Huawei AR1200-S Series Enterprise Routers V200R001C01 Configuration Guide - Basic Configuration Issue 02 Date 2011-10-15 HUAWEI TECHNOLOGIES CO., LTD.

Upload: joel-flores

Post on 30-Oct-2015


7/15/2019 AR1200-Basic-Config-Guide.pd

http://slidepdf.com/reader/full/ar1200-basic-config-guidepd 1/208

Huawei AR1200-S Series Enterprise Routers

V200R001C01

Configuration Guide - Basic Configuration

Issue 02

Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.


 

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

 

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

 All other trademarks and trade names mentioned in this document are the property of their respective holders.

 

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

 

Huawei Technologies Co., Ltd.

 Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2011-10-15) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.


About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the Basic configuration supported by the AR1200-S device.

This document describes how to configure the Basic configuration.

This document is intended for:

• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol     Description
DANGER     Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP        Indicates a tip that may help you solve a problem or save time.
NOTE       Provides additional information to emphasize or supplement important points of the main text.

 


Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is comments.

 

Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on devices.

Change History

Changes between document issues are cumulative. Therefore, the latest document version contains all updates made to previous versions.

Changes in Issue 02 (2011-10-15)

Based on issue 01 (2011-08-15), the document is updated as follows:

The following information is modified:

• 8.8.4 Example for Connecting the SFTP Client to the SSH Server
• 9.3.3 Downloading Resource Files

Changes in Issue 01 (2011-08-15)

Initial commercial release.


Contents

About This Document
1 Logging In to the System for the First Time
  1.1 Introduction
  1.2 Logging In to the Device Through the Console Port or Mini USB Port
    1.2.1 Establishing the Configuration Task
    1.2.2 Establishing the Physical Connection
    1.2.3 Logging in to the router
2 CLI Overview
  2.1 CLI Introduction
    2.1.1 Command Line Interface
    2.1.2 Command Levels
    2.1.3 Command Line Views
  2.2 Online Help
    2.2.1 Full Help
    2.2.2 Partial Help
    2.2.3 Error Messages of the Command Line Interface
  2.3 CLI Features
    2.3.1 Editing
    2.3.2 Displaying
    2.3.3 Regular Expressions
    2.3.4 Previously-Used Commands
  2.4 Shortcut Keys
    2.4.1 Classifying Shortcut Keys
    2.4.2 Defining Shortcut Keys
    2.4.3 Use of Shortcut Keys
  2.5 Configuration Examples
    2.5.1 Example for Using Tab
    2.5.2 Example for Using Shortcut Keys
3 Basic Configuration
  3.1 Configuring the Basic System Environment
    3.1.1 Establishing the Configuration Task
    3.1.2 Configuring the Equipment Name


    3.1.3 Setting the System Clock
    3.1.4 Configuring a Header
    3.1.5 Configuring the Undo Command to Match in the Previous View Automatically
  3.2 Displaying System Status Messages
    3.2.1 Displaying System Configuration
    3.2.2 Displaying System Status
    3.2.3 Collecting System Diagnostic Information
4 Configuring User Interface
  4.1 User Interface Overview
  4.2 Configuring the Console User Interface
    4.2.1 Establishing the Configuration Task
    4.2.2 Setting Physical Attributes of Console User Interface
    4.2.3 Setting Terminal Attributes of Console User Interface
    4.2.4 Configuring User Priority of Console User Interface
    4.2.5 Configuring the User Authentication Mode of the Console User Interface
    4.2.6 Checking the Configuration
  4.3 Configuring VTY User Interface
    4.3.1 Establishing the Configuration Task
    4.3.2 Configuring Maximum VTY User Interfaces
    4.3.3 (Optional) Setting Limit on Incoming and Outgoing Calls of VTY User Interfaces
    4.3.4 Setting Terminal Attributes of the VTY User Interface
    4.3.5 Setting User Priority of VTY User Interface
    4.3.6 Setting User Authentication Mode of the VTY User Interface
    4.3.7 Checking the Configuration
  4.4 Configuring a TTY User Interface
    4.4.1 Establishing the Configuration Task
    4.4.2 Setting Physical Attributes of a TTY User Interface
    4.4.3 Setting Terminal Attributes of TTY User Interface
    4.4.4 Configuring User Priority of TTY User Interface
    4.4.5 Configuring the Authentication Mode on a TTY User Interface
    4.4.6 Checking the Configuration
  4.5 Configuration Examples
    4.5.1 Example for Configuring Console User Interface
    4.5.2 Example for Configuring VTY User Interface
    4.5.3 Example for Configuring TTY User Interface
5 Configuring User Login
  5.1 Overview of User Login
  5.2 Logging in to the Devices Through the Console Port
    5.2.1 Establishing the Configuration Task
    5.2.2 Configuring Console User Interface
    5.2.3 Logging in to the router Through a Console Port
    5.2.4 Checking the Configuration


  5.3 Logging in to the Devices by Using Telnet
    5.3.1 Establishing the Configuration Task
    5.3.2 Configuring VTY User Interface
    5.3.3 (Optional) Configuring Local Telnet Users
    5.3.4 Enabling the Telnet Service
    5.3.5 Logging in to the router by Using Telnet
    5.3.6 Checking the Configuration
  5.4 Logging in to the Devices by Using STelnet
    5.4.1 Establishing the Configuration Task
    5.4.2 Configuring VTY User Interface
    5.4.3 Configuring SSH for the VTY User Interface
    5.4.4 Configuring an SSH User and Specifying STelnet as One of Service Types
    5.4.5 Enabling the STelnet Server Function
    5.4.6 (Optional) Configuring the STelnet Server Parameters
    5.4.7 Logging in to the router by Using STelnet
    5.4.8 Checking the Configuration
  5.5 Common Operations After Login
    5.5.1 Establishing the Configuration Task
    5.5.2 Switching User Levels
    5.5.3 Locking User Interfaces
    5.5.4 Sending Messages to Other User Interfaces
    5.5.5 Displaying Logged-in Users
  5.6 Configuration Examples
    5.6.1 Example for Configuring User Login Through a Console Port
    5.6.2 Example for Logging In by Telnet
    5.6.3 Example for Configuring User Login by Using STelnet
6 Managing File System
  6.1 File System Overview
    6.1.1 File System
    6.1.2 Methods of File Management
  6.2 Performing File Operations by Means of the File System
    6.2.1 Establishing the Configuration Task
    6.2.2 Managing Storage Devices
    6.2.3 Managing the Directory
    6.2.4 Managing Files
  6.3 Performing File Operations by Means of FTP
    6.3.1 Establishing the Configuration Task
    6.3.2 Configuring a Local FTP User
    6.3.3 (Optional) Specifying a Port Number for the FTP Server
    6.3.4 Enabling the FTP Server
    6.3.5 (Optional) Configuring the FTP Server Parameters
    6.3.6 (Optional) Configuring an FTP ACL


    6.3.7 Accessing the System by Using FTP
    6.3.8 Performing File Operations by Using FTP Commands
    6.3.9 Checking the Configuration
  6.4 Performing File Operations by Means of SFTP
    6.4.1 Establishing the Configuration Task
    6.4.2 Configuring VTY User Interface
    6.4.3 Configuring SSH for the VTY User Interface
    6.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types
    6.4.5 Enabling the SFTP Service
    6.4.6 Accessing the System by Using SFTP
    6.4.7 Performing File Operations by Using SFTP
    6.4.8 Checking the Configuration
  6.5 Configuration Examples
    6.5.1 Example for Performing File Operations by Means of the File System
    6.5.2 Example for Performing File Operations by Means of FTP
    6.5.3 Example for Performing File Operations by Means of SFTP
7 Configuring System Startup
  7.1 System Startup Overview
    7.1.1 System Software
    7.1.2 Configuration Files and Current Configurations
  7.2 Managing Configuration Files
    7.2.1 Establishing the Configuration Task
    7.2.2 Saving Configuration Files
    7.2.3 Clearing a Configuration File
    7.2.4 Comparing Configuration Files
    7.2.5 Checking the Configuration
  7.3 Specifying a File for System Startup
    7.3.1 Establishing the Configuration Task
    7.3.2 Configuring System Software for a router to Load for the Next Startup
    7.3.3 Configuring the Configuration File for Router to Load for the Next Startup
    7.3.4 Checking the Configuration
  7.4 Configuration Examples
    7.4.1 Example for Configuring System Startup
8 Accessing Another Device
  8.1 Accessing Another Device Overview
    8.1.1 Telnet Method
    8.1.2 FTP Method
    8.1.3 TFTP Method
    8.1.4 SSH Method
  8.2 Logging in to Other Devices by Using Telnet
    8.2.1 Establishing the Configuration Task
    8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client


8.2.3 Logging in to Another Device by Using Telnet
8.2.4 Checking the Configuration
8.3 Using the Redirection Function to Connect to a Remote Device
8.3.1 Establishing the Configuration Task
8.3.2 Configuring the Redirection Function
8.3.3 Checking the Configuration
8.4 Logging in to other Device by Using STelnet
8.4.1 Establishing the Configuration Task
8.4.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)
8.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)
8.4.4 Logging in to Another Device by Using STelnet
8.4.5 Checking the configuration
8.5 Accessing Files on Another Device by Using TFTP
8.5.1 Establishing the Configuration Task
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client
8.5.3 (Optional) Configuring TFTP Access Authority
8.5.4 Downloading Files by Using TFTP
8.5.5 Uploading Files by Using TFTP
8.5.6 Checking the Configuration
8.6 Accessing Files on Another Device by Using FTP
8.6.1 Establishing the Configuration Task
8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client
8.6.3 Connecting to Other Devices by Using FTP Commands
8.6.4 Operating Files by Using FTP Commands
8.6.5 Changing Login Users
8.6.6 Disconnecting from the FTP Server
8.6.7 Checking the Configuration
8.7 Accessing Files on Another Device by Using SFTP
8.7.1 Establishing the Configuration Task
8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client
8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)
8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)
8.7.5 Connecting to Other Devices by Using SFTP
8.7.6 Operating Files by Using SFTP Commands
8.7.7 Checking the Configuration
8.8 Configuration Examples
8.8.1 Example for Configuring Telnet Services
8.8.2 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server
8.8.3 Example for Configuring TFTP


8.8.4 Example for Connecting the SFTP Client to the SSH Server
8.8.5 Example for Authenticating SSH Through RADIUS
9 Upgrade and Maintenance
9.1 Upgrade and Maintenance Overview
9.1.1 License Authorization
9.1.2 Software Upgrade
9.1.3 Patch Management
9.1.4 CPU and Memory Usage Thresholds
9.1.5 Device Restart
9.2 Activating a GTL License File
9.2.1 Establishing the Configuration Task
9.2.2 Uploading a GTL License File
9.2.3 Activating the GTL License File
9.2.4 (Optional) Enabling the Emergency State of the GTL License Module
9.2.5 Checking the Configuration
9.3 Upgrading System Software
9.3.1 Establishing the Configuration Task
9.3.2 Checking the System Before the Upgrade
9.3.3 Downloading Resource Files
9.3.4 Specifying the System Software to Be Used at the Next Startup
9.3.5 Configuring a Backup Startup File
9.3.6 (Optional) Upgrading the BootROM of the LPU
9.3.7 Restarting a Device
9.3.8 (Optional) Activating a GTL License File
9.3.9 Checking the Configuration
9.4 Managing Patches
9.4.1 Establishing the Configuration Task
9.4.2 Installing a Patch
9.4.3 Specifying a Patch File to Be Used at the Next Startup
9.4.4 Uninstalling a Patch
9.4.5 Checking the Configuration
9.5 Monitoring CPU and Memory Usage
9.5.1 Establishing the Configuration Task
9.5.2 Setting CPU Usage Thresholds
9.5.3 Setting a Memory Usage Threshold
9.5.4 Checking the Configuration
9.6 Restarting the Device
9.6.1 Establishing the Configuration Task
9.6.2 Restarting the Device Immediately
9.6.3 Configuring the Device to Restart as Scheduled
9.6.4 Checking the Configuration
9.7 Configuration Examples


9.7.1 Example for Upgrading System Software
9.7.2 Example for Installing a Patch File


1 Logging In to the System for the First Time

About This Chapter

You can log in to a new router through the console port or mini USB port to configure the router.

1.1 Introduction

You can log in to the device that is powered on for the first time through the console port or mini USB port to configure the device.

1.2 Logging In to the Device Through the Console Port or Mini USB Port

This section describes how to connect a terminal to a router through the console port or mini USB port to establish the configuration environment.


1.1 Introduction

You can log in to a device that is powered on for the first time through the console port or mini USB port to configure the device.

A main control board provides a console port and a mini USB port. To configure a device, connect the serial port of your terminal to the console port of the device, or connect the USB port of the user terminal to the mini USB port of the device.

NOTE

• If a device is powered on for the first time, you must log in to it through the console port or mini USB port before logging in to the device using other login modes. For example, before configuring an IP address to log in to a device using Telnet, log in to the device through the console port or mini USB port.
• Before logging in to a device through the mini USB port, install the driver for the mini USB port on the user terminal.
• The mini USB port and console port cannot be used together.

1.2 Logging In to the Device Through the Console Port or Mini USB Port

This section describes how to connect a terminal to a router through the console port or mini USB port to establish the configuration environment.

1.2.1 Establishing the Configuration Task

Before logging in to the router through the console port or mini USB port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

When the router is powered on for the first time, you need to use the console port or mini USB port to log in to the router to configure and manage it.

Pre-configuration Tasks

Before logging in to the router through the console port or mini USB port, complete the following tasks:

• Installing a terminal emulation program on the PC (such as Windows XP HyperTerminal)
• Preparing serial interface cables or mini USB interface cables

NOTE

To log in to the device through the mini USB interface, install the driver on the user terminal.

Data Preparation

To log in to the router through the console port or mini USB port, you need the following data.


No. | Data
1 | Terminal communication parameters: baud rate, data bit, parity, stop bit, flow-control mode

NOTE

When you log in to the router for the first time, the system automatically uses default parameter values.

1.2.2 Establishing the Physical Connection

You can connect the console port of the router to the COM port of a terminal, or connect the mini USB port of the router to the USB port of the terminal through cables.

Procedure

Step 1 Power on all devices to perform a self-check.

Step 2 Connect the console port of the router to the COM port of a PC, or connect the mini USB port of the router to the USB port of the PC through cables.

NOTE

The mini USB port and console port cannot be used together.

----End

1.2.3 Logging in to the router

You can log in to the router through the console port or mini USB port to configure and manage a router that is powered on for the first time.

Context

You need to configure terminal attributes for the PC according to the attributes configured for the console port, including the transmission rate, data bit, parity bit, stop bit, and flow control mode. Because this is the first login to the router, every terminal attribute uses the router's default value.

Procedure

Step 1 Start a terminal emulator on the PC, and create a new connection, as shown in Figure 1-1.


Figure 1-1 Connection creation

Step 2 Set the interface, as shown in Figure 1-2.

Figure 1-2 Interface setting

Step 3 Set the communication parameters to the default values of the router, as shown in Figure 1-3.


Figure 1-3 Communication parameter setting

Step 4 Press Enter. A command line prompt such as <Huawei> appears, and the system asks you to configure the router. You can enter a command to configure the router. Enter a question mark (?) whenever you need help.

NOTE

When you connect to the Console port of an AR1200-S that does not have a startup configuration file, the system displays "Warning: Auto-Config is working. Do you want to stop Auto-Config? [y/n]:"

• To continue Auto-Config, enter n and press Enter.
• To stop Auto-Config, enter y and press Enter.

CAUTION

If you choose n but still perform configurations through the Console port, the DHCP, routing, DNS, and VTY configurations that you have performed will be lost.

----End


2 CLI Overview

About This Chapter

The command line interface (CLI) is used to configure and maintain devices.

2.1 CLI Introduction

After you log in to the router, a prompt is displayed, indicating that you have entered the command line interface (CLI). The CLI is used by users to interact with the router.

2.2 Online Help

When inputting command lines or configuring services, you can use the online help function to obtain real-time help.

2.3 CLI Features

The CLI provides the following features to help users flexibly use it.

2.4 Shortcut Keys

Using the system or user-defined shortcut keys makes it easier to enter commands.

2.5 Configuration Examples

This section provides several examples for using command lines.


2.1 CLI Introduction

After you log in to the router, a prompt is displayed, indicating that you have entered the command line interface (CLI). The CLI is used by users to interact with the router.

2.1.1 Command Line Interface

You can configure and manage the router by using the CLI commands.

The characteristics of CLI are as follows:

• Local configuration through console port.
• Local or remote configuration through Telnet or Secure Shell (SSH).
• The telnet command for directly logging in to and managing other routers.
• FTP service for file uploading and downloading.
• A user interface view for specific configuration management.
• Hierarchical command protection for users of different levels, that is, running the commands of the corresponding levels.
• Three authentication modes are supported, namely, none-authentication, password authentication, and Authentication, Authorization, and Accounting (AAA) authentication. Password and AAA authentication prohibit unauthorized users from logging in to the router, guaranteeing system security.
• Entering "?" for online help at any time.
• A command line interpreter provides intelligent command resolution methods such as key word fuzzy match and context conjunction. These methods make it easy for users to enter their commands.
• Network testing commands such as tracert and ping for rapidly diagnosing a network.
• Abundant debugging information to help in diagnosing the network.
• Running a command used previously on the device, like DosKey.

NOTE

• The system supports commands with a maximum of 512 characters. A command can be entered in incomplete form: you can enter one or more initial characters of the command to match the whole command. The incomplete command, however, must be unique in the system. For example, to use the display current-configuration command, enter d cu, di cu, or dis cu. You cannot enter d c or dis c because they are not unique in the system.
• The system saves the incomplete command to the configuration files in complete form; therefore, the command may have more than 512 characters. When the system is restarted, however, the incomplete command cannot be restored. Therefore, pay attention to the length of the incomplete command.

2.1.2 Command Levels

The system manages commands hierarchically for security. The administrator can set user levels corresponding to command levels to implement user-specific access control.

The default command levels are as follows:


Table 2-1 Command line levels

Level | Name | Description
0 | Visit level | Commands of this level include commands of network diagnosis tool (such as ping and tracert) and commands that start from the local device and visit external device (such as Telnet client side).
1 | Monitoring level | Commands of this level, including the display commands, are used for system maintenance and fault diagnosis.
2 | Configuration level | Commands of this level are service configuration commands that provide direct network service to the user, including routing and network layer commands.
3 | Management level | Commands of this level are commands that influence the basic operation of the system and provide support to the service. They include file system commands, FTP commands, TFTP commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, system internal parameter setting commands, and debugging commands that are used for fault diagnosis.

NOTE

• The default command level may be higher than the command level defined according to the command rules in application.
• The level of the command that a user can run is determined by the level of this user.
• Login users have the same 16 levels as the command levels. Login users can use only commands whose levels are equal to or lower than their own levels. The user privilege level level command sets the user level.
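The abbreviation rule in the 2.1.1 NOTE and the user-level rule above meet when command history is reviewed: a filter written against the full command text misses dis cu. The following Python is an added example, not code from this guide or from Huawei; it expands abbreviations by the unique-prefix rule and then compares the command level with the user level. The command table, the level given to each entry (assigned from the categories in Table 2-1) and the history records are constructed for illustration, and command arguments are not modelled.

```python
# Added example: expand abbreviated CLI commands, then apply the level rule.
# COMMANDS is a constructed table, not a dump from a device; each level is
# assigned from the categories in Table 2-1. Arguments are not modelled.
COMMANDS = {
    "ping": 0,                            # network diagnosis tool
    "tracert": 0,                         # network diagnosis tool
    "telnet": 0,                          # visits an external device
    "display current-configuration": 1,   # display command
    "display clock": 1,                   # display command
    "display bgp": 1,                     # display command
    "dir": 3,                             # file system command
    "delete": 3,                          # file system command
    "debugging": 3,                       # debugging command
}


def resolve(line):
    """Expand an abbreviated command line.

    Returns (status, full_command). status is "ok" when the typed prefixes
    identify exactly one command, "ambiguous" when several keyword paths
    match, "incomplete" when the only match still needs more keywords, and
    "unknown" when nothing matches.
    """
    tokens = line.lower().split()
    paths = set()
    for command in COMMANDS:
        words = command.split()
        if len(words) < len(tokens):
            continue
        if all(word.startswith(tok) for tok, word in zip(tokens, words)):
            # Keep only as many keywords as were typed, so "d c" yields two
            # distinct paths (display clock, display current-configuration).
            paths.add(" ".join(words[:len(tokens)]))
    if not tokens or not paths:
        return ("unknown", None)
    if len(paths) > 1:
        return ("ambiguous", None)
    path = paths.pop()
    if path in COMMANDS:
        return ("ok", path)
    return ("incomplete", None)


def audit(user_level, line):
    """Apply the rule that a user runs only commands at or below their level."""
    status, command = resolve(line)
    if status != "ok":
        return (status, None)
    if COMMANDS[command] <= user_level:
        return ("permitted", command)
    return ("above-level", command)


# Constructed history records: (user name, user level, text as typed).
SAMPLE_HISTORY = [
    ("monitor1", 1, "dis cu"),
    ("guest", 0, "di cu"),
    ("guest", 0, "pi"),
    ("monitor1", 1, "d c"),
    ("monitor1", 1, "del"),
    ("admin", 3, "del"),
]


def review(history):
    """Return the records that need attention, with the expanded command."""
    findings = []
    for user, level, typed in history:
        verdict, command = audit(level, typed)
        if verdict != "permitted":
            findings.append((user, typed, verdict, command))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_HISTORY):
        print(finding)
```
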

Searching Commands Based on Command Levels

You can search for all commands of a specific level simultaneously. The procedure is as follows:

1. Open the command reference (.chm) file.

2. Click the "Search" tab. The search window will be displayed as shown in Figure 2-1.


Figure 2-1 Entering the search window

3. Enter a desired command level in the "Type in the word(s) to search for" textbox and click "List Topics". All commands of the specified level will be displayed as shown in Figure 2-2.


Figure 2-2 Searching commands based on a specific level

2.1.3 Command Line Views

The command line interface has different command views. All the commands are registered in one or more command views. You can run a command only when you enter the corresponding command view.

The following part uses the user, system, and aaa views as an example:

# Establish connection to the router. If the router adopts the default configuration, you can enter the user view with the prompt of <Huawei>.

<Huawei>

# Run the system-view command to enter the system view.

<Huawei> system-view
[Huawei]

# Run the aaa command in the system view to enter the AAA view.

[Huawei] aaa
[Huawei-aaa]


NOTE

• The command prompt "Huawei" is the default host name.
• The prompt indicates a specific view. For example, "<HUAWEI>" indicates the user view, and "[HUAWEI-ui-console0]" indicates the console user interface view.

Some commands can be used in both system and other views, but have different effects.

2.2 Online Help

When inputting command lines or configuring services, you can use the online help function to obtain real-time help.

2.2.1 Full Help

When inputting a command, you can use the full help function to obtain all keywords or parameters of this command.

Procedure

• You can obtain the full help of a command line in the following manners.

– Enter a question mark (?) in any command line view to display all the commands and their simple descriptions.

<Huawei> ?
User view commands:
  arp-ping   ARP-ping
  autosave   <Group> autosave command group
  backup     Backup information
  cd         Change current directory
  clock      Specify the system clock
  cls        Clear screen
  ...

– Enter a command and a question mark (?) separated by a space. If the key word is at this position, all key words and their simple descriptions are displayed. For example:

[Huawei] interface ?
  Bridge-if  Bridge-if interface
  Cellular   Cellular interface
  ...

Bridge-if and Cellular are keywords; Bridge-if interface and Cellular interface describe the keywords respectively.

– Enter a command and a question mark (?) separated by a space, and if a parameter is at this position, the related parameter names and parameter descriptions are displayed. For example:

[Huawei] ftp timeout ?
  INTEGER<1-35791>  The value of FTP timeout (in minutes)
[Huawei] ftp timeout 35 ?
  <cr>  Please press ENTER to execute command
[Huawei] ftp timeout 35

In the preceding display, INTEGER<1-35791> describes the parameter value; The value of FTP timeout (in minutes) is a simple description of the parameter usage;


<cr> indicates that no parameter is at this position. The command is repeated in the next command line. You can press Enter to run the command.

----End

2.2.2 Partial Help

If you enter only the first one or a few characters of a command, you can use the partial help function to obtain all keywords following the character or character string.

Procedure

• You can obtain the partial help of a command line in the following manners.

– Enter a character string with a question mark (?) closely following it to display all commands that begin with this character string.

<Huawei> d?
  debugging  <Group> debugging command group
  delete     Delete a file
  dialer     Dialer
  dir        List files on a filesystem
  display    Display information

– Enter a command and a character string with a question mark (?) closely following it to display all the key words that begin with this character string.

<Huawei> display b?
  bfd     Specify BFD(Bidirectional Forwarding Detection) configuration information
  bgp     BGP information
  bootp   Bootstrap Protocol
  bridge  <Group> bridge command group

– Enter the first several letters of a key word in the command and then press Tab to display the complete key word on the condition that the letters uniquely identify the key word. Otherwise, if you continue to press Tab, different key words are displayed. You can select the needed key word.

----End

2.2.3 Error Messages of the Command Line Interface

If an entered command passes the syntax check, the system executes it. Otherwise, the system displays an error message.

All commands entered by the user are executed if they pass the syntax check. Otherwise, error messages are reported to the user. See Table 2-2 for the common error messages.


Table 2-2 Common error messages of the command line

Error messages | Cause of the error
% Unknown command, the error locates at "^" | The command cannot be found; the key word cannot be found
Error: Wrong parameter found at '^' position. | Parameter type error; the parameter value exceeds the limit
% Incomplete command, the error locates at "^" | Incomplete command entered
Error: Too many parameters found at "^" position. | Too many parameters entered
% Ambiguous command, the error locates at "^" | Indefinite parameters entered

2.3 CLI Features

The CLI provides the following features to help users flexibly use it.

2.3.1 Editing

The editing function of command lines helps you edit command lines or obtain help by using certain keys.

The command line supports multi-line editing. The maximum length of each command is 512 characters.

Keys for editing that are often used are shown in Table 2-3.

Table 2-3 Keys for editing

Key | Function
Common key | Inserts a character at the current position of the cursor if the editing buffer is not full, and moves the cursor to the right. Otherwise, an alarm is generated.
Backspace | Deletes the character on the left of the cursor and moves the cursor to the left. When the cursor reaches the head of the command, an alarm is generated.
Left cursor key ← or Ctrl_B | Moves the cursor to the left by the space of a character. When the cursor reaches the head of the command, an alarm is generated.
Right cursor key → or Ctrl_F | Moves the cursor to the right by the space of a character. When the cursor reaches the end of the command, an alarm is generated.


Key Function

Tab Press Tab after typing the incomplete key word and the system

runs the partial help:

l If the matching key word is unique, the system replaces thetyped one with the complete key word and displays it in a new

line with the cursor a space behind.

l If there are several matches or no match at all, the system

displays the prefix first. Then you can press Tab to view the

matching key word one by one. In this case, the cursor closely

follows the end of the word and you can type a space to enter 

the next word.

l If a wrong key word is entered, press Tab and the word is

displayed in a new line.

 

2.3.2 Displaying 

All command lines have the same displaying feature. You can construct the displaying mode as required.

You can control the display of information on the CLI as follows:

l If output information cannot be displayed on a full screen, you have three options to view the information, as shown in Table 2-4.

Table 2-4 Keys for displaying

| Key | Function |
| --- | --- |
| Ctrl_C | Stops the display and running of the command. |
| Space | Allows information to be displayed on the next screen. |
| Enter | Allows information to be displayed on the next line. |

2.3.3 Regular Expressions

The regular expression is an expression that describes a set of strings. It consists of common characters (such as letters from "a" to "z") and particular characters (also named metacharacters). The regular expression is a template according to which you can search for the required string. Users can use regular expressions to filter output information to rapidly locate desired information.

A regular expression can provide the following functions:

l Searching for and obtaining a sub-string that matches a rule in the string.

l Substituting a string according to a certain matching rule.


Formal Language Theory of the Regular Expression

The regular expression consists of common characters and particular characters.

l Common characters

Common characters are used to match themselves in a string, including all upper-case and lower-case letters, digits, punctuation, and special symbols. For example, a matches the letter "a" in "abc", 202 matches the digit "202" in "202.113.25.155", and @ matches the symbol "@" in "[email protected]".

l Particular characters

Particular characters are used together with common characters to match the complex or particular string combination. Table 2-5 describes particular characters and their syntax.

Table 2-5 Description of particular characters

Particular character: \
Syntax: Defines an escape character, which is used to mark the next character (common or particular) as the common character.
Example: \* matches "*".

Particular character: ^
Syntax: Matches the starting position of the string.
Example: ^10 matches "10.10.10.1" instead of "20.10.10.1".

Particular character: $
Syntax: Matches the ending position of the string.
Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".

Particular character: *
Syntax: Matches the preceding element zero or more times.
Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".

Particular character: +
Syntax: Matches the preceding element one or more times.
Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".

Particular character: ?
Syntax: Matches the preceding element zero or one time.
Example: 10? matches "1" and "10". (10)? matches "null" and "10".

Particular character: .
Syntax: Matches any single character.
Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".

Particular character: ()
Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression should be matched.
Example: 100(200)+ matches "100200" and "100200200".

Particular character: x|y
Syntax: Matches x or y.
Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234", "14", "1224", and "1334".

Particular character: [xyz]
Syntax: Matches any single character in the regular expression.
Example: [123] matches the character 2 in "255".

Particular character: [^xyz]
Syntax: Matches any character that is not contained within the brackets.
Example: [^123] matches any character except for "1", "2", and "3".

Particular character: [a-z]
Syntax: Matches any character within the specified range.
Example: [0-9] matches any character ranging from 0 to 9.

Particular character: [^a-z]
Syntax: Matches any character beyond the specified range.
Example: [^0-9] matches all non-numeric characters.

Particular character: _
Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", and right parenthesis ")". Matches the starting position of the input string. Matches the ending position of the input string. Matches a space.
Example: _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,", "{2008}", "(2008)", "{2008)", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

l Degeneration of particular characters

Certain particular characters, when placed at the following positions in the regular expression, degenerate to common characters.

– A particular character following "\" is escaped and matches the particular character itself.

– The particular characters "*", "+", and "?" placed at the starting position of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".

– The particular character "^" placed at any position except for the start of the regular expression. For example, abc^ matches "abc^".

– The particular character "$" placed at any position except for the end of the regular expression. For example, 12$2 matches "12$2".

– A right bracket such as ")" or "]" that is not paired with its corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".


NOTE

Unless otherwise specified, degeneration rules are applicable when preceding regular expressions serve as subexpressions within parentheses.

l Combination of common and particular characters

In actual application, a regular expression combines multiple common and particular characters to match certain strings.

Specifying a Filtering Mode in Command

CAUTION

The Huawei AR1200-S Series uses a regular expression to implement the filtering function of the pipe character. A display command supports the pipe character only when there is excessive output information.

When the output information is queried according to the filtering conditions, the first line of the command output starts with the information containing the regular expression.

The command can carry the parameter | count to display the number of matching entries. The parameter | count can be used together with other parameters.

For the commands supporting regular expressions, the three filtering methods are as follows:

l | begin regular-expression: displays the information that begins with the line that matches the regular expression.

l | exclude regular-expression: displays the information that excludes the lines that match the regular expression.

l | include regular-expression: displays the information that includes the lines that match the regular expression.

NOTE

The value of regular-expression is a string of 1 to 255 characters.
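The particular characters of Table 2-5, the degeneration rules and the three pipe filters described above can be tried offline with the following Python emulation. It is an added example, not Huawei's implementation and not part of the original guide: the names translate, matches, pipe_filter and SAMPLE are made up here, the sample lines are constructed, and the handling of a trailing "\" and of an unclosed "[" is an assumption.

```python
import re

# "_" in the guide's dialect: comma, brace, parenthesis, space, or the
# starting/ending position of the input string (Table 2-5).
UNDERSCORE = r"(?:^|$|[,{}() ])"


def translate(expr):
    """Rewrite an expression in the guide's dialect as a Python re pattern."""
    if not 1 <= len(expr) <= 255:
        raise ValueError("regular-expression must be 1 to 255 characters")
    out, depth, at_start = [], 0, True
    i, n = 0, len(expr)
    while i < n:
        c = expr[i]
        opens_group = False
        if c == "\\":
            # Escape: the next character becomes a common character.
            # Assumption: a trailing "\" stands for itself.
            out.append(re.escape(expr[i + 1]) if i + 1 < n else "\\\\")
            i += 1
        elif c == "[":
            first = i + (2 if expr[i + 1:i + 2] == "^" else 1)
            end = expr.find("]", first + 1)
            if end == -1:
                raise ValueError("unclosed '[' (not covered by the guide)")
            out.append(expr[i:end + 1])        # copy the bracket set as is
            i = end
        elif c == "(":
            depth += 1
            out.append("(")
            opens_group = True
        elif c == ")":
            if depth:
                depth -= 1
                out.append(")")
            else:
                out.append(r"\)")              # unpaired ")" degenerates
        elif c == "]":
            out.append(r"\]")                  # unpaired "]" degenerates
        elif c in "*+?":
            # Nothing to repeat at the start of an expression or of a
            # subexpression, so the character degenerates there.
            out.append(re.escape(c) if at_start else c)
        elif c == "^":
            out.append("^" if i == 0 else r"\^")
        elif c == "$":
            out.append("$" if i == n - 1 else r"\$")
        elif c == "_":
            out.append(UNDERSCORE)
        elif c in ".|":
            out.append(c)
        else:
            out.append(re.escape(c))           # common character
        at_start = opens_group
        i += 1
    return "".join(out)


def matches(expr, text):
    """True if the expression matches anywhere in text."""
    return re.search(translate(expr), text) is not None


def pipe_filter(lines, mode, expr):
    """Emulate "| begin", "| include" and "| exclude" on output lines."""
    if mode == "include":
        return [ln for ln in lines if matches(expr, ln)]
    if mode == "exclude":
        return [ln for ln in lines if not matches(expr, ln)]
    if mode == "begin":
        for idx, ln in enumerate(lines):
            if matches(expr, ln):
                return lines[idx:]
        return []
    raise ValueError("mode must be begin, include or exclude")


# Constructed sample lines (not captured from a device), built from
# commands that this guide describes.
SAMPLE = [
    'sysname Huawei',
    'clock timezone BJ add 08:00:00',
    'header login information "Authorized users only"',
    'header shell information "Session is logged"',
    'hotkey CTRL_U "display local-user"',
    'info-center loghost 192.0.2.10',
    'info-center loghost 192.0.2.100',
]

if __name__ == "__main__":
    # "_" keeps 192.0.2.10 from also selecting 192.0.2.100.
    for line in pipe_filter(SAMPLE, "include", r"_192\.0\.2\.10_"):
        print(line)
    for line in pipe_filter(SAMPLE, "begin", "hotkey"):
        print(line)
```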

2.3.4 Previously-Used Commands

The CLI provides a function similar to DosKey to automatically save commands used previously on the device. If you need to run a command that has been executed, you can call the command from those that have been used previously on the device. This facilitates user operation.

By default, the system saves a maximum of 10 previously-used commands for each user. You can run the history-command max-size size-value command in the user view to set the number of previously-used commands saved in the system. A maximum of 256 previously-used commands can be saved in the system.

NOTE

Setting the number of saved previously-used commands to a proper value is recommended. If a large number of previously-used commands are saved, it will take a long time to locate a needed previously-used command, affecting efficiency.

The operations are shown in Table 2-6.


Table 2-6 Access the previously-used commands

| Action | Key or Command | Result |
| --- | --- | --- |
| Display previously-used commands. | display history-command | Display previously-used commands entered by users. |
| Access the last previously-used command. | Up cursor key (↑) or Ctrl_P | Display the last previously-used command if there is an earlier previously-used command. Otherwise, an alarm is generated. |
| Access the next previously-used command. | Down cursor key (↓) or Ctrl_N | Display the next previously-used command if there is a later previously-used command. Otherwise, the command is cleared and an alarm is generated. |

NOTE

On the HyperTerminal of Windows 9X, cursor key ↑ is invalid as the HyperTerminals of Windows 9X define the keys differently. In this case, you can replace the cursor key ↑ with Ctrl_P.

When you use previously-used commands, note the following points:

l The saved previously-used commands are the same as those entered by users. For example, if the user enters an incomplete command, the saved command also is incomplete.

l If the user runs the same command several times, the earliest command is saved. If the command is entered in different forms, they are considered as different commands.

For example, if the display ip routing-table command is run several times, only one previously-used command is saved. If the display current-configuration command and the display ip routing-table command are run, two previously-used commands are saved.

2.4 Shortcut Keys

Using the system or user-defined shortcut keys makes it easier to enter commands.

2.4.1 Classifying Shortcut Keys

There are two types of shortcut keys, namely, system shortcut keys and user-defined shortcut keys. Familiarize yourself with shortcut keys so as to use them accurately.

The shortcut keys in the system are classified into the following types:

l User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can correlate these shortcut keys with any commands. When the shortcut keys are pressed, the system automatically runs the corresponding command. For details of defining the shortcut keys, see 2.4.2 Defining Shortcut Keys.

l System-defined shortcut keys: These shortcut keys with fixed functions are defined by the system. Table 2-7 lists the system-defined shortcut keys.


NOTE

Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may be different from those listed in this section.

Table 2-7 System-defined shortcut keys

| Key | Function |
| --- | --- |
| CTRL_A | The cursor moves to the beginning of the current line. |
| CTRL_B | The cursor moves to the left by the space of a character. |
| CTRL_C | Terminates the running function. |
| CTRL_D | Deletes the character where the cursor lies. |
| CTRL_E | The cursor moves to the end of the current line. |
| CTRL_F | The cursor moves to the right by the space of a character. |
| CTRL_H | Deletes one character on the left of the cursor. |
| CTRL_N | Displays the next command in the previously-used command buffer. |
| CTRL_P | Displays the previous command in the previously-used command buffer. |
| CTRL_W | Deletes a character string or character on the left of the cursor. |
| CTRL_X | Deletes all the characters on the left of the cursor. |
| CTRL_Y | Deletes all the characters on the place of the cursor and the right of the cursor. |
| CTRL_Z | Returns to the user view. |
| CTRL_] | Terminates the inbound or redirection connections. |
| ESC_B | The cursor moves to the left by the space of a word. |
| ESC_D | Deletes a word on the right of the cursor. |
| ESC_F | The cursor moves to the right to the end of next word. |

2.4.2 Defining Shortcut Keys

If one or multiple commands are frequently used, you can correlate these commands with shortcut keys. This facilitates user operation and improves efficiency. Only management-level users have the rights to define shortcut keys.

Configure as follows in the system view.


Action: Define shortcut keys
Command: hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

NOTE

When defining the shortcut keys, use double quotation marks to define the command if this command contains several command words, that is, if spaces exist in the command.

By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commands respectively:

l CTRL_G: display current-configuration

l CTRL_L: undo idle-timeout

l CTRL_O: undo debugging all

By default, CTRL_U is not correlated with any command.

NOTE

Using the undo hotkey command, you can restore the default.

2.4.3 Use of Shortcut Keys

You can use the shortcut key at any position that allows a command to be entered. The system executes an entered shortcut key and displays the corresponding command on the screen in the same way as you enter a complete command.

l If you have typed part of a command and have not pressed Enter, you can press the shortcut keys to clear the entered command and display the full corresponding command. This operation has the same effect as that of deleting all commands and then re-entering the complete command.

l The shortcut keys are run as commands; the command syntax is recorded in the command buffer and the log for fault location and querying.

NOTE

The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcut keys of the terminal conflict with those of the router, the input shortcut keys are captured by the terminal program and hence the shortcut keys do not function.

Run the following command in any view to display the use of shortcut keys.

Action: Check the usage of shortcut keys.
Command: display hotkey

2.5 Configuration Examples

This section provides several examples for using command lines.


2.5.1 Example for Using Tab

This example shows how to use the Tab key. After inputting an incomplete keyword, you can press Tab and obtain all related keywords or verify the correctness of the input keyword.

Context

Usually, you do not need to input complete keywords. Instead, you can just input one or a few beginning characters of a keyword and press Tab to complete the keyword. The Tab key helps search for and use commands.

Procedure

l Tab can be used in three ways as shown in the following example.

– The matching key word is unique after the incomplete key word is input.

1. Input the incomplete key word.

[Huawei] info-

2. Press Tab.

The system replaces the input one with the complete key word and displays it in a new line with the cursor leaving a space behind.

[Huawei] info-center

– There are several matches or no match after the incomplete key word is input.

# The keyword info-center can be followed by the following prefixes beginning with log.

[Huawei] info-center log?
  logbuffer Setting of log buffer configuration
  logfile <Group> logfile commandgroup
  loghost Setting of logging host configuration

1. Input the incomplete key word.

[Huawei] info-center log

2. Press Tab.

The system first displays the prefix log.

[Huawei] info-center logbuffer

Press Tab repeatedly to select a keyword. The cursor is closely following the end of the keyword.

[Huawei] info-center logfile
[Huawei] info-center loghost

Stop pressing Tab after the keyword logfile that you need is displayed.

3. Input a space to enter the next word path.

[Huawei] info-center logfile path

– Input an incorrect keyword and press Tab to check the correctness of the keyword.

1. Input a wrong keyword loglog.

[Huawei] info-center loglog

2. Press Tab.

[Huawei] info-center loglog

The system displays information in a new line, but the keyword loglog remains unchanged and there is no space between the cursor and the keyword, indicating that this keyword does not exist.

----End

2.5.2 Example for Using Shortcut Keys

This example shows how to use shortcut keys. In this example, frequently-used commands are correlated with shortcut keys. You can press the shortcut keys instead of inputting the commands. This facilitates user operation and improves efficiency.

Context

If the login router is defined with shortcut keys, the shortcut keys can be used by any user regardless of the user level.

Procedure

Step 1 Correlate Ctrl_U with the display local-user command and run the shortcut keys.

<Huawei> system-view
[Huawei] hotkey ctrl_u "display local-user"

NOTE

When defining shortcut keys for a command, use double quotation marks to quote the command if the command consists of multiple words, which are separated by spaces. No double quotation marks are required for single-word commands.

Step 2 Press Ctrl_U when the prompt [Huawei] appears.

[Huawei] display local-user
----------------------------------------------------------------------------
User-name                      State  AuthMask  AdminLevel
----------------------------------------------------------------------------
admin                          A      H         -
root                           A      A         -
----------------------------------------------------------------------------
Total 2 user(s)

----End


3 Basic Configuration

About This Chapter

This chapter describes how to configure the router to suit your usage habits and the actual environment requirements after logging in to the router.

3.1 Configuring the Basic System Environment

This section describes how to configure the basic system environment.

3.2 Displaying System Status Messages

This section describes how to use display commands to check basic configurations of the current system.


3.1 Configuring the Basic System Environment

This section describes how to configure the basic system environment.

3.1.1 Establishing the Configuration Task

Before configuring the basic system environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Before configuring services, you need to configure the basic system environment (such as time and device name) to meet the environment requirement.

Pre-configuration Tasks

Before configuring the basic system environment, complete the following task:

l Powering on the router

Data Preparation

To configure the basic system environment, you need the following data.

| No. | Data |
| --- | --- |
| 1 | System time |
| 2 | Host name |
| 3 | Login information |
| 4 | Command level |

3.1.2 Configuring the Equipment Name

When multiple devices on the network need to be managed, you can identify them by setting an equipment name for each device.

Context

The new equipment name takes effect immediately.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

sysname host-name

The equipment name is set.

By default, the equipment name of the router is Huawei.

You can change the name of the router that appears in the command prompt.

----End

3.1.3 Setting the System Clock

You need to set the system time properly to ensure the cooperation between the AR1200-S and other devices.

Context

The system clock displays the current time and date of the system, time zone to which the system belongs, and daylight saving time. The AR1200-S supports the configurations of the time zone and the daylight saving time.

Do as follows in the user view:

Procedure

Step 1 Run:

clock datetime HH:MM:SS YYYY-MM-DD

The current date and time is set.

Step 2 Run:

clock timezone time-zone-name { add | minus } offset

The time zone is set.

l If add is configured, the current time is the UTC time plus the time offset. That is, the default UTC time plus offset is equal to the time of time-zone-name.

l If minus is configured, the current time is the UTC time minus the time offset. That is, the default UTC time minus offset is equal to the time of time-zone-name.

Step 3 Run:

clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

or

clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

The daylight saving time is set.

By default, the daylight saving time is not set.


During the configuration of the daylight saving time, you can configure the starting time and ending time in one of the following modes: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.

NOTE

When the daylight saving time is used, the clock timezone time-zone-name { add | minus } offset command can be executed to set the time zone name. The display clock command displays the daylight saving time name. After the daylight saving time is complete, the original time zone name is displayed.

----End

3.1.4 Configuring a Header

If you need to provide information for users logging in, you can configure a header that the system displays during or after login.

Context

A header text is a message displayed by the system when and after a user is logging in to the router.

If you need to provide information for login users, you can configure a header that the system displays during login or after login.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

header login { information text | file file-name }

The header displayed during login is set.

Step 3 Run:

header shell { information text | file file-name }

The header displayed after login is set.

To display the header when the terminal connection has been activated but the user is not being authenticated, configure the parameter login.

To display the header after the user logs in successfully, configure the parameter shell.

If the user can log in to the router without authentication, the system directly displays the header after the login.


CAUTION

l The header text starts and ends with the same character. After a character is input and Enter is pressed, an interactive interface is displayed. You can input the required information ended with the first character. The system then exits from the interactive interface.

l If file is specified, save the file containing the header in the root directory of the default storage medium. If the file is saved in another directory, specify the full path in the file name; otherwise, the configuration fails.

l If a user logs in to the router by using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.

l If a user logs in to the router by using SSH2.0, both login and shell headers are displayed.

----End

3.1.5 Configuring the Undo Command to Match in the Previous View Automatically

You can run the undo command in the current view and thus the system automatically matches the previous view.

Context

If the user allows the undo command to automatically match the previous view and the user runs the undo command that is not registered in the current view, the system searches the undo command in the previous view.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

 matched upper-view

The undo command is configured to match the upper level view.

By default, the undo command does not match the previous view automatically.

NOTE

l The matched upper-view command is valid for current login users who run this command.

l It is not recommended that you configure the undo command to automatically match the upper level view, unless necessary.

----End

3.2 Displaying System Status Messages

This section describes how to use display commands to check basic configurations of the current system.


Context

You can use the display commands to collect information about the system status. The display

commands are classified according to the following functions:

l Displays system configurations.

l Displays the running status of the system.

l Displays the diagnostic information about a system.

See the related sections for display commands for protocols and interfaces. The following part

only shows the system-level display commands.

Run the following commands in any view.

3.2.1 Displaying System Configuration

This section describes how to check the system version, system time, original configuration, and

current configuration by using command lines.

Prerequisite

Basic configurations are complete.

Procedure

l Run the display version command to display the system version.

l Run the display clock command to display the system time.

l Run the display saved-configuration command to display the original configuration.

l Run the display current-configuration command to display the current configuration.

NOTE

l The display version command can be used to display the software version of the system, the chassis type, and the information about the main control board and interface board.

l When a user runs the display current-configuration command to display configuration information, other users cannot run the same command until all the command output is displayed.

l The original configuration refers to information about configuration files used by the device when the device has been powered on and is being initialized. The current configuration refers to the configuration files taking effect during the device operation. For details, see the chapter "Configuring System Startup" in the AR1200-S Basic-Configuration.

----End

3.2.2 Displaying System Status

This section describes how to check the system operating status (the configuration of the current

view) by using command lines.

Prerequisite

Basic configurations are complete.

Procedure

l Run the display this command to display the configuration of the current view.


NOTE

When a user runs the display this command to display system status information, other users cannot

run the same command until all the command output is displayed.

----End

3.2.3 Collecting System Diagnostic Information

This section describes how to collect information about all modules in the system.

Context

When the system fails to perform routine maintenance, you need to collect a lot of information to locate faults. Then, you have to run different display commands to collect all information. In this case, you can use the display diagnostic-information command to collect all information about the current running modules in the system.

Procedure

l Run:

display diagnostic-information

The system diagnosis information is displayed.

The display diagnostic-information command collects all the information that is collected by running commands such as display clock, display version, and so on.

----End


4 Configuring User Interface

About This Chapter

When a user logs in to the router by using the console port, the TTY port, Telnet, or SSH, the

system manages the session between the user and the router on the corresponding user interface.

4.1 User Interface Overview

The system supports console, and VTY user interfaces.

4.2 Configuring the Console User Interface

When a user logs in to the router by using a console port for local maintenance, you can configure attributes for the corresponding console user interface as needed.

4.3 Configuring VTY User Interface

If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you

can configure the corresponding VTY user interface as needed.

4.4 Configuring a TTY User Interface

The True Type Terminal (TTY) user interface view is a command line view and is used to

configure and manage physical interfaces working in asynchronous and interactive mode.

4.5 Configuration Examples

This section provides examples for configuring console, TTY, and VTY user interfaces. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

4.1 User Interface Overview

The system supports console and VTY user interfaces.

Each user interface has a corresponding user interface view. A user interface view is a command

line view provided by the system. It is used to configure and manage all the physical and logical

interfaces in asynchronous mode.

User Interfaces Supported by the System

• Console port (CON)

  The console port is a serial port provided by the main control board of the router. The main control board provides one EIA/TIA-232 DCE console port for local configuration by directly connecting a terminal to a router.

• Virtual type terminal (VTY)

  It is a logical terminal line. A VTY connection is set up when a router connects to a terminal by means of Telnet. It is used for local or remote access to a router. A maximum of 16 users can log in to the router by using the VTY user interface.

• TTY

  The TTY is used to manage and monitor login users. The TTY mode is the login mode that uses the asynchronous serial port.

Numbering of a User Interface

After a user logs in to the router, the system assigns an idle user interface of the smallest number to the user according to the user's login mode. You can number a user interface in the following ways:

• Relative numbering

  The relative numbering is in the format of user interface type + number.

  The relative numbering is available for interfaces of a specific type. It is used only to specify one or a group of user interfaces of a specified type. Relative numbering must comply with the following rules:

  – Number of the console port: CON 0

  – Number of the TTY: TTY 0 for the first line, TTY 1 for the second line, and so on

  – Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on

• Absolute numbering

  The absolute numbering is used to uniquely specify a user interface or a group of user interfaces.

  The number starts with 0. The ports are numbered in the sequence of CON → TTY → VTY. There is only one console port and 0-20 VTY interfaces (VTY interfaces 0 to 14 are provided for Telnet/SSH users and VTY interfaces 16 to 20 are provided for network management users). You can use the user-interface maximum-vty command to set the maximum number of user interfaces. The default number is five.

By default, the system supports three types of user interfaces: CON, TTY, and VTY.

Table 4-1 shows the absolute numbers of the user interfaces in this system.

Table 4-1 Example for the absolute numbering

Absolute number    User-interface
0                  CON0
1                  First TTY user interface (TTY0)
2                  Second TTY user interface (TTY1)
3                  Third TTY user interface (TTY2)
4                  Fourth TTY user interface (TTY3)
5                  Fifth TTY user interface (TTY4)
129                First virtual interface (VTY0)
130                Second virtual interface (VTY1)
131                Third virtual interface (VTY2)
132                Fourth virtual interface (VTY3)
133                Fifth virtual interface (VTY4)

NOTE

The absolute numbers allocated for TTY and VTY interfaces are device-specific.

The numbers from 1 to 32 are reserved for the TTY user interfaces.

Run the display user-interface command to view the absolute number of user interfaces.

Authentication of a User Interface

After a user is configured, the system authenticates the user during user login.

There are three user authentication modes: non-authentication, password authentication, and AAA.

• Non-authentication: In this mode, users can log in to the router without entering usernames or passwords. For security, this mode is not recommended.

• Password authentication: In this mode, users need to enter passwords, not usernames, during the login process.

• AAA authentication: In this mode, users need to enter passwords and usernames during the login process. Telnet users are usually authenticated in this mode.

Priority of a User Interface

Users that log in to the router are managed according to their levels.

Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the

number, the higher the user level.

The level of the command that a user can run is determined by the level of this user.

• In the case of non-authentication or password authentication, the level of the command that the user can run is determined by the level of the user interface.

• In the case of AAA authentication, the command that the user can run is determined by the level of the local user specified in the AAA configuration.

4.2 Configuring the Console User Interface

When a user logs in to the router by using a console port for local maintenance, you can configure attributes for the corresponding console user interface as needed.

4.2.1 Establishing the Configuration Task

Before configuring the console user interface, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the required data. This can help

you complete the configuration task quickly and accurately.

Applicable Environment

If you need to log in to the router for local maintenance by using a console port, you can configure

the corresponding console user interface, including the physical attributes, terminal attributes,

user priority, and user authentication mode. The preceding parameters have default values on

the router and additional configuration is not needed. You can configure these parameters as

needed.

Pre-configuration Tasks

Before configuring a console user interface, complete the following tasks:

• Logging in to the router by using a terminal

Data Preparation

To configure a console user interface, you need the following data.

No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, number of lines displayed in a terminal screen, and the size of history command buffer
3    User priority
4    User authentication method, user name, and password

NOTE

All the default values (excluding the password and username) are stored on the router and do not need additional configuration.

4.2.2 Setting Physical Attributes of Console User Interface

You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console port.

Context

Physical attributes of a console port have default values on the router and no additional

configuration is needed.

NOTE

When a user logs in to a router through a console port, the physical attributes set for the console port on

the HyperTerminal should be consistent with the attributes of the console user interface on the router.

Otherwise, the user cannot log in to the router.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface console interface-number 

The console user interface view is displayed.

Step 3 Run:

speed speed-value

The baud rate is set.

By default, the baud rate is 9600 bit/s.

Step 4 Run:

flow-control { hardware | none | software }

The flow control mode is set. By default, the flow-control mode is none.

Step 5 Run:

parity { even | none | odd }

The parity mode is set.

By default, the value is none.

Step 6 Run:

stopbits { 1.5 | 1 | 2 }

The stop bit is set.

By default, the value is 1 bit.

Step 7 Run:

databits { 5 | 6 | 7 | 8 }

The data bit is set.

By default, the data bit is 8.

----End

4.2.3 Setting Terminal Attributes of Console User Interface

This section describes how to set terminal attributes of the console user interface, including the

user timeout disconnection function, number of lines displayed in a terminal screen, and size of 

the history command buffer.

Context

Terminal attributes of the console user interface have default values on the router and you can

set them as needed.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface console interface-number 

The console user interface view is displayed.

Step 3 Run:

shell

The terminal service is started.

Step 4 Run:

idle-timeout minutes [ seconds ]

The idle timeout period is set.

If the connection stays idle for the entire timeout period, the system automatically terminates the connection.

By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run:

screen-length screen-length [ temporary ]

The length of a terminal screen is set.

The temporary parameter specifies the number of lines to be displayed on a terminal screen temporarily.

By default, the length of a terminal screen is 24 lines.

Step 6 Run:

history-command max-size size-value

The history command buffer is set.

By default, the size of history command buffer on a user interface is 10 entries.

----End

4.2.4 Configuring User Priority of Console User Interface

This section describes how to configure the user priority, which controls the authority of users who log in to the router and improves the security of managing the router.

Context

• Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

• This process sets the priority for a user who logs in through the console port. A user can use only the commands whose level corresponds to the user level.

For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface console interface-number 

The console user interface view is displayed.

Step 3 Run:

user privilege level level

The priority of the user is set.

NOTE

• By default, users logging in through the console user interface can use commands at level 15, and users logging in through other user interfaces can use commands at level 0.

• If the command level is inconsistent with the user level, the user level takes precedence.

----End

4.2.5 Configuring the User Authentication Mode of the Console User Interface

The system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the router.

Context

By default, the user authentication mode of the console user interface is non-authentication.

Procedure

• Configuring AAA Authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface console interface-number 

The console user interface view is displayed.

3. Run:

authentication-mode aaa

The authentication mode is set to AAA.

4. Run:

quit

Exit from the console user interface view.

5. Run:

aaa

The AAA view is displayed.

6. Run:

local-user user-name password { simple | cipher } password

The name and password of the local user are created.

• Configuring Password Authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface console interface-number

The console user interface view is displayed.

3. Run:

authentication-mode password

The authentication mode is set to password authentication.

4. Run:

set authentication password { cipher | simple } password

A password for authentication is set.

• Configuring Non-Authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface console interface-number 

The console user interface view is displayed.

3. Run:

authentication-mode none

The authentication mode is set to non-authentication.

----End

4.2.6 Checking the Configuration

After configuring the console user interface, you can view information about the user interface, physical attributes and configurations of the user interface, local user list, and online users.

Prerequisite

The configurations of the user management function are complete.

Procedure

• Run the display users [ all ] command to check information about the user interface.

• Run the display user-interface console ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.

• Run the display local-user command to check the local user list.

----End

Example

Run the display users command, and you can view information about the current user interface.

<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0   00:00:44                            pass            no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command, and you can view

the physical attributes and configurations of the user interface.

<Huawei> display user-interface console 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600     -     3     -           N     -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.

Run the display local-user command, and you can view the local user list.

<Huawei> display local-user
  ----------------------------------------------------------------------------
  User-name                      State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  admin                          A      H         -
  ftp                            A      F         -
  guest                          A      A         15
  ----------------------------------------------------------------------------
  Total 3 user(s)

4.3 Configuring VTY User Interface

If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you can configure the corresponding VTY user interface as needed.

4.3.1 Establishing the Configuration Task

Before configuring the VTY user interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you

can configure the corresponding VTY user interface, including the maximum number of VTY

user interfaces, limit of incoming and outgoing calls, user priority, and user authentication mode.

The preceding parameters have default values on the router. You can also set these parameters

as needed.

Pre-configuration Tasks

Before configuring VTY user interface, complete the following tasks:

• Logging in to the router by using a terminal

Data Preparation

To configure a VTY user interface, you need the following data.

No.  Data
1    Maximum VTY user interfaces
2    (Optional) ACL number used to limit incoming and outgoing calls of the VTY user interface
3    Idle timeout period, number of characters in each line displayed in a terminal screen
4    User priority
5    User authentication method, user name, and password

NOTE

All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user 

interfaces, password, and user name) have default values on the router, and no additional configuration is

needed.

4.3.2 Configuring Maximum VTY User Interfaces

This section describes how to limit the number of users logging in to the router by configuring

the maximum number of VTY user interfaces.

Context

The maximum number of VTY user interfaces is the total number of users logging in to the router by using Telnet and SSH.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface maximum-vty number 

The maximum number of VTY user interfaces through which users can log in to the router is set. By default, the maximum number of VTY users is 5.

NOTE

When the maximum number of VTY user interfaces is set to zero, no user (including the NMS user) can log in to the router by using a VTY user interface.

If the maximum number of VTY user interfaces to be configured is smaller than the maximum number of current interfaces, current online users will not be affected and no additional configuration is needed.

If the maximum number of VTY user interfaces to be configured is larger than the maximum number of current interfaces, the authentication mode and password need to be configured for newly added user interfaces.

For newly added user interfaces, the system defaults to password authentication.

For example, a maximum of five users are allowed online. To allow 15 VTY users online at the same time, you need to run the authentication-mode command and the set authentication password command to configure authentication modes and passwords for user interfaces from VTY 5 to VTY 14. The commands are run as follows:

<Huawei> system-view
[Huawei] user-interface maximum-vty 15
[Huawei] user-interface vty 5 14
[Huawei-ui-vty5-14] authentication-mode password
[Huawei-ui-vty5-14] set authentication password cipher huawei

----End

4.3.3 (Optional) Setting Limit on Incoming and Outgoing Calls of VTY User Interfaces

This section describes how to configure an ACL to limit incoming and outgoing calls of the

VTY user interface.

Context

Before setting the limit on incoming and outgoing calls of the VTY user interface, run the acl

command in the system view to create an ACL and enter the ACL view. Then, run the rule

command to add rules to the ACL.

NOTE

• The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging from 3000 to 3999.

• For details of ACL configuration, refer to the Huawei AR1200-S Series Enterprise Routers Configuration Guide - Security.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:

acl acl-number { inbound | outbound }

The limits on incoming and outgoing calls of the VTY user interface are configured.

• To prevent users at a certain address or address segment from logging in to the router, specify inbound.

• To prevent a user who has logged in to the router from accessing other routers, specify outbound.

----End

4.3.4 Setting Terminal Attributes of the VTY User Interface

This section describes how to configure terminal attributes of the VTY user interface, including user idle timeout, number of lines displayed in a terminal screen, and size of the history command buffer.

Context

Terminal attributes of the VTY user interface have default values on the router and you can set them as needed.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:

shell

VTY terminal service is enabled.

Step 4 Run:

idle-timeout minutes [ seconds ]

User idle timeout is enabled.

If the connection stays idle for the entire timeout period, the system automatically terminates the connection.

By default, the timeout period is 10 minutes.

Step 5 Run:

screen-length screen-length [ temporary ]

The length of a terminal screen is set.

The temporary parameter specifies the number of lines to be displayed on a terminal screen temporarily.

By default, the length of a terminal screen is 24 lines.

Step 6 Run:

history-command max-size size-value

Set the size of the history command buffer.

By default, a maximum number of 10 commands can be cached in the history command buffer.

----End

4.3.5 Setting User Priority of VTY User Interface

This section describes how to configure the user priority, which controls the authority of users who log in to the router and improves the security of managing the router.

Context

• Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

• This process sets the priority for a user who logs in through the console port. A user can use only the commands whose level corresponds to the user level.

For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:

user privilege level level

The user priority is set.

By default, users logging in through the VTY user interface can use commands at level 0.

NOTE

If the command level configured in the VTY user interface view is inconsistent with the user priority, the

user priority takes effect.

----End

4.3.6 Setting User Authentication Mode of the VTY User Interface

The system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the router.

Context

By default, the user authentication mode of the VTY user interface is password authentication.

Procedure

• Configuring AAA Authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

3. Run:

authentication-mode aaa

The authentication mode is set to AAA.

4. Run:

quit

Exit from the VTY user interface view.

5. Run:

aaa

The AAA view is displayed.

6. Run:

local-user user-name password { simple | cipher } password

The name and password of the local user are created.

• Configuring Password Authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

3. Run:

authentication-mode password

The authentication mode is set to password authentication.

4. Run:

set authentication password { cipher | simple } password

A password for this authentication mode is set.

• Configuring Non-Authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

3. Run:

authentication-mode none

The authentication mode is set to none.

----End

4.3.7 Checking the Configuration

After configuring the VTY user interface, you can view information about user interfaces, the

maximum number of VTY user interfaces, and physical attributes and configurations of user 

interfaces.

Prerequisite

The configurations of the VTY user interface are complete.

Procedure

• Run the display users [ all ] command to check information about user interfaces.

• Run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.

• Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of user interfaces.

• Run the display local-user command to check the local user list.

• Run the display vty mode command to check the VTY mode.

----End

Example

Run the display users command, and you can view information about the current user interfaces.

<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0   00:00:12  TEL   10.138.77.38                        no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL   10.138.77.57                        no
  Username : Unspecified

Run the display user-interface maximum-vty command, and you can view the maximum

number of VTY user interfaces.

<Huawei> display user-interface maximum-vty
Maximum of VTY user:15

Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check 

the physical attributes and configurations of user interfaces.

<Huawei> display user-interface vty 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0             -     14    14          N     -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
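The Auth and Privi columns of this output are what an access review needs, because under non-authentication or password authentication the level of the user interface decides which commands a login can run. The following Python check is an added example, not part of the Huawei guide: it parses display user-interface output and flags such lines. Its sample rows are constructed, and the max_password_level threshold is an assumed policy value.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout of `display user-interface`;
# these rows are illustrative and were not captured from a real router.
SAMPLE_OUTPUT = """\
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600     -     3     -           N     -
+ 34   VTY 0             -     14    14          N     -
  35   VTY 1             -     0     -           P     -
  36   VTY 2             -     15    -           P     -
  37   VTY 3             -     15    -           A     -
+ : Current UI is active.
F : Current UI is active and work in async mode.
"""

# One table row. Tx/Rx is empty on VTY lines, so that column is optional.
# Header and legend lines never match because they have no numeric Idx.
ROW = re.compile(
    r"^\s*(?P<flag>[+F])?\s*(?P<idx>\d+)\s+(?P<type>CON|TTY|VTY)\s+(?P<rel>\d+)\s+"
    r"(?:(?P<speed>\d+)\s+)?(?P<modem>\S+)\s+(?P<privi>\d+)\s+"
    r"(?P<actual>\d+|-)\s+(?P<auth>[ANP])\s+(?P<loc>\S+)\s*$"
)


@dataclass(frozen=True)
class UserInterface:
    index: int       # absolute number (Idx column)
    name: str        # type and relative number, e.g. "VTY 0"
    active: bool     # "+" or "F" flag in front of the row
    privilege: int   # Privi column: level configured on the interface
    auth: str        # Auth column: A (AAA), P (password), N (none)


def parse_user_interfaces(text):
    """Return one UserInterface per table row found in the command output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(UserInterface(
                index=int(m["idx"]),
                name=f"{m['type']} {m['rel']}",
                active=m["flag"] is not None,
                privilege=int(m["privi"]),
                auth=m["auth"],
            ))
    return rows


def audit(interfaces, max_password_level=1):
    """Flag lines whose interface level is granted without a username.

    With Auth N or P the user-interface level decides which commands can be
    run, so Privi is what any login on that line receives. With Auth A the
    level comes from the local user in the AAA configuration instead.
    max_password_level is an assumed policy threshold, not a Huawei default.
    """
    findings = []
    for ui in interfaces:
        if ui.auth == "N":
            detail = f"no authentication, grants level {ui.privilege}"
            if ui.active:
                detail += ", session currently active"
            findings.append((ui.name, "no-auth", detail))
        elif ui.auth == "P" and ui.privilege > max_password_level:
            detail = f"shared password only, grants level {ui.privilege}"
            findings.append((ui.name, "password-only", detail))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(parse_user_interfaces(SAMPLE_OUTPUT)):
        print(f"{name:6} {kind:14} {detail}")
```
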

Run the display local-user command, and you can view the local user list.

<Huawei> display local-user
  ----------------------------------------------------------------------------
  User-name                      State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  admin                          A      H         -
  ftp                            A      F         -
  guest                          A      A         15
  ----------------------------------------------------------------------------
  Total 3 user(s)

Run the display vty mode command, and you can view the prompt message indicating that the

machine-to-machine interface is enabled. For example:

<Huawei> display vty mode
current VTY mode is Machine-Machine interface

4.4 Configuring a TTY User Interface

The True Type Terminal (TTY) user interface view is a command line view and is used to

configure and manage physical interfaces working in asynchronous and interactive mode.

4.4.1 Establishing the Configuration Task

Before configuring the TTY user interface, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the required data. This can help you complete

the configuration task quickly and accurately.

Applicable Environment

If you need to log in to the router for local maintenance by using an asynchronous serial port, you can configure the corresponding TTY user interface, including the physical attributes, terminal attributes, and user priority. The preceding parameters have default values on the router and additional configuration is not needed. You can configure these parameters as needed.

Pre-configuration Tasks

Before configuring a TTY user interface, complete the following tasks:

• Logging in to the router by using a terminal

Data Preparation

To configure a TTY user interface, you need the following data.

No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, number of lines displayed in a terminal screen, and the size of history command buffer
3    User priority

NOTE

All the default values (excluding the password and username) are stored on the router and do not need

additional configuration.

4.4.2 Setting Physical Attributes of a TTY User Interface

You can configure the rate, flow control mode, parity mode, stop bit, and data bit for an

asynchronous serial port.

Context

Physical attributes of an asynchronous serial port have default values on a router and no

additional configuration is needed.

NOTE

• If you need to log in to a router through an asynchronous serial port, install an SA or SA board on the router. If an SA board is installed, set the interface working mode to asynchronous mode on the SA board.

• The Hyper Terminal and router must use the same physical attributes, including the baud rate, flow control mode, parity mode, stop bit, and data bit. If values of any attributes are different, you cannot log in to the router.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface TTY interface-number 

The TTY user interface view is displayed.


After a board registers successfully and a serial port on the board is configured to work in asynchronous mode, the router generates a random TTY number for the asynchronous serial port. To view the TTY number, run the display user-interface command.

Step 3 Run:

speed speed-value

The baud rate is set.

By default, the baud rate is 9600 bit/s.

Step 4 Run:

flow-control { hardware | none | software }

The flow control mode is set. By default, the flow-control mode is none.

Step 5 Run:

parity { even | none | odd }

The parity mode is set.

By default, the value is none.

Step 6 Run:

stopbits { 1.5 | 1 | 2 }

The stop bit is set.

By default, the value is 1 bit.

Step 7 Run:

databits { 5 | 6 | 7 | 8 }

The data bit is set.

By default, the data bit is 8.

----End

4.4.3 Setting Terminal Attributes of TTY User Interface

This section describes how to set terminal attributes of the TTY user interface, including the

user timeout disconnection function, number of lines displayed in a terminal screen, and size of 

the history command buffer.

Context

Terminal attributes of the TTY user interface have default values on the router and you can set

them as needed.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface tty interface-number


The TTY user interface view is displayed.

Step 3 Run:

shell

The terminal service is started.

Step 4 Run:

idle-timeout minutes [ seconds ]

The idle timeout period is set.

If the connection stays idle for the whole timeout period, the system automatically terminates the connection.

By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run:

screen-length screen-length [temporary]

The length of a terminal screen is set.

The temporary parameter sets the number of lines that are temporarily displayed on a terminal screen.

By default, the length of a terminal screen is 24 lines.

Step 6 Run:

history-command max-size size-value

The history command buffer is set.

By default, the size of history command buffer on a user interface is 10 entries.

----End

4.4.4 Configuring User Priority of TTY User Interface

This section describes how to control users' rights to log in to the router and improve the security of router management by configuring the user priority.

Context

• Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

• This procedure sets the priority for a user who logs in through the asynchronous serial port. A user can use only the commands whose level corresponds to the user level.

For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:


user-interface tty interface-number 

The TTY user interface view is displayed.

Step 3 Run:

user privilege level level

The priority of the user is set.

NOTE

• By default, users logging in through the TTY user interface can use commands at level 3, and users logging in through other user interfaces can use commands at level 0.

• If the command level is inconsistent with the user level, the user level takes precedence.

----End

4.4.5 Configuring the Authentication Mode on a TTY User Interface

Context

By default, users are not authenticated on a TTY user interface.

Procedure

• Configuring AAA authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface tty first-ui-number [ last-ui-number ]

The TTY user interface view is displayed.

3. Run:

authentication-mode aaa

The authentication mode is set to AAA authentication.

4. Run:

quit

Exit the TTY user interface view.

5. Run:

aaa

The AAA view is displayed.

6. Run:

local-user user-name password { simple | cipher } password

The local user name and password are configured.

• Configuring password authentication

1. Run:

system-view

The system view is displayed.


2. Run:

user-interface tty first-ui-number [ last-ui-number ]

The TTY user interface view is displayed.

3. Run:

authentication-mode password

The authentication mode is set to password authentication.

4. Run:

set authentication password { cipher | simple } password 

The authentication password is configured.

• Configuring non-authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface tty first-ui-number [ last-ui-number ]

The TTY user interface view is displayed.

3. Run:

authentication-mode none

The authentication mode is set to none.

----End

4.4.6 Checking the Configuration

After configuring the TTY user interface, you can view information about the user interface, physical attributes and configurations of the user interface, local user list, and online users.

Prerequisite

The configurations of the user management function are complete.

Procedure

• Run the display users [ all ] command to check information about the user interface.

• Run the display user-interface tty ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.

----End

Example

Run the display users command, and you can view information about the current user interface.

<Huawei> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   TTY 0   00:00:44
  Username : Unspecified

Run the display user-interface tty ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.


<Huawei> display user-interface tty 17
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  17   TTY 17   9600       -     0     -           N     2/0/0
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

4.5 Configuration Examples

This section provides examples for configuring console, TTY user interfaces, and VTY user interfaces. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

4.5.1 Example for Configuring Console User Interface

This part provides an example describing how to configure the console user interface. In this configuration example, to allow a user in password authentication mode to log in to the router by using a console user interface, multiple attributes of the console user interface are set, including physical attributes, terminal attributes, user priority, user authentication mode, and password.

Networking Requirements

To initialize configurations of the router or locally maintain the router, a user can log in to the

router through a console user interface. To allow the user to log in, you can set attributes of the

console user interface as needed (for security reasons, for example).

In the console user interface view, the password authentication mode is set (the password is

huawei).

After a user logs in, if the user takes no action on the router for more than 30 minutes, the

connection between the user and the router is torn down.

Configuration Roadmap

The configuration roadmap is as follows:

1. Enter the interface view and set physical attributes of the console user interface.

2. Set terminal attributes of the console user interface.

3. Set the user priority of the console user interface.

4. Set the user authentication mode and password of the console user interface.

By default, the terminal service is enabled on all the user interfaces. If the terminal service is

disabled, run the shell command to enable the terminal service.

Data Preparation

To complete the configuration, you need the following data:


• Transmission rate of the console user interface: 4800 bit/s

• Flow control mode of the console user interface: None

• Parity of the console user interface: even

• Stop bit of the console user interface: 2

• Data bit of the console user interface: 8

• Timeout period for disconnecting from the console user interface: 30 minutes

• Number of lines that a terminal screen displays: 30

• Size of the history command buffer: 20

• User authentication mode: password (password: huawei)

Procedure

Step 1 Set physical attributes of the console user interface.

<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] speed 4800
[Huawei-ui-console0] flow-control none
[Huawei-ui-console0] parity even
[Huawei-ui-console0] stopbits 2
[Huawei-ui-console0] databits 8

Step 2 Set terminal attributes of the console user interface.

[Huawei-ui-console0] shell
[Huawei-ui-console0] idle-timeout 30
[Huawei-ui-console0] screen-length 30
[Huawei-ui-console0] history-command max-size 20

Step 3 Set the user authentication mode in the console user interface to password.

[Huawei-ui-console0] authentication-mode password
[Huawei-ui-console0] set authentication password simple huawei
[Huawei-ui-console0] quit

After the console user interface is configured, a user in password authentication mode can log in to the router through a console port, implementing local maintenance of the router. For details on how a user logs in to the router, see 5 Configuring User Login.

----End

Configuration Files

#
sysname Huawei
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 databits 8
 parity even
 stopbits 2
 speed 4800
 screen-length 30
#
return


4.5.2 Example for Configuring VTY User Interface

This part provides an example describing how to configure the VTY user interface. In this configuration example, to allow a user in password authentication mode to log in to the router by using Telnet, multiple attributes of the VTY user interface are set, including the maximum number of VTY user interfaces, call-in and call-out limit, terminal attributes, authentication mode, and password.

Networking Requirements

A user logs in to the router through a VTY channel by using Telnet or SSH. To allow the user to log in, an operator can set attributes of the VTY user interface as needed (for security reasons, for example).

In the VTY user interface, the user priority is set to 15, the authentication mode is set to password, with the password of "huawei", and the user with the IP address of 10.1.1.1 is prohibited from logging in to the router.

After logging in, if the user takes no action on the router for more than 30 minutes, the connection between the user and the router is torn down.

Configuration Roadmap

The configuration roadmap is as follows:

1. Enter the interface view and set the maximum number of VTY user interfaces to 15.

2. Set the call-in and call-out limit of the VTY user interface, limiting the access of an IP

address or an IP address segment to the router.

3. Set terminal attributes of the VTY user interface.

4. Set the user priority in the VTY user interface.

5. Set the authentication mode and password in the VTY user interface.

Data Preparation

To complete the configuration, you need the following data:

• Maximum number of VTY user interfaces: 15

• ACL applied to limit call-in in the VTY user interface: 2000

• Timeout period for disconnecting from the VTY user interface: 30 minutes

• Number of lines that a terminal screen displays: 30

• Size of the history command buffer: 20

• User priority: 15

• User authentication mode: password, password: huawei

Procedure

Step 1 Set the maximum number of VTY user interfaces.

<Huawei> system-view
[Huawei] user-interface maximum-vty 15

Step 2 Set the limit on call-in and call-out in the VTY user interface.

[Huawei] acl 2000


[Huawei-acl-basic-2000] rule deny source 10.1.1.1 0
[Huawei-acl-basic-2000] rule permit source any
[Huawei-acl-basic-2000] quit
[Huawei] user-interface vty 0 14
[Huawei-ui-vty0-14] acl 2000 inbound

Step 3 Set terminal attributes of the VTY user interface.

[Huawei-ui-vty0-14] shell
[Huawei-ui-vty0-14] idle-timeout 30
[Huawei-ui-vty0-14] screen-length 30
[Huawei-ui-vty0-14] history-command max-size 20

Step 4 Set the user priority in the VTY user interface.

[Huawei-ui-vty0-14] user privilege level 15

Step 5 Set the authentication mode and password in the VTY user interface.

[Huawei-ui-vty0-14] authentication-mode password
[Huawei-ui-vty0-14] set authentication password simple huawei
[Huawei-ui-vty0-14] quit

After the VTY user interface is configured, a user authenticated in password mode can log in to the router by using Telnet or SSH (STelnet), implementing local or remote maintenance of the router. For details on how a user logs in to the router, see 5 Configuring User Login.

----End

Configuration Files

#
sysname Huawei
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
#
return

4.5.3 Example for Configuring TTY User Interface

This document describes the configurations of the TTY user interface, including physical

attributes, terminal attributes, and user priorities.

Networking Requirements

To initialize configurations of the router or locally maintain the router, a user can log in to the

router through a TTY user interface. To allow the user to log in, you can set attributes of the

TTY user interface.

After a user logs in, if the user takes no action on the router for more than 30 minutes, the

connection between the user and the router is torn down.

Configuration Roadmap

The configuration roadmap is as follows:


1. Enter the interface view and set physical attributes of the TTY user interface.

2. Set terminal attributes of the TTY user interface.

3. Set the user priority of the TTY user interface.

NOTE

By default, the terminal service is enabled on all user interfaces. If the terminal service is disabled, run the

shell command to enable the terminal service.

Data Preparation

To complete the configuration, you need the following data:

• Transmission rate of the TTY user interface: 4800 bit/s

• Flow control mode of the TTY user interface: None

• Parity of the TTY user interface: even

• Stop bit of the TTY user interface: 2

• Data bit of the TTY user interface: 6

• Timeout period for disconnecting from the TTY user interface: 30 minutes

• Number of lines that a terminal screen displays: 30

• Size of the history command buffer: 20

Procedure

Step 1 Set physical attributes of the TTY user interface.

<Huawei> system-view
[Huawei] user-interface tty 0
[Huawei-ui-tty1] speed 4800
[Huawei-ui-tty1] flow-control none
[Huawei-ui-tty1] parity even
[Huawei-ui-tty1] stopbits 2
[Huawei-ui-tty1] databits 6

Step 2 Set terminal attributes of the TTY user interface.

[Huawei-ui-tty1] shell
[Huawei-ui-tty1] idle-timeout 30
[Huawei-ui-tty1] screen-length 30
[Huawei-ui-tty1] history-command max-size 20

Step 3 Set the user priority of the TTY user interface.

[Huawei-ui-tty1] user privilege level 15

----End

Configuration Files

#
sysname Huawei
#
user-interface TTY 1
 user privilege level 15
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 databits 6
 parity even
 stopbits 2
 speed 4800


 screen-length 30

#

return
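An added example, not part of the Huawei guide: a Python auditor that reads a configuration file in the format of the Configuration Files listings in 4.5.1 to 4.5.3 and flags the login weaknesses those listings contain (unauthenticated TTY lines, passwords stored with simple, a shared line password at level 15, VTY lines without an inbound ACL). The function names, finding tags and the merged sample configuration are this example's own constructions, and the idle-timeout 0 0 check relies on VRP behaviour that this page does not state.

```python
import re
from typing import Dict, List, NamedTuple

# Defaults as stated in this guide: TTY lines are unauthenticated by default,
# VTY lines default to password authentication. The console default is not
# stated in this chapter, so it is treated as unknown (None).
DEFAULT_AUTH = {"tty": "none", "vty": "password"}
HEADER = re.compile(r"user-interface\s+(con(?:sole)?|tty|vty)\s+(\d+(?:\s+\d+)?)$", re.I)

class Finding(NamedTuple):
    interface: str  # e.g. "vty 0 14"
    issue: str      # tag defined by this example, not by VRP
    detail: str

def parse_user_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'user-interface <type> <n> [m]' block to its indented settings."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            kind = header.group(1).lower()
            kind = "con" if kind.startswith("con") else kind
            current = f"{kind} {' '.join(header.group(2).split())}"
            blocks[current] = []
        elif current is not None and raw[0].isspace():
            blocks[current].append(line)
        else:
            current = None  # '#', 'return' or another top-level command
    return blocks

def audit(config: str) -> List[Finding]:
    """Flag weak login settings in every user-interface block."""
    findings: List[Finding] = []
    for name, settings in parse_user_interfaces(config).items():
        kind = name.split()[0]
        auth = DEFAULT_AUTH.get(kind)
        level, inbound_acl = None, False
        for setting in settings:
            tok = setting.split()
            if tok[0] == "authentication-mode" and len(tok) == 2:
                auth = tok[1]
            elif tok[:3] == ["user", "privilege", "level"] and len(tok) == 4 and tok[3].isdigit():
                level = int(tok[3])
            elif tok[:4] == ["set", "authentication", "password", "simple"]:
                # Never echo the password itself into the report.
                findings.append(Finding(name, "plaintext-password",
                                        "line password stored with 'simple'; use 'cipher'"))
            elif tok[0] == "acl" and tok[-1] == "inbound":
                inbound_acl = True
            elif tok[0] == "idle-timeout" and len(tok) > 1 and all(t == "0" for t in tok[1:]):
                # VRP behaviour not stated on this page: 0 0 disables the timeout.
                findings.append(Finding(name, "idle-timeout-disabled",
                                        "idle sessions are never disconnected"))
        if auth == "none":
            shown = "default" if level is None else str(level)
            findings.append(Finding(name, "no-authentication",
                                    f"login needs no credentials (privilege level: {shown})"))
        elif auth == "password" and level == 15:
            findings.append(Finding(name, "shared-password-level-15",
                                    "one shared line password grants level 15; prefer AAA users"))
        if kind == "vty" and not inbound_acl:
            findings.append(Finding(name, "no-inbound-acl",
                                    "any source address may attempt a VTY login"))
    return findings

# Constructed sample: the three "Configuration Files" listings from 4.5.1 to
# 4.5.3 merged into one file (terminal and physical attributes trimmed).
SAMPLE_CONFIG = """\
sysname Huawei
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
user-interface TTY 1
 user privilege level 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 set authentication password simple huawei
#
return
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.interface:<9} {f.issue:<26} {f.detail}")
```

On the merged sample the TTY line is reported as unauthenticated at level 15 because 4.5.3 never sets an authentication mode, which matches the default stated in 4.4.5.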


5 Configuring User Login

About This Chapter

A user can log in to the router through a console port, or by using Telnet or SSH (STelnet). After 

the login, the user can maintain the router locally or remotely.

5.1 Overview of User Login

Users can manage and maintain the router only after logging in to the router. Users can log in to the router by using the console port, Telnet, or STelnet (SSH Telnet).

5.2 Logging in to the Devices Through the Console Port

When a user needs to configure the router that is powered on for the first time or locally maintain

the router, the user can log in to the router through a console port.

5.3 Logging in to the Devices by Using Telnet

If multiple routers need to be configured and managed, you do not need to connect the routers

and maintain them locally one by one. Instead, you can log in to the routers from a terminal by

using Telnet. This implements remote maintenance of the router and greatly facilitates device

management.

5.4 Logging in to the Devices by Using STelnet

STelnet provides secured remote access over an insecure network. After the client/server 

negotiation is complete and a secured connection is established, a user can log in to the router 

in a similar way as Telnet.

5.5 Common Operations After Login

After logging in to the router, you can perform operations such as user priority switching and terminal window locking as needed.

5.6 Configuration Examples

This section provides several examples describing how to configure user login by using a console port, Telnet, or STelnet. You can understand the configuration procedures by referring to the configuration flowchart. The configuration examples provide information about the networking requirements, configuration notes, and configuration roadmap.


5.1 Overview of User Login

Users can manage and maintain the router only after logging in to the router. Users can log in to the router by using the console port, Telnet, or STelnet (SSH Telnet).

To configure, monitor, and maintain the local or remote network devices running AR1200-S,

you need to configure the user interface, the user management, and the terminal service.

The user interface provides a login plane. The user management guarantees the login security

and the terminal service provides related processes of login protocol.

The AR1200-S supports the following login methods:

• Login through the console port

• Local or remote login through Telnet or STelnet

Table 5-1 User login modes

Login Mode       Application
Console port     Users log in to the router through the console port to configure the router locally. Login through the console port is required when the router is powered on for the first time.
Telnet           Users log in to the router by using Telnet for local and remote maintenance. Telnet helps users maintain remote devices but brings security threats.
SSH (STelnet)    SSH (STelnet) provides security protection for users logging in to the router to maintain the router locally or remotely.

 

NOTE

Logins by using Telnet bring security risks because no secure authentication mechanism is available and

data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees secure data transmission

on a conventional insecure network by authenticating the client and encrypting data in both directions. SSH

supports security Telnet (STelnet).

For detailed information about SSH, see the AR1200-S Feature Description - Basic Configurations.

5.2 Logging in to the Devices Through the Console Port

When a user needs to configure the router that is powered on for the first time or locally maintain

the router, the user can log in to the router through a console port.

5.2.1 Establishing the Configuration Task

Before configuring user login through a console port, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the required data. This will help

you complete the configuration task quickly and accurately.


Applicable Environment

A user can log in to the router locally through a console port. If the router is powered on for the

first time, the user has to log in through a console port.

Pre-configuration Tasks

Before configuring user login through a console port, complete the following tasks:

• Configuring the PC/terminal (including the serial port and RS-232 cable)

• Installing the terminal emulator (such as HyperTerminal of Windows XP) to the PC

Data Preparation

To configure user login through a console port, you need the following data.

No.  Data
1    • Transmission rate, flow control mode, parity mode, stop bit, data bit
     • Number of lines displayed in a terminal screen, size of the history command buffer
     • User priority
     • User authentication mode, user name, and password

 

5.2.2 Configuring Console User Interface

To allow users to log in to the router through a console port, configure attributes of the console user interface.

Context

Attributes of a console user interface have default values on the router, and generally need no additional settings. To meet specific application requirements or ensure network security, you can set attributes of the console user interface, such as terminal attributes and user authentication mode.

For detailed settings, see Configuring Console User Interface.

5.2.3 Logging in to the router Through a Console Port

A user can log in to the router by connecting a terminal with the router through a console port.

Context

For details, see Login Through the Console Port.

NOTE

• Communication parameters of the user terminal must be consistent with the physical attribute parameters of the console user interface on the router.

• If a user authentication mode is specified in the console user interface, a user can log in to the router only after passing the authentication. This enhances network security.


5.2.4 Checking the Configuration

After a user logs in through a console port, the user can view information on the console user interface, such as user information, physical attributes and configurations, local user list, and online users.

Prerequisite

Configurations of user login through a console port are complete.

Procedure

• Run the display users [ all ] command to check information about the user interface.

• Run the display user-interface console ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.

• Run the display local-user command to check the local user list.

----End

Example

Run the display users command, and you can view information about the current user interface.

<Huawei> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0   00:00:44                             pass            no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command, and you can view

the physical attributes and configurations of the user interface.

<Huawei> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command, and you can view the local user list.

<Huawei> display local-user
  ----------------------------------------------------------------------------
  User-name                      State  AuthMask  AdminLevel
  ----------------------------------------------------------------------------
  admin                          A      H         -
  ftp                            A      F         -
  guest                          A      A         15
  ----------------------------------------------------------------------------
  Total 3 user(s)

5.3 Logging in to the Devices by Using Telnet

If multiple routers need to be configured and managed, you do not need to connect the routers and maintain them locally one by one. Instead, you can log in to the routers from a terminal by


using Telnet. This implements remote maintenance of the router and greatly facilitates device

management.

5.3.1 Establishing the Configuration Task

Before configuring user login by using Telnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

If you know the IP address of the router to be accessed, you can log in to the router from a terminal by using Telnet, and remotely maintain the device. This allows you to maintain multiple routers on the same terminal, greatly facilitating device management.

Note that IP addresses of the routers need to be preset through console ports.

Pre-configuration Tasks

Before configuring user login in Telnet mode, complete the following tasks:

• Configuring reachable routes between the terminal and the device

Data Preparation

Before configuring user login in Telnet mode, you need the following data.

No.  Data
1    • Maximum number of VTY user interfaces
     • (Optional) ACL for limiting call-in and call-out in VTY user interfaces
     • Connection timeout period of terminal users, number of lines displayed in a terminal screen, size of the history command buffer
     • User priority
     • User authentication mode, user name, password
2    TCP port number for the remote router to provide Telnet services, VPN instance name
3    IPv4 address or host name of the router

5.3.2 Configuring VTY User Interface

To log in to the router by using Telnet, configure attributes of the VTY user interface.

Context

By default, the user authentication mode in the VTY user interface is password. Therefore, before a user logs in to the router by using Telnet, the user authentication mode in the VTY user interface must be set. Otherwise, the user cannot log in to the router.


You can log in to the router through a console port to set the user authentication mode in the

VTY user interface.

Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values.

For detailed settings, see Configuring VTY User Interface.

5.3.3 (Optional) Configuring Local Telnet Users

If the user authentication mode is AAA in the VTY user interface, the access type of local users

needs to be specified. Local users with the access type of Telnet are Telnet users.

Context

If the user authentication mode of the VTY user interface is non-authentication or password authentication, the following configurations are not needed.

By default, a local user can apply for any access type. You can specify an access type to allow

only users configured with the specified access type to log in to the router.

Do as follows on the router that functions as a Telnet server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.

Step 3 Run:

local-user user-name password { simple | cipher } password

The local user name and password are set.

----End

5.3.4 Enabling the Telnet Service

Before a terminal establishes a Telnet connection with the router, enable the Telnet server 

function on the router.

Context

By default, the function of the Telnet server is enabled.

Do as follows on the router that serves as a Telnet server.

Procedure

Step 1 For the IPv4 network

1. Run: system-view

The system view is displayed.

2. Run: telnet server enable

The Telnet service is enabled.

Step 2 For the IPv6 network

1. Run: system-view

The system view is displayed.

2. Run: telnet ipv6 server enable

The Telnet service is enabled.

NOTE

• If the undo telnet [ipv6] server enable command is run when a user logs in by using Telnet, the command does not take effect.

• After the Telnet server function is disabled, you can log in to the device only using SSH or an asynchronous serial port rather than using Telnet.

----End

5.3.5 Logging in to the router by Using Telnet

After the router is configured, you can log in to the router from a terminal by using Telnet, implementing remote maintenance of the router.

Context

If you need to log in to the router by using Telnet, you can use either the Windows command line or third-party software on the terminal. In this part, the Windows command line prompt is used.

Do as follows on the user terminal:

Procedure

Step 1 Use the Windows command line.

Step 2 Run the telnet ip-address command to connect to the router by using Telnet.

1. Input the IP address of the Telnet server.

2. Press "Enter" to display the command line prompt of the system view, such as

<HUAWEI>. This indicates that you have accessed the Telnet server.

 

----End

5.3.6 Checking the Configuration

After users log in to the system by using Telnet, you can view the connection status of the current

user interface, connection status of each user interface, and status of all established TCP

connections.

Prerequisite

Configurations of logins by using Telnet are complete.

Procedure

• Run the display users [ all ] command to check information about logged-in users on user interfaces.

• Run the display tcp status command to check TCP connections.

• Run the display telnet server status command to check the configuration and status of the Telnet server.

----End

Example

Run the display users command to view information about the currently-used user interface.

<Huawei> display users
  User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
  34 VTY 0 00:00:12 TEL 10.138.77.38 no
  Username : Unspecified
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
  Username : Unspecified

Run the display tcp status command to view TCP connections. In the command output, Established indicates that a TCP connection has been established.

<Huawei> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0 Established

Run the display telnet server status command to view the configuration and status of the Telnet

server.

<Huawei> display telnet server status
Telnet IPV4 server :Enable
Telnet server port :23

5.4 Logging in to the Devices by Using STelnet

STelnet provides secured remote access over an insecure network. After the client/server negotiation is complete and a secured connection is established, a user can log in to the router 

in a similar way as Telnet.

5.4.1 Establishing the Configuration Task

Before configuring users to log in by using STelnet, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the required data. This will help

you complete the configuration task quickly and accurately.

Applicable Environment

Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions.

STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner 

as using the Telnet service.

Pre-configuration Tasks

Before configuring users to log in by using STelnet, complete the following task:

• Configuring reachable routes between the terminal and the device

Data Preparation

To configure users to log in by using STelnet, you need the following data:

No. Data

1 Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and

call-out in VTY user interfaces, connection timeout period of terminal users, number 

of rows displayed in a terminal screen, size of the history command buffer, user 

authentication mode, user name, and password

2 User name, password, authentication mode, and service type of an SSH user and remote public RSA key pair allocated to the SSH user

3 (Optional) Name of an SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the STelnet client to the SSH server, preferred encryption algorithm from the SSH server to the STelnet client, preferred HMAC algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from the SSH server to the STelnet client, preferred algorithm of key exchange, name of the outgoing interface, and source address

 

5.4.2 Configuring VTY User Interface

To allow a user to log in to the router by using STelnet, configure attributes of the VTY user interface.

Context

By default, the user authentication mode in the VTY user interface is password. Therefore, before

a user logs in to the router by using STelnet, the user authentication mode in the VTY user 

interface must be set. Otherwise, the user cannot log in to the router.

You can log in to the router through a console port to set the user authentication mode in the

VTY user interface.

Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values.

For detailed settings, see Configuring VTY User Interface.

5.4.3 Configuring SSH for the VTY User Interface

To allow users to log in to the router by using STelnet, you need to configure VTY user interfaces

to support SSH.

Context

By default, user interfaces support Telnet. If no user interface is configured to support SSH, users cannot log in to the router by using STelnet.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.

Step 3 Run:

authentication-mode aaa

The AAA authentication mode is configured.

Step 4 Run:

protocol inbound ssh

The VTY user interface is configured to support SSH.

NOTE

If a VTY user interface is configured to support SSH, the VTY user interface must be configured with

AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.

----End

5.4.4 Configuring an SSH User and Specifying STelnet as One of Service Types

To allow a user to log in to the router by using STelnet, you must configure an SSH user,

configure the router to generate a local RSA key pair, configure a user authentication mode, and

specify a service type for the SSH user.

Context

• SSH users can be authenticated in four modes: RSA, password, password-rsa, and all. You must create a local user with the specified user name in the AAA view.

• Configuring the router to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.

NOTE

Password-rsa authentication requires success of both password authentication and RSA authentication. The

all authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the router that functions as an SSH server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.

Step 3 Run:

local-user user-name password { simple | cipher } password

The name and password of the local user are created.

Step 4 Run:

quit

Quit the AAA view.

Step 5 Run:

rsa local-key-pair create

A local RSA key pair is generated.

NOTE

• Before performing the other SSH configurations, you must run the rsa local-key-pair create command to generate a local key pair.

• After generating the local key pair, you can run the display rsa local-key-pair public command to view the public key in the local key pair.

Step 6 Run:

ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for SSH users is configured.

Perform the following as required:

• Authenticate the SSH user through the password.

– Run:

ssh user user-name authentication-type password

The password authentication is configured for the SSH user.

• Authenticate the SSH user through RSA.

1. Run:

ssh user user-name authentication-type rsa

The RSA authentication is configured for the SSH user.

2. Run:

rsa peer-public-key key-name

The public key view is displayed.

3. Run:

 public-key-code begin

The public key editing view is displayed.

4. Run:

hex-data

The public key is edited.

NOTE

• In the public key view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software.

• After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. Copy the RSA public key to the router that serves as the SSH server.

5. Run: public-key-code end 

Quit the public key editing view.

• If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.

• If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

6. Run:

 peer-public-key end 

Return to the system view from the public key view.

7. Run:

ssh user user-name assign rsa-key key-name

The public key is assigned to the SSH user.

Step 7 (Optional) Configuring the Basic Authentication Information for SSH Users

1. Run:

ssh server rekey-interval interval

The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0, which indicates that the key pair is not updated.

2. Run:

ssh server auth-timeout timeout_interval

The timeout period of the SSH authentication is set.

By default, the timeout period is 60 seconds.

3. Run:

ssh server authentication-retries auth-times

The number of retry times of the SSH authentication is set.

By default, the number of retries is 3.

----End

5.4.5 Enabling the STelnet Server Function

To allow users to log in to the router by using STelnet, you must enable the STelnet server 

function on the router.

Context

By default, no router is enabled with the STelnet server function. Users can establish connections

to the router by using STelnet only after the router is enabled with the STelnet server function.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

stelnet server enable

The STelnet server function is enabled.

By default, the STelnet server function is disabled.

----End

5.4.6 (Optional) Configuring the STelnet Server Parameters

You can configure a device to be compatible with the SSH protocol of earlier versions, configure or change the listening port number of an SSH server, set an interval at which the key pair of the SSH server is updated, and specify the source interface.

Context

Table 5-2 lists server parameters.

Table 5-2 Server parameters

Server Parameter: Earlier SSH version compatibility
Description: SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. SSH2.0 also supports more advanced services such as SFTP. The Huawei AR1200-S Series supports SSH versions ranging from 1.3 to 2.0.

Server Parameter: Interval at which the key pair of the SSH server is updated
Description: After the interval is set, the key pair of the SSH server is updated periodically to improve security.

 

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Perform one or more operations shown in Table 5-3 as needed.

Table 5-3 Configurations of server parameters

Server Parameter: Earlier SSH version compatibility
Operation: Run the ssh server compatible-ssh1x enable command. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable the system from supporting earlier SSH protocol versions.

Server Parameter: Interval at which the key pair of the SSH server is updated
Operation: Run the ssh server rekey-interval rekey-interval command. By default, the interval is 0, indicating that the key pair will never be updated.

 

----End

5.4.7 Logging in to the router by Using STelnet

After the router is configured, a user can log in to the router from a terminal by using STelnet,

implementing remote maintenance of the router.

Context

In STelnet login mode, third-party software can be used on the terminal. In this part, the third-party software OpenSSH and the Windows command line are used.

After installing OpenSSH on the user terminal, do as follows on the user terminal:

NOTE

For details on how to install OpenSSH, refer to the installation guide of the software.

For details on how to use OpenSSH commands to log in to the router, refer to the help document of the

software.

Procedure

Step 1 Use the Windows command line.

Step 2 Run relevant OpenSSH commands to log in to the router in STelnet mode.

----End

5.4.8 Checking the Configuration

After configuring users to log in by using STelnet, you can view the SSH server configuration.

Prerequisite

Configurations of logins by using STelnet are complete.

Procedure

• Run the display ssh user-information username command on the SSH server to check information about SSH users.

• Run the display ssh server status command on the SSH server to check its configurations.

• Run the display ssh server session command on the SSH server to check sessions for SSH users.

----End

Example

Run the display ssh user-information username command to view information about a

specified SSH user.

<Huawei> display ssh user-information client001

-------------------------------------------------------------------------------
Username Auth-type User-public-key-name
-------------------------------------------------------------------------------
guest password null
rsa rsa RsaKey001
password password null
-------------------------------------------------------------------------------

If no SSH user is specified, information about all SSH users logging in to an SSH server will be

displayed.

Run the display ssh server status command to view configurations of an SSH server.

<Huawei> display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP Server :Enable
Stelnet server :Enable

Run the display ssh server session command. The command output shows the session information between the SSH server and the client.

<Huawei> display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password
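The three status outputs in sections 5.3.6 and 5.4.8 can be checked mechanically. The following Python script is an added example, not part of Huawei's guide: it parses those outputs (embedded as constructed sample text, one field per line) and flags the settings this chapter itself ties to weaker security (Telnet enabled, SSH1.X compatibility, no key-pair update) together with negotiated algorithms that current SSH guidance deprecates (CBC ciphers, HMAC-MD5, SHA-1 key exchange). The finding codes are names chosen for this example.

```python
import re

# Constructed sample input: the command outputs printed in sections 5.3.6
# and 5.4.8 of this guide, one field per line.
TELNET_STATUS = """\
Telnet IPV4 server :Enable
Telnet server port :23
"""
SSH_STATUS = """\
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP Server :Enable
Stelnet server :Enable
"""
SSH_SESSIONS = """\
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password
"""


def parse_fields(text):
    """Turn 'Name : value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip().lower()] = value.strip()
    return fields


def parse_sessions(text):
    """Split 'display ssh server session' output into one dict per session."""
    sessions = []
    for line in text.splitlines():
        header = re.match(r"\s*Session\s+(\d+)\s*:\s*$", line)
        if header:
            sessions.append({"session": header.group(1)})
        elif sessions and ":" in line:
            name, _, value = line.partition(":")
            sessions[-1][name.strip().lower()] = value.strip()
    return sessions


def audit_server(telnet_status, ssh_status):
    """Return (code, detail) findings for the server-wide settings."""
    findings = []
    telnet = parse_fields(telnet_status)
    ssh = parse_fields(ssh_status)
    if telnet.get("telnet ipv4 server", "").lower() == "enable":
        findings.append(("telnet-enabled", "Telnet carries logins in plain text"))
    # A server version of 1.99 means SSH2.0 plus compatibility with SSH1.X.
    if ssh.get("ssh version") == "1.99":
        findings.append(("ssh1-compat", "SSH1.X clients are still accepted"))
    interval = re.match(r"\d+", ssh.get("ssh server key generating interval", ""))
    if interval and int(interval.group()) == 0:
        findings.append(("no-key-update", "server key pair is never updated"))
    if ssh.get("stelnet server", "").lower() != "enable":
        findings.append(("stelnet-disabled", "no encrypted login path is offered"))
    return findings


def audit_sessions(session_text):
    """Return (session, code, detail) findings for negotiated algorithms."""
    findings = []
    for s in parse_sessions(session_text):
        sid = s["session"]
        if s.get("version", "").startswith("1."):
            findings.append((sid, "ssh1-session", "session negotiated " + s["version"]))
        for direction in ("ctos", "stoc"):  # client-to-server, server-to-client
            cipher = s.get(direction + " cipher", "")
            mac = s.get(direction + " hmac", "")
            if cipher.endswith("-cbc"):
                findings.append((sid, "cbc-cipher", direction + " " + cipher))
            if "md5" in mac:
                findings.append((sid, "md5-hmac", direction + " " + mac))
        if s.get("kex", "").endswith("sha1"):
            findings.append((sid, "sha1-kex", s["kex"]))
        # Password alone; the guide's password-rsa mode requires both factors.
        if s.get("authentication type") == "password":
            findings.append((sid, "password-only", "user " + s.get("username", "?")))
    return findings


if __name__ == "__main__":
    for finding in audit_server(TELNET_STATUS, SSH_STATUS):
        print(*finding, sep=": ")
    for finding in audit_sessions(SSH_SESSIONS):
        print(*finding, sep=": ")
```
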

5.5 Common Operations After Login

After logging in to the router, you can perform the following operations as needed, such as user priority switching and terminal window locking.

5.5.1 Establishing the Configuration Task

Before performing operations after login, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the required data. This can help you complete

the configuration task quickly and accurately.

Applicable Environment

To ensure that the operator manages routers safely, you need to configure the switching of user 

levels, and enable message sending between user interfaces.

Pre-configuration Tasks

Before performing operations after login, complete the following tasks:

• Connecting the terminal to the router

Data Preparations

Before performing operations after login, you need the following data:

No. Data

1 Password used for switching user levels

2 Type and number of the user interface

3 Contents of the message to be sent

 

5.5.2 Switching User Levels

If a user wants to upgrade from a lower level to a higher level after logging in to the router, a password is required. The password needs to be configured in advance.

Context

To prevent an unauthorized user from using high-level commands, a password is required to

increase the user level.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

super password [ level user-level ] { simple | cipher } password 

The password for switching user levels is configured.

By default, the password for the user is set to Level 3.

CAUTION

If simple is configured, the password is saved in the configuration file in plain text. This means that low-level login users can easily obtain and change the password by checking the configuration file, compromising the network security. Therefore, selecting cipher to save the password in cipher text is recommended.

If cipher is used to set the password, the password cannot be obtained from the system. Keep a record of the password so that it is not forgotten or lost.

Step 3 Run:

quit

Return to the user view.

Step 4 Run:

super [ level ]

User levels are switched.

By default, the level is 3.

Step 5 Follow the prompt and enter a password.

If the password entered is correct, the user can switch to a higher level. If the user enters an incorrect password three consecutive times, the user remains at the current login level and returns to the user view.

NOTE

When the login user of lower level is switched to the user of higher level through the super command, the

system automatically sends trap messages and records the switchover in a log. When the switched level

is lower than that of the current level, the system only records the switchover in a log.

----End

5.5.3 Locking User Interfaces

When you leave the operation terminals for a moment, you can lock the user interface to prevent

unauthorized users from operating the interface.

Context

The user interface can be classified into the Console user interface and VTY user interface.

Procedure

Step 1 Run:

lock

The user interface is locked.

Step 2 Follow the system prompt and input an unlock password, and then confirm the input.

<Huawei> lock
Enter Password:
Confirm Password:

If the locking is successful, the system prompts that the user interface is locked.

You must enter a correct password to unlock the user interface.

----End

5.5.4 Sending Messages to Other User Interfaces

Messages can be exchanged between the current user interface and other user interfaces.

Context

Users logging in to the router can send messages from the current user interface to users in other user interfaces as needed.

Procedure

Step 1 Run:

send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.

Step 2 Following the prompt, you can view the message to be sent. You can press Ctrl_Z or Enter to end the display, and press Ctrl_C to abort the display.

Step 3 At the system prompt, enter Y to send the message or enter N to cancel message sending.

----End

5.5.5 Displaying Logged-in Users

After users log in, you can query information about logged-in users.

Context

User information includes the user name, address, and authentication and authorization

information.

Procedure

• Run the display users [ all ] command to view information about logged-in users.

If all is configured, information about logged-in users on all user interfaces is displayed.

----End

5.6 Configuration Examples

This section provides several examples describing how to configure user login by using a console port, Telnet, or STelnet. You can understand the configuration procedures by referring to the configuration flowchart. The configuration examples provide information about the networking requirements, configuration notes, and configuration roadmap.

5.6.1 Example for Configuring User Login Through a Console Port

This part provides a configuration example describing how to configure user login through a console port. In this configuration example, certain login settings are performed on the PC, enabling access to the router through a console port.

Networking Requirements

If a user modifies default values of certain parameters in the console user interface, the user 

needs to reset corresponding parameters in the PC when logging in to the router through the

console port next time.

Figure 5-1 Networking diagram of user login through a console port

[Figure labels: Router, PC]

Configuration Roadmap

1. Connect a PC to the router through a console port.

2. Perform login settings on the PC.

3. Log in to the router.

NOTE

In this example, a terminal emulator is used.

Data Preparation

Communication parameters of the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit: 2,

flow control mode: none)

Procedure

Step 1 Establish the configuration environment by connecting the serial port of the PC to the console port of the router through a standard RS-232 cable.

Step 2 Start a terminal emulator on the PC, and set the communication parameters of the PC, as shown

in Figure 5-2 to Figure 5-4.

Figure 5-2 Connection creation

 

Figure 5-3 Interface setting

 

Figure 5-4 Communication parameter setting

 

Step 3 Power on the router and wait for the completion of the self-check. After the router starts normally and finishes the self-check, the system prompts you to press Enter.

Wait until the prompt (usually <Huawei>) appears, and then you can use a command to view the running status of the router or configure the router.

----End

5.6.2 Example for Logging In by Telnet

In this example, you can set user login parameters to log in to the router from the PC or other terminals using Telnet.

Networking Requirements

You can log in to the router on other network segments through the PC or other terminals to perform remote maintenance.

Figure 5-5 Establishing the configuration environment over the WAN

[Figure labels: PC, Router, WAN, Target Router; Eth1/0/0, 202.38.160.92/16]

 

Configuration Roadmap

The configuration roadmap is as follows:

1. Establish the physical connection.

2. Set user login parameters.

3. Log in to the router from the client side.

Data Preparation

To complete the configuration, you need the following data:

• IP address of the PC

• IP address of the Ethernet interface on the router

• User information (including the user name, password, and authentication mode)

• Reachable route between the PC and target router

Procedure

Step 1 Connect the PC and the router to the network.

Step 2 Set login user parameters on the target router.

# Configure the login address.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] ip address 202.38.160.92 255.255.0.0
[Huawei-GigabitEthernet1/0/0] quit

# Configure the login authentication mode.

[Huawei] aaa
[Huawei-aaa] local-user huawei password cipher hello
[Huawei-aaa] local-user huawei service-type telnet
[Huawei-aaa] local-user huawei privilege level 3
[Huawei-aaa] quit
[Huawei] user-interface vty 0 4
[Huawei-ui-vty0-4] authentication-mode aaa

Step 3 Configure the client login.

Run the Telnet on the PC, as shown in Figure 5-6.

Figure 5-6 Running the Telnet program on the PC

 

Click OK.

Enter the user name and password in the login window. After authentication, a command line prompt such as <Huawei> appears. Enter the configuration environment in the user view.

----End
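The CAUTION in section 5.5.2 and the defaults stated in sections 5.3.2 and 5.4.3 (password authentication and Telnet on VTY interfaces) can be turned into a review check for a command listing before it is applied. The following Python script is an added example, not part of Huawei's guide: it walks a constructed listing made of the commands from the example above plus one super password line in the syntax of section 5.5.2, tracks the current view, and reports plain-text passwords, Telnet-type local users and VTY ranges that still accept Telnet. The finding codes and the sample password are this example's own.

```python
# Constructed sample: the commands typed in the section 5.6.2 example, plus one
# 'super password ... simple' line (syntax from section 5.5.2) added for the demo.
COMMANDS = """\
system-view
interface gigabitethernet 1/0/0
ip address 202.38.160.92 255.255.0.0
quit
super password level 3 simple Example-Only-1
aaa
local-user huawei password cipher hello
local-user huawei service-type telnet
local-user huawei privilege level 3
quit
user-interface vty 0 4
authentication-mode aaa
"""


def audit_commands(text):
    """Return (code, detail) findings for a listing of router commands.

    Passwords are never copied into the findings. View tracking is simplified:
    any 'quit' is treated as a return to the system view.
    """
    findings, vty_ranges = [], []
    view = "system"
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in ("quit", "system-view"):
            view = "system"
        elif words[0] == "aaa":
            view = "aaa"
        elif words[0] == "user-interface":
            # Only the 'user-interface vty first [last]' form is audited here.
            view = "vty" if words[1:2] == ["vty"] else "other"
            if view == "vty":
                # Defaults stated in this chapter: password authentication
                # and Telnet as the supported protocol.
                vty_ranges.append({"range": " ".join(words[2:]),
                                   "auth": "password", "protocol": "telnet"})
        elif words[0] == "interface":
            view = "other"
        elif view == "vty" and words[0] == "authentication-mode" and len(words) > 1:
            vty_ranges[-1]["auth"] = words[1]
        elif view == "vty" and words[:2] == ["protocol", "inbound"] and len(words) > 2:
            vty_ranges[-1]["protocol"] = words[2]
        elif view == "aaa" and words[0] == "local-user" and len(words) >= 4:
            user, attr, value = words[1], words[2], words[3]
            if attr == "password" and value == "simple":
                findings.append(("plaintext-password", "local-user " + user))
            elif attr == "service-type" and "telnet" in words[3:]:
                findings.append(("telnet-user", "local-user " + user))
        elif words[:2] == ["super", "password"]:
            rest = words[2:]
            level = "3"  # default level stated in section 5.5.2
            if rest[:1] == ["level"] and len(rest) > 1:
                level, rest = rest[1], rest[2:]
            if rest[:1] == ["simple"]:
                findings.append(("plaintext-password", "super password level " + level))
    # Judge each VTY range once all of its settings have been seen.
    for v in vty_ranges:
        if v["protocol"] != "ssh":
            findings.append(("vty-allows-telnet", "vty " + v["range"]))
        if v["auth"] != "aaa":
            findings.append(("vty-not-aaa", "vty " + v["range"] + " uses " + v["auth"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit_commands(COMMANDS):
        print(code + ": " + detail)
```
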

5.6.3 Example for Configuring User Login by Using STelnet

This part provides an example describing how to configure user login by using STelnet. In this example, after generating the local key pair on the SSH server, configuring the name and password of the SSH user on the SSH server, and enabling the STelnet service on the SSH server, you can connect the STelnet client to the SSH server.

Networking Requirements

As shown in Figure 5-7, after the STelnet service is enabled on the SSH server, the STelnet

client can log in to the SSH server with the password, RSA, password-rsa, or all authentication

mode.

In this configuration example, the password authentication mode is used.


Figure 5-7 Networking diagram of configuring user login by using STelnet

[Figure: a PC connected through the network to interface GE1/0/0 (10.137.217.223/16) of the SSH server]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a local key pair on the SSH server for secure data exchange between the STelnet client and the SSH server.

2. Configure the VTY user interface on the SSH server.

3. Configure an SSH client, which involves the setting of the user authentication mode, user name, and password.

4. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation

To complete the configuration, you need the following data:

• SSH user authentication mode: password, user name: client001, password: huawei

• User level of client001: 3

• IP address of the SSH server: 10.137.217.223

Procedure

Step 1 Generate a local key pair on the server.

<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Huawei_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the AR1200-S automatically disables Telnet.

Step 3 Configure the password of the SSH user client001 to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Verify the configuration.

# Log in to the SSH server by using OpenSSH.

 

----End

Configuration Files

• Configuration file of the SSH server

#
sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/0
 ip address 10.137.217.223 255.255.0.0
#
ssh user client001 authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
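The following auditor is an added example, not part of Huawei's guide or software. It reads a configuration file in the format shown above and reports login settings that leave cleartext access open: local users whose service type includes telnet or ftp, passwords stored with the simple keyword, and VTY interfaces without authentication-mode aaa or protocol inbound ssh. Both sample configurations, the user "ops" and all function names are constructed for illustration.

```python
import re

# Services that send credentials and session data unencrypted.
CLEARTEXT_SERVICES = {"telnet", "ftp"}

# Constructed sample: the SSH server configuration file shown above.
SSH_SERVER_CONFIG = """\
#
sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/0
 ip address 10.137.217.223 255.255.0.0
#
ssh user client001 authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

# Constructed sample: modelled on the Telnet login example, plus a
# hypothetical user "ops" that exercises the remaining checks.
TELNET_CONFIG = """\
#
aaa
 local-user huawei password cipher hello
 local-user huawei service-type telnet
 local-user huawei privilege level 3
 local-user ops password simple Example123
 local-user ops service-type ssh ftp
#
user-interface vty 0 4
 authentication-mode aaa
#
return
"""


def parse_sections(text):
    """Split a configuration file into sections delimited by '#' lines."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            current = None          # the next non-empty line opens a section
        elif line:
            if current is None:
                current = []
                sections.append(current)
            current.append(line)
    return sections


def audit(text):
    """Return a list of (check, subject, detail) findings."""
    findings = []
    for header, *body in parse_sections(text):
        if header == "aaa":
            for line in body:
                svc = re.fullmatch(r"local-user (\S+) service-type (.+)", line)
                if svc:
                    for name in svc.group(2).split():
                        if name in CLEARTEXT_SERVICES:
                            findings.append(
                                ("cleartext-service", svc.group(1), name))
                pwd = re.match(r"local-user (\S+) password simple\s", line)
                if pwd:
                    findings.append(
                        ("simple-password", pwd.group(1), "password simple"))
        elif header.startswith("user-interface vty"):
            if "authentication-mode aaa" not in body:
                findings.append(
                    ("vty-auth", header, "authentication-mode aaa missing"))
            # The guide states that user interfaces support Telnet by
            # default, so a VTY without this line still accepts Telnet.
            if "protocol inbound ssh" not in body:
                findings.append(
                    ("vty-cleartext-login", header,
                     "protocol inbound ssh missing"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("SSH server", SSH_SERVER_CONFIG),
                       ("Telnet", TELNET_CONFIG)):
        print(label, audit(cfg) or "no findings")
```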


6 Managing File System

About This Chapter

The file system manages the files and directories in the storage devices on the router. It can move and delete a file or directory and display the contents of the file.

6.1 File System Overview

The router effectively manages all files by means of the file system.

6.2 Performing File Operations by Means of the File System

Users can perform file operations by means of the file system, including managing storage devices, directories, and files.

6.3 Performing File Operations by Means of FTP

FTP can transmit files between local and remote hosts, and is widely used for version upgrade, log downloading, file transmission, and configuration saving.

6.4 Performing File Operations by Means of SFTP

SFTP enables users to log in to the router securely from the remote device to manage files. This improves the security of data transmission for the remote end to update its system.

6.5 Configuration Examples

This section provides examples of performing file operations by accessing the system and by using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.


6.1 File System Overview

The router effectively manages all files by means of the file system.

6.1.1 File System

The file system manages the files and directories in the storage devices. It can create, delete,

modify, and rename a file or directory and display the contents of the file.

The file system has two functions: managing the storage devices and managing the files that are

stored in those storage devices.

Performing File Operations by Means of the File System

After logging in to the router by using the console port, Telnet, or STelnet, you can manage storage devices, directories, and files.

• Storage Devices

Storage devices are hardware devices for storing messages.

At present, the router supports storage devices such as flash memory and USB disk.

• Files

The file is a mechanism with which the system stores and manages messages.

• Directories

The directory is a mechanism with which the system integrates and organizes files, serving as a logical container of files.

6.1.2 Methods of File Management

You can manage files by means of the file system, FTP or SFTP.

Performing File Operations by Means of FTP

You can configure the router as the FTP server, and log in to the router from the user terminal

to transmit files and manage directories on the FTP server.

Performing File Operations by Means of SFTP

SSH supports Secure File Transfer Protocol (SFTP), which enables users to remotely and securely log in to the router to manage files. SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions.

Table 6-1 File management methods

File Management Method | Implementation
Logging in to the system | You can log in to the system through the Console or by using Telnet or STelnet to manage files.
FTP | The router needs to be enabled with FTP. Most terminals support the FTP client function.
SFTP | SFTP provides secure file transfer services based on SSH, irrelevant to the standard FTP protocol. The router needs to be enabled with SFTP. Terminals need to be installed with the SFTP client software.

6.2 Performing File Operations by Means of the File System

Users can perform file operations by means of the file system, including managing storage devices, directories, and files.

6.2.1 Establishing the Configuration Task

Before performing file operations by means of the file system, familiarize yourself with the

applicable environment, complete the pre-configuration tasks, and obtain the required data. This

can help you complete the configuration tasks quickly and accurately.

Applicable Environment

When the router fails to save or obtain data, you can log in to the file system to repair the faulty

storage devices or manage files or directories on the router. You can especially manage storage

devices by logging in to the file system.

Pre-configuration Tasks

Before performing file operations by logging in to the file system, complete the following tasks:

• Connecting the client with the server correctly

Data Preparation

To perform file operations by logging in to the file system, you need the following data:

No. | Data
1 | Storage device name
2 | Directory name
3 | File name

 


6.2.2 Managing Storage Devices

When the file system of the storage devices on the router functions abnormally, you need to

repair and format the file system before managing the storage devices.

Context

When the file system on a storage device fails, the terminal of the router prompts you to rectify

the fault.

NOTE

The storage devices can be flash memory, or USB flash drive. The router has a built-in flash memory.

The router provides two reserved USB slots (usb0 and usb1).

Only Huawei-certified storage devices can be used.

You can format a storage device when you fail to repair the file system or you do not need any

data saved on the storage device.

CAUTION

Formatting storage devices may lead to data loss. Therefore, exercise caution when performing this operation.

Procedure

• Run:

fixdisk device-name

The storage device with file system trouble is repaired.

NOTE

After this command is run, if the prompt that the system should be repaired is still received, it indicates that the physical medium may be damaged.

• Run:

format device-name

The storage device is formatted.

NOTE

If the storage device cannot work after the format device-name command is run, a fault may have occurred in the hardware.

----End

6.2.3 Managing the Directory

You can manage directories to logically store files in hierarchy.

Context

You can manage directories by changing and displaying directories, displaying files in directories and sub-directories, and creating and deleting directories.


Procedure

• Run:

cd { directory | device-name }

A directory is specified.

• Run:

pwd

The current directory is displayed.

• Run:

dir [ /all ] [ filename ] [ device-name ]

The file and sub-directory list in the directory is displayed.

• Run:

mkdir { directory | device-name }

The directory is created.

• Run:

rmdir { directory | device-name }

The directory is deleted.

----End

6.2.4 Managing Files

You can log in to the file system to view, delete, or rename the files on the router.

Context

• Managing files includes: displaying contents, copying, moving, renaming, compressing, deleting, undeleting, deleting files in the recycle bin, running files in batch, and configuring prompt modes.

• You can run the cd { directory | device-name } command to enter the required directory from the current directory.

Procedure

• Run:

more [ /binary ] { filename | device-name } [ offset ] [ all ]

The content of the file is displayed.

By specifying parameters in the more command, you can view files flexibly:

– By running the more file-name command, you can view the file named file-name. Contents of a text file are displayed screen after screen. If you hold and press the spacebar on the current terminal, all contents of the current file can be displayed.

There are two preconditions if you want to display the contents of a text file screen after screen:

  – The value configured by the screen-length screen-length temporary command must be larger than 0.

  – The total lines of the file must be larger than the value configured by the screen-length command.


– By running the more file-name offset command, you can view the file named file-name. Contents of a text file are displayed from the line specified by offset screen after screen. If you hold and press the spacebar on the current terminal, all contents of the current file can be displayed.

There are two preconditions if you want to display the contents of a text file screen after screen:

  – The value configured by the screen-length screen-length command must be larger than 0.

  – The result of the number of file characters subtracted by the value of offset must be larger than the value configured by the screen-length command.

– By running the more file-name all command, you can view the file named file-name. Contents of a text file are completely displayed without pausing after each screenful of information.

• Run:

copy source-filename destination-filename

The file is copied.

NOTE

The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.

• Run:

move source-filename destination-filename

The file is moved.

• Run:

rename source-filename destination-filename

The file is renamed.

• Run:

zip source-filename destination-filename

The file is compressed.

• Run:

delete [ /unreserved ] [ /force ] { filename | device-name } [ all ]

The file is deleted.

If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being deleted.

• Run:

undelete filename

The deleted file is recovered.

NOTE

If the current directory is not the parent directory, you must operate the file by using the absolute path.

• Run:

reset recycle-bin [ filename ]

The file is deleted.

You can permanently delete files in the recycle bin.


• Running Files in Batch

You can upload the files and then process the files in batches. The edited batch files need to be saved in the storage devices on the router.

When the batch file is created, you can run the batch file to implement routine tasks automatically.

1. Run:

system-view

The system view is displayed.

2. Run:

execute filename

The batched file is executed.

• Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device (especially

the operations leading to data loss). If you need to change the prompt mode for file

operations, you can configure the prompt mode of the file system.

1. Run:

system-view

The system view is displayed.

2. Run:

file prompt { alert | quiet }

The prompt mode of the file system is configured.

By default, the prompt mode is alert.

CAUTION

If the prompt is in the quiet mode, no prompt appears for data loss due to maloperation.

----End

6.3 Performing File Operations by Means of FTP

FTP can transmit files between local and remote hosts, and is widely used for version upgrade,

log downloading, file transmission, and configuration saving.

6.3.1 Establishing the Configuration Task

Before performing file operations by means of FTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.


Applicable Environment

When the router serves as the FTP server, after the client logs in to the router through FTP, the

user can transfer files between the client and the server.

Pre-configuration Tasks

Before performing file operations by means of FTP, complete the following task:

• Connecting the FTP client to the server

Data Preparation

To perform file operations by means of FTP, you need the following data:

NOTE

For FTP secure server connection, perform step 2.

No. | Data
1 | FTP user name and password, file directory authorized to the FTP user
2 | (Optional) Listening port number specified on the FTP server
3 | (Optional) Source IP address or source interface of the FTP server; (Optional) Timeout period of the disconnection from the FTP server
4 | IP address or host name of the FTP server

 

6.3.2 Configuring a Local FTP User

You can configure the authorization mode and authorization directory for FTP users. In this

case, unauthorized users cannot access the specific directory, which guarantees the security.

Context

To perform file operations by means of FTP, you need to configure a local user name and a password on the router and specify the service type and the directories that can be accessed. Otherwise, you cannot access the router by using FTP.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

set default ftp-directory directory 

The default FTP working directory is configured.


NOTE

The configuration in this step is valid for only TACACS users.

Step 3 Run:

aaa

The AAA view is displayed.

Step 4 Run:

local-user user-name password { simple | cipher } password

The local user name and the password are configured.

Step 5 Run:

local-user user-name ftp-directory directory 

The authorization directory about the FTP user is configured.

----End

6.3.3 (Optional) Specifying a Port Number for the FTP Server

You can configure or change the monitoring port number of the FTP server. After the port

number is changed, only the user knows the current port number, which guarantees the security.

Context

By default, the listening port number of an FTP server is 21. Users can directly log in to the router by using the default listening port number. Attackers probably access the default listening port, reducing available bandwidth, affecting performance of the server, and preventing valid users from accessing the server. After the listening port number of the FTP server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.

NOTE

If the FTP is not enabled, change the FTP port as required.

If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and then change

the FTP port.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ftp server port port-number

The port number of the FTP server is configured.

If a new number of a monitored port is configured, the FTP server interrupts all the FTP

connections and monitors the port of the new number.

----End


6.3.4 Enabling the FTP Server

Before using FTP to perform file operations, you need to enable the FTP server on the router.

Context

By default, the FTP server is disabled on the router. Therefore, you must enable the FTP server before using FTP.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ftp server enable

The FTP server is enabled.

NOTE

When the file operation between clients and the router ends, run the undo ftp server command to disable

the FTP server function. This ensures the security of the router.

----End

6.3.5 (Optional) Configuring the FTP Server Parameters

The FTP server parameters include the source address of the FTP server and the timeout period for FTP connection.

Context

• You can configure a source IP address for the FTP server. This limits the destination address that the client can access and therefore guarantees the security.

• You can configure the timeout period for FTP connections on the FTP server. When the timeout period of an FTP connection expires, the system breaks the connection to release resources.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ftp server-source { -a ip-address | -i interface-type interface-number }

The source IP address or source interface of the FTP server is configured.


To log in to the FTP server, you must specify the same source IP address in the ftp command.

Otherwise, you cannot log in to the FTP server.

Step 3 Run:

ftp timeout minutes

The timeout period of the FTP server is configured.

If the client is idle for the configured time, the connection is removed from the FTP server.

By default, the timeout value is 30 minutes.

----End

6.3.6 (Optional) Configuring an FTP ACL

After an FTP ACL is configured, only the specified clients can access the router.

Context

When the router functions as an FTP server, you can configure an ACL to allow the clients that meet the matching rules to access the FTP server.

Do as follows on the router that serves as the FTP server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl acl-number 

The ACL view is displayed.

Step 3 Run:

rule [ rule-id ] { deny | permit } [ { fragment | none-first-fragment } | source { source-address source-wildcard | any } | time-range time-name ] *

The ACL rule is configured.

NOTE

FTP supports only the basic ACL.

Step 4 Run:

quit

Return to the system view.

Step 5 Run:

ftp acl acl-number 

The basic FTP ACL is configured.

----End
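The following sketch is an added example, not Huawei's implementation. It evaluates basic ACL rules of the form rule rule-id { deny | permit } source ... against a client address and reports rules that can never match because an earlier rule already covers them, a common reason an FTP ACL admits a client it was meant to refuse. Assumptions: every rule carries an explicit rule-id, rules are checked in ascending rule-id order, a 1 bit in source-wildcard means that bit is ignored, and a client that matches no rule is refused; the ACL number and addresses are constructed.

```python
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "rule_id action addr wild")
ALL_BITS = 0xFFFFFFFF
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(?:any|(\S+)\s+(\S+))$")

# Constructed sample: the operator wants to refuse one host, but rule 5
# already permits its whole /16, so rule 10 is never reached.
SAMPLE_ACL = """\
acl 2001
 rule 5 permit source 10.137.0.0 0.0.255.255
 rule 10 deny source 10.137.217.50 0.0.0.0
 rule 15 deny source any
"""

# Same policy with the host rule placed first.
FIXED_ACL = """\
acl 2001
 rule 5 deny source 10.137.217.50 0.0.0.0
 rule 10 permit source 10.137.0.0 0.0.255.255
 rule 15 deny source any
"""


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_rules(text):
    """Parse 'rule ...' lines; other lines (such as 'acl 2001') are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.fullmatch(raw.strip())
        if not m:
            continue
        rule_id, action, addr, wild = m.groups()
        if addr is None:                      # 'source any'
            rules.append(Rule(int(rule_id), action, 0, ALL_BITS))
        else:
            rules.append(Rule(int(rule_id), action, to_int(addr), to_int(wild)))
    return sorted(rules)                      # ascending rule-id


def matches(rule, client_ip):
    care = ~rule.wild & ALL_BITS              # bits that must be equal
    return (to_int(client_ip) ^ rule.addr) & care == 0


def evaluate(rules, client_ip, unmatched="deny"):
    """Return (action, rule_id) of the first matching rule."""
    for rule in rules:
        if matches(rule, client_ip):
            return rule.action, rule.rule_id
    return unmatched, None                    # assumption, see lead-in


def shadowed_rules(rules):
    """Return (later_id, earlier_id) pairs where the later rule is unreachable."""
    result = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            care = ~earlier.wild & ALL_BITS
            # earlier covers later if every bit earlier checks is also fixed
            # by later and set to the same value
            if later.wild & care == 0 and (earlier.addr ^ later.addr) & care == 0:
                result.append((later.rule_id, earlier.rule_id))
                break
    return result


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_ACL), ("fixed", FIXED_ACL)):
        rules = parse_rules(text)
        print(label, evaluate(rules, "10.137.217.50"), shadowed_rules(rules))
```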


6.3.7 Accessing the System by Using FTP

After the FTP server is configured, you can access the router from the PC by using FTP to manage

the files on the router.

Context

If you need to log in to the router by using FTP, you can use either the Windows command line prompt or third-party software. The Windows command line prompt is used here as an example.

Do as follows on the PC:

Procedure

Step 1 Use the Windows command line.

Step 2 Run the ftp ip-address command to log in to the router by using FTP.

Enter the user name and password at the prompt, and press Enter. When the Windows command line shows the prompt of the FTP client view, such as ftp>, you have entered the working directory of the FTP server.

 

----End

6.3.8 Performing File Operations by Using FTP Commands

After logging in to the router that functions as an FTP server by using FTP, you can upload files

to or download files from the router, and manage the directories on the router.

Context

After logging in to the FTP server, you can perform the following operations:

• Configuring data type for the file

• Uploading or downloading files

• Creating directories on or deleting directories from the FTP server


• Displaying information about a specified remote directory or a file of the FTP server, or deleting a specified file from the FTP server

After logging in to the FTP server and entering the FTP client view, you can perform the

following one or more operations:

Procedure

• Configuring data type and transmission mode for the file.

– Run:

ascii or binary

The data type of the file to be transmitted is set to ASCII or binary mode.

NOTE

FTP supports the ASCII type and the binary type. Their differences are as follows:

• In ASCII transmission mode, ASCII characters are used to separate carriage returns from line feeds.

• In binary transmission mode, characters can be transferred without format conversion or formatting.

The selection of the FTP transmission mode is client-customized. The system defaults to the ASCII transmission mode. The client can use a mode switch command to switch between the ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.

• Upload or download files.

– Upload or download a file.

– Run:

put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.

– Run:

get remote-filename [ local-filename ]

The FTP file is downloaded from the FTP server and saved to the local file.

• Run one or more commands in the following order to manage directories.

– Run:

cd pathname

The working path of the remote FTP server is specified.

– Run:

pwd

The specified directory of the FTP server is displayed.

– Run:

lcd [ local-directory ]

The directory of the FTP client is displayed or changed.

– Run:

mkdir remote-directory

A directory is created on the FTP server.

– Run:

rmdir remote-directory

A directory is removed from the FTP server.


• Run one or more of the following commands to manage files.

– Run:

ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system

searches the working directory for the specific file.

– Run:

dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system

searches the working directory for the specific file.

– Run:

delete remote-filename

The specified file on the FTP server is deleted.

If the directory name is not specified when a specific remote file is selected, the system

searches the working directory for the specific file.

When local-filename is set, related information about the file can be downloaded locally.

NOTE

If you need other FTP operations, you can run the help [ command ] command to get help in the Windows command line.

----End

6.3.9 Checking the Configuration

After configuring a router to be the FTP server, you can view the configuration and status of the

FTP server as well as information about login FTP users.

Prerequisite

The configuration of the router as the FTP server is complete.

Procedure

• Run the display ftp-server command to check the configuration and running information about the FTP server.

• Run the display ftp-users command to check the login FTP user.

----End

Example

After configuring the FTP server, run the display ftp-server command. You can view that the

FTP server is working.

<Huawei> display ftp-server
FTP server is running
Max user number 5
User count 0
Timeout value(in minute) 30
Listening Port 21
Acl number 0
FTP server's source address 1.1.1.1


Run the display ftp-users command to view the user name, port number, and authorization directory of the FTP user configured presently.

<Huawei> display ftp-users
username  host           port  idle  topdir
zll       100.2.150.226  1383  3     flash:

6.4 Performing File Operations by Means of SFTP

SFTP enables users to log in to the router securely from the remote device to manage files. This

improves the security of data transmission for the remote end to update its system.

6.4.1 Establishing the Configuration Task

Before performing file operations by using SFTP, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the required data. This can help

you complete the configuration task quickly and accurately.

Applicable Environment

SSH guarantees secure data transmission on a conventional insecure network by authenticating

the client and encrypting data in both directions. SSH supports SFTP.

SFTP is a secure FTP service and enables users to log in to the FTP server for data transmission.

Pre-configuration Tasks

Before performing file operations by using SFTP, complete the following task:

• Configuring reachable routes between the terminal and the device

Data Preparation

Before performing file operations by using SFTP, you need the following data.

No. | Data
1 | Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and call-out in VTY user interfaces, connection timeout period of terminal users, number of rows displayed in a terminal screen, size of the history command buffer, user authentication mode, user name, and password
2 | User name, password, authentication mode, and service type of an SSH user and remote public RSA key pair allocated to the SSH user, SFTP working directory of the SSH user
3 | (Optional) Number of the port monitored by the SSH server; (Optional) The interval for updating the key pair on the SSH server
4 | Name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server to the SFTP client, preferred algorithm of key exchange, name of the outgoing interface, source address
5 | Directory name and file name

 

6.4.2 Configuring VTY User Interface

To allow a user to log in to the router by using SFTP, you need to configure attributes of the

VTY user interface.

Context

By default, the user authentication mode in the VTY user interface is password. Therefore, before

a user logs in to the router by using SFTP, the user authentication mode in the VTY user interface

must be set. Otherwise, the user cannot log in to the router.

Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values.

For detailed settings, see Configuring VTY User Interface.

6.4.3 Configuring SSH for the VTY User Interface

To allow users to log in to the router by using SFTP, you need to configure VTY user interfaces

to support SSH.

Context

By default, user interfaces support Telnet. If no user interface is configured to support SSH,

users cannot log in to the router by using SFTP.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.

Step 3 Run:

authentication-mode aaa

The AAA authentication mode is configured.

Step 4 Run:

protocol inbound ssh

The VTY user interface is configured to support SSH.

NOTE

If a VTY user interface is configured to support SSH, the VTY user interface must be configured with

AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.

----End

6.4.4 Configuring an SSH User and Specifying SFTP as One of the Service Types

To allow a user to log in to the router by using SFTP, you must configure an SSH user, configure the router to generate a local RSA key pair, configure a user authentication mode, and specify a service type and authorized directory for the SSH user.

Context

l SSH users can be authenticated in four modes: RSA, password, password-rsa, and all. You

must create a local user with the specified user name in the AAA view.

l Configuring the router to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.

NOTE

Password-rsa authentication requires success of both password authentication and RSA authentication. The

all authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the router that functions as an SSH server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.

Step 3 Run:

local-user user-name password { simple | cipher } password

The name and password of the local user are created.

Step 4 Run:

rsa local-key-pair create

A local RSA key pair is generated.

NOTE

l Before performing the other SSH configurations, you must run the rsa local-key-pair create command to generate a local key pair.

l After generating the local key pair, you can run the display rsa local-key-pair public command to view the public key in the local key pair.

Step 5 Run:

ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for SSH users is configured.

Perform the following as required:

l Authenticate the SSH user through the password.

– Run:

ssh user user-name authentication-type password

The password authentication is configured for the SSH user.

l Authenticate the SSH user through RSA.

1. Run:

ssh user user-name authentication-type rsa

The RSA authentication is configured for the SSH user.

2. Run:

rsa peer-public-key key-name

The public key view is displayed.

3. Run:

public-key-code begin

The public key editing view is displayed.

4. Run:

hex-data

The public key is edited.

NOTE

l In the public key view, only hexadecimal strings complying with the public key format can be

typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals

for SSH client software.

l After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. Copy the RSA public key to the router that serves as the SSH server.

5. Run:

public-key-code end

Quit the public key editing view.

l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.

l If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

6. Run:

peer-public-key end

Return to the system view from the public key view.

7. Run:

ssh user user-name assign rsa-key key-name

The public key is assigned to the SSH user.

Step 6 (Optional) Configuring the Basic Authentication Information for SSH Users

1. Run:

ssh server rekey-interval interval

The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0, which indicates that the key pair is not updated.

2. Run:

ssh server auth-timeout timeout_interval

The timeout period of the SSH authentication is set.

By default, the timeout period is 60 seconds.

3. Run:

ssh server authentication-retries auth-times

The number of SSH authentication retries is set.

By default, the number of retries is 3.

----End
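The hex-data entered between public-key-code begin and public-key-code end has to be derived from the client's public key. The following Python example is added here and is not part of the Huawei guide: it converts an OpenSSH ssh-rsa public key line into grouped hexadecimal text and rejects short keys. It assumes that the router expects the DER encoding of a PKCS#1 RSAPublicKey (verify this against the device manual); the function names and the 2048-bit minimum are choices made for this example.

```python
import base64
import struct


def _unsigned(value):
    """Big-endian bytes of a non-negative int, with a leading 0x00 if the top bit is set."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def _read_string(blob, offset):
    """Read one SSH 'string' (uint32 length + data); return (data, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_openssh_rsa(line):
    """Return (e, n) from an OpenSSH 'ssh-rsa <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob does not hold an ssh-rsa key")
    e_raw, offset = _read_string(blob, offset)
    n_raw, offset = _read_string(blob, offset)
    if offset != len(blob):
        raise ValueError("unexpected trailing bytes")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def _der(tag, content):
    """Encode one DER tag-length-value with a definite length."""
    if len(content) < 0x80:
        length = bytes([len(content)])
    else:
        raw = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def to_hex_data(line, min_bits=2048, per_line=6):
    """Convert an ssh-rsa line to grouped hex of a DER RSAPublicKey (assumed router format)."""
    e, n = parse_openssh_rsa(line)
    if n.bit_length() < min_bits:
        raise ValueError(f"modulus is {n.bit_length()} bits, below {min_bits}")
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    der = _der(0x30, _der(0x02, _unsigned(n)) + _der(0x02, _unsigned(e)))
    hexed = der.hex().upper()
    groups = [hexed[i:i + 8] for i in range(0, len(hexed), 8)]
    return "\n".join(" ".join(groups[i:i + per_line])
                     for i in range(0, len(groups), per_line))


def make_sample_line(n, e=65537):
    """Build an ssh-rsa line from bare integers (constructed demo input, not a usable key)."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    blob = ssh_string(b"ssh-rsa") + ssh_string(_unsigned(e)) + ssh_string(_unsigned(n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " client001@pc"


if __name__ == "__main__":
    # Constructed 2048-bit odd number standing in for a real modulus.
    sample = make_sample_line((1 << 2047) | 12345)
    print(to_hex_data(sample))
```

In practice the input line is the content of the client's .pub file; a key below the minimum is refused before anything is pasted into the router.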

6.4.5 Enabling the SFTP Service

Before using the SFTP service, you need to enable it.

Context

By default, the router is not enabled with the SFTP server function. Users can establish

connections with the router by using SFTP only after the router is enabled with the SFTP server 

function.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

sftp server enable

The SFTP service is enabled.

By default, the SFTP service is disabled.

----End

6.4.6 Accessing the System by Using SFTP

After the configuration is complete, users can log in to the router from the user terminal by using

SFTP to manage files on the router.

Context

Third-party software can be used to access the router from the user terminal by using SFTP. The following uses the third-party software OpenSSH and the Windows command line as an example.

After installing OpenSSH on the user terminal, do as follows on the user terminal:

NOTE

For details on how to install OpenSSH, see the installation guide of the software.

For details on how to use OpenSSH commands to log in to the router, see the help document of the software.

Procedure

Step 1 Use the Windows command line.

Step 2 Run relevant OpenSSH commands to log in to the router in SFTP mode.

When the command line prompt is displayed in the SFTP client view, such as sftp>, users have

entered the working directory of the SFTP server.

 

----End

6.4.7 Performing File Operations by Using SFTP

On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH

server.

Context

After logging in to the SFTP server, you can perform the following operations:

l Displaying the SFTP client command help

l Managing the directory on the SFTP server 

l Managing files on the SFTP server

After logging in to the SFTP server and entering the SFTP client view, you can perform the

following one or more operations.

Procedure

l Run:

help [ all | command-name ]

The SFTP client command help is displayed.

l You can perform one or multiple of the following operations as required.

– Run:

cd [ remote-directory ]

The current operating directory of users is changed.

– Run:

pwd

The current operating directory of users is displayed.

– Run:

dir [ -l -a ] [ path ]

The file list in the specified directory is displayed.

– Run:

rmdir remote-directory &<1-10>

The directory on the server is deleted.

– Run:

mkdir remote-directory

A directory is created on the server.

l You can perform one or multiple of the following operations as required.

– Run:

rename old-name new-name

The name of the specified file on the server is changed.

– Run:

get remote-filename [ local-filename ]

The file on the remote server is downloaded.

– Run:

put local-filename [ remote-filename ]

The local file is uploaded to the remote server.

– Run:

remove remote-filename &<1-10>

The file on the server is removed.

----End

6.4.8 Checking the Configuration

After performing file operations by using SFTP, you can view SSH user information and global

configurations of the SSH server.

Prerequisite

The configuration of SSH users is complete.

Procedure

l Run the display ssh user-information username command to check the information about the SSH client on the SSH server.

l Run the display ssh server status command on the SSH server to check its global

configurations.

l Run the display ssh server session command on the SSH server to check information about

connection sessions with SSH clients.

----End

Example

Run the display ssh user-information username command. It shows that the SSH user named client001 is authenticated by password, and its service type is sftp.

[Huawei] display ssh user-information client001
-------------------------------------------------------------------------------
Username Auth-type User-public-key-name
-------------------------------------------------------------------------------
client001 password null
-------------------------------------------------------------------------------

If no SSH user is specified, information about all SSH users logging in to an SSH server will be

displayed.

Run the display ssh server status command to view configurations of an SSH server.

<Huawei> display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries : 5 times
SFTP Server : Enable

NOTE

If the default listening port is in use, information about the current listening port is not displayed.

Run the display ssh server session command. The command output shows the session information between the SSH server and the client.

<Huawei> display ssh server session
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Authentication Type : password
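The two display outputs in this section carry the fields a reviewer checks first. The following Python example is added here and is not part of the Huawei guide: it parses both outputs and lists the settings that deserve attention. The sample text is reconstructed from the outputs printed in this section; the deprecated-algorithm lists and the retry threshold are this example's own review policy.

```python
import re

# Review policy of this added example (not taken from the Huawei guide).
DEPRECATED = {
    "cipher": {"des-cbc", "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "hmac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
}
DEFAULT_RETRIES = 3  # default stated in section 6.4.4

# Constructed samples: the outputs shown in section 6.4.8, one field per line.
STATUS_OUTPUT = """\
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries : 5 times
SFTP Server : Enable
"""

SESSION_OUTPUT = """\
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Authentication Type : password
"""


def parse_fields(text):
    """Turn 'Key : value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_sessions(text):
    """Split 'display ssh server session' output into one dict per session."""
    parts = re.split(r"(?m)^Session[ \t]+(\d+)[ \t]*:[ \t]*$", text)
    sessions = []
    for session_id, body in zip(parts[1::2], parts[2::2]):
        fields = parse_fields(body)
        fields["session"] = session_id
        sessions.append(fields)
    return sessions


def audit_status(text):
    """Return findings for 'display ssh server status' output."""
    fields = parse_fields(text)
    findings = []
    if fields.get("ssh version") == "1.99":
        findings.append("version 1.99: the server also accepts SSH-1 clients")
    interval = fields.get("ssh server key generating interval", "").split()[:1]
    if interval == ["0"]:
        findings.append("server key pair is never updated (interval 0)")
    retries = fields.get("ssh authentication retries", "").split()[:1]
    if retries and retries[0].isdigit() and int(retries[0]) > DEFAULT_RETRIES:
        findings.append(f"{retries[0]} authentication retries, default is {DEFAULT_RETRIES}")
    return findings


def audit_session(session):
    """Return findings for one parsed session (both directions are checked)."""
    findings = []
    for direction in ("ctos", "stoc"):
        for kind in ("cipher", "hmac"):
            value = session.get(f"{direction} {kind}")
            if value in DEPRECATED[kind]:
                findings.append(f"{direction.upper()} {kind} {value} is deprecated")
    if session.get("kex") in DEPRECATED["kex"]:
        findings.append(f"key exchange {session['kex']} is deprecated")
    if session.get("authentication type") == "password":
        findings.append("password-only login, no RSA key required")
    return findings


if __name__ == "__main__":
    for finding in audit_status(STATUS_OUTPUT):
        print("server:", finding)
    for session in parse_sessions(SESSION_OUTPUT):
        for finding in audit_session(session):
            print(f"session {session['session']} ({session.get('username')}):", finding)
```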

6.5 Configuration Examples

This section provides examples for performing file operations by accessing the system and by using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

6.5.1 Example for Performing File Operations by Means of the File System

This section describes how to perform file operations by means of the file system. In this

example, you can log in to the router to view and copy directories.

Networking Requirements

You can log in to the router through the Console interface, Telnet, or STelnet to perform file operations on the router.

The file path in the storage device must be correct. If the user does not specify a target file name,

the source file name is the name of the target file by default.

Configuration Roadmap

The configuration roadmap is as follows:

1. Check the files under a certain directory.

2. Copy a file to this directory.

3. Check this directory and view that the file is copied successfully to the specified directory.

Data Preparation

To complete the configuration, you need the following data:

l Source file name and target file name

l Source file path and target file path

Procedure

Step 1 Display the file information in the current directory. flash:/ is the flash memory identifier.

<Huawei> dir

Directory of flash:/

Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 47,584,256 Sep 17 2107 14:54:23 ar1201_23316_1220.cc
1 -rw- 4 Jun 30 2010 01:01:16 voip_feature.efs
2 -rw- 4 Jul 27 2005 11:02:05 voip_protocol.efs
3 -rw- 45,794,304 Sep 03 2107 12:38:38 ar1117_20921_1220.cc
4 -rw- 1,751,678 Jan 26 2008 16:24:13 web.zip
5 -rw- 3,856 Jan 28 2008 00:00:09 iascfg.zip
6 -rw- 396 Jan 11 2008 18:09:53 rsa_host_key.efs
7 -rw- 6 Dec 01 2007 15:35:31 1.txt
8 -rw- 3,315 Dec 07 2007 12:54:45 ma5600_license.dat
9 -rw- 6,656 Dec 07 2007 12:55:14 patch_lic.pat
10 -rw- 7,533 Dec 07 2007 12:55:50 pdt_keyfile.txt
11 -rw- 6,656 Dec 07 2007 13:13:39 patch_lic2.pat
12 -rw- 526,003 Jan 27 2008 00:00:36 private-data.txt
13 -rw- 540 Jan 11 2008 18:10:07 rsa_server_key.efs
14 -rw- 16 Jan 12 2008 14:53:53 dulei.tbl
15 -rw- 0 Dec 27 2007 15:27:49 dictionary.xml
16 -rw- 2,016,467 Dec 28 2007 17:58:26 arweb.zip
17 -rw- 477 Jan 10 2008 14:46:12 elabel.fls
18 -rw- 2,810 Jan 15 2008 13:57:02 aa.txt
19 -rw- 68,750,848 Jan 26 2008 15:40:15 ar0312_34479_1220.cc
20 -rw- 0 Jan 28 2008 14:47:29 ar.txt

217,168 KB total (4,320 KB free)

Step 2 Copy the file usb0:/sample.txt to flash:/sample1.txt.

<Huawei> copy usb0:/sample.txt flash:/sample1.txt
Copy usb0:/sample.txt to flash:/sample1.txt?[Y/N]:y
100% complete
Info:Copied file usb0:/sample.txt to flash:/sample1.txt...Done

Step 3 Display the file information about the current directory, and you can view that the file is copied

to the specified directory.

<Huawei> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 47,584,256 Sep 17 2107 14:54:23 ar1201_23316_1220.cc
1 -rw- 4 Jun 30 2010 01:01:16 voip_feature.efs
2 -rw- 4 Jul 27 2005 11:02:05 voip_protocol.efs
3 -rw- 45,794,304 Sep 03 2107 12:38:38 ar1117_20921_1220.cc
4 -rw- 1,751,678 Jan 26 2008 16:24:13 web.zip
5 -rw- 3,856 Jan 28 2008 00:00:09 iascfg.zip
6 -rw- 396 Jan 11 2008 18:09:53 rsa_host_key.efs
7 -rw- 6 Dec 01 2007 15:35:31 1.txt
8 -rw- 3,315 Dec 07 2007 12:54:45 ma5600_license.dat
9 -rw- 6,656 Dec 07 2007 12:55:14 patch_lic.pat
10 -rw- 7,533 Dec 07 2007 12:55:50 pdt_keyfile.txt
11 -rw- 6,656 Dec 07 2007 13:13:39 patch_lic2.pat
12 -rw- 526,003 Jan 27 2008 00:00:36 private-data.txt
13 -rw- 540 Jan 11 2008 18:10:07 rsa_server_key.efs
14 -rw- 16 Jan 12 2008 14:53:53 dulei.tbl
15 -rw- 0 Dec 27 2007 15:27:49 dictionary.xml
16 -rw- 2,016,467 Dec 28 2007 17:58:26 arweb.zip
17 -rw- 477 Jan 10 2008 14:46:12 elabel.fls
18 -rw- 2,810 Jan 15 2008 13:57:02 aa.txt
19 -rw- 68,750,848 Jan 26 2008 15:40:15 ar0312_34479_1220.cc
20 -rw- 0 Jan 28 2008 14:47:29 ar.txt
21 -rw- 1,605 Oct 24 2009 11:14:39 sample1.txt

217,169 KB total (4,319 KB free)

----End

6.5.2 Example for Performing File Operations by Means of FTP

This section provides an example for operating files by means of FTP. In this example, a PC

connected to the router logs in to the FTP server by entering the correct user name and password

using FTP, and then downloads files to the memory of the FTP client.

Networking Requirements

As shown in Figure 6-1, after the FTP server is enabled on the router, you can log in to the FTP

server from the HyperTerminal to upload or download files.

Figure 6-1 Networking for performing file operations by using FTP (PC, Network, FTP Server GE1/0/0 10.137.217.221/16)

 

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the IP address of the FTP server.

2. Enable the FTP server.

3. Configure the authentication information, authorization mode, and directories to be accessed for an FTP user.

4. Log in to the FTP server by using the correct user name and password.

5. Upload files to or download files from the FTP server.

NOTE

Ensure that the PC can communicate with the FTP server.

Data Preparation

To complete the configuration, you need the following data:

l IP address of the FTP server, that is, 10.137.217.221

l Timeout period for the FTP connection, that is, 20 minutes

l FTP username as huawei and password as huawei on the server 

l Destination file name and its position in the FTP client

Procedure

Step 1 Configure the IP address of the FTP server.

[server] interface gigabitethernet 1/0/0
[server-GigabitEthernet1/0/0] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet1/0/0] quit

Step 2 Enable the FTP server.

<Huawei> system-view
[Huawei] sysname server
[server] ftp server enable
[server] ftp timeout 20

Step 3 Configure the authentication information, authorization mode, and authorized directories for an

FTP user on the FTP server.

[server] aaa
[server-aaa] local-user huawei password simple huawei
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory flash:
[server-aaa] quit

Step 4 Run the FTP commands at the Windows command line prompt, and enter the correct user name and password to set up an FTP connection with the FTP server.

Figure 6-2 Logging in to the FTP Server 

 

Step 5 Upload and download files, as shown in the following figure.

Figure 6-3 Performing file operations by means of FTP

NOTE

You can run the dir command before downloading a file or after uploading a file to view the detailed

information of the file.

 

----End

Configuration Files

l Configuration file of the FTP server.

#
sysname Server
#
FTP server enable
#
interface GigabitEthernet1/0/0
 ip address 10.137.217.221 255.255.0.0
#
aaa
 local-user huawei password simple Huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory flash:
 authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
return

6.5.3 Example for Performing File Operations by Means of SFTP

This section provides an example for operating files by using SFTP. In this example, a local key pair is configured on the SSH server, and a user name and a password are configured on the server for an SSH user. After SFTP services are enabled on the server and the SFTP client is connected to the server, you can operate files between the client and the server.

Networking Requirements

As shown in Figure 6-4, after SFTP services are enabled on the router functioning as an SSH

server, you can log in to the server in password, RSA, password-rsa, or all authentication mode

from a PC on the SFTP client.

Configure a user to log in to the SSH server in password authentication mode.

Figure 6-4 Networking diagram for operating files by using SFTP (PC, Network, SSH Server GE1/0/0 10.137.217.225/16)

 

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a local key pair on the SSH server to securely exchange data between the SFTP

client and the SSH server.

2. Configure VTY user interfaces on the SSH server.

3. Configure an SSH user, including user name and password.

4. Enable SFTP services on the SSH server and configure a user service type.

Data Preparation

To complete the configuration, you need the following data:

l SSH user authentication mode: password, user name: client001, password: huawei

l User level of client001: 3

l IP address of the SSH server: 10.137.217.225

Procedure

Step 1 Configure a local key pair on the SSH server.

<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure VTY user interfaces on the SSH server.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

Step 3 Configure the SSH user name and password on the SSH server.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 ftp-directory flash:
[SSH Server-aaa] quit

Step 4 Enable SFTP.

[SSH Server] sftp server enable

Step 5 Verify the configurations.

# Access the SFTP server by using the OpenSSH software.

Figure 6-5 Accessing Interface

 

----End

Configuration Files

l Configuration file of the SSH server 

#
sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 privilege level 3
 local-user client001 service-type ssh
 local-user client001 ftp-directory flash:
#
interface GigabitEthernet1/0/0
 ip address 10.137.217.225 255.255.0.0
#
sftp server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
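The configuration files in 6.5.2 and 6.5.3 differ in exactly the settings that decide whether credentials and files cross the network in clear text. The following Python example is added here and is not part of the Huawei guide: it scans a configuration file for those settings. The sample configurations are reconstructed from the two files shown in these examples (unused AAA scheme lines left out); the function names and finding texts are this example's own.

```python
import re

# Constructed samples, reconstructed from the configuration files in 6.5.2 and 6.5.3.
FTP_CONFIG = """\
#
 sysname Server
#
 FTP server enable
#
interface GigabitEthernet1/0/0
 ip address 10.137.217.221 255.255.0.0
#
aaa
 local-user huawei password simple Huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory flash:
#
return
"""

SFTP_CONFIG = """\
#
 sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 privilege level 3
 local-user client001 service-type ssh
 local-user client001 ftp-directory flash:
#
interface GigabitEthernet1/0/0
 ip address 10.137.217.225 255.255.0.0
#
 sftp server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

LOCAL_USER = re.compile(r"^local-user (\S+) (password|service-type) (.+)$", re.I)
CLEARTEXT_SERVICES = {"ftp", "telnet"}


def sections(config):
    """Yield one list of stripped lines per '#'-delimited block of the file."""
    block = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def audit_vty(block):
    """Check one 'user-interface vty' block against the rules in 6.4.3."""
    body = [line.lower() for line in block[1:]]
    findings = []
    if "authentication-mode aaa" not in body:
        findings.append((block[0], "VTY does not use AAA authentication"))
    if "protocol inbound ssh" not in body:
        findings.append((block[0], "VTY is not restricted to SSH (Telnet is the default)"))
    return findings


def audit(config):
    """Return (config line, finding) pairs for settings that expose clear text."""
    findings = []
    for block in sections(config):
        if block[0].lower().startswith("user-interface vty"):
            findings.extend(audit_vty(block))
            continue
        for line in block:
            # fullmatch keeps 'sftp server enable' from matching here
            if re.fullmatch(r"ftp server enable", line, re.I):
                findings.append((line, "FTP server enabled: logins and files are sent unencrypted"))
            match = LOCAL_USER.match(line)
            if not match:
                continue
            user, keyword, value = match.groups()
            if keyword.lower() == "password" and value.lower().startswith("simple "):
                findings.append((line, f"password of {user} is stored in plain text"))
            if keyword.lower() == "service-type":
                clear = sorted(CLEARTEXT_SERVICES & set(value.lower().split()))
                if clear:
                    findings.append((line, f"{user} may use clear-text service: {', '.join(clear)}"))
    return findings


if __name__ == "__main__":
    for name, text in (("FTP example", FTP_CONFIG), ("SFTP example", SFTP_CONFIG)):
        for line, finding in audit(text) or [("-", "no findings")]:
            print(f"{name}: {finding} [{line}]")
```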

7 Configuring System Startup

About This Chapter

When the router starts, system software is started and configuration files are loaded. To ensure

smooth running of the router, you need to efficiently manage system software and configuration

files.

7.1 System Startup Overview

When the router starts, system software is started and configuration files are loaded.

7.2 Managing Configuration Files

You can manage the configuration files for the current and next startup operations on the

router.

7.3 Specifying a File for System Startup

You can specify a file for system startup by specifying the system software and configuration

file for the next startup of the router.

7.4 Configuration Examples

This section provides an example for configuring system startup. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

7.1 System Startup Overview

When the router starts, system software is started and configuration files are loaded.

7.1.1 System Software

System software is the operating system of the router, and is the basis for the router to run properly and provide various services.

The extension name of the system software file is .cc. The file must be saved in the root directory

of the storage device.

7.1.2 Configuration Files and Current Configurations

During the running of the router, configuration files and current configurations are differently defined.

The concepts of configuration files and current configurations are as follows:

Concept: Configuration Files

Initial configurations: On powering on, the router retrieves the configuration files from a default save path to initiate itself. If configuration files do not exist in the default save path, the router uses the default parameters.

Identifying Method:

l Run the display startup command to view the configuration files for the current and next startup operations on the router.

l Run the display saved-configuration command to view the configuration file for the next startup operation on the router.

Concept: Current Configurations

Current configurations: indicates the effective configurations of the currently running router.

Identifying Method: Run the display current-configuration command to view the current configurations on the router.

 

Users can modify the current configurations of the router through the command line interface.

Use the save command to save the current configuration to the configuration file of the default

storage devices, and the current configuration becomes the initial configuration of the router 

when the router is powered on next time.

7.2 Managing Configuration Files

You can manage the configuration files for the current and next startup operations on the

router.

7.2.1 Establishing the Configuration Task

Before managing configuration files, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the required data. This can help you complete

the configuration task quickly and accurately.

Applicable Environment

You can manage configuration files by saving, clearing, and comparing configuration files. To

upgrade the router, take preventive measures, repair configuration files, and view configurations

after the router starts, you need to manage configuration files.

Pre-configuration Tasks

Before managing configuration files, complete the following task:

l Installing the router and starting it properly

Data Preparation

To manage configuration files, you need the following data.

No. Data

1 Configuration file and its name

2 Interval and delay interval for saving configuration files

3 The number of the start line from which the comparison of the configuration files begins

 

7.2.2 Saving Configuration Files

The system can save configuration files periodically or immediately to prevent data loss when

the router is powered off or accidentally restarted.

Context

Run one of the following commands to save configuration files.

Procedure

l Configure the system to periodically save configuration files.

WARNING

If an LPU is not running on the router, related configurations may be lost when the system

automatically saves the configuration file.

1. Run:

autosave interval { time } | { value } | { configuration time }

The system is configured to save the configuration file periodically.

If interval time is specified, the system saves the configuration file at the specified interval regardless of whether the configuration is changed.

– By default, the interval at which the system saves the configuration file is 0 seconds, indicating that the system does not save the configuration file automatically.

– After automatic configuration saving is enabled, the default interval is 30 minutes if time is not specified.

l Save the current configuration immediately.

– Run:

save [ all ] [ configuration-file ]

The current configuration is saved.

The configuration file name extension must be .cfg or .zip, and the system startup configuration file must be saved in the root directory of the storage device.

If you modify the current configuration and want to use the modified configuration as

the next startup configuration, run the save command to save the new configuration to

the storage device.

The save all command saves all the current configurations to the default directory,

including the configurations of the boards that are not running on the router.

----End

7.2.3 Clearing a Configuration File

You can clear the configuration file that has been loaded to a device.

Context

The configuration file needs to be cleared in the following cases:

• The system software does not match the configuration file after the router has been upgraded.

• The configuration file is destroyed or an incorrect configuration file has been loaded.

Procedure

• Run the reset saved-configuration command to clear the currently loaded configuration file.

– If the configuration file of the router used for the current startup is the same as that used for the next startup, running the reset saved-configuration command will clear both the configuration files. The router will use the default configuration file for the next startup.

– If the configuration file of the router used for the current startup is different from that

used at the next startup, running the reset saved-configuration command will clear the

configuration file used for the current startup.

– If the configuration file of the router used for the current startup is empty, the system

will prompt you that the configuration file does not exist after you run the reset saved-configuration command.


If you do not run the startup saved-configuration configuration-file command to specify

a new correct configuration file, or do not run the save command to save the configuration

file after the configuration file is cleared, the router will use the default configuration file

at the next startup.

----End

7.2.4 Comparing Configuration Files

You can compare the current configuration with the initial configuration.

Context

Do as follows on the router:

Procedure

Step 1 Run:

compare configuration [ configuration-file [ current-line-number save-line-number ] ]

The current configuration is compared with the configuration file for next startup.

If no parameter is set, the comparison begins with the first lines of configuration files. current-line-number and save-line-number are used to continue the comparison by ignoring the differences between the configuration files.

When comparing differences between the configuration files, the system displays the contents of the current configuration file and saved configuration file from the first different line. By default, 120 characters are displayed for each configuration file. If the number of characters from the first different line to the end is less than 120, the contents after the first different line are all displayed.

In comparing the current configurations with the configuration file for next startup, if the

configuration file for next startup is unavailable or its contents are null, the system prompts that

reading files fails.

----End

7.2.5 Checking the Configuration

After configuration file management has been configured, you can view the current configuration files, configuration files to be loaded at the next startup, files for the device startup, and files saved in the storage device.

Prerequisite

The configuration of configuration file management is complete.

Procedure

• Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display current-configuration [ all | inactive ] command to view the current configuration files.


• Run the display startup command to check files for startup.

• Run the dir [ /all ] [ filename ] [ device-name ] command to check files saved in the storage device.

• Run the display saved-configuration [ last | time | configuration ] command to view configuration files to be loaded at the next startup.

• Run the display autosave configuration command to view configurations of the autosave function, including the status of the autosave function and time for autosave check.

• Run the display this command to view configurations in the current view.

----End

Example

Run the display startup command to check files for startup.

<Huawei> display startup
MainBoard:
  Startup system software:                   usb0:/ar0210_30735_1220.cc
  Next startup system software:              usb0:/ar0210_30735_1220.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/arcfg.cfg
  Next startup saved-configuration file:     flash:/arcfg.cfg
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null

7.3 Specifying a File for System Startup

You can specify a file for system startup by specifying the system software and configuration file for the next startup of the router.

7.3.1 Establishing the Configuration Task

Before specifying a file for system startup, familiarize yourself with the applicable environment,

complete the pre-configuration tasks, and obtain the required data. This can help you complete

the configuration task quickly and accurately.

Applicable Environment

To enable the router to provide user-defined configurations during the next startup, you need to correctly specify the system software and configuration file for the next startup.

Pre-configuration Tasks

Before specifying a file for the system startup, complete the following task:

• Installing the router and powering it on properly

Data Preparation

To specify a file for system startup, you need the following data.


No. Data

1 System software and its file name on the AR1200-S

2 Configuration file and its file name on the AR1200-S

 

7.3.2 Configuring System Software for a Router to Load for the Next Startup

To upgrade the system software of a router, you can specify the AR1200-S system software to

 be loaded for the next startup.

Context

If no system software is specified for the next startup operation of the router, the system software

loaded this time will be started during the next startup operation. To change system software for 

the next startup operation, you need to specify the required one.

The filename extension of the system software must be .cc, and the file must be stored in the root directory of a storage device.

Procedure

Step 1 Run:

startup system-software filename

The AR1200-S system software for the router to load next time when it starts is configured.

----End

7.3.3 Configuring the Configuration File for Router to Load for the Next Startup

Before restarting a router, you can specify the configuration files that are loaded for the next

startup.

Context

You can run the display startup command on the router to check whether the configuration file

to be loaded during the next startup operation is specified. If no configuration file is specified,

the default configuration file is loaded during the next startup operation.

The filename extension of the configuration file must be .cfg or .zip, and the file must be stored in the root directory of a storage device.

When the router is powered on, it initializes by reading the configuration file from the flash memory by default. Thus, the configuration in this configuration file is called the initial configuration. If no configuration file is saved in the flash memory, the router initializes with default parameters.


Procedure

• Run:

startup saved-configuration configuration-file

The configuration file for the router to load at the next startup is specified.

----End

7.3.4 Checking the Configuration

After specifying a file for system startup, you can check the contents of the configuration file to

 be loaded and the information about the file to be used during the next startup on the router.

Prerequisite

The file has been specified for system startup.

Procedure

• Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to check current configurations.

• Run the display saved-configuration [ last | time ] command to check the contents of the configuration file to be loaded during the next startup.

• Run the display startup command to check information about the files to be used during the next startup.

----End

Example

Run the display startup command to check information about the files to be used during the

next startup.

<Huawei> display startup
MainBoard:
  Startup system software:                   usb0:/ar0210_30735_1220.cc
  Next startup system software:              usb0:/ar0210_30735_1220.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/arcfg.zip
  Next startup saved-configuration file:     flash:/arcfg.zip
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null

7.4 Configuration Examples

This section provides an example for configuring system startup. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.


7.4.1 Example for Configuring System Startup

This section provides an example for configuring system startup. In this example, the

configuration file is saved and the system software and configuration file to be loaded during

the next startup are specified so that the router can start in a required manner.

Networking Requirements

After the router is configured, new configurations take effect after the system restarts.

Configuration Roadmap

The configuration roadmap is as follows:

1. Save the current configuration.

2. Specify the configuration file to be loaded during the next startup of the router.

3. Specify the system software to be loaded during the next startup of the router.

Data Preparation

To complete the configuration, you need the following data:

• Name of the configuration file

• File name of the system software

Procedure

Step 1 Check the configuration file and system software that are used during the current startup.

<Huawei> display startup
MainBoard:
  Startup system software:                   usb0:/ar0312.cc
  Next startup system software:              usb0:/ar0312.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/iascfg.zip
  Next startup saved-configuration file:     flash:/iascfg.zip
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null

Step 2 Save the current configuration to the specified file.

<Huawei> save vrpcfg.cfg

The system prompts you whether to save the current configuration to the file named vrpcfg.cfg

on the main control board. After entering y at the prompt, you save the configuration

successfully.

Step 3 Specify the configuration file to be loaded during the next startup of the router.

<Huawei> startup saved-configuration usb0:/arcfg.cfg

Step 4 Specify the system software to be loaded during the next startup of the router.

Specify the system software to be loaded during the next startup of the main control board.

<Huawei> startup system-software usb0:/arsoft.cc


NOTE

The software package arsoft.cc has been loaded to the AR1200-S. For details on how to upload the software

 package, see 6.3 Performing File Operations by Means of FTP .

Step 5 Verify the configuration.

After the configuration is complete, run the following command to check the configuration file

and system software to be loaded during the next startup of the router.

<Huawei> display startup
MainBoard:
  Startup system software:                   usb0:/ar0312.cc
  Next startup system software:              usb0:/arsoft.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/iascfg.zip
  Next startup saved-configuration file:     usb0:/arcfg.cfg
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null

----End
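The verification in Step 5 can be automated when display startup output is collected from many routers. The following is an added example, not part of the Huawei guide: it parses the output, reports every file that will change at the next startup, and checks the extension and root-directory rules stated in 7.3.2 and 7.3.3. The function names and finding labels are hypothetical, and the sample text is constructed from the Step 5 output.

```python
import re

# Constructed sample: the "display startup" output shown in Step 5.
SAMPLE = """\
<Huawei> display startup
MainBoard:
  Startup system software:                   usb0:/ar0312.cc
  Next startup system software:              usb0:/arsoft.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/iascfg.zip
  Next startup saved-configuration file:     usb0:/arcfg.cfg
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null
"""

# "Field name: value" lines; "MainBoard:" has no value and is skipped.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(\S+)\s*$")

# File kinds that appear as a "Startup X" / "Next startup X" pair.
KINDS = ("system software", "saved-configuration file", "license file",
         "patch package", "voice-files")

# Extension rules stated in sections 7.3.2 and 7.3.3 of the guide.
EXTENSIONS = {"system software": (".cc",),
              "saved-configuration file": (".cfg", ".zip")}


def parse_display_startup(text):
    """Return {field name: path or None}; the literal 'null' becomes None."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return fields


def audit_startup(fields):
    """List pending startup-file changes and violations of the file rules."""
    findings = []
    for kind in KINDS:
        cur = fields.get(f"Startup {kind}")
        nxt = fields.get(f"Next startup {kind}")
        if cur != nxt:
            findings.append(f"CHANGE {kind}: {cur} -> {nxt}")
        exts = EXTENSIONS.get(kind)
        if exts and nxt is not None:
            name = nxt.split(":/", 1)[-1]      # strip the "flash:/" prefix
            if not name.lower().endswith(exts):
                findings.append(f"BAD-EXT {kind}: {nxt}")
            if "/" in name:                    # must be in the root directory
                findings.append(f"NOT-ROOT {kind}: {nxt}")
    # With no file specified, the default configuration is loaded (7.3.3).
    if fields.get("Next startup saved-configuration file") is None:
        findings.append("DEFAULT-CONFIG: no next-startup configuration file")
    return findings


if __name__ == "__main__":
    for finding in audit_startup(parse_display_startup(SAMPLE)):
        print(finding)
```

A CHANGE finding outside a planned upgrade or configuration change is worth reviewing before the router is restarted, because the next startup loads whatever these fields name.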

Configuration Files

 None.


8 Accessing Another Device

About This Chapter

To manage configurations or operate files of another device, you can access the device by using

Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.

8.1 Accessing Another Device Overview

This section describes how to access another device on the network by using Telnet, FTP, TFTP,

or SSH.

8.2 Logging in to Other Devices by Using Telnet

On the network, a large number of routers need to be managed and maintained. Not all routers, however, can be connected to terminal PCs. In addition, there are no reachable routes between some routers and terminal PCs. To manage and maintain routers remotely, you can log in to them by using Telnet from a device that you have logged in to.

8.3 Using the Redirection Function to Connect to a Remote Device

To manage a remote device that can transmit data only through a serial interface, configure the

redirection function on the AR1200-S.

8.4 Logging in to Another Device by Using STelnet

STelnet ensures secure Telnet services. You can log in to another router from the router that you have logged in to by using STelnet, and thus manage the device remotely.

8.5 Accessing Files on Another Device by Using TFTP

You can configure the router as a TFTP client, and log in to the TFTP server to upload and

download files.

8.6 Accessing Files on Another Device by Using FTP

This section describes how to configure the router as an FTP client to log in to the FTP server,

and to upload files to or download files from the server.

8.7 Accessing Files on Another Device by Using SFTP

SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server authenticates the client and encrypts data in both directions to provide secure data transmission.

8.8 Configuration Examples

This section describes examples for accessing another device. The examples explain networking requirements, configuration notes, and configuration roadmap.


8.1 Accessing Another Device Overview

This section describes how to access another device on the network by using Telnet, FTP, TFTP, or SSH.

Figure 8-1 Networking diagram for accessing another device from the router

[Figure omitted; labels: PC, Network, Client, Network, Server]

As shown in Figure 8-1, when you run the terminal emulation program or Telnet program on a PC to connect to the router successfully, the router can still function as a client to access another device on the network by using one or more of the following methods.

 

8.1.1 Telnet Method

To configure and manage a remote device on the network, you can use the router that you have logged in to as a client to log in to the device, or use the redirection terminal service on the router to log in to the device.

Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and

a virtual terminal service through the network.

The AR1200-S provides the following Telnet services:

• Telnet server: You can run the Telnet client program on a PC to log in to the router, configure and manage it. The router acts as a Telnet server.

• Telnet client: You can run the terminal emulation program or the Telnet client program on a PC to connect with the router. With the telnet command, you can log in to other routers to configure and manage them. As shown in Figure 8-2, Router A serves as both the Telnet server and the Telnet client.

Figure 8-2 Telnet client services

[Figure omitted; labels: PC, RouterA, RouterB, Telnet Session 1, Telnet Session 2, Telnet Server]

• Redirection terminal services: You can run the Telnet client program on a PC to log in to the router through a specified port number, and then connect with the serial interface devices that are connected with the asynchronous interface of the router, as shown in Figure 8-3. The typical application is to connect the asynchronous interface of the router with multiple devices for their remote configuration and maintenance.


Figure 8-3 Telnet redirection services

[Figure omitted; labels: PC, Ethernet, Router, Async0, Async1, Async2, Async3, Router1, Switch, Modem, Router2]

 

NOTE

Only the devices that provide the asynchronous interface support the Telnet redirection service.

• Interruption of Telnet services

In Telnet connection, you can use two types of shortcut keys to interrupt the connection.

As shown in Figure 8-4, Router A logs in to Router B through Telnet, and Router B logs

in to Router C through Telnet. Thus, a cascade network is formed. In this case, Router A

is the client of Router B and Router B is the client of Router C. Figure 8-4 illustrates the

usage of the two types of shortcut keys.

Figure 8-4 Usage of Telnet shortcut keys

[Figure omitted; labels: RouterA, RouterB, RouterC, Telnet Client, Telnet Server, Telnet Session 1, Telnet Session 2]

<Ctrl_]>: The server interrupts the connection.

If the network connection is normal, when you press Ctrl _ ], the Telnet server interrupts the current Telnet connection actively. For example:

<RouterC>

Press <Ctrl_]> to return to the prompt of Router B.

Configuration console exit, please retry to log on
The connection was closed by the remote host
<RouterB>

Press <Ctrl_]> to return to the prompt of Router A.

Configuration console exit, please retry to log on
The connection was closed by the remote host
<RouterA>


NOTE

If the network disconnects, the shortcut keys become invalid. The instruction cannot be sent to the

server.

<Ctrl_T>: The client interrupts the connection.

When the server fails and the client is unaware of the failure, the server does not respond to the input of the client. In this case, if you press Ctrl _ T, the Telnet client interrupts the connection actively and quits the Telnet connection.

For example:

<RouterC>

Press <Ctrl_T> to directly interrupt the connection and quit Telnet connection.

<RouterA>

CAUTION

When the number of remote login users reaches the maximum number of VTY user interfaces, the system prompts that all user interfaces are in use and you cannot use Telnet to log in.

8.1.2 FTP Method

To access files on a remote FTP server, you can establish a connection between the router that

you have logged in to and the remote FTP server by using FTP.

FTP can transmit files between hosts and provides users with common FTP commands for simple file system management. To be specific, through the FTP client program outside the router, users can upload or download the files and access the directories on the router; through the FTP client program inside the router, users can transfer files to the FTP servers of other devices.

FTP can transmit files between local and remote hosts, and is widely used for version upgrade,

log downloading, file transmission, and configuration saving.

8.1.3 TFTP Method

On the network, if a client communicates with a server in a comparatively simple interaction

environment, you can enable TFTP services on the router that functions as a client to access files

on the TFTP server.

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.

Compared with FTP, TFTP does not have a complex interactive access interface and

authentication control. TFTP is applicable in an environment where there is no complex

interaction between the client and the server. For example, TFTP is used to obtain the memory

image of the system when the system starts up.

TFTP is implemented based on the User Datagram Protocol (UDP).

The client initiates the TFTP transfer. To download files, the client sends a read request packet

to the TFTP server, receives packets from the server, and sends acknowledgement to the server.

To upload files, the client sends a write request packet to the TFTP server, sends packets to the

server, and receives acknowledgement from the server.

TFTP transfers the files in two formats:


• The binary format: transfers program files.

• The ASCII format: transfers text files.

At present, the AR1200-S serves only as the TFTP client and transfers files in the binary format.
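The download exchange described above (read request, data packets, acknowledgements) can be seen at the packet level in the following added example, which is not part of the Huawei guide. It uses the RFC 1350 packet layouts, in which the binary format is named "octet", and simulates both sides in memory; the function names and the file store are hypothetical, and the file content is constructed.

```python
import struct

# RFC 1350 opcodes and the fixed data block size.
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK = 1, 2, 3, 4
BLOCK_SIZE = 512


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL. No credential field."""
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_packet(packet):
    """Decode an RRQ, WRQ, DATA or ACK packet into a dict."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        parts = packet[2:].split(b"\x00")
        if len(parts) != 3 or parts[2] != b"":
            raise ValueError("malformed request")
        return {"op": opcode, "filename": parts[0].decode("ascii"),
                "mode": parts[1].decode("ascii").lower()}
    if opcode in (OP_DATA, OP_ACK):
        (block,) = struct.unpack("!H", packet[2:4])
        result = {"op": opcode, "block": block}
        if opcode == OP_DATA:
            result["data"] = packet[4:]
        return result
    raise ValueError(f"unsupported opcode {opcode}")


def serve_read(store, rrq):
    """Server side: answer an RRQ with the ordered DATA packets.

    The last block is always shorter than 512 bytes (possibly empty);
    that short block is how the client learns the transfer is over.
    """
    request = parse_packet(rrq)
    content = store[request["filename"]]
    count = len(content) // BLOCK_SIZE + 1
    return [struct.pack("!HH", OP_DATA, i + 1)
            + content[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            for i in range(count)]


def download(store, filename):
    """Client side: send RRQ, acknowledge each DATA block, stop on a short one."""
    transcript = [("client", "RRQ", filename)]
    received = b""
    for packet in serve_read(store, build_request(OP_RRQ, filename)):
        data = parse_packet(packet)
        transcript.append(("server", "DATA", data["block"], len(data["data"])))
        received += data["data"]
        ack = struct.pack("!HH", OP_ACK, data["block"])
        transcript.append(("client", "ACK", parse_packet(ack)["block"]))
        if len(data["data"]) < BLOCK_SIZE:
            break
    return received, transcript


# Constructed file store standing in for the TFTP server's directory.
SAMPLE_STORE = {"vrpcfg.cfg": bytes(range(256)) * 4 + b"end"}   # 1027 bytes

if __name__ == "__main__":
    _, steps = download(SAMPLE_STORE, "vrpcfg.cfg")
    for step in steps:
        print(step)
```

The request packet carries only a file name and a mode, which is the absence of authentication control noted above: any host that can reach the server's UDP port can request a file by name.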

8.1.4 SSH Method

To securely access another device on the network, you can log in to it by using SSH (including STelnet and SFTP) from the router that you have logged in to.

SSH Overview

When users on an insecure network log in to the router through Telnet, the Secure Shell (SSH) feature ensures information security and authentication. It protects the router from attacks such as IP address spoofing and interception of plain text passwords.

The SSH client function allows users to establish SSH connections with a router serving as an SSH server or with UNIX hosts.

SSH Client Function

The AR1200-S supports the STelnet client function and the SFTP client function.

• STelnet client

The Telnet protocol does not provide secure authentication. Data is transmitted over TCP in plain text. This leads to security problems. The system also faces serious threats from DoS (Denial of Service) attacks, host IP address spoofing, and routing spoofing. Telnet services are prone to network attacks.

SSH implements secure remote access on insecure networks and it has the following advantages compared with Telnet:

– SSH supports Remote Subscriber Access (RSA) authentication. In RSA authentication,

SSH generates and exchanges public and private keys compliant with asymmetric

encipherment system to ensure the session security.

– SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.

– The user name and the password are both encrypted in the communication between the

SSH client and the SSH server. This prevents password interception.

– SSH encrypts the transmitted data.

When the STelnet server or the connection to the client is faulty, the client must detect the fault in time and release the connection voluntarily. To implement this, when logging in to the server through STelnet, the client must be configured with the interval for sending keepalive packets and the maximum number of keepalive packets that can go unanswered by the server. If the client does not receive any packet within the specified period, it sends a keepalive packet to the server. If the number of unanswered keepalive packets exceeds the specified number, the client releases the connection voluntarily.

• SFTP client

SFTP is short for Secure FTP. You can log in to a device from the secure remote end to

manage files. This improves the security of data transmission when the remote system is

updated. Meanwhile, the client function enables you to log in to the remote device through

SFTP for secure file transmission.

When the SFTP server or the connection between it and the client is faulty, the client must detect the fault in time and release the connection voluntarily. To implement this, when


logging in to the server through SFTP, the client must be configured with the interval for sending keepalive packets and the maximum number of keepalive packets that can go unanswered by the server. If the client does not receive any packet within the specified period, it sends a keepalive packet to the server. If the number of unanswered keepalive packets exceeds the specified number, the client takes the initiative to release the connection.

8.2 Logging in to Other Devices by Using Telnet

On the network, a large number of routers need to be managed and maintained. Not all routers, however, can be connected to terminal PCs. In addition, there are no reachable routes between some routers and terminal PCs. To manage and maintain routers remotely, you can log in to them by using Telnet from a device that you have logged in to.

8.2.1 Establishing the Configuration Task

Before establishing the configuration task of logging in to another router from the router that you have logged in to, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Figure 8-5 Networking diagram for accessing another device from the router that you have logged in to

[Figure omitted; labels: PC, Network, RouterA, Network, RouterB]

 

As shown in Figure 8-5, you can log in to Router A from a PC by using Telnet, but cannot

manage Router B remotely. This is because there is no reachable route between the PC and

Router B. To manage Router B remotely, you can log in to it from Router A by using Telnet.

In this situation, Router A functions as a Telnet client, and Router B that you attempt to log in

to functions as a server.

Pre-configuration Tasks

Before logging in to another device on the network by using Telnet, complete the following

tasks:

• Ensuring that the router that you attempt to log in to works properly, and enabling Telnet services on the device

• Ensuring that there is a reachable route between the router that you have logged in to and the router that you attempt to log in to


Data Preparation

To log in to another device by using Telnet, you need the following data:

No. Data

1 IP address or host name of RouterB

2 Number of the TCP port used by the RouterB to provide Telnet services

 

8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client

You can configure a source IP address for a Telnet client. Then, you can set up a Telnet connection from the Telnet client to the server through a specific route by using this source IP address.

Context

An IP address is configured for an interface on the router and functions as the source IP address of a Telnet connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a router that functions as a Telnet client.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

telnet client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a Telnet client is configured.

After the configuration, the source IP address of the Telnet client displayed on the Telnet server 

must be the same as the configured one.

----End

8.2.3 Logging in to Another Device by Using Telnet

You can log in to another router and manage it by using Telnet.

Context

Telnet provides an interactive CLI for users to log in to a remote server. Users can log in to a host, and then remotely log in to another host by using Telnet to configure and manage the remote host. In this manner, not every host needs to be connected to a hardware terminal.

Do as follows on the router that serves as a Telnet client:


Procedure

• Run:

telnet [ -a source-ip-address ] host-name [ port-number ]

Log in to the router and manage other routers.

----End

8.2.4 Checking the Configuration

When you log in to another router successfully from the router that you have logged in to, you

can check information about the established TCP connection.

Prerequisite

All configurations for logging in to another device are complete.

Procedure

• Run the display tcp status command to check the status of all TCP connections.

----End

Example

Run the display tcp status command to view the status of TCP connections. The Established

status indicates that a TCP connection has been established.

<Huawei> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
39952df8 36 /1509 0.0.0.0:0             0.0.0.0:0             0      Closed
32af9074 59 /1    0.0.0.0:21            0.0.0.0:0             14849  Listening
34042c80 73 /17   10.164.39.99:23       10.164.6.13:1147      0      Established

8.3 Using the Redirection Function to Connect to a Remote Device

To manage a remote device that can transmit data only through a serial interface, configure the

redirection function on the AR1200-S.

8.3.1 Establishing the Configuration Task

Before configuring the redirection function, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the data required for the

configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

To manage a remote device that can transmit data only through a serial interface, configure the redirection function on the AR1200-S.


A remote device can be a router, a switch, an electricity terminal, a finance terminal, or other 

terminals that use serial interfaces to transmit data.

• Managing remote routers and switches

Figure 8-6 Using redirection to connect to remote routers and switches

[Figure: a PC reaches the Router over Ethernet; the Router's asynchronous serial interfaces Async0 to Async3 connect to Router1, Router2, Switch1, and Switch2.]

As shown in Figure 8-6, there are two routers and two switches connected to the Router (an AR1200-S). To manage these devices through their serial interfaces, connect asynchronous serial interfaces of the Router to serial interfaces of the devices, and configure the redirection function on the Router. After the configuration is complete, you can use an operation terminal to manage and maintain these devices remotely.

• Managing terminals such as intelligent electricity meters, intelligent water meters, and automatic teller machines


Figure 8-7 Using redirection to connect to remote intelligent terminals

[Figure: Intelligent Electricity Meters 1 to 4 connect to the Router's asynchronous serial interfaces Async0 to Async3; the Router connects across the Network to the Monitor Device.]

As shown in Figure 8-7, the redirection function is enabled on the Router. The Router 

listens to the specified TCP port number and receives data flows from the terminals through

asynchronous serial interfaces. After receiving data packets, the Router encapsulates the

 packets into Ethernet frames so that they can be transmitted over an Ethernet network. In

this way, the intelligent terminals can be managed by a remote operation terminal.

 

Pre-configuration Tasks

Before configuring the redirection function, complete the following tasks:

• Starting the remote devices

• Directly connecting the remote devices to the 8AS board of the router through asynchronous serial cables and ensuring that the 8AS board has registered successfully and the asynchronous serial interfaces are in Up state

Data Preparation

To configure the redirection function, you need the following data.

No. Data

1 IP address of the router  

2 (Optional) Port number of the redirection function

 


8.3.2 Configuring the Redirection Function

After configuring the redirection function on a router, you can use an operation terminal to

manage remote serial interface devices.

Prerequisite

The 8AS board on the router has registered successfully and the asynchronous serial interfaces

are in Up state.

Context

Do as follows on the router.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface async interface-number 

The asynchronous serial interface view is displayed.

Step 3 Run:

async mode flow

The asynchronous serial interface is configured to work in flow mode.

By default, an asynchronous serial interface works in protocol mode.

Step 4 Run:

quit

Exit from the asynchronous serial interface view.

Step 5 Run:

user-interface tty tty-number 

The TTY user interface view is displayed.

After the 8AS board registers successfully, the router generates random numbers for TTY user interfaces. Run the display user-interface command to view the TTY number that maps to an asynchronous serial interface.

Step 6 Run:

redirect enable

The redirection function is enabled.

Step 7 Run:

undo shell

The terminal service is disabled.

Step 8 (Optional) Run:

redirect binding vpn-instance vpn-instance-name


The redirection function is associated with a VPN instance.

By default, the redirection function is not associated with any VPN instance, and all users on public and private networks can use the redirection function to log in to remote devices.

Step 9 (Optional) Run:

redirect listen-port port-num

The port number is set for the redirection function.

The default port number is 2000 plus tty-number. When the default port number is used by

another service, perform this step to set a new port number.

NOTE

• The terminal attributes of a TTY user interface must be the same as the physical attributes of the terminal connected to the corresponding asynchronous serial interface. For details on how to configure terminal attributes of a TTY user interface, see 4.4.3 Setting Terminal Attributes of TTY User Interface.

• If the modem function is enabled on a TTY user interface, the redirection function does not take effect.

----End

Follow-up Procedure

Run the telnet host-name port-number command to log in to a remote device. In the command, host-name is the IP address or host name of the router with the redirection function enabled, and port-number is the default port number or the port number configured by running the redirect listen-port command.

8.3.3 Checking the Configuration

After completing the configuration of the redirection function, check the TCP connection status to verify the configuration.

Prerequisite

All configurations of the redirection function are complete.

Context

• Run the display tcp status command to check the status of the current TCP connection.

Example

Run the display tcp status command to check the TCP connection status.

<Huawei> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
1973f250 9 /2     0.0.0.0:22            0.0.0.0:0             23553  Listening
1973f0ec 9 /1     0.0.0.0:23            0.0.0.0:0             23553  Listening
1973ef88 109/1    0.0.0.0:80            0.0.0.0:0             23553  Listening
1a16a204 9 /14    0.0.0.0:2046          0.0.0.0:0             23553  Listening
1973e9f8 7 /1     0.0.0.0:7547          0.0.0.0:0             0      Listening
1a169c74 9 /15    10.137.217.211:23     10.138.77.61:2120     0      Established
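The same check can be scripted when the output is collected from many routers. The following Python example is added here and is not part of the Huawei guide: it parses display tcp status output (the sample is the output shown above) and flags listeners and sessions on cleartext services, plus listeners in the default redirection range of 2000 plus tty-number. The function names, the cleartext port table, and the max_tty bound are assumptions.

```python
import re

# Sample taken from the display tcp status example output above.
SAMPLE = """\
<Huawei> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
1973f250 9 /2     0.0.0.0:22            0.0.0.0:0             23553  Listening
1973f0ec 9 /1     0.0.0.0:23            0.0.0.0:0             23553  Listening
1973ef88 109/1    0.0.0.0:80            0.0.0.0:0             23553  Listening
1a16a204 9 /14    0.0.0.0:2046          0.0.0.0:0             23553  Listening
1973e9f8 7 /1     0.0.0.0:7547          0.0.0.0:0             0      Listening
1a169c74 9 /15    10.137.217.211:23     10.138.77.61:2120     0      Established
"""

# One connection row. Tid/Soid may or may not contain a space ("9 /2", "109/1").
ROW = re.compile(
    r"^(?P<tcpcb>[0-9a-f]{8})\s+"
    r"(?P<tid>\d+)\s*/\s*(?P<soid>\d+)\s+"
    r"(?P<laddr>\d+\.\d+\.\d+\.\d+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\d+\.\d+\.\d+\.\d+):(?P<fport>\d+)\s+"
    r"(?P<vpnid>\d+)\s+"
    r"(?P<state>\w+)\s*$"
)

# Well-known cleartext services (general knowledge, not a table from the guide).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# The guide states that the default redirection port is 2000 plus tty-number.
REDIRECT_BASE = 2000


def parse_tcp_status(text):
    """Return one dict per connection row; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for key in ("tid", "soid", "lport", "fport", "vpnid"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def audit(rows, max_tty=255):
    """Flag cleartext listeners, cleartext sessions and likely redirect listeners.

    max_tty is an assumed upper bound for TTY numbers; set it from the numbers
    that display user-interface reports on the device. A port changed with
    redirect listen-port falls outside this heuristic and must be checked
    against the saved configuration instead.
    """
    findings = []
    for r in rows:
        port, state = r["lport"], r["state"]
        if state == "Listening":
            if port in CLEARTEXT_PORTS:
                findings.append(("cleartext-listener", port, CLEARTEXT_PORTS[port]))
            elif REDIRECT_BASE < port <= REDIRECT_BASE + max_tty:
                findings.append(
                    ("redirect-listener", port, f"TTY {port - REDIRECT_BASE}")
                )
        elif state == "Established" and port in CLEARTEXT_PORTS:
            findings.append(("cleartext-session", port, f"{r['faddr']}:{r['fport']}"))
    return findings


if __name__ == "__main__":
    for kind, port, detail in audit(parse_tcp_status(SAMPLE)):
        print(f"{kind:20} port {port:<5} {detail}")
```

A redirect listener gives network access to whatever serial device sits behind that TTY, so each one found should be matched to an intended redirect enable entry and, where used, a redirect binding vpn-instance restriction.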


8.4 Logging in to Another Device by Using STelnet

STelnet ensures secure Telnet services. You can log in to another router from the router that you have logged in to by using STelnet, and thus manage the device remotely.

8.4.1 Establishing the Configuration Task

Before establishing the configuration task of logging in to another device by using STelnet,

familiarize yourself with the applicable environment, complete the pre-configuration tasks, and

obtain the required data. This can help you complete the configuration task quickly and

accurately.

Applicable Environment

Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted by using TCP in plain text mode.

STelnet, short for SSH Telnet, is a secure Telnet protocol based on SSH. SSH users can use STelnet services in the same way as Telnet services.

In this configuration, the Router that you have logged in to functions as a Telnet client, and the Router that you attempt to log in to functions as an SSH server.

Pre-configuration Tasks

Before logging in to another device by using STelnet, complete the following tasks:

• Configuring a reachable route between the client and SSH server

Data Preparation

To log in to another device by using STelnet, you need the following data:

No. Data

1 Name of the SSH server, public key that is assigned by the client to the SSH server

2 IPv4 address or host name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server to the SFTP client, preferred algorithm of key exchange

The user information for logging in to the SSH server

 

8.4.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)

After the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time.


Context

If the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication at the next login.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ssh client first-time enable

The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.

NOTE

• The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not saved the RSA public key of the SSH server.

• If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA

 public key in advance to the SSH server on the SSH client in addition to enabling the first-time

authentication on the SSH client.

----End

8.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)

To configure the first successful login to another device on the SSH client, you need to allocate an RSA public key to the SSH server before the login.

Context

If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server. You therefore need to allocate an RSA public key to the SSH server before the STelnet client logs in to the SSH server.

Do as follows on the router that serves as an SSH client:


Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:

 public-key-code begin

The public key editing view is displayed.

Step 4 Run:

hex-data

The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automatically

generated by an SSH client. You can run the display rsa local-key-pair public command to

view a generated public key.

NOTE

Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the STelnet client can successfully undergo the validity check on the RSA public key of the SSH server.

Step 5 Run:

public-key-code end

Quit the public key editing view.

• If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.

• If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:

 peer-public-key end 

Return to the system view from the public key view.

----End

8.4.4 Logging in to Another Device by Using STelnet

You can log in to the SSH server from the SSH client by using STelnet.

Context

When accessing an SSH server, the STelnet client can carry the source address and choose the

key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure the keepalive function.


Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through STelnet.

----End

8.4.5 Checking the configuration

After the configuration task of logging in to another device by using STelnet is established, you

can check the global configurations of the SSH servers and the sessions between the SSH servers

and the STelnet client.

Prerequisite

The configurations for logging in to another device by using STelnet are complete.

Procedure

• Run the display ssh server status command to view the status of the SSH server.

----End

Example

Run the display ssh server status command to view the status of the SSH server.

<Huawei> display ssh server status
SSH version                         :1.99
SSH connection timeout              :60 seconds
SSH server key generating interval  :0 hours
SSH Authentication retries          :3 times
SFTP Server                         :Enable

8.5 Accessing Files on Another Device by Using TFTP

You can configure the router as a TFTP client, and log in to the TFTP server to upload and

download files.

8.5.1 Establishing the Configuration Task

Before accessing another device by using TFTP, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.


Applicable Environment

You can transfer files through TFTP between the server and the client in a simple interaction

environment.

The current Router functions as a TFTP client, and the Router to be accessed functions as a TFTP server.

Pre-configuration Tasks

Before accessing another device by using TFTP, complete the following tasks:

• Configuring a reachable route between the client and TFTP server

Data Preparation

To access another device by using TFTP, you need the following data.

No. Data

1 (Optional) Source address or source interface of the router that functions as a TFTP

client

2 IP address or host name of the TFTP server 

3 Name of the specific file in the TFTP server and the file directory

 

8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client

You can configure a source IP address for a TFTP client. Then, you can set up a TFTP connection

from the TFTP client to the server through a specific route by using this source IP address.

Context

An IP address is configured for an interface on the router and functions as the source IP address

of a TFTP connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a router that functions as a TFTP client.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a TFTP client is configured.


After the configuration, the source IP address of the TFTP client displayed on the TFTP server 

must be the same as the configured one.

----End

8.5.3 (Optional) Configuring TFTP Access Authority

This section describes how to use an ACL rule to authorize the users to specify the TFTP servers that can be accessed by using TFTP from the router that you have logged in to.

Context

An Access Control List (ACL) is a set of sequential rules. These rules are described based on

the source address, destination address, and port number of a packet. Routers use the ACL rules

to filter packets. With the rule applied to the interface on a router, the router permits or denies

the packets.

Each ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL, and advanced ACL based on the functions of ACL rules.

NOTE

TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).

Do as follows on the router that serves as the TFTP client:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl acl-number 

The ACL view is displayed.

Step 3 Run:

rule [ rule-id ] { deny | permit } [ { fragment | none-first-fragment } | source { source-address source-wildcard | any } | time-range time-name ] *

The ACL rule is configured.

Step 4 Run:

quit

The system view is displayed.

Step 5 Run the tftp-server acl acl-number command. You can use the ACL to limit the access to the

TFTP server.

----End

8.5.4 Downloading Files by Using TFTP

You can download files from the TFTP server to the TFTP client.

Do as follows on the router that serves as the TFTP client:


Procedure

• Run:

tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server get source-filename [ destination-filename ]

The router is configured to download files through TFTP.

----End

8.5.5 Uploading Files by Using TFTP

You can upload files from the TFTP client to the TFTP server.

Do as follows on the router that serves as the TFTP client:

Procedure

• Run:

tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server put source-filename [ destination-filename ]

The router is configured to upload files through TFTP.

----End

8.5.6 Checking the Configuration

When a device is configured to be a TFTP client, you can check the source address of the client

and the configured ACL rule.

Prerequisite

Configurations of using the device as a TFTP client are complete.

Procedure

• Run the display tftp-client command to check the device address that is set to the source address of the TFTP client.

• Run the display acl { name acl-name | acl-number | all } command to check the ACL rule that is configured on the TFTP client.

----End

Example

Run the display tftp-client command to view the source address of the TFTP client.

<Huawei> display tftp-client
Info: The source address of TFTP client is 1.1.1.1.

Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is configured on the TFTP client.

<Huawei> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
 rule 5 permit
 rule 10 permit source 1.1.1.1 0
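When reviewing such output, the order and breadth of the rules matter as much as their presence. The following Python example is added here and is not part of the Huawei guide: assuming rules are checked in ascending rule-id order and the first match decides, it evaluates the ACL 2001 output shown above against candidate addresses and reports rules that can never be reached because an earlier rule already covers them. The function names and the ACL_TIGHT variant are constructed for illustration; the fragment and time-range options are ignored.

```python
import ipaddress
import re

# Taken from the display acl 2001 example output above.
ACL_2001 = """\
Basic acl 2001, 2 rules,
Acl's step is 5
 rule 5 permit
 rule 10 permit source 1.1.1.1 0
"""

# Constructed tighter variant for comparison (not from the guide).
ACL_TIGHT = """\
rule 5 permit source 1.1.1.1 0
rule 10 deny
"""

RULE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?:(?P<any>any)|(?P<addr>\S+)\s+(?P<wild>\S+)))?\s*$"
)

MATCH_ANY = (0, 0xFFFFFFFF)  # no source clause, or "source any"


def _to_int(text):
    # The device prints a wildcard of 0.0.0.0 (exact host) as a bare "0".
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_rules(text):
    """Return (rule_id, action, address, wildcard) tuples sorted by rule-id."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # header lines such as "Basic acl 2001, 2 rules,"
        if m["addr"]:
            addr, wild = _to_int(m["addr"]), _to_int(m["wild"])
        else:
            addr, wild = MATCH_ANY
        rules.append((int(m["id"]), m["action"], addr, wild))
    return sorted(rules)


def matches(rule, src):
    """Wildcard bits set to 1 are ignored; all other bits must be equal."""
    _, _, addr, wild = rule
    care = ~wild & 0xFFFFFFFF
    return ((src ^ addr) & care) == 0


def evaluate(rules, address):
    """Return (action, rule_id) of the first matching rule, or (None, None).

    The guide does not state what happens when no rule matches, so that
    case is returned to the caller instead of being guessed.
    """
    src = int(ipaddress.IPv4Address(address))
    for rule in rules:
        if matches(rule, src):
            return rule[1], rule[0]
    return None, None


def shadowed(rules):
    """Return (rule_id, covering_rule_id) for rules that can never match."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            e_care = ~earlier[3] & 0xFFFFFFFF
            # earlier covers later when every bit earlier cares about is also
            # fixed in later, and both agree on the value of those bits
            covers = (later[3] & e_care) == 0 and ((earlier[2] ^ later[2]) & e_care) == 0
            if covers:
                out.append((later[0], earlier[0]))
                break
    return out


if __name__ == "__main__":
    for name, text in (("ACL 2001", ACL_2001), ("tight variant", ACL_TIGHT)):
        rules = parse_rules(text)
        print(name, "shadowed rules:", shadowed(rules))
        for ip in ("1.1.1.1", "203.0.113.9"):
            print("  ", ip, "->", evaluate(rules, ip))
```

For ACL 2001 as displayed, rule 5 has no source clause and therefore permits every address, so rule 10 is never consulted.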


8.6 Accessing Files on Another Device by Using FTP

This section describes how to configure the router as an FTP client to log in to the FTP server,

and to upload files to or download files from the server.

8.6.1 Establishing the Configuration Task

Before establishing the configuration task of accessing files on another device by using FTP,

familiarize yourself with the applicable environment, complete the pre-configuration tasks, and

obtain the required data. This can help you complete the configuration task quickly and

accurately.

Applicable Environment

Before transmitting files between a client and a remote FTP server, or managing directories of 

the server, you can configure the router that you have logged in to as an FTP client. Then, you

can access the FTP server by using FTP for file transmission or directory management.

Pre-configuration Tasks

Before establishing the configuration task of accessing files on another device by using FTP,

complete the following tasks:

• Configuring a reachable route between the router and the FTP server

Data Preparation

To establish the configuration task of accessing files on another device by using FTP, you need

the following data:

No. Data

1 (Optional) Source IP address or source interface of the router functioning as an FTP

client

2 Host name or IP address of the FTP server, port number of connecting FTP, login username and password

3 Local file name and file name on the remote FTP server, working directory name of the remote FTP server, local working directory of the FTP client, or directory name of the remote FTP server

 

8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client

This section describes how to configure the source IP address and interface of the FTP client to establish the connection with the FTP server.


Prerequisite

An IP address is configured for an interface on the router and functions as the source IP address

of an FTP connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

The interface configuration is possible, only if the system has a loopback interface.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ftp client-source { -a ip-address }

The source IP address of the FTP client is configured.

or 

ftp client-source { -i interface-type interface-number }

The loopback address of the FTP client is configured.

NOTE

Then, run the display ftp-client command on the router to view the current configuration of the FTP client.

----End

8.6.3 Connecting to Other Devices by Using FTP Commands

You can run FTP commands to log in to other devices from the router that functions as the FTP

client.

Context

You can log in to the FTP server in the user view or the FTP view.

Do as follows on the router that serves as the client:

Procedure

• In the user view, establish a connection to the FTP server.

Run:

ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]

The router is connected to the FTP server.

• In the FTP view, establish a connection to the FTP server.

1. In the user view, run:

ftp

The FTP view is displayed.


2. Run:

open [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ vpn-instance vpn-instance-name ]

The router is connected to the FTP server.

----End

8.6.4 Operating Files by Using FTP Commands

After logging in to an FTP server, you can operate files by using FTP commands. File operations

include configuring a file transmission method, checking online help about FTP commands,

uploading or downloading files, and managing directories and files.

Context

After logging in to the FTP server, you can perform the following operations:

• Configure a data type for transmission files and a file transmission method.

• Check the online help about FTP commands in the FTP client view.

• Upload local files to the remote FTP server, or download files from the FTP server and save them locally.

• Create directories on or delete directories from the FTP server.

• Display information about a specified remote directory or a file of the FTP server, or delete a specified file from the FTP server.

After logging in to the router that functions as a client and entering the FTP client view, you can

 perform the following steps:

Procedure

• Configuring data type and transmission mode for the file.

– Run:

ascii | binary

The data type of the file to be transmitted is ascii or binary mode.

NOTE

FTP supports the ASCII type and the binary type. Their differences are as follows:

• In ASCII transmission mode, ASCII characters are used to separate carriage returns from line feeds.

• In binary transmission mode, characters can be transferred without format conversion or formatting.

The selection of the FTP transmission mode is client-customized. The system defaults to the ASCII transmission mode. The client can use a mode switch command to switch between the ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.

– Run:

 passive

The passive file transfer mode is configured.

– Run:

verbose

The verbose mode for FTP is enabled.


When verbose is enabled, all FTP responses are displayed. After file transmission, the

statistics about transmission efficiency will be displayed.

• Viewing online help of the FTP command.

remotehelp [ command ]

The online help of the FTP command is displayed.

• Upload or download files.

– Upload or download a file.

– Run:

 put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.

– Run:

get remote-filename [ local-filename ]

The FTP file is downloaded from the FTP server and saved to the local file.

• Run one or more commands in the following order to manage directories.

– Run:

cd   pathname

The working path of the remote FTP server is specified.

– Run:

cdup

The working path of the FTP server is switched to the upper-level directory.

– Run:

 pwd 

The specified directory of the FTP server is displayed.

– Run:

lcd [ local-directory ]

The directory of the FTP client is displayed or changed.

– Run:

 mkdir remote-directory 

A directory is created on the FTP server.

– Run:

rmdir remote-directory 

A directory is removed from the FTP server.

NOTE

• The directory to be created can comprise letters and digits, but not special characters such as <, >, ?, \ and :.

• When running the mkdir /abc command, you create a sub-directory named "abc".

• Run one or more of the following commands to manage files.

– Run:

ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system

searches the working directory for the specific file.

– Run:


dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system

searches the working directory for the specific file.

– Run:

delete remote-filename

The specified file on the FTP server is deleted.

If the directory name is not specified when a specific remote file is selected, the system

searches the working directory for the specific file.

When local-filename is set, related information about the file can be downloaded locally.

----End

8.6.5 Changing Login Users

After logging in to an FTP server, you can change the username on the client and re-log in to

the server with the new username.

Context

From the AR1200-S (an FTP client) that you have logged in to, you can log in to the FTP server 

 by using another username without logging out of the FTP client view. The established FTP

connection is identical with that established by running the ftp command.

Perform the following steps on the router that functions as a client:

Procedure

• Run:

user user-name [ password ]

The user that has logged in to the FTP server is changed and the new user logs in to the server.

When the username that is used to log in to the FTP server is changed, the original

connection between the user and the FTP server is interrupted.

----End

8.6.6 Disconnecting from the FTP Server

You can terminate the connection with the FTP server and return to the user view or FTP view.

Context

You can select different commands to terminate the connection with the FTP server in the FTP

client view.

Do as follows on the router that serves as the client.

Procedure

• Run the following commands according to different configurations.

– Run:

 bye

Or,

quit

The client router is disconnected from the FTP server.

Return to the user view.

– Run:

close

Or,

disconnect

The client router is disconnected from the FTP server.

Return to the FTP view.

----End

8.6.7 Checking the Configuration

After the configurations of accessing other devices by using FTP are complete, you can view

the source parameters configured on the FTP client.

Prerequisite

The configurations of accessing other devices by using FTP are complete.

Procedure

• Run the display ftp-client command to view the source parameters of the FTP client.

----End

Example

Run the display ftp-client command to view the source parameters of the FTP client.

<Huawei> display ftp-client
Info: The source address of FTP client is 1.1.1.1.

8.7 Accessing Files on Another Device by Using SFTP

SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server authenticates the client and encrypts data in both directions to provide secure data transmission.

8.7.1 Establishing the Configuration Task

Before establishing the configuration task of accessing files on another device by using SFTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

SFTP is short for SSH FTP, a secure FTP protocol based on SSH. It ensures that users can log in to a remote device securely for file management and transmission, and enhances the security of data transmission. In addition, you can log in to a remote SSH server from the router that functions as an SFTP client.

Pre-configuration Tasks

Before establishing the configuration task of accessing files on another device by using SFTP,

complete the following tasks:

• Configuring a reachable route between the client and SSH server

Data Preparation

To access files on another device by using SFTP, you need the following data:

No.  Data

1    (Optional) Source address of the device that functions as the SFTP client

2    (Optional) Name of the SSH server

3    (Optional) Public key that is assigned by the client to the SSH server

4    IPv4 address or host name of the SSH server

5    Number of the port monitored by the SSH server; preferred encryption algorithm from the SFTP client to the SSH server; preferred encryption algorithm from the SSH server to the SFTP client; preferred HMAC algorithm from the SFTP client to the SSH server; preferred HMAC algorithm from the SSH server to the SFTP client; preferred algorithm of key exchange; name of the outgoing interface; source address; the user information for logging in to the SSH server

6    Name and directory of a specified file on the SSH server

 

8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client

You can configure a source IP address for an SFTP client. Then, you can set up an SFTP

connection from the SFTP client to the server through a specific route by using this source IP

address.

Context

An IP address is configured for an interface on the router and functions as the source IP address

of an FTP connection. In this manner, security checks can be implemented.

The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a router that functions as an SFTP client.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

sftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address is configured for an SFTP client.

----End

8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)

After the first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA public key when logging in to the SSH server for the first time.

Context

If the first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication at the next login.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ssh client first-time enable

The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.

NOTE

• The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH server.

• If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA public key in advance to the SSH server on the SSH client in addition to enabling the first-time authentication on the SSH client.

----End

8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)

To configure the first successful login to another device on the SSH client, you need to allocate

an RSA public key to the SSH server before the login.

Context

If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to

the SSH server for the first time, the SFTP client fails to pass the check on the RSA public key

validity and cannot log in to the server.

Do as follows on the router functioning as an SSH client:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:

 public-key-code begin

The public key editing view is displayed.

Step 4 Run:

hex-data

The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automatically

generated by an SSH client. You can run the display rsa local-key-pair public command to

view a generated public key.

NOTE

Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the STelnet client can successfully undergo the validity check on the RSA public key of the SSH server.

Step 5 Run:

 public-key-code end 

Quit the public key editing view.

• If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.

• If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:

 peer-public-key end 

Return to the system view from the public key view.

----End
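With first-time authentication (8.7.3) the client stores whatever key the server presents on the first connection, so the hex-data entered under rsa peer-public-key (8.7.4) is the point at which an operator can actually verify the server's key. The following Python sketch is an added example, not Huawei code: it decodes a key code, reports the modulus size and a SHA-256 fingerprint that can be compared out of band, and checks that the key typed on the client is the one displayed on the server. The sample key is the one printed in the STelnet example in 8.8.2; the function names and the 2048-bit default threshold are assumptions.

```python
import hashlib

# Key code as printed by "display rsa local-key-pair public" in the example
# in section 8.8.2 (key name: Host).
PAGE_KEY_DISPLAYED = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203010001
"""

# The same key as typed in the rsa-key-code view in 8.8.2; the last group is
# split across two input lines there.
PAGE_KEY_TYPED = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""


class KeyFormatError(ValueError):
    """The hex-data is not a well-formed SEQUENCE { INTEGER n, INTEGER e }."""


def _read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise KeyFormatError("truncated header")
    if buf[pos] != tag:
        raise KeyFormatError(f"expected tag 0x{tag:02x}, got 0x{buf[pos]:02x}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise KeyFormatError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise KeyFormatError("value runs past the end of the data")
    return buf[pos:pos + length], pos + length


def parse_hex_data(text):
    """Decode a key code, ignoring how the hex digits are grouped into lines."""
    try:
        der = bytes.fromhex("".join(text.split()))
    except ValueError as exc:
        raise KeyFormatError("not hexadecimal") from exc
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise KeyFormatError("trailing data after the SEQUENCE")
    n_bytes, pos = _read_tlv(seq, 0, 0x02)
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise KeyFormatError("unexpected extra fields")
    # Read both integers as unsigned: the sample on the page has a modulus
    # whose first byte is 0xBF with no leading 00 byte.
    modulus = int.from_bytes(n_bytes, "big")
    return {
        "modulus": modulus,
        "modulus_bits": modulus.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def same_key(displayed, typed):
    """True if the key typed on the client is the key displayed on the server."""
    return parse_hex_data(displayed)["sha256"] == parse_hex_data(typed)["sha256"]


def vet_key(text, min_bits=2048):
    """Return findings for a key code; min_bits is an assumed local policy."""
    info = parse_hex_data(text)
    findings = []
    if info["modulus_bits"] < min_bits:
        findings.append(
            f"modulus is {info['modulus_bits']} bits, below the {min_bits}-bit minimum")
    if info["modulus"] % 2 == 0:
        findings.append("modulus is even, so this is not a valid RSA key")
    if info["exponent"] < 3 or info["exponent"] % 2 == 0:
        findings.append(f"unusable public exponent {info['exponent']}")
    return findings


if __name__ == "__main__":
    key = parse_hex_data(PAGE_KEY_DISPLAYED)
    print("bits:", key["modulus_bits"], "e:", key["exponent"])
    print("sha256:", key["sha256"])
    print("typed key matches displayed key:", same_key(PAGE_KEY_DISPLAYED, PAGE_KEY_TYPED))
    print("findings:", vet_key(PAGE_KEY_DISPLAYED))
```

Comparing the fingerprint computed from the server's console output with the one computed from the text pasted on the client catches a mistyped or substituted key before peer-public-key end is run.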

8.7.5 Connecting to Other Devices by Using SFTP

You can log in to the SSH server from the SSH client through SFTP.

Context

The command for enabling the SFTP client is similar to that of STelnet. When accessing the SSH server, the SFTP client can specify the source address and the name of the VPN instance, choose the key exchange algorithm, encryption algorithm and HMAC algorithm, and configure the keepalive function.

Do as follows on the router that serves as an SSH client.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

----End

8.7.6 Operating Files by Using SFTP Commands

You can manage directories and files on the SSH server from the SFTP client, and check the

command help on the SFTP client.

Context

After logging in to the SSH server from the SFTP client, you can perform the following

operations on the SFTP client:

• Create or delete a directory on the SSH server, and display the current working directory, the specified directory and information about the file in the specified directory.

• Change a file name, delete a file, display a file list, and upload or download a file.

• Display the SFTP client command help.

After logging in to the router that functions as an SSH client and entering the SFTP client view, you can perform the following steps:

Procedure

• Managing the directory

Perform the following as required:

– Run:

cd [ remote-directory ]

The current operating directory of users is changed.

– Run:

cdup

The operating directory of users is switched to the upper-level directory.

– Run:

 pwd 

The current operating directory of users is displayed.

– Run:

dir [ -l -a ] [ path ]

The file list in the specified directory is displayed.

– Run:

rmdir remote-directory & <1-10>

The directory on the server is deleted.

– Run:

 mkdir remote-directory 

A directory is created on the server.

• Managing the file

Perform the following as required:

– Run:

rename old-name new-name

The name of the specified file on the server is changed.

– Run:

get remote-filename [local-filename]

The file on the remote server is downloaded.

– Run:

put local-filename [remote-filename]

The local file is uploaded to the remote server.

– Run:

remove remote-filename

The file on the server is removed.

• Displaying the SFTP client command help

help [all | command-name ]

The SFTP client command help is displayed.

----End

8.7.7 Checking the Configuration

After logging in to another device by using SFTP, you can view the source address of the SSH

client, the mappings between all SSH servers and the RSA public keys on the client, the global

configurations of the SSH servers, and the sessions between the SSH servers and the client.

Prerequisite

The configuration of accessing files on another device by using SFTP is complete.

Procedure

• Run the display sftp-client command to check the source IP address of the SFTP client on the SSH client.

----End

Example

Run the display sftp-client command on the client to view the source parameters of the device

functioning as an SFTP client.

<Huawei> display sftp-client
Info: The source address of SFTP client is 1.1.1.1

8.8 Configuration Examples

This section provides examples of accessing another device. The examples explain networking requirements, configuration notes, and configuration roadmap.

8.8.1 Example for Configuring Telnet Services

In this example, the authentication mode and password are configured for users to log in using

Telnet.

Networking Requirements

As shown in Figure 8-8, Router A and Router B can ping each other successfully. A user logs

in to Router B from Router A using Telnet.

Figure 8-8 Networking diagram for configuring Telnet services

RouterA (GE1/0/0, 1.1.1.1/24) ---- RouterB (GE1/0/0, 1.1.1.2/24)

 

Configuration Roadmap

The configuration roadmap is as follows:

1. On Router B, configure the authentication mode and password for VTY0 to VTY4.

2. Configure users to use passwords to log in to Router B from Router A using Telnet.

3. Configure a Telnet server port number on Router B to ensure that users log in through this port only.

Data Preparation

To complete the configuration, you need the following data:

• Host address of Router B

• Authentication mode and password

• Telnet server port number

• User level 15

Procedure

Step 1 Configure IP addresses.

# Configure Router A.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] quit

# Configure Router B.

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit

Step 2 Configure the authentication mode and password for Telnet services on Router B.

[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
[RouterB-ui-vty0-4] set authentication password simple hello
[RouterB-ui-vty0-4] quit

To configure an ACL for Telnet services, run the following commands on Router B.

[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound

NOTE

You can choose to configure an ACL for Telnet services.

Step 3 Log in to Router B from Router A using Telnet.

<RouterA> telnet 1.1.1.2
Press CTRL_] to quit telnet mode
Trying 1.1.1.2 ...
Connected to 1.1.1.2 ...

User Access Verification

>>User password:

Huawei Integrated Access SoftwareAR.

Copyright(C) Huawei Technologies Co., Ltd. 2010-2011. All rights reserved.

<RouterB>

Step 4 Configure a Telnet server port number on Router B.

<RouterB> system-view
[RouterB]sysman service telnet port 1028
After the command is executed, logging in to the port through telnet fails, al
l the telnet users exit, and a new port is created. If you need to set the port
through telnet again, wait for at least two minutes and then set the port again.
Are you sure to continue?(y/n)[n]: y

Step 5 Use the port number 1028 to log in to Router B from Router A using Telnet.

<RouterA> telnet 1.1.1.2 1028
Press CTRL_] to quit telnet mode

Trying 1.1.1.2 ...

Connected to 1.1.1.2 ...

User Access Verification

>>User password:

Huawei Integrated Access SoftwareAR.

Copyright(C) Huawei Technologies Co., Ltd. 2010-2011. All rights reserved.

<RouterB>

----End

Configuration Files

• Configuration file of Router A

#
sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
return

• Configuration file of Router B

#
sysname RouterB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password simple hello
#
return

8.8.2 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server

In this example, the local key pairs are generated on the STelnet client and the SSH server; the public RSA key is generated on the SSH server and then bound to the STelnet client. In this manner, the STelnet client can connect to the SSH server.

Networking Requirements

As shown in Figure 8-9, after the STelnet service is enabled on the SSH server, the STelnet

client can log in to the SSH server with the password, RSA, password-rsa, or all authentication

mode.

Configure two login clients:

• Configure Client001 with the password as huawei and adopt the password authentication.

• Configure Client002, adopt the RSA authentication and assign the public key RsaKey001 to Client002.

The user interface supports only SSH.

Figure 8-9 Networking diagram of configuring the device as the STelnet client to connect to the SSH server

Client001: GE1/0/0, 10.164.39.220/24
Client002: GE1/0/0, 10.164.39.221/24
SSH Server: GE1/0/0, 10.164.39.222/24

 

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Client001 and Client002 on the SSH server.

2. Generate the local key pairs on the STelnet client and the SSH server respectively.

3. Generate the RSA public key on SSH server and bind the RSA public key of SSH client to

Client002.

4. Enable STelnet service on the SSH server.

5. Users Client001 and Client002 log in to the SSH server through STelnet.

Data Preparation

To complete the configuration, you need the following data:

• Name and the authentication mode of the SSH user

• Password or the RSA public key of the SSH user

• Name of the SSH server

Procedure

Step 1 Generate a local key pair on the SSH server.

<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Create SSH users on the server.

# Configure a VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create an SSH user named Client001.

# Create an SSH user named Client001, configure password authentication for the user, and set the password to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

• Create an SSH user named Client002.

# Create an SSH user named Client002, set the password to huawei, and configure RSA authentication for the user.

[SSH Server] aaa
[SSH Server-aaa] local-user client002 password cipher huawei
[SSH Server-aaa] local-user client002 service-type ssh
[SSH Server-aaa] quit
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key on the server.

# Generate a local key pair for Client002.

<Huawei> system-view
[Huawei] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key of the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 2007-12-29 16:19:59+08:00
Key name: Host
Key type: RSA encryption Key
=====================================================
Key code:

3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203010001
=====================================================
Time of Key pair created: 2007-12-29 16:20:05+08:00
Key name: Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203010001
[client002]

# Send the RSA public key of the client to the server.

[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind the RSA public key of the SSH client to Client002.

[SSH Server] ssh user client002 assign rsa-key RsaKey001

Step 5 Connect to the SSH server.

# Enable initial authentication on the SSH client if it logs in for the first time.

<Huawei> system-view
[Huawei] sysname client001
[client001] ssh client first-time enable

<Huawei> system-view
[Huawei] sysname client002
[client002] ssh client first-time enable

# Log in to the SSH server from Client001 in password authentication mode by entering the user 

name and password.

<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:

Enter the password huawei. The following information indicates that the login succeeds.

Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

# Log in to the SSH server from Client002 in RSA authentication mode.

<client002> system-view
[client002] stelnet 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

Step 6 Verify the configuration.

After the configuration is complete, run the display ssh server status and display ssh server

session commands. You can see that the STelnet clients have logged in to the server successfully.

# Check the status of the SSH server.

[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP Server : Enable

# Check the SSH session status.

[SSH Server] display ssh server session
--------------------------------------------------------------------
Conn    Ver   Encry   State   Auth-type   Username
--------------------------------------------------------------------
VTY 3   2.0   AES     run     password    client001
VTY 4   2.0   AES     run     rsa         client002
--------------------------------------------------------------------

# Check information about the SSH users.

[SSH Server] display ssh user-information
-------------------------------------------------------------------------------
Username    Auth-type   User-public-key-name
-------------------------------------------------------------------------------
client001   password    null
client002   rsa         RsaKey001
-------------------------------------------------------------------------------

----End

Configuration Files

• Configuration file of the SSH server

#
sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 30470240

 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
 1D7E3E1B 0203010001
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password cipher huawei
 local-user client002 password cipher huawei
 local-user client001 service-type ssh
 local-user client002 service-type ssh
#
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

• Configuration file of Client001 on SSH client

#
sysname client001
#
interface GigabitEthernet1/0/0
 ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
return

• Configuration file of Client002 on SSH client

#
sysname client002
#
interface GigabitEthernet1/0/0
 ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
return
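One way to review saved configurations like those in 8.8.1 and 8.8.2 before deployment, as an added example rather than Huawei tooling: the Python sketch below groups a configuration into views by indentation and flags the settings these examples rely on that weaken remote access (a VTY password stored with the simple keyword, VTY lines not pinned to SSH, VTY lines without an inbound ACL, and first-time authentication left enabled on a client). The rule names and messages are assumptions; the samples are the page's Router B, SSH server and Client001 files with the one-space indentation of a saved configuration restored and the key block left out.

```python
import re

# Rule identifiers and messages are assumptions made for this example.
RULES = {
    "cleartext-password": "VTY password is stored readable in the configuration (simple)",
    "vty-not-ssh-only": "VTY view has no 'protocol inbound ssh' line",
    "vty-no-acl": "VTY view has no 'acl <number> inbound' source restriction",
    "first-time-auth": "SSH client accepts an unverified server key on first login",
}

# Constructed from the configuration files shown in 8.8.1 and 8.8.2.
ROUTER_B = """\
#
sysname RouterB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password simple hello
#
return
"""

SSH_SERVER = """\
#
sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 service-type ssh
#
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

CLIENT001 = """\
#
sysname client001
#
interface GigabitEthernet1/0/0
 ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
return
"""


def parse_views(text):
    """Return [(line_no, command, [(line_no, sub_command), ...])] by indentation."""
    views = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        command = raw.strip()
        if not command or command in ("#", "return"):
            continue
        if raw[0].isspace() and views:
            views[-1][2].append((line_no, command))   # belongs to the open view
        else:
            views.append((line_no, command, []))      # starts a new view
    return views


def audit(text):
    """Return [(line_no, rule_id)] for every weak setting found."""
    findings = []
    for line_no, command, children in parse_views(text):
        if command == "ssh client first-time enable":
            findings.append((line_no, "first-time-auth"))
        if not command.startswith("user-interface"):
            continue
        for child_no, child in children:
            if re.match(r"set authentication password simple\s+\S+", child):
                findings.append((child_no, "cleartext-password"))
        if re.match(r"user-interface vty\b", command):
            sub_commands = [child for _, child in children]
            if "protocol inbound ssh" not in sub_commands:
                findings.append((line_no, "vty-not-ssh-only"))
            if not any(re.fullmatch(r"acl \d+ inbound", c) for c in sub_commands):
                findings.append((line_no, "vty-no-acl"))
    return findings


def report(name, text):
    """Format the findings for one configuration as printable lines."""
    return [f"{name}:{line_no}: {rule}: {RULES[rule]}" for line_no, rule in audit(text)]


if __name__ == "__main__":
    for name, text in (("RouterB", ROUTER_B), ("SSH Server", SSH_SERVER),
                       ("client001", CLIENT001)):
        print("\n".join(report(name, text)) or f"{name}: no findings")
```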

8.8.3 Example for Configuring TFTP

In this example, the TFTP application is run on the TFTP server and the location of the source

file on the server is set. After that, you can upload and download files.

Networking Requirements

As shown in Figure 8-10, the IP address of the TFTP server is 10.111.16.160/24.

Log in to the router from the HyperTerminal and then download the file ar.cc from the TFTP

server.

Figure 8-10 Networking diagram of configuring TFTP

Diagram labels: TFTP Client, TFTP Server (10.111.16.160/24), PC

 

Configuration Roadmap

The configuration roadmap is as follows:

1. Run the TFTP application on the TFTP server, and set the location of the file on the server.

2. Use the TFTP command on the router to download the file.

3. Use the TFTP command on the router to upload the file.

Data Preparation

To complete the configuration, you need the following data:

• The TFTP application installed on the TFTP server

• The path of the file on the TFTP server

• The destination file name and its path on the router

Procedure

Step 1 Start the TFTP server, and set its Current Directory as the directory where the ar.cc file resides.

Figure 8-11 shows the interface.

Figure 8-11 Setting the Base Directory of the TFTP server 

 

NOTE

The display may be different depending on different TFTP server applications run in the computer.

Step 2 Log in to the router from the computer HyperTerminal and enter the following command to download the file.

<Huawei> tftp 10.111.16.160 get ar.cc flash:/

Info: Transfer file in binary mode.

Downloading the file from the remote TFTP server. Please wait...

69143936 bytes received in 42734second.

TFTP: Downloading the file successfully.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory on the router.

<Huawei> dir flash:/
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-      1,738,816  Mar 28 2011 17:00:24   web.zip
    1  -rw-            396  Feb 11 2008 14:34:17   rsa_host_key.efs
    2  -rw-            540  Feb 11 2008 14:35:10   rsa_server_key.efs
    3  -rw-          1,498  Apr 01 2011 09:49:37   iascfg.zip
    4  -rw-        525,337  Apr 01 2011 09:50:00   private-data.txt
    5  -rw-          1,215  Mar 26 2011 11:32:27   iascfg_autobackup.zip
    6  -rw-      1,703,936  Feb 27 2008 10:00:10   ar_smk2.cc
    7  drw-              -  Mar 07 2008 15:44:46   dd
    8  -rw-     69,143,936  Mar 28 2008 07:34:54   ar.cc
    9  -rw-          8,996  Apr 07 2008 14:56:24   1.cap
   10  -rw-          5,602  May 27 2011 13:59:31   ab.cap
   11  -rw-            220  Mar 28 2011 16:51:16   elab.txt
   12  -rw-          1,686  Mar 28 2011 17:04:53   lic_ar.dat

217,168 KB total (145,536 KB free)

Step 4 Log in to the router from the computer HyperTerminal and enter the following command to upload the file.

<Huawei> tftp 10.111.16.160 put flash:/iascfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...
TFTP: Uploading the file successfully.
3856 bytes send in 1 second.

----End

8.8.4 Example for Connecting the SFTP Client to the SSH Server

In this example, the local key pairs are generated on the SFTP client and the SSH server respectively; the RSA public key is generated on the SSH server and bound to the SFTP client. In this manner, the SFTP client can connect to the SSH server.

Networking Requirements

As shown in Figure 8-12, after the SFTP service is enabled on the SSH server, the SFTP Client

can log in to the SSH server with the password, RSA, password-rsa, or all authentication.

Figure 8-12 Networking diagram of connecting the SFTP client to the SSH server 

Client001: GE1/0/0, 10.164.39.220/24
Client002: GE1/0/0, 10.164.39.221/24
SSH Server: GE1/0/0, 10.164.39.222/24


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Client001 and Client002 on the SSH server.
2. Generate the local key pairs on the SFTP client and SSH server.
3. Generate the RSA public key on the SSH server and bind the RSA public key of SSH client to Client002.
4. Enable the SFTP service on the SSH server.
5. Configure the service mode and authorization directory for the SSH user.
6. Client001 and Client002 log in to the SSH server through SFTP.

Data Preparation

To complete the configuration, you need the following data:

• Name and the authentication mode of the SSH user
• Password or the RSA public key of the SSH user
• Name of the SSH server

Procedure

Step 1 Generate a local key pair on the SSH server.

<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++

Step 2 Create SSH users on the server.

# Configure a VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create an SSH user named Client001.

# Create an SSH user named Client001, configure password authentication for the user, and set the password to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 ftp-directory flash:
[SSH Server-aaa] quit

• Create an SSH user named Client002.

# Create an SSH user named Client002, set the password to huawei, and configure RSA authentication for the user.

[SSH Server] aaa
[SSH Server-aaa] local-user client002 password cipher huawei
[SSH Server-aaa] local-user client002 service-type ssh
[SSH Server-aaa] local-user client002 ftp-directory flash:
[SSH Server-aaa] quit
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key on the server.

# Generate a local key pair for Client002.

<Huawei> system-view
[Huawei] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key of the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 2007-12-29 16:19:59+08:00
Key name: Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
=====================================================
Time of Key pair created: 2007-12-29 16:20:05+08:00
Key name: Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Send the RSA public key of the client to the server.

[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end


Step 4 Bind the RSA public key of the SSH client to Client002.

[SSH Server] ssh user client002 assign rsa-key RsaKey001
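The key code pasted in Step 3 is a hex-encoded ASN.1 SEQUENCE of two INTEGERs (modulus, then public exponent), so its size can be checked before it is bound to a user. The following Python is an added example, not part of the Huawei guide: it decodes the client002 Host key code shown above and reports the modulus length; the function names and the 2048-bit floor are assumptions of the example. The integers are read as unsigned because the displayed encoding carries no leading zero octet.

```python
"""Decode a VRP-style RSA "Key code" block and report the modulus size."""
import re

# Key code of the client002 "Host" key, copied from Step 3 of this page.
HOST_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""

MIN_MODULUS_BITS = 2048  # assumed policy floor for this example, not from the guide


def _read_tlv(buf, pos, expected_tag):
    """Read one tag-length-value element; return (value_bytes, next_position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    if buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02X}, got 0x{buf[pos]:02X}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, needed once a key exceeds 127 bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("element overruns the supplied data")
    return buf[pos:end], end


def parse_key_code(text):
    """Return (modulus, exponent) from a key code block as shown by the device."""
    hex_digits = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hex_digits):
        raise ValueError("key code must be whole hex octets")
    der = bytes.fromhex(hex_digits)
    body, end = _read_tlv(der, 0, 0x30)          # SEQUENCE
    if end != len(der):
        raise ValueError("trailing data after the key")
    modulus, pos = _read_tlv(body, 0, 0x02)      # INTEGER n
    exponent, pos = _read_tlv(body, pos, 0x02)   # INTEGER e
    if pos != len(body):
        raise ValueError("unexpected extra element inside the key")
    # Read as unsigned: the displayed modulus starts with a high bit set
    # and has no 0x00 padding octet in front of it.
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")


def audit_key_code(text, min_bits=MIN_MODULUS_BITS):
    """Summarise a key code and list anything that fails the assumed policy."""
    n, e = parse_key_code(text)
    bits = n.bit_length()
    findings = []
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits, below the {min_bits}-bit floor")
    if e % 2 == 0 or e < 65537:
        findings.append(f"unusual public exponent {e}")
    return {"modulus_bits": bits, "exponent": e, "findings": findings}


if __name__ == "__main__":
    report = audit_key_code(HOST_KEY_CODE)
    print(f"modulus: {report['modulus_bits']} bits, exponent: {report['exponent']}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Running the same check against a peer key before `ssh user ... assign rsa-key` shows whether the key that will authenticate the user meets the size the operator expects.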

Step 5 Enable the SFTP service on the SSH server.

# Enable the SFTP service.

[SSH Server] sftp server enable

Step 6 Connect to the SSH server.

# Enable initial authentication on the SSH client if it logs in for the first time.

<Huawei> system-view
[Huawei] sysname client001
[client001] ssh client first-time enable

<Huawei> system-view
[Huawei] sysname client002
[client002] ssh client first-time enable

# Log in to the SSH server from Client001 in password authentication mode.

<client001> system-view
[client001] sftp 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
sftp-client>

# Log in to the SSH server from Client002 in RSA authentication mode.

<client002> system-view
[client002] sftp 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
sftp-client>

Step 7 Verify the configuration.

After the configuration is complete, run the display ssh server status and display ssh server

session commands. You can see that the SFTP service has been enabled, and the SFTP clients

have logged in to the server successfully.

# Check the status of the SSH server.

[SSH Server] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP Server :Enable

# Check the SSH session status.

[SSH Server] display ssh server session
--------------------------------------------------------------------
Conn   Ver  Encry  State  Auth-type  Username
--------------------------------------------------------------------
VTY 3  2.0  AES    run    password   client001
VTY 4  2.0  AES    run    rsa        client002
--------------------------------------------------------------------

# Check information about the SSH users.

[SSH Server] display ssh user-information
-------------------------------------------------------------------------------
Username   Auth-type  User-public-key-name
-------------------------------------------------------------------------------
client001  password   null
client002  rsa        RsaKey001
-------------------------------------------------------------------------------

----End

Configuration Files

• Configuration file of the SSH server.

#
sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
  3047
  0240
  C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
  A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
  0203
  010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 local-user client001 ftp-directory flash:
 local-user client002 ftp-directory flash:
#
sftp server enable
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

• Configuration file of Client001 on the SSH client

#
sysname client001
#
interface GigabitEthernet1/0/0
 ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
return

• Configuration file of Client002 on the SSH client

#
sysname client002
#
interface GigabitEthernet1/0/0
 ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
return


8.8.5 Example for Authenticating SSH Through RADIUS

In this example, a user that attempts to access the SSH server is authenticated by the RADIUS

server, and the SSH server determines whether to set up a connection with the user according

to the authentication result.

Networking Requirements

When a RADIUS user is connected to an SSH server, the SSH server sends the user name and password of the SSH client to the RADIUS server (compatible with the TACACS server) for authentication.

The RADIUS server authenticates the user and sends the result (passed or failed) back to the

SSH server. If the authentication is successful, the user level is sent along with the result. The

SSH server determines whether the SSH client is allowed to set up a connection according to

the authentication result.

Figure 8-13 shows the networking diagram.

Figure 8-13 Networking diagram of authenticating the SSH through RADIUS

SSH Client: GE1/0/0, 10.164.39.221/24
SSH Server: GE1/0/0, 10.164.39.222/24
Radius Server: 10.164.6.49/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the RADIUS template on the SSH server.
2. Configure a domain on the SSH server.
3. Create a user on the RADIUS server.
4. Generate the local key pair on STelnet client and SSH server respectively.
5. Generate the local key pair on the client and SSH server.
6. Generate the RSA public key on SSH server and bind the RSA public key of the SSH client to [email protected].
7. Enable the STelnet and SFTP services on the SSH server.
8. Configure the service mode and authorization directory of the SSH user.
9. Users [email protected] and [email protected] log in to the SSH server through STelnet and SFTP respectively.

Data Preparation

To complete the configuration, you need the following data:

• Configure the password authentication for the two SSH users.
• RADIUS authentication
• Name of the RADIUS template
• Name of the RADIUS domain
• Name and password of the RADIUS user

Procedure

Step 1 Generate a local key pair on the SSH server.

<Huawei> system-view
[Huawei] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure the RSA public key on the server.

# Generate a local key pair on the client.

<Huawei> system-view
[Huawei] sysname client
[client] rsa local-key-pair create

# Check the RSA public key of the client.

[client] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]

# Send the RSA public key of the client to the server.

[Huawei] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Huawei-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Huawei-rsa-key-code] 3047
[Huawei-rsa-key-code] 0240
[Huawei-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Huawei-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Huawei-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Huawei-rsa-key-code] 1D7E3E1B
[Huawei-rsa-key-code] 0203
[Huawei-rsa-key-code] 010001
[Huawei-rsa-key-code] public-key-code end
[Huawei-rsa-public-key] peer-public-key end

Step 3 Create SSH users.

Create users [email protected] and [email protected] on the RADIUS server. Specify the NAS's IP

address 10.164.39.222 and set the password to huawei. The NAS's IP address is the IP address

of the SSH server connected to the RADIUS server.

# Configure VTY user interfaces on the SSH server.

[Huawei] user-interface vty 0 4
[Huawei-ui-vty0-4] authentication-mode aaa
[Huawei-ui-vty0-4] protocol inbound ssh
[Huawei-ui-vty0-4] quit

# Create users [email protected] and [email protected] on the SSH server and set the authentication mode.

[Huawei] aaa
[Huawei-aaa] local-user [email protected] password cipher huawei
[Huawei-aaa] local-user [email protected] password cipher huawei
[Huawei-aaa] quit

Step 4 Configure a RADIUS server template.

# Configure an authentication scheme newscheme and set the authentication mode to RADIUS authentication.

[Huawei] aaa
[Huawei-aaa] authentication-scheme newscheme
[Huawei-aaa-authen-newscheme] authentication-mode radius
[Huawei-aaa-authen-newscheme] quit

# Configure a RADIUS server template ssh on the SSH server.

[Huawei] radius-server template ssh

# Specify the RADIUS server at 10.164.6.49 as the RADIUS authentication and set the authentication port number to 1812.

[Huawei-radius-ssh] radius-server authentication 10.164.6.49 1812

# Set the shared key of the RADIUS server to huawei.

[Huawei-radius-ssh] radius-server shared-key cipher huawei
[Huawei-radius-ssh] quit

Step 5 Configure the RADIUS domain name on the SSH server.

# Set the RADIUS domain name to ssh.com and apply the authentication scheme newscheme and RADIUS server template ssh to the RADIUS domain.

[Huawei] aaa
[Huawei-aaa] domain ssh.com
[Huawei-aaa-domain-ssh.com] authentication-scheme newscheme
[Huawei-aaa-domain-ssh.com] radius-server ssh
[Huawei-aaa-domain-ssh.com] quit
[Huawei-aaa] quit

Step 6 Connect the SSH client to the SSH server.

# Enable the SFTP service on the SSH server.

[Huawei] sftp server enable

# Enable initial authentication on the SSH client if it logs in for the first time.

[client] ssh client first-time enable
[client] quit

# Log in to the SSH server from the STelnet client in RADIUS authentication mode.

<client> system-view
[client] stelnet 10.164.39.222
Please input the username: [email protected]
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:

Enter the password huawei. The following information indicates that the login succeeds.

Info: The max number of VTY users is 10, and the current number
of VTY users on line is 2.
<Huawei>

# Log in to the SSH server from the SFTP client in RADIUS authentication mode.

<client> system-view
[client] sftp 10.164.39.222
Please input the username: [email protected]
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
sftp-client>

Step 7 Verify the configuration.

After the preceding configuration is complete, run the display radius-server configuration and

display ssh server session commands on the SSH server to view the RADIUS server 

configuration and the SSH session status. You can see that the STelnet and SFTP clients have

logged in to the SSH server.

# View the configuration of the RADIUS server.

[Huawei-aaa] display radius-server configuration
-------------------------------------------------------------------
Server-template-name : ssh
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : N`C55QK<`=/Q=^Q`MAF4<1!!
Timeout-interval(in second) : 5
Primary-authentication-server : 10.164.6.49 :1812 LoopBack:NULL
Primary-accounting-server : 0.0.0.0 :0 LoopBack:NULL
Secondary-authentication-server : 0.0.0.0 :0 LoopBack:NULL
Secondary-accounting-server : 0.0.0.0 :0 LoopBack:NULL
Retransmission : 3
Domain-included : YES
-------------------------------------------------------------------

# Check the SSH session status.

[Huawei] display ssh server session
--------------------------------------------------------------------
Conn   Ver  Encry  State  Auth-type  Username
--------------------------------------------------------------------
VTY 0  2.0  AES    run    password   [email protected]
VTY 1  2.0  AES    run    password   [email protected]
--------------------------------------------------------------------

----End

Configuration Files

Configuration file of the SSH server

#
radius-server template ssh
 radius-server authentication 10.164.6.49 1812
#
rsa peer-public-key rsakey001
 public-key-code begin
  3047
  0240
  C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
  A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
  0203
  010001
 public-key-code end
peer-public-key end
#
aaa
 authentication-scheme newscheme
  authentication-mode radius
 #
 domain ssh.com
  authentication-scheme newscheme
  radius-server ssh
#
sftp server enable
ssh user [email protected]
ssh user [email protected]
ssh user [email protected] assign rsa-key RsaKey001
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return


9 Upgrade and Maintenance

About This Chapter

Upgrade and maintenance of the router can optimize device performance, monitor device

operation status, simplify operation and maintenance, and reduce carriers' Operation

Expenditure (OPEX).

9.1 Upgrade and Maintenance Overview

Devices can be upgraded and maintained by activating GTL license files, upgrading system

software, managing patches, monitoring CPU and memory usage, or restarting devices.

9.2 Activating a GTL License File

A GTL license file is an authorization file that controls the capacity and functions of a device.

9.3 Upgrading System Software

Software upgrade can optimize device performance, add new features, and update the current

software version.

9.4 Managing Patches

This section describes several operations that can be performed on patches. You can install

 patches to upgrade the system without interrupting services, specify the patch file to be used

after the next startup, uninstall patches to deactivate the patches that do not meet system

requirements, or delete the unwanted patches to release the memory of the patch area on the

MPU.

9.5 Monitoring CPU and Memory Usage

Configuring CPU and memory usage thresholds allows CPU and memory usage to be monitored

and system performance to be known in time.

9.6 Restarting the Device

After the system software of the router is upgraded, the router must be restarted to make the

configuration take effect. To prevent the system from breaking down due to a large number of 

temporary files, the router also must be restarted.

9.7 Configuration Examples

This section provides configuration examples for upgrade and maintenance, including

networking requirements, precautions, and configuration roadmap. The configuration flowchart

will help you understand the configuration procedures.


9.1 Upgrade and Maintenance Overview

Devices can be upgraded and maintained by activating GTL license files, upgrading system

software, managing patches, monitoring CPU and memory usage, or restarting devices.

9.1.1 License Authorization

The AR1200-S provides a management platform of license authorization. You can apply for,

upgrade, and activate license files to obtain corresponding rights.

If new devices are deployed, you can purchase new licenses as needed to enable license-

controlled features and functions on the devices. This reduces purchase costs. If the capacities

of the existing devices are expanded, you can update the licenses used on the devices to enable

more license-controlled features and functions.

9.1.2 Software Upgrade

Software upgrade meets users' requirements for new functions by upgrading the patch file,

system software, configuration file, PAF file, and license file.

Software upgrade involves software downloading and software loading. Software downloading

includes:

• Remote downloading
• Local downloading

9.1.3 Patch Management

Loading a patch onto the system software allows the system software to be upgraded in service without interrupting services on the device. This also improves Quality of Service (QoS).

During device operation, the system software may need to be modified due to system bugs or 

new function requirements. The traditional way is to upgrade the system software after powering

off the device. This, however, interrupts services and affects QoS.

By means of patch management, the system software can be upgraded in service without

interrupting services.

Table 9-1 provides details on patch status.

Table 9-1 Description of patch status

Patch Status | Description | Patch Status Transition
None | A patch file is saved to the storage medium but has not been loaded to the patch area in memory. | The patch file will be in the running state after being loaded from the storage medium to the patch area in memory.
Running | A patch file is in the running state when it is stored in the patch area and run permanently. If a board is reset, the patch files in the running state on the board remain in the running state. | A patch file in the running state can be deleted from the patch area in memory.

 

Figure 9-1 shows patch status transition.

Figure 9-1 Patch status transition

[Figure: patch statuses "none" and "running"; transitions "Upload and Run patch" and "Delete patch"]

 

9.1.4 CPU and Memory Usage Thresholds

Configuring CPU and memory usage thresholds allows CPU and memory usage and system

 performance to be monitored.

• A log is recorded when CPU usage exceeds the configured threshold.
  If CPU usage exceeds the threshold, an alarm will be generated and logged. You can query the log to know CPU usage.
• A log is recorded when memory usage exceeds the configured threshold.
  If memory usage exceeds the threshold, an alarm will be generated and logged. Users can query the log to know memory usage.

9.1.5 Device Restart

A device can be restarted immediately or as scheduled.

In some special cases, for example, during system upgrade, the router must be restarted to make

the configuration take effect.

In addition to powering off a device, the AR1200-S supports the following methods of restarting

the router:

• Immediate restart
• Scheduled restart

9.2 Activating a GTL License File

A GTL license file is an authorization file that controls the capacity and functions of a device.


9.2.1 Establishing the Configuration Task

A GTL license file must be activated if license-controlled features need to be used on a newly

 purchased device, or the activated GTL license file on the existing device has expired.

Applicable Environment

• Activating a new GTL license for the first time

  If you have purchased a new device, you need to apply for and purchase a GTL license file to obtain the authorization of related service modules. After the GTL license file is activated, the license-controlled service modules can be used.

• Activating an updated GTL license file

  If a device has an activated GTL license file but the GTL license file has expired, you need to apply for a new GTL license file, update it, and then activate it. Otherwise, the GTL license file will become invalid upon expiration. As a result, function modules will be disabled and services will be interrupted.

  Before updating a GTL license file, check whether a new GTL license needs to be applied for. If the authorization value of the new GTL license file is smaller than that of the current GTL license file, an interactive message is displayed to prompt you whether to activate the new GTL license file.

  – If you enter Y, the system informs you of a GTL license file update success.
  – If you enter N, the system informs you of a GTL license update failure, and displays the status of the current GTL license file.

Before activating a GTL license file, check that the GTL license file is suffixed with .dat. After 

obtaining a GTL license file, use a notepad program to check whether the ESN on the MPU is

the same as that in the GTL license file.

NOTE

The GTL license file is suffixed with .dat.

A GTL license file has two versions, namely, Demo and Comm.

Version | Period of Validity | Reservation Period
COMM | As defined in a contract | Usually 90 days and at most 180 days
DEMO | Usually 60 days, which varies according to products | Usually 60 days, which varies according to products

You can run the display license state command to view how long it is before a license in the Demo version expires.

 

The reservation period refers to the number of days for which you can continue to use a function

after the relevant license expires. The system prompts you with a message in the reservation

 period. If you intend to continue to use the GTL license file, apply for a new GTL license.


Pre-configuration Tasks

Before activating a GTL license file, complete the following tasks:

• Applying for a GTL license file
• Installing the GTL license file

Data Preparation

To activate a GTL license file, you need the following data.

No. Data

1 GTL license file name

 

9.2.2 Uploading a GTL License File

The GTL license file that has been applied for can be activated only after the file has been

uploaded to the storage medium on a device.

Context

Before uploading a GTL license file, run the dir command to check the remaining space of the

storage media on the device. Make sure that there is enough space in the storage media to store

the GTL license file.

Procedure

Step 1 Run:

dir device-name

Check whether the GTL license file exists.

The license file is in the .dat format and can be stored in the flash memory or USB flash drive.

NOTE

• A user who uses the GTL license for the first time must buy the GTL license from Huawei, and then load the GTL license file to the main control board.
• A user who wants to upgrade the GTL license needs to run the license revoke command to obtain an invalidation code, and then apply to Huawei for a new GTL license by using the invalidation code. The user also needs to load the new GTL license file to the main control board.

----End

9.2.3 Activating the GTL License File

After activating the GTL license, you are allowed to operate the corresponding service modules.

Context

Before activating the GTL license, run the dir *.dat command to verify that the license file has been loaded to the USB flash drive or flash memory.


Procedure

l Activate the GTL license for the first time.

1. Run:

license active file-name

The GTL license is activated and you obtain permission.

NOTE

If you use the GTL license for the first time, buy the GTL license file from Huawei.

l Upgrade the GTL license.

1. Run:

license revoke

The GTL license invalidation code is returned.

NOTE

Apply to Huawei for a new GTL license by using the invalidation code.

2. Run:

license active file-name

The GTL license is activated and you obtain permission.

----End

9.2.4 (Optional) Enabling the Emergency State of the GTL License Module

Enabling the Emergency state of the GTL license module allows a device to use the maximum

specification of each feature or function.

Context

The Emergency state of a GTL license module can be enabled on the router in any of the

following situations:

l The GTL license file of the Comm version has been activated and is in the Normal state.

l The GTL license file of the Demo version has been activated and is in the Demo state.

l The Emergency state can be enabled again only on the last day of the previous enabling

operation.

Procedure

Step 1 Run:

license emergency

The Emergency state of the GTL license module is enabled.

NOTE

After the Emergency state is enabled, note the following points:

l The Emergency state cannot be cancelled manually.

l The Emergency state can only be enabled three times, and can last seven days every time it is enabled.

l The Emergency state can be enabled again only on the last day of the previous enabling operation.

----End


9.2.5 Checking the Configuration

After the GTL license file has been activated, you can view information about the GTL license

file on the master and slave MPUs.

Prerequisite

The configurations of activating the GTL license file are complete.

Procedure

l Run the display license command to check information about the GTL license file on the

master and slave MPUs.

l Run the display license state command to check the license type.

----End

Example

<Huawei> display license

Active License on master board: flash:/LIC_ON77076_A6D2CE1AEC3_AR.dat

Active license : flash:/LIC_ON77076_A6D2CE1AEC3_AR.dat

License state : Demo

Revoke ticket : No ticket

Product name : AR

Product version : V200R001

License file ESN : AR00050123456789,AR00060123456789,AR00070123456789,AR00080123456789

License Serial No : LIC20110309010210

Creator : Huawei Technologies Co., Ltd.

Created Time : 2011-03-09 19:36:14

Country : China

Custom : R&D of Huawei Technologies Co., Ltd.

Office : Shenzhen

Feature name : ACCESS

Authorize type : DEMO

Expired date : 2011-06-07

Trial days : 60

Item name : LLE0IPPBX01

Item type : Function

Control value : 1

Used value : 1

Item state : Normal

Item expired date : 2011-06-07

Item trial days : 60

Description : LLE0IPPBX01

9.3 Upgrading System Software

Software upgrade can optimize device performance, add new features, and update the current

software version.

9.3.1 Establishing the Configuration Task

To add new features or optimize device performance based on customer requirements, you can upgrade the current system software.


Applicable Environment

Before upgrading system software, you can select resource files as needed.

NOTE

 Note the following points before upgrading system software:

l Obtain the new system software and relevant documents for the upgrade from Huawei.

l Refer to the related Upgrade Guide officially released by Huawei when upgrading a device, because

system software versions differ in different types of products.

l Enable the logging function to record all operations during the upgrade. This facilitates fault analysis

and location in case of an upgrade failure.

l If the device is restarted due to improper resource file configurations, the device will automatically

roll the resource file back to the source version after the device has been restarted.

Pre-configuration Tasks

Before upgrading system software, complete the following task:

l Making sure that the router to be upgraded is working properly, and logging in to the

router successfully

Data Preparation

To upgrade system software, you need the following data.

No. Data

1 Baud rate of a serial interface

2 IP address of an FTP server or the router 

3 User name and password used for login by means of FTP

4 (Optional) New system software, configuration files, PAF file, license file, and patch

file

 

9.3.2 Checking the System Before the Upgrade

To ensure that a device can be upgraded smoothly, the device must be strictly checked against the checklist.

Procedure

Step 1 Prepare hardware as needed, for example, clear memory space to store new system software and

related upgrade files.

Step 2 Check whether a new GTL license file needs to be applied for. If it is needed, obtain it from

Huawei.

NOTE

l A new GTL License needs to be applied for when a device is upgraded to a new R version or V version.

l The obtained new GTL license file is consistent with the system software.


To view GTL license-controlled features, use the Text Editor to open the GTL license file. The

contents in the Resource and Function fields are the resource and function items controlled by

the GTL license file.

Step 3 Obtain software required for the upgrade. The new system software (.cc file) and relevant

documents for the upgrade must be obtained from Huawei.

Step 4 In the user view, run the display version command to view the current system software. If the

current system software is the same as or later than the new system software, the software upgrade

is not needed.

Step 5 Run the following commands to check the device operation status:

Run the display memory-usage command in the user view to check the memory usage of MPUs

to ensure that the MPUs are working properly.

Run the display health command in the user view and record the command output. If you cannot

locate faults that have occurred during the upgrade, provide the information to Huawei technical

 personnel for troubleshooting.

Step 6 Set up an environment where software upgrade can be performed by means of TFTP or FTP.

This helps to back up the original resource files before the upgrade and upload the new resource

files required for the upgrade.

When the system software is upgraded by means of FTP:

l If the device to be upgraded functions as a client and a PC functions as a server, you need to

install the FTP server software on the PC. You need to purchase and install the FTP server 

software yourself, because the device is not installed with such software by default.

l If the device to be upgraded functions as a server and a PC functions as a client, you do not

need to install the FTP server software on the PC. By default, the FTP server function on the device to be upgraded is disabled. To enable the function, run the ftp server enable

command.

When the system software is upgraded by means of TFTP, the device to be upgraded can only

function as a client and does not provide the TFTP server function. In this case, you must install

the TFTP server software on the PC.

Step 7 Back up the important data stored in the storage media on the device to be upgraded.

Step 8 Check the remaining space of the storage media to make sure that there is enough space to store

the new system software and related upgrade files.

----End

9.3.3 Downloading Resource Files

Before upgrading the system software, download the required resource files from the server to

your local computer and configure a local FTP server.

Context

You can download resource files to the router by using the serial port of a computer or the

Ethernet port of the router.

This section describes how to download resource files to the router using the serial port.


Procedure

Step 1 Log in to the router from the console port. For details, see 1.2 Logging In to the Device Through

the Console Port or Mini USB Port.

Step 2 Restart the router. Press Ctrl+B to enter the BootROM menu when the following information is displayed.

Sep 16 2011,17:14:28

Copying Data : Done

Uncompressing : Done

Initializing SMI Bus:OK

Init flash, please wait......

Base Address: 0xfffffffffc000000

Size is: 0x20000000

OK

flash drv init.

Initializing FlashPiece Module:

FlashPiece start offset at: 0x300000

FlashPiece size is: 0x100000

Initializing FlashDynamic Module:

FlashDynamic start offset at: 0x400000

FlashDynamic size is: 0x200000

Initializing I2C Bus:OK

USB2 Host Stack Initialized.

USB Hub Driver Initialized

USBD Wind River Systems, Inc

EHCI Controller found.

Waiting to attach to USBD...0xbfffdf0 (tRootTask): usb1_base = 0xbff22000

Done.

0xbfffdf0 (tRootTask): usbBulkDevInit() returned OK

Press Ctrl+B to break auto startup ... Attached TCP/IP interface to teth1.

NOTE

l If a password is configured, you must enter the password after pressing Ctrl+B to display the BootROM

menu (the default password is huawei).

l You can change the password under the BootROM menu. Make a note of your password and keep it

in a safe place. The password cannot be restored if it is lost.

Step 3 Select choice 3 to enter the network menu.

Enter Password:

Main Menu

1. Default Startup

2. Serial Menu

3. Network Menu

4. Startup Select

5. File Manager

6. Reboot

Enter your choice(1-6):3

Step 4 Select choice 2 to modify the parameter.

NetWork Menu

1. Display parameter

2. Modify parameter

3. Save parameter

4. Download file

0. Return

Enter your choice(1-10): 2

Set the FTP type, resource file name, management interface address, FTP server address, and FTP user name and password.


NOTE

l FTP types include FTP and TFTP.

l Management interface refers to gigabitethernet 0/0/0 on the MPU.

Step 5 After the system returns to the network menu, select choice 4 to download the specified resource file from the local FTP server.

NetWork Menu

1. Display parameter

2. Modify parameter

3. Save parameter

4. Download file

0. Return

Enter your choice(1-10): 4

Step 6 Select the location for storing the resource file.

Download file to: [ 1:flash 2:usb0 ]:

Enter the corresponding numeral to select the storage media.

NOTE

The device uses the flash memory as the default storage medium. Other storage media, such as a USB flash drive, are

displayed only after they are installed.

Step 7 After the resource file is downloaded, restart the router.

----End

9.3.4 Specifying the System Software to Be Used at the Next Startup

After the system software to be used by the router at the next startup is specified, the patch status

file to be used at the next startup must be reset.

Context

Before specifying the system software to be used at the next startup, perform the following

operations:

Upload the system software to the master and slave MPUs. For details, see the contents of 

uploading and downloading files in Performing File Operations by Using FTP Commands.

Make sure that the storage media on the MPUs have sufficient space to store the system software.

NOTE

Verify the system software to be uploaded by checking its size and date.

Do as follows on the router to be upgraded:

Procedure

Step 1 In the user view, run:

startup system-software system-file

The system software to be used at the next startup is specified for the MPU.

Step 2 (Optional) If the upgraded system software needs a corresponding patch file, perform the following operations:


l Run:

startup patch file-name

A patch file to be used at the next startup is specified for the MPU.

Step 3 (Optional) Run:

startup saved-configuration configuration-file

The configuration file to be used at the next startup is specified for the MPUs.

Step 4 (Optional) Run:

startup license file-name

The license file to be used at the next startup is specified for the MPU.

----End

9.3.5 Configuring a Backup Startup File

After a backup startup software package is configured, the system can restart properly if a fault

occurs.

Context

If the storage device where the startup software package is stored is damaged, you can use the

 backup software package to make the system start.

NOTE

l The file name extension of the system software package must be .cc and the package must be stored

in the root directory.

l The backup startup software package can be the same as or different from the current startup software

 package, but it can be used to make the system start.

Procedure

Step 1 Run:

startup system-software filename backup

The backup startup software package is specified.

----End

9.3.6 (Optional) Upgrading the BootROM of the LPU

After the system software is upgraded successfully, you need to manually upgrade the BootROM

of the 2FE and 1GEC.

Context

After the system software is upgraded successfully, you need to manually upgrade the BootROM

of the 2FE and 1GEC.

NOTE

Run the display device command to check whether the device is configured with the successfully registered 2FE or 1GEC.


Procedure

Step 1 Run:

upgrade slot slot-id  startup bootrom 

The BootROM is upgraded.

Step 2 Run:

reset slot slot-id 

The LPU is reset.

After the LPU is reset, run the display version slot  slot-id command to check whether the

BootROM is upgraded successfully.

----End

9.3.7 Restarting a Device

The specified system software to be used at the next startup will take effect only after the device

is restarted.

Context

During the upgrade, the device must be restarted in the following situations:

l The system software and configuration file to be used at the next startup have been specified.

CAUTION

Before restarting the router, run the save command to save the current configuration file.

The router restarts with the specified startup files. If the specified startup files are damaged, the

router restarts with the backup startup files. If the router fails to restart with the backup startup

files, it searches for valid startup files on the storage devices in the sequence "Flash memory -> USB

flash drive." When the router finds valid system software packages and configuration files on

the storage device, it selects a rollback version within 24 minutes and restarts with the selected

version. If the router does not find valid system software and configuration file, it stops at the

BootROM menu.

Procedure

l In the user view, run:

reboot [ fast | save diagnostic-information ]

The router is restarted.

----End

9.3.8 (Optional) Activating a GTL License File

Activating a GTL license file allows the GTL license-controlled features to be used on a device.


Context

Before activating the GTL license, run the dir command to verify that the license file has been

loaded to the storage device (Flash memory or USB flash drive).

Procedure

l Run:

license active file-name

The GTL license file is activated, and the license-controlled features on the device can be

used.

----End

9.3.9 Checking the Configuration

After the system software is upgraded, you can check information about interface parameters

and version consistency between resource files.

Prerequisite

The configurations of upgrading system software are complete.

Procedure

l Run the display patch-information command to check information about all patches.

l Run the display startup command to check that the values of the "Startup system software"

and "Startup saved-configuration file" fields in the command output are the needed ones.

----End

Example

After the patch is installed, run the display patch-information command. You can view the

 patch status on each board.

<Huawei> display patch-information

Patch version : ARV200R001C00SPH100

Patch packet name: flash:/patch_lic2.pat

Run the display startup command. You can view the names of the system software and the

configuration file used at the startup. For example:

<Huawei> display startup

MainBoard:

Startup system software: flash:/ar0215_31345_1220.cc

Next startup system software: flash:/ar0215_31345_1220.cc

Backup system software for next startup: null

Startup saved-configuration file: flash:/iascfg.zip

Next startup saved-configuration file: flash:/iascfg.zip

Startup license file: null

Next startup license file: null

Startup patch package: null

Next startup patch package: null

Startup voice-files: null

Next startup voice-files: null
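The display startup check described above can be automated. The following Python code is an added example, not part of the Huawei guide: it parses the sample output shown above (re-entered one field per line as a constructed input) and compares it with the files the operator intended to boot. The function names and the expected-file arguments are assumptions of this example.

```python
"""Audit `display startup` output after an upgrade (added example)."""

# Constructed input: the sample output from this section, one field per line.
SAMPLE_OUTPUT = """\
<Huawei> display startup
MainBoard:
  Startup system software:                   flash:/ar0215_31345_1220.cc
  Next startup system software:              flash:/ar0215_31345_1220.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/iascfg.zip
  Next startup saved-configuration file:     flash:/iascfg.zip
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null
"""


def parse_display_startup(text):
    """Return {board: {field: value-or-None}}; the literal 'null' becomes None."""
    boards, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # The first colon ends the field name; values such as "flash:/x.cc"
        # contain further colons that must stay in the value.
        key, sep, value = line.partition(":")
        if not sep:                      # blank line or echoed command
            continue
        key, value = key.strip(), value.strip()
        if value == "":                  # "MainBoard:" opens a board section
            current = boards.setdefault(key, {})
        elif current is not None:
            current[key] = None if value.lower() == "null" else value
    return boards


def audit_startup(fields, want_software, want_config, want_patch=None):
    """Compare one board's fields with the intended files; return findings."""
    findings = []

    def check(field, wanted):
        actual = fields.get(field)
        if actual != wanted:
            findings.append(f"{field}: expected {wanted}, device reports {actual}")

    # Running image differs from expected: the device has not rebooted into it.
    check("Startup system software", want_software)
    check("Next startup system software", want_software)
    check("Startup saved-configuration file", want_config)
    check("Next startup saved-configuration file", want_config)
    # A patch nobody specified is as noteworthy as a missing one.
    check("Next startup patch package", want_patch)

    image = fields.get("Next startup system software")
    if image and not image.endswith(".cc"):
        findings.append(f"Next startup system software: {image} is not a .cc package")

    # Without a backup package, a damaged startup image leaves only the
    # search of the storage devices described under "Restarting a Device".
    if fields.get("Backup system software for next startup") is None:
        findings.append("Backup system software for next startup: none configured")
    return findings


if __name__ == "__main__":
    board = parse_display_startup(SAMPLE_OUTPUT)["MainBoard"]
    for finding in audit_startup(board, "flash:/ar0215_31345_1220.cc",
                                 "flash:/iascfg.zip"):
        print("CHECK:", finding)
```

Run against the sample, the audit reports only the missing backup startup package.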


9.4 Managing Patches

This section describes several operations that can be performed on patches. You can install

 patches to upgrade the system without interrupting services, specify the patch file to be used

after the next startup, uninstall patches to deactivate the patches that do not meet system

requirements, or delete the unwanted patches to release the memory of the patch area on the

MPU.

9.4.1 Establishing the Configuration Task

To rectify system vulnerabilities or defects, you can install patches in the system. Installing

 patches allows the system to be upgraded without interrupting services.

Applicable Environment

During patch installation, the patch is installed onto the MPU and all LPUs.

You can use either of the following methods to install patches:

l Installing a patch file immediately: The patch file takes effect after a command is used to

run the patch file, without having to restart the device. For details, see Installing a

Patch.

l Specifying a patch file to be used at the next startup: The patch file takes effect after the

device is restarted.

Pre-configuration Tasks

Before managing patches, complete the following tasks:

l Making sure that the router is working properly

l Storing patches in the storage medium on the router 

Data Preparation

To manage patches, you need the following data.

No. Data

1 Patch file

 

9.4.2 Installing a Patch

You can load and run a patch in the user view. This allows the device performance to be

optimized.

Context

Only one patch file can be run in the system at a time. Therefore, run the display patch-information command before patch installation to check information about all patches, including the


running patches. If the command output shows that there is a running patch file in the system,

delete the running patch file.

In addition, perform the following operations before patch installation:

l Upload a patch file to the master MPU. For details, see the contents of uploading and

downloading files in Performing File Operations by Using FTP Commands.

Procedure

Step 1 Enter the user view.

Step 2 Run:

patch load patchname all run

The patch is activated.

NOTE

l The patch load  patchname all run command can activate only one patch file each time.

l Each patch is developed incrementally based on the earlier version. If the incremental patch

patchB.pat is activated when the system is running the earlier version patchA.pat, patchB.pat takes

effect. To run patchA.pat again, run the patch delete all command to delete patches in the system,

and load and activate patchA.pat. Alternatively, run the startup patch command to specify

patchA.pat as the next startup patch, and then restart the device to make patchA.pat effective.

----End

9.4.3 Specifying a Patch File to Be Used at the Next Startup

If you do not want the patch file that has been uploaded to the storage media to take effect, you

can specify a patch file to be used at the next startup. In this manner, the patch file will take

effect after the device is restarted.

Context

Before specifying a patch file to be used at the next startup, the following tasks must be

completed:

l Upload the specified patch file to the storage medium on the master MPU. For details, see

the contents of uploading and downloading files in Performing File Operations by Using

FTP Commands.

Procedure

Step 1 In the user view, run:

startup patch file-name

The patch file (*.pat) to be used at the next startup is specified for the master and slave MPUs.

----End

Follow-up Procedure

After the patch file to be used at the next startup has been specified, run the display startup command to view the value of the "Next startup patch package" field on the MPUs.


9.4.4 Uninstalling a Patch

If an installed patch does not meet system requirements, or more storage space of the patch area

is needed, you can uninstall the patch by running a command in the user view.

Context

Only one patch file can be run in the system during patch installation. Therefore, delete the

running patch file from the patch area before loading and running a new patch file.

Procedure

Step 1 Enter the user view.

Step 2 Run:

patch delete all

All patches in the system are deleted.

----End

Follow-up Procedure

After patch files have been deleted, run the following command to verify the configuration.

l Run the display patch-information command to check the patch status.

<Huawei> display patch-information

Info: No patch in the system

9.4.5 Checking the Configuration

After patch installation is complete, you can view patch information, such as the patch status.

Prerequisite

The configurations of patch installation are complete.

Procedure

l Run the display patch-information command to check information about all patches.

----End

Example

After a patch has been installed, run the display patch-information command. You can view

the patch status on each board.

<Huawei> display patch-information

Patch version : ARV200R001C00SPH100

Patch packet name: flash:/patch_lic2.pat

9.5 Monitoring CPU and Memory Usage

Configuring CPU and memory usage thresholds allows CPU and memory usage to be monitored and system performance to be known in time.


9.5.1 Establishing the Configuration Task

Before setting CPU and memory usage thresholds, familiarize yourself with the applicable

environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

The CPU and memory are a key part of a device. A lot of routing information or fast route

algorithms in the system will consume a large number of CPU resources, affecting system

 performance. As a result, the device is unable to process data in time, a lot of packets may be

lost, or the system may break down. All these will bring an incalculable loss to customers.

If alarms of high CPU and memory usage can be generated during data processing on the

router, the CPU and memory usage can be effectively monitored, and the system performance

can be optimized. This also allows the system to work properly.

Pre-configuration Tasks

Before setting CPU and memory usage thresholds, complete the following task:

l Making sure that the router is working properly

Data Preparation

To set CPU and memory usage thresholds, you need the following data.

No. Data

1 CPU usage thresholds, including an alarm threshold and a clear alarm threshold

2 Memory usage threshold

 

9.5.2 Setting CPU Usage Thresholds

Setting CPU usage thresholds allows CPU usage to be monitored.

Context

Two CPU usage thresholds are set:

l Alarm threshold: indicates that the system generates an alarm when the CPU usage reaches

the alarm threshold.

l Clear alarm threshold: indicates that the alarm is cleared when the CPU usage falls below

the clear alarm threshold.

Procedure

Step 1 Run:

system-view


The system view is displayed.

Step 2 Run:

set cpu-usage threshold  threshold-value [ restore restore-threshold-value ] [ slot slot-id ]

An alarm threshold and a clear alarm threshold are set for the CPU usage on an MPU or an LPU

in a specified slot.

NOTE

By default, the alarm threshold of CPU usage is 80%, and the clear alarm threshold of CPU usage is 75%.

----End
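The two CPU usage thresholds form a hysteresis band. The following Python code is an added example, not part of the Huawei guide: it models the rule stated in the Context above (alarm when usage reaches the alarm threshold, clear when usage falls below the clear alarm threshold) on constructed samples, and shows how many more alarm transitions a single threshold produces on the same data. The function name, the sample series, and the requirement that the clear threshold not exceed the alarm threshold are assumptions of this example.

```python
"""Model of the alarm / clear-alarm CPU thresholds (added example)."""

# Constructed CPU usage samples in percent, one per polling interval.
SAMPLES = [60, 78, 81, 79, 82, 77, 80, 76, 74, 79, 83, 70]


def cpu_alarm_events(samples, threshold=80, restore=75):
    """Return [(index, usage, "ALARM" | "CLEAR"), ...] for a usage series.

    threshold and restore mirror the threshold-value and
    restore-threshold-value parameters of `set cpu-usage threshold`;
    the defaults are the 80% and 75% stated in the NOTE above.
    """
    # Assumption of this example: the clear threshold may not be higher
    # than the alarm threshold, otherwise an alarm could never clear cleanly.
    if not 0 < restore <= threshold <= 100:
        raise ValueError("need 0 < restore <= threshold <= 100")

    events = []
    alarm_active = False
    for index, usage in enumerate(samples):
        if not alarm_active and usage >= threshold:
            # Usage reaches the alarm threshold: raise the alarm once.
            alarm_active = True
            events.append((index, usage, "ALARM"))
        elif alarm_active and usage < restore:
            # Usage falls below the clear alarm threshold: clear it.
            alarm_active = False
            events.append((index, usage, "CLEAR"))
        # Between restore and threshold nothing changes; this band is
        # what keeps a load hovering around 80% from toggling the alarm.
    return events


if __name__ == "__main__":
    with_band = cpu_alarm_events(SAMPLES)               # 80 / 75
    without_band = cpu_alarm_events(SAMPLES, 80, 80)    # single threshold
    for index, usage, event in with_band:
        print(f"sample {index:2d}: {usage:3d}%  {event}")
    print(f"transitions with 80/75: {len(with_band)}, "
          f"with 80/80: {len(without_band)}")
```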

9.5.3 Setting a Memory Usage Threshold

Setting a memory usage threshold allows memory usage to be monitored.

Context

Alarm threshold of memory usage: indicates that the system generates an alarm when the

memory usage reaches the alarm threshold.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

set memory-usage threshold threshold-value

An alarm threshold is set for memory usage.

Default settings are as follows:

l If the memory of an LPU is smaller than 128 MB, the alarm threshold of memory usage is

80%.

l If the memory of an LPU ranges from 128 MB to 256 MB, the alarm threshold of memory

usage is 85%.

l If the memory of an LPU ranges from 256 MB to 512 MB, the alarm threshold of memory

usage is 90%.

l If the memory of an LPU is larger than 512 MB, the alarm threshold of memory usage is

95%.

----End

9.5.4 Checking the Configuration

After CPU and memory usage thresholds are set, you can view information about the CPU usage

and memory usage.

Prerequisite

The configurations of CPU and memory usage are complete.


Procedure

l Run the display cpu-usage command to check CPU usage.

l Run the display cpu-usage [ configuration ] [ slot  slot-id ] command to check CPU usage.

l Run the display memory-usage threshold command to check memory usage.

----End

9.6 Restarting the Device

After the system software of the router is upgraded, the router must be restarted to make the

configuration take effect. To prevent the system from breaking down due to a large number of 

temporary files, the router also must be restarted.

9.6.1 Establishing the Configuration Task

Before restarting the router, familiarize yourself with the applicable environment, complete the

 pre-configuration tasks, and obtain the data required for the configuration. This will help you

complete the configuration task quickly and accurately.

Applicable Environment

After the system software of the router is upgraded, the router must be restarted to make the

configuration take effect. To prevent the system from breaking down due to a large number of 

temporary files, the router also must be restarted.

The AR1200-S provides two methods of restarting the router:

l Immediate restart

l Scheduled restart

Pre-configuration Tasks

Before restarting the router, complete the following tasks:

l Making sure that the router is working properly

l Making sure that the local and remote connections are working properly

Data Preparation

To restart the router, you need the following data.

No. Data

1 Time to restart the router  

2 Wait time before restarting the router 

 


9.6.2 Restarting the Device Immediately

Before restarting the router, you must choose whether to save the current configuration file of 

the router.

Context

CAUTION

Running the reboot command is not recommended, because this will interrupt network services

in a short period. Before restarting the router, choose whether to save the configuration file of 

the router.

Procedure

l Run:

reboot [ fast ]

The router is restarted immediately.

----End

9.6.3 Configuring the Device to Restart as Scheduled

You can configure the router to restart as scheduled by setting the restart time or the wait time before the restart.

Context

Do as follows on the router that needs to restart as scheduled:

Procedure

Step 1 Run:

schedule reboot at exact-time

The router is configured to restart as scheduled, and the restart time is set.

Step 2 Run:

schedule reboot delay interval

The router is configured to restart as scheduled, and the wait time before the restart is set.

You can choose either Step 1 or Step 2 to configure the router to restart as scheduled. If you

need to perform other operations before the device restart, perform Step 2 to set the wait time

 before the restart.

By default, the function of configuring a device to restart as scheduled is disabled.

----End


9.6.4 Checking the Configuration

After the router has been configured to restart as scheduled, you can view parameters set for the

scheduled restart.

Prerequisite

The configurations of restarting the router as scheduled are complete.

Procedure

• Run the display schedule reboot command to check the parameters set for the scheduled restart of the router.

----End

Example

# View the configuration of the router restart, with the restart time at 00:00.

<Huawei> display schedule reboot
Info:System will reboot at 00:00:00 2009/07/01 (in 12 hours and 33 minutes).

# View the configuration of the router restart, with the wait time of 12 hours before the restart.

<Huawei> display schedule reboot
Info:System will reboot at 23:27:14 2009/06/30 (in 11 hours and 59 minutes).

9.7 Configuration Examples

This section provides configuration examples for upgrade and maintenance, including networking requirements, precautions, and configuration roadmap. The configuration flowchart will help you understand the configuration procedures.

9.7.1 Example for Upgrading System Software

This section provides detailed procedures for upgrading system software. This will help you to

complete the upgrade task quickly and accurately.

Networking Requirements

The current system software needs to be upgraded if it cannot provide additional features or 

larger specifications required by customers.

As shown in Figure 9-2, the system software of the cannot meet customer's requirements and

needs to be upgraded. Huawei has provided related upgrade files for the customer to perform

software upgrade on the.

Figure 9-2 Networking diagram for upgrading system software

[Figure not reproduced. Labels in the diagram: MPLS Core, PE, FTP Server, PC, 10.1.1.2/24, GE2/0/0, 10.1.1.1/24]


 

Precautions

• The key data in the storage medium on the device must be backed up to the PC.

• The remaining space of the storage media must be checked to make sure that there is enough space to store new system software.

Configuration Roadmap

The configuration roadmap is as follows:

1. Specify FTP as the mode of uploading the system software, the device as the FTP server, user1 as the user name, and huawei as the user password.

2. Specify the system software and configuration file to be used at the next startup.

3. Save the configuration file and restart the device.

4. Verify the configuration.

Data Preparation

To complete the configuration, you need the following data:

• System software version before the upgrade, which is V200R001C00_ch.cc in this example

• New system software version, which is V200R001C00_ch.cc in this example

• Backup startup software version, which is V200R001C00_backup.cc

• Size of the remaining space of the storage media

Procedure

Step 1 Upload the new system software.

# Configure the device as an FTP server.

<Huawei> system-view
[Huawei] sysname HuaWei
[HuaWei] ftp server enable
Info: Succeeded in starting the FTP server.
[HuaWei] aaa
[HuaWei-aaa] local-user user1 password simple huawei
info: A new user added
[HuaWei-aaa] local-user user1 service-type ftp
[HuaWei-aaa] local-user user1 ftp-directory flash:/
[HuaWei-aaa] quit
[HuaWei] quit

After the preceding configurations are complete, run the display local-user command to check information about the user.

<HuaWei> display local-user
----------------------------------------------------------------------------
User-name    State    AuthMask    AdminLevel
----------------------------------------------------------------------------
user1        A        H           -
user2        A        A           -
----------------------------------------------------------------------------
Total 2 user(s)

# On the PC, specify the binary format as the file transfer mode, and c:\temp as the working directory.


NOTE

The Windows XP operating system is used as an example.

Store the uploaded file in the specified directory (C:\temp in this example). Choose Start > Run and enter cmd. Then, press Enter. Enter FTP 10.1.1.1. At the prompt of "user", enter the user name. At the prompt of "password", enter the password. The following configurations are displayed:

C:\Documents and Settings\Administrator> ftp 10.1.1.1
Connect to 10.1.1.1.
220 FTP server ready.
User <10.1.1.1:<none>>:user1
331 Please specify the password.
Password:
230 User logged in.

Specify a directory and a file transfer mode on the FTP client to store the uploaded file.

ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now c:\temp.

# On the PC, upload the new system software (*.cc) to the device.

ftp> put V200R001C00_ch.cc
200 Port command okay.
226 Transfer complete.

Step 2 Specify the system software and configuration file to be used at the next startup.

# Specify the system software to be used at the next startup.

<HuaWei> startup system-software flash:/V200R001C00_ch.cc
This operation will take several minutes, please wait..........
Info: Succeeded in setting the file for booting system

# Specify the configuration file to be used at the next startup.

<HuaWei> startup saved-configuration aa.cfg
This operation will take several minutes, please wait...
Info: Succeeded in setting the file for booting system

# View the system software and configuration file to be used at the next startup, and check that

the system software is the specified one.

<HuaWei> display startup
MainBoard :
  Startup system software : flash:/V200R001C00_ch.cc
  Next startup system software : flash:/ V200R001C00_ch.cc
  Backup system software for next startup: null
  Startup saved-configuration file: flash:/iascfg.zip
  Next startup saved-configuration file : flash:/aa.cfg
  Startup license file: null
  Next startup license file: null
  Startup patch package: null
  Next startup patch package: null
  Startup voice-files: null
  Next startup voice-files: null

Step 3 Specify the backup startup software.

# After a backup startup software package is configured, the system can restart properly if a fault

occurs.

<HuaWei> startup system-software V200R001C00_backup.cc backup
This operation will take several minutes, please wait...
Info: Succeeded in setting the backup file for booting system


Step 4 Save the configuration file and restart the device.

# Save the configuration file.

<HuaWei> save
The current configuration will be written to the device.
Are you sure to continue? [Y/N]:y
It will take several minutes to save configuration file, please wait...
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated

# Restart the device.

<HuaWei> reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:y
It will take several minutes to save configuration file, please wait........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

Step 5 Verify the configuration.

After the device has been restarted, run the display version command. If the current system software is the new version, the system software upgrade is successful.

<Huawei> system-view
[Huawei] sysname HuaWei
[HuaWei] display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.90 (AR1220-S V200R001C00)
Copyright (C) 2000-2010 Huawei Technologies Co., LTD
Huawei AR1220-S Router uptime is 0 week, 0 day, 3 hours, 59 minutes
BKP 0 version information:
1. PCB Version : AR01BAK1A VER.C
2. If Supporting PoE : Yes
3. Board Type : AR1220-S
4. MPU Slot Quantity : 1
5. LPU Slot Quantity : 2

MPU 0(Master) : uptime is 0 week, 0 day, 3 hours, 59 minutes
SDRAM Memory Size : 512 M bytes
Flash Memory Size : 256 M bytes
NVRAM Memory Size : 512 K bytes
MPU version information :
1. PCB Version : AR01SRU1A VER.A
2. MAB Version : 0
3. Board Type : AR1220-S
4. CPLD1 Version : 100
5. BootROM Version : -

LPU 1 : uptime is 0 week, 0 day, 3 hours, 53 minutes
SDRAM Memory Size : 256 M bytes
Flash Memory Size : 64 M bytes
LPU version information :
1. PCB Version : AR01SDCE2A VER.A
2. MAB Version : 0
3. Board Type : 2T1-M
4. CPLD1 Version : 0
5. CPLD2 Version : 0
6. BootROM Version : 906

LPU 2 : uptime is 0 week, 0 day, 3 hours, 53 minutes
SDRAM Memory Size : 256 M bytes
Flash Memory Size : 64 M bytes
LPU version information :
1. PCB Version : AR01SDSA2A VER.A


2. MAB Version : 0
3. Board Type : 1SA
4. CPLD1 Version : 0
5. CPLD2 Version : 0
6. BootROM Version : 906

----End
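The following Python script is an added example, not part of the Huawei guide. It parses display startup output in the layout shown in Step 2 and lists the reasons a reboot should be held: the next-startup image or configuration file is not the intended one, or no backup system software is set (the state before Step 3). The sample output is constructed from this example's values, and the function names are hypothetical.

```python
import re

# Constructed sample: display startup output in the layout this example shows,
# captured before Step 3, so no backup image has been set yet.
SAMPLE = """\
MainBoard :
  Startup system software                  : flash:/V200R001C00_ch.cc
  Next startup system software             : flash:/V200R001C00_ch.cc
  Backup system software for next startup  : null
  Startup saved-configuration file         : flash:/iascfg.zip
  Next startup saved-configuration file    : flash:/aa.cfg
  Startup patch package                    : null
  Next startup patch package               : null
"""

def parse_startup(text):
    """Return {field name: value} for every 'name : value' line."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon that is followed by whitespace, so the
        # colon inside 'flash:/...' stays part of the value.
        m = re.match(r"\s*(.+?)\s*:\s+(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def basename(value):
    """Drop the storage prefix ('flash:/') and stray spaces from a file value."""
    return value.replace(" ", "").rsplit("/", 1)[-1]

def pre_reboot_findings(text, want_image, want_config):
    """List the reasons the device should not be rebooted yet (empty = ready)."""
    f = parse_startup(text)
    findings = []
    if basename(f.get("Next startup system software", "")) != want_image:
        findings.append("next startup image is not " + want_image)
    if basename(f.get("Next startup saved-configuration file", "")) != want_config:
        findings.append("next startup configuration is not " + want_config)
    if f.get("Backup system software for next startup", "null").lower() == "null":
        findings.append("no backup system software set")
    return findings

if __name__ == "__main__":
    for finding in pre_reboot_findings(SAMPLE, "V200R001C00_ch.cc", "aa.cfg"):
        print("HOLD:", finding)
```

An empty list means all three checks passed; run it on the output captured after Step 3 and before the reboot in Step 4.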

9.7.2 Example for Installing a Patch File

This section provides an example for installing a patch without interrupting services.

Networking Requirements

The device performance needs to be optimized without affecting the use of the current version

on the device.

As shown in Figure 9-3, the performance of the device needs to be optimized. Huawei has

 provided a patch file for the customer to install.

Figure 9-3 Networking diagram for installing a patch file

[Figure not reproduced. Labels in the diagram: MPLS Core, PE, FTP Server, PC, 10.1.1.2/24, GE2/0/0, 10.1.1.1/24]

 

Configuration Roadmap

The configuration roadmap is as follows:

1. Upload the patch file to the storage medium on the MPU.

2. Load and run the patch file.

3. Verify the configuration.

Data Preparation

To complete the configuration, you need the following data:

• Patch file name, which is SPH-1.1.952.pat in this example

• Patch file storage path on the master MPU, which is flash in this example

Procedure

Step 1 Upload the patch file mapping the current system software.

# Upload the patch file mapping the current system software to the device from the PC.

ftp> put SPH-1.1.952.pat
200 Port command okay.
226 Transfer complete.

Step 2 Load and run the patch.


<HuaWei> patch load SPH-1.1.952.pat all run
Patch operation succeeded

Step 3 Verify the configuration.

After the configuration is complete, run the display patch-information command to view

information about the running patch.

<HuaWei> display patch-information
Patch version : ARV200R001C00SPH100
Patch packet name: flash:/SPH-1.1.952.pat

----End
