Configuration Guide - Basic Configuration (V200R002C00 - 02)

Huawei AR150&200 Series Enterprise Routers
V200R002C00
Configuration Guide - Basic

Configuration
Issue
02
Date
2012-03-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue 02 (2012-03-30)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.

Configuration Guide - Basic Configuration
About This Document
About This Document

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the Basic configuration supported by the
AR150/200 device.
This document describes how to configure the Basic configuration.
This document is intended for:
l
Data configuration engineers
Commissioning engineers
Network monitoring engineers
System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
Issue 02 (2012-03-30)
Indicates a hazard with a high level of risk, which if not

avoided, will result in death or serious injury.
Indicates a hazard with a medium or low level of risk, which
if not avoided, could result in minor or moderate injury.
Indicates a potentially hazardous situation, which if not
avoided, could result in equipment damage, data loss,
performance degradation, or unexpected results.
TIP
Indicates a tip that may help you solve a problem or save

time.
NOTE
Provides additional information to emphasize or supplement

important points of the main text.

ii

About This Document
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
The keywords of a command line are in boldface.
Italic
Command arguments are in italics.
[]
Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }
Optional items are grouped in braces and separated by vertical

bars. One item is selected.
[ x | y | ... ]
Optional items are grouped in brackets and separated by vertical

bars. One item is selected or no item is selected.
{ x | y | ... }*
Optional items are grouped in braces and separated by vertical

bars. A minimum of one item or a maximum of all items can be
selected.
[ x | y | ... ]*
Optional items are grouped in brackets and separated by vertical

bars. Several items or no item can be selected.
&<1-n>
The parameter before the & sign can be repeated 1 to n times.
A line starting with the # sign is comments.
Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Changes in Issue 02 (2012-03-30)

Based on issue 01 (2011-12-30), the document is updated as follows:
The following information is modified:
l
1.2.3 Logging In to the Device
Changes in Issue 01 (2011-12-30)

Initial commercial release.
Issue 02 (2012-03-30)

iii

Contents
Contents
About This Document.....................................................................................................................ii
1 Logging In to the System for the First Time............................................................................1
1.1 Introduction........................................................................................................................................................2
1.2 Logging In to the Device Through the Console Port..........................................................................................2
1.2.1 Establishing the Configuration Task.........................................................................................................2
1.2.2 Establishing the Physical Connection........................................................................................................3
1.2.3 Logging In to the Device...........................................................................................................................3
1.3 Logging In to a Router Through Telnet..............................................................................................................5
1.3.1 Establishing the Configuration Task.........................................................................................................5
1.3.2 Establishing a Physical Connection...........................................................................................................5
1.3.3 Logging In to the Router...........................................................................................................................6
2 CLI Overview.................................................................................................................................7
2.1 CLI Introduction.................................................................................................................................................8
2.1.1 Command Line Interface...........................................................................................................................8
2.1.2 Command Levels.......................................................................................................................................8
2.1.3 Command Line Views.............................................................................................................................11
2.2 Online Help.......................................................................................................................................................12
2.2.1 Full Help..................................................................................................................................................12
2.2.2 Partial Help..............................................................................................................................................13
2.2.3 Error Messages of the Command Line Interface.....................................................................................13
2.3 CLI Features.....................................................................................................................................................14
2.3.1 Editing.....................................................................................................................................................14
2.3.2 Displaying................................................................................................................................................15
2.3.3 Regular Expressions................................................................................................................................15
2.3.4 Previously-Used Commands...................................................................................................................18
2.4 Shortcut Keys...................................................................................................................................................19
2.4.1 Classifying Shortcut Keys.......................................................................................................................19
2.4.2 Defining Shortcut Keys...........................................................................................................................20
2.4.3 Use of Shortcut Keys...............................................................................................................................21
2.5 Configuration Examples...................................................................................................................................21
2.5.1 Example for Using Tab............................................................................................................................21
2.5.2 Example for Using Shortcut Keys...........................................................................................................23
Issue 02 (2012-03-30)

iv

Contents
3 Basic Configuration.....................................................................................................................24
3.1 Configuring the Basic System Environment....................................................................................................25
3.1.1 Establishing the Configuration Task.......................................................................................................25
3.1.2 Configuring the Equipment Name...........................................................................................................25
3.1.3 Setting the System Clock.........................................................................................................................26
3.1.4 Configuring a Header..............................................................................................................................32
3.1.5 Configuring Command Levels................................................................................................................33
3.1.6 Configuring the undo Command to Automatically Match the Higher-Level View................................33
3.1.7 (Optional) Setting Factory Configurations..............................................................................................34
3.2 Displaying System Status Messages.................................................................................................................35
3.2.1 Displaying System Configuration...........................................................................................................35
3.2.2 Displaying System Status........................................................................................................................35
3.2.3 Collecting System Diagnostic Information.............................................................................................36
3.2.4 Displaying Factory Configuration Information.......................................................................................36
4 Configuring User Interfaces......................................................................................................37

4.1 User Interface Overview...................................................................................................................................38
4.2 Configuring the Console User Interface...........................................................................................................39
4.2.2 Setting Physical Attributes of the Console User Interface......................................................................40
4.2.3 Setting Terminal Attributes of the Console User Interface.....................................................................41
4.2.4 Configuring User Privilege of the Console User Interface......................................................................42
4.2.5 Configuring the User Authentication Mode of the Console User Interface............................................43
4.2.6 Checking the Configuration.....................................................................................................................45
4.3 Configuring the VTY User Interface................................................................................................................46
4.3.2 Configuring the Maximum Number of VTY User Interfaces.................................................................47
4.3.3 (Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces...................47
4.3.4 Setting Terminal Attributes of the VTY User Interface..........................................................................48
4.3.5 Setting User Priority of the VTY User Interface.....................................................................................49
4.3.6 Setting the User Authentication Mode of the VTY User Interface.........................................................50
4.4.1 Example for Configuring Console User Interface...................................................................................53
4.4.2 Example for Configuring a VTY User Interface.....................................................................................55
5 Configuring User Login.............................................................................................................57

5.1 Overview of User Login...................................................................................................................................58
5.2 Logging in to the Devices Through the Console Port......................................................................................60
5.2.2 Logging In to the Device Using a Console Port......................................................................................61
5.2.3 (Optional) Configuring the Console User Interface................................................................................63
5.3 Logging in to Devices Using Telnet.................................................................................................................65
Issue 02 (2012-03-30)


Contents

5.3.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface...........66
5.3.3 Enabling the Telnet Service.....................................................................................................................69
5.3.4 Logging in to the Device Using Telnet...................................................................................................69
5.4 Logging in to Devices Using STelnet...............................................................................................................71
5.4.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface...........72
5.4.3 Configuring SSH for the VTY User Interface.........................................................................................75
5.4.4 Configuring an SSH User and Specifying STelnet as One of Service Types.........................................76
5.4.5 Enabling the STelnet Server Function.....................................................................................................78
5.4.6 Logging in to the Device Using STelnet.................................................................................................78
5.4.7 (Optional) Configuring the STelnet Server Parameters...........................................................................79
5.5 Common Operations After Login.....................................................................................................................82
5.5.2 Switching User Levels.............................................................................................................................82
5.5.3 Locking User Interfaces...........................................................................................................................83
5.5.4 Sending Messages to Other User Interfaces............................................................................................84
5.5.5 Displaying Login Users...........................................................................................................................84
5.6.1 Example for Configuring User Login Using a Console Port...................................................................85
5.6.2 Example for Logging In by Telnet..........................................................................................................87
5.6.3 Example for Configuring User Login by Using STelnet.........................................................................89
6 Managing the File System.........................................................................................................92

6.1 File System Overview......................................................................................................................................93
6.1.1 File System..............................................................................................................................................93
6.1.2 Methods of File Management..................................................................................................................93
6.2 Managing Files Using the File System.............................................................................................................94
6.2.2 Managing Storage Devices......................................................................................................................95
6.2.3 Managing Directories..............................................................................................................................96
6.2.4 Managing Files........................................................................................................................................96
6.3 Managing Files Using FTP...............................................................................................................................99
6.3.2 Configuring a Local FTP User................................................................................................................99
6.3.3 (Optional) Specifying a Port Number for the FTP Server.....................................................................100
6.3.4 Enabling the FTP Server........................................................................................................................101
6.3.5 (Optional) Configuring the FTP Server Parameters..............................................................................101
6.3.6 (Optional) Configuring an FTP ACL....................................................................................................102
6.3.7 Accessing the System by Using FTP.....................................................................................................103
6.3.8 Managing Files Using FTP Commands.................................................................................................104
Issue 02 (2012-03-30)

vi

Contents
6.3.9 Checking the Configuration...................................................................................................................106

6.4 Managing Files Using SFTP...........................................................................................................................106
6.4.1 Establishing the Configuration Task.....................................................................................................107
6.4.2 Configuring VTY User Interface...........................................................................................................107
6.4.3 Configuring SSH for the VTY User Interface.......................................................................................108
6.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types...........................................108
6.4.5 Enabling the SFTP Service....................................................................................................................111
6.4.6 Accessing the System Using SFTP.......................................................................................................111
6.4.7 Managing Files Using SFTP..................................................................................................................113
6.5 Configuration Examples.................................................................................................................................115
6.5.1 Example for Managing Files Using the File System.............................................................................115
6.5.2 Example for Performing File Operations by Means of FTP.................................................................116
6.5.3 Example for Performing File Operations by Means of SFTP...............................................................119
7 Configuring System Startup....................................................................................................122

7.1 System Startup Overview...............................................................................................................................123
7.1.1 System Software....................................................................................................................................123
7.1.2 Configuration Files and Current Configurations...................................................................................123
7.2 Managing Configuration Files........................................................................................................................123
7.2.2 Saving Configuration Files....................................................................................................................124
7.2.3 Clearing a Configuration File................................................................................................................125
7.2.4 Comparing Configuration Files.............................................................................................................126
7.3 Specifying a File for System Startup..............................................................................................................127
7.3.2 Configuring System Software for a router to Load for the Next Startup..............................................128
7.3.3 Configuring the Configuration File for Router to Load at the Next Startup.........................................128
7.4.1 Example for Configuring System Startup.............................................................................................129
8 Accessing Another Device.......................................................................................................132

8.1 Accessing Another Device.............................................................................................................................133
8.1.1 Telnet Method........................................................................................................................................133
8.1.2 FTP Method...........................................................................................................................................134
8.1.3 TFTP Method........................................................................................................................................135
8.1.4 SSH Method..........................................................................................................................................135
8.2 Logging in to Other Devices Using Telnet.....................................................................................................136
8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client..........................................................137
8.2.3 Logging in to Another Device by Using Telnet....................................................................................138
Issue 02 (2012-03-30)

vii

Contents
8.3 Logging in to Another Device Using STelnet................................................................................................139

8.3.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on
the SSH Client)...............................................................................................................................................140
8.3.3 Configuring the First Successful Login to Another Device (Allocating an Public Key to the SSH Server)
........................................................................................................................................................................141
8.3.4 Logging in to Another Device by Using STelnet..................................................................................142
8.4 Accessing Files on Another Device Using TFTP...........................................................................................143
8.4.2 (Optional) Configuring a Source IP Address for a TFTP Client...........................................................144
8.4.3 (Optional) Configuring TFTP Access Authority...................................................................................144
8.4.4 Downloading Files Using TFTP............................................................................................................145
8.4.5 Uploading Files Using TFTP.................................................................................................................146
8.5 Accessing Files on Another Device Using FTP.............................................................................................147
8.5.2 (Optional) Configuring the Source IP Address and Interface of the FTP Client...................................147
8.5.3 Connecting to Other Devices by Using FTP Commands......................................................................148
8.5.4 Managing Files Using FTP Commands.................................................................................................149
8.5.5 Changing Login Users...........................................................................................................................151
8.5.6 Disconnecting from the FTP Server......................................................................................................152
8.6 Accessing Files on Another Device Using SFTP...........................................................................................153
8.6.2 (Optional) Configuring a Source IP Address for an SFTP Client.........................................................154
8.6.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on
the SSH Client)...............................................................................................................................................154
8.6.4 Configuring the First Successful Login to Another Device (Allocating an Public Key to the SSH Server)
........................................................................................................................................................................155
8.6.5 Connecting to Other Devices by Using SFTP.......................................................................................156
8.6.6 Managing Files Using SFTP Commands..............................................................................................157
8.7.1 Example for Configuring Telnet Services.............................................................................................159
8.7.2 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server..................161
8.7.3 Example for Configuring TFTP............................................................................................................165
8.7.4 Example for Connecting the SFTP Client to the SSH Server...............................................................168
8.7.5 Example for Authenticating SSH Through RADIUS............................................................................172
9 Upgrade and Maintenance.......................................................................................................178

9.1 Upgrade and Maintenance Overview.............................................................................................................179
9.1.1 License Authorization............................................................................................................................179
9.1.2 Software Upgrade..................................................................................................................................179
Issue 02 (2012-03-30)

viii

Contents
9.1.3 Patch Management................................................................................................................................179

9.1.4 CPU and Memory Usage Thresholds....................................................................................................180
9.1.5 Device Restart........................................................................................................................................180
9.2 Activating a GTL License File.......................................................................................................................180
9.2.2 Uploading a GTL License File..............................................................................................................182
9.2.3 Activating the GTL License File...........................................................................................................182
9.2.4 (Optional) Enabling the Emergency State of the GTL License Module...............................................183
9.3 Upgrading System Software...........................................................................................................................184
9.3.2 Checking the System Before the Upgrade.............................................................................................185
9.3.3 Downloading a System File...................................................................................................................186
9.3.4 Specifying the System Software to Be Used at the Next Startup..........................................................192
9.3.5 Configuring a Backup Startup File........................................................................................................193
9.3.6 (Optional) Upgrading the BootROM of the LPU..................................................................................193
9.3.7 Restarting a Device................................................................................................................................194
9.4 Managing Patches...........................................................................................................................................195
9.4.2 Installing a Patch...................................................................................................................................196
9.4.3 Specifying a Patch File to Be Used at the Next Startup........................................................................197
9.4.4 Uninstalling a Patch...............................................................................................................................197
9.5 Monitoring CPU and Memory Usage.............................................................................................................198
9.5.2 Setting CPU Usage Thresholds.............................................................................................................199
9.5.3 Setting a Memory Usage Threshold......................................................................................................199
9.6 Restarting the Device......................................................................................................................................202
9.6.2 Restarting the Device Immediately.......................................................................................................203
9.6.3 Configuring the Device to Restart as Scheduled...................................................................................203
9.7.1 Example for Upgrading System Software.............................................................................................204
9.7.2 Example for Installing a Patch File.......................................................................................................208
Issue 02 (2012-03-30)

ix

1 Logging In to the System for the First Time
Logging In to the System for the First Time
About This Chapter

You can log in to a new router through the console port, or connect to a LAN port of the
router and use Telnet to configure the router.
1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port or Telnet.
1.2 Logging In to the Device Through the Console Port
This section describes how to establish the configuration environment by using the console port
to connect a terminal to a router.
1.3 Logging In to a Router Through Telnet
To configure the network environment, use Telnet to log in to the router from a terminal.
Issue 02 (2012-03-30)


1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port or Telnet.
A main control board provides a console port and multiple LAN ports. To configure a device,
connect the user terminal serial port to the device console port or log in to the device through
Telnet after connecting the network port of the terminal to a LAN port of the device.
1.2 Logging In to the Device Through the Console Port

This section describes how to establish the configuration environment by using the console port
to connect a terminal to a router.
1.2.1 Establishing the Configuration Task

Before logging in to the router through the console port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
When the router is powered on for the first time, you could use the console port to log in to the
router to configure and manage the router.
Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
l
Installing terminal emulation program on the PC (for example, Windows XP

HyperTerminal)
Preparing the console cable
Data Preparation
To log in to the router through the console port, you need the following data.
No.
Data
Terminal communication parameters

l Baud rate
l Data bit
l Parity
l Stop bit
l Flow-control mode
Issue 02 (2012-03-30)


NOTE
The system automatically uses default parameter values for the first login.
1.2.2 Establishing the Physical Connection

You can use a cable to connect the console port of the router to the COM port of a terminal.
Procedure
Step 1 Power on all devices to perform a self-check.
Step 2 Use a cable to connect the console port of the router to the COM port of a PC.
----End
1.2.3 Logging In to the Device

To manage a router that is powered on for the first time, you can log in to it using the console
port.
Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used during the first login to the device.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-1.
Figure 1-1 Connection creation
Step 2 Set an interface, as shown in Figure 1-2.

Issue 02 (2012-03-30)


Figure 1-2 Interface settings
Step 3 Set communication parameters to match the router defaults, as shown in Figure 1-3.
Figure 1-3 Communication parameter settings
Issue 02 (2012-03-30)


Step 4 Press Enter. At the command-line prompt such as <Huawei>, enter a command to configure
the router or enter a question mark (?) if you need help.
NOTE
When you connect to the console port of a AR150/200 that does not have a startup configuration file, the
system displays "Auto-Config is working. Before configuring the device, stop Auto-Config. If you perform
configurations when Auto-Config is running, the DHCP, routing, DNS, and VTY configurations will be
lost. Do you want to stop Auto-Config? [y/n]:"
l To continue Auto-Config, enter n and press Enter.
l To stop Auto-Config, choose y and press Enter.
CAUTION
If you choose n but still perform configurations through the console port, the DHCP, routing, DNS,
and VTY configurations that you have performed will be lost.
----End
1.3 Logging In to a Router Through Telnet

To configure the network environment, use Telnet to log in to the router from a terminal.

Before configuring a router through Telnet, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
To configure and manage a router that is powered on for the first time, log in to the router through
Telnet.
By default, the IP addresses of all LAN ports are 192.168.1.1, and the user name and password
are admin. You can log in to the router using Telnet by connecting the PC network adapter to
any LAN port of the router with the twisted pair.
Before configuring a router through Telnet, complete the following tasks:
l
Obtaining the twisted pair that is used to connect to a LAN port of the router
Data Preparation
None.
1.3.2 Establishing a Physical Connection

To establish a physical connection between a PC and a router, use a twisted pair to connect the
network port of the PC to a LAN port of the device.
Issue 02 (2012-03-30)


Procedure
Step 1 Power on all the devices and ensure a successful self-check.
Step 2 Use the twisted pair to connect a LAN port of the router to the network port of a PC.
Step 3 Configure an IP address and subnet mask for the network port of the PC. The IP address must
be within the network segment 192.168.1.0/24 (recommended: 192.168.1.100), and the subnet
mask is 255.255.255.0.
Step 4 Check the physical connection. Ping 192.168.1.1 on the PC. If 192.168.1.1 can be pinged, the
physical connection has been established.
NOTE
l If the ping operation fails, check whether the PC IP address is correct ore replace the network cable.
----End
1.3.3 Logging In to the Router

To configure and manage the router that is powered on for the first time, log in to the router
through Telnet.
Context
After the physical connection is established successfully, log in to the router through Telnet.
Procedure
Step 1 Open the command-line window of Windows.
Step 2 Run the telnet 192.168.1.1 command to log in to the router.
telnet 192.168.1.1
Step 3 Enter the initial user name (admin) and password (admin). The command-line prompt of the
user view is displayed, for example, <HUAWEI>. Then, you enter the configuration
environment of the user view.
Username:admin
Password:
-----------------------------------------------------------------------------------User last login information:
-----------------------------------------------------------------------------------Access Type: Telnet
IP-Address : 192.168.1.100
Time
: 2011-09-07 17:27:17+00:00
-----------------------------------------------------------------------------------<HUAWEI>
----End
Issue 02 (2012-03-30)


2 CLI Overview
CLI Overview
About This Chapter

The command line interface (CLI) is used to configure and maintain devices.
2.1 CLI Introduction
After you log in to the router, a prompt is displayed and you can use the command line interface
(CLI). Users can interact with the router through the CLI.
2.2 Online Help
When inputting command lines or configuring services, you can use the online help to obtain
real-time help.
2.3 CLI Features
The CLI provides several features to help users flexibly use it.
2.4 Shortcut Keys
System or user-defined shortcut keys make it easier to enter commands.
2.5 Configuration Examples
This section provides several examples that illustrate the use of command lines.
Issue 02 (2012-03-30)


2 CLI Overview
2.1 CLI Introduction

After you log in to the router, a prompt is displayed and you can use the command line interface
(CLI). Users can interact with the router through the CLI.
2.1.1 Command Line Interface

You can use CLI commands to configure and manage the router.
The CLI provides users access to a number of features and capabilities:
l
Local configuration through the console port.
Local or remote configuration through Telnet or Secure Shell (SSH).
The telnet command for directly logging in to and managing other routers.
FTP service for file uploads and downloads.
A user interface view for specific configuration management.
Hierarchical command protection structure giving certain levels of users permission to run
certain levels of commands.
Three authentication modes are supported, namely, none-authentication, password

authentication, and Authentication, Authorization, and Accounting (AAA) authentication.
Password and AAA authentication protect system security by prohibiting unauthorized
users from logging in to the router.
Entering "?" for online help at any time.
Entering "?" for online help at any time.
A command line interpreter provides intelligent text entry methods such as key word fuzzy
match and context conjunction. These methods help users to enter commands easily and
correctly.
Network test commands such as tracert and ping for fast network diagnostics.
Abundant debugging information to with network diagnostics.
Running a command used previously on the device, like DosKey.

NOTE
l The system supports commands that contain a maximum of 512 characters. A command does not have
to be entered in full, as long as the part of the command entered is unique within the system. For
example, to use the display current-configuration command, entering d cu, di cu, or dis cu will run
the command. Entering d c or dis c will not run the command, because these entries are not unique to
the command.
l The system saves the complete form of incomplete commands to configuration files. Saved commands
may have more than 512 characters. When the system is restarted, incomplete commands cannot be
restored. Therefore, pay attention to the full length of incomplete commands before saving them.
2.1.2 Command Levels

The system structures access to command functions hierarchically to protect system security.
The system administrator sets user access levels that grant specific users access to specific
command levels.
Issue 02 (2012-03-30)


2 CLI Overview
By default, the command level of a user is a value ranging from 0 to 3, and the user access level
is a value ranging from 0 to 15. Table 2-1 lists the association between user access levels and
command levels.
Table 2-1 Association between user access levels and command levels
User
Level
Com
man
d
Level
Level
Name
Description
Visit
level
This level gives access to commands that run network diagnostic

tools (such as ping and tracert) and commands that start from a
local device, visit external devices (such as Telnet client side ),
and a part of display commands.
0 and
1
Monitor
ing
level
This level gives access to commands, like the display command,

that are used for system maintenance and fault diagnosis.
NOTE
Some display commands are not at this level. For example, the display
current-configuration and display saved-configuration commands
are at level 3. For details about command level, see Huawei AR150&200
Series Enterprise Routers Command Reference.
0, 1,
and 2
Configu
ration
level
This level gives access to commands that configure network

services provided directly to users, including routing and
network layer commands.
3-15
0, 1,
2, and
3
Manage
ment
level
This level gives access to commands that control basic system

operations and provide support for services. These commands
include file system commands, FTP commands, TFTP
commands, configuration file switching commands, power
supply control commands, backup board control commands,
user management commands, level setting commands, system
internal parameter setting commands, and debugging commands
for fault diagnosis.
NOTE
l The default command level may be higher than the command level defined according to the command
rules in application.
l The level of the command that a user can run is determined by the level of this user.
l Login users have 16 levels. The login users can use only the command of the levels that are equal to
or lower than their own levels. The user privilege level level command sets the user level.
Searching Commands Based on Command Levels

You can search for all commands at a specific level simultaneously. The procedure is as follows:
1.
Open the command reference (.chm.) file.
2.
Click the "Search" tab. The search window will be displayed as shown in Figure 2-1.
Issue 02 (2012-03-30)


2 CLI Overview
Figure 2-1 Entering the search window
3.
Issue 02 (2012-03-30)
Enter the command level you want in the "Type in the word(s) to search for" textbox and
click "List Topics". All commands of the specified level will be displayed as shown in
Figure 2-2.

10

2 CLI Overview
Figure 2-2 Searching commands based on a specific level
2.1.3 Command Line Views

The command line interface has different command views. Each command is registered to run
in one or more command views. You can run a command only after you enter an appropriate
command view.
The following example uses the user, system, and aaa views:
# Establish a connection to the router. If the router is using the default configurations, the
<Huawei> prompt indicates that you have entered the user view.
<Huawei>
# Run the system-view command to enter the system view.

<Huawei> system-view
[Huawei]
# Run the aaa command in the system view to enter the AAA view.
[Huawei] aaa
[Huawei-aaa]
Issue 02 (2012-03-30)

11

2 CLI Overview
NOTE
The command prompt "Huawei" is the default host name.
The prompt indicates a specific view. For example, "Huawei" indicates the user view, and
"[HUAWEI-ui-console0]" indicates the console user interface view.
Some commands can be used in more than one view, but their effects vary from view to view.
2.2 Online Help

When inputting command lines or configuring services, you can use the online help to obtain
real-time help.
2.2.1 Full Help

When inputting a command, you can use the full help function to obtain keywords or parameters
for the command.
Procedure
l
Use any of the following methods to obtain full help from a command line.
Enter a question mark (?) in any command line view to display command names and
their descriptions for all commands of that view.
<Huawei> ?
User view commands:
arp-ping
ping
autosave
group
backup
information
cd
directory
clock
clock
cls
...
...
ARP<Group> autosave command

Backup
Change current
Specify the system
Clear screen
Enter a command and a question mark (?) separated by a space. All keywords associated
with this command, as well as simple descriptions, are displayed. For example:
[Huawei] interface ?
Bridge-if
interface
Cellular
...
...
Bridge-if
Cellular interface
Bridge-if and Cellular are keywords; Bridge-if interface and Cellular interface
describe the keywords respectively.
Enter a command and a question mark (?) separated by a space. Parameter names for
this command, as well as parameter descriptions, are displayed. For example:
[Huawei] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout (in minutes)
[Huawei] ftp timeout 35 ?
<cr>
[Huawei] ftp timeout 35
In this command output, INTEGER<1-35791> describes the parameter value and The
value of FTP timeout, the default value is 30 minutes is a simple description of what
Issue 02 (2012-03-30)

12

2 CLI Overview
the parameter sets. A display of <cr> indicates that no parameters are associated with
this command. The command is repeated in the next command line. You can press
Enter to run the command.
----End
2.2.2 Partial Help

If you enter only the first or first several characters of a command, partial help provides keywords
that begin with this character or character string.
Procedure
l
Use any of the following methods to obtain partial help from a command line.
Enter a character string followed directly by a question mark (?) to display all commands
that begin with this character string.
<Huawei> d?
debugging
group
delete
file
dialer
Dialer
dir
filesystem
display
<Group> debugging command

Delete a
List files on a
Display information
Enter a command and a character string followed directly by a question mark (?) to
display all key words that begin with this character string.
<Huawei> display b?
bfd
Detection
Specify BFD(Bidirectional Forwarding

) configuration
information
bgp
information
bootp
bridge
BGP
Bootstrap Protocol
<Group> bridge command group
Enter the first several letters of a key word in the command and then press Tab to display
a complete key word. A complete keyword is displayed only if the partial string of letters
uniquely identifies a specific key word. If they do not identify a specific key work,
continuing to press Tab will display different key words. You can select the needed key
word.
----End
2.2.3 Error Messages of the Command Line Interface

If a command is entered and passes the syntax check, the system executes it. Otherwise, the
system reports an error message.
Table 2-2 lists common error messages.
Issue 02 (2012-03-30)

13

2 CLI Overview
Table 2-2 Common error messages of the command line

Error messages
Cause of the error
Error: Unrecognized command

found at '^' position.
The command cannot be found
Error: Wrong parameter found

at '^' position.
Parameter type error
Error:Incomplete command
Incomplete command entered
Error: Too many parameters

found at "^" position.
Too many parameters entered
Error:Ambiguous command
Ambiguous parameters entered
The key word cannot be found
Parameter value out of range
2.3 CLI Features

The CLI provides several features to help users flexibly use it.
2.3.1 Editing
The command line editing function allows you to edit command lines or obtain help by using
certain keys.
The command line of AR150/200 supports multi-line edition. The maximum length of each
command is 512 characters.
Keys for editing that are often used are shown in Table 2-3.
Table 2-3 Keys for editing
Issue 02 (2012-03-30)
Key
Function
Common key
Inserts a character at the current position of the cursor if the editing

buffer is not full. The cursor then moves to the right. If the buffer
is full, an alarm is generated.
Backspace
Moves the cursor to the left and deletes the character at that
position. When the cursor reaches the head of the command, an
alarm is generated.
Left cursor key or

Ctrl_B
Moves the cursor to the left a single space at a time. When the
cursor reaches the head of the command, an alarm is generated.
Right cursor key or

Ctrl_F
Moves the cursor to the right a single space at a time. When the
cursor reaches the end of the command, an alarm is generated.

14

2 CLI Overview
Key
Function
Tab
Press Tab after typing a partial key word and the system runs
partial help:
l If the matching key word is unique, the system replaces the
typed character string with a complete key word and displays
it in a new line with the cursor placed at the end of the word.
l If there are several matches or no match, the system displays
the prefix first. Then you can press Tab to view any matching
key words one at a time. The cursor directly follows the end of
the word. You can press the spacebar to enter the next word.
l If a non-existent or incorrect key word is entered, press Tab
and the word is displayed on a new line.
2.3.2 Displaying
Command lines have a feature to control how they are displayed. You can set the command line
display mode as required.
You can control the display of information on the CLI as follows:
l
If output information cannot be displayed on a full screen, you have three viewing options,
as shown in Table 2-4.
Table 2-4 Display keys

Key
Function
Ctrl_C
Stops the display and the running of a command.
Space
Allows information to be displayed on the next screen.
Enter
Allows information to be displayed on the next line.
2.3.3 Regular Expressions

A regular expression describes a set of strings. It consists of common characters (such as letters
from "a" to "z") and special characters (called metacharacters). The regular expression is a
template upon which you can base searches for required strings. Users can use regular
expressions to filter output to locate needed information quickly.
A regular expression provides the following functions:
l
Search for sub-strings that match a rule in the main string.
String substitution based on specific matching rules.
Formal Language Theory of the Regular Expression

A regular expression consists of common characters and special characters.
Issue 02 (2012-03-30)

15

2 CLI Overview
Common characters
Common characters, including all upper-case and lower-case letters, digits, punctuation
marks, and special symbols, match themselves in a string. For example, "a" matches the
letter "a" in "abc", "202" matches the digit "202" in "202.113.25.155", and "@" matches
the symbol "@" in "xxx@xxx.com".
Special characters
Special characters are used together with common characters to match complex or special
string combination. Table 2-5 describes special characters and their syntax.
Table 2-5 Description of special characters
Special
characte
r
Syntax
Example
Defines an escape character, which

is used to mark the next character
(common or special) as the common
character.
\* matches "*".
Matches the starting position of the

string.
^10 matches "10.10.10.1" instead of

"20.10.10.1".
Matches the ending position of the

string.
1$ matches "10.10.10.1" instead of

"10.10.10.2".
Matches the preceding element zero

or more times.
10* matches "1", "10", "100", and

"1000".
(10)* matches "null", "10", "1010",
and "101010".
Matches the preceding element one

or more times
10+ matches "10", "100", and

"1000".
(10)+ matches "10", "1010", and
"101010".
Matches the preceding element zero

or one time.
10? matches "1" and "10".
Matches any single character.
0.0 matches "0x0" and "020".
(10)? matches "null" and "10".
.oo matches "book", "look", and

"tool".
()
Defines a subexpression, which can

be null. Both the expression and the
subexpression should be matched.
100(200)+ matches "100200" and

"100200200".
x|y
Matches x or y.
100|200 matches "100" or "200".

1(2|3)4 matches "124" or "134",
instead of "1234", "14", "1224", and
"1334".
Issue 02 (2012-03-30)

16

2 CLI Overview
Special
characte
r
Syntax
Example
[xyz]
Matches any single character in the

regular expression.
[123] matches the character 2 in

"255".
[^xyz]
Matches any character that is not

contained within the brackets.
[^123] matches any character except

for "1", "2", and "3".
[a-z]
Matches any character within the

specified range.
[0-9] matches any character ranging

from 0 to 9.
[^a-z]
Matches any character beyond the

specified range.
[^0-9] matches all non-numeric

characters.
Matches a comma "," left brace "{",

right brace "}", left parenthesis "(",
and right parenthesis ")".
_2008_ matches "2008", "space

2008 space", "space 2008", "2008
space", ",2008,", "{2008}",
"(2008)", "{2008)", and "(2008}".
Matches the starting position of the

input string.
Matches the ending position of the
input string.
Matches a space.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
Degeneration of special characters

Certain special characters, when placed at certain positions in a regular expression,
degenerate to common characters.
The special characters following "\" match special characters themselves.
The special characters "*", "+", and "?" placed at the starting position of the regular
expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
The special character "^" placed at any position except for the start of the regular
expression. For example, abc^ matches "abc^".
The special character "$" placed at any position except for the end of the regular
expression. For example, 12$2 matches "12$2".
A right parenthesis ")" or right bracket "]" is not paired with a corresponding left
parenthesis "(" or bracket "[". For example, abc) matches "abc)" and 0-9] matches
"0-9]".
NOTE
Unless otherwise specified, degeneration rules also apply when preceding regular expressions are
subexpressions within parentheses.
Combinations of common and special characters

In actual usage, regular expressions combine multiple common and special characters to
match certain strings.
Issue 02 (2012-03-30)

17

2 CLI Overview
Specifying a Filtering Mode in a Command
CAUTION
The Huawei AR150&200 Series uses a regular expression to implement the pipe character
filtering function. A display command supports the pipe character only when there is excessive
output information.
When filtering conditions are set to query output, the first line of the command output starts with
information containing the regular expression.
Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For commands that support regular expressions, three filtering methods are as follows:
l
| begin regular-expression: displays information that begins with the line that matches
regular expression.
| exclude regular-expression: displays information that excludes the lines that match
regular expression.
| include regular-expression: displays information that includes the lines that match regular
expression.
NOTE
The value of regular-expression is a string of 1 to 255 characters.regular-expression cannot contain

underlines (_).
2.3.4 Previously-Used Commands

The CLI provides a function similar to DosKey that automatically saves any command used on
the device. If you need to run a command that has been previously executed, you can use this
function to call up the command.
By default, the system saves 10 previously-used commands for each user. You can run the
history-command max-size size-value command in the user view to set the number of
previously-used commands saved by the system. A maximum of 256 previously-used commands
can be saved.
NOTE
Setting the number of saved previously-used commands to a reasonably low value is recommended. If a
large number of previously-used commands are saved, locating a command can be time-consuming and
affect efficiency.
The operations are shown in Table 2-6
Issue 02 (2012-03-30)

18

2 CLI Overview
Table 2-6 Access the previously-used commands

Action
Key or Command
Result
Display
previouslyused
commands.
display historycommand
Display previously-used commands entered by

users.
Access the last

previouslyused
command.
Up cursor key () or Display the last previously-used command if there

is an earlier previously-used command. Otherwise,
Ctrl_P
an alarm is generated.
Access the next

previouslyused
command.
Down cursor key

() or Ctrl_N
Display the next previously-used command if there

is a later previously-used command. Otherwise, the
command is cleared and an alarm is generated.
NOTE
Windows 9X defines keys differently and the cursor key is cannot be used with Windows 9X
HyperTerminals. You may use Ctrl_P instead.
When you use previously-used commands, note the following points:

l
Previously-used commands are saved exactly as they are entered by users. For example, if
a user enters an incomplete command, the saved command is also incomplete.
A command is saved the first time it is run and subsequent runnings are not saved. If a
command is entered in different forms or with different parameters, each entry is considered
to be a different command.
For example, if the display ip routing-table command is run several times, only one
previously-used command is saved. If the display current-configuration command and
the display ip routing-table command are run, two previously-used commands are saved.
2.4 Shortcut Keys

System or user-defined shortcut keys make it easier to enter commands.
2.4.1 Classifying Shortcut Keys

There are two types of shortcut keys: system shortcut keys and user-defined shortcut keys.
Familiarize yourself with shortcut keys so as to use them correctly.
The shortcut keys in the system are classified into the following types:
l
User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can
assign these shortcut keys to any commands. When a shortcut key is pressed, the system
automatically runs the assigned command. For details about defining the shortcut keys, see
2.4.2 Defining Shortcut Keys.
System-defined shortcut keys: The system defines a number of shortcut keys with fixed
functions. Table 2-7 lists the system-defined shortcut keys.
Issue 02 (2012-03-30)

19

2 CLI Overview
NOTE
Different terminal software defines these keys differently. The shortcut keys on your terminal may be
different than those listed in this section.
Table 2-7 System-defined shortcut keys

Key
Function
CTRL_A
The cursor moves to the beginning of the current line.
CTRL_B
The cursor moves to the left one space at a time.
CTRL_C
Terminates the running function.
CTRL_D
Deletes the character where the cursor lies.
CTRL_E
The cursor moves to the end of the current line.
CTRL_F
The cursor moves to the right one space at a time.
CTRL_H
Deletes one character to the left of the cursor.
CTRL_N
Displays the next command in the previously-used command

buffer.
CTRL_P
Displays the previous command in the previously-used

command buffer.
CTRL_W
Deletes a character string or character to the left of the cursor.
CTRL_X
Deletes all the characters to the left of the cursor.
CTRL_Y
Deletes all the characters to the right of the cursor.
CTRL_Z
Returns to the user view.
CTRL_]
Terminates the inbound or redirection connections.
ESC_B
The cursor moves to the left by one word.
ESC_D
Deletes a word to the right of the cursor.
ESC_F
The cursor moves to the right to the end of next word.
2.4.2 Defining Shortcut Keys

If you use one or more commands regularly, you can assign shortcut keys to run these commands.
This facilitates user operations and improves efficiency. Only management-level users have the
rights to define shortcut keys.
Configure these shortcut keys in the system view.
Issue 02 (2012-03-30)
Action
Command
Define shortcut keys
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U }

command-text

20

2 CLI Overview
CTRL_G, CTRL_L and CTRL_O are assigned to run the following commands by default:
l
CTRL_G: display current-configuration
CTRL_L: undo idle-timeout
CTRL_O: undo debugging all
By default, CTRL_U is not assigned to any command.

When defining shortcut keys, mark the command with double quotation marks if the command
consists of several words or the command includes spaces, and do not mark the command with
double quotation marks if the command consists of only one word or the command includes no
space.
NOTE
To restore the defaults, run the undo hotkey command.
2.4.3 Use of Shortcut Keys

You can use a shortcut key at any position where a command can be entered. The system executes
an entered shortcut key and displays the corresponding command on the screen exactly as if you
had entered in the complete command.
l
If you have typed part of a command and have not pressed Enter, you can press the shortcut
keys to clear what you have entered and display the full command. This operation has the
same effect as that of deleting a command and then re-entering the complete command.
The shortcut keys are run like the commands. The syntax is recorded to the command buffer
and logged for fault location and querying.
NOTE
The terminal in use may affect the functions of shortcut keys. For example, if customized shortcut keys
for the terminal conflict with those for the router, the input shortcut keys are captured by the terminal
program and hence the shortcut keys do not function.
Run the following command in any view to display the use of shortcut keys.
Action
Command
Check the usage of shortcut keys.
display hotkey

This section provides several examples that illustrate the use of command lines.
2.5.1 Example for Using Tab

This example shows how to use the Tab key. After inputting an incomplete keyword, you can
press Tab and obtain all related keywords or check the accuracy of the input keyword.
Issue 02 (2012-03-30)

21

2 CLI Overview
Context
You do not always need to input complete keywords. Instead, input one or more of the first
characters of a keyword and press Tab to complete the keyword. The Tab key helps search for
and use commands.
Procedure
l
Tab can be used in three ways as shown in the following example.

After the incomplete key word is input and the Tab key is pressed, a unique matching
key word is displayed.
1.
Input the incomplete key word.

[Huawei] info-
2.
Press Tab.
The system replaces the incomplete input with a single key word and displays it
in a new line with the cursor leaving a space behind.
[Huawei] info-center
After the incomplete key word is input and the Tab key is pressed, several matches are
displayed or no match is displayed.
# Several prefixes beginning with log can follow the keyword info-center.
[Huawei] info-center log?
logbuffer
logfile
group
loghost
1.
Setting of log buffer configuration

<Group> logfile command
Setting of logging host configuration
Input the incomplete key word.

[Huawei] info-center log
2.
Press Tab.
The system first displays the prefix log.
[Huawei] info-center logbuffer
Press Tab repeatedly to select the keywords one at a time. The cursor is placed
directly after the end of each keyword.
[Huawei] info-center logfile
[Huawei] info-center loghost
Stop pressing Tab after the keyword logfile that you need is displayed.
3.
Input a space to enter the next word path.

[Huawei] info-center logfile path
Input an incorrect keyword and press Tab to check the correctness of the keyword.
1.
Input a wrong keyword loglog.

[Huawei] info-center loglog
2.
Press Tab.
[Huawei] info-center loglog
The system displays information in a new line, but the keyword loglog remains
unchanged and there is no space between the cursor and the keyword, indicating
that this keyword is non-existent.
----End
Issue 02 (2012-03-30)

22

2 CLI Overview
2.5.2 Example for Using Shortcut Keys

In this example, shortcut keys are assigned to frequently-used commands. You can press the
shortcut keys instead of inputting the commands. This facilitates user operations and improves
efficiency.
Context
If the login router supports shortcut keys, any user regardless of user level can use these shortcut
keys.
Procedure
Step 1 Correlate Ctrl_U with the display local-user command and run the shortcut keys.
[Huawei] hotkey ctrl_u "display local-user"
NOTE
When defining shortcut keys for a command, use double quotation marks to quote the command if the
command consisting of multiple words, which are separated by spaces. No double quotation marks are
required for single-word commands.
Step 2 Press Ctrl_U when the prompt [Huawei] appears.

[Huawei] display local-user
---------------------------------------------------------------------------User-name
State AuthMask AdminLevel
---------------------------------------------------------------------------admin
A
H
root
A
A
---------------------------------------------------------------------------Total 2 user(s)
----End
Issue 02 (2012-03-30)

23

3 Basic Configuration
Basic Configuration
About This Chapter

This chapter describes how to configure the router to work properly in the network environment
and to suit your needs.
3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.
3.2 Displaying System Status Messages
This section describes how to use display commands to check basic system configurations.
Issue 02 (2012-03-30)

24

3.1 Configuring the Basic System Environment

This section describes how to configure the basic system environment.

Before configuring the basic system environment, familiarize yourself with the applicable
Before configuring services, you need to configure the basic system environment (such as time
and device name) to meet the environment requirement.
Before configuring the basic system environment, complete the following task:
l
Powering on the router
Data Preparation
To configure the basic system environment, you need the following data.
No.
Data
System time
Host name
Login information
Command level
3.1.2 Configuring the Equipment Name

If multiple devices on a network need to be managed, set equipment names to identify each
device.
Context
New equipment names take effect immediately.
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)

25

The system view is displayed.

Step 2 Run:
sysname host-name
The equipment name is set.

By default, the equipment name of the router is Huawei.
You can change the name of the router that appears in the command prompt.
----End
3.1.3 Setting the System Clock

The system clock must be correctly set to ensure synchronization with other devices.
Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device operates properly with other
devices.
Perform the following steps in the user view to set the system clock:
Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
The current date and time is set.

NOTE
If the time zone has not been configured or is set to 0, the date and time set by this command are considered
to be UTC. Set the time zone and UTC correctly.
Step 2 Run:
clock timezone time-zone-name { add | minus } offset
The time zone is set.

l If add is configured, the current time is the UTC time plus the time offset. That is, the default
UTC time plus offset is equal to the time of time-zone-name.
l If minus is configured, the current time is the UTC time minus the time offset. That is, the
default UTC time minus offset is equal to the time of time-zone-name.
Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
Issue 02 (2012-03-30)

26

second | third | fourth | last } weekday month

[ end-year ] ]
| end-date } offset [ start-year
Daylight saving time is set.

By default, daylight saving time is not set.
Use one of these modes to configure the starting date and ending date for daylight saving time:
date+date, week+week, date+week, and week+date. For details, see clock daylight-savingtime.
NOTE
If the daylight saving time is used, the clock timezone time-zone-name { add | minus } offset command
can be executed to set the time zone name. The display clock command displays the daylight saving time
name. After the daylight saving time is complete, the original time zone name is displayed.
----End
System Clock Display

The system clock is determined by the clock datetime, clock timezone, and clock daylightsaving-time commands.
l
If none of the preceding three commands have been run, the original system time will be
displayed after running the display clock command.
The preceding three commands can also be run in combination with one another to
configure the system clock, as listed in Table 3-1.
In the following examples, the original system time is 08:00:00 January 1, 2010.
l
1: The clock datetime command is run to set the current date and time to date-time.
2: The clock timezone command is run to configure the time zone with the time zone offset
zone-offset.
3: The clock daylight-saving-time command is run to configure the daylight saving time
with the offset offset.
[1]: The clock datetime command configuration is optional.
Table 3-1 System clock configuration examples

Operation
Configured System
Time
Example
date-time
Run the clock datetime 8:0:0 2011-11-12

command.
Configured system time:
2011-11-12 08:00:03
Saturday
Time Zone(DefaultZoneName): UTC
Original system time +/zone-offset
Run the clock timezone BJ add 8 command.

2010-01-01 16:00:20+08:00
Friday
Time Zone(BJ): UTC+08:00
Issue 02 (2012-03-30)

27

Operation
Configured System
Time
Example
1, 2
date-time +/- zone-offset
Run the clock datetime 8:0:0 2011-11-12 and

clock timezone BJ add 8 commands.
2011-11-12 16:00:13+08:00
Saturday
[1], 2, 1
date-time
Run the lock timezone NJ add 8 and clock

datetime 9:0:0 2011-11-12 commands.
2011-11-12 09:00:02+08:00
Saturday
Time Zone(NJ): UTC+08:00
Issue 02 (2012-03-30)
Original system time if

the original system time
is not during the
configured daylight
saving time period
Run the clock daylight-saving-time BJ one-year

6:0 2011-8-1 6:0 2011-10-01 1 command.
Original system time +

offset if the original
system time is during the
configured daylight
saving time period

6:0 2011-1-1 6:0 2011-9-1 2 command.

2010-01-01 08:00:51
Friday
Daylight saving time :
Name
: BJ
Repeat mode : one-year
Start year : 2011
End year
: 2011
Start time : 08-01 06:00:00
End time
: 10-01 06:00:00
Saving time : 01:00:00

2010-01-01 10:00:34 DST
Friday
Time Zone(BJ): UTC
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00

28

Operation
Configured System
Time
Example
1, 3
date-time if date-time is
not during the configured
daylight saving time
period

clock daylight-saving-time BJ one-year 6:0
2012-8-1 6:0 2012-10-01 1 commands.
2011-11-12 09:00:26
Saturday
Name
: BJ
Start year : 2012
End year
: 2012
Start time : 08-01 06:00:00
End time
: 10-01 06:00:00
date-time + offset if datetime is during the

configured daylight
saving time period

clock daylight-saving-time BJ one-year 9:0
2011-11-12 6:0 2011-12-01 2 commands.
2011-11-12 11:02:21 DST
Saturday
Time Zone(BJ): UTC
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 11-12 09:00:00
End time
: 12-01 06:00:00
[1], 3, 1
period

6:0 2012-8-1 6:0 2012-10-01 1 and clock datetime
9:0 2011-11-12 commands.
2011-11-12 09:00:02
Saturday
Name
: BJ
Start year : 2012
End year
: 2012
Start time : 08-01 06:00:00
End time
: 10-01 06:00:00
Issue 02 (2012-03-30)

29

Operation
Configured System
Time
Example
during the configured
period

1:0 2011-1-1 1:0 2011-9-1 2 and clock datetime
3:0 2011-1-1 commands.
2011-01-01 03:00:19 DST
Saturday
Time Zone(BJ): UTC
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 01:00:00
End time
: 09-01 01:00:00
2, 3 or 3, 2
Issue 02 (2012-03-30)
Original system time +/zone-offset if the value of

Original system time +/zone-offset is not during
the configured daylight
saving time period
Run the clock timezone BJ add 8 and clock

daylight-saving-time BJ one-year 6:0 2011-1-1
6:0 2011-9-1 2 commands.
Original system time +/zone-offset +/- offset if

the value of Original
system time +/- zoneoffset is during the
configured daylight
saving time period

1:0 2010-1-1 1:0 2010-9-1 2 and clock timezone
BJ add 8 commands.

2010-01-01 16:01:29+08:00
Friday
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00

2010-01-01 18:05:31+08:00 DST
Friday
Name
: BJ
Start year : 2010
End year
: 2010
Start time : 01-01 01:00:00
End time
: 09-01 01:00:00

30

Operation
Configured System
Time
Example
1, 2, 3, or 1,
3, 2

if the value of date-time
+/- zone-offset is not
period
Run the clock datetime 8:0:0 2011-11-12, clock

timezone BJ add 8, and clock daylight-savingtime BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2
commands.

+ offset if the value of
is during the configured
period
Run the clock datetime 8:0:0 2011-1-1, clock

daylight-saving-time BJ one-year 6:0 2011-1-1
6:0 2011-9-1 2, and clock timezone BJ add 8
commands.
period

6:0 2012-1-1 6:0 2012-9-1 2, clock timezone BJ
add 8, and clock datetime 8:0:0 2011-11-12
commands.
[1], 2, 3, 1
or [1], 3, 2,
1

2011-11-12 16:01:40+08:00
Saturday
Name
: BJ
Start year : 2012
End year
: 2012
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00

2011-01-01 18:00:43+08:00 DST
Saturday
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00

2011-11-12 08:00:03+08:00
Saturday
Name
: BJ
Start year : 2012
End year
: 2012
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00
Issue 02 (2012-03-30)

31

Operation
Configured System
Time
Example
period
Run the clock timezone BJ add 8, clock daylightsaving-time BJ one-year 1:0 2011-1-1 1:0
2011-9-1 2, and clock datetime 3:0:0 2011-1-1
commands.
2011-01-01 03:00:03+08:00 DST
Saturday
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 01:00:00
End time
: 09-01 01:00:00
3.1.4 Configuring a Header

If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.
Context
A header is a text message displayed by the system at the time a user logs in to the router.
Procedure
Step 1 Run:
system-view

Step 2 Run:
header login { information text | file file-name }
A header displayed during login is set.

Step 3 Run:
header shell { information text | file file-name }
A header displayed after login is set.

To display the header when the terminal connection has been activated but the user has not been
authenticated, configure the parameter login.
To display the header after the user has logged in, configure the parameter shell.
Issue 02 (2012-03-30)

32

CAUTION
l The header message starts and ends with the same character. Enter the first character of the
header and press Enter. An interactive interface for setting the header is displayed. Input the
required information and end the header by entering the first character when you are finished.
The system then exits from the interactive interface.
l If file is specified, save the file containing the header in the root directory of the default
storage medium. If the file is saved in another directory, specify the full path in the file name,
or the file will be inaccessible.
l If a user logs in to the router using SSH1.X, the login header is not displayed during login,
but the shell header is displayed after login.
l If a user logs in to the router using SSH2.0, both login and shell headers are displayed.
----End
3.1.5 Configuring Command Levels

This section describes how to configure command levels to ensure device security or allow lowlevel users to run high-level commands. By default, commands are registered in the sequence
of Level 0 to Level 3. If refined rights management is required, you can divide commands in to
16 levels, that is, from Level 0 to Level 15.
Context
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.
Procedure
Step 1 Run:
system-view

Step 2 Run:
command-privilege level level view view-name command-key
The command level is configured. With the command, you can specify the level and view
multiple commands at one time (command-key).
All commands have default command views and levels. You do not need to reconfigure them.
----End
3.1.6 Configuring the undo Command to Automatically Match the

Higher-Level View
After performing this configuration, if a user runs the undo command when the undo command
is not registered in the current view, the system automatically switches to the view one level up
from the current view and searches for this command there. If the command is found, the
undo command takes effect. If the undo command does not exist in this view, the system
Issue 02 (2012-03-30)

33

progressively searches higher-level views for the command until reaching the system view. If
not found in the higher-level view, the undo command will not be executed.
Procedure
Step 1 Run:
system-view

Step 2 Run:
matched upper-view
The undo command is configured to automatically search higher-level views if run in a view
where it is not registered.
By default, the undo command does not automatically search higher-level views.
NOTE
l The matched upper-view command is valid for current login users who run this command.
l Configuring the undo command to automatically match the upper level view is recommended only if
necessary.
----End
3.1.7 (Optional) Setting Factory Configurations

You can set the current configurations or the existing configuration file on a router as factory
configurations.
Context
To restore factory configurations of a router, hold down the reset button for at least 5 seconds.
This operation makes the device restart and clears user-defined configuration.
To solve this problem, set the self-defined basic configurations as factory configurations.
Procedure
Step 1 Run:
set factory-configuration from { current-configuration | filename }
The current configuration or the existing configuration file is set as factory configurations.
Step 2 (Optional) Run:
set factory-configuration operate-mode { reserve-configuration | deleteconfiguration }
The mode of restoring factory configurations is set to reserve or delete.

Reserve mode: The original factory configurations will be reserved after you hold down the reset
button for at least 5 seconds.
Delete mode: The original factory configurations will be deleted after you hold down the reset
button for at least 5 seconds.
Issue 02 (2012-03-30)

34

Default mode: delete

----End
3.2 Displaying System Status Messages

This section describes how to use display commands to check basic system configurations.
Context
You can use display commands to collect information about system status. The display
commands perform the following functions:
l
Display system configurations.
Display system running status.
Display diagnostic information about a system.
See related sections concerning display commands for information on protocols and interfaces.
This section only shows system-level display commands.
Run the following commands in any view.
3.2.1 Displaying System Configuration

This section describes how to use command lines to check the system version, system time,
original configuration, and current configuration.
Procedure
l
Run the display version command to display the system version.
Run the display clock command to display the system time.
Run the display saved-configuration command to display the original configuration.
Run the display current-configuration command to display the current configuration.

NOTE
l The display version command displays the software version of the system, the chassis type, and
information about the main control board and interface board.
When a user runs the display current-configuration command, other users cannot run the same
command until all the command output is displayed.
l The original configuration refers to information about configuration files used by the device when
it is powered on and initialized. The current configuration refers to the configuration files that
take effect when the device is in use. For details, see the chapter "Configuring System Startup"
in the AR150/200 Basic-Configuration.
----End
3.2.2 Displaying System Status

This section describes how to use command lines to check system operating status (the
configuration of the current view).
Issue 02 (2012-03-30)

35

Procedure
l
Run the display this command to display the configuration of the current view.
NOTE
When a user runs the display this command, other users cannot run the same command until all the
command output is displayed.
----End
3.2.3 Collecting System Diagnostic Information

This section describes how to collect information about system modules.
Context
If you cannot perform routine maintenance, you must run the various display commands to
collect information needed to locate faults. The display diagnostic-information command
gathers information about all system modules currently running.
Procedure
l
Run:
display diagnostic-information
The system diagnostic information is displayed.

The display diagnostic-information command collects all information collected by
running the following commands, including display clock, display version, and so on.
----End
3.2.4 Displaying Factory Configuration Information

You can run the following command to view a router's factory configuration information.
Procedure
l
Run:
display factory-configuration
The factory configuration information is displayed.

NOTE
If factory configurations of the router are modified, the display factory-configuration command
displays the modified factory configurations.
Run:
display factory-configuration operate-mode
The mode of restoring factory configurations is displayed.

----End
Issue 02 (2012-03-30)

36

4 Configuring User Interfaces
Configuring User Interfaces
About This Chapter

When a user logs in to the router by using the console port, Telnet, or SSH, the system manages
the session between the user and the router on the corresponding user interface.
4.1 User Interface Overview
The system supports console and VTY user interfaces.
4.2 Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
4.3 Configuring the VTY User Interface
If you need to log in to the router using Telnet or SSH to perform local or remote maintenance,
you can configure the VTY user interface as needed.
This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain networking requirements, and provides configuration roadmaps
and configuration notes.
Issue 02 (2012-03-30)

37

4.1 User Interface Overview

The system supports console and VTY user interfaces.
Each user interface has a user interface view. A user interface view is a command line view
provided by the system. It is used to configure and manage all the physical and logical interfaces
in asynchronous mode.
User Interfaces Supported by the System

l
Console port (CON)

The console port is a serial port provided by the main control board of the device.
The main control board provides one EIA/TIA-232 DCE console port. A terminal can use
this port to connect directly to a device in order to perform local configurations.
Virtual type terminal (VTY)

A VTY is a logical terminal line. A VTY connection is set up when a device uses Telnet
to connect to a terminal by means of Telnet. This kind of connection is used for local or
remote access to a device. A maximum of 15 users can use the VTY user interface to log
in to the device.
Numbering of a User Interface

After a user logs in to the device, the system assigns the lowest numbered idle user interface to
the user. The type of interface assigned depends on the user's login mode. There are two ways
to number user interfaces:
l
Relative numbering
Relative numbering uses a user interface type + number format.
Relative numbering is used to specify user interfaces of a particular type. It can be used to
number single user interfaces or user interface groups and must adhere to the following
rules:
Number of the console port: CON 0
Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
Absolute numbering
Absolute numbering is used to give a single user interface or a group of user interfaces a
unique number.
Absolute numbering starts with 0. Ports are numbered in a sequence beginning with CON
-> VTY. There is only one console port and 0-20 VTY interfaces (VTY interfaces 0 to 14
are reserved for Telnet/SSH users and VTY interfaces 16 to 20 are reserved for network
management users). You can use the user-interface maximum-vty command to set the
maximum number of user interfaces. The default number is five.
By default, the system supports two types of user interfaces: CON, and VTY.
Table 4-1 shows absolute numbers for user interfaces in this system.
Issue 02 (2012-03-30)

38

Table 4-1 Example for the absolute numbering

Absolute number
User-interface
CON0
129
First virtual interface (VTY0)
130
Second virtual interface (VTY1)
131
Third virtual interface (VTY2)
132
Fourth virtual interface (VTY3)
133
Fifth virtual interface (VTY4)
NOTE
The absolute numbers allocated for VTY interfaces are device-specific.
Run the display user-interface command to view the absolute number of user interfaces.
Authentication of a User Interface

After a user is configured, the system authenticates the user during user login.
There are three user authentication modes: non-authentication, password authentication, and
AAA.
l
Non-authentication: Users can log in to the router without username or password. This
mode is a security risk and not recommended.
Password authentication: Users must enter a password, but not a username, during the login
process.
AAA authentication: Users must enter a password and a username during the login process.
Telnet users are usually authenticated in this mode.
Priority of a User Interface

Users logged in to the router are managed according to their levels.
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the
user level.
A user's level determines the level of commands that the user is authorized to run.
l
In the case of non-authentication or password authentication, the level of the command that
the user can run is determined by the level of the user interface.
In the case of AAA authentication, the command that the user can use is determined by the
level of the local user specified in the AAA configuration.
4.2 Configuring the Console User Interface

Issue 02 (2012-03-30)

39


Before configuring the console user interface, familiarize yourself with the applicable
If you need to log in to the router through a console port to perform local maintenance, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. These parameters have default values that
require no additional configuration, but you may modify these parameters as needed.
Before configuring a console user interface, complete the following tasks:
l
Logging in to the router with a terminal
Data Preparation
To configure a console user interface, you need the following data.
No.
Data
Baud rate, flow-control mode, parity, stop bit, and data bit
Idle timeout period, terminal screen length, and the size of history command buffer
User priority
User authentication method, username, and password
NOTE
All the default values (excluding the password and username) are stored on the router and do not need
additional configuration.
4.2.2 Setting Physical Attributes of the Console User Interface

You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console
port.
Context
Physical attributes of a console port have default values on the router and no additional
configuration is needed.
NOTE
When a user logs in to a router through a console port, the physical attributes set for the console port on
the HyperTerminal must be consistent with the attributes of the console user interface on the router, or the
user will not be able to log in.
Issue 02 (2012-03-30)

40

Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.

Step 3 Run:
speed speed-value
The baud rate is set.

By default, the baud rate is 9600 bit/s.
Step 4 Run:
parity { even | none | odd }
The parity mode is set.

By default, the value is none.
Step 5 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set.

By default, the value is 1 bit.
Step 6 Run:
databits { 5 | 6 | 7 | 8 }
The data bit is set.

By default, the data bit is 8.
----End
4.2.3 Setting Terminal Attributes of the Console User Interface

This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines displayed in a terminal screen, and size of
the history command buffer.
Context
Terminal attributes of the console user interface have default values on the router that you may
modify as needed.
Procedure
Step 1 Run:
system-view

Issue 02 (2012-03-30)

41

Step 2 Run:

Step 3 Run:
shell
The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]
The idle timeout period is set.

If a connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]
The terminal screen length is set.

The parameter temporary is used to display the number of lines to be temporarily displayed on
a terminal screen.
By default, the terminal screen length is 24 lines.
NOTE
The system automatically adjusts the terminal screen length, so you do not need to set it manually.
Step 6 Run:
history-command max-size size-value
The history command buffer is set.

By default, the size of history command buffer is 10 entries.
----End
4.2.4 Configuring User Privilege of the Console User Interface

This section describes how to control a user' authority to log in to the router and how to improve
router security by configuring user priority.
Context
l
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see "Command Level".

Issue 02 (2012-03-30)

42

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
user privilege level level
The user privilege is set.

NOTE
l By default, users logging in through the console user interface can use commands at level 15, and users
logging in through other user interfaces can use commands at level 0.
l If the command level and user level are inconsistent, the user level takes precedence.
----End
4.2.5 Configuring the User Authentication Mode of the Console

User Interface
The system provides threetwo authentication modes: AAA, password, and non-authentication.
Configuring user authentication modes improves router security.
Context
The system provides three authentication modes as shown in Table 4-2.
Table 4-2 Authentication Modes
Authen
tication
Mode
Advantage
Disadvantage
AAA
AAA provides user authentication with high

security.
The configuration is complex.

The user name and password for
AAA authentication must be
created.
The user name and password must be entered

for login.
Issue 02 (2012-03-30)
Passwor
d
authenti
cation
Password authentication is based on VTY

channels, providing security. The
configuration is simple and only the login
password is needed.
It provides lower security

compared with AAA.
Nonauthenti
cation
The configuration is simple.
It is insecure.

All users can log in to a device

using the login password for the
device.
43

By default, the user authentication mode for the console user interface is non-authentication.
Procedure
l
Configuring AAA Authentication

1.
Run:
system-view

2.
Run:

3.
Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.

4.
Run:
aaa
The AAA view is displayed.

5.
Run:
local-user user-name password { simple | cipher } password
A username and password for the local user are created.

6.
Run:
quit
Exit from the AAA view.

l
Configuring Password Authentication

1.
Run:
system-view

2.
Run:

3.
Run:
authentication-mode password
The authentication mode is set to password authentication.

4.
Run:
set authentication password { cipher | simple } password
A password for password authentication is set.

l
Configuring Non-Authentication
1.
Run:
system-view

2.
Run:
Issue 02 (2012-03-30)

44


3.
Run:
authentication-mode none
The authentication mode is set to non-authentication.

----End
4.2.6 Checking the Configuration

After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.
Prerequisites
The configurations of the user management function are complete.
Procedure
l
Run the display users [ all ] command to check information about the user interface.
Run the display user-interface console ui-number1 [ summary ] command to check

physical attributes and configurations of the user interface.
Run the display local-user command to check the local user list.
----End
Example
Run the display users command to view information about the current user interface.
<Huawei> display users
User-Intf
Delay
0
CON 0
00:00:44
Username : Unspecified
Type
Network Address
AuthenStatus
AuthorcmdFlag
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Huawei> display user-interface console 0
Idx Type
Tx/Rx
Modem Privi ActualPrivi Auth
0
CON 0
9600
3
N
+
: Current UI is active.
F
: Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
Int
-
Run the display local-user command to view the local user list.
<Huawei> display local-user
---------------------------------------------------------------------------User-name
---------------------------------------------------------------------------admin
A
H
ftp
A
F
-
Issue 02 (2012-03-30)

45

guest
A
A
15
---------------------------------------------------------------------------Total 3 user(s)
4.3 Configuring the VTY User Interface

you can configure the VTY user interface as needed.

Before configuring a VTY user interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.
you can configure a VTY user interface. You can configure the maximum number of VTY user
interfaces, restrictions on incoming and outgoing calls, terminal property, user priority, and user
authentication mode.
Before configuring a VTY user interface, complete the following tasks:
l
Logging in to the router by using a terminal
Data Preparation
To configure a VTY user interface, you need the following data.
No.
Data
Maximum VTY user interfaces
(Optional) ACL code to restrict incoming and outgoing calls on VTY user interfaces
Idle timeout period, number of characters in each line displayed on a terminal screen
User priority
User authentication method, username, and password
NOTE
All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, user authentication method, username, and password) have default values that require no
additional configuration.
Issue 02 (2012-03-30)

46

4.3.2 Configuring the Maximum Number of VTY User Interfaces

This section describes how to limit the number of users logging in to the router by configuring
the maximum number of VTY user interfaces.
Context
The maximum number of VTY user interfaces equals the total number of users allowed to log
in to the router using Telnet or SSH.
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface maximum-vty number
The maximum number of VTY user interfaces is set. By default, the maximum number of VTY
user interfaces is 5.
NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the network
administrator) can use a VTY user interface to log in to the router.
If the set maximum number of VTY user interfaces is smaller than the maximum number of
online users, current online users will not be affected and no additional configuration is required.
If the set maximum number of VTY user interfaces is greater than the maximum number of
current interfaces, the authentication mode and password must be set for newly added user
interfaces.
Password authentication is the default authentication mode for newly added user interfaces.
Consider, for example, a system that allows a maximum of five users to be online. To allow 15
VTY users online at the same time, you must run the authentication-mode and set
authentication password commands to configure authentication modes and passwords for VTY
user interfaces from 5 to 14. The commands are run as follows:
[Huawei] user-interface maximum-vty 15
[Huawei] user-interface vty 5 14
[Huawei-ui-vty5-14] authentication-mode password
[Huawei-ui-vty5-14] set authentication password cipher huawei
----End
4.3.3 (Optional) Setting Restrictions for Incoming and Outgoing

Calls on VTY User Interfaces
This section describes how to configure an ACL to restrict access of incoming and outgoing
calls on a VTY user interface to specific IP addresses or address segments.
Issue 02 (2012-03-30)

47

Context
Before setting restrictions for incoming and outgoing calls on a VTY user interface, run the
acl command in the system view to create an ACL. Enter the ACL view and run the rule command
to add rules to the ACL.
NOTE
l The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging
from 3000 to 3999.
l For ACL configuration details, refer to the Configuration Guide - SecurityHuawei AR150&200
Series Enterprise Routers Configuration Guide - Security.
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.

Step 3 Run:
acl acl-number { inbound | outbound }
Restrictions for incoming and outgoing calls on the VTY interface are configured.
l If you want to prevent a user with a specific address or segment address from logging in to
the router, use the inbound command.
l If you want to prevent a user who logs in to a router from accessing other routers, use the
outbound command.
----End
4.3.4 Setting Terminal Attributes of the VTY User Interface

This section describes how to configure terminal attributes of a VTY user interface, including
user idle timeout, number of lines displayed in a terminal screen, and size of the history command
buffer.
Context
Terminal attributes of a VTY user interface have default values on the router and you can set
them as needed.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2012-03-30)

48


Step 3 Run:
shell
VTY terminal service is enabled.

Step 4 Run:
idle-timeout minutes [ seconds ]
User idle timeout is enabled.

If the connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]
The terminal screen length is set.

The parameter temporary is used to display the number of lines to be temporarily displayed on
a terminal screen.
By default, the terminal screen length is 24 lines.
NOTE
The system automatically adjusts the terminal screen length, so you do not need to set it manually.
Step 6 Run:
history-command max-size size-value
Set the size of the history command buffer.

By default, a maximum number of 10 commands can be cached in the history command buffer.
----End
4.3.5 Setting User Priority of the VTY User Interface

This section describes how to control a user' authority to log in to the router and how to improve
router security by configuring user priority.
Context
l
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see "Command Level".
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)

49


Step 2 Run:

Step 3 Run:
The user priority is set.

By default, users logging in through the VTY user interface can use commands at level 0.
NOTE
If the command level configured in the VTY user interface view and user priority are inconsistent, user
priority takes precedence.
----End
4.3.6 Setting the User Authentication Mode of the VTY User

Interface
The system provides threetwo authentication modes: AAA, password, and non-authentication.
Configuring user authentication modes improves router security.
Context
The system provides three authentication modes as shown in Table 4-3.
Table 4-3 Authentication Modes
Authen
tication
Mode
Advantage
Disadvantage
AAA
AAA provides user authentication with high

security.
The configuration is complex.

The user name and password for
AAA authentication must be
created.
The user name and password must be entered

for login.
Passwor
d
authenti
cation
Password authentication is based on VTY

channels, providing security. The
configuration is simple and only the login
password is needed.
It provides lower security

compared with AAA.
Nonauthenti
cation
The configuration is simple.
It is insecure.
All users can log in to a device

using the login password for the
device.
Password authentication is the default authentication mode of VTY user interfaces.

Issue 02 (2012-03-30)

50

Procedure
l

1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:
quit
Exit from the VTY user interface view.

5.
Run:
aaa

6.
Run:

l

1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:

l
1.
Run:
system-view

2.
Run:

Issue 02 (2012-03-30)

51

3.
Run:

----End

After configuring a VTY user interface, you can view information about user interfaces, the
maximum number of VTY user interfaces, and physical attributes and configurations of user
interfaces.
Prerequisites
The configurations of the VTY user interface are complete.
Procedure
l
Run the display users [ all ] command to check information about user interfaces.
Run the display user-interface maximum-vty command to check the maximum number
of VTY user interfaces.
Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]

command to check the physical attributes and configurations of user interfaces.
Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view information about current user interfaces.
User-Intf
Delay
Type
34 VTY 0
00:00:12 TEL
+ 35 VTY 1
00:00:00 TEL
Network Address
10.138.77.38
AuthenStatus
AuthorcmdFlag
10.138.77.57
Run the display user-interface maximum-vty command to view the maximum number of VTY
user interfaces.
<Huawei> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<Huawei> display user-interface vty 0
Idx Type
Tx/Rx
+ 34
VTY 0
14
14
N
+
F
Issue 02 (2012-03-30)

Int
-
52


---------------------------------------------------------------------------User-name
---------------------------------------------------------------------------admin
A
H
ftp
A
F
guest
A
A
15
---------------------------------------------------------------------------Total 3 user(s)
Run the display vty mode command to view the message indicating that the machine-to-machine
interface is enabled. For example:
<Huawei> display vty mode
current VTY mode is Machine-Machine interface

This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain networking requirements, and provides configuration roadmaps
and configuration notes.
4.4.1 Example for Configuring Console User Interface

In this example, a console user interface is configured to allow a user in password authentication
mode to log in to the router. The physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the interface.
Networking Requirements
A user uses the console user interface to log in to the router to initialize router configurations or
perform local router maintenance. You can set console user interface attributes as needed (for
example, security considerations) to allow user logins.
The password authentication mode has been set in the console user interface view (the password
is huawei).
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Enter the interface view and set physical attributes of the console user interface.
2.
Set terminal attributes of the console user interface.
3.
Set the user priority of the console user interface.
4.
Set the user authentication mode and password of the console user interface.
Issue 02 (2012-03-30)

53

Data Preparation
To complete the configuration, you need the following data:
l
Transmission rate of the console user interface: 4800 bit/s
Parity of the console user interface: even
Stop bit of the console user interface: 2
Data bit of the console user interface: 8
Timeout period for disconnecting from the console user interface: 30 minutes
Number of lines that a terminal screen displays: 30
Size of the history command buffer: 20
User priority: 15
User authentication mode: password (password: huawei)
Procedure
Step 1 Set physical attributes of the console user interface.
[Huawei] user-interface console 0
[Huawei-ui-console0] speed 4800
[Huawei-ui-console0] parity even
[Huawei-ui-console0] stopbits 2
[Huawei-ui-console0] databits 8
Step 2 Set terminal attributes of the console user interface.

[Huawei-ui-console0] idle-timeout 30
[Huawei-ui-console0] screen-length 30
[Huawei-ui-console0] history-command max-size 20
Step 3 Set the user priority of the console user interface.

[Huawei-ui-console0] user privilege level 15
Step 4 Set the user authentication mode in the console user interface to password.
[Huawei-ui-console0] authentication-mode password
[Huawei-ui-console0] set authentication password simple huawei
[Huawei-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can use
a console port to log in and perform local maintenance on the router. For details on how a user
logs in to the router, see the 5 Configuring User Login.
----End
Configuration Files
#
sysname Huawei
#
user-interface con 0
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
databits 8
parity even
stopbits 2
speed 9600
Issue 02 (2012-03-30)

54

#
return
4.4.2 Example for Configuring a VTY User Interface

In this example, a VTY user interface is configured to allow a user in password authentication
mode to use Telnet to log in to the router. The maximum number of VTY user interfaces allowed,
restrictions for incoming and outgoing calls, terminal attributes, authentication mode, and
password are set for the interface.
A user uses Telnet or SSH to log in to the router using a VTY channel. You can set VTY user
interface attributes as needed (for example, security considerations) to allow user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password
authentication, with the password of "huawei", and a user with the IP address of 10.1.1.1 is
prohibited from logging in to the router.
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.
1.
Enter the interface view and set the maximum number of VTY user interfaces to 15.
2.
Set restrictions for incoming and outgoing calls on the VTY user interface to prevent an IP
address or an IP address segment for accessing the router.
3.
Set terminal attributes of the VTY user interface.
4.
Set the user priority of the VTY user interface.
5.
Set the authentication mode and password of the VTY user interface.
Data Preparation
l
Maximum number of VTY user interfaces: 15
ACL applied to restrict incoming calls on the VTY user interface: 2000
Timeout period for disconnecting from the VTY user interface: 30 minutes
Number of lines that a terminal screen displays: 30
Size of the history command buffer: 20
User priority: 15
User authentication mode: password, password: huawei

NOTE
By default, the terminal service is enabled on all user interfaces. If the terminal service is disabled, run the
shell command to enable the terminal service.
Procedure
Step 1 Set the maximum number of VTY user interfaces.
Issue 02 (2012-03-30)

55

[Huawei] user-interface maximum-vty 15
Step 2 Set the limit on call-in and call-out in the VTY user interface.
[Huawei] acl 2000
[Huawei-acl-basic-2000]
[Huawei] user-interface
[Huawei-ui-vty0-14] acl
rule deny source 10.1.1.1 0

rule permit source any
quit
vty 0 14
2000 inbound
Step 3 Set terminal attributes of the VTY user interface.

[Huawei-ui-vty0-14]
[Huawei-ui-vty0-14]
[Huawei-ui-vty0-14]
[Huawei-ui-vty0-14]
shell
idle-timeout 30
screen-length 30
Step 4 Set the user priority of the VTY user interface.

[Huawei-ui-vty0-14] user privilege level 15
Step 5 Set the authentication mode and password of the VTY user interface.
[Huawei-ui-vty0-14] authentication-mode password
[Huawei-ui-vty0-14] set authentication password simple huawei
[Huawei-ui-vty0-14] quit
----End
Configuration Files
#
sysname Huawei
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
set authentication password simple huawei
idle-timeout 30 0
screen-length 30
#
return
Issue 02 (2012-03-30)

56

5 Configuring User Login
Configuring User Login
About This Chapter

A user can log in to the router through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the router locally or remotely after login.
5.1 Overview of User Login
A user must successfully log in to the device to manage and maintain it. The user can log in to
the device using the console port, Telnet, or STelnet.
5.2 Logging in to the Devices Through the Console Port
When a user needs to configure a router that is powered on for the first time or maintain a
router locally, the user can log in through a console port.
5.3 Logging in to Devices Using Telnet
When multiple routers need to be configured and managed, there is no need to maintain each
router locally. Instead, you can use Telnet to log in to the routers remotely to perform
maintenance. This greatly facilitates device management.
5.4 Logging in to Devices Using STelnet
STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.
5.5 Common Operations After Login
After logging in to the router, you can perform user priority switching, terminal window locking,
and other operations as needed.
This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.
Issue 02 (2012-03-30)

57

5.1 Overview of User Login

A user must successfully log in to the device to manage and maintain it. The user can log in to
the device using the console port, Telnet, or STelnet.
Table 5-1 lists the modes by which a user can log in to the device to configure and manage it.
Table 5-1 User login modes
Login Mode
Applicable Scenario
Remarks
5.2 Logging in to
the Devices
Through the
Console Port
A user logs in to the device

using the console port on the
user terminal to power on
and configure the device for
the first time.
By default, a user can directly log in to

the device using the console port. The
authentication mode is None, indicating
that a username and password are not
required during authentication. The user
access level is 3.
l If a user cannot access

the device remotely, the
user can log in to the
device locally using the
console port.
l A user can log in using
the console port to
diagnose a fault if the
device fails to start or to
enter the BootROM to
upgrade the system.
Issue 02 (2012-03-30)

58

Login Mode
Applicable Scenario
Remarks
5.3 Logging in to
Devices Using
Telnet
A user accesses the network

using a user terminal and
logs in to the device using
Telnet to perform local or
remote configuration. The
target device authenticates
the user using the
configured login
parameters.
By default, a user cannot log in to the

device directly using Telnet. To enable
Telnet login, log in to the device locally
using the console port and perform the
following configuration tasks:
The Telnet login mode

facilitates remote device
management and
maintenance.
l Configure the IP address of the

management network port on the
device and ensure that a reachable
route exists between the user terminal
and the device. By default, an IP
address is not configured on the
device.
l Configure the user authentication
mode of the VTY user interface. By
default, password authentication is
used for the VTY user interface.
l Configure the user access level of the
VTY user interface. By default, the
user access level of the VTY user
interface is 0.
l Enable the Telnet server function. By
default, the Telnet server function is
enabled.
Issue 02 (2012-03-30)

59

Login Mode
Applicable Scenario
Remarks
5.4 Logging in to
Devices Using
STelnet
A user accesses the network

using a user terminal. If the
network is insecure, use the
Secure Shell (SSH) protocol
to increase the security of
the transmission and utilize
a powerful authentication
mechanism. SSH protects
the device system against
attacks, such as IP proofing
and plain text password
interception.
By default, a user cannot log in to the

device directly using STelnet. To enable
STelnet login, log in to the device locally
using the console port and perform the
following configuration tasks:
The STelnet login mode

better ensures the security of
the exchanged data.
l Configure the user authentication

mode of the VTY user interface. By
default, password authentication is
used for the VTY user interface.
l Configure the IP address of the

management network port on the
device and ensure that a reachable
route exists between the user terminal
and the device. By default, an IP
address is not configured on the
device.
l Configure the user access level of the

VTY user interface. By default, the
user access level of the VTY user
interface is 0.
l Configure the VTY user interface to
support the SSH protocol. By default,
the VTY user interface supports the
Telnet protocol.
l Enable the STelnet server function.
By default, the STelnet server
function is disabled.
NOTE
Logging in using Telnet is insecure because a secure authentication mechanism is not used and data is
transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts data in
both directions to guarantee secure transmissions on a conventional insecure network. SSH supports
security Telnet (STelnet).
For detailed information about SSH, see AR150/200 Feature Description - Basic Configurations.
5.2 Logging in to the Devices Through the Console Port

When a user needs to configure a router that is powered on for the first time or maintain a
router locally, the user can log in through a console port.

Before configuring user login through a console port, familiarize yourself with the applicable
Issue 02 (2012-03-30)

60

A user can log in to a device locally through a console port. The user must log in through a
console port when a router is powered on for the first time.
l
If a user cannot access the device remotely, the user can log in to the device locally using
the console port.
A user can log in using the console port to diagnose a fault if the device fails to start or to
enter the BootROM to upgrade the system.
Before configuring user login through a console port, complete the following tasks:
l
Preparing the console cable
Installing the terminal emulator (for example, the Windows XP HyperTerminal) to the PC
Data Preparation
To configure user login through a console port, you need the following data.
No.
Data
l Transmission rate, flow control mode, parity mode, stop bit, data bit
l Number of lines displayed in a terminal screen, size of the history command buffer
l User priority
l User authentication mode, username, and password
5.2.2 Logging In to the Device Using a Console Port

A user can log in by connecting a terminal to the device using a console port.
Context
l
Communication parameters of the user terminal must match physical attribute parameters
of the console user interface on the device.
If a user authentication mode is configured on the console user interface, a user can log in
to the device only after being successfully authenticated. Authentication enhances network
security.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 5-1.
Issue 02 (2012-03-30)

61

Step 2 Set an interface, as shown in Figure 5-2.

Figure 5-2 Interface settings
Step 3 Set communication parameters to match the router defaults, as shown in Figure 5-3.
Issue 02 (2012-03-30)

62

Step 4 Press Enter. At the command-line prompt such as <Huawei>, enter a command to configure
the router or enter a question mark (?) if you need help.
NOTE
When you connect to the console port of a AR150/200 that does not have a startup configuration file, the
system displays "Auto-Config is working. Before configuring the device, stop Auto-Config. If you perform
configurations when Auto-Config is running, the DHCP, routing, DNS, and VTY configurations will be
lost. Do you want to stop Auto-Config? [y/n]:"
l To continue Auto-Config, enter n and press Enter.
l To stop Auto-Config, choose y and press Enter.
CAUTION
If you choose n but still perform configurations through the console port, the DHCP, routing, DNS,
and VTY configurations that you have performed will be lost.
----End
5.2.3 (Optional) Configuring the Console User Interface

Issue 02 (2012-03-30)

63

Context
Console user interface attributes have default values on the device, and generally need no
modification. To meet specific user requirements or ensure network security, you can modify
console user interface attributes, such as terminal attributes and user authentication mode.
For detailed settings, see Configuring Console User Interface.
NOTE
Changes to console user interface attributes take effect immediately. Therefore, the connection may be
interrupted if console user interface attributes are modified when logged in to the device through the console
port. For this reason, logging into the device using another login mode is recommended when modifying
console user interface attributes. To log in to the device through the console port after changing the default
console user interface attributes, ensure that the configuration of the terminal emulator running on the PC
is consistent with the console user interface attributes configured on the device.

After logging in through a console port, a user can view the usage information, physical attributes
and configurations, local user list, and online users on the console user interface.
Prerequisites
Configurations for user login through a console port are complete.
Procedure
l
Run the display users [ all ] command to check information about the user interface.
Run the display user-interface console ui-number1 [ summary ] command to check

physical attributes and configurations of the user interface.
----End
Example
Run the display users command to view information about the current user interface.
User-Intf
Delay
0
CON 0
00:00:44
Type
Network Address
AuthenStatus
AuthorcmdFlag
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Huawei> display user-interface console 0
Idx Type
Tx/Rx
0
CON 0
9600
3
N
+
F
Issue 02 (2012-03-30)

Int
-
64

---------------------------------------------------------------------------User-name
---------------------------------------------------------------------------admin
A
H
ftp
A
F
guest
A
A
15
---------------------------------------------------------------------------Total 3 user(s)

When multiple routers need to be configured and managed, there is no need to maintain each
router locally. Instead, you can use Telnet to log in to the routers remotely to perform
maintenance. This greatly facilitates device management.

Before configuring user login using Telnet, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for configuration. This will
help you complete the configuration task quickly and correctly.
If you know the IP address of a remote router, you can use Telnet to log in to the router from a
local terminal. Telnet login allows you to maintain multiple remote routers from one local
terminal, greatly facilitating device management.
Note that router IP addresses must be preset through console ports.
Before configuring users to log in using Telnet, you must log in to the device through the console
port to change the default configurations on the device, so that users can remotely log in to the
device using Telnet to manage and maintain the device. The following default configurations
must be changed:
l
Configuring the IP address of the management network port on the device and ensuring
that a reachable route exists between the user terminal and the device
5.3.2 Configuring the User Access Level and User Authentication Mode of the VTY
User Interface for remote device management and maintenance
5.3.3 Enabling the Telnet Service so that users can remotely log in to the device through
Telnet
Data Preparation
BBefore configuring Telnet user login, you need the following data.
Issue 02 (2012-03-30)

65

No.
Data
l User priority
l User authentication mode, username, password

l (Optional) Maximum number of VTY user interfaces allowed
l (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
l (Optional) Connection timeout period of terminal users, number of lines displayed
in a terminal screen, size of the history command buffer
2
IPv4/IPv6 address or host name of the router
TCP port number used by the remote device to provide Telnet services, VPN instance
name
5.3.2 Configuring the User Access Level and User Authentication

Mode of the VTY User Interface
By default, the user access level of the VTY user interface is 0, and password authentication is
used for the VTY user interface. To enable a user terminal to log in to the device remotely using
Telnet for maintenance and management, log in to the device using the console port, change the
user access level and user authentication mode for the VTY user interface.
Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.
Procedure
l
Configure the user access level of the VTY user interface.

1.
Run:
system-view

2.
Run:

3.
Run:
The user access level is set.

By default, the user access level of the VTY user interface is 0. Table 5-2 describes
the relationship between the user access levels and command levels.
Issue 02 (2012-03-30)

66

User
Lev
el
Co
mm
and
Lev
el
Level
Name
Description
Visit
level
This level gives access to commands that run network

diagnostic tools (such as ping and tracert) and commands
that start from a local device and visit external devices
(such as Telnet client side).
0 and
1
Monit
oring
level
This level gives access to commands, like the display

command, that are used for system maintenance and fault
diagnosis.
NOTE
Some display commands are not at this level. For example, the
display current-configuration and display savedconfiguration commands are at level 3. For details about
command level, see Huawei AR150&200 Series Enterprise
Routers Command Reference.
0, 1,
and 2
Config
uration
level
This level gives access to commands that configure

network services provided directly to users, including
routing and network layer commands.
3-15
0, 1,
2,
and 3
Manag
ement
level
This level gives access to commands that control basic

system operations and provide support for services. These
commands include file system commands, FTP
commands, TFTP commands, configuration file
switching commands, power supply control commands,
backup board control commands, user management
commands, level setting commands, system internal
parameter setting commands, and debugging commands
NOTE
l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
Configure the user authentication mode of the VTY user interface.

Three authentication modes are available: non-authentication, password authentication,
and AAA authentication. Select one of them as needed.
1.
Run:
system-view

Issue 02 (2012-03-30)

67

2.
Run:

3.
Run:

1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:

When the user authentication mode of the VTY user interface is set to AAA
authentication, the access type of the local user must be specified.
1.
Run:
system-view

2.
Run:
aaa

3.
Run:

4.
Run:
local-user user-name service-type telnet
The access type of the local user is set to Telnet.

5.
Run:
quit

6.
Run:

7.
Run:
Issue 02 (2012-03-30)

68


----End
5.3.3 Enabling the Telnet Service

Before a terminal establishes a Telnet connection with the router, enable the Telnet server
function on the router.
Context
By default, the function of the Telnet server is enabled.
Procedure
Step 1 Run the following command as required.
Step 2 For the IPv4 network
1.
Run:
system-view

2.
Run:
telnet server enable
The Telnet service is enabled.

Step 3 For the IPv6 network
1.
Run:
system-view

2.
Run:
telnet ipv6 server enable
The Telnet service is enabled.

NOTE
l If the undo telnet [ipv6] server enable command is run when a user logs in by using Telnet, the
command does not take effect.
l After the Telnet server function is disabled, you can log in to the device only using SSH or an
asynchronous serial port rather than using Telnet.
----End
5.3.4 Logging in to the Device Using Telnet

After a remote device is configured, use Telnet to log in to the device from a terminal and perform
remote maintenance on the device.
Context
Use either the Windows CLI or third-party software in the terminal to log in to the router through
Telnet. This section describes use of the Windows command line prompt.
Issue 02 (2012-03-30)

69

Do as follows on the user terminal:
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to telnet the device.
1.
Input the IP address of the Telnet server.

Figure 5-4 Windows CLI
2.
Press Enter to display the command line prompt, such as <HUAWEI>, for the system
view. This indicates that you have accessed the Telnet server.
If the password or AAA authentication mode has been set on the device, you must enter
the login user name and password, and press Enter. The command line prompt of the user
view is displayed, as shown in Figure 5-5.
Figure 5-5 Login
----End

After logging in to the system using Telnet, you can view the connection status of each user
interface including the current user interface, and status of all established TCP connections.
Issue 02 (2012-03-30)

70

Prerequisites
Configurations for Telnet logins are complete.
Procedure
l
Run the display users [ all ] command to check information about users logged in to user
interfaces.
Run the display tcp status command to check TCP connections.
Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display users command to view information about the currently-used user interface.
User-Intf
Delay
34 VTY 0
00:00:12
+ 35 VTY 1
00:00:00
Type
TEL
Network Address
10.138.77.38
TEL
10.138.77.57
AuthenStatus
AuthorcmdFlag
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<Huawei> display tcp status
TCPCB
Tid/Soid
Local Add:port
State
39952df8
36 /1509
0.0.0.0:0
Closed
32af9074
59 /1
0.0.0.0:21
Listening
34042c80
73 /17
10.164.39.99:23
Established
Foreign Add:port
VPNID
0.0.0.0:0
0.0.0.0:0
14849
10.164.6.13:1147
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<Huawei> display telnet server status
Telnet IPV4 server
Telnet server port
:Enable
:23

STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.

Before configuring users to log in using STelnet, familiarize yourself with the applicable
Issue 02 (2012-03-30)

71

Telnet logins bring security risks because no secure authentication mechanism exists and data
is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts
data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports STelnet, and SFTP.
STelnet is a secure Telnet protocol. SSH users can use the STelnet service in the same way they
use the Telnet service.
Before configuring users to log in using STelnet, you must log in to the device through the
console port to change the default configurations on the device, so that users can remotely log
in to the device using Telnet to manage and maintain the device. The following default
configurations must be changed:
l
Configuring the IP address of the management network port on the device and ensuring
that a reachable route exists between the user terminal and the device
Configuring the user access level and authentication mode of the VTY user
interface for remote device management and maintenance.
Configuring the VTY user interface to support the SSH protocol, configuring the SSH
user and specify STelnet as a service mode for the SSH user, and enabling the STelnet
server function so that the user can remotely log in to the device through STelnet
Data Preparation
To configure users to log in using STelnet, you need the following data:
No.
Data
user authentication mode, username, and password, (optional)Maximum number of

VTY user interfaces allowed, (optional) ACL for restricting incoming and outgoing
calls on VTY user interfaces, (optional)connection timeout period for terminal users,
number of rows displayed in a terminal screen, size of the history command buffer
Username, password, authentication mode, and service type of an SSH user and
remote public RSA key pair allocated to the SSH user
(Optional) Name of an SSH server, number of the port monitored by the SSH server,
preferred encryption algorithm from the STelnet client to the SSH server, preferred
encryption algorithm from the SSH server to the STelnet client, preferred HMAC
algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from
the SSH server to the STelnet client, preferred algorithm for key exchange, name of
the outgoing interface, and source address
5.4.2 Configuring the User Access Level and User Authentication

Mode of the VTY User Interface
By default, the user access level is 0, and password authentication is used for the VTY user
interface. Before logging in to the device using STelnet for maintenance and management, you
Issue 02 (2012-03-30)

72

must log in to the device through the console port to change the user access level and user
authentication mode.
Context
Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.
Procedure
l
Configure the user access level of the VTY user interface.

1.
Run:
system-view

2.
Run:

3.
Run:
The user access level is set.

By default, the user access level of the VTY user interface is 0. Table 5-3 describes
the relationship between the user access levels and command levels.
User
Lev
el
Co
mm
and
Lev
el
Level
Name
Description
Visit
level
This level gives access to commands that run network

diagnostic tools (such as ping and tracert) and commands
that start from a local device and visit external devices
(such as Telnet client side).
0 and
1
Monit
oring
level
This level gives access to commands, like the display

command, that are used for system maintenance and fault
diagnosis.
NOTE
Some display commands are not at this level. For example, the
display current-configuration and display savedconfiguration commands are at level 3. For details about
command level, see Huawei AR150&200 Series Enterprise
Routers Command Reference.
Issue 02 (2012-03-30)
0, 1,
and 2
Config
uration
level
This level gives access to commands that configure

network services provided directly to users, including
routing and network layer commands.

73

User
Lev
el
Co
mm
and
Lev
el
Level
Name
Description
3-15
0, 1,
2,
and 3
Manag
ement
level
This level gives access to commands that control basic

system operations and provide support for services. These
commands include file system commands, FTP
commands, TFTP commands, configuration file
switching commands, power supply control commands,
backup board control commands, user management
commands, level setting commands, system internal
parameter setting commands, and debugging commands
NOTE
l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
Configure the user authentication mode of the VTY user interface.

The system provides non-authentication and AAA authentication for users to select.
1.
Run:
system-view

2.
Run:

3.
Run:

When the authentication mode of the VTY user interface is set to AAA authentication,
the access type of the local user must be specified.
1.
Run:
system-view

2.
Run:
aaa

3.
Run:
Issue 02 (2012-03-30)

74


4.
Run:
local-user user-name service-type ssh
The access type of the local user is set to SSH.

5.
Run:
quit

6.
Run:

7.
Run:

----End
5.4.3 Configuring SSH for the VTY User Interface

For users to log in to the device using STelnet, VTY user interfaces must be configured to support
SSH.
Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.
NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.

Step 3 Run:
The AAA authentication mode is configured.

Step 4 Run:
protocol inbound ssh
The VTY user interface is configured to support SSH.

----End
Issue 02 (2012-03-30)

75

5.4.4 Configuring an SSH User and Specifying STelnet as One of

Service Types
To allow a user to log in to the router by using STelnet, you must configure an SSH user,
configure the router to generate a local RSA key pair, configure a user authentication mode, and
specify a service type for the SSH user.
Context
l
SSH users can be authenticated in four modes: RSA, password, password-rsa, and all. You
must create a local user with the specified user name in the AAA view.
Configuring the router to generate a local RSA key pair is a key step for SSH login. If an
SSH user logs in to an SSH server in password authentication mode, configure the server
to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.
NOTE
Password-rsa authentication requires success of both password authentication and RSA authentication. The
all authentication mode requires success of either password authentication or RSA authentication.
Do as follows on the router that functions as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
aaa

Step 3 Run:
Name and password of the local user are created.

Step 4 Run:
quit
Quit the AAA view.

Step 5 Run:
rsa local-key-pair create
A local RSA key pair is generated.

NOTE
l Before performing the other SSH configurations, you must configure the rsa local-key-pair create
command to generate a local key pair.
l After generating the local key pair,you can perform the display rsa local-key-pair public command
to view the public key in the local key pair.
Issue 02 (2012-03-30)

76

Step 6 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
The authentication mode for SSH users is configured.

Perform the following as required:
l Authenticate the SSH user through the password.
Run:
ssh user user-name authentication-type password
The password authentication is configured for the SSH user.

l Authenticate the SSH user through RSA.
1.
Run:
ssh user user-name authentication-type rsa
The RSA authentication is configured for the SSH user.

2.
Run:
rsa peer-public-key key-name
The public key view is displayed.

3.
Run:
public-key-code begin
The public key editing view is displayed.

4.
Run:
hex-data
The public key is edited.

NOTE
l In the public key view, only hexadecimal strings complying with the public key format can be
typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals
for SSH client software.
l After the public key editing view is displayed, the RSA public key generated on the client can
be sent to the server. Copy the RSA public key to the router that serves as the SSH server.
5.
Run:
public-key-code end
Quit the public key editing view.

l If the specified hex-data is invalid, the public key cannot be generated after the peerpublic-key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does
not exist after the peer-public-key end command is run and the system view is
displayed.
6.
Run:
peer-public-key end
Return to the system view from the public key view.

7.
Run:
ssh user user-name assign rsa-key key-name
The public key is assigned to the SSH user.

Issue 02 (2012-03-30)

77

Step 7 (Optional) Configuring the Basic Authentication Information for SSH Users
1.
Run:
ssh server rekey-interval interval
The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0 that indicates no
updating.
2.
Run:
ssh server auth-timeout timeout_interval
The timeout period of the SSH authentication is set.

By default, the timeout period is 60 seconds.
3.
Run:
ssh server authentication-retries auth-times
The number of retry times of the SSH authentication is set.

By default, the retry times is 3.
----End
5.4.5 Enabling the STelnet Server Function

By default, the STelnet server function is disabled. Before a user terminal logs in to the device
using STelnet, you must log in to the device through the console interface to enable the STelnet
server function on the device.
Context
By default, no device is enabled with the STelnet server function. Users can establish connections
to the device using STelnet only after the device is enabled with the STelnet server function.
Do as follows on the device that serves as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
stelnet server enable
The STelnet server function is enabled.

By default, the STelnet server function is disabled.
----End
5.4.6 Logging in to the Device Using STelnet

After you log in to the device through the console interface to complete relevant configurations,
users can remotely log in to the device using the Secure Shell (SSH) protocol from remote user
terminals to remotely maintain the device.
Issue 02 (2012-03-30)

78

Context
Third-party software can be used on a terminal for STelnet login. This section describes the use
of third-party software OpenSSH and the Windows CLI.
After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, refer to the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the help document of the
software.
Procedure
Step 2 Run relevant OpenSSH commands to log in to the router in STelnet mode.
Figure 5-6 Logging in to the device in STelnet mode
----End
5.4.7 (Optional) Configuring the STelnet Server Parameters

You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated, and specify the source interface.
Issue 02 (2012-03-30)

79

Context
Table 5-4 lists server parameters.
Table 5-4 Server parameters
Server
Parameter
Description
Earlier SSH
version
compatibility
There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0.
SSH2.0 has an extended structure and supports more authentication modes
and key exchange methods than SSH1.X. SSH2.0 also supports more
advanced services such as SFTP. The Huawei AR150&200 Series supports
SSH versions ranging from 1.3 to 2.0.
Listening port
number of an
SSH server
The default listening port number of an SSH server is 22. Users can log in to
the device by using the default listening port number. Attackers may access
the default listening port, consuming bandwidth, deteriorating server
performance, and causing authorized users unable to access the server. After
the listening port number of the SSH server is changed, attackers do not know
the new port number. This effectively prevents attackers from accessing the
listening port and improves security.
Interval for
updating the
SSH server
key pair
If this interval is set, the SSH server key pair will be updated periodically to
improve security.
Procedure
Step 1 Run:
system-view

Step 2 Perform one or both of the operations shown in Table 5-5 as needed.
Table 5-5 Configurations of server parameters
Server
Parameter
Operation
Earlier SSH
version
compatibility
Run the ssh server compatible-ssh1x enable command.
Listening port
number of the
SSH server
Issue 02 (2012-03-30)
By default, an SSH server running SSH2.0 is compatible with SSH1.X. To

prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo
ssh server compatible-ssh1x enable command to disable support for earlier
SSH protocol versions.
Run the ssh server port port-number command.
If a new listening port is set, the SSH server cuts off all established STelnet
and SFTP connections, and uses the new port number to listen to connection
requests. By default, the listening port number is 22.
80

Server
Parameter
Operation
Interval for
updating the
SSH server
key pair
Run the ssh server rekey-interval rekey-interval command.

By default, the interval is 0, indicating that the key pair is never updated.
----End

After configuring users to log in using STelnet, you can view the SSH server configuration.
Prerequisites
Configurations for STelnet login are complete.
Procedure
l
Run the display ssh user-information username command on the SSH server to check
information about SSH users.
Run the display ssh server status command on the SSH server to check its configurations.
Run the display ssh server session command on the SSH server to check sessions for SSH
users.
----End
Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<Huawei> display ssh user-information client001
Sftp-directory
: Service-type
: sftp
------------------------------------------------------------------------------Username
Auth-type
User-public-key-name
------------------------------------------------------------------------------guest
password
null
rsa
rsa
RsaKey001
password
password
null
-------------------------------------------------------------------------------
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view configurations of an SSH server.
<Huawei> display ssh server status
SSH version
SSH connection timeout
SSH server key generating interval
SSH Authentication retries
SFTP Server
Stelnet server
Issue 02 (2012-03-30)
:1.99
:60 seconds
:0 hours
:3 times
:Enable
:Enable

81

Run the display ssh server session command. The command output shows that the session
information between SSH server and client.
<Huawei> display ssh server session
-------------------------------------------------------------------Conn
Ver
Encry
State Auth-type
Username
-------------------------------------------------------------------VTY 0 1.5
BLOWFISH run
password
john
--------------------------------------------------------------------
5.5 Common Operations After Login

After logging in to the router, you can perform user priority switching, terminal window locking,
and other operations as needed.

Before performing operations after login, familiarize yourself with the applicable environment,
Configure user level switching and enable messaging between user interfaces to ensure that
operators can manage routers safely.
Before performing operations after login, complete the following tasks:
l
Connecting the terminal to the router
Data Preparations
Before performing operations after login, you need the following data:
No.
Data
Password used for switching user levels
Type and number of the user interface
Contents of the message to be sent
5.5.2 Switching User Levels

A user who wants to upgrade from a lower to a higher level after logging in to the router must
have a password already configured.
Issue 02 (2012-03-30)

82

Context
A password is required to increase user level. This prevents unauthorized users from gaining
access to high-level commands.
Procedure
Step 1 Run:
system-view

Step 2 Run:
super password [ level user-level ] { simple | cipher } password
The password for switching user levels is configured.

By default, the password for the user is set to Level 3.
CAUTION
If simple is selected, the password is saved in plain text. A low-level login user can easily obtain
and change the password by checking the configuration file, compromising network security.
Selecting cipher to save the password in encrypted text is recommended.
If a password set with cipher is lost or forgotten, it cannot be retrieved by querying the system.
Be sure to save a copy of the encrypted password in a secure location.
Step 3 Run:
quit
Return to the user view.

Step 4 Run:
super [ level ]
User levels are switched.

By default, the level is 3.
Step 5 Follow the prompt and enter a password.
If the password entered is correct, the user can switch to a higher level. If an incorrect password
is entered three times in a row, the user is returned to the user view at the original level.
NOTE
When the super command is used to switch a user from a lower to a higher level, the system automatically
sends trap messages and records the switchover in a log. When a user is switched from a higher to a lower
level, the system only records the switchover in a log.
----End
5.5.3 Locking User Interfaces

If you must be away from your work area, you can lock the user interface on a terminal to prevent
unauthorized access.
Issue 02 (2012-03-30)

83

Context
The user interface can be a console user interface or a VTY user interface.
Procedure
Step 1 Run:
lock
The user interface is locked.

Step 2 Step 2 Follow the system prompts and input a password to unlock the user interface.
<Huawei> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked.
You must enter the password previously set to unlock the user interface.
----End
5.5.4 Sending Messages to Other User Interfaces

Users logged in to different interfaces can send messages to each other.
Context
Users logged in to the router can send messages from their user interface to users on other user
interfaces.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
You can enable message sending between user interfaces.

Step 2 Follow the prompt to view the message to be sent. You can press Ctrl_Z or Enter to end the
display, and press Ctrl_C to abort the display.
Step 3 At the system prompt, enter Y to send the message or enter N to cancel message sending.
----End
5.5.5 Displaying Login Users

You can query information about login users.
Context
User name, address, and authentication and authorization information can be queried.
Procedure
l
Issue 02 (2012-03-30)
Run the display users [ all ] command to view information about logged-in users.
84

If all is configured, information about users logged in to all user interfaces is displayed.
----End

This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.
5.6.1 Example for Configuring User Login Using a Console Port

This example describes how to configure user login using a console port. Login settings that
enable access to the router using a console port are configured on a PC.
If default values for console user interface parameters are modified, corresponding parameters
on the PC must be reset before another login to the router can be implemented.
Figure 5-7 Networking diagram of user login using a console port
PC
Router
1.
Connect a PC to the router through a console port.
2.
Set login parameters on the PC.
3.
Log in to the router.

NOTE
In this example, a terminal emulator is used.
Data Preparation
Communication parameters for the PC (baud rate: 4800 bps, data bit: 7, parity: even, stop bit:
2, flow control mode: none)
Procedure
Step 1 Use a standard RS-232 cable to connect the serial port of the PC to the console port of the
router.
Step 2 Run the terminal emulator on the PC. As shown in Figure 5-8, set communication parameters
for the PC to Figure 5-10. Set the transmission rate to 4800 bit/s, data bit to 7, parity bit to even,
stop bit to 2, and flow control mode to none.
Issue 02 (2012-03-30)

85

Figure 5-9 Interface setting
Issue 02 (2012-03-30)

86

Step 3 Power on the router. After the self-check is complete and the router is started, you are prompted
to press Enter.
At the prompt (usually <Huawei>), you can run commands to view the status of the router or
configure the router.
----End
5.6.2 Example for Logging In by Telnet

In this example, you can set user login parameters to log in to the router from the PC or other
terminals using Telnet.
You can log in to the router on other network segments through the PC or other terminals to
perform remote maintenance.
Issue 02 (2012-03-30)

87

Figure 5-11 Establishing the configuration environment over the WAN
Eth1/0/0
202.38.160.92/16
WAN
PC
Router
Target
Router
1.
Establish the physical connection.
2.
Set user login parameters.
3.
Log in to the router from the client side.
Data Preparation
l
IP address of the PC
IP address of the Ethernet interface on the router
User information (including the user name, password, and authentication mode)
Reachable route between the PC and target router
Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Set login user parameters on the target router.
# Configure the login address.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.38.160.92 255.255.0.0
[Huawei-Ethernet1/0/0] quit
# Configure the login authentication mode

[Huawei] aaa
[Huawei-aaa] local-user huawei password cipher hello
[Huawei-aaa] local-user huawei service-type telnet
[Huawei-aaa] local-user huawei privilege level 3
[Huawei-aaa] quit
[Huawei-ui-vty0-14] authentication-mode aaa
Step 3 Configure the client login.

Run the Telnet on the PC (use the Windows XP operating system as an example), as shown in
Figure 5-12.
Issue 02 (2012-03-30)

88

Figure 5-12 Running the Telnet program on the PC
Click OK.
Enter the user name and password in the login window. After authentication, a command line
prompt such as <Huawei> appears. Enter the configuration environment in the user view.
----End
5.6.3 Example for Configuring User Login by Using STelnet

This part provides an example describing how to configure user login by using STelnet.. In this
example, after generating the local key pair on the SSH server, configuring the name and
password of the SSH user on the SSH server, and enabling the STelnet service on the SSH server,
you can connect the Stelnet client to the SSH server.
As shown in Figure 5-13, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode.
In this configuration example, the password authentication mode is used.
Figure 5-13 Networking diagram of configuring user login by using STelnet
Network
Eth1/0/0
10.137.217.223/16
PC
SSH Server
1.
Issue 02 (2012-03-30)
Configure a local key pair on the SSH server for secure data exchange between the STelnet
client and the SSH server.
89

2.
Configure the VTY user interface on the SSH server.
3.
Configure an SSH client, which involves the setting of the user authentication mode, user
name, and password.
4.
Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
l
SSH user authentication mode: password, user name: client001, password: huawei
User level of client001: 3
IP address of the SSH server: 10.137.217.223
Procedure
Step 1 Generate a local key pair on the server.
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Huawei_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure the VTY user interface.

[SSH
[SSH
[SSH
[SSH
Server] user-interface vty 0 4

Server-ui-vty0-4] authentication-mode aaa
Server-ui-vty0-4] protocol inbound ssh
Server-ui-vty0-4] quit
NOTE
If SSH is configured as the login protocol, the AR150/200 automatically disables Telnet.
Step 3 Configure the password of the SSH user Client001 to huawei.

[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]
local-user client001 password cipher huawei

local-user client001 privilege level 3
local-user client001 service-type ssh
quit
Step 4 Configure the authentication mode of SSH user to password.

[SSH Server] ssh user client001 authentication-type password
Step 5 Enable the STelnet server function on the SSH server.

[SSH Server]stelnet server enable
Step 6 Verify the configuration.

# Log in the SSH server by using OpenSSH.
Issue 02 (2012-03-30)

90

----End
Configuration Files
l
Configuration file of the SSH server

#
sysname SSH Server
#
aaa
local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
interface Ethernet1/0/0
ip address 10.137.217.223 255.255.0.0
#
ssh user client001 authentication-type password
#
#
return
Issue 02 (2012-03-30)

91

6 Managing the File System
Managing the File System
About This Chapter

The file system manages the files and directories on the storage devices of the router. It can
move or delete a file or directory, or display the contents of a file.
6.1 File System Overview
The router uses the file system to manage all files.
6.2 Managing Files Using the File System
You can use the file system to manage storage devices, directories, and files.
6.3 Managing Files Using FTP
FTP can transmit files between local and remote hosts. It is widely used for version upgrade,
log downloading, file transmission, and configuration saving.
6.4 Managing Files Using SFTP
SFTP allows you to log in to the router securely from a remote device to manage files. This
makes transmission of data to the remote end more secure.
The examples in this section show how to use FTP, SFTP or FTPS to access the system and
manage files. These configuration examples explain networking requirements and provide
configuration roadmaps and configuration notes.
Issue 02 (2012-03-30)

92

6.1 File System Overview

The router uses the file system to manage all files.
6.1.1 File System

The file system manages files and directories on the storage devices. It can create, delete, modify,
or rename a file or directory, or display the contents of a file.
The file system has two functions: managing storage devices and managing the files that are
stored on those devices.
Managing Files Using the File System

After logging in to the router by using the console port, Telnet, or STelnet, you can manage
storage devices, directories, and files.
l
Storage devices
Storage devices are hardware devices for storing data.
At present, the router supports the storage devices such as flash memory and USB disk.
Files
A file is resources for storing and managing data.
Directories
A directory is a logical container that the system uses to organize files.
6.1.2 Methods of File Management

You can use the FTP, SFTP to manage files.
Managing Files Using FTP

FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the sever port
number is 20).
l
Control connection: issues commands from the client to the server and transmits replies
from the server to the client, minimizing the transmission delay.
Data connection: transmits data between the client and server, maximizing the throughput.
FTP has two file transfer modes:

l
Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:

l
Issue 02 (2012-03-30)
FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
the device, and run the ftp command to establish a connection between the device and a
remote FTP server to access and operate files on the server.
93

FTP server: Users can use the FTP client program to log in to the device and operate files
on the device.
Before users log in, the network administrator must configure an IP address for the FTP
server.
Managing Files Using SFTP

SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device
functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server or the connection between the server and the client fails, the client needs
to detect the fault in time and removes the connection proactively. To help the client detect such
a fault in time, configure an interval at which Keepalive packets are sent if no packet is received
and the maximum number of times that the server does not respond for the client:
l
If the client does not receive any packet within the specified period, the client sends a
Keepalive packet to the server.
If the maximum number of times that the server does not respond exceeds the specified
value, the client proactively releases the connection.
Managing Files Using FTPS

FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to
authenticate the identities of the client and server and encrypt data to be transmitted, FTPS
implements security management of devices.
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats.An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
By default, a user cannot log in to the device using FTPS. To log into the device using FTPS,
perform the following steps:
l
Logging in to the device through the console port and loading a digital certificate to the
sub-directory named security of the system directory on the FTPS server
Installing the FTP client software that supports SSL on the PC
6.2 Managing Files Using the File System

You can use the file system to manage storage devices, directories, and files.

Before using the file system to manage files, familiarize yourself with the applicable
configuration. This will help you complete the configuration tasks quickly and correctly.
Issue 02 (2012-03-30)

94

Use the file system to manage files or directories on the router. If the router is unable to save or
obtain data, log in to the file system to repair the faulty storage devices.
Before logging in to the file system to manage files, complete the following tasks:
l
Connecting the client with the server correctly
Data Preparation
To manage files by logging in to the file system, you need the following data:
No.
Data
Storage device name
Directory name
File name
6.2.2 Managing Storage Devices

When a storage device file system on the router does not function properly, you must repair and
format the file system before managing the storage device.
Context
When the file system on a storage device fails, the terminal of the router prompts you to rectify
the fault.
NOTE
The storage devices can be flash memory, or USB flash drives. The router has a built-in flash memory.
Only Huawei-certified storage devices can be used.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device.
CAUTION
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.
Procedure
l
Run:
fixdisk device-name
A storage device with file system problems is repaired.

Issue 02 (2012-03-30)

95

NOTE
If, after running this command, the prompt still says the system should be repaired, there may be
damage to the physical storage medium.
Run:
format device-name
The storage device is formatted.

NOTE
If the storage device does not work after you run this command, there may be a hardware fault.
----End
6.2.3 Managing Directories

You can manage directories to store files in logical hierarchy.
Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.
Procedure
l
Run:
cd { directory | device-name }
A directory is specified.
l
Run:
pwd
The current directory is displayed.

l
Run:
dir [ /all ] [ filename ] [ device-name ]
A list of files and sub-directories in the directory is displayed.

l
Run:
mkdir { directory | device-name }
The directory is created.

l
Run:
rmdir { directory | device-name }
The directory is deleted.

----End
6.2.4 Managing Files

You can log in to the file system to view, delete, or rename files on the router.
Issue 02 (2012-03-30)

96

Context
l
Managing files includes: displaying contents, copying, moving, renaming, compressing,

deleting, undeleting, deleting files in the recycle bin, running files in batch and configuring
prompt modes.
You can run the cd { directory | device-name } command to enter the required directory
from the current directory.
Run:
Procedure
more [ /binary ] { filename | device-name } [ offset ] [ all ]
The content of a file is displayed.

Specify parameters in the more command for file viewing options:
Running the more file-name command to view the file named file-name. Contents of a
text file are displayed screen by screen. Hold and press the spacebar on the current
terminal to display all contents of the current file.
Two preconditions must be set to display the contents of a text file screen by screen:
The value configured by screen-length screen-length temporary command must
be larger than 0.
The total number of lines in the file must be greater than the value configured by
screen-length command.
Running the more file-name offset command to view the file named file-name. Contents
of a text file are displayed screen by screen beginning with the line specified by offset.
Hold and press the spacebar on the current terminal to display all contents of the current
file.
Two preconditions must be met to display the contents of a text file screen by screen:
The value configured by screen-length screen-length command must be greater than
0.
The result difference between the number of file characters subtracted and the value
of offset must be greater than the value configured by the screen-length command.
Running the more file-name all command to view the file named file-name. Contents
of a text file are completely displayed without pausing after each screen of information.
l
Run:
copy source-filename destination-filename
The file is copied.

l
Run:
move source-filename destination-filename
The file is moved.

l
Run:
rename source-filename destination-filename
The file is renamed.

l
Run:
zip source-filename destination-filename
The file is compressed.

Issue 02 (2012-03-30)

97

Run:
delete [ /unreserved ] [ /force ] { filename | device-name } [ all ]
The file is deleted.
CAUTION
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.
l
Run:
undelete filename
The deleted file is recovered.

NOTE
If the current directory is not the parent directory, you must use the absolute path to the file to perform
operations.
Run:
reset recycle-bin [ filename ]
The file is deleted.

You can use this command to permanently delete files in the recycle bin.
l
Running Files in Batches

You can process uploaded files in batches. The edited batch files need to be saved to a
storage device on the router.
You can create and run a batch file to implement routine tasks.
1.
Run:
system-view

2.
Run:
execute filename
The batched file is executed.

l
Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device (especially
if these operations lead to data loss). If you need to change the prompt mode for file
operations, you can configure the file system prompt mode.
1.
Run:
system-view

2.
Run:
file prompt { alert | quiet }
The file system prompt mode is configured.

The default prompt mode is alert.
Issue 02 (2012-03-30)

98

CAUTION
If the prompt mode is set to quiet, no prompt appears when data is lost due to
inappropriate operating procedures.
----End
6.3 Managing Files Using FTP

FTP can transmit files between local and remote hosts. It is widely used for version upgrade,

Before using FTP to manage files, familiarize yourself with the applicable environment,
When an FTP client logs in to a router serving as an FTP server, the user can transfer files
between the client and the server.
Before using FTP to manage files, complete the following task:
l
Connecting the FTP client to the server
Data Preparation
To use FTP to manage files, you need the following data:
No.
Data
FTP username and password, and authorized FTP file directory name
(Optional) Listening port number specified on the FTP server
(Optional) Source IP address or source interface of the FTP server

(Optional) Timeout period for disconnection from the FTP server
IP address or host name of the FTP server
6.3.2 Configuring a Local FTP User

You can configure a user authorization mode and an authorized directory for FTP users to access.
Unauthorized users cannot access the specified directory, reducing security risks.
Issue 02 (2012-03-30)

99

Context
To use FTP to manage files, you must configure a local username and a password on the
router and specify a service type and the directories that can be accessed.
Perform the following operations on the router that functions as the FTP server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
set default ftp-directory directory
The default FTP working directory is configured.

NOTE
The configuration in this step takes effect only with TACACS users.
Step 3 Run:
aaa

Step 4 Run:
The local user name and password are configured.

Step 5 Run:
local-user user-name service-type ftp
The FTP service type is configured.

Step 6 Run:
local-user user-name ftp-directory directory
The authorized directory for the FTP user is configured.

----End
6.3.3 (Optional) Specifying a Port Number for the FTP Server

You can configure or change the listening port number for an FTP server. After the port number
is changed, only the user knows the current port number and this protects system security.
Context
The default listening port number for an FTP server is 21. Users can log in to the router directly
by using the default listening port number. Attackers can also access the default listening port
to launch attacks that reduce available bandwidth and affect server performance, preventing
valid users from accessing the server. Changing the FTP server listening port number effectively
prevents attackers from accessing the server through the listening port.
Issue 02 (2012-03-30)

100

NOTE
If FTP is not enabled, change the FTP port as required.

If FTP is enabled, run the undo ftp server command to disable FTP, and then change the FTP port.
Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp [ ipv6 ] server port port-number
The port number of the FTP server is configured.

Once a new listening port number is configured, the FTP server interrupts all existing FTP
connections and begins to use the new listening port.
----End
6.3.4 Enabling the FTP Server

You must enable an FTP sever on the router before using FTP to manage files.
Context
The FTP server is disabled by default on the router. It must be enabled before FTP can be used.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp [ ipv6 ] server enable
The FTP server is enabled.

NOTE
When file operations between clients and the router are complete, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This protects router security.
----End
6.3.5 (Optional) Configuring the FTP Server Parameters

FTP server parameters include the FTP server source address and the timeout period for FTP
connections.
Issue 02 (2012-03-30)

101

Context
l
You can configure a source IP address for the FTP server. The FTP client can only access
this address and this protects system security.
You can configure the timeout period for FTP connections on the FTP server. When the
timeout period for an FTP connection expires, the system terminates the connection to
release resources.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp server-source { -a ip-address | -i
interface-type interface-number }
The source IP address and source interface of an FTP server is configured.

To log in to the FTP server, you must specify the source IP address for the server in the ftp
command, or you cannot log in to the FTP server.
Step 3 Run:
ftp [ ipv6 ] timeout minutes
The timeout period for the FTP server is configured.

If the client is idle for the configured time, the connection to the FTP server is terminated.
By default, the timeout value is 30 minutes.
----End
6.3.6 (Optional) Configuring an FTP ACL

After an FTP ACL is configured, only specified clients can access the devicerouter.
Context
When the routerfunctions as an FTP server, you can configure an ACL to allow the clients that
meet matching rules to access the FTP server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number
Issue 02 (2012-03-30)

102

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ { fragment | none-first-fragment } | source
{ source-address source-wildcard | any } | time-range time-name ] *
The ACL rule is configured.

NOTE
l By default, the deny action in an ACL rule is taken for all the packets. To allow packets to pass through,
define the permit action in the ACL rule. For example, to discard packets with the source IP address
of 10.1.1.10, define two rules in an ACL:
l rule deny source 10.1.1.10 0
l rule permit source any
If rule permit source any is not defined, packets with other source IP addresses but not 10.1.1.10 0
are also discarded.
l FTP supports only basic ACLs.
Step 4 Run:
quit

Step 5 Run:
ftp [ ipv6 ] acl acl-number
The basic FTP ACL is configured.

----End
6.3.7 Accessing the System by Using FTP

After the FTP server is configured, you can use FTP to access the router from a PC and manage
the files on the router.
Context
You can use either the Windows command line prompt or third-party software to log in to the
router. The example here uses the Windows command line prompt as an example.
Do as follows on the PC:
Procedure
Step 2 Run the ftp ip-address command to log in to the router using FTP.
Enter a username and password at the prompt, and press Enter. When the Windows command
line prompt are displayed in the FTP client view, such as ftp>, you have entered the working
directory of the FTP server.
Issue 02 (2012-03-30)

103

Figure 6-1 Using FTP to log in to the device
----End
6.3.8 Managing Files Using FTP Commands

After logging in to the router that functions as an FTP server using FTP, you can upload and
download files to and from the router, or manage the directories on the router.
Context
After logging in to the FTP server, you can perform the following operations:
l
Configuring data type for the file
Uploading or downloading files
Creating directories or deleting directories on the FTP server
Displaying information about a specific remote directory or a file of the FTP server, or
deleting a specific file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform the
following operations:
Procedure
l
Configuring the data type and transmission mode for a file

Run:
ascii or binary
The data type of the file to be transmitted is ascii or binary.
Issue 02 (2012-03-30)

104

NOTE
FTP supports ASCII and the binary files. The difference the two is:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
An FTP transmission mode can be set for each client. The system uses ASCII transmission mode
by default, but a mode switch command can switch a client between ASCII and binary modes.
The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
Uploading or downloading files

Upload or download a file.
Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.

Run:
get remote-filename [ local-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
l
Running one or more of the following commands to manage directories

Run:
cd pathname
The working path of the remote FTP server is specified.

Run:
pwd
The specified directory of the FTP server is displayed.

Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.

Run:
mkdir remote-directory
A directory is created on the FTP server.

Run:
rmdir remote-directory
A directory is removed from the FTP server.

l
Running one or more of the following commands to manage files

Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.

Issue 02 (2012-03-30)

105

Run:
delete remote-filename
The specified file on the FTP server is deleted.

When local-filename is set, related information about the file can be downloaded locally.
NOTE
If you need more information about FTP operations, run the help [ command ] command in the
Windows CLI.
----End

After configuring a router to be the FTP server, you can view the configuration and status of the
FTP server as well as information about login FTP users.
Prerequisites
The configuration of the Router to be the FTP Server are complete.
Procedure
l
Run the display ftp-server the configuration and running information about the FTP server.
Run the display ftp-users command to check the login FTP user.
----End
Example
After configuring the FTP server, run the display ftp-server command. You can view that the
FTP server is working.
<Huawei> display ftp-server
FTP server is running
Max user number
User count
Timeout value(in minute)
Listening Port
Acl number
FTP server's source address
5
0
30
21
0
1.1.1.1
Run the display ftp-users command to view the user name, port number, authorization directory
of the FTP user configured presently.
<Huawei> display ftp-users
username host
zll
100.2.150.226
port
1383
idle
3
topdir
flash:
6.4 Managing Files Using SFTP

SFTP allows you to log in to the router securely from a remote device to manage files. This
makes transmission of data to the remote end more secure.
Issue 02 (2012-03-30)

106


Before using SFTP to manage files, familiarize yourself with the applicable environment,
SSH authenticates clients and encrypts data in both directions to guarantee secure data
transmission on conventional networks. SSH supports SFTP.
SFTP is a secure FTP service that enables users to log in to the FTP server for data transmission.
Before using SFTP to manage files, complete the following task:
l
Configuring reachable routes between the terminal and the device
Data Preparation
Before using SFTP to manage files, you need the following data.
No.
Data
Maximum number of VTY user interfaces, (optional) ACL for restricting incoming
and outgoing calls on VTY user interfaces, connection timeout period of terminal
users, number of rows displayed in a terminal screen, size of the history command
buffer, user authentication mode, username, and password
Username, password, authentication mode, and service type of an SSH user, remote
public RSA key pair allocated to the SSH user, and SFTP working directory of the
SSH user
(Option) Number of the port monitored by the SSH server

(Option) The interval for updating the key pair on the SSH server
Name of the SSH server, number of the port monitored by the SSH server, preferred
encryption algorithm from the SFTP client to the SSH server, preferred encryption
algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from
the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server
to the SFTP client, preferred algorithm of key exchange, name of the outgoing
interface, source address
Directory name and File name
6.4.2 Configuring VTY User Interface

To allow a user to log in to the device by using SFTP, you need to configure attributes of the
VTY user interface.
Issue 02 (2012-03-30)

107

Context
By default, the user authentication mode in the VTY user interface is password. Therefore, before
a user logs in to the device by using SFTP, the user authentication mode in the VTY user interface
must be set. Otherwise, the user cannot log in to the device.
Interface.
6.4.3 Configuring SSH for the VTY User Interface

Before users can log in to the router using SFTP, you must configure VTY user interfaces to
support SSH.
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH, you
cannot log in to the router using SFTP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.

Step 3 Run:
The AAA authentication mode is configured.

Step 4 Run:
The VTY user interface is configured to support SSH.

----End
6.4.4 Configuring an SSH User and Specifying SFTP as One of

Service Types
To allow a user to log in to the router by using SFTP, you must configure an SSH user, configure
the router to generate a local RSA key pair, configure a user authentication mode, and specify
a service type and authorized directory for the SSH user.
Context
l
Issue 02 (2012-03-30)
SSH users can be authenticated in four modes: RSA, password, password-RSA, and All.
You must create a local user with the specified user name in the AAA view.
108

Configuring the router to generate a local RSA key pair is a key step for SSH login. If an
SSH user logs in to an SSH server in password authentication mode, configure the server
to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.
NOTE
Password-RSA authentication integrates password authentication and RSA authentication. All

authentication is equivalent to password authentication or RSA authentication.
Procedure
Step 1 Run:
system-view

Step 2 Run:
aaa

Step 3 Run:
Name and password of the local user are created.

Step 4 Run:
quit
Return to the system view.

Step 5 Run:
rsa local-key-pair create
A local RSA key pair is generated.

NOTE
l Before performing other SSH configurations, run the rsa local-key-pair create command to generate
a local key pair.
l After generating the local key pair, you can perform the display rsa local-key-pair public command
to view the public key in the local key pair.
Step 6 Configure an authentication mode for SSH users.

Perform either of the following operations as needed.
l Authenticate SSH users using passwords.
Run:
ssh user user-name authentication-type password
Password authentication is configured for SSH users.

In local authentication or HWTACACS authentication, if there are a large number of
users, authenticate SSH users using passwords. This reduces the configuration.
l Authenticate SSH users through RSA.
1.
Run:
ssh user user-name authentication-type rsa
Issue 02 (2012-03-30)

109

RSA authentication is configured for SSH users.

2.
Run:

3.
Run:

4.
Run:
hex-data

NOTE
l In the public key view, only hexadecimal strings complying with the public key format can be
typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals
for SSH client software.
l After the public key editing view is displayed, the RSA public key generated on the client can
be sent to the server. Copy the RSA public key to the router that serves as the SSH server.
5.
Run:
public-key-code end

l If the specified hex-data is invalid, the public key cannot be generated after the peerpublic-key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does
not exist after the peer-public-key end command is run and the system view is
displayed.
6.
Run:
peer-public-key end

7.
Run:
ssh user user-name assign rsa-key key-name
The public key is assigned to the SSH user.

l Authenticate SSH users through Password-RSA authentication.
Run:
ssh user user-name authentication-type password-rsa
Password-RSA authentication is configured for SSH users.

In Password-RSA authentication mode, the SSH server authenticates a client by checking
both the public key and the password. The client can be authenticated only when both the
public key and the password meet the requirement.
l Authenticate SSH users through All authentication.
Run:
ssh user user-name authentication-type all
All authentication is configured for SSH users.

Issue 02 (2012-03-30)

110

In All authentication mode, the SSH server authenticates a client by checking the public key
or password. The client can be authenticated only when either the public key or the password
meet the requirement.
Step 7 (Optional) Configure basic authentication information for SSH users.
1.
Run:
ssh server rekey-interval interval
The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0, indicating that the
key pair is not updated.
2.
Run:
ssh server auth-timeout timeout_interval
The timeout interval of SSH authentication is set.

By default, the timeout interval is 60 seconds.
3.
Run:
ssh server authentication-retries auth-times
The number of retry times of SSH authentication is set.

By default, the retry times is 3.
----End
6.4.5 Enabling the SFTP Service

The STelnet service must be enabled before it can be used.
Context
By default, the SFTP server function is not enabled on the router. You can use SFTP to establish
connections with the router only after the SFTP server function is enabled on the router.
Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
sftp server enable
The SFTP service is enabled.

By default, the SFTP service is disabled.
----End
6.4.6 Accessing the System Using SFTP

After the configuration is complete, you can use SFTP to log in to the router from a user terminal
and manage files on the router.
Issue 02 (2012-03-30)

111

Context
Third-party software can be used to access the router from the user terminal using SFTP. The
example here uses third-party software OpenSSH and the Windows CLI.
Install OpenSSH on the user terminal and then do as follows:
NOTE
For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the router, see help documentation for the
software.
Procedure
Step 2 Run relevant OpenSSH commands to log in to the router in SFTP mode.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, you have
entered the working directory of the SFTP server.
Figure 6-2 Using SFTP to log in to the device
----End
Issue 02 (2012-03-30)

112

6.4.7 Managing Files Using SFTP

You can log in to the SSH server from an SFTP client to create or delete directories on the SSH
server.
Context
After logging in to the SFTP server, you can perform the following operations:
l
Displaying the SFTP client command help
Managing directories on the SFTP server
Managing files on the SFTP server
After logging in to the SFTP server and entering the SFTP client view, you can perform one or
more of the following operations.
Procedure
l
Run:
help [ all | command-name ]
The SFTP client command help is displayed.

l
Perform one or multiple of the following operations as required.

Run:
cd [ remote-directory ]
The current operating directory of users is changed.

Run:
pwd
The current operating directory of users is displayed.

Run:
dir [ -l -a ] [ path ]
A list of files in the specified directory is displayed.

Run:
rmdir remote-directory &<1-10>
The directory on the server is deleted.

Run:
A directory is created on the server.

l
Perform one or multiple of the following operations as required.

Run:
rename old-name new-name
The name of the specified file on the server is changed.

Run:
The file on the remote server is downloaded.

Run:
Issue 02 (2012-03-30)

113

The local file is uploaded to the remote server.

Run:
rmdir remote-directory &<1-10>
The file on the server is removed.

----End

After using SFTP to manage files, you can view SSH user information and global configurations
for the SSH server.
Prerequisites
The configurations of SSH users are complete.
Procedure
l
Run the display ssh user-information username command on the SSH server to check
information about the SSH client.
Run the display ssh server status command on the SSH server to check its global
configurations.
Run the display ssh server session command on the SSH server to check information about
connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
clinet001 is authenticated by password, and its service type is sftp.
[Huawei] display ssh user-information client001
Sftp-directory
: Service-type
: sftp
------------------------------------------------------------------------------Username
Auth-type
------------------------------------------------------------------------------client001
password
null
-------------------------------------------------------------------------------
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view configurations of an SSH server.
SSH version
SFTP Server
Stelnet server
:
:
:
:
:
:
1.99
60 seconds
2 hours
5 times
Enable
Enable
NOTE
If the default interception port is in use, information about the current interception port is not displayed.
<Huawei> display ssh server session
--------------------------------------------------------------------
Issue 02 (2012-03-30)

114

Conn
Ver
Encry
State Auth-type
Username
-------------------------------------------------------------------VTY 0 1.5
BLOWFISH run
password
john
--------------------------------------------------------------------

The examples in this section show how to use FTP, SFTP or FTPS to access the system and
manage files. These configuration examples explain networking requirements and provide
configuration roadmaps and configuration notes.
6.5.1 Example for Managing Files Using the File System

This example shows how to use the file system to manage files. In the example, you log in to
the router to view and copy directories.
You can log in to the router through the console port, Telnet, or STelnet to manage files on the
router.
The path to the file on the storage device must be entered correctly. If the user does not specify
a target file name, the source file name is the name of the target file by default.
1.
Check the files in a certain directory.
2.
Copy a file to this directory.
3.
Check that the file has been copied to the directory.
Data Preparation
l
Source file name and target file name
Source file path and target file path
Procedure
Step 1 Display the file information in the current directory. flash:/ is the flash memory identifier.
<Huawei> dir
Directory of flash:/
Idx
0
1
2
3
4
5
6
7
8
Issue 02 (2012-03-30)
Attr
-rw-rw-rw-rw-rw-rw-rw-rw-rw-
Size(Byte)
47,584,256
4
4
45,794,304
1,751,678
3,856
396
6
3,315
Date
Sep 17
Jun 30
Jul 27
Sep 03
Jan 26
Jan 28
Jan 11
Dec 01
Dec 07
2107
2010
2005
2107
2008
2008
2008
2007
2007
Time(LMT)
14:54:23
01:01:16
11:02:05
12:38:38
16:24:13
00:00:09
18:09:53
15:35:31
12:54:45
FileName
ar1201_23316_1220.cc
voip_feature.efs
voip_protocol.efs
ar1117_20921_1220.cc
web.zip
iascfg.zip
rsa_host_key.efs
1.txt
ma5600_license.dat

115

9
10
11
12
13
14
15
16
17
18
19
20
-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-
6,656
7,533
6,656
526,003
540
16
0
2,016,467
477
2,810
68,750,848
0

Dec
Dec
Dec
Jan
Jan
Jan
Dec
Dec
Jan
Jan
Jan
Jan
07
07
07
27
11
12
27
28
10
15
26
28
2007
2007
2007
2008
2008
2008
2007
2007
2008
2008
2008
2008
12:55:14
12:55:50
13:13:39
00:00:36
18:10:07
14:53:53
15:27:49
17:58:26
14:46:12
13:57:02
15:40:15
14:47:29
patch_lic.pat
pdt_keyfile.txt
patch_lic2.pat
private-data.txt
rsa_server_key.efs
dulei.tbl
dictionary.xml
arweb.zip
elabel.fls
aa.txt
ar0312_34479_1220.cc
ar.txt
217,168 KB total (4,320 KB free)
Step 2 Copy files from usb0:/sample.txt to flash:/sample.txt

<Huawei> copy usb0:/sample.txt flash:/sample1.txt
Copy usb0:/sample.txt to flash:/sample1.txt?[Y/N]:y
100% complete
Info:Copied file usb0:/sample.txt to flash:/sample1.txt...Done
Step 3 Display the file information about the current directory to check that the file has been copied to
the specified directory.
<Huawei> dir
Idx Attr
0 -rw1 -rw2 -rw3 -rw4 -rw5 -rw6 -rw7 -rw8 -rw9 -rw10 -rw11 -rw12 -rw13 -rw14 -rw15 -rw16 -rw17 -rw18 -rw19 -rw20 -rw21 -rwsample1.txt
Size(Byte)
47,584,256
4
4
45,794,304
1,751,678
3,856
396
6
3,315
6,656
7,533
6,656
526,003
540
16
0
2,016,467
477
2,810
68,750,848
0
1,605
Date
Sep 17
Jun 30
Jul 27
Sep 03
Jan 26
Jan 28
Jan 11
Dec 01
Dec 07
Dec 07
Dec 07
Dec 07
Jan 27
Jan 11
Jan 12
Dec 27
Dec 28
Jan 10
Jan 15
Jan 26
Jan 28
Oct 24
2107
2010
2005
2107
2008
2008
2008
2007
2007
2007
2007
2007
2008
2008
2008
2007
2007
2008
2008
2008
2008
2009
Time(LMT)
14:54:23
01:01:16
11:02:05
12:38:38
16:24:13
00:00:09
18:09:53
15:35:31
12:54:45
12:55:14
12:55:50
13:13:39
00:00:36
18:10:07
14:53:53
15:27:49
17:58:26
14:46:12
13:57:02
15:40:15
14:47:29
11:14:39
FileName
ar1201_23316_1220.cc
voip_feature.efs
voip_protocol.efs
ar1117_20921_1220.cc
web.zip
iascfg.zip
rsa_host_key.efs
1.txt
ma5600_license.dat
patch_lic.pat
pdt_keyfile.txt
patch_lic2.pat
private-data.txt
rsa_server_key.efs
dulei.tbl
dictionary.xml
arweb.zip
elabel.fls
aa.txt
ar0312_34479_1220.cc
ar.txt
217,169 KB total (4,319 KB free)
----End
6.5.2 Example for Performing File Operations by Means of FTP

This section provides an example for operating files by means of FTP. In this example, a PC
connected to the router logs in to the FTP server by entering the correct user name and password
using FTP, and then downloads files to the memory of the FTP client.
As shown in Figure 6-3, after the FTP server is enabled on the router, you can log in to the FTP
server from the HyperTerminal to upload or download files.
Issue 02 (2012-03-30)

116

Figure 6-3 Networking for performing file operations by using FTP
Network
Eth1/0/0
10.137.217.221/16
PC
FTP Server
1.
Configure the IP address of the FTP server.
2.
Enable the FTP server.
3.
Configure the authentication information, authorization mode, and directories to be

accessed for an FTP user.
4.
Log in to the FTP server by using the correct user name and password.
5.
Upload files to or download files from the FTP server.
Data Preparation
l
IP address of the FTP server, that is, 10.137.217.221
Timeout period for the FTP connection, that is, 20 minutes
FTP username as huawei and password as huawei on the server
Destination file name and its position in the FTP client
Ensure that the PC can communicate with the FTP server.
Procedure
Step 1 Configure the IP address of the FTP server.
[Huawei] sysname server
[server] interface ethernet1/0/0
[server-Ethernet1/0/0] ip address 10.137.217.221 255.255.0.0
[server-Ethernet1/0/0] quit
Step 2 Enable the FTP server.

[server] ftp server enable
[server] ftp timeout 20
Step 3 Configure the authentication information, authorization mode, and authorized directories for an
FTP user on the FTP server.
[server] aaa
[server-aaa]
[server-aaa]
[server-aaa]
[server-aaa]
local-user huawei password simple huawei

local-user huawei service-type ftp
local-user huawei ftp-directory flash:
quit
Step 4 Run the FTP commands at the windows command line prompt, and enter the correct user name
and password to set up an FTP connection with the FTP server.
Issue 02 (2012-03-30)

117

Figure 6-4 Logging in to the FTP Server
Step 5 Upload and download files, as shown in the following figure.

Figure 6-5 Performing file operations by means of FTP
NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed
information of the file.
----End
Configuration Files
l
Configuration file of the FTP server.

#
sysname Server
#
ftp server enable
ftp timeout 20
#
Issue 02 (2012-03-30)

118

ip address 10.137.217.221 255.255.0.0
#
aaa
local-user huawei password simple Huawei
local-user huawei service-type ftp
local-user huawei ftp-directory flash:
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
return
6.5.3 Example for Performing File Operations by Means of SFTP

This section provides an example for operating files by using SFTP. In this example, a local key
pair is configured on the SSH server, and a user name and a password are configured on the
server for an SSH user. After SFTP services are enabled on the server and the SFTP client is
connected to the server, you can operate files between the client and the server.
As shown in Figure 6-6, after SFTP services are enabled on the router functioning as an SSH
server, you can log in to the server in password, RSA, password-rsa, or all authentication mode
from a PC on the SFTP client.
Configure a user to log in to the SSH server in password authentication mode.
Figure 6-6 Networking diagram for operating files by using SFTP
Network
Eth1/0/0
10.137.217.225/16
PC
SSH Server
1.
Configure a local key pair on the SSH server to securely exchange data between the SFTP
client and the SSH server.
2.
Configure VTY user interfaces on the SSH server.
3.
Configure an SSH user, including user name and password.
4.
Enable SFTP services on the SSH server and configure a user service type.
Data Preparation
Issue 02 (2012-03-30)

119

SSH user authentication mode: password, user name: client001, password: huawei
User level of client001: 3
IP address of the SSH server: 10.137.217.225
Procedure
Step 1 Configure a local key pair on the SSH server.
The key name will be: Host
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure VTY user interfaces on the SSH server.

[SSH
[SSH
[SSH
[SSH

Step 3 Configure the SSH user name and password on the SSH server.
[SSH
[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]
local-user
local-user
local-user
local-user
quit
client001
client001
client001
client001
password cipher huawei

privilege level 3
service-type ssh
ftp-directory flash:
Step 4 Enable SFTP.

[SSH Server] sftp server enable
Step 5 Verify the configurations.

# Access the SFTP server by using the OpenSSH software.
Issue 02 (2012-03-30)

120

Figure 6-7 Accessing Interface
----End
Configuration Files
l

#
sysname SSH Server
#
aaa
local-user client001 ftp-directory flash:
#
ip address 10.137.217.225 255.255.0.0
#
sftp server enable
#
#
return
Issue 02 (2012-03-30)

121

7 Configuring System Startup
Configuring System Startup
About This Chapter

When the router is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the router, you need to manage system software and configuration
files efficiently.
7.1 System Startup Overview
When the router is powered on, system software starts and configuration files are loaded.
7.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the
router.
7.3 Specifying a File for System Startup
You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the router.
The example in this section shows how to configure system startup. The example explains
networking requirements, and provides a configuration roadmap and configuration notes.
Issue 02 (2012-03-30)

122

7.1 System Startup Overview

When the router is powered on, system software starts and configuration files are loaded.
7.1.1 System Software

System software provides an operating system for the router. System software must be set up
correctly for the router to run properly and provide services.
The extension for the system software file is .cc. The file must be saved in the root directory of
the storage device.
7.1.2 Configuration Files and Current Configurations

When the router is running, current configurations differ from configuration files.
The concepts of configuration files and current configurations are as follows.
Concept
Identifying Method
Configuration files
Current configurations
Initial configurations: When

powered on, the router
retrieves configuration files
from a default save path to
initialize itself. If
configuration files do not
exist in the default save path,
the router uses default
initialization parameters.
l Run the display startup

command to view the
configuration files for the
current startup and next
startup on the router.
Current configurations:
indicates the configurations
in effect on the router when it
is actually running.
Run the display currentconfiguration command to

view current configurations
on the router.
l Run the display savedconfiguration command

to view the configuration
file for the next startup on
the router.
You can use the command line interface to modify current router configurations. Use the save
command to save modified configurations to the configuration file on the default storage devices.
This configuration file will be used to initialize the router when the router is powered on next
time.
7.2 Managing Configuration Files

You can manage the configuration files for the current and next startup operations on the
router.
Issue 02 (2012-03-30)

123


Before managing configuration files, familiarize yourself with the applicable environment,
Configuration files can be saved, cleared, and compared. Configuration file management is
required to upgrade the router, take preventive measures, repair configuration files, and view
configurations after the router starts.
Before managing configuration files, complete the following task:
l
Installing and powering on the router
Data Preparation
To manage configuration files, you need the following data.
No.
Data
Configuration file and its name
Configuration file saving interval and delay interval
Number of the start line from which the comparison of the configuration files
begins
7.2.2 Saving Configuration Files

The system can save configuration files periodically or immediately to prevent data loss when
the router is powered off or accidentally restarted.
Procedure
l
Configure the system to periodically save configuration files.
WARNING
If an LPU is not running on the router, related configurations may be lost when the system
automatically saves the configuration file.
1.
Run:
autosave interval { time } | { value } | { configuration time }
The system is configured to save the configuration file periodically.

If interval time is specified, the system saves the configuration file at the specified
interval regardless of whether the configuration is changed.
Issue 02 (2012-03-30)

124

By default, the interval at which the system saves the configuration file is 0
seconds, indicating that the system does not save the configuration file
automatically.
After automatic configuration saving is enabled, the default interval is 30 minutes
if time is not specified.
l
Save the current configuration immediately.

Run:
save [ all ] [ configuration-file ]
The current configuration is saved.

The configuration file name extension must be .cfg or .zip, and the system startup
configuration file must be saved in the root directory of the storage device.
If you modify the current configuration and want to use the modified configuration as
the next startup configuration, run the save command to save the new configuration to
the storage device.
The save all command saves all the current configurations to the default directory,
including the configurations of the boards that are not running on the router.
----End
7.2.3 Clearing a Configuration File

You can clear the configuration file that has been loaded to a device.
Context
The configuration file needs to be cleared in the following cases:
l
The system software does not match the configuration file after the router has been
upgraded.
The configuration file is destroyed or an incorrect configuration file has been loaded.
Run the reset saved-configuration command to clear the currently loaded configuration
file.
Procedure
If the configuration file of the router used for the current startup is the same as that used
for the next startup, running the reset saved-configuration command will clear both
the configuration files. The router will uses the default configuration file for the next
startup.
If the configuration file of the router used for the current startup is different from that
used at the next startup, running the reset saved-configuration command will clear the
configuration file used for the current startup.
If the configuration file of the router used for the current startup is empty, the system
will prompt you that the configuration file does not exist after you run the reset savedconfiguration command.
If you do not run the startup saved-configuration configuration-file command to specify
a new correct configuration file, or do not run the save command to save the configuration
file after the configuration file is cleared, the router will use the default configuration file
at the next startup.
----End
Issue 02 (2012-03-30)

125

7.2.4 Comparing Configuration Files

You can compare the current configuration with the initial configuration.
Context
Do as follows on the router:
Procedure
Step 1 Run:
compare configuration [ configuration-file [ current-line-number save-linenumber ] ]
The current configuration is compared with the configuration file for next startup.
If no parameter is set, the comparison begins with the first lines of configuration files. currentline-number and save-line-number are used to continue the comparison by ignoring the
differences between the configuration files.
When comparing differences between the configuration files, the system displays the contents
of the current configuration file and saved configuration file from the first different line. By
default, 120 characters are displayed for each configuration file. If the number of characters from
the first different line to the end is less than 120, the contents after the first different line are all
displayed.
In comparing the current configurations with the configuration file for next startup, if the
configuration file for next startup is unavailable or its contents are null, the system prompts that
reading files fails.
----End

After managing configuration files has been configured, you can view the current configuration
files, configuration files to be loaded at the next startup, files for the device startup, and files
saved in the storage device.
Prerequisites
The configuration of managing configuration files are complete.
Procedure
l
Run the display current-configuration [ configuration [ configuration-type

[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
current-configuration [ all | inactive ] command to view the current configuration files.
Run the display startup command to check files for startup.
Run the dir [ /all ] [ filename ] [ device-name ] command to check files saved in the storage
device.
Run the display saved-configuration [ last | time | configuration ] command to view

configuration files to be loaded at the next startup.
Issue 02 (2012-03-30)

126

Run the display autosave configuration command to view configurations of the autosave
function, including the status of the autosave function and time for autosave check.
Run the display this command to view configurations in the current view.
----End
Example
Run the display startup command to check files for startup.
<Huawei> display startup
MainBoard:
Startup system software:
Next startup system software:
Backup system software for next startup:
Startup saved-configuration file:
Next startup saved-configuration file:
Startup license file:
Next startup license file:
Startup patch package:
Next startup patch package:
Startup voice-files:
Next startup voice-files:
usb0:/ar0210_30735_1220.cc
usb0:/ar0210_30735_1220.cc
null
flash:/arcfg.cfg
flash:/arcfg.cfg
null
null
null
null
null
null
7.3 Specifying a File for System Startup

You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the router.

Before specifying a file for system startup, familiarize yourself with the applicable environment,
To enable the router to provide user-defined configurations during the next startup, you need to
correctly specify the system software and configuration file for the next startup.
Before specifying a file for system startup, complete the following task:
l
Installing the router and powering it on properly
Data Preparation
To specify a file for system startup, you need the following data.
Issue 02 (2012-03-30)
No.
Data
System software and its file name on the AR150/200
Configuration file and its file name on the device

127

7.3.2 Configuring System Software for a router to Load for the Next
Startup
If you need to upgrade system software of a router, you can specify the router system software
to be loaded at the next startup.
Context
The system will continue to load the current system software at each startup until different system
software is specified for the next system startup. To change system software for the next startup,
you need to specify the system software you require.
The filename extension of the system software must be .cc and the file must be stored in the root
directory of a storage device.
Procedure
Step 1 Run:
startup system-software filename
The AR150/200 system software to be loaded at the next startup of the router is configured.
----End
7.3.3 Configuring the Configuration File for Router to Load at the

Next Startup
Before restarting a router, you can specify which configuration files will be loaded at the next
startup.
Context
Run the display startup command on the router to check whether a specific configuration file
is set to be loaded at the next startup. If a specific configuration file is not specified, the default
configuration file will be loaded at the next startup.
The filename extension of the configuration file must be .cfg or .zip, and the file must be stored
in the root directory of a storage device.
When the router is powered on, it reads the configuration file from the flash memory by default
to initialize. The data in this configuration file is the initial configuration. If no configuration
file is saved in the flash memory, the router uses default parameters to initiate.
Procedure
l
Run:
startup saved-configuration configuration-file
A configuration file is saved for the router to load at next startup.

----End
Issue 02 (2012-03-30)

128


After specifying a configuration file for system startup, you can check the content of the
configuration file and information about the files to be used at the next startup on the router.
Prerequisites
A configuration file has been specified for system startup.
Procedure
l
Run the display current-configuration [ configuration [ configuration-type

[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to
check current configurations.
Run the display saved-configuration [ last | time ] command to check the contents of the
configuration file to be loaded at next startup.
Run the display startup command to check information about the files to be used at next
startup.
----End
Example
Run the display startup command to check information about the files to be used at next startup.
MainBoard:
usb0:/ar0210_30735_1220.cc
usb0:/ar0210_30735_1220.cc
null
flash:/arcfg.zip
flash:/arcfg.zip
null
null
null
null
null
null

The example in this section shows how to configure system startup. The example explains
networking requirements, and provides a configuration roadmap and configuration notes.
7.4.1 Example for Configuring System Startup

This example shows how to configure system startup. In the example, a configuration file is
saved and the system software and configuration file to be loaded at the next startup are specified
so that the router can start in a required manner.
After the router is configured, new configurations take effect at next system startup.
Issue 02 (2012-03-30)

129

1.
Save the current configuration.
2.
Specify the configuration file to be loaded at the next startup of the router.
3.
Specify the system software to be loaded at the next startup of the router.
Data Preparation
l
Name of the configuration file
File name of the system software
Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
MainBoard:
usb0:/ar0312.cc
usb0:/ar0312.cc
null
flash:/iascfg.zip
flash:/iascfg.zip
null
null
null
null
null
null
Step 2 Save the current configuration to the specified file.

<Huawei> save vrpcfg.cfg
The system asks you whether you want to save the current configuration to the file named
arcfg.cfg on the main control board. Enter y to save the configuration.
Step 3 Specify the configuration file to be loaded at the next startup of the router.
<Huawei> startup saved-configuration usb0:/arcfg.cfg
Step 4 Specify the system software to be loaded at the next startup of the router.
Specify the system software to be loaded at the next startup of the main control board.
<Huawei> startup system-software usb0:/arsoft.cc
NOTE
The software package arsoft.cc has been loaded to the AR150/200. For details on how to upload the
software package, see 6.3 Managing Files Using FTP.

After the configuration is complete, run the following command to check which configuration
file and system software will be loaded at the next startup of the router.
MainBoard:
Issue 02 (2012-03-30)
usb0:/ar0312.cc
usb0:/arsoft.cc
null

130


flash:/iascfg.zip
usb0:/arcfg.cfg
null
null
null
null
null
null
----End
Configuration Files
None.
Issue 02 (2012-03-30)

131

8 Accessing Another Device
Accessing Another Device
About This Chapter

To manage configurations or operate files of another device, you can access the device by using
Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.
8.1 Accessing Another Device
To manage configurations or use files on a device other than the device you are logged in to,
you can use Telnet, FTP, TFTP, or SSH to access that device.
8.2 Logging in to Other Devices Using Telnet
On most networks, multiple routers need to be managed and maintained, but it may be impossible
to connect some of these routers to a PC terminal. In other cases, there may be no reachable
route between a router and a PC terminal. You can log in to a local router and then use Telnet
to log in to remote routers to complete management and maintenance tasks.
8.3 Logging in to Another Device Using STelnet
STelnet provides secure Telnet services. You can use STelnet to log in to another router from
the router that you have logged in to and manage the device remotely.
8.4 Accessing Files on Another Device Using TFTP
You can configure the router as a TFTP client, and log in to the TFTP server to upload and
download files.
8.5 Accessing Files on Another Device Using FTP
This section describes how to configure a router as an FTP client to log in to a FTP server, and
to upload files to or download files from the server.
8.6 Accessing Files on Another Device Using SFTP
SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.
This section describes examples for access another device. The examples explain networking
requirements, configuration notes, and configuration roadmap.
Issue 02 (2012-03-30)

132

8.1 Accessing Another Device

To manage configurations or use files on a device other than the device you are logged in to,
you can use Telnet, FTP, TFTP, or SSH to access that device.
Figure 8-1 Networking diagram for accessing another device from the router
Network
Server
Network
Client
PC
As shown in Figure 8-1, when you run a terminal emulation or Telnet program on a PC to
connect to the router, the router can still function as a client to access another device on the
network. There are several ways to accomplish this.
8.1.1 Telnet Method

To configure and manage a remote device on the network, you can use the router that you have
logged in to as a client to log in to that device, or use a redirection terminal service on
therouter to log in to that device.
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and
a virtual terminal service.
The AR150/200 provides the following Telnet services:
l
Telnet server: You can run the Telnet client program on a PC to log in to a router to complete
configuration and management tasks. The router acts as a Telnet server.
Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the router. You can then run the telnet command to log in to other
routers to configure and manage them. As shown in Figure 8-2,Router A serves as both a
Telnet server and a Telnet client.
Figure 8-2 Telnet client services
Telnet Session2
Telnet Session 1
Telnet Server
PC
RouterA
RouterB
Interruption of Telnet services

In Telnet connection, two shortcut key combinations can terminate the connection.
As shown in Figure 8-3, Router A logs in to Router B through Telnet, and Router B logs
in to Router C through Telnet. Thus, a cascade network is formed. In this case, Router A
Issue 02 (2012-03-30)

133

is the client of Router B and Router B is the client of Router C. Figure 8-3 illustrates the
usage of shortcut keys.
Figure 8-3 Usage of Telnet shortcut keys
Telnet Session 1
Telnet Session2
Telnet
Client
Telnet
Server
RouterA
RouterB
RouterC
Ctrl_]: The server interrupts the connection.

If the network connection is normal and you press Ctrl_], the Telnet server terminates the
current Telnet connection. For example:
<RouterC>
Press Ctrl_] to return to the prompt of Router B.

Configuration console exit, please retry to log on
The connection was closed by the remote host
<RouterB>
Press Ctrl_] to return to the prompt of Router A.

Configuration console exit, please retry to log on
The connection was closed by the remote host
<RouterA>
NOTE
If a router becomes disconnected from the network, these shortcut keys are invalid. Instructions
cannot be sent to the server.
Ctrl_]: The client interrupts the connection.

If the server fails and the client is unaware of the failure, the client continues to transmit
data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet
connection.
For example:
<RouterC>
Press Ctrl_T to terminate and quit a Telnet connection.

<RouterA>
CAUTION
If remote login users are using all of the maximum number of VTY user interfaces allowed,
the system prompts that all user interfaces are in use and does not allow additional Telnet
logins.
8.1.2 FTP Method

To access files on a remote FTP server, you can use FTP to establish a connection between the
router that you have logged in to and the remote FTP server.
Issue 02 (2012-03-30)

134

FTP can transmit files between hosts and it provides users with common FTP commands for file
system management. That is, using an FTP client program not residing on the router, you can
upload or download the files and access the directories on the router; using an FTP client program
residing on the router, you can transfer files to the FTP servers of other devices.
FTP can transmit files between local and remote hosts, and is widely used for version upgrade,
8.1.3 TFTP Method

If network client/server interaction requirements are relatively simple, you can enable the TFTP
service on the router that functions as a TFTP client to access files on a TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Unlike FTP, TFTP does not have a complex interactive access interface and authentication
control. TFTP is for use in environments where there is no complex interaction between the
client and the server. For example, TFTP is used to obtain a memory image of the system when
the system starts up.
Implementation of TFTP is based on the User Datagram Protocol (UDP).
The client initiates a TFTP transfer. To download files, the client sends a read request packet to
the TFTP server, receives packets from the server, and returns an acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives acknowledgement from the server.
TFTP uses two formats for file transfer:
l
Binary format: transfers program files.
ASCII format: transfers text files.
At present, the AR150/200 can only serve as a TFTP client and can only transfer files in binary
format.
8.1.4 SSH Method

Logging in to a remote device using SSH (including STelnet,SFTP) provides secure
communications between the remote device and the router you are logged in to.
SSH Overview
When users on an insecure network use Telnet to log in to the router, the Secure Shell (SSH)
feature provides authentication and keeps data secure. SSH defends the router from IP address
spoofing and other such attacks, and protects the router against the interception of plain text
passwords.
The SSH client function allows users to establish SSH connections with routers serving as SSH
servers or with UNIX hosts.
SSH Client Function

The AR150/200 supports the STelnet client function and SFTP client function.
l
STelnet client
STelnet is short for Secure Telnet.
Issue 02 (2012-03-30)

135

Telnet does not provide secure authentication and TCP transmits data in plain text. This
creates security vulnerabilities. Denial of service (DOS) attacks, host IP address spoofing,
and route spoofing also threaten system security. Telnet services are vulnerable to network
attacks.
SSH implements secure remote access on insecure networks and has the following
advantages compared with Telnet:
SSH supports Remote Subscriber Access (RSA) authentication. SSH uses RSA
authentication to generate and exchange public and private keys compliant with an
asymmetric encryption system that protects session security.
SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.
SSH usernames and the passwords are encrypted in communication between an SSH
client and server. This prevents password interception.
SSH encrypts transmitted data.
If the STelnet server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
l
SFTP client
SFTP is short for Secure FTP. You can log in to a device from a secure remote end to
manage files. This improves data transmission security when the remote system is updated.
The client function allows you to use SFTP to log in to the remote device for secure file
transmission.
If the SFTP server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
8.2 Logging in to Other Devices Using Telnet

On most networks, multiple routers need to be managed and maintained, but it may be impossible
to connect some of these routers to a PC terminal. In other cases, there may be no reachable
route between a router and a PC terminal. You can log in to a local router and then use Telnet
to log in to remote routers to complete management and maintenance tasks.

Before configuring login to another device from the device that you have logged in to, familiarize
yourself with the applicable environment, complete the pre-configuration tasks, and obtain any
data required for the configuration. This will help you complete the configuration task quickly
and correctly.
Issue 02 (2012-03-30)

136

Figure 8-4 Networking diagram for accessing another device from the device that you have
logged in to
Network
PC
Network
RouterA
RouterB
As shown in Figure 8-4, you can use Telnet to log in to Router A from a PC. You cannot,
however, manage Router B remotely, because there is no reachable route between the PC and
Router B. To manage Router B remotely, you must use Telnet to log in to it from Router A.
In this situation, Router A functions as a Telnet client and Router B functions as a server.
Before using Telnet to log in to another device on the network, complete the following tasks:
l
Configuring a reachable route between the client and Telnet server
Data Preparation
To log in to another device by using Telnet, you need the following data:
No.
Data
IP address or host name of RouterB
Number of the TCP port used by the RouterB to provide Telnet services
8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client

You can configure a source IP address for a Telnet client and then use this address to set up a
Telnet connection from the client to server along a specific route.
Context
An IP address is configured for an interface on the router and functions as the source IP address
of a Telnet connection. This allows for implementation of security checks.
The source of a client can be a source interface or a source IP address.
Do as follows on a router that functions as a Telnet client.
Issue 02 (2012-03-30)

137

Procedure
Step 1 Run:
system-view

Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a Telnet client is configured.

After the configuration, the source IP address of the Telnet client displayed on the Telnet server
must be the same as the configured one.
----End
8.2.3 Logging in to Another Device by Using Telnet

You can use Telnet to log in to and manage another router.
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.
Do as follows on the router that serves as a Telnet client:
Procedure
l
Select and perform one of the following two steps for IPv4 or IPv6.
Run:
telnet [ vpn-instance vpn-instance-name ] [-a source-ip-address ] hostname [ port-number ]
Log in to the router and manage other routers.

Run:
telnet ipv6 host-name [ port-number ]
Log in to the router and manage other routers.

----End

When you log in to another router successfully from the router that you have logged in to, you
can check information about the established TCP connection.After you have logged in to another
router from the router that you have logged in to, you can check information about the established
TCP connection.
Prerequisites
All configurations for logging in to another device are complete.
Issue 02 (2012-03-30)

138

Procedure
l
Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<Huawei> display tcp status
TCPCB
Tid/Soid
Local Add:port
39952df8
36 /1509
0.0.0.0:0
Closed
32af9074
59 /1
0.0.0.0:21
Listening
34042c80
73 /17
10.164.39.99:23
Established
Foreign Add:port
0.0.0.0:0
VPNID
0
0.0.0.0:0
14849
10.164.6.13:1147
State
8.3 Logging in to Another Device Using STelnet

STelnet provides secure Telnet services. You can use STelnet to log in to another router from
the router that you have logged in to and manage the device remotely.

Before configuring login to another device using Stelnet, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any date required for the
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device that you have logged in to functions as a Telnet client, and the
device that you want to log in to functions as an SSH server.
Before logging in to another device by using STelnet, complete the following tasks:
l
Configuring a reachable route between the client and SSH server
Data Preparation
To log in to another device using STelnet, you need the following data.
Issue 02 (2012-03-30)

139

No.
Data
Name of the SSH server, and public key that is assigned by the client to the SSH server
IPv4 address or host name of the SSH server, number of the port monitored by the
SSH server, preferred encryption algorithm for data from the SFTP client to the SSH
server, preferred encryption algorithm for data from the SSH server to the SFTP client,
preferred HMAC algorithm for data from the SFTP client to the SSH server, preferred
HMAC algorithm for data from the SSH server to the SFTP client, preferred algorithm
of key exchange
The user information for logging in to the SSH server
8.3.2 Configuring the First Successful Login to Another Device

(Enabling the First-Time Authentication on the SSH Client)
After first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time.
Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA public key when logging in to the SSH server for the first time. After the
login, the system automatically allocates the RSA public key and saves it for authentication at
next login.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh client first-time enable
First-time authentication on the SSH client is enabled.

By default, first-time authentication on the SSH client is disabled.
NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA public key on the SSH server when an STelnet client logs in to the SSH server for the first
time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH
server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA public key validity and cannot
log in to the server.
Issue 02 (2012-03-30)

140

TIP
To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA
public key in advance to the SSH server on the SSH client in addition to enabling first-time authentication
on the SSH client.
----End

(Allocating an Public Key to the SSH Server)
To configure the first successful login to another device on an SSH client, you must allocate an
RSA public key to the SSH server before the login.
Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA public key validity
check and cannot log in to the server. You must allocate an RSA public key to the SSH server
before the STelnet client logs in to the SSH server.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
hex-data

The public key is a string of hexadecimal alphanumeric characters automatically generated by
an SSH client.
NOTE
l The RSA public key assigned to the SSH server must be generated on the server. Otherwise, the validity
check for the RSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA public key generated on the server to the
router that functions as the client.
Step 5 Run:
public-key-code end

Issue 02 (2012-03-30)

141

l If the specified hex-data is invalid, the public key cannot be generated after the peer-publickey end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end

Step 7 Run:
ssh client servername assign rsa-key keyname
The RSA public key is assigned to the SSH server

NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run
the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH
server.
----End
8.3.4 Logging in to Another Device by Using STelnet

You can log in to the SSH server from the SSH client by using STelnet.
Context
When accessing an SSH server, the STelnet client can carry the source address and choose the
key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure the keepalive
function.
Procedure
Step 1 Run:
system-view

Step 2 Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] |
[ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des |
aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ ki aliveinterval [ -kc alivecountmax ] ] command. You can log in to the SSH server through
STelnet.
----End

After configuring login to another device using STelnet, you can check the global configurations
of the SSH servers and information about sessions between the SSH servers and the STelnet
client.
Issue 02 (2012-03-30)

142

Prerequisites
The configurations for logging in to another device by using STelnet are complete.
Procedure
l
Run the display ssh server status command to view the status of the SSH server.
----End
Example
Run the display ssh server status to view the status of the SSH server.
SSH version
SFTP Server
:1.99
:60 seconds
:0 hours
:3 times
:Enable
8.4 Accessing Files on Another Device Using TFTP

You can configure the router as a TFTP client, and log in to the TFTP server to upload and
download files.

Before configuring access to another device using TFTP, familiarize yourself with the applicable
You can use TFTP to in a simple interaction environment to transfer files between a server and
a client.
The current Router functions as a TFTP client, and theRouter to be accessed functions as a TFTP
server.
Before configuring access to another device using TFTP, complete the following tasks:
l
Configuring a reachable route between the client and TFTP server
Data Preparation
To access another device using TFTP, you need the following data.
Issue 02 (2012-03-30)
No.
Data
(Optional) Source address or source interface of the router that functions as a TFTP
client
143

No.
Data
IP address or host name of the TFTP server
Name of the specific file in the TFTP server and the file directory
8.4.2 (Optional) Configuring a Source IP Address for a TFTP Client

You can configure a source IP address for a TFTP client and then use the source IP address to
set up a TFTP connection from the TFTP client to the server along a specific route.
Context
of a TFTP connection. This allows implementation of security checks.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as a TFTP client.
Procedure
Step 1 Run:
system-view

Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
8.4.3 (Optional) Configuring TFTP Access Authority

This section describes how to use an ACL rule to authorize the users to specify the TFTP servers
that can be accessed by using TFTP from the router that you have logged in to.
Context
An Access Control List (ACL) is a set of sequential rules. These rules are described based on
the source address, destination address, and port number of a packet. Routers use the ACL rules
to filter packets. With the rule applied to the interface on a router, the router permits or denies
the packets.
Each ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,
and advanced ACL based on the functions of ACL rules.
NOTE
TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).
Issue 02 (2012-03-30)

144

Do as follows on the router that serves as the TFTP client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number
The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ { fragment | none-first-fragment } | source
{ source-address source-wildcard | any } | time-range time-name ] *
The ACL rule is configured.

NOTE
By default, the deny action in an ACL rule is taken for all the packets. To allow packets to pass through,
define the permit action in the ACL rule. For example, to discard packets with the source IP address of
10.1.1.10, define two rules in an ACL:
l rule deny source 10.1.1.10 0
l rule permit source any
If rule permit source any is not defined, packets with other source IP addresses but not 10.1.1.10 0 are
also discarded.
Step 4 Run:
quit

Step 5 Run the tftp-server acl acl-number command. You can use the ACL to limit the access to the
TFTP server.
----End
8.4.4 Downloading Files Using TFTP

You can download files from a TFTP server to a TFTP client.
Procedure
l
Run the following commands according to the type of the server IP addresses.
The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftpserver [ public-net get source-filename [ destination-filename ]
The router is configured to download files using TFTP.

tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type
interface-number ] get source-filename [ destination-filename ]
Issue 02 (2012-03-30)

145

The router is configured to download files using TFTP.

----End
8.4.5 Uploading Files Using TFTP

You can upload files from a TFTP client to a TFTP server.
Procedure
l
Run the following commands according to the type of the server IP addresses.
tftp [ -a source-ip-address | -i interface-type interface-number ] tftpserver [ public-net put source-filename [ destination-filename ]
The router is configured to upload files using TFTP.

tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type
interface-number ] put source-filename [ destination-filename ]
The router is configured to upload files using TFTP.

----End

When a device is configured as a TFTP client, you can check the source address of the client
and the configured ACL rule.
Prerequisites
Configurations for using the device as a TFTP client are complete.
Procedure
l
Run the display tftp-client command to check the device address that is set to the source
address of the TFTP client.
Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<Huawei> display tftp-client
Info: The source address of TFTP client is 1.1.1.1.
Run the display acl{ name acl-name | acl-number | all } to view the ACL rule that is configured
on the TFTP client.
<Huawei> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
rule 5 deny source 10.1.1.10 0
rule 10 permit
Issue 02 (2012-03-30)

146

8.5 Accessing Files on Another Device Using FTP

This section describes how to configure a router as an FTP client to log in to a FTP server, and
to upload files to or download files from the server.

Before configuring the use of FTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the router that you have logged in to as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.
Before configuring the use of FTP to access files on another device, complete the following
tasks:
l
Configuring a reachable route between the router and the FTP server
Data Preparation
To configure the use of FTP to access files on another device, you need the following data:
No.
Data
(Optional) Source IP address or source interface of the router functioning as an FTP

client
Host name or IP address of the FTP server, port number of connecting FTP, login
username and password
Local file names and file names on the remote FTP server, name of the working
directory on the remote FTP server, name of the working directory on the local FTP
client, or directory name of the remote FTP server
8.5.2 (Optional) Configuring the Source IP Address and Interface

of the FTP Client
This section describes how to configure the source IP address and interface of an FTP client to
connect to an FTP server.
Issue 02 (2012-03-30)

147

Prerequisites
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp client-source { -a source-ip-address | -i interface-type interface-number }
The source address of the FTP client is configured.

After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.
----End
8.5.3 Connecting to Other Devices by Using FTP Commands

You can run FTP commands to log in to other devices from the router that functions as the FTP
client.
Context
You can log in to the FTP server in the user view or the FTP view.
Do as follows on the router that serves as the client:
Procedure
l
In the user view, establish a connection to the FTP server.

If the IP address of the server is an IPv4 address, do as follows:
Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ public-net | vpn-instance vpn-instace-name ]
The router is connected to the FTP server.

Run:
ftp ipv6 host [ port-number ]

l
In the FTP view, establish a connection to the FTP server.

Issue 02 (2012-03-30)

148

1.
In the user view, Run:

ftp
The FTP view is displayed.

2.
Run:
open [ -a source-ip-address | -i interface-type interface-number ]
host [ port-number ] [ vpn-instance vpn-instance-name ]

1.
In the user view, Run:

ftp
The FTP view is displayed.

2.
Run:
open ipv6 host-ipv6-address [ port-number ]

----End
8.5.4 Managing Files Using FTP Commands

After logging in to an FTP server, you can use FTP commands to manage files. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.
Context
After logging in to an FTP server, you can perform the following operations:
l
Configure a data type for transmission files and a file transmission method.
Check the online help about FTP commands in the FTP client view.
Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
Create directories on or delete directories from the FTP server.
Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.
After logging in to the router that functions as a client and entering the FTP client view, you can
perform the following steps:
Procedure
l
Configuring data type and transmission mode for the file.

Run:
ascii | binary
The data type of the file to be transmitted is ascii or binary mode.
Issue 02 (2012-03-30)

149

NOTE
FTP supports both ASCII and binary files. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
Clients can select an FTP transmission mode ad required. The system defaults to the ASCII
transmission mode. The client can use a mode switch command to switch between the ASCII
mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is
used to transmit binary files.
Run:
passive
The passive file transfer mode is configured.

Run:
verbose
The verbose mode for FTP is enabled.

When verbose is enabled, all FTP responses are displayed. After file transmission
efficiency statistics will be displayed.
l
View online help for FTP commands.

remotehelp [ command ]
The online help of the FTP command is displayed.

l
Upload or download files.

Upload or download a file.
Run:
The local file is uploaded to the remote FTP server.

Run:
The FTP file is downloaded from the FTP server and saved to the local file.
l
Run one or more of the the following commands order to manage directories.
Run:
cd pathname
The working path of the remote FTP server is specified.

Run:
cdup
The working path of the FTP server is switched to the upper-level directory.
Run:
pwd
The specified directory of the FTP server is displayed.

Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.

Run:
Issue 02 (2012-03-30)

150

A directory is created on the FTP server.

Run:
rmdir remote-directory
A directory is removed from the FTP server.

NOTE
l A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
l When running the mkdir /abc command, you create a sub-directory named "abc".
Run one or more of the the following commands to manage files.

Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.

If local-filename is configured, the remote file can be saved in another local file.
Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.

If local-filename is configured, the remote file can be saved in another local file.
Run:
delete remote-filename
The specified file on the FTP server is deleted.

----End
8.5.5 Changing Login Users

After logging in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.
Context
If you are logged in to the AR150/200 functioning as an FTP client, you can switch to a different
username and log in to the FTP server without logging out of the FTP client view. The FTP
connection established in this way is identical to that established by running the ftp command.
Perform the following steps on the router that functions as a client:
Procedure
l
Run:
user user-name [ password ]
The user that logged in to the FTP server earlier is changed and the new user logs in to the
server.
Issue 02 (2012-03-30)

151

When the username that is used to log in to the FTP server is changed, the original
connection between the user and the FTP server is interrupted.
----End
8.5.6 Disconnecting from the FTP Server

You can terminate the connection with an FTP server and return to the user view or FTP view.
Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.
Do as follows on the router that serves as the client.
Procedure
l
Run one of the following commands depending on your system configurations.

Run:
bye
Or,
quit
The client router is disconnected from the FTP server.

Return to the user view.
Run:
close
Or,
disconnect
The client router is disconnected from the FTP server.

Return to the FTP view.
----End

After the configurations for accessing other devices using FTP are complete, you can view the
source parameters configured on the FTP client.
Prerequisites
The configurations for accessing other devices using FTP are complete.
Procedure
l
Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
Issue 02 (2012-03-30)

152

<Huawei> display ftp-client

Info: The source address of FTP client is 1.1.1.1.
8.6 Accessing Files on Another Device Using SFTP

SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.

Before configuring the use of SFTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.
SFTP is a secure FTP protocol. SFTP is based on SSH. It allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
router that functions as an SFTP client.
Before configuring the use of SFTP to access files on another device, complete the following
tasks:
l
Configuring a reachable route between the client and SSH server
Data Preparation
To use SFTP to access files on another device, you need the following data:
No.
Data
(Optional) Source address of the device that functions as the SFTP client
(Optional) Name of the SSH server
(Optional) Public key that is assigned by the client to the SSH server
IPv4 or IPv6 address or host name of the SSH server
Number of the port monitored by the SSH server, preferred encryption algorithm for
data from the SFTP client to the SSH server, preferred encryption algorithm for data
from the SSH server to the SFTP client, preferred HMAC algorithm for data from the
SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH
server to the SFTP client, preferred algorithm of key exchange, name of the outgoing
interface, source address
User information for logging in to the SSH server
Issue 02 (2012-03-30)
Name and directory of a specified file on the SSH server

153

8.6.2 (Optional) Configuring a Source IP Address for an SFTP Client

You can configure a source IP address for an SFTP client and then use this source address to set
up an SFTP connection from the client to server along a specific route.
Context
of an FTP connection. This allows implementation of security checks.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as an SFTP client.
Procedure
Step 1 Run:
system-view

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for an SFTP client.

----End

(Enabling the First-Time Authentication on the SSH Client)
After first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA public key when logging in to the SSH server for the first time.
Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA public key when logging in to the SSH server for the first time. After the
login, the system automatically allocates the RSA public key and saves it for authentication at
next login.
Procedure
Step 1 Run:
system-view

Step 2 Run:
First-time authentication on the SSH client is enabled.

By default, first-time authentication on the SSH client is disabled.
Issue 02 (2012-03-30)

154

NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA public key on the SSH server when an STelnet client logs in to the SSH server for the first
time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH
server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA public key validity and cannot
log in to the server.
TIP
To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA
public key in advance to the SSH server on the SSH client in addition to enabling first-time authentication
on the SSH client.
----End

(Allocating an Public Key to the SSH Server)
To configure the first successful login to another device on an SSH client, you must allocate an
RSA public key to the SSH server before the login.
Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA public key validity check
and cannot log in to the server.
Do as follows on the router functioning as an SSH client:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
hex-data

The public key is a string of hexadecimal alphanumeric characters automatically generated by
an SSH client.
Issue 02 (2012-03-30)

155

NOTE
l The RSA public key assigned to the SSH server must be generated on the server. Otherwise, the validity
check for the RSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA public key generated on the server to the
router that functions as the client.
Step 5 Run:
public-key-code end

l If the specified hex-data is invalid, the public key cannot be generated after the peer-publickey end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end

Step 7 Run:
ssh client servername assign rsa-key keyname
The RSA public key is assigned to the SSH server

NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run
the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH
server.
----End
8.6.5 Connecting to Other Devices by Using SFTP

You can log in to the SSH server from the SSH client through SFTP.
Context
The command of enabling the SFTP client is similar to that of the STelnet. When accessing the
SSH server, the SFTP can carry the source address and the name of the VPN instance and choose
the key exchange algorithm, encrypted algorithm and HMAC algorithm, and configure the
keepalive function.
Do as follows on the router that serves as an SSH client.
Procedure
Step 1 Run:
system-view

Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ]
[ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 |
Issue 02 (2012-03-30)

156

dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] |

[ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ]
* [ -ki aliveinterval [ -kc alivecountmax ] ]
You can log in to the SSH server through SFTP.

----End
8.6.6 Managing Files Using SFTP Commands

You can use an SFTP client to manage directories and files on the SSH server, and check the
command help on the SFTP client.
Context
After logging in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:
l
Create or delete directories on the SSH server, display the current working directory, or
display the specified directory and information about the file in the specified directory.
Change file names, delete files, display a file list, and upload or download files.
Display the SFTP client command help.
After logging in to the router that functions as an SSH client and entering the SFTP client view,
you can perform the following steps:
Procedure
l
Manage directories.
Perform the following steps as required:
Run:
cd [ remote-directory ]
The current operating directory of users is changed.

Run:
cdup
The view is switched to a directory one level up.

Run:
pwd
The current operating directory of users is displayed.

Run:
dir [ -l -a ] [ path ]
A list of files in the specified directory is displayed.

Run:
rmdir remote-directory & <1-10>
The directory on the server is deleted.

Run:
A directory is created on the server.

Issue 02 (2012-03-30)

157

Manage files.
Perform the following steps as required:
Run:
rename old-name new-name
The name of the specified file on the server is changed.

Run:
get remote-filename [local-filename]
The file on the remote server is downloaded.

Run:
put local-filename [remote-filename]
The local file is uploaded to the remote server.

Run:
remove remote-filename
The file on the server is removed.

l
Display the SFTP client command help.

help [all | command-name ]
The SFTP client command help is displayed.

----End

After using SFTP to log in to another device, you can view the source address of the SSH client,
mappings between all SSH servers and the RSA public keys on the client, global configurations
of the SSH servers, and sessions between the SSH servers and the client.
Prerequisites
The configuration for using SFTP to access files on another device is complete.
Procedure
l
Run the display sftp-client command to check the source IP address of the SFTP client on
the SSH client.
----End
Example
Run the display sftp-client command on the client to view the source parameters of the device
functioning as an SFTP client.
<Huawei> display sftp-client
Info: The source address of SFTP client is 1.1.1.1

This section describes examples for access another device. The examples explain networking
requirements, configuration notes, and configuration roadmap.
Issue 02 (2012-03-30)

158

8.7.1 Example for Configuring Telnet Services

This example shows how to configure authentication modes and passwords for users to log in
using Telnet.
As shown in Figure 8-5, Router A and Router B can ping each other. A user logs in to Router
B from Router A using Telnet.
Figure 8-5 Networking diagram for configuring user login with Telnet services
Eth1/0/0
1.1.1.1/24
Eth1/0/0
1.1.1.2/24
RouterA
RouterB
1.
On Router B, configure authentication modes and passwords for VTY0 to VTY4.
2.
Configure passwords for users to log in to Router B from Router A using Telnet.
3.
Configure a Telnet server port number on Router B so that users log in through a single
specific port only.
Data Preparation
l
Host address of Router B
Authentication mode and password
Telnet server port number
User level 15
Procedure
Step 1 Configure IP addresses.
# Configure Router A.
[Huawei] sysname RouterA
[RouterA] interface ethernet1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.1 24
[RouterA-Ethernet1/0/0] quit
[RouterA] quit
# Configure Router B.
[Huawei] sysname RouterB
Issue 02 (2012-03-30)

159

[RouterB] interface ethernet1/0/0

[RouterB-Ethernet1/0/0] ip address 1.1.1.2 24
[RouterB-Ethernet1/0/0] quit
[RouterB] quit
Step 2 Configure the authentication mode and password for Telnet services on Router B.
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
[RouterB-ui-vty0-4] set authentication password simple hello
[RouterB-ui-vty0-4] quit
To configure an ACL for Telnet services, run the following commands on Router B.
[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound
NOTE
Configuring an ACL for Telnet services is optional.

Log in to Router B from Router A using Telnet.
<RouterA> telnet 1.1.1.2
Press CTRL_] to quit telnet mode
Trying 1.1.1.2 ...
Connected to 1.1.1.2 ...
Login authentication
Password:
<RouterB>
Step 4 Configure a Telnet server port number on Router B.

<RouterB> system-view
[RouterB] telnet server port 1028
After the command is executed, logging in to the port through telnet fails, al
l the telnet users exit, and a new port is created. If you need to set the port
through telnet again, wait for at least two minutes and then set the port again.
Are you sure to continue?(y/n)[n]: y
Step 5 Use the port number 1028 to log in to Router B from Router A using Telnet.
<RouterA> telnet 1.1.1.2 1028
Press CTRL_] to quit telnet mode
Trying 1.1.1.2 ...
Connected to 1.1.1.2 ...
Login authentication
Password:
<RouterB>
----End
Configuration Files
l
Configuration file of Router A

#
sysname RouterA
#
Issue 02 (2012-03-30)

160

ip address 1.1.1.1 255.255.255.0

#
return
Configuration file of Router B

#
sysname RouterB
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
acl 2000 inbound
set authentication password simple hello
#
return
8.7.2 Example for Configuring the Device as the STelnet Client to

Connect to the SSH Server
This example shows how to configure an STelnet client to connect to an SSH server. Local key
pairs are generated on the STelnet client and the SSH server, and the public RSA key is generated
on the SSH server and then bound to the STelnet client.
As shown in Figure 8-6, after the STelnet service is enabled on the SSH server, the STelnet
client can use the password, RSA, password-rsa, or all authentication mode to log in to the SSH
server.
Configure two login clients:
l
Configure Client001 with the password huawei and use the password authentication mode.
Configure Client002, use the RSA authentication mode, and assign the public key
RsaKey001 to this client.
The user interface supports only SSH.

Figure 8-6 Networking diagram for configuring the STelnet client to connect to the SSH server
SSH Server
Eth1/0/0
10.164.39.222/24
Eth1/0/0
10.164.39.220/24
Client001
Issue 02 (2012-03-30)
Eth1/0/0
10.164.39.221/24
Client002

161

1.
Configure Client001 and Client002 on the SSH server.
2.
Generate the local key pairs on the STelnet client and the SSH server.
3.
Generate the RSA public key on the SSH server and bind the RSA public key of SSH client
to Client002.
4.
Enable STelnet service on the SSH server.
5.
Users Client001 and Client002 log in to the SSH server using STelnet.
Data Preparation
l
Name and the authentication mode of the SSH user
Password or the RSA public key of the SSH user
Name of the SSH server
Procedure
Step 1 Generate a local key pair on the SSH server.
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Create SSH users on the server.

# Configure a VTY user interface.
[SSH
[SSH
[SSH
[SSH

l Create an SSH user named Client001.

# Create an SSH user named Client001, configure password authentication for the user, and
set the password to huawei.
[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server] ssh

quit
user client001 authentication-type password

# Create an SSH user named Client002, set the password to huawei, and configure RSA
authentication for the user.
[SSH Server] aaa
[SSH Server-aaa] local-user client002 password cipher huawei
Issue 02 (2012-03-30)

162

[SSH Server-aaa] local-user client002 service-type ssh

[SSH Server-aaa] quit
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.

# Generate a local key pair for Client002.
[Huawei] sysname client002
[client002] rsa local-key-pair create
# Check the RSA public key of the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 2007-12-29 16:19:59+08:00
Key name: Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
=====================================================
Key name: Server
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key of the client to the server.

[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of the SSH client to Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Connect to the SSH server.

# Enable initial authentication for use by SSH clients at first time logins.
Issue 02 (2012-03-30)

163

[client001] ssh client first-time enable
# Log in to the SSH server from Client001 in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
Enter the password huawei. The following information indicates that the login succeeded.
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>
# Log in to the SSH server from Client002 in RSA authentication mode.

[client002] stelnet 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

After the configuration is complete, run the display ssh server status and display ssh server
session commands. You can see that the STelnet clients have logged in to the server.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH version
: 1.99
: 60 seconds
SSH server key generating interval : 0 hours
: 3 times
SFTP Server
: Enable
# Check the SSH session status.

[SSH Server] display ssh server session
-------------------------------------------------------------------Conn
Ver
Encry
State Auth-type
Username
-------------------------------------------------------------------VTY 3 2.0
AES
run
password
client001
VTY 4 2.0
AES
run
rsa
client002
--------------------------------------------------------------------
# Check information about the SSH users.

[SSH Server] display ssh user-information
Issue 02 (2012-03-30)

164

------------------------------------------------------------------------------Username
Auth-type
------------------------------------------------------------------------------client001
password
null
client002
rsa
RsaKey001
-------------------------------------------------------------------------------
----End
Configuration Files
l

#
sysname SSH Server
#
rsa peer-public-key rsakey001
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
#
return
Configuration file of Client001 on SSH client

#
sysname client001
#
ip address 10.164.39.220 255.255.255.0
#
#
return
Configuration file of Client002 on SSH client

#
sysname client002
#
ip address 10.164.39.221 255.255.255.0
#
#
return
8.7.3 Example for Configuring TFTP

This example shows how to configure TFTP to upload and download files. The TFTP application
is run on a TFTP server and the location of a source file on the server is set.
Issue 02 (2012-03-30)

165

As shown in Figure 8-7, the IP address of the TFTP server is 10.111.16.160/24.
Log in to the router from the HyperTerminal and then download the file ar.cc from the TFTP
server.
Figure 8-7 Networking diagram of configuring TFTP
10.111.16.160/24
PC
TFTP Client
TFTP Server
1.
Run the TFTP application on the TFTP server, and set the location of the file on the server.
2.
Use the TFTP command on the router to download the file.
3.
Use the TFTP command on the router to upload the file.
Data Preparation
l
The TFTP application installed on the TFTP server
The path to the file on the TFTP server
The destination file name and its path on the router
Procedure
Step 1 Start the TFTP server and set its Current Directory to the directory where the ar.cc file resides.
Figure 8-8 shows the interface.
Issue 02 (2012-03-30)

166

Figure 8-8 Setting the Base Directory of the TFTP server
NOTE
The display on your computer may be different, depending on the TFTP server application you are running.
Step 2 Log in to the router from the computer HyperTerminal and enter the following command to
download a file.
<Huawei> tftp 10.111.16.160 get ar.cc flash:/
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
69143936 bytes received in 42734
second.
TFTP: Downloading the file successfully.
Step 3 Run the dir command to check whether the downloaded file is saved in the directory specified
on the router.
<Huawei> dir flash:/
Idx
0
1
2
3
4
5
6
7
8
9
10
11
12
Attr
-rw-rw-rw-rw-rw-rw-rwdrw-rw-rw-rw-rw-rw-
Size(Byte)
1,738,816
396
540
1,498
525,337
1,215
1,703,936
69,143,936
8,996
5,602
220
1,686
Date
Mar 28
Feb 11
Feb 11
Apr 01
Apr 01
Mar 26
Feb 27
Mar 07
Mar 28
Apr 07
May 27
Mar 28
Mar 28
2011
2008
2008
2011
2011
2011
2008
2008
2008
2008
2011
2011
2011
Time(LMT)
17:00:24
14:34:17
14:35:10
09:49:37
09:50:00
11:32:27
10:00:10
15:44:46
07:34:54
14:56:24
13:59:31
16:51:16
17:04:53
FileName
web.zip
rsa_host_key.efs
rsa_server_key.efs
iascfg.zip
private-data.txt
iascfg_autobackup.zip
ar_smk2.cc
dd
ar.cc
1.cap
ab.cap
elab.txt
lic_ar.dat
217,168 KB total (145,536 KB free)
Step 4 Log in to the router from the computer HyperTerminal and enter the following command to
upload a file.
Issue 02 (2012-03-30)

167

<Huawei> tftp 10.111.16.160 put flash:/iascfg.zip

Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...
TFTP: Uploading the file successfully.
3856 bytes send in 1 second.
----End
8.7.4 Example for Connecting the SFTP Client to the SSH Server
This example shows how to configure an SFTP client to connect to an SSH server. Local key
pairs are generated on the SFTP client and the SSH server, and a public RSA key is generated
on the SSH server and bound to the SFTP client.
As shown in Figure 8-9, after the SFTP service is enabled on the SSH server, the SFTP Client
can use the password, RSA, password-rsa, or all authentication mode to log in to the SSH server.
Figure 8-9 Networking diagram for connecting the SFTP client to the SSH server
SSH Server
Eth1/0/0
10.164.39.222/24
Eth1/0/0
10.164.39.220/24
Client001
Eth1/0/0
10.164.39.221/24
Client002
1.
Configure Client001 and Client002 on the SSH server.
2.
Generate the local key pairs on the SFTP client and the SSH server .
3.
Generate the RSA public key on the SSH server and bind the RSA public key of SSH client
to Client002.
4.
Enable the SFTP service on the SSH server.
5.
Configure the service mode and authorization directory for the SSH user.
6.
Client001 and Client002 log in to the SSH server through SFTP.
Data Preparation
l
Issue 02 (2012-03-30)
Name and the authentication mode of the SSH user

168

Password or the RSA public key of the SSH user
Name of the SSH server
Procedure
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
Step 2 Create SSH users on the server.

# Configure a VTY user interface.
[SSH
[SSH
[SSH
[SSH


# Create an SSH user named Client001, configure password authentication for the user, and
set the password to huawei.
[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]

quit

# Create an SSH user named Client002, set the password to huawei, and configure RSA
authentication for the user.
[SSH
[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]
Server] ssh

quit
user client002 authentication-type rsa

# Generate a local key pair for Client002.
[client002] rsa local-key-pair create

[client002] display rsa local-key-pair public
=====================================================
Key name: Host
=====================================================
Key code:
Issue 02 (2012-03-30)

169

3047
0240
1D7E3E1B
0203
010001
=====================================================
Key name: Server
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

[SSH Server] rsa peer-public-key RsaKey001
NOTE: The number of the bits of public key must be between 769 and 2048.
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of the SSH client to Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Enable the SFTP service on the SSH server

# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Connect to the SSH server.

# Enable initial authentication for use by the SSH client at first time logins.
# Log in to the SSH server from Client001 in password authentication mode.

[client001] sftp 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Issue 02 (2012-03-30)

170


Connected to 10.164.39.222 ...
Enter password:
sftp-client>
# Log in to the SSH server from Client002 in RSA authentication mode.

[client002] sftp 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
sftp-client>

After the configuration is complete, run the display ssh server status and display ssh server
session commands. You can see that the SFTP service has been enabled, and that the SFTP
clients have logged in to the server.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH version
SFTP Server
:1.99
:60 seconds
:0 hours
:3 times
:Enable

[SSH Server] display ssh server session
-------------------------------------------------------------------Conn
Ver
Encry
State Auth-type
Username
-------------------------------------------------------------------VTY 3 2.0
AES
run
password
client001
VTY 4 2.0
AES
run
rsa
client002
--------------------------------------------------------------------
# Check information about the SSH users.

[SSH Server] display ssh user-information
------------------------------------------------------------------------------Username
Auth-type
------------------------------------------------------------------------------client001
password
null
client002
rsa
RsaKey001
-------------------------------------------------------------------------------
----End
Configuration Files
l
Configuration file of the SSH server.

#
sysname SSH Server
#
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
Issue 02 (2012-03-30)

171

peer-public-key end
#
aaa
local-user client001 password simple huawei
#
sftp server enable
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
#
Return
Configuration file of Client001 on the SSH client

#
sysname client001
#
ip address 10.164.39.220 255.255.255.0
#
#
return
Configuration file of Client002 on the SSH client

#
sysname client002
#
ip address 10.164.39.221 255.255.255.0
#
#
return
8.7.5 Example for Authenticating SSH Through RADIUS

This example shows how to configure a RADIUS server to authenticate a user who attempts to
access the SSH server. The SSH server determines whether to grant the user access and set up
a connection based on the authentication result.
When a RADIUS user is connected to an SSH server, the SSH server sends the username and
password of the SSH client to the RADIUS server (compatible with the TACACS server) for
authentication.
The RADIUS server authenticates the user and sends the result (pass or fail) back to the SSH
server. If authentication succeeded, the user level is sent along with the result. The SSH server
determines whether the SSH client is allowed to set up a connection based on the authentication
result.
Figure 8-10 shows the networking diagram.
Issue 02 (2012-03-30)

172

Figure 8-10 Networking diagram for authenticating SSH through RADIUS

Eth1/0/0
10.164.39.222/24
Eth1/0/0
10.164.39.221/24
SSH Client
SSH Server
10.164.6.49/24
Radius Server
1.
Configure the RADIUS template on the SSH server.
2.
Configure a domain on the SSH server.
3.
Create a user on the RADIUS server.
4.
Generate the local key pair on SSH client and the SSH server.
5.
Generate the RSA public key on SSH server and bind the RSA public key of the SSH client
to ssh2@ssh.com.
6.
Enable the STelnet and SFTP services on the SSH server.
7.
Configure the service mode and authorization directory of the SSH user.
8.
Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and
SFTP respectively.
Data Preparation
l
Configure the password authentication for the STelnet user
Configure the RSA authentication for the SFTP user
RADIUS authentication
Name of the RADIUS template
Name of the RADIUS domain
Name and password of the RADIUS user
Procedure
[Huawei] rsa local-key-pair create
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
Issue 02 (2012-03-30)

173

......++++++++

# Generate a local key pair on the client.
[Huawei] sysname client
[client] rsa local-key-pair create

[client] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: Host
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: Server
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]

[Huawei] rsa peer-public-key RsaKey001
[Huawei-rsa-public-key] public-key-code begin
[Huawei-rsa-key-code] 3047
[Huawei-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Huawei-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Huawei-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Huawei-rsa-key-code] 1D7E3E1B
[Huawei-rsa-key-code] public-key-code end
[Huawei-rsa-public-key] peer-public-key end
Step 3 Create SSH users.

Create users ssh1@ssh.com and ssh2@ssh.com on the RADIUS server. Specify the NAS's IP
address 10.164.39.222 and set the password to huawei. The NAS's IP address is the IP address
of the SSH server connected to the RADIUS server.
# Configure VTY user interfaces on the SSH server.
Issue 02 (2012-03-30)

174


[Huawei-ui-vty0-4] authentication-mode aaa
[Huawei-ui-vty0-4] protocol inbound ssh
[Huawei-ui-vty0-4] quit
# Create users ssh1@ssh.com and ssh2@ssh.com on the SSH server and set the authentication
mode.
[Huawei] aaa
[Huawei-aaa]
[Huawei-aaa]
[Huawei-aaa]
[Huawei] ssh
[Huawei] ssh
[Huawei] ssh
local-user ssh1@ssh.com password cipher huawei

local-user ssh2@ssh.com password cipher huawei
quit
user ssh1@ssh.com authentication-type password
user ssh2@ssh.com authentication-type rsa
user ssh2@ssh.com assign rsa-key RsaKey001
Step 4 Configure a RADIUS server template.

# Configure an authentication scheme newscheme and set the authentication mode to RADIUS
authentication.
[Huawei] aaa
[Huawei-aaa] authentication-scheme newscheme
[Huawei-aaa-authen-newscheme] authentication-mode radius
[Huawei-aaa-authen-newscheme] quit
# Configure a RADIUS server template ssh on the SSH server.

[Huawei] radius-server template ssh
# Specify the RADIUS server at 10.164.6.49 as the RADIUS authentication and set the
authentication port number to 1812.
[Huawei-radius-ssh] radius-server authentication 10.164.6.49 1812
# Set the shared key of the RADIUS server to huawei.

[Huawei-radius-ssh] radius-server shared-key cipher huawei
[Huawei-radius-ssh] quit
Step 5 Configure the RADIUS domain name on the SSH server.

# Set the RADIUS domain name to ssh.com and apply the authentication scheme newscheme
and RADIUS server template ssh to the RADIUS domain.
[Huawei] aaa
[Huawei-aaa] domain ssh.com
[Huawei-aaa-domain-ssh.com] authentication-scheme newscheme
[Huawei-aaa-domain-ssh.com] radius-server ssh
[Huawei-aaa-domain-ssh.com] quit
[Huawei-aaa] quit
Step 6 Connect the SSH client to the SSH server.

# Enable the SFTP service on the SSH server.
[Huawei] sftp server enable
# Enable initial authentication for use by SSH clients at first-time logins.

[client] ssh client first-time enable
[client] quit
# Log in to the SSH server from the STelnet client in RADIUS authentication mode.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username: ssh1@ssh.com
Issue 02 (2012-03-30)

175

Trying 10.164.39.222 ...

Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei. The following information indicates that the login succeeds.
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 2.
<Huawei>
# Log in to the SSH server from the SFTP client in RADIUS authentication mode.
<client> system-view
[client] sftp 10.164.39.222
Please input the username: ssh2@ssh.com
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
Enter password:
sftp-client>

After the preceding configuration is complete, run the display radius-server configuration and
display ssh server session commands on the SSH server to view the RADIUS server
configuration and the SSH session status. You can see that the STelnet and SFTP clients have
logged in to the SSH server.
# View the configuration of the RADIUS server.
[Huawei-aaa] display radius-server configuration
------------------------------------------------------------------Server-template-name
: ssh
Protocol-version
: standard
Traffic-unit
: B
Shared-secret-key
: N`C55QK<`=/Q=^Q`MAF4<1!!
Timeout-interval(in second)
: 5
Primary-authentication-server
: 10.164.6.49
:1812
LoopBack:NULL
Primary-accounting-server
: 0.0.0.0
:0
LoopBack:NULL
Secondary-authentication-server : 0.0.0.0
:0
LoopBack:NULL
Secondary-accounting-server
: 0.0.0.0
:0
LoopBack:NULL
Retransmission
: 3
Domain-included
: YES
-------------------------------------------------------------------

[Huawei] display ssh server session
-------------------------------------------------------------------Conn
Ver
Encry
State Auth-type
Username
-------------------------------------------------------------------VTY 0 2.0
AES
run
password
ssh1@ssh.com
VTY 1 2.0
AES
run
rsa
ssh2@ssh.com
--------------------------------------------------------------------
----End
Configuration Files
#
radius-server template ssh
Issue 02 (2012-03-30)

176

radius-server authentication 10.164.6.49 1812

#
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
authentication-scheme newscheme
authentication-mode radius
#
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
sftp server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh2@ssh.com assign rsa-key RsaKey001
#
#
return
Issue 02 (2012-03-30)

177

9 Upgrade and Maintenance
Upgrade and Maintenance
About This Chapter

router upgrade and maintenance can optimize device performance, monitor device operation
status, simplify operations, and reduce operating expenditure (OPEX).
9.1 Upgrade and Maintenance Overview
Devices can be upgraded and maintained by activating GTL license files, upgrading system
software, managing patches, monitoring CPU and memory usage, or restarting devices.
9.2 Activating a GTL License File
A GTL(Global Trotter License) license file is an authorization file that controls the capacity and
functions of a device.
9.3 Upgrading System Software
Software upgrade can optimize device performance, add new features, and update the current
software version.
9.4 Managing Patches
This section describes several operations related to patches. You can install patches to upgrade
the system without interrupting services, specify a patch file to be used after the next startup,
uninstall patches that do not meet system requirements, or delete the unwanted patches to release
the memory of the patch area on the MPU.
9.5 Monitoring CPU and Memory Usage
Configure CPU and memory usage thresholds to monitor system performance.
9.6 Restarting the Device
After the system software of the router is upgraded, the router must be restarted for configurations
to take effect. Restarting the router also prevents the system failure due to an excessive number
of temporary files.
The examples explain networking requirements and precautions, and provide configuration
roadmaps.
Issue 02 (2012-03-30)

178

9.1 Upgrade and Maintenance Overview

Devices can be upgraded and maintained by activating GTL license files, upgrading system
software, managing patches, monitoring CPU and memory usage, or restarting devices.
9.1.1 License Authorization

The AR150/200 provides a platform to manage license authorizations. You can apply for,
upgrade, and activate license files to obtain corresponding rights.
When new devices are deployed, purchase new licenses to enable the license-controlled features
and functions you need. If the capacities of the existing devices are expanded, you can update
the licenses used on the devices to enable more license-controlled features and functions.
To use the SSL VPN function, apply for a license.
To use the PBX function on the AR150/200, apply for a license.
9.1.2 Software Upgrade

Software upgrade satisfy user needs for new functions by upgrading the patch file, system
software, configuration file, PAF file, and license file.
Software upgrade involves software downloading and software loading.
9.1.3 Patch Management

Loading a patch onto the system software allows the system software to be upgraded in service
without interrupting services on the device. This also improves Quality of Service (QoS).
During device operation, the system software may need to be modified due to system bugs or
new function requirements. The traditional way is to upgrade the system software after powering
off the device. This, however, interrupts services and affects QoS.
By means of patch management, the system software can be upgraded in service without
interrupting services.
Table 9-1 provides details on patch status.
Table 9-1 Description of patch status
Issue 02 (2012-03-30)
Patch Status
Description
Patch Status Transition
None
A patch file is saved to the storage

medium but has not been loaded to
the patch area in memory.
The patch file will be in the running

state after being loaded from the
storage medium to the patch area in
memory.

179

Patch Status
Description
Patch Status Transition
Running
A patch file is in the running state

when it is stored in the patch area
and run permanently. If a board is
reset, the patch files in the running
state on the board remain in the
running state.
A patch file in the running state can

be deleted from the patch area in
memory.
Figure 9-1 shows patch status transition.

Figure 9-1 Patch status transition
Patch Status:
none
Upload and
Run patch
Delete patch
Patch Status:
running
9.1.4 CPU and Memory Usage Thresholds

Configuring CPU and memory usage thresholds allows system performance to be monitored.
l
A log entry is recorded when CPU usage exceeds the configured threshold.
If CPU usage exceeds the threshold, an alarm is generated and logged. You can query the
log to view CPU usage.
A log entry is recorded when memory usage exceeds the configured threshold.
If memory usage exceeds the threshold, an alarm will be generated and logged. You can
query the log to view memory usage.
9.1.5 Device Restart

A device can be restarted immediately or as scheduled.
In certain situations, for example, during system upgrade, the router must be restarted for
configurations to take effect.
In addition to powering off the device, the AR150/200 supports the following methods of
restarting the router:
l
Immediate restart
Scheduled restart
9.2 Activating a GTL License File

A GTL(Global Trotter License) license file is an authorization file that controls the capacity and
functions of a device.
Issue 02 (2012-03-30)

180


If you have purchased a new device, you need to apply for and purchase a GTL license file to
obtain the authorization of related service modules. If a GTL license file has already been
activated on the device but the license file expires, you need to apply for a new license file, and
then upgrade and activate the license file.
l
Activating a new GTL license

If you purchase a new device, you must also purchase a GTL license file to obtain
authorization to use the service modules you require. After the GTL license file has been
activated, the license-controlled service modules can be used.
Activating an updated GTL license file

If a device has a previously activated GTL license file that has expired, you must apply for
a new GTL license file, update the old file, and then activate the new file. If a GTL license
file is not updated and expires, functions are disabled and services are interrupted.
Before updating a GTL license file, check whether you must apply for a new GTL license.
If the authorization value of the new GTL license file is smaller than that of the current
GTL license file, an interactive message is displayed to prompt you whether to activate the
new GTL license file.
If you enter Y, the system informs you of a GTL license file update success.
If you enter N, the system informs you of a GTL license update failure, and displays
the status of the current GTL license file.
Before activating a GTL license file, check that the extension of the GTL license file name is .dat.
After obtaining a GTL license file, use a notepad program like Windows Notepad to check
whether the ESN on the MPU is the same as that in the GTL license file.
NOTE
The extension of the GTL license file name is .dat.
A GTL license file must be one of the two versions, COMM or DEMO.
Version
Period of Validity
Reservation Period
COMM
As defined in a contract
Usually 90 days and at most

180 days
DEMO
Usually 60 days; actual time

varies according to product
Usually 60 days; actual time

varies according to products
You can run the display
license state command to
view how long a license in the
Demo version will expire.
The system prompts you with a message each day in the reservation period. If you intend to
continue using the service modules, you need to apply for a new GTL license.
Issue 02 (2012-03-30)

181

NOTE
The reservation period refers to the number of days for which you can continue to use service modules
after the GTL license expires.
Before activating a GTL license file, complete the following tasks:
l
Applying for a GTL license file
Data Preparation
To activate a GTL license file, you need the following data.
No.
Data
GTL license file name
9.2.2 Uploading a GTL License File

The GTL license file that has been applied for can be activated only after the file has been
uploaded to the storage medium on a device.
Context
Before uploading a GTL license file, run the dir command to check that the storage media has
adequate free space to store the GTL license file.
Procedure
Step 1 Run:
dir device-name
Check whether the GTL license file is existed.

The license file is in the *.dat format and can be stored in the flash memory or USB flash drive.
NOTE
A user who wants to upgrade a GTL license must run the license revoke command to obtain an invalidation
code, and then use this code to apply to Huawei for a new GTL license. This user also needs to load the
new GTL license file to the main control board.
----End
9.2.3 Activating the GTL License File

After activating the GTL license, you are allowed to operate the corresponding service modules.
Procedure
l
Activate the GTL license for the first time.

1.
Run:
license active file-name
Issue 02 (2012-03-30)

182

The GTL license is activated and you obtained permission.

NOTE
If you use the GTL license for the first time, buy the GTL license file from Huawei.
Upgrade the GTL license.

1.
Run:
license revoke
The GTL license invalidation code is returned.

NOTE
Apply to Huawei for a new GTL license by using the invalidation code.
2.
Run:
license active file-name
The GTL license is activated and you obtained permission.

----End
9.2.4 (Optional) Enabling the Emergency State of the GTL License

Module
When the Emergency state of the GTL license module is enabled, a device can use the maximum
specification for each feature or function.
Context
The Emergency state of a GTL license module can be enabled on the router in any of the
following situations:
l
A Comm version of the GTL license file has been activated and is in the Normal state.
A Demo version of the GTL license file has been activated and is in the Demo state.
When the time period for enabling the Emergency state comes to an end, the state can be
enabled again on the final day of the first period.
Procedure
Step 1 Run:
license emergency
The Emergency state of the GTL license module is enabled.

NOTE
Note the following concerning the Emergency state:

l The Emergency state cannot be cancelled manually.
l The Emergency state can only be enabled three times, each time for seven days.
l The Emergency state can be re-enabled only on the last day of the previous enabling period.
----End

After the GTL license file has been activated, you can view information about the file on the
master and slave MPUs.
Issue 02 (2012-03-30)

183

Prerequisites
The configurations for activating the GTL license file are complete.
Procedure
l
Run the display license command to check information about the GTL license file on the
master and slave MPUs.
Run the display license state command to check the license type.
----End
Example
<Huawei> display license
Active License on master board: flash:/LIC_ON77076_A6D2CE1AEC3_AR.dat
Active license
License state
Revoke ticket
Product
Product
License
23456789
License
Creator
Created
Country
Custom
Office
name
version
file ESN
: flash:/LIC_ON77076_A6D2CE1AEC3_AR.dat
: Demo
: No ticket
: AR
: V200R002
: AR00050123456789,AR00060123456789,AR00070123456789,AR000801
Serial No :
:
Time
:
:
:
:
LIC20110309010210
Huawei Technologies Co., Ltd.
2011-03-09 19:36:14
China
R&D of Huawei Technologies Co., Ltd.
Shenzhen
Feature name
Authorize type
Expired date
Trial days
:
:
:
:
ACCESS
DEMO
2011-06-07
60
Item name
Item type
Control value
Used value
Item state
Item expired date
Item trial days
Description
:
:
:
:
:
:
:
:
LLE0IPPBX01
Function
1
1
Normal
2011-06-07
60
LLE0IPPBX01
9.3 Upgrading System Software

Software upgrade can optimize device performance, add new features, and update the current
software version.

To add new features or optimize device performance based on customer requirements, you can
upgrade the current system software.
Before upgrading system software, you can select resource files as needed.
Issue 02 (2012-03-30)

184

NOTE
Note the following points before upgrading system software:

l
Obtain the new system software and relevant upgrade documents from Huawei.
Different products use different system software versions. For information about particular products,
refer to the official Huawei upgrade guide when upgrading a device.
Enable the logging function to record all operations during the upgrade. This facilitates fault analysis
and location in case of an upgrade failure.
If the device restarts due to incorrect resource file configurations, the device will automatically roll
the resource file back to the source version after the device has been restarted.
Before upgrading system software, complete the following task:
l
Making sure that the router to be upgraded is working properly, and logging in to the router
Data Preparation
To upgrade system software, you need the following data.
No.
Data
Baud rate of a serial interface
IP address of an FTP server or the router
Username and password used for FTP login
(Optional) New system software, configuration files, license file, and patch file
9.3.2 Checking the System Before the Upgrade

Carefully check a device to be upgraded against an upgrade checklist to ensure that the upgrade
can proceed smoothly.
Procedure
Step 1 Prepare hardware as needed, for example, free up memory space to store new system software
and related upgrade files.
Step 2 Check whether a new GTL license file is required and, If so, obtain it from Huawei.
NOTE
l A new GTL License must be obtained when a device is upgraded to a new R version or V version.
l The new GTL license file must be consistent with the system software.
To view GTL license-controlled features, use a text editor like Windows Notepad to open the
GTL license file. The contents of the Resource and Function fields are the resource and function
items controlled by the GTL license file.
Step 3 Obtain software required for the upgrade. The new system software (.cc file) and relevant
upgrade documents must be obtained from Huawei.
Issue 02 (2012-03-30)

185

Step 4 In the user view, run the display version command to view the current system software. If the
current system software is the same as or later than new system software, an upgrade is
unnecessary.
Step 5 Run the following commands to check the device operation status:
Run the display memory-usage command in the user view to check the memory usage of MPUs
to ensure that the MPUs are working properly.
Run the display health command in the user view and record the command output. If you cannot
locate faults that have occurred during the upgrade, provide this information to Huawei technical
personnel for troubleshooting.
Step 6 Set up an environment where TFTP or FTP can be used to perform software upgrade. This helps
to back up the original resource files before the upgrade and upload the new resource files
required for the upgrade.
When the system software is upgraded with FTP:
l If the device to be upgraded functions as a client and a PC functions as a server, you must
install FTP server software on the PC. You need to purchase and install FTP server software
yourself, because the device does not have such software installed by default.
l If the device to be upgraded functions as a server and a PC functions as a client, you do not
need to install FTP server software on the PC. By default, the FTP server function on the
device to be upgraded is disabled. To enable the function, run the ftp server enable
command.
When the system software is upgraded with TFTP, the device to be upgraded can only function
as a client and does not provide the TFTP server function. In this case, you must install TFTP
server software on the PC.
Step 7 Back up important data stored in the storage media on the device to be upgraded.
Step 8 Check that the device storage media has adequate free space to store the new system software
and related upgrade files.
----End
9.3.3 Downloading a System File

Context
This section describes how to download a system file to the AR150/200.
Procedure
l
Issue 02 (2012-03-30)
Uploading a system file to the AR150/200 using the AR150/200 as the FTP server and
the PC as the FTP client
1.
Run the system-view command to enter the system view.
2.
Run the ftp server enable command to enable the FTP server.
3.
Run the aaa command to enter the AAA view.
4.
Run the local-user user-name password { simple | cipher } password command to

configure a local user name and password.
186

5.
Run the local-user user-name service-type ftp command to set the service type of
the local user to FTP.
6.
Run the local-user user-name ftp-directory directory command to specify an FTP

working directory for the FTP user.
7.
On the PC (running a Windows operating system for example), choose Start >
Run. Enter cmd and press Enter to enter the command line window.
8.
Place the system file to a specified directory, for example, D:\ftp.
9.
Run the ftp ip-address command to log in to the router.

Enter the configured user name and password as prompted, and press Enter. When
the command line prompt of the FTP client view, such as ftp>, is displayed, you are
in the working directory of the FTP server, as shown in Figure 9-2.
Figure 9-2 Logging in to the FTP server from the PC
10. Run the binary command on the router to set the file transfer mode to binary.
NOTE
FTP supports two file transfer modes: ASCII and binary. Their differences are as follows:
l The ASCII transfer mode uses ASCII characters and separates carriage returns from line
feed characters.
l The binary transfer mode transfers characters without format conversion or formatting.
The client specifies which file transfer mode to use. The default file transfer mode is ASCII
transfer. You can use use a command to change the file transfer mode. Transfer text files in
ASCII mode and binary files in binary mode. When transfer the system file, use the binary
mode.
11. Run the put remote-filename [ local-filename ] command to upload the system file
from the PC to the router.
12. Run the dir command on the router to check whether the system file exists in the
current directory.
Issue 02 (2012-03-30)

187

NOTE
If the size of the system file in the current directory on the router is different from that on the
PC, an error may occur during file transfer. Upload the system file again.
Uploading a system file to the AR150/200 using the AR150/200 as the FTP client and
the PC as the FTP server
1.
Run an FTP server program on the PC. This procedure uses WFTPD32 as an example,
as shown in Figure 9-3.
Figure 9-3 Running an FTP server program on the PC
2.
Choose Security > Users/rights to configure a user name, password, and FTP
working directory on the PC, as shown in Figure 9-4.
Click New User to set the user name and password. Here, the user name is AR and
the password is 123456. Specify the FTP working directory on the PC in the Home
Directory text box, for example, D:\ftp. Place the system file to this directory and
click Done to close the dialog box.
Issue 02 (2012-03-30)

188

Figure 9-4 Configuring an FTP user
3.
Run the ftp host [ port-number ] command on the router to log in to the PC.
NOTE
Before downloading the system file from the PC, ensure that there is enough space on the
router to store the system file. Enter the configured user name and password to log in to the
PC.
4.
Run the binary command to set the file transfer mode to binary.
5.
Run the get remote-filename [ local-filename ] command to download the system file
from the PC.
6.
After the system file is downloaded, run the bye or quit command to terminate the
connection with the PC and return to the user view.
7.
Run the dir command on the router to check whether the system file exists in the
current directory.
NOTE
If the size of the system file in the current directory on the router is different from the PC, an
error may occur in file transfer. Upload the system file again.
Uploading a system file to the AR150/200 using the AR150/200 as the TFTP client and
the PC as the TFTP server
NOTE
The AR150/200 can function only as a TFTP client but not a TFTP server.
1.
Issue 02 (2012-03-30)
Run a TFTP server program on the PC. This procedure uses TFTP32 as an example,
as shown in Figure 9-5.

189

Figure 9-5 Running a TFTP server program on the PC
2.
Set Current Directory to the directory of the backup system file by clicking
Browse, and place the system file to the specified directory. Set Server Interface to
the IP address of the TFTP server. The IP address is usually displayed automatically.
3.
Run the tftp tftp-server get source-filename [ destination-filename ] command on the

router to download the system file from the PC.
NOTE
Before downloading the system file from the PC, ensure that there is enough space on the
router to store the system file.
4.
Run the dir command on the router to check whether the system file exists in the
current directory.
NOTE
If the size of the system file in the current directory on the router is different from that on the
PC, an error may occur during file transfer. Upload the system file again.
Downloading a system file to the AR150/200 using the BootROM menurouter

NOTE
This method is not recommended because the upgrade procedure is complicated. Use this method
only when the router system software cannot start.
Connect the router's management interface to the PC.
The management interface varies according to the device model:
l AR150: Ethernet0/0/3
l AR200: Ethernet0/0/6
l AR1200: GigabitEthernet0/0/0
Issue 02 (2012-03-30)

190

1.
Run an FTP server program (for example, WFTPD32) on a terminal or PC, specify
the directory of the system file, and configure an FTP user name and password
according to Step 2.
2.
Log in to the router from the console port. For details, see 1.2 Logging In to the
Device Through the Console Port.
3.
Restart the router. Press Ctrl+B to enter the BootROM menu when the following
information is displayed.
Sep 16 2011,17:14:28
Copying Data : Done
Uncompressing : Done
Initializing SMI Bus:OK
Init flash, please wait......
Base Address: 0xfffffffffc000000
Size is: 0x20000000OK
flash drv init.
Initializing FlashPiece Module:
FlashPiece start offset at: 0x300000
FlashPiece size is: 0x100000
Initializing FlashDynamic Module:
FlashDynamic start offset at: 0x400000
FlashDynamic size is: 0x200000
Initializing I2C Bus:OK
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc
EHCI Controller found.
Waiting to attach to USBD...0xbfffdf0 (tRootTask): usb1_base =
0xbff22000Done.
0xbfffdf0 (tRootTask): usbBulkDevInit() returned OK
Press Ctrl+B to break auto startup ... Attached TCP/IP interface to teth1.
NOTE
l To access the BootROM menu, you must enter the initial password huawei after pressing
Ctrl+B.
4.
Select choice 3 to enter the network menu.

Enter Password:
Main Menu
1.
2.
3.
4.
5.
6.
Default Startup
Serial Menu
Network Menu
Startup Select
File Manager
Reboot
Enter your choice(1-6):3
5.
Select choice 2 to modify parameters.

NetWork Menu
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
Enter your choice(1-10): 2
Configure the FTP service type, system file name, network management interface
address, FTP server address, FTP user name, and FTP password.
NOTE:
Ftp type define:
Issue 02 (2012-03-30)
0(ftp), 1(tftp),

191

ENTER = no change; '.' = clear;

Ftp type
File name
Ethernet ip address
Ethernet ip mask
Gateway ip address
Ftp host ip address
Ftp user
Ftp password
6.
:
:
:
:
:
:
:
:
0
ar.cc
192.168.200.174
ffffff00
192.168.200.1
ar
ar
After the system returns to the network menu, select choice 4 to download the specified
system file from the PC.
NetWork Menu
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
Enter your choice(1-10): 4
7.
Specify the location to save the system file.

Download file to: [ 1:flash 2:usb0 ]:
Enter the corresponding number to select the storage media. For example, 1 indicates
the flash memory.
NOTE
The device uses the flash as default settings. The other storage media such as USB flash drive
will be displayed only after they are installed.
8.
After the system file is downloaded to the router, restart the router.
----End
9.3.4 Specifying the System Software to Be Used at the Next Startup

After the system software to be used by the router at the next startup is specified, the patch status
file to be used at the next startup must be reset.
Context
Before specifying the system software to be used at the next startup, perform the following
operations:
Upload the system software to the master and slave MPUs. For details, see information about
uploading and downloading files in Managing Files Using FTP Commands.
Make sure that the storage media on the MPUs have sufficient space to store the system software.
NOTE
Check the size and release date of the system software to be uploaded.
Do as follows on the router to be upgraded:
Procedure
Step 1 In the user view, run:
startup system-software system-file
Issue 02 (2012-03-30)

192

The system software to be used at the next startup is specified for the MPU.
Step 2 (Optional) If the upgraded system software needs a corresponding patch file, perform the
following operations:
l Run:
startup patch file-name
A patch file to be used at the next startup is specified for the MPU.
Step 3 (Optional) Run:
startup saved-configuration configuration-file
The configuration file to be used at the next startup is specified for the MPUs.
----End
9.3.5 Configuring a Backup Startup File

After a backup startup software package is configured, the system can restart properly if a fault
occurs.
Context
If the storage device where the startup software package is stored is damaged, you can use the
backup software package to make the system start.
NOTE
l The file name extension of the system software package must be .cc and the package must be stored
in the root directory.
l The backup startup software package can be identical with or different than the current startup software
package. Either can be used to start the system.
Procedure
Step 1 Run:startup system-software filename backup. A backup startup software package is
specified.
----End
9.3.6 (Optional) Upgrading the BootROM of the LPU

After the system software is upgraded, you need to manually upgrade the BootROM of the 2FE .
Context
NOTE
Run the display device command to check whether the device is configured with a registered 2FE .
Procedure
Step 1 Run:
upgrade slot slot-id startup bootrom
The BootROM is upgraded.

Issue 02 (2012-03-30)

193

Step 2 Run:
reset slot slot-id
The LPU is reset.

After the LPU is reset, run the display version slot slot-id command to check whether the
BootROM has been upgraded.
----End
9.3.7 Restarting a Device

The system software to be used at the next startup will take effect only after the device is restarted.
Context
During the upgrade, the device must be restarted in the following situations:
l
The system software and configuration file to be used at the next startup have been specified.
CAUTION
Before restarting the router, run the save command to save the current configuration file.
The router restarts with the specified startup files. If the specified startup files are damaged, the
router restarts with the backup startup files. If the router fails to restart with the backup startup
files, it searches valid startup files on the storage devices in the sequence "Flash memory-> USB
flash drive." If a storage device has multiple startup files, it uses the startup file that is found
first for startup. When the router finds valid system software packages and configuration files
on the storage device, it selects a rollback version within 24 minutes and restarts with the selected
version. If the router does not find valid system software and configuration file, it stops at the
BootROM menu.
Procedure
l
In the user view, run:

reboot [ fast ]
The router is restarted.

----End

After the system software is upgraded, you can check information about interface parameters
and version consistency between resource files.
Prerequisites
The configurations for upgrading system software are complete.
Procedure
l
Issue 02 (2012-03-30)
Run the display patch-information command to check information about all patches.
194

Run the display startup command to check that the values of the "Startup system software"
and "Startup saved-configuration file" fields in the command output are the values you
require.
----End
Example
After the patch is installed, run the display patch-information command. You can view the
patch status on each board.
<Huawei> display patch-information
Patch version
:
ARV200R001C00SPH100
Patch packet name:
flash:/patch_lic2.pat
Run the display startup command. You can view the names of the system software and the
configuration file used at the startup. For example:
MainBoard:
flash:/ar0215_31345_200.cc
flash:/ar0215_31345_200.cc
null
flash:/iascfg.zip
flash:/iascfg.zip
null
null
null
null
null
null
9.4 Managing Patches

This section describes several operations related to patches. You can install patches to upgrade
the system without interrupting services, specify a patch file to be used after the next startup,
uninstall patches that do not meet system requirements, or delete the unwanted patches to release
the memory of the patch area on the MPU.

To rectify system vulnerabilities or defects, you can install patches. Installing patches allows
the system to be upgraded without interrupting services.
The installation process installs a patch to the MPU and all LPUs.
You can use either of the following methods to install patches:
l
Installing a patch file immediately: The patch file takes effect after a command is used to
run the patch file, without having to restart the device. For details, see Installing a
Patch.
Specifying a patch file to be used at the next startup: The patch file takes effect after the
device is restarted.
Issue 02 (2012-03-30)

195

Before managing patches, complete the following tasks:
l
Making sure that the router is working properly
Storing patches in the storage medium on the router
Data Preparation
To manage patches, you need the following data.
No.
Data
Patch file
9.4.2 Installing a Patch

You can load and run a patch in the user view. This allows the device performance to be
optimized.
Context
Only one patch file can be run in the system at a time. Therefore, display patch-information
run the command before patch installation to check information about all patches, including the
running patches. If the command output shows that there is a running patch file in the system,
delete the running patch file.
In addition, perform the following operations before patch installation:
l
Upload a patch file to the master MPU. For details, see the contents of uploading and
downloading files in Performing File Operations by Using FTP Commands.
Procedure
Step 1 Enter the user view.
Step 2 Run:
patch load patchname all run
The patch is activated.

NOTE
l The patch load patchname all run command can activate only one patch file each time.
l Each patch is developed incrementally based on the earlier version. If the incremental patch
patchB.pat is activated when the system is running the earlier version patchA.pat, patchB.pat takes
effect. To run patchA.pat again, run the patch delete all command to delete patches in the system,
and load and activate patchA.pat. Alternatively, run the startup patch command to specify
patchA.pat as the next startup patch, and then restart the device to make patchA.pat effective.
----End
Issue 02 (2012-03-30)

196

9.4.3 Specifying a Patch File to Be Used at the Next Startup

If you do not want the patch file that has been uploaded to the storage media to take effect, you
can specify a different patch file to be used at the next startup. This patch file will take effect
after the device is restarted.
Context
Before specifying a patch file to be used at the next startup, the following tasks must be
completed:
l
Upload the specified patch file to the storage medium on the master MPU. For details, see
the contents of uploading and downloading files in Managing Files Using FTP
Commands.
Procedure
Step 1 In the user view, run:
startup patch file-name
The patch file (*.pat) to be used at the next startup is specified for the master and slave MPUs.
----End
Follow-up Procedure
After the patch file to be used at the next startup has been specified, run the display startup
command to view the value of the "Next startup patch package" field on the MPUs.
9.4.4 Uninstalling a Patch

If an installed patch does not meet system requirements, or more storage space of the patch area
is needed, you can uninstall the patch by running a command in the user view.
Context
Only one patch file can be run in the system during patch installation. Therefore, delete the
running patch file from the patch area before loading and running a new patch file.
Procedure
Step 1 Run:
patch delete all
All patches in the system are deleted.

----End
Follow-up Procedure
After patch files have been deleted, run the following command to verify the configuration.
l
Run the display patch-information command to check the patch status.

Info: No patch in the system
Issue 02 (2012-03-30)

197


After patch installation is complete, you can view patch information, such as the patch status.
Prerequisites
The configurations for patch installation are complete.
Procedure
l
Run the display patch-information command to check information about all patches.
----End
Example
After a patch has been installed, run the display patch-information command to view the patch
status on each board.
Patch version
:
ARV200R002C00SPH100
Patch packet name:
flash:/patch_lic2.pat
9.5 Monitoring CPU and Memory Usage

Configure CPU and memory usage thresholds to monitor system performance.

Before setting CPU and memory usage thresholds, familiarize yourself with the applicable
The CPU and memory are key parts of a device. Routing information and fast route algorithms
can consume a large amount of CPU resources, affecting system performance. If resource usage
is too great, the device is unable to process data in a timely manner, packets may be lost, or the
system may break down. Customers must bear the losses from such occurrences.
If alarms warn of high CPU or memory usage during data processing on the router, CPU and
memory usage can be effectively monitored, and the system performance can be optimized. This
facilitates normal system operations.
Before setting CPU and memory usage thresholds, complete the following task:
l
Data Preparation
To set CPU and memory usage thresholds, you need the following data.
Issue 02 (2012-03-30)

198

No.
Data
CPU usage thresholds, including an alarm threshold and a clear alarm threshold
Memory usage threshold
9.5.2 Setting CPU Usage Thresholds

Setting CPU usage thresholds allows CPU usage to be monitored.
Context
Two CPU usage thresholds are set:
l
Alarm threshold: indicates that the system generates an alarm when CPU usage reaches
this alarm threshold.
Clear alarm threshold: indicates that the alarm is cleared when CPU usage falls below this
clear alarm threshold.
Procedure
Step 1 Run:
system-view

Step 2 Run:
set cpu-usage threshold threshold-value
An alarm threshold and a clear alarm threshold are set for CPU usage on an MPU or an LPU in
a specified slot.
NOTE
By default, the alarm threshold for CPU usage is 80%, and the clear alarm threshold for CPU usage is 75%.
----End
9.5.3 Setting a Memory Usage Threshold

Setting a memory usage threshold allows memory usage to be monitored.
Context
Two memory usage thresholds are set:
l
Alarm threshold of memory usage: indicates that the system generates an alarm when the
memory usage reaches the alarm threshold.
Clear alarm threshold of memory usage: indicates that the alarm is cleared when the CPU
usage falls below the clear alarm threshold.
Procedure
Step 1 Run:
Issue 02 (2012-03-30)

199

system-view

Step 2 Run:
set memory-usage threshold threshold-value
An alarm threshold is set for memory usage.

Default settings are as follows:
l If the memory of an LPU is equal to or smaller than 128 MB, the alarm threshold for memory
usage is 90%.
l If the memory of an LPU ranges from 128 MB to 256 MB, the alarm threshold for memory
usage is 95%.
l If the memory of an LPU ranges from 256 MB to 512 MB, the alarm threshold for memory
usage is 95%.
l If the memory of an LPU is larger than 512 MB, the alarm threshold for memory usage is
95%.
----End

After CPU and memory usage thresholds are set, you can view information about the CPU usage
and memory usage.
Prerequisites
The configurations of for CPU and memory usage thresholds are complete.
Procedure
l
Run the display cpu-usage configuration command to check CPU usage.
Run the display memory-usage thresholdcommand to check memory usage.
----End
Example
# Display the CPU usage of the MPU. The CPU usage is displayed in the CPU column.
<Huawei> display cpu-usage
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage
: 0% Max: 100%
CPU Usage Stat. Time : 2011-01-30 15:41:37
CPU utilization for five seconds: 0%: one minute: 0%: five minutes: 0%.
TaskName
BOX
_TIL
VCLK
TICK
co0
TAD
RTMR
IPCQ
IPCK
VP
IPCW
Issue 02 (2012-03-30)
CPU
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
Runtime(CPU Tick High/Tick Low) Task Explanation

0/ 7097de
BOX Output
0/
0
Infinite loop event task
0/ d90e00
0/ 38b72ad
0/ 1e677b
co0 Line user's task
0/
0
TAD Transmission Alarm Damping
0/ 18a307e
RTMR
0/ 1c181c4
IPCQIPC task for single queue
0/
0
IPCKIPC task for ack message
0/
38700
VP Virtual path task
0/
1a167
IPCWIPC task of WVRP

200

VPWV
RPCQ
VFS
VMON
HACK
MTP
STND
CFA
INFO
SAPP
NQAC
NQAS
VOAM
MINM
APS
ISC6
FIB6
BFD
TNLM
OAM
LSPA
L2V
SNPG
CCTL
TCTL
NAP
PM
PMF
EOAM
1731
TRAF
SLAG
ITSK
CDM
CSBR
NFPT
SOCK
VTRU
FIB
MFIB
IFNT
U 0
PDTT
VTYD
RSA
GRSA
AGNT
TRAP
AGT6
FMAT
MDMT
NTPT
CFM
HS2M
ISSU
WEBS
CMDA
MACR
SNP
AAA
RDS
TACH
WEB
UCM
LAM
GTL
CPPS
ROUT
LSPM
Issue 02 (2012-03-30)
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

0/ 19540d
0/ 1540dc
0/
0
0/
59002
0/
0
0/
0
0/ 5de440
0/ 28c9fa
0/
e7e7
0/
39569
0/
0
0/
0
0/
0
0/ 532c94
0/ 570eda
0/
0
0/
0
0/ 8557f7
0/ 16dc594
0/ 7e0fb2
0/
0
0/ 12eb43
0/ 552703
0/
0
0/
0
0/
0
0/
e509c
0/
0
0/
6c0c8
0/
bbbaf
0/
0
0/
0
0/ 176169
0/
9d3ca
0/
0
0/
aab1f
0/ 61e702
0/
0
0/
0
0/
22b68
0/
0
0/
0
0/
0
0/ 180a11
0/
0
0/
0
0/
0
0/ ec52e5
0/
0
0/ 262b90
0/ e825a5
0/ 1b3d998
0/
0
0/
0
0/
0
0/ add886
0/
0
0/
10c76
0/
0
0/
0
0/
0
0/ 5d0a21
0/
0
0/
bd69
0/
0
0/
0
0/
0
0/ 1dbd703
0/ 1c0a41
VPWVP task of WVRP

RPCQRemote procedure call
VFS Virtual file system
VMONSystem monitor
HACKtask for HA ACK
MTP
STNDStandby task
CFA Configuration agent
INFOInformation center
SAPP
NQAC
NQAS
VOAM
MINMMac in Mac
APS Automatic Protection Switch
ISC6
FIB6IPv6 FIB
BFD Bidirection Forwarding Detect
TNLM
OAM OAM
LSPA
L2V
SNPG
CCTLBulk stat connect control
TCTLBulk stat transmit control
NAP
PM
PMF
EOAMEthernet OAM 802.1ag
1731Ethernet OAM Y1731
TRAFTraffic Statistics
SLAG
ITSKIPOS common task
CDM
CSBRCompare slave buildrun-info
NFPTNFP timer task
SOCKPacket schedule and process
VTRUNK
FIB Forward Information Base
MFIBMulticast forward info
IFNTIfnet task
U 0 user command process task
PDTTPDT timer task
VTYDVirtual terminal
RSA RSA public-key algorithms
GRSA
AGNTSNMP agent task
TRAPSNMP trap task
AGT6SNMP AGT6 task
FMATFault Manage task
MDMTModem task
NTPTNetwork time protocol task
CFM Configuration file management
HS2MHigh available task
ISSU
WEBSERVER
CMDA
MACRO
SNP DHCP snooping function
AAA AAA
RDS RADIUS
TACHWTACACS
WEB WEB Authentication
UCM User Connection Management
LAM Local Accounting Management
GTL
CPPS
ROUTRoute task
LSPMLsp management

201

RSVP
LDP
CSPF
GRES
GEM
GEM
UTSK
APP
IP
LINK
VRPT
HOTT
TNQA
TTNQ
TARP
TTVP
L2
VRRP
L2_P
ARP
PBBL
RMON
OS
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
100%

0/
0
0/ cffb6c
0/
cd083
0/
0
0/
0
0/
0
0/
0
0/
16649
0/
9ff0c
0/ 1f0b816
0/
8da6a
0/
0
0/
d9e0e
0/
0
0/
0
0/
0
0/ 67387b
0/ 25d5a0c
0/ b18764
0/
0
0/
0
0/
ab97a
20/98434960
RSVP task
LDP task
CSPF task
GRESM task
GEM
GEM RUN
UTSK
APP
IP
LINK
VRPT
HOTT
TNQAC
TTNQAS
TARPING
TTVPLS
L2
VRRP
L2_PR
ARP
PBBL
RMONRemote monitoring
Operation System
# Display the CPU usage of the MPU.

<Huawei> display cpu-usage configuration
The CPU usage monitor is turned on.
The current monitor cycle is 60 seconds.
The current monitor warning threshold is 80%.
The current monitor restore threshold is 75%.
# Check the memory usage of the MPU.

<Huawei> display memory-usage threshold
Current memory threshold of the main board is 90%.
9.6 Restarting the Device

to take effect. Restarting the router also prevents the system failure due to an excessive number
of temporary files.

Before restarting the router, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain any data required for the configuration. This will help you
complete the configuration task quickly and correctly.
to take effect. Restarting the router also prevents the system failure due a an excessive number
of temporary files.
The AR150/200 provides two methods of restarting the router:
l
Immediate restart
Scheduled restart
Issue 02 (2012-03-30)

202

Before restarting the router, complete the following tasks:
l
Data Preparation
To restart the router, you need the following data.
No.
Data
Time to restart the router
Wait time before restarting the router
9.6.2 Restarting the Device Immediately

Before restarting the router, you must choose whether to save the current configuration file of
the router.
Context
CAUTION
Using the reboot command is not recommended. It can cause transient service interruption.
Procedure
l
Run:
reboot [ fast ]
The router is restarted immediately.

----End
9.6.3 Configuring the Device to Restart as Scheduled

You can configure the router to restart at a scheduled time by setting a restart time or a wait time
before the restart.
Context
Do as follows on the router that needs to restart at a scheduled time:
Procedure
Step 1 Run:
schedule reboot at exact-time
Issue 02 (2012-03-30)

203

The router is configured to restart at a scheduled time, and the restart time is set.
Step 2 Run:
schedule reboot delay interval
The router is configured to restart at a scheduled time, and the wait time before the restart is set.
You can choose either Step 1 or Step 2 to configure the router to restart at a scheduled time.
By default, the function for configuring a device to restart at a scheduled time is disabled.
NOTE
You can run the undo schedule reboot command to disable the function of restarting the router at a fixed
time.
----End

After the router has been configured to restart at a scheduled time, you can view parameters set
for the scheduled restart.
Prerequisites
The configurations for restarting the router at a scheduled time are complete.
Procedure
l
Run the display schedule reboot command to check the parameters set for the scheduled
restart of the router.
----End
Example
# View the configuration of the router restart, with the restart time at 00:00.
<Huawei> display schedule reboot
Info:System will reboot at 00:00:00 2009/07/01 (in 12 hours and 33 minutes).
# View the configuration of the router restart with a wait time set to 12 hours before the restart.
<Huawei> display schedule reboot
Info:System will reboot at 23:27:14 2009/06/30 (in 11 hours and 59 minutes).

The examples explain networking requirements and precautions, and provide configuration
roadmaps.
9.7.1 Example for Upgrading System Software

This section provides detailed procedures for upgrading system software. This will help you to
complete the upgrade task quickly and accurately.
Issue 02 (2012-03-30)

204

The current system software needs to be upgraded if it cannot provide additional features or
larger specifications required by customers.
As shown in Figure 9-6, the system software of the cannot meet customer's requirements and
needs to be upgraded. Huawei has provided related upgrade files for the customer to perform
software upgrade on the.
Figure 9-6 Networking diagram for upgrading system software
Eth2/0/0
10.1.1.1/24
PC
10.1.1.2/24
FTP Server
Precautions
l
The key data in the storage medium on the device must be backed up to the PC.
The remaining space of the storage media must be checked to make sure that there is enough
space to store new system software.
1.
Specify FTP as the mode of uploading the system software, the device as the FTP server,
user 1 as the user name, and huawei as the user password.
2.
Specify the system software and configuration file to be used at the next startup.
3.
Save the configuration file and restart the device.
4.
Verify the configuration.
Data Preparation
l
System software version before the upgrade, which is V200R001C00.cc in this example
New system software version, which is V200R002C00.cc in this example
Backup startup software version, which is V200R001C00_backup.cc
Size of the remaining space of the storage media, which can store the system software
package
Procedure
Step 1 Upload the new system software.
# Configure the device as an FTP server.
[Huawei] ftp server enable
Issue 02 (2012-03-30)

205

Info: Succeeded in starting the FTP server.

[Huawei] aaa
[Huawei-aaa] local-user user1 password simple huawei
info: A new user added
[Huawei-aaa] local-user user1 service-type ftp
[HuaWei-aaa] local-user user1 ftp-directory flash:/
[Huawei-aaa] quit
[Huawei] quit
After the preceding configurations are complete, run the display local-user command to check
information about the user.
---------------------------------------------------------------------------User-name
---------------------------------------------------------------------------user1
A
H
user2
A
A
---------------------------------------------------------------------------Total 2 user(s)
# On the PC, specify the binary format as the file transfer mode, and c:\temp as the working
directory.
NOTE
The Windows XP operating system is used as an example.
Store the uploaded file in the specified directory (C:\temp in this example). Choose Start >
Run and enter cmd. Then, press Enter. Enter FTP 10.1.1.1. At the prompt of "user", enter the
user name. At the prompt of "password", enter the password. The following configurations are
displayed:
C:\Documents and Settings\Administrator> ftp 10.1.1.1
Connect to 10.1.1.1.
220 FTP server ready.
User <10.1.1.1:<none>>:user1
331 Please specify the password.
Password:
230 User logged in.
Specify a directory and a file transfer mode on the FTP client to store the uploaded file.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now c:\temp.
# On the PC, upload the new system software (*.cc) to the device.
ftp> put V200R002C00.cc
200 Port command okay.
226 Transfer complete.
Step 2 Specify the system software and configuration file to be used at the next startup.
# Specify the system software to be used at the next startup.
<Huawei> startup system-software flash:/V200R002C00.cc
This operation will take several minutes, please wait..........
Info: Succeeded in setting the file for booting system
# Specify the configuration file to be used at the next startup.

<Huawei> startup saved-configuration aa.cfg
This operation will take several minutes, please wait...
Info: Succeeded in setting the file for booting system
# View the system software and configuration file to be used at the next startup, and check that
the system software is the specified one.
Issue 02 (2012-03-30)

206

MainBoard:
Startup system software :
Next startup system software :
Next startup saved-configuration file :
flash:/V200R001C00.cc
flash:/V200R002C00.cc
null
flash:/iascfg.zip
flash:/aa.cfg
null
null
null
null
null
null
Step 3 Specify the backup startup software.

# After a backup startup software package is configured, the system can restart properly if a fault
occurs.
<Huawei> startup system-software V200R001C00_backup.cc backup
This operation will take several minutes, please wait...
Info: Succeeded in setting the backup file for booting system
Step 4 Save the configuration file and restart the device.

# Save the configuration file.
<Huawei> save
The current configuration will be written to the device.
Are you sure to continue? [Y/N]:y
It will take several minutes to save configuration file, please wait...
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
# Restart the device.

<Huawei> reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:y
It will take several minutes to save configuration file, please wait........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

After the device has been restarted, run the display version command. You can view that the
current system software is a new version. It means that the system software upgrade is successful.
[Huawei] display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.100 (AR200 V200R002C00)
Copyright (C) 2011 HUAWEI TECH CO., LTD
Huawei AR200 Router uptime is 1 week, 0 day, 20 hours, 12 minutes
MPU 0(Master) : uptime is 1 week, 0 day, 20 hours, 12 minutes
SDRAM Memory Size
: 512
M bytes
Flash Memory Size
: 512
M bytes
MPU version information :
1. PCB
Version : AR01SRU0A VER.A
2. MAB
Version : 0
3. Board
Type
: AR206
4. CPLD1
Version : 0
5. BootROM Version : 106
----End
Issue 02 (2012-03-30)

207

Configuration Files
#
ftp server enable
#
local-user user1 password simple huawei
local-user user1 ftp-directory flash::
local-user user1 service-type ftp
#
#
return
flash::/V200R001C00.cc
flash::/V200R002C00.cc
9.7.2 Example for Installing a Patch File

This section provides an example for installing a patch without interrupting services.
As shown in Figure 9-7, the performance of the device needs to be optimized. Huawei has
provided a patch file for the customer to install.
Figure 9-7 Networking diagram for installing a patch file
Eth2/0/0
10.1.1.1/24
PC
10.1.1.2/24
FTP Server
1.
Upload the patch file to the storage medium on the MPU.
2.
Load and run the patch file.
3.
Verify the configuration.
Data Preparation
l
Patch file name, which is SPH-1.1.952.pat in this example
Patch file storage path on the master MPU, which is flash in this example
Procedure
Step 1 Upload the patch file mapping the current system software.
# Upload the patch file mapping the current system software to the device from the PC.
ftp> put SPH-1.1.952.pat
200 Port command okay.
226 Transfer complete.
Issue 02 (2012-03-30)

208

Step 2 Load and run the patch.

<Huawei> patch load SPH-1.1.952.pat all run
Patch operation succeeded

After the configuration is complete, run the display patch-information command to view
information about the running patch.
Patch version
:
ARV200R001C00SPH100
Patch packet name:
flash:/SPH-1.1.952.pat
----End
Issue 02 (2012-03-30)

209

Configuration Guide - Basic Configuration (V200R002C00 - 02)

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Configuration Guide - Basic Configuration (V200R002C00 - 02)

Hochgeladen von

Copyright:

Verfügbare Formate

Huawei AR150&200 Series Enterprise Routers