manualshive.com logo in svg

Huawei AR2200 Series, Configuration Manual

Share
Download
Huawei AR2200 Series Configuration Manual Download Page 110

Step 3

Run:

authentication-mode

 

aaa

The AAA authentication mode is configured.

Step 4

Run:

protocol inbound

 

ssh

The VTY user interface is configured to support SSH.

NOTE

If a VTY user interface is configured to support SSH, the VTY user interface must be configured with
AAA authentication. Otherwise, the 

protocol inbound

 

ssh

 command cannot be configured.

----End

6.4.4 Configuring an SSH User and Specifying SFTP as One of
Service Types

To allow a user to log in to the router by using SFTP, you must configure an SSH user, configure
the router to generate a local RSA key pair, configure a user authentication mode, specify a
service type and authorized directory for the SSH user.

Context

l

SSH users can be authenticated in four modes: RSA, password, password-rsa, and all. You
must create a local user with the specified user name in the AAA view.

l

Configuring the router to generate a local RSA key pair is a key step for SSH login. If an
SSH user logs in to an SSH server in password authentication mode, configure the server
to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.

NOTE

Password-rsa authentication requires success of both password authentication and RSA authentication. The
all authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the router that functions as an SSH server:

Procedure

Step 1

Run:

system-view

The system view is displayed.

Step 2

Run:

aaa

The AAA view is displayed.

Step 3

Run:

local-user

 

user-name

 

password

 { 

simple

 | 

cipher

 } 

password

Name and password of the local user are created.

Huawei AR2200 Series Enterprise Routers
Configuration Guide - Basic Configuration

6 Managing File System

Issue 02 (2011-10-15)

Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.

99

Summary of Contents for AR2200 Series

Page 1: ...Huawei AR2200 Series Enterprise Routers V200R001C01 Configuration Guide Basic Configuration Issue 02 Date 2011 10 15 HUAWEI TECHNOLOGIES CO LTD ...

Page 2: ...be within the purchase scope or the usage scope Unless otherwise specified in the contract all statements information and recommendations in this document are provided AS IS without warranties guarantees or representations of any kind either express or implied The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensu...

Page 3: ...R Indicates a hazard with a high level of risk which if not avoided will result in death or serious injury WARNING Indicates a hazard with a medium or low level of risk which if not avoided could result in minor or moderate injury CAUTION Indicates a potentially hazardous situation which if not avoided could result in equipment damage data loss performance degradation or unexpected results TIP Ind...

Page 4: ...o item can be selected 1 n The parameter before the sign can be repeated 1 to n times A line starting with the sign is comments Interface Numbering Conventions Interface numbers used in this manual are examples In device configuration use the existing interface numbers on devices Change History Changes between document issues are cumulative Therefore the latest document version contains all update...

Page 5: ...ommand Line Interface 12 2 3 CLI Features 13 2 3 1 Editing 13 2 3 2 Displaying 14 2 3 3 Regular Expressions 14 2 3 4 Previously Used Commands 17 2 4 Shortcut Keys 18 2 4 1 Classifying Shortcut Keys 18 2 4 2 Defining Shortcut Keys 19 2 4 3 Use of Shortcut Keys 20 2 5 Configuration Examples 20 2 5 1 Example for Using Tab 21 2 5 2 Example for Using Shortcut Keys 22 3 Basic Configuration 23 3 1 Config...

Page 6: ...f the VTY User Interface 41 4 3 5 Setting User Priority of VTY User Interface 42 4 3 6 Setting User Authentication Mode of the VTY User Interface 43 4 3 7 Checking the Configuration 44 4 4 Configuring a TTY User Interface 45 4 4 1 Establishing the Configuration Task 45 4 4 2 Setting Physical Attributes of a TTY User Interface 46 4 4 3 Setting Terminal Attributes of TTY User Interface 47 4 4 4 Conf...

Page 7: ...s 75 5 5 4 Sending Messages to Other User Interfaces 75 5 5 5 Displaying Logged in Users 76 5 6 Configuration Examples 76 5 6 1 Example for Configuring User Login Through a Console Port 76 5 6 2 Example for Logging In by Telnet 79 5 6 3 Example for Configuring User Login by Using STelnet 80 6 Managing File System 83 6 1 File System Overview 84 6 1 1 File System 84 6 1 2 Methods of File Management ...

Page 8: ...nfigurations 113 7 2 Managing Configuration Files 113 7 2 1 Establishing the Configuration Task 114 7 2 2 Saving Configuration Files 114 7 2 3 Clearing a Configuration File 115 7 2 4 Comparing Configuration Files 116 7 2 5 Checking the Configuration 116 7 3 Specifying a File for System Startup 117 7 3 1 Establishing the Configuration Task 117 7 3 2 Configuring System Software for a router to Load ...

Page 9: ...shing the Configuration Task 141 8 6 2 Optional Configuring Source IP Address and Interface of the FTP Client 141 8 6 3 Connecting to Other Devices by Using FTP Commands 142 8 6 4 Operating Files by Using FTP Commands 143 8 6 5 Changing Login Users 145 8 6 6 Disconnecting from the FTP Server 145 8 6 7 Checking the Configuration 146 8 7 Accessing Files on Another Device by Using SFTP 146 8 7 1 Esta...

Page 10: ...ed at the Next Startup 184 9 3 5 Configuring a Backup Startup File 185 9 3 6 Optional Upgrading the BootROM of the LPU 185 9 3 7 Restarting a Device 186 9 3 8 Optional Activating a GTL License File 186 9 3 9 Checking the Configuration 187 9 4 Managing Patches 188 9 4 1 Establishing the Configuration Task 188 9 4 2 Installing a Patch 188 9 4 3 Specifying a Patch File to Be Used at the Next Startup ...

Page 11: ...ading System Software 195 9 7 2 Example for Installing a Patch File 199 Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration Contents Issue 02 2011 10 15 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd x ...

Page 12: ...mini USB port to configure the device 1 2 Logging In to the Device Through the Console Port or Mini USB Port This section describes how to connect a terminal to a router through the console port or mini USB port to establish the configuration environment Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 1 Logging In to the System for the First Time Issue 02 2011 10 15...

Page 13: ...mini USB port to establish the configuration environment 1 2 1 Establishing the Configuration Task Before logging in to the router through the console port or mini USB port familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the required data This will help you complete the configuration task quickly and accurately Applicable Environment When the ro...

Page 14: ...port and console port cannot be used together End 1 2 3 Logging in to the router You can log in to the router through the console portor mini USB port to configure and manage the router that is powered on for the first time Context You need to configure terminal attributes for the PC according to the attributes configured for the console port including the transmission rate data bit parity bit sto...

Page 15: ...tep 3 Set communication parameter same as the default of router as shown in Figure 1 3 Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 1 Logging In to the System for the First Time Issue 02 2011 10 15 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 4 ...

Page 16: ... displays Warning Auto Config is working Do you want to stop Auto Config y n l To continue Auto Config enter n and press Enter l To stop Auto Config choose y and press Enter CAUTION If you choose n but still perform configurations through the Console port the DHCP routing DNS and VTY configurations that you have performed will be lost End Huawei AR2200 Series Enterprise Routers Configuration Guide...

Page 17: ...iguring services you can use the online help function to obtain real time help 2 3 CLI Features The CLI provides the following features to help users flexibly use it 2 4 Shortcut Keys Using the system or user defined shortcut keys makes it easier to enter commands 2 5 Configuration Examples This section provides several examples for using command lines Huawei AR2200 Series Enterprise Routers Confi...

Page 18: ... These methods make it easy for users to enter their commands l Network testing commands such as tracert and ping for rapidly diagnosing a network l Abundant debugging information to help in diagnosing the network l Running a command used previously on the device like DosKey NOTE l The system supports the command with a maximum of 512 characters The command can be incomplete You can enter one or m...

Page 19: ...rol commands user management commands level setting commands system internal parameter setting commands and debugging commands that are used for fault diagnosis NOTE l The default command level may be higher than the command level defined according to the command rules in application l The level of the command that a user can run is determined by the level of this user l Login users have the same ...

Page 20: ...rch for textbox and click List Topics All commands of the specified level will be displayed as shown in Figure 2 2 Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 2 CLI Overview Issue 02 2011 10 15 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 9 ...

Page 21: ...a views as an example Establish connection to the router If the router adopts the default configuration you can enter the user view with the prompt of Huawei Huawei Run the system view command to enter the system view Huawei system view Huawei Run the aaa command in the system view to enter the AAA view Huawei aaa Huawei aaa Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configu...

Page 22: ...lock Specify the system clock cls Clear screen Enter a command and a question mark separated by a space If the key word is at this position all key words and their simple descriptions are displayed For example Huawei interface Bridge if Bridge if interface Cellular Cellular interface Bridge if and Cellular are keywords Bridge if interface and Cellular interface describe the keywords respectively E...

Page 23: ... character string Huawei display b bfd Specify BFD Bidirectional Forwarding Detection configuration information bgp BGP information bootp Bootstrap Protocol bridge Group bridge command group Enter the first several letters of a key word in the command and then press Tab to display the complete key word on the condition that the letters uniquely identify the key word Otherwise if you continue to pr...

Page 24: ...th of each command is 512 characters Keys for editing that are often used are shown in Table 2 3 Table 2 3 Keys for editing Key Function Common key Inserts a character in the current position of the cursor if the editing buffer is not full and the cursor moves to the right Otherwise an alarm is generated Backspace Deletes the character on the left of the cursor that moves to the left When the curs...

Page 25: ...e options to view the information as shown in Table 2 4 Table 2 4 Keys for displaying Key Function Ctrl_C Stops the display and running of the command Space Allows information to be displayed on the next screen Enter Allows information to be displayed on the next line 2 3 3 Regular Expressions The regular expression is an expression that describes a set of strings It consists of common characters ...

Page 26: ...ext character common or particular as the common character matches Matches the starting position of the string 10 matches 10 10 10 1 instead of 20 10 10 1 Matches the ending position of the string 1 matches 10 10 10 1 instead of 10 10 10 2 Matches the preceding element zero or more times 10 matches 1 10 100 and 1000 10 matches null 10 1010 and 101010 Matches the preceding element one or more times...

Page 27: ...ecified all characters in the preceding table are displayed on the screen l Degeneration of particular characters Certain particular characters when being placed at the following positions in the regular expression degenerate to common characters The particular characters following is transferred to match particular characters themselves The particular characters and placed at the starting positio...

Page 28: ... displays the information that excludes the lines that match regular expression l include regular expression displays the information that includes the lines that match regular expression NOTE The value of regular expression is a string of 1 to 255 characters 2 3 4 Previously Used Commands The CLI provides a function similar to DosKey to automatically save commands used previously on the device If...

Page 29: ...n different forms they are considered as different commands For example if the display ip routing table command is run several times only one previously used command is saved If the display current configuration command and the display ip routing table command are run two previously used commands are saved 2 4 Shortcut Keys Using the system or user defined shortcut keys makes it easier to enter co...

Page 30: ...W Deletes a character string or character on the left of the cursor CTRL_X Deletes all the characters on the left of the cursor CTRL_Y Deletes all the characters on the place of the cursor and the right of the cursor CTRL_Z Returns to the user view CTRL_ Terminates the inbound or redirection connections ESC_B The cursor moves to the left by the space of a word ESC_D Deletes a word on the right of ...

Page 31: ...ve not pressed Enter you can press the shortcut keys to clear the entered command and display the full corresponding command This operation has the same effect as that of deleting all commands and then re entering the complete command l The shortcut keys are run as the commands the syntax is recorded to the command buffer and log for fault location and querying NOTE The terminal in use may affect ...

Page 32: ...s input The keyword info center can be followed by the following prefixes beginning with log Huawei info center log logbuffer Setting of log buffer configuration logfile Group logfile command group loghost Setting of logging host configuration 1 Input the incomplete key word Huawei info center log 2 Press Tab The system first displays the prefix log Huawei info center logbuffer Press Tab repeatedl...

Page 33: ...y user regardless of the user level Procedure Step 1 Correlate Ctrl_U with the display local user command and run the shortcut keys Huawei system view Huawei hotkey ctrl_u display local user NOTE When defining shortcut keys for a command use double quotation marks to quote the command if the command consisting of multiple words which are separated by spaces No double quotation marks are required f...

Page 34: ...em Environment This section describes how to configure the basic system environment 3 2 Displaying System Status Messages This section describes how to use display commands to check basic configurations of the current system Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 3 Basic Configuration Issue 02 2011 10 15 Huawei Proprietary and Confidential Copyright Huawei ...

Page 35: ...nment requirement Pre configuration Tasks Before configuring the basic system environment complete the following task l Powering on the router Data Preparation To configure the basic system environment you need the following data No Data 1 System time 2 Host name 3 Login information 4 Command level 3 1 2 Configuring the Equipment Name When multiple devices on the network need to be managed you can...

Page 36: ... offset The time zone is set l If add is configured the current time is the UTC time plus the time offset That is the default UTC time plus offset is equal to the time of time zone name l If minus is configured the current time is the UTC time minus the time offset That is the default UTC time minus offset is equal to the time of time zone name Step 3 Run clock daylight saving time time zone name ...

Page 37: ...r is logging in to the router If you need to provide information for login users you can configure a header that the system displays during login or after login Procedure Step 1 Run system view The system view is displayed Step 2 Run header login information text file file name The header displayed during login is set Step 3 Run header shell information text file file name The header displayed aft...

Page 38: ...ew and thus the system automatically matches the previous view Context If the user allows the undo command to automatically match the previous view and the user runs the undo command that is not registered in the current view the system searches the undo command in the previous view Procedure Step 1 Run system view The system view is displayed Step 2 Run matched upper view The undo command is conf...

Page 39: ...TE l The display version command can be used to display the software version of the system the chassis type and the information about the main control board and interface board When a user runs the display current configuration command to display configuration information other users cannot run the same command until all the command output is displayed l The original configuration refers to inform...

Page 40: ...ent display commands to collect all information In this case you can use the display diagnostic information command to collect all information about the current running modules in the system Procedure l Run display diagnostic information The system diagnosis information is displayed The display diagnostic information command collects all information collected by running the following commands incl...

Page 41: ...to the router for local or remote maintenance by using Telnet or SSH you can configure the corresponding VTY user interface as needed 4 4 Configuring a TTY User Interface The True Type Terminal TTY user interface view is a command line view and is used to configure and manage physical interfaces working in asynchronous and interactive mode 4 5 Configuration Examples This section provides examples ...

Page 42: ...rface in the following manners l Relative numbering The relative numbering is in the format of user interface type number The relative numbering is available for interfaces of a specific type It is used only to specify one or a group of user interfaces of a specified type Relative numbering must comply with the following rules Number of the console port CON 0 Number of the TTY TTY 0 for the first ...

Page 43: ...ication modes non authentication password authentication and AAA l Non authentication In this mode users can log in to the router without entering usernames or passwords For security this mode is not recommended l Password authentication In this mode users need to enter passwords not usernames during the login process l AAA authentication In this mode users need to enter passwords and usernames du...

Page 44: ...u can configure the corresponding console user interface including the physical attributes terminal attributes user priority and user authentication mode The preceding parameters have default values on the router and additional configuration is not needed You can configure these parameters as needed Pre configuration Tasks Before configuring a console user interface complete the following tasks l ...

Page 45: ... Run system view The system view is displayed Step 2 Run user interface console interface number The console user interface view is displayed Step 3 Run speed speed value The baud rate is set By default the baud rate is 9600 bit s Step 4 Run flow control hardware none software The flow control mode is set By default the flow control mode is none Step 5 Run parity even none odd The parity mode is s...

Page 46: ...e timeout minutes seconds The idle timeout period is set If the connection keeps idle within the timeout period the system automatically terminates the connection By default the idle timeout period on the user interface is 10 minutes Step 5 Run screen length screen length temporary The length of a terminal screen is set The parameter temporary is used to display the number of lines to be temporari...

Page 47: ...rface view is displayed Step 3 Run user privilege level level The priority of the user is set NOTE l By default users logging in through the console user interface can use commands at level 15 and users logging in through other user interfaces can use commands at level 0 l If the command level is inconsistent with the user level the user level takes precedence End 4 2 5 Configuring the User Authen...

Page 48: ... number The console user interface view is displayed 3 Run authentication mode password You can set the authentication mode as password authentication 4 Run set authentication password cipher simple password A password for authentication is set l Configuring Non Authentication 1 Run system view The system view is displayed 2 Run user interface console interface number The console user interface vi...

Page 49: ...physical attributes and configurations of the user interface Huawei display user interface console 0 Idx Type Tx Rx Modem Privi ActualPrivi Auth Int 0 CON 0 9600 3 N Current UI is active F Current UI is active and work in async mode Idx Absolute index of UIs Type Type and relative index of UIs Privi The privilege of UIs ActualPrivi The actual privilege of user interface Auth The authentication mod...

Page 50: ...gure a VTY user interface you need the following data No Data 1 Maximum VTY user interfaces 2 Optional ACL code to limit VTY user interface to call in and out 3 Idle timeout period number of characters in each line displayed in a terminal screen 4 User priority 5 User authentication method user name and password NOTE All the preceding parameters excluding the ACL for limiting incoming and outgoing...

Page 51: ...d and the set authentication password command to configure authentication modes and passwords for user interfaces from VTY 5 to VTY 14 The command is run as follows Huawei system view Huawei user interface maximum vty 15 Huawei user interface vty 5 14 Huawei ui vty5 14 authentication mode password Huawei ui vty5 14 set authentication password cipher huawei End 4 3 3 Optional Setting Limit on Incom...

Page 52: ... interface including user idle timeout number of lines displayed in a terminal screen and size of the history command buffer Context Terminal attributes of the VTY user interface have default values on the router and you can set them as needed Procedure Step 1 Run system view The system view is displayed Step 2 Run user interface vty first ui number last ui number The VTY user interface view is di...

Page 53: ...d levels users are classified into 16 levels numbered 0 to 15 The greater the number the higher the user level l This process is to set the priority for a user who logs in through the console port A user can only use the commands with the level corresponding to the user level For details about command levels see Command Level in the chapter CLI Overview of the Configuration Guide Basic Configurati...

Page 54: ... is displayed 2 Run user interface vty first ui number last ui number The VTY user interface view is displayed 3 Run authentication mode aaa The authentication mode is set to AAA 4 Run quit Exit from the VTY user interface view 5 Run aaa The AAA view is displayed 6 Run local user user name password simple cipher password Name and password of the local user are created l Configuring Password Authen...

Page 55: ...n the display users all command to check information about user interfaces l Run the display user interface maximum vty command to check the maximum number of VTY user interfaces l Run the display user interface ui type ui number1 ui number summary command to check the physical attributes and configurations of user interfaces l Run the display local user command to check the local user list l Run ...

Page 56: ...ompt message indicating that the machine to machine interface is enabled For example Huawei display vty mode current VTY mode is Machine Machine interface 4 4 Configuring a TTY User Interface The True Type Terminal TTY user interface view is a command line view and is used to configure and manage physical interfaces working in asynchronous and interactive mode 4 4 1 Establishing the Configuration ...

Page 57: ...text Physical attributes of an asynchronous serial port have default values on a router and no additional configuration is needed NOTE l If you need to log in to a router through an asynchronous serial port install an SA or SA board on the router If an SA board installed set the interface working mode to asynchronous mode on the SA board l The Hyper Terminal and router must use the same physical a...

Page 58: ... value is 1 bit Step 7 Run databits 5 6 7 8 The data bit is set By default the data bit is 8 End 4 4 3 Setting Terminal Attributes of TTY User Interface This section describes how to set terminal attributes of the TTY user interface including the user timeout disconnection function number of lines displayed in a terminal screen and size of the history command buffer Context Terminal attributes of ...

Page 59: ...entries End 4 4 4 Configuring User Priority of TTY User Interface This section describes how to control users authority of logging in to the router and improve the security of managing the router by configuring the user priority Context l Similar to command levels users are classified into 16 levels numbered 0 to 15 The greater the number the higher the user level l This process is to set the prio...

Page 60: ...ace Procedure l Configuring AAA authentication 1 Run system view The system view is displayed 2 Run user interface tty first ui number last ui number The TTY user interface view is displayed 3 Run authentication mode aaa The authentication mode is set to AAA authentication 4 Run quit Exit the TTY user interface view 5 Run aaa The AAA view is displayed 6 Run local user user name password simple cip...

Page 61: ...terface local user list and online users Prerequisite The configurations of the user management function are complete Procedure l Run the display users all command to check information about the user interface l Run the display user interface tty ui number1 summary command to check physical attributes and configurations of the user interface End Example Run the display users command and you can vi...

Page 62: ...cation mode and password Networking Requirements To initialize configurations of the router or locally maintain the router a user can log in to the router through a console user interface To allow the user to log in you can set attributes of the console user interface as needed for security reasons for example In the console user interface view the password authentication mode is set the password ...

Page 63: ...timeout 30 Huawei ui console0 screen length 30 Huawei ui console0 history command max size 20 Step 3 Set the user authentication mode in the console user interface to password Huawei ui console0 authentication mode password Huawei ui console0 set authentication password simple huawei Huawei ui console0 quit After the console user interface is configured a user in password authentication mode can l...

Page 64: ...uration roadmap is as follows 1 Enter the interface view and set the maximum number of VTY user interfaces to 15 2 Set the call in and call out limit of the VTY user interface limiting the access of an IP address or an IP address segment to the router 3 Set terminal attributes of the VTY user interface 4 Set the user priority in the VTY user interface 5 Set the authentication mode and password in ...

Page 65: ...ing User Login End Configuration Files sysname Huawei acl number 2000 rule 5 deny source 10 1 1 1 0 user interface maximum vty 15 user interface vty 0 14 acl 2000 inbound user privilege level 15 set authentication password simple huawei history command max size 20 idle timeout 30 0 screen length 30 return 4 5 3 Example for Configuring TTY User Interface This document describes the configurations o...

Page 66: ...30 l Size of the history command buffer 20 Procedure Step 1 Set physical attributes of the TTY user interface Huawei system view Huawei user interface tty 0 Huawei ui tty1 speed 4800 Huawei ui tty1 flow control none Huawei ui tty1 parity even Huawei ui tty1 stopbits 2 Huawei ui tty1 databits 6 Step 2 Set terminal attributes of the TTY user interface Huawei ui tty1 shell Huawei ui tty1 idle timeout...

Page 67: ... 30 return Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 4 Configuring User Interface Issue 02 2011 10 15 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 56 ...

Page 68: ...ts remote maintenance of the router and greatly facilitates device management 5 4 Logging in to the Devices by Using STelnet STelnet provides secured remote access over an insecure network After the client server negotiation is complete and a secured connection is established a user can log in to the router in a similar way as Telnet 5 5 Common Operations After Login After logging in to the router...

Page 69: ...net provides security protection for users logging in to the router to maintain the router locally or remotely NOTE Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted by using TCP in plain text mode Unlike Telnet SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encryp...

Page 70: ...ace Context Attributes of an console user interface have default values on the router and generally need no additional settings To meet specific application requirements or ensure network security you can set attributes of the console user interface such as terminal attributes and user authentication mode For detailed settings see Configuring Console User Interface 5 2 3 Logging in to the router T...

Page 71: ...ibutes and configurations of the user interface Huawei display user interface console 0 Idx Type Tx Rx Modem Privi ActualPrivi Auth Int 0 CON 0 9600 3 N Current UI is active F Current UI is active and work in async mode Idx Absolute index of UIs Type Type and relative index of UIs Privi The privilege of UIs ActualPrivi The actual privilege of user interface Auth The authentication mode of UIs A Au...

Page 72: ...ata Preparation Before configuring user login in Telnet mode you need the following data No Data 1 l Maximum number of VTY user interfaces l Optional ACL for limiting call in and call out in VTY user interfaces l Connection timeout period of terminal users number of lines displayed in a terminal screen size of the history command buffer l User priority l User authentication mode user name password...

Page 73: ...configurations are not needed By default a local user can apply for any access type You can specify an access type to allow only users configured with the specified access type to log in to the router Do as follows on the router that functions as a Telnet server Procedure Step 1 Run system view The system view is displayed Step 2 Run aaa The AAA view is displayed Step 3 Run local user user name pa...

Page 74: ...5 Logging in to the router by Using Telnet After the router is configured you can log in to the router from a terminal by using Telnet implementing remote maintenance of the router Context If you need to log in to the router by using Telnet you can use either windows command lines or a third party software in the terminal In this part the windows command line prompt is used Do as follows on the us...

Page 75: ...and to check TCP connections l Run the display telnet server status command to check the configuration and status of the Telnet server End Example Run the display users command to view information about the currently used user interface Huawei display users User Intf Delay Type Network Address AuthenStatus AuthorcmdFlag 34 VTY 0 00 00 12 TEL 10 138 77 38 no Username Unspecified 35 VTY 1 00 00 00 T...

Page 76: ...nment Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted by using TCP in plain text mode Unlike Telnet SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions STelnet is a secure Telnet protocol The SSH user can use the STelnet service in t...

Page 77: ... set Otherwise the user cannot log in to the router You can log in to the router through a console port to set the user authentication mode in the VTY user interface Other attributes of the VTY user interface in the router such as terminal attributes and user priorities can also be set as needed These attributes however generally do not need to be set because they have default values For detailed ...

Page 78: ...ecified user name in the AAA view l Configuring the router to generate a local RSA key pair is a key step for SSH login If an SSH user logs in to an SSH server in password authentication mode configure the server to generate a local RSA key pair If an SSH user logs in to an SSH server in RSA authentication mode configure both the server and the client to generate local RSA key pairs NOTE Password ...

Page 79: ...H user l Authenticate the SSH user through RSA 1 Run ssh user user name authentication type rsa The RSA authentication is configured for the SSH user 2 Run rsa peer public key key name The public key view is displayed 3 Run public key code begin The public key editing view is displayed 4 Run hex data The public key is edited NOTE l In the public key view only hexadecimal strings complying with the...

Page 80: ...indicates no updating 2 Run ssh server auth timeout timeout_interval The timeout period of the SSH authentication is set By default the timeout period is 60 seconds 3 Run ssh server authentication retries auth times The number of retry times of the SSH authentication is set By default the retry times is 3 End 5 4 5 Enabling the STelnet Server Function To allow users to log in to the router by usin...

Page 81: ... earlier than SSH2 0 and SSH2 0 Compared with SSH1 X SSH2 0 is extended in structure and supports more authentication modes and key exchange methods SSH2 0 also supports more advanced services such as SFTP The Huawei AR2200 Series supports SSH versions ranging from 1 3 to 2 0 Interval at which the key pair of the SSH server is updated After the interval is set the key pair of the SSH server is upd...

Page 82: ...ed a user can log in to the router from a terminal by using STelnet implementing remote maintenance of the router Context In STelnet login mode a third party software can be used in the terminal In this part the third party software OpenSSH and windows command line are used After installing OpenSSH in the user terminal do as follows on the user terminal NOTE For details on how to install OpenSSH r...

Page 83: ...isplay ssh server status command on the SSH server to check its configurations l Run the display ssh server session command on the SSH server to check sessions for SSH users End Example Run the display ssh user information username command to view information about a specified SSH user Huawei display ssh user information client001 Huawei AR2200 Series Enterprise Routers Configuration Guide Basic C...

Page 84: ...an group exchange sha1 Service Type stelnet Authentication Type password 5 5 Common Operations After Login After logging in to the router you can perform following operations as needed such as user priority switching and terminal window locking 5 5 1 Establishing the Configuration Task Before performing operations after login familiarize yourself with the applicable environment complete the pre co...

Page 85: ...ple cipher password The password for switching user levels is configured By default the password for the user is set to Level 3 CAUTION If simple is configured the password is saved in the configuration file in plain text This means that low level login users can easily obtain and change the password by checking the configuration file compromising the network security Therefore selecting cipher to...

Page 86: ... unauthorized users from operating the interface Context The user interface can be classified into the Console user interface and VTY user interface Procedure Step 1 Run lock The user interface is locked Step 2 Follow the system prompt and input an unlock password and then confirm the input Huawei lock Enter Password Confirm Password If the locking is successful the system prompts that the user in...

Page 87: ... console port Telnet or STelnet You can understand the configuration procedures by referring to the configuration flowchart The configuration examples provide information about the networking requirements configuration notes and configuration roadmap 5 6 1 Example for Configuring User Login Through a Console Port This part provides an configuration example describing how to configure user login th...

Page 88: ...edure Step 1 Establish the configuration environment by connecting the serial port of the PC to the console port of the router through standard RS 232 cable Step 2 Start a terminal emulator on the PC and set the communication parameters of the PC as shown in Figure 5 2 to Figure 5 4 Figure 5 2 Connection creation Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 5 Con...

Page 89: ...etion of the self check After the router starts normally and finishes the self check the system prompts you to press Enter Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 5 Configuring User Login Issue 02 2011 10 15 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 78 ...

Page 90: ...on Roadmap The configuration roadmap is as follows 1 Establish the physical connection 2 Set user login parameters 3 Log in to the router from the client side Data Preparation To complete the configuration you need the following data l IP address of the PC l IP address of the Ethernet interface on the router l User information including the user name password and authentication mode l Reachable ro...

Page 91: ...nfiguration environment in the user view End 5 6 3 Example for Configuring User Login by Using STelnet This part provides an example describing how to configure user login by using STelnet In this example after generating the local key pair on the SSH server configuring the name and password of the SSH user on the SSH server and enabling the STelnet service on the SSH server you can connect the St...

Page 92: ...ress of the SSH server 10 137 217 223 Procedure Step 1 Generate a local key pair on the server Huawei system view Huawei sysname SSH Server SSH Server rsa local key pair create The key name will be Huawei_Host The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Input the bits in the modulus default 512 768 Generating keys Step 2 Configur...

Page 93: ... SSH Server aaa local user client001 password cipher huawei local user client001 privilege level 3 local user client001 service type ssh interface GigabitEthernet1 0 0 ip address 10 137 217 223 255 255 0 0 ssh user client001 authentication type password user interface vty 0 4 authentication mode aaa protocol inbound ssh return Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Confi...

Page 94: ...remote hosts and is widely used for version upgrade log downloading file transmission and configuration saving 6 4 Performing File Operations by Means of SFTP SFTP enables users to log in to the router securely from the remote device to manage files This improves the security of data transmission for the remote end to update its system 6 5 Configuration Examples This section provides an example fo...

Page 95: ...th which the system stores and manages messages l Directories The directory is a mechanism with which the system integrates and organizes the file serving as a logical container of the file 6 1 2 Methods of File Management You can manage files by means of the file system FTP or SFTP Performing File Operations by Means of FTP You can configure the router as the FTP server and log in to the router f...

Page 96: ... familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the required data This can help you complete the configuration tasks quickly and accurately Applicable Environment When the router fails to save or obtain data you can log in to the file system to repair the faulty storage devices or manage files or directories on the router You can especially man...

Page 97: ...ice when you fail to repair the file system or you do not need any data saved on the storage device CAUTION Formatting storage devices may lead to data loss Therefore exercise caution when perform this operation Procedure l Run fixdisk device name The storage devices with file system troubles is repaired NOTE After this command is run if the prompt that the system should be repaired is still recei...

Page 98: ...d End 6 2 4 Managing Files You can log in to the file system to view delete or rename the files on the router Context l Managing files include displaying contents copying moving renaming compressing deleting undeleting deleting files in the recycle bin running files in batch and configuring prompt modes l You can run the cd directory device name command to enter the required directory from the cur...

Page 99: ...en length command must be larger than 0 The result of the number of file characters subtracted by the value of offset must be larger than the value configured by screen length command By running the more file name all command you can view the file named file name Contents of a text file are completely displayed without pausing after each screenful of information l Run copy source filename destinat...

Page 100: ...sages when you operate the device especially the operations leading to data loss If you need to change the prompt mode for file operations you can configure the prompt mode of the file system 1 Run system view The system view is displayed 2 Run file prompt alert quiet The prompt mode of the file system is configured By default the prompt mode is alert CAUTION If the prompt is in the quiet mode no ...

Page 101: ...ized to the FTP user 2 Optional Listening port number specified on the FTP server 3 Optional Source IP address or source interface of the FTP server Optional Timeout period of the disconnection from the FTP server 4 IP address or host name of the FTP server 6 3 2 Configuring a Local FTP User You can configure the authorization mode and authorization directory for FTP users In this case unauthorize...

Page 102: ...1 Users can directly log in to the router by using the default listening port number Attackers probably access the default listening port reducing available bandwidth affecting performance of the server and causing valid users unable to access the server After the listening port number of the FTP server is changed attackers do not know the new listening port number This effectively prevents attack...

Page 103: ...r command to disable the FTP server function This ensures the security of the router End 6 3 5 Optional Configuring the FTP Server Parameters The FTP server parameters include the source address of the FTP server and the timeout period for FTP connection Context l You can configure a source IP address for the FTP server This limits the destination address that the client can access and therefore g...

Page 104: ... clients can access the devicerouter Context When the routerdevice functions as an FTP server you can configure an ACL to allow the clients that meet the matching rules to access the FTP server Do as follows on the router that serves as the FTP server Procedure Step 1 Run system view The system view is displayed Step 2 Run acl acl number The ACL view is displayed Step 3 Run rule rule id deny permi...

Page 105: ...tp ip address command to log in to the router by using FTP Enter the user name and password at the prompt and press Enter When the windows command line prompts are displayed in the FTP client view such as ftp you have entered the working directory of the FTP server End 6 3 8 Performing File Operations by Using FTP Commands After logging in to the router that functions as an FTP server by using FTP...

Page 106: ...ithout format conversion or formatting The selection of the FTP transmission mode is client customized The system defaults to the ASCII transmission mode The client can use a mode switch command to switch between the ASCII mode and the binary mode The ASCII mode is used to transmit txt files and the binary mode is used to transmit binary files l Upload or download files Upload or download a file R...

Page 107: ...e is selected the system searches the working directory for the specific file When local filename is set related information about the file can be downloaded locally NOTE If you need other FTP operations you can perform the help command command to get help in the Windows command line End 6 3 9 Checking the Configuration After configuring a router to be the FTP server you can view the configuration...

Page 108: ... transmission on a conventional insecure network by authenticating the client and encrypting data in both directions SSH supports SFTP SFTP is a secure FTP service and enables users to log in to the FTP server for data transmission Pre configuration Tasks Before performing file operations by using SFTP complete the following task l Configuring reachable routes between the terminal and the device D...

Page 109: ...sing SFTP the user authentication mode in the VTY user interface must be set Otherwise the user cannot log in to the router Other attributes of the VTY user interface in the router such as terminal attributes and user priorities can also be set as needed These attributes however generally do not need to be set because they have default values For detailed settings see Configuring VTY User Interfac...

Page 110: ... l Configuring the router to generate a local RSA key pair is a key step for SSH login If an SSH user logs in to an SSH server in password authentication mode configure the server to generate a local RSA key pair If an SSH user logs in to an SSH server in RSA authentication mode configure both the server and the client to generate local RSA key pairs NOTE Password rsa authentication requires succe...

Page 111: ...on is configured for the SSH user 2 Run rsa peer public key key name The public key view is displayed 3 Run public key code begin The public key editing view is displayed 4 Run hex data The public key is edited NOTE l In the public key view only hexadecimal strings complying with the public key format can be typed in Each string is randomly generated on an SSH client For detailed operations see ma...

Page 112: ...e timeout period of the SSH authentication is set By default the timeout period is 60 seconds 3 Run ssh server authentication retries auth times The number of retry times of the SSH authentication is set By default the retry times is 3 End 6 4 5 Enabling the SFTP Service Before enjoying the STelnet service you need to enable it Context By default the router is not enabled with the SFTP server func...

Page 113: ... as follows on the user terminal NOTE For details on how to install OpenSSH see the installation guide of the software For details on how to use OpenSSH commands to log in to the router see the help document of the software Procedure Step 1 Use the windows command line Step 2 Run relevant OpenSSH commands to log in to the router in SFTP mode When the command line prompt is displayed in the SFTP cl...

Page 114: ... or multiple of the following operations as required Run cd remote directory The current operating directory of users is changed Run pwd The current operating directory of users is displayed Run dir l a path The file list in the specified directory is displayed Run rmdir remote directory 1 10 The directory on the server is deleted Run mkdir remote directory A directory is created on the server l Y...

Page 115: ...o check information about connection sessions with SSH clients End Example Run the display ssh user information username command It shows that the SSH user named clinet001 is authenticated by password and its service type is sftp Huawei display ssh user information client001 Username Auth type User public key name client001 password null If no SSH user is specified information about all SSH users ...

Page 116: ...This section describes how to perform file operations by means of the file system In this example you can log in to the router to view and copy directories Networking Requirements You can log in to the router through the Console interface Telnet or STelnet to perform file operations on the router The file path in the storage device must be correct If the user does not specify a target file name th...

Page 117: ...tory of flash Idx Attr Size Byte Date Time LMT FileName 0 rw 1 241 Jun 16 2011 09 15 58 rootcert pem 1 rw 2 688 Apr 27 2011 17 06 50 pat1 pat 2 rw 396 Mar 21 2011 08 25 25 rsa_host_key efs 3 rw 540 Mar 21 2011 08 25 43 rsa_server_key efs 4 rw 705 Apr 13 2011 11 23 45 iascfg zip 5 rw 88 942 Jul 01 2011 15 18 22 creat_vlanif bat 6 rw 80 783 Jul 01 2011 16 28 32 undovlanif bat 7 rw 56 523 Jun 15 2011...

Page 118: ...TP username as huawei and password as huawei on the server l Destination file name and its position in the FTP client Procedure Step 1 Configure the IP address of the FTP server server interface gigabitethernet1 0 0 server GigabitEthernet1 0 0 ip address 10 137 217 221 255 255 0 0 server GigabitEthernet1 0 0 quit Step 2 Enable the FTP server Huawei system view Huawei sysname server server ftp serv...

Page 119: ... Figure 6 3 Performing file operations by means of FTP NOTE You can run the dir command before downloading a file or after uploading a file to view the detailed information of the file End Configuration Files l Configuration file of the FTP server sysname Server Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 6 Managing File System Issue 02 2011 10 15 Huawei Proprie...

Page 120: ...s shown in Figure 6 4 after SFTP services are enabled on the router functioning as an SSH server you can log in to the server in password RSA password rsa or all authentication mode from a PC on the SFTP client Configure a user to log in to the SSH server in password authentication mode Figure 6 4 Networking diagram for operating files by using SFTP PC Network SSH Server GE1 0 0 10 137 217 225 16 ...

Page 121: ...SSH server SSH Server user interface vty 0 4 SSH Server ui vty0 4 authentication mode aaa SSH Server ui vty0 4 protocol inbound ssh SSH Server ui vty0 4 quit Step 3 Configure the SSH user name and password on the SSH server SSH Server aaa SSH Server aaa local user client001 password cipher huawei SSH Server aaa local user client001 privilege level 3 SSH Server aaa local user client001 service type...

Page 122: ... service type ssh local user client001 ftp directory flash interface GigabitEthernet1 0 0 ip address 10 137 217 225 255 255 0 0 sftp server enable user interface vty 0 4 authentication mode aaa protocol inbound ssh return Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 6 Managing File System Issue 02 2011 10 15 Huawei Proprietary and Confidential Copyright Huawei Te...

Page 123: ...the current and next startup operations on the router 7 3 Specifying a File for System Startup You can specify a file for system startup by specifying the system software and configuration file for the next startup of the router 7 4 Configuration Examples This section provides an example for configuring system startup These configuration examples explain networking requirements configuration roadm...

Page 124: ...display startup command to view the configuration files for the current and next startup operations on the router l Run the display saved configuration command to view the configuration file for the next startup operation on the router Current Configurations Current configurations indicates the effective configurations of the currently running router Run the display current configuration command t...

Page 125: ...configuration files you need the following data No Data 1 Configuration file and its name 2 Saving configuration files interval and delay interval 3 The number of the start line from which the comparison of the configuration files begins 7 2 2 Saving Configuration Files The system can save configuration files periodically or immediately to prevent data loss when the router is powered off or accide...

Page 126: ...2 3 Clearing a Configuration File You can clear the configuration file that has been loaded to a device Context The configuration file needs to be cleared in the following cases l The system software does not match the configuration file after the router has been upgraded l The configuration file is destroyed or an incorrect configuration file has been loaded Procedure l Run the reset saved config...

Page 127: ...are displayed for each configuration file If the number of characters from the first different line to the end is less than 120 the contents after the first different line are all displayed In comparing the current configurations with the configuration file for next startup if the configuration file for next startup is unavailable or its contents are null the system prompts that reading files fail...

Page 128: ...startup patch package null Startup voice files null Next startup voice files null 7 3 Specifying a File for System Startup You can specify a file for system startup by specifying the system software and configuration file for the next startup of the router 7 3 1 Establishing the Configuration Task Before specifying a file for system startup familiarize yourself with the applicable environment comp...

Page 129: ...ng the Configuration File for Router to Load for the Next Startup Before restarting a router you can specify the configuration files that are loaded for the next startup Context You can run the display startup command on the router to check whether the configuration file to be loaded during the next startup operation is specified If no configuration file is specified the default configuration file...

Page 130: ...up command to check information about the files to be used during the next startup End Example Run the display startup command to check information about the files to be used during the next startup Huawei display startup MainBoard Startup system software usb0 ar0210_30735_1220 cc Next startup system software usb0 ar0210_30735_1220 cc Backup system software for next startup null Startup saved conf...

Page 131: ...t startup system software usb0 ar0312 cc Backup system software for next startup null Startup saved configuration file flash iascfg zip Next startup saved configuration file flash iascfg zip Startup license file null Next startup license file null Startup patch package null Next startup patch package null Startup voice files null Next startup voice files null Step 2 Save the current configuration ...

Page 132: ...ware usb0 ar0312 cc Next startup system software usb0 arsoft cc Backup system software for next startup null Startup saved configuration file flash iascfg zip Next startup saved configuration file usb0 arcfg cfg Startup license file null Next startup license file null Startup patch package null Next startup patch package null Startup voice files null Next startup voice files null End Configuration...

Page 133: ...ng STelnet STelnet ensures secure Telnet services You can log in to another router from the router that you have logged in to by using STelnet and thus to manage the device remotely 8 5 Accessing Files on Another Device by Using TFTP You can configure the router as a TFTP client and log in to the TFTP server to upload and download files 8 6 Accessing Files on Another Device by Using FTP This secti...

Page 134: ...er You can run the Telnet client program on a PC to log in to the router configure and manage it The router acts as a Telnet server l Telnet client You can run the terminal emulation program or the Telnet client program on a PC to connect with the router With the telnet command you can log in to other routers to configure and manage them As shown in Figure 8 2 Router A serves as both the Telnet se...

Page 135: ...rtcut keys Figure 8 4 Usage of Telnet shortcut keys RouterB RouterC Telnet Session 1 Telnet Session2 Telnet Server RouterA Telnet Client Ctrl_ The server interrupts the connection If the network connection is normal when you press Ctrl_ the Telnet server interrupts the current Telnet connection actively For example RouterC Press Ctrl_ to return to the prompt of Router B Configuration console exit ...

Page 136: ... other devices FTP can transmit files between local and remote hosts and is widely used for version upgrade log downloading file transmission and configuration saving 8 1 3 TFTP Method On the network if a client communicates with a server in a comparatively simple interaction environment you can enable TFTP services on the router that functions as a client to access files on the TFTP server Trivia...

Page 137: ...t system to ensure the session security SSH supports Data Encryption Standard DES 3DES and AES authentications The user name and the password are both encrypted in the communication between the SSH client and the SSH server This prevents password interception SSH encrypts the transmitted data When the STelnet server or the connection to the client is faulty the client must detect the fault in time...

Page 138: ...ent complete the pre configuration tasks and obtain the required data This can help you complete the configuration task quickly and accurately Applicable Environment Figure 8 5 Networking diagram for accessing another device from the router that you have logged in to Network Network PC RouterA RouterB As shown in Figure 8 5 you can log in to Router A from a PC by using Telnet but cannot manage Rou...

Page 139: ...t Procedure Step 1 Run system view The system view is displayed Step 2 Run telnet client source a source ip address i interface type interface number A source IP address of an Telnet client is configured After the configuration the source IP address of the Telnet client displayed on the Telnet server must be the same as the configured one End 8 2 3 Logging in to Another Device by Using Telnet You ...

Page 140: ... 0 0 0 Closed 32af9074 59 1 0 0 0 0 21 0 0 0 0 0 14849 Listening 34042c80 73 17 10 164 39 99 23 10 164 6 13 1147 0 Established 8 3 Using the Redirection Function to Connect to a Remote Device To manage a remote device that can transmit data only through a serial interface configure the redirection function on the AR2200 8 3 1 Establishing the Configuration Task Before configuring the redirection f...

Page 141: ...0 To manage these devices through their serial interfaces connect asynchronous serial interfaces of the Router to serial interfaces of the devices and configure the redirection function on the Router After the configuration is complete you can use an operation terminal to manage and maintain these devices remotely l Managing terminals such intelligent electricity meters intelligent water meters an...

Page 142: ...ork In this way the intelligent terminals can be managed by a remote operation terminal Pre configuration Tasks Before configuring the redirection function complete the following tasks l Starting the remote devices l Directly connecting the remote devices to the 8AS board of therouter through asynchronous serial cables and ensuring that the 8AS board has registered successfully and the asynchronou...

Page 143: ... an asynchronous serial interface works in protocol mode Step 4 Run quit Exit from the asynchronous serial interface view Step 5 Run user interface tty tty number The TTY user interface view is displayed After the 8AS board registers successfully the router generates random numbers for TTY user interfaces Run the display user interface command to view the TTY number mapping an asynchronous serial ...

Page 144: ...mmand host name is the IP address or host name of the router with the redirection function enabled and port number is the default port number or the port number configured by running the redirect listen port command 8 3 3 Checking the Configuration After completing the configuration of the redirection function check the TCP connection status to verify the configuration Prerequisite All configurati...

Page 145: ...in to another device by using STelnet complete the following tasks l Configuring a reachable route between the client and SSH server Data Preparation To log in to another device by using STelnet you need the following data No Data 1 Name of the SSH server Public key that is assigned by the client to the SSH server 2 IPv4 address or host name of the SSH server Number of the port monitored by the SS...

Page 146: ... first time the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server TIP To ensure that the STelnet client can log in to the SSH server at the first attempt you can assign the RSA public key in advance to the SSH server on the SSH client in addition to enabling the first time authentication on the SSH client End 8 4 3 Configuring the First Successfu...

Page 147: ...uit the public key editing view l If the specified hex data is invalid the public key cannot be generated after the peer public key end command is run l If the specified key name is deleted in other views the system prompts that the key does not exist after the peer public key end command is run and the system view is displayed Step 6 Run peer public key end Return to the system view from the publ...

Page 148: ...STelnet are complete Procedure l Run the display ssh server status command to view the status of the SSH server End Example Run the display ssh server status to view the status of the SSH server Huawei display ssh server status SSH version 1 99 SSH connection timeout 60 seconds SSH server key generating interval 0 hours SSH Authentication retries 3 times SFTP Server Enable 8 5 Accessing Files on A...

Page 149: ...dress for a TFTP Client You can configure a source IP address for a TFTP client Then you can set up a TFTP connection from the TFTP client to the server through a specific route by using this source IP address Context An IP address is configured for an interface on the router and functions as the source IP address of a TFTP connection In this manner security checks can be implemented The source ad...

Page 150: ...the functions of ACL rules NOTE TFTP supports only the basic ACL whose number ranges from 2000 to 2999 Do as follows on the router that serves as the TFTP client Procedure Step 1 Run system view The system view is displayed Step 2 Run acl acl number The ACL view is displayed Step 3 Run rule rule id deny permit fragment none first fragment source source address source wildcard any time range time n...

Page 151: ... of the client and the configured ACl rule Prerequisite Configurations of using the device as a TFTP client are complete Procedure l Run the display tftp client command to check the device address that is set to the source address of the TFTP client l Run the display acl name acl name acl number all command to check the ACL rule that is configured on the TFTP client End Example Run the display tft...

Page 152: ... configuration task of accessing files on another device by using FTP complete the following tasks l Configuring a reachable route between the router and the FTP server Data Preparation To establish the configuration task of accessing files on another device by using FTP you need the following data No Data 1 Optional Source IP address or source interface of the router functioning as an FTP client ...

Page 153: ...to view the current configuration of the FTP client End 8 6 3 Connecting to Other Devices by Using FTP Commands You can run FTP commands to log in to other devices from the router that functions as the FTP client Context You can log in to the FTP server in the user view or the FTP view Do as follows on the router that serves as the client Procedure l In the user view establish a connection to the ...

Page 154: ...nformation about a specified remote directory or a file of the FTP server or delete a specified file from the FTP server After logging in to the router that functions as a client and entering the FTP client view you can perform the following steps Procedure l Configuring data type and transmission mode for the file Run ascii binary The data type of the file to be transmitted is ascii or binary mod...

Page 155: ...p The working path of the FTP server is switched to the upper level directory Run pwd The specified directory of the FTP server is displayed Run lcd local directory The directory of the FTP client is displayed or changed Run mkdir remote directory A directory is created on the FTP server Run rmdir remote directory A directory is removed from the FTP server NOTE l The directory to be created can co...

Page 156: ... client that you have logged in to you can log in to the FTP server by using another username without logging out of the FTP client view The established FTP connection is identical with that established by running the ftp command Perform the following steps on the router that functions as a client Procedure l Run user user name password The user that have logged in to the FTP server is changed and...

Page 157: ...he source parameters of the FTP client Huawei display ftp client Info The source address of FTP client is 1 1 1 1 8 7 Accessing Files on Another Device by Using SFTP SFTP is a secure FTP service After the router is configured as an SFTP client The SFTP server authenticates the client and encrypts data in both directions to provide secure data transmission 8 7 1 Establishing the Configuration Task ...

Page 158: ...the SSH server Preferred encrypted algorithm from the SSH server to the SFTP client Preferred HMAC algorithm from the SFTP client to the SSH server Preferred HMAC algorithm from the SSH server to the SFTP client Preferred algorithm of key exchange Name of the outgoing interface Source address The user information for logging in to the SSH server 6 Name and directory of a specified file on the SSH ...

Page 159: ...rst time enable The first time authentication on the SSH client is enabled By default the first time authentication on the SSH client is disabled NOTE l The purpose of enabling the first time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time The check is skipped because the ...

Page 160: ... be a string of hexadecimal alphanumeric characters It is automatically generated by an SSH client You can run the display rsa local key pair public command to view a generated public key NOTE Before being assigned to the SSH server the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client Then the STelnet client client can successfully undergo ...

Page 161: ...96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 ki aliveinterval kc alivecountmax You can log in to the SSH server through SFTP End 8 7 6 Operating Files by Using SFTP Commands You can manage directories and files on the SSH server from the SFTP client and check the command help on the SFTP client Context After logging in to the SSH server from the SFTP client you can perform the following ...

Page 162: ...server l Managing the file Perform the following as required Run rename old name new name The name of the specified file on the server is changed Run get remote filename local filename The file on the remote server is downloaded Run put local filename remote filename The local file is uploaded to the remote server Run remove remote filename The file on the server is removed l Displaying the SFTP c...

Page 163: ...e address of SFTP client is 1 1 1 1 8 8 Configuration Examples This section describes examples for access another device The examples explain networking requirements configuration notes and configuration roadmap 8 8 1 Example for Configuring Telnet Services In this example the authentication mode and password are configured for users to log in using Telnet Networking Requirements As shown in Figur...

Page 164: ...gabitEthernet1 0 0 ip address 1 1 1 2 24 RouterB GigabitEthernet1 0 0 quit Step 2 Configure the authentication mode and password for Telnet services on Router B RouterB user interface vty 0 4 RouterB ui vty0 4 authentication mode password RouterB ui vty0 4 set authentication password simple hello RouterB ui vty0 4 quit To configure an ACL for Telnet services run the following commands on Router B ...

Page 165: ...TRL_ to quit telnet mode Trying 1 1 1 2 Connected to 1 1 1 2 User Access Verification User password Huawei Integrated Access SoftwareAR Copyright C Huawei Technologies Co Ltd 2010 2011 All rights reserved RouterB End Configuration Files l Configuration file of Router A sysname RouterA interface GigabitEthernet1 0 0 ip address 1 1 1 1 255 255 255 0 return l Configuration file of Router B sysname Ro...

Page 166: ...A RouterB Async2 0 1 Session GE0 0 1 10 1 1 1 24 vpna Configuration Roadmap The configuration roadmap is as follows 1 Connect the console port of RouterB to an asynchronous serial interface of RouterA 2 Enable the redirection function on RouterA Data Preparation To complete the configuration you need the following data l IP address of the network side interface on RouterA 10 1 1 1 24 Procedure Ste...

Page 167: ...rt Foreign Add port VPNID State 19fde824 9 2 0 0 0 0 22 0 0 0 0 0 23553 Listening 19fde6c0 9 1 0 0 0 0 23 0 0 0 0 0 23553 Listening 19fde130 109 1 0 0 0 0 80 0 0 0 0 0 23553 Listening 19fdef18 9 4 0 0 0 0 2042 0 0 0 0 0 23553 Listening 19fde55c 7 1 0 0 0 0 7547 0 0 0 0 0 0 Listening 19fdf07c 9 9 10 137 217 211 23 10 138 77 61 2567 0 Established 19fdf344 9 10 10 137 217 211 23 10 138 77 69 2824 0 T...

Page 168: ... the SSH server the STelnet client can log in to the SSH server with the password RSA password rsa or all authentication mode Configure two login clients l Configure Client001 with the password as huawei and adopt the password authentication l Configure Client002 adopt the RSA authentication and assign the public key RsaKey001 to Client002 The user interface supports only SSH Figure 8 10 Networkin...

Page 169: ... Create SSH users on the server Configure a VTY user interface SSH Server user interface vty 0 4 SSH Server ui vty0 4 authentication mode aaa SSH Server ui vty0 4 protocol inbound ssh SSH Server ui vty0 4 quit l Create an SSH user named Client001 Create an SSH user named Client001 configure password authentication for the user and set the password to huawei SSH Server aaa SSH Server aaa local user...

Page 170: ...c key end NOTE The number of the bits of public key must be between 769 and 2048 SSH Server rsa public key public key code begin Enter RSA key code view return last view with public key code end SSH Server rsa key code 3047 SSH Server rsa key code 0240 SSH Server rsa key code BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB SSH Server rsa key code 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8 SSH Serve...

Page 171: ...d with the name 10 164 39 222 Please wait Info The max number of VTY users is 20 and the number of current VTY users on line is 6 The current login time is 2010 09 06 11 42 42 SSH Server Step 6 Verify the configuration After the configuration is complete run the display ssh server status and display ssh server session commands You can see that the STelnet clients have logged in to the server succe...

Page 172: ...ser interface vty 0 4 authentication mode aaa protocol inbound ssh return l Configuration file of Client001 on SSH client sysname client001 interface GigabitEthernet1 0 0 ip address 10 164 39 220 255 255 255 0 ssh client first time enable return l Configuration file of Client002 on SSH client sysname client002 interface GigabitEthernet1 0 0 ip address 10 164 39 221 255 255 255 0 ssh client first t...

Page 173: ...mand on the router to download the file 3 Use the TFTP command on the router to upload the file Data Preparation To complete the configuration you need the following data l The TFTP application installed on the TFTP server l The path of the file on the TFTP server l The destination file name and its path on the router Procedure Step 1 Start the TFTP server and set its Current Directory as the dire...

Page 174: ...2011 17 00 24 web zip 1 rw 396 Feb 11 2008 14 34 17 rsa_host_key efs 2 rw 540 Feb 11 2008 14 35 10 rsa_server_key efs 3 rw 1 498 Apr 01 2011 09 49 37 iascfg zip 4 rw 525 337 Apr 01 2011 09 50 00 private data txt 5 rw 1 215 Mar 26 2011 11 32 27 iascfg_autobackup zip 6 rw 1 703 936 Feb 27 2008 10 00 10 ar_smk2 cc 7 drw Mar 07 2008 15 44 46 dd 8 rw 69 143 936 Mar 28 2008 07 34 54 ar cc 9 rw 8 996 Apr...

Page 175: ...SFTP client to the SSH server Client002 GE1 0 0 10 164 39 221 24 SSH Server GE1 0 0 10 164 39 222 24 Client001 GE1 0 0 10 164 39 220 24 Configuration Roadmap The configuration roadmap is as follows 1 Configure Client001 and Client002 on the SSH server 2 Generate the local key pairs on the SFTP client and SSH server 3 Generate the RSA public key on the SSH server and bind the RSA public key of SSH ...

Page 176: ...e type ssh SSH Server aaa local user client001 ftp directory flash SSH Server aaa quit l Create an SSH user named Client002 Create an SSH user named Client002 set the password to huawei and configure RSA authentication for the user SSH Server aaa SSH Server aaa local user client002 password cipher huawei SSH Server aaa local user client002 service type ssh SSH Server aaa local user client002 ftp d...

Page 177: ... code 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8 SSH Server rsa key code EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 SSH Server rsa key code 1D7E3E1B SSH Server rsa key code 0203 SSH Server rsa key code 010001 SSH Server rsa key code public key code end SSH Server rsa public key peer public key end Step 4 Bind the RSA public key of the SSH client to Client002 SSH Server ssh user client002 assig...

Page 178: ...ation retries 3 times SFTP Server Enable Check the SSH session status SSH Server display ssh server session Conn Ver Encry State Auth type Username VTY 3 2 0 AES run password client001 VTY 4 2 0 AES run rsa client002 Check information about the SSH users SSH Server display ssh user information Username Auth type User public key name client001 password null client002 rsa RsaKey001 End Configuration...

Page 179: ...mple a user that attempts to access the SSH server is authenticated by the RADIUS server and the SSH server determines whether to set up a connection with the user according to the authentication result Networking Requirements When an RADIUS user is connected to an SSH server the SSH server sends the user name and password of the SSH client to the RADIUS server compatible with the TACACS server fo...

Page 180: ...on directory of the SSH user 9 Users ssh1 ssh com and ssh2 ssh com log in to the SSH server through STelnet and SFTP respectively Data Preparation To complete the configuration you need the following data l Configure the password authentication for the two SSH users l RADIUS authentication l Name of the RADIUS template l Name of the RADIUS domain l Name and password of the RADIUS user Procedure St...

Page 181: ...ublic key view return system view with peer public key end Huawei rsa public key public key code begin Enter RSA key code view return last view with public key code end Huawei rsa key code 3047 Huawei rsa key code 0240 Huawei rsa key code BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB Huawei rsa key code 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8 Huawei rsa key code EA91FC4B B9E18836 5E74BFD5 4C68...

Page 182: ... ssh quit Step 5 Configure the RADIUS domain name on the SSH server Set the RADIUS domain name to ssh com and apply the authentication scheme newscheme and RADIUS server template ssh to the RADIUS domain Huawei aaa Huawei aaa domain ssh com Huawei aaa domain ssh com authentication scheme newscheme Huawei aaa domain ssh com radius server ssh Huawei aaa domain ssh com quit Huawei aaa quit Step 6 Con...

Page 183: ... View the configuration of the RADIUS server Huawei aaa display radius server configuration Server template name ssh Protocol version standard Traffic unit B Shared secret key N C55QK Q Q MAF4 1 Timeout interval in second 5 Primary authentication server 10 164 6 49 1812 LoopBack NULL Primary accounting server 0 0 0 0 0 LoopBack NULL Secondary authentication server 0 0 0 0 0 LoopBack NULL Secondary...

Page 184: ...adius domain ssh com authentication scheme newscheme radius server ssh sftp server enable ssh user ssh1 ssh com ssh user ssh2 ssh com ssh user ssh2 ssh com assign rsa key RsaKey001 user interface vty 0 4 authentication mode aaa protocol inbound ssh return Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 8 Accessing Another Device Issue 02 2011 10 15 Huawei Proprietar...

Page 185: ...ch file to be used after the next startup uninstall patches to deactivate the patches that do not meet system requirements or delete the unwanted patches to release the memory of the patch area on the MPU 9 5 Monitoring CPU and Memory Usage Configuring CPU and memory usage thresholds allows CPU and memory usage to be monitored and system performance to be known in time 9 6 Restarting the Device Af...

Page 186: ...ftware loading Software downloading includes l Remote downloading l Local downloading 9 1 3 Patch Management Loading a patch onto the system software allows the system software to be upgraded in service without interrupting services on the device This also improves Quality of Service QoS During device operation the system software may need to be modified due to system bugs or new function requirem...

Page 187: ... will be generated and logged You can query the log to know CPU usage l A log is recorded when memory usage exceeds the configured threshold If memory usage exceeds the threshold an alarm will be generated and logged Users can query the log to know memory usage 9 1 5 Device Restart A device can be restarted immediately or as scheduled In some special cases for example during system upgrade the rou...

Page 188: ... GTL license file If you enter Y the system informs you of a GTL license file update success If you enter N the system informs you of a GTL license update failure and displays the status of the current GTL license file Before activating a GTL license file check that the GTL license file is suffixed with dat After obtaining a GTL license file use a notepad program to check whether the ESN on the MP...

Page 189: ...e stored in the flash memory SD card or USB flash drive NOTE l A user who uses the GTL license for the first time must buy the GTL license from Huawei and then load the GTL license file to the main control board l A user who wants to upgrade the GTL license needs to run the license revoke command to obtain an invalidation code and then apply to Huawei for a new GTL license by using the invalidatio...

Page 190: ...nabled on the router in any of the following situations l The GTL license file of the Comm version has been activated and is in the Normal state l The GTL license file of the Demo version has been activated and is in the Demo state l The Emergency state can be enabled again only on the last day of the previous enabling operation Procedure Step 1 Run license emergency The Emergency state of the GTL...

Page 191: ...0123456789 AR000801 23456789 License Serial No LIC20110309010210 Creator Huawei Technologies Co Ltd Created Time 2011 03 09 19 36 14 Country China Custom R D of Huawei Technologies Co Ltd Office Shenzhen Feature name ACCESS Authorize type DEMO Expired date 2011 06 07 Trial days 60 Item name LLE0IPPBX01 Item type Function Control value 1 Used value 1 Item state Normal Item expired date 2011 06 07 I...

Page 192: ...g in to the router successfully Data Preparation To upgrade system software you need the following data No Data 1 Baud rate of a serial interface 2 IP address of an FTP server or the router 3 User name and password used for login by means of FTP 4 Optional New system software configuration files PAF file license file and patch file 9 3 2 Checking the System Before the Upgrade To ensure that a devi...

Page 193: ...server you need to install the FTP server software on the PC You need to purchase and install the FTP server software yourself because the device is not installed with such software by default l If the device to be upgraded functions as a server and a PC functions as a client you do not need to install the FTP server software on the PC By default the FTP server function on the device to be upgrade...

Page 194: ...Init returned OK Press Ctrl B to break auto startup Attached TCP IP interface to teth1 NOTE l If a password is configured you must enter the password after pressing Ctrl B to display the BootROM menu the default password is huawei l You can change the password under the BootROM menu Make a note of your password and keep it in a safe place The password cannot be restored if it is lost Step 3 Select...

Page 195: ... used by the router at the next startup is specified the patch status file to be used at the next startup must be reset Context Before specifying the system software to be used at the next startup perform the following operations Upload the system software to the master and slave MPUs For details see the contents of uploading and downloading files in Performing File Operations by Using FTP Command...

Page 196: ...be cc and the package must be stored in the root directory l The backup startup software package can be the same as or different from the current startup software package but it can be used to make the system start Procedure Step 1 Run startup system software filename backupThe backup startup software package is specified End 9 3 6 Optional Upgrading the BootROM of the LPU After the system softwar...

Page 197: ... damaged the router restarts with the backup startup files If the router fails to restart with the backup startup files it searches valid startup files on the storage devices in the sequence Flash memory SD card USB flash drive When the router finds valid system software packages and configuration files on the storage device it selects a rollback version within 24 minutes and restarts with the sel...

Page 198: ...es End Example After the patch is installed run the display patch information command You can view the patch status on each board Huawei display patch information Patch version ARV200R001C00SPH100 Patch packet name sd1 patch_lic2 pat Run the display startup command You can view the names of the system software and the configuration file used at the startup For example Huawei display startup MainBo...

Page 199: ...ffect after a command is used to run the patch file without having to restart the device For details see Installing a Patch l Specifying a patch file to be used at the next startup The patch file takes effect after the device is restarted Pre configuration Tasks Before managing patches complete the following tasks l Making sure that the router is working properly l Storing patches in the storage m...

Page 200: ...vice to make patchA pat effective End 9 4 3 Specifying a Patch File to Be Used at the Next Startup If you do not want the patch file that has been uploaded to the storage media to take effect you can specify a patch file to be used at the next startup In this manner the patch file will take effect after the device is restarted Context Before specifying a patch file to be used at the next startup t...

Page 201: ... patch in the system 9 4 5 Checking the Configuration After patch installation is complete you can view patch information such as the patch status Prerequisite The configurations of patch installation are complete Procedure l Run the display patch information command to check information about all patches End Example After a patch has been installed run the display patch information command You ca...

Page 202: ...nd the system performance can be optimized This also allows the system to work properly Pre configuration Tasks Before setting CPU and memory usage thresholds complete the following task l Making sure that the router is working properly Data Preparation To set CPU and memory usage thresholds you need the following data No Data 1 CPU usage thresholds including an alarm threshold and a clear alarm t...

Page 203: ...old threshold value An alarm threshold is set for memory usage Default settings are as follows l If the memory of an LPU is smaller than 128 MB the alarm threshold of memory usage is 80 l If the memory of an LPU ranges from 128 MB to 256 MB the alarm threshold of memory usage is 85 l If the memory of an LPU ranges from 256 MB to 512 MB the alarm threshold of memory usage is 90 l If the memory of a...

Page 204: ...on task quickly and accurately Applicable Environment After the system software of the router is upgraded the router must be restarted to make the configuration take effect To prevent the system from breaking down due to a large number of temporary files the router also must be restarted The AR2200 provides two methods of restarting the router l Immediate restart l Scheduled restart Pre configurat...

Page 205: ...llows on the router that needs to restart as scheduled Procedure Step 1 Run schedule reboot at exact time The router is configured to restart as scheduled and the restart time is set Step 2 Run schedule reboot delay interval The router is configured to restart as scheduled and the wait time before the restart is set You can choose either Step 1 or Step 2 to configure the router to restart as sched...

Page 206: ...ntenance including networking requirements precautions and configuration roadmap The configuration flowchart will help you understand the configuration procedures 9 7 1 Example for Upgrading System Software This section provides detailed procedures for upgrading system software This will help you to complete the upgrade task quickly and accurately Networking Requirements The current system softwar...

Page 207: ...Backup startup software version which is V200R001C00_backup cc l Size of the remaining space of the storage media Procedure Step 1 Upload the new system software Configure the device as an FTP server Huawei system view Huawei sysname HuaWei HuaWei ftp server enable Info Succeeded in starting the FTP server HuaWei aaa HuaWei aaa local user user1 password simple huawei info A new user added HuaWei a...

Page 208: ...fy the configuration file to be used at the next startup HuaWei startup saved configuration aa cfg This operation will take several minutes please wait Info Succeeded in setting the file for booting system View the system software and configuration file to be used at the next startup and check that the system software is the specified one HuaWei display startup MainBoard Startup system software sd...

Page 209: ...sysname HuaWei HuaWei display version Huawei Versatile Routing Platform Software VRP R software Version 5 90 AR2200 V200R001C00 Copyright C 2000 2010 Huawei Technologies Co LTD Huawei AR2240 Router uptime is 0 week 0 day 3 hours 59 minutes BKP 0 version information 1 PCB Version AR01BAK1A VER C 2 If Supporting PoE Yes 3 Board Type AR2240 4 MPU Slot Quantity 1 5 LPU Slot Quantity 2 MPU 0 Master upt...

Page 210: ...0 10 1 1 1 24 Configuration Roadmap The configuration roadmap is as follows 1 Upload the patch file to the storage medium on the MPU 2 Load and run the patch file 3 Verify the configuration Data Preparation To complete the configuration you need the following data l Patch file name which is SPH 1 1 952 pat in this example l Patch file storage path on the master MPU which is sd1 in this example Pro...

Page 211: ... patch information command to view information about the running patch HuaWei display patch information Patch version ARV200R001C00SPH100 Patch packet name sd1 SPH 1 1 952 pat End Huawei AR2200 Series Enterprise Routers Configuration Guide Basic Configuration 9 Upgrade and Maintenance Issue 02 2011 10 15 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 200 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands