Configuration Guide - Basic Configurations(V600R003C00_01)

HUAWEI CX600 Metro Services PlatformV600R003C00

Configuration Guide - BasicConfigurations

Issue 01

Date 2011-05-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representationsof any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 01 (2011-05-30) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

i

http://www.huawei.com

mailto:[email protected]

About This Document

PurposeThis part describes the organization of this document, product version, intended audience,conventions, and Change history.

NOTE

l This document takes interface numbers and link types of the CX600-X8 as an example. In workingsituations, the actual interface numbers and link types may be different from those used in thisdocument.

l On CX600 series excluding CX600-X1 and CX600-X2, line processing boards are called LineProcessing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). Onthe CX600-X1 and CX600-X2, there are no LPUs and SFUs, and NPUs implement the same functionsof LPUs and SFUs to exchange and forward packets.

Intended AudienceThis document is intended for:

l Commissioning Engineer

l Data Configuration Engineer

l Network Monitoring Engineer

l System Maintenance Engineer

Symbol ConventionsThe symbols that may be found in this document are defined as follows.

Symbol Description

DANGERAlerts you to a high risk hazard that could, if not avoided,result in serious injury or death.

WARNINGAlerts you to a medium or low risk hazard that could, ifnot avoided, result in moderate or minor injury.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations About This Document


iii

Symbol Description

CAUTIONAlerts you to a potentially hazardous situation that could,if not avoided, result in equipment damage, data loss,performance deterioration, or unanticipated results.

TIP Provides a tip that may help you solve a problem or savetime.

NOTE Provides additional information to emphasize orsupplement important points in the main text.

Change HistoryChanges between document issues are cumulative. The latest document issue contains all thechanges made in earlier issues.

Changes in Issue 01 (2011-05-30)Initial commercial release.

About This DocumentHUAWEI CX600 Metro Services Platform

Configuration Guide - Basic Configurations

iv Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

Contents

About This Document...................................................................................................................iii

1 Logging In to the System for the First Time.........................................................................1-11.1 Introduction to Log In to the Device for the First Time..................................................................................1-21.2 Logging In to the Device Through the Console Port......................................................................................1-2

1.2.1 Establishing the Configuration Task......................................................................................................1-31.2.2 Establishing the Physical Connection....................................................................................................1-31.2.3 Logging in to the CX device..................................................................................................................1-4

1.3 Logging In to the CX device That Supports the Plug-and-Play Function......................................................1-6

2 CLI Overview..............................................................................................................................2-12.1 CLI Introduction..............................................................................................................................................2-2

2.1.1 Command Line Interface........................................................................................................................2-22.1.2 Command Levels....................................................................................................................................2-32.1.3 Command Line Views............................................................................................................................2-4

2.2 Online Help.....................................................................................................................................................2-42.2.1 Full Help.................................................................................................................................................2-52.2.2 Partial Help.............................................................................................................................................2-52.2.3 Error Messages of the Command Line Interface....................................................................................2-6

2.3 CLI Features....................................................................................................................................................2-62.3.1 Editing....................................................................................................................................................2-72.3.2 Displaying..............................................................................................................................................2-82.3.3 Regular Expressions...............................................................................................................................2-82.3.4 Previously-Used Commands................................................................................................................2-112.3.5 Batch Command Execution..................................................................................................................2-12

2.4 Shortcut Keys................................................................................................................................................2-132.4.1 Classifying Shortcut Keys....................................................................................................................2-132.4.2 Defining Shortcut Keys........................................................................................................................2-152.4.3 Use of Shortcut Keys............................................................................................................................2-15

2.5 Configuration Examples................................................................................................................................2-162.5.1 Example for Running Commands in Batches......................................................................................2-162.5.2 Example for Using Tab........................................................................................................................2-172.5.3 Example for Using Shortcut Keys........................................................................................................2-182.5.4 Example for Copying Commands Using Shortcut Keys......................................................................2-19

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations Contents


v

3 Basic Configuration...................................................................................................................3-13.1 Configuring the Basic System Environment...................................................................................................3-2

3.1.1 Establishing the Configuration Task......................................................................................................3-23.1.2 Switching the Language Mode...............................................................................................................3-33.1.3 Configuring the Equipment Name......................................................................................................... 3-33.1.4 Setting the System Clock....................................................................................................................... 3-43.1.5 Configuring a Header.............................................................................................................................3-53.1.6 Configuring Command Levels...............................................................................................................3-63.1.7 Configuring the Undo Command to Match in the Previous View Automatically.................................3-7

3.2 Displaying System Status Messages...............................................................................................................3-83.2.1 Displaying System Configuration..........................................................................................................3-83.2.2 Displaying System Status.......................................................................................................................3-93.2.3 Collecting System Diagnostic Information............................................................................................3-9

4 Configuring User Interface......................................................................................................4-14.1 User Interface Overview................................................................................................................................. 4-24.2 Configuring the Console User Interface..........................................................................................................4-4

4.2.1 Establishing the Configuration Task......................................................................................................4-44.2.2 Setting Physical Attributes of Console User Interface...........................................................................4-54.2.3 Setting Terminal Attributes of Console User Interface..........................................................................4-64.2.4 Configuring User Priority of Console User Interface............................................................................ 4-74.2.5 Configuring the User Authentication Mode of the Console User Interface...........................................4-84.2.6 Checking the Configuration...................................................................................................................4-9

4.3 Configuring the AUX User Interface............................................................................................................4-104.3.1 Establishing the Configuration Task....................................................................................................4-114.3.2 Setting Physical Attributes of AUX User Interface.............................................................................4-114.3.3 Setting Terminal Attributes of AUX User Interface............................................................................4-124.3.4 Setting User Priority of AUX User Interface.......................................................................................4-134.3.5 Setting Modem Attributes of AUX User Interface..............................................................................4-144.3.6 (Optional) Configuring Auto-Execute Commands of AUX User Interface.........................................4-154.3.7 Setting User Authentication Mode of AUX User Interface.................................................................4-164.3.8 Checking the Configuration.................................................................................................................4-17

4.4 Configuring VTY User Interface..................................................................................................................4-184.4.1 Establishing the Configuration Task....................................................................................................4-194.4.2 Configuring Maximum VTY User Interfaces......................................................................................4-194.4.3 (Optional)Setting Limit on Incoming and Outgoing Calls of VTY User Interfaces............................4-204.4.4 Setting Terminal Attributes of the VTY User Interface.......................................................................4-214.4.5 Setting User Priority of VTY User Interface........................................................................................4-224.4.6 Setting User Authentication Mode of the VTY User Interface............................................................4-234.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces....................................4-244.4.8 Checking the Configuration.................................................................................................................4-25

4.5 Configuration Examples................................................................................................................................4-274.5.1 Example for Configuring Console User Interface................................................................................4-27

ContentsHUAWEI CX600 Metro Services Platform


vi Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

4.5.2 Example for Configuring AUX User Interface....................................................................................4-294.5.3 Example for Configuring VTY User Interface.....................................................................................4-31

5 Configuring User Login............................................................................................................5-15.1 Overview of User Login..................................................................................................................................5-35.2 Logging in to the Devices Through the Console Port.....................................................................................5-3

5.2.1 Establishing the Configuration Task......................................................................................................5-45.2.2 Configuring Console User Interface......................................................................................................5-45.2.3 Logging in to the CX device Through a Console Port...........................................................................5-55.2.4 Checking the Configuration...................................................................................................................5-5

5.3 Logging in to the Devices Through the AUX Port.........................................................................................5-65.3.1 Establishing the Configuration Task......................................................................................................5-65.3.2 Configuring AUX User Interface...........................................................................................................5-85.3.3 Logging in to the CX deviceThrough an AUX Port..............................................................................5-85.3.4 Checking the Configuration.................................................................................................................5-11

5.4 Logging in to the Devices by Using Telnet...................................................................................................5-125.4.1 Establishing the Configuration Task....................................................................................................5-135.4.2 Configuring VTY User Interface.........................................................................................................5-145.4.3 (Optional) Configuring Local Telnet Users.........................................................................................5-145.4.4 Enabling the Telnet Service.................................................................................................................5-155.4.5 (Optional) Configuring Listening Port Number for Telnet Server.......................................................5-155.4.6 Logging in to the CX device by Using Telnet.....................................................................................5-165.4.7 Checking the Configuration.................................................................................................................5-17

5.5 Logging in to the Devices by Using STelnet................................................................................................5-185.5.1 Establishing the Configuration Task....................................................................................................5-195.5.2 Configuring VTY User Interface.........................................................................................................5-195.5.3 Configuring SSH for the VTY User Interface.....................................................................................5-205.5.4 Configuring an SSH User and Specifying STelnet as One of Service Types......................................5-215.5.5 Enabling the STelnet Server Function.................................................................................................5-235.5.6 (Optional) Configuring the STelnet Server Parameters.......................................................................5-245.5.7 Logging in to the CX device by Using STelnet...................................................................................5-255.5.8 Checking the Configuration.................................................................................................................5-26

5.6 Common Operations After Login.................................................................................................................5-275.6.1 Establishing the Configuration Task....................................................................................................5-285.6.2 Switching User Levels.........................................................................................................................5-285.6.3 Locking User Interfaces.......................................................................................................................5-305.6.4 Sending Messages to Other User Interfaces.........................................................................................5-305.6.5 Displaying Logged-in Users.................................................................................................................5-305.6.6 Clearing Logged-in Users....................................................................................................................5-315.6.7 Configuring Configuration Locking.....................................................................................................5-31

5.7 Configuration Examples................................................................................................................................5-325.7.1 Example for Configuring User Login Through a Console Port...........................................................5-325.7.2 Example for Logging In Through the AUX Port.................................................................................5-35



vii

5.7.3 Example for Configuring User Login by Using Telnet........................................................................5-365.7.4 Example for Configuring User Login by Using STelnet.....................................................................5-40

6 Managing File System...............................................................................................................6-16.1 File System Overview.....................................................................................................................................6-2

6.1.1 File System.............................................................................................................................................6-26.1.2 Methods of File Management................................................................................................................6-2

6.2 Performing File Operations by Means of the File System..............................................................................6-36.2.1 Establishing the Configuration Task......................................................................................................6-36.2.2 Managing Storage Devices.....................................................................................................................6-46.2.3 Managing the Directory.........................................................................................................................6-56.2.4 Managing Files.......................................................................................................................................6-5

6.3 Performing File Operations by Means of FTP................................................................................................6-86.3.1 Establishing the Configuration Task......................................................................................................6-86.3.2 Configuring a Local FTP User...............................................................................................................6-96.3.3 (Optional) Specifying a Port Number for the FTP Server...................................................................6-106.3.4 Enabling the FTP Server......................................................................................................................6-116.3.5 (Optional) Configuring the FTP Server Parameters.............................................................................6-116.3.6 (Optional) Configuring an FTP ACL...................................................................................................6-126.3.7 Accessing the System by Using FTP...................................................................................................6-136.3.8 Performing File Operations by Using FTP Commands.......................................................................6-146.3.9 Checking the Configuration.................................................................................................................6-16

6.4 Performing File Operations by Means of SFTP............................................................................................6-166.4.1 Establishing the Configuration Task....................................................................................................6-176.4.2 Configuring VTY User Interface.........................................................................................................6-186.4.3 Configuring SSH for the VTY User Interface.....................................................................................6-186.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types.........................................6-196.4.5 Enabling the SFTP Service..................................................................................................................6-226.4.6 (Optional) Configuring the STelnet Server Parameters.......................................................................6-226.4.7 Accessing the System by Using SFTP.................................................................................................6-236.4.8 Performing File Operations by Using SFTP........................................................................................6-256.4.9 Checking the Configuration.................................................................................................................6-26

6.5 Performing File Operations by Means of Xmodem......................................................................................6-276.5.1 Establishing the Configuration Task....................................................................................................6-276.5.2 Getting a File Through Xmodem.........................................................................................................6-28

6.6 Configuration Examples................................................................................................................................6-286.6.1 Example for Performing File Operations by Means of the File System..............................................6-296.6.2 Example for Performing File Operations by Means of FTP................................................................6-306.6.3 Example for Performing File Operations by Means of SFTP..............................................................6-336.6.4 Example for Performing File Operations by Means of Xmodem........................................................6-35

7 Configuring System Startup....................................................................................................7-17.1 System Startup Overview................................................................................................................................7-2

7.1.1 System Software.....................................................................................................................................7-2



viii Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

7.1.2 Configuration Files.................................................................................................................................7-27.1.3 Configuration Files and Current Configurations....................................................................................7-2

7.2 Managing Configuration Files........................................................................................................................ 7-37.2.1 Establishing the Configuration Task......................................................................................................7-47.2.2 Saving Configuration Files.....................................................................................................................7-47.2.3 Clearing a Configuration File.................................................................................................................7-67.2.4 Comparing Configuration Files..............................................................................................................7-77.2.5 Checking the Configuration...................................................................................................................7-7

7.3 Specifying a File for System Startup...............................................................................................................7-87.3.1 Establishing the Configuration Task......................................................................................................7-97.3.2 Configuring System Software for a CX device to Load for the Next Startup........................................7-97.3.3 Configuring the Configuration File for CX- to Load for the Next Startup..........................................7-107.3.4 Checking the Configuration.................................................................................................................7-10

7.4 Configuration Examples................................................................................................................................7-117.4.1 Example for Configuring System Startup............................................................................................7-11

8 Accessing Another Device........................................................................................................8-18.1 Accessing Another Device..............................................................................................................................8-3

8.1.1 Telnet Method........................................................................................................................................8-38.1.2 FTP Method............................................................................................................................................8-58.1.3 TFTP Method.........................................................................................................................................8-68.1.4 SSH Method...........................................................................................................................................8-6

8.2 Logging in to Other Devices by Using Telnet................................................................................................ 8-78.2.1 Establishing the Configuration Task......................................................................................................8-88.2.2 (Optional) Configuring a Source IP Address for an Telnet Client.........................................................8-98.2.3 Logging in to Another Device by Using Telnet.....................................................................................8-98.2.4 Checking the Configuration.................................................................................................................8-10

8.3 Connecting to Another Device by Using the Telnet Redirection Function..................................................8-108.3.1 Establishing the Configuration Task....................................................................................................8-118.3.2 Enabling the Telnet Redirection Function...........................................................................................8-128.3.3 Connecting Another Device by Using the Telnet Redirection Function..............................................8-128.3.4 Checking the Configuration.................................................................................................................8-13

8.4 Logging in to Another Device by Using STelnet..........................................................................................8-138.4.1 Establishing the Configuration Task....................................................................................................8-148.4.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication onthe SSH Client)..............................................................................................................................................8-158.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSHServer)...........................................................................................................................................................8-168.4.4 Logging in to Another Device by Using STelnet.................................................................................8-178.4.5 Checking the configuration..................................................................................................................8-18

8.5 Accessing Files on Another Device by Using TFTP....................................................................................8-188.5.1 Establishing the Configuration Task....................................................................................................8-198.5.2 (Optional) Configuring a Source IP Address for a TFTP Client..........................................................8-198.5.3 (Optional) Configuring TFTP Access Authority.................................................................................8-20



ix

8.5.4 Downloading Files by Using TFTP.....................................................................................................8-218.5.5 Uploading Files by Using TFTP..........................................................................................................8-218.5.6 Checking the Configuration.................................................................................................................8-21

8.6 Accessing Files on Another Device by Using FTP.......................................................................................8-228.6.1 Establishing the Configuration Task....................................................................................................8-238.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client.......................................8-238.6.3 Connecting to Other Devices by Using FTP Commands.....................................................................8-248.6.4 Operating Files by Using FTP Commands..........................................................................................8-258.6.5 Changing Login Users..........................................................................................................................8-278.6.6 Disconnecting from the FTP Server.....................................................................................................8-288.6.7 Checking the Configuration.................................................................................................................8-28

8.7 Accessing Files on Another Device by Using SFTP.....................................................................................8-298.7.1 Establishing the Configuration Task....................................................................................................8-308.7.2 (Optional) Configuring a Source IP Address for an SFTP Client........................................................8-308.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication onthe SSH Client)..............................................................................................................................................8-318.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSHServer)...........................................................................................................................................................8-328.7.5 Connecting to Other Devices by Using SFTP......................................................................................8-338.7.6 Operating Files by Using SFTP Commands........................................................................................8-348.7.7 Checking the Configuration.................................................................................................................8-35

8.8 Configuration Examples................................................................................................................................8-368.8.1 Example for Logging in to Another Device by Using Telnet..............................................................8-378.8.2 Example for Logging in to Another Device by Using the Telnet Redirection Function.....................8-398.8.3 Example for Logging in to Another Device by Using Telnet on a VPN.............................................8-418.8.4 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server.................8-438.8.5 Example for Accessing Files on Another Device by Using TFTP......................................................8-498.8.6 Example for Configuring the Access of the TFTP Server on the Public Network When the ManagementVPN Instance Is Used...................................................................................................................................8-518.8.7 Example for Accessing Files on Another Device by Using FTP.........................................................8-538.8.8 Example for Configuring the Access of the FTP Server on the Public Network When the ManagementVPN Instance Is Used...................................................................................................................................8-548.8.9 Example for Accessing Files on Another Device by Using SFTP.......................................................8-568.8.10 Example for Configuring the Access of the SFTP Server on the Public Network When the ManagementVPN Instance Is Used...................................................................................................................................8-628.8.11 Example for Accessing the SSH Server Through Other Port Numbers.............................................8-678.8.12 Example for an SSH Client in the Public Network to Access an SSH Server in the Private Network.......................................................................................................................................................................8-73

9 Clock Synchronization Configuration...................................................................................9-19.1 Introduction of Clock Synchronization Configuration....................................................................................9-2

9.1.1 Overview of Clock Synchronization Configuration...............................................................................9-29.1.2 Clock Synchronization Supported by the CX600..................................................................................9-2

9.2 Setting Basic Configurations for Clock Synchronization...............................................................................9-39.2.1 Establishing the Configuration Task......................................................................................................9-3



x Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

9.2.2 Setting Basic Configurations for Clock Synchronization......................................................................9-39.2.3 Checking the Configuration...................................................................................................................9-5

9.3 Configuring an External BITS Clock Source..................................................................................................9-59.3.1 Establishing the Configuration Task......................................................................................................9-59.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock.............................9-59.3.3 Configuring an External Clock Source and Its Signal Type on the CX device..................................... 9-69.3.4 Checking the Configuration...................................................................................................................9-6

9.4 Configuring a Clock Reference Source Manually or Forcibly........................................................................9-79.4.1 Establishing the Configuration Task......................................................................................................9-79.4.2 Configuring a Clock Reference Source..................................................................................................9-89.4.3 Checking the Configuration...................................................................................................................9-9

9.5 Configuring Clock Protection Switching Based on SSM Levels....................................................................9-99.5.1 Establishing the Configuration Task....................................................................................................9-109.5.2 Configuring the Router to Automatically Select Clock Sources..........................................................9-109.5.3 Enabling SSM......................................................................................................................................9-119.5.4 Configuring the SSM Level of the Clock Reference Source...............................................................9-119.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs.........................................9-129.5.6 Setting the Modes of Extracting SSM Levels......................................................................................9-129.5.7 Checking the Configuration.................................................................................................................9-13

9.6 Configuring Clock Protection Switching Based on Priorities.......................................................................9-149.6.1 Establishing the Configuration Task....................................................................................................9-149.6.2 Configuring the Router to Automatically Select Clock Sources..........................................................9-149.6.3 Disabling SSM.....................................................................................................................................9-159.6.4 Setting Priorities of Clock Reference Sources.....................................................................................9-159.6.5 Checking the Configuration.................................................................................................................9-16

9.7 Configuring Ethernet Clock Synchronization...............................................................................................9-169.7.1 Establishing the Configuration Task....................................................................................................9-179.7.2 Enabling Ethernet Clock Synchronization...........................................................................................9-189.7.3 Configuring Ethernet Clock Source.....................................................................................................9-189.7.4 Checking the Configuration.................................................................................................................9-19

9.8 Configuration Examples of Clock Synchronization......................................................................................9-199.8.1 Example for Configuring Protection Switchover of Clock Sources....................................................9-19

10 Device Maintenance..............................................................................................................10-110.1 Introduction of Device Maintenance...........................................................................................................10-3

10.1.1 Overview of Device Maintenance......................................................................................................10-310.1.2 Maintenance Features Supported by the CX600................................................................................10-3

10.2 Powering off the MPU................................................................................................................................10-310.2.1 Establishing the Configuration Task..................................................................................................10-410.2.2 Powering off the Slave MPU.............................................................................................................10-410.2.3 Checking the Configuration...............................................................................................................10-5

10.3 Powering off the SFU..................................................................................................................................10-610.3.1 Establishing the Configuration Task..................................................................................................10-6



xi

10.3.2 Powering off the SFU.........................................................................................................................10-710.3.3 Checking the Configuration...............................................................................................................10-7

10.4 Powering off the NPU.................................................................................................................................10-810.4.1 Establishing the Configuration Task..................................................................................................10-810.4.2 Powering off the NPU........................................................................................................................10-910.4.3 Checking the Configuration...............................................................................................................10-9

10.5 Powering off the LPU...............................................................................................................................10-1010.5.1 Establishing the Configuration Task................................................................................................10-1010.5.2 Powering off the LPU......................................................................................................................10-1110.5.3 Checking the Configuration.............................................................................................................10-11

10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s.................................10-1210.6.1 Establishing the Configuration Task................................................................................................10-1210.6.2 Restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s.........................10-1310.6.3 Checking the Configuration.............................................................................................................10-13

10.7 Switching Between the Operation Modes of the LPUF-10.......................................................................10-1410.7.1 Establishing the Configuration Task................................................................................................10-1410.7.2 Switching Between the Operation Modes of the LPUF-10..............................................................10-1510.7.3 Checking the Configuration.............................................................................................................10-16

10.8 Configuring the CMU...............................................................................................................................10-1610.8.1 Establishing the Configuration Task................................................................................................10-1610.8.2 Configuring Monitor Items for a CMU............................................................................................10-17

10.9 Configuring a Cleaning Cycle for the Air Filter.......................................................................................10-1810.9.1 Establishing the Configuration Task................................................................................................10-1810.9.2 Configuring a Cleaning Cycle for the Air Filter..............................................................................10-1810.9.3 Remonitoring the Cleaning Cycle of the Air Filter..........................................................................10-1910.9.4 Checking the Configuration.............................................................................................................10-19

10.10 Monitoring the Device Status..................................................................................................................10-2010.10.1 Displaying the System Version Information..................................................................................10-2110.10.2 Displaying Basic Information About the Router............................................................................10-2110.10.3 Displaying the Electronic Label.....................................................................................................10-2210.10.4 Displaying the Soft Boot Mode......................................................................................................10-2210.10.5 Displaying the Threshold of the Memory Usage...........................................................................10-2210.10.6 Displaying the Threshold of CPU Usage.......................................................................................10-2310.10.7 Displaying Alarm Information.......................................................................................................10-2310.10.8 Displaying the Board Temperature................................................................................................10-2410.10.9 Displaying the Board Voltage........................................................................................................10-2410.10.10 Displaying the Power Supply Status............................................................................................10-2510.10.11 Displaying Current Information About Boards............................................................................10-2510.10.12 Displaying Entironment Information About the Device..............................................................10-2510.10.13 Displaying the Fan Status.............................................................................................................10-2610.10.14 Displaying the Sequence Number of the MPU............................................................................10-2610.10.15 Displaying the Next Start Mode of the Board..............................................................................10-26



xii Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

10.10.16 Displaying the Number of the Registered SFUs By Default.......................................................10-2710.11 Board Maintence ....................................................................................................................................10-27

10.11.1 Resetting a Board...........................................................................................................................10-2810.11.2 Clearing the Maximum CPU Usage...............................................................................................10-28

10.12 Configuring NAP-based Remote Deployment........................................................................................10-2910.12.1 Establishing the Configuration Task..............................................................................................10-2910.12.2 Configuring and Starting the NAP Master Interface......................................................................10-3010.12.3 Remote Login.................................................................................................................................10-3210.12.4 Disabling NAP on the Slave Device..............................................................................................10-3210.12.5 Checking the Configuration...........................................................................................................10-33

10.13 Configuration Examples of the Device Maintenance..............................................................................10-3410.13.1 Example for Powering off the MPU..............................................................................................10-3510.13.2 Example for Powering off the SFU................................................................................................10-3610.13.3 Example for Powering off the LPU................................................................................................10-3710.13.4 Example for Configuring the Operation Mode of the LPUF-10....................................................10-3910.13.5 Example for Configuring NAP-based Remote Deployment in Automatic Mode..........................10-4010.13.6 Example for Configuring NAP-based Remote Deployment in Static Mode.................................10-41

11 Device Upgrading..................................................................................................................11-111.1 Overview of Device Upgrade......................................................................................................................11-211.2 Upgrade Modes Supported by the CX600..................................................................................................11-2

12 Patch Management.................................................................................................................12-112.1 Introduction of Patch Management.............................................................................................................12-2

12.1.1 Overview of Patch Management........................................................................................................12-212.1.2 Patches Supported by the CX600.......................................................................................................12-3

12.2 Checking the Running of Patch in the System............................................................................................12-412.2.1 Establishing the Configuration Task..................................................................................................12-512.2.2 Checking the Running of Patch in the System...................................................................................12-512.2.3 (Optional) Deleting a Patch................................................................................................................12-5

12.3 Loading a Patch...........................................................................................................................................12-612.3.1 Establishing the Configuration Task..................................................................................................12-612.3.2 Loading a Patch..................................................................................................................................12-712.3.3 Checking the Configuration...............................................................................................................12-7

12.4 Installing a Patch.........................................................................................................................................12-912.4.1 Establishing the Configuration Task..................................................................................................12-912.4.2 Loading a Patch................................................................................................................................12-1012.4.3 Activating a Patch............................................................................................................................12-1012.4.4 Running a Patch...............................................................................................................................12-1112.4.5 (Optional) Synchronizing Patches....................................................................................................12-1112.4.6 Checking the Configuration.............................................................................................................12-12

12.5 (Optional) Unactivating the activating of Patch........................................................................................12-1512.5.1 Establishing the Configuration Task................................................................................................12-1612.5.2 Deactivating a Patch.........................................................................................................................12-16



xiii

12.5.3 Checking the Configuration.............................................................................................................12-1612.6 Configuration Examples of the Patch Management..................................................................................12-17

12.6.1 Example for Installing a Patch.........................................................................................................12-17

A Glossary.....................................................................................................................................A-1

B Acronyms and Abbreviations.................................................................................................B-1



xiv Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

Figures

Figure 1-1 Connection creation............................................................................................................................1-4Figure 1-2 Interface setting .................................................................................................................................1-5Figure 1-3 Communication parameter setting .....................................................................................................1-5Figure 5-1 Networking diagram of remote login through an AUX port..............................................................5-7Figure 5-2 Connection creating............................................................................................................................5-8Figure 5-3 Dialing information setting.................................................................................................................5-9Figure 5-4 Remote connection with the CX device.............................................................................................5-9Figure 5-5 Connection attribute modification....................................................................................................5-10Figure 5-6 Communications parameters setting.................................................................................................5-11Figure 5-7 Networking diagram of user login through a console port...............................................................5-33Figure 5-8 Connection creation..........................................................................................................................5-33Figure 5-9 Interface setting................................................................................................................................5-34Figure 5-10 Communication parameter setting..................................................................................................5-34Figure 5-11 Networking diagram of logging in through the AUX port.............................................................5-35Figure 5-12 Networking diagram of user login by using Telnet........................................................................5-36Figure 5-13 Telnet login window on the PC......................................................................................................5-38Figure 5-14 Window after login of the CX device.............................................................................................5-39Figure 5-15 Networking diagram of configuring user login by using STelnet..................................................5-40Figure 6-1 Networking for performing file operations by using FTP................................................................6-30Figure 6-2 Logging in to the FTP Server...........................................................................................................6-31Figure 6-3 Performing file operations by means of FTP....................................................................................6-32Figure 6-4 Networking diagram for operating files by using SFTP...................................................................6-33Figure 6-5 Accessing Interface...........................................................................................................................6-34Figure 6-6 Specifying the file to be sent............................................................................................................6-36Figure 8-1 Networking diagram for accessing another device from the CX device............................................8-3Figure 8-2 Telnet client services..........................................................................................................................8-4Figure 8-3 Telnet redirection services..................................................................................................................8-4Figure 8-4 Usage of Telnet shortcut keys............................................................................................................8-5Figure 8-5 Networking diagram for accessing another device from the CX device that you have logged in to...............................................................................................................................................................................8-8Figure 8-6 Schematic diagram of redirecting the client login to another device by using Telnet.....................8-11Figure 8-7 Networking diagram for logging in to another device by using Telnet............................................8-37Figure 8-8 Networking of logging in to another device by using the Telnet redirection function.....................8-40Figure 8-9 Networking diagram for logging in to another device by using Telnet on a VPN...........................8-41

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations Figures


xv

Figure 8-10 Networking diagram for logging in to another device by Using STelnet.......................................8-43Figure 8-11 Networking diagram for accessing files on another device by using TFTP...................................8-49Figure 8-12 Setting the Base Directory of the TFTP server...............................................................................8-50Figure 8-13 Networking diagram of configuring the access of the TFTP server on the public network when themanagement VPN instance is used..................................................................................................................... 8-51Figure 8-14 Setting the Base Directory of the TFTP server...............................................................................8-52Figure 8-15 Networking diagram for accessing files on another device by using FTP.....................................8-53Figure 8-16 Networking diagram of configuring the access of the FTP server on the public network when themanagement VPN instance is used..................................................................................................................... 8-55Figure 8-17 Networking diagram for accessing files on another device by using SFTP...................................8-56Figure 8-18 Networking diagram of configuring the access of the SFTP server on the public network when themanagement VPN instance is used..................................................................................................................... 8-62Figure 8-19 Networking diagram of accessing the SSH server through other port numbers.............................8-68Figure 8-20 Networking diagram of configuring the SSH client in public network accessing the SSH server in theprivate network....................................................................................................................................................8-74Figure 9-1 Diagram of configuring the clock reference source manually............................................................9-8Figure 9-2 Networking diagram of applying Ethernet clock synchronization...................................................9-17Figure 9-3 Networking diagram of configuring clock source tracing................................................................9-20Figure 9-4 Networking diagram of the clock source tracing after the connection between the BITS clock sourceand CX- A is closed............................................................................................................................................ 9-24Figure 10-1 Networking diagram of configuring NAP-based remote deployment..........................................10-40Figure 10-2 Networking diagram of configuring NAP-based remote deployment..........................................10-41Figure 12-1 Conversion between the statuses of a patch................................................................................... 12-3Figure 12-2 Logical relationships between configuration tasks.........................................................................12-4Figure 12-3 Networking diagram of installing a patch....................................................................................12-17

FiguresHUAWEI CX600 Metro Services Platform


xvi Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

Tables

Table 2-1 Command line levels............................................................................................................................2-3Table 2-2 Common error messages of the command line....................................................................................2-6Table 2-3 Keys for editing....................................................................................................................................2-7Table 2-4 Keys for displaying..............................................................................................................................2-8Table 2-5 Description of particular characters.....................................................................................................2-9Table 2-6 Access the previously-used commands..............................................................................................2-12Table 2-7 System-defined shortcut keys............................................................................................................2-14Table 4-1 Example for the absolute numbering...................................................................................................4-3Table 5-1 User login modes..................................................................................................................................5-3Table 6-1 File management methods....................................................................................................................6-3Table 9-1 Clock sources of all CX device and the priorities..............................................................................9-20Table 12-1 Patch states.......................................................................................................................................12-2

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations Tables


xvii

1 Logging In to the System for the First Time

About This Chapter

Users can log in to a new CX device through the console port to configure the CX device.

1.1 Introduction to Log In to the Device for the First TimeA user can log in to the CX device that is powered on for the first time through the console portor by the plug-and-play function to configure the CX device.

1.2 Logging In to the Device Through the Console PortThis section describes how to connect a terminal to a CX device through the console port toestablish the configuration environment.

1.3 Logging In to the CX device That Supports the Plug-and-Play FunctionThe plug-and-play function enables the CX device to automatically access the network andobtains an IP address after the CX device is powered on. This allows engineers to remotely login to the CX device to perform basic configurations.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 1 Logging In to the System for the First Time


1-1

1.1 Introduction to Log In to the Device for the First TimeA user can log in to the CX device that is powered on for the first time through the console portor by the plug-and-play function to configure the CX device.

Log in to the CX device through the console port

The console port is a linear port on the main control board.

Each main control board provides one console port that conforms to the EIA/TIA-232 standardand whose type is DCE. The serial interface of a terminal can be directly connected to the consoleport on the CX device. Users can then configure the CX device on the terminal.

NOTEWhen a device is powered on for the first time, you must log in to the device through the console port. Itis a prerequisite for other login modes. For example, the IP address for Telnet login must be configured bylogging in to the device through the console port.

Log in to the CX device by the plug-and-play functionNOTE

The plug-and-play function only can be configured on the X1 , X2 and X3 models of the CX600.

During site deployment, the CX devices reside far away from the equipment room. Sendingsoftware commissioning engineers to deploy the network at the site is quite costly. After theplug-and-play function is enabled, however, the CX device automatically obtains an IP address.Software commissioning engineers are able to remotely deliver configurations to the CXdevice through the NMS after installation personnel finishes hardware installation. This greatlysimplifies installation and reduces costs with minimized site visits.

The plug-and-play function is controlled by a PAF file and users do not need to configure itmanually. This function is automatically disabled after the CX device correctly obtains an IPaddress.

1.2 Logging In to the Device Through the Console PortThis section describes how to connect a terminal to a CX device through the console port toestablish the configuration environment.

1.2.1 Establishing the Configuration TaskBefore logging in to the CX device through the console port, familiarize yourself with theapplicable environment, complete the pre-configuration tasks, and obtain the required data. Thiswill help you complete the configuration task quickly and accurately.

1.2.2 Establishing the Physical ConnectionThe console port on the CX device must be connected to the COM port on a terminal by usinga console cable.

1.2.3 Logging in to the CX deviceYou can log in to the CX device through the console port to configure and manage the CXdevice that is powered on for the first time.

1 Logging In to the System for the First TimeHUAWEI CX600 Metro Services Platform


1-2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

1.2.1 Establishing the Configuration TaskBefore logging in to the CX device through the console port, familiarize yourself with theapplicable environment, complete the pre-configuration tasks, and obtain the required data. Thiswill help you complete the configuration task quickly and accurately.

Applicable Environment

When the CX device is powered on for the first time, you need to use the console port to log into the CX device to configure and manage the CX device.

Pre-configuration Tasks

Before logging in to the CX device through the console port, complete the following tasks:

l Installing terminal emulation program on the PC (such as Windows XP HyperTerminal)

l Preparing the RS-232 cable

Data Preparation

To log in to the CX device through the console port, you need the following data.

No. Data

1 Terminal communication parametersl Baud ratel Data bitl Parityl Stop bitl Flow-control mode

NOTEWhen the CX device is logged in for the first time, the system automatically uses default parameter values.

1.2.2 Establishing the Physical ConnectionThe console port on the CX device must be connected to the COM port on a terminal by usinga console cable.

Procedure

Step 1 Power on all devices to perform a self-check.

Step 2 Connect the COM port on the PC and the console port on the CX device by a cable.

----End



1-3

1.2.3 Logging in to the CX deviceYou can log in to the CX device through the console port to configure and manage the CXdevice that is powered on for the first time.

ContextYou need to configure terminal attributes for the PC according to the attributes configured forthe console port, including the transmission rate, data bit, parity bit, stop bit, and flow controlmode. As the CX device is logged in for the first time, every terminal attribute uses the defaultvalue of the CX device.

Procedure

Step 1 Start a terminal emulator on the PC, and create a new connection, as shown in Figure 1-1.

Figure 1-1 Connection creation

Step 2 Set interface,as shown in Figure 1-2.




Issue 01 (2011-05-30)

Figure 1-2 Interface setting

Step 3 Set communication parameter, same as the default of CX device,as shown in Figure 1-3.

Figure 1-3 Communication parameter setting



1-5

Step 4 Press Enter. A command line prompt such as <HUAWEI> appears, and the user view isdisplayed for you to configure the CX device.

----End

1.3 Logging In to the CX device That Supports the Plug-and-Play Function

The plug-and-play function enables the CX device to automatically access the network andobtains an IP address after the CX device is powered on. This allows engineers to remotely login to the CX device to perform basic configurations.

ContextNOTE

The plug-and-play function only can be configured on the X1 , X2 and X3 models of the CX600.

During site deployment, the CX devices reside far away from the equipment room. Sendingsoftware commissioning engineers to deploy the network at the site is quite costly. After theplug-and-play function is enabled, however, the CX device automatically obtains an IP address.Software commissioning engineers are able to remotely deliver configurations to the CXdevice through the NMS after installation personnel finishes hardware installation. This greatlysimplifies installation and reduces costs with minimized site visits. The plug-and-play functionis controlled by a PAF file and users do not need to configure it manually. This function isautomatically disabled after the CX device correctly obtains an IP address. The process oflogging in to the CX device supporting the plug-and-play function is as follows:

Procedure

Step 1 After planning the network, network planning engineers provide a planning list for softwarecommissioning engineers.

Step 2 Based on the planning list, software commissioning engineers configure the mappings betweenthe CX device locations and IP addresses on the DHCP server, compile configuration scripts,and configure the mappings between the CX device locations and scripts.

Step 3 Hardware installation personnel installs the CX device and power them on at the site.

Step 4 The CX device sends a DHCPREQUEST message to the DHCP server, and then the interfaceconnecting to the DHCP server obtains an IP address.

Step 5 The NMS delivers configurations to the CX device.

----End

Follow-up ProcedureIf there is no DHCP server on the network or the CX device cannot obtain an IP address forsome reason, the CX device displays the following information: PNP State!!!PLEASE UNDO PNP enable for manual Setup! You can undo PNP in system view with "undo pnp enable"At this time, do as follows to disable the plug-and-play function:

1. Run the system-view command to enter the system view.




Issue 01 (2011-05-30)

2. Run the undo pnp enable command to disable the plug-and-play function.3. Run the undo pnp default route command to delete the default route generated by the

plug-and-play function.



1-7

2 CLI Overview

About This Chapter

The command line interface (CLI) is used to configure and maintain devices.

2.1 CLI IntroductionAfter you log in to the CX device, a prompt is displayed, indicating that you enter the commandline interface (CLI). The CLI is used by users to interact with the CX device.

2.2 Online HelpWhen inputting command lines or configuring services, you can use the online help function toobtain real-time help.

2.3 CLI FeaturesThe CLI provides the following features to help users flexibly use it.

2.4 Shortcut KeysUsing the system or user-defined shortcut keys makes it easier to enter commands.

2.5 Configuration ExamplesThis section provides several examples for using command lines.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 2 CLI Overview


2-1

2.1 CLI IntroductionAfter you log in to the CX device, a prompt is displayed, indicating that you enter the commandline interface (CLI). The CLI is used by users to interact with the CX device.

2.1.1 Command Line InterfaceYou can configure and manage the CX device by using the CLI commands.

2.1.2 Command LevelsThe system manages commands in hierarchy for security. The administrator can set user levelscorresponding to command levels to implement user-specific access control.

2.1.3 Command Line ViewsThe command line interface has different command views. All the commands are registered inone or more command views. You can run a command only when you enter the correspondingcommand view.

2.1.1 Command Line InterfaceYou can configure and manage the CX device by using the CLI commands.

The characteristics of CLI are as follows:

l Local or remote configuration through the AUX port.l Local configuration through console port.l Local or remote configuration through Telnet or Secure Shell (SSH).l Remote configuration by logging in to an asynchronous serial interface on the CX device

through Modem dialup.l The telnet command for directly logging in to and managing other CX devices.l FTP service for file uploading and downloading.l A user interface view for specific configuration management.l Hierarchical command protection for users of different levels, that is, running the

commands of the corresponding levels.l Three authentication modes are supported, namely, none-authentication, password

authentication, and Authentication, Authorization, and Accounting (AAA) authentication.Password and AAA authentication prohibit unauthorized users from logging in to the CXdevice, guaranteeing system security.

l Entering "?" for online help at any time.l A command line interpreter provides intelligent command resolution methods such as key

word fuzzy match and context conjunction. These methods make it easy for users to entertheir commands.

l Network testing commands such as tracert and ping for rapidly diagnosing a network.l Abundant debugging information to help in diagnosing the network.l Running a command used previously on the device, like DosKey.

2 CLI OverviewHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

NOTE

l The system supports the command with up to 512 characters. The command can be incomplete. Thismeans that you can input initial characters (one or some) of the command to represent the wholecommand. The incomplete command, however, must be unqiue in the system. For example, to use thedisplay current-configuration command, just input d cu, di cu, or dis cu. d c or dis c, however, cannotbe input, becuse they are not unique to represent the display current-configuration command.

l The system saves the incomplete command to the configuration files in the complete form; therefore,the command may have more than 512 characters. When the system is restarted, however, theincomplete command cannot be restored. Therefore, pay attention to the length of the incompletecommand.

2.1.2 Command LevelsThe system manages commands in hierarchy for security. The administrator can set user levelscorresponding to command levels to implement user-specific access control.

The default command levels are as follows:

Table 2-1 Command line levels

Level Name Description

0 Visit level Commands of this level include commands of networkdiagnosis tool (such as ping and tracert) and commands thatstart from the local device and visit external device (suchas Telnet client side).

1 Monitoring level Commands of this level, including the display commands,are used for system maintenance and fault diagnosis.

2 Configurationlevel

Commands of this level are service configurationcommands that provide direct network service to the user,including routing and network layer commands.

3 Management level Commands of this level are commands that influence thebasic operation of the system and provide support to theservice. They include file system commands, FTPcommands, TFTP commands, XModem downloadingcommands, configuration file switching commands, powersupply control commands, backup board controlcommands, user management commands, level settingcommands, system internal parameter setting commands,and debugging commands that are used for fault diagnosis.

To implement efficient management, you can increase the command levels to 0-15. For theincrease in the command levels, refer to Chapter 4 "Basic Configuration" ConfiguringCommand Levels in the HUAWEI CX600 Configuration Guide - Basic Configurations.



2-3

NOTE

l The default command level may be higher than the command level defined according to the commandrules in application.

l The level of the command that a user can run is determined by the level of this user.

l Login users have the same 16 levels as the command levels. The login users can use only the commandof the levels that are equal to or lower than their own levels. The user privilege level level commandsets the user level.

2.1.3 Command Line ViewsThe command line interface has different command views. All the commands are registered inone or more command views. You can run a command only when you enter the correspondingcommand view.

The following part uses the user, system, and BFD views as an example:

# Establish connection to the CX device. If the CX device adopts the default configuration, youcan enter the user view with the prompt of <HUAWEI>.

<HUAWEI>

# Run the system-view command to enter the system view.

<HUAWEI> system-view[HUAWEI]

# Run the aaa command in the system view to enter the AAA view.

[HUAWEI] aaa[HUAWEI-aaa]

NOTE

l The command prompt "HUAWEI" is the default host name.

l The prompt indicates a specific view. For example, "<HUAWEI>" indicates the user view, and"[HUAWEI-ui-console0]" indicates the console user interface view.

Some commands can be used in both system and other views, but have different effects. Forexample, the mpls command can be run in the system view to enable MPLS globally or in theinterface view to enable MPLS only on this interface.

2.2 Online HelpWhen inputting command lines or configuring services, you can use the online help function toobtain real-time help.

2.2.1 Full HelpWhen inputting a command, you can use the full help function to obtain all keywords orparameters of this command.

2.2.2 Partial HelpIf you enter only the first one or a few characters of a command, you can use the partial helpfunction to obtain all keywords following the character or character string.

2.2.3 Error Messages of the Command Line InterfaceIf an entered command passes the syntax check, the system executes it. Otherwise, the systemprompts an error message.




Issue 01 (2011-05-30)

2.2.1 Full HelpWhen inputting a command, you can use the full help function to obtain all keywords orparameters of this command.

Procedurel You can obtain the full help of a command line in the following manners.

– Enter a question mark (?) in any command line view to display all the commands andtheir simple descriptions.<HUAWEI> ?User view commands: arp-ping ARP-ping backup Backup information batch-cmd Batch commands board-channel-check Board-Channel-Check enable/disable capture-packet enable capturing packet cd Change current directory......

– Enter a command and a question mark (?) separated by a space. If the key word is atthis position, all key words and their simple descriptions are displayed. For example:<HUAWEI> language-mode ?Chinese Chinese environmentEnglish English environmentChinese and English are keywords; Chinese environment and Englishenvironment describe the keywords respectively.

– Enter a command and a question mark (?) separated by a space, and if a parameter is atthis position, the related parameter names and parameter descriptions are displayed. Forexample:[HUAWEI] ftp timeout ? INTEGER<1-35791> The value of FTP timeout (in minutes)[HUAWEI] ftp timeout 35 ?<cr> Please press ENTER to execute command [HUAWEI] ftp timeout 35

In the preceding display, INTEGER<1-35791> describes the parameter value; Thevalue of FTP timeout (in minutes) is a simple description of the parameter usage;<cr> indicates that no parameter is at this position. The command is repeated in the nextcommand line. You can press Enter to run the command.

----End

2.2.2 Partial HelpIf you enter only the first one or a few characters of a command, you can use the partial helpfunction to obtain all keywords following the character or character string.

Procedurel You can obtain the partial help of a command line in the following manners.

– Enter a character string with a question mark (?) closely following it to display allcommands that begin with this character string.<HUAWEI> d? debugging delete dir display



2-5

– Enter a command and a character string with a question mark (?) closely following itto display all the key words that begin with this character string.<HUAWEI> display b? bas-interface bfd bgp board-current board-power board-type bootmode-current bootmode-next bootrom btv buffer bulk-stat

– Enter the first several letters of a key word in the command and then press Tab to displaythe complete key word on the condition that the letters uniquely identify the key word.Otherwise, if you continue to press Tab, different key words are displayed. You canselect the needed key word.

----End

2.2.3 Error Messages of the Command Line InterfaceIf an entered command passes the syntax check, the system executes it. Otherwise, the systemprompts an error message.

All the commands entered by the user are run correctly, if the grammar check has been passed.Otherwise, error messages are reported to the user. See Table 2-2 for the common errormessages.

Table 2-2 Common error messages of the command line

Error messages Cause of the error

Unrecognized command The command cannot be found

The key word cannot be found

Wrong parameter Parameter type error

The parameter value exceeds the limit

Incomplete command Incomplete command entered

Too many parameters Too many parameters entered

Ambiguous command Indefinite parameters entered

2.3 CLI FeaturesThe CLI provides the following features to help users flexibly use it.

2.3.1 EditingThe editing function of command lines helps you edit command lines or obtain help by usingcertain keys.

2.3.2 DisplayingAll command lines have the same displaying feature. You can construct the displaying mode asrequired.

2.3.3 Regular Expressions




Issue 01 (2011-05-30)

The regular expression is an expression that describes a set of strings. It consists of commoncharacters (such as letters from "a" to "z") and particular characters (also named metacharacters).The regular expression is a template according to which you can search for the required string.Users can use regular expressions to filter output information to rapidly locate desiredinformation.

2.3.4 Previously-Used CommandsThe CLI provides a function similar to DosKey to automatically save commands used previouslyon the device. If you need to run a command that has been executed, you can call the commandfrom those have been used previously on the device. This facilitates user operation.

2.3.5 Batch Command ExecutionIf multiple commands are frequently used consecutively, you can edit these commands to beexecuted in batches. This simplifies command input and improves efficiency.

2.3.1 EditingThe editing function of command lines helps you edit command lines or obtain help by usingcertain keys.

The command line supports multi-line edition. The maximum length of each command is 512characters.

Keys for editing that are often used are shown in Table 2-3.

Table 2-3 Keys for editing

Key Function

Common key Inserts a character in the current position of the cursor if the editingbuffer is not full and the cursor moves to the right. Otherwise, analarm is generated.

Backspace Deletes the character on the left of the cursor that moves to theleft. When the cursor reaches the head of the command, an alarmis generated.

Left cursor key ← orCtrl_B

Moves the cursor to the left by the space of a character. When thecursor reaches the head of the command, an alarm is generated.

Right cursor key → orCtrl_F

Moves the cursor to the right by the space of a character. Whenthe cursor reaches the end of the command, an alarm is generated.

Tab Press Tab after typing the incomplete key word and the systemruns the partial help:l If the matching key word is unique, the system replaces the

typed one with the complete key word and displays it in a newline with the cursor a space behind.

l If there are several matches or no match at all, the systemdisplays the prefix first. Then you can press Tab to view thematching key word one by one. In this case, the cursor closelyfollows the end of the word and you can type a space to enterthe next word.

l If a wrong key word is entered, press Tab and the word isdisplayed in a new line.



2-7

2.3.2 DisplayingAll command lines have the same displaying feature. You can construct the displaying mode asrequired.

You can control the display of information on the CLI as follows:

l Prompts and help information can be displayed in both Chinese and English. You can usethe language-mode language-name command to change the language mode.

l If output information cannot be displayed on a full screen, you have three options to viewthe information, as shown in Table 2-4.

Table 2-4 Keys for displaying

Key Function

Ctrl_C Stops the display and running of the command.NOTE

You can also press any of the keys except the spacebar and Enter keyto stop the display and running of the command.

Space Allows information to be displayed on the next screen.

Enter Allows information to be displayed on the next line.

2.3.3 Regular ExpressionsThe regular expression is an expression that describes a set of strings. It consists of commoncharacters (such as letters from "a" to "z") and particular characters (also named metacharacters).The regular expression is a template according to which you can search for the required string.Users can use regular expressions to filter output information to rapidly locate desiredinformation.

A regular expression can provide the following functions:l Searching for and obtaining a sub-string that matches a rule in the string.l Substituting a string according to a certain matching rule.

Formal Language Theory of the Regular ExpressionThe regular expression consists of common characters and particular characters.

l Common charactersCommon characters are used to match themselves in a string, including all upper-case andlower-case letters, digits, punctuation, and special symbols. For example, a matches theletter "a" in "abc", 202 matches the digit "202" in "202.113.25.155", and @ matches thesymbol "@" in "[email protected]".

l Particular charactersParticular characters are used together with common characters to match the complex orparticular string combination. Table 2-5 describes particular characters and their syntax.




Issue 01 (2011-05-30)

Table 2-5 Description of particular characters

Particularcharacter

Syntax Example

\ Defines an escape character, whichis used to mark the next character(common or particular) as thecommon character.

\* matches "*".

^ Matches the starting position of thestring.

^10 matches "10.10.10.1" instead of"20.10.10.1".

$ Matches the ending position of thestring.

1$ matches "10.10.10.1" instead of"10.10.10.2".

* Matches the preceding element zeroor more times.

10* matches "1", "10", "100", and"1000".(10)* matches "null", "10", "1010",and "101010".

+ Matches the preceding element oneor more times

10+ matches "10", "100", and"1000".(10)+ matches "10", "1010", and"101010".

? Matches the preceding element zeroor one time.

10? matches "1" and "10".(10)? matches "null" and "10".

. Matches any single character. 0.0 matches "0x0" and "020"..oo matches "book", "look", and"tool".

() Defines a subexpression, which canbe null. Both the expression and thesubexpression should be matched.

100(200)+ matches "100200" and"100200200".

x|y Matches x or y. 100|200 matches "100" or "200".1(2|3)4 matches "124" or "134",instead of "1234", "14", "1224", and"1334".

[xyz] Matches any single character in theregular expression.

[123] matches the character 2 in"255".

[^xyz] Matches any character that is notcontained within the brackets.

[^123] matches any character exceptfor "1", "2", and "3".

[a-z] Matches any character within thespecified range.

[0-9] matches any character rangingfrom 0 to 9.

[^a-z] Matches any character beyond thespecified range.

[^0-9] matches all non-numericcharacters.



2-9

Particularcharacter

Syntax Example

_ Matches a comma "," left brace "{",right brace "}", left parenthesis "(",and right parenthesis ")".Matches the starting position of theinput string.Matches the ending position of theinput string.Matches a space.

_2008_ matches "2008", "space2008 space", "space 2008", "2008space", ",2008,", "{2008}","(2008)", "{2008", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

l Degeneration of particular charactersCertain particular characters, when being placed at the following positions in the regularexpression, degenerate to common characters.– The particular characters following "\" is transferred to match particular characters

themselves.– The particular characters "*", "+", and "?" placed at the starting position of the regular

expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".– The particular character "^" placed at any position except for the start of the regular

expression. For example, abc^ matches "abc^".– The particular character "$" placed at any position except for the end of the regular

expression. For example, 12$2 matches "12$2".– The right bracket such as ")" or "]" being not paired with its corresponding left bracket

"(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".

NOTE

Unless otherwise specified, degeneration rules are applicable when preceding regular expressionsserve as subexpressions within parentheses.

l Combination of common and particular charactersIn actual application, a regular expression combines multiple common and particularcharacters to match certain strings.




Issue 01 (2011-05-30)

Specifying a Filtering Mode in Command

CAUTIONThe HUAWEI CX600 uses a regular expression to implement the filtering function of the pipecharacter. A display command supports the pipe character only when there is excessive outputinformation.

When the output information is queried according to the filtering conditions, the first line of thecommand output starts with the information containing the regular expression.

The command can carry the parameter | count to display the number of matching entries. Theparameter | count can be used together with other parameters.

For the commands supporting regular expressions, the three filtering methods are as follows:

l | begin regular-expression: displays the information that begins with the line that matchesregular expression.

l | exclude regular-expression: displays the information that excludes the lines that matchregular expression.

l | include regular-expression: displays the information that includes the lines that matchregular expression.

NOTE

The value of regular-expression is a string of 1 to 255 characters.

Specify a Filtering Mode when Information is Displayed

When a lot of information is displayed, you can specify a filtering mode in the prompt "---- More----".

l /regular-expression: displays the information that begins with the line that matches regularexpression.

l -regular-expression: displays the information that excludes lines that match regularexpression.

l +regular-expression: displays the information that includes lines that match regularexpression.

2.3.4 Previously-Used CommandsThe CLI provides a function similar to DosKey to automatically save commands used previouslyon the device. If you need to run a command that has been executed, you can call the commandfrom those have been used previously on the device. This facilitates user operation.

By default, the system saves a maximum of 10 previously-used commands for each user. Youcan run the history-command max-size size-value command in the user view to set the numberof previously-used commands saved in the system. A maximum of 256 previously-usedcommands can be saved in the system.



2-11

NOTESetting the number of saved previously-used commands to a proper value is recommended. If a largenumber of previously-used commands are saved, it will take a long time to locate a needed previously-used command, affecting efficiency.

The operations are shown in Table 2-6

Table 2-6 Access the previously-used commands

Action Key or Command Result

Displaypreviously-usedcommands.

display history-command

Display previously-used commands entered byusers.

Access the lastpreviously-usedcommand.

Up cursor key (↑) orCtrl_P

Display the last previously-used command if thereis an earlier previously-used command. Otherwise,an alarm is generated.

Access the nextpreviously-usedcommand.

Down cursor key(↓) or Ctrl_N

Display the next previously-used command if thereis a later previously-used command. Otherwise, thecommand is cleared and an alarm is generated.

NOTE

On the HyperTerminal of Windows 9X, cursor key ↑ is invalid as the HyperTerminals of Windows 9Xdefine the keys differently. In this case, you can replace the cursor key ↑ with Ctrl_P.

When you use previously-used commands, note the following points:

l The saved previously-used commands are the same as that those entered by users. Forexample, if the user enters an incomplete command, the saved command also is incomplete.

l If the user runs the same command several times, the earliest command is saved. If thecommand is entered in different forms, they are considered as different commands.For example, if the display ip routing-table command is run several times, only onepreviously-used command is saved. If the disp ip routing command and the display iprouting-table command are run, two previously-used commands are saved.

2.3.5 Batch Command ExecutionIf multiple commands are frequently used consecutively, you can edit these commands to beexecuted in batches. This simplifies command input and improves efficiency.

Procedure

Step 1 In the user view, run:batch-cmd edit

Commands are edited to be executed in batches.

The batch-cmd edit command can be used by only one user at a time.




Issue 01 (2011-05-30)

The maximum length of a command (including the incomplete command) to be entered is 512characters.

When editing commands, press Enter to complete the editing of each command.

NOTE

l After the batch-cmd edit command is run successfully to edit the commands to be executed in batches,the system deletes the original commands to be run in batches.

l The commands that are already edited are saved in memory and are deleted for ever when the systemis restarted.

Step 2 After all commands are edited, you can press the shortcut buttons Ctrl_Z to exit the editing stateand return to the user view.

Step 3 In the user view, run:batch-cmd execute

The commands are executed in batches.

The batch-cmd execute command can be used by only one user at a time.

The sequence of running commands is the same as the sequence of editing commands. You canview the execution of these commands on the CLI. After the execution is complete, the userview is displayed.

NOTE

If the batch-cmd edit or batch-cmd execute command is among the commands to be executed in batches,the system displays an error when executing the batch-cmd edit or batch-cmd execute command andcontinues to execute the following commands.

----End

2.4 Shortcut KeysUsing the system or user-defined shortcut keys makes it easier to enter commands.

2.4.1 Classifying Shortcut KeysThere are two types of shortcut keys, namely, system shortcut keys and user-defined shortcutkeys. Familiarize yourself with shortcut keys so as to use them accurately.

2.4.2 Defining Shortcut KeysIf one or multiple commands are frequently used, you can correlate these commands withshortcut keys. This facilitates user operation and improves efficiency. Only management-levelusers have the rights to define shortcut keys.

2.4.3 Use of Shortcut KeysYou can use the shortcut key at any position that allows a command to be entered. The systemexecutes an entered shortcut key and displays the corresponding command on the screen in thesame way as you enter a complete command.

2.4.1 Classifying Shortcut KeysThere are two types of shortcut keys, namely, system shortcut keys and user-defined shortcutkeys. Familiarize yourself with shortcut keys so as to use them accurately.

The shortcut keys in the system are classified into the following types:



2-13

l User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user cancorrelate these shortcut keys with any commands. When the shortcut keys are pressed, thesystem automatically runs the corresponding command. For details of defining the shortcutkeys, see 2.4.2 Defining Shortcut Keys.

l System-defined shortcut keys: These shortcut keys with fixed functions are defined by thesystem. Table 2-7 lists the system-defined shortcut keys.

NOTE

Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal maybe different from those listed in this section.

Table 2-7 System-defined shortcut keys

Key Function

CTRL_A The cursor moves to the beginning of the current line.

CTRL_B The cursor moves to the left by the space of a character.

CTRL_C Terminates the running function.

CTRL_D Deletes the character where the cursor lies.

CTRL_E The cursor moves to the end of the current line.

CTRL_F The cursor moves to the right by the space of a character.

CTRL_H Deletes one character on the left of the cursor.

CTRL_K Stops the creation of the outbound connection.

CTRL_N Displays the next command in the previously-used commandbuffer.

CTRL_P Displays the previous command in the previously-usedcommand buffer.

CTRL_R Repeats the display of the information of the current line.

CTRL_T Terminates the outbound connection.

CTRL_V Pastes the contents on the clipboard.

CTRL_W Deletes a character string or character on the left of the cursor.

CTRL_X Deletes all the characters on the left of the cursor.

CTRL_Y Deletes all the characters on the right of the cursor.

CTRL_Z Returns to the user view.

CTRL_] Terminates the inbound or redirection connections.

ESC_B The cursor moves to the left by the space of a word.

ESC_D Deletes a word on the right of the cursor.

ESC_F The cursor moves to the right to the end of next word.




Issue 01 (2011-05-30)

Key Function

ESC_N The cursor moves downward to the next line.

ESC_P The cursor moves upward to the previous line.

ESC_SHIFT_< Sets the position of the cursor to the beginning of the clipboard.

ESC_SHIFT_> Sets the position of the cursor to the end of the clipboard.

2.4.2 Defining Shortcut KeysIf one or multiple commands are frequently used, you can correlate these commands withshortcut keys. This facilitates user operation and improves efficiency. Only management-levelusers have the rights to define shortcut keys.

Configure as follows in the system view.

Action Command

Define shortcut keys hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U }command-text

NOTE

When defining the shortcut keys, use double quotation marks to define the command if this commandcontains several commands words, that is, if spaces exist in the command.

By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commandsrespectively:

l CTRL_G: display current-configuration

l CTRL_L: display ip routing-table

l CTRL_O: undo debugging all

By default, CTRL_U is not correlated with any command.

2.4.3 Use of Shortcut KeysYou can use the shortcut key at any position that allows a command to be entered. The systemexecutes an entered shortcut key and displays the corresponding command on the screen in thesame way as you enter a complete command.

l If you have typed part of a command and have not pressed Enter, you can press the shortcutkeys to clear the entered command and display the full corresponding command. Thisoperation has the same effect as that of deleting all commands and then re-entering thecomplete command.

l The shortcut keys are run as the commands, the syntax is recorded to the command bufferand log for fault location and querying.



2-15

NOTE

The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcutkeys of the terminal conflict with those of the CX device, the input shortcut keys are captured by the terminalprogram and hence the shortcut keys do not function.

Run the following command in any view to display the use of shortcut keys.

Action Command

Check the usage of shortcut keys. display hotkey

2.5 Configuration ExamplesThis section provides several examples for using command lines.

2.5.1 Example for Running Commands in BatchesThis part provides an example for running commands in batches. In this example, by editing thecommands to be run in batches, you can configure the system to automatically run the commandsin batches.

2.5.2 Example for Using TabThis example shows how to use the Tab key. After inputting an incomplete keyword, you canpress Tab and obtain all related keywords or verify the correctness of the input keyword.

2.5.3 Example for Using Shortcut KeysThis example shows how to use shortcut keys. In this example, frequently-used commands arecorrelated with shortcut keys. You can press the shortcut keys instead of inputting the commands.This facilitates user operation and improves efficiency.

2.5.4 Example for Copying Commands Using Shortcut KeysThis example shows how to copy commands by using shortcut keys. In this example, after aspecified command is copied by using shortcut keys, you can use the shortcut keysCtrl_Shift_V to paste the command.

2.5.1 Example for Running Commands in BatchesThis part provides an example for running commands in batches. In this example, by editing thecommands to be run in batches, you can configure the system to automatically run the commandsin batches.

Context

If commands are frequently used consecutively, especially a large number of commands, youcan run the commands in batches to improve efficiency.

For example, during the preventive maintenance inspection (PMI), you can run commands inbatches. That is, enter all PMI commands once and then send all the command output informationto the PMI tool, which can improve the PMI efficiency.

Log in to the CX device and do as follows:




Issue 01 (2011-05-30)

Procedure

Step 1 Edit the display users, display startup, and display clock commands to be run in batches.

<HUAWEI> batch-cmd editInfo: Begin editing batch commands. Press "Ctrl+Z" to abort this session.display usersdisplay startupdisplay clock<HUAWEI>

Step 2 Run the commands in batches.<HUAWEI> batch-cmd execute<HUAWEI>batch-cmd execute command: display users

User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag 35 VTY 1 00:00:00 TEL 190.120.2.19 no Username : Unspecified<HUAWEI>batch-cmd execute command: display startup

MainBoard: Configured startup system software: cfcard:/V600R003C00.cc Startup system software: cfcard:/V600R003C00.cc Next startup system software: cfcard:/V600R003C00.cc Startup saved-configuration file: cfcard:/vrp.cfg Next startup saved-configuration file: cfcard:/vrp.cfg Startup paf file: default Next startup paf file: default Startup license file: default Next startup license file: default Startup patch package: NULL Next startup patch package: NULL<HUAWEI>batch-cmd execute command: display clock

2011-01-27 01:25:24ThursdayTime Zone(DefaultZoneName) : UTC<HUAWEI>batch-cmd execute finished.

----End

2.5.2 Example for Using TabThis example shows how to use the Tab key. After inputting an incomplete keyword, you canpress Tab and obtain all related keywords or verify the correctness of the input keyword.

ContextUsually, you do not need to input complete keywords. Instead, you can just input one or a fewbeginning characters of a keyword and press Tab to complete the keyword. The Tab key helpssearch for and use commands.

Procedurel Tab can be used in three ways as shown in the following example.

– The matching key word is unique after the incomplete key word is input.

1. Input the incomplete key word.[HUAWEI] info-

2. Press Tab.



2-17

The system replaces the input one with the complete key word and displays it in anew line with the cursor leaving a space behind.[HUAWEI] info-center

– There are several matches or no match after the incomplete key word is input.

# info-center can be followed by three key words.[HUAWEI] info-center log? logbuffer logfile loghost

1. Input the incomplete key word.[HUAWEI] info-center l

2. Press Tab.

The system displays the prefix first. The prefix in this example is "log".[HUAWEI] info-center log

Continue to press Tab. The cursor is closely following the end of the word.[HUAWEI] info-center loghost[HUAWEI] info-center logbuffer[HUAWEI] info-center logfile

Stop pressing Tab after the key word logfile that you need is displayed.

3. Input a space to enter the next word channel.[HUAWEI] info-center logfile channel

– Input an incorrect keyword and press Tab to check the correctness of the keyword.

1. Input a wrong keyword loglog.[HUAWEI] info-center loglog

2. Press Tab.[HUAWEI] info-center loglog

The system displays information in a new line, but the keyword loglog remainsunchanged and there is no space between the cursor and the keyword, indicatingthat this keyword is inexistent.

----End

2.5.3 Example for Using Shortcut KeysThis example shows how to use shortcut keys. In this example, frequently-used commands arecorrelated with shortcut keys. You can press the shortcut keys instead of inputting the commands.This facilitates user operation and improves efficiency.

Context

If the login CX device is defined with shortcut keys, the shortcut keys can be used by any userregardless of the user level.

Procedure

Step 1 Correlate Ctrl_U with the display ip routing-table command and run the shortcut keys.<HUAWEI> system-view[HUAWEI] hotkey ctrl_u "display ip routing-table"




Issue 01 (2011-05-30)

NOTE

When defining shortcut keys for a command, use double quotation marks to quote the command if thecommand consisting of multiple words, which are separated by spaces. No double quotation marks arerequired for single-word commands.

Step 2 Press Ctrl_U when the prompt [HUAWEI] appears.[HUAWEI] display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 8 Routes : 8Destination/Mask Proto Pre Cost Flags NextHop Interface 51.51.51.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0 100.2.0.0/16 Direct 0 0 D 100.2.150.51 GigabitEthernet0/0/0 100.2.150.51/32 Direct 0 0 D 127.0.0.1 InLoopBack0 100.2.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0---------------------------------------------------------------------

----End

2.5.4 Example for Copying Commands Using Shortcut KeysThis example shows how to copy commands by using shortcut keys. In this example, after aspecified command is copied by using shortcut keys, you can use the shortcut keysCtrl_Shift_V to paste the command.

Context

If you need to repeatedly run a command, you can use shortcut keys to copy the command.

The copied command is saved on the clipboard and is available for only the current logged-inuser. After the user logs out of the CX device, the clipboard is cleared.

You can use shortcut keys to copy a command in any view.

Procedure

Step 1 Move the cursor to the beginning of the command and press Esc_Shift_<. Move the cursor tothe end and press Esc_Shift_>.

<HUAWEI> display ip routing-table

Step 2 Run the display clipboard command to view the contents on the clipboard.

<HUAWEI> display clipboard---------------- CLIPBOARD-----------------display ip routing-table

Step 3 Enter the command in any view, and press Ctrl_Shift_V to paste the contents of clipboard.

<HUAWEI> display ip routing-table



2-19

NOTE

If you press shortcut keys to copy a new command, you can paste only the new command by using shortcutkeys.

----End




Issue 01 (2011-05-30)

3 Basic Configuration

About This Chapter

This chapter describes how to configure the CX device to follow your using habits and the actualenvironment requirements after logging in to the CX device.

3.1 Configuring the Basic System EnvironmentThis section describes how to configure the basic system environment.

3.2 Displaying System Status MessagesThis section describes how to use display commands to check basic configurations of the currentsystem.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 3 Basic Configuration


3-1

3.1 Configuring the Basic System EnvironmentThis section describes how to configure the basic system environment.

3.1.1 Establishing the Configuration TaskBefore configuring the basic system environment, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

3.1.2 Switching the Language ModeYou can switch between the Chinese mode and the English mode as needed.

3.1.3 Configuring the Equipment NameWhen multiple devices on the network need to be managed, you can identify them by setting anequipment name for each device.

3.1.4 Setting the System ClockYou need to set the system time properly to ensure the cooperation between the CX600 and otherdevices.

3.1.5 Configuring a HeaderIf you need to provide information for users logging in, you can configure a header that thesystem displays during or after login.

3.1.6 Configuring Command LevelsThis section describes how to configure command levels to ensure device security or allow low-level users to run high-level commands. By default, commands are registered in the sequenceof Level 0 to Level 3. If refined rights management is required, you can divide commands in to16 levels, that is, from Level 0 to Level 15.

3.1.7 Configuring the Undo Command to Match in the Previous View AutomaticallyYou can run the undo command in the current view and thus the system automatically matchesthe previous view.

3.1.1 Establishing the Configuration TaskBefore configuring the basic system environment, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.


Before configuring services, you need to configure the basic system environment (such as thelanguage mode, time, device name, login information, and command level) to meet theenvironment requirement.


Before configuring the basic system environment, complete the following task:

l Powering on the CX device

3 Basic ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

Data Preparation

To configure the basic system environment, you need the following data.

No. Data

1 Language mode

2 System time

3 Host name

4 Login information

5 Command level

3.1.2 Switching the Language ModeYou can switch between the Chinese mode and the English mode as needed.

Context

After the language mode is switched, the system displays prompts and outputs of command linesin the specified language.

Language information (Chinese and English) has been stored in the system software and doesnot need to be loaded.

Do as follows in the user view:

Procedurel Run:

language-mode { chinese | english }

The language mode is switched.

By default, the English mode is used.

The help information on the CX device can be in English or in Chinese. The language modeis stored in the system software and does not need to be loaded.

----End

3.1.3 Configuring the Equipment NameWhen multiple devices on the network need to be managed, you can identify them by setting anequipment name for each device.

Context

The new equipment name takes effect immediately.



3-3

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:sysname host-name

The equipment name is set.

By default, the equipment name of the CX device is HUAWEI.

You can change the name of the CX device that appears in the command prompt.

----End

3.1.4 Setting the System ClockYou need to set the system time properly to ensure the cooperation between the CX600 and otherdevices.

ContextThe system clock displays the current time and date of the system, time zone to which the systembelongs, and daylight saving time. The CX600 supports the configurations of the time zone andthe daylight saving time.

Do as follows in the user view:

Procedure

Step 1 Run:clock datetime [ utc ] HH:MM:SS YYYY-MM-DD

The current date and time is set.

Step 2 Run:clock timezone time-zone-name { add | minus } offset

The time zone is set.

l If add is configured, the current time is the UTC time plus the time offset. That is, the defaultUTC time plus offset is equal to the time of time-zone-name.

l If minus is configured, the current time is the UTC time minus the time offset. That is, thedefault UTC time minus offset is equal to the time of time-zone-name.

NOTE

UTC stands for the Universal Time Coordinated.

Step 3 Run:clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

or

clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first |




Issue 01 (2011-05-30)

second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

The daylight saving time is set.

By default, the daylight saving time is not set.

During the configuration of the daylight saving time, you can configure the starting time andending time in one of the following modes: date+date, week+week, date+week, and week+date.For details, see clock daylight-saving-time.

CAUTIONWhen the device is upgraded from an earlier version to the V600R003C00 version, theconfigured daylight saving time does not take effect and needs to be reconfigured.

----End

3.1.5 Configuring a HeaderIf you need to provide information for users logging in, you can configure a header that thesystem displays during or after login.

ContextA header text is a message displayed by the system when and after a user is logging in to theCX device.

If you need to provide information for login users, you can configure a header that the systemdisplays during login or after login.

Procedure



Step 2 Run:header login { information text | file file-name }

The header displayed during login is set.

Step 3 Run:header shell { information text | file file-name }

The header displayed after login is set.

To display the header when the terminal connection has been activated but the user is not beingauthenticated, configure the parameter login.

To display the header after the user logs in successfully, configure the parameter shell.

If the user can log in to the CX device without authentication, the system directly displays theheader after the login.



3-5

CAUTIONl The header text starts and ends with the same character. After a character is input and

Enter is pressed, an interactive interface is displayed. You can input the required informationended with the first character. The system then exits from the interactive interface.

l If a user logs in to the CX device by using SSH1.X, the login header is not displayed duringlogin, but the shell header is displayed after login.

l If a user logs in to the CX device by using SSH2.0, both login and shell headers are displayed.

----End

3.1.6 Configuring Command LevelsThis section describes how to configure command levels to ensure device security or allow low-level users to run high-level commands. By default, commands are registered in the sequenceof Level 0 to Level 3. If refined rights management is required, you can divide commands in to16 levels, that is, from Level 0 to Level 15.

ContextIf the user does not adjust a command level separately, after the command level is updated, alloriginally-registered command lines adjust automatically according to the following rules:

l The commands of Level 0 and Level 1 remain unchanged.l The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated

to Level 15.l No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust

the command lines to these levels separately to refine the management of privilege.

CAUTIONChanging the default level of a command is not recommended. If the default level of a commandis changed, some users may be unable to use the command any longer.

Procedure



Step 2 Run:command-privilege level rearrange

Update the command level in batches.

When no password is configured for a Level 15 user, the system prompts the user to set a super-password for the level 15 user. At the same time, the system asks if the user wants to continuewith the update of command line level. Then, just select "N" to set a password. If you select "Y",




Issue 01 (2011-05-30)

the command level can be updated in batches directly. This results in the user not logging inthrough the Console port and failing to update the level.

Step 3 Run:command-privilege level level view view-name command-key

The command level is configured. With the command, you can specify the level and viewmultiple commands at one time (command-key).

All commands have default command views and levels. You do not need to reconfigure them.

----End

3.1.7 Configuring the Undo Command to Match in the PreviousView Automatically

You can run the undo command in the current view and thus the system automatically matchesthe previous view.

ContextIf the user allows the undo command to automatically match the previous view and the userruns the undo command that is not registered in the current view, the system searches theundo command in the previous view.

CAUTIONThe undo command has disadvantages due to automatically matching. For example, when theuser runs the undo ospf command in the interface view where the command is not registered,the system searches in system view automatically. This may lead to global deletion of the OSPFfeature.

Procedure



Step 2 Run:matched upper-view

The undo command is configured to match the upper level view.

By default, the undo command does not match the previous view automatically.

NOTE

l The matched upper-view command is valid for current login users who run this command.

l It is not recommended that you configure the undo command to automatically match the upper levelview, unless necessary.

----End



3-7

3.2 Displaying System Status MessagesThis section describes how to use display commands to check basic configurations of the currentsystem.

Context

You can use the display commands to collect information about the system status. The displaycommands are classified according to the following functions:

l Displays system configurations.

l Displays the running status of the system.

l Displays the diagnostic information about a system.

l Displays the restart information about the main control board.

See the related sections for display commands for protocols and interfaces. The following partonly shows the system-level display commands.

Run the following commands in any view.

3.2.1 Displaying System ConfigurationThis section describes how to check the system version, system time, original configuration, andcurrent configuration by using command lines.

3.2.2 Displaying System StatusThis section describes how to check the system operating status (the configuration of the currentview) by using command lines.

3.2.3 Collecting System Diagnostic InformationThis section describes how to collect information about all modules in the system.

3.2.1 Displaying System ConfigurationThis section describes how to check the system version, system time, original configuration, andcurrent configuration by using command lines.

PrerequisiteBasic configuration are complete.

Procedurel Run the display version command to display the system version.

l Run the display clock [ utc ] command to display the system time.

l Run the display calendar command to display system calendar.

l Run the display saved-configuration command to display the original configuration.

l Run the display current-configuration command to display the current configuration.




Issue 01 (2011-05-30)

NOTE

l The display version command can be used to display the software version of the system, thechassis type, and the information about the main control board and interface board.

l The original configuration refers to information about configuration files used by the device whenthe device has been powered on and is being initialized. The current configuration refers to theconfiguration files taking effect during the device operation. For details, see the chapter"Configuring System Startup" in the CX600 Basic-Configuration.

----End

3.2.2 Displaying System StatusThis section describes how to check the system operating status (the configuration of the currentview) by using command lines.

PrerequisiteBasic configurations are complete.

Procedurel Run the display this command to display the configuration of the current view.

----End

3.2.3 Collecting System Diagnostic InformationThis section describes how to collect information about all modules in the system.

ContextWhen the system fails to perform routine maintenance, you need to collect a lot of informationto locate faults. Then, you have to run different display commands to collect all information. Inthis case, you can use the display diagnostic-information command to collect all informationabout the current running modules in the system.

Procedurel Run:

display diagnostic-information [ file-name ]

The system diagnosis information is displayed.

The display diagnostic-information command collects all information collected byrunning the following commands, including display clock, display version, display cpu-usage, display interface, display current-configuration, display saved-configuration,display history-command, and so on.

----End



3-9

4 Configuring User Interface

About This Chapter

A user can log in to the CX device by using a console port or an AUX port, or by means of Telnetor SSH (STelnet). For users logging in to CX device in different modes, the system uses differentuser interfaces to manage the sessions between the CX device and the users.

4.1 User Interface OverviewThe system supports console, AUX, and VTY user interfaces.

4.2 Configuring the Console User InterfaceWhen a user logs in to the CX device by using a console port for local maintenance, you canconfigure attributes for the corresponding console user interface are needed.

4.3 Configuring the AUX User InterfaceWhen a user logs in to the CX device for local or remote configuration by using an AUX port,configuring attributes in the corresponding AUX user interface is needed.

4.4 Configuring VTY User InterfaceIf you need to log in to the CX device for local or remote maintenance by using Telnet or SSH,you can configure the corresponding VTY user interface as needed.

4.5 Configuration ExamplesThis section provides examples for configuring console, AUX, and VTY user interfaces. Theseconfiguration examples explain networking requirements, configuration roadmap, andconfiguration notes.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 4 Configuring User Interface


4-1

4.1 User Interface OverviewThe system supports console, AUX, and VTY user interfaces.

Each user interface has a corresponding user interface view. A user interface view is a commandline view provided by the system. It is used to configure and manage all the physical and logicalinterfaces in asynchronous mode.

User Interfaces Supported by the Systeml Console port (CON)

The console port is a serial port provided by the main control board of the CX device.The main control board provides one EIA/TIA-232 DCE console port for localconfiguration by directly connecting a terminal to a CX device.

l Auxiliary port (AUX)It is a linear port provided by the main control board of the CX device and supports thedialup by using a modem.Each main control board provides one AUX port with the type of EIA/TIA-232 DTE. Aterminal can remotely access the CX device through the modem on the AUX port.

l Virtual type terminal (VTY)It is a logical terminal line. A VTY connection is set up when a CX device connects to aterminal by means of Telnet. It is used for local or remote access to a CX device. Amaximum of 16 users can log in to the CX device by using the VTY user interface.

Numbering of a User InterfaceAfter a user logs in to the CX device, the system assigns an idle user interface of the smallestnumber to the user according to the user's login mode. You can number a user interface in thefollowing manners:

l Relative numberingThe relative numbering is in the format of user interface type + number.The relative numbering is available for interfaces of a specific type. It is used only to specifyone or a group of user interfaces of a specified type. Relative numbering must comply withthe following rules:– Number of the console port: CON 0– Number of the auxiliary port: AUX 0– Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on

l Absolute numberingThe absolute numbering is used to uniquely specify a user interface or a group of userinterfaces.The number starts with 0. The ports are numbered in the sequence of CON → AUX →VTY. There is only one console port and one AUX port and 0-15 VTY interfaces. You canuse the user-interface maximum-vty command to set the maximum number of userinterfaces. The default number is five.By default, the system supports three types of user interfaces: CON, AUX, and VTY.Table 4-1 shows the absolute numbers of the user interfaces in this system.

4 Configuring User InterfaceHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

Table 4-1 Example for the absolute numbering

Absolute number User-interface

0 CON0

33 AUX0

34 The first virtual interface (VTY0)

35 The second virtual interface (VTY1)

36 The third virtual interface (VTY2)

37 The fourth virtual interface (VTY3)

38 The fifth virtual interface (VTY4)

NOTE

The absolute numbers allocated for AUX and VTY interfaces are device-specific.

The numbers from 1 to 32 are reserved for the TTY user interfaces.

Run the display user-interface command to view the absolute number of user interfaces.

Authentication of a User Interface

After a user is configured, the system authenticates the user during user login.

There are three user authentication modes: non-authentication, password authentication, andAAA.

l Non-authentication: In this mode, users can log in to the CX device without enteringusernames or passwords. For security, this mode is not recommended.

l Password authentication: In this mode, users need to enter passwords, not usernames,during the login process.

l AAA authentication: In this mode, users need to enter passwords and usernames during thelogin process. Telnet users are usually authenticated in this mode.

Priority of a User Interface

Users that log in to the CX device are managed according to their levels.

Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater thenumber, the higher the user level.

The level of the command that a user can run is determined by the level of this user.

l In the case of non-authentication or password authentication, the level of the command thatthe user can run is determined by the level of the user interface.

l In the case of AAA authentication, the command that the user can run is determined by thelevel of the local user specified in the AAA configuration.



4-3

4.2 Configuring the Console User InterfaceWhen a user logs in to the CX device by using a console port for local maintenance, you canconfigure attributes for the corresponding console user interface are needed.

4.2.1 Establishing the Configuration TaskBefore configuring the console user interface, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

4.2.2 Setting Physical Attributes of Console User InterfaceYou can configure the rate, flow control mode, parity mode, stop bit, and data bit for the consoleport.

4.2.3 Setting Terminal Attributes of Console User InterfaceThis section describes how to set terminal attributes of the console user interface, including theuser timeout disconnection function, number of lines displayed in a terminal screen, and size ofthe history command buffer.

4.2.4 Configuring User Priority of Console User InterfaceThis section describes how to control users' authority of logging in to the CX device and improvethe security of managing the CX device by configuring the user priority.

4.2.5 Configuring the User Authentication Mode of the Console User InterfaceThe system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the CXdevice.

4.2.6 Checking the ConfigurationAfter configuring the console user interface, you can view information about the user interface,physical attributes and configurations of the user interface, local user list, and online users.

4.2.1 Establishing the Configuration TaskBefore configuring the console user interface, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.


If you need to log in to the CX device for local maintenance by using a console port, you canconfigure the corresponding console user interface, including the physical attributes, terminalattributes, user priority, and user authentication mode. The preceding parameters have defaultvalues on the CX device and additional configuration is not needed. You can configure theseparameters as needed.


Before configuring a console user interface, complete the following tasks:

l Logging in to the CX device by using a terminal




Issue 01 (2011-05-30)

Data PreparationTo configure a console user interface, you need the following data.

No. Data

1 Baud rate, flow-control mode, parity, stop bit, and data bit

2 Idle timeout period, number of lines displayed in a terminal screen, and the size ofhistory command buffer

3 User priority

4 User authentication method, user name, and password

NOTE

All the default values (excluding the password and username) are stored on the CX device and do not needadditional configuration.

4.2.2 Setting Physical Attributes of Console User InterfaceYou can configure the rate, flow control mode, parity mode, stop bit, and data bit for the consoleport.

ContextPhysical attributes of a console port have default values on the CX device and no additionalconfiguration is needed.

NOTE

When a user logs in to a CX device through a console port, the physical attributes set for the console porton the HyperTerminal should be consistent with the attributes of the console user interface on the CXdevice. Otherwise, the user cannot log in to the CX device.

Procedure



Step 2 Run:user-interface console interface-number

The console user interface view is displayed.

Step 3 Run:speed speed-value

The baud rate is set.

By default, the baud rate is 9600 bit/s.

Step 4 Run:flow-control { hardware | none | software }



4-5

The flow control mode is set. By default, the flow-control mode is none.

Step 5 Run:parity { even | mark | none | odd | space }

The parity mode is set.

By default, the value is none.

Step 6 Run:stopbits { 1.5 | 1 | 2 }

The stop bit is set.

By default, the value is 1 bit.

Step 7 (Run:databits { 5 | 6 | 7 | 8 }

The data bit is set.

By default, the data bit is 8.

----End

4.2.3 Setting Terminal Attributes of Console User InterfaceThis section describes how to set terminal attributes of the console user interface, including theuser timeout disconnection function, number of lines displayed in a terminal screen, and size ofthe history command buffer.

ContextTerminal attributes of the console user interface have default values on the CX device and youcan set them as needed.

Procedure





Step 3 Run:shell

The terminal service is started.

Step 4 Run:idle-timeout minutes [ seconds ]

The idle timeout period is set.

If the connection keeps idle within the timeout period, the system automatically terminates theconnection.




Issue 01 (2011-05-30)

By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run:screen-length screen-length [temporary]

The length of a terminal screen is set.

The parameter temporary is used to display the number of lines to be temporarily displayed ona terminal screen.

By default, the length of a terminal screen is 24 lines.

Step 6 Run:history-command max-size size-value

The history command buffer is set.

By default, the size of history command buffer on a user interface is 10 entries.

----End

4.2.4 Configuring User Priority of Console User InterfaceThis section describes how to control users' authority of logging in to the CX device and improvethe security of managing the CX device by configuring the user priority.

Contextl Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater

the number, the higher the user level.l This process is to set the priority for a user who logs in through the console port. A user

can only use the commands with the level corresponding to the user level.For details about command levels, see "Command Level" in the chapter "CLI Overview" ofthe Configuration Guide - Basic Configuration.

ProcedureStep 1 Run:

system-view




Step 3 Run:user privilege level level

The priority of the user is set.

NOTE

l By default, users logging in through the console user interface can use commands at level 3, and userslogging in through other user interfaces can use commands at level 0.

l If the command level is inconsistent with the user level, the user level takes precedence.

----End



4-7

4.2.5 Configuring the User Authentication Mode of the ConsoleUser Interface

The system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the CXdevice.

ContextBy default, the user authentication mode of the console user interface is non-authentication.

Procedurel Configuring AAA Authentication

1. Run:system-view

The system view is displayed.2. Run:

user-interface console interface-number

The console user interface view is displayed.3. Run:

authentication-mode aaa

The authentication mode is set to AAA.4. Run:

quit

Exit from the console user interface view.5. Run:

aaa

The AAA view is displayed.6. Run:

local-user user-name password { simple | cipher } password

Name and password of the local user are created.l Configuring Password Authentication

1. Run:system-view




authentication-mode password

You can set the authentication mode as password authentication.4. Run:

set authentication password { cipher | simple } password




Issue 01 (2011-05-30)

A password for authentication is set.l Configuring Non-Authentication

1. Run:system-view




authentication-mode none

The authentication mode is set to non-authentication.

----End

4.2.6 Checking the ConfigurationAfter configuring the console user interface, you can view information about the user interface,physical attributes and configurations of the user interface, local user list, and online users.

PrerequisiteThe configurations of the user management function are complete.

Procedurel Run the display users [ all ] command to check information about the user interface.l Run the display user-interface console ui-number1 [ summary ] command to check

physical attributes and configurations of the user interface.l Run the display local-user command to check the local user list.l Run the display access-user command to check the local user list.

----End

ExampleRun the display users command, and you can view information about the current user interface.

<HUAWEI> display users User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag 0 CON 0 00:00:44 pass noUsername : Unspecified

Run the display user-interface console ui-number1 [ summary ] command, and you can viewthe physical attributes and configurations of the user interface.

<HUAWEI> display user-interface console 0 Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int 0 CON 0 9600 - 3 - N - + : Current UI is active. F : Current UI is active and work in async mode. Idx : Absolute index of UIs. Type : Type and relative index of UIs. Privi: The privilege of UIs. ActualPrivi: The actual privilege of user-interface. Auth : The authentication mode of UIs.



4-9

A: Authenticate use AAA. N: Current UI need not authentication. P: Authenticate use current UI's password. Int : The physical location of UIs.

Run the display local-user command, and you can view the local user list.

<HUAWEI> display local-user ---------------------------------------------------------------------------- Username State Type CAR Access-limit Online ---------------------------------------------------------------------------- user123 Active All Dft No 0 ll Active F Dft No 0 user1 Active F Dft No 0 ---------------------------------------------------------------------------- Total 3,3 printed

4.3 Configuring the AUX User InterfaceWhen a user logs in to the CX device for local or remote configuration by using an AUX port,configuring attributes in the corresponding AUX user interface is needed.

4.3.1 Establishing the Configuration TaskBefore configuring the AUX user interface, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

4.3.2 Setting Physical Attributes of AUX User InterfacePhysical attributes of the AUX user interface include the transmission rate, flow control mode,parity mode, stop bit, and data bit of the AUX port.

4.3.3 Setting Terminal Attributes of AUX User InterfaceThis section describes how to configure terminal attributes of the AUX user interface, includingthe user idle timeout, number of lines displayed in a terminal screen, and size of the historycommand buffer.

4.3.4 Setting User Priority of AUX User InterfaceThis section describes how to control users' authority of logging in to the CX device and improvethe security of managing the CX device by configuring the user priority.

4.3.5 Setting Modem Attributes of AUX User InterfaceYou can set the time period from picking up the signal to detecting the carrier when a call isestablished, modem for only incoming calls or for both incoming and outgoing calls, andautomatic answer.

4.3.6 (Optional) Configuring Auto-Execute Commands of AUX User InterfaceYou can set a command to be an auto-executed command.

4.3.7 Setting User Authentication Mode of AUX User InterfaceThe system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the CXdevice.

4.3.8 Checking the ConfigurationAfter configuring the AUX user interface, you can view the usage information of the userinterface, physical attributes and configurations of the user interface, local user list, and onlineusers.




Issue 01 (2011-05-30)

4.3.1 Establishing the Configuration TaskBefore configuring the AUX user interface, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.


If you need to log in to the CX device for remote maintenance by using an AUX port, you canconfigure the corresponding AUX user interface as needed by setting the physical attributes,terminal attributes, user priority, and user authentication mode. The preceding parameters havedefault values on the CX device and additional configuration is not needed.


Before configuring an AUX user interface, complete the following tasks:


Data Preparation

Before configuring an AUX user interface, you need the following data.

No. Data

1 Baud rate, flow-control mode, parity, stop bit, and data bit

2 Idle timeout period, number of lines displayed in a terminal screen, and the size ofhistory command buffer

3 User priority

4 Modem attributes

5 (Optional) Auto-execute commands


NOTE

All the default values (excluding the auto-run commands, password, and username) are stored on the CXdevice and do not need additional configuration.

4.3.2 Setting Physical Attributes of AUX User InterfacePhysical attributes of the AUX user interface include the transmission rate, flow control mode,parity mode, stop bit, and data bit of the AUX port.

Context

Physical attributes of the AUX user interface have default values on the CX device and noadditional configuration is needed.



4-11

Procedure



Step 2 Run:user-interface aux interface-number

The AUX user interface view is displayed.

Step 3 Run:speed speed-value

The transmission rate is set.

By default, the baud rate is 9600 bit/s.

Step 4 Run:flow-control { hardware | none | software }

The flow control mode is set.

By default, the flow-control mode is none.

Step 5 Run:parity { even | mark | none | odd | space }

The parity mode is set.

By default, the value is none.

Step 6 Run:stopbits { 1.5 | 1 | 2 }

The stop bit is set.

By default, the value is 1 bit.

Step 7 Run:databits { 5 | 6 | 7 | 8 }

The data bit is set.

By default, the value is 8.

NOTE

When the user logs in to a CX device through an AUX port, the configured attributes for the console porton the HyperTerminal should be in accordance with the attributes of the AUX user interface on the CXdevice. Otherwise, the user cannot log in to the CX device.

----End

4.3.3 Setting Terminal Attributes of AUX User InterfaceThis section describes how to configure terminal attributes of the AUX user interface, includingthe user idle timeout, number of lines displayed in a terminal screen, and size of the historycommand buffer.




Issue 01 (2011-05-30)

Context

Terminal attributes of the AUX user interface have default values on the CX device and you canconfigure them as needed.

Procedure





Step 3 Run:shell

AUX terminal service is enabled.

Step 4 Run:idle-timeout minutes [ seconds ]

User idle timeout is enabled.


By default, idle timeout period on the interface is 10 minutes.






The size of the history command buffer is configured.

By default, the size of history command buffer on user interface is 10 entries.

----End

4.3.4 Setting User Priority of AUX User InterfaceThis section describes how to control users' authority of logging in to the CX device and improvethe security of managing the CX device by configuring the user priority.



4-13




Procedure






The user priority is set.

NOTE

l By default, users logging in by using the AUX user interface can use commands at level 0.

l If the authority to use commands is inconsistent with the user level, the user level takes precedence.

----End

4.3.5 Setting Modem Attributes of AUX User InterfaceYou can set the time period from picking up the signal to detecting the carrier when a call isestablished, modem for only incoming calls or for both incoming and outgoing calls, andautomatic answer.

Procedure





Step 3 Run:modem timer answer seconds

The period between the system receiving the ring signal and the system waiting for the CD_UPis set. That is the time that elapses between picking up the signal to detecting the carrier, sincethe call is established.




Issue 01 (2011-05-30)

By default, the waiting time is 30 seconds.

Step 4 Run:modem [ both | call-in ]

The switch of incoming call or outgoing call is set.

By default, incoming and outgoing calls are prohibited.

Step 5 Run:modem auto-answer

Automatic answer is enabled.

By default, manual answering is enabled.

----End

4.3.6 (Optional) Configuring Auto-Execute Commands of AUX UserInterface

You can set a command to be an auto-executed command.

Context

CAUTIONAfter the auto-execute command command is run, you cannot perform general configurationin the system through a terminal.

Before configuring the auto-execute command command and the save command to save theexisting configurations, ensure that you can log in to the system using other methods to deletethe configurations.

Do as follows on the CX device that the user logs in to:

Procedure



Step 2 Run:user-interface aux 0


Step 3 Run:auto-execute command command

A command is specified as an auto-execute command.



4-15

Generally, the auto-execute command command is run to configure Telnet on a terminal. Afterthe configuration, the user can automatically connect to a designated host.

----End

4.3.7 Setting User Authentication Mode of AUX User InterfaceThe system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the CXdevice.

ContextBy default, the user authentication mode of the AUX user interface is non-authentication.


1. Run:system-view


user-interface aux interface-number

The AUX user interface view is displayed.3. Run:



quit

Exit from the AUX user interface view.5. Run:

aaa



Local user and password are configured.l Configuring Password Authentication

1. Run:system-view




authentication-mode password




Issue 01 (2011-05-30)

The authentication mode is set to password.4. Run:


A password is set.l Configuring Non-Authentication

1. Run:system-view





The authentication mode is set to non-authentication.

----End

4.3.8 Checking the ConfigurationAfter configuring the AUX user interface, you can view the usage information of the userinterface, physical attributes and configurations of the user interface, local user list, and onlineusers.

PrerequisiteConfigurations of the AUX user interface are complete.

Procedurel Run the display users [ all ] command to check usage information about the AUX user

interface.l Run the display user-interface aux interface-number [ summary ] command to check


----End


<HUAWEI> display users User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag 33 AUX 0 00:00:44 pass noUsername : Unspecified

Run the display user-interface aux ui-number1 [ summary ] command, and you can view thephysical attributes and configurations of the user interface.

<HUAWEI> display user-interface aux 0 Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int



4-17

33 AUX 0 9600 - 0 - N - + : Current UI is active. F : Current UI is active and work in async mode. Idx : Absolute index of UIs. Type : Type and relative index of UIs. Privi: The privilege of UIs. ActualPrivi: The actual privilege of user-interface. Auth : The authentication mode of UIs. A: Authenticate use AAA. N: Current UI need not authentication. P: Authenticate use current UI's password. Int : The physical location of UIs.



4.4 Configuring VTY User InterfaceIf you need to log in to the CX device for local or remote maintenance by using Telnet or SSH,you can configure the corresponding VTY user interface as needed.

4.4.1 Establishing the Configuration TaskBefore configuring the VTY user interface, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

4.4.2 Configuring Maximum VTY User InterfacesThis section describes how to limit the number of users logging in to the CX device byconfiguring the maximum number of VTY user interfaces.

4.4.3 (Optional)Setting Limit on Incoming and Outgoing Calls of VTY User InterfacesThis section describes how to configure an ACL to limit incoming and outgoing calls of theVTY user interface.

4.4.4 Setting Terminal Attributes of the VTY User InterfaceThis section describes how to configure terminal attributes of the VTY user interface, includinguser idle timeout, number of lines displayed in a terminal screen, and size of the history commandbuffer.

4.4.5 Setting User Priority of VTY User InterfaceThis section describes how to control users' authority of logging in to the CX device and improvethe security of managing the CX device by configuring the user priority.

4.4.6 Setting User Authentication Mode of the VTY User InterfaceThe system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the CXdevice.

4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User InterfacesNetwork Management System (NMS) users can log in to a device through VTY user interfacesto set parameters about the device.




Issue 01 (2011-05-30)

4.4.8 Checking the ConfigurationAfter configuring the VTY user interface, you can view information about user interfaces, themaximum number of VTY user interfaces, and physical attributes and configurations of userinterfaces.

4.4.1 Establishing the Configuration TaskBefore configuring the VTY user interface, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.


If you need to log in to the CX device for local or remote maintenance by using Telnet or SSH,you can configure the corresponding VTY user interface, including the maximum number ofVTY user interfaces, limit of incoming and outgoing calls, user priority, and user authenticationmode. The preceding parameters have default values on the CX device. You can also set theseparameters as needed.


Before configuring VTY user interface, complete the following tasks:


Data Preparation

To configure a VTY user interface, you need the following data.

No. Data

1 Maximum VTY user interfaces

2 (Optional) ACL code to limit VTY user interface to call in and out

3 Idle timeout period, number of characters in each line displayed in a terminal screen

4 User priority


NOTE

All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY userinterfaces, password, and user name) have default values on the CX device, and no additional configurationis needed.

4.4.2 Configuring Maximum VTY User InterfacesThis section describes how to limit the number of users logging in to the CX device byconfiguring the maximum number of VTY user interfaces.



4-19

Context

The maximum number of VTY user interfaces is the total number of users logging in to the CXdevice by using Telnet and SSH.

Procedure



Step 2 Run:user-interface maximum-vty number

The maximum VTY user interfaces that can log in to the CX device is set.

NOTE

When the maximum number of VTY user interfaces is set to zero, any user (including the NMS user) cannotlog in to the CX device by using a VTY user interface.

If the maximum number of VTY user interfaces to be configured is smaller than the maximumnumber of current interfaces, current online users will not be affected and no additionconfiguration is needed.

If the maximum number of VTY user interfaces to be configured is larger than the maximumnumber of current interfaces, the authentication mode and password need to be configured fornewly added user interfaces.

For newly added user interfaces, the system defaults to password authentication.

For example, a maximum of five users are allowed online. To allow 15 VTY users online at thesame time, you need to run the authentication-mode command and the set authenticationpassword command to configure authentication modes and passwords for user interfaces fromVTY 5 to VTY 14. The command is run as follows:

<HUAWEI> system-view[HUAWEI] user-interface maximum-vty 15[HUAWEI] user-interface vty 5 14[HUAWEI-ui-vty5-14] authentication-mode password[HUAWEI-ui-vty5-14] set authentication password cipher huawei

----End

4.4.3 (Optional)Setting Limit on Incoming and Outgoing Calls ofVTY User Interfaces

This section describes how to configure an ACL to limit incoming and outgoing calls of theVTY user interface.

Context

Before setting the limit on incoming and outgoing calls of the VTY user interface, run the aclcommand in the system view to create an ACL and enter the ACL view. Then, run the rulecommand to add rules to the ACL.




Issue 01 (2011-05-30)

NOTE

The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging from3000 to 3999.

Procedure



Step 2 Run:user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:acl acl-number { inbound | outbound }

The limits to calling in/out of VTY are configured.

l When you need to prevent a user of certain address or segment address from logging in tothe CX device, use the inbound command.

l When you need to prevent a user who logs in to a CX device from accessing other CXdevices, use the outbound command.

----End

4.4.4 Setting Terminal Attributes of the VTY User InterfaceThis section describes how to configure terminal attributes of the VTY user interface, includinguser idle timeout, number of lines displayed in a terminal screen, and size of the history commandbuffer.

ContextTerminal attributes of the VTY user interface have default values on the CX device and you canset them as needed.

Procedure



Step 2 Run:user-interface vty number1 [ number2 ]


Step 3 Run:shell

VTY terminal service is enabled.

Step 4 Run:



4-21

idle-timeout minutes [ seconds ]

User ilde timeout is enabled.


By default, the timeout period is 10 minutes.






Set the size of the history command buffer.

By default, a maximum number of 10 commands can be cached in the history command buffer.

----End

4.4.5 Setting User Priority of VTY User InterfaceThis section describes how to control users' authority of logging in to the CX device and improvethe security of managing the CX device by configuring the user priority.




Procedure



Step 2 Run:user-interface vty interface-number



The user priority is set.




Issue 01 (2011-05-30)

By default, users logging in through the VTY user interface can use commands at level 0.

NOTE

If the command level configured in the VTY user interface view is inconsistent with the user priority, theuser priority takes effect.

----End

4.4.6 Setting User Authentication Mode of the VTY User InterfaceThe system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the CXdevice.

ContextBy default, the user authentication mode of the VTY user interface is password authentication.


1. Run:system-view


user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.3. Run:



quit

Exit from the VTY user interface view.5. Run:

aaa



Name and password of the local user are created.l Configuring Password Authentication

1. Run:system-view






4-23

3. Run:authentication-mode password

Set the authentication mode as password.4. Run:


A password for this authentication mode is set.l Configuring Non-Authentication

1. Do as follows on the CX device, run:system-view



The VTY user interface view is displayed.3. Run:


The authentication mode is set to none.

----End

4.4.7 (Optional) Configuring NMS Users to Log In Through VTYUser Interfaces

Network Management System (NMS) users can log in to a device through VTY user interfacesto set parameters about the device.

ContextNMS users can log in to the CX device through VTY user interfaces to set parameters about theCX device.

Procedure



Step 2 Run:aaa

The AAA view is displayed.

Step 3 Run:local-user user-name password { simple | cipher } password

A local user is created.

Step 4 Run:local-user user-name user-type netmanager




Issue 01 (2011-05-30)

The local user is set as an NM user.

Step 5 Run:quit


Step 6 Run:user-interface vty first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 7 Run:authentication-mode aaa

An authentication mode used to log in to the user interface is configured.

NOTE

The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as specialchannels of the network management. The channels do not support the RSA authentication mode butsupport the password authentication.

Step 8 Run:quit


Step 9 Run:mmi-mode enable

The system is switched to the machine-to-machine mode.

NOTE

l This command is invisible to terminals and cannot be obtained by using the online help. In man-to-machine mode, exercise caution when using this command.

l In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS usercan log in through VTYs. A common user cannot log in through Telnet but can log in by using the fivereserved user interfaces.

l In the machine-to-machine mode, the system does not output logs, alarms, and debugging informationto the screen.

l In the machine-to-machine mode, the save and reboot commands can be used directly.

l In the machine-to-machine mode, a maximum of 512 lines are displayed by default. The value can beadjusted by using the screen-length command. In addition, you can run the screen-lengthtemporary command to adjust the number of lines temporarily displayed on the screen.

----End

4.4.8 Checking the ConfigurationAfter configuring the VTY user interface, you can view information about user interfaces, themaximum number of VTY user interfaces, and physical attributes and configurations of userinterfaces.

PrerequisiteThe configurations of the VTY user interface are complete.



4-25

Procedurel Run the display users [ all ] command to check information about user interfaces.l Run the display user-interface maximum-vty command to check the maximum number

of VTY user interfaces.l Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]

command to check the physical attributes and configurations of user interfaces.l Run the display local-user command to check the local user list.l Run the display vty mode command to check the VTY mode.

----End

ExampleRun the display users command, and you can view information about the current user interfaces.

<HUAWEI> display users User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag 34 VTY 0 00:00:12 TEL 10.138.77.38 noUsername : Unspecified+ 35 VTY 1 00:00:00 TEL 10.138.77.57 noUsername : Unspecified

Run the display user-interface maximum-vty command, and you can view the maximumnumber of VTY user interfaces.

<HUAWEI> display user-interface maximum-vty Maximum of VTY user:15

Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to checkthe physical attributes and configurations of user interfaces.

<HUAWEI> display user-interface vty 0 Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int+ 34 VTY 0 - 14 14 N - + : Current UI is active. F : Current UI is active and work in async mode. Idx : Absolute index of UIs. Type : Type and relative index of UIs. Privi: The privilege of UIs. ActualPrivi: The actual privilege of user-interface. Auth : The authentication mode of UIs. A: Authenticate use AAA. N: Current UI need not authentication. P: Authenticate use current UI's password. Int : The physical location of UIs.



Run the display vty mode command, and you can view the prompt message indicating that themachine-to-machine interface is enabled. For example:

<HUAWEI> display vty modecurrent VTY mode is Machine-Machine interface




Issue 01 (2011-05-30)

4.5 Configuration ExamplesThis section provides examples for configuring console, AUX, and VTY user interfaces. Theseconfiguration examples explain networking requirements, configuration roadmap, andconfiguration notes.

4.5.1 Example for Configuring Console User InterfaceThis part provides an example describing how to configure the console user interface. In thisconfiguration example, to allow a user in password authentication mode to log in to the CXdevice by using a console user interface, multiple attributes of the console user interface are set,including physical attributes, terminal attributes, user priority, user authentication mode, andpassword.

4.5.2 Example for Configuring AUX User InterfaceThis part provides an example describing how to configure the AUX user interface. In theconfiguration example, to allow a user in AAA authentication mode to log in to the CXdevice by using an AUX user interface, multiple attributes of the console user interface are set,including physical attributes, terminal attributes, user priority, user authentication mode, andpassword.

4.5.3 Example for Configuring VTY User InterfaceThis part provides an example describing how to configure the VTY user interface. In thisconfiguration example, to allow a user in password authentication mode to log in to the CXdevice by using Telnet or SSH (Stelnet), multiple attributes of the VTY user interface are set,including the maximum number of VTY user interfaces, call-in and call-out limit, terminalattributes, authentication mode, and password.

4.5.1 Example for Configuring Console User InterfaceThis part provides an example describing how to configure the console user interface. In thisconfiguration example, to allow a user in password authentication mode to log in to the CXdevice by using a console user interface, multiple attributes of the console user interface are set,including physical attributes, terminal attributes, user priority, user authentication mode, andpassword.

Networking Requirements

To initialize configurations of the CX device or locally maintain the CX device, a user can login to the CX device through a console user interface. To allow the user to log in, you can setattributes of the console user interface as needed (for security reasons, for example).

In the console user interface view, the user priority is set to 15, and the password authenticationmode is set (the password is huawei).

After a user logs in, if the user takes no action on the CX device for more than 30 minutes, theconnection between the user and the CX device is torn down.

Configuration Roadmap

The configuration roadmap is as follows:

1. Enter the interface view and set physical attributes of the console user interface.



4-27

2. Set terminal attributes of the console user interface.3. Set the user priority of the console user interface.4. Set the user authentication mode and password of the console user interface.

Data PreparationTo complete the configuration, you need the following data:

l Transmission rate of the console user interface: 4800 bit/sl Flow control mode of the console user interface: Nonel Parity of the console user interface: evenl Stop bit of the console user interface: 2l Data bit of the console user interface: 6l Timeout period for disconnecting from the console user interface: 30 minutesl Number of lines that a terminal screen displays: 30l Size of the history command buffer: 20l User priority: 15l User authentication mode: password (password: huawei)

Procedure

Step 1 Set physical attributes of the console user interface.<HUAWEI> system-view[HUAWEI] user-interface console 0[HUAWEI-ui-console0] speed 4800[HUAWEI-ui-console0] flow-control none[HUAWEI-ui-console0] parity even[HUAWEI-ui-console0] stopbits 2[HUAWEI-ui-console0] databits 6

Step 2 Set terminal attributes of the console user interface.[HUAWEI-ui-console0] shell[HUAWEI-ui-console0] idle-timeout 30[HUAWEI-ui-console0] screen-length 30[HUAWEI-ui-console0] history-command max-size 20

Step 3 Set the user priority of the console user interface.[HUAWEI-ui-console0] user privilege level 15

Step 4 Set the user authentication mode in the console user interface to password.[HUAWEI-ui-console0] authentication-mode password[HUAWEI-ui-console0] set authentication password simple huawei[HUAWEI-ui-console0] quit

After the console user interface is configured, a user in password authentication mode can login to the CX device through a console port, implementing local maintenance of the CX device.For details on how a user logs in to the CX device, see the 5 Configuring User Login.

----End

Configuration Files# sysname HUAWEI#




Issue 01 (2011-05-30)

user-interface con 0 authentication-mode password user privilege level 15 set authentication password simple huawei history-command max-size 20 idle-timeout 30 0 screen-length 30 databits 6 parity even stopbits 2 speed 4800 screen-length 30#return

4.5.2 Example for Configuring AUX User InterfaceThis part provides an example describing how to configure the AUX user interface. In theconfiguration example, to allow a user in AAA authentication mode to log in to the CXdevice by using an AUX user interface, multiple attributes of the console user interface are set,including physical attributes, terminal attributes, user priority, user authentication mode, andpassword.


To maintain the CX device locally or remotely, a user can log in to the CX device through anAUX user interface.

To allow the user login, an operator can set attributes of the AUX user interface as needed (forsecurity reasons, for example).

In the AUX user interface, the user priority is set to 15, and the authentication mode is set toAAA, with the user name of user123 and the password of huawei.

After a user logs in, if the user takes no action on the CX device for more than 30 minutes, theconnection between the user and the CX device is torn down.



1. Enter the interface view and set physical attributes of the AUX user interface.2. Set terminal attributes of the AUX user interface.3. Set the user priority of the AUX user interface.4. Set modem attributes of the AUX user interface.5. Set the authentication mode and password in the AUX user interface.

Data Preparation

To complete the configuration, you need the following data:

l Transmission rate of the AUX user interface: 9600 bit/sl Flow control mode of the AUX user interface: Nonel Parity of the AUX user interface: Nonel Stop bit of the AUX user interface: 1



4-29

l Data bit of the AUX user interface: 8l Timeout period for disconnecting from the AUX user interface: 30 minutesl Number of lines that a terminal screen displays: 30l Size of the history command buffer: 20l User priority: 15l Modem attributes: idle timeout from off-hook to carrier detection (45 seconds), call-in

permission, and automatic responsel User authentication mode and password in the AUX user interface

Procedure

Step 1 Set physical attributes of the AUX user interface.<HUAWEI> system-view[HUAWEI] user-interface aux 0[HUAWEI-ui-aux0] speed 9600[HUAWEI-ui-aux0] flow-control none[HUAWEI-ui-aux0] parity none[HUAWEI-ui-aux0] stopbits 1[HUAWEI-ui-aux0] databits 8

All the preceding physical attributes of the AUX user interface are set with default values. Infact, if a user chooses to use the default values, the user does not need to set them. The precedingsettings only mean to provide the configuration method.

Step 2 Set terminal attributes of the AUX user interface.[HUAWEI-ui-aux0] shell[HUAWEI-ui-aux0] idle-timeout 30[HUAWEI-ui-aux0] screen-length 30[HUAWEI-ui-aux0] history-command max-size 20

Step 3 Set the user priority of the AUX user interface.[HUAWEI-ui-aux0] user privilege level 15

Step 4 Set modem attributes of the AUX user interface.[HUAWEI-ui-aux0] modem timer answer 45[HUAWEI-ui-aux0] modem call-in[HUAWEI-ui-aux0] modem auto-answer

Step 5 Set the authentication mode of the AUX user interface to AAA.[HUAWEI-ui-aux0] authentication-mode aaa[HUAWEI-ui-aux0] quit[HUAWEI] aaa[HUAWEI-aaa] local-user user123 password simple huawei[HUAWEI-aaa] quit

After the AUX user interface is configured, a user in AAA authentication mode can log in tothe CX device through an AUX port, implementing maintenance of the CX device. For detailson how a user logs in to the CX device, refer to the 5 Configuring User Login.

----End

Configuration Files# sysname HUAWEI#user-interface aux 0 authentication-mode aaa user privilege level 15




Issue 01 (2011-05-30)

history-command max-size 20 idle-timeout 30 0 modem call-in modem auto-answer modem timer answer 45 screen-length 30#return

4.5.3 Example for Configuring VTY User InterfaceThis part provides an example describing how to configure the VTY user interface. In thisconfiguration example, to allow a user in password authentication mode to log in to the CXdevice by using Telnet or SSH (Stelnet), multiple attributes of the VTY user interface are set,including the maximum number of VTY user interfaces, call-in and call-out limit, terminalattributes, authentication mode, and password.


A user logs in to the CX device through a VTY channel by using Telnet or SSH. To allow theuser login, an operator can set attributes of the VTY user interface as needed (for security reasons,for example).

In the VTY user interface, the user priority is set to 15, the authentication mode is set to password,with the password of "huawei", and the user with the IP address of 10.1.1.1 is prohibitted fromlogging in to the CX device.

After logging in, if the user takes no action on the CX device for more than 30 minutes, theconnection between the user and the CX device is torn down.



1. Enter the interface view and set the maximum number of VTY user interfaces to 15.2. Set the call-in and call-out limit of the VTY user interface, limiting the access of an IP

address or an IP address segment to the CX device.3. Set terminal attributes of the VTY user interface.4. Set the user priority in the VTY user interface.5. Set the authentication mode and password in the VTY user interface.

Data Preparation


l Maximum number of VTY user interfaces: 15l ACL applied to limit call-in in the VTY user interface: 2000l Timeout period for disconnecting from the VTY user interface: 30 minutesl Number of lines that a terminal screen displays: 30l Size of the history command buffer: 20l User priority: 15l User authentication mode: password, password: huawei



4-31

Procedure

Step 1 Set the maximum number of VTY user interfaces.<HUAWEI> system-view[HUAWEI] user-interface maximum-vty 15

Step 2 Set the limit on call-in and call-out in the VTY user interface.[HUAWEI] acl 2000[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0[HUAWEI-acl-basic-2000] quit[HUAWEI] user-interface vty 0 14[HUAWEI-ui-vty0-14] acl 2000 inbound

Step 3 Set terminal attributes of the VTY user interface.[HUAWEI-ui-vty0-14] shell[HUAWEI-ui-vty0-14] idle-timeout 30[HUAWEI-ui-vty0-14] screen-length 30[HUAWEI-ui-vty0-14] history-command max-size 20

Step 4 Set the user priority in the VTY user interface.[HUAWEI-ui-vty0-14] user privilege level 15

Step 5 Set the authentication mode and password in the VTY user interface.[HUAWEI-ui-vty0-14] authentication-mode password[HUAWEI-ui-vty0-14] set authentication password simple huawei[HUAWEI-ui-vty0-14] quit

After the VTY user interface is configured, a user authenticated in password mode can log in tothe CX device by using Telnet or SSH (Stelnet), implementing local or remote maintenance ofthe CX device. For details on how a user logs in to the CX device, see the 5 Configuring UserLogin.

----End

Configuration Files# sysname HUAWEI#acl number 2000 rule 5 deny source 10.1.1.1 0 rule permit source any#user-interface maximum-vty 15user-interface vty 0 14 acl 2000 inbound user privilege level 15 set authentication password simple huawei history-command max-size 20 idle-timeout 30 0 screen-length 30#return




Issue 01 (2011-05-30)

5 Configuring User Login

About This Chapter

A user can log in to the CX device through a console port, an AUX port, or by using Telnet orSSH (STelnet). After the login, the user can maintain the CX device locally or remotely.

5.1 Overview of User LoginUsers can manage and maintain the CX device only after logging in to the CX device. Users canlog in to the CX device by using the AUX port, console port, Telnet, or STelnet (SSH Telnet).

5.2 Logging in to the Devices Through the Console PortWhen a user needs to configure the CX device that is powered on for the first time or locallymaintain the CX device, the user can log in to the CX device through a console port.

5.3 Logging in to the Devices Through the AUX PortWhen a user terminal and the CX device have no reachable route between each other, the usercan remotely configure and manage or locally maintain the CX device by logging in to the CXdevice through an AUX port.

5.4 Logging in to the Devices by Using TelnetIf multiple CX devices need to be configured and managed, you do not need to connect the CXdevices and maintain them locally one by one. Instead, you can log in to the CX devices froma terminal by using Telnet. This implements remote maintenance of the CX device and greatlyfacilitates device management.

5.5 Logging in to the Devices by Using STelnetSTelnet provides secured remote access over an insecure network. After the client/servernegotiation is complete and a secured connection is established, a user can log in to the CXdevice in a similar way as Telnet.

5.6 Common Operations After LoginAfter logging in to the CX device, you can perform following operations as needed, such as userpriority switching and terminal window locking.

5.7 Configuration ExamplesThis section provides several examples describing how to configure user login by using a consoleport, Telnet, or STelnet. You can understand the configuration procedures by referring to the

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 5 Configuring User Login


5-1

configuration flowchart. The configuration examples provide information about the networkingrequirements, configuration notes, and configuration roadmap.

5 Configuring User LoginHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

5.1 Overview of User LoginUsers can manage and maintain the CX device only after logging in to the CX device. Users canlog in to the CX device by using the AUX port, console port, Telnet, or STelnet (SSH Telnet).

To configure, monitor, and maintain the local or remote network devices running CX600, youneed to configure the user interface, the user management, and the terminal service.

The user interface provides a login plane. The user management guarantees the login securityand the terminal service provides related processes of login protocol.

The CX600 supports the following login methods:

l Login through the console port

l Local or remote login through the AUX port

l Local or remote login through Telnet or STelnet

Table 5-1 User login modes

Login Mode Application

Console port Users log in to the CX device through the console port to configure the CXdevice locally. Login through the console port is required when the CXdevice is powered on for the first time.

Telnet Users log in to the CX device by using Telnet for local and remotemaintenance. Telnet helps users maintain remote devices but brings securitythreats.

AUX port Users log in to the CX device through the AUX port to maintain the CXdevice locally when there is no available route and Telnet is unsuitable.

SSH (STelnet) SSH (STelnet) provides security protection for users logging in to the CXdevice to maintain the CX device locally or remotely.

NOTE

Logins by using Telnet bring security risks because no secure authentication mechanism is available anddata is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees secure data transmissionon a conventional insecure network by authenticating the client and encrypting data in both directions. SSHsupports security Telnet (STelnet).

For detailed information about SSH, see the CX600 Feature Description - Basic Configurations.

5.2 Logging in to the Devices Through the Console PortWhen a user needs to configure the CX device that is powered on for the first time or locallymaintain the CX device, the user can log in to the CX device through a console port.

5.2.1 Establishing the Configuration Task



5-3

Before configuring user login through a console port, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.

5.2.2 Configuring Console User InterfaceTo allow users to log in to the CX device through a console port, configure attributes of theconsole user interface.

5.2.3 Logging in to the CX device Through a Console PortA user can log in to the CX device by connecting a terminal with the CX device through a consoleport.

5.2.4 Checking the ConfigurationAfter a user logs in through a console port, the user can view information on the console userinterface, such as use information, physical attributes and configurations, local user list, andonline users.

5.2.1 Establishing the Configuration TaskBefore configuring user login through a console port, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.


A user can log in to the CX device locally through a console port. If the CX device is poweredon for the first time, the user has to log in through a console port.


Before configuring user login through a console port, complete the following tasks:

l Configuring the PC/terminal (including the serial port and RS-232 cable)

l Installing the terminal emulator (such as HyperTerminal of Windows XP) to the PC

Data Preparation

To configure user login through a console port, you need the following data.

No. Data

1 l Transmission rate, flow control mode, parity mode, stop bit, data bitl Number of lines displayed in a terminal screen, size of the history command bufferl User priorityl User authentication mode, user name, and password

5.2.2 Configuring Console User InterfaceTo allow users to log in to the CX device through a console port, configure attributes of theconsole user interface.




Issue 01 (2011-05-30)

ContextAttributes of an console user interface have default values on the CX device, and generally needno additional settings. To meet specific application requirements or ensure network security,you can set attributes of the console user interface, such as terminal attributes and userauthentication mode.

For detailed settings, see Configuring Console User Interface.

5.2.3 Logging in to the CX device Through a Console PortA user can log in to the CX device by connecting a terminal with the CX device through a consoleport.

ContextFor details, see Login Through the Console PortCX device.

NOTE

l Communication parameters of the user terminal must be consistent with the physical attributeparameters of the console user interface on the CX device.

l If a user authentication mode is specified in the console user interface, a user can log in to the CXdevice only after passing the authentication. This enhances network security.

5.2.4 Checking the ConfigurationAfter a user logs in through a console port, the user can view information on the console userinterface, such as use information, physical attributes and configurations, local user list, andonline users.

PrerequisiteConfigurations of user login through a console port are complete.

Procedurel Run the display users [ all ] command to check information about the user interface.l Run the display user-interface console ui-number1 [ summary ] command to check


----End


<HUAWEI> display users User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag 0 CON 0 00:00:44 pass noUsername : Unspecified

Run the display user-interface console ui-number1 [ summary ] command, and you can viewthe physical attributes and configurations of the user interface.



5-5

<HUAWEI> display user-interface console 0 Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int 0 CON 0 9600 - 3 - N - + : Current UI is active. F : Current UI is active and work in async mode. Idx : Absolute index of UIs. Type : Type and relative index of UIs. Privi: The privilege of UIs. ActualPrivi: The actual privilege of user-interface. Auth : The authentication mode of UIs. A: Authenticate use AAA. N: Current UI need not authentication. P: Authenticate use current UI's password. Int : The physical location of UIs.



5.3 Logging in to the Devices Through the AUX PortWhen a user terminal and the CX device have no reachable route between each other, the usercan remotely configure and manage or locally maintain the CX device by logging in to the CXdevice through an AUX port.

5.3.1 Establishing the Configuration TaskBefore configuring user login through an AUX port, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.

5.3.2 Configuring AUX User InterfaceTo allow users to log in to the CX device through an AUX port, configure attributes of the AUXuser interface.

5.3.3 Logging in to the CX deviceThrough an AUX PortYou can establish a connection between a terminal and the CX device through an AUX port.

5.3.4 Checking the ConfigurationAfter a user log in through an AUX port, the user can view information on the console userinterface, such as use information, physical attributes and configurations, local user list, andonline users.

5.3.1 Establishing the Configuration TaskBefore configuring user login through an AUX port, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.

Applicable EnvironmentYou can configure and maintain the CX device locally or remotely through an AUX port.




Issue 01 (2011-05-30)

In local configuration of the CX device, the AUX login method is similar to the console loginmethod. The only difference between the two login methods lies in the default user priority: Thedefault user priority of the console user interface is 3, whereas that of the AUX user interface is0. Therefore, Logging in by using the console login method is recommended in the localconfiguration. The following part mainly describes remote login of the CX device through anAUX port.

NOTE

To manage and maintain the CX device through an AUX port, firstly modify the user priority of the AUXuser interface.

When there is no reachable route between a PC and the CX device, you can connect the serialport of the PC to the AUX port of the CX device by using a modem. In this manner, you can usethe PSTN to configure and maintain the CX device remotely.

As shown in Figure 5-1, The COM interface of the PC is connected to the modem that isconnected to the PSTN. The AUX port of the CX device is connected to another modem that isconnected to the PSTN.

Figure 5-1 Networking diagram of remote login through an AUX port

PSTN

PC CX600Modem Modem

Pre-configuration TasksBefore configuring user login through an AUX port, complete the following tasks:

l Connecting the PC to the CX device through modemsl Configuring the modeml Installing a terminal emulator (such as HyperTerminal of Windows XP) in the PC

Data PreparationTo configure user login through an AUX port, you need the following data.

No. Data

1 l Transmission rate, flow control mode, parity, stop bit, data bitl Number of lines displayed in a terminal screen, size of the history command bufferl user priorityl modem attributesl (Optional) Auto-run commandsl User authentication mode, user name, password

2 Telephone number of the modem at the remote CX device side.



5-7

5.3.2 Configuring AUX User InterfaceTo allow users to log in to the CX device through an AUX port, configure attributes of the AUXuser interface.

Context

Attributes of an AUX user interface have default values on the CX device, and generally needno additional settings. To meet specific application requirements or ensure network security,you can also set attributes of the AUX user interface, such as terminal attributes and userauthentication mode.

For detailed settings, see Configuring AUX User Interface.

5.3.3 Logging in to the CX deviceThrough an AUX PortYou can establish a connection between a terminal and the CX device through an AUX port.

Procedure

Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) in the PC to establish aconnection with the CX device, as shown in Figure 5-2.

Figure 5-2 Connection creating

Step 2 Set dialing information, as shown in Figure 5-3.




Issue 01 (2011-05-30)

Figure 5-3 Dialing information setting

Step 3 Establish a connection with the CX device, as shown in Figure 5-4.

Figure 5-4 Remote connection with the CX device

If certain communication parameters need to be modified, press Modify in the Figure 5-4, asshown in Figure 5-5, and then press Set, as shown in Figure 5-6.



5-9

Figure 5-5 Connection attribute modification




Issue 01 (2011-05-30)

Figure 5-6 Communications parameters setting

Step 4 Press Dialing. If user authentication is needed, input the corresponding authenticationinformation, and wait till the command line prompt of the user view appears, such as<HUAWEI>. This indicates that the user view is entered and relevant configurations can beinput.

----End

5.3.4 Checking the ConfigurationAfter a user log in through an AUX port, the user can view information on the console userinterface, such as use information, physical attributes and configurations, local user list, andonline users.

PrerequisiteConfigurations of user login through the AUX port are complete.

Procedurel Run the display users [ all ] command to check usage information about the AUX user

interface.l Run the display user-interface aux interface-number [ summary ] command to check

physical attributes and configurations of the user interface.



5-11

l Run the display local-user command to check the local user list.l Run the display access-user command to check the local user list.

----End

ExampleRun the display users command, and you can view information about the current user interface.<HUAWEI> display users User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag 33 AUX 0 00:00:44 pass noUsername : Unspecified

Run the display user-interface aux ui-number1 [ summary ] command, and you can view thephysical attributes and configurations of the user interface.<HUAWEI> display user-interface aux 0 Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int 33 AUX 0 9600 - 0 - N - + : Current UI is active. F : Current UI is active and work in async mode. Idx : Absolute index of UIs. Type : Type and relative index of UIs. Privi: The privilege of UIs. ActualPrivi: The actual privilege of user-interface. Auth : The authentication mode of UIs. A: Authenticate use AAA. N: Current UI need not authentication. P: Authenticate use current UI's password. Int : The physical location of UIs.

Run the display local-user command, and you can view the local user list.<HUAWEI> display local-user ---------------------------------------------------------------------------- Username State Type CAR Access-limit Online ---------------------------------------------------------------------------- user123 Active All Dft No 0 ll Active F Dft No 0 user1 Active F Dft No 0 ---------------------------------------------------------------------------- Total 3,3 printed

5.4 Logging in to the Devices by Using TelnetIf multiple CX devices need to be configured and managed, you do not need to connect the CXdevices and maintain them locally one by one. Instead, you can log in to the CX devices froma terminal by using Telnet. This implements remote maintenance of the CX device and greatlyfacilitates device management.

5.4.1 Establishing the Configuration TaskBefore configuring user login by using Telnet, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.

5.4.2 Configuring VTY User InterfaceTo log in to the CX device by using Telnet, configure attributes of the VTY user interface.

5.4.3 (Optional) Configuring Local Telnet UsersIf the user authentication mode is AAA in the VTY user interface, the access type of local usersneeds to be specified. Local users with the access type of Telnet are Telnet users.




Issue 01 (2011-05-30)

5.4.4 Enabling the Telnet ServiceBefore a terminal establishes a Telnet connection with the CX device, enable the Telnet serverfunction on the CX device.

5.4.5 (Optional) Configuring Listening Port Number for Telnet ServerA user can configure or change the listening port number of the Telnet server. Changing thelistening port number ensures network security, because only the user that knows the currentlistening port number can log in to the CX device.

5.4.6 Logging in to the CX device by Using TelnetAfter the CX device is configured, you can log in to the CX device from a terminal by usingTelnet, implementing remote maintenance of the CX device.

5.4.7 Checking the ConfigurationAfter users log in to the system by using Telnet, you can view the connection status of the currentuser interface, connection status of each user interface, and status of all established TCPconnections.

5.4.1 Establishing the Configuration TaskBefore configuring user login by using Telnet, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.


If you have known the IP address of the CX device to be accessed, you can log in to the CXdevice from a terminal by using Telnet, and remotely maintain the device. This allows you tomaintain multiple CX devices on the same terminal, greatly facilitating device management.

Note that IP addresses of the CX devices need to be preset through console ports.


Before configuring user login in Telnet mode, complete the following tasks:

l Configuring reachable routes between the terminal and the device

Data Preparation

Before configuring user login in Telnet mode, you need the following data.

No. Data

1 l Maximum number of VTY user interfacesl (Optional) ACL for limiting call-in and call-out in VTY user interfacesl Connection timeout period of terminal users, number of lines displayed in a

terminal screen, size of the history command bufferl User priorityl User authentication mode, user name, password

2 TCP port number for the remote CX device to provide Telnet services, VPN instancename



5-13

No. Data

3 IPv4/IPv6 address or host name of the CX device

5.4.2 Configuring VTY User InterfaceTo log in to the CX device by using Telnet, configure attributes of the VTY user interface.

ContextBy default, the user authentication mode in the VTY user interface is password. Therefore, beforea user logs in to the CX device by using Telnet, the user authentication mode in the VTY userinterface must be set. Otherwise, the user cannot log in to the CX device.

You can log in to the CX device through a console port to set the user authentication mode inthe VTY user interface.

Other attributes of the VTY user interface in the CX device, such as terminal attributes and userpriorities, can also be set as needed. These attributes, however, generally do not need to be setbecause they have default values.

For detailed settings, see Configuring VTY User Interface.

5.4.3 (Optional) Configuring Local Telnet UsersIf the user authentication mode is AAA in the VTY user interface, the access type of local usersneeds to be specified. Local users with the access type of Telnet are Telnet users.

ContextIf the user authentication mode of the VTY user interface is non-authentication or passwordauthentication, the following configurations are not needed.

By default, a local user can apply for any access type. You can specify an access type to allowonly users configured with the specified access type to log in to the CX device.

Do as follows on the CX device that functions as a Telnet server:

Procedure



Step 2 Run:aaa



The local user name and password are set.




Issue 01 (2011-05-30)

Step 4 Run:local-user user-name service-type telnet

The access type of the local user is set to Telnet.

----End

5.4.4 Enabling the Telnet ServiceBefore a terminal establishes a Telnet connection with the CX device, enable the Telnet serverfunction on the CX device.

ContextBy default, the function of the Telnet server is enabled.

Do as follows on the CX device that serves as an Telnet server.

Select and perform one of the following two steps for IPv4 or IPv6.

Procedurel For the IPv4 network

1. Run:system-view


telnet server enable

The Telnet service is enabled.

l For the IPv6 network1. Run:

system-view


telnet ipv6 server enable

The Telnet service is enabled.

NOTE

l If the undo telnet [ipv6] server enable command is run when a user logs in by usingTelnet, the command does not take effect.

l After the Telnet server function is disabled, you can log in to the device only using SSHor an asynchronous serial port rather than using Telnet.

----End

5.4.5 (Optional) Configuring Listening Port Number for TelnetServer

A user can configure or change the listening port number of the Telnet server. Changing thelistening port number ensures network security, because only the user that knows the currentlistening port number can log in to the CX device.



5-15

ContextBy default, the listening port number of a Telnet server is 23. Users can directly log in to theCX device by using the default listening port number. Attackers probably access the defaultlistening port, reducing available bandwidth, deteriorating performance of the server, andcausing valid users unable to access the server. After the listening port number of the Telnetserver is changed, attackers do not know the new listening port number. This effectively preventsattackers from accessing the listening port.

Do as follows on the CX device that functions as a Telnet server:


system-view


Step 2 Run:telnet server port port-number

The listening port number of the Telnet server is set.

If a new listening port number is set, the Telnet server terminates all established Telnetconnections, and then uses the new port number to listen to new requests for Telnet connections.

----End

5.4.6 Logging in to the CX device by Using TelnetAfter the CX device is configured, you can log in to the CX device from a terminal by usingTelnet, implementing remote maintenance of the CX device.

ContextIf you need to log in to the CX device by using Telnet, you can use either windows commandlines or a third-party software in the terminal. In this part, the windows command line promptis used.

Do as follows on the user terminal:

ProcedureStep 1 Use the windows command line.

Step 2 Run the telnet ip-address command to telnet the CX device.1. Input the IP address of the Telnet server.




Issue 01 (2011-05-30)

2. Press "Enter" to display the command line prompt of the system view, such as

<HUAWEI>. This indicates that you have accessed the Telnet server.

----End

5.4.7 Checking the ConfigurationAfter users log in to the system by using Telnet, you can view the connection status of the currentuser interface, connection status of each user interface, and status of all established TCPconnections.

PrerequisiteConfigurations of logins by using Telnet are complete.

Procedurel Run the display users [ all ] command to check information about logged-in users on user

interfaces.l Run the display tcp status command to check TCP connections.l Run the display telnet server status command to check the configuration and status of the

Telnet server.

----End

ExampleRun the display users command to view information about the currently-used user interface.

<HUAWEI]> display users User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag 34 VTY 0 00:00:12 TEL 10.138.77.38 no



5-17

Username : Unspecified+ 35 VTY 1 00:00:00 TEL 10.138.77.57 noUsername : Unspecified

Run the display tcp status command to view TCP connections. In the command output,Established indicates that a TCP connection has been established.

<HUAWEI> display tcp statusTCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 Listening34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0 Established

Run the display telnet server status command to view the configuration and status of the Telnetserver.

<HUAWEI> display telnet server statusTelnet IPV4 server :EnableTelnet IPV6 server :EnableTelnet server port :23

5.5 Logging in to the Devices by Using STelnetSTelnet provides secured remote access over an insecure network. After the client/servernegotiation is complete and a secured connection is established, a user can log in to the CXdevice in a similar way as Telnet.

5.5.1 Establishing the Configuration TaskBefore configuring users to log in by using STelnet, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.

5.5.2 Configuring VTY User InterfaceTo allow a user to log in to the CX device by using STelnet, configure attributes of the VTYuser interface.

5.5.3 Configuring SSH for the VTY User InterfaceTo allow users to log in to the CX device by using STelnet, you need to configure VTY userinterfaces to support SSH.

5.5.4 Configuring an SSH User and Specifying STelnet as One of Service TypesTo allow a user to log in to the CX device by using STelnet, you must configure an SSH user,configure the CX device to generate a local RSA key pair, configure a user authentication mode,and specify a service type for the SSH user.

5.5.5 Enabling the STelnet Server FunctionTo allow users to log in to the CX device by using STelnet, you must enable the STelnet serverfunction on the CX device.

5.5.6 (Optional) Configuring the STelnet Server ParametersYou can configure a device to be compatible with the SSH protocol of earlier versions, configureor change the listening port number of an SSH server, and set an interval at which the key pairof the SSH server is updated.

5.5.7 Logging in to the CX device by Using STelnetAfter the CX device is configured, a user can log in to the CX device from a terminal by usingSTelnet, implementing remote maintenance of the CX device.




Issue 01 (2011-05-30)

5.5.8 Checking the ConfigurationAfter configuring users to log in by using STelnet, you can view the SSH server configuration.

5.5.1 Establishing the Configuration TaskBefore configuring users to log in by using STelnet, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This will helpyou complete the configuration task quickly and accurately.


Logins by using Telnet bring security risks because no secure authentication mechanism isavailable and data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guaranteessecure data transmission on a conventional insecure network by authenticating the client andencrypting data in both directions.

STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manneras using the Telnet service.


Before configuring users to log in by using STelnet, complete the following task:


Data Preparation

To configure users to log in by using STelnet, you need the following data:

No. Data

1 Maximum number of VTY user interfaces, (optional) ACL for limiting call-in andcall-out in VTY user interfaces, connection timeout period of terminal users, numberof rows displayed in a terminal screen, size of the history command buffer, userauthentication mode, user name, and password

2 User name, password, authentication mode, and service type of an SSH user andremote public RSA key pair allocated to the SSH user

3 (Optional) Name of an SSH server, number of the port monitored by the SSH server,preferred encryption algorithm from the STelnet client to the SSH server, preferredencrypted algorithm from the SSH server to the STelnet client, preferred HMACalgorithm from the STelnet client to the SSH server, preferred HMAC algorithm fromthe SSH server to the STelnet client, preferred algorithm of key exchange, name ofthe outgoing interface, and source address

5.5.2 Configuring VTY User InterfaceTo allow a user to log in to the CX device by using STelnet, configure attributes of the VTYuser interface.



5-19

Context

By default, the user authentication mode in the VTY user interface is password. Therefore, beforea user logs in to the CX device by using STelnet, the user authentication mode in the VTY userinterface must be set. Otherwise, the user cannot log in to the CX device.

You can log in to the CX device through a console port to set the user authentication mode inthe VTY user interface.



5.5.3 Configuring SSH for the VTY User InterfaceTo allow users to log in to the CX device by using STelnet, you need to configure VTY userinterfaces to support SSH.

Context

By default, user interfaces support Telnet. If no user interface is configured to support SSH,users cannot log in to the CX device by using STelnet.

Do as follows on the CX device that serves as an SSH server:

Procedure



Step 2 Run:user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.


The AAA authentication mode is configured.

Step 4 Run:protocol inbound ssh

The VTY user interface is configured to support SSH.

NOTE

If a VTY user interface is configured to support SSH, the VTY user interface must be configured withAAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.

----End




Issue 01 (2011-05-30)

5.5.4 Configuring an SSH User and Specifying STelnet as One ofService Types

To allow a user to log in to the CX device by using STelnet, you must configure an SSH user,configure the CX device to generate a local RSA key pair, configure a user authentication mode,and specify a service type for the SSH user.

Context

l SSH users can be authenticated in four modes: RSA, password, password-RSA, and all.Password authentication depends on Authentication, Authorization and Accounting(AAA). Before a user logs in to the CX device in password or password-RSA authenticationmode, you must create a local user with the specified user name in the AAA view.

l Configuring the CX device to generate a local RSA key pair is a key step for SSH login.If an SSH user logs in to an SSH server in password authentication mode, configure theserver to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSAauthentication mode, configure both the server and the client to generate local RSA keypairs.

NOTE

Password-RSA authentication requires success of both password authentication and RSA authentication.The all authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the CX device that functions as an SSH server:

Procedure



Step 2 Run:ssh user user-name

1. Run:aaa



Name and password of the local user are created.

Step 3 Run:rsa local-key-pair create

A local RSA key pair is generated.

NOTE

l Before performing the other SSH configurations, you must configure the rsa local-key-pair createcommand to generate a local key pair.

l After generating the local key pair,you can perform the display rsa local-key-pair public commandto view the public key in the local key pair.



5-21

Step 4 Run:ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for SSH users is configured.

Perform the following as required:

l Authenticate the SSH user through the password.– Run:

ssh user user-name authentication-type password

The password authentication is configured for the SSH user.– Run:

ssh authentication-type default password

The default password authentication is configured for the SSH user.For the local authentication or HWTACACS authentication, if the number of SSH usersis small, you can adopt the former command; if the number of SSH users is large, adoptthe later command to simplify the configuration.

l Authenticate the SSH user through RSA.1. Run:

ssh user user-name authentication-type rsa

The RSA authentication is configured for the SSH user.2. Run:

rsa peer-public-key key-name

The public key view is displayed.3. Run:

public-key-code begin

The public key editing view is displayed.4. Run:

hex-data

The public key is edited.

NOTE

l In the public key view, only hexadecimal strings complying with the public key format can betyped in. Each string is randomly generated on an SSH client. For detailed operations, see manualsfor SSH client software.

l After the public key editing view is displayed, the RSA public key generated on the client canbe sent to the server. Copy the RSA public key to the CX device that serves as the SSH server.

5. Run:public-key-code end

Quit the public key editing view.

l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.

l If the specified key-name is deleted in other views, the system prompts that the key doesnot exist after the peer-public-key end command is run and the system view isdisplayed.

6. Run:




Issue 01 (2011-05-30)

peer-public-key end

Return to the system view from the public key view.7. Run:

ssh user user-name assign rsa-key key-name

The public key is assigned to the SSH user.

Step 5 (Optional) Configuring the Basic Authentication Information for SSH Users1. Run:

ssh server rekey-interval interval

The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0 that indicates noupdating.

2. Run:ssh server timeout seconds

The timeout period of the SSH authentication is set.

By default, the timeout period is 60 seconds.3. Run:

ssh server authentication-retries times

The number of retry times of the SSH authentication is set.

By default, the retry times is 3.

Step 6 (Optional) Authorizing SSH Users Through the Command Line

SSH users can be authenticated in four modes: password, RSA, password-RSA, and all. In RSAauthentication mode, you can configure SSH users to be authorized based on command levels.

Run:

ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.

After configuring the authorization through command lines for the SSH user to perform RSAauthentication, you have to configure the AAA authorization. Otherwise, the command lineauthorization for the SSH user does not take effect.

Step 7 Run:ssh user username service-type { stelnet | all }

The service type for the SSH user is configured.

By default, the service type of the SSH user is not configured.

----End

5.5.5 Enabling the STelnet Server FunctionTo allow users to log in to the CX device by using STelnet, you must enable the STelnet serverfunction on the CX device.



5-23

ContextBy default, no CX device is enabled with the STelnet server function. Users can establishconnections to the CX device by using STelnet only after the CX device is enabled with theSTelnet server function.



system-view


Step 2 Run:stelnet server enable

The STelnet server function is enabled.

By default, the STelnet server function is disabled.

----End


Contextl Compared with SSH1.X, SSH2.0 is extended in structure to more authentication modes

and key exchange modes with higher service capability, such as SFTP. The CX600 supportsthe SSH protocol of version 1.3 to version 2.0.

l By default, the listening port number of an SSH server is 22. Users can directly log in tothe CX device by using the default listening port number. Attackers probably access thedefault listening port, reducing available bandwidth, deteriorating performance of theserver, and causing valid users unable to access the server. After the listening port numberof the SSH server is changed, attackers do not know the new port number. This effectivelyprevents attackers from accessing the listening port, improving security.

l You can set an interval at which the key pair of an SSH server is updated. When the timerexpires, the key pair is automatically updated, improving security.



system-view


Step 2 Run:ssh server compatible-ssh1x enable

The earlier version-compatible function is enabled.




Issue 01 (2011-05-30)

By default, the server enabled with SSH2.0 is compatible with the server enabled with SSH1.X.To prevent the clients running SSH1.3 to SSH1.99 from logging in, you can run the undo sshserver compatible-ssh1x enable command to disable the CX device from being compatiblewith the SSH protocol of earlier versions.

Step 3 Run:ssh server port port-number

If a new listening port number is configured, the SSH server interrupts all the STelnet and SFTPconnections and starts to listen to the new port. By default, the listening port number of an SSHserver is 22.

Step 4 Run:ssh server rekey-interval interval

By default, the interval at which the key pair of an SSH server is updated is 0, which means thatthe key pair is not updated.

----End

5.5.7 Logging in to the CX device by Using STelnetAfter the CX device is configured, a user can log in to the CX device from a terminal by usingSTelnet, implementing remote maintenance of the CX device.

ContextIn STelnet login mode, a third-party software can be used in the terminal. In this part, the third-party software OpenSSH and windows command line are used.

After installing OpenSSH in the user terminal, do as follows on the user terminal:

NOTE

For details on how to install OpenSSH, refer to the installation guide of the software.

For details on how to use OpenSSH commands to log in to the CX device, refer to the help document ofthe software.

Procedure

Step 1 Use the windows command line.

Step 2 Run relevant OpenSSH commands to log in to the CX device in STelnet mode.



5-25

----End

5.5.8 Checking the ConfigurationAfter configuring users to log in by using STelnet, you can view the SSH server configuration.

PrerequisiteConfigurations of logins by using STelnet are complete.

Procedurel Run the display ssh user-information username command on the SSH server to check

information about SSH users.

l Run the display ssh server status command on the SSH server to check its configurations.




Issue 01 (2011-05-30)

l Run the display ssh server session command on the SSH server to check sessions for SSHusers.

----End

ExampleRun the display ssh user-information username command to view information about aspecified SSH user.

<HUAWEI> display ssh user-information client001 User Name : client001 Authentication-type : password User-public-key-name : - Sftp-directory : - Service-type : stelnet Authorization-cmd : No

If no SSH user is specified, information about all SSH users logging in to an SSH server will bedisplayed.

Run the display ssh server status command to view configurations of an SSH server.

<HUAWEI> display ssh server status SSH version :1.99 SSH connection timeout :60 seconds SSH server key generating interval :0 hours SSH Authentication retries :3 times SFTP server :Disable Stelnet server :Enable

Run the display ssh server session command. The command output shows that the sessioninformation between SSH server and client.

<HUAWEI> display ssh server sessionSession 1: Conn : VTY 3 Version : 2.0 State : started Username : client001 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-md5 STOC Hmac : hmac-md5 Kex : diffie-hellman-group-exchange-sha1 Service Type : stelnet Authentication Type : password

5.6 Common Operations After LoginAfter logging in to the CX device, you can perform following operations as needed, such as userpriority switching and terminal window locking.

5.6.1 Establishing the Configuration TaskBefore performing operations after login, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

5.6.2 Switching User LevelsIf a user wants to upgrade from a lower level to a higher level after logging in to the CXdevice, a password is required. The password needs to be configured in advance.



5-27

5.6.3 Locking User InterfacesWhen you leave the operation terminals for a moment, you can lock the user interface to preventunauthorized users from operating the interface.

5.6.4 Sending Messages to Other User InterfacesMessages can be exchanged between the current user interface and other user interfaces.

5.6.5 Displaying Logged-in UsersAfter users log in, you can query information about logged-in users.

5.6.6 Clearing Logged-in UsersIf you want to force a logged-in user to log out of the CX device, you can tear down the connectionbetween the CX device and the user.

5.6.7 Configuring Configuration LockingWhen multiple users log in to the CX device to configure the device, configuration conflict mayoccur. To prevent configuration conflict from affecting services, you can enable the function ofconfiguration locking. This allows only one user to configure the device at a time.

5.6.1 Establishing the Configuration TaskBefore performing operations after login, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.


To ensure that the operator manages CX devices safely, you need to configure the switching ofuser levels, enable message sending between user interfaces, and clear designated users.


Before performing operations after login, complete the following tasks:

l Connecting the terminal to the CX device

Data Preparations

Before performing operations after login, you need the following data:

No. Data

1 Password used for switching user levels

2 Type and number of the user interface

3 Contents of the message to be sent

5.6.2 Switching User LevelsIf a user wants to upgrade from a lower level to a higher level after logging in to the CXdevice, a password is required. The password needs to be configured in advance.




Issue 01 (2011-05-30)

ContextTo prevent an unauthorized user from using high-level commands, a password is required toincrease the user level.

When configuring the switchover of user levels on the CX device, users can performHWTACACS Authentication. For detailed configurations, refer to the HUAWEI CX600 CXdevice Configuration Guide - Security.


system-view


Step 2 Run:super password [ level user-level ] { simple | cipher } password

The password for switching user levels is configured.

By default, the password for the user is set to Level 3.

CAUTIONIf simple is configured, the password is saved in the configuration file in plain text. This meansthat low-level login users can easily obtain and change the password by checking theconfiguration file, compromising the network security. Therefore, selecting cipher to save thepassword in the cipher text is recommended.If cipher is used to set the password, the password cannot be obtained from the system. Savethe password to avoid oblivion or missing.

Step 3 Run:quit

Return to the user view.

Step 4 Run:super [ level ]

User levels are switched.

By default, the level is 3.

Step 5 Follow the prompt and enter a password.

If the password entered is correct, the user can switch to a higher level. If the user enters apassword incorrectly for three consecutive times, the user remains at the current login level andreturns to the user view.

NOTE

When the login user of lower level is switched to the user of higher level through the super command, thesystem automatically sends trap messages and records the switchover in a log. When the switched levelis lower than that of the current level, the system only records the switchover in a log.

----End



5-29

5.6.3 Locking User InterfacesWhen you leave the operation terminals for a moment, you can lock the user interface to preventunauthorized users from operating the interface.

ContextThe user interface can be classified into the Console user interface, AUX user interface, andVTY user interface.


lock

The user interface is locked.

Step 2 Follow the system prompt and input an unlock password, and then confirm the input.<HUAWEI> lockEnter Password:Confirm Password:

If the locking is successful, the system prompts that the user interface is locked.

You must enter a correct password to unlock the user interface.

----End

5.6.4 Sending Messages to Other User InterfacesMessages can be exchanged between the current user interface and other user interfaces.

ContextUsers logging in to the CX device can send messages from the current user interface to users inother user interfaces as needed.


send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.

Step 2 Following the prompt, you can view the message to be sent. You can press Ctrl_Z or Enter toend the display, and press Ctrl_C to abort the display.

----End

5.6.5 Displaying Logged-in UsersAfter users log in, you can query information about logged-in users.

ContextUser information includes the user name, address, and authentication and authorizationinformation.




Issue 01 (2011-05-30)

Procedurel Run the display users [ all ] command to view information about logged-in users.

If all is configured, information about logged-in users on all user interfaces is displayed.

----End

5.6.6 Clearing Logged-in UsersIf you want to force a logged-in user to log out of the CX device, you can tear down the connectionbetween the CX device and the user.

ContextYou can run the display users command to view users logging in to the CX device.

Procedure

Step 1 Run:kill user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.

Step 2 Based on displayed information, you can confirm whether specified logged-in users have beencleared.

----End

5.6.7 Configuring Configuration LockingWhen multiple users log in to the CX device to configure the device, configuration conflict mayoccur. To prevent configuration conflict from affecting services, you can enable the function ofconfiguration locking. This allows only one user to configure the device at a time.

ContextBefore configuring configuration locking, check whether the configuration set is locked byanother user. If no user locks the configuration set, you can exclusively lock the configuration.

Procedure

Step 1 Run:configuration exclusive

The user obtains exclusive configuration access.

After enabling the configuration locking function, you can exclusively enjoy the configurationauthority in an explicit manner.

NOTE

This command can be run in any view.

You can run the display configuration-occupied user command to check information about the user wholocks the configuration set at the moment.

If the configuration set is already locked, an prompt message is displayed after this command is run.



5-31



Step 3 Run:configuration-occupied timeout timeout-value

The timeout period for automatically unlocking the configuration set is set.

After the timeout period expires, the configuration set is automatically unlocked, allowing otherusers to configure the device.

By default, the timeout period is 30s.

NOTE

l When a user without exclusive configuration access runs this command, the system prompts an errormessage.

l If the configuration set is locked by another user, this command cannot be configured, and the systemprompts an error message.

l If the configuration set is locked by the current user, the current user can run this command.

----End

5.7 Configuration ExamplesThis section provides several examples describing how to configure user login by using a consoleport, Telnet, or STelnet. You can understand the configuration procedures by referring to theconfiguration flowchart. The configuration examples provide information about the networkingrequirements, configuration notes, and configuration roadmap.

5.7.1 Example for Configuring User Login Through a Console PortThis part provides an configuration example describing how to configure user login through aconsole port. In this configuration example, certain login settings are performed on the PC,enabling the access to the CX device through a console port.

5.7.2 Example for Logging In Through the AUX PortIn this example, you can configure terminal and modem communication parameters so as to login to the CX device through the AUX port.

5.7.3 Example for Configuring User Login by Using TelnetThis part provides an example describing how to configure user login by using Telnet. In thisconfiguration example, a user logs in to the CX device after setting the VTY user interface anduser login parameters.

5.7.4 Example for Configuring User Login by Using STelnetThis part provides an example describing how to configure user login by using STelnet.. In thisexample, after generating the local key pair on the SSH server, configuring the name andpassword of the SSH user on the SSH server, and enabling the STelnet service on the SSH server,you can connect the Stelnet client to the SSH server.

5.7.1 Example for Configuring User Login Through a Console PortThis part provides an configuration example describing how to configure user login through aconsole port. In this configuration example, certain login settings are performed on the PC,enabling the access to the CX device through a console port.




Issue 01 (2011-05-30)

Networking RequirementsIf a user modifies default values of certain parameters in the console user interface, the userneeds to reset corresponding parameters in the PC when logging in to the CX device throughthe console port next time.

Figure 5-7 Networking diagram of user login through a console port

CX600PC

Configuration Roadmap1. Connect a PC to the CX device through a console port.2. Perform login settings on the PC.3. Log in to the CX device.

Data PreparationCommunication parameters of the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit: 2,flow control mode: none)

ProcedureStep 1 Establish the configuration environment by connecting the serial port of the PC to the console

port of the CX device through standard RS-232 cable.

Step 2 Start a terminal emulator on the PC, and set the communication parameters of the PC, as shownin Figure 5-8 to Figure 5-10.

Figure 5-8 Connection creation



5-33

Figure 5-9 Interface setting

Figure 5-10 Communication parameter setting




Issue 01 (2011-05-30)

Step 3 Power on the CX device and wait for the completion of the self-check. After the CX device startsnormally and finishes the self-check, the system prompts you to press Enter.

Wait till the prompt (mostly the <HUAWEI>) appears, and then you can use a command to viewthe running status of the CX device or configure the CX device.

----End

5.7.2 Example for Logging In Through the AUX PortIn this example, you can configure terminal and modem communication parameters so as to login to the CX device through the AUX port.

Networking RequirementsIf you cannot configure the CX device by local login and no CX device is reachable to otherCX devices, connect the serial port of the PC with the AUX port of the CX device through themodem. The detailed configuration environment is shown in Figure 5-11.

Figure 5-11 Networking diagram of logging in through the AUX port

CX600

PC

COM

PSTN

Modem Modem

Configuration RoadmapThe configuration roadmap is as follows:

1. Establish the physical connection.2. Configure the name, authentication mode, and password of a user that logs in.3. Configure the AUX port to support the modem dialup.4. Configure modem parameters.


l Type of terminalsl Terminal communication parametersl User name, password, and authentication mode used for user login, which are huawei,

hello, and password respectively.



5-35

l Modem communication parameters

Procedure

Step 1 Establish the physical connection, as shown in Figure 5-11.

Step 2 Configure the AUX port to support the modem dialup.<HUAWEI> system-view[HUAWEI] aaa[HUAWEI-aaa] local-user huawei password cipher hello[HUAWEI-aaa] local-user huawei service-type terminal[HUAWEI-aaa] local-user huawei level 3[HUAWEI-aaa] quit[HUAWEI] user-interface aux 0[HUAWEI-ui-aux0] authentication-mode aaa[HUAWEI-ui-aux0] modem both

Step 3 Configure modem parameters.

# Run the PC emulation terminal, see Logging in to the CX device Through an AUX Port

Press Enter on the PC emulation terminal or terminal until a command line prompt of the modemsuch as ">" appears.

Configure the modem to meet the requirements of AUX communication.

For details, see modem descriptions.

Step 4 Log in to the CX device.

Enter the user name and password in the remote terminal emulation program.

After authentication succeeds, a command line prompt such as <HUAWEI> appears.

Enter the command to check the running status of the CX device or configure the CX device.

Enter "?" for help.

----End

5.7.3 Example for Configuring User Login by Using TelnetThis part provides an example describing how to configure user login by using Telnet. In thisconfiguration example, a user logs in to the CX device after setting the VTY user interface anduser login parameters.

Networking RequirementsA user can log in to the CX device on another network segment from a PC to remotely maintainthe CX device.

Figure 5-12 Networking diagram of user login by using Telnet

NetWork

PC CX600

GE1/0/110.137.217.221/16




Issue 01 (2011-05-30)

After a Telnet user logs in to the CX device in AAA authentication mode, the Telnet user isprohibited from logging in to another CX device through the CX device.

Configuration Roadmap1. Establish a physical connection.2. Assign IP addresses to interfaces on the CX device.3. Set parameters of the VTY user interface, including limit on call-in and call-out.4. Set user login parameters.5. Log in to the CX device.


l IP address of the PCl IP address of the Ethernet interface on the CX device: 10.137.217.221l Maximum number of VTY user interfaces: 10l Number of the ACL that is used to prohibit users from logging into another CX device:

3001l Timeout period for disconnecting from the VTY user interface: 20 minutesl Number of lines that a terminal screen displays: 30l Size of the history command buffer: 20l Telnet user information (authentication mode: AAA, user name: huawei, password: hello)

Procedure

Step 1 Respectively connection the PC and the CX device to the network.

Step 2 Configure a login address.<HUAWEI> system-view[HUAWEI] interface gigabitethernet 1/0/1[HUAWEI-GigabitEthernet1/0/1] undo shutdown[HUAWEI-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0[HUAWEI-GigabitEthernet1/0/1] quit

Step 3 Configure the VTY user interface on the CX device.

# Set the maximum number of VTY user interfaces.

[HUAWEI] user-interface maximum-vty 10

# Configure an ACL that is used to prohibit users from logging into another CX device.

[HUAWEI]acl 3001[HUAWEI-acl-adv-3001]rule deny tcp source any destination-port eq telnet[HUAWEI-acl-adv-3001]quit[HUAWEI] user-interface vty 0 9[HUAWEI-ui-vty0-9] acl 3001 outbound

# Set terminal attributes of the VTY user interface.

[HUAWEI-ui-vty0-9] shell[HUAWEI-ui-vty0-9] idle-timeout 20



5-37

[HUAWEI-ui-vty0-9] screen-length 30[HUAWEI-ui-vty0-9] history-command max-size 20

# Set the user authentication mode of the VTY user interface.

[HUAWEI-ui-vty0-9] authentication-mode aaa[HUAWEI-ui-vty0-9] quit

Step 4 Set parameters of the login user on the CX device.

# Specify the user authentication mode.

[HUAWEI] aaa[HUAWEI-aaa] local-user huawei password cipher hello[HUAWEI-aaa] local-user huawei service-type telnet[HUAWEI-aaa] local-user huawei level 3[HUAWEI-aaa] quit

Step 5 # Configure user login.

Use the windows command line to telnet the CX device. The Telnet login window is shown inthe following figure.

Figure 5-13 Telnet login window on the PC

Press Enter, and then input the user name and password in the login window. If userauthentication succeeds, a command line prompt of the system view is displayed. It indicatesthat you have entered the user view.




Issue 01 (2011-05-30)

Figure 5-14 Window after login of the CX device

Click Yes and then input the user name and password in the login window. If user authenticationsucceeds, a command line prompt such as HUAWEI is displayed.

----End

Configuration FilesConfiguration file of the CX-

# sysname HUAWEI#acl number 3001 rule 5 deny tcp destination-port eq telnet#aaa local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!! local-user huawei service-type telnet local-user huawei level 3#interface GigabitEthernet1/0/1 undo shutdown ip address 10.137.217.221 255.255.0.0#user-interface maximum-vty 10 user-interface con 0user-interface vty 0 9 acl 3001 outbound authentication-mode aaa history-command max-size 20 idle-timeout 20 0 screen-length 30#return



5-39

5.7.4 Example for Configuring User Login by Using STelnetThis part provides an example describing how to configure user login by using STelnet.. In thisexample, after generating the local key pair on the SSH server, configuring the name andpassword of the SSH user on the SSH server, and enabling the STelnet service on the SSH server,you can connect the Stelnet client to the SSH server.

Networking RequirementsAs shown in Figure 5-15, after the STelnet service is enabled on the SSH server, the STelnetclient can log in to the SSH server with the password, RSA, password-rsa, or all authenticationmode.

In this configuration example, the password authentication mode is used.

Figure 5-15 Networking diagram of configuring user login by using STelnet

Network

PC SSH Server

GE1/0/110.137.217.225/16


1. Configure a local key pair on the SSH server for secure data exchange between the STelnetclient and the SSH server.

2. Configure the VTY user interface on the SSH server.3. Configure an SSH client, which involves the setting of the user authentication mode, user

name, and password.4. Enable the STelnet server function on the SSH server and configure a user service type.


l SSH user authentication mode: password, user name: client001, password: huaweil User level of client001: 3l IP address of the SSH server: 10.164.39.210

Procedure

Step 1 Generate a local key pair on the server.<HUAWEI> system-view[HUAWEI] sysname SSH Server[SSH Server] rsa local-key-pair createThe key name will be: HUAWEI_HostThe range of public key size is (512 ~ 2048).




Issue 01 (2011-05-30)

NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]: 768Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++

Step 2 Configure the VTY user interface.[SSH Server] user-interface vty 0 4[SSH Server-ui-vty0-4] authentication-mode aaa[SSH Server-ui-vty0-4] protocol inbound ssh[SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the CX600 automatically disables Telnet.

Step 3 Configure the password of the SSH user Client001 to huawei.[SSH Server] aaa[SSH Server-aaa] local-user client001 password cipher huawei[SSH Server-aaa] local-user client001 level 3[SSH Server-aaa] local-user client001 service-type ssh[SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.[SSH Server] stelnet server enable[SSH Server] ssh authentication-type default password[SSH Server] quit

Step 5 Verify the configuration.

# Log in to the device through the software putty, and specify the IP address of the device being10.164.39.210 and the login protocol being SSH.



5-41

# Log in to the device through the software putty, and enter the user name client001 and thepassword huawei.

----End

Configuration Filesl Configuration file of the SSH server

# sysname SSH Server#aaa local-user client001 password cipher huawei local-user client001 level 3 local-user client001 service-type ssh#interface GigabitEthernet1/0/1 undo shutdown ip address 10.137.217.225 255.255.255.0# stelnet server enable ssh user client001 authentication-type password#user-interface vty 0 4 authentication-mode aaa protocol inbound ssh#return




Issue 01 (2011-05-30)

6 Managing File System

About This Chapter

The file system manages the files and directories in the storage devices on the CX device. It canmove and delete a file or directory and display the contents of the file.

6.1 File System OverviewThe CX device effectively manages all files by means of the file system.

6.2 Performing File Operations by Means of the File SystemUsers can perform file operations by means of the file system, including managing storagedevices, directories, and files.

6.3 Performing File Operations by Means of FTPFTP can transmit files between local and remote hosts, and is widely used for version upgrade,log downloading, file transmission, and configuration saving.

6.4 Performing File Operations by Means of SFTPSFTP enables users to log in to the CX device securely from the remote device to manage files.This improves the security of data transmission for the remote end to update its system.

6.5 Performing File Operations by Means of XmodemThis section describes how to transfer files through XModem.

6.6 Configuration ExamplesThis section provides an example for performing files by accessing the system and using FTPor SFTP.These configuration examples explain networking requirements, configurationroadmap, and configuration notes.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 6 Managing File System


6-1

6.1 File System OverviewThe CX device effectively manages all files by means of the file system.

6.1.1 File SystemThe file system manages the files and directories in the storage devices. It can create, delete,modify, and rename a file or directory and display the contents of the file.

6.1.2 Methods of File ManagementYou can manage files by means of the file system, FTP or SFTP.

6.1.1 File SystemThe file system manages the files and directories in the storage devices. It can create, delete,modify, and rename a file or directory and display the contents of the file.

The file system has two functions: managing the storage devices and managing the files that arestored in those storage devices.

6.1.2 Methods of File ManagementYou can manage files by means of the file system, FTP or SFTP.

Performing File Operations by Means of the File Systeml Storage Devices

Storage devices are hardware devices for storing messages.At present, the CX device supports the storage devices CF card.

l FilesThe file is a mechanism with which the system stores and manages messages.

l DirectoriesThe directory is a mechanism with which the system integrates and organizes the file,serving as a logical container of the file.

Performing File Operations by Means of FTPYou can configure the CX device as the FTP server, and log in to the CX device from the userterminal to transmit files and manage directories on the FTP server.

Performing File Operations by Means of SFTPSSH supports Secure File Transfer Protocol (SFTP), which enables users to remotely andsecurely log in to the CX device to manage files. SSH guarantees secure data transmission on aconventional insecure network by authenticating the client and encrypting data in bothdirections.

Performing File Operations by Means of XmodemXModem is a file transfer protocol and is mainly applied to the AUX port.XModem does notsupport simultaneous operations of multiple users.

6 Managing File SystemHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

Table 6-1 File management methods

File Management Method Implementation

Logging in to the system You can log in to the system through theConsole or AUX port or by using Telnet orSTelnet to manage files.

FTP The CX device needs to be enabled with FTP.Most terminals support the FTP clientfunction.

SFTP l SFTP provides secure file transferservices based on SSH, irrelevant to thestandard FTP protocol.

l The CX device needs to be enabled withSFTP. Terminals need to be installed withthe SFTP client software.

6.2 Performing File Operations by Means of the File SystemUsers can perform file operations by means of the file system, including managing storagedevices, directories, and files.

6.2.1 Establishing the Configuration TaskBefore performing file operations by means of the file system, familiarize yourself with theapplicable environment, complete the pre-configuration tasks, and obtain the required data. Thiscan help you complete the configuration tasks quickly and accurately.

6.2.2 Managing Storage DevicesWhen the file system of the storage devices on the CX device functions abnormally, you needto repair and format the file system before managing the storage devices.

6.2.3 Managing the DirectoryYou can manage directories to logically store files in hierarchy.

6.2.4 Managing FilesYou can log in to the file system to view, delete, or rename the files on the CX device.

6.2.1 Establishing the Configuration TaskBefore performing file operations by means of the file system, familiarize yourself with theapplicable environment, complete the pre-configuration tasks, and obtain the required data. Thiscan help you complete the configuration tasks quickly and accurately.

Applicable EnvironmentWhen the CX device fails to save or obtain data, you can log in to the file system to repair thefaulty storage devices or manage files or directories on the CX device. You can especiallymanage storage devices by logging in to the file system.



6-3

Pre-configuration TasksBefore performing file operations by logging in to the file system, complete the following tasks:

l Connecting the client with the server correctly

Data PreparationTo perform file operations by logging in to the file system, you need the following data:

No. Data

1 Storage device name

2 Directory name

3 File name

6.2.2 Managing Storage DevicesWhen the file system of the storage devices on the CX device functions abnormally, you needto repair and format the file system before managing the storage devices.

ContextWhen the file system on a storage device fails, the terminal of the CX device prompts you torectify the fault.

You can format a storage device when you fail to repair the file system or you do not need anydata saved on the storage device.

CAUTIONFormatting storage devices may lead to data loss. Therefore, exercise caution when perform thisoperation.

Procedurel Run:

fixdisk device-name

The storage devices with file system troubles is repaired.

NOTE

After this command is run, if the prompt that the system should be repaired is still received, it indicatesthat the physical medium may be damaged.

l Run:format device-name

The storage device is formatted.




Issue 01 (2011-05-30)

NOTE

If the storage device cannot work after running the format device-name command, a fault may occurto the hardware.

----End

6.2.3 Managing the DirectoryYou can manage directories to logically store files in hierarchy.

Context

You can manage directories by changing and displaying directories, displaying files indirectories and sub-directories, and creating and deleting directories.

Procedurel Run:

cd directory

A directory is specified.l Run:

pwd

The current directory is displayed.l Run:

dir [ /all ] [ filename ]

The file and sub-directory list in the directory is displayed.

Either the absolute path or relative path is applicable.l Run:

mkdir directory

The directory is created.l Run:

rmdir directory

The directory is deleted.

----End

6.2.4 Managing FilesYou can log in to the file system to view, delete, or rename the files on the CX device.

Contextl Managing files include: displaying contents, copying, moving, renaming, compressing,

deleting, undeleting, deleting files in the recycle bin, running files in batch and configuringprompt modes.

l You can run the cd directory command to enter the required directory from the currentdirectory.



6-5

Procedurel Run:

more filename [ offset | all ]

The content of the file is displayed.

By specifying parameters in the more command, you can view files flexibly:– By running the more file-name command, you can view the file named file-name.

Contents of a text file are displayed screen after screen. If you hold and press thespacebar on the current terminal, all contents of the current file can be displayed.There are two preconditions if you want to display the contents of a text file screen afterscreen:– The value configured by screen-length screen-length temporary command must

be larger than 0.– The total lines of the file must be larger than the value configured by screen-

length command.– By running the more file-name offset command, you can view the file named file-

name. Contents of a text file are displayed from the line specified by offset screen afterscreen. If you hold and press the spacebar on the current terminal, all contents of thecurrent file can be displayed.There are two preconditions if you want to display the contents of a text file screen afterscreen:– The value configured by screen-length screen-length command must be larger than

0.– The result of the number of file characters subtracted by the value of offset must be

larger than the value configured by screen-length command.– By running the more file-name all command, you can view the file named file-name.

Contents of a text file are completely displayed without pausing after each screenful ofinformation.

l Run:copy source-filename destination-filename

The file is copied.

NOTE

The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.

l Run:move source-filename destination-filename

The file is moved.l Run:

rename source-filename destination-filename

The file is renamed.l Run:

zip source-filename destination-filename

The file is compressed.l Run:

delete [ /unreserved ] [ /quiet ] { filename | device-name }




Issue 01 (2011-05-30)

The file is deleted.

If you use the parameter [ /unreserved ] in the delete command, the file cannot be restoredafter being deleted.

l Run:undelete filename

The deleted file is recovered.

NOTE

If the current directory is not the parent directory, you must operate the file by using the absolutepath.

l Run:reset recycle-bin [ filename ]

The file is deleted.

You can permanently delete files in the recycle bin.

l Running Files in Batch

You can upload the files and then process the files in batches. The edited batch files needto be saved in the storage devices on the CX device.

When the batch file is created, you can run the batch file to implement routine tasksautomatically.

1. Run:system-view


2. Run:execute filename

The batched file is executed.

l Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device (especiallythe operations leading to data loss). If you need to change the prompt mode for fileoperations, you can configure the prompt mode of the file system.

1. Run:system-view


2. Run:file prompt { alert | quiet }

The prompt mode of the file system is configured.

By default, the prompt mode is alert.



6-7

CAUTIONIf the prompt is in the quiet mode, no prompt appears for data lossdue to maloperation.

----End

6.3 Performing File Operations by Means of FTPFTP can transmit files between local and remote hosts, and is widely used for version upgrade,log downloading, file transmission, and configuration saving.

6.3.1 Establishing the Configuration TaskBefore performing file operations by means of FTP, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

6.3.2 Configuring a Local FTP UserYou can configure the authorization mode and authorization directory for FTP users. In thiscase, unauthorized users cannot access the specific directory, which guarantees the security.

6.3.3 (Optional) Specifying a Port Number for the FTP ServerYou can configure or change the monitoring port number of the FTP server. After the portnumber is changed, only the user knows the current port number, which guarantees the security.

6.3.4 Enabling the FTP ServerBefore using FTP to perform file operations, you need to enable the FTP sever on the CXdevice.

6.3.5 (Optional) Configuring the FTP Server ParametersThe FTP server parameters include the source address of the FTP server and the timeout periodfor FTP connection.

6.3.6 (Optional) Configuring an FTP ACLAfter an FTP ACL is configured, only the specified clients can access the deviceCX device.

6.3.7 Accessing the System by Using FTPAfter the FTP server is configured, you can access the CX device from the PC by using FTP tomanage the files on the CX device.

6.3.8 Performing File Operations by Using FTP CommandsAfter logging in to the CX device that functions as an FTP server by using FTP, you can uploadfiles to or download files from the CX device, and manage the directories on the CX device.

6.3.9 Checking the ConfigurationAfter the configuration is complete, you can view the configuration and status of the FTP serveras well as information about login FTP users.

6.3.1 Establishing the Configuration TaskBefore performing file operations by means of FTP, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.




Issue 01 (2011-05-30)

Applicable EnvironmentWhen the CX device serves as the FTP server, after the client logs in to the CX device throughFTP, the user can transfer files between the client and the server.

Pre-configuration TasksBefore performing file operations by means of FTP, complete the following task:

l Connecting the FTP client to the server

Data PreparationTo perform file operations by means of FTP, you need the following data:

NOTEFor FTP secure server connection, perform step 2.

No. Data

1 FTP user name and password, File directory authorized to the FTP user

2 (Optional) Listening port number specified on the FTP server

3 (Optional) Source IP address or source interface of the FTP server(Optional) Timeout period of the disconnection from the FTP server

4 IP address or host name of the FTP server

6.3.2 Configuring a Local FTP UserYou can configure the authorization mode and authorization directory for FTP users. In thiscase, unauthorized users cannot access the specific directory, which guarantees the security.

ContextTo perform file operations by means of FTP, you need to configure a local user name and apassword on the CX device and specify the service type and the directories that can be accessed.Otherwise, you cannot access the CX device by using FTP.

Do as follows on the CX device that serves as the FTP server:

Procedure



Step 2 Run:set default ftp-directory directory

The default FTP working directory is configured.



6-9

NOTE

The configuration in this step is valid for only TACACS users.

Step 3 Run:aaa



The local user name and the password are configured.

Step 5 Run:local-user user-name service-type ftp

The FTP service type is configured.

Step 6 Run:local-user user-name ftp-directory directory

The authorization directory about the FTP user is configured.

----End

6.3.3 (Optional) Specifying a Port Number for the FTP ServerYou can configure or change the monitoring port number of the FTP server. After the portnumber is changed, only the user knows the current port number, which guarantees the security.

ContextBy default, the listening port number of an FTP server is 21. Users can directly log in to the CXdevice by using the default listening port number. Attackers probably access the default listeningport, reducing available bandwidth, affecting performance of the server, and causing valid usersunable to access the server. After the listening port number of the FTP server is changed, attackersdo not know the new listening port number. This effectively prevents attackers from accessingthe listening port.

NOTE

If the FTP is not enabled, change the FTP port as required.

If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and then changethe FTP port.


Procedure



Step 2 Run:ftp [ ipv6 ] server port port-number

The port number of the FTP server is configured.




Issue 01 (2011-05-30)

If a new number of a monitored port is configured, the FTP server interrupts all the FTPconnections and monitors the port of the new number.

----End

6.3.4 Enabling the FTP ServerBefore using FTP to perform file operations, you need to enable the FTP sever on the CXdevice.

Context

By default, the FTP server is disabled on the CX device. Therefore, you must enable the FTPserver before using FTP.


Procedure



Step 2 Run:ftp [ ipv6 ] server enable

The FTP server is enabled.

NOTE

When the file operation between clients and the CX device ends, run the undo ftp [ ipv6 ] server commandto disable the FTP server function. This ensures the security of the CX device.

----End

6.3.5 (Optional) Configuring the FTP Server ParametersThe FTP server parameters include the source address of the FTP server and the timeout periodfor FTP connection.

Contextl You can configure a source IP address for the FTP server. This limits the destination address

that the client can access and therefore guarantee the security.l You can configure the timeout period for FTP connections on the FTP server. When the

timeout period of an FTP connection expires, the system breaks the connection to releaseresources.


Procedure




6-11


Step 2 Run:ftp server-source { -a ip-address | -iinterface-type interface-number }

The source IP address and source interface of an FTP server is configured.

To log in to the FTP server, you must specify the same source IP address in the ftp command.Otherwise, you cannot log in to the FTP server.

Step 3 Run:ftp [ ipv6 ] timeout minutes

The timeout period of the FTP server is configured.

If the client is idle for the configured time, the connection is removed from the FTP server.

By default, the timeout value is 30 minutes.

----End

6.3.6 (Optional) Configuring an FTP ACLAfter an FTP ACL is configured, only the specified clients can access the deviceCX device.

ContextWhen the CX devicedevice functions as an FTP server, you can configure an ACL to allow theclients that meet the matching rules to access the FTP server.


Procedure



Step 2 Run:acl acl-number

The ACL view is displayed.

Step 3 Run:rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL rule is configured.

NOTE

FTP supports only the basic ACL (2000 to 2999).

Step 4 Run:quit

Return the system view.




Issue 01 (2011-05-30)

Step 5 Run:ftp [ ipv6 ] acl acl-number

The basic FTP ACL is configured.

----End

6.3.7 Accessing the System by Using FTPAfter the FTP server is configured, you can access the CX device from the PC by using FTP tomanage the files on the CX device.

Context

If you need to log in to the CX device by using FTP, you can use either windows command lineprompt or a third-party software. Here uses the windows command line prompt as an example.

Do as follows on the PC:

Procedure


Step 2 Run the ftp ip-address command to log in to the CX device by using FTP.

Enter the user name and password at the prompt, and press Enter. When the windows commandline prompts are displayed in the FTP client view, such as ftp>, you have entered the workingdirectory of the FTP server.

----End



6-13

6.3.8 Performing File Operations by Using FTP CommandsAfter logging in to the CX device that functions as an FTP server by using FTP, you can uploadfiles to or download files from the CX device, and manage the directories on the CX device.

Context

After logging in to the FTP server, you can perform the following operations:

l Configuring data type for the file

l Uploading or downloading files

l Creating directories on or deleting directories from the FTP server

l Displaying information about a specified remote directory or a file of the FTP server, ordeleting a specified file from the FTP server

After logging in to the FTP server and entering the FTP client view, you can perform thefollowing one or more operations:

Procedurel Configuring data type and transmission mode for the file.

– Run:ascii or binary

The data type of the file to be transmitted is ascii or binary mode.

NOTE

FTP supports the ASCII type and the binary type. Their differences are as follows:

l In ASCII transmission mode, ASCII characters are used to separate carriage returned fromline feeds.

l In binary transmission mode, characters can be transferred without format conversion orformatting.

The selection of the FTP transmission mode is client-customized. The system defaults to theASCII transmission mode. The client can use a mode switch command to switch between theASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binarymode is used to transmit binary files.

l Upload or download files.

– Upload or download a file.

– Run:put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.

– Run:get remote-filename [ local-filename ]

The FTP file is downloaded from the FTP server and saved to the local file.

– Upload or download multiple files.

– Run the mput local-filenames command to upload multiple local filessynchronously to the remote FTP server.

– Run the mget remote-filenames command to download multiple files from the FTPserver and save them locally.




Issue 01 (2011-05-30)

NOTE

l When you are uploading or downloading files, and the prompt command is run in the FTP clientview to enable the file transmission prompt function, the system will prompt you to confirm theuploading or downloading operation.

l If the prompt command is run again in the FTP client view, the file transmission prompt functionwill be disabled.

l Run one or more commands in the following order to manage directories.– Run:

cd pathname

The working path of the remote FTP server is specified.– Run:

pwd

The specified directory of the FTP server is displayed.– Run:

lcd [ local-directory ]

The directory of the FTP client is displayed or changed.– Run:

mkdir remote-directory

A directory is created on the FTP server.– Run:

rmdir remote-directory

A directory is removed from the FTP server.l Run one or more commands in the following to manage files.

– Run:ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.If the directory name is not specified when a specific remote file is selected, the systemsearches the working directory for the specific file.

– Run:dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.If the directory name is not specified when a specific remote file is selected, the systemsearches the working directory for the specific file.

– Run:delete remote-filename

The specified file on the FTP server is deleted.If the directory name is not specified when a specific remote file is selected, the systemsearches the working directory for the specific file.

When local-filename is set, related information about the file can be downloaded locally.

NOTE

If you need other FTP operations,you can perform the help [ command ] command to get help in theWindows command line.

----End



6-15

6.3.9 Checking the ConfigurationAfter the configuration is complete, you can view the configuration and status of the FTP serveras well as information about login FTP users.

Prerequisite

All configurations for operating files by using FTP are complete.

Procedurel Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP server.l Run the display ftp-users command to check how many users are currently logged in FTP

server.

----End

Example

Run the display [ ipv6 ] ftp-server to view the FTP server is working.

<HUAWEI> display ftp-server FTP server is running Max user number 5 User count 1 Timeout value(in minute) 30 Listening Port 1080 Acl number 0 FTP server's source address 1.1.1.1

Run the display ftp-users command to view the user name, port number, authorization directoryof the FTP user configured presently.

<HUAWEI> display ftp-users username host port idle topdir zll 100.2.150.226 1383 3 cfcard:

6.4 Performing File Operations by Means of SFTPSFTP enables users to log in to the CX device securely from the remote device to manage files.This improves the security of data transmission for the remote end to update its system.

6.4.1 Establishing the Configuration TaskBefore performing file operations by using SFTP, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

6.4.2 Configuring VTY User InterfaceTo allow a user to log in to the CX device by using SFTP, you need to configure attributes ofthe VTY user interface.

6.4.3 Configuring SSH for the VTY User InterfaceTo allow users to log in to the CX device by using SFTP, you need to configure VTY userinterfaces to support SSH.

6.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types




Issue 01 (2011-05-30)

To allow a user to log in to the CX device by using SFTP, you must configure an SSH user,configure the CX device to generate a local RSA key pair, configure a user authentication mode,specify a service type and authorized directory for the SSH user.

6.4.5 Enabling the SFTP ServiceBefore enjoying the STelnet service, you need to enable it.


6.4.7 Accessing the System by Using SFTPAfter the configuration is complete, users can log in to the CX device from the user terminal byusing SFTP to manage files on the CX device.

6.4.8 Performing File Operations by Using SFTPOn the SFTP client, you can log in to the SSH server to create or delete directories on the SSHserver.

6.4.9 Checking the ConfigurationAfter performing file operations by using SFTP, you can view SSH user information and globalconfigurations of the SSH server.

6.4.1 Establishing the Configuration TaskBefore performing file operations by using SFTP, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.


SSH guarantees secure data transmission on a conventional insecure network by authenticatingthe client and encrypting data in both directions. SSH supports SFTP.

SFTP is a secure FTP service and enables users to log in to the FTP server for data transmission.


Before performing file operations by using SFTP, complete the following task:


Data Preparation

Before performing file operations by using SFTP, you need the following data.

No. Data

1 Maximum number of VTY user interfaces, (optional) ACL for limiting call-in andcall-out in VTY user interfaces, connection timeout period of terminal users, numberof rows displayed in a terminal screen, size of the history command buffer, userauthentication mode, user name, and password



6-17

No. Data

2 User name, password, authentication mode, and service type of an SSH user andremote public RSA key pair allocated to the SSH user, SFTP working directory ofthe SSH user

3 (Option) Number of the port monitored by the SSH server(Option) The interval for updating the key pair on the SSH server

4 Name of the SSH server,Number of the port monitored by the SSH server,Preferredencrypted algorithm from the SFTP client to the SSH server,Preferred encryptedalgorithm from the SSH server to the SFTP client,Preferred HMAC algorithm fromthe SFTP client to the SSH server,Preferred HMAC algorithm from the SSH serverto the SFTP client,Preferred algorithm of key exchange,Name of the outgoinginterface,Source address

5 Directory name and File name

6.4.2 Configuring VTY User InterfaceTo allow a user to log in to the CX device by using SFTP, you need to configure attributes ofthe VTY user interface.

Context

By default, the user authentication mode in the VTY user interface is password. Therefore, beforea user logs in to the CX device by using SFTP, the user authentication mode in the VTY userinterface must be set. Otherwise, the user cannot log in to the CX device.



6.4.3 Configuring SSH for the VTY User InterfaceTo allow users to log in to the CX device by using SFTP, you need to configure VTY userinterfaces to support SSH.

Context

By default, user interfaces support Telnet. If no user interface is configured to support SSH,users cannot log in to the CX device by using SFTP.

Procedure






Issue 01 (2011-05-30)

Step 2 Run:user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.


The AAA authentication mode is configured.

Step 4 Run:protocol inbound ssh

The VTY user interface is configured to support SSH.

NOTE

If a VTY user interface is configured to support SSH, the VTY user interface must be configured withAAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.

----End

6.4.4 Configuring an SSH User and Specifying SFTP as One ofService Types

To allow a user to log in to the CX device by using SFTP, you must configure an SSH user,configure the CX device to generate a local RSA key pair, configure a user authentication mode,specify a service type and authorized directory for the SSH user.

Contextl SSH users can be authenticated in four modes: RSA, password, password-RSA, and all.

Password authentication depends on Authentication, Authorization and Accounting(AAA). Before a user logs in to the CX device in password or password-RSA authenticationmode, you must create a local user with the specified user name in the AAA view.

l Configuring the CX device to generate a local RSA key pair is a key step for SSH login.If an SSH user logs in to an SSH server in password authentication mode, configure theserver to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSAauthentication mode, configure both the server and the client to generate local RSA keypairs.

NOTE

Password-RSA authentication requires success of both password authentication and RSA authentication.The all authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the CX device that functions as an SSH server:

Procedure



Step 2 Run:ssh user user-name



6-19

1. Run:aaa



Name and password of the local user are created.

Step 3 Run:rsa local-key-pair create

A local RSA key pair is generated.

NOTE

l Before performing the other SSH configurations, you must configure the rsa local-key-pair createcommand to generate a local key pair.

l After generating the local key pair,you can perform the display rsa local-key-pair public commandto view the public key in the local key pair.

Step 4 Run:ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for SSH users is configured.


l Authenticate the SSH user through the password.– Run:

ssh user user-name authentication-type passwordThe password authentication is configured for the SSH user.

– Run:ssh authentication-type default passwordThe default password authentication is configured for the SSH user.For the local authentication or HWTACACS authentication, if the number of SSH usersis small, you can adopt the former command; if the number of SSH users is large, adoptthe later command to simplify the configuration.

l Authenticate the SSH user through RSA.1. Run:

ssh user user-name authentication-type rsa

The RSA authentication is configured for the SSH user.2. Run:

rsa peer-public-key key-name

The public key view is displayed.3. Run:

public-key-code begin

The public key editing view is displayed.4. Run:

hex-data





Issue 01 (2011-05-30)

NOTE

l In the public key view, only hexadecimal strings complying with the public key format can betyped in. Each string is randomly generated on an SSH client. For detailed operations, see manualsfor SSH client software.

l After the public key editing view is displayed, the RSA public key generated on the client canbe sent to the server. Copy the RSA public key to the CX device that serves as the SSH server.

5. Run:public-key-code end



l If the specified key-name is deleted in other views, the system prompts that the key doesnot exist after the peer-public-key end command is run and the system view isdisplayed.

6. Run:peer-public-key end

Return to the system view from the public key view.7. Run:

ssh user user-name assign rsa-key key-name

The public key is assigned to the SSH user.

Step 5 (Optional) Configuring the Basic Authentication Information for SSH Users1. Run:

ssh server rekey-interval interval

The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0 that indicates noupdating.

2. Run:ssh server timeout seconds

The timeout period of the SSH authentication is set.

By default, the timeout period is 60 seconds.3. Run:

ssh server authentication-retries times

The number of retry times of the SSH authentication is set.

By default, the retry times is 3.

Step 6 (Optional) Authorizing SSH Users Through the Command Line

SSH users can be authenticated in four modes: password, RSA, password-RSA, and all. In RSAauthentication mode, you can configure SSH users to be authorized based on command levels.

Run:

ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.



6-21

After configuring the authorization through command lines for the SSH user to perform RSAauthentication, you have to configure the AAA authorization. Otherwise, the command lineauthorization for the SSH user does not take effect.

Step 7 Run:ssh user username service-type { SFTP | all }

The service type of an SSH user is set to SFTP or all.

By default, the service type of the SSH user is not configured.

Step 8 Run:ssh user username sftp-directory directoryname

The authorized directory of the SFTP service for SSH users is configured.

By default, the authorized directory of the SFTP service for SSH users is cfcard:.

----End

6.4.5 Enabling the SFTP ServiceBefore enjoying the STelnet service, you need to enable it.

Context

By default, the CX device is not enabled with the SFTP server function. Users can establishconnections with the CX device by using SFTP only after the CX device is enabled with theSFTP server function.


Procedure



Step 2 Run:sftp server enable

The SFTP service is enabled.

By default, the SFTP service is disabled.

----End





Issue 01 (2011-05-30)

Contextl Compared with SSH1.X, SSH2.0 is extended in structure to more authentication modes

and key exchange modes with higher service capability, such as SFTP. The CX600 supportsthe SSH protocol of version 1.3 to version 2.0.

l By default, the listening port number of an SSH server is 22. Users can directly log in tothe CX device by using the default listening port number. Attackers probably access thedefault listening port, reducing available bandwidth, deteriorating performance of theserver, and causing valid users unable to access the server. After the listening port numberof the SSH server is changed, attackers do not know the new port number. This effectivelyprevents attackers from accessing the listening port, improving security.

l You can set an interval at which the key pair of an SSH server is updated. When the timerexpires, the key pair is automatically updated, improving security.



system-view


Step 2 Run:ssh server compatible-ssh1x enable

The earlier version-compatible function is enabled.

By default, the server enabled with SSH2.0 is compatible with the server enabled with SSH1.X.To prevent the clients running SSH1.3 to SSH1.99 from logging in, you can run the undo sshserver compatible-ssh1x enable command to disable the CX device from being compatiblewith the SSH protocol of earlier versions.

Step 3 Run:ssh server port port-number

If a new listening port number is configured, the SSH server interrupts all the STelnet and SFTPconnections and starts to listen to the new port. By default, the listening port number of an SSHserver is 22.

Step 4 Run:ssh server rekey-interval interval

By default, the interval at which the key pair of an SSH server is updated is 0, which means thatthe key pair is not updated.

----End

6.4.7 Accessing the System by Using SFTPAfter the configuration is complete, users can log in to the CX device from the user terminal byusing SFTP to manage files on the CX device.

ContextThe third-party software can be used to access the CX device from the user terminal by usingSFTP. Here uses the third-party software OpenSSH and windows command line as an example.



6-23

After installing OpenSSH on the user terminal, do as follows on the user terminal:

NOTE

For details on how to install OpenSSH, see the installation guide of the software.

For details on how to use OpenSSH commands to log in to the CX device, see the help document of thesoftware.

Procedure


Step 2 Run relevant OpenSSH commands to log in to the CX device in SFTP mode.

When the command line prompt is displayed in the SFTP client view, such as sftp>, users haveentered the working directory of the SFTP server.

----End




Issue 01 (2011-05-30)

6.4.8 Performing File Operations by Using SFTPOn the SFTP client, you can log in to the SSH server to create or delete directories on the SSHserver.

ContextAfter logging in to the SFTP server, you can perform the following operations:

l Displaying the SFTP client command helpl Managing the directory on the SFTP serverl Managing the directory on the SFTP server

After logging in to the SFTP server and entering the SFTP client view, you can perform thefollowing one or more operations.

Procedurel Run:

help [ all | command-name ]

The SFTP client command help is displayed.l You can perform one or multiple of the following operations as required.

– Run:cd [ remote-directory ]

The current operating directory of users is changed.– Run:

pwd

The current operating directory of users is displayed.– Run:

dir/ls [ path ]

The file list in the specified directory is displayed.– Run:

rmdir remote-directory &<1-10>

– The directory on the server is deleted.– Run:

mkdir remote-directory

A directory is created on the server.l You can perform one or multiple of the following operations as required.

– Run:rename old-name new-name

The name of the specified file on the server is changed.– Run:

get remote-filename [ local-filename ]

The file on the remote server is downloaded.– Run:

put local-filename [ remote-filename ]



6-25

The local file is uploaded to the remote server.– Run:

rmdir remote-directory &<1-10>The file on the server is removed.

----End

6.4.9 Checking the ConfigurationAfter performing file operations by using SFTP, you can view SSH user information and globalconfigurations of the SSH server.

PrerequisiteThe configuration of SSH Users are complete.

Procedurel Run the display ssh user-information username command to check the information about

the SSH client on the SSH server.l Run the display ssh server status command on the SSH server to check its global

configurations.l Run the display ssh server session command on the SSH server to check information about

connection sessions with SSH clients.

----End

ExampleRun the display ssh user-information username command. It shows that the SSH user namedclinet001 is authenticated by password, and its service type is sftp.

[HUAWEI] display ssh user-information client001 User Name : client001 Authentication-type : password User-public-key-name : - Sftp-directory : - Service-type : sftp Authorization-cmd : No

If no SSH user is specified, information about all SSH users logging in to an SSH server will bedisplayed.

Run the display ssh server status command to view global configurations of an SSH server.

<HUAWEI> display ssh server status SSH version : 1.99 SSH connection timeout : 60 seconds SSH server key generating interval : 2 hours SSH Authentication retries : 5 times SFTP server : Enable Stelnet server : Enable SSH server port : 55535

NOTE

If the default interception port is in use, information about the current interception port is not displayed.

Run the display ssh server session command to view information about sessions between theSSH server and SSH clients.




Issue 01 (2011-05-30)

<HUAWEI> display ssh server sessionSession 2: Conn : VTY 4 Version : 2.0 State : started Username : client002 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-md5 STOC Hmac : hmac-md5 Kex : diffie-hellman-group-exchange-sha1 Service Type : sftp Authentication Type : password

6.5 Performing File Operations by Means of XmodemThis section describes how to transfer files through XModem.

6.5.1 Establishing the Configuration TaskBefore configuring XModem, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.

6.5.2 Getting a File Through XmodemUsing XModem, you can download files to a CX device through the AUX port.

6.5.1 Establishing the Configuration TaskBefore configuring XModem, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.

Applicable EnvironmentConfigure XModem to transfer files through serial interfaces.

Pre-configuration TasksBefore configuring XModem, complete the following tasks:

l Powering on the CX devicel Connecting the CX device and the PC through an AUX port or a console portl Logging in to the CX device through the terminal emulation program and specifying a file

path in the terminal emulation program

Data PreparationTo configure XModem, you need the following data.

No. Data

1 Name of a specific file

2 Absolute path of the file



6-27

6.5.2 Getting a File Through XmodemUsing XModem, you can download files to a CX device through the AUX port.

ContextXModem file transfer consists of receiving program and sending program.

l The receiving program first sends the negotiation character to negotiate the check mode.l After the negotiation is successful, the sending program begins to send packets.l When the receiving program receives a complete packet, it checks the packet in the

negotiated mode.l If the check is successful, the receiving program sends the acknowledgement character and

then the sending program sends the next packet.l If the check fails, the receiving program sends the denial character and the sending program

retransmits the packet.

CX600 provides the function of XModem receiving program, which is applied to the AUX portand supports 128-byte packets and CRC. The function of XModem sending program isautomatically included in the HyperTerminal.

Do as follows on the CX device:

Procedurel Run:

xmodem get { filename | devicename }

XModem is used to get the file.

NOTE

l Before getting the file, confirm the path and the name of the file that are to be sent.l For the filename, an absolute path name is required.l If the filename is similar to an existing one, the system sends a prompt asking you whether to

overwrite the file or not.

----End

6.6 Configuration ExamplesThis section provides an example for performing files by accessing the system and using FTPor SFTP.These configuration examples explain networking requirements, configurationroadmap, and configuration notes.

6.6.1 Example for Performing File Operations by Means of the File SystemThis section describes how to perform file operations by means of the file system. In thisexample, you can log in to the CX device to view and copy directories.

6.6.2 Example for Performing File Operations by Means of FTPThis section provides an example for operating files by means of FTP.In this example, a PCconnected to a CX device logs in to the FTP server by entering the correct user name andpassword through FTP, and then downloads files to the memory of the FTP client.

6.6.3 Example for Performing File Operations by Means of SFTP




Issue 01 (2011-05-30)

This section provides an example for operating files by using SFTP. In this example, a local keypair is configured on the SSH server, and a user name and a password are configured on theserver for an SSH user. After SFTP services are enabled on the server and the SFTP client isconnected to the server, you can operate files between the client and the server.

6.6.4 Example for Performing File Operations by Means of XmodemIn this example, you run the HyperTerminal on a PC and then log in to a CX device to downloadfiles through the AUX port.

6.6.1 Example for Performing File Operations by Means of the FileSystem

This section describes how to perform file operations by means of the file system. In thisexample, you can log in to the CX device to view and copy directories.

Networking RequirementsYou can log in to the CX device through the Console interface, AUX interface, Telnet, or STelnetto perform file operations on the CX device.

The file path in the storage device must be correct. If the user does not specify a target file name,the source file name is the name of the target file by default.


1. Check the files under a certain directory.2. Copy a file to this directory.3. Check this directory and view that the file is copied successfully to the specified directory.


l Source file name and target file namel Source file path and target file path

Procedure

Step 1 Display the file information in the current directory, cfcard:/ is the flash memory identifier.

<HUAWEI> dir cfcard:/Directory of cfcard:/

Idx Attr Size(Byte) Date Time FileName0 -rw- 64 Nov 15 2006 13:07:44 patchnpstate.dat1 -rw- 418 Jul 26 2007 19:52:14 vrpcfg.zip2 -rw- 38017 Aug 01 2007 11:02:00 paf.txt3 -rw- 2292 Aug 21 2006 15:35:50 vrp.zip4 -rw- 7041 Aug 02 2007 11:02:00 license.txt5 -rw- 117013076 Jul 13 2007 10:40:44 V600R003C00.cc500192 KB total (347760 KB free)

Step 2 Copy files from hda1:/sample.txt to flash:/sample.txt<HUAWEI> copy hda1:/sample.txt flash:/sample1.txtCopy hda1:/sample.txt to flash:/sample1.txt?[Y/N]:y



6-29

100% completeInfo:Copied file hda1:/sample.txt to flash:/sample1.txt...Done

Copy files from cfcard2:/sample.txt to cfcard:/sample.txt

<HUAWEI> copy cfcard2:/sample.txt cfcard:/sample1.txtCopy cfcard2:/sample.txt to cfcard:/sample1.txt?[Y/N]:y100% completeInfo:Copied file cfcard2:/sample.txt to cfcard:/sample1.txt...Done

Step 3 Display the file information about the current directory, and you can view that the file is copiedto the specified directory.<HUAWEI> dir cfcard:/Directory of cfcard:/

Idx Attr Size(Byte) Date Time FileName0 -rw- 64 Nov 15 2006 13:07:44 patchnpstate.dat1 -rw- 418 Jul 26 2007 19:52:14 vrpcfg.zip2 -rw- 38017 Aug 01 2007 11:02:00 paf.txt3 -rw- 2292 Aug 21 2006 15:35:50 vrp.zip4 -rw- 7041 Aug 02 2007 11:02:00 license.txt5 -rw- 117013076 Jul 13 2007 10:40:44 V600R003C00.cc6 -rw- 1605 Nov 18 2007 05:30:11 sample1.txt500192 KB total (346155 KB free)

----End

6.6.2 Example for Performing File Operations by Means of FTPThis section provides an example for operating files by means of FTP.In this example, a PCconnected to a CX device logs in to the FTP server by entering the correct user name andpassword through FTP, and then downloads files to the memory of the FTP client.

Networking RequirementsAs shown in Figure 6-1, after the FTP server is enabled on the CX device, you can log in to theFTP server from the HyperTerminal to upload or download files.

Figure 6-1 Networking for performing file operations by using FTP

Network

GE1/0/110.137.217.221/16

PC FTP Server


1. Configure the IP address of the FTP server.2. Enable the FTP server.3. Configure the authentication information, authorization mode, and directories to be

accessed for an FTP user.4. Log in to the FTP server by using the correct user name and password.




Issue 01 (2011-05-30)

5. Upload files to or download files from the FTP server.


l IP address of the FTP server, that is, 10.137.217.221l Timeout period for the FTP connection, that is, 30 minutesl FTP username as huawei and password as huawei on the serverl The destination file name and its position in the FTP client

Procedure

Step 1 Configure the IP address of the FTP server.[server] interface gigabitethernet1/0/1[server-GigabitEthernet1/0/1] undo shutdown[server-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0[server-GigabitEthernet1/0/1] quit

Step 2 Enable the FTP server.<HUAWEI> system-view[HUAWEI] sysname server[server] ftp server enable[server] ftp timeout 30

Step 3 Configure the authentication information, authorization mode, and authorized directories for anFTP user on the FTP server.[server] aaa[server-aaa] local-user huawei password simple huawei[server-aaa] local-user huawei service-type ftp[server-aaa] local-user huawei ftp-directory cfcard:[server-aaa] quit

Step 4 Run the FTP commands at the windows command line prompt, and enter the correct user nameand password to set tup an FTP connection with the FTP server.

Figure 6-2 Logging in to the FTP Server



6-31

Step 5 Upload and download files, as shown in the following figure.

Figure 6-3 Performing file operations by means of FTP

NOTEYou can run the dir command before downloading a file or after uploading a file to view the detailedinformation of the file.

----End

Configuration Filesl Configuration file of the FTP server.

#sysname Server# FTP server enable#interface GigabitEthernet1/0/1 undo shutdown ip address 10.137.217.221 255.255.0.0 #aaa local-user huawei password simple Huawei local-user huawei service-type ftp local-user huawei ftp-directory cfcard: authentication-scheme default#authorization-scheme default#accounting-scheme default#domain default#




Issue 01 (2011-05-30)

return

6.6.3 Example for Performing File Operations by Means of SFTPThis section provides an example for operating files by using SFTP. In this example, a local keypair is configured on the SSH server, and a user name and a password are configured on theserver for an SSH user. After SFTP services are enabled on the server and the SFTP client isconnected to the server, you can operate files between the client and the server.

Networking RequirementsAs shown in Figure 6-4, after SFTP services are enabled on the CX device functioning as anSSH server, you can log in to the server in password, RSA, password-rsa, or all authenticationmode from a PC on the SFTP client.

Configure a user to log in to the SSH server in password authentication mode.

Figure 6-4 Networking diagram for operating files by using SFTP

Network

PC SSH Server

GE1/0/110.137.217.225/16


1. Configure a local key pair on the SSH server to securely exchange data between the SFTPclient and the SSH server.

2. Configure VTY user interfaces on the SSH server.3. Configure an SSH user, including user authentication mode, user name, password, and

authorization directory.4. Enable SFTP services on the SSH server and configure a user service type.


l SSH user authentication mode: password, user name: client001, password: huaweil User level of client001: 3l IP address of the SSH server: 10.137.217.225

Procedure

Step 1 Configure a local key pair on the SSH server.<HUAWEI> system-view[HUAWEI] sysname SSH Server[SSH Server] rsa local-key-pair create



6-33

The key name will be: HUAWEI_HostThe range of public key size is (512 ~ 2048).NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]: 768Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++

Step 2 Configure VTY user interfaces on the SSH server.[SSH Server] user-interface vty 0 4[SSH Server-ui-vty0-4] authentication-mode aaa[SSH Server-ui-vty0-4] protocol inbound ssh[SSH Server-ui-vty0-4] quit

Step 3 Configure the SSH user name and password on the SSH server.[SSH Server] aaa[SSH Server-aaa] local-user client001 password cipher huawei[SSH Server-aaa] local-user client001 level 3[SSH Server-aaa] local-user client001 service-type ssh[SSH Server-aaa] quit

Step 4 Enable SFTP and configure the user service type to be SFTP.[SSH Server] sftp server enable[SSH Server] ssh user client001 authentication-type password

Step 5 Configure the authorization directory for the SSH user.[SSH Server] ssh user client001 service-type sftp

Step 6 Verify the configurations.

Figure 6-5 Accessing Interface




Issue 01 (2011-05-30)

----End


# sysname SSH Server#aaa local-user client001 password cipher huawei local-user client001 level 3 local-user client001 service-type ssh#interface GigabitEthernet1/0/1 undo shutdown ip address 10.137.217.225 255.255.255.0# sftp server enable ssh user client001 authentication-type password#user-interface vty 0 4 authentication-mode aaa protocol inbound ssh#return

6.6.4 Example for Performing File Operations by Means of XmodemIn this example, you run the HyperTerminal on a PC and then log in to a CX device to downloadfiles through the AUX port.


The CX device is connected to PC through the AUX port. Log in to the CX device through theAUX port, to receive files from the AUX port and save the received files to the cfcard.



1. Run the HyperTerminal on the PC and log in to the CX device.

2. Use the xmodem get command to download files on the CX device, and specify the filepath on the HyperTerminal.

Data Preparation


l Files that are copied to the PC

l The path of the file in the PC

Procedure

Step 1 Log in to the CX device through the AUX port.



6-35

Refer to Chapter 2 "Logging in to the Devices Through the AUX Port" in theCX600Configuration Guide - Basic Configuration.

Step 2 Use the XModem protocol to receive the file form the AUX port.

The received file is saved on the cfcard memory of the CX device and the file name is paf.txt.

<HUAWEI> xmodem get cfcard:/paf.txt**** WARNING ****xmodem is a slow transfer protocol limited to the current speedsettings of the auxiliary ports.During the course of the download no exec input/output will beavailable! ---- ******* ----Proceed?[Y/N]yDestination filename [cfcard:/ paf.txt]?Before press ENTER you must choose 'YES' or 'NO'[Y/N]:yDownload with XMODEM protocol....

Step 3 Specify the file to be sent on the HyperTerminal.

Figure 6-6 Specifying the file to be sent

After the configuration, press Send to send the file.

Step 4 The system prompts that the file is sent successfully. Then, you can view the directory of thefiled named cfcard.

<HUAWEI>Download successful!<HUAWEI> dirDirectory of cfcard:/ Idx Attr Size(Byte) Date Time FileName 0 -rw- 10014764 Jun 20 2005 15:00:28 ne20-vrp5.10-c01b070.bin 1 -rw- 98776 Jul 27 2005 09:36:12 matnlog.dat 2 -rw- 28 Jul 27 2005 09:34:39 private-data.txt 3 -rw- 480 May 10 2003 11:25:18 vrpcfg.zip 4 -rw- 10103172 Jul 22 2005 16:40:37 ne20-vrp5.10-c01db90.bin 5 -rw- 1515 Jul 19 2005 17:39:55 vrpcfg.cfg 6 -rw- 3844 Jul 14 2004 11:51:45 exception.dat 7 -rw- 8628372 Jun 01 2005 10:14:34 ne20-vrp330-0521.01.bin 8 -rw- 45 Jul 27 2005 10:51:26 paf.txt

----End




Issue 01 (2011-05-30)

7 Configuring System Startup

About This Chapter

When the CX device starts, system software is started and configuration files are loaded. Toensure smooth running of the CX device, you need to efficiently manage system software andconfiguration files.

7.1 System Startup OverviewWhen the CX device starts, system software is started and configuration files are loaded.

7.2 Managing Configuration FilesYou can manage the configuration files for the current and next startup operations on the CXdevice.

7.3 Specifying a File for System StartupYou can specify a file for system startup by specifying the system software and configurationfile for the next startup of the CX device.

7.4 Configuration ExamplesThis section provides an example for configuring system startup.These configuration examplesexplain networking requirements, configuration roadmap, and configuration notes.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 7 Configuring System Startup


7-1

7.1 System Startup OverviewWhen the CX device starts, system software is started and configuration files are loaded.

7.1.1 System SoftwareSystem software is the operation system of the CX device, and is the basis for the CX device torun properly and provide various services.

7.1.2 Configuration FilesThe configuration file is the add-in configuration item when restarting the CX device this timeor next time.

7.1.3 Configuration Files and Current ConfigurationsDuring the running of the CX device, configuration files and current configurations aredifferently defined.

7.1.1 System SoftwareSystem software is the operation system of the CX device, and is the basis for the CX device torun properly and provide various services.

The extension name of the system software file is .cc. The file must be saved in the root directoryof the storage device.

7.1.2 Configuration FilesThe configuration file is the add-in configuration item when restarting the CX device this timeor next time.

The configuration file is a text file in the following formats:

l It is saved in the command format.l To save space, default parameters are not saved.l Commands are organized on the basis of the command view. All commands of the identical

command view are grouped into a section. Every two command sections are separated byone or several blank lines or comment lines (beginning with "#").

l The sequence of command sections is global configuration, physical interfaceconfiguration, logic interface configuration, routing protocol configuration and so on.

l The filename extension of the configuration file must be .cfg or .zip, and must be stored inthe root directory of a storage device.

NOTE

l The system can run the command with the maximum length of 512 characters, including the commandin an incomplete form.

l If the configuration is in the incomplete form, the command is saved in complete form. Therefore, thecommand length in the configuration file may exceed 512 characters. When the system restarts, thesecommands cannot be restored.

7.1.3 Configuration Files and Current ConfigurationsDuring the running of the CX device, configuration files and current configurations aredifferently defined.

7 Configuring System StartupHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

The concepts of configuration files and current configurations are as follows:

Concept Identifying Method

Configuration Files Initial configurations: Onpowering on, the CX deviceretrieves the configurationfiles from a default save pathto initiate itself. Ifconfiguration files do notexist in the default save path,the CX device uses the defaultparameters.

l Run the display startupcommand to view theconfiguration files for thecurrent and next startupoperations on the CXdevice.

l Run the display saved-configuration commandto view the configurationfile for the next startupoperation on the CXdevice.

Current Configurations Current configurations:indicates the effectiveconfigurations of thecurrently running CX device.

Run the display current-configuration command toview the currentconfigurations on the CXdevice.

Users can modify the current configurations of the CX device through the command lineinterface. Use the save command to save the current configuration to the configuration file ofthe default storage devices, and the current configuration becomes the initial configuration ofthe CX device when the CX device is powered on next time.

7.2 Managing Configuration FilesYou can manage the configuration files for the current and next startup operations on the CXdevice.

7.2.1 Establishing the Configuration TaskBefore managing configuration files, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

7.2.2 Saving Configuration FilesThe configurations completed by using command lines are valid for only the current operationon the CX device. To allow the configurations to be valid for the next startup operation, youneed to save the current configurations to configuration files before restarting the CX device.

7.2.3 Clearing a Configuration FileYou can clear the configuration file that has been loaded to a device, or clear the inactiveconfigurations of the boards that are not installed in slots.

7.2.4 Comparing Configuration FilesYou can determine whether the current configuration file is the same as the one for the nextstartup operation or a specified one on the CX device by comparing them.

7.2.5 Checking the Configuration



7-3

After managing configuration files, you can view the current configuration files and files in thestorage device.

7.2.1 Establishing the Configuration TaskBefore managing configuration files, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.


You can manage configuration files by saving, clearing, and comparing configuration files. Toupgrade the CX device, take preventive measures, repair configuration files, and viewconfigurations after the CX device starts, you need to manage configuration files.


Before managing configuration files, complete the following task:

l Installing the CX device and starting it properly

Data Preparation

To manage configuration files, you need the following data.

No. Data

1 Configuration file and its name

2 Saving configuration files interval and delay interval

3 The number of the start line from which the comparison of the configuration filesbegins

7.2.2 Saving Configuration FilesThe configurations completed by using command lines are valid for only the current operationon the CX device. To allow the configurations to be valid for the next startup operation, youneed to save the current configurations to configuration files before restarting the CX device.

Context

The system can save the configuration files periodically or in real time to prevent data loss whenthe CX device is powered off or accidentally restarted.

Run one of the following commands to save configuration files.

Procedurel Run:




Issue 01 (2011-05-30)

CAUTIONWhen the automatic saving function is enabled and the LPU is not properly installed,corresponding configurations may be lost.

1. system-viewThe system view is displayed.

2. set save-configuration [ interval interval | cpu-limit cpu-usage |delay delay-interval ] *

The configuration file is saved at intervals.After the parameter interval interval is specified, the device saves the configurationfile at specified intervals regardless of whether the configuration file is changed.– If the set save-configuration command is not run, the system does not

automatically save configurations.– If the set save-configuration command without specified interval is run, the

system automatically saves configurations at 30-minute intervals.When you configure the automatic saving function, to prevent that function fromaffecting system performance, you can set the upper limit of the CPU usage for thesystem during automatic saving. When automatic saving is triggered by the expiry ofthe timer, the CPU usage is checked. If the CPU usage is higher than the set upperlimit, automatic saving will be canceled.After delay delay-interval is specified, if the configuration is changed, the deviceautomatically saves the configuration after the specified delay.After automatic saving of configurations is configured, the system automatically savesthe changed configurations to the configuration file for the next startup andconfiguration files are changed accordingly with the saved configurations.Before configuring the automatic configure file saving on the server, you need to runthe set save-configuration backup-to-server server server-ip [ transport-type{ ftp | sftp } ] user user-name password password [ path folder ] or set save-configuration backup-to-server server server-ip transport-type tftp [ pathfolder ] command to configure the server, including the IP address, user name,password of the server, destination path, and mode of transporting the configurationfile to the server.

NOTEIf TFTP is used, run the tftp client-source command to configure a loopback interface address as aclient source IP address on the CX device, improving security.

l Run:save [ all ] [ configuration-file ]

The current configurations are saved.

The filename extension of the configuration file must be .cfg or .zip. The system startupconfiguration file must be saved in the root directory of a storage device.

The user can modify the current configuration through the command line interface. To setthe current configuration as initial configuration when the CX device starts next time, youcan use the save command to save the current configuration in the cfcard memory.

You can use the save all command to save all the current configurations, including theconfigurations of the boards that are not inserted, to the default directory.



7-5

NOTE

When saving the configuration file for the first time, if you do not specify the optional parameterconfiguration-file, the CX device asks you whether to save the file as "vrpcfg.zip" or not. "vrpcfg.zip"is the default configuration file and initially contains no configuration.

----End

7.2.3 Clearing a Configuration FileYou can clear the configuration file that has been loaded to a device, or clear the inactiveconfigurations of the boards that are not installed in slots.

ContextThe configuration file stored in cfcard memory needs to be cleared in the following cases:

l The system software does not match the configuration file after the CX device has beenupgraded.

l The configuration file is destroyed or an incorrect configuration file has been loaded.

Do as follows to clear the contents of a configuration file:

Procedurel Clear the currently loaded configuration file.

Run the reset saved-configuration command to clear the currently loaded configurationfile.– If the configuration file of the CX device used for the current startup is the same as that

used for the next startup, running the reset saved-configuration command will clearboth the configuration files. The CX device will uses the default configuration file forthe next startup.

– If the configuration file of the CX device used for the current startup is different fromthat used at the next startup, running the reset saved-configuration command will clearthe configuration file used for the current startup.

– If the configuration file of the CX device used for the current startup is empty, the systemwill prompt you that the configuration file does not exist after you run the reset saved-configuration command.

CAUTIONl After the contents of a configuration file are cleared, the empty configuration file with

the original file name is left.l If you do not run the startup saved-configuration configuration-file command to

specify a new correct configuration file, or do not run the save command to save theconfiguration file after the configuration file is cleared, the CX device will use thedefault configuration file at the next startup.

l Exercise caution when running this command. If necessary, do it under the guidance ofHuawei technical support personnel.

l Clear the inactive configurations of the boards that are not installed in slots.




Issue 01 (2011-05-30)

1. Run the system-view command to enter the system view.2. Run the clear inactive-configuration slot command to clear the inactive

configurations of the boards that are not installed in slots.

----End

7.2.4 Comparing Configuration FilesYou can determine whether the current configuration file is the same as the one for the nextstartup operation or a specified one on the CX device by comparing them.

ContextYou can determine whether to specify the current configuration file as the one for the next startupoperation by comparing the current configuration file with the one for the next startup operation.

Procedurel Run:

compare configuration [ configuration-file ] [ current-line-number save-line-number ]

The current configuration is compared with the configuration file for next startup.

– If configuration-file is configured, the system checks whether the current configurationfile is the same as the specified configuration file.

– If no parameter is set, the comparison begins with the first lines of configuration files.current-line-number and save-line-number are used to continue the comparison byignoring the differences between the configuration files.

When comparing differences between the configuration files, the system displays thecontents of the current configuration file and saved configuration file from the first differentline. By default, 150 characters are displayed for each configuration file. If the number ofcharacters from the first different line to the end is less than 150, the contents after the firstdifferent line are all displayed.

NOTE

In comparing the current configurations with the configuration file for next startup, if theconfiguration file for next startup is unavailable or its contents are null, the system prompts thatreading files fails.

----End

7.2.5 Checking the ConfigurationAfter managing configuration files, you can view the current configuration files and files in thestorage device.

PrerequisiteThe configuration of Managing Configuration Files are complete.

Procedurel Run the display current-configuration [ configuration [ configuration-type

[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]



7-7

[ feature feature-name [ filter filter-expression ] | filter filter-expression ] or displaycurrent-configuration [ all | inactive ]command to check current configurations.

l Run the display startup command to check files for startup.

l Run the dir [ /all ] [ filename ] command to check files saved in the storage device.

l Run the display saved-configuration configuration command to view configurations ofthe autosave function, including the status of the autosave function, time for autosave check,threshold for the CPU usage, and period during which configurations are unchanged (whenthe period expires, configurations are automatically saved).

l Run the display changed-configuration time command to check the time of the lastconfiguration change.

----End

Example

Run the display startup command to check files for startup.

<HUAWEI> display startupMainBoard: Configured startup system software: cfcard:/V600R003C00.cc Startup system software: cfcard:/V600R003C00.cc Next startup system software: cfcard:/V600R003C00.cc Startup saved-configuration file: cfcard:/vrp.cfg Next startup saved-configuration file: cfcard:/vrp.cfg Startup paf file: default Next startup paf file: default Startup license file: default Next startup license file: default Startup patch package: NULL Next startup patch package: NULL

7.3 Specifying a File for System StartupYou can specify a file for system startup by specifying the system software and configurationfile for the next startup of the CX device.

7.3.1 Establishing the Configuration TaskBefore specifying a file for system startup, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

7.3.2 Configuring System Software for a CX device to Load for the Next StartupTo upgrade the system software of a CX device, you can specify the CX600 system software tobe loaded for the next startup.

7.3.3 Configuring the Configuration File for CX- to Load for the Next StartupBefore restarting a CX device, you can specify the configuration files that are loaded for thenext startup.

7.3.4 Checking the ConfigurationAfter specifying a file for system startup, you can check the contents of the configuration file tobe loaded and the information about the file to be used during the next startup on the CXdevice.




Issue 01 (2011-05-30)

7.3.1 Establishing the Configuration TaskBefore specifying a file for system startup, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentTo enable the CX device to provide user-defined configurations during the next startup, youneed to correctly specify the system software and configuration file for the next startup.

Pre-configuration TasksBefore specifying a file for the system startup, complete the following task:

l Installing the CX device and powering it on properly

Data PreparationTo specify a file for system startup, you need the following data.

No. Data

1 System software and its file name on the CX600

2 Configuration file and its file name on the CX600

7.3.2 Configuring System Software for a CX device to Load for theNext Startup

To upgrade the system software of a CX device, you can specify the CX600 system software tobe loaded for the next startup.

ContextIf no system software is specified for the next startup operation of the CX device, the systemsoftware loaded this time will be started during the next startup operation. To change systemsoftware for the next startup operation, you need to specify the required one.

The filename extension of the system software must be .cc and must be stored in the root directoryof a storage device.

Procedure

Step 1 Run:startup system-software system-file [ slave-board ]

The CX600 system software for the CX device to load next time when it starts is configured.

You can specify the system-file and use the system software for the next startup that is saved onthe device.



7-9

slave-board is valid only on the CX device with dual main control boards.

----End

7.3.3 Configuring the Configuration File for CX- to Load for theNext Startup

Before restarting a CX device, you can specify the configuration files that are loaded for thenext startup.

Context

You can run the display startup command on the CX device to check whether the configurationfile to be loaded during the next startup operation is specified. If no configuration file is specified,the default configuration file is loaded during the next startup operation.

The filename extension of the configuration file must be .cfg or .zip, and must be stored in theroot directory of a storage device.

When the CX device turns on, it initiates by reading the configuration file from the cfcardmemory by default. Thus, the configuration in this configuration file is called initialconfiguration. If no configuration file is saved in the cfcard, the CX device initiates with defaultparameters.

Procedurel Run:

startup saved-configuration configuration-file

Configuration file is saved for the CX device to load next time on startup.

----End

7.3.4 Checking the ConfigurationAfter specifying a file for system startup, you can check the contents of the configuration file tobe loaded and the information about the file to be used during the next startup on the CXdevice.

PrerequisiteThe file has been specified for system startup.

Procedurel Run the display current-configuration [ configuration [ configuration-type

[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ][ feature feature-name [ filterfilter-expression ] | filterfilter-expression ] command tocheck current configurations.

l Run the display saved-configuration [ last | time | configuration ] command to check thecontents of the configuration file to be loaded during the next startup.

l Run the display startup command to check information about the files to be used duringthe next startup.




Issue 01 (2011-05-30)

l Run the display current-configuration slave command to check the configuration of theslave board.

----End

ExampleRun the display startup command to check information about the files to be used during thenext startup.

<HUAWEI> display startupMainBoard: Configured startup system software: cfcard:/V600R003C00.cc Startup system software: cfcard:/V600R003C00.cc Next startup system software: cfcard:/V600R003C00.cc Startup saved-configuration file: cfcard:/vrp.cfg Next startup saved-configuration file: cfcard:/vrp.cfg Startup paf file: default Next startup paf file: default Startup license file: default Next startup license file: default Startup patch package: NULL Next startup patch package: NULL

7.4 Configuration ExamplesThis section provides an example for configuring system startup.These configuration examplesexplain networking requirements, configuration roadmap, and configuration notes.

7.4.1 Example for Configuring System StartupThis section provides an example for configuring system startup. In this example, theconfiguration file is saved and the system software and configuration file to be loaded duringthe next startup are specified so that the CX device can start in a required manner.

7.4.1 Example for Configuring System StartupThis section provides an example for configuring system startup. In this example, theconfiguration file is saved and the system software and configuration file to be loaded duringthe next startup are specified so that the CX device can start in a required manner.

Networking RequirementsThe CX device is installed with double main control boards. After the CX device is configured,new configurations take effect after the system restarts.


1. Save the current configuration.2. Specify the configuration file to be loaded during the next startup of the CX device.3. Specify the system software to be loaded during the next startup of the CX device.




7-11

l Name of the configuration filel File name of the system software

Procedure

Step 1 Check the configuration file and system software that are used during the current startup.<HUAWEI> display startupMainBoard: Configured startup system software: cfcard:/V600R003C00.cc Startup system software: cfcard:/V600R003C00.cc Next startup system software: cfcard:/V600R003C00.cc Startup saved-configuration file: cfcard:/vrp.cfg Next startup saved-configuration file: cfcard:/vrp.cfg Startup paf file: default Next startup paf file: default Startup license file: default Next startup license file: default Startup patch package: NULL Next startup patch package: NULL

Step 2 Save the current configuration to the specified file.<HUAWEI> save vrpcfg.cfg

The system prompts you whether to save the current configuration to the file named vrpcfg.cfgon the master and slave main control boards. After entering y at the prompt, you save theconfiguration successfully.

Step 3 Specify the configuration file to be loaded during the next startup of the CX device.<HUAWEI> startup saved-configuration vrpcfg.cfg

Step 4 Specify the system software to be loaded during the next startup of the CX device.

Specify the system software to be loaded during the next startup of the master main controlboard.

<HUAWEI> startup system-software V600R003C00.cc

Specify the system software to be loaded during the next startup of the slave main control board.

<HUAWEI> startup system-software V600R003C00.cc slave-board

NOTE

l The slave main control board automatically synchronizes with the master main control board after theconfiguration file to be loaded during the next startup is specified for the master main control board.

l Ensure that the system software to be loaded during the next startup of the CX device is saved on themaster and slave main control boards of the CX device. Configure the system software to be loadedduring the next startup of the master and slave main control boards respectively.


After the configuration is complete, run the following command to check the configuration fileand system software to be loaded during the next startup of the CX device.

<HUAWEI> display startupMainBoard: Configured startup system software: cfcard:/V600R003C00.cc Startup system software: cfcard:/V600R003C00.cc Next startup system software: cfcard:/V600R003C00.cc Startup saved-configuration file: cfcard:/vrp.cfg Next startup saved-configuration file: cfcard:/vrpcfg.cfg Startup paf file: default Next startup paf file: default Startup license file: default




Issue 01 (2011-05-30)

Next startup license file: default Startup patch package: NULL Next startup patch package: NULL

----End

Configuration FilesNone.



7-13

8 Accessing Another Device

About This Chapter

To manage configurations or operate files of another device, you can access the device by usingTelnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.

8.1 Accessing Another DeviceThis section describes how to access another device on the network by using Telnet, FTP, TFTP,or SSH.

8.2 Logging in to Other Devices by Using TelnetOn the network, a large number of CX devices need to be managed and maintained. Not all CXdevices, however, can be connected to terminal PCs. In addition, there are not reachable routesbetween some CX devices and terminal PCs. To manage and maintain CX devices remotely,you can log in to them by using Telnet from a device that you have logged in to.

8.3 Connecting to Another Device by Using the Telnet Redirection FunctionIf the client is not connected to the remote device on an IP network, you can manage the deviceby using the Telnet redirection function on the CX device.

8.4 Logging in to Another Device by Using STelnetSTelnet ensures secure Telnet services. You can log in to another CX device from the CXdevice that you have logged in to by using STelnet, and thus to manage the device remotely.

8.5 Accessing Files on Another Device by Using TFTPYou can configure the CX device as a TFTP client, and log in to the TFTP server to upload anddownload files.

8.6 Accessing Files on Another Device by Using FTPThis section describes how to configure the CX device as an FTP client to log in to the FTPserver, and to upload files to or download files from the server.

8.7 Accessing Files on Another Device by Using SFTPSFTP is a secure FTP service. After the CX device is configured as an SFTP client. The SFTPserver authenticates the client and encrypts data in both directions to provide secure datatransmission.

8.8 Configuration Examples

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 8 Accessing Another Device


8-1

This section describes examples for access another device. The examples explain networkingrequirements, configuration notes, and configuration roadmap.

8 Accessing Another DeviceHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

8.1 Accessing Another DeviceThis section describes how to access another device on the network by using Telnet, FTP, TFTP,or SSH.

Figure 8-1 Networking diagram for accessing another device from the CX device

Network Network

PC Client

Server

As shown in Figure 8-1, when you run the terminal emulation program or Telnet program on aPC to connect to the CX device successfully, the CX device can still function as a client to accessanother device on the network by using the following one or more methods.

8.1.1 Telnet MethodTo configure and manage remote device on the network, you can use the CX device that youhave logged in to as a client to log in to the device, or use the redirection terminal service ontheCX device to log in to the device.

8.1.2 FTP MethodTo access files on a remote FTP server, you can establish a connection between the CX devicethat you have logged in to and the remote FTP server by using FTP.

8.1.3 TFTP MethodOn the network, if a client communicates with a server in a comparatively simple interactionenvironment, you can enable TFTP services on the CX device that functions as a client to accessfiles on the TFTP server.

8.1.4 SSH MethodTo securely access another device on the network, you can log in to it by using SSH (includingSTelnet,SFTP) from the CX device that you have logged in to.

8.1.1 Telnet MethodTo configure and manage remote device on the network, you can use the CX device that youhave logged in to as a client to log in to the device, or use the redirection terminal service ontheCX device to log in to the device.

Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login anda virtual terminal service through the network.

The CX600 provides the following Telnet services:

l Telnet server: You can run the Telnet client program on a PC to log in to the CX device,configure and manage it. The CX device acts as a Telnet server.

l Telnet client: You can run the terminal emulation program or the Telnet client program ona PC to connect with the CX device. With the telnet command, you can log in to other CX



8-3

devices to configure and manage them. As shown in Figure 8-2,CX- A serves as both theTelnet server and the Telnet client.

Figure 8-2 Telnet client services

CX-APC CX-B

Telnet Session 1 Telnet Session2

Telnet Server

l Redirection terminal services: You can run the Telnet client program on a PC to log in to

the CX device through a specified port number. Then connect with the serial interfacedevices that are connected with the asynchronous interface of the CX device, as shown inFigure 8-3. The typical application is to connect the asynchronous interface of the CXdevice with multiple devices for their remote configuration and maintenance.

Figure 8-3 Telnet redirection services

Ethernet

PC

CX600

Router2ModemSwitchRouter1

Async0

Async1 Async2

Async3

NOTE

Only the devices that provide the asynchronous interface support the Telnet redirection service.

l Interruption of Telnet servicesIn Telnet connection, you can use two types of shortcut keys to interrupt the connection.As shown in Figure 8-4, CX- A logs in to CX- B through Telnet, and CX- B logs in toCX- C through Telnet. Thus, a cascade network is formed. In this case, CX- A is the clientof CX- B and CX- B is the client of CX- C. Figure 8-4 illustrates the usage of the two typesof shortcut keys.




Issue 01 (2011-05-30)

Figure 8-4 Usage of Telnet shortcut keys

CX-B CX-C

Telnet Session 1 Telnet Session2

TelnetServer

CX-A

TelnetClient

<Ctrl_]>: The server interrupts the connection.If the network connection is normal, when you press Ctrl_], the Telnet server interruptsthe current Telnet connection actively. For example:<CX-C>

Press <Ctrl_]> to return to the prompt of CX-B.Info: The max number of VTY users is 10, and the current numberof VTY users on line is 1.Info: The connection was closed by the remote host.<CX-B>

Press <Ctrl_]> to return to the prompt of CX-A.Info: The max number of VTY users is 10, and the current numberof VTY users on line is 1.Info: The connection was closed by the remote host.<CX-A>

NOTE

If the network disconnects, the shortcut keys become invalid. The instruction cannot be sent to theserver.

<Ctrl_T>: The client interrupts the connection.When the server fails and the client is unaware of the failure, the server does not respondto the input of the client. In this case, if you press Ctrl_T, the Telnet client interrupts theconnection actively and quits the Telnet connection.For example:<CX-C>

Press <Ctrl_T> to directly interrupt the connection and quit Telnet connection.<CX-A>

CAUTIONWhen the number of remote login users reaches to the maximum number of VTY userinterfaces, the system prompts that all user interfaces are in use and you cannot use Telnetto log in.

8.1.2 FTP MethodTo access files on a remote FTP server, you can establish a connection between the CX devicethat you have logged in to and the remote FTP server by using FTP.



8-5

FTP can transmit files between hosts, and provide users with common FTP commands to simplymanage file system. To be specific, through the FTP client program outside the router, users canupload or download the files and access the directories on the router; through the FTP clientprogram inside the router, users can transfer files to the FTP servers of other devices.

FTP can transmit files between local and remote hosts, and is widely used for version upgrade,log downloading, file transmission, and configuration saving.

8.1.3 TFTP MethodOn the network, if a client communicates with a server in a comparatively simple interactionenvironment, you can enable TFTP services on the CX device that functions as a client to accessfiles on the TFTP server.

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.

Compared with FTP, TFTP does not have a complex interactive access interface andauthentication control. TFTP is applicable in an environment where there is no complexinteraction between the client and the server. For example, TFTP is used to obtain the memoryimage of the system when the system starts up.

TFTP is implemented based on the User Datagram Protocol (UDP).

The client initiates the TFTP transfer. To download files, the client sends a read request packetto the TFTP server, receives packets from the server, and sends acknowledgement to the server.To upload files, the client sends a write request packet to the TFTP server, sends packets to theserver, and receives acknowledgement from the server.

TFTP transfers the files in two formats:

l The binary format: transfers program files.l The ASCII format: transfers text files.

At present, the CX600 serves only as the TFTP client and transfers files in the binary format.

8.1.4 SSH MethodTo securely access another device on the network, you can log in to it by using SSH (includingSTelnet,SFTP) from the CX device that you have logged in to.

SSH OverviewWhen users on an insecure network log in to the CX device through Telnet, the Secure Shell(SSH) feature ensures information security and authentication. It protects the CX device fromattacks such as IP address spoofing and interception of plain text password.

The SSH client function allows users to establish SSH connections with CX device serving asSSH server or with UNIX hosts.

SSH Client FunctionThe CX600 supports the STelnet client function ,the SFTP client function.

l STelnet clientThe Telnet protocol does not provide secure authentication. The TCP transmits data in plaintext. This leads to security problems. The system also faces serious threats from DOS




Issue 01 (2011-05-30)

(Denial of Service) attacks, the host IP address spoofing, and routing spoofing. Telnetservices are prone to network attacks.SSH implements secure remote access on insecure networks and it has the followingadvantages compared with Telnet:

– SSH supports Remote Subscriber Access (RSA) authentication. In RSA authentication,SSH generates and exchanges public and private keys compliant with asymmetricencipherment system to ensure the session security.

– SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.

– The user name and the password are both encrypted in the communication between theSSH client and the SSH server. This prevents password interception.

– SSH encrypts the transmitted data.When the STelnet server or the connection to the client is faulty, the client must detect thefault in time and release the connection voluntarily. To implement this, when logging in tothe server through Stelnet, the client must be configured with the interval for sending thekeepalive packet and the number of times for no reply restriction on the server if no packetis received by the client. If a client does not receive any packet within specified period, theclient sends a keepalive packet to the server. If the number of times of no reply restrictionexceeds the specified number, the client releases the connection voluntarily.

l SFTP clientSFTP is short for Secure FTP. You can log in to a device from the secure remote end tomanage files. This improves the security of data transmission when the remote system isupdated. Meanwhile, the client function enables you to log in to the remote device throughSFTP for secure file transmission.When the SFTP server or the connection between it and the client is faulty, the client mustdetect the fault in time and releases the connection voluntarily. To implement this, whenlogging in to the server through SFTP, the client must be configured with the period ofsending the keepalive packet and the number of times for no reply restriction on the serverif no packet is received by the client. If a client does not receive any packet within specifiedperiod, the client sends a keepalive packet to the server. If the number of times of no replyrestriction exceeds the specified number, the client takes the initiative to release theconnection.

8.2 Logging in to Other Devices by Using TelnetOn the network, a large number of CX devices need to be managed and maintained. Not all CXdevices, however, can be connected to terminal PCs. In addition, there are not reachable routesbetween some CX devices and terminal PCs. To manage and maintain CX devices remotely,you can log in to them by using Telnet from a device that you have logged in to.

8.2.1 Establishing the Configuration TaskBefore establishing the configuration task of logging in to another CX device from the CXdevice that you have logged in to, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.

8.2.2 (Optional) Configuring a Source IP Address for an Telnet ClientYou can configure a source IP address for an Telnet client. Then, you can set up an Telnetconnection from the Telnet client to the server through a specific route by using this source IPaddress.



8-7

8.2.3 Logging in to Another Device by Using TelnetYou can log in to another CX device and manage it by using Telnet.

8.2.4 Checking the ConfigurationWhen you log in to another CX device successfully from the CX device that you have loggedin to, you can check information about the established TCP connection.

8.2.1 Establishing the Configuration TaskBefore establishing the configuration task of logging in to another CX device from the CXdevice that you have logged in to, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.


Figure 8-5 Networking diagram for accessing another device from the CX device that you havelogged in to

Network Network

PC CX-A CX-B

As shown in Figure 8-5, you can log in to CX- A from a PC by using Telnet, but cannot manageCX- B remotely. This is because there is no reachable route between the PC and CX- B. Tomanage CX- B remotely, you can log in to it from CX- A by using Telnet.

In this situation, CX- A functions as a Telnet client, and CX- B that you attempt to log in tofunctions as a server.

Pre-configuration TasksBefore logging in to another device on the network by using Telnet, complete the followingtasks:

l Ensuring that the CX device that you attempt to log in to works properly, and enablingTelnet services on the device

l Ensuring that there is a reachable route between the CX device that you have logged intoand the CX device that you attempt to log in to

Data PreparationTo log in to another device by using Telnet, you need the following data:

No. Data

1 IP address or host name of CX-B

2 Number of the TCP port used by the CX-B to provide Telnet services




Issue 01 (2011-05-30)

8.2.2 (Optional) Configuring a Source IP Address for an TelnetClient

You can configure a source IP address for an Telnet client. Then, you can set up an Telnetconnection from the Telnet client to the server through a specific route by using this source IPaddress.

ContextAn IP address is configured for an interface on the CX device and functions as the source IPaddress of an telnet connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a CX device that functions as an Telnet client.

Procedure



Step 2 Run:telnet client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of an Telnet client is configured.

After the configuration, the source IP address of the Telnet client displayed on the Telnet servermust be the same as the configured one.

----End

8.2.3 Logging in to Another Device by Using TelnetYou can log in to another CX device and manage it by using Telnet.

ContextTelnet provides an interactive CLI for users to log in to a remote server. Users can log in to ahost, and then remotely log in to another host by using Telnet to configure and manage the remotehost. In this manner, not each host is required to connect to a hardware terminal.

Do as follows on the CX device that serves as a Telnet client:

Procedurel Select and perform one of the following two steps for IPv4 or IPv6.

– Run:telnet [ vpn-instance vpn-instance-name ] [-a source-ip-address ] host-name [ port-number ]Log in to the CX device and manage other CX devices.



8-9

– Run:telnet ipv6 [ -a source-ip-address ] [ vpn-instance vpn-instance-name ] host-name [ -i interface-type interface-number ] [ port-number ]Log in to the CX device and manage other CX devices.

----End

8.2.4 Checking the ConfigurationWhen you log in to another CX device successfully from the CX device that you have loggedin to, you can check information about the established TCP connection.

PrerequisiteAll configurations for logging in to another device are complete.

Procedurel Run the display tcp status command to check the status of all TCP connections.

----End

ExampleRun the display tcp status command to view the status of TCP connections. The Establishedstatus indicates that a TCP connection has been established.

<HUAWEI> display tcp statusTCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 Listening34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0 Established

8.3 Connecting to Another Device by Using the TelnetRedirection Function

If the client is not connected to the remote device on an IP network, you can manage the deviceby using the Telnet redirection function on the CX device.

8.3.1 Establishing the Configuration TaskBefore establishing the configuration task of redirecting the client login to another device,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.

8.3.2 Enabling the Telnet Redirection FunctionAfter the redirection function is enabled on the CX device that functions as a Telnet client, youcan log in to a remote device from a specified interface of the client to manage and maintain theremote device.

8.3.3 Connecting Another Device by Using the Telnet Redirection FunctionYou can log in to a device to be managed from the CX device functioning as a Telnet client byusing the Telnet redirection function.




Issue 01 (2011-05-30)

8.3.4 Checking the ConfigurationAfter logging in to another device remotely by using Telnet, you can check status informationabout the current TCP connection.

8.3.1 Establishing the Configuration TaskBefore establishing the configuration task of redirecting the client login to another device,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.


If a remote device needs to be managed and maintained but is not connected with the terminalPC on the IP network, such as a new device on the network, you can log in to the remote devicefrom a CX device by using the Telnet redirection function.

The remote device can be a device that supports serial interfaces, such as a CX device, a switch,or a modem.

Figure 8-6 Schematic diagram of redirecting the client login to another device by using Telnet

NetworkConsole

PC CX-A CX-B

Aux

Session

As shown in Figure 8-6, remote CX- B is not connected with the client over the IP network. IfCX- B needs to be managed remotely, you can use the Telnet redirection function of CX- A.That is, connect the asynchronous serial interface of CX- A to the serial interface of CX- B. Thisallows you to run the Telnet client program on the PC to log in to CX- B by using a specifiedinterface, and thus to manage and maintain the device remotely.

CX- B in the diagram above has been configured with serial interfaces. CX- A is directlyconnected with CX- B.


Before redirecting the client to another device by using Telnet, complete the following tasks:

l Configuring a reachable route between the client and CX- Al Powering on the remote devicel CX deviceis directly connected with the remote device by configuring cable

Data Preparation

To log in to another device by using the Telnet redirection function, you need the following data:



8-11

No. Data

1 IP address of CX deviceCX- A

8.3.2 Enabling the Telnet Redirection FunctionAfter the redirection function is enabled on the CX device that functions as a Telnet client, youcan log in to a remote device from a specified interface of the client to manage and maintain theremote device.

Context

The Telnet redirection function is supported by the products whose AUX ports or TTY interfacescan be configured with this function.

Perform the following steps on the CX device:

Procedure



Step 2 Run:user-interface aux 0

The AUX0 user interface is displayed.

Step 3 Run:undo shell

Terminal services are disabled on the AUX0 user interface.

Step 4 Run:redirect

The Telnet redirection function is enabled on the AUX0 user interface.

NOTE

l After the Telnet redirection function is enabled, the interface number used for redirection will beassigned. AUX0 is numbered as 33, and the interface number is therefore 2033.

l You can log in to the remote device that needs to be managed and maintained from the Telnet clientby using the specified interface.

----End

8.3.3 Connecting Another Device by Using the Telnet RedirectionFunction

You can log in to a device to be managed from the CX device functioning as a Telnet client byusing the Telnet redirection function.




Issue 01 (2011-05-30)

ContextUsers attempt to log in to another device by using a specified interface of the client.

Perform the following step on the client:

Procedurel Run:

telnet host-name port-number

Logging in to the remote device succeeds.

The host-name parameter specifies the IP address or host name of the CX device that hasenabled the redirection function.

----End

8.3.4 Checking the ConfigurationAfter logging in to another device remotely by using Telnet, you can check status informationabout the current TCP connection.

PrerequisiteThe configurations for logging in to another device by using the Telnet redirection function arecomplete.

Contextl Run the display tcp status command to check status information about the established TCP

connection.

ExampleRun the display tcp status command to view status information about the established TCPconnection.

<HUAWEI> display tcp statusTCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State348d3c50 6 /1 0.0.0.0:21 0.0.0.0:0 23553 Listening3b558554 128/1 0.0.0.0:23 0.0.0.0:0 23553 Listening31cf1978 128/4 0.0.0.0:2033 0.0.0.0:0 23553 Listening31cf1bb0 128/6 0.0.0.0:4033 0.0.0.0:0 23553 Listening11a22ad8 128/3 10.137.217.225:23 10.138.77.38:3670 0 Established

8.4 Logging in to Another Device by Using STelnetSTelnet ensures secure Telnet services. You can log in to another CX device from the CXdevice that you have logged in to by using STelnet, and thus to manage the device remotely.




8-13

Before establishing the configuration task of logging in to another device by using Stelnet,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.

8.4.2 Configuring the First Successful Login to Another Device (Enabling the First-TimeAuthentication on the SSH Client)After the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time.

8.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Keyto the SSH Server)To configure the first successful login to another device on the SSH client, you need to allocatean RSA public key to the SSH server before the login.

8.4.4 Logging in to Another Device by Using STelnetYou can log in to the SSH server from the SSH client by using STelnet.

8.4.5 Checking the configurationAfter the configuration task of logging in to another device by using STelnet is established, youcan check the mappings between all SSH servers of the STelnet client and the RSA public keyson the client, the global configurations of the SSH servers, and the sessions between the SSHservers and the STelnet client.

8.4.1 Establishing the Configuration TaskBefore establishing the configuration task of logging in to another device by using Stelnet,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.

Applicable EnvironmentLogins by using Telnet bring security risks because no secure authentication mechanism isavailable and data is transmitted by using TCP in plain text mode.

STelnet is short for SSH Telnet that is a secure Telnet protocol. STelnet is on the basis of SSH.SSH users can use STelnet services as Telnet services.

In this configuration, the CX- that you have logged in to functions as a Telnet client, andtheCX- that you attempt to log in to functions as an SSH server.

Pre-configuration TasksBefore logging in to another device by using STelnet, complete the following tasks:

l Configuring a reachable route between the client and SSH server

Data PreparationTo log in to another device by using STelnet, you need the following data:

No. Data

1 Name of the SSH server,Public key that is assigned by the client to the SSH server




Issue 01 (2011-05-30)

No. Data

2 IPv4 or IPv6 address or host name of the SSH server,Number of the port monitoredby the SSH server,Preferred encrypted algorithm from the SFTP client to the SSHserver,Preferred encrypted algorithm from the SSH server to the SFTPclient,Preferred HMAC algorithm from the SFTP client to the SSH server,PreferredHMAC algorithm from the SSH server to the SFTP client,Preferred algorithm of keyexchangeThe user information for logging in to the SSH server

8.4.2 Configuring the First Successful Login to Another Device(Enabling the First-Time Authentication on the SSH Client)

After the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time.

ContextIf the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time. Afterthe login, the system automatically allocates the RSA public key and saves it for authenticationin next login.

Do as follows on the CX device that serves as an SSH client:


system-view


Step 2 Run:ssh client first-time enable

The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.

NOTE

l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validityof the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the firsttime. The check is skipped because the STelnet server has not saved the RSA public key of the SSHserver.

l If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to theSSH server for the first time, the STelnet client fails to pass the check on the RSA public key validityand cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSApublic key in advance to the SSH server on the SSH client in addition to enabling the first-timeauthentication on the SSH client.

----End



8-15

8.4.3 Configuring the First Successful Login to Another Device(Allocating an RSA Public Key to the SSH Server)

To configure the first successful login to another device on the SSH client, you need to allocatean RSA public key to the SSH server before the login.

ContextIf the first-time authentication is not enabled on the SSH client, when the STelnet client logs into the SSH server for the first time, the STelnet client fails to pass the check on the RSA publickey validity and cannot log in to the server.So you need to allocate an RSA public key to theSSH server before the STelnet client logs in to the SSH server.


Procedure



Step 2 Run:rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:public-key-code begin

The public key editing view is displayed.

Step 4 Run:hex-data


The public key must be a string of hexadecimal alphanumeric characters. It is automaticallygenerated by an SSH client. You can run the display rsa local-key-pair public command toview a generated public key.

NOTE

Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSHserver and must be configured on the SSH client. Then, the STelnet client client can successfully undergothe validity check on the RSA public key of the SSH server.

Step 5 Run:public-key-code end



l If the specified key-name is deleted in other views, the system prompts that the key does notexist after the peer-public-key end command is run and the system view is displayed.




Issue 01 (2011-05-30)

Step 6 Run:peer-public-key end

Return to the system view from the public key view.

Step 7 Run:ssh client servername assign rsa-key keyname

The RSA public key is assigned to the SSH server.

NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servernameassign rsa-key command to cancel the association between the SSH client and the SSH server. Then, runthe ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSHserver.

----End

8.4.4 Logging in to Another Device by Using STelnetYou can log in to the SSH server from the SSH client by using STelnet.

ContextWhen accessing an SSH server, the STelnet client can carry the source address and the VPNinstance name and choose the key exchange algorithm, encryption algorithm, or HMACalgorithm, and configure the keepalive function.


Procedure



Step 2 According to the address type of the SSH server, select and run one of the following twocommands.l For IPv4 addresses,

Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. Youcan log in to the SSH server through STelnet.

l For IPv6 addresses,Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ][ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. Youcan log in to the SSH server through STelnet.

----End



8-17

8.4.5 Checking the configurationAfter the configuration task of logging in to another device by using STelnet is established, youcan check the mappings between all SSH servers of the STelnet client and the RSA public keyson the client, the global configurations of the SSH servers, and the sessions between the SSHservers and the STelnet client.

PrerequisiteThe configurations for logging in to another device by using STelnet are complete.

Procedurel Run the display ssh server-info command to check the mappings between all SSH servers

of the SSH client and the RSA public keys on the client.

----End

ExampleRun the display ssh server-info to view the mappings between all servers of the SSH client andthe RSA public keys on the SSH client.

<HUAWEI> display ssh server-infoServer Name(IP) Server public key name________________________________________________________________________ 1000::1 1000::1 10.164.39.223 10.164.39.223 11.11.11.23 11.11.11.23 10.164.39.204 10.164.39.204 10.164.39.222 10.164.39.222

8.5 Accessing Files on Another Device by Using TFTPYou can configure the CX device as a TFTP client, and log in to the TFTP server to upload anddownload files.

8.5.1 Establishing the Configuration TaskBefore accessing another device by using TFTP, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

8.5.2 (Optional) Configuring a Source IP Address for a TFTP ClientYou can configure a source IP address for a TFTP client. Then, you can set up a TFTP connectionfrom the TFTP client to the server through a specific route by using this source IP address.

8.5.3 (Optional) Configuring TFTP Access AuthorityThis section describes how to use an ACL rule to authorize the users to specify the TFTP serversthat can be accessed by using TFTP from the CX device that you have logged in to.

8.5.4 Downloading Files by Using TFTPYou can download files from the TFTP server to the TFTP client.

8.5.5 Uploading Files by Using TFTPYou can upload files from the TFTP client to the TFTP server.





Issue 01 (2011-05-30)

When a device is configured to be a TFTP client, you can check the source address of the clientand the configured ACl rule.

8.5.1 Establishing the Configuration TaskBefore accessing another device by using TFTP, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.


You can transfer files through TFTP between the server and the client in a simple interactionenvironment.

The current CX- functions as a TFTP client, and theCX- to be accessed functions as a TFTPserver.


Before accessing another device by using TFTP, complete the following tasks:

l Configuring a reachable route between the client and TFTP server

Data Preparation

To access another device by using TFTP, you need the following data.

No. Data

1 (Optional) Source address or source interface of the CX device that functions as aTFTP client

2 IP address or host name of the TFTP server

3 Name of the specific file in the TFTP server and the file directory

8.5.2 (Optional) Configuring a Source IP Address for a TFTP ClientYou can configure a source IP address for a TFTP client. Then, you can set up a TFTP connectionfrom the TFTP client to the server through a specific route by using this source IP address.

Context

An IP address is configured for an interface on the CX device and functions as the source IPaddress of a TFTP connection. In this manner, security checks can be implemented.


Do as follows on a CX device that functions as a TFTP client.



8-19

Procedure



Step 2 Run:tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP servermust be the same as the configured one.

----End

8.5.3 (Optional) Configuring TFTP Access AuthorityThis section describes how to use an ACL rule to authorize the users to specify the TFTP serversthat can be accessed by using TFTP from the CX device that you have logged in to.

ContextAn Access Control List (ACL) is a set of sequential rules. These rules are described based onthe source address, destination address, and port number of a packet. CX-s use the ACL rulesto filter packets. With the rule applied to the interface on a CX device, the CX device permitsor denies the packets.

Each ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,and advanced ACL based on the functions of ACL rules.

NOTE

TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).

Do as follows on the CX device that serves as the TFTP client:

Procedure



Step 2 Run:acl acl-number

The ACL view is displayed.

Step 3 Run:rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL rule is configured.

Step 4 Run:quit




Issue 01 (2011-05-30)


Step 5 Run:tftp-server acl acl-number

The ACL can be used to limit the access to the TFTP server.

----End

8.5.4 Downloading Files by Using TFTPYou can download files from the TFTP server to the TFTP client.


Procedurel Run the following commands according to the type of the server IP addresses.

– The IP address of the server is IPv4 address, run:tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]The CX device is configured to download files through TFTP.

– The IP address of the server is IPv6 address, run:tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] get source-filename [ destination-filename ]The CX device is configured to download files through TFTP.

----End

8.5.5 Uploading Files by Using TFTPYou can upload files from the TFTP client to the TFTP server.


Procedurel Run the following commands according to the type of the server IP addresses.

– The IP address of the server is IPv4 address, run:tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]The CX device is configured to upload files through TFTP.

– The IP address of the server is IPv6 address, run:tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] put source-filename [ destination-filename ]The CX device is configured to upload files through TFTP.

----End

8.5.6 Checking the ConfigurationWhen a device is configured to be a TFTP client, you can check the source address of the clientand the configured ACl rule.



8-21

PrerequisiteConfigurations of using the device as a TFTP client are complete.

Procedurel Run the display tftp-client command to check the device address that is set to the source

address of the TFTP client.l Run the display acl { name acl-name | acl-number | all } command to check the ACL rule

that is configured on the TFTP client.

----End

ExampleRun the display tftp-client command to view the source address of the TFTP client.

<HUAWEI> display tftp-clientThe source address of TFTP client is 1.1.1.1.

Run the display acl{ name acl-name | acl-number | all } to view the ACL rule that is configuredon the TFTP client.

<HUAWEI> display acl 2001Basic acl 2001, 2 rules,Acl's step is 5 rule 5 permit rule 10 permit source 1.1.1.1 0

8.6 Accessing Files on Another Device by Using FTPThis section describes how to configure the CX device as an FTP client to log in to the FTPserver, and to upload files to or download files from the server.

8.6.1 Establishing the Configuration TaskBefore establishing the configuration task of accessing files on another device by using FTP,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.

8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP ClientThis section describes how to configure the source IP address and interface of FTP client toestablish the connection with FTP server.

8.6.3 Connecting to Other Devices by Using FTP CommandsYou can run FTP commands to log in to other devices from the CX device that functions as theFTP client.

8.6.4 Operating Files by Using FTP CommandsAfter logging in to a FTP server, you can operate files by using FTP commands. File operationsinclude configuring a file transmission method, checking online help about FTP commands,uploading or downloading files, and managing directories and files.

8.6.5 Changing Login UsersAfter logging in to an FTP server, you can change the username on the client and re-log in tothe server with the new username.

8.6.6 Disconnecting from the FTP Server




Issue 01 (2011-05-30)

You can terminate the connection with the FTP server and return to the user view or FTP view.

8.6.7 Checking the ConfigurationAfter the configurations of accessing other devices by using FTP are complete, you can viewthe source parameters configured on the FTP client.

8.6.1 Establishing the Configuration TaskBefore establishing the configuration task of accessing files on another device by using FTP,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.


Before transmitting files between a client and a remote FTP server, or managing directories ofthe server, you can configure the CX device that you have logged in to as an FTP client. Then,you can access the FTP server by using FTP for file transmission or directory management.


Before establishing the configuration task of accessing files on another device by using FTP,complete the following tasks:

l Configuring a reachable route between the CX device and the FTP server

Data Preparation

To establish the configuration task of accessing files on another device by using FTP, you needthe following data:

No. Data

1 (Optional) Source IP address or source interface of the CX device functioning as anFTP client

2 Host name or IP address of the FTP server, port number of connecting FTP, loginusername and password

3 Local file name and file name on the remote FTP server,working directory name ofthe remote FTP server, local working directory of the FTP client, or directory nameof the remote FTP server

8.6.2 (Optional) Configuring Source IP Address and Interface of theFTP Client

This section describes how to configure the source IP address and interface of FTP client toestablish the connection with FTP server.



8-23

PrerequisiteAn IP address is configured for an interface on the CX device and functions as the source IPaddress of an FTP connection. In this manner, security checks can be implemented.


The interface configuration is possible, only if the system has a loopback interface.

Procedure



Step 2 Run:ftp client-source { -a ip-address }

The source IP address of the FTP client is configured.

or

ftp client-source { -i interface-type interface-number }

The loopback addresses of the FTP client is configured.

NOTE

Then, run the display ftp-client command on the CX device to view the current configuration of the FTP client.

----End

8.6.3 Connecting to Other Devices by Using FTP CommandsYou can run FTP commands to log in to other devices from the CX device that functions as theFTP client.

ContextYou can log in to the FTP server in the user view or the FTP view.

Do as follows on the CX device that serves as the client:

Procedure

Step 1 Run the following commands according to types of the server IP address.l If the IP address of the server is an IPv4 address, do as follows:

– In the user view, establish a connection to the FTP server.Run:ftp [ [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instace-name ]The CX device is connected to the FTP server.

– In the FTP view, establish a connection to the FTP server.

1. In the user view,Run:ftp




Issue 01 (2011-05-30)

The FTP view is displayed.2. Run:

open [-a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ vpn-instance vpn-instance-name ]

The CX device is connected to the FTP server.

NOTE

Before logging in to the FTP server, you can run the set net-manager vpn-instancecommand to configure a default VPN instance. After that, the default VPN instance is usedin the FTP operation.

l If the IP address of the server is an IPv6 address, do as follows:– In the user view, establish a connection to the FTP server.

Run:ftp ipv6 host [ port-number ]

The CX device is connected to the FTP server.– In the FTP view, establish a connection to the FTP server.

1. In the user view,Run:ftp

The FTP view is displayed.2. Run:

open ipv6 host-ipv6-address [ port-number ]

The CX device is connected to the FTP server.

----End

8.6.4 Operating Files by Using FTP CommandsAfter logging in to a FTP server, you can operate files by using FTP commands. File operationsinclude configuring a file transmission method, checking online help about FTP commands,uploading or downloading files, and managing directories and files.

ContextAfter logging in to the FTP server, you can perform the following operations:

l Configure a data type for transmission files and a file transmission method.l Check the online help about FTP commands in the FTP client view.l Upload local files to the remote FTP server, or download files from the FTP server and

save them locally.l Create directories on or delete directories from the FTP server.l Display information about a specified remote directory or a file of the FTP server, or delete

a specified file from the FTP server.

After logging in to the CX device that functions as a client and entering the FTP client view,you can perform the following steps:

Procedurel Configuring data type and transmission mode for the file.



8-25

– Run:ascii | binaryThe data type of the file to be transmitted is ascii or binary mode.

NOTE

FTP supports the ASCII type and the binary type. Their differences are as follows:

l In ASCII transmission mode, ASCII characters are used to separate carriage returned fromline feeds.

l In binary transmission mode, characters can be transferred without format conversion orformatting.

The selection of the FTP transmission mode is client-customized. The system defaults to theASCII transmission mode. The client can use a mode switch command to switch between theASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binarymode is used to transmit binary files.

– Run:passiveThe passive file transfer mode is configured.

– Run:verboseThe verbose mode for FTP is enabled.When verbose is enabled, all FTP responses are displayed. After file transmission, thestatistics about transmission efficiency will be displayed.

l Viewing online help of the FTP command.remotehelp [ command ]

The online help of the FTP command is displayed.l Upload or download files.

– Upload or download a file.– Run:

put local-filename [ remote-filename ]The local file is uploaded to the remote FTP server.

– Run:get remote-filename [ local-filename ]The FTP file is downloaded from the FTP server and saved to the local file.

– Upload or download multiple files.– Run the mput local-filenames command to upload multiple local files

synchronously to the remote FTP server.– Run the mget remote-filenames command to download multiple files from the FTP

server and save them locally.

NOTE

l When you are uploading or downloading files, and the prompt command is run in the FTP clientview to enable the file transmission prompt function, the system will prompt you to confirm theuploading or downloading operation.

l If the prompt command is run again in the FTP client view, the file transmission prompt functionwill be disabled.

l Run one or more commands in the following order to manage directories.– Run:




Issue 01 (2011-05-30)

cd pathnameThe working path of the remote FTP server is specified.

– Run:cdupThe working path of the FTP server is switched to the upper-level directory.

– Run:pwdThe specified directory of the FTP server is displayed.

– Run:lcd [ local-directory ]The directory of the FTP client is displayed or changed.

– Run:mkdir remote-directoryA directory is created on the FTP server.

– Run:rmdir remote-directoryA directory is removed from the FTP server.

NOTE

l The directory to be created can comprise letters and digits, but not special characters such as<, >, ?, \ and :.

l When running the mkdir /abc command, you create a sub-directory named "abc".

l Run one or more commands in the following to manage files.– Run:

ls [ remote-filename ] [ local-filename ]The specified directory or file on the remote FTP server is displayed.If the directory name is not specified when a specific remote file is selected, the systemsearches the working directory for the specific file.

– Run:dir [ remote-filename ] [ local-filename ]The specified directory or file on the local FTP server is displayed.If the directory name is not specified when a specific remote file is selected, the systemsearches the working directory for the specific file.

– Run:delete remote-filenameThe specified file on the FTP server is deleted.If the directory name is not specified when a specific remote file is selected, the systemsearches the working directory for the specific file.

When local-filename is set, related information about the file can be downloaded locally.

----End

8.6.5 Changing Login UsersAfter logging in to an FTP server, you can change the username on the client and re-log in tothe server with the new username.



8-27

ContextFrom the CX600 (an FTP client) that you have logged in to, you can log in to the FTP server byusing another username without logging out of the FTP client view. The established FTPconnection is identical with that established by running the ftp command.

Perform the following steps on the CX device that functions as a client:

Procedurel Run:

user user-name [ password ]

The user that have logged in to the FTP server is changed and the new user logs in to theserver.

When the username that is used to log in to the FTP server is changed, the originalconnection between the user and the FTP server is interrupted.

----End

8.6.6 Disconnecting from the FTP ServerYou can terminate the connection with the FTP server and return to the user view or FTP view.

ContextYou can select different commands to terminate the connection with the FTP server in the FTPclient view.

Do as follows on the CX device that serves as the client.

Procedurel Run the following commands according to different configurations.

– Run:byeOr,quitThe client CX device is disconnected from the FTP server.Return to the user view.

– Run:closeOr,disconnectThe client CX device is disconnected from the FTP server.Return to the FTP view.

----End

8.6.7 Checking the ConfigurationAfter the configurations of accessing other devices by using FTP are complete, you can viewthe source parameters configured on the FTP client.




Issue 01 (2011-05-30)

PrerequisiteThe configurations of accessing other devices by using FTP are complete.

Procedurel Run the display ftp-client command to view the source parameters of the FTP client.

----End

ExampleRun the display ftp-client command to view the source parameters of the FTP client.

<HUAWEI> display ftp-clientThe source address of FTP client is 1.1.1.1.

8.7 Accessing Files on Another Device by Using SFTPSFTP is a secure FTP service. After the CX device is configured as an SFTP client. The SFTPserver authenticates the client and encrypts data in both directions to provide secure datatransmission.

8.7.1 Establishing the Configuration TaskBefore establishing the configuration task of accessing files on another device by using SFTP,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.

8.7.2 (Optional) Configuring a Source IP Address for an SFTP ClientYou can configure a source IP address for an SFTP client. Then, you can set up an SFTPconnection from the SFTP client to the server through a specific route by using this source IPaddress.

8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-TimeAuthentication on the SSH Client)After the first-time authentication on the SSH client is enabled, the SFTP client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time.

8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Keyto the SSH Server)To configure the first successful login to another device on the SSH client, you need to allocatean RSA public key to the SSH server before the login.

8.7.5 Connecting to Other Devices by Using SFTPYou can log in to the SSH server from the SSH client through SFTP.

8.7.6 Operating Files by Using SFTP CommandsYou can manage directories and files on the SSH server from the SFTP client, and check thecommand help on the SFTP client.

8.7.7 Checking the ConfigurationAfter logging in to another device by using SFTP, you can view the source address of the SSHclient, the mappings between all SSH servers and the RSA public keys on the client, the globalconfigurations of the SSH servers, and the sessions between the SSH servers and the client.



8-29

8.7.1 Establishing the Configuration TaskBefore establishing the configuration task of accessing files on another device by using SFTP,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.


SFTP is short for SSH FTP that is a secure FTP protocol. SFTP is on the basis of SSH. It ensuresthat users can log in to a remote device securely for file management and transmission, andenhances the security in data transmission. In addition, you can log in to a remote SSH serverfrom the CX device that functions as an SFTP client.


Before establishing the configuration task of accessing files on another device by using SFTP,complete the following tasks:

l Configuring a reachable route between the client and SSH server

Data Preparation

To access files on another device by using SFTP, you need the following data:

No. Data

1 (Optional) Source address of the device that functions as the SFTP client

2 (Optional) Name of the SSH server

3 (Optional) Public key that is assigned by the client to the SSH server

4 IPv4 or IPv6 address or host name of the SSH server

5 Number of the port monitored by the SSH server,Preferred encrypted algorithm fromthe SFTP client to the SSH server,Preferred encrypted algorithm from the SSH serverto the SFTP client,Preferred HMAC algorithm from the SFTP client to the SSHserver,Preferred HMAC algorithm from the SSH server to the SFTP client,Preferredalgorithm of key exchange,Name of the outgoing interface,Source addressThe user information for logging in to the SSH server

6 Name and directory of a specified file on the SSH server

8.7.2 (Optional) Configuring a Source IP Address for an SFTP ClientYou can configure a source IP address for an SFTP client. Then, you can set up an SFTPconnection from the SFTP client to the server through a specific route by using this source IPaddress.




Issue 01 (2011-05-30)

Context

An IP address is configured for an interface on the CX device and functions as the source IPaddress of an FTP connection. In this manner, security checks can be implemented.


Do as follows on a CX device that functions as an SFTP client.

Procedure



Step 2 Run:sftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address is configured for an SFTP client.

----End

8.7.3 Configuring the First Successful Login to Another Device(Enabling the First-Time Authentication on the SSH Client)

After the first-time authentication on the SSH client is enabled, the SFTP client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time.

Context

If the first-time authentication on the SSH client is enabled, the SFTP client does not check thevalidity of the RSA public key when logging in to the SSH server for the first time. After thelogin, the system automatically allocates the RSA public key and saves it for authentication innext login.


Procedure



Step 2 Run:ssh client first-time enable

The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.



8-31

NOTE

l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validityof the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the firsttime. The check is skipped because the STelnet server has not saved the RSA public key of the SSHserver.

l If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to theSSH server for the first time, the STelnet client fails to pass the check on the RSA public key validityand cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSApublic key in advance to the SSH server on the SSH client in addition to enabling the first-timeauthentication on the SSH client.

----End

8.7.4 Configuring the First Successful Login to Another Device(Allocating an RSA Public Key to the SSH Server)

To configure the first successful login to another device on the SSH client, you need to allocatean RSA public key to the SSH server before the login.

Context

If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in tothe SSH server for the first time, the SFTP client fails to pass the check on the RSA public keyvalidity and cannot log in to the server.

Do as follows on the CX device functioning as an SSH client:

Procedure



Step 2 Run:rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:public-key-code begin

The public key editing view is displayed.

Step 4 Run:hex-data


The public key must be a string of hexadecimal alphanumeric characters. It is automaticallygenerated by an SSH client. You can run the display rsa local-key-pair public command toview a generated public key.




Issue 01 (2011-05-30)

NOTE

Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSHserver and must be configured on the SSH client. Then, the STelnet client client can successfully undergothe validity check on the RSA public key of the SSH server.

Step 5 Run:public-key-code end



l If the specified key-name is deleted in other views, the system prompts that the key does notexist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:peer-public-key end

Return to the system view from the public key view.

Step 7 Run:ssh client servername assign rsa-key keyname

The RSA public key is assigned to the SSH server.

NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servernameassign rsa-key command to cancel the association between the SSH client and the SSH server. Then, runthe ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSHserver.

----End

8.7.5 Connecting to Other Devices by Using SFTPYou can log in to the SSH server from the SSH client through SFTP.

ContextThe command of enabling the SFTP client is similar to that of the STelnet. When accessing theSSH server, the SFTP can carry the source address and the name of the VPN instance and choosethe key exchange algorithm, encrypted algorithm and HMAC algorithm, and configure thekeepalive function.

Do as follows on the CX device that serves as an SSH client.

Procedure



Step 2 According to the address type of the SSH server, select and perform one of the two configurationsbelow.l For IPv4 addresses,



8-33

Run:sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.l For IPv6 addresses,

Run:sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

----End

8.7.6 Operating Files by Using SFTP CommandsYou can manage directories and files on the SSH server from the SFTP client, and check thecommand help on the SFTP client.

ContextAfter logging in to the SSH server from the SFTP client, you can perform the followingoperations on the SFTP client:

l Create or delete a directory on the SSH server, and display the current working directory,the specified directory and information about the file in the specified directory.

l Change a file name, delete a file, display a file list, and upload or download a file.l Displaying the SFTP client command help.

After logging in to the CX device that functions as an SSH client and entering the SFTP clientview, you can perform the following steps:

Procedurel Managing the directory


– Run:cd [ remote-directory ]

The current operating directory of users is changed.– Run:

cdup

The operating directory of users is switched to the upper-level directory.– Run:

pwd

The current operating directory of users is displayed.




Issue 01 (2011-05-30)

– Run:dir / ls [ remote-directory ]The file list in the specified directory is displayed.

– Run:rmdir remote-directory & <1-10>

– The directory on the server is deleted.– Run:

mkdir remote-directoryA directory is created on the server.

l Managing the file


– Run:rename old-name new-nameThe name of the specified file on the server is changed.

– Run:get remote-filename [local-filename]The file on the remote server is downloaded.

– Run:put local-filename [remote-filename]The local file is uploaded to the remote server.

– Run:remove remote-filenameThe file on the server is removed.

l Displaying the SFTP client command helphelp [all | command-name ]

The SFTP client command help is displayed.

----End

8.7.7 Checking the ConfigurationAfter logging in to another device by using SFTP, you can view the source address of the SSHclient, the mappings between all SSH servers and the RSA public keys on the client, the globalconfigurations of the SSH servers, and the sessions between the SSH servers and the client.

PrerequisiteThe configuration of accessing files on another device by using SFTP is complete.

Procedurel Run the display sftp-client command to check the source IP address of the SFTP client on

the SSH client.l Run the display ssh server-info command to check the mapping between the SSH server

and the RSA public key on the SSH client.

----End



8-35

ExampleRun the display sftp-client command on the client to view the source parameters of the devicefunctioning as an SFTP client.

<HUAWEI> display sftp-clientThe source address of SFTP client is 1.1.1.1

Run the display ssh server-info command to view the mappings between all servers and theRSA public keys on the SSH client.

<HUAWEI> display ssh server-infoServer Name(IP) Server public key name________________________________________________________________________ 1000::1 1000::1 10.164.39.223 10.164.39.223 11.11.11.23 11.11.11.23 10.164.39.204 10.164.39.204 10.164.39.222 10.164.39.222

8.8 Configuration ExamplesThis section describes examples for access another device. The examples explain networkingrequirements, configuration notes, and configuration roadmap.

8.8.1 Example for Logging in to Another Device by Using TelnetThis section provides an example for logging in to another device by using Telnet.In thisexample, the authentication mode and password are configured for users to log in through Telnet.

8.8.2 Example for Logging in to Another Device by Using the Telnet Redirection FunctionThis section describes an example for logging in to another device on the network by using theTelnet redirection function. This allows users to manage the device remotely.

8.8.3 Example for Logging in to Another Device by Using Telnet on a VPNThis section provides an example for logging in to another device by using Telnet on a VPN.Inthis example, the authentication mode and password are configured for users on a VPN so as tolog in to the CX device through Telnet.

8.8.4 Example for Configuring the Device as the STelnet Client to Connect to the SSH ServerThis section provides an example for logging in to another device by using STelnet.In thisexample, the local key pairs are generated on the STelnet client and the SSH server; the publicRSA key is generated on the SSH server and then bound to the STelnet client. In this manner,the STelnet client can connect to the SSH server.

8.8.5 Example for Accessing Files on Another Device by Using TFTPIn this example, the TFTP application is run on the TFTP server and the location of the sourcefile on the server is set. After that, you can upload and download files.

8.8.6 Example for Configuring the Access of the TFTP Server on the Public Network When theManagement VPN Instance Is UsedThis part provides an example for configuring the access of the TFTP server on the publicnetwork when the management VPN instance is used. In this example, after logging in to theCX device that is configured with the management VPN instance, you can download files fromthe TFTP server on the public network.

8.8.7 Example for Accessing Files on Another Device by Using FTP




Issue 01 (2011-05-30)

This section provides an example for accessing files on another device by using FTP. In thisexample, a user logs in to the FTP server from the CX device to download system software andconfiguration software from the FTP server.8.8.8 Example for Configuring the Access of the FTP Server on the Public Network When theManagement VPN Instance Is UsedThis part provides an example for configuring the access of the FTP server on the public networkwhen the management VPN instance is used. In this example, after logging in to the CXdevice that is configured with the management VPN instance, you can download files from theFTP server on the public network.8.8.9 Example for Accessing Files on Another Device by Using SFTPIn this example, the local key pairs are generated on the SFTP client and the SSH serverrespectively; the public RSA key is generated on the SSH server and bind the RSA public keyto the SFTP client. In this manner, the SFTP client can connect to the SSH server.8.8.10 Example for Configuring the Access of the SFTP Server on the Public Network Whenthe Management VPN Instance Is UsedThis part provides an example for configuring the access of the SFTP server on the publicnetwork when the management VPN instance is used. In this example, after generating the localkey pair on the SFTP client and SSH server, generating the RSA public key on the SSH server,and binding the RSA public key to the client, you can connect the SFTP client to the SFTP serveron the public network when using the management VPN instance.8.8.11 Example for Accessing the SSH Server Through Other Port NumbersThis section provides an example for accessing the SSH server through other port numbers.Inthis example, the monitoring port number of the SSH server is set to a port number other thanthe standard monitoring port number so that only valid users can set up connections with theSSH server.8.8.12 Example for an SSH Client in the Public Network to Access an SSH Server in the PrivateNetworkIn this example, SSH attributes of users on the public network are configured so as to access theSSH server on the private network through STelnet or SFTP.

8.8.1 Example for Logging in to Another Device by Using TelnetThis section provides an example for logging in to another device by using Telnet.In thisexample, the authentication mode and password are configured for users to log in through Telnet.

Networking RequirementsAs shown in Figure 8-7, users can telnet CX- A but cannot telnet CX- B. The route betweenCX- A and CX- B is reachable. In this case, users can telnet CX- B from CX- A to remotelyconfigure and manage CX- B.

Figure 8-7 Networking diagram for logging in to another device by using Telnet

Network Network

PC CX-A CX-B

Session Session

GE1/0/12.1.1.1/24

GE1/0/11.1.1.1/24



8-37


1. On CX- B, configure the authentication mode and password for users on CX- A to log into CX- B..

2. Configure a Telnet server port number on CX- B to ensure that users log in through thisport only.


l Host address of CX- B is 2.1.1.1l Password hello for users' loginl Telnet server port number is 1028

Procedure

Step 1 Configure the authentication mode and password for Telnet services on CX- B.<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] user-interface vty 0 4[CX-B-ui-vty0-4] authentication-mode password[CX-B-ui-vty0-4] set authentication password simple hello[CX-B-ui-vty0-4] quit

To configure an ACL for Telnetting another device, run the following commands on CX- B.

[CX-B] acl 2000[CX-B-acl-basic-2000] rule permit source 1.1.1.1 0[CX-B-acl-basic-2000] quit[CX-B] user-interface vty 0 4[CX-B-ui-vty0-4] acl 2000 inbound[CX-B-ui-vty0-4] quit

NOTE

It is optional to configure an ACL for Telnet services.

Step 2 Log in to CX- B from CX- A through Telnet.<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] quit<CX-A> telnet 2.1.1.1Trying 2.1.1.1 ...Press CTRL+K to abortConnected to 2.1.1.1 ...Login authenticationPassword:Info: The max number of VTY users is 10, and the number of current VTY users on line is 1. The current login time is 2010-02-22 14:31:01.<CX-B>

Step 3 Configure a Telnet server port number on CX- B.<CX-B> system-view[CX-B] telnet server port 1028Warning: This operation will cause all the online Telnet users to be offline. Continue?[Y/N]: y




Issue 01 (2011-05-30)

Info: Succeeded in changing the listening port of telnet server.

Step 4 Use the port number 1028 to log in to CX- B from CX- A through Telnet.<CX-A> telnet 2.1.1.1 1028Trying 2.1.1.1 ...Press CTRL+K to abortConnected to 2.1.1.1 ...Login authenticationPassword:Info: The max number of VTY users is 10, and the number of current VTY users on line is 1. The current login time is 2010-02-22 14:33:48.<CX-B>

----End

Configuration Filesl Configuration file of CX- A

# sysname CX-A#interface GigabitEthernet1/0/1 undo shutdown ip address 1.1.1.1 255.255.255.0#return

l Configuration file of CX- B# sysname CX-B#acl number 2000 rule 5 permit source 1.1.1.1 0#interface GigabitEthernet1/0/1 undo shutdown ip address 2.1.1.1 255.255.255.0#user-interface con 0user-interface vty 0 4 acl 2000 inbound set authentication password simple hello#return

8.8.2 Example for Logging in to Another Device by Using the TelnetRedirection Function

This section describes an example for logging in to another device on the network by using theTelnet redirection function. This allows users to manage the device remotely.


As shown in Figure 8-8, there is a reachable route between the PC and CX- A, and CX- A isnot connected with CX- B on the IP network. To manage CX- B remotely, you can enable theTelnet redirection function on CX- A, and connect the asynchronous serial interface of CX- Ato the serial interface of CX- B. Then, you can log in toCX- B remotely from the terminal PCby using the specified port number of CX- A to manage CX- B.



8-39

Figure 8-8 Networking of logging in to another device by using the Telnet redirection function

NetworkConsole

PC CX-A CX-B

Aux

Session

GE1/0/110.1.1.1/24


1. Use the AUX interface of CX- A to connect withCX- B.2. Enable the Telnet redirection function on CX- A.


l IP address of CX- A: 10.1.1.1

Procedure

Step 1 Open the AUX interface of CX- A.<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] interface Aux 0/0/1[CX-A-Aux0/0/1] undo shutdown[CX-A-Aux0/0/1] quit

Step 2 Enable the redirection function on CX- A.[CX-A] user-interface aux 0[CX-A-ui-aux0] undo shell[CX-A-ui-aux0] redirect

Step 3 View the port number.<CX-A> display tcp statusTCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State37b26538 6 /1 0.0.0.0:21 0.0.0.0:0 23553 Listening37b20808 135/4 0.0.0.0:22 0.0.0.0:0 23553 Listening15b8a270 135/1 0.0.0.0:23 0.0.0.0:0 23553 Listening32fa2744 135/15 0.0.0.0:2033 0.0.0.0:0 23553 Listening32facdac 135/17 0.0.0.0:4033 0.0.0.0:0 23553 Listening32f9e4b4 88 /1 0.0.0.0:6000 0.0.0.0:0 23553 Listening2ff6bbcc 135/9 10.137.217.226:23 10.138.77.21:2993 0 Established

Step 4 Verify the configuration.Run the telnet 10.1.1.1 2033(or 4033) command on the PC to log in to CX- B.

----End





Issue 01 (2011-05-30)

# sysname CX-A#interface Aux0/0/1 undo shutdown#interface GigabitEthernet1/0/1 undo shutdown ip address 10.1.1.1 255.255.255.0#user-interface con 0user-interface aux 0 undo shell redirect#return

8.8.3 Example for Logging in to Another Device by Using Telnet ona VPN

This section provides an example for logging in to another device by using Telnet on a VPN.Inthis example, the authentication mode and password are configured for users on a VPN so as tolog in to the CX device through Telnet.

Networking RequirementsAs shown in Figure 8-9, CX- A and CX- B can ping through each other. Users can log in toCX- A from CX- B through Telnet.

Figure 8-9 Networking diagram for logging in to another device by using Telnet on a VPN

CX-A CX-B

GE1/0/01.1.1.1 24

GE1/0/01.1.1.2 24

VPN ttIP Network


1. Configure a VPN on CX- B.2. Configure the authentication mode and the password of the user interface VTY0 to VTY4

on CX- B.3. Set the user to enter the password to log in to CX- B from CX- A in Telnet mode.


l Host IP address of CX- Bl Authentication mode and password



8-41

l VPN instance

Procedure

Step 1 Configure the VPN instance and IP address.

# Configure CX- A.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] interface gigabitethernet1/0/0[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] ip address 1.1.1.1 24

# Configure CX- B.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] ip vpn-instance tt[CX-B-vpn-instance-tt] route-distinguisher 1000:1[CX-B-vpn-instance-tt] quit[CX-B] interface gigabitethernet1/0/0[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] ip binding vpn-instance tt[CX-B-GigabitEthernet1/0/0] ip address 1.1.1.2 24[CX-B-GigabitEthernet1/0/0] quit[CX-B] quit

Step 2 Configure the Telnet authentication mode and password on CX- B.<CX-B> system-view[CX-B] user-interface vty 0 4[CX-B-ui-vty0-4] authentication-mode password[CX-B-ui-vty0-4] set authentication password simple hello[CX-B-ui-vty0-4] quit

To configure Telnet terminal services based on the ACL, do as follows on CX- B.

[CX-B] acl 2000[CX-B-acl-basic-2000] rule permit vpn-instance tt source 1.1.1.1 0[CX-B-acl-basic-2000] quit[CX-B] user-interface vty 0 4[CX-B-ui-vty0-4] acl 2000 inbound

NOTE

Configuring Telnet terminal services based on the ACL is optional.


After the configuration is complete, you can log in to CX- B from CX- A through Telnet.

<CX-A> telnet 1.1.1.2Trying 1.1.1.2 ...Press CTRL+K to abortConnected to 1.1.1.2 ...Login authenticationPassword:Note: The max number of VTY users is 10, and the current numberof VTY users on line is 1.<CX-B>

----End


#




Issue 01 (2011-05-30)

sysname CX-A#interface GigabitEthernet1/0/0 undo shutdown ip address 1.1.1.1 255.255.255.0#return

l Configuration file of CX- B# sysname CX-B#ip vpn-instance tt route-distinguisher 1000:1#acl number 2000 rule 5 permit vpn-instance tt source 1.1.1.1 0#interface GigabitEthernet1/0/0 undo shutdown ip binding vpn-instance tt ip address 1.1.1.2 255.255.255.0#user-interface con 0user-interface vty 0 4 acl 2000 inbound set authentication password simple hello#return

8.8.4 Example for Configuring the Device as the STelnet Client toConnect to the SSH Server

This section provides an example for logging in to another device by using STelnet.In thisexample, the local key pairs are generated on the STelnet client and the SSH server; the publicRSA key is generated on the SSH server and then bound to the STelnet client. In this manner,the STelnet client can connect to the SSH server.

Networking RequirementsAs shown in Figure 8-10, after the STelnet service is enabled on the SSH server, the STelnetclient can log in to the SSH server with the password, RSA, password-rsa, or all authenticationmode. In this example, the Huawei CX device functions as an SSH server.

Two users client001 and client002 are configured to log in to the SSH server in the authenticationmode of password and RSA respectively.

Figure 8-10 Networking diagram for logging in to another device by Using STelnet

Client 002

GE1/0/110.10.3.3/16

SSH ServerGE1/0/110.10.1.1/16

Client 001

GE1/0/110.10.2.2/16



8-43


1. Configure Client001 and Client002 to log in to the SSH server in different authenticationmodes.

2. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bindthe client client002 to an RSA key to authenticate the client when the client attempts to login to the server.

3. Enable STelnet service on the SSH server.4. Set the service type of Client001 and Client002 to STelnet.5. Enable first-time authentication on the SSH client.6. Users Client001 and Client002 log in to the SSH server through STelnet.


l Client001 with the password as huawei and adopt the password authentication.l Client002, adopt the RSA authentication and assign the public key RsaKey001 to

Client002.l IP address of the SSH server is 10.10.1.1.

Procedure

Step 1 Generate a local key pair on the server.<HUAWEI> system-view[HUAWEI] sysname SSH Server[SSH Server] rsa local-key-pair createThe key name will be: SSH Server_HostThe range of public key size is (512 ~ 2048).NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]: 768Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++

Step 2 Create an SSH user on the server.NOTE

The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.l When the SSH adopts the password or password-rsa authentication mode, configure a local user with

the same name.l When the SSH user adopts the RSA, password-rsa, or all authentication modes, the server should save

the RSA public key for the SSH client.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4[SSH Server-ui-vty0-4] authentication-mode aaa[SSH Server-ui-vty0-4] protocol inbound ssh[SSH Server-ui-vty0-4] quit




Issue 01 (2011-05-30)

l Create SSH user Client001.# Configure the password authentication for the SSH user Client001.[SSH Server] ssh user client001[SSH Server] ssh user client001 authentication-type password# Configure the password of the SSH user Client001 to huawei.[SSH Server] aaa[SSH Server-aaa] local-user client001 password cipher huawei[SSH Server-aaa] local-user client001 service-type ssh[SSH Server-aaa] quit

l Create SSH user Client002.# Configure the RSA authentication for the SSH user Client002.[SSH Server] ssh user client002[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key on the server.

# Generate a local key pair on the client.

<HUAWEI> system-view[HUAWEI] sysname client002[client002] rsa local-key-pair create

# View the RSA public key generated on the client.

[client002] display rsa local-key-pair public=====================================================Time of Key pair created: 16:38:51 2007/5/25Key name: client002_HostKey type: RSA encryption Key=====================================================Key code:3047 0240 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B 0203 010001Host public key for PEM format code:---- BEGIN SSH2 PUBLIC KEY ----AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b---- END SSH2 PUBLIC KEY ----Public key code for pasting into OpenSSH authorized_keys file :ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key=====================================================Time of Key pair created: 16:38:51 2007/5/25Key name: client002_ServerKey type: RSA encryption Key=====================================================Key code:3067 0260 BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74 9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27 1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E BC89D3DB 5A83698C 9063DB39 A279DD89 0203 010001[client002]

# Send the RSA public key generated on the client software to the server.



8-45

[SSH Server]rsa peer-public-key RsaKey001Enter "RSA public key" view, return system view with "peer-public-key end".[SSH Server-rsa-public-key]public-key-code beginEnter "RSA key code" view, return last view with "public-key-code end".[SSH Server-rsa-key-code]3047[SSH Server-rsa-key-code]0240[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43[SSH Server-rsa-key-code] 1D7E3E1B[SSH Server-rsa-key-code]0203[SSH Server-rsa-key-code]010001[SSH Server-rsa-key-code]public-key-code end[SSH Server-rsa-public-key]peer-public-key end

Step 4 Bind the SSH user Client002 to the RSA public key of the SSH client.[SSH Server] ssh user client002 assign rsa-key RsaKey001

Step 5 Enable the STelnet service on the SSH server.

# Enable the STelnet service.

[SSH Server] stelnet server enable

Step 6 Configure the STelnet service for the SSH users Client001 and Client002.[SSH Server] ssh user client001 service-type stelnet[SSH Server] ssh user client002 service-type stelnet

Step 7 Connect the STelnet client to the SSH server.

# For the first login, you need to enable the first authentication on SSH client.

Enabling the first authentication on Client001.

<HUAWEI> system-view[HUAWEI] sysname client001[client001] ssh client first-time enable



# Client001 of the STelnet connects to SSH server with the password authentication mode . Enterthe user name and password.

<client001> system-view[client001] stelnet 10.10.1.1Please input the username:client001Trying 10.10.1.1 ...Press CTRL+K to abortConnected to 10.10.1.1 ...The server is not authenticated. Continue to access it?(Y/N):ySave the server's public key?(Y/N):yThe server's public key will be saved with the name 10.10.1.1. Please wait...Enter password:

Enter the password huawei. It shows that the login is successful, as follows:

Info: The max number of VTY users is 20, and the number of current VTY users on line is 6. The current login time is 2010-09-06 11:42:42.<SSH Server>

# Connect the STelnet client Client002 to the SSH server with the RSA authentication mode.

<client002> system-view




Issue 01 (2011-05-30)

[client002] stelnet 10.10.1.1Please input the username: client002Trying 10.10.1.1 ...Press CTRL+K to abortConnected to 10.10.1.1 ... The server is not authenticated. Continue to access it?(Y/N):ySave the server's public key?(Y/N):yThe server's public key will be saved with the name 10.10.1.1. Please wait... Info: The max number of VTY users is 20, and the number of current VTY users on line is 6. The current login time is 2010-09-06 11:42:42.<SSH Server>


After the configuration, run the display ssh server status and display ssh server sessioncommands. You can view that the STelnet service is enabled and the STelnet client is connectedto the SSH server successfully.

# Display the SSH status.

[SSH Server] display ssh server status SSH version : 1.99 SSH connection timeout : 60 seconds SSH server key generating interval : 0 hours SSH Authentication retries : 3 times SFTP server : Disable Stelnet server : Enable

# Display the connection of the SSH server.

[SSH Server] display ssh server sessionSession 1: Conn : VTY 3 Version : 2.0 State : started Username : client001 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : stelnet Authentication Type : password Session 2: Conn : VTY 4 Version : 2.0 State : started Username : client002 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : stelnet Authentication Type : rsa

# Display the information about the SSH user.

[SSH Server] display ssh user-informationUser 1: User Name : client001 Authentication-type : password User-public-key-name : - Sftp-directory : - Service-type : stelnet Authorization-cmd : No



8-47

User 2: User Name : client002 Authentication-type : rsa User-public-key-name : RsaKey001 Sftp-directory : - Service-type : stelnet Authorization-cmd : No

----End


# sysname SSH Server# rsa peer-public-key rsakey001 public-key-code begin 3047 0240BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B 0203 010001 public-key-code end peer-public-key end#aaa local-user client001 password cipher huawei local-user client001 service-type ssh#interface GigabitEthernet1/0/1 undo shutdown ip address 10.10.1.1 255.255.0.0# stelnet server enable ssh user client001 ssh user client002 ssh user client001 authentication-type password ssh user client002 authentication-type rsa ssh user client002 assign rsa-key RsaKey001 ssh user client001 service-type stelnet ssh user client002 service-type stelnet#user-interface vty 0 4 authentication-mode aaa protocol inbound ssh#return

l Configuration file of Client001 on SSH client# sysname client001#interface GigabitEthernet1/0/1 ip address 10.10.2.2 255.255.0.0#ssh client first-time enable#return

l Configuration file of Client002 on SSH client# sysname client002#interface GigabitEthernet1/0/1 ip address 10.10.3.3 255.255.0.0#




Issue 01 (2011-05-30)

ssh client first-time enable#return

8.8.5 Example for Accessing Files on Another Device by Using TFTPIn this example, the TFTP application is run on the TFTP server and the location of the sourcefile on the server is set. After that, you can upload and download files.

Networking RequirementsAs shown in Figure 8-11, the IP address of the TFTP server is 10.111.16.160/24.

Log in to the CX device from the HyperTerminal and then download the fileV600R003C00.cc from the TFTP server.

Figure 8-11 Networking diagram for accessing files on another device by using TFTP

TFTP Client TFTP ServerPC

10.111.16.160/24


1. Run the TFTP application on the TFTP server, and set the location of the file on the server.2. Use the TFTP command on the CX device to download the file.3. Use the TFTP command on the CX device to upload the file.


l The TFTP application installed on the TFTP serverl The path of the file on the TFTP serverl The destination file name and its path on the CX device

Procedure

Step 1 Start the TFTP server, and set its Current Directory as the directory where theV600R003C00.cc file resides. Figure 8-12 shows the interface.



8-49

Figure 8-12 Setting the Base Directory of the TFTP server

NOTE

The display may be different depending on different TFTP server applications run in the computer.

Step 2 Log in to the CX device from the computer HyperTerminal and enter the following commandto download the file.<HUAWEI>tftp 10.111.16.160 get V600R003C00.cc cfcard:/V600R003C00.cc Info: Transfer file in binary mode. Downloading the file from the remote TFTP server. Please wait...| TFTP: Downloading the file successfully. 15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directoryon the CX device.<HUAWEI> dir cfcard:Directory of cfcard:/ Idx Attr Size(Byte) Date Time FileName 1 -rw- 40 Jun 24 2006 09:30:40 private-data.txt 2 -rw- 396 May 19 2006 15:00:10 rsahostkey.dat 3 -rw- 540 May 19 2006 15:00:10 rsaserverkey.dat 4 -rw- 2718 Jun 21 2006 17:46:46 1.cfg 5 -rw- 14343 May 19 2006 15:00:10 paf.txt 6 -rw- 1004 Feb 05 2001 09:51:22 vrp1.zip 7 -rw- 6247 May 19 2006 15:00:10 license.txt 8 -rw- 14343 May 16 2006 14:13:42 paf.txt.bak 9 -rw- 86235884 Feb 05 2001 10:23:46 V600R003C00.cc

Step 4 Log in to the CX device from the computer HyperTerminal and enter the following commandto upload the file.<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip Info: Transfer file in binary mode. Uploading the file to the remote TFTP server. Please wait.../ TFTP: Uploading the file successfully. 1217 bytes send in 1 second.

----End




Issue 01 (2011-05-30)

8.8.6 Example for Configuring the Access of the TFTP Server on thePublic Network When the Management VPN Instance Is Used

This part provides an example for configuring the access of the TFTP server on the publicnetwork when the management VPN instance is used. In this example, after logging in to theCX device that is configured with the management VPN instance, you can download files fromthe TFTP server on the public network.


As shown in Figure 8-13, a management VPN instance is configured on the CX device. Usersuse the VPN instance to access the FTP server from the CX device. To enable the client to accessthe TFTP server on the public network, you need to connect the CX device to the TFTP serveron the public network.

Log in to the CX device from the HyperTerminal and then download the fileV600R003C00.cc from the TFTP server.

Figure 8-13 Networking diagram of configuring the access of the TFTP server on the publicnetwork when the management VPN instance is used

PC TFTP Client

TFTP Server10.111.16.160/24Network



1. Run the TFTP application on the TFTP server, and set the location of the file on the server.

2. Use the TFTP command on the CX device to download the file.

3. Use the TFTP command on the CX device to upload the file.

Data Preparation


l The TFTP application installed on the TFTP server

l The path of the file on the TFTP server

l The destination file name and its path on the CX device

Procedure

Step 1 Start the TFTP server, and set its Current Directory as the directory where theV600R003C00.cc file resides. Figure 8-14 shows the interface.



8-51

Figure 8-14 Setting the Base Directory of the TFTP server

NOTE

The display may be different depending on different TFTP server applications run in the computer.

Step 2 Log in to the CX device from the computer HyperTerminal and enter the following commandto download the file.<HUAWEI>tftp 10.111.16.160 public-net get V600R003C00.cc cfcard:/V600R003C00.cc Info: Transfer file in binary mode. Downloading the file from the remote TFTP server. Please wait...| TFTP: Downloading the file successfully. 15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directoryon the CX device.<HUAWEI> dir cfcard:Directory of cfcard:/ Idx Attr Size(Byte) Date Time FileName 1 -rw- 40 Jun 24 2006 09:30:40 private-data.txt 2 -rw- 396 May 19 2006 15:00:10 rsahostkey.dat 3 -rw- 540 May 19 2006 15:00:10 rsaserverkey.dat 4 -rw- 2718 Jun 21 2006 17:46:46 1.cfg 5 -rw- 14343 May 19 2006 15:00:10 paf.txt 6 -rw- 1004 Feb 05 2001 09:51:22 vrp1.zip 7 -rw- 6247 May 19 2006 15:00:10 license.txt 8 -rw- 14343 May 16 2006 14:13:42 paf.txt.bak 9 -rw- 86235884 Feb 05 2001 10:23:46 V600R003C00.cc

Step 4 Log in to the CX device from the computer HyperTerminal and enter the following commandto upload the file.<HUAWEI> tftp 10.111.16.160 public-net put cfcard:/vrpcfg.zip Info: Transfer file in binary mode. Uploading the file to the remote TFTP server. Please wait.../ TFTP: Uploading the file successfully. 1217 bytes send in 1 second.

----End




Issue 01 (2011-05-30)


8.8.7 Example for Accessing Files on Another Device by Using FTPThis section provides an example for accessing files on another device by using FTP. In thisexample, a user logs in to the FTP server from the CX device to download system software andconfiguration software from the FTP server.

Networking RequirementsAs shown in Figure 8-15, the route between CX- A that functions as the FTP client and the FTPserver is reachable. A user needs to download system software and configuration software fromthe FTP server. The Huawei CX device functions as an FTP server.

Figure 8-15 Networking diagram for accessing files on another device by using FTP

GE1/0/11.1.1.1/24

GE1/0/12.1.1.1/24

FTP ServerCX-A

Network


1. Configure the user name and password for an FTP user to log in to the FTP server.2. Enable the FTP server on the CX device.3. Run certain login commands to log in to the FTP server.4. Configure the file transmission mode and directories for the client before downloading

required files from the FTP server.


l User name huawei and password 123 for a user's loginl IP address of the FTP server, that is, 1.1.1.1l Target file and its location on CX- A

Procedure

Step 1 Configure an FTP user on the FTP server.<HUAWEI> system-view[HUAWEI] aaa[HUAWEI-aaa] local-user huawei password simple 123[HUAWEI-aaa] local-user huawei service-type ftp[HUAWEI-aaa] local-user huawei ftp-directory cfcard:



8-53

[HUAWEI-aaa] quit

Step 2 Enable the FTP server.[HUAWEI] ftp server enable

Step 3 Log in to the FTP server from CX- A.<HUAWEI> ftp 1.1.1.1Trying 1.1.1.1 ...Press CTRL+K to abortConnected to 1.1.1.1.220 FTP service ready.User(1.1.1.1:(none)):huawei331 Password required for huawei.Enter password:230 User logged in. [ftp]

Step 4 On CX- A, configure the binary format as the file transfer mode and flash:/ as the workingdirectory.[ftp] binary200 Type set to I.[ftp] lcd cfcard:/Info: Local directory now cfcard:.

Step 5 On CX- A, download the latest system software from the remote FTP server.[ftp] get V600R003C00.cc200 Port command okay.150 Opening ASCII mode data connection for V600R003C00.cc.226 Transfer complete.FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.[ftp] quit

You can run the dir command to check whether the required file is downloaded to the client.

----End

Configuration Filesl Configuration file on the FTP server

# FTP server enable#aaa local-user huawei password simple 123 local-user huawei service-type ftp local-user huawei ftp-directory cfcard:#interface GigabitEthernet1/0/1 undo shutdown ip address 1.1.1.1 255.255.255.0 Return

l Configuration file on the FTP client#interface GigabitEthernet1/0/1 undo shutdown ip address 2.1.1.1 255.255.255.0 Return

8.8.8 Example for Configuring the Access of the FTP Server on thePublic Network When the Management VPN Instance Is Used

This part provides an example for configuring the access of the FTP server on the public networkwhen the management VPN instance is used. In this example, after logging in to the CX




Issue 01 (2011-05-30)

device that is configured with the management VPN instance, you can download files from theFTP server on the public network.

Networking RequirementsAs shown in Figure 8-16, a management VPN instance is configured on CX- A. Users use theVPN instance to access the FTP server. To enable CX- A to access the FTP server on the publicnetwork, you need to connect the CX device to the FTP server on the public network.

The route between CX device that functions as the FTP client and the FTP server is reachable.A user needs to download system software and configuration software from the FTP server onthe public network.

Figure 8-16 Networking diagram of configuring the access of the FTP server on the publicnetwork when the management VPN instance is used

GE1/0/11.1.1.1/24

GE1/0/12.1.1.1/24

FTP ServerCX-A

Network

Configuration Roadmap1. Log in to the FTP server from the FTP client on the Public Network.2. Download the system files form the server to the storage devices on the client side.


l IP address of the FTP server is 1.1.1.1l User name huawei and password huaweil The destination file name and its position in the CX device

Procedure

Step 1 Log in to the FTP server from the CX device.<HUAWEI> ftp 1.1.1.1 public-netTrying 1.1.1.1Press CTRL+K to abortConnected to 1.1.1.1220 FTP service ready.User(ftp 1.1.1.1:(none)):huawei331 Password required for huaweiPassword:230 User logged in.

Step 2 Configure the transmission mode to the binary format and configure the directory of the cfcardmemory on the CX device..

[ftp] binary200 Type set to I.



8-55

[ftp] lcd cfcard:/Info: Local directory now cfcard:.

Step 3 Download the newest system software from the remote FTP server on the CX device.[ftp] get V600R003C00.cc200 Port command okay.150 Opening ASCII mode data connection for V600R003C00.cc.226 Transfer complete.FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.[ftp] quit

----End

Configuration Files

None.

8.8.9 Example for Accessing Files on Another Device by Using SFTPIn this example, the local key pairs are generated on the SFTP client and the SSH serverrespectively; the public RSA key is generated on the SSH server and bind the RSA public keyto the SFTP client. In this manner, the SFTP client can connect to the SSH server.


As shown in Figure 8-17, after the SFTP service is enabled on the SSH server, the SFTP Clientcan log in to the SSH server with the password, RSA, password-rsa, or all authentication. In thisexample, the Huawei CX device functions as an SSH server.

Two users client001 and client002 are configured to log in to the SSH server in the authenticationmode of password and RSA respectively.

Figure 8-17 Networking diagram for accessing files on another device by using SFTP

Client 002

GE1/0/110.10.3.3/16

SSH ServerGE1/0/110.10.1.1/16

Client 001

GE1/0/110.10.2.2/16



1. Configure Client001 and Client002 to log in to the SSH server in different authenticationmodes.




Issue 01 (2011-05-30)


3. Enable the SFTP service on the SSH server.4. Configure the service mode and authorization directory for the SSH user.5. Client001 and Client002 log in to the SSH server by using SFTP to access files on the

server.




Procedure

Step 1 Generate a local key pair on the server.<HUAWEI> system-view [HUAWEI] sysname SSH Server[SSH Server] rsa local-key-pair createThe key name will be: SSH Server_HostThe range of public key size is (512 ~ 2048).NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]: 768Generating keys............++++++++......................++++++++......................+++++++++.....+++++++++

Step 2 Create an SSH user on the server.

NOTE

The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.

l When the SSH adopts the password or password-rsa authentication, configure a local user with thesame name.

l When the SSH user adopts the RSA, password-rsa, or all authentication, the server should save theRSA public key for the SSH client.

# Configure the VTY user Interface.


l Create Client001 for the SSH user.# Create an SSH user with the name Client001. The authentication mode is password.[SSH Server] ssh user client001[SSH Server] ssh user client001 authentication-type password

# Set huawei as the password for the Client001 of the SSH user.[SSH Server] aaa[SSH Server-aaa] local-user client001 password simple huawei



8-57

[SSH Server-aaa] local-user client001 service-type ssh[SSH Server-aaa] quit

l Create Client002 for the SSH user.# Create an SSH user with user name Client002 and RSA authentication.[SSH Server] ssh user client002[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key of the server.




[client002] display rsa local-key-pair public=====================================================Time of Key pair created: 16:38:51 2007/5/25Key name: client002_HostKey type: RSA encryption Key=====================================================Key code:3047 0240 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B 0203 010001Host public key for PEM format code:---- BEGIN SSH2 PUBLIC KEY ----AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b---- END SSH2 PUBLIC KEY ----Public key code for pasting into OpenSSH authorized_keys file :ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key=====================================================Time of Key pair created: 16:38:51 2007/5/25Key name: client002_ServerKey type: RSA encryption Key=====================================================Key code:3067 0260 BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74 9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27 1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E BC89D3DB 5A83698C 9063DB39 A279DD89 0203 010001[client]

# Send the RSA public key generated on the client to the server.

[SSH Server] rsa peer-public-key RsaKey001Enter "RSA public key" view, return system view with "peer-public-key end".[SSH Server-rsa-public-key] public-key-code beginEnter "RSA key code" view, return last view with "public-key-code end".[SSH Server-rsa-key-code] 3047[SSH Server-rsa-key-code] 0240[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43




Issue 01 (2011-05-30)

[SSH Server-rsa-key-code] 1D7E3E1B[SSH Server-rsa-key-code] 0203[SSH Server-rsa-key-code] 010001[SSH Server-rsa-key-code] public-key-code end[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind the RSA public key of SSH client to Client002 of the SSH user.[SSH Server] ssh user client002 assign rsa-key RsaKey001



[SSH Server] sftp server enable

Step 6 Configure the service type and authorized directory of the SSH user.

Two SSH users are configured on the SSH server, namely, Client001 and Client002. Thepassword authentication mode is configured for Client001 and the RSA authentication mode isconfigured for Client002.

[SSH Server] ssh user client001 service-type sftp[SSH Server] ssh user client001 sftp-directory cfcard:[SSH Server] ssh user client002 service-type sftp[SSH Server] ssh user client002 sftp-directory cfcard:


# For the first login, you need to enable the first authentication on the SSH client.





# Connect the STelnet client Client001 to the SSH server with the password authentication mode.

<client001> system-view[client001] sftp 10.10.1.1Please input the username:client001Trying 10.10.1.1 ...Press CTRL+K to abortThe server is not authenticated. Continue to access it? [Y/N] :y Save the server's public key? [Y/N] : yThe server's public key will be saved with the name 10.10.1.1. Please wait...Enter password: sftp-client>


<client002> system-view[client002] sftp 10.10.1.1Please input the username: client002Trying 10.10.1.1 ...Press CTRL+K to abortThe server is not authenticated. Continue to access it? [Y/N] :y Save the server's public key? [Y/N] :y The server's public key will be saved with the name 10.10.1.1. Please wait...sftp-client>



8-59


After the configuration, run the display ssh server status and display ssh server sessioncommands. You can view that the STelnet service is enabled and the SFTP client is connectedto the SSH server successfully.


[SSH Server] display ssh server statusSSH version : 1.99SSH connection timeout : 60 secondsSSH server key generating interval : 0 hoursSSH Authentication retries : 3 timesSFTP server: Enable Stelnet server: Disable


[SSH Server] display ssh server sessionSession 1: Conn : VTY 3 Version : 2.0 State : started Username : client001 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : sftp Authentication Type : password Session 2: Conn : VTY 4 Version : 2.0 State : started Username : client002 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : sftp Authentication Type : rsa

# Display information about the SSH user.

[SSH Server]display ssh user-informationUser 1: User Name : client001 Authentication-type : password User-public-key-name : - Sftp-directory : cfcard: Service-type : sftp Authorization-cmd : No User 2: User Name : client002 Authentication-type : rsa User-public-key-name : RsaKey001 Sftp-directory : cfcard: Service-type : sftp Authorization-cmd : No

----End




Issue 01 (2011-05-30)

Configuration Filesl Configuration file of the SSH server.

# sysname SSH Server# rsa peer-public-key rsakey001 public-key-code begin 3047 0240 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B 0203 010001 public-key-code end peer-public-key end#aaa local-user client001 password simple huawei local-user client001 service-type ssh#interface GigabitEthernet1/0/1 undo shutdown ip address 10.10.1.1 255.255.0.0# sftp server enable ssh user client001 ssh user client002 ssh user client001 authentication-type password ssh user client002 authentication-type rsa ssh user client002 assign rsa-key RsaKey001 ssh user client001 service-type sftp ssh user client002 service-type sftp ssh user client001 sftp-directory cfcard:. ssh user client002 sftp-directory cfcard:. #user-interface vty 0 4 authentication-mode aaa protocol inbound ssh#Return

l Configuration file of Client001 on the SSH client# sysname client001#interface GigabitEthernet1/0/1 ip address 10.10.2.2 255.255.0.0# ssh client first-time enable#return

l Configuration file of Client002 on the SSH client# sysname client002#interface GigabitEthernet1/0/1ip address 10.10.3.3 255.255.0.0# ssh client first-time enable#return



8-61

8.8.10 Example for Configuring the Access of the SFTP Server onthe Public Network When the Management VPN Instance Is Used

This part provides an example for configuring the access of the SFTP server on the publicnetwork when the management VPN instance is used. In this example, after generating the localkey pair on the SFTP client and SSH server, generating the RSA public key on the SSH server,and binding the RSA public key to the client, you can connect the SFTP client to the SFTP serveron the public network when using the management VPN instance.


As shown in Figure 8-18, a management VPN instance is configured for Client001 andClient002. Users use the VPN instance to access the FTP server. To enable the client to accessthe SFTP server on the public network, you need to connect the CX device to the SFTP serveron the public network.

The Huawei CX device functions as an SSH server. Two users client001 and client002 areconfigured to access the SSH server in the authentication mode of password and RSArespectively.

Figure 8-18 Networking diagram of configuring the access of the SFTP server on the publicnetwork when the management VPN instance is used

Client 002

GE1/0/110.10.3.3/16

SSH ServerGE1/0/110.10.1.1/16

Client 001

GE1/0/110.10.2.2/16



1. Configure Client001 and Client002 to log in to the SSH server in different authenticationmodes..


3. Enable the SFTP service on the SSH server.

4. Configure the service mode and authorization directory for the SSH user.

5. Configure Client001 and Client002 to log in to the SSH server on the Public Networkthrough SFTP..




Issue 01 (2011-05-30)




Procedure

Step 1 Generate a local key pair on the server.<HUAWEI> system-view [HUAWEI] sysname SSH Server[SSH Server] rsa local-key-pair createThe key name will be: HUAWEI_HostThe range of public key size is (512 ~ 2048).NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]: 768Generating keys............++++++++......................++++++++......................+++++++++.....+++++++++


NOTE


l When the SSH adopts the password or password-rsa authentication, configure a local user with thesame name.

l When the SSH user adopts the RSA, password-rsa, or all authentication, the server should save theRSA public key for the SSH client.



l Create Client001 for the SSH user.# Create an SSH user with the name Client001. The authentication mode is password.[SSH Server] ssh user client001[SSH Server] ssh user client001 authentication-type password# Set huawei as the password for the Client001 of the SSH user.[SSH Server] aaa[SSH Server-aaa] local-user client001 password simple huawei[SSH Server-aaa] local-user client001 service-type ssh[SSH Server-aaa] quit

l Create Client002 for the SSH user.# Create an SSH user with user name Client002 and RSA authentication.[SSH Server] ssh user client002[SSH Server] ssh user client002 authentication-type rsa





8-63



[client002] display rsa local-key-pair public=====================================================Time of Key pair created: 16:38:51 2007/5/25Key name: client002_HostKey type: RSA encryption Key=====================================================Key code:3047 0240 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B 0203 010001Host public key for PEM format code:---- BEGIN SSH2 PUBLIC KEY ----AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b---- END SSH2 PUBLIC KEY ----Public key code for pasting into OpenSSH authorized_keys file :ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key=====================================================Time of Key pair created: 16:38:51 2007/5/25Key name: client002_ServerKey type: RSA encryption Key=====================================================Key code:3067 0260 BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74 9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27 1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E BC89D3DB 5A83698C 9063DB39 A279DD89 0203 010001[client]


[SSH Server] rsa peer-public-key RsaKey001Enter "RSA public key" view, return system view with "peer-public-key end".[SSH Server-rsa-public-key] public-key-code beginEnter "RSA key code" view, return last view with "public-key-code end".[SSH Server-rsa-key-code] 3047[SSH Server-rsa-key-code] 0240[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43[SSH Server-rsa-key-code] 1D7E3E1B[SSH Server-rsa-key-code] 0203[SSH Server-rsa-key-code] 010001[SSH Server-rsa-key-code] public-key-code end[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind the RSA public key of SSH client to Client002 of the SSH user.[SSH Server] ssh user client002 assign rsa-key RsaKey001






Issue 01 (2011-05-30)

[SSH Server] sftp server enable

Step 6 Configure the service type and authorized directory of the SSH user.

Two SSH users are configured on the SSH server, namely, Client001 and Client002. Thepassword authentication mode is configured for Client001 and the RSA authentication mode isconfigured for Client002.

[SSH Server] ssh user client001 service-type sftp[SSH Server] ssh user client001 sftp-directory cfcard:[SSH Server] ssh user client002 service-type sftp[SSH Server] ssh user client002 sftp-directory cfcard:


# For the first login, you need to enable the first authentication on the SSH client.





# Connect the STelnet client Client001to the SSH server with the password authentication mode.

<client001> system-view[client001] sftp 10.10.1.1 public-netPlease input the username:client001Trying 10.10.1.1 ...Press CTRL+K to abortConnected to 10.10.1.1 ...Enter password: sftp-client>


<client002> system-view[client002] sftp 10.10.1.1 public-netPlease input the username: client002Trying 10.10.1.1 ...Press CTRL+K to abortConnected to 10.10.1.1 ...sftp-client>


After the configuration, run the display ssh server status and display ssh server sessioncommands. You can view that the STelnet service is enabled and the SFTP client is connectedto the SSH server successfully.


[SSH Server] display ssh server statusSSH version : 1.99 SSH connection timeout : 60 seconds SSH server key generating interval : 0 hours SSH Authentication retries : 3 times SFTP server: Enable STELNET server: Disable


[SSH Server] display ssh server session



8-65

Session 1: Conn : VTY 3 Version : 2.0 State : started Username : client001 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : sftp Authentication Type : password Session 2: Conn : VTY 4 Version : 2.0 State : started Username : client002 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : sftp Authentication Type : rsa

# Display information about the SSH user.

[SSH Server] display ssh user-informationUser 1: User Name : client001 Authentication-type : password User-public-key-name : - Sftp-directory : cfcard: Service-type : sftp Authorization-cmd : No User 2: User Name : client002 Authentication-type : rsa User-public-key-name : RsaKey001 Sftp-directory : cfcard: Service-type : sftp Authorization-cmd : No

----End


# sysname SSH Server# rsa peer-public-key rsakey001 public-key-code begin 3047 0240 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B 0203 010001 public-key-code end peer-public-key end#aaa local-user client001 password simple huawei local-user client001 service-type ssh#




Issue 01 (2011-05-30)

interface GigabitEthernet1/0/1 undo shutdownip address 10.10.1.1 255.255.0.0# sftp server enable ssh user client001 ssh user client002 ssh user client001 authentication-type password ssh user client002 authentication-type rsa ssh user client002 assign rsa-key RsaKey001ssh user client001 service-type sftp ssh user client002 service-type sftpssh user client001 sftp-directory cfcard:. ssh user client002 sftp-directory cfcard:. #user-interface vty 0 4 authentication-mode aaa protocol inbound ssh#Return



8.8.11 Example for Accessing the SSH Server Through Other PortNumbers

This section provides an example for accessing the SSH server through other port numbers.Inthis example, the monitoring port number of the SSH server is set to a port number other thanthe standard monitoring port number so that only valid users can set up connections with theSSH server.


The standard monitored port number of the SSH protocol is 22. The frequent malicious accessesto the standard port consume bandwidth and affect the performance of the server, and other userscannot access the standard port.

After the number of the port monitored by the SSH server is set to other port numbers, the attackerdoes not know the change of the number of the monitored port and keeps sending socketconnection requests with the standard port 22. After detecting that the port number intheconnection requests is not the number of the monitored port, the SSH does not set up the socketconnection.



8-67

Thus, only the valid user can set up the socket connection through the non-standard monitoredport set by the SSH server, and follow the procedure of negotiating the SSH version number,negotiating the algorithm, generating the session key, authenticating, sending session request,and performing the interactive session.

The Huawei CX device functions as an SSH server. The client client001 is configured to log into the SSH server by using STelnet in the authentication mode of password; the client client002is configured to log in to the SSH server by using SFTP in the authentication mode of RSA.

Figure 8-19 Networking diagram of accessing the SSH server through other port numbers

Client 002

GE1/0/110.10.3.3/16

SSH ServerGE1/0/110.10.1.1/16

Client 001

GE1/0/110.10.2.2/16



1. Configure Client001 and Client002 to log in to the SSH server in different authenticationmodes..


3. Enable the STelnet and SFTP service on the SSH server.

4. Configure the service mode and authorization directory of the SSH user.

5. Configure the interception port number for the SSH server so that the client can access theserver through other port numbers.

6. Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.

Data Preparation


l Client001 with the password as huawei and adopt the password authentication.

l Client002, adopt the RSA authentication and assign the public key RsaKey001 toClient002.

l IP address of the SSH server is 10.10.1.1.

l Number of the port monitored by the SSH server is 1025.




Issue 01 (2011-05-30)

ProcedureStep 1 Generate a local key pair on the server.

<HUAWEI> system-view [HUAWEI] sysname SSH Server[SSH Server] rsa local-key-pair createThe key name will be: SSH Server_HostThe range of public key size is (512 ~ 2048).NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]: 768Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++


# Generate a local key pair of client on the client.



[client002] display rsa local-key-pair public=====================================================Time of Key pair created: 16:38:51 2007/5/25Key name: client002_HostKey type: RSA encryption Key=====================================================Key code:3047 0240 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B 0203 010001Host public key for PEM format code:---- BEGIN SSH2 PUBLIC KEY ----AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b---- END SSH2 PUBLIC KEY ----Public key code for pasting into OpenSSH authorized_keys file :ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key=====================================================Time of Key pair created: 16:38:51 2007/5/25Key name: client002_ServerKey type: RSA encryption Key=====================================================Key code:3067 0260 BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74 9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27 1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E BC89D3DB 5A83698C 9063DB39 A279DD89 0203 010001


[SSH Server] rsa peer-public-key RsaKey001



8-69

Enter "RSA public key" view, return system view with "peer-public-key end".[SSH Server-rsa-public-key] public-key-code beginEnter "RSA key code" view, return last view with "public-key-code end".[SSH Server-rsa-key-code] 3047[SSH Server-rsa-key-code] 0240[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43[SSH Server-rsa-key-code] 1D7E3E1B[SSH Server-rsa-key-code] 0203[SSH Server-rsa-key-code] 010001[SSH Server-rsa-key-code] public-key-code end[SSH Server-rsa-public-key] peer-public-key end


NOTE


l When the SSH adopts the password or password-rsa authentication mode, configure a local user at thesame name.

l When the SSH user adopts the RSA, password-rsa, or all authentication modes, the server should savethe RSA public key for the SSH client.



l Create Client001 for the SSH user.# Create an SSH user with the name Client001. The authentication mode is password.[SSH Server] ssh user client001[SSH Server] ssh user client001 authentication-type password

# Set huawei as the password toSSH user Client001.[SSH Server] aaa[SSH Server-aaa] local-user client001 password simple huawei[SSH Server-aaa] local-user client001 service-type ssh[SSH Server-aaa] quit

# Configure Client001 with service type of STelnet.[SSH Server] ssh user client001 service-type stelnet

l Create Client002 for the SSH user.Create an SSH user with the name of Client002 and RSA authentication, bound to RSA publickey of the SSH client.[SSH Server] ssh user client002[SSH Server] ssh user client002 authentication-type rsa[SSH Server] ssh user client002 assign rsa-key RsaKey001

# Configure the service type of Client002 as SFTP and the authorization directory.[SSH Server] ssh user client002 service-type sftp[SSH Server] ssh user client002 sftp-directory cfcard:

Step 4 Enable the STelnet service and the SFTP service on the SSH server.

# Enable the STelnet service and the SFTP service.

[SSH Server] stelnet server enable[SSH Server] sftp server enable

Step 5 Configure a new number of the port monitored by the SSH server. [SSH Server] ssh server port 1025




Issue 01 (2011-05-30)







# Connect the STelnet client to the SSH server through the new port number.

[client001] stelnet 10.10.1.1 1025Please input the username:client001Trying 10.10.1.1 ...Press CTRL+K to abortConnected to 10.10.1.1 ...he server is not authenticated. Continue to access it?(Y/N):ySave the server's public key?(Y/N):yhe server's public key will be saved with the name 10.10.1.1. Please wait...Enter password:

Enter the password Huawei and view as follows:

Info: The max number of VTY users is 10, and the number of current VTY users on line is 1. <SSH Server>

# Connect the SFTP client to the SSH server through the new port number.

[client002] sftp 10.10.1.1 1025Please input the username:client002Trying 10.10.1.1 ...Press CTRL+K to abortThe server is not authenticated. Continue to access it?(Y/N):ySave the server's public key?(Y/N):yThe server's public key will be saved with the name 10.10.1.1. Please wait...sftp-client>


The attacker fails to access the SSH server through port 22.

[client002] sftp 10.10.1.1Please input the username:client002Trying 10.10.1.1 ...Press CTRL+K to abortError: Failed to connect to the server.

After the configuration, run the display ssh server status and display ssh server sessioncommands. You can view the number of the port monitored by the SSH server and that theSTelnet client or SFTP client is connected to the SSH server successfully.


[SSH Server] display ssh server statusSSH version : 1.99 SSH connection timeout : 60 seconds SSH server key generating interval : 0 hours SSH Authentication retries : 3 times SFTP server: Enable STELNET server: Enable



8-71

SSH server port: 1025


[SSH Server] display ssh server sessionSession 1: Conn : VTY 3 Version : 2.0 State : started Username : client001 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : stelnet Authentication Type : password Session 2: Conn : VTY 4 Version : 2.0 State : started Username : client002 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : sftp Authentication Type : rsa

----End


# sysname SSH Server# rsa peer-public-key rsakey001 public-key-code begin 3047 0240 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B 0203 010001 public-key-code end peer-public-key end#aaa local-user client001 password simple huawei local-user client001 service-type ssh#interface GigabitEthernet1/0/1 undo shutdown ip address 10.10.1.1 255.255.0.0# sftp server enable stelnet server enable ssh server port 1025 ssh user client001 ssh user client002 ssh user client001 authentication-type password ssh user client002 authentication-type RSA ssh user client002 assign rsa-key RsaKey001 ssh user client001 service-type stelnet




Issue 01 (2011-05-30)

ssh user client002 service-type sftpssh user client002 sftp-directory cfcard:.#user-interface vty 0 4 authentication-mode aaa protocol inbound ssh#return

l Configuration file of Client001 on the SSH client# sysname client001#interface GigabitEthernet1/0/1ip address 10.10.2.2 255.255.0.0#ssh client first-time enable#return

l Configuration file of Client002 on the SSH client# sysname client002#interface GigabitEthernet1/0/1 ip address 10.10.3.3 255.255.0.0#ssh client first-time enable#return

8.8.12 Example for an SSH Client in the Public Network to Accessan SSH Server in the Private Network

In this example, SSH attributes of users on the public network are configured so as to access theSSH server on the private network through STelnet or SFTP.

Networking RequirementsAs shown in Figure 8-20, PE1 as an SSH client resides on an MPLS backbone network, andCE1 as an SSH server is located at a private network of AS 65410. The users in the publicnetwork can safely access and manage CE1 on the private network through PE1.

The Huawei CX device functions as an SSH server. The client client001 is configured to log into the SSH server by using STelnet in the authentication mode of password; the client client002is configured to log in to the SSH server by using SFTP in the authentication mode of RSA.



8-73

Figure 8-20 Networking diagram of configuring the SSH client in public network accessing theSSH server in the private network

PE1(SSH

Client)POS1/0/1

100.1.1.2/30GE1/0/110.1.1.2/24

Loopback11.1.1.9/32

Loopback13.3.3.9/32

Loopback12.2.2.9/32

POS1/0/1100.1.1.1/30

POS1/0/2200.1.1.1/30 GE1/0/1

10.1.2.2/24

POS1/0/1200.1.1.2/30

MPLS BackboneAS:100

PE2

P

GE1/0/110.1.1.1/24

GE1/0/110.1.2.1/24CE1

(SSHserver)

CE2

VPN Site VPN Site

Configuration RoadmapThe roadmap for configuring SSH supporting access from the private network as follows:

1. Configure a VPN instance on the PE functioning as an SSH client so that the CE can accessthe PE.

2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.3. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind

the client client002 to an RSA key to authenticate the client when the client attempts to login to the server.

4. Enable the STelnet and SFTP service on the SSH server.5. Users in the public network access devices in the private network through STelent and

SFTP.

Data PreparationTo complete the configuration, you need the following data.

l Name of vpn-instance vpn1 on PEl VPN-target on PE is 111:1l IP address 10.1.1.2 of PE1; IP address 10.1.2.2 of PE2l Client001 with the password as huawei and adopt the password authenticationl Client002, adopt the RSA authentication and assign the public key RsaKey001 to Client002l IP address of the SSH server CE1 on the private network, that is, 10.1.1.1




Issue 01 (2011-05-30)

Procedure

Step 1 Configure the MPLS backbone network

With IGP configured on the MPLS backbone network, the PE on the backbone network cancommunicate with P; configure the MPLS basic capability and MPLS LDP, and create LDPLSPs.

The detailed configurations are not mentioned here. For more information, refer to theconfiguration file of this example.

Step 2 Configure the VPN instance. Configure VPN on PE and connect CE to PE.

# Configure PE1.

[PE1] ip vpn-instance vpn1[PE1-vpn-instance-vpn1] route-distinguisher 100:1[PE1-vpn-instance-vpn1] vpn-target 111:1 both[PE1-vpn-instance-vpn1] quit[PE1] interface gigabitethernet 1/0/1[PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1[PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24[PE1-GigabitEthernet1/0/1] quit

# Configure PE2.

[PE2] ip vpn-instance vpn1[PE2-vpn-instance-vpn1] route-distinguisher 200:1[PE2-vpn-instance-vpn1] vpn-target 111:1 both[PE2-vpn-instance-vpn1] quit[PE2] interface gigabitethernet 1/0/1[PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1[PE2-GigabitEthernet1/0/1] undo shutdown[PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24[PE2-GigabitEthernet1/0/1] quit

# Configure IP addresses of interfaces on CEs as shown in Figure 8-20. The detailedconfigurations are not mentioned here.

After the configuration, run the display ip vpn-instance verbose command on PE. You canview the configuration of VPN. Each PE can ping through the accessed CE.

NOTE

In case of several VPN interfaces bound with PE, you have to run the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE that connects to the peer PE. Thesource IP address must be specified. Otherwise, it may fail to ping through.

Take PE1 and CE1 for example:

[PE1] display ip vpn-instance verbose Total VPN-Instances configured : 1 VPN-Instance Name and ID : vpn1, 1 Create date : 2007/06/08 11:42:58 Up time : 0 days, 00 hours, 03 minutes and 27 seconds Route Distinguisher : 100:1 Export VPN Targets : 111:1 Import VPN Targets : 111:1 Label policy : label per route The diffserv-mode Information is : uniform The ttl-mode Information is : uniform Interfaces : GigabitEthernet2/0/0[PE1] ping -vpn-instance vpn1 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=260 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=70 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=60 ms



8-75

Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=90 ms --- 10.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 60/108/260 ms

Step 3 Establish EBGP peer relationship between PEs and CEs and import VPN CX device.

# Configure CE1.

[CE1] bgp 65410[CE1-bgp] peer 10.1.1.2 as-number 100[CE1-bgp] import-route direct[CE1-bgp] quit

# Configure PE1.

[PE1] bgp 100[PE1-bgp] ipv4-family vpn-instance vpn1[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410[PE1-bgp-vpn1] import-route direct[PE1-bgp-vpn1] quit[PE1-bgp] quit

# Configure CE2.

[CE2] bgp 65420[CE2-bgp] peer 10.1.2.2 as-number 100[CE2-bgp] import-route direct[CE2-bgp] quit

# Configure PE2.

[PE2] bgp 100[PE2-bgp] ipv4-family vpn-instance vpn1[PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420[PE2-bgp-vpn1] import-route direct[PE2-bgp-vpn1] quit[PE2-bgp] quit

After configuration, run the display bgp vpnv4 vpn-instance peer command on PE. You canview that the BGP peer relationship between PE and CE is created and in the established state.

Take the peer relationship between PE 1 and CE 1 as an example.

[PE1] display bgp vpnv4 vpn-instance vpn1 peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 10.1.1.1 4 65410 3 3 0 00:00:37 Established 1

# Establish MP-BGP peer relationship between PEs.

The detailed configurations are not mentioned here. For more information, refer to theconfiguration file of this example.

Step 4 Generate a local key pair on the server.[CE1] rsa local-key-pair createThe key name will be: CE1_HostThe range of public key size is (512 ~ 2048).NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]: 768Generating keys..........++++++++++++




Issue 01 (2011-05-30)

..........++++++++++++

...................................++++++++

......++++++++


# Generate a local key pair of client on the client.

[PE1] rsa local-key-pair createThe key name will be: PE1_HostThe range of public key size is (512 ~ 2048).NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]: 768Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++


[PE1] display rsa local-key-pair public=====================================================Time of Key pair created: 12:02:09 2007/6/8Key name: PE1_HostKey type: RSA encryption Key=====================================================Key code:3047 0240 BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D E2EE8EB5 0203 010001 Host public key for PEM format code:---- BEGIN SSH2 PUBLIC KEY ----AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61---- END SSH2 PUBLIC KEY ----Public key code for pasting into OpenSSH authorized_keys file :ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key=====================================================Time of Key pair created: 12:02:09 2007/6/8Key name: PE1_ServerKey type: RSA encryption Key=====================================================Key code:3067 0260 9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3 0203 010001


[CE1] rsa peer-public-key RsaKey001Enter "RSA public key" view, return system view with "peer-public-key end".[CE1-rsa-public-key] public-key-code beginEnter "RSA key code" view, return last view with "public-key-code end".[CE1-rsa-key-code] 3067[CE1-rsa-key-code] 0240[CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376



8-77

[CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695[CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D[CE1-rsa-key-code] E2EE8EB5[CE1-rsa-key-code] 0203[CE1-rsa-key-code] 010001[CE1-rsa-key-code] public-key-code end[CE1-rsa-public-key] peer-public-key end[CE1-rsa-public-key] quit

Step 6 Create an SSH user on the server.NOTE

The SSH user can be authenticated in four modes namely, password, RSA, password-rsa, and all.l When the SSH adopts the password or password-rsa authentication, a local user must be configured

with the same name.l When the SSH user adopts the RSA, password-rsa, or all authentication, the server should save the

RSA public key for the SSH client.

# Configure the VTY user interface.

[CE1] user-interface vty 0 4[CE1-ui-vty0-4] authentication-mode aaa[CE1-ui-vty0-4] protocol inbound ssh[CE1-ui-vty0-4] quitl Create Client001 for the SSH user.

# Create an SSH user with the name Client001. The authentication mode is password.[CE1] ssh user client001[CE1] ssh user client001 authentication-type password# Set huawei as the password for the Client001 of the SSH user.[CE1] aaa[CE1-aaa] local-user client001 password simple huawei[CE1-aaa] local-user client001 service-type ssh[CE1-aaa] quit# Configure service type of Client001 as STelnet.[CE1] ssh user client001 service-type stelnet

l Create an SSH user with the name of Client002 and RSA authentication, bound to RSA publickey of the SSH client.[CE1] ssh user client002[CE1] ssh user client002 authentication-type rsa[CE1] ssh user client002 assign rsa-key RsaKey001# Configure the service type of Client002 as SFTP and the authorization directory.[CE1] ssh user client002 service-type sftp[CE1] ssh user client002 sftp-directory cfcard:

Step 7 Enable STelnet and SFTP services on the SSH server.[CE1] stelnet server enable[CE1] sftp server enable

Step 8 PE logs in to CE as the SSH client.


[PE1] ssh client first-time enable

# Log in to the SSH server through STelnet.

[PE1] stelnet 10.1.1.1 -vpn-instance vpn1Please input the username:client001Trying 10.1.1.1 ...Press CTRL+K to abortConnected to 10.1.1.1 ...




Issue 01 (2011-05-30)

The server is not authenticated. Do you continue to access it?(Y/N):yDo you want to save the server's public key?(Y/N):yThe server's public key will be saved with the name:10.1.1.1. Please wait...Enter password:

Enter the password huawei. The following information is displayed:

Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.<CE1>

# Log in to the SSH server by SFTP.

[PE1] sftp 10.1.1.1 -vpn-instance vpn1Please input the username:client002Trying 10.1.1.1 ...Press CTRL+K to abortThe server is not authenticated. Do you continue to access it?(Y/N):yDo you want to save the server's public key?(Y/N):yThe server's public key will be saved with the name:10.1.1.1. Please wait...

After successful login, the following information is displayed, and then you can continue.

sftp-client>

Step 9 Check the Configuration

When running the display this command in the PE interface view, you can view that theconfiguration of the VPN instance is successful; when running the display ssh server sessioncommand on CE, you can view that the STelnet client or SFTP client is connected to the SSHserver successfully.

# View information about SSH server connection.

[PE1] display ssh server session Session 1: Conn : VTY 0 Version : 2.0 State : started Username : client001 Retry : 1 CTOS Cipher : aes128-cbc STOC Cipher : aes128-cbc CTOS Hmac : hmac-sha1-96 STOC Hmac : hmac-sha1-96 Kex : diffie-hellman-group1-sha1 Service Type : stelnet Authentication Type : password

----End

Configuration Filesl Configuration file of CE1

# sysname CE1# rsa peer-public-key RsaKey001 public-key-code begin 3067 0260 9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3 0203 010001 public-key-code end



8-79

peer-public-key end#interface GigabitEthernet1/0/1 ip address 10.1.1.1 255.255.255.0#bgp 65410 peer 10.1.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable#aaa local-user client001 password simple huawei local-user client001 service-type ssh authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default# sftp server enable stelnet server enablessh user client001 ssh user client002 ssh user client001 authentication-type password ssh user client002 authentication-type RSA ssh user client002 assign rsa-key RsaKey001 ssh user client001 service-type stelnet ssh user client002 service-type sftp ssh user client002 sftp-directory cfcard#user-interface con 0user-interface vty 0 4 authentication-mode aaa protocol inbound sshuser-interface vty 16 20#return

l Configuration file of PE1# sysname PE1#ip vpn-instance vpn1 ipv4-family route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity# mpls lsr-id 1.1.1.9 mpls#mpls ldp#interface GigabitEthernet1/0/1 ip binding vpn-instance vpn1 ip address 10.1.1.2 255.255.255.0#interface Pos1/0/1 link-protocol ppp ip address 100.1.1.1 255.255.255.0 mpls mpls ldp#interface LoopBack1 ip address 1.1.1.9 255.255.255.255




Issue 01 (2011-05-30)

#bgp 100 peer 3.3.3.9 as-number 100 peer 3.3.3.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 3.3.3.9 enable # ipv4-family vpnv4 policy vpn-target peer 3.3.3.9 enable # ipv4-family vpn-instance vpn1 import-route direct peer 10.1.1.1 as-number 65410#ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 100.1.1.0 0.0.0.255# ssh client first-time enable#user-interface con 0user-interface vty 0 4user-interface vty 16 20#return

l Configuration file of P# sysname P# mpls lsr-id 2.2.2.9 mpls#mpls ldp#interface Pos1/0/1 link-protocol ppp ip address 100.1.1.2 255.255.255.0 mpls mpls ldp#interface Pos1/0/2 link-protocol ppp ip address 200.1.1.1 255.255.255.0 mpls mpls ldp#interface LoopBack1 ip address 2.2.2.9 255.255.255.255#ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 100.1.1.0 0.0.0.255 network 200.1.1.0 0.0.0.255#return

l Configuration file of PE2# sysname PE2#ip vpn-instance vpn1 ipv4-family route-distinguisher 200:1 vpn-target 111:1 export-extcommunity



8-81

vpn-target 111:1 import-extcommunity# mpls lsr-id 3.3.3.9 mpls#mpls ldp#interface GigabitEthernet1/0/1 ip binding vpn-instance vpn1 ip address 10.1.2.2 255.255.255.0#interface Pos1/0/1 link-protocol ppp ip address 200.1.1.2 255.255.255.0 mpls mpls ldp#interface LoopBack1 ip address 3.3.3.9 255.255.255.255#bgp 100 peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 1.1.1.9 enable # ipv4-family vpnv4 policy vpn-target peer 1.1.1.9 enable # ipv4-family vpn-instance vpn1 import-route direct peer 10.1.2.1 as-number 65420#ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 200.1.1.0 0.0.0.255#return

l Configuration file of CE2# sysname CE2#interface GigabitEthernet1/0/1 ip address 10.1.2.1 255.255.255.0#bgp 65420 peer 10.1.2.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.1.2.2 enable#return




Issue 01 (2011-05-30)

9 Clock Synchronization Configuration

About This Chapter

Clock synchronization is used to keep differences in clock frequency and phase among networkelements within a tolerable range. Effective clock synchronization improves the transmissionperformance of a network.

9.1 Introduction of Clock Synchronization ConfigurationClock synchronization ensures that digital pulse signals are sent and received in a specifictimeslot.

9.2 Setting Basic Configurations for Clock SynchronizationThis section describes how to set basic configurations for clock synchronization.

9.3 Configuring an External BITS Clock SourceYou can run commands on the CX deviceto configure the device to trace different types ofexternal BITS clock sources.

9.4 Configuring a Clock Reference Source Manually or ForciblyThis section describes how to manually or forcibly configure a clock reference source.

9.5 Configuring Clock Protection Switching Based on SSM LevelsThe higher its SSM level, the more accurate a clock is. By default, a clock board uses the mostaccurate clock source available.

9.6 Configuring Clock Protection Switching Based on PrioritiesIf clock sources are configured with different priorities, then the clock source with the secondhighest priority becomes effective immediately after the clock source with the highest priorityfails.

9.7 Configuring Ethernet Clock SynchronizationEthernet clock synchronization implements clock synchronization among devices on an IPbearer network.

9.8 Configuration Examples of Clock SynchronizationThis section provides examples for configuring clock protection switching and for configuringEthernet clock synchronization.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 9 Clock Synchronization Configuration


9-1

9.1 Introduction of Clock Synchronization ConfigurationClock synchronization ensures that digital pulse signals are sent and received in a specifictimeslot.

9.1.1 Overview of Clock Synchronization ConfigurationClock synchronization ensures that digital pulse signals are sent and received in a specifictimeslot.

9.1.2 Clock Synchronization Supported by the CX600

9.1.1 Overview of Clock Synchronization ConfigurationClock synchronization ensures that digital pulse signals are sent and received in a specifictimeslot.

Definition

Synchronization must be maintained on Data Communications Networks (DCN). The sendingend places a pulse in a specified timeslot at the end of the digital pulse signal. The receiving endextracts the pulse in the specified timeslot, so that normal communications between sending andreceiving ends are guaranteed. A clock ensures that signals are sent in a certain timeslot and thenreceived and extracted from that timeslot.

Purpose

Clock synchronization is used to keep differences in clock frequency and phase among networkelements on a digital network within a specific range. If the differences exceed the specifiedrange, bit errors and jitter occur and transmission performance is degraded.

9.1.2 Clock Synchronization Supported by the CX600

Clock Transmission

The clock signals can be transmitted on the Ethernet network, Asynchronous Transfer Mode(ATM) network, and Synchronous Digital Hierarchy (SDH) network.

Tracing BITS Clock

For the Building Integrated Timing Supply System (BITS) clock source, the clock moduleextracts Synchronization Status Messages (SSMs) from the 2.048 Mbit/s stream signals, or theMain Processing Unit (MPU) sets a preset SSM level for the 2.048 MHz clock signals.

Stratum-3 Clock Source

The device that provides the clock signals for the local device is called the clock source. Thelocal device may have multiple clock sources. Include BITS0, BITS1, BITS2 and PTP.

9 Clock Synchronization ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

9.2 Setting Basic Configurations for Clock SynchronizationThis section describes how to set basic configurations for clock synchronization.


9.2.2 Setting Basic Configurations for Clock Synchronization



Applicable EnvironmentBefore configuring clock synchronization, you must set basic configurations.

Pre-configuration TasksNone.

Data PreparationNone.

9.2.2 Setting Basic Configurations for Clock Synchronization

ContextDo as follows on every CX device on the clock synchronization network.

Procedure



Step 2 Run:clock ethernet-synchronization enable

The Ethernet clock synchronization function is enabled.

Step 3 Run:clock source { bits0 | bits1 | bits2 | ptp } synchronization enable

The clock synchronization function is enabled.

Step 4 Run:interface interface-type interface-number

or

controller { e1 | cpos } controller-number



9-3

The interface view is displayed.

Step 5 Run:clock synchronization enable

The clock synchronization function is enabled on a port.

Step 6 Run:quit

Return to the system view from the interface view.

Step 7 (Optional) Run:clock ssm-control { on | off }

SSM control is enabled.

By default, SSM control is enabled.

Step 8 (Optional) Run:clock run-mode

The running mode of the Ethernet Equipment Clock (EEC) is set. By default, an EEC works innormal mode.

Step 9 (Optional) Run:clock switch { revertive | non-revertive }

The recovery mode for a clock is configured. By default, a clock is revertive.

Step 10 (Optional) Run:clock wtr

The Wait to Recovery (WTR) time is configured.

By default, the WTR time is five minutes.

Step 11 (Optional) Run:clock source-lost holdoff-time

The holdoff time is set for a clock when the timing signal is invalid.

By default, the holdoff time is 1000 ms.

Step 12 (Optional) Run:clock max-out-ssm

The max out ssm value of the interface clock source is configured.

Step 13 (Optional) Run:clock freq-deviation-detect enable

Clock frequency offset detection is enabled. By default, clock frequency offset detection isdisabled.

----End




Issue 01 (2011-05-30)


Procedurel Run:

display clock config

Check whether basic configurations for clock synchronization take effect.

----End

9.3 Configuring an External BITS Clock SourceYou can run commands on the CX deviceto configure the device to trace different types ofexternal BITS clock sources.

9.3.1 Establishing the Configuration TaskBefore configuring the router to trace an external BITS clock source, familiarize yourself withthe applicable environment, complete the pre-configuration tasks, and obtain the data requiredthe configuration. This will help you complete the configuration task quickly and accurately.

9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock

9.3.3 Configuring an External Clock Source and Its Signal Type on the CX deviceThe CX device supports four types of signals (2mhz, 2mbps, dcls, and 1pps).


9.3.1 Establishing the Configuration TaskBefore configuring the router to trace an external BITS clock source, familiarize yourself withthe applicable environment, complete the pre-configuration tasks, and obtain the data requiredthe configuration. This will help you complete the configuration task quickly and accurately.

Applicable EnvironmentOn a synchronous Ethernet network, if the site where the CX device is located has a BITS clock,the CX device must be set to trace the BITS clock. The CX device serves as the primary clockto provide a clock source for the entire synchronous Ethernet network.

There are four types of BITS clocks: 2.048 MHz, 2.048 Mbit/s, 1 pps, and DCLS. You can usecommands to specify the type of external BITS clock source on the clock board.



9.3.2 Configuring the Lower Threshold of the Clock Signals Outputby the BITS Clock



9-5

ContextDo as follows on all CX devices on the clock synchronization network.

Procedure



Step 2 Run:clock bits output-threshold

The lower threshold (the lowest quality level) of clock signals output by the BITS clock isconfigured.

----End

9.3.3 Configuring an External Clock Source and Its Signal Type onthe CX device

The CX device supports four types of signals (2mhz, 2mbps, dcls, and 1pps).

ContextDo as follows on every CX devices on the clock synchronization network.

Procedure



Step 2 Run:clock bits-type

An external BITS clock source and its signal type are configured.

For information about clock source IDs and signal types, refer to the HUAWEI CX600 MetroServices Platform - Command Reference.

----End


ContextRun the following commands to check the previous configuration.

Procedurel Run the display clock source command to check the status and attributes of the clock

reference source.




Issue 01 (2011-05-30)

l Run the display clock config command to check the configuration informations of theclock reference source.

----End

9.4 Configuring a Clock Reference Source Manually orForcibly

This section describes how to manually or forcibly configure a clock reference source.


9.4.2 Configuring a Clock Reference Source




Manually configuring the clock reference source and forcibly configuring the clock referencesource differ in the following aspects:

l The clock reference source cannot be configured manually in the following situations:

– The clock reference source is not enabled with the clock synchronization enablecommand.

– The clock reference source is in the Abnormal state.

– The quality level of the clock reference source is QL-DNU or is not the highest.

l The clock reference source cannot be configured forcibly in the following situations:

– The clock reference source is not enabled with the clock synchronization enablecommand.

– The clock reference source is in the Abnormal state.

– The QL of the clock reference source is QL-DNU.

– The clock works in hold mode.

You can switch the mode of configuring the clock reference source from manual to forciblethrough command lines.

The clock reference source should be specified on the master clock, as shown in Figure 9-1. OnCX- A, the external clock interface, bits0, on the master clock board is connected to BITS0, onereference clock source; the external clock interface, bits0, on the slave clock board is connectedto BITS1, another reference clock source. The output clock signals of BITS0 and BITS1 aresame.

CX- A is manually or forcibly configured to trace the clock signal input through bits0. In normalsituations, CX- A traces the BITS0 clock reference source. When the master clock board fails,a switchover of the clock boards is performed. After that, CX- A traces the BITS1 clock referencesource.



9-7

Figure 9-1 Diagram of configuring the clock reference source manually

BITS0

CLK-IN

CX-A

CLK-IN

BITS1

ETH ETH

CX-B CX-C

Pre-configuration TasksBefore configuring the clock reference source manually, complete the following tasks:Configuring an External Clock Reference Source and Its Signal Type on the device.

l Configuring an external clock reference sourcel Configuring signal type of the external clock reference source


9.4.2 Configuring a Clock Reference Source

ContextDo as follows on all CX devices on the clock synchronization network.

Procedurel Configure a clock reference source manually.

1. Run:system-view

The system view is displayed.2. (Optional) Run:

clock clear [ 2msync-1 | 2msync-2 ]

Forcible specification of a clock reference source is cancelled.

If forcible specification of a clock reference source has been configured, you need torun the clock clear command to cancel the configuration before configuring manualspecification of a clock reference source.

3. Run:clock manual { 2msync-1 | 2msync-2 } source interface interface-type interface-number

or




Issue 01 (2011-05-30)

clock manual source { bits0 | bits1 | bits2 | ptp | interface interface-type interface-number}

A clock reference source is manually configured.l Configure a clock reference source forcibly.

1. Run:system-view


clock force { 2msync-1 | 2msync-2 } source interface interface-type interface-number

or

clock force source { bits0 | bits1 | bits2 | ptp | interface interface-type interface-number}

A clock reference source is forcibly configured.

----End



Procedure

Step 1 Run:display clock { config | source }

View the information about the clock source attributes.

----End

9.5 Configuring Clock Protection Switching Based on SSMLevels

The higher its SSM level, the more accurate a clock is. By default, a clock board uses the mostaccurate clock source available.


9.5.2 Configuring the Router to Automatically Select Clock Sources

9.5.3 Enabling SSMSSM must be enabled for the system to perform clock protection switching based on SSM levels.

9.5.4 Configuring the SSM Level of the Clock Reference Source

9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs

9.5.6 Setting the Modes of Extracting SSM Levels




9-9


Applicable EnvironmentSynchronous Ethernet signals can be used to carry SSM messages. The system then selects oneclock source based on the SSM levels of all the available clock sources. If clock sources areconfigured with SSM levels, the configured SSM levels are used; if clock sources are notconfigured with SSM levels, the SSM levels carried in the SSM messages are extracted for use.

The SSM levels include Primary Reference Clock (PRC), primary level SSU (SSU-A), secondlevel SSU (SSU-B), SDH Equipment Clock (SEC), Do Not Use for synchronization (DNU),and UNK in the descending order. If the SSM level of a clock source is DNU and SSM is enabled,the clock source is not selected during protection switchover.

The BITS clock has two types of signal. When the BITS clock signal is 2.048 Mbit/s, the clockboard extracts the SSM from the signal. When the BITS clock signal is 2.048 MHz, set the SSMlevel manually.

Pre-configuration TasksBefore configuring protection switchover of clock sources based on SSM levels, complete thefollowing tasks:l Configuring an external clock reference source and its signal type on the device.

Data PreparationTo configure protection switchover of clock sources based on SSM levels, you need SSM levelsof clock sources.


ContextDo as follows on all CX devices in the clock synchronization network:

Procedure



Step 2 Run:clock clear [ 2msync-1 | 2msync-2 ]

The CX device is configured to automatically select clock sources.

NOTEIf the clock sources are manually or forcibly specified, you need to run the clock clear command to enablethe system to automatically select clock sources. By default, the CX device automatically selects clocksources.

Step 3 Run:




Issue 01 (2011-05-30)

clock run-mode normal

The Ethernet Equipment Clock (EEC) is configured to work in normal mode.

By default, the EEC works in normal mode.

----End

9.5.3 Enabling SSMSSM must be enabled for the system to perform clock protection switching based on SSM levels.

ContextDo as follows on every CX device on the clock synchronization network:

Procedure



Step 2 Run:clock ssm-control on

SSM is enabled.

----End

9.5.4 Configuring the SSM Level of the Clock Reference Source

ContextDo as follows on the CX device that are connected with external clock sources:

Procedurel Configuring the SSM level of the clock reference source

1. Run:system-view


clock source { bits0 | bits1 | bits2 | ptp } ssm { prc | ssua | ssub | sec | dnu | unk }

The SSM level of the external clock reference source is configured.l Configuring the SSM level of the clock reference source on the interface

1. Run:system-view


interface interface-type interface-number



9-11

or


The interface view is displayed.3. Run:

clock ssm { dnu | prc | sec | ssua | ssub | unk }

The SSM level of the clock reference source on the interface is configured.

----End

9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal toCarry SSMs

ContextDo as follows on the CX device that are connected with external BITS clock sources:

Procedure



Step 2 Run:clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source { bits0 | bits1 | bits2 }

The setting timeslot of the 2.048 Mbit/s BITS clock signal is set to carry SSMs.

----End

9.5.6 Setting the Modes of Extracting SSM Levels

ContextSSM levels can be configured in one of the following modes:

l Forcibly configuring an SSM levell Extracting the SSM level from the interface

By default, the SSM level is extracted from the interface. If the SSM level is forcibly set, theforcibly-set SSM level takes effect.

Do as follows on all CX devices in the clock synchronization network:

Procedurel Forcibly configuring the SSM levels of clock reference sources

1. Run:system-view





Issue 01 (2011-05-30)

2. Run:clock source { bits0 | bits1 | bits2 | ptp }ssm { dnu | prc | sec | ssua | ssub | unk }

The SSM level of the clock reference source is configured.

NOTE

Repeat Step 2 to configure SSM levels for multiple clock reference sources.

To forcibly configure the SSM level of a clock reference source on the interface, you canfirst enter the corresponding interface view and run the clock ssm { dnu | prc | sec | ssua| ssub | unk } commands. This can achieve the same effect as that of Step 2.

l Extracting the SSM level of the clock reference source from the interface1. Run:

system-view


undo clock source { bits0 | bits1 | bits2 | ptp }ssm { dnu | prc | sec | ssua | ssub | unk }

Forcibly configuring the SSM level of a clock reference source is disabled.

To extract the SSM level of a clock reference source from the interface, you can first enterthe corresponding interface view and run the undo clock ssm command. This can achievethe same effect as that of Step 2.

NOTE

The current version only supports extracting the SSM level of a clock reference source from theEthernet interface, GigabitEthernet interface and CE1 interface.

To extract the SSM level of a clock reference source from the CE1 interface , you need to configurethe frame format as crc4.

----End



Procedurel Run:

display clock { config | source }


----End



9-13

9.6 Configuring Clock Protection Switching Based onPriorities

If clock sources are configured with different priorities, then the clock source with the secondhighest priority becomes effective immediately after the clock source with the highest priorityfails.



9.6.3 Disabling SSM

9.6.4 Setting Priorities of Clock Reference Sources



Applicable EnvironmentWhen you configure protection switchover of clock sources based on priorities, you need to runthe command clock ssm-control off to disable SSM.

When there are multiple clock sources, you can set different priorities for them. Normally, theclock uses the clock source with the highest priority. When the clock source with the highestpriority is faulty, the clock uses the clock source with the second highest priority. By default thepriority of a clock reference source is not set, it indicates that this clock reference source doesnot participate in selecting the clock source.

Pre-configuration TasksBefore configuring protection switchover of clock sources based on priorities, complete thefollowing tasks:

l Configuring an external clock reference source and its signal type on the device.

Data PreparationTo configure protection switchover of clock sources based on priorities, you need the prioritiesof different clock sources.


ContextDo as follows on all CX device in the clock synchronization network:

Procedure





Issue 01 (2011-05-30)


Step 2 Run:clock clear [ 2msync-1 | 2msync-2 ]

The CX device is configured to automatically select clock sources.

NOTEIf the clock sources are manually or forcibly specified, you need to run the clock clear [ 2msync-1 |2msync-2 ] command to enable the system to automatically select clock sources. By default, the CXdevice automatically selects clock sources.

Step 3 Run:clock run-mode normal

Set the Ethernet Equipment Clock (EEC) to work in normal mode.

By default, the EEC work in normal mode.

----End

9.6.3 Disabling SSM


Procedure



Step 2 Run:clock ssm-control off

SSM is disabled.

NOTE

When SSM is disabled, the CX device selects a clock source based on priorities.

----End

9.6.4 Setting Priorities of Clock Reference Sources

ContextDo as follows on all CX devices in the clock synchronization network.

Procedurel Setting priorities for the clock reference sources BITS and 1588

1. Run:system-view



9-15


clock source { bits0 | bits1 | bits2 | ptp } priority priority-value

Priorities are set for the clock reference sources BITS and 1588.

– Repeat the preceding step to configure priorities for multiple clock referencesources.

– You can set the same priority for multiple clock reference sources. The clockreference source is selected according to the priority. In the case of the samepriority, the clock reference source is selected based on the type of the clockreference source and port number.

l Setting the priority of a clock reference source on the interface1. Run:

system-view



or



clock [ 2msync-1 | 2msync-2 ] priority priority-value

The priority of the clock reference source on the interface is set.

----End



Procedure

Step 1 Run:display clock { config | source }


----End

9.7 Configuring Ethernet Clock SynchronizationEthernet clock synchronization implements clock synchronization among devices on an IPbearer network.


9.7.2 Enabling Ethernet Clock Synchronization




Issue 01 (2011-05-30)

9.7.3 Configuring Ethernet Clock Source



Applicable EnvironmentAs shown in Figure 9-2, the IP and Ethernet technology is adopted on the IP bearer networkbetween the Radio Network Controller (RNC) and the Base Transceiver Station (BTS) in theapplication of wireless service. The clock signals sent by the devices on the bearer network aresent to the data communication devices that connect the BTS after pass through the Ethernetclock synchronization. The Ethernet clock synchronization can ensure reliable quality of clocktransmission.

Figure 9-2 Networking diagram of applying Ethernet clock synchronization

BTS

FE

FE

BTS

BTS

GE

GE GE

CX-C

CX-B

GE

RNC

BITS

FE

CX-A

Pre-configuration TasksBefore configuring the Ethernet clock synchronization, complete the following tasks:

l Configuring the parameters of the link layer protocols and assign IP addresses to theinterfaces so that the link layer protocol status of the interface is Up.

l Configuring a static route or the Interior gateway protocol (IGP) protocol to so that thereis reachable IP route between the nodes.

Data PreparationTo configure the Ethernet clock synchronization, you need the following data.

l Slot number, sub-card number, and port number of the Ethernet clock source



9-17

9.7.2 Enabling Ethernet Clock Synchronization

ContextNOTE

Ethernet clock signals can be transmitted only after the Ethernet clock synchronization is enabled on allthe CX device in an IP bearer network.

Do as follows on all CX device in the clock synchronization network:

Procedure



Step 2 Run:clock ethernet-synchronization enable

The Ethernet clock synchronization is enabled.

----End

9.7.3 Configuring Ethernet Clock Source


Procedure




or



Step 3 Run:clock synchronization enable

The Ethernet clock synchronization function is enabled.

Step 4 Run:clock [ 2msync-1 | 2msync-2 ] priority priority-value

The priority of the clock reference source is configured.




Issue 01 (2011-05-30)

Step 5 Run:clock ssm { dnu | prc | sec | ssua | ssub | unk }

The SSM level of the clock source is configured.

----End



Procedurel Run:

display clock { config | source }

View information about the attributes of the clock source.

----End

9.8 Configuration Examples of Clock SynchronizationThis section provides examples for configuring clock protection switching and for configuringEthernet clock synchronization.

Follow-up ProcedureNOTE

This document takes interface numbers and link types of the CX600-X8 as an example. In workingsituations, the actual interface numbers and link types may be different from those used in this document.

9.8.1 Example for Configuring Protection Switchover of Clock Sources

9.8.1 Example for Configuring Protection Switchover of ClockSources

Networking RequirementsAs shown in Figure 9-3, there are two BITS clock sources on the network, and the master BITSclock source is used to synchronize the clock of the entire network. If the NEs cannot trace theclock signal from the master BITS clock source, they change to trace the clock signal from theslave BITS clock source. As shown in Figure 9-3, CX- A to CX- F trace the clock signal fromBITS0. The figure shows the direction of clock tracing in normal situations.



9-19

Figure 9-3 Networking diagram of configuring clock source tracing

BITS 0

BITS 1

GE1/0/0W

GE1/0/0 E

WGE2/0/0

E

GE1/0/040.1.1.2

W

GE1/0/040.1.1.1

EGE2/0/050.1.1.1

W GE2/0/030.1.1.2

E GE2/0/030.1.1.1

W GE1/0/020.1.1.2

E GE1/0/020.1.1.1

WGE2/0/010.1.1.2

EGE2/0/010.1.1.1

CX-A

CX-B CX-F

CX-C

CX-D

CX-E


1. Configure the external BITS clock signal types of CX- A and CX- D.2. Configure the priorities of all clock sources for the CX device.


Table 9-1 Clock sources of all CX device and the priorities

CX- Current ClockSource

Available ClockSources

Priority

CX-A BITS0 BITS0 1

CX-A BITS0 GE1/0/0 2

CX-A BITS0 Internal clock 3

CX-B GE1/0/0 GE1/0/0 1

CX-B GE1/0/0 GE2/0/0 2

CX-B GE1/0/0 Internal clock 3




Issue 01 (2011-05-30)

CX- Current ClockSource

Available ClockSources

Priority

CX-C GE2/0/0 GE2/0/0 1

CX-C GE2/0/0 GE1/0/0 2

CX-C GE2/0/0 Internal clock 3

CX-D GE1/0/0 GE1/0/0 1

CX-D GE1/0/0 BITS1 2

CX-D GE1/0/0 Internal clock 3

CX-E GE1/0/0 GE1/0/0 1

CX-E GE1/0/0 GE2/0/0 2

CX-E GE1/0/0 Internal clock 3

CX-F GE2/0/0 GE2/0/0 1

CX-F GE2/0/0 GE1/0/0 2

CX-F GE2/0/0 Internal clock 3

Procedure

Step 1 Connect the CX device and the BITS clock sources as shown inFigure 9-3

Step 2 Configure the IP addresses of the interfaces.

The details are not mentioned here.

Step 3 Set the priorities of all clock sources for the CX device as shown inFigure 9-3.

# Configure CX-A

<CX-A> system-view[CX-A] clock ethernet-synchronization enable[CX-A] clock source bits0 synchronization enable[CX-A] clock source bits0 ssm prc[CX-A] clock source bits0 priority 1 [CX-A] interface GigabitEthernet 1/0/0[CX-A-GigabitEthernet1/0/0] clock synchronization enable[CX-A-GigabitEthernet1/0/0] clock priority 2[CX-A-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0[CX-A-GigabitEthernet2/0/0] clock synchronization enable

# Configure CX-B

<CX-B> system-view[CX-B] clock ethernet-synchronization enable[CX-B] interface GigabitEthernet 1/0/0[CX-B-GigabitEthernet1/0/0] clock synchronization enable[CX-B-GigabitEthernet1/0/0] clock priority 1[CX-B-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0[CX-B-GigabitEthernet2/0/0] clock synchronization enable[CX-B-GigabitEthernet2/0/0] clock priority 2

# Configure CX-C



9-21

<CX-C> system-view[CX-C] clock ethernet-synchronization enable[CX-C] interface GigabitEthernet 1/0/0[CX-C-GigabitEthernet1/0/0] clock synchronization enable[CX-C-GigabitEthernet1/0/0] clock priority 2[CX-C-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0[CX-C-GigabitEthernet2/0/0] clock synchronization enable[CX-C-GigabitEthernet2/0/0] clock priority 1

# Configure CX-D

<CX-D> system-view[CX-D] clock ethernet-synchronization enable[CX-D] clock source bits1 synchronization enable[CX-D] clock source bits1 ssm ssua[CX-D] clock source bits1 priority 2[CX-D] interface GigabitEthernet 1/0/0 [CX-D-GigabitEthernet1/0/0] clock synchronization enable[CX-D-GigabitEthernet1/0/0] clock priority 1[CX-D-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0[CX-D-GigabitEthernet2/0/0] clock synchronization enable

# Configure CX-E

<CX-E> system-view[CX-E] clock ethernet-synchronization enable[CX-E] interface GigabitEthernet 1/0/0[CX-E-GigabitEthernet1/0/0] clock synchronization enable[CX-E-GigabitEthernet1/0/0] clock priority 1[CX-E-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0 [CX-E-GigabitEthernet2/0/0] clock synchronization enable[CX-E-GigabitEthernet2/0/0] clock priority 2

# Configure CX-F

<CX-F> system-view[CX-F] clock ethernet-synchronization enable[CX-F] interface GigabitEthernet 1/0/0[CX-F-GigabitEthernet1/0/0] clock synchronization enable[CX-F-GigabitEthernet1/0/0] clock priority 2[CX-F-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0 [CX-F-GigabitEthernet2/0/0] clock synchronization enable[CX-F-GigabitEthernet2/0/0] clock priority 1

Step 4 Check the clock source attributes of CX- A.<CX-A> display clock sourceSystem trace source State: lock mode into pull-in range Current system trace source: bits0 Current 2M-1 trace source: system PLL Current 2M-2 trace source: system PLL Master board source Pri(sys/2m-1/2m-2) In-SSM Out-SSM State -------------------------------------------------------------------------- bits0 1 /---/--- prc dnu normal GigabitEthernet1/0/0 2 /---/--- dnu prc normal GigabitEthernet2/0/0 ---/---/--- dnu prc normal Slave board source In-SSM Out-SSM State -------------------------------------------------------------------------- bits0 prc dnu normal

Step 5 Check the clock source attributes of other CX device.

# The displayed information about CX- B, CX- C, CX- D, CX- E, and CX- F is similar. Thefollowing uses CX- B as an example.




Issue 01 (2011-05-30)

<CX-B> display clock sourceSystem trace source State: lock mode into pull-in range Current system trace source: GigabitEthernet1/0/0 Current 2M-1 trace source: system PLL Current 2M-2 trace source: system PLL Master board source Pri(sys/2m-1/2m-2) In-SSM Out-SSM State -------------------------------------------------------------------------- GigabitEthernet1/0/0 1 /---/--- prc dnu normal GigabitEthernet2/0/0 2 /---/--- dnu prc normal Slave board source In-SSM Out-SSM State --------------------------------------------------------------------------


When the master BITS clock source fails, all NEs trace the clock signal from the slave BITSclock source.

The following takes CX- A as an example.

# Run the following command on CX- A.

<CX-A> display clock sourceSystem trace source State: lock mode into pull-in range Current system trace source: GigabitEthernet1/0/0 Current 2M-1 trace source: system PLL Current 2M-2 trace source: system PLL Master board source Pri(sys/2m-1/2m-2) In-SSM Out-SSM State -------------------------------------------------------------------------- bits0 1 /---/--- prc ssua abnormal GigabitEthernet1/0/0 2 /---/--- ssua dnu normal GigabitEthernet2/0/0 ---/---/--- ssua ssua normal Slave board source In-SSM Out-SSM State -------------------------------------------------------------------------- bits0 prc ssua abnormal

# After the connection between the BITS clock source and CX- A is closed, all CX deviceperform clock source tracing switchover/

Figure 9-4shows the clock source tracing after the connection between the BITS clock sourceand CX- A is closed.



9-23

Figure 9-4 Networking diagram of the clock source tracing after the connection between theBITS clock source and CX- A is closed

W

E

W

E

W

E

W

E

W

E

W

E

CX-A

CX-B CX-F

CX-C

CX-D

CX-E

BITS 1

----End

Configuration Filesl CX-A Configuration Files

# sysname CX-A# clock ethernet-synchronization enable clock source bits0 priority 1 clock source bits0 ssm prc clock source bits0 synchronization enable# interface GigabitEthernet1/0/0 undo shutdown clock priority 2 clock synchronization enable# interface GigabitEthernet2/0/0 undo shutdown clock synchronization enable#return

l CX-B Configuration Files# sysname CX-B# clock ethernet-synchronization enable# interface GigabitEthernet1/0/0 undo shutdown clock priority 1 clock synchronization enable# interface GigabitEthernet2/0/0




Issue 01 (2011-05-30)

undo shutdown clock priority 2 clock synchronization enable#return

l CX-C Configuration Files# sysname CX-C# clock ethernet-synchronization enable# interface GigabitEthernet1/0/0 undo shutdown clock priority 2 clock synchronization enable# interface GigabitEthernet2/0/0 undo shutdown clock priority 1 clock synchronization enable#return

l CX-D Configuration Files# sysname CX-D# clock ethernet-synchronization enable clock source bits1 priority 2 clock source bits1 ssm ssua clock source bits1 synchronization enable# interface GigabitEthernet1/0/0 undo shutdown clock priority 1 clock synchronization enable# interface GigabitEthernet2/0/0 undo shutdown clock synchronization enable#return

l CX-E Configuration Files# sysname CX-E#clock ethernet-synchronization enable# interface GigabitEthernet1/0/0 undo shutdown clock priority 1 clock synchronization enable# interface GigabitEthernet2/0/0 undo shutdown clock priority 2 clock synchronization enable#return

l CX-F Configuration Files# sysname CX-F#clock ethernet-synchronization enable# interface GigabitEthernet1/0/0



9-25

undo shutdown clock priority 2 clock synchronization enable # interface GigabitEthernet2/0/0 undo shutdown clock priority 1 clock synchronization enable#return




Issue 01 (2011-05-30)

10 Device Maintenance

About This Chapter

With routine device maintenance, you can detect potential operation threats on devices and theneradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.

10.1 Introduction of Device MaintenanceDevice maintenance involves replacing boards and monitoring the internal environment.

10.2 Powering off the MPUTo ensure non-stop services, you can power off the slave MPU only. If the device has only oneMPU, confirm the action before powering off the MPU.

10.3 Powering off the SFUWhen the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

10.4 Powering off the NPUThis section describes how to power off the NPU.

10.5 Powering off the LPUWhen the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.

10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/sTo restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need tobind a valid Global Trotter License (GTL) file to the NPU.

10.7 Switching Between the Operation Modes of the LPUF-10You can run a command to configure the LPUF-10 to work in either FR or ATM mode.

10.8 Configuring the CMU

10.9 Configuring a Cleaning Cycle for the Air FilterThis section describes the procedure for configuring a cleaning cycle for the air filter.

10.10 Monitoring the Device StatusMonitoring the device status facilitates fault location and cause analysis.

10.11 Board MaintenceBoard Maintenance involves resetting a board and clearing the maximum CPU usage.

10.12 Configuring NAP-based Remote Deployment

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 10 Device Maintenance


10-1

Using NAP, you can remotely log in to devices with empty configurations to implement remotedeployment.

10.13 Configuration Examples of the Device MaintenanceThis section provides examples for powering off different types of boards to describe commondevice maintenance operations.

10 Device MaintenanceHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

10.1 Introduction of Device MaintenanceDevice maintenance involves replacing boards and monitoring the internal environment.

10.1.1 Overview of Device MaintenanceDevice maintenance involves replacing boards and monitoring the internal environment.

10.1.2 Maintenance Features Supported by the CX600The CX600boards to be powered off and allows the operation status to be monitored.

10.1.1 Overview of Device MaintenanceDevice maintenance involves replacing boards and monitoring the internal environment.

ConceptThe stable running of a CX devicedepends on the mature network planning and the routinemaintenance. In addition, fast location of the hidden hazards is necessary.

The maintenance personnel must check the alarm information in time and deal with the faultproperly to keep the device in normal operation and reduce the failure rate. Thus, the systemruns in a safe, stable, and reliable environment.

Maintenance OperationMaintenance such as board replacement and internal environment check ensures the normaloperation of the CX device.

10.1.2 Maintenance Features Supported by the CX600The CX600boards to be powered off and allows the operation status to be monitored.

Powering offYou can power on or power off the boards through command lines to perform hot pluggingwithout interrupting the services on the CX device.

MonitoringIn routine maintenance of the device, you can run the display commands to view the workingstatus of the CX device. This can help the maintenance personnel fast locate the fault during thetroubleshooting procedure.

10.2 Powering off the MPUTo ensure non-stop services, you can power off the slave MPU only. If the device has only oneMPU, confirm the action before powering off the MPU.

10.2.1 Establishing the Configuration TaskBefore powering off the MPU, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.



10-3

10.2.2 Powering off the Slave MPUWhen the MPU is faulty or you need to routinely maintain the MPU, you can power off theMPU.

10.2.3 Checking the ConfigurationAfter the MPU is powered off, you can run the display device command to check whether theMPU has been powered off.

10.2.1 Establishing the Configuration TaskBefore powering off the MPU, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.

Applicable EnvironmentThe two Main Processing Units (MPUs) are in 1:1 backup mode. During operation, one MPUserves as the master MPU and the other as the slave MPU. Remove the MPUs in the followingsituations:

l Maintenance of the MPU such as dust removingl Upgrade of the hardware on the MPUs such as memory capacity extendingl Failure of the MPU

Pre-configuration TasksBefore powering off the MPU, complete the following tasks:

l Checking the slot of the MPU to be powered offl Running the display device command to check the status of the MPU

If the MPU is the master MPU, perform the master and slave switchover first.

Data PreparationTo power off the MPU, you need the following data.

No. Data

1 Slot number of the MPU to be powered off

10.2.2 Powering off the Slave MPUWhen the MPU is faulty or you need to routinely maintain the MPU, you can power off theMPU.




Issue 01 (2011-05-30)

Context

WARNINGThe CX device cannot work with a single MPU for a long time. If the single MPU fails, thewhole system breaks down. After powering off the slave MPU, restore the MPU immediately.

Do as follows on the CX device to be configured:

Procedure

Step 1 Run:power off slot slot-id

The slave MPU is powered off.

NOTE

If there is no terminal on the deployment site, you can power off the slave MPU by using the OFL (offline)button. The OFL button is in the upper part of the slave MPU. Press the button for six seconds.

If the OFL indicator is on, it means that the slave MPU is powered off successfully.

----End

10.2.3 Checking the ConfigurationAfter the MPU is powered off, you can run the display device command to check whether theMPU has been powered off.


Procedurel Run:

display device

Check the registration of the SRU/MPU.

----End

ExampleAfter the power-off operation, run the display device command. If the slave SRU/MPU is inthe abnormal state, it means that the operation succeeds. For example:

<HUAWEI> display deviceCX600-X16's Device status:

Slot # Type Online Register Status Primary- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - -

5 LPU Present Registered Normal NA6 LPU Present Registered Normal NA



10-5

9 LPU Present Registered Normal NA 12 LPU Present Registered Normal NA 11 LPU Present Registered Normal NA 16 LPU Present Registered Normal NA 17 MPU Present Unregistered Abnormal Slave18 MPU Present NA Normal Master19 SFU Present Registered Normal NA20 SFU Present Registered Normal NA21 SFU Present Registered Normal NA 22 SFU Present Registered Normal NA23 CLK Present Registered Normal NA24 CLK Present Registered Normal NA25 PWR Present Registered Normal NA26 PWR Present Registered Normal NA27 FAN Present Registered Normal NA28 FAN Present Registered Normal NA

10.3 Powering off the SFUWhen the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

NOTE

SFUs are not supported on the X1 and X2 models of the CX600.

10.3.1 Establishing the Configuration TaskBefore powering off the SFU, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.

10.3.2 Powering off the SFUYou can power off the SFU by using a command or pressing the OFL button.

10.3.3 Checking the ConfigurationAfter the SFU is powered off, you can run the display device command to check whether theSFU has been powered off.

10.3.1 Establishing the Configuration TaskBefore powering off the SFU, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.


During normal operation of the device, four Switch and Fabric Units (SFUs) work in 3+1 loadbalancing mode. Remove the SFUs in the following situations:

l Maintenance of the SFU such as dust removing

l Failure of the SFU and replacement or repair of the SFU


Before powering off the SFU, complete the following tasks:

l Checking the slot of the SFU to be powered off




Issue 01 (2011-05-30)

Data PreparationTo power off the SFU, you need the following data.

No. Data

1 Slot number of the SFU to be powered off

10.3.2 Powering off the SFUYou can power off the SFU by using a command or pressing the OFL button.

ContextDo as follows on the CX device to be configured:

Procedure


The SFU is powered off.

NOTE

SFU is not supported on the X1 and X2 models of the CX600.If there is no terminal on the deployment site, you can power off the slave SFU by using the OFL button.The OFL button is in the upper part of the slave SFU. Press the button for six seconds. If the OFL indicatoris on, it means that powering off the SFU succeeds.

----End

10.3.3 Checking the ConfigurationAfter the SFU is powered off, you can run the display device command to check whether theSFU has been powered off.


Procedure

Step 1 Run:display device

Check the registration of the SFU.

----End

ExampleAfter the power-off operation, run the display device command. If the SFU is in the unregisteredstate, it means that the operation succeeds. For example:



10-7



5 LPU Present Registered Normal NA6 LPU Present Registered Normal NA 9 LPU Present Registered Normal NA 12 LPU Present Registered Normal NA 11 LPU Present Registered Normal NA 16 LPU Present Registered Normal NA 17 MPU Present Registered Normal Slave18 MPU Present NA Normal Master19 SFU Present Unregistered Abnormal NA20 SFU Present Registered Normal NA21 SFU Present Registered Normal NA 22 SFU Present Registered Normal NA23 CLK Present Registered Normal NA24 CLK Present Registered Normal NA25 PWR Present Registered Normal NA26 PWR Present Registered Normal NA27 FAN Present Registered Normal NA28 FAN Present Registered Normal NA

10.4 Powering off the NPUThis section describes how to power off the NPU.

NOTE

NPUs are only supported on the X1 and X2 models of the CX600.


10.4.2 Powering off the NPU




Remove the NPU in the following situations:

l Maintenance of the NPU such as dust removing

l Failure of the NPU and replacement or repair of the NPU


Before powering off the NPU, complete the following tasks:

None.

Data Preparation

To power off the NPU, you need the following data.




Issue 01 (2011-05-30)

No. Data

1 Slot number of the NPU to be powered off

10.4.2 Powering off the NPU


Procedure


The NPU is powered off.

NOTE

If there is no terminal on the deployment site, you can power off the slave NPU by using the OFL button.The OFL button is in the upper part of the slave NPU. Press the button for six seconds. If the OFL indicatoris on, it means that powering off the NPU succeeds.

----End



Procedure

Step 1 Run:display device

Check the registration of the NPU.

----End

ExampleAfter the power-off operation, run the display device command. If the NPU is in the unregisteredstate, it means that the operation succeeds. For example:

<HUAWEI> display deviceCX600-X1's Device status:Slot # Type Online Register Status Primary- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1 NPU Present Unregistered Abnormal NA2 PIC Present Registered Normal NA3 PIC Present Registered Normal NA4 PIC Present Registered Normal NA5 PIC Present Registered Normal NA



10-9

7 MPU Present NA Normal Master8 PWR Present Registered Normal NA10 FAN Present Registered Normal NA12 CLK Present Registered Normal Master

10.5 Powering off the LPUWhen the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.

10.5.1 Establishing the Configuration TaskBefore powering off the LPU, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.

10.5.2 Powering off the LPUYou can power off the LPU by using a command or pressing the OFL button.

10.5.3 Checking the ConfigurationAfter the LPU is powered off, you can run the display device command to check whether theLPU has been powered off.

10.5.1 Establishing the Configuration TaskBefore powering off the LPU, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.


Power off the LPU in the following situations:

l Maintenance of the LPU such as dust removing

l Failure of the LPU and replacement of the LPU


Before powering off the LPU, you need finish the following task:

l prepare a slave LPU.

Data Preparation

To power off the LPU, you need the following data:

No. Data

1 The slot number of the LPU to be powered off

2 A slave LPU whose board type and Physical Interface Card (PIC) type are the sameas those of the LPU to be powered off




Issue 01 (2011-05-30)

10.5.2 Powering off the LPUYou can power off the LPU by using a command or pressing the OFL button.


Procedure


The LPU is powered off.

NOTE

l To power off the sub-cards of the FPICs, Run:power off slot slot-id card card-idcommand.

l If there is no terminal on the deployment site, you can power off the LPU by using the OFL button.The OFL button is in the upper part of the LPU. Press the button for six seconds. If the OFL indicatoris on, it means that powering off the LPU succeeds.

----End

10.5.3 Checking the ConfigurationAfter the LPU is powered off, you can run the display device command to check whether theLPU has been powered off.


Procedurel Run:

display device

Check the registration of the LPU.

----End

ExampleAfter the power-off operation, run the display device command. If the LPU is in the unregisteredstate, it means that the operation succeeds. Take powering off the LPU in slot 5 for example:



5 LPU Present Unregistered Abnormal NA6 LPU Present Registered Normal NA 9 LPU Present Registered Normal NA 12 LPU Present Registered Normal NA 11 LPU Present Registered Normal NA 16 LPU Present Registered Normal NA



10-11

17 MPU Present Registered Normal Slave18 MPU Present NA Normal Master19 SFU Present Registered Normal NA20 SFU Present Registered Normal NA21 SFU Present Registered Normal NA 22 SFU Present Registered Normal NA23 CLK Present Registered Normal NA24 CLK Present Registered Normal NA25 PWR Present Registered Normal NA26 PWR Present Registered Normal NA27 FAN Present Registered Normal NA28 FAN Present Registered Normal NA

10.6 Restoring the Bandwidth of 10GE LAN/WANInterfaces on an NPU to 10 Gbit/s

To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need tobind a valid Global Trotter License (GTL) file to the NPU.

NOTE

NPUs are only supported on the X1 and X2 models of the CX600.

10.6.1 Establishing the Configuration TaskBefore restoring the bandwidth of 10GE LAN/WAN interfaces on the NPU to 10 Gbit/s ,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.

10.6.2 Restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/sTo restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s , you needto bind a valid Global Trotter License (GTL) file to the NPU.

10.6.3 Checking the ConfigurationAfter enabling the 10GE LAN/WAN interface on an NPU, you can check the current PIC cardson the device.

10.6.1 Establishing the Configuration TaskBefore restoring the bandwidth of 10GE LAN/WAN interfaces on the NPU to 10 Gbit/s ,familiarize yourself with the applicable environment, complete the pre-configuration tasks, andobtain the required data. This can help you complete the configuration task quickly andaccurately.

Application EnvironmentBy default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restorethe bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.


Data PreparationTo restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, you need the followingdata.




Issue 01 (2011-05-30)

No. Data

1 GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s

10.6.2 Restoring the bandwidth of 10GE LAN/WAN interfaces onan NPU to 10 Gbit/s

To restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s , you needto bind a valid Global Trotter License (GTL) file to the NPU.

ContextBy default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restorethe bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.

Procedure

Step 1 Run:license active file-name

The GTL file for enabling 10GE LAN/WAN interfaces is activated.



Step 3 Run:slot slot-id

The slot view is displayed.

Step 4 Run:active 10ge-interface

The GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s is boundto the NPU.

NOTE

The active 10ge-interface command takes effect only in the view of the slot where the NPU resides.

After binding the GTL file to the NPU, you are recommended to run the save command to save theconfiguration. Otherwise, you need to bind the GTL file again once the device is restarted.

----End

10.6.3 Checking the ConfigurationAfter enabling the 10GE LAN/WAN interface on an NPU, you can check the current PIC cardson the device.

ContextRun the following command to check the previous configuration.



10-13

Procedure

Step 1 Run the display device pic-status command to view the current PIC cards on the device.

----End

Example

# View the current PIC cards on the device.

<HUAWEI> display device pic-status

Pic-status information in Chassis 1:- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -SLOT PIC Status Type Port_count Init_result Logic down7 0 Registered LAN_WAN_2x10GX_V_CARD 2 SUCCESS SUCCESS7 6 Registered ETH_8xGF_B_CARD 8 SUCCESS SUCCESS- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

10.7 Switching Between the Operation Modes of theLPUF-10

You can run a command to configure the LPUF-10 to work in either FR or ATM mode.

NOTE

LPUF-10 is not supported on the X1 and X2 models of the CX600.

10.7.1 Establishing the Configuration TaskBefore configuring the operation mode of the LPUF-10, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

10.7.2 Switching Between the Operation Modes of the LPUF-10FR and ATM services cannot be configured together on the LPUF-10.

10.7.3 Checking the ConfigurationAfter the operation mode of the LPUF-10 is configured, you can check the configuration.

10.7.1 Establishing the Configuration TaskBefore configuring the operation mode of the LPUF-10, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

Application Environment

When configuring FR or ATM services on the LPUF-10, you need to manually switch theoperation mode of the LPUF-10. An LPUF-10 can operate in either of the following modes:

l support-atm mode

When operating in support-atm mode, the LPUF-10 can support ATM services, instead ofFR services.

l support-fr mode




Issue 01 (2011-05-30)

When operating in support-fr mode, the LPUF-10 can support FR services, instead of ATMservices.

Pre-configuration TasksBefore switching the operation mode of the LPUF-10, complete the following task:

l Identifying the current operation mode of the LPUF-10

Data PreparationTo switch the operation mode of the LPUF-10, you need the following data.

No. Data

1 Slot ID of the LPU and the ID of the subcardwhose operation mode needs to beswitched

10.7.2 Switching Between the Operation Modes of the LPUF-10FR and ATM services cannot be configured together on the LPUF-10.

ContextDo as follows on the CX device:

Procedure



Step 2 Run:slot slot-id

The slot view is displayed.

Step 3 Run:switch lpuf work-mode {support-atm | support-fr}

The operation mode of the LPUF-10 is switched.

----End



10-15


l FR and ATM services are mutually exclusive on an LPUF-10.

l When the board is switched to a slot where FR is configured for a POS interface, the operation modeof the LPUF-10 is automatically switched to support-fr. The FR configuration for the POS interfaceneeds to be deleted if ATM services are required to be configured.

l If the operation mode of the board is not set, the board adopts the support-atm mode by default whenstarting.

10.7.3 Checking the ConfigurationAfter the operation mode of the LPUF-10 is configured, you can check the configuration.

ContextRun the following command to check the previous configuration.

Procedure

Step 1 Run the display work-mode [slot slot-id] command to view the operation mode of the board.

----End

Example# View the current operation mode of the board in slot 1.

<HUAWEI> display work-mode slot 1

CX600-X8's current work-mode on lpuf-10:Slot Type Current-workmode- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1 LPUF-10 SUPPORT-ATM

10.8 Configuring the CMU

10.8.1 Establishing the Configuration TaskBefore Configuring Monitor Items for a CMU, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

10.8.2 Configuring Monitor Items for a CMU

10.8.1 Establishing the Configuration TaskBefore Configuring Monitor Items for a CMU, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

Application EnvironmentIn remote and unattended equipment rooms, CX device providing the environment monitoringfunction can monitor the working environment in real time. Upon receiving an input signal




Issue 01 (2011-05-30)

indicating that a specific environment variable is abnormal, a CX device will generate an alarm.Then, the maintenance personnel can take immediate actions to adjust the environment variable,without having to wait on site for environment monitoring. This effectively reduces equipmentroom maintenance costs for carriers.

The CMU on the AUXQ can be connected to an environment monitoring device. Based on thereceived input signals from the environment monitoring device, the CMU generates an alarmand reports the alarm to the NMS so that the maintenance personnel can be informed of theproblem and come to the site to address the problem.


None.

Data Preparation

None.

10.8.2 Configuring Monitor Items for a CMU

Prerequisite

In remote and unattended equipment rooms, CX device providing the environment monitoringfunction can monitor the working environment in real time. Upon receiving an input signalindicating that a specific environment variable is abnormal, a CX device will generate an alarm.Then, the maintenance personnel can take immediate actions to adjust the environment variable,without having to wait on site for environment monitoring. This effectively reduces equipmentroom maintenance costs for carriers.

The CMU on the AUXQ can be connected to an environment monitoring device. Based on thereceived input signals from the environment monitoring device, the CMU generates an alarmand reports the alarm to the NMS so that the maintenance personnel can be informed of theproblem and come to the site to address the problem.

Procedure



Step 2 Run:cmu-switch switch-id slot slot-id name { voltage | door | humidity | fog | temperature } alarm-mode { 0 | 1 }

Monitor items such as objects to be monitored and an alarm mode are configured for a CMU.

NOTE

A CX device can monitor four types of environment variables at a time. You need to run the cmu-switch command to configure each environment variable that needs to be monitored and the associatedalarm mode.

----End



10-17

10.9 Configuring a Cleaning Cycle for the Air FilterThis section describes the procedure for configuring a cleaning cycle for the air filter.

ContextNOTE

The X1 and X2 models of the CX600 do not have air filter.


10.9.2 Configuring a Cleaning Cycle for the Air Filter

10.9.3 Remonitoring the Cleaning Cycle of the Air Filter



Application EnvironmentYou need to clean the air filter after the air filter has been running for a period of time.


Data PreparationTo configure a cleaning cycle for the air filter, you need the following data.

No. Data

1 Cleaning cycle of the air filter

10.9.2 Configuring a Cleaning Cycle for the Air Filter


Procedure



Step 2 Rundustproof check-timer day days




Issue 01 (2011-05-30)

The cleaning cycle for the air filtered is configured.

NOTE

The air filter is a component without memory. All the monitored information is saved on the MPU, whichmay be inserted, removed, switched, or replaced during usage. Therefore, the monitoring cycle may differfrom the set cycle, but this does not affect the monitoring function.

----End

10.9.3 Remonitoring the Cleaning Cycle of the Air Filter

Context

The system generates an alarm about cleaning the air filter. After ensuring that the air filter iscleaned or does not need to be cleaned, you need to clear the alarm and remonitor the cleaningcycle of the air filter.


Procedure

Step 1 Run:reset dustproof run-time

The alarm is cleared. The cleaning cycle of the air filter is monitored.

----End


Procedure

Step 1 Run:display dustproof

Information about the air filter is displayed.

----End

Example

Run the display dustproof command. You can view information about the cleaning cycle ofthe air filter, the last time when the air filter was cleaned (referring to the time on the CXdevice), how many days the router had been run since the previous cleaning, and how long thealarm about cleaning the air filter exists. For example:

<HUAWEI> display dustproofClean Dustproof-Net cycle : 365(days)Last clean date : 2009/02/07Up to last clean days : 1(day)Clean alarm existence days: 0(day)



10-19

10.10 Monitoring the Device StatusMonitoring the device status facilitates fault location and cause analysis.

10.10.1 Displaying the System Version InformationThe system version information includes the system software version and various hardwareversions.

10.10.2 Displaying Basic Information About the RouterThe basic information includes detailed information about the LPU, MPU, SFU, clock board,power supply, and fan module.

10.10.3 Displaying the Electronic LabelThe electronic label information includes the type of the board/card, bar code, BOM code,English description, production date, supplier name, issuing number, Common LanguageEquipment Identification (CLEI) code, and sales BOM code.

10.10.4 Displaying the Soft Boot ModeBy default, the soft boot mode function is automatically enabled, which shortens the time spenton system restart.

10.10.5 Displaying the Threshold of the Memory UsageBy specifying the slot ID, you can check the memory usage of the MPU or of the LPU.

10.10.6 Displaying the Threshold of CPU UsageBy specifying the slot ID, you can check the CPU usage of the MPU or of the LPU.

10.10.7 Displaying Alarm InformationThe alarm information includes the alarm level, alarm date and time, and alarm description.

10.10.8 Displaying the Board TemperatureThe temperature information includes the temperature status of each board, temperature alarmthresholds of a board, and actual temperature of a board.

10.10.9 Displaying the Board VoltageThe voltage information includes the number of voltage sensors on each board, working voltagesensor of each board, working status of the voltage sensor on each board, and voltage alarmthresholds of each board.

10.10.10 Displaying the Power Supply StatusThe power supply information includes the slot ID of the power supply module, whether thepower supply module is registered, working mode of the power supply module, and cable statusof the power supply module.

10.10.11 Displaying Current Information About Boards

10.10.12 Displaying Entironment Information About the DeviceYou can check environment information about the device that is installed with an environmentmonitoring board.

10.10.13 Displaying the Fan StatusThe fan status information includes the slot ID of the fan module, whether a fan module isregistered, registration status, working status of the fan module, and speed mode of the fanmodule.

10.10.14 Displaying the Sequence Number of the MPUEach MPU has a globally unique equipment serial number (ESN).




Issue 01 (2011-05-30)

10.10.15 Displaying the Next Start Mode of the BoardA board supports two startup modes, namely, fast startup and normal startup.

10.10.16 Displaying the Number of the Registered SFUs By DefaultThe number of actually used SFUs must be greater than the number of SFUs that the systemrequires for registration by default; otherwise, an alarm will be generated.

10.10.1 Displaying the System Version InformationThe system version information includes the system software version and various hardwareversions.

Procedure

Step 1 Run:display version

The system version information is displayed.

In practice, using this command in any view, you can view the system version information. Themain information is as follows:

l System software versionl Hardware and software version of the MPUsl Hardware and software version of the SFUsl Hardware and software version of the LPUs

.l Hardware and software version of the Fan and Black Plane

.

----End

10.10.2 Displaying Basic Information About the RouterThe basic information includes detailed information about the LPU, MPU, SFU, clock board,power supply, and fan module.

Procedure

Step 1 Run:display device [ pic-status | slot-id]

Basic information about the CX device is displayed.

In practice, using this command in any view, you can view the basic device information. Enterslot-id to view information about the board in the specified slot.

l Choose a board in a certain slot. You can view basic information about this board.l Run:

display device pic-statusBasic information about the PIC card of the LPU is displayed.

----End



10-21

10.10.3 Displaying the Electronic LabelThe electronic label information includes the type of the board/card, bar code, BOM code,English description, production date, supplier name, issuing number, Common LanguageEquipment Identification (CLEI) code, and sales BOM code.

Procedure

Step 1 Run:display elabel [ backplane | slot-id ]

The electronic label is displayed.

In practice, using this command in the user view, you can view information about the electroniclabel of the boards. Enter slot-id to view information about the electronic label of the board inthe specified slot.

NOTE

For the range of numbers of the slots on the CX device, refer to the HUAWEI CX600 Metro ServicesPlatform Hardware Description.

Information displayed includes the type of the board and PIC card, bar code, BOM, Englishdescription, production date, supplier name, issuing number, CLEI (Common LanguageEquipment Identification) code, and sales BOM.

NOTE

You can back up the electronic label of the specified board in the following methods:

l Run the backup elabel filename [ backplane | slot-id ] command to back up the electronic label to theCF card on the CX device.

l Run the backup elabel ftp host filename username password [ backplane | slot-id ] command to backup the electronic label to the specified FTP server.

----End

10.10.4 Displaying the Soft Boot ModeBy default, the soft boot mode function is automatically enabled, which shortens the time spenton system restart.

Procedure

Step 1 Run the display system soft-bootmode command, you can view the soft boot mode.

NOTE

By default, the soft boot mode function is automatically enabled, which shortens the time spent on systemstartup during reset. You can run the undo set system soft-bootmode command in the system view todisable the boot function as required.

----End

10.10.5 Displaying the Threshold of the Memory UsageBy specifying the slot ID, you can check the memory usage of the MPU or of the LPU.




Issue 01 (2011-05-30)

Procedure

Step 1 Run:display memory-usage [ slave | slot slot-id ]

The threshold of the memory usage of the main MPU and LPU are displayed.

NOTE

To set the threshold of the memory usage in the main MPU and LPU, you can run the set memory-usagethreshold threshold [ slot slot-id ]command.

----End

10.10.6 Displaying the Threshold of CPU UsageBy specifying the slot ID, you can check the CPU usage of the MPU or of the LPU.

Procedure

Step 1 Run:display cpu-usage entry-number [ offset ] [ verbose ] [ slave | slot slot-id ] [ history ]

The threshold of the CPU usage of the main MPU and LPU are displayed.

Select the following parameters as required when you run this command:

l entry-number: specifies the number of entries to be displayed.l offset: specifies the entry with the offset value before the current entry.l verbose: displays information about each record.l history: displays history records of the CPU usage.

NOTE

To set the threshold of the CPU usage on the main MPU and LPU, you can run the set cpu-usagethreshold threshold-value [ slave slot slot-id ] command, and run the [ slave | slot slot-id ] command candisplay the current configuration of the CPU usage.

----End

10.10.7 Displaying Alarm InformationThe alarm information includes the alarm level, alarm date and time, and alarm description.

Procedure

Step 1 Run:display alarm { slot-id | all }

Information about the alarm is displayed.

In the operation, using this command in any view, you can view current information about thealarm of the CX device. Alarm information includes the following:

l Alarm levell Alarm date and time



10-23

l Alarm description

NOTE

After displaying the alarm of the CX device, you can run the clear alarm index index-id { send-trap |no-trap } command to clear the alarm at the specified index-id.

----End

10.10.8 Displaying the Board TemperatureThe temperature information includes the temperature status of each board, temperature alarmthresholds of a board, and actual temperature of a board.

Procedure

Step 1 Run:display temperature [ lpu | mpu | sfu | slot slot-id ]

The temperature of the specified board is displayed.

NOTE

l Run the display temperature [ lpu slot slot-id [ pic pic-id ] ] command to view the temperature of thespecified subcard in the specified slot.

l Run the display temperature command to view the temperature of each module of all the boards onthe CX device.

In practice, using this command in any view, you can view the current temperature of the CXdevice.The temperature information includes the following:

l Current temperature status of the boardl Threshold to the alarm temperature of the boardl Actual temperature of the board

----End

10.10.9 Displaying the Board VoltageThe voltage information includes the number of voltage sensors on each board, working voltagesensor of each board, working status of the voltage sensor on each board, and voltage alarmthresholds of each board.

Procedure

Step 1 Run:display voltage [ lpu | mpu | sfu | slot slot-id]

The board voltage is displayed.

NOTE

l Run the display voltage [lpu | slot slot-id [pic pic-id]] command to view the voltage of the specifiedsubcard on the specified LPU.

l Run the display voltage command to view the voltage of all the boards on the CX device.

In practice, using this command in any view, you can view the voltage of all the boards. Thevoltage information includes the following:




Issue 01 (2011-05-30)

l Number of the voltage sensorsl Working voltage sensorsl Working status of the voltage sensorsl Alarm field value of the voltagel Actual board voltagel Normal working temperature of the voltage sensors

----End

10.10.10 Displaying the Power Supply StatusThe power supply information includes the slot ID of the power supply module, whether thepower supply module is registered, working mode of the power supply module, and cable statusof the power supply module.

Procedure

Step 1 Run:display power[{environment-info|manufacture-info}slot slot-id|slot[slot-id]]

The power supply status is displayed.

In practice, using this command in any view, you can view the power supply status. The displayedinformation includes the following:

l Slot number of the power supply modulel Presence status of the power supply modulel Operation mode of the power supply modulel Cable status of the power supply module

----End

10.10.11 Displaying Current Information About Boards

ContextDo as follows on the CX device.

Procedure

Step 1 Run:display board-current [ slot slot-id ]

Current information about a specified board is displayed.

----End

10.10.12 Displaying Entironment Information About the DeviceYou can check environment information about the device that is installed with an environmentmonitoring board.



10-25


Procedure

Step 1 Run:display device [ CMU-slotID ]

Entironment information about the device is displayed.

This command is supported only on the CX600-X8 and CX600-X16 on which the entironmentmonitoring board is installed and runs normally.

----End

10.10.13 Displaying the Fan StatusThe fan status information includes the slot ID of the fan module, whether a fan module isregistered, registration status, working status of the fan module, and speed mode of the fanmodule.

Procedure

Step 1 Run:display fan

The fan status is displayed.

In practice, using this command in any view, you can view the fan status. The informationincludes the following:

l Slot number of the fan modulel Presence and registration status of the fan modulel Working status of the fan modulel Fan speed mode of the fan module

----End

10.10.14 Displaying the Sequence Number of the MPUEach MPU has a globally unique equipment serial number (ESN).

Procedure

Step 1 Run:display esn

The sequence number of the MPU is displayed. In the operation, using this command in anyview, you can view the sequence number of the MPU on the CX device.

----End

10.10.15 Displaying the Next Start Mode of the BoardA board supports two startup modes, namely, fast startup and normal startup.




Issue 01 (2011-05-30)

Procedure

Step 1 Run:display bootmode-next

The next start mode of the board is displayed.

In the operation, you can use the command in any view to check the next start mode of eachboard on the CX device, including the MPU, LPU, and SFU. The start modes are as follows:

l The fast start model The normal start mode

----End

10.10.16 Displaying the Number of the Registered SFUs By DefaultThe number of actually used SFUs must be greater than the number of SFUs that the systemrequires for registration by default; otherwise, an alarm will be generated.

ContextNOTE


Procedure



Step 2 Run:display least sfuboard

The number of the registered SFUs that the device requires by default is displayed.

In the operation, if the number of the SFUs that is actually used is smaller than the number ofthe SFUs that the device requires for registration, the trap is generated. Run the leastsfuboardindex-id command to change the number of the SFUs that the device requires forregistration.

----End

10.11 Board MaintenceBoard Maintenance involves resetting a board and clearing the maximum CPU usage.

10.11.1 Resetting a BoardYou need to back up important data before resetting a board.

10.11.2 Clearing the Maximum CPU UsageTo recalculate the maximum CPU usage, you can clear the original statistics.



10-27

10.11.1 Resetting a BoardYou need to back up important data before resetting a board.

ContextIn the case that a board is faulty, you can use the reset slot command to reset the board.

WARNINGBack up important data before resetting the board.


Procedure

Step 1 Run:reset slot slot-id [card card-id]

The board is reset.

NOTE

l If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset withthe CPU being powered on. If a slave MPU exists, this command performs master/slave MPUswitchover.

l If the board is still abnormal after being reset, contact the Huawei technical support personnel.

----End

10.11.2 Clearing the Maximum CPU UsageTo recalculate the maximum CPU usage, you can clear the original statistics.

Context

CAUTIONThe maximum CPU usage cannot be restored after you clear it. So, confirm the action beforeyou use the command.

To clear the maximum CPU usage statistics, run the following reset command in the systemview.

Procedure

Step 1 Run the reset cpu-usage record [ slot slot-id | slave ] command to clear the maximum CPUusage.

----End




Issue 01 (2011-05-30)

10.12 Configuring NAP-based Remote DeploymentUsing NAP, you can remotely log in to devices with empty configurations to implement remotedeployment.

Context

CAUTIONAfter the device with an empty configuration is powered on and started, you must make surethat its interfaces connected to the devices on the current network are Up and support NAP;otherwise, the function of NAP-based remote deployment cannot take effect.

10.12.1 Establishing the Configuration TaskBefore configuring NAP-based remote deployment, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

10.12.2 Configuring and Starting the NAP Master InterfaceYou can assign an IP address to the NAP master interface or use the IP address that isautomatically allocated by the system to start the NAP master interface.

10.12.3 Remote LoginAfter the neighbor relationship is set up, you can log in to the NAP slave device from the NAPmaster device.

10.12.4 Disabling NAP on the Slave DeviceIf the NAP function is no longer required, you need to disable NAP on the slave interface of theslave device.

10.12.5 Checking the ConfigurationAfter configuring NAP-based remote deployment, you can view the NAP status globally or ona specified interface.

10.12.1 Establishing the Configuration TaskBefore configuring NAP-based remote deployment, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.


To deploy devices having empty configurations, you can use NAP to perform remote login tothe devices from a device in the current network. In this manner, you can implement remotedeployment of devices.


Before configuring NAP-based remote deployment, complete the following tasks:



10-29

l Connecting the device having an empty configuration to a device in the current networkvia a single hop by using network cables

l Ensuring that the interfaces connecting the device with an empty configuration and thedevice in the current network are both in the Up state, and support NAP.

Data PreparationNOTE

l If the IP addresses used for establishing NAP connections are to be manually configured, you need toprepare the following data before configuring NAP.

l Conversely, if the IP addresses for establishing NAP connections are to be automatically configured,you can skip this.

To configure NAP-based remote deployment, you need the following data.

No. Data

1 Two primary IP addresses. The two IP addresses are primary IP addresses for themaster interface and the slave interface respectively, and should be on the samenetwork segment.

2 Two secondary IP addresses. The two IP addresses are secondary IP addresses forthe master interface and the slave interface respectively, and should be on the samenetwork segment.

10.12.2 Configuring and Starting the NAP Master InterfaceYou can assign an IP address to the NAP master interface or use the IP address that isautomatically allocated by the system to start the NAP master interface.

Context

CAUTIONIf commands affecting the IP address configuration or IP packet forwarding (such asconfigurations and commands related to the VPN, Eth-Trunk, IP-Tunk, or Layer 2 interface)exist on device of the master interface, NAP enabled on the master interface becomesunavailable. You are recommended to delete these commands and re-enable NAP.

Do as follows on the CX device to configure and start the NAP master interface.

In NAP, IP addresses can be allocated either automatically or manually.

Procedurel Automatic allocation of IP addresses

1. Run:system-view




Issue 01 (2011-05-30)




nap port master

The NAP Master interface is configured and started.l Manual IP address allocation

Two methods are available for manually allocating IP addresses. You can choose themethod according to actual needs.You can specify the NAP IP address pool. Then, IP addresses are automatically allocatedto the IP address pool. To use this method, do as follows.1. Run:

system-view


nap ip-pool ip-address mask-length

An IP address pool is configured for NAP.

The default IP address pool for establishing NAP connections is 10.167.253.0/24. Youcan run the nap ip-pool ip-address mask-length command to change the IP addresspool.

NOTE

After NAP is started on the master device, the IP address pool cannot be changed.

3. Run:interface interface-type interface-number


nap port master

The NAP Master interface is configured and started.You can also specify the NAP IP addresses. To use this method, do as follows.1. Run:

system-view




nap port master

The NAP master interface is configured and started.4. Run:

nap local-ip mast-inter-mast-ip sub-ip mast-inter-sub-ip peer-ip sub-inter-mast-ip sub-ip sub-inter-sub-ip mask-length



10-31

IP addresses are configured for establishing NAP connections.

The default IP address pool for establishing NAP connections is 10.167.253.0/24.

When configuring IP addresses, ensure that the primary IP addresses of both the masterand the slave interfaces are on the same network segment, and that the secondary IPaddresses of both the master and the slave interfaces are on the same network segment.

----End

10.12.3 Remote LoginAfter the neighbor relationship is set up, you can log in to the NAP slave device from the NAPmaster device.

ContextUsing the display nap interface command, you can view the NAP status of an interface toensure that the interface is assigned a correct IP address.

Do as follows on the CX device where the NAP master interface is configured.


system-view




Step 3 Run:nap login neighbor

The login to the slave device from the master device is performed.

l If the slave device has an empty configuration, you can log in to the slave device from themaster device without a user name and a password.

l If, however, the slave device is configured with user name(s) and password(s), you mustenter the correct user name and password to perform a NAP-based remote login to the slavedevice.NOTETo ensure security for NAP, the slave device having an empty configuration checks the source address ofthe Telnet login. If the Telnet source address is the NAP address of the master device that is telnetting tothe slave device, the slave device allows the master device to directly log in without being authenticated.This is because by default, the user level of the remote login based on the NAP address is the same as thelogin through the console interface, which enjoys the highest user level. If the Telnet source address is notthe NAP address of the master device, the remote login fails.

----End

10.12.4 Disabling NAP on the Slave DeviceIf the NAP function is no longer required, you need to disable NAP on the slave interface of theslave device.




Issue 01 (2011-05-30)

ContextThe master device has logged in to the slave device through Telnet. The NAP function is nolonger required, and to ensure security of the network, NAP should be globally disabled on theslave interface of the slave device.

Do as follows on the CX device that is configured as the NAP slave device.

Procedure



Step 2 Run:undo nap slave enable

NAP is disabled on the slave device.

----End

10.12.5 Checking the ConfigurationAfter configuring NAP-based remote deployment, you can view the NAP status globally or ona specified interface.

PrerequisiteNAP-based remote deployment has been completed.

Procedure

Step 1 Using the display nap status command, you can view the current NAP status.

Step 2 Using the display nap interface [ interface-type interface-number ] command, you can viewthe NAP status of the specified interface.

----End

ExampleRun the display nap status command to view the current NAP status.

<HUAWEI> display nap status Slave port status : Enable Nap ip-pool/Mask : 12.12.12.0/24

Run the display nap interface interface-type interface-number command to view the NAP statusof the specified interface.

<HUAWEI> display nap interface gigabitethernet1/0/1l If the interface is not assigned an IP address, the following information is displayed.

------------------------------------------------------ NAP master port list: Port count : 2------------------------------------------------------ Port property : Master Current status : DETECTING



10-33

Local port : GigabitEthernet1/0/1 Peer port : GigabitEthernet1/0/1 Local primary ip : NULL Peer primary ip : NULL Local secondary ip : NULL Peer secondary ip : NULL Hello time : 3s Linked time : 00:00:00------------------------------------------------------ Port property : Master Current status : DETECTING Local port : GigabitEthernet1/0/2 Peer port : GigabitEthernet1/0/2 Local primary ip : NULL Peer primary ip : NULL Local secondary ip : NULL Peer secondary ip : NULL Hello time : 3s Linked time : 00:00:00------------------------------------------------------

l If the interface is assigned an IP address, the following information is displayed.------------------------------------------------------ NAP master port list : Port count : 2------------------------------------------------------ Port property : Master Current status : IP-ASSIGNED Local port : GigabitEthernet1/0/1 Peer port : GigabitEthernet1/0/1 Local primary ip : 12.12.12.5 Peer primary ip : 12.12.12.6 Local secondary ip : 12.12.12.9 Peer secondary ip : 12.12.12.10 Hello time : 3s Linked time : 00:09:12------------------------------------------------------ Port property : Master Current status : IP-ASSIGNED Local port : GigabitEthernet1/0/2 Peer port : GigabitEthernet1/0/2 Local primary ip : 10.10.10.5 Peer primary ip : 10.10.10.6 Local secondary ip : 10.10.10.9 Peer secondary ip : 10.10.10.10 Hello time : 3s Linked time : 00:03:41------------------------------------------------------

10.13 Configuration Examples of the Device MaintenanceThis section provides examples for powering off different types of boards to describe commondevice maintenance operations.


This document takes interface numbers and link types of the CX600-X8 as an example. In workingsituations, the actual interface numbers and link types may be different from those used in this document.

10.13.1 Example for Powering off the MPUOn a dual-MPU router, if the master MPU malfunctions or you need to routinely maintain themaster MPU, you can power off the master MPU after performing the master/slave switchover.

10.13.2 Example for Powering off the SFU




Issue 01 (2011-05-30)

When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

10.13.3 Example for Powering off the LPUWhen the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.

10.13.4 Example for Configuring the Operation Mode of the LPUF-10You can set the working mode of the LPUF-10 to enable the LPUF-10 to support ATM or FRservices.

10.13.5 Example for Configuring NAP-based Remote Deployment in Automatic ModeIn this example, the temporary neighbor relationship is set up between a CX device and anotherCX device that has the empty configuration to implement remote deployment in automatic mode.

10.13.6 Example for Configuring NAP-based Remote Deployment in Static ModeIn this example, the temporary neighbor relationship is set up between the CX device and thedevice with the empty configuration and IP addresses are assigned to the CX device and thedevice to implement remote deployment in manual mode.

10.13.1 Example for Powering off the MPUOn a dual-MPU router, if the master MPU malfunctions or you need to routinely maintain themaster MPU, you can power off the master MPU after performing the master/slave switchover.

Networking RequirementsAfter checking the alarm information, you find that the hardware on the master MPU fails. Then,check the hardware by powering off the master MPU.


1. Switch the master MPU to the slave MPU through the master and slave switchover.2. Power off the slave MPU


l Slot number of the master MPUl In this example, the slot number of the master MPU is.17

Procedure

Step 1 Perform the master and slave switchover on the CX device.<HUAWEI> system-view [HUAWEI] slave switchover enable

Before performing the master and slave switchover, make sure that the user interfaces such asAUX, console, and VTY are connected to the two MPUs. Otherwise, the users that use theinterfaces connected with the former master MPU automatically quit the login after the masterand slave switchover.

[HUAWEI] slave switchoverCaution!!! Confirm switch slave to master[Y/N]?ySwitching......................................................................



10-35

......

Step 2 Power off the MPU in slot 17.<HUAWEI> power off slot 17Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y


# Check the registration status of the MPU. You can view that the MPU in slot 17 is in theunregistered and abnormal state. It means that powering off the MPU succeeds.



5 LPU Present Registered Normal NA6 LPU Present Registered Normal NA 9 LPU Present Registered Normal NA 12 LPU Present Registered Normal NA 11 LPU Present Registered Normal NA 16 LPU Present Registered Normal NA 17 MPU Present Unregistered Abnormal Slave18 MPU Present NA Normal Master19 SFU Present Registered Normal NA20 SFU Present Registered Normal NA21 SFU Present Registered Normal NA 22 SFU Present Registered Normal NA23 CLK Present Registered Normal NA24 CLK Present Registered Normal NA25 PWR Present Registered Normal NA26 PWR Present Registered Normal NA27 FAN Present Registered Normal NA28 FAN Present Registered Normal NA

----End

Configuration Files

None

10.13.2 Example for Powering off the SFUWhen the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

Networking RequirementsNOTE


You need to power off the SFUs before dust removing.



l Power off the SFU.




Issue 01 (2011-05-30)

Data Preparation


Slot number of the current SFU In this example, the slot number of the SFU is 19.

Procedure

Step 1 Power off the SFU in slot 19<HUAWEI> power off slot 19Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y


# Check the registration status of the SRU in slot 19. You can view that the SRU is in theunregistered and abnormal state. It means that powering off the SRU succeeds.



5 LPU Present Registered Normal NA6 LPU Present Registered Normal NA 9 LPU Present Registered Normal NA 12 LPU Present Registered Normal NA 11 LPU Present Registered Normal NA 16 LPU Present Registered Normal NA 17 MPU Present Registered Normal Slave18 MPU Present NA Normal Master19 SFU Present Unregistered Abnormal NA20 SFU Present Registered Normal NA21 SFU Present Registered Normal NA 22 SFU Present Registered Normal NA23 CLK Present Registered Normal NA24 CLK Present Registered Normal NA25 PWR Present Registered Normal NA26 PWR Present Registered Normal NA27 FAN Present Registered Normal NA28 FAN Present Registered Normal NA

----End

Configuration Files

None

10.13.3 Example for Powering off the LPUWhen the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.

Networking RequirementsNOTE

LPUs are not supported on the X1 and X2 models of the CX600.

None



10-37



Replace the failed LPU.

Data Preparation


l Slot number of the LPU that needs replacement

In this example, the slot number of the LPU is 5.

l Service part whose PIC card type and board type are the same as that of the LPU to bereplaced

Procedure

Step 1 Power off the LPU in slot 5.<HUAWEI> power off slot 5Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y


# Check the registration status of the LPU in slot 51. You can view that the LPU is in theunregistered and abnormal state. It means that powering off the LPU succeeds.



5 LPU Present Unregistered Abnormal NA6 LPU Present Registered Normal NA 9 LPU Present Registered Normal NA 12 LPU Present Registered Normal NA 11 LPU Present Registered Normal NA 16 LPU Present Registered Normal NA 17 MPU Present Registered Normal Slave18 MPU Present NA Normal Master19 SFU Present Registered Normal NA20 SFU Present Registered Normal NA21 SFU Present Registered Normal NA 22 SFU Present Registered Normal NA23 CLK Present Registered Normal NA24 CLK Present Registered Normal NA25 PWR Present Registered Normal NA26 PWR Present Registered Normal NA27 FAN Present Registered Normal NA28 FAN Present Registered Normal NA

----End

Configuration Files

None




Issue 01 (2011-05-30)

10.13.4 Example for Configuring the Operation Mode of theLPUF-10

You can set the working mode of the LPUF-10 to enable the LPUF-10 to support ATM or FRservices.

NOTE

LPUF-10 is not supported on the X1 and X2 models of the CX600.


It is required that the FR service be configured for the POS interface on the LPUF-10. If theLPUF-10 operates in support-atm mode, you need to switch the operation mode to support-fr.



1. Check the current operation mode of the LPUF-10.2. Switch the operation mode of the LPUF-10.

Data Preparation


l Slot number of the LPUF-10, that is, slot 1 in this example

Configuration Procedure1. Check the operation mode of the LPUF-10 in slot 1. You can find that the LPUF-10 operates

in support-atm mode.<HUAWEI> display work-mode slot 1

CX600-X8's current work-mode on lpuf-10:Slot Type Current-workmode- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1 LPUF-10 SUPPORT-ATM

2. Switch the operation mode of the LPUF-10 to support-fr.<HUAWEI> system-view [HUAWEI] slot 1[HUAWEI-slot-1] switch lpuf work-mode support-fr

Warning: After this operation, ATM cards on this board will be powered off.Are you sure to switch[Y/N]?yNow begin to switch the working mode. Please wait.......................Info: The switch is successful and the current working mode on slot1 is SUPPORT-FR.

3. Verify the configuration.<HUAWEI> display work-mode slot 1

CX600-X8's current work-mode on lpuf-10:Slot Type Current-workmode- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1 LPUF-10 SUPPORT-FR

You can find that the LPUF-10 in slot 1 operates in support-fr mode.



10-39


10.13.5 Example for Configuring NAP-based Remote Deploymentin Automatic Mode

In this example, the temporary neighbor relationship is set up between a CX device and anotherCX device that has the empty configuration to implement remote deployment in automatic mode.

Networking RequirementsAs shown in Figure 10-1, the user needs to perform a remote login to CX- B from CX- A.CX- B is the master device, and temporary neighbor relationship is to be set up between CX- Band CX- C having an empty configuration. CX- B and CX- C need to be directly connected viaa single hop. Both the interfaces connecting CX- B and CX- C should be in the Up state, andshould support NAP.

Figure 10-1 Networking diagram of configuring NAP-based remote deployment

Network

CX-APC CX-B CX-C


1. Configure a primary IP address and a secondary IP address on CX- B.2. Configure the NAP master interface on CX- B.3. Telnet to CX- C from CX- B by means of NAP.

Data PreparationNone

Procedure

Step 1 Configuring the NAP master interface

# Do as follows on CX- B.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface gigabitethernet1/0/1[CX-B-GigabitEthernet1/0/1] undo shutdown[CX-B-GigabitEthernet1/0/1] nap port master

Step 2 Logging in to the slave device from the master device.




Issue 01 (2011-05-30)

# Do as follows on CX- B.

[CX-B-GigabitEthernet1/0/1] nap login neighborTrying 10.167.253.10 ...Press CTRL+K to abortConnected to 10.167.253.10 ...

Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.<HUAWEI>

Step 3 Shutting down NAP on the slave device.

# Do as follows on CX- C.

<HUAWEI> system-view[HUAWEI] sysname CX-C[CX-C] undo nap slave enable

----End

Configuration Files

None

10.13.6 Example for Configuring NAP-based Remote Deploymentin Static Mode

In this example, the temporary neighbor relationship is set up between the CX device and thedevice with the empty configuration and IP addresses are assigned to the CX device and thedevice to implement remote deployment in manual mode.


As shown in Figure 10-2, the user needs to perform a remote login to CX- B from CX- A.CX- B is the master device, and temporary neighbor relationship is to be set up between CX- Band CX- C having an empty configuration. CX- B and CX- C need to be directly connected viaa single hop. Both the interfaces connecting CX- B and CX- C should be in the Up state, andshould support NAP.

Figure 10-2 Networking diagram of configuring NAP-based remote deployment

Network

CX-APC CX-B CX-C



1. Configure a NAP master interface on CX- B.



10-41

2. Configure an IP address for establishing a NAP connection on CX- B.3. Use NAP to log in to CX- C from CX- B by means of Telnet.


l Two primary IP addresses. The two IP addresses are primary IP addresses for the masterinterface and the slave interface respectively, and should be on the same network segment.

l Two secondary IP addresses. The two IP addresses are secondary IP addresses for themaster interface and the slave interface respectively, and should be on the same networksegment.

Procedure

Step 1 Configure a NAP master interface on CX- B<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface gigabitethernet1/0/1[CX-B-GigabitEthernet1/0/1] nap port master

Step 2 Configure an IP address for establishing a NAP connection on CX- B[CX-B-GigabitEthernet1/0/1] nap local-ip 12.12.12.5 sub-ip 12.12.12.9 peer-ip 12.12.12.6 sub-ip 12.12.12.10 30Are you sure to continue?[Y/N] y

# After the preceding configuration is complete, run the display nap status command on CX-B. You can view that NAP has been enabled on CX- B. Then, run the display nap interfacecommand. You can view that the primary and secondary IP addresses have been assigned to themaster and slave interfaces. For example:

[CX-B-GigabitEthernet1/0/1] display nap statusSlave port status : Enable Nap ip-pool/Mask : 10.167.253.0/24[CX-B-GigabitEthernet1/0/1] display nap interface------------------------------------------------------ NAP master port list Port count : 1------------------------------------------------------ Port property : Master Current status : IP-ASSIGNED Local port : GigabitEthernet1/0/1 Peer port : GigabitEthernet1/0/1 Local primary ip : 12.12.12.5 Peer primary ip : 12.12.12.6 Local secondary ip : 12.12.12.9 Peer secondary ip : 12.12.12.10 Hello time : 3s Linked time : 00:02:33------------------------------------------------------

Step 3 Log in to the slave device from the master device.

# Configure CX- B.

[CX-B-GigabitEthernet1/0/1] nap login neighborTrying 12.12.12.10 ...Press CTRL+K to abortConnected to 12.12.12.10 ...

Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.




Issue 01 (2011-05-30)

Step 4 Disable NAP on the slave device.

# Configure CX- C.

<HUAWEI> system-view[HUAWEI] sysname CX-C[CX-C] undo nap slave enable

----End

Configuration FilesNone



10-43

11 Device Upgrading

About This Chapter

When you need to add new features, optimize existing features, or solve problems in the currentversion, you can upgrade the device.

11.1 Overview of Device Upgrade

11.2 Upgrade Modes Supported by the CX600

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 11 Device Upgrading


11-1

11.1 Overview of Device Upgrade

A device is upgraded when new features need to be added, existing performance needs to beoptimized, and existing problems in the current version need to be solved.

Application Scenario of Device UpgradeTo perform the following actions, you need to upgrade the CX600:

l Adding new featuresl Optimizing the existing performancel Solving existing problems in the current version

NoteBefore upgrading the CX600, pay attention to the following items:

l When upgrading the CX600 at the site, prepare a spare part for each board.l Obtain the new system software, the Product Adaptive File (PAF) or license file, and the

corresponding documents of the new version from Huawei.l Back up configuration files, and collect and save service configurations.l Enable the log function to record all the operations during the upgrade process.l Check software versions of all modules on each board, including versions of the BootROM,

Firmware, and MonitorBus.

11.2 Upgrade Modes Supported by the CX600

At present, the CX600 can be upgraded by using the command line, mobile storage device, orBootROM.

Upgrade by Using the Command LineThis mode is applicable for the following situations. For operation details, refer to the "CX600V600R003C00 Version Upgrade Instructions" of the corresponding system software version.

l The CX600 works properly and uses FTP/TFTP for the upgrade. Other devices can performremote login to the CX600.

l The CX600 is upgraded for the first time and has been loaded with the system softwarepackage. Other devices can log in to the CX600 through the serial interface to configurethe IP address or perform remote login to the CX600 through NAP.

Upgrade by Using a Mobile Storage Device ( CF card or USB )Upgrading the CX600 by using the CF card or USB is mainly used during the engineering stageor troubleshooting process. Before the upgrade, prepare two CF cards or two USBs.

In this mode, the CX600 is upgraded by replacing the CF card on the master and slave MPU/SRU with CF cards containing the system software package or inserting a USB to any USB

11 Device UpgradingHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

interface on the MPU/SRU. For operation details, refer to the "Version Upgrade Instructions"of the corresponding system software version.

Upgrade by Using BootROMThis mode is applicable for the following situations. For operation details, refer to the "CX600V600R003C00 Version Upgrade Instructions" of the corresponding system software version:

l The CX600 is upgraded for the first time, but the system software package of the CX600does not exist or is incorrect.

l After the CX600 is upgraded and restarted, both the master and slave MPUs/SRUs cannotbe registered.

l After the CX600 is upgraded, the master MPU/SRU can be registered but the slave MPUs/SRUs cannot be registered.

l The MPU/SRU is replaced.l Other devices cannot log in to the CX600 through Telnet.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 11 Device Upgrading


11-3

12 Patch Management

About This Chapter

Patch management includes checking the running patch, loading patch files, and installingpatches.

12.1 Introduction of Patch ManagementThis section describes the basics of the patch.

12.2 Checking the Running of Patch in the SystemThe system allows only one patch to run. Therefore, confirm that no patch is running beforeloading a new patch.

12.3 Loading a PatchPatches can be loaded through FTP, TFTP, or XModem.

12.4 Installing a PatchTo repair the system that has vulnerabilities or defects, you can install a patch on the system.By installing a patch, you can upgrade the system without upgrading the system software.

12.5 (Optional) Unactivating the activating of PatchIf an installed patch does not take effect, you need to deactivate the patch.

12.6 Configuration Examples of the Patch ManagementThis section describes some Configuration Examples.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations 12 Patch Management


12-1

12.1 Introduction of Patch ManagementThis section describes the basics of the patch.

12.1.1 Overview of Patch ManagementYou can install patches to improve system functions.

12.1.2 Patches Supported by the CX600The CX600 allows patches to be loaded to the system or a certain board.

12.1.1 Overview of Patch ManagementYou can install patches to improve system functions.

Patch OverviewDuring the operation of the device, you need to revise the system software sometimes such asremove the system defects or add new functions for service requirements. We used to upgradethe software after shutting down the system. This static upgrade affects the service on the deviceand does not improve the communication. If we load a patch to the system software, we canupgrade it online without interrupting the operation of the device. This dynamic upgrade doesnot affect the service and can improve the communication.

Patch AreaIn the memory of the Main Processing Unit (MPU) and Line Processing Unit (LPU), a certainspace is reserved to save the patch. This space is called patch area.

To install the patch, save the patch to the patch area in advance in the memory of the board.

The patch saved in the patch area is numbered uniquely. Up to 200 patches can be saved to thepatch area in the memory of the MPU or LPU.

Patch StatesPatch status can be idle, deactive, active, and running. For details, seeTable 12-1,

Table 12-1 Patch states

State Description States Conversion

No patch(idle)

The patch file is saved to the CFcard but not loaded to the patcharea in the memory.

When the patch is loaded to the patcharea, the patch status is set to deactive.

deactive The patch is loaded to the patcharea but disabled.

The patch in the deactive state can be asfollows:l Uninstalled, that is, deleted from the

patch area.l Enabled temporarily and turns to the

active state.

12 Patch ManagementHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

State Description States Conversion

active The patch is loaded to the patcharea and enabled temporarily.If the board is reset, the activepatch on that board turns to thedeactive state.

The patch in the active state can be asfollows:l Uninstalled, that is, deleted from the

patch area.l Enabled temporarily and turned into

the active state.l Enabled permanently, and turns to

the running state.

running The patch is loaded to the patcharea and enabled permanently.If the board is reset, the patch onthe board keeps in the runningstate.

The patch in the running state can beuninstalled and deleted from the patcharea.

Figure 12-1shows the conversion between patch states.

Figure 12-1 Conversion between the statuses of a patch

DeactivatedNo patch

Running Activated

Delete patchDelete patch

Run patch

Deactive patch Active patch

Delete patch

Load patch

12.1.2 Patches Supported by the CX600The CX600 allows patches to be loaded to the system or a certain board.



12-3

Patch Functions

Installing patches can improve system functions or fix bugs. By installing a patch, you canupgrade the system without upgrading the system software.

In some special scenarios, you can install patches specific to an MPU or LPU to optimize boardfunctions.

Logic Relationships Between Configuration Tasks

Figure 12-2Shows the logic relationships between the configuration tasks.

Figure 12-2 Logical relationships between configuration tasks

Run VRP

Normally run

End

Resort totechnical

support fornew patch

Enable patchtemporarily Bug removed Disable patch

Unload patch

No

Yes

No

Yes

12.2 Checking the Running of Patch in the SystemThe system allows only one patch to run. Therefore, confirm that no patch is running beforeloading a new patch.

12.2.1 Establishing the Configuration TaskBefore checking the running patch, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

12.2.2 Checking the Running of Patch in the SystemBy running the display patch-information command, you can view information about therunning patch units, activated patch units, and deactivated patch units.

12.2.3 (Optional) Deleting a PatchThe system allows only one patch to run. If there is a running patch, you need to delete it beforeloading a new patch.




Issue 01 (2011-05-30)

12.2.1 Establishing the Configuration TaskBefore checking the running patch, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentAt a certain time, the system allows the running of only one patch. Therefore, you need to confirmno patch is running in the current system before installing a patch. If a patch runs, delete thepatch before installing the new patch.

Pre-configuration TasksBefore checking the running of patch in the system, complete the following tasks:

l Ensuring that the CX device is started normally after power-onl Ensuring that the CX device can be logged in to


12.2.2 Checking the Running of Patch in the SystemBy running the display patch-information command, you can view information about therunning patch units, activated patch units, and deactivated patch units.

ContextDo as follows on the CX device to be upgraded:


display patch-information

All the information about the current patch is displayed, including information about the patchunits that are running, the patch units that are activated, and the patch units that are deactivated.

----End

Example<PE> display patch-informationInfo: No patch exists.

This indicates that no patch runs in the current system.

NOTEIf there are patches running, you must delete them before loading new patches.

12.2.3 (Optional) Deleting a PatchThe system allows only one patch to run. If there is a running patch, you need to delete it beforeloading a new patch.



12-5

ContextBefore installing a patch, you need to delete the running patch.

Do as follows on the CX device to be upgraded.

Procedure

Step 1 Run:patch delete allThe running patch is deleted.

----End

12.3 Loading a PatchPatches can be loaded through FTP, TFTP, or XModem.

12.3.1 Establishing the Configuration TaskBefore loading a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configurationtask quickly and accurately.

12.3.2 Loading a PatchOn a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.

12.3.3 Checking the ConfigurationAfter a patch is loaded, you can check patch information.

12.3.1 Establishing the Configuration TaskBefore loading a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configurationtask quickly and accurately.

Applicable EnvironmentBefore a patch is installed, it should be uploaded to the root directory of the CF card of the masterand slave MPUs. Upload the patch to the root directory of the CF card of the master MPU. Then,copy the patch to the root directory of the CF card of the slave MPU.

The three methods to upload a patch are FTP, TFTP and XModem.

Pre-configuration TasksBefore loading a patch, complete the following tasks:

l Ensuring that the CX device is started normally after power-onl Ensuring that the CX device can be logged in to

Data PreparationBefore running a patch, you need to obtain a patch that is consistent with the board.




Issue 01 (2011-05-30)

No. Data

1 Uploading a Patch to the Root Directory of the CF Card of the Master MPU

2 Copying a Patch to the Root Directory of the CF Card of the Slave MPU

12.3.2 Loading a PatchOn a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.


Procedure

Step 1 Upload a patch to the root directory of the CF card of the master MPU.

The CX device supports the uploading of files through FTP, TFTP and XModem, for moreinfirmation ,please see: "FTP, TFTP and XModem". Choose an uploading method based on therequirements.

Step 2 Run:copy source-filename slave#cfcard:/destination-filename

The patch is copied to the root directory of the CF card of the slave MPU.

Step 3 Run:startup patch file-name

The patch package is specified for the master MPU on the next startup.

Step 4 Run:startup patch file-name slave-board

The patch package is specified for the slave MPU on the next startup.

----End

12.3.3 Checking the ConfigurationAfter a patch is loaded, you can check patch information.


Procedurel Run:

dir cfcard:/

Check the files on the MPU.



12-7

l Run:dir slave#cfcard:/

Check the files on the slave MPU.

l Run:display startup

Check the patch file used in the next system startup.

----End

Example

After uploading the files, run the commands of dir cfcard:/ and dir slave#cfcard:/. Thepatch.pat file is contained in the files on the CF card.

For example, check the files on the CF card of the master MPU:

<HUAWEI> dir cfcard:/Directory of cfcard:/

Idx Attr Size(Byte) Date Time FileName0 -rw- 64 Nov 15 2006 13:07:44 patchnpstate.dat1 -rw- 418 Jul 26 2007 19:52:14 vrpcfg.zip2 -rw- 38017 Aug 01 2007 11:02:00 paf.txt3 -rw- 2292 Aug 21 2006 15:35:50 vrp.zip4 -rw- 7041 Aug 02 2007 11:02:00 license.txt5 -rw- 117013076 Jul 13 2007 10:40:44 V600R003C00.cc6 -rw- 134213212 Nov 18 2007 05:30:11 V600R003C00.cc7 -rw- 4041 Nov 02 2007 11:04:00 patch.pat500192 KB total (347760 KB free)

For example, check the files on the CF card of the slave MPU:

<HUAWEI> dir slave#cfcard:/Directory of slave#cfcard:/

Idx Attr Size(Byte) Date Time FileName0 -rw- 64 Nov 15 2006 13:07:44 patchnpstate.dat1 -rw- 418 Jul 26 2007 19:52:14 vrpcfg.zip2 -rw- 38017 Aug 01 2007 11:02:00 paf.txt3 -rw- 2292 Aug 21 2006 15:35:50 vrp.zip4 -rw- 7041 Aug 02 2007 11:02:00 license.txt5 -rw- 117013076 Jul 13 2007 10:40:44 V600R003C00.cc6 -rw- 134213212 Nov 18 2007 05:30:11 V600R003C00.cc7 -rw- 4041 Nov 02 2007 11:04:00 patch.pat500192 KB total (343160 KB free)

For example, check the patch file used in the next system startup.

<HUAWEI>display startup

MainBoard: Configed startup system software: cfcard:/V600R003C00.cc Startup system software: cfcard:/V600R003C00.cc Next startup system software: cfcard:/V600R003C00.cc Startup saved-configuration file: cfcard:/current_cfg.cfg Next startup saved-configuration file: cfcard:/current_cfg.cfg Startup paf file: cfcard:/paf-V600R003C00.txt Next startup paf file: cfcard:/paf-V600R003C00.txt Startup license file: cfcard:/license-V600R003C00.txt Next startup license file: cfcard:/license-V600R003C00.txt Startup patch package: Null Next startup patch package: cfcard:/patch.pat




Issue 01 (2011-05-30)

12.4 Installing a PatchTo repair the system that has vulnerabilities or defects, you can install a patch on the system.By installing a patch, you can upgrade the system without upgrading the system software.

12.4.1 Establishing the Configuration TaskBefore installing a patch on the system, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

12.4.2 Loading a PatchA patch can be successfully loaded only when the patch version matches the system softwareversion.

12.4.3 Activating a PatchA patch can be activated only when it is correctly loaded and is in the deactivated state.

12.4.4 Running a PatchA patch can be run only after it is activated. Running a patch means that the patch is activatedpermanently.

12.4.5 (Optional) Synchronizing PatchesAfter patches on the active and standby MPUs are synchronized, the patches on the active andstandby MPUs are the same.

12.4.6 Checking the ConfigurationAfter a patch is installed on the system, you can check the patch status and the patch for the nextstartup.

12.4.1 Establishing the Configuration TaskBefore installing a patch on the system, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.


CAUTIONWhen installing a patch, it is recommended to specify all to install the patch for all boards atone time rather than specify slot to install the patch for boards one by one. In some specialscenarios, you must specify slot to install a patch for the master and slave MPUs, and then forall LPUs one by one.

Installing patches can fix system vulnerabilities or correct system defects. By installing a patch,you can upgrade the system without upgrading the system software.

When a patch is uploaded, the system checks that the patch version is the same as the systemversion. If the two versions are not the same, the system prompts that the patch uploading fails.



12-9


Before installing a patch, upload the patch to the root directory of the CF card of the master andslave MPUs.

Data Preparation

None

12.4.2 Loading a PatchA patch can be successfully loaded only when the patch version matches the system softwareversion.


Procedure

Step 1 Run:patch load file-name all

The patch is loaded.

----End

Follow-up Procedure

When a patch is loaded, the system checks that the patch version is the same as the systemversion. If the two versions are not the same, the system prompts that the patch loading fails.

When the patch is loaded successfully, it's status is Deactive and keeps Deactive after the boardis reset.

12.4.3 Activating a PatchA patch can be activated only when it is correctly loaded and is in the deactivated state.


Procedure

Step 1 Run:patch active all

The patch is activated.

----End




Issue 01 (2011-05-30)

Follow-up ProcedureA patch can be activated only when it is correctly loaded and is in the deactivated state. Whena patch is activated, it becomes valid immediately. After the board is reset, however, the statusof the patch becomes Deactive , and the patch does not remain valid.

12.4.4 Running a PatchA patch can be run only after it is activated. Running a patch means that the patch is activatedpermanently.

ContextDo as follows on the CX device be upgraded:

Procedure

Step 1 Run:patch run all

The patch is run.

----End

Follow-up ProcedureA patch can be run only after it is activated. Running a patch means that the patch is activatedpermanently and the patch remains valid after the board is reset. The status of the patch keepsRunning.

12.4.5 (Optional) Synchronizing PatchesAfter patches on the active and standby MPUs are synchronized, the patches on the active andstandby MPUs are the same.

Context


Procedure

Step 1 Enter the user view.

Step 2 Run:patch configuration-synchronize

The patch is synchronized to the standby MPU.

After patch configurations and patch files are synchronized from the active MPU to the standbyMPU, the patch files, patch configurations, and patch status can remain unchanged if the active-standby MPU switchover occurs.

----End



12-11

12.4.6 Checking the ConfigurationAfter a patch is installed on the system, you can check the patch status and the patch for the nextstartup.

Procedurel Run:


Check the patch state.

----End

ExampleAfter the patch is loaded, run the display patch-information command. The results are asfollows:<HUAWEI> display patch-information

Service pack Version:V600R003C00SPH001Pack file name cfcard:/patch.pat

----------The patch information of slot 3---------- This slot does not need patch



----------The patch information of slot 33---------- Total Patch Unit : 1Running Patch Unit : Active Patch Unit : Deactive Patch Unit : 1 - 1

----------The patch information of slot 34---------- Total Patch Unit : 1Running Patch Unit : Active Patch Unit : Deactive Patch Unit : 1 - 1<HUAWEI>display patch-information configure-file

Codes: M(Max patch ID in the board)------------------------------------------------------------- Slot State Run Active Deactive NPPatch------------------------------------------------------------- 1 registered - - M deactive 2 registered - - M deactive 3 unregistered - - M deactive 4 unregistered - - M deactive 5 unregistered - - M deactive 6 unregistered - - M deactive 7 unregistered - - M deactive 8 unregistered - - M deactive 9 unregistered - - M deactive 10 unregistered - - M deactive 11 unregistered - - M deactive 12 unregistered - - M deactive 13 unregistered - - M deactive 14 unregistered - - M deactive 15 unregistered - - M deactive 16 unregistered - - M deactive




Issue 01 (2011-05-30)

17 registered - - M idle 18 registered - - M idle-------------------------------------------------------<HUAWEI>display patch-information configure-file next-startup

Codes: M(Max patch ID in the board)----------------------------------------- Slot Run Active Deactive NPPatch----------------------------------------- 1 - - M deactive 2 - - M deactive 3 - - M deactive 4 - - M deactive 5 - - M deactive 6 - - M deactive 7 - - M deactive 8 - - M deactive 9 - - M deactive 10 - - M deactive 11 - - M deactive 12 - - M deactive 13 - - M deactive 14 - - M deactive 15 - - M deactive 16 - - M deactive 17 - - M idle 18 - - M idle--------------------------------------

After the patch is actived, run the display patch-information command. The results are asfollows:<HUAWEI> display patch-information





----------The patch information of slot 33---------- Total Patch Unit : 1Running Patch Unit : Active Patch Unit : 1 - 1Deactive Patch Unit :

----------The patch information of slot 34---------- Total Patch Unit : 1Running Patch Unit : Active Patch Unit : 1 - 1Deactive Patch Unit : <HUAWEI>display patch-information configure-file

Codes: M(Max patch ID in the board)------------------------------------------------------------- Slot State Run Active Deactive NPPatch------------------------------------------------------------- 1 registered - M - active 2 registered - M - active 3 unregistered - M - active 4 unregistered - M - active 5 unregistered - M - active 6 unregistered - M - active 7 unregistered - M - active



12-13

8 unregistered - M - active 9 unregistered - M - active 10 unregistered - M - active 11 unregistered - M - active 12 unregistered - M - active 13 unregistered - M - active 14 unregistered - M - active 15 unregistered - M - active 16 unregistered - M - active 17 registered - M - idle 18 registered - M - idle-------------------------------------------------------<HUAWEI>display patch-information configure-file next-startup

Codes: M(Max patch ID in the board)----------------------------------------- Slot Run Active Deactive NPPatch----------------------------------------- 1 - M - active 2 - M - active 3 - M - active 4 - M - active 5 - M - active 6 - M - active 7 - M - active 8 - M - active 9 - M - active 10 - M - active 11 - M - active 12 - M - active 13 - M - active 14 - M - active 15 - M - active 16 - M - active 17 - M - idle 18 - M - idle--------------------------------------

After running the patch , run the display patch-information command. The results are asfollows:<HUAWEI> display patch-information





----------The patch information of slot 33---------- Total Patch Unit : 1Running Patch Unit : 1 - 1Active Patch Unit : Deactive Patch Unit :

----------The patch information of slot 34---------- Total Patch Unit : 1Running Patch Unit : 1 - 1Active Patch Unit : Deactive Patch Unit : <HUAWEI>display patch-information configure-file

Codes: M(Max patch ID in the board)-------------------------------------------------------------




Issue 01 (2011-05-30)

Slot State Run Active Deactive NPPatch------------------------------------------------------------- 1 registered M - - run 2 registered M - - run 3 unregistered M - - run 4 unregistered M - - run 5 unregistered M - - run 6 unregistered M - - run 7 unregistered M - - run 8 unregistered M - - run 9 unregistered M - - run 10 unregistered M - - run 11 unregistered M - - run 12 unregistered M - - run 13 unregistered M - - run 14 unregistered M - - run 15 unregistered M - - run 16 unregistered M - - run 17 registered M - - idle 18 registered M - - idle-------------------------------------------------------<HUAWEI>display patch-information configure-file next-startup

Codes: M(Max patch ID in the board)----------------------------------------- Slot Run Active Deactive NPPatch----------------------------------------- 1 M - - run 2 M - - run 3 M - - run 4 M - - run 5 M - - run 6 M - - run 7 M - - run 8 M - - run 9 M - - run 10 M - - run 11 M - - run 12 M - - run 13 M - - run 14 M - - run 15 M - - run 16 M - - run 17 M - - idle 18 M - - idle--------------------------------------

12.5 (Optional) Unactivating the activating of PatchIf an installed patch does not take effect, you need to deactivate the patch.

12.5.1 Establishing the Configuration TaskBefore deactivating a patch, familiarize yourself with the applicable environment, complete thepre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.

12.5.2 Deactivating a PatchDeactivating a patch makes an active patch become inactive.

12.5.3 Checking the ConfigurationAfter a patch is deactivated, you can run the display command to check the patch status.



12-15

12.5.1 Establishing the Configuration TaskBefore deactivating a patch, familiarize yourself with the applicable environment, complete thepre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.

Applicable EnvironmentAfter a patch is activated, you need to judge that the patch has achieved the expected effect. Ifthe patch does not become valid, you need to activate the patch.

A patch can be deactivated only after it is activated.

Pre-configuration TasksNone


12.5.2 Deactivating a PatchDeactivating a patch makes an active patch become inactive.

Procedure

Step 1 Run:patch deactive all

The patch is deactivated.

----End

12.5.3 Checking the ConfigurationAfter a patch is deactivated, you can run the display command to check the patch status.

Procedurel Run:


Check the patch state.

----End

ExampleAfter the preceding configuration succeeds, run the display patch-information command. Theresults are as follows:

<HUAWEI> display patch-information





Issue 01 (2011-05-30)






12.6 Configuration Examples of the Patch ManagementThis section describes some Configuration Examples.

12.6.1 Example for Installing a PatchWhen the system has vulnerabilities or defects, you can install a patch to repair the system.

12.6.1 Example for Installing a PatchWhen the system has vulnerabilities or defects, you can install a patch to repair the system.


Figure 12-3shows that some urgent bug occurs to the system software at the Provider Edge (PE)connected to the Internet. Huawei provides the patch file to remove the bug. The patch in thispatch file must be installed to remove the bug.

Figure 12-3 Networking diagram of installing a patch

MPLS Core

PE

FTP Server

GE0/0/010.1.1.1/24

PC

10.1.1.2/24

10.1.1.3/24



12-17


1. Save the patch file to the root directory of the CF card on the master and slave MPUs.2. Load the patch.3. Activate the patch.4. Run the patch.


l File name of the patch: patch.patl Path the patch saved to on the MPU: cfcard:/

Procedure

Step 1 Upload the patch file for the system software.

# Log in to the FTP server.

<PE> ftp 10.1.1.2Trying 10.1.1.2 ...Press CTRL+K to abortConnected to 192.168.1.2.220 FTP service ready.User(10.1.1.2:(none)):huawei331 Password required for huawei.Password:230 User logged in.[ftp]

# Configure the binary transmission format and the working directory of the CF card on PE.

[ftp] binary200 Type set to I.[ftp] lcd cfcard:/% Local directory now cfcard:.

# Load the patch file for the current system software from the remote FTP server.

[ftp] get patch.pat200 Port command okay.150 Opening ASCII mode data connection for license.txt.226 Transfer complete.FTP: 6309 byte(s) received in 0.188 second(s) 33.55Kbyte(s)/sec. [ftp] bye221 Server closing.<PE>

# Copy the patch file to the CF card on the slave MPU.

<PE> copy cfcard:/patch.pat slave#cfcard:/Copy cfcard:/patch.pat to slave#cfcard:/patch.pat?[Y/N]:y100% completeInfo:Copied file cfcard:/ patch.pat to slave#cfcard:/ patch.pat...Done

Step 2 Load the patch.<PE> patch load patch.pat all

Step 3 Activate the patch.




Issue 01 (2011-05-30)

<PE> patch active all

Step 4 Run the patch.<PE> patch run all

Step 5 Verify the configuration<PE> display patch-information Patch Package Name :cfcard:/patch.patPatch Package Version:V600R003C00SPH001

************************************************************************* The hot patch information, as follows: *************************************************************************

Slot Type State Count------------------------------------------------------------ 7 C Running 1

************************************************************************* The cold patch information, as follows: *************************************************************************

all slots do not need cold patch

----End

Configuration FilesNone



12-19

A Glossary

This appendix collates frequently used terms in this document.

A

Accounting A network security service that records the user's access to thenetwork.

Agent A process that is used in all managed devices. It receives requestpackets from the NM Station and performs the Read or Writeoperation on managed variables according to packet types andgenerates response packets and sends them to the NM Station.

AH Authentication Header. A security protocol that provides dataauthentication and integrity for IP packets. AH is used in thetransmission mode and in the tunneling mode.

ASSP Analogue Sensor Signal Processes. An error tolerance protocolthat provides the interface backup in the multiple access, multicastand broadcast in LAN (such as Ethernet).

Authentication A method used to prove user identity.

Authorization A method used to prove identity of users to use the service.

B

Backup center A mechanism in which the interfaces on a device back up eachother and trace the status of the interface. If an interface is Down,the backup center provides a backup interface to undertake theservice.

BFD Bidirectional Forwarding Detection. A unified detectionmechanism that is used to detect and monitor the link or IP routesforwarding at a fast pace.

Black list A filtering mode that is used to filter the packet according to thesource IP address. Compared with the ACL, the black list can filterthe packet at a high speed because its matching region is simple.It can shield the packet from the specified IP address.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations A Glossary


A-1

C

CLI Command Line Interface. An interface that allows the user tointeract with the operating system. Users can configure andmanage the CX600 by entering commands through the CLI.

Congestion avoidance A flow control mechanism by which the network overload isrelieved by adjusting the network traffic. When the congestionoccurs and becomes worse, the packet is discarded by monitoringthe network resource.

Congestion management A flow control measure to solve the problem of network resourcecompetition. When the network congestion occurs, it places thepacket into the queue for buffer and determines the order offorwarding the packet.

Command line level The priority of the system command that is divided into 4 levels.Users of a level can run the command only of the same or lowerlevel.

E

Ethernet A baseband LAN specification created by Xerox and developedby Xerox, Intel, and Digital Equipment Corporation (DEC). Thisspecification is similar to IEEE802.3.

Ethernet_II An encapsulation format of the Ethernet frame. Ethernet_II thatcontains a 16-bit protocol type field is the standard ARPA EthernetVersion 2.0 encapsulation.

Ethernet_SNAP An encapsulation format of the Ethernet frame. The frame formatcomplies with RFC 1042 and enables the transmission of theEthernet frame on the IEEE 802.2 media.

F

FIFO First In First Out. A queuing scheme in which the first data intothe network is also the fist data out of the network.

File system A method in which files and directories in the storage devices aremanaged, such as creating a file system, creating, deleting,modifying and renaming a file or directory or displaying thecontents of the file.

FTP File Transfer Protocol. An application protocol in the TCP/IPstack, used for transferring files between remote hosts. FTP isimplemented based on the file system.

H

A GlossaryHUAWEI CX600 Metro Services Platform


A-2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

HGMPv2 Huawei Group Management Protocol Version 2. A protocol withwhich the discovery, topology collection, centralized managementand remote maintenance are implemented on Layer 2 devices of acluster that are connected with the CX device.

I

Information center The information hinge in the MA5200G that can classify and filterthe output information.

Interface mirroring A method of copying the packet of the mirrored interface to theother mirroring interfaces to forward the packet.

IPv6 Internet Protocol Version 6. Replacement for the current versionof IP (version 4) designed by the IETF. It is the second generationstandard protocol of the internet layer and it is also called IPng(next generation). The length of the IP address in IPv6 is 128 bitsand the length of the IP address in IPv4 is 32 bits.

IP negotiated An attribute of the interface. When the user accesses the Internetthrough the ISP, the IP address is usually allocated by the peerserver. The PPP packet must be encapsulated and the IP addressnegotiated attribute must be configured on the interface so that thelocal interface accepts the IP address allocated by the peer endthrough the PPP negotiation.

IP unnumbered A mechanism in which the interface that is not configured with anIP address can borrow the IP address of the interface that isconfigured with an IP address to save the IP address resource.

ISATAP tunnel Intra-site Automatic Tunnel Addressing Protocol. A protocol thatis used for the IPv4/IPv6 host in the IPv4 network to access theIPv6 network. The ISATAP tunnel can be established between theISATAP hosts or between the ISATAP host and the ISATAP CXdevice.

ISIS-TE Traffic engineering of IS-IS. (For the information of IS-IS, referto )

L

LAN interface Local Area Network interface. Often an Ethernet interface throughwhich the CX device can exchange data with the network devicein a LAN.

License Permission of some features that dynamically control the product.

Logical interface A configured interface that can exchange data but does not existphysically. A logical interface can be a sub-interface, virtual-template interface, virtual Ethernet interface, Loopback interface,Null interface and Tunnel interface.



A-3

M

MIB Management Information Base. A database of variables of themonitored network device. It can uniquely define a managedobject.

Modem Modulator-demodulator. Device that converts digital and analogsignals.

Multicast A process of transmitting packets of data from one source to manydestinations. The destination address of the multicast packet usesClass D address, that is, the IP address ranges from 224.0.0.0 to239.255.255.255. Each multicast address represents a multicastgroup rather than a host.

N

NDP Neighbor Discovery Protocol. A protocol that is used to discoverthe information of the neighboring Huawei device that isconnected with the local device.

NMS Network Management System. A system that sends various querypackets and receives the response packet and trap packet from themanaged devices and displays all the information.

NTDP A protocol that is used to collect the information of the adjacencyand the backup switch of each device in the network.

NTP Network Time Protocol. An application protocol that is used tosynchronize the distributed server and the client side.

O

OSPF-TE Traffic engineering of OSPF. (For the information of OSPF, referto )

P

Policy-based routing A routing scheme that forwards packets to specific interfaces basedon user-configured policies.

R

Regular expression When a lot of information is output, you can filter the unnecessarycontents out with regular expressions and display the necessarycontents.

RMON Remote monitoring. An MIB agent specification defined by theIETF that defines functions for the remote monitoring of the dataflow of a network segment or the whole network.




Issue 01 (2011-05-30)

CX device A device on the network layer that selects routes in the network.The CX device selects the optimal route according to thedestination address of the received packet through a network andforwards the packet to the next CX device. The last CX device isresponsible for sending the packet to the destination host.

RRPP Rapid Ring Protection Protocol. A protocol that is applied on thedata link layer. When the Ethernet ring is complete, it can preventthe broadcast storm caused by the data loop. When a link isdisconnected on an Ethernet ring, it can rapidly restore thecommunication link between the nodes on the ring network.

RSVP-TE Traffic engineering of RSVP. (For the information of RSVP, referto )

S

Service tracing A method of service debugging, diagnosis and error detection thatis mainly used for service personnel to locate the fault in useraccess. The service tracing can output the status change and theresult of the protocol processing of the specified user during theaccess to the terminal or the server for the reference and analysisof the service personnel.

SSH Secure Shell. A protocol that provides a secure connection to aCX device through a TCP application.

Static ARP A protocol that binds some IP addresses to a specified gateway.The packet of these IP addresses must be forwarded through thisgateway.

System environment Basic parameters for running the MA5200G such as host name,language mode and system time. After configuration, the systemenvironment can meet the requirements of the actual environment.

T

Telnet An application protocol of the TCP/IP stack that provides virtualterminal services for a wide variety of remote systems.

Terminal A device that is connected with other devices through the serialport. The keyboard and the display have no disk drives.

Traffic policing A process used to measure the actual traffic flow across a givenconnection and compare it to the total admissible traffic flow forthat connection. When the traffic exceeds the flow that is agreedupon , some restrictions or penalties are adopted to protect theinterest and the network resource of the operator.

Traffic shaping A flow control measure to shape the flow rate. It is often used tocontrol the flow in regular amounts to ensure that the traffic iswithin the traffic stipulated for the downstream CX device andprevents unnecessary discard and congestion.



A-5

Tunnel Secure communication path between two peers in the VPN thatprotect the internal information of the VPN from the interruption.

V

VPN Virtual Private Network. A new technology developed with theInternet to provide an apparent single private network over a publicnetwork. "Virtual" means the network is a logical network.

VPR Versatile Routing Platform. A versatile routing operating systemplatform developed for all data communication products ofHuawei. With the IP service as its core, the CX600 adopts thecomponentized architecture. The CX600 realizes rich functionsand provides tailorability and scalability based on applications.

VRRP Virtual CX device Redundancy Protocol. An error tolerantprotocol defined in RFC 2338. It forms a backup group for a groupof CX device in a LAN that functions as a virtual CX device.

VTY Virtual type terminal. A terminal line that is used to access a CXdevice through Telnet.

W

X

X.25 A protocol applied on the data link layer that defines howconnections between DTE and DCE are maintained for remoteterminal access and computer communications in PDNs.

XModem A transmission protocol in the format of the binary code.

XOT X.25 over TCP. A protocol that implements the interconnectionbetween two X.25 networks through the TCP packet bearing X.25frames.




Issue 01 (2011-05-30)

B Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.

Numerics

3DES Triple Data Encryption Standard

A

AAA Authentication, Authorization and Accounting

ACL Access Control List

ARP Address Resolution Protocol

AES Advanced Encryption Standard

ASPF Application Specific Packet Filter

AUX Auxiliary port

B

BGP Border Gateway Protocol

C

CBQ Class-based Queue

CHAP Challenge Handshake Authentication Protocol

CQ Custom Queuing

CR-LDP Constraint-based Routing LDP

D

DES Data Encryption Standard

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations B Acronyms and Abbreviations


B-1

DHCP Dynamic Host Configuration Protocol

DNS Domain Name System

E

ESP Encapsulating Security Payload

F

FR Frame Relay

G

GRE Generic Routing Encapsulation

H

HDLC High Level Data Link Control

I

IETF Internet Engineering Task Force

IKE Internet Key Exchange

IPSec IP Security

IS-IS Intermediate System-to-Intermediate System intra-domainrouting information exchange protocol

ITU-T International Telecommunication Union TelecommunicationsStandardization Sector

L

L2TP Layer Two Tunneling Protocol

LAPB Link Access Procedure Balanced

LDP Label Distribution Protocol

M

MAC Medium Access Control

MBGP Multiprotocol Extensions for BGP-4

MFR Multiple Frame Relay

B Acronyms and AbbreviationsHUAWEI CX600 Metro Services Platform


B-2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

MP MultiLink PPP

MPLS Multiprotocol Label Switching

MSDP Multicast Source Discovery Protocol

MTU Maximum Transmission Unit

N

NAT Network Address Translation

NAT-PT Network Address Translation - Protocol Translation

O

OAM Operation, Administration and Maintenance

OSPF Open Shortest Path First

P

PAP Password Authentication Protocol

PE Provider Edge

Ping Ping (Packet Internet Groper)

PPP Point-to-Point Protocol

PPPoA PPP over AAL5

PPPoE Point-to-Point Protocol over Ethernet

PPPoEoA PPPoE on AAL5

PQ Priority Queuing

Q

QoS Quality of Service

R

RADIUS Remote Authentication Dial In User Service

RIP Routing Information Protocol

RPR Resilient Packet Ring

RSVP Resource Reservation Protocol

HUAWEI CX600 Metro Services PlatformConfiguration Guide - Basic Configurations B Acronyms and Abbreviations


B-3

S

SFTP SSH File Transfer Protocol

T

TE Traffic Engineering

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

V

VPN Virtual Private Network

VRP Versatile Routing Platform

VRRP Virtual Router Redundancy Protocol

W

WAN Wide Area Network

WFQ Weighted Fair Queuing

WRED Weighted Random Early Detection

X

XOT X.25 Over TCP

B Acronyms and AbbreviationsHUAWEI CX600 Metro Services Platform


B-4 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

Documents

Configuration Guide - Basic Configurations(V600R003C00_01)