HUAWEI NetEngine80E/40E Router
V600R008C10
Configuration Guide - Basic Configurations
Issue 02
Date 2014-09-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. i

About This Document

Purpose
This section describes the organization, product version, intended audience, conventions, and change history of this document.

NOTE
- This document provides examples of the NE40E-X8 interface numbers and link types. The actual interface numbers and link types may be different from those provided in this document.
- On the NE80E/40E series excluding NE40E-X1 and NE40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On the NE40E-X1 and NE40E-X2, there are no LPUs or SFUs; NPUs implement the functions of LPUs and SFUs to exchange and forward packets.

NOTICE
Note the following precautions:
- The encryption algorithms DES/3DES/SKIPJACK/RC2/RSA (RSA-1024 or lower)/MD2/MD4/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have low security and may bring security risks. If the protocol allows, using more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended.
- If the plain parameter is specified, the password is saved in plaintext in the configuration file, which is a high security risk. Therefore, specifying the cipher parameter is recommended. To further improve device security, change the password periodically.
- Do not set both the start and end characters of a password to "%$%$". This causes the password to be displayed directly in the configuration file.

Related Versions
The following table lists the product versions related to this document.
Product Name: HUAWEI NetEngine80E/40E Router
Version: V600R008C10

Intended Audience
This document is intended for:
- Commissioning engineers
- Data configuration engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows. The symbol column consists of icons in the original; their descriptions are:
- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
- Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.
- Boldface: The keywords of a command line are in boldface.
- Italic: Command arguments are in italics.
- [ ]: Items (keywords or arguments) in brackets [ ] are optional.
- { x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
- [ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
- { x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
- [ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
- &<1-n>: The parameter before the & sign can be repeated 1 to n times.
- #: A line starting with the # sign is a comment.

Change History
Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.

Changes in Issue 02 (2014-09-30)
This issue is the second official release.
Changes in Issue 01 (2014-06-30)
This issue is the first official release.

Contents

About This Document ... ii
1 Logging In to the System for the First Time ... 1
1.1 Introduction to Log In to the Device for the First Time ... 2
1.2 Logging In to the Device Through the Console Port ... 2
1.2.1 Before You Start ... 2
1.2.2 Establishing the Physical Connection ... 3
1.2.3 Logging In to the Device ... 3
1.3 Logging In to the router That Supports the Plug-and-Play Function ... 6
2 CLI Overview ... 8
2.1 CLI Introduction ... 9
2.1.1 Command Line Interface ... 9
2.1.2 Command Levels ... 9
2.1.3 Command Line Views ... 12
2.2 Online Help ... 13
2.2.1 Full Help ... 13
2.2.2 Partial Help ... 14
2.2.3 Command Line Interface Error Messages ... 14
2.3 CLI Features ... 15
2.3.1 Editing ... 15
2.3.2 Displaying ... 16
2.3.3 Regular Expressions ... 16
2.3.4 Previously-Used Commands ... 20
2.3.5 Batch Command Execution ... 21
2.4 Shortcut Keys ... 23
2.4.1 Classifying Shortcut Keys ... 23
2.4.2 Defining Shortcut Keys ... 24
2.4.3 Using Shortcut Keys ... 25
2.5 Configuration Examples ... 25
2.5.1 Running Commands in Batches ... 25
2.5.2 Using the Tab Key ... 26
2.5.3 Using Shortcut Keys ... 27
2.5.4 Copying Commands Using Shortcut Keys ... 28
3 Basic Configuration ... 30
3.1 Configuring the Basic System Environment ... 31
3.1.1 Before You Start ... 31
3.1.2 Switching the Language Mode ... 31
3.1.3 Configuring the Equipment Name ... 32
3.1.4 Setting the System Clock ... 32
3.1.5 Configuring a Header ... 39
3.1.6 Configuring Command Levels ... 40
3.1.7 Configuring the undo Command to Automatically Match the Higher-Level View ... 41
3.2 Displaying System Status Messages ... 42
3.2.1 Displaying System Configuration ... 42
3.2.2 Displaying the System Status ... 43
3.2.3 Collecting System Diagnostic Information ... 43
4 Configuring User Interfaces ... 44
4.1 User Interface Overview ... 45
4.2 Configuring the Console User Interface ... 47
4.2.1 Before You Start ... 47
4.2.2 Setting Physical Attributes of the Console User Interface ... 48
4.2.3 Setting Terminal Attributes of the Console User Interface ... 49
4.2.4 Configuring the User Privilege of the Console User Interface ... 50
4.2.5 Configuring the User Authentication Mode of the Console User Interface ... 51
4.2.6 Checking the Configuration ... 52
4.3 Configuring the AUX User Interface ... 53
4.3.1 Before You Start ... 54
4.3.2 Setting Physical Attributes of the AUX User Interface ... 54
4.3.3 Setting Terminal Attributes of the AUX User Interface ... 55
4.3.4 Setting the User Priority of the AUX User Interface ... 56
4.3.5 Setting Modem Attributes of the AUX User Interface ... 57
4.3.6 (Optional) Configuring Auto-Execute Commands of the AUX User Interface ... 58
4.3.7 Setting the User Authentication Mode of the AUX User Interface ... 59
4.3.8 Checking the Configuration ... 60
4.4 Configuring the VTY User Interface ... 61
4.4.1 Before You Start ... 61
4.4.2 Configuring the Maximum Number of VTY User Interfaces ... 62
4.4.3 (Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces ... 63
4.4.4 Setting the Terminal Attributes of the VTY User Interface ... 65
4.4.5 Setting the User Priority of the VTY User Interface ... 66
4.4.6 Setting the User Authentication Mode of the VTY User Interface ... 66
4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces ... 68
4.4.8 Checking the Configuration ... 69
4.5 Configuration Examples ... 71
4.5.1 Example for Configuring the Console User Interface ... 71
4.5.2 Example for Configuring the AUX User Interface ... 73
4.5.3 Example for Configuring a VTY User Interface ... 75
5 Configuring User Login ... 77
5.1 User Login Overview ... 78
5.2 Logging In to Devices Through the Console Port ... 81
5.2.1 Before You Start ... 81
5.2.2 Logging In to the Device Using a Console Port ... 81
5.2.3 (Optional) Configuring the Console User Interface ... 84
5.2.4 Checking the Configuration ... 85
5.3 Logging In to Devices Through the AUX Port ... 86
5.3.1 Before You Start ... 86
5.3.2 Logging In to the Device Through an AUX Port ... 87
5.3.3 (Optional) Configuring the AUX User Interface ... 91
5.3.4 Checking the Configuration ... 92
5.4 Using Telnet to Log In to Devices ... 93
5.4.1 Before You Start ... 93
5.4.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface ... 94
5.4.3 Enabling the Telnet Service ... 97
5.4.4 Using Telnet to Log In to the Device ... 98
5.4.5 (Optional) Configuring the Listening Port Number of the Telnet Server ... 99
5.4.6 (Optional) Configuring Telnet Access Control ... 100
5.4.7 Checking the Configuration ... 101
5.5 Using STelnet to Log In to Devices ... 102
5.5.1 Before You Start ... 102
5.5.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface ... 103
5.5.3 Configuring SSH for the VTY User Interface ... 105
5.5.4 Configuring an SSH User and Specifying the Service Types ... 106
5.5.5 Enabling the STelnet Server Function ... 112
5.5.6 Using STelnet to Log In to the Device ... 112
5.5.7 (Optional) Configuring the STelnet Server Parameters ... 113
5.5.8 Checking the Configuration ... 116
5.6 Common Operations After Login ... 117
5.6.1 Before You Start ... 117
5.6.2 Locking User Interfaces ... 117
5.6.3 Sending Messages to Other User Interfaces ... 118
5.6.4 Displaying Login Users ... 118
5.6.5 Clearing Logged-in Users ... 119
5.6.6 Configuring Configuration Locking ... 119
5.7 Configuration Examples ... 120
5.7.1 Example for Using a Console Port to Configure User Login ... 120
5.7.2 Example for Logging In Through the AUX Port ... 123
5.7.3 Example for Configuring User Login Through Telnet ... 124
5.7.4 Example for Using STelnet to Configure User Login ... 127
6 Managing the File System ... 131
6.1 File System Overview ... 132
6.1.1 File System ... 132
6.1.2 File Management Methods ... 132
6.2 Using the File System to Manage Files ... 134
6.2.1 Before You Start ... 134
6.2.2 Managing Storage Devices ... 134
6.2.3 Managing Directories ... 135
6.2.4 Managing Files ... 136
6.3 Using FTP to Manage Files ... 138
6.3.1 Before You Start ... 138
6.3.2 Configuring a Local FTP User ... 139
6.3.3 (Optional) Specifying a Port Number for the FTP Server ... 140
6.3.4 Enabling the FTP Server ... 140
6.3.5 (Optional) Configuring the FTP Server Parameters ... 141
6.3.6 (Optional) Configuring an FTP ACL ... 142
6.3.7 Using FTP to Access the System ... 143
6.3.8 Using FTP Commands to Manage Files ... 144
6.3.9 Checking the Configuration ... 146
6.4 Using SFTP to Manage Files ... 147
6.4.1 Before You Start ... 147
6.4.2 Configuring the VTY User Interface ... 148
6.4.3 Configuring SSH for the VTY User Interface ... 148
6.4.4 Configuring an SSH User and Specifying SFTP as One of the Service Types ... 149
6.4.5 Enabling the SFTP Service ... 155
6.4.6 (Optional) Configuring the SFTP Server Parameters ... 156
6.4.7 Using SFTP to Access the System ... 158
6.4.8 Using SFTP to Manage Files ... 159
6.4.9 Checking the Configuration ... 160
6.5 Using Xmodem to Manage Files ... 162
6.5.1 Before You Start ... 162
6.5.2 Obtaining a File Through Xmodem ... 162
6.6 Configuration Examples ... 163
6.6.1 Example for Using the File System to Manage Files ... 163
6.6.2 Example for Using FTP to Manage Files ... 165
6.6.3 Example for Using SFTP to Manage Files ... 167
6.6.4 Example for Using Xmodem to Perform File Operations ... 170
7 Configuring System Startup ... 172
7.1 System Startup Overview ... 173
7.1.1 System Software ... 173
7.1.2 Configuration Files ... 173
7.1.3 Configuration Files and Current Configurations ... 173
7.2 Managing Configuration Files ... 174
7.2.1 Before You Start ... 174
7.2.2 Saving Configuration Files ... 175
7.2.3 Clearing a Configuration File ... 177
7.2.4 Comparing Configuration Files ... 178
7.2.5 Checking the Configuration ... 179
7.3 Specifying a File for System Startup ... 180
7.3.1 Before You Start ... 180
7.3.2 Configuring System Software for the router to Load at the Next Startup ... 180
7.3.3 Configuring the Configuration File for the Router to Load at the Next Startup ... 181
7.3.4 Checking the Configuration ... 181
7.4 Configuration Examples ... 182
7.4.1 Example for Configuring System Startup ... 182
8 Accessing Another Device ... 185
8.1 Accessing Another Device ... 187
8.1.1 Telnet Method ... 187
8.1.2 FTP Method ... 189
8.1.3 TFTP Method ... 189
8.1.4 SSH Method ... 190
8.2 Using Telnet to Log In to Other Devices ... 191
8.2.1 Before You Start ... 191
8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client ... 192
8.2.3 Using Telnet to Log In to Another Device ... 193
8.2.4 Checking the Configuration ... 193
8.3 Using Telnet Redirection to Connect to Another Device ... 194
8.3.1 Before You Start ... 194
8.3.2 Enabling Telnet Redirection ... 195
8.3.3 Using Telnet Redirection to Connect to Another Device ... 196
8.3.4 Checking the Configuration ... 196
8.4 Using STelnet to Log In to Another Device ... 197
8.4.1 Before You Start ... 197
8.4.2 Enabling First-Time Authentication on the SSH
Client..........................................................................................198 8.4.3 Allocating a Public Key to the SSH Server.............................................................................................................199 8.4.4 Using STelnet to Log In to Another Device............................................................................................................200 8.4.5 Checking the Configuration.....................................................................................................................................201 8.5 Using TFTP to Access Files on Another Device........................................................................................................202 8.5.1 Before You Start......................................................................................................................................................202 Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
ix HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations Contents 8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client.............................................................................202 8.5.3 (Optional) Configuring TFTP Access Authority.....................................................................................................203 8.5.4 Using TFTP to Download Files...............................................................................................................................204 8.5.5 Using TFTP to Upload Files....................................................................................................................................205 8.5.6 Checking the Configuration.....................................................................................................................................205 8.6 Using FTP to Access Files on Another Device..........................................................................................................206 8.6.1 Before You Start......................................................................................................................................................206 8.6.2 (Optional) Configuring the Source IP Address and Interface of the FTP Client.....................................................206 8.6.3 Connecting to Other Devices Using FTP Commands.............................................................................................207 8.6.4 Using FTP Commands to Manage Files..................................................................................................................208 8.6.5 Changing Login Users.............................................................................................................................................211 8.6.6 Disconnecting from the FTP 
Server........................................................................................................................211 8.6.7 Checking the Configuration.....................................................................................................................................212 8.7 Using SFTP to Access Files on Another Device........................................................................................................212 8.7.1 Before You Start......................................................................................................................................................212 8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client...........................................................................213 8.7.3 Enabling the First-Time Authentication on the SSH Client....................................................................................213 8.7.4 Allocating a Public Key to the SSH Server.............................................................................................................214 8.7.5 Using SFTP to Connect to Other Devices...............................................................................................................216 8.7.6 Using SFTP Commands to Manage Files................................................................................................................217 8.7.7 Checking the Configuration.....................................................................................................................................219 8.8 Configuration Examples.............................................................................................................................................220 8.8.1 Example for Using Telnet to Log In to Another Device.........................................................................................220 8.8.2 Example for Using Telnet Redirection to Log In to Another 
Device......................................................................222 8.8.3 Example for Using Telnet on a VPN to Log In to Another Device........................................................................224 8.8.4 Example for Using STelnet (RSA Authentication Mode) to Log In to the SSH Server.........................................226 8.8.5 Example for Using STelnet (DSA Authentication Mode) to Log In to the SSH Server.........................................232 8.8.6 Example for Using TFTP to Access Files on Another Device................................................................................238 8.8.7 Example for Configuring Access to the TFTP Server on the Public Network When the Management VPN Instance Is Used..............................................................................................................................................................................241 8.8.8 Example for Using FTP to Access Files on Another Device..................................................................................243 8.8.9 Example for Configuring Access to the FTP Server on the Public Network When the Management VPN Instance Is Used..................................................................................................................................................................................245 8.8.10 Example for Using SFTP (RSA Authentication Mode) to Access Files on Another Device................................246 8.8.11 Example for Using SFTP (DSA Authentication Mode) to Log In to the SSH Server..........................................252 8.8.12 Example for Configuring Access to the SFTP Server on the Public Network When the Management VPN Instance Is Used..............................................................................................................................................................................258 8.8.13 Example for Accessing the SSH Server Through Other 
Ports..............................................................................264 9 Clock Synchronization Configuration..................................................................................271 9.1 Introduction to Clock Synchronization Configuration...............................................................................................272 9.1.1 Overview of Clock Synchronization Configuration................................................................................................272 9.1.2 Clock Synchronization Supported by the NE80E/40E............................................................................................272 Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. x HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations Contents 9.2 Setting Basic Clock Synchronization Configurations................................................................................................272 9.2.1 Before You Start......................................................................................................................................................273 9.2.2 Setting Basic Configurations for Clock Synchronization........................................................................................273 9.2.3 Checking the Configuration.....................................................................................................................................274 9.3 Configuring an External BITS Clock Source.............................................................................................................275 9.3.1 Before You Start......................................................................................................................................................275 9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock..............................................276 9.3.3 Configuring an External 
Clock Source and Its Signal Type on the router..............................................................276 9.3.4 Checking the Configuration.....................................................................................................................................277 9.4 Configuring a Clock Reference Source Manually or Forcibly...................................................................................277 9.4.1 Before You Start......................................................................................................................................................277 9.4.2 Configuring a Clock Reference Source...................................................................................................................278 9.4.3 Checking the Configuration.....................................................................................................................................279 9.5 Configuring Clock Protection Switching Based on SSM Levels...............................................................................280 9.5.1 Before You Start......................................................................................................................................................280 9.5.2 Configuring the Router to Automatically Select Clock Sources.............................................................................280 9.5.3 Enabling SSM..........................................................................................................................................................281 9.5.4 Configuring the SSM Level of the Clock Reference Source...................................................................................281 9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs............................................................282 9.5.6 Setting the Modes of Extracting SSM 
Levels.........................................................................................................282 9.5.7 (Optional)Configuring the Extended SSM .............................................................................................................283 9.5.8 Checking the Configuration.....................................................................................................................................285 9.6 Configuring Clock Protection Switching Based on Priorities....................................................................................285 9.6.1 Establishing the Configuration Task.......................................................................................................................285 9.6.2 Configuring the Router to Automatically Select Clock Sources.............................................................................285 9.6.3 Disabling SSM.........................................................................................................................................................286 9.6.4 Setting Priorities of Clock Reference Sources........................................................................................................286 9.6.5 Checking the Configuration.....................................................................................................................................287 9.7 Configuring Ethernet Clock Synchronization............................................................................................................288 9.7.1 Before You Start......................................................................................................................................................288 9.7.2 Enabling Ethernet Clock Synchronization..............................................................................................................289 9.7.3 Configuring Ethernet Clock 
Source........................................................................................................................289 9.7.4 Checking the Configuration.....................................................................................................................................290 9.8 Configuration Examples of Clock Synchronization...................................................................................................292 9.8.1 Example for Configuring Protection Switchover of Clock Sources........................................................................292 10 1588v2 Configuration..............................................................................................................300 10.1 Overview of 1588v2.................................................................................................................................................302 10.1.1 Introduction...........................................................................................................................................................302 10.1.2 1588v2 Features Supported by the NE80E/40E....................................................................................................307 10.2 Configuring 1588v2 on OC......................................................................................................................................309 10.2.1 Before You Start....................................................................................................................................................309 Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
xi HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations Contents 10.2.2 Configuring 1588v2 Globally................................................................................................................................310 10.2.3 Configuring 1588v2 on an Interface......................................................................................................................311 10.2.4 Configuring Time Attributes for 1588v2 Packets.................................................................................................312 10.2.5 Configuring Encapsulation Modes for 1588v2 Packets........................................................................................314 10.2.6 Checking the Configurations.................................................................................................................................316 10.3 Configuring 1588v2 on BC......................................................................................................................................317 10.3.1 Before You Start....................................................................................................................................................317 10.3.2 Configuring 1588v2 Globally................................................................................................................................319 10.3.3 Configuring 1588v2 on an Interface......................................................................................................................320 10.3.4 Configuring Time Attributes for 1588v2 Packets.................................................................................................321 10.3.5 Configuring Encapsulation Types for 1588v2 Packets.........................................................................................323 10.3.6 Checking the 
Configurations.................................................................................................................................325 10.4 Configuring 1588v2 on TC.......................................................................................................................................328 10.4.1 Establishing the Configuration Task.....................................................................................................................328 10.4.2 Configuring 1588v2 Globally................................................................................................................................330 10.4.3 Configuring 1588v2 on an Interface......................................................................................................................331 10.4.4 Configuring Time Attributes for 1588v2 Packets.................................................................................................332 10.4.5 Configuring Encapsulation Types for 1588v2 Packets.........................................................................................333 10.4.6 Checking the Configurations.................................................................................................................................335 10.5 Configuring 1588v2 on TCandBC...........................................................................................................................336 10.5.1 Before You Start....................................................................................................................................................336 10.5.2 Configuring 1588v2 Globally................................................................................................................................338 10.5.3 Configuring 1588v2 on an Interface......................................................................................................................339 10.5.4 Configuring Time Attributes for 1588v2 
Packets.................................................................................................341 10.5.5 Configuring Encapsulation Types for 1588v2 Packets.........................................................................................342 10.5.6 Checking the Configurations.................................................................................................................................344 10.6 Configuring the 1588v2 Time Source......................................................................................................................346 10.6.1 Before You Start....................................................................................................................................................346 10.6.2 Configuring BITS Signals to Participate in the BMC Calculation........................................................................346 10.6.3 Configuring Attributes for the 1588v2 Time Source.............................................................................................349 10.6.4 Checking the Configurations.................................................................................................................................350 10.7 Configuring 1588 ACR............................................................................................................................................351 10.7.1 Checking the Configurations.................................................................................................................................351 10.7.2 Configuring the Unicast Negotiation Function for a Client..................................................................................352 10.7.3 Configuring the Unicast Negotiation Function for a Server..................................................................................354 10.7.4 (Optional) Adjusting Parameters for Establishing a Unicast Negotiation Connection.........................................355 
10.7.5 Checking the Configurations.................................................................................................................................357 10.8 Maintaining 1588v2..................................................................................................................................................359 10.8.1 Clearing 1588v2 Statistics.....................................................................................................................................359 10.8.2 Monitoring 1588v2................................................................................................................................................360 10.9 1588 ACR Maintenance...........................................................................................................................................362 Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. xii HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations Contents 10.9.1 Clearing 1588 ACR Statistics................................................................................................................................363 10.10 Configuration Examples.........................................................................................................................................363 10.10.1 Example for Configuring the BITS as the 1588v2 Clock Source.......................................................................363 10.10.2 Example for Restoring Frequency Synchronization Between an IP Clock Server and NodeBs Through 1588v2 Packets..............................................................................................................................................................................368 10.10.3 Example for Synchronizing Frequencies Through the Integration of the 1588v2 Clock, Synchronous Ethernet Clock, and WAN 
Clock....................................................................................................................................................369 10.10.4 Checking the Configurations...............................................................................................................................373 10.10.5 Example for Configuring Clock Synchronization of an Entire Network Through Multicast MAC-Encapsulated 1588v2 Packets.................................................................................................................................................................374 10.10.6 Example for Configuring 1588 ACR Clock Synchronization in a Single-Server Scenario................................378 11 Device Maintenance................................................................................................................382 11.1 Introduction of Device Maintenance........................................................................................................................384 11.1.1 Overview of Device Maintenance.........................................................................................................................384 11.1.2 Maintenance Features Supported by the NE80E/40E...........................................................................................384 11.2 Configuring an E-label for the Backplane of the NE80E.........................................................................................384 11.3 Configuring an Energy Saving Mode.......................................................................................................................385 11.4 Configuring the System MAC Address....................................................................................................................386 11.5 Powering off the MPU..............................................................................................................................................386 11.5.1 
Before You Start....................................................................................................................................................386 11.5.2 Powering off the Slave MPU.................................................................................................................................387 11.5.3 Checking the Configuration...................................................................................................................................388 11.6 Powering off the SFU...............................................................................................................................................388 11.6.1 Before You Start....................................................................................................................................................389 11.6.2 Powering off the SFU............................................................................................................................................389 11.6.3 Checking the Configuration...................................................................................................................................390 11.7 Powering off the NPU..............................................................................................................................................391 11.7.1 Before You Start....................................................................................................................................................391 11.7.2 Powering off the NPU...........................................................................................................................................391 11.7.3 Checking the Configuration...................................................................................................................................392 11.8 Powering Off the 
LPU ... 392
11.8.1 Before You Start ... 392
11.8.2 Powering Off the LPU ... 393
11.8.3 Checking the Configuration ... 393
11.9 (Optional) Configuring the NE80E with 5000 W Power Consumption to Power on LPUF-40s/LPUI-40s ... 394
11.10 Configuring the Input Power of a Power Module ... 395
11.11 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s ... 396
11.11.1 Before You Start ... 396
11.11.2 Restoring the Outbound Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s ... 397
11.11.3 Checking the Configuration ... 398
11.12 Configuring an Access Mode for a Device ... 398
11.12.1 Before You Start ... 398
11.12.2 Configuring an Access Mode for a Device ... 399
11.12.3 Checking the Configuration ... 400
11.13 Configuring a Working Mode for an LPU ... 401
11.13.1 Before You Start ... 401
11.13.2 Configuring a Working Mode for an LPU ... 402
11.13.3 Checking the Configuration ... 403
11.14 Configuring a Working Mode for an LPUF-40 or LPUF-20/21 ... 404
11.14.1 Before You Start ... 404
11.14.2 Configuring a Service Mode for an LPUF-20/21 or LPUF-40 ... 405
11.14.3 Checking the Configuration ... 406
11.15 Configuring Automatic Board Reset ... 407
11.16 Setting the Working Mode of the 1-Port OC-192c/STM-64c POS-XFP Flexible Card on the LPUF-10 ... 408
11.16.1 Before You Start ... 408
11.16.2 Setting the Working Mode of the 1-Port OC-192c/STM-64c POS-XFP Flexible Card on the LPUF-10 ... 409
11.17 (Optional) Configuring Periodic Reliability Detection on 2-Port OC-12c/STM-4c ATM-SFP Flexible Cards on LPUF-10s ... 410
11.18 Configuring the CMU ... 410
11.18.1 Before You Start ... 410
11.18.2 Configuring Monitor Items for a CMU ... 411
11.18.3 Checking the Configuration ... 412
11.19 Configuring Link-heartbeat Loopback Detection ... 412
11.20 Configuring a Cleaning Cycle for the Air Filter ... 415
11.20.1 Before You Start ... 415
11.20.2 Configuring a Cleaning Cycle for the Air Filter ... 415
11.20.3 Monitoring the Cleaning Cycle of the Air Filter After Cleaning It ... 416
11.20.4 Checking the Configuration ... 416
11.21 Monitoring the Device Status ... 417
11.21.1 Displaying the System Version Information ... 417
11.21.2 Displaying Basic Information About the Router ... 417
11.21.3 Displaying the Electronic Label ... 418
11.21.4 Displaying the Soft Boot Mode ... 418
11.21.5 Displaying the Threshold of the Memory Usage ... 419
11.21.6 Displaying the Threshold of CPU Usage ... 419
11.21.7 Displaying Alarm Information ... 419
11.21.8 Displaying the Board Temperature ... 420
11.21.9 Displaying the Board Voltage ... 420
11.21.10 Displaying the Power Supply Status ... 421
11.21.11 Displaying Current Information About Boards ... 421
11.21.12 Displaying Environment Information About the Device ... 422
11.21.13 Displaying the Fan Status ... 422
11.21.14 Displaying the Sequence Number of the MPU ... 423
11.21.15 Displaying the Next Start Mode of the Board ... 423
11.21.16 Displaying the Number of the Registered SFUs By Default ... 423
11.22 Board Maintenance ... 424
11.22.1 Resetting a Board ... 424
11.22.2 Clearing CPU Usage Statistics ... 424
11.23 Configuration Examples of the Device Maintenance ... 425
11.23.1 Example for Powering off the MPU ... 425
11.23.2 Example for Powering off the SFU ... 426
11.23.3 Example for Powering off the LPU ... 428
12 Device Upgrading ... 430
12.1 Device Upgrade Overview ... 431
12.2 Upgrade Modes Supported by the NE80E/40E ... 431
13 Patch Management ... 433
13.1 Patch Management Introduction ... 434
13.1.1 Patch Management Overview ... 434
13.1.2 Patches Supported by the NE80E/40E ... 436
13.2 Checking Whether a Patch is Running in the System ... 437
13.2.1 Before You Start ... 437
13.2.2 Checking the Running of a Patch in the System ... 438
13.2.3 (Optional) Deleting a Patch ... 438
13.3 Loading a Patch ... 438
13.3.1 Before You Start ... 439
13.3.2 Loading a Patch ... 439
13.3.3 Checking the Configuration ... 440
13.4 Installing a Patch ... 441
13.4.1 Establishing the Configuration Task ... 441
13.4.2 Loading a Patch ... 442
13.4.3 Activating a Patch ... 442
13.4.4 Running a Patch ... 443
13.4.5 Checking the Configuration ... 443
13.5 (Optional) Deactivating the Patch ... 445
13.5.1 Before You Start ... 445
13.5.2 Deactivating a Patch ... 445
13.5.3 Checking the Configuration ... 445
13.6 Configuration Examples for Patch Management ... 446
13.6.1 Example for Installing a Patch ... 446
A Glossary ... 449
B Acronyms and Abbreviations ... 455

1 Logging In to the System for the First Time

About This Chapter
This chapter describes how to log in to a new router and configure it through the console port or with the plug-and-play function.
1.1 Introduction to Logging In to the Device for the First Time
You can use the console port or the plug-and-play function to log in to and configure a router that is being powered on for the first time.

1.2 Logging In to the Device Through the Console Port
This section describes how to establish the configuration environment by using the console port to connect a terminal to a router.

1.3 Logging In to the Router That Supports the Plug-and-Play Function
The plug-and-play function enables the router to automatically access the network and obtain an IP address after being powered on, which allows engineers to remotely log in to the router and perform basic configurations.

1.1 Introduction to Logging In to the Device for the First Time
You can use the console port or the plug-and-play function to log in to and configure a router that is being powered on for the first time.

Logging In to the Router Through the Console Port
The console port is a serial port on the main control board. Each main control board provides one DCE console port that conforms to the EIA/TIA-232 standard. You can directly connect the serial interface of a terminal to the console port on the router and then configure the router from the terminal.

NOTE
When a device is powered on for the first time, log in to it through the console port, because this login is a prerequisite for the other login modes. For example, you must log in through the console port to configure the IP address used for Telnet login.

Logging In to the Router Using the Plug-and-Play Function
NOTE
The plug-and-play function can be configured only on the X1, X2, and X3 models of the NE80E/40E.

When sites are being deployed, routers are installed far from equipment rooms. Sending software commissioning engineers to deploy a network at the physical site is rather costly. When the plug-and-play function is enabled, however, the router automatically obtains an IP address. After installation engineers finish installing the hardware, software commissioning engineers can remotely deliver configurations to the router through the NMS. This remote configuration greatly simplifies installation and minimizes the number of required site visits, thereby reducing costs.

The plug-and-play function is controlled by a PAF file, which users do not need to configure manually. The function is automatically disabled after the router correctly obtains an IP address.

1.2 Logging In to the Device Through the Console Port
This section describes how to establish the configuration environment by using the console port to connect a terminal to a router.

1.2.1 Before You Start
Before logging in to the router through the console port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This preparation helps you complete the configuration task quickly and accurately.

Applicable Environment
When you power on the router for the first time, use the console port to log in to, configure, and manage the router.

Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
- Install a terminal emulation program, for example, Windows XP HyperTerminal, on the PC.
- Prepare the RS-232 cable.

Data Preparation
To log in to the router through the console port, you need the following data.

No. | Data
1 | Terminal communication parameters: baud rate, data bit, parity, stop bit, flow-control mode

NOTE
The system automatically uses default parameter values for the first login.

1.2.2 Establishing the Physical Connection
Use a console cable to connect the console port of the router to the COM port of a terminal.

Procedure
Step 1 Power on all devices and perform a self-check.
Step 2 Use the cable to connect the COM port on the PC to the console port on the router.
----End

1.2.3 Logging In to the Device
To manage a router that is being powered on for the first time, you can use the console port to log in to it.

Context
The PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow control mode, must match those configured for the console port. Default values for the terminal attributes are used when you first log in to the device.

Procedure
Step 1 Start a terminal emulation program, such as the Windows XP HyperTerminal, on the PC and establish a connection as shown in Figure 1-1.
NOTE
If your Windows OS does not provide the HyperTerminal, download it from the Microsoft website.
Figure 1-1 Creating a connection
Step 2 Set an interface, as shown in Figure 1-2.
Figure 1-2 Setting an interface
Step 3 Set the communication parameters to match the router defaults, as shown in Figure 1-3.
Figure 1-3 Setting communication parameters
Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system automatically saves the new password.
  An initial password is required for the first login via the console.
  Set a password and keep it safe! Otherwise you will not be able to login via the console.
  Please configure the login password (8-16)
  Enter Password:
  Confirm Password:

NOTE
- If the device has the default password set before delivery, enter the default password Admin@huawei.com to log in. This password is insecure, so you must change it immediately. For details on how to change the password, see 4.2.5 Configuring the User Authentication Mode of the Console User Interface.
- After you set the password for the user interface, you must use this user interface to log in to the system again. Use the password authentication mode and enter the new password.
- The password must meet the following requirements:
  – The password is entered in man-machine interaction mode, and the system does not display the entered password.
  – The password is a string of 8 to 16 case-sensitive characters. It must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. Any special character except the question mark (?) and the space is allowed. The configured password is displayed in the configuration file in ciphertext.
- After you restart the device using the console port, press Enter after the following information is displayed.
  Recover configuration...OK!
  Press ENTER to get started.
----End

1.3 Logging In to the Router That Supports the Plug-and-Play Function
The plug-and-play function enables the router to automatically access the network and obtain an IP address after being powered on, which allows engineers to remotely log in to the router and perform basic configurations.
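The password requirements of section 1.2.3 above, as an added Python check (not code from the Huawei guide) that a provisioning script could run before pushing a console password to a device: it applies the 8-16 character length, the two-of-four character types, the ban on the question mark and the space, and refuses the factory default Admin@huawei.com. Rejecting characters outside the four documented types (for example non-ASCII letters) is an assumption of this example, not a rule stated on the page.

```python
"""Check a console login password against the rules in the NOTE of section 1.2.3."""
import string

PASSWORD_MIN_LEN = 8
PASSWORD_MAX_LEN = 16
# Factory default named in the NOTE; it is insecure and must not remain in service.
FACTORY_DEFAULT_PASSWORD = "Admin@huawei.com"
# The two characters the page excludes from the permitted special characters.
FORBIDDEN_CHARS = {"?", " "}
SPECIAL_CHARS = set(string.punctuation) - FORBIDDEN_CHARS
DOCUMENTED_CHARS = set(string.ascii_letters) | set(string.digits) | SPECIAL_CHARS


def character_classes(password):
    """Return the set of character types present: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL_CHARS:
            classes.add("special")
    return classes


def check_console_password(password):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if password == FACTORY_DEFAULT_PASSWORD:
        problems.append("factory default password; it must be changed immediately")
    length = len(password)
    if not PASSWORD_MIN_LEN <= length <= PASSWORD_MAX_LEN:
        problems.append(f"length {length} is outside {PASSWORD_MIN_LEN}-{PASSWORD_MAX_LEN}")
    forbidden = sorted(FORBIDDEN_CHARS & set(password))
    if forbidden:
        problems.append("contains forbidden character(s): " + ", ".join(repr(c) for c in forbidden))
    # Assumption of this example: anything outside the four documented types is rejected.
    undocumented = sorted(set(password) - DOCUMENTED_CHARS - FORBIDDEN_CHARS)
    if undocumented:
        problems.append("contains undocumented character(s): " + ", ".join(repr(c) for c in undocumented))
    classes = character_classes(password)
    if len(classes) < 2:
        problems.append(f"only {len(classes)} character type(s) present; at least two are required")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for a quick run.
    for candidate in ["Huawei@123", "Admin@huawei.com", "short1", "Pass word?1", "abcdefgh"]:
        result = check_console_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```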
Context
NOTE
The plug-and-play function can be configured only on the X1, X2, and X3 models of the NE80E/40E.
The plug-and-play function takes effect only when the device is connected to a Dynamic Host Configuration Protocol (DHCP) server. The device can be connected only to a Huawei U2000, which acts as the DHCP server.

When sites are being deployed, routers are installed far from equipment rooms. Sending software commissioning engineers to deploy a network at the physical site is rather costly. When the plug-and-play function is enabled, however, the router automatically obtains an IP address. After installation engineers finish installing the hardware, software commissioning engineers can remotely deliver configurations to the router through the NMS. This remote configuration greatly simplifies installation and minimizes the number of required site visits, thereby reducing costs.

The plug-and-play function is controlled by a PAF file, which users do not need to configure manually. The function is automatically disabled after the router correctly obtains an IP address.

The process of logging in to the router that supports the plug-and-play function is as follows:

Procedure
Step 1 After planning the network, network planning engineers provide a planning list for software commissioning engineers.
Step 2 Based on this planning list, software commissioning engineers configure the mappings between router locations and IP addresses on the DHCP server, compile configuration scripts, and configure the mappings between these router locations and scripts.
Step 3 Hardware installation personnel install the router at the site and power it on.
Step 4 The router sends a DHCPREQUEST message to the DHCP server, and the interface connecting to the DHCP server obtains an IP address.
Step 5 The NMS delivers configurations to the router.
----End

Follow-up Procedure
When the router serves as a DHCP client that supports the plug-and-play function, you can run the display pnp dhcp-option command to check the usage of the Options carried in the packet delivered by the DHCP server. For example:
<HUAWEI> display pnp dhcp-option
********************************************************************************
sub 1 software version : NE40E-X3V600R005C00
sub 2 system name :
sub 3 Vlanif ID : 0
sub 4 Subif ID : 0,vlan ID : 0 config type : 0 (0 :SubIf and MainIf,1 :VlanIf,2 :Config failed)
sub 5 VPN NAME :
********************************************************************************
If no DHCP server is configured on the network or the router cannot obtain an IP address for some reason, the router displays the following information:
PNP State!!!PLEASE UNDO PNP enable for manual Setup!
You can undo PNP in system view with "undo pnp enable"

Perform the following steps to disable the plug-and-play function:
1. Run the system-view command to enter the system view.
2. Run the undo pnp enable command to disable the plug-and-play function.
3. Run the undo pnp default route [ vpn-instance instance-name ] command to delete the default route generated by the plug-and-play function.

2 CLI Overview

About This Chapter
The command line interface (CLI) is used to configure and maintain devices.

2.1 CLI Introduction
After you log in to the router, a prompt is displayed, informing you that you can interact with the router through the command line interface (CLI).
2.2 Online Help
When entering command lines or configuring services, you can use the online help to obtain immediate assistance.

2.3 CLI Features
The CLI provides several features that make it easy to use.

2.4 Shortcut Keys
System-defined or user-defined shortcut keys make it easier to enter commands.

2.5 Configuration Examples
This section provides several examples that illustrate the use of command lines.

2.1 CLI Introduction
After you log in to the router, a prompt is displayed, informing you that you can interact with the router through the command line interface (CLI).

2.1.1 Command Line Interface
You can use CLI commands to configure and manage the router. The CLI provides the following features and capabilities:
- Local or remote configuration through the AUX port.
- Local configuration through the console port.
- Local or remote configuration through Telnet or Secure Shell (SSH).
- Remote configuration by using modem dial-up to log in to an asynchronous serial interface on the router.
- The telnet command for directly logging in to and managing other routers.
- FTP service for uploading and downloading files.
- A user interface view for specific configuration management.
- A hierarchical command protection structure, which gives users of a given level permission to run commands up to a given level.
- The ability to enter "?" at any time for online help.
- Two authentication modes: password authentication, and Authentication, Authorization, and Accounting (AAA) authentication. Password and AAA authentication protect system security by preventing unauthorized users from logging in to the router.
- A command line interpreter, which provides intelligent text entry methods such as keyword fuzzy matching and context association. These methods help users enter commands easily and correctly.
- Network test commands such as tracert and ping, and abundant debugging information for fast network diagnostics.
- The ability, similar to DosKey, to rerun a command that was used previously on the device.

NOTE
- The system supports commands containing a maximum of 510 characters. A command does not have to be entered in full, as long as the part entered is unique within the system. For example, to run the display current-configuration command, enter d cu, di cu, or dis cu. Entering d c or dis c will not run the command, because these entries are not unique to it.
- The system saves the complete form of incomplete commands to configuration files, so saved commands may have more than 510 characters. When the system restarts, such incomplete commands cannot be restored. Therefore, pay attention to the length of incomplete commands before saving them.

2.1.2 Command Levels
The system hierarchically structures access to command functions to protect system security. The system administrator sets user access levels that grant specific users access to specific command levels.

By default, the command level is a value ranging from 0 to 3, and the user access level is a value ranging from 0 to 15. Table 2-1 lists the association between user access levels and command levels.

Table 2-1 Association between user access levels and command levels
User Level | Command Level | Level Name | Description
0 | 0 | Visiting level | This level gives users access to commands that run network diagnostic tools (such as ping and tracert), commands that start from the local device and visit external devices (such as the Telnet client side), and some display commands.
1 | 0 and 1 | Monitoring level | This level gives access to commands, such as display commands, that are used for system maintenance and fault diagnosis. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the NE80E/40E Command Reference.
2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure network services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | These levels give access to commands that control basic system operations and provide support for services, such as the following command types: file system, FTP, TFTP, XModem downloading, configuration file switching, power supply control, backup board control, user management, level setting, and debugging for fault diagnosis.

To manage efficiently, you can increase the command levels to 0-15. For details on how to increase the command levels, refer to "Configuring Command Levels" in Chapter 4 "Basic Configuration" of the HUAWEI NetEngine80E/40E Configuration Guide - Basic Configurations.

NOTE
- The default command level may be higher than the actual command level.
- The level of command a user can run is determined by the user level.
- The user level corresponds to the command level. Login users can use only the commands at levels less than or equal to their own. The user privilege level level command sets the user level.

Searching Commands Based on Command Levels
You can search for all commands at a specific level by performing the following steps:
1. Open the command reference (.chm) file.
2. Click the "Search" tab. The search window is displayed, as shown in Figure 2-1.
Figure 2-1 Search window
3. Enter the desired command level in the "Type in the word(s) to search for" text box and click "List Topics". All commands at the specified level are displayed, as shown in Figure 2-2.
Figure 2-2 Searching for commands at a specific level

2.1.3 Command Line Views
The command line interface has different command views. Each command is registered to run in one or more command views, and you can run a command only after entering an appropriate command view. The following example shows how to enter the AAA view.
# Establish a connection to the router. If the router is using the default configuration, the <HUAWEI> prompt indicates that you have entered the user view.
<HUAWEI>
# Run the system-view command to enter the system view.
<HUAWEI> system-view
[HUAWEI]
# Run the aaa command in the system view to enter the AAA view.
[HUAWEI] aaa
[HUAWEI-aaa]

NOTE
- The command prompt "HUAWEI" is the default host name.
- The prompt indicates a specific view. For example, "<HUAWEI>" indicates the user view, and "[HUAWEI-ui-console0]" indicates the console user interface view.
- You can enter ! or # followed by a character string in any view. All entered content (including ! and #) is treated as a comment; that is, no corresponding configuration is generated.

Some commands can be used in more than one view, but their effects vary from view to view. For example, the mpls command can be run in the system view to enable MPLS globally, or in the interface view to enable MPLS only on that interface.
2.2 Online Help When inputting command lines or configuring services, you can use the online help to obtain immediate assistance. 2.2.1 Full Help When inputting a command, you can use the full help function to obtain keywords or parameters for the command. Procedure l When you are inputting commands, you can use any of the following methods to obtain full help: – Enter a question mark (?) in any command line view to display command names and descriptions for all commands in that view. <HUAWEI> ? User view commands: arp-ping backup batch-cmd board-channel-check capture-packet cd ... ... ARP-ping Backup information Batch commands Board-Channel-Check enable/disable enable capturing packet Change current directory – Enter a command and a question mark (?) separated by a space. All keywords associated with this command, as well as simple descriptions, are displayed. For example: <HUAWEI> language-mode ? Chinese Chinese environment English English environment Chinese and English are keywords; Chinese environment and English environment describe the keywords. – Enter a command and a question mark (?) separated by a space. Parameter names for this command, as well as parameter descriptions, are displayed. For example: [HUAWEI] ftp timeout ? INTEGER<1-35791> The value of FTP timeout, the default value is 30 minutes [HUAWEI] ftp timeout 35 ? <cr> [HUAWEI] ftp timeout 35 In this command output, INTEGER<1-35791> describes the parameter value and The value of FTP timeout, the default value is 30 minutes is a simple description of what Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 13 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 2 CLI Overview the parameter sets. <cr> indicates that no parameters are associated with this command, which is repeated in the next command line. You can press Enter to run the command. 
----End

2.2.2 Partial Help

If you enter only the first character or the first several characters of a command, partial help lists the keywords that begin with this character or character string.

Procedure
- Use any of the following methods to obtain partial help from a command line.
  – Enter a character string followed directly by a question mark (?) to display all commands that begin with this character string.
    <HUAWEI> d?
      debugging  delete
      dir        display
  – Enter a command and a character string followed directly by a question mark (?) to display all keywords that begin with this character string.
    <HUAWEI> display b?
      bas-interface     bfd
      bgp               board-current
      board-power       board-type
      bootmode-current  bootmode-next
      bootrom           btv
      buffer            bulk-stat
  – Enter the first several letters of a keyword in the command and then press Tab to display the complete keyword. A complete keyword is displayed only if the partial string of letters uniquely identifies a specific keyword. If it does not, continue pressing Tab to display the different matching keywords one at a time, and stop at the keyword you want.
----End

2.2.3 Command Line Interface Error Messages

If you enter a command and it passes the syntax check, the system executes it. Otherwise, the system reports an error message. Table 2-2 lists common error messages.

Table 2-2 Common command line error messages
  Error message         Cause of the error
  Unrecognized command  The command cannot be found, or the keyword cannot be found.
  Wrong parameter       The wrong parameter type is entered, or the parameter value is out of range.
  Incomplete command    An incomplete command is entered.
  Too many parameters   Too many parameters are entered.
  Ambiguous command     Ambiguous parameters are entered (the entered string matches more than one keyword).
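The partial-help, Tab-completion and syntax-check behaviour described in 2.2.2 and 2.2.3 is easy to misjudge when a script drives the CLI: a unique abbreviation such as disp is accepted, an ambiguous one is rejected, and each failure maps to one of the messages in Table 2-2. The following Python model is an added example written for this page; it is not Huawei code and COMMANDS is a constructed, tiny command tree (an assumption, not the real VRP command set), covering keywords and one integer parameter only.

```python
import os.path

# Constructed, tiny command tree (an assumption for this example; not the real
# VRP command set). Each keyword maps to the keywords that may follow it; an
# empty dict means the command is complete; a ("INTEGER", low, high) tuple
# means an integer parameter in that range is expected next.
COMMANDS = {
    "debugging": {},
    "delete": {},
    "dir": {},
    "display": {"bfd": {}, "bgp": {}, "board-type": {}, "clock": {}, "users": {}},
    "ftp": {"timeout": ("INTEGER", 1, 35791)},
    "info-center": {"logbuffer": {}, "logfile": {"channel": {}}, "loghost": {}},
}


def partial_help(keywords, prefix):
    """The 'd?' / 'display b?' form: every keyword beginning with prefix."""
    return sorted(k for k in keywords if k.startswith(prefix))


def tab_complete(keywords, partial):
    """What Tab does with a partial keyword.

    Returns (text now on the line, candidates):
      - one match       -> the full keyword and a one-element candidate list
      - several matches -> their longest common prefix and the list to cycle through
      - no match        -> the input unchanged and an empty list (the keyword
                           does not exist; the line is redisplayed unchanged)
    """
    matches = partial_help(keywords, partial)
    if not matches:
        return partial, []
    if len(matches) == 1:
        return matches[0], matches
    return os.path.commonprefix(matches), matches


def check_command(tree, line):
    """Syntax check mirroring Table 2-2. Returns "ok" or the error message.

    As on the CLI, a unique prefix of a keyword is accepted in place of the
    full keyword (so 'disp users' is valid), an exact keyword wins over longer
    keywords that share it as a prefix, and a prefix matching several keywords
    is ambiguous.
    """
    node = tree
    for word in line.split():
        if isinstance(node, tuple):            # an integer parameter is expected here
            _, low, high = node
            if not word.isdigit() or not low <= int(word) <= high:
                return "Wrong parameter"
            node = {}                          # the parameter completes the command
            continue
        if not node:                           # command already complete, yet more input
            return "Too many parameters"
        matches = partial_help(node, word)
        if not matches:
            return "Unrecognized command"
        if len(matches) > 1 and word not in matches:
            return "Ambiguous command"
        node = node[word if word in matches else matches[0]]
    if node:                                   # a keyword or parameter is still required
        return "Incomplete command"
    return "ok"
```

check_command("display b") returns "Ambiguous command" because bfd, bgp and board-type all begin with b, while tab_complete on the same input returns the common prefix "b" and the three candidates to cycle through, which is exactly the difference between pressing Enter and pressing Tab on that line.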
2.3 CLI Features

The CLI provides several features that make it easy to use.

2.3.1 Editing

The command line editing function allows you to use certain keys to edit command lines or obtain help. Keys that are frequently used for command line editing are shown in Table 2-3.

Table 2-3 Command line editing keys
  Key                           Function
  Common key                    Inserts a character at the current cursor position as long as the editing buffer is not full; the cursor then moves to the right. If the buffer is full, an alarm is generated.
  Backspace                     Moves the cursor to the left and deletes the character in that position. When the cursor reaches the head of the command, an alarm is generated.
  Left cursor key ← or Ctrl_B   Moves the cursor to the left one space at a time. When the cursor reaches the head of the command, an alarm is generated.
  Right cursor key → or Ctrl_F  Moves the cursor to the right one space at a time. When the cursor reaches the end of the command, an alarm is generated.
  Tab                           Press Tab after typing a partial keyword and the system runs partial help:
                                - If the matching keyword is unique, the system replaces the typed character string with the complete keyword and displays it on a new line with the cursor placed at the end of the word.
                                - If there are several matches or no match, the system displays the common prefix first. You can then press Tab repeatedly to view the matching keywords one at a time; the cursor directly follows the end of the word, and you can press the spacebar to enter the next word.
                                - If a non-existent or incorrect keyword is entered, pressing Tab displays the word unchanged on a new line.

2.3.2 Displaying

Command line output has features that control how it is displayed.
You can use these features on the CLI as follows:
- You can use the language-mode language-name command to change the language mode so that prompts and help information are displayed in Chinese or English.
- If the output information cannot be displayed on one screen, you have three viewing options, as shown in Table 2-4.

Table 2-4 Display keys
  Key     Function
  Ctrl_C  Stops the display and the running of the command.
          NOTE: You can also press any key except the spacebar and Enter to stop the display and the running of the command.
  Space   Displays the next screen of information.
  Enter   Displays the next line of information.

2.3.3 Regular Expressions

A regular expression describes a set of strings. It consists of common characters (such as the letters "a" to "z") and special characters (called metacharacters). A regular expression is a template that you can use to search for the strings you need; in particular, you can use regular expressions to filter command output and locate the information you need quickly.

A regular expression provides the following functions:
- Searches for sub-strings that match a rule in the main string.
- Substitutes strings based on specific matching rules.

Formal Language Theory of the Regular Expression

A regular expression consists of common characters and special characters.
- Common characters
  Common characters, including all upper-case and lower-case letters, digits, the underscore, punctuation marks, and special symbols, match themselves in a string. For example, "a" matches the letter "a" in "abc", "202" matches the digits "202" in "202.113.25.155", and "@" matches the symbol "@" in "xxx@xxx.com".
- Special characters
  Special characters are used together with common characters to match complex or special string combinations. Table 2-5 describes the special characters and their syntax.

Table 2-5 Description of special characters
  \      Escape character: marks the next character (common or special) as a common character.
         Example: \* matches "*".
  ^      Matches the starting position of the string.
         Example: ^10 matches "10.10.10.1" but not "20.10.10.1".
  $      Matches the ending position of the string.
         Example: 1$ matches "10.10.10.1" but not "10.10.10.2".
  *      Matches the preceding element zero or more times.
         Example: 10* matches "1", "10", "100", and "1000". (10)* matches the empty string, "10", "1010", and "101010".
  +      Matches the preceding element one or more times.
         Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".
  ?      Matches the preceding element zero or one time.
         Example: 10? matches "1" and "10". (10)? matches the empty string and "10".
         NOTE: Huawei datacom devices do not support regular expressions containing ?. When ? is typed in a regular expression on a Huawei datacom device, it is interpreted as a request for online help instead.
  .      Matches any single character.
         Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".
  ()     Defines a subexpression, which can be empty. Both the expression and the subexpression must be matched.
         Example: 100(200)+ matches "100200" and "100200200".
  x|y    Matches x or y.
         Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", but not "1234", "14", "1224", or "1334".
  [xyz]  Matches any single character listed in the brackets.
         Example: [123] matches the character 2 in "255".
  [^xyz] Matches any character that is not listed in the brackets.
         Example: [^123] matches any character except "1", "2", and "3".
  [a-z]  Matches any character within the specified range.
         Example: [0-9] matches any character from 0 to 9.
  [^a-z] Matches any character outside the specified range.
         Example: [^0-9] matches any non-numeric character.

NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.

- Degeneration of special characters
  A special character becomes a common character when it follows \. In addition, in the following situations the special characters listed in Table 2-5 function as common characters:
  – If the special character "*", "+", or "?" is placed at the beginning of a regular expression, it becomes a common character. For example, +45 matches "+45" and abc(*def) matches "abc*def".
  – If the special character "^" is placed in any position other than the beginning of a regular expression, it becomes a common character. For example, abc^ matches "abc^".
  – If the special character "$" is placed in any position other than the end of a regular expression, it becomes a common character. For example, 12$2 matches "12$2".
  – If a right parenthesis ")" or right bracket "]" is not paired with a corresponding left parenthesis "(" or bracket "[", it becomes a common character. For example, abc) matches "abc)" and 0-9] matches "0-9]".
  NOTE
  Unless otherwise specified, the degeneration rules also apply when the preceding regular expressions are subexpressions within parentheses.
- Combinations of common and special characters
  In actual usage, regular expressions combine multiple common and special characters to match certain strings.

Regular Expression Examples

The key to using regular expressions is to design them accurately. Table 2-6 shows how to design regular expressions using special characters and describes the meaning of those regular expressions.

Table 2-6 Regular expression examples
  ^100                       Matches strings beginning with 100, for example, 100085.
  200$                       Matches strings ending with 200, for example, 255.255.100.200.
  [0-9]+                     Matches strings of one or more digits from 0 to 9, for example, 007.
  (abc)*                     Matches strings in which abc occurs zero or more times, for example, d and dabc.
  ^100([0-9]+)*200$          Matches strings beginning with 100 and ending with 200, with zero or more digits in between, for example, 100200.
  Windows (95|98|2000|XP)    Matches Windows 95, Windows 98, Windows 2000, or Windows XP.
  100[^0-9]?                 Matches strings beginning with 100 followed by zero or one non-digit character, for example, 100 or 100@.
  .\.\*                      Matches a string beginning with any single character except \n, followed by . and *, for example, 1.* or a.*.
  ^172\.16\.(10)\.([0-9]+)$  Matches an IP address on a line, for example, 172.16.10.X.

Specifying a Filtering Mode in a Command

NOTICE
The HUAWEI NetEngine80E/40E uses regular expressions to implement pipe-character (|) filtering. A display command supports the pipe character only when it can produce a large amount of output. When a filtering condition is applied, the command output starts from the first line that contains a match for the regular expression.

Some commands can carry the parameter | count to display the number of matching entries. The parameter | count can be used together with the other filtering parameters.

For commands that support regular expressions, three filtering methods are available:
- | begin regular-expression: displays the output starting from the first line that matches the regular expression.
- | exclude regular-expression: displays all lines that do not match the regular expression.
- | include regular-expression: displays only the lines that match the regular expression.

NOTE
The value of regular-expression is a string of 1 to 255 characters.
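To check how the degeneration rules and the three filtering modes behave before relying on them in an automated health check, here is an added Python example written for this page (not Huawei code): vrp_regex_to_python applies the degeneration rules of this section to turn a VRP-style pattern into a Python re pattern, filter_output emulates | begin, | exclude and | include (the before/after context lines described in this section are, in this example, applied to include only, which is the example's own simplification), and count_matches emulates | count. SAMPLE_OUTPUT is a constructed routing-table excerpt, not captured device output.

```python
import re

# Constructed sample output for the example (not captured from a device).
SAMPLE_OUTPUT = """\
Route Flags: R - relay, D - download to fib
Routing Tables: Public
         Destinations : 4        Routes : 4
Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface
10.1.0.0/16         Direct  0    0     D     10.1.150.51     GigabitEthernet0/0/0
10.1.150.51/32      Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D     127.0.0.1       InLoopBack0
192.168.5.0/24      Static  60   0     D     10.1.150.1      GigabitEthernet0/0/0
"""


def vrp_regex_to_python(pattern):
    """Apply the degeneration rules of Table 2-5 and return a Python re pattern.

    A special character that cannot act as a metacharacter where it stands is
    escaped so that Python treats it as the literal the CLI would:
      - '*', '+' or '?' at the start of the expression or of a subexpression
      - '^' anywhere except at the start of the expression or a subexpression
      - '$' anywhere except at the end of the expression or a subexpression
      - ')' or ']' without a matching '(' or '['
    A backslash escape and the contents of a bracket expression pass through
    unchanged. (On the device a typed '?' triggers online help and never
    reaches the regular expression; it is handled here only for completeness.)
    """
    out = []
    depth = 0              # number of currently unmatched '('
    in_bracket = False
    n = len(pattern)
    i = 0
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:           # explicit escape: keep both characters
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if in_bracket:
            out.append(ch)
            in_bracket = ch != "]"
        elif ch == "[":
            out.append(ch)
            in_bracket = True
        elif ch in "*+?" and (i == 0 or pattern[i - 1] == "("):
            out.append("\\" + ch)              # nothing to repeat: literal
        elif ch == "^" and not (i == 0 or pattern[i - 1] == "("):
            out.append("\\^")                  # not at a start: literal
        elif ch == "$" and not (i == n - 1 or pattern[i + 1] == ")"):
            out.append("\\$")                  # not at an end: literal
        elif ch == "(":
            depth += 1
            out.append(ch)
        elif ch == ")":
            if depth == 0:
                out.append("\\)")              # unmatched: literal
            else:
                depth -= 1
                out.append(ch)
        elif ch == "]":
            out.append("\\]")                  # unmatched: literal
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def filter_output(text, mode, pattern, before=0, after=0):
    """Emulate 'display ... | begin|exclude|include regex [before N] [after N]'.

    Returns the list of lines that would be displayed. In this example the
    before/after context is applied only to include.
    """
    rx = re.compile(vrp_regex_to_python(pattern))
    lines = text.splitlines()
    if mode == "begin":
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    if mode == "include":
        keep = set()
        for idx, line in enumerate(lines):
            if rx.search(line):
                keep.update(range(max(0, idx - before), min(len(lines), idx + after + 1)))
        return [lines[i] for i in sorted(keep)]
    raise ValueError("unknown filtering mode: " + mode)


def count_matches(text, pattern):
    """Emulate '| include regex | count': the number of matching lines."""
    return len(filter_output(text, "include", pattern))
```

Running filter_output(SAMPLE_OUTPUT, "include", "^192\.168", before=1) returns the static route together with the one line before it, and count_matches(SAMPLE_OUTPUT, "GigabitEthernet") returns 2; the same calls on real display ip routing-table output give the numbers a monitoring script would compare against a baseline.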
After the command output is filtered, the matching lines can be displayed with their context. The context rules are as follows:
- before before-line-number: displays the lines that match the filtering rule and the before-line-number lines preceding each of them.
- after after-line-number: displays the lines that match the filtering rule and the after-line-number lines following each of them.
- before before-line-number after after-line-number, or after after-line-number before before-line-number: displays the lines that match the filtering rule, the before-line-number lines preceding each of them, and the after-line-number lines following each of them.

NOTE
The values of before-line-number and after-line-number are integers ranging from 1 to 999.

Specifying a Filtering Mode When Information Is Displayed Screen by Screen

NOTE
When the output of the following commands is displayed screen by screen, you can specify a filtering mode:
- display current-configuration
- display interface
- display arp

When a large amount of information is displayed screen by screen, you can specify a filtering mode at the "---- More ----" prompt:
- /regular-expression: displays the output starting from the first line that matches the regular expression.
- -regular-expression: displays all lines that do not match the regular expression.
- +regular-expression: displays only the lines that match the regular expression.

2.3.4 Previously-Used Commands

The CLI provides a function similar to DosKey that automatically saves the commands entered on the device. If you need to run a command that has been executed previously, you can use this function to recall it. By default, the system saves 10 previously-used commands for each user.

You can run the history-command max-size size-value command in the user view to set the number of previously-used commands saved by the system. A maximum of 256 previously-used commands can be saved.

NOTE
Set the number of saved previously-used commands to a reasonably low value. If a large number of previously-used commands are saved, locating a command can be time-consuming and inefficient.

The keys and commands for accessing previously-used commands are shown in Table 2-7.

Table 2-7 Keys and commands for accessing previously-used commands
  Action                              Key or command                         Result
  Display previously-used commands.   display history-command [ all-users ]  Displays the previously-used commands entered by the current user (or, with all-users, by all users).
  Access the previous command.        Up arrow key (↑) or Ctrl_P             Displays the previous command in the buffer if there is one. Otherwise, an alarm is generated.
  Access the next command.            Down arrow key (↓) or Ctrl_N           Displays the next command in the buffer if there is one. Otherwise, the command line is cleared and an alarm is generated.

NOTE
Windows 9X defines keys differently, and the arrow key ↑ cannot be used in Windows 9X HyperTerminal. Use Ctrl_P instead.

When you use previously-used commands, note the following points:
- Previously-used commands are saved exactly as they are entered by users. For example, if a user enters an incomplete command, the saved command is also incomplete. For the same reason, any password or key typed in plaintext on the command line is stored in the buffer and shown by display history-command.
- A command is saved only the first time it is run. If a command is entered in different forms or with different parameters, each entry is considered to be a different command. For example, if the display ip routing-table command is run several times, only one previously-used command is saved.
  If the disp ip routing command and the display ip routing-table command are run, two previously-used commands are saved.

2.3.5 Batch Command Execution

If multiple commands are frequently used consecutively, you can edit these commands so that they are executed in batches. This simplifies command input and improves efficiency.

Context

Two operating modes allow the system to execute commands in batches:
- Manual execution: you run the batch-cmd edit command to enter the commands to be executed in batches, and then run the batch-cmd execute command to execute them.
- Maintenance assistant task: you import the commands to be executed in batches from a *.bat file, and the system executes them automatically at the scheduled time.

Procedure

Step 1 Manually execute the commands in batches.
1. In the user view, run:
   batch-cmd edit
   The commands to be executed in batches are edited. The batch-cmd edit command can be used by only one user at a time. The maximum length of a command (including an incomplete command) is 510 characters. When editing commands, press Enter to complete each command.
   NOTE
   - After the batch-cmd edit command is run successfully, the previously edited batch commands are deleted.
   - The edited commands are saved in memory only and are lost when the system restarts.
2. After all commands are edited, press Ctrl_Z to exit the editing state and return to the user view.
3. In the user view, run:
   batch-cmd execute
   The commands are executed in batches. The batch-cmd execute command can be used by only one user at a time. The commands run in the order in which they were edited, and you can watch their execution on the CLI. After the execution is complete, the user view is displayed.
   NOTE
   If the batch-cmd edit or batch-cmd execute command is itself among the commands to be executed in batches, the system displays an error when it reaches that command and continues to execute the following commands.

Step 2 Configure a maintenance assistant task so that the system automatically executes commands in batches at a scheduled time.
1. Run:
   system-view
   The system view is displayed.
2. Run:
   assistant task task-name
   A maintenance assistant task is created, and the maintenance assistant view is displayed.
3. Run:
   if-match timer cron seconds minutes hours days-of-month months days-of-week [ years ]
   The time at which the system automatically executes the commands is scheduled.
4. Run:
   perform priority batch-file file-name
   The maintenance assistant task is performed.
   file-name is a .bat file that must be edited and transferred to the device before you run this command. The value of this parameter must not contain directory information, and the file must be located in the user/bat folder. Because the task runs whatever the file contains at the scheduled time, control write access to this file and verify its contents after transfer.
----End

2.4 Shortcut Keys

System-defined or user-defined shortcut keys make it easier to enter commands.

2.4.1 Classifying Shortcut Keys

There are two types of shortcut keys: system-defined shortcut keys and user-defined shortcut keys. Familiarize yourself with the shortcut keys so you can use them correctly.
- User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can assign these shortcut keys to any commands.
  When a shortcut key is pressed, the system automatically runs the assigned command. For details about defining the shortcut keys, see section 2.4.2 Defining Shortcut Keys.
- System-defined shortcut keys: the system defines a number of shortcut keys with fixed functions. Table 2-8 lists the system-defined shortcut keys.

NOTE
Different terminal software defines these keys differently. The shortcut keys on your terminal may be different from those listed in this section.

Table 2-8 System-defined shortcut keys
  Key          Function
  CTRL_A       Moves the cursor to the beginning of the current line.
  CTRL_B       Moves the cursor one space to the left.
  CTRL_C       Terminates the running function.
  CTRL_D       Deletes the character at the cursor.
  CTRL_E       Moves the cursor to the end of the current line.
  CTRL_F       Moves the cursor one space to the right.
  CTRL_H       Deletes the character to the left of the cursor.
  CTRL_K       Stops the creation of an outbound connection.
  CTRL_N       Displays the next command in the previously-used command buffer.
  CTRL_P       Displays the previous command in the previously-used command buffer.
  CTRL_R       Redisplays the information on the current line.
  CTRL_T       Terminates the outbound connection.
  CTRL_V       Pastes the contents of the clipboard.
  CTRL_W       Deletes the word or character to the left of the cursor.
  CTRL_X       Deletes all characters to the left of the cursor.
  CTRL_Y       Deletes all characters to the right of the cursor.
  CTRL_Z       Returns to the user view.
  CTRL_]       Terminates an inbound or redirection connection.
  ESC_B        Moves the cursor one word to the left.
  ESC_D        Deletes the word to the right of the cursor.
  ESC_F        Moves the cursor to the end of the word to the right.
  ESC_N        Moves the cursor down to the next line.
  ESC_P        Moves the cursor up to the previous line.
  ESC_SHIFT_<  Marks the cursor position as the beginning of the clipboard contents.
  ESC_SHIFT_>  Marks the cursor position as the end of the clipboard contents.

2.4.2 Defining Shortcut Keys

If you regularly use one or more commands, you can assign shortcut keys to run them, which facilitates user operations and improves efficiency. Only management-level users have the right to define shortcut keys.

Configure the following shortcut keys in the system view.
  Action                Command
  Define shortcut keys  hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

CTRL_G, CTRL_L, CTRL_O, and CTRL_U are assigned to run the following commands by default:
- CTRL_G: display current-configuration
- CTRL_L: display ip routing-table
- CTRL_O: undo debugging all
- CTRL_U: by default, CTRL_U is not assigned to any command. If no command is assigned to CTRL_U, this shortcut key deletes an entered character or command.

When defining shortcut keys, enclose the command in double quotation marks if it consists of more than one word or includes spaces.

2.4.3 Using Shortcut Keys

You can use a shortcut key in any position where you can enter a command. The system executes the assigned command and displays it on the screen exactly as if you had entered the complete command.
- If you have typed part of a command and have not pressed Enter, pressing a shortcut key clears what you have entered and displays the full assigned command. This has the same effect as deleting the typed command and re-entering the complete command.
- Shortcut keys are run like commands: the command syntax is recorded in the command buffer and logged, so it can be used for fault location and querying.

NOTE
The terminal being used may affect the shortcut key functions.
For example, if shortcut keys customized for the terminal conflict with those of the router, the shortcut keys are captured by the terminal program and do not reach the router.

Run the following command in any view to display the shortcut keys being used.
  Action                               Command
  Check the shortcut keys being used.  display hotkey

2.5 Configuration Examples

This section provides several examples that illustrate the use of command lines.

2.5.1 Running Commands in Batches

In this example, you edit the commands to be run in batches and then have the system run them in batches.

Context

If you frequently run commands in a particular order, you can run them in batches to improve efficiency. This is particularly effective if you run a large number of commands in a row. For example, you can run commands in batches during a preventive maintenance inspection (PMI): you enter all PMI commands at once and then send all the command output to the PMI tool, which improves PMI efficiency.

To run commands in batches, log in to the router and perform the following steps:

Procedure

Step 1 Edit the display users, display startup, and display clock commands to be run in batches.
<HUAWEI> batch-cmd edit
Info: Begin editing batch commands. Press "Ctrl+Z" to abort this session.
display users
display startup
display clock
<HUAWEI>

Step 2 Run the commands in batches.
<HUAWEI> batch-cmd execute
<HUAWEI>batch-cmd execute command: display users
  User-Intf    Delay     Type  Network Address    AuthenStatus  AuthorcmdFlag
  35  VTY 1    00:00:00  TEL   190.120.2.19                     no
  Username : Unspecified
<HUAWEI>batch-cmd execute command: display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
<HUAWEI> batch-cmd execute command: display clock
2011-01-27 01:25:24 Thursday
Time Zone(DefaultZoneName) : UTC
<HUAWEI> batch-cmd execute finished.
----End

2.5.2 Using the Tab Key

After inputting part of a keyword, you can press Tab to obtain all the related keywords or to check whether the keyword you entered exists.

Context

You do not always need to input complete keywords. Instead, input the first one or more characters of a keyword and press Tab to complete it. The Tab key helps you search for and use commands.

Procedure
- Tab can be used in three ways, as shown in the following examples.
  – After you enter part of a keyword and press Tab, the unique matching keyword is displayed.
    1. Input part of a keyword.
       [HUAWEI] info-
    2. Press Tab. The system replaces the incomplete keyword with the complete keyword and displays it on a new line followed by the cursor.
       [HUAWEI] info-center
  – After you enter part of a keyword and press Tab, several matches or no match are found.
    # info-center can be followed by three keywords beginning with "log".
    [HUAWEI] info-center log?
      logbuffer  logfile  loghost
    1. Input the incomplete keyword.
       [HUAWEI] info-center l
    2. Press Tab. The system displays the common prefix first. In this example, the prefix is "log".
       [HUAWEI] info-center log
       Continue pressing Tab. The cursor comes right after the end of the word.
       [HUAWEI] info-center loghost
       [HUAWEI] info-center logbuffer
       [HUAWEI] info-center logfile
       When you find the keyword you need, for example, logfile, stop pressing Tab.
    3. Enter a space and the next word, channel.
       [HUAWEI] info-center logfile channel
  – Input an incorrect keyword and press Tab to check whether the keyword exists.
    1. For example, input the incorrect keyword loglog.
       [HUAWEI] info-center loglog
    2. Press Tab.
       [HUAWEI] info-center loglog
       The system displays the command on a new line, but the keyword loglog remains unchanged and there is no space between the keyword and the cursor. This result indicates that the keyword does not exist.
----End

2.5.3 Using Shortcut Keys

In this example, you assign shortcut keys to frequently-used commands. You can then press the shortcut keys instead of inputting the commands, which facilitates user operations and improves efficiency.

Context

If the router you log in to supports shortcut keys, any user, regardless of user level, can use them. Defining them, however, requires a management-level user (see section 2.4.2 Defining Shortcut Keys).

Procedure

Step 1 Assign Ctrl_U to the display ip routing-table command.
<HUAWEI> system-view
[HUAWEI] hotkey ctrl_u "display ip routing-table"

NOTE
When assigning a shortcut key to a command, enclose the command in quotation marks if it consists of two or more words separated by spaces.

Step 2 Press Ctrl_U when the prompt [HUAWEI] appears.
[HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface

     51.51.51.9/32  Direct  0    0      D      127.0.0.1       InLoopBack0
      100.2.0.0/16  Direct  0    0      D      100.2.150.51    GigabitEthernet0/0/0
   100.2.150.51/32  Direct  0    0      D      127.0.0.1       InLoopBack0
  100.2.255.255/32  Direct  0    0      D      127.0.0.1       InLoopBack0
       127.0.0.0/8  Direct  0    0      D      127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0      D      127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0      D      127.0.0.1       InLoopBack0
------------------------------------------------------------------------------
----End

2.5.4 Copying Commands Using Shortcut Keys

In this example, you use shortcut keys to copy a specified command and then press Ctrl_Shift_V to paste it.

Context

If you need to run a command repeatedly, you can use shortcut keys to copy the command. The copied command is saved on the clipboard and is available only to the current user. After the user logs out, the clipboard is cleared. You can use shortcut keys to copy a command in any view.

Procedure

Step 1 Move the cursor to the beginning of the command and press Esc_Shift_<. Then move the cursor to the end of the command and press Esc_Shift_>.
<HUAWEI> display ip routing-table

Step 2 Run the display clipboard command to view the contents of the clipboard.
<HUAWEI> display clipboard
---------------- CLIPBOARD ----------------
display ip routing-table

Step 3 At the command prompt in any view, press Ctrl_Shift_V to paste the contents of the clipboard.
<HUAWEI> display ip routing-table
NOTE
If you copy a new command using the shortcut keys, only the new command can be pasted afterwards.
----End

3 Basic Configuration

About This Chapter

This chapter describes how to configure the router to suit your network environment.

3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.

3.2 Displaying System Status Messages
This section describes how to use display commands to check basic system configurations.

3.1 Configuring the Basic System Environment

This section describes how to configure the basic system environment.

3.1.1 Before You Start

Before configuring the basic system environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

Before configuring services, you need to configure the basic system environment (for example, the language mode, system time, device name, login information, and command level) to meet the requirements of your environment.

Pre-configuration Tasks

Before configuring the basic system environment, power on the router.

Data Preparation

To configure the basic system environment, you need the following data.
  No.  Data
  1    Language mode
  2    System time
  3    Host name
  4    Login information
  5    Command level

3.1.2 Switching the Language Mode

You can switch between the Chinese mode and the English mode as needed.
Context

After the language mode is switched, the system displays prompts and command line outputs in the specified language. Language information (Chinese and English) is stored in the system software and does not need to be loaded.

In the user view, perform the following:

Procedure

- Run:
  language-mode { chinese | english }
  The language mode is switched.
  By default, the English mode is used. The help information on the router can be in English or in Chinese. The language mode is stored in the system software and does not need to be loaded.

----End

3.1.3 Configuring the Equipment Name

If multiple devices on a network need to be managed, set equipment names to identify each device.

Context

New equipment names take effect immediately.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
sysname host-name
The equipment name is set.
By default, the equipment name of the router is HUAWEI. You can change the name of the router that appears in the command prompt.

----End

3.1.4 Setting the System Clock

The system clock must be correctly set to ensure synchronization with other devices.

Context

The system clock is the time indicated by the system timestamp. Because the rules governing local time differ between regions, the system clock can be configured to comply with the rules of any given region. The system clock is calculated using the following formula:

System clock = Coordinated Universal Time (UTC) + Time zone offset + Daylight saving time offset

Set the system clock to the correct time to ensure that the device operates effectively with other devices.
Setting the system clocks of all the devices on a network manually is time-consuming and cannot ensure clock accuracy. The Network Time Protocol (NTP) addresses this problem by synchronizing the clocks of all devices on the network so that the devices can provide uniform time-based applications.

NOTE
A local system running NTP can be synchronized by other clock sources or can act as a clock source to synchronize other clocks. In addition, mutual synchronization can be implemented through NTP packet exchanges.
By default, the system clock of NTP-enabled devices is UTC. The time zone and daylight saving time vary with the country and region; if a time zone and daylight saving time are configured on an NTP server, the same time zone and daylight saving time must be configured on the NTP clients.
For details about NTP, see the NTP chapter in NE80E/40E Feature Description - System Management. For details about NTP configurations, see the NTP Configuration chapter in NE80E/40E Configuration Guide - System Management.

Perform the following steps in the user view to set the system clock:

Procedure

Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
The current date and time are set.

NOTE
If the time zone has not been configured or is set to 0, the date and time set by this command are considered to be UTC. Set the time zone and UTC correctly.

Step 2 Run:
system-view
The system view is displayed.

Step 3 Run:
clock timezone time-zone-name { add | minus } offset
The time zone is set.
- If add is configured, the current time is the UTC time plus the time offset. That is, the default UTC time plus offset is equal to the time of time-zone-name.
- If minus is configured, the current time is the UTC time minus the time offset. That is, the default UTC time minus offset is equal to the time of time-zone-name.
NOTE
UTC stands for Universal Time Coordinated. After the time zone is set:
- The time format of local logs is Original system time ± zone-offset, for example, Oct 30 2013 22:21:11 +08:00.
- The time format of logs sent to the log host is the UTC time, for example, Oct 30 2013 07:58:20. After the info-center loghost local-time command is run to set the time format to local time, the time format of user logs is Original system time ± zone-offset, for example, Oct 30 2013 22:21:11+08:00.

Step 4 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]
Daylight saving time is set.
By default, daylight saving time is not set. The start time is the local mean time (LMT), and the end time is the daylight saving time (DST). The start time and end time can be set in date+date, week+week, date+week, or week+date format. To configure the daylight saving time, run the clock daylight-saving-time command.

NOTICE
When the device is upgraded from an earlier version to V600R008C10, the configured daylight saving time does not take effect and needs to be reconfigured.

----End

System Clock Display

The system clock is determined by the clock datetime, clock timezone, and clock daylight-saving-time commands.
- If none of the preceding three commands has been run, the original system time is displayed after you run the display clock command.
- You can also run the three preceding commands in combination with one another to configure the system clock, as listed in Table 3-1.
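The clock formula above and the order-of-configuration effects listed in Table 3-1, modelled in Python. This is an added example, not Huawei code: it assumes the device keeps UTC internally, that clock datetime is read as the wall-clock time under whatever zone and DST are configured when it runs, that the DST window is compared as [start, end) including the year, and it formats the result the way display clock does in the table (seconds set to 00).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class DstWindow:
    """clock daylight-saving-time time-zone-name one-year start end offset"""
    name: str
    start: datetime        # start of DST, in standard local time
    end: datetime          # end of DST, in standard local time
    offset: timedelta      # saving time added while inside the window

    def contains(self, local_standard: datetime) -> bool:
        # Assumption: the window is [start, end) and the year is compared too.
        return self.start <= local_standard < self.end


class SystemClock:
    """Display-side model of the clock commands: the device keeps UTC and the
    zone/DST settings only change how that value is shown (assumption)."""

    def __init__(self, original_system_time: datetime) -> None:
        self.utc = original_system_time          # nothing configured yet, so UTC
        self.zone_name = "DefaultZoneName"
        self.zone_offset = timedelta(0)
        self.dst: Optional[DstWindow] = None

    def clock_timezone(self, name: str, sign: str, hours: int) -> None:
        # clock timezone time-zone-name { add | minus } offset
        self.zone_name = name
        self.zone_offset = timedelta(hours=hours if sign == "add" else -hours)

    def clock_daylight_saving_time(self, window: DstWindow) -> None:
        self.dst = window

    def clock_datetime(self, wall_time: datetime) -> None:
        # clock datetime HH:MM:SS YYYY-MM-DD is read as the wall-clock time under
        # the zone/DST configured at this moment, hence the order-of-command
        # differences in Table 3-1.  A time that falls inside the DST window is
        # taken as DST time (assumption for the ambiguous hours at the edges).
        standard = wall_time
        if self.dst and self.dst.contains(wall_time):
            standard = wall_time - self.dst.offset
        self.utc = standard - self.zone_offset

    def display(self) -> tuple[datetime, bool]:
        """(displayed time, DST flag): UTC + zone offset [+ DST offset]."""
        standard = self.utc + self.zone_offset
        if self.dst and self.dst.contains(standard):
            return standard + self.dst.offset, True
        return standard, False

    def display_str(self) -> str:
        """Format like display clock: 2010-01-01 16:00:00+08:00 [DST]."""
        shown, in_dst = self.display()
        text = shown.strftime("%Y-%m-%d %H:%M:%S")
        if self.zone_offset:
            hours = int(abs(self.zone_offset).total_seconds()) // 3600
            text += ("+" if self.zone_offset > timedelta(0) else "-") + f"{hours:02d}:00"
        return text + (" DST" if in_dst else "")


ORIGINAL_SYSTEM_TIME = datetime(2010, 1, 1, 8, 0, 0)   # as in Table 3-1


def replay(*operations) -> str:
    """Run a command sequence against a fresh clock and return the display."""
    clock = SystemClock(ORIGINAL_SYSTEM_TIME)
    for method, *args in operations:
        getattr(clock, method)(*args)
    return clock.display_str()


# The "BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2" window used by several rows.
BJ_2011 = DstWindow("BJ", datetime(2011, 1, 1, 1), datetime(2011, 9, 1, 1), timedelta(hours=2))

if __name__ == "__main__":
    # Operation "2": original time shown in the new zone -> 2010-01-01 16:00:00+08:00
    print(replay(("clock_timezone", "BJ", "add", 8)))
    # Operation "[1], 3, 1": a time set while the window is active stays as typed
    print(replay(("clock_daylight_saving_time", BJ_2011),
                 ("clock_datetime", datetime(2011, 1, 1, 3))))   # 2011-01-01 03:00:00 DST
```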
In the following examples, the original system time is 08:00:00 January 1, 2010.
- 1: Run the clock datetime command to set the current date and time to date-time.
- 2: Run the clock timezone command to configure the time zone with the time zone offset zone-offset.
- 3: Run the clock daylight-saving-time command to configure the daylight saving time with the offset offset.
- [1]: The clock datetime command configuration is optional.

Table 3-1 System clock configuration examples

Operation: 1
Configured system time: date-time
Example: Run the clock datetime 8:0:0 2011-11-12 command.
  Configured system time: 2011-11-12 08:00:03 Saturday
  Time Zone(DefaultZoneName): UTC

Operation: 2
Configured system time: Original system time +/- zone-offset
Example: Run the clock timezone BJ add 8 command.
  Configured system time: 2010-01-01 16:00:20+08:00 Friday
  Time Zone(BJ): UTC+08:00

Operation: 1, 2
Configured system time: date-time +/- zone-offset
Example: Run the clock datetime 8:0:0 2011-11-12 and clock timezone BJ add 8 commands.
  Configured system time: 2011-11-12 16:00:13+08:00 Saturday
  Time Zone(BJ): UTC+08:00

Operation: [1], 2, 1
Configured system time: date-time
Example: Run the clock timezone NJ add 8 and clock datetime 9:0:0 2011-11-12 commands.
  Configured system time: 2011-11-12 09:00:02+08:00 Saturday
  Time Zone(NJ): UTC+08:00

Operation: 3
Configured system time: Original system time, if the original system time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2011-8-1 6:0 2011-10-01 1 command.
  Configured system time: 2010-01-01 08:00:51 Friday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2011
    End year : 2011
    Start time : 08-01 06:00:00
    End time : 10-01 06:00:00
    Saving time : 01:00:00

Operation: 3
Configured system time: Original system time + offset, if the original system time is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2 command.
  Configured system time: 2010-01-01 10:00:34 DST Friday
  Time Zone(BJ): UTC
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2011
    End year : 2011
    Start time : 01-01 06:00:00
    End time : 09-01 06:00:00
    Saving time : 02:00:00

Operation: 1, 3
Configured system time: date-time, if date-time is not during the configured daylight saving time period
Example: Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1 commands.
  Configured system time: 2011-11-12 09:00:26 Saturday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2012
    End year : 2012
    Start time : 08-01 06:00:00
    End time : 10-01 06:00:00
    Saving time : 01:00:00

Operation: 1, 3
Configured system time: date-time + offset, if date-time is during the configured daylight saving time period
Example: Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 9:0 2011-11-12 6:0 2011-12-01 2 commands.
  Configured system time: 2011-11-12 11:02:21 DST Saturday
  Time Zone(BJ): UTC
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2011
    End year : 2011
    Start time : 11-12 09:00:00
    End time : 12-01 06:00:00
    Saving time : 02:00:00

Operation: [1], 3, 1
Configured system time: date-time, if date-time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1 and clock datetime 9:0 2011-11-12 commands.
  Configured system time: 2011-11-12 09:00:02 Saturday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2012
    End year : 2012
    Start time : 08-01 06:00:00
    End time : 10-01 06:00:00
    Saving time : 01:00:00

Operation: [1], 3, 1
Configured system time: date-time, if date-time is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2 and clock datetime 3:0 2011-1-1 commands.
  Configured system time: 2011-01-01 03:00:19 DST Saturday
  Time Zone(BJ): UTC
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2011
    End year : 2011
    Start time : 01-01 01:00:00
    End time : 09-01 01:00:00
    Saving time : 02:00:00

Operation: 2, 3 or 3, 2
Configured system time: Original system time +/- zone-offset, if the value of Original system time +/- zone-offset is not during the configured daylight saving time period
Example: Run the clock timezone BJ add 8 and clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2 commands.
  Configured system time: 2010-01-01 16:01:29+08:00 Friday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2011
    End year : 2011
    Start time : 01-01 06:00:00
    End time : 09-01 06:00:00
    Saving time : 02:00:00

Operation: 2, 3 or 3, 2
Configured system time: Original system time +/- zone-offset +/- offset, if the value of Original system time +/- zone-offset is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 1:0 2010-1-1 1:0 2010-9-1 2 and clock timezone BJ add 8 commands.
  Configured system time: 2010-01-01 18:05:31+08:00 DST Friday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2010
    End year : 2010
    Start time : 01-01 01:00:00
    End time : 09-01 01:00:00
    Saving time : 02:00:00

Operation: 1, 2, 3 or 1, 3, 2
Configured system time: date-time +/- zone-offset, if the value of date-time +/- zone-offset is not during the configured daylight saving time period
Example: Run the clock datetime 8:0:0 2011-11-12, clock timezone BJ add 8, and clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2 commands.
  Configured system time: 2011-11-12 16:01:40+08:00 Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2012
    End year : 2012
    Start time : 01-01 06:00:00
    End time : 09-01 06:00:00
    Saving time : 02:00:00

Operation: 1, 2, 3 or 1, 3, 2
Configured system time: date-time +/- zone-offset + offset, if the value of date-time +/- zone-offset is during the configured daylight saving time period
Example: Run the clock datetime 8:0:0 2011-1-1, clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2, and clock timezone BJ add 8 commands.
  Configured system time: 2011-01-01 18:00:43+08:00 DST Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2011
    End year : 2011
    Start time : 01-01 06:00:00
    End time : 09-01 06:00:00
    Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
Configured system time: date-time, if date-time is not during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2, clock timezone BJ add 8, and clock datetime 8:0:0 2011-11-12 commands.
  Configured system time: 2011-11-12 08:00:03+08:00 Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2012
    End year : 2012
    Start time : 01-01 06:00:00
    End time : 09-01 06:00:00
    Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
Configured system time: date-time, if date-time is during the configured daylight saving time period
Example: Run the clock timezone BJ add 8, clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2, and clock datetime 3:0:0 2011-1-1 commands.
  Configured system time: 2011-01-01 03:00:03+08:00 DST Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
    Name : BJ
    Repeat mode : one-year
    Start year : 2011
    End year : 2011
    Start time : 01-01 01:00:00
    End time : 09-01 01:00:00
    Saving time : 02:00:00

3.1.5 Configuring a Header

If you need to provide information for users logging in, you can configure a header that the system displays during or after login.

Context

A header is a text message that the system displays when a user logs in to the router.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
header login { information text | file file-name }
A header displayed during login is set.

Step 3 Run:
header shell { information text | file file-name }
A header displayed after login is set.

To display the header when the terminal connection has been activated but the user has not yet been authenticated, configure the login parameter. To display the header after the user has logged in, configure the shell parameter.

NOTICE
- The header message starts and ends with the same character. Enter the first character of the header and press Enter. An interactive interface for setting the header is displayed. Input the required information and, when you are finished, end the header by entering the first character again.
  The system then exits from the interactive interface.
- If a user logs in to the router using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.
- If a user logs in to the router using SSH2.0, both the login and shell headers are displayed.

----End

3.1.6 Configuring Command Levels

This section describes how to configure command levels to ensure device security or to allow low-level users to run high-level commands.

By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights management is required, you can divide commands into 16 levels, that is, from Level 0 to Level 15.

Context

If you do not adjust a command level, after the command levels are updated, all originally registered command lines are adjusted automatically according to the following rules:
- The Level 0 and Level 1 commands remain unchanged.
- The Level 2 commands are updated to Level 10, and the Level 3 commands are updated to Level 15.
- No command lines exist in Level 2 to Level 9 or in Level 11 to Level 14. You can adjust command lines to these levels to refine the management of privileges.

NOTICE
Do not change the default level of a command. Otherwise, some users may be unable to continue using the command.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
command-privilege level rearrange
The command levels are updated in batches.

Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured.
With this command, you can specify the level for each command and, using command-key, adjust multiple commands in a view at one time. All commands have default command views and levels; you do not need to reconfigure them.
----End

3.1.7 Configuring the undo Command to Automatically Match the Higher-Level View

After this configuration, if a user runs an undo command that is not registered in the current view, the system automatically switches to the view one level up from the current view to search for the command. If the command is found there, the undo command takes effect. If the undo command does not exist in that view, the system progressively searches higher-level views for the command until it reaches the system view. If the undo command is not found in any higher-level view, it is not executed.

Context

NOTICE
Automatic matching of the undo command has disadvantages. For example, when a user runs the undo ospf command in the interface view, where the command is not registered, the system automatically searches the system view. This may lead to the global deletion of the OSPF feature.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
matched upper-view
The undo command is configured to automatically search higher-level views if it is run in a view where it is not registered.
By default, the undo command does not automatically search higher-level views.

NOTE
- The matched upper-view command is valid only for the login user who runs it.
- Configuring the undo command to automatically match the upper-level view is recommended only if necessary.

----End

3.2 Displaying System Status Messages

This section describes how to use display commands to check basic system configurations.

Context

You can use display commands to collect information about the system status. The display commands display the following information:
- System configurations
- System running status
- Diagnostic information about a system
- Restart information about the main control board

See the related sections concerning display commands for information on protocols and interfaces. This section shows only system-level display commands.

3.2.1 Displaying System Configuration

This section describes how to use command lines to check the system version, system time, original configuration, and current configuration.

Context

Run the following commands in any view:

Procedure

- Run the display version command to display the system version.
- Run the display clock [ utc ] command to display the system time.
- Run the display calendar command to display the system calendar.
- Run the display saved-configuration command to display the original configuration.
- Run the display current-configuration command to display the current configuration.

NOTE
- The display version command displays the software version of the system, the chassis type, and information about the main control board and interface boards.
- The original configuration refers to the configuration file the device uses when it powers on and initializes. The current configuration refers to the configuration that takes effect while the device is running. For details, see the chapter "Configuring System Startup" in the NE80E/40E Basic-Configuration.
- Run the display history-command command to display the history of commands executed by all users.

----End

3.2.2 Displaying the System Status

This section describes how to use command lines to check the system operating status (the configuration of the current view).

Procedure

- Run the display this command to display the configuration of the current view.

----End

3.2.3 Collecting System Diagnostic Information

This section describes how to collect information about system modules.
Context

If you cannot perform routine maintenance, run the various display commands to collect the information you need to locate faults. The display diagnostic-information command gathers information about all currently running system modules.

Procedure

- Run:
  display diagnostic-information [ file-name ]
  System diagnostic information is displayed.
  The display diagnostic-information command collects the same information as many individual commands, such as display clock, display version, display cpu-usage, display interface, display current-configuration, display saved-configuration, and display history-command.

----End

4 Configuring User Interfaces

About This Chapter

When a user uses a console port, AUX port, Telnet, or SSH (STelnet) to log in to a router, the system manages the session between the user and the router on the corresponding user interface.

4.1 User Interface Overview
The system supports console, AUX, and Virtual Type Terminal (VTY) user interfaces.

4.2 Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure attributes for the console user interface as needed.

4.3 Configuring the AUX User Interface
When you use the AUX port to log in to a device for local or remote configuration, you must configure attributes in the corresponding AUX user interface.

4.4 Configuring the VTY User Interface
If you need to use Telnet or SSH to log in to the router and perform local or remote maintenance, you can configure the VTY user interface as needed.

4.5 Configuration Examples
This section provides examples for configuring console, AUX, and VTY user interfaces. These configuration examples explain the networking requirements and provide configuration roadmaps and notes.
4.1 User Interface Overview

The system supports console, AUX, and Virtual Type Terminal (VTY) user interfaces. Each user interface has a user interface view. A user interface view is a command line view that the system provides to configure and manage all the physical and logical interfaces working in asynchronous mode.

User Interfaces Supported by the System

- Console port (CON)
  The console port is a serial port provided by the main control board of the device. The main control board provides one EIA/TIA-232 DCE console port. A terminal can use this port to connect directly to a device to perform local configurations.
- Auxiliary port (AUX)
  The auxiliary port is a linear port provided by the main control board of the device that uses a modem to support dialup. Each main control board provides one AUX port of type EIA/TIA-232 DTE. A terminal can remotely access the device through the modem on the AUX port.
- Virtual type terminal (VTY)
  A VTY is a logical terminal line. A VTY connection is set up when a device uses Telnet to connect to a terminal. This kind of connection is used to locally or remotely access a device.

Numbering of a User Interface

After a user logs in to the device, the system assigns the user the lowest-numbered idle user interface. The type of interface assigned depends on the user's login mode. There are two ways to number user interfaces:
- Relative numbering
  Relative numbering uses a "user interface type + number" format. Relative numbering is used to specify user interfaces of a particular type.
  It can be used to number single user interfaces or user interface groups and must adhere to the following rules:
  – Number of the console port: CON 0
  – Number of the auxiliary port: AUX 0
  – Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
- Absolute numbering
  Absolute numbering is used to give a single user interface or a group of user interfaces a unique number. Absolute numbering starts with 0. Ports are numbered in the sequence CON -> AUX -> VTY. There is only one console port, one AUX port, and 0-15 VTY interfaces. You can use the user-interface maximum-vty command to set the maximum number of user interfaces.

By default, the system supports three types of user interfaces: CON, AUX, and VTY. Table 4-1 shows the absolute numbers of the user interfaces in this system.

Table 4-1 Description of absolute and relative numbers for user interfaces

User interface: Console user interface
  Description: Manages and monitors users that log in through the console port.
  Absolute number: 0
  Relative number: 0

User interface: AUX user interface
  Description: Manages and monitors users that log in through the AUX port. The modem dialup function of AUX ports is frequently used.
  Absolute number: 33
  Relative number: 0

User interface: VTY user interface
  Description: Manages and monitors users that use Telnet or SSH to log in. Among the absolute numbers, 49 is reserved for future use and 50 to 54 are reserved for the network management system. Among the relative numbers, VTY 15 is reserved for future use and VTY 16 to VTY 20 are reserved for the network management system.
  Absolute number: 34 to 48, and 50 to 54
  Relative number:
  – Absolute numbers 34 to 48 correspond to relative numbers TTY 0 to TTY 14.
  – Absolute numbers 50 to 54 correspond to relative numbers TTY 16 to TTY 20.

NOTE
The absolute numbers allocated to AUX and VTY interfaces are device-specific.
Numbers 1 to 32 are reserved for TTY user interfaces. Run the display user-interface command to view the absolute numbers of user interfaces.

Authentication of a User Interface

After a user is configured, the system authenticates the user during login. There are two user authentication modes, password and AAA, which are described as follows:
- Password authentication: Users must enter a password, but not a username, during the login process.
- AAA authentication: Users must enter a password and a username during the login process. Telnet users are usually authenticated in this mode.

NOTE
When a user logs in to the NE80E/40E by using Telnet, SSH, or a similar method, the NE80E/40E defaults the user to default_admin.

Priority of a User Interface

Users logged in to the router are managed according to their levels. A user's level determines the level of commands the user is authorized to run.
- In the case of password authentication, the level of the commands the user can run is determined by the level of the user interface.
- In the case of AAA authentication, the level of the commands the user can run is determined by the level of the local user specified in the AAA configuration.

4.2 Configuring the Console User Interface

If you log in to the device through a console port to perform local maintenance, you can configure attributes for the console user interface as needed.

4.2.1 Before You Start

Before configuring the console user interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment

If you need to log in to the router through a console port to perform local maintenance, you can configure the corresponding console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. These parameters have default values that require no additional configuration, but you may modify them as needed.

Pre-configuration Tasks

Before configuring a console user interface, use a terminal to log in to the router.

Data Preparation

To configure a console user interface, you need the following data.

No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, terminal screen length, number of characters in each line displayed on a terminal screen, and the size of the history command buffer
3    User priority
4    User authentication method, username, and password

NOTE
All the default values (excluding the password and username) are stored on the router and need no additional configuration.

4.2.2 Setting Physical Attributes of the Console User Interface

You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console port.

Context

Physical attributes of a console port have default values on the router. No additional configuration is needed.

NOTE
When a user logs in to a router through a console port, the physical attributes set for the console port on the HyperTerminal must be consistent with the attributes of the console user interface on the router, or the user will not be able to log in.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.

Step 3 Run:
speed speed-value
The baud rate is set.
By default, the baud rate is 9600 bit/s.

Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set.
By default, the flow control mode is none.

Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set.
By default, the value is none.

Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set.
By default, the value is 1 bit.

Step 7 Run:
databits { 5 | 6 | 7 | 8 }
The data bit is set.
By default, the data bit is 8.

----End

4.2.3 Setting Terminal Attributes of the Console User Interface

This section describes how to set terminal attributes of the console user interface, including the user timeout disconnection function, the number of lines and the number of characters per line displayed on a terminal screen, and the size of the history command buffer.

Context

Terminal attributes of the console user interface have default values on the router that you may modify as needed.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.

Step 3 Run:
shell
The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]
The idle timeout period is set. If a connection remains idle for the timeout period, the system automatically terminates the connection.
By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run:
screen-length screen-length [ temporary ]
The terminal screen length is set.
The parameter temporary sets the number of lines to be displayed on a terminal screen temporarily, for the current session only. By default, the terminal screen length is 24 lines.

Step 6 Run:
screen-width screen-width
The maximum number of characters in each line displayed on a terminal screen is set. By default, each line displayed on a terminal screen has a maximum of 80 characters.

Step 7 Run:
history-command max-size size-value
The size of the history command buffer is set. By default, the history command buffer holds 10 entries.

----End

4.2.4 Configuring the User Privilege of the Console User Interface

This section describes how to control a user's authority after logging in to the router by configuring the user priority of the console user interface, which improves router security.

Context

- Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the user level.
- This procedure sets the priority of a user who logs in through the console port. A user's level determines the level of commands the user is authorized to run. For details about command levels, see section 2.1.2 "Command Levels".

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.

Step 3 Run:
user privilege level level
The user privilege is set.

NOTE
- By default, users who log in through the console user interface can use level 15 commands, and users who log in through other user interfaces can use commands at level 0.
- If the command level and user level are inconsistent, the user level takes precedence.

----End

4.2.5 Configuring the User Authentication Mode of the Console User Interface

The system provides two authentication modes: AAA and password.
Configuring a user authentication mode improves router security.

Context

The system provides two authentication modes, as described in Table 4-2.

Table 4-2 Authentication Modes

Authentication Mode: AAA
Advantage: AAA provides user authentication with high security, and each login is tied to a named user account.
Disadvantage: The configuration is more complex. A user name and password must be created for AAA authentication, and both must be entered at login.

Authentication Mode: Password authentication
Advantage: The password is bound to the user interface itself, which provides basic security. The configuration is simple and only the login password is needed.
Disadvantage: It provides less security than AAA. All users log in with the same password, so individual users cannot be distinguished.

Procedure

- Configure AAA authentication
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-cipher-password }
A username and password are created for the local user.
4. Run:
quit
Exit the AAA view.
5. Run:
user-interface console interface-number
The console user interface view is displayed.
6. Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.

- Configure password authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface console interface-number
The console user interface view is displayed.
3. Run:
authentication-mode password
The authentication mode is set to password authentication.
4. Run:
set authentication password [ cipher password ]
A password for password authentication is set.

NOTE
Passwords must meet the following requirements:
- If you do not enter cipher, the password is entered interactively, and the system does not display the entered password.
The password is a string of 8 to 16 case-sensitive characters. It must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. Special characters are any printable characters except the question mark (?) and the space.
- When you enter cipher, the password can be given in either plaintext or ciphertext.
- When you enter the password in plaintext, the password requirements are the same as when you do not enter cipher.
- When you enter the password in ciphertext, the password must be a string of 56 consecutive characters.
The password is stored in ciphertext in the configuration file regardless of whether you entered it in plaintext or ciphertext.

----End

4.2.6 Checking the Configuration

After configuring the console user interface, you can view information about the user interface, the physical attributes and configuration of the user interface, the local user list, and online users.

Prerequisites

The configuration of the console user interface is complete.

Procedure

- Run the display users [ all ] command to check information about the user interfaces.
- Run the display user-interface console ui-number1 [ summary ] command to check the physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check online users.

----End

Example

Run the display users command to view information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
+ 0   CON 0   00:00:44                             pass            no
  Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command to view the physical attributes and configuration of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 0    CON 0    9600             3                 N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int : The physical location of UIs.

Run the display local-user command to view the local user list.

<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username            State   Type   CAR   Access-limit   Online
  ----------------------------------------------------------------------------
  user123             Active  All    Dft   No             0
  ll                  Active  F      Dft   No             0
  user1               Active  F      Dft   No             0
  ----------------------------------------------------------------------------
  Total 3,3 printed

4.3 Configuring the AUX User Interface

When you use the AUX port to log in to a device for local or remote configuration, you must configure attributes in the corresponding AUX user interface.

4.3.1 Before You Start

Before configuring the AUX user interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If you need to use an AUX port to log in to a router for remote maintenance, you can configure the corresponding AUX user interface by setting the physical attributes, terminal attributes, user priority, and user authentication mode.
The preceding parameters have default values on the router and therefore do not require additional configuration.

Pre-configuration Tasks

Before configuring an AUX user interface, use a terminal to log in to the router.

Data Preparation

Before configuring an AUX user interface, you need the following data.

No. Data
1 Baud rate, flow-control mode, parity, stop bit, and data bit
2 Idle timeout period, number of lines displayed on a terminal screen, number of characters in each line displayed on a terminal screen, and the size of the history command buffer
3 User priority
4 Modem attributes
5 (Optional) Auto-execute commands
6 User authentication method, user name, and password

NOTE
All the default values (excluding the auto-execute commands, password, and username) are stored on the router and do not need additional configuration.

4.3.2 Setting Physical Attributes of the AUX User Interface

Physical attributes of the AUX user interface include the transmission rate, flow control mode, parity mode, stop bit, and data bit of the AUX port.

Context

Physical attributes of the AUX user interface have default values on the router. No additional configuration is required.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.

Step 3 Run:
speed speed-value
The transmission rate is set. By default, the baud rate is 9600 bit/s.

Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set. By default, the flow-control mode is none.

Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set. By default, the value is none.

Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set. By default, the value is 1 bit.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
The data bit is set. By default, the value is 8.

NOTE
When a user logs in to a router through an AUX port, the serial port attributes configured on the terminal emulator (for example, HyperTerminal) must match the attributes of the AUX user interface on the router. Otherwise, the user cannot log in to the router.

----End

4.3.3 Setting Terminal Attributes of the AUX User Interface

This section describes how to configure terminal attributes of the AUX user interface, including the user idle timeout, the number of lines and the number of characters in each line displayed on a terminal screen, and the size of the history command buffer.

Context

Terminal attributes of the AUX user interface have default values on the router. You can configure them as needed.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.

Step 3 Run:
shell
The AUX terminal service is enabled.

Step 4 Run:
idle-timeout minutes [ seconds ]
The user idle timeout is set. If the connection remains idle for the timeout period, the system automatically terminates the connection. By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run:
screen-length screen-length [ temporary ]
The length of a terminal screen is set. The parameter temporary sets the number of lines to be displayed on a terminal screen temporarily, for the current session only. By default, the length of a terminal screen is 24 lines.

Step 6 Run:
history-command max-size size-value
The size of the history command buffer is configured. By default, the history command buffer on the user interface holds 10 entries.
----End

4.3.4 Setting the User Priority of the AUX User Interface

This section describes how to control a user's authority after logging in to the router by configuring the user priority of the AUX user interface, which improves router security.

Context

- Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the user level.
- This procedure sets the priority of a user who logs in through the AUX port. A user's level determines the level of commands the user is authorized to run. For details about command levels, see section 2.1.2 "Command Levels".

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.

Step 3 Run:
user privilege level level
The user priority is set.

NOTE
- By default, users who log in through the AUX user interface can use commands at level 0.
- If the command level and the user level are inconsistent, the user level takes precedence.

----End

4.3.5 Setting Modem Attributes of the AUX User Interface

You can set the following modem attributes: the time the modem waits, after picking up, for the carrier to be detected when a call is established; whether the modem accepts only incoming calls or both incoming and outgoing calls; and whether automatic answer is enabled.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.

Step 3 Run:
modem timer answer seconds
The period for which the system waits for the CD_UP (carrier detect) signal after receiving the ring signal is set. This is the time that elapses between picking up the call and detecting the carrier, which is when the call is established.
By default, the waiting time is 30 seconds.

Step 4 Run:
modem [ both | call-in ]
Incoming calls only (call-in) or both incoming and outgoing calls (both) are enabled. By default, incoming and outgoing calls are prohibited.

Step 5 Run:
modem auto-answer
Automatic answer is enabled. By default, manual answering is used.

----End

4.3.6 (Optional) Configuring Auto-Execute Commands of the AUX User Interface

You can set a command to be executed automatically when a user logs in through the AUX user interface.

Context

NOTICE
After you run the auto-execute command command, you cannot use a terminal on this user interface to perform general system configuration. Before running the auto-execute command command and saving the configuration with the save command, make sure you can log in to the system by another method and delete the configuration if needed.

Perform the following on the router to which the user logs in:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface aux 0
The AUX user interface view is displayed.

Step 3 Run:
auto-execute command command
A command is specified as an auto-execute command.

Generally, the auto-execute command command is used to run Telnet from the terminal: after the configuration, the user is automatically connected to a designated host.

----End

4.3.7 Setting the User Authentication Mode of the AUX User Interface

The system provides two authentication modes: AAA and password. Configuring a user authentication mode improves router security.

Context

By default, no user authentication mode is configured on the AUX user interface.
Administrators must manually set a user authentication mode for the AUX user interface. If no user authentication mode is set, users cannot log in to the device through the AUX user interface.

Procedure

- Configuring AAA authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface aux interface-number
The AUX user interface view is displayed.
3. Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.
4. Run:
quit
The AUX user interface view is exited.
5. Run:
aaa
The AAA view is displayed.
6. Run:
local-user user-name password { cipher | irreversible-cipher } password
The local user and password are configured.

- Configuring password authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface aux interface-number
The AUX user interface view is displayed.
3. Run:
authentication-mode password
The authentication mode is set to password authentication.
4. Run:
set authentication password [ cipher password ]
A password is set.

NOTE
Passwords must meet the following requirements:
- If you do not enter cipher, the password is entered interactively, and the system does not display the entered password. The password is a string of 8 to 16 case-sensitive characters. It must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. Special characters are any printable characters except the question mark (?) and the space.
- When you enter cipher, the password can be given in either plaintext or ciphertext.
- When you enter the password in plaintext, the password requirements are the same as when you do not enter cipher.
- When you enter the password in ciphertext, the password must be a string of 56 consecutive characters.
The password is stored in ciphertext in the configuration file regardless of whether you entered it in plaintext or ciphertext.

----End

4.3.8 Checking the Configuration

After configuring the AUX user interface, you can view its usage information, including physical attributes and configuration, the local user list, and online users.

Prerequisites

The configuration of the AUX user interface is complete.

Procedure

- Run the display users [ all ] command to check usage information about the AUX user interface.
- Run the display user-interface aux interface-number [ summary ] command to check the physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check online users.

----End

Example

To view information about the current user interface, run the display users command:

<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
+ 33  AUX 0   00:00:44                             pass            no
  Username : Unspecified

Run the display user-interface aux interface-number [ summary ] command to view the physical attributes and configuration of the user interface.

<HUAWEI> display user-interface aux 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 33   AUX 0    9600             0                 N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username            State   Type   CAR   Access-limit   Online
  ----------------------------------------------------------------------------
  user123             Active  All    Dft   No             0
  ll                  Active  F      Dft   No             0
  user1               Active  F      Dft   No             0
  ----------------------------------------------------------------------------
  Total 3,3 printed

4.4 Configuring the VTY User Interface

If you need to use Telnet or SSH to log in to the router and perform local or remote maintenance, you can configure the VTY user interface as needed.

4.4.1 Before You Start

Before configuring a VTY user interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

If you need to use Telnet or SSH to log in to the router and perform local or remote maintenance, you can configure a VTY user interface. You can configure the maximum number of VTY user interfaces, restrictions on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode.

Pre-configuration Tasks

Before configuring a VTY user interface, use a terminal to log in to the router.

Data Preparation

To configure a VTY user interface, you need the following data.

No. Data
1 Maximum number of VTY user interfaces
2 (Optional) ACL number used to restrict incoming and outgoing calls on VTY user interfaces
3 Idle timeout period, number of characters in each line displayed on a terminal screen, and size of the history command buffer
4 User priority
5 User authentication method, username, and password

NOTE
All of the preceding parameters (excluding the ACL for limiting incoming and outgoing calls on VTY user interfaces, the user authentication method, the username, and the password) have default values that require no additional configuration.

4.4.2 Configuring the Maximum Number of VTY User Interfaces

This section describes how to configure the maximum number of VTY user interfaces to limit the number of users that can log in to the router.

Context

The maximum number of VTY user interfaces equals the total number of users that can use Telnet or SSH to log in to the router at the same time.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface maximum-vty number
The maximum number of VTY user interfaces is set.

NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the network administrator) can use a VTY user interface to log in to the router. If the new maximum is less than the number of users currently online, a message is displayed indicating that the configuration failed. If the new maximum is greater than the current number of VTY user interfaces, the authentication mode and password must be set for the newly added user interfaces; until then they are not usable for login.

Consider, for example, a system that permits a maximum of five users to be online.
To enable 15 VTY users to be online at the same time, run the authentication-mode command to configure an authentication mode for VTY user interfaces 5 to 14. The commands are run as follows:

<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode password

----End

4.4.3 (Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces

This section describes how to configure an ACL to restrict incoming and outgoing calls on a VTY user interface to specific IP addresses or address segments.

Context

Perform the following steps on the device that functions as the server:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run either of the following commands.

Compared with a basic ACL, which filters packets based on source addresses only, an advanced ACL supports richer filtering rules: not only the packet source address but also the destination address and priority fields.

- For a basic ACL:
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] } [ match-order { auto | config } ] command.
To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ] command.
- For an advanced ACL:
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name [ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] command.
To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ] command.

The user interface supports basic ACLs numbered 2000 to 2999 and advanced ACLs numbered 3000 to 3999.
Step 3 Run either of the following commands:

- For a basic ACL:
To configure a basic ACL rule, run the rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
To configure a basic ACL6 rule, run the rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
- For an advanced ACL:
To configure an advanced ACL rule, run the rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
To configure an advanced ACL6 rule, run the rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.

NOTE
- By default, login packets that match no rule in the ACL are denied. Only users whose source IP addresses match a rule with the permit action can log in to the device.
In the following example, two rules are configured to prohibit the user at IP address 10.1.1.10 from logging in to the device while allowing all other users to log in:
rule deny source 10.1.1.10 0
rule permit source any
If the rule permit source any command is not configured, users whose source IP addresses are not 10.1.1.10 are also prohibited from logging in, because an unmatched source is denied.
- If a user's source IP address does not match a rule that permits login, the user is prohibited from logging in to the device.
- If the ACL referenced by the VTY user interface contains no rules or does not exist, any user can log in to the device. Check that the ACL number you reference is the one you populated.

Step 4 Run:
quit
The system view is displayed.

Step 5 Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.

Step 6 Run:
acl [ ipv6 ] acl-number { inbound | outbound }
Restrictions for incoming and outgoing calls on the VTY user interface are configured.
- To prevent users at a specific address or address segment from logging in to the router, use inbound.
- To allow a user to log in to the router but prevent that user from connecting onward to other routers from it, use outbound.

----End

4.4.4 Setting the Terminal Attributes of the VTY User Interface

This section describes how to configure the terminal attributes of a VTY user interface, including the user idle timeout, the number of lines and the number of characters in each line displayed on a terminal screen, and the size of the history command buffer.

Context

On the router, the terminal attributes of the VTY user interface have default values, which you can reconfigure as needed.

Procedure

Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface vty number1 [ number2 ]
The VTY user interface view is displayed.

Step 3 Run:
shell
The VTY terminal service is enabled.

Step 4 Run:
idle-timeout minutes [ seconds ]
The user idle timeout is set. If the connection remains idle for the timeout period, the system automatically terminates the connection. By default, the timeout period is 10 minutes.

Step 5 Run:
screen-length screen-length [ temporary ]
The terminal screen length is set. The parameter temporary sets the number of lines to be displayed on the terminal screen temporarily, for the current session only. By default, the terminal screen length is 24 lines.

Step 6 Run:
history-command max-size size-value
The size of the history command buffer is set. By default, a maximum of 10 commands are cached in the history command buffer.

----End

4.4.5 Setting the User Priority of the VTY User Interface

This section describes how to control a user's authority after logging in to the router by configuring the user priority of the VTY user interface, which improves router security.

Context

- Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the user level.
- This procedure sets the priority of a user who logs in through a VTY user interface. A user's level determines the level of commands the user is authorized to run. For details about command levels, see section 2.1.2 "Command Levels".

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface vty interface-number
The VTY user interface view is displayed.

Step 3 Run:
user privilege level level
The user priority is set. By default, users who log in through the VTY user interface can use commands at level 0.
NOTE
If the command level configured in the VTY user interface view and the user priority are inconsistent, the user priority takes precedence.

----End

4.4.6 Setting the User Authentication Mode of the VTY User Interface

The system provides two authentication modes: AAA and password. Configuring a user authentication mode improves router security.

Context

The system provides two authentication modes, as described in Table 4-3.

Table 4-3 Authentication Modes

Authentication Mode: AAA
Advantage: AAA provides user authentication with high security, and each login is tied to a named user account.
Disadvantage: The configuration is more complex. A user name and password must be created for AAA authentication, and both must be entered at login.

Authentication Mode: Password authentication
Advantage: The password is bound to the VTY channel itself, which provides basic security. The configuration is simple and only the login password is needed.
Disadvantage: It provides less security than AAA. All users log in with the same password, so individual users cannot be distinguished.

Procedure

- Configuring AAA authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface vty number1 [ number2 ]
The VTY user interface view is displayed.
3. Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.
4. Run:
quit
The VTY user interface view is exited.
5. Run:
aaa
The AAA view is displayed.
6. Run:
local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-cipher-password }
A username and password are created for the local user.

- Configuring password authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface vty number1 [ number2 ]
     The VTY user interface view is displayed.
  3. Run:
     authentication-mode password
     The authentication mode is set to password authentication.
  4. Run:
     set authentication password [ cipher password ]
     A password is set.
NOTE
Passwords must meet the following requirements:
- If you do not enter cipher, the password is entered interactively and the system does not display the characters you type. The password is a string of 8 to 16 case-sensitive characters and must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. Any special character except the question mark (?) and the space is allowed.
- If you enter cipher, the password can be supplied in either plaintext or ciphertext.
- A plaintext password supplied after cipher must meet the same requirements as an interactively entered password.
- A ciphertext password supplied after cipher must be a string of 56 consecutive characters.
The password is stored in ciphertext in the configuration file regardless of whether you enter it in plaintext or ciphertext. A plaintext password typed after cipher is nevertheless recorded in the command history buffer and in any terminal session log, which the interactive form avoids.
----End

4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces
Network Management System (NMS) users can log in to a device through VTY user interfaces to set device parameters.
Context
NMS users can log in to the router through VTY user interfaces to set router parameters.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
local-user user-name password { cipher | irreversible-cipher } password
A local user is created.
Step 4 Run:
local-user user-name user-type netmanager
The local user is set as an NM user.
Step 5 Run:
quit
The system view is displayed.
Step 6 Run:
user-interface vty first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 7 Run:
authentication-mode aaa
The authentication mode for logging in to the user interface is configured.
NOTE
The system reserves five VTYs (VTY 16 to VTY 20) for NMS users. These five VTYs serve as dedicated network management channels. They do not support the RSA authentication mode, but they do support password authentication.
Step 8 Run:
quit
The system view is displayed.
Step 9 Run:
mmi-mode enable
The system is switched to machine-to-machine mode.
NOTE
- This command is not visible on terminals and cannot be found through the online help. Exercise caution when using it in man-to-machine mode.
- In VTY machine-to-machine mode, the system reserves five user interfaces for NMS users who log in through VTYs. A common user cannot use these five reserved user interfaces to log in through Telnet.
- In machine-to-machine mode, the system does not output logs, alarms, or debugging information to the screen.
- In machine-to-machine mode, the save and reboot commands can be run directly. This is one reason to keep the reserved interfaces restricted to NMS accounts.
- In machine-to-machine mode, a maximum of 512 lines are displayed by default. You can run the screen-length command to adjust this value, or the screen-length temporary command to adjust the number of lines displayed for the current session only.
----End

4.4.8 Checking the Configuration
After configuring a VTY user interface, you can view the maximum number of VTY user interfaces, and the physical attributes and configurations of user interfaces.
Prerequisites
The configurations of the VTY user interface are complete.
Procedure
- Run the display users [ all ] command to check information about user interfaces.
- Run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.
- Run the display user-interface [ ui-type ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of user interfaces.
- Run the display local-user command to check the local user list.
- Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view information about the current user interfaces.
<HUAWEI> display users
  User-Intf    Delay     Type   Network Address    AuthenStatus   AuthorcmdFlag
  34 VTY 0     00:00:12  TEL    10.138.77.38                      no
     Username : Unspecified
+ 35 VTY 1     00:00:00  TEL    10.138.77.57                      no
     Username : Unspecified
Run the display user-interface maximum-vty command to view the maximum number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of user interfaces.
<HUAWEI> display user-interface vty 0
  Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 34   VTY 0    -       -      14     14           N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int : The physical location of UIs.
An Auth value of N on a VTY that is reachable from the network means that logins are accepted without any credentials; check every VTY in the configured range for this value after changing the authentication mode.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
  Username          State    Type    CAR    Access-limit    Online
----------------------------------------------------------------------------
  user123           Active   All     Dft    No              0
  ll                Active   F       Dft    No              0
  user1             Active   F       Dft    No              0
----------------------------------------------------------------------------
  Total 3,3 printed
Run the display vty mode command to view the current VTY mode. In the following example the system is in human-machine mode, that is, machine-to-machine mode (mmi-mode enable) is not in effect:
<HUAWEI> display vty mode
Current user-interface mode is Human-Machine interface.

4.5 Configuration Examples
This section provides examples for configuring console, AUX, and VTY user interfaces. The examples state the networking requirements and provide configuration roadmaps and notes.
4.5.1 Example for Configuring the Console User Interface
In this example, a console user interface is configured to allow a user in password authentication mode to log in to the router. The physical attributes, terminal attributes, user priority, user authentication mode, and password are set for the interface.
Networking Requirements
A user uses the console user interface to log in to the router to initialize the router configuration or to perform local maintenance. You can set console user interface attributes (for security reasons, for example) to control user logins. In the console user interface view, the user priority is set to 15 and the password authentication mode is set (the password is Huawei-123). If no user activity occurs and the connection remains idle for more than 30 minutes after login, the connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the console user interface view and set its physical attributes.
2. Set the terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.
Data Preparation
To complete the configuration, you need the following data:
- Transmission rate of the console user interface: 4800 bit/s
- Flow control mode of the console user interface: none
- Parity of the console user interface: even
- Stop bits of the console user interface: 2
- Data bits of the console user interface: 6
- Timeout period for disconnecting from the console user interface: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Number of characters displayed on a terminal screen: 60
- Size of the history command buffer: 20
- User priority: 15
- User authentication mode: password (password: Huawei-123)
Procedure
Step 1 Set the physical attributes of the console user interface.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] speed 4800
[HUAWEI-ui-console0] flow-control none
[HUAWEI-ui-console0] parity even
[HUAWEI-ui-console0] stopbits 2
[HUAWEI-ui-console0] databits 6
These settings take effect immediately. If you are connected through the console port while making them, the terminal emulator on the PC must be reconfigured to the same parameters before the session can continue (see 5.2.3).
Step 2 Set the terminal attributes of the console user interface.
[HUAWEI-ui-console0] shell
[HUAWEI-ui-console0] idle-timeout 30
[HUAWEI-ui-console0] screen-length 30
[HUAWEI-ui-console0] screen-width 60
[HUAWEI-ui-console0] history-command max-size 20
Step 3 Set the user priority of the console user interface.
[HUAWEI-ui-console0] user privilege level 15
Step 4 Set the user authentication mode of the console user interface to password.
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher Huawei-123
[HUAWEI-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can use the console port to log in and perform local maintenance on the router. For details on how a user logs in to the router, see chapter 5 Configuring User Login.
----End
Configuration Files
#
 sysname HUAWEI
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password cipher $1a$.]U;PI9EtF$%$qzNQb7:,PNeT*K+i_#UYW%@qVRrNa0`\.t*^%@$
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 screen-width 60
 databits 6
 parity even
 stopbits 2
 speed 4800
#
return

4.5.2 Example for Configuring the AUX User Interface
This section provides an example of configuring the AUX user interface. To enable a user in AAA authentication mode to log in to the router through the AUX port, several attributes of the AUX user interface are set: physical attributes, terminal attributes, user priority, modem attributes, user authentication mode, and password.
Networking Requirements
To maintain the router locally or remotely, a user can log in to the router through the AUX user interface. To control user login, an operator sets the AUX user interface attributes as needed (for security reasons, for example). In the AUX user interface, the user priority is set to 15 and the authentication mode is set to AAA. The user name is user123 and the password is Huawei-123. If the user takes no action on the router for more than 30 minutes after login, the connection between the user and the router is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the AUX user interface view and set its physical attributes.
2. Set the terminal attributes of the AUX user interface.
3. Set the user priority of the AUX user interface.
4. Set the modem attributes of the AUX user interface.
5. Set the authentication mode and password of the AUX user interface.
Data Preparation
To complete the configuration, you need the following data:
- Transmission rate of the AUX user interface: 9600 bit/s
- Flow control mode of the AUX user interface: none
- Parity of the AUX user interface: none
- Stop bits of the AUX user interface: 1
- Data bits of the AUX user interface: 8
- Timeout period for disconnecting from the AUX user interface: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Number of characters displayed on a terminal screen: 60
- Size of the history command buffer: 20
- User priority: 15
- Modem attributes: timeout from off-hook to carrier detection (45 seconds), call-in permitted, and automatic answer
- User authentication mode and password of the AUX user interface: AAA (user name user123, password Huawei-123)
Procedure
Step 1 Set the physical attributes of the AUX user interface.
<HUAWEI> system-view
[HUAWEI] user-interface aux 0
[HUAWEI-ui-aux0] speed 9600
[HUAWEI-ui-aux0] flow-control none
[HUAWEI-ui-aux0] parity none
[HUAWEI-ui-aux0] stopbits 1
[HUAWEI-ui-aux0] databits 8
All of the preceding physical attributes are set to their default values, so a user who keeps the defaults does not need to enter them. They are shown here only to illustrate the configuration method.
Step 2 Set the terminal attributes of the AUX user interface.
[HUAWEI-ui-aux0] shell
[HUAWEI-ui-aux0] idle-timeout 30
[HUAWEI-ui-aux0] screen-length 30
[HUAWEI-ui-aux0] screen-width 60
[HUAWEI-ui-aux0] history-command max-size 20
Step 3 Set the user priority of the AUX user interface.
[HUAWEI-ui-aux0] user privilege level 15
Step 4 Set the modem attributes of the AUX user interface.
[HUAWEI-ui-aux0] modem timer answer 45
[HUAWEI-ui-aux0] modem call-in
[HUAWEI-ui-aux0] modem auto-answer
With call-in permitted and automatic answer enabled, the AUX port answers any incoming call and offers a level-15 session. The AAA authentication configured in the next step is the only control between a caller and that session, so do not leave the interface without an authentication mode.
Step 5 Set the authentication mode of the AUX user interface to AAA.
[HUAWEI-ui-aux0] authentication-mode aaa
[HUAWEI-ui-aux0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user123 password cipher Huawei-123
[HUAWEI-aaa] quit
After the AUX user interface is configured, a user in AAA authentication mode can log in to the router through the AUX port to maintain the router. For details on how a user logs in to the router, see chapter 5 Configuring User Login.
----End
Configuration Files
#
 sysname HUAWEI
#
user-interface aux 0
 authentication-mode aaa
 user privilege level 15
 history-command max-size 20
 idle-timeout 30 0
 modem call-in
 modem auto-answer
 modem timer answer 45
 screen-length 30
 screen-width 60
#
return

4.5.3 Example for Configuring a VTY User Interface
In this example, a VTY user interface is configured to enable a user in password authentication mode to log in to the router through Telnet or SSH (STelnet). The maximum number of VTY user interfaces, restrictions on incoming and outgoing calls, terminal attributes, authentication mode, and password are set for the interface.
Networking Requirements
A user uses Telnet or SSH to log in to the router through a VTY channel. You can set VTY user interface attributes as needed (for security reasons, for example) to control user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password authentication, and the password is Huawei-123. A user with the IP address 10.1.1.1 is prohibited from logging in to the router. If no user activity occurs and the connection remains idle for more than 30 minutes after login, the connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the system view and set the maximum number of VTY user interfaces to 15.
2. Set restrictions on incoming and outgoing calls on the VTY user interface to prevent an IP address or an IP address segment from accessing the router.
3. Set the terminal attributes of the VTY user interface.
4. Set the user priority of the VTY user interface.
5. Set the authentication mode and password of the VTY user interface.
Data Preparation
To complete the configuration, you need the following data:
- Maximum number of VTY user interfaces: 15
- ACL applied to restrict incoming calls on the VTY user interface: 2000
- Timeout period for disconnecting from the VTY user interface: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Number of characters displayed on a terminal screen: 60
- Size of the history command buffer: 20
- User priority: 15
- User authentication mode: password (password: Huawei-123)
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
Step 2 Set the call-in restriction on the VTY user interface.
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] acl 2000 inbound
The ACL in this example is a deny list: it blocks one host and, as the resulting configuration file shows, still admits every other source. Restricting management access to known hosts requires the opposite shape, permit rules for the management addresses followed by a deny for everything else.
Step 3 Set the terminal attributes of the VTY user interface.
[HUAWEI-ui-vty0-14] shell
[HUAWEI-ui-vty0-14] idle-timeout 30
[HUAWEI-ui-vty0-14] screen-length 30
[HUAWEI-ui-vty0-14] screen-width 60
[HUAWEI-ui-vty0-14] history-command max-size 20
Step 4 Set the user priority of the VTY user interface.
[HUAWEI-ui-vty0-14] user privilege level 15
Step 5 Set the authentication mode and password of the VTY user interface.
[HUAWEI-ui-vty0-14] authentication-mode password
[HUAWEI-ui-vty0-14] set authentication password cipher Huawei-123
[HUAWEI-ui-vty0-14] quit
After the VTY user interface is configured, a user authenticated in password mode can use Telnet or SSH (STelnet) to log in to the router and perform local or remote maintenance. For details on how a user logs in to the router, see chapter 5 Configuring User Login.
----End
Configuration Files
#
 sysname HUAWEI
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 authentication-mode password
 set authentication password cipher $1a$.]U;PI9EtF$%$qzNQb7:,PNeT*K+i_#UYW%@qVRrNa0`\.t*^%@$
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 screen-width 60
#
return

5 Configuring User Login
About This Chapter
A user can log in to the router through a console port, an AUX port, or by using Telnet or SSH (STelnet), and can then maintain the router locally or remotely.
5.1 User Login Overview
When the device works as the server, a user can log in to the device through a console port, Telnet, STelnet, or the web.
5.2 Logging In to Devices Through the Console Port
When a user needs to maintain a router locally or configure a router that is being powered on for the first time, the user can log in through a console port.
5.3 Logging In to Devices Through the AUX Port
When a user terminal and the router have no reachable route between each other, the user can log in to the router through an AUX port to remotely configure and manage or locally maintain the router.
5.4 Using Telnet to Log In to Devices
When multiple routers need to be configured and managed, you do not need to maintain each router locally. Instead, you can use Telnet to log in to the routers remotely and perform maintenance, which greatly facilitates device management.
5.5 Using STelnet to Log In to Devices
STelnet provides secure remote access over an insecure network. After the client/server negotiation is complete and a secure connection is established, STelnet login is similar to Telnet login.
5.6 Common Operations After Login
After logging in to the router, you can switch the user priority, lock the terminal window, and perform other operations as needed.
5.7 Configuration Examples
This section provides several examples describing how to configure users to log in through a console port, Telnet, or STelnet. The examples provide information and diagrams for networking requirements, configuration notes, and configuration roadmaps.

5.1 User Login Overview
When the device works as the server, a user can log in to the device through a console port, Telnet, STelnet, or the web. Table 5-1 lists the modes by which a user can log in to the device to configure and manage it.
Table 5-1 User login modes
Login mode: 5.2 Logging In to Devices Through the Console Port
  Applicable scenario:
  - A user connects a user terminal to the console port to power on and configure the device for the first time.
  Remarks:
  By default, a user can directly log in to the device using the console port.
  The authentication mode is password authentication, indicating that a password is required for authentication. The command access level is 3.
  Further scenarios:
  - If a user cannot access the device remotely, the user can log in to the device locally using the console port.
  - A user can log in using the console port to diagnose a fault if the device fails to start, or to enter the BootROM to upgrade the system.
Login mode: 5.3 Logging In to Devices Through the AUX Port
  Applicable scenario:
  When no reachable route exists between the user terminal and the device, the user cannot log in using Telnet but can log in using the AUX port.
  Remarks:
  By default, no user authentication mode is configured on the AUX user interface. Administrators must set one manually; until they do, users cannot log in to the device through the AUX user interface.
  A user can use the AUX port to log in to the device but, at the default level, cannot use it to manage or maintain the device. To enable management and maintenance through the AUX port, log in locally through the console port and change the user access level of the AUX user interface. By default, the command access level of an AUX user is 0.
Login mode: 5.4 Using Telnet to Log In to Devices
  Applicable scenario:
  A user accesses the network from a user terminal and logs in to the device using Telnet to perform local or remote configuration. The target device authenticates the user using the configured login parameters.
  Remarks:
  By default, a user cannot log in to the device directly using Telnet.
  To enable Telnet login, log in to the device locally through the console port and perform the following configuration tasks:
  - Configure the IP address of the management network port on the device and ensure that a reachable route exists between the user terminal and the device. By default, no IP address is configured on the device.
  - Configure the user authentication mode of the VTY user interface. (By default, no user authentication mode is configured on the VTY user interface. Administrators must set one manually.)
  - Configure the user access level of the VTY user interface. By default, the user access level of the VTY user interface is 0.
  - Enable the Telnet server function. By default, the Telnet server function is enabled.
  The Telnet login mode facilitates remote device management and maintenance, but it carries credentials and session data in plaintext (see the NOTE following this table).
Login mode: 5.5 Using STelnet to Log In to Devices
  Applicable scenario:
  A user accesses the network from a user terminal. If the network is insecure, use the Secure Shell (SSH) protocol to protect the transmission and to use a stronger authentication mechanism. SSH protects the device against attacks such as IP spoofing and plaintext password interception.
  Remarks:
  By default, a user cannot log in to the device directly using STelnet. To enable STelnet login, log in to the device locally through the console port and perform the following configuration tasks. The STelnet login mode better ensures the security of the exchanged data.
  - Configure the user authentication mode of the VTY user interface. (By default, no user authentication mode is configured on the VTY user interface. Administrators must set one manually.)
  - Configure the IP address of the management network port on the device and ensure that a reachable route exists between the user terminal and the device. By default, no IP address is configured on the device.
  - Configure the user access level of the VTY user interface. By default, the user access level of the VTY user interface is 0.
  - Configure the VTY user interface to support the SSH protocol. By default, the VTY user interface supports only the Telnet protocol.
  - Configure the SSH user and specify STelnet as the service mode. By default, no SSH user is configured on the device, and the service mode of SSH users is null (no service is supported).
  - Enable the STelnet server function. By default, the STelnet server function is disabled.
NOTE
Logging in using Telnet is insecure: no secure authentication mechanism is used, and data is transmitted over TCP in plaintext. Unlike Telnet, SSH authenticates clients and encrypts data in both directions to guarantee secure transmission over a conventional insecure network. SSH supports secure Telnet (STelnet). For detailed information about SSH, see NE80E/40E Feature Description - Basic Configurations.
Because the Telnet server is enabled by default, enabling STelnet does not by itself remove the plaintext login path. Once STelnet login has been verified, disable the Telnet server and configure the VTY user interfaces to accept only SSH.

5.2 Logging In to Devices Through the Console Port
When a user needs to maintain a router locally or configure a router that is being powered on for the first time, the user can log in through a console port.
5.2.1 Before You Start
Before configuring user login through a console port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
A user can log in to a device locally through a console port.
The user must log in through a console port when a router is powered on for the first time.
- If a user cannot access the device remotely, the user can log in to the device locally using the console port.
- A user can log in using the console port to diagnose a fault if the device fails to start, or to enter the BootROM to upgrade the system.
Pre-configuration Tasks
Before configuring user login through a console port, complete the following tasks:
- Configure the PC or terminal (including the serial port and the RS-232 cable).
- Install a terminal emulator (for example, the Windows XP HyperTerminal) on the PC.
Data Preparation
To configure user login through a console port, you need the following data.
No.  Data
1    - Transmission rate, flow control mode, parity mode, stop bits, and data bits
     - Number of lines displayed on a terminal screen, number of characters displayed on a terminal screen, and size of the history command buffer
     - User priority
     - User authentication mode, user name, and password
5.2.2 Logging In to the Device Using a Console Port
A user can log in by connecting a terminal to the console port of the device.
Context
- The communication parameters of the user terminal must match the physical attribute parameters of the console user interface on the device.
- A user authentication mode must be configured on the console user interface. Authentication enhances network security because a user can log in to the device only after being successfully authenticated.
NOTE
If the master main control board fails, a user can log in to the slave main control board, if available, through its console port to query the configuration on the slave main control board. This login option facilitates fault location.
Procedure
Step 1 Start a terminal emulation program, such as the HyperTerminal of Windows XP, on the PC and establish a connection as shown in Figure 5-1.
NOTE
If the Windows version in use does not provide the HyperTerminal, download it from the Microsoft website.
Figure 5-1 Creating a connection
Step 2 Set the interface (the serial port to use), as shown in Figure 5-2.
Figure 5-2 Setting the interface
Step 3 Set the communication parameters to match the router defaults (9600 bit/s, as the display user-interface console 0 output in 5.2.4 shows), as shown in Figure 5-3.
Figure 5-3 Setting the communication parameters
Step 4 Press Enter. At the following prompt, set an authentication password. The system saves the new password automatically.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the console.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
NOTE
- If the device was delivered with a default password, enter the default password Admin@huawei.com to log in. This password is insecure and must be changed immediately. For details on how to change it, see 4.2.5 Configuring the User Authentication Mode of the Console User Interface.
- After you set the password for the user interface, you must log in to the system again through this user interface, using password authentication and the new password.
- Passwords must meet the following requirements:
  - The password is entered interactively, and the system does not display the characters you type.
  - The password is a string of 8 to 16 case-sensitive characters and must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. Any special character except the question mark (?) and the space is allowed. The configured password is stored in the configuration file in ciphertext.
- After you restart the device through the console port, press Enter when the following information is displayed.
Recover configuration...OK!
Press ENTER to get started.
----End
5.2.3 (Optional) Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure attributes of the console user interface as needed.
Context
Console user interface attributes have default values on the device and generally need no modification. To meet specific user requirements or ensure network security, you can modify console user interface attributes such as the terminal attributes and the user authentication mode. For detailed settings, see section 4.2 Configuring the Console User Interface.
NOTE
Changes to console user interface attributes take effect immediately, so the connection may be interrupted if you modify them while logged in through the console port. Use another login mode when modifying console user interface attributes. To log in through the console port after changing the default console user interface attributes, ensure that the configuration of the terminal emulator on the PC matches the console user interface attributes configured on the device.
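The password rules stated in 5.2.2 (and, identically, in 4.4.6) are easy to get wrong when a password is generated or pushed by a provisioning script rather than typed at the prompt. The following check is an added example, not Huawei code: it encodes exactly those rules (8 to 16 characters, at least two of the four character types, no question mark or space) and additionally rejects the factory default that 5.2.2 says must be replaced at first login. The function and message wording are ours.

```python
"""Check a candidate console/VTY login password against the rules this guide
states: 8 to 16 characters, at least two of the four character types, and
no question mark or space. Added example, not Huawei code; the factory
default is rejected because 5.2.2 requires it to be replaced."""
import string

MIN_LEN, MAX_LEN = 8, 16
UPPER, LOWER, DIGITS = set(string.ascii_uppercase), set(string.ascii_lowercase), set(string.digits)
SPECIAL = set(string.punctuation) - {"?"}   # '?' is excluded by the guide; space is not punctuation
ALLOWED = UPPER | LOWER | DIGITS | SPECIAL
FACTORY_DEFAULT = "Admin@huawei.com"        # the delivered password named in 5.2.2


def check_password(pw):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} is outside {MIN_LEN}-{MAX_LEN} characters")
    forbidden = sorted(set(pw) - ALLOWED)   # catches '?', the space, and any non-ASCII character
    if forbidden:
        problems.append("forbidden characters: " + ", ".join(repr(c) for c in forbidden))
    chars = set(pw)
    kinds = sum(bool(chars & group) for group in (UPPER, LOWER, DIGITS, SPECIAL))
    if kinds < 2:
        problems.append(f"uses {kinds} of the 4 character types; at least 2 are required")
    if pw == FACTORY_DEFAULT:
        problems.append("this is the factory default password and must be replaced")
    return problems


if __name__ == "__main__":
    for candidate in ("Huawei-123", "huawei", "Admin@huawei.com", "Huawei 12?"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Run it against the password before it is placed in a set authentication password or local-user command; a non-empty list is the reason the device would reject it, or the reason you should.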
5.2.4 Checking the Configuration

After logging in through a console port, a user can view the usage information, physical attributes and configurations, local user list, and online users on the console user interface.

Prerequisites

Configurations that enable a user to log in through a console port are complete.

Procedure
- Run the display users [ all ] command to check information about the user interface.
- Run the display user-interface console ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check the local user list.

----End

Example

Run the display users command to view information about the current user interface.

  <HUAWEI> display users
    User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
    0   CON 0    00:00:44                           pass           no
    Username : Unspecified

Run the display user-interface console ui-number1 [ summary ] command to view the physical attributes and configurations of the user interface.

  <HUAWEI> display user-interface console 0
    Idx  Type     Tx/Rx    Modem  Privi  ActualPrivi  Auth  Int
    0    CON 0    9600            3                   N     -
    +    : Current UI is active.
    F    : Current UI is active and work in async mode.
    Idx  : Absolute index of UIs.
    Type : Type and relative index of UIs.
    Privi: The privilege of UIs.
    ActualPrivi: The actual privilege of user-interface.
    Auth : The authentication mode of UIs.
        A: Authenticate use AAA.
        N: Current UI need not authentication.
        P: Authenticate use current UI's password.
    Int  : The physical location of UIs.

Run the display local-user command to view the local user list.

  <HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username        State    Type   CAR   Access-limit   Online
  ----------------------------------------------------------------------------
  user123         Active   All    Dft   No             0
  ll              Active   F      Dft   No             0
  user1           Active   F      Dft   No             0
  ----------------------------------------------------------------------------
  Total 3,3 printed

5.3 Logging In to Devices Through the AUX Port

When a user terminal and the router have no reachable route between each other, the user can log in to the router through an AUX port to remotely configure and manage, or locally maintain, the router.

5.3.1 Before You Start

Before configuring user login through an AUX port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

You can configure and maintain the router locally or remotely through an AUX port. When you configure the router locally, the AUX login method is similar to the console login method. The only difference between the two lies in the default user priority: the default user priority of the console user interface is 3, whereas that of the AUX user interface is 0. Therefore, logging in through the console port is recommended for local configuration. The following section describes how to log in to and configure the router through an AUX port.

NOTE
To manage and maintain the router through an AUX port, first modify the user priority of the AUX user interface.

When no reachable route is available between a PC and the router, you can use a modem to connect the serial port of the PC to the AUX port of the router.
In this manner, you can use the Public Switched Telephone Network (PSTN) to configure and maintain the router remotely. As shown in Figure 5-4, the COM interface of the PC is connected to a modem that is connected to the PSTN. The AUX port of the router is connected to another modem that is connected to the PSTN.

Figure 5-4 Networking diagram of remote login through an AUX port (PC - Modem - PSTN - Modem - Router)

Pre-configuration Tasks

Before configuring user login through an AUX port, complete the following tasks:
- Connect the PC to the router through modems
- Configure the modems
- Install a terminal emulator (such as HyperTerminal of Windows XP) on the PC

Data Preparation

To configure user login through an AUX port, you need the following data.

No.  Data
1    - Transmission rate, flow control mode, parity, stop bit, and data bit
     - Number of lines displayed in a terminal screen, number of characters displayed in a terminal screen, and size of the history command buffer
     - User priority
     - Modem attributes
     - (Optional) Auto-run commands
     - User authentication mode, user name, and password
2    Telephone number of the modem at the remote router side

5.3.2 Logging In to the Device Through an AUX Port

You can establish a connection between a terminal and the device through an AUX port.

Context

NOTE
By default, the user access level of the AUX user is 0. The AUX user cannot directly manage or maintain the device after logging in to the device through the AUX port. To enable the AUX user to remotely manage and maintain the device, locally log in to the device through the console port to change the user access level of the AUX user interface.

Procedure

Step 1 After logging in to the device through the console port, perform the following steps:

1. Run:
     system-view
   The system view is displayed.
2. Run:
     user-interface aux interface-number
   The AUX user interface view is displayed.
3. Run:
     user privilege level level
   The user access level is set.
4. Run:
     authentication-mode password
   The authentication mode is set to password authentication.
5. Run:
     set authentication password [ cipher password ]
   A password for password authentication is set.

   NOTE
   Passwords must meet the following requirements:
   - If you do not enter cipher, the password is entered in man-machine interaction mode, and the system does not display the characters you type. The password is a string of 8 to 16 case-sensitive characters and must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. A special character is any character except the question mark (?) and the space.
   - When you enter cipher, the password can be entered in either plaintext or ciphertext.
   - When you enter the password in plaintext, the password requirements are the same as those when you do not enter cipher.
   - When you enter the password in ciphertext, the password must be a string of 56 consecutive characters.
   The password is displayed in ciphertext in the configuration file regardless of whether you entered it in plaintext or ciphertext.

Step 2 Start a terminal emulator (such as HyperTerminal of Windows XP) on the PC to establish a connection with the router, as shown in Figure 5-5.

Figure 5-5 Creating a connection

Step 3 Set the dialing information, as shown in Figure 5-6.

Figure 5-6 Setting the dialing information

Step 4 Establish a connection with the router, as shown in Figure 5-7.

Figure 5-7 Establishing a connection with the router

If you need to modify communication parameters, click Modify in the Connect box shown in Figure 5-7 to open the AuxCon Properties box, as shown in Figure 5-8. Then press Set, as shown in Figure 5-9.

Figure 5-8 Modifying the connection attribute

Figure 5-9 Setting the communication parameters

Step 5 Press Dialing. If user authentication is needed, enter the corresponding authentication information and wait until the command line prompt of the user view, such as <HUAWEI>, appears. This indicates that you have entered the user view and can enter configurations.

----End

5.3.3 (Optional) Configuring the AUX User Interface

When you use the AUX port to log in to a device for local or remote configuration, you must configure attributes in the corresponding AUX user interface.

Context

Attributes of an AUX user interface have default values on the device and generally need no additional settings. To meet specific application requirements or ensure network security, you can also set attributes of the AUX user interface, such as terminal attributes and the user authentication mode. For detailed settings, see section 4.3 Configuring AUX User Interface.
5.3.4 Checking the Configuration

After a user logs in through an AUX port, the user can view information on the console user interface, such as user information, physical attributes and configurations, the local user list, and online users.

Prerequisites

User login configurations through the AUX port are complete.

Procedure
- Run the display users [ all ] command to check usage information about the AUX user interface.
- Run the display user-interface aux interface-number [ summary ] command to check the physical attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check the local user list.

----End

Example

To view information about the current user interface, run the display users command:

  <HUAWEI> display users
    User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
    33  AUX 0    00:00:44                           pass           no
    Username : Unspecified

Run the display user-interface aux ui-number1 [ summary ] command to view the physical attributes and configurations of the user interface.

  <HUAWEI> display user-interface aux 0
    Idx  Type     Tx/Rx    Modem  Privi  ActualPrivi  Auth  Int
    33   AUX 0    9600            0                   N     -
    +    : Current UI is active.
    F    : Current UI is active and work in async mode.
    Idx  : Absolute index of UIs.
    Type : Type and relative index of UIs.
    Privi: The privilege of UIs.
    ActualPrivi: The actual privilege of user-interface.
    Auth : The authentication mode of UIs.
        A: Authenticate use AAA.
        N: Current UI need not authentication.
        P: Authenticate use current UI's password.
    Int  : The physical location of UIs.

Run the display local-user command to view the local user list.

  <HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username        State    Type   CAR   Access-limit   Online
  ----------------------------------------------------------------------------
  user123         Active   All    Dft   No             0
  ll              Active   F      Dft   No             0
  user1           Active   F      Dft   No             0
  ----------------------------------------------------------------------------
  Total 3,3 printed

5.4 Using Telnet to Log In to Devices

When multiple routers need to be configured and managed, you do not need to maintain each router locally. Instead, you can use Telnet to remotely log in to the routers and perform maintenance, which greatly facilitates device management.

Context

The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.

5.4.1 Before You Start

Before using Telnet to configure user login, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

If you know the IP address of a remote router, you can use Telnet to log in to the router from a local terminal. Telnet login allows you to maintain multiple remote routers from one local terminal, which greatly facilitates device management. Note that router IP addresses must be preset through console ports.

Pre-configuration Tasks

Before using Telnet to configure user login, you must log in to the device through the console port to change the following default configurations on the device. Then users can use Telnet to remotely log in to the device to manage and maintain it.
- Configure the IP address of the management network port on the device and ensure that a reachable route exists between the user terminal and the device
- 5.4.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface, for remote device management and maintenance
- 5.4.3 Enabling the Telnet Service, so that users can remotely log in to the device through Telnet

Data Preparation

Before configuring Telnet user login, you need the following data.

No.  Data
1    - User priority
     - User authentication mode, username, and password
     - (Optional) Maximum number of VTY user interfaces permitted
     - (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
     - (Optional) Connection timeout period of terminal users, number of lines displayed in a terminal screen, number of characters displayed in a terminal screen, and size of the history command buffer
2    IPv4/IPv6 address or host name of the router
3    TCP port number the remote device uses to provide Telnet services, and the VPN instance name

5.4.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface

By default, the user access level of the VTY user interface is 0. To enable a user terminal to use Telnet to remotely log in to the device for maintenance and management, log in to the device using the console port, change the user access level, and set a user authentication mode for the VTY user interface.

Context

In general, the default values of other VTY user interface attributes do not need to be modified. These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY User Interface.

The sequence of the following steps is not fixed, but all the configurations are mandatory.
Procedure

- Configure the user access level of the VTY user interface.

  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       user-interface vty first-ui-number [ last-ui-number ]
     The VTY user interface view is displayed.
  3. Run:
       user privilege level level
     The user access level is set.

     By default, the user access level of the VTY user interface is 0. Table 5-2 describes the relationship between the user access levels and command levels.

  Table 5-2 Association between user access levels and command levels

    User level 0 / command level 0 / Visit level
      This level gives access to commands that run network diagnostic tools, such as ping and tracert, and commands that start from a local device and visit external devices, such as the Telnet client side.

    User level 1 / command levels 0 and 1 / Monitoring level
      This level gives access to commands, such as the display command, that are used for system maintenance and fault diagnosis.
      NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the HUAWEI NetEngine80E/40E Command Reference.

    User level 2 / command levels 0, 1, and 2 / Configuration level
      This level gives access to commands that configure network services provided directly to users, including routing and network layer commands.

    User levels 3-15 / command levels 0, 1, 2, and 3 / Management level
      This level gives access to commands that control basic system operations and provide support for services. These commands include file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, and debugging commands for fault diagnosis.

  NOTE
  - Different user access levels are associated with different command levels. A user at a certain access level can use only commands whose level is less than or equal to the command level of the user. This helps ensure the security of the device.
  - If the configured command level of the user interface conflicts with the operation rights of the username, the operation rights of the username take precedence.

- Configure the user authentication mode of the VTY user interface. Two authentication modes are available: password authentication and AAA authentication.

  - Configuring Password Authentication

    1. Run:
         system-view
       The system view is displayed.
    2. Run:
         user-interface vty first-ui-number [ last-ui-number ]
       The VTY user interface view is displayed.
    3. Run:
         authentication-mode password
       The authentication mode is set to password authentication.
    4. Run:
         set authentication password [ cipher password ]
       A password for password authentication is set; it is stored in encrypted form.

       NOTE
       Passwords must meet the following requirements:
       - If you do not enter cipher, the password is entered in man-machine interaction mode, and the system does not display the characters you type. The password is a string of 8 to 16 case-sensitive characters and must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. A special character is any character except the question mark (?) and the space.
       - When you enter cipher, the password can be entered in either plaintext or ciphertext.
       - When you enter the password in plaintext, the password requirements are the same as those when you do not enter cipher.
       - When you enter the password in ciphertext, the password must be a string of 56 consecutive characters.
       The password is displayed in ciphertext in the configuration file regardless of whether you entered it in plaintext or ciphertext.

  - Configuring AAA Authentication

    When the user authentication mode of the VTY user interface is set to AAA authentication, the access type of the local user must be specified. A management user belongs to the default_admin domain by default.

    1. Run:
         system-view
       The system view is displayed.
    2. Run:
         aaa
       The AAA view is displayed.
    3. Run:
         local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password }
       A username and password for the local user are created.
    4. Run:
         local-user user-name service-type telnet
       The access type of the local user is set to Telnet.
    5. Run:
         quit
       You have exited the AAA view.
    6. Run:
         user-interface vty first-ui-number [ last-ui-number ]
       The VTY user interface view is displayed.
    7. Run:
         authentication-mode aaa
       The authentication mode is set to AAA authentication.

----End

5.4.3 Enabling the Telnet Service

Before a user terminal establishes a Telnet connection with the device, log in to the device through the console interface to enable the Telnet server function on the device. Then the user terminal can use Telnet to remotely log in to the device.

Context

By default, the Telnet server function is enabled.

On the device that serves as a Telnet server, select and perform the following steps for either IPv4 or IPv6.

Procedure

- For the IPv4 network
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       telnet server enable
     The Telnet service is enabled.

- For the IPv6 network
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       telnet ipv6 server enable
     The Telnet service is enabled.
NOTE
- If the undo telnet [ ipv6 ] server enable command is run while a user is logged in through Telnet, the command does not take effect.
- After the Telnet server function is disabled, you can only use SSH or an asynchronous serial port (rather than Telnet) to log in to the device.

----End

5.4.4 Using Telnet to Log In to the Device

After a remote device is configured, use Telnet to log in to the device from a terminal and perform remote maintenance on the device.

Context

Use either the Windows CLI or third-party software on the terminal to log in to the router through Telnet. This section describes how to use the Windows command line prompt.

On the user terminal, perform the following steps:

Procedure

Step 1 Open the Windows CLI.

Step 2 Run the telnet ip-address command to telnet to the device.

1. Enter the IP address of the Telnet server, as shown in Figure 5-10.

   Figure 5-10 Windows CLI

2. Press Enter to display the command line prompt, such as <HUAWEI>, for the system view. This indicates that you have accessed the Telnet server. If the password or AAA authentication mode has been set on the device, you must enter the login user name and password, and press Enter. The command line prompt of the user view is displayed, as shown in Figure 5-11.

   Figure 5-11 Login

----End

5.4.5 (Optional) Configuring the Listening Port Number of the Telnet Server

Setting appropriate parameters for the Telnet server, such as the listening port number and source interface, improves network security.

Context

- Listening port number

  By default, the listening port number of a Telnet server is 23. Users can use the default listening port number to directly log in to the router. Attackers may access the default listening port, which consumes bandwidth, deteriorates server performance, and causes authorized users to be unable to access the server. After the listening port number of the Telnet server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.

- Source interface

  By default, a Telnet server receives connection requests from all interfaces, and therefore the system is vulnerable to attacks. To enhance system security, you can specify the source interface of the Telnet server. This sets a login condition, so that only authorized users can log in to the Telnet server. After the source interface is specified, the system only allows Telnet users to log in to the Telnet server through this source interface, and Telnet users logging in through other interfaces are denied. Note that setting this parameter only affects Telnet users that attempt to log in to the Telnet server; it does not affect Telnet users that have already logged in to the server.

Perform the following on the router that functions as a Telnet server:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Configure Telnet server parameters.

- Run:
    telnet server port port-number
  The listening port number of the Telnet server is set. If a new listening port number is set, the Telnet server terminates all established Telnet connections and uses the new port number to listen for new Telnet connection requests.

- Run:
    telnet server-source -i loopback interface-number
  The source interface of the Telnet server is set.
NOTE
Before specifying the source interface of the Telnet server, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface has not been created, the telnet server-source command cannot be correctly executed.

----End

5.4.6 (Optional) Configuring Telnet Access Control

An ACL can be configured to allow only specified clients to access a Telnet server.

Context

When a device functions as a Telnet server, you can configure an ACL to allow only the clients that meet the rules specified in the ACL to access the Telnet server.

Do as follows on the device that functions as a Telnet server:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] } [ match-order { auto | config } ]
or
  acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ]
The ACL or ACL6 view is displayed.

Step 3 Run:
  rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
or
  rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
The ACL or ACL6 rule is configured.

NOTE
- By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose source IP addresses match the ACL rule with a permit action can log in to the device. In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from logging in to the device while allowing the other users to log in to the device:
    rule deny source 10.1.1.10 0
    rule permit source any
  If the rule permit source any command is not configured, users whose source IP addresses are not 10.1.1.10 will also be prohibited from logging in to the device.
- If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from logging in to the device.
- If the ACL referenced by FTP does not contain any rules or does not exist, any user can log in to the device.

Step 4 Run:
  quit
The system view is displayed.

Step 5 Run:
  telnet [ ipv6 ] server acl { acl-number | acl-name }
An ACL is configured to filter Telnet users.

----End

5.4.7 Checking the Configuration

After you use Telnet to log in to the system, you can view the connection status of each user interface, including the current user interface, and the status of all established TCP connections.

Prerequisites

Telnet login configurations are complete.

Procedure
- Run the display users [ all ] command to check information about users logged in to user interfaces.
- Run the display tcp status command to check TCP connections.
- Run the display telnet server status command to check the configuration and status of the Telnet server.

----End

Example

Run the display users command to view information about the currently used user interface.

  <HUAWEI> display users
    User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
    34  VTY 0    00:00:12  TEL    10.138.77.38                     no
    Username : Unspecified
  + 35  VTY 1    00:00:00  TEL    10.138.77.57                     no
    Username : Unspecified

Run the display tcp status command to view TCP connections. In the command output, Established indicates that a TCP connection has been established.

  <HUAWEI> display tcp status
  TCPCB     Tid/Soid   Local Add:port        Foreign Add:port     VPNID   State
  39952df8  36 /1509   0.0.0.0:0             0.0.0.0:0            0       Closed
  32af9074  59 /1      0.0.0.0:21            0.0.0.0:0            14849   Listening
  34042c80  73 /17     10.164.39.99:23       10.164.6.13:1147     0       Established

Run the display telnet server status command to view the configuration and status of the Telnet server.

  <HUAWEI> display telnet server status
    TELNET IPV4 server              :Enable
    TELNET IPV6 server              :Enable
    TELNET server port              :23
    TELNET Server Source address    :0.0.0.0
    ACL4 number                     :0
    ACL6 number                     :0

5.5 Using STelnet to Log In to Devices

STelnet provides secure remote access over an insecure network. After the client/server negotiation is complete and a secure connection is established, STelnet login is similar to Telnet login.

5.5.1 Before You Start

Before configuring users to log in using STelnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

Telnet logins present security risks because no secure authentication mechanism exists and data is transmitted over TCP in plain text. Unlike Telnet, SSH authenticates clients and encrypts data in both directions to guarantee secure transmissions on a conventionally insecure network. SSH supports STelnet and SFTP. STelnet is a secure Telnet protocol. SSH users can use the STelnet service in the same way they use the Telnet service.
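The three display outputs in 5.4.7 are exactly what an operator has to read to decide whether a router still exposes plaintext Telnet in the way the paragraph above warns against. The audit below is an added example for this guide, not Huawei code and not a Huawei tool: it parses the text of display tcp status and display telnet server status (the sample output is reconstructed from this chapter, and the hardened variant is constructed) and reports the findings that correspond to the hardening steps of 5.4.5 and 5.4.6 (non-default port, bound source address, ACL applied) and to the STelnet recommendation.

```python
"""Audit a router's Telnet exposure from 'display tcp status' and
'display telnet server status' text. Added example, not Huawei code; the
sample outputs are reconstructed from this chapter (weak) and constructed
(hardened), so the script runs offline."""
import re

# Reconstructed from the chapter's 5.4.7 example (header row normalised).
TCP_STATUS = """\
TCPCB     Tid/Soid   Local Add:port        Foreign Add:port     VPNID   State
39952df8  36 /1509   0.0.0.0:0             0.0.0.0:0            0       Closed
32af9074  59 /1      0.0.0.0:21            0.0.0.0:0            14849   Listening
34042c80  73 /17     10.164.39.99:23       10.164.6.13:1147     0       Established
"""

# Reconstructed from the chapter: defaults, everything wide open.
SERVER_STATUS = """\
TELNET IPV4 server              :Enable
TELNET IPV6 server              :Enable
TELNET server port              :23
TELNET Server Source address    :0.0.0.0
ACL4 number                     :0
ACL6 number                     :0
"""

# Constructed: Telnet disabled in favour of STelnet, non-default port,
# loopback source address and an ACL, as 5.4.5 / 5.4.6 describe.
HARDENED_STATUS = """\
TELNET IPV4 server              :Disable
TELNET IPV6 server              :Disable
TELNET server port              :2323
TELNET Server Source address    :10.255.0.1
ACL4 number                     :3001
ACL6 number                     :0
"""

TCP_ROW = re.compile(
    r"^(?P<tcpcb>[0-9a-f]+)\s+(?P<tid>\d+)\s*/(?P<soid>\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+"
    r"(?P<vpn>\d+)\s+(?P<state>\w+)\s*$")


def parse_tcp_status(text):
    """Return one dict per socket row; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"], row["fport"] = int(row["lport"]), int(row["fport"])
            rows.append(row)
    return rows


def parse_server_status(text):
    """'Key   :Value' lines into a dict, keys and values stripped."""
    kv = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            kv[key.strip()] = value.strip()
    return kv


def audit_telnet(tcp_text, server_text):
    """List human-readable findings; an empty list means nothing to flag."""
    findings = []
    srv = parse_server_status(server_text)
    port = int(srv.get("TELNET server port", 23))
    if "Enable" in (srv.get("TELNET IPV4 server"), srv.get("TELNET IPV6 server")):
        findings.append("telnet-enabled: plaintext Telnet service is on; STelnet is recommended")
    if port == 23:
        findings.append("default-port: Telnet server listens on the default port 23")
    if srv.get("TELNET Server Source address") == "0.0.0.0":
        findings.append("any-source: no source interface bound, requests accepted on all interfaces")
    if srv.get("ACL4 number") == "0" and srv.get("ACL6 number") == "0":
        findings.append("no-acl: no ACL restricts which clients may reach the Telnet server")
    for row in parse_tcp_status(tcp_text):
        if row["lport"] != port:
            continue
        if row["state"] == "Listening":
            findings.append(f"listening: Telnet socket open on {row['laddr']}:{port}")
        elif row["state"] == "Established":
            findings.append(f"session: Telnet session from {row['faddr']}:{row['fport']} to {row['laddr']}")
    return findings


if __name__ == "__main__":
    for label, status in (("as delivered", SERVER_STATUS), ("hardened", HARDENED_STATUS)):
        print(f"--- {label}")
        for finding in audit_telnet(TCP_STATUS, status) or ["no findings"]:
            print(" ", finding)
```

The established row on port 23 is reported against the configured server port rather than a hard-coded 23, so the session check still works after the port has been moved with telnet server port.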
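The NOTE in 5.4.6 states four rules for how an ACL applied with telnet server acl is evaluated against login packets: rules are checked in order, a client that matches no rule is denied, omitting rule permit source any therefore locks everyone out, and an ACL that is missing or empty admits every client. The model below is an added example, not Huawei code and not the router's ACL engine; it reproduces those rules so the effect of a candidate ACL can be tried offline before it is applied. The wildcard-mask handling (bits set in the mask are ignored) goes slightly beyond the host-only rules on the page, and the sample addresses other than 10.1.1.10 are constructed.

```python
"""Offline model of Telnet login filtering by a basic ACL (5.4.6).
Added example, not Huawei code: first matching rule wins, no match means
deny, and a missing or empty ACL allows every client."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    source: str           # "any" or a dotted IPv4 address
    wildcard: str = "0"   # wildcard mask; "0" means exact host match


def parse_rule(line: str) -> Rule:
    """Parse 'rule [id] {permit|deny} source {addr wildcard | any}'."""
    tok = line.split()
    if tok and tok[0] == "rule":
        tok = tok[1:]
    if tok and tok[0].isdigit():          # optional rule-id
        tok = tok[1:]
    if len(tok) < 3 or tok[0] not in ("permit", "deny") or tok[1] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    if tok[2] == "any":
        return Rule(tok[0], "any")
    return Rule(tok[0], tok[2], tok[3])


def _matches(rule: Rule, client: str) -> bool:
    if rule.source == "any":
        return True
    src = int(ipaddress.IPv4Address(rule.source))
    cl = int(ipaddress.IPv4Address(client))
    wc = int(ipaddress.IPv4Address(rule.wildcard)) if "." in rule.wildcard else int(rule.wildcard)
    # Bits set in the wildcard are "don't care"; every other bit must match.
    return (src & ~wc) == (cl & ~wc)


def telnet_login_allowed(acl: list[Rule] | None, client: str) -> bool:
    """Apply the chapter's semantics to one client address."""
    if not acl:            # ACL does not exist or has no rules: no filtering
        return True
    for rule in acl:       # config order; first match decides
        if _matches(rule, client):
            return rule.action == "permit"
    return False           # implicit deny for login packets


if __name__ == "__main__":
    page_example = [parse_rule("rule deny source 10.1.1.10 0"),
                    parse_rule("rule permit source any")]
    without_permit_any = page_example[:1]
    for client in ("10.1.1.10", "10.1.1.11"):
        print(client, "with permit any:", telnet_login_allowed(page_example, client),
              "| without:", telnet_login_allowed(without_permit_any, client))
```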
Pre-configuration Tasks Before configuring users to log in using STelnet, you must log in to the device through the console port to change the following default configurations on the device. Then users can remotely log in to the device using Telnet to manage and maintain the device. l Configure the IP address of the management network port on the device and ensure that a reachable route exists between the user terminal and the device l Configure the user access level and authentication mode of the VTY user interface for remote device management and maintenance. l Configure the VTY user interface to support the SSH protocol, configure the SSH user and specify STelnet as a service mode for the SSH user, and enable the STelnet server function so that the user can remotely log in to the device through STelnet Data Preparation To configure users to log in using STelnet, you need the following data: Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 102 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 5 Configuring User Login No. 
Data 1 User authentication mode, username, password, (optional)maximum number of VTY user interfaces permitted, (optional) ACL for restricting incoming and outgoing calls on VTY user interfaces, (optional)connection timeout period for terminal users, number of rows displayed in a terminal screen, and size of the history command buffer 2 Username, password, authentication mode, and service type of an SSH user, and remote public Revest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA) key pair allocated to the SSH user 3 (Optional) Name of an SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the STelnet client to the SSH server, preferred encryption algorithm from the SSH server to the STelnet client, preferred Hashed message authentication code (HMAC) algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from the SSH server to the STelnet client, preferred algorithm for key exchange, name of the outgoing interface, and source address 5.5.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface By default, the user access level is 0. Before logging in to the device using STelnet for maintenance and management, you must log in to the device through the console port to change the user access level, and set a user authentication mode. Context In general, the default values of other VTY user interface attributes do not need to be modified. These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY User Interface. The sequence of the following steps is not fixed but all the configurations are mandatory. Procedure l Configure the user access level of the VTY user interface. 1. Run: system-view The system view is displayed. 2. Run: user-interface vty first-ui-number [ last-ui-number ] The VTY user interface view is displayed. 3. Run: user privilege level level The user access level is set. 
By default, the user access level of the VTY user interface is 0. Table 5-3 describes the relationship between user access levels and command levels.

Table 5-3 Association between user access levels and command levels
User Level | Command Level | Level Name | Description
0 | 0 | Visit level | Commands that run network diagnostic tools, such as ping and tracert, and commands that start from the local device and access external devices, such as the Telnet client.
1 | 0 and 1 | Monitoring level | Commands used for system maintenance and fault diagnosis, such as display commands. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see HUAWEI NetEngine80E/40E Command Reference.
2 | 0, 1, and 2 | Configuration level | Commands that configure network services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | Commands that control basic system operations and provide support for services: file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, and debugging commands for fault diagnosis.

NOTE
- Different user access levels are associated with different command levels. A user at a given access level can run only commands whose level is less than or equal to the user's access level. This helps ensure the security of the device.
- If the command level configured on the user interface conflicts with the operation rights of the user name, the operation rights of the user name take precedence.

- Configure the user authentication mode of the VTY user interface.
When the authentication mode of the VTY user interface is set to AAA authentication, the access type of the local user must be specified.
1. Run: system-view
The system view is displayed.
2. Run: aaa
The AAA view is displayed.
3. Run: local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-cipher-password }
A user name and password for the local user are created.
NOTE
A default user name root and password Changeme_123 for the initial login are loaded in the configuration file of the device before delivery. Do not clear this configuration; otherwise, you cannot log in to the device. After you log in for the first time, change the user name and password for security.
4. Run: local-user user-name service-type ssh
The access type of the local user is set to SSH.
5. Run: quit
The system view is displayed.
6. Run: user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
7. Run: authentication-mode aaa
The authentication mode is set to AAA authentication.
----End

5.5.3 Configuring SSH for the VTY User Interface
For users to log in to the device using STelnet, VTY user interfaces must be configured to support SSH.

Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH for users to log in to the device using STelnet.
NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.
Perform the following steps on the router that serves as the SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
Step 3 Run: authentication-mode aaa
The AAA authentication mode is configured.
Step 4 Run: protocol inbound ssh
The VTY user interface is configured to support SSH.
----End

5.5.4 Configuring an SSH User and Specifying the Service Types
To implement STelnet access, configure a Secure Shell (SSH) user, create a local Rivest-Shamir-Adleman (RSA) or Digital Signature Algorithm (DSA) key pair, configure a user authentication mode, and specify a service type for the SSH user.

Context
- The following SSH user authentication modes are available: RSA, DSA, password, password-RSA, password-DSA, and all. Password authentication depends on Authentication, Authorization and Accounting (AAA). Before a user logs in to the device in password, password-RSA, or password-DSA authentication mode, you must create a local user with the same user name in the AAA view.
  – Password-RSA authentication requires both password authentication and RSA authentication to succeed.
  – Password-DSA authentication requires both password authentication and DSA authentication to succeed.
  – All authentication succeeds if any one of password authentication, DSA authentication, or RSA authentication succeeds.
- The device must be configured to generate a local RSA or DSA key pair, which is a key part of the SSH login process. If an SSH user logs in to the SSH server in password authentication mode, configure the server to generate a local RSA or DSA key pair. If an SSH user logs in to the SSH server in RSA or DSA authentication mode, configure both the server and the client to generate local RSA or DSA key pairs. RSA and DSA are the public key algorithms used for authentication in SSH.
DSA is a signature-only algorithm and, unlike RSA, cannot be used for encryption. It was the mandatory public key algorithm in early SSH2.0 implementations, so some SSH software supports only DSA for authenticating the server and the client. When the RSA or DSA authentication mode is used, the user level of the login user is determined by the user level of the VTY user interface used for login.
Perform the following operations on the router that functions as the SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh user user-name
An SSH user is created. If password authentication is configured for the SSH user, create a local user with the same name in the AAA view:
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-cipher-password } command to configure a local user name and password.
Step 3 Create an RSA or DSA key pair.
- Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE
- Run the rsa local-key-pair create command to generate a local key pair before completing other SSH configurations. The minimum length of the server key pair and the host key pair is 512 bits, and the maximum length is 2048 bits. The default length of a local key pair is 2048 bits. After an upgrade, if the original key pair is shorter than 1024 bits, running the rsa local-key-pair create command to generate a new local key pair is recommended.
- After a local key pair is generated, you can run the display rsa local-key-pair public command to view the public key in the local key pair.
- To clear the local RSA key pair, run the rsa local-key-pair destroy command. It destroys all local RSA key pairs, including the local key pair and the server key pair.
Check that all local RSA key pairs have been destroyed after running the rsa local-key-pair destroy command. The rsa local-key-pair destroy command takes effect only once and therefore is not saved in the configuration file.
- Run the dsa local-key-pair create command to create a local DSA key pair.
NOTE
- You must run the dsa local-key-pair create command to generate a local key pair before completing other SSH configurations. The length of the server key pair and the host key pair can be 512 bits, 1024 bits, or 2048 bits. By default, the length of the key pair is bits.
- After a local key pair is generated, you can run the display dsa local-key-pair public command to view the public key in the local key pair.
- To clear the local DSA key pair, run the dsa local-key-pair destroy command. It destroys all local DSA key pairs, including the local key pair and the server key pair. Check that all local DSA key pairs have been destroyed after running the command. The dsa local-key-pair destroy command takes effect only once and therefore is not saved in the configuration file.
Step 4 Perform the operations described in Table 5-4 based on the configured SSH user authentication mode.

Table 5-4 Configuring an authentication mode for the SSH user

Operation: Configure password authentication
Commands:
1. Run the ssh user user-name authentication-type password command.
2. Run the aaa command to enter the AAA view.
3. Run the local-user user-name password { cipher | irreversible-cipher } password command to configure the user name and password of the local user. The user name must be the same as the SSH user name.
4. Run the local-user user-name service-type ssh command to set the access type of the local user to SSH.
Description: If local or HuaWei Terminal Access Controller Access Control System (HWTACACS) authentication is used and there are only a few users, use password authentication. By default, all administrators are in the domain default_admin.

Operation: Configure the default password authentication
Command: Run the ssh authentication-type default password command.
Description: When a TACACS server is used to authenticate SSH logins, the network administrator has to define the SSH users on the TACACS server, but in most cases the SSH server cannot obtain the user information from the TACACS server. To resolve this, run the ssh authentication-type default password command to set password authentication as the default authentication mode; users defined only on the TACACS server can then log in to the SSH server.

Operation: Configure RSA authentication
Commands:
1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
2. Run the rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] command to set the encoding format of the RSA public key and enter the RSA public key view. The default encoding format is distinguished encoding rules (DER). Before V600R006C00, Huawei data communications devices support only the DER format for RSA keys; if you have an RSA key in another format, use a third-party tool to convert it to DER. Since V600R006C00, the privacy-enhanced mail (PEM) and OpenSSH formats are also supported to improve usability. Third-party software such as SecureCRT, PuTTY, OpenSSH, and OpenSSL generates RSA keys in different formats: SecureCRT and PuTTY generate RSA keys in PEM format, OpenSSH generates RSA keys in OpenSSH format, and OpenSSL generates RSA keys in DER format.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key. In the public key edit view, only hexadecimal strings that comply with the public key format can be entered. The key is generated on the SSH client; for detailed operations, see the manual of the SSH client software. After entering the public key edit view, paste the RSA public key generated on the client.
5. Run the public-key-code end command to exit the public key edit view.
6. Run the peer-public-key end command to return to the system view. The peer-public-key end command generates the key only if valid hex-data complying with the public key format has been entered. If the peer-public-key end command is run after the key key-name specified in step 2 has been deleted in another window, the system prompts that the key does not exist and returns to the system view.
7. Run the ssh user user-name assign rsa-key key-name command to assign the public key to the SSH user.

Operation: Configure DSA authentication
Commands:
1. Run the ssh user user-name authentication-type dsa command to configure DSA authentication.
2. Run the dsa peer-public-key key-name encoding-type { der | openssh | pem } command to set the encoding format of the DSA public key and enter the DSA public key view. Before V600R006C00, Huawei data communications devices support the DER and PEM formats for DSA keys; if you have a DSA key in another format, use a third-party tool to convert it to DER or PEM. Since V600R006C00, the OpenSSH format is also supported to improve usability.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key. In the public key edit view, only hexadecimal strings that comply with the public key format can be entered. The key is generated on the SSH client; for detailed operations, see the manual of the SSH client software. After entering the public key edit view, paste the DSA public key generated on the client.
5. Run the public-key-code end command to exit the public key edit view.
6. Run the peer-public-key end command to return to the system view. The peer-public-key end command generates the key only if valid hex-data complying with the public key format has been entered. If the peer-public-key end command is run after the key key-name specified in step 2 has been deleted in another window, the system prompts that the key does not exist and returns to the system view.
7. Run the ssh user user-name assign dsa-key key-name command to assign the public key to the SSH user.

Step 5 (Optional) Configure command line authorization for SSH users.
Run: ssh user user-name authorization-cmd aaa
Command line authorization is configured for the specified SSH user. After configuring command line authorization for an SSH user that uses RSA authentication, you must also configure AAA authorization.
Otherwise, the command line authorization for the SSH user does not take effect.
Step 6 Run: ssh user user-name service-type { stelnet | all }
The service type of the SSH user is configured. By default, the service type of the SSH user is not configured.
----End

5.5.5 Enabling the STelnet Server Function
By default, the STelnet server function is disabled. Before a user terminal logs in to the device using STelnet, you must log in to the device through the console interface and enable the STelnet server function.

Context
Users can establish STelnet connections to the device only after the STelnet server function is enabled on it. Perform the following steps on the device serving as the SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stelnet server enable
The STelnet server function is enabled. By default, it is disabled.
----End

5.5.6 Using STelnet to Log In to the Device
After you log in to the device through the console interface and complete the required configurations, users can log in to the device from remote terminals using the Secure Shell (SSH) protocol to maintain it remotely.

Context
Third-party software can be used on a terminal for STelnet login. This section describes the use of the third-party software OpenSSH from the Windows CLI. After installing OpenSSH on the user terminal, perform the following steps on the user terminal:
NOTE
For details about how to install OpenSSH, see the software installation guide. For details about how to use OpenSSH commands to log in to the system, see the software help.

Procedure
Step 1 Open the Windows CLI.
Step 2 Run the required OpenSSH commands to log in to the router in STelnet mode, as shown in Figure 5-12.
Figure 5-12 Logging in to the device in STelnet mode
----End

5.5.7 (Optional) Configuring the STelnet Server Parameters
You can configure the device to be compatible with earlier versions of the SSH protocol, configure or change the listening port number of the SSH server, set the interval at which the key pair of the SSH server is updated, specify the source interface, and restrict clients with an ACL.

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Perform any of the operations in Table 5-5 as needed.

Table 5-5 Server parameters

Server parameter: Interval at which the key pair of the SSH server is updated
Command: Run the ssh server rekey-interval interval command.
Description: When the timer expires, the server key pair is regenerated automatically, which limits how long a compromised server key remains useful. By default, the interval is 0, indicating that the key pair is never updated.

Server parameter: Timeout period of SSH authentication
Command: Run the ssh server timeout seconds command.
Description: If a user has not logged in when the authentication timeout period expires, the system tears down the connection to ensure system security. By default, the timeout period is 60 seconds.

Server parameter: Number of SSH authentication retries
Command: Run the ssh server authentication-retries times command.
Description: The retry limit denies access to invalid users by bounding the number of guesses per connection. By default, a maximum of 3 retries is allowed.

Server parameter: Compatibility with earlier SSH versions
Command: Run the ssh server compatible-ssh1x enable command.
Description: There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure, supports more authentication modes and key exchange methods than SSH1.X, and eliminates security risks that SSH1.X has; it also supports more advanced services such as SFTP. SSH2.0 is more secure and therefore recommended. The HUAWEI NetEngine80E/40E supports SSH versions 1.3 to 2.0. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.
NOTE: If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk.

Server parameter: Listening port number of the SSH server
Command: Run the ssh server port port-number command.
Description: The default listening port number is 22, and users can log in using it. Attackers may probe the default port, which consumes bandwidth, degrades server performance, and can prevent authorized users from accessing the server. Changing the listening port keeps the service out of untargeted scans of port 22; it does not hide the port from a full port scan, so combine it with an ACL and strong authentication rather than relying on it alone. If a new listening port is set, the SSH server tears down all established STelnet and SFTP connections and listens for connection requests on the new port. By default, the listening port number is 22.

Server parameter: Source interface
Command: Run the ssh server-source -i loopback interface-number command.
Description: By default, the SSH server accepts connection requests on all interfaces, which exposes it to attacks. Specifying a source interface sets a login condition: only SFTP or STelnet users that reach the server through that interface can log in, and users arriving through other interfaces are denied. This setting affects only new login attempts, not SFTP or STelnet users that are already logged in. Before specifying the source interface, ensure that the loopback interface has been created; otherwise, the ssh server-source command cannot be executed correctly.

Server parameter: ACL on the SSH server
Command: Run the ssh server acl acl-number or ssh ipv6 server acl acl-number command.
Description: Specifies the clients that are allowed to access the IPv4 or IPv6 SSH server. This prevents unauthorized clients from reaching the SSH server and protects data security.
----End

5.5.8 Checking the Configuration
After configuring users to log in using STelnet, you can view the SSH server configuration.

Prerequisites
STelnet login configurations are complete.
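The RSA and DSA rows of Table 5-4 in section 5.5.4 require the client's public key to be typed into the public key edit view as hex-data, and the guide leaves producing the right encoding to third-party tools. The following Python script is an added example, not code from this guide or from Huawei: it parses an OpenSSH `ssh-rsa` public key line (the format ssh-keygen writes), re-encodes the key as a PKCS#1 RSAPublicKey in DER, refuses moduli shorter than 2048 bits, and prints the peer-public-key command sequence from Table 5-4 with the hex split into lines. That the router's DER encoding type expects exactly the PKCS#1 RSAPublicKey structure is this example's assumption; the guide does not name the ASN.1 structure, so if the device rejects the key, use encoding-type openssh and paste the OpenSSH line unchanged, or compare the hex with what display rsa peer-public-key shows for a key that was accepted. The key name client001 and the sample modulus are constructed for the example and are not a real key.

```python
"""Added example (not from the Huawei guide): turn an OpenSSH ssh-rsa public
key line into the hex-data and commands used by the RSA rows of Table 5-4.
Assumption: encoding-type der expects a PKCS#1 RSAPublicKey structure."""
import base64
import struct

MIN_RSA_BITS = 2048  # RSA-1024 or shorter is considered weak; refuse it


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH wire 'mpint': big-endian, with a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_openssh_rsa(e: int, n: int, comment: str = "constructed") -> str:
    """Build an 'ssh-rsa AAAA... comment' line; used here only to construct sample input."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_openssh_rsa(line: str) -> tuple[int, int]:
    """Return (e, n) from an OpenSSH public key line; anything but ssh-rsa is rejected."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa' public key line")
    blob = base64.b64decode(parts[1])
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def _der_length(length: int) -> bytes:
    """DER length octets: one byte below 128, otherwise 0x80|count followed by the length."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02); a leading 0x00 keeps large values positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_length(len(raw)) + raw


def der_rsa_public_key(e: int, n: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def peer_public_key_commands(key_name: str, line: str) -> list[str]:
    """The RSA command sequence of Table 5-4, with hex-data split into 64-character lines."""
    e, n = parse_openssh_rsa(line)
    if n.bit_length() < MIN_RSA_BITS:
        raise ValueError(f"modulus is {n.bit_length()} bits; need at least {MIN_RSA_BITS}")
    hex_data = der_rsa_public_key(e, n).hex().upper()
    chunks = [hex_data[i:i + 64] for i in range(0, len(hex_data), 64)]
    return [f"rsa peer-public-key {key_name} encoding-type der",
            "public-key-code begin", *chunks,
            "public-key-code end", "peer-public-key end"]


if __name__ == "__main__":
    # Constructed sample: e = 65537 and a synthetic 2048-bit modulus, not a real key.
    sample_line = encode_openssh_rsa(65537, (1 << 2047) | 0x10001)
    print("\n".join(peer_public_key_commands("client001", sample_line)))
```

Run as a script, it prints the command block for the synthetic key; in practice pass the contents of the id_rsa.pub file that ssh-keygen -t rsa -b 2048 writes on the client. The 2048-bit floor follows the algorithm notice at the start of this guide: the router will accept a 1024-bit key, but a tool that refuses it is cheaper than a key rotation later.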
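The Procedure below says which display commands to run but not which values in their output deserve attention. The following Python script is an added example, not from this guide: it parses display ssh server status output in the "label :value" layout shown in the Example below and flags the settings that Table 5-5 in section 5.5.7 lets you tighten: an SSH version of 1.99 (the server still accepts SSH1.X clients), a key generating interval of 0 (the server key pair is never regenerated), a source of 0.0.0.0 (listening on all interfaces), ACL numbers of 0, and retry or timeout values above the defaults. The first sample output is a copy of the guide's example; the second is constructed to show what a hardened server is assumed to display (a version of 2.0 once SSH1.X compatibility is disabled, a loopback address as the source, a non-zero ACL number); confirm those expectations against your own device. The listening port is not part of this display output, so the script cannot check it.

```python
"""Added example (not from the Huawei guide): flag weak settings in the
output of 'display ssh server status' (section 5.5.8) using the knobs in Table 5-5.
The hardened values below are this example's assumptions, not guide statements."""

# Constructed sample: a copy of the guide's example output, prompt line included.
SAMPLE_STATUS = """\
<HUAWEI> display ssh server status
 SSH version                       :1.99
 SSH connection timeout            :60 seconds
 SSH server key generating interval:0 hours
 SSH authentication retries        :3 times
 SFTP server                       :Disable
 Stelnet server                    :Enable
 SSH server source                 :0.0.0.0
 ACL4 number                       :0
 ACL6 number                       :0
"""

# Constructed sample: what the same device is assumed to show after
# undo ssh server compatible-ssh1x enable, ssh server rekey-interval,
# ssh server-source -i loopback and ssh server acl have been configured.
HARDENED_STATUS = """\
<HUAWEI> display ssh server status
 SSH version                       :2.0
 SSH connection timeout            :60 seconds
 SSH server key generating interval:24 hours
 SSH authentication retries        :3 times
 SFTP server                       :Disable
 Stelnet server                    :Enable
 SSH server source                 :10.255.0.1
 ACL4 number                       :2000
 ACL6 number                       :0
"""


def parse_status(text: str) -> dict[str, str]:
    """Split each 'label :value' line at the first colon; lines without one (the prompt) are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        fields[" ".join(label.split())] = value.strip()
    return fields


def _leading_int(value: str) -> int:
    """'60 seconds' -> 60, '0 hours' -> 0; anything non-numeric counts as 0."""
    parts = value.split()
    return int(parts[0]) if parts and parts[0].isdigit() else 0


def audit_status(fields: dict[str, str]) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []
    if fields.get("SSH version") == "1.99":
        findings.append("SSH1.X clients still accepted (version 1.99): "
                        "run 'undo ssh server compatible-ssh1x enable'")
    if _leading_int(fields.get("SSH server key generating interval", "")) == 0:
        findings.append("server key pair is never regenerated: set 'ssh server rekey-interval'")
    if _leading_int(fields.get("SSH authentication retries", "")) > 3:
        findings.append("authentication retries above the default of 3 ease password guessing")
    if _leading_int(fields.get("SSH connection timeout", "")) > 60:
        findings.append("authentication timeout above the default of 60 seconds")
    if fields.get("SSH server source", "0.0.0.0") == "0.0.0.0":
        findings.append("SSH server accepts connections on all interfaces: "
                        "set 'ssh server-source -i loopback <n>'")
    if fields.get("ACL4 number", "0") == "0" and fields.get("ACL6 number", "0") == "0":
        findings.append("no ACL restricts SSH clients: set 'ssh server acl' or 'ssh ipv6 server acl'")
    return findings


def audit_text(text: str) -> list[str]:
    """Convenience wrapper: parse then audit a pasted display output."""
    return audit_status(parse_status(text))


if __name__ == "__main__":
    for name, text in (("guide sample", SAMPLE_STATUS), ("hardened", HARDENED_STATUS)):
        findings = audit_text(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Paste the output of display ssh server status from a device into audit_text to get the same findings for it. The version check is the one most worth automating: 1.99 looks like a version number but is the SSH way of advertising that 1.X clients are still welcome, and the guide's own sample output shows it.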
Procedure
- Run the display ssh user-information [ username ] command on the SSH server to check information about SSH users.
- Run the display ssh server status command on the SSH server to check its configuration.
- Run the display ssh server session command on the SSH server to check the sessions of SSH users.
----End

Example
Run the display ssh user-information username command to view information about a specified SSH user.
<HUAWEI> display ssh user-information client001
 User Name            : client001
 Authentication-type  : password
 User-public-key-name :
 User-public-key-type : RSA
 Sftp-directory       :
 Service-type         : stelnet
 Authorization-cmd    : Yes
If no SSH user is specified, information about all SSH users on the SSH server is displayed.
Run the display ssh server status command to view the SSH server configuration.
<HUAWEI> display ssh server status
 SSH version                       :1.99
 SSH connection timeout            :60 seconds
 SSH server key generating interval:0 hours
 SSH authentication retries        :3 times
 SFTP server                       :Disable
 Stelnet server                    :Enable
 SSH server source                 :0.0.0.0
 ACL4 number                       :0
 ACL6 number                       :0
An SSH version of 1.99 indicates that the server still accepts SSH1.X clients; see the compatibility parameter in Table 5-5.
Run the display ssh server session command. The output shows information about a session between the SSH server and a client.
<HUAWEI> display ssh server session
 Session 1:
   Conn                : VTY 3
   Version             : 2.0
   State               : started
   Username            : client001
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group-exchange-sha1
   Service Type        : stelnet
   Authentication Type : password

5.6 Common Operations After Login
After logging in to the router, you can perform user level switching, terminal window locking, and other operations as needed.
5.6.1 Before You Start
Before performing any operations after login, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This helps you complete the configuration task quickly and correctly.

Applicable Environment
Configure user level switching and enable messaging between user interfaces so that operators can manage routers safely.

Pre-configuration Tasks
Before performing operations after login, connect the terminal to the router.

Data Preparation
Before performing operations after login, you need the following data:
No. | Data
1 | Password used for switching user levels
2 | Type and number of the user interface
3 | Contents of the message to be sent

5.6.2 Locking User Interfaces
If you must leave your work area, you can lock the user interface on the terminal to prevent unauthorized access.

Context
The user interface can be a console user interface, an AUX user interface, or a VTY user interface.

Procedure
Step 1 Run: lock
The user interface is locked.
Step 2 Follow the system prompts and enter a password that will be required to unlock the user interface.
<HUAWEI> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked. You must enter the previously set password to unlock the user interface.
NOTE
The password must meet the following requirements:
- The password is a string of 8 to 16 case-sensitive characters.
- The password must contain at least two of the following character types: uppercase letters, lowercase letters, digits, and special characters (excluding question marks and spaces).
----End

5.6.3 Sending Messages to Other User Interfaces
Users logged in to different user interfaces can send messages to each other.
Context
Users logged in to the router can send messages from their user interface to users on other user interfaces.

Procedure
Step 1 Run: send { all | ui-type ui-number | ui-number1 }
Messages can be sent between user interfaces.
Step 2 Follow the prompt to enter the message to be sent. Press Ctrl_Z or Enter to finish the message, or Ctrl_C to abort it.
----End

5.6.4 Displaying Login Users
You can query information about login users.

Context
You can query the user name, address, and authentication and authorization information.

Procedure
- Run the display users [ all ] command to view information about logged-in users. If all is specified, information about all users logged in to user interfaces is displayed.
----End

5.6.5 Clearing Logged-in Users
If you want to force a logged-in user to log out of the router, you can tear down the connection between the router and the user.

Context
You can run the display users command to view the users logged in to the router.

Procedure
Step 1 Run: kill user-interface { ui-number | ui-type ui-number1 }
The online user on the specified user interface is cleared.
Step 2 Based on the displayed information, confirm whether the specified logged-in user has been cleared.
----End

5.6.6 Configuring Configuration Locking
When multiple users log in to the router to configure it, configuration conflicts may occur. To prevent these conflicts from affecting services, you can enable the configuration locking function, which allows only one user to configure the device at a time.

Context
Before configuring configuration locking, check whether the configuration set is locked by another user. If no user has locked the configuration set, you can lock it exclusively.
Procedure
Step 1 Run: configuration exclusive
You obtain exclusive configuration access. After the configuration locking function is enabled, only you can perform configurations on the router.
NOTE
- You can run this command in any view.
- If the configuration set is already locked, you cannot lock it again.
- SNMP users share the same configuration right.
- You can run the display configuration-occupied user command to see which user has locked the configuration.
Step 2 Run: system-view
The system view is displayed.
Step 3 Run: configuration-occupied timeout timeout-value
The timeout period for automatically unlocking the configuration is set. After the timeout period expires, the configuration is automatically unlocked and other users can configure the device. By default, the timeout period is 30s.
NOTE
- A user without exclusive configuration access cannot run this command.
- If the configuration set is locked by another user, this command cannot be run.
- If the configuration set is locked by the current user, the current user can run this command.
----End

5.7 Configuration Examples
This section provides several examples describing how to configure users to log in through a console port, Telnet, or STelnet. The configuration examples provide information and diagrams for networking requirements, configuration notes, and configuration roadmaps.

5.7.1 Example for Using a Console Port to Configure User Login
This example describes how to use a console port to configure user login. Login settings that enable access to the router through a console port are configured on a PC.
Networking Requirements
If the default values of the console user interface parameters have been modified, you must set the corresponding parameters on the PC accordingly before you can log in to the router again.
Figure 5-13 Networking diagram for using a console port to log in (PC connected to the Router through the console port)

Configuration Roadmap
1. Connect a PC to the router through the console port.
2. Set login parameters on the PC.
3. Log in to the router.
NOTE
In this example, a terminal emulator is used.

Data Preparation
Communication parameters for the PC (baud rate: 4800 bit/s, data bits: 6, parity: even, stop bits: 2, flow control: none)

Procedure
Step 1 Use a standard RS-232 cable to connect the serial port of the PC to the console port of the router.
Step 2 Run the terminal emulator on the PC. As shown in Figure 5-14 to Figure 5-16, set the communication parameters of the PC: transmission rate 4800 bit/s, data bits 6, parity even, stop bits 2, and flow control none.
Figure 5-14 Connection creation
Figure 5-15 Interface setting
Figure 5-16 Communication parameter settings
Step 3 Power on the router. The system starts automatic configuration and self-check. After the self-check is complete, at the "Password:" prompt, enter the correct authentication password and press Enter. If a prompt such as <HUAWEI> is displayed, the login is complete.
Then, you can enter a command to view the operating status of the router or configure the router.

----End

5.7.2 Example for Logging In Through the AUX Port

In this example, you configure terminal and modem communication parameters so that you can log in to the router through the AUX port.

Networking Requirements

If you cannot configure the router by logging in locally and the router cannot be reached from any other router, connect the serial port of the PC to the AUX port of the router through a modem. The detailed configuration environment is shown in Figure 5-17.

Figure 5-17 Networking diagram for logging in through the AUX port (PC COM port - Modem - PSTN - Modem - Router)

Configuration Roadmap
The configuration roadmap is as follows:
1. Establish the physical connection.
2. Configure the name, authentication mode, and password of a user that logs in.
3. Configure the AUX port to support modem dialup.
4. Configure modem parameters.

Data Preparation
To complete the configuration, you need the following data:
- Type of terminals
- Terminal communication parameters
- User name, password, and authentication mode used for user login, which are huawei, Huawei-123, and password respectively.
- Modem communication parameters

Procedure

Step 1 Establish the physical connection, as shown in Figure 5-17.

Step 2 Configure the AUX port to support modem dialup.
  <HUAWEI> system-view
  [HUAWEI] aaa
  [HUAWEI-aaa] local-user huawei password cipher Huawei-123
  [HUAWEI-aaa] local-user huawei service-type terminal
  [HUAWEI-aaa] local-user huawei level 3
  [HUAWEI-aaa] quit
  [HUAWEI] user-interface aux 0
  [HUAWEI-ui-aux0] authentication-mode aaa
  [HUAWEI-ui-aux0] modem both

Step 3 Configure the modem parameters.
# Start a terminal emulator on the PC.
For details, see section 5.3.2 Logging In to the Router Through an AUX Port. Press Enter on the PC terminal emulator until a modem command line prompt such as ">" appears. Configure the modem to meet the AUX communication requirements. For details, see the modem documentation.

Step 4 Log in to the router. Enter the user name and password in the remote terminal emulation program. After authentication is complete, a command line prompt such as <HUAWEI> appears. Enter commands to check the running status of the router or to configure the router. Enter "?" for help.

----End

5.7.3 Example for Configuring User Login Through Telnet

This example describes how to set parameters for using Telnet to log in to the router. In this configuration example, a user logs in to the router after setting the VTY user interface and user login parameters.

Networking Requirements

You can use a PC or other terminal to log in to a router on another network segment to perform remote maintenance.

Figure 5-18 Networking diagram for login using Telnet (PC - Network - Router GE1/0/1)

After a Telnet user logs in to the router in AAA authentication mode, the Telnet user is prohibited from using this router to log in to another router.

Configuration Roadmap
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the router.
3. Set parameters of the VTY user interface, including limits on call-in and call-out.
4. Set user login parameters.
5. Log in to the router.
Data Preparation
To complete the configuration, you need the following data:
- IP address of the PC
- IP address of the Ethernet interface on the router: 10.137.147.91/16
- Maximum number of VTY user interfaces: 10
- Number of the ACL that is used to prohibit users from logging in to another router: 3001
- Timeout period for disconnecting from the VTY user interface: 20 minutes
- Number of lines a terminal screen displays: 30
- Size of the history command buffer: 20
- Telnet user information (authentication mode: AAA, username: huawei, password: !QAZ@WSX3edc)

Procedure

Step 1 Connect the PC and the router to the network.

Step 2 Configure a login address.
  <HUAWEI> system-view
  [HUAWEI] interface gigabitethernet 1/0/1
  [HUAWEI-GigabitEthernet1/0/1] undo shutdown
  [HUAWEI-GigabitEthernet1/0/1] ip address 10.137.147.91 255.255.0.0
  [HUAWEI-GigabitEthernet1/0/1] quit

Step 3 Configure the VTY user interface on the router.
# Set the maximum number of VTY user interfaces.
  [HUAWEI] user-interface maximum-vty 10
# Configure an ACL that is used to prohibit users from logging in to another router.
  [HUAWEI] acl 3001
  [HUAWEI-acl-adv-3001] rule deny tcp source any destination-port eq telnet
  [HUAWEI-acl-adv-3001] quit
  [HUAWEI] user-interface vty 0 9
  [HUAWEI-ui-vty0-9] acl 3001 outbound
# Set terminal attributes of the VTY user interface.
  [HUAWEI-ui-vty0-9] shell
  [HUAWEI-ui-vty0-9] idle-timeout 20
  [HUAWEI-ui-vty0-9] screen-length 30
  [HUAWEI-ui-vty0-9] history-command max-size 20
# Set the user authentication mode of the VTY user interface.
  [HUAWEI-ui-vty0-9] authentication-mode aaa
  [HUAWEI-ui-vty0-9] quit

Step 4 Set user login parameters on the router.
# Specify the user authentication mode.
  [HUAWEI] aaa
  [HUAWEI-aaa] local-user huawei password irreversible-cipher Huawei-123
  [HUAWEI-aaa] local-user huawei service-type telnet
  [HUAWEI-aaa] local-user huawei level 3
  [HUAWEI-aaa] quit

Step 5 Configure user login.
# Use the command line to telnet to the router. The Telnet login window is shown in Figure 5-19.

Figure 5-19 Telnet login window on the PC

Press Enter, and then enter the username and password in the login window. If user authentication succeeds, a command line prompt such as <HUAWEI> is displayed, indicating that you have entered the user view, as shown in Figure 5-20.

Figure 5-20 Window after login to the router

----End

Configuration Files

Router configuration file
  #
   sysname HUAWEI
  #
  acl number 3001
   rule 5 deny tcp destination-port eq telnet
  #
  aaa
   local-user huawei password irreversible-cipher %$%$#{!{*"|uh/$|z(E0TW=G_Gj~%$%$
   local-user huawei service-type telnet
   local-user huawei state block fail-times 3 interval 5
   local-user huawei level 3
  #
  interface GigabitEthernet1/0/1
   undo shutdown
   ip address 10.137.147.91 255.255.0.0
  #
  user-interface maximum-vty 10
  user-interface con 0
  user-interface vty 0 9
   acl 3001 outbound
   authentication-mode aaa
   history-command max-size 20
   idle-timeout 20 0
   screen-length 30
  #
  return

5.7.4 Example for Using STelnet to Configure User Login

This example describes how to configure user login through STelnet. After generating the local key pair, configuring the SSH user name and password, and enabling the STelnet service on the SSH server, you can connect the STelnet client to the SSH server.
Networking Requirements

As shown in Figure 5-21, after the STelnet service is enabled on the SSH server, an STelnet client can use any authentication mode (password, Rivest-Shamir-Adleman (RSA), password-RSA, Digital Signature Algorithm (DSA), password-DSA, or all) to log in to the SSH server.

NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to the SSH server. This example uses the password authentication mode.

Figure 5-21 Networking diagram for configuring user login through STelnet (PC - Network - SSH Server GE1/0/1 10.137.217.225/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to enable secure data exchange between the STelnet client and the SSH server.
2. Configure a VTY user interface on the SSH server.
3. Configure an SSH client, which involves setting a user authentication mode, a username, and a password.
4. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:
- SSH user authentication mode: password; username: client001; password: Huawei-123
- User level of client001: 3
- IP address of the SSH server: 10.164.39.210

Procedure

Step 1 Generate a local key pair on the server.
  <HUAWEI> system-view
  [HUAWEI] sysname SSH Server
  [SSH Server] rsa local-key-pair create
  The key name will be: HUAWEI_Host
  The range of public key size is (512 ~ 2048).
  NOTES: If the key modulus is greater than 512,
         It will take a few minutes.
  Input the bits in the modulus[default = 2048]: 768
  Generating keys...
  .......++++++++++++
  ..........++++++++++++
  ...................................++++++++
  ......++++++++

Step 2 Configure a VTY user interface.
  [SSH Server] user-interface vty 0 4
  [SSH Server-ui-vty0-4] authentication-mode aaa
  [SSH Server-ui-vty0-4] protocol inbound ssh
  [SSH Server-ui-vty0-4] quit

NOTE
If SSH is configured as the login protocol, the NE80E/40E automatically disables Telnet.

Step 3 Configure the password of SSH user client001 as Huawei-123.
  [SSH Server] aaa
  [SSH Server-aaa] local-user client001 password irreversible-cipher Huawei-123
  [SSH Server-aaa] local-user client001 level 3
  [SSH Server-aaa] local-user client001 service-type ssh
  [SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.
  [SSH Server] ssh user client001 service-type stelnet
  [SSH Server] stelnet server enable
  [SSH Server] ssh user client001 authentication-type password
  [SSH Server] quit

Step 5 Verify the configuration.
# Use PuTTY to log in to the device. Specify the IP address of the device as 10.164.39.210 and the login protocol as SSH, as shown in Figure 5-22.

Figure 5-22 PuTTY configuration

# Log in to the device using PuTTY, entering the username client001 and the password !QAZ@WSX3edc, as shown in Figure 5-23.

Figure 5-23 Logging in to the device using PuTTY

----End
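The configuration files at the end of this example and of the Telnet example in 5.7.3 are what an administrator reviews after the fact. The following script is an added example, not Huawei code: it parses a configuration file in that format and flags the settings this guide calls out (a VTY without protocol inbound ssh, so Telnet is still accepted; a VTY without authentication-mode aaa, an idle timeout, or the outbound ACL used in the Telnet example; a password stored with the plain keyword; and the FTP server of section 6.3 left enabled or without an ftp acl). The sample configuration inside it is constructed, and its password blobs are placeholders.

```python
"""Audit a Huawei VRP configuration file (same layout as the configuration
files shown at the end of the Telnet and STelnet examples) for the login and
file-service settings this guide treats as security-relevant.
Added example, not Huawei code; SAMPLE_CONFIG is constructed and the
%$%$...%$%$ password blob is a placeholder."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, context, message)

# Constructed sample: one hardened VTY block, one weak one, FTP left enabled,
# and one user whose password is stored with the plain keyword.
SAMPLE_CONFIG = """\
#
 sysname SSH Server
#
aaa
 local-user client001 password irreversible-cipher %$%$PLACEHOLDER-BLOB%$%$
 local-user client001 level 3
 local-user client001 service-type ssh
 local-user ftpuser password plain PLACEHOLDER-PASSWORD
 local-user ftpuser service-type ftp
#
ftp server enable
stelnet server enable
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 20 0
user-interface vty 5 9
 authentication-mode none
#
return
"""


def parse_vrp(config: str) -> List[Tuple[str, List[str]]]:
    """Split a VRP config into (view command, [sub-commands]) pairs.
    A line without leading whitespace opens a view; indented lines belong
    to the most recently opened view; '#' lines only separate sections."""
    views: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text in ("#", "return"):
            continue
        if raw[0].isspace() and views:
            views[-1][1].append(text)
        elif raw[0].isspace():
            views.append(("", [text]))      # indented line before any view
        else:
            views.append((text, []))
    return views


def audit(config: str) -> List[Finding]:
    """Return findings for the settings the guide warns about."""
    findings: List[Finding] = []
    views = parse_vrp(config)
    top = {view for view, _ in views}

    # FTP is plaintext; the guide recommends SFTP and disabling the FTP
    # server with 'undo ftp server' once file operations are done.
    if "ftp server enable" in top:
        findings.append(("high", "global",
                         "FTP server enabled; prefer SFTP and run 'undo ftp server' when done"))
        if not any(re.match(r"ftp (ipv6 )?acl \S+", v) for v in top):
            findings.append(("medium", "global",
                             "FTP server has no 'ftp acl' restricting client addresses"))

    for view, cmds in views:
        if view.startswith("user-interface vty"):
            # 'protocol inbound ssh' makes the device disable Telnet on this VTY.
            if "protocol inbound ssh" not in cmds:
                findings.append(("high", view, "Telnet accepted: 'protocol inbound ssh' missing"))
            if "authentication-mode aaa" not in cmds:
                findings.append(("high", view, "authentication-mode is not aaa"))
            if not any(c.startswith("idle-timeout") for c in cmds):
                findings.append(("medium", view, "no idle-timeout configured"))
            # The Telnet example applies an outbound ACL so a logged-in user
            # cannot use the router as a hop to telnet to another router.
            if not any(re.match(r"acl \S+ outbound", c) for c in cmds):
                findings.append(("low", view, "no outbound ACL on the VTY"))
        elif view == "aaa":
            for c in cmds:
                m = re.match(r"local-user (\S+) password (plain|cipher|irreversible-cipher)", c)
                if m and m.group(2) == "plain":
                    findings.append(("high", view,
                                     f"user {m.group(1)}: password stored in plaintext"))
    return findings


if __name__ == "__main__":
    for severity, ctx, msg in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {ctx}: {msg}")
```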
Configuration Files

- SSH server configuration file
  #
   sysname SSH Server
  #
  aaa
   local-user client001 password irreversible-cipher %$%$#{!{*"|uh/$|z(E0TW=G_Gj~%$%$
   local-user client001 level 3
   local-user client001 service-type ssh
   local-user client001 state block fail-times 3 interval 5
  #
  interface GigabitEthernet1/0/1
   undo shutdown
   ip address 10.137.217.225 255.255.255.0
  #
  stelnet server enable
  ssh user client001 authentication-type password
  ssh user client001
  ssh user client001 service-type stelnet
  #
  user-interface vty 0 4
   authentication-mode aaa
   protocol inbound ssh
  #
  return

6 Managing the File System

About This Chapter

The file system manages the files and directories on the storage devices of the router. It can move or delete a file or directory, or display the contents of a file.

6.1 File System Overview
The router uses the file system to manage all files.

6.2 Using the File System to Manage Files
You can use the file system to manage storage devices, directories, and files.

6.3 Using FTP to Manage Files
FTP can transmit files between local and remote hosts. FTP is widely used for upgrading versions, downloading logs, transmitting files, and saving time spent on configurations.

6.4 Using SFTP to Manage Files
SFTP enables you to securely log in to the router from a remote device to manage files, which makes data transmission to the remote end more secure.

6.5 Using Xmodem to Manage Files
This section describes how to transfer files through Xmodem.

6.6 Configuration Examples
The examples in this section show how to use FTP, SFTP, or FTPS to access the system and manage files.
These configuration examples explain the networking requirements and provide configuration roadmaps and configuration notes.

6.1 File System Overview

The router uses the file system to manage all files.

6.1.1 File System

The file system manages files and directories on the storage devices. It can create, delete, modify, or rename a file or directory, or display the contents of a file. The file system has two functions: managing storage devices and managing the files that are stored on those devices.

Managing Files Using the File System
- Storage devices: Storage devices are hardware devices for storing data. At present, the router supports CF cards as storage devices.
- Files: A file is a resource for storing and managing data.
- Directories: A directory is a logical container that the system uses to organize files.

6.1.2 File Management Methods

You can use FTP, SFTP, or FTPS to manage files.

Using FTP to Manage Files
FTP is a standard application protocol based on the TCP/IP protocol suite. FTP is used to transfer files between local clients and remote servers. FTP uses two TCP connections to copy a file from one system to another. The TCP connections are usually established in client-server mode: one for control (the server port number is 21) and the other for data transmission (the server port number is 20).
- Control connection: issues commands from the client to the server and transmits replies from the server to the client, which minimizes the transmission delay.
- Data connection: transmits data between the client and server, which maximizes the throughput.

FTP has two file transfer modes:
- Binary mode: Used to transfer program files, such as .app, .bin, and .btm files.
- ASCII mode: Used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:
- FTP client: Users can use the terminal emulator or Telnet program to connect PCs to the device, and run the ftp command to establish a connection between the device and a remote FTP server to access and operate files on the server.
- FTP server: Users can use an FTP client program to log in to the device and operate files on the device. Before users log in, the network administrator must configure an IP address for the FTP server.

NOTE
FTP is an insecure protocol. When it is used, security risks exist. Therefore, exercise caution when using it.

Using SFTP to Manage Files
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely log in to the device to manage and transfer files. On the other hand, users can use the device as a client to log in to a remote server and transfer files securely.

If the SFTP server or the connection between the server and the client fails, the client needs to detect the fault in time and remove the connection. To help the client accomplish this, configure an interval at which Keepalive packets are sent if no packets are received, and the maximum number of times the server may fail to respond before the connection is released:
- If the client does not receive any packets within the specified period, the client sends a Keepalive packet to the server.
- If the number of times the server does not respond exceeds the specified maximum, the client proactively releases the connection.

Using FTPS to Manage Files
FTPS adds support for Secure Sockets Layer (SSL) and is an extension of the commonly used FTP.
Using SSL to authenticate the identities of the client and server and to encrypt the data to be transmitted, FTPS manages device security. Traditional FTP has no security mechanism: it transmits data in plain text. If the FTP server is configured with login user names and passwords, the FTP server can authenticate clients, but the clients cannot authenticate the server. Transmitted data is easy to tamper with, which poses security threats. An SSL policy can be configured on the FTP server to improve security. SSL implements data encryption, identity authentication, and message integrity verification, which improves data transmission security. In addition, SSL provides secure connections for the FTP server, which greatly improves the security of the FTP server.

By default, a user cannot use FTPS to log in to the device. To log in to the device using FTPS, perform the following steps:
- Log in to the device through the console port and load a digital certificate into the security sub-directory of the system directory on the FTPS server.
- Install FTP client software that supports SSL on the PC.

Using Xmodem to Manage Files
Xmodem is a file transfer protocol that mainly applies to the AUX port. Xmodem does not support simultaneous operations by multiple users.

6.2 Using the File System to Manage Files

You can use the file system to manage storage devices, directories, and files.

6.2.1 Before You Start

Before using the file system to manage files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration tasks quickly and correctly.

Applicable Environment
Use the file system to manage files or directories on the router.
If the router is unable to save or obtain data, log in to the file system and repair the faulty storage devices.

Pre-configuration Tasks
Before logging in to the file system to manage files, connect the client to the server.

Data Preparation
To manage files by logging in to the file system, you need the following data:
1. Storage device name
2. Directory name
3. File name

6.2.2 Managing Storage Devices

If a storage device file system on the router is not functioning correctly, you must repair and format the file system before managing the storage device.

Context
If the file system on a storage device fails, the terminal of the router prompts you to rectify the fault. You can format a storage device if you are unable to repair the file system or do not need any data saved on the storage device.

NOTICE
Formatting storage devices can lead to data loss. Exercise caution when performing this operation.

Procedure
- Run:
    fixdisk device-name
  The storage device with file system problems is repaired.
  NOTE
  If, after running this command, the prompt still says the system should be repaired, there may be damage to the physical storage medium.
- Run:
    format device-name
  The storage device is formatted.
  NOTE
  If the storage device does not work after you run this command, there may be a hardware fault.

----End

6.2.3 Managing Directories

You can manage directories to store files in a logical hierarchy.

Context
You can manage directories by changing or displaying directories, displaying files in directories or sub-directories, and creating or deleting directories.

Procedure
- Run:
    cd directory
  A directory is specified.
- Run:
    pwd
  The current directory is displayed.
- Run:
    dir [ /all ] [ filename ]
  A list of files and sub-directories in the directory is displayed.
  Either the absolute path or the relative path applies.
- Run:
    mkdir make-remote-directory
  The directory is created.
- Run:
    rmdir delete-remote-directory
  The directory is deleted.

----End

6.2.4 Managing Files

You can log in to the file system to view, delete, or rename files on the router.

Context
- Managing files includes: displaying contents, copying, moving, renaming, compressing, deleting, undeleting, deleting files in the recycle bin, running files in batches, and configuring prompt modes.
- You can run the cd directory command to enter another directory from the current directory.

Procedure
- Run:
    more file-name [ offset ] [ all ]
  The content of a file is displayed. Specify parameters in the more command for file viewing options:
  – Run the more file-name command to view the file named file-name. Text file contents are displayed one screen at a time. Press the spacebar on the current terminal to display all contents of the current file. Two preconditions must be met to display the contents of a text file one screen at a time:
    – The value configured by the screen-length screen-length temporary command must be greater than 0.
    – The total number of lines in the file must be greater than the value configured by the screen-length command.
  – Run the more file-name offset command to view the file named file-name. Text file contents are displayed one screen at a time, beginning with the line specified by offset. Press and hold the spacebar on the current terminal to display all contents of the current file. Two preconditions must be met to display the contents of a text file one screen at a time:
    – The value configured by the screen-length screen-length command must be greater than 0.
    – The number of lines in the file minus the value of offset must be greater than the value configured by the screen-length command.
  – Run the more file-name all command to view the file named file-name. All text file contents are displayed without pausing after each screen.
- Run:
    copy source-filename destination-filename
  The file is copied.
- Run:
    move source-filename destination-filename
  The file is moved.
- Run:
    rename source-filename destination-filename
  The file is renamed.
- Run:
    zip source-filename destination-filename
  The file is compressed.
- Run:
    delete [ /unreserved ] [ /quiet ] { filename | device-name }
  The file is deleted.
  NOTICE
  If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being deleted.
- Run:
    undelete filename
  The deleted file is recovered.
  NOTE
  If the current directory is not the parent directory, you must use the absolute path to the file to perform operations.
- Run:
    reset recycle-bin [ filename ]
  The file is deleted. You can use this command to permanently delete files in the recycle bin.
- Run files in batches. You can process uploaded files in batches. The edited batch files need to be saved to a storage device on the router. You can create and run a batch file to implement routine tasks as follows:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       execute filename
     The batch file is executed.
- Configure prompt modes.
  The system displays prompts or warning messages when you operate the device (especially if these operations lead to data loss). If you need to change the prompt mode for file operations, you can configure the file system prompt mode.
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       file prompt { alert | quiet }
     The file system prompt mode is configured. The default prompt mode is alert.
  NOTICE
  If the prompt mode is set to quiet, no prompt appears when data is lost due to inappropriate operating procedures.

----End

6.3 Using FTP to Manage Files

FTP can transmit files between local and remote hosts. FTP is widely used for upgrading versions, downloading logs, transmitting files, and saving time spent on configurations.

Context
The FTP protocol poses a security risk, and therefore the SFTP protocol is recommended.

6.3.1 Before You Start

Before using FTP to manage files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
When an FTP client logs in to a router that serves as an FTP server, the user can transfer files between the client and the server.

Pre-configuration Tasks
Before using FTP to manage files, connect the FTP client to the server.

Data Preparation
To use FTP to manage files, you need the following data:
1. FTP username and password, and authorized FTP file directory name
2. (Optional) Listening port number specified on the FTP server
3. (Optional) Source IP address or source interface of the FTP server; (Optional) Timeout period for disconnecting from the FTP server
4. IP address or host name of the FTP server

6.3.2 Configuring a Local FTP User

You can configure a user authorization mode and an authorized directory for FTP users to access. Unauthorized users cannot access the specified directory, which reduces security risks.

Context
To use FTP to manage files, you must configure a local username and a password on the router and specify a service type and the directories that can be accessed. Perform the following operations on the router that functions as the FTP server:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  set default ftp-directory directory
The default FTP working directory is configured.
NOTE
The configuration in this step takes effect only for TACACS users.

Step 3 Run:
  aaa
The AAA view is displayed.

Step 4 Run:
  local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password }
The local user name and password are configured.

Step 5 Run:
  local-user user-name service-type ftp
The FTP service type is configured.

Step 6 Run either of the following commands:
  local-user user-name level level
  local-user user-name privilege level level
The local user level is set.
NOTE
The local user level must be set to level 3 or higher.

Step 7 Run:
  local-user user-name ftp-directory directory
The authorized directory for the FTP user is configured.

----End

6.3.3 (Optional) Specifying a Port Number for the FTP Server

You can configure or change the listening port number for an FTP server.
After the port number is changed, only the user knows the current port number, which protects system security.

Context
The default listening port number for an FTP server is 21. Users can log in to the router directly by using the default listening port number. Attackers can also access the default listening port to launch attacks that reduce available bandwidth and affect server performance, which prevents valid users from accessing the server. Changing the FTP server listening port number effectively prevents attackers from accessing the server through the default listening port.

NOTE
If FTP is not enabled, change the FTP port directly. If FTP is enabled, run the undo ftp server command to disable FTP, and then change the FTP port.

Perform the following on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ftp [ ipv6 ] server port port-number
The port number of the FTP server is configured. Once a new listening port number is configured, the FTP server interrupts all existing FTP connections and starts using the new listening port.

----End

6.3.4 Enabling the FTP Server

You must enable an FTP server on the router before using FTP to manage files.

Context
The FTP server is disabled on the router by default. You must enable the FTP server before using it. Perform the following on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ftp [ ipv6 ] server enable
The FTP server is enabled.
NOTE
When file operations between clients and the router are complete, run the undo ftp [ ipv6 ] server command to disable the FTP server function. This protects router security.
----End

6.3.5 (Optional) Configuring the FTP Server Parameters

FTP server parameters include the FTP server source address and the timeout period for FTP connections.

Context
- You can configure a source IP address for the FTP server. The FTP client can only access this address, which protects system security.
- You can configure the timeout period for FTP connections on the FTP server. When the timeout period for an FTP connection expires, the system terminates the connection to release resources.

Perform the following on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ftp server-source { -a ip-address | -i interface-type interface-number }
The source IP address or source interface of the FTP server is configured. To log in to the FTP server, you must specify this source IP address of the server in the ftp command; otherwise, you cannot log in to the FTP server.

Step 3 Run:
  ftp [ ipv6 ] timeout minutes
The timeout period for the FTP server is configured. If the client is idle for the configured time, the connection to the FTP server is terminated. By default, the timeout value is 30 minutes.

----End

6.3.6 (Optional) Configuring an FTP ACL

After an FTP ACL is configured, only specified clients can access the router.

Context
When the router functions as an FTP server, you can configure an ACL to allow only the clients that meet the matching rules to access the FTP server. Perform the following steps on the router that serves as the FTP server:

Procedure

Step 1 Run:
  system-view
The system view is displayed.
Step 2 Compared with a basic ACL, which filters packets based on source addresses only, an advanced ACL supports richer filtering rules: not only packet source addresses but also packet destination addresses or priorities. Run either of the following commands:
- For a basic ACL: To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ] command.
- For an advanced ACL: To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name [ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] command. To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ] command.

The user interface supports basic ACLs numbered 2000 to 2999 and advanced ACLs numbered 3000 to 3999.

Step 3 Run either of the following commands:
- For a basic ACL: To configure a basic ACL rule, run the rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command. To configure a basic ACL6 rule, run the rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
142 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 6 Managing the File System l For an advanced ACL: To configure an advanced ACL rule, run the rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ipaddress source-wildcard | any } | time-range time-name | vpn-instance vpn-instancename ] * command. To configure an advanced ACL6 rule, run the rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | source { source-ipv6-address 3prefix-length | source-ipv6-address/prefix-length | any } | timerange time-name | vpn-instance vpn-instance-name ] * command. NOTE l By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose source IP addresses match the ACL rule with a permit action can log in to the device. In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from logging in to the device while allowing the other users to log in to the device: l rule deny source 10.1.1.10 0 l rule permit source any If the rule permit source any command is not configured, users whose source IP addresses are not 10.1.1.10 will also be prohibited from logging in to the device. l If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from logging in to the device. l If the ACL referenced by FTP does not contain any rules or does not exist, any user can log in to the device. Step 4 Run: quit The system view is displayed. Step 5 Run: ftp [ ipv6 ] acl acl-number The FTP ACL is configured. 
----End

6.3.7 Using FTP to Access the System

After the FTP server is configured, you can use FTP to access the router from a PC and manage the files on the router.

Context

You can use either the Windows command line prompt or third-party software to log in to the router. The example here uses the Windows command line prompt.

Do as follows on the PC:

Procedure

Step 1 Open the Windows CLI.

Step 2 Run the ftp ip-address command to log in to the router using FTP. Enter a username and password at the prompt, and press Enter.
When the Windows command line prompt, such as ftp>, is displayed in the FTP client view, you have entered the working directory of the FTP server.

Figure 6-1 Using FTP to log in to the device

----End

6.3.8 Using FTP Commands to Manage Files

After using FTP to log in to the router that functions as an FTP server, you can upload and download files to and from the router or manage the directories on the router.

Context

NOTE
FTP is insecure. Using SFTP is recommended.

After you log in to the FTP server, you can perform the following operations:
- Configuring the data type for the file
- Uploading or downloading files
- Creating or deleting directories on the FTP server
- Displaying information about a specific remote directory or file on the FTP server, or deleting a specific file from the FTP server

After logging in to the FTP server and entering the FTP client view, you can perform the following operations:
Procedure

- Configure the data type and transmission mode for a file
  - Run:
    ascii or binary
    The data type of the file to be transmitted is set to ascii or binary.
    NOTE
    FTP supports ASCII and binary files. The difference between the two is:
    - In ASCII transmission mode, carriage return and line feed characters are converted between the local and remote line-ending conventions.
    - In binary transmission mode, bytes are transferred without format conversion or formatting.
    An FTP transmission mode can be set for each client. The system uses ASCII transmission mode by default, but a mode switch command can switch a client between ASCII and binary modes. ASCII mode is used to transmit .txt files and binary mode is used to transmit binary files.
- Upload or download files
  - Upload or download a single file.
    - Run:
      put local-filename [ remote-filename ]
      The local file is uploaded to the remote FTP server.
    - Run:
      get remote-filename [ local-filename ]
      The file is downloaded from the FTP server and saved as the local file.
  - Upload or download multiple files.
    - Run the mput local-filenames command to upload multiple local files to the remote FTP server in one operation.
    - Run the mget remote-filenames command to download multiple files from the FTP server and save them locally.
  NOTE
  - When you are uploading or downloading files and you run the prompt command in the FTP client view to enable the file transmission prompt function, the system prompts you to confirm each upload or download operation.
  - If you run the prompt command again in the FTP client view, the file transmission prompt function is disabled.
- Run one or more of the following commands to manage directories
  - Run:
    cd pathname
    The working path on the remote FTP server is specified.
  - Run:
    pwd
    The current directory on the FTP server is displayed.
  - Run:
    lcd [ local-directory ]
    The directory of the FTP client is displayed or changed.
  - Run:
    mkdir make-remote-directory
    A directory is created on the FTP server.
  - Run:
    rmdir delete-remote-directory
    A directory is removed from the FTP server.
- Run one or more of the following commands to manage files
  - Run:
    ls [ remote-filename ] [ local-filename ]
    The specified directory or file on the remote FTP server is displayed. If no directory name is specified when a specific remote file is selected, the system searches the working directory for that file.
  - Run:
    dir [ remote-filename ] [ local-filename ]
    The specified directory or file on the local FTP server is displayed. If no directory name is specified when a specific remote file is selected, the system searches the working directory for that file.
  - Run:
    delete remote-filename
    The specified file on the FTP server is deleted. If no directory name is specified when a specific remote file is selected, the system searches the working directory for that file.
  When local-filename is set, the listing information about the file is saved locally.

NOTE
If you need more information about FTP operations, run the help [ command ] command in the Windows CLI.

----End

6.3.9 Checking the Configuration

After the configuration is complete, you can view the configuration and status of the FTP server as well as login information about FTP users.

Prerequisites

All configurations for using FTP to manage files are complete.

Procedure

- Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP server.
- Run the display ftp-users command to check how many users are currently logged in to the FTP server.
----End

Example

Run the display [ ipv6 ] ftp-server command to view the status of the FTP server.

<HUAWEI> display ftp-server
  FTP server is running
  Max user number              5
  User count                   1
  Timeout value(in minute)     30
  Listening Port               1080
  Acl number                   0
  FTP server's source address  1.1.1.1
  SSL security status          Disabled

Run the display ftp-users command to view the username, port number, and authorization directory of the FTP user.

<HUAWEI> display ftp-users
  username  host           port  idle  topdir
  zll       100.2.150.226  1383  3     cfcard:

6.4 Using SFTP to Manage Files

SFTP enables you to securely log in to the router from a remote device to manage files, which makes data transmission to the remote end more secure.

6.4.1 Before You Start

Before using SFTP to manage files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

SSH authenticates clients and encrypts data in both directions to guarantee secure data transmission on conventional networks. SSH supports SFTP. SFTP is a secure FTP service that enables users to log in to the FTP server to transmit data.

Pre-configuration Tasks

Before using SFTP to manage files, configure reachable routes between the terminal and the device.

Data Preparation

Before using SFTP to manage files, you need the following data.
No. Data
1   Maximum number of Virtual Type Terminal (VTY) user interfaces, (optional) ACL for restricting incoming and outgoing calls on VTY user interfaces, connection timeout period of terminal users, number of rows displayed on a terminal screen, size of the history command buffer, user authentication mode, username, and password
2   Username, password, authentication mode, and service type of an SSH user, remote public Rivest-Shamir-Adleman (RSA) or Digital Signature Algorithm (DSA) key pair allocated to the SSH user, and SFTP working directory of the SSH user
3   (Optional) Number of the port monitored by the SSH server; (optional) interval for updating the key pair on the SSH server
4   Name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the SSH server to the SFTP client, preferred Hashed Message Authentication Code (HMAC) algorithm from the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server to the SFTP client, preferred key exchange algorithm, name of the outgoing interface, and source address
5   Directory name and file name

6.4.2 Configuring the VTY User Interface

To allow a user to log in to the device by using SFTP, you need to configure attributes of the Virtual Type Terminal (VTY) user interface.

Context

Before a user logs in to the device by using SFTP, you must set the user authentication mode in the VTY user interface. Otherwise, the user cannot log in to the device.

In general, the default values of the other VTY user interface attributes do not need to be modified. These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY User Interface.
6.4.3 Configuring SSH for the VTY User Interface

Before users can log in to the router using SFTP, you must configure VTY user interfaces to support SSH.

Context

By default, user interfaces support Telnet. If no user interfaces are configured to support SSH, you cannot log in to the router using SFTP.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.

Step 3 Run:
authentication-mode aaa
The AAA authentication mode is configured.

Step 4 Run:
protocol inbound ssh
The VTY user interface is configured to support SSH.

----End

6.4.4 Configuring an SSH User and Specifying SFTP as One of the Service Types

Before logging in to the router using SFTP, you must configure an SSH user, configure the router to generate a local RSA (Rivest-Shamir-Adleman) or DSA (Digital Signature Algorithm) key pair, configure a user authentication mode, and specify a service type and authorized directory for the SSH user.

Context

- These SSH user authentication modes are available: RSA, DSA, password, password-RSA, password-DSA and all. Password authentication depends on Authentication, Authorization and Accounting (AAA). Before a user logs in to the device in password, password-RSA or password-DSA authentication mode, you must create a local user with the specified user name in the AAA view.
  - Password-RSA authentication requires both password authentication and RSA authentication.
  - Password-DSA authentication requires both password authentication and DSA authentication.
  - All authentication accepts any one of the following: password authentication, DSA authentication or RSA authentication.
- The device must be configured to generate local RSA or DSA key pairs, which are a key part of the SSH login process. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA or DSA key pair. If an SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the server and the client to generate local RSA or DSA key pairs.
  RSA and DSA are algorithms for user authentication in SSH. Compared with RSA authentication, DSA authentication adopts the DSA encryption mode and is widely used. In many cases, SSH only supports DSA to authenticate the server and the client.
- When the RSA or DSA authentication mode is used, the priority of the users depends on the priority of the VTY user interfaces used for login.

Perform the following operations on the router that functions as an SSH server:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssh user user-name
An SSH user is created.
If password authentication is configured for the SSH user, create the same SSH user in the AAA view:
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command to configure a local user name and password.

Step 3 Run:
local-user user-name level level
The SSH user level is set.
NOTE
The SSH user level must be set to 3 or higher.

Step 4 Create an RSA or DSA key pair.
- Run the rsa local-key-pair create command to create a local RSA key pair.
  NOTE
  - Run the rsa local-key-pair create command to generate a local key pair before completing the other SSH configurations. The minimum length of the server key pair and the host key pair is 512 bits, and the maximum length is 2048 bits. The default length of a local key pair is 2048 bits. After an upgrade, if the original key pair length is shorter than 1024 bits, running the rsa local-key-pair create command to generate a new local key pair is recommended.
  - After a local key pair is generated, you can run the display rsa local-key-pair public command to view the public key in the local key pair.
  - To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local RSA key pairs, including the local key pair and the server key pair. Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair destroy command. The rsa local-key-pair destroy command takes effect only once and therefore is not saved in the configuration file.
- Run the dsa local-key-pair create command to generate a local DSA key pair.
  NOTE
  - You must run the dsa local-key-pair create command to generate a local key pair before completing the other SSH configurations. The length of the server key pair and the host key pair can be 512 bits, 1024 bits or 2048 bits. By default, the length of the key pair is bits.
  - After a local key pair is generated, you can run the display dsa local-key-pair public command to view the public key in the local key pair.
  - To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local DSA key pairs, including the local key pair and the server key pair. Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair destroy command. The dsa local-key-pair destroy command takes effect only once and therefore is not saved in the configuration file.

Step 5 Perform the operations described in Table 6-1 based on the configured SSH user authentication mode.
Table 6-1 Configuring an authentication mode for the SSH user

Configure password authentication
  1. Run the ssh user user-name authentication-type password command.
     If local or HuaWei Terminal Access Controller Access Control System (HWTACACS) authentication is used and there are only a few users, use password authentication.
  2. Run the aaa command to enter the AAA view.
  3. Run the local-user user-name password { cipher | irreversible-cipher } password command to configure the user name and the password for the local user.
     The user name must be the same as the SSH user name.
  4. Run the local-user user-name service-type ssh command to set the access type of the local user to SSH.
     By default, the administrators are all in the domain default_admin.

Configure the default password authentication
  Run the ssh authentication-type default password command.
  When you log in using SSH and use a TACACS server for authentication, the network administrator needs to specify the information about an SSH user on the TACACS server. In most cases, however, the SSH server cannot obtain the user information from the TACACS server. To resolve this problem, you can run the ssh authentication-type default password command to set the authentication mode to password authentication. Then, you can log in to the device on the SSH server safely.

Configure RSA authentication
  1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
  2. Run the rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] command to configure an encoding format for an RSA public key and enter the RSA public key view.
     Huawei data communications devices support only the DER format for RSA keys before V600R006C00. If you use an RSA key in a non-DER format, use a third-party tool to convert the key into DER format. The default encoding format for an RSA public key is Distinguished Encoding Rules (DER). In addition to DER, RSA keys support the Privacy-Enhanced Mail (PEM) and OpenSSH formats since V600R006C00 to improve RSA usability. Third-party software, such as SecureCRT, PuTTY, OpenSSH, and OpenSSL, can be used to generate RSA keys in different formats:
     - SecureCRT and PuTTY generate RSA keys in PEM format.
     - OpenSSH generates RSA keys in OpenSSH format.
     - OpenSSL generates RSA keys in DER format.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.
     - In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see the manuals for the SSH client software.
     - After entering the public key edit view, paste the RSA public key generated on the client to the server.
  5. Run the public-key-code end command to exit from the public key edit view.
  6. Run the peer-public-key end command to return to the system view.
     - Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format has been entered.
     - If the peer-public-key end command is used after the key key-name specified in step 2 has been deleted in another window, the system prompts a message indicating that the key does not exist, and the system view is displayed.
  7. Run the ssh user user-name assign rsa-key key-name command to assign the public key to the SSH user.

Configure DSA authentication
  1. Run the ssh user user-name authentication-type dsa command to configure DSA authentication.
  2. Run the dsa peer-public-key key-name encoding-type { der | openssh | pem } command to configure an encoding format for a DSA public key and enter the DSA public key view.
     Huawei data communications devices support the DER and PEM formats for DSA keys before V600R006C00. If you use a DSA key in a non-DER/PEM format, use a third-party tool to convert the key into DER or PEM format. In addition to DER, DSA keys support the PEM and OpenSSH formats since V600R006C00 to improve DSA usability.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.
     - In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see the manuals for the SSH client software.
     - After entering the public key edit view, paste the DSA public key generated on the client to the server.
  5. Run the public-key-code end command to exit from the public key edit view.
  6. Run the peer-public-key end command to return to the system view.
     - Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format has been entered.
     - If the peer-public-key end command is used after the key key-name specified in step 2 has been deleted in another window, the system prompts a message indicating that the key does not exist, and the system view is displayed.
  7. Run the ssh user user-name assign dsa-key key-name command to assign the public key to the SSH user.

Step 6 (Optional) Use command lines to authorize SSH users.
Run:
ssh user user-name authorization-cmd aaa
Command line authorization is configured for the specified SSH user. After configuring command line authorization for an SSH user that uses RSA authentication, you must also configure AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.

Step 7 Run:
ssh user username service-type { SFTP | all }
The service type of the SSH user is set to SFTP or all. By default, the service type of the SSH user is not configured.

Step 8 Run:
ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for the SSH user is configured. By default, the authorized directory of the SFTP service for the SSH user is cfcard:.

----End

6.4.5 Enabling the SFTP Service

You must enable the SFTP service before you can use it.

Context

By default, the SFTP server function is not enabled on the router. You can use SFTP to establish connections with the router only after the SFTP server function is enabled on the router.

Do as follows on the router that serves as an SSH server:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
sftp server enable
The SFTP service is enabled. By default, the SFTP service is disabled.
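Table 6-1 above says that a client public key must be supplied as hex-data in one of the DER, PEM or OpenSSH encodings, and that keys produced by one tool often have to be converted before they can be pasted into the public key edit view. The following Python script is an added example, not Huawei code and not one of the third-party tools the table names; it shows what the three RSA encodings actually contain by converting between them without any external library. It assumes the OpenSSH form is the familiar "ssh-rsa <base64>" line (payload: string "ssh-rsa", mpint e, mpint n), that "DER" means the PKCS#1 RSAPublicKey structure SEQUENCE { INTEGER n, INTEGER e }, and that "PEM" is that DER base64-encoded between BEGIN/END RSA PUBLIC KEY lines; whether a particular device release or client tool uses exactly these layouts must be confirmed against its own documentation before the hex is pasted in.

```python
"""Convert an RSA public key between the OpenSSH, DER and PEM encodings of Table 6-1.

Added example, not Huawei code. Assumptions: OpenSSH line = 'ssh-rsa <base64>'
with payload string "ssh-rsa", mpint e, mpint n; DER = PKCS#1 RSAPublicKey
SEQUENCE { INTEGER n, INTEGER e }; PEM = that DER in base64 between
BEGIN/END RSA PUBLIC KEY lines. Verify against the target's documentation.
"""
import base64
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_openssh(n: int, e: int) -> str:
    payload = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(payload).decode("ascii")


def decode_openssh(line: str) -> Tuple[int, int]:
    """Return (n, e) from an 'ssh-rsa AAAA... [comment]' public key line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    payload = base64.b64decode(parts[1])
    fields, pos = [], 0
    while pos + 4 <= len(payload):
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        fields.append(payload[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa" or pos != len(payload):
        raise ValueError("malformed ssh-rsa payload")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def _der_length(length: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by the length bytes."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:            # keep the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_length(len(raw)) + raw


def encode_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PUBLIC KEY-----", *lines,
                      "-----END RSA PUBLIC KEY-----"]) + "\n"


def openssh_to_der_hex(line: str) -> str:
    """Hex form of the DER key, the shape pasted into the public key edit view."""
    n, e = decode_openssh(line)
    return encode_der(n, e).hex().upper()


if __name__ == "__main__":
    # Constructed sample values, not a real key: a 2048-bit odd modulus and e = 65537.
    sample_n = (1 << 2047) | 1
    line = encode_openssh(sample_n, 65537)
    print(openssh_to_der_hex(line)[:32], "...")
    print(der_to_pem(encode_der(sample_n, 65537)))
```

The sample modulus is a constructed number, not a generated key, so the output is only useful for seeing the byte layout: a 2048-bit modulus yields a DER blob that starts with 30 82 01 0A (a SEQUENCE of 266 bytes) and ends with 02 03 01 00 01 (the exponent 65537). A real key from ssh-keygen can be fed to openssh_to_der_hex in the same way.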
----End

6.4.6 (Optional) Configuring the SFTP Server Parameters

You can configure a device to be compatible with earlier versions of the SSH protocol, configure or change the listening port number of an SSH server, set an interval at which the key pair of the SSH server is updated, and specify the source interface.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Perform any of the operations shown in Table 6-2 as needed.

Table 6-2 Server parameters

Configure the interval at which the key pair of the SSH server is updated
  Command: ssh server rekey-interval interval
  By default, the interval is 0, indicating that the key is never updated. You can set an interval at which the key pair of an SSH server is updated. When the timer expires, the key pair is automatically updated, improving security.

Configure the timeout period of SSH authentication
  Command: ssh server timeout seconds
  By default, the timeout period is 60 seconds. If a user has not logged in when the timeout period of SSH authentication expires, the system disconnects the current connection to ensure system security.

Configure the number of times that SSH authentication is retried
  Command: ssh server authentication-retries times
  By default, SSH authentication is retried a maximum of 3 times. The number of retries is limited to deny access to invalid users.

Configure earlier SSH version compatibility
  Command: ssh server compatible-ssh1x enable
  There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X, and SSH2.0 eliminates the security risks that SSH1.X has. SSH2.0 is more secure and therefore is recommended. SSH2.0 also supports more advanced services such as SFTP. The HUAWEI NetEngine80E/40E supports SSH versions ranging from 1.3 to 2.0. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.
  NOTE
  If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk.

Configure the listening port number of the SSH server
  Command: ssh server port port-number
  By default, the listening port number is 22. If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections and uses the new port number to listen for connection requests.
  The default listening port number of an SSH server is 22, and users can log in to the device using it. Attackers may access the default listening port, which consumes bandwidth, deteriorates server performance, and causes authorized users to be unable to access the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.

Source interface
  Command: ssh server-source -i loopback interface-number
  By default, an SSH server receives connection requests from all interfaces, and therefore the system is vulnerable to attacks. To enhance system security, you can specify the source interface of the SSH server. This sets a login condition after which only authorized users can log in to the SSH server.
  Before the source interface of an SSH server is specified, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface has not been created, the ssh server-source command cannot be executed correctly.
  After the source interface is specified, the system allows SFTP or STelnet users to log in to the SSH server only through this source interface. Any SFTP or STelnet users that log in through other interfaces are denied. Note that setting this parameter only affects SFTP or STelnet users that attempt to log in to the SSH server; it does not affect SFTP or STelnet users that have already logged in to the server.

Configure an ACL on the SSH server
  Command: ssh server acl acl-number or ssh ipv6 server acl acl-number
  This command specifies the clients that can access the SSH server over IPv4/IPv6. This configuration prevents unauthorized users from accessing the SSH server, ensuring data security.

----End

6.4.7 Using SFTP to Access the System

After the configuration is complete, you can use SFTP to log in to the router from a user terminal and manage files on the router.

Context

You can use third-party software to access the router from the user terminal using SFTP. The example here uses the third-party software OpenSSH and the Windows CLI. Install OpenSSH on the user terminal and then perform the following:

NOTE
For details on how to install OpenSSH, see the software installation guide. For details on how to use OpenSSH commands to log in to the router, see the help documentation for the software.

Procedure

Step 1 Open the Windows CLI.

Step 2 Run OpenSSH commands to log in to the router in SFTP mode.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, as shown in Figure 6-2, you have entered the working directory of the SFTP server.

Figure 6-2 Using SFTP to log in to the device

----End

6.4.8 Using SFTP to Manage Files

You can log in to the SSH server from an SFTP client to create or delete directories on the SSH server.

Context

After logging in to the SFTP server, you can perform the following operations:
- Display the SFTP client command help
- Manage directories on the SFTP server
- Manage files on the SFTP server

After logging in to the SFTP server and entering the SFTP client view, you can perform one or more of the following operations.

Procedure

- Perform the following directory operations as required.
  - Run:
    cd [ remote-directory ]
    The current operating directory of the user is changed.
  - Run:
    pwd
    The current operating directory of the user is displayed.
  - Run:
    dir/ls [ path ]
    A list of files in the specified directory is displayed.
  - Run:
    rmdir delete-remote-directory &<1-10>
    The directory on the server is deleted.
  - Run:
    mkdir make-remote-directory
    A directory is created on the server.
- Perform one or more of the following file operations as required.
  - Run:
    rename old-name new-name
    The name of the specified file on the server is changed.
  - Run:
    get remote-filename [ local-filename ]
    The file on the remote server is downloaded.
  - Run:
    put local-filename [ remote-filename ]
    The local file is uploaded to the remote server.
  - Run:
    rmdir delete-remote-directory &<1-10>
    The file on the server is removed.

----End

6.4.9 Checking the Configuration

After using SFTP to manage files, you can view SSH user information and global configurations for the SSH server.

Prerequisites

The configurations of SSH users are complete.
Procedure

- Run the display ssh user-information username command on the SSH server to check information about the SSH client.
- Run the display ssh server status command on the SSH server to check its global configuration.
- Run the display ssh server session command on the SSH server to check information about connection sessions with SSH clients.

----End

Example

Run the display ssh user-information username command. The output shows that the SSH user named client001 is authenticated by password.

[HUAWEI] display ssh user-information client001
 User Name             : client001
 Authentication-type   : password
 User-public-key-name  :
 User-public-key-type  : RSA
 Sftp-directory        :
 Service-type          : sftp
 Authorization-cmd     : Yes

If no SSH user is specified, information about all SSH users logged in to the SSH server is displayed.

Run the display ssh server status command to view the global configuration of the SSH server.

<HUAWEI> display ssh server status
 SSH version                        : 1.99
 SSH connection timeout             : 60 seconds
 SSH server key generating interval : 2 hours
 SSH Authentication retries         : 5 times
 SFTP server                        : Enable
 Stelnet server                     : Enable
 SSH server port                    : 55535
 SSH server source                  : 0.0.0.0
 ACL4 number                        : 0
 ACL6 number                        : 0

In this output, ACL4 number and ACL6 number of 0 mean that no ACL restricts which clients may reach the SSH server, and SSH server source 0.0.0.0 means that no source interface is bound; both are set in the preceding task.

NOTE
If the default listening port is in use, information about the current listening port is not displayed.
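The two display outputs in this section are what an operator reads to judge whether the SSH server is locked down. The following script, added here as an example and not part of the configuration guide or of the router software, parses the display ssh server status output above and the display ssh server session output shown next and reports settings a security review would flag: an advertised protocol version other than 2.0 (1.99 means SSH-1 compatibility is still offered), no ACL bound, no source interface bound, a high retry count, and CBC-mode or SHA-1-based algorithms on live sessions. The two sample outputs are constructed from the values printed in this section, not captured from a device, and the weak-algorithm policy and the retry threshold of 3 are this example's assumptions, not rules stated in the guide.

```python
"""Audit 'display ssh server status' and 'display ssh server session' output.

Added example, not part of the configuration guide. The samples below are
constructed from the values shown in this section, not captured from a device.
"""
import re

STATUS_SAMPLE = """\
 SSH version                        : 1.99
 SSH connection timeout             : 60 seconds
 SSH server key generating interval : 2 hours
 SSH Authentication retries         : 5 times
 SFTP server                        : Enable
 Stelnet server                     : Enable
 SSH server port                    : 55535
 SSH server source                  : 0.0.0.0
 ACL4 number                        : 0
 ACL6 number                        : 0
"""

SESSION_SAMPLE = """\
 Session 2:
   Conn                : VTY 4
   Version             : 2.0
   State               : started
   Username            : client002
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group-exchange-sha1
   Service Type        : sftp
   Authentication Type : password
"""

# Policy used by this example (an assumption, not a rule stated in the guide):
# CBC-mode ciphers and SHA-1/MD5 based MAC or key exchange are reported.
WEAK_CIPHER_SUFFIXES = ("-cbc",)
WEAK_HASH_MARKERS = ("sha1", "md5")


def parse_kv(text):
    """Turn 'Key : value' lines into a dict with lower-cased, trimmed keys."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_sessions(text):
    """Split 'display ssh server session' output into one dict per 'Session N:' block."""
    chunks = re.split(r"^\s*Session \d+:[ \t]*$", text, flags=re.M)
    return [parse_kv(chunk) for chunk in chunks if chunk.strip()]


def audit_status(fields, max_retries=3):
    """Return findings about the server-wide settings (version, ACL, source, retries)."""
    findings = []
    version = fields.get("ssh version", "")
    if version != "2.0":
        # 1.99 means the server still advertises SSH-1 compatibility to clients.
        findings.append(f"protocol version {version}: server advertises SSH-1 compatibility")
    if fields.get("acl4 number", "0") == "0":
        findings.append("no IPv4 ACL bound (ssh server acl acl-number not configured)")
    if fields.get("acl6 number", "0") == "0":
        findings.append("no IPv6 ACL bound (ssh ipv6 server acl acl-number not configured)")
    if fields.get("ssh server source", "0.0.0.0") == "0.0.0.0":
        findings.append("no source interface bound (ssh server-source not configured)")
    retries = int(fields.get("ssh authentication retries", "0 times").split()[0])
    if retries > max_retries:
        findings.append(f"authentication retries {retries} exceeds policy maximum {max_retries}")
    return findings


def audit_session(session):
    """Return findings about the algorithms one live session actually negotiated."""
    findings = []
    who = session.get("username", "?")
    for field in ("ctos cipher", "stoc cipher"):
        alg = session.get(field, "")
        if alg.endswith(WEAK_CIPHER_SUFFIXES):
            findings.append(f"{who}: {field} uses a CBC-mode cipher ({alg})")
    for field in ("ctos hmac", "stoc hmac", "kex"):
        alg = session.get(field, "")
        if any(marker in alg for marker in WEAK_HASH_MARKERS):
            findings.append(f"{who}: {field} relies on a weak hash ({alg})")
    if session.get("version") != "2.0":
        findings.append(f"{who}: negotiated protocol version {session.get('version')}")
    return findings


def audit(status_text, session_text):
    """Audit both outputs together; returns the combined list of findings."""
    findings = audit_status(parse_kv(status_text))
    for session in parse_sessions(session_text):
        findings.extend(audit_session(session))
    return findings


if __name__ == "__main__":
    for finding in audit(STATUS_SAMPLE, SESSION_SAMPLE):
        print("-", finding)
```

Run it against text pasted from the two display commands; on the sample values it reports five server-level findings and five per-session findings. The session checks matter because the status output only shows what the server is configured to offer, while the session output shows what a client actually negotiated.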
Run the display ssh server session command to view information about sessions between the SSH server and SSH clients.

<HUAWEI> display ssh server session
 Session 2:
   Conn                : VTY 4
   Version             : 2.0
   State               : started
   Username            : client002
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group-exchange-sha1
   Service Type        : sftp
   Authentication Type : password

The CTOS/STOC Cipher, Hmac and Kex fields show the algorithms actually negotiated for the session; review them against the algorithm guidance in the notice at the front of this document.

6.5 Using Xmodem to Manage Files

This section describes how to transfer files through XModem.

6.5.1 Before You Start

Before configuring XModem, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

Configure XModem to transfer files through serial interfaces.

Pre-configuration Tasks

Before configuring XModem, complete the following tasks:
- Power on the router.
- Use an AUX port or a console port to connect the router to the PC.
- Log in to the router through a terminal emulation program and specify a file path.

Data Preparation

To configure XModem, you need the following data.

No.  Data
1    Name of a specific file
2    Absolute path of the file

6.5.2 Obtaining a File Through Xmodem

Using XModem, you can download files to a router through the AUX port.

Context

XModem file transfer consists of a receiving program and a sending program.

- The receiving program first sends the negotiation character to negotiate the check mode.
- After the negotiation is successful, the sending program begins to send packets.
- When the receiving program receives a complete packet, it checks the packet in the negotiated mode.
- If the check is successful, the receiving program sends the acknowledgement character and the sending program sends the next packet.
- If the check fails, the receiving program sends the denial character and the sending program retransmits the packet.

The NE80E/40E provides the XModem receiving program function, which is applied to the AUX port and supports 128-byte packets and CRC. The XModem sending program is included in HyperTerminal.

Do as follows on the router:

Procedure

- Run:
  xmodem get { filename | devicename }
  XModem is used to get the file.

NOTE
- Before getting the file, confirm the path and name of the file to be sent.
- For the filename, an absolute path name is required.
- If the filename is the same as that of an existing file, the system prompts you to confirm whether to overwrite the file.

----End

6.6 Configuration Examples

The examples in this section show how to use FTP, SFTP, or FTPS to access the system and manage files. These configuration examples explain the networking requirements and provide configuration roadmaps and configuration notes.

6.6.1 Example for Using the File System to Manage Files

This example shows how to use the file system to manage files. In the example, you log in to the router to view and copy directories.

Networking Requirements

You can log in to the router through the console port, AUX port, Telnet, or STelnet to manage files on the router. You must enter the path to the file on the storage device correctly. If you do not specify a target file name, the source file name is used as the target file name by default.
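The XModem exchange described in 6.5.2 above (negotiation character, 128-byte packets, per-packet check, acknowledgement or denial, retransmission), as an added example that is not code from the guide or from the NE80E/40E: both sides are modelled in one script and driven over an in-memory serial line. The receiver requests CRC-16 checking, as the router's receiving program supports, the sender emits SOH-framed packets, and one packet is deliberately damaged on its first transmission so the NAK-and-retransmit path is exercised. The 300-byte file, the single-byte corruption and the retry limit of 10 are constructed inputs and assumptions of this example.

```python
"""XModem receiver/sender exchange driven in memory.

Added example, not code from the guide or from the router. It models the
negotiation in 6.5.2: the receiver requests CRC mode, the sender emits 128-byte
packets, the receiver ACKs each good packet and NAKs a corrupted one, which the
sender then retransmits. The 'line noise' injection is a constructed test input.
"""
SOH, EOT, ACK, NAK, CRC_REQ, PAD = 0x01, 0x04, 0x06, 0x15, 0x43, 0x1A
BLOCK = 128


def crc16_xmodem(data):
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(blk, chunk):
    """SOH, block number, its complement, 128 data bytes (padded with 0x1A), CRC-16."""
    body = chunk.ljust(BLOCK, bytes([PAD]))
    header = bytes([SOH, blk & 0xFF, (~blk) & 0xFF])
    return header + body + crc16_xmodem(body).to_bytes(2, "big")


class Receiver:
    """The router side: negotiates the check mode, validates each packet, ACKs or NAKs."""

    def __init__(self):
        self.expected = 1
        self.data = bytearray()
        self.done = False

    def negotiate(self):
        return CRC_REQ  # 'C': ask for CRC-16 checking instead of the 8-bit checksum

    def accept(self, frame):
        """Check one frame in the negotiated (CRC) mode; return ACK or NAK."""
        if frame == bytes([EOT]):
            self.done = True
            return ACK
        if len(frame) != 3 + BLOCK + 2 or frame[0] != SOH:
            return NAK
        blk, blk_inv = frame[1], frame[2]
        if blk != self.expected & 0xFF or blk_inv != (~blk) & 0xFF:
            return NAK
        body = frame[3:3 + BLOCK]
        if int.from_bytes(frame[-2:], "big") != crc16_xmodem(body):
            return NAK
        self.data += body
        self.expected += 1
        return ACK


def run_transfer(payload, corrupt_block=None, max_retries=10):
    """Drive sender and receiver over an in-memory serial line.

    Returns (received_bytes, event_log). If corrupt_block is set, that block is
    damaged on its first transmission so the NAK/retransmit path is exercised.
    """
    chunks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]
    rx, events = Receiver(), []
    mode = rx.negotiate()
    events.append("rx -> 'C' (CRC mode requested)" if mode == CRC_REQ else "rx -> NAK (checksum mode)")
    for n, chunk in enumerate(chunks, start=1):
        retries = 0
        while True:
            frame = build_packet(n, chunk)
            if corrupt_block == n and retries == 0:
                frame = frame[:10] + bytes([frame[10] ^ 0xFF]) + frame[11:]  # flip one data byte
            reply = rx.accept(frame)
            events.append(f"tx block {n} -> {'ACK' if reply == ACK else 'NAK'}")
            if reply == ACK:
                break
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"block {n} rejected {retries} times; aborting")
    rx.accept(bytes([EOT]))
    events.append("tx EOT -> ACK")
    # The receiver cannot know the original length: trailing 0x1A pad bytes remain.
    return bytes(rx.data), events


if __name__ == "__main__":
    sample = b"paf.txt sample " * 20  # constructed 300-byte file -> 3 blocks
    received, log = run_transfer(sample, corrupt_block=2)
    print("\n".join(log))
    print("intact:", received.rstrip(bytes([PAD])) == sample)
```

Two points the protocol description leaves implicit are visible in the code: the block number and its complement are checked before the CRC, so a duplicated or out-of-order packet is rejected even when its CRC is valid, and the last block is padded to 128 bytes, so the file the router stores can be longer than the file that was sent.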
Configuration Roadmap

The configuration roadmap is as follows:
1. Check the files in a directory.
2. Copy a file to this directory.
3. Check that the file has been copied to the directory.

Data Preparation

To complete the configuration, you need the following data:
- Source file name and target file name
- Source file path and target file path

Procedure

Step 1 Display the file information in the current directory. cfcard:/ is the flash memory identifier.

<HUAWEI> dir cfcard:/
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-          64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw-         418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw-       38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw-        2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw-        7041  Aug 02 2007  11:02:00  license.txt
    5  -rw-   117013076  Jul 13 2007  10:40:44  V600R008C10.cc

500192 KB total (347760 KB free)

Step 2 Copy the file cfcard2:/sample.txt to cfcard:/sample1.txt.

<HUAWEI> copy cfcard2:/sample.txt cfcard:/sample1.txt
Copy cfcard2:/sample.txt to cfcard:/sample1.txt?[Y/N]:y
100% complete
Info:Copied file cfcard2:/sample.txt to cfcard:/sample1.txt...Done

Step 3 Display the file information about the current directory to check that the file has been copied to the specified directory.

<HUAWEI> dir cfcard:/
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-          64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw-         418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw-       38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw-        2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw-        7041  Aug 02 2007  11:02:00  license.txt
    5  -rw-   117013076  Jul 13 2007  10:40:44  V600R008C10.cc
    6  -rw-        1605  Nov 18 2007  05:30:11  sample1.txt

500192 KB total (346155 KB free)

----End
6.6.2 Example for Using FTP to Manage Files

This example shows how to use FTP to manage files. In the example, a user uses FTP to log in to the router from a PC and then downloads files to the FTP client.

Networking Requirements

As shown in Figure 6-3, after the FTP server is enabled on the router, you can log in to the FTP server from the HyperTerminal to upload or download files.

Figure 6-3 Networking for using FTP to manage files (PC <-> Network <-> FTP Server, GE1/0/1 10.137.217.221/16)

Note that FTP carries the username, password and file contents in clear text. Where the client supports it, prefer the SFTP procedure in 6.6.3, which protects both the credentials and the transferred files.

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure the IP address of the FTP server.
2. Enable the FTP server.
3. Configure the authentication information, authorization mode, and directories that can be accessed for an FTP user.
4. Enter the username and password to log in to the FTP server.
5. Upload files to or download files from the FTP server.

Data Preparation

To complete the configuration, you need the following data:
- IP address of the FTP server: 10.137.217.221
- Timeout period for the FTP connection: 30 minutes
- On the server, FTP username: huawei and password: Huawei-123
- Destination file name and its location on the FTP client

Procedure

Step 1 Configure the IP address of the FTP server.

[server] interface gigabitethernet1/0/1
[server-GigabitEthernet1/0/1] undo shutdown
[server-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet1/0/1] quit

Step 2 Enable the FTP server.

<HUAWEI> system-view
[HUAWEI] sysname server
[server] ftp server enable
[server] ftp timeout 30

Step 3 Configure the authentication information, authorization mode, and directories that can be accessed for an FTP user on the FTP server.
[server] aaa
[server-aaa] local-user huawei password irreversible-cipher Huawei-123
[server-aaa] local-user huawei level 3
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory cfcard:
[server-aaa] quit

Step 4 Run FTP commands at the Windows command line prompt, and enter the username and password to set up an FTP connection with the FTP server, as shown in Figure 6-4.

Figure 6-4 Logging in to the FTP server

Step 5 Upload and download files, as shown in Figure 6-5.

Figure 6-5 Using FTP to manage files

NOTE
You can run the dir command before downloading a file or after uploading a file to view detailed information about the file.

----End

Configuration File

- FTP server configuration file

#
 sysname Server
#
 ftp server enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
aaa
 local-user huawei password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J\E%hGAP&3-R,*7S_]SS}Wa%$%$
 local-user huawei level 3
 local-user huawei service-type ftp
 local-user huawei state block fail-times 3 interval 5
 local-user huawei ftp-directory cfcard:
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
return

6.6.3 Example for Using SFTP to Manage Files

This example shows how to use SFTP to manage files. In the example, a local key pair and a user name and a password are configured on the SSH server for an SSH user. After SFTP services
are enabled on the server and the SFTP client is connected to the server, you can manage files between the client and the server.

Networking Requirements

As shown in Figure 6-6, after SFTP services are enabled on the router that functions as an SSH server, you can log in to the server from an SFTP client PC in password, Rivest-Shamir-Adleman (RSA), password-RSA, Digital Signature Algorithm (DSA), password-DSA or all authentication mode.

NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to the SSH server. Configure a user to log in to the SSH server in password authentication mode.

Figure 6-6 Networking diagram for using SFTP to manage files (PC <-> Network <-> SSH Server, GE1/0/1 10.137.217.225/16)

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to exchange data securely between the SFTP client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including the user authentication mode, username, password, and authorization directory.
4. Enable SFTP services on the SSH server and configure a user service type.

Data Preparation

To complete the configuration, you need the following data:
- SSH user authentication mode: password; username: client001; password: Huawei-123
- User level of client001: 3
- IP address of the SSH server: 10.137.217.225

Procedure

Step 1 Configure a local key pair on the SSH server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

NOTE
The example enters a 768-bit modulus. The security notice at the front of this document rates RSA-1024 or lower as low security, so accept the 2048-bit default when you configure a production device.

Step 2 Configure VTY user interfaces on the SSH server.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

Step 3 Configure the SSH username and password on the SSH server.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password Huawei-123
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 4 Enable SFTP and configure the user service type as SFTP.

[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp

Step 5 Configure the authorization directory for the SSH user.

[SSH Server] ssh user client001 sftp-directory cfcard:

Step 6 Verify the configurations.

Figure 6-7 Access interface

----End
Configuration File

- SSH server configuration file

#
 sysname SSH Server
#
aaa
 local-user client001 password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J\E%hGAP&3-R,*7S_]SS}Wa%$%$
 local-user client001 level 3
 local-user client001 service-type ssh
 local-user client001 state block fail-times 3 interval 5
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.225 255.255.255.0
#
 sftp server enable
 ssh user client001 authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

6.6.4 Example for Using Xmodem to Perform File Operations

In this example, you run HyperTerminal on a PC, log in to a router and download files through the AUX port.

Networking Requirements

The router is connected to the PC through the AUX port. Log in to the router through the AUX port to receive files over the AUX port and save the received files to the cfcard.

Configuration Roadmap

The configuration roadmap is as follows:
1. Run HyperTerminal on the PC and log in to the router.
2. Use the xmodem get command to download files on the router, and specify the file path in HyperTerminal.

Data Preparation

To complete the configuration, you need the following data:
- Files that are copied to the PC
- The path of the file on the PC

Procedure

Step 1 Log in to the router through the AUX port. Refer to chapter 2 "Logging in to the Devices Through the AUX Port" in the NE80E/40E Configuration Guide - Basic Configuration.

Step 2 Use the XModem protocol to receive the file from the AUX port. The received file is saved on the cfcard memory of the router and the file name is paf.txt.
<HUAWEI> xmodem get cfcard:/paf.txt
**** WARNING ****
xmodem is a slow transfer protocol limited to the current speed settings of the auxiliary ports. During the course of the download no exec input/output will be available!
---- ******* ----
Proceed?[Y/N]y
Destination filename [cfcard:/paf.txt]?
Before press ENTER you must choose 'YES' or 'NO'[Y/N]:y
Download with XMODEM protocol....

Step 3 Specify the file to be sent in HyperTerminal.

Figure 6-8 Specifying the file to be sent

After the configuration is complete, press Send to send the file.

Step 4 The system prompts that the file is sent successfully. Then you can view the directory of the cfcard.

<HUAWEI>
Download successful!
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-    10014764  Jun 20 2005  15:00:28  ne20-vrp5.10-c01b070.bin
    1  -rw-       98776  Jul 27 2005  09:36:12  matnlog.dat
    2  -rw-          28  Jul 27 2005  09:34:39  private-data.txt
    3  -rw-         480  May 10 2003  11:25:18  vrpcfg.zip
    4  -rw-    10103172  Jul 22 2005  16:40:37  ne20-vrp5.10-c01db90.bin
    5  -rw-        1515  Jul 19 2005  17:39:55  vrpcfg.cfg
    6  -rw-        3844  Jul 14 2004  11:51:45  exception.dat
    7  -rw-     8628372  Jun 01 2005  10:14:34  ne20-vrp330-0521.01.bin
    8  -rw-          45  Jul 27 2005  10:51:26  paf.txt

----End

7 Configuring System Startup

About This Chapter

When the router is powered on, system software starts and configuration files are loaded. To ensure that the router runs smoothly, you need to manage system software and configuration files efficiently.

7.1 System Startup Overview
When the router is powered on, system software starts and configuration files are loaded.

7.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the router.
7.3 Specifying a File for System Startup
You can specify a file to be used for system startup by specifying the system software and configuration file for the next startup of the router.

7.4 Configuration Examples
The example in this section shows how to configure system startup. The example explains the networking requirements, and provides a configuration roadmap and configuration notes.

7.1 System Startup Overview

When the router is powered on, system software starts and configuration files are loaded.

7.1.1 System Software

System software provides an operating system for the router. System software must be set up correctly for the router to run and provide services efficiently. The extension of the system software file is .cc. The file must be saved in the root directory of the storage device.

7.1.2 Configuration Files

The configuration file is used to configure the initial settings of the router. The configuration file is a text file with the following properties:
- It is saved in the command format.
- To save space, default parameters are not saved.
- Commands are organized according to the command view. All commands of the same command view are grouped into a section. Any two command sections are separated by one or several blank lines or comment lines (beginning with "#").
- The sequence of the command sections is as follows: global configuration, physical interface configuration, logical interface configuration, and routing protocol configuration.
- The filename extension of the configuration file must be .cfg or .zip, and the file must be stored in the root directory of a storage device.
- In a configuration file, commands must be expressed in full form. No abbreviation is allowed.
- In a configuration file, each command is wrapped using \r\n.
No other invisible characters can be used to wrap commands.
- Transferring the configuration file to a device using FTP in binary mode is recommended.

NOTE
- The system supports commands that contain a maximum of 510 characters. A command does not have to be entered in full, as long as the part of the command entered is unique within the system. For example, to run the display current-configuration command, enter d cu, di cu, or dis cu. Entering d c or dis c will not run the command because these entries are not unique to the command.
- The system saves the complete form of abbreviated commands to configuration files, so a saved command may have more than 510 characters. Such a command cannot be restored when the system restarts. Therefore, pay attention to the length of the full form of an abbreviated command before saving it.

7.1.3 Configuration Files and Current Configurations

When the router is running, current configurations differ from configuration files. The concepts of configuration files and current configurations are defined as follows.

Configuration files
  Concept: When the router is powered on, it retrieves configuration files from a default save path to initialize itself. If configuration files do not exist in the default save path, the router uses default initialization parameters.
  Identifying method:
  - Run the display startup command to view the configuration files for the current startup and next startup on the router.
  - Run the display saved-configuration command to view the configuration file for the next startup on the router.

Current configurations
  Concept: Current configurations indicate the configurations in effect on the router when it is actually running.
  Identifying method: Run the display current-configuration command to view current configurations on the router.
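The file properties listed in 7.1.2 (sections separated by "#" lines, commands in full form, \r\n line endings, the 510-character limit) and the notice at the front of this document on plain-text passwords together define what a saved configuration file should look like before it is copied back onto a router. The following script, added here as an example and not part of the guide or of the router software, splits a saved file into its view sections, checks the line-ending and length rules, and reports secrets that are not stored in encrypted form. SAMPLE_CFG is constructed for illustration: the users "ops" and "guest", the "password cipher" and "password plain" forms, and the line terminated by a bare LF are this example's own inputs and do not come from the guide; treating a value bookended by %$%$ as encrypted text is likewise this example's heuristic.

```python
"""Parse a saved configuration file (7.1.2 format) and audit it for clear-text secrets.

Added example, not part of the guide. SAMPLE_CFG is constructed for illustration:
the 'ops' and 'guest' users and the bare-LF line do not appear in the guide, and
the 'plain' / 'cipher' forms are used here only to show what the checks report.
"""
MAX_CMD_LEN = 510       # command length limit stated in 7.1.2
ENC_BOOKEND = "%$%$"    # bookends of an encrypted-text value in a saved file

SAMPLE_CFG = (
    b"#\r\n"
    b" sysname SSH Server\r\n"
    b"#\r\n"
    b"aaa\r\n"
    b" local-user client001 password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J\\E%hGAP&3-R,*7S_]SS}Wa%$%$\r\n"
    b" local-user client001 level 3\r\n"
    b" local-user client001 service-type ssh\r\n"
    b" local-user ops password cipher Huawei-123\r\n"      # hand-edited: value not in %$%$ form
    b" local-user guest password plain Guest-123\r\n"      # 'plain' keyword: stored in clear text
    b"#\r\n"
    b"interface GigabitEthernet1/0/1\r\n"
    b" undo shutdown\r\n"
    b" ip address 10.137.217.225 255.255.0.0\n"           # bare LF breaks the \r\n rule
    b"#\r\n"
    b" sftp server enable\r\n"
    b" ssh user client001 authentication-type password\r\n"
    b"#\r\n"
    b"return\r\n"
)


def check_line_endings(raw):
    """7.1.2: each command is wrapped with CRLF, has no other control characters, fits 510 chars."""
    findings = []
    for lineno, line in enumerate(raw.splitlines(keepends=True), start=1):
        if not line.endswith(b"\r\n"):
            findings.append((lineno, "not terminated by CRLF"))
        body = line.rstrip(b"\r\n")
        if any(b < 0x20 or b == 0x7F for b in body):
            findings.append((lineno, "contains a control character"))
        if len(body) > MAX_CMD_LEN:
            findings.append((lineno, f"command longer than {MAX_CMD_LEN} characters"))
    return findings


def split_sections(raw):
    """Group commands by view: sections are separated by '#' comment lines or blank lines."""
    sections, current = [], []
    for line in raw.decode("utf-8").splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            if current:
                sections.append(current)
                current = []
        else:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_passwords(sections):
    """Report secrets not stored in encrypted form, per the notice in the front matter."""
    findings = []
    for section in sections:
        view = section[0].strip()
        for cmd in section:
            words = cmd.split()
            if "plain" in words:
                findings.append(f"{view}: '{cmd.strip()}' keeps its secret in clear text (plain)")
                continue
            if "password" not in words or words.index("password") == len(words) - 1:
                continue  # no value follows (e.g. 'authentication-type password')
            idx = words.index("password")
            keyword = words[idx + 1]
            if keyword not in ("cipher", "irreversible-cipher"):
                findings.append(f"{view}: '{cmd.strip()}' password is not marked cipher/irreversible-cipher")
                continue
            value = words[idx + 2] if idx + 2 < len(words) else ""
            wrapped = (value.startswith(ENC_BOOKEND) and value.endswith(ENC_BOOKEND)
                       and len(value) > 2 * len(ENC_BOOKEND))
            if not wrapped:
                findings.append(f"{view}: '{cmd.strip()}' {keyword} value is not in %$%$ encrypted form")
    return findings


def audit_config(raw):
    """Run both checks over a saved configuration file; returns a list of strings."""
    report = [f"line {n}: {msg}" for n, msg in check_line_endings(raw)]
    report.extend(audit_passwords(split_sections(raw)))
    return report


if __name__ == "__main__":
    for item in audit_config(SAMPLE_CFG):
        print("-", item)
```

Run it over a file pulled from the router with the binary-mode transfer recommended above, before the file is edited or pushed back. On the sample it reports the bare-LF line and the two user accounts whose secrets are not in encrypted form, and says nothing about client001, whose irreversible-cipher value is bookended by %$%$ as the router writes it.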
You can use the command line interface to modify the current configuration of the router. Use the save command to save the modified configuration to the next startup configuration file on the storage device. This configuration file will be used to initialize the router the next time it is powered on.

7.2 Managing Configuration Files

You can manage the configuration files for the current and next startup operations on the router.

7.2.1 Before You Start

Before managing configuration files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

Configuration files can be saved, cleared, and compared. Configuration file management is required to upgrade the router, take preventive measures, repair configuration files, and view configurations after the router starts.

Pre-configuration Tasks

Before managing configuration files, install and power on the router.

Data Preparation

To manage configuration files, you need the following data.

No.  Data
1    Configuration file and its name
2    Configuration file saving interval and delay interval
3    Number of the start line from which the comparison of the configuration files begins

7.2.2 Saving Configuration Files

The configurations completed by using command lines are valid only for the current operation of the router. To have the configurations take effect at the next startup, you need to save the current configurations to the next startup configuration file before restarting the router.

Context

You can save configuration files on demand or set the system to save configuration files at regular intervals.
This prevents data loss if the router restarts without warning or is powered off. Run one of the following commands to save configuration files.

Procedure

- Configure automatic saving.

  NOTICE
  When the automatic saving function is enabled and the LPU is not correctly installed, the corresponding configurations may be lost.

  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *
     The configuration file is saved at intervals. After you specify the parameter interval interval, the system saves the current configuration at each interval only if the configuration has changed; if the configuration has not changed, the system does not save it.
     – If you do not run the set save-configuration command, the system does not automatically save configurations.
     – If you run the set save-configuration command without specifying interval, the system automatically saves configurations at an interval of 30 minutes.
     When you configure the automatic saving function, to prevent that function from affecting system performance, you can set the upper limit of the CPU usage for the system during automatic saving. When automatic saving is triggered by the expiry of the timer, the CPU usage is checked. If the CPU usage is higher than the set upper limit, automatic saving is canceled.
     After you specify delay delay-interval, if the configuration is changed, the device automatically saves the configuration after the specified delay.
     After you configure the configurations to be automatically saved, the system automatically saves the changed configurations to the configuration file for the next startup. The configuration file then reflects the saved configurations.
     Before you configure the configurations to be automatically saved to a server, you need to run the set save-configuration backup-to-server server server-ip [ vpn-instance vpn-instance-name ] transport-type { ftp | sftp } user user-name password password [ path folder ] or set save-configuration backup-to-server server server-ip [ vpn-instance vpn-instance-name ] transport-type tftp [ path folder ] command to configure the server, including the IP address, username and password of the server, the destination path, and the mode of transporting the configuration file to the server.

     NOTE
     Of the three transport types, only sftp protects the configuration file and the server credentials in transit; ftp and tftp send them in clear text, and the backed-up file contains the device's user accounts and password ciphertext. If you use TFTP, run the tftp client-source command to configure a loopback interface address as the client source IP address on the router, thereby improving security.

- Run:
  save [ all ] [ configuration-file ]
  The current configurations are saved.
  The extension of the configuration file must be .cfg or .zip. The system startup configuration file must be saved in the root directory of a storage device. *.cfg files are stored in ASCII format, and *.zip files are stored in zip format.
  You can modify the current configuration through the CLI. To use the current configuration as the initial configuration when the router starts next time, use the save command to save the current configuration to the cfcard memory.
  You can use the save all command to save all the current configurations, including the configurations of boards that have not been inserted, to the next startup configuration file.

  NOTE
  When you save the configuration file for the first time, if you do not specify the optional parameter configuration-file, the router asks you whether you want to save the file as "vrpcfg.zip". "vrpcfg.zip" is the default configuration file, which initially contains no configuration.
NOTICE
The save and save config-filename commands have different functions. Note the following when using them.
- The save command saves the current configuration to the configuration file for the next startup on the storage device. You can use the display startup command to view information about the configuration file for the next startup. By default, the configuration file for the next startup is cfcard:/vrpcfg.zip.
- The save config-filename command backs up the current configuration to the file specified by config-filename on the storage device. The command execution does not affect the current startup configuration file. If config-filename and its storage path are the same as those of the configuration file for the next startup, the save config-filename command functions the same as the save command.
- If you have run the save config-filename command to back up the current configuration and then deliver new configuration, you must run the save config-filename command again to back up the new configuration to that file. This ensures that the new configuration is restored after the device restarts.

----End

7.2.3 Clearing a Configuration File

This section describes how to clear the content of the configuration file that has been loaded to a device, how to delete the configurations on an interface to restore the default configurations, and how to delete the inactive configurations of boards that have not been installed.

Context

The configuration file stored in the cfcard memory needs to be cleared in the following cases:
- The system software does not match the configuration file after the router has been upgraded.
- The configuration file is damaged or an incorrect configuration file has been loaded.
Perform the following operations to clear the content of a configuration file:

Procedure

- Clear the currently loaded configuration file.
  Run the reset saved-configuration command to clear the currently loaded configuration file.
  – If the configuration file used for the current startup of the router is the same as the file to be used for the next startup, running the reset saved-configuration command clears both. The router will use the default configuration file for the next startup.
  – If the configuration file used for the current startup of the router is different from the file to be used for the next startup, running the reset saved-configuration command clears the configuration file used for the current startup.
  – If you run the reset saved-configuration command and the configuration file used for the current startup of the router is empty, the system states that the configuration file does not exist.

  NOTICE
  - Exercise caution when running this command. If necessary, do so under the guidance of Huawei technical support personnel.
  - After the contents of a configuration file are cleared, the empty configuration file with the original file name remains.
  - After the configuration file is cleared, if you do not run the startup saved-configuration configuration-file command to specify a new configuration file or the save command to save the configuration file, the router will use the default configuration file at the next startup.

- Clear the inactive configurations of boards that have not been installed.
  1. Run the system-view command to enter the system view.
  2. Run the clear inactive-configuration slot command to clear the inactive configurations of the boards that are not installed in slots.
----End

7.2.4 Comparing Configuration Files

By comparing the current configuration with the configuration file specified for the next startup, or with another file on the router, you can determine which of them should be used for the next startup.

Context

You can compare the current configuration to the file specified for the next startup to determine which one to use for the next startup.

Procedure

- Run:
  compare configuration [ configuration-file ] [ current-line-number save-line-number ]
  The current configuration is compared with the configuration file for the next startup.
  – If no parameter is specified, the system compares the current configuration with the next startup configuration file from the first line.
  – If configuration-file is specified, the system checks whether the current configuration is the same as the specified configuration file.
  – If current-line-number and save-line-number are specified, the comparison starts from the specified line of the current configuration and the specified line of the saved configuration file respectively; differences before those lines are ignored.
  The system displays the content of the current configuration and of the saved configuration file starting from the first line that differs between the two. Beginning with this line, 150 characters are displayed by default for each of the files. If fewer than 150 characters remain after the first line with a difference, all remaining file content is displayed.

  NOTE
  If the configuration file for the next startup is unavailable or its content is empty, the system cannot read the file.

----End

7.2.5 Checking the Configuration

After managing configuration files, you can view the current configuration files and the files in the storage device.
Prerequisites
The configurations for managing configuration files are complete.

Procedure
- Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] command or the display current-configuration [ all | inactive ] command to check the current configuration.
- Run the display startup command to check the files used for startup.
- Run the dir [ /all ] [ filename ] command to check the files saved in the storage device.
- Run the display saved-configuration configuration command to view the configuration of the autosave function, including the status of the autosave function, the autosave check time, the CPU usage threshold, and the period during which the configuration must remain unchanged before it is saved automatically.
- Run the display changed-configuration time command to check the time of the last configuration change.
----End

Example
Run the display startup command to check the files used for startup.

<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

7.3 Specifying a File for System Startup

You can specify the files to be used for system startup by specifying the system software and the configuration file for the next startup of the router.
7.3.1 Before You Start

Before specifying a file for system startup, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
To enable the router to load user-defined configurations at the next startup, you need to correctly specify the system software and configuration file for the next startup.

Pre-configuration Tasks
Before specifying a file for system startup, install the router and power it on.

Data Preparation
To specify a file for system startup, you need the following data.

No.  Data
1    System software and its file name on the NE80E/40E
2    Configuration file and its file name on the device

7.3.2 Configuring System Software for the Router to Load at the Next Startup

If you need to upgrade a router's system software, you can specify the system software to be loaded at the next startup.

Context
The system continues to load the current system software at each startup until different system software is specified for the next startup. To change the system software for the next startup, specify the system software you require. The file name extension of the system software must be .cc, and the file must be stored in the root directory of a storage device.

Procedure
Step 1 Run:
  startup system-software system-file [ slave-board ]
The system software to be loaded at the next startup of the router is configured. system-file specifies a system software file saved on the device that is to be used for the next startup. You must set the same name for the next-startup system software on the master and slave main control boards.
Otherwise, the system cannot be restarted. The file names of the system software on the master and slave main control boards are case insensitive; all entered letters are saved as lower-case letters. slave-board is valid only on a router with dual main control boards.
----End

7.3.3 Configuring the Configuration File for the Router to Load at the Next Startup

Before restarting a router, you can specify which configuration file will be loaded at the next startup.

Context
Run the display startup command on the router to check whether a specific configuration file is set to be loaded at the next startup. If no configuration file is specified, the default configuration file is loaded at the next startup. The file name extension of the configuration file must be .cfg or .zip, and the file must be stored in the root directory of a storage device.
When the router is powered on, by default it reads the configuration file from the cfcard memory to initialize. The data in this configuration file is the initial configuration. If no configuration file is saved in the cfcard memory, the router initializes with default parameters.

Procedure
- Run:
  startup saved-configuration configuration-file
  The configuration file to be loaded by the router at the next startup is specified. The system allows different names for the configuration files on the master and slave main control boards, but asks for your confirmation. After you confirm, the system can be restarted.
----End

7.3.4 Checking the Configuration

After specifying a configuration file for system startup, you can check the content of the configuration file and information about the files to be used at the router's next startup.
Prerequisites
A configuration file has been specified for system startup.

Procedure
- Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to check the current configuration.
- Run the display saved-configuration [ last | time | configuration ] command to check the contents of the configuration file to be loaded at the next startup.
- Run the display startup command to check information about the files to be used at the next startup.
----End

Example
Run the display startup command to check information about the files to be used at the next startup.

<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

7.4 Configuration Examples

The example in this section shows how to configure system startup. It explains the networking requirements and provides a configuration roadmap and configuration notes.

7.4.1 Example for Configuring System Startup

This example shows how to configure system startup. A configuration file is saved, and the system software and configuration file to be loaded at the next startup are specified so that the router starts correctly.

Networking Requirements
The router is installed with dual main control boards.
After the router is configured, the new configuration takes effect after the system restarts.

Configuration Roadmap
The configuration roadmap is as follows:
1. Save the current configuration.
2. Specify the configuration file to be loaded at the next startup of the router.
3. Specify the system software to be loaded at the next startup of the router.

Data Preparation
To complete the configuration, you need the following data:
- Name of the configuration file
- File name of the system software

Procedure
Step 1 Check the configuration file and system software that were used during the current startup.

<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

Step 2 Save the current configuration to the specified file.

<HUAWEI> save vrpcfg.cfg

The system asks whether to save the current configuration to the file named vrpcfg.cfg on the master and slave main control boards. Enter y at the prompt to save the configuration.

Step 3 Specify the configuration file to be loaded at the router's next startup.

<HUAWEI> startup saved-configuration vrpcfg.cfg

Step 4 Specify the system software to be loaded at the router's next startup.
Specify the system software to be loaded at the next startup of the master main control board.
<HUAWEI> startup system-software V600R008C10.cc

Specify the system software to be loaded at the next startup of the slave main control board.

<HUAWEI> startup system-software V600R008C10.cc slave-board

NOTE
- The slave main control board automatically synchronizes with the master main control board after the configuration file to be loaded at the next startup is specified for the master main control board.
- Ensure that the system software to be loaded at the next startup of the router is saved on both the master and slave main control boards. Configure the system software to be loaded at the next startup for the master and slave main control boards separately.

Step 5 Verify the configuration.
After the configuration is complete, run the following command to check which configuration file and system software will be loaded at the router's next startup.

<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL

----End

Configuration Files
None.
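The check below is an added example and not part of the Huawei guide: it parses display startup output in the format shown in 7.2.5, 7.3.4 and this example, reports every file whose next-startup value differs from the one in use (here vrp.cfg to vrpcfg.cfg), and checks the next-startup files against the names an operator expects and the .cc/.cfg/.zip root-directory rules stated in 7.3.2 and 7.3.3. The sample output is constructed from Step 5 above; check_expected and its expected-name arguments are this example's own assumption of how such a policy would be expressed.

```python
"""Audit 'display startup' output from an NE80E/40E for next-startup drift.

Added example, not Huawei's code. Parses the CLI output, pairs each
'Startup ...' field with its 'Next startup ...' counterpart and reports the
ones that differ, so an unexpected next-startup file is visible before the
reboot rather than after it.
"""
import re

# Constructed sample in the format of the guide's output (Step 5 of 7.4.1).
SAMPLE_OUTPUT = """\
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
"""

# "<field name>:   <value>"; the lazy name stops at the first ':' that is
# followed by whitespace, so values such as cfcard:/x.cc are kept whole.
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z -]*?):\s+(?P<value>\S+)\s*$")


def parse_display_startup(text):
    """Return {board: {field: value}} for each board block (e.g. MainBoard)."""
    boards, board = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("<"):      # prompt or blank line
            continue
        if stripped.endswith(":") and " " not in stripped:  # "MainBoard:" header
            board = stripped[:-1]
            boards[board] = {}
            continue
        m = FIELD_RE.match(line)
        if m and board is not None:
            boards[board][m.group("name")] = m.group("value")
    return boards


def startup_drift(fields):
    """Map each file kind to (current, next) where the next-startup value differs."""
    drift = {}
    for name, value in fields.items():
        if name.startswith("Startup "):
            kind = name[len("Startup "):]
            nxt = fields.get("Next startup " + kind)
            if nxt is not None and nxt != value:
                drift[kind] = (value, nxt)
    return drift


def in_root_directory(path):
    """cfcard:/x.cfg is in the root directory; cfcard:/dir/x.cfg is not."""
    _, sep, rest = path.partition(":/")
    return bool(sep) and bool(rest) and "/" not in rest


def check_expected(fields, expected_software, expected_config):
    """Assumed policy check (this example's own): the next-startup files must be
    the approved ones and must satisfy the guide's extension and location rules."""
    problems = []
    sw = fields.get("Next startup system software", "")
    cfg = fields.get("Next startup saved-configuration file", "")
    if sw != expected_software:
        problems.append(f"unexpected next-startup system software: {sw}")
    if cfg != expected_config:
        problems.append(f"unexpected next-startup configuration file: {cfg}")
    if not sw.endswith(".cc") or not in_root_directory(sw):
        problems.append("system software must be a .cc file in the root directory")
    if not (cfg.endswith(".cfg") or cfg.endswith(".zip")) or not in_root_directory(cfg):
        problems.append("configuration file must be a .cfg or .zip file in the root directory")
    return problems


if __name__ == "__main__":
    main_board = parse_display_startup(SAMPLE_OUTPUT)["MainBoard"]
    for kind, (now, nxt) in startup_drift(main_board).items():
        print(f"{kind}: running {now}, next startup will load {nxt}")
    for problem in check_expected(main_board, "cfcard:/V600R008C10.cc", "cfcard:/vrp.cfg"):
        print("policy:", problem)
```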
8 Accessing Another Device

About This Chapter

To manage configurations or operate on files on another device, you can use Telnet, STelnet, TFTP, FTP, or SFTP to access that device from the device that you have logged in to.

8.1 Accessing Another Device
To manage configurations or use files on a device other than the one to which you are logged in, you can use Telnet, FTP, TFTP, or SSH to access that device.

8.2 Using Telnet to Log In to Other Devices
On most networks, multiple routers need to be managed and maintained, but it may be impossible to connect some of these routers to a PC terminal. In other cases, there may be no reachable route between a router and a PC terminal. You can log in to a local router and then use Telnet to log in to remote routers to complete management and maintenance tasks.

8.3 Using Telnet Redirection to Connect to Another Device
If the client is not connected to the remote device over an IP network, you can use the Telnet redirection function to manage the remote device from the router to which you are logged in.

8.4 Using STelnet to Log In to Another Device
STelnet provides secure Telnet services. You can use STelnet to log in to another router and manage the device remotely.

8.5 Using TFTP to Access Files on Another Device
You can configure the router as a TFTP client and log in to a TFTP server to upload and download files.

8.6 Using FTP to Access Files on Another Device
This section describes how to configure a router as an FTP client to log in to an FTP server and how to upload files to or download files from that server.

8.7 Using SFTP to Access Files on Another Device
SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server authenticates the client and encrypts data in both directions to provide secure data transmission.
8.8 Configuration Examples
This section provides examples for accessing another device. These examples explain the networking requirements, configuration notes, and configuration roadmap.

8.1 Accessing Another Device

To manage configurations or use files on a device other than the one to which you are logged in, you can use Telnet, FTP, TFTP, or SSH to access that device.

Figure 8-1 Networking diagram for accessing another device from the router
(figure labels: PC, Client, Network, Server)

As shown in Figure 8-1, when you run a terminal emulation or Telnet program on a PC to connect to the router, the router can still function as a client to access another device on the network. There are several ways to accomplish this.

8.1.1 Telnet Method

To configure and manage a remote device on the network, you can use the router that you have logged in to as a client to log in to that device, or you can use the redirection terminal service on the router to log in to that device.
Telnet is an application layer protocol in the TCP/IP protocol suite that provides remote login and virtual terminal services. The NE80E/40E provides the following Telnet services:
- Telnet server: You can run a Telnet client program on a PC to log in to a router to complete configuration and management tasks. The router acts as a Telnet server.
- Telnet client: You can run a terminal emulation program or a Telnet client program on a PC to connect to the router. You can then run the telnet command to log in to other routers to configure and manage them.
  As shown in Figure 8-2, Router A serves as both a Telnet server and a Telnet client.

  Figure 8-2 Telnet client services
  (figure labels: PC, RouterA, RouterB, Telnet Server, Telnet Session 1, Telnet Session 2)

- Redirection terminal services: You can run a Telnet client program on a PC to log in to the router through a specified port number and then connect to the serial-interface devices that are attached to the asynchronous interfaces of the router, as shown in Figure 8-3. This scenario is typically used to connect an asynchronous router interface with multiple remote devices to complete configuration and maintenance tasks.

  Figure 8-3 Telnet redirection services
  (figure labels: PC, Ethernet, Router with Async0 to Async3, Router1, Router2, Modem, Switch)

  NOTE
  Only devices that provide asynchronous interfaces support the Telnet redirection service.

- Interruption of Telnet services
  Two shortcut key combinations can terminate a Telnet connection. As shown in Figure 8-4, Router A logs in to Router B through Telnet, and Router B logs in to Router C through Telnet, forming a cascade network. In this case, Router A is the client of Router B, and Router B is the client of Router C. Figure 8-4 illustrates the usage of the shortcut keys.

  Figure 8-4 Usage of Telnet shortcut keys
  (figure labels: RouterA, RouterB, RouterC, Telnet Client, Telnet Server, Telnet Session 1, Telnet Session 2)

  Ctrl_]: The server interrupts the connection. If the network connection is normal and you press Ctrl_], the Telnet server terminates the current Telnet connection. For example:

  <RouterC>
  Press Ctrl_] to return to the Router B prompt.
  Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.
  Info: The connection was closed by the remote host.
  <RouterB>
  Press Ctrl_] to return to the Router A prompt.
  Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.
  Info: The connection was closed by the remote host.
  <RouterA>

  NOTE
  If a router becomes disconnected from the network, these shortcut keys are invalid, because instructions cannot be sent to the server.

  Ctrl_T: The client interrupts the connection. If the server fails and the client is unaware of this failure, the client continues to transmit data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet connection. For example:

  <RouterC>
  Press Ctrl_T to terminate and quit the Telnet connection.
  <RouterA>

NOTICE
If remote login users are using the maximum number of VTY user interfaces allowed, the system states that all user interfaces are in use and does not allow additional Telnet logins.

8.1.2 FTP Method

To access files on a remote FTP server, you can use FTP to establish a connection between the router to which you are logged in and the remote FTP server.
FTP can transmit files between hosts and provides users with common FTP commands for file system management. That is, you can use an FTP client program that does not reside on the router to upload or download files and access directories on the router, and you can use the FTP client program that resides on the router to transfer files to the FTP servers of other devices. FTP can transmit files between local and remote hosts. It is widely used for upgrading versions, downloading logs, transmitting files, and saving configurations.

8.1.3 TFTP Method

If the client/server interaction requirements on the network are relatively simple, you can enable the TFTP client function on the router to access files on a TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol. Unlike FTP, TFTP has no complex interactive access interface and no authentication control. TFTP is used in environments where there is no complex interaction between the client and the server; for example, TFTP is used to obtain a memory image of the system when the system starts up. TFTP is implemented over the User Datagram Protocol (UDP).
The client initiates a TFTP transfer. To download files, the client sends a read request packet to the TFTP server, receives data packets from the server, and returns acknowledgements to the server. To upload files, the client sends a write request packet to the TFTP server, sends data packets to the server, and receives acknowledgements from the server.
TFTP uses two formats for file transfer:
- Binary format: transfers program files.
- ASCII format: transfers text files.
The NE80E/40E can only serve as a TFTP client and can only transfer files in binary format.

8.1.4 SSH Method

Logging in to a remote device using SSH (including STelnet and SFTP) provides secure communication between the remote device and the router to which you are logged in.

SSH Overview
When users on an insecure network use Telnet to log in to the router, the Secure Shell (SSH) feature provides authentication and keeps data secure. SSH defends the router against IP address spoofing and similar attacks, and protects the router against the interception of plain-text passwords. The SSH client function enables users to establish SSH connections with routers that serve as SSH servers or with UNIX hosts.

SSH Client Function
The NE80E/40E supports the STelnet client function and the SFTP client function.
- STelnet client (Secure Telnet)
  Telnet does not provide secure authentication, and TCP transmits data in plain text, which creates security vulnerabilities. Denial of service (DoS) attacks, host IP address spoofing, and route spoofing also threaten system security. Therefore, Telnet services are vulnerable to network attacks.
  SSH implements secure remote access on insecure networks and has the following advantages over Telnet:
  – SSH supports Remote Subscriber Access (RSA) authentication and Digital Signature Algorithm (DSA) authentication. SSH uses RSA or DSA authentication to generate and exchange public and private keys in an asymmetric encryption system that protects session security.
    NOTE
    To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to the SSH server.
  – SSH supports Data Encryption Standard (DES), 3DES, RC4, and Advanced Encryption Standard (AES) authentications.
    NOTE
    To improve security, it is recommended that you use the more secure AES as the authentication algorithm for remote access.
  – SSH user names and passwords are encrypted in the communication between an SSH client and server, which prevents password interception.
  – SSH encrypts transmitted data.
  If the STelnet server or the connection between the server and a client is faulty, the client must detect the fault and release the connection. A fault detection function must be configured on the client to accomplish this. The client sends keepalive packets to the server at configured intervals. If a configured number of keepalive packets receive no reply from the server, the client determines that there is a fault and releases the connection.

- SFTP client
  SFTP is short for Secure FTP.
  You can log in to a device from a secure remote end to manage files, which improves data transmission security when the remote system is updated. The client function enables you to use SFTP to log in to the remote device for secure file transmission.
  If the SFTP server or the connection between the server and a client is faulty, the client must detect the fault and release the connection. A fault detection function must be configured on the client to accomplish this. The client sends keepalive packets to the server at configured intervals. If a configured number of keepalive packets receive no reply from the server, the client determines that there is a fault and releases the connection.

8.2 Using Telnet to Log In to Other Devices

On most networks, multiple routers need to be managed and maintained, but it may be impossible to connect some of these routers to a PC terminal. In other cases, there may be no reachable route between a router and a PC terminal. You can log in to a local router and then use Telnet to log in to remote routers to complete management and maintenance tasks. The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.

8.2.1 Before You Start

Before configuring login to another device from the device to which you are logged in, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

Figure 8-5 Networking diagram for accessing another device from the device to which you are logged in
(figure labels: PC, Network, RouterA, Network, RouterB)

As shown in Figure 8-5, you can use Telnet to log in to Router A from a PC.
You cannot, however, manage Router B remotely, because there is no reachable route between the PC and Router B. To manage Router B remotely, you must use Telnet to log in to it from Router A. In this situation, Router A functions as a Telnet client and Router B functions as a Telnet server.

Pre-configuration Tasks
Before using Telnet to log in to another device on the network, complete the following tasks:
- Log in to the device using Telnet.
- Configure a reachable route between the client and the Telnet server.

Data Preparation
To use Telnet to log in to another device, you need the following data:

No.  Data
1    IP address or host name of Router B
2    Number of the TCP port Router B uses to provide Telnet services

8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client

You can configure a source IP address for a Telnet client and then use this address to set up a Telnet connection from the client to the server along a specific route.

Context
An IP address configured on an interface of the router functions as the source IP address of the Telnet connection. This configuration enables security checks. The source of a client can be a source interface or a source IP address.
Do as follows on the router that functions as a Telnet client.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  telnet client-source { -a source-ip-address | -i interface-type interface-number }
The source IP address of the Telnet client is configured. After the configuration, the source IP address of the Telnet client displayed on the Telnet server must be the same as the configured IP address.
----End

8.2.3 Using Telnet to Log In to Another Device

You can use Telnet to log in to and manage another router.
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet to log in to a host and then use Telnet again from that host to log in to a remote host, which can then be configured and managed remotely. Not all hosts need to be connected directly to a hardware terminal.
Do as follows on the router that serves as a Telnet client:

Procedure
- Select and perform one of the following steps for IPv4 or IPv6.
  – Run:
    telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i interface-type interface-number ] host-name [ port-number ]
    Log in to the router over IPv4 and manage other routers.
  – Run:
    telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ] host-name [ -oi interface-type interface-number ] [ port-number ]
    Log in to the router over IPv6 and manage other routers.
----End

8.2.4 Checking the Configuration

When you use a router to log in to another router, you can check information about the established TCP connection.

Prerequisites
All configurations for logging in to another device are complete.

Procedure
- Run the display tcp status command to check the status of all TCP connections.
----End

Example
Run the display tcp status command to view the status of TCP connections. The Established state indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port        Foreign Add:port      VPNID  State
39952df8  36 /1509  0.0.0.0:0             0.0.0.0:0             0      Closed
32af9074  59 /1     0.0.0.0:21            0.0.0.0:0             14849  Listening
34042c80  73 /17    10.164.39.99:23       10.164.6.13:1147      0      Established

8.3 Using Telnet Redirection to Connect to Another Device

If the client is not connected to the remote device over an IP network, you can use the Telnet redirection function to manage the remote device from the router to which you are logged in. The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.

8.3.1 Before You Start

Before configuring the redirection of a client login to another device, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
If a remote device, such as a new device on the network, needs to be managed and maintained but is not connected to the terminal PC over the IP network, you can use the Telnet redirection function to log in to the remote device. The remote device can be any device that supports serial interfaces, such as a router, a switch, or a modem.

Figure 8-6 Schematic diagram of using Telnet to redirect the client login to another device
(figure labels: PC, Network, Session, RouterA, Aux, Console, RouterB)

As shown in Figure 8-6, remote Router B is not connected to the client over the IP network. If Router B needs to be managed remotely, you can use the Telnet redirection function of Router A: connect the asynchronous serial interface of Router A to the serial interface of Router B. This allows you to run the Telnet client program on the PC to log in to Router B through a specified interface, and therefore to manage and maintain the device remotely.
Router B in Figure 8-6 has been configured with serial interfaces. Router A is directly connected to Router B.

Pre-configuration Tasks
Before using Telnet to redirect the client to another device, complete the following tasks:
- Use Telnet to log in to the device.
- Configure a reachable route between the client and the Telnet server.

Data Preparation
To use the Telnet redirection function to log in to another device, you need the following data:

No.  Data
1    IP address of Router A

8.3.2 Enabling Telnet Redirection

After the redirection function is enabled on the router that functions as a Telnet client, you can log in to a remote device from a specified client interface to manage and maintain the remote device.

Context
The Telnet redirection function is supported only on products whose AUX ports or True Type Terminal (TTY) interfaces can be configured with this function.
Perform the following steps on the router:

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  user-interface aux 0
The AUX0 user interface view is displayed.
Step 3 Run:
  undo shell
Terminal services are disabled on the AUX0 user interface.
Step 4 Run:
  redirect
The Telnet redirection function is enabled on the AUX0 user interface.

NOTE
- After the Telnet redirection function is enabled, the port number used for redirection is assigned. AUX0 is numbered 33, and the redirection port number is therefore 2033.
- You can log in to the Telnet client and use the specified port to log in to the remote device that needs to be managed and maintained.
----End

8.3.3 Using Telnet Redirection to Connect to Another Device

You can use the Telnet redirection function to log in to a remote device from the router that functions as a Telnet client to perform management tasks.

Context

Users attempt to log in to another device by using a specified client interface.

Perform the following step on the client:

Procedure
- Run:
telnet host-name port-number
You have logged in to the remote device.
The host-name parameter specifies the IP address or host name of the router that has enabled the redirection function. The port-number parameter is the redirection interface number assigned in 8.3.2 (2033 for AUX0).
----End

8.3.4 Checking the Configuration

After using Telnet to log in to another device remotely, you can check status information about the current TCP connection.

Prerequisites

The configurations for using the Telnet redirection function to log in to another device are complete.

Context
- Run the display tcp status command to check status information about the established TCP connection.

Example

Run the display tcp status command to view status information about the established TCP connection.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port        Foreign Add:port    VPNID  State
348d3c50  6 /1      0.0.0.0:21            0.0.0.0:0           23553  Listening
3b558554  128/1     0.0.0.0:23            0.0.0.0:0           23553  Listening
31cf1978  128/4     0.0.0.0:2033          0.0.0.0:0           23553  Listening
31cf1bb0  128/6     0.0.0.0:4033          0.0.0.0:0           23553  Listening
11a22ad8  128/3     10.137.217.225:23     10.138.77.38:3670   0      Established

8.4 Using STelnet to Log In to Another Device

STelnet provides secure Telnet services. You can use STelnet to log in to another router and manage the device remotely.
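As an added example that is not part of the Huawei guide, the following Python parses the display tcp status output shown in 8.3.4 and reports the listeners the guide itself flags as insecure (Telnet on port 23 and the redirection interface 2033) together with any established cleartext session. The port-to-user-interface mapping (2000 plus the user-interface number) is generalised from the note in 8.3.2 and is an assumption.

```python
"""Parse `display tcp status` output and flag cleartext management sockets.

Added example; not part of the Huawei configuration guide. The sample
output below is constructed from the 8.3.4 example in the text."""
import re
from dataclasses import dataclass

# Constructed sample: the 8.3.4 `display tcp status` output, one record per line.
SAMPLE_TCP_STATUS = """\
TCPCB     Tid/Soid  Local Add:port        Foreign Add:port    VPNID  State
348d3c50  6 /1      0.0.0.0:21            0.0.0.0:0           23553  Listening
3b558554  128/1     0.0.0.0:23            0.0.0.0:0           23553  Listening
31cf1978  128/4     0.0.0.0:2033          0.0.0.0:0           23553  Listening
31cf1bb0  128/6     0.0.0.0:4033          0.0.0.0:0           23553  Listening
11a22ad8  128/3     10.137.217.225:23     10.138.77.38:3670   0      Established
"""

# Services the guide describes as carrying credentials in plaintext.
# Port 2033 is the Telnet redirection interface for AUX0 (section 8.3.2).
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet", 2033: "Telnet redirection (AUX0)"}


@dataclass(frozen=True)
class TcpEntry:
    tcpcb: str
    tid: int
    soid: int
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    vpnid: int
    state: str


# One data row. Tid/Soid is printed as "6 /1" or "128/1", so whitespace around
# the slash is optional; the greedy \S+ before the last colon also copes with
# IPv6 addresses in the address columns.
_ROW = re.compile(
    r"^(?P<tcpcb>[0-9a-f]{8})\s+(?P<tid>\d+)\s*/\s*(?P<soid>\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+"
    r"(?P<vpnid>\d+)\s+(?P<state>[A-Za-z_-]+)\s*$"
)


def parse_tcp_status(text: str) -> list[TcpEntry]:
    """Return one TcpEntry per data row; the header line does not match and is skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m is None:
            continue
        entries.append(TcpEntry(
            tcpcb=m["tcpcb"], tid=int(m["tid"]), soid=int(m["soid"]),
            local_addr=m["laddr"], local_port=int(m["lport"]),
            foreign_addr=m["faddr"], foreign_port=int(m["fport"]),
            vpnid=int(m["vpnid"]), state=m["state"]))
    return entries


def cleartext_listeners(entries: list[TcpEntry]) -> list[tuple[int, str]]:
    """(port, service) for every listening socket on a cleartext management port."""
    found = {(e.local_port, CLEARTEXT_SERVICES[e.local_port])
             for e in entries
             if e.state == "Listening" and e.local_port in CLEARTEXT_SERVICES}
    return sorted(found)


def active_cleartext_sessions(entries: list[TcpEntry]) -> list[tuple[str, int, str]]:
    """(peer address, peer port, service) for each established cleartext session;
    these are the sessions whose credentials and commands cross the network unencrypted."""
    return [(e.foreign_addr, e.foreign_port, CLEARTEXT_SERVICES[e.local_port])
            for e in entries
            if e.state == "Established" and e.local_port in CLEARTEXT_SERVICES]


def redirect_user_interface(port: int) -> int:
    """Map a redirection port back to its user-interface number.
    Assumption: port = 2000 + user-interface number, generalised from the
    guide's "AUX0 is numbered 33, and the interface number is therefore 2033"."""
    if not 2000 < port < 3000:
        raise ValueError(f"{port} is not a Telnet redirection port")
    return port - 2000


if __name__ == "__main__":
    rows = parse_tcp_status(SAMPLE_TCP_STATUS)
    for port, service in cleartext_listeners(rows):
        print(f"listening on {port}: {service}")
    for peer, peer_port, service in active_cleartext_sessions(rows):
        print(f"established {service} session from {peer}:{peer_port}")
```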
8.4.1 Before You Start

Before you use STelnet to log in to another device, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

Telnet logins are insecure because no secure authentication mechanism is available and data is transmitted over TCP connections in plain text. STelnet is a secure Telnet protocol based on SSH. SSH users can use STelnet services in place of ordinary Telnet services.

In this configuration, the device to which you have logged in functions as an STelnet client, and the device to which you want to log in functions as an SSH server.

Pre-configuration Tasks

Before you use STelnet to log in to another device, complete the following tasks:
- Use STelnet to log in to devices.
- Configure a reachable route between the client and the SSH server.

Data Preparation

To use STelnet to log in to another device, you need the following data.

No.  Data
1    Name of the SSH server and public key that is assigned by the client to the SSH server
2    IPv4 or IPv6 address or host name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm for data from the STelnet client to the SSH server, preferred encryption algorithm for data from the SSH server to the STelnet client, preferred Hashed Message Authentication Code (HMAC) algorithm for data from the STelnet client to the SSH server, preferred HMAC algorithm for data from the SSH server to the STelnet client, preferred key exchange algorithm, and user information for logging in to the SSH server

8.4.2 Enabling First-Time Authentication on the SSH Client

After first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the Rivest-Shamir-Adleman (RSA) or Digital Signature Algorithm (DSA) public key when it logs in to the SSH server for the first time.

Context

If first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA or DSA public key when it logs in to the SSH server for the first time. After the login, the system automatically allocates the RSA or DSA public key and saves it for authentication at the next login.

NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to the SSH server.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssh client first-time enable
First-time authentication on the SSH client is enabled.
By default, first-time authentication on the SSH client is disabled.

NOTE
- The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of the RSA or DSA public key of the SSH server when an STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA or DSA public key of the SSH server.
- If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled on the SSH client, the STelnet client fails to pass the RSA or DSA public key validity check and cannot log in to the server.

NOTE
To ensure that an STelnet client can log in to an SSH server on the first attempt, you can assign an RSA or DSA public key to the SSH server on the SSH client in advance. You can also enable first-time authentication on the SSH client.
----End

8.4.3 Allocating a Public Key to the SSH Server

To configure the first successful login to another device on an SSH client, you must allocate a Rivest-Shamir-Adleman (RSA) or Digital Signature Algorithm (DSA) public key to the SSH server before login.

Context

If first-time authentication is not enabled on the SSH client, the STelnet client fails to pass the RSA or DSA public key validity check when it logs in to the SSH server for the first time and cannot log in to the server. You must therefore allocate an RSA or DSA public key to the SSH server before the STelnet client logs in to the SSH server.

NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to the SSH server.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
or
dsa peer-public-key key-name encoding-type { der | openssh | pem }
An encoding format is configured for the public key, and the public key view is displayed.

Step 3 Run:
public-key-code begin
The public key editing view is displayed.

Step 4 Run:
hex-data
The public key is edited.
The public key is a string of hexadecimal alphanumeric characters that an SSH client generates.

NOTE
- The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise, the validity check for the RSA or DSA public key on the STelnet client will fail.
- After entering the public key editing view, paste the RSA or DSA public key generated on the server into the router that functions as the client.

Step 5 Run:
public-key-code end
The public key editing view is exited.
- If the specified hex-data is invalid, the public key cannot be generated after you run the peer-public-key end command.
- If the specified key-name is deleted in another view, the system determines that the key does not exist after you run the peer-public-key end command, and the system view is displayed.

Step 6 Run:
peer-public-key end
Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname
The RSA or DSA public key is assigned to the SSH server.

NOTE
If the RSA or DSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server. Then run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new RSA or DSA public key to the SSH server.
----End

8.4.4 Using STelnet to Log In to Another Device

You can use STelnet to log in to an SSH server from an SSH client and manage the device remotely.

Context

During communication with an SSH server, an STelnet client can carry a source address and a VPN instance name, choose a key exchange algorithm, an encryption algorithm, or a Hashed Message Authentication Code (HMAC) algorithm, and configure the keepalive function.
Perform the following steps on the router serving as an SSH client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 According to the address type of the SSH server, perform either of the following operations:
- If the address of the SSH server is an IPv4 address, run:
stelnet [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] *
You can log in to the SSH server through STelnet.
- If the address of the SSH server is an IPv6 address, run:
stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] *
You can log in to the SSH server through STelnet.
----End

8.4.5 Checking the Configuration

After configuring login to another device using STelnet, you can check the mappings between all SSH servers of the STelnet client and the Rivest-Shamir-Adleman (RSA) or Digital Signature Algorithm (DSA) public keys on the client. You can also check the global configurations of the SSH servers and information about sessions between the SSH servers and the STelnet client.

Prerequisites

The configurations for logging in to another device by using STelnet are complete.

Procedure
- Run the display ssh server-info command to check the mappings between all SSH servers of the SSH client and the RSA or DSA public keys on the client.
----End

Example

Run the display ssh server-info command to view the mappings between all servers of the SSH client and the RSA or DSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)                                 Server Public Key Type  Server public key name
______________________________________________________________________________
10.137.128.216                                  RSA                     10.137.128.216
10.137.128.217                                  RSA                     10.137.128.217
10.137.128.217                                  DSA                     sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1                                       RSA                     127.0.0.1
127.0.0.1                                       DSA                     10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1    RSA                     1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1  RSA                     1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1    RSA                     1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1  RSA                     1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1
8.1.1.2                                         RSA                     8.1.1.2

8.5 Using TFTP to Access Files on Another Device

You can configure the router as a TFTP client and log in to the TFTP server to upload and download files.
8.5.1 Before You Start

Before configuring access to another device using TFTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

You can use TFTP in a simple interaction environment to transfer files between a server and a client. The current router functions as a TFTP client, and the router to be accessed functions as a TFTP server.

Pre-configuration Tasks

Before configuring access to another device using TFTP, configure a reachable route between the client and the TFTP server.

Data Preparation

To access another device using TFTP, you need the following data.

No.  Data
1    (Optional) Source address or source interface of the router that functions as a TFTP client
2    IP address or host name of the TFTP server
3    Name of the specific file on the TFTP server and the file directory

8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client

You can configure a source IP address for a TFTP client and then use the source IP address to set up a TFTP connection from the TFTP client to the server along a specific route.

Context

An IP address is configured for an interface on the router. This IP address functions as the source IP address of a TFTP connection, which enables security checks to be implemented. The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a router that functions as a TFTP client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of the TFTP client is configured.
After the configuration, the source IP address of the TFTP client displayed on the TFTP server must be the same as the configured one.
----End

8.5.3 (Optional) Configuring TFTP Access Authority

This section describes how to use an ACL rule to specify which TFTP servers can be accessed by using TFTP from the router to which you are logged in.

Context

When the router functions as a TFTP server, you can configure an ACL to allow only the clients that meet the matching rules to access the TFTP server.

Perform the following steps on the router that serves as the TFTP client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] } [ match-order { auto | config } ]
or
acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ]
The ACL or ACL6 view is displayed.
TFTP supports only basic ACLs (2000 to 2999).

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
or
rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
The basic ACL or ACL6 rule is configured.

NOTE
- By default, the deny action in an ACL rule is taken for all login user packets. Only users whose source IP addresses match an ACL rule with a permit action can log in to the device.
In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from logging in to the device while allowing all other users to log in:
- rule deny source 10.1.1.10 0
- rule permit source any
If the rule permit source any command is not configured, users whose source IP addresses are not 10.1.1.10 are also prohibited from logging in to the device.
- If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from logging in to the device.
- If the ACL referenced by TFTP does not contain any rules or does not exist, any user can log in to the device.

Step 4 Run:
quit
The system view is displayed.

Step 5 Run:
tftp-server acl acl-number
The ACL is used to limit access to the TFTP server.
----End

8.5.4 Using TFTP to Download Files

You can download files from a TFTP server to a TFTP client.

Context

Do as follows on the router that serves as the TFTP client:

Procedure
- Run the following commands according to the server IP address type.
– If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]
The router is configured to download files through TFTP.
– If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type interface-number ] get source-filename [ destination-filename ]
The router is configured to download files using TFTP.
----End

8.5.5 Using TFTP to Upload Files

You can upload files from a TFTP client to a TFTP server.
Context

Do as follows on the router that serves as the TFTP client:

Procedure
- Run the following commands according to the server IP address type.
– If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
The router is configured to upload files using TFTP.
– If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type interface-number ] put source-filename [ destination-filename ]
The router is configured to upload files using TFTP.
----End

8.5.6 Checking the Configuration

When a device is configured as a TFTP client, you can check the source address of the client and the configured ACL rule.

Prerequisites

Configurations for using the device as a TFTP client are complete.

Procedure
- Run the display tftp-client command to check the device address that is set as the source address of the TFTP client.
- Run the display acl { name acl-name | acl-number | all } command to check the ACL rule that is configured on the TFTP client.
----End

Example

Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
The source address of TFTP client is 1.1.1.1.

Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is configured on the TFTP client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules, Acl's step is 5
rule 5 permit
rule 10 permit source 1.1.1.1 0

8.6 Using FTP to Access Files on Another Device

This section describes how to configure a router as an FTP client to log in to an FTP server and how to upload files to or download files from this server.
Context

The FTP protocol poses a security risk, and therefore the SFTP protocol is recommended.

8.6.1 Before You Start

Before configuring the use of FTP to access files on another device, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

Before transmitting files between a client and a remote FTP server or managing directories on the server, you can configure the router to which you have logged in as an FTP client. You can then use FTP to access the FTP server for file transmission or directory management.

Pre-configuration Tasks

Before configuring the use of FTP to access files on another device, configure a reachable route between the router and the FTP server.

Data Preparation

To configure the use of FTP to access files on another device, you need the following data:

No.  Data
1    (Optional) Source IP address or source interface of the router that functions as an FTP client
2    Host name or IP address of the FTP server, port number of the FTP connection, login username, and password
3    Local file names and file names on the remote FTP server, name of the working directory on the remote FTP server, name of the working directory on the local FTP client, or directory name of the remote FTP server

8.6.2 (Optional) Configuring the Source IP Address and Interface of the FTP Client

This section describes how to configure the source IP address and interface of an FTP client to connect to an FTP server.

Prerequisites

An IP address is configured for an interface on the router and functions as the source IP address for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address. Configuring a source interface as the source for a client is possible only if the system has a loopback interface.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ftp client-source { -a source-ip-address | -i interface-type interface-number }
The source address of the FTP client is configured.
After the source address of the FTP client is configured, you can run the display ftp-users command on the FTP server to check that the displayed source address of the FTP client is the same as the configured one.
----End

8.6.3 Connecting to Other Devices Using FTP Commands

You can run FTP commands to log in to other devices from the router that functions as the FTP client.

Context

You can log in to the FTP server in the user view or the FTP view.

Do as follows on the router that serves as the client:

Procedure

Step 1 Run the following commands according to the type of the server IP address.
- If the IP address of the server is an IPv4 address, do as follows:
– In the user view, establish a connection to the FTP server. Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
The router is connected to the FTP server.
– In the FTP view, establish a connection to the FTP server.
1. In the user view, run:
ftp
The FTP view is displayed.
2. Run:
open [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ vpn-instance vpn-instance-name ]
The router is connected to the FTP server.
NOTE
Before logging in to the FTP server, you can run the set net-manager vpn-instance command to configure a default VPN instance.
After a default VPN instance is configured, it is used for FTP operations.
- If the IP address of the server is an IPv6 address, do as follows:
– In the user view, establish a connection to the FTP server. Run:
ftp ipv6 host [ port-number ]
The router is connected to the FTP server.
– In the FTP view, establish a connection to the FTP server.
1. In the user view, run:
ftp
The FTP view is displayed.
2. Run:
open ipv6 host-ipv6-address [ port-number ]
The router is connected to the FTP server.
----End

8.6.4 Using FTP Commands to Manage Files

After you log in to an FTP server, you can use FTP commands to manage files. File operations include configuring a file transmission method, checking online help about FTP commands, uploading or downloading files, and managing directories and files.

Context

After logging in to an FTP server, you can perform the following operations:
- Configure a data type for transmitted files and a file transmission method.
- Check the online help about FTP commands in the FTP client view.
- Upload local files to the remote FTP server, or download files from the FTP server and save them locally.
- Create directories on or delete directories from the FTP server.
- Display information about a specified remote directory or file on the FTP server, or delete a specified file from the FTP server.

After you log in to the router that functions as a client and enter the FTP client view, you can perform the following steps:

Procedure
- Configure the data type and transmission mode for the file.
– Run:
ascii | binary
The data type of the file to be transmitted is ASCII or binary mode.
NOTE
FTP supports both ASCII and binary files.
Their differences are as follows:
- In ASCII transmission mode, ASCII characters are used to separate carriage returns from line feeds.
- In binary transmission mode, characters can be transferred without format conversion or formatting.
Clients can select an FTP transmission mode as required. The system defaults to the ASCII transmission mode. The client can use a mode switch command to switch between the ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files, and the binary mode is used to transmit binary files.
– Run:
passive
The passive file transfer mode is configured.
– Run:
verbose
The verbose mode for FTP is enabled. When the verbose mode is enabled, all FTP responses are displayed, and file transmission efficiency statistics are displayed after each transfer.
- View online help for FTP commands.
Run:
remotehelp [ command ]
The online help of the FTP commands is displayed.
- Upload or download files.
– Upload or download a single file.
Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.
Run:
get remote-filename [ local-filename ]
The file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
Run the mput local-filenames command to upload multiple local files to the remote FTP server in one operation.
Run the mget remote-filenames command to download multiple files from the FTP server and save them locally.
NOTE
- When you are uploading or downloading files, you can run the prompt command in the FTP client view to enable the file transmission prompt function. The system then prompts you to confirm each upload or download.
- If you run the prompt command again in the FTP client view, the file transmission prompt function is disabled.
- Run one or more of the following commands to manage directories.
– Run:
cd pathname
The working path of the remote FTP server is specified.
– Run:
cdup
The working path of the FTP server is switched to the upper-level directory.
– Run:
pwd
The specified directory of the FTP server is displayed.
– Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.
– Run:
mkdir make-remote-directory
A directory is created on the FTP server.
– Run:
rmdir delete-remote-directory
A directory is removed from the FTP server.
NOTE
- A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
- When you run the mkdir /abc command, you create a sub-directory named "abc".
- Run one or more of the following commands to manage files.
– Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specified file. If local-filename is configured, the remote file can be saved in another local file.
– Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specified file. If local-filename is configured, the remote file can be saved in another local file.
– Run:
delete remote-filename
The specified file on the FTP server is deleted. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specified file.
----End
8.6.5 Changing Login Users

After you log in to an FTP server, you can change the username on the client and log in to the server again with the new username.

Context

If you are logged in to the NE80E/40E that functions as an FTP client, you can switch to a different username and log in to the FTP server without leaving the FTP client view. The FTP connection established in this way is identical to that established by running the ftp command.

Perform the following steps on the router that functions as a client:

Procedure
- Run:
user user-name [ password ]
The user that previously logged in to the FTP server is changed, and the new user logs in to the server.
When the username used to log in to the FTP server is changed, the original connection between the user and the FTP server is interrupted.
----End

8.6.6 Disconnecting from the FTP Server

You can terminate a connection with an FTP server and return to the user view or the FTP view.

Context

Various commands can be used from the FTP client view to terminate a connection with an FTP server.

Do as follows on the router that serves as the client.

Procedure
- Run one of the following commands depending on your system configuration.
– Run:
bye
or
quit
The client router is disconnected from the FTP server, and the user view is displayed.
– Run:
close
or
disconnect
The client router is disconnected from the FTP server, and the FTP view is displayed.
----End

8.6.7 Checking the Configuration

After the configurations for accessing other devices using FTP are complete, you can view the source parameters configured on the FTP client.

Prerequisites

The configurations for accessing other devices using FTP are complete.
Procedure
- Run the display ftp-client command to view the source parameters of the FTP client.
----End

Example

Run the display ftp-client command to view the source parameters of the FTP client.
<HUAWEI> display ftp-client
The source address of FTP client is 1.1.1.1.

8.7 Using SFTP to Access Files on Another Device

SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server authenticates the client and encrypts data in both directions to provide secure data transmission.

8.7.1 Before You Start

Before you configure the use of SFTP to access files on another device, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment

SFTP is a secure FTP protocol based on SSH. SFTP allows users to log in to a remote device and transmit or manage files securely. You can log in to a remote SSH server from the router that functions as an SFTP client.

Pre-configuration Tasks

Before configuring the use of SFTP to access files on another device, configure a reachable route between the client and the SSH server.

Data Preparation

To use SFTP to access files on another device, you need the following data:

No.  Data
1. (Optional) Source address of the device that functions as the SFTP client
2. (Optional) Name of the SSH server
3. (Optional) Public key assigned by the client to the SSH server
4. IPv4 or IPv6 address or host name of the SSH server
5. Number of the port monitored by the SSH server, preferred encryption algorithm for data from the SFTP client to the SSH server, preferred encryption algorithm for data from the SSH server to the SFTP client, preferred HMAC algorithm for data from the SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH server to the SFTP client, preferred key exchange algorithm, name of the outgoing interface, source address, and user information for logging in to the SSH server
6. Name and directory of a specified file on the SSH server

8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client

You can configure a source IP address for an SFTP client and then use this source address to set up an SFTP connection from the client to the server along a specific route.

Context

An IP address is configured for an interface on the router. This IP address functions as the source IP address of the SFTP connection, which allows the server side to apply security checks to a fixed, known address. The source address of a client can be configured as a source interface or a source IP address.

Do as follows on a router that functions as an SFTP client.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for the SFTP client.

----End

8.7.3 Enabling First-Time Authentication on the SSH Client

After first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA) public key when it logs in to the SSH server for the first time.
Context

If first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA or DSA public key when it logs in to the SSH server for the first time. After the login, the system automatically allocates the server's RSA or DSA public key and saves it for authentication at the next login.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssh client first-time enable
First-time authentication on the SSH client is enabled.
By default, first-time authentication on the SSH client is disabled.

NOTE
- The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of the SSH server's RSA or DSA public key when an STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA or DSA public key of the SSH server.
- If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled on the SSH client, the STelnet client fails the RSA or DSA public key validity check and cannot log in to the server.

NOTE
To ensure that an STelnet client can log in to an SSH server on the first attempt, you can assign the SSH server's RSA or DSA public key on the SSH client in advance. You can also enable first-time authentication on the SSH client.

----End

8.7.4 Allocating a Public Key to the SSH Server

To make the first login to another device from an SSH client succeed, allocate the Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA) public key of the SSH server on the client before you log in.
Context

If first-time authentication is not enabled on an SSH client, the SFTP client fails the RSA or DSA public key validity check when it logs in to an SSH server for the first time and cannot log in to the server.

NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to the SSH server.

Do as follows on the router that functions as an SSH client:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
or
dsa peer-public-key key-name encoding-type { der | openssh | pem }
An encoding format is configured for a public key, and the public key view is displayed.

Step 3 Run:
public-key-code begin
The public key editing view is displayed.

Step 4 Run:
hex-data
The public key is edited. The public key is a string of hexadecimal characters generated on the SSH server.

NOTE
- The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise, the validity check for the RSA or DSA public key on the STelnet client will fail.
- After entering the public key editing view, paste the RSA or DSA public key generated on the server into the router that functions as the client.

Step 5 Run:
public-key-code end
Quit the public key editing view.
- If the specified hex-data is invalid, the public key cannot be generated after you run the peer-public-key end command.
- If the specified key-name is deleted in another view, the system determines that the key does not exist after you run the peer-public-key end command, and the system view is displayed.

Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname
The RSA or DSA public key is assigned to the SSH server.

NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server. Then run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new RSA or DSA public key to the SSH server.

----End

8.7.5 Using SFTP to Connect to Other Devices

You can use SFTP to log in to an SSH server from an SSH client.

Context

The command for enabling an SFTP client is similar to the STelnet command. When accessing an SSH server, SFTP can carry the source address and the name of the VPN instance, choose the key exchange algorithm, encryption algorithm, and hashed message authentication code (HMAC) algorithm, and configure the keepalive function.

Do as follows on the router that serves as an SSH client:

Procedure

Step 1 Run:
system-view
The system view is displayed.
Step 2 Perform one of the following operations according to the address type of the SSH server:

- If the SSH server has an IPv4 address, run:
  sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | rsa } ] ] *
  You can then log in to the SSH server through SFTP.
- If the SSH server has an IPv6 address, run:
  sftp ipv6 { -a source-address host-ipv6 | host-ipv6 } [ [ -oi interface-type interface-number ] [ port ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha2_256 | sha2_256_96 | sha1_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | rsa } ] ] *
  You can then log in to the SSH server through SFTP.

Step 3 According to the address type of the SSH server, select and perform one of the following configurations.
- For IPv4 addresses, run:
  sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | rsa } ] ] *
  You can log in to the SSH server through SFTP.
- For IPv6 addresses, run:
  sftp ipv6 { -a source-address host-ipv6 | host-ipv6 } [ [ -oi interface-type interface-number ] [ port ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha2_256 | sha2_256_96 | sha1_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | rsa } ] ] *
  You can log in to the SSH server through SFTP.

----End

8.7.6 Using SFTP Commands to Manage Files

You can use an SFTP client to manage directories and files on the SSH server and to display the command help on the SFTP client.

Context

After you log in to an SSH server from an SFTP client, you can use the SFTP client to perform the following operations:
- Create or delete directories on the SSH server, display the current working directory, or display a specified directory and information about the files in it.
- Rename files, delete files, display a file list, and upload or download files.
- Display the SFTP client command help.
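The sftp command forms in 8.7.5 let the operator pin the key exchange, cipher and HMAC algorithm per connection, and nothing stops a weak choice such as des or md5_96 from being typed. The following Python script is an added example, not part of the Huawei guide: it parses the prefer_* options out of an sftp command line as it would be typed in the system view, flags the values that are weak by current standards, and prints a hardened form of the same command. The weak/strong classification (DES, 3DES, MD5, the truncated *_96 HMACs and the 1024-bit dh_group1 group are treated as inadequate) is this example's own judgement, and the sample command line is constructed.

```python
"""Audit the algorithm preferences in an NE80E/40E sftp client command line.

Added example, not from the Huawei guide. It tokenises the prefer_* options
of the sftp command forms shown in 8.7.5, flags weak choices, and emits a
hardened form of the same command.
"""

# Option values are the ones the guide lists. The weak/strong split is this
# example's own judgement: DES, 3DES, MD5, the truncated *_96 MACs and the
# 1024-bit dh_group1 exchange are all considered inadequate today.
PREFERRED = {
    "prefer_kex": "dh_exchange_group",
    "prefer_ctos_cipher": "aes256",
    "prefer_stoc_cipher": "aes256",
    "prefer_ctos_hmac": "sha2_256",
    "prefer_stoc_hmac": "sha2_256",
}
WEAK = {
    "prefer_kex": {"dh_group1"},
    "prefer_ctos_cipher": {"des", "3des"},
    "prefer_stoc_cipher": {"des", "3des"},
    "prefer_ctos_hmac": {"md5", "md5_96", "sha1_96"},
    "prefer_stoc_hmac": {"md5", "md5_96", "sha1_96"},
}


def parse_sftp_options(command):
    """Return {option: value} for every prefer_* option present in the command.

    Works for both the IPv4 and the IPv6 command form, since the prefer_*
    keywords are always followed by exactly one value token.
    """
    tokens = command.split()
    options = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok in PREFERRED:
            options[tok] = tokens[i + 1]
    return options


def audit_sftp_command(command):
    """Return a list of (option, value, recommended) for each weak selection."""
    findings = []
    for opt, val in parse_sftp_options(command).items():
        if val in WEAK[opt]:
            findings.append((opt, val, PREFERRED[opt]))
    return findings


def harden_sftp_command(command):
    """Rewrite the command with every weak prefer_* value replaced by the recommended one."""
    tokens = command.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in WEAK and tokens[i + 1] in WEAK[tok]:
            tokens[i + 1] = PREFERRED[tok]
    return " ".join(tokens)


# Constructed sample: a command line as an operator might type it in the system view.
WEAK_COMMAND = ("sftp -a 1.1.1.1 10.10.1.1 22 prefer_kex dh_group1 "
                "prefer_ctos_cipher 3des prefer_stoc_cipher aes128 "
                "prefer_ctos_hmac md5_96 prefer_stoc_hmac sha2_256 -ki 60 -kc 3")

if __name__ == "__main__":
    for opt, val, rec in audit_sftp_command(WEAK_COMMAND):
        print(f"{opt}: {val} is weak, use {rec}")
    print(harden_sftp_command(WEAK_COMMAND))
```

The same token scan works on the sftp client-transfile get/put forms of 8.7.6, because the prefer_* keywords are positioned the same way there.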
After you log in to the router that functions as an SSH client and enter the SFTP client view, you can perform the following steps:

Procedure

- Manage directories. Perform the following steps as required:
  – Run:
    cd [ remote-directory ]
    The current working directory of the user is changed.
  – Run:
    cdup
    The view is switched to the directory one level up.
  – Run:
    pwd
    The current working directory of the user is displayed.
  – Run:
    dir [ remote-directory ]
    or
    ls [ remote-directory ]
    A list of files in the specified directory is displayed.
  – Run:
    rmdir delete-remote-directory &<1-10>
    The directory on the server is deleted.
  – Run:
    mkdir make-remote-directory
    A directory is created on the server.
- Manage files. Perform the following steps as required:
  – Run:
    rename old-name new-name
    The specified file on the server is renamed.
  – Run:
    get remote-filename [ local-filename ]
    The file on the remote server is downloaded.
    You can also run the following commands in the system view to download files from the server to the local device:
    – On an IPv4 network, run the
      sftp client-transfile get [ -a source-address | -i interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * username user-name password password sourcefile source-file [ destination destination ]
      command.
    – On an IPv6 network, run the
      sftp client-transfile get ipv6 [ -a source-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * username user-name password password sourcefile source-file [ destination destination ]
      command.
  – Run:
    put local-filename [ remote-filename ]
    The local file is uploaded to the remote server.
    You can also run the following commands in the system view to upload files to the server:
    – On an IPv4 network, run the
      sftp client-transfile put [ -a source-address | -i interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * username user-name password password sourcefile source-file [ destination destination ]
      command.
    – On an IPv6 network, run the
      sftp client-transfile put ipv6 [ -a source-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * username user-name password password sourcefile source-file [ destination destination ]
      command.
  – Run:
    remove remote-filename
    The file on the server is removed.

----End

8.7.7 Checking the Configuration

After using SFTP to log in to another device, you can view the source address of the SSH client, the mappings between all SSH servers and their Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA) public keys on the client, the global configuration of the SSH servers, and the sessions between the SSH servers and the client.

Prerequisites

The configuration for using SFTP to access files on another device is complete.

Procedure

- Run the display sftp-client command to check the source IP address of the SFTP client on the SSH client.
- Run the display ssh server-info command to check the mapping between the SSH server and the RSA or DSA public key on the SSH client.

----End

Example

Run the display sftp-client command on the client to view the source parameters of the device that functions as an SFTP client.

<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1

Run the display ssh server-info command to view the mappings between all servers and the RSA or DSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)                                 Server Public Key Type  Server public key name
______________________________________________________________________________
10.137.128.216                                  RSA                     10.137.128.216
10.137.128.217                                  RSA                     10.137.128.217
10.137.128.217                                  DSA                     sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1                                       RSA                     127.0.0.1
127.0.0.1                                       DSA                     10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1    RSA                     1fff:00ffff:00ffff:0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1  RSA                     1fff:00ffff:ffff:00ffff:000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1    RSA                     1fff:ffff:ffff:00ffff:000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1  RSA                     1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2                                         RSA                     8.1.1.2

8.8 Configuration Examples

This section provides examples for accessing another device. These examples explain the networking requirements, configuration notes, and configuration roadmap.

8.8.1 Example for Using Telnet to Log In to Another Device

This section provides an example of using Telnet to log in to another device. In this example, the authentication mode and password are configured for users to log in through Telnet.

Networking Requirements

As shown in Figure 8-7, users can Telnet to Router A but cannot Telnet to Router B. The route between Router A and Router B is reachable. In this case, users can Telnet to Router B from Router A to remotely configure and manage Router B.

Figure 8-7 Networking diagram for using Telnet to log in to another device
[Figure: PC -- network -- Router A (GE1/0/1, 1.1.1.1/24) -- network -- Router B (GE1/0/1, 2.1.1.1/24)]

Configuration Roadmap

The configuration roadmap is as follows:
1. On Router B, configure the authentication mode and password for users on Router A to log in to Router B.
2. Configure a Telnet server port number on Router B so that users log in only through this port.

Data Preparation

To complete the configuration, you need the following data:
- Host address of Router B: 2.1.1.1
- Password for user login: Huawei-123
- Telnet server port number: 1028

Procedure

Step 1 Configure the authentication mode and password for Telnet services on Router B.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] set authentication password cipher Huawei-123
[RouterB-ui-vty0-4] quit

To restrict Telnet access to Router B with an ACL, run the following commands on Router B.

[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound
[RouterB-ui-vty0-4] quit

NOTE
Configuring an ACL for Telnet services is optional.

Step 2 Log in to Router B from Router A through Telnet.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] quit
<RouterA> telnet 2.1.1.1
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.

Login authentication

Password:
Info: Authentication success,Welcome!
Info: The max number of VTY users is 10, and the number of
current VTY users on line is 1.
The current login time is 2010-02-22 14:31:01.
<RouterB>

Step 3 Configure a Telnet server port number on Router B.

<RouterB> system-view
[RouterB] telnet server port 1028
Warning: This operation will cause all the online Telnet users to be offline. Continue?[Y/N]: y
Info: Succeeded in changing the listening port of telnet server.

Step 4 Use the port number 1028 to log in to Router B from Router A through Telnet.
<RouterA> telnet 2.1.1.1 1028
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.

Login authentication

Password:
Info: Authentication success,Welcome!
Info: The max number of VTY users is 10, and the number of
current VTY users on line is 1.
The current login time is 2010-02-22 14:33:48.
<RouterB>

----End

Configuration Files

- Router A configuration file
#
 sysname RouterA
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return

- Router B configuration file
#
 sysname RouterB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password cipher $1a$uKWbVT9(dS$"E9fV,x,t#iXd7RDZ2|8l_OgW;kQ$A<l8u8H-WoM$
#
return

8.8.2 Example for Using Telnet Redirection to Log In to Another Device

This section describes an example of using the Telnet redirection function to log in to another device on the network, which enables users to manage the device remotely.

Networking Requirements

As shown in Figure 8-8, there is a reachable route between the PC and Router A, but Router A is not connected to Router B over the IP network. To manage Router B remotely, you can enable the Telnet redirection function on Router A and connect the asynchronous serial interface of Router A to the serial interface of Router B. Then you can log in to Router B remotely from the terminal PC through the specified port number of Router A to manage Router B.
Figure 8-8 Networking for using Telnet redirection to log in to another device
[Figure: PC -- network -- Router A (GE1/0/1, 10.1.1.1/24; AUX port) -- serial cable -- Router B (console port)]

Configuration Roadmap

The configuration roadmap is as follows:
1. Use the AUX interface of Router A to connect to Router B.
2. Enable the Telnet redirection function on Router A.

Data Preparation

To complete the configuration, you need the following data:
- IP address of Router A: 10.1.1.1

Procedure

Step 1 Open the AUX interface of Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface Aux 0/0/1
[RouterA-Aux0/0/1] undo shutdown
[RouterA-Aux0/0/1] quit

Step 2 Enable the redirection function on Router A.

[RouterA] user-interface aux 0
[RouterA-ui-aux0] undo shell
[RouterA-ui-aux0] redirect

Step 3 View the port number.

<RouterA> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port     VPNID  State
37b26538 6  /1    0.0.0.0:21            0.0.0.0:0            23553  Listening
37b20808 135/4    0.0.0.0:22            0.0.0.0:0            23553  Listening
15b8a270 135/1    0.0.0.0:23            0.0.0.0:0            23553  Listening
32fa2744 135/15   0.0.0.0:2033          0.0.0.0:0            23553  Listening
32facdac 135/17   0.0.0.0:4033          0.0.0.0:0            23553  Listening
32f9e4b4 88 /1    0.0.0.0:6000          0.0.0.0:0            23553  Listening
2ff6bbcc 135/9    10.137.217.226:23     10.138.77.21:2993    0      Established

Step 4 Verify the configuration.

Run the telnet 10.1.1.1 2033 (or telnet 10.1.1.1 4033) command on the PC to log in to Router B.

----End
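The basic ACL in 8.8.1 (rule permit source 1.1.1.1 0, bound inbound on the VTY lines) is what decides which source addresses may open a Telnet session at all, so it is worth being able to evaluate it before it is applied. The following Python model is an added example, not from the Huawei guide. It parses rules of the form "rule [number] { permit | deny } [ vpn-instance name ] source address wildcard" as written in the ACL view, applies the wildcard-mask convention (a set bit in the mask means "do not care"; the guide's bare 0 means a single host) with first-match ordering, and reports the verdict for a candidate source address. Treating an unmatched source as denied is this example's assumption about the VTY ACL, to be confirmed on the platform; the rule lines and addresses below are constructed from the 8.8.1 configuration.

```python
"""Model of the basic ACL bound inbound to the VTY lines in 8.8.1.

Added example, not from the Huawei guide. It evaluates rules of the form
"rule [number] { permit | deny } [ vpn-instance name ] source address wildcard"
against a connecting source address, using the wildcard-mask convention
(a set bit in the mask means "do not care") and first-match ordering.
Unmatched sources are treated as denied, which is this example's assumption
about how the VTY ACL behaves; confirm it on your own platform.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action source wildcard vpn")


def parse_rule(text):
    """Parse one rule line as written in the ACL view."""
    tokens = text.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not a rule: {text!r}")
    i = 1
    if tokens[i].isdigit():                  # optional rule number
        i += 1
    action = tokens[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {text!r}")
    i += 1
    vpn = None
    if tokens[i] == "vpn-instance":          # rule applies only inside that VPN
        vpn, i = tokens[i + 1], i + 2
    if tokens[i] != "source":
        raise ValueError(f"expected 'source' in {text!r}")
    if tokens[i + 1] == "any":
        source, wildcard = "0.0.0.0", "255.255.255.255"
    else:
        source, wildcard = tokens[i + 1], tokens[i + 2]
        if wildcard == "0":                  # the guide's shorthand for a single host
            wildcard = "0.0.0.0"
    return Rule(action, source, wildcard, vpn)


def matches(rule, address, vpn=None):
    """True when the address (and VPN) satisfies the rule's source/wildcard."""
    if rule.vpn != vpn:
        return False
    src = int(ipaddress.IPv4Address(rule.source))
    addr = int(ipaddress.IPv4Address(address))
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    return (src ^ addr) & care == 0


def evaluate(rules, address, vpn=None):
    """First matching rule decides; no match means deny (assumption, see above)."""
    for rule in rules:
        if matches(rule, address, vpn):
            return rule.action
    return "deny"


# Constructed from the 8.8.1 configuration: only Router A (1.1.1.1) may log in.
VTY_ACL_2000 = [parse_rule("rule 5 permit source 1.1.1.1 0")]

if __name__ == "__main__":
    for candidate in ("1.1.1.1", "1.1.1.2"):
        print(candidate, evaluate(VTY_ACL_2000, candidate))
```

The vpn-instance field is carried so that a rule written for a VPN instance only matches sessions arriving in that VPN; a session on the public network never matches such a rule, and vice versa.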
Configuration Files

- Router A configuration file
#
 sysname RouterA
#
interface Aux0/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
user-interface con 0
user-interface aux 0
 undo shell
 redirect
#
return

8.8.3 Example for Using Telnet on a VPN to Log In to Another Device

This section provides an example of logging in to another device by using Telnet on a VPN. In this example, the authentication mode and password are configured for users on a VPN so that they can log in to the router through Telnet.

Networking Requirements

As shown in Figure 8-9, Router A and Router B can ping each other. Users can log in to Router B from Router A through Telnet.

Figure 8-9 Networking diagram for logging in to another device by using Telnet on a VPN
[Figure: Router A (GE1/0/0, 1.1.1.1/24) -- IP network -- Router B (GE1/0/0, 1.1.1.2/24, VPN instance tt)]

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure a VPN on Router B.
2. Configure the authentication mode and password of user interfaces VTY0 to VTY4 on Router B.
3. Require the user to enter the password to log in to Router B from Router A in Telnet mode.

Data Preparation

To complete the configuration, you need the following data:
- Host IP address of Router B
- Authentication mode and password
- VPN instance

Procedure

Step 1 Configure the VPN instance and IP address.

# Configure Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24

# Configure Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip vpn-instance tt
[RouterB-vpn-instance-tt] route-distinguisher 1000:1
[RouterB-vpn-instance-tt] quit
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ip binding vpn-instance tt
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] quit

Step 2 Configure the Telnet authentication mode and password on Router B.

<RouterB> system-view
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
Please configure the login password (8-16)
Enter Password:
Confirm Password:
[RouterB-ui-vty0-4] quit

To restrict Telnet terminal services with an ACL, perform the following on Router B.

[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit vpn-instance tt source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound

NOTE
Configuring Telnet terminal services based on the ACL is optional.

Step 3 Verify the configuration.

After the configuration is complete, you can log in to Router B from Router A through Telnet.

<RouterA> telnet 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.

Login authentication

Password:
Info: Authentication success,Welcome!
Note: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
<RouterB>

----End

Configuration Files

- Router A configuration file
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return

- Router B configuration file
#
 sysname RouterB
#
ip vpn-instance tt
 route-distinguisher 1000:1
#
acl number 2000
 rule 5 permit vpn-instance tt source 1.1.1.1 0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance tt
 ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
#
return

8.8.4 Example for Using STelnet (RSA Authentication Mode) to Log In to the SSH Server

This section provides an example of logging in to another device by using STelnet. In this example, local key pairs are generated on the STelnet client and the SSH server, and the Rivest-Shamir-Adleman Algorithm (RSA) public key generated on the STelnet client is entered on the SSH server and bound to the client's SSH user. In this manner, the STelnet client can connect to the SSH server.

Networking Requirements

As shown in Figure 8-10, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server using the password, RSA, password-RSA, Digital Signature Algorithm (DSA), password-DSA, or all authentication mode. In this example, the Huawei router functions as an SSH server. Two users, Client001 and Client002, are configured to log in to the SSH server in the password and RSA authentication modes, respectively.

Figure 8-10 Networking diagram for using STelnet to log in to another device
[Figure: SSH Server (GE1/0/1, 10.10.1.1/16); Client001 (GE1/0/1, 10.10.2.2/16); Client002 (GE1/0/1, 10.10.3.3/16)]

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2.
Create a local RSA key pair on STelnet client Client002 and on the SSH server, and bind client Client002 to an RSA key so that the client is authenticated when it attempts to log in to the server.
3. Enable the STelnet service on the SSH server.
4. Set the service type of Client001 and Client002 to STelnet.
5. Enable first-time authentication on the SSH clients.
6. Users Client001 and Client002 can now log in to the SSH server through STelnet.

Data Preparation

To complete the configuration, you need the following data:
- Client001 with the password !QAZ@WSX3edc and authentication mode password
- Client002 with the public key RsaKey001 and authentication mode RSA
- IP address of the SSH server: 10.10.1.1

Procedure

Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 2 Create an SSH user on the server.

NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA, and all.
- When the SSH user adopts the password, password-DSA, or password-RSA authentication mode, configure a local user with the same name.
- When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode, the server must store the RSA or DSA public key of the SSH client.

# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

- Create SSH user Client001.

# Configure password authentication for SSH user Client001.

[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Set the password of SSH user Client001 to !QAZ@WSX3edc.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher !QAZ@WSX3edc
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

- Create SSH user Client002.

# Configure RSA authentication for SSH user Client002.

[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa

Step 3 Configure the RSA public key on the server.

# Generate a local key pair on the client.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create

# View the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

# Send the RSA public key generated on the client software to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

Step 4 Bind SSH user Client002 to the RSA public key of the SSH client.

[SSH Server] ssh user client002 assign rsa-key RsaKey001

Step 5 Enable the STelnet service on the SSH server.

# Enable the STelnet service.
[SSH Server] stelnet server enable

Step 6 Configure the STelnet service for SSH users Client001 and Client002.

[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet

Step 7 Connect the STelnet client to the SSH server.
# At the first login, you need to enable first-time authentication on the SSH client.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect STelnet client Client001 to the SSH server in password authentication mode. Enter the user name and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password !QAZ@WSX3edc. The login is complete.
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

# Connect STelnet client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

Step 8 Verify the configuration.

After the configuration, run the display ssh server status and display ssh server session commands.
You can view that the STelnet service is enabled and the STelnet client is connected to the SSH server.

# Display the SSH status.
[SSH Server] display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 0 hours
SSH Authentication retries          : 3 times
SFTP server                         : Disable
Stelnet server                      : Enable

# Display the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn                  : VTY 3
Version               : 2.0
State                 : started
Username              : client001
Retry                 : 1
CTOS Cipher           : aes128-cbc
STOC Cipher           : aes128-cbc
CTOS Hmac             : hmac-sha1-96
STOC Hmac             : hmac-sha1-96
Kex                   : diffie-hellman-group1-sha1
Service Type          : stelnet
Authentication Type   : password
Session 2:
Conn                  : VTY 4
Version               : 2.0
State                 : started
Username              : client002
Retry                 : 1
CTOS Cipher           : aes128-cbc
STOC Cipher           : aes128-cbc
CTOS Hmac             : hmac-sha1-96
STOC Hmac             : hmac-sha1-96
Kex                   : diffie-hellman-group1-sha1
Service Type          : stelnet
Authentication Type   : rsa

# Display information about the SSH user.
[SSH Server] display ssh user-information
User 1:
User Name             : client001
Authentication-type   : password
User-public-key-name  :
Sftp-directory        :
Service-type          : stelnet
Authorization-cmd     : No
User 2:
User Name             : client002
Authentication-type   : rsa
User-public-key-name  : RsaKey001
Sftp-directory        :
Service-type          : stelnet
Authorization-cmd     : No

----End

Configuration Files

- SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J\E%hGAP&3-R,*7S_]SS}Wa%$%$
local-user client001 service-type ssh
local-user client001 state block fail-times 3 interval 5
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- Client001 configuration file
#
sysname client001
#
interface GigabitEthernet1/0/1
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

- Client002 configuration file
#
sysname client002
#
interface GigabitEthernet1/0/1
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.8.5 Example for Using STelnet (DSA Authentication Mode) to Log In to the SSH Server

This section provides an example for logging in to the SSH server using STelnet. In this example, the local key pairs are generated on the STelnet client and secure shell (SSH) server, and the digital signature algorithm (DSA) public key is generated on the SSH server and then bound to the STelnet client. These configurations implement communication between the STelnet clients and SSH server.

Networking Requirements

After the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server in any of the following authentication modes: password, Rivest-Shamir-Adleman Algorithm (RSA), password-RSA, DSA, password-DSA, and all.
In this example, the Huawei router functions as an SSH server. In Figure 8-11, two users, Client001 and Client002, are configured to use STelnet to log in to the SSH server in password authentication mode and DSA authentication mode, respectively.

Figure 8-11 Networking diagram for STelnet login mode
SSH Server: GE1/0/1 10.10.1.1/16
Client 001: GE1/0/1 10.10.2.2/16
Client 002: GE1/0/1 10.10.3.3/16

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in password authentication mode and DSA authentication mode, respectively.
2. Create a local DSA key pair on Client002 and the SSH server, and bind Client002 to the SSH client's DSA public key. These configurations implement authentication for the client that attempts to log in to the server.
3. Enable the STelnet service on the SSH server.
4. Set the service type of Client001 and Client002 to STelnet.
5. Enable first-time authentication on the SSH clients.
6. Use Client001 and Client002 to log in to the SSH server through STelnet.

Data Preparation

To complete the configuration, you need the following data:
- Client001 with the password %TGB6yhn7ujm and authentication mode password
- Client002 with the public key DsaKey001 and authentication mode DSA
- SSH server IP address: 10.10.1.1

Procedure

Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: ssh server_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

Step 2 Create SSH users on the server.

NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA, and all.
- When the SSH user adopts the password, password-DSA, or password-RSA authentication mode, configure a local user with the same name.
- When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode, the server should save the RSA or DSA public key for the SSH client.
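The NOTE above requires the server to hold the client's RSA or DSA public key, and Step 3 of both this example and 8.8.4 has an operator retype that key word by word into the key-code view, where a dropped or swapped word produces a key that simply never authenticates. The device prints the same key twice, as a hex "Key code" (a DER SEQUENCE of INTEGERs) and as an OpenSSH line (an RFC 4253 blob), so the two can be checked against each other. The following Python script is an added example, not Huawei code: it decodes both forms of the client002 RSA key shown in 8.8.4 Step 3, confirms they are the same key, reports the modulus size against the 2048-bit recommendation in this guide's notice, and computes the SHA256 fingerprint an OpenSSH client would display for it. The constant names and the 2048-bit threshold are the example's own; the parsing is written generically so that the four-integer DSA key code in Step 3 below (p, q, g, y, in the same order in both encodings) goes through the same functions.

```python
"""Cross-check the public key a Huawei device prints, before it is pasted into
"rsa peer-public-key" / "dsa peer-public-key" on the server. Added example, not
Huawei code. Sample values are the client002 RSA key from 8.8.4 Step 3."""
import base64
import hashlib
import struct

# Key code as printed by "display rsa local-key-pair public" (whitespace is ignored).
KEY_CODE_HEX = """
3047 0240 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2
F7CB674E 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B 0203 010001
"""
# The "Public key code for pasting into OpenSSH authorized_keys file" line.
OPENSSH_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0Xq"
    "yA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)
GUIDE_MINIMUM_BITS = 2048  # this guide's notice: RSA-2048 or higher is recommended


def _der_body(buf, pos):
    """Decode a DER length (short or long form) at buf[pos]; return the content
    bytes it covers and the offset just past them."""
    first = buf[pos]
    pos += 1
    if first & 0x80:                       # long form: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the key code")
    return buf[pos:pos + length], pos + length


def der_integers(der):
    """Return the INTEGERs inside a DER SEQUENCE: [n, e] for RSA, [p, q, g, y]
    for DSA. The device prints each INTEGER as its bare magnitude, without the
    0x00 pad byte strict DER adds when the top bit is set, so read unsigned."""
    if der[0] != 0x30:
        raise ValueError("key code does not start with a SEQUENCE tag")
    body, _ = _der_body(der, 1)
    values, pos = [], 0
    while pos < len(body):
        if body[pos] != 0x02:
            raise ValueError("expected INTEGER tag at offset %d" % pos)
        content, pos = _der_body(body, pos + 1)
        values.append(int.from_bytes(content, "big"))
    return values


def ssh_blob_fields(blob):
    """Split an RFC 4253 public key blob into its key type and mpint values."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    ktype = fields[0].decode("ascii")
    return ktype, [int.from_bytes(f, "big", signed=True) for f in fields[1:]]


def key_code_bytes(key_code_hex):
    return bytes.fromhex("".join(key_code_hex.split()))


def same_key(key_code_hex, openssh_line):
    """True when the hex key code and the OpenSSH line encode the same key."""
    der_vals = der_integers(key_code_bytes(key_code_hex))
    ktype, b64 = openssh_line.split()[:2]
    blob_type, ssh_vals = ssh_blob_fields(base64.b64decode(b64))
    if ktype != blob_type:
        return False
    if ktype == "ssh-rsa":
        ssh_vals = [ssh_vals[1], ssh_vals[0]]  # blob order is e, n; DER order is n, e
    return der_vals == ssh_vals


def fingerprint(openssh_line):
    """SHA256 fingerprint in the form OpenSSH clients display on first connect."""
    blob = base64.b64decode(openssh_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check(key_code_hex, openssh_line):
    """The summary a reviewer wants before saving the key on the server."""
    bits = der_integers(key_code_bytes(key_code_hex))[0].bit_length()
    return {
        "matches": same_key(key_code_hex, openssh_line),
        "bits": bits,
        "meets_guide_minimum": bits >= GUIDE_MINIMUM_BITS,
        "fingerprint": fingerprint(openssh_line),
    }


if __name__ == "__main__":
    for name, value in check(KEY_CODE_HEX, OPENSSH_LINE).items():
        print("%-20s %s" % (name, value))
```

Run against the values on this page, the two encodings agree but the modulus is 512 bits, well below the guide's own 2048-bit recommendation, so a passing match check says nothing about key strength. The same script run on the server's own display rsa local-key-pair public output yields the fingerprint an administrator can compare with before answering "Continue to access it?(Y/N)" in Step 7, where the client otherwise saves whatever server key it receives on the first connection.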
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

- Create SSH user Client001.
# Create SSH user Client001 and configure the authentication mode as password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set Client001's password to %TGB6yhn7ujm.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

- Create SSH user Client002.
# Create SSH user Client002 and configure the authentication mode as DSA.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa

Step 3 Configure the DSA public key on the server.

# Generate a local key pair on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: ssh server_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# View the DSA public key generated on Client002.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 10:14:48 2011/12/01
Key name : client002_Host_DSA
Key modulus : 2048
Key type : DSA encryption Key
=====================================================
Key code:
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
A34004C1 B37824BB D3160595 702901CD 53F0EAE0
6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
C986329F
0240
9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E
717B2208 8F9C46F5 0F1875DE 013FFCD3 D4089356
EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A
958C4074
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCdXKace9kkm7Tx10dw
e1wT65gKHnF7IgiPnEb1Dxh13gE//NPUCJNW7AbQrrJWpN1LQYE4dM69nBYSP3qV
jEB0
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biCkyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCdXKace9kkm7Tx10dwe1wT65gKHnF7IgiPnEb1Dxh13gE//NPUCJNW7AbQrrJWpN1LQYE4dM69nBYSP3qVjEB0

# Send the DSA public key generated on the client to the server.
[SSH Server] dsa peer-public-key DsaKey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 3081DC
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
[SSH Server-dsa-key-code] A34004C1 B37824BB D3160595 702901CD 53F0EAE0
[SSH Server-dsa-key-code] 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
[SSH Server-dsa-key-code] 87C63485
[SSH Server-dsa-key-code] 0214
[SSH Server-dsa-key-code] 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
[SSH Server-dsa-key-code] 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
[SSH Server-dsa-key-code] 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
[SSH Server-dsa-key-code] C986329F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E
[SSH Server-dsa-key-code] 717B2208 8F9C46F5 0F1875DE 013FFCD3 D4089356
[SSH Server-dsa-key-code] EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A
[SSH Server-dsa-key-code] 958C4074
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
[SSH Server]

Step 4 Bind Client002 to the SSH client's DSA public key.

[SSH Server] ssh user client002 assign dsa-key DsaKey001

Step 5 Enable the STelnet service on the SSH server.

# Enable the STelnet service.
[SSH Server] stelnet server enable

Step 6 Configure the STelnet service for Client001 and Client002.

[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet

Step 7 Connect the STelnet client to the SSH server.

# At the first login, enable first-time authentication on the SSH clients.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable

# Connect Client001 to the SSH server in password authentication mode. Enter the user name and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password %TGB6yhn7ujm configured in Step 2. The command output shows that the login is complete.
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

# Connect Client002 to the SSH server in DSA authentication mode.
<client002> system-view
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>

Step 8 Verify the configuration.

After the configuration is complete, run the display ssh server status and display ssh server session commands. The command outputs show that the STelnet service is enabled and the STelnet clients have logged in to the SSH server.

# View the SSH status.
[SSH Server] display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 0 hours
SSH Authentication retries          : 3 times
SFTP server                         : Disable
Stelnet server                      : Enable

# View the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn                  : VTY 3
Version               : 2.0
State                 : started
Username              : client001
Retry                 : 1
CTOS Cipher           : aes128-cbc
STOC Cipher           : aes128-cbc
CTOS Hmac             : hmac-sha1-96
STOC Hmac             : hmac-sha1-96
Kex                   : diffie-hellman-group1-sha1
Service Type          : stelnet
Authentication Type   : password
Session 2:
Conn                  : VTY 4
Version               : 2.0
State                 : started
Username              : client002
Retry                 : 1
CTOS Cipher           : aes128-cbc
STOC Cipher           : aes128-cbc
CTOS Hmac             : hmac-sha1-96
STOC Hmac             : hmac-sha1-96
Kex                   : diffie-hellman-group1-sha1
Service Type          : stelnet
Authentication Type   : dsa

# View information about the SSH users.
[SSH Server] display ssh user-information
User 1:
User Name             : client001
Authentication-type   : password
User-public-key-name  :
Sftp-directory        :
Service-type          : stelnet
Authorization-cmd     : No
User 2:
User Name             : client002
Authentication-type   : dsa
User-public-key-name  : DsaKey001
Sftp-directory        :
Service-type          : stelnet
Authorization-cmd     : No

----End

Configuration Files

- Configuration file of the SSH server (the key code is the DSA key entered in Step 3)
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
A34004C1 B37824BB D3160595 702901CD 53F0EAE0
6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
C986329F
0240
9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E
717B2208 8F9C46F5 0F1875DE 013FFCD3 D4089356
EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A
958C4074
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %$%$f/{P1yh<T$"_sQ6#>~86_Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key DsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- Client001 configuration file
#
sysname client001
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return

- Client002 configuration file
#
sysname client002
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.8.6 Example for Using TFTP to Access Files on Another Device

In this example, the TFTP application is run on the TFTP server and the location of the source file on the server is set. Then, you can upload and download files.

Networking Requirements

As shown in Figure 8-12, the IP address of the TFTP server is 10.111.16.160/24. Log in to the router from the HyperTerminal and then download the file V600R008C10.cc from the TFTP server.
Figure 8-12 Networking diagram for using TFTP to access files on another device
PC --- TFTP Client (router) --- TFTP Server 10.111.16.160/24

Configuration Roadmap

The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the router to download the file.
3. Use the TFTP command on the router to upload the file.

Data Preparation

To complete the configuration, you need the following data:
- The TFTP application installed on the TFTP server
- The path of the file on the TFTP server
- The destination file name and its path on the router

Procedure

Step 1 Start the TFTP server, and set its Current Directory as the directory where the V600R008C10.cc file resides. Figure 8-13 shows the interface.

Figure 8-13 Setting the base directory of the TFTP server

NOTE
The display may be different depending on which TFTP server application is run on the computer.

Step 2 Log in to the router from the computer's HyperTerminal and enter the following command to download the file.

<HUAWEI> tftp 10.111.16.160 get V600R008C10.cc cfcard:/V600R008C10.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory on the router.
<HUAWEI> dir cfcard:
Directory of cfcard:/

  Idx  Attr   Size(Byte)  Date         Time      FileName
    1  -rw-           40  Jun 24 2006  09:30:40  private-data.txt
    2  -rw-          396  May 19 2006  15:00:10  rsahostkey.dat
    3  -rw-          540  May 19 2006  15:00:10  rsaserverkey.dat
    4  -rw-         2718  Jun 21 2006  17:46:46  1.cfg
    5  -rw-        14343  May 19 2006  15:00:10  paf.txt
    6  -rw-         1004  Feb 05 2001  09:51:22  vrp1.zip
    7  -rw-         6247  May 19 2006  15:00:10  license.txt
    8  -rw-        14343  May 16 2006  14:13:42  paf.txt.bak
    9  -rw-     86235884  Feb 05 2001  10:23:46  V600R008C10.cc

Step 4 Log in to the router from the computer's HyperTerminal and enter the following command to upload the file.

<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.

----End

8.8.7 Example for Configuring Access to the TFTP Server on the Public Network When the Management VPN Instance Is Used

This section provides an example for configuring access to the TFTP server on the public network when the management VPN instance is used. In this example, after you log in to a router configured with the management VPN instance, you can download files from the TFTP server on the public network.

Networking Requirements

As shown in Figure 8-14, a management VPN instance is configured on the router. Users use the VPN instance to access the TFTP server from the router. To enable the client to access the TFTP server on the public network, connect the router to the TFTP server on the public network. Log in to the router from the HyperTerminal and then download the file V600R008C10.cc from the TFTP server.
Figure 8-14 Networking diagram of configuring access to the TFTP server on the public network when the management VPN instance is used
PC --- TFTP Client (router) --- Network --- TFTP Server 10.111.16.160/24

Configuration Roadmap

The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the router to download the file.
3. Use the TFTP command on the router to upload the file.

Data Preparation

To complete the configuration, you need the following data:
- The TFTP application installed on the TFTP server
- The path of the file on the TFTP server
- The destination file name and its path on the router

Procedure

Step 1 Start the TFTP server, and set its Current Directory as the directory where the V600R008C10.cc file resides. Figure 8-15 shows the interface.

Figure 8-15 Setting the base directory of the TFTP server

NOTE
The display may be different depending on which TFTP server application is run on the computer.

Step 2 Log in to the router from the computer's HyperTerminal and enter the following command to download the file.

<HUAWEI> tftp 10.111.16.160 public-net get V600R008C10.cc cfcard:/V600R008C10.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory on the router.
<HUAWEI> dir cfcard:
Directory of cfcard:/

  Idx  Attr   Size(Byte)  Date         Time      FileName
    1  -rw-           40  Jun 24 2006  09:30:40  private-data.txt
    2  -rw-          396  May 19 2006  15:00:10  rsahostkey.dat
    3  -rw-          540  May 19 2006  15:00:10  rsaserverkey.dat
    4  -rw-         2718  Jun 21 2006  17:46:46  1.cfg
    5  -rw-        14343  May 19 2006  15:00:10  paf.txt
    6  -rw-         1004  Feb 05 2001  09:51:22  vrp1.zip
    7  -rw-         6247  May 19 2006  15:00:10  license.txt
    8  -rw-        14343  May 16 2006  14:13:42  paf.txt.bak
    9  -rw-     86235884  Feb 05 2001  10:23:46  V600R008C10.cc

Step 4 Log in to the router from the computer's HyperTerminal and enter the following command to upload the file.

<HUAWEI> tftp 10.111.16.160 public-net put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.

----End

Configuration Files

None.

8.8.8 Example for Using FTP to Access Files on Another Device

This section provides an example for using FTP to access files on another device. In this example, a user logs in to the FTP server from the router to download system software and configuration software from the FTP server.

Networking Requirements

As shown in Figure 8-16, the route between Router A, which functions as the FTP client, and the FTP server is reachable. A user needs to download system software and configuration software from the FTP server. The Huawei router functions as an FTP server.

Figure 8-16 Networking diagram for using FTP to access files on another device
RouterA: GE1/0/1 2.1.1.1/24 --- Network --- FTP Server: GE1/0/1 1.1.1.1/24

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure the user name and password for an FTP user to log in to the FTP server.
2. Enable the FTP server on the router.
3. Run login commands to log in to the FTP server.
4. Configure the file transmission mode and directories for the client before downloading the required files from the FTP server.

Data Preparation

To complete the configuration, you need the following data:
- User name: huawei and password: !QAZ@WSX3edc
- IP address of the FTP server: 1.1.1.1
- Target file and its location on Router A

Procedure

Step 1 Configure an FTP user on the FTP server.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password irreversible-cipher !QAZ@WSX3edc
[HUAWEI-aaa] local-user huawei service-type ftp
[HUAWEI-aaa] local-user huawei ftp-directory cfcard:
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit

Step 2 Enable the FTP server.

[HUAWEI] ftp server enable

Step 3 Log in to the FTP server from Router A.

<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

Step 4 On Router A, configure the binary format as the file transfer mode and cfcard:/ as the working directory.

[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.

Step 5 On Router A, download the latest system software from the remote FTP server.

[ftp] get V600R008C10.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R008C10.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

You can run the dir command to check whether the required file is downloaded to the client.
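The configuration files that close each example in this chapter carry the settings a reviewer actually checks: which protocol a VTY line admits, whether each SSH user is authenticated by a key or a password alone, in what form local-user passwords are stored, and which file-transfer services are enabled. The following Python script is an added example, not Huawei code: it splits a VRP-style configuration into blocks and reports those settings. CONFIG is a constructed excerpt modelled on the SSH server file in 8.8.4 and the FTP server file in this section, with the one-space indentation of block sub-commands restored as the device prints it, plus a second VTY block and a plaintext password line added so that the findings show what gets flagged. The block rule, the key names of the report and the finding texts are the example's own.

```python
"""Audit a VRP-style configuration file for the access-control settings this
chapter configures. Added example, not Huawei code. CONFIG is a constructed
excerpt modelled on the 8.8.4 SSH server file and the 8.8.8 FTP server file."""
import re

CONFIG = r"""
#
 sysname SSH Server
#
aaa
 local-user client001 password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J\E%hGAP&3-R,*7S_]SS}Wa%$%$
 local-user client001 service-type ssh
 local-user huawei password plain ConstructedPassw0rd
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
 local-user huawei level 3
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
stelnet server enable
ftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
user-interface vty 5 9
 authentication-mode aaa
 protocol inbound all
#
return
"""


def parse_blocks(text):
    """Split the config into (header, sub-commands) blocks. Sections are
    separated by '#'; an unindented line opens a block and the indented lines
    under it are its sub-commands. A line with no block above it (indented or
    not) is a single global command and is returned as a header with no subs."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#" or line == "return":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(line)
        elif raw.startswith(" "):
            blocks.append((line, []))
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def _global_command(cmd, report):
    m = re.match(r"(\S+) server enable$", cmd)
    if m:
        report["services"].append(m.group(1))
        if m.group(1) == "ftp":     # FTP has no transport protection at all
            report["findings"].append(
                "ftp server enable: FTP carries credentials and files in cleartext")
        return
    m = re.match(r"ssh user (\S+) authentication-type (\S+)$", cmd)
    if m:
        report["ssh_auth"][m.group(1)] = m.group(2)
        if m.group(2) == "password":
            report["findings"].append(
                "ssh user %s: authenticated by password alone, no client key bound"
                % m.group(1))


def audit(text):
    """Return the settings a reviewer checks plus a list of findings."""
    report = {"vty": {}, "ssh_auth": {}, "password_storage": {},
              "services": [], "findings": []}
    for header, subs in parse_blocks(text):
        if not subs:
            _global_command(header, report)
        elif header.startswith("user-interface vty"):
            name = header[len("user-interface "):]
            settings = {}
            for cmd in subs:
                m = re.match(r"(authentication-mode|protocol inbound) (\S+)$", cmd)
                if m:
                    settings[m.group(1)] = m.group(2)
            report["vty"][name] = settings
            inbound = settings.get("protocol inbound", "not set")
            if inbound != "ssh":    # "all" admits Telnet as well as SSH
                report["findings"].append(
                    "%s: protocol inbound is %s, not restricted to ssh" % (name, inbound))
        elif header == "aaa":
            for cmd in subs:
                m = re.match(
                    r"local-user (\S+) password (irreversible-cipher|cipher|plain) ", cmd)
                if m:
                    user, form = m.group(1), m.group(2)
                    report["password_storage"][user] = form
                    if form == "plain":   # the guide's notice: plain is stored in cleartext
                        report["findings"].append(
                            "local-user %s: password stored in plaintext (plain)" % user)
    return report


if __name__ == "__main__":
    for finding in audit(CONFIG)["findings"]:
        print(finding)
```

The four findings on the constructed input are the ones this chapter's own material supports: the guide's notice on the plain parameter, the cleartext nature of FTP (8.8.8 enables it alongside STelnet), an SSH user whose authentication-type is password with no key bound (Client001 in 8.8.4 and 8.8.5), and a VTY block whose protocol inbound is all rather than the ssh that every example in this chapter sets. Since the parser accepts a global command whether or not the device printed it indented, the same script runs unchanged on a display current-configuration capture.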
----End

Configuration Files

- Configuration file on the FTP server
#
ftp server enable
#
aaa
local-user huawei password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J\E%hGAP&3-R,*7S_]SS}Wa%$%$
local-user huawei service-type ftp
local-user huawei state block fail-times 3 interval 5
local-user huawei ftp-directory cfcard:
local-user huawei level 3
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
return

- Configuration file on the FTP client
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
return

8.8.9 Example for Configuring Access to the FTP Server on the Public Network When the Management VPN Instance Is Used

This section provides an example for configuring access to the FTP server on the public network when the management VPN instance is used. In this example, after you log in to a router configured with the management VPN instance, you can download files from the FTP server on the public network.

Networking Requirements

As shown in Figure 8-17, a management VPN instance is configured on Router A. Users use the VPN instance to access the FTP server. To enable Router A to access the FTP server on the public network, you need to connect the router to the FTP server on the public network. The route between the router, which functions as the FTP client, and the FTP server is reachable. A user needs to download system software and configuration software from the FTP server on the public network.

Figure 8-17 Networking diagram of configuring access to the FTP server on the public network when the management VPN instance is used
RouterA: GE1/0/1 2.1.1.1/24 --- Network --- FTP Server: GE1/0/1 1.1.1.1/24

Configuration Roadmap

1. Log in to the FTP server from the FTP client on the public network.
2. Download the system files from the server to the storage devices on the client side.

Data Preparation

To complete the configuration, you need the following data:
- IP address of the FTP server: 1.1.1.1
- User name: huawei and password: huawei
- The destination file name and its position in the router

Procedure

Step 1 Log in to the FTP server from the router.

<HUAWEI> ftp 1.1.1.1 public-net
Trying 1.1.1.1
Press CTRL+K to abort
Connected to 1.1.1.1
220 FTP service ready.
User(ftp 1.1.1.1:(none)):huawei
331 Password required for huawei
Password:
230 User logged in.

Step 2 Configure the transmission mode to the binary format and configure the directory of the cfcard memory on the router.

[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.

Step 3 Download the newest system software from the remote FTP server on the router.

[ftp] get V600R008C10.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R008C10.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

----End

Configuration Files

None.

8.8.10 Example for Using SFTP (RSA Authentication Mode) to Access Files on Another Device

In this example, the local key pairs are generated on the SFTP client and the SSH server respectively, and the public RSA key is generated on the SSH server, which binds the public Rivest-Shamir-Adleman Algorithm (RSA) key to the SFTP client. In this manner, the SFTP client can connect to the SSH server.

Networking Requirements

As shown in Figure 8-18, after the SFTP service is enabled on the SSH server, the SFTP client can log in to the SSH server with the password, RSA, password-RSA, Digital Signature Algorithm (DSA), password-DSA, or all authentication.
In this example, the Huawei router functions as the SSH server. Two users, client001 and client002, are configured to log in to the SSH server in password and RSA authentication modes, respectively.

Figure 8-18 Networking diagram for accessing files on another device by using SFTP (SSH Server GE1/0/1 10.10.1.1/16; Client 001 GE1/0/1 10.10.2.2/16; Client 002 GE1/0/1 10.10.3.3/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on SFTP client Client002 and on the SSH server, and bind Client002 to an RSA key so that the server can authenticate the client when it attempts to log in.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH users.
5. Use Client001 and Client002 to log in to the SSH server through SFTP and access files on the server.

Data Preparation
To complete the configuration, you need the following data:
- Client001: password %TGB6yhn7ujm; password authentication.
- Client002: RSA authentication; public key RsaKey001 assigned to Client002.
- IP address of the SSH server: 10.10.1.1

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
Step 2 Create an SSH user on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA, and all.
- When the SSH user adopts the password, password-DSA, or password-RSA authentication mode, configure a local user with the same name.
- When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode, the server must store the RSA or DSA public key of the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
- Create SSH user Client001.
# Create an SSH user named client001 with password authentication.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set %TGB6yhn7ujm as the password of SSH user client001.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
- Create SSH user Client002.
# Create an SSH user named client002 with RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the client's RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
    D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
    9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
    1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
    BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001
[client]
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of the SSH client to SSH user Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: Client001 and Client002. The password authentication mode is configured for Client001 and the RSA authentication mode is configured for Client002.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 7 Connect the SFTP clients to the SSH server.
# For the first login, enable first-time authentication on the SSH clients.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable
# Connect SFTP client Client001 to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.10.1.1.
Please wait...
Enter password:
sftp-client>
# Connect SFTP client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1.
Please wait...
sftp-client>
Step 8 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session commands. The outputs show that the SFTP service is enabled and that the SFTP clients are connected to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
 SSH version                        : 1.99
 SSH connection timeout             : 60 seconds
 SSH server key generating interval : 0 hours
 SSH Authentication retries         : 3 times
 SFTP server                        : Enable
 Stelnet server                     : Disable
# Display the connections of the SSH server.
[SSH Server] display ssh server session
 Session 1:
   Conn                : VTY 3
   Version             : 2.0
   State               : started
   Username            : client001
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group1-sha1
   Service Type        : sftp
   Authentication Type : password
 Session 2:
   Conn                : VTY 4
   Version             : 2.0
   State               : started
   Username            : client002
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group1-sha1
   Service Type        : sftp
   Authentication Type : rsa
# Display information about the SSH users.
[SSH Server] display ssh user-information
 User 1:
   User Name            : client001
   Authentication-type  : password
   User-public-key-name :
   Sftp-directory       : cfcard:
   Service-type         : sftp
   Authorization-cmd    : No
 User 2:
   User Name            : client002
   Authentication-type  : rsa
   User-public-key-name : RsaKey001
   Sftp-directory       : cfcard:
   Service-type         : sftp
   Authorization-cmd    : No
----End

Configuration Files
- SSH server configuration file
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
   0240
     C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
     A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
   0203
     010001
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %$%$f/{P1yh<T$"_sQ6#>~86_Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory cfcard:
ssh user client002 sftp-directory cfcard:
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
Return
- Configuration file of Client001 on the SSH client
#
 sysname client001
#
interface GigabitEthernet1/0/1
 ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return
- Configuration file of Client002 on the SSH client
#
 sysname client002
#
interface GigabitEthernet1/0/1
 ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.8.11 Example for Using SFTP (DSA Authentication Mode) to Log In to the SSH Server
This section provides an example of using SFTP to log in to the Secure Shell (SSH) server. In this example, local key pairs are generated on the SFTP client and on the SSH server, and the client's Digital Signature Algorithm (DSA) public key is configured on the SSH server and bound to the SFTP client. These configurations establish a connection between the SFTP client and the SSH server.

Networking Requirements
In Figure 8-19, after the SFTP service is enabled on the SSH server, the SFTP client can log in to the SSH server in any of the following authentication modes: password, Rivest-Shamir-Adleman (RSA), password-RSA, Digital Signature Algorithm (DSA), password-DSA, and all. In this example, the Huawei router functions as the SSH server. Two users, client001 and client002, are configured to log in to the SSH server in password authentication mode and DSA authentication mode, respectively.

Figure 8-19 Networking diagram for using SFTP to access files on other devices (SSH Server GE1/0/1 10.10.1.1/16; Client 001 GE1/0/1 10.10.2.2/16; Client 002 GE1/0/1 10.10.3.3/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local DSA key pair on client002 and on the SSH server, and bind client002 to the SSH client's DSA public key. These configurations let the server authenticate the client when it attempts to log in.
3. Enable the SFTP service on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use client001 and client002 to log in to the SSH server, and then use SFTP to access files on the server.

Data Preparation
To complete the configuration, you need the following data:
- Client001 with the password %TGB6yhn7ujm and authentication mode password
- Client002 with the public key DsaKey001 and authentication mode DSA
- Directory to which SSH users are allowed access: cfcard
- SSH server IP address: 10.10.1.1

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Warning: Do you want to replace it ?[Y/N]: y
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
Step 2 Create SSH users on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA, and all.
- When the SSH user adopts the password, password-DSA, or password-RSA authentication mode, configure a local user with the same name.
- When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode, the server must store the RSA or DSA public key of the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] user privilege level 3
[SSH Server-ui-vty0-4] quit
- Create SSH user Client001.
# Create SSH user client001 and set the authentication mode to password.
[SSH Server] ssh user client001
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client001 authentication-type password
# Set client001's password to %TGB6yhn7ujm.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 level 15
[SSH Server-aaa] quit
- Create SSH user Client002.
# Create SSH user client002 and set the authentication mode to DSA.
[SSH Server] ssh user client002
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client002 authentication-type dsa
Step 3 Configure the client's DSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 19:05:37 2012/7/12
Key name    : client002_Host_DSA
Key modulus : 2048
Key type    : DSA encryption Key
=====================================================
Key code:
3081DC
  0240
    AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
    A34004C1 B37824BB D3160595 702901CD 53F0EAE0
    6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
    87C63485
  0214
    94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
  0240
    91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
    7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
    0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
    C986329F
  0240
    A40A1B4E 7176FF2C 72052269 15A538DA F085C88C
    51475F29 CC3D1E63 83FB4193 93AFE905 65FDA2C7
    D8A1B55A 15ECC7F7 A0D78921 BDF53C84 7CCBF47B
    E5FC773C
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCkChtOcXb/LHIFImkV
pTja8IXIjFFHXynMPR5jg/tBk5Ov6QVl/aLH2KG1WhXsx/eg14khvfU8hHzL9Hvl
/Hc8
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biCkyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCkChtOcXb/LHIFImkVpTja8IXIjFFHXynMPR5jg/tBk5Ov6QVl/aLH2KG1WhXsx/eg14khvfU8hHzL9Hvl/Hc8 dsa-key
# Send the DSA public key generated on the client to the server.
[SSH Server] dsa peer-public-key DsaKey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 3081DC
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
[SSH Server-dsa-key-code] A34004C1 B37824BB D3160595 702901CD 53F0EAE0
[SSH Server-dsa-key-code] 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
[SSH Server-dsa-key-code] 87C63485
[SSH Server-dsa-key-code] 0214
[SSH Server-dsa-key-code] 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
[SSH Server-dsa-key-code] 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
[SSH Server-dsa-key-code] 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
[SSH Server-dsa-key-code] C986329F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02
[SSH Server-dsa-key-code] 9023CCF9 0C82B474 2A9D8445 5004779F 18853E9F
[SSH Server-dsa-key-code] 0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1
[SSH Server-dsa-key-code] B442C340
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
[SSH Server]
Step 4 Bind client002 to the SSH client's DSA public key.
[SSH Server] ssh user client002 assign dsa-key DsaKey001
Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode and client002 in DSA authentication mode.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 7 Connect the SFTP clients to the SSH server.
# At the first login, enable first-time authentication on the SSH clients.
Enable first-time authentication on client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on client002.
[client002] ssh client first-time enable
# Connect client001 to the SSH server in password authentication mode.
[client001] sftp 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1.
Please wait...
Enter password:
sftp-client>
# Connect client002 to the SSH server in DSA authentication mode.
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1.
Please wait...
sftp-client>
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server session commands. The command outputs show that the SFTP service is enabled and that the SFTP clients have logged in to the SSH server.
# View the SSH status.
[SSH Server] display ssh server status
 SSH version                        :1.99
 SSH connection timeout             :60 seconds
 SSH server key generating interval :0 hours
 SSH authentication retries         :3 times
 SFTP server                        :Enable
 Stelnet server                     :Disable
 SSH server source                  :0.0.0.0
# View the connections of the SSH server.
[SSH Server] display ssh server session
 Session 1:
   Conn                : VTY 0
   Version             : 2.0
   State               : started
   Username            : client002
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   CTOS Compress       : none
   STOC Compress       : none
   Kex                 : diffie-hellman-group1-sha1
   Public Key          : rsa
   Service Type        : sftp
   Authentication Type : dsa
 Session 2:
   Conn                : VTY 1
   Version             : 2.0
   State               : started
   Username            : client001
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   CTOS Compress       : none
   STOC Compress       : none
   Kex                 : diffie-hellman-group1-sha1
   Public Key          : rsa
   Service Type        : sftp
   Authentication Type : password
# View information about the SSH users.
[SSH Server] display ssh user-information
 User 1:
   User Name            : client001
   Authentication-type  : password
   User-public-key-name :
   User-public-key-type :
   Sftp-directory       : cfcard:
   Service-type         : sftp
   Authorization-cmd    : No
 User 2:
   User Name            : client002
   Authentication-type  : dsa
   User-public-key-name : DsaKey001
   User-public-key-type : dsa
   Sftp-directory       : cfcard:
   Service-type         : sftp
   Authorization-cmd    : No
----End

Configuration Files
- SSH server configuration file
#
 sysname SSH Server
#
dsa peer-public-key DsaKey001 encoding-type der
 public-key-code begin
 3081DC
   0240
     AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595
     702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
   0214
     94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
   0240
     91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
     AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
   0240
     77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02 9023CCF9 0C82B474 2A9D8445
     5004779F 18853E9F 0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1 B442C340
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %$%$f/{P1yh<T$"_sQ6#>~86_Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
 local-user client001 service-type ssh
 local-user client001 level 15
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory cfcard:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key DsaKey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory cfcard:
#
return
- Client001 configuration file
#
 sysname client001
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return
- Client002 configuration file
#
 sysname client002
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.8.12 Example for Configuring Access to the SFTP Server on the Public Network When the Management VPN Instance Is Used
This section provides an example for configuring access to the SFTP server on the public network when the management VPN instance is used. In this example, after you generate local key pairs on the SFTP client and the SSH server, configure the client's Rivest-Shamir-Adleman (RSA) public key on the SSH server, and bind the RSA public key to the client, you can connect the SFTP client to the SFTP server on the public network through the management VPN instance.

Networking Requirements
As shown in Figure 8-20, a management VPN instance is configured for Client001 and Client002, and users access the FTP server through this VPN instance. To enable the clients to access the SFTP server on the public network, connect the router to the SFTP server on the public network. The Huawei router functions as the SSH server. Two users, Client001 and Client002, are configured to log in to the SSH server in the password and RSA authentication modes, respectively.
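The Key code hex printed by display rsa local-key-pair public (8.8.10) and display dsa local-key-pair public (8.8.11) is the DER encoding of the public key. The following Python script is an added example, not Huawei code: it decodes that hex, rebuilds the OpenSSH authorized_keys line the router also prints, and reports the key size so that a key below the RSA-2048 threshold given in the NOTICE at the front of this guide can be rejected before it is bound to an SSH user. The two sample key codes are copied from the page's own command output; the function names and the 2048-bit minimum are our own.

```python
"""Decode the NE80E/40E 'Key code' hex into an OpenSSH public-key line.

Added example, not Huawei code.  The two sample key codes below are copied
from the 'display rsa/dsa local-key-pair public' output in 8.8.10 and 8.8.11;
function names and the 2048-bit minimum are our own choices.
"""
import base64
import struct

# RSA client002_Host key code from 8.8.10 (sample input copied from the page).
RSA_KEY_CODE = """
3047 0240 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2
F7CB674E 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B 0203 010001
"""
# DSA client002_Host_DSA key code from 8.8.11 (sample input copied from the page).
DSA_KEY_CODE = """
3081DC 0240 AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB
D3160595 702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485 0214 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F 0240 91FF0F2C
91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D
335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F 0240 A40A1B4E
7176FF2C 72052269 15A538DA F085C88C 51475F29 CC3D1E63 83FB4193 93AFE905
65FDA2C7 D8A1B55A 15ECC7F7 A0D78921 BDF53C84 7CCBF47B E5FC773C
"""


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x81 nn, 0x82 nn nn, ...
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(hex_text):
    """Return the INTEGERs of the outer SEQUENCE: [n, e] for RSA, [p, q, g, y] for DSA."""
    buf = bytes.fromhex("".join(hex_text.split()))
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("key code is not a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("unexpected DER tag 0x%02x" % tag)
        # The router omits the leading 0x00 that DER requires when the top bit
        # is set, so every INTEGER is read as an unsigned big-endian number.
        ints.append(int.from_bytes(value, "big"))
    return ints


def _mpint(x):
    """SSH mpint (RFC 4251): 4-byte length, big-endian, 0x00 pad if the top bit is set."""
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(b):
    """SSH string: 4-byte length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def to_openssh(key_type, ints, comment):
    """Build the authorized_keys line ('ssh-rsa ...' / 'ssh-dss ...') the router prints."""
    if key_type == "rsa":
        n, e = ints
        name, blob = b"ssh-rsa", _mpint(e) + _mpint(n)      # wire order is e, then n
    elif key_type == "dsa":
        p, q, g, y = ints
        name, blob = b"ssh-dss", b"".join(_mpint(v) for v in (p, q, g, y))
    else:
        raise ValueError(key_type)
    b64 = base64.b64encode(_string(name) + blob).decode()
    return "%s %s %s" % (name.decode(), b64, comment)


def audit_key(key_type, hex_text, minimum_bits=2048):
    """Report the size (RSA modulus n, DSA prime p) and whether it meets minimum_bits."""
    ints = parse_key_code(hex_text)
    bits = ints[0].bit_length()
    return {"type": key_type, "bits": bits, "acceptable": bits >= minimum_bits}


if __name__ == "__main__":
    for kind, code, comment in (("rsa", RSA_KEY_CODE, "rsa-key"),
                                ("dsa", DSA_KEY_CODE, "dsa-key")):
        print(audit_key(kind, code))
        print(to_openssh(kind, parse_key_code(code), comment))
```

Run against the page's own key codes, the RSA line reproduces the ssh-rsa string printed in 8.8.10 exactly, and both keys are reported as 512-bit, well under the threshold.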
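The algorithms negotiated in the display ssh server session output of 8.8.10 and 8.8.11 (diffie-hellman-group1-sha1, aes128-cbc, hmac-sha1-96) are all legacy choices: the 1024-bit group1 exchange relies on SHA-1 and a small MODP group, CBC-mode ciphers in SSH have known plaintext-recovery weaknesses, and the -96 MACs carry truncated tags. The Python script below is an added example, not Huawei code: it parses that session listing and reports every session that negotiated one of them. The sample output is constructed from Step 8 of 8.8.10, and the weak-algorithm table is our own.

```python
"""Flag legacy algorithms in 'display ssh server session' output.

Added example, not Huawei code.  SAMPLE_OUTPUT is constructed from the
Step 8 output in 8.8.10; the WEAK table reflects our own choices.
"""
import re

SAMPLE_OUTPUT = """\
 Session 1:
   Conn                : VTY 3
   Version             : 2.0
   State               : started
   Username            : client001
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group1-sha1
   Service Type        : sftp
   Authentication Type : password
 Session 2:
   Conn                : VTY 4
   Version             : 2.0
   State               : started
   Username            : client002
   Retry               : 1
   CTOS Cipher         : aes128-cbc
   STOC Cipher         : aes128-cbc
   CTOS Hmac           : hmac-sha1-96
   STOC Hmac           : hmac-sha1-96
   Kex                 : diffie-hellman-group1-sha1
   Service Type        : sftp
   Authentication Type : rsa
"""

# Legacy algorithm families, keyed by the last word of the field name
# ('CTOS Cipher' -> 'Cipher', 'Kex' -> 'Kex').  Our own list.
WEAK = {
    "Kex": {"diffie-hellman-group1-sha1": "1024-bit MODP group with SHA-1",
            "diffie-hellman-group-exchange-sha1": "SHA-1 based key exchange"},
    "Cipher": {"aes128-cbc": "CBC mode", "aes192-cbc": "CBC mode",
               "aes256-cbc": "CBC mode", "3des-cbc": "3DES in CBC mode",
               "des-cbc": "DES", "arcfour": "RC4"},
    "Hmac": {"hmac-sha1-96": "96-bit truncated SHA-1 tag", "hmac-md5": "MD5",
             "hmac-md5-96": "96-bit truncated MD5 tag"},
}

SESSION_RE = re.compile(r"^\s*Session\s+(\d+):")
FIELD_RE = re.compile(r"^\s*(\S.*?)\s*:\s*(.*?)\s*$")


def parse_sessions(text):
    """Turn the session listing into a list of dicts, one per 'Session N:' block."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"Session": int(m.group(1))})
            continue
        m = FIELD_RE.match(line)
        if m and sessions:
            sessions[-1][m.group(1)] = m.group(2)
    return sessions


def audit_sessions(sessions):
    """Return one finding per session field whose negotiated algorithm is in WEAK."""
    findings = []
    for s in sessions:
        for field, value in s.items():
            family = field.split()[-1]
            reason = WEAK.get(family, {}).get(value)
            if reason:
                findings.append({"session": s["Session"], "user": s.get("Username"),
                                 "field": field, "algorithm": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print("session %(session)s (%(user)s): %(field)s = %(algorithm)s, %(reason)s" % f)
```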
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to the SSH server.

Figure 8-20 Networking diagram for configuring access to the SFTP server on the public network when the management VPN instance is used (SSH Server GE1/0/1 10.10.1.1/16; Client 001 GE1/0/1 10.10.2.2/16; Client 002 GE1/0/1 10.10.3.3/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on SFTP client Client002 and on the SSH server, and bind Client002 to an RSA key so that the server can authenticate the client when it attempts to log in.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH users.
5. Configure Client001 and Client002 to log in to the SSH server on the public network through SFTP.

Data Preparation
To complete the configuration, you need the following data:
- Client001 with the password %TGB6yhn7ujm and authentication mode password
- Client002 with the public key RsaKey001 and authentication mode RSA
- IP address of the SSH server: 10.10.1.1

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
Step 2 Create an SSH user on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA, and all.
- When the SSH user adopts the password, password-DSA, or password-RSA authentication mode, configure a local user with the same name.
- When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode, the server must store the RSA or DSA public key of the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
- Create SSH user Client001.
# Create an SSH user named client001 with password authentication.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set %TGB6yhn7ujm as the password of SSH user client001.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
- Create SSH user Client002.
# Create an SSH user named client002 with RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB D2797280
4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74 9B2AF4CB 69FA6483
E87DA590 7B47721A 16391E27 1C76ABAB 743C568B 1B35EC7A
8572A096 BCA9DF0E BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of the SSH client to SSH user Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: Client001 and Client002. Client001 uses password authentication and Client002 uses RSA authentication.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 7 Connect the SFTP clients to the SSH server.
# At the first login, enable first-time authentication on the SSH client.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable
# Connect SFTP client Client001 to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.10.1.1 public-net
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
Enter password:
sftp-client>
# Connect SFTP client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.10.1.1 public-net
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
sftp-client>
Step 8 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session commands. The output shows that the SFTP service is enabled and that the SFTP clients are connected to the SSH server.
# Display the SSH server status.
[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Disable
# Display the sessions of the SSH server.
[SSH Server] display ssh server session
Session 1:
 Conn : VTY 3
 Version : 2.0
 State : started
 Username : client001
 Retry : 1
 CTOS Cipher : aes128-cbc
 STOC Cipher : aes128-cbc
 CTOS Hmac : hmac-sha1-96
 STOC Hmac : hmac-sha1-96
 Kex : diffie-hellman-group1-sha1
 Service Type : sftp
 Authentication Type : password
Session 2:
 Conn : VTY 4
 Version : 2.0
 State : started
 Username : client002
 Retry : 1
 CTOS Cipher : aes128-cbc
 STOC Cipher : aes128-cbc
 CTOS Hmac : hmac-sha1-96
 STOC Hmac : hmac-sha1-96
 Kex : diffie-hellman-group1-sha1
 Service Type : sftp
 Authentication Type : rsa
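The "Key code" that Step 3 pastes into the rsa peer-public-key view is the DER encoding of the client's RSA public key (a SEQUENCE of the modulus and the public exponent), and the "ssh-rsa AAAA..." line printed below it is the same key in OpenSSH wire format. The following Python is an added example, not part of this guide or of the router software: it decodes the client002_Host key code shown in Step 3, rebuilds the OpenSSH line from it so the two forms can be compared before the key is bound to a user, and reports the modulus size against the 2048-bit minimum the notice at the start of this guide recommends. The key code string is the page's value; the fingerprint helper and the 2048-bit threshold are this example's own choices.

```python
"""Decode a Huawei 'Key code' RSA dump and express it in OpenSSH form.
Added example; not part of the Huawei configuration guide."""
import base64
import hashlib
import struct

# Key code of client002_Host exactly as displayed in Step 3 (page value).
CLIENT002_HOST_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""


def _der_length(buf, pos):
    """Read a DER length (short or long form) at buf[pos]; return (length, next_pos)."""
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return length, pos


def _der_int(buf, pos):
    """Parse one DER INTEGER at buf[pos]; return (value, next_pos)."""
    if buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length


def parse_key_code(key_code):
    """Return (n, e) from the hex dump, a DER RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    raw = bytes.fromhex("".join(key_code.split()))
    if raw[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, pos = _der_length(raw, 1)
    n, pos = _der_int(raw, pos)
    e, _ = _der_int(raw, pos)
    return n, e


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    data = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if data[0] & 0x80:                     # mpint is two's complement: pad when the top bit is set
        data = b"\x00" + data
    return _ssh_string(data)


def ssh_blob(n, e):
    """OpenSSH public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_openssh(n, e, comment="rsa-key"):
    return "ssh-rsa %s %s" % (base64.b64encode(ssh_blob(n, e)).decode(), comment)


def fingerprint_sha256(n, e):
    digest = hashlib.sha256(ssh_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_key_code(key_code, minimum_bits=2048):
    """Summarise a key code: size, exponent, OpenSSH line, fingerprint, and a size verdict."""
    n, e = parse_key_code(key_code)
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "openssh": to_openssh(n, e),
        "fingerprint": fingerprint_sha256(n, e),
        "meets_minimum": n.bit_length() >= minimum_bits,
    }


if __name__ == "__main__":
    for field, value in audit_key_code(CLIENT002_HOST_KEY_CODE).items():
        print("%-14s %s" % (field, value))
```

The OpenSSH line produced from the key code is byte-for-byte the one the router prints under "Public key code for pasting into OpenSSH authorized_keys file", which confirms that the hex pasted into the server is the key the client displayed; the 0240 length byte marks a 64-byte (512-bit) modulus, so the verdict is that this sample key is below the recommended size.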
# Display information about the SSH users.
[SSH Server] display ssh user-information
User 1:
 User Name : client001
 Authentication-type : password
 User-public-key-name :
 Sftp-directory : cfcard:
 Service-type : sftp
 Authorization-cmd : No
User 2:
 User Name : client002
 Authentication-type : rsa
 User-public-key-name : RsaKey001
 Sftp-directory : cfcard:
 Service-type : sftp
 Authorization-cmd : No
----End

Configuration Files
- SSH server configuration file
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
 0240
 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
 A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
 0203
 010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %$%$f/{P1yh<T$"_sQ6#>~86_Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
 sftp server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type sftp
 ssh user client002 service-type sftp
 ssh user client001 sftp-directory cfcard:.
 ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
- Client001 configuration file
#
 sysname client001
#
interface GigabitEthernet1/0/1
 ip address 10.10.2.2 255.255.0.0
#
 ssh client first-time enable
#
return
- Client002 configuration file
#
 sysname client002
#
interface GigabitEthernet1/0/1
 ip address 10.10.3.3 255.255.0.0
#
 ssh client first-time enable
#
return

8.8.13 Example for Accessing the SSH Server Through Other Ports
This section provides an example for accessing the SSH server through another port number. In this example, the listening port of the SSH server is set to a port number other than the standard one so that only valid users can set up connections with the SSH server.

Networking Requirements
The standard listening port of the SSH protocol is 22. Frequent malicious access to the standard port consumes bandwidth and degrades the performance of the server, so that other users cannot access the standard port. After the SSH server is configured to listen on another port number, an attacker who does not know the new port keeps sending socket connection requests to the standard port 22. When the SSH server detects that the port number in a connection request is not its listening port, it does not set up the socket connection. Therefore, only a valid user can set up the socket connection through the non-standard listening port configured on the SSH server, and only a valid user can negotiate the SSH version number, negotiate the algorithms, generate the session key, authenticate the server, send a session request, and perform the interactive session.
The router functions as an SSH server. Client001 is configured to log in to the SSH server through STelnet in password authentication mode, and Client002 is configured to log in to the SSH server through SFTP in RSA authentication mode.
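Moving the listening port keeps connection attempts aimed at port 22 away from the server, but it is not an authentication step: anyone who learns the port still reaches the version and algorithm negotiation, and the session is only as strong as the negotiated algorithms and the user credentials behind it. The Python below is an added example, not part of this guide or of the router software. It parses the display ssh server status and display ssh server session output shown in the verification steps of this example and of 8.8.12, reports the listening port, and flags settings a reviewer would question: SSH 1.x compatibility (a "1.99" version string, per RFC 4253), a server key that is never regenerated, and SHA-1 or CBC-based algorithms in the spirit of the algorithm notice at the start of this guide. The sample text is constructed from the page's output; the weak-algorithm policy, the reading of "0 hours" as "no periodic key update", and the function names are this example's own.

```python
"""Audit 'display ssh server status' and 'display ssh server session' output.
Added example, not from the Huawei guide; the samples are constructed from
the outputs shown in the verification steps of 8.8.12 and 8.8.13."""
import re

# Constructed sample: status output with the non-standard port of 8.8.13.
STATUS_SAMPLE = """\
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025
"""

# Constructed sample: the two sessions shown in 8.8.13.
SESSION_SAMPLE = """\
Session 1:
 Conn : VTY 3
 Version : 2.0
 State : started
 Username : client001
 Retry : 1
 CTOS Cipher : aes128-cbc
 STOC Cipher : aes128-cbc
 CTOS Hmac : hmac-sha1-96
 STOC Hmac : hmac-sha1-96
 Kex : diffie-hellman-group1-sha1
 Service Type : stelnet
 Authentication Type : password
Session 2:
 Conn : VTY 4
 Version : 2.0
 State : started
 Username : client002
 Retry : 1
 CTOS Cipher : aes128-cbc
 STOC Cipher : aes128-cbc
 CTOS Hmac : hmac-sha1-96
 STOC Hmac : hmac-sha1-96
 Kex : diffie-hellman-group1-sha1
 Service Type : sftp
 Authentication Type : rsa
"""

# Hypothetical review policy for this example: CBC-mode or DES-family ciphers,
# SHA-1/MD5 MACs, and the 1024-bit group1 or SHA-1 key exchanges.
WEAK = {
    "cipher": re.compile(r"-cbc$|^3?des|^arcfour", re.I),
    "hmac": re.compile(r"sha1|md5", re.I),
    "kex": re.compile(r"group1-|sha1$", re.I),
}
ALGO_FIELDS = [("CTOS Cipher", "cipher"), ("STOC Cipher", "cipher"),
               ("CTOS Hmac", "hmac"), ("STOC Hmac", "hmac"), ("Kex", "kex")]


def parse_status(text):
    """'Key : value' lines into a dict; keys keep the router's wording."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            status[key.strip()] = value.strip()
    return status


def parse_sessions(text):
    """Split 'Session N:' blocks into a list of dicts."""
    sessions, current = [], None
    for line in text.splitlines():
        head = re.match(r"\s*Session\s+(\d+):", line)
        if head:
            current = {"Session": int(head.group(1))}
            sessions.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return sessions


def audit_status(status):
    """Return the listening port plus findings about server-wide settings."""
    findings = []
    port = int(status.get("SSH server port", "22"))   # no port line means the default, 22
    if status.get("SSH version") == "1.99":
        # RFC 4253 5.1: "1.99" advertises compatibility with SSH 1.x clients as well as 2.0.
        findings.append("server advertises SSH 1.x compatibility (version 1.99)")
    if status.get("SSH server key generating interval", "").startswith("0 "):
        # Assumption about VRP semantics: 0 hours means the server key is never regenerated.
        findings.append("server key generating interval is 0 hours (no periodic key update)")
    return {"port": port, "findings": findings}


def audit_session(session):
    """List the negotiated algorithms of one session that the policy classes as weak."""
    return ["%s=%s" % (field, session[field])
            for field, kind in ALGO_FIELDS
            if field in session and WEAK[kind].search(session[field])]


def audit(status_text, session_text):
    """Combine both command outputs into one report keyed by user name."""
    server = audit_status(parse_status(status_text))
    return {
        "port": server["port"],
        "server_findings": server["findings"],
        "sessions": {s["Username"]: audit_session(s) for s in parse_sessions(session_text)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(STATUS_SAMPLE, SESSION_SAMPLE), indent=1))
```

Run against the page's output the report names port 1025 and lists every negotiated algorithm of both sessions, because aes128-cbc, hmac-sha1-96 and diffie-hellman-group1-sha1 all fall under the policy; a session that had negotiated a CTR cipher and a group14/SHA-256 key exchange would produce no findings.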
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to the SSH server.

Figure 8-21 Networking diagram for accessing the SSH server through other port numbers
[Figure: SSH Server GE1/0/1 10.10.1.1/16; Client001 GE1/0/1 10.10.2.2/16; Client002 GE1/0/1 10.10.3.3/16]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on SSH client Client002 and on the SSH server, and bind Client002 to an RSA key so that the server can authenticate the client when it attempts to log in.
3. Enable the STelnet and SFTP services on the SSH server.
4. Configure the service mode and authorization directory for the SSH users.
5. Configure the listening port number of the SSH server so that clients can access the server through another port number.
6. Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.

Data Preparation
To complete the configuration, you need the following data:
- Client001 with the password Huawei-123 and authentication mode password
- Client002 with the public key RsaKey001 and authentication mode RSA
- IP address of the SSH server: 10.10.1.1
- Number of the port monitored by the SSH server: 1025

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure the RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB D2797280
4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74 9B2AF4CB 69FA6483
E87DA590 7B47721A 16391E27 1C76ABAB 743C568B 1B35EC7A
8572A096 BCA9DF0E BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 3 Create an SSH user on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA, and all.
- When the SSH user adopts the password, password-DSA, or password-RSA authentication mode, configure a local user with the same name.
- When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode, the server must store the RSA or DSA public key of the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
- Create SSH user Client001.
# Create an SSH user named client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set Huawei-123 as the password of SSH user Client001.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password Huawei-123
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
# Configure the service type of Client001 as STelnet.
[SSH Server] ssh user client001 service-type stelnet
- Create SSH user Client002.
# Create an SSH user named client002 with RSA authentication, and bind it to the RSA public key of the SSH client.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh user client002 assign rsa-key RsaKey001
# Configure the service type of Client002 as SFTP and set the authorization directory.
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 4 Enable the STelnet service and the SFTP service on the SSH server.
# Enable the STelnet service and the SFTP service.
[SSH Server] stelnet server enable
[SSH Server] sftp server enable
Step 5 Configure a new listening port number for the SSH server.
[SSH Server] ssh server port 1025
Step 6 Connect the clients to the SSH server.
# At the first login, enable first-time authentication on the SSH client.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable
# Connect the STelnet client to the SSH server through the new port number.
[client001] stelnet 10.10.1.1 1025
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated.
Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password Huawei-123. The following is displayed:
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
<SSH Server>
# Connect the SFTP client to the SSH server through the new port number.
[client002] sftp 10.10.1.1 1025
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>
Step 7 Verify the configuration.
A connection attempt to the SSH server through the standard port 22 fails:
[client002] sftp 10.10.1.1
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.
After the configuration, run the display ssh server status and display ssh server session commands. The output shows the port number the SSH server listens on and that the STelnet client and the SFTP client are connected to the SSH server.
# Display the SSH server status.
[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025
# Display the sessions of the SSH server.
[SSH Server] display ssh server session
Session 1:
 Conn : VTY 3
 Version : 2.0
 State : started
 Username : client001
 Retry : 1
 CTOS Cipher : aes128-cbc
 STOC Cipher : aes128-cbc
 CTOS Hmac : hmac-sha1-96
 STOC Hmac : hmac-sha1-96
 Kex : diffie-hellman-group1-sha1
 Service Type : stelnet
 Authentication Type : password
Session 2:
 Conn : VTY 4
 Version : 2.0
 State : started
 Username : client002
 Retry : 1
 CTOS Cipher : aes128-cbc
 STOC Cipher : aes128-cbc
 CTOS Hmac : hmac-sha1-96
 STOC Hmac : hmac-sha1-96
 Kex : diffie-hellman-group1-sha1
 Service Type : sftp
 Authentication Type : rsa
----End

Configuration Files
- SSH server configuration file
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
 0240
 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
 A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
 0203
 010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %$%$f/{P1yh<T$"_sQ6#>~86_Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
 sftp server enable
 stelnet server enable
 ssh server port 1025
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type RSA
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type stelnet
 ssh user client002 service-type sftp
 ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
- Client001 configuration file
#
 sysname client001
#
interface GigabitEthernet1/0/1
 ip address 10.10.2.2 255.255.0.0
#
 ssh client first-time enable
#
return
- Client002 configuration file
#
 sysname client002
#
interface GigabitEthernet1/0/1
 ip address 10.10.3.3 255.255.0.0
#
 ssh client first-time enable
#
return

9 Clock Synchronization Configuration

About This Chapter
Clock synchronization is used to keep differences in clock frequency and network element phases within a tolerable range. Effective clock synchronization improves the transmission performance of a network.
9.1 Introduction to Clock Synchronization Configuration
Clock synchronization ensures that digital pulse signals are sent and received in a specific timeslot.
9.2 Setting Basic Clock Synchronization Configurations
This section describes how to set basic configurations for clock synchronization.
9.3 Configuring an External BITS Clock Source
You can run commands on the router to configure the device to trace different types of external BITS clock sources.
9.4 Configuring a Clock Reference Source Manually or Forcibly
This section describes how to manually or forcibly configure a clock reference source.
9.5 Configuring Clock Protection Switching Based on SSM Levels
The higher a clock's SSM level, the more accurate it is. By default, a clock board uses the most accurate clock source available.
9.6 Configuring Clock Protection Switching Based on Priorities
If clock sources are configured with different priorities, the clock source with the second highest priority takes effect immediately after the clock source with the highest priority fails.
9.7 Configuring Ethernet Clock Synchronization
Ethernet clock synchronization implements clock synchronization among devices on an IP bearer network.
9.8 Configuration Examples of Clock Synchronization
This section provides examples for configuring clock protection switching and for configuring Ethernet clock synchronization.

9.1 Introduction to Clock Synchronization Configuration
Clock synchronization ensures that digital pulse signals are sent and received in a specific timeslot.

9.1.1 Overview of Clock Synchronization Configuration
Definition
Synchronization must be maintained on Data Communications Networks (DCNs). The sending end places a pulse in a specified timeslot at the end of the digital pulse signal. The receiving end extracts the pulse from the specified timeslot, which guarantees normal communication between the sending and receiving ends. A clock ensures that signals are sent in a certain timeslot and then received and extracted from that timeslot.
Purpose
Clock synchronization is used to keep differences in clock frequency and network element phases on a digital network within a specific range. If the differences exceed the specified range, bit errors and jitter occur and transmission performance is degraded.

9.1.2 Clock Synchronization Supported by the NE80E/40E
Clock Transmission
Clock signals can be transmitted on Ethernet, Asynchronous Transfer Mode (ATM), and Synchronous Digital Hierarchy (SDH) networks.
Tracing BITS Clock
For a Building Integrated Timing Supply System (BITS) clock source, the clock module extracts Synchronization Status Messages (SSMs) from 2.048 Mbit/s stream signals, or uses a preset SSM level for 2.048 MHz clock signals.
Stratum-3 Clock Source
The device that provides clock signals for the local device is called the clock source. The local device may have multiple clock sources; these include BITS0, BITS1, BITS2, and PTP.

9.2 Setting Basic Clock Synchronization Configurations
This section describes how to set basic configurations for clock synchronization.

9.2.1 Before You Start
Applicable Environment
Before configuring clock synchronization, you must set basic configurations.
Pre-configuration Tasks
None.
Data Preparation
None.

9.2.2 Setting Basic Configurations for Clock Synchronization
Context
Perform the following steps on every router on the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ethernet-synchronization enable
The Ethernet clock synchronization function is enabled.
Step 3 Run:
clock source { bits0 | bits1 | bits2 | ptp } synchronization enable [ slot slot-id ]
The clock synchronization function is enabled for the specified clock source.
Step 4 Run:
interface interface-type interface-number
or
controller { e1 | cpos } controller-number
The interface view is displayed.
Step 5 Run:
clock synchronization enable
The clock synchronization function is enabled on the port.
Step 6 Run:
quit
You return to the system view from the interface view.
Step 7 (Optional) Run:
clock ssm-control { on | off }
SSM control is enabled or disabled. By default, SSM control is enabled.
Step 8 (Optional) Run:
clock run-mode
The running mode of the Ethernet Equipment Clock (EEC) is set. By default, an EEC works in normal mode.
Step 9 (Optional) Run:
clock switch { revertive | non-revertive }
The recovery mode of the clock is configured. By default, a clock is revertive.
Step 10 (Optional) Run:
clock wtr
The Wait to Restore (WTR) time is configured. By default, the WTR time is five minutes.
Step 11 (Optional) Run:
clock source-lost holdoff-time
The holdoff time applied when the timing signal becomes invalid is set. By default, the holdoff time is 1000 ms.
Step 12 (Optional) Run:
clock max-out-ssm
The maximum output SSM level of the interface clock source is configured.
Step 13 (Optional) Run:
clock freq-deviation-detect enable
Clock frequency offset detection is enabled. By default, clock frequency offset detection is disabled.
----End

9.2.3 Checking the Configuration
Procedure
- Run:
display clock config
Check whether the basic configurations for clock synchronization have taken effect.
- Run:
display clock source freq-deviation
Check the frequency deviation values of the clock sources.
NOTE
You can view the frequency deviation values of clock sources only after you enable Ethernet clock synchronization and frequency deviation detection.
----End
Example
Run the display clock config command to view the clock configuration.
For example:
<HUAWEI> display clock config
ethernet synchronization :enable
clock freq deviation detect:enable
clock unk map :ssub
system pll run mode :normal
sys pll max out SSM :ssua
2msync-1 pll max out SSM :prc
2msync-2 pll max out SSM :prc
bits output threshold :dnu
tod protocol :nmea
switch config
sys pll :auto mode
2msync-1 pll :auto mode
2msync-2 pll :auto mode
SSM control :on
Extend SSM control :off
internal clockid :0
switch mode :revertive
wtr :0min
holdoff time :1200ms
Run the display clock source freq-deviation command to view the frequency deviation values of the clock sources. For example:
<HUAWEI> display clock source freq-deviation
Source Freq-deviation-value
----------------------------------------------------------
* bits0/4 0.26ppm(normal)
bits0/5 ---
GE1/0/0 0.31ppm(normal)
GE1/1/1 ---

9.3 Configuring an External BITS Clock Source
You can run commands on the router to configure the device to trace different types of external BITS clock sources.

9.3.1 Before You Start
Before configuring the router to trace an external BITS clock source, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
Applicable Environment
On a synchronous Ethernet network, if the site where the router is located has a BITS clock, the router must be set to trace the BITS clock. The router then serves as the primary clock that provides the clock source for the entire synchronous Ethernet network.
There are four types of BITS clock signals: 2.048 MHz, 2.048 Mbit/s, 1 pps, and DCLS. You can use commands to specify the type of the external BITS clock source on the clock board.
Pre-configuration Tasks
None.
Data Preparation
None.

9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock
Context
Do as follows on all routers on the clock synchronization network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock bits output-threshold
The lower threshold (lowest quality level) of the clock signals output by the BITS clock is configured.
----End

9.3.3 Configuring an External Clock Source and Its Signal Type on the Router
The router supports four signal types: 2mhz, 2mbps, dcls, and 1pps.
Context
Do as follows on each router on the clock synchronization network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock bits-type
An external BITS clock source and its signal type are configured. For information about clock source IDs and signal types, refer to the HUAWEI NetEngine80E/40E Router - Command Reference.
Step 3 Run:
clock tod protocol { ubx | nmea | ccsa }
The protocol that packets carrying Time of Day (TOD) information comply with is configured.
----End

9.3.4 Checking the Configuration
Context
Run the following commands to check the previous configuration.
Procedure
- Run the display clock source command to check the status and attributes of the clock reference source.
- Run the display clock config command to check the configuration information of the clock reference source.
----End

9.4 Configuring a Clock Reference Source Manually or Forcibly
This section describes how to manually or forcibly configure a clock reference source.
9.4.1 Before You Start
Applicable Environment
Manually configuring the clock reference source and forcibly configuring the clock reference source differ in the following aspects:
- The clock reference source cannot be configured manually in the following situations:
  – The clock reference source is not enabled with the clock synchronization enable command.
  – The clock reference source is in the Abnormal state.
  – The quality level of the clock reference source is not the highest level or is QL-DNU.
- The clock reference source cannot be forcibly configured in the following situations:
  – The clock reference source is not enabled with the clock synchronization enable command.
  – The clock reference source is in the Abnormal state.
  – The QL of the clock reference source is QL-DNU.
  – The clock is operating in hold mode.
You can use command lines to switch the mode for configuring the clock reference source from manual to forcible.
The clock reference source should be specified on the master clock, as shown in Figure 9-1. On Router A, the external clock interface bits0 on the master clock board is connected to BITS0, a reference clock source. The external clock interface bits0 on the slave clock board is connected to BITS1, another reference clock source. The output clock signals of BITS0 and BITS1 are the same. Router A is manually or forcibly configured to trace the clock signal input through bits0. In normal situations, Router A traces the BITS0 clock reference source. If the master clock board fails, a clock board switchover is performed, after which Router A traces the BITS1 clock reference source.
Figure 9-1 Diagram of manually configuring the clock reference source (figure labels: BITS0, BITS1, CLK-IN, ETH, Router A, Router B, Router C)

Pre-configuration Tasks

Before you manually configure the clock reference source, configure an external clock reference source and its signal type on the device.

Data Preparation

None.

9.4.2 Configuring a Clock Reference Source

Context

Do as follows on all routers on the clock synchronization network.

Procedure

- Manually configure a clock reference source.
  1. Run:
     system-view
     The system view is displayed.
  2. (Optional) Run:
     clock clear [ 2msync-1 | 2msync-2 ]
     Forcible specification of a clock reference source is cancelled. If forcible specification of a clock reference source has been configured, run the clock clear command to cancel the configuration before you configure manual specification of a clock reference source.
  3. Run:
     clock manual source { bits0 | bits1 | ptp | interface interface-type interface-number }
     A clock reference source is manually configured.
- Forcibly configure a clock reference source.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     clock force { 2msync-1 | 2msync-2 } source interface interface-type interface-number
     or
     clock force source { bits0 | bits1 | bits2 | ptp | interface interface-type interface-number } slot slot-id
     A clock reference source is forcibly configured.

----End

9.4.3 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

Step 1 Run:
display clock { config | source }

View the information about the clock source attributes.

----End
9.5 Configuring Clock Protection Switching Based on SSM Levels

The higher a clock's SSM level, the more accurate it is. By default, a clock board uses the most accurate clock source available.

9.5.1 Before You Start

Applicable Environment

Synchronous Ethernet signals can be used to carry SSM messages. The system then selects one clock source based on the SSM levels of all the available clock sources. If clock sources are configured with SSM levels, the configured SSM levels are used; if clock sources are not configured with SSM levels, the SSM levels carried in the SSM messages are extracted for use.

The SSM levels, in descending order, are Primary Reference Clock (PRC), primary level SSU (SSU-A), second level SSU (SSU-B), SDH Equipment Clock (SEC), Do Not Use for synchronization (DNU), and UNK. If the SSM level of a clock source is DNU and SSM is enabled, the clock source is not selected during protection switchover.

The BITS clock has two types of signal. When the BITS clock signal is 2.048 Mbit/s, the clock board extracts the SSM from the signal. When the BITS clock signal is 2.048 MHz, set the SSM level manually.

Pre-configuration Tasks

Before configuring protection switchover of clock sources based on SSM levels, complete the following task:

- Configuring an external clock reference source and its signal type on the device.

Data Preparation

To configure protection switchover of clock sources based on SSM levels, you need the SSM levels of the clock sources.

9.5.2 Configuring the Router to Automatically Select Clock Sources

Context

Do as follows on all routers in the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
clock clear [ 2msync-1 | 2msync-2 ]

The router is configured to automatically select clock sources.

NOTE
If the clock sources are manually or forcibly specified, you need to run the clock clear command to enable the system to automatically select clock sources. By default, the router automatically selects clock sources.

Step 3 Run:
clock run-mode normal

The Ethernet Equipment Clock (EEC) is configured to work in normal mode. By default, the EEC works in normal mode.

----End

9.5.3 Enabling SSM

SSM must be enabled for the system to perform clock protection switching based on SSM levels.

Context

Do as follows on every router on the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock ssm-control on

SSM is enabled.

----End

9.5.4 Configuring the SSM Level of the Clock Reference Source

Context

Do as follows on the routers that are connected to external clock sources:

Procedure

- Configuring the SSM level of the clock reference source
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     clock source { bits0 | bits1 | bits2 | ptp } ssm { prc | ssua | ssub | sec | dnu | unk }
     The SSM level of the external clock reference source is configured.
- Configuring the SSM level of the clock reference source on the interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     or
     controller { e1 | cpos } controller-number
     The interface view is displayed.
  3. Run:
     clock ssm { dnu | prc | sec | ssua | ssub | unk }
     The SSM level of the clock reference source on the interface is configured.
----End

9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs

Context

Do as follows on the routers that are connected to external BITS clock sources:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source { bits0 | bits1 | bits2 } [ slot slot-id ]

The specified timeslot of the 2.048 Mbit/s BITS clock signal is set to carry SSMs.

----End

9.5.6 Setting the Modes of Extracting SSM Levels

Context

SSM levels can be configured in one of the following modes:

- Forcibly configuring an SSM level
- Extracting the SSM level from the interface

By default, the SSM level is extracted from the interface. If the SSM level is forcibly set, the forcibly-set SSM level takes effect.

Do as follows on all routers in the clock synchronization network:

Procedure

- Forcibly configure the SSM levels of the clock reference sources.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     clock source { bits0 | bits1 | bits2 | ptp } ssm { dnu | prc | sec | ssua | ssub | unk } [ slot slot-id ]
     The SSM level of the clock reference source is configured.
     NOTE
     Repeat Step 2 to configure SSM levels for multiple clock reference sources.
     To forcibly configure the SSM level of a clock reference source on the interface, you can first enter the corresponding interface view and run the clock ssm { dnu | prc | sec | ssua | ssub | unk } [ slot slot-id ] command. This achieves the same effect as Step 2.
- Extract the SSM level of the clock reference source from the interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     undo clock source { bits0 | bits1 | bits2 | ptp } ssm [ slot slot-id ]
     Forcible configuration of the SSM level of a clock reference source is disabled.
     To extract the SSM level of a clock reference source from the interface, you can first enter the corresponding interface view and run the undo clock ssm command. This achieves the same effect as Step 2.
     NOTE
     The current version only supports extracting the SSM level of a clock reference source from the Ethernet interface, GigabitEthernet interface, and CE1 interface. To extract the SSM level of a clock reference source from the CE1 interface, you need to configure the frame format as crc4.

----End

9.5.7 (Optional) Configuring the Extended SSM

Clock protection ensures that every device on a network can still trace a correct clock source when faults occur on the network.

Context

When a reference clock on a network fails, clock protection enables every device on the network to trace a new reference clock. The basic rules for clock protection are as follows:

- After priorities of clock sources are configured, a device selects the clock source of the highest quality for clock synchronization, and transmits the Synchronous Status Message Byte (SSMB) to the downstream devices.
- If there are multiple clock sources of the same quality, the device selects the clock source with the highest priority and transmits the SSMB to the downstream devices.
- If device B traces the clock output by device A, device B sends the DNU (an SSM level) to device A.
- If the extended SSM protocol is enabled, a device does not select the clock source whose clock ID is the same as its own, or the clock source whose clock ID is 0.

Do as follows on every device on the network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock extend-ssm-control on

The extended SSM protocol is enabled.

Step 3 Configure the clock ID for the clock source.
  1. Run:
     clock source { bits0 | bits1 | ptp } clock-id clock-id slot slot-id
     The clock ID of a BITS clock source or the PTP clock source is configured.
  2. Run:
     clock source internal clock-id clock-id
     The clock ID of the internal clock source is configured.
  3. Run:
     interface interface-type interface-number
     The interface view is displayed.
     Run:
     clock source internal clock-id clock-id
     The clock ID of a link clock source is configured.

----End

9.5.8 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

- Run:
  display clock { config | source }
  View the information about the clock source attributes.

----End

9.6 Configuring Clock Protection Switching Based on Priorities

If clock sources are configured with different priorities, the clock source with the second highest priority takes effect immediately after the clock source with the highest priority fails.

9.6.1 Establishing the Configuration Task

Applicable Environment

When you configure protection switchover of clock sources based on priorities, you need to run the clock ssm-control off command to disable SSM.

When there are multiple clock sources, you can set different priorities for them. Normally, the clock uses the clock source with the highest priority. When the clock source with the highest priority is faulty, the clock uses the clock source with the second highest priority.

By default, the priority of a clock reference source is not set, which indicates that this clock reference source does not participate in clock source selection.

Pre-configuration Tasks

Before configuring protection switchover of clock sources based on priorities, complete the following task:

- Configuring an external clock reference source and its signal type on the device.
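The selection rules of 9.5.1 and 9.5.7 (quality first, priority as tie-breaker, DNU and extended-SSM clock-ID exclusions, DNU sent back to the traced neighbour) and the priority-only rule of 9.6.1 and 9.6.3 fit in one small model, which is useful for predicting what a router will trace after a failure before checking it with display clock source. The following Python is an added example written for this page, not Huawei code. It assumes a lower priority value wins (priority 1 is the current source in Table 9-1), that the extended-SSM clock-ID check applies only while SSM is enabled, that an unset priority keeps a source out of selection, and that a device with nothing to trace advertises DNU; the ClockSource fields are an assumed data model.

```python
"""Model of the clock-source selection rules in 9.5.1, 9.5.7, 9.6.1 and 9.6.3.

Added example, not Huawei code. Assumptions: a lower priority value wins;
the extended-SSM clock-ID check only applies while SSM is enabled; an unset
priority keeps a source out of selection; a device with nothing usable to
trace advertises DNU downstream.
"""
from dataclasses import dataclass
from typing import List, Optional

# SSM quality levels in descending order (9.5.1); index 0 is the best.
SSM_ORDER = ["prc", "ssua", "ssub", "sec", "dnu", "unk"]


@dataclass
class ClockSource:
    name: str                 # e.g. "bits0" or "GigabitEthernet1/0/0"
    ssm: str                  # SSM level in use: configured or extracted (9.5.6)
    priority: Optional[int]   # None = priority not set -> not a candidate (9.6.1)
    state: str = "normal"     # "normal" or "abnormal"
    clock_id: int = 0         # clock ID carried by extended SSM; 0 = unknown


def quality_rank(ssm: str) -> int:
    """Lower is better; anything not in SSM_ORDER ranks below 'unk'."""
    ssm = ssm.lower()
    return SSM_ORDER.index(ssm) if ssm in SSM_ORDER else len(SSM_ORDER)


def select_clock_source(sources: List[ClockSource], ssm_enabled: bool = True,
                        extended_ssm: bool = False, own_clock_id: int = 0
                        ) -> Optional[ClockSource]:
    """Return the source the device would trace, or None if none is usable."""
    candidates = []
    for s in sources:
        if s.state != "normal":
            continue  # an Abnormal source is never traced
        if s.priority is None:
            continue  # no priority: does not take part in selection (9.6.1)
        if ssm_enabled and s.ssm.lower() == "dnu":
            continue  # DNU is skipped during protection switching (9.5.1)
        if ssm_enabled and extended_ssm and s.clock_id in (0, own_clock_id):
            continue  # extended SSM: own clock ID or ID 0 is rejected (9.5.7)
        candidates.append(s)
    if not candidates:
        return None
    if ssm_enabled:
        # Highest quality first; equal quality -> highest priority (9.5.7).
        return min(candidates, key=lambda s: (quality_rank(s.ssm), s.priority))
    # SSM disabled: priority alone decides (9.6.3).
    return min(candidates, key=lambda s: s.priority)


def outgoing_ssm(traced: Optional[ClockSource], neighbour: str) -> str:
    """SSM level advertised towards `neighbour` (third rule in 9.5.7)."""
    if traced is None:
        return "dnu"  # assumption: nothing usable to offer downstream
    if traced.name == neighbour:
        return "dnu"  # tell the traced upstream not to trace us back
    return traced.ssm.lower()


if __name__ == "__main__":
    # Router A of 9.8.1: bits0 (prc, priority 1), GE1/0/0 (dnu in, priority 2),
    # GE2/0/0 without a priority.  Constructed from Table 9-1 and Step 4 output.
    routers_a_sources = [
        ClockSource("bits0", "prc", 1),
        ClockSource("GigabitEthernet1/0/0", "dnu", 2),
        ClockSource("GigabitEthernet2/0/0", "dnu", None),
    ]
    chosen = select_clock_source(routers_a_sources)
    print("tracing:", chosen.name if chosen else "none")
    for s in routers_a_sources:
        print(f"  Out-SSM towards {s.name}: {outgoing_ssm(chosen, s.name)}")
```

Run against the Router A data of 9.8.1, the model reproduces the Step 4 output (bits0 traced, Out-SSM dnu towards bits0 and prc towards the GE interfaces); marking bits0 abnormal and raising the GE1/0/0 input level to ssua reproduces the Step 6 switchover.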
Data Preparation

To configure protection switchover of clock sources based on priorities, you need the priorities of the different clock sources.

9.6.2 Configuring the Router to Automatically Select Clock Sources

Context

Perform the following steps on all routers in the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock clear [ 2msync-1 | 2msync-2 ]

The router is configured to automatically select clock sources.

NOTE
If the clock sources are manually or forcibly specified, you need to run the clock clear [ 2msync-1 | 2msync-2 ] command to enable the system to automatically select clock sources. By default, the router automatically selects clock sources.

Step 3 Run:
clock run-mode normal

The Ethernet Equipment Clock (EEC) is set to work in normal mode. By default, the EEC works in normal mode.

----End

9.6.3 Disabling SSM

Context

Do as follows on all routers in the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock ssm-control off

SSM is disabled.

NOTE
When SSM is disabled, the router selects a clock source based on priorities.

----End

9.6.4 Setting Priorities of Clock Reference Sources

Context

Do as follows on all routers in the clock synchronization network.

Procedure

- Setting priorities for the clock reference sources BITS and 1588
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     clock source { bits0 | bits1 [ slot slot-id ] | bits2 | ptp } priority priority-value
     Priorities are set for the clock reference sources BITS and 1588.
     – Repeat the preceding step to configure priorities for multiple clock reference sources.
     – You can set the same priority for multiple clock reference sources. The clock reference source is selected according to the priority. In the case of the same priority, the clock reference source is selected based on the type of the clock reference source and the port number.
- Setting the priority of a clock reference source on the interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     or
     controller { e1 | cpos } controller-number
     The interface view is displayed.
  3. Run:
     clock [ 2msync-1 | 2msync-2 ] priority priority-value
     The priority of the clock reference source on the interface is set.

----End

9.6.5 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

Step 1 Run:
display clock { config | source }

View the information about the clock source attributes.

----End

9.7 Configuring Ethernet Clock Synchronization

Ethernet clock synchronization implements clock synchronization among devices on an IP bearer network.

9.7.1 Before You Start

Applicable Environment

As shown in Figure 9-2, IP and Ethernet technology is adopted on the IP bearer network between the Radio Network Controller (RNC) and the Base Transceiver Station (BTS) in wireless service applications. The clock signals sent by the devices on the bearer network are passed through Ethernet clock synchronization to the data communication devices that connect to the BTS.
Ethernet clock synchronization can ensure reliable quality of clock transmission.

Figure 9-2 Networking diagram of applying Ethernet clock synchronization (figure labels: BTS, RNC, BITS, Router A, Router B, Router C, FE and GE links)

Pre-configuration Tasks

Before configuring Ethernet clock synchronization, complete the following tasks:

- Configuring the parameters of the link layer protocols and assigning IP addresses to the interfaces so that the link layer protocol status of the interfaces is Up.
- Configuring a static route or an Interior Gateway Protocol (IGP) so that there is a reachable IP route between the nodes.

Data Preparation

To configure Ethernet clock synchronization, you need the following data:

- Slot number, sub-card number, and port number of the Ethernet clock source

9.7.2 Enabling Ethernet Clock Synchronization

Context

NOTE
Ethernet clock signals can be transmitted only after Ethernet clock synchronization is enabled on all the routers in an IP bearer network.

Do as follows on all routers in the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock ethernet-synchronization enable

Ethernet clock synchronization is enabled.

----End

9.7.3 Configuring the Ethernet Clock Source

Context

Perform the following steps on all routers in the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number
or
controller { e1 | cpos } controller-number

The interface view is displayed.
Step 3 Run:
clock synchronization enable

The Ethernet clock synchronization function is enabled.

Step 4 (Optional) Run:
set negotiation-mode slave

By default, the clock on a GE electrical interface works in auto-negotiation mode at the physical layer. When you deploy synchronous Ethernet and you want a GE electrical interface to work as the tracking clock source or candidate clock source on the device, the clock of the GE electrical interface must work in slave mode at the physical layer. The working mode can be displayed using the display negotiation-mode command. Run the set negotiation-mode slave command only on the GE electrical interface, not on the connected interface.

NOTE
The set negotiation-mode slave command takes effect only when the connected interfaces meet the following conditions:
- GE electrical interfaces
- Rate of 1 Gbit/s
- In auto-negotiation mode
- Not in loopback mode

After you run the set negotiation-mode slave or undo set negotiation-mode slave command to change the working mode of the clock of an interface at the physical layer, the interface resets and renegotiates the working mode of its clock with the connected interface.
- If the set negotiation-mode slave command is configured on one interface but not on the connected interface, the clock of the interface works in slave mode, and the clock of the connected interface works in master mode at the physical layer.
- If the set negotiation-mode slave command is configured on both connected interfaces or on neither of them, the interfaces automatically negotiate the working mode of their clocks at the physical layer, and the negotiation result is indefinite.

Step 5 Run:
clock [ 2msync-1 | 2msync-2 ] priority priority-value

The priority of the clock reference source is configured.
Step 6 Run:
clock ssm { dnu | prc | sec | ssua | ssub | unk }

The SSM level of the clock source is configured.

----End

9.7.4 Checking the Configuration

Context

Run the following commands to check the previous configuration.

Procedure

- Run:
  display clock { config | source }
  View information about the attributes of the clock source.
- Run:
  display clock source freq-deviation
  Check the frequency deviation values of clock sources.
  NOTE
  You can view the frequency deviation values of clock sources only after you enable Ethernet clock synchronization and frequency deviation detection.
- Run:
  display negotiation-mode
  Check the working mode of the clock on an interface at the physical layer.

----End

Example

Run the display clock config command. You can view the configuration information of the clock. For example:

<HUAWEI> display clock config
ethernet synchronization    :enable
clock freq deviation detect :enable
clock unk map               :ssub
system pll run mode         :normal
sys pll max out SSM         :ssua
2msync-1 pll max out SSM    :prc
2msync-2 pll max out SSM    :prc
bits output threshold       :dnu
tod protocol                :nmea
switch config
sys pll                     :auto mode
2msync-1 pll                :auto mode
2msync-2 pll                :auto mode
SSM control                 :on
Extend SSM control          :off
internal clockid            :0
switch mode                 :revertive
wtr                         :0min
holdoff time                :1200ms

Run the display clock source freq-deviation command. You can view the frequency deviation values of clock sources.
For example:

<HUAWEI> display clock source freq-deviation
Source                 Freq-deviation-value
----------------------------------------------------------
* bits0/4              0.26ppm(normal)
  bits0/5              ---
  GE1/0/0              0.31ppm(normal)
  GE1/1/1              ---

For a GE electrical interface, run the display negotiation-mode command to view the working mode of the clock on the interface at the physical layer.

<HUAWEI> system-view
[HUAWEI] interface gigabitEthernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] display negotiation-mode
Negotiation result is:master

9.8 Configuration Examples of Clock Synchronization

This section provides examples for configuring clock protection switching and for configuring Ethernet clock synchronization.

Follow-up Procedure

NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.

9.8.1 Example for Configuring Protection Switchover of Clock Sources

Networking Requirements

As shown in Figure 9-3, there are two BITS clock sources on the network, and the master BITS clock source is used to synchronize the clock of the entire network. If the NEs cannot trace the clock signal from the master BITS clock source, they switch to tracing the clock signal from the slave BITS clock source. As shown in Figure 9-3, Router A to Router F trace the clock signal from BITS0. The figure shows the direction of clock tracing in normal situations.
Figure 9-3 Networking diagram of configuring clock source tracing (figure labels: BITS 0, BITS 1, Router A to Router F; GE1/0/0 and GE2/0/0 interfaces marked W/E with addresses 10.1.1.1, 10.1.1.2, 20.1.1.1, 20.1.1.2, 30.1.1.1, 30.1.1.2, 40.1.1.1, 40.1.1.2, 50.1.1.1)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the external BITS clock signal types of Router A and Router D.
2. Configure the priorities of all clock sources for the routers.

Data Preparation

To complete the configuration, you need the following data:

Table 9-1 Clock sources of all routers and their priorities

Router    Current Clock Source   Available Clock Sources   Priority
Router A  BITS0                  BITS0                     1
Router A  BITS0                  GE1/0/0                   2
Router A  BITS0                  Internal clock            3
Router B  GE1/0/0                GE1/0/0                   1
Router B  GE1/0/0                GE2/0/0                   2
Router B  GE1/0/0                Internal clock            3
Router C  GE2/0/0                GE2/0/0                   1
Router C  GE2/0/0                GE1/0/0                   2
Router C  GE2/0/0                Internal clock            3
Router D  GE1/0/0                GE1/0/0                   1
Router D  GE1/0/0                BITS1                     2
Router D  GE1/0/0                Internal clock            3
Router E  GE1/0/0                GE1/0/0                   1
Router E  GE1/0/0                GE2/0/0                   2
Router E  GE1/0/0                Internal clock            3
Router F  GE2/0/0                GE2/0/0                   1
Router F  GE2/0/0                GE1/0/0                   2
Router F  GE2/0/0                Internal clock            3

Procedure

Step 1 Connect the routers and the BITS clock sources as shown in Figure 9-3.

Step 2 Configure the IP addresses of the interfaces. The details are not mentioned here.

Step 3 Set the priorities of all clock sources for the routers as shown in Figure 9-3.
# Configure Router A
<RouterA> system-view
[RouterA] clock ethernet-synchronization enable
[RouterA] clock source bits0 synchronization enable
[RouterA] clock source bits0 ssm prc
[RouterA] clock source bits0 priority 1
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] clock synchronization enable
[RouterA-GigabitEthernet1/0/0] clock priority 2
[RouterA-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterA-GigabitEthernet2/0/0] clock synchronization enable

# Configure Router B
<RouterB> system-view
[RouterB] clock ethernet-synchronization enable
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] clock synchronization enable
[RouterB-GigabitEthernet1/0/0] clock priority 1
[RouterB-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterB-GigabitEthernet2/0/0] clock synchronization enable
[RouterB-GigabitEthernet2/0/0] clock priority 2

# Configure Router C
<RouterC> system-view
[RouterC] clock ethernet-synchronization enable
[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] clock synchronization enable
[RouterC-GigabitEthernet1/0/0] clock priority 2
[RouterC-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterC-GigabitEthernet2/0/0] clock synchronization enable
[RouterC-GigabitEthernet2/0/0] clock priority 1

# Configure Router D
<RouterD> system-view
[RouterD] clock ethernet-synchronization enable
[RouterD] clock source bits1 synchronization enable
[RouterD] clock source bits1 ssm ssua
[RouterD] clock source bits1 priority 2
[RouterD] interface GigabitEthernet 1/0/0
[RouterD-GigabitEthernet1/0/0] clock synchronization enable
[RouterD-GigabitEthernet1/0/0] clock priority 1
[RouterD-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterD-GigabitEthernet2/0/0] clock synchronization enable

# Configure Router E
<RouterE> system-view
[RouterE] clock ethernet-synchronization enable
[RouterE] interface GigabitEthernet 1/0/0
[RouterE-GigabitEthernet1/0/0] clock synchronization enable
[RouterE-GigabitEthernet1/0/0] clock priority 1
[RouterE-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterE-GigabitEthernet2/0/0] clock synchronization enable
[RouterE-GigabitEthernet2/0/0] clock priority 2

# Configure Router F
<RouterF> system-view
[RouterF] clock ethernet-synchronization enable
[RouterF] interface GigabitEthernet 1/0/0
[RouterF-GigabitEthernet1/0/0] clock synchronization enable
[RouterF-GigabitEthernet1/0/0] clock priority 2
[RouterF-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterF-GigabitEthernet2/0/0] clock synchronization enable
[RouterF-GigabitEthernet2/0/0] clock priority 1

Step 4 Check the clock source attributes of Router A.

<RouterA> display clock source
System trace source State: lock mode into pull-in range
Current system trace source: bits0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Frequency lock success: yes
Master board
source                  Pri(sys/2m-1/2m-2)   In-SSM   Out-SSM   State
--------------------------------------------------------------------------
bits0                   1  /---/---          prc      dnu       normal
GigabitEthernet1/0/0    2  /---/---          dnu      prc       normal
GigabitEthernet2/0/0    ---/---/---          dnu      prc       normal
Slave board
source                  In-SSM   Out-SSM   State
--------------------------------------------------------------------------
bits0                   prc      dnu       normal

Step 5 Check the clock source attributes of the other routers.

# The displayed information about Router B, Router C, Router D, Router E, and Router F is similar. The following uses Router B as an example.
<RouterB> display clock source
System trace source State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Frequency lock success: yes
Master board
source                  State    Pri(sys/2m-1/2m-2)   In-SSM   Out-SSM
--------------------------------------------------------------------------
GigabitEthernet1/0/0    normal   1  /---/---          prc      dnu
GigabitEthernet2/0/0    normal   2  /---/---          dnu      prc
Slave board
source                  In-SSM   Out-SSM   State
--------------------------------------------------------------------------

Step 6 Verify the configuration.

When the master BITS clock source fails, all NEs trace the clock signal from the slave BITS clock source. The following takes Router A as an example.

# Run the following command on Router A.
<RouterA> display clock source
System trace source State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Frequency lock success: yes
Master board
source                  Pri(sys/2m-1/2m-2)   In-SSM   Out-SSM   State
--------------------------------------------------------------------------
bits0                   1  /---/---          prc      ssua      abnormal
GigabitEthernet1/0/0    2  /---/---          ssua     dnu       normal
GigabitEthernet2/0/0    ---/---/---          ssua     ssua      normal
Slave board
source                  In-SSM   Out-SSM   State
--------------------------------------------------------------------------
bits0                   prc      ssua      abnormal

# After the connection between the BITS clock source and Router A is closed, all routers perform clock source tracing switchover. Figure 9-4 shows the clock source tracing after the connection between the BITS clock source and Router A is closed.
Figure 9-4 Networking diagram of the clock source tracing after the connection between the BITS clock source and Router A is closed (figure labels: Router A to Router F with E/W link ends, BITS 1)

----End

Configuration Files

- Router A Configuration Files
#
 sysname RouterA
#
clock ethernet-synchronization enable
clock source bits0 priority 1
clock source bits0 ssm prc
clock source bits0 synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock synchronization enable
#
return

- Router B Configuration Files
#
 sysname RouterB
#
clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
return

- Router C Configuration Files
#
 sysname RouterC
#
clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
return

- Router D Configuration Files
#
 sysname RouterD
#
clock ethernet-synchronization enable
clock source bits1 priority 2
clock source bits1 ssm ssua
clock source bits1 synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock synchronization enable
#
return

- Router E Configuration Files
#
 sysname RouterE
#
clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
return

- Router F Configuration Files
#
 sysname RouterF
#
clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock priority 1
 clock synchronization enable
#
return
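The verification in Steps 4 to 6 of this example is done by reading display clock source by eye. On a network where the clock reference matters, an operator will want the same check done automatically so that an unexpected switchover (the traced source changing, a source going Abnormal, or the traced quality dropping) is reported, and the display clock source freq-deviation output of 9.7.4 can be checked against a tolerance in the same pass. The following Python is an added example written for this page, not Huawei code. The two sample outputs are constructed after the guide's 9.7.4 and 9.8.1 Step 6 outputs; the "Master board" and "Slave board" section lines, the column order, the expected source name and the 1 ppm limit are assumptions.

```python
"""Audit 'display clock source' (9.8.1, Steps 4 to 6) and
'display clock source freq-deviation' (9.7.4) output for unexpected changes.

Added example, not Huawei code. The sample outputs are constructed after the
guide's examples; the board section lines, column order, expected-source name
and the 1 ppm limit are assumptions.
"""
import re
from typing import Dict, List, Optional

SSM_ORDER = ["prc", "ssua", "ssub", "sec", "dnu", "unk"]  # best to worst (9.5.1)

# Constructed after Router A's output in 9.8.1 Step 6 (after BITS0 failed).
CLOCK_SOURCE_AFTER_FAILURE = """\
System trace source State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Frequency lock success: yes
Master board
source                  Pri(sys/2m-1/2m-2)   In-SSM   Out-SSM   State
----------------------------------------------------------------------
bits0                   1  /---/---          prc      ssua      abnormal
GigabitEthernet1/0/0    2  /---/---          ssua     dnu       normal
GigabitEthernet2/0/0    ---/---/---          ssua     ssua      normal
Slave board
source                  In-SSM   Out-SSM   State
----------------------------------------------------------------------
bits0                   prc      ssua      abnormal
"""

# Constructed after the 9.7.4 example; '---' means no value is available.
FREQ_DEVIATION = """\
Source                 Freq-deviation-value
----------------------------------------------------------
* bits0/4              0.26ppm(normal)
  bits0/5              ---
  GE1/0/0              1.31ppm(normal)
  GE1/1/1              ---
"""


def ssm_rank(level: str) -> int:
    """Lower is better; an unknown level ranks below 'unk'."""
    return SSM_ORDER.index(level) if level in SSM_ORDER else len(SSM_ORDER)


def parse_clock_source(text: str) -> Dict:
    """Extract the traced source, the lock flag and the per-board source rows."""
    info = {"trace_source": None, "locked": None, "master": {}, "slave": {}}
    board = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Current system trace source:"):
            info["trace_source"] = line.split(":", 1)[1].strip()
        elif line.startswith("Frequency lock success:"):
            info["locked"] = line.split(":", 1)[1].strip() == "yes"
        elif line == "Master board":
            board = "master"
        elif line == "Slave board":
            board = "slave"
        elif board and line and not line.startswith(("source", "---")):
            f = line.split()
            # On both boards the last three columns are In-SSM, Out-SSM, State.
            info[board][f[0]] = {"in_ssm": f[-3], "out_ssm": f[-2], "state": f[-1]}
    return info


def parse_freq_deviation(text: str) -> List[Dict]:
    """Rows of {source, current, ppm}; '*' marks the traced source, '---' -> ppm None."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Source", "---")):
            continue
        fields = line.lstrip("* ").split()
        m = re.match(r"([-+]?\d+(?:\.\d+)?)ppm", fields[1])
        rows.append({"source": fields[0], "current": line.startswith("*"),
                     "ppm": float(m.group(1)) if m else None})
    return rows


def audit(info: Dict, expected_source: str, min_ssm: str = "ssua",
          freq_rows: Optional[List[Dict]] = None, limit_ppm: float = 1.0) -> List[str]:
    """Return findings as strings; an empty list means the clock state is as expected."""
    findings = []
    if info["trace_source"] != expected_source:
        findings.append(f"trace source is {info['trace_source']}, expected {expected_source}")
    if info["locked"] is False:
        findings.append("frequency not locked")
    for board in ("master", "slave"):
        for name, row in info[board].items():
            if row["state"] != "normal":
                findings.append(f"{name} on {board} board is {row['state']}")
    traced = info["master"].get(info["trace_source"])
    if traced and ssm_rank(traced["in_ssm"]) > ssm_rank(min_ssm):
        findings.append(f"traced source quality {traced['in_ssm']} is below {min_ssm}")
    for row in freq_rows or []:
        if row["ppm"] is not None and abs(row["ppm"]) > limit_ppm:
            findings.append(f"{row['source']} deviation {row['ppm']}ppm exceeds {limit_ppm}ppm")
    return findings


if __name__ == "__main__":
    state = parse_clock_source(CLOCK_SOURCE_AFTER_FAILURE)
    for finding in audit(state, "bits0", freq_rows=parse_freq_deviation(FREQ_DEVIATION)):
        print("FINDING:", finding)
```

Feeding the Step 6 output with "bits0" as the expected source reports the switchover to GigabitEthernet1/0/0 and the Abnormal bits0 entries on both boards; feeding the Step 4 output reports nothing, which is the baseline an operator would poll against.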
10 1588v2 Configuration

About This Chapter

By configuring IEEE 1588v2, you can enable devices in the IP RAN scenario to implement time synchronization and clock synchronization.

Context

NOTE
1588v2 is under GTL control. 1588v2 can be enabled on the NE80E/40E only after a valid GTL file is loaded and activated.

10.1 Overview of 1588v2
IEEE 1588, defined by the Institute of Electrical and Electronics Engineers (IEEE), is the standard for the Precision Clock Synchronization Protocol for Networked Measurement and Control Systems (PTP). As a time synchronization protocol, 1588v2 is used to implement high-precision time synchronization between devices. In addition, 1588v2 can be used to implement clock synchronization between devices.

10.2 Configuring 1588v2 on OC
An ordinary clock (OC) has only one 1588v2 clock interface (a clock interface enabled with 1588v2), through which the OC synchronizes with an upstream node or distributes time signals to downstream nodes.

10.3 Configuring 1588v2 on BC
A boundary clock (BC) has multiple 1588v2 clock interfaces, one of which is used to synchronize with an upstream node. The other interfaces are used to distribute time signals to downstream nodes.

10.4 Configuring 1588v2 on TC
Unlike the BC and OC, a transparent clock (TC) does not need to be synchronized with other clocks. A TC has multiple 1588v2 interfaces through which 1588v2 messages are forwarded, and it corrects the message forwarding delay on each interface. The TC is not synchronized with other clocks through any of these interfaces.

10.5 Configuring 1588v2 on TCandBC
A TCandBC can function as both a TC and a BC. It has several physical interfaces to communicate with the 1588v2 network. Some interfaces are of the TC type and the others are of the BC type. The domain value of a BC interface must be the one configured in the system view; the domain value of a TC interface must be configured in the interface view.

10.6 Configuring the 1588v2 Time Source
This section describes how to configure a 1588v2 clock source, including how to obtain the standard synchronous time from a BITS device through a clock interface without using 1588v2, and how to use 1588v2 to advertise that time to downstream nodes through the other two interfaces.

10.7 Configuring 1588 ACR
In one 1588 ACR domain, a client initiates a request for negotiation and exchanges Layer 3 unicast packets with the server to set up a connection. The client then exchanges 1588v2 packets with the server over the connection to restore clock information.

10.8 Maintaining 1588v2
This section describes how to maintain 1588v2, including clearing 1588v2 statistics and monitoring the operating status of 1588v2.

10.9 1588 ACR Maintenance
This section describes how to maintain 1588 ACR, including how to clear 1588 ACR statistics.

10.10 Configuration Examples
This section provides several configuration examples of 1588v2.

10.1 Overview of 1588v2

IEEE 1588, defined by the Institute of Electrical and Electronics Engineers (IEEE), is the standard for the Precision Clock Synchronization Protocol for Networked Measurement and Control Systems (PTP). As a time synchronization protocol, 1588v2 is used to implement high-precision time synchronization between devices. In addition, 1588v2 can be used to implement clock synchronization between devices.
10.1.1 Introduction

This part helps you understand the concept of clock synchronization and the background, basic concepts, and application scenarios of 1588v2.

Definition of Synchronization

On a modern communications network, the proper functioning of most telecommunications services requires that the frequency offset or time difference between devices be kept within a reasonable range. This is the network's requirement for clock synchronization. Network clock synchronization consists of time synchronization and frequency synchronization.
• Frequency synchronization
  Frequency synchronization, namely clock synchronization, refers to a strict relationship between signals based on a constant frequency offset or phase offset, in which signals are sent or received at the same average rate over a time interval. In this manner, all devices in the communications network operate at the same rate. The phase difference between signals is a constant value.
• Time synchronization
  Time synchronization, namely phase synchronization, refers to consistency of both frequency and phase between signals. The phase offset between signals is always 0.

Figure 10-1 Schematic diagram of time synchronization and frequency synchronization (figure not reproduced; it compares Watch A and Watch B under phase synchronization and under frequency synchronization)

Figure 10-1 shows the difference between time synchronization and frequency synchronization. In time synchronization, Watch A and Watch B always show the same time. In frequency synchronization, Watch A and Watch B show different times, but the difference between the two watches is a constant value, for example, six hours. Phase synchronization is also called time synchronization; frequency synchronization is also known as clock synchronization.
Background

With the evolution towards IP networks, devices on the wireless bearer network require highly accurate clock synchronization. To achieve clock synchronization between base stations in an IP RAN, you need to ensure that the clock frequencies of the base stations stay within a certain precision of each other; otherwise, call dropping occurs during handoff. In certain wireless communications systems, phase synchronization is required in addition to frequency synchronization. Table 10-1 shows the different requirements for network clock synchronization.

Table 10-1 Different requirements for network clock synchronization in wireless communications

Wireless Communications System   Clock Frequency Accuracy   Clock Phase Synchronization Requirement
GSM                              0.05 ppm                   N/A
WCDMA                            0.05 ppm                   N/A
TD-SCDMA                         0.05 ppm                   3 us
CDMA2000                         0.05 ppm                   3 us
WiMax FDD                        0.05 ppm                   N/A
WiMax TDD                        0.05 ppm                   1 us
LTE                              0.05 ppm                   In favor of phase synchronization

Clock synchronization on base stations of different standards is implemented using various methods, such as physical clocks (the building integrated timing supply system (BITS) clock, WAN clock, or synchronous Ethernet clock) and clocks recovered by exchanging packets (Communication Engineering Standard Adaptive Clock Recovery (CES ACR)/Data Clock Recovery (DCR), and the 1588v2 clock). Base stations usually access the global positioning system (GPS) directly to meet the requirement for time synchronization. Packet-based time synchronization cannot meet the requirement of base stations. Time synchronization reaches sub-second precision with the Network Time Protocol (NTP) and sub-millisecond precision with 1588v1. With hardware assistance, 1588v2 provides the sub-microsecond time synchronization precision required by wireless networks.
Operation and maintenance costs of 1588v2 are lower than those of GPS (which needs to be deployed at each base station). In addition, 1588v2 works independently of GPS, which is of strategic significance.

Concepts of 1588v2

The Precision Time Protocol (PTP), also called 1588, is a standard defined by the Institute of Electrical and Electronics Engineers (IEEE) for the Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. IEEE 1588v2 is a time synchronization protocol. It ensures high-precision time synchronization between devices and is also used for clock synchronization between devices.

A physical network can be logically divided into multiple clock domains. Each clock domain has its own synchronized time, with which all devices in the domain are synchronized. The synchronized time of one clock domain is independent of that of another clock domain.

Each node on a time synchronization network is called a clock. 1588v2 defines the following types of clocks:
• Ordinary clock
  An ordinary clock (OC) has only one 1588v2 clock interface (a clock interface enabled with 1588v2), through which the local clock is synchronized with an upstream 1588-aware node or distributes time signals to downstream 1588-aware nodes.
• Boundary clock
  A boundary clock (BC) has multiple 1588v2 clock interfaces. One port is synchronized with an upstream 1588-aware node and the others distribute time signals to downstream 1588-aware nodes. For example, a router that obtains the standard time from a BITS device through an external non-1588v2 port and distributes the time to downstream nodes through two 1588v2 ports is a BC, because it has more than one 1588v2 port.
• Transparent clock
  Unlike a BC or an OC, which need to be synchronized with other clocks, a TC does not need to be synchronized with other clocks. A TC has multiple 1588v2 ports through which 1588v2 packets are forwarded. In addition, the TC corrects the forwarding delays of these 1588v2 packets (for details, see the following sections) and is not synchronized with other clocks through any port. TCs are classified into end-to-end (E2E) TCs and peer-to-peer (P2P) TCs.
  – End-to-End Transparent Clock (E2ETC): transparently forwards Sync and Announce packets and expires the other 1588v2 packets. It calculates the entire end-to-end link delay.
  – Peer-to-Peer Transparent Clock (P2PTC): transparently forwards Sync and Announce packets and expires the other 1588v2 packets. It calculates every peer-to-peer segment delay along the entire link.

In addition to the three basic types of clocks, the NE80E/40E supports the following two compound types of clocks:
• TCOC: carries the characteristics of both a TC and an OC. A TCOC provides multiple ports connected to a 1588v2 network. Among those ports, one is an OC port and the others are TC ports. A TCOC implements 1588v2 frequency synchronization, not time synchronization.
• TCandBC: carries the characteristics of both a TC and a BC. A TCandBC provides multiple ports connected to a 1588v2 network. Among those ports, some are TC ports and the others are BC ports. The TC and BC ports belong to different clock domains. A TCandBC implements both 1588v2 frequency synchronization and time synchronization. The domain value of the BC ports is the 1588v2 domain value configured in the system view; the domain value of each TC port must be configured in its interface view.

In a 1588v2 system, all clocks are organized in a master/slave synchronization hierarchy, with the grandmaster clock at the top of the hierarchy. Clock synchronization is implemented by exchanging 1588v2 packets.
The slave clock calculates its offset and delay relative to the master clock from the timestamps carried in the 1588v2 packets and then synchronizes its local clock with the master clock. A 1588v2 packet carries both clock information and time information. On the network shown in Figure 10-2, the 1588v2 device reads and writes the timestamp carried in a 1588v2 packet at the data link layer to calculate the delay of every link segment. Compared with the Network Time Protocol (NTP), 1588v2 ensures a higher precision.

Figure 10-2 Timestamping in the 1588v2 packet (figure not reproduced; it shows the master clock and slave clock stacks, PTP application over MAC over PHY, with the PTP packet timestamped below the PTP application)

1588 ACR

Adaptive Clock Recovery (ACR) carries out clock synchronization by exchanging 1588v2 packets. Unlike 1588v2, which achieves frequency synchronization only when all devices on a network support 1588v2, 1588 ACR can implement frequency synchronization on a network containing both 1588v2-aware and 1588v2-unaware devices.

Applications of 1588v2

On the network shown in Figure 10-3, an OC encapsulates the highly accurate clock information provided by the Global Positioning System (GPS) into 1588v2 packets and provides that clock information to the bearer network through them. TCs, as core devices, transparently transmit the clock information provided by the OC across the entire bearer network. Edge devices on the bearer network then function as BCs and provide the highly accurate clock information obtained from the 1588v2 packets to wireless access devices, such as a NodeB or an RNC.
Figure 10-3 Application of 1588v2 on a bearer network (figure not reproduced; it shows a GPS feeding an OC, TCs in the core of the bearer network carrying the PTP packets, and BCs at the edge serving an RNC and NodeBs)

10.1.2 1588v2 Features Supported by the NE80E/40E

The 1588v2 features supported by the NE80E/40E are clock node types, link delay measurement mechanisms, packet encapsulation formats, and clock source selection modes.

Seven Types of 1588v2 Devices Supported by the NE80E/40E

The NE80E/40E supports the following types of 1588v2 devices:
• OC: Ordinary clock
• BC: Boundary clock
• E2ETC: End-to-end transparent clock
• P2PTC: Peer-to-peer transparent clock
• TCandBC: Transparent clock and boundary clock
• E2ETCOC: End-to-end transparent clock and ordinary clock
• P2PTCOC: Peer-to-peer transparent clock and ordinary clock

Four 1588v2 Packet Encapsulation Modes Supported by the NE80E/40E

The NE80E/40E supports MAC and UDP encapsulation modes.
• MAC encapsulation: VLAN IDs and an 802.1p value are carried in 1588v2 packets. MAC encapsulation is classified into two types:
  – Unicast encapsulation
  – Multicast encapsulation
• UDP encapsulation: Differentiated Services Code Point (DSCP) values are carried in 1588v2 packets. UDP encapsulation is classified into two types:
  – Unicast encapsulation
  – Multicast encapsulation

The encapsulation mode depends on the type of link:
• On a Layer 2 link: The MAC encapsulation mode is used.
• On a Layer 3 link: The UDP encapsulation mode is used.
Two Delay Measurement Mechanisms Supported by the NE80E/40E

The NE80E/40E supports either of the following link delay measurement mechanisms for 1588v2:
• Delay: Delay request-response mechanism
• PDelay: Peer delay mechanism

BMC Algorithm and Static Clock Source Selection Supported by the NE80E/40E

The NE80E/40E supports the best master clock (BMC) algorithm and static clock source selection.
• BMC
  1588v2 devices using the BMC algorithm dynamically select the best master clock on a network, ensuring the clock accuracy of the devices.
• Static clock source selection
  A specified clock source is selected as the master clock source by using a configuration command.

1588 ACR Supported by the NE80E/40E

The NE80E/40E supports 1588 ACR in either of the following modes:
• 1588 ACR in single-server mode
  In one 1588 ACR domain, a client initiates a request for negotiation and exchanges Layer 3 unicast packets with the server to set up a connection. The client then exchanges 1588v2 packets with the server over the connection to restore clock information. If the clock server fails, the client does not automatically initiate a connection request to another clock server.
• 1588 ACR in master/slave server mode
  In one 1588 ACR domain, a client initiates a request for negotiation and exchanges Layer 3 unicast packets with the master server to set up a connection. The client then exchanges 1588v2 packets with the master server over the connection to restore clock information. If the master clock server fails, the client automatically initiates a connection request to the slave clock server.
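The offset and delay calculation that a slave clock performs from packet timestamps (described under Concepts of 1588v2 above), carried out for both delay measurement mechanisms just listed, as an added example. This is not code from the Huawei guide or the NE80E/40E software: the formulas are the standard IEEE 1588 ones, the t1 to t4 names are the standard's timestamp notation, and the timestamps are constructed sample values in nanoseconds.

```python
"""Offset and path-delay calculation performed by a 1588v2 slave clock.

Added example, not code from the Huawei guide. It implements the standard
IEEE 1588 formulas for the two delay measurement mechanisms the guide names
(Delay: delay request-response; PDelay: peer delay). All timestamps are
constructed sample values in nanoseconds, not captured from a device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DelayReqResp:
    """Timestamps of one Sync / Delay_Req exchange (Delay mechanism)."""
    t1: int  # master sends Sync (master clock)
    t2: int  # slave receives Sync (slave clock)
    t3: int  # slave sends Delay_Req (slave clock)
    t4: int  # master receives Delay_Req (master clock)


@dataclass(frozen=True)
class PeerDelay:
    """Timestamps of one Pdelay_Req / Pdelay_Resp exchange (PDelay mechanism)."""
    t1: int  # requester sends Pdelay_Req (requester clock)
    t2: int  # responder receives Pdelay_Req (responder clock)
    t3: int  # responder sends Pdelay_Resp (responder clock)
    t4: int  # requester receives Pdelay_Resp (requester clock)


def e2e_offset_and_delay(ts: DelayReqResp, asymmetry_ns: float = 0.0):
    """Delay request-response mechanism: the slave measures the whole
    master-to-slave path. Returns (offset_from_master, mean_path_delay).

    asymmetry_ns is the IEEE 1588 delayAsymmetry: how much the master-to-slave
    direction exceeds the mean path delay (positive when that direction is the
    longer one). Without it the asymmetric part of the path is mistaken for
    clock offset, which is what the guide's ptp asymmetry-correction command
    compensates; how its positive/negative values map onto this sign
    convention is an assumption, not stated on this page.
    """
    ms = ts.t2 - ts.t1  # master-to-slave transit plus the slave's offset
    sm = ts.t4 - ts.t3  # slave-to-master transit minus the slave's offset
    mean_path_delay = (ms + sm) / 2
    offset = (ms - sm) / 2 - asymmetry_ns
    return offset, mean_path_delay


def p2p_link_delay(ts: PeerDelay) -> float:
    """Peer delay mechanism: delay of one link segment only. The responder's
    turnaround time (t3 - t2) is removed, so the result does not depend on the
    offset between the two neighbouring clocks."""
    return ((ts.t4 - ts.t1) - (ts.t3 - ts.t2)) / 2


def p2p_offset(sync_t1: int, sync_t2: int, link_delay: float,
               correction_ns: float = 0.0) -> float:
    """Offset of a slave using the PDelay mechanism: the Sync transit time is
    the local link delay plus the correction accumulated upstream (residence
    times in P2P transparent clocks and their segment delays)."""
    return (sync_t2 - sync_t1) - correction_ns - link_delay


def simulate_delay_req_resp(offset: int, d_ms: int, d_sm: int,
                            t1: int = 1_000_000, t3: int = 1_010_000) -> DelayReqResp:
    """Construct the four timestamps for a slave whose clock reads `offset` ns
    ahead of the master, with one-way delays d_ms (master->slave) and d_sm."""
    t2 = t1 + d_ms + offset  # slave stamps in its own (offset) time
    t4 = t3 - offset + d_sm  # master stamps in master time
    return DelayReqResp(t1, t2, t3, t4)


def demo() -> dict:
    """Worked numbers: true offset +1500 ns, one-way delays 1200 ns / 800 ns,
    so the path is asymmetric by 200 ns."""
    ts = simulate_delay_req_resp(offset=1500, d_ms=1200, d_sm=800)
    naive_offset, mean_delay = e2e_offset_and_delay(ts)
    corrected_offset, _ = e2e_offset_and_delay(ts, asymmetry_ns=200)
    return {"mean_delay": mean_delay, "naive_offset": naive_offset,
            "corrected_offset": corrected_offset}


if __name__ == "__main__":
    print(demo())
```

The uncorrected Delay-mode result attributes half of the 400 ns path asymmetry to clock offset (1700 ns instead of 1500 ns), which is the error the asymmetry correction in 10.2.3 exists to remove; the PDelay result for one segment is independent of the neighbour's offset, which is why every interface on a segment must use the same mechanism.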
10.2 Configuring 1588v2 on OC

An ordinary clock (OC) has only one 1588v2 clock interface (a clock interface enabled with 1588v2), through which the OC synchronizes with an upstream node or distributes time signals to downstream nodes.

10.2.1 Before You Start

Before configuring 1588v2 for an OC, familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

As shown in Figure 10-4, when two devices transmit wireless data over the IP bearer network, low-delay transmission of real-time radio services must be guaranteed. The two devices serve as OCs and transmit time information in 1588v2 packets, which ensures clock synchronization between the devices. An OC can provide a highly accurate time source for wireless devices through the Building Integrated Timing Supply (BITS) system.

Figure 10-4 Configuring 1588v2 on OC (figure not reproduced; it shows OC1 as the master, connected to the BITS, and OC2 as the slave)

Pre-configuration Tasks

Before configuring 1588v2 on an OC, complete the following tasks:
• Configure physical parameters for the interfaces so that the physical layer of the interfaces is Up.
• (Optional) Configure static routes or IGP protocols to make IP routes reachable among the nodes.
• Ensure that the OC has correctly imported the clock and time signals from the BITS.

Data Preparation

To configure 1588v2 on an OC, you need the following data.

No.   Data
1     Number and IP address of each interface
2     IDs of the 1588v2 domains to which the devices belong
3     (Optional) Asymmetric correction value of the 1588v2 packet
4     (Optional) Interval for sending Announce packets and the timeout period for receiving Announce packets
5     (Optional) Interval for sending Sync packets
6     (Optional) Minimum interval for sending Delay packets
7     (Optional) Destination MAC address, source IP address, destination IP address, DSCP value, VLAN ID, and the priority corresponding to the VLAN encapsulated into the 1588v2 packet

10.2.2 Configuring 1588v2 Globally

To configure 1588v2 globally, you need to enable 1588v2 on the router in the system view, configure the router as an OC, specify the domain to which the router belongs, and enable the static configuration of the status of the OC interface.

Context

Perform the following steps on the OC:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ptp enable
1588v2 is enabled.

Step 3 Run:
ptp device-type oc
The device type is configured as OC.

Step 4 (Optional) Run:
ptp slaveonly
The OC is configured to work in slave-only mode.
When a device functioning as an OC synchronizes its clock with other clocks, you can configure the device to work in slave-only mode. After the OC is configured to work in slave-only mode, its interfaces are in the slave state, which means that the OC can only function as a slave clock that receives clock signals from other clocks, never as a master clock that provides clock signals to other clocks.

Step 5 Run:
ptp domain domain-value
The domain to which the 1588v2 device belongs is configured.
NOTE
Clocks that need to be synchronized through 1588v2 packets must belong to the same 1588v2 clock domain.

Step 6 (Optional) Run:
ptp virtual-clock-id clock-id-value
The virtual clock ID of the OC is set.
Step 7 (Optional) Run:
ptp acl enable
The function of controlling the range of clock source candidates is enabled.

Step 8 (Optional) Run:
ptp acl-permit-clockid clockid-value
The clock ID of the clock source that is permitted to participate in the local BMC calculation is set.

Step 9 (Optional) Run:
ptp set-port-state enable
The function of statically specifying the state of a 1588v2 port is enabled.

----End

10.2.3 Configuring 1588v2 on an Interface

After enabling 1588v2 in the system view, you need to enable 1588v2 in the interface view. In addition, you can configure the link delay measurement mechanism, the asymmetric delay correction time, the mode in which packets are timestamped, and a static state for the 1588v2 interface.

Context

Perform the following steps on the OC:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
interface interface-type interface-number
The interface view is displayed.

Step 3 (Optional) Run:
ptp delay-mechanism { delay | pdelay }
One of the following delay measurement mechanisms is configured for the device. The default measurement mechanism for P2PTC and P2PTCOC is PDelay; the default measurement mechanism for E2ETC, E2ETCOC, OC, BC, and TCandBC is Delay. The measurement mechanism on the OC, BC, and TCandBC can be set to PDelay.
• Delay mode: a delay request-response mechanism, in which the clock and time information is calculated from the delay of the entire link between the master clock and the slave clock.
• PDelay mode: a peer delay mechanism, in which the clock and time information is calculated from the delay of each segment of the link between the master clock and the slave clock.
NOTE
Different delay measurement mechanisms cannot replace each other. Therefore, the delay measurement mechanisms configured on the 1588v2 interfaces of the same link segment must be identical.

Step 4 Run:
ptp enable
1588v2 is enabled on the interface.

Step 5 (Optional) Run:
ptp asymmetry-correction { negative negative-asymmetry-correction-value | positive positive-asymmetry-correction-value }
The asymmetric correction time for sending 1588v2 packets on the interface is set.

Step 6 (Optional) Run:
ptp clock-step { one-step | two-step }
The timestamping mode of the synchronization packets sent by the 1588v2 port is set.

Step 7 (Optional) Run:
ptp port-state { slave | passive | master | premaster | listening | faulty | disabled | initializing }
The synchronization state of the 1588v2 port is set.

----End

10.2.4 Configuring Time Attributes for 1588v2 Packets

1588v2 nodes exchange Announce, Sync, and Delay messages to transmit clock information and maintain the 1588v2 connection. In the view of the 1588v2 interface, you can set the sending interval for Announce packets, the maximum number of consecutive Announce packets that the interface may fail to receive, the sending interval for Sync messages, and the sending intervals for Delay messages. Usually, you can use the default values.

Context

Perform the following steps on the 1588v2 device:

Procedure

• Configuring time attributes for Announce packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp announce-interval announce-interval
     The interval for sending Announce packets on the interface is set to 2 to the power of announce-interval, in units of 1/1024 second. The default value of announce-interval is 7, which means that the interval for sending Announce packets on the interface is 128/1024 s.
  4. Run:
     ptp announce receipt-timeout receipt-timeout
     The maximum number of consecutive Announce packets that the interface on a 1588v2 device may fail to receive is set. The default value is 3.
• Configuring time attributes for Sync packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp sync-interval sync-interval
     The interval for sending Sync packets on the interface is set to 2 to the power of sync-interval, in units of 1/1024 second. The default sync-interval is 0, which means that the interval for sending Sync packets on the interface is 1/1024 s.
• Configuring time attributes for Delay packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp min-delayreq-interval min-delayreq-interval
     The interval for sending Delay_Req packets on the interface is set to 2 to the power of min-delayreq-interval, in units of 1/1024 second. The default min-delayreq-interval is 7, which means that the interval for sending Delay_Req packets on the interface is 128/1024 s.
  4. Run:
     ptp min-pdelayreq-interval min-pdelayreq-interval
     The interval for sending PDelay_Req packets is set to 2 to the power of min-pdelayreq-interval, in units of 1/1024 second. The default min-pdelayreq-interval is 7, which means that the interval for sending PDelay_Req packets on the interface is 128/1024 s.

----End

10.2.5 Configuring Encapsulation Modes for 1588v2 Packets

1588v2 messages can be encapsulated into Layer 2 or Layer 3 packets for transmission.
You can select the encapsulation type according to the actual networking environment and configure the source and destination IP addresses of the packets and the transmission priority.

Prerequisites

Before configuring encapsulation modes for 1588v2 packets, check the type of link used for 1588v2 packet transmission:
• A Layer 2 link uses the MAC encapsulation mode for 1588v2 packets.
• A Layer 3 link uses the UDP encapsulation mode for 1588v2 packets.

Context

Perform the following steps on the 1588v2 device:

Procedure

• Configuring the MAC encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. (Optional) Run:
     ptp mac-egress destination-mac destination-mac
     The 1588v2 packets sent from the interface are encapsulated in MAC encapsulation mode, and the destination MAC address is configured.
     – For unicast MAC encapsulation, specify the unicast destination MAC address to be encapsulated in the 1588v2 packet in the interface view.
     – For multicast MAC encapsulation, a default multicast destination MAC address is adopted, which means that destination-mac destination-mac does not need to be configured. The default multicast destination MAC address varies with the delay measurement mechanism as shown in the following table.

     Packet Type                                   MAC Address
     All except peer delay measurement mechanism   01-1B-19-00-00-00
     Peer delay measurement mechanism              01-80-C2-00-00-0E

     NOTE
     If the unicast destination MAC address is not configured, a multicast destination MAC address is adopted by default.
  4. Run:
     ptp mac-egress vlan vlan-id [ priority priority ]
     The VLAN ID for transmitting MAC-encapsulated 1588v2 packets and the 802.1p priority of the 1588v2 packets are configured.
• Configuring the UDP encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp udp-egress source-ip source-ip [ destination-ip destination-ip ]
     The 1588v2 packets sent from the interface are encapsulated in UDP encapsulation mode, and the source and destination IP addresses are configured.
     – For unicast UDP encapsulation, specify the unicast destination IP address to be encapsulated in the 1588v2 packet in the interface view.
     – For multicast UDP encapsulation, a default multicast destination IP address is adopted, which means that destination-ip destination-ip does not need to be configured. The default multicast destination IP address varies with the delay measurement mechanism as shown in the following table.

     Packet Type                                   IP Address
     All except peer delay measurement mechanism   224.0.1.129
     Peer delay measurement mechanism              224.0.0.107

     NOTE
     If the parameter destination-ip destination-ip is not configured, a multicast IP address is adopted.
  4. Run:
     ptp udp-egress destination-mac destination-mac
     The next-hop MAC address of the 1588v2 packets is configured.
  5. Run:
     ptp udp-egress source-ip source-ip [ dscp dscp ]
     The DSCP priority carried in the UDP-encapsulated 1588v2 packets is configured.
  6. Run:
     ptp udp-egress source-ip source-ip vlan vlan-id [ priority priority ]
     The VLAN ID for sending and receiving 1588v2 packets and the priority of the UDP-encapsulated 1588v2 packets are configured on the interface.

----End

10.2.6 Checking the Configurations

After enabling 1588v2 for an OC, you can check whether the 1588v2 configuration meets the requirement.

Prerequisites

OC1 and OC2 have been configured.
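As an added example (constructed here, not one of the guide's own configuration examples), the following configuration files for OC1 and OC2 of Figure 10-4 assemble the commands from 10.2.2 to 10.2.5 on a Layer 2 link: OC1 is the master side connected to the BITS, and OC2 runs in slave-only mode and restricts the clock source candidates for its BMC calculation to OC1's clock ID. The domain value 1 and the clock ID 001882fffe77c2cf are taken from the display example in 10.2.6; VLAN 10 with priority 5 and the interface numbers are assumptions; the commands that import the BITS clock and time signals on OC1 (a pre-configuration task) are not shown.

```text
OC1 Configuration File (master side, connected to the BITS)
#
 sysname OC1
#
 ptp enable
 ptp device-type oc
 ptp domain 1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ptp enable
 ptp delay-mechanism delay
 ptp mac-egress vlan 10 priority 5
#
return

OC2 Configuration File (slave side)
#
 sysname OC2
#
 ptp enable
 ptp device-type oc
 ptp slaveonly
 ptp domain 1
 ptp acl enable
 ptp acl-permit-clockid 001882fffe77c2cf
#
interface GigabitEthernet1/0/0
 undo shutdown
 ptp enable
 ptp delay-mechanism delay
 ptp announce receipt-timeout 3
 ptp mac-egress vlan 10 priority 5
#
return
```

Both interfaces use the Delay mechanism, as required for two 1588v2 interfaces on the same link segment; the announce receipt-timeout of 3 is the default and is shown only to make the timeout explicit. On OC2, ptp slaveonly keeps the port from ever advertising itself as a master, and ptp acl enable with ptp acl-permit-clockid limits which clock source the local BMC calculation will accept, so the display ptp all output in 10.2.6 should show OC1's clock ID as the grand clock ID and parent clock ID.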
Procedure

• Run the display ptp all [ state | config ] command to display the operating status and configuration of 1588v2.
• Run the display ptp interface interface-type interface-number command to display the 1588v2 information of the interface on the 1588v2 device.

----End

Example

Run the display ptp all command to view the configuration and operating status of 1588v2.
• The 1588v2 configuration includes the following:
  – 1588v2 is enabled.
  – The 1588v2 domain value is 1.
  – The device type is OC.
  – The device works in slave-only mode.
• The 1588v2 operation information includes the following:
  – The clock ID of the local clock is 001882fffe1b1bf4.
  – The clock ID of the time source is 001882fffe77c2cf.
  – The clock ID of the parent clock is 001882fffe77c2cf.
  – The interface enabled with 1588v2 is GE 1/0/0.
  – The delay measurement mechanism on the interface is Delay.
  – The timeout period for receiving Announce packets on the interface is 1s.
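The check described above, performed over the display ptp all output as an added example. This is not code from the Huawei guide or the NE80E/40E software: it parses the guide's sample output (abridged and re-laid out in two columns here) and compares it with the values the guide lists for a correctly configured slave-only OC, reporting the grand/parent clock IDs and whether clock source candidate control (ptp acl enable) is on, which is how an operator confirms the OC is following the intended time source.

```python
"""Checks display ptp all output against the values the guide lists for a
correctly configured OC (10.2.6).

Added example, not code from the Huawei guide or the NE80E/40E software.
SAMPLE_OUTPUT is the guide's sample output, abridged and re-laid out in two
columns; the expected values come from the guide's description of it.
"""
import re

SAMPLE_OUTPUT = """\
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled            Domain value        :1
Slave only         :yes                Device type         :OC
Set port state     :no                 Local clock ID      :001882fffe1b1bf4
Acl                :no                 Virtual clock ID    :no
Acr                :no                 Time lock success   :no
BMC run info
------------------------------------------------------------------
Grand clock ID     :001882fffe77c2cf   Receive number      :GigabitEthernet1/0/0
Parent clock ID    :001882fffe77c2cf   Parent portnumber   :6417
Priority1          :128                Priority2           :128
Step removed       :1                  Clock accuracy      :49
Clock class        :187                Time Source         :160
UTC Offset         :0                  UTC Offset Valid    :False
Time Scale         :ARB                Time Traceable      :False
Leap               :None               Frequence Traceable :False
Port info
Name                  State  Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave  delay       10           OC    1
Time Performance Statistics(ns):
"""

# "Key :value" pairs: the key ends at the first colon, the value runs to the next blank.
KV = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*:(\S+)")
PORT_COLUMNS = ("name", "state", "delay_mech", "ann_timeout", "type", "domain")
SECTIONS = ("Device config info", "BMC run info", "Port info", "Clock source info")


def parse_display_ptp_all(text: str) -> dict:
    """Return {'fields': {key: value}, 'ports': [row, ...]} from the output."""
    fields, ports, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("<"):
            continue  # blank line, rule, or the command prompt line
        if line in SECTIONS:
            section = line
            continue
        if section == "Port info":
            parts = line.split()
            if parts[0] == "Name":
                continue  # column header of the port table
            if len(parts) == len(PORT_COLUMNS) and ":" not in line:
                ports.append(dict(zip(PORT_COLUMNS, parts)))
                continue
            section = None  # port table ended
        if section in ("Device config info", "BMC run info"):
            for key, value in KV.findall(line):
                fields[key.strip()] = value
    return {"fields": fields, "ports": ports}


# Values the guide lists for the example OC; the clock IDs are the guide's.
EXPECTED_OC = {
    "PTP state": "enabled", "Domain value": "1", "Device type": "OC",
    "Slave only": "yes", "Local clock ID": "001882fffe1b1bf4",
    "Grand clock ID": "001882fffe77c2cf", "Parent clock ID": "001882fffe77c2cf",
}
ACL_FINDING = "Acl: clock source candidates are not restricted (ptp acl enable is off)"


def check_oc(parsed: dict, expected: dict = EXPECTED_OC,
             port: str = "GigabitEthernet1/0/0") -> list:
    """Return a list of findings; an empty list means every check passed.
    A grand or parent clock ID other than the expected time source means the
    slave-only OC is following a different clock in the domain."""
    fields = parsed["fields"]
    findings = [f"{key}: expected {want}, got {fields.get(key)}"
                for key, want in expected.items() if fields.get(key) != want]
    entry = next((p for p in parsed["ports"] if p["name"] == port), None)
    if entry is None:
        findings.append(f"{port}: not listed as a 1588v2 port")
    else:
        if entry["state"] != "slave":
            findings.append(f"{port}: state {entry['state']}, expected slave")
        if entry["delay_mech"] != "delay":
            findings.append(f"{port}: delay mechanism {entry['delay_mech']}, expected delay")
    if fields.get("Acl") == "no":
        findings.append(ACL_FINDING)
    return findings


if __name__ == "__main__":
    for finding in check_oc(parse_display_ptp_all(SAMPLE_OUTPUT)) or ["all checks passed"]:
        print(finding)
```

On the guide's own sample the only finding is that Acl is "no", so the OC accepts any clock source in domain 1 for its BMC calculation; the same script run on output whose grand or parent clock ID differs from 001882fffe77c2cf reports those fields, which is the condition worth alarming on after the OC is in service.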
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled            Domain value        :1
Slave only         :yes                Device type         :OC
Set port state     :no                 Local clock ID      :001882fffe1b1bf4
Acl                :no                 Virtual clock ID    :no
Acr                :no                 Time lock success   :no
BMC run info
------------------------------------------------------------------
Grand clock ID     :001882fffe77c2cf   Receive number      :GigabitEthernet1/0/0
Parent clock ID    :001882fffe77c2cf   Parent portnumber   :6417
Priority1          :128                Priority2           :128
Step removed       :1                  Clock accuracy      :49
Clock class        :187                Time Source         :160
UTC Offset         :0                  UTC Offset Valid    :False
Time Scale         :ARB                Time Traceable      :False
Leap               :None               Frequence Traceable:False
Port info
Name                  State  Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave  delay       10           OC    1
Time Performance Statistics(ns):
Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)    :534                Pathdelay           :0
Max(T2-T1)         :887704804          Min(T2-T1)          :512
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
------------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal

10.3 Configuring 1588v2 on BC

A boundary clock (BC) has multiple 1588v2 clock interfaces, one of which is used to synchronize with an upstream node. The other interfaces are used to distribute time signals to downstream nodes.

10.3.1 Before You Start

Before configuring 1588v2 for a BC, familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain the required data.
Applicable Environment

As shown in Figure 10-5, NodeBs need to synchronize with the BITS time source. All routers on the bearer network support 1588v2; the NodeBs do not. BC2 is connected to the BITS, synchronizes with the BITS clock, and advertises clock information to the other clocks on the bearer network. The other backbone nodes on the bearer network are also deployed as BCs, so they synchronize with the BITS clock source and advertise clock information to downstream clocks. In addition, two OCs are deployed at the user side of the bearer network; they synchronize with the upstream BITS clock through 1588v2 and advertise clock information to the NodeBs in traditional mode. With this deployment, which combines 1588v2 with traditional synchronization, the clocks on the bearer network and on the wireless network are synchronized.

Figure 10-5 Configuring 1588v2 on a BC (figure: BITS, BC1, BC2, BC3, OC1, OC2, NodeB)

Pre-configuration Tasks

Before configuring 1588v2 on a BC, complete the following tasks:

• Configure physical parameters for the interfaces so that the physical layer of the interfaces is Up.
• (Optional) Configure static routes or enable an IGP to ensure that IP routes between the nodes are reachable.
• Ensure that BC2 has correctly imported clock and time signals from the BITS.

Data Preparation

To configure 1588v2 on a BC, you need the following data.

No.  Data
1    Number and IP address of each interface
2    IDs of the 1588v2 domains to which the devices belong
3    (Optional) Asymmetric correction value of the 1588v2 packet
4    (Optional) Interval for sending Announce packets and the timeout period for receiving Announce packets
5    (Optional) Interval for sending Sync packets
6    (Optional) Minimum interval for sending Delay packets
7    (Optional) Destination MAC address, source IP address, destination IP address, DSCP value, VLAN ID, and corresponding priority encapsulated into the 1588v2 packet

10.3.2 Configuring 1588v2 Globally

To configure 1588v2 globally, enable 1588v2 on the router in the system view, configure the router as a BC, specify the domain to which the router belongs, and, if required, enable static configuration of the BC interface state.

Context

Perform the following steps on the BC:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ptp enable
1588v2 is enabled on the BC.

Step 3 Run:
ptp device-type bc
The device type is configured as BC.

Step 4 (Optional) Run:
ptp domain domain-value
The domain where the 1588v2 device resides is set.

NOTE
Clocks that need to be synchronized through 1588v2 packets must belong to the same 1588v2 clock domain.

Step 5 (Optional) Run:
ptp virtual-clock-id clock-id-value
The virtual clock ID of the BC is set.

Step 6 (Optional) Run:
ptp acl enable
The function of controlling the range of clock source candidates is enabled. Without it, every clock whose Announce packets reach the device in this domain takes part in the local BMC calculation.

Step 7 (Optional) Run:
ptp acl-permit-clockid clockid-value
The clock ID of a clock that is permitted to participate in the local BMC calculation is configured.

Step 8 (Optional) Run:
ptp set-port-state enable
The function of statically specifying the state of a 1588v2 port is enabled.
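The ACL in Steps 6 and 7 is the only control over which clocks enter the BMC calculation: a 1588v2 Announce packet carries no authentication, so any node that can send Announce packets into the domain is otherwise a candidate for clock source. The following Python is an added example, not Huawei code, that models the dataset comparison of IEEE 1588-2008 together with that clock-ID whitelist. The datasets for BC1 and BC2 are taken from the display ptp all output in this chapter; the rogue clock ID and the offsetScaledLogVariance value 0xFFFF (not shown on this page) are constructed assumptions, and the master/slave/listening result is a simplification of the full port state machine.

```python
"""Simplified IEEE 1588v2 best master clock (BMC) selection with the clock-ID
whitelist that 'ptp acl enable' / 'ptp acl-permit-clockid' provide.
Added example, not Huawei code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ClockDataset:
    clock_id: str        # 16 hex digits, as printed by 'display ptp all'
    priority1: int
    clock_class: int
    clock_accuracy: int  # 0x31 for the class-187 source in this chapter
    log_variance: int    # offsetScaledLogVariance; not on this page, assumed
    priority2: int

    def rank(self):
        # Dataset comparison order of IEEE 1588-2008 clause 9.3.4;
        # the smaller tuple wins and the clock identity breaks ties.
        return (self.priority1, self.clock_class, self.clock_accuracy,
                self.log_variance, self.priority2, self.clock_id)


def bmca_select(local, announces, permitted=None, slave_only=False):
    """Return (winning dataset, resulting state of the local clock).

    announces : grandmaster datasets carried by received Announce packets
    permitted : clock IDs allowed into the BMC calculation; models
                'ptp acl enable' + 'ptp acl-permit-clockid'. None = ACL off.
    slave_only: a slave-only clock advertises clockClass 255, so it can
                never win and stays listening when no master is present.
    """
    own = replace(local, clock_class=255) if slave_only else local
    filtered = [a for a in announces
                if permitted is None or a.clock_id in permitted]
    winner = min([own] + filtered, key=ClockDataset.rank)
    if winner.clock_id != local.clock_id:
        state = "slave"
    else:
        state = "listening" if slave_only else "master"
    return winner, state


# Datasets taken from the 'display ptp all' output for BC1 and BC2 in this chapter.
BC1_LOCAL = ClockDataset("001882fffe1b1bf4", priority1=200, clock_class=187,
                         clock_accuracy=0x31, log_variance=0xFFFF, priority2=128)
BC2_ANNOUNCE = ClockDataset("001882fffe77c2cf", priority1=128, clock_class=187,
                            clock_accuracy=0x31, log_variance=0xFFFF, priority2=128)
# Constructed rogue: a node that can inject Announce packets into domain 1
# may simply claim priority1 0 and a PRC-locked clockClass 6.
ROGUE_ANNOUNCE = ClockDataset("deadbeeffffe0001", priority1=0, clock_class=6,
                              clock_accuracy=0x20, log_variance=0xFFFF, priority2=128)


def bc1_without_acl():
    """BC1 with 'Acl :no', as in the output above: the rogue wins."""
    return bmca_select(BC1_LOCAL, [BC2_ANNOUNCE, ROGUE_ANNOUNCE])


def bc1_with_acl():
    """BC1 with the ACL permitting only BC2's clock ID: BC2 wins."""
    return bmca_select(BC1_LOCAL, [BC2_ANNOUNCE, ROGUE_ANNOUNCE],
                       permitted={"001882fffe77c2cf"})


if __name__ == "__main__":
    for label, (winner, state) in (("ACL off", bc1_without_acl()),
                                   ("ACL on ", bc1_with_acl())):
        print(f"{label}: BC1 state={state}, grandmaster={winner.clock_id}")
```

The comparison shows why the whitelist matters more than priority tuning: priority1 is the first field compared, so a rogue that advertises 0 beats any legitimate source regardless of its clock class, unless its clock ID is excluded before the calculation.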
----End

10.3.3 Configuring 1588v2 on an Interface

After enabling 1588v2 in the system view, you need to enable 1588v2 in the interface view. On each interface you can also configure the link delay measurement mechanism, the asymmetric delay correction time, the mode in which packets are timestamped, and a statically configured 1588v2 interface state.

Context

Perform the following steps on the BC:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
interface interface-type interface-number
The interface view is displayed.

Step 3 (Optional) Run:
ptp delay-mechanism { delay | pdelay }
A delay measurement mechanism is configured for the interface, which can be either of the following:

• Delay mode: a delay request-response mechanism, in which the clock and time information is calculated from the delay of the entire link between the master clock and the slave clock.
• PDelay mode: a peer delay mechanism, in which the clock and time information is calculated from the delay of each segment of the link between the master clock and the slave clock.

The default mechanism for P2PTC and P2PTCOC is Pdelay; the default mechanism for E2ETC, E2ETCOC, OC, BC, and TCandBC is Delay. The mechanism on an OC, BC, or TCandBC can be changed to Pdelay.

NOTE
The two delay measurement mechanisms cannot replace each other. Therefore, the delay measurement mechanisms configured on the IEEE 1588v2 interfaces at both ends of a link segment must be identical.

Step 4 Run:
ptp enable
1588v2 is enabled on the interface.

Step 5 (Optional) Run:
ptp announce-drop enable
The interface of the 1588v2 device is configured to discard received Announce packets.

NOTE
Announce packets carry the clock information used for 1588v2 clock synchronization between devices. If an interface discards Announce packets, the device cannot receive clock synchronization information from the 1588v2 devices behind that interface. This command is usually configured on UNI-side interfaces, which also prevents a device on the user side from being selected as the clock source of the bearer network.

Step 6 (Optional) Run:
ptp asymmetry-correction { negative negative-asymmetry-correction-value | positive positive-asymmetry-correction-value }
The asymmetric correction time for sending 1588v2 packets on the interface is set.

Step 7 (Optional) Run:
ptp clock-step { one-step | two-step }
The timestamping mode of the synchronization packets sent by the 1588v2 port is set.

Step 8 (Optional) Run:
ptp port-state { slave | passive | master | premaster | listening | faulty | disabled | initializing }
The synchronization state of the 1588v2 port is set statically.

----End

10.3.4 Configuring Time Attributes for 1588v2 Packets

1588v2 nodes exchange Announce, Sync, and Delay messages to transmit clock information and maintain the 1588v2 connection. In the view of a 1588v2 interface you can set the Announce sending interval, the maximum number of consecutive Announce packets that the interface may fail to receive, the Sync sending interval, and the Delay sending intervals. Usually, the default values can be used.

Context

Perform the following steps on the 1588v2 device:

Procedure

• Configuring time attributes for Announce packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp announce-interval announce-interval
     The interval for sending Announce packets on the interface is set to 2 to the power of announce-interval, in units of 1/1024 s. The default value of announce-interval is 7, which gives an interval of 128/1024 s.
  4. Run:
     ptp announce receipt-timeout receipt-timeout
     The maximum number of consecutive Announce packets that the interface may fail to receive is set. The default value is 3.

• Configuring time attributes for Sync packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp sync-interval sync-interval
     The interval for sending Sync packets on the interface is set to 2 to the power of sync-interval, in units of 1/1024 s. The default value of sync-interval is 0, which gives an interval of 1/1024 s.

• Configuring time attributes for Delay packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp min-delayreq-interval min-delayreq-interval
     The interval for sending Delay_Req packets on the interface is set to 2 to the power of min-delayreq-interval, in units of 1/1024 s. The default value of min-delayreq-interval is 7, which gives an interval of 128/1024 s.
  4. Run:
     ptp min-pdelayreq-interval min-pdelayreq-interval
     The interval for sending Pdelay_Req packets on the interface is set to 2 to the power of min-pdelayreq-interval, in units of 1/1024 s. The default value of min-pdelayreq-interval is 7, which gives an interval of 128/1024 s.
----End

10.3.5 Configuring Encapsulation Types for 1588v2 Packets

1588v2 messages can be encapsulated into Layer 2 or Layer 3 packets for transmission. Select the encapsulation type according to the networking environment, and configure the source and destination addresses of the packets and their transmission priority.

Prerequisites

Before configuring encapsulation modes for 1588v2 packets, check the link type used for 1588v2 packet transmission:

• A Layer 2 link uses the MAC encapsulation mode for 1588v2 packets.
• A Layer 3 link uses the UDP encapsulation mode for 1588v2 packets.

Context

Perform the following steps on the 1588v2 device:

Procedure

• Configuring the MAC encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. (Optional) Run:
     ptp mac-egress destination-mac destination-mac
     The 1588v2 packets sent from the interface are encapsulated in MAC encapsulation mode, and the destination MAC address is configured.
     – For unicast MAC encapsulation, specify the unicast destination MAC address to be encapsulated in the 1588v2 packet in the interface view.
     – For multicast MAC encapsulation, a default multicast destination MAC address is used, so destination-mac destination-mac does not need to be configured. The default multicast destination MAC address depends on the delay measurement mechanism, as shown in the following table.

       Packet Type                                   MAC Address
       All except peer delay measurement mechanism   01-1B-19-00-00-00
       Peer delay measurement mechanism              01-80-C2-00-00-0E

     NOTE
     If no unicast destination MAC address is configured, the multicast destination MAC address is used by default.
  4. Run:
     ptp mac-egress vlan vlan-id [ priority priority ]
     The VLAN ID for transmitting MAC-encapsulated 1588v2 packets and the 802.1p priority of the 1588v2 packets are configured.

• Configuring the UDP encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp udp-egress source-ip source-ip [ destination-ip destination-ip ]
     The 1588v2 packets sent from the interface are encapsulated in UDP encapsulation mode, and the source and destination IP addresses are configured.
     – For unicast UDP encapsulation, specify the unicast destination IP address to be encapsulated in the 1588v2 packet in the interface view.
     – For multicast UDP encapsulation, a default multicast destination IP address is used, so destination-ip destination-ip does not need to be configured. The default multicast destination IP address depends on the delay measurement mechanism, as shown in the following table.

       Packet Type                                   IP Address
       All except peer delay measurement mechanism   224.0.1.129
       Peer delay measurement mechanism              224.0.0.107

     NOTE
     If the parameter destination-ip destination-ip is not configured, the multicast IP address is used.
  4. Run:
     ptp udp-egress destination-mac destination-mac
     The next-hop MAC address of the 1588v2 packet is configured.
  5. Run:
     ptp udp-egress source-ip source-ip [ dscp dscp ]
     The DSCP priority carried in the UDP-encapsulated 1588v2 packet is configured.
  6. Run:
     ptp udp-egress source-ip source-ip vlan vlan-id [ priority priority ]
     The VLAN ID for sending and receiving 1588v2 packets and the priority of the UDP-encapsulated 1588v2 packet are configured on the interface.
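What travels inside either encapsulation is the same 1588v2 message, and the destination address and port depend on the message, not on the link. The following Python is an added example, not Huawei code, serving both 10.3.4 and 10.3.5: it builds and parses an Announce message with the common header layout of IEEE 1588-2008 (34-byte header plus 30-byte Announce body), maps the interval encoding used in 10.3.4 (value n means 2^n/1024 s) to the logMessageInterval field of the header (n - 10), and returns the default multicast destination and UDP port for the MAC and UDP encapsulation modes. The grandmaster values and the clock ID come from the BC2 output in this chapter; the UDP ports 319/320 and the EtherType 0x88F7 come from the standard rather than from this page, and the sequence number and zero origin timestamp are constructed.

```python
"""Build/parse an IEEE 1588v2 Announce message and pick the default
destination used by the MAC and UDP encapsulation modes.
Added example, not Huawei code."""
import struct

# messageType values (IEEE 1588-2008, Table 19)
SYNC, DELAY_REQ, PDELAY_REQ, PDELAY_RESP = 0x0, 0x1, 0x2, 0x3
FOLLOW_UP, DELAY_RESP, PDELAY_RESP_FOLLOW_UP, ANNOUNCE = 0x8, 0x9, 0xA, 0xB
EVENT_TYPES = {SYNC, DELAY_REQ, PDELAY_REQ, PDELAY_RESP}   # timestamped on the wire
PEER_DELAY_TYPES = {PDELAY_REQ, PDELAY_RESP, PDELAY_RESP_FOLLOW_UP}

PTP_ETHERTYPE = 0x88F7                         # Layer 2 encapsulation (standard)
UDP_EVENT_PORT, UDP_GENERAL_PORT = 319, 320    # from the standard, not this page

# Default multicast destinations from the two tables in this section: peer-delay
# messages use the link-local address, every other message the general one.
DEFAULT_DST = {
    ("mac", "general"): "01-1B-19-00-00-00",
    ("mac", "peer"):    "01-80-C2-00-00-0E",
    ("udp", "general"): "224.0.1.129",
    ("udp", "peer"):    "224.0.0.107",
}

HEADER_FMT = ">BBHBxHq4x8sHHBb"   # 34-byte common header (clause 13.3)
ANNOUNCE_FMT = ">HIIhxBBBHB8sHB"  # 30-byte Announce body (clause 13.5)
HEADER_LEN = struct.calcsize(HEADER_FMT)
ANNOUNCE_LEN = struct.calcsize(ANNOUNCE_FMT)


def huawei_interval_to_log(code):
    """Huawei's value n means 2^n/1024 s, so logMessageInterval = n - 10;
    the default 7 maps to -3 (128/1024 s)."""
    return code - 10


def interval_seconds(code):
    return 2.0 ** huawei_interval_to_log(code)


def default_destination(encapsulation, message_type):
    """encapsulation is 'mac' or 'udp', the two modes configured above."""
    kind = "peer" if message_type in PEER_DELAY_TYPES else "general"
    return DEFAULT_DST[(encapsulation, kind)]


def udp_port(message_type):
    return UDP_EVENT_PORT if message_type in EVENT_TYPES else UDP_GENERAL_PORT


def build_announce(domain, src_clock_id, src_port, seq_id, log_interval,
                   gm_clock_id, gm_priority1, gm_class, gm_accuracy,
                   gm_variance, gm_priority2, steps_removed, utc_offset,
                   time_source, flags=0):
    """Return the 64-byte Announce message. Clock IDs are the 16 hex digits
    printed by 'display ptp all'; the origin timestamp is left at zero."""
    body = struct.pack(ANNOUNCE_FMT,
                       0, 0, 0,                 # originTimestamp: s hi16, s lo32, ns
                       utc_offset,
                       gm_priority1, gm_class, gm_accuracy, gm_variance,
                       gm_priority2, bytes.fromhex(gm_clock_id),
                       steps_removed, time_source)
    header = struct.pack(HEADER_FMT,
                         ANNOUNCE,               # transportSpecific=0 | messageType
                         2,                      # versionPTP
                         HEADER_LEN + len(body), domain, flags,
                         0,                      # correctionField
                         bytes.fromhex(src_clock_id), src_port,
                         seq_id,
                         5,                      # controlField for Announce
                         log_interval)
    return header + body


def parse_header(buf):
    if len(buf) < HEADER_LEN:
        raise ValueError("short PTP header")
    (ts_type, ver, length, domain, flags, corr, cid, port,
     seq, ctrl, log_int) = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    return {
        "message_type": ts_type & 0x0F, "version": ver & 0x0F,
        "length": length, "domain": domain, "flags": flags,
        "correction_ns": corr / 65536.0,   # correctionField unit is 2^-16 ns
        "source_clock_id": cid.hex(), "source_port": port,
        "sequence_id": seq, "control": ctrl, "log_interval": log_int,
    }


def parse_announce(buf):
    hdr = parse_header(buf)
    if hdr["message_type"] != ANNOUNCE:
        raise ValueError("not an Announce message")
    if hdr["length"] != len(buf) or len(buf) != HEADER_LEN + ANNOUNCE_LEN:
        raise ValueError("bad Announce length")
    (_, _, _, utc, p1, cls, acc, var, p2, gm,
     steps, src) = struct.unpack(ANNOUNCE_FMT, buf[HEADER_LEN:])
    hdr.update({"utc_offset": utc, "gm_priority1": p1, "gm_class": cls,
                "gm_accuracy": acc, "gm_variance": var, "gm_priority2": p2,
                "gm_clock_id": gm.hex(), "steps_removed": steps,
                "time_source": src})
    return hdr


if __name__ == "__main__":
    # Grandmaster values as shown for BC2 in this chapter; seq_id is constructed.
    msg = build_announce(domain=1, src_clock_id="001882fffe77c2cf", src_port=6417,
                         seq_id=1, log_interval=huawei_interval_to_log(7),
                         gm_clock_id="001882fffe77c2cf", gm_priority1=128,
                         gm_class=187, gm_accuracy=0x31, gm_variance=0xFFFF,
                         gm_priority2=128, steps_removed=1, utc_offset=0,
                         time_source=0xA0)
    print(len(msg), parse_announce(msg))
    print(default_destination("udp", PDELAY_REQ), udp_port(PDELAY_REQ))
```

Note that the domain number sits in the header, so a packet in the wrong domain is discarded before any dataset comparison; the ACL of 10.3.2, by contrast, filters on the sourcePortIdentity clock ID parsed here.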
----End

10.3.6 Checking the Configurations

After enabling 1588v2 on a BC, you can check whether the 1588v2 configuration meets the requirement.

Prerequisites

The BC has been configured.

Procedure

• Run the display ptp all command to display the operating status and configuration of 1588v2 on the BC.
• Run the display ptp interface interface-type interface-number command to display 1588v2 information of the interface on the BC.

----End

Example

As shown in Figure 10-5, BC2 is the grandmaster clock on the 1588v2 network. Run the display ptp all command on BC2 to view the operating status and configuration of 1588v2.

• The 1588v2 configuration includes the following:
  – 1588v2 is enabled.
  – The 1588v2 domain value is 1.
  – The device type is BC.
  – The device works in non-slave-only mode.
• The 1588v2 operation information includes the following:
  – The clock ID of the local clock is 001882fffe77c2cf.
  – The interfaces enabled with 1588v2 are GE 1/0/0 and GE 2/0/0.
  – GE 1/0/0 and GE 2/0/0 are in the Master state.
  – The delay measurement mechanism on GE 1/0/0 and GE 2/0/0 is Delay.
  – The timeout period for receiving Announce packets on GE 1/0/0 and GE 2/0/0 is 512/1024 s (Ann-timeout value 9).

<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled            Domain value       :1
Slave only         :no                 Device type        :BC
Set port state     :no                 Local clock ID     :001882fffe77c2cf
Acl                :no                 Virtual clock ID   :no
Acr                :no                 Time lock success  :no
BMC run info
------------------------------------------------------------------
Source port        :bits1              Leap               :None
UTC Offset         :0                  UTC Offset Valid   :False
Port info
Name                  State    Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  master   delay       9            BC    1
GigabitEthernet2/0/0  master   delay       9            BC    1
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
------------------------------------------------------------------------
local  128   128   0x31      1      0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  100   128   0x20      6      0x20     1pps    on      in/normal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal

BC1 and BC3 are slave clocks of BC2 and, at the same time, master clocks of OC1 and OC2 respectively. After the configuration is complete, run the display ptp all command to view the configuration and operating status of 1588v2. The command output on BC1 is taken as an example.

• The 1588v2 configuration includes the following:
  – 1588v2 is enabled.
  – The 1588v2 domain value is 1.
  – The device type is BC.
  – The device works in non-slave-only mode.
• The 1588v2 operation information includes the following:
  – The clock ID of the local clock is 001882fffe1b1bf4.
  – The clock ID of the time source is 001882fffe77c2cf.
  – The clock ID of the parent clock is 001882fffe77c2cf.
  – The interfaces enabled with 1588v2 are GE 1/0/0 and GE 2/0/0.
  – GE 1/0/0 is in the Slave state and GE 2/0/0 is in the Master state.
  – The delay measurement mechanism on GE 1/0/0 and GE 2/0/0 is Delay.
  – The timeout period for receiving Announce packets on GE 1/0/0 and GE 2/0/0 is 1s (Ann-timeout value 10).

<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled            Domain value       :1
Slave only         :no                 Device type        :BC
Set port state     :no                 Local clock ID     :001882fffe1b1bf4
Acl                :no                 Virtual clock ID   :no
Acr                :no                 Time lock success  :no
BMC run info
------------------------------------------------------------------
Grand clock ID     :001882fffe77c2cf   Receive number     :GigabitEthernet1/0/0
Parent clock ID    :001882fffe77c2cf   Parent portnumber  :2049
Priority1          :128                Priority2          :128
Step removed       :1                  Clock accuracy     :49
Clock class        :187                Time Source        :160
UTC Offset         :0                  UTC Offset Valid   :False
Time Scale         :ARB                Time Traceable     :False
Leap               :None               Frequence Traceable:False
Port info
Name                  State    Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave    delay       10           bc    1
GigabitEthernet2/0/0  master   delay       10           bc    1
Time Performance Statistics(ns):
Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)    :534                Pathdelay          :0
Max(T2-T1)         :887704804          Min(T2-T1)         :512
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
------------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal

OC1 and OC2 are the leaf nodes of the 1588v2 network: they synchronize with the clock signals of BC1 and BC3 and terminate the 1588v2 packets. After the configuration is complete, run the display ptp all command to view the configuration and operating status of 1588v2. The command output on OC1 is taken as an example.

• The 1588v2 configuration includes the following:
  – 1588v2 is enabled.
  – The 1588v2 domain value is 1.
  – The device type is OC.
  – The device works in slave-only mode.
• The 1588v2 operation information includes the following:
  – The clock ID of the local clock is 001882fffe1b1235.
  – The clock ID of the time source is 001882fffe77c2cf.
  – The clock ID of the parent clock is 001882fffe1b1bf4.
  – The interface enabled with 1588v2 is GE 1/0/0.
  – The delay measurement mechanism on GE 1/0/0 is Delay.
  – The timeout period for receiving Announce packets on GE 1/0/0 is 1s (Ann-timeout value 10).

<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled            Domain value       :1
Slave only         :yes                Device type        :OC
Set port state     :no                 Local clock ID     :001882fffe1b1235
Acl                :no                 Virtual clock ID   :no
Acr                :no                 Time lock success  :no
BMC run info
------------------------------------------------------------------
Grand clock ID     :001882fffe77c2cf   Receive number     :GigabitEthernet1/0/0
Parent clock ID    :001882fffe1b1bf4   Parent portnumber  :6417
Priority1          :128                Priority2          :128
Step removed       :1                  Clock accuracy     :49
Clock class        :187                Time Source        :160
UTC Offset         :0                  UTC Offset Valid   :False
Time Scale         :ARB                Time Traceable     :False
Leap               :None               Frequence Traceable:False
Port info
Name                  State    Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave    delay       10           OC    1
Time Performance Statistics(ns):
Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)    :534                Pathdelay          :0
Max(T2-T1)         :887704804          Min(T2-T1)         :512
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
------------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal

10.4 Configuring 1588v2 on TC

Unlike a BC or an OC, a transparent clock (TC) does not synchronize with other clocks. A TC has multiple 1588v2 interfaces between which 1588v2 messages are forwarded; it corrects each forwarded message for the residence delay it incurs, but it is not synchronized with other clocks through any of these interfaces.

10.4.1 Establishing the Configuration Task

Before configuring 1588v2 for a TC, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

As shown in Figure 10-6, the NodeBs support 1588v2 and function as OCs. 1588v2 is configured to ensure clock synchronization between devices on the bearer network. Core devices on the bearer network function as TCs, which forward 1588v2 packets so that the clock or time can be synchronized between the BC and the OCs.

Figure 10-6 Configuring 1588v2 on TC (figure: BITS, Master, BC, TC1, TC2, OC1, OC2, NodeB)

Pre-configuration Tasks

Before configuring 1588v2 on a TC, complete the following tasks:

• Configure physical parameters for the interfaces so that the physical layer of the interfaces is Up.
• (Optional) Configure static routes or enable an IGP to ensure that IP routes between the nodes are reachable.
• Ensure that Master has correctly imported clock and time signals from the BITS.

Data Preparation

To configure 1588v2 on a TC, you need the following data.

No.  Data
1    Number and IP address of each interface
2    IDs of the 1588v2 domains to which the devices belong
3    (Optional) Asymmetric correction value of the 1588v2 packet
4    (Optional) Interval for sending Announce packets and the timeout period for receiving Announce packets
5    (Optional) Interval for sending Sync packets
6    (Optional) Minimum interval for sending Delay packets
7    (Optional) Destination MAC address, source IP address, destination IP address, DSCP value, VLAN ID, and corresponding priority encapsulated into the 1588v2 packet

10.4.2 Configuring 1588v2 Globally

To configure 1588v2 globally, enable 1588v2 on the router in the system view, configure the router as a TC, and specify the domain to which the router belongs.

Context

Perform the following steps on the TC:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ptp enable
1588v2 is enabled on the TC.

Step 3 Run:
ptp device-type { e2etc | e2etcoc | p2ptc | p2ptcoc }
The 1588v2 device type is configured as TC.

• e2etc: configures the clock mode of the device to E2ETC.
• e2etcoc: configures the clock mode of the device to E2ETCOC.
• p2ptc: configures the clock mode of the device to P2PTC.
• p2ptcoc: configures the clock mode of the device to P2PTCOC.

NOTE
A TCOC is a special type of TC that can also synchronize frequency with its upstream clock.

Step 4 Run:
ptp domain domain-value
The domain to which the 1588v2 device belongs is configured.

NOTE
Clocks that need to be synchronized through 1588v2 packets must belong to the same 1588v2 clock domain.

Step 5 (Optional) Run:
ptp virtual-clock-id clock-id-value
The virtual clock ID of the TC is set.

----End

10.4.3 Configuring 1588v2 on an Interface

After enabling 1588v2 in the system view, you need to enable 1588v2 in the interface view. On each interface you can also configure the asymmetric delay correction time, the mode in which packets are timestamped, and a statically configured 1588v2 interface state.

Context

Perform the following steps on the TC:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
ptp enable
1588v2 is enabled on the interface.

Step 4 Run:
ptp tcoc-clock-id clock-source-id port-num port-num
The clock source traced by the interface of a TCOC is configured.

NOTE
This command takes effect only on a TCOC.

Step 5 (Optional) Run:
ptp asymmetry-correction { negative negative-asymmetry-correction-value | positive positive-asymmetry-correction-value }
The asymmetric correction time for sending 1588v2 packets on the interface is set.

Step 6 (Optional) Run:
ptp clock-step { one-step | two-step }
The timestamping mode of the synchronization packets sent by the 1588v2 port is set.

Step 7 (Optional) Run:
ptp port-state { slave | uncalibrated | passive | master | premaster | listening | faulty | disabled | initializing }
The synchronization state of the 1588v2 port is set statically.

----End

10.4.4 Configuring Time Attributes for 1588v2 Packets

1588v2 nodes exchange Announce, Sync, and Delay messages to transmit clock information and maintain the 1588v2 connection.
In the view of a 1588v2 interface you can set the Announce sending interval, the maximum number of consecutive Announce packets that the interface may fail to receive, the Sync sending interval, and the Delay sending intervals. Usually, the default values can be used.

Context

Perform the following steps on the 1588v2 device:

Procedure

• Configuring time attributes for Announce packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp announce-interval announce-interval
     The interval for sending Announce packets on the interface is set to 2 to the power of announce-interval, in units of 1/1024 s. The default value of announce-interval is 7, which gives an interval of 128/1024 s.
  4. Run:
     ptp announce receipt-timeout receipt-timeout
     The maximum number of consecutive Announce packets that the interface may fail to receive is set. The default value is 3.

• Configuring time attributes for Sync packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp sync-interval sync-interval
     The interval for sending Sync packets on the interface is set to 2 to the power of sync-interval, in units of 1/1024 s. The default value of sync-interval is 0, which gives an interval of 1/1024 s.

• Configuring time attributes for Delay packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp min-delayreq-interval min-delayreq-interval
     The interval for sending Delay_Req packets on the interface is set to 2 to the power of min-delayreq-interval, in units of 1/1024 s. The default value of min-delayreq-interval is 7, which gives an interval of 128/1024 s.
  4. Run:
     ptp min-pdelayreq-interval min-pdelayreq-interval
     The interval for sending Pdelay_Req packets on the interface is set to 2 to the power of min-pdelayreq-interval, in units of 1/1024 s. The default value of min-pdelayreq-interval is 7, which gives an interval of 128/1024 s.

----End

10.4.5 Configuring Encapsulation Types for 1588v2 Packets

1588v2 messages can be encapsulated into Layer 2 or Layer 3 packets for transmission. Select the encapsulation type according to the networking environment, and configure the source and destination addresses of the packets and their transmission priority.

Prerequisites

Before configuring encapsulation modes for 1588v2 packets, check the link type used for 1588v2 packet transmission:

• A Layer 2 link uses the MAC encapsulation mode for 1588v2 packets.
• A Layer 3 link uses the UDP encapsulation mode for 1588v2 packets.

Context

Perform the following steps on the 1588v2 device:

Procedure

• Configuring the MAC encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. (Optional) Run:
     ptp mac-egress destination-mac destination-mac
     The 1588v2 packets sent from the interface are encapsulated in MAC encapsulation mode, and the destination MAC address is configured.
     – For unicast MAC encapsulation, specify the unicast destination MAC address to be encapsulated in the 1588v2 packet in the interface view.
     – For multicast MAC encapsulation, a default multicast destination MAC address is used, so destination-mac destination-mac does not need to be configured. The default multicast destination MAC address depends on the delay measurement mechanism, as shown in the following table.

       Packet Type                                   MAC Address
       All except peer delay measurement mechanism   01-1B-19-00-00-00
       Peer delay measurement mechanism              01-80-C2-00-00-0E

     NOTE
     If no unicast destination MAC address is configured, the multicast destination MAC address is used by default.
  4. Run:
     ptp mac-egress vlan vlan-id [ priority priority ]
     The VLAN ID for transmitting MAC-encapsulated 1588v2 packets and the 802.1p priority of the 1588v2 packets are configured.

• Configuring the UDP encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp udp-egress source-ip source-ip [ destination-ip destination-ip ]
     The 1588v2 packets sent from the interface are encapsulated in UDP encapsulation mode, and the source and destination IP addresses are configured.
     – For unicast UDP encapsulation, specify the unicast destination IP address to be encapsulated in the 1588v2 packet in the interface view.
     – For multicast UDP encapsulation, a default multicast destination IP address is used, so destination-ip destination-ip does not need to be configured. The default multicast destination IP address depends on the delay measurement mechanism, as shown in the following table.

       Packet Type                                   IP Address
       All except peer delay measurement mechanism   224.0.1.129
       Peer delay measurement mechanism              224.0.0.107

     NOTE
     If the parameter destination-ip destination-ip is not configured, the multicast IP address is used.
  4. Run:
     ptp udp-egress destination-mac destination-mac
     The next-hop MAC address of the 1588v2 packet is configured.
  5. Run:
     ptp udp-egress source-ip source-ip [ dscp dscp ]
     The DSCP priority carried in the UDP-encapsulated 1588v2 packet is configured.
  6. Run:
     ptp udp-egress source-ip source-ip vlan vlan-id [ priority priority ]
     The VLAN ID for sending and receiving 1588v2 packets and the priority of the UDP-encapsulated 1588v2 packet are configured on the interface.

----End

10.4.6 Checking the Configurations

After enabling 1588v2 on a TC, you can check whether the 1588v2 configuration meets the requirement.

Prerequisites

The TC has been configured.

Procedure

• Run the display ptp all [ state | config ] command to display the operating status and configuration of 1588v2 on the TC.
• Run the display ptp interface interface-type interface-number command to display 1588v2 information of the interface.

----End

Example

Run the display ptp all command to view the configuration and operating status of 1588v2 on the TC.
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled           Domain value       :1
Slave only         :no                Device type        :E2ETC
Set port state     :no                Local clock ID     :00e0fcfffea4b000
Acl                :no                Virtual clock ID   :no
Acr                :no                Time lock success  :no
BMC run info
------------------------------------------------------------------
Source port        :local
Port info
Name                  State       Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  premaster   pdelay      9            TC    1
GigabitEthernet1/0/1  premaster   pdelay      9            TC    1
Clock source info
Clock   Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local   100   255   0x20      187    0xa0
bits0   128   128   0x20      6      0x20     none    off     -/abnormal
bits1   49    128   0x20      6      0x20     none    off     -/abnormal
bits2   128   128   0x20      6      0x20     none    on      -/abnormal

10.5 Configuring 1588v2 on a TCandBC
A TCandBC can function as both a TC and a BC. It has several physical interfaces that communicate with the 1588v2 network; some interfaces are of the TC type and the others are of the BC type. The domain value of a BC interface must be the one configured in the system view; the domain value of a TC interface must be configured in the interface view.
10.5.1 Before You Start
Before configuring 1588v2 for a TCandBC, familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain the required data.
Applicable Environment
As shown in Figure 10-7, all routers and the NodeB support 1588v2. Operator A has NodeBs, OC2, OC3, and a BITS standard clock source BITS2, but does not have bearer network devices. Operator B leases its bearer network to Operator A. Devices on the bearer network synchronize with the BITS standard clock source BITS1 of Operator B.
The following network deployment scheme is adopted to ensure that clock synchronization is implemented independently on the devices of Operator A and Operator B:
- OC1 and OC2 are connected to BITS1 and BITS2 respectively, and advertise clock synchronization information to downstream clocks through 1588v2 packets.
- The interface on TCandBC1 that is directly connected to OC1 is a BC interface, which synchronizes the clock in Domain1; the interface of TCandBC1 at the user side is a TC interface, which exchanges 1588v2 packets with TCandBC2 through an L2VPN, MPLS, or L3VPN tunnel.
- The interface on TCandBC2 that is directly connected to OC1 is a BC interface, which synchronizes the clock in Domain1; the interface of TCandBC2 at the user side is a TC interface, which exchanges 1588v2 packets with TCandBC1 through an L2VPN, MPLS, or L3VPN tunnel.
- OC3 receives the 1588v2 packets sent from TCandBC1 and synchronizes with the clock signals from TCandBC1. OC3 then advertises the clock signals to the NodeB in the traditional mode, such as Ethernet-based clock synchronization.
- The P node functions as a BC to implement 1588v2 synchronization and transmit messages between TCandBC1 and TCandBC2.
The entire bearer network functions as one large TC, which transparently transmits BITS2 clock information to the NodeB.
Figure 10-7 Configuring 1588v2 on a TCandBC
[Figure; labels: Domain1, Domain2, ISP A, ISP B, BITS1, BITS2, OC1, OC2, OC3, P, TCBC1, TCBC2, PW, NodeB]
Pre-configuration Tasks
Before configuring 1588v2 on a TCandBC, complete the following tasks:
- Configure physical parameters for the interfaces so that the physical layer of the interfaces is Up.
- (Optional) Configure static routes or enable an IGP to ensure that IP routes between the nodes are reachable.
- Ensure that OC1 and OC2 have correctly imported clock and time signals from the BITS.
Data Preparation
To configure 1588v2 on a TCandBC, you need the following data.
No.  Data
1    Number and IP address of each interface
2    IDs of the 1588v2 domains to which the devices belong
3    (Optional) Asymmetric correction value of the 1588v2 packet
4    (Optional) Interval for sending Announce packets and the timeout period for receiving Announce packets
5    (Optional) Interval for sending Sync packets
6    (Optional) Minimum interval for sending Delay packets
7    (Optional) Destination MAC address, source IP address, destination IP address, DSCP value, VLAN ID, and corresponding priority encapsulated into the 1588v2 packet

10.5.2 Configuring 1588v2 Globally
To configure 1588v2 globally, enable 1588v2 on the router in the system view, configure the router as a TCandBC, specify the domain to which the router belongs, and enable static configuration of the state of the TCandBC interfaces.
Context
Perform the following steps on the TCandBC:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp enable
1588v2 is enabled on the device.
Step 3 Run:
ptp device-type tcandbc
The device type is configured as TCandBC.
Step 4 Run:
ptp domain domain-value
The value of the 1588v2 domain to which the BC ports of the TCandBC belong is configured.
Step 5 (Optional) Run:
ptp virtual-clock-id clock-id-value
The virtual clock ID of the TCandBC is set.
Step 6 (Optional) Run:
ptp acl enable
The function of controlling the range of clock source candidates is enabled.
Step 7 (Optional) Run:
ptp acl-permit-clockid clockid-value
The clock ID of a clock source that is permitted to participate in the local BMC calculation is set.
Step 8 (Optional) Run:
ptp set-port-state enable
The function of statically specifying the state of a 1588v2 port is enabled.
----End

10.5.3 Configuring 1588v2 on an Interface
After enabling 1588v2 in the system view, you need to enable 1588v2 in the interface view. In addition, on each interface you need to configure the link delay measurement mechanism, the asymmetric delay correction time, and the mode in which packets are timestamped, and statically configure the state of the 1588v2 interface.
Context
Perform the following steps on the device:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ptp port-type { bc | tc }
The type of the 1588v2 interface is configured as either TC or BC.
Step 4 In the TC interface view, run:
ptp domain domain-value
The domain to which the 1588v2 interface belongs is configured.
NOTE
The 1588v2 clock domain configured in the system view is the domain to which the BC interface belongs, so you do not need to configure a domain for the BC interface. The domain to which the TC interface belongs must be configured in the interface view.
Step 5 Run:
ptp enable
1588v2 is enabled on the interface.
Step 6 (Optional) Run:
ptp delay-mechanism { delay | pdelay }
A delay measurement mechanism is configured for the device. The default mechanism for P2PTC and P2PTCOC is Pdelay; the default mechanism for E2ETC, E2ETCOC, OC, BC, and TCandBC is Delay. The mechanism on an OC, BC, or TCandBC can be set to Pdelay. The mechanism can be either of the following:
- Delay mode: a delay request-response mechanism, in which clock and time information is calculated according to the delay of the entire link between the master clock and the slave clock.
- Pdelay mode: a peer delay mechanism, in which clock and time information is calculated according to the delay of each segment of the link between the master clock and the slave clock.
NOTE
Different delay measurement mechanisms cannot replace each other. Therefore, the delay measurement mechanisms configured on the 1588v2 interfaces on the same link segment must be identical.
Step 7 (Optional) Run:
ptp announce-drop enable
The interface of the 1588v2 device is configured to discard received Announce packets.
NOTE
Announce packets ensure 1588v2 clock synchronization between devices. If an interface discards Announce packets, the device where the interface resides cannot receive clock synchronization information from other 1588v2 clocks. Usually, this command is configured on the interface at the user side.
Step 8 (Optional) Run:
ptp asymmetry-correction { negative negative-asymmetry-correction-value | positive positive-asymmetry-correction-value }
The asymmetric correction time for sending 1588v2 packets on the interface is set.
Step 9 (Optional) Run:
ptp clock-step { one-step | two-step }
The timestamping mode of the synchronization packets sent by the 1588v2 port is set.
Step 10 (Optional) Run:
ptp port-state { slave | passive | master | premaster | listening | faulty | disabled | initializing }
The synchronization state of the 1588v2 port is set.
----End
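The rules stated in 10.5.2 and 10.5.3 (a BC port takes the system-view domain, a TC port needs a domain in the interface view, and both ends of a link segment must use the same delay mechanism) together with the interval encoding of 10.5.4 (2 to the power of the value, in 1/1024 s) can be checked before and after a TCandBC is configured. The following Python is an added example, not Huawei's code and not a command that runs on the router: it models a TCandBC port plan, applies those rules, and parses the Port info table of display ptp all in the format shown in 10.4.6 above so that the Ann-timeout column can be read in seconds (a value of 9 is 512/1024 s, the figure quoted for TCandBC1 in 10.5.6). The PtpPort.link label, the device and port names, and the sample table are constructed for the example.

```python
# Added example (not Huawei's code): checks a TCandBC port plan against the rules in
# 10.5.2/10.5.3 and parses the "Port info" table of 'display ptp all'.
# PtpPort.link is an assumed field that names the link segment a port sits on.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Default delay mechanism per device type (10.5.3, Step 6).
DEFAULT_DELAY_MECHANISM = {
    "P2PTC": "pdelay", "P2PTCOC": "pdelay",
    "E2ETC": "delay", "E2ETCOC": "delay",
    "OC": "delay", "BC": "delay", "TCandBC": "delay",
}


def interval_seconds(log_value: int) -> float:
    """2 to the power of log_value, in units of 1/1024 s (the encoding used in 10.5.4)."""
    return (2 ** log_value) / 1024.0


@dataclass
class PtpPort:
    name: str
    port_type: Optional[str] = None        # "bc" or "tc" (ptp port-type); only on a TCandBC
    domain: Optional[int] = None           # ptp domain in the interface view; None = not set
    delay_mechanism: Optional[str] = None  # ptp delay-mechanism; None = device default
    link: str = ""                         # assumed: label of the link segment (peer checks)


@dataclass
class PtpDevice:
    name: str
    device_type: str                       # ptp device-type
    system_domain: int                     # ptp domain in the system view
    ports: List[PtpPort]


def effective_domain(dev: PtpDevice, port: PtpPort) -> Optional[int]:
    """TC ports use the interface-view domain; every other port inherits the system-view domain."""
    return port.domain if port.port_type == "tc" else dev.system_domain


def effective_mechanism(dev: PtpDevice, port: PtpPort) -> str:
    return port.delay_mechanism or DEFAULT_DELAY_MECHANISM[dev.device_type]


def check_device(dev: PtpDevice) -> List[str]:
    """Per-device findings: a TC port without a domain, or a BC port domain that disagrees with the system view."""
    findings = []
    for p in dev.ports:
        if p.port_type == "tc" and p.domain is None:
            findings.append(f"{dev.name} {p.name}: TC port has no 'ptp domain' in the interface view")
        if p.port_type == "bc" and p.domain is not None and p.domain != dev.system_domain:
            findings.append(f"{dev.name} {p.name}: BC port uses system domain {dev.system_domain}, "
                            f"interface domain {p.domain} has no effect")
    return findings


def check_link_segments(devices: List[PtpDevice]) -> List[str]:
    """Both ends of a link segment must use the same delay mechanism (NOTE under Step 6)."""
    seen: Dict[str, Set[str]] = {}
    for dev in devices:
        for p in dev.ports:
            if p.link:
                seen.setdefault(p.link, set()).add(effective_mechanism(dev, p))
    return [f"link {link}: mixed delay mechanisms {sorted(m)}"
            for link, m in sorted(seen.items()) if len(m) > 1]


def parse_port_info(output: str) -> List[dict]:
    """Parse the 'Port info' table of 'display ptp all'; Ann-timeout is rendered in seconds."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("Port info"):
            in_table = True
            continue
        if not in_table or line.startswith(("Name", "---")):
            continue
        parts = line.split()
        if len(parts) != 6:  # the next section header ends the table
            in_table = False
            continue
        name, state, mech, ann, ptype, dom = parts
        rows.append({"name": name, "state": state, "delay_mech": mech.lower(),
                     "ann_timeout_s": interval_seconds(int(ann)),
                     "type": ptype.lower(), "domain": int(dom)})
    return rows


def compare_plan_with_output(dev: PtpDevice, output: str) -> List[str]:
    """Report ports whose running domain differs from the planned effective domain."""
    planned = {p.name: effective_domain(dev, p) for p in dev.ports}
    return [f"{r['name']}: running domain {r['domain']} != planned {planned.get(r['name'])}"
            for r in parse_port_info(output) if planned.get(r["name"]) != r["domain"]]


# Constructed sample in the Port info format of the display output (not captured from a device).
SAMPLE_OUTPUT = """\
Port info
Name                  State       Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave       delay       9            bc    1
GigabitEthernet2/0/0  premaster   delay       9            tc    2
Clock source info
"""

# Constructed plan for TCandBC1 of Figure 10-7: BC port towards OC1 in Domain1, TC port at the user side in Domain2.
TCANDBC1 = PtpDevice("TCandBC1", "TCandBC", 1, [
    PtpPort("GigabitEthernet1/0/0", "bc", link="OC1-TCandBC1"),
    PtpPort("GigabitEthernet2/0/0", "tc", domain=2, link="TCandBC1-OC3"),
])
# Constructed peer whose port on the same segment was set to pdelay: the link check flags it.
OC3 = PtpDevice("OC3", "OC", 2, [PtpPort("GigabitEthernet0/0/1", delay_mechanism="pdelay", link="TCandBC1-OC3")])

if __name__ == "__main__":
    for finding in check_device(TCANDBC1) + check_link_segments([TCANDBC1, OC3]) + compare_plan_with_output(TCANDBC1, SAMPLE_OUTPUT):
        print(finding)
```

Run against a real capture, the same parser accepts the Port info table of any of the display ptp all outputs in this chapter, since the six columns are identical on the TC and the TCandBC.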
10.5.4 Configuring Time Attributes for 1588v2 Packets
1588v2 nodes exchange Announce, Sync, and Delay messages to transmit clock information and maintain the connectivity of the 1588v2 connection. In the view of a 1588v2 interface, you can set the interval for sending Announce packets, the maximum number of consecutive Announce packets that the interface on a 1588v2 device may fail to receive, the interval for sending Sync messages, and the interval for sending Delay messages. Usually, the default values can be used.
Context
Perform the following steps on the 1588v2 device:
Procedure
- Configuring time attributes for Announce packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp announce-interval announce-interval
The interval for sending Announce packets on the interface is set to 2 to the power of announce-interval, in units of 1/1024 seconds. The default value of announce-interval is 7, which means that the interval for sending Announce packets on the interface is 128/1024s.
4. Run:
ptp announce receipt-timeout receipt-timeout
The maximum number of consecutive Announce packets that the interface on a 1588v2 device may fail to receive is set. The default value is 3.
- Configuring time attributes for Sync packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp sync-interval sync-interval
The interval for sending Sync packets on the interface is set to 2 to the power of sync-interval, in units of 1/1024 seconds.
The default sync-interval is 0, which means that the interval for sending Sync packets on the interface is 1/1024s.
- Configuring time attributes for Delay packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp min-delayreq-interval min-delayreq-interval
The interval for sending Delay_Req packets on the interface is set to 2 to the power of min-delayreq-interval, in units of 1/1024 seconds. The default min-delayreq-interval is 7, which means that the interval for sending Delay_Req packets on the interface is 128/1024s.
4. Run:
ptp min-pdelayreq-interval min-pdelayreq-interval
The interval for sending Pdelay_Req packets is set to 2 to the power of min-pdelayreq-interval, in units of 1/1024 seconds. The default min-pdelayreq-interval is 7, which means that the interval for sending Pdelay_Req packets on the interface is 128/1024s.
----End

10.5.5 Configuring Encapsulation Types for 1588v2 Packets
1588v2 messages can be encapsulated into Layer 2 or Layer 3 packets for transmission. Select the encapsulation type according to the actual networking environment, and configure the source and destination IP addresses of the packets and the transmission priority.
Prerequisites
Before configuring encapsulation modes for 1588v2 packets, check the link type for 1588v2 packet transmission:
- A Layer 2 link adopts the MAC encapsulation mode for 1588v2 packets.
- A Layer 3 link adopts the UDP encapsulation mode for 1588v2 packets.
Context
Perform the following steps on the 1588v2 device:
Procedure
- Configuring the MAC encapsulation mode
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. (Optional) Run:
ptp mac-egress destination-mac destination-mac
The 1588v2 packets to be sent from the interface are encapsulated in MAC encapsulation mode, and the destination MAC address is configured.
– For unicast MAC encapsulation
Specify the unicast destination MAC address encapsulated in the 1588v2 packet in the interface view.
– For multicast MAC encapsulation
A default multicast destination MAC address is adopted, which means that destination-mac destination-mac does not need to be configured. The default multicast destination MAC address varies with the delay measurement mechanism, as shown in the following table.

Packet Type                                    MAC Address
All except peer delay measurement mechanisms   01-1B-19-00-00-00
Peer delay measurement mechanism               01-80-C2-00-00-0E

NOTE
If the unicast destination MAC address is not configured, a multicast destination MAC address is adopted by default.

4. Run:
ptp mac-egress vlan vlan-id [ priority priority ]
The VLAN ID for transmitting MAC-encapsulated 1588v2 packets and the 802.1p priority of the 1588v2 packets are configured.

- Configuring the UDP encapsulation mode
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp udp-egress source-ip source-ip [ destination-ip destination-ip ]
The 1588v2 packets to be sent from the interface are encapsulated in UDP encapsulation mode, and the source and destination IP addresses are configured.
– For unicast UDP encapsulation
Specify the unicast destination IP address encapsulated in the 1588v2 packet in the interface view.
– For multicast UDP encapsulation
A default multicast destination IP address is adopted, which means that destination-ip destination-ip does not need to be configured. The default multicast destination IP address varies with the delay measurement mechanism, as shown in the following table.

Packet Type                                    IP Address
All except peer delay measurement mechanisms   224.0.1.129
Peer delay measurement mechanism               224.0.0.107

NOTE
If the parameter destination-ip destination-ip is not configured, a multicast IP address is adopted.

4. Run:
ptp udp-egress destination-mac destination-mac
The next-hop MAC address of the 1588v2 packet is configured.
5. Run:
ptp udp-egress source-ip source-ip [ dscp dscp ]
The DSCP priority to be carried in the UDP-encapsulated 1588v2 packet is configured.
6. Run:
ptp udp-egress source-ip source-ip vlan vlan-id [ priority priority ]
The VLAN ID for sending and receiving 1588v2 packets and the priority of the UDP-encapsulated 1588v2 packet are configured on the interface.
----End

10.5.6 Checking the Configurations
After enabling 1588v2 for a TCandBC, you can check whether the 1588v2 configurations meet the requirement.
Prerequisites
The TCandBC has been configured.
Procedure
- Run the display ptp all [ state | config ] command to display the operating status and configuration of 1588v2 on the TCandBC.
- Run the display ptp interface interface-type interface-number command to display 1588v2 information about the interface.
----End
Example
Run the display ptp all state command on TCandBC1 to view the configuration and operating status of 1588v2. Take the command output on TCandBC1 as an example.
- The 1588v2 configuration includes the following:
– 1588v2 is enabled.
– The device type is TCandBC.
– The 1588v2 domain value is 1.
– The device works in non-slave-only mode.
- The 1588v2 operation information includes the following:
– The clock ID of the local clock is 001882fffe1b1bf4.
– The clock ID of the time source is 001882fffe77c2cf.
– The clock ID of the parent clock is 001882fffe77c2cf.
– The interfaces enabled with 1588v2 are GE 1/0/0 and GE 2/0/0.
– The value of the 1588v2 domain to which the BC interface belongs is 1; the value of the 1588v2 domain to which the TC interface belongs is 2.
– The BC interface is in the Slave state.
– The delay measurement mechanism on the interfaces is Delay.
– The timeout periods for receiving Announce packets on the BC and TC interfaces are both 512/1024s.
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled           Domain value       :1
Slave only         :no                Device type        :TCandBC
Set port state     :no                Local clock ID     :001882fffe1b1bf4
Acl                :no                Virtual clock ID   :no
Acr                :no                Time lock success  :no
BMC run info
------------------------------------------------------------------
Grand clock ID     :001882fffe77c2cf  Receive number     :GigabitEthernet1/0/0
Parent clock ID    :001882fffe77c2cf  Parent portnumber  :6417
Priority1          :128               Priority2          :128
Step removed       :1                 Clock accuracy     :49
Clock class        :187               Time Source        :160
UTC Offset         :0                 UTC Offset Valid   :False
Time Scale         :ARB               Time Traceable     :False
Leap               :None              Frequence Traceable:False
Port info
Name                  State       Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave       delay       9            bc    1
GigabitEthernet2/0/0  premaster   delay       9            tc    2
Time Performance Statistics(ns):
Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)    :534               Pathdelay          :0
Max(T2-T1)         :887704804         Min(T2-T1)         :512
Clock source info
Clock   Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local   200   128   0x31      187    0xa0
bits0   128   128   0x20      6      0x20     none    off     -/abnormal
bits1   128   128   0x20      6      0x20     none    off     -/abnormal
bits2   128   128   0x20      6      0x20     none    off     -/abnormal

10.6 Configuring the 1588v2 Time Source
This section describes how to configure a 1588v2 clock source, including how to obtain a standard synchronous time through a clock interface from a BITS device without using 1588v2, and how to use 1588v2 to advertise the standard synchronous time to downstream nodes through the other two interfaces.
10.6.1 Before You Start
Before configuring a 1588v2 clock source, familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain the required data.
Applicable Environment
On a 1588v2 network, the grandmaster clock usually imports clock or time signals from an external BITS time source, such as a GPS, and then advertises these clock or time signals to downstream clocks through 1588v2 packets to implement clock synchronization across the entire network. In this case, to ensure clock synchronization between 1588v2 devices, the BITS time source must be correctly imported.
Pre-configuration Tasks
None
Data Preparation
To configure a 1588v2 time source, you need the following data.
No.  Data
1    Number of the interface from which the clock and time signals of the BITS time source are imported
2    (Optional) Class of the time source
3    (Optional) Priority of the time source
4    (Optional) Accuracy of the time source

10.6.2 Configuring BITS Signals to Participate in the BMC Calculation
1588v2 is a protocol used to transmit clock synchronization signals between network devices. To obtain an external clock source, you need to configure the system to import a standard synchronous time from the BITS through the clock interface without using 1588v2.
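The Clock source info table in the display ptp all outputs above lists the internal candidates (local, bits0, bits1, bits2) with their Pri1, Pri2, Accuracy, Class, and Switch columns; 10.6.2 below switches a BITS source into or out of the BMC calculation and 10.6.3 sets those attributes on a source. The following Python is an added example, not Huawei's code, of how such candidates are ordered by the IEEE 1588-2008 data set comparison (priority1, then clockClass, clockAccuracy, priority2, and finally the clock identity; offsetScaledLogVariance belongs between clockAccuracy and priority2 in the standard but is left out because the display does not show it). Two points are assumptions of the example rather than statements of this guide: a source counts as a candidate only when its Switch is on and, for a BITS source, a signal is actually being received (Direction "in"), which is consistent with OC1 in 10.6.4 selecting bits1 although bits0 carries the better priority1 but no signal; and the ACL of 10.5.2 (ptp acl enable, ptp acl-permit-clockid) is modelled as a set of permitted clock IDs. The sample values are those of the OC1 output in 10.6.4; the BITS clock IDs are constructed placeholders.

```python
# Added example (not Huawei's code): orders the clock-source candidates of the
# "Clock source info" table by the IEEE 1588-2008 data set comparison, using only the
# columns the display shows. Assumptions: a source is a candidate only when Switch is on
# (ptp clock-source bitsX on) and, for a BITS source, a signal is being received
# (Direction "in"); the ACL of 10.5.2 is modelled as a set of permitted clock IDs.
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ClockSource:
    name: str
    priority1: int
    priority2: int
    accuracy: int          # clockAccuracy enumeration (Accuracy column); lower is better
    clock_class: int       # clockClass (Class column); lower is better
    switch_on: bool        # Switch column; the local clock is treated as always switched on
    direction_in: bool     # True when a signal is being received (Direction "in")
    clock_id: str = ""     # used only by the ACL filter


def slave_capable(clock_class: int) -> bool:
    """NOTE in 10.6.3: a clock-class smaller than 128 means the device cannot be a slave clock."""
    return clock_class >= 128


def is_candidate(src: ClockSource, permitted_ids: Optional[Set[str]] = None) -> bool:
    """Assumed admission rule: switched on, receiving a signal (BITS only), and ACL-permitted."""
    if not src.switch_on:
        return False
    if src.name != "local":
        if not src.direction_in:
            return False
        if permitted_ids is not None and src.clock_id not in permitted_ids:
            return False
    return True


def comparison_key(src: ClockSource) -> Tuple[int, int, int, int, str]:
    """IEEE 1588-2008 comparison order: priority1, clockClass, clockAccuracy, priority2,
    clock identity (offsetScaledLogVariance omitted: not shown by the display)."""
    return (src.priority1, src.clock_class, src.accuracy, src.priority2, src.clock_id)


def rank(sources: List[ClockSource], permitted_ids: Optional[Set[str]] = None) -> List[str]:
    """Names of the admitted candidates, best first."""
    cands = [s for s in sources if is_candidate(s, permitted_ids)]
    return [s.name for s in sorted(cands, key=comparison_key)]


def select_source(sources: List[ClockSource],
                  permitted_ids: Optional[Set[str]] = None) -> Optional[ClockSource]:
    names = rank(sources, permitted_ids)
    return next(s for s in sources if s.name == names[0]) if names else None


def with_signal(sources: List[ClockSource], name: str) -> List[ClockSource]:
    """Copy of the list in which the named source is receiving a signal."""
    return [replace(s, direction_in=True) if s.name == name else s for s in sources]


# Pri1, Pri2, Accuracy, Class, Switch and Direction as in the OC1 'display ptp all' output
# of 10.6.4; the local clock ID is the one shown there, the BITS IDs are constructed.
OC1_SOURCES = [
    ClockSource("local", 128, 128, 0x31, 1, True, True, "00e0fcfffea4b000"),
    ClockSource("bits0", 1, 128, 0x20, 6, True, False, "constructed-id-bits0"),
    ClockSource("bits1", 100, 128, 0x20, 6, True, True, "constructed-id-bits1"),
    ClockSource("bits2", 128, 128, 0x20, 6, False, False, "constructed-id-bits2"),
]

if __name__ == "__main__":
    print("selected:", select_source(OC1_SOURCES).name)  # bits1, as "Source port :bits1" shows
    print("bits0 once it receives a signal:", select_source(with_signal(OC1_SOURCES, "bits0")).name)
    print("OC1 local clock (class 1) slave-capable:", slave_capable(1))
```

The ranking is what to compare against the Source port line of display ptp all when a device traces an unexpected source: a source that is switched on but shows no signal never enters the comparison, however good its priority1, and the ACL narrows the field further before priorities are looked at.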
Context
Perform the following steps on the device:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
clock bits-type
The type of input or output signal is configured.
The new MPU that supports 1588v2 has four ports: CLK/TOD0, CLK/TOD1, CLK/1PPS, and CLK/Serial. The MPUs used on the NE40E-X1, NE40E-X2, and NE40E-X3 contain only two RJ45 ports; these RJ45 ports are used in the same way as BITS0 and BITS1. For figures of the interfaces on the MPUs of different models, refer to the section "Panel Instruction" in the chapter "Cabinet" of the HUAWEI NetEngine80E/40E - Hardware Description.
CLK/TOD0 is called BITS0 and CLK/TOD1 is called BITS1; the SMB-type CLK/1PPS and CLK/Serial ports are bound together as BITS2. A BITS port can transmit one type of signal at a time. Both the RJ45 port and the SMB port must be connected with dedicated clock cables to input and output clock signals and time signals. For descriptions of clock cables, refer to the chapter "Clock Cables" in the HUAWEI NetEngine80E/40E - Hardware Description.
The following table shows the types of signals that can be transmitted through these ports.
Table 10-2 Signals input to a BITS port
Interface ID of a Clock Board: CLK/TOD0
Interface ID of Software: BITS0
Interface Type: RJ45
Types of Input or Output Signal:
  Types of clock signals:
  - 2 Mbit/s clock signals
  - 2 MHz clock signals
  Types of time signals:
  - 1 pps time signals of the RS422 level and ASCII of the RS422 level
  - Two-line (one for input and the other for output) DCLS time signals
Interface ID of a Clock Board: CLK/TOD1
Interface ID of Software: BITS1
Interface Type: RJ45
Types of Input or Output Signal:
  Types of clock signals:
  - 2 Mbit/s clock signals
  - 2 MHz clock signals
  Types of time signals:
  - 1 pps time signals of the RS422 level and ASCII of the RS422 level
  - Two-line (one for input and the other for output) DCLS time signals

Interface ID of a Clock Board: CLK/1PPS and CLK/Serial
Interface ID of Software: BITS2
Interface Type: SMB (both ports)
Types of Input or Output Signal:
  Types of clock signals:
  - 2 Mbit/s clock signals
  - 2 MHz clock signals
  Types of time signals:
  - 1PPS time signals of the TTL level and ASCII of the RS232 level

In the preceding table:
- If the input or output signals on a BITS port are 2 Mbit/s clock signals, 2 MHz clock signals, or two-line DCLS time signals, you do not need to configure the input or output parameter, because these signals are input and output through the same port. For example, if 2 Mbit/s clock signals are transmitted through BITS0, they are both input and output through BITS0.
- If the input or output signals on a BITS port are 1PPS+ASCII time signals, you must specify the input or output parameter, because 1PPS+ASCII time signals can only be either input or output at a time.
- When BITS2 transmits 1PPS+ASCII time signals, the two SMB ports must both input or both output these signals. If BITS2 transmits clock signals, the CLK/1PPS port must always input signals and the CLK/Serial port must always output signals.
Step 3 Run:
ptp clock-source { bits0 | bits1 | bits2 } { on | off }
BITS signals are configured to participate or not participate in the BMC calculation.
Step 4 (Optional) Run:
Set the SSM level of the BITS clock source.
NOTE
The BITS signal input port must be the CLK port on the active system control board. If the system control boards undergo an active/standby switchover, switch the BITS signal input port to the CLK port on the new active system control board.
Step 5 Run:
clock source { bits0 | ptp } priority priority-value
The priority of the clock reference source is set.
----End

10.6.3 Configuring Attributes for the 1588v2 Time Source
This topic describes how to configure attributes for the 1588v2 time source, including how to configure attributes for a local time source and how to advertise time signals to downstream nodes through 1588v2 messages.
Context
Perform the following steps on the device:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp clock-source { local [ slot slot-id ] | bits0 | bits1 | bits2 } time-source time-source-value
The type of the time source to be traced is configured.
NOTE
The time-source attribute can be configured only on the grandmaster clock. The external time source to which the router connects should be configured with the corresponding parameters. The mapping between time-source-value and the external time source is described in the Command Reference.
Step 3 Run:
ptp clock-source { local [ slot slot-id ] | bits0 | bits1 | bits2 } clock-accuracy clock-accuracy-value
The clock accuracy of the time source is configured.
Step 4 Run:
ptp clock-source { local [ slot slot-id ] | bits0 | bits1 | bits2 } clock-class clock-class-value
The class of the time source is configured.
NOTE
When clock-class-value is smaller than 128, the device cannot be used as a slave clock.
Step 5 Run:
ptp clock-source { local [ slot slot-id ] | bits0 | bits1 | bits2 } priority1 priority1-value
The value of priority1 of the time source is set.
Step 6 Run:
ptp clock-source { local [ slot slot-id ] | bits0 | bits1 | bits2 } priority2 priority2-value
The value of priority2 of the time source is set.
Step 7 (Optional) Run:
ptp clock-source { bits0 | bits1 | bits2 } { receive-delay receive-delay-time | send-delay send-delay-time } [ slot slot-id ]
The delay for receiving or sending time source signals is set.
----End

10.6.4 Checking the Configurations
After the 1588v2 clock source is imported and the related configurations are complete, you can run the display ptp all command to check whether the configurations of the clock source take effect and are correct.
Prerequisites
The 1588v2 time source has been configured.
Procedure
- Run the display clock source command to check time information about the BITS clock source that the device traces.
----End
Example
When the NE40E traces a BITS clock source successfully, run the display clock source command on the device to view the time information obtained from the clock source.
System trace source State: lock mode into pull-in range
Current system trace source: bits0
Current 2M-1 trace source: Ethernet1/0/0
Current 2M-2 trace source: Ethernet1/0/0
Frequency lock success: yes
Master board source   Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                 3 /---/---          prc     ssua     normal
bits1                 3 /---/---          prc     ssua     abnormal
Ethernet2/0/0         2 /1  /1            ssub    -        normal
Ethernet1/0/0         1 /1  /1            ssua    -        normal
Run the display ptp all command to view the 1588v2 configuration and BMC operating status on the device. The 1588v2 configuration includes the following time source configurations:
- Priority
- Accuracy
- Class
- Type of the time source
- Input signals of the clock
<OC1> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled           Domain value       :0
Slave only         :no                Device type        :OC
Set port state     :no                Local clock ID     :00e0fcfffea4b000
Acl                :no                Virtual clock ID   :no
Acr                :no                Time lock success  :no
BMC run info
------------------------------------------------------------------
Source port        :bits1             Leap               :None
UTC Offset         :0                 UTC Offset Valid   :False
Clock source info
Clock   Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local   128   128   0x31      1      0xa0
bits0   1     128   0x20      6      0x20     none    on      -/normal
bits1   100   128   0x20      6      0x20     1pps    on      in/normal
bits2   128   128   0x20      6      0x20     none    off     -/abnormal

10.7 Configuring 1588 ACR
In a 1588 ACR domain, a client initiates a negotiation request and exchanges Layer 3 unicast packets with the server to set up a connection. The client then exchanges 1588v2 packets with the server over the connection to recover clock information.
Context
NOTE
A 1588 ACR server cannot be configured on the X1 and X2 models of the NE80E/40E.
10.7.1 Checking the Configurations
After MP limiting parameters are configured, you can check the configurations of the parameters.
Procedure
Step 1 Run the display current-configuration interface [ interface-type [ interface-number ] ] command to check the configuration of the MP-Group interface.
----End
Example
After running the display current-configuration interface command, you can check the configurations on the MP-Group interface.
<HUAWEI> display current-configuration interface mp-group 1/0/1
#
interface Mp-group1/0/1
 mrru 1200
 ppp mp threshold 2
 ppp mp damping detect-time 32 flapping-count 32 damping-time 62
#
return

10.7.2 Configuring the Unicast Negotiation Function for a Client
The unicast negotiation function and the parameters for a connection between a client and a clock server are configured on the HUAWEI NetEngine80E/40E functioning as a 1588 ACR client.
Context
ACR (adaptive clock recovery) allows a 1588 ACR client to exchange 1588v2 packets with a clock server over a link on which a 1588v2-incapable device resides. After receiving 1588v2 packets, the client uses the clock information carried in the packets to recover the clock.
1588 ACR and 1588v2 (which implements hop-by-hop clock synchronization) are mutually exclusive. If 1588 ACR is enabled on a 1588v2-capable device, the 1588v2 configurations on the device no longer take effect. Before enabling 1588 ACR, first disable IEEE 1588v2. After 1588 ACR is enabled, configurations related to IEEE 1588v2 are deleted automatically.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp-adaptive enable
1588 ACR is enabled.
Step 3 Run:
ptp-adaptive device-type client
The 1588 ACR clock working mode is set to client.
Step 4 (Optional) Run:
ptp-adaptive frequency profile
The 1588 ACR-enabled device is configured to comply fully with ITU-T G.8265.1. By default, a 1588 ACR-enabled device complies with ITU-T G.8265.1 only partially. After the ptp-adaptive frequency profile command is run, the default domain value changes to 4 and the domain value range changes to 4-23.
Step 5 (Optional) Run:
ptp-adaptive domain domain-value
A 1588 ACR domain is configured.
NOTE
The client and clock server, which exchange 1588v2 packets for clock or time synchronization, must be in the same 1588 ACR clock domain.

Step 6 Run:
ptp-adaptive local-ip ip-address
An IP address is assigned to the client. The client uses this address to initiate a request for negotiation and to send Layer 3 unicast packets.

The clock server's and client's IP addresses uniquely identify a 1588 ACR connection, which is set up by exchanging Layer 3 unicast packets between the client and the clock server during negotiation. Configuring a loopback address, rather than the IP address of the device's management network port, as the client's IP address is recommended; this helps the clock server direct packets to the client.

If a client and a clock server are connected over a VPN, the VPN instance name carried in 1588v2 packets must be specified on both the client and the clock server after IP addresses are configured for them.

Step 7 (Optional) Run:
ptp-adaptive forward-mode centralized
The HUAWEI NetEngine80E/40E is configured to work in centralized ACR client mode.

NOTE
The X1 and X2 models of the NE40E switch between centralized ACR client mode and distributed ACR client mode automatically, so you do not need to run this command on them.
To use the centralized ACR client mode, at least one of the following types of interface board must be installed: LPUI-21-L, LPUF-50, LPUF-51, LPUI-51, LPUS-51, LPUF-101, LPUI-101, LPUS-101, LPUF-120, LPUI-120, LPUF-240, or LPUI-240.

Step 8 (Optional) Run:
ptp-adaptive vpn-instance instance-name
The VPN instance name carried in 1588v2 packets is specified. It identifies the VPN instance bound to the client's loopback interface.

Step 9 Run:
ptp-adaptive { remote-server1-ip | remote-server2-ip } ip-address
The remote clock server list is configured.
If multiple clock servers exist on a network, the HUAWEI NetEngine80E/40E, functioning as a client, tracks its clock server based on the clock server's IP address. Running this command twice specifies the master and slave clock servers.

If two clock servers are configured, the client initiates a request for a connection to one clock server. If the connection fails to be established or the established connection is closed, the client initiates a request for a connection to the other clock server. If that connection also fails, the client re-initiates a request for a connection to the first clock server. The procedure repeats until a connection is created.

Step 10 Run:
ptp-adaptive acr [ one-way | two-way ] unicast-negotiate enable
1588 ACR unicast negotiation is enabled on the HUAWEI NetEngine80E/40E and the frequency recovery mode is configured. By default, the frequency recovery mode is one-way.

Step 11 (Optional) Run:
ptp-adaptive clockclass-ssm mapping
Automatic clock source selection based on the Best Master Clock Algorithm (BMCA) is enabled on the 1588 ACR client. By default, a 1588 ACR client cannot select the clock source automatically based on the BMCA.

When a router functions as a 1588 ACR client and is connected to two remote clock servers, you can run the ptp-adaptive clockclass-ssm mapping command to enable the router to automatically select a clock server that meets the clock class requirement, trace that clock server to recover clock information, and send the recovered clock information to devices on a downstream network or to base stations through an SDH network or synchronous Ethernet.
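The client procedure above can be turned into a checked command builder. The following Python is an added example, not Huawei's code and not from the guide: it emits the Step 1 to Step 11 command strings exactly as the procedure names them, enforces the constraints the procedure states (the 4-23 domain range once ptp-adaptive frequency profile is used, at most two remote servers, one-way or two-way ACR mode) and models the alternating server retry order described under Step 9. The IP addresses and the per-attempt success/failure sequence passed to server_retry_order are constructed sample values.

```python
"""Build and sanity-check a 1588 ACR client command sequence (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Optional


@dataclass
class AcrClientParams:
    local_ip: str                    # loopback address, as the guide recommends
    servers: List[str]               # one or two remote clock servers (Step 9)
    frequency_profile: bool = False  # full ITU-T G.8265.1 compliance (Step 4)
    domain: Optional[int] = None     # None keeps the device default (Step 5)
    vpn_instance: Optional[str] = None   # Step 8
    centralized: bool = False        # ptp-adaptive forward-mode centralized (Step 7)
    acr_mode: str = "one-way"        # one-way (default) or two-way (Step 10)
    bmca_select: bool = False        # ptp-adaptive clockclass-ssm mapping (Step 11)


def build_acr_client_commands(p: AcrClientParams) -> List[str]:
    """Return the command sequence for Steps 1-11 after validating the inputs."""
    if not 1 <= len(p.servers) <= 2:
        raise ValueError("a client tracks one or two remote clock servers")
    for ip in (p.local_ip, *p.servers):
        IPv4Address(ip)  # raises ValueError on a malformed address
    if p.acr_mode not in ("one-way", "two-way"):
        raise ValueError("acr mode must be one-way or two-way")
    if p.frequency_profile and p.domain is not None and not 4 <= p.domain <= 23:
        # The guide: after 'ptp-adaptive frequency profile' the domain range is 4-23.
        raise ValueError("with frequency profile the domain value must be 4-23")

    cmds = ["system-view", "ptp-adaptive enable", "ptp-adaptive device-type client"]
    if p.frequency_profile:
        cmds.append("ptp-adaptive frequency profile")
    if p.domain is not None:
        cmds.append(f"ptp-adaptive domain {p.domain}")
    cmds.append(f"ptp-adaptive local-ip {p.local_ip}")
    if p.centralized:
        cmds.append("ptp-adaptive forward-mode centralized")
    if p.vpn_instance:
        cmds.append(f"ptp-adaptive vpn-instance {p.vpn_instance}")
    for i, ip in enumerate(p.servers, start=1):
        cmds.append(f"ptp-adaptive remote-server{i}-ip {ip}")
    cmds.append(f"ptp-adaptive acr {p.acr_mode} unicast-negotiate enable")
    if p.bmca_select:
        cmds.append("ptp-adaptive clockclass-ssm mapping")
    return cmds


def rejects(p: AcrClientParams) -> bool:
    """True when the builder refuses a parameter set."""
    try:
        build_acr_client_commands(p)
    except ValueError:
        return True
    return False


def server_retry_order(servers: List[str], outcomes: Iterable[bool]) -> List[str]:
    """Model Step 9: try server1, on failure try server2, then server1 again,
    until an attempt succeeds. 'outcomes' is a constructed sequence of
    per-attempt results (True = connection established)."""
    attempts: List[str] = []
    for n, ok in enumerate(outcomes):
        target = servers[n % len(servers)]
        attempts.append(target)
        if ok:
            break
    return attempts


if __name__ == "__main__":
    params = AcrClientParams(local_ip="2.2.2.240", servers=["1.1.1.1", "2.2.2.2"],
                             frequency_profile=True, domain=4, bmca_select=True)
    print("\n".join(build_acr_client_commands(params)))
    print(server_retry_order(params.servers, [False, False, False, True]))
```

The builder only checks what the guide states; it does not know the domain range that applies without the frequency profile, so it leaves that value unchecked.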
----End

10.7.3 Configuring the Unicast Negotiation Function for a Server

The unicast negotiation function and parameters for a connection between a client and a clock server are configured on the HUAWEI NetEngine80E/40E functioning as a 1588 ACR clock server.

Context

ACR, which is an adaptive clock recovery technology, allows a 1588 ACR client to exchange 1588v2 packets with a clock server over a link on which a 1588v2-incapable device resides. After receiving 1588v2 packets, the client uses the clock information carried in the packets to restore clock information.

1588 ACR and 1588v2 (which implements hop-by-hop clock synchronization) are mutually exclusive. If 1588 ACR is enabled on a 1588v2-capable device, the 1588v2 configurations on the device no longer take effect.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ptp-adaptive enable
1588 ACR is enabled.

Step 3 Run:
ptp-adaptive device-type server
The 1588 ACR clock working mode is set to server.

Step 4 (Optional) Run:
ptp-adaptive frequency profile
The 1588 ACR-enabled device is configured to comply fully with ITU-T G.8265.1. By default, a 1588 ACR-enabled device complies with ITU-T G.8265.1 partially. After the ptp-adaptive frequency profile command is run, the default domain value changes to 4 and the domain value range changes to 4-23.

Step 5 (Optional) Run:
ptp-adaptive domain domain-value
A 1588 ACR domain is configured.

NOTE
The client and clock server, which exchange 1588v2 packets for clock synchronization, must be in the same 1588v2 clock domain.

Step 6 Run:
ptp-adaptive local-ip ip-address
An IP address is assigned to the clock server.
The clock server's and client's IP addresses uniquely identify a 1588 ACR connection, which is set up by exchanging Layer 3 unicast packets between the client and the clock server during negotiation. Configuring a loopback address as the server's IP address is recommended; this helps the clock server direct packets to the client.

If a client and a clock server are connected over a VPN, the VPN instance name carried in 1588v2 packets must be specified on both the client and the clock server after IP addresses are configured for them.

Step 7 (Optional) Run:
ptp-adaptive vpn-instance instance-name
The VPN instance name carried in 1588v2 packets is specified. It identifies the VPN instance bound to the server's loopback interface.

Step 8 Run:
ptp-adaptive acr unicast-negotiate enable
1588 ACR unicast negotiation is configured on the HUAWEI NetEngine80E/40E.

----End

10.7.4 (Optional) Adjusting Parameters for Establishing a Unicast Negotiation Connection

Adjustable parameters include:
- the maximum number of consecutive Announce packets that the client fails to receive (if the number of unreceived Announce packets exceeds the threshold, the client determines that the connection to the server has failed)
- the duration of the Sync, Delay_Resp, and Announce packets (after the duration of a Sync, Delay_Resp, or Announce packet expires, the client re-establishes the connection with the server)
- the DSCP value (the DSCP value ensures that 1588v2 packets reach the destination even if congestion occurs on the network)
- the interval at which the server sends Sync, Delay_Resp, and Announce packets

Context

Adjustable parameters on a client are as follows:
1. The maximum number of consecutive Delay_Resp packets that the client fails to receive
2. Duration field values in Sync, Delay_Resp and Announce packets
3. DSCP value for 1588 ACR packets
4. Interval at which Sync, Delay_Resp and Announce packets are sent

Adjustable parameters on a clock server are as follows:
1. DSCP value for 1588 ACR packets

Procedure

Step 1 Run:
ptp-adaptive dscp priority-value
The DSCP value in 1588 ACR packets is set. Set a large DSCP value to ensure that 1588v2 packets reach the destination even if congestion occurs on the network. This value is adjustable on both the client and the clock server.

Step 2 Run:
ptp-adaptive { announce-duration | sync-duration | delay-resp-duration } duration-value
The duration field value is set for each type of 1588 ACR packet. If a set duration expires, the client re-initiates a request for a connection to a clock server. The default value is recommended. By default, the duration value in all 1588v2 packets is 300 seconds.

Step 3 Run:
ptp-adaptive request sync-interval sync-interval
The interval at which an ACR clock server sends Sync packets is set. By default, the interval is 8/1024 seconds.

Step 4 Run:
ptp-adaptive request announce-interval announce-interval
The interval at which an ACR clock server sends Announce packets is set. By default, the interval at which Sync packets are sent is 2 seconds.

Step 5 Run:
ptp-adaptive request delay-resp-interval delay-resp-interval
The interval at which the 1588 ACR-enabled server sends Delay_Resp packets is set. By default, the interval at which the 1588 ACR-enabled server sends Delay_Resp packets is 3 (8/1024s).

Step 6 Run:
ptp-adaptive announce receipt-timeout receipt-timeout
The allowable maximum number of consecutive Announce packets that the client fails to receive is set.
By default, the allowable maximum number of consecutive Announce packets that the client fails to receive is 3.

----End

10.7.5 Checking the Configurations

This section describes how to check 1588 ACR configurations on the router serving as a client or server.

Procedure

- When the router functions as a client:
  1. Run the display ptp-adaptive all command to check all 1588 ACR configurations on the client.
  2. Run the display ptp-adaptive server [ server-id ] command to check 1588 ACR configurations on the server.
- When the router functions as a server:
  1. Run the display ptp-adaptive all command to check all 1588 ACR configurations on the server.
  2. Run the display ptp-adaptive { all | client [ client-id ] } command to check 1588 ACR configurations on the client.

----End

Example

# Display the current 1588 ACR configurations on the client.

- If the ptp-adaptive frequency profile command is run, the display ptp-adaptive all command output is as follows:

<HUAWEI> display ptp-adaptive all
Device config info
--------------------------------------------------------------------------
Ptp adaptive state      : enable          Device type          : client
Sync mode               : frequency       Current state        : slave
Packet dscp             : 56              Domain value         : 4
Announce interval       : 12              Announce duration    : 300s
Sync interval           : 4               Sync duration        : 300s
Delay_resp interval     : 6               Delay_resp duration  : 400s
Announce receipt timeout: 3               Acr mode             : one-way
Local ip                : 2.2.2.240       Client board         : NA
Clockclass-ssm mapping  : enable          Forward mode         : distributed
Ptp port name           : GigabitEthernet8/1/7
Frequency profile       : yes
BMCA run info
-----------------------------------------------------------------------
Current trace source    : server1         Frequency lock success: yes
Time performance statistics(ns)
-----------------------------------------------------------------------
Realtime(T2-T1) :23281     Max(T2-T1) :26277     Min(T2-T1) :21853
Remote server info
--------------------------------------------------------------------------
          Ip address   Negotiate state   SSM   Priority   PTSF
Server1:  1.1.1.1      success           prc   1          normal
Server2:  2.2.2.2      error (reason:announce grant timeout)

- If the ptp-adaptive frequency profile command is not run, the display ptp-adaptive all command output is as follows:

<HUAWEI> display ptp-adaptive all
Device config info
--------------------------------------------------------------------------
Ptp adaptive state      : enable          Device type          : client
Sync mode               : frequency       Current state        : slave
Packet dscp             : 56              Domain value         : 0
Announce interval       : 12              Announce duration    : 300s
Sync interval           : 4               Sync duration        : 300s
Delay_resp interval     : 6               Delay_resp duration  : 300s
Announce receipt timeout: 3               Acr mode             : one-way
Local ip                : 2.2.2.240       Client board         : NA
Clockclass-ssm mapping  : enable          Forward mode         : distributed
Ptp port name           : GigabitEthernet8/1/7
Ptp port name           : none
Frequency profile       : no
BMCA run info
--------------------------------------------------------------------------
Current trace source    : local           Frequency lock success: no
Remote server info
--------------------------------------------------------------------------
Current negotiate server: 1
          Ip address   Negotiate state
Server1:  1.1.1.1      Nego init
Server2:

# Display configurations of the clock server 1 on the client.
<HUAWEI> display ptp-adaptive server 1
Server id      : 1                   Ip address      : 1.1.1.1
Clock id       : 001882fffe43552f    Time source     : 0x10
Priority1      : 128                 Priority2       : 128
Clock class    : 84                  Clock accuracy  : 0x22
Recv Packet Statistics
--------------------------------------------------------------------------
Signalling :22       Announce :2737       Sync :2743       Delay_resp :0
Send Packet Statistics
--------------------------------------------------------------------------
Signalling :52       Delay_req :0
Discard Packet Statistics
--------------------------------------------------------------------------
Signalling :0        Announce :0          Sync :0          Delay_resp :0

# Display the current 1588 ACR configurations on the server.

<HUAWEI> display ptp-adaptive all
Device config info
--------------------------------------------------------------------------
Ptp adaptive state : enable        Device type    : server
Sync mode          : frequency     Current state  : master
Packet dscp        : 56            Domain value   : 0
Local ip           : 1.1.1.1       Server board   : 3
Frequency profile  : no            Active status  : active
VPN                : none
Client info
ID  Ip Address  Clock ID          Mode     Announce  Sync  Delay_resp
--------------------------------------------------------------------------
1   0   2.2.2.2   001882fffed48301   one-way   1   -7   none

# Display configurations of client 0 on the server.
<HUAWEI> display ptp-adaptive client 0
Client id            : 0               Ip address            : 2.2.2.2
Clock id             : 001882fffed48301
Mode                 : one-way
Announce interval    : 1               Announce duration     : 300s
Sync interval        : -7              Sync duration         : 300s
Delay_resp interval  : none            Delay_resp duration   : none
Recv Packet Statistics
--------------------------------------------------------------------------
Signalling :2        Delay_req :1
Send Packet Statistics
--------------------------------------------------------------------------
Signalling :2        Announce :50        Sync :13086        Delay_resp :1
Discard Packet Statistics
--------------------------------------------------------------------------
Signalling :0        Delay_req :0

10.8 Maintaining 1588v2

This section describes how to maintain 1588v2, including clearing 1588v2 statistics and monitoring the operating status of 1588v2.

10.8.1 Clearing 1588v2 Statistics

You can run the reset ptp statistics command to clear the 1588v2 statistics.

Context

NOTICE
Statistics cannot be restored after being cleared. Confirm the action before you run the command.

After confirming that the 1588v2 statistics need to be cleared, run the following command in the user view.

Procedure

Step 1 Run:
reset ptp statistics { all | interface interface-type interface-number }
The counter of sent and received 1588v2 packets on the interface is reset, which clears the 1588v2 packet statistics.

----End

10.8.2 Monitoring 1588v2

You can run the display ptp command to view the operating status of 1588v2, including the current operation mode of the device, the clock synchronization status, the clock source ID, and the input interface of clock signals.

Context

In routine maintenance, you can run the following command in any view to view the operating status of 1588v2.
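As an added example of the routine check described here (not Huawei's code, and not output taken from a device), the following Python parses display ptp all output and reports clock-source problems that a maintainer would want to act on. The sample text is constructed from the master-clock output shown in this chapter; the layout assumptions (two "key :value" pairs per line, the column order of the Clock source info table) come from that output, and the health rules (the BMC source port must be switched on and normal, and no switched-on source may report abnormal) are the example's own reading of the Switch and In-Status columns.

```python
"""Parse 'display ptp all' output and flag clock-source problems (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed from the master-clock output in this chapter; not captured from a device.
SAMPLE_MASTER = """\
<HUAWEI> display ptp all
Device config info
-----------------------------------------------------------------
PTP state          :enabled         Domain value       :1
Slave only         :no              Device type        :BC
Set port state     :no              Local clock ID     :00e0fcfffea4b000
Acl                :no              Virtual clock ID   :no
Acr                :no              Time lock success  :no
BMC run info
-----------------------------------------------------------------
Source port        :bits1           Leap               :None
UTC Offset         :0               UTC Offset Valid   :False
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
-----------------------------------------------------------------------
local  128   128   0x31      1      0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  100   128   0x20      6      0x20     1pps    on      in/normal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
"""

# One "Key words :value" pair; keys may contain spaces, values have none.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9_ ]*?)\s*:\s*(\S+)")
# Column order of the Clock source info table; 'local' rows have only the first five.
SOURCE_COLS = ("pri1", "pri2", "accuracy", "class", "timesrc",
               "signal", "switch", "dir_status")


def parse_display_ptp(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (key/value fields, clock sources keyed by name)."""
    fields: Dict[str, str] = {}
    sources: Dict[str, Dict[str, str]] = {}
    in_sources = False
    for line in text.splitlines():
        if line.startswith("Clock source info"):
            in_sources = True
            continue
        if in_sources:
            tokens = line.split()
            if not tokens or tokens[0] == "Clock" or line.startswith("-"):
                continue  # column header or rule line
            sources[tokens[0]] = dict(zip(SOURCE_COLS, tokens[1:]))
            continue
        if line.startswith("<") or line.startswith("-"):
            continue  # command echo or rule line
        for key, value in PAIR.findall(line):
            fields[key.strip()] = value
    return fields, sources


def check_ptp(text: str) -> List[str]:
    """Return findings; an empty list means the output looks healthy."""
    fields, sources = parse_display_ptp(text)
    findings: List[str] = []
    if fields.get("PTP state") != "enabled":
        findings.append("1588v2 is not enabled")
    src = fields.get("Source port")
    if src:
        row = sources.get(src)
        if row is None:
            findings.append(f"BMC source port {src} has no clock source row")
        elif row.get("switch") != "on" or not row.get("dir_status", "").endswith("/normal"):
            findings.append(f"selected source {src} is {row.get('switch')} / {row.get('dir_status')}")
    for name, row in sources.items():
        if row.get("switch") == "on" and row.get("dir_status", "").endswith("/abnormal"):
            findings.append(f"clock source {name} is switched on but abnormal")
    return findings


if __name__ == "__main__":
    print(check_ptp(SAMPLE_MASTER) or "no findings")
```

The same key/value scan also handles the slave-clock output later in this section; only the Clock source info table needs the positional column list.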
Procedure

- Run:
display ptp { all [ config | state ] | interface interface-type interface-number }
Information about the configuration and operating status of 1588v2 is displayed.

----End

Example

# Display the status and statistics of all the modules related to 1588v2 on the current device.

- The slave clock

<HUAWEI> display ptp all
Device config info
-----------------------------------------------------------------
PTP state          :enabled         Domain value       :1
Slave only         :no              Device type        :BC
Set port state     :no              Local clock ID     :000a0bfffe0c0d42
Acl                :no              Virtual clock ID   :no
Acr                :no              Time lock success  :no
BMC run info
-----------------------------------------------------------------
Grand clock ID     :000a0bfffe0c0dd4    Receive number     :GigabitEthernet1/0/0
Parent clock ID    :000a0bfffe0c0dd4    Parent portnumber  :6417
Priority1          :128                 Priority2          :128
Step removed       :1                   Clock accuracy     :49
Clock class        :187                 Time Source        :160
UTC Offset         :0                   UTC Offset Valid   :False
Time Scale         :ARB                 Time Traceable     :False
Leap               :None                Frequence Traceable:False
Port info
Name                   State   Delay-mech  Ann-timeout  Type  Domain
-----------------------------------------------------------------------
GigabitEthernet1/0/0   slave   delay       10           BC    1
Time Performance Statistics(ns): Slot 1 Card 0 Port 0
-----------------------------------------------------------------------
Realtime(T2-T1) :534          Pathdelay  :0
Max(T2-T1)      :887704804    Min(T2-T1) :512
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
-----------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal

- The master clock

<HUAWEI> display ptp all
Device config info
-----------------------------------------------------------------
PTP state          :enabled         Domain value       :1
Slave only         :no              Device type        :BC
Set port state     :no              Local clock ID     :00e0fcfffea4b000
Acl                :no              Virtual clock ID   :no
Acr                :no              Time lock success  :no
BMC run info
-----------------------------------------------------------------
Source port        :bits1           Leap               :None
UTC Offset         :0               UTC Offset Valid   :False
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
-----------------------------------------------------------------------
local  128   128   0x31      1      0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  100   128   0x20      6      0x20     1pps    on      in/normal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal

# Display configurations of GE 1/0/1.
<HUAWEI> display ptp interface Gigabitethernet 1/0/1
Port State         :slave              Port Number        :8451
Announce-interval  :10
Grand clock ID     :001882fffe771111   Receive number     :GigabitEthernet1/0/1
Parent clock ID    :000a0bfffe0c0dd4   Parent portnumber  :1
Priority1          :128                Priority2          :128
Step removed       :0                  Clock accuracy     :34
Clock class        :6                  Time Source        :16
UTC Offset         :0                  UTC Offset Valid   :False
Time Scale         :PTP                Time Traceable     :False
Leap               :59                 Frequence Traceable:False
Recv Packet Statistics
----------------------------------------------------------------------
Announce  :2288      Sync       :14933
Req       :0         Resp       :0
Followup  :0         Pdelay_resp_followup :0
Send Packet Statistics
----------------------------------------------------------------------
Announce  :0         Sync       :1
Req       :0         Resp       :0
Followup  :0         Pdelay_resp_followup :0
Discard Packet Statistics
----------------------------------------------------------------------
Announce  :0         Sync       :1183
Delayreq  :0         Pdelayreq  :0
Resp      :0         Pdelayresp :0
Followup  :0         Pdelay_resp_followup :0

Table 10-3 Description of the display ptp command output
Item                Description
PTP state           Whether 1588v2 is enabled
Domain value        Value of the 1588v2 domain where the clock resides
Slave only          Whether the slave-only mode is adopted
Device-type         1588v2 device type
Static BMC          Whether the static Best Master Clock (BMC) algorithm is used
Local clock ID      Clock ID of the local clock
Grand clock ID      Clock ID of the grandmaster clock
Receive number      Signal input interface of the clock source
Parent clock ID     Clock ID of the parent clock
Parent portnumber   Signal output interface of the parent clock
Pri1                Priority1 of the clock source
Pri2                Priority2 of the clock source
Step removed        Number of steps removed from the learnt clock source
Clock-accuracy      Accuracy of the clock source
Clock-class         Class of the clock source
Port state          Status of interfaces enabled with 1588v2
Clock source info   Configuration of the clock source

10.9 1588 ACR Maintenance

This section describes how to maintain 1588 ACR, including how to clear 1588 ACR statistics.

10.9.1 Clearing 1588 ACR Statistics

This section describes how to clear 1588 ACR statistics using the reset ptp-adaptive statistics command.

Context

NOTICE
Statistics cannot be restored after being cleared. Exercise caution when running the reset ptp-adaptive statistics command.

After you confirm that the statistics need to be cleared, run the following command in the user view.

Procedure

Step 1 Run:
reset ptp-adaptive statistics
1588 ACR statistics are cleared.

----End

10.10 Configuration Examples

This section provides several configuration examples of 1588v2.

Context

NOTE
This document takes the interface numbers and link types of the NE40E-X8 as an example. In actual deployments, the interface numbers and link types may differ from those used in this document.

10.10.1 Example for Configuring the BITS as the 1588v2 Clock Source

1588v2 is used to transmit clock signals within a network. If the clock signals within a network need to be synchronized with those of an external clock source, an external standard clock source is required.

Configuration Roadmap

As shown in Figure 10-8, the BITS is connected to an external GPS and advertises the input clock or time signals to the device named Master, which serves as the master clock of the bearer network and advertises the received clock or time signals to the devices on the bearer network.
Figure 10-8 Networking diagram of configuring the BITS as the 1588v2 clock source
[Figure residue: nodes BITS, Master, PE1, PE2, PE3, CE1, CE2 and two NodeBs; interface labels GE1/0/0, GE1/0/1 and GE1/0/2]

The configuration roadmap is as follows:
1. Connect Master to the BITS clock.
2. Configure attributes for the BITS clock.
3. Configure the BITS as the 1588v2 clock or time source.

The new MPU that supports 1588v2 provides four ports: CLK/TOD0, CLK/TOD1, CLK/1PPS, and CLK/Serial. MPUs used on the NE40E-X1, NE40E-X2 and NE40E-X3 contain only two RJ45 ports; these RJ45 ports are used in the same way as BITS0 and BITS1, which are described as follows. For figures of the interfaces on MPUs of different models, refer to the section "Panel Instruction" in the chapter "Cabinet" of the HUAWEI NetEngine80E/40E - Hardware Description.

CLK/TOD0 is called BITS0 and CLK/TOD1 is called BITS1; the CLK/1PPS and CLK/Serial ports of the SMB type are bound together as BITS2. A BITS port can transmit one type of signal at a time. Both the RJ45 port and the SMB port must be fitted with dedicated clock cables to input and output clock signals and time signals. For descriptions of clock cables, refer to the chapter "Clock Cables" in the HUAWEI NetEngine80E/40E - Hardware Description.

The following table shows the types of signals that can be transmitted through the ports.
Table 10-4 Signals input to a BITS port

Interface ID of a Clock Board: CLK/TOD0
Interface ID of Software: BITS0
Interface Type: RJ45
Types of Input Signal or Output Signal:
  Types of clock signals:
  - 2 Mbit/s clock signals
  - 2 MHz clock signals
  Types of time signals:
  - 1 pps time signals of the RS422 level and ASCII of the RS422 level
  - Two-line (one for input and the other for output) DCLS time signals

Interface ID of a Clock Board: CLK/TOD1
Interface ID of Software: BITS1
Interface Type: RJ45
Types of Input Signal or Output Signal:
  Types of clock signals:
  - 2 Mbit/s clock signals
  - 2 MHz clock signals
  Types of time signals:
  - 1 pps time signals of the RS422 level and ASCII of the RS422 level
  - Two-line (one for input and the other for output) DCLS time signals

Interface ID of a Clock Board: CLK/1PPS and CLK/Serial
Interface ID of Software: BITS2
Interface Type: SMB (two ports)
Types of Input Signal or Output Signal:
  Types of clock signals:
  - 2 Mbit/s clock signals
  - 2 MHz clock signals
  Types of time signals:
  - 1 pps time signals of the TTL level and ASCII of the RS232 level

In the preceding table:
- If the input or output signals on a BITS port are 2 Mbit/s clock signals, 2 MHz clock signals, or two-line DCLS time signals, you do not need to configure the input or output parameter, because these signals are input and output through the same port. For example, if 2 Mbit/s clock signals are transmitted through BITS0, they are both input and output through BITS0.
- If the input or output signals on a BITS port are 1 pps+ASCII time signals, you must specify the input or output parameter, because 1 pps+ASCII time signals can only be input or output at any one time.
- When BITS2 transmits 1 pps+ASCII time signals, the two SMB ports must simultaneously input or output these signals.
If BITS2 transmits clock signals, the CLK/1PPS port must always input signals and the CLK/Serial port must always output signals.

Data Preparation

To complete the configuration, you need the following data:
- BITS signal types (in this example, 2 MHz clock signals are input through BITS0, and 1 pps time signals of the RS422 level and ASCII of the RS422 level are input through BITS1)
- Attributes of the BITS time source, including the time source value, clock accuracy, clock stratum, priority 1, and priority 2
- Priority of the static clock source

Procedure

Step 1 Use clock cables to connect BITS0 to the clock signal source and BITS1 to the time signal source.

Step 2 Configure attributes for the input signals of the BITS clock.
<Master> system-view
[Master] clock bits-type bits0 2mhz
[Master] clock manual source bits0
[Master] clock bits-type bits1 1pps input
[Master] ptp clock-source bits1 on
[Master] ptp clock-source bits1 priority1 1

Step 3 Configure attributes for the BITS clock source on Master.
[Master] ptp clock-source bits1 time-source 2
NOTE
The BITS is connected to an external time source, namely GPS, so its time-source is 2.
[Master] ptp clock-source bits1 clock-accuracy 20
[Master] ptp clock-source bits1 clock-class 1
NOTE
If clock-class is set to a value smaller than 128, the clock cannot be a slave clock.
[Master] ptp clock-source bits1 priority2 2
[Master] ptp clock-source bits1 send-delay 500
[Master] ptp clock-source bits1 receive-delay 1000

Step 4 Enable basic 1588v2 functions on Master and configure the device type as OC.
<Master> system-view
[Master] ptp enable
[Master] ptp domain 1
[Master] ptp device-type oc
[Master] interface gigabitethernet 1/0/0
[Master-GigabitEthernet1/0/0] ptp delay-mechanism pdelay
[Master-GigabitEthernet1/0/0] ptp enable
[Master-GigabitEthernet1/0/0] quit

Step 5 Verify the configuration.
Run the display clock source command in any view on Master.
You can see that BITS0 is in the normal state, which means that Master has successfully received frequency signals from the BITS0 port.

<Master> display clock source
System trace source
State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Master board source     Pri(sys/2m-1/2m-2)   In-SSM   Out-SSM   State
--------------------------------------------------------------------------
bits0                   5  /---/---           unk      ssua      normal
bits1                   ---/---/---           prc      ssua      initial
bits2                   ---/---/---           prc      ssua      initial
GigabitEthernet1/0/0    3  /---/---           ssua     dnu       normal
GigabitEthernet3/1/0    3  /---/---           unk      ssua      normal
GigabitEthernet3/1/1    8  /---/---           unk      ssua      normal

Run the display clock config command in any view on Master. You can see that Master has entered lock mode, which means that the frequency of Master has traced the signal from the BITS0 port.

<Master> display clock config
Current source:      11
Workmode:            manual
SSM control:         off
Primary source:      11
Output SSM Level:    unknown
Current source step into pull-in range
Clock is in lock mode
Ethernet-synchronization enable

After the configurations, run the display ptp all state command on Master. You can view the current operating status of 1588v2.
<Master> display ptp all
Device config info
-----------------------------------------------------------------
PTP state          :enabled         Domain value       :1
Slave only         :no              Device type        :OC
Static BMC         :no              Local clock ID     :101122fffe225555
BMC run info
-----------------------------------------------------------------
Clock ID value     :101122fffe225555
Source port        :bits1
Port info
Name                   State    Delay-mech  Ann-timeout  Type  Domain
-----------------------------------------------------------------------
GigabitEthernet1/0/0   master   pdelay      9            OC    1
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
-----------------------------------------------------------------------
local  128   128   0x31      187    0xa0
bits0  6     6     0x20      187    0x20     none    off     -/abnormal
bits1  0     2     0x10      1      0x20     none    on      -/normal
bits2  6     6     0x20      187    0x20     none    off     -/abnormal
Device config info
-----------------------------------------------------------------
PTP state          :enabled         Domain value       :1
Slave only         :no              Device type        :BC
Set port state     :no              Local clock ID     :00e0fcfffea4b000
Acl                :no              Virtual clock ID   :no
Acr                :no
BMC run info
-----------------------------------------------------------------
Source port        :bits1           Leap               :None
UTC Offset         :0               UTC Offset Valid   :False
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction  In-Status
-----------------------------------------------------------------------
local  128   128   0x31      1      0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  1     2     0x20      1      0x20     1pps    on      in/normal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal

----End

Configuration Files

- Configuration file of Master
#
 Master
#
 ptp enable
 ptp device-type oc
 clock bits-type bits0 2mhz
 clock manual source bits0
 clock bits-type bits1 1pps input
 ptp clock-source bits1 on
 ptp clock-source bits1 priority1 0
 ptp clock-source bits1 time-source 20
 ptp clock-source bits1 clock-accuracy 20
 ptp clock-source bits1 clock-class 1
 ptp clock-source bits1 priority1 1
 ptp clock-source bits1 priority2 2
 ptp clock-source bits1 send-delay 500
 ptp clock-source bits1 receive-delay 1000
#
interface GigabitEthernet1/0/0
 undo shutdown
 ptp delay-mechanism pdelay
 ptp enable
#
return

10.10.2 Example for Restoring Frequency Synchronization Between an IP Clock Server and NodeBs Through 1588v2 Packets

If the devices on a bearer network do not support 1588v2, an IP clock server and NodeBs can directly exchange 1588v2 packets over the QoS-guaranteed bearer network to achieve frequency synchronization between the NodeBs.

Networking Requirements

As shown in Figure 10-9, a BITS server can generate 1588v2 packets carrying frequency information and send them to NodeBs over a QoS-guaranteed bearer network. The devices of the bearer network do not need to support 1588v2, which saves operators' investment.
In this application scenario, the bearer network devices only need to provide end-to-end Layer 3 channels with jitter within 20 ms to transparently transmit 1588v2 packets between the IP clock server and the NodeBs.

Figure 10-9 Networking diagram of restoring frequency synchronization between an IP clock server and NodeBs through 1588v2 packets
(Diagram: IP Clock Server, RouterA, RouterB, RouterC, RouterD, NodeB1 with 1588 and NodeB2 with 1588; 1588v2 packets travel end to end between the IP clock server and the NodeBs. Interfaces shown: GE1/0/0, GE2/0/0, POS6/0/0, E1/0/0.)

Configuration Roadmap

No configuration is needed because the bearer network devices do not need to support 1588v2.

10.10.3 Example for Synchronizing Frequencies Through the Integration of the 1588v2 Clock, Synchronous Ethernet Clock, and WAN Clock

Currently, only Ethernet interfaces (GE interfaces) support 1588v2 functions. Other types of interfaces on the existing network do not support the 1588v2 functions. When POS interfaces or non-1588v2-aware Ethernet interfaces are deployed on a network, integrating 1588v2 with the Ethernet and WAN clock synchronization technologies can achieve clock synchronization over the entire network in a flexible manner.

Networking Requirements

A mobile operator runs a mobile bearer network as shown in Figure 10-10. The network is configured with both POS interfaces and Ethernet interfaces. To meet the frequency synchronization requirements of wireless bearer services, each device and NodeB on the bearer network must be connected to a BITS server. The installation and maintenance are therefore costly. The operator then purchases 1588v2-aware devices and upgrades the clock synchronization network. After that, only one BITS server needs to be deployed on the bearer network, which still meets the frequency synchronization requirements of the wireless bearer services.

The clock synchronization network can be deployed as follows based on the different types of interfaces. BITS clock signals are injected into Router B and then transmitted to NodeB 2 on the right through the WAN clock, 1588v2 clock, and WAN clock in sequence, and to NodeB 1 on the left through the synchronous Ethernet clock and 1588v2 clock. 1588v2 packets are encapsulated in UDP and then transmitted to the destination nodes.

Figure 10-10 Networking diagram of synchronizing frequencies through the integration of the 1588v2 clock, synchronous Ethernet clock, and WAN clock
(Diagram: BITS connected to RouterB; RouterA, RouterB, RouterC, RouterD; NodeB1 with 1588 and NodeB2 without 1588; clock paths labelled Ethernet synchronization, WAN and 1588v2. Interfaces shown: GE1/0/0, GE2/0/0, POS6/0/0.)

  Device Name  Interface Number  IP Address
  Router A     GE1/0/0           10.0.0.2/24
  Router A     GE2/0/0           11.0.0.1/24
  Router B     GE1/0/0           10.0.0.1/24
  Router B     POS 6/0/0         12.0.0.1/24
  Router C     POS 6/0/0         12.0.0.2/24
  Router C     GE1/0/0           13.0.0.1/24
  Router D     GE1/0/0           13.0.0.2/24
  Router D     POS 6/0/0         14.0.0.1/24
  NodeB 1      -                 11.0.0.2/24
  NodeB 2      -                 14.0.0.2/24

  Device Name  Interface Number  MAC Address
  RouterC      GE1/0/0           0000-1111-cccc
  RouterD      GE1/0/0           0000-1111-dddd
  NodeB1       -                 0000-1111-b1b1

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an IP address on each interface and routes to ensure connectivity between devices.
2. Import external BITS clock signals to Router B.
3. Synchronize clock signals of Router A with those of Router B through the synchronous Ethernet clock.
4. Synchronize clock signals of Router C with those of Router B through the WAN clock.
5. Configure Router A as the BC that encapsulates 1588v2 packets in UDP and sends clock signals to NodeB 1.
6. Configure Router C as the BC that encapsulates 1588v2 packets in UDP and sends clock signals to Router D.
7. Configure Router D as the OC and synchronize clock signals of Router D with those of Router C.
8. Configure Router D to send clock signals to NodeB 2 through the WAN clock.

Data Preparation

To complete the configuration, you need the following data:

- 1588 link delay measurement mechanism: delay

Procedure

Step 1 Enable a link layer protocol and configure an IP address on each interface.
For configuration details, see "Configuration Files" in this section.

Step 2 Enable OSPF to ensure the interworking between devices.
For configuration details, see "Configuration Files" in this section.

Step 3 Import signals of the external BITS clock source to Router B.
  [RouterB] clock bits-type bits0 2mhz
  [RouterB] clock source bits0 ssm prc
  [RouterB] clock source bits0 priority 1

Step 4 Synchronize clock signals of Router A with those of Router B through the synchronous Ethernet clock.
# Enable Ethernet clock synchronization on Router B.
  [RouterB] clock ethernet-synchronization enable
  [RouterB] interface GigabitEthernet 1/0/0
  [RouterB-GigabitEthernet1/0/0] clock synchronization enable
  [RouterB-GigabitEthernet1/0/0] clock priority 2
# Enable Ethernet clock synchronization on Router A.
  [RouterA] clock ethernet-synchronization enable
  [RouterA] interface GigabitEthernet 1/0/0
  [RouterA-GigabitEthernet1/0/0] clock synchronization enable
  [RouterA-GigabitEthernet1/0/0] clock priority 2

Step 5 Synchronize clock signals of Router C with those of Router B through the WAN clock.
# Configure POS 6/0/0 of Router B as the master interface.
  [RouterB] interface POS 6/0/0
  [RouterB-POS 6/0/0] clock master
# Configure POS 6/0/0 of Router C as the slave interface.
  [RouterC] interface POS 6/0/0
  [RouterC-POS 6/0/0] clock slave
  [RouterC-POS 6/0/0] quit

Step 6 Configure Router A as the BC that encapsulates 1588v2 packets in UDP and sends clock signals to NodeB 1.
  [RouterA] ptp enable
  [RouterA] ptp device-type bc
  [RouterA] ptp clock-source local priority1 0
  [RouterA] interface gigabitethernet 2/0/0
  [RouterA-GigabitEthernet2/0/0] ptp enable
  [RouterA-GigabitEthernet2/0/0] ptp udp-egress source-ip 11.0.0.1 destination-ip 11.0.0.2
  [RouterA-GigabitEthernet2/0/0] ptp udp-egress destination-mac 0000-1111-b1b1
  [RouterA-GigabitEthernet2/0/0] quit
# Enable NodeB 1 to receive 1588v2 packets from Router A.
For configuration details, see "Configuration Files" in this section.

Step 7 Configure Router C as the BC that encapsulates 1588v2 packets in UDP and sends clock signals to Router D.
  <RouterC> system-view
  [RouterC] ptp enable
  [RouterC] ptp device-type bc
  [RouterC] ptp clock-source local priority1 0
  [RouterC] interface ethernet 1/0/0
  [RouterC-Ethernet1/0/0] ptp enable
  [RouterC-Ethernet1/0/0] ptp udp-egress source-ip 13.0.0.1 destination-ip 13.0.0.2
  [RouterC-Ethernet1/0/0] ptp udp-egress destination-mac 0000-1111-dddd
  [RouterC-Ethernet1/0/0] quit

Step 8 Configure Router D as the OC and synchronize clock signals of Router D with those of Router C through 1588v2 packets.
  [RouterD] ptp enable
  [RouterD] ptp device-type oc
  [RouterD] ptp clock-source local priority1 128
  [RouterD] clock manual source ptp
  [RouterD] interface gigabitethernet 1/0/0
  [RouterD-GigabitEthernet1/0/0] ptp enable
  [RouterD-GigabitEthernet1/0/0] ptp udp-egress source-ip 13.0.0.2 destination-ip 13.0.0.1
  [RouterD-GigabitEthernet1/0/0] ptp udp-egress destination-mac 0000-1111-cccc
  [RouterD-GigabitEthernet1/0/0] quit

Step 9 Configure Router D to send clock signals to NodeB 2 through the WAN clock.
# Configure POS 6/0/0 of Router D as the master interface.
  [RouterD] interface POS 6/0/0
  [RouterD-POS 6/0/0] clock master
# Configure NodeB 2 as the slave interface.
For configuration details, see "Configuration Files" in this section.

----End

Configuration Files

- Configuration file of Router A

  #
  sysname RouterA
  #
  clock ethernet-synchronization enable
  interface GigabitEthernet 1/0/0
   clock synchronization enable
   clock priority 2
  ptp clock-source local priority1 0
  ptp enable
  ptp device-type bc
  interface gigabitethernet 2/0/0
   ptp enable
   ptp udp-egress source-ip 11.0.0.1 destination-ip 11.0.0.2
   ptp udp-egress destination-mac 0000-1111-b1b1
  #

- Configuration file of Router B

  #
  sysname RouterB
  #
  clock bits-type bits0 2mhz
  clock source bits0 ssm prc
  clock source bits0 priority 1
  clock ethernet-synchronization enable
  interface GigabitEthernet 1/0/0
   clock synchronization enable
   clock priority 2
  interface POS 6/0/0
   clock master
  #

- Configuration file of Router C

  #
  sysname Router C
  #
  ptp enable
  ptp device-type bc
  ptp clock-source local priority1 0
  clock manual source ptp
  interface POS 6/0/0
   clock slave
  interface ethernet 1/0/0
   ptp enable
   ptp udp-egress source-ip 13.0.0.1 destination-ip 13.0.0.2
   ptp udp-egress destination-mac 0000-1111-dddd
  #

- Configuration file of Router D

  #
  sysname Router D
  #
  ptp enable
  ptp device-type oc
  ptp clock-source local priority1 128
  clock manual source ptp
  interface gigabitethernet 1/0/0
   undo shutdown
   ptp enable
   ptp udp-egress source-ip 13.0.0.2 destination-ip 13.0.0.1
   ptp udp-egress destination-mac 0000-1111-cccc
  interface POS 6/0/0
   clock master
  #

10.10.4 Checking the Configurations

After MP limiting parameters are configured, you can check the configurations of the parameters.

Procedure

Step 1 Run the display current-configuration interface [ interface-type [ interface-number ] ] command to check the configuration of the MP-Group interface.

----End

Example

After running the display current-configuration interface command, you can check the configurations on the MP-Group interface.
  <HUAWEI> display current-configuration interface mp-group 1/0/1
  #
  interface Mp-group1/0/1
   mrru 1200
   ppp mp threshold 2
   ppp mp damping detect-time 32 flapping-count 32 damping-time 62
  #
  return

10.10.5 Example for Configuring Clock Synchronization of an Entire Network Through Multicast MAC-Encapsulated 1588v2 Packets

Serving as a clock synchronization protocol, 1588v2 can transmit the frequency and time signals of BITS servers across an entire network, which achieves clock synchronization between the wireless bearer network and the wireless access network. By default, NE80E/40Es encapsulate 1588v2 packets in multicast MAC mode. For NodeBs that support multicast MAC-encapsulated 1588v2 packets, you can configure all clocks of an entire network as BCs to simplify the operation of clock synchronization on the entire network.

Networking Requirements

As shown in Figure 10-11, PE1 and PE2 are core devices on a bearer network, and CE1 and CE2 are edge devices on a wireless access network. PE1 and PE2, functioning as the external BITS clock sources for BCs, advertise clock and time information to CE1 and CE2. CE1 and CE2, functioning as BCs, synchronize clock signals with the BITS through 1588v2 and send 1588v2 packets carrying the frequency and time information to their attached NodeBs. In addition, CE2 can send E1 signals carrying frequency information to the non-1588v2-aware NodeB 2 to restore frequency synchronization.

Figure 10-11 Networking diagram of configuring clock synchronization of an entire network through multicast MAC-encapsulated 1588v2 packets
(Diagram: a BITS is connected to each of PE1 and PE2; PE1 and PE2 are linked over POS6/0/0; CE1 attaches to PE1 and CE2 attaches to PE2 over GE1/0/1; CE1 GE1/0/0 serves NodeB1 with 1588v2; CE2 GE1/0/0 serves NodeB3 with 1588v2 and an E1 link serves NodeB2 without 1588v2.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Add PE1, PE2, CE1, and CE2 to a VLAN.
2. Connect PE1 and PE2 to BITS clock sources.
3. Configure PE1, PE2, CE1, and CE2 as BCs.

NOTE
1588v2 packets are encapsulated in the default multicast MAC mode.

Data Preparation

To complete the configuration, you need the following data:

- ID of the 1588v2 domain to which the devices belong
- Interval for sending Announce messages and timeout period for receiving Announce messages
- Interval for sending Sync messages
- Interval for sending Delay messages
- MAC address of each NodeB

Procedure

Step 1 Configure PE1 and PE2 so that they can import BITS clock signals through their clock interfaces.
For the detailed configurations, see the section Example for Configuring the BITS as the PTP Clock Source.

Step 2 Configure PE1 and PE2 as BCs.
# Configure PE1.
  [PE1] ptp enable
  [PE1] ptp device-type bc
  [PE1] ptp domain 1
  [PE1] ptp clock-source local priority1 128
  [PE1] interface gigabitethernet 1/0/0
  [PE1-GigabitEthernet1/0/0] ptp enable
  [PE1-GigabitEthernet1/0/0] quit
# Configure PE2.
  <PE2> system-view
  [PE2] ptp enable
  [PE2] ptp device-type bc
  [PE2] ptp domain 1
  [PE2] ptp clock-source local priority1 128
  [PE2] interface gigabitethernet 1/0/0
  [PE2-GigabitEthernet1/0/0] ptp enable
  [PE2-GigabitEthernet1/0/0] quit

Step 3 Configure CE1 and CE2 as BCs so that they synchronize the clock and time information with PE1 and PE2 and advertise the information to NodeB 1 and NodeB 3.
# Configure CE1.
  [CE1] ptp enable
  [CE1] ptp device-type bc
  [CE1] ptp domain 1
  [CE1] ptp clock-source local priority1 128
  [CE1] clock manual source ptp
  [CE1] interface gigabitethernet 1/0/0
  [CE1-GigabitEthernet1/0/0] ptp enable
  [CE1-GigabitEthernet1/0/0] quit
  [CE1] interface gigabitethernet 1/0/1
  [CE1-GigabitEthernet1/0/1] ptp enable
  [CE1-GigabitEthernet1/0/1] ptp announce-drop enable
  [CE1-GigabitEthernet1/0/1] quit
# Configure CE2.
  [CE2] ptp enable
  [CE2] ptp device-type bc
  [CE2] ptp domain 1
  [CE2] ptp clock-source local priority1 128
  [CE2] clock manual source ptp
  [CE2] interface gigabitethernet 1/0/0
  [CE2-GigabitEthernet1/0/0] ptp enable
  [CE2-GigabitEthernet1/0/0] quit
  [CE2] interface gigabitethernet 1/0/1
  [CE2-GigabitEthernet1/0/1] ptp enable
  [CE2-GigabitEthernet1/0/1] ptp announce-drop enable
  [CE2-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.
After the preceding configurations, CE1 and CE2 can trace the clock and time information of PE1 and PE2. Take the display on CE1 as an example. Run the display ptp all command to view information about 1588v2 synchronization.
  <CE1> display ptp all
  Device config info
  -----------------------------------------------------------------
  PTP state          :enabled
  Domain value       :1
  Slave only         :no
  Device type        :BC
  Set port state     :no
  Local clock ID     :000a0bfffe0c0d42
  Acl                :no
  Virtual clock ID   :no
  Acr                :no
  BMC run info
  -----------------------------------------------------------------
  Grand clock ID     :000a0bfffe0c0dd4
  Receive number     :GigabitEthernet1/0/0
  Parent clock ID    :000a0bfffe0c0dd4
  Parent portnumber  :6417
  Priority1          :128
  Priority2          :128
  Step removed       :1
  Clock accuracy     :49
  Clock class        :187
  Time Source        :160
  UTC Offset         :0
  UTC Offset Valid   :False
  Time Scale         :ARB
  Time Traceable     :False
  Leap               :None
  Frequence Traceable:False
  Port info
  Name                  State  Delay-mech  Ann-timeout  Type  Domain
  -----------------------------------------------------------------------
  GigabitEthernet1/0/0  slave  delay       10           BC    1
  Time Performance Statistics(ns): Slot 1 Card 0 Port 0
  -----------------------------------------------------------------------
  Realtime(T2-T1)    :534
  Pathdelay          :0
  Max(T2-T1)         :887704804
  Min(T2-T1)         :512
  Clock source info
  Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
  -----------------------------------------------------------------------
  local  200   128   0x31      187    0xa0
  bits0  128   128   0x20      6      0x20     none    off     -/abnormal
  bits1  128   128   0x20      6      0x20     none    off     -/abnormal
  bits2  128   128   0x20      6      0x20     none    off     -/abnormal

----End

Configuration Files

- Configuration file of CE1

  #
  sysname CE1
  #
  clock manual source ptp
  #
  ptp enable
  ptp domain 1
  ptp device-type bc
  ptp clock-source local priority1 128
  #
  interface GigabitEthernet1/0/0
   undo shutdown
   ptp enable
  #
  interface GigabitEthernet1/0/1
   undo shutdown
   ptp enable
   ptp announce-drop enable
  #
  return

- Configuration file of CE2

  #
  sysname CE2
  #
  clock manual source ptp
  #
  ptp enable
  ptp domain 1
  ptp device-type bc
  ptp clock-source local priority1 128
  #
  interface GigabitEthernet1/0/0
   undo shutdown
   ptp enable
  #
  interface GigabitEthernet1/0/1
   undo shutdown
   ptp enable
   ptp announce-drop enable
  #

- Configuration file of PE1

  #
  sysname PE1
  #
  clock bits-type bits0 2mhz
  clock bits-type bits2 1pps input
  clock manual source bits0
  ptp clock-source bits2 priority1 0
  ptp clock-source bits2 on
  #
  ptp enable
  ptp domain 1
  ptp device-type bc
  ptp clock-source local priority1 128
  #
  interface GigabitEthernet1/0/1
   undo shutdown
   ptp enable
  #
  return

- Configuration file of PE2

  #
  sysname PE2
  #
  clock bits-type bits0 2mhz
  clock bits-type bits2 1pps input
  clock manual source bits0
  ptp clock-source bits2 priority1 0
  ptp clock-source bits2 on
  ptp clock-source local priority1 128
  #
  ptp enable
  ptp domain 1
  ptp device-type bc
  #
  interface GigabitEthernet1/0/1
   undo shutdown
   ptp enable
  #
  return

10.10.6 Example for Configuring 1588 ACR Clock Synchronization in a Single-Server Scenario

This section uses an example to describe how to configure 1588 ACR on the router functioning as a client and on the router functioning as a server to restore clock information in a single-server scenario.

Networking Requirements

On the IP RAN shown in Figure 10-12, Router A functions as a clock server and is connected to an IP CLK. Router C functions as a client and sends a 1588 ACR Layer 3 unicast negotiation request to the server to achieve clock synchronization.

Figure 10-12 Networking diagram of configuring 1588 ACR clock synchronization in a single-server scenario
(Diagram: RouterA (Master, 1.1.1.1/32) connected to the IP CLK, RouterB, and RouterC (Slave, 2.2.2.2/32) connected to a NodeB with 1588, across an IP/MPLS backbone that also reaches the RNC; 1588v2 ACR runs between RouterA and RouterC.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Router A as a server.
2. Configure Router C as a client.
3. Adjust Layer 3 unicast negotiation parameters on the server and the client.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the server and IP address of the client
- Interval for sending Sync, Delay_Resp, and Announce packets on the server

Procedure

Step 1 Configure Router A as a server.
  <RouterA> system-view
  [RouterA] interface loopback 0
  [RouterA-Loopback0] ip address 1.1.1.1 32
  [RouterA-Loopback0] quit
  [RouterA] ptp-adaptive enable
  [RouterA] ptp-adaptive device-type server
  [RouterA] ptp-adaptive local-ip 1.1.1.1

Step 2 Configure Router C as a client.
  <RouterC> system-view
  [RouterC] interface loopback 0
  [RouterC-Loopback0] ip address 2.2.2.2 32
  [RouterC-Loopback0] quit
  [RouterC] ptp-adaptive enable
  [RouterC] ptp-adaptive device-type client
  [RouterC] ptp-adaptive local-ip 2.2.2.2
  [RouterC] ptp-adaptive remote-server1-ip 1.1.1.1

Step 3 Adjust Layer 3 unicast negotiation parameters on the client and the server.
# Configure the client.
  [RouterC] ptp-adaptive request sync-interval 4
  [RouterC] ptp-adaptive request announce-interval 12
  [RouterC] ptp-adaptive request delay-resp-interval 6

Step 4 Configure unicast negotiation on the server and the client.
# Configure the server.
  [RouterA] ptp-adaptive acr unicast-negotiate enable
# Configure the client.
  [RouterC] ptp-adaptive acr unicast-negotiate enable

Step 5 Verify the configuration.
# Check the 1588 ACR configuration on Router C.
  <RouterC> display ptp-adaptive all
  Device config info
  --------------------------------------------------------------------------
  Ptp adaptive state      : enable
  Device type             : client
  Sync mode               : frequency
  Current state           : slave
  Packet dscp             : 56
  Domain value            : 0
  Announce interval       : 12
  Announce duration       : 300s
  Sync interval           : 4
  Sync duration           : 300s
  Delay_resp interval     : 6
  Delay_resp duration     : 300s
  Announce receipt timeout: 3
  Acr mode                : one-way
  Local ip                : 2.2.2.2
  Client board            : NA
  Clockclass-ssm mapping  : enable
  Forward mode            : distributed
  Ptp port name           : GigabitEthernet1/5/1
  Frequency profile       : no
  BMCA run info
  --------------------------------------------------------------------------
  Current trace source    : server1
  Frequency lock success  : yes
  Time Performance Statistics(ns):
  -----------------------------------------------------------------------
  Realtime(T2-T1)         :987740873
  Max(T2-T1)              :987742555
  Min(T2-T1)              :987423502
  Remote server info
  --------------------------------------------------------------------------
  Current negotiate server: 1
            Ip address  Negotiate state  Pri1  Class  Accuracy  Pri2
  Server1:  1.1.1.1     Nego success     128   6      0x34      128
  Server2:

# Check the 1588 ACR configuration on Router A.
  <RouterA> display ptp-adaptive all
  Device config info
  --------------------------------------------------------------------------
  Ptp adaptive state      : enable
  Device type             : server
  Sync mode               : frequency
  Current state           : master
  Packet dscp             : 56
  Domain value            : 0
  Local ip                : 1.1.1.1
  Server board            : 3
  Frequency profile       : no
  VPN                     : none
  Client info
  ID  Ip Address  Clock ID  Mode  Announce  Sync  Delay_resp
  --------------------------------------------------------------------------
  1 0 2.2.2.2 001882fffed48301 one-way 2 -6 -4

----End

Configuration Files

- Configuration file of Router A

  #
  sysname RouterA
  #
  ptp-adaptive enable
  ptp-adaptive device-type server
  ptp-adaptive local-ip 1.1.1.1
  ptp-adaptive acr unicast-negotiate enable
  #
  interface Loopback0
   ip address 1.1.1.1 255.255.255.255
  #
  return

- Configuration file of Router C

  #
  sysname RouterC
  #
  ptp-adaptive enable
  ptp-adaptive device-type client
  ptp-adaptive local-ip 2.2.2.2
  ptp-adaptive remote-server1-ip 1.1.1.1
  ptp-adaptive request sync-interval 4
  ptp-adaptive request announce-interval 12
  ptp-adaptive request delay-resp-interval 6
  ptp-adaptive acr unicast-negotiate enable
  #
  interface Loopback0
   ip address 2.2.2.2 255.255.255.255
  #
  return

11 Device Maintenance

About This Chapter

With routine device maintenance, you can detect potential operational threats on devices and then eradicate them in time to ensure that the system runs securely, stably, and reliably.

11.1 Introduction of Device Maintenance
Device maintenance involves replacing boards and monitoring the internal environment.

11.2 Configuring an E-label for the Backplane of the NE80E
Users can set e-labels to maintain and manage assets on the NE80E.

11.3 Configuring an Energy Saving Mode
The router allows you to configure an energy saving mode to reduce the router's power consumption.

11.4 Configuring the System MAC Address

11.5 Powering off the MPU
To ensure non-stop services, you can power off the slave MPU only. If the device has only one MPU, confirm the action before powering off the MPU.
11.6 Powering off the SFU
When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

11.7 Powering off the NPU
This section describes how to power off the NPU.

11.8 Powering Off the LPU
If the LPU is faulty or you need to routinely maintain it, you can power it off.

11.9 (Optional) Configuring the NE80E with 5000 W Power Consumption to Power on LPUF-40s/LPUI-40s
This section describes how to configure the NE80E with 5000 W power consumption to power on LPUF-40s/LPUI-40s.

11.10 Configuring the Input Power of a Power Module
When the maximum output power supplied by the power cabinet is less than the rated power of a power module, you need to configure the input power of this power module. The power management module ensures that power modules supply power to boards based on their configured input power.

11.11 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to bind a valid Global Trotter License (GTL) file to the NPU.

11.12 Configuring an Access Mode for a Device

11.13 Configuring a Working Mode for an LPU
LPUs support various working modes, which you can configure using commands.

11.14 Configuring a Working Mode for an LPUF-40 or LPUF-20/21
The LPUF-20/21 and LPUF-40 support various service modes, which you can configure using commands.

11.15 Configuring Automatic Board Reset
This section describes how to configure boards to automatically reset when an alarm is generated.

11.16 Setting the Working Mode of the 1-Port OC-192c/STM-64c POS-XFP Flexible Card on the LPUF-10
The 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 can work in oversubscription mode or non-oversubscription mode, which can be configured through a command.

11.17 (Optional) Configuring Periodic Reliability Detection on 2-Port OC-12c/STM-4c ATM-SFP Flexible Cards on LPUF-10s

11.18 Configuring the CMU

11.19 Configuring Link-heartbeat Loopback Detection
The NE80E/40E supports the link-heartbeat loopback detection function, which is implemented by sending link-heartbeat packets. This function helps locate faults rapidly and maintain the device.

11.20 Configuring a Cleaning Cycle for the Air Filter
This section describes the procedure for configuring a cleaning cycle for the air filter.

11.21 Monitoring the Device Status
You can monitor the device status to facilitate fault location and cause analysis.

11.22 Board Maintenance
Board maintenance involves resetting a board and clearing the maximum CPU usage.

11.23 Configuration Examples of the Device Maintenance
This section provides examples of powering off different types of boards to describe common device maintenance operations.

11.1 Introduction of Device Maintenance

Device maintenance involves replacing boards and monitoring the internal environment.

11.1.1 Overview of Device Maintenance

Device maintenance involves replacing boards and monitoring the internal environment.

Concept

The stable running of a router depends on mature network planning and routine maintenance. In addition, fast location of hidden hazards is necessary. The maintenance personnel must check the alarm information in time and deal with faults properly to keep the device in normal operation and reduce the failure rate.
Thus, the system runs in a safe, stable, and reliable environment.

Maintenance Operation

Maintenance such as board replacement and internal environment checks ensures the normal operation of the router.

11.1.2 Maintenance Features Supported by the NE80E/40E

The NE80E/40E allows boards to be powered off and allows the operation status to be monitored.

Powering off

You can power on or power off the boards through command lines to perform hot plugging without interrupting the services on the router.

Monitoring

In routine maintenance of the device, you can run the display commands to view the working status of the router. This helps the maintenance personnel locate faults quickly during troubleshooting.

11.2 Configuring an E-label for the Backplane of the NE80E

Users can set e-labels to maintain and manage assets on the NE80E.

Context

Users can set e-labels to maintain and manage assets on the NE80E. An e-label includes a bar code and an asset ID.

NOTE
This function takes effect only on the NE80E.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  set elabel { backplane barcode | asset assetid }
An e-label is configured for the backplane of the NE80E.

----End

Checking the Configuration

Run the display elabel asset command to check the e-label of the backplane of the NE80E.
  <HUAWEI> display elabel asset

11.3 Configuring an Energy Saving Mode

The router allows you to configure an energy saving mode to reduce the router's power consumption.

Context

An energy saving mode allows the router to disable some unused modules while the system is running, reducing the router's power consumption.

The router supports the following energy saving modes:

- Standard energy saving mode: This mode allows the router to disable the modules that are unused by default while the system is running, without affecting the router's operation. This mode is applicable when the router is used as the network core device or when a large number of services are transmitted.
- Basic energy saving mode: This mode allows the system to dynamically monitor each module's working status and disable or hibernate unused modules.
- Deep energy saving mode: Building on the basic energy saving mode, this mode allows the router to shut down or hibernate unused components. This mode applies only when the router's operating environment is stable and little burst traffic exists.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  set energy-mode mode [ standard | basic | deep ]
An energy saving mode is configured for the router. By default, the router uses the basic energy saving mode.

----End

Checking the Configuration

Run the display energy-mode mode command to check the configured energy saving mode.
  <HUAWEI> system-view
  [HUAWEI] display energy-mode mode
  NE40E`s current energy-mode : basic

11.4 Configuring the System MAC Address

Context

If the system MAC addresses of two devices are the same, the system MAC address of one device must be modified to avoid network faults.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  set system-mac
The system MAC address is configured.

NOTICE
The modified MAC address takes effect only after the device restarts.

----End

11.5 Powering off the MPU

To ensure non-stop services, you can power off the slave MPU only. If the device has only one MPU, confirm the action before powering off the MPU.
11.5.1 Before You Start
Before powering off the MPU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The two Main Processing Units (MPUs) work in 1:1 backup mode. During operation, one MPU serves as the master MPU and the other as the slave MPU. Remove an MPU in the following situations:
- Maintenance of the MPU, such as dust removal
- Upgrade of the hardware on the MPU, such as extending the memory capacity
- Failure of the MPU

Pre-configuration Tasks
Before powering off the MPU, complete the following tasks:
- Checking the slot of the MPU to be powered off
- Running the display device command to check the status of the MPU. If the MPU is the master MPU, perform a master/slave switchover first.

Data Preparation
To power off the MPU, you need the following data.
No.  Data
1    Slot number of the MPU to be powered off

11.5.2 Powering off the Slave MPU
When the MPU is faulty or you need to routinely maintain the MPU, you can power it off.

Context
CAUTION
The router cannot work with a single MPU for a long time. If the single MPU fails, the whole system breaks down. After powering off the slave MPU, restore the MPU immediately.

Do as follows on the router to be configured:

Procedure
Step 1 Run:
power off slot slot-id
The slave MPU is powered off.

NOTE
If there is no terminal on the deployment site, you can power off the slave MPU by using the OFL (offline) button.
The OFL button is in the upper part of the slave MPU. Press and hold the button for six seconds. If the OFL indicator is on, the slave MPU has been powered off successfully.
----End

11.5.3 Checking the Configuration
After the MPU is powered off, you can run the display device command to check whether the MPU has been powered off.

Context
Run the following command to check the previous configuration.

Procedure
- Run:
display device
Check the registration of the SRU/MPU.
----End

Example
After the power-off operation, run the display device command. If the slave SRU/MPU is in the abnormal state, the operation has succeeded. For example:
<HUAWEI> display device
NE40E's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Unregistered  Abnormal  Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

11.6 Powering off the SFU
When the SFU is faulty or you need to routinely maintain the SFU, you can power it off.

NOTE
SFUs are not supported on the X1 and X2 models of the NE80E/40E.
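The pre-check in 11.5.1 (never power off the master MPU without a switchover; confirm before touching a lone MPU) and the post-check in 11.5.3 (the board shows Unregistered/Abnormal) are the kind of thing worth scripting when a maintenance window is automated, and the same display device check is repeated later for SFUs, NPUs and LPUs. The following is an added example, not code from Huawei or from this guide: it assumes the six-column layout of the sample output above (Slot #, Type, Online, Register, Status, Primary), and the output text it parses is constructed from that layout rather than captured from a device.

```python
"""Parse `display device` output and verify a board power-off.

Added example, not code from Huawei or this guide. It assumes the six-column
layout shown in the guide's sample output (Slot #, Type, Online, Register,
Status, Primary); the sample text below is constructed from that layout, not
captured from a device.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed sample, modelled on the guide's output after the slave MPU in
# slot 17 has been powered off (the master MPU in slot 18 shows Register NA).
SAMPLE_DISPLAY_DEVICE = """\
<HUAWEI> display device
NE40E's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
17      MPU   Present  Unregistered  Abnormal  Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
"""


@dataclass(frozen=True)
class BoardStatus:
    slot: int
    board_type: str
    online: str
    register: str
    status: str
    primary: str


def parse_display_device(text: str) -> Dict[int, BoardStatus]:
    """Return one BoardStatus per slot; prompt, title, header and rule lines are ignored."""
    boards: Dict[int, BoardStatus] = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are exactly six whitespace-separated columns whose first
        # column is the numeric slot id; no other line in the output matches.
        if len(fields) != 6 or not fields[0].isdigit():
            continue
        slot = int(fields[0])
        boards[slot] = BoardStatus(slot, *fields[1:])
    return boards


def preflight(boards: Dict[int, BoardStatus], slot: int) -> str:
    """Pre-configuration check from 11.5 and 11.5.1: the target slot must exist,
    a lone MPU needs explicit confirmation, and the master MPU must be
    switched over before it is powered off. Returns "ok" or the reason not to proceed."""
    board = boards.get(slot)
    if board is None:
        return "unknown slot"
    if board.board_type == "MPU":
        mpus = [b for b in boards.values() if b.board_type == "MPU"]
        if len(mpus) == 1:
            return "only MPU in the device: confirm before powering off"
        if board.primary == "Master":
            return "master MPU: perform a master/slave switchover first"
    return "ok"


def is_powered_off(boards: Dict[int, BoardStatus], slot: int) -> bool:
    """Post-check from 11.5.3: a powered-off board shows Register Unregistered
    and Status Abnormal in the output; an absent slot counts as not verified."""
    board = boards.get(slot)
    return (board is not None
            and board.register == "Unregistered"
            and board.status == "Abnormal")


if __name__ == "__main__":
    boards = parse_display_device(SAMPLE_DISPLAY_DEVICE)
    for slot in (17, 18):
        state = "powered off" if is_powered_off(boards, slot) else "running"
        print(slot, preflight(boards, slot), state)
```

Run preflight against a fresh display device capture before issuing power off slot, and is_powered_off against a capture taken afterwards; the "unknown slot" and lone-MPU branches are there so a mistyped slot id or a single-MPU chassis (the NE40E-X1 output in 11.7.3 has one MPU) stops the script rather than the service.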
11.6.1 Before You Start
Before powering off the SFU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
During normal operation of the device, four Switch and Fabric Units (SFUs) work in 3+1 load balancing mode. Remove an SFU in the following situations:
- Maintenance of the SFU, such as dust removal
- Failure of the SFU and replacement or repair of the SFU

Pre-configuration Tasks
Before powering off the SFU, complete the following task:
- Checking the slot of the SFU to be powered off

Data Preparation
To power off the SFU, you need the following data.
No.  Data
1    Slot number of the SFU to be powered off

11.6.2 Powering off the SFU
You can power off the SFU by using a command or by pressing the OFL button.

Context
Do as follows on the router to be configured:

Procedure
Step 1 Run:
power off slot slot-id
The SFU is powered off.

NOTE
SFUs are not supported on the X1 and X2 models of the NE80E/40E.
If there is no terminal on the deployment site, you can power off the slave SFU by using the OFL button. The OFL button is in the upper part of the slave SFU. Press and hold the button for six seconds. If the OFL indicator is on, the SFU has been powered off successfully.
----End

11.6.3 Checking the Configuration
After the SFU is powered off, you can run the display device command to check whether the SFU has been powered off.

Context
Run the following command to check the previous configuration.

Procedure
Step 1 Run:
display device
Check the registration of the SFU.
----End

Example
After the power-off operation, run the display device command. If the SFU is in the unregistered state, the operation has succeeded.
For example:
<HUAWEI> display device
NE40E-X8's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Unregistered  Abnormal  NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

11.7 Powering off the NPU
This section describes how to power off the NPU.

NOTE
NPUs are supported only on the X1 and X2 models of the NE80E/40E.

11.7.1 Before You Start

Applicable Environment
Remove the NPU in the following situations:
- Maintenance of the NPU, such as dust removal
- Failure of the NPU and replacement or repair of the NPU

Pre-configuration Tasks
Before powering off the NPU, complete the following tasks: None.

Data Preparation
To power off the NPU, you need the following data.
No.  Data
1    Slot number of the NPU to be powered off

11.7.2 Powering off the NPU

Context
Do as follows on the router to be configured:

Procedure
Step 1 Run:
power off slot slot-id
The NPU is powered off.

NOTE
If there is no terminal on the deployment site, you can power off the slave NPU by using the OFL button. The OFL button is in the upper part of the slave NPU. Press and hold the button for six seconds. If the OFL indicator is on, the NPU has been powered off successfully.
----End

11.7.3 Checking the Configuration

Context
Run the following command to check the previous configuration.

Procedure
Step 1 Run:
display device
Check the registration of the NPU.
----End

Example
After the power-off operation, run the display device command. If the NPU is in the unregistered state, the operation has succeeded. For example:
<HUAWEI> display device
NE40E-X1's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
1       NPU   Present  Unregistered  Abnormal  NA
2       PIC   Present  Registered    Normal    NA
3       PIC   Present  Registered    Normal    NA
4       PIC   Present  Registered    Normal    NA
5       PIC   Present  Registered    Normal    NA
7       MPU   Present  NA            Normal    Master
8       PWR   Present  Registered    Normal    NA
10      FAN   Present  Registered    Normal    NA
12      CLK   Present  Registered    Normal    Master

11.8 Powering Off the LPU
If the LPU is faulty or you need to routinely maintain it, you can power it off.

11.8.1 Before You Start
Before powering off the LPU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Power off the LPU in the following situations:
- When performing routine maintenance on the LPU, such as removing dust
- If the LPU fails and needs to be repaired or replaced

Pre-configuration Tasks
Before powering off the LPU, you need to prepare a slave LPU.

Data Preparation
To power off the LPU, you need the following data:
No.  Data
1    The slot number of the LPU to be powered off
2    A slave LPU whose board type and Physical Interface Card (PIC) type are the same as those of the LPU to be powered off

11.8.2 Powering Off the LPU
You can run a command or press the OFL button to power off the LPU.

Context
Do as follows on the router to be configured:

Procedure
Step 1 Run:
power off slot slot-id
The LPU is powered off.

NOTE
- To power off the sub-cards of FPICs, run the power off slot slot-id card card-id command.
- If no terminal exists at the deployment site, you can use the OFL button to power off the LPU. The OFL button is located on the upper part of the LPU. Press and hold the button for six seconds. If the OFL indicator is on, the LPU has been powered off successfully.
----End

11.8.3 Checking the Configuration
After you power off the interface board, you can run the display device command to check whether it has been powered off correctly.

Context
Run the following command to check the previous configuration.

Procedure
- Run:
display device
Check the registration of the interface board.
----End

Example
After you power off the board, run the display device command. If the LPU is in the unregistered state, the operation is complete.
In the following example, the LPU in slot 5 is powered off:
<HUAWEI> display device
NE40E-X8's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
5       LPU   Present  Unregistered  Abnormal  NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

11.9 (Optional) Configuring the NE80E with 5000 W Power Consumption to Power on LPUF-40s/LPUI-40s
This section describes how to configure the NE80E with 5000 W power consumption to power on LPUF-40s/LPUI-40s.

Context
LPUF-40s/LPUI-40s are not recommended for the NE80E with 5000 W power consumption because of power supply and heat dissipation issues. If LPUF-40s/LPUI-40s are required, install the boards on a properly working NE80E with 5000 W power consumption and run the set board-power-on lower-performance-fan enable command to configure the NE80E with 5000 W power consumption to power on the boards. Alternatively, restart the NE80E with 5000 W power consumption to power on the boards.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
set board-power-on lower-performance-fan enable
The NE80E with 5000 W power consumption is configured to power on LPUF-40s/LPUI-40s.
NOTE
This command can be used only on the NE80E with 5000 W power consumption; it does not need to be used on the NE80E with 8000 W power consumption.
----End

11.10 Configuring the Input Power of a Power Module
When the maximum output power supplied by the power cabinet is less than the rated power of a power module, you need to configure the input power of this power module. The power management module then ensures that power modules supply power to boards based on their configured input power.

Context
By default, the power management module ensures that power modules supply power to boards based on their rated power. When the maximum output power supplied by the power cabinet is less than the rated power of a power module, this power module may not supply sufficient power to the boards. In this situation, boards that have been powered on may restart or power off. To resolve this problem, run the set power input-power command to configure the input power of the power module, so that the power management module has power modules supply power to the boards based on their configured input power.

This command applies in the following scenarios:
- A device is installed for the first time. If the maximum output power supplied by the power cabinet is less than the rated power of a power module, run this command to configure the input power of this power module after the main processing unit (MPU) starts up. Based on the rated power of each board, calculate the number of boards to which the configured input power can be allocated. Then install the boards based on the calculation results.
- Additional boards need to be installed on a device. If the maximum output power supplied by the power cabinet is less than the rated power of a power module, run this command to configure the input power of this power module.
Based on the rated power of each board, calculate the number of boards to which the remainder of the configured input power can be allocated. Then install the boards based on the calculation results.

NOTE
- When the maximum output power supplied by the power cabinet is greater than or equal to the rated power of a power module, you do not need to run the set power input-power command. If you have run this command, the power management module still ensures that power modules supply power to boards based on their rated power.
- When the maximum output power supplied by the power cabinet is less than the rated power of a power module, you must run the set power input-power command.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
set power input-power power-value
The input power of the power module is configured.

NOTICE
- The power-on sequence of boards cannot be controlled. If a board has been installed on a device but has not been powered on, this board may power on after the device restarts. In addition, boards that have already been powered on may power off.
- The configured input power is saved in the MPU's flash memory. The MPU must not be used as the master MPU in another subrack. If the MPU is used as the master MPU in another subrack, run the set power input-power command to reconfigure the input power.
----End

11.11 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to bind a valid Global Trotter License (GTL) file to the NPU.

NOTE
NPUs are supported only on the X1 and X2 models of the NE80E/40E.
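Returning to 11.10 for a moment: both of its scenarios end with the same calculation, working out from each board's rated power how many boards the configured input power (on first installation) or its remainder (when boards are added later) can carry. The following is an added example of that budgeting, not code from Huawei or from this guide. The guide gives no rated power figures, so the per-board values in RATED_POWER_W are constructed placeholders to be replaced with the figures from the hardware description; the board type names are likewise only labels for the example.

```python
"""Board power budgeting for `set power input-power` (11.10).

Added example, not code from Huawei or this guide. The guide says to work out,
from each board's rated power, how many boards the configured input power (or
its remainder, when boards are added later) can supply; it gives no rated
power figures, so the per-board values here are constructed placeholders.
"""
from typing import Dict, List, Tuple

# Constructed placeholder rated powers in watts; replace with the figures
# from the hardware description for the boards actually in use.
RATED_POWER_W: Dict[str, int] = {"LPU": 400, "SFU": 300, "MPU": 100}


def needs_input_power_config(cabinet_max_output_w: int, module_rated_w: int) -> bool:
    """Per the NOTE in 11.10: the command is required only when the cabinet's
    maximum output is below the power module's rated power; otherwise the
    module keeps supplying its rated power regardless of the command."""
    return cabinet_max_output_w < module_rated_w


def plan_boards(input_power_w: int, installed: List[str],
                candidates: List[str]) -> Tuple[List[str], List[str], int]:
    """Allocate the configured input power across boards.

    `installed` are boards already powered on (empty on first installation),
    `candidates` are the boards to add, in installation order. Returns the
    boards that fit, the boards that do not, and the power left over. Raises
    if the boards already installed exceed the budget, which is the situation
    in which the guide warns that powered-on boards may restart or power off.
    """
    remaining = input_power_w - sum(RATED_POWER_W[t] for t in installed)
    if remaining < 0:
        raise ValueError(f"installed boards exceed input power by {-remaining} W")
    fits: List[str] = []
    skipped: List[str] = []
    for board in candidates:
        if RATED_POWER_W[board] <= remaining:
            fits.append(board)
            remaining -= RATED_POWER_W[board]
        else:
            skipped.append(board)
    return fits, skipped, remaining


if __name__ == "__main__":
    # First installation: 2000 W configured, nothing installed yet.
    print(plan_boards(2000, [], ["MPU", "MPU", "SFU", "SFU", "LPU", "LPU", "LPU", "LPU"]))
    # Adding boards later: the budget is what is left after the installed ones.
    print(plan_boards(2000, ["MPU", "MPU", "SFU", "SFU", "LPU"], ["LPU", "SFU", "LPU"]))
```

Because the NOTICE in 11.10 says the power-on sequence of boards cannot be controlled, treat the skipped list as boards to leave out of the subrack entirely rather than boards that will "wait their turn": a board that is installed but over budget may power on after a restart and take a running board down with it.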
11.11.1 Before You Start
Before restoring the bandwidth of 10GE LAN/WAN interfaces on the NPU to 10 Gbit/s, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
By default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.

Pre-configuration Tasks
None.

Data Preparation
To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, you need the following data.
No.  Data
1    GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s

11.11.2 Restoring the Outbound Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
To restore the outbound bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to bind a valid Global Trotter License (GTL) file to the NPU.

Prerequisites
Run the license active file-name command to activate the license files of the main control board and slave control board.

Context
By default, the outbound bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore the outbound bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.

Procedure
- Activate the GTL license for the 10GE interfaces in the license view
  1. Run:
  system-view
  The system view is displayed.
  2. Run:
  license
  The license view is displayed.
  3. Run:
  active 10ge-interface slot slotid
  The GTL file used to restore the outbound bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s is bound to the NPU.
- Activate the GTL license for the 10GE interfaces in the slot view
  1. Run:
  system-view
  The system view is displayed.
  2. Run:
  slot slot-id
  The slot view is displayed.
  3. Run:
  active 10ge-interface
  The GTL file used to restore the outbound bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s is bound to the NPU.

NOTE
The active 10ge-interface command takes effect only in the view of the slot where the NPU resides. After you bind the GTL file to the NPU, run the save command to save the configuration. Otherwise, you will need to bind the GTL file again after the device restarts. The active 10ge-interface command has the same function as the active 10ge-interface slot slotid command in the license view. The former command will be replaced by the latter one in the configuration file.
----End

11.11.3 Checking the Configuration
After you enable the 10GE LAN/WAN interfaces on an NPU, you can check the current PIC cards on the device.

Context
Run the following command to check the previous configuration.

Procedure
Step 1 Run the display device pic-status command to view the current PIC cards on the device.
----End

Example
# View the current PIC cards on the device.
<HUAWEI> display device pic-status
Pic-status information in Chassis 1:
--------------------------------------------------------------------------------
SLOT  PIC  Status      Type                   Port_count  Init_result  Logic down
7     0    Registered  LAN_WAN_2x10GX_V_CARD  2           SUCCESS      SUCCESS
7     6    Registered  ETH_8xGF_B_CARD        8           SUCCESS      SUCCESS
--------------------------------------------------------------------------------

11.12 Configuring an Access Mode for a Device

NOTE
Only the X1 and X2 models of the NE80E/40E support the configuration of an access mode.

11.12.1 Before You Start

Applicable Environment
The X1 and X2 models of the NE80E/40E support two access modes: ring mode and dual-homing mode. By default, the access mode is ring mode.
Before dual-homing an NPU to an upper-layer network through 10GE interfaces, configure the dual-homing access mode for the device.

In dual-homing access mode, a device supports a maximum of 21 interfaces. If the dual-homing access mode is configured for a device and the number of interfaces on the interface boards of the device exceeds 21, manually specify an interface board as unregistered to ensure that the total number of interfaces on the device is less than 21. In dual-homing access mode, the NE80E/40E-X1 supports a maximum of 21 forwarding ports, and the NE80E/40E-X2 supports a maximum of 42 forwarding ports.

Interface Type                     Forwarding Ports for the Interface
GE interface and FE interface      One forwarding port for each interface
ATM interface                      One forwarding port for each interface
CE1 interface and CPOS interface   One forwarding port for all interfaces of the interface board

If the dual-homing access mode is configured for a device and the total number of forwarding ports for the interfaces exceeds the maximum, you must manually configure an interface board as unregistered.

Pre-configuration Tasks
None.

Data Preparation
To configure an access mode for an NPU, you need the following data.
No.  Data
1    Access mode of the device
2    (Optional) Card ID of the interface board that needs to be manually configured as unregistered

11.12.2 Configuring an Access Mode for a Device

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
set service-mode { dual-home-mode | ring-mode }
The access mode of the device is configured.
The default access mode of the device is ring mode.

Step 3 (Optional) Run:
set service-mode card card-id { register-disable-mode | register-enable-mode }
The specified interface board is manually configured as unregistered or registered.

NOTICE
If an interface board is manually configured as unregistered, all interfaces on the interface board become unavailable. Before performing this operation, ensure that no services have been configured on the interface board.
----End

11.12.3 Checking the Configuration

Context
Run the following commands to check the configuration:

Procedure
Step 1 Run the display service-mode command to check the access mode configuration of a device.
Step 2 Run the display device command to check the registration status of an interface board.
----End

Example
# Display the access mode of a device.
<HUAWEI> display service-mode
The device can work under the following mode:
=======================================================================:
Service-mode     Functions:
RING-MODE        The equipment is proposed to support ring net work for better convergence
DUAL-HOME-MODE   The equipment is proposed to support dual-way network for better convergence
=======================================================================:
The current service-mode is RING-MODE!

# After the No. 3 interface board is manually configured as unregistered, display the registration status of all interface boards on the device.
<HUAWEI> display device
NE40E-X2's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
1       MPU   Present  NA            Normal    Master
2       MPU   Present  Registered    Normal    Slave
3       PIC   Present  Unregistered  Abnormal  NA
4       PIC   Present  Registered    Normal    NA
5       PIC   Present  Registered    Normal    NA
6       PIC   Present  Registered    Normal    NA
7       NPU   Present  Registered    Normal    NA
8       NPU   Present  Registered    Normal    NA
9       PIC   Present  Registered    Normal    NA
11      PIC   Present  Registered    Normal    NA
12      PIC   Present  Registered    Normal    NA
13      PWR   Present  Registered    Normal    NA
15      FAN   Present  Registered    Normal    NA
16      CLK   Present  Registered    Normal    Master
17      CLK   Present  Registered    Normal    Slave

11.13 Configuring a Working Mode for an LPU
LPUs support various working modes, which you can configure using commands.

NOTE
LPUs are not supported on NE80E/40E-X1s or NE80E/40E-X2s.

11.13.1 Before You Start
Before configuring a working mode for an LPU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
You cannot run frame relay and ATM cell concatenation services on an LPUF-10 at the same time. To enable the LPUF-10 to support one of these services, configure the corresponding working mode for the LPUF-10. LPUF-10s support the following working modes:
- fr-mode: LPUF-10s working in this mode support Ethernet interfaces, POS interfaces, CPOS interfaces, CE1/CT1 interfaces, and E3/CT3 interfaces.
  – The link layer protocol of the POS interfaces can be configured as FR, PPP, or HDLC.
  – The link layer protocol of the serial interfaces created by E1/T1 channels of the CPOS interfaces can be configured as FR, TDM, PPP, or HDLC.
  – The link layer protocol of the serial interfaces created by E3/T3 channels of the CPOS interfaces can be configured as PPP or HDLC.
  – The link layer protocol of the serial interfaces created by the CE1/CT1 interfaces can be configured as TDM, PPP, or HDLC.
  – The link layer protocol of the serial interfaces created by the E3/CT3 interfaces can be configured as PPP or HDLC.
- atm-cell-concatenation-mode: LPUF-10s working in this mode support ATM interfaces on the ATM cell concatenation subcards and CPOS interfaces. The link layer protocol of the serial interfaces created by E1/T1 channels of the CPOS interfaces can only be configured as TDM.
- atm-mode: This is the default working mode of LPUF-10s. LPUF-10s working in this mode support Ethernet interfaces, POS interfaces, ATM interfaces, CPOS interfaces, CE1/CT1 interfaces, and E3/CT3 interfaces.
  – The link layer protocol of the POS interfaces can be configured as PPP or HDLC.
  – The link layer protocol of the serial interfaces created by E1/T1 channels of the CPOS interfaces can be configured as ATM, TDM, PPP, or HDLC.
  – The link layer protocol of the serial interfaces created by E3/T3 channels of the CPOS interfaces can be configured as PPP or HDLC.
  – The link layer protocol of the serial interfaces created by the CE1/CT1 interfaces can be configured as ATM, TDM, PPP, or HDLC.
  – The link layer protocol of the serial interfaces created by the E3/CT3 interfaces can be configured as PPP or HDLC.

LPUF-10s, LPUF-20/21s, and LPUF-40s support two Peak Information Rate (PIR) values for user queues, 30 Gbit/s and 60 Gbit/s, which can be selected based on actual service volumes.

Pre-configuration Tasks
Before configuring a working mode for an LPU, check the current working mode of the LPU.

Data Preparation
To configure a working mode for an LPU, you need the following data.
No.  Data
1    Slot ID of the LPU whose current working mode needs to be changed

11.13.2 Configuring a Working Mode for an LPU
LPUs support various working modes.

Context
You cannot run frame relay and ATM cell concatenation services on an LPUF-10 at the same time.
To enable the LPUF-10 to support one of these services, configure the corresponding working mode for the LPUF-10. LPUF-10s, LPUF-20/21s, and LPUF-40s support two Peak Information Rate (PIR) values for user queues, 30 Gbit/s and 60 Gbit/s, which can be selected based on actual service volumes.

Perform the following steps on the router to configure working modes for its LPUs:

Procedure
- Configure a different working mode for each LPUF-10 to enable it to support different services.
  1. Run:
  system-view
  The system view is displayed.
  2. Run:
  set service-mode slot { slot-id | all } { normal | atm-cpos-enhance | ethenet-enhance | bas-mode | cell-concatenation-mode }
  The LPUF-10 is configured with a working mode to support the specific type of services.
  NOTE
  normal corresponds to atm-mode and fr-mode.
- Change the working mode of an LPUF-10, LPUF-20/21, or LPUF-40 to increase the PIR value of user queues.
  1. Run:
  system-view
  The system view is displayed.
  2. Run:
  set service-mode slot slot-id { normal-speed-scheduler | high-speed-scheduler }
  The PIR value of user queues is configured. The default PIR value of user queues is 30 Gbit/s.
  – normal-speed-scheduler: indicates that the PIR value of user queues is 30 Gbit/s.
  – high-speed-scheduler: indicates that the PIR value of user queues is 60 Gbit/s.
  NOTICE
  After you run the set service-mode slot slot-id { normal-speed-scheduler | high-speed-scheduler } command to change the PIR value of user queues on an LPU, the LPU resets automatically.
----End

11.13.3 Checking the Configuration
After the preceding configuration is complete, you can check the working mode of an LPU.

Context
Run the following command to check the configuration:

Procedure
Step 1 Run the display service-mode slot slot-id command to check the working mode of an LPU.
Step 2 Run the display work-mode [ slot slot-id ] command to check the current work mode of an LPUF-10 or an LPUF-50.

NOTE
LPUF-10s and LPUF-50s are not supported on the X1 and X2 models of the NE80E/40E.
The board to be viewed must be an LPUF-10 or an LPUF-50. Otherwise, the display work-mode slot command cannot be used.
----End

Example
# Display the current working mode of the LPU in slot 1.
<HUAWEI> display service-mode slot 1
The device can work under the following mode:
=======================================================================:
Service-mode      Functions:
NETSTREAM-1-MODE  Support 2047 MPLS OAM sessions.support (2048 3.3ms | 2048 10ms) bfd sessions.can not support 1588 ACR serverSupport 4095 Mep,4095 Rmep, 4095 Ma EOAM/MPLS-TP sessions.Support Netstream.
PTP-1-MODE        Support 2047 MPLS OAM sessions.support (2048 3.3ms | 2048 10ms) bfd sessions.support 1588 ACR serverSupport 4095 Mep,4095 Rmep,4095 Ma EOAM/MPLS-TP sessions.Does not Support Netstream.
=======================================================================:
The current service-mode is PTP-1-MODE!

# Display the current work mode of all boards.
<HUAWEI> display work-mode
NE40E-X8's current work-mode:
Slot  Type     Current-workmode
-------------------------------------------------------
2     LPUF-10  SUPPORT-ATM
3     LPUF-50  NORMAL

11.14 Configuring a Working Mode for an LPUF-40 or LPUF-20/21
An LPUF-20/21 or LPUF-40 supports various service modes, which you can configure using commands.

NOTE
LPUs are not supported on NE80E/40E-X1s and NE80E/40E-X2s.

11.14.1 Before You Start
Before configuring a service mode for an LPU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration.
This will help you complete the configuration task quickly and accurately.

Applicable Environment

An LPUF-20/21 or LPUF-40 cannot be configured with the 1588 ACR server function and NetStream at the same time. Before configuring either the 1588 ACR server function or NetStream, configure the corresponding service mode for the LPU.

- netstream-1-mode: When working in this mode, the LPU can be configured with NetStream, but not the 1588 ACR server function.
- ptp-1-mode: When working in this mode, the LPU can be configured with the 1588 ACR server function, but not NetStream.

The LAN_WAN_10G_TM_CARD, ETH_10XGF_TM_CARD, or ETH_6XGF_TM_CARD subcard can be configured with a service mode to support specified functions. The service modes and supported service types are as follows:

- reassemble-mode: When working in this mode, the subcard supports packet fragmentation and reassembly, but not 1588v2 or the 1588 ACR client function.
- ptp-slave-mode: When working in this mode, the subcard supports 1588v2 and the 1588 ACR client function, but not packet reassembly.

Pre-configuration Tasks

Before you configure a service mode for an LPU, determine its current service mode.

- Determining the current service mode of the LPU

Data Preparation

To configure a service mode for an LPU, you need the following data.

No.  Data
1    Slot ID of the LPU whose service mode needs to be configured
2    Card ID of the subcard whose service mode needs to be configured

11.14.2 Configuring a Service Mode for an LPUF-20/21 or LPUF-40

An LPUF-20/21 or LPUF-40 can work in different service modes. You can use the command to change the service mode.

Context

You cannot configure an LPUF-20/21 or LPUF-40 with the 1588 ACR server function and NetStream at the same time.
Before you configure either the 1588 ACR server function or NetStream, configure the service mode for the LPU.

You can configure the LAN_WAN_10G_TM_CARD or ETH_10XGF_TM_CARD subcard with a service mode to support specified functions. The service modes and supported service types are as follows. You can configure a service mode for the subcard based on the required service type.

- reassemble-mode: When working in this mode, the subcard supports packet fragmentation and reassembly, but not 1588v2 or the 1588 ACR client function.
- ptp-slave-mode: When working in this mode, the subcard supports packet fragmentation, 1588v2, and the 1588 ACR client function, but not packet reassembly.

Perform the following steps on the router to configure a service mode for the LPU:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
set service-mode slot { slot-id | all } { netstream-1-mode | ptp-1-mode }
A service mode is configured for the LPU to support the 1588 ACR server function or NetStream.
NOTICE
This command takes effect on the LPUF-20/21 or LPUF-40.

Step 3 Run:
set service-mode slot { slot-id card card-id | all card all } { reassemble-mode | ptp-slave-mode }
A service mode is configured for a subcard. The default service mode of the subcard is reassemble-mode. The service mode of the subcard is independent of the service mode of the LPU where the subcard resides.
NOTICE
This command takes effect on a LAN_WAN_10G_TM_CARD or ETH_10XGF_TM_CARD of the LPUF-21. To query the type of a subcard, run the display device pic-status command.

----End

11.14.3 Checking the Configuration

After you complete the preceding configuration, you can check the service mode of an LPU or a subcard.
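The mode compatibility rules of 11.14.1 and 11.14.2 above, turned into a small pre-change checker. This is an added example and not Huawei's code: it parses the output of the display service-mode slot command (in the form shown in this chapter's examples) and works out which set service-mode command, if any, must be issued before NetStream or the 1588 ACR server function can be enabled, refusing combinations that no single mode supports. The feature names, the lower-casing of the displayed mode name into the command keyword, the sample output (copied from the guide's example with its wrapped lines joined) and the reassemble-mode default for subcards are assumptions of the example.

```python
"""Plan LPUF-20/21 / LPUF-40 service-mode changes from the features an operator needs.

Added example, not Huawei's code. Encodes the mode tables from the guide and
parses `display service-mode slot <n>` output to decide what has to change.
"""
import re

# Feature -> LPU service mode that supports it (guide, section 11.14.1).
LPU_MODE_FOR_FEATURE = {
    "netstream": "NETSTREAM-1-MODE",
    "1588-acr-server": "PTP-1-MODE",
}
# Feature -> subcard service mode that supports it (guide, section 11.14.2).
SUBCARD_MODE_FOR_FEATURE = {
    "reassembly": "reassemble-mode",
    "1588v2": "ptp-slave-mode",
    "1588-acr-client": "ptp-slave-mode",
}

# Constructed sample: the guide's example output with wrapped lines joined.
SAMPLE_OUTPUT = """\
<HUAWEI> display service-mode slot 1
The device can work under the following mode:
=======================================================================:
Service-mode        Functions:
NETSTREAM-1-MODE    Support 2047 MPLS OAM sessions. Support Netstream.
PTP-1-MODE          Support 2047 MPLS OAM sessions. Does not Support Netstream.
=======================================================================:
The current service-mode is PTP-1-MODE!
"""


def parse_service_mode(output):
    """Return (available_modes, current_mode) from display service-mode output."""
    modes, current = [], None
    for line in output.splitlines():
        m = re.match(r"^([A-Z0-9]+-\d-MODE)\b", line)  # mode rows of the table
        if m:
            modes.append(m.group(1))
        m = re.search(r"current service-mode is ([A-Z0-9-]+)", line)
        if m:
            current = m.group(1)
    if current is None:
        raise ValueError("current service-mode not found in output")
    return modes, current


def required_mode(features, table):
    """The single mode that supports every requested feature; ValueError on conflict."""
    unknown = [f for f in features if f not in table]
    if unknown:
        raise ValueError(f"unknown feature(s): {unknown}")
    needed = {table[f] for f in features}
    if len(needed) > 1:
        raise ValueError(f"features {sorted(features)} need mutually exclusive modes {sorted(needed)}")
    return needed.pop() if needed else None


def plan_lpu_mode(slot, features, output):
    """Command to run before enabling `features` on the LPU, or None if none is needed."""
    available, current = parse_service_mode(output)
    target = required_mode(features, LPU_MODE_FOR_FEATURE)
    if target is None or target == current:
        return None
    if target not in available:
        raise ValueError(f"{target} is not offered by this board: {available}")
    # Assumption: the command keyword is the displayed mode name in lower case.
    return f"set service-mode slot {slot} {target.lower()}"


def plan_subcard_mode(slot, card, features, current="reassemble-mode"):
    """Command for the subcard mode; `current` defaults to the guide's default."""
    target = required_mode(features, SUBCARD_MODE_FOR_FEATURE)
    if target is None or target == current:
        return None
    return f"set service-mode slot {slot} card {card} {target}"


if __name__ == "__main__":
    print(plan_lpu_mode(1, ["netstream"], SAMPLE_OUTPUT))
    print(plan_subcard_mode(1, 0, ["1588v2", "1588-acr-client"]))
```

Run the planner against the saved output of display service-mode before a change window: a None result means the board already runs the mode the feature needs, and a ValueError means the requested feature set cannot be satisfied by any single mode, which is the case the guide warns about (NetStream and the 1588 ACR server on one LPU).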
Context

Run the following command to check the configuration:

Procedure

Step 1 Run the display service-mode slot slot-id command to check the service mode of an LPU or a subcard.

----End

Example

# Run the display service-mode command in the system view to display the current working mode of the LPU in slot 1.

[HUAWEI] display service-mode slot 1
The device can work under the following mode:
=======================================================================:
Service-mode        Functions:
NETSTREAM-1-MODE    Support 2047 MPLS OAM sessions.
                    support (2048 3.3ms | 2048 10ms) bfd sessions.
                    can not support 1588 ACR server
                    Support 4095 Mep,4095 Rmep,4095 Ma EOAM/MPLS-TP sessions.
                    Support Netstream.
PTP-1-MODE          Support 2047 MPLS OAM sessions.
                    support (2048 3.3ms | 2048 10ms) bfd sessions.
                    support 1588 ACR server
                    Support 4095 Mep,4095 Rmep,4095 Ma EOAM/MPLS-TP sessions.
                    Does not Support Netstream.
=======================================================================:
The current service-mode is PTP-1-MODE!

11.15 Configuring Automatic Board Reset

This section describes how to configure boards to reset automatically when an alarm is generated.

Applicable Environment

After certain alarms are generated, the corresponding boards need to reset to restore services. You can configure boards to reset automatically after alarms with specified codes are generated.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
fm
The fault management view is displayed.

Step 3 (Optional) Run:
display alarm all history verbose
Detailed information about all historical alarms of the current system is displayed, including the alarm codes.
You can run this command to view detailed information about all historical alarms, including alarm codes, and then configure a board to reset automatically based on these alarm codes.

Step 4 Run:
set board-reset hardware-alarm error-code error-code-value [ slot slot-id ]
Alarm codes are set. A maximum of 20 alarm codes can be specified in this command.

----End

Checking the Configuration

Run the display board-reset hardware-alarm error-code command to view the alarm codes for automatic board reset.

<HUAWEI> system-view
[HUAWEI] fm
[HUAWEI-fm] display board-reset hardware-alarm error-code
hardware-alarm error-code 0x10821
hardware-alarm error-code 0x10822
hardware-alarm error-code 0x10823
hardware-alarm error-code 0x1093c
hardware-alarm error-code 0x10824 slot 9
hardware-alarm error-code 0x10824 slot 11

11.16 Setting the Working Mode of the 1-Port OC-192c/STM-64c POS-XFP Flexible Card on the LPUF-10

The 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 can work in oversubscription mode or non-oversubscription mode, which can be configured through a command.

11.16.1 Before You Start

Before setting the working mode of the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

The motherboard LPUF-10 has four slots that can hold four subcards. The LPUF-10 has 10 Gbit/s bandwidth. Therefore, when using the LPUF-10 and its subcards, take the following factors into consideration:

- To use the 10G POS interface at the line rate, set the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 to work in non-oversubscription mode.
  In this case, you cannot register the other subcards that work in non-oversubscription mode after you insert them into the LPUF-10. You can register the other subcards that work in oversubscription mode after you insert them into the LPUF-10, but they cannot work at the line rate.
- To use the 10G POS interface without needing to achieve the line rate, set the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 to work in oversubscription mode. In this case, you can still register the other subcards that work in oversubscription mode and non-oversubscription mode after you insert them into the LPUF-10.

Pre-configuration Tasks

Before setting the working mode of the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10, determine in which mode the card needs to work.

Data Preparation

To set the working mode of the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10, you need the following data.

No.  Data
1    Slot number and subcard number of the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10

11.16.2 Setting the Working Mode of the 1-Port OC-192c/STM-64c POS-XFP Flexible Card on the LPUF-10

Context

The LPUF-10 has 10 Gbit/s bandwidth, which can ensure the line rate of only one 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10. To use the 10G POS interface at the line rate, you need to set the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 to work in non-oversubscription mode. In this case, the LPUF-10 does not allow the registration of the other subcards that work in non-oversubscription mode.

Procedure

Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set pos-10g-card non-convergence slot slot-id card card-id
The 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 is set to work in non-oversubscription mode.
By default, the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 works in non-oversubscription mode.

----End

11.17 (Optional) Configuring Periodic Reliability Detection on 2-Port OC-12c/STM-4c ATM-SFP Flexible Cards on LPUF-10s

Applicable Environment

To monitor the working status of 2-port OC-12c/STM-4c ATM-SFP flexible cards on LPUF-10s, run the set card-special-check atm-sar command to enable the periodic reliability detection function and configure the detection interval. This function allows users to take measures promptly when a fault occurs.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
set card-special-check atm-sar interval interval-value
The periodic reliability detection function is enabled and the detection interval is configured on 2-port OC-12c/STM-4c ATM-SFP flexible cards.
By default, the periodic reliability detection function is disabled on 2-port OC-12c/STM-4c ATM-SFP flexible cards.

----End

Checking the Configuration

Run the display this command in the system view to view the configured detection interval.

[HUAWEI] display this
#
 set card-special-check atm-sar interval 600
#

The interval value 600 in the output indicates that the detection interval is 600s.

11.18 Configuring the CMU

11.18.1 Before You Start

Before configuring monitor items for a CMU, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.
Application Environment

In remote and unattended equipment rooms, routers can monitor the working environment in real time. If a router receives an input signal that indicates that a specific environmental variable is abnormal, the router generates an alarm. Then, maintenance personnel can take immediate action to adjust this variable, without having to wait on site to monitor the environment. This effectively reduces equipment room maintenance costs for carriers.

You can connect the CMU on the AUXQ to an environmental monitoring device. Based on the input signals received from this device, the CMU generates an alarm and reports it to the NMS to inform maintenance personnel of the problem.

Pre-configuration Tasks

None.

Data Preparation

None.

11.18.2 Configuring Monitor Items for a CMU

Prerequisites

In remote and unattended equipment rooms, routers that provide the environment monitoring function can monitor the working environment in real time. Upon receiving an input signal indicating that a specific environment variable is abnormal, a router generates an alarm. Then, maintenance personnel can take immediate action to adjust the environment variable, without having to wait on site for environment monitoring. This effectively reduces equipment room maintenance costs for carriers.

The CMU on the AUXQ can be connected to an environment monitoring device. Based on the input signals received from the environment monitoring device, the CMU generates an alarm and reports it to the NMS so that maintenance personnel are informed of the problem and can come to the site to address it.

Procedure

Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cmu-switch switch-id alarm-mode { 0 | 1 } slot slot-id { name { voltage | door | humidity | fog | temperature } | user-defined-name user-defined-name }
Monitor items, such as the objects to be monitored and the alarm mode, are configured for a CMU.
NOTE
A router can monitor four types of environmental variables at a time. Run the cmu-switch command to configure each environmental variable that needs to be monitored and its associated alarm mode.

----End

11.18.3 Checking the Configuration

Context

Run the following command to check the configuration:

Procedure

Step 1 Run the display current-configuration command to check the CMU configuration.

----End

Example

# Run the display current-configuration command in the system view to display the current CMU configuration.

[HUAWEI] display current-configuration
#
 sysname HUAWEI
#
 cmu-switch 0 alarm-mode 1 slot 3 name voltage
#
return

11.19 Configuring Link-heartbeat Loopback Detection

The NE80E/40E supports the link-heartbeat loopback detection function, which is implemented by sending link-heartbeat packets. This function helps locate faults rapidly and maintain the device.

Context

NOTE
After the link-heartbeat loopback detection function is enabled, if malicious packet modification and packet loss occur on the remote device, the local device may perform incorrect operations. Therefore, in this scenario, disabling the link-heartbeat loopback detection function is recommended.
Heartbeat packets may mistakenly match ACLs, affecting the accuracy of MF traffic statistics.

When network devices are running, if packets are modified or lost, the fault must be located rapidly and associated processing must be performed in a timely manner to restore services.
The NE80E/40E supports the link-heartbeat loopback detection function, which is implemented by sending link-heartbeat packets to detect faults. This function can locate faulty devices rapidly and perform associated processing in a timely manner to recover services automatically. Therefore, this function improves network reliability and maintainability.

The link-heartbeat detection function can detect packet loss and packet modification. Packet modification detection enables the device to check whether the contents of received packets are consistent with the contents of sent packets. Packet loss detection enables the device to check whether the difference between the number of received packets and the number of sent packets is within the allowable range. After the link-heartbeat detection function is enabled, packet modification detection is enabled by default. By running the corresponding commands, you can determine whether to perform associated processing and whether to enable packet loss detection.

- Length of a heartbeat packet:
  - When the length of MTU + Layer 2 link header is less than 129 bytes, only packets whose length is the MTU length are sent.
  - When the length of MTU + Layer 2 link header ranges from 129 to 192 bytes, only packets whose length is 129 bytes are sent.
  - When the length of MTU + Layer 2 link header is greater than 192 bytes, packets whose length is the MTU length and packets whose length is 129 bytes are both sent.
- The detection period can be the normal detection period (60s) or the approaching state detection period. The packet loss detection period is 300s, and the packet modification detection period is 60s. The packet sending interval for both types of detection is 1s.

The detailed implementation process is as follows:

1.
If packet loss or packet modification is detected in the normal detection period, the system enters the approaching state detection period.
2. If the alarm is generated in the approaching state detection period, go to Step 5.
3. If no packet loss or packet modification is detected in the approaching state detection period, the alarm is cleared and the system enters the normal detection period.
4. By default, no alarm is generated when packets are lost. An alarm can be generated only after you run the link-heartbeat packet-loss threshold threshold-value command to configure a threshold. The minimum allowable threshold is 1%.

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
slot slot-id
The slot view is displayed.
NOTE
The link-heartbeat detection function supports only IPv4 GE and POS interfaces, not sub-interfaces. After the function is enabled on an interface, the number of packets on the interface increases. The system sends one link-heartbeat packet per second, and only when traffic exists on the interface.

Step 3 Run:
undo link-heartbeat send disable
The function of sending link-heartbeat packets is enabled.

Step 4 Run:
link-heartbeat packet-loss threshold threshold-value
A packet loss threshold at which an alarm will be generated is set, and alarm reporting is enabled.
NOTE
If the packet loss threshold exceeds 80%, packet loss detection will not be enabled.

Step 5 (Optional) Run:
link-heartbeat linkage { packet-loss | packet-modify } enable
The device is enabled to automatically reset a board when the board generates a link-heartbeat packet loss alarm or a link-heartbeat packet modification alarm.
The alarm mechanisms for packet loss and modification are as follows:

- Alarm mechanism for packet loss: An alarm is generated when both the packet loss ratio in a detection period and the packet loss ratio per minute reach the alarm threshold and channel backpressure is not being performed.
- Alarm mechanism for packet modification:
  - An alarm is generated when the packet modification ratio in a detection period is more than 5% and no faults are detected by intelligent link-heartbeat packets.
  - An alarm is generated when the packet modification ratio in three consecutive detection periods is not 0 but less than 5% and no faults are detected by intelligent link-heartbeat packets.

When any of the preceding alarm conditions is met, the system takes the following actions:

- If a fault is detected on a single interface of a board, the system resets the board, power-cycles the board, and then disables the faulty interface. Each time all these operations have been performed in sequence, the link-heartbeat detection function enters the normal detection period.
- If a fault is detected on multiple interfaces of a board, the system disables the first faulty interface. For the other faulty interfaces, the system resets the board, power-cycles the board, and then disables the faulty interfaces. Each time all these operations have been performed in sequence, the link-heartbeat detection function enters the normal detection period.

----End

Follow-up Procedure

Run the display link-heartbeat interface { interface-type interface-number | interface-name } command to check information about link-heartbeat loopback detection on a specified interface.
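The heartbeat packet length rule, the two alarm conditions and the threshold limits described in this section, written out as checkable functions, together with a parser for the key/value layout of the display link-heartbeat interface output (the guide's own sample of that output follows this block). This is an added example and not Huawei's code. The sample output embedded in the block is constructed from the guide's field layout, and the percent semantics of "reach the alarm threshold" (greater than or equal) and the percent units of the ratios are assumptions of the example; the device's internal counters are not modelled.

```python
"""Link-heartbeat loopback detection rules as offline checks.

Added example, not Huawei's code. Lets an operator replay the alarm rules from
the guide against figures read from `display link-heartbeat interface`.
"""
import re


def heartbeat_packet_lengths(mtu, l2_header_len):
    """Lengths of the heartbeat packets sent, from the MTU + Layer 2 header rule."""
    total = mtu + l2_header_len
    if total < 129:
        return {mtu}            # only MTU-length packets
    if total <= 192:
        return {129}            # only 129-byte packets
    return {mtu, 129}           # both lengths are sent


def validate_loss_threshold(pct):
    """Minimum threshold is 1%; above 80% packet loss detection is not enabled.

    Returns True when detection would be enabled with this threshold.
    """
    if pct < 1:
        raise ValueError("packet-loss threshold below the 1% minimum")
    return pct <= 80


def packet_loss_alarm(period_loss_pct, per_minute_loss_pct, threshold_pct, backpressure):
    """Alarm when both loss ratios reach the threshold and no channel backpressure."""
    return (period_loss_pct >= threshold_pct
            and per_minute_loss_pct >= threshold_pct
            and not backpressure)


def packet_modify_alarm(modify_pct_history, intelligent_fault):
    """Packet modification alarm rules.

    modify_pct_history: modification ratios (percent) of the most recent
    detection periods, oldest first. intelligent_fault: whether intelligent
    link-heartbeat packets detected a fault (which suppresses both rules).
    """
    if intelligent_fault or not modify_pct_history:
        return False
    if modify_pct_history[-1] > 5:          # more than 5% in one period
        return True
    last3 = modify_pct_history[-3:]         # three consecutive periods, 0 < ratio < 5%
    return len(last3) == 3 and all(0 < p < 5 for p in last3)


# Constructed sample in the field layout of the guide's display output.
SAMPLE_OUTPUT = """\
Link-detect status  : Enable
Port ready          : Ready(0xFF)
IP address          : 10.1.1.3
Lost packet detect  : Enable, Threshold = 40%
Lost packet linkage : Disable
Error packet linkage: Disable
Cyc send patcket    : 25
Cyc receive patcket : 0
Lost packet alarm   : Normal
Error packet alarm  : Normal
"""


def parse_link_heartbeat(output):
    """Parse 'Key : Value' lines into a dict; keys keep the device's spelling."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def loss_detect_threshold(fields):
    """Configured packet-loss threshold in percent, or None if detection is off."""
    m = re.search(r"Enable, Threshold = (\d+)%", fields.get("Lost packet detect", ""))
    return int(m.group(1)) if m else None


def cycle_loss_pct(fields):
    """Loss ratio of the reported cycle from the sent/received counters."""
    sent = int(fields["Cyc send patcket"])
    received = int(fields["Cyc receive patcket"])
    return 0.0 if sent == 0 else 100.0 * (sent - received) / sent


if __name__ == "__main__":
    f = parse_link_heartbeat(SAMPLE_OUTPUT)
    print(loss_detect_threshold(f), cycle_loss_pct(f), f["Lost packet alarm"])
```

A cycle loss ratio of 100% against a 40% threshold with "Lost packet alarm : Normal", as in the sample, is what a freshly enabled interface with no traffic yet looks like; the per-minute ratio and the backpressure state, which the alarm rule also needs, are not in this output, so the parser only supplies the figures it can read.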
<HUAWEI> display link-heartbeat interface GigabitEthernet 0/3/1
Link-detect status  : Enable
Port ready          : Ready(0xFF)
IP address          : 10.1.1.3
Source MAC          : CCCC-8175-A014
Destination MAC     : 0001-0002-0004
Lost packet detect  : Enable, Threshold = 40%
Lost packet linkage : Disable
Error packet linkage: Disable
Cyc Time            : 25
Send packet length  : 115
Cyc send patcket    : 25
Cyc receive patcket : 0
Magic word          : 0xBA23 0x1187 0x6A77
Last recv magic word: 0x0000
Last send seed      : 246
Last recv seed      : 0
Sub(Lost) status    : Off
Sub status lost     : 0
Sub status cyc count: 0
Lost packet alarm   : Normal
Error packet alarm  : Normal
Lpu linkage status  : Normal
NP information      :
NP info history     :
Lost packet history :
Sub(Error) status   :
Observe num         :
Error flag history  :
Send num in sub cyc :
Error num in sub cyc:
Error info history  :

11.20 Configuring a Cleaning Cycle for the Air Filter

This section describes the procedure for configuring a cleaning cycle for the air filter.

Context

NOTE
The X1 and X2 models of the NE80E/40E do not have an air filter.

11.20.1 Before You Start

Application Environment

After the air filter has been running for a period of time, you need to clean it.

Pre-configuration Tasks

None.

Data Preparation

To configure a cleaning cycle for the air filter, you need the following data.

No.  Data
1    Cleaning cycle of the air filter

11.20.2 Configuring a Cleaning Cycle for the Air Filter

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dustproof check-timer day INTEGER
The cleaning cycle for the air filter is configured.
NOTE
The air filter is a component without memory. All monitored information is saved on the MPU, which may be inserted, removed, switched, or replaced during use. Therefore, the monitoring cycle may differ from the set cycle, but this does not affect the monitoring function.

----End

11.20.3 Monitoring the Cleaning Cycle of the Air Filter After Cleaning It

Context

The system generates an alarm about cleaning the air filter. After ensuring that the air filter has been cleaned or does not need to be cleaned, clear the alarm and begin monitoring the cleaning cycle of the air filter again.

Do as follows on the router:

Procedure

Step 1 Run:
reset dustproof run-time
The alarm is cleared, and the cleaning cycle of the air filter is monitored again.

----End

11.20.4 Checking the Configuration

Procedure

Step 1 Run:
display dustproof
Information about the air filter is displayed.

----End

Example

Run the display dustproof command. You can view the cleaning cycle of the air filter, the last time the air filter was cleaned (according to the router), how many days the router has run since the previous cleaning, and how long the alarm about cleaning the air filter has existed. For example:

<HUAWEI> display dustproof
Clean Dustproof-Net cycle : 365(days)
Last clean date           : 2009/02/07
Up to last clean days     : 1(day)
Clean alarm existence days: 0(day)

11.21 Monitoring the Device Status

You can monitor the device status to facilitate fault location and cause analysis.
11.21.1 Displaying the System Version Information

The system version information includes the system software version and various hardware versions.

Procedure

Step 1 Run:
display version
The system version information is displayed.

You can run this command in any view to view the system version information. The main information is as follows:

- System software version
- Hardware and software version of the MPUs
- Hardware and software version of the SFUs
- Hardware and software version of the LPUs
- Hardware and software version of the fans and backplane

----End

11.21.2 Displaying Basic Information About the Router

Basic router information includes detailed information about the LPU, MPU, SFU, clock board, power supply, and fan module.

Procedure

Step 1 Run:
display device [ pic-status | slot-id ]
Basic information about the router is displayed.

You can run this command in any view to view the basic device information. Enter slot-id to view information about the board in the specified slot.

- Choose a board in a certain slot. You can view basic information about this board.
- Run:
  display device pic-status
  Basic information about the PIC card of the LPU is displayed.

----End

11.21.3 Displaying the Electronic Label

The electronic label information includes the type of board/card, bar code, BOM code, English description, production date, supplier name, issuing number, Common Language Equipment Identification (CLEI) code, and sales BOM code.

Procedure

- Run:
  display elabel [ asset | backplane | fuse-unit [ fuse-id ] | filter [ filter-id ] | slot-id | brief | optical-module { brief | interface interface-number } ]
  The electronic label is displayed.
  In practice, you can run this command in the user view to view information about the electronic label of the boards.
  Enter slot-id to view the electronic label of the board in the specified slot.
  NOTE
  For the range of slot numbers on the router, refer to the HUAWEI NetEngine80E/40E Router Hardware Description.
  The displayed information includes the type of the board and PIC card, bar code, BOM, English description, production date, supplier name, issuing number, Common Language Equipment Identification (CLEI) code, and sales BOM.
- Run:
  display power manufacture-info slot slot-id
  The electronic label of the power module in a specified slot is displayed.
- Run:
  display pmu manufacture-info slot slot-id
  The electronic label of the PMU in a specified slot is displayed. This command applies only to the NE40E-X1/X2.

----End

11.21.4 Displaying the Soft Boot Mode

By default, the soft boot mode function is enabled, which shortens the time spent on restarting the system.

Procedure

Step 1 Run the display system soft-bootmode command to view the soft boot mode.
NOTE
By default, the soft boot mode function is enabled, which shortens the time spent on system startup during a reset. You can run the undo set system soft-bootmode command in the system view to disable the soft boot function.

----End

11.21.5 Displaying the Threshold of the Memory Usage

You can specify the slot ID to check the memory usage of the MPU or LPU.

Procedure

Step 1 Run:
display memory-usage [ slave | slot slot-id ]
The memory usage threshold of the main MPU and LPU is displayed.
NOTE
To set the memory usage threshold on the main MPU and LPU, run the set memory-usage threshold threshold [ slot slot-id ] command.

----End

11.21.6 Displaying the Threshold of CPU Usage

You can specify the slot ID to check the CPU usage of the MPU or LPU.
Procedure

Step 1 Run:
display cpu-usage entry-number [ offset ] [ verbose ] [ slave | slot slot-id ] [ history ]
The CPU usage threshold of the main MPU and LPU is displayed.

You can select the following parameters when you run this command:

- entry-number: specifies the number of entries to be displayed.
- offset: specifies the entry with the offset value before the current entry.
- verbose: displays information about each record.
- history: displays CPU usage history records.

NOTE
To set the threshold of the CPU usage on the main MPU and LPU, run the set cpu-usage threshold threshold-value [ slave | slot slot-id ] command. You can run the [ slave | slot slot-id ] command to display the current CPU usage configuration. You can run the monitor cpu-usage command to dynamically monitor the CPU usage.

----End

11.21.7 Displaying Alarm Information

The alarm information includes the alarm severity, alarm date and time, and alarm description.

Procedure

Step 1 Run:
display alarm { slot-id | all }
Information about the alarm is displayed.

You can run this command in any view to view current information about router alarms. Alarm information includes the following:

- Alarm severity
- Alarm date and time
- Alarm description

NOTE
After the router alarm is displayed, you can run the clear alarm index index-id { send-trap | no-trap } command to clear the alarm with the specified index-id.

----End

11.21.8 Displaying the Board Temperature

The temperature information includes the temperature status, alarm thresholds, and actual temperature of each board.

Procedure

Step 1 Run:
display temperature [ slot slot-id | lpu [ slot slot-id [ pic pic-id ] ] | { mpu | sfu } ]
The temperature of the specified board is displayed.
NOTE
- Run the display temperature [ lpu [ slot slot-id [ pic pic-id ] ] ] command to view the temperature of the specified subcard in the specified slot.
- Run the display temperature command to view the temperature of each module of all the boards on the router.
- Since the NE40E-X1, NE40E-X2, and NE40E-X3 do not have an SFU, the display temperature sfu command does not apply to these devices.

You can run this command in any view to view the current temperature information of the router.

----End

11.21.9 Displaying the Board Voltage

The voltage information includes the number of voltage sensors on each board, the working voltage sensor of each board, the working status of the voltage sensor on each board, and the voltage alarm thresholds of each board.

Procedure

Step 1 Run:
display voltage [ slot slot-id | lpu [ slot slot-id [ pic pic-id ] ] | { mpu | sfu } ]
The board voltage is displayed.
NOTE
- Run the display voltage [ lpu [ slot slot-id [ pic pic-id ] ] ] command to view the voltage of the specified subcard on the specified LPU.
- Run the display voltage command to view the voltage of all the boards on the router.
- Since the NE40E-X1, NE40E-X2, and NE40E-X3 do not have an SFU, the display voltage sfu command is not applicable to these devices.

In practice, using this command in any view, you can view the voltage of all the boards.
The voltage information includes the following: l Number of the voltage sensors l Working voltage sensors l Working status of the voltage sensors l Alarm field value of the voltage l Actual board voltage l Normal working temperature of the voltage sensors ----End 11.21.10 Displaying the Power Supply Status The power supply information includes the slot ID of the power supply module, whether the power supply module is registered, working mode of the power supply module, and cable status of the power supply module. Procedure Step 1 Run: display power [ { environment-info | manufacture-info } slot slot-id | slot [ slotid ] ] The power supply status is displayed. In practice, using this command in any view, you can view the power supply status. The displayed information includes the following: l Slot number of the power supply module l Presence status of the power supply module l Operation mode of the power supply module l Cable status of the power supply module ----End 11.21.11 Displaying Current Information About Boards Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 421 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 11 Device Maintenance Context Do as follows on the router. Procedure Step 1 Run: display board-current [ slot slot-id ] Current information about a specified board is displayed. ----End 11.21.12 Displaying Entironment Information About the Device You can check environment information about the device that is installed with an environment monitoring board. Context Do as follows on the router: Procedure Step 1 Run: display device [ CMU-slotID ] Entironment information about the device is displayed. This command is supported only on the NE40E-X8 and NE40E-X16 on which the entironment monitoring board is installed and runs normally. 
----End 11.21.13 Displaying the Fan Status The fan status information includes the slot ID of the fan module, whether a fan module is registered, registration status, working status of the fan module, and speed mode of the fan module. Procedure Step 1 Run: display fan The fan status is displayed. In practice, using this command in any view, you can view the fan status. The information includes the following: l Slot number of the fan module l Presence and registration status of the fan module l Working status of the fan module Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 422 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 11 Device Maintenance l Fan speed mode of the fan module ----End 11.21.14 Displaying the Sequence Number of the MPU Each MPU has a globally unique equipment serial number (ESN). Procedure Step 1 Run: display esn The sequence number of the MPU is displayed. In the operation, using this command in any view, you can view the sequence number of the MPU on the router. ----End 11.21.15 Displaying the Next Start Mode of the Board A board supports two startup modes, namely, fast startup and normal startup. Procedure Step 1 Run: display bootmode-next The next start mode of the board is displayed. In the operation, you can use the command in any view to check the next start mode of each board on the router, including the MPU, SFU, and LPU. The start modes are as follows: l The fast start mode l The normal start mode ----End 11.21.16 Displaying the Number of the Registered SFUs By Default The number of actually used SFUs must be greater than the number of SFUs that the system requires for registration by default; otherwise, an alarm will be generated. Context NOTE SFUs are not supported on the X1 and X2 models of the NE80E/40E. Procedure Step 1 Run: system-view The system view is displayed. 
Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 423 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 11 Device Maintenance Step 2 Run: display least sfuboard The number of the registered SFUs that the device requires by default is displayed. In the operation, if the number of the SFUs that is actually used is smaller than the number of the SFUs that the device requires for registration, the trap is generated. Run the least sfuboardindex-id command to change the number of the SFUs that the device requires for registration. ----End 11.22 Board Maintence Board Maintenance involves resetting a board and clearing the maximum CPU usage. 11.22.1 Resetting a Board You need to back up important data before resetting a board. Context In the case that a board is faulty, you can use the reset slot command to reset the board. CAUTION Back up important data before resetting the board. Do as follows on the router: Procedure Step 1 Run: reset slot slot-id [card card-id] The board is reset. NOTE l If the board is still abnormal after being reset, contact the Huawei technical support personnel. ----End 11.22.2 Clearing CPU Usage Statistics Before collecting CPU usage statistics, you must clear the original CPU usage statistics. Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 424 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 11 Device Maintenance Context NOTICE The CPU usage statistics cannot be restored after they are cleared. Exercise caution when running the following command. To clear CPU usage statistics, run the following reset command in the system view. Procedure l Run the reset cpu-usage record [ slot slot-id [ vcpu vcpu-id ] | slave ] command to clear CPU usage statistics. 
----End

11.23 Configuration Examples of Device Maintenance

This section provides examples of powering off different types of boards to describe common device maintenance operations.

Follow-up Procedure

NOTE
This document takes the interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may differ from those used in this document.

11.23.1 Example for Powering off the MPU

On a dual-MPU router, if the master MPU malfunctions or you need to routinely maintain the master MPU, you can power off the master MPU after performing a master/slave switchover.

Networking Requirements
After checking the alarm information, you find that the hardware on the master MPU has failed. Then, check the hardware by powering off the master MPU.

Configuration Roadmap
The configuration roadmap is as follows:
1. Switch the master MPU to the slave MPU through a master/slave switchover.
2. Power off the slave MPU.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the master MPU. In this example, the slot number of the master MPU is 17.

Procedure

Step 1 Perform the master/slave switchover on the router.

<HUAWEI> system-view
[HUAWEI] slave switchover enable

Before performing the master/slave switchover, make sure that the user interfaces such as AUX, console, and VTY are connected to both MPUs. Otherwise, the users on the interfaces connected to the former master MPU are automatically logged out after the switchover.

[HUAWEI] slave switchover
Caution!!! Confirm switch slave to master[Y/N]?y
Switching............................................................................

Step 2 Power off the MPU in slot 17.

<HUAWEI> power off slot 17
Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y

Step 3 Verify the configuration.

# Check the registration status of the MPU. The MPU in slot 17 is in the Unregistered and Abnormal state, which means that powering off the MPU succeeded.

<HUAWEI> display device
NE40E-X8's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Unregistered  Abnormal  Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

----End

Configuration Files
None

11.23.2 Example for Powering off the SFU

When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.

Networking Requirements

NOTE
SFUs are not supported on the X1 and X2 models of the NE80E/40E.

You need to power off the SFUs before removing dust.

Configuration Roadmap
The configuration roadmap is as follows:
- Power off the SFU.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the current SFU. In this example, the slot number of the SFU is 19.

Procedure

Step 1 Power off the SFU in slot 19.

<HUAWEI> power off slot 19
Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y

Step 2 Verify the configuration.

# Check the registration status of the SFU in slot 19. The SFU is in the Unregistered and Abnormal state, which means that powering off the SFU succeeded.

<HUAWEI> display device
NE40E-X8's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Unregistered  Abnormal  NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

----End

Configuration Files
None

11.23.3 Example for Powering off the LPU

If the LPU is faulty or you need to routinely maintain it, you can power it off.

Networking Requirements

NOTE
LPUs are not supported on the X1 and X2 models of the NE80E/40E.

None

Configuration Roadmap
The configuration roadmap is as follows:
- Replace the failed LPU.

Data Preparation
To complete the configuration, you need the following data:
- Slot number of the LPU that needs to be replaced. In this example, the slot number of the LPU is 5.
- A service part whose PIC card type and board type are the same as those of the LPU to be replaced.

Procedure

Step 1 Power off the LPU in slot 5.

<HUAWEI> power off slot 5
Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y

Step 2 Verify the configuration.

# Check the registration status of the LPU in slot 5. The LPU is in the Unregistered and Abnormal state, which means that powering off the LPU is complete.

<HUAWEI> display device
NE40E-X8's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
5       LPU   Present  Unregistered  Abnormal  NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA

----End

Configuration Files
None

12 Device Upgrading

About This Chapter

When you need to add new features, optimize existing features, or solve problems in the current version, you can upgrade the device.
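The three power-off examples in 11.23 all end with the same manual check of display device output (the target slot must show Unregistered and Abnormal), and 11.21.16 and 11.23.1 each state a precondition (switch over the master MPU first; keep the registered SFU count at or above the display least sfuboard value). The following parser and checks are an added example, not code from the Huawei guide; SAMPLE_AFTER is a constructed copy of the 11.23.1 table, SAMPLE_BEFORE a constructed pre-power-off table, and the function names are the example's own.

```python
"""Parse NE80E/40E 'display device' output and check a board power-off.

Added example, not code from the Huawei guide. SAMPLE_AFTER is a constructed
copy of the table in 11.23.1 (MPU in slot 17 after 'power off slot 17');
SAMPLE_BEFORE is a constructed table from before the power-off.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BoardRow:
    slot: int
    type: str      # LPU, MPU, SFU, CLK, PWR, FAN
    online: str    # Present
    register: str  # Registered, Unregistered, NA
    status: str    # Normal, Abnormal
    primary: str   # Master, Slave, NA


# One table row: a slot number followed by five single-word columns.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_display_device(text: str) -> Dict[int, BoardRow]:
    """Return one BoardRow per slot; banner, header and rule lines are skipped."""
    rows: Dict[int, BoardRow] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            slot = int(m.group(1))
            rows[slot] = BoardRow(slot, *m.groups()[1:])
    return rows


def preflight_power_off(rows: Dict[int, BoardRow], slot: int,
                        least_sfuboard: Optional[int] = None) -> List[str]:
    """Reasons not to issue 'power off slot <slot>' yet.

    Checks taken from the guide: the master MPU must be switched over first
    (11.23.1), and the registered SFU count must not drop below the value
    shown by 'display least sfuboard', or the device raises a trap (11.21.16).
    """
    row = rows.get(slot)
    if row is None:
        return [f"slot {slot} not present in display device output"]
    problems: List[str] = []
    if row.type == "MPU" and row.primary == "Master":
        problems.append(f"slot {slot} is the master MPU: run 'slave switchover' first")
    if row.type == "SFU" and least_sfuboard is not None:
        remaining = sum(1 for r in rows.values()
                        if r.type == "SFU" and r.register == "Registered" and r.slot != slot)
        if remaining < least_sfuboard:
            problems.append(f"powering off SFU in slot {slot} leaves {remaining} registered "
                            f"SFUs, fewer than least sfuboard {least_sfuboard}")
    return problems


def verify_powered_off(rows: Dict[int, BoardRow], slot: int) -> bool:
    """Post-check used in the examples: the board shows Unregistered and Abnormal."""
    row = rows.get(slot)
    return row is not None and row.register == "Unregistered" and row.status == "Abnormal"


SAMPLE_AFTER = """\
<HUAWEI> display device
NE40E-X8's Device status:
Slot #  Type  Online   Register      Status    Primary
-------------------------------------------------------
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Unregistered  Abnormal  Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA
"""

# Constructed: the same chassis before the switchover and power-off.
SAMPLE_BEFORE = """\
Slot #  Type  Online   Register    Status  Primary
--------------------------------------------------
17      MPU   Present  NA          Normal  Master
18      MPU   Present  Registered  Normal  Slave
19      SFU   Present  Registered  Normal  NA
20      SFU   Present  Registered  Normal  NA
21      SFU   Present  Registered  Normal  NA
22      SFU   Present  Registered  Normal  NA
"""

if __name__ == "__main__":
    before = parse_display_device(SAMPLE_BEFORE)
    print(preflight_power_off(before, 17))           # master MPU: switch over first
    print(preflight_power_off(before, 19, least_sfuboard=4))  # would drop below least
    print(verify_powered_off(parse_display_device(SAMPLE_AFTER), 17))  # True
```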
12.1 Device Upgrade Overview
12.2 Upgrade Modes Supported by the NE80E/40E

12.1 Device Upgrade Overview

You need to upgrade a device when you want to add new features, optimize existing performance, or solve problems with the current version.

Note
Before you upgrade the NE80E/40E, perform the following:
- When you upgrade the NE80E/40E on site, prepare a spare part for each board.
- Obtain the new system software, the Product Adaptive File (PAF) or license file, and the corresponding documents of the new version from Huawei.
- Back up configuration files, and collect and save service configurations.
- Enable the log function to record all the operations performed during the upgrade process.
- Check the software versions of all modules on each board, including the versions of the BootROM, firmware, and MonitorBus.

12.2 Upgrade Modes Supported by the NE80E/40E

You can use a command, a mobile storage device, or the BootROM to upgrade the NE80E/40E.

Upgrade by Using the Command Line
This mode applies to the following situations. For details, refer to the "NE80E&40E V600R008C10 Version Upgrade Guide" of the corresponding system software version.
- The NE80E/40E uses FTP/TFTP for the upgrade. Other devices can remotely log in to the NE80E/40E.
- You are upgrading the NE80E/40E for the first time, and it has been loaded with the system software package. Other devices can log in to the NE80E/40E through the serial interface to configure the IP address or use NAP to remotely log in to the NE80E/40E.

Upgrade by Using a Mobile Storage Device (CF Card)
You generally use a CF card to upgrade the NE80E/40E during the engineering stage or troubleshooting process. Before performing the upgrade, prepare two CF cards. In this mode, you upgrade the NE80E/40E by replacing the CF cards on the master and slave MPUs/SRUs with CF cards containing the system software package. For details, refer to the "Version Upgrade Guide" of the corresponding system software version.

Upgrade by Using BootROM
This mode applies to the following situations. For details, refer to the "NE80E&40E V600R008C10 Version Upgrade Guide" of the corresponding system software version:
- The NE80E/40E is being upgraded for the first time, but the system software package of the NE80E/40E does not exist or is incorrect.
- After the NE80E/40E is upgraded and restarted, neither the master nor the slave MPU/SRU can be registered.
- After the NE80E/40E is upgraded, the master MPU/SRU can be registered but the slave MPU/SRU cannot be registered.
- The MPU/SRU is replaced.
- Other devices cannot log in to the NE80E/40E through Telnet.

13 Patch Management

About This Chapter

Patch management includes checking the running patch, loading patch files, and installing patches.

13.1 Patch Management Introduction
This section describes basic patch functions.
13.2 Checking Whether a Patch is Running in the System
The system allows only one patch to run. Therefore, confirm that no patch is running before loading a new patch.
13.3 Loading a Patch
You can load patches through FTP, TFTP, or XModem.
13.4 Installing a Patch
You can install a patch on the system to repair it. By installing the patch, you can upgrade the system without upgrading the system software.
13.5 (Optional) Deactivating the Patch
If an installed patch does not take effect, you need to deactivate it.
13.6 Configuration Examples for Patch Management
This section describes some configuration examples for managing patches.

13.1 Patch Management Introduction

This section describes basic patch functions.

13.1.1 Patch Management Overview

You can install patches to improve system functions.

Patch Overview
You occasionally need to revise the system software, for example to remove system defects or add new functions, while the device is running. In the past, it was common practice to shut the system down before performing an upgrade, but this static upgrade affects the services on the device and does not improve its communication. If instead you load a patch to the system software, you can upgrade it online without interrupting the operation of the device. This dynamic upgrade does not affect services and can actually improve its communication.
- Hot patch: Loading a hot patch does not interrupt running services on the device. A hot patch fixes a system software bug while the device is running.
- Cold patch: A cold patch fixes a system software bug only after the device is restarted.

Table 13-1 Naming Rules for Patches
Patch Name = Product Name + Space + Release Number + Patch Number
Emergency Correction Patch (ECP) number:
  - Hot ECP number: HPyyyy
  - Cold ECP number: CPyyyy
Accumulated Correction Update (ACU) number: SPxyyyy (Note: SP refers to service pack. x refers to H or C.)

Naming rules for Emergency Correction Patches (ECPs) are as follows:
1. For an ECP that is released based on an ACU, if activating and validating the ECP would not affect user experience, the ECP is a hot ECP and named HPyyyy; if activating and validating the ECP would affect user experience, the ECP is a cold ECP and named CPyyyy.
2. The first y in HPyyyy or CPyyyy is fixed at 0, and the subsequent yyy is the same as the yyy in SPCyyy or SPHyyy of the corresponding ACU. Therefore, an ECP is named in the format HP0yyy or CP0yyy. If a calculated ECP name is the same as that of a previously released ECP, the newly calculated one is increased by 1.

Naming rules for Accumulated Correction Updates (ACUs) are as follows:
1. For an ACU that is released based on the previous cold ACU, if the current ACU contains patches that would affect user experience when being activated and validated, the current ACU is a cold ACU and named SPCyyy.
2. For an ACU that is released based on the previous cold ACU, if the current ACU does not contain any patches that would affect user experience when being activated and validated, the current ACU is a hot ACU and named SPHyyy.

Patch Area
In the memory of the Main Processing Unit (MPU) and Line Processing Unit (LPU), a space called the patch area is reserved for patches. To install a patch, save it to the patch area in the memory of the board. Each patch saved in the patch area is numbered uniquely. Up to 200 patches can be saved to the patch area in the memory of the MPU or LPU.

Patch States
The patch state can be idle, deactive, active, or running. For details, see Table 13-2.

Table 13-2 Patch states

State: No patch (idle)
Description: The patch file is saved to the CF card but is not loaded to the patch area in the memory.
State Conversion: When the patch is loaded to the patch area, the patch status is set to deactive.

State: deactive
Description: The patch is loaded to the patch area but is disabled.
State Conversion: The patch in the deactive state can be:
- Uninstalled, that is, deleted from the patch area.
- Enabled temporarily and then switched to the active state.

State: active
Description: The patch is loaded to the patch area and enabled temporarily. If the board is reset, the active patch on that board switches to the deactive state.
State Conversion: The patch in the active state can be:
- Uninstalled, that is, deleted from the patch area.
- Enabled temporarily and then switched to the active state.
- Enabled permanently and then switched to the running state.

State: running
Description: The patch is loaded to the patch area and enabled permanently.
State Conversion: The patch in the running state can be uninstalled and deleted from the patch area. If the board is reset, the patch on the board remains in the running state.

Figure 13-1 shows the conversion between patch states.

Figure 13-1 Conversion between patch states
[Figure: states No patch, Deactive patch, Active patch, Running; transitions labelled Load patch, Delete patch, Activated, Deactivated, Run patch]

13.1.2 Patches Supported by the NE80E/40E

The NE80E/40E enables patches to be loaded to the system or to a specific board.

Patch Functions
Installing patches can improve system functions or fix bugs. By installing a patch, you can upgrade the system without upgrading the system software. In special scenarios, you can install patches specific to an MPU or LPU to optimize board functions.

Logic Relationships Between Configuration Tasks
Figure 13-2 shows the logical relationships between the configuration tasks.
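The naming rules in Table 13-1 and the state conversions in Table 13-2 and Figure 13-1 above can be checked mechanically before a patch is touched on a device. The model below is an added example, not Huawei code: it classifies a patch number as hot/cold ACU or ECP, derives an ECP name from its base ACU including the collision increment, splits a "Service pack Version" string into release and patch number (the version match that 13.4.2 says patch load enforces), and tracks one board's patch state including what a board reset does to it. All patch numbers used are constructed, and the regular expressions are the example's own reading of the table.

```python
"""Patch naming (Table 13-1) and patch state conversions (Table 13-2, Figure 13-1)
of the NE80E/40E, as an added model; not Huawei code. Patch numbers in the
comments and tests are constructed."""
import re
from typing import Dict, Set, Tuple

ACU_RE = re.compile(r"^SP([HC])(\d{3})$")                    # SPHyyy / SPCyyy
ECP_RE = re.compile(r"^([HC])P(\d{4})$")                     # HPyyyy / CPyyyy
PACK_RE = re.compile(r"^(V\d+R\d+C\d+)(SP[HC]\d{3}|[HC]P\d{4})$")  # release + patch


def classify(patch_number: str) -> Dict[str, object]:
    """Tell ACU from ECP and hot from cold by the patch number alone."""
    m = ACU_RE.match(patch_number)
    if m:
        return {"kind": "ACU", "hot": m.group(1) == "H", "seq": m.group(2)}
    m = ECP_RE.match(patch_number)
    if m:
        return {"kind": "ECP", "hot": m.group(1) == "H", "seq": m.group(2)}
    raise ValueError(f"not a valid patch number: {patch_number}")


def ecp_name(acu_number: str, hot: bool, released: Set[str]) -> str:
    """ECP naming rule 2: HP or CP, a leading 0, then the yyy of the base ACU.

    A collision with an already released ECP bumps the number by 1; this is
    repeated until the name is free, which generalises the rule's single step.
    """
    info = classify(acu_number)
    if info["kind"] != "ACU":
        raise ValueError("an ECP is released based on an ACU")
    number = int(str(info["seq"]))          # yyy of SPHyyy / SPCyyy
    prefix = "HP" if hot else "CP"
    name = f"{prefix}{number:04d}"          # HP0yyy / CP0yyy
    while name in released:
        number += 1
        name = f"{prefix}{number:04d}"
    return name


def split_pack_version(pack_version: str) -> Tuple[str, str]:
    """Split a 'Service pack Version' such as V600R008C10SPH001 into
    (release number, patch number)."""
    m = PACK_RE.match(pack_version)
    if not m:
        raise ValueError(f"unrecognised service pack version: {pack_version}")
    return m.group(1), m.group(2)


def patch_matches_system(pack_version: str, system_version: str) -> bool:
    """13.4.2: 'patch load' fails unless the patch release equals the system release."""
    return split_pack_version(pack_version)[0] == system_version


IDLE, DEACTIVE, ACTIVE, RUNNING = "idle", "deactive", "active", "running"

# (current state, patch command) -> next state, from Table 13-2 and Figure 13-1.
TRANSITIONS = {
    (IDLE, "load"): DEACTIVE,        # patch load: CF card file -> patch area
    (DEACTIVE, "active"): ACTIVE,    # patch active: enabled temporarily
    (DEACTIVE, "delete"): IDLE,      # patch delete: removed from the patch area
    (ACTIVE, "run"): RUNNING,        # patch run: enabled permanently
    (ACTIVE, "deactive"): DEACTIVE,  # 13.5: deactivating an active patch
    (ACTIVE, "delete"): IDLE,
    (RUNNING, "delete"): IDLE,
}


class BoardPatch:
    """State of the patch on one board, including the effect of a board reset."""

    def __init__(self) -> None:
        self.state = IDLE

    def apply(self, command: str) -> str:
        key = (self.state, command)
        if key not in TRANSITIONS:
            raise ValueError(f"'patch {command}' is not allowed in state {self.state}")
        self.state = TRANSITIONS[key]
        return self.state

    def board_reset(self) -> str:
        # Table 13-2: an active patch drops back to deactive on reset;
        # a running patch stays running; deactive stays deactive.
        if self.state == ACTIVE:
            self.state = DEACTIVE
        return self.state


if __name__ == "__main__":
    print(ecp_name("SPC012", hot=True, released={"HP0012"}))   # HP0013 (constructed)
    p = BoardPatch()
    for cmd in ("load", "active"):
        p.apply(cmd)
    print(p.board_reset())                                      # deactive
```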
Figure 13-2 Logical relationships between configuration tasks
[Figure (flowchart): Run VRP; Normally run? (Yes/No); Resort to technical support for a new patch; Enable patch temporarily; Bug removed? (Yes/No); Disable patch; Unload patch; End]

13.2 Checking Whether a Patch is Running in the System

The system allows only one patch to run. Therefore, confirm that no patch is running before loading a new patch.

13.2.1 Before You Start

Before checking the running patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
The system allows only one patch to run at a time. Therefore, confirm that no patch is running in the current system before installing a patch. If a patch is running, delete it before installing the new patch.

Pre-configuration Tasks
Before checking whether a patch is running in the system, complete the following tasks:
- Ensure that the router starts normally after being powered on.
- Ensure that you can log in to the router.

Data Preparation
None

13.2.2 Checking the Running of a Patch in the System

You can run the display patch-information command to view information about the running, activated, and deactivated patch units.

Context
Do as follows on the router to be upgraded:

Procedure

Step 1 Run:
display patch-information

All information about the current patch is displayed, including the patch units that are running, the patch units that are activated, and the patch units that are deactivated.

----End

Example
<HUAWEI> display patch-information
Info: No patch exists.

This indicates that no patch is running in the current system.

NOTE
If patches are running, delete them before loading new patches.

13.2.3 (Optional) Deleting a Patch

The system allows only one patch to run at a time. If a patch is running, delete it before loading a new patch.

Context
Before installing a patch, you need to delete the running patch. Do as follows on the router to be upgraded.

Procedure

Step 1 Run:
patch delete all

The running patch is deleted.

----End

13.3 Loading a Patch

You can load patches through FTP, TFTP, or XModem.

13.3.1 Before You Start

Before loading a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
Before a patch is installed, it must be uploaded to the root directory of the CF card of both the master and slave MPUs. Upload the patch to the root directory of the CF card of the master MPU, then copy the patch to the root directory of the CF card of the slave MPU. The three methods used to upload a patch are FTP, TFTP, and XModem.

Pre-configuration Tasks
Before loading a patch, complete the following tasks:
- Ensure that the router starts normally after being powered on.
- Ensure that you can log in to the router.

Data Preparation
Before running a patch, obtain a patch that is consistent with the board.

No.  Data
1    Uploading a patch to the root directory of the CF card of the master MPU
2    Copying a patch to the root directory of the CF card of the slave MPU

13.3.2 Loading a Patch

On a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.

Context
Do as follows on the router to be upgraded:

Procedure

Step 1 Upload a patch to the root directory of the CF card of the master MPU.
The router supports uploading files through FTP, TFTP, and XModem. For more information, see "FTP, TFTP, and XModem". Choose an uploading method based on your requirements.

Step 2 Run:
copy source-filename slave#cfcard:/destination-filename

The patch is copied to the root directory of the CF card of the slave MPU.

Step 3 Run:
startup patch file-name

The patch package is specified for the master MPU on the next startup.

Step 4 Run:
startup patch file-name slave-board

The patch package is specified for the slave MPU on the next startup.

----End

13.3.3 Checking the Configuration

After a patch is loaded, you can check the patch information.

Context
Run the following commands to check the previous configuration.

Procedure
- Run:
  dir cfcard:/
  Check the files on the master MPU.
- Run:
  dir slave#cfcard:/
  Check the files on the slave MPU.
- Run:
  display startup
  Check the patch file to be used in the next system startup.

----End

Example
After uploading the files, run the dir cfcard:/ and dir slave#cfcard:/ commands. The patch.pat file is among the files on the CF card.

For example, check the files on the CF card of the master MPU:

<HUAWEI> dir cfcard:/
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw           64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw          418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw        38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw         2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw         7041  Aug 02 2007  11:02:00  license.txt
    5  -rw    117013076  Jul 13 2007  10:40:44  V600R008C10.cc
    6  -rw    134213212  Nov 18 2007  05:30:11  V600R008C10.cc
    7  -rw         4041  Nov 02 2007  11:04:00  patch.pat

500192 KB total (347760 KB free)

For example, check the files on the CF card of the slave MPU:

<HUAWEI> dir slave#cfcard:/
Directory of slave#cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw           64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw          418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw        38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw         2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw         7041  Aug 02 2007  11:02:00  license.txt
    5  -rw    117013076  Jul 13 2007  10:40:44  V600R008C10.cc
    6  -rw    134213212  Nov 18 2007  05:30:11  V600R008C10.cc
    7  -rw         4041  Nov 02 2007  11:04:00  patch.pat

500192 KB total (343160 KB free)

For example, check the patch file to be used in the next system startup:

<HUAWEI> display startup
MainBoard:
  Configed startup system software:       cfcard:/V600R008C10.cc
  Startup system software:                cfcard:/V600R008C10.cc
  Next startup system software:           cfcard:/V600R008C10.cc
  Startup saved-configuration file:       cfcard:/current_cfg.cfg
  Next startup saved-configuration file:  cfcard:/current_cfg.cfg
  Startup paf file:                       cfcard:/paf-V600R008C10.txt
  Next startup paf file:                  cfcard:/paf-V600R008C10.txt
  Startup license file:                   cfcard:/license-V600R008C10.txt
  Next startup license file:              cfcard:/license-V600R008C10.txt
  Startup patch package:                  Null
  Next startup patch package:             cfcard:/patch.pat

13.4 Installing a Patch

You can install a patch on the system to repair it. By installing the patch, you can upgrade the system without upgrading the system software.

13.4.1 Establishing the Configuration Task

Before installing a patch on the system, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

NOTICE
When installing a patch, it is recommended that you specify all to install the patch for all boards at one time rather than specify slot to install the patch for boards one by one. In some special scenarios, you must specify slot to install a patch for the master and slave MPUs first, and then for all LPUs one by one.

Installing patches can fix system vulnerabilities or correct system defects. By installing a patch, you can upgrade the system without upgrading the system software. When a patch is uploaded, the system checks that the patch version is the same as the system version. If the two versions are not the same, the system prompts that the patch upload failed.

Pre-configuration Tasks
Before installing a patch, upload the patch to the root directory of the CF card of the master MPU and slave MPU.

Data Preparation
None

13.4.2 Loading a Patch

You can load a patch only when the patch version matches the system software version.

Context
Do as follows on the router to be upgraded:

Procedure

Step 1 Run:
patch load file-name all

The patch is loaded.

----End

Follow-up Procedure
When a patch is loaded, the system checks whether the patch version is the same as the system version. If the two versions are not the same, the system determines that the patch loading failed. When the patch is loaded successfully, its status is Deactive. This status remains Deactive after the board is reset.

13.4.3 Activating a Patch

A patch can be activated only when it is correctly loaded and is in the deactivated state.

Context
Do as follows on the router to be upgraded:

Procedure

Step 1 Run:
patch active all

The patch is activated.

----End

Follow-up Procedure
A patch can be activated only when it is correctly loaded and is in the deactivated state. When a patch is activated, it immediately becomes valid. After the board is reset, however, the status of the patch becomes Deactive, and the patch no longer remains valid.

13.4.4 Running a Patch

A patch can be run only after it is activated. Running a patch means that the patch is activated permanently.

Context
Do as follows on the router to be upgraded:

Procedure

Step 1 Run:
patch run all

The patch is run.

----End

Follow-up Procedure
A patch can be run only after it is activated. Running a patch means that the patch is activated permanently and the patch remains valid after the board is reset. The status of the patch remains Running.

13.4.5 Checking the Configuration

After a patch is installed on the system, you can check the patch status and the patch for the next startup.

Procedure
- Run:
  display patch-information
  Check the patch state.

----End

Example
After the patch is loaded, run the display patch-information command. The results are as follows:

<HUAWEI> display patch-information
Service pack Version:V600R008C10SPH001
Pack file name cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33----------
Total Patch Unit    : 1
Running Patch Unit  : -
Active Patch Unit   : -
Deactive Patch Unit : 1
----------The patch information of slot 34----------
Total Patch Unit    : 1
Running Patch Unit  : -
Active Patch Unit   : -
Deactive Patch Unit : 1

After the patch is activated, run the display patch-information command. The results are as follows:

<HUAWEI> display patch-information
Service pack Version:V600R008C10SPH001
Pack file name cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33----------
Total Patch Unit    : 1
Running Patch Unit  : -
Active Patch Unit   : 1
Deactive Patch Unit : -
----------The patch information of slot 34----------
Total Patch Unit    : 1
Running Patch Unit  : -
Active Patch Unit   : 1
Deactive Patch Unit : -

After running the patch, run the display patch-information command.
The results are as follows: <HUAWEI> display patch-information Service pack Version:V600R008C10SPH001 Pack file name cfcard:/patch.pat ----------The patch information of slot This slot does not need patch 3---------- ----------The patch information of slot This slot does not need patch 4---------- ----------The patch information of slot This slot does not need patch 6---------- ----------The patch information of slot 33---------Total Patch Unit : 1 Running Patch Unit : 1 - 1 Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 444 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations Active Patch Unit Deactive Patch Unit 13 Patch Management : : ----------The patch information of slot 34---------Total Patch Unit : 1 Running Patch Unit : 1 - 1 Active Patch Unit : Deactive Patch Unit : 13.5 (Optional) Deactivating the Patch If an installed patch does not take effect, you need to deactivate it. 13.5.1 Before You Start Before deactivating a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately. Applicable Environment After a patch is activated, you need to determine whether the patch has achieved the expected effect. If the patch is not valid, you need to activate it. A patch can be deactivated only after it is activated. Pre-configuration Tasks None Data Preparation None 13.5.2 Deactivating a Patch Deactivating a patch makes an active patch become inactive. Procedure Step 1 Run: patch deactive all The patch is deactivated. ----End 13.5.3 Checking the Configuration After a patch is deactivated, you can run the display command to check the patch status. Procedure l Issue 02 (2014-09-30) Run: Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
445 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 13 Patch Management display patch-information Check the patch state. ----End Example After the preceding configuration is complete, run the display patch-information command. The results are as follows: <HUAWEI> display patch-information Service pack Version:V600R008C10SPH001 Pack file name cfcard:/patch.pat ----------The patch information of slot This slot does not need patch 3---------- ----------The patch information of slot This slot does not need patch 4---------- ----------The patch information of slot This slot does not need patch 6---------- ----------The patch information of slot 33---------Total Patch Unit : 1 Running Patch Unit : Active Patch Unit : Deactive Patch Unit : 1 - 1 ----------The patch information of slot 34---------Total Patch Unit : 1 Running Patch Unit : Active Patch Unit : Deactive Patch Unit : 1 - 1 13.6 Configuration Examples for Patch Management This section describes some configuration examples for managing patches. 13.6.1 Example for Installing a Patch When the system has vulnerabilities or defects, you can install a patch to repair the system. Networking Requirements Figure 13-3shows that some urgent bug occurs on the system software at the Provider Edge (PE) connected to the Internet. Huawei provides a patch file to remove the bug. Install the patch in this patch file to remove the bug. Issue 02 (2014-09-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 446 HUAWEI NetEngine80E/40E Router Configuration Guide - Basic Configurations 13 Patch Management Figure 13-3 Networking diagram of installing a patch FTP Server 10.1.1.2/24 GE0/0/0 10.1.1.1/24 MPLS Core PE PC 10.1.1.3/24 Configuration Roadmap The configuration roadmap is as follows: 1. Save the patch file to the root directory of the CF card on the master and slave MPUs. 2. Load the patch. 3. Activate the patch. 4. Run the patch. 
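The roadmap ends with the patch in the Running state, the only state that survives a board reset according to 13.4.4. As an added example (not part of the Huawei guide), the following Python parses display patch-information output in the slot-block form shown in 13.4.5 and reports any slot where the patch is merely Active or Deactive; the sample output is constructed, and the assumption that the service pack version begins with the system software version is mine.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the display patch-information output in this
# guide: slot 33 is only Active (after "patch active all"), slot 34 is Running.
SAMPLE_OUTPUT = """\
<HUAWEI> display patch-information
Service pack Version:V600R008C10SPH001
Pack file name      cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 33----------
Total Patch Unit    : 1
Running Patch Unit  :
Active Patch Unit   : 1 - 1
Deactive Patch Unit :
----------The patch information of slot 34----------
Total Patch Unit    : 1
Running Patch Unit  : 1 - 1
Active Patch Unit   :
Deactive Patch Unit :
"""

SLOT_HEADER = re.compile(r"^-+The patch information of slot (\d+)-+$")
UNIT_LINE = re.compile(r"^(Total|Running|Active|Deactive) Patch Unit\s*:\s*(.*)$")


@dataclass
class SlotPatchState:
    slot: int
    needs_patch: bool = True
    total: int = 0
    running: str = ""    # unit range as printed, e.g. "1 - 1"; empty when none
    active: str = ""
    deactive: str = ""

    def state(self) -> str:
        """Collapse the three unit fields into the state names the guide uses."""
        if not self.needs_patch:
            return "NotNeeded"
        for name in ("running", "active", "deactive"):
            if getattr(self, name):
                return name.capitalize()
        return "None"


def parse_patch_information(text: str):
    """Return (service pack version, [SlotPatchState, ...]) from the CLI output."""
    version, slots, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Service pack Version:"):
            version = line.split(":", 1)[1].strip()
        elif m := SLOT_HEADER.match(line):
            current = SlotPatchState(slot=int(m.group(1)))
            slots.append(current)
        elif current is None:
            continue
        elif line == "This slot does not need patch":
            current.needs_patch = False
        elif m := UNIT_LINE.match(line):
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "total":
                current.total = int(value or 0)
            else:
                setattr(current, key, value)
    return version, slots


def check_persistent(text: str, system_version: str):
    """ok is True only when the patch belongs to system_version and every slot
    that needs the patch reports it Running, i.e. it survives a board reset."""
    version, slots = parse_patch_information(text)
    problems = []
    # Assumption: the service pack version is the system version plus a suffix.
    if version is None or not version.startswith(system_version):
        problems.append(f"version {version!r} does not match system {system_version!r}")
    for s in slots:
        st = s.state()
        if st in ("NotNeeded", "Running"):
            continue
        if st == "Active":
            problems.append(f"slot {s.slot}: Active only, reverts to Deactive on reset")
        else:
            problems.append(f"slot {s.slot}: {st}, patch is not in effect")
    return not problems, problems
```

Run check_persistent on the saved output of the verification step before scheduling any MPU reset, so that a patch left in the Active state is caught rather than silently lost.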
Data Preparation

To complete the configuration, you need the following data:
• File name of the patch: patch.pat
• Path the patch is saved to on the MPU: cfcard:/

Procedure

Step 1 Upload the patch file for the system software.

# Log in to the FTP server.
<PE> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp]

# Configure the binary transmission format and the working directory of the CF card on the PE.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
% Local directory now cfcard:.

# Load the patch file for the current system software from the remote FTP server.
[ftp] get patch.pat
200 Port command okay.
150 Opening ASCII mode data connection for license.txt.
226 Transfer complete.
FTP: 6309 byte(s) received in 0.188 second(s) 33.55Kbyte(s)/sec.
[ftp] bye
221 Server closing.
<PE>

# Copy the patch file to the CF card on the slave MPU.
<PE> copy cfcard:/patch.pat slave#cfcard:/
Copy cfcard:/patch.pat to slave#cfcard:/patch.pat?[Y/N]:y
100% complete
Info:Copied file cfcard:/ patch.pat to slave#cfcard:/ patch.pat...Done

Step 2 Load the patch.
<PE> patch load patch.pat all

Step 3 Activate the patch.
<PE> patch active all

Step 4 Run the patch.
<PE> patch run all

Step 5 Verify the configuration.
<PE> display patch-information
Patch Package Name   :cfcard:/patch.pat
Patch Package Version:V600R008C10SPH001
************************************************************************
*            The hot patch information, as follows:                    *
************************************************************************
Slot   Type   State      Count
-----------------------------------------------------------
7      C      Running    1
************************************************************************
*            The cold patch information, as follows:                   *
************************************************************************
all slots do not need cold patch
----End

Configuration Files

None

A Glossary

This appendix collates frequently used terms in this document.

A

Accounting: A network security service that records the user's access to the network.

Agent: A process that is used in all managed devices. It receives request packets from the NM Station and performs the Read or Write operation on managed variables according to packet types, generates response packets, and sends them to the NM Station.

AH: Authentication Header. A security protocol that provides data authentication and integrity for IP packets. AH is used in the transmission mode and in the tunneling mode.

ASSP: Analogue Sensor Signal Processes. An error tolerance protocol that provides the interface backup in the multiple access, multicast and broadcast in a LAN (such as Ethernet).

Authentication: A method used to prove user identity.

Authorization: A method used to prove the identity of users to use the service.

B

Backup center: A mechanism in which the interfaces on a device back up each other and trace the status of the interface.
If an interface is Down, the backup center provides a backup interface to undertake the service.

BFD: Bidirectional Forwarding Detection. A unified detection mechanism that is used to detect and monitor the link or IP route forwarding at a fast pace.

Black list: A filtering mode that is used to filter the packet according to the source IP address. Compared with the ACL, the black list can filter the packet at a high speed because its matching region is simple. It can shield the packet from the specified IP address.

C

CLI: Command Line Interface. An interface that allows the user to interact with the operating system. Users can configure and manage the NE80E/40E by entering commands through the CLI.

Congestion avoidance: A flow control mechanism by which the network overload is relieved by adjusting the network traffic. When the congestion occurs and becomes worse, the packet is discarded by monitoring the network resource.

Congestion management: A flow control measure to solve the problem of network resource competition. When the network congestion occurs, it places the packet into the queue for buffer and determines the order of forwarding the packet.

Command line level: The priority of the system command, which is divided into 4 levels. Users of a level can run only commands of the same or a lower level.

E

Ethernet: A baseband LAN specification created by Xerox and developed by Xerox, Intel, and Digital Equipment Corporation (DEC). This specification is similar to IEEE 802.3.

Ethernet_II: An encapsulation format of the Ethernet frame. Ethernet_II, which contains a 16-bit protocol type field, is the standard ARPA Ethernet Version 2.0 encapsulation.

Ethernet_SNAP: An encapsulation format of the Ethernet frame. The frame format complies with RFC 1042 and enables the transmission of the Ethernet frame on the IEEE 802.2 media.

F

FIFO: First In First Out. A queuing scheme in which the first data into the network is also the first data out of the network.

File system: A method in which files and directories in the storage devices are managed, such as creating a file system; creating, deleting, modifying and renaming a file or directory; or displaying the contents of the file.

FTP: File Transfer Protocol. An application protocol in the TCP/IP stack, used for transferring files between remote hosts. FTP is implemented based on the file system.

H

HGMPv2: Huawei Group Management Protocol Version 2. A protocol with which the discovery, topology collection, centralized management and remote maintenance are implemented on Layer 2 devices of a cluster that are connected with the router.

I

Information center: The information hinge in the MA5200G that can classify and filter the output information.

IPv6: Internet Protocol Version 6. Replacement for the current version of IP (version 4) designed by the IETF. It is the second generation standard protocol of the internet layer and is also called IPng (next generation). The length of the IP address in IPv6 is 128 bits, and the length of the IP address in IPv4 is 32 bits.

IP negotiated: An attribute of the interface. When the user accesses the Internet through the ISP, the IP address is usually allocated by the peer server. The PPP packet must be encapsulated and the IP address negotiated attribute must be configured on the interface so that the local interface accepts the IP address allocated by the peer end through the PPP negotiation.

IP unnumbered: A mechanism in which an interface that is not configured with an IP address can borrow the IP address of an interface that is configured with an IP address, to save IP address resources.

ISATAP tunnel: Intra-site Automatic Tunnel Addressing Protocol. A protocol that is used for the IPv4/IPv6 host in the IPv4 network to access the IPv6 network. The ISATAP tunnel can be established between ISATAP hosts or between an ISATAP host and an ISATAP router.

ISIS-TE: Traffic engineering of IS-IS. (For information on IS-IS, refer to Acronyms and Abbreviations.)

L

LAN interface: Local Area Network interface. Often an Ethernet interface through which the router can exchange data with the network devices in a LAN.

License: Permission for some features that dynamically controls the product.

Logical interface: A configured interface that can exchange data but does not exist physically. A logical interface can be a sub-interface, virtual-template interface, virtual Ethernet interface, Loopback interface, Null interface or Tunnel interface.

M

MIB: Management Information Base. A database of variables of the monitored network device. It can uniquely define a managed object.

Modem: Modulator-demodulator. A device that converts between digital and analog signals.

Multicast: A process of transmitting packets of data from one source to many destinations. The destination address of the multicast packet uses a Class D address, that is, the IP address ranges from 224.0.0.0 to 239.255.255.255. Each multicast address represents a multicast group rather than a host.

N

NDP: Neighbor Discovery Protocol. A protocol that is used to discover the information of the neighboring Huawei device that is connected with the local device.

NMS: Network Management System. A system that sends various query packets, receives the response packets and trap packets from the managed devices, and displays all the information.

NTDP: A protocol that is used to collect the information of the adjacency and the backup switch of each device in the network.

NTP: Network Time Protocol. An application protocol that is used to synchronize the distributed server and the client side.

O

OSPF-TE: Traffic engineering of OSPF. (For information on OSPF, refer to Acronyms and Abbreviations.)

P

Policy-based routing: A routing scheme that forwards packets to specific interfaces based on user-configured policies.

R

Regular expression: When a lot of information is output, you can filter the unnecessary contents out with regular expressions and display the necessary contents.

RMON: Remote monitoring. An MIB agent specification defined by the IETF that defines functions for the remote monitoring of the data flow of a network segment or the whole network.

router: A device on the network layer that selects routes in the network. The router selects the optimal route according to the destination address of the received packet through a network and forwards the packet to the next router. The last router is responsible for sending the packet to the destination host.

RRPP: Rapid Ring Protection Protocol. A protocol that is applied on the data link layer. When the Ethernet ring is complete, it can prevent the broadcast storm caused by the data loop. When a link is disconnected on an Ethernet ring, it can rapidly restore the communication link between the nodes on the ring network.

RSVP-TE: Traffic engineering of RSVP. (For information on RSVP, refer to Acronyms and Abbreviations.)

S

Service tracing: A method of service debugging, diagnosis and error detection that is mainly used by service personnel to locate faults in user access. Service tracing can output the status changes and the results of the protocol processing of the specified user during access to the terminal or the server, for the reference and analysis of the service personnel.

SSH: Secure Shell. A protocol that provides a secure connection to a router through a TCP application.

Static ARP: A protocol that binds some IP addresses to a specified gateway. The packets of these IP addresses must be forwarded through this gateway.

System environment: Basic parameters for running the MA5200G, such as host name, language mode and system time. After configuration, the system environment can meet the requirements of the actual environment.

T

Telnet: An application protocol of the TCP/IP stack that provides virtual terminal services for a wide variety of remote systems.

Terminal: A device that is connected with other devices through the serial port. The keyboard and the display have no disk drives.

Traffic policing: A process used to measure the actual traffic flow across a given connection and compare it to the total admissible traffic flow for that connection. When the traffic exceeds the flow that is agreed upon, some restrictions or penalties are adopted to protect the interests and the network resources of the operator.

Traffic shaping: A flow control measure to shape the flow rate. It is often used to control the flow in regular amounts to ensure that the traffic is within the traffic stipulated for the downstream router, and prevents unnecessary discards and congestion.

Tunnel: A secure communication path between two peers in the VPN that protects the internal information of the VPN from interruption.

V

VPN: Virtual Private Network. A new technology developed with the Internet to provide an apparent single private network over a public network. "Virtual" means the network is a logical network.

VRP: Versatile Routing Platform. A versatile routing operating system platform developed for all data communication products of Huawei. With the IP service as its core, the VRP adopts a componentized architecture. The VRP realizes rich functions and provides tailorability and scalability based on applications.

VRRP: Virtual Router Redundancy Protocol. An error tolerant protocol defined in RFC 2338. It forms a backup group for a group of routers in a LAN that functions as a virtual router.

VTY: Virtual type terminal. A terminal line that is used to access a router through Telnet.

X

X.25: A protocol applied on the data link layer that defines how connections between DTE and DCE are maintained for remote terminal access and computer communications in PDNs.

XModem: A transmission protocol in the format of the binary code.

XOT: X.25 over TCP. A protocol that implements the interconnection between two X.25 networks through TCP packets bearing X.25 frames.

B Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.
Numerics

3DES: Triple Data Encryption Standard

A

AAA: Authentication, Authorization and Accounting
ACL: Access Control List
ARP: Address Resolution Protocol
AES: Advanced Encryption Standard
ASPF: Application Specific Packet Filter
AUX: Auxiliary port

B

BGP: Border Gateway Protocol

C

CBQ: Class-based Queue
CHAP: Challenge Handshake Authentication Protocol
CQ: Custom Queuing
CR-LDP: Constraint-based Routing LDP

D

DES: Data Encryption Standard
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System

E

ESP: Encapsulating Security Payload

F

FR: Frame Relay

G

GRE: Generic Routing Encapsulation

H

HDLC: High Level Data Link Control

I

IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
IPSec: IP Security
IS-IS: Intermediate System-to-Intermediate System intra-domain routing information exchange protocol
ITU-T: International Telecommunication Union Telecommunications Standardization Sector

L

L2TP: Layer Two Tunneling Protocol
LAPB: Link Access Procedure Balanced
LDP: Label Distribution Protocol

M

MAC: Medium Access Control
MBGP: Multiprotocol Extensions for BGP-4
MFR: Multiple Frame Relay
MP: MultiLink PPP
MPLS: Multiprotocol Label Switching
MSDP: Multicast Source Discovery Protocol
MTU: Maximum Transmission Unit

N

NAT: Network Address Translation

O

OAM: Operation, Administration and Maintenance
OSPF: Open Shortest Path First

P

PAP: Password Authentication Protocol
PE: Provider Edge
Ping: Ping (Packet Internet Groper)
PPP: Point-to-Point Protocol
PPPoA: PPP over AAL5
PPPoE: Point-to-Point Protocol over Ethernet
PPPoEoA: PPPoE on AAL5
PQ: Priority Queuing

Q

QoS: Quality of Service

R

RADIUS: Remote Authentication Dial In User Service
RIP: Routing Information Protocol
RPR: Resilient Packet Ring
RSVP: Resource Reservation Protocol

S

SFTP: SSH File Transfer Protocol

T

TE: Traffic Engineering
TCP: Transmission Control Protocol
TFTP: Trivial File Transfer Protocol

V

VPN: Virtual Private Network
VRP: Versatile Routing Platform
VRRP: Virtual Router Redundancy Protocol

W

WAN: Wide Area Network
WFQ: Weighted Fair Queuing
WRED: Weighted Random Early Detection

X

XOT: X.25 Over TCP