
Quidway S9300 Terabit Routing Switch
V100R006C01

Configuration Guide - Basic Configuration

Issue 01

Date 2011-10-26

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 01 (2011-10-26) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.


About This Document

Intended Audience

This document provides the basic concepts, basic configuration procedures, and configuration examples supported by the S9300.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol: Description

DANGER: Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.

WARNING: Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.

CAUTION: Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP: Indicates a tip that may help you solve a problem or save time.

NOTE: Provides additional information to emphasize or supplement important points of the main text.


Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention: Description

Boldface: The keywords of a command line are in boldface.

Italic: Command arguments are in italics.

[ ]: Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>: The parameter before the & sign can be repeated 1 to n times.

#: A line starting with the # sign is a comment.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 01 (2011-10-26)

Initial commercial release.


Contents

About This Document ..... ii

1 Logging In to Switch ..... 1
  1.1 Introduction ..... 2
    1.1.1 Login Through the Console ..... 2
    1.1.2 Login Through Telnet ..... 2
  1.2 Logging In to the Device Through the Console Port ..... 2
    1.2.1 Establishing the Configuration Task ..... 3
    1.2.2 Establishing the Physical Connection ..... 3
    1.2.3 Configuring Terminals ..... 4
    1.2.4 Logging In to the Device ..... 4
  1.3 Logging In to Device Through Telnet ..... 4
    1.3.1 Establishing the Configuration Task ..... 5
    1.3.2 Establishing the Physical Connection ..... 5
    1.3.3 Configuring Login User Parameters ..... 6
    1.3.4 Logging In from the Telnet Client ..... 6
  1.4 Configuration Examples ..... 6
    1.4.1 Example for Logging In Through the Console Port ..... 6
    1.4.2 Example for Logging In Through Telnet ..... 9

2 CLI Overview ..... 11
  2.1 CLI Introduction ..... 12
    2.1.1 Command Line Interface ..... 12
    2.1.2 Command Levels ..... 12
    2.1.3 Command Views ..... 13
  2.2 Online Help ..... 15
    2.2.1 Full Help ..... 16
    2.2.2 Partial Help ..... 16
    2.2.3 Error Messages of the Command Line Interface ..... 17
  2.3 Features of Command Line Interface ..... 17
    2.3.1 Editing ..... 17
    2.3.2 Displaying ..... 18
    2.3.3 Regular Expressions ..... 19
    2.3.4 History Commands ..... 22


    2.3.5 Batch Command Execution ..... 23
  2.4 Shortcut Keys ..... 23
    2.4.1 Classifying Shortcut Keys ..... 23
    2.4.2 Defining Shortcut Keys ..... 25
    2.4.3 Use of Shortcut Keys ..... 25
  2.5 Configuration Examples ..... 25
    2.5.1 Example for Running Commands in Batches ..... 26
    2.5.2 Example for Using the Tab Key ..... 26
    2.5.3 Example for Defining Hotkeys ..... 27
    2.5.4 Example for Copying a Command by Using Hotkeys ..... 28

3 How to Use Interfaces ..... 29
  3.1 Introduction to Interfaces ..... 30
  3.2 Setting Basic Parameters of an Interface ..... 33
    3.2.1 Establishing the Configuration Task ..... 33
    3.2.2 Entering the Interface View ..... 34
    3.2.3 Viewing All the Commands in the Interface View ..... 34
    3.2.4 Configuring the Description for an Interface ..... 35
    3.2.5 Starting and Shutting Down an Interface ..... 35
    3.2.6 Further Configuration of an Interface ..... 36
    3.2.7 Checking the Configuration ..... 36
  3.3 Configuring the Loopback Interface ..... 37
    3.3.1 Establishing the Configuration Task ..... 37
    3.3.2 Configuring IPv4 Parameters of the Loopback Interface ..... 37
    3.3.3 Checking the Configuration ..... 38
  3.4 Maintaining the Interface ..... 38
    3.4.1 Clearing Statistics Information on the Interface ..... 38
    3.4.2 Debugging the Interface ..... 39

4 Basic Configuration ..... 40
  4.1 Basic Configuration Introduction ..... 41
  4.2 Configuring the Basic System Environment ..... 41
    4.2.1 Establishing the Configuration Task ..... 41
    4.2.2 Switching the Language Mode ..... 42
    4.2.3 Configuring the Equipment Name ..... 42
    4.2.4 Setting the System Clock ..... 43
    4.2.5 Configuring a Header ..... 44
    4.2.6 Configuring Command Levels ..... 44
    4.2.7 Configuring the Undo Command to Match in the Previous View Automatically ..... 45
  4.3 Configuring Basic User Environment ..... 46
    4.3.1 Establishing the Configuration Task ..... 46
    4.3.2 Configuring the Password for Switching User Levels ..... 47
    4.3.3 Switching User Levels ..... 47
    4.3.4 Locking User Interfaces ..... 48


  4.4 Displaying System Status Messages ..... 48
    4.4.1 Displaying System Configuration ..... 49
    4.4.2 Displaying System Status ..... 49
    4.4.3 Collecting System Diagnostic Information ..... 49

5 User Management ..... 51
  5.1 User Management Introduction ..... 52
    5.1.1 User Interface ..... 52
    5.1.2 User Authentication ..... 53
  5.2 Logging In to the S9300 Through the Console Port ..... 55
    5.2.1 Establishing the Configuration Task ..... 55
    5.2.2 Logging In to the S9300 Through the Console Interface ..... 56
  5.3 Configuring Console User Interface ..... 59
    5.3.1 Establishing the Configuration Task ..... 59
    5.3.2 Configuring Console Interface Attributes ..... 60
    5.3.3 Setting Console Terminal Attributes ..... 61
    5.3.4 Configuring User Priority ..... 62
    5.3.5 Configuring User Authentication ..... 63
    5.3.6 Checking the Configuration ..... 64
  5.4 Configuring VTY User Interface ..... 64
    5.4.1 Establishing the Configuration Task ..... 64
    5.4.2 Configuring Maximum VTY User Interfaces ..... 65
    5.4.3 (Optional) Configuring Limits for Incoming Calls and Outgoing Calls ..... 66
    5.4.4 Configuring VTY Terminal Attributes ..... 66
    5.4.5 Configuring User Authentication ..... 67
    5.4.6 Checking the Configuration ..... 69
  5.5 Managing User Interfaces ..... 69
    5.5.1 Establishing the Configuration Task ..... 69
    5.5.2 Sending Messages to Other User Interfaces ..... 70
    5.5.3 Clearing Online User ..... 70
    5.5.4 Checking the Configuration ..... 71
  5.6 Configuring User Management ..... 71
    5.6.1 Establishing the Configuration Task ..... 71
    5.6.2 Configuring Authentication Mode ..... 72
    5.6.3 Configuring Authentication Password ..... 72
    5.6.4 Setting Username and Password for AAA Local Authentication ..... 73
    5.6.5 Configuring Non-Authentication ..... 73
    5.6.6 Configuring User Priority ..... 74
    5.6.7 Checking the Configuration ..... 74
  5.7 Configuration Examples ..... 75
    5.7.1 Example for Configuring Logging In to the Switch Through Password ..... 75
    5.7.2 Example for Logging In to the Device Through AAA ..... 76

6 File System Management ..... 78


  6.1 Overview of the File System ..... 79
  6.2 Managing a Storage Device ..... 79
    6.2.1 Establishing the Configuration Task ..... 79
    6.2.2 Restoring Storage Devices with File System Troubles ..... 80
    6.2.3 (Optional) Formatting a Storage Device ..... 80
  6.3 Managing the Directory ..... 80
    6.3.1 Establishing the Configuration Task ..... 80
    6.3.2 Viewing the Current Directory ..... 81
    6.3.3 Switching a Directory ..... 81
    6.3.4 Displaying a Directory or File ..... 82
    6.3.5 Creating a Directory ..... 82
    6.3.6 Deleting a Directory ..... 82
  6.4 Managing Files ..... 83
    6.4.1 Establishing the Configuration Task ..... 83
    6.4.2 Displaying Contents of Files ..... 84
    6.4.3 Copying Files ..... 84
    6.4.4 Moving Files ..... 84
    6.4.5 Renaming Files ..... 85
    6.4.6 Compressing Files ..... 85
    6.4.7 Deleting Files ..... 85
    6.4.8 Deleting Files in the Recycle Bin ..... 86
    6.4.9 Undeleting Files ..... 86
    6.4.10 Running Files in Batch ..... 87
    6.4.11 Configuring Prompt Modes ..... 87
  6.5 Configuration Examples ..... 88
    6.5.1 Example for Managing Files ..... 88

7 Management of Configuration Files ..... 90
  7.1 Management of Configuration Files Introduction ..... 91
    7.1.1 Configuration Files ..... 91
    7.1.2 Configuration Files and Current Configurations ..... 91
  7.2 Managing Configuration Files ..... 91
    7.2.1 Establishing the Configuration Task ..... 92
    7.2.2 Configuring System Software for a Switch to Load for the Next Startup ..... 92
    7.2.3 Configuring the Configuration File for a Switch to Load for the Next Startup ..... 93
    7.2.4 Saving Configuration Files ..... 93
    7.2.5 Clearing a Configuration File ..... 95
    7.2.6 Comparing Configuration Files ..... 95
    7.2.7 Checking the Configuration ..... 96

8 FTP and TFTP ..... 98
  8.1 FTP and TFTP Introduction ..... 99
    8.1.1 FTP ..... 99
    8.1.2 TFTP ..... 99


  8.2 Configuring the Switch to Be the FTP Server ..... 99
    8.2.1 Establishing the Configuration Task ..... 100
    8.2.2 (Optional) Specifying a Port Number for the FTP Server ..... 100
    8.2.3 Enabling the FTP Server ..... 101
    8.2.4 Configuring the Source IP Address of the FTP Server ..... 101
    8.2.5 (Optional) Configuring the Timeout Period ..... 102
    8.2.6 Configuring the Local Username and the Password ..... 102
    8.2.7 Configuring the Service Type and Authorization Information ..... 103
    8.2.8 Checking the Configuration ..... 103
  8.3 Configuring FTP ACL ..... 104
    8.3.1 Establishing the Configuration Task ..... 104
    8.3.2 Enabling the FTP Server ..... 105
    8.3.3 Configuring a Basic ACL ..... 105
    8.3.4 Configuring the Basic FTP ACL ..... 105
    8.3.5 Checking the Configuration ..... 106
  8.4 Configuring the Switch to Be the FTP Client ..... 106
    8.4.1 Establishing the Configuration Task ..... 107
    8.4.2 (Optional) Configuring Source IP Address and Interface of the FTP Client ..... 108
    8.4.3 Logging In to the FTP Server ..... 108
    8.4.4 Configuring Data Type and Transmission Mode for the File ..... 109
    8.4.5 (Optional) Viewing Online Help of the FTP Command ..... 110
    8.4.6 Uploading or Downloading Files ..... 110
    8.4.7 Managing Directories ..... 110
    8.4.8 Managing Files ..... 111
    8.4.9 (Optional) Changing Login Users ..... 112
    8.4.10 Disconnecting from the FTP Server ..... 112
    8.4.11 Checking the Configuration ..... 113
  8.5 Configuring the Switch to Be the TFTP Client ..... 113
    8.5.1 Establishing the Configuration Task ..... 113
    8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client ..... 114
    8.5.3 Downloading Files Through TFTP ..... 114
    8.5.4 Uploading Files Through TFTP ..... 115
  8.6 Limiting the Access to the TFTP Server ..... 115
    8.6.1 Establishing the Configuration Task ..... 115
    8.6.2 Configuring the Basic ACL ..... 116
    8.6.3 Configuring the Basic TFTP ACL ..... 116
  8.7 Configuration Examples ..... 117
    8.7.1 Example for Configuring the FTP Server ..... 117
    8.7.2 Example for Configuring an ACL of the FTP Server ..... 119
    8.7.3 Example for Configuring the FTP Client ..... 121
    8.7.4 Example for Configuring the TFTP Client ..... 123

9 Telnet and SSH..........................................................................................................................126


9.1 Telnet and SSH Introduction
9.1.1 Overview of User Login
9.1.2 Telnet Terminal Services
9.1.3 SSH Terminal Services

9.2 Configuring Telnet Terminal Services
9.2.1 Establishing the Configuration Task
9.2.2 Enabling the Telnet Service
9.2.3 Establishing a Telnet Connection
9.2.4 (Optional) Configuring a Telnet Server Port Number
9.2.5 (Optional) Scheduled Telnet Disconnection
9.2.6 Checking the Configuration

9.3 Configuring SSH Users
9.3.1 Establishing the Configuration Task
9.3.2 Creating an SSH User
9.3.3 Configuring SSH for the VTY User Interface
9.3.4 Generating a Local RSA Key Pair
9.3.5 Configuring the Authentication Mode for SSH Users
9.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users
9.3.7 (Optional) Authorizing SSH Users Through the Command Line
9.3.8 Configuring the Service Type of SSH Users
9.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users
9.3.10 Checking the Configuration

9.4 Configuring the SSH Server Function
9.4.1 Establishing the Configuration Task
9.4.2 Enabling the STelnet Service
9.4.3 Enabling the SFTP Service
9.4.4 Enabling SCP Services
9.4.5 (Optional) Enabling the Earlier-Version-Compatible Function
9.4.6 (Optional) Configuring the Number of the Port Monitored by the SSH Server
9.4.7 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server
9.4.8 Checking the Configuration

9.5 Configuring the STelnet Client Function
9.5.1 Establishing the Configuration Task
9.5.2 Enabling the First-Time Authentication on the SSH Client
9.5.3 (Optional) Assigning an RSA Public Key to the SSH Server
9.5.4 Enabling the STelnet Client
9.5.5 Checking the Configuration

9.6 Configuring the SFTP Client Function
9.6.1 Establishing the Configuration Task
9.6.2 (Optional) Configuring a Source IP Address for an SFTP Client
9.6.3 Configuring the First-Time Authentication on the SSH Client
9.6.4 (Optional) Assigning an RSA Public Key to the SSH Server


9.6.5 Enabling the SFTP Client
9.6.6 (Optional) Managing the Directory
9.6.7 (Optional) Managing the File
9.6.8 (Optional) Displaying the SFTP Client Command Help
9.6.9 Checking the Configuration

9.7 Configuring the SCP Client
9.7.1 Establishing the Configuration Task
9.7.2 (Optional) Configuring a Source IP Address for the SCP Client
9.7.3 Copying Files
9.7.4 Checking the Configuration

9.8 Configuration Examples
9.8.1 Example for Configuring the Telnet Terminal Service
9.8.2 Example for Configuring the PC as the STelnet Client to Connect to the SSH Server
9.8.3 Example for Configuring the Switch as the STelnet Client to Connect to the SSH Server
9.8.4 Example for Connecting the SFTP Client and the SSH Server
9.8.5 Example for Configuring the SSH Server to Support the Access from Another Port
9.8.6 Example for Authenticating SSH Through RADIUS
9.8.7 Example for Configuring the SCP Client

10 Web System Configuration
10.1 Overview of Web System
10.2 Starting Web System
10.2.1 Logging In to the S9300 Through the Console Interface
10.2.2 Setting the Management IP Address of the S9300
10.2.3 Uploading Web Page Files
10.2.4 Loading a Web Page File
10.2.5 Creating a Web Account
10.2.6 Logging In to the Web System

11 SSL Configuration
11.1 SSL
11.2 SSL Features Supported by the S9300
11.3 Configuring Login to an FTPS Server from a User Terminal
11.3.1 Establishing the Configuration Task
11.3.2 Configuring an SSL Policy and Loading a Digital Certificate
11.3.3 Enabling the FTPS Function
11.3.4 Accessing an FTPS Server
11.3.5 Checking the Configuration

11.4 Configuring Login to an FTPS Server from an FTPS Client
11.4.1 Establishing the Configuration Task
11.4.2 Configuring the FTPS Client
11.4.3 Configuring the FTPS Server
11.4.4 Accessing an FTPS Server
11.4.5 Checking the Configuration


11.5 Configuring Secure Web Network Management
11.5.1 Establishing the Configuration Task
11.5.2 Configuring an SSL Policy and Loading a Digital Certificate
11.5.3 Loading a Web Page File
11.5.4 Enabling the HTTPS Function
11.5.5 Creating a Web Account
11.5.6 Logging In to the Web System
11.5.7 Checking the Configuration

11.6 Configuration Examples
11.6.1 Example for Configuring Login to an FTPS Server from a User Terminal
11.6.2 Example for Configuring Login to an FTPS Server from an FTPS Client
11.6.3 Example for Configuring Secure Web Network Management


1 Logging In to Switch

About This Chapter

Before you can configure a switch, you must log in to it.

1.1 Introduction
You can log in to a switch through the console port or through Telnet.

1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a switch through the console port to establish the configuration environment.

1.3 Logging In to the Device Through Telnet
This section describes how to connect a terminal to a switch through Telnet to establish the configuration environment.

1.4 Configuration Examples
This section provides examples for configuring users to log in to the switch through the console port or Telnet, together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and the configuration roadmap.


1.1 Introduction
You can log in to a switch through the console port or through Telnet.

1.1.1 Login Through the Console
When a switch is powered on for the first time, or when it must be configured locally, you log in to the switch through the console port.

In the following cases, a switch can be configured only through the console port:

- The switch is powered on for the first time.
- The user cannot log in through Telnet.

1.1.2 Login Through Telnet
If you know the IP address of a switch, you can log in to it through Telnet to perform local or remote configuration.

Before Telnet login is possible, you need to configure, through the console port, the IP addresses of the interfaces, the user account, the authentication mode, and the incoming and outgoing call restrictions on the switch. Also ensure that the terminal can reach the switch, either over a direct connection or through intermediate switches.

The destination switch authenticates the user according to the configured parameters, in one of three modes:

- Password authentication: the login user must enter the correct password.
- AAA local authentication: the login user must enter the correct user name and password.
- None authentication: the login user need not enter a user name or password. This mode gives anyone who can reach the switch an unauthenticated command line, so do not use it on a Telnet user interface that is reachable from the network.

If the login succeeds, a command line prompt such as <Quidway> appears on the Telnet client.

Enter a command to check the running status of the switch or to configure the switch.

Enter "?" for help.

NOTE

Do not modify the IP address of the switch while you are configuring it through Telnet, because the modification may terminate the Telnet connection. If you must change the address, set up the connection again using the new IP address.

1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a switch through the console port to establish the configuration environment.


1.2.1 Establishing the Configuration Task
Before configuring login to the switch through the console port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
If you log in to the switch for the first time or perform local configuration, you need to log in to the switch through the console port.

NOTE

If you cannot log in to the switch through Telnet, log in through the console port.

Pre-configuration Tasks
Before configuring login to the switch through the console port, complete the following tasks:

- Preparing the PC or terminal (including a serial port and an RS-232 cable)
- Installing a terminal emulation program on the PC (such as Windows XP HyperTerminal)

Data Preparation
To log in to the switch through the console port, you need the following data.

NOTE

If the AAA authentication mode is configured for users who log in to the switch through the console interface, the correct user name and password must be entered for a successful login.

No.  Data
1    Terminal communication parameters:
     - Baud rate
     - Data bits
     - Parity
     - Stop bits
     - Flow-control mode
2    (Optional) User name and password to be entered for a successful login in AAA authentication mode

1.2.2 Establishing the Physical Connection
This part describes how to physically connect a terminal to a switch before logging in to the switch through the console port.

Context
Do as follows on the switch:


Procedure

Step 1 Connect the COM port on the PC to the console port on the switch with the RS-232 console cable.

Step 2 Power on all devices to perform a self-check.

----End

1.2.3 Configuring Terminals
This part describes how to configure the terminal before logging in to the switch through the console port.

Context
Do as follows on the PC:

Procedure

Step 1 Run the terminal emulation program on the PC and set the communication parameters as follows:
- Baud rate: 9600 bps
- Data bits: 8
- Stop bits: 1
- Parity: none
- Flow control: none

----End

1.2.4 Logging In to the Device
This part describes how to log in to the switch through the console port.

Context
Do as follows on the PC:

Procedure

Step 1 Press Enter until a command line prompt such as <Quidway> appears. The user view is now displayed and you can configure the switch.

NOTE

If the AAA or password authentication mode is configured for users who log in to the switch through the console interface, the correct user name and password must be entered for a successful login.

----End

1.3 Logging In to the Device Through Telnet
This section describes how to connect a terminal to a switch through Telnet to establish the configuration environment.


1.3.1 Establishing the Configuration Task
Before configuring login to the switch through Telnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

If you know the IP address of the switch, you can log in to the switch through Telnet for local or remote configuration.

Pre-configuration Tasks

Before configuring the switch through Telnet, complete the following tasks:

- Powering on the devices and performing a self-check
- Preparing the PC (including a network port and a crossover or straight-through Ethernet cable)

Data Preparation

To log in to the switch through Telnet, you need the following data.

No.  Data
1    IP address of the PC
2    IP address of the Ethernet interface on the switch
3    User information for Telnet access:
     - User name
     - Password
     - Authentication mode

1.3.2 Establishing the Physical Connection
This part describes how to physically connect a terminal to a switch before logging in to the switch through Telnet.

Prerequisite
The pre-configuration tasks and data preparation in 1.3.1 Establishing the Configuration Task are complete.

Procedure

Step 1 Connect the PC directly to the switch, or connect both the switch and the PC to the network, using Ethernet cables.

----End


1.3.3 Configuring Login User Parameters
This part describes how to configure user parameters for login to the switch through Telnet.

Context

Do as follows on the switch:

Procedure

Step 1 Configure the authentication mode of login users.

Step 2 Configure the privilege level of login users.

For details, see 5.4 Configuring VTY User Interface and 5.6 Configuring User Management.

----End

1.3.4 Logging In from the Telnet Client
This part describes how to log in to the switch through Telnet.

Context

Do as follows on the PC:

Procedure

Step 1 Run the Telnet program on the PC that functions as the client, and enter the IP address of the interface on the destination switch that provides the Telnet service.

Step 2 Enter the user name and password in the login window. After authentication succeeds, a command line prompt such as <Quidway> appears. You are now in the user view of the configuration environment.

----End

1.4 Configuration Examples
This section provides examples for configuring users to log in to the switch through the console port or Telnet, together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and the configuration roadmap.

1.4.1 Example for Logging In Through the Console Port
In this example, you configure the PC so that it can log in to the switch through the console port.

Networking Requirements

Initialize the configuration of the switch when the switch is powered on for the first time.


Figure 1-1 Networking diagram of logging in through the console port (PC connected to the Switch through the console port)

Configuration Roadmap
The configuration roadmap is as follows:

1. Connect the PC and the switch through the console port.
2. Configure the login on the PC.
3. Log in to the switch.

Data Preparation
To complete the configuration, you need the terminal communication parameters (baud rate, data bits, parity, stop bits, and flow control).

Procedure

Step 1 Connect the serial port of the PC (or terminal) to the console port of the switch through a standard RS-232 cable. The local configuration environment is established.

Step 2 Run the terminal emulation program on the PC. Set the baud rate to 9600 bps, data bits to 8, stop bits to 1, parity to none, and flow control to none, as shown in Figure 1-2 to Figure 1-4.

Figure 1-2 New connection


Figure 1-3 Setting the port

Figure 1-4 Setting the port communication parameters


Step 3 Power on the switch. The switch performs a self-check and automatic configuration. When the self-check ends, press Enter until a command line prompt such as <Quidway> appears.

Enter a command to check the running status of the switch or to configure the switch.

Enter "?" for help.

----End

1.4.2 Example for Logging In Through Telnet
In this example, you configure user parameters so that you can log in to the switch from the PC or another terminal through Telnet.

Networking Requirements

A PC or other terminal on another network segment must be able to log in to the switch to perform remote maintenance.

Figure 1-5 Establishing the configuration environment through a WAN (PC connected through a Switch and an IP network to the Target Switch)

Configuration Roadmap

The configuration roadmap is as follows:

1. Establish the physical connection.
2. Configure the user login parameters.
3. Log in to the switch from the client side.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the PC
- IP address of the Ethernet interface on the switch
- User information for Telnet access (user name, password, and authentication mode)

Procedure

Step 1 Connect the PC and the switch to the network.


Step 2 Configure login user parameters on the target switch.

# Configure the login address.

<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type hybrid
[Quidway-GigabitEthernet1/0/0] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/0] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface vlanif 10
[Quidway-vlanif10] ip address 202.38.160.92 255.255.0.0
[Quidway-vlanif10] quit

# Configure the login authentication mode. VTY lines 0 to 4 use AAA, so every Telnet user must present a user name and password.

[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher hello
[Quidway-aaa] local-user huawei service-type telnet
[Quidway-aaa] local-user huawei level 3
[Quidway-aaa] quit
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa

NOTE

The user name huawei, the password hello, and user level 3 (the management level) are for illustration only. Choose a strong password, and give each login user the lowest level that covers the tasks the user must perform.

Step 3 Configure the client login.

Run the Telnet client on the PC, as shown in Figure 1-6.

Figure 1-6 Running the Telnet program on the PC

Click OK.

Enter the user name and password in the login window. After authentication succeeds, a command line prompt such as <Quidway> appears. You are now in the user view of the configuration environment.

NOTE
Before logging in to the switch, ensure that the PC and the switch can ping each other.

----End
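The Telnet example above accepts connections from any address and, because Telnet carries the user name, password and every command in cleartext, anyone on the path can read them. The following script is an added example and is not part of the Huawei guide: it parses the text of a saved VRP-style configuration (the user-interface vty views as they appear in the output of display current-configuration, with each view's commands indented by one space and a line containing only # closing the view) and flags the login settings a reviewer would reject, using the three authentication modes described in 1.1.2. The two configuration snippets inside it are constructed for illustration. The acl ... inbound, protocol inbound and idle-timeout commands are assumed to exist in the VTY view with the meanings shown, and the default of protocol inbound all is an assumption about the platform; check both against the command reference for your release.

```python
"""Audit the VTY (Telnet/SSH) login settings in a VRP-style configuration.

Added example, not from the Huawei guide. Parses the text of a saved
configuration and reports VTY settings a reviewer would reject.
"""
import re
from dataclasses import dataclass, field


@dataclass
class VtyBlock:
    """One `user-interface vty FIRST LAST` view and the commands under it."""
    first: int
    last: int
    commands: list = field(default_factory=list)


VTY_HEADER = re.compile(r"^user-interface vty (\d+)(?: (\d+))?$")


def parse_vty_blocks(config_text):
    """Return the VTY views in config_text, in the order they appear.

    VRP prints a view as a non-indented header line followed by its commands
    indented by one space; a line containing only '#' closes the view.
    """
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None
            continue
        header = VTY_HEADER.match(line)
        if header:
            first = int(header.group(1))
            last = int(header.group(2)) if header.group(2) else first
            current = VtyBlock(first, last)
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current.commands.append(line.strip())
        else:
            current = None  # a non-indented line starts some other view
    return blocks


def audit_vty(config_text):
    """Return a list of findings (empty when nothing is wrong)."""
    findings = []
    blocks = parse_vty_blocks(config_text)
    if not blocks:
        return ["no user-interface vty block found: the VTY lines keep their defaults"]
    for b in blocks:
        name = f"vty {b.first} {b.last}"
        cmds = b.commands
        auth = next((c.split()[1] for c in cmds
                     if c.startswith("authentication-mode ")), None)
        if auth is None:
            findings.append(f"{name}: no authentication-mode configured")
        elif auth == "none":
            findings.append(f"{name}: authentication-mode none lets anyone who can "
                            "reach the switch open a command line")
        elif auth == "password":
            findings.append(f"{name}: a shared line password gives no per-user "
                            "accountability; use authentication-mode aaa")
        if not any(re.match(r"^acl \d+ inbound$", c) for c in cmds):
            findings.append(f"{name}: no inbound ACL limits the source addresses "
                            "that may connect")
        # Assumption: without `protocol inbound`, the line accepts all protocols.
        proto = next((c.split()[2] for c in cmds
                      if c.startswith("protocol inbound ")), "all")
        if proto in ("all", "telnet"):
            findings.append(f"{name}: protocol inbound {proto} accepts cleartext "
                            "Telnet; restrict the line to ssh")
        if not any(c.startswith("idle-timeout ") for c in cmds):
            findings.append(f"{name}: no idle-timeout, so abandoned sessions stay open")
    return findings


# Constructed sample, modelled on the Telnet example above as it would be
# saved, but with the VTY line accepting logins without any authentication.
WEAK_CONFIG = """\
#
aaa
 local-user huawei password cipher hello
 local-user huawei service-type telnet
 local-user huawei level 3
#
user-interface vty 0 4
 authentication-mode none
#
"""

# Constructed sample: the same line limited to one management subnet,
# per-user AAA login, SSH only, and a five-minute idle timeout.
HARDENED_CONFIG = """\
#
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
 rule 10 deny
#
aaa
 local-user admin password cipher Str0ng-Passw0rd
 local-user admin service-type ssh
 local-user admin level 3
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
#
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_vty(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Because the switch saves every command in its complete form (see the NOTE in 2.1.1), the parser matches full keywords only; feed it the saved configuration rather than a transcript of abbreviated commands typed at the prompt.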


2 CLI Overview

About This Chapter

Users operate a device, that is, configure it and perform routine maintenance, by entering command lines.

2.1 CLI Introduction
The command line interface (CLI) is the common tool for running commands.

2.2 Online Help
When you enter command lines or configure services, online help offers real-time help in addition to the configuration guide.

2.3 Features of the Command Line Interface
You can edit command lines, display command lines, use regular expressions in command lines, and invoke historical commands.

2.4 Shortcut Keys
Using the system-defined or user-defined shortcut keys makes it easier to enter commands.

2.5 Configuration Examples
This section provides several examples for using command lines.


2.1 CLI Introduction
The command line interface (CLI) is the common tool for running commands.

2.1.1 Command Line Interface
You can configure and manage a switch by using the CLI commands.

When a prompt appears, you have entered the command line interface (CLI) and can interact with the switch through it.

The system provides a series of configuration commands. You can configure and manage the switch by entering commands on the CLI.

The characteristics of the CLI are as follows:

- Local configuration through the console port.
- Local or remote configuration through Telnet or Secure Shell (SSH).
- A user interface view for specific configuration management.
- Hierarchical command protection for users of different levels, that is, each user can run only the commands of the corresponding level.
- None authentication, password authentication and Authentication, Authorization and Accounting (AAA) to prevent unauthorized users from accessing the switch.
- Entering "?" for online help at any time.
- Network testing commands such as tracert and ping for rapidly diagnosing a network.
- Abundant debugging information to help in diagnosing the network.
- The telnet command for directly logging in to and managing other switches.
- FTP service for file uploading and downloading.
- Running a history command, like DosKey.
- A command line interpreter that provides intelligent command resolution methods such as keyword fuzzy match and context conjunction. These methods make it easy for users to enter their commands.

NOTE

- The system supports commands of up to 512 characters. The command can be incomplete.

- The system saves an incomplete command to the configuration file in its complete form; therefore, the saved command may have more than 512 characters. When the system is restarted, however, such an incomplete command cannot be restored. Therefore, pay attention to the length of the incomplete command.

2.1.2 Command Levels
The system adopts a hierarchical protection mode that has 16 command levels.

The default command levels are as follows:

- Level 0 (Visit level): Commands of this level include network diagnosis tool commands (such as ping and tracert) and commands that start from the local device and visit an external device (such as the Telnet client side).


- Level 1 (Monitoring level): Commands of this level, including the display commands, are used for system maintenance and fault diagnosis.

- Level 2 (Configuration level): Commands of this level are service configuration commands that provide direct network service to the user, including routing and network layer commands.

- Level 3 (Management level): Commands of this level influence the basic operation of the system and provide support to the services. They include file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, system internal parameter setting commands, and debugging commands that are used for fault diagnosis.

CAUTION
Not all display commands are of the monitoring level. For example, the display current-configuration and display saved-configuration commands are of the management level. For the level of a command, see the Quidway S9300 Command Reference.

To implement efficient management, you can increase the command levels in use to 0-15. For how to increase the command levels, refer to Chapter 4 "Basic Configuration", Configuring Command Levels, in the Quidway S9300 Configuration Guide - Basic Configurations.

NOTE

- The default command level may be higher than the command level defined according to the command rules in application.

- Login users have the same 16 levels as the command levels. A login user can use only the commands whose levels are equal to or lower than the user's own level. For details of login user levels, refer to User Management.

2.1.3 Command Views
The command line interface has different command views. All the commands must be registered in one or more command views. You can run a command only when you enter the corresponding command view.

Basic Concepts of Command Views

# Establish a connection with the switch. If the switch adopts the default configuration, you enter the user view with the prompt <Quidway>.

<Quidway>

# Type system-view to enter the system view.

<Quidway> system-view
[Quidway]

# Type aaa in the system view to enter the AAA view.

[Quidway] aaa
[Quidway-aaa]


NOTE

The prompt <Quidway> indicates the default switch name. The prompt <> indicates the user view and the prompt [] indicates other views.

Some commands that are implemented in the system view can also be implemented in the other views; however, the functions that can be implemented are command view-specific.

Common Views

The S9300 provides various command line views. For the methods of entering the command line views other than the following views, see the Quidway S9300 Command Reference.

- User View

  Function: Displays the running status and statistics of the S9300.
  Entry command: Enters the user view after the connection is set up.
  Prompt upon entry: <Quidway>
  Quit command: <Quidway> quit
  Prompt upon quit: None.

- System View

  Function: Sets the system parameters of the S9300, and enters other function views from this view.
  Entry command: <Quidway> system-view
  Prompt upon entry: [Quidway]
  Quit command: [Quidway] quit
  Prompt upon quit: <Quidway>

- Ethernet Interface View

  – Fast Ethernet (FE) interface view

    Function: Sets parameters related to FE interfaces of the S9300 and manages the FE interfaces.
    Entry command: [Quidway] interface ethernet X/Y/Z
    Prompt upon entry: [Quidway-EthernetX/Y/Z]
    Quit command: [Quidway-EthernetX/Y/Z] quit
    Prompt upon quit: [Quidway]

    NOTE
    X/Y/Z indicates the number of the FE interface to be configured. It is in the format of slot number/subcard number/interface sequence number.

  – GE interface view

    Function: Configures parameters related to the GE interfaces of the S9300 and manages the GE interfaces.
    Entry command: [Quidway] interface GigabitEthernet X/Y/Z
    Prompt upon entry: [Quidway-GigabitEthernetX/Y/Z]
    Quit command: [Quidway-GigabitEthernetX/Y/Z] quit
    Prompt upon quit: [Quidway]

    NOTE
    X/Y/Z indicates the number of the GE interface to be configured. It is in the format of slot number/subcard number/interface sequence number.

    If an LPU provides both GE interfaces and 10GE interfaces, the difference lies in the subcard where the 10GE interfaces reside. Generally, the sequence number of a 10GE interface is 1. If an LPU provides only 10GE interfaces, the method of entering the 10GE interface view is the same as the method of entering the GE interface view.

2.2 Online Help
When you enter command lines or configure services, online help offers real-time help in addition to the configuration guide.

Context

The command line of the S9300 provides three types of online help:

- Full help
- Partial help
- Error messages of the command line interface

2.2.1 Full Help
When you enter a command line, you can view the description of keywords or parameters in the command line through the full help.

Context
You can obtain the full help of the command line in the following ways.

Procedure
- Enter "?" in any command line view to display all the commands and their brief descriptions.

  <Quidway> ?

- Enter a command and "?" separated by a space. If a keyword is at this position, all keywords and their brief descriptions are displayed. For example:

  <Quidway> language-mode ?
  Chinese    Chinese environment
  English    English environment

  Chinese and English are keywords; Chinese environment and English environment describe the keywords respectively.

- Enter a command and "?" separated by a space. If a parameter is at this position, the related parameter names and parameter descriptions are displayed. For example:

  [Quidway] ftp timeout ?
  INTEGER<1-35791>  The value of FTP timeout (in minutes)
  [Quidway] ftp timeout 35 ?
  <cr>

  In the preceding display, INTEGER<1-35791> describes the parameter value; "The value of FTP timeout (in minutes)" is a brief description of the parameter usage; <cr> indicates that no parameter is at this position. The command is repeated on the next command line, and you can press Enter to run it.

----End

2.2.2 Partial Help
When you enter a command line, you can obtain prompts on the keywords or parameters that begin with the entered string through the partial help.

Context
You can obtain the partial help of the command line in the following ways.

Procedure
- Enter a character string with "?" immediately following it to display all commands that begin with this character string.

  <Quidway> d?
  debugging  delete  dir  display


- Enter a command and a character string with "?" immediately following it to display all the keywords that begin with this character string.

  <Quidway> display b?
  bfd  bgp  bpdu  bpdu-tunnel  buffer  bulk-stat

- Enter the first several letters of a keyword in the command and then press Tab to display the complete keyword, on the condition that the letters uniquely identify the keyword. Otherwise, continue to press Tab and the different matching keywords are displayed in turn; you can select the one you need.

----End

2.2.3 Error Messages of the Command Line Interface
If an entered command passes the syntax check, the system executes it. Otherwise, the system prompts an error message.

All the commands entered by the user are run if they pass the syntax check. Otherwise, error messages are reported to the user. See Table 2-1 for the common error messages.

Table 2-1 Common error messages of the command line

Error message            Cause of the error
Unrecognized command     The command cannot be found.
                         The keyword cannot be found.
Wrong parameter          Parameter type error.
                         The parameter value exceeds the limit.
Incomplete command       Incomplete command entered.
Too many parameters      Too many parameters entered.
Ambiguous command        Indefinite parameters entered.

2.3 Features of Command Line Interface
You can edit command lines, display command lines, use the regular expression for command lines, and invoke historical commands.

2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using certain keys.

The command line supports multi-line editing. The maximum length of each command is 512 characters.

Keys for editing that are often used are shown in Table 2-2.


Table 2-2 Keys for editing

Key: Common key
Function: Inserts a character at the current position of the cursor if the editing buffer is not full, and the cursor moves to the right. Otherwise, an alarm is generated.

Key: Backspace
Function: Deletes the character on the left of the cursor, and the cursor moves to the left. When the cursor reaches the head of the command, an alarm is generated.

Key: Left cursor key ← or Ctrl_B
Function: Moves the cursor to the left by the space of a character. When the cursor reaches the head of the command, an alarm is generated.

Key: Right cursor key → or Ctrl_F
Function: Moves the cursor to the right by the space of a character. When the cursor reaches the end of the command, an alarm is generated.

Key: Tab
Function: Press Tab after typing an incomplete keyword and the system runs the partial help:
- If the matching keyword is unique, the system replaces the typed one with the complete keyword and displays it on a new line with the cursor one space behind.
- If there are several matches or no match at all, the system displays the prefix first. Then you can press Tab to view the matching keywords one by one. In this case, the cursor immediately follows the end of the word and you can type a space to enter the next word.
- If a wrong keyword is entered, press Tab and the word is displayed on a new line.

2.3.2 Displaying
All command lines have the same displaying feature. You can construct the displaying mode as required.

You can control the display of information on the CLI as follows:

- Display prompt and help information in both Chinese and English.

- When the information displayed exceeds a full screen, the pause function is provided. In this case, the user has three choices, as shown in Table 2-3.

Table 2-3 Keys for displaying

Key      Function
Ctrl_C   Stops the display and running of the command.
         NOTE: You can also press any key except the spacebar and Enter to stop the display and running of the command.
Space    Continues to display the information on the next screen.
Enter    Continues to display the information on the next line.

2.3.3 Regular Expressions
The regular expression is a pattern matching tool. You can construct a matching pattern based on certain rules, and then match the pattern against the target object.

The regular expression is an expression that describes a set of strings. It consists of common characters (such as letters from "a" to "z") and particular characters (also named metacharacters). The regular expression is a template according to which you can search for the required string.

A regular expression can provide the following functions:
- Searching for and obtaining a sub-string that matches a rule in the string.
- Substituting a string according to a certain matching rule.

Formal Language Theory of the Regular Expression
The regular expression consists of common characters and particular characters.

- Common characters
  Common characters are used to match themselves in a string, including all upper-case and lower-case letters, digits, punctuation marks, and special symbols. For example, a matches the letter "a" in "abc", 202 matches the digits "202" in "202.113.25.155", and @ matches the symbol "@" in "[email protected]".

- Particular characters
  Particular characters are used together with common characters to match complex or particular string combinations. Table 2-4 describes the particular characters and their syntax.

Table 2-4 Description of particular characters

Particular character: \
  Syntax: Defines an escape character, which is used to mark the next character (common or particular) as a common character.
  Example: \* matches "*".

Particular character: ^
  Syntax: Matches the starting position of the string.
  Example: ^10 matches "10.10.10.1" instead of "20.10.10.1".

Particular character: $
  Syntax: Matches the ending position of the string.
  Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".

Particular character: *
  Syntax: Matches the preceding element zero or more times.
  Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".

Particular character: +
  Syntax: Matches the preceding element one or more times.
  Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".

Particular character: ?
  Syntax: Matches the preceding element zero or one time.
  Example: 10? matches "1" and "10". (10)? matches "null" and "10".

Particular character: .
  Syntax: Matches any single character.
  Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".

Particular character: ()
  Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression should be matched.
  Example: 100(200)+ matches "100200" and "100200200".

Particular character: x|y
  Syntax: Matches x or y.
  Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234", "14", "1224", and "1334".

Particular character: [xyz]
  Syntax: Matches any single character in the regular expression.
  Example: [123] matches the character 2 in "255".

Particular character: [^xyz]
  Syntax: Matches any character that is not contained within the brackets.
  Example: [^123] matches any character except for "1", "2", and "3".

Particular character: [a-z]
  Syntax: Matches any character within the specified range.
  Example: [0-9] matches any character ranging from 0 to 9.

Particular character: [^a-z]
  Syntax: Matches any character beyond the specified range.
  Example: [^0-9] matches all non-numeric characters.

Particular character: _
  Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", or right parenthesis ")"; matches the starting position of the input string; matches the ending position of the input string; matches a space.
  Example: _2008_ matches "2008", " 2008 ", " 2008", "2008 " (the quotes show the surrounding spaces), ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".


NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

- Degeneration of particular characters
  Certain particular characters, when placed at the following positions in the regular expression, degenerate to common characters.
  – A particular character following "\" is escaped and matches the particular character itself.
  – The particular characters "*", "+", and "?" placed at the starting position of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
  – The particular character "^" placed at any position except for the start of the regular expression. For example, abc^ matches "abc^".
  – The particular character "$" placed at any position except for the end of the regular expression. For example, 12$2 matches "12$2".
  – A right bracket such as ")" or "]" that is not paired with its corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".

NOTE

Unless otherwise specified, the degeneration rules also apply when the preceding regular expressions serve as subexpressions within parentheses.

- Combination of common and particular characters
  In actual application, a regular expression combines multiple common and particular characters to match certain strings.

Specifying a Filtering Mode in a Command

CAUTION
The Quidway S9300 uses a regular expression to implement the filtering function of the pipe character. A display command supports the pipe character only when there is excessive output information. When the output information is queried according to the filtering conditions, the first line of the command output starts with the information containing the regular expression.

The command can carry the parameter | count to display the number of matching entries. The parameter | count can be used together with other parameters.

For the commands supporting regular expressions, the three filtering methods are as follows:

- | begin regular-expression: displays the information beginning with the line that matches the regular expression.

- | exclude regular-expression: displays the information that excludes the lines matching the regular expression.

- | include regular-expression: displays only the lines that match the regular expression.

NOTE

The value of regular-expression is a string of 1 to 255 characters.


Specifying a Filtering Mode when Information is Displayed

When a lot of information is displayed, you can specify a filtering mode at the prompt "---- More ----".

- /regular-expression: displays the information beginning with the line that matches the regular expression.

- -regular-expression: displays the information that excludes the lines matching the regular expression.

- +regular-expression: displays only the lines that match the regular expression.
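Table 2-4, the degeneration rules and the filtering modes above describe a regular expression dialect that differs from POSIX in a few places (the "_" character, a leading "*", "+" or "?", a misplaced "^" or "$", and unpaired brackets). As an added example, not from this guide, the following Python code translates such an expression into Python re syntax and uses it to emulate | begin, | include, | exclude and | count over display output; the sample routing-table lines are constructed for the example.

```python
import re
from typing import List

# Constructed sample display output, shaped like the routing table shown in
# section 2.5.3 of this guide; the addresses are made up for the example.
SAMPLE_OUTPUT = [
    "Routing Tables: Public",
    "Destination/Mask    Proto   Pre  Cost  NextHop       Interface",
    "10.1.1.1/32         Direct  0    0     127.0.0.1     InLoopBack0",
    "44.0.0.0/24         Direct  0    0     44.0.0.1      Vlanif44",
    "127.0.0.0/8         Direct  0    0     127.0.0.1     InLoopBack0",
    "192.168.0.0/16      Direct  0    0     192.168.32.9  Ethernet0/0/0",
]


def translate_huawei_regex(pattern: str) -> str:
    """Rewrite an S9300-style regular expression into Python `re` syntax.

    Rules from Table 2-4 and the degeneration list of section 2.3.3:
    "_" matches "," "{" "}" "(" ")" a space or the string start/end;
    "*" "+" "?" are literal at the start of the expression or of a group;
    "^" is an anchor only at the start of the expression or of a group;
    "$" is an anchor only at the end of the expression or of a group;
    ")" and "]" are literal when unpaired; "\\" makes the next char literal.
    Bracket expressions such as [^0-9] are copied unchanged.
    """
    out: List[str] = []
    depth = 0                       # number of currently open "(" groups
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        after_open = depth > 0 and pattern[i - 1] == "("
        before_close = depth > 0 and i + 1 < n and pattern[i + 1] == ")"
        if c == "\\":
            out.append(re.escape(pattern[i + 1]) if i + 1 < n else r"\\")
            i += 2
            continue
        if c == "_":
            out.append(r"(?:[,{}() ]|^|$)")
        elif c in "*+?" and (i == 0 or after_open):
            out.append(re.escape(c))        # degenerated to a common character
        elif c == "^" and not (i == 0 or after_open):
            out.append(r"\^")
        elif c == "$" and not (i == n - 1 or before_close):
            out.append(r"\$")
        elif c == "(":
            depth += 1
            out.append(c)
        elif c == ")":
            if depth == 0:
                out.append(r"\)")           # unpaired: literal
            else:
                depth -= 1
                out.append(c)
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                out.append(r"\[")           # unpaired: literal
            else:
                out.append(pattern[i:j + 1])
                i = j + 1
                continue
        elif c == "]":
            out.append(r"\]")               # unpaired: literal
        else:
            out.append(c)
        i += 1
    return "".join(out)


def matches(pattern: str, text: str) -> bool:
    """True when the S9300-style pattern matches somewhere in text."""
    return re.search(translate_huawei_regex(pattern), text) is not None


def filter_output(lines: List[str], mode: str, pattern: str) -> List[str]:
    """Emulate `| begin`, `| include` and `| exclude` on display output."""
    rx = re.compile(translate_huawei_regex(pattern))
    if mode == "begin":                 # from the first matching line onwards
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError(f"unknown filtering mode: {mode}")


def count_matches(lines: List[str], pattern: str) -> int:
    """Emulate `| count`: the number of output lines matching the expression."""
    return len(filter_output(lines, "include", pattern))
```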

2.3.4 History Commands
The command line interface provides a function similar to DosKey, which automatically saves historical commands. You can invoke the historical commands saved on the command line interface at any time and run them again.

By default, the system saves at most 10 history commands for each user. The operations are shown in Table 2-5.

Table 2-5 Access the history commands

Action: Display the history commands.
Key or Command: display history-command
Result: Displays the history commands entered by users.

Action: Access the last history command.
Key or Command: Up cursor key ↑ or Ctrl_P
Result: Displays the last history command if there is an earlier history command. Otherwise, a bell is generated.

Action: Access the next history command.
Key or Command: Down cursor key ↓ or Ctrl_N
Result: Displays the next history command if there is a later history command. Otherwise, the command is cleared and a bell is generated.

NOTE

On the HyperTerminal of Windows 9X, the cursor key ↑ is invalid because the HyperTerminal of Windows 9X defines the keys differently. In this case, you can replace the cursor key ↑ with Ctrl_P.

When you use the history commands, note the following:

- The saved history commands are the same as those entered by users. For example, if the user enters an incomplete command, the saved command is also incomplete.

- If the user runs the same command several times, only the earliest command is saved. If the command is entered in different forms, the entries are considered as different commands.

  For example, if the display ip routing-table command is run several times, only one history command is saved. If the disp ip routing command and the display ip routing-table command are run, two history commands are saved.


2.3.5 Batch Command Execution
By running pre-defined command lines in batches, you can simplify the operation of entering common commands and improve efficiency.

Context
Log in to the switch from the client and do as follows:

Procedure

Step 1 Run the batch-cmd edit command to edit the commands to be run in batches.

The batch-cmd edit command can be used by only one user at a time.

The maximum length of a command (including an incomplete command) to be entered is 512 characters.

When editing commands, press Enter to complete the editing of each command.

NOTE

After the batch-cmd edit command is run to successfully edit the commands to be executed in batches, the system deletes the original commands to be run in batches.

The commands that have been edited are saved in memory and are deleted permanently when the system is restarted.

Step 2 After all commands are edited, press the shortcut keys Ctrl+Z to exit the editing state and return to the user view.

Step 3 Run the batch-cmd execute command to execute the commands in batches.

The batch-cmd execute command can be used by only one user at a time.

The commands are run in the same sequence as they were edited.

----End

2.4 Shortcut Keys
Using the system or user-defined shortcut keys makes it easier to enter commands.

2.4.1 Classifying Shortcut Keys
There are two types of shortcut keys, namely, system shortcut keys and user-defined shortcut keys. Familiarize yourself with shortcut keys so as to use them accurately.

The shortcut keys in the system are classified into the following types:

- User-oriented and user-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can associate these shortcut keys with any commands. When a shortcut key is pressed, the system automatically runs the corresponding command. For details of defining the shortcut keys, see 2.4.2 Defining Shortcut Keys.

- System-defined shortcut keys: These shortcut keys with fixed functions are defined by the system. Table 2-6 lists the system-defined shortcut keys.


NOTE

Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may be different from those listed in this section.

Table 2-6 System-defined shortcut keys

Key Function

CTRL_A The cursor moves to the beginning of the current line.

CTRL_B The cursor moves to the left by the space of a character.

CTRL_C Terminates the running function.

CTRL_D Deletes the character where the cursor lies.

CTRL_E The cursor moves to the end of the current line.

CTRL_F The cursor moves to the right by the space of a character.

CTRL_H Deletes one character on the left of the cursor.

CTRL_K Stops the creation of the outbound connection.

CTRL_N Displays the next command in the history command buffer.

CTRL_P Displays the previous command in the history command buffer.

CTRL_R Repeats the display of the information of the current line.

CTRL_T Terminates the outbound connection.

CTRL_V Pastes the contents on the clipboard.

CTRL_W Deletes a character string or character on the left of the cursor.

CTRL_X Deletes all the characters on the left of the cursor.

CTRL_Y Deletes all the characters on the right of the cursor.

CTRL_Z Returns to the user view.

CTRL_] Terminates the inbound or redirection connections.

ESC_B The cursor moves to the left by the space of a word.

ESC_D Deletes a word on the right of the cursor.

ESC_F The cursor moves to the right to the end of next word.

ESC_N The cursor moves downward to the next line.

ESC_P The cursor moves upward to the previous line.

ESC_SHIFT_< Sets the position of the cursor to the beginning of the content to be pasted into the clipboard.

ESC_SHIFT_> Sets the position of the cursor to the end of the content to be pasted into the clipboard.


2.4.2 Defining Shortcut Keys
Only management-level users have the rights to define shortcut keys.

NOTE

When defining the shortcut keys, enclose the command in double quotation marks if it contains several command words, that is, if spaces exist in the command.

Configure as follows in the system view.

Action: Define shortcut keys
Command: hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commands respectively:

- CTRL_G: display current-configuration
- CTRL_L: display ip routing-table
- CTRL_O: undo debugging all

The default commands of the other shortcut keys are null.

2.4.3 Use of Shortcut Keys
You can use the shortcut key at any position that allows a command to be entered. The system executes an entered shortcut key and displays the corresponding command on the screen in the same way as when you enter a complete command.

- If you have typed part of a command and have not pressed Enter, you can press the shortcut keys to clear the entered command and display the full corresponding command. This operation has the same effect as deleting all the entered text and then re-entering the complete command.

- The shortcut keys are run as commands; the syntax is recorded in the command buffer and in the log for fault location and querying.

NOTE

The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcut keys of the terminal conflict with those of the switch, the input shortcut keys are captured by the terminal program and hence the shortcut keys do not function.

Run the following command in any view to display the use of shortcut keys.

Action: Check the usage of shortcut keys.
Command: display hotkey

2.5 Configuration Examples
This section provides several examples for using command lines.


2.5.1 Example for Running Commands in Batches
This part provides an example for running commands in batches. In this example, by editing the commands to be run in batches, you configure the system to automatically run the commands in batches.

Context
Log in to the switch and do as follows:

Procedure

Step 1 Edit the display users, display startup, and display clock commands to be run in batches.

<Quidway> batch-cmd edit
Info: Begin editing batch commands. Press CTRL+Z to abort this session.
display users
display startup
display clock
<Quidway>

Step 2 Run the commands in batches.

<Quidway> batch-cmd execute
<Quidway>batch-cmd execute command: display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0    00:00:00
  Username : Unspecified
<Quidway>batch-cmd execute command: display startup
MainBoard:
  Configured startup system software:        cfcard:/s9300v100r006c02b118.cc
  Startup system software:                   cfcard:/s9300v100r006c02b118.cc
  Next startup system software:              cfcard:/s9300v100r006c02b118.cc
  Startup saved-configuration file:          cfcard:/vrpcfg.zip
  Next startup saved-configuration file:     cfcard:/vrpcfg.zip
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
<Quidway>batch-cmd execute command: display clock
2009-11-23 14:27:20-08:00
Monday
Time Zone(China Standard Time) : UTC-08:00
<Quidway>batch-cmd execute finished.

----End

2.5.2 Example for Using the Tab Key
You can obtain prompts on keywords or check whether the entered keywords are correct by pressing Tab.

Procedurel If only one keyword contains the incomplete keyword,

Quidway S9300 Terabit Routing SwitchConfiguration Guide - Basic Configuration 2 CLI Overview

Issue 01 (2011-10-26) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

26

Page 39: Configuration Guide - Basic Configuration(V100R006C01_01)

do as follows on the S9300.1. Enter an incomplete keyword.

[Quidway] info-2. Press Tab.

The system replaces the incomplete keyword with a complete keyword and displaysthe complete keyword in another line. There is only one space between the cursor andthe end of the keyword.

[Quidway] info-centerl If more than one keyword contains the incomplete keyword,

do as follows on the S9300.

# The keyword info-center can be followed by the following keywords.

[Quidway] info-center log?logbuffer logfileloghost1. Enter an incomplete keyword.

[Quidway] info-center l2. Press Tab.

The system displays the prefix of all the matched keywords. The prefix in this exampleis log.

[Quidway] info-center log3. Continue to press Tab to display all the keywords. There is no space between the

cursor and the end of the keywords.[Quidway] info-center loghost[Quidway] info-center logbuffer[Quidway] info-center logfile

Stop pressing Tab when you find the required keyword logfile.4. Enter a space and enter the next keyword channel.

[Quidway] info-center logfile channel

----End
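The Tab behaviour just described (unique match completes with one space, several matches show the shared prefix and then cycle) as an added Python model; this is not code from the guide or from the switch, and the keyword table is a constructed subset of the keywords that may follow info-center.

```python
"""Model of the Tab-key completion rules in 2.5.2 (added example, not Huawei code)."""
from os.path import commonprefix
from typing import List, Tuple

# Constructed keyword table for the example; order is the order the switch
# cycles through. The real command tree is much larger.
INFO_CENTER_KEYWORDS = ["loghost", "logbuffer", "logfile", "channel", "enable"]


def matching_keywords(keywords: List[str], partial: str) -> List[str]:
    """All registered keywords that start with the incomplete keyword."""
    return [k for k in keywords if k.startswith(partial)]


def press_tab(keywords: List[str], partial: str) -> Tuple[str, bool]:
    """First Tab press on an incomplete keyword.

    Returns (text_on_line, completed):
      - exactly one match: the full keyword plus one trailing space (True);
      - several matches: the prefix shared by all of them, no space (False);
      - no match: the input unchanged (False).
    """
    matches = matching_keywords(keywords, partial)
    if not matches:
        return partial, False
    if len(matches) == 1:
        return matches[0] + " ", True
    return commonprefix(matches), False


def cycle_tab(keywords: List[str], partial: str, presses: int) -> str:
    """Keyword shown after `presses` further Tab presses on an ambiguous prefix.

    The switch cycles through every matched keyword in turn, with no space
    between the cursor and the end of the keyword, and wraps around.
    """
    matches = matching_keywords(keywords, partial)
    if len(matches) < 2:
        raise ValueError("cycling only applies when several keywords match")
    if presses < 1:
        raise ValueError("presses must be >= 1")
    return matches[(presses - 1) % len(matches)]


if __name__ == "__main__":
    # Single match: "info-" completes to "info-center" followed by one space.
    print(press_tab(["info-center", "interface"], "info-"))
    # Several matches: "l" expands to the shared prefix "log", then cycles.
    print(press_tab(INFO_CENTER_KEYWORDS, "l"))
    for n in range(1, 5):
        print(n, cycle_tab(INFO_CENTER_KEYWORDS, "l", n))
```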

2.5.3 Example for Defining Hotkeys

If the login switch is defined with shortcut keys, the shortcut keys can be used by any user regardless of the user level.

Procedure

Step 1 Define the hotkey CTRL_U on the S9300 and assign the display ip routing-table command to the hotkey. Then, run the command.

<Quidway> system-view
[Quidway] hotkey ctrl_u "display ip routing-table"

Step 2 Type Ctrl+U following [Quidway] to display the display ip routing-table command.

[Quidway] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface

        1.1.1.1/32  Direct  0    0      D     127.0.0.1       InLoopBack0
       10.1.1.1/32  Direct  0    0      D     127.0.0.1       InLoopBack0
       44.0.0.0/24  Direct  0    0      D     44.0.0.1        Vlanif44
       44.0.0.1/32  Direct  0    0      D     127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0      D     127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0      D     127.0.0.1       InLoopBack0
    192.168.0.0/16  Direct  0    0      D     192.168.32.9    Ethernet0/0/0
   192.168.32.9/32  Direct  0    0      D     127.0.0.1       InLoopBack0

----End

2.5.4 Example for Copying a Command by Using Hotkeys

You can copy commands by using shortcut keys in any view.

Procedure

Step 1 Enter a command in any view on the S9300. Move the cursor to the beginning of the command, and then press ESC_SHIFT_<. Move the cursor to the end of the command, and then press ESC_SHIFT_>. Then, the contents are written to the clipboard.

<Quidway> display ip routing-table

Step 2 After the command is copied, run the display clipboard command to view the contents of the clipboard.

<Quidway> display clipboard
---------------- CLIPBOARD-----------------
display ip routing-table

Step 3 Press CTRL_SHIFT_V to paste the contents of the clipboard in any view.

<Quidway> display ip routing-table

----End


3 How to Use Interfaces

About This Chapter

This chapter describes the concept of the interface and the basic configuration about the interface.

3.1 Introduction to Interfaces
This section describes different types of interfaces. The interfaces are provided by the S9300 to receive and send data.

3.2 Setting Basic Parameters of an Interface
This section describes how to set the basic parameters of an interface.

3.3 Configuring the Loopback Interface
This section describes how to configure the loopback interface.

3.4 Maintaining the Interface
This section describes how to maintain the interface.


3.1 Introduction to Interfaces

This section describes different types of interfaces. The interfaces are provided by the S9300 to receive and send data.

Interfaces are classified into management interfaces and service interfaces based on their functions; interfaces are classified into physical interfaces and logical interfaces based on their physical forms.

NOTE

A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called interfaces in this document.

Management Interface

Management interfaces are used to manage and configure a device. You can log in to the S9300 through a management interface to configure and manage the S9300. Management interfaces do not transmit service data.

The S9300 provides the following management interfaces:

- Console interface

- Eth interface

Table 3-1 Description of management interfaces

Name                Usage

Console interface   It is connected to the COM port of a configuration terminal and used to set up an onsite configuration environment.

Eth interface       The Eth interface is connected to the network interface of a configuration terminal or network management workstation to establish the configuration environment onsite or remotely.

The S9300 series consists of three models: S9303, S9306, and S9312. The console interface and Eth interface are on the main control board.

The following table shows the rule for numbering management interfaces.

Table 3-2 Management interface numbers

Name                Number

Console interface   Console 0

Eth interface       Ethernet 0/0/0


Classification of Service Interfaces

Service interfaces are used to transmit service data. They are classified into 100 Mbit/s interfaces, 1 Gbit/s interfaces and 10 Gbit/s interfaces according to their rates; they are classified into electrical interfaces and optical interfaces according to their electrical properties.

On the S9300, all the service interfaces are located on the Line Processing Units (LPUs).

The rules for numbering service interfaces are as follows:

The interfaces of the S9300 are numbered in the format slot ID/subcard ID/interface sequence number when the stacking function is disabled.

After the stacking function is enabled, interfaces are numbered in the format frame ID/slot ID/subcard ID/interface sequence number.

- Frame ID: indicates the ID of a switch in a stack system. The value is 1 or 2.
- Slot ID: indicates the ID of the slot where an LPU is located.
- Subcard ID: indicates the ID of a subcard. The value is 0.
- Interface sequence number: indicates the sequence number of an interface on an LPU.

Table 3-3 Service interface numbering rule

Interface Row No.   Figure of Interface Numbering                                Description

1                   [figure: one row of interfaces, 0 1 2 ... from left to right]   The leftmost interface is numbered 1, and the other interfaces are numbered in ascending order from left to right.

2                   [figure: two rows of interfaces, numbered 0, 1, 2, 3, 4, 5, ...]   The LPU has two rows of interfaces with the upper-left interface numbered 0. The other interfaces are numbered in ascending order from top to bottom, and then from left to right.

For example: If an LPU is installed in slot 3 of the S9300, the fifth interface on the LPU from bottom to top and from left to right is numbered GE 3/0/4. If the stacking function is enabled and the frame ID of the S9300 is 1, the interface is numbered Ethernet 1/3/0/4.
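The numbering rules above, turned into a parser and panel-position mapper as an added example (not Huawei code). Assumptions: the interface-type token is any run of letters and is not checked against the real type list, and renumbering for a stack keeps the type token unchanged.

```python
"""Parse and validate S9300 service-interface numbers (added example, not Huawei code)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Type token (letters/hyphen), optional space, then 3 or more "/"-separated numbers.
_IFNAME = re.compile(r"^(?P<type>[A-Za-z-]+)\s*(?P<nums>\d+(?:/\d+)+)$")


@dataclass(frozen=True)
class InterfaceNumber:
    if_type: str
    frame: Optional[int]  # None when the stacking function is disabled
    slot: int
    subcard: int
    port: int  # interface sequence number on the LPU

    def __str__(self) -> str:
        nums = [self.slot, self.subcard, self.port]
        if self.frame is not None:
            nums.insert(0, self.frame)
        return f"{self.if_type} " + "/".join(str(n) for n in nums)


def parse_interface(name: str, stacking_enabled: bool) -> InterfaceNumber:
    """Split "GE 3/0/4" or "Ethernet 1/3/0/4" into its fields and check them.

    Without stacking the format is slot/subcard/port; with stacking a frame ID
    (1 or 2) is prepended. The subcard ID is always 0 on the S9300.
    """
    m = _IFNAME.match(name.strip())
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    parts = [int(p) for p in m.group("nums").split("/")]
    expected = 4 if stacking_enabled else 3
    if len(parts) != expected:
        raise ValueError(f"{name!r}: expected {expected} numeric fields, got {len(parts)}")
    frame: Optional[int] = None
    if stacking_enabled:
        frame = parts.pop(0)
        if frame not in (1, 2):
            raise ValueError(f"{name!r}: frame ID must be 1 or 2")
    slot, subcard, port = parts
    if subcard != 0:
        raise ValueError(f"{name!r}: subcard ID must be 0")
    return InterfaceNumber(m.group("type"), frame, slot, subcard, port)


def panel_position(port: int, rows: int) -> Tuple[int, int]:
    """(row, column) of an interface on the LPU front panel, both 0-based.

    One row: numbers run left to right. Two rows: numbers run top to bottom
    first, then left to right, so the upper row holds the even numbers.
    """
    if rows not in (1, 2):
        raise ValueError("an LPU has one or two rows of interfaces")
    if port < 0:
        raise ValueError("interface sequence number must be >= 0")
    return port % rows, port // rows


def to_stacked(ifn: InterfaceNumber, frame: int) -> InterfaceNumber:
    """Renumber a non-stacked interface for a stack whose frame ID is `frame`."""
    if ifn.frame is not None:
        raise ValueError("interface already carries a frame ID")
    if frame not in (1, 2):
        raise ValueError("frame ID must be 1 or 2")
    return InterfaceNumber(ifn.if_type, frame, ifn.slot, ifn.subcard, ifn.port)


if __name__ == "__main__":
    ge = parse_interface("GE 3/0/4", stacking_enabled=False)
    print(ge, "-> panel row/column on a two-row LPU:", panel_position(ge.port, 2))
    print("same interface once stacking is enabled with frame ID 1:", to_stacked(ge, 1))
```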

Physical Interfaces

Physical interfaces are interfaces that actually exist on the S9300.

Physical interfaces include management interfaces and service interfaces.

The S9300 supports the following physical interfaces:

- Console interface
- Eth interface
- POS interface
- EPON interface
- Fast Ethernet interface
- Gigabit Ethernet interface
- 10 Gigabit Ethernet interface

Physical interfaces are located on the main control board and LPUs of the S9300.

Logical Interfaces

Logical interfaces do not exist physically and are set up by configuration.

The S9300 supports the following logical interfaces:

- Eth-Trunk
  The Eth-Trunk consists of Ethernet links only. The Eth-Trunk technique has the following advantages:
  – Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all member interfaces.
  – Improved reliability: When a link fails, traffic is automatically switched to other available links. This ensures link reliability.
  For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.

- IP-Trunk
  The IP-Trunk consists of POS links only. The IP-Trunk technique has the following advantages:
  – Increased bandwidth: The bandwidth of an IP-Trunk is the total bandwidth of all member interfaces.
  – Improved reliability: When a link fails, traffic is automatically switched to other available links. This ensures link reliability.
  For details about the IP-Trunk configuration, see "Configuring an IP-Trunk Interface" in the Quidway S9300 Terabit Routing Switch Configuration Guide - WAN.

- Loopback interface
  A loopback interface is a virtual interface. The TCP/IP protocol suite defines IP address 127.0.0.0 as a loopback address. When the system starts, it automatically creates an interface using the loopback address 127.0.0.1 to receive all data packets sent to the local device.
  Some applications such as mutual access between virtual private networks need a local interface with a specified IP address without affecting the configuration of physical interfaces. This IP address has a 32-bit mask (to save IP addresses) and can be advertised by routing protocols.
  The status of a loopback interface is always Up; therefore, the IP address of the loopback interface can be used as the router ID, the label switching router (LSR) ID, or be bound to a tunnel.
  For details, see 3.3 Configuring the Loopback Interface.

- Null interface
  Null interfaces are similar to null devices supported by certain operating systems. Any data packets sent to a null interface are discarded. Null interfaces are used for route selection and policy-based routing (PBR). For example, if a packet matches no route during route selection, the packet is sent to the null interface.

- Tunnel interface
  A tunnel interface can be used as the backup interface of other interfaces and used to set up Generic Routing Encapsulation (GRE) tunnels or Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) tunnels.
  For details about the configuration, see "Configuring the Tunnel Interface" in the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Service.

- MTunnel interface
  An MTunnel interface (MTI) is the ingress or egress of a multicast tunnel (MT). The local provider edge (PE) sends data of the private network through the MTI, and the remote PE receives data of the private network through the MTI.
  For details about the configuration, see "Configuring the MTI" in the Quidway S9300 Terabit Routing Switch Configuration Guide - Multicast.

- Sub-interface
  The sub-interface provides a way of creating multiple logical interfaces or network interconnections on a physical interface. Several logical interfaces are associated with a physical interface and use the same parameter values. The link-layer parameters and network-layer parameters of the logical interfaces are different. For the configuration of sub-interfaces, see "Configuring the sub-interface" in the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.

- VLANIF interface
  When the S9300 needs to communicate with devices at the network layer, you can create a logical interface of the Virtual Local Area Network (VLAN) on the S9300, namely, a VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF interfaces work at the network layer. The S9300 then communicates with devices at the network layer through VLANIF interfaces.
  For details about the configuration, see "Configuring the VLANIF Interface" in the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.

3.2 Setting Basic Parameters of an Interface

This section describes how to set the basic parameters of an interface.

3.2.1 Establishing the Configuration Task

Before configuring advanced functions of an interface such as the working mode and routes, you need to complete the basic configuration of the interface.

Applicable Environment

To facilitate the configuration and maintenance of an interface, the S9300 provides interface views. The commands related to the interface are valid only in the interface views.

The basic interface configurations include entering an interface view, configuring the interface description, enabling an interface, and disabling an interface.


Pre-configuration Tasks

Installing the LPU on the S9300

Data Preparation

To set parameters of an interface, you need the following data.

No.   Data

1     Type and number of the interface to be configured

2     Description of the interface

3.2.2 Entering the Interface View

To configure an interface, you need to enter the interface view.

Context

Do as follows on the S9300.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.

interface-type specifies the type of the interface and interface-number specifies the number of the interface.

----End

3.2.3 Viewing All the Commands in the Interface View

After entering the interface view, you can view all the commands in the interface view.

Context

Do as follows on the S9300.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.

Step 3 Run:
?

All the commands in the view of the specified interface are displayed.

----End

3.2.4 Configuring the Description for an Interface

The description configured for an interface on the S9300 helps you identify and memorize the usage of the interface, which facilitates management.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of a specified interface is displayed.

Step 3 Run:
description description

The description is configured for the interface.

----End

3.2.5 Starting and Shutting Down an Interface

When a physical interface is idle and is not connected to a cable, shut down this interface to protect the interface against interference. To use a shut-down interface, you need to start the interface.

Context

NOTE

- A null interface is always Up and cannot be shut down by command.

- A loopback interface is always Up and cannot be shut down by command.

Procedure

- Shutting down the interface

  Do as follows on the S9300.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     The view of a specified interface is displayed.

  3. Run:
     shutdown

     The interface is shut down.

     NOTE

     By default, an interface is enabled.

- Starting an interface

  Do as follows on the S9300.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     The view of a specified interface is displayed.

  3. Run:
     undo shutdown

     The interface is started.

----End

3.2.6 Further Configuring an Interface

After configuring basic parameters, configure the interface as required.

Context

When you access a network through an interface, you need to set further parameters of the interface based on the networking requirements in addition to performing basic configurations on the interface.

Further configurations of an interface include:

- Configuring the operation mode of an interface
- Configuring routes

For the detailed configuration, see the other configuration manuals of the S9300, in particular the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet and the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Routing.

3.2.7 Checking the Configuration

After completing the basic configuration of an interface, you can use the display commands to check the configuration.


Procedure

Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running status of the interface and the statistics on the interface.

Step 2 Run the display interface description command to check the brief information about the interface.

Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main configurations of the interface.

Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the brief state of the interface.

----End

3.3 Configuring the Loopback Interface

This section describes how to configure the loopback interface.

3.3.1 Establishing the Configuration Task

You can create or delete a loopback interface. Once created, the loopback interface remains in the Up state until you delete it.

Applicable Environment

Some applications such as mutual access between virtual private networks need a local interface with a specified IP address, configured without affecting the configuration of any physical interface. In this case, the IP address of the local interface needs to be advertised by routing protocols. Loopback interfaces are used to improve the reliability of the configuration.

Pre-configuration Tasks

Before configuring the loopback interface, complete the following task:

- Switching on the S9300

Data Preparation

To configure the loopback interface, you need the following data.

No.   Data

1     Number of the loopback interface

2     IP address of the loopback interface

3.3.2 Configuring IPv4 Parameters of the Loopback Interface

A loopback interface can be assigned an IPv4 address, bound to a VPN instance, and configured to check the source IPv4 addresses of packets.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface loopback interface-number

A loopback interface is created.

The value of interface-number ranges from 0 to 1023. A maximum of 1024 loopback interfaces can be created.

Step 3 (Optional) Run:
ip binding vpn-instance vpn-instance-name

The loopback interface is bound to the VPN instance.

Step 4 Run:
ip address ip-address { mask | mask-length } [ sub ]

An IPv4 address is assigned to the loopback interface.

Step 5 (Optional) Run:
ip verify source-address

The loopback interface is configured to check the source IPv4 addresses of packets.

----End
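A configuration check for the loopback rules stated in 3.1 and in the steps above (interface number 0 to 1023, a 32-bit mask on the address, VPN binding before the address as the procedure orders it), added here as an example that is not Huawei code. The configuration text is constructed, and the line syntax is assumed to follow the command forms shown in this guide.

```python
"""Audit loopback-interface views against the rules in 3.1 / 3.3.2 (added example, not Huawei code)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample configuration for the example (not output from a real device).
SAMPLE_CONFIG = """\
interface LoopBack0
 ip address 10.1.1.1 255.255.255.255
#
interface LoopBack1
 ip binding vpn-instance vpn-a
 ip address 10.1.1.2 32
#
interface LoopBack2
 ip address 10.1.1.3 255.255.255.0
#
interface LoopBack3
 ip address 10.1.1.4 32
 ip binding vpn-instance vpn-b
#
interface LoopBack1024
 ip address 10.1.1.5 32
"""

# Line forms assumed from the command syntax in the guide.
_IF_RE = re.compile(r"^interface\s+loopback\s*(\d+)$", re.IGNORECASE)
_ADDR_RE = re.compile(r"^ip address (\S+) (\S+)(?: sub)?$")
_BIND_RE = re.compile(r"^ip binding vpn-instance (\S+)$")


def split_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the stripped lines of each loopback interface view under its name."""
    views: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":  # '#' ends a view in the running configuration
            current = None
            continue
        m = _IF_RE.match(line)
        if m:
            current = f"LoopBack{m.group(1)}"
            views[current] = []
        elif current is not None:
            views[current].append(line)
    return views


def mask_length(mask: str) -> int:
    """Accept either a prefix length ("32") or a dotted mask ("255.255.255.255")."""
    if mask.isdigit():
        return int(mask)
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def check_loopbacks(config: str) -> List[str]:
    """Return one finding per rule violation; an empty list means all is well."""
    findings: List[str] = []
    for name, lines in split_interfaces(config).items():
        number = int(name[len("LoopBack"):])
        if not 0 <= number <= 1023:
            findings.append(f"{name}: interface number must be 0-1023")
        bind_idx = addr_idx = None
        for idx, line in enumerate(lines):
            if _BIND_RE.match(line):
                bind_idx = idx
            m = _ADDR_RE.match(line)
            if m:
                addr_idx = idx
                if mask_length(m.group(2)) != 32:
                    findings.append(f"{name}: address {m.group(1)} does not use a 32-bit mask")
        if bind_idx is not None and addr_idx is not None and bind_idx > addr_idx:
            findings.append(f"{name}: VPN binding appears after the IP address; bind first, then assign the address")
    return findings


if __name__ == "__main__":
    for finding in check_loopbacks(SAMPLE_CONFIG):
        print(finding)
```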

3.3.3 Checking the Configuration

After configuring a loopback interface, run the following commands to check the configuration.

Procedure

Step 1 Run the display interface loopback [ number ] command to check the status of the loopback interface.

----End

3.4 Maintaining the Interface

This section describes how to maintain the interface.

3.4.1 Clearing Statistics Information on the Interface

The statistics on the interface cannot be restored after you clear them. So, confirm the action before you use the command.


Procedure

Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user view to clear the statistics on the interface.

----End

3.4.2 Debugging the Interface

When an interface works abnormally, you can debug the interface.

Context

CAUTION

Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.

For the description about debugging commands, see the Quidway S9300 Terabit Routing Switch Debugging Reference.

For details about debugging commands on an interface, see the following chapters.


4 Basic Configuration

About This Chapter

This chapter describes how to configure the basic system environment and the basic userenvironment.

4.1 Basic Configuration Introduction
This section describes the meaning and scope of the basic configuration.

4.2 Configuring the Basic System Environment
This section describes how to configure the basic system environment according to user habits or the requirements of the actual environment.

4.3 Configuring Basic User Environment
This section describes the configuration of the basic user environment for user level switching.

4.4 Displaying System Status Messages
This section describes the display commands that are used for displaying basic system configurations.


4.1 Basic Configuration Introduction

This section describes the meaning and scope of the basic configuration.

Before configuring services, users often need to perform basic configurations for actual operation and maintenance.

The S9300 provides configurations of two kinds of basic environments:

- Basic system environment: includes the language mode, host name, system name, system time, header text, and command level for the actual environment.

- Basic user environment: includes the password for changing levels and the terminal lock.

4.2 Configuring the Basic System Environment

This section describes how to configure the basic system environment according to user habits or the requirements of the actual environment.

4.2.1 Establishing the Configuration Task

Before configuring the basic system environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Before configuring the services, you need to configure the basic system environment to meet the requirements of the actual environment.

By default, the S9300 supports commands of Level 0 to Level 3, namely, visit level, monitoring level, configuration level, and management level.

If the user needs to define more levels, or refine management privileges on the device, the user can extend the range of command line levels from Level 0 to Level 3 to Level 0 to Level 15.

Pre-configuration Tasks

Before configuring the basic system environment, complete the following task:

- Powering on the switch

Data Preparation

To configure the basic system environment, you need the following data.

No.   Data

1     Language mode

2     System time

3     Host name

4     Login information

5     Command level

4.2.2 Switching the Language Mode

You can switch between the Chinese mode and the English mode as required.

Context

Do as follows on the switch:

Procedure

Step 1 Run:
language-mode language-name

The language mode is switched.

By default, the English mode is used.

The help information on the switch can be in English and in Chinese. The language mode is stored in the system software and need not be loaded.

----End

4.2.3 Configuring the Equipment Name

You can change the equipment name as required. The new equipment name takes effect immediately.

Context

Do as follows on the switch:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sysname host-name

The equipment name is set.

You can change the name of the switch that appears in the command prompt.

By default, the host name of the switch is Quidway.

----End

4.2.4 Setting the System Clock

To ensure that devices on the network work with the same clock, you need to set or change the system clock.

Context

You need to set the system time properly to ensure the cooperation between the S9300 and other devices. The S9300 supports the configuration of the time zone and the daylight saving time.

NOTE

UTC indicates Coordinated Universal Time.

Do as follows on the switch:

Procedure

Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD

The current date and time are set.

Step 2 Run:
clock timezone time-zone-name { add | minus } offset

The time zone is set.

- If add is configured, the current time is the UTC time plus the time offset. That is, the default UTC time plus offset is equal to the time of time-zone-name.

- If minus is configured, the current time is the UTC time minus the time offset. That is, the default UTC time minus offset is equal to the time of time-zone-name.

Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

or

clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

The daylight saving time is set.

During the configuration of the daylight saving time, you can configure the start time and end time in one of the following modes: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.

NOTE

When the current time is within the daylight saving time, running the clock timezone time-zone-name { add | minus } offset command successfully sets the time zone name. If the display clock command is run at that moment, however, the time zone name is displayed as the name of the daylight saving time. After the daylight saving time ends, the configured time zone name is displayed.

----End
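The add/minus semantics of clock timezone, carried through as an added example (not Huawei code) so that a display clock or log timestamp from the switch can be lined up with UTC records from other systems. Assumptions: the offset argument is written HH:MM:SS, daylight saving time is not modelled, and local timestamps use the YYYY-MM-DD HH:MM:SS form shown in the display clock output earlier in this guide.

```python
"""Local-clock / UTC conversion per the clock timezone rules in 4.2.4 (added example, not Huawei code)."""
import re
from datetime import datetime, timedelta
from typing import Tuple

_FMT = "%Y-%m-%d %H:%M:%S"
# Offset format HH:MM:SS is an assumption of this example.
_TZ_RE = re.compile(
    r"^clock timezone (?P<name>\S+) (?P<dir>add|minus) "
    r"(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})$"
)


def parse_clock_timezone(command: str) -> Tuple[str, timedelta]:
    """Return (time-zone-name, local minus UTC) for a clock timezone command.

    add   => local time = UTC + offset
    minus => local time = UTC - offset
    """
    m = _TZ_RE.match(command.strip())
    if not m:
        raise ValueError(f"unrecognised command: {command!r}")
    offset = timedelta(hours=int(m["h"]), minutes=int(m["m"]), seconds=int(m["s"]))
    if offset >= timedelta(hours=24):
        raise ValueError("offset must be less than 24 hours")
    return m["name"], offset if m["dir"] == "add" else -offset


def local_to_utc(local_text: str, delta: timedelta) -> str:
    """Convert a switch-local 'YYYY-MM-DD HH:MM:SS' stamp to the same instant in UTC."""
    local = datetime.strptime(local_text, _FMT)
    return (local - delta).strftime(_FMT)


def utc_to_local(utc_text: str, delta: timedelta) -> str:
    """Inverse of local_to_utc: render a UTC stamp as the switch's local time."""
    utc = datetime.strptime(utc_text, _FMT)
    return (utc + delta).strftime(_FMT)


def display_clock_suffix(delta: timedelta) -> str:
    """The UTC+HH:MM / UTC-HH:MM label that display clock appends to the zone name."""
    total = int(delta.total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return f"UTC{sign}{total // 3600:02d}:{(total % 3600) // 60:02d}"


if __name__ == "__main__":
    name, delta = parse_clock_timezone("clock timezone BJ add 08:00:00")
    print(name, display_clock_suffix(delta))
    # A local stamp such as the one display clock printed earlier, converted to UTC.
    print("2009-11-23 14:27:20 local ->", local_to_utc("2009-11-23 14:27:20", delta), "UTC")
```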

4.2.5 Configuring a Header

If you need to provide information for login users, you can configure a header that the system displays during login or after login.

Context

Do as follows on the switch:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
header login { information text | file file-name }

The header displayed during login is set.

Run:
header shell { information text | file file-name }

The header displayed after login is set.

A header is a system prompt displayed when a user logs in to the switch or starts interactive configuration with the switch. The header provides detailed instructions.

NOTE

- If a user logs in to the switch by using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.

- If a user logs in to the switch by using SSH2.0, both login and shell headers are displayed.

----End

4.2.6 Configuring Command Levels

By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights management is required, you can divide commands into 16 levels, that is, from Level 0 to Level 15.

Context

If the user does not adjust a command level separately, after the command level is updated, all originally-registered command lines adjust automatically according to the following rules:

- The commands of Level 0 and Level 1 remain unchanged.


- The commands of Level 2 are updated to Level 10 and those of Level 3 are updated to Level 15.

- No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust command lines to these levels separately to refine the management of privileges.

NOTE

The update of command Level 2 to Level 10 and Level 3 to Level 15 is not a two-step process but a single batch operation.

Do as follows on the switch:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
command-privilege level rearrange

The command levels are updated in batch.

When no password is configured for a Level 15 user, the system prompts the user to set a super-password for the Level 15 user. At the same time, the system asks whether the user wants to continue updating the command line levels. Select "N" to set a password first. If you select "Y", the command levels are updated in batch directly; as a result, users who do not log in through the Console port cannot switch to the updated level.

Step 3 Run:
command-privilege level level view view-name command-key

The command level is configured. With this command, you can specify the level and view of multiple commands at one time (command-key).

All commands have default command views and levels. You need not reconfigure them.

----End

4.2.7 Configuring the Undo Command to Match in the Previous View Automatically

You can run the undo command in the current view and thus the system automatically matches the previous view.

Context

If the user allows the undo command to automatically match the previous view and the user runs an undo command that is not registered in the current view, the system searches for the undo command in the previous view.

The undo command has disadvantages due to automatic matching. For example, when the user runs the undo ospf command in the interface view where the command is not registered, the system searches the system view automatically. This may lead to global deletion of the OSPF feature.


NOTE

- By default, the undo command does not automatically match the upper-level view.

- The matched upper-level view command is valid for the current login users who run this command.

- It is not recommended that you configure the undo command to automatically match the upper-level view unless necessary.

Do as follows on the switch:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:matched upper-view

The undo command is configured to match the upper level view.

By default, the undo command does not match the previous view automatically.

----End

4.3 Configuring Basic User Environment

This section describes the configuration of the basic user environment for user level switching.

4.3.1 Establishing the Configuration Task

Before configuring the basic user environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

A user can log in to a switch at a lower level to perform simple configurations or view configurations. When the configuration is complicated, the user needs to switch to a higher level. The basic environment for switching levels must therefore be configured.

Pre-configuration Tasks

Before configuring the basic environment for the user, complete the following task:

- Powering on the switch properly

Data Preparation

To configure the basic environment for the user, you need the following data:

No. | Data
1 | Password for user level switching


4.3.2 Configuring the Password for Switching User Levels

Passwords need to be set for users who switch from lower levels to higher levels.

Context

When users log in to the switch at a lower user level, they switch to a higher user level to perform advanced operations by entering the corresponding password. The password needs to be configured in advance.

CAUTION

When simple is used, the password is saved in the configuration file in plain text. Login users of a lower level can obtain the password by viewing the configuration, which may cause security problems. Therefore, cipher is used to save the password in encrypted text. If the password is set in cipher mode, it cannot be recovered from the system. Keep a record of the password so that it is not forgotten or lost.

Do as follows on the switch:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:super password [ level user-level ] { simple | cipher } password

The password for switching user levels is configured.

----End

4.3.3 Switching User Levels

You need to enter the configured password when switching from a lower level to a higher level.

Context

The correct password must be entered when the user switches from a lower level to a higher level.

Do as follows on the switch:

Procedure

Step 1 Run:super [ level ]


User levels are switched.

Step 2 Follow the prompt and enter a password.

If the password entered is correct, the user switches to the higher level. If the user enters the password incorrectly three consecutive times, the user remains at the current login level and returns to the user view.

NOTE

When a login user of a lower level switches to a higher level through the super command, the system automatically sends trap messages and records the switchover in a log. When the level switched to is lower than the current level, the system only records the switchover in a log.

----End

4.3.4 Locking User Interfaces

You can enter the configured password to unlock a locked user interface.

Context

When you leave the operation terminal for a moment, you can lock the user interface to prevent unauthorized users from operating it.

Do as follows on the switch:

Procedure

Step 1 Run:lock

The user interface is locked.

Step 2 Follow the system prompt and enter an unlock password, and then confirm it.

<Quidway> lock
Enter Password:
Confirm Password:

If the locking is successful, the system prompts that the user interface is locked.

You must enter a correct password to unlock the user interface.

----End

4.4 Displaying System Status Messages

This section describes the display commands that are used for displaying basic system configurations.

Context

You can use the display commands to collect information about the system status. The display commands are classified according to the following functions:

- Displays system configurations.
- Displays the running status of the system.
- Displays the diagnostic information about the system.
- Displays the restart information about the main control board.

See the related sections for the display commands for protocols and interfaces. The following only shows the system display commands.

Run the following commands in any view.

4.4.1 Displaying System Configuration

You can view information about the system version, system time, original configuration, and current configuration.

Prerequisite

Basic configuration is complete.

Procedure

- Run the display version command to display the system version.
- Run the display clock command to display the system time.
- Run the display saved-configuration command to display the original configuration.
- Run the display current-configuration command to display the current configuration.

----End

4.4.2 Displaying System Status

You can view the configuration of the current view.

Prerequisite

Basic configuration is complete.

Procedure

- Run the display this command to display the configuration of the current view.

----End

4.4.3 Collecting System Diagnostic Information

You can view the system diagnostic information.

Context

Basic configuration is complete.

Procedure

Step 1 Run:display diagnostic-information [ file-name ]

The system diagnostic information is displayed.


When the system fails or routine maintenance is performed, you need to collect a lot of information to locate faults, which means running many different display commands. In this case, you can use the display diagnostic-information command to collect all information about the modules currently running in the system.

The display diagnostic-information command collects all the information that would be collected by running the following commands: display clock, display version, display cpu-usage, display interface, display current-configuration, display saved-configuration, display history-command, and so on.

----End


5 User Management

About This Chapter

This chapter describes user interfaces and the configuration of users' login.

5.1 User Management Introduction

This section describes basic concepts of user interfaces and user management.

5.2 Logging In to the S9300 Through the Console Port

This section describes how to log in to the S9300 through the console port.

5.3 Configuring Console User Interface

You can configure the console user interface so as to maintain a switch on the local device.

5.4 Configuring VTY User Interface

You can configure the VTY user interface to maintain a remote switch.

5.5 Managing User Interfaces

You need to configure user management to ensure that the operator manages switches safely.

5.6 Configuring User Management

Through user management, you can create users for switches, set user passwords, and manage users.

5.7 Configuration Examples

This section provides examples for configuring users to log in to a switch in different modes. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.


5.1 User Management Introduction

This section describes basic concepts of user interfaces and user management.

5.1.1 User Interface

A user interface (UI) enables users to log in to the S9300. Through a user interface, you can configure the parameters of all physical and logical interfaces that work in asynchronous, interactive mode. In this manner, you can manage, authenticate, and authorize login users.

Types of User Interfaces

Table 5-1 describes the types of user interfaces supported by the S9300.

Table 5-1 Types of user interfaces

Type | Purpose | Description
CON | Local login through the console interface | A serial line interface conforming to the EIA/TIA-232 standard. The interface type is DCE. Each main control board provides a console interface.
VTY | Local or remote login through Telnet or SSH | A virtual interface that represents a logical terminal line. When you log in to the S9300 through Telnet, FTP, or SSH, a VTY connection is set up.

Numbering of User Interfaces

You can number a user interface in the following ways:

- Relative numbering

  Relative numbering numbers the interfaces of the same type. A relative number uniquely specifies a user interface of a specified type.

  The format of the relative numbering is: user interface type + number. It must comply with the following rules:

  – Number of the CON interface: console0

  – Default numbers of the VTY interfaces: vty0, vty1, vty2, vty3, and vty4

- Absolute numbering

  The S9300 uniquely specifies the default numbers 0 and 34 to 38 for the CON and VTY user interfaces. You can enter a specific user interface view by entering any of these numbers.

- Mapping between relative numbering and absolute numbering

  Figure 5-1 shows the mapping between relative and absolute numbering of a user interface.


Figure 5-1 Numbering of user interfaces on the S9300

Type of interface | Relative numbering | Absolute numbering
CON | console0 | 0
VTY | vty0 | 34
VTY | vty1 | 35
VTY | vty2 | 36
VTY | vty3 | 37
VTY | vty4 | 38
... | ... | ...

In the figure, console0 and 0 indicate the same user interface; vty1 and 35 indicate the same user interface.

NOTE

On the S9300, the absolute number can be 0 or 34 to 48.

5.1.2 User Authentication

When a user logs in to the S9300, the S9300 authenticates the user according to the configuration to ensure system security.

When the S9300 is switched on for the first time, no authentication information for login is available in the system. In this case, you can log in to the S9300 through the console interface without being authenticated.

If a user logs in to the S9300 through Telnet on an Ethernet interface, the login user must be authenticated for the sake of security. If the authentication succeeds, the user can log in to the S9300 to configure and maintain it.

To manage users that try to log in to the S9300, these users are assigned passwords and classified into different levels.

Classifying Login Users

Login users on the S9300 are classified according to service types and assigned rights, as shown in Table 5-2.

Table 5-2 Types of login users

User Type | Description | Authentication
Super users | Log in to the S9300 through the console interface and have all rights. | Not authenticated for the first login, but authentication is recommended afterwards
Telnet users | Log in to the S9300 through the Ethernet interface using Telnet and have limited rights. A Telnet connection is set up between the user terminal and the S9300. | Recommended
SSH users | Log in to the S9300 through the Ethernet interface using SSH and have limited rights. An SSH connection is set up between the user terminal and the S9300. | Recommended
FTP users | Log in to the S9300 through FTP on the Ethernet interface and have limited rights. An FTP connection is set up between the user terminal and the S9300. | Recommended

The rights obtained by users logging in to the S9300 through Telnet, SSH, and FTP depend on the priorities of the user interfaces through which they log in. The S9300 provides multiple services for a user. To ensure login convenience and security, login users must be classified and then assigned levels.

Priorities of Users

The system manages super users and Telnet users according to user levels.

Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

NOTE

If the user levels are not set, the four default user levels are used, namely, levels 0 to 3.

The level of the commands that a user can run is determined by the level of the user.

- In the case of non-authentication or password authentication, the level of the commands that the user can run depends on the level of the user interface.

- In the case of AAA authentication, the commands that the user can run depend on the level of the local user specified in the AAA configuration.

Users of a level can access the commands of this level or lower levels.

Assuming that user levels 0 to 3 are used in the system, users of level 2 can access commands of levels 0, 1, and 2, and users of level 3 can access commands at all levels.

Authenticating Login Users

After users are configured on the S9300, the system authenticates the users when they log in to the S9300. The S9300 provides three authentication modes, as shown in Table 5-3.


Table 5-3 Authentication modes of login users

Authentication Mode | Description
Non-authentication | Users can log in to the S9300 without entering a user name and password. There is a great potential security risk.
Password authentication | Users can log in to the S9300 by entering only the password. In this manner, security is ensured.
AAA authentication | Users need to enter both the user name and password to log in to the S9300. The S9300 then authenticates the users according to the configured user information. This further improves security. It applies to users logging in to the S9300 through the console interface and to Telnet users.

5.2 Logging In to the S9300 Through the Console Port

This section describes how to log in to the S9300 through the console port.

5.2.1 Establishing the Configuration Task

Applicable Environment

You need to log in to the S9300 through the console interface, as shown in Figure 5-2. In the figure, Switch is an S9300.

Figure 5-2 Logging in to the S9300 through the console interface

[Figure: a PC connected through an RS-232 serial interface to the console interface of the Switch]

NOTE

If the S9300 is switched on for the first time and you need to manage and configure the S9300, you can log in to the S9300 through the console interface only.

Pre-configuration Tasks

Before logging in to the S9300 through the console interface, complete the following tasks:

- Connecting the PC and the S9300 correctly
- Starting the S9300 normally

Data Preparation

None.


5.2.2 Logging In to the S9300 Through the Console Interface

Context

When setting up a local configuration environment through the console interface, you can connect the PC and the S9300 by using the Windows HyperTerminal.

Procedure

Step 1 Enable the HyperTerminal on the PC.

Choose Start > All Programs > Accessories > Communications > HyperTerminal to start the HyperTerminal.

Step 2 Set up a new connection.

As shown in Figure 5-3, enter the name of the new connection in the Name text box and choose an icon. Click OK.

Figure 5-3 Setting up a new connection

Step 3 Set the connection port.

In the Connect window shown in Figure 5-4, select a serial port from the Connect drop-down list box according to the port used by the PC or the configuration terminal. Select COM1 in this case, and click OK.


Figure 5-4 Setting the connection port

Step 4 Set communication parameters.

In the COM1 Properties window shown in Figure 5-5, set the communication parameters according to the description in Table 5-4.

NOTE

In other Windows operating systems, Bits per second may be described as Baud rate, and Flow control may be described as Traffic control.


Figure 5-5 Setting communication parameters for the port

Table 5-4 Communication parameters

Parameter | Value
Bits per second (Baud rate) | 9600
Data bits | 8
Parity check | None
Stop bits | 1
Flow control (Traffic control) | None

Step 5 After the HyperTerminal is started, choose File > Attributes to enter the Connect Properties window shown in Figure 5-6. Choose the Setting tab and select Auto detect or VT100 from the Emulation drop-down list box. Click OK to complete the setting.


Figure 5-6 Selecting a terminal type

After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, you have logged in to the S9300. You can now enter commands to configure and manage the S9300.

----End

5.3 Configuring Console User Interface

You can configure the console user interface so as to maintain a switch on the local device.

5.3.1 Establishing the Configuration Task

Before configuring a console interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

A console user interface is required for maintaining the local switch.

Pre-configuration Tasks

Before configuring a console interface, complete the following tasks:


- Powering on the switch
- Connecting a PC to the switch

Data Preparation

To configure a console interface, you need the following data.

No. | Data
1 | Baud rate, flow-control mode, parity, stop bit, and data bit
2 | Idle timeout period, number of lines displayed on a terminal screen, number of characters in each line displayed on a terminal screen, and the size of the history command buffer
3 | User priority
4 | User authentication method, user name, and password

NOTE

All the configuration items of the switch, excluding the user name and password, have default values and do not need to be configured additionally.

5.3.2 Configuring Console Interface Attributes

You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console port.

Context

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:user-interface console interface-number

The console user interface view is displayed.

Step 3 (Optional) Run:speed speed-value

The baud rate is set.

By default, the baud rate is 9600 bit/s.

Step 4 (Optional) Run:flow-control { hardware | none | software }


The flow control mode is set. By default, the flow-control mode is none.

Step 5 (Optional) Run:parity { even | mark | none | odd | space }

The parity mode is set.

By default, the value is none.

Step 6 (Optional) Run:stopbits { 1.5 | 1 | 2 }

The stop bit is set.

By default, the value is 1 bit.

Step 7 (Optional) Run:databits { 5 | 6 | 7 | 8 }

The data bit is set.

By default, the data bit is 8.

NOTE

When the user logs in to a switch through a console port, the console port attributes configured on the HyperTerminal must match the attributes of the interface on the switch. Otherwise, the user cannot log in to the switch.

----End

5.3.3 Setting Console Terminal Attributes

You can configure the timeout period for idle users, the maximum number of lines displayed on each screen, the maximum number of characters in each line, and the size of the history command buffer for the console interface.

Context

Do as follows on the switch to which a user logs in:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:user-interface console interface-number

The console interface view is displayed.

Step 3 Run:shell

The terminal service is started.

Step 4 Run:idle-timeout minutes [ seconds ]


The timeout period for idle users is set.

By default, the timeout period for idle users is 10 minutes.

Step 5 Run:screen-length screen-length

The number of lines to be displayed on each screen is set.

By default, a terminal displays 24 lines on each screen.

You can run the screen-length screen-length temporary command to specify the number of lines that a terminal displays on each screen.

Step 6 Run:screen-width screen-width

The maximum number of characters in each line displayed on a terminal screen is set.

By default, each line displayed on a terminal screen has a maximum of 80 characters.

Step 7 Run:history-command max-size size-value

The buffer of the history command is set.

By default, the history command buffer on a user interface can cache a maximum of 10 commands.

----End

5.3.4 Configuring User Priority

You can set the priority for a user who logs in through the console port.

Context

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:user-interface console interface-number

The console user interface view is displayed.

Step 3 Run:user privilege level level

The priority of the user is set.

This procedure sets the priority for a user who logs in through the console port. A user can use only the commands of the level corresponding to the user level.


For more information about the command priority, see "Command Level" in Chapter 3 "CLI Overview".

----End

5.3.5 Configuring User Authentication

The system provides three authentication modes, namely, AAA, password, and none.

Procedure

- Configuring AAA Authentication

  1. Run: system-view

     The system view is displayed.

  2. Run: user-interface console interface-number

     The console user interface view is displayed.

  3. Run: authentication-mode aaa

     The authentication mode is set to AAA.

  4. Run: quit

     The console user interface view is exited.

  5. Run: aaa

     The AAA view is displayed.

  6. Run: local-user user-name password { simple | cipher } password

     The name and password of the local user are created.

- Configuring Password Authentication

  1. Run: system-view

     The system view is displayed.

  2. Run: user-interface console interface-number

     The console user interface view is displayed.

  3. Run: authentication-mode password

     The authentication mode is set to password authentication.

  4. Run: set authentication password { cipher | simple } password

     A password for authentication is set.

- Configuring Non-Authentication

  1. Run: system-view

     The system view is displayed.

  2. Run: user-interface console interface-number

     The console user interface view is displayed.

  3. Run: authentication-mode none

     The authentication mode is set to non-authentication.

----End
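The CAUTION in 4.3.2 and the { simple | cipher } keyword shared by the super password, local-user ... password and set authentication password commands above all point at the same check a reviewer of a saved configuration wants: which passwords are stored in plain text. The following Python script is an added example, not code from this guide or from Huawei. It scans a constructed configuration fragment (the ****** values stand in for whatever encrypted string the device stores for a cipher password) and reports each command that uses simple, redacting the password value so that the report does not leak what the configuration file already leaks.

```python
import re

# Constructed sample of a VRP-style configuration fragment (not captured from a
# real device). Command syntax follows the super password, local-user and
# set authentication password commands in this guide; "******" stands in for
# whatever encrypted string the device stores for a cipher password.
SAMPLE_CONFIG = """\
#
 super password level 3 simple Huawei123
 super password level 15 cipher ******
#
aaa
 local-user admin password simple admin123
 local-user ops password cipher ******
#
user-interface console 0
 authentication-mode password
 set authentication password simple console1
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher ******
#
"""

# One pattern per command that accepts { simple | cipher }; the password value
# itself is matched as a single non-blank token.
PASSWORD_COMMANDS = [
    re.compile(r"^\s*super password(?: level \d+)? (?P<mode>simple|cipher) \S+"),
    re.compile(r"^\s*local-user \S+ password (?P<mode>simple|cipher) \S+"),
    re.compile(r"^\s*set authentication password (?P<mode>simple|cipher) \S+"),
]


def find_plaintext_passwords(config_text):
    """Return (line_number, redacted_command) for every password stored with 'simple'.

    The trailing password value is replaced by <redacted> so the audit report
    can be shared without re-leaking the secret.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for pattern in PASSWORD_COMMANDS:
            match = pattern.match(line)
            if match and match.group("mode") == "simple":
                command = line.strip().rsplit(" ", 1)[0]
                findings.append((lineno, command + " <redacted>"))
                break
    return findings


def cipher_rewrite(line):
    """Rewrite a 'simple' command into the 'cipher' form the operator should re-enter."""
    return re.sub(r"\bsimple\b", "cipher", line, count=1)


if __name__ == "__main__":
    for lineno, command in find_plaintext_passwords(SAMPLE_CONFIG):
        print(f"line {lineno}: {command}")
```

cipher_rewrite gives the command to re-enter for each finding: as the example in 5.4.2 shows, the cipher keyword accepts the password in plain text when typed and the device saves only the encrypted form.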

5.3.6 Checking the Configuration

After configuring the console user interface, you can view the usage information of the user interface, the physical attributes and configuration of the user interface, the local user list, and online users.

Prerequisite

The configurations of the User Management function are complete.

Procedure

- Run the display users [ all ] command to check information about the user interface.
- Run the display user-interface console ui-number1 [ summary ] command to check the physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check online users.

----End

5.4 Configuring VTY User Interface

You can configure the VTY user interface to maintain a remote switch.

5.4.1 Establishing the Configuration Task

Before configuring a VTY interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If you want to log in to the switch using Telnet or SSH to perform management or configuration operations, a VTY interface is required.


Pre-configuration Tasks

Before configuring a VTY user interface, complete the following tasks:

- Powering on the switch
- Connecting a PC to the switch correctly

Data Preparation

To configure a VTY user interface, you need the following data.

No. | Data
1 | Maximum number of VTY user interfaces
2 | (Optional) Number of the ACL for limiting incoming and outgoing calls of users logging in through VTY user interfaces
3 | Timeout period for idle users, maximum number of lines to be displayed on each screen, maximum number of characters in each line, and the size of the history command buffer
4 | User authentication mode, user name, and password

5.4.2 Configuring Maximum VTY User Interfaces

You can configure the maximum number of VTY user interfaces through which users log in to a switch.

Context

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:user-interface maximum-vty number

The maximum number of VTY user interfaces that can log in to the switch is set.

NOTE

When the maximum number of VTY user interfaces is set to zero, no user, including the NMS user, can log in to the switch.

If the maximum number of VTY user interfaces to be configured is smaller than the current maximum number of interfaces, no other parameters need to be configured.


If the maximum number of VTY user interfaces to be configured is larger than the current maximum number of interfaces, the authentication mode and password need to be configured for the newly added user interfaces.

For newly added user interfaces, the system applies password authentication by default.

For example, a maximum of five users are allowed online. To allow 15 VTY users online at the same time, you need to run the authentication-mode command and the set authentication password command to configure authentication modes and passwords for user interfaces VTY 5 to VTY 14. The commands are run as follows:

<Quidway> system-view
[Quidway] user-interface maximum-vty 15
[Quidway] user-interface vty 5 14
[Quidway-ui-vty5-14] authentication-mode password
[Quidway-ui-vty5-14] set authentication password cipher huawei

----End

5.4.3 (Optional) Configuring Limits for Incoming Calls and Outgoing Calls

You can set the limit on incoming and outgoing calls for VTY user interfaces.

Context

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:acl acl-number { inbound | outbound }

The limits to calling in/out of VTY are configured.

When you need to prevent a user at a certain address or network segment from logging in to the switch, use the inbound keyword; when you need to prevent a user who has logged in to the switch from accessing other switches, use the outbound keyword.

----End
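The numbering rules in 5.1.1, the risk stated for non-authentication in Table 5-3, the point in 5.4.2 that VTYs added by raising user-interface maximum-vty need an authentication mode and a password, and the inbound ACL of 5.4.3 can all be checked from a saved configuration. The Python audit below is an added example, not code from this guide or from Huawei. It parses the user-interface blocks of a constructed configuration fragment, maps each VTY range to its absolute numbers (vty0 is 34, as in Figure 5-1), and reports VTYs with authentication-mode none, VTYs in password mode with no password set, VTYs without an inbound ACL, and VTYs below the configured maximum that have no explicit block at all. The ACL number 2001 and the idle-timeout values in the sample are assumptions.

```python
import re

# Constructed VRP-style configuration fragment (not captured from a real device)
# that mixes hardened and weak VTY settings so the audit has something to report.
# ACL 2001 and the idle-timeout values are assumed for the sample.
SAMPLE_CONFIG = """\
#
user-interface maximum-vty 15
#
user-interface console 0
 authentication-mode aaa
 idle-timeout 10 0
#
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
 idle-timeout 5 0
#
user-interface vty 5 9
 authentication-mode none
#
user-interface vty 10 12
 authentication-mode password
#
"""

VTY_ABSOLUTE_BASE = 34   # vty0 is absolute number 34 on the S9300 (Figure 5-1)
VTY_ABSOLUTE_MAX = 48    # absolute numbers are 0 (console) and 34 to 48


def absolute_number(ui_type, relative):
    """Map a relative user-interface number (console0, vtyN) to its absolute number."""
    if ui_type == "console" and relative == 0:
        return 0
    if ui_type == "vty" and VTY_ABSOLUTE_BASE + relative <= VTY_ABSOLUTE_MAX:
        return VTY_ABSOLUTE_BASE + relative
    raise ValueError(f"no absolute number for {ui_type}{relative}")


def parse_user_interfaces(config_text):
    """Group the lines of each user-interface block under its (type, first, last) range.

    Returns the blocks dict and the configured maximum-vty value (None if absent).
    """
    blocks, maximum_vty, current = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        max_match = re.match(r"user-interface maximum-vty (\d+)$", line)
        ui_match = re.match(r"user-interface (console|vty) (\d+)(?: (\d+))?$", line)
        if max_match:
            maximum_vty, current = int(max_match.group(1)), None
        elif ui_match:
            first = int(ui_match.group(2))
            last = int(ui_match.group(3)) if ui_match.group(3) else first
            current = (ui_match.group(1), first, last)
            blocks[current] = []
        elif line == "#":                 # '#' closes the current block
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks, maximum_vty


def audit_vty(config_text):
    """Return (block_label, issue) findings for the VTY user interfaces in a config."""
    blocks, maximum_vty = parse_user_interfaces(config_text)
    findings, covered = [], set()
    for (ui_type, first, last), lines in blocks.items():
        if ui_type != "vty":
            continue
        label = (f"vty{first}-{last} (absolute "
                 f"{absolute_number('vty', first)}-{absolute_number('vty', last)})")
        covered.update(range(first, last + 1))
        mode = next((l.split()[1] for l in lines if l.startswith("authentication-mode ")), None)
        if mode == "none":
            findings.append((label, "authentication-mode none: users log in with no user name or password"))
        elif mode == "password" and not any(l.startswith("set authentication password ") for l in lines):
            findings.append((label, "password authentication selected but no password set"))
        if not any(re.match(r"acl \d+ inbound$", l) for l in lines):
            findings.append((label, "no inbound ACL: logins accepted from any source address"))
    if maximum_vty is not None:
        # VTYs below maximum-vty with no block of their own fall back to the
        # default password mode without a password (see 5.4.2).
        missing = sorted(set(range(maximum_vty)) - covered)
        if missing:
            findings.append((f"maximum-vty {maximum_vty}",
                             f"VTYs {missing} have no explicit authentication configuration"))
    return findings


if __name__ == "__main__":
    for label, issue in audit_vty(SAMPLE_CONFIG):
        print(f"{label}: {issue}")
```

The block parser treats a line consisting of # as the end of a block, which is how display current-configuration separates sections; the absolute numbers in each label are the ones display users reports, so findings can be matched against the live sessions listed there.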

5.4.4 Configuring VTY Terminal Attributes

You can configure the timeout period for idle users, the maximum number of lines to be displayed on each screen, the maximum number of characters in each line, and the size of the history command buffer for a VTY interface.

Quidway S9300 Terabit Routing SwitchConfiguration Guide - Basic Configuration 5 User Management


Context

Do as follows on the switch:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface vty number1 [ number2 ]

The VTY interface view is displayed.

Step 3 Run:

shell

Terminal services are enabled.

Step 4 Run:

idle-timeout minutes [ seconds ]

The timeout period for idle users is set.

Step 5 Run:

screen-length screen-length

The maximum number of lines to be displayed on each screen is set.

By default, a maximum of 24 lines are displayed on each screen.

You can run the screen-length screen-length temporary command to specify the maximum number of lines to be temporarily displayed on each terminal screen.

Step 6 Run:

screen-width screen-width

The maximum number of characters in each line displayed on a terminal screen is set.

By default, each line displayed on a terminal screen has a maximum of 80 characters.

Step 7 Run:

history-command max-size size-value

The size of the history command buffer is set.

By default, the history command buffer on a user interface can cache a maximum of 10 commands.

----End

5.4.5 Configuring User Authentication

The system provides three authentication modes, namely, AAA, password, and none.

Context

The switch supports user authentication of three types:


- AAA authentication: requires the user name and password.

- Password authentication: requires no user name, but a password must be set. Otherwise, the user can log in to the switch only through the console interface.

- None: requires neither user name nor password. No authentication is needed when the user logs in to the switch.

Procedure

- Configuring AAA Authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

3. Run:

authentication-mode aaa

The authentication mode is set to AAA.

4. Run:

quit

Exit from the VTY user interface view.

5. Run:

aaa

The AAA view is displayed.

6. Run:

local-user user-name password { simple | cipher } password

The name and password of the local user are created.

- Configuring Password Authentication

1. Run:

system-view

The system view is displayed.

2. Run:

user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

3. Run:

authentication-mode password

The authentication mode is set to password.

4. Run:

set authentication password { cipher | simple } password

A password for this authentication mode is set.

- Configuring Non-Authentication

1. Do as follows on the switch. Run:


system-view

The system view is displayed.

2. Run:

user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

3. Run:

authentication-mode none

The authentication mode is set to none.

----End

5.4.6 Checking the Configuration

After configuring the VTY user interface, you can view the usage information of the user interface, the maximum number of VTY user interfaces, and the physical attributes and configurations of the user interface.

Prerequisite

The configuration of the VTY user interface is complete.

Procedure

- Run the display users [ all ] command to check the usage information of the user interface.

- Run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.

- Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of the user interface.

----End

5.5 Managing User Interfaces

You need to configure user management to ensure that the operator manages switches safely.

5.5.1 Establishing the Configuration Task

Before configuring user management interfaces, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

To ensure that the operator manages switches safely, you need to send messages between user interfaces and clear designated users.

Pre-configuration Tasks

Before managing the user interface, complete the following tasks:


- Powering on the switch

- Connecting the PC with the switch properly

Data Preparations

To manage the user interface, you need the following data:

No. Data

1 Type and number of the user interface

2 Contents of the message to be sent

5.5.2 Sending Messages to Other User Interfaces

You can configure messaging between user interfaces.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.

Step 2 Following the prompt, enter the message to be sent. Press Ctrl_Z or Enter to end, and press Ctrl_C to abort.

----End

5.5.3 Clearing Online Users

You can clear specified online users.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

free user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.

Step 2 On receiving the prompt, confirm whether the designated online users are to be cleared.

----End


5.5.4 Checking the Configuration

After configuring user management interfaces, you can view the usage information of user interfaces.

Prerequisite

The configuration of the user interfaces is complete.

Procedure

Step 1 Run the display users [ all ] command to check the usage information of the user interface.

----End

5.6 Configuring User Management

Through user management, you can create users for switches, set user passwords, and manage users.

5.6.1 Establishing the Configuration Task

Before configuring user management, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

After an IP address is assigned to the main control board or an interface board, any remote user can use Telnet to log in to the switch, or connect to the switch through PPP to access networks. This compromises security. To ensure network security and ease user management, configure a user name and password for the switch.

Pre-configuration Tasks

Before configuring a user, complete the following tasks:

- Powering on the switch

- Connecting the PC with the switch properly

Data Preparation

To configure a user, you need the following data.

No. Data

1 Authentication mode

2 User name and password

3 User priority


5.6.2 Configuring Authentication Mode

The system provides three authentication modes, namely, AAA local authentication, password authentication, and none authentication.

Context

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:

authentication-mode { aaa | password | none }

The user authentication mode is configured.

----End

5.6.3 Configuring Authentication Password

You can configure a plain-text or cipher-text password for authentication.

Context

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:

authentication-mode password

The authentication mode is set to Password.

Step 4 Run:

set authentication password { cipher | simple } password

The authentication password is configured.


NOTE

The default authentication mode is the password authentication.

----End

5.6.4 Setting Username and Password for AAA Local Authentication

You can configure a plain-text or cipher-text password for AAA local authentication.

Context

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:

authentication-mode aaa

The authentication mode is set to AAA.

Step 4 Run:

quit

Return to the system view.

Step 5 Run:

aaa

The AAA view is displayed.

Step 6 Run:

local-user user-name password { simple | cipher } password

The local username and the password are configured.

----End

5.6.5 Configuring Non-Authentication

You can configure users to log in to a switch without being authenticated.


Context

CAUTION

Configuring the non-authentication mode may compromise the security of the switch.

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:

authentication-mode none

The non-authentication mode is configured.

NOTE

- If the authentication mode is non-authentication or password authentication, the priority of the user interface determines the command level that the users can access.

- If the authentication mode requires the username and the password, the priority of the user determines the command level that the users can access.

----End

5.6.6 Configuring User Priority

You can configure the user priority.

Context

Refer to the Quidway S9300 Configuration Guide - Security.

5.6.7 Checking the Configuration

After configuring user management, you can view the usage information of user interfaces, the local user list, and online users.

Prerequisite

The configuration of user management is complete.

Procedure

- Run the display users [ all ] command to check the user information.


- Run the display local-user command to check the local user list.

- Run the display access-user command to check online users.

----End

5.7 Configuration Examples

This section provides examples for configuring users to log in to a switch in different modes. These configuration examples explain the networking requirements, configuration roadmap, and configuration notes.

Context

CAUTION

After the first and second configuration examples are complete, commands with priorities higher than 2 cannot be run if the current user is VTY0. Ensure that users can log in to the switch by other methods to delete the configurations.

5.7.1 Example for Configuring Logging In to the Switch Through Password

In this example, the VTY0 priority, authentication mode, and disconnection time are configured, which enables users to log in to the switch through a password.

Networking Requirements

The COM port of the PC is connected with the console port. Set the priority of VTY0 to 2 and authenticate users by password. Users need to enter the password Huawei to log in successfully.

After login, if no operation is performed for 30 minutes, the user interface is disconnected from the switch.

Configuration Roadmap

The configuration roadmap is as follows:

1. Enter the user interface, and configure the priority of VTY0 as 2.

2. Configure the simple authentication and the disconnect time.

Data Preparation

To complete the configuration, you need the following data:

- The password of the authentication mode

- The disconnect time


Procedure

Step 1 Configure the priority of VTY0 to be 2 on the switch.

<Quidway> system-view
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2

Step 2 Configure the password and the disconnect time.

[Quidway-ui-vty0] authentication-mode password
[Quidway-ui-vty0] set authentication password simple huawei
[Quidway-ui-vty0] idle-timeout 30

----End

Configuration Files

#
 sysname Quidway
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
#
user-interface vty 0
 user privilege level 2
 set authentication password simple huawei
 idle-timeout 30
#
return

5.7.2 Example for Logging In to the Device Through AAA

In this example, the VTY0 priority and disconnection time are configured and the idle-cut function is enabled for the local user, which enables users to log in to the switch through AAA authentication.

Networking Requirements

The COM port of the PC and the console port of the switch are connected.

Configure the priority of VTY0 to be 2 and perform AAA authentication on the user that logs in through VTY0. The login user must enter the username "huawei" and the password "huawei".

After login, if the user does not operate the switch for 30 minutes, the connection with the switch is terminated.

Configuration Roadmap

The configuration roadmap is as follows:

1. Enter the user interface view to configure the priority of VTY0 to be 2 and the disconnection time.

2. Enter the AAA view to configure the username, the password, and the user level.

3. Switch on the idle timeout for the local user in the AAA view.

Data Preparation

To complete the configuration, you need the following data:


- Username and password for authentication

- Disconnect time

Procedure

Step 1 Configure the priority of VTY0 to be 2 and the disconnection time of 30 minutes.

<Quidway> system-view
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2
[Quidway-ui-vty0] authentication-mode aaa
[Quidway-ui-vty0] idle-timeout 30
[Quidway-ui-vty0] quit

Step 2 Configure the local username, the password, and the user level.

[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei
[Quidway-aaa] local-user huawei privilege level 2

----End

Configuration Files

#
 sysname Quidway
#
aaa
 local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user huawei privilege level 2
 local-user huawei idle-cut
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
user-interface vty 0
 authentication-mode aaa
 user privilege level 2
 idle-timeout 30
#
return
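The two configuration files in this section show the saved form of the settings this chapter configures. As an added example (not from the Huawei guide), the following Python script splits such a file into its "#"-separated sections and audits the user-interface vty and aaa sections for the settings the chapter cautions about: authentication-mode none (5.6.5), plain-text simple passwords (5.6.3 and 5.6.4), and the absence of an inbound ACL (5.4.3) or an explicit idle-timeout (5.4.4). The three samples are constructed: the first two abridge the configuration files of 5.7.1 and 5.7.2 with the cipher text replaced by a placeholder, and ACL 2000 in the hardened sample is an assumed ACL number whose rules are outside this example.

```python
"""Audit a Huawei VRP-style configuration file for weak VTY access settings.

Added example, not part of the Huawei guide. It splits a saved configuration on
the '#' separator lines that the configuration files above use, then flags the
settings this chapter cautions about on VTY user interfaces.
"""
import re

SEPARATOR = re.compile(r"^\s*#\s*$")  # '#' alone, possibly indented inside a view

# Constructed sample 1: the VTY section of the password example (5.7.1).
SAMPLE_PASSWORD = """\
#
 sysname Quidway
#
user-interface vty 0
 user privilege level 2
 set authentication password simple huawei
 idle-timeout 30
#
return
"""

# Constructed sample 2: the AAA example (5.7.2), abridged, cipher text replaced.
SAMPLE_AAA = """\
#
aaa
 local-user huawei password cipher <CIPHERTEXT-PLACEHOLDER>
 local-user huawei privilege level 2
 #
 authorization-scheme default
#
user-interface vty 0
 authentication-mode aaa
 user privilege level 2
 idle-timeout 30
#
return
"""

# Constructed sample 3: passes every check; ACL 2000 is an assumed ACL number.
SAMPLE_HARDENED = """\
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 idle-timeout 5
#
"""


def split_sections(config_text):
    """Return [(head, body)]: head is a section's first command, body the rest."""
    sections, current = [], []
    for raw in config_text.splitlines():
        if SEPARATOR.match(raw):
            if current:
                sections.append(current)
            current = []
        elif raw.strip():
            current.append(raw.strip())
    if current:
        sections.append(current)
    return [(lines[0], lines[1:]) for lines in sections]


def audit_vty(body):
    """Findings for one user-interface vty section (empty list means clean)."""
    findings = []
    modes = [l.split()[1] for l in body if l.startswith("authentication-mode ")]
    mode = modes[-1] if modes else "password"  # default mode per the guide
    if mode == "none":
        findings.append("authentication-mode none: login without any credential")
    elif not modes:
        findings.append("no explicit authentication-mode: relies on the default password mode")
    if any(l.startswith("set authentication password simple ") for l in body):
        findings.append("set authentication password simple: password stored in plain text")
    if not any(re.match(r"acl \S+ inbound$", l) for l in body):
        findings.append("no inbound ACL: any source address may attempt to log in")
    if not any(l.startswith("idle-timeout ") for l in body):
        findings.append("no explicit idle-timeout: idle sessions keep the default timeout")
    return findings


def audit_aaa(body):
    """Findings for the aaa section: local users whose password is plain text."""
    return [f"{l}: local-user password stored in plain text"
            for l in body if re.match(r"local-user \S+ password simple ", l)]


def audit_config(config_text):
    """Map each section head that has findings to its list of findings."""
    report = {}
    for head, body in split_sections(config_text):
        if head.startswith("user-interface "):
            findings = audit_vty(body)
        elif head == "aaa":
            findings = audit_aaa(body)
        else:
            findings = []
        if findings:
            report[head] = findings
    return report
```

Run audit_config on the text of a saved configuration file; it returns an empty dictionary for the hardened sample, one finding (no inbound ACL) for the AAA example, and three findings for the password example, which relies on the default authentication mode and stores its password in plain text.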


6 File System Management

About This Chapter

This chapter describes the basic knowledge of the file system, including the methods of managing files, directories, and storage devices.

6.1 Overview of the File System

This section describes the concepts of the file system.

6.2 Managing a Storage Device

This section describes how to format a storage device.

6.3 Managing the Directory

You can manage directories to logically store files in a hierarchy.

6.4 Managing Files

You can view, create, delete, and rename files.

6.5 Configuration Examples

This section provides several configuration examples of the file system.


6.1 Overview of the File System

This section describes the concepts of the file system.

Basic Concepts of the File System

A file system allows you to manage files and directories on the storage devices. In the file system, you can create, delete, modify, and rename a file or a directory, and view the contents of a file.

The file system provides the following functions:

- Managing the files that are stored on the storage devices

- Managing the storage devices

Storage Device

A storage device is a hardware device used to store data.

Different products support different storage devices. Currently, the S9300 supports the flash memory and the Compact Flash (CF) card.

File

A file stores and manages information.

Directory

A directory collects and organizes files. It is a logical container of files.

6.2 Managing a Storage Device

This section describes how to format a storage device.

6.2.1 Establishing the Configuration Task

Pre-configuration Tasks

Before managing a storage device, complete the following tasks:

- Installing the S9300 and switching it on properly

- Logging in to the S9300 from the client

Data Preparation

To manage a storage device, you need the following data.

No. Data

1 Device name


6.2.2 Restoring Storage Devices with File System Troubles

When the file system on a storage device fails, the terminal of the switch prompts you to rectify the fault.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

fixdisk device-name

The storage device with file system faults is repaired.

NOTE

After this command is run, if the prompt that the system should be repaired is still received, the physical medium may be damaged.

----End

6.2.3 (Optional) Formatting a Storage Device

Context

CAUTION

After the format device-name command is run, the files and directories on the specified storage device are cleared and cannot be restored. Confirm the action before you use the command.

Procedure

Step 1 Run the following command in the user view:

format device-name

A storage device is formatted.

----End

6.3 Managing the Directory

You can manage directories to logically store files in a hierarchy.

6.3.1 Establishing the Configuration Task

Before managing directories, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.


Applicable Environment

When you need to transfer files between the client and the server, configure the directory by using the file system.

Pre-configuration Tasks

Before configuring the management directory, complete the following tasks:

- Powering on the switch

- Connecting the client with the server correctly

Data Preparation

To configure a management directory, you need the following data.

No. Data

1 Directory name to be created

2 Directory name to be deleted

6.3.2 Viewing the Current Directory

You can view the current directory to know its information.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

pwd

The current directory is displayed.

----End

6.3.3 Switching a Directory

You can switch the current directory to another directory.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

cd directory


A directory is specified.

Step 2 Run:

pwd

The current directory is displayed.

----End

6.3.4 Displaying a Directory or File

You can view a directory or the files in the directory.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

cd directory

A directory is specified and the specified directory is displayed.

Step 2 Run:

dir [ /all ] [ filename | cfcard: | flash: | slave#cfcard: | slave#flash: ]

The file and sub-directory list in the directory is displayed.

Either the absolute path or relative path is applicable.

----End

6.3.5 Creating a Directory

You can create a directory in the specified directory on a specified storage device.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

cd directory

The parent directory of the directory to be created is displayed.

Step 2 Run:

mkdir directory

The directory is created.

----End

6.3.6 Deleting a Directory

You can delete an unneeded directory.


Context

Do as follows on the switch:

Procedure

Step 1 Run:

cd directory

The parent directory of the directory to be deleted is displayed.

Step 2 Run:

rmdir directory

The directory is deleted.

----End

6.4 Managing Files

You can view, create, delete, and rename files.

6.4.1 Establishing the Configuration Task

Before managing files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

To view, delete, or rename files on the switch, you need to configure files using the file system.

Pre-configuration Tasks

Before configuring the file system, complete the following tasks:

- Powering on the switch

- Connecting the client with the server correctly

Data Preparation

To configure a file system, you need the following data.

No. Data

1 File name to be viewed

2 File name to be deleted

3 File name to be renamed


6.4.2 Displaying Contents of Files

You can view the contents of a file, which are displayed as text.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

cd directory

The directory of the file is displayed.

Step 2 Run:

more filename

The content of the file is displayed.

----End

6.4.3 Copying Files

You can copy files.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

cd directory

The directory of the file is displayed.

Step 2 Run:

copy source-filename destination-filename

The file is copied.

NOTE

The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.

----End

6.4.4 Moving Files

You can move files to a specified directory.

Context

Do as follows on the switch:


Procedure

Step 1 Run:

cd directory

The directory of the file is displayed.

Step 2 Run:

move source-filename destination-filename

The file is moved.

----End

6.4.5 Renaming Files

You can rename files.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

cd directory

The directory of the file is displayed.

Step 2 Run:

rename source-filename destination-filename

The file is renamed.

----End

6.4.6 Compressing Files

You can compress files to reduce their size.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

zip source-filename destination-filename

The file is compressed.

----End

6.4.7 Deleting Files

You can delete unneeded files.


Context

Do as follows on the switch:

Procedure

Step 1 Run:

cd directory

The directory of the file is displayed.

Step 2 Run:

delete [ /unreserved ] filename

The file is deleted.

----End

6.4.8 Deleting Files in the Recycle Bin

You can permanently delete files in the recycle bin.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

reset recycle-bin [ filename ]

The file is deleted.

----End

6.4.9 Undeleting Files

You can undelete files.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

undelete filename

The deleted file is recovered.

NOTE

- If the current directory is not the parent directory of the file, you must operate on the file by using its absolute path.

- If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being deleted.

----End


6.4.10 Running Files in Batch

You can upload files and then process them in batches.

Prerequisite

The batch file has been uploaded from the client to the switch.

Context

When the batch file has been created, you can run it to perform routine tasks automatically.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

execute filename

The batched file is executed.

----End

6.4.11 Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device. If you need to change the prompt mode for file operations, you can configure the prompt mode of the file system.

Prerequisite

Before configuring the file system, complete the following tasks:

- Powering on the switch

- Logging in to the switch from the client

Context

Data may be lost or damaged during file operations, so a prompt is required.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

file prompt { alert | quiet }

The prompt mode of the file system is configured.


By default, the prompt mode is alert.

CAUTION

If the prompt mode is quiet, no prompt appears for data loss due to misoperation.

----End

6.5 Configuration Examples

This section provides several configuration examples of the file system.

6.5.1 Example for Managing Files

This section describes how to manage files.

Networking Requirements

After configuring the file system of the S9300, you can copy files to a specified directory through the console interface of the S9300. The path of a file in the storage device must be correct. If the destination file name is not specified, the source file name is used by default; that is, the destination file has the same name as the source file.

Configuration Roadmap

The configuration roadmap is as follows:

1. Check the files in a certain directory.

2. Copy the files to the directory.

3. Check the directory and confirm that the files have been copied to the specified directory.

Data Preparation

To complete the configuration, you need the following data:

- Names of the source file and destination file

- Paths of the source file and destination file

Procedure

Step 1 Display information about the files in the current directory.

<Quidway> dir
Directory of cfcard:/

  Idx  Attr   Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-        2,210  Mar 25 2009  10:24:30   vrpcfg.zip
    1  -rw-          198  May 20 2009  10:10:08   $_patchstate_a
    2  drw-            -  May 22 2009  15:28:48   logfile
    3  -rw-            4  May 25 2009  11:34:20   snmpnotilog.txt
    4  -rw-        4,309  May 20 2009  16:51:42   private-data.txt
    5  -rw-            0  Apr 03 2009  17:49:04   stickymac.txt


    6  -rw-      140,708  Apr 03 2009  18:06:56   patchhistory
    7  -rw-          198  Mar 30 2009  18:42:28   $_patchstate_a.backup
    8  -rw-   22,064,779  Mar 11 2009  18:26:08   s9300v100r006c02b118.cc
    9  -rw-       10,405  Mar 31 2009  14:17:52   bfd.pat
   10  -rw-        2,449  Mar 19 2009  15:20:10   vrpcfg0319.zip
   11  -rw-        5,344  Mar 25 2009  16:20:28   vrrp0320.zip
   12  -rw-       11,077  Apr 02 2009  16:13:18   bfd_slave0402.pat
   13  -rw-        9,893  Apr 02 2009  17:11:16   bfd_slave0402_1.pat
   14  -rw-       10,021  Apr 02 2009  17:19:32   bfd_slave0402_2.pat
   15  -rw-       10,605  Apr 02 2009  19:11:38   bfd_slave111.pat
   16  -rw-       13,717  Apr 02 2009  19:52:36   bfd_slave112.pat
   17  -rw-        1,481  Nov 27 2008  12:02:52   backupvrpcfg.zip
   18  -rw-            0  Nov 28 2008  11:39:28   epon.zip
   19  -rw-       16,981  Apr 02 2009  20:17:32   bfd_slave113.pat
   20  -rw-        3,249  May 20 2009  16:51:42   vrpcfg0325.zip
   21  -rw-       12,885  Apr 03 2009  18:06:14   bfd_slave22.pat
   22  -rw-        1,664  Feb 20 2009  09:14:50   on1018399.dat

506,744 KB total (446,192 KB free)

Step 2 Copy the file flash:/hostkey to cfcard:/hostkey.

<Quidway> copy flash:/hostkey cfcard:/hostkey
Copy flash:/hostkey to cfcard:/hostkey?[Y/N]:y
100% complete\
Info: Copied file flash:/hostkey to cfcard:/hostkey...Done.

Step 3 Display information about the files in the current directory and check that the file has been copied to the specified directory.

<Quidway> dir
Directory of cfcard:/

  Idx  Attr   Size(Byte)  Date         Time       FileName
    0  -rw-        2,210  Mar 25 2009  10:24:30   vrpcfg.zip
    1  -rw-          198  May 20 2009  10:10:08   $_patchstate_a
    2  drw-            -  May 22 2009  15:28:48   logfile
    3  -rw-            4  May 25 2009  11:34:20   snmpnotilog.txt
    4  -rw-        4,309  May 20 2009  16:51:42   private-data.txt
    5  -rw-            0  Apr 03 2009  17:49:04   stickymac.txt
    6  -rw-      140,708  Apr 03 2009  18:06:56   patchhistory
    7  -rw-          198  Mar 30 2009  18:42:28   $_patchstate_a.backup
    8  -rw-   22,064,779  Mar 11 2009  18:26:08   s9300v100r006c02b118.cc
    9  -rw-       10,405  Mar 31 2009  14:17:52   bfd.pat
   10  -rw-        2,449  Mar 19 2009  15:20:10   vrpcfg0319.zip
   11  -rw-        5,344  Mar 25 2009  16:20:28   vrrp0320.zip
   12  -rw-       11,077  Apr 02 2009  16:13:18   bfd_slave0402.pat
   13  -rw-        9,893  Apr 02 2009  17:11:16   bfd_slave0402_1.pat
   14  -rw-       10,021  Apr 02 2009  17:19:32   bfd_slave0402_2.pat
   15  -rw-       10,605  Apr 02 2009  19:11:38   bfd_slave111.pat
   16  -rw-       13,717  Apr 02 2009  19:52:36   bfd_slave112.pat
   17  -rw-        1,481  Nov 27 2008  12:02:52   backupvrpcfg.zip
   18  -rw-            0  Nov 28 2008  11:39:28   epon.zip
   19  -rw-       16,981  Apr 02 2009  20:17:32   bfd_slave113.pat
   20  -rw-        3,249  May 20 2009  16:51:42   vrpcfg0325.zip
   21  -rw-       12,885  Apr 03 2009  18:06:14   bfd_slave22.pat
   22  -rw-        1,664  Feb 20 2009  09:14:50   on1018399.dat
   23  -rw-          684  May 25 2009  17:53:38   hostkey

506,744 KB total (445,508 KB free)

----End

Configuration Files

None.


7 Management of Configuration Files

About This Chapter

This chapter describes current configurations, configuration files, detection of master/slave configuration consistency, and configuration recovery.

7.1 Management of Configuration Files Introduction

The configuration file holds the configuration that the switch loads at the current or the next startup.

7.2 Managing Configuration Files

You can manage configuration files to ensure that the switch starts normally.


7.1 Management of Configuration Files Introduction

The configuration file holds the configuration that the switch loads at the current or the next startup.

7.1.1 Configuration Files

This part describes basic concepts of configuration files.

The configuration file holds the configuration that the switch loads at the current or the next startup.

The configuration file is a text file with the following format:

- It is saved in the command format.

- To save space, default parameters are not saved. For the default values of the configuration parameters, see the following sections.

- Commands are organized on the basis of the command view. All commands of the same command view are grouped into a section. Every two command sections are separated by one or several blank lines or comment lines (beginning with "#").

- The sequence of command sections is global configuration, logical interface configuration, physical interface configuration, routing protocol configuration, and so on.

NOTE

- The system can run a command with a maximum length of 512 characters, including a command entered in incomplete (abbreviated) form.

- If a command is entered in incomplete form, it is saved in the configuration file in its complete form. Therefore, the command length in the configuration file may exceed 512 characters. When the system restarts, such commands cannot be restored.
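The section-based layout and the 512-character restore limit described above can both be checked offline before a file is committed with startup saved-configuration. The following Python script is an added example, not code from the guide or from the switch: it splits a configuration file into command-view sections (blank lines and "#" lines are separators, the first unindented command names the view) and lists every command line that exceeds the limit and would therefore not be restored at restart. The sample configuration text, interface names and the limit constant are constructed for the example.

```python
"""Split a Quidway-style configuration file into command-view sections and flag
commands longer than the 512-character restore limit.

Added example (not from the Huawei guide). SAMPLE_CONFIG is constructed.
"""

MAX_COMMAND_LEN = 512  # commands longer than this are not restored at restart

# Constructed sample: sections separated by '#' comment lines, as the guide describes.
SAMPLE_CONFIG = """\
#
 sysname Quidway
#
interface Vlanif10
 ip address 192.0.2.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
#
ospf 1
 area 0.0.0.0
  network 192.0.2.0 0.0.0.255
#
return
"""


def _is_separator(line):
    """Blank lines and comment lines beginning with '#' separate sections."""
    return not line.strip() or line.lstrip().startswith("#")


def parse_sections(text):
    """Return a list of sections; each section is the list of its command lines.

    Leading indentation is kept because it marks nesting inside the view.
    """
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if _is_separator(line):
            if current:
                sections.append(current)
                current = []
            continue
        current.append(line)
    if current:
        sections.append(current)
    return sections


def section_view(section):
    """The view of a section is its first unindented command (e.g. 'interface Vlanif10');
    a section whose lines are all indented belongs to the global (system) view."""
    first = section[0]
    return "system" if first.startswith(" ") else first


def find_unrestorable_commands(text, limit=MAX_COMMAND_LEN):
    """Return (line_number, length) for each command line longer than `limit`.

    Abbreviated commands are saved in full form, so a saved line can be longer
    than what was accepted at the CLI; such lines fail to restore at restart.
    """
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if _is_separator(line):
            continue
        length = len(line.strip())
        if length > limit:
            hits.append((number, length))
    return hits


if __name__ == "__main__":
    for sec in parse_sections(SAMPLE_CONFIG):
        print(section_view(sec), "->", len(sec), "line(s)")
    print("over-length commands:", find_unrestorable_commands(SAMPLE_CONFIG))
```

Run it against a saved .cfg file (the .zip form must be unpacked first) to get a per-view inventory and an empty over-length list before the file is selected for the next startup.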

7.1.2 Configuration Files and Current Configurations

This part describes basic concepts of configuration files and current configurations.

- Initial configurations: On powering on, the switch retrieves the configuration file from the default save path to initialize itself. If no configuration file exists in the default save path, the switch uses the default parameters.

- Current configurations: the effective configurations of the currently running switch.

- Users can modify the current configurations of the switch through the command line interface. Use the save command to save the current configuration to the configuration file on the default storage device; the current configuration then becomes the initial configuration of the switch when the switch is powered on next time.

7.2 Managing Configuration Files

You can manage configuration files to ensure that the switch starts normally.


7.2.1 Establishing the Configuration Task

Before managing configuration files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

In one of the following situations, you need to manage configuration files:

- To start the switch normally, you need to select the correct S9300 system software and configuration file for the switch to load.

- After modifying current configurations, you need to save the modified contents.

- You need to view the configuration of the switch.

Pre-configuration Tasks

Before managing configuration files, complete the following task:

- Installing the switch and starting it properly

Data Preparation

To manage configuration files, you need the following data.

No. Data

1 S9300 System software and its file name

2 Configuration file and its name

3 The number of the start line from which the comparison of the configuration files begins

7.2.2 Configuring System Software for a Switch to Load for the Next Startup

To upgrade the system software of a switch, you can specify the S9300 system software to be loaded for the next startup.

Context

Do as follows on the switch:

Procedure

Step 1 Run:

startup system-software system-file [ slave-board ]

The S9300 system software that the switch loads at the next startup is configured.

The system software must have the filename extension .cc and must be stored in the root directory of a storage device.


You can specify system-file to select, for the next startup, a system software file that is saved on the device.

slave-board is valid only on the switch with dual main control boards.

----End

7.2.3 Configuring the Configuration File for the Switch to Load for the Next Startup

Before restarting a switch, you can specify the configuration file that is loaded for the next startup.

Context

Do as follows on the switch:

Procedure

Step 1 Run:
startup saved-configuration configuration-file

The configuration file for the switch to load at the next startup is specified.

The configuration file must have the filename extension .cfg or .zip, and must be stored in the root directory of a storage device.

When the switch is powered on, it initializes by reading the configuration file from the cfcard memory by default. The configuration in this file is therefore called the initial configuration. If no configuration file is saved in the cfcard, the switch initializes with default parameters.

The effective configuration when a switch is working is called current configuration.

----End

7.2.4 Saving Configuration Files

You can save configuration files periodically or immediately.

Context

The system can save the configuration files periodically or in real time to prevent data loss when the switch is powered off or accidentally restarted.

Run one of the following commands to save configuration files.

Procedure

- Run:

1. system-view

The system view is displayed.

2. set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *

The configuration file is saved at intervals.


After the parameter interval interval is specified, the device saves the configuration file at the specified interval regardless of whether the configuration has changed.

– If the set save-configuration command is not run, the system does not automatically save configurations.

– If the set save-configuration command is run without a specified interval, the system automatically saves configurations at 30-minute intervals.

When you configure the automatic saving function, to prevent that function from affecting system performance, you can set an upper limit on the CPU usage of the system during automatic saving. When automatic saving is triggered by the expiry of the timer, the CPU usage is checked. If the CPU usage is higher than the set upper limit, the automatic save is canceled.

After delay delay-interval is specified, if the configuration is changed, the device automatically saves the configuration after the specified delay.

After automatic saving of configurations is configured, the system automatically saves the changed configurations to the configuration file for the next startup, and the configuration files change accordingly with the saved configurations.

Before configuring automatic configuration file saving to a server, you need to run the set save-configuration backup-to-server server server-ip [ transport-type { ftp | sftp } ] user user-name password password [ path folder ] or set save-configuration backup-to-server server server-ip transport-type tftp [ path folder ] command to configure the server, including the IP address, user name, and password of the server, the destination path, and the mode of transporting the configuration file to the server.

NOTE

If configuration files are transmitted and saved in TFTP mode, the tftp client-source command can be run to configure the address of a loopback interface of the switch as the source address of the client to ensure security.

WARNING

When the automatic saving function is enabled and the LPU is not properly installed, the corresponding configurations may be lost.

- Run:
save [ all ] [ configuration-file ]

The current configurations are saved.

The configuration file must have the filename extension .cfg or .zip. The system startup configuration file must be saved in the root directory of a storage device.

The user can modify the current configuration through the command line interface. To make the current configuration the initial configuration when the switch starts next time, use the save command to save the current configuration in the cfcard memory.

You can use the save all command to save all the current configurations, including the configurations of the boards that are not inserted, to the default directory.

----End


7.2.5 Clearing a Configuration File

You can clear the configuration file that has been loaded to a device, or clear the inactive configurations of the boards that are not installed in slots.

Context

The configuration file stored in cfcard memory needs to be cleared in the following cases:

- The system software does not match the configuration file after the switch has been upgraded.

- The configuration file is damaged or an incorrect configuration file has been loaded.

Procedure

- Clear the currently loaded configuration file.

Run the reset saved-configuration command to clear the currently loaded configuration file.

– If the configuration file of the switch used for the current startup is the same as that used for the next startup, running the reset saved-configuration command clears both configuration files. The switch uses the default configuration file for the next startup.

– If the configuration file of the switch used for the current startup is different from that used at the next startup, running the reset saved-configuration command clears the configuration file used for the current startup.

– If the configuration file of the switch used for the current startup is empty, the system prompts you that the configuration file does not exist after you run the reset saved-configuration command.

If you do not run the startup saved-configuration configuration-file command to specify a new correct configuration file, or do not run the save command to save the configuration file after the configuration file is cleared, the switch uses the default configuration file at the next startup.

- Clear the inactive configurations of the boards that are not installed in slots.

1. Run the system-view command to enter the system view.

2. Run the clear inactive-configuration slot command to clear the inactive configurations of the boards that are not installed in slots.

----End

7.2.6 Comparing Configuration Files

You can compare the current configuration with the initial configuration.

Context

Do as follows on the switch:

Procedure

Step 1 Run:


compare configuration [ configuration-file ] [ current-line-number save-line-number ]

The current configuration is compared with the configuration file for next startup.

If no parameter is set, the comparison begins with the first lines of the configuration files. current-line-number and save-line-number are used to continue the comparison from the given lines, past differences that have already been found between the configuration files.

When comparing differences between the configuration files, the system displays the contents of the current configuration file and the saved configuration file from the first different line. By default, 150 characters are displayed for each configuration file. If the number of characters from the first different line to the end is less than 150, all the contents after the first different line are displayed.

When comparing the current configuration with the configuration file for the next startup, if the configuration file for the next startup is unavailable or its contents are null, the system prompts that reading the file fails.

----End
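The comparison semantics described for compare configuration (start at the first differing line, show a bounded excerpt of each file, resume past a known difference with the two line-number parameters, and fail when the saved file is missing or empty) can be reproduced offline against exported copies of the running and saved configurations, which is a useful drift check during change review. The Python below is an added example written for this guide, not the switch's own implementation; the two configuration texts are constructed, and the 150-character default follows the text above.

```python
"""Offline equivalent of `compare configuration`: find the first line where the
running configuration and the next-startup configuration diverge.

Added example, not the S9300 implementation. Both configuration texts are constructed.
"""

EXCERPT_CHARS = 150  # default number of characters displayed per file

CURRENT_CONFIG = """\
#
 sysname Quidway
#
interface Vlanif10
 ip address 192.0.2.1 255.255.255.0
#
ftp server enable
ftp acl 2000
#
return
"""

SAVED_CONFIG = """\
#
 sysname Quidway
#
interface Vlanif10
 ip address 192.0.2.1 255.255.255.0
#
return
"""


def compare_configuration(current, saved, current_line=1, save_line=1, chars=EXCERPT_CHARS):
    """Compare `current` with `saved` starting at the given 1-based lines.

    Returns None when the two texts agree from those lines to the end. Otherwise
    returns a dict with the 1-based line numbers of the first difference and an
    excerpt (at most `chars` characters) of each file from that line onward,
    mirroring current-line-number / save-line-number and the 150-character display.
    Raises ValueError when the saved file is missing or empty, as the switch
    reports a read failure in that case.
    """
    if saved is None or not saved.strip():
        raise ValueError("reading the next-startup configuration file failed")
    cur_lines = current.splitlines()
    sav_lines = saved.splitlines()
    i, j = current_line - 1, save_line - 1
    # Advance both cursors while the lines agree.
    while i < len(cur_lines) and j < len(sav_lines) and cur_lines[i] == sav_lines[j]:
        i += 1
        j += 1
    if i >= len(cur_lines) and j >= len(sav_lines):
        return None  # identical from the starting lines to the end
    # Either a differing line or extra lines in one file: report from here.
    return {
        "current_line": i + 1,
        "save_line": j + 1,
        "current_excerpt": "\n".join(cur_lines[i:])[:chars],
        "saved_excerpt": "\n".join(sav_lines[j:])[:chars],
    }


if __name__ == "__main__":
    diff = compare_configuration(CURRENT_CONFIG, SAVED_CONFIG)
    print("first difference at current line %d / saved line %d" % (diff["current_line"], diff["save_line"]))
    print("current:", diff["current_excerpt"].splitlines()[0])
    print("saved:  ", diff["saved_excerpt"].splitlines()[0])
```

In the constructed sample the running configuration has enabled the FTP server and bound an ACL without the change having been saved, which is exactly the kind of unsaved security-relevant drift a reboot would silently undo; calling the function again with the line numbers after that block confirms the rest of the files agree.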

7.2.7 Checking the Configuration

After managing configuration files has been configured, you can view the current configuration files, the configuration files to be loaded at the next startup, the files for the device startup, and the files saved in the storage device.

Prerequisite

The configuration of managing configuration files is complete.

Procedure

- Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display current-configuration [ all | inactive ] command to view the current configuration files.

- Run the display saved-configuration [ last | time | configuration ] command to view the configuration files to be loaded at the next startup.

- Run the display startup command to view the files for the device startup.

- Run the dir [ /all ] [ filename ] command to view the files saved in the storage device.

- Run the display default-parameter servicename command to view the default configurations in the system.

----End

Example

After the configurations succeed, run the preceding commands, and you can find the following results:

- The current configuration of the switch is correct without any redundant configuration.

- The current configuration of the switch is saved in the storage device.


- The S9300 system software and configuration file to be loaded at the next startup are correct and saved in the root directory of the storage device.


8 FTP and TFTP

About This Chapter

This chapter describes the fundamentals, configuration procedures, and configuration examples of FTP and TFTP.

8.1 FTP and TFTP Introduction

This section describes the basic concepts of FTP and TFTP.

8.2 Configuring the Switch to be the FTP Server

After a switch is configured with the basic functions of the FTP server, you can run the FTP client application to log in to the switch, and then access files on the switch.

8.3 Configuring FTP ACL

You can configure the FTP ACL on a switch to allow only specified users to log in to the switch.

8.4 Configuring the Switch to Be the FTP Client

You can configure a switch to be an FTP client and then log in to the FTP server.

8.5 Configuring the Switch to Be the TFTP Client

You can configure a switch to be an FTP client and then log in to the FTP server.

8.6 Limiting the Access to the TFTP Server

You can configure the maximum number of TFTP servers that a TFTP client can access to determine which TFTP servers the TFTP client can log in to.

8.7 Configuration Examples

This section provides several configuration examples for FTP and TFTP together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.


8.1 FTP and TFTP Introduction

This section describes the basic concepts of FTP and TFTP.

8.1.1 FTP

You can transfer files between local and remote hosts through FTP. FTP is commonly used in version upgrade, log downloading, file transfer, and configuration saving.

File Transfer Protocol (FTP) is an application layer protocol in the TCP/IP protocol suite. It implements file transfer between local and remote hosts on top of the file systems of the two hosts.

The switch provides the following FTP services:

- FTP server service. Users can run the FTP client program to log in to the switch and access the files on the switch.

- FTP client service. Users can establish a connection with the switch by running a terminal emulation program or a Telnet program on a PC. Enter an FTP command to connect with the remote FTP server and access the files on the remote host.

8.1.2 TFTP

TFTP does not have a complex interactive access interface and authentication control. TFTP is applicable when there is no complex interaction between the client and the server.

The Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.

Compared with FTP, TFTP does not have a complex interactive access interface and authentication control. TFTP is applicable in an environment where there is no complex interaction between the client and the server. For example, TFTP is used to obtain the memory image of the system when the system starts up.

TFTP is implemented based on the User Datagram Protocol (UDP).

The client initiates the TFTP transfer. To download files, the client sends a read request packet to the TFTP server, receives data packets from the server, and sends acknowledgements to the server. To upload files, the client sends a write request packet to the TFTP server, sends data packets to the server, and receives acknowledgements from the server.

TFTP transfers the files in two formats:

- The binary format: transfers program files.

- The ASCII format: transfers text files.

At present, the S9300 serves only as the TFTP client and transfers files in the binary format.
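The read and write exchanges just described are easiest to follow with the packets laid out byte by byte. The following Python is an added example, not the S9300's TFTP client or any code from the guide: it builds and parses the five RFC 1350 packet types (RRQ, WRQ, DATA, ACK, ERROR) and simulates the client side of a download, sending the read request and one acknowledgement per data block until a block shorter than 512 bytes marks the end of the file. The file name, file contents and the dictionary standing in for the server's file system are constructed for the example; "octet" is the binary mode, the only one the switch uses.

```python
"""TFTP (RFC 1350) packet construction and a simulated client-side read.

Added example; not the switch's implementation. File names/contents are constructed.
"""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # a DATA packet shorter than 512 bytes ends the transfer


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ layout: opcode | filename | 0 | mode | 0."""
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def build_data(block, payload):
    """DATA layout: opcode 3 | 16-bit block number | up to 512 bytes of data."""
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    """ACK layout: opcode 4 | 16-bit block number."""
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    """ERROR layout: opcode 5 | error code | message | 0."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\0"


def parse_packet(packet):
    """Return (opcode, fields) for any packet type; reject malformed input."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode in (OP_RRQ, OP_WRQ):
        parts = packet[2:].split(b"\0")
        if len(parts) < 3:  # filename, mode and the trailing empty piece
            raise ValueError("malformed request")
        return opcode, {"filename": parts[0].decode("ascii"), "mode": parts[1].decode("ascii").lower()}
    block = struct.unpack("!H", packet[2:4])[0]
    if opcode == OP_DATA:
        return opcode, {"block": block, "data": packet[4:]}
    if opcode == OP_ACK:
        return opcode, {"block": block}
    if opcode == OP_ERROR:
        return opcode, {"code": block, "message": packet[4:].rstrip(b"\0").decode("ascii", "replace")}
    raise ValueError("unknown opcode %d" % opcode)


def server_data_blocks(content):
    """Split file content into numbered DATA packets. The last block is always
    shorter than BLOCK_SIZE (an empty block when the size is a multiple of 512)."""
    blocks, offset, number = [], 0, 1
    while True:
        chunk = content[offset:offset + BLOCK_SIZE]
        blocks.append(build_data(number, chunk))
        offset += BLOCK_SIZE
        number += 1
        if len(chunk) < BLOCK_SIZE:
            return blocks


def client_download(filename, server_files):
    """Simulate a download: RRQ, then an ACK for every DATA block received.

    `server_files` is a dict standing in for the server's file system (constructed).
    Returns (file content or None, list of (sender, packet) in wire order).
    """
    exchange = [("client", build_request(OP_RRQ, filename))]
    if filename not in server_files:
        exchange.append(("server", build_error(1, "File not found")))
        return None, exchange
    received = b""
    for data_pkt in server_data_blocks(server_files[filename]):
        exchange.append(("server", data_pkt))
        _, fields = parse_packet(data_pkt)
        received += fields["data"]
        exchange.append(("client", build_ack(fields["block"])))
    return received, exchange


if __name__ == "__main__":
    content, packets = client_download("s9300.cc", {"s9300.cc": b"A" * 1000})
    for sender, pkt in packets:
        print(sender, parse_packet(pkt)[0], len(pkt), "bytes")
```

Because there is no authentication anywhere in this exchange (the request carries only a file name and a mode), anyone who can reach the UDP port can ask for any file the server exposes; that is the reason the guide pairs TFTP with source-address binding (tftp client-source) and with limiting which servers the client may contact.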

8.2 Configuring the Switch to be the FTP Server

After a switch is configured with the basic functions of the FTP server, you can run the FTP client application to log in to the switch, and then access files on the switch.


8.2.1 Establishing the Configuration Task

Before configuring a switch to be the FTP server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

When the switch serves as the FTP server, after the client logs in to the switch through FTP, the user can transfer files between the client and the server.

Pre-configuration Tasks

Before configuring the switch as the FTP server, complete the following tasks:

- Powering on the switch

- Connecting the FTP client to the server

Data Preparation

To configure the switch as the FTP server, you need the following data.

NOTE

For an FTP secure server connection, perform step 2.

No. Data

1 (Optional) Listening port number specified on the FTP server

2 Configuring FTP Server Certificate-key and Chain-key

3 Enabling FTP Server

4 (Optional) Source IP address or source interface of the FTP server

5 (Optional) Timeout period of the disconnection from the FTP server

6 FTP username and password

7 File directory authorized to the FTP user

8.2.2 (Optional) Specifying a Port Number for the FTP Server

You can configure or change the listening port number of the FTP server. After the port number is changed, only the user knows the current port number, which guarantees the security.

Context

If the FTP service is not enabled, change the FTP port as required.

If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and then change the FTP port.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server port port-number

The port number of the FTP server is configured.

If a new listening port number is configured, the FTP server interrupts all FTP connections and listens on the port with the new number. By default, the FTP server listens on port 21.

----End

8.2.3 Enabling the FTP Server

This section describes how to enable the FTP server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server enable

The FTP server is enabled.

NOTE

When the file operations between clients and the switch end, run the undo ftp [ ipv6 ] server command to disable the FTP server function. This ensures the security of the switch.

----End

8.2.4 Configuring the Source IP Address of the FTP Server

The source address of the FTP server can be specified to allow only authorized users to access the FTP server. This ensures security.

Context

Do as follows on the switch that functions as an FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


ftp server-source -a source-ip-address

The source IP address of an FTP server is configured.

After the source address is configured, the address specified in the ftp command for login to the FTP server must be the configured source address. Otherwise, the login fails.

----End

8.2.5 (Optional) Configuring the Timeout Period

This section describes how to configure the timeout period of the FTP server.

Context

If the client is idle for the configured time, the connection is removed from the FTP server.

By default, the timeout value is 10 minutes.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp timeout minutes

The timeout period of the FTP server is configured.

----End

8.2.6 Configuring the Local Username and the Password

You can configure the authentication information for FTP users, which prevents unauthorized users from performing operations on the device and thus guarantees the security.

Context

Do as follows on the switch that serves as the FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password


The local username and the password are configured.

----End

8.2.7 Configuring the Service Type and Authorization Information

You can configure the authorization mode and authorization directory for FTP users. In this case, unauthorized users cannot access the restricted directory, which guarantees the security.

Context

Do as follows on the switch that serves as the FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
set default ftp-directory directory

The default FTP working directory is configured.

Step 3 Run:
aaa

The AAA view is displayed.

Step 4 Run:
local-user user-name service-type ftp

The FTP service type is configured.

Step 5 Run:
local-user user-name ftp-directory directory

The authorization directory about the FTP user is configured.

----End

8.2.8 Checking the Configuration

After configuring a switch to be the FTP server, you can view the configuration and status of the FTP server as well as information about logged-in FTP users.

Prerequisite

The configuration of the switch to be the FTP server is complete.

Procedure

- Run the display [ ipv6 ] ftp-server command to check the configuration and running information about the FTP server.

- Run the display ftp-users command to check the logged-in FTP users.

----End


Example

After configuring the FTP server, run the display [ ipv6 ] ftp-server command. You can view the parameters of the current FTP server.

<Quidway> display ftp-server
  FTP server is running
  Max user number                5
  User count                     0
  Timeout value(in minute)       30
  Listening Port                 1080
  Acl number                     0
  FTP server's source address    1.1.1.1

Run the display ftp-users command to view the user name, port number, and authorization directory of the FTP user configured presently.

<Quidway> display ftp-users
  username    host            port    idle    topdir
  zll         100.2.150.226   1383    3       cfcard:

8.3 Configuring FTP ACL

You can configure the FTP ACL on a switch to allow only specified users to log in to the switch.

8.3.1 Establishing the Configuration Task

Before configuring the FTP ACL, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

When the switch serves as the FTP server, for security, you can configure an access control list (ACL) on the switch so that only clients that meet the matching conditions can access it.

Pre-configuration Tasks

Before configuring the FTP ACL, complete the following tasks:

- Powering on the switch

- Connecting the FTP client with the server

Data Preparation

To configure the FTP ACL, you need the following data.

No. Data

1 ACL number


8.3.2 Enabling the FTP Server

The FTP server is disabled by default. You need to enable the FTP server before using FTP functions.

Context

Do as follows on the switch that serves as the FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server enable

The FTP server is started.

----End

8.3.3 Configuring a Basic ACL

You can configure a basic ACL and define rules by specifying the source IP address.

Context

Do as follows on the switch that serves as the FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address source-wildcard | any } | time-range time-name ] *

The ACL rule is configured.

NOTE

FTP supports only the basic ACL.

----End
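The effect of a basic ACL on FTP logins comes down to how each rule's source address and wildcard are matched against the client's address, and which rule wins when several are configured. The Python below is an added example written for this section, not the switch's ACL engine or any code from the guide: it parses rule lines in the syntax shown in Step 3 (only the source clause is modelled; fragment, logging and time-range are not handled) and decides whether a client address is permitted. Two assumptions are made and marked in the code: rules are evaluated in ascending rule-id order (rules given without an id keep their listed order after the numbered ones), and a client matching no rule is denied. The rule set and client addresses are constructed.

```python
"""Evaluate basic ACL rules (rule [ id ] { deny | permit } source { addr wildcard | any })
against a client source address to decide whether an FTP login is accepted.

Added example; not the switch's ACL engine. Rules and addresses are constructed.
"""
import ipaddress


def parse_rule(line):
    """Parse one rule line into a dict. A source of None means 'any'."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "rule":
        raise ValueError("not a rule line: %r" % line)
    idx = 1
    rule_id = None
    if tokens[idx].isdigit():  # the optional rule-id
        rule_id = int(tokens[idx])
        idx += 1
    if idx >= len(tokens) or tokens[idx] not in ("permit", "deny"):
        raise ValueError("expected permit or deny in %r" % line)
    action = tokens[idx]
    idx += 1
    source = wildcard = None
    if idx < len(tokens) and tokens[idx] == "source":
        if idx + 1 >= len(tokens):
            raise ValueError("source needs an address or 'any' in %r" % line)
        if tokens[idx + 1] != "any":
            if idx + 2 >= len(tokens):
                raise ValueError("source address needs a wildcard in %r" % line)
            source = int(ipaddress.IPv4Address(tokens[idx + 1]))
            wildcard = int(ipaddress.IPv4Address(tokens[idx + 2]))
    return {"id": rule_id, "action": action, "source": source, "wildcard": wildcard}


def rule_matches(rule, client_ip):
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care' for that bit."""
    if rule["source"] is None:
        return True
    care = ~rule["wildcard"] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(client_ip)) & care) == (rule["source"] & care)


def ftp_login_allowed(acl_lines, client_ip):
    """True if the first matching rule permits the client.

    Assumptions for this example: rules are checked in ascending rule-id order
    (un-numbered rules keep their listed order after the numbered ones), and a
    client that matches no rule is denied.
    """
    rules = [parse_rule(line) for line in acl_lines]
    rules.sort(key=lambda r: (r["id"] is None, r["id"] if r["id"] is not None else 0))
    for rule in rules:
        if rule_matches(rule, client_ip):
            return rule["action"] == "permit"
    return False


if __name__ == "__main__":
    # Constructed rule set: permit one management subnet, deny everything else.
    acl = ["rule 5 permit source 10.1.1.0 0.0.0.255", "rule 10 deny source any"]
    for ip in ("10.1.1.77", "10.1.2.77"):
        print(ip, "->", "permit" if ftp_login_allowed(acl, ip) else "deny")
```

Pair the management-subnet permit with a closing deny of source any, as in the constructed set, so that the result does not depend on whatever the device's default for unmatched packets is.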

8.3.4 Configuring the Basic FTP ACL

You can configure the basic FTP ACL.


Context

Do as follows on the switch that serves as the FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] acl acl-number

The basic FTP ACL is configured.

----End

8.3.5 Checking the Configuration

After configuring the FTP ACL, you can view the configuration and status of the FTP server as well as information about logged-in FTP users.

Prerequisite

The configuration of the FTP ACL is complete.

Procedure

- Run the display ftp-server [ ] command to check the configuration and status of the FTP server.

----End

Example

After configuring an FTP server, you can run the display ftp-server command and view that the ACL number allocated for the FTP server is 2345.

<Quidway> display ftp-server
  FTP server is running
  Max user number                5
  User count                     0
  Timeout value(in minute)       30
  Listening Port                 1080
  Acl number                     2345
  FTP server's source address    1.1.1.1
  SSL security status            Disabled

8.4 Configuring the Switch to Be the FTP Client

You can configure a switch to be an FTP client and then log in to the FTP server.


8.4.1 Establishing the Configuration Task

Before configuring a switch to be an FTP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

When a switch serves as an FTP client, you can log in to the FTP server through the switch and then transmit files or manage server directories.

Pre-configuration Tasks

Before configuring the switch as an FTP client, complete the following tasks:

- Powering on the switch

- Connecting the FTP client to the server

Data Preparation

To configure the switch as an FTP client, you need the following data.

NOTE

For an FTP secure server connection, perform steps 2, 3 and 4.

No. Data

1 (Optional) Source IP address or source interface of the device functioning as an FTP client

2 Configuring FTP Client Trusted-CA

3 (Optional) Configuring FTP Client CRL

4 (Optional) Configuring FTP Client Set Verify Depth

5 Logging into the FTP Server

6 Host name or IP address of the FTP server

7 Port number of connecting FTP

8 FTP protocol command

9 Local file name and file name on the remote FTP server

10 Working directory name of the remote FTP server, local working directory of the FTP client, or directory name of the remote FTP server

11 Login username and password


8.4.2 (Optional) Configuring Source IP Address and Interface of the FTP Client

This section describes how to configure the source IP address and source interface that the FTP client uses to establish the connection with the FTP server.

Prerequisite
A source interface can be configured only if the system has a loopback interface.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  ftp client-source { -a ip-address }

The source IP address of the FTP client is configured.

or

  ftp client-source { -i interface-type interface-number }

The source interface (a loopback interface) of the FTP client is configured.

NOTE: Then, run the display ftp-client command on the switch to view the current configuration of the FTP client.

----End

8.4.3 Logging In to the FTP Server
You can log in to the FTP server in the user view or the FTP view.

Context
Do as follows on the switch that serves as the client:

Procedure

Step 1 Run the following commands according to the type of the server IP address.
- If the IP address of the server is an IPv4 address, do as follows:

  – In the user view, establish a connection to the FTP server. Run:
    ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
    The switch is connected to the FTP server.

  – In the FTP view, establish a connection to the FTP server.

    1. Run:
       ftp


       The FTP view is displayed.

    2. Run:
       open [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ vpn-instance vpn-instance-name ]
       The switch is connected to the FTP server.

NOTE: Before logging in to the FTP server, you can run the set net-manager vpn-instance command to configure a default VPN instance. After that, the default VPN instance is used in the FTP operation.

- If the IP address of the server is an IPv6 address, do as follows:

  – In the user view, establish a connection to the FTP server. Run:
    ftp ipv6 host [ port-number ]
    The switch is connected to the FTP server.

  – In the FTP view, establish a connection to the FTP server.

    1. Run:
       ftp
       The FTP view is displayed.

    2. Run:
       open ipv6 host [ port-number ]
       The switch is connected to the FTP server.

----End

8.4.4 Configuring Data Type and Transmission Mode for the File
This section describes how to configure the data type and transmission mode for the file.

Context
Do as follows on the switch that serves as the client:

Procedure

Step 1 Run:
  ascii | binary

The data type of the file to be transmitted is set to ASCII or binary mode.

NOTE: The FTP server supports ASCII mode for data transmission, but on the Quidway S9300 the user has to switch to binary mode to transfer files.

Step 2 Run:
  passive

The passive file transfer mode is configured.

Step 3 Run:
  verbose

The verbose mode for FTP is enabled.


When verbose mode is enabled, all FTP responses are displayed. After a file transfer, statistics about the transmission efficiency are displayed.

----End

8.4.5 (Optional) Viewing Online Help of the FTP Command
This section describes how to view the online help of an FTP command.

Context

This configuration provides help information for protocol commands.

Procedure

Step 1 Run:
  remotehelp command

The online help of the FTP command is displayed.

----End

8.4.6 Uploading or Downloading Files
You can upload local files to a remote FTP server, or download files from the FTP server and save them on the local device.

Context

Do as follows on the switch that serves as the client:

Procedure

Step 1 Upload or download files.
- Run:
  put local-filename [ remote-filename ]

  The local file is uploaded to the remote FTP server.
- Run:
  get remote-filename [ local-filename ]

  The file is downloaded from the FTP server and saved as the local file.

----End

8.4.7 Managing Directories
You can perform management operations, such as creating and deleting directories, on the FTP server.

Context

Do as follows on the switch that serves as the client:


Procedure

Step 1 Run one or more of the following commands to manage directories.
- Run:
  cd pathname
  The working path on the remote FTP server is specified.

- Run:
  cdup
  The working path on the FTP server is switched to the upper-level directory.

- Run:
  pwd
  The current working directory on the FTP server is displayed.

- Run:
  lcd [ local-directory ]
  The working directory of the FTP client is displayed or changed.

- Run:
  mkdir remote-directory
  A directory is created on the FTP server.

- Run:
  rmdir remote-directory
  A directory is removed from the FTP server.

NOTE

- The directory to be created can comprise letters and digits, but not special characters such as <, >, ?, \ and :.

- When running the mkdir /abc command, you create a sub-directory named "abc".

----End

8.4.8 Managing Files
You can view a specified directory or file on the remote FTP server, or delete a specified file from the FTP server.

Context
Do as follows on the switch that serves as the client:

Procedure

Step 1 Run one or more of the following commands to manage files.
- Run:
  ls [ remote-filename ] [ local-filename ]
  The specified directory or file on the remote FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

- Run:
  dir [ remote-filename ] [ local-filename ]


  The specified directory or file on the FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

- Run:
  delete remote-filename
  The specified file on the FTP server is deleted. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

When local-filename is specified, the displayed information about the file is saved to the local file.

----End

8.4.9 (Optional) Changing Login Users
This section describes how to change the username and password for remote login.

Prerequisite
This configuration must be performed in the FTP view.

Context
The username and password are strings. The username must be 1 to 85 case-insensitive characters long, and the password must be 1 to 16 case-insensitive characters long.

Procedure

Step 1 Run:
  user username [ password ]

The current login user is changed and the user logs in again.

----End

8.4.10 Disconnecting from the FTP Server
This section describes how the client switch disconnects from the FTP server.

Prerequisite
The configurations must be performed in the FTP view.

Procedure

Step 1 Run:
  bye

or

  quit

The client switch is disconnected from the FTP server.


The system returns to the user view.

Step 2 Run:
  close

or

  disconnect

The client switch is disconnected from the FTP server.

This command terminates the FTP session.

----End

8.4.11 Checking the Configuration
This section describes how to check the FTP client configuration.

Prerequisite
The FTP client must be configured before running the command mentioned below. Otherwise the system does not display any data.

Procedure
- Run the display ftp-client command to check the configuration status of the FTP client.

----End

Example
- Run the display ftp-client command to view the source parameters of the FTP client.

  <Quidway> display ftp-client
  The source address of FTP client is 1.1.1.1.

8.5 Configuring the Switch to Be the TFTP Client
You can configure a switch to be a TFTP client and then transfer files with the TFTP server.

8.5.1 Establishing the Configuration Task
Before configuring TFTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
You can transfer files through TFTP between the server and the client in a simple interaction environment.

Pre-configuration Tasks
Before configuring TFTP, complete the following tasks:


- Powering on the switch
- Connecting the TFTP client with the server

Data Preparation
To configure TFTP, you need the following data.

No.  Data
1    IP address of the TFTP server
2    Name of the specific file on the TFTP server
3    File directory

8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client
You can configure a source IP address for a TFTP client. Then, you can set up a TFTP connection from the TFTP client to the server through a specific route by using this source IP address.

Context
Do as follows on a switch that functions as a TFTP client.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of the TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP server must be the same as the configured one.

----End

8.5.3 Downloading Files Through TFTP
You can download files from the TFTP server to the TFTP client.

Context
Do as follows on the switch that serves as the TFTP client:

Procedure

Step 1 Run the following commands according to the type of the server IP address.


- If the IP address of the server is an IPv4 address, run:
  tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]

  The switch is configured to download files through TFTP.
- If the IP address of the server is an IPv6 address, run:
  tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] get source-filename [ destination-filename ]

  The switch is configured to download files through TFTP.

----End

8.5.4 Uploading Files Through TFTP
You can upload files from the TFTP client to the TFTP server.

Context
Do as follows on the switch that serves as the TFTP client:

Procedure

Step 1 Run the following commands according to the type of the server IP address.
- If the IP address of the server is an IPv4 address, run:
  tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]

  The switch is configured to upload files through TFTP.
- If the IP address of the server is an IPv6 address, run:
  tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] put source-filename [ destination-filename ]

  The switch is configured to upload files through TFTP.

----End

8.6 Limiting the Access to the TFTP Server
You can configure an ACL on the TFTP client to determine which TFTP servers the TFTP client can access.

8.6.1 Establishing the Configuration Task
Before configuring a limit on access to TFTP servers, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the switch serves as the TFTP client, you can configure an ACL on the switch. After the configuration, you can control which TFTP servers the device can access through TFTP.


Pre-configuration Tasks

Before configuring a limit on access to the TFTP server, complete the following tasks:

- Powering on the switch
- Connecting the TFTP client to the server

Data Preparation

To configure a limit on access to the TFTP server, you need the following data.

No.  Data
1    Source IP address of the TFTP client
2    IP address of the TFTP server
3    ACL number

8.6.2 Configuring the Basic ACL
You can configure ACL rules.

Context

NOTE: TFTP supports only the basic ACL.

Do as follows on the switch that serves as the TFTP client:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  acl acl-number

The ACL view is displayed.

Step 3 Run:
  rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address source-wildcard | any } | time-range time-name ] *

The ACL rule is configured.

----End

8.6.3 Configuring the Basic TFTP ACL
You can configure the basic TFTP ACL.


Context
Do as follows on the switch that serves as the TFTP client:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 According to the address type of the TFTP server, select and run one of the following two commands.
- For IPv4 addresses, run the tftp-server acl acl-number command. You can use the ACL to limit the access to the TFTP server.

- For IPv6 addresses, run the tftp-server ipv6 acl acl6-number command. You can use the ACL to limit the access to the TFTP server.

----End

8.7 Configuration Examples
This section provides several configuration examples for FTP and TFTP together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

8.7.1 Example for Configuring the FTP Server
In this example, a PC connected to a switch logs in to the FTP server by entering the correct user name and password through FTP, and then transfers files to the storage of the switch.

Networking Requirements
As shown in Figure 8-1, the local PC functions as the FTP client, and its IP address is 10.1.1.1/24.

The Switch acts as the FTP server. VLAN 10 is created on the Switch and GigabitEthernet3/0/1 is added to VLAN 10. The IP address 10.1.1.2/24 is assigned to VLANIF 10.

The PC uploads files to the Switch.


Figure 8-1 Networking diagram of the Switch functioning as the FTP server (the PC, as FTP client, reaches the Switch, as FTP server, through an L2 switch over Ethernet in VLAN 10; one FTP session)

Switch      Interface             VLANIF interface   IP address
FTP Server  GigabitEthernet3/0/1  VLANIF 10          10.1.1.2/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Set the correct FTP user name and password on the Switch that functions as the FTP server.
2. Log in to the Switch through FTP from the PC.
3. Upload files to the FTP server.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the FTP server
- Name of the FTP user set as u1 and the password set as ftppwd on the server
- Correct path of the source file on the PC
- Name of the destination file and position where the destination files are located on the Switch

Procedure

Step 1 Create VLAN 10 on the Switch and assign the IP address 10.1.1.2/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 3/0/1
[Quidway-GigabitEthernet3/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.2 24

Step 2 Start the FTP server on the Switch, and set the FTP user name to u1 and the password to ftppwd.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user u1 password simple ftppwd
[Quidway-aaa] local-user u1 service-type ftp
[Quidway-aaa] local-user u1 ftp-directory cfcard:/
[Quidway-aaa] return


Step 3 On the PC, initiate a connection to the Switch with the user name u1 and the password ftppwd.

Windows XP is used on the FTP client to illustrate the preceding operations.

C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready.
User (10.1.1.1:(none)): u1
331 Password required for u1
Password:
230 User logged in.
ftp>

Step 4 Set the file transfer mode to binary and set the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.

Step 5 Upload d006.cc and vrpcfg.cfg from the PC to the Switch.
ftp> put d006.cc d006.cc
200 Port command okay.
150 Opening BINARY mode data connection for d006.cc.
ftp> put vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
ftp> quit
C:\WINDOWS\Desktop>

----End

Configuration Files
#
 sysname Quidway
#
 FTP server enable
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
aaa
 local-user u1 password simple ftppwd
 local-user u1 ftp-directory cfcard:/
 local-user u1 service-type ftp
#
return

8.7.2 Example for Configuring an ACL of the FTP Server
In this example, an ACL is configured to allow only a certain host to log in to the FTP server.

Networking Requirements
As shown in Figure 8-2, the IP address of the FTP server is 172.16.104.110/24.

The routes between PC1, PC2, and the FTP server are reachable. On the S9300 that functions as the FTP server, it is required that the FTP server permit only PC1, with the IP address 172.16.104.111, to download and upload files through FTP, and that PC2 cannot connect to the FTP server after the ACL is configured.

Figure 8-2 Networking diagram for configuring an ACL of the FTP server (FTP server 172.16.104.110/24; PC1 172.16.104.111/24; PC2 172.16.105.111/24)

Configuration Roadmap
The configuration roadmap is as follows:

1. Perform basic configurations on the FTP server.
2. Configure the ACL on the FTP server.

Data Preparation
To complete the configuration, you need the following data:

- Name of the FTP user set as u1 and password set as huawei on the server
- Number of the ACL

Procedure

Step 1 Configure basic FTP functions.

For details, see 8.7.1 Example for Configuring the FTP Server.

Step 2 Configure an ACL.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 172.16.104.111 0.0.0.0
[Quidway-acl-basic-2001] quit

Step 3 Apply the ACL to the FTP server.
[Quidway] ftp acl 2001

Step 4 Connect PC1 to the FTP server.

This step is performed in the command prompt (DOS window) of the PC.

c:\ ftp 172.16.104.110
Connected to 172.16.104.110.
220 FTP service ready.
User (100.2.150.40:(none)):u1
331 Password required for u1
Password:
230 User logged in.
ftp>

Step 5 Connect PC2 to the FTP server.

This step is performed in the command prompt (DOS window) of the PC.
c:\ ftp 172.16.104.110
Connected to 172.16.104.110.
Info:Connection was denied by remote host according to ACL!
Connection closed by remote host.

----End

Configuration Files
Configuration file of the FTP server
#
 sysname Quidway
#
 FTP server enable
 FTP acl 2001
#
acl number 2001
 rule 5 permit source 172.16.104.111 0
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 local-user u1 password simple huawei
 local-user u1 ftp-directory cfcard:/
 local-user u1 service-type ftp
#
return
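The following Python script is an added example, not Huawei code, that ties the basic-ACL procedure of 8.6 to the configuration file above: it parses the plain-text configuration file format, evaluates the ACL bound with ftp acl (or, for the TFTP client of 8.6.3, tftp-server acl) against a source address using wildcard-mask semantics, and lists the settings a reviewer checks before exposing FTP. The sample configuration is constructed from the file above with an added ACL 2002 and tftp-server acl binding; default deny for an address that matches no rule is taken from the PC2 output in Step 5 and assumed to hold generally.

```python
"""Audit the S9300-style configuration file format used in this chapter.

Added example, not Huawei code: parses the plain-text 'Configuration Files'
format, evaluates basic ACLs with VRP wildcard-mask semantics (a 1 bit in
the wildcard means "ignore this bit") and reports settings a reviewer checks.
"""
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF

# Constructed sample modelled on the 8.7.2 configuration file; ACL 2002 and
# the 'tftp-server acl 2002' binding are added to show the client-side TFTP
# ACL of section 8.6 and first-match rule ordering.
SAMPLE_CONFIG = """\
#
 sysname Quidway
#
 FTP server enable
 FTP acl 2001
 tftp-server acl 2002
#
acl number 2001
 rule 5 permit source 172.16.104.111 0
#
acl number 2002
 rule 5 deny source 10.1.1.2 0
 rule 10 permit source 10.1.1.0 0.0.0.255
#
aaa
 local-user u1 password simple huawei
 local-user u1 ftp-directory cfcard:/
 local-user u1 service-type ftp
#
return
"""


def _to_int(token):
    """'172.16.104.111' or '0.0.0.0' -> int; the shorthand wildcard '0' is also accepted."""
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token)


def parse_acls(config):
    """Return {acl_number: [(action, network, wildcard), ...]} for each basic ACL."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"acl(?: number)? (\d+)$", line)
        if header:
            current = int(header.group(1))
            acls[current] = []
            continue
        if line == "#":  # section separator closes the ACL view
            current = None
            continue
        rule = re.match(r"rule(?: \d+)? (permit|deny)(?: source (\S+)(?: (\S+))?)?", line)
        if current is not None and rule:
            action, src, wc = rule.groups()
            if src is None or src == "any":  # no source restriction: matches every host
                acls[current].append((action, 0, ALL_ONES))
            else:
                acls[current].append((action, _to_int(src), _to_int(wc or "0")))
    return acls


def acl_permits(rules, ip):
    """First match wins; an unmatched address is denied, as the PC2 output in 8.7.2 shows."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, net, wc in rules:
        if (addr ^ net) & (ALL_ONES ^ wc) == 0:  # compare only the bits the wildcard keeps
            return action == "permit"
    return False


def bound_acl_permits(config, keyword, ip):
    """Evaluate the ACL bound with '<keyword> acl N' ('ftp' in 8.7.2, 'tftp-server' in 8.6.3)."""
    m = re.search(rf"^\s*{keyword} acl (\d+)\s*$", config, re.IGNORECASE | re.MULTILINE)
    if m is None:
        return True  # nothing bound: no restriction at all
    return acl_permits(parse_acls(config).get(int(m.group(1)), []), ip)


def ftp_client_allowed(config, client_ip):
    """Would the FTP server in this configuration accept a login attempt from client_ip?"""
    if not re.search(r"^\s*ftp server enable\s*$", config, re.IGNORECASE | re.MULTILINE):
        return False  # FTP server not enabled
    return bound_acl_permits(config, "ftp", client_ip)


def audit_ftp(config):
    """Human-readable findings; an empty list means nothing to report."""
    findings = []
    enabled = re.search(r"^\s*ftp server enable\s*$", config, re.IGNORECASE | re.MULTILINE)
    if enabled and re.search(r"^\s*ftp acl \d+", config, re.IGNORECASE | re.MULTILINE) is None:
        findings.append("FTP server enabled without an ACL: any reachable host may attempt to log in")
    for m in re.finditer(r"^\s*local-user (\S+) password simple ", config, re.MULTILINE):
        findings.append(f"local-user {m.group(1)} uses 'password simple' (plaintext in the configuration file)")
    return findings
```

Running ftp_client_allowed on the sample reproduces the example: 172.16.104.111 (PC1) is permitted and 172.16.105.111 (PC2) is denied, while audit_ftp flags the plaintext local-user password.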

8.7.3 Example for Configuring the FTP Client
In this example, a switch is configured to be an FTP client. Then, the switch logs in to the FTP server and downloads system software and configuration files.

Networking Requirements
As shown in Figure 8-3, the remote server at 10.1.1.2 serves as the FTP server. The Switch and the FTP server are directly connected and on the same network segment. The Switch has a reachable route to the FTP server.

The Switch acts as the FTP client. Interfaces ranging from GigabitEthernet3/0/1 to GigabitEthernet3/0/4 can be used to set up FTP connections, and they share the IP address 10.1.1.1.

The Switch downloads files from the FTP server.


Figure 8-3 Networking diagram of the Switch functioning as the FTP client (the PC is attached to the Switch, as FTP client, by a configuration cable; the Switch has an FTP session to the FTP server)

Configuration Roadmap
The configuration roadmap is as follows:

1. Log in to the FTP server from the FTP client.
2. Download files from the server to the storage device of the client.

Data Preparation
To complete the configuration, you need the following data:

- IP address of the FTP server
- Name of the destination file and position where the destination files are located on the Switch
- Name of the FTP user set as u1 and the password set as ftppwd on the client

Procedure

Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to ftppwd.

Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1 to VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 3/0/1
[Quidway-GigabitEthernet3/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/1] quit
[Quidway] interface gigabitethernet 3/0/2
[Quidway-GigabitEthernet3/0/2] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/2] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/2] quit
[Quidway] interface gigabitethernet 3/0/3
[Quidway-GigabitEthernet3/0/3] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/3] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/3] quit
[Quidway] interface gigabitethernet 3/0/4
[Quidway-GigabitEthernet3/0/4] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/4] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/4] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.3 24

Step 3 On the Switch, initiate a connection to the FTP server with the user name u1 and the password ftppwd.
<Quidway> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.

[ftp]

Step 4 On the Switch, set the file transfer mode to binary and set the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.

Step 5 Download the vrpcfg.cfg file from the remote FTP server to the Switch.
[ftp] get vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
226 Transfer complete.
FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
<Quidway>

----End

Configuration Files
#
 sysname Quidway
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.3 255.255.255.0
#
interface GigabitEthernet3/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface GigabitEthernet3/0/2
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface GigabitEthernet3/0/3
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface GigabitEthernet3/0/4
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return

8.7.4 Example for Configuring the TFTP Client
In this example, the TFTP application is run on the TFTP server and the location of the source file on the server is set. After that, you can upload and download files.

Networking Requirements
As shown in Figure 8-4, the Switch cannot function as the TFTP server. The remote server at 10.1.1.2 functions as the TFTP server.


The Switch acts as a TFTP client. VLAN 10 is created on the Switch, and GigabitEthernet3/0/1 is added to VLAN 10. The IP address 10.1.1.1/24 is assigned to VLANIF 10.

The Switch downloads files from the TFTP server.

Figure 8-4 Networking diagram for configuring TFTP (the PC is attached to the Switch, as TFTP client, by a configuration cable; the Switch has a TFTP session to the TFTP server)

Configuration Roadmap

The configuration roadmap is as follows:

1. Run the TFTP software on the TFTP server and set the location of the source file to be downloaded to the Switch.
2. Download files through TFTP commands on the Switch.

Data Preparation

To complete the configuration, you need the following data:

- TFTP software installed on the TFTP server
- Path of the source file on the TFTP server
- Name of the destination file and position where the destination file is located on the Switch

Procedure

Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.

Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 3/0/1
[Quidway-GigabitEthernet3/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet3/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet3/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 24

Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...

----End


Configuration Files
#
 sysname Quidway
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return


9 Telnet and SSH

About This Chapter

Telnet and SSH can provide a terminal which enables users to remotely log in to and access a server.

9.1 Telnet and SSH Introduction
This section explains basic concepts of user login by means of Telnet and SSH.

9.2 Configuring Telnet Terminal Services
This section explains how to log in to a switch by means of Telnet and configure the switch.

9.3 Configuring SSH Users
SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH servers.

9.4 Configuring the SSH Server Function
This section describes how to configure the SSH server. STelnet or SFTP must first be enabled on the SSH server.

9.5 Configuring the STelnet Client Function
This section describes how to configure the STelnet client. A secure connection between the client and server can be established through negotiation, and the client will be able to log in to the server similarly to using Telnet services.

9.6 Configuring the SFTP Client Function
This section explains how to configure the SFTP client. The authentication and bidirectional data encryption of the SFTP client can be manually configured, which will ensure secure file transmission on the network.

9.7 Configuring the SCP Client
This section describes how to configure the SCP client. The SCP client sets up a secure connection with the SCP server so that the client can upload files to the server or download files from the server.

9.8 Configuration Examples
This section provides configuration examples for Telnet and SSH along with a configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.


9.1 Telnet and SSH Introduction
This section explains basic concepts of user login by means of Telnet and SSH.

9.1.1 Overview of User Login
You can locally or remotely log in to a switch through the console port, Telnet, or SSH.

To configure, monitor, and maintain the local or remote S9300, you need to configure the user interface, user management, and the terminal service.

The user interface provides a login plane. User management guarantees login security, and the terminal service provides the related processes of the login protocol.

The S9300 supports the following login methods:

- Login through the console port

- Local or remote login through Telnet or SSH

9.1.2 Telnet Terminal Services
The S9300 provides Telnet services including Telnet server and Telnet client.

Telnet Services

Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and a virtual terminal service through the network.

The S9300 provides the following Telnet services:

- Telnet server: You can run the Telnet client program on a PC to log in to the switch, and configure and manage it. The switch acts as a Telnet server.

- Telnet client: You can run the terminal emulation program or the Telnet client program on a PC to connect with the switch. With the telnet command, you can log in to other switches to configure and manage them. As shown in Figure 9-1, Switch A serves as both the Telnet server and the Telnet client.

Figure 9-1 Telnet client services (PC to SwitchA: Telnet Session 1; SwitchA, as both Telnet server and Telnet client, to SwitchB: Telnet Session 2)


9.1.3 SSH Terminal Services
The S9300 supports the basic SSH protocol, the SSH client function, SFTP, STelnet, and SCP.

Introduction to SSH

SSH works at the application layer of the TCP/IP protocol suite. It provides remote login and a virtual terminal over a network where security cannot otherwise be guaranteed. Running over a TCP connection, SSH authenticates the peer and encrypts and integrity-protects the transmitted data, which guards against the following attacks, as shown in Figure 9-2:

- IP spoofing
- Interception of the password in plain text
- Denial of Service (DoS)

In the figure, Switch is an S9300.

Figure 9-2 Establishing a local SSH connection between the PC and the S9300: PC (SSH client) -- Ethernet -- L2 Switch -- Ethernet -- Switch (SSH server, VLAN 1)

SSH uses the client/server model and sets up multiple secure transmission channels. The Switch, as the SSH server, can be connected to multiple PCs that function as SSH clients. A Layer 2 switch may sit between the PC and the SSH server. In practice, the only requirement is that a route exists between the PC and the Switch.

Advantages of SSH

The applications of SSH include STelnet and SFTP.

Unlike the Telnet and FTP terminal services, SSH provides secure remote access over a network that itself offers no security guarantee. The advantages of SSH are as follows:

- STelnet client functions

  Login through Telnet carries a security risk: the peer is not authenticated, and all data, including the user name and password, is transmitted over TCP in plain text. This insecure access exposes the device to malicious attacks, including DoS attacks, IP spoofing attacks, and route spoofing attacks. SSH provides secure remote access over an insecure network by supporting the following functions:

  – Rivest-Shamir-Adleman (RSA) authentication
  – Data Encryption Standard (DES) and 3DES encryption (single DES has a 56-bit key and is no longer considered secure; prefer 3DES where the client allows it)
  – Encrypted transfer of the user name and password
  – Encrypted transfer of interactive data

  SSH uses RSA. After the public key and the private key are generated according to the principle of asymmetric encryption, the following information is transmitted securely between the SSH client and the SSH server:

  – Key
  – User name or password
  – Interactive data

- SFTP client functions

  SFTP provides the following types of application:

  – Using SFTP, you can log in to the S9300 securely from a remote device to manage files. This improves the security of data transmission when files must be transferred during an upgrade of the remote system.
  – The S9300 can function as an SFTP client and log in to a remote device over SSH to transfer files securely.

- SCP client

  SCP enables you to log in to the device securely from a remote device to upload or download files, which makes data transfer during a remote system upgrade much safer. In addition, SCP provides a client function so that the local device can log in to a remote device for secure data transfer.

  Unlike SFTP, SCP combines user authentication and file transfer into a single operation, which simplifies the procedure and improves configuration efficiency.

Setting Up an SSH Connection

The procedure for setting up an SSH connection is as follows:

1. Negotiating the SSH version

2. Negotiating the key

3. Authenticating the user identity

4. Initiating a session request

5. Performing the interactive session

9.2 Configuring Telnet Terminal Services
This section explains how to log in to a switch by means of Telnet and configure the switch.

9.2.1 Establishing the Configuration Task
Before configuring Telnet terminal services, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.


Applicable Environment
To log in to the switch remotely through Telnet for maintenance and management, you need to configure Telnet terminal services.

Pre-configuration Tasks
Before configuring Telnet terminal services, complete the following tasks:

- Ensuring that the switch runs normally
- Ensuring that the IP addresses of interfaces on the switch are configured correctly
- Configuring the user account, the correct login authentication mode, and call-in and call-out restrictions
- Ensuring that reachable routes exist between the terminal and the switch

Data Preparation
To configure Telnet terminal services, you need the following data.

No. Data
1   IP address of the switch
2   Name of the VPN instance
3   IPv4/IPv6 address or host name of the remote switch
4   Number of the TCP port on which the remote switch provides the Telnet service
5   (Optional) Timeout period after which the server terminates the connection on the user interface
6   (Optional) Source IP address or source interface of the device functioning as a Telnet client

9.2.2 Enabling the Telnet Service
Before a Telnet connection to the server can be established, the Telnet service must be enabled on the server.

Context
Do as follows on the switch that serves as a Telnet server.

Perform one of the following two procedures, for IPv4 or for IPv6.

Procedure
- For the IPv4 network

  1. Run: system-view

     The system view is displayed.

  2. Run: telnet server enable

     The Telnet service is enabled.

  NOTE

  - By default, the Telnet server function is enabled.
  - If the undo telnet server enable command is run while a Telnet login is in progress, the command does not take effect.
  - After the Telnet server function is disabled, you can log in to the device only through SSH or an asynchronous serial interface, not through Telnet.

- For the IPv6 network

  1. Run: system-view

     The system view is displayed.

  2. Run: telnet ipv6 server enable

     The Telnet service is enabled.

  NOTE

  - By default, the Telnet server function is enabled.
  - If the undo telnet ipv6 server enable command is run while a Telnet login is in progress, the command does not take effect.
  - After the Telnet server function is disabled, you can log in to the device only through SSH or an asynchronous serial interface, not through Telnet.

Because the Telnet server is enabled by default and transmits credentials in plain text, disable it with undo telnet server enable (and undo telnet ipv6 server enable) once STelnet access has been verified, so that only the encrypted management path remains open.

----End

9.2.3 Establishing a Telnet Connection
You can log in to and manage a switch through Telnet.

Context

Do as follows on the switch that serves as a Telnet client.

Perform one of the following two steps, for IPv4 or for IPv6.

Procedure
- Run:
  telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] host-name [ port-number ]

  Log in to the remote switch over IPv4 and manage it.

- Run:
  telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ] host-name [ -i interface-type interface-number ] [ port-number ]

  Log in to the remote switch over IPv6 and manage it.

----End


9.2.4 (Optional) Configuring a Telnet Server Port Number
You can configure or change the port number on which the Telnet server listens. A non-default port hides the service from scanners that probe only port 23, but it does not protect the session: Telnet traffic remains in plain text, and a full port scan still finds the service.

Context

Do as follows on the switch that functions as a Telnet server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: telnet server port port-number

The Telnet server port number is set.

When a new port number is set, the Telnet server terminates all established Telnet connections and then listens on the new port for new Telnet connection requests. By default, the Telnet server port number is 23.

----End

9.2.5 (Optional) Scheduled Telnet Disconnection
You can set an idle-timeout period for Telnet connections. If a Telnet connection stays idle for the specified period, the system terminates it automatically, which limits how long an unattended session remains open for reuse.

Context

Do as follows on the switch that serves as the Telnet server, that is, the switch on which the users log in.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run: idle-timeout minutes [ seconds ]

Scheduled Telnet disconnection is enabled for the selected user interfaces.

----End


9.2.6 Checking the Configuration
After configuring Telnet terminal services, you can view the connection status of the current user interface, the connection status of each user interface, and the status of all established TCP connections.

Prerequisite
The configuration of Telnet terminal services is complete.

Procedure
- Run the display users command to check information about connected users.
- Run the display users all command to check information about all users, including connected and disconnected users.
- Run the display tcp status command to check TCP connections.
- Run the display telnet-client command to check the source address or source interface of the device that functions as a Telnet client.
- Run the display telnet server status command to check the configuration and status of the Telnet server.

----End

Example

Run the display tcp status command to view TCP connections. In the command output, Established indicates that a TCP connection has been set up; an entry with local port 23 in the Established state is a live plaintext Telnet session.

<Quidway> display tcp status
TCPCB    Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
39952df8 36 /1509  0.0.0.0:0           0.0.0.0:0           0      Closed
32af9074 59 /1     0.0.0.0:21          0.0.0.0:0           14849  Listening
34042c80 73 /17    10.164.39.99:23     10.164.6.13:1147    0      Established

Run the display telnet-client command to view the source IP address or source interface of the Telnet client.

<Quidway> display telnet-client
The source address of telnet client is 1.1.1.1.

Run the display telnet server status command to view the configuration and status of the Telnet server.

<Quidway> display telnet server status
TELNET IPV4 server :Enable
TELNET IPV6 server :Enable
TELNET server port :23
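The following is an added example and not part of the Huawei guide: a Python script that parses text in the layout of the display tcp status and display telnet server status outputs above and reports plaintext Telnet exposure, which is the check an operator wants before and after disabling the Telnet server. The sample outputs are constructed (the page's table plus two extra rows for a Telnet listener and an SSH session), and all function names are the example's own.

```python
"""Parse 'display tcp status' text and report plaintext Telnet exposure.

Added example, not Huawei code. The sample outputs below are constructed to
match the layout shown in the guide; rows for a Telnet listener and an SSH
session were added so that the check has something to find.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One row of 'display tcp status': TCPCB, Tid/Soid, local, foreign, VPNID, state.
TCP_ROW = re.compile(
    r"^(?P<tcpcb>[0-9a-fA-F]+)\s+(?P<tid>\d+)\s*/(?P<soid>\d+)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<faddr>[\d.]+):(?P<fport>\d+)\s+"
    r"(?P<vpn>\d+)\s+(?P<state>[A-Za-z_]+)\s*$"
)


@dataclass(frozen=True)
class TcpEntry:
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    vpn_id: int
    state: str


def parse_tcp_status(text: str) -> List[TcpEntry]:
    """Return one TcpEntry per table row; prompt, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = TCP_ROW.match(line.strip())
        if m:
            entries.append(TcpEntry(m["laddr"], int(m["lport"]), m["faddr"],
                                    int(m["fport"]), int(m["vpn"]), m["state"]))
    return entries


def parse_telnet_server_port(text: str) -> int:
    """Read the listening port from 'display telnet server status'; 23 is the default."""
    m = re.search(r"TELNET server port\s*:\s*(\d+)", text)
    return int(m.group(1)) if m else 23


def telnet_exposure(entries: List[TcpEntry],
                    telnet_port: int = 23) -> Tuple[List[TcpEntry], List[TcpEntry]]:
    """Split Telnet sockets into (listeners, established sessions).

    Every entry in the second list is a live session whose credentials and
    commands crossed the network in plain text; the first list shows whether
    the server can still be reached at all.
    """
    listening = [e for e in entries if e.local_port == telnet_port and e.state == "Listening"]
    established = [e for e in entries if e.local_port == telnet_port and e.state == "Established"]
    return listening, established


def report(tcp_text: str, telnet_status_text: str) -> List[str]:
    """Human-readable findings for the two command outputs."""
    port = parse_telnet_server_port(telnet_status_text)
    listening, established = telnet_exposure(parse_tcp_status(tcp_text), port)
    findings = [f"telnet listener on {e.local_addr}:{e.local_port} (VPN {e.vpn_id})"
                for e in listening]
    findings += [f"plaintext telnet session {e.foreign_addr}:{e.foreign_port} -> "
                 f"{e.local_addr}:{e.local_port}" for e in established]
    return findings


# Constructed sample outputs (layout as shown in the guide; extra rows added).
SAMPLE_TCP_STATUS = """<Quidway> display tcp status
TCPCB    Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
39952df8 36 /1509  0.0.0.0:0           0.0.0.0:0           0      Closed
32af9074 59 /1     0.0.0.0:21          0.0.0.0:0           14849  Listening
3a10c0e0 61 /3     0.0.0.0:23          0.0.0.0:0           0      Listening
34042c80 73 /17    10.164.39.99:23     10.164.6.13:1147    0      Established
3b22d1f4 80 /21    10.164.39.99:22     10.164.6.40:52210   0      Established
"""
SAMPLE_TELNET_STATUS = """<Quidway> display telnet server status
TELNET IPV4 server :Enable
TELNET IPV6 server :Enable
TELNET server port :23
"""

if __name__ == "__main__":
    for line in report(SAMPLE_TCP_STATUS, SAMPLE_TELNET_STATUS):
        print(line)
```

The port is taken from display telnet server status rather than hard-coded, so a server moved off port 23 (section 9.2.4) is still found; the SSH session on port 22 in the sample is deliberately not reported.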

9.3 Configuring SSH Users
SSH users must be configured so that STelnet or SFTP clients can log in to SSH servers.


9.3.1 Establishing the Configuration Task
Before configuring SSH users, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

An STelnet or SFTP client can log in to the SSH server and perform operations only after SSH users are correctly configured on the SSH server.

Pre-configuration Tasks

Before configuring SSH users, complete the following tasks:

- Creating a local user
- Configuring an RSA public key for the SSH client on the SSH server

Data Preparation

To configure SSH users, you need the following data.

No. Data
1   Name and password of SSH users
2   Authentication mode of SSH users
3   Service type of SSH users
4   Name of the peer RSA public key assigned to SSH users
5   Operating directory of the SFTP service for SSH users

9.3.2 Creating an SSH User
AAA does not support RSA authentication. Therefore, when RSA authentication or password-rsa authentication is used, you need to create the SSH user explicitly. When password authentication is used, you also need to create a local user with the same name in the AAA view.

Context
NOTE

Besides creating an SSH user separately, you can also create an SSH user implicitly while configuring the following:

- Configuring the Authentication Mode for SSH Users
- Configuring the Service Type of SSH Users

Do as follows on the switch that serves as an SSH server.


Procedure
Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh user user-name

If you want to create an SSH user in the password authentication mode, you also need to create a local user with the same name in the AAA view:

1. Run: aaa

   The AAA view is displayed.

2. Run: local-user user-name password { simple | cipher } password

   The local user name and password are created. The simple keyword stores the password in plain text in the configuration file, where anyone who can read or back up the configuration can recover it; use cipher so that the stored form is encrypted.

----End

9.3.3 Configuring SSH for the VTY User Interface
You can configure the VTY user interface to accept SSH.

Context
Do as follows on the switch that serves as an SSH server.

Procedure
Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run: authentication-mode aaa

The AAA authentication mode is configured.

Step 4 Run: protocol inbound ssh

The VTY is configured to accept SSH only. Telnet logins on these VTY lines are refused from then on, so apply the command to every VTY line that remote administrators use once STelnet access has been confirmed.

NOTE

The authentication mode of the VTY user interface must be set to AAA. Otherwise, the protocol inbound ssh command cannot be configured.

----End


9.3.4 Generating a Local RSA Key Pair
You need to create an RSA key pair before configuring SSH.

Context
Do as follows on the switches that serve as the client or the server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: rsa local-key-pair create

A local RSA key pair is generated.

NOTE

The local RSA key pair must be generated before an SSH login is possible. Run the rsa local-key-pair create command before performing any other SSH configuration. The server's key pair is what clients use to identify the server on every later connection, so regenerating it forces every client that has saved the old public key to accept a new one.

----End

9.3.5 Configuring the Authentication Mode for SSH Users
You can configure password or RSA authentication for SSH users.

Context
Do as follows on the switch that serves as an SSH server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for the SSH user is configured.

Perform the following as required:

- Authenticate the SSH user through a password.

  – Run: ssh user user-name authentication-type password

    Password authentication is configured for the SSH user.

  – Run: ssh authentication-type default password

    Password authentication is configured as the default for SSH users.

  For local or HWTACACS authentication, use the former command when the number of SSH users is small; when the number of SSH users is large, use the latter command to simplify the configuration.

- Authenticate the SSH user through RSA.

  1. Run: ssh user user-name authentication-type rsa

     RSA authentication is configured for the SSH user.

  2. Run: rsa peer-public-key key-name

     The public key view is displayed.

  3. Run: public-key-code begin

     The public key editing view is displayed.

  4. Run: hex-data

     The public key is entered.

     The public key must be a string of hexadecimal characters. It is generated on the SSH client; run the display rsa local-key-pair public command on the client to view the generated public key.

  5. Run: public-key-code end

     Quit the public key editing view.

     If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run. If the specified key-name has been deleted in another view, the system prompts that the key does not exist after the peer-public-key end command is run and returns to the system view.

  6. Run: peer-public-key end

     Return to the system view from the public key view.

  7. Run: ssh user user-name assign rsa-key key-name

     The public key is assigned to the SSH user.

  NOTE

  - After the public key editing view is displayed, the RSA public key generated on the client can be entered on the server. Copy the RSA public key to the switch that serves as the SSH server.
  - Before the peer RSA public key is assigned to the SSH user, the SSH server must be configured, and the peer RSA public key must be the RSA public key of the SSH client. Whoever can paste a key here can log in as that user, so compare the pasted key with the client's copy before assigning it, and treat the key blob as a credential.

----End
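The following is an added example and not part of the Huawei guide: a Python script that checks a pasted RSA public-key hex string before it is typed into the public-key editing view above, and derives a fingerprint of the decoded bytes so that the operator can confirm out of band that the key about to be assigned with ssh user ... assign rsa-key is really the client's. The switch itself reports an invalid hex-data string only at the end of the editing procedure. The key bytes are a constructed sample, not a real key, and the function names are the example's own.

```python
"""Validate a pasted RSA public-key hex string and compute its fingerprint.

Added example, not Huawei code. CLIENT_KEY_HEX is a constructed byte string
standing in for the output of 'display rsa local-key-pair public' on the
client; it is not a real key.
"""
import base64
import hashlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


class KeyFormatError(ValueError):
    """Raised when the pasted text cannot be a hex-data public key."""


def normalize_hex_key(text: str) -> str:
    """Join the hex lines as copied from the client.

    Whitespace and line breaks are dropped; any other character, or an odd
    number of digits (a truncated line), is rejected before anything is typed
    into the public-key editing view.
    """
    digits = "".join(text.split())
    if not digits:
        raise KeyFormatError("empty key")
    bad = sorted({c for c in digits if c not in HEX_DIGITS})
    if bad:
        raise KeyFormatError(f"non-hex characters in key: {bad}")
    if len(digits) % 2:
        raise KeyFormatError("odd number of hex digits; a line was probably truncated")
    return digits.lower()


def is_valid_hex_key(text: str) -> bool:
    """True when normalize_hex_key() accepts the text."""
    try:
        normalize_hex_key(text)
        return True
    except KeyFormatError:
        return False


def key_fingerprint(text: str) -> str:
    """SHA-256 fingerprint of the decoded key bytes, in the usual base64 form."""
    raw = bytes.fromhex(normalize_hex_key(text))
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def keys_match(client_copy: str, server_copy: str) -> bool:
    """True when the text pasted on the server decodes to the same bytes as the client's copy."""
    return key_fingerprint(client_copy) == key_fingerprint(server_copy)


# Constructed hex blob standing in for the client's public key output.
CLIENT_KEY_HEX = """
3047 0240 C0FF EE11 2233 4455 6677 8899
AABB CCDD EEFF 0011 2233 4455 6677 8899
AABB CCDD EEFF 0011 2233 4455 6677 8899
AABB CCDD EEFF 0011 2233 4455 6677 8899
AABB CCDD EEFF 0203 0100 01
"""
# The same key with the final digit lost, as happens when a terminal paste is truncated.
TRUNCATED_KEY_HEX = CLIENT_KEY_HEX.rstrip()[:-1]
# The same key with one digit mistyped: it passes the format check but yields another fingerprint.
MISTYPED_KEY_HEX = CLIENT_KEY_HEX.replace("C0FF", "C0FE", 1)

if __name__ == "__main__":
    print("client fingerprint  :", key_fingerprint(CLIENT_KEY_HEX))
    print("mistyped fingerprint:", key_fingerprint(MISTYPED_KEY_HEX))
    print("truncated paste valid:", is_valid_hex_key(TRUNCATED_KEY_HEX))
```

The format check catches the truncation and stray-character cases that the switch rejects only at the end of the procedure; the fingerprint comparison is what catches a key that is well-formed but not the client's, which the switch cannot detect at all.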


9.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users

You can configure the interval for updating the server key pair, the timeout period of SSH authentication, and the number of SSH authentication retries.

Context

Do as follows on the switch that serves as an SSH server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh server rekey-interval interval

The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0, which means that the key pair is never updated.

Step 3 Run: ssh server timeout seconds

The timeout period of SSH authentication is set.

By default, the timeout period is 60 seconds.

Step 4 Run: ssh server authentication-retries times

The number of SSH authentication retries is set.

By default, the number of retries is 3. Raising it gives a password-guessing client more attempts per connection; keep the default unless a specific client needs more.

----End

9.3.7 (Optional) Authorizing SSH Users Through the Command Line

If RSA authentication is used, you need to configure command line authorization for SSH users.

Context
NOTE

There are four authentication modes for an SSH user: password, rsa, password-rsa, and all. For details of command line authorization under password authentication, see the chapter "AAA and User Management" in the Quidway S9300 Configuration Guide - Security. This section describes how to configure command line authorization for RSA authentication.

Do as follows on the switch that serves as an SSH server.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh user user-name authorization-cmd aaa

Command line authorization is configured for the specified SSH user.

----End

Follow-up Procedure

After configuring command line authorization for an SSH user that uses RSA authentication, you must also configure AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.

9.3.8 Configuring the Service Type of SSH Users
You can set the service type of an SSH user to SFTP, STelnet, or all.

Context

Do as follows on the switch that functions as an SSH server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh user username service-type { sftp | stelnet | all }

The service type of the SSH user is configured.

By default, the service type of an SSH user is not configured. Grant only the service the account needs: an account used for file transfer should get sftp, not all.

----End

9.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users

You can configure a directory as the authorized directory within which SSH users may use the SFTP service.

Context

Do as follows on the switch that serves as an SSH server.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh user username sftp-directory directoryname

The authorized SFTP directory for the SSH user is configured.

By default, the authorized SFTP directory for an SSH user is cfcard:, the root of the storage card, which gives the user access to every file on it, including the saved configuration and the system software. Give SFTP users a dedicated subdirectory unless they genuinely need the whole card.

----End

9.3.10 Checking the Configuration
After configuring SSH users, you can view SSH user information.

Prerequisite
The configuration of SSH users is complete.

Procedure
- Run the display ssh user-information command to check information about all SSH users configured on the SSH server.
- Run the display ssh user-information username command to check information about the specified SSH user on the SSH server.

----End

Example
Run the display ssh user-information username command. The output shows that the SSH user named client001 is authenticated by password and that its service type is sftp.

[Quidway] display ssh user-information client001
User Name             : client001
Authentication-type   : password
User-public-key-name  : -
Sftp-directory        : -
Service-type          : sftp
Authorization-cmd     : No

9.4 Configuring the SSH Server Function
This section describes how to configure the SSH server. STelnet, SFTP, or SCP must first be enabled on the SSH server.

9.4.1 Establishing the Configuration Task
Before configuring the SSH server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.


Applicable Environment
Before configuring the SSH server, you must enable STelnet, SFTP, or SCP on it. You can also move the port on which the SSH server listens away from the standard port. This keeps automated scanners that probe only port 22 from reaching the server and saves the bandwidth and system resources they would consume, but it is not a substitute for strong user authentication, because a full port scan still finds the service.

Pre-configuration Tasks
Before configuring the SSH server, complete the following tasks:

- Connecting the SSH client to the SSH server correctly
- Ensuring that the SSH client and the SSH server are routable to each other
- Configuring the VTY user interface on the SSH server to support SSH
- Configuring the SSH users on the SSH server
- Creating the local RSA key pair on the SSH server

Data Preparation
To configure the SSH server, you need the following data.

No. Data
1   Number of the port on which the SSH server listens

9.4.2 Enabling the STelnet Service
Before the STelnet service can be used, it must be enabled.

Context
Do as follows on the switch that serves as an SSH server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: stelnet server enable

The STelnet service is enabled.

By default, the STelnet service is disabled.

----End

9.4.3 Enabling the SFTP Service
Before the SFTP service can be used, it must be enabled.


Context
Do as follows on the switch that serves as an SSH server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: sftp server enable

The SFTP service is enabled.

By default, the SFTP service is disabled.

----End

9.4.4 Enabling SCP Services
SCP services become available only after being enabled.

Context
Do as follows on the S9300 functioning as the SCP server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: scp server enable

SCP services are enabled.

By default, SCP services are disabled.

----End

9.4.5 (Optional) Enabling the Earlier Version-Compatible Function
You can configure whether the SSH server accepts clients that run earlier SSH versions.

Context
Do as follows on the switch that serves as an SSH server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh server compatible-ssh1x enable

The earlier version-compatible function is enabled.

By default, a server running SSH 2.0 also accepts clients running SSH 1.X. To refuse clients that run SSH 1.3 to SSH 1.99 (that is, clients whose protocol version is in the range 1.3 to 1.99), run the undo ssh server compatible-ssh1x enable command so that the switch no longer accepts the earlier protocol version. SSH 1.x protects integrity with a CRC-32 check that is known to be forgeable, so leave compatibility enabled only while a legacy client that cannot speak SSH 2.0 still needs access.

NOTE

- Compared with SSH 1.X, SSH 2.0 is extended in structure to more authentication modes and key exchange modes and offers higher service capability, such as SFTP.
- The S9300 supports SSH protocol versions 1.3 to 2.0.

----End

9.4.6 (Optional) Configuring the Number of the Port Monitored by the SSH Server

You can configure or change the port on which the SSH server listens. A non-standard port keeps the server out of scans aimed only at port 22; it does not strengthen authentication, so it complements RSA authentication rather than replacing it.

Context
Do as follows on the switch that serves as an SSH server.

Procedure
Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh server port port-number

The port on which the SSH server listens is configured.

When a new listening port is configured, the SSH server terminates all STelnet and SFTP connections and then listens on the new port. By default, the SSH server listens on port 22.

----End

9.4.7 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server

You can configure the interval at which the SSH server regenerates its key pair, which limits how long a compromised server key remains usable. Clients that have saved the previous public key will have to accept the new one after each regeneration.

Context
Do as follows on the switch that serves as an SSH server.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh server rekey-interval interval

The interval for updating the key pair is set.

By default, the interval for updating the key pair of the SSH server is 0, which means that the key pair is never updated.

----End

9.4.8 Checking the Configuration
After configuring the SSH server, you can view the global configuration of the SSH server.

Prerequisite
The configuration of the SSH server is complete.

Procedure

Step 1 Run the display ssh server status command to view the global configuration of the SSH server.

----End

Example

Run the display ssh server status command. The output shows that the SSH version advertised by the server is 1.99, meaning that it accepts both SSH 1.x and SSH 2.0 clients (see 9.4.5), and that the number of authentication retries is 5.

<Quidway> display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries         : 5 times
SFTP server                        : Enable
Stelnet server                     : Enable
Scp server                         : Enable
SSH server port                    : 55535

NOTE

If the listening port is the default, the currently monitored port is not displayed in the output.
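The following is an added example serving sections 9.2 to 9.4, not part of the Huawei guide: a Python audit that scans configuration text written in the command syntax these sections document and reports the weak settings they discuss. Both sample configurations are constructed. Settings the guide describes as defaults (Telnet enabled, SSH 1.x compatibility enabled, rekey-interval 0) never appear in the configuration, so the audit reports them whenever the undo form or override that changes them is absent. Two points are assumptions rather than statements of the guide: that a VTY line accepts Telnet unless protocol inbound ssh is set, and that a VTY block's lines are indented under its user-interface vty header.

```python
"""Audit an S9300 running configuration for weak remote-access settings.

Added example, not Huawei code. Both sample configurations are constructed.
Assumed: VTY lines accept Telnet unless 'protocol inbound ssh' is present,
and VTY block lines are indented under the 'user-interface vty' header.
"""
import re
from typing import List, Tuple

# Defaults the guide documents; they show up only as the absence of their undo form.
DEFAULT_CHECKS = [
    ("undo telnet server enable",
     "telnet-enabled: IPv4 Telnet is on by default; credentials cross the network in plain text"),
    ("undo telnet ipv6 server enable", "telnet-ipv6-enabled: IPv6 Telnet is on by default"),
    ("undo ssh server compatible-ssh1x enable", "ssh1x-compat: SSH 1.x clients are accepted by default"),
]


def vty_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Return (header, body lines) for each 'user-interface vty' block."""
    blocks: List[Tuple[str, List[str]]] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("user-interface vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # '#' or any other unindented line ends the block
    return blocks


def audit_config(config: str) -> List[str]:
    """Return findings as 'code: explanation'; an empty list means nothing weak was found."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = [finding for undo_cmd, finding in DEFAULT_CHECKS if undo_cmd not in lines]
    rekey = [l.split()[-1] for l in lines if l.startswith("ssh server rekey-interval ")]
    if not rekey or rekey[-1] == "0":
        findings.append("no-rekey: server key pair is never regenerated (rekey-interval 0)")
    for l in lines:
        m = re.match(r"ssh server authentication-retries (\d+)$", l)
        if m and int(m.group(1)) > 3:
            findings.append(f"retries-high: {m.group(1)} authentication retries; the default is 3")
        m = re.match(r"local-user (\S+) password simple ", l)
        if m:
            findings.append(f"plaintext-password: local user {m.group(1)} stored with 'simple'")
    for header, body in vty_blocks(config):
        if "protocol inbound ssh" not in body:
            findings.append(f"vty-protocol: '{header}' still accepts Telnet (no 'protocol inbound ssh')")
        if "idle-timeout 0 0" in body:
            findings.append(f"idle-timeout-off: '{header}' never disconnects idle sessions")
    return findings


# Constructed configuration that leaves the weak settings at their defaults.
WEAK_CONFIG = """\
#
ssh server authentication-retries 5
ssh user admin authentication-type rsa
ssh user backup authentication-type password
#
aaa
 local-user backup password simple Backup123
 local-user admin password cipher @%@%constructed-cipher-text@%@%
#
user-interface vty 0 4
 authentication-mode aaa
 idle-timeout 0 0
user-interface vty 5 9
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
#
"""

# The same device after the corrections described in this chapter.
HARDENED_CONFIG = """\
#
undo telnet server enable
undo telnet ipv6 server enable
undo ssh server compatible-ssh1x enable
ssh server rekey-interval 2
ssh server authentication-retries 3
ssh user admin authentication-type rsa
ssh user backup authentication-type password
#
aaa
 local-user backup password cipher @%@%constructed-cipher-text@%@%
 local-user admin password cipher @%@%constructed-cipher-text@%@%
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
user-interface vty 5 9
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
#
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  " + finding)
```

The audit is intentionally driven by absence: the three most consequential weaknesses on this platform are invisible in display current-configuration because they are the defaults, which is exactly why a script rather than a visual review is needed.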

9.5 Configuring the STelnet Client Function
This section describes how to configure the STelnet client. A secure connection between the client and server is established through negotiation, after which the client logs in to the server in the same way as with Telnet.


9.5.1 Establishing the Configuration Task
Before configuring an STelnet client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

STelnet is a secure Telnet protocol. An SSH user uses the STelnet service in the same manner as the Telnet service.

Pre-configuration Tasks

Before connecting the STelnet client to the SSH server, complete the following tasks:

- Generating the local RSA key pair on the SSH server
- Configuring the STelnet user on the SSH server
- Enabling the STelnet service on the SSH server

Data Preparation

To connect the STelnet client to the SSH server, you need the following data:

No. Data
1   Name of the SSH server
2   Number of the port on which the SSH server listens
3   Preferred encryption algorithm from the STelnet client to the SSH server
4   Preferred encryption algorithm from the SSH server to the STelnet client
5   Preferred HMAC algorithm from the STelnet client to the SSH server
6   Preferred HMAC algorithm from the SSH server to the STelnet client
7   Preferred key exchange algorithm
8   Name of the outgoing interface
9   Source address

9.5.2 Enabling the First-Time Authentication on the SSH ClientAfter the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time.

Context

If the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time. After

Quidway S9300 Terabit Routing SwitchConfiguration Guide - Basic Configuration 9 Telnet and SSH

Issue 01 (2011-10-26) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

145

Page 158: Configuration Guide - Basic Configuration(V100R006C01_01)

the login, the system automatically allocates the RSA public key and saves it for authenticationin next login.

To simplify user operations, it is recommended that you enable the first-time authentication on the SSH client.

Do as follows on the switch that serves as an SSH client:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:ssh client first-time enable

The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.

NOTE

l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA public key of the SSH server.

l If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA public key of the SSH server in advance on the SSH client in addition to enabling the first-time authentication on the SSH client.

----End

9.5.3 (Optional) Assigning an RSA Public Key to the SSH Server

You can assign an RSA public key to the SSH server.

Context

If the first-time authentication on the SSH client is disabled, you need to allocate an RSA public key to the SSH server before the STelnet client logs in to the SSH server.

Do as follows on the switch that serves as an SSH client:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:rsa peer-public-key key-name


The public key view is displayed.

Step 3 Run:public-key-code begin

The public key editing view is displayed.

Step 4 Run:hex-data

The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.

Step 5 Run:public-key-code end

Quit the public key editing view.

If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run. If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.

Step 6 Run:peer-public-key end

Return to the system view from the public key view.

Step 7 Run:ssh client servername assign rsa-key keyname

The RSA public key is assigned to the SSH server.

NOTE

l Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the STelnet client can successfully undergo the validity check on the RSA public key of the SSH server.

l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.

----End
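The two host-key checking modes described in 9.5.2 and 9.5.3 (first-time authentication, and assigning the server's RSA public key in advance) come down to one question the client must answer at login: is there a trusted key stored for this server name, and does the presented key match it? The following is an added example, not code from the Huawei guide or its products; it models that decision with an in-memory store. The server names and hex keys are constructed values, not real RSA key material.

```python
"""Model of the two host-key checking modes the guide describes.

Added illustration, not code from the Huawei guide or its products. With
first-time authentication enabled, the client accepts the server's RSA public
key on the first login, saves it, and checks later logins against it; with it
disabled, the key must be assigned in advance (rsa peer-public-key ... / ssh
client <servername> assign rsa-key <keyname>) or the login fails. Keys here are
constructed hex strings, not real RSA key material.
"""
import hashlib


class UnknownHost(Exception):
    """No key is stored for the server and first-time authentication is off."""


class HostKeyMismatch(Exception):
    """The presented key differs from the stored one: refuse to log in."""


def normalize_hex_key(hex_pubkey: str) -> str:
    """Return the key in canonical form; reject anything that is not hex data."""
    key = "".join(hex_pubkey.split()).lower()
    if not key:
        raise ValueError("public key must not be empty")
    try:
        bytes.fromhex(key)
    except ValueError:
        raise ValueError("public key must be hexadecimal data") from None
    return key


def fingerprint(hex_pubkey: str) -> str:
    """Short SHA-256 fingerprint, the value an operator would compare out of band."""
    return hashlib.sha256(bytes.fromhex(normalize_hex_key(hex_pubkey))).hexdigest()[:16]


class SshClientHostKeys:
    """Per-client store: SSH server name -> trusted RSA public key (hex)."""

    def __init__(self, first_time_enabled: bool = False):
        # Default matches the guide: first-time authentication is disabled.
        self.first_time_enabled = first_time_enabled
        self._keys = {}

    def assign_rsa_key(self, servername: str, hex_pubkey: str) -> None:
        """Like 'ssh client <servername> assign rsa-key <keyname>'."""
        self._keys[servername] = normalize_hex_key(hex_pubkey)

    def unassign_rsa_key(self, servername: str) -> None:
        """Like 'undo ssh client <servername> assign rsa-key'."""
        self._keys.pop(servername, None)

    def connect(self, servername: str, presented_hex_pubkey: str) -> str:
        """Host-key check done at login. Returns 'verified' or 'saved', or raises."""
        presented = normalize_hex_key(presented_hex_pubkey)
        stored = self._keys.get(servername)
        if stored is None:
            if not self.first_time_enabled:
                raise UnknownHost(f"no RSA public key assigned for {servername}")
            # Trust on first use: save the key so later logins are checked against it.
            self._keys[servername] = presented
            return "saved"
        if stored != presented:
            raise HostKeyMismatch(
                f"{servername}: stored {fingerprint(stored)}, presented {fingerprint(presented)}"
            )
        return "verified"


def login_result(client: SshClientHostKeys, servername: str, hex_pubkey: str) -> str:
    """Outcome of one login attempt as a label, for reporting or testing."""
    try:
        return client.connect(servername, hex_pubkey)
    except UnknownHost:
        return "unknown-host"
    except HostKeyMismatch:
        return "mismatch"
    except ValueError:
        return "invalid-key"
```

The point the model makes explicit: with first-time authentication the very first login is the only one that is not checked, so the stored fingerprint should be confirmed against the server after that login; assigning the key in advance removes that unchecked login entirely, at the cost of the manual hex-data entry the guide describes.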

9.5.4 Enabling the STelnet Client

You can log in to the SSH server from the SSH client through STelnet.

Context

NOTE

When accessing an SSH server, the STelnet client can carry the source address and the VPN instance name, choose the key exchange algorithm, encryption algorithm, and HMAC algorithm, and configure the keepalive function.

Do as follows on the switch that serves as an SSH client:


Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, select and run one of the following two commands.

l For IPv4 addresses,

Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. You can log in to the SSH server through STelnet.

l For IPv6 addresses,

Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. You can log in to the SSH server through STelnet.

----End

9.5.5 Checking the Configuration

After configuring the STelnet client, you can view the global configuration of the SSH server.

Prerequisite

The configuration of the STelnet client function is complete.

Procedure

l Run the display ssh server-info command on the SSH client to check the mapping between the SSH server and its RSA public key.

l Run the display ssh server session command on the SSH server to check the session of the SSH client.

----End

Example

When you run the display ssh server session command, you can see that the client logs in from VTY 3 using the STelnet service with password authentication.

<Quidway> display ssh server session
 Session 1:
   Conn : VTY 3
   Version : 2.0
   State : started
   Username : client001
   Retry : 1
   CTOS Cipher : aes128-cbc
   STOC Cipher : aes128-cbc
   CTOS Hmac : hmac-sha1-96
   STOC Hmac : hmac-sha1-96
   Kex : diffie-hellman-group1-sha1
   Service Type : stelnet
   Authentication Type : password

9.6 Configuring the SFTP Client Function

This section explains how to configure the SFTP client. The authentication and bidirectional data encryption of the SFTP client can be manually configured, which will ensure secure file transmission on the network.

9.6.1 Establishing the Configuration Task

Before configuring the SFTP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

SFTP enables users to log in to the device from a secure remote end to manage files. This improves the security of data transmission for the remote end to update its system. The SFTP client function also enables you to log in to the remote device through SFTP for secure file transmission.

Pre-configuration Tasks

Before connecting the SFTP client to the SSH server, complete the following tasks:

l Creating a local RSA key pair on an SSH server

l Configuring an SFTP client on the SSH server

l Enabling the SFTP service on the SSH server

Data Preparation

To connect an SFTP client to an SSH server, you need the following data.

No. Data

1 Name of the SSH server

2 Number of the port monitored by the SSH server

3 Preferred encryption algorithm from the SFTP client to the SSH server

4 Preferred encryption algorithm from the SFTP server to the SSH client

5 Preferred HMAC algorithm from the SFTP client to the SSH server

6 Preferred HMAC algorithm from the SFTP server to the SSH client

7 Preferred algorithm of key exchange


8 Name of the outgoing interface

9 Source address

10 Directory name

11 File name

9.6.2 (Optional) Configuring a Source IP Address for an SFTP Client

You can configure a source IP address for an SFTP client. Then, you can set up an SFTP connection from the SFTP client to the server through a specific route by using this source IP address.

Context

Do as follows on a switch that functions as an SFTP client.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:sftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address is configured for an SFTP client.

----End

9.6.3 Configuring the First-Time Authentication on the SSH Client

After the first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA public key when logging in to the SSH server for the first time.

Context

If the first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication at the next login.

To simplify user operations, it is recommended that you enable the first-time authentication on the SSH client.

Do as follows on the switch that serves as an SSH client:


Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:ssh client first-time enable

The first-time authentication on the SSH client is enabled.

By default, first-time authentication is disabled on SSH clients.

NOTE

l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the SFTP client logs in to the SSH server for the first time. The check is skipped because the SFTP client has not yet saved the RSA public key of the SSH server.

l If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to the SSH server for the first time, the SFTP client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP

Besides enabling the first-time authentication on the SSH client, you can assign the RSA public key of the SSH server in advance on the SSH client so that the SFTP client can log in to the server successfully at the first attempt.

----End

9.6.4 (Optional) Assigning an RSA Public Key to the SSH Server

You can assign an RSA public key on the SSH client to the SSH server.

Context

If the first-time authentication on the SSH client is disabled, you need to assign an RSA public key to the SSH server before the STelnet client logs in to the SSH server.

Do as follows on the switch that serves as an SSH client:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:public-key-code begin

The public key editing view is displayed.


Step 4 Run:hex-data

The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.

Step 5 Run:public-key-code end

Quit the public key editing view.

If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run. If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.

Step 6 Run:peer-public-key end

Return to the system view from the public key view.

Step 7 Run:ssh client servername assign rsa-key keyname

Assign a public key to the SSH server.

NOTE

l Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the SFTP client can successfully undergo the validity check on the RSA public key of the SSH server.

l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.

----End

9.6.5 Enabling the SFTP Client

You can log in to the SSH server from the SSH client through SFTP.

Context

NOTE

The command for enabling the SFTP client is similar to that for STelnet. When accessing the SSH server, the SFTP client can carry the source address and the name of the VPN instance, choose the key exchange algorithm, encryption algorithm, and HMAC algorithm, and configure the keepalive function.

Do as follows on the switch that serves as an SSH client.

Procedure

Step 1 Run:system-view


The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.

l For IPv4 addresses,

Run:

sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

l For IPv6 addresses,

Run:

sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

----End

9.6.6 (Optional) Managing the Directory

On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH server.

Context

NOTE

After the SFTP client logs in to the SSH server, the SFTP client can create or delete a directory on the SSH server, and display the current operating directory and information about a specified directory and its files.

Do as follows on the switch that serves as an SSH client:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.

l For IPv4 addresses,

Run:

sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

l For IPv6 addresses,

Run:

sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

Step 3 Perform the following as required:

l Run:

cd [ remote-directory ]

The current operating directory of users is changed.

l Run:

cdup

The operating directory of users is switched to the upper-level directory.

l Run:

pwd

The current operating directory of users is displayed.

l Run:

dir / ls [ remote-directory ]

The file list in the specified directory is displayed.

l Run:

rmdir remote-directory & <1-10>

The directory on the server is deleted.

l Run:

mkdir remote-directory

A directory is created on the server.

----End

9.6.7 (Optional) Managing the File

On the SFTP client, you can view specified remote directories or files on the SFTP server or delete specified files on the SFTP server.

Context

NOTE

After the SFTP client logs in to the SSH server, the SFTP client can change file names, delete files, display the file list, and upload and download files on the SFTP server.

Do as follows on the login switch.

Procedure

Step 1 Run:system-view


The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.

l For IPv4 addresses,

Run:

sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

l For IPv6 addresses,

Run:

sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

Step 3 Perform the following as required:

l Run:

rename old-name new-name

The name of the specified file on the server is changed.

l Run:

get remote-filename [ local-filename ]

The file on the remote server is downloaded.

l Run:

put local-filename [ remote-filename ]

The local file is uploaded to the remote server.

l Run:

remove remote-filename

The file on the server is removed.

----End

9.6.8 (Optional) Displaying the SFTP Client Command Help

You can view the SFTP client command help.

Context

Do as follows on the login switch:

Procedure

Step 1 Run:system-view


The system view is displayed.

Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.

l For IPv4 addresses,

Run:

sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

l For IPv6 addresses,

Run:

sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

Step 3 Run:help [ all | command-name ]

The SFTP client command help is displayed.

----End

9.6.9 Checking the Configuration

After configuring the SFTP client, you can view the global configuration of the SSH server.

Prerequisite

The configuration of the SFTP client function is complete.

Procedure

l Run the display sftp-client command on the SSH client to check the source IP address of the SFTP client.

l Run the display ssh server-info command on the SSH client to check the mapping between the SSH server and its RSA public key.

l Run the display ssh server session command on the SSH server to check the session of the SSH client.

----End

Example

When you run the display ssh server session command, you can see that the client logs in from VTY 4 using the SFTP service with RSA authentication.

[Quidway] display ssh server session
 Session 2:
   Conn : VTY 4
   Version : 2.0
   State : started
   Username : client002
   Retry : 1
   CTOS Cipher : aes128-cbc
   STOC Cipher : aes128-cbc
   CTOS Hmac : hmac-sha1-96
   STOC Hmac : hmac-sha1-96
   Kex : diffie-hellman-group1-sha1
   Service Type : sftp
   Authentication Type : rsa
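The display ssh server session output in 9.5.5 and 9.6.9 is where an operator can see which of the prefer_kex, prefer_ctos_cipher, prefer_stoc_cipher and prefer_*_hmac choices a client actually negotiated. The following is an added example, not code from the Huawei guide or its products, that parses such output and flags the weaker options the stelnet and sftp commands allow (des and 3des, md5 and the truncated *_96 HMACs, dh_group1, and password-only authentication). The sample output is constructed from the fields shown in the guide's two examples plus a third, invented session; the field names are assumed to appear one per line as "Name : value".

```python
"""Audit the algorithms negotiated by SSH sessions from 'display ssh server session'.

Added illustration, not code from the Huawei guide. SAMPLE_OUTPUT is constructed
from the fields the guide's examples show (sessions on VTY 3 and VTY 4), plus a
third, invented session negotiating the weakest options the stelnet/sftp
commands allow. The parser splits the output into sessions; the audit flags
choices that are weak by current standards: DES/3DES ciphers, MD5 or truncated
(-96) HMACs, the 1024-bit diffie-hellman-group1 key exchange, and password-only
authentication.
"""
import re

SAMPLE_OUTPUT = """\
 Session 1:
   Conn : VTY 3
   Version : 2.0
   State : started
   Username : client001
   Retry : 1
   CTOS Cipher : aes128-cbc
   STOC Cipher : aes128-cbc
   CTOS Hmac : hmac-sha1-96
   STOC Hmac : hmac-sha1-96
   Kex : diffie-hellman-group1-sha1
   Service Type : stelnet
   Authentication Type : password
 Session 2:
   Conn : VTY 4
   Version : 2.0
   State : started
   Username : client002
   Retry : 1
   CTOS Cipher : aes128-cbc
   STOC Cipher : aes128-cbc
   CTOS Hmac : hmac-sha1-96
   STOC Hmac : hmac-sha1-96
   Kex : diffie-hellman-group1-sha1
   Service Type : sftp
   Authentication Type : rsa
 Session 3:
   Conn : VTY 5
   Version : 2.0
   State : started
   Username : client003
   Retry : 1
   CTOS Cipher : des-cbc
   STOC Cipher : 3des-cbc
   CTOS Hmac : hmac-md5
   STOC Hmac : hmac-md5-96
   Kex : diffie-hellman-group-exchange-sha1
   Service Type : stelnet
   Authentication Type : rsa
"""

# Values as they appear in the output, plus the bare keyword forms used on the
# stelnet/sftp command line (prefer_ctos_cipher des, prefer_ctos_hmac md5_96, ...).
WEAK_CIPHERS = {"des", "des-cbc", "3des", "3des-cbc"}
WEAK_HMACS = {"md5", "md5_96", "sha1_96", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"dh_group1", "diffie-hellman-group1-sha1"}

SESSION_RE = re.compile(r"^\s*Session\s+(\d+)\s*:")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_sessions(text):
    """Map session number -> {field name: value} for one display output."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = int(m.group(1))
            sessions[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sessions[current][m.group(1)] = m.group(2)
    return sessions


def audit_session(fields):
    """Return (field, value, reason) findings for one session, grouped by field."""
    findings = []
    for name in ("CTOS Cipher", "STOC Cipher"):
        value = fields.get(name, "")
        if value.lower() in WEAK_CIPHERS:
            findings.append((name, value, "DES/3DES cipher: prefer aes128"))
    for name in ("CTOS Hmac", "STOC Hmac"):
        value = fields.get(name, "")
        if value.lower() in WEAK_HMACS:
            findings.append((name, value, "MD5 or truncated HMAC: prefer full-length sha1"))
    kex = fields.get("Kex", "")
    if kex.lower() in WEAK_KEX:
        findings.append(("Kex", kex, "1024-bit DH group1: prefer dh_exchange_group"))
    auth = fields.get("Authentication Type", "")
    if auth.lower() == "password":
        findings.append(("Authentication Type", auth, "password only: prefer rsa or password-rsa"))
    return findings


def audit_output(text):
    """Map session number -> findings for a whole display output."""
    return {sid: audit_session(fields) for sid, fields in parse_sessions(text).items()}
```

Run against the guide's own two sessions, the audit reports the truncated hmac-sha1-96 in both directions and the group1 key exchange; both are defaults the client can override with prefer_ctos_hmac sha1, prefer_stoc_hmac sha1 and prefer_kex dh_exchange_group on the stelnet or sftp command line.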

9.7 Configuring the SCP Client

This section describes how to configure the SCP client. The SCP client sets up a secure connection with the SCP server so that the client can upload files to the server or download files from the server.

9.7.1 Establishing the Configuration Task

Before configuring the SCP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP allows file uploading or downloading without user authentication and public key assignment, and also supports file uploading or downloading in batches.

Pre-configuration Tasks

Before configuring the SCP client, complete the following tasks:

l Generating a local RSA key pair on the SCP server

l Configuring SCP users on the SCP server

l Enabling SCP services on the SCP server

Data Preparation

To configure the SCP client, you need the following data.

No. Data

1 (Optional) Source IPv4 or IPv6 address and source interface of the local switch

2 Port number of the remote SCP server, VPN instance name, encryption algorithm for uploading or downloading files, source files to be uploaded or downloaded, and destination files to be uploaded or downloaded


9.7.2 (Optional) Configuring a Source IP Address for the SCP Client

It is more secure to configure a source IP address for the SCP client, and use the specified source IP address to set up an SCP connection between the client and server.

Context

Do as follows on the switch functioning as the SCP client:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:scp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address or a source interface is configured for the SCP client.

At present, the available source interface must be a loopback interface. A loopback interface is recommended to improve network security.

----End

9.7.3 Copying Files

You can use SCP to upload files from the client to the server or download files from the server to the client.

Context

NOTE

When logging in to the SCP server, the SCP client can carry the source IP address and VPN instance name, and select an encryption algorithm.

Do as follows on the switch functioning as the SCP client:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Files are uploaded from the SCP client to the remote SCP server or downloaded from the remote SCP server to the SCP client.

l Based on an IPv4 address

scp [ -port port-number | public-net | vpn-instance vpn-instance-name | -a source-address | -i interface-type interface-number | -r | -cipher { des | 3des | aes128 } | -c ] * sourcefile destinationfile

l Based on an IPv6 address

scp ipv6 [ -port port-number | public-net | vpn-instance vpn-instance-name | -a source-ipv6-address | -r | -cipher { des | 3des | aes128 } | -c ] * sourcefile destinationfile [ -i interface-type interface-number ]

----End

9.7.4 Checking the Configuration

After the SCP client is successfully configured, you can view configurations of the SCP connection.

Prerequisite

The configurations of the SCP client are complete.

Context

l Run the display scp-client command to view the source IP address or source interface of the SCP client.

Example

Run the display scp-client command, and you can view the source IP address of the SCP client.

<Quidway> display scp-client
 The source of SCP ipv4 client: 1.1.1.1
 The source of SCP ipv6 client: --

9.8 Configuration Examples

This section provides configuration examples for Telnet and SSH along with a configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

9.8.1 Example for Configuring the Telnet Terminal Service

In this example, the authentication mode and password are configured for users to log in to the switch through Telnet.

Networking Requirements

As shown in Figure 9-3, after logging in to Switch A, the user logs in to Switch B through Telnet by using the default port 23.


Figure 9-3 Networking diagram of the remote login of the Ethernet user

(Figure: PC, SwitchA 10.10.10.8/24 and SwitchB 10.10.10.9/24 connected on the same network.)

Switch Interface VLANIF interface IP address

SwitchA GigabitEthernet1/0/1 VLANIF 2 10.10.10.8/24

SwitchB GigabitEthernet1/0/1 VLANIF 2 10.10.10.9/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Assign IP addresses to Switch A and Switch B.

2. Configure an authentication mode and password on Switch B.

3. Log in to Switch B from Switch A.

Data Preparation

To complete the configuration, you need the following data:

l ID of the VLAN

l IP address and number of the interface on Switch A that functions as the Telnet client

l IP address and number of the interface on Switch B that functions as the Telnet server

l Authentication mode and the password for a user to log in to Switch B through Telnet

Procedure

Step 1 Assign IP addresses.

# Assign an IP address to Switch A that functions as the Telnet client.

<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]

# Assign an IP address to Switch B that functions as the Telnet server.

<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] ip address 10.10.10.9 255.255.255.0
[SwitchB-Vlanif2] quit
[SwitchB]

Step 2 Configure the authentication mode and password for Switch B.

[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode password
[SwitchB-ui-vty0-4] set authentication password simple 123456
[SwitchB-ui-vty0-4] quit
[SwitchB]

Step 3 Verify the configuration.

# Log in to Switch B on Switch A through Telnet.

<SwitchA> telnet 10.10.10.9
Trying 10.10.10.9 ...
Press CTRL+K to abort
Connected to 10.10.10.9 ...
Login authentication

Password:
info: The max number of VTY users is 20, and the current number of VTY users on line is 1.
<SwitchB>

----End

Configuration Files

l Configuration file of Switch A

#
 sysname SwitchA
#
vlan batch 2
#
interface Vlanif2
 ip address 10.10.10.8 255.255.255.0
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
return

l Configuration file of Switch B

#
 sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
 ip address 10.10.10.9 255.255.255.0
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
user-interface vty 0 4
 set authentication password simple 123456
#
return
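The Switch B configuration file above leaves three things an auditor would want to see in a configuration review: the VTY lines still accept Telnet (the NOTE in 9.8.2 explains that only protocol inbound ssh disables it), authentication is a single shared VTY password, and that password is stored with the simple keyword, so it is readable to anyone who can display the configuration. The following is an added example, not code from the Huawei guide or its products, that parses configuration text in this layout and reports those conditions. Both sample configurations are constructed: the first follows the Switch B example, the second follows the SSH server example in 9.8.2, with a placeholder in place of the cipher text.

```python
"""Audit VTY login settings in a VRP-style configuration file.

Added illustration, not code from the Huawei guide. It parses the plain-text
configuration layout the guide's configuration files use (top-level commands,
indented sub-commands, '#' separators) and flags what the Telnet example leaves
in place: a VTY that still accepts Telnet because 'protocol inbound ssh' is not
set, the shared-password authentication mode, and a password stored with the
'simple' keyword, which keeps it readable in the configuration. Both sample
configurations are constructed: TELNET_VTY follows the guide's Switch B Telnet
example, SSH_VTY follows its SSH server example; the cipher-text value is a
placeholder.
"""

TELNET_VTY = """\
#
 sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
 ip address 10.10.10.9 255.255.255.0
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple 123456
#
return
"""

SSH_VTY = """\
#
 sysname SSH Server
#
aaa
 local-user client001 password cipher <cipher-text-placeholder>
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
stelnet server enable
ssh authentication-type default password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def parse_blocks(config):
    """Return [(top-level command, [indented sub-commands])] in file order."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            continue  # blank lines and '#' separators carry no configuration
        if line.startswith(" "):
            if not blocks:
                blocks.append(("", []))  # e.g. ' sysname' before any block
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit_config(config):
    """Return (block, code, explanation) findings for weak VTY login settings."""
    findings = []
    for header, cmds in parse_blocks(config):
        if header.startswith("user-interface vty"):
            if not any(c.startswith("protocol inbound ssh") for c in cmds):
                findings.append((header, "telnet-allowed",
                                 "no 'protocol inbound ssh': cleartext Telnet logins remain possible"))
            if any(c.startswith("authentication-mode password") for c in cmds):
                findings.append((header, "shared-password",
                                 "authentication-mode password: one shared secret, no per-user accounts; prefer aaa"))
            for c in cmds:
                if c.startswith("set authentication password simple"):
                    findings.append((header, "plaintext-password",
                                     "'simple' stores the VTY password readable in the configuration"))
        if header == "aaa":
            for c in cmds:
                if c.startswith("local-user") and " password simple " in f" {c} ":
                    findings.append((header, "plaintext-password",
                                     "'simple' stores the local-user password readable in the configuration"))
    return findings
```

The hardened sample produces no findings because it combines the three settings the SSH example configures on the server: authentication-mode aaa, protocol inbound ssh, and a local-user password entered with the cipher keyword.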


9.8.2 Example for Configuring the PC as the STelnet Client to Connect to the SSH Server

This part provides an example for configuring the PC as the STelnet client to connect to the SSH server. In this example, after generating the local key pair on the SSH server, configuring the name and password of the SSH user on the SSH server, and enabling the STelnet service on the SSH server, you can connect the STelnet client to the SSH server.

Networking Requirements

As shown in Figure 9-4, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server with the password, RSA, password-rsa, or all authentication mode.

Configure Client001 with the password as huawei and adopt the password authentication.

The IP address of the SSH server is 192.168.1.1.

The user interface supports only SSH.

Figure 9-4 Networking diagram of configuring the PC as the STelnet client to connect to the SSH server

(Figure: SSH Client connected to SSH Server across an IP Network.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Client001 on the SSH server.

2. Enable the STelnet service on the SSH server.

3. Configure password authentication as the default authentication mode on the SSH server.

Data Preparation

To complete the configuration, you need the following data:

l Name and the authentication mode of the SSH user

l Password of the SSH user

l Name of the SSH server

Procedure

Step 1 Generate a local key pair on the server.

<Quidway> system-view


[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++

Step 2 Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the S9300 automatically disables Telnet.

Step 3 Configure the password of the SSH user Client001 to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.

[SSH Server] stelnet server enable
[SSH Server] ssh authentication-type default password

Step 5 Verify the configuration.

# Log in to the device through the PuTTY software, specifying the IP address of the device as 192.168.1.1 and the login protocol as SSH.


# Log in to the device through the PuTTY software, and enter the user name client001 and the password huawei.


----End

Configuration Files

• Configuration file of the SSH server

#
 sysname SSH Server
#
aaa
 local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
 stelnet server enable
 ssh authentication-type default password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

9.8.3 Example for Configuring the Switch as the STelnet Client to Connect to the SSH Server

In this example, the local key pairs are generated on the STelnet client and the SSH server; the public RSA key is generated on the SSH server and then bound to the STelnet client. In this manner, the STelnet client can connect to the SSH server.

Networking Requirements

When you need to log in from one switch to other switches to configure them, you can configure the switch as an STelnet client.

As shown in Figure 9-5, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server in the authentication mode of password, RSA, password-rsa, or all.

The following login users need to be configured.

• Client001, with the password huawei and the authentication mode password
• Client002, with the password rsakey001 and the authentication mode RSA

The user interface supports only the SSH protocol.


Figure 9-5 Networking diagram of connecting the STelnet client and the SSH server

[Figure: Client001 (10.164.39.220/24) and Client002 (10.164.39.221/24) connected to the SSH Server (10.164.39.222/24)]

Switch       Interface              VLANIF interface   IP address
SSH server   GigabitEthernet1/0/1   VLANIF 10          10.164.39.222/24
Client001    GigabitEthernet1/0/1   VLANIF 10          10.164.39.220/24
Client002    GigabitEthernet1/0/1   VLANIF 10          10.164.39.221/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the STelnet client and the SSH server separately.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH client to Client002.
5. Enable the STelnet service on the SSH server.
6. Client001 and Client002 log in to the SSH server through STelnet.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of the FTP server and client, as shown in Figure 9-5
• SSH user name and authentication mode
• Password or RSA public key
• SSH server name

Procedure

Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.

Create VLAN 10 on the Switch that functions as the server and assign IP address 10.164.39.222/24 to interface VLANIF 10.

<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit


[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as assigning an IP address to VLANIF 10, and is not described here.

Step 2 Create a local key pair on the SSH server.

<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++

Step 3 Create an SSH user on the server.

NOTE

SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.

• Before configuring the authentication mode of password or password-rsa, you must configure a local user.
• Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA public key of the SSH client to the server.

# Configure a VTY user interface.

[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

• Create an SSH user named Client001.

# Create an SSH user named Client001 and configure the authentication mode as password for the user.

[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.

[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh

• Create an SSH user named Client002 and configure the authentication mode as RSA for the user.

[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa

Step 4 Configure the RSA public key on the server.

# Create a local key pair on the client.

<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key generated on the client.


[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
    D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
    9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
    1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
    BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001
[client002]

# Send the RSA public key generated on the client to the server.

[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end

Step 5 Bind the RSA public key of the SSH client to Client002.

[Quidway] ssh user client002 assign rsa-key RsaKey001

Step 6 Enable the STelnet service on the SSH server.

# Enable the STelnet service.

[Quidway] stelnet server enable

Step 7 Set the service type of Client001 and Client002 to STelnet.


[Quidway] ssh user client001 service-type stelnet
[Quidway] ssh user client002 service-type stelnet

Step 8 Connect the STelnet client and the SSH server.

# You must enable the initial authentication on the SSH client for the first login.

[client001] ssh client first-time enable
[client002] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode by entering the user name and password.

<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:

Enter the password huawei, and information indicating that the login succeeds is displayed as follows:

info: The max number of VTY users is 20, and the current number of VTY users on line is 1.
<Quidway>

# Client002 logs in to the SSH server in RSA authentication mode.

<client002> system-view
[client002] stelnet 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
***********************************************************
info: The max number of VTY users is 20, and the current number of VTY users on line is 1.
<Quidway>

Step 9 Verify the configuration.

After the configuration, run the display ssh server status and display ssh server session commands on the SSH server. You can see that the STelnet service is enabled and that the STelnet client has logged in to the server successfully.

# Check the status of the SSH server.

[Quidway] display ssh server status
 SSH version                        :1.99
 SSH connection timeout             :60 seconds
 SSH server key generating interval :0 hours
 SSH Authentication retries         :3 times
 SFTP server                        :Disable
 Stelnet server                     :Enable
 Scp server                         :Disable

# Check the connection of the SSH server.

[Quidway] display ssh server session
 Session 1:
   Conn: VTY 3
   Version: 2.0
   State: started


   Username: client001
   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: stelnet
   Authentication Type: password
 Session 1:
   Conn: VTY 4
   Version: 2.0
   State: started
   Username: client002
   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: stelnet
   Authentication Type: rsa

# Check information about the SSH user.

[Quidway] display ssh user-information
 User 1:
   User Name: client001
   Authentication-type: password
   User-public-key-name: -
   Sftp-directory: -
   Service-type: stelnet
   Authorization-cmd: No
 User 2:
   User Name: client002
   Authentication-type: rsa
   User-public-key-name: RsaKey001
   Sftp-directory: -
   Service-type: stelnet
   Authorization-cmd: No

----End

Configuration Files

• Configuration file of the Quidway, the SSH server

#
 sysname Quidway
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.222 255.255.255.0
#
 rsa peer-public-key rsakey001
  public-key-code begin
   3047
    0240
     BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
     203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
     EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
     1D7E3E1B
    0203
     010001
  public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#


 stelnet server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type stelnet
 ssh user client002 service-type stelnet
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

• Configuration file of Client001, the SSH client

#
 sysname client001
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.220 255.255.255.0
#
 ssh client first-time enable
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return

• Configuration file of Client002, the SSH client

#
 sysname client002
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.221 255.255.255.0
#
 ssh client first-time enable
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return

9.8.4 Example for Connecting the SFTP Client and the SSH Server

In this example, the local key pairs are generated on the SFTP client and the SSH server respectively; the public RSA key is generated on the SSH server and bound to the SFTP client. In this manner, the SFTP client can connect to the SSH server.

Networking Requirements

As shown in Figure 9-6, after the SFTP service is enabled on the SSH server, the SFTP client can log in to the SSH server in the authentication mode of password, RSA, password-rsa, or all.


Figure 9-6 Networking diagram for connecting the SFTP client and the SSH server

[Figure: Client001 (10.164.39.220/24) and Client002 (10.164.39.221/24) connected to the SSH Server (10.164.39.222/24)]

Switch       Interface              VLANIF interface   IP address
SSH server   GigabitEthernet1/0/1   VLANIF 10          10.164.39.222/24
Client001    GigabitEthernet1/0/1   VLANIF 10          10.164.39.220/24
Client002    GigabitEthernet1/0/1   VLANIF 10          10.164.39.221/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the SFTP client and the SSH server separately.
4. Create an RSA public key on the SSH server and bind the RSA public key of the SSH client to Client002.
5. Enable the SFTP service on the SSH server.
6. Configure the type of service and the authorized directory for the SSH user.
7. Client001 and Client002 log in to the SSH server through SFTP.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of the FTP server and client, as shown in Figure 9-6
• SSH user name and authentication mode
• Password or RSA public key of the SSH user
• SSH server name

Procedure

Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.

Create VLAN 10 on the S9300 that functions as the server and assign IP address 10.164.39.222/24 to VLANIF 10.

<Quidway> system-view
[Quidway] vlan 10


[Quidway] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the S9300 that functions as Client001 or Client002 is the same as assigning an IP address to VLANIF 10, and is not described here.

Step 2 Create a local key pair on the SSH server.

<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys..............++++++++++++..................++++++++++++...++++++++...........++++++++

Step 3 Create an SSH user on the server.

NOTE

SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.

• In password or password-rsa authentication mode, you must configure a local user.
• In RSA or all authentication mode, you must copy the RSA public key of the SSH client to the server.

# Configure a VTY user interface.

[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

• Create an SSH user named Client001.

# Create an SSH user named Client001 and configure the authentication mode as password for the user.

[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.

[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh

• Create an SSH user named Client002 and configure the authentication mode as RSA for the user.

[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa

Step 4 Configure the RSA public key on the server.

# Create a local key pair on the client.

<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key created on the client.

[client002] display rsa local-key-pair public


=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
    D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
    9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
    1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
    BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001
[client]

# Send the RSA public key created on the client to the server.

[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end

Step 5 Bind the RSA public key of the SSH client to Client002.

[Quidway] ssh user client002 assign rsa-key RsaKey001

Step 6 Enable the SFTP service on the SSH server.

# Enable the SFTP service.

[Quidway] sftp server enable

Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.

Two SSH users are configured on the SSH server: Client001 in the password authentication mode and Client002 in the RSA authentication mode.


[Quidway] ssh user client001 service-type sftp
[Quidway] ssh user client001 sftp-directory cfcard:/
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory cfcard:/

Step 8 Connect the SFTP client and the SSH server.

# You must enable the initial authentication on the SSH client for the first login.

[client001] ssh client first-time enable
[client002] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode.

<client001> system-view
[client001] sftp 10.164.39.222
Input Username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Enter password:
sftp-client>

# Client002 logs in to the SSH server in RSA authentication mode.

<client002> system-view
[client002] sftp 10.164.39.222
Input Username: client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
sftp-client>

Step 9 Verify the configuration.

After the configuration, run the display ssh server status and display ssh server session commands on the SSH server. You can see that the SFTP service is enabled and that the SFTP client has logged in to the server successfully.

# Check the status of the SSH server.

[Quidway] display ssh server status
 SSH version                        :1.99
 SSH connection timeout             :60 seconds
 SSH server key generating interval :0 hours
 SSH Authentication retries         :3 times
 SFTP server                        :Enable
 Stelnet server                     :Disable
 Scp server                         :Disable

# Check the connection of the SSH server.

[Quidway] display ssh server session
 Session 1:
   Conn: VTY 3
   Version: 2.0
   State: started
   Username: client001
   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: sftp
   Authentication Type: password
 Session 2:
   Conn: VTY 4
   Version: 2.0
   State: started
   Username: client002


   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: sftp
   Authentication Type: rsa

# Check information about the SSH user.

[Quidway] display ssh user-information
 User 1:
   User Name: client001
   Authentication-type: password
   User-public-key-name: -
   Sftp-directory: flash:
   Service-type: sftp
   Authorization-cmd: No
 User 2:
   User Name: client002
   Authentication-type: rsa
   User-public-key-name: RsaKey001
   Sftp-directory: flash:
   Service-type: sftp
   Authorization-cmd: No
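The display ssh server session output in Step 9 of 9.8.3 and of 9.8.4 shows not only that each client logged in but which cipher, MAC and key-exchange algorithm the session negotiated, and a reviewer should read those fields as well as the login result. The following Python script is an added example, not part of this guide or of the S9300 software: it parses a constructed copy of that output (two sessions, with the field names the switch prints above) into one record per session and lists the negotiated algorithms that a present-day review would question. The three algorithm sets are an assumption standing in for the reader's own policy; the guide itself does not rate these algorithms.

```python
import re

# Constructed sample in the exact layout the switch prints for
# "display ssh server session" above (session 2 numbered as in 9.8.4).
SAMPLE_SESSION_OUTPUT = """\
 Session 1:
   Conn: VTY 3
   Version: 2.0
   State: started
   Username: client001
   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: stelnet
   Authentication Type: password
 Session 2:
   Conn: VTY 4
   Version: 2.0
   State: started
   Username: client002
   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: stelnet
   Authentication Type: rsa
"""

# Assumed review policy (not from the guide): CBC-mode ciphers, truncated or
# MD5-based MACs, and the 1024-bit SHA-1 DH group are reported.
WEAK_CIPHERS = {"aes128-cbc", "aes256-cbc", "3des-cbc", "des-cbc"}
WEAK_MACS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1"}


def parse_sessions(text):
    """Split the output into one dict per 'Session N:' block, keyed by the printed field names."""
    sessions = []
    for line in text.splitlines():
        m = re.match(r"\s*Session\s+(\d+):", line)
        if m:
            sessions.append({"Session": int(m.group(1))})
            continue
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m and sessions:
            sessions[-1][m.group(1).strip()] = m.group(2).strip()
    return sessions


def audit_session(s):
    """Return the list of findings for one parsed session (empty list = nothing flagged)."""
    findings = []
    for field in ("CTOS Cipher", "STOC Cipher"):
        if s.get(field) in WEAK_CIPHERS:
            findings.append(f"{field} {s[field]} (CBC mode)")
    for field in ("CTOS Hmac", "STOC Hmac"):
        if s.get(field) in WEAK_MACS:
            findings.append(f"{field} {s[field]}")
    if s.get("Kex") in WEAK_KEX:
        findings.append(f"Kex {s['Kex']}")
    if s.get("Version") != "2.0":          # SSH1 fallback on a server reporting 1.99 would show here
        findings.append(f"protocol version {s.get('Version')}")
    return findings


def audit_sessions(text):
    """Map each logged-in user name to the findings for its session."""
    return {s["Username"]: audit_session(s) for s in parse_sessions(text)}


if __name__ == "__main__":
    for user, findings in audit_sessions(SAMPLE_SESSION_OUTPUT).items():
        print(user, "->", findings or "no findings")
```

Both sessions above produce the same five findings (both ciphers, both MACs and the key exchange), which is the expected result for the algorithms this guide's example negotiates; the script returns an empty list for a session whose fields are all outside the three sets.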

----End

Configuration Files

• Configuration file of the Quidway, the SSH server

#
 sysname Quidway
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.222 255.255.255.0
#
 rsa peer-public-key rsakey001
  public-key-code begin
   3047
    0240
     C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
     0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
     C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
     E917182B
    0203
     010001
  public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
 sftp server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type sftp
 ssh user client002 service-type sftp
 ssh user client001 sftp-directory cfcard:/
 ssh user client002 sftp-directory cfcard:/
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10


 port hybrid untagged vlan 10
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

• Configuration file of Client001, the SSH client

#
 sysname client001
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.220 255.255.255.0
#
 ssh client first-time enable
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return

• Configuration file of Client002, the SSH client

#
 sysname client002
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.221 255.255.255.0
#
 ssh client first-time enable
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return
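The configuration files printed at the end of the examples above show the two properties a reviewer checks in a saved switch configuration: how credentials are stored (password cipher in 9.8.2 versus password simple in 9.8.3 and 9.8.4, and set authentication password simple on Switch B in the Telnet example) and whether every VTY user interface carries authentication-mode aaa and protocol inbound ssh, as each SSH example here configures. The following Python script is an added example, not part of this guide or of the S9300 software: it splits a configuration in the '#'-delimited layout printed above into blocks and reports plain-text passwords and VTY lines that lack either setting. The sample configuration is constructed from fragments of the files above; the finding texts are this example's own wording.

```python
import re

# Constructed sample: the VTY block of Switch B (Telnet example) combined with the
# aaa block of the STelnet server in 9.8.3, in the layout the switch prints above.
SAMPLE_CONFIG = """\
#
 sysname SwitchB
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
user-interface vty 0 4
 set authentication password simple 123456
#
return
"""


def parse_blocks(config_text):
    """Split a '#'-delimited configuration into blocks; each block is a list of stripped lines."""
    blocks, current = [], []
    for line in config_text.splitlines():
        if line.strip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif line.strip():
            current.append(line.strip())
    if current:
        blocks.append(current)
    return blocks


def audit_config(config_text):
    """Return a list of findings: plain-text passwords and VTY interfaces missing aaa or ssh-only access."""
    findings = []
    for block in parse_blocks(config_text):
        head = block[0]
        if head == "aaa":
            for line in block:
                m = re.match(r"local-user (\S+) password simple\b", line)
                if m:
                    findings.append(f"aaa: local-user {m.group(1)} password stored in plain text")
        elif head.startswith("user-interface vty"):
            if "authentication-mode aaa" not in block:
                findings.append(f"{head}: authentication-mode aaa not set")
            if "protocol inbound ssh" not in block:
                findings.append(f"{head}: protocol inbound ssh not set")
            for line in block:
                if re.match(r"set authentication password simple\b", line):
                    findings.append(f"{head}: plain-text VTY password")
    return findings


# Hardened counterpart, assembled from the 9.8.2 server file above (cipher password,
# aaa authentication, SSH-only VTY): audit_config() returns no findings for it.
HARDENED_CONFIG = """\
#
aaa
 local-user client001 password cipher huawei
 local-user client001 service-type ssh
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
    print("hardened:", audit_config(HARDENED_CONFIG) or "no findings")
```

Note that password cipher huawei is what the operator types; the saved file shows the ciphertext, as the 9.8.2 configuration file above does, so matching on the keyword rather than on the value is the right check for a saved configuration.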

9.8.5 Example for Configuring the SSH Server to Support Access from Another Port

In this example, the listening port number of the SSH server is set to a port number other than the standard listening port number so that only valid users can set up connections with the SSH server.

Networking Requirements

The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access the standard port continuously, the bandwidth is consumed and the performance of the server is degraded. As a result, other valid users cannot access the port.

If the listening port on the SSH server is changed to a non-default one, attackers will not be aware of this change and will continue to send requests for socket connections to port 22. In this case, the SSH server detects that port 22 is not its listening port and denies the request to establish the socket connection.

Therefore, only valid users can use the specified listening port to set up a socket connection through the following procedures:


• Negotiating the version of the SSH protocol
• Negotiating the algorithm
• Generating the session key
• Authenticating
• Sending a request for a session
• Performing the interactive session

Figure 9-7 Networking diagram for configuring the SSH server to support access from another port

[Figure: Client001 (10.164.39.220/24) and Client002 (10.164.39.221/24) connected to the SSH Server (10.164.39.222/24)]

Switch       Interface              VLANIF interface   IP address
SSH server   GigabitEthernet1/0/1   VLANIF 10          10.164.39.222/24
Client001    GigabitEthernet1/0/1   VLANIF 10          10.164.39.220/24
Client002    GigabitEthernet1/0/1   VLANIF 10          10.164.39.221/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the SFTP client and the SSH server separately.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH client to Client002.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the type of service and the authorized directory for the SSH user.
7. Set the listening port number on the SSH server.
8. Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of the FTP server and client, as shown in Figure 9-7


l SSH user name and authentication model Password or RSA public key of the SSH userl Server namel Listening port number on the SSH server

Procedure

Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.

Create VLAN 10 on the Switch that functions as the server and assign IP address10.164.39.222/24 to VLANIF 10.

<Quidway> system-view[Quidway] vlan 10[Quidway-vlan10] quit[Quidway] interface gigabitethernet 1/0/1[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10[Quidway-GigabitEthernet1/0/1] quit[Quidway] interface vlanif 10[Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to theSwitch that functions as Client001 or Client002 is the same asassigning an IP address to VLANIF 10, and is not mentioned here.

Step 2 A local key pair generated on the SSH server<Quidway> system-view [Quidway] rsa local-key-pair createThe key name will be: Quidway_HostThe range of public key size is (512 ~ 2048).NOTES: If the key modulus is greater than 512, It will take a few minutes.Input the bits in the modulus[default = 512]:Generating keys..............++++++++++++..................++++++++++++...++++++++...........++++++++

Step 3 Configure the RSA public key on the server.

# Create a local key pair on the client.

<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create

# Check the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
    D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
    9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
    1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
    BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001
[client002]

# Send the RSA public key generated on the client to the server.

[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
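The Key code typed into the RSA key code view above is the DER encoding of the client's modulus and exponent. As an added example that is not part of the Huawei guide, the following Python decodes that hex dump, rebuilds the OpenSSH authorized_keys line that the display command also printed, and reports the modulus size, so an operator can confirm that the key entered on the server is the one the client generated; the key bytes are copied from the client002_Host output above.

```python
import base64
import re
import struct

# Copy of the "Key code" block that display rsa local-key-pair public printed
# for client002_Host in the guide above (whitespace is irrelevant to the parser).
HUAWEI_KEY_CODE = """
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001
"""


def _read_der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_huawei_key_code(text):
    """Parse the hex 'Key code' dump into (modulus, public exponent).

    The dump is a DER SEQUENCE { INTEGER n, INTEGER e }. The switch omits the
    leading 0x00 that strict DER requires when the first modulus byte has its
    high bit set, so both the padded and the unpadded form are accepted.
    """
    der = bytes.fromhex(re.sub(r"\s+", "", text))
    tag, body, end = _read_der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_der_tlv(body, 0)
    tag_e, e_bytes, pos = _read_der_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs in the SEQUENCE")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 mpint: minimal big-endian bytes, 0x00-prefixed if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def to_openssh_line(n, e, comment="rsa-key"):
    """Build the 'ssh-rsa <base64> <comment>' line in RFC 4253 public key wire format."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def key_bits(n):
    """Modulus size in bits; 512 is the switch default and far below current guidance."""
    return n.bit_length()


if __name__ == "__main__":
    n, e = parse_huawei_key_code(HUAWEI_KEY_CODE)
    print(f"modulus bits: {key_bits(n)}, exponent: {e}")
    print(to_openssh_line(n, e))
```

The rebuilt line matches the "Public key code for pasting into OpenSSH authorized_keys file" output above byte for byte, which is the cross-check to run before binding a pasted key to an SSH user.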

Step 4 Create an SSH user on the server.

NOTE

SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.

- Before configuring the authentication mode of password or password-rsa, you must configure a local user.

- Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA public key of the SSH client to the server.

# Configure a VTY user interface.

[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

# Create an SSH user named Client001, and configure the authentication mode as password for the user.

[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.

[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh
[Quidway-aaa] quit

# Set the type of service of Client001 to STelnet.

[Quidway] ssh user client001 service-type stelnet

# Create an SSH user named Client002, and configure the authentication mode as RSA for the user. Bind the RSA public key of the SSH client to Client002.

[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
[Quidway] ssh user client002 assign rsa-key RsaKey001

# Set the type of service of Client002 to SFTP and the authorized directory as cfcard:/.

[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory cfcard:/

Step 5 Enable the STelnet and SFTP services on the SSH server.

[Quidway] stelnet server enable
[Quidway] sftp server enable

Step 6 Configure the new listening port number on the SSH server.

[Quidway] ssh server port 1025

Step 7 Connect the SSH client and the SSH server.

# You must enable the initial authentication on the SSH client for the first login.

[client001] ssh client first-time enable
[client002] ssh client first-time enable

# The STelnet client logs in to the SSH server by using the new listening port.

[client001] stelnet 10.164.39.222 1025
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:

Enter the password huawei, and information indicating that the login succeeds is displayed as follows:

info: The max number of VTY users is 20, and the current number of VTY users on line is 1.
<Quidway>

# The SFTP client logs in to the SSH server by using the new listening port.

[client002] sftp 10.164.39.222 1025
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
The server's public key does not match the one we cached.
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to update the server's public key we cached?(Y/N):y
sftp-client>

Step 8 Verify the configuration.

Attackers fail to log in to the SSH server by using port 22.

[client002] sftp 10.164.39.222
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
Can't establish tcp connection to server

After the configuration, run the display ssh server status and display ssh server session commands on the SSH server. You can check the current listening port number on the SSH server, and confirm that the STelnet and SFTP clients have logged in to the server successfully.

# Check the status of the SSH server.

[Quidway] display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH Authentication retries          :3 times
 SFTP server                         :Enable
 Stelnet server                      :Enable
 Scp server                          :Disable
 SSH server port                     :1025

# Check the connection of the SSH server.

[Quidway] display ssh server session
 Session 1:
   Conn: VTY 3
   Version: 2.0
   State: started
   Username: client001
   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: stelnet
   Authentication Type: password
 Session 2:
   Conn: VTY 4
   Version: 2.0
   State: started
   Username: client002
   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: sftp
   Authentication Type: rsa
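The display ssh server session output lists the cipher, MAC and key exchange negotiated for each session, which is the place to check what the switch and its clients actually agreed on. The following Python is an added example, not part of the guide: it parses that output layout (accepting both the "Field: value" and the "Field : value" spacing the guide shows) and flags algorithm families that current guidance treats as legacy. Session 1 in the sample copies the guide's values; session 2 uses constructed, non-legacy values so that a clean session is shown alongside it.

```python
import re

# Constructed sample in the layout of the "display ssh server session" output
# shown above. Session 1 copies the guide's negotiated algorithms; session 2
# uses constructed values (not taken from the guide) so a clean case appears too.
SESSION_OUTPUT = """\
 Session 1:
   Conn: VTY 3
   Version: 2.0
   State: started
   Username: client001
   Retry: 1
   CTOS Cipher: aes128-cbc
   STOC Cipher: aes128-cbc
   CTOS Hmac: hmac-sha1-96
   STOC Hmac: hmac-sha1-96
   Kex: diffie-hellman-group1-sha1
   Service Type: stelnet
   Authentication Type: password
 Session 2:
   Conn : VTY 4
   Version : 2.0
   State : started
   Username : client002
   Retry : 1
   CTOS Cipher : aes128-ctr
   STOC Cipher : aes128-ctr
   CTOS Hmac : hmac-sha2-256
   STOC Hmac : hmac-sha2-256
   Kex : diffie-hellman-group14-sha1
   Service Type : sftp
   Authentication Type : rsa
"""

# Algorithm families that current guidance treats as legacy: a pattern over the
# algorithm name and the reason to report.
LEGACY_RULES = [
    (re.compile(r"-cbc$"), "CBC-mode cipher"),
    (re.compile(r"^arcfour"), "RC4 stream cipher"),
    (re.compile(r"^hmac-md5"), "MD5-based MAC"),
    (re.compile(r"-96$"), "MAC tag truncated to 96 bits"),
    (re.compile(r"^diffie-hellman-group1-sha1$"), "1024-bit DH group with SHA-1"),
]

ALGORITHM_FIELDS = ("CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac", "Kex")


def parse_sessions(text):
    """Return one dict per session; 'Field: value' and 'Field : value' are both accepted."""
    sessions = []
    for line in text.splitlines():
        head = re.match(r"^\s*Session (\d+):", line)
        if head:
            sessions.append({"Session": int(head.group(1))})
            continue
        field = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*)$", line)
        if field and sessions:
            sessions[-1][field.group(1)] = field.group(2).strip()
    return sessions


def audit_session(session):
    """List 'field=algorithm: reason' strings for every legacy algorithm in one session."""
    findings = []
    for name in ALGORITHM_FIELDS:
        algo = session.get(name, "")
        for pattern, reason in LEGACY_RULES:
            if pattern.search(algo):
                findings.append(f"{name}={algo}: {reason}")
                break
    return findings


def audit(text):
    """Map each session's Username to its list of findings."""
    return {s.get("Username", f"session {s['Session']}"): audit_session(s)
            for s in parse_sessions(text)}


if __name__ == "__main__":
    for user, findings in audit(SESSION_OUTPUT).items():
        print(user, "->", findings or "no legacy algorithms")
```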

----End

Configuration Files

- Configuration file of the Quidway, the SSH server

#
 sysname Quidway
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.222 255.255.255.0
#
 rsa peer-public-key rsakey001
  public-key-code begin
   3047
    0240
     C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
     0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
     C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
     E917182B
    0203
     010001
  public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
 sftp server enable
 stelnet server enable
 ssh server port 1025
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type stelnet
 ssh user client002 service-type sftp
 ssh user client002 sftp-directory cfcard:/
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

- Configuration file of Client001, the SSH client

#
 sysname client001
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.220 255.255.255.0
#
 ssh client first-time enable
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return

- Configuration file of Client002, the SSH client

#
 sysname client002
#
 vlan batch 10
#
interface Vlanif10
 ip address 10.164.39.221 255.255.255.0
#
 ssh client first-time enable
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return

9.8.6 Example for Authenticating SSH Through RADIUS

In this example, a user that attempts to access the SSH server is authenticated by the RADIUS server, and the SSH server determines whether to set up a connection with the user according to the authentication result.

Networking Requirements

When a RADIUS user is connected to an SSH server, the SSH server sends the user name and password of the SSH client to the RADIUS server (compatible with the TACACS server) for authentication.

The RADIUS server authenticates the user and sends the result (passed or failed) back to the SSH server. If the authentication is successful, the user level is sent along with the result. The SSH server determines whether the SSH client is allowed to set up a connection according to the authentication result.

Figure 9-8 shows the networking diagram.

Figure 9-8 Networking diagram of authenticating the SSH through RADIUS

[Figure 9-8: SSH Client 10.164.39.221/24, SSH Server 10.164.39.222/24, RADIUS Server 10.164.6.49/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the RADIUS template on the SSH server.
2. Configure a domain on the SSH server.
3. Create a user on the RADIUS server.
4. Generate the local key pair on the STelnet client and SSH server respectively. The SSH server monitors the port number.
5. Generate the local key pair on the client and SSH server.
6. Generate the RSA public key on the SSH server and bind the RSA public key of the SSH client to [email protected].
7. Enable the STelnet and SFTP services on the SSH server.
8. Configure the service mode and authorization directory of the SSH user.
9. Users [email protected] and [email protected] log in to the SSH server through STelnet and SFTP respectively.

Data Preparation

To complete the configuration, you need the following data:

- Configure the password authentication for the two SSH users.
- RADIUS authentication
- Name of the RADIUS template
- Name of the RADIUS domain
- Name and password of the RADIUS user

Procedure

Step 1 Generate a local key pair on the SSH server.

<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
..........++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Configure the RSA public key of the server.

# Generate a local key pair on the client.

<Quidway> system-view
[Quidway] sysname client
[client] rsa local-key-pair create

# View the RSA public key generated on the client.

[client] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: Quidway_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: Quidway_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
    D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
    9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
    1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
    BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001
[client]

# Send the RSA public key generated on the client to the server.

[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end

Step 3 Create the SSH user.

On the RADIUS server, add two users named [email protected] and [email protected]; in addition, designate the NAS address 10.164.39.222 and the key huawei. The NAS address refers to the address of the SSH server that connects to the RADIUS server.

# Configure the VTY user interface on the SSH server.

[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit

# Create SSH users [email protected] and [email protected] on the SSH server.

[Quidway] ssh user [email protected]
[Quidway] ssh user [email protected] authentication-type password
[Quidway] ssh user [email protected] service-type stelnet
[Quidway] ssh user [email protected]
[Quidway] ssh user [email protected] authentication-type password
[Quidway] ssh user [email protected] service-type sftp
[Quidway] ssh user client001 sftp-directory cfcard:/

Step 4 Configure the RADIUS template.

# Configure the authentication scheme newscheme and authentication mode RADIUS.

[Quidway] aaa
[Quidway-aaa] authentication-scheme newscheme
[Quidway-aaa-authen-newscheme] authentication-mode radius
[Quidway-aaa-authen-newscheme] quit

# Configure the RADIUS template of the SSH server as ssh.

[Quidway] radius-server template ssh

# Configure the IP address of the RADIUS authentication server as 10.164.6.49 and its port as 1812.

[Quidway-radius-ssh] radius-server authentication 10.164.6.49 1812

# Configure the key of the RADIUS server as huawei.

[Quidway-radius-ssh] radius-server shared-key huawei
[Quidway-radius-ssh] quit


Step 5 Configure RADIUS domain name.

# Configure the RADIUS domain of the SSH server as ssh.com, applying the authentication scheme newscheme and the RADIUS template ssh.

[Quidway] aaa
[Quidway-aaa] domain ssh.com
[Quidway-aaa-domain-ssh.com] authentication-scheme newscheme
[Quidway-aaa-domain-ssh.com] radius-server ssh
[Quidway-aaa-domain-ssh.com] quit
[Quidway-aaa] quit

Step 6 Connect the SSH client and the SSH server.

# Enable STelnet and SFTP services on the SSH server.

[Quidway] stelnet server enable
[Quidway] sftp server enable

# For the first login, you need to enable the first authentication on SSH client.

[client] ssh client first-time enable
[client] quit

# Connect the STelnet client to the SSH server in the RADIUS authentication.

<client> system-view
[client] stelnet 10.164.39.222
Please input the username: [email protected]
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:

Enter the password Huawei and view as follows:

Info: The max number of VTY users is 10, and the current number of VTY users on line is 2.
<Quidway>

# Connect the SFTP client to the SSH server in the RADIUS authentication.

<client> system-view
[client] sftp 10.164.39.222
Please input the username: [email protected]
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
sftp-client>

Step 7 Verify the configuration.

After the configuration, run the display radius-server configuration and display ssh server session commands on the SSH server. You can view the configuration of the RADIUS server on the SSH server. You can also view that the STelnet or SFTP client is connected to the SSH server successfully with RADIUS authentication.

# Display the configuration of the RADIUS server.

[Quidway-aaa] display radius-server configuration
-------------------------------------------------------------------
  Server-template-name             :  ssh
  Protocol-version                 :  standard
  Traffic-unit                     :  B
  Shared-secret-key                :  huawei
  Timeout-interval(in second)      :  5
  Primary-authentication-server    :  10.164.6.49    :1812  LoopBack:NULL
  Primary-accounting-server        :  0.0.0.0        :0     LoopBack:NULL
  Secondary-authentication-server  :  0.0.0.0        :0     LoopBack:NULL
  Secondary-accounting-server      :  0.0.0.0        :0     LoopBack:NULL
  Retransmission                   :  3
  Domain-included                  :  YES
  Calling-station-id MAC-format    :  xxxx-xxxx-xxxx
-------------------------------------------------------------------
  Total of radius template :1

# Display the connection of the SSH server.

[Quidway] display ssh server session
 Session 1:
   Conn                : VTY 0
   Version             : 2.0
   State               : started
   Username            : [email protected]
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group1-sha1
   Service Type        : stelnet
   Authentication Type : password
 Session 2:
   Conn                : VTY 1
   Version             : 2.0
   State               : started
   Username            : [email protected]
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group1-sha1
   Service Type        : sftp
   Authentication Type : password

----End

Configuration Files

Configuration file of the SSH server

#
 sysname Quidway
#
radius-server template ssh
 radius-server authentication 10.164.6.49 1812
#
 rsa peer-public-key rsakey001
  public-key-code begin
   3047
    0240
     C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
     0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
     C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
     E917182B
    0203
     010001
  public-key-code end
 peer-public-key end
#
aaa
 authentication-scheme newscheme
  authentication-mode radius
 #
 domain ssh.com
  authentication-scheme newscheme
  radius-server ssh
 #
#
 sftp server enable
 stelnet server enable
 ssh user [email protected]
 ssh user [email protected]
 ssh user [email protected] authentication-type password
 ssh user [email protected] authentication-type password
 ssh user [email protected] assign rsa-key RsaKey001
 ssh user [email protected] service-type stelnet
 ssh user [email protected] service-type sftp
 ssh user client001 sftp-directory cfcard:/
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

9.8.7 Example for Configuring the SCP Client

This section provides an example for configuring the SCP client. In this example, the SCP client accesses the SCP server to download files.

Networking Requirements

As shown in Figure 9-9, the switch functioning as the SCP client has a reachable route to the SCP server, and can download files from the SCP server.

Figure 9-9 Networking diagram of the SCP client

[Figure 9-9: SCP Client 1.1.1.1/32, SCP Server 172.16.104.110/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Create a local RSA key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable SCP services on the SSH server.
4. Enable first-time authentication on the SSH client.
5. Configure an IP address of the source interface on the SCP client.
6. Download files from the SSH server to the SCP client.

Data Preparation

To complete the configuration, you need the following data:

- SSH user name, authentication mode, and authentication password
- IP address of the source interface on the SCP client
- The name and path of the destination files and the source files

Procedure

Step 1 Create a local RSA key pair on the SSH server.

<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]: 512
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++

Step 2 Create an SSH user on the SCP server.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

# Configure the password authentication for the SSH user Client001.

[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Configure the password of the SSH user Client001 to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

# Configure the service type for the SSH user Client001 as all.

[SSH Server] ssh user client001 service-type all

Step 3 Enable SCP services on the SCP server.

[SSH Server] scp server enable

Step 4 Download files from the SCP server to the SCP client.

# For the first login, you need to enable the first authentication on SSH client.

<Quidway> system-view
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable

# Configure the IP address 1.1.1.1 of a loopback interface as the source IP address for the SCP client.

[SCP Client] scp client-source -a 1.1.1.1

# Use 3des to encrypt the file license.txt, and then download the file to the local working directory from the remote SCP server with the IP address of 172.16.104.110.

[SCP Client] scp -a 1.1.1.1 -cipher 3des [email protected]:license.txt license.txt

Step 5 Verify the configuration.

Run the display scp-client command on the SCP client. The command output is as follows:

<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1

The IP address of the source interface on the SCP client is 1.1.1.1.

----End

Configuration Files

- Configuration file of the SCP server

#
 sysname SSH Server
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
 scp server enable
 ssh user client001
 ssh user client001 authentication-type password
 ssh user client001 service-type all
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

- Configuration file of the SCP client

#
 sysname SCP Client
#
 ssh client first-time enable
 scp client-source 1.1.1.1
#
return

10 Web System Configuration

About This Chapter

Before configuring the S9300 in Web mode, you need to configure the S9300 as the Web server.

10.1 Overview of Web System
Through the Web system, users can manage and maintain the S9300 in the graphical user interface (GUI).

10.2 Starting Web System
This topic describes how to load the Web system and create an account of the Web system.

10.1 Overview of Web System

Through the Web system, users can manage and maintain the S9300 in the graphical user interface (GUI).

To facilitate the use and maintenance of the S9300, Huawei develops the Web system for the S9300.

The S9300 is installed with a built-in Web server. Thus, the terminal (such as a PC) connected to the S9300 can access the S9300 through the Web browser.

Figure 10-1 shows the running environment of the Web system.

Figure 10-1 Running environment of the Web System

[Figure 10-1: PC connected to the Switch over an HTTP connection]

10.2 Starting Web System

This topic describes how to load the Web system and create an account of the Web system.

10.2.1 Logging In to the S9300 Through the Console Interface

Context

When setting up a local configuration environment through the console interface, you can connect the PC and the S9300 through the Windows HyperTerminal.

Procedure

Step 1 Enable the HyperTerminal on the PC.


Choose Start > All Programs > Accessories > Communications > HyperTerminal to start the HyperTerminal.

Step 2 Set up a new connection.

As shown in Figure 10-2, enter the name of the new connection in the Name text box and choose an icon. Click OK.

Figure 10-2 Setting up a new connection

Step 3 Set the connection port.

After entering the Connect window as shown in Figure 10-3, select a serial port from the Connect drop-down list box according to the port used by the PC or the configuration terminal. Select COM1 in this case, and click OK.


Figure 10-3 Setting the connection port

Step 4 Set communication parameters.

After entering the COM1 Properties window as shown in Figure 10-4, set the communication parameters according to the description in Table 10-1.

NOTE
In other Windows operating systems, Bits per second may be described as Baud rate; Flow control may be described as Traffic control.


Figure 10-4 Setting communication parameters for the port

Table 10-1 Communication parameters

Parameter                        Value
Bit per second (Baud rate)       9600
Data bit                         8
Parity check                     None
Stop bit                         1
Flow control (Traffic control)   None

Step 5 After the HyperTerminal is started, select File Attributes to enter the Connect Properties window as shown in Figure 10-5. Choose the Setting tab, and select Auto detect or VT100 from the Emulation drop-down list box. Click OK to complete the setting.


Figure 10-5 Selecting a terminal type

After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, it indicates that you have logged in to the S9300. At this time, you can enter commands to configure and manage the S9300.

----End

10.2.2 Setting the Management IP Address of the S9300

This section describes how to configure the management IP address of the S9300.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface ethernet 0/0/0

The Ethernet interface view is displayed.

Step 3 Run:

ip address ip-address { mask | mask-length } [ sub ]


The IP address of the interface is configured.

----End

10.2.3 Uploading Web Page Files

This section describes how to obtain the Web page files and upload them to the S9300 through FTP.

Prerequisite

To obtain the Web page file of the S9300, log in to http://support.huawei.com, and then choose Software Center > Version Software > Data Communication Product Line > Ethernet Switch > Quidway S9300. Download the software package of the current version. The Web page file is contained in the software package. The file name is Product Name + the Version of Software.web.zip.

Before uploading the Web page file, copy the Web page file to the client from which you log in to the S9300.

Context

NOTE
You can also download Web files through TFTP. In this case, the S9300 functions as the TFTP client, and the terminal that stores the Web files functions as the TFTP server. For details, see 8.5.3 Downloading Files Through TFTP.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ftp server enable

The FTP server is enabled.

Step 3 Run:

aaa

The AAA view is displayed.

Step 4 Run:

local-user user-name password { simple | cipher } password

An FTP client is configured and the password is set to huawei.

Step 5 Run:

local-user user-name ftp-directory directory

The directory is set for the FTP client.

Step 6 Run:

local-user user-name service-type ftp

The service type of an FTP login user is set.


Step 7 Run the following command in the cmd window of the PC:

ftp ip-address

The user name and password prompts are displayed. The PC can log in to the S9300.

C:\> ftp 10.1.1.132
Connected to 10.1.1.132.
220 FTP service ready.
User (10.1.1.132:(none)): client
331 Password required for client.
Password:
230 User logged in.
ftp>

Step 8 Run the following command in the FTP view:

put local-filename

The web.zip file is uploaded from the PC to the S9300.

ftp> put web.zip
200 Port command okay.
150 Opening ASCII mode data connection for web.zip.
226 Transfer complete.
ftp: 251047 bytes sent in 3.36Seconds 74.74Kbytes/sec.
ftp>

----End

10.2.4 Loading a Web Page File

This section describes how to load a Web page file.

Context

Before loading the Web page file, upload it to the S9300.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

http server load file-name

The Web page file is loaded to the S9300.

----End

10.2.5 Creating a Web Account

Before logging in to the S9300 in Web mode, you need to create a Web account on the S9300.

Context

Before enabling the HTTP server, load the Web page file to the S9300.


Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

http server enable

The HTTP server is enabled.

Step 3 Run:

aaa

The AAA view is displayed.

Step 4 Run:

local-user user-name password { simple | cipher } password

An HTTP user is configured and the password of the user is set.

NOTE

It is recommended that you store the password in cipher text. For security reasons, do not use a simple user name and password.

Step 5 Run:

local-user user-name service-type http

The access type of the user named admin is set to HTTP.

Step 6 Run:

quit

The system view is displayed again.

Step 7 (Optional) Run:

http timeout timeout

The timeout period of an HTTP connection is set.

By default, the timeout period of an HTTP connection is 20 minutes.

----End

10.2.6 Logging In to the Web System

This section describes how to log in to the S9300 in Web mode.

Procedure

Step 1 Open the Web browser on the PC, and then enter the management address of the S9300 in the address bar (the PC and the S9300 must have reachable routes to each other). Then, press Enter to display the Login dialog box. As shown in Figure 10-6, enter the pre-set Web user name, password, and verify code, and then choose the language.


Figure 10-6 Login

NOTE

If you select Save my password before clicking Login, you do not need to enter the password at the next login.

Step 2 Click Login or press Enter to display the homepage of the Web system.

You can configure the S9300 after logging in to the Web system. For details on how to configure the S9300 on the Web system, see the Quidway S9300 Terabit Routing Switch Web Network Management System Client Operation Guide.

----End


11 SSL Configuration

About This Chapter

The Secure Sockets Layer (SSL) protocol is used to authenticate the identities of a client and a server and to encrypt data transmitted between the client and the server. SSL ensures that only authorized users can log in to the server.

11.1 SSL

Currently, SSL is only used for the File Transfer Protocol-SSL (FTPS) and the Hypertext Transfer Protocol-SSL (HTTPS) applications (secure Web network management is an HTTPS application).

11.2 SSL Features Supported by the S9300

Currently, SSL is only used for FTPS and HTTPS applications (secure Web network management is an HTTPS application).

11.3 Configuring Login to an FTPS Server from a User Terminal

FTPS, which adds support for SSL, is an extension of the commonly used FTP. Using SSL to authenticate the identities of the client and server and to encrypt data to be transmitted, FTPS implements secure management of devices.

11.4 Configuring Login to an FTPS Server from an FTPS Client

The FTPS client and FTPS server authenticate each other's identities to ensure that only authorized users can access the FTPS server, improving access security.

11.5 Configuring Secure Web Network Management

An SSL policy is configured on, and a digital certificate is loaded to, an HTTP server. The digital certificate is used by a client to verify the identity of the server.

11.6 Configuration Examples


11.1 SSL

Currently, SSL is only used for the File Transfer Protocol-SSL (FTPS) and the Hypertext Transfer Protocol-SSL (HTTPS) applications (secure Web network management is an HTTPS application).

Overview

SSL is a cryptographic protocol that provides communication security over the Internet. It allows a client and a server to communicate across a network in a way designed to prevent eavesdropping, by authenticating the server or the client. SSL has the following advantages:

l Provides high security assurance. It uses data encryption, authentication, and a message integrity check to ensure secure data transmission over the network.

l Supports various application layer protocols. SSL was originally designed for securing World Wide Web traffic. As SSL functions between the application layer and the transport layer, it secures data transmission based on TCP connections for any application layer protocol.

l Is easy to deploy. Currently, SSL has become a world-wide communications standard for authenticating Web site and Web page users and encrypting data transmitted between browser users and Web servers.

SSL improves device security in the following aspects:

l Helps authorized users to securely access servers and prevents unauthorized users from accessing servers.

l Encrypts data transmitted between a client and a server for data transmission security and computes a digest for data integrity, which implements security management for devices.

l Defines an access control policy on a device based on certificate attributes to control the access rights of clients, which prevents unauthorized users from attacking the device.

Basic Concepts

l Certificate Authority (CA)

A CA is an entity that issues, manages, and revokes digital certificates. A CA checks the validity of digital certificate owners, signs digital certificates to prevent eavesdropping and tampering, and manages certificates and keys. A world-wide trusted CA is called a root CA. The root CA can authorize other CAs as subordinate CAs. The CA identity is described in a trusted-CA file.

For example, CA1 functions as the root CA and issues a certificate for CA2, CA2 then issues a certificate for CA3, and so on, until CAn issues the final server certificate.

If CA3 issues the server certificate, certificate authentication on the client starts from the server certificate. The CA3 certificate is used to authenticate the server certificate. If authentication succeeds, the CA2 certificate is used to authenticate the CA3 certificate. Finally, the CA1 certificate is used to authenticate the CA2 certificate. Server certificate authentication succeeds only when the CA2 certificate has been authenticated by the CA1 certificate.

Figure 11-1 shows the certificate issuing and authentication processes.


Figure 11-1 Schematic diagram for certificate issuing and authentication (CA1 -> CA2 -> ... -> CAn -> server's certificate; certificate issuing proceeds down the chain, certificate authentication proceeds back up it)

l Digital certificate

A digital certificate is an electronic document that uses a digital signature to bind a public key with an identity. The digital certificate includes information such as the name of the person or organization that applies for the certificate, the public key, the digital signature of the CA that issues the digital certificate, and the validity period of the digital certificate. A digital certificate validates the identities of two communicating parties, improving communication reliability.

A user must obtain the public key certificate of the information sender in advance to decrypt and authenticate information in the certificate. In addition, the user also needs the CA certificate of the information sender to verify the identity of the information sender.

l Certificate Revocation List (CRL)

A CRL is a list of certificates that have been revoked, and therefore should not be relied upon. The CRL is issued by a CA.

The lifetime of a digital certificate is limited. A CA can revoke a digital certificate to shorten its lifetime. The lifetime of a CRL is usually shorter than the lifetime of the certificates in the CRL. If a CA revokes a digital certificate, the key pair defined in the certificate can no longer be used even if the digital certificate has not expired. After a certificate in a CRL expires, the certificate is deleted from the CRL to shorten the CRL.

Before using a digital certificate, the client checks the CRL. If the digital certificate is in the CRL, the corresponding CA marks the digital certificate as expired, and adds a certificate expiration list (CEL) when issuing a new CRL. After the CEL expires, it is automatically deleted from the CRL.

11.2 SSL Features Supported by the S9300

Currently, SSL is only used for FTPS and HTTPS applications (secure Web network management is an HTTPS application).

FTPS

FTPS, which adds support for SSL, is an extension of the commonly used FTP.

Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted, and check message integrity, FTPS provides secure FTP server access.

l Login to an FTPS server from a user terminal

An SSL policy is configured on the FTP server. After a digital certificate is loaded and the FTPS server function is enabled on the server, you can log in to the server from a terminal on which SSL-capable FTP client software is installed to securely operate on files transmitted between the terminal and the server.


l Login to an FTPS server from an FTPS client

– An SSL policy needs to be configured on, and a trusted-CA file needs to be loaded to, the FTP client to verify the identity of the certificate owner, sign a digital certificate to prevent eavesdropping and tampering, and manage the certificate and key.

– An SSL policy needs to be configured on, and a digital certificate needs to be loaded to, the FTP server to verify the validity of the trusted-CA file. This ensures that only authorized clients can log in to the server.

HTTPS

HTTPS, which adds support for SSL, is an extension of the commonly used HTTP.

Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted, and check message integrity, HTTPS provides secure Web access.

An SSL policy is configured on the device that functions as an HTTP server. After a digital certificate is loaded to the server and the HTTPS server function is enabled on it, users can log in to the server to remotely manage it using Web pages.

11.3 Configuring Login to an FTPS Server from a User Terminal

FTPS, which adds support for SSL, is an extension of the commonly used FTP. Using SSL to authenticate the identities of the client and server and to encrypt data to be transmitted, FTPS implements secure management of devices.

11.3.1 Establishing the Configuration Task

Before configuring login to an FTPS server from a user terminal, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server. Transmitted data can easily be tampered with, which poses security threats. An SSL policy can be configured on the FTP server to improve security. SSL allows data encryption, identity authentication, and message integrity verification, improving data transmission security. In addition, SSL provides secure connections for the FTP server, greatly improving the security of the FTP server.

As shown in Figure 11-2, an SSL policy is configured on the FTP server. After a digital certificate is loaded and the FTPS server function is enabled on the server, you can log in to the server from a terminal on which SSL-capable FTP client software is installed to securely operate on files transmitted between the terminal and the server.


Figure 11-2 Networking diagram for a PC to log in to an FTPS server (the PC reaches FTP-Server over the network; FTP-Server interface VLANIF10, address 192.168.0.1/24)

Pre-configuration Tasks

Before configuring login to an FTPS server from a user terminal, complete the following tasks:

l Loading a digital certificate to the sub-directory named security of the system directory on the FTPS server

l Installing the SSL-capable FTP client software on the PC

Data Preparation

To configure login to an FTPS server from a user terminal, you need the following data.

No. Data

1 SSL policy name and digital certificate

2 IP address of the FTPS server

11.3.2 Configuring an SSL Policy and Loading a Digital Certificate

A client uses a digital certificate to authenticate the identity of a server for secure communication.

Context

The FTPS server needs to obtain a digital certificate from a CA. The client that will access the server needs the CA certificate from the CA to verify the validity of the digital certificate of the server.

NOTE

A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the FTPS server must be obtained from a corresponding CA.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:

l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem. The PEM format is applicable to text transmission between systems.

l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der. The ASN1 format is the default format for most browsers.

l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx.


The PFX format is a binary format that can be converted into the PEM or ASN1 format.

Perform the following steps on the device that functions as an FTPS server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ssl policy policy-name

An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a digital certificate.

Run one of the following commands as required:

l Run:

certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate is loaded.

l Run:

certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

An ASN1 digital certificate is loaded.

l Run:

certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code

A PFX digital certificate is loaded.

l Run:

certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate chain is loaded.

NOTE

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain has already been loaded, unload it before loading a new certificate or certificate chain.

----End

11.3.3 Enabling the FTPS Function

After a device is configured with an SSL policy and the FTPS server function is enabled on it, the device functions as an FTPS server and provides SSL-based FTP services.

Context

NOTE

Before enabling the FTPS server function, disable the FTP server function.

Perform the following steps on the device that functions as an FTPS server:


Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ftp secure-server ssl-policy policy-name

An SSL policy is configured for the device.

Step 3 Run:

ftp secure-server enable

The FTPS server function is enabled.

By default, the FTPS server function is disabled.

----End

11.3.4 Accessing an FTPS Server

You can use a PC with SSL-capable FTP client software, or an FTPS client, to access an FTPS server for secure management of files on the FTPS server.

Before accessing an FTPS server, install the SSL-capable FTP client software on a PC, and then use that third-party software to log in to the FTPS server from the PC to securely manage files on the FTPS server.

11.3.5 Checking the Configuration

After the configuration of login to an FTPS server from a user terminal is complete, you can view the SSL policy, the digital certificate, and the status of the FTPS server.

Prerequisite

The configurations of login to an FTPS server from a user terminal are complete.

Procedure

l Run the display ssl policy command to check the configured SSL policy and the loaded digital certificate.

l Run the display ftp-server command to check the SSL policy name and the FTPS server status.

----End

Example

Run the display ssl policy command on the FTPS server. The command output shows detailed information about the configured SSL policy and the loaded digital certificate.

<Quidway> display ssl policy
 SSL Policy Name: ftp_server
 Policy Applicants: FTP secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:

Run the display ftp-server command on the FTP server. The command output shows that the SSL policy name is ftp_server and the FTPS server is running.

<Quidway> display ftp-server
 FTP server is stopped
 Max user number 5
 User count 1
 Timeout value(in minute) 30
 Listening port 21
 Acl number 0
 FTP server's source address 0.0.0.0
 FTP SSL policy ftp_server
 FTP Secure-server is running
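To turn the two display outputs above into the check that 11.3.5 asks for, here is an added Python example (not Huawei code) that parses constructed copies of the display ssl policy and display ftp-server output, in the layout shown above, and reports anything that deviates from the intended state: plain-text FTP server stopped, FTPS server running, and the policy bound to the secure server being the one that holds the certificate. The sample strings, function names, and finding texts are constructed for this example.

```python
import re

# Constructed copies of the two command outputs, in the layout the guide shows
SAMPLE_SSL_POLICY = """\
<Quidway> display ssl policy
 SSL Policy Name: ftp_server
 Policy Applicants: FTP secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:
"""

SAMPLE_FTP_SERVER = """\
<Quidway> display ftp-server
 FTP server is stopped
 Max user number 5
 User count 1
 Timeout value(in minute) 30
 Listening port 21
 Acl number 0
 FTP server's source address 0.0.0.0
 FTP SSL policy ftp_server
 FTP Secure-server is running
"""


def parse_ssl_policy(text):
    """'Key: value' lines of display ssl policy into a dict; an empty value becomes ''."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z -]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_ftp_server(text):
    """display ftp-server has no 'key:' layout, so pick out the lines the check needs."""
    state = {}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("FTP server is "):
            state["ftp_server"] = s[len("FTP server is "):]
        elif s.startswith("FTP Secure-server is "):
            state["secure_server"] = s[len("FTP Secure-server is "):]
        elif s.startswith("FTP SSL policy "):
            state["ssl_policy"] = s[len("FTP SSL policy "):]
        elif s.startswith("Listening port "):
            state["port"] = int(s.split()[-1])
    return state


def check_ftps(ssl_text, ftp_text):
    """Return a list of findings; an empty list means the FTPS server is as intended."""
    policy = parse_ssl_policy(ssl_text)
    server = parse_ftp_server(ftp_text)
    findings = []
    # The NOTE in 11.3.3: the plain-text FTP server must be disabled before FTPS is used
    if server.get("ftp_server") != "stopped":
        findings.append("plain-text FTP server is still enabled; disable it before relying on FTPS")
    if server.get("secure_server") != "running":
        findings.append("FTPS server is not running; run ftp secure-server enable")
    # The policy bound with ftp secure-server ssl-policy must be the one carrying the certificate
    if server.get("ssl_policy") != policy.get("SSL Policy Name"):
        findings.append("policy bound with ftp secure-server ssl-policy differs from the policy shown by display ssl policy")
    if "FTP secure-server" not in policy.get("Policy Applicants", ""):
        findings.append("SSL policy is not applied to the FTP secure-server")
    if not policy.get("Certificate Filename"):
        findings.append("no certificate is loaded in the SSL policy")
    return findings


if __name__ == "__main__":
    print(check_ftps(SAMPLE_SSL_POLICY, SAMPLE_FTP_SERVER) or "FTPS server state is as intended")
```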

11.4 Configuring Login to an FTPS Server from an FTPS Client

The FTPS client and FTPS server authenticate each other's identities to ensure that only authorized users can access the FTPS server, improving access security.

11.4.1 Establishing the Configuration Task

Before configuring login to an FTPS server from an FTPS client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server. Transmitted data can easily be tampered with, which poses security threats. To improve security, perform the following steps on the FTP client and server:

l Configure an SSL policy on the FTP client and load a trusted-CA file to the client.

l Configure an SSL policy on the FTP server and load a digital certificate to the server.

The client uses the trusted-CA file and the digital certificate to authenticate the server so that the authorized client can access the correct server.

As shown in Figure 11-3,

l An SSL policy needs to be configured on, and a trusted-CA file needs to be loaded to, the FTP client to verify the identity of the certificate owner, sign a digital certificate to prevent eavesdropping and tampering, and manage the certificate and key.

l An SSL policy needs to be configured on, and a digital certificate needs to be loaded to, the FTP server to verify the validity of the trusted-CA file. This ensures that only authorized clients can log in to the server.


Figure 11-3 Accessing an FTPS server from an FTPS client (devices in the figure: PC1, FTP-Client, FTP-Server, PC2; interfaces shown: VLANIF30 1.1.1.2/24, VLANIF40 192.168.0.2/24, VLANIF20 1.1.1.1/24, VLANIF10 192.168.0.1/24)

If the FTPS client and server are routable, you can log in to the FTPS server from the FTPSclient to remotely manage files.

Pre-configuration Tasks

Before configuring login to an FTPS server from an FTPS client, complete the following tasks:

l Loading a trusted-CA file to the sub-directory named security of the system directory on the FTPS client

l Loading a digital certificate to the sub-directory named security of the system directory on the FTPS server

Data Preparation

To configure login to an FTPS server from an FTPS client, you need the following data.

No. Data

1 SSL policy name, trusted-CA file, (optional) CRL file, and IP address of the FTPS client

2 Digital certificate and IP address of the FTPS server

11.4.2 Configuring the FTPS Client

An SSL policy needs to be configured on, and a trusted-CA file needs to be loaded to, an FTP client. The FTPS client can use the trusted-CA file to authenticate an FTPS server to ensure that only authorized users can log in to the FTPS server.

Context

A trusted-CA file can be in the PEM, ASN1, or PFX format. Details are as follows:

l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem.


l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der.

l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx.

A CRL file can be in either the ASN1 or PEM format. These two formats represent the same contents.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ssl policy policy-name

An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a trusted-CA file.

Run one of the following commands as required:

l Run:

trusted-ca load pem-ca ca-filename

A PEM trusted-CA file is loaded.

l Run:

trusted-ca load asn1-ca ca-filename

An ASN1 trusted-CA file is loaded.

l Run:

trusted-ca load pfx-ca ca-filename auth-code auth-code

A PFX trusted-CA file is loaded.

A maximum of four trusted-CA files can be loaded to an SSL policy. If multiple trusted-CA files are loaded, these files are added to the existing trusted-CA file list.

NOTE

l If the certificate file loaded on the FTPS server contains only one certificate, configure all the trusted-CA certificates of the upper levels, up to the root CA certificate, on the client.

l If a certificate chain is configured on the FTPS server, configure only the root CA certificate on the client.

Step 4 (Optional) Run:

crl load { pem-crl | asn1-crl } crl-filename

A CRL is loaded.

A maximum of two CRL files can be loaded to an SSL policy. If multiple CRL files are loaded, these files are added to the existing CRL file list.

----End
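The chain walk described in 11.1 (server certificate first, then CA3, CA2, and finally the root CA1) together with the trusted-CA rule in the NOTE of Step 3 above, as an added Python example that is not Huawei code: it models certificates with a constructed toy RSA signature over fixed Mersenne primes (insecure, illustration only), then runs the client-side verification for a server that loaded only its own certificate versus one that loaded a pem-chain, and adds a CRL entry, an expired certificate, and an unloaded root as failure cases. Certificate names, serials, validity numbers, and key primes are all constructed for this example.

```python
import hashlib
import json

E = 65537
# Exponents of known Mersenne primes; adjacent pairs form constructed toy RSA moduli (insecure)
MERSENNE_EXP = [31, 61, 89, 107, 127, 521, 607, 1279]


def toy_keypair(i):
    """Toy RSA key i as ((n, e), (n, d)); E is coprime to phi for these primes."""
    p, q = 2 ** MERSENNE_EXP[2 * i] - 1, 2 ** MERSENNE_EXP[2 * i + 1] - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def digest(tbs):
    """SHA-256 of the canonical JSON of the to-be-signed fields, as an integer."""
    raw = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def issue(subject, pub, serial, issuer_name, issuer_priv, valid=(1, 100)):
    """The issuer signs (subject, key, serial, validity); self-signed if issuer_name == subject."""
    tbs = {"subject": subject, "issuer": issuer_name, "pub": list(pub),
           "serial": serial, "not_before": valid[0], "not_after": valid[1]}
    n, d = issuer_priv
    return dict(tbs, sig=pow(digest(tbs) % n, d, n))


def signature_ok(cert, issuer_pub):
    """Textbook RSA check of cert['sig'] under the issuer's public key."""
    n, e = issuer_pub
    tbs = {k: v for k, v in cert.items() if k != "sig"}
    return pow(cert["sig"], e, n) == digest(tbs) % n


def verify_chain(server_cert, presented, trusted_ca, crl, now):
    """Client-side walk from the server certificate up to a loaded root CA (11.1).

    presented  - certificates the server sends along with its own (a pem-chain, or none)
    trusted_ca - certificates loaded on the client with trusted-ca load
    crl        - set of (issuer, serial) pairs taken from loaded CRL files
    Returns (True, subjects checked in order) or (False, reason)."""
    pool = {c["subject"]: c for c in presented + trusted_ca}
    trusted = {c["subject"] for c in trusted_ca}
    cert, path = server_cert, []
    for _ in range(8):  # depth guard against malformed chains
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']} is outside its validity period"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['subject']} is listed in the CRL"
        if cert["subject"] in trusted and cert["issuer"] == cert["subject"]:
            return True, path + [cert["subject"]]  # reached a trusted root
        issuer = pool.get(cert["issuer"])
        if issuer is None or issuer["subject"] == cert["subject"]:
            return False, f"no trusted issuer available for {cert['subject']}"
        if not signature_ok(cert, tuple(issuer["pub"])):
            return False, f"signature on {cert['subject']} does not verify"
        path.append(cert["subject"])
        cert = issuer
    return False, "chain too long"


def build_pki():
    """Constructed hierarchy from 11.1: CA1 (root) -> CA2 -> CA3 -> server certificate."""
    pubs, privs = zip(*(toy_keypair(i) for i in range(4)))
    ca1 = issue("CA1", pubs[0], 1, "CA1", privs[0])
    ca2 = issue("CA2", pubs[1], 2, "CA1", privs[0])
    ca3 = issue("CA3", pubs[2], 3, "CA2", privs[1])
    server = issue("FTP-Server", pubs[3], 4, "CA3", privs[2])
    return ca1, ca2, ca3, server


def scenarios(now=50):
    """Outcome of each client/server combination the text discusses (True = accepted)."""
    ca1, ca2, ca3, server = build_pki()
    return {
        # server loaded only its own certificate, client loaded only the root: no path
        "leaf_only_root_only": verify_chain(server, [], [ca1], set(), now)[0],
        # NOTE case 1: single server certificate, client loads CA3, CA2 and the root CA1
        "leaf_only_all_cas": verify_chain(server, [], [ca1, ca2, ca3], set(), now)[0],
        # NOTE case 2: server loaded a pem-chain, the client needs only the root CA1
        "chain_root_only": verify_chain(server, [ca2, ca3], [ca1], set(), now)[0],
        # a CRL from CA1 lists CA2's serial: everything issued below CA2 is rejected
        "intermediate_revoked": verify_chain(server, [ca2, ca3], [ca1], {("CA1", 2)}, now)[0],
        # current time past the constructed not_after value of the certificates
        "expired": verify_chain(server, [ca2, ca3], [ca1], set(), 200)[0],
        # full chain presented but CA1 was never loaded on the client: rejected
        "root_not_trusted": verify_chain(server, [ca1, ca2, ca3], [], set(), now)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```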


11.4.3 Configuring the FTPS Server

FTPS, which adds support for SSL, is an extension of the commonly used FTP. Using SSL to authenticate the identities of the client and server and to encrypt data to be transmitted, FTPS implements secure management of devices.

Context

The FTPS server needs to obtain a digital certificate from a CA. The client that will access the server needs the CA certificate from the CA to verify the validity of the digital certificate of the server.

NOTE

A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the FTPS server must be obtained from a corresponding CA.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:

l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem. The PEM format is applicable to text transmission between systems.

l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der. The ASN1 format is the default format for most browsers.

l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx. The PFX format is a binary format that can be converted into the PEM or ASN1 format.

Perform the following steps on the device that functions as an FTPS server:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

ssl policy policy-name

An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a digital certificate.

Run one of the following commands as required:

l Run:

certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate is loaded.

l Run:

certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

An ASN1 digital certificate is loaded.


l Run:

certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code

A PFX digital certificate is loaded.

l Run:

certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate chain is loaded.

NOTE

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain has already been loaded, unload it before loading a new certificate or certificate chain.

Step 4 Run:

ftp secure-server ssl-policy policy-name

An SSL policy is configured for the device.

Step 5 Run:

ftp secure-server enable

The FTPS server function is enabled.

By default, the FTPS server function is disabled.

NOTE

Before enabling the FTPS server function, disable the FTP server function.

----End

11.4.4 Accessing an FTPS Server

You can use specified commands to log in to an FTPS server from an FTPS client to remotely manage the FTPS server.

Procedure

l On an IPv4 network:

In the user view, run:

ftp ssl-policy policy-name [ [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ] ]

A control connection is established with the remote FTPS server and the FTP client view is displayed.

l On an IPv6 network:

In the user view, run:

ftp ssl-policy policy-name ipv6 host [ port-number ]

A control connection is established with the remote FTPS server and the FTP client view is displayed.

----End


Follow-up Procedure

The client can log in to the server only after the entered user name and password are authenticated by the server. After logging in to the FTPS server, you can operate on files on the FTPS server in the same way as on an FTP server. Table 11-1 lists file operations on an FTP server.

Table 11-1 File operations

Managing files

Configuring the file type:

l Run the ascii command to set the file type to ASCII.

l Run the binary command to set the file type to binary.

The FTP file type is determined by the client. By default, the ASCII type is used.

Configuring the data connection mode:

l Run the passive command to set the data connection mode to PASV.

l Run the undo passive command to set the data connection mode to PORT.

By default, the PASV mode is used.

Uploading files:

l Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server.

l Run the mput local-filenames command to upload files from the local device to a remote server.

Downloading files:

l Run the get remote-filename [ local-filename ] command to download a file from a remote server and save the file on the local device.

l Run the mget remote-filenames command to download files from a remote server and save the files on the local device.

Enabling the file transfer prompt function:

l If the prompt command is run in the FTP client view to enable the file transfer prompt function, the system prompts you to confirm the uploading or downloading operation during file uploading or downloading.

l If the prompt command is run again in the FTP client view, the file transfer prompt function is disabled.

NOTE

The prompt command is applicable to the scenario where the mput or mget command is used to upload or download files. If the local device already has the files to be downloaded by the mget command, the system asks whether to overwrite the existing ones regardless of whether the file transfer prompt function is enabled.

Enabling the FTP verbose function:

Run the verbose command. After the verbose function is enabled, all FTP response information is displayed. After file transfer is complete, statistics about the transmission rate are displayed.

Quidway S9300 Terabit Routing SwitchConfiguration Guide - Basic Configuration 11 SSL Configuration

Issue 01 (2011-10-26) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

214

Page 227: Configuration Guide - Basic Configuration(V100R006C01_01)

File Operation Operation

Managingdirectories

Changing theworking path of aremote FTP server

Run the cd pathname command.

Changing theworking path of anFTP server to theparent directory

Run the cdup command.

Displaying theworking path of anFTP server

Run the pwd command.

Displaying files inthe directory andthe list of sub-directories

Run the dir [ remote-directory [ local-filename ] ] command.If no path name is specified for a specified remote file, thesystem will search the file in the authorized directory of theuser.

Displaying aspecified remotedirectory or file onan FTP server

Run the ls [ remote-directory [ local-filename ] ] command.

Displaying orchanging theworking path of anFTP client

Run the lcd [ directory ] command.The lcd command displays the local working path of the FTPclient, whereas the pwd command displays the working pathof the remote FTP server.

Creating adirectory on anFTP server

Run the mkdir remote-directory command.The directory can be a combination of letters and numbers,excluding special characters such as "<", ">", "?", "\", or ":".

Deleting adirectory from anFTP server

Run the rmdir remote-directory command.

Displaying online help for anFTP command

Run the remotehelp [ command ] command.

Changing an FTP user Run the user username [ password ] command.
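The table above describes the switch's built-in FTP client. As an added example that is not part of the Huawei guide, the following Python script shows the same session from a general-purpose FTPS client, with the points the table leaves implicit made explicit: the control connection is upgraded with AUTH TLS before the user name and password are sent, the server certificate is checked against the trusted-CA file (the counterpart of the trusted-ca load step in the ftp_client policy), and PROT P is issued so that the put, get and dir data connections are protected as well. The host name, credentials and CA file path in the main block are placeholders, not values from the page.

```python
import ssl
from ftplib import FTP_TLS


def build_ftps_context(cafile=None):
    """TLS settings that play the role of the switch's ftp_client SSL policy:
    trust the given CA file (the system store if None) and insist on a valid,
    name-matching server certificate."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED          # the default, restated so it cannot drift
    ctx.check_hostname = True                    # certificate must match the host we dialled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx):
    """Plain-value view of the settings that matter, for logging or assertions."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
    }


def new_client(cafile=None, timeout=30):
    """Unconnected FTP_TLS client carrying the hardened context."""
    return FTP_TLS(context=build_ftps_context(cafile), timeout=timeout)


def ftps_session(host, user, password, cafile, port=21, passive=True):
    """Open the control connection, authenticate, then protect the data channel.

    Mirrors the page's 'ftp ssl-policy policy-name host [ port-number ]' step
    plus the Table 11-1 defaults (PASV mode; file type chosen per transfer).
    """
    ftps = new_client(cafile)
    ftps.connect(host, port)
    ftps.login(user, password)  # AUTH TLS is sent first, so USER/PASS travel encrypted
    ftps.prot_p()               # PROT P: put/get/dir data connections are TLS too
    ftps.set_pasv(passive)      # Table 11-1: PASV is the default data connection mode
    return ftps


def upload_binary(ftps, local_path, remote_name):
    """'binary' followed by 'put local-filename [ remote-filename ]'."""
    with open(local_path, "rb") as fh:
        return ftps.storbinary(f"STOR {remote_name}", fh)


def download_binary(ftps, remote_name, local_path):
    """'binary' followed by 'get remote-filename [ local-filename ]'."""
    with open(local_path, "wb") as fh:
        return ftps.retrbinary(f"RETR {remote_name}", fh.write)


def list_remote(ftps, directory=None):
    """'dir [ remote-directory ]'; returns the listing lines instead of printing them."""
    lines = []
    args = [directory] if directory else []
    ftps.dir(*args, lines.append)
    return lines


if __name__ == "__main__":
    # Placeholders: substitute your FTPS server, account, and the CA file that signed its certificate.
    session = ftps_session("ftps.example.invalid", "USER", "PASSWORD", "ca.pem")
    print("\n".join(list_remote(session)))
    session.quit()
```

With verify_mode set to CERT_REQUIRED and check_hostname on, a server whose certificate is not signed by the loaded CA, or whose name does not match, is rejected before any credentials leave the client; that is the failure to expect when the trusted-CA file on the client and the certificate on the server do not belong to the same chain.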

11.4.5 Checking the Configuration

After the configuration of login to an FTPS server from an FTPS client is complete, you can view the SSL policies configured on the FTPS client and server, the trusted-CA file loaded to the FTPS client, and the digital certificate loaded to the FTPS server.

Prerequisite

The configurations of login to an FTPS server from an FTPS client are complete.


Procedure

l Run the display ssl policy command to check the SSL policy configured on and the trusted-CA certificate loaded to the FTPS client, as well as the SSL policy configured on and the digital certificate loaded to the FTPS server.

l Run the display ftp-server command to check the SSL policy name and the FTPS server status.

----End

Example

Run the display ssl policy command on the FTPS client. The command output shows detailed information about the configured SSL policy and loaded trusted-CA file.

<Quidway> display ssl policy
 SSL Policy Name: ftp_client
 Policy Applicants:
 Key-pair Type:
 Certificate File Type:
 Certificate Type:
 Certificate Filename:
 Key-file Filename:
 Auth-code:
 MAC:
 CRL File:
 Trusted-CA File:
   Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
   Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

Run the display ssl policy command on the FTPS server. The command output shows detailed information about the configured SSL policy and loaded digital certificate.

<Quidway> display ssl policy
 SSL Policy Name: ftp_server
 Policy Applicants: FTP secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:

Run the display ftp-server command on the FTP server. The command output shows that the SSL policy name is ftp_server and the FTPS server is running.

<Quidway> display ftp-server
 FTP server is stopped
 Max user number 5
 User count 1
 Timeout value(in minute) 30
 Listening port 21
 Acl number 0
 FTP server's source address 0.0.0.0
 FTP SSL policy ftp_server
 FTP Secure-server is running

11.5 Configuring Secure Web Network Management

An SSL policy is configured on and a digital certificate is loaded to an HTTP server. The digital certificate is used by a client to verify the identity of the server.


11.5.1 Establishing the Configuration Task

Before configuring an HTTPS server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and efficiently.

Applicable Environment

After a device that supports Web network management is enabled with the HTTP function, the device can function as a Web server. Users can log in to the device using HTTP and use Web pages to access and control the device. HTTP provides no mechanism for users to authenticate the Web server and does not protect the privacy of transmitted data. To address this problem, you can configure HTTPS on the device. HTTPS is an extension of the commonly used HTTP that adds support for SSL. SSL allows the client and server to authenticate each other and encrypts the data to be transmitted.

As shown in Figure 11-4, an SSL policy is configured on the device that functions as an HTTP server. After a digital certificate is loaded to the server and the HTTPS server function is enabled on it, users can log in to the server and manage it remotely using Web pages.

Figure 11-4 Networking diagram for accessing another device by using HTTPS (diagram not reproduced; labels: PC, Network, HTTP-Server with VLANIF10 192.168.0.1/24)

Pre-configuration Tasks

Before configuring an HTTPS server, complete the following tasks:

l Uploading a digital certificate to the device that will function as the HTTPS server and copying the certificate to the sub-directory named security of the system directory on the HTTPS server

l Installing a Web browser on a PC

Data Preparation

To configure an HTTPS server, you need the following data.

No. Data
1   SSL policy name and digital certificate
2   IP address, Web page file, and Web account of the HTTPS server


11.5.2 Configuring an SSL Policy and Loading a Digital Certificate

A digital certificate is used to authenticate the identities of both the user terminal and the HTTPS server to ensure secure communication.

Context

Before HTTPS can be used for secure management, the HTTPS server needs to obtain a digital certificate from a CA. The digital certificate is used to authenticate clients. This ensures that only authorized clients can log in to the HTTPS server.

NOTE

A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the HTTPS server can be generated using a third-party tool such as OpenSSL, which can act as a CA. For the procedure for generating a digital certificate, see the OpenSSL usage guide.

The digital certificate includes information such as the name of the person or organization that applied for the certificate, the public key, the digital signature of the CA that issued the certificate, and the validity period of the certificate. A CA can issue a certificate chain along with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates on the chain.

A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:

l The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem. A PEM certificate contains only a public key but not a private key, and the public key is usually encrypted. The PEM format is applicable to text transmission between systems.

l The ASN1 format is a universal digital certificate format. The file name extension of an ASN1 digital certificate is .der. An ASN1 certificate contains only a public key but not a private key, and the public key is not encrypted. The ASN1 format is the default format for most browsers.

l The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx. A PFX certificate can contain a private key, and the key is usually encrypted. The PFX format is a binary format that can be converted into the PEM or ASN1 format.
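The procedure that follows offers four certificate load variants (pem-cert, pem-chain, asn1-cert, pfx-cert), and choosing the wrong one for a file is a common reason the load fails. As an added example that is not from the Huawei guide, the Python classifier below inspects a file before the choice is made: it tells PEM from binary by the armor, distinguishes an X.509 certificate from a PKCS#12 (PFX) bundle by the outer ASN.1 structure, counts CERTIFICATE blocks to separate a single certificate from a chain, and reports whether a PEM private key carries a passphrase marker (the case the pem-cert and pfx-cert commands appear to cover with their auth-code parameter; that pairing is my reading of the syntax, not a statement from the page). The DER samples are constructed skeletons with just enough structure to exercise the classifier, not real credentials, and LOAD_COMMAND only restates the command syntax given in the procedure.

```python
import base64
import re

# The four load variants the page lists; classify() returns one of these keys.
LOAD_COMMAND = {
    "pem-cert": "certificate load pem-cert <cert> key-pair { dsa | rsa } key-file <key> auth-code <code>",
    "pem-chain": "certificate load pem-chain <cert> key-pair { dsa | rsa } key-file <key> auth-code <code>",
    "asn1-cert": "certificate load asn1-cert <cert> key-pair { dsa | rsa } key-file <key>",
    "pfx-cert": "certificate load pfx-cert <cert> key-pair { dsa | rsa } { mac <mac> | key-file <key> } auth-code <code>",
}

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def classify_der(der):
    """Tell an X.509 certificate (asn1-cert) from a PKCS#12 bundle (pfx-cert) by the outer structure."""
    tag, body, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single top-level DER SEQUENCE")
    inner_tag, inner_val, _ = der_tlv(body)
    if inner_tag == 0x02 and inner_val == b"\x03":
        return "pfx-cert"    # PFX ::= SEQUENCE { version INTEGER (3), authSafe, macData }
    if inner_tag == 0x30:
        return "asn1-cert"   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    raise ValueError("unrecognised DER structure")


def classify(data):
    """Return (kind, key_encrypted) for raw file bytes.

    kind is a LOAD_COMMAND key, or 'private-key' for a stand-alone key file.
    key_encrypted is True/False for a PEM private key (passphrase marker present
    or not) and None when the file holds no PEM key.
    """
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return classify_der(data), None          # binary file: DER certificate or PFX
    certs, key_encrypted = 0, None
    for label, body in blocks:
        label = label.decode()
        if label == "CERTIFICATE":
            der = base64.b64decode(b"".join(body.split()), validate=True)
            if classify_der(der) != "asn1-cert":
                raise ValueError("CERTIFICATE block does not hold an X.509 certificate")
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            # PKCS#8 uses the ENCRYPTED label; legacy PEM keys carry a Proc-Type header.
            key_encrypted = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
    if certs == 0:
        return "private-key", key_encrypted
    return ("pem-cert" if certs == 1 else "pem-chain"), key_encrypted


# --- constructed samples: minimal ASN.1 skeletons, not real credentials ----------
def encode_tlv(tag, value):
    """DER-encode one TLV (used only to build the samples below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def pem_armor(label, der):
    """Wrap DER bytes in a PEM block carrying the given label."""
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) + b"-----END " + label + b"-----\n"


# Certificate-shaped: SEQUENCE { tbs SEQUENCE { INTEGER 1 }, sigAlg SEQUENCE {}, sig BIT STRING }
FAKE_CERT_DER = encode_tlv(0x30, encode_tlv(0x30, encode_tlv(0x02, b"\x01")) + encode_tlv(0x30, b"") + encode_tlv(0x03, b"\x00"))
# PFX-shaped: SEQUENCE { INTEGER 3, authSafe SEQUENCE {} }
FAKE_PFX_DER = encode_tlv(0x30, encode_tlv(0x02, b"\x03") + encode_tlv(0x30, b""))
FAKE_ENCRYPTED_KEY_PEM = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, blob in (("cert.der", FAKE_CERT_DER), ("bundle.pfx", FAKE_PFX_DER),
                       ("cert.pem", pem_armor(b"CERTIFICATE", FAKE_CERT_DER)),
                       ("chain.pem", pem_armor(b"CERTIFICATE", FAKE_CERT_DER) * 2),
                       ("key.pem", FAKE_ENCRYPTED_KEY_PEM)):
        kind, enc = classify(blob)
        print(f"{name}: {kind}, key encrypted={enc} -> {LOAD_COMMAND.get(kind, 'key-file argument')}")
```

With real files, classify(open(path, "rb").read()) names the load variant to use; the classifier looks only at the container, so a file that passes it may still be rejected by the switch for other reasons (wrong key type for key-pair, expired certificate), which the display ssl policy output in the later check sections will show.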

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssl policy policy-name

An SSL policy is configured.

Step 3 Load a digital certificate.

Run one of the following commands as required:

l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code


A PEM digital certificate is loaded.

l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

An ASN1 digital certificate is loaded.

l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code

A PFX digital certificate is loaded.

l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

A PEM digital certificate chain is loaded.

NOTE

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain has already been loaded, unload it before loading a new one.

----End

11.5.3 Loading a Web Page File

To manage and maintain a device on a graphical user interface (GUI), you can configure the Web network management function. Before using the Web network management function, load the related Web page file.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
http server load file-name

A Web page file is loaded.

----End

11.5.4 Enabling the HTTPS Function

After a device is configured with an SSL policy and enabled with the HTTPS function, the device functions as an HTTPS server to provide SSL-based HTTP services.

Context

NOTE

Before enabling the HTTPS server function, disable the HTTP server function.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
http secure-server ssl-policy policy-name

An SSL policy is configured for the device.

Step 3 Run:
http secure-server enable

The HTTPS server function is enabled.

By default, the HTTPS server function is disabled.

Step 4 (Optional) Run:
http secure-server port port-number

The listening port number is configured for the HTTPS server.

The default listening port number of the HTTPS server is 443. When the default listening port number is used, you do not need to specify the port number in the commands that access and control the HTTPS server. Attackers may access the default listening port, consuming bandwidth, degrading the performance of the server, and preventing authorized users from accessing the server. To improve security, run this command to change the listening port number of the HTTPS server. Attackers then lack information about the newly configured listening port number, and the HTTPS server is better protected.

----End

11.5.5 Creating a Web Account

Setting the HTTP user name and password is recommended for secure login to a Web server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

The HTTP user name and password are set.

NOTE

Setting the password in cipher text is recommended. User names and passwords stored in simple text are insecure.

Step 4 Run:
local-user user-name service-type http

HTTP is configured as the service type.

----End

11.5.6 Logging In to the Web System

After logging in to the Web system, you can manage and maintain a device on a GUI.

Open the Web browser on the PC. Enter the IP address of the HTTPS server in the address bar. Press Enter and the dialog box shown in Figure 11-5 is displayed.

Figure 11-5 Login GUI

Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter the Web system.

11.5.7 Checking the Configuration

After secure Web network management is configured, you can view the configured SSL policy and loaded digital certificate on the HTTPS server as well as the HTTPS server status.

Prerequisite

The configurations of secure Web network management are complete.

Procedure

l Run the display ssl policy command to check the configured SSL policy and loaded digital certificate.

l Run the display http server command to check the SSL policy name and the HTTPS server status.

----End


Example

Run the display ssl policy command. The command output shows detailed information about the configured SSL policy and loaded digital certificate.

<Quidway> display ssl policy
 SSL Policy Name: http_server
 Policy Applicants: WEB secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:

Run the display http server command. The command output shows the SSL policy name and the HTTPS server status.

<Quidway> display http server
 HTTP Server Status        : disabled
 HTTP Server Port          : 80(80)
 HTTP Timeout Interval     : 20
 Current Online Users      : 0
 Maximum Users Allowed     : 5
 HTTP Secure-server Status : enabled
 HTTP Secure-server Port   : 443(443)
 HTTP SSL Policy           : http_server
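The two check sections (11.4.5 for FTPS and 11.5.7 for HTTPS) end with display outputs like the ones above, and a reviewer normally wants to read them once and answer the same questions each time. As an added example that is not part of the Huawei guide, the Python script below parses those outputs and reports the conditions the chapter calls for: the plain service is off (the 11.5.4 note requires disabling HTTP before enabling HTTPS, and the FTPS examples undo ftp server first), the secure service is on, and the SSL policy the service is bound to exists, applies to that service, and has a certificate and key file loaded. The sample text is copied from the page's own display output; on a live switch you would feed it the captured CLI text instead.

```python
import re

# Sample outputs copied from the page's own display examples so the check runs
# offline; on a live switch feed it the text captured from the CLI instead.
DISPLAY_HTTP_SERVER = """\
HTTP Server Status : disabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
"""
DISPLAY_SSL_POLICY_HTTP = """\
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
"""
DISPLAY_FTP_SERVER = """\
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running
"""
DISPLAY_SSL_POLICY_FTP = (DISPLAY_SSL_POLICY_HTTP
                          .replace("http_server", "ftp_server")
                          .replace("WEB secure-server", "FTP secure-server"))


def parse_kv(text):
    """Parse 'Key : value' lines (display http server, display ssl policy) into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_ftp_server(text):
    """display ftp-server has no separator, so pull the audited fields with patterns."""
    patterns = {"ftp_state": r"^FTP server is (\w+)",
                "ftps_state": r"^FTP Secure-server is (\w+)",
                "ssl_policy": r"^FTP SSL policy (\S+)"}
    found = {name: re.search(pat, text, re.M) for name, pat in patterns.items()}
    return {name: (m.group(1) if m else "") for name, m in found.items()}


def audit_ssl_policy(policy, name, applicant):
    """The bound policy must exist, apply to this service, and hold a certificate and key."""
    if policy.get("SSL Policy Name") != name:
        return [f"SSL policy {name!r} not present in display ssl policy output"]
    findings = []
    if applicant not in policy.get("Policy Applicants", ""):
        findings.append(f"policy {name} is not applied to {applicant}")
    if not policy.get("Certificate Filename"):
        findings.append(f"policy {name} has no certificate loaded")
    if not policy.get("Key-file Filename"):
        findings.append(f"policy {name} has no key file loaded")
    return findings


def audit_web(http_server_out, ssl_policy_out):
    """End state of 11.5: plain HTTP off, HTTPS on and bound to a policy carrying a certificate."""
    http = parse_kv(http_server_out)
    findings = []
    if http.get("HTTP Server Status") != "disabled":
        findings.append("plain HTTP server is still enabled")
    if http.get("HTTP Secure-server Status") != "enabled":
        findings.append("HTTPS server is not enabled")
    name = http.get("HTTP SSL Policy", "")
    if not name:
        findings.append("no SSL policy bound to the HTTPS server")
    else:
        findings += audit_ssl_policy(parse_kv(ssl_policy_out), name, "WEB secure-server")
    return findings


def audit_ftp(ftp_server_out, ssl_policy_out):
    """End state of the FTPS examples: plain FTP stopped, FTPS running and bound to a policy with a certificate."""
    ftp = parse_ftp_server(ftp_server_out)
    findings = []
    if ftp["ftp_state"] != "stopped":
        findings.append("plain FTP server is still running")
    if ftp["ftps_state"] != "running":
        findings.append("FTPS server is not running")
    if not ftp["ssl_policy"]:
        findings.append("no SSL policy bound to the FTPS server")
    else:
        findings += audit_ssl_policy(parse_kv(ssl_policy_out), ftp["ssl_policy"], "FTP secure-server")
    return findings


if __name__ == "__main__":
    print("web:", audit_web(DISPLAY_HTTP_SERVER, DISPLAY_SSL_POLICY_HTTP) or "OK")
    print("ftp:", audit_ftp(DISPLAY_FTP_SERVER, DISPLAY_SSL_POLICY_FTP) or "OK")
```

An empty findings list means the device is in the state the chapter describes. Note that, as the page's own output shows, display ssl policy prints the Auth-code in clear, so captured output and configuration backups that contain it deserve the same handling as the key file itself.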

11.6 Configuration Examples

11.6.1 Example for Configuring Login to an FTPS Server from a User Terminal

You can use a terminal on which SSL-capable FTP client software is installed to log in to an FTPS server and securely operate files transmitted between the terminal and the server.

Networking Requirements

Traditional FTP has no security mechanism: it transmits data in plain text. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server. Transmitted data is easy to tamper with, which poses security threats. An SSL policy can be configured on the FTP server to improve security. SSL provides data encryption, identity authentication, and message integrity verification, improving data transmission security. In addition, SSL provides secure connections for the FTP server, greatly improving the security of the FTP server.

As shown in Figure 11-6, an SSL policy is configured on the FTP server. After a digital certificate is loaded and the FTPS server function is enabled on the server, you can log in to the server from a terminal on which SSL-capable FTP client software is installed and securely operate files transmitted between the terminal and the server.


Figure 11-6 Operating files using FTPS (diagram not reproduced; labels: PC, Network, FTP-Server with VLANIF10 192.168.0.1/24)

Configuration Roadmap

The configuration roadmap is as follows:

1. Upload a digital certificate. Upload the digital certificate saved on the PC to the FTP server.

2. Load the digital certificate. Copy the digital certificate from the system directory of the FTP server to the sub-directory named security, configure an SSL policy, and load the digital certificate.

3. Enable the FTPS server function.

4. Install the SSL-capable FTP client software on the PC.

Data Preparation

To complete the configuration, you need the following data:

l IP address of the FTP server
l FTP user name and password
l SSL digital certificate

Procedure

Step 1 Upload a digital certificate.

# Configure an IP address for the FTP server so that the PC and FTP server are routable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] interface gigabitethernet1/0/1
[FTP-Server-GigabitEthernet1/0/1] port link-type access
[FTP-Server-GigabitEthernet1/0/1] quit
[FTP-Server] vlan 10
[FTP-Server-vlan10] port gigabitethernet1/0/1
[FTP-Server-vlan10] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

# Enable the FTP server function.
[FTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for an FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password simple huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei ftp-directory cfcard:
[FTP-Server-aaa] quit
[FTP-Server] quit

# Run the ftp ftp-server-address command at the Windows command prompt. Enter the correct user name and password to set up an FTP connection to the FTP server, as shown in Figure 11-7.

Figure 11-7 Logging in to an FTP server from a user terminal

Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure 11-8.

Figure 11-8 Uploading a digital certificate


After the preceding configurations are complete, run the dir command on the FTP server. The command output shows that the digital certificate has been successfully uploaded to the server.

<FTP-Server> dir
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
    0  drw-           -  May 10 2011  05:05:40   src
    1  -rw-     524,575  May 10 2011  05:05:53   private-data.txt
    2  -rw-         446  May 10 2011  05:05:51   vrpcfg.zip
    3  -rw-       1,302  May 10 2011  05:32:05   1_servercert_pem_rsa.pem
    4  -rw-         951  May 10 2011  05:32:44   1_serverkey_pem_rsa.pem

304,292 KB total (303,770 KB free)

Step 2 Configure an SSL policy and load the digital certificate.

# Create a sub-directory named security and copy the digital certificate to this sub-directory.
<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security sub-directory on the FTP server. The command output shows that the digital certificate has been successfully copied to this sub-directory.

<FTP-Server> cd security/
<FTP-Server> dir
Directory of cfcard:/security/

  Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-       1,302  May 10 2011  05:44:34   1_servercert_pem_rsa.pem
    1  -rw-         951  May 10 2011  05:45:22   1_serverkey_pem_rsa.pem

304,292 KB total (303,766 KB free)

# Create an SSL policy and load the PEM digital certificate.
<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
[FTP-Server-ssl-policy-ftp_server] quit

Step 3 Enable the FTPS server function.

NOTE

Before enabling the FTPS server function, disable the FTP server function.

[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable

Step 4 Install the SSL-capable FTP client software on the PC.

For details about the operation procedure, see the help document of the third-party software.

Step 5 Verify the configuration.

# Run the display ssl policy command on the FTPS server. The command output shows detailed information about the loaded certificate.

[FTP-Server] display ssl policy
 SSL Policy Name: ftp_server
 Policy Applicants: FTP secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:

# Run the display ftp-server command on the FTPS server. The command output shows that the configured SSL policy name is ftp_server and the FTPS server is running.

[FTP-Server] display ftp-server
 FTP server is stopped
 Max user number 5
 User count 1
 Timeout value(in minute) 30
 Listening port 21
 Acl number 0
 FTP server's source address 0.0.0.0
 FTP SSL policy ftp_server
 FTP Secure-server is running

You can establish a connection with the FTPS server using the SSL-capable FTP client software and upload files to and download files from the server.

----End

Configuration Files

Configuration file of the FTPS server

#
 sysname FTP-Server
#
 FTP secure-server enable
 ftp secure-server ssl-policy ftp_server
#
 vlan batch 10
#
ssl policy ftp_server
 certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 local-user huawei password simple huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:/
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
return

11.6.2 Example for Configuring Login to an FTPS Server from an FTPS Client

You can log in to an FTPS server from an FTPS client to operate files transmitted between the server and the client.


Networking Requirements

Traditional FTP has no security mechanism: it transmits data in plain text. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server. Transmitted data is easy to tamper with, which poses security threats. An SSL policy can be configured on the FTP server to improve security. SSL provides data encryption, identity authentication, and message integrity verification, improving data transmission security. In addition, SSL provides secure connections for the FTP server, greatly improving the security of the FTP server.

As shown in Figure 11-9,

l An SSL policy needs to be configured on and a trusted-CA file needs to be loaded to an FTP client so that the client can verify the identity of the certificate owner, sign a digital certificate to prevent eavesdropping and tampering, and manage the certificate and key.

l An SSL policy needs to be configured on and a digital certificate needs to be loaded to an FTP server to verify the validity of the trusted-CA file. This ensures that only authorized clients can log in to the server.

Figure 11-9 Accessing an FTPS server from an FTPS client (diagram not reproduced; labels: PC1, FTP-Client, Network, FTP-Server, PC2, and the interfaces VLANIF30 1.1.1.2/24, VLANIF40 192.168.0.2/24, VLANIF20 1.1.1.1/24, VLANIF10 192.168.0.1/24)

If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS client to remotely manage files.

Configuration Roadmap

The configuration roadmap is as follows:

1. Upload certificates.

l Upload the digital certificate saved on PC2 to the FTP server.

l Upload the trusted-CA file saved on PC1 to the FTP client.

2. Load the certificates and configure SSL policies.

l Copy the digital certificate from the system directory of the FTP server to the security sub-directory, configure an SSL policy, and load the digital certificate.

l Copy the trusted-CA file from the system directory of the FTP client to the security sub-directory, configure an SSL policy, and load the trusted-CA file.

3. Enable the FTPS server function on the FTP server.


4. Configure IP addresses for the interfaces that interconnect the FTP client and server to ensure that the client and server are routable.

5. Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.

Data Preparation

To complete the configuration, you need the following data:

l IP addresses of the FTP client and server
l FTP user name and password
l SSL trusted-CA file and digital certificate

Procedure

Step 1 Upload certificates.

l Perform the following steps on the FTP server:

# Configure an IP address for the FTP server so that the PC and FTP server are routable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] interface gigabitethernet1/0/1
[FTP-Server-GigabitEthernet1/0/1] port link-type access
[FTP-Server-GigabitEthernet1/0/1] quit
[FTP-Server] vlan 10
[FTP-Server-vlan10] port gigabitethernet1/0/1
[FTP-Server-vlan10] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

# Enable the FTP server function.
[FTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for an FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password simple huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei ftp-directory cfcard:
[FTP-Server-aaa] quit
[FTP-Server] quit

# Run the ftp ftp-server-address command at the Windows command prompt. Enter the correct user name and password to set up an FTP connection to the FTP server, as shown in Figure 11-10.


Figure 11-10 Logging in to an FTP server from a user terminal

Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure 11-11.

Figure 11-11 Uploading a digital certificate

After the preceding configurations are complete, run the dir command on the FTP server. The command output shows that the digital certificate has been successfully uploaded to the server.

<FTP-Server> dir
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
    0  drw-           -  May 10 2011  05:05:40   src
    1  -rw-     524,575  May 10 2011  05:05:53   private-data.txt
    2  -rw-         446  May 10 2011  05:05:51   vrpcfg.zip
    3  -rw-       1,302  May 10 2011  05:32:05   1_servercert_pem_rsa.pem
    4  -rw-         951  May 10 2011  05:32:44   1_serverkey_pem_rsa.pem
    5  drw-           -  May 10 2011  05:43:39   security

304,292 KB total (303,766 KB free)

l Perform the following steps on the FTP client:

The procedure for uploading the trusted-CA file to the FTP client is similar to the procedurefor uploading the digital certificate to the FTP server. For detailed configurations, see theconfiguration file of the FTP client in this example.After the trusted-CA file is uploaded to the FTP client, run the dir command on the FTPclient. The command output shows that the trusted-CA file has been successfully uploadedto the FTP client.<FTP-Client> dirDirectory of cfcard:/

Idx Attr Size(Byte) Date Time(LMT) FileName 0 -rw- 524,558 May 10 2011 04:50:39 private-data.txt 1 -rw- 1,237 May 10 2011 05:55:33 1_cacert_pem_rsa.pem 2 -rw- 1,241 May 10 2011 05:55:44 1_rootcert_pem_rsa.pem 3 drw- - Apr 09 2011 19:46:14 src 4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip 5 -rw- 1,308,478 Apr 14 2011 19:22:45 web.zip 6 drw- - Apr 10 2011 01:35:54 logfile 7 -rw- 4 Apr 19 2011 04:24:28 snmpnotilog.txt 8 drw- - Apr 11 2011 16:18:53 security 9 drw- - Apr 13 2011 11:37:40 lam

304,292 KB total (300,270 KB free)

Step 2 Load the certificates and configure SSL policies.l Perform the following steps on the FTP server:

# Create a sub-directory named security and copy the digital certificate to this sub-directory.<FTP-Server> mkdir security/<FTP-Server> copy 1_servercert_pem_rsa.pem security/<FTP-Server> copy 1_serverkey_pem_rsa.pem security/After the preceding configurations are complete, run the dir command in the security sub-directory on the FTP server. The command output shows that the digital certificate has beensuccessfully uploaded to the server.<FTP-Server> cd security/<FTP-Server> dirDirectory of cfcard:/security/

Idx Attr Size(Byte) Date Time(LMT) FileName 0 -rw- 1,302 May 10 2011 05:44:34 1_servercert_pem_rsa.pem 1 -rw- 951 May 10 2011 05:45:22 1_serverkey_pem_rsa.pem

304,292 KB total (303,766 KB free)# Create an SSL policy and load the PEM digital certificate.<FTP-Server> system-view[FTP-Server] ssl policy ftp_server[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456[FTP-Server-ssl-policy-ftp_server] quitAfter the preceding configurations are complete, run the display ssl policy command on theFTP server. The command output shows detailed information about the loaded certificate.[FTP-Server] display ssl policy SSL Policy Name: ftp_server Policy Applicants: FTP secure-server Key-pair Type: RSA Certificate File Type: PEM

Quidway S9300 Terabit Routing SwitchConfiguration Guide - Basic Configuration 11 SSL Configuration

Issue 01 (2011-10-26) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

230

Page 243: Configuration Guide - Basic Configuration(V100R006C01_01)

 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:

• Configure the FTP client.

# Create a sub-directory named security and copy the trusted-CA file to this sub-directory.

The configuration procedure is similar to that on the FTP server. For detailed configurations, see the configuration file of the FTP client in this example.

After the trusted-CA file is copied to the security sub-directory, run the dir command in this sub-directory. The command output shows that the trusted-CA file has been successfully copied to this sub-directory.

<FTP-Client> cd security/
<FTP-Client> dir
Directory of cfcard:/security/

Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
  0  -rw-       1,237  May 10 2011  05:57:15   1_cacert_pem_rsa.pem
  1  -rw-       1,241  May 10 2011  05:57:29   1_rootcert_pem_rsa.pem

304,292 KB total (300,266 KB free)

# Create an SSL policy and load the trusted-CA file.

<FTP-Client> system-view
[FTP-Client] ssl policy ftp_client
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_cacert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] quit

After the preceding configurations are complete, run the display ssl policy command on the FTP client. The command output shows detailed information about the trusted-CA file.

[FTP-Client] display ssl policy
 SSL Policy Name: ftp_client
 Policy Applicants:
 Key-pair Type:
 Certificate File Type:
 Certificate Type:
 Certificate Filename:
 Key-file Filename:
 Auth-code:
 MAC:
 CRL File:
 Trusted-CA File:
 Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
 Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

Step 3 Enable the FTPS server function.

NOTE

Before enabling the FTPS server function, disable the FTP server function.

[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable

Step 4 Configure IP addresses for the interfaces that interconnect the FTP client and server.

# Configure the FTP server.

[FTP-Server] interface gigabitethernet 1/0/2
[FTP-Server-GigabitEthernet1/0/2] port link-type access
[FTP-Server-GigabitEthernet1/0/2] quit
[FTP-Server] vlan 30


[FTP-Server-vlan30] port gigabitethernet 1/0/2
[FTP-Server-vlan30] quit
[FTP-Server] interface vlanif 30
[FTP-Server-Vlanif30] ip address 1.1.1.2 24
[FTP-Server-Vlanif30] quit

# Configure the FTP client.

[FTP-Client] interface gigabitethernet 1/0/2
[FTP-Client-GigabitEthernet1/0/2] port link-type access
[FTP-Client-GigabitEthernet1/0/2] quit
[FTP-Client] vlan 20
[FTP-Client-vlan20] port gigabitethernet 1/0/2
[FTP-Client-vlan20] quit
[FTP-Client] interface vlanif 20
[FTP-Client-Vlanif20] ip address 1.1.1.1 24
[FTP-Client-Vlanif20] quit
[FTP-Client] quit

Step 5 Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.

<FTP-Client> ftp ssl-policy ftp_client 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2.
220 FTP service ready.
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.

[ftp]

The client can log in to the FTP server only after the correct user name and password are entered.

Step 6 Verify the configuration.

# Run the display ftp-server command on the FTPS server. The command output shows that the configured SSL policy name is ftp_server and the FTPS server is running.

[FTP-Server] display ftp-server
 FTP server is stopped
 Max user number 5
 User count 1
 Timeout value(in minute) 30
 Listening port 21
 Acl number 0
 FTP server's source address 0.0.0.0
 FTP SSL policy ftp_server
 FTP Secure-server is running

You can use the FTP client to remotely manage files on the FTPS server.

----End

Configuration Files

• Configuration file of the FTP server

#
 sysname FTP-Server
#
 FTP secure-server enable
 ftp secure-server ssl-policy ftp_server
#
 vlan batch 10 30


#
ssl policy ftp_server
 certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 local-user huawei password simple huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:/
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface Vlanif30
 ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 30
#
return

• Configuration file of the FTP client

#
 sysname FTP-Client
#
 FTP server enable
#
 vlan batch 20 40
#
ssl policy ftp_client
 trusted-ca load pem-ca 1_cacert_pem_rsa.pem
 trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 local-user huawei password simple huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:/
#
interface Vlanif20
 ip address 1.1.1.1 255.255.255.0
#
interface Vlanif40
 ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 40
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
#
return


11.6.3 Example for Configuring Secure Web Network Management

Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted, and check message integrity, secure Web network management provides secure Web access.

Networking Requirements

After a device that supports Web network management is enabled with the HTTP function, the device can function as a Web server. Users can log in to the device using HTTP and use Web pages to access and control the device. HTTP provides no mechanism for users to authenticate the Web server and does not protect the privacy of transmitted data. To address this problem, you can configure HTTPS on the device. HTTPS is an extension of the commonly used HTTP that adds support for SSL. SSL allows the client and server to authenticate each other and encrypts the data to be transmitted.

As shown in Figure 11-12, an SSL policy is configured on the device that functions as an HTTP server. After a digital certificate is loaded and the HTTPS server function is enabled on the server, users can log in to the server and remotely manage it using Web pages.

Figure 11-12 Networking diagram for accessing another device by using HTTPS
[Figure: PC connected over the network to HTTP-Server; HTTP-Server interface VLANIF10, 192.168.0.1/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Upload a digital certificate and a Web page file.
   Upload the digital certificate and Web page file saved on the PC to the device that functions as an HTTP server.

2. Load the digital certificate.
   Copy the digital certificate from the system directory of the HTTP server to the security sub-directory, configure an SSL policy, and load the digital certificate.

3. Load the Web page file.
4. Create a Web account.
5. Log in to the Web system.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of the HTTP server
• HTTP user name and password
• SSL digital certificate


• Web account
• Web page file

Procedure

Step 1 Upload the digital certificate and Web page file.

# Configure an IP address for the device that functions as an HTTP server so that the PC and HTTP server are routable.

<Quidway> system-view
[Quidway] sysname HTTP-Server
[HTTP-Server] interface gigabitethernet1/0/1
[HTTP-Server-GigabitEthernet1/0/1] port link-type access
[HTTP-Server-GigabitEthernet1/0/1] quit
[HTTP-Server] vlan 10
[HTTP-Server-vlan10] port gigabitethernet1/0/1
[HTTP-Server-vlan10] quit
[HTTP-Server] interface vlanif 10
[HTTP-Server-Vlanif10] ip address 192.168.0.1 24
[HTTP-Server-Vlanif10] quit

# Enable the FTP server function.

[HTTP-Server] ftp server enable

# Configure the authentication information, authorization mode, and authorized directory for FTP users.

[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password simple huawei
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei ftp-directory cfcard:
[HTTP-Server-aaa] quit
[HTTP-Server] quit

# Upload the digital certificate and Web page file from the PC to the HTTP server, as shown in Figure 11-13.

Figure 11-13 Uploading a digital certificate


After the preceding configurations are complete, run the dir command on the HTTP server. The command output shows that the digital certificate and Web page file have been successfully uploaded to the server.

<HTTP-Server> dir
Directory of cfcard:/

Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
  0  -rw-     524,558  Apr 14 2011  16:24:39   private-data.txt
  1  -rw-       1,302  Apr 14 2011  19:22:30   1_servercert_pem_rsa.pem
  2  -rw-         951  Apr 14 2011  19:22:35   1_serverkey_pem_rsa.pem
  3  drw-           -  Apr 09 2011  19:46:14   src
  4  -rw-         421  Apr 09 2011  19:46:14   vrpcfg.zip
  5  -rw-   1,308,478  Apr 14 2011  19:22:45   web.zip
  6  drw-           -  Apr 10 2011  01:35:54   logfile
  7  -rw-           4  Apr 14 2011  04:56:35   snmpnotilog.txt
  8  drw-           -  Apr 11 2011  16:18:53   security
  9  drw-           -  Apr 13 2011  11:37:40   lam

304,292 KB total (300,782 KB free)

Step 2 Configure an SSL policy and load the digital certificate.

# Create a sub-directory named security and copy the digital certificate to this sub-directory.

<HTTP-Server> mkdir security/
<HTTP-Server> copy 1_servercert_pem_rsa.pem security/
<HTTP-Server> copy 1_serverkey_pem_rsa.pem security/

After the preceding configurations are complete, run the dir command in the security sub-directory on the HTTP server. The command output shows that the digital certificate has been successfully copied to the security sub-directory.

<HTTP-Server> cd security/
<HTTP-Server> dir
Directory of cfcard:/security/

Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
  1  -rw-       1,302  Apr 13 2011  14:29:31   1_servercert_pem_rsa.pem
  2  -rw-         951  Apr 13 2011  14:29:49   1_serverkey_pem_rsa.pem

304,292 KB total (303,404 KB free)

# Create an SSL policy and load the PEM digital certificate.

<HTTP-Server> system-view
[HTTP-Server] ssl policy http_server
[HTTP-Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
[HTTP-Server-ssl-policy-http_server] quit

After the preceding configurations are complete, run the display ssl policy command on the HTTP server. The command output shows detailed information about the loaded certificate.

[HTTP-Server] display ssl policy
 SSL Policy Name: http_server
 Policy Applicants: WEB secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:


 CRL File:
 Trusted-CA File:
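The display ssl policy outputs in this chapter (ftp_server, ftp_client and http_server) differ by role: a server-side policy carries a certificate and key file and is listed under Policy Applicants once a secure server is bound to it, while a client-side policy carries only trusted-CA files. The following Python script is an added example, not part of this guide or of the switch software; it parses such output into fields and reports what is missing for the role the policy is meant to play. The sample outputs are constructed copies of the transcripts shown above, the field names come from that output, and the checks themselves (including treating an empty CRL File as a finding) are this script's own.

```python
"""Parse the output of 'display ssl policy' and check that a policy carries what its
role needs. Added example: the checks are this script's own; the field names come
from the command output shown in this chapter."""
import re

# Constructed copies of the outputs shown in this chapter.
SERVER_OUTPUT = """\
 SSL Policy Name: ftp_server
 Policy Applicants: FTP secure-server
 Key-pair Type: RSA
 Certificate File Type: PEM
 Certificate Type: certificate
 Certificate Filename: 1_servercert_pem_rsa.pem
 Key-file Filename: 1_serverkey_pem_rsa.pem
 Auth-code: 123456
 MAC:
 CRL File:
 Trusted-CA File:
"""

CLIENT_OUTPUT = """\
 SSL Policy Name: ftp_client
 Policy Applicants:
 Key-pair Type:
 Certificate File Type:
 Certificate Type:
 Certificate Filename:
 Key-file Filename:
 Auth-code:
 MAC:
 CRL File:
 Trusted-CA File:
 Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
 Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
"""

# Numbered trusted-CA entries have their own layout: "Format = PEM, Filename = x.pem".
_CA_LINE = re.compile(r"Trusted-CA File \d+:\s*Format = (\w+), Filename = (\S+)")


def parse_ssl_policy(text):
    """Return a dict of field -> value plus 'trusted_cas', a list of (format, filename)."""
    policy = {"trusted_cas": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CA_LINE.match(line)
        if m:
            policy["trusted_cas"].append((m.group(1), m.group(2)))
            continue
        key, sep, value = line.partition(":")
        if sep:
            policy[key.strip()] = value.strip()
    return policy


def check_ssl_policy(policy, role):
    """List what is missing for a policy used as 'server' (FTPS/HTTPS side) or 'client'."""
    findings = []
    if role == "server":
        if not policy.get("Certificate Filename"):
            findings.append("server policy has no certificate loaded")
        if not policy.get("Key-file Filename"):
            findings.append("server policy has no key file loaded")
        if not policy.get("Policy Applicants"):
            findings.append("policy is not bound to any secure server")
    elif role == "client":
        if not policy["trusted_cas"]:
            findings.append("client policy has no trusted-CA file; the server certificate cannot be verified")
    else:
        raise ValueError("role must be 'server' or 'client'")
    # An empty CRL File means no revocation list is loaded for this policy.
    if not policy.get("CRL File"):
        findings.append("no CRL loaded")
    return findings
```

Running check_ssl_policy(parse_ssl_policy(SERVER_OUTPUT), "server") on the ftp_server output returns only the CRL finding; running the ftp_client output in the server role reports the missing certificate, key file and binding, which is exactly what separates the two sides of the FTPS example.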

Step 3 Load the Web page file.

[HTTP-Server] http server load web.zip

Step 4 Create a Web account.

# Enable the HTTPS server function.

NOTE

Before enabling the HTTPS server function, disable the HTTP server function.

[HTTP-Server] undo http server enable
[HTTP-Server] http secure-server ssl-policy http_server
[HTTP-Server] http secure-server enable

# Configure authentication information and authorization mode for HTTP users.

[HTTP-Server] aaa
[HTTP-Server-aaa] local-user http password simple http
[HTTP-Server-aaa] local-user http service-type http
[HTTP-Server-aaa] quit

Step 5 Log in to the Web system.

Open the Web browser on the PC. Enter the IP address of the HTTP server in the address bar. Press Enter and the dialog box shown in Figure 11-14 is displayed.

Figure 11-14 Login GUI

Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter the Web system.

Step 6 Verify the configuration.

# Run the display http-server command on the HTTPS server. The command output shows the SSL policy name and the HTTPS server status.

[HTTP-Server] display http-server
 HTTP Server Status : disabled
 HTTP Server Port : 80(80)


 HTTP Timeout Interval : 20
 Current Online Users : 0
 Maximum Users Allowed : 5
 HTTP Secure-server Status : enabled
 HTTP Secure-server Port : 443(443)
 HTTP SSL Policy : http_server

----End

Configuration Files

Configuration file of the HTTPS server

#
 sysname HTTP-Server
#
 FTP server enable
#
 undo http server enable
 http server load web.zip
 http secure-server ssl-policy http_server
 http secure-server enable
#
 vlan batch 10
#
ssl policy http_server
 certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 local-user http password simple http
 local-user http service-type http
 local-user huawei password simple huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
return
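The configuration files in this chapter show how the secure and plain services end up combined on one device: the FTPS example turns the plain FTP server off before enabling FTPS, while the HTTPS server keeps the plain FTP server on for file uploads, and every local user is created with password simple. The following Python audit script is an added example, not part of this guide or of any Huawei tool; it splits a configuration file into its '#'-delimited sections and reports a plain service enabled beside or instead of its secure counterpart, a secure server bound to an SSL policy that loads no certificate, and local users whose password is kept with password simple, which stores the password in clear text in the configuration file. The first two samples are trimmed copies of the FTP-server and HTTPS-server configuration files in this chapter; the third is a constructed misconfiguration that is not from the guide.

```python
"""Audit a Huawei VRP-style configuration file (the '#'-delimited text shown under
"Configuration Files") for the SSL-related settings this chapter sets up. Added example."""
import re

# Trimmed copy of the FTP server configuration file from the FTPS example.
FTP_SERVER_CONFIG = """\
#
 FTP secure-server enable
 ftp secure-server ssl-policy ftp_server
#
ssl policy ftp_server
 certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
 local-user huawei password simple huawei
#
return
"""

# Trimmed copy of the HTTPS server configuration file from the Web example.
HTTPS_SERVER_CONFIG = """\
#
 FTP server enable
#
 undo http server enable
 http secure-server ssl-policy http_server
 http secure-server enable
#
ssl policy http_server
 certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
 local-user http password simple http
 local-user huawei password simple huawei
#
return
"""

# Constructed counter-example (not from the guide): plain FTP left on beside FTPS,
# and the bound SSL policy never loads a certificate.
BROKEN_CONFIG = """\
#
 FTP server enable
 FTP secure-server enable
 ftp secure-server ssl-policy ftp_server
#
ssl policy ftp_server
#
return
"""


def split_sections(text):
    """Split the configuration at '#' lines into lists of stripped lines; 'return' is dropped."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_config(text):
    """Return a list of findings (empty when nothing is flagged)."""
    sections = split_sections(text)
    all_lines = [line for sec in sections for line in sec]
    lowered = [line.lower() for line in all_lines]
    findings = []

    # SSL policies that actually load a certificate and key file.
    policies_with_cert = set()
    for sec in sections:
        head = sec[0].split()
        if head[:2] == ["ssl", "policy"] and len(head) > 2:
            if any(line.startswith("certificate load ") for line in sec[1:]):
                policies_with_cert.add(head[2])

    for service in ("ftp", "http"):
        plain_on = f"{service} server enable" in lowered  # 'undo ... enable' does not match
        secure_on = f"{service} secure-server enable" in lowered
        if secure_on and plain_on:
            findings.append(f"{service}: plain server still enabled next to the secure server")
        elif plain_on:
            findings.append(f"{service}: plain server enabled without a secure counterpart")
        if secure_on:
            prefix = f"{service} secure-server ssl-policy "
            bound = [line.split()[-1] for line, low in zip(all_lines, lowered) if low.startswith(prefix)]
            if not bound:
                findings.append(f"{service}: secure server enabled without an ssl-policy binding")
            elif bound[0] not in policies_with_cert:
                findings.append(f"{service}: ssl policy '{bound[0]}' loads no certificate")

    # 'password simple' keeps the password in clear text in the configuration file.
    for line in all_lines:
        m = re.match(r"local-user (\S+) password simple ", line)
        if m:
            findings.append(f"local-user {m.group(1)}: password kept in clear text (password simple)")
    return findings
```

On the FTPS server file the only finding is the clear-text password of user huawei; on the HTTPS server file the script also reports the plain FTP server that the example leaves enabled for uploads, and on the constructed file it reports both the plain server left on beside FTPS and the policy with no certificate. Lines are compared case-insensitively because the stored file writes "FTP server enable" in capitals while the commands are typed in lower case.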
