP services, it logs in to an HTTP server and establishes a TCP
connection with the server. However, if the connection is torn down unexpectedly, the HTTP
server cannot detect the disconnection and still retains the connection, which wastes
resources. To resolve this problem, run the idle-timeout command to configure a timeout
period for an idle HTTP connection. If the client does not send any packet during the timeout
period, the HTTP server considers the connection invalid and tears down the TCP connection
with the client after the timeout period elapses.

Example
# Set the timeout period to 30 minutes for an idle HTTP connection.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] idle-timeout 30

3.12.3 secure-server enable


Function
The secure-server enable command enables the HTTPS listening function.

The undo secure-server enable command disables the HTTPS listening function.

By default, the HTTPS listening function is disabled.

Format
secure-server enable

undo secure-server enable

Parameters
None

Views
Service-Restconf view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
Usage Scenario

HTTP is an application-layer protocol that transports hypertext from WWW servers to local
browsers. HTTP uses the client/server model in which requests and replies are exchanged.

To enable the HTTPS listening service, run the secure-server enable command. HTTPS encrypts data before transmitting it, enhancing security.

Precautions

HTTPS is more secure than HTTP, so using HTTPS is recommended.

Currently, HTTPS listening supports only IPv4.

Example
# Enable the HTTPS listening function.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] secure-server enable

3.12.4 secure-server port


Function
The secure-server port command configures an HTTPS service listening port.
The undo secure-server port command restores the default HTTPS service listening port.
By default, HTTPS service listening uses port 443.

Format
secure-server port port-number
undo secure-server port

Parameters
Parameter | Description | Value
port-number | Specifies the number for an HTTPS service listening port. | The value can be 443 or an integer ranging from 1025 to 65535.

Views
Service-Restconf view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
• When the default HTTPS service listening port is being used, run the secure-server port command to configure an HTTPS service listening port so that the firewall can filter packets on this port. This enhances network security.
• Currently, the HTTPS service listening port supports only IPv4.
• A port number that is being used cannot be specified.

Example
# Configure port 1028 for HTTPS listening.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] secure-server port 1028

3.12.5 server enable

Function
The server enable command enables the HTTP listening service.

The undo server enable command disables the HTTP listening service.

By default, the HTTP listening function is disabled.

Format
server enable

undo server enable

Parameters
None

Views
Service-Restconf view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
HTTP is an application-layer protocol that transports hypertext from WWW servers to local
browsers. HTTP uses the client/server model in which requests and replies are exchanged.

To enable the HTTP listening service so that the HTTP server can identify the connection
requests from clients, run the server enable command.

Currently, the HTTP listening service supports only IPv4.

Example
# Enable the HTTP listening service.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] server enable

3.12.6 server port

Function
The server port command configures an HTTP service listening port.
The undo server port command restores the default HTTP service listening port.
By default, HTTP service listening uses port 80.

Format
server port port-number
undo server port

Parameters
Parameter | Description | Value
port-number | Specifies the number for an HTTP service listening port. | The value can be 80 or an integer ranging from 1025 to 65535.

Views
Service-Restconf view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
• When the default HTTP service listening port is being used, run the server port command to configure an HTTP service listening port so that the firewall can filter packets on this port. This enhances network security.
• Currently, the HTTP service listening port supports only IPv4.
• A port number that is being used cannot be specified.

Example
# Configure port 1028 for HTTP service listening.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] server port 1028

3.12.7 service restconf


Function
The service restconf command creates the Service-Restconf view and displays it, or displays
the Service-Restconf view that has been created.
The undo service restconf command deletes the Service-Restconf view and all
configurations in this view.
By default, the Service-Restconf view is not created.

Format
service restconf
undo service restconf

Parameters
None

Views
HTTP view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
Before you perform HTTP configurations, run the service restconf command to enter the
Service-Restconf view.

Example
# Display the Service-Restconf view.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf

3.12.8 ssl-policy (Service-Restconf view)


Function
The ssl-policy command configures an SSL policy for an HTTP server.

The undo ssl-policy command deletes the SSL policy on an HTTP server.

By default, no SSL policy is configured on an HTTP server.

Format
ssl-policy policy-name

undo ssl-policy

Parameters
Parameter | Description | Value
policy-name | Specifies the name of an SSL policy. | The value is a string of 1 to 23 case-insensitive characters, spaces not supported.

Views
Service-Restconf view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
Usage Scenario

Conventional HTTP does not have any security mechanism. It transmits data in plaintext and
does not verify the identities of communications parties. Therefore, data transmitted over
HTTP may be tampered with. In applications that require high security, such as e-commerce
and online banking, HTTP is inapplicable. To enhance security, run the ssl-policy command
to specify an SSL policy for an HTTP server.

Configuration Impact

HTTP security is enhanced with the SSL security mechanisms, such as data encryption,
identity verification, and message integrity check.

Prerequisites

The following configurations must be complete before you run the ssl-policy command:
1. An SSL policy has been created and the SSL policy view is displayed using the ssl policy policy-name command in the system view.
2. A digital certificate or certificate chain has been loaded using the certificate load command in the SSL policy view.
3. The HTTPS listening function has been enabled using the secure-server enable command in the Service-Restconf view.
Precautions
An HTTP server can only have one SSL policy configured. If the ssl-policy command is run
more than once, the latest configuration overrides the previous one.

Example
# Configure an SSL policy named policy1 for an HTTP server.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] secure-server enable
[*HUAWEI-http-service-restconf] ssl-policy policy1

3.12.9 ssl-verify peer (Service-Restconf view)

Function
The ssl-verify peer command configures an HTTP server to perform SSL verification on
HTTP clients.
The undo ssl-verify command disables an HTTP server from performing SSL verification on
HTTP clients.
By default, an HTTP server does not perform SSL verification on HTTP clients.

Format
ssl-verify peer
undo ssl-verify

Parameters
None

Views
Service-Restconf view

Default Level
2: Configuration level

Task Name and Operations
Task Name | Operations
https | write

Usage Guidelines
Usage Scenario
To prevent access by unauthorized HTTP clients, run the ssl-verify peer command to configure an HTTP server to perform SSL verification on HTTP clients. This configuration enhances security.
Precautions
If a client does not have a certificate loaded or has an incorrect certificate loaded, the
verification fails, and the server disconnects the client.

Example
# Configure an HTTP server to perform forcible SSL verification on HTTP clients.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] ssl-verify peer
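
The following check is an added example, not part of the Huawei manual: a Python script that audits a configuration text against the Service-Restconf commands described in section 3.12 (listeners, SSL policy, client verification, ACL, port and idle-timeout ranges). The indented layout of the configuration text, the top-level acl and ssl policy lines, the finding names, and both sample configurations are assumptions constructed for illustration.

```python
import re

# Constructed sample configurations (not from the manual). The indented layout
# and the top-level "acl number" / "ssl policy" lines are assumptions about how
# a saved configuration is rendered.
WEAK = """\
#
http
 service restconf
  server enable
  secure-server enable
  secure-server port 8443
  acl 2100
#
"""

HARDENED = """\
#
acl number 2100
#
ssl policy Policy1
#
http
 service restconf
  acl 2100
  idle-timeout 10
  secure-server enable
  secure-server port 1028
  ssl-policy policy1
  ssl-verify peer
#
"""

VALUE_CMDS = r"(acl|idle-timeout|ssl-policy|server port|secure-server port)\s+(\S+)"
FLAG_CMDS = {"server enable", "secure-server enable", "ssl-verify peer"}


def restconf_settings(config):
    """Collect the commands found under http > service restconf."""
    settings, in_http, view_indent = {}, False, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                       # a new top-level section starts
            in_http, view_indent = (text == "http"), None
        elif in_http and text == "service restconf":
            view_indent = indent
        elif view_indent is not None and indent > view_indent:
            match = re.fullmatch(VALUE_CMDS, text)
            if match:
                settings[match.group(1)] = match.group(2)
            elif text in FLAG_CMDS:
                settings[text] = True
        else:
            view_indent = None                # left the Service-Restconf view
    return settings


def _in_range(value, low, high):
    return value.isdecimal() and low <= int(value) <= high


def audit(config):
    """Return finding names (hypothetical labels) for the RESTCONF HTTP server."""
    s = restconf_settings(config)
    http_on, https_on = "server enable" in s, "secure-server enable" in s
    if not (http_on or https_on):
        return []                             # both listeners are off by default
    acls = set(re.findall(r"(?m)^acl\s+(?:name\s+|number\s+)?(\S+)", config))
    # SSL policy names are case-insensitive per the manual; ACL names are not.
    policies = {p.lower() for p in re.findall(r"(?m)^ssl policy\s+(\S+)", config)}
    findings = []
    if http_on:
        findings.append("plaintext-http-enabled")
    if https_on:
        policy = s.get("ssl-policy")
        if policy is None:
            findings.append("https-without-ssl-policy")
        elif policy.lower() not in policies:
            findings.append("ssl-policy-not-created")
        if "ssl-verify peer" not in s:
            findings.append("client-certificates-not-verified")
    acl = s.get("acl")
    if acl is None:
        findings.append("no-acl")
    elif acl not in acls:
        # Per the manual, an ACL that was never created blocks every client.
        findings.append("acl-not-created")
    for cmd, default in (("server port", 80), ("secure-server port", 443)):
        port = s.get(cmd)
        if port is not None and port != str(default) and not _in_range(port, 1025, 65535):
            findings.append("port-out-of-range")
    timeout = s.get("idle-timeout")
    if timeout is not None and not _in_range(timeout, 1, 60):
        findings.append("idle-timeout-out-of-range")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```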
