Version: V200R002C00
Issue: 02
Date: 2012-03-30
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2012-03-30)
Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
TIP
NOTE
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
Italic
[]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... }*
[ x | y | ... ]*
&<1-n>
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
About This Document.....................................................................................................................ii
1 Logging In to the System for the First Time............................................................................1
1.1 Introduction........................................................................................................................................................2
1.2 Logging In to the Device Through the Console Port..........................................................................................2
1.2.1 Establishing the Configuration Task.........................................................................................................2
1.2.2 Establishing the Physical Connection........................................................................................................3
1.2.3 Logging In to the Device...........................................................................................................................3
1.3 Logging In to a Router Through Telnet..............................................................................................................5
1.3.1 Establishing the Configuration Task.........................................................................................................5
1.3.2 Establishing a Physical Connection...........................................................................................................5
1.3.3 Logging In to the Router...........................................................................................................................6
2 CLI Overview.................................................................................................................................7
2.1 CLI Introduction.................................................................................................................................................8
2.1.1 Command Line Interface...........................................................................................................................8
2.1.2 Command Levels.......................................................................................................................................8
2.1.3 Command Line Views.............................................................................................................................11
2.2 Online Help.......................................................................................................................................................12
2.2.1 Full Help..................................................................................................................................................12
2.2.2 Partial Help..............................................................................................................................................13
2.2.3 Error Messages of the Command Line Interface.....................................................................................13
2.3 CLI Features.....................................................................................................................................................14
2.3.1 Editing.....................................................................................................................................................14
2.3.2 Displaying................................................................................................................................................15
2.3.3 Regular Expressions................................................................................................................................15
2.3.4 Previously-Used Commands...................................................................................................................18
2.4 Shortcut Keys...................................................................................................................................................19
2.4.1 Classifying Shortcut Keys.......................................................................................................................19
2.4.2 Defining Shortcut Keys...........................................................................................................................20
2.4.3 Use of Shortcut Keys...............................................................................................................................21
2.5 Configuration Examples...................................................................................................................................21
2.5.1 Example for Using Tab............................................................................................................................21
2.5.2 Example for Using Shortcut Keys...........................................................................................................23
3 Basic Configuration.....................................................................................................................24
3.1 Configuring the Basic System Environment....................................................................................................25
3.1.1 Establishing the Configuration Task.......................................................................................................25
3.1.2 Configuring the Equipment Name...........................................................................................................25
3.1.3 Setting the System Clock.........................................................................................................................26
3.1.4 Configuring a Header..............................................................................................................................32
3.1.5 Configuring Command Levels................................................................................................................33
3.1.6 Configuring the undo Command to Automatically Match the Higher-Level View................................33
3.1.7 (Optional) Setting Factory Configurations..............................................................................................34
3.2 Displaying System Status Messages.................................................................................................................35
3.2.1 Displaying System Configuration...........................................................................................................35
3.2.2 Displaying System Status........................................................................................................................35
3.2.3 Collecting System Diagnostic Information.............................................................................................36
3.2.4 Displaying Factory Configuration Information.......................................................................................36
1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port or Telnet.
A main control board provides a console port and multiple LAN ports. To configure a device,
connect the user terminal serial port to the device console port or log in to the device through
Telnet after connecting the network port of the terminal to a LAN port of the device.
Applicable Environment
When the router is powered on for the first time, use the console port to log in to the router to configure and manage it.
Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
Data Preparation
To log in to the router through the console port, you need the following data.
No.
Data
NOTE
The system automatically uses default parameter values for the first login.
Procedure
Step 1 Power on all devices to perform a self-check.
Step 2 Use a cable to connect the console port of the router to the COM port of a PC.
----End
Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used during the first login to the device.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-1.
Figure 1-1 Connection creation
Step 3 Set communication parameters to match the router defaults, as shown in Figure 1-3.
Figure 1-3 Communication parameter settings
Step 4 Press Enter. At the command-line prompt such as <Huawei>, enter a command to configure
the router or enter a question mark (?) if you need help.
NOTE
When you connect to the console port of an AR150/200 that does not have a startup configuration file, the system displays "Auto-Config is working. Before configuring the device, stop Auto-Config. If you perform configurations when Auto-Config is running, the DHCP, routing, DNS, and VTY configurations will be lost. Do you want to stop Auto-Config? [y/n]:"
- To continue Auto-Config, enter n and press Enter.
- To stop Auto-Config, enter y and press Enter.
CAUTION
If you choose n but still perform configurations through the console port, the DHCP, routing, DNS, and VTY configurations that you have performed will be lost.
----End
Applicable Environment
To configure and manage a router that is powered on for the first time, log in to the router through
Telnet.
By default, the IP addresses of all LAN ports are 192.168.1.1, and the user name and password
are admin. You can log in to the router using Telnet by connecting the PC network adapter to
any LAN port of the router with the twisted pair.
Pre-configuration Tasks
Before configuring a router through Telnet, complete the following tasks:
- Obtaining the twisted pair that is used to connect to a LAN port of the router
Data Preparation
None.
Procedure
Step 1 Power on all the devices and ensure a successful self-check.
Step 2 Use the twisted pair to connect a LAN port of the router to the network port of a PC.
Step 3 Configure an IP address and subnet mask for the network port of the PC. The IP address must
be within the network segment 192.168.1.0/24 (recommended: 192.168.1.100), and the subnet
mask is 255.255.255.0.
Step 4 Check the physical connection. Ping 192.168.1.1 on the PC. If 192.168.1.1 can be pinged, the
physical connection has been established.
NOTE
- If the ping operation fails, check whether the PC IP address is correct or replace the network cable.
----End
Context
After the physical connection is established successfully, log in to the router through Telnet.
Procedure
Step 1 Open the command-line window of Windows.
Step 2 Run the telnet 192.168.1.1 command to log in to the router.
telnet 192.168.1.1
Step 3 Enter the initial user name (admin) and password (admin). The command-line prompt of the
user view is displayed, for example, <HUAWEI>. Then, you enter the configuration
environment of the user view.
Username:admin
Password:
-----------------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 192.168.1.100
Time       : 2011-09-07 17:27:17+00:00
-----------------------------------------------------------------------------------
<HUAWEI>
----End
2 CLI Overview
- The telnet command for directly logging in to and managing other routers.
- Hierarchical command protection structure giving certain levels of users permission to run certain levels of commands.
- A command line interpreter provides intelligent text entry methods such as key word fuzzy match and context conjunction. These methods help users to enter commands easily and correctly.
- Network test commands such as tracert and ping for fast network diagnostics.

- The system supports commands that contain a maximum of 512 characters. A command does not have to be entered in full, as long as the part of the command entered is unique within the system. For example, to use the display current-configuration command, entering d cu, di cu, or dis cu will run the command. Entering d c or dis c will not run the command, because these entries are not unique to the command.
- The system saves the complete form of incomplete commands to configuration files. Saved commands may have more than 512 characters. When the system is restarted, incomplete commands cannot be restored. Therefore, pay attention to the full length of incomplete commands before saving them.
By default, the command level of a user is a value ranging from 0 to 3, and the user access level
is a value ranging from 0 to 15. Table 2-1 lists the association between user access levels and
command levels.
Table 2-1 Association between user access levels and command levels (the Description column is not legible in this copy)

User Level    Command Level      Level Name
0             0                  Visit level
1             0 and 1            Monitoring level
2             0, 1, and 2        Configuration level
3-15          0, 1, 2, and 3     Management level

NOTE
- The default command level may be higher than the command level defined according to the command rules in application.
- The level of the command that a user can run is determined by the level of this user.
- Login users have 16 levels. Login users can use only commands whose level is equal to or lower than their own level. The user privilege level level command sets the user level.
2. Click the "Search" tab. The search window will be displayed as shown in Figure 2-1.
3. Enter the command level you want in the "Type in the word(s) to search for" textbox and click "List Topics". All commands of the specified level will be displayed as shown in Figure 2-2.
# Run the aaa command in the system view to enter the AAA view.
[Huawei] aaa
[Huawei-aaa]
NOTE
The prompt indicates a specific view. For example, "<Huawei>" indicates the user view, and "[HUAWEI-ui-console0]" indicates the console user interface view.
Some commands can be used in more than one view, but their effects vary from view to view.
Procedure
Use any of the following methods to obtain full help from a command line.
- Enter a question mark (?) in any command line view to display command names and their descriptions for all commands of that view (descriptions are only partly legible in this copy).
<Huawei> ?
User view commands:
  arp-ping      ...ping
  autosave      ...group
  backup        ...information
  cd            ...directory
  clock         ...clock
  cls
  ...
- Enter a command and a question mark (?) separated by a space. All keywords associated with this command, as well as simple descriptions, are displayed. For example:
[Huawei] interface ?
  Bridge-if    Bridge-if interface
  Cellular     Cellular interface
  ...
Bridge-if and Cellular are keywords; Bridge-if interface and Cellular interface describe the keywords respectively.
- Enter a command and a question mark (?) separated by a space. Parameter names for this command, as well as parameter descriptions, are displayed. For example:
[Huawei] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout (in minutes)
[Huawei] ftp timeout 35 ?
<cr>
[Huawei] ftp timeout 35
In this command output, INTEGER<1-35791> describes the parameter value, and "The value of FTP timeout, the default value is 30 minutes" is a simple description of what the parameter sets. A display of <cr> indicates that no further parameters are associated with this command; the command is repeated on the next command line, and you can press Enter to run it.
----End
Procedure
Use any of the following methods to obtain partial help from a command line.
- Enter a character string followed directly by a question mark (?) to display all commands that begin with this character string (descriptions are only partly legible in this copy).
<Huawei> d?
  debugging    ...group
  delete       ...file
  dialer       Dialer
  dir          List files on a filesystem
  display      Display information
- Enter a command and a character string followed directly by a question mark (?) to display all keywords that begin with this character string.
<Huawei> display b?
  bfd          ...Detection information
  bgp          BGP information
  bootp        Bootstrap Protocol
  bridge       <Group> bridge command group
- Enter the first several letters of a keyword in the command and then press Tab to display the complete keyword. A complete keyword is displayed only if the partial string of letters uniquely identifies a specific keyword. If it does not, continuing to press Tab displays the different matching keywords in turn, and you can select the one you need.
----End
Error:Incomplete command found at '^' position.
Error:Ambiguous command found at '^' position.
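The rules stated in this chapter (a command runs as soon as the typed abbreviation is unique, "?" lists the keywords that still match, the "Incomplete" and "Ambiguous" errors above, and the user-level to command-level mapping of Table 2-1) can be checked against a small model. The following is an added example written for this page, not Huawei code: the command table and the command levels in it are constructed for illustration, and resolution is done over a flat table rather than the device's real command tree.

```python
# Added example, not Huawei code: a model of the command-resolution rules this
# chapter describes (abbreviation uniqueness, '?' help, the "Incomplete" and
# "Ambiguous" errors, and the user-level to command-level mapping of Table 2-1).
import re

# Constructed command table: keyword tuple -> default command level (0-3). The
# keywords appear on this page; the levels are assumptions for illustration only.
COMMANDS = {
    ("ping",): 0,
    ("display", "clock"): 1,
    ("display", "current-configuration"): 2,
    ("display", "ip", "routing-table"): 1,
    ("display", "bfd"): 1,
    ("display", "bgp"): 1,
    ("debugging",): 1,      # modelled as a single keyword for brevity
    ("delete",): 3,
    ("dialer",): 2,
    ("dir",): 3,
    ("system-view",): 2,
}


class CommandError(Exception):
    """Error text plus the column where the CLI would print the '^' marker."""

    def __init__(self, message, column):
        super().__init__(message)
        self.column = column


def _tokenize(line):
    matches = list(re.finditer(r"\S+", line))
    return [m.group() for m in matches], [m.start() for m in matches]


def _matches(cmd, tokens):
    """True if every typed token is a prefix of the corresponding keyword of cmd."""
    return len(cmd) >= len(tokens) and all(kw.startswith(t) for kw, t in zip(cmd, tokens))


def resolve(line):
    """Return the unique command an (abbreviated) line designates, or raise CommandError."""
    tokens, cols = _tokenize(line)
    if not tokens:
        raise CommandError("Incomplete command", 0)
    for i in range(len(tokens)):
        # The first token that matches nothing is where the '^' goes.
        if not any(_matches(cmd, tokens[: i + 1]) for cmd in COMMANDS):
            raise CommandError("Unrecognized command", cols[i])
    complete = [cmd for cmd in COMMANDS if _matches(cmd, tokens) and len(cmd) == len(tokens)]
    if len(complete) == 1:
        return complete[0]
    if not complete:
        raise CommandError("Incomplete command", len(line))
    raise CommandError("Ambiguous command", cols[-1])


def format_error(line, err):
    """Render the line, a caret under the offending position and the message, as the CLI does."""
    return f"{line}\n{' ' * err.column}^\nError:{err} found at '^' position."


def help_keywords(line):
    """Keywords listed for a line ending in '?': full help when '?' follows a space,
    partial help when '?' directly follows a character string."""
    body = line[:-1]
    tokens, _ = _tokenize(body)
    if not tokens or body.endswith(" "):
        tokens.append("")          # '?' after a space: every next keyword qualifies
    prior, prefix = tokens[:-1], tokens[-1]
    found = set()
    for cmd in COMMANDS:
        if len(cmd) > len(prior) and _matches(cmd, prior) and cmd[len(prior)].startswith(prefix):
            found.add(cmd[len(prior)])
    return sorted(found)


def max_command_level(user_level):
    """Table 2-1: user levels 0, 1, 2 run command levels up to 0, 1, 2; levels 3-15 run up to 3."""
    if not 0 <= user_level <= 15:
        raise ValueError("user level must be 0-15")
    return min(user_level, 3)


def authorize(user_level, line):
    """Resolve the line, then check that the user's level covers the command's level."""
    return COMMANDS[resolve(line)] <= max_command_level(user_level)
```

With this table, resolve("d cu") and resolve("dis cu") both give display current-configuration, while "d c" and "dis c" raise "Ambiguous command" because display clock also matches; help_keywords("d?") returns the five d-commands and help_keywords("display b?") returns bfd and bgp. authorize() shows why the level mapping matters: a level-2 user can resolve dir but is refused because its (assumed) command level is 3.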
2.3.1 Editing
The command line editing function allows you to edit command lines or obtain help by using
certain keys.
The command line of the AR150/200 supports multi-line editing. The maximum length of each command is 512 characters.
Keys for editing that are often used are shown in Table 2-3.
Table 2-3 Keys for editing
Key                  Function
Common key
Backspace            Moves the cursor to the left and deletes the character at that position. When the cursor reaches the head of the command, an alarm is generated.
Left cursor key      Moves the cursor to the left a single space at a time. When the cursor reaches the head of the command, an alarm is generated.
Right cursor key     Moves the cursor to the right a single space at a time. When the cursor reaches the end of the command, an alarm is generated.
Tab                  Press Tab after typing a partial keyword and the system runs partial help:
                     - If the matching keyword is unique, the system replaces the typed character string with the complete keyword and displays it in a new line with the cursor placed at the end of the word.
                     - If there are several matches or no match, the system displays the prefix first. Then you can press Tab to view any matching keywords one at a time. The cursor directly follows the end of the word. You can press the spacebar to enter the next word.
                     - If a non-existent or incorrect keyword is entered, press Tab and the word is displayed on a new line.
2.3.2 Displaying
Command lines have a feature to control how they are displayed. You can set the command line
display mode as required.
You can control the display of information on the CLI as follows:
- If output information cannot be displayed on a full screen, you have three viewing options, as shown in Table 2-4.
Table 2-4 (the Function column is not legible in this copy)
Key        Function
Ctrl_C
Space
Enter
Common characters
Common characters, including all upper-case and lower-case letters, digits, punctuation
marks, and special symbols, match themselves in a string. For example, "a" matches the
letter "a" in "abc", "202" matches the digit "202" in "202.113.25.155", and "@" matches
the symbol "@" in "xxx@xxx.com".
Special characters
Special characters are used together with common characters to match complex or special string combinations. Table 2-5 describes special characters and their syntax.
Table 2-5 Description of special characters (cells not legible in this copy are left blank)

Special character    Syntax               Example
\                                         \* matches "*".
x|y                  Matches x or y.
[xyz]
[^xyz]
[a-z]
[^a-z]
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
Unless otherwise specified, degeneration rules also apply when preceding regular expressions are
subexpressions within parentheses.
CAUTION
The Huawei AR150&200 Series uses a regular expression to implement the pipe character
filtering function. A display command supports the pipe character only when there is excessive
output information.
When filtering conditions are set to query output, the first line of the command output starts with
information containing the regular expression.
Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For commands that support regular expressions, the three filtering methods are as follows:
- | begin regular-expression: displays the output starting from the first line that matches the regular expression.
- | exclude regular-expression: displays only the lines that do not match the regular expression.
- | include regular-expression: displays only the lines that match the regular expression.
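The three filters and | count are easiest to reason about when applied to a fixed block of output. The following is an added example written for this page, not Huawei code: the sample configuration text is constructed, and Python's re module stands in for the device's regular-expression dialect (the one summarised in Table 2-5), which is why the "\*" escape and the [^...] class from that table are exercised below.

```python
# Added example, not Huawei code: the | begin, | exclude, | include and | count
# filters described above, implemented with Python's re module over a constructed
# block of display output.
import re

# Constructed sample output, standing in for what a display command prints.
SAMPLE_OUTPUT = """\
#
 sysname Router-A
#
interface GigabitEthernet0/0/0
 description Uplink-*
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 shutdown
#
user-interface vty 0 4
 authentication-mode aaa
#
return
"""


def pipe_begin(text, pattern):
    """| begin: output from the first line matching pattern to the end."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.search(pattern, line):
            return lines[i:]
    return []


def pipe_include(text, pattern):
    """| include: only the lines matching pattern."""
    return [line for line in text.splitlines() if re.search(pattern, line)]


def pipe_exclude(text, pattern):
    """| exclude: only the lines not matching pattern."""
    return [line for line in text.splitlines() if not re.search(pattern, line)]


def apply_pipe(text, spec):
    """Apply a filter written the way it is typed after the pipe, e.g. 'include ^interface'
    or 'include vty | count'; returns the lines, or their number when '| count' is appended."""
    spec, _, tail = spec.partition("|")
    method, _, pattern = spec.strip().partition(" ")
    filters = {"begin": pipe_begin, "include": pipe_include, "exclude": pipe_exclude}
    if method not in filters:
        raise ValueError(f"unknown filter {method!r}")
    lines = filters[method](text, pattern.strip())
    if tail.strip() == "count":
        return len(lines)
    return lines
```

apply_pipe(SAMPLE_OUTPUT, "include authentication-mode") is the kind of query used when auditing a configuration: it returns only the VTY authentication line, and appending "| count" turns any of the three filters into a number of matching lines, which is what the CAUTION above describes.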
NOTE
Setting the number of saved previously-used commands to a reasonably low value is recommended. If a
large number of previously-used commands are saved, locating a command can be time-consuming and
affect efficiency.
Key or Command               Result
display history-command      Displays previously-used commands.
NOTE
Windows 9X defines keys differently, and the cursor key cannot be used with Windows 9X HyperTerminals. You may use Ctrl_P instead.
- Previously-used commands are saved exactly as they are entered by users. For example, if a user enters an incomplete command, the saved command is also incomplete.
- A command is saved the first time it is run, and subsequent runs are not saved. If a command is entered in different forms or with different parameters, each entry is considered to be a different command.
For example, if the display ip routing-table command is run several times, only one previously-used command is saved. If the display current-configuration command and the display ip routing-table command are run, two previously-used commands are saved.
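The saving rules above are exact-string rules, which is easy to misread. The following is an added example written for this page, not Huawei code: a bounded history buffer that applies them, with a constructed default size (the device's own default is not stated in this section).

```python
# Added example, not Huawei code: the saving rules for previously-used commands
# stated above (exact strings, saved once, different forms count separately), in a
# bounded buffer so the effect of a low history size can be seen.


class CommandHistory:
    def __init__(self, max_size=10):
        self.max_size = max_size          # constructed default; the device's is not stated here
        self._entries = []

    def record(self, line):
        """Save line exactly as entered. Returns False when it is already in the buffer."""
        if line in self._entries:
            return False
        if len(self._entries) >= self.max_size:
            self._entries.pop(0)          # the oldest entry falls out of the buffer
        self._entries.append(line)
        return True

    def entries(self):
        return list(self._entries)


def page_example(max_size=10):
    """The sequence from the text: one command run several times, then a second command."""
    history = CommandHistory(max_size)
    for _ in range(3):
        history.record("display ip routing-table")
    history.record("display current-configuration")
    return history.entries()
```

Because "dis ip routing-table" and "display ip routing-table" are different strings, both are saved; with max_size set low, the oldest of them is the first to be dropped, which is the trade-off the NOTE above points at.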
- User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can assign these shortcut keys to any commands. When a shortcut key is pressed, the system automatically runs the assigned command. For details about defining the shortcut keys, see 2.4.2 Defining Shortcut Keys.
- System-defined shortcut keys: The system defines a number of shortcut keys with fixed functions. Table 2-7 lists the system-defined shortcut keys.
NOTE
Different terminal software defines these keys differently. The shortcut keys on your terminal may be different from those listed in this section.
Table 2-7 System-defined shortcut keys (the Function column is not legible in this copy)
Key        Function
CTRL_A
CTRL_B
CTRL_C
CTRL_D
CTRL_E
CTRL_F
CTRL_H
CTRL_N
CTRL_P
CTRL_W
CTRL_X
CTRL_Y
CTRL_Z
CTRL_]
ESC_B
ESC_D
ESC_F
CTRL_G, CTRL_L and CTRL_O are assigned to run the following commands by default:
If you have typed part of a command and have not pressed Enter, you can press the shortcut
keys to clear what you have entered and display the full command. This operation has the
same effect as that of deleting a command and then re-entering the complete command.
The shortcut keys are run like the commands. The syntax is recorded to the command buffer
and logged for fault location and querying.
NOTE
The terminal in use may affect the functions of shortcut keys. For example, if customized shortcut keys
for the terminal conflict with those for the router, the input shortcut keys are captured by the terminal
program and hence the shortcut keys do not function.
Run the following command in any view to display the use of shortcut keys.
Action                                 Command
Display the use of shortcut keys.      display hotkey
Context
You do not always need to input complete keywords. Instead, input one or more of the first
characters of a keyword and press Tab to complete the keyword. The Tab key helps search for
and use commands.
Procedure
- Press Tab after an incomplete keyword that matches a single keyword. The system replaces the incomplete input with that keyword and displays it in a new line with the cursor leaving a space behind.
  [Huawei] info-center
- After an incomplete keyword is input and the Tab key is pressed, several matches are displayed or no match is displayed.
  # Several prefixes beginning with log can follow the keyword info-center.
  [Huawei] info-center log?
    logbuffer
    logfile      ...group
    loghost
  Press Tab. The system first displays the prefix log.
  [Huawei] info-center logbuffer
  Press Tab repeatedly to select the keywords one at a time. The cursor is placed directly after the end of each keyword.
  [Huawei] info-center logfile
  [Huawei] info-center loghost
  Stop pressing Tab after the keyword logfile that you need is displayed.
- Input an incorrect keyword and press Tab to check the correctness of the keyword.
  [Huawei] info-center loglog
  The system displays information in a new line, but the keyword loglog remains unchanged and there is no space between the cursor and the keyword, indicating that this keyword is non-existent.
----End
Context
If the login router supports shortcut keys, any user regardless of user level can use these shortcut
keys.
Procedure
Step 1 Correlate Ctrl_U with the display local-user command and run the shortcut keys.
<Huawei> system-view
[Huawei] hotkey ctrl_u "display local-user"
NOTE
When defining a shortcut key for a command, enclose the command in double quotation marks if it consists of multiple words separated by spaces. No double quotation marks are required for single-word commands.
----End
3 Basic Configuration
Applicable Environment
Before configuring services, you need to configure the basic system environment (such as time
and device name) to meet the environment requirement.
Pre-configuration Tasks
Before configuring the basic system environment, complete the following task:
Data Preparation
To configure the basic system environment, you need the following data.
No.    Data
1      System time
2      Host name
3      Login information
4      Command level
Context
New equipment names take effect immediately.
Procedure
Step 1 Run:
system-view
Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device operates properly with other
devices.
Perform the following steps in the user view to set the system clock:
Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
If the time zone has not been configured or is set to 0, the date and time set by this command are considered
to be UTC. Set the time zone and UTC correctly.
Step 2 Run:
clock timezone time-zone-name { add | minus } offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
If the daylight saving time is used, the clock timezone time-zone-name { add | minus } offset command
can be executed to set the time zone name. The display clock command displays the daylight saving time
name. After the daylight saving time is complete, the original time zone name is displayed.
----End
If none of the preceding three commands have been run, the original system time will be
displayed after running the display clock command.
The preceding three commands can also be run in combination with one another to
configure the system clock, as listed in Table 3-1.
In the following examples, the original system time is 08:00:00 January 1, 2010.
- 1: The clock datetime command is run to set the current date and time to date-time.
- 2: The clock timezone command is run to configure the time zone with the time zone offset zone-offset.
- 3: The clock daylight-saving-time command is run to configure the daylight saving time with the offset offset.

Table 3-1 Combinations of the clock commands (cells not legible in this copy are left blank; only the Example of the last row survives)

Operation                       Configured System Time
                                date-time
1, 2
[1], 2, 1                       date-time
1, 3                            date-time if date-time is not during the configured daylight saving time period
[1], 3, 1                       date-time if date-time is not during the configured daylight saving time period
                                date-time if date-time is during the configured daylight saving time period
2, 3 or 3, 2
1, 2, 3, or 1, 3, 2             date-time if date-time is not during the configured daylight saving time period
[1], 2, 3, 1 or [1], 3, 2, 1    date-time if date-time is during the configured daylight saving time period

Example for the last row: run the clock timezone BJ add 8, clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2, and clock datetime 3:0:0 2011-1-1 commands.
Configured system time:
2011-01-01 03:00:03+08:00 DST
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
 Name        : BJ
 Repeat mode : one-year
 Start year  : 2011
 End year    : 2011
 Start time  : 01-01 01:00:00
 End time    : 09-01 01:00:00
 Saving time : 02:00:00
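The formula given in the Context above (system clock = UTC + time zone offset + daylight saving time offset) is worked through here for the command combination in the last row of Table 3-1. This is an added example written for this page, not Huawei code. It assumes that the daylight saving window is compared against standard local time (UTC plus the zone offset) and that display clock shows the zone offset alone after the time, with "DST" appended while daylight saving time is in effect, which is how the page's output reads.

```python
# Added example, not Huawei code: the formula "system clock = UTC + time zone offset
# + daylight saving time offset" worked through for the command combination in the
# last row of Table 3-1. Assumption: the DST window is compared against standard
# local time (UTC + zone offset), and the offset shown after the time is the zone
# offset alone, with "DST" appended while daylight saving time is in effect.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ClockConfig:
    zone_name: str
    zone_offset: timedelta                 # clock timezone NAME { add | minus } offset
    dst_name: Optional[str] = None         # clock daylight-saving-time NAME one-year ...
    dst_start: Optional[datetime] = None   # start of the window, standard local time
    dst_end: Optional[datetime] = None     # end of the window, standard local time
    dst_offset: timedelta = timedelta(0)   # the saving time (2 hours in the page example)

    def dst_active(self, standard_local):
        return self.dst_start is not None and self.dst_start <= standard_local < self.dst_end

    def local_from_utc(self, utc):
        """Apply the formula; returns (system clock, whether the DST offset was added)."""
        standard = utc + self.zone_offset
        if self.dst_active(standard):
            return standard + self.dst_offset, True
        return standard, False

    def utc_from_datetime_command(self, entered):
        """Inverse for clock datetime: the entered value is the local system clock, so the
        DST offset is removed first when the entered time falls inside the DST window."""
        standard = entered - self.dst_offset
        if self.dst_active(standard):
            return standard - self.zone_offset
        return entered - self.zone_offset

    def display_clock(self, utc):
        """First line of display clock for the given UTC instant."""
        local, dst = self.local_from_utc(utc)
        secs = int(self.zone_offset.total_seconds())
        sign = "+" if secs >= 0 else "-"
        hours, minutes = divmod(abs(secs) // 60, 60)
        return f"{local:%Y-%m-%d %H:%M:%S}{sign}{hours:02d}:{minutes:02d}{' DST' if dst else ''}"


def zone_config(name, hours):
    """clock timezone NAME add|minus hours (negative hours = minus)."""
    return ClockConfig(name, timedelta(hours=hours))


def page_example_config():
    """clock timezone BJ add 8 followed by
    clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2"""
    return ClockConfig("BJ", timedelta(hours=8), "BJ",
                       datetime(2011, 1, 1, 1, 0, 0), datetime(2011, 9, 1, 1, 0, 0),
                       timedelta(hours=2))


def clock_datetime(cfg, text):
    """'clock datetime HH:MM:SS YYYY-MM-DD': return the resulting UTC instant as text."""
    entered = datetime.strptime(text, "%H:%M:%S %Y-%m-%d")
    return cfg.utc_from_datetime_command(entered).isoformat(sep=" ")


def display_clock_after(cfg, text):
    """Run clock datetime with text, then return the first line of display clock."""
    entered = datetime.strptime(text, "%H:%M:%S %Y-%m-%d")
    return cfg.display_clock(cfg.utc_from_datetime_command(entered))
```

For the page's example, clock datetime 3:0:0 2011-1-1 entered after the BJ time zone and daylight saving time are configured corresponds to 2010-12-31 17:00:00 UTC, and display clock then shows 2011-01-01 03:00:00+08:00 DST (the page shows :03 seconds because a few seconds elapsed between the two commands). The same configuration with a date outside the window, such as 3:0:0 2011-10-1, shows no DST suffix and sits 8 hours, not 10, ahead of UTC.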
Context
A header is a text message displayed by the system at the time a user logs in to the router.
Procedure
Step 1 Run:
system-view
CAUTION
- The header message starts and ends with the same character. Enter the first character of the header and press Enter. An interactive interface for setting the header is displayed. Input the required information and end the header by entering the first character when you are finished. The system then exits from the interactive interface.
- If file is specified, save the file containing the header in the root directory of the default storage medium. If the file is saved in another directory, specify the full path in the file name, or the file will be inaccessible.
- If a user logs in to the router using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.
- If a user logs in to the router using SSH2.0, both login and shell headers are displayed.
----End
Context
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.
Procedure
Step 1 Run:
system-view
The command level is configured. The command lets you specify the level and view of multiple commands at one time (command-key).
All commands have default command views and levels, and you normally do not need to reconfigure them.
----End
progressively searches higher-level views for the command until it reaches the system view. If the command is not found in any higher-level view, the undo command is not executed.
Procedure
Step 1 Run:
system-view
The undo command is configured to automatically search higher-level views if run in a view
where it is not registered.
By default, the undo command does not automatically search higher-level views.
NOTE
- The matched upper-view command applies only to the currently logged-in users who run this command.
- Configuring the undo command to automatically match the upper-level view is recommended only if necessary.
----End
Context
To restore the factory configuration of a router, hold down the reset button for at least 5 seconds. This restarts the device and clears the user-defined configuration.
To keep your own basic settings across such a reset, set them as the factory configuration.
Procedure
Step 1 Run:
set factory-configuration from { current-configuration | filename }
The current configuration or an existing configuration file is set as the factory configuration.
Step 2 (Optional) Run:
set factory-configuration operate-mode { reserve-configuration | delete-configuration }
Context
You can use display commands to collect information about system status. The display commands perform the following functions:
See the related sections on display commands for information about protocols and interfaces. This section covers only system-level display commands.
Run the following commands in any view.
Procedure
- The display version command displays the software version of the system, the chassis type, and information about the main control board and interface boards.
- When a user runs the display current-configuration command, other users cannot run the same command until all of the command output has been displayed.
- The original configuration is the configuration file the device uses when it is powered on and initialized. The current configuration is the configuration in effect while the device is running. For details, see the chapter "Configuring System Startup" in the AR150/200 Basic-Configuration.
----End
Procedure
- Run the display this command to display the configuration of the current view.
NOTE
When a user runs the display this command, other users cannot run the same command until all of the command output has been displayed.
----End
Context
If routine maintenance is not possible, run the various display commands to collect the information needed to locate faults. The display diagnostic-information command gathers information about all system modules currently running.
Procedure
- Run:
display diagnostic-information
Procedure
- Run:
display factory-configuration
If the factory configuration of the router has been modified, the display factory-configuration command displays the modified factory configuration.
- Run:
display factory-configuration operate-mode
Relative numbering
Relative numbering uses the format user interface type + number.
Relative numbering specifies user interfaces of a particular type. It can number single user interfaces or user interface groups and must follow these rules:
Number of the console port: CON 0
Number of a VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
Absolute numbering
Absolute numbering gives a single user interface or a group of user interfaces a unique number.
Absolute numbering starts at 0. Ports are numbered in sequence beginning with CON and then VTY. There is only one console port and 0 to 20 VTY interfaces (VTY interfaces 0 to 14 are reserved for Telnet/SSH users and VTY interfaces 16 to 20 are reserved for network management users). You can use the user-interface maximum-vty command to set the maximum number of VTY user interfaces. The default is five.
By default, the system supports two types of user interfaces: CON and VTY.
Table 4-1 shows the absolute numbers of user interfaces in this system.
Table 4-1 Absolute numbers of user interfaces
User-interface    Absolute number
CON 0             0
VTY 0             129
VTY 1             130
VTY 2             131
VTY 3             132
VTY 4             133
NOTE
Run the display user-interface command to view the absolute numbers of user interfaces.
- Non-authentication: Users can log in to the router without a username or password. This mode is a security risk and is not recommended.
- Password authentication: Users must enter a password, but not a username, during login.
- AAA authentication: Users must enter both a username and a password during login. Telnet users are usually authenticated in this mode.
In the case of non-authentication or password authentication, the level of the commands that a user can run is determined by the level of the user interface.
In the case of AAA authentication, the commands that a user can run are determined by the level of the local user specified in the AAA configuration.
Applicable Environment
If you need to log in to the router through the console port to perform local maintenance, you can configure the corresponding console user interface, including its physical attributes, terminal attributes, user priority, and user authentication mode. These parameters have default values that require no additional configuration, but you can modify them as needed.
Pre-configuration Tasks
Before configuring a console user interface, complete the following tasks:
Data Preparation
To configure a console user interface, you need the following data.
No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, terminal screen length, and the size of the history command buffer
3    User priority
NOTE
All the default values (excluding the password and username) are stored on the router and need no additional configuration.
Context
Physical attributes of a console port have default values on the router and no additional
configuration is needed.
NOTE
When a user logs in to a router through a console port, the physical attributes set for the console port on
the HyperTerminal must be consistent with the attributes of the console user interface on the router, or the
user will not be able to log in.
Procedure
Step 1 Run:
system-view
Context
Terminal attributes of the console user interface have default values on the router that you may
modify as needed.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface console interface-number
The system automatically adjusts the terminal screen length, so you do not need to set it manually.
Step 6 Run:
history-command max-size size-value
Context
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the user level.
This procedure sets the priority of a user who logs in through the console port. A user's level determines the level of commands the user is authorized to run.
Procedure
Step 1 Run:
system-view
- By default, users logging in through the console user interface can use commands at level 15, and users logging in through other user interfaces can use commands at level 0.
- If the command level and user level are inconsistent, the user level takes precedence.
----End
Context
The system provides three authentication modes, as shown in Table 4-2.
Table 4-2 Authentication Modes
Authentication Mode      Advantage    Disadvantage
AAA
Password authentication
Non-authentication                    It is insecure.
By default, the user authentication mode for the console user interface is non-authentication.
Procedure
- Configuring AAA Authentication
1. Run:
system-view
2. Run:
user-interface console interface-number
3. Run:
authentication-mode aaa
4. Run:
aaa
5. Run:
local-user user-name password { simple | cipher } password
6. Run:
quit
- Configuring Password Authentication
1. Run:
system-view
2. Run:
user-interface console interface-number
3. Run:
authentication-mode password
4. Run:
set authentication password { cipher | simple } password
- Configuring Non-Authentication
1. Run:
system-view
2. Run:
user-interface console interface-number
3. Run:
authentication-mode none
Prerequisites
The configurations of the user management function are complete.
Procedure
- Run the display users [ all ] command to check information about the user interface.
- Run the display local-user command to check the local user list.
----End
Example
Run the display users command to view information about the current user interface.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0    00:00:44
  Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command to view the physical attributes and configuration of the user interface.
<Huawei> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600             3                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command to view the local user list.
<Huawei> display local-user
----------------------------------------------------------------------------
User-name            State  AuthMask  AdminLevel
----------------------------------------------------------------------------
admin                A      H         -
ftp                  A      F         -
guest                A      A         15
----------------------------------------------------------------------------
Total 3 user(s)
Applicable Environment
If you need to log in to the router using Telnet or SSH to perform local or remote maintenance, you can configure a VTY user interface. You can configure the maximum number of VTY user interfaces, restrictions on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode.
Pre-configuration Tasks
Before configuring a VTY user interface, complete the following tasks:
Data Preparation
To configure a VTY user interface, you need the following data.
No.  Data
1    (Optional) ACL number to restrict incoming and outgoing calls on VTY user interfaces
2    Idle timeout period, number of characters in each line displayed on a terminal screen
3    User priority
NOTE
All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls on VTY user interfaces, the user authentication mode, the username, and the password) have default values that require no additional configuration.
Context
The maximum number of VTY user interfaces equals the total number of users allowed to log in to the router using Telnet or SSH at the same time.
Procedure
Step 1 Run:
system-view
The maximum number of VTY user interfaces is set. By default, the maximum number of VTY user interfaces is 5.
NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the network administrator) can use a VTY user interface to log in to the router.
If the new maximum number of VTY user interfaces is smaller than the number of users currently online, the online users are not affected and no additional configuration is required.
If the new maximum number of VTY user interfaces is greater than the current number of interfaces, the authentication mode and password must be set for the newly added user interfaces.
Password authentication is the default authentication mode for newly added user interfaces.
Consider, for example, a system that allows a maximum of five users to be online. To allow 15 VTY users online at the same time, you must run the authentication-mode and set authentication password commands to configure the authentication mode and password for VTY user interfaces 5 to 14. The commands are run as follows:
<Huawei> system-view
[Huawei] user-interface maximum-vty 15
[Huawei] user-interface vty 5 14
[Huawei-ui-vty5-14] authentication-mode password
[Huawei-ui-vty5-14] set authentication password cipher huawei
----End
Context
Before setting restrictions for incoming and outgoing calls on a VTY user interface, run the acl command in the system view to create an ACL. Enter the ACL view and run the rule command to add rules to the ACL.
NOTE
- The user interface supports basic ACLs numbered 2000 to 2999 and advanced ACLs numbered 3000 to 3999.
- For ACL configuration details, refer to the Huawei AR150&200 Series Enterprise Routers Configuration Guide - Security.
Procedure
Step 1 Run:
system-view
Restrictions for incoming and outgoing calls on the VTY user interface are configured.
- To prevent a user at a specific address or in a specific address segment from logging in to the router, apply the ACL with inbound.
- To prevent a user who has logged in to the router from using it to access other routers, apply the ACL with outbound.
----End
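To see what an inbound ACL on a VTY user interface actually decides, here is an added Python example (not Huawei code) that evaluates a basic ACL written in the rule syntax this chapter uses: rules are walked in ascending rule-number order and the first match wins, with wildcard-mask bits set to 1 treated as "don't care". Two assumptions are labelled in the code: rules written without a number are auto-numbered in steps of 5 above the highest number so far, and a source that matches no rule gets whatever default action the caller passes in (the VTY example later in this chapter avoids relying on the implicit default by ending with an explicit permit). The sample ACLs are constructed for the example; the first reproduces the one in this chapter and the second adds a /24 deny that is not on the page.

```python
"""Evaluate a Huawei-style basic ACL (2000-2999) against a source address.

Added example for this page, not Huawei code.  Models the `rule ... source`
syntax used for VTY `acl <number> inbound` restrictions: rules are tried in
ascending rule-number order and the first matching rule decides.
Assumption: rules given without a number are auto-numbered in steps of 5.
Assumption: a source matching no rule receives the caller's `default`.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    number: int
    action: str        # "permit" or "deny"
    network: int       # source address as a 32-bit integer
    wildcard: int      # wildcard mask: 1 bits are "don't care"


def _wildcard_to_int(text: str) -> int:
    # Huawei accepts "0" as shorthand for the all-zero wildcard (exact host).
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def parse_basic_acl(config_text: str, step: int = 5) -> List[Rule]:
    """Parse `rule [n] {permit|deny} source {any | A.B.C.D wildcard}` lines."""
    rules: List[Rule] = []
    next_number = step  # assumption: first auto-assigned number is `step`
    for line in config_text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue  # skip "acl number 2000", "#", prompts, etc.
        i = 1
        number = next_number
        if tok[i].isdigit():
            number = int(tok[i])
            i += 1
        action = tok[i]
        if action not in ("permit", "deny") or tok[i + 1] != "source":
            raise ValueError(f"unsupported rule syntax: {line.strip()!r}")
        src = tok[i + 2]
        if src == "any":
            network, wildcard = 0, 0xFFFFFFFF
        else:
            network = int(ipaddress.IPv4Address(src))
            wildcard = _wildcard_to_int(tok[i + 3])
        rules.append(Rule(number, action, network, wildcard))
        # Next auto-assigned number: the next multiple of `step` above this one.
        next_number = (number // step + 1) * step
    return sorted(rules, key=lambda r: r.number)


def rule_matches(rule: Rule, source: str) -> bool:
    """A source matches when every bit NOT covered by the wildcard is equal."""
    care = ~rule.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(source)) & care) == (rule.network & care)


def acl_decision(rules: List[Rule], source: str,
                 default: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or (default, None)."""
    for rule in rules:
        if rule_matches(rule, source):
            return rule.action, rule.number
    return default, None


# Constructed sample: the ACL from the VTY configuration example in this chapter.
SAMPLE_ACL = """\
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
"""

# Constructed sample: the same plus a /24 denied with a wildcard mask.
SAMPLE_ACL_WITH_SUBNET = """\
acl number 2001
 rule 5 deny source 10.1.1.1 0
 rule 10 deny source 192.168.7.0 0.0.0.255
 rule permit source any
"""

if __name__ == "__main__":
    rules = parse_basic_acl(SAMPLE_ACL_WITH_SUBNET)
    for src in ("10.1.1.1", "10.1.1.2", "192.168.7.200", "192.168.8.1"):
        print(src, "->", acl_decision(rules, src))
```

The decision is per source address only, which is all a basic ACL can express; an advanced ACL (3000 to 3999) would also need destination and port matching, so the parser deliberately rejects anything it does not understand rather than silently permitting it.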
Context
Terminal attributes of a VTY user interface have default values on the router and you can set
them as needed.
Procedure
Step 1 Run:
system-view
The system automatically adjusts the terminal screen length, so you do not need to set it manually.
Step 6 Run:
history-command max-size size-value
Context
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the user level.
This procedure sets the priority of a user who logs in through a VTY user interface. A user's level determines the level of commands the user is authorized to run.
Procedure
Step 1 Run:
system-view
If the command level configured in the VTY user interface view and user priority are inconsistent, user
priority takes precedence.
----End
Context
The system provides three authentication modes, as shown in Table 4-3.
Table 4-3 Authentication Modes
Authentication Mode      Advantage    Disadvantage
AAA
Password authentication
Non-authentication                    It is insecure.
Procedure
- Configuring AAA Authentication
1. Run:
system-view
2. Run:
user-interface vty first-ui-number [ last-ui-number ]
3. Run:
authentication-mode aaa
4. Run:
quit
5. Run:
aaa
6. Run:
local-user user-name password { simple | cipher } password
- Configuring Password Authentication
1. Run:
system-view
2. Run:
user-interface vty first-ui-number [ last-ui-number ]
3. Run:
authentication-mode password
4. Run:
set authentication password { cipher | simple } password
- Configuring Non-Authentication
1. Run:
system-view
2. Run:
user-interface vty first-ui-number [ last-ui-number ]
3. Run:
authentication-mode none
Prerequisites
The configurations of the VTY user interface are complete.
Procedure
- Run the display users [ all ] command to check information about user interfaces.
- Run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.
- Run the display local-user command to check the local user list.
- Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view information about current user interfaces.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0    00:00:12 TEL   10.138.77.38
  Username : Unspecified
+ 35  VTY 1    00:00:00 TEL   10.138.77.57
  Username : Unspecified
Run the display user-interface maximum-vty command to view the maximum number of VTY user interfaces.
<Huawei> display user-interface maximum-vty
  Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configuration of user interfaces.
<Huawei> display user-interface vty 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0               14    14                N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
  Int  : The physical location of UIs.
Run the display local-user command to view the local user list.
<Huawei> display local-user
----------------------------------------------------------------------------
User-name            State  AuthMask  AdminLevel
----------------------------------------------------------------------------
admin                A      H         -
ftp                  A      F         -
guest                A      A         15
----------------------------------------------------------------------------
Total 3 user(s)
Run the display vty mode command to view the message indicating that the machine-to-machine interface is enabled. For example:
<Huawei> display vty mode
current VTY mode is Machine-Machine interface
Networking Requirements
A user uses the console user interface to log in to the router to initialize the router configuration or perform local router maintenance. You can set console user interface attributes as needed (for example, for security reasons) to control user logins.
The password authentication mode has been set in the console user interface view (the password is huawei).
If there is no user activity and a connection is idle for more than 30 minutes after login, the connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the console user interface view and set the physical attributes of the console user interface.
2. Set the terminal attributes (idle timeout period and history command buffer) of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.
Data Preparation
To complete the configuration, you need the following data:
- Timeout period for disconnecting from the console user interface: 30 minutes
- User priority: 15
Procedure
Step 1 Set the physical attributes of the console user interface.
<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] speed 4800
[Huawei-ui-console0] parity even
[Huawei-ui-console0] stopbits 2
[Huawei-ui-console0] databits 8
Step 2 Set the terminal attributes of the console user interface.
[Huawei-ui-console0] idle-timeout 30 0
[Huawei-ui-console0] history-command max-size 20
Step 3 Set the user priority of the console user interface.
[Huawei-ui-console0] user privilege level 15
Step 4 Set the user authentication mode of the console user interface to password.
[Huawei-ui-console0] authentication-mode password
[Huawei-ui-console0] set authentication password simple huawei
[Huawei-ui-console0] quit
After the console user interface is configured, a user can log in through the console port in password authentication mode and perform local maintenance on the router. For details on how a user logs in to the router, see 5 Configuring User Login.
----End
Configuration Files
#
 sysname Huawei
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 databits 8
 parity even
 stopbits 2
 speed 4800
#
return
Networking Requirements
A user uses Telnet or SSH to log in to the router through a VTY channel. You can set VTY user interface attributes as needed (for example, for security reasons) to control user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password authentication with the password "huawei", and a user with the IP address 10.1.1.1 is prohibited from logging in to the router.
If there is no user activity and a connection is idle for more than 30 minutes after login, the connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the maximum number of VTY user interfaces to 15.
2. Set restrictions for incoming calls on the VTY user interface to prevent an IP address or an IP address segment from accessing the router.
3. Set the terminal attributes (terminal service, idle timeout period, screen length, and history command buffer) of the VTY user interface.
4. Set the user priority of the VTY user interface.
5. Set the authentication mode and password of the VTY user interface.
Data Preparation
To complete the configuration, you need the following data:
- ACL applied to restrict incoming calls on the VTY user interface: 2000
- Timeout period for disconnecting from the VTY user interface: 30 minutes
- User priority: 15
By default, the terminal service is enabled on all user interfaces. If the terminal service is disabled, run the shell command to enable it.
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<Huawei> system-view
[Huawei] user-interface maximum-vty 15
Step 2 Set the restriction on incoming calls on the VTY user interface.
[Huawei] acl 2000
[Huawei-acl-basic-2000] rule 5 deny source 10.1.1.1 0
[Huawei-acl-basic-2000] rule permit source any
[Huawei-acl-basic-2000] quit
[Huawei] user-interface vty 0 14
[Huawei-ui-vty0-14] acl 2000 inbound
Step 3 Set the terminal attributes of the VTY user interface.
[Huawei-ui-vty0-14] shell
[Huawei-ui-vty0-14] idle-timeout 30
[Huawei-ui-vty0-14] screen-length 30
[Huawei-ui-vty0-14] history-command max-size 20
Step 4 Set the user priority of the VTY user interface.
[Huawei-ui-vty0-14] user privilege level 15
Step 5 Set the authentication mode and password of the VTY user interface.
[Huawei-ui-vty0-14] authentication-mode password
[Huawei-ui-vty0-14] set authentication password simple huawei
[Huawei-ui-vty0-14] quit
----End
Configuration Files
#
sysname Huawei
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
authentication-mode password
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
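The caveats in this chapter about VTY user interfaces (interfaces added by user-interface maximum-vty that nothing configures, non-authentication, plain-text simple passwords, missing inbound ACLs, and a shared password that grants level 15) can be checked mechanically against a saved configuration file. The Python script below is an added example, not Huawei code: it parses the user-interface section of a configuration in the layout shown above and returns one finding per weak setting. The finding texts and both sample configurations are constructed for the example; the first sample reproduces the VTY configuration file above, the second shows maximum-vty raised to 15 while only VTY 0 to 4 are configured.

```python
"""Audit the user-interface section of an AR150/200-style configuration.

Added example for this page, not Huawei code.  Finding texts and the sample
configurations are constructed here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

HEADER_RE = re.compile(r"^user-interface\s+(con|console|vty)\s+(\d+)(?:\s+(\d+))?$")
MAX_VTY_RE = re.compile(r"^user-interface\s+maximum-vty\s+(\d+)$")


@dataclass
class UiBlock:
    kind: str                                   # "con" or "vty"
    first: int
    last: int
    lines: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        span = str(self.first) if self.first == self.last else f"{self.first}-{self.last}"
        return f"user-interface {self.kind} {span}"

    def has(self, pattern: str) -> bool:
        return any(re.match(pattern, line) for line in self.lines)


def parse_user_interfaces(config: str) -> Tuple[Optional[int], List[UiBlock]]:
    """Return (maximum-vty value or None, user-interface blocks in file order)."""
    max_vty: Optional[int] = None
    blocks: List[UiBlock] = []
    current: Optional[UiBlock] = None
    for raw in config.splitlines():
        line = raw.strip()                      # block members are indented one space
        if not line:
            continue
        m = MAX_VTY_RE.match(line)
        if m:
            max_vty, current = int(m.group(1)), None
            continue
        m = HEADER_RE.match(line)
        if m:
            kind = "con" if m.group(1).startswith("con") else "vty"
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = UiBlock(kind, first, last)
            blocks.append(current)
            continue
        if line.startswith("#") or line == "return":
            current = None                      # "#" ends a configuration section
            continue
        if current is not None:
            current.lines.append(line)
    return max_vty, blocks


def audit_user_interfaces(config: str) -> List[str]:
    """Return one finding string per weak setting; an empty list means clean."""
    max_vty, blocks = parse_user_interfaces(config)
    findings: List[str] = []
    configured: Set[int] = set()                # VTYs with an explicit authentication-mode
    for b in blocks:
        if b.kind == "vty" and b.has(r"^authentication-mode\s+\S+"):
            configured.update(range(b.first, b.last + 1))
        if b.has(r"^authentication-mode\s+none$"):
            findings.append(f"{b.name}: authentication-mode none lets anyone log in")
        if b.has(r"^set authentication password simple\s"):
            findings.append(f"{b.name}: password stored in plain text (use cipher)")
        if b.kind == "vty" and not b.has(r"^acl\s+\d+\s+inbound$"):
            findings.append(f"{b.name}: no inbound ACL restricts where logins come from")
        if b.has(r"^authentication-mode\s+password$") and b.has(r"^user privilege level 15$"):
            findings.append(f"{b.name}: shared password grants level 15 with no per-user identity")
    if max_vty is not None:
        missing = sorted(set(range(max_vty)) - configured)
        if missing:
            findings.append(f"VTY {', '.join(map(str, missing))}: created by maximum-vty "
                            f"{max_vty} but no block sets their authentication-mode")
    return findings


# Constructed sample 1: the VTY configuration file shown in this chapter.
PAGE_VTY_CONFIG = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 authentication-mode password
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
#
return
"""

# Constructed sample 2: maximum-vty raised while only VTY 0-4 are configured.
RAISED_MAX_VTY_CONFIG = """\
user-interface maximum-vty 15
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
#
return
"""

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_VTY_CONFIG), ("raised", RAISED_MAX_VTY_CONFIG)):
        print(label)
        for finding in audit_user_interfaces(cfg):
            print("  -", finding)
```

Feed it the output of display current-configuration saved to a file; the console block is audited with the same rules, so the plain-text password in the console example of this chapter is reported as well.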
Login Mode                                              Applicable Scenario    Remarks
5.2 Logging in to the Devices Through the Console Port
5.3 Logging in to Devices Using Telnet
5.4 Logging in to Devices Using STelnet
NOTE
Logging in using Telnet is insecure because no secure authentication mechanism is used and data is transmitted over TCP in plain text. Unlike Telnet, SSH authenticates clients and encrypts data in both directions to guarantee secure transmission over a conventional insecure network. SSH supports secure Telnet (STelnet).
For detailed information about SSH, see AR150/200 Feature Description - Basic Configurations.
Applicable Environment
A user can log in to a device locally through the console port. The user must log in through the console port when a router is powered on for the first time.
- If a user cannot access the device remotely, the user can log in to the device locally through the console port.
- A user can log in through the console port to diagnose a fault if the device fails to start, or to enter the BootROM to upgrade the system.
Pre-configuration Tasks
Before configuring user login through the console port, complete the following tasks:
- Install a terminal emulator (for example, the Windows XP HyperTerminal) on the PC
Data Preparation
To configure user login through the console port, you need the following data.
No.  Data
1    Transmission rate, flow control mode, parity mode, stop bit, and data bit
2    Number of lines displayed on a terminal screen, and the size of the history command buffer
3    User priority
4    User authentication mode, username, and password
Context
- The communication parameters of the user terminal must match the physical attribute parameters of the console user interface on the device.
- If a user authentication mode is configured on the console user interface, a user can log in to the device only after being successfully authenticated. Authentication enhances network security.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 5-1.
Step 3 Set communication parameters to match the router defaults, as shown in Figure 5-3.
Step 4 Press Enter. At the command-line prompt such as <Huawei>, enter a command to configure the router, or enter a question mark (?) if you need help.
NOTE
When you connect to the console port of an AR150/200 that does not have a startup configuration file, the system displays "Auto-Config is working. Before configuring the device, stop Auto-Config. If you perform configurations when Auto-Config is running, the DHCP, routing, DNS, and VTY configurations will be lost. Do you want to stop Auto-Config? [y/n]:"
- To continue Auto-Config, enter n and press Enter.
- To stop Auto-Config, enter y and press Enter.
CAUTION
If you enter n but still perform configurations through the console port, the DHCP, routing, DNS, and VTY configurations that you have performed will be lost.
----End
Context
Console user interface attributes have default values on the device and generally need no modification. To meet specific user requirements or to improve network security, you can modify console user interface attributes such as the terminal attributes and the user authentication mode. For detailed settings, see Configuring Console User Interface.
NOTE
Changes to console user interface attributes take effect immediately, so the connection may be interrupted if console user interface attributes are modified while you are logged in to the device through the console port. For this reason, use another login mode when modifying console user interface attributes. To log in to the device through the console port after changing the default console user interface attributes, ensure that the configuration of the terminal emulator on the PC is consistent with the console user interface attributes configured on the device.
Prerequisites
Configurations for user login through a console port are complete.
Procedure
- Run the display users [ all ] command to check information about the user interface.
- Run the display local-user command to check the local user list.
----End
Example
Run the display users command to view information about the current user interface.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0    00:00:44
  Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command to view the physical attributes and configuration of the user interface.
<Huawei> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600             3                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command to view the local user list.
<Huawei> display local-user
----------------------------------------------------------------------------
User-name            State  AuthMask  AdminLevel
----------------------------------------------------------------------------
admin                A      H         -
ftp                  A      F         -
guest                A      A         15
----------------------------------------------------------------------------
Total 3 user(s)
Applicable Environment
If you know the IP address of a remote router, you can use Telnet to log in to the router from a local terminal. Telnet login allows you to maintain multiple remote routers from one local terminal, greatly facilitating device management.
Note that router IP addresses must first be set through the console port.
Pre-configuration Tasks
Before configuring users to log in using Telnet, you must log in to the device through the console port and change the default configuration so that users can remotely log in to the device using Telnet to manage and maintain it. The following default configurations must be changed:
- Configuring the IP address of the management network port on the device and ensuring that a reachable route exists between the user terminal and the device
- 5.3.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface for remote device management and maintenance
- 5.3.3 Enabling the Telnet Service so that users can remotely log in to the device through Telnet
Data Preparation
Before configuring Telnet user login, you need the following data.
No.  Data
1    User priority
2    TCP port number used by the remote device to provide Telnet services, VPN instance name
Context
In general, the default values of other VTY user interface attributes do not need to be modified. These attributes can be changed if necessary. For details, see Configuring the VTY User Interface.
The sequence of the following steps is not fixed, but all the configurations are mandatory.
Procedure
- Run:
system-view
- Run:
user-interface vty first-ui-number [ last-ui-number ]
- Run:
user privilege level level
Table 5-2 Association between user access levels and command levels
User Level   Command Level    Level Name            Description
0            0                Visit level
1            0 and 1          Monitoring level
2            0, 1, and 2      Configuration level
3-15         0, 1, 2, and 3   Management level
NOTE
- Different user access levels are associated with different command levels. A user at a given access level can use only commands whose level is lower than or equal to the command level of the user. This ensures the security of the device to some extent.
- If the configured command level of the user interface conflicts with the operation rights of the username, the operation rights of the username take precedence.
- Configuring Non-Authentication
1. Run:
system-view
2. Run:
user-interface vty first-ui-number [ last-ui-number ]
3. Run:
authentication-mode none
- Configuring Password Authentication
1. Run:
system-view
2. Run:
user-interface vty first-ui-number [ last-ui-number ]
3. Run:
authentication-mode password
4. Run:
set authentication password { cipher | simple } password
- Configuring AAA Authentication
1. Run:
system-view
2. Run:
aaa
3. Run:
local-user user-name password { simple | cipher } password
4. Run:
local-user user-name service-type telnet
5. Run:
quit
6. Run:
user-interface vty first-ui-number [ last-ui-number ]
7. Run:
authentication-mode aaa
Context
By default, the Telnet server function is enabled.
Procedure
Step 1 Run the following commands as required.
- For an IPv4 network:
1. Run:
system-view
2. Run:
telnet server enable
- For an IPv6 network:
1. Run:
system-view
2. Run:
telnet ipv6 server enable
NOTE
- If the undo telnet [ ipv6 ] server enable command is run while a user is logged in using Telnet, the command does not take effect.
- After the Telnet server function is disabled, you can log in to the device only using SSH or an asynchronous serial port, not using Telnet.
----End
Context
Use either the Windows CLI or third-party software in the terminal to log in to the router through
Telnet. This section describes use of the Windows command line prompt.
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to connect to the device.
1. Press Enter to display the command-line prompt of the user view, such as <HUAWEI>. This indicates that you have accessed the Telnet server.
2. If the password or AAA authentication mode has been set on the device, you must enter the login username and password and press Enter. The command-line prompt of the user view is displayed, as shown in Figure 5-5.
Figure 5-5 Login
----End
Prerequisites
Configurations for Telnet logins are complete.
Procedure
- Run the display users [ all ] command to check information about users logged in to user interfaces.
- Run the display telnet server status command to check the configuration and status of the Telnet server.
----End
Example
Run the display users command to view information about the currently used user interfaces.
<Huawei> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0    00:00:12 TEL   10.138.77.38
  Username : Unspecified
+ 35  VTY 1    00:00:00 TEL   10.138.77.57
  Username : Unspecified
Run the display tcp status command to view TCP connections. In the command output, Established indicates that a TCP connection has been established.
<Huawei> display tcp status
TCPCB     Tid/Soid  Local Add:port       Foreign Add:port     VPNID   State
39952df8  36 /1509  0.0.0.0:0            0.0.0.0:0            14849   Closed
32af9074  59 /1     0.0.0.0:21           0.0.0.0:0                    Listening
34042c80  73 /17    10.164.39.99:23      10.164.6.13:1147             Established
Run the display telnet server status command to view the configuration and status of the Telnet server.
<Huawei> display telnet server status
  Telnet IPV4 server    :Enable
  Telnet server port    :23
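As an added example (not Huawei code) of what to look for in the display tcp status output above: the Python script below parses that table and reports sockets listening on the Telnet and FTP ports, which carry credentials in plain text, plus any established Telnet session together with its peer address so that it can be matched against display users. The sample output is constructed from the table shown here; VPNID is filled in as 0 where the copy on this page leaves it blank.

```python
"""Flag plain-text management services in `display tcp status` output.

Added example for this page, not Huawei code.  The sample output below is
constructed from the table in this chapter (VPNID filled in as 0).
"""
import re
from typing import Dict, List, NamedTuple

ROW_RE = re.compile(
    r"^\s*(?P<tcpcb>[0-9a-f]+)\s+(?P<tid>\d+)\s*/\s*(?P<soid>\d+)\s+"
    r"(?P<local>[\d.]+):(?P<lport>\d+)\s+(?P<foreign>[\d.]+):(?P<fport>\d+)\s+"
    r"(?P<vpnid>\d+)\s+(?P<state>[A-Za-z_-]+)\s*$"
)

# Management services that send credentials unencrypted.
PLAINTEXT_PORTS: Dict[int, str] = {21: "FTP", 23: "Telnet"}


class TcpEntry(NamedTuple):
    local: str
    lport: int
    foreign: str
    fport: int
    vpnid: int
    state: str


def parse_tcp_status(output: str) -> List[TcpEntry]:
    """Return one TcpEntry per data row; header and prompt lines do not match."""
    entries: List[TcpEntry] = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(TcpEntry(m["local"], int(m["lport"]), m["foreign"],
                                    int(m["fport"]), int(m["vpnid"]), m["state"]))
    return entries


def plaintext_service_findings(output: str) -> List[str]:
    """Listening plain-text services and established sessions on them."""
    findings: List[str] = []
    for e in parse_tcp_status(output):
        service = PLAINTEXT_PORTS.get(e.lport)
        if service is None:
            continue
        if e.state == "Listening":
            findings.append(f"{service} server listening on {e.local}:{e.lport} "
                            "(credentials sent in clear text)")
        elif e.state == "Established":
            findings.append(f"{service} session from {e.foreign}:{e.fport} "
                            f"to {e.local}:{e.lport}")
    return findings


SAMPLE_TCP_STATUS = """\
<Huawei> display tcp status
TCPCB     Tid/Soid  Local Add:port       Foreign Add:port     VPNID   State
39952df8  36 /1509  0.0.0.0:0            0.0.0.0:0            14849   Closed
32af9074  59 /1     0.0.0.0:21           0.0.0.0:0            0       Listening
34042c80  73 /17    10.164.39.99:23      10.164.6.13:1147     0       Established
"""

if __name__ == "__main__":
    for finding in plaintext_service_findings(SAMPLE_TCP_STATUS):
        print("-", finding)
```

Once the Telnet server is disabled (undo telnet server enable) and STelnet is used instead, the only listening management socket should be the SSH port, and this check should return nothing.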
Applicable Environment
Telnet logins bring security risks: Telnet has no secure authentication mechanism, and everything it carries over TCP, including user names and passwords, is transmitted in plain text. Unlike Telnet, SSH authenticates the server to the client and the client to the server, and encrypts data in both directions, so it provides secure transmission over an insecure network.
SSH supports STelnet and SFTP.
STelnet is a secure Telnet protocol. SSH users can use the STelnet service in the same way they use the Telnet service.
Pre-configuration Tasks
Before configuring users to log in using STelnet, you must log in to the device through the console port and change the default configurations, so that users can remotely log in to the device to manage and maintain it. The following default configurations must be changed:
l Configure the IP address of the management network port on the device and ensure that a reachable route exists between the user terminal and the device.
l Configure the user access level and authentication mode of the VTY user interface used for remote device management and maintenance.
l Configure the VTY user interface to support the SSH protocol, configure the SSH user and specify STelnet as the service type of the SSH user, and enable the STelnet server function so that the user can remotely log in to the device through STelnet.
Data Preparation
To configure users to log in using STelnet, you need the following data:
1. Username, password, authentication mode, and service type of an SSH user, and the remote RSA public key allocated to the SSH user
2. (Optional) Name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the STelnet client to the SSH server, preferred encryption algorithm from the SSH server to the STelnet client, preferred HMAC algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from the SSH server to the STelnet client, preferred key exchange algorithm, name of the outgoing interface, and source address
must log in to the device through the console port to change the user access level and user
authentication mode.
Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.
Procedure
l
Run:
system-view
Run:
user-interface vty first-ui-number [ last-ui-number ]
Run:
user privilege level level
User Level   Command Level    Level Name            Description
0            0                Visit level           Network diagnosis commands, such as ping and tracert, and commands for accessing other devices, such as telnet
1            0 and 1          Monitoring level      System maintenance commands, including display commands
2            0, 1, and 2      Configuration level   Service configuration commands, including routing and network-layer commands
3-15         0, 1, 2, and 3   Management level      Commands that affect basic system operation: file system, FTP and TFTP downloads, user management, command level settings, and debugging
NOTE
l Different user access levels are associated with different command levels. A user at a given access level can run only commands whose command level is lower than or equal to that access level. This restricts what a logged-in user can do and so protects the device to some extent.
l If the command level configured on the user interface conflicts with the operation rights of the username, the operation rights of the username take precedence.
Run:
system-view
Run:
user-interface vty first-ui-number [ last-ui-number ]
Run:
authentication-mode none
Run:
system-view
Run:
aaa
Run:
local-user user-name password { simple | cipher } password
Run:
local-user user-name service-type ssh
Run:
quit
Run:
user-interface vty first-ui-number [ last-ui-number ]
Run:
authentication-mode aaa
Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.
NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
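As an added example (not the manual's own code), the following linter reads a VRP running-config excerpt and reports the conditions the VTY procedure above and this note describe: a VTY user interface with authentication-mode none, one that still admits Telnet through its protocol inbound setting, SSH enabled on a VTY interface without AAA authentication, and any password stored with the simple keyword. The sample configuration and the placeholder cipher text are constructed for this example; the defaults assumed for a VTY block that sets neither attribute follow the manual's statements that user interfaces support Telnet by default and that the default authentication mode is password.

```python
"""Added example, not the manual's own code: a linter for a VRP running-config
excerpt that flags the settings the VTY procedure warns about. It checks each
user-interface vty block for authentication-mode none, for a protocol inbound
setting that still admits Telnet, and for SSH enabled without AAA
authentication, and it flags every password stored with the simple keyword.
The sample configuration is constructed for this example; the placeholder
cipher text is not a real encrypted password."""
from typing import List, Tuple

SAMPLE_CONFIG = """\
#
 sysname SSH Server
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 local-user admin password cipher %$%$placeholder-cipher-text%$%$
 local-user admin service-type ssh
#
user-interface con 0
 authentication-mode aaa
#
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
user-interface vty 5 9
 authentication-mode aaa
 protocol inbound ssh
#
"""

Finding = Tuple[str, str]   # (subject, finding code)


def split_blocks(config: str) -> List[List[str]]:
    """Split a VRP configuration at its '#' separators into lists of stripped lines."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def lint(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for block in split_blocks(config):
        head = block[0]
        for line in block:
            if "password" in line and " simple " in line:
                # Plain-text credential in the configuration file (the manual's CAUTION).
                findings.append((line.split(" password")[0].strip(), "password-simple"))
        if not head.startswith("user-interface vty"):
            continue
        # Last setting wins. Defaults follow the manual: user interfaces support
        # Telnet by default, and the default authentication mode is password.
        mode, proto = "password", "telnet"
        for line in block:
            if line.startswith("authentication-mode "):
                mode = line.split()[-1]
            elif line.startswith("protocol inbound "):
                proto = line.split()[-1]
        if mode == "none":
            findings.append((head, "authentication-none"))
        if proto in ("telnet", "all"):
            findings.append((head, "telnet-allowed"))
        if proto == "ssh" and mode != "aaa":
            # The device refuses protocol inbound ssh without AAA; a configuration
            # prepared offline may still carry the mismatch, so flag it here.
            findings.append((head, "ssh-without-aaa"))
    return findings


if __name__ == "__main__":
    for subject, code in lint(SAMPLE_CONFIG):
        print(f"{code}: {subject}")
```

Run lint on the text of display current-configuration saved from the device; a clean STelnet-only setup produces no findings for its VTY blocks and no password-simple entries.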
Procedure
Step 1 Run:
system-view
Context
l SSH users can be authenticated in four modes: password, RSA, password-rsa, and all. In every mode you must create a local user with the same user name in the AAA view.
l Generating a local RSA key pair on the router is a key step for SSH login: the server's key pair is what lets the client authenticate the server. If an SSH user logs in to the SSH server in password authentication mode, generate a local RSA key pair on the server. If an SSH user logs in in RSA authentication mode, generate local RSA key pairs on both the server and the client.
NOTE
Password-rsa authentication requires both password authentication and RSA authentication to succeed. The all authentication mode requires either password authentication or RSA authentication to succeed.
Procedure
Step 1 Run:
system-view
l Before performing the other SSH configurations, run the rsa local-key-pair create command to generate a local key pair.
l After generating the local key pair, you can run the display rsa local-key-pair public command to view the public key in the local key pair.
Step 6 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
If RSA authentication is used, perform the following operations:
Run:
ssh user user-name authentication-type rsa
Run:
rsa peer-public-key key-name
Run:
public-key-code begin
Run:
hex-data
l In the public key view, only hexadecimal strings that comply with the public key format can be entered. The key pair is generated on the SSH client; for the generation procedure, see the manual of the SSH client software.
l After the public key editing view is displayed, copy the RSA public key generated on the client into the router that serves as the SSH server. Transfer the key over a channel you trust and compare it with the value on the client before saving it, because the router will accept any client that holds the matching private key.
Run:
public-key-code end
Run:
peer-public-key end
Run:
ssh user user-name assign rsa-key key-name
Step 7 (Optional) Configure basic authentication information for SSH users.
Run:
ssh server rekey-interval interval
Run:
ssh server auth-timeout timeout_interval
Run:
ssh server authentication-retries auth-times
Context
By default, no device is enabled with the STelnet server function. Users can establish connections
to the device using STelnet only after the device is enabled with the STelnet server function.
Do as follows on the device that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Context
Third-party software can be used on a terminal for STelnet login. This section describes the use of the third-party software OpenSSH from the Windows CLI.
After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, see the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the help documentation of the software.
Procedure
Step 1 Open the Windows CLI.
Step 2 Run relevant OpenSSH commands to log in to the router in STelnet mode.
Figure 5-6 Logging in to the device in STelnet mode
----End
Context
Table 5-4 lists server parameters.
Table 5-4 Server parameters
Server Parameter: Earlier SSH version compatibility
Description: There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X. SSH2.0 also supports more advanced services such as SFTP. The Huawei AR150&200 Series supports SSH versions ranging from 1.3 to 2.0. SSH1.X has known protocol weaknesses, so enable compatibility with earlier versions only when a client that cannot use SSH2.0 must be supported.
Server Parameter: Listening port number of an SSH server
Description: The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may also connect to the default listening port, consuming bandwidth, degrading server performance, and leaving authorized users unable to access the server. After the listening port number of the SSH server is changed, scans aimed at the default port no longer reach the server, which reduces this exposure. A non-default port is not a substitute for authentication: a port scan still finds it, so combine it with an ACL on the VTY user interfaces and with strong user authentication.
Server Parameter: Interval for updating the SSH server key pair
Description: If this interval is set, the SSH server key pair is regenerated periodically, which limits how long a compromised server key remains usable.
Procedure
Step 1 Run:
system-view
Configure the server parameters listed in Table 5-4 as required: earlier SSH version compatibility, the listening port number of the SSH server, and the interval for updating the SSH server key pair.
----End
Prerequisites
Configurations for STelnet login are complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check information about SSH users.
l Run the display ssh server status command on the SSH server to check its configurations.
l Run the display ssh server session command on the SSH server to check sessions for SSH users.
----End
Example
Run the display ssh user-information username command to view information about a specified SSH user.
<Huawei> display ssh user-information client001
 -------------------------------------------------------------------------------
 Username    Auth-type    User-public-key-name    Sftp-directory    Service-type
 -------------------------------------------------------------------------------
 guest       password     null                                      sftp
 rsa         rsa          RsaKey001
 password    password     null
 -------------------------------------------------------------------------------
If no SSH user is specified, information about all SSH users configured on the SSH server is displayed.
Run the display ssh server status command to view the configuration of an SSH server.
<Huawei> display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH Authentication retries          :3 times
 SFTP Server                         :Enable
 Stelnet server                      :Enable
Run the display ssh server session command to view the session information between the SSH server and its clients.
<Huawei> display ssh server session
 -------------------------------------------------------------------
 Conn    Ver    Encry      State   Auth-type    Username
 -------------------------------------------------------------------
 VTY 0   1.5    BLOWFISH   run     password     john
 -------------------------------------------------------------------
Applicable Environment
Configure user level switching and enable messaging between user interfaces to ensure that
operators can manage routers safely.
Pre-configuration Tasks
Before performing operations after login, complete the following tasks:
Data Preparation
Before performing operations after login, you need the following data:
Context
A password is required to increase user level. This prevents unauthorized users from gaining
access to high-level commands.
Procedure
Step 1 Run:
system-view
CAUTION
If simple is selected, the password is saved in plain text in the configuration file. A low-level login user can read it from the configuration file and then use it to switch to a higher level, compromising the security of the device and the network. Selecting cipher so that the password is stored in encrypted form is recommended.
If a password set with cipher is lost or forgotten, it cannot be recovered by querying the system. Keep a copy of the password in a secure location.
Step 3 Run:
quit
When the super command is used to switch a user from a lower to a higher level, the system automatically
sends trap messages and records the switchover in a log. When a user is switched from a higher to a lower
level, the system only records the switchover in a log.
----End
Context
The user interface can be a console user interface or a VTY user interface.
Procedure
Step 1 Run:
lock
If the locking is successful, the system prompts that the user interface is locked.
You must enter the password previously set to unlock the user interface.
----End
Context
Users logged in to the router can send messages from their user interface to users on other user
interfaces.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
Context
User name, address, and authentication and authorization information can be queried.
Procedure
l Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about users logged in to all user interfaces is displayed.
----End
Networking Requirements
If default values for console user interface parameters are modified, corresponding parameters
on the PC must be reset before another login to the router can be implemented.
Figure 5-7 Networking diagram of user login using a console port
(PC connected to the console port of the Router)
Data Preparation
Communication parameters for the PC (baud rate: 4800 bps, data bit: 7, parity: even, stop bit:
2, flow control mode: none)
Procedure
Step 1 Use a standard RS-232 cable to connect the serial port of the PC to the console port of the
router.
Step 2 Run the terminal emulator on the PC and set the communication parameters as shown in Figure 5-8 to Figure 5-10: transmission rate 4800 bit/s, 7 data bits, even parity, 2 stop bits, and no flow control.
Step 3 Power on the router. After the self-check is complete and the router is started, you are prompted
to press Enter.
At the prompt (usually <Huawei>), you can run commands to view the status of the router or
configure the router.
----End
Networking Requirements
You can log in to the router on other network segments through the PC or other terminals to
perform remote maintenance.
Networking diagram: PC, Router, WAN, Target Router; Eth1/0/0 on the target router: 202.38.160.92/16
Data Preparation
l IP address of the PC
l User information (including the user name, password, and authentication mode)
Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Set login user parameters on the target router.
# Configure the login address.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.38.160.92 255.255.0.0
[Huawei-Ethernet1/0/0] quit
Click OK.
Enter the user name and password in the login window. After authentication succeeds, a command line prompt such as <Huawei> appears and you are in the user view.
----End
Networking Requirements
As shown in Figure 5-13, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode.
In this configuration example, the password authentication mode is used.
Figure 5-13 Networking diagram of configuring user login by using STelnet
Networking diagram: PC (STelnet client), Network, SSH Server; Eth1/0/0 on the SSH server: 10.137.217.223/16
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server for secure data exchange between the STelnet client and the SSH server.
2.
3. Configure an SSH user, which involves setting the user authentication mode, user name, and password.
4. Enable the STelnet server function on the SSH server and configure the user service type.
Data Preparation
To complete the configuration, you need the following data:
l SSH user authentication mode: password; user name: client001; password: huawei
Procedure
Step 1 Generate a local key pair on the server.
<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Huawei_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
NOTE
The default modulus of 512 bits, and the 768 bits entered in this example, are too short to resist factoring with current computing resources. Enter 2048, the largest size the device accepts, unless an older client cannot handle it.
NOTE
If SSH is configured as the login protocol, the AR150/200 automatically disables Telnet.
[SSH Server] aaa
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server-aaa]
----End
Configuration Files
Storage devices
Storage devices are hardware devices for storing data. At present, the router supports storage devices such as flash memory and USB disks.
Files
A file is a resource for storing and managing data.
Directories
A directory is a logical container that the system uses to organize files.
Control connection: carries commands from the client to the server and replies from the server to the client; it is optimized for low transmission delay.
Data connection: transmits data between the client and the server; it is optimized for throughput.
Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
FTP client: Users connect a PC to the device using a terminal emulator or the Telnet program, then run the ftp command on the device to connect it to a remote FTP server and access and operate files on that server.
FTP server: Users use an FTP client program to log in to the device and operate files on the device. Before users log in, the network administrator must configure an IP address for the FTP server.
If the client does not receive any packet within the specified period, the client sends a keepalive packet to the server. If the number of consecutive times the server fails to respond exceeds the specified value, the client proactively releases the connection.
Logging in to the device through the console port and loading a digital certificate to the sub-directory named security of the system directory on the FTPS server
Applicable Environment
Use the file system to manage files or directories on the router. If the router is unable to save or
obtain data, log in to the file system to repair the faulty storage devices.
Pre-configuration Tasks
Before logging in to the file system to manage files, complete the following tasks:
Data Preparation
To manage files by logging in to the file system, you need the following data:
1. Directory name
2. File name
Context
When the file system on a storage device fails, the terminal of the router prompts you to rectify
the fault.
NOTE
The storage devices can be flash memory, or USB flash drives. The router has a built-in flash memory.
Only Huawei-certified storage devices can be used.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device.
CAUTION
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.
Procedure
l
Run:
fixdisk device-name
NOTE
If, after running this command, the prompt still says the system should be repaired, there may be
damage to the physical storage medium.
Run:
format device-name
If the storage device does not work after you run this command, there may be a hardware fault.
----End
Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.
Procedure
l
Run:
cd { directory | device-name }
A directory is specified.
l
Run:
pwd
Run:
dir [ /all ] [ filename ] [ device-name ]
Run:
mkdir { directory | device-name }
Run:
rmdir { directory | device-name }
Context
l You can run the cd { directory | device-name } command to enter the required directory from the current directory.
Procedure
Run:
more [ /binary ] { filename | device-name } [ offset ] [ all ]
Run:
copy source-filename destination-filename
Run:
move source-filename destination-filename
Run:
rename source-filename destination-filename
Run:
zip source-filename destination-filename
Run:
delete [ /unreserved ] [ /force ] { filename | device-name } [ all ]
CAUTION
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.
l
Run:
undelete filename
If the current directory is not the parent directory, you must use the absolute path to the file to perform
operations.
Run:
reset recycle-bin [ filename ]
Run:
system-view
Run:
execute filename
Run:
system-view
Run:
file prompt { alert | quiet }
CAUTION
If the prompt mode is set to quiet, no prompt appears when data is lost due to
inappropriate operating procedures.
----End
Applicable Environment
When an FTP client logs in to a router serving as an FTP server, the user can transfer files
between the client and the server.
Pre-configuration Tasks
Before using FTP to manage files, complete the following task:
Data Preparation
To use FTP to manage files, you need the following data:
1. FTP username and password, and authorized FTP file directory name
Context
To use FTP to manage files, you must configure a local username and a password on the
router and specify a service type and the directories that can be accessed.
Perform the following operations on the router that functions as the FTP server:
Procedure
Step 1 Run:
system-view
The configuration in this step takes effect only with TACACS users.
Step 3 Run:
aaa
Context
The default listening port number for an FTP server is 21. Users can log in to the router directly by using the default listening port number. Attackers can also connect to the default listening port to launch attacks that reduce available bandwidth and affect server performance, preventing valid users from accessing the server. Changing the FTP server listening port number keeps scans aimed at the default port from reaching the server, but a port scan still finds the new port, so also restrict access with an ACL on the FTP server and disable the FTP server when it is not in use.
Procedure
Step 1 Run:
system-view
Context
The FTP server is disabled by default on the router. It must be enabled before FTP can be used.
Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
When file operations between clients and the router are complete, run the undo ftp [ ipv6 ] server command to disable the FTP server function. This removes a plaintext service from the router and reduces its attack surface.
----End
Context
l You can configure a source IP address for the FTP server. FTP clients can then reach the server only at this address, which protects system security.
l You can configure the timeout period for FTP connections on the FTP server. When the timeout period for an FTP connection expires, the system terminates the connection to release resources.
Procedure
Step 1 Run:
system-view
Context
When the router functions as an FTP server, you can configure an ACL so that only clients matching its permit rules can access the FTP server.
Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
l By default, an ACL denies all packets that match none of its rules. To allow packets to pass, define a permit rule in the ACL. For example, to reject only packets with the source IP address 10.1.1.10, define two rules in the ACL:
l rule deny source 10.1.1.10 0
l rule permit source any
If rule permit source any is not defined, packets from all other source IP addresses are also discarded, not only those from 10.1.1.10.
l FTP supports only basic ACLs.
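To see the rule-order effect described in this note without touching the router, here is an added example (not the manual's code) that models how a basic ACL is evaluated: the first matching rule decides, and a packet that matches no rule is denied. It parses the manual's rule syntax, including the bare 0 wildcard and full wildcard masks (a VRP wildcard sets the bits that are ignored); the matching order is simplified to configuration order.

```python
"""Added example, not the manual's own code: a model of how the basic ACL in
the note above is evaluated, so the effect of rule order and the implicit deny
can be checked offline before the ACL is bound to the FTP server. It handles
the manual's "rule deny source 10.1.1.10 0" form and full wildcard masks
(a VRP wildcard sets the bits that are ignored). Rule ordering is simplified
to configuration order."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_RE = re.compile(
    r"^rule(?:\s+\d+)?\s+(permit|deny)\s+source\s+(any|\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(\d{1,3}(?:\.\d{1,3}){3}|0))?\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    source: Optional[int]     # IPv4 address as an int; None means "any"
    wildcard: int = 0         # set bits are "don't care" bits


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, source, wildcard = m.groups()
    if source == "any":
        return Rule(action, None)
    # A bare "0" wildcard, as written in the manual, is 0.0.0.0: an exact host match.
    wc = 0 if wildcard in (None, "0") else int(ipaddress.IPv4Address(wildcard))
    return Rule(action, int(ipaddress.IPv4Address(source)), wc)


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse the 'rule ...' lines of an ACL view; other lines are ignored."""
    return [parse_rule(line) for line in lines if line.strip().startswith("rule")]


def matches(rule: Rule, src_ip: str) -> bool:
    if rule.source is None:
        return True
    care = 0xFFFFFFFF & ~rule.wildcard
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (rule.source & care)


def evaluate(acl: List[Rule], src_ip: str) -> str:
    """First matching rule decides; a packet that matches no rule is denied."""
    for rule in acl:
        if matches(rule, src_ip):
            return rule.action
    return "deny"


# The two ACLs from the note: without "rule permit source any" everything is dropped.
ACL_DENY_ONLY = parse_acl(["rule deny source 10.1.1.10 0"])
ACL_CORRECT = parse_acl(["rule deny source 10.1.1.10 0", "rule permit source any"])

if __name__ == "__main__":
    for ip in ("10.1.1.10", "10.1.1.20"):
        print(ip, evaluate(ACL_DENY_ONLY, ip), evaluate(ACL_CORRECT, ip))
```

Paste the rule lines of the intended ACL into parse_acl and evaluate the addresses of the FTP clients that must keep working; any "deny" for a legitimate client means the permit rule is missing or ordered after a broader deny.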
Step 4 Run:
quit
Context
You can use either the Windows command line prompt or third-party software to log in to the router. The example here uses the Windows command line prompt.
Do as follows on the PC:
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the ftp ip-address command to log in to the router using FTP.
Enter a user name and password at the prompt and press Enter. When the FTP client prompt, such as ftp>, is displayed, you are in the working directory of the FTP server.
----End
Context
After logging in to the FTP server and entering the FTP client view, you can perform the following operations:
l Displaying information about a specific remote directory or file on the FTP server, or deleting a specific file from the FTP server
Procedure
NOTE
FTP supports ASCII and binary transfers. The difference between the two is:
l In ASCII transmission mode, the line-ending characters (carriage return and line feed) are converted to the convention of the receiving system.
l In binary transmission mode, bytes are transferred without any conversion or formatting.
A transmission mode can be set for each client. The system uses ASCII transmission mode by default, and the mode switch command switches a client between ASCII and binary modes. Use ASCII mode for text files such as .txt files and binary mode for binary files; a system software file transferred in ASCII mode is corrupted by the line-ending conversion.
The FTP file is downloaded from the FTP server and saved to the local file.
Run:
delete remote-filename
If you need more information about FTP operations, run the help [ command ] command in the
Windows CLI.
----End
Prerequisites
The configuration of the router as the FTP server is complete.
Procedure
l Run the display ftp-server command to check the configuration and running information of the FTP server.
l Run the display ftp-users command to check the logged-in FTP users.
----End
Example
After configuring the FTP server, run the display ftp-server command to confirm that the FTP server is running.
<Huawei> display ftp-server
 FTP server is running
 Max user number                5
 User count                     0
 Timeout value(in minute)       30
 Listening Port                 21
 Acl number                     0
 FTP server's source address    1.1.1.1
Run the display ftp-users command to view the user name, host address, port number, idle time, and authorized directory of each logged-in FTP user.
<Huawei> display ftp-users
 username   host             port   idle   topdir
 zll        100.2.150.226    1383   3      flash:
Applicable Environment
SSH authenticates clients and encrypts data in both directions to guarantee secure data transmission on conventional networks. SSH supports SFTP.
SFTP is a secure file transfer service carried over SSH; users log in to the SFTP server to transfer files without exposing credentials or data in plain text.
Pre-configuration Tasks
Before using SFTP to manage files, complete the following task:
Data Preparation
Before using SFTP to manage files, you need the following data:
1. Maximum number of VTY user interfaces, (optional) ACL for restricting incoming and outgoing calls on VTY user interfaces, connection timeout period of terminal users, number of rows displayed on a terminal screen, size of the history command buffer, user authentication mode, username, and password
2. Username, password, authentication mode, and service type of an SSH user, remote RSA public key allocated to the SSH user, and SFTP working directory of the SSH user
3. Name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server to the SFTP client, preferred key exchange algorithm, name of the outgoing interface, and source address
Context
By default, the user authentication mode in the VTY user interface is password. Therefore, before
a user logs in to the device by using SFTP, the user authentication mode in the VTY user interface
must be set. Otherwise, the user cannot log in to the device.
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH, you
cannot log in to the router using SFTP.
Procedure
Step 1 Run:
system-view
Context
l
Issue 02 (2012-03-30)
SSH users can be authenticated in four modes: RSA, password, password-RSA, and All.
You must create a local user with the specified user name in the AAA view.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
108
Configuring the router to generate a local RSA key pair is a key step for SSH login. If an
SSH user logs in to an SSH server in password authentication mode, configure the server
to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.
NOTE
Procedure
Step 1 Run:
system-view
l Before performing other SSH configurations, run the rsa local-key-pair create command to generate
a local key pair.
l After generating the local key pair, you can perform the display rsa local-key-pair public command
to view the public key in the local key pair.
Run:
ssh user user-name authentication-type rsa
Run:
rsa peer-public-key key-name
Run:
public-key-code begin
Run:
hex-data
l In the public key view, only hexadecimal strings that comply with the public key format can be entered. The key pair is generated on the SSH client; for the generation procedure, see the manual of the SSH client software.
l After the public key editing view is displayed, copy the RSA public key generated on the client into the router that serves as the SSH server.
Run:
public-key-code end
Run:
peer-public-key end
Run:
ssh user user-name assign rsa-key key-name
In all authentication mode, the SSH server authenticates a client by checking either its public key or its password. The client is authenticated when either the public key or the password meets the requirement.
Step 7 (Optional) Configure basic authentication information for SSH users.
Run:
ssh server rekey-interval interval
Run:
ssh server auth-timeout timeout_interval
Run:
ssh server authentication-retries auth-times
Context
By default, the SFTP server function is not enabled on the router. You can use SFTP to establish
connections with the router only after the SFTP server function is enabled on the router.
Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Context
Third-party software can be used to access the router from the user terminal using SFTP. The example here uses the third-party software OpenSSH from the Windows CLI.
Install OpenSSH on the user terminal and then do as follows:
NOTE
For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the router, see the help documentation for the software.
Procedure
Step 1 Open the Windows CLI.
Step 2 Run relevant OpenSSH commands to log in to the router in SFTP mode.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, you have
entered the working directory of the SFTP server.
Figure 6-2 Using SFTP to log in to the device
----End
Context
After logging in to the SFTP server and entering the SFTP client view, you can perform one or more of the following operations.
Procedure
l
Run:
help [ all | command-name ]
Prerequisites
The configurations of SSH users are complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check information about the SSH user.
l Run the display ssh server status command on the SSH server to check its global configuration.
l Run the display ssh server session command on the SSH server to check information about connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. The output shows that the SSH user named client001 is authenticated by password and that its service type is sftp.
[Huawei] display ssh user-information client001
 -------------------------------------------------------------------------------
 Username    Auth-type    User-public-key-name    Sftp-directory    Service-type
 -------------------------------------------------------------------------------
 client001   password     null                                      sftp
 -------------------------------------------------------------------------------
If no SSH user is specified, information about all SSH users configured on the SSH server is displayed.
Run the display ssh server status command to view the configuration of an SSH server.
<Huawei> display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :2 hours
 SSH Authentication retries          :5 times
 SFTP Server                         :Enable
 Stelnet server                      :Enable
NOTE
If the default interception port is in use, information about the current interception port is not displayed.
<Huawei> display ssh server session
--------------------------------------------------------------------
Conn     Ver    Encry       State    Auth-type    Username
--------------------------------------------------------------------
VTY 0    1.5    BLOWFISH    run      password     john
--------------------------------------------------------------------
Networking Requirements
You can log in to the router through the console port, Telnet, or STelnet to manage files on the
router.
The path to the file on the storage device must be entered correctly. If the user does not specify
a target file name, the source file name is the name of the target file by default.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Display the file information in the current directory. flash:/ is the flash memory identifier.
<Huawei> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-     47,584,256  Sep 17 2107  14:54:23   ar1201_23316_1220.cc
    1  -rw-              4  Jun 30 2010  01:01:16   voip_feature.efs
    2  -rw-              4  Jul 27 2005  11:02:05   voip_protocol.efs
    3  -rw-     45,794,304  Sep 03 2107  12:38:38   ar1117_20921_1220.cc
    4  -rw-      1,751,678  Jan 26 2008  16:24:13   web.zip
    5  -rw-          3,856  Jan 28 2008  00:00:09   iascfg.zip
    6  -rw-            396  Jan 11 2008  18:09:53   rsa_host_key.efs
    7  -rw-              6  Dec 01 2007  15:35:31   1.txt
    8  -rw-          3,315  Dec 07 2007  12:54:45   ma5600_license.dat
    9  -rw-          6,656  Dec 07 2007  12:55:14   patch_lic.pat
   10  -rw-          7,533  Dec 07 2007  12:55:50   pdt_keyfile.txt
   11  -rw-          6,656  Dec 07 2007  13:13:39   patch_lic2.pat
   12  -rw-        526,003  Jan 27 2008  00:00:36   private-data.txt
   13  -rw-            540  Jan 11 2008  18:10:07   rsa_server_key.efs
   14  -rw-             16  Jan 12 2008  14:53:53   dulei.tbl
   15  -rw-              0  Dec 27 2007  15:27:49   dictionary.xml
   16  -rw-      2,016,467  Dec 28 2007  17:58:26   arweb.zip
   17  -rw-            477  Jan 10 2008  14:46:12   elabel.fls
   18  -rw-          2,810  Jan 15 2008  13:57:02   aa.txt
   19  -rw-     68,750,848  Jan 26 2008  15:40:15   ar0312_34479_1220.cc
   20  -rw-              0  Jan 28 2008  14:47:29   ar.txt
Step 3 Display the file information about the current directory to check that the file has been copied to
the specified directory.
<Huawei> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-     47,584,256  Sep 17 2107  14:54:23   ar1201_23316_1220.cc
    1  -rw-              4  Jun 30 2010  01:01:16   voip_feature.efs
    2  -rw-              4  Jul 27 2005  11:02:05   voip_protocol.efs
    3  -rw-     45,794,304  Sep 03 2107  12:38:38   ar1117_20921_1220.cc
    4  -rw-      1,751,678  Jan 26 2008  16:24:13   web.zip
    5  -rw-          3,856  Jan 28 2008  00:00:09   iascfg.zip
    6  -rw-            396  Jan 11 2008  18:09:53   rsa_host_key.efs
    7  -rw-              6  Dec 01 2007  15:35:31   1.txt
    8  -rw-          3,315  Dec 07 2007  12:54:45   ma5600_license.dat
    9  -rw-          6,656  Dec 07 2007  12:55:14   patch_lic.pat
   10  -rw-          7,533  Dec 07 2007  12:55:50   pdt_keyfile.txt
   11  -rw-          6,656  Dec 07 2007  13:13:39   patch_lic2.pat
   12  -rw-        526,003  Jan 27 2008  00:00:36   private-data.txt
   13  -rw-            540  Jan 11 2008  18:10:07   rsa_server_key.efs
   14  -rw-             16  Jan 12 2008  14:53:53   dulei.tbl
   15  -rw-              0  Dec 27 2007  15:27:49   dictionary.xml
   16  -rw-      2,016,467  Dec 28 2007  17:58:26   arweb.zip
   17  -rw-            477  Jan 10 2008  14:46:12   elabel.fls
   18  -rw-          2,810  Jan 15 2008  13:57:02   aa.txt
   19  -rw-     68,750,848  Jan 26 2008  15:40:15   ar0312_34479_1220.cc
   20  -rw-              0  Jan 28 2008  14:47:29   ar.txt
   21  -rw-          1,605  Oct 24 2009  11:14:39   sample1.txt
----End
Networking Requirements
As shown in Figure 6-3, after the FTP server is enabled on the router, you can log in to the FTP
server from the HyperTerminal to upload or download files.
Figure 6-3: PC, Network, FTP Server (Eth1/0/0, 10.137.217.221/16)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Log in to the FTP server by using the correct user name and password.
5.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the IP address of the FTP server.
<Huawei> system-view
[Huawei] sysname server
[server] interface ethernet1/0/0
[server-Ethernet1/0/0] ip address 10.137.217.221 255.255.0.0
[server-Ethernet1/0/0] quit
Step 3 Configure the authentication information, authorization mode, and authorized directories for an FTP user on the FTP server.
[server] aaa
[server-aaa] local-user huawei password simple Huawei
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory flash:
[server-aaa] quit
Step 4 Run the FTP commands at the Windows command line prompt, and enter the correct user name and password to set up an FTP connection with the FTP server.
NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed
information of the file.
----End
Configuration Files
interface Ethernet1/0/0
ip address 10.137.217.221 255.255.0.0
#
aaa
local-user huawei password simple Huawei
local-user huawei service-type ftp
local-user huawei ftp-directory flash:
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
return
Networking Requirements
As shown in Figure 6-6, after SFTP services are enabled on the router functioning as an SSH
server, you can log in to the server in password, RSA, password-rsa, or all authentication mode
from a PC on the SFTP client.
Configure a user to log in to the SSH server in password authentication mode.
Figure 6-6 Networking diagram for operating files by using SFTP (PC, Network, SSH Server at Eth1/0/0, 10.137.217.225/16)
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure a local key pair on the SSH server to securely exchange data between the SFTP
client and the SSH server.
2.
3.
4.
Enable SFTP services on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
SSH user authentication mode: password, user name: client001, password: huawei
Procedure
Step 1 Configure a local key pair on the SSH server.
<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 3 Configure the SSH user name and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001
[SSH Server-aaa] local-user client001
[SSH Server-aaa] local-user client001
[SSH Server-aaa] local-user client001
[SSH Server-aaa] quit
----End
Configuration Files
Identifying Method
Configuration files
Current configurations: indicates the configurations in effect on the router when it is actually running.
You can use the command line interface to modify current router configurations. Use the save
command to save modified configurations to the configuration file on the default storage devices.
This configuration file will be used to initialize the router when the router is powered on next
time.
Applicable Environment
Configuration files can be saved, cleared, and compared. Configuration file management is
required to upgrade the router, take preventive measures, repair configuration files, and view
configurations after the router starts.
Pre-configuration Tasks
Before managing configuration files, complete the following task:
Data Preparation
To manage configuration files, you need the following data.
No. Data
Number of the start line from which the comparison of the configuration files begins
Procedure
l
WARNING
If an LPU is not running on the router, related configurations may be lost when the system
automatically saves the configuration file.
1.
Run:
autosave interval { time } | { value } | { configuration time }
By default, the interval at which the system saves the configuration file is 0
seconds, indicating that the system does not save the configuration file
automatically.
After automatic configuration saving is enabled, the default interval is 30 minutes
if time is not specified.
Context
The configuration file needs to be cleared in the following cases:
• The system software does not match the configuration file after the router has been upgraded.
• The configuration file is destroyed or an incorrect configuration file has been loaded.
Run the reset saved-configuration command to clear the currently loaded configuration
file.
Procedure
If the configuration file used for the current startup is the same as that used for the next startup, running the reset saved-configuration command clears both configuration files. The router then uses the default configuration file for the next startup.
If the configuration file used for the current startup is different from that used for the next startup, running the reset saved-configuration command clears the configuration file used for the current startup.
If the configuration file used for the current startup is empty, the system prompts that the configuration file does not exist after you run the reset saved-configuration command.
If you do not run the startup saved-configuration configuration-file command to specify a new, correct configuration file, or do not run the save command to save the configuration after the configuration file is cleared, the router uses the default configuration file at the next startup.
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
compare configuration [ configuration-file [ current-line-number save-line-number ] ]
The current configuration is compared with the configuration file for next startup.
If no parameter is set, the comparison begins with the first lines of the configuration files. current-line-number and save-line-number specify the lines from which the comparison continues, so that differences already found between the configuration files can be skipped.
When comparing differences between the configuration files, the system displays the contents
of the current configuration file and saved configuration file from the first different line. By
default, 120 characters are displayed for each configuration file. If the number of characters from
the first different line to the end is less than 120, the contents after the first different line are all
displayed.
In comparing the current configurations with the configuration file for next startup, if the
configuration file for next startup is unavailable or its contents are null, the system prompts that
reading files fails.
----End
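To make the comparison semantics concrete, here is an added Python model (not the router's own implementation) of what the command description above says: scan both files from the given start lines, report the first differing line, show at most 120 characters of each file from that line, and fail when the next-startup file is missing or empty. The sample configurations are constructed.

```python
# Added model of the compare configuration semantics described above; not router code.
DISPLAY_CHARS = 120  # default number of characters shown per file from the first difference


def first_difference(current, saved, current_line=1, save_line=1):
    """Return 1-based (current_line_no, save_line_no) of the first pair of lines that
    differ, scanning from current_line and save_line, or None if the files match.
    Starting past line 1 is how the command lets you skip a difference already found."""
    i, j = current_line - 1, save_line - 1
    while i < len(current) and j < len(saved):
        if current[i] != saved[j]:
            return (i + 1, j + 1)
        i, j = i + 1, j + 1
    # One file ran out first: its missing trailing lines count as a difference.
    if i < len(current) or j < len(saved):
        return (i + 1, j + 1)
    return None


def compare_configuration(current, saved, current_line=1, save_line=1,
                          width=DISPLAY_CHARS):
    """Model of 'compare configuration [ file [ current-line-number save-line-number ] ]'.
    Returns None when both configurations match from the given start lines, otherwise a
    dict with the differing line numbers and up to `width` characters of each file
    starting at its first differing line."""
    if not saved:
        # Guide: if the next-startup file is unavailable or empty, reading it fails.
        raise FileNotFoundError("Error: reading the configuration file for next startup fails")
    diff = first_difference(current, saved, current_line, save_line)
    if diff is None:
        return None
    cur_no, sav_no = diff
    return {
        "current_line": cur_no,
        "save_line": sav_no,
        "current": "\n".join(current[cur_no - 1:])[:width],
        "saved": "\n".join(saved[sav_no - 1:])[:width],
    }


# Constructed sample: the running configuration and the saved next-startup file.
CURRENT_CONFIG = [
    "#",
    "sysname SSH Server",
    "#",
    "aaa",
    " local-user client001 service-type sftp",
    "#",
    "return",
]
SAVED_CONFIG = [
    "#",
    "sysname Huawei",
    "#",
    "aaa",
    "#",
    "return",
]


def demo():
    first = compare_configuration(CURRENT_CONFIG, SAVED_CONFIG)
    # Skip the sysname difference by restarting the comparison at line 3 of both files.
    second = compare_configuration(CURRENT_CONFIG, SAVED_CONFIG,
                                   current_line=3, save_line=3)
    return first, second


if __name__ == "__main__":
    for result in demo():
        print("current line", result["current_line"], "/ saved line", result["save_line"])
        print(result["current"], "\n---\n", result["saved"], "\n")
```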
Prerequisites
The configurations for managing configuration files are complete.
Procedure
• Run the dir [ /all ] [ filename ] [ device-name ] command to check files saved in the storage device.
• Run the display autosave configuration command to view configurations of the autosave function, including the status of the autosave function and time for autosave check.
• Run the display this command to view configurations in the current view.
----End
Example
Run the display startup command to check files for startup.
<Huawei> display startup
MainBoard:
  Startup system software:                   usb0:/ar0210_30735_1220.cc
  Next startup system software:              usb0:/ar0210_30735_1220.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/arcfg.cfg
  Next startup saved-configuration file:     flash:/arcfg.cfg
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null
Applicable Environment
To enable the router to provide user-defined configurations during the next startup, you need to
correctly specify the system software and configuration file for the next startup.
Pre-configuration Tasks
Before specifying a file for system startup, complete the following task:
Data Preparation
To specify a file for system startup, you need the following data.
7.3.2 Configuring System Software for a Router to Load for the Next Startup
If you need to upgrade system software of a router, you can specify the router system software
to be loaded at the next startup.
Context
The system will continue to load the current system software at each startup until different system
software is specified for the next system startup. To change system software for the next startup,
you need to specify the system software you require.
The filename extension of the system software must be .cc and the file must be stored in the root
directory of a storage device.
Procedure
Step 1 Run:
startup system-software filename
The AR150/200 system software to be loaded at the next startup of the router is configured.
----End
Context
Run the display startup command on the router to check whether a specific configuration file
is set to be loaded at the next startup. If a specific configuration file is not specified, the default
configuration file will be loaded at the next startup.
The filename extension of the configuration file must be .cfg or .zip, and the file must be stored
in the root directory of a storage device.
When the router is powered on, it reads the configuration file from the flash memory by default
to initialize. The data in this configuration file is the initial configuration. If no configuration
file is saved in the flash memory, the router uses default parameters to initiate.
Procedure
• Run:
startup saved-configuration configuration-file
Prerequisites
A configuration file has been specified for system startup.
Procedure
• Run the display saved-configuration [ last | time ] command to check the contents of the configuration file to be loaded at next startup.
• Run the display startup command to check information about the files to be used at next startup.
----End
Example
Run the display startup command to check information about the files to be used at next startup.
<Huawei> display startup
MainBoard:
  Startup system software:                   usb0:/ar0210_30735_1220.cc
  Next startup system software:              usb0:/ar0210_30735_1220.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/arcfg.zip
  Next startup saved-configuration file:     flash:/arcfg.zip
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null
Networking Requirements
After the router is configured, new configurations take effect at next system startup.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Specify the configuration file to be loaded at the next startup of the router.
3.
Specify the system software to be loaded at the next startup of the router.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
<Huawei> display startup
MainBoard:
  Startup system software:                   usb0:/ar0312.cc
  Next startup system software:              usb0:/ar0312.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          flash:/iascfg.zip
  Next startup saved-configuration file:     flash:/iascfg.zip
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null
The system asks you whether you want to save the current configuration to the file named
arcfg.cfg on the main control board. Enter y to save the configuration.
Step 3 Specify the configuration file to be loaded at the next startup of the router.
<Huawei> startup saved-configuration usb0:/arcfg.cfg
Step 4 Specify the system software to be loaded at the next startup of the router.
Specify the system software to be loaded at the next startup of the main control board.
<Huawei> startup system-software usb0:/arsoft.cc
NOTE
The software package arsoft.cc has been loaded to the AR150/200. For details on how to upload the
software package, see 6.3 Managing Files Using FTP.
  Startup system software:                   usb0:/ar0312.cc
  Next startup system software:              usb0:/arsoft.cc
  Backup system software for next startup:   null
----End
Configuration Files
None.
Figure 8-1: PC, Network, Server; Network, Client
As shown in Figure 8-1, when you run a terminal emulation or Telnet program on a PC to
connect to the router, the router can still function as a client to access another device on the
network. There are several ways to accomplish this.
Telnet server: You can run the Telnet client program on a PC to log in to a router to complete
configuration and management tasks. The router acts as a Telnet server.
Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the router. You can then run the telnet command to log in to other
routers to configure and manage them. As shown in Figure 8-2, Router A serves as both a
Telnet server and a Telnet client.
Figure 8-2 Telnet client services (PC, Telnet Session 1, RouterA, Telnet Session 2, RouterB; Telnet Server)
is the client of Router B and Router B is the client of Router C. Figure 8-3 illustrates the
usage of shortcut keys.
Figure 8-3 Usage of Telnet shortcut keys (Telnet Session 1, Telnet Session 2; Telnet Client, Telnet Server; RouterA, RouterB, RouterC)
If a router becomes disconnected from the network, these shortcut keys are invalid. Instructions
cannot be sent to the server.
CAUTION
If remote login users are using all of the maximum number of VTY user interfaces allowed,
the system prompts that all user interfaces are in use and does not allow additional Telnet
logins.
FTP can transmit files between hosts and it provides users with common FTP commands for file
system management. That is, using an FTP client program not residing on the router, you can
upload or download the files and access the directories on the router; using an FTP client program
residing on the router, you can transfer files to the FTP servers of other devices.
FTP can transmit files between local and remote hosts, and is widely used for version upgrade,
log downloading, file transmission, and configuration saving.
At present, the AR150/200 can only serve as a TFTP client and can only transfer files in binary
format.
SSH Overview
When users on an insecure network use Telnet to log in to the router, the Secure Shell (SSH)
feature provides authentication and keeps data secure. SSH defends the router from IP address
spoofing and other such attacks, and protects the router against the interception of plain text
passwords.
The SSH client function allows users to establish SSH connections with routers serving as SSH
servers or with UNIX hosts.
STelnet client
STelnet is short for Secure Telnet.
Telnet does not provide secure authentication, and TCP transmits data in plain text. This creates security vulnerabilities. Denial of service (DoS) attacks, host IP address spoofing, and route spoofing also threaten system security. Telnet services are vulnerable to network attacks.
SSH implements secure remote access on insecure networks and has the following advantages compared with Telnet:
• SSH supports RSA authentication. SSH uses RSA authentication to generate and exchange public and private keys under an asymmetric encryption system that protects session security.
• SSH supports the Data Encryption Standard (DES), 3DES, and AES encryption algorithms.
• SSH usernames and passwords are encrypted in communication between an SSH client and server. This prevents password interception.
• SSH encrypts transmitted data.
If the STelnet server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
• SFTP client
SFTP is short for Secure FTP. You can log in to a device from a secure remote end to
manage files. This improves data transmission security when the remote system is updated.
The client function allows you to use SFTP to log in to the remote device for secure file
transmission.
If the SFTP server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
Applicable Environment
Figure 8-4 Networking diagram for accessing another device from the device that you have logged in to (PC, Network, RouterA, Network, RouterB)
As shown in Figure 8-4, you can use Telnet to log in to Router A from a PC. You cannot,
however, manage Router B remotely, because there is no reachable route between the PC and
Router B. To manage Router B remotely, you must use Telnet to log in to it from Router A.
In this situation, Router A functions as a Telnet client and Router B functions as a server.
Pre-configuration Tasks
Before using Telnet to log in to another device on the network, complete the following tasks:
Data Preparation
To log in to another device by using Telnet, you need the following data:
No. Data
Number of the TCP port used by Router B to provide Telnet services
Context
An IP address is configured for an interface on the router and functions as the source IP address
of a Telnet connection. This allows for implementation of security checks.
The source of a client can be a source interface or a source IP address.
Do as follows on a router that functions as a Telnet client.
Procedure
Step 1 Run:
system-view
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.
Do as follows on the router that serves as a Telnet client:
Procedure
• Select and perform one of the following two steps for IPv4 or IPv6.
Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] hostname [ port-number ]
Prerequisites
All configurations for logging in to another device are complete.
Procedure
• Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<Huawei> display tcp status
TCPCB     Tid/Soid  Local Add:port        Foreign Add:port      VPNID   State
39952df8  36 /1509  0.0.0.0:0             0.0.0.0:0             0       Closed
32af9074  59 /1     0.0.0.0:21            0.0.0.0:0             14849   Listening
34042c80  73 /17    10.164.39.99:23       10.164.6.13:1147              Established
Applicable Environment
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device that you have logged in to functions as a Telnet client, and the
device that you want to log in to functions as an SSH server.
Pre-configuration Tasks
Before logging in to another device by using STelnet, complete the following tasks:
Data Preparation
To log in to another device using STelnet, you need the following data.
No. Data
Name of the SSH server, and public key that is assigned by the client to the SSH server
IPv4 address or host name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm for data from the SFTP client to the SSH server, preferred encryption algorithm for data from the SSH server to the SFTP client, preferred HMAC algorithm for data from the SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH server to the SFTP client, preferred algorithm of key exchange
The user information for logging in to the SSH server
Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA public key when logging in to the SSH server for the first time. After the
login, the system automatically allocates the RSA public key and saves it for authentication at
next login.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
• The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when an STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA public key of the SSH server.
• If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled on the SSH client, the STelnet client fails the RSA public key validity check and cannot log in to the server.
TIP
To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA
public key in advance to the SSH server on the SSH client in addition to enabling first-time authentication
on the SSH client.
----End
Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA public key validity
check and cannot log in to the server. You must allocate an RSA public key to the SSH server
before the STelnet client logs in to the SSH server.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
• The RSA public key assigned to the SSH server must be generated on the server. Otherwise, the validity check for the RSA public key on the STelnet client will fail.
• After entering the public key edit view, paste the RSA public key generated on the server to the router that functions as the client.
Step 5 Run:
public-key-code end
• If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.
• If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.
Step 6 Run:
peer-public-key end
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run
the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH
server.
----End
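The two preceding sections describe the client's RSA public key check from both sides: with first-time authentication enabled the first login is accepted and the key is saved; with it disabled, a key must be assigned in advance; and an invalid stored key is replaced by undoing and re-running the assignment. The following Python model is an added example, not router code: it assumes nothing about the device's storage format, and the key material and the name "SSH Server" are constructed.

```python
# Added model of the STelnet client's server-key handling described above; not router code.
import hashlib
from dataclasses import dataclass, field


@dataclass
class SshClientKeyStore:
    """Minimal model of an SSH client's view of its servers' RSA public keys.

    `first_time_authentication` models the first-time authentication switch: when no
    key is assigned to a server yet, the first login is accepted and the presented key
    is saved for checking at later logins. When disabled, a server with no assigned key
    is rejected until a key is assigned in advance."""
    first_time_authentication: bool = False
    # server name -> fingerprint of the RSA public key assigned to that server
    assigned: dict = field(default_factory=dict)

    @staticmethod
    def fingerprint(pubkey_hex: str) -> str:
        # Compare a digest of the key material rather than the raw key bytes.
        return hashlib.sha256(bytes.fromhex(pubkey_hex)).hexdigest()

    def assign_key(self, server: str, pubkey_hex: str) -> None:
        """Model of assigning a server's RSA public key on the client in advance;
        the key has to be the one generated on that server."""
        self.assigned[server] = self.fingerprint(pubkey_hex)

    def unassign_key(self, server: str) -> None:
        """Model of cancelling the association when the stored key has become invalid."""
        self.assigned.pop(server, None)

    def connect(self, server: str, presented_pubkey_hex: str) -> str:
        """The validity check the client performs on the key the server presents at login."""
        presented = self.fingerprint(presented_pubkey_hex)
        known = self.assigned.get(server)
        if known is None:
            if not self.first_time_authentication:
                return "rejected: no RSA public key assigned to this server"
            self.assigned[server] = presented
            return "accepted: first login, RSA public key saved"
        if known != presented:
            return "rejected: RSA public key does not match the assigned key"
        return "accepted"


# Constructed hex key material standing in for two different server RSA public keys.
SERVER_KEY_V1 = "30" + "a1" * 63
SERVER_KEY_V2 = "30" + "b2" * 63


def scenario_first_time_disabled():
    """No key assigned and first-time authentication off: login fails until a key is assigned."""
    client = SshClientKeyStore(first_time_authentication=False)
    before = client.connect("SSH Server", SERVER_KEY_V1)
    client.assign_key("SSH Server", SERVER_KEY_V1)
    after = client.connect("SSH Server", SERVER_KEY_V1)
    return before, after


def scenario_first_time_enabled():
    """First-time authentication on: the first login is trusted and its key saved, so a
    different key presented later (impostor, or a legitimate server key change) is rejected
    until the association is undone and the new key assigned."""
    client = SshClientKeyStore(first_time_authentication=True)
    first = client.connect("SSH Server", SERVER_KEY_V1)
    same = client.connect("SSH Server", SERVER_KEY_V1)
    changed = client.connect("SSH Server", SERVER_KEY_V2)
    client.unassign_key("SSH Server")
    client.assign_key("SSH Server", SERVER_KEY_V2)
    recovered = client.connect("SSH Server", SERVER_KEY_V2)
    return first, same, changed, recovered


if __name__ == "__main__":
    print(scenario_first_time_disabled())
    print(scenario_first_time_enabled())
```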
Context
When accessing an SSH server, the STelnet client can carry the source address and choose the
key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure the keepalive
function.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
Prerequisites
The configurations for logging in to another device by using STelnet are complete.
Procedure
• Run the display ssh server status command to view the status of the SSH server.
----End
Example
Run the display ssh server status command to view the status of the SSH server.
<Huawei> display ssh server status
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP Server                        :Enable
Applicable Environment
You can use TFTP in a simple interactive environment to transfer files between a server and a client.
The current Router functions as a TFTP client, and the Router to be accessed functions as a TFTP server.
Pre-configuration Tasks
Before configuring access to another device using TFTP, complete the following tasks:
Data Preparation
To access another device using TFTP, you need the following data.
No. Data
(Optional) Source address or source interface of the router that functions as a TFTP client
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Name of the specific file in the TFTP server and the file directory
Context
An IP address is configured for an interface on the router and functions as the source IP address
of a TFTP connection. This allows implementation of security checks.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as a TFTP client.
Procedure
Step 1 Run:
system-view
Context
An Access Control List (ACL) is a set of sequential rules. These rules are described based on
the source address, destination address, and port number of a packet. Routers use the ACL rules
to filter packets. With the rule applied to the interface on a router, the router permits or denies
the packets.
Each ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,
and advanced ACL based on the functions of ACL rules.
NOTE
TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).
Procedure
Step 1 Run:
system-view
By default, the deny action is taken for all packets that match no rule in the ACL. To allow packets to pass through, define a permit action in the ACL. For example, to discard only packets with the source IP address 10.1.1.10, define two rules in the ACL:
• rule deny source 10.1.1.10 0
• rule permit source any
If rule permit source any is not defined, packets whose source IP address is not 10.1.1.10 are also discarded.
Step 4 Run:
quit
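The note above is a classic implicit-deny mistake, and it is easy to reason about with a small model of basic-ACL matching: rules are tried in ascending step order, the first match decides, and a packet that matches nothing is denied. The Python below is an added example, not router code; it goes slightly beyond the note by also handling wildcard masks and showing how a permit-any with a lower step shadows a later deny. The ACLs and sample addresses are constructed.

```python
# Added model of basic-ACL matching as described in the note above; not router code.
import ipaddress

ANY_WILDCARD = 0xFFFFFFFF  # all bits "don't care": matches every source address


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_rule(text: str):
    """Parse one basic-ACL rule line into (step, action, address, wildcard).

    Accepted forms (as they appear in the guide's examples):
      rule 5 deny source 10.1.1.10 0    -> exact host match (wildcard 0)
      rule 10 permit source any         -> matches every source
      rule 10 permit                    -> no source given: matches every source
    A wildcard mask is the inverse of a netmask: 1 bits are "don't care"."""
    tok = text.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a basic ACL rule: {text!r}")
    step, action = int(tok[1]), tok[2]
    if len(tok) == 3 or tok[4] == "any":
        return step, action, 0, ANY_WILDCARD
    if tok[3] != "source" or len(tok) != 6:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    wildcard = 0 if tok[5] == "0" else _ip(tok[5])
    return step, action, _ip(tok[4]), wildcard


def matches(rule, src_ip: str) -> bool:
    _, _, address, wildcard = rule
    # Bits set in the wildcard are ignored; every other bit must equal the rule address.
    return ((_ip(src_ip) ^ address) & ~wildcard & ANY_WILDCARD) == 0


def acl_action(rule_lines, src_ip: str) -> str:
    """Return 'permit' or 'deny' for a packet with source src_ip.

    Rules are checked in ascending step order and the first match decides; a packet
    matching no rule takes the default deny action, which is why an ACL containing
    only 'rule deny source 10.1.1.10 0' discards traffic from every other source."""
    rules = sorted((parse_rule(line) for line in rule_lines), key=lambda r: r[0])
    for rule in rules:
        if matches(rule, src_ip):
            return rule[1]
    return "deny"


# Constructed ACLs: the incomplete one from the note, the corrected one, and two variants.
ACL_DENY_ONLY = ["rule 5 deny source 10.1.1.10 0"]
ACL_CORRECT = ["rule 5 deny source 10.1.1.10 0", "rule 10 permit source any"]
# Ordering matters: a permit-any with a lower step shadows the later deny entirely.
ACL_SHADOWED = ["rule 5 permit source any", "rule 10 deny source 192.168.1.0 0.0.0.255"]
ACL_SUBNET = ["rule 5 deny source 192.168.1.0 0.0.0.255", "rule 10 permit"]

SAMPLE_SOURCES = ["10.1.1.10", "10.1.1.20", "192.168.1.77", "172.16.0.9"]


def evaluate(acl):
    """Map each sample source address to the action the ACL takes on it."""
    return {ip: acl_action(acl, ip) for ip in SAMPLE_SOURCES}


if __name__ == "__main__":
    for name, acl in [("deny only", ACL_DENY_ONLY), ("corrected", ACL_CORRECT),
                      ("shadowed", ACL_SHADOWED), ("subnet", ACL_SUBNET)]:
        print(f"{name:10}", evaluate(acl))
```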
Procedure
• Run the following command according to the type of the server IP address.
If the server has an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net ] get source-filename [ destination-filename ]
Procedure
• Run the following command according to the type of the server IP address.
If the server has an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net ] put source-filename [ destination-filename ]
Prerequisites
Configurations for using the device as a TFTP client are complete.
Procedure
• Run the display tftp-client command to check the device address that is set to the source address of the TFTP client.
• Run the display acl { name acl-name | acl-number | all } command to check the ACL rule that is configured on the TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<Huawei> display tftp-client
Info: The source address of TFTP client is 1.1.1.1.
Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is configured on the TFTP client.
<Huawei> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
rule 5 deny source 10.1.1.10 0
rule 10 permit
Applicable Environment
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the router that you have logged in to as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.
Pre-configuration Tasks
Before configuring the use of FTP to access files on another device, complete the following
tasks:
• Configuring a reachable route between the router and the FTP server
Data Preparation
To configure the use of FTP to access files on another device, you need the following data:
- Host name or IP address of the FTP server, port number for the FTP connection, login username and password
- Local file names and file names on the remote FTP server, name of the working directory on the remote FTP server, name of the working directory on the local FTP client, or directory name on the remote FTP server
Prerequisites
An IP address is configured for an interface on the router and functions as the source IP address
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.
Procedure
Step 1 Run:
system-view
Context
You can log in to the FTP server in the user view or the FTP view.
Do as follows on the router that serves as the client:
Procedure
1. Run:
open [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ vpn-instance vpn-instance-name ]
Or, run:
open ipv6 host-ipv6-address [ port-number ]
Context
After logging in to an FTP server, you can perform the following operations:
- Configure a data type for transmission files and a file transmission method.
- Check the online help about FTP commands in the FTP client view.
- Upload local files to the remote FTP server, or download files from the FTP server and save them locally.
- Display information about a specified remote directory or a file of the FTP server, or delete a specified file from the FTP server.
After logging in to the router that functions as a client and entering the FTP client view, you can
perform the following steps:
Procedure
NOTE
FTP supports both ASCII and binary files. Their differences are as follows:
- In ASCII transmission mode, ASCII characters are used to separate carriage returns from line feeds.
- In binary transmission mode, characters can be transferred without format conversion or formatting.
Clients can select an FTP transmission mode as required. The system defaults to the ASCII transmission mode. The client can use a mode switch command to switch between the ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
Run:
passive
The FTP file is downloaded from the FTP server and saved to the local file.
- Run one or more of the following commands to manage directories.
Run:
cd pathname
The working path of the FTP server is switched to the upper-level directory.
Run:
pwd
- A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
- When running the mkdir /abc command, you create a sub-directory named "abc".
Context
If you are logged in to the AR150/200 functioning as an FTP client, you can switch to a different
username and log in to the FTP server without logging out of the FTP client view. The FTP
connection established in this way is identical to that established by running the ftp command.
Perform the following steps on the router that functions as a client:
Procedure
- Run:
user user-name [ password ]
The user that logged in to the FTP server earlier is changed and the new user logs in to the
server.
When the username that is used to log in to the FTP server is changed, the original
connection between the user and the FTP server is interrupted.
----End
Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.
Do as follows on the router that serves as the client.
Procedure
- Run one of the following commands:
quit
Or,
disconnect
Prerequisites
The configurations for accessing other devices using FTP are complete.
Procedure
- Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
Applicable Environment
SFTP is a secure FTP protocol. SFTP is based on SSH. It allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
router that functions as an SFTP client.
Pre-configuration Tasks
Before configuring the use of SFTP to access files on another device, complete the following
tasks:
Data Preparation
To use SFTP to access files on another device, you need the following data:
- (Optional) Source address of the device that functions as the SFTP client
- (Optional) Public key that is assigned by the client to the SSH server
- Number of the port monitored by the SSH server, preferred encryption algorithm for data from the SFTP client to the SSH server, preferred encryption algorithm for data from the SSH server to the SFTP client, preferred HMAC algorithm for data from the SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH server to the SFTP client, preferred key exchange algorithm, name of the outgoing interface, source address
- User information for logging in to the SSH server
Context
An IP address is configured for an interface on the router and functions as the source IP address
of an FTP connection. This allows implementation of security checks.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as an SFTP client.
Procedure
Step 1 Run:
system-view
Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA public key when logging in to the SSH server for the first time. After the
login, the system automatically allocates the RSA public key and saves it for authentication at
next login.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
NOTE
- The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when an STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA public key of the SSH server.
- If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled on the SSH client, the STelnet client fails the RSA public key validity check and cannot log in to the server.
TIP
To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA public key for the SSH server in advance on the SSH client, in addition to enabling first-time authentication on the SSH client.
----End
Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA public key validity check
and cannot log in to the server.
Do as follows on the router functioning as an SSH client:
Procedure
Step 1 Run:
system-view
NOTE
- The RSA public key assigned to the SSH server must be generated on the server. Otherwise, the validity check for the RSA public key on the STelnet client will fail.
- After entering the public key edit view, paste the RSA public key generated on the server into the router that functions as the client.
Step 5 Run:
public-key-code end
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run
the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH
server.
----End
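To make the behaviour described in the two contexts above concrete (first-time authentication versus a pre-assigned server key, and re-assigning a key that has become invalid), here is an added Python model that is not part of the original guide; the server name sshserver, the key byte strings and the decision strings are constructed placeholders of this model, not device output.

```python
import hashlib
from typing import Dict, List


def key_fingerprint(public_key: bytes) -> str:
    """SHA-256 over the raw public key bytes; this is what the store compares."""
    return hashlib.sha256(public_key).hexdigest()


class SshClientKeyStore:
    """Client-side store of server RSA public keys, modelling the text above:
    with first-time authentication enabled the client accepts and saves an
    unknown server key on the first login; with it disabled, an unknown key is
    rejected unless it was assigned in advance."""

    def __init__(self, first_time_enabled: bool = False) -> None:
        self.first_time_enabled = first_time_enabled   # 'ssh client first-time enable'
        self._saved: Dict[str, str] = {}               # server name -> fingerprint

    def assign_key(self, server: str, public_key: bytes) -> None:
        """'ssh client <server> assign rsa-key <keyname>': pre-load a key that
        was generated on the server and pasted into the client."""
        self._saved[server] = key_fingerprint(public_key)

    def revoke_assignment(self, server: str) -> None:
        """'undo ssh client <server> assign rsa-key': drop a key that became invalid."""
        self._saved.pop(server, None)

    def check_server_key(self, server: str, presented_key: bytes) -> str:
        """Decision for one login attempt. The only path that trusts an unverified
        key is the first-time path; every later login is checked against the
        saved key, so a changed key is rejected regardless of the setting."""
        presented = key_fingerprint(presented_key)
        saved = self._saved.get(server)
        if saved is None:
            if self.first_time_enabled:
                self._saved[server] = presented      # saved for the next login
                return "accepted-first-time-saved"
            return "rejected-no-saved-key"
        return "accepted" if saved == presented else "rejected-key-mismatch"


# Constructed stand-ins for encoded RSA public keys (not real keys).
SERVER_KEY = b"constructed-rsa-public-key-of-sshserver"
OTHER_KEY = b"constructed-different-rsa-public-key"


def login_sequence(first_time_enabled: bool, preassign: bool) -> List[str]:
    """Three logins to 'sshserver': genuine key, genuine key again, then a
    different key (as when the server key was regenerated or another host answers)."""
    store = SshClientKeyStore(first_time_enabled)
    if preassign:
        store.assign_key("sshserver", SERVER_KEY)
    return [
        store.check_server_key("sshserver", SERVER_KEY),
        store.check_server_key("sshserver", SERVER_KEY),
        store.check_server_key("sshserver", OTHER_KEY),
    ]


def rekey_sequence() -> List[str]:
    """Handling an invalid saved key: revoke the assignment, assign the new
    key, then log in again (the sequence in the note after Step 5 above)."""
    store = SshClientKeyStore(first_time_enabled=False)
    store.assign_key("sshserver", SERVER_KEY)
    before = store.check_server_key("sshserver", OTHER_KEY)
    store.revoke_assignment("sshserver")
    store.assign_key("sshserver", OTHER_KEY)
    after = store.check_server_key("sshserver", OTHER_KEY)
    return [before, after]


if __name__ == "__main__":
    print("first-time off, no key :", login_sequence(False, False))
    print("first-time on          :", login_sequence(True, False))
    print("key assigned in advance:", login_sequence(False, True))
    print("re-assign invalid key  :", rekey_sequence())
```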
Context
The command for enabling the SFTP client is similar to the STelnet command. When accessing the SSH server, the SFTP client can carry the source address and the VPN instance name, select the key exchange, encryption and HMAC algorithms, and configure the keepalive function.
Do as follows on the router that serves as an SSH client.
Procedure
Step 1 Run:
system-view
Context
After logging in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:
- Create or delete directories on the SSH server, display the current working directory, or display the specified directory and information about the file in the specified directory.
- Change file names, delete files, display a file list, and upload or download files.
After logging in to the router that functions as an SSH client and entering the SFTP client view,
you can perform the following steps:
Procedure
- Manage directories.
Perform the following steps as required:
Run:
cd [ remote-directory ]
- Manage files.
Perform the following steps as required:
Run:
rename old-name new-name
Prerequisites
The configuration for using SFTP to access files on another device is complete.
Procedure
- Run the display sftp-client command to check the source IP address of the SFTP client on the SSH client.
----End
Example
Run the display sftp-client command on the client to view the source parameters of the device
functioning as an SFTP client.
<Huawei> display sftp-client
Info: The source address of SFTP client is 1.1.1.1
Networking Requirements
As shown in Figure 8-5, Router A and Router B can ping each other. A user logs in to Router
B from Router A using Telnet.
Figure 8-5 Networking diagram for configuring user login with Telnet services: RouterA (Eth1/0/0, 1.1.1.1/24) connected to RouterB (Eth1/0/0, 1.1.1.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure passwords for users to log in to Router B from Router A using Telnet.
3. Configure a Telnet server port number on Router B so that users log in through a single specific port only.
Data Preparation
To complete the configuration, you need the following data:
- User level 15
Procedure
Step 1 Configure IP addresses.
# Configure Router A.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.1 24
[RouterA-Ethernet1/0/0] quit
[RouterA] quit
# Configure Router B.
<Huawei> system-view
[Huawei] sysname RouterB
Step 2 Configure the authentication mode and password for Telnet services on Router B.
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
[RouterB-ui-vty0-4] set authentication password simple hello
[RouterB-ui-vty0-4] quit
To configure an ACL for Telnet services, run the following commands on Router B.
[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound
Step 5 Use the port number 1028 to log in to Router B from Router A using Telnet.
<RouterA> telnet 1.1.1.2 1028
Press CTRL_] to quit telnet mode
Trying 1.1.1.2 ...
Connected to 1.1.1.2 ...
Login authentication
Password:
<RouterB>
----End
Configuration Files
Networking Requirements
As shown in Figure 8-6, after the STelnet service is enabled on the SSH server, the STelnet
client can use the password, RSA, password-rsa, or all authentication mode to log in to the SSH
server.
Configure two login clients:
- Configure Client001 with the password huawei and use the password authentication mode.
- Configure Client002, use the RSA authentication mode, and assign the public key RsaKey001 to this client.
Figure 8-6 Networking diagram: SSH Server (Eth1/0/0, 10.164.39.222/24), Client001 (Eth1/0/0, 10.164.39.220/24), Client002 (Eth1/0/0, 10.164.39.221/24)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Generate the local key pairs on the STelnet client and the SSH server.
3. Generate the RSA public key on the SSH server and bind the RSA public key of the SSH client to Client002.
4.
5. Users Client001 and Client002 log in to the SSH server using STelnet.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Generate a local key pair on the SSH server.
<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
[SSH Server] aaa
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server] ssh
Step 4 Bind the RSA public key of the SSH client to Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
<Huawei> system-view
[Huawei] sysname client001
[client001] ssh client first-time enable
<Huawei> system-view
[Huawei] sysname client002
[client002] ssh client first-time enable
# Log in to the SSH server from Client001 in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
Enter the password huawei. The following information indicates that the login succeeded.
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>
------------------------------------------------------------------------------
Username              Auth-type        User-public-key-name
------------------------------------------------------------------------------
client001             password         null
client002             rsa              RsaKey001
-------------------------------------------------------------------------------
----End
Configuration Files
Networking Requirements
As shown in Figure 8-7, the IP address of the TFTP server is 10.111.16.160/24.
Log in to the router from the HyperTerminal and then download the file ar.cc from the TFTP
server.
Figure 8-7 Networking diagram of configuring TFTP: PC, TFTP client (the router), TFTP server (10.111.16.160/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Start the TFTP server and set its Current Directory to the directory where the ar.cc file resides.
Figure 8-8 shows the interface.
NOTE
The display on your computer may be different, depending on the TFTP server application you are running.
Step 2 Log in to the router from the computer HyperTerminal and enter the following command to
download a file.
<Huawei> tftp 10.111.16.160 get ar.cc flash:/
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
69143936 bytes received in 42734 second.
TFTP: Downloading the file successfully.
Step 3 Run the dir command to check whether the downloaded file is saved in the directory specified
on the router.
<Huawei> dir flash:/
Directory of flash:/
  Idx  Attr   Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-    1,738,816  Mar 28 2011 17:00:24   web.zip
    1  -rw-          396  Feb 11 2008 14:34:17   rsa_host_key.efs
    2  -rw-          540  Feb 11 2008 14:35:10   rsa_server_key.efs
    3  -rw-        1,498  Apr 01 2011 09:49:37   iascfg.zip
    4  -rw-      525,337  Apr 01 2011 09:50:00   private-data.txt
    5  -rw-        1,215  Mar 26 2011 11:32:27   iascfg_autobackup.zip
    6  -rw-    1,703,936  Feb 27 2008 10:00:10   ar_smk2.cc
    7  drw-            -  Mar 07 2008 15:44:46   dd
    8  -rw-   69,143,936  Mar 28 2008 07:34:54   ar.cc
    9  -rw-        8,996  Apr 07 2008 14:56:24   1.cap
   10  -rw-        5,602  May 27 2011 13:59:31   ab.cap
   11  -rw-          220  Mar 28 2011 16:51:16   elab.txt
   12  -rw-        1,686  Mar 28 2011 17:04:53   lic_ar.dat
Step 4 Log in to the router from the computer HyperTerminal and enter the following command to
upload a file.
----End
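The upgrade notes later in this chapter require that the size of the transferred system file on the router equal its size on the PC. As an added example that is not part of the original guide, the following Python parses the tftp transfer summary and the dir listing from the example above (the listing as reconstructed here) and compares both against a PC-side size, which is a constructed input.

```python
import re
from typing import Dict, Optional

# Transfer summary line as printed by 'tftp ... get' in the example above.
RECEIVED_RE = re.compile(r"(\d+)\s+bytes\s+received")

# One row of 'dir' output; directories show '-' in the size column.
DIR_ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<attr>[-d]rw-)\s+(?P<size>[\d,]+|-)\s+"
    r"(?P<date>[A-Za-z]{3}\s+\d{2}\s+\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<name>\S+)\s*$"
)

# Output from the TFTP example on this page.
TFTP_OUTPUT = """\
<Huawei> tftp 10.111.16.160 get ar.cc flash:/
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
69143936 bytes received in 42734 second.
TFTP: Downloading the file successfully.
"""

# 'dir flash:/' listing from the same example.
DIR_OUTPUT = """\
<Huawei> dir flash:/
Directory of flash:/
  Idx  Attr   Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-    1,738,816  Mar 28 2011 17:00:24   web.zip
    1  -rw-          396  Feb 11 2008 14:34:17   rsa_host_key.efs
    2  -rw-          540  Feb 11 2008 14:35:10   rsa_server_key.efs
    3  -rw-        1,498  Apr 01 2011 09:49:37   iascfg.zip
    4  -rw-      525,337  Apr 01 2011 09:50:00   private-data.txt
    5  -rw-        1,215  Mar 26 2011 11:32:27   iascfg_autobackup.zip
    6  -rw-    1,703,936  Feb 27 2008 10:00:10   ar_smk2.cc
    7  drw-            -  Mar 07 2008 15:44:46   dd
    8  -rw-   69,143,936  Mar 28 2008 07:34:54   ar.cc
    9  -rw-        8,996  Apr 07 2008 14:56:24   1.cap
   10  -rw-        5,602  May 27 2011 13:59:31   ab.cap
   11  -rw-          220  Mar 28 2011 16:51:16   elab.txt
   12  -rw-        1,686  Mar 28 2011 17:04:53   lic_ar.dat
"""

# Constructed: size of ar.cc as reported by the PC that served it.
PC_FILE_SIZE = 69143936


def transferred_bytes(tftp_output: str) -> Optional[int]:
    """Byte count from the transfer summary, or None if the line is absent
    (for example when the transfer stopped before completing)."""
    m = RECEIVED_RE.search(tftp_output)
    return int(m.group(1)) if m else None


def parse_dir_listing(dir_output: str) -> Dict[str, Optional[int]]:
    """Map file name -> size in bytes (None for directories). The prompt,
    'Directory of' and header lines do not match the row pattern and are skipped."""
    files: Dict[str, Optional[int]] = {}
    for line in dir_output.splitlines():
        m = DIR_ROW_RE.match(line)
        if m:
            size = m.group("size")
            files[m.group("name")] = None if size == "-" else int(size.replace(",", ""))
    return files


def verify_transfer(expected_size: int, tftp_output: str, dir_output: str,
                    filename: str) -> bool:
    """The check the upgrade notes call for: the transfer summary and the size
    stored on the router must both equal the size of the file on the PC."""
    received = transferred_bytes(tftp_output)
    stored = parse_dir_listing(dir_output).get(filename)
    return received == expected_size and stored == expected_size


if __name__ == "__main__":
    print("ar.cc intact:", verify_transfer(PC_FILE_SIZE, TFTP_OUTPUT, DIR_OUTPUT, "ar.cc"))
```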
8.7.4 Example for Connecting the SFTP Client to the SSH Server
This example shows how to configure an SFTP client to connect to an SSH server. Local key
pairs are generated on the SFTP client and the SSH server, and a public RSA key is generated
on the SSH server and bound to the SFTP client.
Networking Requirements
As shown in Figure 8-9, after the SFTP service is enabled on the SSH server, the SFTP Client
can use the password, RSA, password-rsa, or all authentication mode to log in to the SSH server.
Figure 8-9 Networking diagram for connecting the SFTP client to the SSH server: SSH Server (Eth1/0/0, 10.164.39.222/24), Client001 (Eth1/0/0, 10.164.39.220/24), Client002 (Eth1/0/0, 10.164.39.221/24)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Generate the local key pairs on the SFTP client and the SSH server.
3. Generate the RSA public key on the SSH server and bind the RSA public key of the SSH client to Client002.
4.
5. Configure the service mode and authorization directory for the SSH user.
6.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Generate a local key pair on the SSH server.
<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
[SSH Server] aaa
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server] aaa
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server-aaa]
[SSH Server] ssh
=====================================================
Time of Key pair created: 2007-12-29 16:20:05+08:00
Key name: Server
Key type: RSA encryption Key
=====================================================
Key code:
Step 4 Bind the RSA public key of the SSH client to Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
----End
Configuration Files
peer-public-key end
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
local-user client001 ftp-directory flash:
local-user client002 ftp-directory flash:
#
sftp server enable
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
Return
Networking Requirements
When a RADIUS user is connected to an SSH server, the SSH server sends the username and
password of the SSH client to the RADIUS server (compatible with the TACACS server) for
authentication.
The RADIUS server authenticates the user and sends the result (pass or fail) back to the SSH
server. If authentication succeeded, the user level is sent along with the result. The SSH server
determines whether the SSH client is allowed to set up a connection based on the authentication
result.
Figure 8-10 shows the networking diagram.
Figure 8-10 Networking diagram: SSH Client, SSH Server, RADIUS server (10.164.6.49/24)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4. Generate the local key pair on the SSH client and the SSH server.
5. Generate the RSA public key on the SSH server and bind the RSA public key of the SSH client to ssh2@ssh.com.
6.
7. Configure the service mode and authorization directory of the SSH user.
8. Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and SFTP respectively.
Data Preparation
To complete the configuration, you need the following data:
- RADIUS authentication
Procedure
Step 1 Generate a local key pair on the SSH server.
<Huawei> system-view
[Huawei] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
# Create users ssh1@ssh.com and ssh2@ssh.com on the SSH server and set the authentication
mode.
[Huawei] aaa
[Huawei-aaa]
[Huawei-aaa]
[Huawei-aaa]
[Huawei] ssh
[Huawei] ssh
[Huawei] ssh
# Specify the RADIUS server at 10.164.6.49 as the RADIUS authentication server and set the authentication port number to 1812.
[Huawei-radius-ssh] radius-server authentication 10.164.6.49 1812
# Log in to the SSH server from the STelnet client in RADIUS authentication mode.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username: ssh1@ssh.com
Enter the password huawei. The following information indicates that the login succeeds.
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 2.
<Huawei>
# Log in to the SSH server from the SFTP client in RADIUS authentication mode.
<client> system-view
[client] sftp 10.164.39.222
Please input the username: ssh2@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
sftp-client>
----End
Configuration Files
Configuration file of the SSH server
#
radius-server template ssh
Patch Status    Description
None
Running
Figure (patch status transitions): Patch Status none becomes Patch Status running after Upload and Run patch; Delete patch returns it to Patch Status none.
A log entry is recorded when CPU usage exceeds the configured threshold.
If CPU usage exceeds the threshold, an alarm is generated and logged. You can query the
log to view CPU usage.
A log entry is recorded when memory usage exceeds the configured threshold.
If memory usage exceeds the threshold, an alarm will be generated and logged. You can
query the log to view memory usage.
Immediate restart
Scheduled restart
Applicable Environment
- Before activating a GTL license file, check that the extension of the GTL license file name is .dat.
- After obtaining a GTL license file, use a text editor such as Windows Notepad to check whether the ESN on the MPU is the same as that in the GTL license file.
NOTE
A GTL license file must be one of the two versions, COMM or DEMO.
Version   Period of Validity          Reservation Period
COMM      As defined in a contract
DEMO
The system prompts you with a message each day in the reservation period. If you intend to
continue using the service modules, you need to apply for a new GTL license.
NOTE
The reservation period refers to the number of days for which you can continue to use service modules
after the GTL license expires.
Pre-configuration Tasks
Before activating a GTL license file, complete the following tasks:
Data Preparation
To activate a GTL license file, you need the following data.
Context
Before uploading a GTL license file, run the dir command to check that the storage media has
adequate free space to store the GTL license file.
Procedure
Step 1 Run:
dir device-name
A user who wants to upgrade a GTL license must run the license revoke command to obtain an invalidation
code, and then use this code to apply to Huawei for a new GTL license. This user also needs to load the
new GTL license file to the main control board.
----End
Procedure
- Run:
license active file-name
If you are using a GTL license for the first time, buy the GTL license file from Huawei.
- To upgrade an existing GTL license:
1. Run:
license revoke
Apply to Huawei for a new GTL license by using the invalidation code.
2. Run:
license active file-name
Context
The Emergency state of a GTL license module can be enabled on the router in any of the
following situations:
- A Comm version of the GTL license file has been activated and is in the Normal state.
- A Demo version of the GTL license file has been activated and is in the Demo state.
When the time period for enabling the Emergency state comes to an end, the state can be
enabled again on the final day of the first period.
Procedure
Step 1 Run:
license emergency
----End
Prerequisites
The configurations for activating the GTL license file are complete.
Procedure
- Run the display license command to check information about the GTL license file on the master and slave MPUs.
- Run the display license state command to check the license type.
----End
Example
<Huawei> display license
Active License on master board: flash:/LIC_ON77076_A6D2CE1AEC3_AR.dat
Active license        : flash:/LIC_ON77076_A6D2CE1AEC3_AR.dat
License state         : Demo
Revoke ticket         : No ticket
Product name          : AR
Product version       : V200R002
License file ESN      : AR00050123456789,AR00060123456789,AR00070123456789,AR00080123456789
License Serial No     : LIC20110309010210
Creator               : Huawei Technologies Co., Ltd.
Created Time          : 2011-03-09 19:36:14
Country               : China
Custom                : R&D of Huawei Technologies Co., Ltd.
Office                : Shenzhen
Feature name          : ACCESS
Authorize type        : DEMO
Expired date          : 2011-06-07
Trial days            : 60
Item name             : LLE0IPPBX01
Item type             : Function
Control value         : 1
Used value            : 1
Item state            : Normal
Item expired date     : 2011-06-07
Item trial days       : 60
Description           : LLE0IPPBX01
Applicable Environment
Before upgrading system software, you can select resource files as needed.
NOTE
- Obtain the new system software and relevant upgrade documents from Huawei.
- Different products use different system software versions. For information about particular products, refer to the official Huawei upgrade guide when upgrading a device.
- Enable the logging function to record all operations during the upgrade. This facilitates fault analysis and location in case of an upgrade failure.
- If the device restarts due to incorrect resource file configurations, the device automatically rolls the resource file back to the source version after the restart.
Pre-configuration Tasks
Before upgrading system software, complete the following task:
- Making sure that the router to be upgraded is working properly, and logging in to the router
Data Preparation
To upgrade system software, you need the following data.
- (Optional) New system software, configuration files, license file, and patch file
Procedure
Step 1 Prepare hardware as needed, for example, free up memory space to store new system software
and related upgrade files.
Step 2 Check whether a new GTL license file is required and, if so, obtain it from Huawei.
NOTE
- A new GTL license must be obtained when a device is upgraded to a new R version or V version.
- The new GTL license file must be consistent with the system software.
To view GTL license-controlled features, use a text editor like Windows Notepad to open the
GTL license file. The contents of the Resource and Function fields are the resource and function
items controlled by the GTL license file.
Step 3 Obtain software required for the upgrade. The new system software (.cc file) and relevant
upgrade documents must be obtained from Huawei.
Step 4 In the user view, run the display version command to view the current system software. If the
current system software is the same as or later than new system software, an upgrade is
unnecessary.
Step 5 Run the following commands to check the device operation status:
Run the display memory-usage command in the user view to check the memory usage of MPUs
to ensure that the MPUs are working properly.
Run the display health command in the user view and record the command output. If you cannot
locate faults that have occurred during the upgrade, provide this information to Huawei technical
personnel for troubleshooting.
Step 6 Set up an environment where TFTP or FTP can be used to perform software upgrade. This helps
to back up the original resource files before the upgrade and upload the new resource files
required for the upgrade.
When the system software is upgraded with FTP:
- If the device to be upgraded functions as a client and a PC functions as a server, you must install FTP server software on the PC. You need to purchase and install FTP server software yourself, because the device does not have such software installed by default.
- If the device to be upgraded functions as a server and a PC functions as a client, you do not need to install FTP server software on the PC. By default, the FTP server function on the device to be upgraded is disabled. To enable the function, run the ftp server enable command.
When the system software is upgraded with TFTP, the device to be upgraded can only function
as a client and does not provide the TFTP server function. In this case, you must install TFTP
server software on the PC.
Step 7 Back up important data stored in the storage media on the device to be upgraded.
Step 8 Check that the device storage media has adequate free space to store the new system software
and related upgrade files.
----End
Procedure
- Uploading a system file to the AR150/200 using the AR150/200 as the FTP server and the PC as the FTP client
1.
2. Run the ftp server enable command to enable the FTP server.
3.
4.
5. Run the local-user user-name service-type ftp command to set the service type of the local user to FTP.
6.
7. On the PC (running a Windows operating system, for example), choose Start > Run. Enter cmd and press Enter to open the command line window.
8.
9.
10. Run the binary command on the router to set the file transfer mode to binary.
NOTE
FTP supports two file transfer modes: ASCII and binary. Their differences are as follows:
- The ASCII transfer mode uses ASCII characters and separates carriage returns from line feed characters.
- The binary transfer mode transfers characters without format conversion or formatting.
The client specifies which file transfer mode to use. The default file transfer mode is ASCII transfer. You can use a command to change the file transfer mode. Transfer text files in ASCII mode and binary files in binary mode. When transferring the system file, use the binary mode.
11. Run the put remote-filename [ local-filename ] command to upload the system file
from the PC to the router.
12. Run the dir command on the router to check whether the system file exists in the
current directory.
NOTE
If the size of the system file in the current directory on the router is different from that on the
PC, an error may occur during file transfer. Upload the system file again.
- Uploading a system file to the AR150/200 using the AR150/200 as the FTP client and the PC as the FTP server
1. Run an FTP server program on the PC. This procedure uses WFTPD32 as an example, as shown in Figure 9-3.
Figure 9-3 Running an FTP server program on the PC
2. Choose Security > Users/rights to configure a user name, password, and FTP working directory on the PC, as shown in Figure 9-4.
Click New User to set the user name and password. Here, the user name is AR and the password is 123456. Specify the FTP working directory on the PC in the Home Directory text box, for example, D:\ftp. Place the system file in this directory and click Done to close the dialog box.
3. Run the ftp host [ port-number ] command on the router to log in to the PC.
NOTE
Before downloading the system file from the PC, ensure that there is enough space on the router to store the system file. Enter the configured user name and password to log in to the PC.
4. Run the binary command to set the file transfer mode to binary.
5. Run the get remote-filename [ local-filename ] command to download the system file from the PC.
6. After the system file is downloaded, run the bye or quit command to terminate the connection with the PC and return to the user view.
7. Run the dir command on the router to check whether the system file exists in the current directory.
NOTE
If the size of the system file in the current directory on the router is different from that on the PC, an error may have occurred during file transfer. Upload the system file again.
Uploading a system file to the AR150/200 using the AR150/200 as the TFTP client and the PC as the TFTP server
NOTE
The AR150/200 can function only as a TFTP client, not as a TFTP server.
1. Run a TFTP server program on the PC. This procedure uses TFTP32 as an example, as shown in Figure 9-5.
2. Set Current Directory to the directory of the backup system file by clicking Browse, and place the system file in the specified directory. Set Server Interface to the IP address of the TFTP server. The IP address is usually displayed automatically.
3. Before downloading the system file from the PC, ensure that there is enough space on the router to store the system file.
4. Run the dir command on the router to check whether the system file exists in the current directory.
NOTE
If the size of the system file in the current directory on the router is different from that on the PC, an error may have occurred during file transfer. Download the system file again.
This method is not recommended because the upgrade procedure is complicated. Use this method
only when the router system software cannot start.
Connect the router's management interface to the PC.
The management interface varies according to the device model:
l AR150: Ethernet0/0/3
l AR200: Ethernet0/0/6
l AR1200: GigabitEthernet0/0/0
l AR2200: GigabitEthernet0/0/0
l AR2240: GigabitEthernet0/0/2
l AR3200: GigabitEthernet0/0/2
1. Run an FTP server program (for example, WFTPD32) on a terminal or PC, specify the directory of the system file, and configure an FTP user name and password according to Step 2.
2. Log in to the router from the console port. For details, see 1.2 Logging In to the Device Through the Console Port.
3. Restart the router. Press Ctrl+B to enter the BootROM menu when the following information is displayed.
Sep 16 2011,17:14:28
Copying Data : Done
Uncompressing : Done
Initializing SMI Bus:OK
Init flash, please wait......
Base Address: 0xfffffffffc000000
Size is: 0x20000000OK
flash drv init.
Initializing FlashPiece Module:
FlashPiece start offset at: 0x300000
FlashPiece size is: 0x100000
Initializing FlashDynamic Module:
FlashDynamic start offset at: 0x400000
FlashDynamic size is: 0x200000
Initializing I2C Bus:OK
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc
EHCI Controller found.
Waiting to attach to USBD...0xbfffdf0 (tRootTask): usb1_base =
0xbff22000Done.
0xbfffdf0 (tRootTask): usbBulkDevInit() returned OK
Press Ctrl+B to break auto startup ... Attached TCP/IP interface to teth1.
NOTE
l To access the BootROM menu, you must enter the initial password huawei after pressing Ctrl+B.
4. Select Network Menu from the BootROM main menu:
Default Startup
Serial Menu
Network Menu
Startup Select
File Manager
Reboot
5. Configure the FTP service type, system file name, network management interface address, FTP server address, FTP user name, and FTP password. The values used in this example are:
FTP type: 0
System file name: ar.cc
Management interface address: 192.168.200.174
Subnet mask: ffffff00
FTP server address: 192.168.200.1
FTP user name: ar
FTP password: ar
NOTE
Ftp type define: 0(ftp), 1(tftp)
6. After the system returns to the network menu, select choice 4 to download the specified system file from the PC.
NetWork Menu
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
Enter your choice(1-10): 4
7. Enter the corresponding number to select the storage medium. For example, 1 indicates the flash memory.
NOTE
The flash memory is the default storage medium. Other storage media, such as a USB flash drive, are displayed only after they are installed.
8. After the system file is downloaded to the router, restart the router.
----End
Context
Before specifying the system software to be used at the next startup, perform the following
operations:
Upload the system software to the master and slave MPUs. For details, see information about
uploading and downloading files in Managing Files Using FTP Commands.
Make sure that the storage media on the MPUs have sufficient space to store the system software.
NOTE
Check the size and release date of the system software to be uploaded.
Procedure
Step 1 In the user view, run:
startup system-software system-file
The system software to be used at the next startup is specified for the MPU.
Step 2 (Optional) If the upgraded system software needs a corresponding patch file, perform the
following operations:
l Run:
startup patch file-name
A patch file to be used at the next startup is specified for the MPU.
Step 3 (Optional) Run:
startup saved-configuration configuration-file
The configuration file to be used at the next startup is specified for the MPUs.
----End
Context
If the storage device where the startup software package is stored is damaged, you can use the backup software package to start the system.
NOTE
l The file name extension of the system software package must be .cc and the package must be stored in the root directory.
l The backup startup software package can be identical to or different from the current startup software package. Either can be used to start the system.
Procedure
Step 1 Run:
startup system-software filename backup
A backup startup software package is specified.
----End
Context
NOTE
Run the display device command to check whether the device is configured with a registered 2FE.
Procedure
Step 1 Run:
upgrade slot slot-id startup bootrom
Step 2 Run:
reset slot slot-id
Context
During the upgrade, the device must be restarted in the following situation:
l The system software and configuration file to be used at the next startup have been specified.
CAUTION
Before restarting the router, run the save command to save the current configuration file.
The router restarts with the specified startup files. If the specified startup files are damaged, the router restarts with the backup startup files. If the router fails to restart with the backup startup files, it searches for valid startup files on the storage devices in the sequence "flash memory -> USB flash drive". If a storage device has multiple startup files, it uses the first startup file it finds. When the router finds valid system software packages and configuration files on the storage device, it selects a rollback version within 24 minutes and restarts with the selected version. If the router does not find valid system software and a configuration file, it stops at the BootROM menu.
Procedure
l
Prerequisites
The configurations for upgrading system software are complete.
Procedure
l Run the display patch-information command to check information about all patches.
l Run the display startup command to check that the values of the "Startup system software" and "Startup saved-configuration file" fields in the command output are the values you require.
----End
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Example
After the patch is installed, run the display patch-information command. You can view the patch status on each board.
<Huawei> display patch-information
Patch version     : ARV200R001C00SPH100
Patch packet name : flash:/patch_lic2.pat
Run the display startup command. You can view the names of the system software and the configuration file used at the startup. For example:
<Huawei> display startup
MainBoard:
Startup system software:                   flash:/ar0215_31345_200.cc
Next startup system software:              flash:/ar0215_31345_200.cc
Backup system software for next startup:   null
Startup saved-configuration file:          flash:/iascfg.zip
Next startup saved-configuration file:     flash:/iascfg.zip
Startup license file:                      null
Next startup license file:                 null
Startup patch package:                     null
Next startup patch package:                null
Startup voice-files:                       null
Next startup voice-files:                  null
Applicable Environment
The installation process installs a patch on the MPU and all LPUs.
You can use either of the following methods to install patches:
l Installing a patch file immediately: The patch file takes effect after a command is used to run the patch file, without having to restart the device. For details, see Installing a Patch.
l Specifying a patch file to be used at the next startup: The patch file takes effect after the device is restarted.
Pre-configuration Tasks
Before managing patches, complete the following tasks:
l
Data Preparation
To manage patches, you need the following data.
No. Data
1 Patch file
Context
Only one patch file can be run in the system at a time. Therefore, run the display patch-information command before patch installation to check information about all patches, including the running patches. If the command output shows that there is a running patch file in the system, delete the running patch file.
In addition, perform the following operations before patch installation:
l Upload a patch file to the master MPU. For details, see the contents of uploading and downloading files in Performing File Operations by Using FTP Commands.
Procedure
Step 1 Enter the user view.
Step 2 Run:
patch load patchname all run
l The patch load patchname all run command can activate only one patch file each time.
l Each patch is developed incrementally based on the earlier version. If the incremental patch
patchB.pat is activated when the system is running the earlier version patchA.pat, patchB.pat takes
effect. To run patchA.pat again, run the patch delete all command to delete patches in the system,
and load and activate patchA.pat. Alternatively, run the startup patch command to specify
patchA.pat as the next startup patch, and then restart the device to make patchA.pat effective.
----End
Context
Before specifying a patch file to be used at the next startup, the following tasks must be completed:
l Upload the specified patch file to the storage medium on the master MPU. For details, see the contents of uploading and downloading files in Managing Files Using FTP Commands.
Procedure
Step 1 In the user view, run:
startup patch file-name
The patch file (*.pat) to be used at the next startup is specified for the master and slave MPUs.
----End
Follow-up Procedure
After the patch file to be used at the next startup has been specified, run the display startup
command to view the value of the "Next startup patch package" field on the MPUs.
Context
Only one patch file can be run in the system during patch installation. Therefore, delete the
running patch file from the patch area before loading and running a new patch file.
Procedure
Step 1 Run:
patch delete all
Follow-up Procedure
After patch files have been deleted, run the following command to verify the configuration.
l
Prerequisites
The configurations for patch installation are complete.
Procedure
l
Run the display patch-information command to check information about all patches.
----End
Example
After a patch has been installed, run the display patch-information command to view the patch status on each board.
<Huawei> display patch-information
Patch version     : ARV200R002C00SPH100
Patch packet name : flash:/patch_lic2.pat
Applicable Environment
The CPU and memory are key parts of a device. Routing information and fast route algorithms can consume a large amount of CPU resources, affecting system performance. If resource usage is too high, the device is unable to process data in a timely manner, packets may be lost, or the system may break down. Customers must bear the losses from such occurrences.
Alarms for high CPU or memory usage during data processing allow CPU and memory usage to be monitored effectively and system performance to be optimized, which keeps the system operating normally.
Pre-configuration Tasks
Before setting CPU and memory usage thresholds, complete the following task:
l
Data Preparation
To set CPU and memory usage thresholds, you need the following data.
No. Data
1 CPU usage thresholds, including an alarm threshold and a clear alarm threshold
Context
Two CPU usage thresholds are set:
l Alarm threshold: the system generates an alarm when CPU usage reaches this threshold.
l Clear alarm threshold: the alarm is cleared when CPU usage falls below this threshold.
Procedure
Step 1 Run:
system-view
An alarm threshold and a clear alarm threshold are set for CPU usage on an MPU or an LPU in a specified slot.
NOTE
By default, the alarm threshold for CPU usage is 80%, and the clear alarm threshold for CPU usage is 75%.
----End
Context
Two memory usage thresholds are set:
l Alarm threshold of memory usage: the system generates an alarm when memory usage reaches the alarm threshold.
l Clear alarm threshold of memory usage: the alarm is cleared when memory usage falls below the clear alarm threshold.
Procedure
Step 1 Run:
system-view
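The alarm threshold and clear alarm threshold pair described above for CPU usage, and in the same way for memory usage, is a hysteresis alarm: it is raised at one level and cleared only at a lower one. The following added example (not code from the Huawei guide; the class, its method names and the sample data are assumptions) implements that logic in Python with the guide's stated CPU defaults of 80% and 75%, runs it over a constructed series of usage samples, and then runs the same samples with the clear threshold moved up to 79% to show why the gap between the two values matters.

```python
"""Added example (not from the Huawei guide): the alarm / clear-alarm
threshold pair for CPU or memory usage as a small hysteresis state machine.
Class and function names and the sample data below are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class UsageAlarm:
    """Raise an alarm when usage reaches alarm_threshold; clear it only when
    usage falls below clear_threshold. The gap between the two values stops a
    load hovering around one level from switching the alarm on and off on
    every sample. Defaults are the guide's CPU defaults: 80% alarm, 75% clear."""
    resource: str = "CPU"
    alarm_threshold: int = 80
    clear_threshold: int = 75
    active: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # A clear threshold at or above the alarm threshold would make the
        # alarm clear on the same sample that raised it; reject it up front.
        if not 0 <= self.clear_threshold < self.alarm_threshold <= 100:
            raise ValueError("require 0 <= clear_threshold < alarm_threshold <= 100")

    def sample(self, usage: int, when: str) -> Optional[str]:
        """Feed one usage sample (percent); return the event it caused, if any."""
        if not self.active and usage >= self.alarm_threshold:
            self.active = True
            event = f"{when} {self.resource} usage alarm raised: {usage}% >= {self.alarm_threshold}%"
        elif self.active and usage < self.clear_threshold:
            self.active = False
            event = f"{when} {self.resource} usage alarm cleared: {usage}% < {self.clear_threshold}%"
        else:
            return None  # inside the hysteresis band, or no state change
        self.events.append(event)
        return event


def run(samples: Sequence[Tuple[str, int]], **thresholds) -> List[str]:
    """Run one monitor over (timestamp, percent) samples; return its events."""
    monitor = UsageAlarm(**thresholds)
    for when, usage in samples:
        monitor.sample(usage, when)
    return monitor.events


# Constructed samples: a burst above 80%, a hover between 75% and 80%
# (which must not flap the alarm), a dip below 75%, a second burst, recovery.
CPU_SAMPLES = [("t0", 40), ("t1", 82), ("t2", 78), ("t3", 85), ("t4", 76),
               ("t5", 74), ("t6", 79), ("t7", 81), ("t8", 50)]

if __name__ == "__main__":
    print("default 80/75 thresholds:")
    for e in run(CPU_SAMPLES):
        print("  " + e)
    print("clear threshold raised to 79 (flapping):")
    for e in run(CPU_SAMPLES, clear_threshold=79):
        print("  " + e)
```

With the 80/75 defaults the nine samples produce four events (raised at t1, cleared at t5, raised at t7, cleared at t8); with the clear threshold at 79 the same samples produce six, because the hover at 76-78% now toggles the alarm. When you tune the thresholds on the router, keep that gap wide enough for the normal load swings of your device, or the alarm will add noise rather than signal.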
Prerequisites
The configurations for CPU and memory usage thresholds are complete.
Procedure
l
----End
Example
# Display the CPU usage of the MPU. The CPU usage is displayed in the CPU column.
<Huawei> display cpu-usage
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage            : 0% Max: 100%
CPU Usage Stat. Time : 2011-01-30 15:41:37
CPU utilization for five seconds: 0%: one minute: 0%: five minutes: 0%.
TaskName             CPU
[one row per task, for example BOX, _TIL, VCLK, TICK, co0, TAD, RTMR, IPCQ, IPCK, VP, IPCW, ..., RSVP task, LDP task, CSPF task, GRESM task, GEM, GEM RUN, UTSK, APP, IP, LINK, VRPT, HOTT, TNQAC, TTNQAS, TARPING, TTVPLS, L2, VRRP, L2_PR, ARP, PBBL, RMON (Remote monitoring), Operation System; per-task percentages omitted]
Applicable Environment
After the system software of the router is upgraded, the router must be restarted for the configurations to take effect. Restarting the router also prevents system failure due to an excessive number of temporary files.
The AR150/200 provides two methods of restarting the router:
l Immediate restart
l Scheduled restart
Pre-configuration Tasks
Before restarting the router, complete the following tasks:
l
Data Preparation
To restart the router, you need the following data.
No. Data
Context
CAUTION
Using the reboot command is not recommended. It can cause transient service interruption.
Procedure
l Run:
reboot [ fast ]
Context
Do as follows on the router that needs to restart at a scheduled time:
Procedure
Step 1 Run:
schedule reboot at exact-time
The router is configured to restart at a scheduled time, and the restart time is set.
Step 2 Run:
schedule reboot delay interval
The router is configured to restart at a scheduled time, and the wait time before the restart is set.
You can choose either Step 1 or Step 2 to configure the router to restart at a scheduled time.
By default, the function for configuring a device to restart at a scheduled time is disabled.
NOTE
You can run the undo schedule reboot command to disable the function of restarting the router at a fixed
time.
----End
Prerequisites
The configurations for restarting the router at a scheduled time are complete.
Procedure
l
Run the display schedule reboot command to check the parameters set for the scheduled
restart of the router.
----End
Example
# View the configuration of the router restart, with the restart time at 00:00.
<Huawei> display schedule reboot
Info:System will reboot at 00:00:00 2009/07/01 (in 12 hours and 33 minutes).
# View the configuration of the router restart with a wait time set to 12 hours before the restart.
<Huawei> display schedule reboot
Info:System will reboot at 23:27:14 2009/06/30 (in 11 hours and 59 minutes).
Networking Requirements
The current system software needs to be upgraded if it cannot provide additional features or larger specifications required by customers.
As shown in Figure 9-6, the system software of the device cannot meet the customer's requirements and needs to be upgraded. Huawei has provided the related upgrade files for the customer to perform the software upgrade on the device.
Figure 9-6 Networking diagram for upgrading system software (device interface Eth2/0/0, 10.1.1.1/24; PC, 10.1.1.2/24; FTP server)
Precautions
l The key data in the storage medium on the device must be backed up to the PC.
l The remaining space of the storage media must be checked to make sure that there is enough space to store the new system software.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Specify FTP as the mode of uploading the system software, the device as the FTP server,
user 1 as the user name, and huawei as the user password.
2.
Specify the system software and configuration file to be used at the next startup.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
l System software version before the upgrade, which is V200R001C00.cc in this example
l Size of the remaining space of the storage media, which must be able to store the system software package
Procedure
Step 1 Upload the new system software.
# Configure the device as an FTP server.
<Huawei> system-view
[Huawei] ftp server enable
After the preceding configurations are complete, run the display local-user command to check
information about the user.
<Huawei> display local-user
----------------------------------------------------------------------------
User-name                State  AuthMask  AdminLevel
----------------------------------------------------------------------------
user1                    A      H
user2                    A      A
----------------------------------------------------------------------------
Total 2 user(s)
# On the PC, specify the binary format as the file transfer mode, and c:\temp as the working
directory.
NOTE
Store the uploaded file in the specified directory (C:\temp in this example). Choose Start >
Run and enter cmd. Then, press Enter. Enter FTP 10.1.1.1. At the prompt of "user", enter the
user name. At the prompt of "password", enter the password. The following configurations are
displayed:
C:\Documents and Settings\Administrator> ftp 10.1.1.1
Connect to 10.1.1.1.
220 FTP server ready.
User <10.1.1.1:<none>>:user1
331 Please specify the password.
Password:
230 User logged in.
Specify a directory and a file transfer mode on the FTP client to store the uploaded file.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now c:\temp.
# On the PC, upload the new system software (*.cc) to the device.
ftp> put V200R002C00.cc
200 Port command okay.
226 Transfer complete.
Step 2 Specify the system software and configuration file to be used at the next startup.
# Specify the system software to be used at the next startup.
<Huawei> startup system-software flash:/V200R002C00.cc
This operation will take several minutes, please wait..........
Info: Succeeded in setting the file for booting system
# View the system software and configuration file to be used at the next startup, and check that
the system software is the specified one.
<Huawei> display startup
MainBoard:
Startup system software:                   flash:/V200R001C00.cc
Next startup system software:              flash:/V200R002C00.cc
Backup system software for next startup:   null
Startup saved-configuration file:          flash:/iascfg.zip
Next startup saved-configuration file:     flash:/aa.cfg
Startup license file:                      null
Next startup license file:                 null
Startup patch package:                     null
Next startup patch package:                null
Startup voice-files:                       null
Next startup voice-files:                  null
----End
Configuration Files
#
 ftp server enable
#
 local-user user1 password simple huawei
 local-user user1 ftp-directory flash:
 local-user user1 service-type ftp
#
return
Startup system software:       flash:/V200R001C00.cc
Next startup system software:  flash:/V200R002C00.cc
Networking Requirements
As shown in Figure 9-7, the performance of the device needs to be optimized. Huawei has provided a patch file for the customer to install.
Figure 9-7 Networking diagram for installing a patch file (device interface Eth2/0/0, 10.1.1.1/24; PC, 10.1.1.2/24; FTP server)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l Patch file storage path on the master MPU, which is flash in this example
Procedure
Step 1 Upload the patch file matching the current system software.
# Upload the patch file matching the current system software from the PC to the device.
ftp> put SPH-1.1.952.pat
200 Port command okay.
226 Transfer complete.
----End