M14
V800R022C00SPC600
Upgrade Guide
Issue 01
Date 2022-10-31
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Email: support@huawei.com
Purpose
This document provides instructions on how to upgrade routers to V800R022C00SPC600.
This document applies to the upgrade from an earlier version to V800R022C00SPC600. For
details about the supported upgrade paths, see 1.1 Upgrade Notes for Versions.
Intended Audience
This document is intended for:
System maintenance engineers
Data configuration engineers
Network monitoring engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation which, if
not avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not
avoided, could result in death or serious injury.
Indicates a potentially hazardous situation which, if not
avoided, may result in minor or moderate injury.
Symbol Description
deterioration.
Change History
Issue Date Description
Contents
7 Troubleshooting
7.1 Boards or Fans Fail to Be Upgraded
7.1.1 Fault Symptom
7.1.2 Fault Analysis
7.1.3 Troubleshooting Procedure (Board Firmware EPLD Fault)
7.2 IPU Fails to Be Registered
7.2.1 Fault Symptom
7.2.2 Fault Analysis
7.2.3 Troubleshooting Procedure
7.3 System Software on the Device Is Incorrect or No System Software Exists
7.3.1 Fault Symptom
7.3.2 Fault Analysis
7.3.3 Troubleshooting Procedure
1.1.2 Upgrade Notes for the NetEngine 8000 M8 and PTN 6900-2-M8C Product
1. For information about how to upgrade the NetEngine 8000 M8 and PTN 6900-2-M8C
products, refer to the upgrade procedure in this document.
2. The following table lists the upgrade information about the NetEngine 8000 M8 and
PTN 6900-2-M8C products.
For detailed information about feature and command updates after an upgrade, see
V800R022C00SPC600 Delta Information.
1.4 Precautions
Contact Huawei technical personnel for assistance and support during the upgrade process.
Note the following changes to administrator rights, password, and login management:
Login through the console port
The non-authentication mode has been canceled. When you log in for the first time, you
must configure a password and keep it safe.
Telnet/SSH login
The non-authentication mode has been canceled. Specify AAA or password as the
authentication mode. If you do not specify an authentication mode, Telnet or SSH users
cannot log in.
Administrator password management
Simple authentication is no longer supported for newly configured local users in the
target version. If passwords in simple authentication have been set, they are retained after
an upgrade. Changing the passwords to ciphertext passwords is recommended.
Before you upgrade a version earlier than V800R010C10SPC100 to V800R022C00SPC600
or later, save the configuration file of the source version. If the upgrade fails, you can roll
back to the source version using the saved configuration file.
License version compatibility: To cope with the increasingly severe security situation,
the digital signature algorithm of the product license is upgraded to RSA3072 starting
from V800R021C00. Therefore, pay attention to the version compatibility when using the
license file.
− The license applied for in V800R021C00 and later versions cannot be used in
V800R013 and earlier versions.
− The license applied for in V800R013 and earlier versions can continue to be used in
V800R021C00 and later versions.
− If the device that supports version downgrade is delivered with V800R021C00 and
the license of the corresponding version and the version needs to be downgraded to
a version earlier than V800R021C00 on the live network, you need to apply for the
license of the earlier version on the ESDP website.
As the memory size of some boards is relatively small, when a large amount of memory is
consumed in heavy traffic scenarios, service performance or functions may be
compromised. In V800R021C00SPC100, the zRAM feature is added on some types of
boards. zRAM can compress the system memory, which is equivalent to increasing the
available memory of the system.
zRAM newly supports main control boards and case-shaped devices with 8 GB or less
memory, and interface boards (LPUs and NPUs only) with 2 GB or less memory. The
available memory of a board with 1 GB memory can increase by 150 MB. If the memory
size of a board is greater than or equal to 2 GB, its total memory size can increase by 1/4.
For example, if the memory size of a board is 8 GB, its available memory size can
increase by 2 GB; if the memory size of a board is 4 GB, its available memory size can
increase by 1 GB; if the memory size of a board is 2 GB, its available memory size can
increase by 512 MB.
After an upgrade, the display of memory usage on a zRAM-enabled main control board
and case-shaped device is optimized. Specifically, in the display health command output,
the value of Total increases by 1/4 of the total memory size, and the value of Used
increases by 200 MB for a board with 2 GB or less memory and by 300 MB for a board
with 4 GB or more memory (the increase indicates the expected cache consumption). The
value of Memory Usage changes accordingly.
After an upgrade, the display of memory usage on a zRAM-enabled interface board is
optimized. Specifically, in the display health command output, the value of Total
increases by 512 MB for a 2-GB board and 150 MB for a 1-GB board. The value of Used
increases by 200 MB for a board with 2 GB or less memory (the increase indicates the
expected cache consumption). The value of Memory Usage changes accordingly.
The following uses the NetEngine 8000 M8 as an example to describe the memory change
before and after an upgrade.
Before the upgrade:
<HUAWEI> display health
----------------------------------------------------------------
Slot CPU Usage Memory Usage(Used/Total)
----------------------------------------------------------------
10 IPU(Master) 21% 46% 3276MB/7022MB
9 IPU(Slave) 14% 36% 2541MB/7022MB
----------------------------------------------------------------
After the upgrade:
<HUAWEI> display health
----------------------------------------------------------------
Slot CPU Usage Memory Usage(Used/Total)
----------------------------------------------------------------
10 IPU(Master) 21% 39% 3576MB/9070MB
9 IPU(Slave) 14% 31% 2841MB/9070MB
----------------------------------------------------------------
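The display rules above for a zRAM-enabled main control board, applied to the "before" output to predict the "after" rows (an added example, not part of the original guide). The function names are hypothetical, only the 2 GB, 4 GB and 8 GB cases the guide gives figures for are covered, and the truncated percentage is an assumption inferred from the sample figures (3276MB/7022MB is shown as 46%).

```python
import re

# One data row of "display health", e.g. "10 IPU(Master) 21% 46% 3276MB/7022MB"
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)%\s+(\d+)%\s+(\d+)MB/(\d+)MB\s*$")


def main_board_zram_delta(physical_gb):
    """Return (total_delta_mb, used_delta_mb) for a zRAM-enabled main control board.

    physical_gb is the SDRAM Memory Size reported by "display version".
    Only sizes with an unambiguous rule in the guide are accepted.
    """
    if physical_gb not in (2, 4, 8):
        raise ValueError("no unambiguous rule in the guide for %r GB" % physical_gb)
    total_delta = physical_gb * 1024 // 4           # Total grows by 1/4 of physical memory
    used_delta = 200 if physical_gb <= 2 else 300   # expected cache consumption
    return total_delta, used_delta


def expected_after_upgrade(display_health_text, physical_gb):
    """Predict post-upgrade rows as (slot, board, used_mb, total_mb, usage_pct)."""
    total_delta, used_delta = main_board_zram_delta(physical_gb)
    rows = []
    for line in display_health_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, header and separator lines
        slot, board, _cpu, _old_pct, used, total = m.groups()
        new_used = int(used) + used_delta
        new_total = int(total) + total_delta
        # Assumption: the device truncates the percentage rather than rounding it.
        rows.append((int(slot), board, new_used, new_total,
                     new_used * 100 // new_total))
    return rows


# "Before the upgrade" output copied from this guide (NetEngine 8000 M8, 8 GB IPUs).
BEFORE = """<HUAWEI> display health
----------------------------------------------------------------
Slot CPU Usage Memory Usage(Used/Total)
----------------------------------------------------------------
10 IPU(Master) 21% 46% 3276MB/7022MB
9 IPU(Slave) 14% 36% 2541MB/7022MB
----------------------------------------------------------------
"""

if __name__ == "__main__":
    for row in expected_after_upgrade(BEFORE, physical_gb=8):
        print("%d %s %d%% %dMB/%dMB" % (row[0], row[1], row[4], row[2], row[3]))
```

Comparing the predicted rows with the real post-upgrade output separates the expected display change from a genuine memory regression, so monitoring thresholds based on Used or Memory Usage can be adjusted before the upgrade window.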
Precautions for Upgrading the NetEngine 8000 M14 and PTN 6900-2-M14
If the NetEngine 8000 M14 or PTN 6900-2-M14 is to be upgraded from
V800R012C00SPC300 to a later version, you need to install V800R012SPH019 or a later
patch first; otherwise, an error message is displayed when you specify the system software file
for the next startup. An error message example on the NetEngine 8000 M14 is as follows:
For details about how to select and load a patch file, see Patch Release Notes.
Upgrade Precautions for the NetEngine 8000 M14, NE40E-X2-M14, and PTN 6900-2-M14
If the device model is NetEngine 8000 M14, NE40E-X2-M14, or PTN 6900-2-M14 with two
main control boards and the EPLD version is 100, ensure that you succeed in logging in to the
device at least once during the upgrade. Otherwise, the upgrade of the standby main control
board takes a long time (about 40 minutes).
To determine the EPLD version, run the display version command and check the EPLD field
in the command output.
IPU version information:
IPU (Master) 15 : uptime is 0 day, 12 hours, 59 minutes
StartupTime 2020/11/30 21:40:49
SDRAM Memory Size : 16384 M bytes
FLASH Memory Size : 128 M bytes
CFCARD Memory Size : 4096 M bytes
IPU CR8D0IPU2TC1 version information
CPU PCB Version : DP51CPUA REV A
EPLD Version : 100
NPU PCB Version : CR81IPU2TAS REV A
EPLD Version : 100
FPGA Version : 110
NP Version : 100
TM Version : 100
NSE Version : NSE REV A
BootROM Version : 08.15
During an EPLD upgrade, do not power off or remove and then insert boards. Otherwise,
the boards may fail to work properly.
During the EPLD upgrade, subcard registration starts only after the standby main control
board registers. This takes about 15 minutes. If the standby main control board fails to
register repeatedly due to an exception, the subcard registration is suppressed for an hour.
In this case, you can manually remove and then insert the faulty main control board to
speed up subcard registration.
Upgrade References
Before the upgrade, contact Huawei technical personnel or log in to the Huawei support
website to download the reference documents that may be used during the upgrade. (The
reference documents vary according to SPC versions. Therefore, obtain the reference
documents of the corresponding SPC versions.) For enterprise users, visit
https://support.huawei.com/enterprise. For carrier users, visit https://support.huawei.com.
− Upgrade Guide
− Release Notes
If IFIT services have been deployed on the network, you need to disable IFIT services before
upgrading the devices to a new version. Then, upgrade all devices and deploy IFIT again.
Otherwise, service traffic forwarding will be interrupted during the upgrade.
Step 2 Run the undo ifit command to disable global IFIT services, and run the commit command to
commit the configuration.
[~HUAWEI]undo ifit
Warning: This operation will delete all IFIT instances. Continue? [Y/N]:y
[*HUAWEI]commit
----End
The license control of IFIT services in versions earlier than V800R021C00SPC100 (old
versions) is different from that in V800R021C00SPC100 and later versions (new versions).
After a device running an old version is upgraded to a new version, if IFIT Enhanced Package
and IFIT Poor-QoE Demarcation Package are not included in the license, the number of
newly generated IFIT hop-by-hop dynamic flow (transitinput and transitoutput) instances is
limited. If automatic flow learning and reverse flow learning are not configured before the
upgrade, the functions cannot be configured after the upgrade due to license restrictions. In
addition, the number of newly configured static hop-by-hop instances is limited. If the
preceding configurations already exist on the device before the upgrade, the original
configurations are not affected, and a license inactive alarm is reported. If the preceding
functions are not configured before the upgrade but need to be configured after the upgrade,
load the IFIT Poor-QoE Demarcation Package (the IFIT hop-by-hop dynamic flow function
and number of static hop-by-hop instances) and IFIT Enhanced Package (automatic flow
learning and reverse flow learning) before the upgrade.
The process deployment modes of V800R022C00SPC600 and later greatly differ from those
of earlier versions. In an upgrade to V800R022C00SPC600 or later, the system automatically
uses the CFG upgrade mode, which takes a longer time than the DB upgrade mode. This
impact does not apply to an upgrade from V800R022C00SPC600 or later.
The additional upgrade time varies according to the number of configured command
lines. For example, if 50,000 command lines are configured, the memory consumption is
reduced by 940 MB, the upgrade duration is prolonged by about 7 minutes, and the overall
upgrade duration is about 15 minutes (with the successful login time being considered the end
time of the duration).
Only the first upgrade to V800R022C00SPC600 or later takes a longer time. After the
first upgrade is complete, the startup duration at a device restart or board replacement
is not affected, and the duration of an upgrade from V800R022C00SPC600 to a later version
is not affected.
It is common to have 50,000 command lines configured. If excessive command lines are
configured, plan the operation window properly. In a test with 200,000 command lines
configured, it takes 37 minutes before a login is allowed (30 minutes longer than that in the
upgrade scenario without the board memory optimization feature).
Benefit and cost analysis: Assuming that 50,000 command lines are configured, the memory
consumption is reduced by more than 900 MB, and the CPU usage is reduced by about 2%
after an upgrade to the target version. The upgrade takes about 15 minutes, which is 7 minutes
longer than that in the upgrade scenario without the board memory optimization feature.
Check whether a board is an 8 GB one as follows:
The SDRAM Memory Size field in the display version command output indicates the total
physical memory size.
<HUAWEI> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 8.221 (NetEngine 8000 V800R022C10SPC500)
Copyright (C) 2012-2022 Huawei Technologies Co., Ltd.
HUAWEI NetEngine 8000 M8 uptime is 2 days, 0 hour, 3 minutes
By default, the IKEv1 function is not supported in the target version. After the upgrade, the IKEv1
configuration will be lost, and IPsec services will be adversely affected.
For the IKEv1 MOD-based upgrade in a dual-system environment, upgrade the backup device and
then the master device. If the IKEv1 MOD file is not installed on the backup device, the device
cannot receive the backup data of IKEv1 tunnels.
If IKEv1 is configured but the IKEv1 MOD file is not specified for the next startup, the IKEv1
configuration will be lost after an upgrade. As a result, the restored configurations become
inconsistent with those on the peer end, and tunnels cannot be established. In this case, check the
IKEv1-related configurations and reconfigure the IPsec and IKE encryption and authentication
algorithms.
----End
If E-Trunk has been deployed before an upgrade, check whether a key has been configured. If
not, configure the same key (different from the default key 00E0FC0000000000) in the E-
Trunk view on both ends of the E-Trunk before the upgrade. The default key cannot be used
for authentication after the upgrade. If you do not perform this configuration, E-Trunk
negotiation will fail after the upgrade, affecting services.
Step 2 In the existing E-Trunk view, check whether an encryption key is configured. If an encryption
key is configured, as shown in the following command output, the upgrade of the E-Trunk is
not affected.
[HUAWEI-e-trunk-1]display this
#
e-trunk 1
security-key simple root@123
authentication-mode enhanced-hmac-sha256
#
return
If an encryption key is not configured in the E-Trunk view, as shown in the following
command output, the upgrade of the E-Trunk will be affected.
[HUAWEI-e-trunk-2]display this
#
e-trunk 2
authentication-mode enhanced-hmac-sha256
#
return
Step 3 Configure an encryption key in the E-Trunk view where an encryption key does not exist.
Note: Configure the same encryption key in the E-Trunk view on both ends of an E-Trunk.
[HUAWEI-e-trunk-2]security-key cipher Root@1234
[HUAWEI-e-trunk-2]display this
#
e-trunk 2
security-key cipher %^%#e+,;P~l@H9Tk]{%K)b9Ad_ZgS/th}5N"i_>!E&N*%^%#
authentication-mode enhanced-hmac-sha256
#
return
Step 4 After the configuration is complete, run the display e-trunk command to check whether E-
Trunk negotiation works normally. If the State field value is Master or Backup and the Send
and Receive field values increase normally, the E-Trunk function is normal. Otherwise, check
whether the encryption keys configured on both ends of the E-Trunk are the same.
[HUAWEI-e-trunk-1]display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 100 System-ID : 38ba-234a-ed02
VPN-Instance : _public_
Peer-IP : 1.1.1.1 Source-IP : 1.1.1.2
State : Master Causation : PRI
Send-Period (100ms) : 10 Fail-Time (100ms) : 200
Receive : 7 Send : 25
RecDrop : 0 SndDrop : 0
Peer-Priority : 100 Peer-System-ID : 38ba-26be-9a01
Peer-Fail-Time (100ms) : 200 BFD-Session : -
Description : -
Sequence : Disable
Dynamic-BFD : Disabled BFD-State : -
TX (ms) : - RX (ms) : -
Multiplier : -
----End
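The check in Steps 2 and 3, run offline over a saved configuration so that every E-Trunk view is covered before the upgrade (an added example, not part of the original guide). The function names, finding labels and sample configuration are constructed for illustration; the plaintext-key finding is an extra hygiene check based on the guide's use of the cipher form in Step 3, not an upgrade requirement.

```python
import re

DEFAULT_KEY = "00E0FC0000000000"   # default E-Trunk key named in this guide

NO_KEY = "no-security-key"         # E-Trunk negotiation fails after the upgrade
DEFAULT = "default-key"            # default key is rejected after the upgrade
PLAINTEXT = "plaintext-key"        # key stored in "simple" (cleartext) form

# View header as shown by "display this": "e-trunk <id>" at the start of a line.
ETRUNK_HEADER = re.compile(r"^e-trunk\s+(\d+)\s*$")
KEY_LINE = re.compile(r"^\s*security-key\s+(simple|cipher)\s+(.+?)\s*$")


def audit_etrunk_keys(config_text):
    """Return {e-trunk id: [findings]} for every E-Trunk view in config_text."""
    blocks = {}      # e-trunk id -> list of (mode, value) from security-key lines
    current = None
    for line in config_text.splitlines():
        header = ETRUNK_HEADER.match(line)
        if header:
            current = int(header.group(1))
            blocks.setdefault(current, [])
            continue
        if line.strip() in ("#", "return"):
            current = None           # "#" closes the view, as in the guide's output
            continue
        key = KEY_LINE.match(line)
        if current is not None and key:
            blocks[current].append((key.group(1), key.group(2)))

    report = {}
    for etrunk_id in sorted(blocks):
        issues = []
        if not blocks[etrunk_id]:
            issues.append(NO_KEY)
        for mode, value in blocks[etrunk_id]:
            if mode == "simple":
                # A ciphertext key cannot be compared with the default offline.
                if value.upper() == DEFAULT_KEY:
                    issues.append(DEFAULT)
                issues.append(PLAINTEXT)
        report[etrunk_id] = issues
    return report


def upgrade_blockers(report):
    """E-Trunk ids that must be reconfigured on both ends before the upgrade."""
    return [i for i, issues in sorted(report.items())
            if NO_KEY in issues or DEFAULT in issues]


# Constructed sample configuration; views 1 and 2 mirror the guide's outputs,
# and the ciphertext in view 4 is a placeholder, not a real value.
SAMPLE_CONFIG = """#
e-trunk 1
 security-key simple root@123
 authentication-mode enhanced-hmac-sha256
#
e-trunk 2
 authentication-mode enhanced-hmac-sha256
#
e-trunk 3
 security-key simple 00E0FC0000000000
#
e-trunk 4
 security-key cipher %^%#CONSTRUCTED-PLACEHOLDER%^%#
 authentication-mode enhanced-hmac-sha256
#
return
"""

if __name__ == "__main__":
    result = audit_etrunk_keys(SAMPLE_CONFIG)
    for etrunk_id, issues in result.items():
        print("e-trunk %d: %s" % (etrunk_id, ", ".join(issues) or "ok"))
    print("reconfigure before upgrade:", upgrade_blockers(result))
```

Because a cipher-form key is stored as device-specific ciphertext, the script cannot confirm that both ends hold the same key; that is still verified with display e-trunk as described in Step 4.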
After the upgrade, you can run the undo crypto weak-algorithm disable command in the
system view to disable weak algorithms.
In V800R021C00SPC100 and later versions, the default account and SSH/SNMP all port
listening configuration are removed from the default configuration file of the device (only
management network port listening is retained), but the functions of first login and password
change upon the first login are added. In addition, weak algorithms are removed, and DTLS
data channel encryption is used by default in transmission mode. The removed configurations
are stored in the default-custom.defcfg file. You can tailor and load the file as needed. The
detailed changes are as follows:
1. The default account and SNMP/SSH all port listening configurations are removed from
the default configuration file. By default, only SSH login through the management
network port or login through the serial port is supported. In addition, the first-login
process is triggered upon the first login, requiring you to create a username and
password. Note that the first-login process is disabled during SSH login if the process
has been triggered during serial port login.
2. By default, the function of requiring a new user to change the password upon the first
login is enabled; however, this function is disabled in upgrade scenarios. To enable this
function, run the undo user-password password-force-change disable command in the
AAA view.
3. Weak algorithms are removed from the default.cfg file. If SSH-based login is used,
ensure that the login tool supports the security algorithms in the default configuration
file.
dh_group14_sha1 ecdh_sha2_nistp256
ecdh_sha2_nistp384 ecdh_sha2_nistp521
The dcn security-mode enable command takes effect only in the default.cfg or *.defcfg
default configuration file. This command cannot be run by a user, and no configuration
information is generated for it.
The dcn security-mode enable command automatically generates the bind client dtls-
policy qx_dtls_client command in the DCN view if a DTLS policy named qx_dtls_client
exists.
To disable the DTLS encryption channel of DCN, run the undo bind client dtls-policy
command in the DCN view.
5. If weak algorithms and protocols exist in the system, an alarm is reported to prompt you
to perform rectification.
Before running the reset saved-configuration command or pressing the reset button to clear
the configuration, check whether the .defcfg file is configured.
If the default behavior of the device needs to be the same as the previous one, you can run the
startup default-configuration configuration-file command to specify the customized defcfg file
during the production of a new device.
You can also customize the .defcfg file for a live-network device when it is upgraded to
V800R021C00SPC100 or later. If you add the preceding removed configurations to the
customized .defcfg file, the device retains the same default configuration restoration behavior as that
in the earlier version. For details, see the following operations.
If a device is downgraded to a version earlier than V800R021C00SPC100, delete the default
configuration file or load the defcfg file customized for the source version.
You can disable the weak algorithm in V800R022C00SPC600. If you do not need to disable it,
setting the latest .defcfg file is recommended. This prevents the weak algorithm from becoming
unavailable after the configuration is cleared using the reset saved-configuration command or the
reset button.
Prerequisites
1. The version is upgraded. By default, the new version still uses the license file of the old
version.
2. The license file of the new algorithm is activated.
3. Rollback is performed.
2. If the device runs V800R021 or a later version, it checks how long ago the CRL file was
last updated. If the time during which the CRL file has not been updated exceeds the
precaution threshold, the device reports an alarm (SSLCertificateExpiredEarlyWarning) indicating
that the CRL file has expired. To check the next update time of the CRL, you can
download the CRL file to a local PC and double-click the file to perform the check.
3. You can run the ssl certificate alarm-threshold early-alarm <time> command in the
system view to set the time threshold for the CRL file. The default time threshold is 90
days.
4. If you need to use the CRL file, update it periodically to prevent the device from
reporting alarms due to expiration.
NOTE
The time required for a rollback refers to the duration between the start of the rollback and the time all
boards are registered on an unconfigured router. The time listed here is an estimate; actual rollback time
varies with the size of the configuration file and the number of boards.
8. 3.9 Checking Remaining Space in the cfcard: The CF card has sufficient space to store
the target upgrade software.
----End
Configuration Files
The configuration file of V800R022C00SPC600 includes the user configuration file
(*.cfg/*.zip).
The user configuration file stores service configurations, and the device configuration file
stores hardware configurations.
System Software
System Software Name                        Product Model
NetEngine8000-M8-M14_V800R022C00SPC600.cc   NetEngine 8000 M8, NetEngine 8000 M14
NE40E-X2-M14_V800R022C00SPC600.cc           NE40E-X2-M14
PTN6900-2-M8C-M14_V800R022C00SPC600.cc      PTN 6900-2-M8C, PTN 6900-2-M14
In this command output, the characters in bold are the Current system software version. If the
Current system software version is the target version, no upgrade is required.
Run the display device command in the user view to check that IPUs and PICs are
functioning properly.
<HUAWEI>display device
NetEngine 8000 M14's Device status:
-------------------------------------------------------------------------------
Slot # Type Online Register Status Role LsId Primary
-------------------------------------------------------------------------------
1 PIC Present Registered Normal OTHER 0 NA
2 PIC Present Registered Normal OTHER 0 NA
3 PIC Present Registered Normal OTHER 0 NA
4 PIC Present Registered Normal OTHER 0 NA
7 PIC Present Registered Normal OTHER 0 NA
9 PIC Present Registered Normal OTHER 0 NA
12 PIC Present Registered Normal OTHER 0 NA
13 PIC Present Registered Normal OTHER 0 NA
14 PIC Present Registered Normal OTHER 0 NA
15 IPU Present Registered Normal MMB 0 Master
16 IPU Present Registered Normal MMB 0 Slave
17 PWR Present Registered Normal OTHER 0 NA
18 PWR Present Registered Normal OTHER 0 NA
19 FAN Present Registered Normal OTHER 0 NA
20 CLK Present Registered Normal OTHER 0 Master
21 CLK Present Registered Normal OTHER 0 Slave
-------------------------------------------------------------------------------
If Unregistered is displayed in the Register field, the board in that slot is not registered.
If Abnormal is displayed in the Status field, the board in that slot is not functioning
properly.
The status of all monitored objects must be NORMAL. If any monitored object is not in the
NORMAL state, rectify faults.
Solutions in case of an exception: If the Temp values exceed 60, turn down the air
conditioner in the equipment room.
If the state does not change to normal after faults are rectified, contact Huawei technical
personnel.
<HUAWEI>dir cfcard:/logfile/
Directory of cfcard:/logfile/
Exception handling: If the following logs are frequently generated, record these logs and
contact Huawei engineers for analysis.
6 -rw- 1,073,246 Jan 15 2020 18:04:28 diag.log
If there are too many log files in the log directory or the available space of the log directory is
insufficient, save the logs to a local computer or log server in time and delete unneeded logs
from the device to ensure that the log directory has sufficient space for storing new logs.
For information about memory usage on each board in various scenarios on a device running
V800R022C00SPC600, see B Memory and CPU Usage of Boards.
If alarms are displayed, contact Huawei technical support personnel for assistance in
determining whether to continue the upgrade.
Keep a detailed record of the operating status of each board for use as a troubleshooting
reference.
If SFTP is used for the upgrade with the router functioning as a client and the PC functioning
as a server, install the SFTP server application on the PC. The SFTP server application does not
come with the router; therefore, you must purchase and install the SFTP server application separately.
Using SFTP is recommended.
You can download the system software using SFTP in the command line view, specify the
system software as the startup system software, and then restart the device to complete the
upgrade. For details, see 4.2 Upgrading the System Software Using Command Lines.
Figure 3-1 shows the basic networking diagram for establishing an upgrade environment
using SFTP.
A PC can also function as a server to store the downloaded system software. You will need to connect
the PC to the router using a network cable.
The general requirements for establishing an upgrade environment using SFTP are as follows:
The RS-232 serial interface on the PC and the console interface on the device are
connected using a console cable.
The server and the Ethernet interface on the IPU of the device are connected using a
network cable.
The IP addresses of the server and the Ethernet interface on the device are on the same
network segment.
Upgrade files, including the system software, are stored on the server.
Figure 3-1 Networking diagram for upgrading the router using SFTP
The extension of a configuration file name must be .cfg or .zip. The system configuration file must be
saved in the root directory on the storage device.
<HUAWEI>save vrpcfg.zip
Warning: Are you sure to save the configuration to cfcard:/vrpcfg.zip? [Y/N]:y
Now saving the current configuration to the slot 15
Info: Save the configuration successfully.
Warning: Are you sure to save the configuration to slave#cfcard:/vrpcfg.zip?
[Y/N]:y
Now saving the current configuration to the slot 16 .
Info: Save the configuration successfully.
1. The save and save config-filename commands have different functions. Note the following
when using them.
The save command saves the current configuration to the configuration file for the next
startup on the storage device. You can use the display startup command to view
information about the configuration file for the next startup. By default, the configuration
file of the next startup is cfcard:/vrpcfg.zip.
The save config-filename command backs up the current configuration to the file specified
by config-filename on the storage device. The command execution does not affect the
current startup configuration file. If config-filename is specified the same as the
configuration file for the next startup and the storage path for the configuration file, the
save config-filename command functions the same as the save command.
2. If you have run the save config-filename command to back up the current configuration
and still want to deliver the new configuration, you must run the save config-filename
command again to back up the new configuration to the configuration file. This ensures
that the new configuration restores after the device restarts.
2. Set a PC as the SFTP server, configure a user named huawei with the password ******,
and store the target system software in the file directory of the SFTP server. This example
assumes that the IP address of the SFTP server is X.X.X.X/X, and the IP address of the
Ethernet interface on the router is X.X.X.X/X.
In this example, a PC functions as an SFTP server. For more methods to upload/download files, refer
to the procedure in chapter A Uploading/Downloading Files.
If the router functions as a client, and the PC functions as a server, install the SFTP server
application on your PC before the upgrade. The SFTP server application does not come with the
router; therefore, you must purchase and install the SFTP server application separately.
3. Log in to the SFTP server.
Run the sftp ip-address command on the router to set up an SFTP connection with the PC
and enter the SFTP client view.
<HUAWEI>system-view
[~HUAWEI]sftp X.X.X.X
Trying X.X.X.X ...
Press CTRL+K to abort
Connected to X.X.X.X ...
Warning: The negotiated encryption or digest algorithm is insecure. Using a
security algorithm (AES-256, SHA-256) is recommended.
Please input the username:huawei
Enter password:**********
sftp-client>
4. At the prompt sftp-client>, run the put local-filename [ remote-filename ] command to
upload files from the router to the SFTP server.
For example, upload the configuration file (vrpcfg.zip), GTL license file, and the pre-
upgrade system software (V800R012C00SPC300) to the server for backup.
sftp-client>put vrpcfg.zip vrpcfgbackup.zip
Local file: vrpcfg.zip ---> Remote file: / vrpcfgbackup.zip
Uploading the file. Please wait...\
Uploading file successfully ended.
File upload is completed in 0 seconds.
The cfcard has internal partitions. The remaining space information shown in the dir cfcard: command
output greatly differs from that shown in the dir cfcard:/logfile/ command output. Before you install the
target system software, run the dir cfcard: command to verify whether the remaining space is sufficient.
<HUAWEI>dir cfcard:
Directory of cfcard:/
//3,432,448 KB total indicates the capacity of the CF card, and 717,146 KB free indicates the
remaining space of the CF card.
<HUAWEI>dir slave#cfcard:
Directory of slave#cfcard:/
The files deleted using the delete command are saved in the Recycle Bin. You can restore
files in the Recycle Bin using the undelete command. Files in the Recycle Bin still occupy
space in the cfcard.
The file name huawei.pat is only an example.
The reset recycle-bin command permanently deletes all files from the recycle bin. This
means that these deleted files cannot be restored.
Run the following command to restore mistakenly deleted files stored in the Recycle Bin:
<HUAWEI> undelete cfcard:/backupelb.txt
Info:Undeleted file cfcard:/backupelb.txt.
<HUAWEI> undelete slave#cfcard:/backupelb.txt
Info:Undeleted file slave#cfcard:/backupelb.txt.
Time Required: The upgrade takes approximately 50 minutes, including the time for
downloading and uploading the system software package.
The size of configuration file exceed the upper limit.(50 KB). Theoretically, the size of the defcfg file cannot exceed 50 KB, check whether the file is a defcfg file.
Invalid file name or file name extension.(*.defcfg), please change the file name extension to defcfg.
The system is not ready. Please check and try again.
The device has insufficient space. Clearing the Disk Space (Spaces of /opt/vrpv8/data).
Failed to set the configuration for booting system. Contact Huawei employees to locate the fault.
Unknown error. Unknown error, please check the command output.
Get CFG process failed.
Start up defcfg file failed.
For details about other processes, see IP Toolkit V100R021C10SPC110 NE Upgrade
User Guide 1.3.
To download the uUpgrade tool, visit either of the following websites as required and ensure that the
uUpgrade tool is of the latest version:
Carrier network: https://support.huawei.com/carrier/navi?coltype=software#col=software&path=PBI1-7275726/PBI1-7275757/PBI1-21039046/PBI1-21621186
Enterprise network: https://support.huawei.com/enterprise/en/enterprises-common/ibox-pid-21621186/software
For details about how to install the uUpgrade tool and how to upgrade the uUpgrade tool, see the guide
released with the uUpgrade tool at the support website.
Time Required: About 50 minutes, including the time for uploading and downloading the
software package
Prerequisites:
The router that runs a version earlier than the target version is functioning properly.
The router and the PC can ping each other successfully.
The CF card has sufficient space to store the target system software.
The current configuration file and system software have been backed up.
Upgrade Flowchart
Figure 4-1 Flowchart for upgrading the system software using command lines
This example only describes how to download files by using the router as an SFTP client. For more
methods to upload/download files, refer to the procedure in chapter A Uploading/Downloading Files.
During the upgrade, the router will be restarted, interrupting services temporarily. Therefore, choose
an appropriate time to upgrade the router, minimizing the impact on services.
On a router that has two IPUs, the system software on the master IPU must be the same as that on
the slave IPU.
The following example describes how to upgrade the router from V800R012C00SPC300 to
V800R022C00SPC600.
1. Set the SFTP server.
Set a PC as the SFTP server, configure a user named huawei with the password
huawei@123, and store the target system software in the file directory of the SFTP server.
This example assumes that the IP address of the SFTP server is X.X.X.X/X, and the IP
address of the Ethernet interface on the router is X.X.X.X.
2. Log in to the SFTP server.
Run the sftp ip-address command on the router to set up an SFTP connection with the PC
and enter the SFTP client view.
<HUAWEI>system-view
[~HUAWEI]sftp X.X.X.X
Trying X.X.X.X ...
Press CTRL+K to abort
Connected to X.X.X.X ...
Warning: The negotiated encryption or digest algorithm is insecure. Using a
security algorithm (AES-256, SHA-256) is recommended.
Please input the username:huawei
Enter password:**********
sftp-client>
3. At the sftp-client> prompt, run the get local-filename [ remote-filename ] command to
upload the specified files to the router.
The system software of the master and slave IPUs must be the same.
sftp-client>get NetEngine8000-M8-M14_V800R022C00SPC600.cc
Remote file: /NetEngine8000-M8-M14_V800R022C00SPC600.cc ---> Local file: NetEngine8000-M8-M14_V800R022C00SPC600.cc
Downloading the file. Please wait.../
Downloading file successfully ended.
File download is completed in 743.13 seconds.
4. Copy files to the cfcard on the slave IPU and view uploaded files.
Run the copy source-filename destination-filename command to copy system software,
and the GTL license file from the master IPU's cfcard to the slave IPU's cfcard.
<HUAWEI>copy cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc slave#cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc
Warning: File cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc will be copied to slave#cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc. Continue? [Y/N]:y
100% completed.
After the preceding operations, run the dir command to view the uploaded or
downloaded files and verify that the files have been uploaded or downloaded completely.
After uploading or downloading files, verify their completeness. If the files are not uploaded or
downloaded completely due to insufficient storage space, delete unnecessary files from the cfcard.
For instructions on how to delete unnecessary files from the cfcard, see 3.9 Checking Remaining
Space in the cfcard.
Verify the uploaded files by checking file sizes and dates.
Run the check system-software filename command to check the integrity of the uploaded software
package.
You are advised to verify the integrity of the target system software by checking the byte count.
<HUAWEI>dir cfcard:
Directory of cfcard:/
The Slot# column indicates the slot ID of each board. The BoardType column indicates the type of each
board, which is obtained from the electronic label of each board. The Result column indicates the
upgrade feasibility check result. The Detail column indicates the detailed cause why a board is not
compatible.
6. (Optional) To use the IKEv1 function, load the IKEv1 MOD file during the upgrade. Log
in to https://support.huawei.com, apply for the system software package, download the
MOD file with the system software package, and copy the MOD file to the root directory
of the CF card on each IPU. For example, download
NetEngine8000V800R022C00SPC600_IKE_V1.0.MOD.
After completing the preceding operations, unload the MOD file. For details,
see the procedure in the scenario where no IKEv1 configuration exists.
7. Specify system software, and the configuration file for the next startup.
For the router with dual IPUs, the configuration file to be loaded must have been stored in the
cfcards of both the master and slave IPUs.
If the iupgrade tool is used, the configuration file used during next startup will be changed.
Before loading the patch file, run the check patch command to check the integrity of the patch
package to ensure that the target software is secure and available.
Specify system software before specifying the PAF and license files; otherwise, the system may use
the default PAF and license files during startup.
The system loads PAF and license files contained in system software by default. If you have
specified a user-defined PAF file for next startup, you can use the startup paf default command to
re-specify the default PAF file for next startup.
If dual IPUs are installed on the router, the configuration file must have been stored in CF cards on
both IPUs before being loaded; the PAF file, license file, and system software on the master IPU
must be the same as those on the slave IPU. Any inconsistency will cause trouble in restarting the
router.
If the NetEngine 8000 M14 or PTN 6900-2-M14 needs to be upgraded to V800R012C10SPC300 or
a later version, you need to install V800R012SPH019 or a later patch first; otherwise, an error
message is displayed when you specify the system software file for the next startup. For details
about the patch, see Precautions for Upgrading the NetEngine 8000 M14 and PTN 6900-2-M14.
Specify the system software to be loaded to both IPUs for the next startup.
<HUAWEI>startup system-software NetEngine8000-M8-M14_V800R022C00SPC600.cc
<HUAWEI>startup system-software NetEngine8000-M8-M14_V800R022C00SPC600.cc slave-board
or
<HUAWEI>startup system-software NetEngine8000-M8-M14_V800R022C00SPC600.cc all
(Optional) Specify the patch file to be loaded when the device is started.
<HUAWEI>check patch huawei.pat
Warning: Package verification consumes system CPU resources. Continue? [Y/N]:y
Info: Prepare to check file huawei.pat, please wait...done.
Info: Digital signature verification of the system patch succeeded.
<HUAWEI> startup patch huawei.pat all
Info: Operating, please wait for a moment........done.
Info: Succeeded in setting startup the patch.
(Optional) Specify the startup paf file for the router.
<HUAWEI>startup paf huawei.bin
Info: Succeeded in setting main board resource file for system.
(Optional) Specify the startup configuration file for the router. If no configuration file is
specified, the configuration file of the source version is used during the next startup.
If the configuration file for the next startup is specified, step 8 cannot be performed. Otherwise, the specified
configuration file for the next startup will be overridden.
<HUAWEI>startup saved-configuration vrpcfg.zip
Info: Operating, please wait for a moment.......done.
Info: Succeeded in setting the configuration for booting system.
8. Save configurations.
<HUAWEI>save
Warning: The current configuration will be written to the device.
Are you sure to continue? [Y/N]:y
Now saving the current configuration to the slot 15 .
Info: Save the configuration successfully.
Now saving the current configuration to the slot 16 .......
Info: Save the configuration successfully.
9. (Optional) Block users from getting online and cut off online users.
Wait for a certain period of time and run the display domain command to verify
that all users are offline. After all users go offline, shut down the BAS interface and
save the configuration (do not shut down the remote login interface). And then back
up the configuration file for possible rollback (Do not run the block or cut access-
user command for the default_admin domain).
If a large number of users are online, running the cut access-user command results in increasing
CPU usage because many protocol packets are exchanged. After online users get offline, CPU usage
reduces and becomes stable. (The block and cut access-user domains cannot include the
administrative user domain. The default administrative user domain is default_admin.)
The cut access-user command takes effect only once and is not saved into the configuration file.
Running this command does not affect the follow-up upgrade procedure.
Before you run the cut access-user command, ensure that the number of online users in each
domain is less than or equal to 50% of the total number of users. In addition, run this command to
log out users in a different domain only after all users in the domain where this command is last run
are logged out. Running this command simultaneously for two or more domains will overburden the
RADIUS server (for example, suddenly increase the CPU and memory usage), thereby causing
system instability.
If the number of users in a domain exceeds 50% of the total number of users, you can run the cut
access-user interface or cut access-user slot command to log out users from a specified interface or
board. This prevents a large number of users from being logged out, reducing the burden on the
RADIUS server.
10. Reboot the device.
Some commands and functions may change because the configuration file changes after the reboot.
The reboot fast command is used for quick restart of the router without prompting the user to
confirm whether to save current configurations.
<HUAWEI>reboot
MPU 15:
Next startup system software: cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc
Next startup saved-configuration file: Vrpcfg.zip
− Scenario 4: A license file has been activated. The new license to be activated has
lower specifications than the existing activated one.
Enter Y or N to confirm the activation operation. Enter Y to activate the license.
Enter N to use the existing license.
<HUAWEI>license active gtl.xml
Warning: This operation will reduce current resource or function.
Continue? [Y/N]:y
Now activing the License.............done.
13. Check services after the upgrade.
After the device starts up, check the subcard registration status. If all subcards are
registered, check the configuration recovery status and check that no configuration loss
occurs. Then, run the undo shutdown command on the network-side interface and check
whether the network-side protocol status is restored.
(Optional) Run the undo block command, and then run the undo shutdown command on
one downstream BAS interface. Check that services are normal. Then enter all the
domains of online users on the BAS interface, and check that user services are normal.
14. If the IKEv1 MOD file is installed, enable IKEv1 and save the configuration.
Enable IKEv1 globally.
<HUAWEI>system
[~HUAWEI]ike v1 enable
[*HUAWEI]commit
[~HUAWEI]quit
<HUAWEI>
Save the configuration.
<HUAWEI>save
Warning: The current configuration will be written to the device.
Are you sure to continue? [Y/N]:y
Now saving the current configuration to the slot 15 ............
Info: Save the configuration successfully.
----End
Troubleshooting
If the IPU cannot be properly registered or the router cannot be telneted to but the BootROM
menu is displayed, you can implement a rollback to restore the source system software.
Another upgrade can be planned and performed after the router works properly. For
information about version rollback, see section 7.2 IPU Fails to Be Registered.
If any boards fail to run properly or register, see section 7.1 Boards or Fans Fail to Be
Upgraded.
Impact: Services are interrupted when the host software on the master IPU is
being upgraded.
Prerequisites:
The device has Ethernet interfaces for communicating with an FTP server.
CFcards have enough free space to store the system software.
Upgrade Flowchart
Figure 4-2 Upgrading the system software using the Console interface
Procedure
1. Connect the Console interface and the COM interface of a PC, and configure the
HyperTerminal.
2. Run the FTP and TFTP Server programs on the PC.
In this step, the window displayed may vary because the FTP and TFTP software may be different for
different devices. The TFTP and FTP software must be stored in the same directory which is used for
storing system software.
Set parameters for the FTP server program, including the file directory, user name, and
password. For details, see Figure 4-3.
Set parameters for the SFTP server program, including the user name, password, port
number, and file directory.
3. Restart the router. The HyperTerminal interface displays the following information:
boot from area 0
Build at 19:43:45 on Dec 17 2019
Totem_PLL: 1600 MHz, Nimbus_PLL: 2000 MHz
Totem B Cluster L1/L2 Cache Mbist OK
Reset times is 2
Press Ctrl+R to enter the Recovery mode and restore factory configurations.
Press CTRL+B to enter BOOT menu: 3
4. Press Ctrl+B within 3 seconds after the message of Press Ctrl+B to enter Menu: 3 is
displayed.
Press CTRL+B to enter BOOT menu: 3
Password:
5. Enter a password and access the main menu.
No preset password is required for the BootLoad menu. Modifying the preset password to prevent
security risks is recommended.
From V800R012C00, you can run the set boot password command in the system view to change
the BootLoad password.
[~HUAWEI]set boot password slot 15
Please set a login password (6-255)
Enter old password:
Enter new password:
Confirm new password:
Info: The password was changed successfully
When a device is upgraded from a version earlier than V800R012C00SPC300 to
V800R022C00SPC600, the BootLoad password before the upgrade is used. You are advised to
change the password after the upgrade.
Choose 5. Password manager submenu from the BootLoad menu to change the password. The
password must be a string of 6 to 255 characters that contain at least two of the following: uppercase
letters, lowercase letters, digits, and special characters. The password cannot contain question marks (?)
or spaces.
Main Menu
1. Default startup
2. Ethernet submenu
3. Startup parameters submenu
4. List file
5. Password manager submenu
6. Reboot
1. Update software
2. Display parameters
3. Modify parameters
0. Return
1. Update software
2. Display parameters
3. Modify parameters
0. Return
Update software
8. After parameter setting is complete, enter the system software name to load the system
software from Update software.
Update software
......
Master board license state: Demo. The license for the current configuration will
expire in XX day(s).
Apply for authentic license before the current license expires.
All of the items in the list above are controlled by the GTL license. A Used value of 0
indicates that a function is unavailable; a value of 1 indicates that it is available. A Control
value indicates the number of authorized resources. Use the list to check whether Authorize
type, Expired date, and Control value for GTL license items are the same as what you
applied for.
V800R022C00SPC600 does not support automatic EPLD upgrade on the master IPU, but
supports automatic EPLD upgrade on the slave IPU. To automatically upgrade the EPLD on
the master IPU, perform a master/slave IPU switchover first.
Keep a detailed record of the operating status of each board for use as a troubleshooting
reference.
Check whether services are running properly before running the save command.
If the rollback fails or any issue occurs during the rollback, contact Huawei technical support
engineers in a timely manner and record the symptoms and all the operations that have been
done to perform the rollback.
By default, the device tries each software package a maximum of three times and automatically
restarts upon a start failure.
When the system fails to start three times, it considers the system software invalid. To start
the device using the system software, power it off or rename the system software package.
If an earlier system software version is unavailable after a rollback, the device stays in the BIOS state.
6.2.1 Precautions
This section describes important precautions that must be taken during a rollback:
When a rollback is in progress, services will be temporarily interrupted. The interruption
time depends on the rollback method and service configuration.
Before performing a rollback, contact Huawei technical support engineers to determine if
the target version for the rollback requires a patch. If yes, install the required patch after
the rollback.
After a rollback, boards and subboards that were newly added in the new version may be
abnormal or fail to register. If necessary, contact Huawei technical support
engineers.
After the rollback command is run, the system configuration file and patch file will
automatically roll back. The configuration in the target version will be lost. For any
questions, contact Huawei technical support personnel.
Before performing a rollback, upload the configuration file that you backed up before
the upgrade to the NE, and set "Next startup saved-configuration file" to use the backed up
configuration file.
The text in bold indicates patch information. In the preceding command output, NULL is
displayed for patch information, indicating that no patch file is running.
In this situation, go to Step 2. If patch files are displayed, run the patch delete all command
to delete the patch files and then go to Step 2.
<HUAWEI> patch delete all
Patch files must be deleted under the guidance of Huawei technical support personnel.
Step 2 Specify the target system software that control boards will load during startup.
The following uses NetEngine8000-M8M14-V800R012C00SPC300.cc as an example.
<HUAWEI>startup system-software NetEngine8000-M8M14-V800R012C00SPC300.cc all
Info: Operating, please wait for a
moment............................................................................
..................................................................................
...done.
Info: Succeeded in setting the software for booting system in slot 10
Info: Succeeded in setting the software for booting system in slot 11.
The system software cannot be specified if it fails the CRC check or does not match the device
model.
The all parameter is not required when only one MPU is installed.
Step 3 Check the files that the device is to load at the next startup.
<HUAWEI>display startup
MainBoard:
Configured startup system software: cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc
Startup system software: cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc
Next startup system software: cfcard:/NetEngine8000-M8M14-V800R012C00SPC300.cc
Startup saved-configuration file: cfcard:/vrpcfg.cfg
Next startup saved-configuration file: cfcard:/vrpcfg.cfg
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
SlaveBoard:
Configured startup system software: cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc
Startup system software: cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc
Next startup system software: cfcard:/NetEngine8000-M8M14-V800R012C00SPC300.cc
Startup saved-configuration file: cfcard:/vrpcfg.cfg
Next startup saved-configuration file: cfcard:/vrpcfg.cfg
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Step 4 Perform a CRC check on the system software to be loaded at the next startup.
<HUAWEI>check system-software NetEngine8000-M8M14-V800R012C00SPC300.cc
Caution!!! Confirm to check startup file! Continue? [Y/N]:y
Info: Prepare to check system software cfcard:/NetEngine8000-M8M14-V800R012C00SPC300.cc, please wait..........
Info: The SHA256 hash value of the system software is d76a9989a4d64bb5909a387e18b8c1f98142b37e3e22ff71b673bec3576f5b46.
Info: System software signature check passed!
----End
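The startup-file check and the package check in the two preceding steps can be scripted against captured CLI output so that a master/slave mismatch or a hash difference is caught before the reboot. The following is an added example, not part of the Huawei guide: the function names are hypothetical, the sample outputs are constructed (with long values wrapped as a narrow terminal capture would wrap them), and REFERENCE_SHA256 is a placeholder for the value the operator recorded from the vendor's release materials.

```python
import re

SECTION = re.compile(r"^(MainBoard|SlaveBoard):\s*$")
FIELD = re.compile(r"^((?:Configured |Next )?[Ss]tartup [A-Za-z\- ]+?):\s*(.*)$")
HASH = re.compile(r"SHA256 hash value of the system software is\s+([0-9a-fA-F]{64})")
# Fields that must be identical on the master and slave boards before a reboot.
MUST_MATCH = ("Next startup system software",
              "Next startup saved-configuration file",
              "Next startup paf file")


def parse_display_startup(text):
    """Return {board: {field: value}}, re-joining values wrapped across lines."""
    boards, board, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            board, key = m.group(1), None
            boards[board] = {}
            continue
        m = FIELD.match(line)
        if m and board:
            key = m.group(1)
            boards[board][key] = m.group(2).strip()
        elif board and key:
            boards[board][key] += line  # continuation of a wrapped value
    return boards


def startup_findings(boards, target):
    """List problems: wrong next-startup package, or master/slave disagreement."""
    findings = []
    for board, fields in boards.items():
        nxt = fields.get("Next startup system software", "")
        if nxt.rsplit("/", 1)[-1] != target:
            findings.append(f"{board}: next startup software is {nxt!r}, expected {target}")
    main, slave = boards.get("MainBoard"), boards.get("SlaveBoard")
    if main and slave:
        for field in MUST_MATCH:
            if main.get(field) != slave.get(field):
                findings.append(f"boards disagree on {field!r}: "
                                f"{main.get(field)!r} vs {slave.get(field)!r}")
    return findings


def check_findings(output, reference_sha256):
    """Validate 'check system-software' output against a recorded reference hash."""
    findings = []
    m = HASH.search(output)
    if not m:
        findings.append("no SHA256 value found in check output")
    elif m.group(1).lower() != reference_sha256.lower():
        findings.append("SHA256 reported by the device differs from the reference value")
    if "System software signature check passed!" not in output:
        findings.append("signature check did not report success")
    return findings


# ---- Constructed sample data (not captured from a real device) ----
TARGET = "NetEngine8000-M8M14-V800R012C00SPC300.cc"
OLD_NEXT = "cfcard:/NetEngine8000-M8M14-\nV800R012C00SPC300.cc"
NEW_NEXT = "cfcard:/NetEngine8000-M8-\nM14_V800R022C00SPC600.cc"
MAIN = f"""MainBoard:
Configured startup system software: {NEW_NEXT}
Startup system software: {NEW_NEXT}
Next startup system software: {OLD_NEXT}
Startup saved-configuration file: cfcard:/vrpcfg.cfg
Next startup saved-configuration file: cfcard:/vrpcfg.cfg
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
"""
SLAVE = MAIN.replace("MainBoard", "SlaveBoard")
CONSISTENT = MAIN + SLAVE
# Failure case: the slave board still points at the version being rolled back from.
DRIFTED = MAIN + SLAVE.replace(OLD_NEXT, NEW_NEXT)

# Placeholder reference; set to the hash in the sample output so the check passes.
REFERENCE_SHA256 = "d76a9989a4d64bb5909a387e18b8c1f98142b37e3e22ff71b673bec3576f5b46"
CHECK_OUTPUT = """Info: Prepare to check system software cfcard:/NetEngine8000-M8M14-
V800R012C00SPC300.cc, please wait..........
Info: The SHA256 hash value of the system software is
d76a9989a4d64bb5909a387e18b8c1f98142b37e3e22ff71b673bec3576f5b46.
Info: System software signature check passed!
"""

if __name__ == "__main__":
    for name, sample in (("consistent", CONSISTENT), ("drifted", DRIFTED)):
        print(name, startup_findings(parse_display_startup(sample), TARGET))
    print("check", check_findings(CHECK_OUTPUT, REFERENCE_SHA256))
```

An empty findings list from both functions is the condition to proceed; any entry is a reason to stop and re-run the startup system-software step.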
The text in bold indicates patch information. In the preceding command output, NULL is
displayed for patch information, indicating that no patch file is running.
In this situation, go to Step 2. If patch files are displayed, run the patch delete all command
to delete the patch files and then go to Step 2.
<HUAWEI>patch delete all
Patch files must be deleted under the guidance of Huawei technical support personnel.
Step 2 Specify the target system software that control boards will load during startup.
The following uses NetEngine8000-M8M14-V800R012C00SPC300.cc as an example.
<HUAWEI>startup system-software NetEngine8000-M8M14-V800R012C00SPC300.cc all
Info: Operating, please wait for a
moment............................................................................
..................................................................................
...done.
Info: Succeeded in setting the software for booting system in slot 10
Info: Succeeded in setting the software for booting system in slot 11.
The system software cannot be specified if it fails the CRC check or does not match the device
model.
The all parameter is not required when only one MPU is installed.
Step 4 Specify the configuration file to be loaded at the next startup. The following uses etn.zip as
an example.
<HUAWEI> startup saved-configuration etn.zip
Info: Operating, please wait for a moment.......done.
Info: Succeeded in setting the configuration for booting system.
The configuration file to be loaded at the next startup must have been stored in the CF cards of both the
master and slave control boards.
Step 5 Check the files that the device is to load at the next startup.
<HUAWEI>display startup
MainBoard:
Configured startup system software: cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc
Startup system software: cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc
Next startup system software: cfcard:/NetEngine8000-M8M14-V800R012C00SPC300.cc
Startup saved-configuration file: cfcard:/vrpcfg.cfg
Next startup saved-configuration file: cfcard:/ atn.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Step 6 Perform a CRC check on the system software to be loaded at the next startup.
<HUAWEI>check system-software NetEngine8000-M8M14-V800R012C00SPC300.cc
Caution!!! Confirm to check startup file! Continue? [Y/N]:y
Info: Prepare to check system software cfcard:/NetEngine8000-M8M14-V800R012C00SPC300.cc, please wait..........
Info: The SHA256 hash value of the system software is a5b1a9d545131690c4a706ca568a38144e7fb70c97fbea3547ed965d4524629b.
Info: System software signature check passed!
----End
Step 2 Run the display rollback information command in the user view to check the version
rollback information.
<HUAWEI>display rollback information
--------------------------------------------------------------------------------
software package: cfcard:/NetEngine8000-M8M14-V800R012C00SPC300.cc
config file: cfcard:/vrpcfg.zip
patch file: cfcard:/patch.pat
rollback remaining time: 04:31:28
If no version rollback information is displayed, the source version does not support the rollback
command, or the system has been running for more than 48 hours continuously. In this situation, you can
perform the rollback using CMLs.
Step 3 Run the rollback command to roll back to the source version.
<HUAWEI>rollback
Checking rollback version information.....
Rollback software: cfcard:/NetEngine8000-M8M14-V800R012C00SPC300.cc
Rollback configuration: cfcard:/ vrpcfg.zip
Rollback patch: cfcard:/patch.pat
The system will rollback to the previous version, the current configuration will
be lost.
Continue?[Y/N]
Please select [Y/N]:y
----End
After the rollback command is run, the ATN device will check the validity of the source version,
configuration file, and patch file (if patches are running before the upgrade). If the check fails, the
rollback cannot be performed. You can roll back only to the source version through CMLs.
Follow-up Procedure
Reload the backup configuration files to the CF card after the rollback is complete.
The version rollback verification procedure provided here lists only key check items. For detailed
operating instructions, see the chapters pertaining to version rollback in the upgrade guide.
Procedure
Step 1 Run the display startup command to check the system software.
Check whether the target version software is used to start the device.
Step 2 Run the display current-configuration command to check whether the configuration file
rollback is successful.
Step 3 Check whether the configuration file is the same as the configured one.
----End
Expected Results
The device version is the source version.
The device works properly, and all services are normal.
7 Troubleshooting
The NetEngine 8000 M14 usually does not support automatic EPLD upgrade, but the EPLD
can be upgraded separately using the test bus.
1. On a device with dual main control boards, the EPLD of the master main control board
cannot be upgraded directly. If you must upgrade the EPLD of the master main control
board, first perform a master/slave main control board switchover and then upgrade the
EPLD on what is now the slave main control board.
2. For a device with a single main control board, the EPLD of the main control board can
be directly upgraded. Before an upgrade, the system displays a message indicating that
an upgrade risk exists. Remove the risk and confirm that the upgrade will not be affected
before performing the upgrade.
Precautions for the upgrade:
1. Before the upgrade, save the configurations of a board to be upgraded.
2. During the upgrade, do not remove or insert any board or power off the device.
Otherwise, the device may become abnormal and cannot be restored.
If the boards register successfully but Huawei technical support engineers confirm that the firmware of a
board is abnormal, use the following method to upgrade the EPLD of the involved board.
Run the upgrade ipu by-testbus slotid { startup | file-name } upgradeType boardType
command in the diagnostic view to upgrade the EPLD of the board in a specified slot.
After the preceding operations are complete, the upgraded board automatically resets and does
not save the board configuration. Ensure that the corresponding configuration has been saved
before performing the following operations:
[~HUAWEI-diagnose]upgrade ipu by-testbus 15 startup ipu-epld ?
cpua CPUA BOARD
ipu2ta IPU2TA BOARD
[~HUAWEI-diagnose]upgrade ipu by-testbus 15 startup ipu-epld cpua
Info: Prepare to check system software cfcard:/NetEngine8000-M8-M14_V800R022C00SPC600.cc.
Info: System software signature check passed!
Warning: This command may affect operation by wrong use, please carefully use
it with HUAWEI engineer's direction. Are you sure to do this operation? [Y/N]:
This command is used to upgrade the EPLD of a board whose firmware is not running
properly. (In this example, the slot ID is 15. Enter the slot ID based on the actual situation.)
Background
In V800R021C00SPC100 and later versions, the default account and SSH/SNMP all port
listening configuration are removed from the default configuration file of the device (only
management network port listening is retained), but the functions of first login and password
change upon the first login are added. In addition, weak algorithms are removed, and DTLS
data channel encryption is used by default in transmission mode. The removed configurations
are stored in the default-custom.defcfg file. You can tailor and load the file as needed.
Activate the pre-configuration file after the upgrade. The detailed changes are as follows:
1. The default account and SNMP/SSH all port listening configurations are removed from
the default configuration file. By default, only SSH login through the management
network port or login through the serial port is supported. In addition, the first-login
process is triggered upon the first login, requiring you to create a username and
password. Note that the first-login process is disabled during SSH login if the process
has been triggered during serial port login.
Table columns: Security Hardening / Configuration Removed from the Default Configuration File / Configuration Added to or Retained in the Default Configuration File
Security Hardening: Default account
Configuration Removed from the Default Configuration File:
#
aaa
local-user root password irreversible-cipher $1c$]f(3Q<j7uS$!0!)8@e`\+lj]vQx\2l&y-$M(|\n_ERFU_BF$!6X$
local-user root service-type ssh
local-user root level 15
local-user root expire 2000-01-01
#
ssh user root
ssh user root authentication-type password
ssh user root service-type stelnet snetconf
ssh server-source all-interface
2. By default, the function of requiring a new user to change the password upon the first
login is enabled; however, this function is disabled in upgrade scenarios. To enable this
function, run the undo user-password password-force-change disable command in the
AAA view.
3. Weak algorithms are removed from the default.cfg file. If SSH-based login is used,
ensure that the login tool supports the security algorithms in the default configuration
file.
Table columns: Security Hardening / Configuration Removed from the Default Configuration File / Configuration Added to or Retained in the Default Configuration File
Weak ssh server key-exchange ssh server key-exchange
algorithm dh_group_exchange_sha256 dh_group_exchange_sha256
dh_group_exchange_sha1
dh_group14_sha1 ecdh_sha2_nistp256
ecdh_sha2_nistp384 ecdh_sha2_nistp521
ssh server publickey ecc rsa rsa_sha2_256 ssh server publickey
rsa_sha2_512 rsa_sha2_256 rsa_sha2_512
ssh client key-exchange ssh client key-exchange
dh_group_exchange_sha256 dh_group_exchange_sha256
dh_group_exchange_sha1
dh_group14_sha1 ecdh_sha2_nistp256
ecdh_sha2_nistp384 ecdh_sha2_nistp521
ssh client publickey ecc rsa rsa_sha2_256 ssh client publickey
rsa_sha2_512 rsa_sha2_256 rsa_sha2_512
Enabling #
the DCN dtls policy qx_dtls_client
DTLS
encryptio #
The dcn security-mode enable command takes effect only in the default.cfg or *.defcfg
default configuration file. This command cannot be run by a user, and no configuration
information is generated for it.
The dcn security-mode enable command automatically generates the bind client dtls-
policy qx_dtls_client command in the DCN view if a DTLS policy named qx_dtls_client
exists.
To disable the DTLS encryption channel of DCN, run the undo bind client dtls-policy
command in the DCN view.
Before running the reset saved-configuration command or pressing the reset button to clear the
configuration, check whether the .defcfg file is configured.
If the default behavior of the device needs to be the same as the previous one, you can run the
startup default-configuration configuration-file command to specify the customized defcfg file
during the production of a new device.
You can also customize the .defcfg file for a live-network device when it is upgraded to
V800R021C00SPC100 or later. If you add the preceding removed configurations to the
customized .defcfg file, the device retains the same default configuration restoration behavior as that
in the earlier version. For details, see the following operations.
If a device is downgraded to a version earlier than V800R021C00SPC100, delete the default
configuration file or load the defcfg file customized for the source version.
Procedure
Step 1 Run the display ha component running-state | include CFG9 command to check the ID of
the process where the CFG component resides. The value in the PID column indicates the ID
of the process where the CFG component resides.
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose] display ha component running-state | include CFG9
Info: It will take a long time if the content you search is too much or the string
you input is too long, you can press CTRL_C to break.
--------------------------------------------------------------------------------
NAME CID PID Type Version Board
Process State
--------------------------------------------------------------------------------
CFG9 0x80CB000C 0xCB0009 0xCB 1.2.103 17
3 PRIMARY
--------------------------------------------------------------------------------
Step 2 Run the display cmf-info file debug-info process locationId command to check whether the
device has a default configuration file.
Here, locationId specifies the process ID of the CFG component. For example:
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose] display cmf-info file debug-info process 3
Startup default-configuration file summary info :
Setting state : true
File size : 8751
If the value of Setting state is true, the device has a default configuration file.
If no command output is displayed, the device does not have a default configuration file. In
this case, perform Step 3 to configure a default configuration file.
Step 3 Configure the .defcfg file.
1. Create a configuration file with the file name extension .defcfg.
2. For details about the content in the .defcfg file, see the following examples:
!Router function begin
#
undo crypto weak-algorithm disable
#
aaa
 local-user root password irreversible-cipher $1c$]f(3Q<j7uS$!0!)8@e`\+lj]vQx\2l&y-$M(|\n_ERFU_BF$!6X$
 local-user root service-type ssh
 local-user root user-group manage-ug
 local-user root expire 2000-01-01
 user-password password-force-change disable
#
snmp-agent protocol source-status all-interface
#
stelnet server enable
snetconf server enable
ssh user root
ssh user root authentication-type password
ssh user root service-type stelnet snetconf
ssh server-source all-interface
ssh ipv6 server-source all-interface
#
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh server publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
return
!Router function end
----End
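A pre-deployment check for a customized .defcfg file, as an added example that is not part of the original guide: it lists every line that departs from the hardened defaults, so that each rollback is a reviewed decision rather than a copied block. The hardened algorithm sets are an assumption read from the "Added to or Retained" column of the table above; audit_defcfg and the sample file are constructed for illustration.

```python
import re

# Assumption: hardened defaults as listed in the "Added to or Retained" column.
HARDENED_ALGS = {
    "key-exchange": {"dh_group_exchange_sha256"},
    "publickey": {"rsa_sha2_256", "rsa_sha2_512"},
}
# Commands from the guide's compatibility .defcfg that undo a hardened default.
ROLLBACK_COMMANDS = {
    "undo crypto weak-algorithm disable": "weak algorithms re-enabled",
    "user-password password-force-change disable": "first-login password change not enforced",
    "ssh server-source all-interface": "SSH server bound to all IPv4 interfaces",
    "ssh ipv6 server-source all-interface": "SSH server bound to all IPv6 interfaces",
}
ALG_LINE = re.compile(r"^ssh (server|client) (key-exchange|publickey) (.+)$")
LOCAL_USER = re.compile(r"^local-user (\S+) password irreversible-cipher\b")

# Constructed sample; the cipher text is a placeholder, not a real hash.
SAMPLE_DEFCFG = """\
#
undo crypto weak-algorithm disable
#
aaa
 local-user root password irreversible-cipher <PLACEHOLDER-CIPHER>
 user-password password-force-change disable
#
ssh server-source all-interface
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
"""

def audit_defcfg(text):
    """Return (line_no, command, reason) for each line that departs from the hardened defaults."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        cmd = " ".join(raw.split())  # normalise indentation and spacing
        user, alg = LOCAL_USER.match(cmd), ALG_LINE.match(cmd)
        if cmd in ROLLBACK_COMMANDS:
            findings.append((line_no, cmd, ROLLBACK_COMMANDS[cmd]))
        elif user:  # report the account name, never echo the stored cipher text
            findings.append((line_no, f"local-user {user.group(1)}", "preset local account"))
        elif alg:
            role, kind, algs = alg.groups()
            extra = [a for a in algs.split() if a not in HARDENED_ALGS[kind]]
            if extra:
                findings.append((line_no, f"ssh {role} {kind}", "not in hardened default: " + " ".join(extra)))
    return findings

if __name__ == "__main__":
    for line_no, cmd, reason in audit_defcfg(SAMPLE_DEFCFG):
        print(f"line {line_no}: {cmd}: {reason}")
```

The check expects one command per line, so join any algorithm list that wrapped when it was copied out of a document.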
A Uploading/Downloading Files
The system software to be downloaded must have been saved in the file directory of the TFTP server.
On the router, run the tftp ip-address get source-filename [ destination-filename ]
command to download the system software from the PC.
<HUAWEI>tftp X.X.X.X get NetEngine8000-M8-M14_V800R022C00SPC600.cc
Transfer file in binary mode.
Now begin to download file from remote tftp server, please wait for a
while...
|
TFTP: 171900428 bytes received in 303 seconds.
File downloaded successfully.
Run the ftp ip-address command on the router to set up an FTP connection with the PC
and enter the FTP client view.
<HUAWEI>ftp X.X.X.X
Trying X.X.X.X ...
Press CTRL+K to abort
Connected to X.X.X.X.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(X.X.X.X:(none)):huawei
331 Give me your password, please
Password: ***
230 Logged in successfully
3. Download the router's system software.
Run the get source-filename [ destination-filename ] command in the FTP client view to
download the router's system software from the PC. After the download is complete, run
the bye command or quit command to terminate the FTP connection and return to the
user view.
[ftp]get NetEngine8000-M8-M14_V800R022C00SPC600.cc
200 PORT command okay
150 "C:\ NetEngine8000-M8-M14_V800R022C00SPC600.cc " file ready to send
(171900428 bytes) in ASCII mode
226 Transfer finished successfully.
FTP: 171900428 byte(s) received in 147.816 second(s) 89.80Kbyte(s)/sec.
[ftp] bye
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
The SSH user can be authenticated in six modes: password, RSA, password-RSA, DSA, password-DSA,
and all.
When the SSH user adopts the password, password-DSA, or password-RSA authentication mode,
configure a local user with the same name.
When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication
mode, the server should save the RSA or DSA public key for the SSH client.
− Configure the VTY user interface.
[SSH Server]user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
− Create Client001 for the SSH user.
Create an SSH user with the name Client001. The authentication mode is password.
The following provides an example of how to create a local key pair on an NE40E that functions as an
SFTP client. If your client is not an NE40E, see the corresponding usage guide of your client.
a. Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
b. View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2018/09/30
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2018/09/30
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
c. Send the RSA public key generated on the client to the server.
[SSH Server]rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end"
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end"
[SSH Server-rsa-key-code]3047
[SSH Server-rsa-key-code]0240
[SSH Server-rsa-key-code]BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code]203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code]EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code]1D7E3E1B
[SSH Server-rsa-key-code]0203
[SSH Server-rsa-key-code]010001
[SSH Server-rsa-key-code]public-key-code end
[SSH Server-rsa-public-key]peer-public-key end
4. Bind the RSA public key of the SSH client to the SSH user Client002.
[SSH Server]ssh user client002 assign rsa-key RsaKey001
5. Enable the STelnet service on the SSH server.
[SSH Server]sftp server enable
6. Configure the service type and authorized directory of the SSH user.
Two SSH users are configured on the SSH server, namely, Client001 and Client002. The
password authentication mode is configured for Client001 and the RSA authentication
mode is configured for Client002.
[SSH Server]ssh user client001 service-type sftp
[SSH Server]ssh user client001 sftp-directory cfcard
[SSH Server]ssh user client002 service-type sftp
[SSH Server]ssh user client002 sftp-directory cfcard
You are advised not to use the device as an SFTP server for a long time. To use the device as
an SFTP server temporarily, apply for authorization from the customer. After the SFTP server
function is used, delete the SFTP account and disable the function in a timely manner.
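Decoding the Key code before it is typed into the rsa peer-public-key view, as an added example that is not part of the original guide: it reads the hex as a DER SEQUENCE of modulus and exponent, reports the modulus size, and rebuilds the OpenSSH line so that it can be compared with what the client printed. The function names are illustrative; HOST_KEY_CODE is the client002_Host key code shown above.

```python
import base64
import struct

# client002_Host "Key code" as printed by display rsa local-key-pair public above.
HOST_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""

def read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("key code is truncated")
    return buf[pos:pos + length], pos + length

def parse_key_code(key_code):
    """Return (modulus, exponent) from the hex key code, ignoring its whitespace."""
    der = bytes.fromhex("".join(key_code.split()))
    body, end = read_tlv(der, 0, 0x30)  # SEQUENCE
    if end != len(der):
        raise ValueError("trailing data after the key")
    n_bytes, pos = read_tlv(body, 0, 0x02)  # INTEGER modulus
    e_bytes, _ = read_tlv(body, pos, 0x02)  # INTEGER public exponent
    # The sample modulus starts with 0xBF and has no 0x00 sign byte, so read unsigned.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def ssh_mpint(value):
    """Encode an SSH mpint; a value with its top bit set gets a leading 0x00."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def openssh_line(n, e, comment="rsa-key"):
    """Build the authorized_keys form: string "ssh-rsa", mpint e, mpint n."""
    name = b"ssh-rsa"
    blob = struct.pack(">I", len(name)) + name + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    n, e = parse_key_code(HOST_KEY_CODE)
    print(f"modulus: {n.bit_length()} bits, exponent: {e}")
    print(openssh_line(n, e))
```

For the client002_Host key above this reports a 512-bit modulus and reproduces the ssh-rsa line from the display output, which confirms that the pasted hex and the OpenSSH form describe the same key.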
<HUAWEI>system-view
[HUAWEI]sysname client002
[client002]ssh client first-time enable
Connect the STelnet client Client001 to the SSH server with the password authentication
mode.
[client001]sftp X.X.X.X
Please input the username:client001
Trying X.X.X.X ...
Press CTRL+K to abort
Connected to X.X.X.X.
sftp-client>
Connect the STelnet client Client002 to the SSH server with the RSA authentication mode.
When the SSH user adopts the RSA authentication mode, the server should save the RSA or DSA public
key for the SSH client. For configuration details, see Using a Router as an SFTP Server.
[client002]sftp X.X.X.X
Please input the username: client002
Trying X.X.X.X ...
Press CTRL+K to abort
Connected to X.X.X.X.
sftp-client>
For the memory usages of the NetEngine 8000 M series products in V800R022C00SPC600
with empty configuration of all service boards and main control boards, see the Release Notes
of the corresponding product.
When you use a serial cable to connect the serial interface on a PC to the console interface on
the IPU while the IPU is starting, the following message is displayed:
boot from area 0
Build at 21:30:20 on Jan 7 2020
Totem_PLL: 1600 MHz, Nimbus_PLL: 2000 MHz
Totem B Cluster L1/L2 Cache Mbist OK
Reset times is 7
Single-Processor Single-Core Serial Execute Memory Init
[S0][GetDimmSpdData]
[ResetAllSlaveCore][12733]Single-P Single-C of serial execute memory training.
DDR three step test success
BTFL(area=0 start_flag=1)
BTFL(area=0 unsuccess_times=0)
BTFL(area=0 mainflash=0)
BTFL(area=0 os_unsuccess_times=0)
BTFL(area=0 os_boot_area=0)
[next_gen_mtd_get_file:518] file->flash_addr
[next_gen_mtd_get_file:531] Load uefi from mtd(0x0) area0
[next_gen_mtd_get_file:542] Read uefi, len=0x5326D8 ...
uefi signature check pass!
BTFL(area=0 media=0)
BTFL(area=0 start_flag=1)
BTFL(area=0 unsuccess_times=0)
BTFL(area=0 mainflash=0)
BTFL(area=0 os_unsuccess_times=1)
BTFL(area=0 os_boot_area=0)
[next_gen_mtd_get_file:531] Load os_pkg from mtd(0xC00000) area0
[next_gen_mtd_get_file:542] Read os_pkg, len=0x20D6F98 ...
os_pkg signature check pass!
Use eth2 as default
EFI stub: Booting Linux Kernel...
EFI stub: EFI_RNG_PROTOCOL unavailable, no randomness supplied
EFI stub: Generating empty DTB
Failed to handle fs_proto
EFI stub: ERROR: Failed initrd from command line!
EFI stub: Exiting boot services and installing virtual address map...
[ 5.277309] rtc-efi rtc-efi: can't read time
[ 5.330489] rtc-efi rtc-efi: can't read time
[ 5.381555] rtc-efi rtc-efi: hctosys: unable to read the hardware clock
[ 5.462293] **** Total Boot time: 5462 ms, uncompress initrd cost 3863 ms ****
SELinux: Could not open policy file <= /etc/selinux/standard/policy/policy.30: No
such file or directory
[ 5.677156] systemd[1]: Failed to find module 'autofs4'
[ OK ] Started PSSP SEVICE.
Press Ctrl+R to enter the Recovery mode and restore factory configurations.
BootLoad Menu
When you use a serial cable to connect the serial interface on a PC to the console interface on
the IPU while the IPU is starting, the following message is displayed:
Press Ctrl+B to enter bootload Menu...
Press Ctrl+B to enter the BootLoad menu. The BootLoad menu is used when you want to
upgrade the system software package, modify the system type, and set the board startup
parameters using TFTP or FTP on an Ethernet interface. If the system fails to restart due to a
hardware or software failure on a board, the BootLoad menu can be used to restore it.
Message
When you use a serial cable to connect the serial interface on a PC to the console interface on
the IPU while the IPU is starting, the following message is displayed:
Press CTRL+B to enter BOOT menu: 3
Entering a Password
Password:
No preset passwords are required for the BootLoad and BootROM. Setting passwords for them is
necessary to prevent security risks.
The new password must be a string of 6 to 255 characters that contain at least two of the following:
uppercase letters, lowercase letters, digits, and special characters. The password cannot contain
question marks (?) or spaces.
1. Default startup
2. Ethernet submenu
3. Startup parameters submenu
4. List file
5. Password manager submenu
6. Reboot
Choose 2 from the BootLoad menu to enter the Ethernet interface submenu for the
configuration during the system software upgrade.
Ethernet submenu
1. Update software
2. Display parameters
3. Modify parameters
0. Return
In the boot phase, FTP is used to load the small system of the system software header.
Therefore, when using the BootLoad menu to upgrade the system software, you must use the
FTP tool and specify the path.
1. Load the system software through the Ethernet interface and start the system
Enter 1 in the Ethernet interface submenu to load the system software through the
Ethernet interface and start the system for version upgrade.
2. Display Ethernet interface parameter settings
Enter 2 in the Ethernet interface submenu to display Ethernet interface parameters.
3. Modify Ethernet interface loading parameters
Enter 3 in the Ethernet interface submenu to access Ethernet interface settings. Before
the upgrade, you must set the Ethernet interface loading parameters.
NOTE:
Net type define:
0(SFTP) 1(FTP) 2(TFTP)
Please check network parameters:
ENTER = no change; '.' = clear; Ctrl+C = quit
FTP type(0:SFTP 1:FTP 2:TFTP) : 1 -
Server IP address : X.X.X.X -
Local IP address : X.X.X.X -
Local IP mask : X.X.X.X -
FTP username :
FTP password :
1. Default startup
2. Ethernet submenu
3. Startup parameters submenu
4. List file
5. Password manager submenu
6. Reboot
Old password:
Old password:
New password:
Confirm password:
The entered confirm password does not match the password.
New password:
Confirm password:
E Upgrade Record
I
IPU Integrated Network Processing Unit