HUAWEI NetEngine80E/40E Router V600R003C00 Configuration Guide - Basic Configurations Issue 02 Date 2011-09-10 HUAWEI TECHNOLOGIES CO., LTD.

NE40 Configuration Guide - Basic Configurations(V600R003C00_02)


Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
         Bantian, Longgang
         Shenzhen 518129
         People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2011-09-10) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.


About This Document

Purpose

This part describes the organization of this document, product version, intended audience, conventions, and change history.

NOTE

- This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.

- On NE80E/40E series excluding NE40E-X1 and NE40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On the NE40E-X1 and NE40E-X2, there are no LPUs and SFUs, and NPUs implement the same functions of LPUs and SFUs to exchange and forward packets.

Related Versions

The following table lists the product versions related to this document.

Product Name                        Version
HUAWEI NetEngine80E/40E Router      V600R003C00

Intended Audience

This document is intended for:

- Commissioning Engineer
- Data Configuration Engineer
- Network Monitoring Engineer
- System Maintenance Engineer

Symbol Conventions

The symbols that may be found in this document are defined as follows.


Symbol     Description
DANGER     Alerts you to a high risk hazard that could, if not avoided, result in serious injury or death.
WARNING    Alerts you to a medium or low risk hazard that could, if not avoided, result in moderate or minor injury.
CAUTION    Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.
TIP        Provides a tip that may help you solve a problem or save time.
NOTE       Provides additional information to emphasize or supplement important points in the main text.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.


Change History

Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.

Changes in Issue 02 (2011-09-10)

The second commercial release.

- Device Maintenance
  10.8 Configuring a Working Mode for an LPUF-40 or LPUF-20/21 is added to describe the configuration of service mode for an LPUF-20/21 or LPUF-40.

Changes in Issue 01 (2011-06-30)

Initial commercial release.


Contents

About This Document

1 Logging In to the System for the First Time
  1.1 Introduction to Log In to the Device for the First Time
  1.2 Logging In to the Device Through the Console Port
    1.2.1 Establishing the Configuration Task
    1.2.2 Establishing the Physical Connection
    1.2.3 Logging in to the router
  1.3 Logging In to the router That Supports the Plug-and-Play Function

2 CLI Overview
  2.1 CLI Introduction
    2.1.1 Command Line Interface
    2.1.2 Command Levels
    2.1.3 Command Line Views
  2.2 Online Help
    2.2.1 Full Help
    2.2.2 Partial Help
    2.2.3 Error Messages of the Command Line Interface
  2.3 CLI Features
    2.3.1 Editing
    2.3.2 Displaying
    2.3.3 Regular Expressions
    2.3.4 Previously-Used Commands
    2.3.5 Batch Command Execution
  2.4 Shortcut Keys
    2.4.1 Classifying Shortcut Keys
    2.4.2 Defining Shortcut Keys
    2.4.3 Use of Shortcut Keys
  2.5 Configuration Examples
    2.5.1 Example for Running Commands in Batches
    2.5.2 Example for Using Tab
    2.5.3 Example for Using Shortcut Keys
    2.5.4 Example for Copying Commands Using Shortcut Keys


3 Basic Configuration
  3.1 Configuring the Basic System Environment
    3.1.1 Establishing the Configuration Task
    3.1.2 Switching the Language Mode
    3.1.3 Configuring the Equipment Name
    3.1.4 Setting the System Clock
    3.1.5 Configuring a Header
    3.1.6 Configuring Command Levels
    3.1.7 Configuring the Undo Command to Match in the Previous View Automatically
  3.2 Displaying System Status Messages
    3.2.1 Displaying System Configuration
    3.2.2 Displaying System Status
    3.2.3 Collecting System Diagnostic Information

4 Configuring User Interface
  4.1 User Interface Overview
  4.2 Configuring the Console User Interface
    4.2.1 Establishing the Configuration Task
    4.2.2 Setting Physical Attributes of Console User Interface
    4.2.3 Setting Terminal Attributes of Console User Interface
    4.2.4 Configuring User Priority of Console User Interface
    4.2.5 Configuring the User Authentication Mode of the Console User Interface
    4.2.6 Checking the Configuration
  4.3 Configuring the AUX User Interface
    4.3.1 Establishing the Configuration Task
    4.3.2 Setting Physical Attributes of AUX User Interface
    4.3.3 Setting Terminal Attributes of AUX User Interface
    4.3.4 Setting User Priority of AUX User Interface
    4.3.5 Setting Modem Attributes of AUX User Interface
    4.3.6 (Optional) Configuring Auto-Execute Commands of AUX User Interface
    4.3.7 Setting User Authentication Mode of AUX User Interface
    4.3.8 Checking the Configuration
  4.4 Configuring VTY User Interface
    4.4.1 Establishing the Configuration Task
    4.4.2 Configuring Maximum VTY User Interfaces
    4.4.3 (Optional) Setting Limit on Incoming and Outgoing Calls of VTY User Interfaces
    4.4.4 Setting Terminal Attributes of the VTY User Interface
    4.4.5 Setting User Priority of VTY User Interface
    4.4.6 Setting User Authentication Mode of the VTY User Interface
    4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces
    4.4.8 Checking the Configuration
  4.5 Configuration Examples
    4.5.1 Example for Configuring Console User Interface


    4.5.2 Example for Configuring AUX User Interface
    4.5.3 Example for Configuring VTY User Interface

5 Configuring User Login
  5.1 Overview of User Login
  5.2 Logging in to the Devices Through the Console Port
    5.2.1 Establishing the Configuration Task
    5.2.2 Configuring Console User Interface
    5.2.3 Logging in to the router Through a Console Port
    5.2.4 Checking the Configuration
  5.3 Logging in to the Devices Through the AUX Port
    5.3.1 Establishing the Configuration Task
    5.3.2 Configuring AUX User Interface
    5.3.3 Logging in to the router Through an AUX Port
    5.3.4 Checking the Configuration
  5.4 Logging in to the Devices by Using Telnet
    5.4.1 Establishing the Configuration Task
    5.4.2 Configuring VTY User Interface
    5.4.3 (Optional) Configuring Local Telnet Users
    5.4.4 Enabling the Telnet Service
    5.4.5 (Optional) Configuring Listening Port Number for Telnet Server
    5.4.6 Logging in to the router by Using Telnet
    5.4.7 Checking the Configuration
  5.5 Logging in to the Devices by Using STelnet
    5.5.1 Establishing the Configuration Task
    5.5.2 Configuring VTY User Interface
    5.5.3 Configuring SSH for the VTY User Interface
    5.5.4 Configuring an SSH User and Specifying STelnet as One of Service Types
    5.5.5 Enabling the STelnet Server Function
    5.5.6 (Optional) Configuring the STelnet Server Parameters
    5.5.7 Logging in to the router by Using STelnet
    5.5.8 Checking the Configuration
  5.6 Common Operations After Login
    5.6.1 Establishing the Configuration Task
    5.6.2 Switching User Levels
    5.6.3 Locking User Interfaces
    5.6.4 Sending Messages to Other User Interfaces
    5.6.5 Displaying Logged-in Users
    5.6.6 Clearing Logged-in Users
    5.6.7 Configuring Configuration Locking
  5.7 Configuration Examples
    5.7.1 Example for Configuring User Login Through a Console Port
    5.7.2 Example for Logging In Through the AUX Port


    5.7.3 Example for Configuring User Login by Using Telnet
    5.7.4 Example for Configuring User Login by Using STelnet

6 Managing File System
  6.1 File System Overview
    6.1.1 File System
    6.1.2 Methods of File Management
  6.2 Performing File Operations by Means of the File System
    6.2.1 Establishing the Configuration Task
    6.2.2 Managing Storage Devices
    6.2.3 Managing the Directory
    6.2.4 Managing Files
  6.3 Performing File Operations by Means of FTP
    6.3.1 Establishing the Configuration Task
    6.3.2 Configuring a Local FTP User
    6.3.3 (Optional) Specifying a Port Number for the FTP Server
    6.3.4 Enabling the FTP Server
    6.3.5 (Optional) Configuring the FTP Server Parameters
    6.3.6 (Optional) Configuring an FTP ACL
    6.3.7 Accessing the System by Using FTP
    6.3.8 Performing File Operations by Using FTP Commands
    6.3.9 Checking the Configuration
  6.4 Performing File Operations by Means of SFTP
    6.4.1 Establishing the Configuration Task
    6.4.2 Configuring VTY User Interface
    6.4.3 Configuring SSH for the VTY User Interface
    6.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types
    6.4.5 Enabling the SFTP Service
    6.4.6 (Optional) Configuring the STelnet Server Parameters
    6.4.7 Accessing the System by Using SFTP
    6.4.8 Performing File Operations by Using SFTP
    6.4.9 Checking the Configuration
  6.5 Performing File Operations by Means of Xmodem
    6.5.1 Establishing the Configuration Task
    6.5.2 Getting a File Through Xmodem
  6.6 Configuration Examples
    6.6.1 Example for Performing File Operations by Means of the File System
    6.6.2 Example for Performing File Operations by Means of FTP
    6.6.3 Example for Performing File Operations by Means of SFTP
    6.6.4 Example for Performing File Operations by Means of Xmodem

7 Configuring System Startup
  7.1 System Startup Overview
    7.1.1 System Software


    7.1.2 Configuration Files
    7.1.3 Configuration Files and Current Configurations
  7.2 Managing Configuration Files
    7.2.1 Establishing the Configuration Task
    7.2.2 Saving Configuration Files
    7.2.3 Clearing a Configuration File
    7.2.4 Comparing Configuration Files
    7.2.5 Checking the Configuration
  7.3 Specifying a File for System Startup
    7.3.1 Establishing the Configuration Task
    7.3.2 Configuring System Software for a router to Load for the Next Startup
    7.3.3 Configuring the Configuration File for Router to Load for the Next Startup
    7.3.4 Checking the Configuration
  7.4 Configuration Examples
    7.4.1 Example for Configuring System Startup

8 Accessing Another Device
  8.1 Accessing Another Device
    8.1.1 Telnet Method
    8.1.2 FTP Method
    8.1.3 TFTP Method
    8.1.4 SSH Method
  8.2 Logging in to Other Devices by Using Telnet
    8.2.1 Establishing the Configuration Task
    8.2.2 (Optional) Configuring a Source IP Address for an Telnet Client
    8.2.3 Logging in to Another Device by Using Telnet
    8.2.4 Checking the Configuration
  8.3 Connecting to Another Device by Using the Telnet Redirection Function
    8.3.1 Establishing the Configuration Task
    8.3.2 Enabling the Telnet Redirection Function
    8.3.3 Connecting Another Device by Using the Telnet Redirection Function
    8.3.4 Checking the Configuration

8.4 Logging in to Another Device by Using STelnet...........................................................................................1638.4.1 Establishing the Configuration Task.....................................................................................................1638.4.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication onthe SSH Client)...............................................................................................................................................1638.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSHServer)............................................................................................................................................................1648.4.4 Logging in to Another Device by Using STelnet..................................................................................1668.4.5 Checking the configuration...................................................................................................................166

8.5 Accessing Files on Another Device by Using TFTP......................................................................................1678.5.1 Establishing the Configuration Task.....................................................................................................1678.5.2 (Optional) Configuring a Source IP Address for a TFTP Client...........................................................1688.5.3 (Optional) Configuring TFTP Access Authority...................................................................................168

8.5.4 Downloading Files by Using TFTP
8.5.5 Uploading Files by Using TFTP
8.5.6 Checking the Configuration

8.6 Accessing Files on Another Device by Using FTP
8.6.1 Establishing the Configuration Task
8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client
8.6.3 Connecting to Other Devices by Using FTP Commands
8.6.4 Operating Files by Using FTP Commands
8.6.5 Changing Login Users
8.6.6 Disconnecting from the FTP Server
8.6.7 Checking the Configuration

8.7 Accessing Files on Another Device by Using SFTP
8.7.1 Establishing the Configuration Task
8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client
8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)
8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)
8.7.5 Connecting to Other Devices by Using SFTP
8.7.6 Operating Files by Using SFTP Commands
8.7.7 Checking the Configuration

8.8 Configuration Examples
8.8.1 Example for Logging in to Another Device by Using Telnet
8.8.2 Example for Logging in to Another Device by Using the Telnet Redirection Function
8.8.3 Example for Logging in to Another Device by Using Telnet on a VPN
8.8.4 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server
8.8.5 Example for Accessing Files on Another Device by Using TFTP
8.8.6 Example for Configuring the Access of the TFTP Server on the Public Network When the Management VPN Instance Is Used
8.8.7 Example for Accessing Files on Another Device by Using FTP
8.8.8 Example for Configuring the Access of the FTP Server on the Public Network When the Management VPN Instance Is Used
8.8.9 Example for Accessing Files on Another Device by Using SFTP
8.8.10 Example for Configuring the Access of the SFTP Server on the Public Network When the Management VPN Instance Is Used
8.8.11 Example for Accessing the SSH Server Through Other Port Numbers
8.8.12 Example for an SSH Client in the Public Network to Access an SSH Server in the Private Network

9 Clock Synchronization Configuration
9.1 Introduction of Clock Synchronization Configuration
9.1.1 Overview of Clock Synchronization Configuration
9.1.2 Clock Synchronization Supported by the NE80E/40E

9.2 Setting Basic Configurations for Clock Synchronization
9.2.1 Establishing the Configuration Task

9.2.2 Setting Basic Configurations for Clock Synchronization
9.2.3 Checking the Configuration

9.3 Configuring an External BITS Clock Source
9.3.1 Establishing the Configuration Task
9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock
9.3.3 Configuring an External Clock Source and Its Signal Type on the router
9.3.4 Checking the Configuration

9.4 Configuring a Clock Reference Source Manually or Forcibly
9.4.1 Establishing the Configuration Task
9.4.2 Configuring a Clock Reference Source
9.4.3 Checking the Configuration

9.5 Configuring Clock Protection Switching Based on SSM Levels
9.5.1 Establishing the Configuration Task
9.5.2 Configuring the Router to Automatically Select Clock Sources
9.5.3 Enabling SSM
9.5.4 Configuring the SSM Level of the Clock Reference Source
9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs
9.5.6 Setting the Modes of Extracting SSM Levels
9.5.7 Checking the Configuration

9.6 Configuring Clock Protection Switching Based on Priorities
9.6.1 Establishing the Configuration Task
9.6.2 Configuring the Router to Automatically Select Clock Sources
9.6.3 Disabling SSM
9.6.4 Setting Priorities of Clock Reference Sources
9.6.5 Checking the Configuration

9.7 Configuring Ethernet Clock Synchronization
9.7.1 Establishing the Configuration Task
9.7.2 Enabling Ethernet Clock Synchronization
9.7.3 Configuring Ethernet Clock Source
9.7.4 Checking the Configuration

9.8 Configuration Examples of Clock Synchronization
9.8.1 Example for Configuring Protection Switchover of Clock Sources

10 Device Maintenance
10.1 Introduction of Device Maintenance
10.1.1 Overview of Device Maintenance
10.1.2 Maintenance Features Supported by the NE80E/40E

10.2 Powering off the MPU
10.2.1 Establishing the Configuration Task
10.2.2 Powering off the Slave MPU
10.2.3 Checking the Configuration

10.3 Powering off the SFU
10.3.1 Establishing the Configuration Task

10.3.2 Powering off the SFU
10.3.3 Checking the Configuration

10.4 Powering off the NPU
10.4.1 Establishing the Configuration Task
10.4.2 Powering off the NPU
10.4.3 Checking the Configuration

10.5 Powering off the LPU
10.5.1 Establishing the Configuration Task
10.5.2 Powering off the LPU
10.5.3 Checking the Configuration

10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
10.6.1 Establishing the Configuration Task
10.6.2 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
10.6.3 Checking the Configuration

10.7 Switching Between the Operation Modes of the LPUF-10
10.7.1 Establishing the Configuration Task
10.7.2 Switching Between the Operation Modes of the LPUF-10
10.7.3 Checking the Configuration

10.8 Configuring a Working Mode for an LPUF-40 or LPUF-20/21
10.8.1 Establishing the Configuration Task
10.8.2 Configuring a Service Mode for an LPUF-20/21 or LPUF-40
10.8.3 Checking the Configuration

10.9 Configuring the CMU
10.9.1 Establishing the Configuration Task
10.9.2 Configuring Monitor Items for a CMU

10.10 Configuring a Cleaning Cycle for the Air Filter
10.10.1 Establishing the Configuration Task
10.10.2 Configuring a Cleaning Cycle for the Air Filter
10.10.3 Remonitoring the Cleaning Cycle of the Air Filter
10.10.4 Checking the Configuration

10.11 Monitoring the Device Status
10.11.1 Displaying the System Version Information
10.11.2 Displaying Basic Information About the Router
10.11.3 Displaying the Electronic Label
10.11.4 Displaying the Soft Boot Mode
10.11.5 Displaying the Threshold of the Memory Usage
10.11.6 Displaying the Threshold of CPU Usage
10.11.7 Displaying Alarm Information
10.11.8 Displaying the Board Temperature
10.11.9 Displaying the Board Voltage
10.11.10 Displaying the Power Supply Status
10.11.11 Displaying Current Information About Boards

10.11.12 Displaying Environment Information About the Device
10.11.13 Displaying the Fan Status
10.11.14 Displaying the Sequence Number of the MPU
10.11.15 Displaying the Next Start Mode of the Board
10.11.16 Displaying the Number of the Registered SFUs By Default

10.12 Board Maintenance
10.12.1 Resetting a Board
10.12.2 Clearing the Maximum CPU Usage

10.13 Configuring NAP-based Remote Deployment
10.13.1 Establishing the Configuration Task
10.13.2 Configuring and Starting the NAP Master Interface
10.13.3 Remote Login
10.13.4 Disabling NAP on the Slave Device
10.13.5 Checking the Configuration

10.14 Configuration Examples of the Device Maintenance
10.14.1 Example for Powering off the MPU
10.14.2 Example for Powering off the SFU
10.14.3 Example for Powering off the LPU
10.14.4 Example for Configuring the Operation Mode of the LPUF-10
10.14.5 Example for Configuring NAP-based Remote Deployment in Automatic Mode
10.14.6 Example for Configuring NAP-based Remote Deployment in Static Mode

11 Device Upgrading
11.1 Overview of Device Upgrade
11.2 Upgrade Modes Supported by the NE80E/40E

12 Patch Management
12.1 Introduction of Patch Management
12.1.1 Overview of Patch Management
12.1.2 Patches Supported by the NE80E/40E

12.2 Checking the Running of Patch in the System
12.2.1 Establishing the Configuration Task
12.2.2 Checking the Running of Patch in the System
12.2.3 (Optional) Deleting a Patch

12.3 Loading a Patch
12.3.1 Establishing the Configuration Task
12.3.2 Loading a Patch
12.3.3 Checking the Configuration

12.4 Installing a Patch
12.4.1 Establishing the Configuration Task
12.4.2 Loading a Patch
12.4.3 Activating a Patch
12.4.4 Running a Patch
12.4.5 (Optional) Synchronizing Patches

12.4.6 Checking the Configuration

12.5 (Optional) Deactivating a Patch
12.5.1 Establishing the Configuration Task
12.5.2 Deactivating a Patch
12.5.3 Checking the Configuration

12.6 Configuration Examples of the Patch Management
12.6.1 Example for Installing a Patch

A Glossary

B Acronyms and Abbreviations

1 Logging In to the System for the First Time

About This Chapter

You can log in to a new router through the console port to configure the router.

1.1 Introduction to Logging In to the Device for the First Time
A user can log in to the router that is powered on for the first time through the console port or by the plug-and-play function to configure the router.

1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a router through the console port to establish the configuration environment.

1.3 Logging In to the router That Supports the Plug-and-Play Function
The plug-and-play function enables the router to automatically access the network and obtain an IP address after the router is powered on. This allows engineers to remotely log in to the router to perform basic configurations.

1.1 Introduction to Logging In to the Device for the First Time

A user can log in to the router that is powered on for the first time through the console port or by the plug-and-play function to configure the router.

Log in to the router through the console port

The console port is a linear port on the main control board.

Each main control board provides one console port that conforms to the EIA/TIA-232 standard and whose type is DCE. The serial interface of a terminal can be directly connected to the console port on the router. Users can then configure the router on the terminal.

NOTE
When a device is powered on for the first time, you must log in to the device through the console port. It is a prerequisite for other login modes. For example, the IP address for Telnet login must be configured by logging in to the device through the console port.

Log in to the router by the plug-and-play functionNOTE

The plug-and-play function only can be configured on the X1 , X2 and X3 models of the NE80E/40E.

During site deployment, the routers reside far away from the equipment room. Sending softwarecommissioning engineers to deploy the network at the site is quite costly. After the plug-and-play function is enabled, however, the router automatically obtains an IP address. Softwarecommissioning engineers are able to remotely deliver configurations to the router through theNMS after installation personnel finishes hardware installation. This greatly simplifiesinstallation and reduces costs with minimized site visits.

The plug-and-play function is controlled by a PAF file and users do not need to configure itmanually. This function is automatically disabled after the router correctly obtains an IP address.

1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a router through the console port to establish the configuration environment.

1.2.1 Establishing the Configuration Task
Before logging in to the router through the console port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When the router is powered on for the first time, you need to use the console port to log in to the router to configure and manage the router.

Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:


- Installing a terminal emulation program on the PC (such as Windows XP HyperTerminal)

- Preparing the RS-232 cable

Data Preparation

To log in to the router through the console port, you need the following data.

| No. | Data |
| --- | --- |
| 1 | Terminal communication parameters: baud rate, data bit, parity, stop bit, flow-control mode |

NOTE
When you log in to the router for the first time, the system automatically uses default parameter values.

1.2.2 Establishing the Physical Connection
The console port on the router must be connected to the COM port on a terminal by using a console cable.

Procedure

Step 1 Power on all devices to perform a self-check.

Step 2 Connect the COM port on the PC and the console port on the router by a cable.

----End

1.2.3 Logging in to the router
You can log in to the router through the console port to configure and manage the router that is powered on for the first time.

Context

You need to configure terminal attributes for the PC according to the attributes configured for the console port, including the transmission rate, data bit, parity bit, stop bit, and flow control mode. Because this is the first login to the router, every terminal attribute uses the default value of the router.

Procedure

Step 1 Start a terminal emulator on the PC, and create a new connection, as shown in Figure 1-1.


Figure 1-1 Connection creation

Step 2 Set the interface, as shown in Figure 1-2.

Figure 1-2 Interface setting

Step 3 Set the communication parameters to the default values of the router, as shown in Figure 1-3.


Figure 1-3 Communication parameter setting

Step 4 Press Enter. A command line prompt such as <HUAWEI> appears, and the user view is displayed for you to configure the router.

----End

1.3 Logging In to the router That Supports the Plug-and-Play Function

The plug-and-play function enables the router to automatically access the network and obtain an IP address after the router is powered on. This allows engineers to remotely log in to the router to perform basic configurations.

Context
NOTE
The plug-and-play function can be configured only on the X1, X2 and X3 models of the NE80E/40E.

During site deployment, the routers reside far away from the equipment room. Sending software commissioning engineers to deploy the network at the site is quite costly. After the plug-and-play function is enabled, however, the router automatically obtains an IP address. Software commissioning engineers are able to remotely deliver configurations to the router through the NMS after installation personnel finish hardware installation. This greatly simplifies installation and reduces costs with minimized site visits. The plug-and-play function is controlled by a PAF file and users do not need to configure it manually. This function is automatically disabled after the router correctly obtains an IP address. The process of logging in to the router supporting the plug-and-play function is as follows:

Procedure

Step 1 After planning the network, network planning engineers provide a planning list for software commissioning engineers.

Step 2 Based on the planning list, software commissioning engineers configure the mappings between the router locations and IP addresses on the DHCP server, compile configuration scripts, and configure the mappings between the router locations and scripts.

Step 3 Hardware installation personnel install the routers and power them on at the site.

Step 4 The router sends a DHCPREQUEST message to the DHCP server, and then the interface connecting to the DHCP server obtains an IP address.

Step 5 The NMS delivers configurations to the router.

----End

Follow-up Procedure
If there is no DHCP server on the network or the router cannot obtain an IP address for some reason, the router displays the following information:

PNP State!!!PLEASE UNDO PNP enable for manual Setup! You can undo PNP in system view with "undo pnp enable"

At this time, do as follows to disable the plug-and-play function:

1. Run the system-view command to enter the system view.
2. Run the undo pnp enable command to disable the plug-and-play function.
3. Run the undo pnp default route command to delete the default route generated by the plug-and-play function.


2 CLI Overview

About This Chapter

The command line interface (CLI) is used to configure and maintain devices.

2.1 CLI Introduction
After you log in to the router, a prompt is displayed, indicating that you enter the command line interface (CLI). The CLI is used by users to interact with the router.

2.2 Online Help
When inputting command lines or configuring services, you can use the online help function to obtain real-time help.

2.3 CLI Features
The CLI provides the following features to help users flexibly use it.

2.4 Shortcut Keys
Using the system or user-defined shortcut keys makes it easier to enter commands.

2.5 Configuration Examples
This section provides several examples for using command lines.


2.1 CLI Introduction
After you log in to the router, a prompt is displayed, indicating that you enter the command line interface (CLI). The CLI is used by users to interact with the router.

2.1.1 Command Line Interface
You can configure and manage the router by using the CLI commands.

The characteristics of CLI are as follows:

- Local or remote configuration through the AUX port.
- Local configuration through console port.
- Local or remote configuration through Telnet or Secure Shell (SSH).
- Remote configuration by logging in to an asynchronous serial interface on the router through Modem dialup.
- The telnet command for directly logging in to and managing other routers.
- FTP service for file uploading and downloading.
- A user interface view for specific configuration management.
- Hierarchical command protection for users of different levels, that is, running the commands of the corresponding levels.
- Three authentication modes are supported, namely, none-authentication, password authentication, and Authentication, Authorization, and Accounting (AAA) authentication. Password and AAA authentication prohibit unauthorized users from logging in to the router, guaranteeing system security.
- Entering "?" for online help at any time.
- A command line interpreter provides intelligent command resolution methods such as key word fuzzy match and context conjunction. These methods make it easy for users to enter their commands.
- Network testing commands such as tracert and ping for rapidly diagnosing a network.
- Abundant debugging information to help in diagnosing the network.
- Running a command used previously on the device, like DosKey.

NOTE

- The system supports the command with up to 512 characters. The command can be incomplete. This means that you can input initial characters (one or some) of the command to represent the whole command. The incomplete command, however, must be unique in the system. For example, to use the display current-configuration command, just input d cu, di cu, or dis cu. d c or dis c, however, cannot be input, because they are not unique to represent the display current-configuration command.

- The system saves the incomplete command to the configuration files in the complete form; therefore, the command may have more than 512 characters. When the system is restarted, however, the incomplete command cannot be restored. Therefore, pay attention to the length of the incomplete command.

2.1.2 Command Levels
The system manages commands in hierarchy for security. The administrator can set user levels corresponding to command levels to implement user-specific access control.


The default command levels are as follows:

Table 2-1 Command line levels

| Level | Name | Description |
| --- | --- | --- |
| 0 | Visit level | Commands of this level include commands of network diagnosis tool (such as ping and tracert) and commands that start from the local device and visit external device (such as Telnet client side). |
| 1 | Monitoring level | Commands of this level, including the display commands, are used for system maintenance and fault diagnosis. |
| 2 | Configuration level | Commands of this level are service configuration commands that provide direct network service to the user, including routing and network layer commands. |
| 3 | Management level | Commands of this level are commands that influence the basic operation of the system and provide support to the service. They include file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, system internal parameter setting commands, and debugging commands that are used for fault diagnosis. |

To implement efficient management, you can increase the command levels to 0-15. For the increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring Command Levels in the HUAWEI NetEngine80E/40E Configuration Guide - Basic Configurations.

NOTE

- The default command level may be higher than the command level defined according to the command rules in application.

- The level of the command that a user can run is determined by the level of this user.

- Login users have the same 16 levels as the command levels. The login users can use only the command of the levels that are equal to or lower than their own levels. The user privilege level level command sets the user level.
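The abbreviation rule from the NOTE in 2.1.1 and the level rule above can be modelled together, for example to expand abbreviated entries in command history before matching them against detection or authorization rules. This is an added Python example, not code from the Huawei guide. It assumes the device matches the typed tokens against whole commands, which is consistent with d cu being accepted and d c being rejected; the command list and the level given to each command are constructed.

```python
# Constructed sample vocabulary: full command -> command level.
# Keywords are taken from this page where possible ("display clock" is an
# assumed second keyword starting with "c"). The level of each command is an
# assumption based on the descriptions in Table 2-1, not data from a device.
COMMANDS = {
    "ping": 0,
    "tracert": 0,
    "display current-configuration": 1,
    "display clock": 1,
    "display history-command": 1,
    "display ip routing-table": 1,
    "system-view": 2,
    "debugging": 3,
    "delete": 3,
    "dir": 3,
}


def _prefix_match(typed, full):
    """True if every typed token is a prefix of the token in the same position."""
    return len(typed) <= len(full) and all(
        f.startswith(t) for t, f in zip(typed, full)
    )


def resolve(line):
    """Expand an abbreviated command line.

    Returns (status, full_command). Status is "ok" or one of the error
    messages listed in Table 2-2 of this guide.
    """
    typed = line.split()
    if not typed:
        return ("Incomplete command", None)
    hits = [c for c in COMMANDS if _prefix_match(typed, c.split())]
    complete = [c for c in hits if len(c.split()) == len(typed)]
    if len(complete) == 1:
        return ("ok", complete[0])
    if len(complete) > 1:
        return ("Ambiguous command", None)
    if hits:  # the typed tokens match only the start of longer commands
        return ("Incomplete command", None)
    return ("Unrecognized command", None)


def authorize(line, user_level):
    """A user may run only commands whose level is equal to or lower than
    the user's own level (section 2.1.2)."""
    status, full = resolve(line)
    if status != "ok":
        return (status, full)
    if COMMANDS[full] > user_level:
        return ("denied", full)  # label chosen for this example
    return ("ok", full)


def normalize_history(entries):
    """Expand history entries, which the device saves as typed (section 2.3.4),
    to full commands. Entries that do not resolve are kept unchanged."""
    return [resolve(e)[1] or e for e in entries]


if __name__ == "__main__":
    for typed in ["d cu", "dis cu", "d c", "display", "foo"]:
        print(f"{typed!r:12} -> {resolve(typed)}")
    print(authorize("sys", 1))
    print(normalize_history(["disp ip routing", "display ip routing-table"]))
```

After normalization, disp ip routing and display ip routing-table compare equal, so a rule written against the full command also covers its abbreviated forms.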

Searching Commands Based on Command Levels
You can search for all commands of a specific level simultaneously. The procedure is as follows:

1. Open the command reference (.chm) file.
2. Click the "Search" tab. The search window will be displayed as shown in Figure 2-1.


Figure 2-1 Entering the search window

3. Enter a desired command level in the "Type in the word(s) to search for" textbox and click "List Topics". All commands of the specified level will be displayed as shown in Figure 2-2.


Figure 2-2 Searching commands based on a specific level

2.1.3 Command Line Views
The command line interface has different command views. All the commands are registered in one or more command views. You can run a command only when you enter the corresponding command view.

The following part uses the user, system, and BFD views as an example:

# Establish connection to the router. If the router adopts the default configuration, you can enter the user view with the prompt of <HUAWEI>.

<HUAWEI>

# Run the system-view command to enter the system view.

<HUAWEI> system-view
[HUAWEI]

# Run the aaa command in the system view to enter the AAA view.

[HUAWEI] aaa
[HUAWEI-aaa]


NOTE

- The command prompt "HUAWEI" is the default host name.
- The prompt indicates a specific view. For example, "<HUAWEI>" indicates the user view, and "[HUAWEI-ui-console0]" indicates the console user interface view.

Some commands can be used in both system and other views, but have different effects. For example, the mpls command can be run in the system view to enable MPLS globally or in the interface view to enable MPLS only on this interface.

2.2 Online Help
When inputting command lines or configuring services, you can use the online help function to obtain real-time help.

2.2.1 Full Help
When inputting a command, you can use the full help function to obtain all keywords or parameters of this command.

Procedure
- You can obtain the full help of a command line in the following manners.

  – Enter a question mark (?) in any command line view to display all the commands and their simple descriptions.
    <HUAWEI> ?
    User view commands:
      arp-ping             ARP-ping
      backup               Backup information
      batch-cmd            Batch commands
      board-channel-check  Board-Channel-Check enable/disable
      capture-packet       enable capturing packet
      cd                   Change current directory
    ......

  – Enter a command and a question mark (?) separated by a space. If the key word is at this position, all key words and their simple descriptions are displayed. For example:
    <HUAWEI> language-mode ?
      Chinese  Chinese environment
      English  English environment
    Chinese and English are keywords; Chinese environment and English environment describe the keywords respectively.

  – Enter a command and a question mark (?) separated by a space, and if a parameter is at this position, the related parameter names and parameter descriptions are displayed. For example:
    [HUAWEI] ftp timeout ?
      INTEGER<1-35791>  The value of FTP timeout (in minutes)
    [HUAWEI] ftp timeout 35 ?
      <cr>  Please press ENTER to execute command
    [HUAWEI] ftp timeout 35
    In the preceding display, INTEGER<1-35791> describes the parameter value; The value of FTP timeout (in minutes) is a simple description of the parameter usage; <cr> indicates that no parameter is at this position. The command is repeated in the next command line. You can press Enter to run the command.

----End


2.2.2 Partial Help
If you enter only the first one or a few characters of a command, you can use the partial help function to obtain all keywords following the character or character string.

Procedure
- You can obtain the partial help of a command line in the following manners.

  – Enter a character string with a question mark (?) closely following it to display all commands that begin with this character string.
    <HUAWEI> d?
      debugging  delete  dir  display

  – Enter a command and a character string with a question mark (?) closely following it to display all the key words that begin with this character string.
    <HUAWEI> display b?
      bas-interface  bfd  bgp  board-current  board-power  board-type
      bootmode-current  bootmode-next  bootrom  btv  buffer  bulk-stat

  – Enter the first several letters of a key word in the command and then press Tab to display the complete key word on the condition that the letters uniquely identify the key word. Otherwise, if you continue to press Tab, different key words are displayed. You can select the needed key word.

----End

2.2.3 Error Messages of the Command Line Interface
If an entered command passes the syntax check, the system executes it. Otherwise, the system prompts an error message.

A command entered by the user is run only if it passes the grammar check. Otherwise, an error message is reported to the user. See Table 2-2 for the common error messages.

Table 2-2 Common error messages of the command line

| Error messages | Cause of the error |
| --- | --- |
| Unrecognized command | The command cannot be found. The key word cannot be found. |
| Wrong parameter | Parameter type error. The parameter value exceeds the limit. |
| Incomplete command | Incomplete command entered |
| Too many parameters | Too many parameters entered |
| Ambiguous command | Indefinite parameters entered |


2.3 CLI Features
The CLI provides the following features to help users flexibly use it.

2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using certain keys.

The command line supports multi-line editing. The maximum length of each command is 512 characters.

Keys for editing that are often used are shown in Table 2-3.

Table 2-3 Keys for editing

| Key | Function |
| --- | --- |
| Common key | Inserts a character in the current position of the cursor if the editing buffer is not full and the cursor moves to the right. Otherwise, an alarm is generated. |
| Backspace | Deletes the character on the left of the cursor, and the cursor moves to the left. When the cursor reaches the head of the command, an alarm is generated. |
| Left cursor key ← or Ctrl_B | Moves the cursor to the left by the space of a character. When the cursor reaches the head of the command, an alarm is generated. |
| Right cursor key → or Ctrl_F | Moves the cursor to the right by the space of a character. When the cursor reaches the end of the command, an alarm is generated. |
| Tab | Press Tab after typing the incomplete key word and the system runs the partial help: (1) If the matching key word is unique, the system replaces the typed one with the complete key word and displays it in a new line with the cursor a space behind. (2) If there are several matches or no match at all, the system displays the prefix first. Then you can press Tab to view the matching key word one by one. In this case, the cursor closely follows the end of the word and you can type a space to enter the next word. (3) If a wrong key word is entered, press Tab and the word is displayed in a new line. |

2.3.2 Displaying
All command lines have the same displaying feature. You can construct the displaying mode as required.

You can control the display of information on the CLI as follows:


- Prompts and help information can be displayed in both Chinese and English. You can use the language-mode language-name command to change the language mode.

- If output information cannot be displayed on a full screen, you have three options to view the information, as shown in Table 2-4.

Table 2-4 Keys for displaying

| Key | Function |
| --- | --- |
| Ctrl_C | Stops the display and running of the command. NOTE: You can also press any of the keys except the spacebar and Enter key to stop the display and running of the command. |
| Space | Allows information to be displayed on the next screen. |
| Enter | Allows information to be displayed on the next line. |

2.3.3 Regular Expressions
The regular expression is an expression that describes a set of strings. It consists of common characters (such as letters from "a" to "z") and particular characters (also named metacharacters). The regular expression is a template according to which you can search for the required string. Users can use regular expressions to filter output information to rapidly locate desired information.

A regular expression can provide the following functions:
- Searching for and obtaining a sub-string that matches a rule in the string.
- Substituting a string according to a certain matching rule.

Formal Language Theory of the Regular Expression
The regular expression consists of common characters and particular characters.

- Common characters
  Common characters are used to match themselves in a string, including all upper-case and lower-case letters, digits, punctuation, and special symbols. For example, a matches the letter "a" in "abc", 202 matches the digit "202" in "202.113.25.155", and @ matches the symbol "@" in "[email protected]".

- Particular characters
  Particular characters are used together with common characters to match the complex or particular string combination. Table 2-5 describes particular characters and their syntax.


Table 2-5 Description of particular characters

Particular character: \
Syntax: Defines an escape character, which is used to mark the next character (common or particular) as the common character.
Example: \* matches "*".

Particular character: ^
Syntax: Matches the starting position of the string.
Example: ^10 matches "10.10.10.1" instead of "20.10.10.1".

Particular character: $
Syntax: Matches the ending position of the string.
Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".

Particular character: *
Syntax: Matches the preceding element zero or more times.
Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".

Particular character: +
Syntax: Matches the preceding element one or more times.
Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".

Particular character: ?
Syntax: Matches the preceding element zero or one time.
Example: 10? matches "1" and "10". (10)? matches "null" and "10".

Particular character: .
Syntax: Matches any single character.
Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".

Particular character: ()
Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression should be matched.
Example: 100(200)+ matches "100200" and "100200200".

Particular character: x|y
Syntax: Matches x or y.
Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234", "14", "1224", and "1334".

Particular character: [xyz]
Syntax: Matches any single character in the regular expression.
Example: [123] matches the character 2 in "255".

Particular character: [^xyz]
Syntax: Matches any character that is not contained within the brackets.
Example: [^123] matches any character except for "1", "2", and "3".

Particular character: [a-z]
Syntax: Matches any character within the specified range.
Example: [0-9] matches any character ranging from 0 to 9.

Particular character: [^a-z]
Syntax: Matches any character beyond the specified range.
Example: [^0-9] matches all non-numeric characters.

Particular character: _
Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", and right parenthesis ")". Matches the starting position of the input string. Matches the ending position of the input string. Matches a space.
Example: _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

- Degeneration of particular characters
  Certain particular characters, when being placed at the following positions in the regular expression, degenerate to common characters.
  – A particular character following "\" is escaped and matches the particular character itself.
  – The particular characters "*", "+", and "?" placed at the starting position of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
  – The particular character "^" placed at any position except for the start of the regular expression. For example, abc^ matches "abc^".
  – The particular character "$" placed at any position except for the end of the regular expression. For example, 12$2 matches "12$2".
  – A right bracket such as ")" or "]" that is not paired with its corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".

NOTE

Unless otherwise specified, degeneration rules are applicable when preceding regular expressions serve as subexpressions within parentheses.

- Combination of common and particular characters
  In actual application, a regular expression combines multiple common and particular characters to match certain strings.


Specifying a Filtering Mode in Command

CAUTION
The HUAWEI NetEngine80E/40E uses a regular expression to implement the filtering function of the pipe character. A display command supports the pipe character only when there is excessive output information.

When the output information is queried according to the filtering conditions, the first line of the command output starts with the information containing the regular expression.

The command can carry the parameter | count to display the number of matching entries. The parameter | count can be used together with other parameters.

For the commands supporting regular expressions, the three filtering methods are as follows:

- | begin regular-expression: displays the information that begins with the line that matches regular expression.

- | exclude regular-expression: displays the information that excludes the lines that match regular expression.

- | include regular-expression: displays the information that includes the lines that match regular expression.

NOTE

The value of regular-expression is a string of 1 to 255 characters.

Specify a Filtering Mode when Information is Displayed

When a lot of information is displayed, you can specify a filtering mode in the prompt "---- More ----".

- /regular-expression: displays the information that begins with the line that matches regular expression.

- -regular-expression: displays the information that excludes lines that match regular expression.

- +regular-expression: displays the information that includes lines that match regular expression.
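The three filter modes, the count parameter and the "_" character from Table 2-5 can be tried offline on saved output before a filter is relied on in an audit. The following is an added Python example, not Huawei's implementation. It assumes that "_" inside [...] is a common character and that every other particular character behaves like its Python counterpart; the degeneration rules are not modelled, and the SAMPLE lines are constructed.

```python
import re

# What "_" stands for in Table 2-5: the start of the string, the end of the
# string, a space, or one of the characters , { } ( )
DELIMS = r"(?:^|$|[,{}() ])"

# Constructed lines in the style of a configuration listing (not device output).
SAMPLE = [
    "interface GigabitEthernet1/0/0",
    " ip address 10.10.10.1 255.255.255.0",
    "interface GigabitEthernet2/0/0",
    " ip address 20.10.10.1 255.255.255.0",
    "bgp 2008",
    " peer 10.10.10.2 as-number 120081",
]


def to_python_regex(pattern):
    """Translate a filter pattern into Python regular-expression syntax.

    Only "_" and the escape character are rewritten. Assumptions of this
    example: "_" inside [...] stays literal, and all other particular
    characters are passed to Python unchanged.
    """
    if not 1 <= len(pattern) <= 255:
        raise ValueError("regular-expression must be 1 to 255 characters")
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            # Escape: the next character is a common character. A trailing
            # backslash is treated as a literal backslash.
            nxt = pattern[i + 1] if i + 1 < len(pattern) else "\\"
            out.append(re.escape(nxt))
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(DELIMS if ch == "_" and not in_class else ch)
        i += 1
    return "".join(out)


def matches(pattern, text):
    """True if the pattern matches anywhere in text."""
    return re.search(to_python_regex(pattern), text) is not None


def pipe_filter(lines, mode, pattern):
    """Apply | begin, | include or | exclude to a list of output lines."""
    rx = re.compile(to_python_regex(pattern))
    if mode == "include":
        return [ln for ln in lines if rx.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if mode == "begin":
        for idx, ln in enumerate(lines):
            if rx.search(ln):
                return lines[idx:]
        return []
    raise ValueError("mode must be begin, include or exclude")


def count(lines, mode, pattern):
    """Model of | count combined with one of the filter modes."""
    return len(pipe_filter(lines, mode, pattern))


if __name__ == "__main__":
    # "2008" on its own line matches; "120081" does not, because "_" requires
    # a delimiter or a string boundary on both sides.
    print(pipe_filter(SAMPLE, "include", "_2008_"))
    print(pipe_filter(SAMPLE, "begin", "^bgp"))
    print(count(SAMPLE, "exclude", "ip address"))
```

A plain 2008 pattern would also select the as-number 120081 line, which is why the delimiter form matters when a filter is used to confirm that a value is absent.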

2.3.4 Previously-Used Commands
The CLI provides a function similar to DosKey to automatically save commands used previously on the device. If you need to run a command that has been executed, you can call the command from those that have been used previously on the device. This facilitates user operation.

By default, the system saves a maximum of 10 previously-used commands for each user. You can run the history-command max-size size-value command in the user view to set the number of previously-used commands saved in the system. A maximum of 256 previously-used commands can be saved in the system.


NOTE
Setting the number of saved previously-used commands to a proper value is recommended. If a large number of previously-used commands are saved, it will take a long time to locate a needed previously-used command, affecting efficiency.

The operations are shown in Table 2-6.

Table 2-6 Access the previously-used commands

| Action | Key or Command | Result |
| --- | --- | --- |
| Display previously-used commands. | display history-command | Display previously-used commands entered by users. |
| Access the last previously-used command. | Up cursor key (↑) or Ctrl_P | Display the last previously-used command if there is an earlier previously-used command. Otherwise, an alarm is generated. |
| Access the next previously-used command. | Down cursor key (↓) or Ctrl_N | Display the next previously-used command if there is a later previously-used command. Otherwise, the command is cleared and an alarm is generated. |

NOTE

On the HyperTerminal of Windows 9X, cursor key ↑ is invalid as the HyperTerminals of Windows 9X define the keys differently. In this case, you can replace the cursor key ↑ with Ctrl_P.

When you use previously-used commands, note the following points:

- The saved previously-used commands are the same as those entered by users. For example, if the user enters an incomplete command, the saved command also is incomplete.

- If the user runs the same command several times, the earliest command is saved. If the command is entered in different forms, they are considered as different commands.
  For example, if the display ip routing-table command is run several times, only one previously-used command is saved. If the disp ip routing command and the display ip routing-table command are run, two previously-used commands are saved.

2.3.5 Batch Command Execution
If multiple commands are frequently used consecutively, you can edit these commands to be executed in batches. This simplifies command input and improves efficiency.

Procedure

Step 1 In the user view, run:
batch-cmd edit

Commands are edited to be executed in batches.

The batch-cmd edit command can be used by only one user at a time.

The maximum length of a command (including the incomplete command) to be entered is 512 characters.

When editing commands, press Enter to complete the editing of each command.

NOTE

• After the batch-cmd edit command is run successfully to edit the commands to be executed in batches, the system deletes the original commands to be run in batches.

• The commands that are already edited are saved in memory and are deleted permanently when the system is restarted.

Step 2 After all commands are edited, press the shortcut keys Ctrl_Z to exit the editing state and return to the user view.

Step 3 In the user view, run:
batch-cmd execute

The commands are executed in batches.

The batch-cmd execute command can be used by only one user at a time.

The sequence of running commands is the same as the sequence of editing commands. You can view the execution of these commands on the CLI. After the execution is complete, the user view is displayed.

NOTE

If the batch-cmd edit or batch-cmd execute command is among the commands to be executed in batches, the system displays an error when executing the batch-cmd edit or batch-cmd execute command and continues to execute the following commands.

----End

2.4 Shortcut Keys
Using the system or user-defined shortcut keys makes it easier to enter commands.

2.4.1 Classifying Shortcut Keys
There are two types of shortcut keys, namely, system shortcut keys and user-defined shortcut keys. Familiarize yourself with shortcut keys so as to use them accurately.

The shortcut keys in the system are classified into the following types:

• User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can correlate these shortcut keys with any commands. When the shortcut keys are pressed, the system automatically runs the corresponding command. For details of defining the shortcut keys, see 2.4.2 Defining Shortcut Keys.

• System-defined shortcut keys: These shortcut keys with fixed functions are defined by the system. Table 2-7 lists the system-defined shortcut keys.

NOTE

Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may be different from those listed in this section.

Table 2-7 System-defined shortcut keys

| Key | Function |
|---|---|
| CTRL_A | The cursor moves to the beginning of the current line. |
| CTRL_B | The cursor moves to the left by the space of a character. |
| CTRL_C | Terminates the running function. |
| CTRL_D | Deletes the character where the cursor lies. |
| CTRL_E | The cursor moves to the end of the current line. |
| CTRL_F | The cursor moves to the right by the space of a character. |
| CTRL_H | Deletes one character on the left of the cursor. |
| CTRL_K | Stops the creation of the outbound connection. |
| CTRL_N | Displays the next command in the previously-used command buffer. |
| CTRL_P | Displays the previous command in the previously-used command buffer. |
| CTRL_R | Repeats the display of the information of the current line. |
| CTRL_T | Terminates the outbound connection. |
| CTRL_V | Pastes the contents on the clipboard. |
| CTRL_W | Deletes a character string or character on the left of the cursor. |
| CTRL_X | Deletes all the characters on the left of the cursor. |
| CTRL_Y | Deletes all the characters on the place of the cursor and the right of the cursor. |
| CTRL_Z | Returns to the user view. |
| CTRL_] | Terminates the inbound or redirection connections. |
| ESC_B | The cursor moves to the left by the space of a word. |
| ESC_D | Deletes a word on the right of the cursor. |
| ESC_F | The cursor moves to the right to the end of next word. |
| ESC_N | The cursor moves downward to the next line. |
| ESC_P | The cursor moves upward to the previous line. |
| ESC_SHIFT_< | Sets the position of the cursor to the beginning of the clipboard. |
| ESC_SHIFT_> | Sets the position of the cursor to the end of the clipboard. |

2.4.2 Defining Shortcut Keys
If one or multiple commands are frequently used, you can correlate these commands with shortcut keys. This facilitates user operation and improves efficiency. Only management-level users have the rights to define shortcut keys.

Configure as follows in the system view.

Action: Define shortcut keys
Command: hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

NOTE

When defining the shortcut keys, use double quotation marks to define the command if this command contains several command words, that is, if spaces exist in the command.

By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commands respectively:

• CTRL_G: display current-configuration

• CTRL_L: display ip routing-table

• CTRL_O: undo debugging all

By default, CTRL_U is not correlated with any command.

2.4.3 Use of Shortcut Keys
You can use the shortcut key at any position that allows a command to be entered. The system executes an entered shortcut key and displays the corresponding command on the screen in the same way as you enter a complete command.

• If you have typed part of a command and have not pressed Enter, you can press the shortcut keys to clear the entered command and display the full corresponding command. This operation has the same effect as that of deleting all commands and then re-entering the complete command.

• The shortcut keys are run as commands; the syntax is recorded in the command buffer and log for fault location and querying.

NOTE

The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcut keys of the terminal conflict with those of the router, the input shortcut keys are captured by the terminal program and hence the shortcut keys do not function.

Run the following command in any view to display the use of shortcut keys.

Action: Check the usage of shortcut keys.
Command: display hotkey

2.5 Configuration Examples
This section provides several examples for using command lines.

2.5.1 Example for Running Commands in Batches
This part provides an example for running commands in batches. In this example, by editing the commands to be run in batches, you can configure the system to automatically run the commands in batches.

Context
If commands are frequently used consecutively, especially a large number of commands, you can run the commands in batches to improve efficiency.

For example, during the preventive maintenance inspection (PMI), you can run commands in batches. That is, enter all PMI commands once and then send all the command output information to the PMI tool, which can improve the PMI efficiency.

Log in to the router and do as follows:

Procedure

Step 1 Edit the display users, display startup, and display clock commands to be run in batches.

<HUAWEI> batch-cmd edit
Info: Begin editing batch commands. Press "Ctrl+Z" to abort this session.
display users
display startup
display clock
<HUAWEI>

Step 2 Run the commands in batches.

<HUAWEI> batch-cmd execute
<HUAWEI>batch-cmd execute command: display users

User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
35 VTY 1 00:00:00 TEL 190.120.2.19 no
Username : Unspecified
<HUAWEI>batch-cmd execute command: display startup

MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
<HUAWEI>batch-cmd execute command: display clock

2011-01-27 01:25:24
Thursday
Time Zone(DefaultZoneName) : UTC
<HUAWEI>batch-cmd execute finished.

----End
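
The following is an added example, not part of the Huawei guide: a Python helper for the PMI use case above that checks a batch list against the limits in section 2.3.5 and splits the batch-cmd execute output into one section per command. The function names are hypothetical and the sample transcript is constructed from the output shown in Step 2, with the display startup output shortened.

```python
import re

MAX_COMMAND_LENGTH = 512  # per-command limit stated in section 2.3.5

# Markers as they appear in the section 2.5.1 transcript.
COMMAND_MARKER = re.compile(r"^<[^>]+>\s*batch-cmd execute command:\s*(.+?)\s*$")
FINISHED_MARKER = re.compile(r"^<[^>]+>\s*batch-cmd execute finished\.\s*$")
NESTED_BATCH = re.compile(r"^batch-cmd\s+(edit|execute)\b")


def check_batch(commands):
    """Return (position, problem) pairs for entries the guide warns about."""
    problems = []
    for position, command in enumerate(commands, start=1):
        text = command.strip()
        if len(text) > MAX_COMMAND_LENGTH:
            problems.append((position, "exceeds 512 characters"))
        elif NESTED_BATCH.match(text):
            problems.append((position, "nested batch-cmd: error shown, batch continues"))
    return problems


def split_transcript(transcript):
    """Split batch-cmd execute output into an ordered list of
    (command, output_lines) and report whether the finished marker was seen."""
    sections = []
    finished = False
    for line in transcript.splitlines():
        if FINISHED_MARKER.match(line):
            finished = True
            break
        marker = COMMAND_MARKER.match(line)
        if marker:
            sections.append((marker.group(1), []))
        elif sections and line.strip():
            # Output lines belong to the most recent command marker.
            sections[-1][1].append(line.strip())
    return sections, finished


def missing_commands(commands, sections):
    """Commands edited into the batch that have no section in the output,
    for example because the session dropped before the batch finished."""
    seen = [command for command, _ in sections]
    return [c.strip() for c in commands if c.strip() not in seen]


# Constructed sample, based on the Step 2 output with display startup shortened.
SAMPLE_TRANSCRIPT = """\
<HUAWEI> batch-cmd execute
<HUAWEI>batch-cmd execute command: display users

User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
35 VTY 1 00:00:00 TEL 190.120.2.19 no
Username : Unspecified
<HUAWEI>batch-cmd execute command: display startup

MainBoard:
Startup system software: cfcard:/V600R003C00SPC300.cc
Startup saved-configuration file: cfcard:/vrp.cfg
<HUAWEI>batch-cmd execute command: display clock

2011-01-27 01:25:24
Thursday
Time Zone(DefaultZoneName) : UTC
<HUAWEI>batch-cmd execute finished.
"""

if __name__ == "__main__":
    batch = ["display users", "display startup", "display clock"]
    print("problems:", check_batch(batch + ["batch-cmd execute"]))
    sections, finished = split_transcript(SAMPLE_TRANSCRIPT)
    for command, lines in sections:
        print("%-16s %d output lines" % (command, len(lines)))
    print("complete:", finished, "missing:", missing_commands(batch, sections))
```

A transcript without the "batch-cmd execute finished." line is reported as incomplete, so a truncated capture is not mistaken for a full inspection run.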

2.5.2 Example for Using Tab
This example shows how to use the Tab key. After inputting an incomplete keyword, you can press Tab and obtain all related keywords or verify the correctness of the input keyword.

Context

Usually, you do not need to input complete keywords. Instead, you can just input one or a few beginning characters of a keyword and press Tab to complete the keyword. The Tab key helps search for and use commands.

Procedure
• Tab can be used in three ways as shown in the following example.

  – The matching key word is unique after the incomplete key word is input.

    1. Input the incomplete key word.
       [HUAWEI] info-

    2. Press Tab.
       The system replaces the input one with the complete key word and displays it in a new line with the cursor leaving a space behind.
       [HUAWEI] info-center

  – There are several matches or no match after the incomplete key word is input.
    # info-center can be followed by three key words.
    [HUAWEI] info-center log?
      logbuffer
      logfile
      loghost

    1. Input the incomplete key word.
       [HUAWEI] info-center l

    2. Press Tab.
       The system displays the prefix first. The prefix in this example is "log".
       [HUAWEI] info-center log

       Continue to press Tab. The cursor is closely following the end of the word.
       [HUAWEI] info-center loghost
       [HUAWEI] info-center logbuffer
       [HUAWEI] info-center logfile

       Stop pressing Tab after the key word logfile that you need is displayed.

    3. Input a space to enter the next word channel.
       [HUAWEI] info-center logfile channel

  – Input an incorrect keyword and press Tab to check the correctness of the keyword.

    1. Input a wrong keyword loglog.
       [HUAWEI] info-center loglog

    2. Press Tab.
       [HUAWEI] info-center loglog

       The system displays information in a new line, but the keyword loglog remains unchanged and there is no space between the cursor and the keyword, indicating that this keyword does not exist.

----End

2.5.3 Example for Using Shortcut Keys
This example shows how to use shortcut keys. In this example, frequently-used commands are correlated with shortcut keys. You can press the shortcut keys instead of inputting the commands. This facilitates user operation and improves efficiency.

Context

If the login router is defined with shortcut keys, the shortcut keys can be used by any user regardless of the user level.

Procedure

Step 1 Correlate Ctrl_U with the display ip routing-table command and run the shortcut keys.

<HUAWEI> system-view
[HUAWEI] hotkey ctrl_u "display ip routing-table"

NOTE

When defining shortcut keys for a command, use double quotation marks to quote the command if the command consists of multiple words, which are separated by spaces. No double quotation marks are required for single-word commands.

Step 2 Press Ctrl_U when the prompt [HUAWEI] appears.

[HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8
Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface
     51.51.51.9/32  Direct 0    0        D     127.0.0.1       InLoopBack0
      100.2.0.0/16  Direct 0    0        D     100.2.150.51    GigabitEthernet0/0/0
   100.2.150.51/32  Direct 0    0        D     127.0.0.1       InLoopBack0
  100.2.255.255/32  Direct 0    0        D     127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct 0    0        D     127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0        D     127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0        D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0        D     127.0.0.1       InLoopBack0
---------------------------------------------------------------------

----End

2.5.4 Example for Copying Commands Using Shortcut Keys
This example shows how to copy commands by using shortcut keys. In this example, after a specified command is copied by using shortcut keys, you can use the shortcut keys Ctrl_Shift_V to paste the command.

Context

If you need to repeatedly run a command, you can use shortcut keys to copy the command.

The copied command is saved on the clipboard and is available for only the current logged-in user. After the user logs out of the router, the clipboard is cleared.

You can use shortcut keys to copy a command in any view.

Procedure

Step 1 Move the cursor to the beginning of the command and press Esc_Shift_<. Move the cursor to the end and press Esc_Shift_>.

<HUAWEI> display ip routing-table

Step 2 Run the display clipboard command to view the contents on the clipboard.

<HUAWEI> display clipboard
---------------- CLIPBOARD-----------------
display ip routing-table

Step 3 Enter the command in any view, and press Ctrl_Shift_V to paste the contents of clipboard.

<HUAWEI> display ip routing-table

NOTE

If you press shortcut keys to copy a new command, you can paste only the new command by using shortcut keys.

----End

3 Basic Configuration

About This Chapter

This chapter describes how to configure the router to suit your usage habits and the actual environment requirements after logging in to the router.

3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.

3.2 Displaying System Status Messages
This section describes how to use display commands to check basic configurations of the current system.

3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.

3.1.1 Establishing the Configuration Task
Before configuring the basic system environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Before configuring services, you need to configure the basic system environment (such as the language mode, time, device name, login information, and command level) to meet the environment requirement.

Pre-configuration Tasks
Before configuring the basic system environment, complete the following task:

• Powering on the router

Data Preparation
To configure the basic system environment, you need the following data.

| No. | Data |
|---|---|
| 1 | Language mode |
| 2 | System time |
| 3 | Host name |
| 4 | Login information |
| 5 | Command level |

3.1.2 Switching the Language Mode
You can switch between the Chinese mode and the English mode as needed.

Context
After the language mode is switched, the system displays prompts and outputs of command lines in the specified language.

Language information (Chinese and English) has been stored in the system software and does not need to be loaded.

Do as follows in the user view:

Procedure
• Run:

language-mode { chinese | english }

The language mode is switched.

By default, the English mode is used.

The help information on the router can be in English or in Chinese. The language mode is stored in the system software and does not need to be loaded.

----End

3.1.3 Configuring the Equipment Name
When multiple devices on the network need to be managed, you can identify them by setting an equipment name for each device.

Context
The new equipment name takes effect immediately.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sysname host-name

The equipment name is set.

By default, the equipment name of the router is HUAWEI.

You can change the name of the router that appears in the command prompt.

----End

3.1.4 Setting the System Clock
You need to set the system time properly to ensure the cooperation between the NE80E/40E and other devices.

Context
The system clock displays the current time and date of the system, time zone to which the system belongs, and daylight saving time. The NE80E/40E supports the configurations of the time zone and the daylight saving time.

Do as follows in the user view:

Procedure

Step 1 Run:
clock datetime [ utc ] HH:MM:SS YYYY-MM-DD

The current date and time is set.

Step 2 Run:
clock timezone time-zone-name { add | minus } offset

The time zone is set.

• If add is configured, the current time is the UTC time plus the time offset. That is, the default UTC time plus offset is equal to the time of time-zone-name.

• If minus is configured, the current time is the UTC time minus the time offset. That is, the default UTC time minus offset is equal to the time of time-zone-name.

NOTE

UTC stands for the Universal Time Coordinated.

Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

or

clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

The daylight saving time is set.

By default, the daylight saving time is not set.

During the configuration of the daylight saving time, you can configure the starting time and ending time in one of the following modes: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.

CAUTION
When the device is upgraded from an earlier version to the V600R003C00 version, the configured daylight saving time does not take effect and needs to be reconfigured.

----End

3.1.5 Configuring a Header
If you need to provide information for users logging in, you can configure a header that the system displays during or after login.

Context

A header text is a message displayed by the system while and after a user logs in to the router.

If you need to provide information for login users, you can configure a header that the system displays during login or after login.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
header login { information text | file file-name }

The header displayed during login is set.

Step 3 Run:
header shell { information text | file file-name }

The header displayed after login is set.

To display the header when the terminal connection has been activated but the user has not yet been authenticated, configure the parameter login.

To display the header after the user logs in successfully, configure the parameter shell.

If the user can log in to the router without authentication, the system directly displays the header after the login.

CAUTION
• The header text starts and ends with the same character. After a character is input and Enter is pressed, an interactive interface is displayed. You can input the required information ended with the first character. The system then exits from the interactive interface.

• If a user logs in to the router by using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.

• If a user logs in to the router by using SSH2.0, both login and shell headers are displayed.

----End

3.1.6 Configuring Command Levels
This section describes how to configure command levels to ensure device security or allow low-level users to run high-level commands. By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights management is required, you can divide commands into 16 levels, that is, from Level 0 to Level 15.

Context
If the user does not adjust a command level separately, after the command level is updated, all originally-registered command lines adjust automatically according to the following rules:

• The commands of Level 0 and Level 1 remain unchanged.
• The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated to Level 15.
• No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust the command lines to these levels separately to refine the management of privilege.

CAUTION
Changing the default level of a command is not recommended. If the default level of a command is changed, some users may be unable to use the command any longer.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
command-privilege level rearrange

The command levels are updated in batches.

When no password is configured for a Level 15 user, the system prompts the user to set a super-password for the Level 15 user. At the same time, the system asks if the user wants to continue with the update of command line levels. In this case, select "N" to set a password. If you select "Y", the command levels are updated in batches directly. This results in users who do not log in through the console port failing to update the level.

Step 3 Run:
command-privilege level level view view-name command-key

The command level is configured. With this command, you can specify the level and view for multiple commands at one time (command-key).

All commands have default command views and levels. You do not need to reconfigure them.

----End
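
The following is an added example, not part of the Huawei guide: a Python model of the batch update rules above that lists which commands each user can no longer run afterwards. It assumes that a user may run a command whose level is not higher than the user's own level and that the update leaves user levels unchanged; the function names are hypothetical and the command levels and user names in the sample are constructed.

```python
# Automatic mapping applied by command-privilege level rearrange (section 3.1.6).
REARRANGE_MAP = {0: 0, 1: 1, 2: 10, 3: 15}


def levels_after_rearrange(default_levels, adjusted=None):
    """Return {command: level} after the batch update.

    default_levels: {command: level 0-3} as originally registered.
    adjusted: {command: level 0-15} for commands whose level was set
    separately with command-privilege level; these are not remapped.
    """
    adjusted = adjusted or {}
    result = {}
    for command, level in default_levels.items():
        if command in adjusted:
            result[command] = adjusted[command]
        else:
            result[command] = REARRANGE_MAP[level]
    return result


def lockout_report(default_levels, user_levels, adjusted=None):
    """Return {user: [commands runnable before the update but not after]}.

    Assumption: a command is runnable when its level is not higher than
    the user level, and user levels are not changed by the update.
    """
    adjusted = adjusted or {}
    before = {c: adjusted.get(c, lvl) for c, lvl in default_levels.items()}
    after = levels_after_rearrange(default_levels, adjusted)
    report = {}
    for user, user_level in user_levels.items():
        report[user] = sorted(
            c for c in before if before[c] <= user_level < after[c]
        )
    return report


def level_needed_to_keep_access(user_level):
    """Level a user of the 4-level scheme needs in the 16-level scheme."""
    return REARRANGE_MAP[user_level]


# Constructed sample data: the command names appear in this guide, but the
# levels attached to them and the user names are made up for the illustration.
SAMPLE_COMMANDS = {
    "display clock": 0,
    "display history-command": 1,
    "batch-cmd execute": 2,
    "hotkey": 3,
    "command-privilege level": 3,
}
SAMPLE_USERS = {"monitor": 1, "operator": 2, "admin": 3}

if __name__ == "__main__":
    for user, lost in lockout_report(SAMPLE_COMMANDS, SAMPLE_USERS).items():
        needed = level_needed_to_keep_access(SAMPLE_USERS[user])
        print("%-8s loses %s; needs level %d" % (user, lost or "nothing", needed))
```

In the sample, the level 3 user loses the command that configures command levels, which is why the guide tells you to set the Level 15 password before continuing with the update.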

3.1.7 Configuring the Undo Command to Match in the Previous View Automatically

You can run the undo command in the current view and thus the system automatically matches the previous view.

Context
If the user allows the undo command to automatically match the previous view and the user runs the undo command that is not registered in the current view, the system searches the undo command in the previous view.

CAUTION
The undo command has disadvantages due to automatic matching. For example, when the user runs the undo ospf command in the interface view where the command is not registered, the system searches in system view automatically. This may lead to global deletion of the OSPF feature.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
matched upper-view

The undo command is configured to match the upper level view.

By default, the undo command does not match the previous view automatically.

NOTE

• The matched upper-view command is valid for current login users who run this command.

• It is not recommended that you configure the undo command to automatically match the upper level view, unless necessary.

----End

3.2 Displaying System Status Messages
This section describes how to use display commands to check basic configurations of the current system.

Context
You can use the display commands to collect information about the system status. The display commands are classified according to the following functions:

• Displays system configurations.
• Displays the running status of the system.
• Displays the diagnostic information about a system.
• Displays the restart information about the main control board.

See the related sections for display commands for protocols and interfaces. The following part only shows the system-level display commands.

Run the following commands in any view.

3.2.1 Displaying System Configuration
This section describes how to check the system version, system time, original configuration, and current configuration by using command lines.

Prerequisite
Basic configurations are complete.

Procedure
• Run the display version command to display the system version.

• Run the display clock [ utc ] command to display the system time.

• Run the display calendar command to display system calendar.

• Run the display saved-configuration command to display the original configuration.

• Run the display current-configuration command to display the current configuration.

NOTE

• The display version command can be used to display the software version of the system, the chassis type, and the information about the main control board and interface board.

• The original configuration refers to information about configuration files used by the device when the device has been powered on and is being initialized. The current configuration refers to the configuration files taking effect during the device operation. For details, see the chapter "Configuring System Startup" in the NE80E/40E Basic-Configuration.

----End

3.2.2 Displaying System Status
This section describes how to check the system operating status (the configuration of the current view) by using command lines.

Prerequisite
Basic configurations are complete.

Procedure
• Run the display this command to display the configuration of the current view.

----End

3.2.3 Collecting System Diagnostic Information
This section describes how to collect information about all modules in the system.

Context

When the system fails to perform routine maintenance, you need to collect a lot of information to locate faults. Then, you have to run different display commands to collect all information. In this case, you can use the display diagnostic-information command to collect all information about the current running modules in the system.

Procedure
• Run:

display diagnostic-information [ file-name ]

The system diagnosis information is displayed.

The display diagnostic-information command collects all information collected by running the following commands, including display clock, display version, display cpu-usage, display interface, display current-configuration, display saved-configuration, display history-command, and so on.

----End

4 Configuring User Interface

About This Chapter

A user can log in to the router by using a console port or an AUX port, or by means of Telnet or SSH (STelnet). For users logging in to the router in different modes, the system uses different user interfaces to manage the sessions between the router and the users.

4.1 User Interface Overview
The system supports console, AUX, and VTY user interfaces.

4.2 Configuring the Console User Interface
When a user logs in to the router by using a console port for local maintenance, you can configure attributes for the corresponding console user interface as needed.

4.3 Configuring the AUX User Interface
When a user logs in to the router for local or remote configuration by using an AUX port, configuring attributes in the corresponding AUX user interface is needed.

4.4 Configuring VTY User Interface
If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you can configure the corresponding VTY user interface as needed.

4.5 Configuration Examples
This section provides examples for configuring console, AUX, and VTY user interfaces. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

4.1 User Interface Overview
The system supports console, AUX, and VTY user interfaces.

Each user interface has a corresponding user interface view. A user interface view is a command line view provided by the system. It is used to configure and manage all the physical and logical interfaces in asynchronous mode.

User Interfaces Supported by the System
• Console port (CON)
  The console port is a serial port provided by the main control board of the router.
  The main control board provides one EIA/TIA-232 DCE console port for local configuration by directly connecting a terminal to a router.

• Auxiliary port (AUX)
  It is a linear port provided by the main control board of the router and supports the dialup by using a modem.
  Each main control board provides one AUX port with the type of EIA/TIA-232 DTE. A terminal can remotely access the router through the modem on the AUX port.

• Virtual type terminal (VTY)
  It is a logical terminal line. A VTY connection is set up when a router connects to a terminal by means of Telnet. It is used for local or remote access to a router. A maximum of 16 users can log in to the router by using the VTY user interface.

Numbering of a User Interface
After a user logs in to the router, the system assigns an idle user interface of the smallest number to the user according to the user's login mode. You can number a user interface in the following manners:

• Relative numbering
  The relative numbering is in the format of user interface type + number.
  The relative numbering is available for interfaces of a specific type. It is used only to specify one or a group of user interfaces of a specified type. Relative numbering must comply with the following rules:
  – Number of the console port: CON 0
  – Number of the auxiliary port: AUX 0
  – Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on

• Absolute numbering
  The absolute numbering is used to uniquely specify a user interface or a group of user interfaces.
  The number starts with 0. The ports are numbered in the sequence of CON → AUX → VTY. There is only one console port and one AUX port and 0-15 VTY interfaces. You can use the user-interface maximum-vty command to set the maximum number of user interfaces. The default number is five.
  By default, the system supports three types of user interfaces: CON, AUX, and VTY. Table 4-1 shows the absolute numbers of the user interfaces in this system.


Table 4-1 Example for the absolute numbering

Absolute number    User-interface
0                  CON0
33                 AUX0
34                 The first virtual interface (VTY0)
35                 The second virtual interface (VTY1)
36                 The third virtual interface (VTY2)
37                 The fourth virtual interface (VTY3)
38                 The fifth virtual interface (VTY4)

NOTE

The absolute numbers allocated for AUX and VTY interfaces are device-specific.

The numbers from 1 to 32 are reserved for the TTY user interfaces.

Run the display user-interface command to view the absolute number of user interfaces.

Authentication of a User Interface

After a user is configured, the system authenticates the user during user login.

There are three user authentication modes: non-authentication, password authentication, and AAA.

• Non-authentication: In this mode, users can log in to the router without entering usernames or passwords. For security, this mode is not recommended.

• Password authentication: In this mode, users need to enter passwords, not usernames, during the login process.

• AAA authentication: In this mode, users need to enter passwords and usernames during the login process. Telnet users are usually authenticated in this mode.

Priority of a User Interface

Users that log in to the router are managed according to their levels.

Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

The level of the command that a user can run is determined by the level of this user.

• In the case of non-authentication or password authentication, the level of the command that the user can run is determined by the level of the user interface.

• In the case of AAA authentication, the command that the user can run is determined by the level of the local user specified in the AAA configuration.


4.2 Configuring the Console User Interface

When a user logs in to the router by using a console port for local maintenance, you can configure attributes for the corresponding console user interface as needed.

4.2.1 Establishing the Configuration Task

Before configuring the console user interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If you need to log in to the router for local maintenance by using a console port, you can configure the corresponding console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. The preceding parameters have default values on the router and additional configuration is not needed. You can configure these parameters as needed.

Pre-configuration Tasks

Before configuring a console user interface, complete the following tasks:

• Logging in to the router by using a terminal

Data Preparation

To configure a console user interface, you need the following data.

No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, number of lines displayed in a terminal screen, and the size of history command buffer
3    User priority
4    User authentication method, user name, and password

NOTE

All the default values (excluding the password and username) are stored on the router and do not need additional configuration.

4.2.2 Setting Physical Attributes of Console User Interface

You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console port.


Context

Physical attributes of a console port have default values on the router and no additional configuration is needed.

NOTE

When a user logs in to a router through a console port, the physical attributes set for the console port on the HyperTerminal should be consistent with the attributes of the console user interface on the router. Otherwise, the user cannot log in to the router.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface console interface-number

The console user interface view is displayed.

Step 3 Run: speed speed-value

The baud rate is set.

By default, the baud rate is 9600 bit/s.

Step 4 Run: flow-control { hardware | none | software }

The flow control mode is set. By default, the flow-control mode is none.

Step 5 Run: parity { even | mark | none | odd | space }

The parity mode is set.

By default, the value is none.

Step 6 Run: stopbits { 1.5 | 1 | 2 }

The stop bit is set.

By default, the value is 1 bit.

Step 7 Run: databits { 5 | 6 | 7 | 8 }

The data bit is set.

By default, the data bit is 8.

----End


4.2.3 Setting Terminal Attributes of Console User Interface

This section describes how to set terminal attributes of the console user interface, including the user timeout disconnection function, number of lines displayed in a terminal screen, and size of the history command buffer.

Context

Terminal attributes of the console user interface have default values on the router and you can set them as needed.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface console interface-number

The console user interface view is displayed.

Step 3 Run: shell

The terminal service is started.

Step 4 Run: idle-timeout minutes [ seconds ]

The idle timeout period is set.

If the connection remains idle for the timeout period, the system automatically terminates the connection.

By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run: screen-length screen-length [ temporary ]

The length of a terminal screen is set.

The temporary parameter specifies the number of lines to be temporarily displayed on a terminal screen.

By default, the length of a terminal screen is 24 lines.

Step 6 Run: history-command max-size size-value

The size of the history command buffer is set.

By default, the size of the history command buffer on a user interface is 10 entries.

----End


4.2.4 Configuring User Priority of Console User Interface

This section describes how to control users' authority of logging in to the router and improve the security of managing the router by configuring the user priority.

Context

• Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

• This process is to set the priority for a user who logs in through the console port. A user can only use the commands with the level corresponding to the user level.

For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface console interface-number

The console user interface view is displayed.

Step 3 Run: user privilege level level

The priority of the user is set.

NOTE

• By default, users logging in through the console user interface can use commands at level 3, and users logging in through other user interfaces can use commands at level 0.

• If the command level is inconsistent with the user level, the user level takes precedence.

----End

4.2.5 Configuring the User Authentication Mode of the Console User Interface

The system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the router.

Context

By default, the user authentication mode of the console user interface is non-authentication.

Procedure

• Configuring AAA Authentication

1. Run: system-view


The system view is displayed.

2. Run: user-interface console interface-number

The console user interface view is displayed.

3. Run: authentication-mode aaa

The authentication mode is set to AAA.

4. Run: quit

Exit from the console user interface view.

5. Run: aaa

The AAA view is displayed.

6. Run: local-user user-name password { simple | cipher } password

Name and password of the local user are created.

• Configuring Password Authentication

1. Run: system-view

The system view is displayed.

2. Run: user-interface console interface-number

The console user interface view is displayed.

3. Run: authentication-mode password

You can set the authentication mode as password authentication.

4. Run: set authentication password { cipher | simple } password

A password for authentication is set.

• Configuring Non-Authentication

1. Run: system-view

The system view is displayed.

2. Run: user-interface console interface-number

The console user interface view is displayed.

3. Run: authentication-mode none

The authentication mode is set to non-authentication.

----End


4.2.6 Checking the Configuration

After configuring the console user interface, you can view information about the user interface, physical attributes and configurations of the user interface, local user list, and online users.

Prerequisite

The configurations of the user management function are complete.

Procedure

• Run the display users [ all ] command to check information about the user interface.

• Run the display user-interface console ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.

• Run the display local-user command to check the local user list.

• Run the display access-user command to check the local user list.

----End

Example

Run the display users command, and you can view information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0   00:00:44                             pass            no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.

<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command, and you can view the local user list.

<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username      State    Type    CAR    Access-limit    Online
  ----------------------------------------------------------------------------
  user123       Active   All     Dft    No              0
  ll            Active   F       Dft    No              0
  user1         Active   F       Dft    No              0
  ----------------------------------------------------------------------------
  Total 3,3 printed
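The Auth and Privi columns of display user-interface show which lines admit users without a username and which command level they then receive. The following Python check is an added example, not part of the Huawei guide: it parses a constructed table in the layout shown above (the leading +/F marker column and a blank Tx/Rx cell on VTY rows are assumptions) and lists interfaces using non-authentication or password authentication, highest privilege first.

```python
"""Flag user interfaces that admit users without per-user authentication,
from the table printed by `display user-interface`."""
from dataclasses import dataclass

# Constructed sample in the layout this guide shows (not captured from a device).
# Assumption: rows may start with a '+' or 'F' marker and VTY rows may leave
# the Tx/Rx cell blank, so columns are read from the right-hand side.
SAMPLE_OUTPUT = """\
<HUAWEI> display user-interface
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 0    CON 0    9600       -     3     3           N     -
  33   AUX 0    9600       -     0     -           N     -
  34   VTY 0               -     0     -           A     -
  35   VTY 1               -     3     -           P     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
"""

# Auth column values, as listed in the command's own legend.
AUTH_LEGEND = {"A": "AAA", "P": "interface password", "N": "none"}


@dataclass(frozen=True)
class UiRow:
    index: int      # absolute number (Idx)
    name: str       # relative number, e.g. "VTY 1"
    privilege: int  # Privi column: command level of the user interface
    auth: str       # Auth column: A, P or N


def parse_rows(output):
    """Return one UiRow per data row; header and legend lines are skipped."""
    rows = []
    for line in output.splitlines():
        tok = line.split()
        if tok and tok[0] in ("+", "F"):      # drop the status marker
            tok = tok[1:]
        # Data row: Idx Type Rel [Tx/Rx] [Modem] Privi ActualPrivi Auth Int
        if len(tok) < 7 or not tok[0].isdigit() or not tok[2].isdigit():
            continue
        privi, _actual, auth, _location = tok[-4:]
        if auth not in AUTH_LEGEND or not privi.isdigit():
            continue
        rows.append(UiRow(int(tok[0]), f"{tok[1]} {tok[2]}", int(privi), auth))
    return rows


def review(rows):
    """Return (name, finding, command level) for lines not using AAA.

    With non-authentication or password authentication the command level
    comes from the user interface itself, so the Privi value is what a
    login on that line receives.
    """
    findings = []
    for row in rows:
        if row.auth == "N":
            findings.append((row.name, "no-auth", row.privilege))
        elif row.auth == "P":
            findings.append((row.name, "shared-password", row.privilege))
    # Highest command level first; at equal level, unauthenticated lines first.
    findings.sort(key=lambda f: (-f[2], f[1] != "no-auth"))
    return findings


if __name__ == "__main__":
    for name, finding, level in review(parse_rows(SAMPLE_OUTPUT)):
        print(f"{name}: {finding}, grants command level {level}")
```
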


4.3 Configuring the AUX User Interface

When a user logs in to the router for local or remote configuration by using an AUX port, configuring attributes in the corresponding AUX user interface is needed.

4.3.1 Establishing the Configuration Task

Before configuring the AUX user interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If you need to log in to the router for remote maintenance by using an AUX port, you can configure the corresponding AUX user interface as needed by setting the physical attributes, terminal attributes, user priority, and user authentication mode. The preceding parameters have default values on the router and additional configuration is not needed.

Pre-configuration Tasks

Before configuring an AUX user interface, complete the following tasks:

• Logging in to the router by using a terminal

Data Preparation

Before configuring an AUX user interface, you need the following data.

No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, number of lines displayed in a terminal screen, and the size of history command buffer
3    User priority
4    Modem attributes
5    (Optional) Auto-execute commands
6    User authentication method, user name, and password

NOTE

All the default values (excluding the auto-run commands, password, and username) are stored on the router and do not need additional configuration.

4.3.2 Setting Physical Attributes of AUX User Interface

Physical attributes of the AUX user interface include the transmission rate, flow control mode, parity mode, stop bit, and data bit of the AUX port.


Context

Physical attributes of the AUX user interface have default values on the router and no additional configuration is needed.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface aux interface-number

The AUX user interface view is displayed.

Step 3 Run: speed speed-value

The transmission rate is set.

By default, the baud rate is 9600 bit/s.

Step 4 Run: flow-control { hardware | none | software }

The flow control mode is set.

By default, the flow-control mode is none.

Step 5 Run: parity { even | mark | none | odd | space }

The parity mode is set.

By default, the value is none.

Step 6 Run: stopbits { 1.5 | 1 | 2 }

The stop bit is set.

By default, the value is 1 bit.

Step 7 Run: databits { 5 | 6 | 7 | 8 }

The data bit is set.

By default, the value is 8.

NOTE

When the user logs in to a router through an AUX port, the configured attributes for the console port on the HyperTerminal should be in accordance with the attributes of the AUX user interface on the router. Otherwise, the user cannot log in to the router.

----End


4.3.3 Setting Terminal Attributes of AUX User Interface

This section describes how to configure terminal attributes of the AUX user interface, including the user idle timeout, number of lines displayed in a terminal screen, and size of the history command buffer.

Context

Terminal attributes of the AUX user interface have default values on the router and you can configure them as needed.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface aux interface-number

The AUX user interface view is displayed.

Step 3 Run: shell

AUX terminal service is enabled.

Step 4 Run: idle-timeout minutes [ seconds ]

User idle timeout is enabled.

If the connection remains idle for the timeout period, the system automatically terminates the connection.

By default, the idle timeout period on the interface is 10 minutes.

Step 5 Run: screen-length screen-length [ temporary ]

The length of a terminal screen is set.

The temporary parameter specifies the number of lines to be temporarily displayed on a terminal screen.

By default, the length of a terminal screen is 24 lines.

Step 6 Run: history-command max-size size-value

The size of the history command buffer is configured.

By default, the size of the history command buffer on a user interface is 10 entries.

----End


4.3.4 Setting User Priority of AUX User Interface

This section describes how to control users' authority of logging in to the router and improve the security of managing the router by configuring the user priority.

Context

• Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

• This process is to set the priority for a user who logs in through the console port. A user can only use the commands with the level corresponding to the user level.

For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface aux interface-number

The AUX user interface view is displayed.

Step 3 Run: user privilege level level

The user priority is set.

NOTE

• By default, users logging in by using the AUX user interface can use commands at level 0.

• If the authority to use commands is inconsistent with the user level, the user level takes precedence.

----End

4.3.5 Setting Modem Attributes of AUX User Interface

You can set the time period from picking up the signal to detecting the carrier when a call is established, whether the modem is used for only incoming calls or for both incoming and outgoing calls, and automatic answer.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface aux interface-number

The AUX user interface view is displayed.


Step 3 Run: modem timer answer seconds

The period between the system receiving the ring signal and the system waiting for the CD_UP is set. That is the time that elapses between picking up the signal and detecting the carrier once the call is established.

By default, the waiting time is 30 seconds.

Step 4 Run: modem [ both | call-in ]

The modem is set to allow only incoming calls or both incoming and outgoing calls.

By default, incoming and outgoing calls are prohibited.

Step 5 Run: modem auto-answer

Automatic answer is enabled.

By default, manual answering is enabled.

----End

4.3.6 (Optional) Configuring Auto-Execute Commands of AUX User Interface

You can set a command to be an auto-executed command.

Context

CAUTION
After the auto-execute command command is run, you cannot perform general configuration in the system through a terminal.
Before configuring the auto-execute command command and running the save command to save the existing configurations, ensure that you can log in to the system using other methods to delete the configurations.

Do as follows on the router that the user logs in to:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface aux 0

The AUX user interface view is displayed.


Step 3 Run: auto-execute command command

A command is specified as an auto-execute command.

Generally, the auto-execute command command is run to configure Telnet on a terminal. After the configuration, the user can automatically connect to a designated host.

----End

4.3.7 Setting User Authentication Mode of AUX User Interface

The system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the router.

Context

By default, the user authentication mode of the AUX user interface is non-authentication.

Procedure

• Configuring AAA Authentication

1. Run: system-view

The system view is displayed.

2. Run: user-interface aux interface-number

The AUX user interface view is displayed.

3. Run: authentication-mode aaa

The authentication mode is set to AAA.

4. Run: quit

Exit from the AUX user interface view.

5. Run: aaa

The AAA view is displayed.

6. Run: local-user user-name password { simple | cipher } password

Local user and password are configured.

• Configuring Password Authentication

1. Run: system-view

The system view is displayed.

2. Run: user-interface aux interface-number


The AUX user interface view is displayed.

3. Run: authentication-mode password

The authentication mode is set to password.

4. Run: set authentication password { cipher | simple } password

A password is set.

• Configuring Non-Authentication

1. Run: system-view

The system view is displayed.

2. Run: user-interface aux interface-number

The AUX user interface view is displayed.

3. Run: authentication-mode none

The authentication mode is set to non-authentication.

----End

4.3.8 Checking the Configuration

After configuring the AUX user interface, you can view the usage information of the user interface, physical attributes and configurations of the user interface, local user list, and online users.

Prerequisite

Configurations of the AUX user interface are complete.

Procedure

• Run the display users [ all ] command to check usage information about the AUX user interface.

• Run the display user-interface aux interface-number [ summary ] command to check physical attributes and configurations of the user interface.

• Run the display local-user command to check the local user list.

• Run the display access-user command to check the local user list.

----End

Example

Run the display users command, and you can view information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  33  AUX 0   00:00:44                             pass            no
  Username : Unspecified


Run the display user-interface aux ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.

<HUAWEI> display user-interface aux 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  33   AUX 0    9600       -     0     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command, and you can view the local user list.

<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username      State    Type    CAR    Access-limit    Online
  ----------------------------------------------------------------------------
  user123       Active   All     Dft    No              0
  ll            Active   F       Dft    No              0
  user1         Active   F       Dft    No              0
  ----------------------------------------------------------------------------
  Total 3,3 printed

4.4 Configuring VTY User Interface

If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you can configure the corresponding VTY user interface as needed.

4.4.1 Establishing the Configuration Task

Before configuring the VTY user interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you can configure the corresponding VTY user interface, including the maximum number of VTY user interfaces, limit of incoming and outgoing calls, user priority, and user authentication mode. The preceding parameters have default values on the router. You can also set these parameters as needed.

Pre-configuration Tasks

Before configuring VTY user interface, complete the following tasks:

• Logging in to the router by using a terminal

Data Preparation

To configure a VTY user interface, you need the following data.


No.  Data
1    Maximum VTY user interfaces
2    (Optional) ACL code to limit VTY user interface to call in and out
3    Idle timeout period, number of characters in each line displayed in a terminal screen
4    User priority
5    User authentication method, user name, and password

NOTE

All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user interfaces, password, and user name) have default values on the router, and no additional configuration is needed.

4.4.2 Configuring Maximum VTY User Interfaces

This section describes how to limit the number of users logging in to the router by configuring the maximum number of VTY user interfaces.

Context

The maximum number of VTY user interfaces is the total number of users logging in to the router by using Telnet and SSH.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface maximum-vty number

The maximum number of VTY user interfaces through which users can log in to the router is set.

NOTE

When the maximum number of VTY user interfaces is set to zero, no user (including the NMS user) can log in to the router by using a VTY user interface.

If the maximum number of VTY user interfaces to be configured is smaller than the maximum number of current interfaces, current online users will not be affected and no additional configuration is needed.

If the maximum number of VTY user interfaces to be configured is larger than the maximum number of current interfaces, the authentication mode and password need to be configured for newly added user interfaces.

For newly added user interfaces, the system defaults to password authentication.

For example, a maximum of five users are allowed online. To allow 15 VTY users online at the same time, you need to run the authentication-mode command and the set authentication password command to configure authentication modes and passwords for user interfaces from VTY 5 to VTY 14. The commands are run as follows:

<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode password
[HUAWEI-ui-vty5-14] set authentication password cipher huawei

----End

4.4.3 (Optional) Setting Limit on Incoming and Outgoing Calls of VTY User Interfaces

This section describes how to configure an ACL to limit incoming and outgoing calls of the VTY user interface.

Context

Before setting the limit on incoming and outgoing calls of the VTY user interface, run the acl command in the system view to create an ACL and enter the ACL view. Then, run the rule command to add rules to the ACL.

NOTE

The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging from 3000 to 3999.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run: acl acl-number { inbound | outbound }

The limit on incoming or outgoing calls of the VTY user interface is configured.

• To prevent a user at a certain address or address segment from logging in to the router, specify inbound.

• To prevent a user who has logged in to a router from accessing other routers, specify outbound.

----End
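Sections 4.4.2 and 4.4.3 together leave two gaps that are easy to miss: VTY lines added by raising maximum-vty that never receive an authentication mode, and VTY lines with no inbound ACL. The following Python audit is an added example, not part of the Huawei guide; the configuration text is constructed, the stanza layout (a header line followed by indented commands) is an assumption, and the simple keyword is flagged because it keeps the password in plaintext in the configuration.

```python
"""Audit VTY user-interface stanzas: every line enabled by maximum-vty should
have an explicit authentication mode, no plaintext password, and an inbound ACL."""
import re

DEFAULT_MAX_VTY = 5  # default number of VTY user interfaces stated in this guide

# Constructed configuration text, not taken from a device. Assumption: a stanza
# is a "user-interface vty <first> [<last>]" line followed by indented commands.
SAMPLE_CONFIG = """\
user-interface maximum-vty 15
user-interface console 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 acl 2000 inbound
user-interface vty 5 9
 authentication-mode password
 set authentication password simple EXAMPLE-ONLY
 user privilege level 3
user-interface vty 10 12
 authentication-mode none
 acl 2000 inbound
"""

MAX_VTY_RE = re.compile(r"user-interface maximum-vty (\d+)\s*$")
STANZA_RE = re.compile(r"user-interface vty (\d+)(?: (\d+))?\s*$")
INBOUND_ACL_RE = re.compile(r"acl \d+ inbound")


def parse_vty(config):
    """Return (maximum-vty, {VTY number: [commands configured on that line]})."""
    max_vty = DEFAULT_MAX_VTY
    per_line = {}
    open_stanza = []  # command lists of the VTY lines the current stanza covers
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":               # indented: belongs to the open stanza
            for commands in open_stanza:
                commands.append(raw.strip())
            continue
        open_stanza = []                  # any top-level line closes the stanza
        m = MAX_VTY_RE.match(raw)
        if m:
            max_vty = int(m.group(1))
            continue
        m = STANZA_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or first)
            open_stanza = [per_line.setdefault(n, [])
                           for n in range(first, last + 1)]
    return max_vty, per_line


def audit_vty(config):
    """Map each finding to the relative VTY numbers it applies to."""
    max_vty, per_line = parse_vty(config)
    findings = {"no-stanza": [], "auth-not-set": [], "auth-none": [],
                "simple-password": [], "no-inbound-acl": []}
    for n in range(max_vty):              # VTY 0 .. maximum-vty - 1
        commands = per_line.get(n)
        if commands is None:              # enabled line that was never configured
            findings["no-stanza"].append(n)
            continue
        modes = [c.split()[1] for c in commands
                 if c.startswith("authentication-mode ")]
        if not modes:
            findings["auth-not-set"].append(n)
        elif modes[-1] == "none":         # the last occurrence is the one in effect
            findings["auth-none"].append(n)
        if any(c.startswith("set authentication password simple ")
               for c in commands):
            findings["simple-password"].append(n)
        if not any(INBOUND_ACL_RE.fullmatch(c) for c in commands):
            findings["no-inbound-acl"].append(n)
    return {name: lines for name, lines in findings.items() if lines}


if __name__ == "__main__":
    for name, lines in audit_vty(SAMPLE_CONFIG).items():
        print(f"{name}: VTY {', '.join(map(str, lines))}")
```
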

4.4.4 Setting Terminal Attributes of the VTY User Interface

This section describes how to configure terminal attributes of the VTY user interface, including user idle timeout, number of lines displayed in a terminal screen, and size of the history command buffer.


Context

Terminal attributes of the VTY user interface have default values on the router and you can set them as needed.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

Step 3 Run: shell

VTY terminal service is enabled.

Step 4 Run: idle-timeout minutes [ seconds ]

User idle timeout is enabled.

If the connection remains idle for the timeout period, the system automatically terminates the connection.

By default, the timeout period is 10 minutes.

Step 5 Run: screen-length screen-length [ temporary ]

The length of a terminal screen is set.

The temporary parameter specifies the number of lines to be temporarily displayed on a terminal screen.

By default, the length of a terminal screen is 24 lines.

Step 6 Run: history-command max-size size-value

The size of the history command buffer is set.

By default, a maximum number of 10 commands can be cached in the history command buffer.

----End

4.4.5 Setting User Priority of VTY User Interface

This section describes how to control users' authority of logging in to the router and improve the security of managing the router by configuring the user priority.


Context

• Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

• This process is to set the priority for a user who logs in through the console port. A user can only use the commands with the level corresponding to the user level.

For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface vty interface-number

The VTY user interface view is displayed.

Step 3 Run: user privilege level level

The user priority is set.

By default, users logging in through the VTY user interface can use commands at level 0.

NOTE

If the command level configured in the VTY user interface view is inconsistent with the user priority, the user priority takes effect.

----End

4.4.6 Setting User Authentication Mode of the VTY User Interface

The system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the router.

Context

By default, the user authentication mode of the VTY user interface is password authentication.

Procedure

• Configuring AAA Authentication

1. Run: system-view

The system view is displayed.

2. Run: user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.


3. Run: authentication-mode aaa

The authentication mode is set to AAA.

4. Run: quit

Exit from the VTY user interface view.

5. Run: aaa

The AAA view is displayed.

6. Run: local-user user-name password { simple | cipher } password

Name and password of the local user are created.

• Configuring Password Authentication

1. Run: system-view

The system view is displayed.

2. Run: user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

3. Run: authentication-mode password

The authentication mode is set to password.

4. Run: set authentication password { cipher | simple } password

A password for this authentication mode is set.

• Configuring Non-Authentication

1. On the router, run: system-view

The system view is displayed.

2. Run: user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

3. Run: authentication-mode none

The authentication mode is set to none.

----End

4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces

Network Management System (NMS) users can log in to a device through VTY user interfaces to set parameters about the device.


Context

NMS users can log in to the router through VTY user interfaces to set parameters about the router.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: local-user user-name password { simple | cipher } password

A local user is created.

Step 4 Run: local-user user-name user-type netmanager

The local user is set as an NM user.

Step 5 Run: quit

The system view is displayed.

Step 6 Run: user-interface vty first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 7 Run: authentication-mode aaa

An authentication mode used to log in to the user interface is configured.

NOTE

The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as special channels of the network management. The channels do not support the RSA authentication mode but support the password authentication.

Step 8 Run: quit

The system view is displayed.

Step 9 Run: mmi-mode enable

The system is switched to the machine-to-machine mode.


NOTE

• This command is invisible to terminals and cannot be obtained by using the online help. In man-to-machine mode, exercise caution when using this command.

• In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS user can log in through VTYs. A common user cannot log in through Telnet but can log in by using the five reserved user interfaces.

• In the machine-to-machine mode, the system does not output logs, alarms, and debugging information to the screen.

• In the machine-to-machine mode, the save and reboot commands can be used directly.

• In the machine-to-machine mode, a maximum of 512 lines are displayed by default. The value can be adjusted by using the screen-length command. In addition, you can run the screen-length temporary command to adjust the number of lines temporarily displayed on the screen.

----End

4.4.8 Checking the Configuration

After configuring the VTY user interface, you can view information about user interfaces, the maximum number of VTY user interfaces, and physical attributes and configurations of user interfaces.

Prerequisite

The configurations of the VTY user interface are complete.

Procedure

• Run the display users [ all ] command to check information about user interfaces.

• Run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.

• Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of user interfaces.

• Run the display local-user command to check the local user list.

• Run the display vty mode command to check the VTY mode.

----End

Example

Run the display users command, and you can view information about the current user interfaces.

<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0   00:00:12  TEL    10.138.77.38                        no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL    10.138.77.57                        no
  Username : Unspecified

Run the display user-interface maximum-vty command, and you can view the maximum number of VTY user interfaces.

<HUAWEI> display user-interface maximum-vty
 Maximum of VTY user:15

Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of user interfaces.


<HUAWEI> display user-interface vty 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0               -     14    14          N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command, and you can view the local user list.

<HUAWEI> display local-user
 ----------------------------------------------------------------------------
 Username     State    Type    CAR    Access-limit    Online
 ----------------------------------------------------------------------------
 user123      Active   All     Dft    No              0
 ll           Active   F       Dft    No              0
 user1        Active   F       Dft    No              0
 ----------------------------------------------------------------------------
 Total 3,3 printed

Run the display vty mode command, and you can view the prompt message indicating that the machine-to-machine interface is enabled. For example:

<HUAWEI> display vty mode
current VTY mode is Machine-Machine interface

4.5 Configuration Examples

This section provides examples for configuring console, AUX, and VTY user interfaces. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

4.5.1 Example for Configuring Console User Interface

This part provides an example describing how to configure the console user interface. In this configuration example, to allow a user in password authentication mode to log in to the router by using a console user interface, multiple attributes of the console user interface are set, including physical attributes, terminal attributes, user priority, user authentication mode, and password.

Networking Requirements

To initialize configurations of the router or locally maintain the router, a user can log in to the router through a console user interface. To allow the user to log in, you can set attributes of the console user interface as needed (for security reasons, for example).

In the console user interface view, the user priority is set to 15, and the password authentication mode is set (the password is huawei).

After a user logs in, if the user takes no action on the router for more than 30 minutes, the connection between the user and the router is torn down.


Configuration Roadmap

The configuration roadmap is as follows:

1. Enter the interface view and set physical attributes of the console user interface.
2. Set terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.

Data Preparation

To complete the configuration, you need the following data:

• Transmission rate of the console user interface: 4800 bit/s
• Flow control mode of the console user interface: None
• Parity of the console user interface: even
• Stop bit of the console user interface: 2
• Data bit of the console user interface: 6
• Timeout period for disconnecting from the console user interface: 30 minutes
• Number of lines that a terminal screen displays: 30
• Size of the history command buffer: 20
• User priority: 15
• User authentication mode: password (password: huawei)

Procedure

Step 1 Set physical attributes of the console user interface.

<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] speed 4800
[HUAWEI-ui-console0] flow-control none
[HUAWEI-ui-console0] parity even
[HUAWEI-ui-console0] stopbits 2
[HUAWEI-ui-console0] databits 6

Step 2 Set terminal attributes of the console user interface.

[HUAWEI-ui-console0] shell
[HUAWEI-ui-console0] idle-timeout 30
[HUAWEI-ui-console0] screen-length 30
[HUAWEI-ui-console0] history-command max-size 20

Step 3 Set the user priority of the console user interface.

[HUAWEI-ui-console0] user privilege level 15

Step 4 Set the user authentication mode in the console user interface to password.

[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password simple huawei
[HUAWEI-ui-console0] quit

After the console user interface is configured, a user in password authentication mode can log in to the router through a console port, implementing local maintenance of the router. For details on how a user logs in to the router, see "5 Configuring User Login".

----End


Configuration Files

#
 sysname HUAWEI
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 databits 6
 parity even
 stopbits 2
 speed 4800
 screen-length 30
#
return

4.5.2 Example for Configuring AUX User Interface

This part provides an example describing how to configure the AUX user interface. In the configuration example, to allow a user in AAA authentication mode to log in to the router by using an AUX user interface, multiple attributes of the console user interface are set, including physical attributes, terminal attributes, user priority, user authentication mode, and password.

Networking Requirements

To maintain the router locally or remotely, a user can log in to the router through an AUX user interface.

To allow the user login, an operator can set attributes of the AUX user interface as needed (for security reasons, for example).

In the AUX user interface, the user priority is set to 15, and the authentication mode is set to AAA, with the user name of user123 and the password of huawei.

After a user logs in, if the user takes no action on the router for more than 30 minutes, the connection between the user and the router is torn down.

Configuration Roadmap

The configuration roadmap is as follows:

1. Enter the interface view and set physical attributes of the AUX user interface.
2. Set terminal attributes of the AUX user interface.
3. Set the user priority of the AUX user interface.
4. Set modem attributes of the AUX user interface.
5. Set the authentication mode and password in the AUX user interface.

Data Preparation

To complete the configuration, you need the following data:

• Transmission rate of the AUX user interface: 9600 bit/s
• Flow control mode of the AUX user interface: None


• Parity of the AUX user interface: None
• Stop bit of the AUX user interface: 1
• Data bit of the AUX user interface: 8
• Timeout period for disconnecting from the AUX user interface: 30 minutes
• Number of lines that a terminal screen displays: 30
• Size of the history command buffer: 20
• User priority: 15
• Modem attributes: idle timeout from off-hook to carrier detection (45 seconds), call-in permission, and automatic response
• User authentication mode and password in the AUX user interface

Procedure

Step 1 Set physical attributes of the AUX user interface.

<HUAWEI> system-view
[HUAWEI] user-interface aux 0
[HUAWEI-ui-aux0] speed 9600
[HUAWEI-ui-aux0] flow-control none
[HUAWEI-ui-aux0] parity none
[HUAWEI-ui-aux0] stopbits 1
[HUAWEI-ui-aux0] databits 8

All the preceding physical attributes of the AUX user interface are set with default values. In fact, if a user chooses to use the default values, the user does not need to set them. The preceding settings only mean to provide the configuration method.

Step 2 Set terminal attributes of the AUX user interface.

[HUAWEI-ui-aux0] shell
[HUAWEI-ui-aux0] idle-timeout 30
[HUAWEI-ui-aux0] screen-length 30
[HUAWEI-ui-aux0] history-command max-size 20

Step 3 Set the user priority of the AUX user interface.

[HUAWEI-ui-aux0] user privilege level 15

Step 4 Set modem attributes of the AUX user interface.

[HUAWEI-ui-aux0] modem timer answer 45
[HUAWEI-ui-aux0] modem call-in
[HUAWEI-ui-aux0] modem auto-answer

Step 5 Set the authentication mode of the AUX user interface to AAA.

[HUAWEI-ui-aux0] authentication-mode aaa
[HUAWEI-ui-aux0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user123 password simple huawei
[HUAWEI-aaa] quit

After the AUX user interface is configured, a user in AAA authentication mode can log in to the router through an AUX port, implementing maintenance of the router. For details on how a user logs in to the router, refer to "5 Configuring User Login".

----End

Configuration Files

#
 sysname HUAWEI


#
user-interface aux 0
 authentication-mode aaa
 user privilege level 15
 history-command max-size 20
 idle-timeout 30 0
 modem call-in
 modem auto-answer
 modem timer answer 45
 screen-length 30
#
return

4.5.3 Example for Configuring VTY User Interface

This part provides an example describing how to configure the VTY user interface. In this configuration example, to allow a user in password authentication mode to log in to the router by using Telnet or SSH (Stelnet), multiple attributes of the VTY user interface are set, including the maximum number of VTY user interfaces, call-in and call-out limit, terminal attributes, authentication mode, and password.

Networking Requirements

A user logs in to the router through a VTY channel by using Telnet or SSH. To allow the user login, an operator can set attributes of the VTY user interface as needed (for security reasons, for example).

In the VTY user interface, the user priority is set to 15, the authentication mode is set to password, with the password of "huawei", and the user with the IP address of 10.1.1.1 is prohibited from logging in to the router.

After logging in, if the user takes no action on the router for more than 30 minutes, the connection between the user and the router is torn down.

Configuration Roadmap

The configuration roadmap is as follows:

1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set the call-in and call-out limit of the VTY user interface, limiting the access of an IP address or an IP address segment to the router.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority in the VTY user interface.
5. Set the authentication mode and password in the VTY user interface.

Data Preparation

To complete the configuration, you need the following data:

• Maximum number of VTY user interfaces: 15
• ACL applied to limit call-in in the VTY user interface: 2000
• Timeout period for disconnecting from the VTY user interface: 30 minutes
• Number of lines that a terminal screen displays: 30
• Size of the history command buffer: 20


• User priority: 15
• User authentication mode: password, password: huawei

Procedure

Step 1 Set the maximum number of VTY user interfaces.

<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15

Step 2 Set the limit on call-in and call-out in the VTY user interface.

[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] acl 2000 inbound

Step 3 Set terminal attributes of the VTY user interface.

[HUAWEI-ui-vty0-14] shell
[HUAWEI-ui-vty0-14] idle-timeout 30
[HUAWEI-ui-vty0-14] screen-length 30
[HUAWEI-ui-vty0-14] history-command max-size 20

Step 4 Set the user priority in the VTY user interface.

[HUAWEI-ui-vty0-14] user privilege level 15

Step 5 Set the authentication mode and password in the VTY user interface.

[HUAWEI-ui-vty0-14] authentication-mode password
[HUAWEI-ui-vty0-14] set authentication password simple huawei
[HUAWEI-ui-vty0-14] quit

After the VTY user interface is configured, a user authenticated in password mode can log in to the router by using Telnet or SSH (Stelnet), implementing local or remote maintenance of the router. For details on how a user logs in to the router, see "5 Configuring User Login".

----End

Configuration Files

#
 sysname HUAWEI
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
#
return
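An added example, not part of the Huawei guide: a Python audit of a saved configuration for the user-interface settings covered in sections 4.4 and 4.5 (authentication mode, simple passwords, inbound ACL, idle timeout, privilege level). The finding codes, function names and sample configuration are constructed; treating idle-timeout 0 0 as "timeout disabled" and flagging level 15 on a non-AAA interface are this example's assumptions, not statements from the guide.

```python
import re

# Constructed sample in the layout of this guide's "Configuration Files"
# listings; the users, passwords and VTY ranges are made up for the example.
SAMPLE_CONFIG = """\
#
 sysname HUAWEI
#
aaa
 local-user user123 password simple huawei
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 idle-timeout 30 0
user-interface vty 0 4
 acl 2000 inbound
 user privilege level 15
 set authentication password simple huawei
 idle-timeout 30 0
user-interface vty 5 14
 authentication-mode none
 idle-timeout 0 0
#
return
"""

UI_HEADER = re.compile(r"^user-interface (con|console|aux|vty) \d+(?: \d+)?$")


def parse_blocks(config):
    """Map each unindented header line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line == "#":
            current = None
        elif not raw.startswith(" "):
            current = blocks.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return blocks


def audit_interface(header, ui_type, lines):
    """Return (header, code) findings for one user-interface block."""
    found = []
    mode = next((ln.split()[1] for ln in lines
                 if ln.startswith("authentication-mode ")), None)
    if mode is None and ui_type == "vty":
        mode = "password"  # the guide states this default for VTY interfaces
    if mode == "none":
        found.append("NO_AUTHENTICATION")
    # 'simple' leaves the password readable in the saved configuration,
    # as the guide's own listings show.
    if any(ln.startswith("set authentication password simple ") for ln in lines):
        found.append("CLEARTEXT_PASSWORD")
    if ui_type == "vty" and not any(re.match(r"^acl \d+ inbound$", ln) for ln in lines):
        found.append("NO_INBOUND_ACL")
    # Assumption of this example: a 0 0 timeout means sessions never expire.
    if "idle-timeout 0 0" in lines:
        found.append("IDLE_TIMEOUT_DISABLED")
    level = next((int(ln.split()[-1]) for ln in lines
                  if ln.startswith("user privilege level ")), None)
    # Policy choice of this example: without AAA there is no per-user level,
    # so every session on the interface receives the interface's level.
    if level == 15 and mode != "aaa":
        found.append("INTERFACE_GRANTS_LEVEL_15")
    return [(header, code) for code in found]


def audit(config):
    """Audit the aaa block and every user-interface block of a configuration."""
    findings = []
    for header, lines in parse_blocks(config).items():
        if header == "aaa":
            for line in lines:
                if re.match(r"^local-user \S+ password simple ", line):
                    findings.append((header, "CLEARTEXT_PASSWORD"))
            continue
        match = UI_HEADER.match(header)
        if match:
            findings.extend(audit_interface(header, match.group(1), lines))
    return findings


if __name__ == "__main__":
    for where, code in audit(SAMPLE_CONFIG):
        print(f"{where}: {code}")
```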


5 Configuring User Login

About This Chapter

A user can log in to the router through a console port, an AUX port, or by using Telnet or SSH (STelnet). After the login, the user can maintain the router locally or remotely.

5.1 Overview of User Login
Users can manage and maintain the router only after logging in to the router. Users can log in to the router by using the AUX port, console port, Telnet, or STelnet (SSH Telnet).

5.2 Logging in to the Devices Through the Console Port
When a user needs to configure the router that is powered on for the first time or locally maintain the router, the user can log in to the router through a console port.

5.3 Logging in to the Devices Through the AUX Port
When a user terminal and the router have no reachable route between each other, the user can remotely configure and manage or locally maintain the router by logging in to the router through an AUX port.

5.4 Logging in to the Devices by Using Telnet
If multiple routers need to be configured and managed, you do not need to connect the routers and maintain them locally one by one. Instead, you can log in to the routers from a terminal by using Telnet. This implements remote maintenance of the router and greatly facilitates device management.

5.5 Logging in to the Devices by Using STelnet
STelnet provides secured remote access over an insecure network. After the client/server negotiation is complete and a secured connection is established, a user can log in to the router in a similar way as Telnet.

5.6 Common Operations After Login
After logging in to the router, you can perform the following operations as needed, such as user priority switching and terminal window locking.

5.7 Configuration Examples
This section provides several examples describing how to configure user login by using a console port, Telnet, or STelnet. You can understand the configuration procedures by referring to the configuration flowchart. The configuration examples provide information about the networking requirements, configuration notes, and configuration roadmap.


5.1 Overview of User Login

Users can manage and maintain the router only after logging in to the router. Users can log in to the router by using the AUX port, console port, Telnet, or STelnet (SSH Telnet).

To configure, monitor, and maintain the local or remote network devices running NE80E/40E, you need to configure the user interface, the user management, and the terminal service.

The user interface provides a login plane, the user management guarantees login security, and the terminal service provides the processes related to the login protocol.

The NE80E/40E supports the following login methods:

• Login through the console port
• Local or remote login through the AUX port
• Local or remote login through Telnet or STelnet

Table 5-1 User login modes

Login Mode       Application
Console port     Users log in to the router through the console port to configure the router locally. Login through the console port is required when the router is powered on for the first time.
Telnet           Users log in to the router by using Telnet for local and remote maintenance. Telnet helps users maintain remote devices but brings security threats.
AUX port         Users log in to the router through the AUX port to maintain the router locally when there is no available route and Telnet is unsuitable.
SSH (STelnet)    SSH (STelnet) provides security protection for users logging in to the router to maintain the router locally or remotely.

NOTE

Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions. SSH supports secure Telnet (STelnet).

For detailed information about SSH, see the NE80E/40E Feature Description - Basic Configurations.

5.2 Logging in to the Devices Through the Console Port

When a user needs to configure the router that is powered on for the first time or locally maintain the router, the user can log in to the router through a console port.


5.2.1 Establishing the Configuration Task

Before configuring user login through a console port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

A user can log in to the router locally through a console port. If the router is powered on for the first time, the user has to log in through a console port.

Pre-configuration Tasks

Before configuring user login through a console port, complete the following tasks:

• Configuring the PC/terminal (including the serial port and RS-232 cable)
• Installing the terminal emulator (such as HyperTerminal of Windows XP) to the PC

Data Preparation

To configure user login through a console port, you need the following data.

No.  Data
1    • Transmission rate, flow control mode, parity mode, stop bit, data bit
     • Number of lines displayed in a terminal screen, size of the history command buffer
     • User priority
     • User authentication mode, user name, and password

5.2.2 Configuring Console User Interface

To allow users to log in to the router through a console port, configure attributes of the console user interface.

Context

Attributes of a console user interface have default values on the router, and generally need no additional settings. To meet specific application requirements or ensure network security, you can set attributes of the console user interface, such as terminal attributes and user authentication mode.

For detailed settings, see Configuring Console User Interface.

5.2.3 Logging in to the router Through a Console Port

A user can log in to the router by connecting a terminal with the router through a console port.

Context

For details, see Login Through the Console Port.


NOTE

• Communication parameters of the user terminal must be consistent with the physical attribute parameters of the console user interface on the router.

• If a user authentication mode is specified in the console user interface, a user can log in to the router only after passing the authentication. This enhances network security.

5.2.4 Checking the Configuration

After a user logs in through a console port, the user can view information on the console user interface, such as user information, physical attributes and configurations, local user list, and online users.

Prerequisite

Configurations of user login through a console port are complete.

Procedure

• Run the display users [ all ] command to check information about the user interface.

• Run the display user-interface console ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.

• Run the display local-user command to check the local user list.

• Run the display access-user command to check the local user list.

----End

Example

Run the display users command, and you can view information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0   00:00:44                             pass            no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.

<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command, and you can view the local user list.

<HUAWEI> display local-user
 ----------------------------------------------------------------------------
 Username     State    Type    CAR    Access-limit    Online
 ----------------------------------------------------------------------------
 user123      Active   All     Dft    No              0
 ll           Active   F       Dft    No              0
 user1        Active   F       Dft    No              0
 ----------------------------------------------------------------------------
 Total 3,3 printed

5.3 Logging in to the Devices Through the AUX Port

When a user terminal and the router have no reachable route between each other, the user can remotely configure and manage or locally maintain the router by logging in to the router through an AUX port.

5.3.1 Establishing the Configuration Task

Before configuring user login through an AUX port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

You can configure and maintain the router locally or remotely through an AUX port.

In local configuration of the router, the AUX login method is similar to the console login method. The only difference between the two login methods lies in the default user priority: the default user priority of the console user interface is 3, whereas that of the AUX user interface is 0. Therefore, logging in by using the console login method is recommended in the local configuration. The following part mainly describes remote login of the router through an AUX port.

NOTE

To manage and maintain the router through an AUX port, first modify the user priority of the AUX user interface.

When there is no reachable route between a PC and the router, you can connect the serial port of the PC to the AUX port of the router by using a modem. In this manner, you can use the PSTN to configure and maintain the router remotely.

As shown in Figure 5-1, the COM interface of the PC is connected to the modem that is connected to the PSTN. The AUX port of the router is connected to another modem that is connected to the PSTN.

Figure 5-1 Networking diagram of remote login through an AUX port (PC, modem, PSTN, modem, router)

Pre-configuration Tasks

Before configuring user login through an AUX port, complete the following tasks:

• Connecting the PC to the router through modems
• Configuring the modem
• Installing a terminal emulator (such as HyperTerminal of Windows XP) in the PC

Data Preparation

To configure user login through an AUX port, you need the following data.

No.  Data
1    • Transmission rate, flow control mode, parity, stop bit, data bit
     • Number of lines displayed in a terminal screen, size of the history command buffer
     • User priority
     • Modem attributes
     • (Optional) Auto-run commands
     • User authentication mode, user name, password
2    Telephone number of the modem at the remote router side.

5.3.2 Configuring AUX User Interface

To allow users to log in to the router through an AUX port, configure attributes of the AUX user interface.

Context

Attributes of an AUX user interface have default values on the router, and generally need no additional settings. To meet specific application requirements or ensure network security, you can also set attributes of the AUX user interface, such as terminal attributes and user authentication mode.

For detailed settings, see Configuring AUX User Interface.

5.3.3 Logging in to the router Through an AUX Port

You can establish a connection between a terminal and the router through an AUX port.

Procedure

Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) in the PC to establish a connection with the router, as shown in Figure 5-2.

Figure 5-2 Connection creating

Step 2 Set dialing information, as shown in Figure 5-3.

Figure 5-3 Dialing information setting

Step 3 Establish a connection with the router, as shown in Figure 5-4.

Figure 5-4 Remote connection with the router

If certain communication parameters need to be modified, press Modify in Figure 5-4, as shown in Figure 5-5, and then press Set, as shown in Figure 5-6.

Figure 5-5 Connection attribute modification

Figure 5-6 Communications parameters setting

Step 4 Press Dialing. If user authentication is needed, input the corresponding authentication information, and wait till the command line prompt of the user view appears, such as <HUAWEI>. This indicates that the user view is entered and relevant configurations can be input.

----End

5.3.4 Checking the Configuration

After a user logs in through an AUX port, the user can view information on the console user interface, such as usage information, physical attributes and configurations, local user list, and online users.

Prerequisite

Configurations of user login through the AUX port are complete.

Procedure

• Run the display users [ all ] command to check usage information about the AUX user interface.
• Run the display user-interface aux interface-number [ summary ] command to check physical attributes and configurations of the user interface.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check the local user list.

----End

Example

Run the display users command, and you can view information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  33  AUX 0   00:00:44                             pass            no
  Username : Unspecified

Run the display user-interface aux ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.

<HUAWEI> display user-interface aux 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  33   AUX 0    9600       -     0     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command, and you can view the local user list.

<HUAWEI> display local-user
 ----------------------------------------------------------------------------
 Username        State    Type    CAR    Access-limit    Online
 ----------------------------------------------------------------------------
 user123         Active   All     Dft    No              0
 ll              Active   F       Dft    No              0
 user1           Active   F       Dft    No              0
 ----------------------------------------------------------------------------
 Total 3,3 printed
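The Auth column in the display user-interface output above reads N for both CON 0 and AUX 0, that is, the line asks for no authentication. The following Python script is an added example, not part of the Huawei guide: it parses the summary rows and lists every interface with Auth = N, ranking AUX and VTY above the console because they are reachable over the PSTN or the network. The VTY rows in the sample, their blank Tx/Rx column, and the high/medium labels are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample. The CON 0 and AUX 0 rows are the ones shown in this
# guide's examples; the two VTY rows and their blank Tx/Rx column are
# assumptions added to exercise the parser.
SAMPLE = """\
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           N     -
  33   AUX 0    9600       -     0     -           N     -
+ 34   VTY 0               -     0     3           A     -
  35   VTY 1               -     3     -           P     -
  +    : Current UI is active.
  Auth : The authentication mode of UIs.
      N: Current UI need not authentication.
"""


class UiRow(NamedTuple):
    active: bool   # '+' or 'F' marker in front of the row
    idx: int       # absolute index
    kind: str      # CON, AUX or VTY
    rel: int       # relative index
    privi: int     # configured privilege level
    auth: str      # A = AAA, P = line password, N = none


# The row tail (Modem Privi ActualPrivi Auth Int) is always present; the
# Tx/Rx speed is treated as optional so rows without it still parse.
ROW = re.compile(
    r"^\s*(?P<flag>[+F])?\s*(?P<idx>\d+)\s+(?P<kind>CON|AUX|VTY)\s+(?P<rel>\d+)"
    r"(?:\s+(?P<speed>\d+))?\s+(?P<modem>\S+)\s+(?P<privi>\d+)"
    r"\s+(?P<actual>\S+)\s+(?P<auth>[ANP])\s+(?P<loc>\S+)\s*$"
)

# Interfaces reachable without physical access to the chassis: AUX over a
# modem and the PSTN, VTY over Telnet or STelnet.
REMOTE = {"AUX", "VTY"}
# Ranking used by this example only; it is not a Huawei severity scale.
SEVERITY_ORDER = {"high": 0, "medium": 1}


def parse_rows(text: str) -> List[UiRow]:
    """Return the interface rows, skipping the header and legend lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(UiRow(m["flag"] is not None, int(m["idx"]), m["kind"],
                              int(m["rel"]), int(m["privi"]), m["auth"]))
    return rows


def audit(rows: List[UiRow]) -> List[Tuple[str, str, int]]:
    """List interfaces with Auth = N as (severity, interface, privilege)."""
    findings = []
    for r in rows:
        if r.auth == "N":
            severity = "high" if r.kind in REMOTE else "medium"
            findings.append((severity, f"{r.kind} {r.rel}", r.privi))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, ui, privi in audit(parse_rows(SAMPLE)):
        print(f"[{severity}] {ui}: no authentication, privilege level {privi}")
```
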

5.4 Logging in to the Devices by Using Telnet

If multiple routers need to be configured and managed, you do not need to connect the routers and maintain them locally one by one. Instead, you can log in to the routers from a terminal by using Telnet. This implements remote maintenance of the router and greatly facilitates device management.

5.4.1 Establishing the Configuration Task

Before configuring user login by using Telnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

If you know the IP address of the router to be accessed, you can log in to the router from a terminal by using Telnet, and remotely maintain the device. This allows you to maintain multiple routers on the same terminal, greatly facilitating device management.

Note that IP addresses of the routers need to be preset through console ports.

Pre-configuration Tasks

Before configuring user login in Telnet mode, complete the following tasks:

• Configuring reachable routes between the terminal and the device

Data Preparation

Before configuring user login in Telnet mode, you need the following data.

No.  Data
1    • Maximum number of VTY user interfaces
     • (Optional) ACL for limiting call-in and call-out in VTY user interfaces
     • Connection timeout period of terminal users, number of lines displayed in a terminal screen, size of the history command buffer
     • User priority
     • User authentication mode, user name, password
2    TCP port number for the remote router to provide Telnet services, VPN instance name
3    IPv4/IPv6 address or host name of the router

5.4.2 Configuring VTY User Interface

To log in to the router by using Telnet, configure attributes of the VTY user interface.

Context

By default, the user authentication mode in the VTY user interface is password. Therefore, before a user logs in to the router by using Telnet, the user authentication mode in the VTY user interface must be set. Otherwise, the user cannot log in to the router.

You can log in to the router through a console port to set the user authentication mode in the VTY user interface.

Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values.

For detailed settings, see Configuring VTY User Interface.

5.4.3 (Optional) Configuring Local Telnet Users

If the user authentication mode is AAA in the VTY user interface, the access type of local users needs to be specified. Local users with the access type of Telnet are Telnet users.

Context

If the user authentication mode of the VTY user interface is non-authentication or password authentication, the following configurations are not needed.

By default, a local user can apply for any access type. You can specify an access type to allow only users configured with the specified access type to log in to the router.

Do as follows on the router that functions as a Telnet server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    aaa

The AAA view is displayed.

Step 3 Run:
    local-user user-name password { simple | cipher } password

The local user name and password are set.

Step 4 Run:
    local-user user-name service-type telnet

The access type of the local user is set to Telnet.

----End

5.4.4 Enabling the Telnet Service

Before a terminal establishes a Telnet connection with the router, enable the Telnet server function on the router.

Context

By default, the function of the Telnet server is enabled.

Do as follows on the router that serves as a Telnet server.

Select and perform one of the following two steps for IPv4 or IPv6.

Procedure

• For the IPv4 network
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         telnet server enable
     The Telnet service is enabled.

• For the IPv6 network
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         telnet ipv6 server enable
     The Telnet service is enabled.

NOTE

• If the undo telnet [ipv6] server enable command is run when a user logs in by using Telnet, the command does not take effect.
• After the Telnet server function is disabled, you can log in to the device only using SSH or an asynchronous serial port rather than using Telnet.

----End

5.4.5 (Optional) Configuring Listening Port Number for Telnet Server

A user can configure or change the listening port number of a Telnet server. Changing the listening port number ensures network security, because only the user that knows the current listening port number can log in to the router.

Context

By default, the listening port number of a Telnet server is 23. Users can directly log in to the router using the default listening port number. Attackers may access the default listening port, consuming bandwidth, deteriorating server performance, and making authorized users unable to access the server. After the listening port number of the Telnet server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.

Do as follows on the router that functions as a Telnet server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    telnet server port port-number

The listening port number of the Telnet server is set.

If a new listening port number is set, the Telnet server terminates all established Telnet connections, and then uses the new port number to listen to new requests for Telnet connections.

----End

5.4.6 Logging in to the router by Using Telnet

After the router is configured, you can log in to the router from a terminal by using Telnet, implementing remote maintenance of the router.

Context

If you need to log in to the router by using Telnet, you can use either the Windows command line or third-party software in the terminal. In this part, the Windows command line prompt is used.

Do as follows on the user terminal:

Procedure

Step 1 Use the Windows command line.

Step 2 Run the telnet ip-address command to telnet the router.

1. Input the IP address of the Telnet server.

2. Press "Enter" to display the command line prompt of the system view, such as <HUAWEI>. This indicates that you have accessed the Telnet server.

----End

5.4.7 Checking the Configuration

After users log in to the system by using Telnet, you can view the connection status of the current user interface, connection status of each user interface, and status of all established TCP connections.

Prerequisite

Configurations of logins by using Telnet are complete.

Procedure

• Run the display users [ all ] command to check information about logged-in users on user interfaces.
• Run the display tcp status command to check TCP connections.
• Run the display telnet server status command to check the configuration and status of the Telnet server.

----End

Example

Run the display users command to view information about the currently-used user interface.

<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0   00:00:12  TEL    10.138.77.38                        no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL    10.138.77.57                        no
  Username : Unspecified

Run the display tcp status command to view TCP connections. In the command output, Established indicates that a TCP connection has been established.

<HUAWEI> display tcp status
TCPCB    Tid/Soid  Local Add:port     Foreign Add:port    VPNID  State
39952df8 36 /1509  0.0.0.0:0          0.0.0.0:0           0      Closed
32af9074 59 /1     0.0.0.0:21         0.0.0.0:0           14849  Listening
34042c80 73 /17    10.164.39.99:23    10.164.6.13:1147    0      Established

Run the display telnet server status command to view the configuration and status of the Telnet server.

<HUAWEI> display telnet server status
Telnet IPV4 server :Enable
Telnet IPV6 server :Enable
Telnet server port :23

5.5 Logging in to the Devices by Using STelnet

STelnet provides secured remote access over an insecure network. After the client/server negotiation is complete and a secured connection is established, a user can log in to the router in a similar way as Telnet.

5.5.1 Establishing the Configuration Task

Before configuring users to log in by using STelnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions.

STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner as using the Telnet service.

Pre-configuration Tasks

Before configuring users to log in by using STelnet, complete the following task:

• Configuring reachable routes between the terminal and the device

Data Preparation

To configure users to log in by using STelnet, you need the following data:

No.  Data
1    Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and call-out in VTY user interfaces, connection timeout period of terminal users, number of rows displayed in a terminal screen, size of the history command buffer, user authentication mode, user name, and password
2    User name, password, authentication mode, and service type of an SSH user and remote public RSA key pair allocated to the SSH user
3    (Optional) Name of an SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the STelnet client to the SSH server, preferred encryption algorithm from the SSH server to the STelnet client, preferred HMAC algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from the SSH server to the STelnet client, preferred algorithm of key exchange, name of the outgoing interface, and source address

5.5.2 Configuring VTY User Interface

To allow a user to log in to the router by using STelnet, configure attributes of the VTY user interface.

Context

By default, the user authentication mode in the VTY user interface is password. Therefore, before a user logs in to the router by using STelnet, the user authentication mode in the VTY user interface must be set. Otherwise, the user cannot log in to the router.

You can log in to the router through a console port to set the user authentication mode in the VTY user interface.

Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values.

For detailed settings, see Configuring VTY User Interface.

5.5.3 Configuring SSH for the VTY User Interface

To allow users to log in to the router by using STelnet, you need to configure VTY user interfaces to support SSH.

Context

By default, user interfaces support Telnet. If no user interface is configured to support SSH, users cannot log in to the router by using STelnet.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.

Step 3 Run:
    authentication-mode aaa

The AAA authentication mode is configured.

Step 4 Run:
    protocol inbound ssh

The VTY user interface is configured to support SSH.

NOTE

If a VTY user interface is configured to support SSH, the VTY user interface must be configured with AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.

----End

5.5.4 Configuring an SSH User and Specifying STelnet as One of Service Types

To allow a user to log in to the router by using STelnet, you must configure an SSH user, configure the router to generate a local RSA key pair, configure a user authentication mode, and specify a service type for the SSH user.

Context

• SSH users can be authenticated in four modes: RSA, password, password-RSA, and all. Password authentication depends on Authentication, Authorization and Accounting (AAA). Before a user logs in to the router in password or password-RSA authentication mode, you must create a local user with the specified user name in the AAA view.
• Configuring the router to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.

NOTE

Password-RSA authentication requires success of both password authentication and RSA authentication. The all authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the router that functions as an SSH server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    ssh user user-name

1. Run:
       aaa
   The AAA view is displayed.
2. Run:
       local-user user-name password { simple | cipher } password
   Name and password of the local user are created.

Step 3 Run:
    rsa local-key-pair create

A local RSA key pair is generated.

NOTE

• Before performing the other SSH configurations, you must run the rsa local-key-pair create command to generate a local key pair.
• After generating the local key pair, you can run the display rsa local-key-pair public command to view the public key in the local key pair.

Step 4 Run:
    ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for SSH users is configured.

Perform the following as required:

• Authenticate the SSH user through the password.
  - Run:
        ssh user user-name authentication-type password
    The password authentication is configured for the SSH user.
  - Run:
        ssh authentication-type default password
    The default password authentication is configured for the SSH user.
  For the local authentication or HWTACACS authentication, if the number of SSH users is small, you can adopt the former command; if the number of SSH users is large, adopt the latter command to simplify the configuration.

• Authenticate the SSH user through RSA.
  1. Run:
         ssh user user-name authentication-type rsa
     The RSA authentication is configured for the SSH user.
  2. Run:
         rsa peer-public-key key-name
     The public key view is displayed.
  3. Run:
         public-key-code begin
     The public key editing view is displayed.
  4. Run:
         hex-data
     The public key is edited.

     NOTE
     • In the public key view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software.
     • After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. Copy the RSA public key to the router that serves as the SSH server.
  5. Run:
         public-key-code end
     Quit the public key editing view.
     • If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.
     • If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.
  6. Run:
         peer-public-key end
     Return to the system view from the public key view.
  7. Run:
         ssh user user-name assign rsa-key key-name
     The public key is assigned to the SSH user.

Step 5 (Optional) Configuring the Basic Authentication Information for SSH Users

1. Run:
       ssh server rekey-interval interval
   The interval for updating the server key pair is configured.
   By default, the interval for updating the key pair of the SSH server is 0, which indicates no updating.
2. Run:
       ssh server timeout seconds
   The timeout period of the SSH authentication is set.
   By default, the timeout period is 60 seconds.
3. Run:
       ssh server authentication-retries times
   The number of retry times of the SSH authentication is set.
   By default, the number of retry times is 3.

Step 6 (Optional) Authorizing SSH Users Through the Command Line

SSH users can be authenticated in four modes: password, RSA, password-RSA, and all. In RSA authentication mode, you can configure SSH users to be authorized based on command levels.

Run:
    ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.

After configuring the authorization through command lines for the SSH user to perform RSA authentication, you have to configure the AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.

Step 7 Run:
    ssh user username service-type { stelnet | all }

The service type for the SSH user is configured.

By default, the service type of the SSH user is not configured.

----End

5.5.5 Enabling the STelnet Server Function

To allow users to log in to the router by using STelnet, you must enable the STelnet server function on the router.

Context

By default, no router is enabled with the STelnet server function. Users can establish connections to the router by using STelnet only after the router is enabled with the STelnet server function.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    stelnet server enable

The STelnet server function is enabled.

By default, the STelnet server function is disabled.

----End

5.5.6 (Optional) Configuring the STelnet Server Parameters

You can configure a device to be compatible with the SSH protocol of earlier versions, configure or change the listening port number of an SSH server, and set an interval at which the key pair of the SSH server is updated.

Context

Table 5-2 lists server parameters.

Table 5-2 Server parameters

Server Parameter | Description
Earlier SSH version compatibility | SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. SSH2.0 also supports more advanced services such as SFTP. The HUAWEI NetEngine80E/40E supports SSH versions ranging from 1.3 to 2.0.
Listening port number of an SSH server | The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, deteriorating server performance, and causing authorized users unable to access the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.
Interval at which the key pair of the SSH server is updated | After the interval is set, the key pair of the SSH server is updated periodically to improve security.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Perform one or more operations shown in Table 5-3 as needed.

Table 5-3 Configurations of server parameters

Server Parameter | Operation
Earlier SSH version compatibility | Run the ssh server compatible-ssh1x enable command. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable the system from supporting earlier SSH protocol versions.
Listening port number of the SSH server | Run the ssh server port port-number command. If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections, and uses the new port number to listen to connection requests. By default, the listening port number is 22.
Interval at which the key pair of the SSH server is updated | Run the ssh server rekey-interval hours command. By default, the interval is 0, indicating that the key pair will never be updated.

----End

5.5.7 Logging in to the router by Using STelnet

After the router is configured, a user can log in to the router from a terminal by using STelnet, implementing remote maintenance of the router.

Context

In STelnet login mode, third-party software can be used in the terminal. In this part, the third-party software OpenSSH and the Windows command line are used.

After installing OpenSSH in the user terminal, do as follows on the user terminal:

NOTE

For details on how to install OpenSSH, refer to the installation guide of the software.

For details on how to use OpenSSH commands to log in to the router, refer to the help document of the software.

Procedure

Step 1 Use the Windows command line.

Step 2 Run relevant OpenSSH commands to log in to the router in STelnet mode.

----End

5.5.8 Checking the Configuration

After configuring users to log in by using STelnet, you can view the SSH server configuration.

Prerequisite

Configurations of logins by using STelnet are complete.

Procedure

• Run the display ssh user-information username command on the SSH server to check information about SSH users.
• Run the display ssh server status command on the SSH server to check its configurations.
• Run the display ssh server session command on the SSH server to check sessions for SSH users.

----End

Example

Run the display ssh user-information username command to view information about a specified SSH user.

<HUAWEI> display ssh user-information client001
 User Name             : client001
 Authentication-type   : password
 User-public-key-name  : -
 Sftp-directory        : -
 Service-type          : stelnet
 Authorization-cmd     : No

If no SSH user is specified, information about all SSH users logging in to an SSH server will be displayed.

Run the display ssh server status command to view configurations of an SSH server.

<HUAWEI> display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH Authentication retries          :3 times
 SFTP server                         :Disable
 Stelnet server                      :Enable

Run the display ssh server session command. The command output shows the session information between the SSH server and the client.

<HUAWEI> display ssh server session
Session 1:
 Conn                 : VTY 3
 Version              : 2.0
 State                : started
 Username             : client001
 Retry                : 1
 CTOS Cipher          : aes128-cbc
 STOC Cipher          : aes128-cbc
 CTOS Hmac            : hmac-md5
 STOC Hmac            : hmac-md5
 Kex                  : diffie-hellman-group-exchange-sha1
 Service Type         : stelnet
 Authentication Type  : password
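The two outputs above can be checked mechanically. The following is an added example, not part of the Huawei guide: a Python check that parses the display ssh server status and display ssh server session outputs shown in this section and reports the values a reviewer would question. The weak-algorithm patterns and all function names are assumptions of this example.

```python
import re

# Weak-algorithm policy: this example's assumption, not taken from the guide.
WEAK_CIPHER = re.compile(r"-cbc$|^arcfour|^3des|^des")
WEAK_MAC = re.compile(r"md5|-96$")
WEAK_KEX = re.compile(r"sha1$|group1-")

# Outputs as printed in the guide's example.
STATUS_OUTPUT = """\
<HUAWEI> display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH Authentication retries          :3 times
 SFTP server                         :Disable
 Stelnet server                      :Enable
"""

SESSION_OUTPUT = """\
<HUAWEI> display ssh server session
Session 1:
 Conn                 : VTY 3
 Version              : 2.0
 State                : started
 Username             : client001
 Retry                : 1
 CTOS Cipher          : aes128-cbc
 STOC Cipher          : aes128-cbc
 CTOS Hmac            : hmac-md5
 STOC Hmac            : hmac-md5
 Kex                  : diffie-hellman-group-exchange-sha1
 Service Type         : stelnet
 Authentication Type  : password
"""


def split_field(line):
    """Split one 'name : value' line; return (None, None) for other lines."""
    name, sep, value = line.partition(":")
    if not sep or not value.strip() or line.lstrip().startswith("<"):
        return None, None
    return name.strip().lower(), value.strip()


def parse_status(text):
    """Return the status output as a {field: value} dictionary."""
    fields = {}
    for line in text.splitlines():
        name, value = split_field(line)
        if name:
            fields[name] = value
    return fields


def parse_sessions(text):
    """Return one dictionary per 'Session N:' block of the session output."""
    sessions = []
    for line in text.splitlines():
        header = re.match(r"\s*Session\s+(\d+)\s*:\s*$", line)
        if header:
            sessions.append({"session": header.group(1)})
            continue
        name, value = split_field(line)
        if name and sessions:
            sessions[-1][name] = value
    return sessions


def audit_status(text):
    """Report server-wide settings that weaken the SSH service."""
    fields = parse_status(text)
    findings = []
    if fields.get("ssh version") == "1.99":
        # 1.99 is the version a server announces when SSH-1 compatibility is on.
        findings.append("version 1.99: the server also accepts SSH-1 clients")
    interval = fields.get("ssh server key generating interval", "")
    if interval.split()[:1] == ["0"]:
        findings.append("key generating interval 0: server key pair is never updated")
    return findings


def audit_sessions(text):
    """Report (session, field, value) for each weak negotiated algorithm."""
    checks = (("ctos cipher", WEAK_CIPHER), ("stoc cipher", WEAK_CIPHER),
              ("ctos hmac", WEAK_MAC), ("stoc hmac", WEAK_MAC),
              ("kex", WEAK_KEX))
    findings = []
    for session in parse_sessions(text):
        for field, pattern in checks:
            value = session.get(field, "")
            if value and pattern.search(value):
                findings.append((session["session"], field, value))
        if session.get("version", "").startswith("1"):
            findings.append((session["session"], "version", session["version"]))
    return findings


if __name__ == "__main__":
    for finding in audit_status(STATUS_OUTPUT):
        print("status :", finding)
    for number, field, value in audit_sessions(SESSION_OUTPUT):
        print("session", number, ":", field, "=", value)
```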


5.6 Common Operations After Login

After logging in to the router, you can perform the following operations as needed, such as user priority switching and terminal window locking.

5.6.1 Establishing the Configuration Task

Before performing operations after login, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

To ensure that the operator manages routers safely, you need to configure the switching of user levels, enable message sending between user interfaces, and clear designated users.

Pre-configuration Tasks

Before performing operations after login, complete the following tasks:

• Connecting the terminal to the router

Data Preparations

Before performing operations after login, you need the following data:

No. Data

1 Password used for switching user levels

2 Type and number of the user interface

3 Contents of the message to be sent

5.6.2 Switching User Levels

If a user wants to upgrade from a lower level to a higher level after logging in to the router, a password is required. The password needs to be configured in advance.

Context

To prevent an unauthorized user from using high-level commands, a password is required to increase the user level.

When configuring the switchover of user levels on the router, users can perform HWTACACS Authentication. For detailed configurations, refer to the HUAWEI NetEngine80E/40E router Configuration Guide - Security.


Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

super password [ level user-level ] { simple | cipher } password

The password for switching user levels is configured.

By default, the password is set for level 3.

CAUTION

If simple is configured, the password is saved in the configuration file in plain text. This means that low-level login users can easily obtain and change the password by checking the configuration file, compromising network security. Therefore, selecting cipher to save the password in cipher text is recommended.

If cipher is used to set the password, the password cannot be obtained from the system. Keep a record of the password so that it is not forgotten or lost.

Step 3 Run:

quit

Return to the user view.

Step 4 Run:

super [ level ]

User levels are switched.

By default, the level is 3.

Step 5 Follow the prompt and enter a password.

If the password entered is correct, the user can switch to a higher level. If the user enters an incorrect password three consecutive times, the user remains at the current login level and returns to the user view.

NOTE

When a lower-level login user is switched to a higher level through the super command, the system automatically sends trap messages and records the switchover in a log. When the switched level is lower than the current level, the system only records the switchover in a log.

----End

5.6.3 Locking User Interfaces

When you leave the operation terminals for a moment, you can lock the user interface to prevent unauthorized users from operating the interface.


Context

The user interface can be classified into the Console user interface, AUX user interface, and VTY user interface.

Procedure

Step 1 Run:

lock

The user interface is locked.

Step 2 Follow the system prompt and input an unlock password, and then confirm the input.

<HUAWEI> lock
Enter Password:
Confirm Password:

If the locking is successful, the system prompts that the user interface is locked.

You must enter a correct password to unlock the user interface.

----End

5.6.4 Sending Messages to Other User Interfaces

Messages can be exchanged between the current user interface and other user interfaces.

Context

Users logging in to the router can send messages from the current user interface to users in other user interfaces as needed.

Procedure

Step 1 Run:

send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.

Step 2 Following the prompt, you can view the message to be sent. You can press Ctrl_Z or Enter to end the display, and press Ctrl_C to abort the display.

----End

5.6.5 Displaying Logged-in Users

After users log in, you can query information about logged-in users.

Context

User information includes the user name, address, and authentication and authorization information.

Procedure

• Run the display users [ all ] command to view information about logged-in users.


If all is configured, information about logged-in users on all user interfaces is displayed.

----End

5.6.6 Clearing Logged-in Users

If you want to force a logged-in user to log out of the router, you can tear down the connection between the router and the user.

Context

You can run the display users command to view users logging in to the router.

Procedure

Step 1 Run:

kill user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.

Step 2 Based on displayed information, you can confirm whether specified logged-in users have been cleared.

----End

5.6.7 Configuring Configuration Locking

When multiple users log in to the router to configure the device, configuration conflicts may occur. To prevent configuration conflicts from affecting services, you can enable the function of configuration locking. This allows only one user to configure the device at a time.

Context

Before configuring configuration locking, check whether the configuration set is locked by another user. If no user locks the configuration set, you can exclusively lock the configuration.

Procedure

Step 1 Run:

configuration exclusive

The user obtains exclusive configuration access.

After configuration locking is enabled, you explicitly hold exclusive configuration authority.

NOTE

This command can be run in any view.

You can run the display configuration-occupied user command to check information about the user who locks the configuration set at the moment.

If the configuration set is already locked, a prompt message is displayed after this command is run.

Step 2 Run:

system-view


The system view is displayed.

Step 3 Run:

configuration-occupied timeout timeout-value

The timeout period for automatically unlocking the configuration set is set.

After the timeout period expires, the configuration set is automatically unlocked, allowing other users to configure the device.

By default, the timeout period is 30s.

NOTE

• When a user without exclusive configuration access runs this command, the system prompts an error message.

• If the configuration set is locked by another user, this command cannot be configured, and the system prompts an error message.

• If the configuration set is locked by the current user, the current user can run this command.

----End

5.7 Configuration Examples

This section provides several examples describing how to configure user login by using a console port, Telnet, or STelnet. You can understand the configuration procedures by referring to the configuration flowchart. The configuration examples provide information about the networking requirements, configuration notes, and configuration roadmap.

5.7.1 Example for Configuring User Login Through a Console Port

This part provides a configuration example describing how to configure user login through a console port. In this configuration example, certain login settings are performed on the PC, enabling access to the router through a console port.

Networking Requirements

If a user modifies default values of certain parameters in the console user interface, the user needs to reset the corresponding parameters on the PC when logging in to the router through the console port next time.

Figure 5-7 Networking diagram of user login through a console port (PC connected to the router)

Configuration Roadmap

1. Connect a PC to the router through a console port.
2. Perform login settings on the PC.
3. Log in to the router.

Data Preparation

Communication parameters of the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit: 2, flow control mode: none)

Procedure

Step 1 Establish the configuration environment by connecting the serial port of the PC to the console port of the router through a standard RS-232 cable.

Step 2 Start a terminal emulator on the PC, and set the communication parameters of the PC, as shown in Figure 5-8 to Figure 5-10.

Figure 5-8 Connection creation


Figure 5-9 Interface setting

Figure 5-10 Communication parameter setting

Step 3 Power on the router and wait for the completion of the self-check. After the router starts normally and finishes the self-check, the system prompts you to press Enter.


Wait until the prompt (usually <HUAWEI>) appears, and then you can use a command to view the running status of the router or configure the router.

----End

5.7.2 Example for Logging In Through the AUX Port

In this example, you can configure terminal and modem communication parameters so as to log in to the router through the AUX port.

Networking Requirements

If you cannot configure the router by local login and no router is reachable to other routers, connect the serial port of the PC with the AUX port of the router through the modem. The detailed configuration environment is shown in Figure 5-11.

Figure 5-11 Networking diagram of logging in through the AUX port (PC COM port, modem, PSTN, modem, router)

Configuration Roadmap

The configuration roadmap is as follows:

1. Establish the physical connection.
2. Configure the name, authentication mode, and password of a user that logs in.
3. Configure the AUX port to support the modem dialup.
4. Configure modem parameters.

Data Preparation

To complete the configuration, you need the following data:

• Type of terminals
• Terminal communication parameters
• User name, password, and authentication mode used for user login, which are huawei, hello, and password respectively.
• Modem communication parameters

Procedure

Step 1 Establish the physical connection, as shown in Figure 5-11.


Step 2 Configure the AUX port to support the modem dialup.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher hello
[HUAWEI-aaa] local-user huawei service-type terminal
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit
[HUAWEI] user-interface aux 0
[HUAWEI-ui-aux0] authentication-mode aaa
[HUAWEI-ui-aux0] modem both

Step 3 Configure modem parameters.

# Run the PC emulation terminal, see Logging in to the router Through an AUX Port.

Press Enter on the PC emulation terminal or terminal until a command line prompt of the modem such as ">" appears.

Configure the modem to meet the requirements of AUX communication.

For details, see modem descriptions.

Step 4 Log in to the router.

Enter the user name and password in the remote terminal emulation program.

After authentication succeeds, a command line prompt such as <HUAWEI> appears.

Enter the command to check the running status of the router or configure the router.

Enter "?" for help.

----End

5.7.3 Example for Configuring User Login by Using Telnet

This part provides an example describing how to configure user login by using Telnet. In this configuration example, a user logs in to the router after setting the VTY user interface and user login parameters.

Networking Requirements

A user can log in to the router on another network segment from a PC to remotely maintain the router.

Figure 5-12 Networking diagram of user login by using Telnet (PC, network, router interface GE1/0/1 at 10.137.217.221/16)

After a Telnet user logs in to the router in AAA authentication mode, the Telnet user is prohibited from logging in to another router through the router.


Configuration Roadmap

1. Establish a physical connection.
2. Assign IP addresses to interfaces on the router.
3. Set parameters of the VTY user interface, including limit on call-in and call-out.
4. Set user login parameters.
5. Log in to the router.

Data Preparation

To complete the configuration, you need the following data:

• IP address of the PC
• IP address of the Ethernet interface on the router: 10.137.217.221
• Maximum number of VTY user interfaces: 10
• Number of the ACL that is used to prohibit users from logging into another router: 3001
• Timeout period for disconnecting from the VTY user interface: 20 minutes
• Number of lines that a terminal screen displays: 30
• Size of the history command buffer: 20
• Telnet user information (authentication mode: AAA, user name: huawei, password: hello)

Procedure

Step 1 Connect the PC and the router to the network respectively.

Step 2 Configure a login address.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo shutdown
[HUAWEI-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0
[HUAWEI-GigabitEthernet1/0/1] quit

Step 3 Configure the VTY user interface on the router.

# Set the maximum number of VTY user interfaces.

[HUAWEI] user-interface maximum-vty 10

# Configure an ACL that is used to prohibit users from logging into another router.

[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[HUAWEI-acl-adv-3001] quit
[HUAWEI] user-interface vty 0 9
[HUAWEI-ui-vty0-9] acl 3001 outbound

# Set terminal attributes of the VTY user interface.

[HUAWEI-ui-vty0-9] shell
[HUAWEI-ui-vty0-9] idle-timeout 20
[HUAWEI-ui-vty0-9] screen-length 30
[HUAWEI-ui-vty0-9] history-command max-size 20

# Set the user authentication mode of the VTY user interface.

[HUAWEI-ui-vty0-9] authentication-mode aaa
[HUAWEI-ui-vty0-9] quit


Step 4 Set parameters of the login user on the router.

# Specify the user authentication mode.

[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher hello
[HUAWEI-aaa] local-user huawei service-type telnet
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit

Step 5 Configure user login.

Use the Windows command line to telnet to the router. The Telnet login window is shown in the following figure.

Figure 5-13 Telnet login window on the PC

Press Enter, and then input the user name and password in the login window. If user authentication succeeds, a command line prompt of the system view is displayed. It indicates that you have entered the user view.

Figure 5-14 Window after login of the router

Click Yes and then input the user name and password in the login window. If user authentication succeeds, a command line prompt such as <HUAWEI> is displayed.

----End


Configuration Files

Configuration file of the Router

#
 sysname HUAWEI
#
acl number 3001
 rule 5 deny tcp destination-port eq telnet
#
aaa
 local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 local-user huawei service-type telnet
 local-user huawei level 3
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 9
 acl 3001 outbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return

5.7.4 Example for Configuring User Login by Using STelnet

This part provides an example describing how to configure user login by using STelnet. In this example, after generating the local key pair on the SSH server, configuring the name and password of the SSH user on the SSH server, and enabling the STelnet service on the SSH server, you can connect the STelnet client to the SSH server.

Networking Requirements

As shown in Figure 5-15, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server with the password, RSA, password-rsa, or all authentication mode.

In this configuration example, the password authentication mode is used.

Figure 5-15 Networking diagram of configuring user login by using STelnet (PC, network, SSH server interface GE1/0/1 at 10.137.217.225/16)

Configuration Roadmap

The configuration roadmap is as follows:


1. Configure a local key pair on the SSH server for secure data exchange between the STelnet client and the SSH server.

2. Configure the VTY user interface on the SSH server.

3. Configure an SSH client, which involves the setting of the user authentication mode, user name, and password.

4. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation

To complete the configuration, you need the following data:

• SSH user authentication mode: password, user name: client001, password: huawei

• User level of client001: 3

• IP address of the SSH server: 10.164.39.210

Procedure

Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++

Step 2 Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the NE80E/40E automatically disables Telnet.

Step 3 Set the password of the SSH user client001 to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.

[SSH Server] stelnet server enable
[SSH Server] ssh authentication-type default password
[SSH Server] quit

Step 5 Verify the configuration.

# Log in to the device by using the PuTTY software, specifying 10.164.39.210 as the IP address of the device and SSH as the login protocol.


# In PuTTY, enter the user name client001 and the password huawei to log in to the device.

----End

Configuration Files

• Configuration file of the SSH server

#
 sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 level 3
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.225 255.255.255.0
#
 stelnet server enable
 ssh user client001 authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
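The CAUTION in 5.6.2 about simple passwords and the difference between the configuration files in 5.7.3 (Telnet) and 5.7.4 (STelnet) can be checked on a saved configuration file. The following is an added example, not part of the Huawei guide: a Python audit that parses the file into views and reports plain-text passwords, Telnet-enabled local users, and VTY interfaces without protocol inbound ssh. The sample files are excerpts of the two configuration files with password values replaced by a placeholder, the super password line is constructed, and all function names are assumptions of this example.

```python
import re

# Excerpt of the 5.7.3 configuration file (ciphertext replaced by a placeholder).
TELNET_CONFIG = """\
#
 sysname HUAWEI
#
aaa
 local-user huawei password cipher CIPHERTEXT-PLACEHOLDER
 local-user huawei service-type telnet
 local-user huawei level 3
#
user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 9
 acl 3001 outbound
 authentication-mode aaa
 idle-timeout 20 0
#
return
"""

# Excerpt of the 5.7.4 configuration file (password replaced by a placeholder).
STELNET_CONFIG = """\
#
aaa
 local-user client001 password cipher CIPHERTEXT-PLACEHOLDER
 local-user client001 level 3
 local-user client001 service-type ssh
#
 stelnet server enable
 ssh user client001 authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

# Constructed line using the 5.6.2 syntax with the 'simple' keyword.
CONSTRUCTED_SUPER = " super password level 3 simple Example-Only\n#\n"


def parse_blocks(config):
    """Return [(header, [child commands])]; header is '' for global commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "#":          # '#' closes the current view
            current = None
        elif line[0] != " ":             # unindented line opens a view
            current = (line, [])
            blocks.append(current)
        elif current is None:            # indented line outside any view
            blocks.append(("", [line.strip()]))
        else:
            current[1].append(line.strip())
    return blocks


def audit(config):
    """Return a list of findings for one configuration file."""
    findings, users = [], {}
    for header, children in parse_blocks(config):
        for cmd in [header] + children:
            if re.search(r"\bpassword (?:level \d+ )?simple\b", cmd):
                redacted = re.sub(r"\bsimple\s+\S+", "simple ***", cmd)
                findings.append("plain-text password in file: " + redacted)
        if header == "aaa":
            for cmd in children:
                m = re.match(r"local-user (\S+) (service-type|level) (.+)", cmd)
                if m:
                    users.setdefault(m.group(1), {})[m.group(2)] = m.group(3).split()
        if re.match(r"user-interface vty \d+", header):
            if "protocol inbound ssh" not in children:
                findings.append(header + ": no 'protocol inbound ssh' line")
    for name, attrs in sorted(users.items()):
        if "telnet" in attrs.get("service-type", []):
            level = attrs.get("level", ["unset"])[0]
            findings.append("user %s (level %s) can log in over Telnet" % (name, level))
    return findings


if __name__ == "__main__":
    for label, text in (("5.7.3 Telnet", CONSTRUCTED_SUPER + TELNET_CONFIG),
                        ("5.7.4 STelnet", STELNET_CONFIG)):
        print(label, "->", audit(text) or "no findings")
```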


6 Managing File System

About This Chapter

The file system manages the files and directories in the storage devices on the router. It can move and delete a file or directory and display the contents of the file.

6.1 File System Overview
The router effectively manages all files by means of the file system.

6.2 Performing File Operations by Means of the File System
Users can perform file operations by means of the file system, including managing storage devices, directories, and files.

6.3 Performing File Operations by Means of FTP
FTP can transmit files between local and remote hosts, and is widely used for version upgrade, log downloading, file transmission, and configuration saving.

6.4 Performing File Operations by Means of SFTP
SFTP enables users to log in to the router securely from the remote device to manage files. This improves the security of data transmission for the remote end to update its system.

6.5 Performing File Operations by Means of Xmodem
This section describes how to transfer files through XModem.

6.6 Configuration Examples
This section provides examples of performing file operations by accessing the system and using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.


6.1 File System Overview

The router effectively manages all files by means of the file system.

6.1.1 File System

The file system manages the files and directories in the storage devices. It can create, delete, modify, and rename a file or directory and display the contents of the file.

The file system has two functions: managing the storage devices and managing the files that are stored in those storage devices.

6.1.2 Methods of File Management

You can manage files by means of the file system, FTP or SFTP.

Performing File Operations by Means of the File System

• Storage Devices
Storage devices are hardware devices for storing messages. At present, the router supports the CF card as a storage device.

• Files
The file is a mechanism with which the system stores and manages messages.

• Directories
The directory is a mechanism with which the system integrates and organizes the file, serving as a logical container of the file.

Performing File Operations by Means of FTP

You can configure the router as the FTP server, and log in to the router from the user terminal to transmit files and manage directories on the FTP server.

Performing File Operations by Means of SFTP

SSH supports Secure File Transfer Protocol (SFTP), which enables users to remotely and securely log in to the router to manage files. SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions.

Performing File Operations by Means of Xmodem

XModem is a file transfer protocol and is mainly applied to the AUX port. XModem does not support simultaneous operations of multiple users.


Table 6-1 File management methods

File Management Method | Implementation
Logging in to the system | You can log in to the system through the Console or AUX port or by using Telnet or STelnet to manage files.
FTP | The router needs to be enabled with FTP. Most terminals support the FTP client function.
SFTP | • SFTP provides secure file transfer services based on SSH, irrelevant to the standard FTP protocol. • The router needs to be enabled with SFTP. Terminals need to be installed with the SFTP client software.

6.2 Performing File Operations by Means of the File System

Users can perform file operations by means of the file system, including managing storage devices, directories, and files.

6.2.1 Establishing the Configuration Task

Before performing file operations by means of the file system, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration tasks quickly and accurately.

Applicable Environment

When the router fails to save or obtain data, you can log in to the file system to repair the faulty storage devices or manage files or directories on the router. You can especially manage storage devices by logging in to the file system.

Pre-configuration Tasks

Before performing file operations by logging in to the file system, complete the following tasks:

• Connecting the client with the server correctly

Data Preparation

To perform file operations by logging in to the file system, you need the following data:

No. Data

1 Storage device name

2 Directory name

3 File name

6.2.2 Managing Storage Devices

When the file system of the storage devices on the router functions abnormally, you need to repair and format the file system before managing the storage devices.

Context

When the file system on a storage device fails, the terminal of the router prompts you to rectify the fault.

You can format a storage device when you fail to repair the file system or you do not need any data saved on the storage device.

CAUTION

Formatting storage devices may lead to data loss. Therefore, exercise caution when performing this operation.

Procedure

• Run:

fixdisk device-name

The storage device whose file system is faulty is repaired.

NOTE

After this command is run, if the prompt that the system should be repaired is still received, it indicates that the physical medium may be damaged.

• Run:

format device-name

The storage device is formatted.

NOTE

If the storage device cannot work after the format device-name command is run, the hardware may be faulty.

----End

6.2.3 Managing the Directory

You can manage directories to logically store files in hierarchy.


Context

You can manage directories by changing and displaying directories, displaying files in directories and sub-directories, and creating and deleting directories.

Procedure

• Run:

cd directory

A directory is specified.

• Run:

pwd

The current directory is displayed.

• Run:

dir [ /all ] [ filename ]

The file and sub-directory list in the directory is displayed.

Either the absolute path or relative path is applicable.

• Run:

mkdir directory

The directory is created.

• Run:

rmdir directory

The directory is deleted.

----End

6.2.4 Managing Files

You can log in to the file system to view, delete, or rename the files on the router.

Context

• Managing files includes: displaying contents, copying, moving, renaming, compressing, deleting, undeleting, deleting files in the recycle bin, running files in batch and configuring prompt modes.

• You can run the cd directory command to enter the required directory from the current directory.

Procedure

• Run:

more filename [ offset | all ]

The content of the file is displayed.

By specifying parameters in the more command, you can view files flexibly:

– By running the more file-name command, you can view the file named file-name. Contents of a text file are displayed screen after screen. If you hold and press the spacebar on the current terminal, all contents of the current file can be displayed.


    There are two preconditions for displaying the contents of a text file screen after screen:

    – The value configured by the screen-length screen-length temporary command must be larger than 0.
    – The total number of lines in the file must be larger than the value configured by the screen-length command.

  – By running the more file-name offset command, you can view the file named file-name. Contents of a text file are displayed from the line specified by offset, screen after screen. If you press and hold the spacebar on the current terminal, all contents of the current file can be displayed.

    There are two preconditions for displaying the contents of a text file screen after screen:

    – The value configured by the screen-length screen-length command must be larger than 0.
    – The number of characters in the file minus the value of offset must be larger than the value configured by the screen-length command.

  – By running the more file-name all command, you can view the file named file-name. Contents of a text file are displayed completely, without pausing after each screenful of information.

• Run:
  copy source-filename destination-filename

  The file is copied.

  NOTE

  The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.

• Run:
  move source-filename destination-filename

  The file is moved.

• Run:
  rename source-filename destination-filename

  The file is renamed.

• Run:
  zip source-filename destination-filename

  The file is compressed.

• Run:
  delete [ /unreserved ] [ /quiet ] { filename | device-name }

  The file is deleted.

  If you use the /unreserved parameter in the delete command, the file cannot be restored after being deleted.

• Run:
  undelete filename

  The deleted file is recovered.

  NOTE

  If the current directory is not the parent directory, you must operate the file by using the absolute path.

• Run:
  reset recycle-bin [ filename ]

  The file is deleted.

  You can permanently delete files in the recycle bin.

• Running Files in Batch

  You can upload files and then process them in batches. The edited batch files need to be saved in the storage devices on the router.

  After a batch file is created, you can run it to implement routine tasks automatically.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     execute filename

     The batch file is executed.

• Configuring Prompt Modes

  The system displays prompts or warning messages when you operate the device (especially for operations that lead to data loss). If you need to change the prompt mode for file operations, you can configure the prompt mode of the file system.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     file prompt { alert | quiet }

     The prompt mode of the file system is configured.

     By default, the prompt mode is alert.

     CAUTION

     If the prompt mode is quiet, no prompt appears for data loss caused by misoperation.

----End

6.3 Performing File Operations by Means of FTP

FTP can transmit files between local and remote hosts, and is widely used for version upgrade, log downloading, file transmission, and configuration saving.

6.3.1 Establishing the Configuration Task

Before performing file operations by means of FTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

When the router serves as the FTP server, after the client logs in to the router through FTP, the user can transfer files between the client and the server.

Pre-configuration Tasks

Before performing file operations by means of FTP, complete the following task:

• Connecting the FTP client to the server

Data Preparation

To perform file operations by means of FTP, you need the following data:

NOTE

For FTP secure server connection, perform step 2.

No.  Data
1    FTP user name and password, file directory authorized to the FTP user
2    (Optional) Listening port number specified on the FTP server
3    (Optional) Source IP address or source interface of the FTP server
     (Optional) Timeout period of the disconnection from the FTP server
4    IP address or host name of the FTP server

6.3.2 Configuring a Local FTP User

You can configure the authorization mode and authorization directory for FTP users. Unauthorized users then cannot access the specified directory, which helps ensure security.

Context

To perform file operations by means of FTP, you need to configure a local user name and a password on the router and specify the service type and the directories that can be accessed. Otherwise, you cannot access the router by using FTP.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  set default ftp-directory directory

The default FTP working directory is configured.

NOTE

The configuration in this step is valid only for TACACS users.

Step 3 Run:
  aaa

The AAA view is displayed.

Step 4 Run:
  local-user user-name password { simple | cipher } password

The local user name and the password are configured.

Step 5 Run:
  local-user user-name service-type ftp

The FTP service type is configured.

Step 6 Run:
  local-user user-name ftp-directory directory

The authorization directory of the FTP user is configured.

----End

6.3.3 (Optional) Specifying a Port Number for the FTP Server

You can configure or change the listening port number of the FTP server. After the port number is changed, only the user knows the current port number, which helps ensure security.

Context

By default, the listening port number of an FTP server is 21. Users can directly log in to the router by using the default listening port number. Attackers may access the default listening port, which reduces available bandwidth, affects the performance of the server, and prevents valid users from accessing the server. After the listening port number of the FTP server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.

NOTE

If the FTP service is not enabled, change the FTP port as required.

If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and then change the FTP port.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  ftp [ ipv6 ] server port port-number

The port number of the FTP server is configured.

If a new listening port number is configured, the FTP server interrupts all FTP connections and listens on the new port.

----End

6.3.4 Enabling the FTP Server

Before using FTP to perform file operations, you need to enable the FTP server on the router.

Context

By default, the FTP server is disabled on the router. Therefore, you must enable the FTP server before using FTP.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  ftp [ ipv6 ] server enable

The FTP server is enabled.

NOTE

When the file operation between clients and the router ends, run the undo ftp [ ipv6 ] server command to disable the FTP server function. This ensures the security of the router.

----End

6.3.5 (Optional) Configuring the FTP Server Parameters

The FTP server parameters include the source address of the FTP server and the timeout period for FTP connections.

Context

• You can configure a source IP address for the FTP server. This limits the destination address that the client can access and therefore helps ensure security.

• You can configure the timeout period for FTP connections on the FTP server. When the timeout period of an FTP connection expires, the system breaks the connection to release resources.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  ftp server-source { -a ip-address | -i interface-type interface-number }

The source IP address or source interface of the FTP server is configured.

To log in to the FTP server, you must specify the same source IP address in the ftp command. Otherwise, you cannot log in to the FTP server.

Step 3 Run:
  ftp [ ipv6 ] timeout minutes

The timeout period of the FTP server is configured.

If the client is idle for the configured time, the connection is removed from the FTP server.

By default, the timeout value is 30 minutes.

----End

6.3.6 (Optional) Configuring an FTP ACL

After an FTP ACL is configured, only the specified clients can access the router.

Context

When the router functions as an FTP server, you can configure an ACL to allow the clients that meet the matching rules to access the FTP server.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  acl acl-number

The ACL view is displayed.

Step 3 Run:
  rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL rule is configured.

NOTE

FTP supports only the basic ACL (2000 to 2999).

Step 4 Run:
  quit

Return to the system view.

Step 5 Run:
  ftp [ ipv6 ] acl acl-number

The basic FTP ACL is configured.

----End

6.3.7 Accessing the System by Using FTP

After the FTP server is configured, you can access the router from the PC by using FTP to manage the files on the router.

Context

If you need to log in to the router by using FTP, you can use either the Windows command line or third-party software. The Windows command line is used here as an example.

Do as follows on the PC:

Procedure

Step 1 Use the Windows command line.

Step 2 Run the ftp ip-address command to log in to the router by using FTP.

Enter the user name and password at the prompt, and press Enter. When the FTP client prompt, such as ftp>, is displayed in the Windows command line, you have entered the working directory of the FTP server.

----End

6.3.8 Performing File Operations by Using FTP Commands

After logging in to the router that functions as an FTP server by using FTP, you can upload files to or download files from the router, and manage the directories on the router.

Context

After logging in to the FTP server, you can perform the following operations:

• Configuring data type for the file
• Uploading or downloading files
• Creating directories on or deleting directories from the FTP server
• Displaying information about a specified remote directory or a file of the FTP server, or deleting a specified file from the FTP server

After logging in to the FTP server and entering the FTP client view, you can perform one or more of the following operations:

Procedure

• Configuring data type and transmission mode for the file.

  – Run:
    ascii or binary

    The data type of the file to be transmitted is set to ASCII or binary.

    NOTE

    FTP supports the ASCII type and the binary type. Their differences are as follows:

    • In ASCII transmission mode, ASCII characters are used to separate carriage returns from line feeds.
    • In binary transmission mode, characters can be transferred without format conversion or formatting.

    The selection of the FTP transmission mode is client-customized. The system defaults to the ASCII transmission mode. The client can use a mode switch command to switch between the ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.

• Upload or download files.

  – Upload or download a file.

    – Run:
      put local-filename [ remote-filename ]

      The local file is uploaded to the remote FTP server.

    – Run:
      get remote-filename [ local-filename ]

      The FTP file is downloaded from the FTP server and saved to the local file.

  – Upload or download multiple files.

    – Run the mput local-filenames command to upload multiple local files synchronously to the remote FTP server.
    – Run the mget remote-filenames command to download multiple files from the FTP server and save them locally.

    NOTE

    • When you are uploading or downloading files, and the prompt command is run in the FTP client view to enable the file transmission prompt function, the system will prompt you to confirm the uploading or downloading operation.
    • If the prompt command is run again in the FTP client view, the file transmission prompt function will be disabled.

• Run one or more commands in the following order to manage directories.

  – Run:
    cd pathname

    The working path of the remote FTP server is specified.

  – Run:
    pwd

    The specified directory of the FTP server is displayed.

  – Run:
    lcd [ local-directory ]

    The directory of the FTP client is displayed or changed.

  – Run:
    mkdir remote-directory

    A directory is created on the FTP server.

  – Run:
    rmdir remote-directory

    A directory is removed from the FTP server.

• Run one or more of the following commands to manage files.

  – Run:
    ls [ remote-filename ] [ local-filename ]

    The specified directory or file on the remote FTP server is displayed.

    If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

  – Run:
    dir [ remote-filename ] [ local-filename ]

    The specified directory or file on the local FTP server is displayed.

    If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

  – Run:
    delete remote-filename

    The specified file on the FTP server is deleted.

    If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

  When local-filename is set, related information about the file can be downloaded locally.

NOTE

If you need other FTP operations, you can run the help [ command ] command in the Windows command line to get help.

----End

6.3.9 Checking the Configuration

After the configuration is complete, you can view the configuration and status of the FTP server as well as information about logged-in FTP users.

Prerequisite

All configurations for operating files by using FTP are complete.

Procedure

• Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP server.
• Run the display ftp-users command to check how many users are currently logged in to the FTP server.

----End

Example

Run the display [ ipv6 ] ftp-server command to check that the FTP server is working.

<HUAWEI> display ftp-server
   FTP server is running
   Max user number                 5
   User count                      1
   Timeout value(in minute)        30
   Listening Port                  1080
   Acl number                      0
   FTP server's source address     1.1.1.1

Run the display ftp-users command to view the user name, port number, and authorization directory of the FTP users currently configured.

<HUAWEI> display ftp-users
  username  host            port  idle  topdir
  zll       100.2.150.226   1383  3     cfcard:

6.4 Performing File Operations by Means of SFTP

SFTP enables users to log in to the router securely from the remote device to manage files. This improves the security of data transmission for the remote end to update its system.

6.4.1 Establishing the Configuration Task

Before performing file operations by using SFTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions. SSH supports SFTP.

SFTP is a secure FTP service and enables users to log in to the FTP server for data transmission.

Pre-configuration Tasks

Before performing file operations by using SFTP, complete the following task:

• Configuring reachable routes between the terminal and the device

Data Preparation

Before performing file operations by using SFTP, you need the following data.

No.  Data
1    Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and call-out in VTY user interfaces, connection timeout period of terminal users, number of rows displayed in a terminal screen, size of the history command buffer, user authentication mode, user name, and password
2    User name, password, authentication mode, and service type of an SSH user and remote public RSA key pair allocated to the SSH user, SFTP working directory of the SSH user
3    (Optional) Number of the port monitored by the SSH server
     (Optional) The interval for updating the key pair on the SSH server
4    Name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server to the SFTP client, preferred algorithm of key exchange, name of the outgoing interface, source address
5    Directory name and file name

6.4.2 Configuring VTY User Interface

To allow a user to log in to the router by using SFTP, you need to configure attributes of the VTY user interface.

Context

By default, the user authentication mode in the VTY user interface is password. Therefore, before a user logs in to the router by using SFTP, the user authentication mode in the VTY user interface must be set. Otherwise, the user cannot log in to the router.

Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values.

For detailed settings, see Configuring VTY User Interface.

6.4.3 Configuring SSH for the VTY User Interface

To allow users to log in to the router by using SFTP, you need to configure VTY user interfaces to support SSH.

Context

By default, user interfaces support Telnet. If no user interface is configured to support SSH, users cannot log in to the router by using SFTP.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.

Step 3 Run:
  authentication-mode aaa

The AAA authentication mode is configured.

Step 4 Run:
  protocol inbound ssh

The VTY user interface is configured to support SSH.

NOTE

If a VTY user interface is configured to support SSH, the VTY user interface must be configured with AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.

----End

6.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types

To allow a user to log in to the router by using SFTP, you must configure an SSH user, configure the router to generate a local RSA key pair, configure a user authentication mode, and specify a service type and authorized directory for the SSH user.

Context

• SSH users can be authenticated in four modes: RSA, password, password-RSA, and all. Password authentication depends on Authentication, Authorization and Accounting (AAA). Before a user logs in to the router in password or password-RSA authentication mode, you must create a local user with the specified user name in the AAA view.

• Configuring the router to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.

NOTE

Password-RSA authentication requires success of both password authentication and RSA authentication. The all authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the router that functions as an SSH server:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  ssh user user-name

  1. Run:
     aaa

     The AAA view is displayed.

  2. Run:
     local-user user-name password { simple | cipher } password

     The name and password of the local user are created.

Step 3 Run:
  rsa local-key-pair create

A local RSA key pair is generated.

NOTE

• Before performing the other SSH configurations, you must run the rsa local-key-pair create command to generate a local key pair.

• After generating the local key pair, you can run the display rsa local-key-pair public command to view the public key in the local key pair.

Step 4 Run:
  ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for SSH users is configured.

Perform the following as required:

• Authenticate the SSH user through the password.

  – Run:
    ssh user user-name authentication-type password

    The password authentication is configured for the SSH user.

  – Run:
    ssh authentication-type default password

    The default password authentication is configured for the SSH user.

  For the local authentication or HWTACACS authentication, if the number of SSH users is small, you can adopt the former command; if the number of SSH users is large, adopt the latter command to simplify the configuration.

• Authenticate the SSH user through RSA.

  1. Run:
     ssh user user-name authentication-type rsa

     The RSA authentication is configured for the SSH user.

  2. Run:
     rsa peer-public-key key-name

     The public key view is displayed.

  3. Run:
     public-key-code begin

     The public key editing view is displayed.

  4. Run:
     hex-data

     The public key is edited.

     NOTE

     • In the public key view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software.

     • After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. Copy the RSA public key to the router that serves as the SSH server.

  5. Run:
     public-key-code end

     Quit the public key editing view.

     • If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.

     • If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

  6. Run:
     peer-public-key end

     Return to the system view from the public key view.

  7. Run:
     ssh user user-name assign rsa-key key-name

     The public key is assigned to the SSH user.

Step 5 (Optional) Configuring the Basic Authentication Information for SSH Users

  1. Run:
     ssh server rekey-interval interval

     The interval for updating the server key pair is configured.

     By default, the interval for updating the key pair of the SSH server is 0, which indicates no updating.

  2. Run:
     ssh server timeout seconds

     The timeout period of the SSH authentication is set.

     By default, the timeout period is 60 seconds.

  3. Run:
     ssh server authentication-retries times

     The number of retry times of the SSH authentication is set.

     By default, the number of retries is 3.

Step 6 (Optional) Authorizing SSH Users Through the Command Line

SSH users can be authenticated in four modes: password, RSA, password-RSA, and all. In RSA authentication mode, you can configure SSH users to be authorized based on command levels.

Run:
  ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.

After configuring the authorization through command lines for the SSH user to perform RSA authentication, you have to configure the AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.

Step 7 Run:
  ssh user username service-type { SFTP | all }

The service type of an SSH user is set to SFTP or all.

By default, the service type of the SSH user is not configured.

Step 8 Run:
  ssh user username sftp-directory directoryname

The authorized directory of the SFTP service for SSH users is configured.

By default, the authorized directory of the SFTP service for SSH users is cfcard:.

----End

6.4.5 Enabling the SFTP Service

Before using the STelnet service, you need to enable it.

Context

By default, the router is not enabled with the SFTP server function. Users can establish connections with the router by using SFTP only after the router is enabled with the SFTP server function.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  sftp server enable

The SFTP service is enabled.

By default, the SFTP service is disabled.

----End

6.4.6 (Optional) Configuring the STelnet Server Parameters

You can configure a device to be compatible with the SSH protocol of earlier versions, configure or change the listening port number of an SSH server, and set an interval at which the key pair of the SSH server is updated.

Context

Table 6-2 lists server parameters.

Table 6-2 Server parameters

Server Parameter / Description

Earlier SSH version compatibility
  SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. SSH2.0 also supports more advanced services such as SFTP. The HUAWEI NetEngine80E/40E supports SSH versions ranging from 1.3 to 2.0.

Listening port number of an SSH server
  The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, deteriorating server performance, and preventing authorized users from accessing the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.

Interval at which the key pair of the SSH server is updated
  After the interval is set, the key pair of the SSH server is updated periodically to improve security.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Perform one or more operations shown in Table 6-3 as needed.

Table 6-3 Configurations of server parameters

Server Parameter / Operation

Earlier SSH version compatibility
  Run the ssh server compatible-ssh1x enable command.
  By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable the system from supporting earlier SSH protocol versions.

Listening port number of the SSH server
  Run the ssh server port port-number command.
  If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections, and uses the new port number to listen to connection requests. By default, the listening port number is 22.

Interval at which the key pair of the SSH server is updated
  Run the ssh server rekey-interval hours command.
  By default, the interval is 0, indicating that the key pair will never be updated.

----End
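
A configuration check for the hardening points made in sections 6.2.4, 6.3.2 to 6.3.6 and 6.4.6, as an added example that is not part of the Huawei guide. Both sample configurations are constructed, and the script assumes that a saved configuration lists commands in the syntax this guide shows (including undo ssh server compatible-ssh1x enable); that the simple keyword leaves the password readable is general VRP behaviour rather than a statement from this guide.

```python
import re

# Constructed sample of a saved configuration (not taken from the guide).
# Assumption: saved lines mirror the command syntax shown in sections 6.2-6.4.
SAMPLE_CONFIG = """\
#
file prompt quiet
#
ftp server enable
ftp server port 1080
sftp server enable
#
aaa
 local-user ftpuser password simple Example-Pass-1
 local-user ftpuser service-type ftp
 local-user sshuser password cipher CIPHERTEXT-PLACEHOLDER
#
ssh user sshuser authentication-type password
ssh user sshuser service-type sftp
ssh user sshuser sftp-directory cfcard:
#
"""

# Constructed counterpart: FTP left at its default (disabled), SSH1.X refused.
HARDENED_CONFIG = """\
#
sftp server enable
undo ssh server compatible-ssh1x enable
#
aaa
 local-user sshuser password cipher CIPHERTEXT-PLACEHOLDER
#
ssh user sshuser authentication-type password
ssh user sshuser service-type sftp
ssh user sshuser sftp-directory cfcard:
#
"""


def audit(config):
    """Return a list of (finding_id, detail) tuples for one configuration text."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and ln != "#"]

    def grab(pattern):
        # First capture group of every line that fully matches the pattern.
        return [m.group(1) for ln in lines if (m := re.fullmatch(pattern, ln))]

    findings = []

    # 6.3.4: the FTP server is disabled by default and should be disabled
    # again (undo ftp server) once the file operation ends.
    if grab(r"(ftp(?: ipv6)? server enable)"):
        findings.append(("FTP-ENABLED", "run 'undo ftp server' when transfers end"))
        # 6.3.6: only a basic ACL (2000 to 2999) can restrict FTP clients.
        acls = [int(n) for n in grab(r"ftp(?: ipv6)? acl (\d+)")]
        if not acls:
            findings.append(("FTP-NO-ACL", "no ACL limits which clients connect"))
        for n in acls:
            if not 2000 <= n <= 2999:
                findings.append(("FTP-ACL-RANGE", f"acl {n} is not a basic ACL"))

    # 6.3.2: an FTP user should be confined to an authorization directory.
    ftp_users = set(grab(r"local-user (\S+) service-type (?:.* )?ftp(?: .*)?"))
    confined = set(grab(r"local-user (\S+) ftp-directory \S+"))
    for user in sorted(ftp_users - confined):
        findings.append(("FTP-NO-DIRECTORY", user))

    # 'simple' keeps the password readable in the configuration file.
    for user in grab(r"local-user (\S+) password simple \S+"):
        findings.append(("PLAINTEXT-PASSWORD", user))

    # 6.4.6: SSH1.X compatibility is on by default until explicitly undone.
    if grab(r"(sftp server enable)") and not grab(
            r"(undo ssh server compatible-ssh1x enable)"):
        findings.append(("SSH1X-COMPAT", "SSH1.3 to SSH1.99 clients can log in"))

    # 6.2.4: quiet mode suppresses warnings before data-losing file operations.
    if grab(r"(file prompt quiet)"):
        findings.append(("QUIET-PROMPT", "no prompt before destructive operations"))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit(SAMPLE_CONFIG):
        print(f"{finding_id:20} {detail}")
```
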

6.4.7 Accessing the System by Using SFTPAfter the configuration is complete, users can log in to the router from the user terminal by usingSFTP to manage files on the router.

ContextThe third-party software can be used to access the router from the user terminal by using SFTP.Here uses the third-party software OpenSSH and windows command line as an example.

After installing OpenSSH on the user terminal, do as follows on the user terminal:

NOTE

For details on how to install OpenSSH, see the installation guide of the software.

For details on how to use OpenSSH commands to log in to the router, see the help document of the software.

Procedure

Step 1 Use the Windows command line.

Step 2 Run relevant OpenSSH commands to log in to the router in SFTP mode.

When the command line prompt is displayed in the SFTP client view, such as sftp>, users have entered the working directory of the SFTP server.


----End

6.4.8 Performing File Operations by Using SFTP

On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH server.

Context

After logging in to the SFTP server, you can perform the following operations:

• Displaying the SFTP client command help
• Managing the directory on the SFTP server

After logging in to the SFTP server and entering the SFTP client view, you can perform one or more of the following operations.

Procedure

• Run:

  help [ all | command-name ]

  The SFTP client command help is displayed.

• You can perform one or multiple of the following operations as required.

  – Run:

    cd [ remote-directory ]

    The current operating directory of users is changed.

  – Run:

    pwd

    The current operating directory of users is displayed.

  – Run:

    dir/ls [ path ]

    The file list in the specified directory is displayed.

  – Run:

    rmdir remote-directory &<1-10>

    The directory on the server is deleted.

  – Run:

    mkdir remote-directory

    A directory is created on the server.

• You can perform one or multiple of the following operations as required.

  – Run:

    rename old-name new-name

    The name of the specified file on the server is changed.

  – Run:

    get remote-filename [ local-filename ]

    The file on the remote server is downloaded.

  – Run:

    put local-filename [ remote-filename ]

    The local file is uploaded to the remote server.

  – Run:

    rmdir remote-directory &<1-10>

    The file on the server is removed.

----End

6.4.9 Checking the Configuration

After performing file operations by using SFTP, you can view SSH user information and global configurations of the SSH server.

Prerequisite

The configurations of SSH users are complete.

Procedure

• Run the display ssh user-information username command to check the information about the SSH client on the SSH server.
• Run the display ssh server status command on the SSH server to check its global configurations.
• Run the display ssh server session command on the SSH server to check information about connection sessions with SSH clients.

----End

Example

Run the display ssh user-information username command. It shows that the SSH user named client001 is authenticated by password.

[HUAWEI] display ssh user-information client001
 User Name : client001
 Authentication-type : password
 User-public-key-name : -
 Sftp-directory : -
 Service-type : sftp
 Authorization-cmd : No

If no SSH user is specified, information about all SSH users logging in to an SSH server will be displayed.

Run the display ssh server status command to view global configurations of an SSH server.

<HUAWEI> display ssh server status
 SSH version : 1.99
 SSH connection timeout : 60 seconds
 SSH server key generating interval : 2 hours
 SSH Authentication retries : 5 times
 SFTP server : Enable
 Stelnet server : Enable
 SSH server port : 55535

NOTE

If the default listening port is in use, information about the current listening port is not displayed.

Run the display ssh server session command to view information about sessions between the SSH server and SSH clients.

<HUAWEI> display ssh server session
Session 2:
 Conn : VTY 4
 Version : 2.0
 State : started
 Username : client002
 Retry : 1
 CTOS Cipher : aes128-cbc
 STOC Cipher : aes128-cbc
 CTOS Hmac : hmac-md5
 STOC Hmac : hmac-md5
 Kex : diffie-hellman-group-exchange-sha1
 Service Type : sftp
 Authentication Type : password
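The two display outputs above can be checked automatically during a configuration review. The following Python sketch is an added example, not Huawei code: it parses the "Name : value" layout shown above and reports SSH1.X compatibility, a key pair that is never updated, and negotiated algorithms matching an assumed weak-algorithm policy (the WEAK patterns and the function names are assumptions of this example).

```python
import re

# Both samples are copied from this page's example output, one field per line.
STATUS_OUTPUT = """\
<HUAWEI> display ssh server status
 SSH version : 1.99
 SSH connection timeout : 60 seconds
 SSH server key generating interval : 2 hours
 SSH Authentication retries : 5 times
 SFTP server : Enable
 Stelnet server : Enable
 SSH server port : 55535
"""
SESSION_OUTPUT = """\
<HUAWEI> display ssh server session
Session 2:
 Conn : VTY 4
 Version : 2.0
 State : started
 Username : client002
 Retry : 1
 CTOS Cipher : aes128-cbc
 STOC Cipher : aes128-cbc
 CTOS Hmac : hmac-md5
 STOC Hmac : hmac-md5
 Kex : diffie-hellman-group-exchange-sha1
 Service Type : sftp
 Authentication Type : password
"""

FIELD = re.compile(r"^\s*([^:]+?)\s+:\s+(.+?)\s*$")    # "Name : value"
SESSION = re.compile(r"^\s*Session\s+(\d+)\s*:\s*$")   # "Session 2:"

# Assumed audit policy (not from the guide): (field name, weak value, reason).
WEAK = [
    (re.compile(r"Cipher$"), re.compile(r"-cbc$|^arcfour"), "CBC-mode or legacy cipher"),
    (re.compile(r"Hmac$"), re.compile(r"md5"), "MD5-based MAC"),
    (re.compile(r"^Kex$"), re.compile(r"sha1$"), "SHA-1 based key exchange"),
    (re.compile(r"^Version$"), re.compile(r"^1\."), "SSH1.X session"),
]


def parse_fields(text):
    """Return the 'Name : value' lines of one display output as a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def parse_sessions(text):
    """Return {session number: fields} for display ssh server session output."""
    sessions, current = {}, None
    for line in text.splitlines():
        head = SESSION.match(line)
        if head:
            current = sessions.setdefault(int(head.group(1)), {})
            continue
        match = FIELD.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2)
    return sessions


def audit_status(fields):
    """Check the global settings described in Table 6-3."""
    findings = []
    if fields.get("SSH version") == "1.99":
        findings.append("SSH1.X clients are accepted (version 1.99); "
                        "run: undo ssh server compatible-ssh1x enable")
    interval = fields.get("SSH server key generating interval")
    if interval is not None and interval.split()[0] == "0":
        findings.append("key pair is never updated; "
                        "run: ssh server rekey-interval hours")
    if "SSH server port" not in fields:
        # Per the NOTE above, the port line is omitted when the default is used.
        findings.append("SSH server listens on the default port 22")
    return findings


def audit_session(fields):
    """Return (field, value, reason) for each algorithm the policy rejects."""
    findings = []
    for name, value in fields.items():
        for name_re, value_re, reason in WEAK:
            if name_re.search(name) and value_re.search(value):
                findings.append((name, value, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_status(parse_fields(STATUS_OUTPUT)):
        print("server:", finding)
    for number, fields in parse_sessions(SESSION_OUTPUT).items():
        for name, value, reason in audit_session(fields):
            print(f"session {number}: {name} = {value} ({reason})")
```

For the sample output this reports the SSH1.X compatibility setting and, for session 2, the CBC cipher, the MD5-based MAC and the SHA-1 key exchange in both directions.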

6.5 Performing File Operations by Means of Xmodem

This section describes how to transfer files through XModem.


6.5.1 Establishing the Configuration Task

Before configuring XModem, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Configure XModem to transfer files through serial interfaces.

Pre-configuration Tasks

Before configuring XModem, complete the following tasks:

• Powering on the router
• Connecting the router and the PC through an AUX port or a console port
• Logging in to the router through the terminal emulation program and specifying a file path in the terminal emulation program

Data Preparation

To configure XModem, you need the following data.

| No. | Data |
| --- | --- |
| 1 | Name of a specific file |
| 2 | Absolute path of the file |

6.5.2 Getting a File Through Xmodem

Using XModem, you can download files to a router through the AUX port.

Context

XModem file transfer consists of a receiving program and a sending program.

• The receiving program first sends the negotiation character to negotiate the check mode.
• After the negotiation is successful, the sending program begins to send packets.
• When the receiving program receives a complete packet, it checks the packet in the negotiated mode.
• If the check is successful, the receiving program sends the acknowledgement character and then the sending program sends the next packet.
• If the check fails, the receiving program sends the denial character and the sending program retransmits the packet.

NE80E/40E provides the function of the XModem receiving program, which is applied to the AUX port and supports 128-byte packets and CRC. The function of the XModem sending program is automatically included in the HyperTerminal.
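The exchange described above can be followed in code. The following Python sketch is an added example, not the router's implementation: it models a receiver for 128-byte packets in CRC mode together with an in-memory sender, using the standard XModem control characters (C to request CRC mode, SOH, ACK, NAK, EOT). The class and function names and the injected bit error are assumptions of this example.

```python
SOH, EOT, ACK, NAK = 0x01, 0x04, 0x06, 0x15
CRC_REQUEST = ord("C")   # negotiation character: the receiver asks for CRC mode
PAD = 0x1A               # filler used when the last block is shorter than 128 bytes
BLOCK = 128              # packet payload size


def crc16_xmodem(data: bytes) -> int:
    """CRC-16 with polynomial 0x1021, initial value 0, no bit reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(seq: int, chunk: bytes) -> bytes:
    """Sending side: SOH, block number, its complement, 128 data bytes, CRC."""
    data = chunk.ljust(BLOCK, bytes([PAD]))
    seq &= 0xFF
    return bytes([SOH, seq, 0xFF - seq]) + data + crc16_xmodem(data).to_bytes(2, "big")


class Receiver:
    """Receiving program: checks each packet and answers ACK or NAK."""

    def __init__(self):
        self.expected = 1            # block numbers start at 1 and wrap at 256
        self.data = bytearray()
        self.done = False

    def negotiate(self) -> int:
        return CRC_REQUEST

    def on_frame(self, frame: bytes) -> int:
        if frame == bytes([EOT]):    # the sender signals the end of the file
            self.done = True
            return ACK
        if len(frame) != BLOCK + 5 or frame[0] != SOH:
            return NAK
        seq, inverse, data = frame[1], frame[2], frame[3:3 + BLOCK]
        if seq + inverse != 0xFF:
            return NAK               # damaged header
        if crc16_xmodem(data) != int.from_bytes(frame[-2:], "big"):
            return NAK               # check failed: ask for retransmission
        if self.expected > 1 and seq == (self.expected - 1) & 0xFF:
            return ACK               # duplicate of a stored block (our ACK was lost)
        if seq != self.expected & 0xFF:
            return NAK               # out of sequence; this sketch only denies it
        self.data += data
        self.expected += 1
        return ACK


def transfer(payload: bytes, noisy_blocks=(), max_tries=10):
    """Run a sender against the receiver in memory; return (data, reply log)."""
    rx = Receiver()
    log = [(0, chr(rx.negotiate()))]
    for seq, offset in enumerate(range(0, len(payload), BLOCK), start=1):
        packet = build_packet(seq, payload[offset:offset + BLOCK])
        for attempt in range(max_tries):
            wire = bytearray(packet)
            if seq in noisy_blocks and attempt == 0:
                wire[10] ^= 0x01     # constructed line noise: one flipped bit
            reply = rx.on_frame(bytes(wire))
            log.append((seq, "ACK" if reply == ACK else "NAK"))
            if reply == ACK:
                break
        else:
            raise IOError(f"block {seq} failed after {max_tries} tries")
    rx.on_frame(bytes([EOT]))
    return bytes(rx.data), log


if __name__ == "__main__":
    received, replies = transfer(bytes(range(200)), noisy_blocks={2})
    print(replies)
    print(len(received), "bytes received")
```

The CRC only detects transmission errors. XModem provides no authentication or encryption, so the integrity of a transferred file depends on control of the serial line and of the sending PC.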

Do as follows on the router:


Procedure

• Run:

  xmodem get { filename | devicename }

  XModem is used to get the file.

NOTE

• Before getting the file, confirm the path and the name of the file that are to be sent.

• For the filename, an absolute path name is required.

• If the filename is similar to an existing one, the system sends a prompt asking you whether to overwrite the file or not.

----End

6.6 Configuration Examples

This section provides examples for performing file operations by accessing the system and using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

6.6.1 Example for Performing File Operations by Means of the File System

This section describes how to perform file operations by means of the file system. In this example, you can log in to the router to view and copy directories.

Networking Requirements

You can log in to the router through the Console interface, AUX interface, Telnet, or STelnet to perform file operations on the router.

The file path in the storage device must be correct. If the user does not specify a target file name, the source file name is the name of the target file by default.

Configuration Roadmap

The configuration roadmap is as follows:

1. Check the files under a certain directory.

2. Copy a file to this directory.

3. Check this directory and view that the file is copied successfully to the specified directory.

Data Preparation

To complete the configuration, you need the following data:

• Source file name and target file name

• Source file path and target file path


Procedure

Step 1 Display the file information in the current directory. cfcard:/ is the flash memory identifier.

<HUAWEI> dir cfcard:/
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-          64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw-         418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw-       38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw-        2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw-        7041  Aug 02 2007  11:02:00  license.txt
    5  -rw-   117013076  Jul 13 2007  10:40:44  V600R003C00SPC300.cc

500192 KB total (347760 KB free)

Step 2 Copy files from hda1:/sample.txt to flash:/sample.txt

<HUAWEI> copy hda1:/sample.txt flash:/sample1.txt
Copy hda1:/sample.txt to flash:/sample1.txt?[Y/N]:y
100% complete
Info:Copied file hda1:/sample.txt to flash:/sample1.txt...Done

Copy files from cfcard2:/sample.txt to cfcard:/sample.txt

<HUAWEI> copy cfcard2:/sample.txt cfcard:/sample1.txt
Copy cfcard2:/sample.txt to cfcard:/sample1.txt?[Y/N]:y
100% complete
Info:Copied file cfcard2:/sample.txt to cfcard:/sample1.txt...Done

Step 3 Display the file information about the current directory, and you can view that the file is copied to the specified directory.

<HUAWEI> dir cfcard:/
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-          64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw-         418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw-       38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw-        2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw-        7041  Aug 02 2007  11:02:00  license.txt
    5  -rw-   117013076  Jul 13 2007  10:40:44  V600R003C00SPC300.cc
    6  -rw-        1605  Nov 18 2007  05:30:11  sample1.txt

500192 KB total (346155 KB free)

----End

6.6.2 Example for Performing File Operations by Means of FTP

This section provides an example for operating files by means of FTP. In this example, a PC connected to a router logs in to the FTP server by entering the correct user name and password through FTP, and then downloads files to the memory of the FTP client.

Networking Requirements

As shown in Figure 6-1, after the FTP server is enabled on the router, you can log in to the FTP server from the HyperTerminal to upload or download files.


Figure 6-1 Networking for performing file operations by using FTP

[Figure: a PC connected through the network to the FTP server; FTP server interface GE1/0/1, 10.137.217.221/16]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the IP address of the FTP server.
2. Enable the FTP server.
3. Configure the authentication information, authorization mode, and directories to be accessed for an FTP user.
4. Log in to the FTP server by using the correct user name and password.
5. Upload files to or download files from the FTP server.

Data Preparation

To complete the configuration, you need the following data:

• IP address of the FTP server, that is, 10.137.217.221
• Timeout period for the FTP connection, that is, 30 minutes
• FTP username as huawei and password as huawei on the server
• The destination file name and its position in the FTP client

Procedure

Step 1 Configure the IP address of the FTP server.

[server] interface gigabitethernet1/0/1
[server-GigabitEthernet1/0/1] undo shutdown
[server-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet1/0/1] quit

Step 2 Enable the FTP server.

<HUAWEI> system-view
[HUAWEI] sysname server
[server] ftp server enable
[server] ftp timeout 30

Step 3 Configure the authentication information, authorization mode, and authorized directories for an FTP user on the FTP server.

[server] aaa
[server-aaa] local-user huawei password simple huawei
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory cfcard:
[server-aaa] quit

Step 4 Run the FTP commands at the Windows command line prompt, and enter the correct user name and password to set up an FTP connection with the FTP server.


Figure 6-2 Logging in to the FTP Server

Step 5 Upload and download files, as shown in the following figure.

Figure 6-3 Performing file operations by means of FTP

NOTE

You can run the dir command before downloading a file or after uploading a file to view the detailed information of the file.

----End


Configuration Files

• Configuration file of the FTP server.

#
sysname Server
#
 FTP server enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
aaa
 local-user huawei password simple Huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
return

6.6.3 Example for Performing File Operations by Means of SFTP

This section provides an example for operating files by using SFTP. In this example, a local key pair is configured on the SSH server, and a user name and a password are configured on the server for an SSH user. After SFTP services are enabled on the server and the SFTP client is connected to the server, you can operate files between the client and the server.

Networking Requirements

As shown in Figure 6-4, after SFTP services are enabled on the router functioning as an SSH server, you can log in to the server in password, RSA, password-rsa, or all authentication mode from a PC on the SFTP client.

Configure a user to log in to the SSH server in password authentication mode.

Figure 6-4 Networking diagram for operating files by using SFTP

[Figure: a PC connected through the network to the SSH server; SSH server interface GE1/0/1, 10.137.217.225/16]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a local key pair on the SSH server to securely exchange data between the SFTP client and the SSH server.

2. Configure VTY user interfaces on the SSH server.


3. Configure an SSH user, including user authentication mode, user name, password, and authorization directory.

4. Enable SFTP services on the SSH server and configure a user service type.

Data Preparation

To complete the configuration, you need the following data:

• SSH user authentication mode: password, user name: client001, password: huawei
• User level of client001: 3
• IP address of the SSH server: 10.137.217.225

Procedure

Step 1 Configure a local key pair on the SSH server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
 It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure VTY user interfaces on the SSH server.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

Step 3 Configure the SSH user name and password on the SSH server.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable SFTP and configure the user service type to be SFTP.

[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password

Step 5 Configure the authorization directory for the SSH user.

[SSH Server] ssh user client001 service-type sftp

Step 6 Verify the configurations.


Figure 6-5 Accessing Interface

----End

Configuration Files

• Configuration file of the SSH server

#
 sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 level 3
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.225 255.255.255.0
#
 sftp server enable
 ssh user client001 authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

6.6.4 Example for Performing File Operations by Means of Xmodem

In this example, you run the HyperTerminal on a PC and then log in to a router to download files through the AUX port.

Networking Requirements

The router is connected to the PC through the AUX port. Log in to the router through the AUX port to receive files from the AUX port and save the received files to the cfcard.


Configuration Roadmap

The configuration roadmap is as follows:

1. Run the HyperTerminal on the PC and log in to the router.
2. Use the xmodem get command to download files on the router, and specify the file path on the HyperTerminal.

Data Preparation

To complete the configuration, you need the following data:

• Files that are copied to the PC
• The path of the file in the PC

Procedure

Step 1 Log in to the router through the AUX port.

Refer to Chapter 2 "Logging in to the Devices Through the AUX Port" in the NE80E/40E Configuration Guide - Basic Configuration.

Step 2 Use the XModem protocol to receive the file from the AUX port.

The received file is saved on the cfcard memory of the router and the file name is paf.txt.

<HUAWEI> xmodem get cfcard:/paf.txt
**** WARNING ****
xmodem is a slow transfer protocol limited to the current speed
settings of the auxiliary ports.
During the course of the download no exec input/output will be
available!
---- ******* ----
Proceed?[Y/N]y
Destination filename [cfcard:/ paf.txt]?
Before press ENTER you must choose 'YES' or 'NO'[Y/N]:y
Download with XMODEM protocol....

Step 3 Specify the file to be sent on the HyperTerminal.

Figure 6-6 Specifying the file to be sent

After the configuration, press Send to send the file.


Step 4 The system prompts that the file is sent successfully. Then, you can view the directory named cfcard.

<HUAWEI>
Download successful!
<HUAWEI> dir
Directory of cfcard:/
  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-    10014764  Jun 20 2005  15:00:28  ne20-vrp5.10-c01b070.bin
    1  -rw-       98776  Jul 27 2005  09:36:12  matnlog.dat
    2  -rw-          28  Jul 27 2005  09:34:39  private-data.txt
    3  -rw-         480  May 10 2003  11:25:18  vrpcfg.zip
    4  -rw-    10103172  Jul 22 2005  16:40:37  ne20-vrp5.10-c01db90.bin
    5  -rw-        1515  Jul 19 2005  17:39:55  vrpcfg.cfg
    6  -rw-        3844  Jul 14 2004  11:51:45  exception.dat
    7  -rw-     8628372  Jun 01 2005  10:14:34  ne20-vrp330-0521.01.bin
    8  -rw-          45  Jul 27 2005  10:51:26  paf.txt

----End


7 Configuring System Startup

About This Chapter

When the router starts, system software is started and configuration files are loaded. To ensure smooth running of the router, you need to efficiently manage system software and configuration files.

7.1 System Startup Overview
When the router starts, system software is started and configuration files are loaded.

7.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the router.

7.3 Specifying a File for System Startup
You can specify a file for system startup by specifying the system software and configuration file for the next startup of the router.

7.4 Configuration Examples
This section provides an example for configuring system startup. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.


7.1 System Startup Overview

When the router starts, system software is started and configuration files are loaded.

7.1.1 System Software

System software is the operating system of the router, and is the basis for the router to run properly and provide various services.

The extension name of the system software file is .cc. The file must be saved in the root directory of the storage device.

7.1.2 Configuration Files

The configuration file contains the configuration items that are loaded when the router is restarted this time or next time.

The configuration file is a text file in the following formats:

• It is saved in the command format.
• To save space, default parameters are not saved.
• Commands are organized on the basis of the command view. All commands of the identical command view are grouped into a section. Every two command sections are separated by one or several blank lines or comment lines (beginning with "#").
• The sequence of command sections is global configuration, physical interface configuration, logic interface configuration, routing protocol configuration and so on.
• The filename extension of the configuration file must be .cfg or .zip, and the file must be stored in the root directory of a storage device.

NOTE

• The system can run the command with the maximum length of 512 characters, including the command in an incomplete form.

• If the configuration is in the incomplete form, the command is saved in complete form. Therefore, the command length in the configuration file may exceed 512 characters. When the system restarts, these commands cannot be restored.
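The file layout described above is simple to parse when a saved configuration is reviewed offline. The following Python sketch is an added example, not Huawei code: it splits a configuration file into command sections at blank lines and "#" lines, then reports commands longer than 512 characters together with two settings from the FTP example earlier in this guide. Treating password simple as a plain-text password is VRP knowledge rather than something this page states, and the function names are assumptions of this example.

```python
import re

MAX_COMMAND_LEN = 512   # longest command the system can run, per the NOTE above

# Constructed sample in the layout described above, based on the FTP server
# configuration file shown in section 6.6.2.
SAMPLE_CONFIG = """\
#
sysname Server
#
 FTP server enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
aaa
 local-user huawei password simple Huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
#
return
"""

SIMPLE_PASSWORD = re.compile(r"(\bpassword simple )\S+")


def split_sections(text):
    """Group commands into sections; blank lines and '#' lines separate them."""
    sections, current = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            if current:
                sections.append(current)
                current = []
        else:
            current.append(stripped)
    if current:
        sections.append(current)
    return sections


def audit(text):
    """Return (section head, issue, command with any password masked)."""
    findings = []
    for section in split_sections(text):
        head = section[0]            # first command of the section names the view
        for command in section:
            shown = SIMPLE_PASSWORD.sub(r"\1******", command)
            if shown != command:
                findings.append((head, "password stored in plain text", shown))
            if command.lower() == "ftp server enable":
                findings.append((head, "FTP carries credentials and files unencrypted", shown))
            if len(command) > MAX_COMMAND_LEN:
                findings.append((head, "command exceeds 512 characters and cannot be "
                                       "restored at restart", shown[:40] + "..."))
    return findings


if __name__ == "__main__":
    for head, issue, command in audit(SAMPLE_CONFIG):
        print(f"[{head}] {issue}: {command}")
```

The password value is masked in the report so that the review output does not become a second copy of the secret.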

7.1.3 Configuration Files and Current Configurations

During the running of the router, configuration files and current configurations are differently defined.

The concepts of configuration files and current configurations are as follows:


| Concept | | Identifying Method |
| --- | --- | --- |
| Configuration Files | Initial configurations: On powering on, the router retrieves the configuration files from a default save path to initialize itself. If configuration files do not exist in the default save path, the router uses the default parameters. | Run the display startup command to view the configuration files for the current and next startup operations on the router. Run the display saved-configuration command to view the configuration file for the next startup operation on the router. |
| Current Configurations | Current configurations: indicates the effective configurations of the currently running router. | Run the display current-configuration command to view the current configurations on the router. |

Users can modify the current configurations of the router through the command line interface. Use the save command to save the current configuration to the configuration file of the default storage devices, and the current configuration becomes the initial configuration of the router when the router is powered on next time.

7.2 Managing Configuration Files

You can manage the configuration files for the current and next startup operations on the router.

7.2.1 Establishing the Configuration Task

Before managing configuration files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

You can manage configuration files by saving, clearing, and comparing configuration files. To upgrade the router, take preventive measures, repair configuration files, and view configurations after the router starts, you need to manage configuration files.

Pre-configuration Tasks

Before managing configuration files, complete the following task:

• Installing the router and starting it properly

Data Preparation

To manage configuration files, you need the following data.


| No. | Data |
| --- | --- |
| 1 | Configuration file and its name |
| 2 | Interval for saving configuration files and delay interval |
| 3 | The number of the start line from which the comparison of the configuration files begins |

7.2.2 Saving Configuration Files

The configurations completed by using command lines are valid for only the current operation on the router. To allow the configurations to be valid for the next startup operation, you need to save the current configurations to configuration files before restarting the router.

Context

The system can save the configuration files periodically or in real time to prevent data loss when the router is powered off or accidentally restarted.

Run one of the following commands to save configuration files.

Procedure

• Run:

  CAUTION
  When the automatic saving function is enabled and the LPU is not properly installed, corresponding configurations may be lost.

  1. system-view

     The system view is displayed.

  2. set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *

     The configuration file is saved at intervals.

     After the parameter interval interval is specified, the device saves the configuration file at specified intervals regardless of whether the configuration file is changed.

     – If the set save-configuration command is not run, the system does not automatically save configurations.
     – If the set save-configuration command without specified interval is run, the system automatically saves configurations at 30-minute intervals.

     When you configure the automatic saving function, to prevent that function from affecting system performance, you can set the upper limit of the CPU usage for the system during automatic saving. When automatic saving is triggered by the expiry of the timer, the CPU usage is checked. If the CPU usage is higher than the set upper limit, automatic saving will be canceled.


     After delay delay-interval is specified, if the configuration is changed, the device automatically saves the configuration after the specified delay.

     After automatic saving of configurations is configured, the system automatically saves the changed configurations to the configuration file for the next startup and configuration files are changed accordingly with the saved configurations.

     Before configuring the automatic saving of configuration files to a server, you need to run the set save-configuration backup-to-server server server-ip [ transport-type { ftp | sftp } ] user user-name password password [ path folder ] or set save-configuration backup-to-server server server-ip transport-type tftp [ path folder ] command to configure the server, including the IP address, user name, password of the server, destination path, and mode of transporting the configuration file to the server.

     NOTE
     If TFTP is used, run the tftp client-source command to configure a loopback interface address as a client source IP address on the router, improving security.

• Run:

  save [ all ] [ configuration-file ]

  The current configurations are saved.

  The filename extension of the configuration file must be .cfg or .zip. The system startup configuration file must be saved in the root directory of a storage device.

  The user can modify the current configuration through the command line interface. To set the current configuration as initial configuration when the router starts next time, you can use the save command to save the current configuration in the cfcard memory.

  You can use the save all command to save all the current configurations, including the configurations of the boards that are not inserted, to the default directory.

NOTE

When saving the configuration file for the first time, if you do not specify the optional parameter configuration-file, the router asks you whether to save the file as "vrpcfg.zip" or not. "vrpcfg.zip" is the default configuration file and initially contains no configuration.

----End

7.2.3 Clearing a Configuration File

You can clear the configuration file that has been loaded to a device, or clear the inactive configurations of the boards that are not installed in slots.

Context

The configuration file stored in cfcard memory needs to be cleared in the following cases:

• The system software does not match the configuration file after the router has been upgraded.

• The configuration file is destroyed or an incorrect configuration file has been loaded.

Do as follows to clear the contents of a configuration file:


Procedure

• Clear the currently loaded configuration file.

  Run the reset saved-configuration command to clear the currently loaded configuration file.

  – If the configuration file of the router used for the current startup is the same as that used for the next startup, running the reset saved-configuration command will clear both the configuration files. The router will use the default configuration file for the next startup.

  – If the configuration file of the router used for the current startup is different from that used at the next startup, running the reset saved-configuration command will clear the configuration file used for the current startup.

  – If the configuration file of the router used for the current startup is empty, the system will prompt you that the configuration file does not exist after you run the reset saved-configuration command.

  CAUTION
  • After the contents of a configuration file are cleared, the empty configuration file with the original file name is left.
  • If you do not run the startup saved-configuration configuration-file command to specify a new correct configuration file, or do not run the save command to save the configuration file after the configuration file is cleared, the router will use the default configuration file at the next startup.
  • Exercise caution when running this command. If necessary, do it under the guidance of Huawei technical support personnel.

• Clear the inactive configurations of the boards that are not installed in slots.

  1. Run the system-view command to enter the system view.
  2. Run the clear inactive-configuration slot command to clear the inactive configurations of the boards that are not installed in slots.

----End

7.2.4 Comparing Configuration Files

You can determine whether the current configuration file is the same as the one for the next startup operation or a specified one on the router by comparing them.

Context

You can determine whether to specify the current configuration file as the one for the next startup operation by comparing the current configuration file with the one for the next startup operation.

Procedure

• Run:

  compare configuration [ configuration-file ] [ current-line-number save-line-number ]

  The current configuration is compared with the configuration file for next startup.

  – If configuration-file is configured, the system checks whether the current configuration file is the same as the specified configuration file.

  – If no parameter is set, the comparison begins with the first lines of configuration files. current-line-number and save-line-number are used to continue the comparison by ignoring the differences between the configuration files.

  When comparing differences between the configuration files, the system displays the contents of the current configuration file and saved configuration file from the first different line. By default, 150 characters are displayed for each configuration file. If the number of characters from the first different line to the end is less than 150, the contents after the first different line are all displayed.

  NOTE

  In comparing the current configurations with the configuration file for next startup, if the configuration file for next startup is unavailable or its contents are null, the system prompts that reading files fails.

----End
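The same comparison can be run offline on two exported configuration texts to spot changes that were never saved or never reviewed. The following Python sketch is an added example, not part of the Huawei guide: it mirrors the first-different-line display with a 150-character excerpt and the resume-by-line-number behaviour described above. The sample configurations are constructed, and the function names and the resynchronisation heuristic are assumptions.

```python
# Constructed sample configurations for illustration; not taken from a device.
CURRENT = """\
sysname HUAWEI
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
ftp server enable
return"""

SAVED = """\
sysname HUAWEI
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
return"""


def first_difference(current, saved, current_line=1, saved_line=1, width=150):
    """Compare line by line, starting at the given 1-based line numbers.

    Returns None when the rest of both texts is identical, otherwise
    (current_line_no, saved_line_no, current_excerpt, saved_excerpt). Each
    excerpt starts at the first differing line and is cut at `width`
    characters, like the 150-character display described in the guide.
    """
    cur, sav = current.splitlines(), saved.splitlines()
    i, j = current_line - 1, saved_line - 1
    while i < len(cur) and j < len(sav) and cur[i] == sav[j]:
        i += 1
        j += 1
    if i >= len(cur) and j >= len(sav):
        return None
    return (i + 1, j + 1, "\n".join(cur[i:])[:width], "\n".join(sav[j:])[:width])


def resync(cur, sav, i, j, window=20):
    """Assumed heuristic: nearest later pair of 0-based indexes whose lines agree."""
    for dist in range(1, 2 * window + 1):
        for di in range(dist + 1):
            dj = dist - di
            if i + di < len(cur) and j + dj < len(sav) and cur[i + di] == sav[j + dj]:
                return i + di, j + dj
    return len(cur), len(sav)  # no agreement found: treat the rest as one difference


def all_differences(current, saved, width=150):
    """Walk every difference, resuming after each one as an operator would
    by supplying current-line-number and save-line-number."""
    cur, sav = current.splitlines(), saved.splitlines()
    found, cur_no, sav_no = [], 1, 1
    while True:
        diff = first_difference(current, saved, cur_no, sav_no, width)
        if diff is None:
            return found
        found.append(diff)
        i, j = resync(cur, sav, diff[0] - 1, diff[1] - 1)
        cur_no, sav_no = i + 1, j + 1


if __name__ == "__main__":
    for cur_no, sav_no, cur_txt, sav_txt in all_differences(CURRENT, SAVED):
        print(f"current line {cur_no}:\n{cur_txt}\n--- saved line {sav_no}:\n{sav_txt}")
```

In the constructed sample the running configuration accepts all inbound protocols on the VTY lines and enables the FTP server, while the saved file allows SSH only, which is the kind of drift worth reconciling before the next save or restart.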

7.2.5 Checking the Configuration

After managing configuration files, you can view the current configuration files and files in the storage device.

Prerequisite

The configuration of Managing Configuration Files is complete.

Procedure

• Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display current-configuration [ all | inactive ] command to check current configurations.

• Run the display startup command to check files for startup.

• Run the dir [ /all ] [ filename ] command to check files saved in the storage device.

• Run the display saved-configuration configuration command to view configurations of the autosave function, including the status of the autosave function, time for autosave check, threshold for the CPU usage, and period during which configurations are unchanged (when the period expires, configurations are automatically saved).

• Run the display changed-configuration time command to check the time of the last configuration change.

----End

Example

Run the display startup command to check files for startup.

<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

7.3 Specifying a File for System Startup

You can specify a file for system startup by specifying the system software and configuration file for the next startup of the router.

7.3.1 Establishing the Configuration Task

Before specifying a file for system startup, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

To enable the router to provide user-defined configurations during the next startup, you need to correctly specify the system software and configuration file for the next startup.

Pre-configuration Tasks

Before specifying a file for the system startup, complete the following task:

• Installing the router and powering it on properly

Data Preparation

To specify a file for system startup, you need the following data.

No. Data

1 System software and its file name on the NE80E/40E

2 Configuration file and its file name on the NE80E/40E

7.3.2 Configuring System Software for a router to Load for the Next Startup

To upgrade the system software of a router, you can specify the NE80E/40E system software to be loaded for the next startup.

Context

If no system software is specified for the next startup operation of the router, the system software loaded this time will be started during the next startup operation. To change system software for the next startup operation, you need to specify the required one.

The filename extension of the system software must be .cc, and the file must be stored in the root directory of a storage device.

Procedure

Step 1 Run:

  startup system-software system-file [ slave-board ]

  The NE80E/40E system software for the router to load next time when it starts is configured.

  You can specify the system-file and use the system software for the next startup that is saved on the device.

  slave-board is valid only on the router with dual main control boards.

----End

7.3.3 Configuring the Configuration File for Router to Load for the Next Startup

Before restarting a router, you can specify the configuration files that are loaded for the next startup.

Context

You can run the display startup command on the router to check whether the configuration file to be loaded during the next startup operation is specified. If no configuration file is specified, the default configuration file is loaded during the next startup operation.

The filename extension of the configuration file must be .cfg or .zip, and the file must be stored in the root directory of a storage device.

When the router turns on, it initializes by reading the configuration file from the cfcard memory by default. Thus, the configuration in this configuration file is called initial configuration. If no configuration file is saved in the cfcard, the router initializes with default parameters.

Procedure

• Run:

  startup saved-configuration configuration-file

  The configuration file for the router to load at the next startup is configured.

----End

7.3.4 Checking the Configuration

After specifying a file for system startup, you can check the contents of the configuration file to be loaded and the information about the file to be used during the next startup on the router.

Prerequisite

The file has been specified for system startup.

Procedure

• Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to check current configurations.

• Run the display saved-configuration [ last | time | configuration ] command to check the contents of the configuration file to be loaded during the next startup.

• Run the display startup command to check information about the files to be used during the next startup.

• Run the display current-configuration slave command to check the configuration of the slave board.

----End

Example

Run the display startup command to check information about the files to be used during the next startup.

<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

7.4 Configuration Examples

This section provides an example for configuring system startup. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

7.4.1 Example for Configuring System Startup

This section provides an example for configuring system startup. In this example, the configuration file is saved and the system software and configuration file to be loaded during the next startup are specified so that the router can start in a required manner.

Networking Requirements

The router is installed with double main control boards. After the router is configured, new configurations take effect after the system restarts.

Configuration Roadmap

The configuration roadmap is as follows:

1. Save the current configuration.
2. Specify the configuration file to be loaded during the next startup of the router.
3. Specify the system software to be loaded during the next startup of the router.

Data Preparation

To complete the configuration, you need the following data:

• Name of the configuration file
• File name of the system software

Procedure

Step 1 Check the configuration file and system software that are used during the current startup.

<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

Step 2 Save the current configuration to the specified file.

<HUAWEI> save vrpcfg.cfg

The system prompts you whether to save the current configuration to the file named vrpcfg.cfg on the master and slave main control boards. After entering y at the prompt, you save the configuration successfully.

Step 3 Specify the configuration file to be loaded during the next startup of the router.

<HUAWEI> startup saved-configuration vrpcfg.cfg

Step 4 Specify the system software to be loaded during the next startup of the router.

Specify the system software to be loaded during the next startup of the master main control board.

<HUAWEI> startup system-software V600R003C00SPC300.cc

Specify the system software to be loaded during the next startup of the slave main control board.

<HUAWEI> startup system-software V600R003C00SPC300.cc slave-board

NOTE

• The slave main control board automatically synchronizes with the master main control board after the configuration file to be loaded during the next startup is specified for the master main control board.

• Ensure that the system software to be loaded during the next startup of the router is saved on the master and slave main control boards of the router. Configure the system software to be loaded during the next startup of the master and slave main control boards respectively.

Step 5 Verify the configuration.

After the configuration is complete, run the following command to check the configuration file and system software to be loaded during the next startup of the router.

<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

----End

Configuration Files

None.
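Because the files named under "Next startup" decide what the router runs after a restart, a captured display startup output is worth checking against change records. The following Python check is an added example, not part of the Huawei guide: it reports when the next-startup system software or configuration file differs from the one in use and applies the extension and root-directory rules stated in this chapter. The sample reuses the values printed in Step 5; its column layout and all function names are assumptions.

```python
import re

# Constructed sample: values as printed in Step 5 of the example above;
# the exact column layout is assumed.
SAMPLE_AFTER_CHANGE = """\
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
"""

SECTION = re.compile(r"^\s*(?P<name>\w+):\s*$")            # e.g. "MainBoard:"
FIELD = re.compile(r"^\s*(?P<label>[^:]+):\s+(?P<value>\S.*?)\s*$")

# Extension rules stated in this chapter of the guide.
ALLOWED_EXT = {
    "system software": (".cc",),
    "saved-configuration file": (".cfg", ".zip"),
}


def parse_startup(text):
    """Return {board: {label: value}} from 'display startup' output."""
    boards, current = {}, None
    for line in text.splitlines():
        sec = SECTION.match(line)
        if sec:
            current = boards.setdefault(sec.group("name"), {})
            continue
        fld = FIELD.match(line)
        if fld and current is not None:
            current[fld.group("label").strip()] = fld.group("value")
    return boards


def check_path(kind, path):
    """Apply the guide's rules: allowed extension, file in the device root."""
    device, sep, name = path.partition(":/")
    if not sep:
        return [f"{kind}: '{path}' is not a device:/file path"]
    problems = []
    if "/" in name:
        problems.append(f"{kind}: '{path}' is not in the root directory")
    if not name.lower().endswith(ALLOWED_EXT[kind]):
        problems.append(f"{kind}: '{path}' has an unexpected extension")
    return problems


def audit_startup(text):
    """List pending startup changes and rule violations, one string each."""
    findings = []
    for board, fields in parse_startup(text).items():
        for kind in ALLOWED_EXT:
            now = fields.get(f"Startup {kind}")
            nxt = fields.get(f"Next startup {kind}")
            if now is None or nxt is None:
                findings.append(f"{board}: {kind} fields missing")
                continue
            if now != nxt:
                findings.append(
                    f"{board}: {kind} changes at next startup: {now} -> {nxt}")
            findings.extend(f"{board}: {p}" for p in check_path(kind, nxt))
    return findings


if __name__ == "__main__":
    for finding in audit_startup(SAMPLE_AFTER_CHANGE):
        print(finding)
```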

8 Accessing Another Device

About This Chapter

To manage configurations or operate files of another device, you can access the device by using Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.

8.1 Accessing Another Device
This section describes how to access another device on the network by using Telnet, FTP, TFTP, or SSH.

8.2 Logging in to Other Devices by Using Telnet
On the network, a large number of routers need to be managed and maintained. Not all routers, however, can be connected to terminal PCs. In addition, there are no reachable routes between some routers and terminal PCs. To manage and maintain routers remotely, you can log in to them by using Telnet from a device that you have logged in to.

8.3 Connecting to Another Device by Using the Telnet Redirection Function
If the client is not connected to the remote device on an IP network, you can manage the device by using the Telnet redirection function on the router.

8.4 Logging in to Another Device by Using STelnet
STelnet ensures secure Telnet services. You can log in to another router from the router that you have logged in to by using STelnet, and thus manage the device remotely.

8.5 Accessing Files on Another Device by Using TFTP
You can configure the router as a TFTP client, and log in to the TFTP server to upload and download files.

8.6 Accessing Files on Another Device by Using FTP
This section describes how to configure the router as an FTP client to log in to the FTP server, and to upload files to or download files from the server.

8.7 Accessing Files on Another Device by Using SFTP
SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server authenticates the client and encrypts data in both directions to provide secure data transmission.

8.8 Configuration Examples
This section describes examples for accessing another device. The examples explain networking requirements, configuration notes, and configuration roadmap.

8.1 Accessing Another Device

This section describes how to access another device on the network by using Telnet, FTP, TFTP, or SSH.

Figure 8-1 Networking diagram for accessing another device from the router
[Figure: PC, Network, Client, Network, Server]

As shown in Figure 8-1, when you run the terminal emulation program or Telnet program on a PC to connect to the router successfully, the router can still function as a client to access another device on the network by using one or more of the following methods.

8.1.1 Telnet Method

To configure and manage a remote device on the network, you can use the router that you have logged in to as a client to log in to the device, or use the redirection terminal service on the router to log in to the device.

Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and a virtual terminal service through the network.

The NE80E/40E provides the following Telnet services:

• Telnet server: You can run the Telnet client program on a PC to log in to the router, configure and manage it. The router acts as a Telnet server.

• Telnet client: You can run the terminal emulation program or the Telnet client program on a PC to connect with the router. With the telnet command, you can log in to other routers to configure and manage them. As shown in Figure 8-2, Router A serves as both the Telnet server and the Telnet client.

  Figure 8-2 Telnet client services
  [Figure: PC, RouterA, RouterB; Telnet Session 1, Telnet Session 2; Telnet Server]

• Redirection terminal services: You can run the Telnet client program on a PC to log in to the router through a specified port number. Then connect with the serial interface devices that are connected with the asynchronous interface of the router, as shown in Figure 8-3. The typical application is to connect the asynchronous interface of the router with multiple devices for their remote configuration and maintenance.

  Figure 8-3 Telnet redirection services
  [Figure: PC, Ethernet, Router with interfaces Async0 to Async3, and the devices Router1, Router2, Modem, Switch]

NOTE

Only the devices that provide the asynchronous interface support the Telnet redirection service.

• Interruption of Telnet services

  In a Telnet connection, you can use two types of shortcut keys to interrupt the connection. As shown in Figure 8-4, Router A logs in to Router B through Telnet, and Router B logs in to Router C through Telnet. Thus, a cascade network is formed. In this case, Router A is the client of Router B and Router B is the client of Router C. Figure 8-4 illustrates the usage of the two types of shortcut keys.

  Figure 8-4 Usage of Telnet shortcut keys
  [Figure: RouterA, RouterB, RouterC; Telnet Session 1, Telnet Session 2; Telnet Client, Telnet Server]

  <Ctrl_]>: The server interrupts the connection.

  If the network connection is normal, when you press Ctrl_], the Telnet server interrupts the current Telnet connection actively. For example:

  <RouterC>
  Press <Ctrl_]> to return to the prompt of Router B.
  Info: The max number of VTY users is 10, and the current number
        of VTY users on line is 1.
  Info: The connection was closed by the remote host.
  <RouterB>
  Press <Ctrl_]> to return to the prompt of Router A.
  Info: The max number of VTY users is 10, and the current number
        of VTY users on line is 1.
  Info: The connection was closed by the remote host.
  <RouterA>

  NOTE

  If the network disconnects, the shortcut keys become invalid. The instruction cannot be sent to the server.

  <Ctrl_T>: The client interrupts the connection.

  When the server fails and the client is unaware of the failure, the server does not respond to the input of the client. In this case, if you press Ctrl_T, the Telnet client interrupts the connection actively and quits the Telnet connection. For example:

  <RouterC>
  Press <Ctrl_T> to directly interrupt the connection and quit Telnet connection.
  <RouterA>

  CAUTION

  When the number of remote login users reaches the maximum number of VTY user interfaces, the system prompts that all user interfaces are in use and you cannot use Telnet to log in.

8.1.2 FTP Method

To access files on a remote FTP server, you can establish a connection between the router that you have logged in to and the remote FTP server by using FTP.

FTP can transmit files between hosts, and provide users with common FTP commands to simply manage file system. To be specific, through the FTP client program outside the router, users can upload or download the files and access the directories on the router; through the FTP client program inside the router, users can transfer files to the FTP servers of other devices.

FTP can transmit files between local and remote hosts, and is widely used for version upgrade, log downloading, file transmission, and configuration saving.

8.1.3 TFTP Method

On the network, if a client communicates with a server in a comparatively simple interaction environment, you can enable TFTP services on the router that functions as a client to access files on the TFTP server.

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.

Compared with FTP, TFTP does not have a complex interactive access interface and authentication control. TFTP is applicable in an environment where there is no complex interaction between the client and the server. For example, TFTP is used to obtain the memory image of the system when the system starts up.

TFTP is implemented based on the User Datagram Protocol (UDP).

The client initiates the TFTP transfer. To download files, the client sends a read request packet to the TFTP server, receives packets from the server, and sends acknowledgement to the server. To upload files, the client sends a write request packet to the TFTP server, sends packets to the server, and receives acknowledgement from the server.

TFTP transfers the files in two formats:

• The binary format: transfers program files.
• The ASCII format: transfers text files.

At present, the NE80E/40E serves only as the TFTP client and transfers files in the binary format.
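The read-request, data and acknowledgement exchange described above is shown here as an added Python example, not part of the Huawei guide. Packet layouts and opcodes follow RFC 1350, and "octet" is the RFC's name for the binary format. The request carries only a file name and a transfer mode, so there is no field for credentials and the payload travels unencrypted, which is what the missing authentication control means in practice. The function names are assumptions and the transfer is simulated in memory.

```python
import struct

# Opcodes and block size as defined in RFC 1350.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
NAMES = {RRQ: "RRQ", WRQ: "WRQ", DATA: "DATA", ACK: "ACK", ERROR: "ERROR"}
BLOCK_SIZE = 512


def request(opcode, filename, mode="octet"):
    """Build a read or write request: opcode, filename, NUL, mode, NUL."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("request() builds RRQ or WRQ only")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def data(block, payload):
    """Build a DATA packet carrying at most one 512-byte block."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds one block")
    return struct.pack("!HH", DATA, block) + payload


def ack(block):
    """Build the acknowledgement for one block number."""
    return struct.pack("!HH", ACK, block)


def parse(packet):
    """Decode one TFTP packet into a dict; raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        parts = packet[2:].split(b"\0")
        if len(parts) < 3 or not parts[0]:
            raise ValueError("malformed request")
        return {"op": NAMES[opcode], "filename": parts[0].decode("ascii"),
                "mode": parts[1].decode("ascii").lower()}
    (second,) = struct.unpack("!H", packet[2:4])
    if opcode == DATA:
        return {"op": "DATA", "block": second, "payload": packet[4:]}
    if opcode == ACK:
        return {"op": "ACK", "block": second}
    if opcode == ERROR:
        text = packet[4:].rstrip(b"\0").decode("ascii", "replace")
        return {"op": "ERROR", "code": second, "message": text}
    raise ValueError(f"unknown opcode {opcode}")


def serve_file(content):
    """Server side: yield DATA packets. A block shorter than 512 bytes
    (possibly empty) tells the client that the transfer is complete."""
    block = 1
    for offset in range(0, len(content) + 1, BLOCK_SIZE):
        yield data(block, content[offset:offset + BLOCK_SIZE])
        block += 1


def download(filename, content):
    """Simulate a client download; return (received bytes, transcript)."""
    transcript = [("client->server", parse(request(RRQ, filename)))]
    received = b""
    for packet in serve_file(content):
        msg = parse(packet)
        transcript.append(("server->client", msg))
        received += msg["payload"]
        transcript.append(("client->server", parse(ack(msg["block"]))))
        if len(msg["payload"]) < BLOCK_SIZE:
            break
    return received, transcript


if __name__ == "__main__":
    _, log = download("vrpcfg.zip", bytes(1100))  # constructed 1100-byte file
    for direction, msg in log:
        size = len(msg.get("payload", b""))
        print(direction, msg["op"], msg.get("block", ""), size or "")
```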

8.1.4 SSH Method

To securely access another device on the network, you can log in to it by using SSH (including STelnet and SFTP) from the router that you have logged in to.

SSH Overview

When users on an insecure network log in to the router through Telnet, the Secure Shell (SSH) feature ensures information security and authentication. It protects the router from attacks such as IP address spoofing and interception of plain text passwords.

The SSH client function allows users to establish SSH connections with a router serving as an SSH server or with UNIX hosts.

SSH Client Function

The NE80E/40E supports the STelnet client function and the SFTP client function.

• STelnet client

  The Telnet protocol does not provide secure authentication. The TCP transmits data in plain text. This leads to security problems. The system also faces serious threats from DoS (Denial of Service) attacks, host IP address spoofing, and routing spoofing. Telnet services are prone to network attacks.

  SSH implements secure remote access on insecure networks and it has the following advantages compared with Telnet:

  – SSH supports Remote Subscriber Access (RSA) authentication. In RSA authentication, SSH generates and exchanges public and private keys compliant with asymmetric encipherment system to ensure the session security.
  – SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.
  – The user name and the password are both encrypted in the communication between the SSH client and the SSH server. This prevents password interception.
  – SSH encrypts the transmitted data.

  When the STelnet server or the connection to the client is faulty, the client must detect the fault in time and release the connection voluntarily. To implement this, when logging in to the server through STelnet, the client must be configured with the interval for sending the keepalive packet and the number of times for no reply restriction on the server if no packet is received by the client. If a client does not receive any packet within the specified period, the client sends a keepalive packet to the server. If the number of times of no reply restriction exceeds the specified number, the client releases the connection voluntarily.

• SFTP client

  SFTP is short for Secure FTP. You can log in to a device from the secure remote end to manage files. This improves the security of data transmission when the remote system is updated. Meanwhile, the client function enables you to log in to the remote device through SFTP for secure file transmission.

  When the SFTP server or the connection between it and the client is faulty, the client must detect the fault in time and release the connection voluntarily. To implement this, when logging in to the server through SFTP, the client must be configured with the period of sending the keepalive packet and the number of times for no reply restriction on the server if no packet is received by the client. If a client does not receive any packet within the specified period, the client sends a keepalive packet to the server. If the number of times of no reply restriction exceeds the specified number, the client takes the initiative to release the connection.

8.2 Logging in to Other Devices by Using Telnet

On the network, a large number of routers need to be managed and maintained. Not all routers, however, can be connected to terminal PCs. In addition, there are no reachable routes between some routers and terminal PCs. To manage and maintain routers remotely, you can log in to them by using Telnet from a device that you have logged in to.

8.2.1 Establishing the Configuration Task

Before establishing the configuration task of logging in to another router from the router that you have logged in to, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Figure 8-5 Networking diagram for accessing another device from the router that you have logged in to
[Figure: PC, Network, RouterA, Network, RouterB]

As shown in Figure 8-5, you can log in to Router A from a PC by using Telnet, but cannot manage Router B remotely. This is because there is no reachable route between the PC and Router B. To manage Router B remotely, you can log in to it from Router A by using Telnet.

In this situation, Router A functions as a Telnet client, and Router B that you attempt to log in to functions as a server.

Pre-configuration Tasks

Before logging in to another device on the network by using Telnet, complete the following tasks:

• Ensuring that the router that you attempt to log in to works properly, and enabling Telnet services on the device

• Ensuring that there is a reachable route between the router that you have logged in to and the router that you attempt to log in to

Data Preparation

To log in to another device by using Telnet, you need the following data:

No. Data

1 IP address or host name of RouterB

2 Number of the TCP port used by the RouterB to provide Telnet services

8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client

You can configure a source IP address for a Telnet client. Then, you can set up a Telnet connection from the Telnet client to the server through a specific route by using this source IP address.

Context

An IP address is configured for an interface on the router and functions as the source IP address of a Telnet connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a router that functions as a Telnet client.

Procedure

Step 1 Run:

  system-view

  The system view is displayed.

Step 2 Run:

  telnet client-source { -a source-ip-address | -i interface-type interface-number }

  A source IP address of a Telnet client is configured.

  After the configuration, the source IP address of the Telnet client displayed on the Telnet server must be the same as the configured one.

----End

8.2.3 Logging in to Another Device by Using Telnet

You can log in to another router and manage it by using Telnet.

Context

Telnet provides an interactive CLI for users to log in to a remote server. Users can log in to a host, and then remotely log in to another host by using Telnet to configure and manage the remote host. In this manner, not every host needs to be connected to a hardware terminal.

Do as follows on the router that serves as a Telnet client:

Procedure

• Select and perform one of the following two steps for IPv4 or IPv6.

  – Run:

    telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] host-name [ port-number ]

    Log in to the router and manage other routers.

  – Run:

    telnet ipv6 [ -a source-ip-address ] [ vpn-instance vpn-instance-name ] host-name [ -i interface-type interface-number ] [ port-number ]

    Log in to the router and manage other routers.

----End

8.2.4 Checking the Configuration

When you log in to another router successfully from the router that you have logged in to, you can check information about the established TCP connection.

Prerequisite

All configurations for logging in to another device are complete.

Procedure

• Run the display tcp status command to check the status of all TCP connections.

----End

ExampleRun the display tcp status command to view the status of TCP connections. The Establishedstatus indicates that a TCP connection has been established.

<HUAWEI> display tcp statusTCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 Listening34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0 Established


8.3 Connecting to Another Device by Using the Telnet Redirection Function

If the client is not connected to the remote device on an IP network, you can manage the device by using the Telnet redirection function on the router.

8.3.1 Establishing the Configuration Task

Before establishing the configuration task of redirecting the client login to another device, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If a remote device needs to be managed and maintained but is not connected with the terminal PC on the IP network, such as a new device on the network, you can log in to the remote device from a router by using the Telnet redirection function.

The remote device can be a device that supports serial interfaces, such as a router, a switch, or a modem.

Figure 8-6 Schematic diagram of redirecting the client login to another device by using Telnet

[Figure labels: PC, Network, RouterA, RouterB, Aux, Console, Session]

As shown in Figure 8-6, remote Router B is not connected with the client over the IP network. If Router B needs to be managed remotely, you can use the Telnet redirection function of Router A. That is, connect the asynchronous serial interface of Router A to the serial interface of Router B. This allows you to run the Telnet client program on the PC to log in to Router B by using a specified interface, and thus to manage and maintain the device remotely.

Router B in the diagram above has been configured with serial interfaces. Router A is directly connected with Router B.

Pre-configuration Tasks

Before redirecting the client to another device by using Telnet, complete the following tasks:

• Configuring a reachable route between the client and Router A

• Powering on the remote device


• Ensuring that the router is directly connected with the remote device by a configuration cable

Data Preparation

To log in to another device by using the Telnet redirection function, you need the following data:

No. Data

1 IP address of Router A

8.3.2 Enabling the Telnet Redirection Function

After the redirection function is enabled on the router that functions as a Telnet client, you can log in to a remote device from a specified interface of the client to manage and maintain the remote device.

Context

The Telnet redirection function is supported by the products whose AUX ports or TTY interfaces can be configured with this function.

Perform the following steps on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface aux 0

The AUX0 user interface is displayed.

Step 3 Run:
undo shell

Terminal services are disabled on the AUX0 user interface.

Step 4 Run:
redirect

The Telnet redirection function is enabled on the AUX0 user interface.

NOTE

• After the Telnet redirection function is enabled, the interface number used for redirection will be assigned. AUX0 is numbered as 33, and the interface number is therefore 2033.

• You can log in to the remote device that needs to be managed and maintained from the Telnet client by using the specified interface.

----End


8.3.3 Connecting Another Device by Using the Telnet Redirection Function

You can log in to a device to be managed from the router functioning as a Telnet client by using the Telnet redirection function.

Context

Users attempt to log in to another device by using a specified interface of the client.

Perform the following step on the client:

Procedure

• Run:
telnet host-name port-number

Logging in to the remote device succeeds.

The host-name parameter specifies the IP address or host name of the router that has enabled the redirection function.

----End

8.3.4 Checking the Configuration

After logging in to another device remotely by using Telnet, you can check status information about the current TCP connection.

Prerequisite

The configurations for logging in to another device by using the Telnet redirection function are complete.

Context

• Run the display tcp status command to check status information about the established TCP connection.

Example

Run the display tcp status command to view status information about the established TCP connection.

<HUAWEI> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
348d3c50 6  /1    0.0.0.0:21            0.0.0.0:0             23553  Listening
3b558554 128/1    0.0.0.0:23            0.0.0.0:0             23553  Listening
31cf1978 128/4    0.0.0.0:2033          0.0.0.0:0             23553  Listening
31cf1bb0 128/6    0.0.0.0:4033          0.0.0.0:0             23553  Listening
11a22ad8 128/3    10.137.217.225:23     10.138.77.38:3670     0      Established
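One way to review this output from the management-plane side, added here as an example that is not part of the Huawei guide: the script parses the display tcp status table, including a Tid/Soid column printed with an embedded space, and lists the Telnet and FTP listeners and the redirection port 2033 named in 8.3.2. The function names and finding labels are assumptions; port 4033 is reported as unclassified because the guide does not explain it.

```python
import re

# Constructed sample: the rows of the display tcp status output shown above.
SAMPLE = """\
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
348d3c50 6  /1    0.0.0.0:21            0.0.0.0:0             23553  Listening
3b558554 128/1    0.0.0.0:23            0.0.0.0:0             23553  Listening
31cf1978 128/4    0.0.0.0:2033          0.0.0.0:0             23553  Listening
31cf1bb0 128/6    0.0.0.0:4033          0.0.0.0:0             23553  Listening
11a22ad8 128/3    10.137.217.225:23     10.138.77.38:3670     0      Established
"""

# Tid/Soid appears both as "128/1" and as "36 /1509", so spaces are
# allowed before the slash. The header line does not match and is skipped.
ROW = re.compile(
    r"^(?P<tcpcb>[0-9a-fA-F]{8})\s+(?P<tid>\d+)\s*/(?P<soid>\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+"
    r"(?P<vpnid>\d+)\s+(?P<state>\w+)\s*$"
)

# Well-known ports of the cleartext services that appear in the sample.
CLEARTEXT = {21: "ftp", 23: "telnet"}


def parse_tcp_status(text):
    """Return one dict per connection row; unparseable lines are ignored."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        row = match.groupdict()
        for key in ("tid", "soid", "lport", "fport", "vpnid"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def audit(rows, redirect_ports=frozenset({2033})):
    """List listeners and sessions that expose cleartext management access.

    redirect_ports defaults to 2033, the AUX0 redirection port from 8.3.2.
    """
    findings = []
    for row in rows:
        port, state = row["lport"], row["state"]
        if state == "Listening" and port:
            if port in redirect_ports:
                kind = "telnet-redirect"  # serial access to the attached device
            else:
                kind = CLEARTEXT.get(port, "unclassified")
            findings.append({"kind": kind, "port": port, "peer": None})
        elif state == "Established" and port in CLEARTEXT:
            findings.append(
                {"kind": CLEARTEXT[port] + "-session", "port": port,
                 "peer": row["faddr"]}
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_tcp_status(SAMPLE)):
        print(finding)
```
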


8.4 Logging in to Another Device by Using STelnet

STelnet ensures secure Telnet services. You can log in to another router from the router that you have logged in to by using STelnet, and thus manage the device remotely.

8.4.1 Establishing the Configuration Task

Before establishing the configuration task of logging in to another device by using STelnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted by using TCP in plain text mode.

STelnet is short for SSH Telnet, a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services as Telnet services.

In this configuration, the Router that you have logged in to functions as a Telnet client, and the Router that you attempt to log in to functions as an SSH server.

Pre-configuration Tasks

Before logging in to another device by using STelnet, complete the following tasks:

• Configuring a reachable route between the client and SSH server

Data Preparation

To log in to another device by using STelnet, you need the following data:

No. Data

1 Name of the SSH server, Public key that is assigned by the client to the SSH server

2 IPv4 or IPv6 address or host name of the SSH server, Number of the port monitored by the SSH server, Preferred encrypted algorithm from the SFTP client to the SSH server, Preferred encrypted algorithm from the SSH server to the SFTP client, Preferred HMAC algorithm from the SFTP client to the SSH server, Preferred HMAC algorithm from the SSH server to the SFTP client, Preferred algorithm of key exchange, User information for logging in to the SSH server

8.4.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)

After the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time.


Context

If the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication at the next login.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh client first-time enable

The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.

NOTE

• The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH server.

• If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA public key in advance to the SSH server on the SSH client in addition to enabling the first-time authentication on the SSH client.

----End

8.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)

To configure the first successful login to another device on the SSH client, you need to allocate an RSA public key to the SSH server before the login.

Context

If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server. So you need to allocate an RSA public key to the SSH server before the STelnet client logs in to the SSH server.

Do as follows on the router that serves as an SSH client:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key editing view is displayed.

Step 4 Run:
hex-data

The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.

NOTE

Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the STelnet client can successfully undergo the validity check on the RSA public key of the SSH server.

Step 5 Run:
public-key-code end

Quit the public key editing view.

• If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.

• If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:
peer-public-key end

Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign rsa-key keyname

The RSA public key is assigned to the SSH server.

NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.

----End
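A simplified model of the two first-login options described in 8.4.2 and 8.4.3, added here as an illustration; it is not Huawei code and does not reproduce the VRP implementation. The class, the byte strings standing in for RSA public keys and the outcome strings are assumptions made for the example. It shows that first-time authentication saves whatever key is presented at the first login without verifying it, while a key assigned in advance is checked from the first login onward.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Stable identifier for a server public key."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class SshClientModel:
    # Models "ssh client first-time enable" (disabled by default, as on the page).
    first_time_enable: bool = False
    # Server name -> fingerprint of the key assigned to that server.
    assigned: dict = field(default_factory=dict)

    def assign_rsa_key(self, server: str, public_key: bytes) -> None:
        """Models "ssh client servername assign rsa-key keyname"."""
        self.assigned[server] = fingerprint(public_key)

    def undo_assign(self, server: str) -> None:
        """Models "undo ssh client servername assign rsa-key"."""
        self.assigned.pop(server, None)

    def check_server_key(self, server: str, presented: bytes) -> str:
        seen = fingerprint(presented)
        known = self.assigned.get(server)
        if known is None:
            if not self.first_time_enable:
                return "reject: no key assigned"
            # First login with first-time authentication: there is nothing to
            # compare against, so the presented key is saved unverified.
            self.assigned[server] = seen
            return "accept: unverified, key saved"
        if hmac.compare_digest(known, seen):
            return "accept: key matches"
        return "reject: key mismatch"


# Constructed stand-ins for RSA public keys (not real key material).
GENUINE_KEY = b"constructed-public-key-of-the-real-server"
OTHER_KEY = b"constructed-public-key-of-some-other-endpoint"
ROTATED_KEY = b"constructed-public-key-after-rotation"
SERVER = "10.164.39.223"  # server address taken from the guide's sample output


def run_scenarios() -> dict:
    results = {}

    # 1. First-time authentication enabled: the first key seen is the one saved.
    tofu = SshClientModel(first_time_enable=True)
    results["tofu_first_login_other_endpoint"] = tofu.check_server_key(SERVER, OTHER_KEY)
    results["tofu_later_login_real_server"] = tofu.check_server_key(SERVER, GENUINE_KEY)

    # 2. Default settings and no assigned key: the first login fails.
    default = SshClientModel()
    results["default_first_login"] = default.check_server_key(SERVER, GENUINE_KEY)

    # 3. Key obtained from the server beforehand and assigned before login.
    pinned = SshClientModel()
    pinned.assign_rsa_key(SERVER, GENUINE_KEY)
    results["pinned_other_endpoint"] = pinned.check_server_key(SERVER, OTHER_KEY)
    results["pinned_real_server"] = pinned.check_server_key(SERVER, GENUINE_KEY)

    # 4. Stored key no longer valid: cancel the association, assign the new key.
    results["rotated_before_reassign"] = pinned.check_server_key(SERVER, ROTATED_KEY)
    pinned.undo_assign(SERVER)
    pinned.assign_rsa_key(SERVER, ROTATED_KEY)
    results["rotated_after_reassign"] = pinned.check_server_key(SERVER, ROTATED_KEY)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```
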


8.4.4 Logging in to Another Device by Using STelnet

You can log in to the SSH server from the SSH client by using STelnet.

Context

When accessing an SSH server, the STelnet client can carry the source address and the VPN instance name and choose the key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure the keepalive function.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, select and run one of the following two commands.

• For IPv4 addresses,

Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. You can log in to the SSH server through STelnet.

• For IPv6 addresses,

Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. You can log in to the SSH server through STelnet.

----End

8.4.5 Checking the Configuration

After the configuration task of logging in to another device by using STelnet is established, you can check the mappings between all SSH servers of the STelnet client and the RSA public keys on the client, the global configurations of the SSH servers, and the sessions between the SSH servers and the STelnet client.

Prerequisite

The configurations for logging in to another device by using STelnet are complete.


Procedure

• Run the display ssh server-info command to check the mappings between all SSH servers of the SSH client and the RSA public keys on the client.

----End

Example

Run the display ssh server-info command to view the mappings between all servers of the SSH client and the RSA public keys on the SSH client.

<HUAWEI> display ssh server-info
Server Name(IP)                 Server public key name
________________________________________________________________________
1000::1                         1000::1
10.164.39.223                   10.164.39.223
11.11.11.23                     11.11.11.23
10.164.39.204                   10.164.39.204
10.164.39.222                   10.164.39.222

8.5 Accessing Files on Another Device by Using TFTP

You can configure the router as a TFTP client, and log in to the TFTP server to upload and download files.

8.5.1 Establishing the Configuration Task

Before accessing another device by using TFTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

You can transfer files through TFTP between the server and the client in a simple interaction environment.

The current Router functions as a TFTP client, and the Router to be accessed functions as a TFTP server.

Pre-configuration Tasks

Before accessing another device by using TFTP, complete the following tasks:

• Configuring a reachable route between the client and TFTP server

Data Preparation

To access another device by using TFTP, you need the following data.

No. Data

1 (Optional) Source address or source interface of the router that functions as a TFTP client

2 IP address or host name of the TFTP server

3 Name of the specific file in the TFTP server and the file directory

8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client

You can configure a source IP address for a TFTP client. Then, you can set up a TFTP connection from the TFTP client to the server through a specific route by using this source IP address.

Context

An IP address is configured for an interface on the router and functions as the source IP address of a TFTP connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a router that functions as a TFTP client.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP server must be the same as the configured one.

----End

8.5.3 (Optional) Configuring TFTP Access Authority

This section describes how to use an ACL rule to specify the TFTP servers that can be accessed by using TFTP from the router that you have logged in to.

Context

An Access Control List (ACL) is a set of sequential rules. These rules are described based on the source address, destination address, and port number of a packet. Routers use the ACL rules to filter packets. With the rule applied to the interface on a router, the router permits or denies the packets.

Each ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL, and advanced ACL based on the functions of ACL rules.

NOTE

TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).


Do as follows on the router that serves as the TFTP client:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL rule is configured.

Step 4 Run:
quit

The system view is displayed.

Step 5 Run:
tftp-server acl acl-number

The ACL can be used to limit the access to the TFTP server.

----End

8.5.4 Downloading Files by Using TFTP

You can download files from the TFTP server to the TFTP client.

Do as follows on the router that serves as the TFTP client:

Procedure

• Run the following commands according to the type of the server IP address.

– If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]
The router is configured to download files through TFTP.

– If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] get source-filename [ destination-filename ]
The router is configured to download files through TFTP.

----End

8.5.5 Uploading Files by Using TFTP

You can upload files from the TFTP client to the TFTP server.

Do as follows on the router that serves as the TFTP client:


Procedure

• Run the following commands according to the type of the server IP address.

– If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]

The router is configured to upload files through TFTP.

– If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] put source-filename [ destination-filename ]

The router is configured to upload files through TFTP.

----End

8.5.6 Checking the Configuration

When a device is configured to be a TFTP client, you can check the source address of the client and the configured ACL rule.

Prerequisite

Configurations of using the device as a TFTP client are complete.

Procedure

• Run the display tftp-client command to check the device address that is set to the source address of the TFTP client.

• Run the display acl { name acl-name | acl-number | all } command to check the ACL rule that is configured on the TFTP client.

----End

Example

Run the display tftp-client command to view the source address of the TFTP client.

<HUAWEI> display tftp-client
The source address of TFTP client is 1.1.1.1.

Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is configured on the TFTP client.

<HUAWEI> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
 rule 5 permit
 rule 10 permit source 1.1.1.1 0
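A check that can be run on the rules shown by display acl before relying on tftp-server acl from 8.5.3, added here as an example that is not part of the Huawei guide. It evaluates basic ACL rules with wildcard masks and reports rules that can never match because an earlier rule already covers them, as rule 5 does to rule 10 in the output above. Assumptions: rules are evaluated in ascending rule-id order with the first match deciding, a rule without a source matches any address, the source field is compared with the TFTP server address, and the restricted ACL in the second sample is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

ANY = 0xFFFFFFFF  # wildcard mask in which every bit is "don't care"

RULE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?P<src>\S+)(?:\s+(?P<wild>\S+))?)?\s*$"
)

# Rule lines from the display acl 2001 output on this page.
PAGE_ACL = """\
 rule 5 permit
 rule 10 permit source 1.1.1.1 0
"""

# Constructed alternative: permit one server, deny every other address.
RESTRICTED_ACL = """\
 rule 5 permit source 1.1.1.1 0
 rule 10 deny
"""


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str
    addr: int
    wild: int  # 1-bits are ignored when comparing addresses

    def matches(self, ip: str) -> bool:
        target = int(ipaddress.IPv4Address(ip))
        return ((target ^ self.addr) & ~self.wild & ANY) == 0


def _wildcard(text: str) -> int:
    # "0" is shorthand for 0.0.0.0 (exact host); dotted masks are also accepted.
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        src, wild = m.group("src"), m.group("wild")
        if src is None or src == "any":
            addr, mask = 0, ANY
        else:
            addr = int(ipaddress.IPv4Address(src))
            mask = _wildcard(wild) if wild else 0
        rules.append(Rule(int(m.group("id")), m.group("action"), addr, mask))
    return sorted(rules, key=lambda r: r.rule_id)  # assumed evaluation order


def match(rules: list, ip: str):
    """Return the first rule that matches ip, or None if no rule matches."""
    return next((r for r in rules if r.matches(ip)), None)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every address matched by later is also matched by earlier."""
    same_fixed_bits = ((earlier.addr ^ later.addr) & ~earlier.wild & ANY) == 0
    return (earlier.wild | later.wild) == earlier.wild and same_fixed_bits


def shadowed(rules: list) -> list:
    """Pairs (rule_id, covering_rule_id) for rules that can never be reached."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                pairs.append((later.rule_id, earlier.rule_id))
                break
    return pairs


if __name__ == "__main__":
    for name, text in (("page", PAGE_ACL), ("restricted", RESTRICTED_ACL)):
        acl = parse_acl(text)
        print(name, "2.2.2.2 ->", match(acl, "2.2.2.2"), "shadowed:", shadowed(acl))
```
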

8.6 Accessing Files on Another Device by Using FTP

This section describes how to configure the router as an FTP client to log in to the FTP server, and to upload files to or download files from the server.


8.6.1 Establishing the Configuration Task

Before establishing the configuration task of accessing files on another device by using FTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Before transmitting files between a client and a remote FTP server, or managing directories of the server, you can configure the router that you have logged in to as an FTP client. Then, you can access the FTP server by using FTP for file transmission or directory management.

Pre-configuration Tasks

Before establishing the configuration task of accessing files on another device by using FTP, complete the following tasks:

• Configuring a reachable route between the router and the FTP server

Data Preparation

To establish the configuration task of accessing files on another device by using FTP, you need the following data:

No. Data

1 (Optional) Source IP address or source interface of the router functioning as an FTP client

2 Host name or IP address of the FTP server, port number of connecting FTP, login username and password

3 Local file name and file name on the remote FTP server, working directory name of the remote FTP server, local working directory of the FTP client, or directory name of the remote FTP server

8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client

This section describes how to configure the source IP address and interface of FTP client to establish the connection with FTP server.

Prerequisite

An IP address is configured for an interface on the router and functions as the source IP address of an FTP connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

The interface configuration is possible only if the system has a loopback interface.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp client-source { -a ip-address }

The source IP address of the FTP client is configured.

or

ftp client-source { -i interface-type interface-number }

The loopback address of the FTP client is configured.

NOTE

Then, run the display ftp-client command on the router to view the current configuration of the FTP client.

----End

8.6.3 Connecting to Other Devices by Using FTP Commands

You can run FTP commands to log in to other devices from the router that functions as the FTP client.

Context

You can log in to the FTP server in the user view or the FTP view.

Do as follows on the router that serves as the client:

Procedure

Step 1 Run the following commands according to the type of the server IP address.

• If the IP address of the server is an IPv4 address, do as follows:

– In the user view, establish a connection to the FTP server.
Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]

The router is connected to the FTP server.

– In the FTP view, establish a connection to the FTP server.

1. In the user view, run:
ftp

The FTP view is displayed.

2. Run:
open [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ vpn-instance vpn-instance-name ]

The router is connected to the FTP server.


NOTE

Before logging in to the FTP server, you can run the set net-manager vpn-instance command to configure a default VPN instance. After that, the default VPN instance is used in the FTP operation.

• If the IP address of the server is an IPv6 address, do as follows:

– In the user view, establish a connection to the FTP server.

Run:
ftp ipv6 host [ port-number ]

The router is connected to the FTP server.

– In the FTP view, establish a connection to the FTP server.

1. In the user view, run:
ftp

The FTP view is displayed.

2. Run:
open ipv6 host-ipv6-address [ port-number ]

The router is connected to the FTP server.

----End

8.6.4 Operating Files by Using FTP Commands

After logging in to an FTP server, you can operate files by using FTP commands. File operations include configuring a file transmission method, checking online help about FTP commands, uploading or downloading files, and managing directories and files.

Context

After logging in to the FTP server, you can perform the following operations:

• Configure a data type for transmission files and a file transmission method.

• Check the online help about FTP commands in the FTP client view.

• Upload local files to the remote FTP server, or download files from the FTP server and save them locally.

• Create directories on or delete directories from the FTP server.

• Display information about a specified remote directory or a file of the FTP server, or delete a specified file from the FTP server.

After logging in to the router that functions as a client and entering the FTP client view, you can perform the following steps:

Procedure

• Configuring data type and transmission mode for the file.

– Run:
ascii | binary

The data type of the file to be transmitted is set to ASCII or binary mode.


NOTE

FTP supports the ASCII type and the binary type. Their differences are as follows:

• In ASCII transmission mode, ASCII characters are used to separate carriage returns from line feeds.

• In binary transmission mode, characters can be transferred without format conversion or formatting.

The selection of the FTP transmission mode is client-customized. The system defaults to the ASCII transmission mode. The client can use a mode switch command to switch between the ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.

– Run:
passive
The passive file transfer mode is configured.

– Run:
verbose
The verbose mode for FTP is enabled.
When verbose is enabled, all FTP responses are displayed. After file transmission, the statistics about transmission efficiency will be displayed.

• Viewing online help of the FTP command.
remotehelp [ command ]

The online help of the FTP command is displayed.

• Upload or download files.

– Upload or download a file.

  – Run:
  put local-filename [ remote-filename ]
  The local file is uploaded to the remote FTP server.

  – Run:
  get remote-filename [ local-filename ]
  The FTP file is downloaded from the FTP server and saved to the local file.

– Upload or download multiple files.

  – Run the mput local-filenames command to upload multiple local files synchronously to the remote FTP server.

  – Run the mget remote-filenames command to download multiple files from the FTP server and save them locally.

NOTE

• When you are uploading or downloading files, and the prompt command is run in the FTP client view to enable the file transmission prompt function, the system will prompt you to confirm the uploading or downloading operation.

• If the prompt command is run again in the FTP client view, the file transmission prompt function will be disabled.

• Run one or more commands in the following order to manage directories.

– Run:
cd pathname
The working path of the remote FTP server is specified.

– Run:


cdup

The working path of the FTP server is switched to the upper-level directory.

– Run:
pwd

The specified directory of the FTP server is displayed.

– Run:
lcd [ local-directory ]

The directory of the FTP client is displayed or changed.

– Run:
mkdir remote-directory

A directory is created on the FTP server.

– Run:
rmdir remote-directory

A directory is removed from the FTP server.

NOTE

• The directory to be created can comprise letters and digits, but not special characters such as <, >, ?, \ and :.

• When running the mkdir /abc command, you create a sub-directory named "abc".

• Run one or more of the following commands to manage files.

– Run:
ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

– Run:
dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

– Run:
delete remote-filename

The specified file on the FTP server is deleted.

If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

When local-filename is set, related information about the file can be downloaded locally.

----End

8.6.5 Changing Login Users

After logging in to an FTP server, you can change the username on the client and re-log in to the server with the new username.


Context

From the NE80E/40E (an FTP client) that you have logged in to, you can log in to the FTP server by using another username without logging out of the FTP client view. The established FTP connection is identical to that established by running the ftp command.

Perform the following steps on the router that functions as a client:

Procedure

• Run:
  user user-name [ password ]
  The user that has logged in to the FTP server is changed, and the new user logs in to the server.
  When the username that is used to log in to the FTP server is changed, the original connection between the user and the FTP server is interrupted.

----End

8.6.6 Disconnecting from the FTP Server

You can terminate the connection with the FTP server and return to the user view or FTP view.

Context

You can select different commands to terminate the connection with the FTP server in the FTP client view.

Do as follows on the router that serves as the client.

Procedure

• Run the following commands according to different configurations.

– Run:
  bye
  Or,
  quit
  The client router is disconnected from the FTP server. Return to the user view.

– Run:
  close
  Or,
  disconnect
  The client router is disconnected from the FTP server. Return to the FTP view.

----End

8.6.7 Checking the Configuration

After the configurations of accessing other devices by using FTP are complete, you can view the source parameters configured on the FTP client.


Prerequisite

The configurations of accessing other devices by using FTP are complete.

Procedure

• Run the display ftp-client command to view the source parameters of the FTP client.

----End

Example

Run the display ftp-client command to view the source parameters of the FTP client.

<HUAWEI> display ftp-client
The source address of FTP client is 1.1.1.1.

8.7 Accessing Files on Another Device by Using SFTP

SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server authenticates the client and encrypts data in both directions to provide secure data transmission.

8.7.1 Establishing the Configuration Task

Before establishing the configuration task of accessing files on another device by using SFTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

SFTP is short for SSH FTP, a secure FTP protocol that is based on SSH. It ensures that users can log in to a remote device securely for file management and transmission, and enhances the security of data transmission. In addition, you can log in to a remote SSH server from the router that functions as an SFTP client.

Pre-configuration Tasks

Before establishing the configuration task of accessing files on another device by using SFTP, complete the following tasks:

• Configuring a reachable route between the client and SSH server

Data Preparation

To access files on another device by using SFTP, you need the following data:

No.  Data
1    (Optional) Source address of the device that functions as the SFTP client
2    (Optional) Name of the SSH server
3    (Optional) Public key that is assigned by the client to the SSH server
4    IPv4 or IPv6 address or host name of the SSH server
5    Number of the port monitored by the SSH server, Preferred encrypted algorithm from the SFTP client to the SSH server, Preferred encrypted algorithm from the SSH server to the SFTP client, Preferred HMAC algorithm from the SFTP client to the SSH server, Preferred HMAC algorithm from the SSH server to the SFTP client, Preferred algorithm of key exchange, Name of the outgoing interface, Source address. The user information for logging in to the SSH server
6    Name and directory of a specified file on the SSH server

8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client

You can configure a source IP address for an SFTP client. Then, you can set up an SFTP connection from the SFTP client to the server through a specific route by using this source IP address.

Context

An IP address is configured for an interface on the router and functions as the source IP address of an FTP connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a router that functions as an SFTP client.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for an SFTP client.

----End

8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)

After the first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA public key when logging in to the SSH server for the first time.

Context

If the first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication at the next login.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssh client first-time enable
The first-time authentication on the SSH client is enabled.
By default, the first-time authentication on the SSH client is disabled.

NOTE

• The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH server.

• If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA public key in advance to the SSH server on the SSH client in addition to enabling the first-time authentication on the SSH client.

----End

8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)

To configure the first successful login to another device on the SSH client, you need to allocate an RSA public key to the SSH server before the login.

Context

If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to the SSH server for the first time, the SFTP client fails to pass the check on the RSA public key validity and cannot log in to the server.

Do as follows on the router functioning as an SSH client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name
The public key view is displayed.

Step 3 Run:
public-key-code begin
The public key editing view is displayed.

Step 4 Run:
hex-data
The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.

NOTE

Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the STelnet client can successfully undergo the validity check on the RSA public key of the SSH server.

Step 5 Run:
public-key-code end
Quit the public key editing view.

• If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.

• If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:
peer-public-key end
Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign rsa-key keyname
The RSA public key is assigned to the SSH server.

NOTE

If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.

----End
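The hex-data entered in the public key editing view is an ASN.1 SEQUENCE of two INTEGERs (modulus, then exponent), so it can be parsed and compared with the key obtained from the server over a trusted channel before it is assigned. The following Python check is an added example, not part of the Huawei guide; it uses the client002_Host key printed in section 8.8.4 of this guide as sample input, and its function names are chosen for this example.

```python
import base64
import hashlib
import re
import struct

# Sample input: "Key code" and OpenSSH line of the client002_Host key shown
# in section 8.8.4 of this guide.
KEY_CODE_HEX = """
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001
"""
OPENSSH_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8"
    "j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _read_len(buf, pos):
    """Read an ASN.1 length (short form, or long form up to 2 bytes)."""
    if pos >= len(buf):
        raise ValueError("truncated data")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 2 or pos + count > len(buf):
        raise ValueError("unsupported length encoding")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def _read_uint(buf, pos):
    """Read an INTEGER as unsigned: the sample omits the leading 0x00 byte."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, pos = _read_len(buf, pos + 1)
    if length == 0 or pos + length > len(buf):
        raise ValueError("truncated INTEGER")
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length


def parse_key_code(hex_text):
    """Parse pasted hex-data into (modulus, exponent); raise ValueError if invalid."""
    compact = re.sub(r"\s+", "", hex_text)
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", compact):
        raise ValueError("hex-data must be pairs of hexadecimal digits")
    der = bytes.fromhex(compact)
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag 0x30")
    seq_len, pos = _read_len(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match the data (truncated paste?)")
    modulus, pos = _read_uint(der, pos)
    exponent, pos = _read_uint(der, pos)
    if pos != len(der):
        raise ValueError("unexpected data after the exponent")
    return modulus, exponent


def _mpint(value):
    """SSH mpint: big-endian, with a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def openssh_blob(modulus, exponent):
    """Build the ssh-rsa public key blob: name, exponent, modulus."""
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + _mpint(exponent) + _mpint(modulus)


def check_peer_key(hex_text, openssh_line):
    """Compare pasted hex-data with a reference OpenSSH public key line."""
    modulus, exponent = parse_key_code(hex_text)
    blob = openssh_blob(modulus, exponent)
    fields = openssh_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    reference = base64.b64decode(fields[1], validate=True)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"bits": modulus.bit_length(), "exponent": exponent,
            "match": blob == reference, "fingerprint": "SHA256:" + digest}


if __name__ == "__main__":
    print(check_peer_key(KEY_CODE_HEX, OPENSSH_LINE))
```

The fingerprint is in the same SHA256 form that OpenSSH tools print, so it can be read back to the administrator of the peer device for comparison.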

8.7.5 Connecting to Other Devices by Using SFTP

You can log in to the SSH server from the SSH client through SFTP.

Context

The command of enabling the SFTP client is similar to that of the STelnet. When accessing the SSH server, the SFTP can carry the source address and the name of the VPN instance and choose the key exchange algorithm, encrypted algorithm and HMAC algorithm, and configure the keepalive function.

Do as follows on the router that serves as an SSH client.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.

• For IPv4 addresses,

Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

• For IPv6 addresses,

Run:
sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

----End

8.7.6 Operating Files by Using SFTP Commands

You can manage directories and files on the SSH server from the SFTP client, and check the command help on the SFTP client.

Context

After logging in to the SSH server from the SFTP client, you can perform the following operations on the SFTP client:

• Create or delete a directory on the SSH server, and display the current working directory, the specified directory and information about the file in the specified directory.

• Change a file name, delete a file, display a file list, and upload or download a file.

• Display the SFTP client command help.

After logging in to the router that functions as an SSH client and entering the SFTP client view,you can perform the following steps:


Procedure

• Managing the directory

Perform the following as required:

– Run:
  cd [ remote-directory ]
  The current operating directory of users is changed.

– Run:
  cdup
  The operating directory of users is switched to the upper-level directory.

– Run:
  pwd
  The current operating directory of users is displayed.

– Run:
  dir / ls [ remote-directory ]
  The file list in the specified directory is displayed.

– Run:
  rmdir remote-directory & <1-10>
  The directory on the server is deleted.

– Run:
  mkdir remote-directory
  A directory is created on the server.

• Managing the file

Perform the following as required:

– Run:
  rename old-name new-name
  The name of the specified file on the server is changed.

– Run:
  get remote-filename [ local-filename ]
  The file on the remote server is downloaded.

– Run:
  put local-filename [ remote-filename ]
  The local file is uploaded to the remote server.

– Run:
  remove remote-filename
  The file on the server is removed.

• Displaying the SFTP client command help

  help [ all | command-name ]
  The SFTP client command help is displayed.

----End


8.7.7 Checking the Configuration

After logging in to another device by using SFTP, you can view the source address of the SSH client, the mappings between all SSH servers and the RSA public keys on the client, the global configurations of the SSH servers, and the sessions between the SSH servers and the client.

Prerequisite

The configuration of accessing files on another device by using SFTP is complete.

Procedure

• Run the display sftp-client command to check the source IP address of the SFTP client on the SSH client.

• Run the display ssh server-info command to check the mapping between the SSH server and the RSA public key on the SSH client.

----End

Example

Run the display sftp-client command on the client to view the source parameters of the device functioning as an SFTP client.

<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1

Run the display ssh server-info command to view the mappings between all servers and the RSA public keys on the SSH client.

<HUAWEI> display ssh server-info
Server Name(IP)                 Server public key name
________________________________________________________________________
1000::1                         1000::1
10.164.39.223                   10.164.39.223
11.11.11.23                     11.11.11.23
10.164.39.204                   10.164.39.204
10.164.39.222                   10.164.39.222

8.8 Configuration Examples

This section provides examples for accessing another device. The examples explain networking requirements, configuration notes, and configuration roadmap.

8.8.1 Example for Logging in to Another Device by Using Telnet

This section provides an example for logging in to another device by using Telnet. In this example, the authentication mode and password are configured for users to log in through Telnet.

Networking Requirements

As shown in Figure 8-7, users can telnet Router A but cannot telnet Router B. The route between Router A and Router B is reachable. In this case, users can telnet Router B from Router A to remotely configure and manage Router B.


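Figure 8-7 Networking diagram for logging in to another device by using Telnet

[Figure: PC, RouterA and RouterB connected across two networks, with one session from the PC to RouterA and one from RouterA to RouterB. Interface labels: GE1/0/1 2.1.1.1/24 and GE1/0/1 1.1.1.1/24.]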

Configuration Roadmap

The configuration roadmap is as follows:

1. On Router B, configure the authentication mode and password for users on Router A to log in to Router B.

2. Configure a Telnet server port number on Router B to ensure that users log in through this port only.

Data Preparation

To complete the configuration, you need the following data:

• Host address of Router B is 2.1.1.1
• Password hello for users' login
• Telnet server port number is 1028

Procedure

Step 1 Configure the authentication mode and password for Telnet services on Router B.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
[RouterB-ui-vty0-4] set authentication password simple hello
[RouterB-ui-vty0-4] quit

To configure an ACL for Telnetting another device, run the following commands on Router B.

[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound
[RouterB-ui-vty0-4] quit

NOTE

It is optional to configure an ACL for Telnet services.

Step 2 Log in to Router B from Router A through Telnet.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] quit
<RouterA> telnet 2.1.1.1
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Login authentication
Password:
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
 The current login time is 2010-02-22 14:31:01.
<RouterB>

Step 3 Configure a Telnet server port number on Router B.

<RouterB> system-view
[RouterB] telnet server port 1028
Warning: This operation will cause all the online Telnet users to be offline. Continue?[Y/N]: y
Info: Succeeded in changing the listening port of telnet server.

Step 4 Use the port number 1028 to log in to Router B from Router A through Telnet.

<RouterA> telnet 2.1.1.1 1028
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Login authentication
Password:
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
 The current login time is 2010-02-22 14:33:48.
<RouterB>

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password simple hello
#
return
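A configuration file such as Router B's above can be checked mechanically before it is deployed. The following Python audit is an added example, not part of the Huawei guide; the rule names, the policy they encode and the HARDENED_CFG sample are constructed for illustration, using only commands that appear in this guide.

```python
import re

# Configuration file of Router B from section 8.8.1 of this guide.
ROUTER_B_CFG = """\
#
 sysname RouterB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password simple hello
#
return
"""

# Constructed sample (not from the guide): VTY lines limited to SSH with AAA.
HARDENED_CFG = """\
#
 sysname RouterB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

VTY_HEADER = re.compile(r"user-interface vty \d+(?: \d+)?$")
SIMPLE_PASSWORD = re.compile(r"set authentication password simple\s+\S+")
INBOUND_ACL = re.compile(r"acl \d+ inbound$")


def parse_blocks(cfg):
    """Split a configuration file into (header, [indented sub-commands]) blocks."""
    blocks, current = [], None
    for line in cfg.splitlines():
        text = line.strip()
        if not text or text == "#":
            current = None          # '#' closes the current view
            continue
        if line[0].isspace() and current is not None:
            current[1].append(text)
        else:
            current = (text, [])
            blocks.append(current)
    return blocks


def audit(cfg):
    """Return (location, rule, message) tuples; messages never echo the password."""
    findings = []
    for header, body in parse_blocks(cfg):
        if header == "ssh client first-time enable":
            findings.append(("system view", "first-time-auth",
                             "server RSA key is accepted unchecked on first login"))
        if not VTY_HEADER.match(header):
            continue
        if any(SIMPLE_PASSWORD.match(cmd) for cmd in body):
            findings.append((header, "plaintext-password",
                             "login password is readable in the configuration file"))
        if not any(INBOUND_ACL.match(cmd) for cmd in body):
            findings.append((header, "no-inbound-acl",
                             "no inbound ACL limits the source addresses"))
        if "protocol inbound ssh" not in body:
            findings.append((header, "vty-not-ssh-only",
                             "VTY lines are not limited to SSH logins"))
    return findings


if __name__ == "__main__":
    for location, rule, message in audit(ROUTER_B_CFG):
        print(f"{location}: {rule}: {message}")
```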


8.8.2 Example for Logging in to Another Device by Using the Telnet Redirection Function

This section describes an example for logging in to another device on the network by using the Telnet redirection function. This allows users to manage the device remotely.

Networking Requirements

As shown in Figure 8-8, there is a reachable route between the PC and Router A, and Router A is not connected with Router B on the IP network. To manage Router B remotely, you can enable the Telnet redirection function on Router A, and connect the asynchronous serial interface of Router A to the serial interface of Router B. Then, you can log in to Router B remotely from the terminal PC by using the specified port number of Router A to manage Router B.

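Figure 8-8 Networking of logging in to another device by using the Telnet redirection function

[Figure: PC connected over the network to RouterA, and RouterA connected to RouterB, with a session from the PC. Interface labels: Aux, Console, GE1/0/1 10.1.1.1/24.]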

Configuration Roadmap

The configuration roadmap is as follows:

1. Use the AUX interface of Router A to connect with Router B.
2. Enable the Telnet redirection function on Router A.

Data Preparation

To complete the configuration, you need the following data:

• IP address of Router A: 10.1.1.1

Procedure

Step 1 Open the AUX interface of Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface Aux 0/0/1
[RouterA-Aux0/0/1] undo shutdown
[RouterA-Aux0/0/1] quit

Step 2 Enable the redirection function on Router A.

[RouterA] user-interface aux 0
[RouterA-ui-aux0] undo shell
[RouterA-ui-aux0] redirect


Step 3 View the port number.

<RouterA> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port    VPNID  State
37b26538 6  /1    0.0.0.0:21            0.0.0.0:0           23553  Listening
37b20808 135/4    0.0.0.0:22            0.0.0.0:0           23553  Listening
15b8a270 135/1    0.0.0.0:23            0.0.0.0:0           23553  Listening
32fa2744 135/15   0.0.0.0:2033          0.0.0.0:0           23553  Listening
32facdac 135/17   0.0.0.0:4033          0.0.0.0:0           23553  Listening
32f9e4b4 88 /1    0.0.0.0:6000          0.0.0.0:0           23553  Listening
2ff6bbcc 135/9    10.137.217.226:23     10.138.77.21:2993   0      Established

Step 4 Verify the configuration.

Run the telnet 10.1.1.1 2033 (or 4033) command on the PC to log in to Router B.

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface Aux0/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
user-interface con 0
user-interface aux 0
 undo shell
 redirect
#
return

8.8.3 Example for Logging in to Another Device by Using Telnet on a VPN

This section provides an example for logging in to another device by using Telnet on a VPN. In this example, the authentication mode and password are configured for users on a VPN so as to log in to the router through Telnet.

Networking Requirements

As shown in Figure 8-9, Router A and Router B can ping through each other. Users can log in to Router A from Router B through Telnet.

Figure 8-9 Networking diagram for logging in to another device by using Telnet on a VPN

[Figure: RouterA (GE1/0/0, 1.1.1.1 24) and RouterB (GE1/0/0, 1.1.1.2 24) connected across an IP network; VPN tt.]


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a VPN on Router B.
2. Configure the authentication mode and the password of the user interface VTY0 to VTY4 on Router B.
3. Set the user to enter the password to log in to Router B from Router A in Telnet mode.

Data Preparation

To complete the configuration, you need the following data:

• Host IP address of Router B
• Authentication mode and password
• VPN instance

Procedure

Step 1 Configure the VPN instance and IP address.

# Configure Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24

# Configure Router B.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip vpn-instance tt
[RouterB-vpn-instance-tt] route-distinguisher 1000:1
[RouterB-vpn-instance-tt] quit
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ip binding vpn-instance tt
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] quit

Step 2 Configure the Telnet authentication mode and password on Router B.

<RouterB> system-view
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
[RouterB-ui-vty0-4] set authentication password simple hello
[RouterB-ui-vty0-4] quit

To configure Telnet terminal services based on the ACL, do as follows on Router B.

[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit vpn-instance tt source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound

NOTE

Configuring Telnet terminal services based on the ACL is optional.


Step 3 Verify the configuration.

After the configuration is complete, you can log in to Router B from Router A through Telnet.

<RouterA> telnet 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2 ...
Login authentication
Password:
Note: The max number of VTY users is 10, and the current number
 of VTY users on line is 1.
<RouterB>

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
ip vpn-instance tt
 route-distinguisher 1000:1
#
acl number 2000
 rule 5 permit vpn-instance tt source 1.1.1.1 0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance tt
 ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password simple hello
#
return

8.8.4 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server

This section provides an example for logging in to another device by using STelnet. In this example, the local key pairs are generated on the STelnet client and the SSH server; the public RSA key is generated on the SSH server and then bound to the STelnet client. In this manner, the STelnet client can connect to the SSH server.

Networking Requirements

As shown in Figure 8-10, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server with the password, RSA, password-rsa, or all authentication mode. In this example, the Huawei router functions as an SSH server.


Two users client001 and client002 are configured to log in to the SSH server in the authentication mode of password and RSA respectively.

Figure 8-10 Networking diagram for logging in to another device by using STelnet

[Figure: Client 001 (GE1/0/1, 10.10.2.2/16) and Client 002 (GE1/0/1, 10.10.3.3/16) connected to the SSH server (GE1/0/1, 10.10.1.1/16).]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind the client client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
3. Enable STelnet service on the SSH server.
4. Set the service type of Client001 and Client002 to STelnet.
5. Enable first-time authentication on the SSH client.
6. Users Client001 and Client002 log in to the SSH server through STelnet.

Data Preparation

To complete the configuration, you need the following data:

• Client001, with the password huawei, adopts the password authentication.
• Client002 adopts the RSA authentication, and the public key RsaKey001 is assigned to Client002.
• IP address of the SSH server is 10.10.1.1.

Procedure

Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
 It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Create an SSH user on the server.

NOTE

The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.

• When the SSH user adopts the password or password-rsa authentication mode, configure a local user with the same name.

• When the SSH user adopts the RSA, password-rsa, or all authentication modes, the server should save the RSA public key for the SSH client.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create SSH user Client001.

# Configure the password authentication for the SSH user Client001.

[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Configure the password of the SSH user Client001 to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

• Create SSH user Client002.

# Configure the RSA authentication for the SSH user Client002.

[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key on the server.

# Generate a local key pair on the client.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
 0240
 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
 1D7E3E1B
 0203
 010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
 0260
 BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
 D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
 9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
 1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
 BC89D3DB 5A83698C 9063DB39 A279DD89
 0203
 010001
[client002]

# Send the RSA public key generated on the client software to the server.

[SSH Server]rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key]public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code]3047
[SSH Server-rsa-key-code]0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code]0203
[SSH Server-rsa-key-code]010001
[SSH Server-rsa-key-code]public-key-code end
[SSH Server-rsa-public-key]peer-public-key end

Step 4 Bind the SSH user Client002 to the RSA public key of the SSH client.

[SSH Server] ssh user client002 assign rsa-key RsaKey001

Step 5 Enable the STelnet service on the SSH server.

# Enable the STelnet service.

[SSH Server] stelnet server enable

Step 6 Configure the STelnet service for the SSH users Client001 and Client002.

[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet

Step 7 Connect the STelnet client to the SSH server.

# For the first login, you need to enable the first authentication on SSH client.

Enabling the first authentication on Client001.

<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enabling the first authentication on Client002.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# The STelnet client Client001 connects to the SSH server in password authentication mode. Enter the user name and password.

<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:

Enter the password huawei. It shows that the login is successful, as follows:

Info: The max number of VTY users is 20, and the number
      of current VTY users on line is 6.
      The current login time is 2010-09-06 11:42:42.
<SSH Server>

# Connect the STelnet client Client002 to the SSH server with the RSA authentication mode.

<client002> system-view
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Info: The max number of VTY users is 20, and the number
      of current VTY users on line is 6.
      The current login time is 2010-09-06 11:42:42.
<SSH Server>

Step 8 Verify the configuration.

After the configuration, run the display ssh server status and display ssh server session commands. You can see that the STelnet service is enabled and the STelnet client is connected to the SSH server successfully.

# Display the SSH status.

[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Disable
Stelnet server : Enable

# Display the connection of the SSH server.

[SSH Server] display ssh server session
Session 1:
  Conn : VTY 3
  Version : 2.0
  State : started
  Username : client001
  Retry : 1
  CTOS Cipher : aes128-cbc
  STOC Cipher : aes128-cbc
  CTOS Hmac : hmac-sha1-96
  STOC Hmac : hmac-sha1-96
  Kex : diffie-hellman-group1-sha1
  Service Type : stelnet
  Authentication Type : password
Session 2:
  Conn : VTY 4
  Version : 2.0
  State : started
  Username : client002
  Retry : 1
  CTOS Cipher : aes128-cbc
  STOC Cipher : aes128-cbc
  CTOS Hmac : hmac-sha1-96
  STOC Hmac : hmac-sha1-96
  Kex : diffie-hellman-group1-sha1
  Service Type : stelnet
  Authentication Type : rsa

# Display the information about the SSH user.

[SSH Server] display ssh user-information
User 1:
  User Name : client001
  Authentication-type : password
  User-public-key-name : -
  Sftp-directory : -
  Service-type : stelnet
  Authorization-cmd : No
User 2:
  User Name : client002
  Authentication-type : rsa
  User-public-key-name : RsaKey001
  Sftp-directory : -
  Service-type : stelnet
  Authorization-cmd : No

----End

Configuration Files

- Configuration file of the SSH server

#
 sysname SSH Server
#
 rsa peer-public-key rsakey001
  public-key-code begin
   3047
   0240
   BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
   519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
   0203
   010001
  public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password cipher huawei
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
 stelnet server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type stelnet
 ssh user client002 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

- Configuration file of Client001 on SSH client

#
 sysname client001
#
interface GigabitEthernet1/0/1
 ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

- Configuration file of Client002 on SSH client

#
 sysname client002
#
interface GigabitEthernet1/0/1
 ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.8.5 Example for Accessing Files on Another Device by Using TFTP

In this example, the TFTP application is run on the TFTP server and the location of the source file on the server is set. After that, you can upload and download files.

Networking Requirements

As shown in Figure 8-11, the IP address of the TFTP server is 10.111.16.160/24.

Log in to the router from the HyperTerminal and then download the file V600R003C00SPC300.cc from the TFTP server.

Figure 8-11 Networking diagram for accessing files on another device by using TFTP
[Diagram labels: TFTP Client, TFTP Server, PC, 10.111.16.160/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the router to download the file.
3. Use the TFTP command on the router to upload the file.

Data Preparation

To complete the configuration, you need the following data:

- The TFTP application installed on the TFTP server
- The path of the file on the TFTP server
- The destination file name and its path on the router

Procedure

Step 1 Start the TFTP server, and set its Current Directory as the directory where the V600R003C00SPC300.cc file resides. Figure 8-12 shows the interface.

Figure 8-12 Setting the Base Directory of the TFTP server

NOTE

The display may differ depending on the TFTP server application running on the computer.

Step 2 Log in to the router from the computer HyperTerminal and enter the following command to download the file.

<HUAWEI>tftp 10.111.16.160 get V600R003C00SPC300.cc cfcard:/V600R003C00SPC300.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory on the router.

<HUAWEI> dir cfcard:
Directory of cfcard:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    1  -rw-             40  Jun 24 2006 09:30:40   private-data.txt
    2  -rw-            396  May 19 2006 15:00:10   rsahostkey.dat
    3  -rw-            540  May 19 2006 15:00:10   rsaserverkey.dat
    4  -rw-           2718  Jun 21 2006 17:46:46   1.cfg
    5  -rw-          14343  May 19 2006 15:00:10   paf.txt
    6  -rw-           1004  Feb 05 2001 09:51:22   vrp1.zip
    7  -rw-           6247  May 19 2006 15:00:10   license.txt
    8  -rw-          14343  May 16 2006 14:13:42   paf.txt.bak
    9  -rw-       86235884  Feb 05 2001 10:23:46   V600R003C00SPC300.cc

Step 4 Log in to the router from the computer HyperTerminal and enter the following command to upload the file.

<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.

----End

8.8.6 Example for Configuring the Access of the TFTP Server on the Public Network When the Management VPN Instance Is Used

This part provides an example for configuring the access of the TFTP server on the public network when the management VPN instance is used. In this example, after logging in to the router that is configured with the management VPN instance, you can download files from the TFTP server on the public network.

Networking Requirements

As shown in Figure 8-13, a management VPN instance is configured on the router. Users use the VPN instance to access the FTP server from the router. To enable the client to access the TFTP server on the public network, you need to connect the router to the TFTP server on the public network.

Log in to the router from the HyperTerminal and then download the file V600R003C00SPC300.cc from the TFTP server.

Figure 8-13 Networking diagram of configuring the access of the TFTP server on the public network when the management VPN instance is used
[Diagram labels: PC, TFTP Client, TFTP Server 10.111.16.160/24, Network]

Configuration Roadmap

The configuration roadmap is as follows:

1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the router to download the file.
3. Use the TFTP command on the router to upload the file.

Data Preparation

To complete the configuration, you need the following data:

- The TFTP application installed on the TFTP server
- The path of the file on the TFTP server
- The destination file name and its path on the router

Procedure

Step 1 Start the TFTP server, and set its Current Directory as the directory where the V600R003C00SPC300.cc file resides. Figure 8-14 shows the interface.

Figure 8-14 Setting the Base Directory of the TFTP server

NOTE

The display may differ depending on the TFTP server application running on the computer.

Step 2 Log in to the router from the computer HyperTerminal and enter the following command to download the file.

<HUAWEI>tftp 10.111.16.160 public-net get V600R003C00SPC300.cc cfcard:/V600R003C00SPC300.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory on the router.

<HUAWEI> dir cfcard:
Directory of cfcard:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    1  -rw-             40  Jun 24 2006 09:30:40   private-data.txt
    2  -rw-            396  May 19 2006 15:00:10   rsahostkey.dat
    3  -rw-            540  May 19 2006 15:00:10   rsaserverkey.dat
    4  -rw-           2718  Jun 21 2006 17:46:46   1.cfg
    5  -rw-          14343  May 19 2006 15:00:10   paf.txt
    6  -rw-           1004  Feb 05 2001 09:51:22   vrp1.zip
    7  -rw-           6247  May 19 2006 15:00:10   license.txt
    8  -rw-          14343  May 16 2006 14:13:42   paf.txt.bak
    9  -rw-       86235884  Feb 05 2001 10:23:46   V600R003C00SPC300.cc

Step 4 Log in to the router from the computer HyperTerminal and enter the following command to upload the file.

<HUAWEI> tftp 10.111.16.160 public-net put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.

----End

Configuration Files

None.

8.8.7 Example for Accessing Files on Another Device by Using FTP

This section provides an example for accessing files on another device by using FTP. In this example, a user logs in to the FTP server from the router to download system software and configuration software from the FTP server.

Networking Requirements

As shown in Figure 8-15, the route between Router A that functions as the FTP client and the FTP server is reachable. A user needs to download system software and configuration software from the FTP server. The Huawei router functions as an FTP server.

Figure 8-15 Networking diagram for accessing files on another device by using FTP
[Diagram labels: FTP Server GE1/0/1 1.1.1.1/24, RouterA GE1/0/1 2.1.1.1/24, Network]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the user name and password for an FTP user to log in to the FTP server.
2. Enable the FTP server on the router.
3. Run certain login commands to log in to the FTP server.
4. Configure the file transmission mode and directories for the client before downloading required files from the FTP server.

Data Preparation

To complete the configuration, you need the following data:

- User name huawei and password 123 for a user's login
- IP address of the FTP server, that is, 1.1.1.1
- Target file and its location on Router A

Procedure

Step 1 Configure an FTP user on the FTP server.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password simple 123
[HUAWEI-aaa] local-user huawei service-type ftp
[HUAWEI-aaa] local-user huawei ftp-directory cfcard:
[HUAWEI-aaa] quit

Step 2 Enable the FTP server.

[HUAWEI] ftp server enable

Step 3 Log in to the FTP server from Router A.

<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

Step 4 On Router A, configure the binary format as the file transfer mode and flash:/ as the working directory.

[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.

Step 5 On Router A, download the latest system software from the remote FTP server.

[ftp] get V600R003C00SPC300.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R003C00SPC300.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

You can run the dir command to check whether the required file is downloaded to the client.

----End

Configuration Files

- Configuration file on the FTP server

#
 FTP server enable
#
aaa
 local-user huawei password simple 123
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
return

- Configuration file on the FTP client

#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
return

8.8.8 Example for Configuring the Access of the FTP Server on the Public Network When the Management VPN Instance Is Used

This part provides an example for configuring the access of the FTP server on the public network when the management VPN instance is used. In this example, after logging in to the router that is configured with the management VPN instance, you can download files from the FTP server on the public network.

Networking Requirements

As shown in Figure 8-16, a management VPN instance is configured on Router A. Users use the VPN instance to access the FTP server. To enable Router A to access the FTP server on the public network, you need to connect the router to the FTP server on the public network.

The route between the router that functions as the FTP client and the FTP server is reachable. A user needs to download system software and configuration software from the FTP server on the public network.

Figure 8-16 Networking diagram of configuring the access of the FTP server on the public network when the management VPN instance is used
[Diagram labels: GE1/0/1 1.1.1.1/24, GE1/0/1 2.1.1.1/24, FTP Server, RouterA, Network]

Configuration Roadmap

1. Log in to the FTP server from the FTP client on the public network.
2. Download the system files from the server to the storage devices on the client side.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the FTP server is 1.1.1.1
- User name huawei and password huawei
- The destination file name and its position in the router

Procedure

Step 1 Log in to the FTP server from the router.

<HUAWEI> ftp 1.1.1.1 public-net
Trying 1.1.1.1
Press CTRL+K to abort
Connected to 1.1.1.1
220 FTP service ready.
User(ftp 1.1.1.1:(none)):huawei
331 Password required for huawei
Password:
230 User logged in.

Step 2 Configure the transmission mode to the binary format and configure the directory of the cfcard memory on the router.

[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.

Step 3 Download the newest system software from the remote FTP server on the router.

[ftp] get V600R003C00SPC300.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R003C00SPC300.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

----End

Configuration Files

None.

8.8.9 Example for Accessing Files on Another Device by Using SFTP

In this example, the local key pairs are generated on the SFTP client and the SSH server respectively; the RSA public key is generated on the SSH server and bound to the SFTP client. In this manner, the SFTP client can connect to the SSH server.

Networking Requirements

As shown in Figure 8-17, after the SFTP service is enabled on the SSH server, the SFTP client can log in to the SSH server with the password, RSA, password-rsa, or all authentication. In this example, the Huawei router functions as an SSH server.

Two users client001 and client002 are configured to log in to the SSH server in the authentication mode of password and RSA respectively.

Figure 8-17 Networking diagram for accessing files on another device by using SFTP
[Diagram labels: Client 002 GE1/0/1 10.10.3.3/16, SSH Server GE1/0/1 10.10.1.1/16, Client 001 GE1/0/1 10.10.2.2/16]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind the client client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Client001 and Client002 log in to the SSH server by using SFTP to access files on the server.

Data Preparation

To complete the configuration, you need the following data:

- Client001, with the password huawei, adopting password authentication.
- Client002, adopting RSA authentication, with the public key RsaKey001 assigned to Client002.
- IP address of the SSH server is 10.10.1.1.

Procedure

Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++

Step 2 Create an SSH user on the server.

NOTE

The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.

- When the SSH user adopts the password or password-rsa authentication, configure a local user with the same name.
- When the SSH user adopts the RSA, password-rsa, or all authentication, the server should save the RSA public key for the SSH client.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

- Create Client001 for the SSH user.

# Create an SSH user with the name Client001. The authentication mode is password.

[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Set huawei as the password for the Client001 of the SSH user.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password simple huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

- Create Client002 for the SSH user.

# Create an SSH user with user name Client002 and RSA authentication.

[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key of the server.

# Generate a local key pair on the client.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]

# Send the RSA public key generated on the client to the server.

[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind the RSA public key of SSH client to Client002 of the SSH user.

[SSH Server] ssh user client002 assign rsa-key RsaKey001
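The key code typed into the RSA key code view in Step 3 (here and in the STelnet example earlier) is a DER-style SEQUENCE of two INTEGERs, modulus then exponent, so it can be checked against the client's OpenSSH-format line before it is bound to a user. The following Python check is an added example, not part of the Huawei guide; the 2048-bit threshold (MIN_BITS) and all function names are this example's assumptions, and the three key values are copied from this page.

```python
import base64
import hashlib
import struct

# Copied from this page: client002's host key as printed by
# "display rsa local-key-pair public" (hex key code and OpenSSH line).
CLIENT_KEY_CODE = """3047 0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203 010001"""
CLIENT_OPENSSH = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)
# Copied from this page: key code under "rsa peer-public-key rsakey001" in the
# SSH server configuration file of section 8.8.9.
SERVER_CONFIG_KEY_CODE = """3047 0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203 010001"""
MIN_BITS = 2048  # acceptance threshold assumed by this example


def _tlv(buf, pos, tag):
    """Read one DER tag-length-value item; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated key code")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Decode a hex key code, SEQUENCE { INTEGER n, INTEGER e }, to (n, e)."""
    der = bytes.fromhex("".join(text.split()))
    body, end = _tlv(der, 0, 0x30)
    n_raw, pos = _tlv(body, 0, 0x02)
    e_raw, pos = _tlv(body, pos, 0x02)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing bytes in key code")
    # The modulus is printed without a leading 00 byte, so read it unsigned.
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def _ssh_string(buf, pos):
    """Read one length-prefixed field of an SSH public key blob."""
    if pos + 4 > len(buf):
        raise ValueError("truncated SSH key blob")
    end = pos + 4 + struct.unpack_from(">I", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated SSH key blob")
    return buf[pos + 4:end], end


def parse_openssh(line):
    """Decode an 'ssh-rsa <base64> [comment]' line to (n, e)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    alg, pos = _ssh_string(blob, 0)
    e_raw, pos = _ssh_string(blob, pos)
    n_raw, pos = _ssh_string(blob, pos)
    if alg != b"ssh-rsa" or pos != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def fingerprint(n, e):
    """SHA-256 fingerprint of the key in OpenSSH's SHA256:<base64> form."""
    def mpint(v):  # big-endian, with a leading 00 when the top bit is set
        return v.to_bytes(v.bit_length() // 8 + 1, "big")
    parts = (b"ssh-rsa", mpint(e), mpint(n))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_peer_key(entered_key_code, client_openssh_line):
    """Compare the key code entered on the server with the client's key."""
    findings = []
    entered = parse_key_code(entered_key_code)
    expected = parse_openssh(client_openssh_line)
    if entered != expected:
        findings.append("MISMATCH: server has %s, client shows %s"
                        % (fingerprint(*entered), fingerprint(*expected)))
    bits = entered[0].bit_length()
    if bits < MIN_BITS:
        findings.append(f"WEAK: {bits}-bit modulus is below {MIN_BITS} bits")
    return findings


if __name__ == "__main__":
    for code in (CLIENT_KEY_CODE, SERVER_CONFIG_KEY_CODE):
        print(check_peer_key(code, CLIENT_OPENSSH) or "key matches")
```

The key code pasted in Step 3 decodes to the same 512-bit key as the client's OpenSSH line, while the key code printed in the 8.8.9 server configuration file decodes to a different modulus and is reported as a mismatch.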

Step 5 Enable the STelnet service on the SSH server.

# Enable the STelnet service.

[SSH Server] sftp server enable

Step 6 Configure the service type and authorized directory of the SSH user.

Two SSH users are configured on the SSH server, namely, Client001 and Client002. The password authentication mode is configured for Client001 and the RSA authentication mode is configured for Client002.

[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect the STelnet client to the SSH server.

# For the first login, you need to enable the first authentication on the SSH client.

Enabling the first authentication on Client001.

<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enabling the first authentication on Client002.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect the STelnet client Client001 to the SSH server with the password authentication mode.

<client001> system-view
[client001] sftp 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
sftp-client>

# Connect the STelnet client Client002 to the SSH server with the RSA authentication mode.

<client002> system-view
[client002] sftp 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>

Step 8 Verify the configuration.

After the configuration, run the display ssh server status and display ssh server session commands. You can see that the STelnet service is enabled and the SFTP client is connected to the SSH server successfully.

# Display the SSH status.

[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
Stelnet server: Disable

# Display the connection of the SSH server.

[SSH Server] display ssh server session
Session 1:
  Conn : VTY 3
  Version : 2.0
  State : started
  Username : client001
  Retry : 1
  CTOS Cipher : aes128-cbc
  STOC Cipher : aes128-cbc
  CTOS Hmac : hmac-sha1-96
  STOC Hmac : hmac-sha1-96
  Kex : diffie-hellman-group1-sha1
  Service Type : sftp
  Authentication Type : password
Session 2:
  Conn : VTY 4
  Version : 2.0
  State : started
  Username : client002
  Retry : 1
  CTOS Cipher : aes128-cbc
  STOC Cipher : aes128-cbc
  CTOS Hmac : hmac-sha1-96
  STOC Hmac : hmac-sha1-96
  Kex : diffie-hellman-group1-sha1
  Service Type : sftp
  Authentication Type : rsa

# Display information about the SSH user.

[SSH Server]display ssh user-information
User 1:
  User Name : client001
  Authentication-type : password
  User-public-key-name : -
  Sftp-directory : cfcard:
  Service-type : sftp
  Authorization-cmd : No
User 2:
  User Name : client002
  Authentication-type : rsa
  User-public-key-name : RsaKey001
  Sftp-directory : cfcard:
  Service-type : sftp
  Authorization-cmd : No

----End
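The verification output in Step 8, here and in the STelnet example, also shows which algorithms each session negotiated and which protocol versions the server announces. The following Python review of that output is an added example, not part of the Huawei guide; the sample text is constructed from the output on this page with one field per line, and the rule set and function names are this example's assumptions.

```python
import re

# Constructed sample: the "display ssh server session" and "display ssh server
# status" output shown on this page, one field per line (layout assumed).
SESSION_OUTPUT = """\
Session 1:
  Conn : VTY 3
  Version : 2.0
  State : started
  Username : client001
  Retry : 1
  CTOS Cipher : aes128-cbc
  STOC Cipher : aes128-cbc
  CTOS Hmac : hmac-sha1-96
  STOC Hmac : hmac-sha1-96
  Kex : diffie-hellman-group1-sha1
  Service Type : sftp
  Authentication Type : password
Session 2:
  Conn : VTY 4
  Version : 2.0
  State : started
  Username : client002
  Retry : 1
  CTOS Cipher : aes128-cbc
  STOC Cipher : aes128-cbc
  CTOS Hmac : hmac-sha1-96
  STOC Hmac : hmac-sha1-96
  Kex : diffie-hellman-group1-sha1
  Service Type : sftp
  Authentication Type : rsa
"""
STATUS_OUTPUT = """\
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
Stelnet server: Disable
"""

# Review policy assumed by this example (not taken from the guide):
# (fields to inspect, predicate on the value, reason reported).
RULES = [
    (("Kex",), lambda v: v == "diffie-hellman-group1-sha1",
     "key exchange uses a 1024-bit group with SHA-1"),
    (("CTOS Cipher", "STOC Cipher"), lambda v: v.endswith("-cbc"),
     "CBC-mode cipher"),
    (("CTOS Hmac", "STOC Hmac"), lambda v: "sha1" in v or "md5" in v,
     "SHA-1 or MD5 based MAC"),
]


def parse_sessions(text):
    """Split the session listing into one dict of fields per session."""
    sessions, current = [], None
    for line in text.splitlines():
        header = re.match(r"\s*Session\s+(\d+)\s*:\s*$", line)
        if header:
            current = {"Session": header.group(1)}
            sessions.append(current)
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sessions


def audit_sessions(sessions):
    """Return (username, field, value, reason) for every rule that matches."""
    findings = []
    for session in sessions:
        for fields, is_legacy, reason in RULES:
            for field in fields:
                value = session.get(field, "")
                if value and is_legacy(value):
                    findings.append(
                        (session.get("Username", "?"), field, value, reason))
    return findings


def audit_status(text):
    """Flag a server that announces SSH 1.x compatibility (version 1.99)."""
    match = re.search(r"^\s*SSH version\s*:\s*(\S+)", text, re.MULTILINE)
    if match and match.group(1).startswith("1."):
        return [f"SSH version {match.group(1)}: "
                "the server also accepts SSH 1.x clients"]
    return []


if __name__ == "__main__":
    for finding in audit_sessions(parse_sessions(SESSION_OUTPUT)):
        print(*finding, sep=" | ")
    print(*audit_status(STATUS_OUTPUT), sep="\n")
```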

Configuration Files

- Configuration file of the SSH server.

#
 sysname SSH Server
#
 rsa peer-public-key rsakey001
  public-key-code begin
   3047
   0240
   C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
   A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
   0203
   010001
  public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
 sftp server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type sftp
 ssh user client002 service-type sftp
 ssh user client001 sftp-directory cfcard:.
 ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

- Configuration file of Client001 on the SSH client

#
 sysname client001
#
interface GigabitEthernet1/0/1
 ip address 10.10.2.2 255.255.0.0
#
 ssh client first-time enable
#
return

- Configuration file of Client002 on the SSH client

#
 sysname client002
#
interface GigabitEthernet1/0/1
 ip address 10.10.3.3 255.255.0.0
#
 ssh client first-time enable
#
return

8.8.10 Example for Configuring the Access of the SFTP Server on the Public Network When the Management VPN Instance Is Used

This part provides an example for configuring the access of the SFTP server on the public network when the management VPN instance is used. In this example, after generating the local key pair on the SFTP client and SSH server, generating the RSA public key on the SSH server, and binding the RSA public key to the client, you can connect the SFTP client to the SFTP server on the public network when using the management VPN instance.

Networking Requirements

As shown in Figure 8-18, a management VPN instance is configured for Client001 and Client002. Users use the VPN instance to access the FTP server. To enable the client to access the SFTP server on the public network, you need to connect the router to the SFTP server on the public network.

The Huawei router functions as an SSH server. Two users client001 and client002 are configured to access the SSH server in the authentication mode of password and RSA respectively.

Figure 8-18 Networking diagram of configuring the access of the SFTP server on the public network when the management VPN instance is used

[Figure: SSH Server (GE1/0/1, 10.10.1.1/16), Client 001 (GE1/0/1, 10.10.2.2/16), Client 002 (GE1/0/1, 10.10.3.3/16)]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind the client client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Configure Client001 and Client002 to log in to the SSH server on the Public Network through SFTP.

Data Preparation

To complete the configuration, you need the following data:

• Client001 uses password authentication, with the password huawei.
• Client002 uses RSA authentication, with the public key RsaKey001 assigned to it.
• IP address of the SSH server is 10.10.1.1.

Procedure

Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys............++++++++
......................++++++++
......................+++++++++
.....+++++++++

Step 2 Create an SSH user on the server.

NOTE

The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.
• When the SSH user adopts the password or password-rsa authentication, configure a local user with the same name.
• When the SSH user adopts the RSA, password-rsa, or all authentication, the server should save the RSA public key for the SSH client.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create Client001 for the SSH user.

# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set huawei as the password for the Client001 of the SSH user.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password simple huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

• Create Client002 for the SSH user.

# Create an SSH user with user name Client002 and RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key of the server.

# Generate a local key pair on the client.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
    D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
    9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
    1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
    BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001
[client]

# Send the RSA public key generated on the client to the server.

[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind the RSA public key of the SSH client to Client002 of the SSH user.

[SSH Server] ssh user client002 assign rsa-key RsaKey001

Step 5 Enable the STelnet service on the SSH server.

# Enable the STelnet service.

[SSH Server] sftp server enable

Step 6 Configure the service type and authorized directory of the SSH user.

Two SSH users are configured on the SSH server, namely, Client001 and Client002. The password authentication mode is configured for Client001 and the RSA authentication mode is configured for Client002.

[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect the STelnet client to the SSH server.

# For the first login, you need to enable the first authentication on the SSH client.

Enabling the first authentication on Client001.

<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enabling the first authentication on Client002.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect the STelnet client Client001 to the SSH server with the password authentication mode.

<client001> system-view
[client001] sftp 10.10.1.1 public-net
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
Enter password:
sftp-client>

# Connect the STelnet client Client002 to the SSH server with the RSA authentication mode.

<client002> system-view
[client002] sftp 10.10.1.1 public-net
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
sftp-client>

Step 8 Verify the configuration.

After the configuration, run the display ssh server status and display ssh server session commands. You can view that the STelnet service is enabled and the SFTP client is connected to the SSH server successfully.

# Display the SSH status.

[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Disable

# Display the connection of the SSH server.

[SSH Server] display ssh server session
Session 1:
  Conn                : VTY 3
  Version             : 2.0

  State               : started
  Username            : client001
  Retry               : 1
  CTOS Cipher         : aes128-cbc
  STOC Cipher         : aes128-cbc
  CTOS Hmac           : hmac-sha1-96
  STOC Hmac           : hmac-sha1-96
  Kex                 : diffie-hellman-group1-sha1
  Service Type        : sftp
  Authentication Type : password
Session 2:
  Conn                : VTY 4
  Version             : 2.0
  State               : started
  Username            : client002
  Retry               : 1
  CTOS Cipher         : aes128-cbc
  STOC Cipher         : aes128-cbc
  CTOS Hmac           : hmac-sha1-96
  STOC Hmac           : hmac-sha1-96
  Kex                 : diffie-hellman-group1-sha1
  Service Type        : sftp
  Authentication Type : rsa

# Display information about the SSH user.

[SSH Server] display ssh user-information
User 1:
  User Name            : client001
  Authentication-type  : password
  User-public-key-name : -
  Sftp-directory       : cfcard:
  Service-type         : sftp
  Authorization-cmd    : No
User 2:
  User Name            : client002
  Authentication-type  : rsa
  User-public-key-name : RsaKey001
  Sftp-directory       : cfcard:
  Service-type         : sftp
  Authorization-cmd    : No

----End
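
Added example (not part of the Huawei guide): the "Key code" printed in Step 3 is a DER-encoded RSA public key, so the size of the key that gets bound to client002 can be checked before it is pasted into the server. This Python sketch decodes the two key codes and the OpenSSH line from that output and confirms they carry the same modulus; the function names and the 2048-bit floor are assumptions of the example.

```python
import base64
import struct

# Copied from the "display rsa local-key-pair public" output in Step 3.
HOST_KEY_CODE = """
3047 0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203 010001
"""
SERVER_KEY_CODE = """
3067 0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203 010001
"""
OPENSSH_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b"
)

MIN_RSA_BITS = 2048  # assumption: local policy floor, top of the range the prompt offers


def _read_tlv(buf, pos, tag):
    """Return (value, next_pos) for one DER element carrying the expected tag."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Decode a 'Key code' hex dump (SEQUENCE of two INTEGERs) into (modulus, exponent)."""
    der = bytes.fromhex("".join(text.split()))
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    n_raw, pos = _read_tlv(body, 0, 0x02)
    e_raw, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("unexpected extra element")
    # The dump carries the modulus without a leading 0x00 although its top bit
    # is set, so both integers are read as unsigned.
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def parse_openssh_rsa(b64):
    """Decode the base64 part of an 'ssh-rsa ...' line into (modulus, exponent)."""
    blob = base64.b64decode(b64, validate=True)
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def key_report(name, key_code):
    """Summarise one key code: modulus size, exponent, and whether it is under the floor."""
    n, e = parse_key_code(key_code)
    bits = n.bit_length()
    return {"name": name, "bits": bits, "exponent": e, "below_floor": bits < MIN_RSA_BITS}


if __name__ == "__main__":
    for name, code in (("client002_Host", HOST_KEY_CODE), ("client002_Server", SERVER_KEY_CODE)):
        print(key_report(name, code))
    same = parse_openssh_rsa(OPENSSH_BLOB) == parse_key_code(HOST_KEY_CODE)
    print("OpenSSH line matches host key code:", same)
```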

Configuration Files

• Configuration file of the SSH server.

#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
  3047
  0240
  C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
  0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
  C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
  E917182B
  0203
  010001
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0

#
 sftp server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type sftp
 ssh user client002 service-type sftp
 ssh user client001 sftp-directory cfcard:.
 ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

• Configuration file of Client001 on the SSH client

#
 sysname client001
#
interface GigabitEthernet1/0/1
 ip address 10.10.2.2 255.255.0.0
#
 ssh client first-time enable
#
return

• Configuration file of Client002 on the SSH client

#
 sysname client002
#
interface GigabitEthernet1/0/1
 ip address 10.10.3.3 255.255.0.0
#
 ssh client first-time enable
#
return

8.8.11 Example for Accessing the SSH Server Through Other Port Numbers

This section provides an example for accessing the SSH server through other port numbers. In this example, the monitoring port number of the SSH server is set to a port number other than the standard monitoring port number so that only valid users can set up connections with the SSH server.

Networking Requirements

The standard monitored port number of the SSH protocol is 22. Frequent malicious access attempts to the standard port consume bandwidth and affect the performance of the server, and other users cannot access the standard port.

After the port monitored by the SSH server is set to another port number, the attacker does not know that the monitored port has changed and keeps sending socket connection requests to the standard port 22. After detecting that the port number in the connection requests is not the number of the monitored port, the SSH server does not set up the socket connection.

Thus, only the valid user can set up the socket connection through the non-standard monitored port set by the SSH server, and follow the procedure of negotiating the SSH version number, negotiating the algorithm, generating the session key, authenticating, sending session request, and performing the interactive session.

The Huawei router functions as an SSH server. The client client001 is configured to log in to the SSH server by using STelnet in the authentication mode of password; the client client002 is configured to log in to the SSH server by using SFTP in the authentication mode of RSA.

Figure 8-19 Networking diagram of accessing the SSH server through other port numbers

[Figure: SSH Server (GE1/0/1, 10.10.1.1/16), Client 001 (GE1/0/1, 10.10.2.2/16), Client 002 (GE1/0/1, 10.10.3.3/16)]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind the client client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
3. Enable the STelnet and SFTP service on the SSH server.
4. Configure the service mode and authorization directory of the SSH user.
5. Configure the number of the port monitored by the SSH server so that the client can access the server through other port numbers.
6. Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.

Data Preparation

To complete the configuration, you need the following data:

• Client001 uses password authentication, with the password huawei.
• Client002 uses RSA authentication, with the public key RsaKey001 assigned to it.
• IP address of the SSH server is 10.10.1.1.
• Number of the port monitored by the SSH server is 1025.

Procedure

Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create

The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys..........++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure the RSA public key of the server.

# Generate a local key pair on the client.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
    D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
    9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
    1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
    BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001

# Send the RSA public key generated on the client to the server.

[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8

[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 3 Create an SSH user on the server.

NOTE

The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.
• When the SSH user adopts the password or password-rsa authentication mode, configure a local user with the same name.
• When the SSH user adopts the RSA, password-rsa, or all authentication modes, the server should save the RSA public key for the SSH client.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create Client001 for the SSH user.

# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set huawei as the password of SSH user Client001.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password simple huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
# Configure Client001 with service type of STelnet.
[SSH Server] ssh user client001 service-type stelnet

• Create Client002 for the SSH user.

# Create an SSH user with the name of Client002 and RSA authentication, bound to the RSA public key of the SSH client.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh user client002 assign rsa-key RsaKey001
# Configure the service type of Client002 as SFTP and the authorization directory.
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:

Step 4 Enable the STelnet service and the SFTP service on the SSH server.

# Enable the STelnet service and the SFTP service.

[SSH Server] stelnet server enable
[SSH Server] sftp server enable

Step 5 Configure a new number of the port monitored by the SSH server.

[SSH Server] ssh server port 1025

Step 6 Connect the STelnet client to the SSH server.

# For the first login, you need to enable the first authentication on SSH client.

Enabling the first authentication on Client001.

<HUAWEI> system-view

[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enabling the first authentication on Client002.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect the STelnet client to the SSH server through the new port number.

[client001] stelnet 10.10.1.1 1025
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:

Enter the password Huawei. The following information is displayed:

Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
<SSH Server>

# Connect the SFTP client to the SSH server through the new port number.

[client002] sftp 10.10.1.1 1025
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>

Step 7 Verify the configuration.

The attacker fails to access the SSH server through port 22.

[client002] sftp 10.10.1.1
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.

After the configuration, run the display ssh server status and display ssh server session commands. You can view the number of the port monitored by the SSH server and that the STelnet client or SFTP client is connected to the SSH server successfully.

# Display the SSH status.

[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025

# Display the connection of the SSH server.

[SSH Server] display ssh server session
Session 1:
  Conn                : VTY 3

  Version             : 2.0
  State               : started
  Username            : client001
  Retry               : 1
  CTOS Cipher         : aes128-cbc
  STOC Cipher         : aes128-cbc
  CTOS Hmac           : hmac-sha1-96
  STOC Hmac           : hmac-sha1-96
  Kex                 : diffie-hellman-group1-sha1
  Service Type        : stelnet
  Authentication Type : password
Session 2:
  Conn                : VTY 4
  Version             : 2.0
  State               : started
  Username            : client002
  Retry               : 1
  CTOS Cipher         : aes128-cbc
  STOC Cipher         : aes128-cbc
  CTOS Hmac           : hmac-sha1-96
  STOC Hmac           : hmac-sha1-96
  Kex                 : diffie-hellman-group1-sha1
  Service Type        : sftp
  Authentication Type : rsa

----End
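
Added example (not part of the Huawei guide): the verification output in Step 7 also records what each session negotiated, which moving the port to 1025 does not change. This Python sketch parses the display ssh server status and display ssh server session output and lists the negotiated algorithms that appear on a deny-list; the deny-list, the function names and the one-field-per-line sample layout are assumptions of the example.

```python
import re

# Assumption: this deny-list is the example's own policy, not a device default.
WEAK_ALGORITHMS = {
    "diffie-hellman-group1-sha1": "fixed 1024-bit group hashed with SHA-1",
    "aes128-cbc": "CBC-mode cipher",
    "3des-cbc": "CBC-mode cipher with a 64-bit block",
    "hmac-sha1-96": "SHA-1 MAC truncated to 96 bits",
    "hmac-md5": "MD5-based MAC",
}
ALGORITHM_FIELDS = ("CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac", "Kex")

# Sample input constructed from the Step 7 outputs, one field per line.
STATUS_OUTPUT = """\
[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025
"""
_SESSION = """\
Session {n}:
  Conn : VTY {vty}
  Version : 2.0
  State : started
  Username : {user}
  Retry : 1
  CTOS Cipher : aes128-cbc
  STOC Cipher : aes128-cbc
  CTOS Hmac : hmac-sha1-96
  STOC Hmac : hmac-sha1-96
  Kex : diffie-hellman-group1-sha1
  Service Type : {service}
  Authentication Type : {auth}
"""
SESSION_OUTPUT = (
    "[SSH Server] display ssh server session\n"
    + _SESSION.format(n=1, vty=3, user="client001", service="stelnet", auth="password")
    + _SESSION.format(n=2, vty=4, user="client002", service="sftp", auth="rsa")
)


def parse_status(text):
    """Turn 'key : value' lines of the status output into a dict."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def parse_sessions(text):
    """Split the session output into one dict per 'Session N:' block."""
    sessions = []
    for line in text.splitlines():
        header = re.fullmatch(r"\s*Session (\d+):\s*", line)
        if header:
            sessions.append({"Session": header.group(1)})
        elif sessions and ":" in line:
            key, _, value = line.partition(":")
            sessions[-1][key.strip()] = value.strip()
    return sessions


def audit_sessions(text):
    """Return (who, field, algorithm, reason) for every deny-listed negotiated algorithm."""
    findings = []
    for session in parse_sessions(text):
        who = f"session {session['Session']} ({session.get('Username', '?')})"
        for field in ALGORITHM_FIELDS:
            algorithm = session.get(field)
            if algorithm in WEAK_ALGORITHMS:
                findings.append((who, field, algorithm, WEAK_ALGORITHMS[algorithm]))
    return findings


def audit_status(text):
    """Flag a server that identifies as protocol version 1.99."""
    findings = []
    if parse_status(text).get("SSH version") == "1.99":
        # RFC 4253, section 5.1: 1.99 is what a server reports when
        # compatibility with older protocol versions is switched on.
        findings.append(("server", "SSH version", "1.99", "compatibility with SSH 1.x enabled"))
    return findings


if __name__ == "__main__":
    print("listening port:", parse_status(STATUS_OUTPUT).get("SSH server port"))
    for finding in audit_status(STATUS_OUTPUT) + audit_sessions(SESSION_OUTPUT):
        print(" | ".join(finding))
```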

Configuration Files

• Configuration file of the SSH server.

#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
  3047
  0240
  C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
  0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
  C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
  E917182B
  0203
  010001
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
 sftp server enable
 stelnet server enable
 ssh server port 1025
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type RSA
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type stelnet
 ssh user client002 service-type sftp
 ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#

return

• Configuration file of Client001 on the SSH client

#
 sysname client001
#
interface GigabitEthernet1/0/1
 ip address 10.10.2.2 255.255.0.0
#
 ssh client first-time enable
#
return

• Configuration file of Client002 on the SSH client

#
 sysname client002
#
interface GigabitEthernet1/0/1
 ip address 10.10.3.3 255.255.0.0
#
 ssh client first-time enable
#
return

8.8.12 Example for an SSH Client in the Public Network to Access an SSH Server in the Private Network

In this example, SSH attributes of users on the public network are configured so as to access the SSH server on the private network through STelnet or SFTP.

Networking Requirements

As shown in Figure 8-20, PE1 as an SSH client resides on an MPLS backbone network, and CE1 as an SSH server is located at a private network of AS 65410. The users in the public network can safely access and manage CE1 on the private network through PE1.

The Huawei router functions as an SSH server. The client client001 is configured to log in to the SSH server by using STelnet in the authentication mode of password; the client client002 is configured to log in to the SSH server by using SFTP in the authentication mode of RSA.

Figure 8-20 Networking diagram of configuring the SSH client in public network accessing the SSH server in the private network

[Figure: PE1 (SSH client), P and PE2 on the MPLS backbone (AS 100); CE1 (SSH server) and CE2 in the VPN sites. Interface labels in the figure: POS1/0/1 100.1.1.2/30, GE1/0/1 10.1.1.2/24, POS1/0/1 100.1.1.1/30, POS1/0/2 200.1.1.1/30, POS1/0/1 200.1.1.2/30, GE1/0/1 10.1.2.2/24, GE1/0/1 10.1.1.1/24, GE1/0/1 10.1.2.1/24, Loopback1 1.1.1.9/32, Loopback1 2.2.2.9/32, Loopback1 3.3.3.9/32]

Configuration Roadmap

The roadmap for configuring SSH to support access from the private network is as follows:

1. Configure a VPN instance on the PE functioning as an SSH client so that the CE can access the PE.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
3. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind the client client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
4. Enable the STelnet and SFTP service on the SSH server.
5. Users in the public network access devices in the private network through STelnet and SFTP.

Data Preparation

To complete the configuration, you need the following data.

• Name of the VPN instance on the PE: vpn1
• VPN target on the PE: 111:1
• IP address 10.1.1.2 of PE1; IP address 10.1.2.2 of PE2
• Client001 uses password authentication, with the password huawei
• Client002 uses RSA authentication, with the public key RsaKey001 assigned to it
• IP address of the SSH server CE1 on the private network: 10.1.1.1

Procedure

Step 1 Configure the MPLS backbone network

Configure an IGP on the MPLS backbone network so that the PE on the backbone network can communicate with the P; then configure the MPLS basic capability and MPLS LDP, and create LDP LSPs.

The detailed configurations are not mentioned here. For more information, refer to the configuration file of this example.

Step 2 Configure the VPN instance. Configure VPN on PE and connect CE to PE.

# Configure PE1.

[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 111:1 both
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/1] quit

# Configure PE2.

[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
[PE2-vpn-instance-vpn1] vpn-target 111:1 both
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[PE2-GigabitEthernet1/0/1] undo shutdown
[PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24
[PE2-GigabitEthernet1/0/1] quit

# Configure IP addresses of interfaces on CEs as shown in Figure 8-20. The detailed configurations are not mentioned here.

After the configuration, run the display ip vpn-instance verbose command on PE. You can view the configuration of VPN. Each PE can ping the CE that it connects to.

NOTE

If several VPN interfaces are bound on the PE, you have to run the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE that connects to the peer PE. The source IP address must be specified. Otherwise, the ping may fail.

Take PE1 and CE1 for example:

[PE1] display ip vpn-instance verbose
 Total VPN-Instances configured : 1
 VPN-Instance Name and ID : vpn1, 1
  Create date : 2007/06/08 11:42:58
  Up time : 0 days, 00 hours, 03 minutes and 27 seconds
  Route Distinguisher : 100:1
  Export VPN Targets : 111:1
  Import VPN Targets : 111:1
  Label policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : uniform
  Interfaces : GigabitEthernet2/0/0
[PE1] ping -vpn-instance vpn1 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=260 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=70 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=60 ms

    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=90 ms
  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/108/260 ms

Step 3 Establish EBGP peer relationship between PEs and CEs and import VPN router.

# Configure CE1.

[CE1] bgp 65410[CE1-bgp] peer 10.1.1.2 as-number 100[CE1-bgp] import-route direct[CE1-bgp] quit

# Configure PE1.

[PE1] bgp 100[PE1-bgp] ipv4-family vpn-instance vpn1[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410[PE1-bgp-vpn1] import-route direct[PE1-bgp-vpn1] quit[PE1-bgp] quit

# Configure CE2.

[CE2] bgp 65420
[CE2-bgp] peer 10.1.2.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE2.

[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

After configuration, run the display bgp vpnv4 vpn-instance peer command on PE. You can view that the BGP peer relationship between PE and CE is created and in the established state.

Take the peer relationship between PE 1 and CE 1 as an example.

[PE1] display bgp vpnv4 vpn-instance vpn1 peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1
 Peers in established state : 1
  Peer       V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  10.1.1.1   4  65410  3        3        0     00:00:37  Established  1

# Establish MP-BGP peer relationship between PEs.

The detailed configurations are not mentioned here. For more information, refer to the configuration file of this example.

Step 4 Generate a local key pair on the server.

[CE1] rsa local-key-pair create
The key name will be: CE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys..........++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 5 Configure the RSA public key of the server.

# Generate a local key pair on the client.

[PE1] rsa local-key-pair create
The key name will be: PE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys..........++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

# View the RSA public key generated on the client.

[PE1] display rsa local-key-pair public
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
    87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
    8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
    E2EE8EB5
  0203
    010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F
    23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40
    278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437
    D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4
    970B8CC9 C8684678 CF0682F3 6301F5F3
  0203
    010001

# Send the RSA public key generated on the client to the server.

[CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[CE1-rsa-key-code] 3047
[CE1-rsa-key-code] 0240
[CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[CE1-rsa-key-code] E2EE8EB5
[CE1-rsa-key-code] 0203
[CE1-rsa-key-code] 010001
[CE1-rsa-key-code] public-key-code end
[CE1-rsa-public-key] peer-public-key end
[CE1-rsa-public-key] quit
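
The key code printed by display rsa local-key-pair public is a hex dump of an ASN.1 structure: a SEQUENCE (30) holding two INTEGERs (02), the modulus and the public exponent. The Python code below is an added example, not part of the Huawei guide: it decodes the two key codes shown above, reports the modulus size, rejects a key code whose lengths do not add up, and re-encodes the host key in OpenSSH format so that it can be compared with the ssh-rsa line of the same output before the key is bound to an SSH user. The function names and the 2048-bit threshold are assumptions of this example.

```python
import base64
import struct

# Key codes copied from the display rsa local-key-pair public output above.
PE1_HOST_KEY_CODE = """
3047 0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376 87787138 3BDB1FF0 D21F05D8
41BECF56 B2FA0695 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D E2EE8EB5
0203 010001
"""
PE1_SERVER_KEY_CODE = """
3067 0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203 010001
"""
# Constructed malformed input: the header of the 768-bit key (3067) in front
# of the 512-bit body, a slip that is easy to make when pasting line by line.
MALFORMED_KEY_CODE = PE1_HOST_KEY_CODE.replace("3047", "3067", 1)

MIN_MODULUS_BITS = 2048  # assumed local policy threshold, not from the guide


def _read_tlv(buf, pos, expected_tag):
    """Read one tag-length-value element at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02X} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, used by keys of 1024 bits and more
        count = length & 0x7F
        if count == 0 or count > 2 or pos + count > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("declared length runs past the end of the key code")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Decode a hex key code into (modulus, exponent).

    The modulus in the output above has no leading zero byte even though its
    top bit is set, so both integers are read as unsigned values.
    """
    raw = bytes.fromhex("".join(text.split()))
    body, end = _read_tlv(raw, 0, 0x30)
    if end != len(raw):
        raise ValueError("trailing bytes after the SEQUENCE")
    modulus, pos = _read_tlv(body, 0, 0x02)
    exponent, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("SEQUENCE length does not match its contents")
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")


def _mpint(value):
    """SSH mpint for a positive integer (leading zero keeps the sign bit clear)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def to_openssh(modulus, exponent):
    """Encode the key as the base64 blob used in authorized_keys."""
    algo = b"ssh-rsa"
    blob = struct.pack(">I", len(algo)) + algo + _mpint(exponent) + _mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def audit_key_code(name, text):
    """Summarise one key code: size, exponent, policy verdict, OpenSSH form."""
    modulus, exponent = parse_key_code(text)
    bits = modulus.bit_length()
    return {
        "name": name,
        "bits": bits,
        "exponent": exponent,
        "weak": bits < MIN_MODULUS_BITS,
        "openssh": to_openssh(modulus, exponent),
    }


if __name__ == "__main__":
    for key_name, code in (("PE1_Host", PE1_HOST_KEY_CODE),
                           ("PE1_Server", PE1_SERVER_KEY_CODE)):
        print(audit_key_code(key_name, code))
    try:
        parse_key_code(MALFORMED_KEY_CODE)
    except ValueError as err:
        print("rejected malformed key code:", err)
```

Run against the sample output on this page, the host key decodes to a 512-bit modulus and the server key to a 768-bit modulus, both below the assumed threshold.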

Step 6 Create an SSH user on the server.

NOTE

The SSH user can be authenticated in four modes, namely password, RSA, password-rsa, and all.

• When the SSH user adopts password or password-rsa authentication, a local user must be configured with the same name.

• When the SSH user adopts RSA, password-rsa, or all authentication, the server should save the RSA public key for the SSH client.

# Configure the VTY user interface.

[CE1] user-interface vty 0 4
[CE1-ui-vty0-4] authentication-mode aaa
[CE1-ui-vty0-4] protocol inbound ssh
[CE1-ui-vty0-4] quit

• Create Client001 for the SSH user.

# Create an SSH user with the name Client001. The authentication mode is password.

[CE1] ssh user client001
[CE1] ssh user client001 authentication-type password

# Set huawei as the password for the SSH user Client001.

[CE1] aaa
[CE1-aaa] local-user client001 password simple huawei
[CE1-aaa] local-user client001 service-type ssh
[CE1-aaa] quit

# Configure the service type of Client001 as STelnet.

[CE1] ssh user client001 service-type stelnet

• Create an SSH user with the name Client002 and RSA authentication, bound to the RSA public key of the SSH client.

[CE1] ssh user client002
[CE1] ssh user client002 authentication-type rsa
[CE1] ssh user client002 assign rsa-key RsaKey001

# Configure the service type of Client002 as SFTP and the authorization directory.

[CE1] ssh user client002 service-type sftp
[CE1] ssh user client002 sftp-directory cfcard:

Step 7 Enable STelnet and SFTP services on the SSH server.

[CE1] stelnet server enable
[CE1] sftp server enable

Step 8 PE logs in to CE as the SSH client.

# For the first login, enable first-time authentication on the SSH client.

[PE1] ssh client first-time enable

# Log in to the SSH server through STelnet.

[PE1] stelnet 10.1.1.1 -vpn-instance vpn1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
Enter password:

Enter the password huawei. The following information is displayed:

Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.
<CE1>

# Log in to the SSH server by SFTP.

[PE1] sftp 10.1.1.1 -vpn-instance vpn1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...

After successful login, the following information is displayed, and then you can continue.

sftp-client>

Step 9 Check the Configuration

Run the display this command in the PE interface view to check that the VPN instance is configured successfully. Run the display ssh server session command on CE to check that the STelnet client or SFTP client is connected to the SSH server successfully.

# View information about SSH server connection.

[PE1] display ssh server session
 Session 1:
  Conn : VTY 0
  Version : 2.0
  State : started
  Username : client001
  Retry : 1
  CTOS Cipher : aes128-cbc
  STOC Cipher : aes128-cbc
  CTOS Hmac : hmac-sha1-96
  STOC Hmac : hmac-sha1-96
  Kex : diffie-hellman-group1-sha1
  Service Type : stelnet
  Authentication Type : password

----End

Configuration Files

• Configuration file of CE1

#
 sysname CE1
#
 rsa peer-public-key RsaKey001
  public-key-code begin
   3067
     0260
       9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
       419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
       9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
     0203
       010001
  public-key-code end
 peer-public-key end
#
interface GigabitEthernet1/0/1
 ip address 10.1.1.1 255.255.255.0
#
bgp 65410
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.2 enable
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
 sftp server enable
 stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type RSA
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory cfcard
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
return

• Configuration file of PE1

#
 sysname PE1
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
 mpls lsr-id 1.1.1.9
 mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
 ip binding vpn-instance vpn1
 ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/1
 link-protocol ppp
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.1.1 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
 ssh client first-time enable
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

• Configuration file of P

#
 sysname P
#
 mpls lsr-id 2.2.2.9
 mpls
#
mpls ldp
#
interface Pos1/0/1
 link-protocol ppp
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Pos1/0/2
 link-protocol ppp
 ip address 200.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 200.1.1.0 0.0.0.255
#
return

• Configuration file of PE2

#
 sysname PE2
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
 mpls lsr-id 3.3.3.9
 mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
 ip binding vpn-instance vpn1
 ip address 10.1.2.2 255.255.255.0
#
interface Pos1/0/1
 link-protocol ppp
 ip address 200.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.2.1 as-number 65420
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 200.1.1.0 0.0.0.255
#
return

• Configuration file of CE2

#
 sysname CE2
#
interface GigabitEthernet1/0/1
 ip address 10.1.2.1 255.255.255.0
#
bgp 65420
 peer 10.1.2.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.2.2 enable
#
return


9 Clock Synchronization Configuration

About This Chapter

Clock synchronization is used to keep differences in clock frequency and phase among network elements within a tolerable range. Effective clock synchronization improves the transmission performance of a network.

9.1 Introduction of Clock Synchronization Configuration
Clock synchronization ensures that digital pulse signals are sent and received in a specific timeslot.

9.2 Setting Basic Configurations for Clock Synchronization
This section describes how to set basic configurations for clock synchronization.

9.3 Configuring an External BITS Clock Source
You can run commands on the router to configure the device to trace different types of external BITS clock sources.

9.4 Configuring a Clock Reference Source Manually or Forcibly
This section describes how to manually or forcibly configure a clock reference source.

9.5 Configuring Clock Protection Switching Based on SSM Levels
The higher its SSM level, the more accurate a clock is. By default, a clock board uses the most accurate clock source available.

9.6 Configuring Clock Protection Switching Based on Priorities
If clock sources are configured with different priorities, then the clock source with the second highest priority becomes effective immediately after the clock source with the highest priority fails.

9.7 Configuring Ethernet Clock Synchronization
Ethernet clock synchronization implements clock synchronization among devices on an IP bearer network.

9.8 Configuration Examples of Clock Synchronization
This section provides examples for configuring clock protection switching and for configuring Ethernet clock synchronization.


9.1 Introduction of Clock Synchronization Configuration

Clock synchronization ensures that digital pulse signals are sent and received in a specific timeslot.

9.1.1 Overview of Clock Synchronization Configuration

Clock synchronization ensures that digital pulse signals are sent and received in a specific timeslot.

Definition

Synchronization must be maintained on Data Communications Networks (DCN). The sending end places a pulse in a specified timeslot at the end of the digital pulse signal. The receiving end extracts the pulse in the specified timeslot, so that normal communications between sending and receiving ends are guaranteed. A clock ensures that signals are sent in a certain timeslot and then received and extracted from that timeslot.

Purpose

Clock synchronization is used to keep differences in clock frequency and phase among network elements on a digital network within a specific range. If the differences exceed the specified range, bit errors and jitter occur and transmission performance is degraded.

9.1.2 Clock Synchronization Supported by the NE80E/40E

Clock Transmission

The clock signals can be transmitted on the Ethernet network, Asynchronous Transfer Mode (ATM) network, and Synchronous Digital Hierarchy (SDH) network.

Tracing BITS Clock

For the Building Integrated Timing Supply System (BITS) clock source, the clock module extracts Synchronization Status Messages (SSMs) from the 2.048 Mbit/s stream signals, or the Main Processing Unit (MPU) sets a preset SSM level for the 2.048 MHz clock signals.

Stratum-3 Clock Source

The device that provides the clock signals for the local device is called the clock source. The local device may have multiple clock sources, including BITS0, BITS1, BITS2, and PTP.

9.2 Setting Basic Configurations for Clock Synchronization

This section describes how to set basic configurations for clock synchronization.


9.2.1 Establishing the Configuration Task

Applicable Environment

Before configuring clock synchronization, you must set basic configurations.

Pre-configuration Tasks

None.

Data Preparation

None.

9.2.2 Setting Basic Configurations for Clock Synchronization

Context

Do as follows on every router on the clock synchronization network.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock ethernet-synchronization enable

The Ethernet clock synchronization function is enabled.

Step 3 Run:
clock source { bits0 | bits1 | bits2 | ptp } synchronization enable

The clock synchronization function is enabled.

Step 4 Run:
interface interface-type interface-number

or

controller { e1 | cpos } controller-number

The interface view is displayed.

Step 5 Run:
clock synchronization enable

The clock synchronization function is enabled on a port.

Step 6 Run:
quit

Return to the system view from the interface view.

Step 7 (Optional) Run:
clock ssm-control { on | off }

SSM control is enabled.

By default, SSM control is enabled.

Step 8 (Optional) Run:
clock run-mode

The running mode of the Ethernet Equipment Clock (EEC) is set. By default, an EEC works in normal mode.

Step 9 (Optional) Run:
clock switch { revertive | non-revertive }

The recovery mode for a clock is configured. By default, a clock is revertive.

Step 10 (Optional) Run:
clock wtr

The Wait to Recovery (WTR) time is configured.

By default, the WTR time is five minutes.

Step 11 (Optional) Run:
clock source-lost holdoff-time

The holdoff time is set for a clock when the timing signal is invalid.

By default, the holdoff time is 1000 ms.

Step 12 (Optional) Run:
clock max-out-ssm

The max out ssm value of the interface clock source is configured.

Step 13 (Optional) Run:
clock freq-deviation-detect enable

Clock frequency offset detection is enabled. By default, clock frequency offset detection is disabled.

----End

9.2.3 Checking the Configuration

Procedure

• Run:
display clock config

Check whether basic configurations for clock synchronization take effect.

----End

9.3 Configuring an External BITS Clock Source

You can run commands on the router to configure the device to trace different types of external BITS clock sources.


9.3.1 Establishing the Configuration Task

Before configuring the router to trace an external BITS clock source, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On a synchronous Ethernet network, if the site where the router is located has a BITS clock, the router must be set to trace the BITS clock. The router serves as the primary clock to provide a clock source for the entire synchronous Ethernet network.

There are four types of BITS clocks: 2.048 MHz, 2.048 Mbit/s, 1 pps, and DCLS. You can use commands to specify the type of external BITS clock source on the clock board.

Pre-configuration Tasks

None.

Data Preparation

None.

9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock

Context

Do as follows on all routers on the clock synchronization network.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock bits output-threshold

The lower threshold (the lowest quality level) of clock signals output by the BITS clock is configured.

----End

9.3.3 Configuring an External Clock Source and Its Signal Type on the router

The router supports four types of signals (2mhz, 2mbps, dcls, and 1pps).

Context

Do as follows on every router on the clock synchronization network.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock bits-type

An external BITS clock source and its signal type are configured.

For information about clock source IDs and signal types, refer to the HUAWEI NetEngine80E/40E Router - Command Reference.

----End

9.3.4 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

• Run the display clock source command to check the status and attributes of the clock reference source.

• Run the display clock config command to check the configuration information of the clock reference source.

----End

9.4 Configuring a Clock Reference Source Manually or Forcibly

This section describes how to manually or forcibly configure a clock reference source.

9.4.1 Establishing the Configuration Task

Applicable Environment

Manually configuring the clock reference source and forcibly configuring the clock reference source differ in the following aspects:

• The clock reference source cannot be configured manually in the following situations:
  – The clock reference source is not enabled with the clock synchronization enable command.
  – The clock reference source is in the Abnormal state.
  – The quality level of the clock reference source is QL-DNU or is not the highest.

• The clock reference source cannot be configured forcibly in the following situations:
  – The clock reference source is not enabled with the clock synchronization enable command.
  – The clock reference source is in the Abnormal state.
  – The QL of the clock reference source is QL-DNU.
  – The clock works in hold mode.

You can switch the mode of configuring the clock reference source from manual to forcible through command lines.

The clock reference source should be specified on the master clock, as shown in Figure 9-1. On Router A, the external clock interface, bits0, on the master clock board is connected to BITS0, one reference clock source; the external clock interface, bits0, on the slave clock board is connected to BITS1, another reference clock source. The output clock signals of BITS0 and BITS1 are the same.

Router A is manually or forcibly configured to trace the clock signal input through bits0. In normal situations, Router A traces the BITS0 clock reference source. When the master clock board fails, a switchover of the clock boards is performed. After that, Router A traces the BITS1 clock reference source.

Figure 9-1 Diagram of configuring the clock reference source manually (figure labels: BITS0, BITS1, CLK-IN, Router A, ETH, Router B, Router C)

Pre-configuration Tasks

Before configuring the clock reference source manually, complete the following tasks: Configuring an External Clock Reference Source and Its Signal Type on the device.

• Configuring an external clock reference source

• Configuring signal type of the external clock reference source

Data Preparation

None.

9.4.2 Configuring a Clock Reference Source

Context

Do as follows on all routers on the clock synchronization network.


Procedure

• Configure a clock reference source manually.

  1. Run:
     system-view

     The system view is displayed.

  2. (Optional) Run:
     clock clear [ 2msync-1 | 2msync-2 ]

     Forcible specification of a clock reference source is cancelled.

     If forcible specification of a clock reference source has been configured, you need to run the clock clear command to cancel the configuration before configuring manual specification of a clock reference source.

  3. Run:
     clock manual { 2msync-1 | 2msync-2 } source interface interface-type interface-number

     or

     clock manual source { bits0 | bits1 | bits2 | ptp | interface interface-type interface-number }

     A clock reference source is manually configured.

• Configure a clock reference source forcibly.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     clock force { 2msync-1 | 2msync-2 } source interface interface-type interface-number

     or

     clock force source { bits0 | bits1 | bits2 | ptp | interface interface-type interface-number }

     A clock reference source is forcibly configured.

----End

9.4.3 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

Step 1 Run:
display clock { config | source }

View the information about the clock source attributes.

----End


9.5 Configuring Clock Protection Switching Based on SSM Levels

The higher its SSM level, the more accurate a clock is. By default, a clock board uses the most accurate clock source available.

9.5.1 Establishing the Configuration Task

Applicable Environment

Synchronous Ethernet signals can be used to carry SSM messages. The system then selects one clock source based on the SSM levels of all the available clock sources. If clock sources are configured with SSM levels, the configured SSM levels are used; if clock sources are not configured with SSM levels, the SSM levels carried in the SSM messages are extracted for use.

The SSM levels include Primary Reference Clock (PRC), primary level SSU (SSU-A), second level SSU (SSU-B), SDH Equipment Clock (SEC), Do Not Use for synchronization (DNU), and UNK in descending order. If the SSM level of a clock source is DNU and SSM is enabled, the clock source is not selected during protection switchover.

The BITS clock has two types of signal. When the BITS clock signal is 2.048 Mbit/s, the clock board extracts the SSM from the signal. When the BITS clock signal is 2.048 MHz, set the SSM level manually.

Pre-configuration Tasks

Before configuring protection switchover of clock sources based on SSM levels, complete the following tasks:

• Configuring an external clock reference source and its signal type on the device.

Data Preparation

To configure protection switchover of clock sources based on SSM levels, you need SSM levels of clock sources.

9.5.2 Configuring the Router to Automatically Select Clock Sources

Context

Do as follows on all routers in the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock clear [ 2msync-1 | 2msync-2 ]

The router is configured to automatically select clock sources.

NOTE

If the clock sources are manually or forcibly specified, you need to run the clock clear command to enable the system to automatically select clock sources. By default, the router automatically selects clock sources.

Step 3 Run:
clock run-mode normal

The Ethernet Equipment Clock (EEC) is configured to work in normal mode.

By default, the EEC works in normal mode.

----End

9.5.3 Enabling SSM

SSM must be enabled for the system to perform clock protection switching based on SSM levels.

Context

Do as follows on every router on the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock ssm-control on

SSM is enabled.

----End

9.5.4 Configuring the SSM Level of the Clock Reference Source

Context

Do as follows on the routers that are connected with external clock sources:

Procedure

• Configuring the SSM level of the clock reference source

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     clock source { bits0 | bits1 | bits2 | ptp } ssm { prc | ssua | ssub | sec | dnu | unk }

     The SSM level of the external clock reference source is configured.

• Configuring the SSM level of the clock reference source on the interface

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     or

     controller { e1 | cpos } controller-number

     The interface view is displayed.

  3. Run:
     clock ssm { dnu | prc | sec | ssua | ssub | unk }

     The SSM level of the clock reference source on the interface is configured.

----End

9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs

Context

Do as follows on the routers that are connected with external BITS clock sources:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source { bits0 | bits1 | bits2 }

The timeslot of the 2.048 Mbit/s BITS clock signal is set to carry SSMs.

----End

9.5.6 Setting the Modes of Extracting SSM Levels

Context

SSM levels can be configured in one of the following modes:

• Forcibly configuring an SSM level

• Extracting the SSM level from the interface

By default, the SSM level is extracted from the interface. If the SSM level is forcibly set, the forcibly-set SSM level takes effect.

Do as follows on all routers in the clock synchronization network:


Procedure

• Forcibly configuring the SSM levels of clock reference sources

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     clock source { bits0 | bits1 | bits2 | ptp } ssm { dnu | prc | sec | ssua | ssub | unk }

     The SSM level of the clock reference source is configured.

     NOTE

     Repeat Step 2 to configure SSM levels for multiple clock reference sources.

  To forcibly configure the SSM level of a clock reference source on the interface, you can first enter the corresponding interface view and run the clock ssm { dnu | prc | sec | ssua | ssub | unk } command. This can achieve the same effect as that of Step 2.

• Extracting the SSM level of the clock reference source from the interface

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     undo clock source { bits0 | bits1 | bits2 | ptp } ssm { dnu | prc | sec | ssua | ssub | unk }

     Forcibly configuring the SSM level of a clock reference source is disabled.

  To extract the SSM level of a clock reference source from the interface, you can first enter the corresponding interface view and run the undo clock ssm command. This can achieve the same effect as that of Step 2.

  NOTE

  The current version only supports extracting the SSM level of a clock reference source from the Ethernet interface, GigabitEthernet interface and CE1 interface.

  To extract the SSM level of a clock reference source from the CE1 interface, you need to configure the frame format as crc4.

----End

9.5.7 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

- Run:

  display clock { config | source }

  View the information about the clock source attributes.

----End


9.6 Configuring Clock Protection Switching Based on Priorities

If clock sources are configured with different priorities, then the clock source with the second highest priority becomes effective immediately after the clock source with the highest priority fails.

9.6.1 Establishing the Configuration Task

Applicable Environment

When you configure protection switchover of clock sources based on priorities, you need to run the command clock ssm-control off to disable SSM.

When there are multiple clock sources, you can set different priorities for them. Normally, the clock uses the clock source with the highest priority. When the clock source with the highest priority is faulty, the clock uses the clock source with the second highest priority. By default, the priority of a clock reference source is not set, which indicates that this clock reference source does not participate in clock source selection.

Pre-configuration Tasks

Before configuring protection switchover of clock sources based on priorities, complete the following tasks:

- Configuring an external clock reference source and its signal type on the device.

Data Preparation

To configure protection switchover of clock sources based on priorities, you need the priorities of different clock sources.

9.6.2 Configuring the Router to Automatically Select Clock Sources

Context

Do as follows on all routers in the clock synchronization network:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

clock clear [ 2msync-1 | 2msync-2 ]

The router is configured to automatically select clock sources.

NOTE

If the clock sources are manually or forcibly specified, you need to run the clock clear [ 2msync-1 | 2msync-2 ] command to enable the system to automatically select clock sources. By default, the router automatically selects clock sources.

Step 3 Run:

clock run-mode normal

The Ethernet Equipment Clock (EEC) is set to work in normal mode.

By default, the EEC works in normal mode.

----End

9.6.3 Disabling SSM

Context

Do as follows on all routers in the clock synchronization network:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

clock ssm-control off

SSM is disabled.

NOTE

When SSM is disabled, the router selects a clock source based on priorities.

----End

9.6.4 Setting Priorities of Clock Reference Sources

Context

Do as follows on all routers in the clock synchronization network.

Procedure

- Setting priorities for the clock reference sources BITS and 1588

  1. Run:

     system-view

     The system view is displayed.

  2. Run:

     clock source { bits0 | bits1 | bits2 | ptp } priority priority-value

     Priorities are set for the clock reference sources BITS and 1588.

     – Repeat the preceding step to configure priorities for multiple clock reference sources.

     – You can set the same priority for multiple clock reference sources. The clock reference source is selected according to the priority. In the case of the same priority, the clock reference source is selected based on the type of the clock reference source and port number.

- Setting the priority of a clock reference source on the interface

  1. Run:

     system-view

     The system view is displayed.

  2. Run:

     interface interface-type interface-number

     or

     controller { e1 | cpos } controller-number

     The interface view is displayed.

  3. Run:

     clock [ 2msync-1 | 2msync-2 ] priority priority-value

     The priority of the clock reference source on the interface is set.

----End

9.6.5 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

Step 1 Run:

display clock { config | source }

View the information about the clock source attributes.

----End

9.7 Configuring Ethernet Clock Synchronization

Ethernet clock synchronization implements clock synchronization among devices on an IP bearer network.

9.7.1 Establishing the Configuration Task

Applicable Environment

As shown in Figure 9-2, IP and Ethernet technology is adopted on the IP bearer network between the Radio Network Controller (RNC) and the Base Transceiver Station (BTS) in wireless service applications. The clock signals sent by the devices on the bearer network are sent to the data communication devices that connect to the BTS after passing through Ethernet clock synchronization. Ethernet clock synchronization ensures reliable quality of clock transmission.

Figure 9-2 Networking diagram of applying Ethernet clock synchronization

[Figure not reproduced. Labels: RNC, BITS, Router A, Router B, Router C, BTS; link types: GE, FE]

Pre-configuration Tasks

Before configuring the Ethernet clock synchronization, complete the following tasks:

- Configuring the parameters of the link layer protocols and assigning IP addresses to the interfaces so that the link layer protocol status of the interfaces is Up.

- Configuring a static route or an Interior Gateway Protocol (IGP) so that there is a reachable IP route between the nodes.

Data Preparation

To configure the Ethernet clock synchronization, you need the following data.

- Slot number, sub-card number, and port number of the Ethernet clock source

9.7.2 Enabling Ethernet Clock Synchronization

Context

NOTE

Ethernet clock signals can be transmitted only after the Ethernet clock synchronization is enabled on all the routers in an IP bearer network.

Do as follows on all routers in the clock synchronization network:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

clock ethernet-synchronization enable

The Ethernet clock synchronization is enabled.

----End

9.7.3 Configuring Ethernet Clock Source

Context

Do as follows on all routers in the clock synchronization network:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

or

controller { e1 | cpos } controller-number

The interface view is displayed.

Step 3 Run:

clock synchronization enable

The Ethernet clock synchronization function is enabled.

Step 4 Run:

clock [ 2msync-1 | 2msync-2 ] priority priority-value

The priority of the clock reference source is configured.

Step 5 Run:

clock ssm { dnu | prc | sec | ssua | ssub | unk }

The SSM level of the clock source is configured.

----End

9.7.4 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

- Run:

  display clock { config | source }

  View information about the attributes of the clock source.

----End

9.8 Configuration Examples of Clock Synchronization

This section provides examples for configuring clock protection switching and for configuring Ethernet clock synchronization.

Follow-up Procedure

NOTE

This document takes interface numbers and link types of the NE40E-X8 as an example. In workingsituations, the actual interface numbers and link types may be different from those used in this document.

9.8.1 Example for Configuring Protection Switchover of Clock Sources

Networking Requirements

As shown in Figure 9-3, there are two BITS clock sources on the network, and the master BITS clock source is used to synchronize the clock of the entire network. If the NEs cannot trace the clock signal from the master BITS clock source, they change to trace the clock signal from the slave BITS clock source. As shown in Figure 9-3, Router A to Router F trace the clock signal from BITS0. The figure shows the direction of clock tracing in normal situations.

Figure 9-3 Networking diagram of configuring clock source tracing

[Figure not reproduced. Labels: BITS 0, BITS 1, Router A to Router F; W-side and E-side interfaces GE1/0/0 and GE2/0/0 with addresses in 10.1.1.x to 50.1.1.x]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the external BITS clock signal types of Router A and Router D.
2. Configure the priorities of all clock sources for the router.

Data Preparation

To complete the configuration, you need the following data:

Table 9-1 Clock sources of all routers and their priorities

Router      Current Clock Source   Available Clock Sources   Priority
Router A    BITS0                  BITS0                     1
Router A    BITS0                  GE1/0/0                   2
Router A    BITS0                  Internal clock            3
Router B    GE1/0/0                GE1/0/0                   1
Router B    GE1/0/0                GE2/0/0                   2
Router B    GE1/0/0                Internal clock            3
Router C    GE2/0/0                GE2/0/0                   1
Router C    GE2/0/0                GE1/0/0                   2
Router C    GE2/0/0                Internal clock            3
Router D    GE1/0/0                GE1/0/0                   1
Router D    GE1/0/0                BITS1                     2
Router D    GE1/0/0                Internal clock            3
Router E    GE1/0/0                GE1/0/0                   1
Router E    GE1/0/0                GE2/0/0                   2
Router E    GE1/0/0                Internal clock            3
Router F    GE2/0/0                GE2/0/0                   1
Router F    GE2/0/0                GE1/0/0                   2
Router F    GE2/0/0                Internal clock            3

Procedure

Step 1 Connect the routers and the BITS clock sources as shown in Figure 9-3.

Step 2 Configure the IP addresses of the interfaces.

The details are not mentioned here.

Step 3 Set the priorities of all clock sources for the router as shown in Figure 9-3.

# Configure Router A

<RouterA> system-view
[RouterA] clock ethernet-synchronization enable
[RouterA] clock source bits0 synchronization enable
[RouterA] clock source bits0 ssm prc
[RouterA] clock source bits0 priority 1
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] clock synchronization enable
[RouterA-GigabitEthernet1/0/0] clock priority 2
[RouterA-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterA-GigabitEthernet2/0/0] clock synchronization enable

# Configure Router B

<RouterB> system-view
[RouterB] clock ethernet-synchronization enable
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] clock synchronization enable
[RouterB-GigabitEthernet1/0/0] clock priority 1
[RouterB-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterB-GigabitEthernet2/0/0] clock synchronization enable
[RouterB-GigabitEthernet2/0/0] clock priority 2

# Configure Router C

<RouterC> system-view
[RouterC] clock ethernet-synchronization enable
[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] clock synchronization enable
[RouterC-GigabitEthernet1/0/0] clock priority 2
[RouterC-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterC-GigabitEthernet2/0/0] clock synchronization enable
[RouterC-GigabitEthernet2/0/0] clock priority 1

# Configure Router D

<RouterD> system-view
[RouterD] clock ethernet-synchronization enable
[RouterD] clock source bits1 synchronization enable
[RouterD] clock source bits1 ssm ssua
[RouterD] clock source bits1 priority 2
[RouterD] interface GigabitEthernet 1/0/0
[RouterD-GigabitEthernet1/0/0] clock synchronization enable
[RouterD-GigabitEthernet1/0/0] clock priority 1
[RouterD-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterD-GigabitEthernet2/0/0] clock synchronization enable

# Configure Router E

<RouterE> system-view
[RouterE] clock ethernet-synchronization enable
[RouterE] interface GigabitEthernet 1/0/0
[RouterE-GigabitEthernet1/0/0] clock synchronization enable
[RouterE-GigabitEthernet1/0/0] clock priority 1
[RouterE-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterE-GigabitEthernet2/0/0] clock synchronization enable
[RouterE-GigabitEthernet2/0/0] clock priority 2

# Configure Router F

<RouterF> system-view
[RouterF] clock ethernet-synchronization enable
[RouterF] interface GigabitEthernet 1/0/0
[RouterF-GigabitEthernet1/0/0] clock synchronization enable
[RouterF-GigabitEthernet1/0/0] clock priority 2
[RouterF-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterF-GigabitEthernet2/0/0] clock synchronization enable
[RouterF-GigabitEthernet2/0/0] clock priority 1

Step 4 Check the clock source attributes of Router A.

<RouterA> display clock source
System trace source State: lock mode into pull-in range
Current system trace source: bits0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Master board
source                  Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                   1  /---/---         prc     dnu      normal
GigabitEthernet1/0/0    2  /---/---         dnu     prc      normal
GigabitEthernet2/0/0    ---/---/---         dnu     prc      normal
Slave board
source                  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                   prc     dnu      normal

Step 5 Check the clock source attributes of the other routers.

# The displayed information about Router B, Router C, Router D, Router E, and Router F is similar. The following uses Router B as an example.

<RouterB> display clock source
System trace source State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Master board
source                  Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
GigabitEthernet1/0/0    1  /---/---         prc     dnu      normal
GigabitEthernet2/0/0    2  /---/---         dnu     prc      normal
Slave board
source                  In-SSM  Out-SSM  State
--------------------------------------------------------------------------

Step 6 Verify the configuration.

When the master BITS clock source fails, all NEs trace the clock signal from the slave BITS clock source.

The following takes Router A as an example.

# Run the following command on Router A.

<RouterA> display clock source
System trace source State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Master board
source                  Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                   1  /---/---         prc     ssua     abnormal
GigabitEthernet1/0/0    2  /---/---         ssua    dnu      normal
GigabitEthernet2/0/0    ---/---/---         ssua    ssua     normal
Slave board
source                  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                   prc     ssua     abnormal

# After the connection between the BITS clock source and Router A is closed, all routers perform clock source tracing switchover.

Figure 9-4 shows the clock source tracing after the connection between the BITS clock source and Router A is closed.

Figure 9-4 Networking diagram of the clock source tracing after the connection between the BITS clock source and Router A is closed

[Figure not reproduced. Labels: BITS 1, Router A to Router F, each with W-side and E-side interfaces]

----End
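The check in Step 6 can be scripted. The following Python code is an added example, not part of the Huawei guide: it parses display clock source output and reports whether the traced source is the highest-priority source in the normal state, using only the priority rule from 9.6 and ignoring SSM levels. The sample outputs are constructed from the values in Steps 4 and 6; the function names and the column layout are assumptions.

```python
import re

# Constructed samples: Router A before and after the BITS0 failure, laid out
# from the values quoted in Steps 4 and 6 (column spacing is an assumption).
NORMAL = """\
<RouterA> display clock source
System trace source State: lock mode into pull-in range
Current system trace source: bits0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Master board
source                  Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                   1  /---/---         prc     dnu      normal
GigabitEthernet1/0/0    2  /---/---         dnu     prc      normal
GigabitEthernet2/0/0    ---/---/---         dnu     prc      normal
Slave board
source                  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                   prc     dnu      normal
"""

FAILED = """\
<RouterA> display clock source
System trace source State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Master board
source                  Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                   1  /---/---         prc     ssua     abnormal
GigabitEthernet1/0/0    2  /---/---         ssua    dnu      normal
GigabitEthernet2/0/0    ---/---/---         ssua    ssua     normal
Slave board
source                  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                   prc     ssua     abnormal
"""

# name, sys priority (digits or dashes), 2m-1, 2m-2, In-SSM, Out-SSM, State
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+|-+)\s*/\s*(\S+?)\s*/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_clock_source(text):
    """Return the traced source and the master-board source rows."""
    current = re.search(r"Current system trace source:\s*(\S+)", text)
    sources, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Master board"):
            section = "master"
        elif stripped.startswith("Slave board"):
            section = "slave"
        elif section == "master":
            m = ROW.match(line)
            if m:
                name, pri, _, _, in_ssm, out_ssm, state = m.groups()
                sources.append({
                    "name": name,
                    # "---" means no priority: the source is not a candidate
                    "priority": int(pri) if pri.isdigit() else None,
                    "in_ssm": in_ssm, "out_ssm": out_ssm, "state": state,
                })
    return {"current": current.group(1) if current else None,
            "sources": sources}


def audit(text):
    """Compare the traced source with the priority rule (1 is preferred,
    as in Table 9-1). Sources sharing the best priority are all accepted,
    because the guide does not spell out the tie-break order."""
    parsed = parse_clock_source(text)
    ranked = [s for s in parsed["sources"] if s["priority"] is not None]
    usable = [s for s in ranked if s["state"] == "normal"]
    best = min((s["priority"] for s in usable), default=None)
    top = min((s["priority"] for s in ranked), default=None)
    expected = sorted(s["name"] for s in usable if s["priority"] == best)
    return {
        "current": parsed["current"],
        "expected": expected,
        "abnormal": [s["name"] for s in parsed["sources"]
                     if s["state"] != "normal"],
        # None when no prioritised source is usable (nothing to compare)
        "consistent": (parsed["current"] in expected) if expected else None,
        # True when the preferred configured source is not the one in use
        "on_backup": top is not None and best != top,
    }


if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("after failure", FAILED)):
        print(label, audit(sample))
```
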

Configuration Files

- Router A Configuration Files

#
 sysname RouterA
#
 clock ethernet-synchronization enable
 clock source bits0 priority 1
 clock source bits0 ssm prc
 clock source bits0 synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock synchronization enable
#
return

- Router B Configuration Files

#
 sysname RouterB
#
 clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
return

- Router C Configuration Files

#
 sysname RouterC
#
 clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
return

- Router D Configuration Files

#
 sysname RouterD
#
 clock ethernet-synchronization enable
 clock source bits1 priority 2
 clock source bits1 ssm ssua
 clock source bits1 synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock synchronization enable
#
return

- Router E Configuration Files

#
 sysname RouterE
#
 clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
return

- Router F Configuration Files

#
 sysname RouterF
#
 clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
return


10 Device Maintenance

About This Chapter

With routine device maintenance, you can detect potential operation threats on devices and then eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.

10.1 Introduction of Device Maintenance
Device maintenance involves replacing boards and monitoring the internal environment.

10.2 Powering off the MPU
To ensure non-stop services, you can power off the slave MPU only. If the device has only one MPU, confirm the action before powering off the MPU.

10.3 Powering off the SFU
When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

10.4 Powering off the NPU
This section describes how to power off the NPU.

10.5 Powering off the LPU
When the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.

10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to bind a valid Global Trotter License (GTL) file to the NPU.

10.7 Switching Between the Operation Modes of the LPUF-10
You can run a command to configure the LPUF-10 to work in either FR or ATM mode.

10.8 Configuring a Working Mode for an LPUF-40 or LPUF-20/21
LPUF-20/21 or LPUF-40 support various service modes, which can be configured using commands.

10.9 Configuring the CMU

10.10 Configuring a Cleaning Cycle for the Air Filter
This section describes the procedure for configuring a cleaning cycle for the air filter.

10.11 Monitoring the Device Status
Monitoring the device status facilitates fault location and cause analysis.

10.12 Board Maintenance
Board Maintenance involves resetting a board and clearing the maximum CPU usage.

10.13 Configuring NAP-based Remote Deployment
Using NAP, you can remotely log in to devices with empty configurations to implement remote deployment.

10.14 Configuration Examples of the Device Maintenance
This section provides examples for powering off different types of boards to describe common device maintenance operations.


10.1 Introduction of Device Maintenance

Device maintenance involves replacing boards and monitoring the internal environment.

10.1.1 Overview of Device Maintenance

Device maintenance involves replacing boards and monitoring the internal environment.

Concept

The stable running of a router depends on mature network planning and routine maintenance. In addition, fast location of hidden hazards is necessary.

The maintenance personnel must check the alarm information in time and deal with the fault properly to keep the device in normal operation and reduce the failure rate. Thus, the system runs in a safe, stable, and reliable environment.

Maintenance Operation

Maintenance such as board replacement and internal environment check ensures the normal operation of the router.

10.1.2 Maintenance Features Supported by the NE80E/40E

The NE80E/40E allows boards to be powered off and allows the operation status to be monitored.

Powering off

You can power on or power off the boards through command lines to perform hot plugging without interrupting the services on the router.

Monitoring

In routine maintenance of the device, you can run the display commands to view the working status of the router. This can help the maintenance personnel quickly locate the fault during the troubleshooting procedure.

10.2 Powering off the MPU

To ensure non-stop services, you can power off the slave MPU only. If the device has only one MPU, confirm the action before powering off the MPU.

10.2.1 Establishing the Configuration Task

Before powering off the MPU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.


Applicable Environment

The two Main Processing Units (MPUs) are in 1:1 backup mode. During operation, one MPU serves as the master MPU and the other as the slave MPU. Remove the MPUs in the following situations:

- Maintenance of the MPU, such as dust removal

- Upgrade of the hardware on the MPUs, such as memory capacity extension

- Failure of the MPU

Pre-configuration Tasks

Before powering off the MPU, complete the following tasks:

- Checking the slot of the MPU to be powered off

- Running the display device command to check the status of the MPU
  If the MPU is the master MPU, perform the master and slave switchover first.

Data Preparation

To power off the MPU, you need the following data.

No.   Data
1     Slot number of the MPU to be powered off

10.2.2 Powering off the Slave MPU

When the MPU is faulty or you need to routinely maintain the MPU, you can power off the MPU.

Context

WARNING

The router cannot work with a single MPU for a long time. If the single MPU fails, the whole system breaks down. After powering off the slave MPU, restore the MPU immediately.

Do as follows on the router to be configured:

Procedure

Step 1 Run:

power off slot slot-id

The slave MPU is powered off.


NOTE

If there is no terminal on the deployment site, you can power off the slave MPU by using the OFL (offline) button. The OFL button is in the upper part of the slave MPU. Press the button for six seconds.

If the OFL indicator is on, it means that the slave MPU is powered off successfully.

----End

10.2.3 Checking the Configuration

After the MPU is powered off, you can run the display device command to check whether the MPU has been powered off.

Context

Run the following commands to check the previous configuration.

Procedure

- Run:

  display device

  Check the registration of the SRU/MPU.

----End

Example

After the power-off operation, run the display device command. If the slave SRU/MPU is in the abnormal state, it means that the operation succeeds. For example:

<HUAWEI> display device
NE80E's Device status:
Slot #    Type    Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present   Registered     Normal     NA
6         LPU     Present   Registered     Normal     NA
9         LPU     Present   Registered     Normal     NA
12        LPU     Present   Registered     Normal     NA
11        LPU     Present   Registered     Normal     NA
16        LPU     Present   Registered     Normal     NA
17        MPU     Present   Unregistered   Abnormal   Slave
18        MPU     Present   NA             Normal     Master
19        SFU     Present   Registered     Normal     NA
20        SFU     Present   Registered     Normal     NA
21        SFU     Present   Registered     Normal     NA
22        SFU     Present   Registered     Normal     NA
23        CLK     Present   Registered     Normal     NA
24        CLK     Present   Registered     Normal     NA
25        PWR     Present   Registered     Normal     NA
26        PWR     Present   Registered     Normal     NA
27        FAN     Present   Registered     Normal     NA
28        FAN     Present   Registered     Normal     NA

10.3 Powering off the SFU

When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

NOTE

SFUs are not supported on the X1 and X2 models of the NE80E/40E.

10.3.1 Establishing the Configuration Task

Before powering off the SFU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

During normal operation of the device, four Switch and Fabric Units (SFUs) work in 3+1 load balancing mode. Remove the SFUs in the following situations:

- Maintenance of the SFU, such as dust removal

- Failure of the SFU and replacement or repair of the SFU

Pre-configuration Tasks

Before powering off the SFU, complete the following tasks:

- Checking the slot of the SFU to be powered off

Data Preparation

To power off the SFU, you need the following data.

No.   Data
1     Slot number of the SFU to be powered off

10.3.2 Powering off the SFU

You can power off the SFU by using a command or pressing the OFL button.

Context

Do as follows on the router to be configured:

Procedure

Step 1 Run:

power off slot slot-id

The SFU is powered off.


NOTE

SFU is not supported on the X1 and X2 models of the NE80E/40E.

If there is no terminal on the deployment site, you can power off the slave SFU by using the OFL button. The OFL button is in the upper part of the slave SFU. Press the button for six seconds. If the OFL indicator is on, it means that powering off the SFU succeeds.

----End

10.3.3 Checking the Configuration

After the SFU is powered off, you can run the display device command to check whether the SFU has been powered off.

Context

Run the following commands to check the previous configuration.

Procedure

Step 1 Run:

display device

Check the registration of the SFU.

----End

Example

After the power-off operation, run the display device command. If the SFU is in the unregistered state, it means that the operation succeeds. For example:

<HUAWEI> display device
NE80E's Device status:
Slot #    Type    Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present   Registered     Normal     NA
6         LPU     Present   Registered     Normal     NA
9         LPU     Present   Registered     Normal     NA
12        LPU     Present   Registered     Normal     NA
11        LPU     Present   Registered     Normal     NA
16        LPU     Present   Registered     Normal     NA
17        MPU     Present   Registered     Normal     Slave
18        MPU     Present   NA             Normal     Master
19        SFU     Present   Unregistered   Abnormal   NA
20        SFU     Present   Registered     Normal     NA
21        SFU     Present   Registered     Normal     NA
22        SFU     Present   Registered     Normal     NA
23        CLK     Present   Registered     Normal     NA
24        CLK     Present   Registered     Normal     NA
25        PWR     Present   Registered     Normal     NA
26        PWR     Present   Registered     Normal     NA
27        FAN     Present   Registered     Normal     NA
28        FAN     Present   Registered     Normal     NA

10.4 Powering off the NPU

This section describes how to power off the NPU.

NOTE

NPUs are only supported on the X1 and X2 models of the NE80E/40E.

10.4.1 Establishing the Configuration Task

Applicable Environment

Remove the NPU in the following situations:

- Maintenance of the NPU, such as dust removal
- Failure of the NPU and replacement or repair of the NPU

Pre-configuration Tasks

Before powering off the NPU, complete the following tasks:

None.

Data Preparation

To power off the NPU, you need the following data.

No. Data

1 Slot number of the NPU to be powered off

10.4.2 Powering off the NPU

Context

Do as follows on the router to be configured:

Procedure

Step 1 Run: power off slot slot-id

The NPU is powered off.

NOTE

If there is no terminal on the deployment site, you can power off the slave NPU by using the OFL button. The OFL button is in the upper part of the slave NPU. Press the button for six seconds. If the OFL indicator is on, it means that powering off the NPU succeeds.

----End

10.4.3 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

Step 1 Run: display device

Check the registration of the NPU.

----End

Example

After the power-off operation, run the display device command. If the NPU is in the unregistered state, it means that the operation succeeds. For example:

<HUAWEI> display device
NE40E-X1's Device status:
Slot #    Type    Online     Register       Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1         NPU     Present    Unregistered   Abnormal    NA
2         PIC     Present    Registered     Normal      NA
3         PIC     Present    Registered     Normal      NA
4         PIC     Present    Registered     Normal      NA
5         PIC     Present    Registered     Normal      NA
7         MPU     Present    NA             Normal      Master
8         PWR     Present    Registered     Normal      NA
10        FAN     Present    Registered     Normal      NA
12        CLK     Present    Registered     Normal      Master

10.5 Powering off the LPU

When the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.

10.5.1 Establishing the Configuration Task

Before powering off the LPU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Power off the LPU in the following situations:

- Maintenance of the LPU, such as dust removal
- Failure of the LPU and replacement of the LPU

Pre-configuration Tasks

Before powering off the LPU, you need to complete the following task:

- Prepare a slave LPU.

Data Preparation

To power off the LPU, you need the following data:

No. Data

1 The slot number of the LPU to be powered off

2 A slave LPU whose board type and Physical Interface Card (PIC) type are the same as those of the LPU to be powered off

10.5.2 Powering off the LPU

You can power off the LPU by using a command or pressing the OFL button.

Context

Do as follows on the router to be configured:

Procedure

Step 1 Run: power off slot slot-id

The LPU is powered off.

NOTE

- To power off the subcards of the FPICs, run the power off slot slot-id card card-id command.
- If there is no terminal on the deployment site, you can power off the LPU by using the OFL button. The OFL button is in the upper part of the LPU. Press the button for six seconds. If the OFL indicator is on, it means that powering off the LPU succeeds.

----End

10.5.3 Checking the Configuration

After the LPU is powered off, you can run the display device command to check whether the LPU has been powered off.

Context

Run the following commands to check the previous configuration.

Procedure

- Run: display device

Check the registration of the LPU.

----End

Example

After the power-off operation, run the display device command. If the LPU is in the unregistered state, it means that the operation succeeds. Take powering off the LPU in slot 5 for example:

<HUAWEI> display device
NE80E's Device status:
Slot #    Type    Online     Register       Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present    Unregistered   Abnormal    NA
6         LPU     Present    Registered     Normal      NA
9         LPU     Present    Registered     Normal      NA
12        LPU     Present    Registered     Normal      NA
11        LPU     Present    Registered     Normal      NA
16        LPU     Present    Registered     Normal      NA
17        MPU     Present    Registered     Normal      Slave
18        MPU     Present    NA             Normal      Master
19        SFU     Present    Registered     Normal      NA
20        SFU     Present    Registered     Normal      NA
21        SFU     Present    Registered     Normal      NA
22        SFU     Present    Registered     Normal      NA
23        CLK     Present    Registered     Normal      NA
24        CLK     Present    Registered     Normal      NA
25        PWR     Present    Registered     Normal      NA
26        PWR     Present    Registered     Normal      NA
27        FAN     Present    Registered     Normal      NA
28        FAN     Present    Registered     Normal      NA
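The post-power-off check used in the SFU, NPU and LPU examples above can be automated. The following Python code is an added example, not part of the Huawei guide: it parses captured display device output and confirms that only the intended slot went to Unregistered. The function names are hypothetical, and the sample output is constructed in the format shown on this page.

```python
import re
from typing import Dict, List, NamedTuple


class Board(NamedTuple):
    slot: int
    type: str
    online: str
    register: str
    status: str
    primary: str


# A data row is six whitespace-separated fields starting with the slot number.
# The prompt, the title line, the column header and the "- - -" rule do not
# start with a digit, so they never match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_display_device(text: str) -> Dict[int, Board]:
    """Turn 'display device' output into {slot: Board}."""
    boards: Dict[int, Board] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            slot = int(m.group(1))
            boards[slot] = Board(slot, *m.groups()[1:])
    return boards


def verify_power_off(before: str, after: str, slot: int) -> List[str]:
    """Compare output captured before and after 'power off slot <slot>'.

    Returns a list of problems. An empty list means the target slot is
    Unregistered and no other board changed its Register or Status value.
    """
    problems: List[str] = []
    old_boards = parse_display_device(before)
    new_boards = parse_display_device(after)

    target = new_boards.get(slot)
    if target is None:
        problems.append(f"slot {slot}: not listed after the operation")
    elif target.register != "Unregistered":
        problems.append(
            f"slot {slot}: Register is {target.register}, expected Unregistered"
        )

    # Any other board that changed state points to the wrong slot having been
    # powered off, or to an unrelated fault during the maintenance window.
    for s, old in sorted(old_boards.items()):
        if s == slot:
            continue
        new = new_boards.get(s)
        if new is None:
            problems.append(f"slot {s}: listed before but missing afterwards")
        elif (new.register, new.status) != (old.register, old.status):
            problems.append(
                f"slot {s}: changed from {old.register}/{old.status} "
                f"to {new.register}/{new.status}"
            )
    return problems


# Constructed sample in the page's format: state after powering off slot 5.
AFTER = """\
<HUAWEI> display device
NE80E's Device status:
Slot #    Type    Online     Register       Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present    Unregistered   Abnormal    NA
6         LPU     Present    Registered     Normal      NA
17        MPU     Present    Registered     Normal      Slave
18        MPU     Present    NA             Normal      Master
19        SFU     Present    Registered     Normal      NA
20        SFU     Present    Registered     Normal      NA
"""

# Constructed "before" capture: the same chassis with slot 5 still registered.
BEFORE = re.sub(r"Unregistered\s+Abnormal", "Registered     Normal", AFTER)

if __name__ == "__main__":
    print(verify_power_off(BEFORE, AFTER, 5))   # intended slot
    for problem in verify_power_off(BEFORE, AFTER, 6):
        print(problem)                          # wrong slot named in the change
```
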

10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s

To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to bind a valid Global Trotter License (GTL) file to the NPU.

NOTE

NPUs are only supported on the X1 and X2 models of the NE80E/40E.

10.6.1 Establishing the Configuration Task

Before restoring the bandwidth of 10GE LAN/WAN interfaces on the NPU to 10 Gbit/s, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Application Environment

By default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.

Pre-configuration Tasks

None.

Data Preparation

To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, you need the following data.

No. Data

1 GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s

10.6.2 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s

To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to bind a valid Global Trotter License (GTL) file to the NPU.

Context

By default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.

Procedure

Step 1 Run: license active file-name

The GTL file for enabling 10GE LAN/WAN interfaces is activated.

Step 2 Run: system-view

The system view is displayed.

Step 3 Run: slot slot-id

The slot view is displayed.

Step 4 Run: active 10ge-interface

The GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s is bound to the NPU.

NOTE

The active 10ge-interface command takes effect only in the view of the slot where the NPU resides.

After binding the GTL file to the NPU, you are advised to run the save command to save the configuration. Otherwise, you need to bind the GTL file again once the device is restarted.

----End

10.6.3 Checking the Configuration

After enabling the 10GE LAN/WAN interface on an NPU, you can check the current PIC cards on the device.

Context

Run the following command to check the previous configuration.

Procedure

Step 1 Run the display device pic-status command to view the current PIC cards on the device.

----End

Example

# View the current PIC cards on the device.

<HUAWEI> display device pic-status
Pic-status information in Chassis 1:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SLOT  PIC  Status      Type                   Port_count  Init_result  Logic down
7     0    Registered  LAN_WAN_2x10GX_V_CARD  2           SUCCESS      SUCCESS
7     6    Registered  ETH_8xGF_B_CARD        8           SUCCESS      SUCCESS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

10.7 Switching Between the Operation Modes of the LPUF-10

You can run a command to configure the LPUF-10 to work in either FR or ATM mode.

NOTE

LPUF-10 is not supported on the X1 and X2 models of the NE80E/40E.

10.7.1 Establishing the Configuration Task

Before configuring the operation mode of the LPUF-10, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Application Environment

When configuring FR or ATM services on the LPUF-10, you need to manually switch the operation mode of the LPUF-10. An LPUF-10 can operate in either of the following modes:

- support-atm mode
  When operating in support-atm mode, the LPUF-10 can support ATM services, instead of FR services.
- support-fr mode
  When operating in support-fr mode, the LPUF-10 can support FR services, instead of ATM services.

Pre-configuration Tasks

Before switching the operation mode of the LPUF-10, complete the following task:

- Identifying the current operation mode of the LPUF-10

Data Preparation

To switch the operation mode of the LPUF-10, you need the following data.

No. Data

1 Slot ID of the LPU and the ID of the subcard whose operation mode needs to be switched

10.7.2 Switching Between the Operation Modes of the LPUF-10

FR and ATM services cannot be configured together on the LPUF-10.

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: slot slot-id

The slot view is displayed.

Step 3 Run: switch lpuf work-mode { support-atm | support-fr }

The operation mode of the LPUF-10 is switched.

----End

Follow-up Procedure

NOTE

- FR and ATM services are mutually exclusive on an LPUF-10.
- When the board is switched to a slot where FR is configured for a POS interface, the operation mode of the LPUF-10 is automatically switched to support-fr. The FR configuration for the POS interface needs to be deleted if ATM services are required to be configured.
- If the operation mode of the board is not set, the board adopts the support-atm mode by default when starting.

10.7.3 Checking the Configuration

After the operation mode of the LPUF-10 is configured, you can check the configuration.

Context

Run the following command to check the previous configuration.

Procedure

Step 1 Run the display work-mode [ slot slot-id ] command to view the operation mode of the board.

----End

Example

# View the current operation mode of the board in slot 1.

<HUAWEI> display work-mode slot 1
NE40E-4's current work-mode on lpuf-10:
Slot    Type       Current-workmode
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1       LPUF-10    SUPPORT-ATM

10.8 Configuring a Working Mode for an LPUF-40 or LPUF-20/21

The LPUF-20/21 and LPUF-40 support various service modes, which can be configured using commands.

NOTE

LPUs are not supported on NE80E/40E-X1s and NE80E/40E-X2s.

10.8.1 Establishing the Configuration Task

Before configuring a service mode for an LPU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

An LPUF-20/21 or LPUF-40 cannot be configured with the 1588v2 ACR server function and NetStream at the same time. Before configuring either the 1588v2 ACR server function or NetStream, configure a corresponding service mode for the LPU.

- netstream-1-mode: When working in this mode, the LPU can be configured with NetStream, but not the 1588v2 ACR server function.
- ptp-1-mode: When working in this mode, the LPU can be configured with the 1588v2 ACR server function, but not NetStream.

The LAN_WAN_10G_TM_CARD, ETH_10XGF_TM_CARD, or ETH_6XGF_TM_CARD subcard can be configured with a service mode to support specified functions. The service modes and supported service types are as follows:

- reassemble-mode: When working in this mode, the subcard supports packet fragmentation and reassembly, but not 1588v2 or the 1588v2 ACR client function.
- ptp-slave-mode: When working in this mode, the subcard supports 1588v2 and the 1588v2 ACR client function, but not packet reassembly.

Pre-configuration Tasks

Before configuring a service mode for an LPU, complete the following task:

- Determining the current service mode of the LPU

Data Preparation

To configure a service mode for an LPU, you need the following data.

No. Data

1 Slot ID of the LPU whose service mode needs to be configured

2 Card ID of the subcard whose service mode needs to be configured

10.8.2 Configuring a Service Mode for an LPUF-20/21 or LPUF-40

An LPUF-20/21 or LPUF-40 can work in different service modes. You can use the command to change the service mode.

Context

An LPUF-20/21 or LPUF-40 cannot be configured with the 1588v2 ACR server function and NetStream at the same time. Before configuring either the 1588v2 ACR server function or NetStream, configure the service mode for the LPU.

The LAN_WAN_10G_TM_CARD or ETH_10XGF_TM_CARD subcard can be configured with a service mode to support specified functions. The service modes and supported service types are as follows. You can configure a service mode for the subcard based on the required service type.

- reassemble-mode: When working in this mode, the subcard supports packet fragmentation and reassembly, but not 1588v2 or the 1588v2 ACR client function.
- ptp-slave-mode: When working in this mode, the subcard supports packet fragmentation, 1588v2, and the 1588v2 ACR client function, but not packet reassembly.

Perform the following steps on the router to configure a service mode for the LPU:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: set service-mode slot { slot-id | all } { netstream-1-mode | ptp-1-mode }

A service mode is configured for the LPU to support the 1588v2 ACR server function or NetStream.

CAUTION

This command can take effect on the LPUF-20/21 or LPUF-40.

Step 3 Run: set service-mode slot { slot-id card card-id | all card all } { reassemble-mode | ptp-slave-mode }

A service mode is configured for a subcard.

The default service mode of a subcard is reassemble-mode.

The service mode of a subcard is irrelevant to the service mode of the LPU where the subcard resides.

CAUTION

This command can take effect on a LAN_WAN_10G_TM_CARD or ETH_10XGF_TM_CARD of the LPUF-21.

To query the type of a subcard, run the display device pic-status command.

----End

10.8.3 Checking the Configuration

After the preceding configuration is complete, you can check the service mode of an LPU or a subcard.

Context

Run the following command to check the configurations:

Procedure

Step 1 Run the display service-mode slot slot-id command to check the service mode of an LPU or a subcard.

----End

Example

# Run the display service-mode command in the system view to display the current working mode of the LPU in slot 1.

[HUAWEI] display service-mode slot 1
The device can work under the following mode:
=======================================================================:
Service-mode        Functions:
NETSTREAM-1-MODE    Support 2047 MPLS OAM sessions.
                    support (2048 3.3ms | 2048 10ms) bfd sessions.
                    can not support 1588 ACR server
                    Support 4095 Mep,4095 Rmep, 4095 Ma EOAM/MPLS-TP sessions.
                    Support Netstream.
PTP-1-MODE          Support 2047 MPLS OAM sessions.
                    support (2048 3.3ms | 2048 10ms) bfd sessions.
                    support 1588 ACR server
                    Support 4095 Mep,4095 Rmep,4095 Ma EOAM/MPLS-TP sessions.
                    Does not Support Netstream.
=======================================================================:
The current service-mode is PTP-1-MODE!

10.9 Configuring the CMU

10.9.1 Establishing the Configuration Task

Before configuring monitor items for a CMU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Application Environment

In remote and unattended equipment rooms, a router that provides the environment monitoring function can monitor the working environment in real time. Upon receiving an input signal indicating that a specific environment variable is abnormal, a router will generate an alarm. Then, the maintenance personnel can take immediate actions to adjust the environment variable, without having to wait on site for environment monitoring. This effectively reduces equipment room maintenance costs for carriers.

The CMU on the AUXQ can be connected to an environment monitoring device. Based on the received input signals from the environment monitoring device, the CMU generates an alarm and reports the alarm to the NMS so that the maintenance personnel can be informed of the problem and come to the site to address the problem.

Pre-configuration Tasks

None.

Data Preparation

None.

10.9.2 Configuring Monitor Items for a CMU

Prerequisite

In remote and unattended equipment rooms, a router that provides the environment monitoring function can monitor the working environment in real time. Upon receiving an input signal indicating that a specific environment variable is abnormal, a router will generate an alarm. Then, the maintenance personnel can take immediate actions to adjust the environment variable, without having to wait on site for environment monitoring. This effectively reduces equipment room maintenance costs for carriers.

The CMU on the AUXQ can be connected to an environment monitoring device. Based on the received input signals from the environment monitoring device, the CMU generates an alarm and reports the alarm to the NMS so that the maintenance personnel can be informed of the problem and come to the site to address the problem.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: cmu-switch switch-id slot slot-id name { voltage | door | humidity | fog | temperature } alarm-mode { 0 | 1 }

Monitor items such as objects to be monitored and an alarm mode are configured for a CMU.

NOTE

A router can monitor four types of environment variables at a time. You need to run the cmu-switch command to configure each environment variable that needs to be monitored and the associated alarm mode.

----End

10.10 Configuring a Cleaning Cycle for the Air Filter

This section describes the procedure for configuring a cleaning cycle for the air filter.

Context

NOTE

The X1 and X2 models of the NE80E/40E do not have an air filter.

10.10.1 Establishing the Configuration Task

Application Environment

You need to clean the air filter after the air filter has been running for a period of time.

Pre-configuration Tasks

None.

Data Preparation

To configure a cleaning cycle for the air filter, you need the following data.

No. Data

1 Cleaning cycle of the air filter

10.10.2 Configuring a Cleaning Cycle for the Air Filter

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dustproof check-timer day days

The cleaning cycle for the air filter is configured.

NOTE

The air filter is a component without memory. All the monitored information is saved on the MPU, which may be inserted, removed, switched, or replaced during usage. Therefore, the monitoring cycle may differ from the set cycle, but this does not affect the monitoring function.

----End

10.10.3 Remonitoring the Cleaning Cycle of the Air Filter

Context

The system generates an alarm about cleaning the air filter. After ensuring that the air filter is cleaned or does not need to be cleaned, you need to clear the alarm and remonitor the cleaning cycle of the air filter.

Do as follows on the router:

Procedure

Step 1 Run: reset dustproof run-time

The alarm is cleared. The cleaning cycle of the air filter is monitored.

----End

10.10.4 Checking the Configuration

Procedure

Step 1 Run: display dustproof

Information about the air filter is displayed.

----End

Example

Run the display dustproof command. You can view information about the cleaning cycle of the air filter, the last time when the air filter was cleaned (referring to the time on the router), how many days the router had been run since the previous cleaning, and how long the alarm about cleaning the air filter exists. For example:

<HUAWEI> display dustproof
Clean Dustproof-Net cycle : 365(days)
Last clean date : 2009/02/07
Up to last clean days : 1(day)
Clean alarm existence days: 0(day)

10.11 Monitoring the Device Status

Monitoring the device status facilitates fault location and cause analysis.

10.11.1 Displaying the System Version Information

The system version information includes the system software version and various hardware versions.

Procedure

Step 1 Run: display version

The system version information is displayed.

In practice, you can run this command in any view to view the system version information. The main information is as follows:

- System software version
- Hardware and software version of the MPUs
- Hardware and software version of the SFUs
- Hardware and software version of the LPUs
- Hardware and software version of the fan and backplane

----End

10.11.2 Displaying Basic Information About the Router

The basic information includes detailed information about the LPU, MPU, SFU, clock board, power supply, and fan module.

Procedure

Step 1 Run: display device [ pic-status | slot-id ]

Basic information about the router is displayed.

In practice, you can run this command in any view to view the basic device information. Enter slot-id to view information about the board in the specified slot.

- Choose a board in a certain slot. You can view basic information about this board.
- Run: display device pic-status

  Basic information about the PIC card of the LPU is displayed.

----End

10.11.3 Displaying the Electronic Label

The electronic label information includes the type of the board/card, bar code, BOM code, English description, production date, supplier name, issuing number, Common Language Equipment Identification (CLEI) code, and sales BOM code.

Procedure

Step 1 Run:

The electronic label is displayed.

In practice, you can run this command in the user view to view information about the electronic label of the boards. Enter slot-id to view information about the electronic label of the board in the specified slot.

NOTE

For the range of numbers of the slots on the router, refer to the HUAWEI NetEngine80E/40E Router Hardware Description.

Information displayed includes the type of the board and PIC card, bar code, BOM, English description, production date, supplier name, issuing number, CLEI (Common Language Equipment Identification) code, and sales BOM.

NOTE

You can back up the electronic label of the specified board by using either of the following methods:

- Run the backup elabel filename [ backplane | slot-id ] command to back up the electronic label to the CF card on the router.
- Run the backup elabel ftp host filename username password [ backplane | slot-id ] command to back up the electronic label to the specified FTP server.

----End

10.11.4 Displaying the Soft Boot Mode

By default, the soft boot mode function is automatically enabled, which shortens the time spent on system restart.

Procedure

Step 1 Run the display system soft-bootmode command to view the soft boot mode.

NOTE

By default, the soft boot mode function is automatically enabled, which shortens the time spent on system startup during reset. You can run the undo set system soft-bootmode command in the system view to disable the boot function as required.

----End

10.11.5 Displaying the Threshold of the Memory Usage

By specifying the slot ID, you can check the memory usage of the MPU or of the LPU.

Procedure

Step 1 Run: display memory-usage [ slave | slot slot-id ]

The memory usage thresholds of the main MPU and LPU are displayed.

NOTE

To set the threshold of the memory usage in the main MPU and LPU, you can run the set memory-usage threshold threshold [ slot slot-id ] command.

----End

10.11.6 Displaying the Threshold of CPU Usage

By specifying the slot ID, you can check the CPU usage of the MPU or of the LPU.

Procedure

Step 1 Run: display cpu-usage entry-number [ offset ] [ verbose ] [ slave | slot slot-id ] [ history ]

The CPU usage thresholds of the main MPU and LPU are displayed.

Select the following parameters as required when you run this command:

- entry-number: specifies the number of entries to be displayed.
- offset: specifies the entry with the offset value before the current entry.
- verbose: displays information about each record.
- history: displays history records of the CPU usage.

NOTE

To set the threshold of the CPU usage on the main MPU and LPU, you can run the set cpu-usage threshold threshold-value [ slave | slot slot-id ] command. Running the [ slave | slot slot-id ] command displays the current configuration of the CPU usage.

----End

10.11.7 Displaying Alarm Information

The alarm information includes the alarm level, alarm date and time, and alarm description.

Procedure

Step 1 Run: display alarm { slot-id | all }

Information about the alarm is displayed.

In practice, you can run this command in any view to view current information about the alarm of the router. Alarm information includes the following:

- Alarm level
- Alarm date and time
- Alarm description

NOTE

After displaying the alarm of the router, you can run the clear alarm index index-id { send-trap | no-trap } command to clear the alarm at the specified index-id.

----End

10.11.8 Displaying the Board Temperature

The temperature information includes the temperature status of each board, temperature alarm thresholds of a board, and actual temperature of a board.

Procedure

Step 1 Run: display temperature [ lpu | mpu | sfu | slot slot-id ]

The temperature of the specified board is displayed.

NOTE

- Run the display temperature [ lpu slot slot-id [ pic pic-id ] ] command to view the temperature of the specified subcard in the specified slot.
- Run the display temperature command to view the temperature of each module of all the boards on the router.

In practice, you can run this command in any view to view the current temperature of the router. The temperature information includes the following:

- Current temperature status of the board
- Threshold to the alarm temperature of the board
- Actual temperature of the board

----End

10.11.9 Displaying the Board Voltage

The voltage information includes the number of voltage sensors on each board, working voltage sensor of each board, working status of the voltage sensor on each board, and voltage alarm thresholds of each board.

Procedure

Step 1 Run: display voltage [ lpu | mpu | sfu | slot slot-id ]

The board voltage is displayed.

NOTE

- Run the display voltage [ lpu | slot slot-id [ pic pic-id ] ] command to view the voltage of the specified subcard on the specified LPU.
- Run the display voltage command to view the voltage of all the boards on the router.

In practice, you can run this command in any view to view the voltage of all the boards. The voltage information includes the following:

- Number of the voltage sensors
- Working voltage sensors
- Working status of the voltage sensors
- Alarm field value of the voltage
- Actual board voltage
- Normal working temperature of the voltage sensors

----End

10.11.10 Displaying the Power Supply Status

The power supply information includes the slot ID of the power supply module, whether the power supply module is registered, working mode of the power supply module, and cable status of the power supply module.

Procedure

Step 1 Run:

display power [ { environment-info | manufacture-info } slot slot-id | slot [ slot-id ] ]

The power supply status is displayed.

You can run this command in any view to view the power supply status. The displayed information includes the following:

l Slot number of the power supply module

l Presence status of the power supply module

l Operation mode of the power supply module

l Cable status of the power supply module

----End

10.11.11 Displaying Current Information About Boards

Context

Do as follows on the router.


Procedure

Step 1 Run:

display board-current [ slot slot-id ]

Current information about a specified board is displayed.

----End

10.11.12 Displaying Environment Information About the Device

You can check environment information about the device that is installed with an environment monitoring board.

Context

Do as follows on the router:

Procedure

Step 1 Run:

display device [ CMU-slotID ]

Environment information about the device is displayed.

This command is supported only on the NE40E-X8 and NE40E-X16 on which the environment monitoring board is installed and runs normally.

----End

10.11.13 Displaying the Fan Status

The fan status information includes the slot ID of the fan module, whether a fan module is registered, registration status, working status of the fan module, and speed mode of the fan module.

Procedure

Step 1 Run:

display fan

The fan status is displayed.

You can run this command in any view to view the fan status. The information includes the following:

l Slot number of the fan module

l Presence and registration status of the fan module

l Working status of the fan module

l Fan speed mode of the fan module

----End

10.11.14 Displaying the Sequence Number of the MPU

Each MPU has a globally unique equipment serial number (ESN).


Procedure

Step 1 Run:

display esn

The sequence number of the MPU is displayed. You can run this command in any view to view the sequence number of the MPU on the router.

----End

10.11.15 Displaying the Next Start Mode of the Board

A board supports two startup modes, namely, fast startup and normal startup.

Procedure

Step 1 Run:

display bootmode-next

The next start mode of the board is displayed.

You can run this command in any view to check the next start mode of each board on the router, including the MPU, LPU, and SFU. The start modes are as follows:

l The fast start mode

l The normal start mode

----End

10.11.16 Displaying the Number of the Registered SFUs By Default

The number of actually used SFUs must be greater than the number of SFUs that the system requires for registration by default; otherwise, an alarm will be generated.

Context

NOTE

SFUs are not supported on the X1 and X2 models of the NE80E/40E.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

display least sfuboard

The number of the registered SFUs that the device requires by default is displayed.

If the number of SFUs actually in use is smaller than the number of SFUs that the device requires for registration, a trap is generated. Run the least sfuboard index-id command to change the number of SFUs that the device requires for registration.

----End

10.12 Board Maintenance

Board maintenance involves resetting a board and clearing the maximum CPU usage.

10.12.1 Resetting a Board

You need to back up important data before resetting a board.

Context

If a board is faulty, you can use the reset slot command to reset the board.

WARNING

Back up important data before resetting the board.

Do as follows on the router:

Procedure

Step 1 Run:

reset slot slot-id [ card card-id ]

The board is reset.

NOTE

l If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset with the CPU being powered on. If a slave MPU exists, this command performs master/slave MPU switchover.

l If the board is still abnormal after being reset, contact the Huawei technical support personnel.

----End

10.12.2 Clearing the Maximum CPU Usage

To recalculate the maximum CPU usage, you can clear the original statistics.

Context

CAUTION

The maximum CPU usage cannot be restored after you clear it. So, confirm the action before you use the command.


To clear the maximum CPU usage statistics, run the following reset command in the system view.

Procedure

Step 1 Run the reset cpu-usage record [ slot slot-id | slave ] command to clear the maximum CPU usage.

----End

10.13 Configuring NAP-based Remote Deployment

Using NAP, you can remotely log in to devices with empty configurations to implement remote deployment.

Context

CAUTION

After the device with an empty configuration is powered on and started, you must make sure that its interfaces connected to the devices on the current network are Up and support NAP; otherwise, the function of NAP-based remote deployment cannot take effect.

10.13.1 Establishing the Configuration Task

Before configuring NAP-based remote deployment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

To deploy devices having empty configurations, you can use NAP to perform remote login to the devices from a device in the current network. In this manner, you can implement remote deployment of devices.

Pre-configuration Tasks

Before configuring NAP-based remote deployment, complete the following tasks:

l Connecting the device having an empty configuration to a device in the current network via a single hop by using network cables

l Ensuring that the interfaces connecting the device with an empty configuration and the device in the current network are both in the Up state, and support NAP.


Data Preparation

NOTE

l If the IP addresses used for establishing NAP connections are to be manually configured, you need to prepare the following data before configuring NAP.

l Conversely, if the IP addresses for establishing NAP connections are to be automatically configured, you can skip this.

To configure NAP-based remote deployment, you need the following data.

No.  Data

1    Two primary IP addresses. The two IP addresses are primary IP addresses for the master interface and the slave interface respectively, and should be on the same network segment.

2    Two secondary IP addresses. The two IP addresses are secondary IP addresses for the master interface and the slave interface respectively, and should be on the same network segment.

10.13.2 Configuring and Starting the NAP Master Interface

You can assign an IP address to the NAP master interface or use the IP address that is automatically allocated by the system to start the NAP master interface.

Context

CAUTION

If commands affecting the IP address configuration or IP packet forwarding (such as configurations and commands related to the VPN, Eth-Trunk, IP-Trunk, or Layer 2 interface) exist on the device where the master interface resides, NAP enabled on the master interface becomes unavailable. You are advised to delete these commands and re-enable NAP.

Do as follows on the router to configure and start the NAP master interface.

In NAP, IP addresses can be allocated either automatically or manually.

Procedure

l Automatic allocation of IP addresses

1. Run:

system-view

The system view is displayed.

2. Run:

interface interface-type interface-number

The interface view is displayed.


3. Run:

nap port master

The NAP master interface is configured and started.

l Manual IP address allocation

Two methods are available for manually allocating IP addresses. You can choose the method according to actual needs.

You can specify the NAP IP address pool. Then, IP addresses are automatically allocated from the IP address pool. To use this method, do as follows.

1. Run:

system-view

The system view is displayed.

2. Run:

nap ip-pool ip-address mask-length

An IP address pool is configured for NAP.

The default IP address pool for establishing NAP connections is 10.167.253.0/24. You can run the nap ip-pool ip-address mask-length command to change the IP address pool.

NOTE

After NAP is started on the master device, the IP address pool cannot be changed.

3. Run:

interface interface-type interface-number

The interface view is displayed.

4. Run:

nap port master

The NAP master interface is configured and started.

You can also specify the NAP IP addresses. To use this method, do as follows.

1. Run:

system-view

The system view is displayed.

2. Run:

interface interface-type interface-number

The interface view is displayed.

3. Run:

nap port master

The NAP master interface is configured and started.

4. Run:

nap local-ip mast-inter-mast-ip sub-ip mast-inter-sub-ip peer-ip sub-inter-mast-ip sub-ip sub-inter-sub-ip mask-length

IP addresses are configured for establishing NAP connections.

The default IP address pool for establishing NAP connections is 10.167.253.0/24.


When configuring IP addresses, ensure that the primary IP addresses of both the master and the slave interfaces are on the same network segment, and that the secondary IP addresses of both the master and the slave interfaces are on the same network segment.

----End

10.13.3 Remote Login

After the neighbor relationship is set up, you can log in to the NAP slave device from the NAP master device.

Context

Using the display nap interface command, you can view the NAP status of an interface to ensure that the interface is assigned a correct IP address.

Do as follows on the router where the NAP master interface is configured.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

nap login neighbor

The login to the slave device from the master device is performed.

l If the slave device has an empty configuration, you can log in to the slave device from the master device without a user name and a password.

l If, however, the slave device is configured with user name(s) and password(s), you must enter the correct user name and password to perform a NAP-based remote login to the slave device.

NOTE

To ensure security for NAP, the slave device having an empty configuration checks the source address of the Telnet login. If the Telnet source address is the NAP address of the master device that is telnetting to the slave device, the slave device allows the master device to directly log in without being authenticated. This is because by default, the user level of the remote login based on the NAP address is the same as the login through the console interface, which enjoys the highest user level. If the Telnet source address is not the NAP address of the master device, the remote login fails.

----End

10.13.4 Disabling NAP on the Slave Device

If the NAP function is no longer required, you need to disable NAP on the slave interface of the slave device.


Context

The master device has logged in to the slave device through Telnet. The NAP function is no longer required, and to ensure security of the network, NAP should be globally disabled on the slave interface of the slave device.

Do as follows on the router that is configured as the NAP slave device.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

undo nap slave enable

NAP is disabled on the slave device.

----End

10.13.5 Checking the Configuration

After configuring NAP-based remote deployment, you can view the NAP status globally or on a specified interface.

Prerequisite

NAP-based remote deployment has been completed.

Procedure

Step 1 Using the display nap status command, you can view the current NAP status.

Step 2 Using the display nap interface [ interface-type interface-number ] command, you can view the NAP status of the specified interface.

----End

Example

Run the display nap status command to view the current NAP status.

<HUAWEI> display nap status
 Slave port status : Enable
 Nap ip-pool/Mask : 12.12.12.0/24

Run the display nap interface interface-type interface-number command to view the NAP status of the specified interface.

<HUAWEI> display nap interface gigabitethernet1/0/1

l If the interface is not assigned an IP address, the following information is displayed.

------------------------------------------------------
 NAP master port list:
 Port count : 2
------------------------------------------------------
 Port property : Master
 Current status : DETECTING
 Local port : GigabitEthernet1/0/1
 Peer port : GigabitEthernet1/0/1
 Local primary ip : NULL
 Peer primary ip : NULL
 Local secondary ip : NULL
 Peer secondary ip : NULL
 Hello time : 3s
 Linked time : 00:00:00
------------------------------------------------------
 Port property : Master
 Current status : DETECTING
 Local port : GigabitEthernet1/0/2
 Peer port : GigabitEthernet1/0/2
 Local primary ip : NULL
 Peer primary ip : NULL
 Local secondary ip : NULL
 Peer secondary ip : NULL
 Hello time : 3s
 Linked time : 00:00:00
------------------------------------------------------

l If the interface is assigned an IP address, the following information is displayed.

------------------------------------------------------
 NAP master port list :
 Port count : 2
------------------------------------------------------
 Port property : Master
 Current status : IP-ASSIGNED
 Local port : GigabitEthernet1/0/1
 Peer port : GigabitEthernet1/0/1
 Local primary ip : 12.12.12.5
 Peer primary ip : 12.12.12.6
 Local secondary ip : 12.12.12.9
 Peer secondary ip : 12.12.12.10
 Hello time : 3s
 Linked time : 00:09:12
------------------------------------------------------
 Port property : Master
 Current status : IP-ASSIGNED
 Local port : GigabitEthernet1/0/2
 Peer port : GigabitEthernet1/0/2
 Local primary ip : 10.10.10.5
 Peer primary ip : 10.10.10.6
 Local secondary ip : 10.10.10.9
 Peer secondary ip : 10.10.10.10
 Hello time : 3s
 Linked time : 00:03:41
------------------------------------------------------
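The checks from 10.13.2 and 10.13.4 applied to the two display commands of 10.13.5, as an added Python example that is not part of the Huawei guide: it parses the output, reports ports that are not IP-ASSIGNED, address pairs that do not share a segment for a given mask length, and a device whose NAP slave function is still enabled. The sample text is constructed, the function names are hypothetical, and the code assumes that "Slave port status : Enable" is the state that undo nap slave enable turns off.

```python
import ipaddress

# Constructed sample output in the layout of the guide's examples. The third port and
# the .14 address are invented; Hello/Linked time lines are trimmed on ports 2 and 3.
SAMPLE_STATUS = """\
Slave port status : Enable
Nap ip-pool/Mask : 10.167.253.0/24
"""

SAMPLE_INTERFACE = """\
------------------------------------------------------
 NAP master port list
 Port count : 3
------------------------------------------------------
 Port property : Master
 Current status : IP-ASSIGNED
 Local port : GigabitEthernet1/0/1
 Peer port : GigabitEthernet1/0/1
 Local primary ip : 12.12.12.5
 Peer primary ip : 12.12.12.6
 Local secondary ip : 12.12.12.9
 Peer secondary ip : 12.12.12.10
 Hello time : 3s
 Linked time : 00:02:33
------------------------------------------------------
 Port property : Master
 Current status : IP-ASSIGNED
 Local port : GigabitEthernet1/0/2
 Peer port : GigabitEthernet1/0/2
 Local primary ip : 10.10.10.5
 Peer primary ip : 10.10.10.6
 Local secondary ip : 10.10.10.9
 Peer secondary ip : 10.10.10.14
------------------------------------------------------
 Port property : Master
 Current status : DETECTING
 Local port : GigabitEthernet1/0/3
 Peer port : GigabitEthernet1/0/3
 Local primary ip : NULL
 Peer primary ip : NULL
 Local secondary ip : NULL
 Peer secondary ip : NULL
------------------------------------------------------
"""

def parse_fields(block):
    """Return {key: value} for every 'key : value' line in a block of CLI output."""
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_nap_ports(text):
    """Split 'display nap interface' output on its dashed rules, one dict per port."""
    ports, block = [], []
    for line in text.splitlines() + ["-" * 10]:  # sentinel rule flushes the last block
        if set(line.strip()) == {"-"}:
            fields = parse_fields("\n".join(block))
            if "Local port" in fields:  # skips the list header block
                ports.append(fields)
            block = []
        else:
            block.append(line)
    return ports

def same_segment(local_ip, peer_ip, mask_length):
    """True if both addresses fall in the same network for the given mask length."""
    try:
        local = ipaddress.ip_interface(f"{local_ip}/{mask_length}")
        peer = ipaddress.ip_interface(f"{peer_ip}/{mask_length}")
    except ValueError:  # e.g. "NULL" while the port is still DETECTING
        return False
    return local.network == peer.network

def audit_nap(status_text, interface_text, mask_length):
    """Return findings for a device's NAP state; mask_length is the one given to nap local-ip."""
    findings = []
    status = parse_fields(status_text)
    # Assumption: "Enable" here is what "undo nap slave enable" (10.13.4) switches off.
    if status.get("Slave port status", "").lower() == "enable":
        findings.append("NAP slave function is enabled; disable it once deployment is done")
    for port in parse_nap_ports(interface_text):
        name = port["Local port"]
        if port.get("Current status") != "IP-ASSIGNED":
            findings.append(f"{name}: status {port.get('Current status')}, no NAP addresses")
            continue
        for kind in ("primary", "secondary"):
            local, peer = port[f"Local {kind} ip"], port[f"Peer {kind} ip"]
            if not same_segment(local, peer, mask_length):
                findings.append(f"{name}: {kind} IPs {local} and {peer} not on one /{mask_length}")
    return findings
```

Calling audit_nap(SAMPLE_STATUS, SAMPLE_INTERFACE, 30) returns three findings: the enabled slave function, the mismatched secondary pair on GigabitEthernet1/0/2, and the DETECTING port.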

10.14 Configuration Examples of the Device Maintenance

This section provides examples for powering off different types of boards to describe common device maintenance operations.

Follow-up Procedure

NOTE

This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.

10.14.1 Example for Powering off the MPU

On a dual-MPU router, if the master MPU malfunctions or you need to routinely maintain the master MPU, you can power off the master MPU after performing the master/slave switchover.


Networking Requirements

After checking the alarm information, you find that the hardware on the master MPU fails. Then, check the hardware by powering off the master MPU.

Configuration Roadmap

The configuration roadmap is as follows:

1. Switch the master MPU to the slave MPU through the master and slave switchover.

2. Power off the slave MPU

Data Preparation

To complete the configuration, you need the following data:

l Slot number of the master MPU

In this example, the slot number of the master MPU is 17.

Procedure

Step 1 Perform the master and slave switchover on the router.

<HUAWEI> system-view
[HUAWEI] slave switchover enable

Before performing the master and slave switchover, make sure that the user interfaces such as AUX, console, and VTY are connected to the two MPUs. Otherwise, the users that use the interfaces connected with the former master MPU automatically quit the login after the master and slave switchover.

[HUAWEI] slave switchover
Caution!!! Confirm switch slave to master[Y/N]?y
Switching............................................................................

Step 2 Power off the MPU in slot 17.

<HUAWEI> power off slot 17
Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y

Step 3 Verify the configuration.

# Check the registration status of the MPU. You can view that the MPU in slot 17 is in the unregistered and abnormal state. It means that powering off the MPU succeeds.

<HUAWEI> display device
NE80E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Unregistered  Abnormal  Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

----End

Configuration Files

None

10.14.2 Example for Powering off the SFU

When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

Networking Requirements

NOTE

SFUs are not supported on the X1 and X2 models of the NE80E/40E.

You need to power off the SFUs before dust removing.

Configuration Roadmap

The configuration roadmap is as follows:

l Power off the SFU.

Data Preparation

To complete the configuration, you need the following data:

l Slot number of the current SFU

In this example, the slot number of the SFU is 19.

Procedure

Step 1 Power off the SFU in slot 19.

<HUAWEI> power off slot 19
Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y

Step 2 Verify the configuration.

# Check the registration status of the SFU in slot 19. You can view that the SFU is in the unregistered and abnormal state. It means that powering off the SFU succeeds.

<HUAWEI> display device
NE80E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Unregistered  Abnormal  NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

----End

Configuration Files

None

10.14.3 Example for Powering off the LPU

When the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.

Networking Requirements

NOTE

LPUs are not supported on the X1 and X2 models of the NE80E/40E.

None

Configuration Roadmap

The configuration roadmap is as follows:

Replace the failed LPU.

Data Preparation

To complete the configuration, you need the following data:

l Slot number of the LPU that needs replacement

In this example, the slot number of the LPU is 5.

l Service part whose PIC card type and board type are the same as that of the LPU to be replaced

Procedure

Step 1 Power off the LPU in slot 5.

<HUAWEI> power off slot 5
Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y

Step 2 Verify the configuration.


# Check the registration status of the LPU in slot 5. You can view that the LPU is in the unregistered and abnormal state. It means that powering off the LPU succeeds.

<HUAWEI> display device
NE80E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Unregistered  Abnormal  NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

----End

Configuration Files

None

10.14.4 Example for Configuring the Operation Mode of the LPUF-10

You can set the working mode of the LPUF-10 to enable the LPUF-10 to support ATM or FR services.

NOTE

LPUF-10 is not supported on the X1 and X2 models of the NE80E/40E.

Networking Requirements

It is required that the FR service be configured for the POS interface on the LPUF-10. If the LPUF-10 operates in support-atm mode, you need to switch the operation mode to support-fr.

Configuration Roadmap

The configuration roadmap is as follows:

1. Check the current operation mode of the LPUF-10.

2. Switch the operation mode of the LPUF-10.

Data Preparation

To complete the configuration, you need the following data:


l Slot number of the LPUF-10, that is, slot 1 in this example

Configuration Procedure

1. Check the operation mode of the LPUF-10 in slot 1. You can find that the LPUF-10 operates in support-atm mode.

<HUAWEI> display work-mode slot 1
NE40E-4's current work-mode on lpuf-10:
Slot  Type     Current-workmode
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1     LPUF-10  SUPPORT-ATM

2. Switch the operation mode of the LPUF-10 to support-fr.

<HUAWEI> system-view
[HUAWEI] slot 1
[HUAWEI-slot-1] switch lpuf work-mode support-fr
Warning: After this operation, ATM cards on this board will be powered off.
Are you sure to switch[Y/N]?y
Now begin to switch the working mode. Please wait.......................
Info: The switch is successful and the current working mode on slot1 is SUPPORT-FR.

3. Verify the configuration.

<HUAWEI> display work-mode slot 1
NE40E-4's current work-mode on lpuf-10:
Slot  Type     Current-workmode
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1     LPUF-10  SUPPORT-FR

You can find that the LPUF-10 in slot 1 operates in support-fr mode.

Configuration Files

None.

10.14.5 Example for Configuring NAP-based Remote Deployment in Automatic Mode

In this example, the temporary neighbor relationship is set up between a router and another router that has the empty configuration to implement remote deployment in automatic mode.

Networking Requirements

As shown in Figure 10-1, the user needs to perform a remote login to Router B from Router A. Router B is the master device, and temporary neighbor relationship is to be set up between Router B and Router C having an empty configuration. Router B and Router C need to be directly connected via a single hop. Both the interfaces connecting Router B and Router C should be in the Up state, and should support NAP.

Figure 10-1 Networking diagram of configuring NAP-based remote deployment

[Figure labels: PC, RouterA, Network, RouterB, RouterC, GE1/0/1]


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a primary IP address and a secondary IP address on Router B.

2. Configure the NAP master interface on Router B.

3. Telnet to Router C from Router B by means of NAP.

Data Preparation

None

Procedure

Step 1 Configuring the NAP master interface

# Do as follows on Router B.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet1/0/1
[RouterB-GigabitEthernet1/0/1] undo shutdown
[RouterB-GigabitEthernet1/0/1] nap port master

Step 2 Logging in to the slave device from the master device.

# Do as follows on Router B.

[RouterB-GigabitEthernet1/0/1] nap login neighbor
Trying 10.167.253.10 ...
Press CTRL+K to abort
Connected to 10.167.253.10 ...

Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
<HUAWEI>

Step 3 Shutting down NAP on the slave device.

# Do as follows on Router C.

<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] undo nap slave enable

----End

Configuration Files

None

10.14.6 Example for Configuring NAP-based Remote Deployment in Static Mode

In this example, the temporary neighbor relationship is set up between the router and the device with the empty configuration and IP addresses are assigned to the router and the device to implement remote deployment in manual mode.


Networking Requirements

As shown in Figure 10-2, the user needs to perform a remote login to Router B from Router A. Router B is the master device, and temporary neighbor relationship is to be set up between Router B and Router C having an empty configuration. Router B and Router C need to be directly connected via a single hop. Both the interfaces connecting Router B and Router C should be in the Up state, and should support NAP.

Figure 10-2 Networking diagram of configuring NAP-based remote deployment

[Figure labels: PC, RouterA, Network, RouterB, RouterC, GE1/0/1]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a NAP master interface on Router B.

2. Configure an IP address for establishing a NAP connection on Router B.

3. Use NAP to log in to Router C from Router B by means of Telnet.

Data Preparation

To complete the configuration, you need the following data:

l Two primary IP addresses. The two IP addresses are primary IP addresses for the master interface and the slave interface respectively, and should be on the same network segment.

l Two secondary IP addresses. The two IP addresses are secondary IP addresses for the master interface and the slave interface respectively, and should be on the same network segment.

Procedure

Step 1 Configure a NAP master interface on Router B

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet1/0/1
[RouterB-GigabitEthernet1/0/1] nap port master

Step 2 Configure an IP address for establishing a NAP connection on Router B

[RouterB-GigabitEthernet1/0/1] nap local-ip 12.12.12.5 sub-ip 12.12.12.9 peer-ip 12.12.12.6 sub-ip 12.12.12.10 30
Are you sure to continue?[Y/N] y

# After the preceding configuration is complete, run the display nap status command on Router B. You can view that NAP has been enabled on Router B. Then, run the display nap interface command. You can view that the primary and secondary IP addresses have been assigned to the master and slave interfaces. For example:

[RouterB-GigabitEthernet1/0/1] display nap status
 Slave port status : Enable
 Nap ip-pool/Mask : 10.167.253.0/24
[RouterB-GigabitEthernet1/0/1] display nap interface
------------------------------------------------------
 NAP master port list
 Port count : 1
------------------------------------------------------
 Port property : Master
 Current status : IP-ASSIGNED
 Local port : GigabitEthernet1/0/1
 Peer port : GigabitEthernet1/0/1
 Local primary ip : 12.12.12.5
 Peer primary ip : 12.12.12.6
 Local secondary ip : 12.12.12.9
 Peer secondary ip : 12.12.12.10
 Hello time : 3s
 Linked time : 00:02:33
------------------------------------------------------

Step 3 Log in to the slave device from the master device.

# Configure Router B.

[RouterB-GigabitEthernet1/0/1] nap login neighbor
Trying 12.12.12.10 ...
Press CTRL+K to abort
Connected to 12.12.12.10 ...

Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.

Step 4 Disable NAP on the slave device.

# Configure Router C.

<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] undo nap slave enable

----End

Configuration Files

None

11 Device Upgrading

About This Chapter

When you need to add new features, optimize existing features, or solve problems in the current version, you can upgrade the device.

11.1 Overview of Device Upgrade

11.2 Upgrade Modes Supported by the NE80E/40E

11.1 Overview of Device Upgrade

A device is upgraded when new features need to be added, existing performance needs to be optimized, or existing problems in the current version need to be solved.

Application Scenario of Device Upgrade

To perform the following actions, you need to upgrade the NE80E/40E:

• Adding new features
• Optimizing the existing performance
• Solving existing problems in the current version

Note

Before upgrading the NE80E/40E, pay attention to the following items:

• When upgrading the NE80E/40E at the site, prepare a spare part for each board.
• Obtain the new system software, the Product Adaptive File (PAF) or license file, and the corresponding documents of the new version from Huawei.
• Back up configuration files, and collect and save service configurations.
• Enable the log function to record all the operations during the upgrade process.
• Check software versions of all modules on each board, including versions of the BootROM, Firmware, and MonitorBus.

11.2 Upgrade Modes Supported by the NE80E/40E

At present, the NE80E/40E can be upgraded by using the command line, a mobile storage device, or BootROM.

Upgrade by Using the Command Line

This mode is applicable for the following situations. For operation details, refer to the "NE80E&40E V600R003C00 Version Upgrade Instructions" of the corresponding system software version.

• The NE80E/40E works properly and uses FTP/TFTP for the upgrade. Other devices can perform remote login to the NE80E/40E.

• The NE80E/40E is upgraded for the first time and has been loaded with the system software package. Other devices can log in to the NE80E/40E through the serial interface to configure the IP address or perform remote login to the NE80E/40E through NAP.

Upgrade by Using a Mobile Storage Device (CF card or USB)

Upgrading the NE80E/40E by using the CF card or USB is mainly used during the engineering stage or troubleshooting process. Before the upgrade, prepare two CF cards or two USBs.

In this mode, the NE80E/40E is upgraded by replacing the CF card on the master and slave MPU/SRU with CF cards containing the system software package or inserting a USB to any USB interface on the MPU/SRU. For operation details, refer to the "Version Upgrade Instructions" of the corresponding system software version.

Upgrade by Using BootROM

This mode is applicable for the following situations. For operation details, refer to the "NE80E&40E V600R003C00 Version Upgrade Instructions" of the corresponding system software version:

• The NE80E/40E is upgraded for the first time, but the system software package of the NE80E/40E does not exist or is incorrect.

• After the NE80E/40E is upgraded and restarted, both the master and slave MPUs/SRUs cannot be registered.

• After the NE80E/40E is upgraded, the master MPU/SRU can be registered but the slave MPUs/SRUs cannot be registered.

• The MPU/SRU is replaced.

• Other devices cannot log in to the NE80E/40E through Telnet.

12 Patch Management

About This Chapter

Patch management includes checking the running patch, loading patch files, and installing patches.

12.1 Introduction of Patch Management
This section describes the basics of the patch.

12.2 Checking the Running of Patch in the System
The system allows only one patch to run. Therefore, confirm that no patch is running before loading a new patch.

12.3 Loading a Patch
Patches can be loaded through FTP, TFTP, or XModem.

12.4 Installing a Patch
To repair the system that has vulnerabilities or defects, you can install a patch on the system. By installing a patch, you can upgrade the system without upgrading the system software.

12.5 (Optional) Unactivating the activating of Patch
If an installed patch does not take effect, you need to deactivate the patch.

12.6 Configuration Examples of the Patch Management
This section describes some Configuration Examples.

12.1 Introduction of Patch Management

This section describes the basics of the patch.

12.1.1 Overview of Patch Management

You can install patches to improve system functions.

Patch Overview

During the operation of the device, the system software sometimes needs to be revised, for example to remove system defects or to add new functions for service requirements. Traditionally, the software was upgraded after the system was shut down. This static upgrade affects the service on the device and does not improve the communication. If a patch is loaded to the system software, the software can be upgraded online without interrupting the operation of the device. This dynamic upgrade does not affect the service and can improve the communication.

Patch Area

In the memory of the Main Processing Unit (MPU) and Line Processing Unit (LPU), a certain space is reserved to save the patch. This space is called the patch area.

To install a patch, first save the patch to the patch area in the memory of the board.

Each patch saved in the patch area is numbered uniquely. Up to 200 patches can be saved to the patch area in the memory of the MPU or LPU.

Patch States

Patch status can be idle, deactive, active, and running. For details, see Table 12-1.

Table 12-1 Patch states

State: No patch (idle)
Description: The patch file is saved to the CF card but not loaded to the patch area in the memory.
States Conversion: When the patch is loaded to the patch area, the patch status is set to deactive.

State: deactive
Description: The patch is loaded to the patch area but disabled.
States Conversion: The patch in the deactive state can be as follows:
• Uninstalled, that is, deleted from the patch area.
• Enabled temporarily and turns to the active state.

State: active
Description: The patch is loaded to the patch area and enabled temporarily. If the board is reset, the active patch on that board turns to the deactive state.
States Conversion: The patch in the active state can be as follows:
• Uninstalled, that is, deleted from the patch area.
• Enabled temporarily and turned into the active state.
• Enabled permanently, and turns to the running state.

State: running
Description: The patch is loaded to the patch area and enabled permanently. If the board is reset, the patch on the board keeps in the running state.
States Conversion: The patch in the running state can be uninstalled and deleted from the patch area.

Figure 12-1 shows the conversion between patch states.

Figure 12-1 Conversion between the statuses of a patch

[Figure: state diagram with the states No patch, Deactivated, Activated and Running, joined by the transitions Load patch, Active patch, Deactive patch, Run patch and Delete patch.]
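The states in Table 12-1 and the transitions in Figure 12-1 can be modelled as a small state machine, which makes explicit what a board reset does to a procedure that stopped before the patch was run. This is an added example, not Huawei code: the class and function names are hypothetical, and the command keys are the first two words of the patch load, patch active, patch deactive, patch run and patch delete commands used later in this chapter.

```python
from enum import Enum


class PatchState(Enum):
    IDLE = "idle"          # file on the CF card, not loaded to the patch area
    DEACTIVE = "deactive"  # loaded to the patch area but disabled
    ACTIVE = "active"      # enabled temporarily
    RUNNING = "running"    # enabled permanently


# (current state, command) -> next state, following Figure 12-1.
TRANSITIONS = {
    (PatchState.IDLE, "patch load"): PatchState.DEACTIVE,
    (PatchState.DEACTIVE, "patch active"): PatchState.ACTIVE,
    (PatchState.DEACTIVE, "patch delete"): PatchState.IDLE,
    (PatchState.ACTIVE, "patch deactive"): PatchState.DEACTIVE,
    (PatchState.ACTIVE, "patch run"): PatchState.RUNNING,
    (PatchState.ACTIVE, "patch delete"): PatchState.IDLE,
    (PatchState.RUNNING, "patch delete"): PatchState.IDLE,
}


class PatchStateError(Exception):
    """Raised when a command is not valid in the current patch state."""


def command_key(command_line):
    """Reduce 'patch load patch.pat all' to the two-word key 'patch load'."""
    return " ".join(command_line.split()[:2])


class BoardPatch:
    """Patch state of one board (hypothetical model, one patch per board)."""

    def __init__(self):
        self.state = PatchState.IDLE

    def apply(self, command_line):
        key = (self.state, command_key(command_line))
        if key not in TRANSITIONS:
            raise PatchStateError(
                f"'{command_line}' is not allowed in state {self.state.value}")
        self.state = TRANSITIONS[key]
        return self.state

    def reset_board(self):
        """Board reset: an active patch falls back to deactive, while the
        idle, deactive and running states are kept."""
        if self.state is PatchState.ACTIVE:
            self.state = PatchState.DEACTIVE
        return self.state


def state_after_reset(command_lines):
    """Replay a change procedure, reset the board, and return the final state.
    Any result other than RUNNING means the fix is not in effect after reset."""
    board = BoardPatch()
    for line in command_lines:
        board.apply(line)
    return board.reset_board()


if __name__ == "__main__":
    full = ["patch load patch.pat all", "patch active all", "patch run all"]
    stopped_early = full[:2]  # procedure ended after activation
    print("full procedure :", state_after_reset(full).value)
    print("stopped early  :", state_after_reset(stopped_early).value)
```

A change record that ends with patch active all therefore leaves the defect fixed only until the next board reset, which is the case to look for when reviewing patch procedures.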

12.1.2 Patches Supported by the NE80E/40E

The NE80E/40E allows patches to be loaded to the system or a certain board.

Patch Functions

Installing patches can improve system functions or fix bugs. By installing a patch, you can upgrade the system without upgrading the system software.

In some special scenarios, you can install patches specific to an MPU or LPU to optimize board functions.

Logic Relationships Between Configuration Tasks

Figure 12-2 shows the logic relationships between the configuration tasks.

Figure 12-2 Logical relationships between configuration tasks

[Figure: flowchart with the steps Run VRP, Normally run, Enable patch temporarily, Bug removed, Disable patch, Unload patch, Resort to technical support for new patch and End, joined by Yes/No branches.]

12.2 Checking the Running of Patch in the System

The system allows only one patch to run. Therefore, confirm that no patch is running before loading a new patch.

12.2.1 Establishing the Configuration Task

Before checking the running patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

The system allows only one patch to run at a time. Therefore, you need to confirm that no patch is running in the current system before installing a patch. If a patch is running, delete the patch before installing the new patch.

Pre-configuration Tasks

Before checking the running of patch in the system, complete the following tasks:

• Ensuring that the router is started normally after power-on
• Ensuring that the router can be logged in to

Data Preparation

None

12.2.2 Checking the Running of Patch in the System

By running the display patch-information command, you can view information about the running patch units, activated patch units, and deactivated patch units.

Context

Do as follows on the router to be upgraded:

Procedure

Step 1 Run:

display patch-information

All the information about the current patch is displayed, including information about the patch units that are running, the patch units that are activated, and the patch units that are deactivated.

----End

Example

<PE> display patch-information
Info: No patch exists.

This indicates that no patch runs in the current system.

NOTE

If there are patches running, you must delete them before loading new patches.

12.2.3 (Optional) Deleting a Patch

The system allows only one patch to run. If there is a running patch, you need to delete it before loading a new patch.

Context

Before installing a patch, you need to delete the running patch.

Do as follows on the router to be upgraded.

Procedure

Step 1 Run:

patch delete all

The running patch is deleted.

----End

12.3 Loading a Patch

Patches can be loaded through FTP, TFTP, or XModem.

12.3.1 Establishing the Configuration Task

Before loading a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Before a patch is installed, it should be uploaded to the root directory of the CF card of the master and slave MPUs. Upload the patch to the root directory of the CF card of the master MPU. Then, copy the patch to the root directory of the CF card of the slave MPU.

The three methods to upload a patch are FTP, TFTP and XModem.

Pre-configuration Tasks

Before loading a patch, complete the following tasks:

• Ensuring that the router is started normally after power-on
• Ensuring that the router can be logged in to

Data Preparation

Before running a patch, you need to obtain a patch that is consistent with the board.

No. Data

1 Uploading a Patch to the Root Directory of the CF Card of the Master MPU

2 Copying a Patch to the Root Directory of the CF Card of the Slave MPU

12.3.2 Loading a Patch

On a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.

Context

Do as follows on the router to be upgraded:

Procedure

Step 1 Upload a patch to the root directory of the CF card of the master MPU.

The router supports the uploading of files through FTP, TFTP and XModem. For more information, see "FTP, TFTP and XModem". Choose an uploading method based on the requirements.

Step 2 Run:

copy source-filename slave#cfcard:/destination-filename

The patch is copied to the root directory of the CF card of the slave MPU.

Step 3 Run:

startup patch file-name

The patch package is specified for the master MPU on the next startup.

Step 4 Run:

startup patch file-name slave-board

The patch package is specified for the slave MPU on the next startup.

----End

12.3.3 Checking the Configuration

After a patch is loaded, you can check patch information.

Context

Run the following commands to check the previous configuration.

Procedure

• Run:

dir cfcard:/

Check the files on the MPU.

• Run:

dir slave#cfcard:/

Check the files on the slave MPU.

• Run:

display startup

Check the patch file used in the next system startup.

----End

Example

After uploading the files, run the dir cfcard:/ and dir slave#cfcard:/ commands. The patch.pat file is contained in the files on the CF card.

For example, check the files on the CF card of the master MPU:

<HUAWEI> dir cfcard:/
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-             64  Nov 15 2006 13:07:44   patchnpstate.dat
    1  -rw-            418  Jul 26 2007 19:52:14   vrpcfg.zip
    2  -rw-          38017  Aug 01 2007 11:02:00   paf.txt
    3  -rw-           2292  Aug 21 2006 15:35:50   vrp.zip
    4  -rw-           7041  Aug 02 2007 11:02:00   license.txt
    5  -rw-      117013076  Jul 13 2007 10:40:44   V600R003C00SPC300.cc
    6  -rw-      134213212  Nov 18 2007 05:30:11   V600R003C00SPC300.cc
    7  -rw-           4041  Nov 02 2007 11:04:00   patch.pat

500192 KB total (347760 KB free)

For example, check the files on the CF card of the slave MPU:

<HUAWEI> dir slave#cfcard:/
Directory of slave#cfcard:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-             64  Nov 15 2006 13:07:44   patchnpstate.dat
    1  -rw-            418  Jul 26 2007 19:52:14   vrpcfg.zip
    2  -rw-          38017  Aug 01 2007 11:02:00   paf.txt
    3  -rw-           2292  Aug 21 2006 15:35:50   vrp.zip
    4  -rw-           7041  Aug 02 2007 11:02:00   license.txt
    5  -rw-      117013076  Jul 13 2007 10:40:44   V600R003C00SPC300.cc
    6  -rw-      134213212  Nov 18 2007 05:30:11   V600R003C00SPC300.cc
    7  -rw-           4041  Nov 02 2007 11:04:00   patch.pat

500192 KB total (343160 KB free)

For example, check the patch file used in the next system startup.

<HUAWEI>display startup
MainBoard:
  Configed startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                 cfcard:/V600R003C00SPC300.cc
  Next startup system software:            cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:        cfcard:/current_cfg.cfg
  Next startup saved-configuration file:   cfcard:/current_cfg.cfg
  Startup paf file:                        cfcard:/paf-V600R003C00SPC300.txt
  Next startup paf file:                   cfcard:/paf-V600R003C00SPC300.txt
  Startup license file:                    cfcard:/license-V600R003C00SPC300.txt
  Next startup license file:               cfcard:/license-V600R003C00SPC300.txt
  Startup patch package:                   Null
  Next startup patch package:              cfcard:/patch.pat

12.4 Installing a Patch

To repair the system that has vulnerabilities or defects, you can install a patch on the system. By installing a patch, you can upgrade the system without upgrading the system software.

12.4.1 Establishing the Configuration Task

Before installing a patch on the system, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

CAUTION

When installing a patch, it is recommended to specify all to install the patch for all boards at one time rather than specify slot to install the patch for boards one by one. In some special scenarios, you must specify slot to install a patch for the master and slave MPUs, and then for all LPUs one by one.

Installing patches can fix system vulnerabilities or correct system defects. By installing a patch, you can upgrade the system without upgrading the system software.

When a patch is uploaded, the system checks whether the patch version is the same as the system version. If the two versions are not the same, the system prompts that the patch uploading fails.

Pre-configuration Tasks

Before installing a patch, upload the patch to the root directory of the CF card of the master and slave MPUs.

Data Preparation

None

12.4.2 Loading a Patch

A patch can be successfully loaded only when the patch version matches the system software version.

Context

Do as follows on the router to be upgraded:

Procedure

Step 1 Run:

patch load file-name all

The patch is loaded.

----End

Follow-up Procedure

When a patch is loaded, the system checks whether the patch version is the same as the system version. If the two versions are not the same, the system prompts that the patch loading fails.

When the patch is loaded successfully, its status is Deactive and remains Deactive after the board is reset.

12.4.3 Activating a Patch

A patch can be activated only when it is correctly loaded and is in the deactivated state.

Context

Do as follows on the router to be upgraded:

Procedure

Step 1 Run:

patch active all

The patch is activated.

----End

Follow-up Procedure

A patch can be activated only when it is correctly loaded and is in the deactivated state. When a patch is activated, it becomes valid immediately. After the board is reset, however, the status of the patch becomes Deactive, and the patch does not remain valid.

12.4.4 Running a Patch

A patch can be run only after it is activated. Running a patch means that the patch is activated permanently.

Context

Do as follows on the router to be upgraded:

Procedure

Step 1 Run:

patch run all

The patch is run.

----End

Follow-up Procedure

A patch can be run only after it is activated. Running a patch means that the patch is activated permanently and the patch remains valid after the board is reset. The status of the patch remains Running.

12.4.5 (Optional) Synchronizing Patches

After patches on the active and standby MPUs are synchronized, the patches on the active and standby MPUs are the same.

Context

Do as follows on the router:

Procedure

Step 1 Enter the user view.

Step 2 Run:

patch configuration-synchronize

The patch is synchronized to the standby MPU.

After patch configurations and patch files are synchronized from the active MPU to the standby MPU, the patch files, patch configurations, and patch status can remain unchanged if the active-standby MPU switchover occurs.

----End

12.4.6 Checking the Configuration

After a patch is installed on the system, you can check the patch status and the patch for the next startup.

Procedure

• Run:

display patch-information

Check the patch state.

----End

Example

After the patch is loaded, run the display patch-information command. The results are as follows:

<HUAWEI> display patch-information

Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat

----------The patch information of slot 3----------
 This slot does not need patch

----------The patch information of slot 4----------
 This slot does not need patch

----------The patch information of slot 6----------
 This slot does not need patch

----------The patch information of slot 33----------
 Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1

----------The patch information of slot 34----------
 Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1
<HUAWEI>display patch-information configure-file

Codes: M(Max patch ID in the board)
-------------------------------------------------------------
 Slot  State         Run  Active  Deactive  NPPatch
-------------------------------------------------------------
 1     registered    -    -       M         deactive
 2     registered    -    -       M         deactive
 3     unregistered  -    -       M         deactive
 4     unregistered  -    -       M         deactive
 5     unregistered  -    -       M         deactive
 6     unregistered  -    -       M         deactive
 7     unregistered  -    -       M         deactive
 8     unregistered  -    -       M         deactive
 9     unregistered  -    -       M         deactive
 10    unregistered  -    -       M         deactive
 11    unregistered  -    -       M         deactive
 12    unregistered  -    -       M         deactive
 13    unregistered  -    -       M         deactive
 14    unregistered  -    -       M         deactive
 15    unregistered  -    -       M         deactive
 16    unregistered  -    -       M         deactive
 17    registered    -    -       M         idle
 18    registered    -    -       M         idle
-------------------------------------------------------
<HUAWEI>display patch-information configure-file next-startup

Codes: M(Max patch ID in the board)
-----------------------------------------
 Slot  Run  Active  Deactive  NPPatch
-----------------------------------------
 1     -    -       M         deactive
 2     -    -       M         deactive
 3     -    -       M         deactive
 4     -    -       M         deactive
 5     -    -       M         deactive
 6     -    -       M         deactive
 7     -    -       M         deactive
 8     -    -       M         deactive
 9     -    -       M         deactive
 10    -    -       M         deactive
 11    -    -       M         deactive
 12    -    -       M         deactive
 13    -    -       M         deactive
 14    -    -       M         deactive
 15    -    -       M         deactive
 16    -    -       M         deactive
 17    -    -       M         idle
 18    -    -       M         idle
--------------------------------------

After the patch is activated, run the display patch-information command. The results are as follows:

<HUAWEI> display patch-information

Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat

----------The patch information of slot 3----------
 This slot does not need patch

----------The patch information of slot 4----------
 This slot does not need patch

----------The patch information of slot 6----------
 This slot does not need patch

----------The patch information of slot 33----------
 Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit : 1 - 1
Deactive Patch Unit :

----------The patch information of slot 34----------
 Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit : 1 - 1
Deactive Patch Unit :
<HUAWEI>display patch-information configure-file

Codes: M(Max patch ID in the board)
-------------------------------------------------------------
 Slot  State         Run  Active  Deactive  NPPatch
-------------------------------------------------------------
 1     registered    -    M       -         active
 2     registered    -    M       -         active
 3     unregistered  -    M       -         active
 4     unregistered  -    M       -         active
 5     unregistered  -    M       -         active
 6     unregistered  -    M       -         active
 7     unregistered  -    M       -         active
 8     unregistered  -    M       -         active
 9     unregistered  -    M       -         active
 10    unregistered  -    M       -         active
 11    unregistered  -    M       -         active
 12    unregistered  -    M       -         active
 13    unregistered  -    M       -         active
 14    unregistered  -    M       -         active
 15    unregistered  -    M       -         active
 16    unregistered  -    M       -         active
 17    registered    -    M       -         idle
 18    registered    -    M       -         idle
-------------------------------------------------------
<HUAWEI>display patch-information configure-file next-startup

Codes: M(Max patch ID in the board)
-----------------------------------------
 Slot  Run  Active  Deactive  NPPatch
-----------------------------------------
 1     -    M       -         active
 2     -    M       -         active
 3     -    M       -         active
 4     -    M       -         active
 5     -    M       -         active
 6     -    M       -         active
 7     -    M       -         active
 8     -    M       -         active
 9     -    M       -         active
 10    -    M       -         active
 11    -    M       -         active
 12    -    M       -         active
 13    -    M       -         active
 14    -    M       -         active
 15    -    M       -         active
 16    -    M       -         active
 17    -    M       -         idle
 18    -    M       -         idle
--------------------------------------

After running the patch, run the display patch-information command. The results are as follows:

<HUAWEI> display patch-information

Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat

----------The patch information of slot 3----------
 This slot does not need patch

----------The patch information of slot 4----------
 This slot does not need patch

----------The patch information of slot 6----------
 This slot does not need patch

----------The patch information of slot 33----------
 Total Patch Unit : 1
Running Patch Unit : 1 - 1
Active Patch Unit :
Deactive Patch Unit :

----------The patch information of slot 34----------
 Total Patch Unit : 1
Running Patch Unit : 1 - 1
Active Patch Unit :
Deactive Patch Unit :
<HUAWEI>display patch-information configure-file

Codes: M(Max patch ID in the board)
-------------------------------------------------------------
 Slot  State         Run  Active  Deactive  NPPatch
-------------------------------------------------------------
 1     registered    M    -       -         run
 2     registered    M    -       -         run
 3     unregistered  M    -       -         run
 4     unregistered  M    -       -         run
 5     unregistered  M    -       -         run
 6     unregistered  M    -       -         run
 7     unregistered  M    -       -         run
 8     unregistered  M    -       -         run
 9     unregistered  M    -       -         run
 10    unregistered  M    -       -         run
 11    unregistered  M    -       -         run
 12    unregistered  M    -       -         run
 13    unregistered  M    -       -         run
 14    unregistered  M    -       -         run
 15    unregistered  M    -       -         run
 16    unregistered  M    -       -         run
 17    registered    M    -       -         idle
 18    registered    M    -       -         idle
-------------------------------------------------------
<HUAWEI>display patch-information configure-file next-startup

Codes: M(Max patch ID in the board)
-----------------------------------------
 Slot  Run  Active  Deactive  NPPatch
-----------------------------------------
 1     M    -       -         run
 2     M    -       -         run
 3     M    -       -         run
 4     M    -       -         run
 5     M    -       -         run
 6     M    -       -         run
 7     M    -       -         run
 8     M    -       -         run
 9     M    -       -         run
 10    M    -       -         run
 11    M    -       -         run
 12    M    -       -         run
 13    M    -       -         run
 14    M    -       -         run
 15    M    -       -         run
 16    M    -       -         run
 17    M    -       -         idle
 18    M    -       -         idle
--------------------------------------
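The check in this section can be automated by parsing captured display patch-information output and flagging every slot whose patch units are not all in the Running state. This is an added example, not Huawei code: the sample text is constructed after the layout of the output above, the function names are hypothetical, and reading "1 - 1" as an inclusive range of patch unit numbers is an assumption.

```python
import re

SLOT_HEADER = re.compile(r"-+The patch information of slot (\d+)-+")
FIELD = re.compile(r"^\s*(Total|Running|Active|Deactive) Patch Unit\s*:\s*(.*)$")
UNIT_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed sample, following the layout of the output in this section.
TEMPLATE = """Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat

----------The patch information of slot 3----------
 This slot does not need patch

----------The patch information of slot 33----------
 Total Patch Unit    : 1
Running Patch Unit  : {run}
Active Patch Unit   : {act}
Deactive Patch Unit : {dea}

----------The patch information of slot 34----------
 Total Patch Unit    : 1
Running Patch Unit  : {run}
Active Patch Unit   : {act}
Deactive Patch Unit : {dea}
"""
AFTER_ACTIVE = TEMPLATE.format(run="", act="1 - 1", dea="")
AFTER_RUN = TEMPLATE.format(run="1 - 1", act="", dea="")


def unit_count(value):
    """Number of patch units in a field value: '' -> 0, '1 - 1' -> 1.
    Assumption: 'a - b' is an inclusive range of patch unit numbers."""
    value = value.strip()
    if not value:
        return 0
    match = UNIT_RANGE.match(value)
    if not match:
        raise ValueError(f"unrecognised patch unit value: {value!r}")
    return int(match.group(2)) - int(match.group(1)) + 1


def parse_patch_information(text):
    """Return {slot: {'needed', 'total', 'running', 'active', 'deactive'}}."""
    slots = {}
    current = None
    for line in text.splitlines():
        header = SLOT_HEADER.search(line)
        if header:
            current = slots.setdefault(int(header.group(1)), {
                "needed": True, "total": 0,
                "running": 0, "active": 0, "deactive": 0})
            continue
        if current is None:
            continue  # lines before the first slot block (version, file name)
        if "does not need patch" in line:
            current["needed"] = False
            continue
        field = FIELD.match(line)
        if field:
            name, value = field.group(1).lower(), field.group(2)
            if name == "total":
                current[name] = int(value) if value.strip() else 0
            else:
                current[name] = unit_count(value)
    return slots


def audit_patch_state(text):
    """Return a list of findings. An empty list means every slot that needs
    the patch has all of its patch units in the Running state."""
    report = parse_patch_information(text)
    patched = {slot: s for slot, s in report.items() if s["needed"]}
    if not patched:
        return ["no slot reports a loaded patch"]
    findings = []
    for slot in sorted(patched):
        s = patched[slot]
        if s["running"] != s["total"]:
            findings.append(
                f"slot {slot}: {s['running']} of {s['total']} patch units "
                f"running (active {s['active']}, deactive {s['deactive']})")
    return findings


if __name__ == "__main__":
    for label, capture in (("after patch active", AFTER_ACTIVE),
                           ("after patch run", AFTER_RUN)):
        print(label, "->", audit_patch_state(capture) or "all units running")
```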

12.5 (Optional) Unactivating the activating of Patch

If an installed patch does not take effect, you need to deactivate the patch.

12.5.1 Establishing the Configuration Task

Before deactivating a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

After a patch is activated, you need to check whether the patch has achieved the expected effect. If the patch does not become valid, you need to deactivate the patch.

A patch can be deactivated only after it is activated.

Pre-configuration Tasks

None

Data Preparation

None

12.5.2 Deactivating a Patch

Deactivating a patch makes an active patch become inactive.

Procedure

Step 1 Run:

patch deactive all

The patch is deactivated.

----End

12.5.3 Checking the Configuration

After a patch is deactivated, you can run the display command to check the patch status.

Procedure

• Run:

display patch-information

Check the patch state.

----End

Example

After the preceding configuration succeeds, run the display patch-information command. The results are as follows:

<HUAWEI> display patch-information

Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat

----------The patch information of slot 3----------
 This slot does not need patch

----------The patch information of slot 4----------
 This slot does not need patch

----------The patch information of slot 6----------
 This slot does not need patch

----------The patch information of slot 33----------
 Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1

----------The patch information of slot 34----------
 Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1

12.6 Configuration Examples of the Patch Management

This section describes some Configuration Examples.

12.6.1 Example for Installing a Patch

When the system has vulnerabilities or defects, you can install a patch to repair the system.

Networking Requirements

As shown in Figure 12-3, an urgent bug occurs in the system software of the Provider Edge (PE) connected to the Internet. Huawei provides the patch file to remove the bug. The patch in this patch file must be installed to remove the bug.

Figure 12-3 Networking diagram of installing a patch

[Figure: network diagram showing the MPLS Core, the PE (GE0/0/0, 10.1.1.1/24), the FTP Server and the PC; the other addresses shown are 10.1.1.2/24 and 10.1.1.3/24.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Save the patch file to the root directory of the CF card on the master and slave MPUs.
2. Load the patch.
3. Activate the patch.
4. Run the patch.

Data Preparation

To complete the configuration, you need the following data:

- File name of the patch: patch.pat
- Path where the patch is saved on the MPU: cfcard:/

Procedure

Step 1 Upload the patch file for the system software.

# Log in to the FTP server.

<PE> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp]

# Configure the binary transmission format and the working directory of the CF card on PE.

[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
% Local directory now cfcard:.

# Load the patch file for the current system software from the remote FTP server.

[ftp] get patch.pat
200 Port command okay.
150 Opening ASCII mode data connection for license.txt.
226 Transfer complete.
FTP: 6309 byte(s) received in 0.188 second(s) 33.55Kbyte(s)/sec.
[ftp] bye
221 Server closing.
<PE>

# Copy the patch file to the CF card on the slave MPU.

<PE> copy cfcard:/patch.pat slave#cfcard:/
Copy cfcard:/patch.pat to slave#cfcard:/patch.pat?[Y/N]:y
100% complete
Info:Copied file cfcard:/ patch.pat to slave#cfcard:/ patch.pat...Done

Step 2 Load the patch.


<PE> patch load patch.pat all

Step 3 Activate the patch.

<PE> patch active all

Step 4 Run the patch.

<PE> patch run all

Step 5 Verify the configuration.

<PE> display patch-information
Patch Package Name :cfcard:/patch.pat
Patch Package Version:V600R003C00SPH001
*************************************************************************
 The hot patch information, as follows:
*************************************************************************
Slot    Type    State      Count
------------------------------------------------------------
7       C       Running    1
*************************************************************************
 The cold patch information, as follows:
*************************************************************************
all slots do not need cold patch

----End

Configuration Files

None
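The Step 5 check can be automated when the same patch is rolled out to many routers. The following Python sketch is an added example, not part of the Huawei guide: it parses a captured display patch-information output in the Step 5 layout and reports any deviation from the expected package name, version and Running state. The sample capture is constructed, only the hot patch table is parsed, and the function names are hypothetical. The state name Active used in testing is an assumption taken from the "Active Patch Unit" label in the earlier output.

```python
import re

# Constructed capture in the layout of the Step 5 output above.
SAMPLE = """\
<PE> display patch-information
Patch Package Name :cfcard:/patch.pat
Patch Package Version:V600R003C00SPH001
*************************************************
 The hot patch information, as follows:
*************************************************
Slot   Type   State     Count
-------------------------------------------------
7      C      Running   1
*************************************************
 The cold patch information, as follows:
*************************************************
all slots do not need cold patch
"""

HEADER = re.compile(r"\s*Patch Package (Name|Version)\s*:\s*(\S+)")
ROW = re.compile(r"\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_patch_info(text):
    """Extract package name, version and hot-patch table rows."""
    info = {"name": None, "version": None, "hot": []}
    in_hot = False
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            info[m.group(1).lower()] = m.group(2)
        elif "patch information" in line:
            # Section banner: rows are collected only under the hot-patch one.
            in_hot = "hot patch" in line
        elif in_hot and (m := ROW.match(line)):
            slot, kind, state, count = m.groups()
            info["hot"].append({"slot": int(slot), "type": kind,
                                "state": state, "count": int(count)})
    return info


def audit(text, expected_name, expected_version):
    """Return a list of findings; an empty list means the check passed."""
    info = parse_patch_info(text)
    findings = []
    if info["name"] != expected_name:
        findings.append(f"package name is {info['name']!r}, expected {expected_name!r}")
    if info["version"] != expected_version:
        findings.append(f"package version is {info['version']!r}, expected {expected_version!r}")
    if not info["hot"]:
        findings.append("no hot patch units reported")
    for row in info["hot"]:
        # A state other than Running means "patch run all" has not taken effect.
        if row["state"] != "Running":
            findings.append(f"slot {row['slot']}: patch state is {row['state']}, not Running")
    return findings
```

An empty result from audit(SAMPLE, "cfcard:/patch.pat", "V600R003C00SPH001") corresponds to the successful output shown in Step 5.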


A Glossary

This appendix collates frequently used terms in this document.

A

Accounting A network security service that records the user's access to the network.

Agent A process that is used in all managed devices. It receives request packets from the NM Station and performs the Read or Write operation on managed variables according to packet types and generates response packets and sends them to the NM Station.

AH Authentication Header. A security protocol that provides data authentication and integrity for IP packets. AH is used in the transmission mode and in the tunneling mode.

ASSP Analogue Sensor Signal Processes. An error tolerance protocol that provides the interface backup in the multiple access, multicast and broadcast in LAN (such as Ethernet).

Authentication A method used to prove user identity.

Authorization A method used to prove identity of users to use the service.

B

Backup center A mechanism in which the interfaces on a device back up each other and trace the status of the interface. If an interface is Down, the backup center provides a backup interface to undertake the service.

BFD Bidirectional Forwarding Detection. A unified detection mechanism that is used to detect and monitor the link or IP routes forwarding at a fast pace.

Black list A filtering mode that is used to filter the packet according to the source IP address. Compared with the ACL, the black list can filter the packet at a high speed because its matching region is simple. It can shield the packet from the specified IP address.


C

CLI Command Line Interface. An interface that allows the user to interact with the operating system. Users can configure and manage the NE80E/40E by entering commands through the CLI.

Congestion avoidance A flow control mechanism by which the network overload is relieved by adjusting the network traffic. When the congestion occurs and becomes worse, the packet is discarded by monitoring the network resource.

Congestion management A flow control measure to solve the problem of network resource competition. When the network congestion occurs, it places the packet into the queue for buffer and determines the order of forwarding the packet.

Command line level The priority of the system command that is divided into 4 levels. Users of a level can run the command only of the same or lower level.

E

Ethernet A baseband LAN specification created by Xerox and developed by Xerox, Intel, and Digital Equipment Corporation (DEC). This specification is similar to IEEE 802.3.

Ethernet_II An encapsulation format of the Ethernet frame. Ethernet_II that contains a 16-bit protocol type field is the standard ARPA Ethernet Version 2.0 encapsulation.

Ethernet_SNAP An encapsulation format of the Ethernet frame. The frame format complies with RFC 1042 and enables the transmission of the Ethernet frame on the IEEE 802.2 media.

F

FIFO First In First Out. A queuing scheme in which the first data into the network is also the first data out of the network.

File system A method in which files and directories in the storage devices are managed, such as creating a file system, creating, deleting, modifying and renaming a file or directory or displaying the contents of the file.

FTP File Transfer Protocol. An application protocol in the TCP/IP stack, used for transferring files between remote hosts. FTP is implemented based on the file system.

H


HGMPv2 Huawei Group Management Protocol Version 2. A protocol with which the discovery, topology collection, centralized management and remote maintenance are implemented on Layer 2 devices of a cluster that are connected with the router.

I

Information center The information hinge in the MA5200G that can classify and filter the output information.

Interface mirroring A method of copying the packet of the mirrored interface to the other mirroring interfaces to forward the packet.

IPv6 Internet Protocol Version 6. Replacement for the current version of IP (version 4) designed by the IETF. It is the second generation standard protocol of the internet layer and it is also called IPng (next generation). The length of the IP address in IPv6 is 128 bits and the length of the IP address in IPv4 is 32 bits.

IP negotiated An attribute of the interface. When the user accesses the Internet through the ISP, the IP address is usually allocated by the peer server. The PPP packet must be encapsulated and the IP address negotiated attribute must be configured on the interface so that the local interface accepts the IP address allocated by the peer end through the PPP negotiation.

IP unnumbered A mechanism in which the interface that is not configured with an IP address can borrow the IP address of the interface that is configured with an IP address to save the IP address resource.

ISATAP tunnel Intra-site Automatic Tunnel Addressing Protocol. A protocol that is used for the IPv4/IPv6 host in the IPv4 network to access the IPv6 network. The ISATAP tunnel can be established between the ISATAP hosts or between the ISATAP host and the ISATAP router.

ISIS-TE Traffic engineering of IS-IS. (For the information of IS-IS, refer to )

L

LAN interface Local Area Network interface. Often an Ethernet interface through which the router can exchange data with the network device in a LAN.

License Permission of some features that dynamically control the product.

Logical interface A configured interface that can exchange data but does not exist physically. A logical interface can be a sub-interface, virtual-template interface, virtual Ethernet interface, Loopback interface, Null interface and Tunnel interface.


M

MIB Management Information Base. A database of variables of the monitored network device. It can uniquely define a managed object.

Modem Modulator-demodulator. Device that converts digital and analog signals.

Multicast A process of transmitting packets of data from one source to many destinations. The destination address of the multicast packet uses Class D address, that is, the IP address ranges from 224.0.0.0 to 239.255.255.255. Each multicast address represents a multicast group rather than a host.

N

NDP Neighbor Discovery Protocol. A protocol that is used to discover the information of the neighboring Huawei device that is connected with the local device.

NMS Network Management System. A system that sends various query packets and receives the response packet and trap packet from the managed devices and displays all the information.

NTDP A protocol that is used to collect the information of the adjacency and the backup switch of each device in the network.

NTP Network Time Protocol. An application protocol that is used to synchronize the distributed server and the client side.

O

OSPF-TE Traffic engineering of OSPF. (For the information of OSPF, refer to )

P

Policy-based routing A routing scheme that forwards packets to specific interfaces based on user-configured policies.

R

Regular expression When a lot of information is output, you can filter the unnecessary contents out with regular expressions and display the necessary contents.

RMON Remote monitoring. An MIB agent specification defined by the IETF that defines functions for the remote monitoring of the data flow of a network segment or the whole network.


router A device on the network layer that selects routes in the network. The router selects the optimal route according to the destination address of the received packet through a network and forwards the packet to the next router. The last router is responsible for sending the packet to the destination host.

RRPP Rapid Ring Protection Protocol. A protocol that is applied on the data link layer. When the Ethernet ring is complete, it can prevent the broadcast storm caused by the data loop. When a link is disconnected on an Ethernet ring, it can rapidly restore the communication link between the nodes on the ring network.

RSVP-TE Traffic engineering of RSVP. (For the information of RSVP, refer to )

S

Service tracing A method of service debugging, diagnosis and error detection that is mainly used for service personnel to locate the fault in user access. The service tracing can output the status change and the result of the protocol processing of the specified user during the access to the terminal or the server for the reference and analysis of the service personnel.

SSH Secure Shell. A protocol that provides a secure connection to a router through a TCP application.

Static ARP A protocol that binds some IP addresses to a specified gateway. The packet of these IP addresses must be forwarded through this gateway.

System environment Basic parameters for running the MA5200G such as host name, language mode and system time. After configuration, the system environment can meet the requirements of the actual environment.

T

Telnet An application protocol of the TCP/IP stack that provides virtual terminal services for a wide variety of remote systems.

Terminal A device that is connected with other devices through the serial port. The keyboard and the display have no disk drives.

Traffic policing A process used to measure the actual traffic flow across a given connection and compare it to the total admissible traffic flow for that connection. When the traffic exceeds the flow that is agreed upon, some restrictions or penalties are adopted to protect the interest and the network resource of the operator.

Traffic shaping A flow control measure to shape the flow rate. It is often used to control the flow in regular amounts to ensure that the traffic is within the traffic stipulated for the downstream router and prevents unnecessary discard and congestion.


Tunnel Secure communication path between two peers in the VPN that protects the internal information of the VPN from the interruption.

V

VPN Virtual Private Network. A new technology developed with the Internet to provide an apparent single private network over a public network. "Virtual" means the network is a logical network.

VRP Versatile Routing Platform. A versatile routing operating system platform developed for all data communication products of Huawei. With the IP service as its core, the NE80E/40E adopts the componentized architecture. The NE80E/40E realizes rich functions and provides tailorability and scalability based on applications.

VRRP Virtual Router Redundancy Protocol. An error tolerant protocol defined in RFC 2338. It forms a backup group for a group of routers in a LAN that functions as a virtual router.

VTY Virtual type terminal. A terminal line that is used to access a router through Telnet.

W

X

X.25 A protocol applied on the data link layer that defines how connections between DTE and DCE are maintained for remote terminal access and computer communications in PDNs.

XModem A transmission protocol in the format of the binary code.

XOT X.25 over TCP. A protocol that implements the interconnection between two X.25 networks through the TCP packet bearing X.25 frames.


B Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.

Numerics

3DES Triple Data Encryption Standard

A

AAA Authentication, Authorization and Accounting

ACL Access Control List

ARP Address Resolution Protocol

AES Advanced Encryption Standard

ASPF Application Specific Packet Filter

AUX Auxiliary port

B

BGP Border Gateway Protocol

C

CBQ Class-based Queue

CHAP Challenge Handshake Authentication Protocol

CQ Custom Queuing

CR-LDP Constraint-based Routing LDP

D

DES Data Encryption Standard


DHCP Dynamic Host Configuration Protocol

DNS Domain Name System

E

ESP Encapsulating Security Payload

F

FR Frame Relay

G

GRE Generic Routing Encapsulation

H

HDLC High Level Data Link Control

I

IETF Internet Engineering Task Force

IKE Internet Key Exchange

IPSec IP Security

IS-IS Intermediate System-to-Intermediate System intra-domain routing information exchange protocol

ITU-T International Telecommunication Union Telecommunications Standardization Sector

L

L2TP Layer Two Tunneling Protocol

LAPB Link Access Procedure Balanced

LDP Label Distribution Protocol

M

MAC Medium Access Control

MBGP Multiprotocol Extensions for BGP-4

MFR Multiple Frame Relay


MP MultiLink PPP

MPLS Multiprotocol Label Switching

MSDP Multicast Source Discovery Protocol

MTU Maximum Transmission Unit

N

NAT Network Address Translation

NAT-PT Network Address Translation - Protocol Translation

O

OAM Operation, Administration and Maintenance

OSPF Open Shortest Path First

P

PAP Password Authentication Protocol

PE Provider Edge

Ping Ping (Packet Internet Groper)

PPP Point-to-Point Protocol

PPPoA PPP over AAL5

PPPoE Point-to-Point Protocol over Ethernet

PPPoEoA PPPoE on AAL5

PQ Priority Queuing

Q

QoS Quality of Service

R

RADIUS Remote Authentication Dial In User Service

RIP Routing Information Protocol

RPR Resilient Packet Ring

RSVP Resource Reservation Protocol


S

SFTP SSH File Transfer Protocol

T

TE Traffic Engineering

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

V

VPN Virtual Private Network

VRP Versatile Routing Platform

VRRP Virtual Router Redundancy Protocol

W

WAN Wide Area Network

WFQ Weighted Fair Queuing

WRED Weighted Random Early Detection

X

XOT X.25 Over TCP
