Uploaded by Thiago Andrade Rangel

NE40E&80E V600R008C10 Configuration Guide - Basic Configurations 01(pdf)

HUAWEI NetEngine80E/40E Router
V600R008C10
Configuration Guide - Basic Configurations
Issue: 02
Date: 2014-09-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2014-09-30)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
About This Document
Purpose
This section describes the organization, product version, intended audience, conventions, and
change history of this document.
NOTE
• This document provides examples of the NE40E-X8 interface numbers and link types. The actual interface numbers and link types may be different from those provided in this document.
• On the NE80E/40E series excluding NE40E-X1 and NE40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On the NE40E-X1 and NE40E-X2, there are no LPUs or SFUs, and NPUs implement the same functions as LPUs and SFUs to exchange and forward packets.
NOTICE
Note the following precautions:
• The encryption algorithms DES/3DES/SKIPJACK/RC2/RSA (RSA-1024 or lower)/MD2/MD4/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) provide low security and may introduce security risks. If the protocols allow it, using more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended.
• If the plain parameter is specified, the password is saved in plaintext in the configuration file, which poses a high security risk. Therefore, specifying the cipher parameter is recommended. To further improve device security, change the password periodically.
• Do not set both the start and end characters of a password to "%$%$". Doing so causes the password to be displayed directly in the configuration file.
Related Versions
The following table lists the product versions related to this document.
Product Name                      Version
HUAWEI NetEngine80E/40E Router    V600R008C10
Intended Audience
This document is intended for:
• Commissioning engineers
• Data configuration engineers
• Network monitoring engineers
• System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol    Description
• Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
• Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
• Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
• Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
• Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[]                  Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Changes in Issue 02 (2014-09-30)
This issue is the second official release.
Changes in Issue 01 (2014-06-30)
This issue is the first official release.
Contents
About This Document
1 Logging In to the System for the First Time
1.1 Introduction to Log In to the Device for the First Time
1.2 Logging In to the Device Through the Console Port
1.2.1 Before You Start
1.2.2 Establishing the Physical Connection
1.2.3 Logging In to the Device
1.3 Logging In to the router That Supports the Plug-and-Play Function
2 CLI Overview
2.1 CLI Introduction
2.1.1 Command Line Interface
2.1.2 Command Levels
2.1.3 Command Line Views
2.2 Online Help
2.2.1 Full Help
2.2.2 Partial Help
2.2.3 Command Line Interface Error Messages
2.3 CLI Features
2.3.1 Editing
2.3.2 Displaying
2.3.3 Regular Expressions
2.3.4 Previously-Used Commands
2.3.5 Batch Command Execution
2.4 Shortcut Keys
2.4.1 Classifying Shortcut Keys
2.4.2 Defining Shortcut Keys
2.4.3 Using Shortcut Keys
2.5 Configuration Examples
2.5.1 Running Commands in Batches
2.5.2 Using the Tab Key
2.5.3 Using Shortcut Keys
2.5.4 Copying Commands Using Shortcut Keys
3 Basic Configuration
3.1 Configuring the Basic System Environment
3.1.1 Before You Start
3.1.2 Switching the Language Mode
3.1.3 Configuring the Equipment Name
3.1.4 Setting the System Clock
3.1.5 Configuring a Header
3.1.6 Configuring Command Levels
3.1.7 Configuring the undo Command to Automatically Match the Higher-Level View
3.2 Displaying System Status Messages
3.2.1 Displaying System Configuration
3.2.2 Displaying the System Status
3.2.3 Collecting System Diagnostic Information
4 Configuring User Interfaces
4.1 User Interface Overview
4.2 Configuring the Console User Interface
4.2.1 Before You Start
4.2.2 Setting Physical Attributes of the Console User Interface
4.2.3 Setting Terminal Attributes of the Console User Interface
4.2.4 Configuring the User Privilege of the Console User Interface
4.2.5 Configuring the User Authentication Mode of the Console User Interface
4.2.6 Checking the Configuration
4.3 Configuring the AUX User Interface
4.3.1 Before You Start
4.3.2 Setting Physical Attributes of the AUX User Interface
4.3.3 Setting Terminal Attributes of the AUX User Interface
4.3.4 Setting the User Priority of the AUX User Interface
4.3.5 Setting Modem Attributes of the AUX User Interface
4.3.6 (Optional) Configuring Auto-Execute Commands of the AUX User Interface
4.3.7 Setting the User Authentication Mode of the AUX User Interface
4.3.8 Checking the Configuration
4.4 Configuring the VTY User Interface
4.4.1 Before You Start
4.4.2 Configuring the Maximum Number of VTY User Interfaces
4.4.3 (Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces
4.4.4 Setting the Terminal Attributes of the VTY User Interface
4.4.5 Setting the User Priority of the VTY User Interface
4.4.6 Setting the User Authentication Mode of the VTY User Interface
4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces
4.4.8 Checking the Configuration
4.5 Configuration Examples
4.5.1 Example for Configuring the Console User Interface
4.5.2 Example for Configuring the AUX User Interface
4.5.3 Example for Configuring a VTY User Interface
5 Configuring User Login
5.1 User Login Overview
5.2 Logging In to Devices Through the Console Port
5.2.1 Before You Start
5.2.2 Logging In to the Device Using a Console Port
5.2.3 (Optional) Configuring the Console User Interface
5.2.4 Checking the Configuration
5.3 Logging In to Devices Through the AUX Port
5.3.1 Before You Start
5.3.2 Logging In to the Device Through an AUX Port
5.3.3 (Optional) Configuring the AUX User Interface
5.3.4 Checking the Configuration
5.4 Using Telnet to Log In to Devices
5.4.1 Before You Start
5.4.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface
5.4.3 Enabling the Telnet Service
5.4.4 Using Telnet to Log In to the Device
5.4.5 (Optional) Configuring the Listening Port Number of the Telnet Server
5.4.6 (Optional) Configuring Telnet Access Control
5.4.7 Checking the Configuration
5.5 Using STelnet to Log In to Devices
5.5.1 Before You Start
5.5.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface
5.5.3 Configuring SSH for the VTY User Interface
5.5.4 Configuring an SSH User and Specifying the Service Types
5.5.5 Enabling the STelnet Server Function
5.5.6 Using STelnet to Log In to the Device
5.5.7 (Optional) Configuring the STelnet Server Parameters
5.5.8 Checking the Configuration
5.6 Common Operations After Login
5.6.1 Before You Start
5.6.2 Locking User Interfaces
5.6.3 Sending Messages to Other User Interfaces
5.6.4 Displaying Login Users
5.6.5 Clearing Logged-in Users
5.6.6 Configuring Configuration Locking
5.7 Configuration Examples
5.7.1 Example for Using a Console Port to Configure User Login
5.7.2 Example for Logging In Through the AUX Port
5.7.3 Example for Configuring User Login Through Telnet
5.7.4 Example for Using STelnet to Configure User Login
6 Managing the File System
6.1 File System Overview
6.1.1 File System
6.1.2 File Management Methods
6.2 Using the File System to Manage Files
6.2.1 Before You Start
6.2.2 Managing Storage Devices
6.2.3 Managing Directories
6.2.4 Managing Files
6.3 Using FTP to Manage Files
6.3.1 Before You Start
6.3.2 Configuring a Local FTP User
6.3.3 (Optional) Specifying a Port Number for the FTP Server
6.3.4 Enabling the FTP Server
6.3.5 (Optional) Configuring the FTP Server Parameters
6.3.6 (Optional) Configuring an FTP ACL
6.3.7 Using FTP to Access the System
6.3.8 Using FTP Commands to Manage Files
6.3.9 Checking the Configuration
6.4 Using SFTP to Manage Files
6.4.1 Before You Start
6.4.2 Configuring the VTY User Interface
6.4.3 Configuring SSH for the VTY User Interface
6.4.4 Configuring an SSH User and Specifying SFTP as One of the Service Types
6.4.5 Enabling the SFTP Service
6.4.6 (Optional) Configuring the SFTP Server Parameters
6.4.7 Using SFTP to Access the System
6.4.8 Using SFTP to Manage Files
6.4.9 Checking the Configuration
6.5 Using Xmodem to Manage Files
6.5.1 Before You Start
6.5.2 Obtaining a File Through Xmodem
6.6 Configuration Examples
6.6.1 Example for Using the File System to Manage Files
6.6.2 Example for Using FTP to Manage Files
6.6.3 Example for Using SFTP to Manage Files
6.6.4 Example for Using Xmodem to Perform File Operations
7 Configuring System Startup
7.1 System Startup Overview...........................................................................................................................................173
7.1.1 System Software......................................................................................................................................................173
7.1.2 Configuration Files..................................................................................................................................................173
7.1.3 Configuration Files and Current Configurations.....................................................................................................173
7.2 Managing Configuration Files....................................................................................................................................174
7.2.1 Before You Start......................................................................................................................................................174
7.2.2 Saving Configuration Files......................................................................................................................................175
7.2.3 Clearing a Configuration File..................................................................................................................................177
7.2.4 Comparing Configuration Files...............................................................................................................................178
7.2.5 Checking the Configuration.....................................................................................................................................179
7.3 Specifying a File for System Startup..........................................................................................................................180
7.3.1 Before You Start......................................................................................................................................................180
7.3.2 Configuring System Software for the router to Load at the Next Startup...............................................................180
7.3.3 Configuring the Configuration File for the Router to Load at the Next Startup.....................................................181
7.3.4 Checking the Configuration.....................................................................................................................................181
7.4 Configuration Examples.............................................................................................................................................182
7.4.1 Example for Configuring System Startup...............................................................................................................182
8 Accessing Another Device.......................................................................................................185
8.1 Accessing Another Device.........................................................................................................................................187
8.1.1 Telnet Method..........................................................................................................................................................187
8.1.2 FTP Method.............................................................................................................................................................189
8.1.3 TFTP Method..........................................................................................................................................................189
8.1.4 SSH Method............................................................................................................................................................190
8.2 Using Telnet to Log In to Other Devices...................................................................................................................191
8.2.1 Before You Start......................................................................................................................................................191
8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client............................................................................192
8.2.3 Using Telnet to Log In to Another Device..............................................................................................................193
8.2.4 Checking the Configuration.....................................................................................................................................193
8.3 Using Telnet Redirection to Connect to Another Device...........................................................................................194
8.3.1 Before You Start......................................................................................................................................................194
8.3.2 Enabling Telnet Redirection....................................................................................................................................195
8.3.3 Using Telnet Redirection to Connect to Another Device........................................................................................196
8.3.4 Checking the Configuration.....................................................................................................................................196
8.4 Using STelnet to Log In to Another Device...............................................................................................................197
8.4.1 Before You Start......................................................................................................................................................197
8.4.2 Enabling First-Time Authentication on the SSH Client..........................................................................................198
8.4.3 Allocating a Public Key to the SSH Server.............................................................................................................199
8.4.4 Using STelnet to Log In to Another Device............................................................................................................200
8.4.5 Checking the Configuration.....................................................................................................................................201
8.5 Using TFTP to Access Files on Another Device........................................................................................................202
8.5.1 Before You Start......................................................................................................................................................202
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client.............................................................................202
8.5.3 (Optional) Configuring TFTP Access Authority.....................................................................................................203
8.5.4 Using TFTP to Download Files...............................................................................................................................204
8.5.5 Using TFTP to Upload Files....................................................................................................................................205
8.5.6 Checking the Configuration.....................................................................................................................................205
8.6 Using FTP to Access Files on Another Device..........................................................................................................206
8.6.1 Before You Start......................................................................................................................................................206
8.6.2 (Optional) Configuring the Source IP Address and Interface of the FTP Client.....................................................206
8.6.3 Connecting to Other Devices Using FTP Commands.............................................................................................207
8.6.4 Using FTP Commands to Manage Files..................................................................................................................208
8.6.5 Changing Login Users.............................................................................................................................................211
8.6.6 Disconnecting from the FTP Server........................................................................................................................211
8.6.7 Checking the Configuration.....................................................................................................................................212
8.7 Using SFTP to Access Files on Another Device........................................................................................................212
8.7.1 Before You Start......................................................................................................................................................212
8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client...........................................................................213
8.7.3 Enabling the First-Time Authentication on the SSH Client....................................................................................213
8.7.4 Allocating a Public Key to the SSH Server.............................................................................................................214
8.7.5 Using SFTP to Connect to Other Devices...............................................................................................................216
8.7.6 Using SFTP Commands to Manage Files................................................................................................................217
8.7.7 Checking the Configuration.....................................................................................................................................219
8.8 Configuration Examples.............................................................................................................................................220
8.8.1 Example for Using Telnet to Log In to Another Device.........................................................................................220
8.8.2 Example for Using Telnet Redirection to Log In to Another Device......................................................................222
8.8.3 Example for Using Telnet on a VPN to Log In to Another Device........................................................................224
8.8.4 Example for Using STelnet (RSA Authentication Mode) to Log In to the SSH Server.........................................226
8.8.5 Example for Using STelnet (DSA Authentication Mode) to Log In to the SSH Server.........................................232
8.8.6 Example for Using TFTP to Access Files on Another Device................................................................................238
8.8.7 Example for Configuring Access to the TFTP Server on the Public Network When the Management VPN Instance Is Used..............................................................................................................................................................................241
8.8.8 Example for Using FTP to Access Files on Another Device..................................................................................243
8.8.9 Example for Configuring Access to the FTP Server on the Public Network When the Management VPN Instance Is Used..................................................................................................................................................................................245
8.8.10 Example for Using SFTP (RSA Authentication Mode) to Access Files on Another Device................................246
8.8.11 Example for Using SFTP (DSA Authentication Mode) to Log In to the SSH Server..........................................252
8.8.12 Example for Configuring Access to the SFTP Server on the Public Network When the Management VPN Instance Is Used..............................................................................................................................................................................258
8.8.13 Example for Accessing the SSH Server Through Other Ports..............................................................................264
9 Clock Synchronization Configuration..................................................................................271
9.1 Introduction to Clock Synchronization Configuration...............................................................................................272
9.1.1 Overview of Clock Synchronization Configuration................................................................................................272
9.1.2 Clock Synchronization Supported by the NE80E/40E............................................................................................272
9.2 Setting Basic Clock Synchronization Configurations................................................................................................272
9.2.1 Before You Start......................................................................................................................................................273
9.2.2 Setting Basic Configurations for Clock Synchronization........................................................................................273
9.2.3 Checking the Configuration.....................................................................................................................................274
9.3 Configuring an External BITS Clock Source.............................................................................................................275
9.3.1 Before You Start......................................................................................................................................................275
9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock..............................................276
9.3.3 Configuring an External Clock Source and Its Signal Type on the router..............................................................276
9.3.4 Checking the Configuration.....................................................................................................................................277
9.4 Configuring a Clock Reference Source Manually or Forcibly...................................................................................277
9.4.1 Before You Start......................................................................................................................................................277
9.4.2 Configuring a Clock Reference Source...................................................................................................................278
9.4.3 Checking the Configuration.....................................................................................................................................279
9.5 Configuring Clock Protection Switching Based on SSM Levels...............................................................................280
9.5.1 Before You Start......................................................................................................................................................280
9.5.2 Configuring the Router to Automatically Select Clock Sources.............................................................................280
9.5.3 Enabling SSM..........................................................................................................................................................281
9.5.4 Configuring the SSM Level of the Clock Reference Source...................................................................................281
9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs............................................................282
9.5.6 Setting the Modes of Extracting SSM Levels.........................................................................................................282
9.5.7 (Optional) Configuring the Extended SSM..............................................................................................................283
9.5.8 Checking the Configuration.....................................................................................................................................285
9.6 Configuring Clock Protection Switching Based on Priorities....................................................................................285
9.6.1 Establishing the Configuration Task.......................................................................................................................285
9.6.2 Configuring the Router to Automatically Select Clock Sources.............................................................................285
9.6.3 Disabling SSM.........................................................................................................................................................286
9.6.4 Setting Priorities of Clock Reference Sources........................................................................................................286
9.6.5 Checking the Configuration.....................................................................................................................................287
9.7 Configuring Ethernet Clock Synchronization............................................................................................................288
9.7.1 Before You Start......................................................................................................................................................288
9.7.2 Enabling Ethernet Clock Synchronization..............................................................................................................289
9.7.3 Configuring Ethernet Clock Source........................................................................................................................289
9.7.4 Checking the Configuration.....................................................................................................................................290
9.8 Configuration Examples of Clock Synchronization...................................................................................................292
9.8.1 Example for Configuring Protection Switchover of Clock Sources........................................................................292
10 1588v2 Configuration..............................................................................................................300
10.1 Overview of 1588v2.................................................................................................................................................302
10.1.1 Introduction...........................................................................................................................................................302
10.1.2 1588v2 Features Supported by the NE80E/40E....................................................................................................307
10.2 Configuring 1588v2 on OC......................................................................................................................................309
10.2.1 Before You Start....................................................................................................................................................309
10.2.2 Configuring 1588v2 Globally................................................................................................................................310
10.2.3 Configuring 1588v2 on an Interface......................................................................................................................311
10.2.4 Configuring Time Attributes for 1588v2 Packets.................................................................................................312
10.2.5 Configuring Encapsulation Modes for 1588v2 Packets........................................................................................314
10.2.6 Checking the Configurations.................................................................................................................................316
10.3 Configuring 1588v2 on BC......................................................................................................................................317
10.3.1 Before You Start....................................................................................................................................................317
10.3.2 Configuring 1588v2 Globally................................................................................................................................319
10.3.3 Configuring 1588v2 on an Interface......................................................................................................................320
10.3.4 Configuring Time Attributes for 1588v2 Packets.................................................................................................321
10.3.5 Configuring Encapsulation Types for 1588v2 Packets.........................................................................................323
10.3.6 Checking the Configurations.................................................................................................................................325
10.4 Configuring 1588v2 on TC.......................................................................................................................................328
10.4.1 Establishing the Configuration Task.....................................................................................................................328
10.4.2 Configuring 1588v2 Globally................................................................................................................................330
10.4.3 Configuring 1588v2 on an Interface......................................................................................................................331
10.4.4 Configuring Time Attributes for 1588v2 Packets.................................................................................................332
10.4.5 Configuring Encapsulation Types for 1588v2 Packets.........................................................................................333
10.4.6 Checking the Configurations.................................................................................................................................335
10.5 Configuring 1588v2 on TCandBC...........................................................................................................................336
10.5.1 Before You Start....................................................................................................................................................336
10.5.2 Configuring 1588v2 Globally................................................................................................................................338
10.5.3 Configuring 1588v2 on an Interface......................................................................................................................339
10.5.4 Configuring Time Attributes for 1588v2 Packets.................................................................................................341
10.5.5 Configuring Encapsulation Types for 1588v2 Packets.........................................................................................342
10.5.6 Checking the Configurations.................................................................................................................................344
10.6 Configuring the 1588v2 Time Source......................................................................................................................346
10.6.1 Before You Start....................................................................................................................................................346
10.6.2 Configuring BITS Signals to Participate in the BMC Calculation........................................................................346
10.6.3 Configuring Attributes for the 1588v2 Time Source.............................................................................................349
10.6.4 Checking the Configurations.................................................................................................................................350
10.7 Configuring 1588 ACR............................................................................................................................................351
10.7.1 Checking the Configurations.................................................................................................................................351
10.7.2 Configuring the Unicast Negotiation Function for a Client..................................................................................352
10.7.3 Configuring the Unicast Negotiation Function for a Server..................................................................................354
10.7.4 (Optional) Adjusting Parameters for Establishing a Unicast Negotiation Connection.........................................355
10.7.5 Checking the Configurations.................................................................................................................................357
10.8 Maintaining 1588v2..................................................................................................................................................359
10.8.1 Clearing 1588v2 Statistics.....................................................................................................................................359
10.8.2 Monitoring 1588v2................................................................................................................................................360
10.9 1588 ACR Maintenance...........................................................................................................................................362
10.9.1 Clearing 1588 ACR Statistics................................................................................................................................363
10.10 Configuration Examples.........................................................................................................................................363
10.10.1 Example for Configuring the BITS as the 1588v2 Clock Source.......................................................................363
10.10.2 Example for Restoring Frequency Synchronization Between an IP Clock Server and NodeBs Through 1588v2 Packets..............................................................................................................................................................................368
10.10.3 Example for Synchronizing Frequencies Through the Integration of the 1588v2 Clock, Synchronous Ethernet Clock, and WAN Clock....................................................................................................................................................369
10.10.4 Checking the Configurations...............................................................................................................................373
10.10.5 Example for Configuring Clock Synchronization of an Entire Network Through Multicast MAC-Encapsulated 1588v2 Packets.................................................................................................................................................................374
10.10.6 Example for Configuring 1588 ACR Clock Synchronization in a Single-Server Scenario................................378
11 Device Maintenance................................................................................................................382
11.1 Introduction of Device Maintenance........................................................................................................................384
11.1.1 Overview of Device Maintenance.........................................................................................................................384
11.1.2 Maintenance Features Supported by the NE80E/40E...........................................................................................384
11.2 Configuring an E-label for the Backplane of the NE80E.........................................................................................384
11.3 Configuring an Energy Saving Mode.......................................................................................................................385
11.4 Configuring the System MAC Address....................................................................................................................386
11.5 Powering off the MPU
11.5.1 Before You Start
11.5.2 Powering off the Slave MPU
11.5.3 Checking the Configuration
11.6 Powering off the SFU
11.6.1 Before You Start
11.6.2 Powering off the SFU
11.6.3 Checking the Configuration
11.7 Powering off the NPU
11.7.1 Before You Start
11.7.2 Powering off the NPU
11.7.3 Checking the Configuration
11.8 Powering Off the LPU
11.8.1 Before You Start
11.8.2 Powering Off the LPU
11.8.3 Checking the Configuration
11.9 (Optional) Configuring the NE80E with 5000 W power consumption to Power on LPUF-40s/LPUI-40s
11.10 Configuring the Input Power of a Power Module
11.11 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
11.11.1 Before You Start
11.11.2 Restoring the Outbound Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
11.11.3 Checking the Configuration
11.12 Configuring an Access Mode for a Device
11.12.1 Before You Start
11.12.2 Configuring an Access Mode for a Device
11.12.3 Checking the Configuration
11.13 Configuring a Working Mode for an LPU
11.13.1 Before You Start
11.13.2 Configuring a Working Mode for an LPU
11.13.3 Checking the Configuration
11.14 Configuring a Working Mode for an LPUF-40 or LPUF-20/21
11.14.1 Before You Start
11.14.2 Configuring a Service Mode for an LPUF-20/21 or LPUF-40
11.14.3 Checking the Configuration
11.15 Configuring Automatic Board Reset
11.16 Setting the Working Mode of the 1-Port OC-192c/STM-64c POS-XFP Flexible Card on the LPUF-10
11.16.1 Before You Start
11.16.2 Setting the Working Mode of the 1-Port OC-192c/STM-64c POS-XFP Flexible Card on the LPUF-10
11.17 (Optional) Configuring Periodic Reliability Detection on 2-Port OC-12c/STM-4c ATM-SFP Flexible Cards on LPUF-10s
11.18 Configuring the CMU
11.18.1 Before You Start
11.18.2 Configuring Monitor Items for a CMU
11.18.3 Checking the Configuration
11.19 Configuring Link-heartbeat Loopback Detection
11.20 Configuring a Cleaning Cycle for the Air Filter
11.20.1 Before You Start
11.20.2 Configuring a Cleaning Cycle for the Air Filter
11.20.3 Monitoring the Cleaning Cycle of the Air Filter After Cleaning It
11.20.4 Checking the Configuration
11.21 Monitoring the Device Status
11.21.1 Displaying the System Version Information
11.21.2 Displaying Basic Information About the Router
11.21.3 Displaying the Electronic Label
11.21.4 Displaying the Soft Boot Mode
11.21.5 Displaying the Threshold of the Memory Usage
11.21.6 Displaying the Threshold of CPU Usage
11.21.7 Displaying Alarm Information
11.21.8 Displaying the Board Temperature
11.21.9 Displaying the Board Voltage
11.21.10 Displaying the Power Supply Status
11.21.11 Displaying Current Information About Boards
11.21.12 Displaying Environment Information About the Device
11.21.13 Displaying the Fan Status
11.21.14 Displaying the Sequence Number of the MPU
11.21.15 Displaying the Next Start Mode of the Board
11.21.16 Displaying the Number of the Registered SFUs By Default
11.22 Board Maintenance
11.22.1 Resetting a Board
11.22.2 Clearing CPU Usage Statistics
11.23 Configuration Examples of the Device Maintenance
11.23.1 Example for Powering off the MPU
11.23.2 Example for Powering off the SFU
11.23.3 Example for Powering off the LPU
12 Device Upgrading
12.1 Device Upgrade Overview
12.2 Upgrade Modes Supported by the NE80E/40E
13 Patch Management
13.1 Patch Management Introduction
13.1.1 Patch Management Overview
13.1.2 Patches Supported by the NE80E/40E
13.2 Checking Whether a Patch is Running in the System
13.2.1 Before You Start
13.2.2 Checking the Running of a Patch in the System
13.2.3 (Optional) Deleting a Patch
13.3 Loading a Patch
13.3.1 Before You Start
13.3.2 Loading a Patch
13.3.3 Checking the Configuration
13.4 Installing a Patch
13.4.1 Establishing the Configuration Task
13.4.2 Loading a Patch
13.4.3 Activating a Patch
13.4.4 Running a Patch
13.4.5 Checking the Configuration
13.5 (Optional) Deactivating the Patch
13.5.1 Before You Start
13.5.2 Deactivating a Patch
13.5.3 Checking the Configuration
13.6 Configuration Examples for Patch Management
13.6.1 Example for Installing a Patch
A Glossary
B Acronyms and Abbreviations
1 Logging In to the System for the First Time
About This Chapter
This chapter describes how to log in to a new router and configure it through the console port
or with the plug-and-play function.
1.1 Introduction to Log In to the Device for the First Time
You can use the console port or plug-and-play function to log in to and configure a router that
is being powered on for the first time.
1.2 Logging In to the Device Through the Console Port
This section describes how to establish the configuration environment by using the console port
to connect a terminal to a router.
1.3 Logging In to the router That Supports the Plug-and-Play Function
The plug-and-play function enables the router to automatically access the network and obtain
an IP address after being powered on, which allows engineers to remotely log in to the router
and perform basic configurations.
1.1 Introduction to Log In to the Device for the First Time
You can use the console port or plug-and-play function to log in to and configure a router that
is being powered on for the first time.
Logging in to the router Through the Console Port
The console port is a linear port on the main control board.
Each main control board provides one DCE console port that conforms to the EIA/TIA-232
standard. You can directly connect the serial interface of a terminal to the console port on the
router and then configure the router on the terminal.
NOTE
When a device is powered on for the first time, log in to the device through the console port because this
login is a prerequisite for other login modes. For example, you must log in to the device through the console
port to configure the IP address for Telnet login.
Logging in to the router Using the Plug-and-Play Function
NOTE
The plug-and-play function can be configured only on the X1, X2, and X3 models of the NE80E/40E.
When sites are being deployed, routers are installed far from equipment rooms. Sending software
commissioning engineers to deploy a network at the physical site is rather costly. When the
plug-and-play function is enabled, however, the router automatically obtains an IP address. After
installation engineers finish installing the hardware, software commissioning engineers are able
to remotely deliver configurations to the router through the NMS. This remote configuration
greatly simplifies the installation process and minimizes the number of required site visits,
thereby reducing costs.
The plug-and-play function is controlled by a PAF file, which users do not need to configure
manually. This function is automatically disabled after the router correctly obtains an IP address.
1.2 Logging In to the Device Through the Console Port
This section describes how to establish the configuration environment by using the console port
to connect a terminal to a router.
1.2.1 Before You Start
Before logging in to the router through the console port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This preparation will help you complete the configuration task quickly and
accurately.
Applicable Environment
When you power on the router for the first time, use the console port to log in to, configure, and
manage the router.
Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
- Install a terminal emulation program, for example, Windows XP HyperTerminal, on the PC.
- Prepare the RS-232 cable.
Data Preparation
To log in to the router through the console port, you need the following data.
No. | Data
1 | Terminal communication parameters: baud rate, data bit, parity, stop bit, and flow-control mode
NOTE
The system automatically uses default parameter values for the first login.
1.2.2 Establishing the Physical Connection
Use a console cable to connect the console port of the router to the COM port of a terminal.
Procedure
Step 1 Power on all devices and perform a self-check.
Step 2 Use a cable to connect the COM port on the PC with the console port on the router.
----End
1.2.3 Logging In to the Device
To manage a router that is being powered on for the first time, you can use the console port to
log in to it.
Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used when first logging in to the device.
Procedure
Step 1 Start a terminal emulation program, such as the HyperTerminal of Windows XP, on the PC and
establish a connection as shown in Figure 1-1.
NOTE
If your Windows OS does not provide HyperTerminal, visit the Microsoft website and
download HyperTerminal.
Figure 1-1 Creating a connection
Step 2 Set an interface, as shown in Figure 1-2.
Figure 1-2 Setting an interface
Step 3 Set communication parameters to match the router defaults, as shown in Figure 1-3.
Figure 1-3 Setting communication parameters
Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the new password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
NOTE
- If the device has the default password before delivery, enter the default password Admin@huawei.com
  to log in. The password is insecure, so you must change it immediately. For details on how to change
  the password, see 4.2.5 Configuring the User Authentication Mode of the Console User Interface.
- After you set the password for the user interface, you must use this user interface to log in to the
  system again. Use password authentication mode and enter the new password.
- The passwords must meet the following requirements:
  - The password input is in man-machine interaction mode, and the system does not display the
    entered password.
  - The password is a string of 8 to 16 case-sensitive characters. The password must contain at least
    two of the following character types: upper-case characters, lower-case characters, numbers, and
    special characters. Special characters exclude the question mark (?) and space. The configured
    password is displayed in the configuration file in ciphertext.
- After you restart the device using the console port, press Enter after the following information is
  displayed.
  Recover configuration...OK!
  Press ENTER to get started.
----End
1.3 Logging In to the router That Supports the Plug-and-Play Function
The plug-and-play function enables the router to automatically access the network and obtain
an IP address after being powered on, which allows engineers to remotely log in to the router
and perform basic configurations.
Context
NOTE
The plug-and-play function can be configured only on the X1, X2, and X3 models of the NE80E/40E.
The plug-and-play function takes effect only when the device is connected to a Dynamic Host
Configuration Protocol (DHCP) server. The device can be connected only to Huawei U2000,
which acts as a DHCP server.
When sites are being deployed, routers are installed far from equipment rooms. Sending software
commissioning engineers to deploy a network at the physical site is rather costly. When the
plug-and-play function is enabled, however, the router automatically obtains an IP address. After
installation engineers finish installing the hardware, software commissioning engineers are able
to remotely deliver configurations to the router through the NMS. This remote configuration
greatly simplifies the installation process and minimizes the number of required site visits,
thereby reducing costs. The plug-and-play function is controlled by a PAF file, which users do
not need to configure manually. This function is automatically disabled after the router correctly
obtains an IP address.
The process of logging in to the router that supports the plug-and-play function is as follows:
Procedure
Step 1 After planning the network, network planning engineers provide a planning list for software
commissioning engineers.
Step 2 Based on this planning list, software commissioning engineers configure the mappings between
the router locations and IP addresses on the DHCP server, compile configuration scripts, and
configure the mappings between these router locations and scripts.
Step 3 Hardware installation personnel install the router at the site and power it on.
Step 4 The router sends a DHCPREQUEST message to the DHCP server, and then the interface
connecting to the DHCP server obtains an IP address.
Step 5 The NMS delivers configurations to the router.
----End
Follow-up Procedure
When the router serves as the DHCP client that supports the plug-and-play function, you can
run the display pnp dhcp-option command to check the usage of the Options carried in the
packet delivered by the DHCP server. For example:
<HUAWEI> display pnp dhcp-option
********************************************************************************
sub 1 software version : NE40E-X3V600R005C00
sub 2 system name :
sub 3 Vlanif ID : 0
sub 4 Subif ID : 0,vlan ID : 0
config type : 0 (0 :SubIf and MainIf,1 :VlanIf,2 :Config failed)
sub 5 VPN NAME :
********************************************************************************
If no DHCP server is configured on the network or the router cannot obtain an IP address for
some reason, the router displays the following information:
PNP State!!!PLEASE UNDO PNP enable for manual Setup!
You can undo PNP in system view with "undo pnp enable"
Perform the following to disable the plug-and-play function:
1. Run the system-view command to enter the system view.
2. Run the undo pnp enable command to disable the plug-and-play function.
3. Run the undo pnp default route [ vpn-instance instance-name ] command to delete the
   default route generated by the plug-and-play function.
2 CLI Overview
About This Chapter
The command line interface (CLI) is used to configure and maintain devices.
2.1 CLI Introduction
After you log in to the router, a prompt is displayed, informing you that you can interact with
the router through the command line interface (CLI).
2.2 Online Help
When inputting command lines or configuring services, you can use the online help to obtain
immediate assistance.
2.3 CLI Features
The CLI provides several features that make it easy to use.
2.4 Shortcut Keys
System or user-defined shortcut keys make it easier to enter commands.
2.5 Configuration Examples
This section provides several examples that illustrate the use of command lines.
2.1 CLI Introduction
After you log in to the router, a prompt is displayed, informing you that you can interact with
the router through the command line interface (CLI).
2.1.1 Command Line Interface
You can use CLI commands to configure and manage the router.
The CLI enables you to access the following features and capabilities:
- Local or remote configuration through the AUX port.
- Local configuration through the console port.
- Local or remote configuration through Telnet or Secure Shell (SSH).
- Remote configuration by using Modem dialup to log in to an asynchronous serial interface
  on the router.
- The telnet command for directly logging in to and managing other routers.
- FTP service for uploading and downloading files.
- A user interface view for specific configuration management.
- A hierarchical command protection structure, which gives certain levels of users permission
  to run certain levels of commands.
- The ability to enter "?" anytime for online help.
- Two authentication modes, namely, password authentication, and Authentication,
  Authorization, and Accounting (AAA) authentication. Password and AAA authentication
  protect system security by prohibiting unauthorized users from logging in to the router.
- A command line interpreter, which provides intelligent text entry methods such as key word
  fuzzy match and context conjunction. These methods help users to enter commands easily
  and correctly.
- Network test commands such as tracert and ping, and abundant debugging information
  for fast network diagnostics.
- The ability to rerun a command that was used previously on the device, similar to DosKey.
NOTE
- The system supports commands that contain a maximum of 510 characters. A command does not have
  to be entered in full, as long as the part of the command entered is unique within the system. For
  example, to run the display current-configuration command, enter d cu, di cu, or dis cu. Entering
  d c or dis c will not run the command because these entries are not unique to the command.
- The system saves the complete form of incomplete commands to configuration files. Saved commands
  may have more than 510 characters. When the system restarts, incomplete commands cannot be
  restored. Therefore, pay attention to the length of incomplete commands before saving them.
2.1.2 Command Levels
The system hierarchically structures access to command functions to protect system security.
The system administrator sets user access levels that grant specific users access to specific
command levels.
By default, the user command level is a value ranging from 0 to 3, and the user access level is
a value ranging from 0 to 15. Table 2-1 lists the association between user access levels and
command levels.
Table 2-1 Association between user access levels and command levels
User Level | Command Level | Level Name | Description
0 | 0 | Visiting level | This level gives users access to commands that run network diagnostic tools (such as ping and tracert), commands that start from a local device and visit external devices (such as the Telnet client side), and a part of the display commands.
1 | 0 and 1 | Monitoring level | This level gives access to commands, like the display command, that are used for system maintenance and fault diagnosis. NOTE: Some display commands are not found at this level. For example, the display current-configuration and display saved-configuration commands are found in level 3. For details about command levels, see NE80E/40E Command Reference.
2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure network services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | These levels give access to commands that control basic system operations and provide support for services, such as the following command types: file system, FTP, TFTP, XModem downloading, configuration file switching, power supply control, backup board control, user management, level setting, and debugging for fault diagnosis.
For efficient management, you can increase the command levels to 0-15. For details on how to
increase the command levels, refer to "Configuring Command Levels" in Chapter 4 "Basic
Configuration" of the HUAWEI NetEngine80E/40E Configuration Guide - Basic Configurations.
NOTE
• The default command level may be higher than the actual command level.
• The level of command a user can run is determined by the user level.
• The user level corresponds to the command level. Logged-in users can use only the commands in
levels that are less than or equal to their own. The user privilege level level command sets the user level.
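The default association in Table 2-1 can be applied to a saved configuration to see which user interfaces grant management-level access (user management, level setting, file system, debugging). The following Python sketch is an added example, not part of the Huawei guide; the configuration excerpt is constructed, the function names are hypothetical, and the layout of user-interface blocks (indented sub-commands, # separators) is an assumption about the saved configuration format.

```python
import re

# Level names from Table 2-1, keyed by the highest default command level.
LEVEL_NAMES = {0: "Visiting", 1: "Monitoring", 2: "Configuration", 3: "Management"}

# Constructed excerpt of a saved configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
user-interface vty 16 20
 user privilege level 1
#
return
"""

# Assumed block header and sub-command layout of a saved configuration.
HEADER = re.compile(r"^user-interface\s+((?:con|aux|vty)\s+\d+(?:\s+\d+)?)\s*$")
LEVEL = re.compile(r"^\s+user privilege level\s+(\d+)\s*$")


def command_levels(user_level):
    """Default command levels (Table 2-1) that a user level of 0-15 may run."""
    if not 0 <= user_level <= 15:
        raise ValueError(f"user level out of range: {user_level}")
    return list(range(min(user_level, 3) + 1))


def audit_user_interfaces(config_text):
    """Return one finding per user-interface block found in config_text."""
    findings, current = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        header = HEADER.match(line)
        if header:
            current = {"interface": header.group(1), "user_level": None}
            findings.append(current)
            continue
        if not line.startswith(" "):
            # Any unindented line (including "#") ends the current block.
            current = None
            continue
        level = LEVEL.match(line)
        if current is not None and level:
            current["user_level"] = int(level.group(1))

    for finding in findings:
        user_level = finding["user_level"]
        if user_level is None:
            # No explicit level in this block: the platform default applies,
            # which this sketch does not guess.
            finding.update(command_levels=None, level_name="not set in this block",
                           management=None)
        else:
            levels = command_levels(user_level)
            finding.update(command_levels=levels,
                           level_name=LEVEL_NAMES[levels[-1]],
                           management=user_level >= 3)
    return findings


if __name__ == "__main__":
    for finding in audit_user_interfaces(SAMPLE_CONFIG):
        print(finding)
```

The mapping holds only while the command levels are at their defaults; if they have been increased to 0-15, the association in Table 2-1 no longer applies.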
Searching Commands Based on Command Levels
You can search for all commands at a specific level by performing the following steps:
1. Open the command reference (.chm) file.
2. Click the "Search" tab. The search window is displayed, as shown in Figure 2-1.
Figure 2-1 Search window
3. Enter the desired command level in the "Type in the word(s) to search for" textbox and
click "List Topics". All commands in the specified level are displayed as shown in Figure 2-2.
Figure 2-2 Searching for commands in a specific level
2.1.3 Command Line Views
The command line interface has different command views. Each command is registered to run
in one or more command views. You can run a command only after you enter an appropriate
command view.
The following example describes how you can enter the AAA view.
# Establish a connection to the router. If the router is using the default configurations, the
<HUAWEI> prompt indicates that you have entered the user view.
<HUAWEI>
# Run the system-view command to enter the system view.
<HUAWEI> system-view
[HUAWEI]
# Run the aaa command in the system view to enter the AAA view.
[HUAWEI] aaa
[HUAWEI-aaa]
NOTE
• The command prompt "HUAWEI" is the default host name.
• The prompt indicates a specific view. For example, "<HUAWEI>" indicates the user view, and
"[HUAWEI-ui-console0]" indicates the console user interface view.
• You can enter ! or # followed by a character string in any view. All entered content (including ! and
#) is displayed as comments. That is, the corresponding configuration is not generated.
Some commands can be used in more than one view, but their effects vary from view to view.
For example, the mpls command can be run in the system view to enable MPLS globally or in
the interface view to enable MPLS only on this interface.
2.2 Online Help
When inputting command lines or configuring services, you can use the online help to obtain
immediate assistance.
2.2.1 Full Help
When inputting a command, you can use the full help function to obtain keywords or parameters
for the command.
Procedure
• When you are inputting commands, you can use any of the following methods to obtain
full help:
– Enter a question mark (?) in any command line view to display command names and
descriptions for all commands in that view.
<HUAWEI> ?
User view commands:
  arp-ping             ARP-ping
  backup               Backup information
  batch-cmd            Batch commands
  board-channel-check  Board-Channel-Check enable/disable
  capture-packet       enable capturing packet
  cd                   Change current directory
  ...
  ...
– Enter a command and a question mark (?) separated by a space. All keywords associated
with this command, as well as simple descriptions, are displayed. For example:
<HUAWEI> language-mode ?
Chinese Chinese environment
English English environment
Chinese and English are keywords; Chinese environment and English
environment describe the keywords.
– Enter a command and a question mark (?) separated by a space. Parameter names for
this command, as well as parameter descriptions, are displayed. For example:
[HUAWEI] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout, the default value is 30 minutes
[HUAWEI] ftp timeout 35 ?
<cr>
[HUAWEI] ftp timeout 35
In this command output, INTEGER<1-35791> describes the parameter value and The
value of FTP timeout, the default value is 30 minutes is a simple description of what
the parameter sets. <cr> indicates that no parameters are associated with this command,
which is repeated in the next command line. You can press Enter to run the command.
----End
2.2.2 Partial Help
If you enter only the first character or first several characters of a command, partial help provides
keywords that begin with this character or character string.
Procedure
• Use any of the following methods to obtain partial help from a command line.
– Enter a character string followed directly by a question mark (?) to display all commands
that begin with this character string.
<HUAWEI> d?
  debugging            delete
  dir                  display
– Enter a command and a character string followed directly by a question mark (?) to
display all key words that begin with this character string.
<HUAWEI> display b?
  bas-interface        bfd
  bgp                  board-current
  board-power          board-type
  bootmode-current     bootmode-next
  bootrom              btv
  buffer               bulk-stat
– Enter the first several letters of a key word in the command and then press Tab to display
a complete key word. A complete keyword is displayed only if the partial string of letters
uniquely identifies a specific key word. If they do not identify a specific key word,
continue pressing Tab to display different key words. You can then select the desired
key word.
----End
2.2.3 Command Line Interface Error Messages
If you enter a command and it passes the syntax check, the system executes it. Otherwise, the
system reports an error message.
Table 2-2 lists common error messages.
Table 2-2 Common command line error messages
Error message | Cause of the error
Unrecognized command | The command cannot be found. The key word cannot be found.
Wrong parameter | The wrong parameter type is entered. The parameter value is out of range.
Incomplete command | An incomplete command is entered.
Too many parameters | Too many parameters are entered.
Ambiguous command | Ambiguous parameters are entered.
2.3 CLI Features
The CLI provides several features that make it easy to use.
2.3.1 Editing
The command line editing function allows you to use certain keys to edit command lines or
obtain help.
Keys that are frequently used for command line editing are shown in Table 2-3.
Table 2-3 Command line editing keys
Key | Function
Common key | Inserts a character at the current cursor position as long as the editing buffer is not full. The cursor then moves to the right. If the buffer is full, an alarm is generated.
Backspace | Moves the cursor to the left and deletes the character in that position. When the cursor reaches the head of the command, an alarm is generated.
Left cursor key ← or Ctrl_B | Moves the cursor to the left one space at a time. When the cursor reaches the head of the command, an alarm is generated.
Right cursor key → or Ctrl_F | Moves the cursor to the right one space at a time. When the cursor reaches the end of the command, an alarm is generated.
Tab | Press Tab after typing a partial key word and the system runs partial help:
  • If the matching key word is unique, the system replaces the typed character string with a complete key word and displays it in a new line with the cursor placed at the end of the word.
  • If there are several matches or no match, the system displays the prefix first. Then you can press Tab to view any matching key words one at a time. The cursor directly follows the end of the word. You can press the spacebar to enter the next word.
  • If a non-existent or incorrect key word is entered, press Tab and the word is displayed on a new line.
2.3.2 Displaying
Command lines have a feature that controls how they are displayed.
You can enable this feature on the CLI as follows:
• You can use the language-mode language-name command to change the language mode
to display prompts and help information in Chinese or English.
• If output information cannot be displayed on a full screen, you have three viewing options,
as shown in Table 2-4.
Table 2-4 Display keys
Key | Function
Ctrl_C | Stops the display and running of a command. NOTE: You can also press any key except the spacebar and Enter to stop the display and running of a command.
Space | Displays information on the next screen.
Enter | Displays information on the next line.
2.3.3 Regular Expressions
A regular expression describes a set of strings. It consists of common characters (such as letters
from "a" to "z") and special characters (called metacharacters). The regular expression is a
template that enables you to search for required strings. You can use regular expressions to filter
output to locate needed information quickly.
A regular expression provides the following functions:
• Searches for sub-strings that match a rule in the main string.
• Substitutes strings based on specific matching rules.
Formal Language Theory of the Regular Expression
A regular expression consists of common characters and special characters.
• Common characters
Common characters, including all upper-case and lower-case letters, digits, underline,
punctuation marks, and special symbols, match themselves in a string. For example, "a"
matches the letter "a" in "abc", "202" matches the digit "202" in "202.113.25.155", and
"@" matches the symbol "@" in "xxx@xxx.com".
• Special characters
Special characters are used together with common characters to match complex or special
string combinations. Table 2-5 describes special characters and their syntax.
Table 2-5 Description of special characters
Special character | Syntax | Example
\ | Defines an escape character, which is used to mark the next character (common or special) as the common character. | \* matches "*".
^ | Matches the starting position of the string. | ^10 matches "10.10.10.1" instead of "20.10.10.1".
$ | Matches the ending position of the string. | 1$ matches "10.10.10.1" instead of "10.10.10.2".
* | Matches the preceding element zero or more times. | 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".
+ | Matches the preceding element one or more times. | 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".
? | Matches the preceding element zero or one time. | 10? matches "1" and "10". (10)? matches "null" and "10". NOTE: Huawei datacom devices do not support regular expressions with ?. When regular expressions with ? are entered on Huawei datacom devices, helpful information is provided.
. | Matches any single character. | 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".
() | Defines a subexpression, which can be null. Both the expression and the subexpression should be matched. | 100(200)+ matches "100200" and "100200200".
x|y | Matches x or y. | 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234", "14", "1224", and "1334".
[xyz] | Matches any single character in the regular expression. | [123] matches the character 2 in "255".
[^xyz] | Matches any character that is not contained within the brackets. | [^123] matches any character except for "1", "2", and "3".
[a-z] | Matches any character within the specified range. | [0-9] matches any character ranging from 0 to 9.
[^a-z] | Matches any character beyond the specified range. | [^0-9] matches all non-numeric characters.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
• Degeneration of special characters
A special character becomes a common character when following \. In the following
situations, the special characters listed in Table 2-6 function as common characters.
– If the special character "*", "+", or "?" is placed at the beginning of a regular expression,
a special character becomes a common character. For example, +45 matches "+45" and
abc(*def) matches "abc*def".
– If the special character "^" is placed in any position except for the beginning of a regular
expression, a special character becomes a common character. For example, abc^
matches "abc^".
– If the special character "$" is placed in any position except for the end of a regular
expression, a special character becomes a common character. For example, 12$2
matches "12$2".
– If a right parenthesis ")" or right bracket "]" is not paired with a corresponding left
parenthesis "(" or bracket "[", a special character becomes a common character. For
example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules also apply when the preceding regular expressions
are subexpressions within parentheses.
• Combinations of common and special characters
In actual usage, regular expressions combine multiple common and special characters to
match certain strings.
Regular Expression Examples
The key to using regular expressions is to design them accurately. Table 2-6 shows how to
design regular expressions using special characters and describes the meaning of those regular
expressions.
Table 2-6 Regular expression examples
Regular Expression | Description
^100 | Matches strings beginning with 100, for example, 100085.
200$ | Matches strings ending with 200, for example, 255.255.100.200.
[0-9]+ | Matches strings of repeated digits ranging from 0 to 9, for example, 007.
(abc)* | Matches strings with abc occurring zero or more times, for example, d and dabc.
^100([0-9]+)*200$ | Matches strings beginning with 100 and ending with 200, including those with zero or several digits in the middle, for example, 100200.
Windows (95|98|2000|XP) | Matches Windows 95, Windows 98, Windows 2000, or Windows XP.
100[^0-9]? | Matches strings beginning with 100 followed by zero or one non-digit character, for example, 100 or 100@.
.\.\* | Matches a string beginning with a single character except \n followed by . and *, for example, 1.* or a.*.
^172\.16\.(10)\.([0-9]+)$ | Matches an IP address in a line, for example, 172.16.10.X.
Specifying a Filtering Mode in a Command
NOTICE
The HUAWEI NetEngine80E/40E uses a regular expression to implement the pipe character
filtering function. A display command supports the pipe character only when there is excessive
output information.
When filtering conditions are set to query output, the first line of the command output starts with
information containing the regular expression.
Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For commands that support regular expressions, three filtering methods are available:
• | begin regular-expression: displays information that begins with the line that matches
regular expression.
• | exclude regular-expression: displays information that excludes the lines that match
regular expression.
• | include regular-expression: displays information that includes the lines that match regular
expression.
NOTE
The value of regular-expression is a string of 1 to 255 characters.
After the command output is filtered, the filtered information is displayed with its context.
Context rules are as follows:
• before before-line-number: displays lines that match filtering rules and the preceding
before-line-number lines.
• after after-line-number: displays lines that match filtering rules and the subsequent
after-line-number lines.
• before before-line-number + after after-line-number or after after-line-number + before
before-line-number: displays lines that match filtering rules, the preceding
before-line-number lines, and the subsequent after-line-number lines.
NOTE
Values of before-line-number and after-line-number are a string of 1 to 999 characters.
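The three filtering methods, | count, and the before/after context rules can be reproduced offline on captured command output, for example when reviewing an archived configuration for privilege or addressing settings. This Python sketch is an added example, not Huawei code: the function names are hypothetical, the captured output is constructed, Python's re module stands in for the device's regular-expression engine (the two differ, for instance in the degeneration rules and the handling of ?), and applying context only to include is an assumption.

```python
import re

# Constructed capture of `display current-configuration` output
# (not taken from a real device).
CAPTURED = """\
sysname HUAWEI
#
aaa
 authentication-scheme default
#
interface GigabitEthernet0/0/0
 ip address 172.16.10.1 255.255.255.0
#
interface LoopBack0
 ip address 10.10.10.1 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
 user privilege level 15
#
return""".splitlines()


def _compile(pattern):
    # The guide limits regular-expression to a string of 1 to 255 characters.
    if not 1 <= len(pattern) <= 255:
        raise ValueError("regular-expression must be 1 to 255 characters long")
    return re.compile(pattern)


def filter_output(lines, mode, pattern, before=0, after=0):
    """Apply `| begin`, `| include` or `| exclude` to a list of output lines.

    before/after give the number of context lines shown around each match
    (0 means no context; the upper bound of 999 follows the guide).
    """
    if not (0 <= before <= 999 and 0 <= after <= 999):
        raise ValueError("context line numbers must be between 0 and 999")
    rx = _compile(pattern)
    hits = [i for i, line in enumerate(lines) if rx.search(line)]

    if mode == "begin":
        # Everything from the first matching line to the end of the output.
        return lines[hits[0]:] if hits else []
    if mode == "exclude":
        matched = set(hits)
        return [line for i, line in enumerate(lines) if i not in matched]
    if mode == "include":
        keep = set()
        for i in hits:
            # Overlapping context windows are merged, so no line repeats.
            keep.update(range(max(0, i - before), min(len(lines), i + after + 1)))
        return [lines[i] for i in sorted(keep)]
    raise ValueError(f"unknown filtering mode: {mode}")


def count_matches(lines, pattern):
    """Equivalent of `| count`: the number of lines that match the pattern."""
    rx = _compile(pattern)
    return sum(1 for line in lines if rx.search(line))


if __name__ == "__main__":
    # Which user-interface block sets a privilege level? One line of context
    # before the match shows the block header.
    for line in filter_output(CAPTURED, "include", "user privilege level", before=1):
        print(line)
    # Unanchored form of the last Table 2-6 pattern, matched inside a config line.
    print(filter_output(CAPTURED, "include", r"172\.16\.(10)\.([0-9]+)"))
    print(count_matches(CAPTURED, "ip address"))
```

A single line of before-context is enough here because the privilege setting sits directly under its block header; deeper blocks need a larger value or the begin filter.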
Specify a Filtering Mode When Information Is Displayed Screen by Screen
NOTE
When the output of the following commands is displayed screen by screen, you can specify a filtering
mode:
• display current-configuration
• display interface
• display arp
When a large amount of information is displayed screen by screen, you can specify a filtering
mode in the prompt "---- More ----".
• /regular-expression: displays the information that begins with the line that matches regular
expression.
• -regular-expression: displays the information that excludes lines that match regular
expression.
• +regular-expression: displays the information that includes lines that match regular
expression.
2.3.4 Previously-Used Commands
The CLI provides a function similar to DosKey that automatically saves any command used on
the device. If you need to run a command that has been previously executed, you can use this
function to recall the command.
By default, the system saves 10 previously-used commands for each user. You can run the
history-command max-size size-value command in the user view to set the number of
previously-used commands saved by the system. A maximum of 256 previously-used commands
can be saved.
NOTE
Set the number of saved previously-used commands to a reasonably low value. If a large number of
previously-used commands are saved, locating a command can be time-consuming and inefficient.
The keys and commands for accessing previously-used commands are shown in Table 2-7.
Table 2-7 Keys and commands for accessing previously-used commands
Action | Key or Command | Result
Display previously-used commands. | display history-command [ all-users ] | Display previously-used commands entered by users.
Access the last previously-used command. | Up arrow key (↑) or Ctrl_P | Display the last previously-used command if there are more than one. Otherwise, an alarm is generated.
Access the next previously-used command. | Down arrow key (↓) or Ctrl_N | Display the next previously-used command if there are more than one. Otherwise, the command is cleared and an alarm is generated.
NOTE
Windows 9X defines keys differently and the arrow key ↑ cannot be used with Windows 9X
HyperTerminals. You can use Ctrl_P instead.
When you use previously-used commands, note the following points:
• Previously-used commands are saved exactly as they are entered by users. For example, if
a user enters an incomplete command, the saved command is also incomplete.
• A command is only saved the first time it is run. If a command is entered in different forms
or with different parameters, each entry is considered to be a different command.
For example, if the display ip routing-table command is run several times, only one
previously-used command is saved. If the disp ip routing command and the display ip
routing-table command are run, two previously-used commands are saved.
2.3.5 Batch Command Execution
If multiple commands are frequently used consecutively, you can edit these commands to be
executed in batches. This simplifies command input and improves efficiency.
Context
Two operating modes allow the system to execute commands in batches. One mode is manual
execution: you can run the batch-cmd edit command to import the commands that need to be
executed in batches, then run the batch-cmd execute command to execute the commands in
batches. The other mode is the maintenance assistant task. You can use a *.bat file to import
commands that need to be executed in batches. Then the system automatically executes the
commands at the scheduled time.
Procedure
Step 1 Manually execute the commands in batches.
1. In the user view, run:
batch-cmd edit
Commands are edited to be executed in batches.
The batch-cmd edit command can be used by only one user at a time.
The maximum length of a command (including the incomplete command) to be entered is
510 characters.
When editing commands, press Enter to complete the editing of each command.
NOTE
• After the batch-cmd edit command is run successfully to edit the commands to be executed in
batches, the system deletes the original commands to be run in batches.
• The commands that are already edited are saved in memory and are deleted forever when the
system is restarted.
2. After all commands are edited, you can press the shortcut keys Ctrl_Z to exit the editing
state and return to the user view.
3. In the user view, run:
batch-cmd execute
The commands are executed in batches.
The batch-cmd execute command can be used by only one user at a time.
The sequence of running commands is the same as the sequence of editing commands. You
can view the execution of these commands on the CLI. After the execution is complete,
the user view is displayed.
NOTE
If the batch-cmd edit or batch-cmd execute command is among the commands to be executed in
batches, the system displays an error when executing the batch-cmd edit or batch-cmd execute
command and continues to execute the following commands.
Step 2 Configure a maintenance assistant task for the system to automatically execute commands in
batches at a scheduled time.
1. Run:
system-view
The system view is displayed.
2. Run:
assistant task task-name
The maintenance assistant task is created, and the maintenance assistant view is displayed.
3. Run:
if-match timer cron seconds minutes hours days-of-month months days-of-week [ years ]
The time at which the system automatically executes commands is scheduled.
4. Run:
perform priority batch-file file-name
The maintenance assistant task is performed.
file-name is a .bat file that needs to be edited and then sent to the device before you run this
command. The value of this parameter must not contain file directory information, and the
file specified by this parameter must be in the root directory of the user/bat folder.
----End
2.4 Shortcut Keys
System or user-defined shortcut keys make it easier to enter commands.
2.4.1 Classifying Shortcut Keys
There are two types of shortcut keys: system shortcut keys and user-defined shortcut keys.
Familiarize yourself with the shortcut keys so you can use them correctly.
The shortcut keys in the system are classified into the following two types:
• User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can
assign these shortcut keys to any commands. When a shortcut key is pressed, the system
automatically runs the assigned command. For details about defining the shortcut keys, see
section 2.4.2 Defining Shortcut Keys.
• System-defined shortcut keys: The system defines a number of shortcut keys with fixed
functions. Table 2-8 lists the system-defined shortcut keys.
NOTE
Different terminal software defines these keys differently. The shortcut keys on your terminal may be
different from those listed in this section.
Table 2-8 System-defined shortcut keys
Key | Function
CTRL_A | The cursor moves to the beginning of the current line.
CTRL_B | The cursor moves to the left one space at a time.
CTRL_C | Terminates the running function.
CTRL_D | Deletes the character where the cursor lies.
CTRL_E | The cursor moves to the end of the current line.
CTRL_F | The cursor moves to the right one space at a time.
CTRL_H | Deletes the character to the left of the cursor.
CTRL_K | Stops the creation of the outbound connection.
CTRL_N | Displays the next command in the previously-used command buffer.
CTRL_P | Displays the previous command in the previously-used command buffer.
CTRL_R | Repeats the information displayed on the current line.
CTRL_T | Terminates the outbound connection.
CTRL_V | Pastes the contents onto the clipboard.
CTRL_W | Deletes the character string or character to the left of the cursor.
CTRL_X | Deletes all the characters to the left of the cursor.
CTRL_Y | Deletes all the characters to the right of the cursor.
CTRL_Z | Returns to the user view.
CTRL_] | Terminates the inbound or redirection connections.
ESC_B | The cursor moves one word to the left.
ESC_D | Deletes the word to the right of the cursor.
ESC_F | The cursor moves to the end of the word to the right.
ESC_N | The cursor moves downward to the next line.
ESC_P | The cursor moves upward to the previous line.
ESC_SHIFT_< | Sets the position of the cursor to the beginning of the clipboard.
ESC_SHIFT_> | Sets the position of the cursor to the end of the clipboard.
2.4.2 Defining Shortcut Keys
If you regularly use one or more commands, you can assign shortcut keys to run them, which
facilitates user operations and improves efficiency. Only management-level users have the right
to define shortcut keys.
Configure the following shortcut keys in the system view.
Action                 Command
Define shortcut keys   hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text
CTRL_G, CTRL_L, CTRL_O and CTRL_U are assigned to run the following commands by
default:
• CTRL_G: display current-configuration
• CTRL_L: display ip routing-table
• CTRL_O: undo debugging all
• CTRL_U: By default, CTRL_U is not assigned to any command. If no command is
specified for CTRL_U, this shortcut key deletes an entered character or command.
When defining shortcut keys, mark the command with double quotation marks if the command
consists of more than one word or includes spaces.
2.4.3 Using Shortcut Keys
You can use a shortcut key in any position you can enter a command. The system executes the
entered shortcut key and displays the corresponding command on the screen exactly as if you
had entered the complete command.
• If you have typed part of a command and have not pressed Enter, you can press the shortcut
keys to clear what you have entered or display the full command. This operation has the
same effect as that of deleting a command and then re-entering the complete command.
• The shortcut keys are run like the commands. The syntax is recorded in the command buffer
and logged for fault location and querying.
NOTE
The terminal being used may affect the shortcut key functions. For example, if shortcut keys customized
for the terminal conflict with those for the router, the input shortcut keys are captured by the terminal
program and do not function.
Run the following command in any view to display the shortcut keys being used.
Action                                Command
Check the shortcut keys being used.   display hotkey
2.5 Configuration Examples
This section provides several examples that illustrate the use of command lines.
2.5.1 Running Commands in Batches
In this example, you can edit the commands to be run in batches to configure the system to
automatically run them in batches.
Context
If you frequently run commands in a particular order, you can run them in batches to improve
efficiency. This is particularly effective if you run a large number of commands in a row.
For example, you can run commands in batches during a preventive maintenance inspection
(PMI). By running commands in batches, you can enter all PMI commands at once and then
send all the command output information to the PMI tool, which can improve the PMI efficiency.
To run commands in batches, log in to the router and perform the following:
Procedure
Step 1 Edit the display users, display startup, and display clock commands to be run in batches.
<HUAWEI> batch-cmd edit
Info: Begin editing batch commands. Press "Ctrl+Z" to abort this session.
display users
display startup
display clock
<HUAWEI>
Step 2 Run the commands in batches.
<HUAWEI> batch-cmd execute
<HUAWEI>batch-cmd execute command: display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  35 VTY 1   00:00:00  TEL    190.120.2.19                         no
  Username : Unspecified
<HUAWEI>batch-cmd execute command: display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
<HUAWEI>batch-cmd execute command: display clock
2011-01-27 01:25:24
Thursday
Time Zone(DefaultZoneName) : UTC
<HUAWEI>
batch-cmd execute finished.
----End
2.5.2 Using the Tab Key
After inputting part of a keyword, you can press Tab to obtain all the related keywords or check
the accuracy of the input keyword.
Context
You do not always need to input complete keywords. Instead, input one or more of the first
characters of a keyword and press Tab to complete the keyword. The Tab key helps search for
and use commands.
Procedure
• Tab can be used in three ways as shown in the following example.
– After you enter part of a key word and press the Tab key, a unique matching key word
is displayed.
1. Input part of a key word.
[HUAWEI] info-
2. Press Tab.
The system replaces the incomplete key word with a complete key word and
displays it on a new line followed by a cursor.
[HUAWEI] info-center
– After you enter part of a key word and press the Tab key, several matches or no matches
are displayed.
# info-center can be followed by three key words.
[HUAWEI] info-center log?
logbuffer
logfile
loghost
1. Input the incomplete key word.
[HUAWEI] info-center l
2. Press Tab.
The system displays the prefix first. In this example, the prefix is "log".
[HUAWEI] info-center log
Continue pressing Tab. The cursor comes right after the end of the word.
[HUAWEI] info-center loghost
[HUAWEI] info-center logbuffer
[HUAWEI] info-center logfile
When you find the key word you need, for example, logfile, stop pressing Tab.
3. Enter a space and the next word, channel, is displayed.
[HUAWEI] info-center logfile channel
– Input an incorrect keyword and press Tab to check the accuracy of the keyword.
1. For example, input the incorrect keyword loglog.
[HUAWEI] info-center loglog
2. Press Tab.
[HUAWEI] info-center loglog
The system displays information on a new line, but the keyword loglog remains
unchanged and there is no space between the cursor and the keyword. This result
indicates that this keyword is non-existent.
----End
2.5.3 Using Shortcut Keys
In this example, you assign shortcut keys to frequently-used commands. Then, you can press
the shortcut keys instead of inputting the commands to facilitate user operations and improve
efficiency.
Context
If the login router supports shortcut keys, any user, regardless of their user level, can use them.
Procedure
Step 1 Assign Ctrl_U to the display ip routing-table command and run the shortcut keys.
<HUAWEI> system-view
[HUAWEI] hotkey ctrl_u "display ip routing-table"
NOTE
When assigning shortcut keys to a command, enclose the command in quotation marks if it consists of two
or more words separated by spaces.
Step 2 Press Ctrl_U when the prompt [HUAWEI] appears.
[HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8        Routes : 8
Destination/Mask     Proto   Pre  Cost  Flags  NextHop        Interface
51.51.51.9/32        Direct  0    0     D      127.0.0.1      InLoopBack0
100.2.0.0/16         Direct  0    0     D      100.2.150.51   GigabitEthernet0/0/0
100.2.150.51/32      Direct  0    0     D      127.0.0.1      InLoopBack0
100.2.255.255/32     Direct  0    0     D      127.0.0.1      InLoopBack0
127.0.0.0/8          Direct  0    0     D      127.0.0.1      InLoopBack0
127.0.0.1/32         Direct  0    0     D      127.0.0.1      InLoopBack0
127.255.255.255/32   Direct  0    0     D      127.0.0.1      InLoopBack0
255.255.255.255/32   Direct  0    0     D      127.0.0.1      InLoopBack0
----End
2.5.4 Copying Commands Using Shortcut Keys
In this example, you can use shortcut keys to copy a specified command and then use the shortcut
keys Ctrl_Shift_V to paste the command.
Context
If you need to repeatedly run a command, you can use shortcut keys to copy the command.
The copied command is saved on the clipboard and is available only for the current user. After
the user logs out, the clipboard is cleared.
You can use shortcut keys to copy a command in any view.
Procedure
Step 1 Move the cursor to the beginning of the command and press Esc_Shift_<. Move the cursor to
the end of the command and press Esc_Shift_>.
<HUAWEI> display ip routing-table
Step 2 Run the display clipboard command to view the contents on the clipboard.
<HUAWEI> display clipboard
---------------- CLIPBOARD----------------
display ip routing-table
Step 3 Enter the command in any view, and press Ctrl_Shift_V to paste the contents of clipboard.
<HUAWEI> display ip routing-table
NOTE
If you press shortcut keys to copy a new command, you can use shortcut keys to paste only the new
command.
----End
3 Basic Configuration
About This Chapter
This chapter describes how to configure the router to suit your network environment.
3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.
3.2 Displaying System Status Messages
This section describes how to use display commands to check basic system configurations.
3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.
3.1.1 Before You Start
Before configuring the basic system environment, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
Before configuring services, you need to configure the basic system environment (for example,
the language mode, system time, device name, login information, and command level) to meet
environmental requirements.
Pre-configuration Tasks
Before configuring the basic system environment, power on the router.
Data Preparation
To configure the basic system environment, you need the following data.
No.  Data
1    Language mode
2    System time
3    Host name
4    Login information
5    Command level
3.1.2 Switching the Language Mode
You can switch between the Chinese mode and the English mode as needed.
Context
After the language mode is switched, the system displays prompts and command line outputs in
the specified language.
Language information (Chinese and English) has been stored in the system software and does
not need to be loaded.
In the user view, perform the following:
Procedure
• Run:
language-mode { chinese | english }
The language mode is switched.
By default, the English mode is used.
The help information on the router can be in English or in Chinese. The language mode is
stored in the system software and does not need to be loaded.
----End
3.1.3 Configuring the Equipment Name
If multiple devices on a network need to be managed, set equipment names to identify each
device.
Context
New equipment names take effect immediately.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sysname host-name
The equipment name is set.
By default, the equipment name of the router is HUAWEI.
You can change the name of the router that appears in the command prompt.
----End
3.1.4 Setting the System Clock
The system clock must be correctly set to ensure synchronization with other devices.
Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device effectively operates with other
devices.
Setting the system clocks of all the devices on a network manually is time-consuming and cannot
ensure the clock accuracy. Network Time Protocol (NTP) can address this problem by
synchronizing all clocks of devices on the network so that the devices can provide uniform
time-based applications.
NOTE
A local system running NTP can be synchronized by other clock sources or act as a clock source to
synchronize other clocks. In addition, mutual synchronization can be implemented through NTP packet
exchanges.
By default, the system clock of NTP-enabled devices is UTC. The time zone and daylight saving
time vary with the country and region, and if a time zone and daylight saving time are configured
on an NTP server, the same time zone and daylight saving time must be configured on NTP
clients.
For details about NTP, see the NTP chapter in NE80E/40E Feature Description - System
Management.
For details about NTP configurations, see the NTP Configuration chapter in NE80E/40E
Configuration Guide - System Management.
Perform the following steps in the user view to set the system clock:
Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
The current date and time are set.
NOTE
If the time zone has not been configured or is set to 0, the date and time set by this command are considered
to be UTC. Set the time zone and UTC correctly.
Step 2 Run:
system-view
The system view is displayed.
Step 3 Run:
clock timezone time-zone-name { add | minus } offset
The time zone is set.
• If add is configured, the current time is the UTC time plus the time offset. That is, the default
UTC time plus offset is equal to the time of time-zone-name.
• If minus is configured, the current time is the UTC time minus the time offset. That is, the
default UTC time minus offset is equal to the time of time-zone-name.
NOTE
UTC stands for Coordinated Universal Time.
After the time zone is set:
• The time format of local logs is Original system time ± zone-offset, for example,
Oct 30 2013 22:21:11+08:00.
• The time format of logs sent to the log host is the UTC time, for example, Oct 30 2013 07:58:20. After
the info-center loghost local-time command is run to set the time format to local time, the time format
of user logs is Original system time ± zone-offset, for example, Oct 30 2013 22:21:11+08:00.
Step 4 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]
Daylight saving time is set.
By default, daylight saving time is not set.
The start time is the local mean time (LMT), and the end time is the daylight saving time (DST).
The start time and end time can be set to date+date, week+week, date+week, or week+date
format. To configure the daylight saving time, run the clock daylight-saving-time command.
NOTICE
When the device is upgraded from an earlier version to the V600R008C10 version, the
configured daylight saving time does not take effect and needs to be reconfigured.
----End
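The two log time formats quoted in the NOTE under Step 3 sort incorrectly when compared as strings, which matters when local logs and log-host copies are read side by side during an investigation. The following Python code is an added example, not part of the Huawei guide; it parses both formats and merges lines into one UTC-ordered timeline. The sample lines, device names and message text are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Layouts quoted in the NOTE: "Oct 30 2013 22:21:11+08:00" (local log, zone
# offset appended) and "Oct 30 2013 07:58:20" (log host default, UTC).
STAMP = re.compile(
    r"^(?P<base>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
    r"(?P<off>[+-]\d{2}:\d{2})?"
)


def parse_line(line):
    """Return (utc_time, had_offset, message) for one log line."""
    m = STAMP.match(line)
    if m is None:
        raise ValueError("no timestamp at start of line: %r" % (line,))
    base = " ".join(m.group("base").split())  # collapse padding such as "Jan  1"
    wall = datetime.strptime(base, "%b %d %Y %H:%M:%S")
    off = m.group("off")
    if off is None:
        # No offset on the line: per the NOTE this is the UTC form.
        utc = wall
    else:
        sign = 1 if off[0] == "+" else -1
        delta = sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
        utc = wall - delta  # local = UTC + offset, so UTC = local - offset
    return utc.replace(tzinfo=timezone.utc), off is not None, line[m.end():].strip()


def merge_timeline(sources):
    """Merge {source_name: [lines]} into one list ordered by UTC time."""
    events = []
    for name, lines in sources.items():
        for line in lines:
            utc, had_offset, message = parse_line(line)
            events.append((utc, name, had_offset, message))
    return sorted(events, key=lambda e: e[0])


# Constructed sample lines; the message text is illustrative only.
SAMPLE = {
    "local": [
        "Oct 30 2013 22:21:11+08:00 RouterA user ops logged in",
        "Oct 31 2013 01:10:00+08:00 RouterA configuration saved",
    ],
    "loghost": [
        "Oct 30 2013 07:58:20 RouterB user ops logged in",
        "Oct 30 2013 14:30:00 RouterB interface state changed",
    ],
}

if __name__ == "__main__":
    for utc, name, had_offset, message in merge_timeline(SAMPLE):
        note = "" if had_offset else " (no offset, read as UTC)"
        print(utc.isoformat(), name, message + note)
```

The guide does not state whether the logged zone-offset also reflects an active daylight saving offset, so compare a device's log stamps against display clock utc before relying on the conversion for devices with daylight saving time configured.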
System Clock Display
The system clock is determined by the clock datetime, clock timezone, and clock
daylight-saving-time commands.
• If none of the preceding three commands have been run, the original system time is
displayed after you run the display clock command.
• You can also run the three preceding commands in combination with one another to
configure the system clock, as listed in Table 3-1.
In the following examples, the original system time is 08:00:00 January 1, 2010.
• 1: Run the clock datetime command to set the current date and time to date-time.
• 2: Run the clock timezone command to configure the time zone with the time zone offset
zone-offset.
• 3: Run the clock daylight-saving-time command to configure the daylight saving time
with the offset offset.
• [1]: The clock datetime command configuration is optional.
Table 3-1 System clock configuration examples

Operation: 1
Configured System Time: date-time
Example: Run the clock datetime 8:0:0 2011-11-12 command.
  Configured system time:
  2011-11-12 08:00:03
  Saturday
  Time Zone(DefaultZoneName): UTC

Operation: 2
Configured System Time: Original system time +/- zone-offset
Example: Run the clock timezone BJ add 8 command.
  Configured system time:
  2010-01-01 16:00:20+08:00
  Friday
  Time Zone(BJ): UTC+08:00

Operation: 1, 2
Configured System Time: date-time +/- zone-offset
Example: Run the clock datetime 8:0:0 2011-11-12 and clock timezone BJ add 8 commands.
  Configured system time:
  2011-11-12 16:00:13+08:00
  Saturday
  Time Zone(BJ): UTC+08:00

Operation: [1], 2, 1
Configured System Time: date-time
Example: Run the clock timezone NJ add 8 and clock datetime 9:0:0 2011-11-12 commands.
  Configured system time:
  2011-11-12 09:00:02+08:00
  Saturday
  Time Zone(NJ): UTC+08:00

Operation: 3
Configured System Time: Original system time if the original system time is not during the
configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2011-8-1 6:0 2011-10-01 1 command.
  Configured system time:
  2010-01-01 08:00:51
  Friday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2011
  End year    : 2011
  Start time  : 08-01 06:00:00
  End time    : 10-01 06:00:00
  Saving time : 01:00:00

Operation: 3
Configured System Time: Original system time + offset if the original system time is during the
configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2011-1-1 6:0 2011-9-1 2 command.
  Configured system time:
  2010-01-01 10:00:34 DST
  Friday
  Time Zone(BJ): UTC
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2011
  End year    : 2011
  Start time  : 01-01 06:00:00
  End time    : 09-01 06:00:00
  Saving time : 02:00:00

Operation: 1, 3
Configured System Time: date-time if date-time is not during the configured daylight saving time
period
Example: Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 6:0
2012-8-1 6:0 2012-10-01 1 commands.
  Configured system time:
  2011-11-12 09:00:26
  Saturday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2012
  End year    : 2012
  Start time  : 08-01 06:00:00
  End time    : 10-01 06:00:00
  Saving time : 01:00:00

Operation: 1, 3
Configured System Time: date-time + offset if date-time is during the configured daylight saving
time period
Example: Run the clock datetime 9:0:0 2011-11-12 and clock daylight-saving-time BJ one-year 9:0
2011-11-12 6:0 2011-12-01 2 commands.
  Configured system time:
  2011-11-12 11:02:21 DST
  Saturday
  Time Zone(BJ): UTC
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2011
  End year    : 2011
  Start time  : 11-12 09:00:00
  End time    : 12-01 06:00:00
  Saving time : 02:00:00

Operation: [1], 3, 1
Configured System Time: date-time if date-time is not during the configured daylight saving time
period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2012-8-1 6:0 2012-10-01 1 and
clock datetime 9:0 2011-11-12 commands.
  Configured system time:
  2011-11-12 09:00:02
  Saturday
  Time Zone(DefaultZoneName): UTC
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2012
  End year    : 2012
  Start time  : 08-01 06:00:00
  End time    : 10-01 06:00:00
  Saving time : 01:00:00

Operation: [1], 3, 1
Configured System Time: date-time if date-time is during the configured daylight saving time
period
Example: Run the clock daylight-saving-time BJ one-year 1:0 2011-1-1 1:0 2011-9-1 2 and
clock datetime 3:0 2011-1-1 commands.
  Configured system time:
  2011-01-01 03:00:19 DST
  Saturday
  Time Zone(BJ): UTC
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2011
  End year    : 2011
  Start time  : 01-01 01:00:00
  End time    : 09-01 01:00:00
  Saving time : 02:00:00

Operation: 2, 3 or 3, 2
Configured System Time: Original system time +/- zone-offset if the value of Original system
time +/- zone-offset is not during the configured daylight saving time period
Example: Run the clock timezone BJ add 8 and clock daylight-saving-time BJ one-year 6:0
2011-1-1 6:0 2011-9-1 2 commands.
  Configured system time:
  2010-01-01 16:01:29+08:00
  Friday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2011
  End year    : 2011
  Start time  : 01-01 06:00:00
  End time    : 09-01 06:00:00
  Saving time : 02:00:00

Operation: 2, 3 or 3, 2
Configured System Time: Original system time +/- zone-offset +/- offset if the value of Original
system time +/- zone-offset is during the configured daylight saving time period
Example: Run the clock daylight-saving-time BJ one-year 1:0 2010-1-1 1:0 2010-9-1 2 and
clock timezone BJ add 8 commands.
  Configured system time:
  2010-01-01 18:05:31+08:00 DST
  Friday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2010
  End year    : 2010
  Start time  : 01-01 01:00:00
  End time    : 09-01 01:00:00
  Saving time : 02:00:00

Operation: 1, 2, 3, or 1, 3, 2
Configured System Time: date-time +/- zone-offset if the value of date-time +/- zone-offset is
not during the configured daylight saving time period
Example: Run the clock datetime 8:0:0 2011-11-12, clock timezone BJ add 8, and
clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2 commands.
  Configured system time:
  2011-11-12 16:01:40+08:00
  Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2012
  End year    : 2012
  Start time  : 01-01 06:00:00
  End time    : 09-01 06:00:00
  Saving time : 02:00:00

Operation: 1, 2, 3, or 1, 3, 2
Configured System Time: date-time +/- zone-offset + offset if the value of date-time +/-
zone-offset is during the configured daylight saving time period
Example: Run the clock datetime 8:0:0 2011-1-1, clock daylight-saving-time BJ one-year 6:0
2011-1-1 6:0 2011-9-1 2, and clock timezone BJ add 8 commands.
  Configured system time:
  2011-01-01 18:00:43+08:00 DST
  Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2011
  End year    : 2011
  Start time  : 01-01 06:00:00
  End time    : 09-01 06:00:00
  Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
Configured System Time: date-time if date-time is not during the configured daylight saving time
period
Example: Run the clock daylight-saving-time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2,
clock timezone BJ add 8, and clock datetime 8:0:0 2011-11-12 commands.
  Configured system time:
  2011-11-12 08:00:03+08:00
  Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2012
  End year    : 2012
  Start time  : 01-01 06:00:00
  End time    : 09-01 06:00:00
  Saving time : 02:00:00

Operation: [1], 2, 3, 1 or [1], 3, 2, 1
Configured System Time: date-time if date-time is during the configured daylight saving time
period
Example: Run the clock timezone BJ add 8, clock daylight-saving-time BJ one-year 1:0 2011-1-1
1:0 2011-9-1 2, and clock datetime 3:0:0 2011-1-1 commands.
  Configured system time:
  2011-01-01 03:00:03+08:00 DST
  Saturday
  Time Zone(BJ): UTC+08:00
  Daylight saving time :
  Name        : BJ
  Repeat mode : one-year
  Start year  : 2011
  End year    : 2011
  Start time  : 01-01 01:00:00
  End time    : 09-01 01:00:00
  Saving time : 02:00:00
3.1.5 Configuring a Header
If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.
Context
A header is a text message displayed by the system at the time a user logs in to the router.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
header login { information text | file file-name }
A header displayed during login is set.
Step 3 Run:
header shell { information text | file file-name }
A header displayed after login is set.
To display the header when the terminal connection has been activated but the user has not been
authenticated, configure the parameter login.
To display the header after the user has logged in, configure the parameter shell.
NOTICE
• The header message starts and ends with the same character. Enter the first character of the
header and press Enter. An interactive interface for setting the header is displayed. Input the
required information and, when you are finished, end the header by entering the first character
again. The system then exits from the interactive interface.
• If a user logs in to the router using SSH1.X, the login header is not displayed during login,
but the shell header is displayed after login.
• If a user logs in to the router using SSH2.0, both the login and shell headers are displayed.
----End
3.1.6 Configuring Command Levels
This section describes how to configure command levels to ensure device security or allow
low-level users to run high-level commands. By default, commands are registered in the sequence
of Level 0 to Level 3. If refined rights management is required, you can divide commands into
16 levels, that is, from Level 0 to Level 15.
Context
If you do not adjust a command level, after the command level is updated, all originally
registered command lines adjust automatically according to the following rules:
• The Level 0 and Level 1 commands remain unchanged.
• The Level 2 commands are updated to Level 10 and the Level 3 commands are updated to
Level 15.
• No command lines exist in Level 2 to Level 9 or in Level 11 to Level 14. You can adjust
the command lines to these levels to refine the management of privileges.
NOTICE
Do not change the default level of a command. Otherwise, some users may be unable to continue
using the command.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
command-privilege level rearrange
Update the command levels in batches.
Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured. With this command, you can specify the level for each
command and view multiple commands at one time (command-key).
All commands have default command views and levels. You do not need to reconfigure them.
----End
3.1.7 Configuring the undo Command to Automatically Match the Higher-Level View
After performing this configuration, if a user runs the undo command but it is not registered in
the current view, the system automatically switches to the view one level up from the current
view to search for this command. If the command is found, the undo command takes effect. If
the undo command does not exist in this view, the system progressively searches higher-level
views for the command until it reaches the system view. If the undo command is not found in
the higher-level view, it will not be executed.
Context
NOTICE
The undo command has disadvantages due to automatic matching. For example, when the user
runs the undo ospf command in the interface view where the command is not registered, the
system automatically searches the system view. This may lead to the global deletion of the OSPF
feature.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
matched upper-view
The undo command is configured to automatically search higher-level views if it is run in a
view where it is not registered.
By default, the undo command does not automatically search higher-level views.
NOTE
• The matched upper-view command is valid for current login users who run this command.
• Configuring the undo command to automatically match the upper level view is recommended only if
necessary.
----End
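The search rule in this section can be modelled to pre-check a change script for undo commands that would only take effect by climbing to a higher view, which is the case the NOTICE warns about. The following Python code is an added example, not Huawei code; the view hierarchy, the per-view command registrations and the change script are constructed assumptions, apart from undo ospf being accepted in the system view, which the NOTICE describes.

```python
# Constructed model: parent of each view; the system view is the top.
PARENT = {"system": None, "interface": "system", "ospf": "system", "ospf-area": "ospf"}

# Constructed registrations: undo keywords each view accepts (assumption,
# apart from "undo ospf" in the system view, which the NOTICE describes).
REGISTERED = {
    "system": ["undo ospf", "undo sysname"],
    "interface": ["undo shutdown", "undo ip address"],
    "ospf": ["undo area"],
    "ospf-area": ["undo network"],
}


def _accepts(view, command):
    """True if `command` equals a keyword registered in `view` or extends it with arguments."""
    return any(command == kw or command.startswith(kw + " ")
               for kw in REGISTERED.get(view, ()))


def resolve_undo(command, view, matched_upper_view):
    """Return the view where `command` would run, or None if it is rejected."""
    current = view
    while current is not None:
        if _accepts(current, command):
            return current
        if not matched_upper_view:
            return None            # default behaviour: only the current view is searched
        current = PARENT[current]  # climb one level; the search ends after the system view
    return None


def audit_script(steps):
    """List steps that only succeed by climbing to a higher view.

    `steps` is a list of (view, command). Each finding is
    (view_typed_in, command, view_it_runs_in).
    """
    findings = []
    for view, command in steps:
        strict = resolve_undo(command, view, matched_upper_view=False)
        relaxed = resolve_undo(command, view, matched_upper_view=True)
        if strict is None and relaxed is not None:
            findings.append((view, command, relaxed))
    return findings


# Constructed change script.
SCRIPT = [
    ("interface", "undo shutdown"),
    ("interface", "undo ospf"),
    ("ospf-area", "undo network 10.1.1.0 0.0.0.255"),
    ("ospf-area", "undo sysname"),
    ("interface", "undo loglog"),
]

if __name__ == "__main__":
    for typed_in, command, runs_in in audit_script(SCRIPT):
        print("%r typed in %s view would run in %s view" % (command, typed_in, runs_in))
```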
3.2 Displaying System Status Messages
This section describes how to use display commands to check basic system configurations.
Context
You can use display commands to collect information about the system status. The display
commands display the following information:
• System configurations
• System running status
• Diagnostic information about a system
• Restart information about the main control board
See related sections concerning display commands for information on protocols and interfaces.
This section only shows system-level display commands.
3.2.1 Displaying System Configuration
This section describes how to use command lines to check the system version, system time,
original configuration, and current configuration.
Context
Run the following commands in any view:
Procedure
• Run the display version command to display the system version.
• Run the display clock [ utc ] command to display the system time.
• Run the display calendar command to display system calendar.
• Run the display saved-configuration command to display the original configuration.
• Run the display current-configuration command to display the current configuration.
NOTE
• The display version command displays the software version of the system, the chassis type, and
information about the main control board and interface board.
• The original configuration refers to information about configuration files the device uses when
it powers on and initializes. The current configuration refers to the configuration files that take
effect when the device is in use. For details, see the chapter "Configuring System Startup" in the
NE80E/40E Basic-Configuration.
• Run the display history-command command to display the history of executed commands
for all users.
----End
3.2.2 Displaying the System Status
This section describes how to use command lines to check the system operating status (the
configuration of the current view).
Procedure
• Run the display this command to display the configuration of the current view.
----End
3.2.3 Collecting System Diagnostic Information
This section describes how to collect information about system modules.
Context
If you cannot perform routine maintenance, run the various display commands to collect the
information you need to locate faults. The display diagnostic-information command gathers
information about all currently running system modules.
Procedure
• Run:
display diagnostic-information [ file-name ]
System diagnostic information is displayed.
The display diagnostic-information command collects the same information as many
other individual commands, such as display clock, display version, display cpu-usage,
display interface, display current-configuration, display saved-configuration, and
display history-command.
----End
4 Configuring User Interfaces
About This Chapter
When a user uses a console port, AUX port, Telnet, or SSH (STelnet) to log in to a router, the
system manages the session between the user and the router on the corresponding user interface.
4.1 User Interface Overview
The system supports console, AUX, and Virtual Type Terminal (VTY) user interfaces.
4.2 Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
4.3 Configuring the AUX User Interface
When you use the AUX port to log in to a device for local or remote configuration, you must
configure attributes in the corresponding AUX user interface.
4.4 Configuring the VTY User Interface
If you need to use Telnet or SSH to log in to the router and perform local or remote maintenance,
you can configure the VTY user interface as needed.
4.5 Configuration Examples
This section provides examples for configuring console, AUX, and VTY user interfaces. These
configuration examples explain the networking requirements and provide configuration
roadmaps and notes.
4.1 User Interface Overview
The system supports console, AUX, and Virtual Type Terminal (VTY) user interfaces.
Each user interface has a user interface view. A user interface view is a command line view the
system provides to configure and manage all the physical and logical interfaces in asynchronous
mode.
User Interfaces Supported by the System
• Console port (CON)
The console port is a serial port provided by the main control board of the device.
The main control board provides one EIA/TIA-232 DCE console port. A terminal can use
this port to connect directly to a device to perform local configurations.
• Auxiliary port (AUX)
The auxiliary port is a linear port provided by the main control board of the device that uses
a modem to support dialup.
Each main control board provides one AUX port of type EIA/TIA-232 DTE. A terminal
can remotely access the device through the modem on the AUX port.
• Virtual type terminal (VTY)
A VTY is a logical terminal line. A VTY connection is set up when a device uses Telnet
to connect to a terminal. This kind of connection is used to locally or remotely access a
device.
Numbering of a User Interface
After a user logs in to the device, the system assigns the user the lowest numbered idle user
interface. The type of interface assigned depends on the user's login mode. There are two ways
to number user interfaces:
• Relative numbering
Relative numbering uses a user interface type + number format.
Relative numbering is used to specify user interfaces of a particular type. It can be used to
number single user interfaces or user interface groups and must adhere to the following
rules:
– Number of the console port: CON 0
– Number of the auxiliary port: AUX 0
– Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
• Absolute numbering
Absolute numbering is used to give a single user interface or a group of user interfaces a
unique number.
Absolute numbering starts with 0. Ports are numbered in a sequence beginning with
CON -> AUX -> VTY. There is only one console port, one AUX port, and 0-15 VTY
interfaces. You can use the user-interface maximum-vty command to set the maximum
number of user interfaces.
By default, the system supports three types of user interfaces: CON, AUX, and VTY.
Table 4-1 shows absolute numbers for the user interfaces in this system.
Table 4-1 Description of absolute and relative numbers for user interfaces

User interface: Console user interface
Description: Manages and monitors users that log in through the console port.
Absolute Number: 0
Relative Number: 0

User interface: AUX user interface
Description: Manages and monitors users that log in through the AUX port. The Modem dialup
function of AUX ports is frequently used.
Absolute Number: 33
Relative Number: 0

User interface: VTY user interface
Description: Manages and monitors users that use Telnet or SSH to log in.
Absolute Number: 34 to 48, and 50 to 54. Among the absolute numbers, 49 is reserved for
future use and 50 to 54 are reserved for the network management system.
Relative Number:
• Absolute numbers 34 to 48 correspond to relative numbers VTY 0 to VTY 14.
• Absolute numbers 50 to 54 correspond to relative numbers VTY 16 to VTY 20.
Among the relative numbers, VTY 15 is reserved for future use and VTY 16 to VTY 20 are
reserved for the network management system.
NOTE
The absolute numbers allocated for AUX and VTY interfaces are device-specific.
Numbers 1 to 32 are reserved for TTY user interfaces.
Run the display user-interface command to view the absolute number of user interfaces.
Authentication of a User Interface
After a user is configured, the system authenticates the user during login.
There are two user authentication modes: password and AAA, which are described as follows:
• Password authentication: Users must enter a password, but not a username, during the login
process.
• AAA authentication: Users must enter a password and a username during the login process.
Telnet users are usually authenticated in this mode.
NOTE
When a user logs in to the NE80E/40E by using Telnet, SSH, or a similar method, the NE80E/40E
assigns the user to default_admin by default.
Priority of a User Interface
Users logged in to the router are managed according to their levels.
A user's level determines the level of commands the user is authorized to run.
• In the case of password authentication, the level of the command the user can run is
determined by the level of the user interface.
• In the case of AAA authentication, the level of the command the user can run is determined
by the level of the local user specified in the AAA configuration.
4.2 Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
4.2.1 Before You Start
Before configuring the console user interface, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
If you need to log in to the router through a console port to perform local maintenance, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. These parameters have default values that
require no additional configuration, but you may modify these parameters as needed.
Pre-configuration Tasks
Before configuring a console user interface, use a terminal to log in to the router.
Data Preparation
To configure a console user interface, you need the following data.
| No. | Data |
| 1 | Baud rate, flow-control mode, parity, stop bit, and data bit |
| 2 | Idle timeout period, terminal screen length, number of characters in each line displayed in a terminal screen, and the size of the history command buffer |
| 3 | User priority |
| 4 | User authentication method, username, and password |
NOTE
All the default values (excluding the password and username) are stored on the router and do not need
additional configuration.
4.2.2 Setting Physical Attributes of the Console User Interface
You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console
port.
Context
Physical attributes of a console port have default values on the router. No additional
configuration is needed.
NOTE
When a user logs in to a router through a console port, the physical attributes set for the console port on
the HyperTerminal must be consistent with the attributes of the console user interface on the router, or the
user will not be able to log in.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.
Step 3 Run:
speed speed-value
The baud rate is set.
By default, the baud rate is 9600 bit/s.
Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set.
By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set.
By default, the value is 1 bit.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
The data bit is set.
By default, the data bit is 8.
----End
4.2.3 Setting Terminal Attributes of the Console User Interface
This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines or number of characters in each line
displayed on a terminal screen, and size of the history command buffer.
Context
Terminal attributes of the console user interface have default values on the router that you may
modify as needed.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.
Step 3 Run:
shell
The terminal service is started.
Step 4 Run:
idle-timeout minutes [ seconds ]
The idle timeout period is set.
If a connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [ temporary ]
The terminal screen length is set.
The temporary parameter specifies the number of lines to be temporarily displayed on
a terminal screen.
By default, the terminal screen length is 24 lines.
Step 6 Run:
screen-width screen-width
The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value
The history command buffer is set.
By default, the size of the history command buffer is 10 entries.
----End
4.2.4 Configuring the User Privilege of the Console User Interface
This section describes how to control a user's authority to log in to the router and how to configure
a user's priority to improve router security.
Context
• Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
• This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see section 2.1.2 "Command Levels".
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.
Step 3 Run:
user privilege level level
The user privilege is set.
NOTE
• By default, users that log in through the console user interface can use level 15 commands, and users
logging in through other user interfaces can use commands at level 0.
• If the command level and user level are inconsistent, the user level takes precedence.
----End
4.2.5 Configuring the User Authentication Mode of the Console User Interface
The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves router security.
Context
The system provides two authentication modes, as described in Table 4-2.
Table 4-2 Authentication Modes
| Authentication Mode | Advantage | Disadvantage |
| AAA | AAA provides user authentication with high security. The user name and password must be entered for login. | The configuration is complex. The user name and password for AAA authentication must be created. |
| Password authentication | Password authentication is based on VTY channels, which provides security. The configuration is simple and only the login password is needed. | It provides less security than AAA. All users can use the login password to log in to a device. |
Procedure
• Configure AAA authentication
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password }
A username and password are created for the local user.
4. Run:
quit
Exit the AAA view.
5. Run:
user-interface console interface-number
The console user interface view is displayed.
6. Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.
• Configure password authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface console interface-number
The console user interface view is displayed.
3. Run:
authentication-mode password
The authentication mode is set to password authentication.
4. Run:
set authentication password [ cipher password ]
A password for password authentication is set.
NOTE
Passwords must meet the following requirements:
• If you do not enter cipher, the password is input in man-machine interaction mode, and
the system does not display the entered password.
The password is a string of 8 to 16 case-sensitive characters. The password must contain
at least two of the following types of characters: upper-case characters, lower-case characters,
numbers, and special characters.
Special characters do not include the question mark (?) or space.
• When you enter cipher, the password is displayed in either plaintext or ciphertext.
– When you input the password in plaintext, the password requirements are the same as
those when you do not enter cipher.
– When you input the password in ciphertext, the password must be a string of 56
consecutive characters.
The password is displayed in ciphertext in the configuration file regardless of whether you
input it in plaintext or ciphertext.
----End
4.2.6 Checking the Configuration
After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.
Prerequisites
The configurations of the user management function are complete.
Procedure
• Run the display users [ all ] command to check information about the user interface.
• Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check the local user list.
----End
Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay      Type   Network Address   AuthenStatus   AuthorcmdFlag
  0  CON 0     00:00:44                            pass           no
  Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600    3    N    -
+    : Current UI is active.
F    : Current UI is active and work in async mode.
Idx  : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
Int  : The physical location of UIs.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username      State   Type   CAR   Access-limit   Online
----------------------------------------------------------------------------
user123       Active  All    Dft   No             0
ll            Active  F      Dft   No             0
user1         Active  F      Dft   No             0
----------------------------------------------------------------------------
Total 3,3 printed
4.3 Configuring the AUX User Interface
When you use the AUX port to log in to a device for local or remote configuration, you must
configure attributes in the corresponding AUX user interface.
4.3.1 Before You Start
Before configuring the AUX user interface, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
If you need to use an AUX port to log in to a router for remote maintenance, you can configure
the corresponding AUX user interface by setting the physical attributes, terminal attributes, user
priority, and user authentication mode. The preceding parameters have default values on the
router and therefore do not require additional configuration.
Pre-configuration Tasks
Before configuring an AUX user interface, use a terminal to log in to the router.
Data Preparation
Before configuring an AUX user interface, you need the following data.
| No. | Data |
| 1 | Baud rate, flow-control mode, parity, stop bit, and data bit |
| 2 | Idle timeout period, number of lines displayed in a terminal screen, number of characters in each line displayed in a terminal screen, and the size of the history command buffer |
| 3 | User priority |
| 4 | Modem attributes |
| 5 | (Optional) Auto-execute commands |
| 6 | User authentication method, user name, and password |
NOTE
All the default values (excluding the auto-run commands, password, and username) are stored on the
router and do not need additional configuration.
4.3.2 Setting Physical Attributes of the AUX User Interface
Physical attributes of the AUX user interface include the transmission rate, flow control mode,
parity mode, stop bit, and data bit of the AUX port.
Context
Physical attributes of the AUX user interface have default values on the router. No additional
configuration is required.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.
Step 3 Run:
speed speed-value
The transmission rate is set.
By default, the baud rate is 9600 bit/s.
Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set.
By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set.
By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set.
By default, the value is 1 bit.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
The data bit is set.
By default, the value is 8.
NOTE
When a user logs in to a router through an AUX port, the configured attributes for the console port on the
HyperTerminal should be in accordance with the attributes of the AUX user interface on the router.
Otherwise, the user cannot log in to the router.
----End
4.3.3 Setting Terminal Attributes of the AUX User Interface
This section describes how to configure terminal attributes of the AUX user interface, including
the user idle timeout, number of lines or number of characters in each line displayed in a terminal
screen, and size of the history command buffer.
Context
Terminal attributes of the AUX user interface have default values on the router. You can
configure them as needed.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.
Step 3 Run:
shell
The AUX terminal service is enabled.
Step 4 Run:
idle-timeout minutes [ seconds ]
User idle timeout is enabled.
If the connection remains idle for the timeout period, the system automatically terminates
the connection.
By default, the idle timeout period on the interface is 10 minutes.
Step 5 Run:
screen-length screen-length [ temporary ]
The length of a terminal screen is set.
The temporary parameter specifies the number of lines to be temporarily displayed on
a terminal screen.
By default, the length of a terminal screen is 24 lines.
Step 6 Run:
history-command max-size size-value
The size of the history command buffer is configured.
By default, the size of the history command buffer on the user interface is 10 entries.
----End
4.3.4 Setting the User Priority of the AUX User Interface
This section describes how to control a user's authority to log in to the router and how to configure
a user's priority to improve router security.
Context
• Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
• This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see section 2.1.2 "Command Levels".
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.
Step 3 Run:
user privilege level level
The user priority is set.
NOTE
• By default, users who log in through the AUX user interface can use commands at level 0.
• If the authority to use commands is inconsistent with the user level, the user level takes precedence.
----End
4.3.5 Setting Modem Attributes of the AUX User Interface
You can set the following attributes on the modem: the time from when it picks up the signal
until it detects the carrier when a call is established, whether it handles only incoming calls
or both incoming and outgoing calls, and whether automatic answer is enabled.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.
Step 3 Run:
modem timer answer seconds
The period that the system waits for CD_UP after it receives the ring signal is set. This is
the time that elapses between the signal being picked up and the carrier being detected when
the call is established.
By default, the waiting time is 30 seconds.
Step 4 Run:
modem [ both | call-in ]
Whether the modem allows incoming calls only or both incoming and outgoing calls is set.
By default, incoming and outgoing calls are prohibited.
Step 5 Run:
modem auto-answer
Automatic answer is enabled.
By default, manual answering is enabled.
----End
4.3.6 (Optional) Configuring Auto-Execute Commands of the AUX User Interface
You can set a command to be executed automatically.
Context
NOTICE
After you run the auto-execute command command, you cannot use a terminal to perform
general system configurations.
Before you configure the auto-execute command command and run the save command to save the
existing configurations, make sure you can use other methods to log in to the system and
delete the configurations.
Perform the following on the router to which the user logs in:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface aux 0
The AUX user interface view is displayed.
Step 3 Run:
auto-execute command command
A command is specified as an auto-execute command.
Generally, the auto-execute command command is run to configure Telnet on a terminal. After
the configuration, the user can automatically connect to a designated host.
----End
4.3.7 Setting the User Authentication Mode of the AUX User Interface
The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves router security.
Context
By default, the user authentication mode of the AUX user interface is not configured.
Administrators must manually set a user authentication mode for the AUX user interface. If no
user authentication mode is set, users cannot log in to the device on the AUX user interface.
Procedure
• Configuring AAA Authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface aux interface-number
The AUX user interface view is displayed.
3. Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.
4. Run:
quit
You have exited the AUX user interface view.
5. Run:
aaa
The AAA view is displayed.
6. Run:
local-user user-name password { cipher | irreversible-cipher } password
The local user and password are configured.
• Configuring Password Authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface aux interface-number
The AUX user interface view is displayed.
3. Run:
authentication-mode password
The authentication mode is set to password authentication.
4. Run:
set authentication password [ cipher password ]
A password is set.
NOTE
Passwords must meet the following requirements:
• If you do not enter cipher, the password is input in man-machine interaction mode, and
the system does not display the entered password.
The password is a string of 8 to 16 case-sensitive characters. The password must contain
at least two of the following types of characters: upper-case characters, lower-case characters,
numbers, and special characters.
Special characters do not include the question mark (?) or space.
• When you enter cipher, the password is displayed in either plaintext or ciphertext.
– When you input the password in plaintext, the password requirements are the same as
those when you do not enter cipher.
– When you input the password in ciphertext, the password must be a string of 56
consecutive characters.
The password is displayed in ciphertext in the configuration file regardless of whether you
input it in plaintext or ciphertext.
----End
4.3.8 Checking the Configuration
After configuring the AUX user interface, you can view its usage information, including physical
attributes and configurations, the local user list, and online users.
Prerequisites
Configurations of the AUX user interface are complete.
Procedure
• Run the display users [ all ] command to check usage information about the AUX user
interface.
• Run the display user-interface aux interface-number [ summary ] command to check the
physical attributes and configurations of the user interface.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check the local user list.
----End
Example
To view information about the current user interface, run the display users command:
<HUAWEI> display users
  User-Intf    Delay      Type   Network Address   AuthenStatus   AuthorcmdFlag
  33 AUX 0     00:00:44                            pass           no
  Username : Unspecified
Run the display user-interface aux ui-number1 [ summary ] command, and you can view the
physical attributes and configurations of the user interface.
<HUAWEI> display user-interface aux 0
  Idx  Type     Tx/Rx    Modem Privi ActualPrivi Auth  Int
  33   AUX 0    9600    0    N    -
+    : Current UI is active.
F    : Current UI is active and work in async mode.
Idx  : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
Int  : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username      State   Type   CAR   Access-limit   Online
----------------------------------------------------------------------------
user123       Active  All    Dft   No             0
ll            Active  F      Dft   No             0
user1         Active  F      Dft   No             0
----------------------------------------------------------------------------
Total 3,3 printed
4.4 Configuring the VTY User Interface
If you need to use Telnet or SSH to log in to the router and perform local or remote maintenance,
you can configure the VTY user interface as needed.
4.4.1 Before You Start
Before configuring a VTY user interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.
Applicable Environment
If you need to use Telnet or SSH to log in to the router and perform local or remote maintenance,
you can configure a VTY user interface. You can configure the maximum number of VTY user
interfaces, restrictions on incoming and outgoing calls, terminal property, user priority, and user
authentication mode.
Pre-configuration Tasks
Before configuring a VTY user interface, use a terminal to log in to the router.
Data Preparation
To configure a VTY user interface, you need the following data.
| No. | Data |
| 1 | Maximum VTY user interfaces |
| 2 | (Optional) ACL code to restrict incoming and outgoing calls on VTY user interfaces |
| 3 | Idle timeout period, number of characters in each line displayed on a terminal screen, and size of the history command buffer |
| 4 | User priority |
| 5 | User authentication method, username, and password |
NOTE
All of the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, user authentication method, username, and password) have default values that require no
additional configuration.
4.4.2 Configuring the Maximum Number of VTY User Interfaces
This section describes how to configure the maximum number of VTY user interfaces to limit
the number of users that log in to the router.
Context
The maximum number of VTY user interfaces equals the total number of users that can use
Telnet or SSH to log in to the router.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface maximum-vty number
The maximum number of VTY user interfaces is set.
NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the network
administrator) can use a VTY user interface to log in to the router.
If the set maximum number of VTY user interfaces is less than the maximum number of online
users, a message is displayed indicating that the configuration failed.
If the set maximum number of VTY user interfaces is greater than the maximum number of
current interfaces, the authentication mode and password must be set for the newly added user
interfaces.
Consider, for example, a system that permits a maximum of five users to be online. To enable
15 VTY users to be online at the same time, run the authentication-mode command to configure
authentication modes for VTY user interfaces from 5 to 14. The commands are run as follows:
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode password
----End
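The following Python audit is an added example, not part of the Huawei guide. It checks user-interface stanzas of a saved configuration against the defaults this chapter states (console level 15, other interfaces level 0, idle timeout 10 minutes) and against the optional inbound ACL binding of section 4.4.3. The stanza layout, the sample configuration and the policy limits max_password_level and max_idle_seconds are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Defaults stated in this guide: console users get level 15, users on other
# user interfaces get level 0, and the idle timeout is 10 minutes.
DEFAULT_LEVEL = {"console": 15, "aux": 0, "vty": 0}
DEFAULT_IDLE_SECONDS = 10 * 60
KIND = {"con": "console", "console": "console", "aux": "aux", "vty": "vty"}

HEADER = re.compile(r"^user-interface (con|console|aux|vty) (\d+)(?: (\d+))?$")
AUTH = re.compile(r"^authentication-mode (aaa|password)$")
LEVEL = re.compile(r"^user privilege level (\d+)$")
IDLE = re.compile(r"^idle-timeout (\d+)(?: (\d+))?$")
ACL_IN = re.compile(r"^acl (?:ipv6 )?\S+ inbound$")

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 idle-timeout 0 0
user-interface aux 0
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 3
 idle-timeout 5 0
user-interface vty 5 14
 authentication-mode password
 user privilege level 15
"""


def parse_user_interfaces(config: str) -> List[Dict]:
    """Return one dict per user-interface stanza; indented lines belong to it."""
    stanzas: List[Dict] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            first = int(header.group(2))
            last = int(header.group(3) or first)
            name = f"{header.group(1)} {first}" + (f"-{last}" if last != first else "")
            current = {"name": name, "kind": KIND[header.group(1)], "auth": None,
                       "level": None, "idle": None, "acl_in": False}
            stanzas.append(current)
            continue
        if not line:
            continue
        if not raw.startswith((" ", "\t")):
            current = None              # any other top-level line closes the stanza
            continue
        if current is None:
            continue
        m = AUTH.match(line)
        if m:
            current["auth"] = m.group(1)
        m = LEVEL.match(line)
        if m:
            current["level"] = int(m.group(1))
        m = IDLE.match(line)
        if m:
            current["idle"] = int(m.group(1)) * 60 + int(m.group(2) or 0)
        if ACL_IN.match(line):
            current["acl_in"] = True
    return stanzas


def audit(config: str, max_password_level: int = 2,
          max_idle_seconds: int = DEFAULT_IDLE_SECONDS) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs; both limits are hypothetical policy values."""
    findings: List[Tuple[str, str]] = []
    for ui in parse_user_interfaces(config):
        level = ui["level"] if ui["level"] is not None else DEFAULT_LEVEL[ui["kind"]]
        idle = ui["idle"] if ui["idle"] is not None else DEFAULT_IDLE_SECONDS
        if ui["auth"] is None:
            findings.append((ui["name"], "no authentication-mode configured"))
        elif ui["auth"] == "password" and level > max_password_level:
            # With password authentication the interface level sets the command
            # level, so everyone who knows the shared password gets this level.
            findings.append((ui["name"], f"shared login password grants level {level}"))
        if idle == 0:
            # 0 0 never disconnects on VRP (behaviour not spelled out in this guide).
            findings.append((ui["name"], "idle timeout disabled"))
        elif idle > max_idle_seconds:
            findings.append((ui["name"], f"idle timeout {idle}s exceeds policy"))
        if ui["kind"] == "vty" and not ui["acl_in"]:
            findings.append((ui["name"], "no inbound ACL restricts source addresses"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```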
4.4.3 (Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces
This section describes how to configure an ACL to restrict access of incoming and outgoing
calls on a VTY user interface to specific IP addresses or address segments.
Context
Perform the following steps on the device that functions as a server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Compared to a basic ACL that filters packets based on source addresses, an advanced ACL
supports richer filtering rules: not only based on packet source addresses but also based on packet
destination address or priorities. Run either of the following commands:
• For a basic ACL:
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name [ basic ]
[ number acl-number2 ] } [ match-order { auto | config } ] command.
To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
[ number acl-number2 ] } [ match-order { auto | config } ] command.
• For an advanced ACL:
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name
[ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] command.
To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
[ number acl-number2 ] } [ match-order { auto | config } ] command.
The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL
ranging from 3000 to 3999.
Step 3 Run either of the following commands:
• For a basic ACL:
To configure a basic ACL rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
fragment-type-name | source { source-ip-address source-wildcard | any } | time-range
time-name | vpn-instance vpn-instance-name ] * command.
To configure a basic ACL6 rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
fragment-type-name | source { source-ip-address source-wildcard | any } | time-range
time-name | vpn-instance vpn-instance-name ] * command.
• For an advanced ACL:
To configure an advanced ACL rule, run the rule [ rule-id ] { deny | permit } protocol
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address
destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address
source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
To configure an advanced ACL6 rule, run the rule [ rule-id ] { deny | permit } protocol
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address
prefix-length | destination-ipv6-address/prefix-length | any } | fragment | source
{ source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range
time-name | vpn-instance vpn-instance-name ] * command.
NOTE
l By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose
source IP addresses match the ACL rule with a permit action can log in to the device.
In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
logging in to the device while allowing the other users to log in to the device:
l rule deny source 10.1.1.10 0
l rule permit source any
If the rule permit source any command is not configured, users whose source IP addresses are not
10.1.1.10 will also be prohibited from logging in to the device.
l If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
logging in to the device.
l If the ACL referenced by VTY does not contain any rules or does not exist, any user can log in to the
device.
Step 4 Run:
quit
The system view is displayed.
Step 5 Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
Step 6 Run:
acl [ ipv6 ] acl-number { inbound | outbound }
Restrictions for incoming and outgoing calls on the VTY interface are configured.
• If you want to prevent a user with a specific address or segment address from logging in to
the router, use the inbound command.
• If you want to enable a user to log in to the router but prevent the user from accessing other
routers, use the outbound command.
----End
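The login decision that the NOTE in Step 3 describes, as an added example (a Python model written for this page, not Huawei code). It assumes match-order config with rules listed in ascending rule-id order, parses only the source option of a basic ACL rule, and all function names are hypothetical.

```python
import ipaddress

# Rules taken from the NOTE in Step 3 (first without, then with the permit rule).
DENY_ONLY = ["rule deny source 10.1.1.10 0"]
NOTE_RULES = ["rule deny source 10.1.1.10 0", "rule permit source any"]
# Constructed rule: permit one /24 using a dotted wildcard mask.
SUBNET_ONLY = ["rule permit source 10.1.1.0 0.0.0.255"]


def parse_basic_rule(line):
    """Parse the subset 'rule [rule-id] {deny|permit} [source {ip wildcard | any}]'."""
    tok = line.split()
    if not tok or tok[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    i = 2 if len(tok) > 1 and tok[1].isdigit() else 1  # skip the optional rule-id
    if i >= len(tok) or tok[i] not in ("deny", "permit"):
        raise ValueError(f"missing deny/permit: {line!r}")
    action, rest = tok[i], tok[i + 1:]
    if not rest or rest[:2] == ["source", "any"]:
        return action, 0, 0xFFFFFFFF  # every source address matches
    if rest[0] != "source" or len(rest) < 3:
        raise ValueError(f"unsupported option in this model: {line!r}")
    base = int(ipaddress.IPv4Address(rest[1]))
    wc = rest[2]
    # A wildcard of "0" is shorthand for 0.0.0.0, i.e. an exact host match.
    wildcard = int(ipaddress.IPv4Address(wc)) if "." in wc else int(wc)
    return action, base, wildcard


def rule_matches(rule, src_ip):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    _, base, wildcard = rule
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (base & care)


def vty_inbound_allows(rule_lines, src_ip):
    """Return (allowed, reason). rule_lines is None when the ACL does not exist."""
    if not rule_lines:
        # Per the NOTE: a missing or empty ACL filters nothing, so login is open.
        return True, "ACL missing or empty: no filtering"
    for line in rule_lines:
        rule = parse_basic_rule(line)
        if rule_matches(rule, src_ip):
            return rule[0] == "permit", f"matched: {line}"
    # Per the NOTE: a source that matches no rule is denied by default.
    return False, "no rule matched: default deny"


if __name__ == "__main__":
    for name, acl in [("deny only", DENY_ONLY), ("NOTE rules", NOTE_RULES),
                      ("empty ACL", []), ("missing ACL", None)]:
        for ip in ("10.1.1.10", "10.1.1.20"):
            print(f"{name:12} {ip:10} -> {vty_inbound_allows(acl, ip)}")
```

The two cases worth checking on a live device are the ones this model makes visible: a deny-only ACL locks out every source, and an ACL number that is referenced on the VTY but never defined filters nothing.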
4.4.4 Setting the Terminal Attributes of the VTY User Interface
This section describes how to configure the terminal attributes of a VTY user interface, including
the user idle timeout, number of lines or characters displayed in each line in a terminal screen,
and size of the history command buffer.
Context
On the router, the terminal attributes of the VTY user interface have default values, which you
can reconfigure as needed.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface vty number1 [ number2 ]
The VTY user interface view is displayed.
Step 3 Run:
shell
The VTY terminal service is enabled.
Step 4 Run:
idle-timeout minutes [ seconds ]
The user idle timeout is enabled.
If the connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length [ temporary ]
The terminal screen length is set.
The temporary parameter specifies the number of lines to be temporarily displayed on
the terminal screen.
By default, the terminal screen length is 24 lines.
Step 6 Run:
history-command max-size size-value
The size of the history command buffer is set.
By default, a maximum of 10 commands can be cached in the history command buffer.
----End
4.4.5 Setting the User Priority of the VTY User Interface
This section describes how to control a user's authority to log in to the router and how to configure
a user's priority to improve router security.
Context
• Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
• This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see section 2.1.2 "Command Levels".
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface vty interface-number
The VTY user interface view is displayed.
Step 3 Run:
user privilege level level
The user priority is set.
By default, users who log in through the VTY user interface can use commands at level 0.
NOTE
If the command level configured in the VTY user interface view and user priority are inconsistent, user
priority takes precedence.
----End
4.4.6 Setting the User Authentication Mode of the VTY User Interface
The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves router security.
Context
The system provides two authentication modes, as described in Table 4-3.
Table 4-3 Authentication Modes
Authentication Mode | Advantage | Disadvantage
AAA | AAA provides user authentication with high security. The user name and password must be entered for login. | The configuration is complex. The user name and password for AAA authentication must be created.
Password authentication | Password authentication is based on VTY channels, which provides security. The configuration is simple and only the login password is needed. | It provides less security than AAA. All users can use the login password to log in to a device.
Procedure
• Configuring AAA authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface vty number1 [ number2 ]
The VTY user interface view is displayed.
3. Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.
4. Run:
quit
You have exited the VTY user interface view.
5. Run:
aaa
The AAA view is displayed.
6. Run:
local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-cipher-password }
A username and password are created for the local user.
• Configuring password authentication
1. Run:
system-view
The system view is displayed.
2. Run:
user-interface vty number1 [ number2 ]
The VTY user interface view is displayed.
3. Run:
authentication-mode password
The authentication mode is set to password authentication.
4. Run:
set authentication password [ cipher password ]
A password is set.
NOTE
Passwords must meet the following requirements:
• If you do not enter cipher, the password is input in man-machine interaction mode, and
the system does not display the entered password.
The password is a string of 8 to 16 case-sensitive characters. The password must contain
at least two of the following characters: upper-case characters, lower-case characters,
numbers, and special characters.
Special characters exclude the question mark (?) and space.
• When you enter cipher, the password is displayed in either plaintext or ciphertext.
  • When you input the password in plaintext, the password requirements are the same as
  those when you do not enter cipher.
  • When you input the password in ciphertext, the password must be a string of 56
  consecutive characters.
The password is displayed in ciphertext in the configuration file regardless of whether you
input it in plaintext or ciphertext.
----End
4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces
Network Management System (NMS) users can log in to a device through VTY user interfaces
to set device parameters.
Context
NMS users can log in to the router through VTY user interfaces to set router parameters.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
local-user user-name password { cipher | irreversible-cipher } password
A local user is created.
Step 4 Run:
local-user user-name user-type netmanager
The local user is set as an NM user.
Step 5 Run:
quit
The system view is displayed.
Step 6 Run:
user-interface vty first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 7 Run:
authentication-mode aaa
An authentication mode for logging in to the user interface is configured.
NOTE
The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as special
network management channels. The channels do not support the RSA authentication mode, but they do
support password authentication.
Step 8 Run:
quit
The system view is displayed.
Step 9 Run:
mmi-mode enable
The system is switched to the machine-to-machine mode.
NOTE
• This command is invisible to terminals and cannot be obtained by using the online help. In man-to-machine mode, exercise caution when using this command.
• In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS user
can log in through VTYs. A common user cannot use the five reserved user interfaces to log in through
Telnet.
• In the machine-to-machine mode, the system does not output logs, alarms, or debugging information
to the screen.
• In the machine-to-machine mode, the save and reboot commands can be used directly.
• In the machine-to-machine mode, a maximum of 512 lines are displayed by default. You can use the
screen-length command to adjust this value. In addition, you can run the screen-length temporary
command to adjust the number of lines temporarily displayed on the screen.
----End
4.4.8 Checking the Configuration
After configuring a VTY user interface, you can view the maximum number of VTY user
interfaces, and physical attributes and configurations of user interfaces.
Prerequisites
The configurations of the VTY user interface are complete.
Procedure
• Run the display users [ all ] command to check information about user interfaces.
• Run the display user-interface maximum-vty command to check the maximum number
of VTY user interfaces.
• Run the display user-interface [ ui-type ui-number1 | ui-number ] [ summary ] command
to check the physical attributes and configurations of user interfaces.
• Run the display local-user command to check the local user list.
• Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view information about current user interfaces.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0   00:00:12  TEL    10.138.77.38                        no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL    10.138.77.57                        no
  Username : Unspecified
Run the display user-interface maximum-vty command to view the maximum number of VTY
user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<HUAWEI> display user-interface vty 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0                     14    14          N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
 ----------------------------------------------------------------------------
 Username        State   Type  CAR  Access-limit  Online
 ----------------------------------------------------------------------------
 user123         Active  All   Dft  No            0
 ll              Active  F     Dft  No            0
 user1           Active  F     Dft  No            0
 ----------------------------------------------------------------------------
Total 3,3 printed
Run the display vty mode command to view the message indicating that the machine-to-machine
mode is enabled. For example:
<HUAWEI> display vty mode
Current user-interface mode is Human-Machine interface.
4.5 Configuration Examples
This section provides examples for configuring console, AUX, and VTY user interfaces. These
configuration examples explain the networking requirements and provide configuration
roadmaps and notes.
4.5.1 Example for Configuring the Console User Interface
In this example, a console user interface is configured to allow a user in password authentication
mode to log in to the router. The physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the interface.
Networking Requirements
A user uses the console user interface to log in to the router to initialize router configurations or
perform local router maintenance. You can set console user interface attributes as needed (for example,
for security reasons) to allow user logins.
In the console user interface view, the user priority is set to 15, and the password authentication
mode is set (the password is Huawei-123).
If no user activity occurs and a connection is idle for more than 30 minutes after login, the
connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set physical attributes of the console user interface.
2. Set terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.
Data Preparation
To complete the configuration, you need the following data:
• Transmission rate of the console user interface: 4800 bit/s
• Flow control mode of the console user interface: None
• Parity of the console user interface: even
• Stop bit of the console user interface: 2
• Data bit of the console user interface: 6
• Timeout period for disconnecting from the console user interface: 30 minutes
• Number of lines a terminal screen displays: 30
• Number of characters a terminal screen displays: 60
• Size of the history command buffer: 20
• User priority: 15
• User authentication mode: password (password: Huawei-123)
Procedure
Step 1 Set physical attributes of the console user interface.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] speed 4800
[HUAWEI-ui-console0] flow-control none
[HUAWEI-ui-console0] parity even
[HUAWEI-ui-console0] stopbits 2
[HUAWEI-ui-console0] databits 6
Step 2 Set terminal attributes of the console user interface.
[HUAWEI-ui-console0] shell
[HUAWEI-ui-console0] idle-timeout 30
[HUAWEI-ui-console0] screen-length 30
[HUAWEI-ui-console0] screen-width 60
[HUAWEI-ui-console0] history-command max-size 20
Step 3 Set the user priority of the console user interface.
[HUAWEI-ui-console0] user privilege level 15
Step 4 Set the user authentication mode in the console user interface to password.
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher Huawei-123
[HUAWEI-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can use
a console port to log in and perform local maintenance on the router. For details on how a user
logs in to the router, see chapter 5 Configuring User Login.
----End
Configuration Files
#
sysname HUAWEI
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password cipher $1a$.]U;PI9EtF$%$qzNQb7:,PNeT*K+i_#UYW%@qVRrNa0`\.t*^%@$
history-command max-size 20
idle-timeout 30 0
screen-length 30
databits 6
parity even
stopbits 2
speed 9600
#
return
4.5.2 Example for Configuring the AUX User Interface
This section provides an example describing how to configure the AUX user interface. In the
configuration example, to enable a user in AAA authentication mode to use an AUX interface
to log in to a router, you must set multiple attributes of the console user interface, including
physical attributes, terminal attributes, user priority, user authentication mode, and password.
Networking Requirements
To locally or remotely maintain the router, a user can log in to the router through an AUX user
interface.
To enable user login, an operator can set attributes of the AUX user interface as needed (for
security reasons, for example).
In the AUX user interface, the user priority is set to 15, and the authentication mode is set to
AAA. The user name is user123 and the password is Huawei-123.
After a user logs in, if the user takes no action on the router for more than 30 minutes, the
connection between the user and the router is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set the physical attributes of the AUX user interface.
2. Set the terminal attributes of the AUX user interface.
3. Set the user priority of the AUX user interface.
4. Set the modem attributes of the AUX user interface.
5. Set the authentication mode and password in the AUX user interface.
Data Preparation
To complete the configuration, you need the following data:
• Transmission rate of the AUX user interface: 9600 bit/s
• Flow control mode of the AUX user interface: None
• Parity of the AUX user interface: None
• Stop bit of the AUX user interface: 1
• Data bit of the AUX user interface: 8
• Timeout period for disconnecting from the AUX user interface: 30 minutes
• Number of lines a terminal screen displays: 30
• Number of characters a terminal screen displays: 60
• Size of the history command buffer: 20
• User priority: 15
• Modem attributes: idle timeout from off-hook to carrier detection (45 seconds), call-in
permission, and automatic response
• User authentication mode and password in the AUX user interface
Procedure
Step 1 Set physical attributes of the AUX user interface.
<HUAWEI> system-view
[HUAWEI] user-interface aux 0
[HUAWEI-ui-aux0] speed 9600
[HUAWEI-ui-aux0] flow-control none
[HUAWEI-ui-aux0] parity none
[HUAWEI-ui-aux0] stopbits 1
[HUAWEI-ui-aux0] databits 8
All of the preceding physical attributes of the AUX user interface are set with default values. In
fact, if a user chooses to use the default values, the user does not need to set them. The preceding
settings only serve to provide the configuration method.
Step 2 Set terminal attributes of the AUX user interface.
[HUAWEI-ui-aux0] shell
[HUAWEI-ui-aux0] idle-timeout 30
[HUAWEI-ui-aux0] screen-length 30
[HUAWEI-ui-aux0] screen-width 60
[HUAWEI-ui-aux0] history-command max-size 20
Step 3 Set the user priority of the AUX user interface.
[HUAWEI-ui-aux0] user privilege level 15
Step 4 Set modem attributes of the AUX user interface.
[HUAWEI-ui-aux0] modem timer answer 45
[HUAWEI-ui-aux0] modem call-in
[HUAWEI-ui-aux0] modem auto-answer
Step 5 Set the authentication mode of the AUX user interface to AAA.
[HUAWEI-ui-aux0] authentication-mode aaa
[HUAWEI-ui-aux0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user123 password cipher Huawei-123
[HUAWEI-aaa] quit
After the AUX user interface is configured, a user in AAA authentication mode can log in to
the router through an AUX port to maintain the router. For details on how a user logs in to the
router, refer to chapter 5 Configuring User Login.
----End
Configuration Files
#
sysname HUAWEI
#
user-interface aux 0
authentication-mode aaa
user privilege level 15
history-command max-size 20
idle-timeout 30 0
modem call-in
modem auto-answer
modem timer answer 45
screen-length 30
screen-width 60
#
return
4.5.3 Example for Configuring a VTY User Interface
In this example, a VTY user interface is configured to enable a user in password authentication
mode to use Telnet or SSH (Stelnet) to log in to the router. The maximum number of VTY user
interfaces permitted, restrictions for incoming and outgoing calls, terminal attributes,
authentication mode, and password are set for the interface.
Networking Requirements
A user uses Telnet or SSH to log in to the router using a VTY channel. You can set VTY user
interface attributes as needed (for example, for security reasons) to enable user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password
authentication, and the password is "Huawei-123". A user with the IP address of 10.1.1.1 is
prohibited from logging in to the router.
If no user activity occurs and a connection is idle for more than 30 minutes after login, the
connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set restrictions for incoming and outgoing calls on the VTY user interface to prevent an IP
address or an IP address segment from accessing the router.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority of the VTY user interface.
5. Set the authentication mode and password of the VTY user interface.
Data Preparation
To complete the configuration, you need the following data:
• Maximum number of VTY user interfaces: 15
• ACL applied to restrict incoming calls on the VTY user interface: 2000
• Timeout period for disconnecting from the VTY user interface: 30 minutes
• Number of lines a terminal screen displays: 30
• Number of characters a terminal screen displays: 60
• Size of the history command buffer: 20
• User priority: 15
• User authentication mode: password (password: Huawei-123)
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
Step 2 Set the limit on call-in and call-out in the VTY user interface.
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source any
[HUAWEI-acl-basic-2000] quit
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] acl 2000 inbound
Step 3 Set terminal attributes of the VTY user interface.
[HUAWEI-ui-vty0-14] shell
[HUAWEI-ui-vty0-14] idle-timeout 30
[HUAWEI-ui-vty0-14] screen-length 30
[HUAWEI-ui-vty0-14] screen-width 60
[HUAWEI-ui-vty0-14] history-command max-size 20
Step 4 Set the user priority of the VTY user interface.
[HUAWEI-ui-vty0-14] user privilege level 15
Step 5 Set the authentication mode and password of the VTY user interface.
[HUAWEI-ui-vty0-14] authentication-mode password
[HUAWEI-ui-vty0-14] set authentication password cipher Huawei-123
[HUAWEI-ui-vty0-14] quit
After the VTY user interface is configured, a user authenticated in password mode can use Telnet
or SSH (Stelnet) to log in to the router and perform local or remote maintenance on the router.
For details on how a user logs in to the router, see chapter 5 Configuring User Login.
----End
Configuration Files
#
sysname HUAWEI
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
authentication-mode password
set authentication password cipher $1a$.]U;PI9EtF$%$qzNQb7:,PNeT*K+i_#UYW%@qVRrNa0`\.t*^%@$
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
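A configuration file like the one above can be checked mechanically for the weaknesses this chapter itself names: the shared login password of password authentication (Table 4-3), a high privilege level granted to every VTY login, an inbound ACL that is missing or empty (any user can log in), and Telnet left as the VTY protocol. The following auditor is an added example, not Huawei tooling; the sample texts are constructed, the finding names and the max_level threshold are assumptions, and protocol inbound ssh is the VRP command for restricting a VTY to SSH, which this section does not show.

```python
import re

# Constructed sample modelled on the 4.5.3 configuration file; the ciphertext is a placeholder.
PAGE_STYLE = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 authentication-mode password
 set authentication password cipher <ciphertext-placeholder>
 idle-timeout 30 0
#
return
"""

# Constructed variant: AAA and SSH only, but ACL 2001 is referenced and never defined.
DANGLING_ACL = """\
#
user-interface vty 0 14
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def parse_sections(text):
    """Group a VRP-style config into (header, [indented child lines])."""
    sections = []
    for raw in text.splitlines():
        if raw.strip() in ("", "#", "return"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_vty(text, max_level=3):
    """Return [(vty header, finding code)]; max_level is a threshold chosen for this example."""
    sections = parse_sections(text)
    acls = {}
    for header, children in sections:
        m = re.fullmatch(r"acl (?:number )?(\d+)", header)
        if m:
            acls[m.group(1)] = [c.split() for c in children if c.startswith("rule")]
    findings = []
    for header, children in sections:
        if not re.fullmatch(r"user-interface vty \d+(?: \d+)?", header):
            continue
        opts = [c.split() for c in children]
        auth = next((o[1] for o in opts if o[0] == "authentication-mode"), None)
        level = next((int(o[3]) for o in opts
                      if o[:3] == ["user", "privilege", "level"]), 0)  # VTY default is 0
        inbound = [o[-2] for o in opts if o[0] == "acl" and o[-1] == "inbound"]
        proto = next((o[2] for o in opts if o[:2] == ["protocol", "inbound"]),
                     "telnet")  # the VTY default protocol is Telnet
        if auth is None:
            findings.append((header, "NO_AUTH_MODE"))
        elif auth == "password":
            findings.append((header, "SHARED_PASSWORD"))  # one password for all users
        if level > max_level:
            findings.append((header, "HIGH_DEFAULT_PRIVILEGE"))
        if not inbound:
            findings.append((header, "NO_INBOUND_ACL"))
        for number in inbound:
            rules = acls.get(number)
            if not rules:
                findings.append((header, "ACL_FAIL_OPEN"))  # missing/empty ACL admits anyone
            elif not any("permit" in r for r in rules):
                findings.append((header, "ACL_LOCKOUT"))    # deny-only ACL admits no one
        if proto != "ssh":
            findings.append((header, "TELNET_ALLOWED"))
    return findings


def codes(text):
    return [code for _, code in audit_vty(text)]


if __name__ == "__main__":
    for name, cfg in (("page-style", PAGE_STYLE), ("dangling ACL", DANGLING_ACL)):
        print(name, codes(cfg))
```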
5 Configuring User Login
About This Chapter
A user can log in to the router through a console port, an AUX port, or by using Telnet or SSH
(STelnet). The user can maintain the router locally or remotely after login.
5.1 User Login Overview
When the device works as the server, a user can log in to the device through a console port,
Telnet, STelnet, or web.
5.2 Logging In to Devices Through the Console Port
When a user needs to maintain a router locally or configure a router that is being powered on
for the first time, the user can log in through a console port.
5.3 Logging In to Devices Through the AUX Port
When a user terminal and the router have no reachable route between each other, the user can
log in to the router through an AUX port to remotely configure and manage or locally maintain
the router.
5.4 Using Telnet to Log In to Devices
When multiple routers need to be configured and managed, you do not need to maintain each
router locally. Instead, you can use Telnet to remotely log in to the routers and perform
maintenance, which greatly facilitates device management.
5.5 Using STelnet to Log In to Devices
STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.
5.6 Common Operations After Login
After logging in to the router, you can perform user priority switching, terminal window locking,
and other operations as needed.
5.7 Configuration Examples
This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.
5.1 User Login Overview
When the device works as the server, a user can log in to the device through a console port,
Telnet, STelnet, or web.
Table 5-1 lists the modes by which a user can log in to the device to configure and manage it.
Table 5-1 User login modes

Login Mode: 5.2 Logging In to Devices Through the Console Port
Applicable Scenario: A user logs in to the device using the console port on the user terminal to power on and configure the device for the first time.
• If a user cannot access the device remotely, the user can log in to the device locally using the console port.
• A user can log in using the console port to diagnose a fault if the device fails to start or to enter the BootROM to upgrade the system.
Remarks: By default, a user can directly log in to the device using the console port. The authentication mode is password authentication, indicating that a password is required for authentication. The command access level is 3.

Login Mode: 5.3 Logging In to Devices Through the AUX Port
Applicable Scenario: When a reachable route does not exist between the user terminal and the device, a user cannot log in to the device using Telnet. In this case, however, the user can log in to the device using the AUX port.
Remarks: By default, the user authentication mode of the AUX user interface is not configured. Administrators must manually set a user authentication mode for the AUX user interface. If no user authentication mode is set for the AUX user interface, users cannot log in to the device using the AUX user interface. A user can use the AUX port to log in to the device but cannot use the AUX port to manage or maintain the device.
To enable management and maintenance of the device using the AUX port, log in to the device locally using the console port, and change the user access level of the AUX user interface. By default, the command access level of the AUX user is 0.

Login Mode: 5.4 Using Telnet to Log In to Devices
Applicable Scenario: A user accesses the network using a user terminal and logs in to the device using Telnet to perform local or remote configuration. The target device authenticates the user using the configured login parameters. The Telnet login mode facilitates remote device management and maintenance.
Remarks: By default, a user cannot log in to the device directly using Telnet. To enable Telnet login, log in to the device locally using the console port and perform the following configuration tasks:
• Configure the IP address of the management network port on the device and ensure that a reachable route exists between the user terminal and the device. By default, an IP address is not configured on the device.
• Configure the user authentication mode of the VTY user interface. (By default, the user authentication mode of the VTY user interface is not configured. Administrators must manually set a user authentication mode for the VTY user interface.)
• Configure the user access level of the VTY user interface. By default, the user access level of the VTY user interface is 0.
• Enable the Telnet server function. By default, the Telnet server function is enabled.

Login Mode: 5.5 Using STelnet to Log In to Devices
Applicable Scenario: A user accesses the network using a user terminal. If the network is insecure, use the Secure Shell (SSH) protocol to increase the security of the transmission and utilize a powerful authentication mechanism. SSH protects the device system against attacks, such as IP spoofing and plain text password interception. The STelnet login mode better ensures the security of the exchanged data.
Remarks: By default, a user cannot log in to the device directly using STelnet. To enable STelnet login, log in to the device locally using the console port and perform the following configuration tasks:
• Configure the user authentication mode of the VTY user interface. (By default, the user authentication mode of the VTY user interface is not configured. Administrators must manually set a user authentication mode for the VTY user interface.)
• Configure the IP address of the management network port on the device and ensure that a reachable route exists between the user terminal and the device. By default, an IP address is not configured on the device.
• Configure the user access level of the VTY user interface. By default, the user access level of the VTY user interface is 0.
• Configure the VTY user interface to support the SSH protocol. By default, the VTY user interface supports the Telnet protocol.
• Configure the SSH user and specify STelnet as a service mode. By default, the SSH user is not configured on the device, and the service mode of SSH users is null (no service mode is supported).
• Enable the STelnet server function. By default, the STelnet server function is disabled.

NOTE
Logging in using Telnet is insecure because a secure authentication mechanism is not used and data is
transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts data in
both directions to guarantee secure transmissions on a conventional insecure network. SSH supports
secure Telnet (STelnet).
For detailed information about SSH, see NE80E/40E Feature Description - Basic Configurations.
5.2 Logging In to Devices Through the Console Port
When a user needs to maintain a router locally or configure a router that is being powered on
for the first time, the user can log in through a console port.
5.2.1 Before You Start
Before configuring user login through a console port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
A user can locally log in to a device through a console port. The user must log in through a
console port when a router is being powered on for the first time.
• If a user cannot access the device remotely, the user can log in to the device locally using
the console port.
• A user can log in using the console port to diagnose a fault if the device fails to start or to
enter the BootROM to upgrade the system.
Pre-configuration Tasks
Before configuring user login through a console port, complete the following tasks:
• Configure the PC/terminal (including the serial port and RS-232 cable)
• Install the terminal emulator (for example, the Windows XP HyperTerminal) to the PC
Data Preparation
To configure user login through a console port, you need the following data.
No.  Data
1    • Transmission rate, flow control mode, parity mode, stop bit, and data bit
     • Number of lines displayed in a terminal screen, number of characters displayed
       in a terminal screen, and size of the history command buffer
     • User priority
     • User authentication mode, username, and password
5.2.2 Logging In to the Device Using a Console Port
A user can log in by using a console port to connect a terminal to the device.
Context
• Communication parameters of the user terminal must match physical attribute parameters
of the console user interface on the device.
• A user authentication mode must be configured on the console user interface.
Authentication enhances network security because a user can log in to the device only after
being successfully authenticated.
NOTE
If the master main control board fails, a user can log in to the slave main control board, if available, through the
console port to query configurations on the slave main control board. This login option facilitates fault locating.
Procedure
Step 1 Start a terminal emulation program, such as the HyperTerminal of Windows XP, on the PC and
establish a connection as shown in Figure 5-1.
NOTE
If your Windows OS does not provide HyperTerminal, download it from the Microsoft website.
Figure 5-1 Creating a connection
Step 2 Set an interface, as shown in Figure 5-2.
Figure 5-2 Setting an interface
Step 3 Set communication parameters to match the router defaults, as shown in Figure 5-3.
Figure 5-3 Setting communication parameters
Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the new password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
NOTE
• If the device has the default password before delivery, enter the default password Admin@huawei.com
to log in. The password is insecure, so you must change it immediately. For details on how to change
the password, see 4.2.5 Configuring the User Authentication Mode of the Console User
Interface.
• After you set the password for the user interface, you must use this user interface to log in to the system
again. Use password authentication mode and enter the new password.
• The passwords must meet the following requirements:
  – The password input is in man-machine interaction mode, and the system does not display the
    entered password.
  – The password is a string of 8 to 16 case-sensitive characters. The password must contain at least
    two of the following characters: upper-case characters, lower-case characters, numbers, and special
    characters.
    Special characters exclude the question mark (?) and space.
  The configured password is displayed in the configuration file in ciphertext.
• After you restart the device using the console port, press Enter after the following information is
displayed.
Recover configuration...OK!
Press ENTER to get started.
----End
5.2.3 (Optional) Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
Context
Console user interface attributes have default values on the device, and generally need no
modification. To meet specific user requirements or ensure network security, you can modify
console user interface attributes, such as terminal attributes and the user authentication mode.
For detailed settings, see section 4.2 Configuring Console User Interface.
NOTE
Changes to console user interface attributes take effect immediately. Therefore, the connection may be
interrupted if console user interface attributes are modified when you log in to the device through the
console port. For this reason, use another login mode to log in to the device when you modify console user
interface attributes. To log in to the device through the console port after you change the default console
user interface attributes, ensure that the configuration of the terminal emulator running on the PC is
consistent with the console user interface attributes configured on the device.
5.2.4 Checking the Configuration
After logging in through a console port, a user can view the usage information, physical attributes
and configurations, local user list, and online users on the console user interface.
Prerequisites
Configurations that enable a user to log in through a console port are complete.
Procedure
• Run the display users [ all ] command to check information about the user interface.
• Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check the local user list.
----End
Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay      Type   Network Address   AuthenStatus   AuthorcmdFlag
  0   CON 0    00:00:44                            pass           no
  Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600             3                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username       State   Type   CAR   Access-limit   Online
  ----------------------------------------------------------------------------
  user123        Active  All    Dft   No             0
  ll             Active  F      Dft   No             0
  user1          Active  F      Dft   No             0
  ----------------------------------------------------------------------------
  Total 3,3 printed
5.3 Logging In to Devices Through the AUX Port
When a user terminal and the router have no reachable route between each other, the user can
log in to the router through an AUX port to remotely configure and manage or locally maintain
the router.
5.3.1 Before You Start
Before configuring user login through an AUX port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This will help
you complete the configuration task quickly and accurately.
Applicable Environment
You can configure and maintain the router locally or remotely through an AUX port.
When you locally configure the router, the AUX login method is similar to the console login
method. The only difference between the two login methods lies in the default user priority: The
default user priority of the console user interface is 3, whereas that of the AUX user interface is
0. Therefore, logging in through the console port is recommended for local configuration. The
following section describes how to log in and configure the router through an AUX port.
NOTE
To manage and maintain the router through an AUX port, first modify the user priority of the AUX user
interface.
When no reachable route is available between a PC and the router, you can use a modem to
connect the serial port of the PC to the AUX port of the router. In this manner, you can use the
Public Switched Telephone Network (PSTN) to configure and maintain the router remotely.
As shown in Figure 5-4, the COM interface of the PC is connected to the modem that is
connected to the PSTN. The AUX port of the router is connected to another modem that is
connected to the PSTN.
Figure 5-4 Networking diagram of remote login through an AUX port (PC, modem, PSTN, modem, router)
Pre-configuration Tasks
Before configuring user login through an AUX port, complete the following tasks:
• Connect the PC to the router through modems
• Configure the modems
• Install a terminal emulator (such as HyperTerminal of Windows XP) on the PC
Data Preparation
To configure user login through an AUX port, you need the following data.
No.  Data
1    • Transmission rate, flow control mode, parity, stop bit, and data bit
     • Number of lines displayed in a terminal screen, number of characters displayed
       in a terminal screen, and size of the history command buffer
     • User priority
     • Modem attributes
     • (Optional) Auto-run commands
     • User authentication mode, user name, and password
2    Telephone number of the modem at the remote router side.
5.3.2 Logging In to the Device Through an AUX Port
You can establish a connection between a terminal and the device through an AUX port.
Context
NOTE
By default, the user access level of the AUX user is 0. The AUX user cannot directly manage or maintain
the device after logging in to the device through the AUX port. To enable the AUX user to remotely manage
and maintain the device, locally log in to the device through the console port to change the user access
level of the AUX user interface.
Procedure
Step 1 After logging in to the device through the console port, perform the following steps:
1.
Run:
system-view
The system view is displayed.
2.
Run:
user-interface aux interface-number
The AUX user interface view is displayed.
3.
Run:
user privilege level level
The user access level is set.
4.
Run:
authentication-mode password
The authentication mode is set to password authentication.
5.
Run:
set authentication password [ cipher password ]
A password for password authentication is set.
NOTE
Passwords must meet the following requirements:
• If you do not enter cipher, the password is input in man-machine interaction mode, and the system
does not display the entered password.
The password is a string of 8 to 16 case-sensitive characters. The password must contain at least
two of the following characters: upper-case characters, lower-case characters, numbers, and
special characters.
Special characters exclude the question mark (?) and space.
• When you enter cipher, the password is displayed in either plaintext or ciphertext.
  – When you input the password in plaintext, the password requirements are the same as those
    when you do not enter cipher.
  – When you input the password in ciphertext, the password must be a string of 56 consecutive
    characters.
The password is displayed in ciphertext in the configuration file regardless of whether you input
it in plaintext or ciphertext.
Step 2 Start a terminal emulator (such as HyperTerminal of Windows XP) in the PC to establish a
connection with the router, as shown in Figure 5-5.
Figure 5-5 Creating a connection
Step 3 Set the dialing information, as shown in Figure 5-6.
Figure 5-6 Setting the dialing information
Step 4 Establish a connection with the router, as shown in Figure 5-7.
Figure 5-7 Establishing a connection with the router
If you need to modify communication parameters, click Modify in the Connect box shown in
Figure 5-7 to open the AuxCon Properties box, as shown in Figure 5-8. Then press Set, as
shown in Figure 5-9.
Figure 5-8 Modifying the connection attribute
Figure 5-9 Setting the communication parameters
Step 5 Press Dialing. If user authentication is needed, input the corresponding authentication
information, and wait until the command line prompt of the user view, such as <HUAWEI>,
appears. This indicates that you have entered the user view and can input configurations.
----End
5.3.3 (Optional) Configuring the AUX User Interface
When you use the AUX port to log in to a device for local or remote configuration, you must
configure attributes in the corresponding AUX user interface.
Context
Attributes of an AUX user interface have default values on the device, and generally need no
additional settings. To meet specific application requirements or ensure network security, you
can also set attributes of the AUX user interface, such as terminal attributes and the user
authentication mode.
For detailed settings, see section 4.3 Configuring AUX User Interface.
5.3.4 Checking the Configuration
After a user logs in through an AUX port, the user can view information on the console user
interface, such as user information, physical attributes and configurations, the local user list, and
online users.
Prerequisites
User login configurations through the AUX port are complete.
Procedure
• Run the display users [ all ] command to check usage information about the AUX user
interface.
• Run the display user-interface aux interface-number [ summary ] command to check the
physical attributes and configurations of the user interface.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check the local user list.
----End
Example
To view information about the current user interface, run the display users command:
<HUAWEI> display users
  User-Intf    Delay      Type   Network Address   AuthenStatus   AuthorcmdFlag
  33  AUX 0    00:00:44                            pass           no
  Username : Unspecified
Run the display user-interface aux ui-number1 [ summary ] command, and you can view the
physical attributes and configurations of the user interface.
<HUAWEI> display user-interface aux 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  33   AUX 0    9600             0                 N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username       State   Type   CAR   Access-limit   Online
  ----------------------------------------------------------------------------
  user123        Active  All    Dft   No             0
  ll             Active  F      Dft   No             0
  user1          Active  F      Dft   No             0
  ----------------------------------------------------------------------------
  Total 3,3 printed
5.4 Using Telnet to Log In to Devices
When multiple routers need to be configured and managed, you do not need to maintain each
router locally. Instead, you can use Telnet to remotely log in to the routers and perform
maintenance, which greatly facilitates device management.
Context
The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.
5.4.1 Before You Start
Before using Telnet to configure user login, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
If you know the IP address of a remote router, you can use Telnet to log in to the router from a
local terminal. Telnet login allows you to maintain multiple remote routers from one local
terminal, which greatly facilitates device management.
Note that router IP addresses must be preset through console ports.
Pre-configuration Tasks
Before using Telnet to configure user login, you must log in to the device through the console
port to change the following default configurations on the device. Then users can use Telnet to
remotely log in to the device to manage and maintain it.
• Configure the IP address of the management network port on the device and ensure that a
reachable route exists between the user terminal and the device
• 5.4.2 Configuring the User Access Level and User Authentication Mode of the VTY
User Interface for remote device management and maintenance
• 5.4.3 Enabling the Telnet Service so that users can remotely log in to the device through
Telnet
Data Preparation
Before configuring Telnet user login, you need the following data.
No.  Data
1    • User priority
     • User authentication mode, username, and password
     • (Optional) Maximum number of VTY user interfaces permitted
     • (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
     • (Optional) Connection timeout period of terminal users, number of lines displayed
       in a terminal screen, number of characters displayed in a terminal screen, and size
       of the history command buffer
2    IPv4/IPv6 address or host name of the router
3    TCP port number the remote device uses to provide Telnet services, and the VPN
     instance name
5.4.2 Configuring the User Access Level and User Authentication
Mode of the VTY User Interface
By default, the user access level of the VTY user interface is 0. To enable a user terminal to use
Telnet to remotely log in to the device for maintenance and management, log in to the device
using the console port, change the user access level, and set a user authentication mode for the
VTY user interface.
Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY
User Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.
Procedure
• Configure the user access level of the VTY user interface.
1.
Run:
system-view
The system view is displayed.
2.
Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
3.
Run:
user privilege level level
The user access level is set.
By default, the user access level of the VTY user interface is 0. Table 5-2 describes
the relationship between the user access levels and command levels.
Table 5-2 Association between user access levels and command levels

User Level | Command Level | Level Name | Description
0 | 0 | Visit level | This level gives access to commands that run network diagnostic tools, such as ping and tracert, and commands that start from a local device and visit external devices, such as Telnet client side.
1 | 0 and 1 | Monitoring level | This level gives access to commands, such as the display command, that are used for system maintenance and fault diagnosis. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see HUAWEI NetEngine80E/40E Command Reference.
2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure network services provided directly to users, including routing and network layer commands.
3-15 | 0, 1, 2, and 3 | Management level | This level gives access to commands that control basic system operations and provide support for services. These commands include file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, and debugging commands for fault diagnosis.

NOTE
• Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level less than or equal to the command
level of the user. This helps ensure the security of the device.
• If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
• Configure the user authentication mode of the VTY user interface.
Two authentication modes are available: password authentication and AAA authentication.
– Configuring Password Authentication
1.
Run:
system-view
The system view is displayed.
2.
Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
3.
Run:
authentication-mode password
The authentication mode is set to password authentication.
4.
Run:
set authentication password [ cipher password ]
A password in the encrypted text for password authentication is set.
NOTE
Passwords must meet the following requirements:
• If you do not enter cipher, the password is input in man-machine interaction mode,
and the system does not display the entered password.
The password is a string of 8 to 16 case-sensitive characters. The password must contain
at least two of the following characters: upper-case characters, lower-case characters,
numbers, and special characters.
Special characters exclude the question mark (?) and space.
• When you enter cipher, the password is displayed in either plaintext or ciphertext.
  – When you input the password in plaintext, the password requirements are the same
    as those when you do not enter cipher.
  – When you input the password in ciphertext, the password must be a string of 56
    consecutive characters.
The password is displayed in ciphertext in the configuration file regardless of whether
you input it in plaintext or ciphertext.
– Configuring AAA Authentication
When the user authentication mode of the VTY user interface is set to AAA
authentication, the access type of the local user must be specified. A management user
belongs to the default_admin domain by default.
1.
Run:
system-view
The system view is displayed.
2.
Run:
aaa
The AAA view is displayed.
3.
Run:
local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-cipher-password }
A username and password for the local user are created.
4.
Run:
local-user user-name service-type telnet
The access type of the local user is set to Telnet.
5.
Run:
quit
You have exited the AAA view.
6.
Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
7.
Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.
----End
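The plaintext password rule stated in the notes of sections 5.2.2, 5.3.2 and 5.4.2, as an added pre-check that is not Huawei code: it shows that the documented default password Admin@huawei.com itself satisfies the length and character-class rule, so a deployment check has to reject it by name. The function names, the deny list and the ASCII-only restriction are assumptions of this example.

```python
import string

# Default console password quoted in the section 5.2.2 note. It satisfies the
# complexity rule, so it has to be rejected explicitly (deny list is an assumption).
DOCUMENTED_DEFAULTS = {"Admin@huawei.com"}
FORBIDDEN = {"?", " "}      # characters the notes exclude
MIN_LEN, MAX_LEN = 8, 16    # plaintext length range from the notes
CIPHERTEXT_LEN = 56         # ciphertext length accepted after the cipher keyword


def character_classes(password):
    """Return which of the four character classes named in the notes appear."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper-case")
        elif ch in string.ascii_lowercase:
            found.add("lower-case")
        elif ch in string.digits:
            found.add("number")
        elif ch in string.punctuation and ch not in FORBIDDEN:
            found.add("special")
    return found


def check_plaintext(password):
    """Return the reasons a plaintext password is rejected; [] means acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8 to 16 characters")
    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): "
                        + ", ".join(repr(c) for c in bad))
    # Assumption: only printable ASCII is accepted; the page does not say.
    if any(ch not in string.printable or ch in "\t\n\r\x0b\x0c" for ch in password):
        problems.append("contains non-printable or non-ASCII characters")
    if len(character_classes(password)) < 2:
        problems.append("needs at least two of: upper-case, lower-case, numbers, special")
    if password in DOCUMENTED_DEFAULTS:
        problems.append("matches a documented default password")
    return problems


def check_cipher_argument(value):
    """Classify the value given after the cipher keyword.

    A string of exactly 56 consecutive characters is treated as ciphertext;
    anything else must satisfy the plaintext rule.
    """
    if len(value) == CIPHERTEXT_LEN and " " not in value:
        return ("ciphertext", [])
    return ("plaintext", check_plaintext(value))


if __name__ == "__main__":
    # Constructed sample candidates, plus the default quoted on the page.
    for candidate in ["Admin@huawei.com", "huawei12", "abcdefgh", "Abc 1234", "Ab1?"]:
        print(repr(candidate), check_plaintext(candidate) or "accepted")
```

The second sample is accepted because the rule only requires two character classes, which is why the check is a floor for what the device will take rather than a measure of password strength.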
5.4.3 Enabling the Telnet Service
Before a user terminal establishes a Telnet connection with the device, log in to the device
through the console interface to enable the Telnet server function on the device. Then the user
terminal can use Telnet to remotely log in to the device.
Context
By default, the Telnet server function is enabled.
On the device that serves as a Telnet server, select and perform the following steps for either
IPv4 or IPv6.
Procedure
• For the IPv4 network
1.
Run:
system-view
The system view is displayed.
2.
Run:
telnet server enable
The Telnet service is enabled.
• For the IPv6 network
1.
Run:
system-view
The system view is displayed.
2.
Run:
telnet ipv6 server enable
The Telnet service is enabled.
NOTE
• If the undo telnet [ipv6] server enable command is run when a user uses Telnet to log in,
the command does not take effect.
• After the Telnet server function is disabled, you can only use SSH or an asynchronous
serial port (rather than Telnet) to log in to the device.
----End
5.4.4 Using Telnet to Log In to the Device
After a remote device is configured, use Telnet to log in to the device from a terminal and perform
remote maintenance on the device.
Context
Use either the Windows CLI or third-party software in the terminal to log in to the router through
Telnet. This section describes how to use the Windows command line prompt.
On the user terminal, perform the following steps:
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to connect to the device through Telnet.
1.
Input the IP address of the Telnet server, as shown in Figure 5-10.
Figure 5-10 Windows CLI
2.
Press Enter to display the command line prompt, such as <HUAWEI>, for the system
view. This indicates that you have accessed the Telnet server.
If the password or AAA authentication mode has been set on the device, you must enter
the login user name and password, and press Enter. The command line prompt of the user
view is displayed, as shown in Figure 5-11.
Figure 5-11 Login
----End
5.4.5 (Optional) Configuring the Listening Port Number of the
Telnet Server
Setting appropriate parameters for the Telnet server, such as the listening port number and source
interface, improves network security.
Context
• Listening port number
By default, the listening port number of a Telnet server is 23. Users can use the default
listening port number to directly log in to the router. Attackers may access the default
listening port, which consumes bandwidth, deteriorates server performance, and causes
authorized users to be unable to access the server. After the listening port number of the
Telnet server is changed, attackers do not know the new listening port number. This
effectively prevents attackers from accessing the listening port.
• Source interface
By default, a Telnet server receives connection requests from all interfaces, and therefore,
the system is vulnerable to attacks. To enhance system security, you can specify the source
interface of the Telnet server. This sets a login condition, and then only authorized users
can log in to the Telnet server.
After the source interface is specified, the system only allows Telnet users to log in to the
Telnet server through this source interface, and Telnet users logging in through other
interfaces are denied. Note that setting this parameter only affects Telnet users that attempt
to log in to the Telnet server, and it does not affect Telnet users that have logged in to the
server.
Perform the following on the router that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Configure Telnet server parameters.
• Run:
telnet server port port-number
The listening port number of the Telnet server is set.
If a new listening port number is set, the Telnet server terminates all established Telnet
connections, and uses the new port number to listen to new requests for Telnet connections.
• Run:
telnet server-source -i loopback interface-number
The source interface of the Telnet server is set.
NOTE
Before specifying the source interface of the Telnet server, ensure that the loopback interface to be
specified as the source interface has been created. If the loopback interface has not been created, the
telnet server-source command cannot be correctly executed.
----End
5.4.6 (Optional) Configuring Telnet Access Control
An ACL can be configured to allow only specified clients to access a Telnet server.
Context
When a device functions as a Telnet server, you can configure an ACL to allow only the clients
that meet the rules specified in the ACL to access the Telnet server.
Do as follows on the device that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] } [ match-order { auto | config } ]
or
acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] } [ match-order { auto | config } ]
The ACL or ACL6 view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
or
rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
The ACL or ACL6 rule is configured.
NOTE
• By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose
  source IP addresses match the ACL rule with a permit action can log in to the device.
  In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
  logging in to the device while allowing the other users to log in to the device:
  – rule deny source 10.1.1.10 0
  – rule permit source any
  If the rule permit source any command is not configured, users whose source IP addresses are not
  10.1.1.10 will also be prohibited from logging in to the device.
• If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
  logging in to the device.
• If the ACL referenced by FTP does not contain any rules or does not exist, any user can log in to the
  device.
Step 4 Run:
quit
The system view is displayed.
Step 5 Run:
telnet [ ipv6 ] server acl { acl-number | acl-name }
An ACL is configured to filter Telnet users.
----End
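The NOTE in Step 3 describes three behaviours that are easy to get wrong: the first matching rule decides, everything is denied once any rule exists, and an ACL that is empty or missing lets every user in. The Python model below is an added illustration, not Huawei code; it handles only IPv4 "rule ... source" lines evaluated in the order listed (the config match order), and the names Rule, parse_rule and login_allowed are hypothetical.

```python
"""Model of the login ACL behaviour described in the NOTE above (illustrative only)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    source: Optional[str]    # IPv4 address, or None for "source any"
    wildcard: str = "0"      # wildcard mask; "0" means match the host exactly


def parse_rule(line: str) -> Rule:
    """Parse 'rule [rule-id] {deny|permit} source {ip wildcard | any}'."""
    tokens = line.split()
    if tokens[:1] != ["rule"]:
        raise ValueError(f"not a rule line: {line!r}")
    tokens = tokens[1:]
    if tokens and tokens[0].isdigit():          # optional rule-id
        tokens = tokens[1:]
    if len(tokens) < 3 or tokens[0] not in ("deny", "permit") or tokens[1] != "source":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    if tokens[2] == "any":
        return Rule(tokens[0], None)
    if len(tokens) < 4:
        raise ValueError(f"missing wildcard: {line!r}")
    ipaddress.IPv4Address(tokens[2])            # reject malformed addresses early
    return Rule(tokens[0], tokens[2], tokens[3])


def _to_int(dotted: str) -> int:
    return 0 if dotted == "0" else int(ipaddress.IPv4Address(dotted))


def rule_matches(rule: Rule, client_ip: str) -> bool:
    if rule.source is None:
        return True
    # Bits set in the wildcard are "don't care"; all other bits must be equal.
    care = ~_to_int(rule.wildcard) & 0xFFFFFFFF
    return (_to_int(client_ip) & care) == (_to_int(rule.source) & care)


def login_allowed(acl: Optional[List[Rule]], client_ip: str) -> bool:
    if not acl:
        # ACL missing or without rules: nothing is filtered, any user can log in.
        return True
    for rule in acl:                             # first matching rule decides
        if rule_matches(rule, client_ip):
            return rule.action == "permit"
    return False                                 # no rule matched: implicit deny


# Constructed rule sets. The first is the two-rule example from the NOTE.
BLOCK_ONE_HOST = [parse_rule("rule deny source 10.1.1.10 0"),
                  parse_rule("rule permit source any")]
DENY_ONLY = [parse_rule("rule deny source 10.1.1.10 0")]
MGMT_SUBNET_ONLY = [parse_rule("rule 5 permit source 10.2.0.0 0.0.255.255")]

if __name__ == "__main__":
    cases = [("block one host", BLOCK_ONE_HOST), ("deny only", DENY_ONLY),
             ("mgmt subnet only", MGMT_SUBNET_ONLY), ("empty ACL", [])]
    for name, acl in cases:
        for ip in ("10.1.1.10", "10.1.1.11", "10.2.33.4"):
            verdict = "permit" if login_allowed(acl, ip) else "deny"
            print(f"{name:17} {ip:10} -> {verdict}")
```

The "empty ACL" case is the one to check for after running the server acl command: binding an ACL number that has no rules filters nothing.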
5.4.7 Checking the Configuration
After you use Telnet to log in to the system, you can view the connection status of each user
interface, including the current user interface, and the status of all established TCP connections.
Prerequisites
Telnet login configurations are complete.
Procedure
• Run the display users [ all ] command to check information about users logged in to user
  interfaces.
• Run the display tcp status command to check TCP connections.
• Run the display telnet server status command to check the configuration and status of the
  Telnet server.
----End
Example
Run the display users command to view information about the currently-used user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0   00:00:12  TEL    10.138.77.38                        no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL    10.138.77.57                        no
  Username : Unspecified
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port     Foreign Add:port    VPNID  State
39952df8  36 /1509  0.0.0.0:0          0.0.0.0:0           0      Closed
32af9074  59 /1     0.0.0.0:21         0.0.0.0:0           14849  Listening
34042c80  73 /17    10.164.39.99:23    10.164.6.13:1147    0      Established
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<HUAWEI> display telnet server status
TELNET IPV4 server              :Enable
TELNET IPV6 server              :Enable
TELNET server port              :23
TELNET Server Source address    :0.0.0.0
ACL4 number                     :0
ACL6 number                     :0
5.5 Using STelnet to Log In to Devices
STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.
5.5.1 Before You Start
Before configuring users to log in using STelnet, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
Telnet logins present security risks because no secure authentication mechanism exists and data
is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts
data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports STelnet and SFTP.
STelnet is a secure Telnet protocol. SSH users can use the STelnet service in the same way they
use the Telnet service.
Pre-configuration Tasks
Before configuring users to log in using STelnet, you must log in to the device through the
console port to change the following default configurations on the device. Then users can
remotely log in to the device using Telnet to manage and maintain the device.
• Configure the IP address of the management network port on the device and ensure that a
  reachable route exists between the user terminal and the device.
• Configure the user access level and authentication mode of the VTY user interface for
  remote device management and maintenance.
• Configure the VTY user interface to support the SSH protocol, configure the SSH
  user and specify STelnet as a service mode for the SSH user, and enable the STelnet
  server function so that the user can remotely log in to the device through STelnet.
Data Preparation
To configure users to log in using STelnet, you need the following data:
| No. | Data |
|-----|------|
| 1 | User authentication mode, username, password, (optional) maximum number of VTY user interfaces permitted, (optional) ACL for restricting incoming and outgoing calls on VTY user interfaces, (optional) connection timeout period for terminal users, number of rows displayed in a terminal screen, and size of the history command buffer |
| 2 | Username, password, authentication mode, and service type of an SSH user, and remote public Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA) key pair allocated to the SSH user |
| 3 | (Optional) Name of an SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the STelnet client to the SSH server, preferred encryption algorithm from the SSH server to the STelnet client, preferred Hashed message authentication code (HMAC) algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from the SSH server to the STelnet client, preferred algorithm for key exchange, name of the outgoing interface, and source address |
5.5.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface
By default, the user access level is 0. Before logging in to the device using STelnet for
maintenance and management, you must log in to the device through the console port to change
the user access level, and set a user authentication mode.
Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY
User Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.
Procedure
• Configure the user access level of the VTY user interface.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     user-interface vty first-ui-number [ last-ui-number ]
     The VTY user interface view is displayed.
  3. Run:
     user privilege level level
     The user access level is set.
     By default, the user access level of the VTY user interface is 0. Table 5-3 describes
     the relationship between the user access levels and command levels.
Table 5-3 Association between user access levels and command levels
| User Level | Command Level | Level Name | Description |
|------------|---------------|------------|-------------|
| 0 | 0 | Visit level | This level gives access to commands that run network diagnostic tools, such as ping and tracert, and commands that start from a local device and visit external devices, such as Telnet client side. |
| 1 | 0 and 1 | Monitoring level | This level gives access to commands, such as the display command, that are used for system maintenance and fault diagnosis. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see HUAWEI NetEngine80E/40E Command Reference. |
| 2 | 0, 1, and 2 | Configuration level | This level gives access to commands that configure network services provided directly to users, including routing and network layer commands. |
| 3-15 | 0, 1, 2, and 3 | Management level | This level gives access to commands that control basic system operations and provide support for services. These commands include file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, and debugging commands for fault diagnosis. |
NOTE
• Different user access levels are associated with different command levels. A user at a certain
  access level can use only commands that have a level less than or equal to the command
  level of the user. This helps ensure the security of the device.
• If the configured command level of the user interface conflicts with the operation rights of
  the username, the operation rights of the username take precedence.
• Configure the user authentication mode of the VTY user interface.
  When the authentication mode of the VTY user interface is set to AAA authentication, the
  access type of the local user must be specified.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-user user-name password { cipher cipher-password | irreversible-cipher irreversible--password }
     A username and password for the local user are created.
     NOTE
     A default user name root and password Changeme_123 for the initial login have been loaded
     to the configuration file of the device before delivery. Do not clear the configurations.
     Otherwise, you cannot log in to the device. After you log in for the first time, change the user
     name and password for security.
  3. Run:
     local-user user-name service-type ssh
     The access type of the local user is set to SSH.
  4. Run:
     user-interface vty first-ui-number [ last-ui-number ]
     The VTY user interface view is displayed.
  5. Run:
     authentication-mode aaa
     The authentication mode is set to AAA authentication.
----End
5.5.3 Configuring SSH for the VTY User Interface
For users to log in to the device using STelnet, VTY user interfaces must be configured to support
SSH.
Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.
NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
Perform the following on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
Step 3 Run:
authentication-mode aaa
The AAA authentication mode is configured.
Step 4 Run:
protocol inbound ssh
The VTY user interface is configured to support SSH.
----End
5.5.4 Configuring an SSH User and Specifying the Service Types
To implement STelnet access, configure a Secure Shell (SSH) user, create a local Rivest-Shamir-Adleman
algorithm (RSA) or digital signature algorithm (DSA) key pair, configure a user
authentication mode, and specify a service type for the SSH user.
Context
• These SSH user authentication modes are available: RSA, DSA, password, password-RSA,
  password-DSA and all. Password authentication depends on Authentication, Authorization
  and Accounting (AAA). Before a user logs in to the device in password, password-RSA or
  password-DSA authentication mode, you must create a local user with the specified user
  name in the AAA view.
  – Password-RSA authentication depends on both password authentication and RSA
    authentication.
  – Password-DSA authentication depends on both password authentication and DSA
    authentication.
  – All authentication depends on any one of the following: password authentication,
    DSA authentication, or RSA authentication.
• The device must be configured to generate local RSA or DSA key pairs, which are a key
  part of the SSH login process. If an SSH user logs in to an SSH server in password
  authentication mode, configure the server to generate a local RSA or DSA key pair. If an
  SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
  server and the client to generate local RSA or DSA key pairs.
  RSA key and DSA key are algorithms for user authentication in SSH. Compared with RSA
  authentication, DSA authentication adopts the DSA encryption mode and is widely used.
  In many cases, SSH only supports DSA to authenticate the server and the client. When the
  RSA or DSA authentication mode is used, the priority of the users depends on the priority
  of the VTY user interfaces used for login.
Perform the following operations on the router that functions as an SSH server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh user user-name
An SSH user is created.
If password authentication is configured for the SSH user, create the same SSH user in the AAA
view:
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { cipher cipher-password | irreversible-cipher
   irreversible--password } command to configure a local user name and a password.
Step 3 Create an RSA or DSA key pair.
• Run the rsa local-key-pair create command to create a local RSA key pair.
  NOTE
  – Configure the rsa local-key-pair create command to generate a local key pair before completing
    other SSH configurations. The minimum length of the server key pair and the host key pair is 512
    bits, and the maximum length is 2048 bits.
    The default length of a local key pair is 2048 bits. After an upgrade, if the original key pair length
    is shorter than 1024 bits, running the rsa local-key-pair create command to generate a new local
    key pair is recommended.
  – After a local key pair is generated, you can run the display rsa local-key-pair public command
    to view the public key in the local key pair.
  – To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
    RSA key-pairs, including the local key-pair and server key-pair.
    Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
    destroy command. The rsa local-key-pair destroy command configuration takes effect only once
    and therefore will not be saved in the configuration file.
• Run the dsa local-key-pair create command to generate the RSA local-key-pair.
  NOTE
  – You must configure the dsa local-key-pair create command to generate a local key pair before
    completing other SSH configurations. The length of the server key pair and the host key pair can
    be 512 bits, 1024 bits and 2048 bits. By default, the length of the key pair is bits.
  – After a local key pair is generated, you can run the display dsa local-key-pair public command
    to view the public key in the local key pair.
  – To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
    DSA key-pairs, including the local key-pair and server key-pair.
    Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
    destroy command. The dsa local-key-pair destroy command configuration takes effect only once
    and therefore will not be saved in the configuration file.
Step 4 Perform the operations as described in Table 5-4 based on the configured SSH user
authentication mode.
Table 5-4 Configuring an authentication mode for the SSH user

Operation: Configure Password Authentication
1. Command: Run the ssh user user-name authentication-type password command.
   Description: If local or HuaWei Terminal Access Controller Access Control System (HWTACACS) authentication is used and there are only a few users, use password authentication.
2. Command: Run the aaa command to enter the AAA view.
   Description: -
3. Command: Run the local-user user-name password { cipher | irreversible-cipher } password command to configure the user name and the password for the local user.
   Description: The user name must be the same as that of the SSH user.
4. Command: Run the local-user user-name service-type ssh command to set the access type of the local user to SSH.
   Description: -
By default, the administrators are all in the domain default_admin.

Operation: Configure the Default Password Authentication
Command: Run the ssh authentication-type default password command.
Description: When you log in using SSH and use a TACACS server for authentication, the network administrator needs to specify the information about an SSH user on the TACACS server. In most cases, however, the SSH server cannot obtain the user information from the TACACS server. To resolve this problem, you can run the ssh authentication-type default password command to set the authentication mode as password authentication. Then, you can log in to the device on the SSH server safely.

Operation: Configure RSA authentication
1. Command: Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
   Description: -
2. Command: Run the rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] command to configure an encoding format for an RSA public key and enter the RSA public key view.
   The default encoding format is distinguished encoding rules (DER) for an RSA public key.
   Description: Huawei data communications devices support only the DER format for RSA keys before V600R006C00 version. If you use an RSA key in non-DER format, use a third-party tool to convert the key into a key in DER format.
   In addition to DER, RSA keys need to support the privacy-enhanced mail (PEM) and OpenSSH formats since V600R006C00 to improve RSA usability.
   Third-party software, such as SecureCRT, PuTTY, OpenSSH, and OpenSSL, can be used to generate RSA keys in different formats. The details are as follows:
   • The SecureCRT and PuTTY generate RSA keys in PEM format.
   • The OpenSSH generates RSA keys in OpenSSH format.
   • The OpenSSL generates RSA keys in DER format.
3. Command: Run the public-key-code begin command to enter the public key edit view.
   Description: -
4. Command: Enter hex-data to edit the public key.
   Description:
   • In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software.
   • After entering the public key edit view, paste the RSA public key generated on the client to the server.
5. Command: Run the public-key-code end command to exit from the public key edit view.
   Description: -
6. Command: Run the peer-public-key end command to return to the system view.
   Description:
   • Running the peer-public-key end command generates a key only after a valid hex-data complying with the public key format is entered.
   • If the peer-public-key end command is used after the key key-name specified in Step 2 is deleted in another window, the system prompts a message, indicating that the key does not exist, and the system view is displayed.
7. Command: Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a public key.
   Description: -

Operation: Configure DSA authentication
1. Command: Run the ssh user user-name authentication-type dsa command to configure DSA authentication.
   Description: -
2. Command: Run the dsa peer-public-key key-name encoding-type { der | openssh | pem } command to configure an encoding format for a DSA public key and enter the DSA public key view.
   Description: Huawei data communications devices support the DER and PEM formats for DSA keys before V600R006C00 version. If you use an RSA key in non-DER/PEM format, use a third-party tool to convert the key into a key in DER or PEM format.
   In addition to DER, DSA keys need to support the PEM and OpenSSH formats since V600R006C00 to improve DSA usability.
3. Command: Run the public-key-code begin command to enter the public key edit view.
   Description: -
4. Command: Enter hex-data to edit the public key.
   Description:
   • In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software.
   • After entering the public key edit view, paste the RSA public key generated on the client to the server.
5. Command: Run the public-key-code end command to exit from the public key edit view.
   Description: -
6. Command: Run the peer-public-key end command to return to the system view.
   Description:
   • Running the peer-public-key end command generates a key only after a valid hex-data complying with the public key format is entered.
   • If the peer-public-key end command is used after the key key-name specified in Step 2 is deleted in another window, the system prompts a message, indicating that the key does not exist, and the system view is displayed.
7. Command: Run the ssh user user-name assign dsa-key key-name command to assign the SSH user a public key.
   Description: -

Step 5 (Optional) Use command lines to authorize SSH users.
Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 6 Run:
ssh user username service-type { stelnet | all }
The service type of the SSH user is configured.
By default, the service type of the SSH user is not configured.
----End
5.5.5 Enabling the STelnet Server Function
By default, the STelnet server function is disabled. Before a user terminal logs in to a device
using STelnet, you must log in to the device through the console interface to enable the STelnet
server function on the device.
Context
By default, the STelnet server function is disabled on devices. Users can establish connections
to the device using STelnet only after the STelnet server function is enabled on the device.
Perform the following steps on the device serving as an SSH server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
stelnet server enable
The STelnet server function is enabled.
By default, the STelnet server function is disabled.
----End
5.5.6 Using STelnet to Log In to the Device
After you log in to the device through the console interface and complete the required
configurations, users can remotely log in to the device using the Secure Shell (SSH) protocol
from remote user terminals to remotely maintain the device.
Context
Third-party software can be used on a terminal for STelnet login. This section describes the use
of third-party software OpenSSH and the Windows CLI.
After installing OpenSSH on the user terminal, perform the following on the user terminal:
NOTE
For details about how to install OpenSSH, refer to the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the software help document.
Procedure
Step 1 Open the Windows CLI.
Step 2 Run required OpenSSH commands to log in to the router in STelnet mode, as shown in Figure
5-12.
Figure 5-12 Logging in to the device in STelnet mode
----End
5.5.7 (Optional) Configuring the STelnet Server Parameters
You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated, and specify the source interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Perform any of the operations shown in Table 5-5 as needed.
Table 5-5 Server parameters

Server parameter: Configure the interval at which the key pair of the SSH server is updated
Command: Run the ssh server rekey-interval interval command.
  By default, the interval is 0, indicating that the key is never updated.
Description: You can set an interval at which the key pair of an SSH server is updated. When the timer expires, the key pair is automatically updated, improving security.

Server parameter: Configure the timeout period of SSH authentication
Command: Run the ssh server timeout seconds command.
  By default, the timeout period is 60 seconds.
Description: If a user fails to log in when the timeout period of SSH authentication expires, the system disconnects the current connection to ensure the system security.

Server parameter: Configure the number of times that SSH authentication is retried
Command: Run the ssh server authentication-retries times command.
  By default, SSH authentication retries a maximum of 3 times.
Description: The number of times that SSH authentication is retried is set to deny access of invalid users.

Server parameter: Configure earlier SSH version compatibility
Command: Run the ssh server compatible-ssh1x enable command.
  By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.
  NOTE
  If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk.
Description: There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X. SSH 2.0 can eliminate the security risks that SSH 1.X has. SSH 2.0 is more secure and therefore is recommended. SSH2.0 also supports more advanced services such as SFTP. The HUAWEI NetEngine80E/40E supports SSH versions ranging from 1.3 to 2.0.

Server parameter: Configure the listening port number of the SSH server
Command: Run the ssh server port port-number command.
  By default, the listening port number is 22.
  If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections, and uses the new port number to listen to connection requests.
Description: The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, which consumes bandwidth, deteriorates server performance, and causes authorized users to be unable to access the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.

Server parameter: Source interface
Command: Run the ssh server-source -i loopback interface-number command.
  Before the source interface of an SSH server is specified, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, the ssh server-source command cannot be correctly executed.
Description: By default, an SSH server receives connection requests from all interfaces, and therefore, the system is vulnerable to attacks. To enhance system security, you can specify the source interface of the SSH server. This sets a login condition after which only authorized users can log in to the SSH server.
  After the source interface is specified, the system only allows SFTP or STelnet users to log in to the SSH server through this source interface. Any SFTP or STelnet users that log in through other interfaces are denied. Note that setting this parameter only affects SFTP or STelnet users that attempt to log in to the SSH server, but it does not affect SFTP or STelnet users that have already logged in to the server.

Server parameter: Configuring an ACL on the SSH server
Command: Run the ssh server acl acl-number or ssh ipv6 server acl acl-number command.
Description: This command specifies the clients that can access the SSH server running IPv4/IPv6. This configuration prevents unauthorized users from accessing the SSH server, ensuring data security.

----End
5.5.8 Checking the Configuration
After configuring users to log in using STelnet, you can view the SSH server configuration.
Prerequisites
STelnet login configurations are complete.
Procedure
• Run the display ssh user-information username command on the SSH server to check
  information about SSH users.
• Run the display ssh server status command on the SSH server to check its configurations.
• Run the display ssh server session command on the SSH server to check sessions for SSH
  users.
----End
Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<HUAWEI> display ssh user-information client001
User Name              : client001
Authentication-type    : password
User-public-key-name   :
User-public-key-type   : RSA
Sftp-directory         :
Service-type           : stelnet
Authorization-cmd      : Yes
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view SSH server configurations.
<HUAWEI> display ssh server status
SSH version                         :1.99
SSH connection timeout              :60 seconds
SSH server key generating interval  :0 hours
SSH authentication retries          :3 times
SFTP server                         :Disable
Stelnet server                      :Enable
SSH server source                   :0.0.0.0
ACL4 number                         :0
ACL6 number                         :0
Run the display ssh server session command. The command output shows information about
a session between the SSH server and client.
<HUAWEI> display ssh server session
Session 1:
Conn                 : VTY 3
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group-exchange-sha1
Service Type         : stelnet
Authentication Type  : password
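The two display outputs above can also be reviewed by script. The following is an added example, not part of the Huawei guide: it parses display ssh server status and display ssh server session output and lists the values a security review would question. The sample text is constructed from the outputs shown above, and the flagging rules (including reading ACL number 0 as "no ACL bound") are assumptions of this example.

```python
import re

# Constructed sample input: the two outputs shown in this section, re-typed.
STATUS_OUTPUT = """\
SSH version                         :1.99
SSH connection timeout              :60 seconds
SSH server key generating interval  :0 hours
SSH authentication retries          :3 times
SFTP server                         :Disable
Stelnet server                      :Enable
SSH server source                   :0.0.0.0
ACL4 number                         :0
ACL6 number                         :0
"""

SESSION_OUTPUT = """\
Session 1:
Conn                 : VTY 3
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group-exchange-sha1
Service Type         : stelnet
Authentication Type  : password
"""


def parse_fields(text):
    """Turn 'Label : value' lines into a dict keyed by lower-cased label."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip():
            fields[label.strip().lower()] = value.strip()
    return fields


def parse_sessions(text):
    """Split 'display ssh server session' output into one dict per session."""
    sessions, current = [], []
    for line in text.splitlines():
        if re.match(r"\s*Session\s+\d+\s*:", line):
            current = []
            sessions.append(current)
        elif sessions:
            current.append(line)
    return [parse_fields("\n".join(lines)) for lines in sessions]


def audit_status(status):
    """Return (field, value, reason) tuples for server-wide settings."""
    findings = []
    # RFC 4253 section 5.1: a server announcing 1.99 also accepts SSH-1 clients.
    if status.get("ssh version") == "1.99":
        findings.append(("ssh version", "1.99", "SSH protocol 1 compatibility is on"))
    # Assumption of this example: 0 means no ACL is bound to the SSH server.
    for key in ("acl4 number", "acl6 number"):
        if status.get(key) == "0":
            findings.append((key, "0", "no ACL limits which clients can connect"))
    return findings


def audit_session(session):
    """Return (field, value, reason) tuples for one negotiated session."""
    findings = []
    if session.get("version", "").startswith("1"):
        findings.append(("version", session["version"], "session uses SSH protocol 1"))
    for key in ("ctos cipher", "stoc cipher"):
        value = session.get(key, "")
        if value.endswith("-cbc"):
            findings.append((key, value, "CBC-mode cipher"))
    for key in ("ctos hmac", "stoc hmac"):
        value = session.get(key, "")
        if "md5" in value or "sha1" in value:
            findings.append((key, value, "MD5/SHA-1 based MAC"))
    kex = session.get("kex", "")
    if kex.endswith("sha1"):
        findings.append(("kex", kex, "key exchange hashed with SHA-1"))
    return findings


if __name__ == "__main__":
    for finding in audit_status(parse_fields(STATUS_OUTPUT)):
        print("server :", *finding)
    for number, session in enumerate(parse_sessions(SESSION_OUTPUT), 1):
        for finding in audit_session(session):
            print(f"session {number} ({session.get('username')}):", *finding)
```
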
5.6 Common Operations After Login
After logging in to the router, you can perform user priority switching, terminal window locking,
and other operations as needed.
5.6.1 Before You Start
Before performing any operations after login, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
Configure user level switching and enable messaging between user interfaces to ensure that
operators can manage routers safely.
Pre-configuration Tasks
Before performing operations after login, connect the terminal to the router.
Data Preparations
Before performing operations after login, you need the following data:
No.  Data
1    Password used for switching user levels
2    Type and number of the user interface
3    Contents of the message to be sent
5.6.2 Locking User Interfaces
If you must be away from your work area, you can lock the user interface on a terminal to prevent
unauthorized access.
Context
The user interface can be a console user interface, AUX user interface, or VTY user interface.
Procedure
Step 1 Run:
lock
The user interface is locked.
Step 2 Follow the system prompts and input a password to unlock the user interface.
<HUAWEI> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked.
You must enter the previously set password to unlock the user interface.
NOTE
The passwords must meet the following requirements:
● The password is a string of 8 to 16 case-sensitive characters.
● The password must contain at least two of the following characters: upper-case characters, lower-case characters, numbers, and special characters (excluding question marks and spaces).
----End
5.6.3 Sending Messages to Other User Interfaces
Users logged in to different interfaces can send messages to each other.
Context
Users logged in to the router can send messages from their user interface to users on other user
interfaces.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
You can enable messages to be sent between user interfaces.
Step 2 Follow the prompt to view the message to be sent. You can press Ctrl_Z or Enter to end the
display or Ctrl_C to abort the display.
----End
5.6.4 Displaying Login Users
You can query information about login users.
Context
You can query the user name, address, and authentication and authorization information.
Procedure
● Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about all users logged in to user interfaces is displayed.
----End
5.6.5 Clearing Logged-in Users
If you want to force a logged-in user to log out of the router, you can tear down the connection
between the router and the user.
Context
You can run the display users command to view users logged in to the router.
Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }
Online users are cleared.
Step 2 Based on the displayed information, you can confirm whether specified logged-in users have
been cleared.
----End
5.6.6 Configuring Configuration Locking
When multiple users log in to the router to configure the device, configuration conflict may
occur. To prevent these conflicts from affecting services, you can enable the configuration
locking function. This allows only one user to configure the device at a time.
Context
Before configuring configuration locking, check whether the configuration set is locked by
another user. If no user has locked the configuration set, you can exclusively lock the
configuration.
Procedure
Step 1 Run:
configuration exclusive
You have obtained exclusive configuration access.
After enabling the configuration locking function, you have the exclusive authority to perform
configurations on the router.
NOTE
● You can run this command in any view.
● If the configuration set is already locked, you cannot relock it.
● SNMP users can share the same configuration right.
● You can run the display configuration-occupied user command to see which user has locked the configuration.
Step 2 Run:
system-view
The system view is displayed.
Step 3 Run:
configuration-occupied timeout timeout-value
The timeout period for automatically unlocking the configuration is set.
After the timeout period expires, the configuration is automatically unlocked, and other users
can configure the device.
By default, the timeout period is 30s.
NOTE
● If a user does not have exclusive configuration access, this command cannot be configured.
● If the configuration set is locked by another user, this command cannot be configured.
● If the configuration set is locked by the current user, the current user can run this command.
----End
5.7 Configuration Examples
This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.
5.7.1 Example for Using a Console Port to Configure User Login
This example describes how to use a console port to configure user login. Login settings that
enable access to the router using a console port are configured on a PC.
Networking Requirements
If default values for console user interface parameters are modified, you must reset the
corresponding parameters on the PC before you can log in to the router again.
Figure 5-13 Networking diagram for using a console port to log in
[Diagram: PC, Router]
Configuration Roadmap
1. Connect a PC to the router through a console port.
2. Set login parameters on the PC.
3. Log in to the router.
NOTE
In this example, a terminal emulator is used.
Data Preparation
Communication parameters for the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit:
2, flow control mode: none)
Procedure
Step 1 Use a standard RS-232 cable to connect the serial port of the PC to the console port of the
router.
Step 2 Run the terminal emulator on the PC. As shown in Figure 5-14 to Figure 5-16, set the
communication parameters for the PC: set the transmission rate to 4800 bit/s, data bit to 6, parity bit to even,
stop bit to 2, and flow control mode to none.
Figure 5-14 Connection creation
Figure 5-15 Interface setting
Figure 5-16 Communication parameter settings
Step 3 Power on the router. The system starts an automatic configuration and self-check. After the self-check is complete, at the prompt "Password:", enter the correct authentication password and
press Enter. If a message (such as <HUAWEI>) is displayed, the login to the system is complete.
Then, you can enter a command to view the operating status of the router or configure the
router.
----End
5.7.2 Example for Logging In Through the AUX Port
In this example, you can configure terminal and modem communication parameters so you can
log in to the router through the AUX port.
Networking Requirements
If you cannot configure the router by logging in locally and no route is reachable to other
routers, connect the serial port of the PC to the AUX port of the router through the modem.
The detailed configuration environment is shown in Figure 5-17.
Figure 5-17 Networking diagram for logging in through the AUX port
[Diagram: PC (COM port), Modem, PSTN, Modem, Router]
Configuration Roadmap
The configuration roadmap is as follows:
1. Establish the physical connection.
2. Configure the name, authentication mode, and password of a user that logs in.
3. Configure the AUX port to support the modem dialup.
4. Configure modem parameters.
Data Preparation
To complete the configuration, you need the following data:
● Type of terminals
● Terminal communication parameters
● User name, password, and authentication mode used for user login, which are huawei, Huawei-123, and password respectively.
● Modem communication parameters
Procedure
Step 1 Establish the physical connection, as shown in Figure 5-17.
Step 2 Configure the AUX port to support the modem dialup.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher Huawei-123
[HUAWEI-aaa] local-user huawei service-type terminal
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit
[HUAWEI] user-interface aux 0
[HUAWEI-ui-aux0] authentication-mode aaa
[HUAWEI-ui-aux0] modem both
Step 3 Configure the modem parameters.
# Start a terminal emulator on the PC. For details, see section 5.3.2 Logging in to the router
Through an AUX Port.
Press Enter on the PC emulation terminal until a modem command line prompt such as ">"
appears.
Configure the modem to meet AUX communication requirements.
For details, see the modem descriptions.
Step 4 Log in to the router.
Enter the user name and password in the remote terminal emulation program.
After the authentication is complete, a command line prompt such as <HUAWEI> appears.
Enter the command to check the running status of the router or configure the router.
Enter "?" for help.
----End
5.7.3 Example for Configuring User Login Through Telnet
This example describes how to set parameters for using Telnet to log in to the router. In this
configuration example, a user logs in to the router after setting the VTY user interface and user
login parameters.
Networking Requirements
You can use a PC or other terminal to log in to a router on another network segment to perform
remote maintenance.
Figure 5-18 Networking diagram for login using Telnet
[Diagram: PC, Network, GE1/0/1, Router]
After a Telnet user logs in to the router in AAA authentication mode, the Telnet user is prohibited
from using this router to log in to another router.
Configuration Roadmap
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the router.
3. Set parameters of the VTY user interface, including limit on call-in and call-out.
4. Set user login parameters.
5. Log in to the router.
Data Preparation
To complete the configuration, you need the following data:
● IP address of the PC
● IP address of the Ethernet interface on the router: 10.137.147.91/16
● Maximum number of VTY user interfaces: 10
● Number of the ACL that is used to prohibit users from logging into another router: 3001
● Timeout period for disconnecting from the VTY user interface: 20 minutes
● Number of lines a terminal screen displays: 30
● Size of the history command buffer: 20
● Telnet user information (authentication mode: AAA, username: huawei, password: !QAZ@WSX3edc)
Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Configure a login address.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo shutdown
[HUAWEI-GigabitEthernet1/0/1] ip address 10.137.147.91 255.255.0.0
[HUAWEI-GigabitEthernet1/0/1] quit
Step 3 Configure the VTY user interface on the router.
# Set the maximum number of VTY user interfaces.
[HUAWEI] user-interface maximum-vty 10
# Configure an ACL that is used to prohibit users from logging into another router.
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[HUAWEI-acl-adv-3001] quit
[HUAWEI] user-interface vty 0 9
[HUAWEI-ui-vty0-9] acl 3001 outbound
# Set terminal attributes of the VTY user interface.
[HUAWEI-ui-vty0-9] shell
[HUAWEI-ui-vty0-9] idle-timeout 20
[HUAWEI-ui-vty0-9] screen-length 30
[HUAWEI-ui-vty0-9] history-command max-size 20
# Set the user authentication mode of the VTY user interface.
[HUAWEI-ui-vty0-9] authentication-mode aaa
[HUAWEI-ui-vty0-9] quit
Step 4 Set user login parameters on the router.
# Specify the user authentication mode.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password irreversible-cipher Huawei-123
[HUAWEI-aaa] local-user huawei service-type telnet
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit
Step 5 # Configure user login.
Use the command line to telnet the router. The Telnet login window is shown in Figure 5-19.
Figure 5-19 Telnet login window on the PC
Press Enter, and then input the username and password in the login window. If user
authentication succeeds, a command line prompt is displayed in the system view, which indicates
that you have entered the user view.
Figure 5-20 Window after login of the router
Press Enter and then input the username and password in the login window. If user
authentication succeeds, a command line prompt such as <HUAWEI> is displayed.
----End
Configuration Files
Router configuration file
#
sysname HUAWEI
#
acl number 3001
 rule 5 deny tcp destination-port eq telnet
#
aaa
 local-user huawei password irreversible-cipher %$%$#{!{*"|uh/$|z(E0TW=G_Gj~%$%$
 local-user huawei service-type telnet
 local-user huawei state block fail-times 3 interval 5
 local-user huawei level 3
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.147.91 255.255.0.0
#
user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 9
 acl 3001 outbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return
5.7.4 Example for Using STelnet to Configure User Login
This example describes how to configure user login through STelnet. After generating the local
key pair, configuring the SSH user name and password, and enabling the STelnet service on the
SSH server, you can connect the Stelnet client to the SSH server.
Networking Requirements
As shown in Figure 5-21, after the STelnet service is enabled on the SSH server, an STelnet
client can use any authentication mode (password, Rivest-Shamir-Adleman Algorithm (RSA),
password-RSA, Digital Signature Algorithm (DSA), password-DSA or all) to log in to the SSH
server.
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to
the SSH server.
This example uses the password authentication mode.
Figure 5-21 Networking diagram for configuring user login through STelnet
[Diagram: PC, Network, GE1/0/1 10.137.217.225/16, SSH Server]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to enable secure data exchange between the STelnet client and the SSH server.
2. Configure a VTY user interface on the SSH server.
3. Configure an SSH client, which involves setting a user authentication mode, a username, and a password.
4. Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
● SSH user authentication mode: password, username: client001, password: Huawei-123
● User level of client001: 3
● IP address of the SSH server: 10.164.39.210
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure a VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
NOTE
If SSH is configured as the login protocol, the NE80E/40E automatically disables Telnet.
Step 3 Configure the password of SSH user Client001 as Huawei-123.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Huawei-123
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
Step 4 Enable the STelnet service on the SSH server.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] stelnet server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] quit
Step 5 Verify the configuration.
# Use PuTTY software to log in to the device. Specify the IP address of the device as
10.164.39.210 and the login protocol as SSH, as shown in Figure 5-22.
Figure 5-22 PuTTY configuration
# Use PuTTY software to log in to the device, and enter the username client001 and the
password !QAZ@WSX3edc, as shown in Figure 5-23.
Figure 5-23 Logging in to the device using PuTTY software
----End
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
aaa
 local-user client001 password irreversible-cipher %$%$#{!{*"|uh/$|z(E0TW=G_Gj~%$%$
 local-user client001 level 3
 local-user client001 service-type ssh
 local-user client001 state block fail-times 3 interval 5
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.225 255.255.255.0
#
stelnet server enable
ssh user client001 authentication-type password
ssh user client001
ssh user client001 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
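The Telnet configuration file in 5.7.3 and the STelnet configuration file in 5.7.4 differ in exactly the lines that decide whether logins cross the network in cleartext. The following is an added example, not part of the Huawei guide: a small auditor that parses saved configuration text and reports VTY lines that are not limited to SSH with AAA, and local users that still carry the Telnet service type. The samples are constructed from the two files on this page (login-related sections only, ciphertext replaced by a placeholder), and the list of checks is an assumption of this example.

```python
import re

# Constructed samples: login-related parts of the configuration files in
# 5.7.3 (Telnet) and 5.7.4 (STelnet), with one-space child indentation and
# the password ciphertext replaced by a placeholder.
TELNET_CFG = """\
#
sysname HUAWEI
#
aaa
 local-user huawei password irreversible-cipher %$%$<ciphertext>%$%$
 local-user huawei service-type telnet
 local-user huawei state block fail-times 3 interval 5
 local-user huawei level 3
#
user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 9
 acl 3001 outbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return
"""

STELNET_CFG = """\
#
sysname SSH Server
#
aaa
 local-user client001 password irreversible-cipher %$%$<ciphertext>%$%$
 local-user client001 level 3
 local-user client001 service-type ssh
 local-user client001 state block fail-times 3 interval 5
#
stelnet server enable
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def parse_blocks(config):
    """Return [(header, [child lines])]; indented lines belong to the header above."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def local_users(children):
    """Group the 'local-user NAME ...' lines of the aaa view by user name."""
    users = {}
    for child in children:
        match = re.match(r"local-user (\S+) (.+)", child)
        if match:
            users.setdefault(match.group(1), []).append(match.group(2))
    return users


def audit(config):
    """Return (location, reason) tuples for login settings worth reviewing."""
    findings = []
    for header, children in parse_blocks(config):
        if header.startswith("user-interface vty"):
            if "authentication-mode aaa" not in children:
                findings.append((header, "VTY lines do not use AAA authentication"))
            if "protocol inbound ssh" not in children:
                findings.append((header, "VTY lines are not restricted to SSH"))
        elif header == "aaa":
            for user, attrs in local_users(children).items():
                words = [attr.split() for attr in attrs]
                if any(w[0] == "service-type" and "telnet" in w[1:] for w in words):
                    findings.append((f"local-user {user}",
                                     "Telnet service type: login is sent in cleartext"))
                if not any(attr.startswith("state block fail-times") for attr in attrs):
                    findings.append((f"local-user {user}",
                                     "no 'state block fail-times' line"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("5.7.3 Telnet", TELNET_CFG), ("5.7.4 STelnet", STELNET_CFG)):
        for location, reason in audit(cfg) or [("-", "no findings")]:
            print(f"{name}: {location}: {reason}")
```
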
6 Managing the File System
About This Chapter
The file system manages the files and directories on the storage devices of the router. It can
move or delete a file or directory, or display the contents of a file.
6.1 File System Overview
The router uses the file system to manage all files.
6.2 Using the File System to Manage Files
You can use the file system to manage storage devices, directories, and files.
6.3 Using FTP to Manage Files
FTP can transmit files between local and remote hosts. FTP is widely used for upgrading
versions, downloading logs, transmitting files, and saving time spent on configurations.
6.4 Using SFTP to Manage Files
SFTP enables you to securely log in to the router from a remote device to manage files, which
makes data transmission to the remote end more secure.
6.5 Using Xmodem to Manage Files
This section describes how to transfer files through XModem.
6.6 Configuration Examples
The examples in this section show how to use FTP, SFTP, or FTPS to access the system and
manage files. These configuration examples explain the networking requirements and provide
configuration roadmaps and configuration notes.
6.1 File System Overview
The router uses the file system to manage all files.
6.1.1 File System
The file system manages files and directories on the storage devices. It can create, delete, modify,
or rename a file or directory, or display the contents of a file.
The file system has two functions: managing storage devices and managing the files that are
stored on those devices.
Managing Files Using the File System
● Storage devices
Storage devices are hardware devices for storing data.
At present, the router supports the CF card as a storage device.
● Files
A file is a resource for storing and managing data.
● Directories
A directory is a logical container that the system uses to organize files.
6.1.2 File Management Methods
You can use FTP, SFTP, or FTPS to manage files.
Using FTP to Manage Files
FTP is a standard application protocol based on the TCP/IP protocol suite. FTP is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode:
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
● Control connection: issues commands from the client to the server and transmits replies from the server to the client, which minimizes the transmission delay.
● Data connection: transmits data between the client and server, which maximizes the throughput.
FTP has two file transfer modes:
● Binary mode: Used to transfer program files, such as .app, .bin, and .btm files.
● ASCII mode: Used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:
● FTP client: Users can use the terminal emulator or Telnet program to connect PCs to the device, and run the ftp command to establish a connection between the device and a remote FTP server to access and operate files on the server.
● FTP server: Users can use the FTP client program to log in to the device and operate files on the device.
Before users log in, the network administrator must configure an IP address for the FTP server.
NOTE
FTP is an insecure protocol, and using it poses security risks. Therefore, exercise caution when
using it.
Using SFTP to Manage Files
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device that
functions as a client to log in to a remote server and transfer files securely.
If the SFTP server or the connection between the server and the client fails, the client needs to
detect the fault in time and remove the connection. To help the client accomplish this, configure
an interval at which Keepalive packets are sent if no packets are received and the maximum
number of times the server does not respond to the client before being released:
● If the client does not receive any packets within the specified period, the client sends a Keepalive packet to the server.
● If the maximum number of times the server does not respond exceeds the specified value, the client proactively releases the connection.
Using FTPS to Manage Files
FTPS is an extension to the commonly used FTP that adds support for Secure Sockets Layer (SSL).
By using SSL to authenticate the identities of the client and server and encrypt the data to be
transmitted, FTPS manages device security.
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data can easily be tampered
with, which poses security threats. An SSL policy can be configured on the FTP server to improve
security. SSL implements data encryption, identity authentication, and message integrity
verification, which improves data transmission security. In addition, SSL provides secure
connections for the FTP server, which greatly improves the security of the FTP server.
By default, a user cannot use FTPS to log in to the device. To log into the device using FTPS,
perform the following steps:
● Log in to the device through the console port and load a digital certificate on the security sub-directory of the system directory on the FTPS server.
● Install the FTP client software that supports SSL on the PC.
Using Xmodem to Manage Files
Xmodem is a file transfer protocol that mainly applies to the AUX port. Xmodem does not
support simultaneous operations for multiple users.
6.2 Using the File System to Manage Files
You can use the file system to manage storage devices, directories, and files.
6.2.1 Before You Start
Before using the file system to manage files, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration tasks quickly and correctly.
Applicable Environment
Use the file system to manage files or directories on the router. If the router is unable to save or
obtain data, log in to the file system and repair the faulty storage devices.
Pre-configuration Tasks
Before logging in to the file system to manage files, connect the client to the server.
Data Preparation
To manage files by logging in to the file system, you need the following data:
No.  Data
1    Storage device name
2    Directory name
3    File name
6.2.2 Managing Storage Devices
If a storage device file system on the router is not functioning correctly, you must repair and
format the file system before managing the storage device.
Context
If the file system on a storage device fails, the terminal of the router prompts you to rectify the
fault.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device.
NOTICE
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.
Procedure
● Run:
fixdisk device-name
The storage device with file system problems is repaired.
NOTE
If, after running this command, the prompt still says the system should be repaired, there may be
damage to the physical storage medium.
● Run:
format device-name
The storage device is formatted.
NOTE
If the storage device does not work after you run this command, there may be a hardware fault.
----End
6.2.3 Managing Directories
You can manage directories to store files in a logical hierarchy.
Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.
Procedure
● Run:
cd directory
A directory is specified.
● Run:
pwd
The current directory is displayed.
● Run:
dir [ /all ] [ filename ]
A list of files and sub-directories in the directory is displayed.
Either the absolute path or relative path applies.
● Run:
mkdir make-remote-directory
The directory is created.
● Run:
rmdir delete-remote-directory
The directory is deleted.
----End
6.2.4 Managing Files
You can log in to the file system to view, delete, or rename files on the router.
Context
● Managing files includes: displaying contents, copying, moving, renaming, compressing, deleting, undeleting, deleting files in the recycle bin, running files in batches and configuring prompt modes.
● You can run the cd directory command to enter another directory from the current directory.
Procedure
● Run:
more file-name [ offset ] [ all ]
The content of a file is displayed.
Specify parameters in the more command for file viewing options:
– Run the more file-name command to view the file named file-name. Text file contents
are displayed one screen at a time. Press the spacebar on the current terminal to display
all contents of the current file.
Two preconditions must be met to display the contents of a text file one screen at a time:
– The value configured by the screen-length screen-length temporary command must
be greater than 0.
– The total number of lines in the file must be greater than the value configured by the
screen-length command.
– Run the more file-name offset command to view the file named file-name. Text file
contents are displayed one screen at a time, beginning with the line specified by
offset. Press and hold the spacebar on the current terminal to display all contents of the
current file.
Two preconditions must be met to display the contents of a text file one screen at a time:
– The value configured by the screen-length screen-length command must be greater
than 0.
– The difference between the number of characters in the file and the value of
offset must be greater than the value configured by the screen-length command.
– Run the more file-name all command to view the file named file-name. All text file
contents are displayed without pausing after each screen.
● Run:
copy source-filename destination-filename
The file is copied.
● Run:
move source-filename destination-filename
The file is moved.
● Run:
rename source-filename destination-filename
The file is renamed.
● Run:
zip source-filename destination-filename
The file is compressed.
● Run:
delete [ /unreserved ] [ /quiet ] { filename | device-name }
The file is deleted.
NOTICE
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.
l
Run:
undelete filename
The deleted file is recovered.
NOTE
If the current directory is not the parent directory, you must use the absolute path to the file to perform
operations.
l
Run:
reset recycle-bin [ filename ]
The file is deleted.
You can use this command to permanently delete files in the recycle bin.
l
Run files in batches.
You can process uploaded files in batches. The edited batch files need to be saved to a
storage device on the router.
You can create and run a batch file to implement routine tasks as follows:
1.
Run:
system-view
The system view is displayed.
2.
Run:
execute filename
The batch file is executed.
l
Configure prompt modes.
The system displays prompts or warning messages when you operate the device (especially
if these operations lead to data loss). If you need to change the prompt mode for file
operations, you can configure the file system prompt mode.
1.
Run:
system-view
The system view is displayed.
2.
Run:
file prompt { alert | quiet }
The file system prompt mode is configured.
The default prompt mode is alert.
NOTICE
If the prompt mode is set to quiet, no prompt appears when data is lost due to
inappropriate operating procedures.
----End
6.3 Using FTP to Manage Files
FTP can transmit files between local and remote hosts. FTP is widely used for upgrading
versions, downloading logs, transmitting files, and saving time spent on configurations.
Context
The FTP protocol poses a security risk, and therefore the SFTP protocol is recommended.
6.3.1 Before You Start
Before using FTP to manage files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.
Applicable Environment
When an FTP client logs in to a router that serves as an FTP server, the user can transfer files
between the client and the server.
Pre-configuration Tasks
Before using FTP to manage files, connect the FTP client to the server.
Data Preparation
To use FTP to manage files, you need the following data:
No.  Data
1    FTP username and password, and authorized FTP file directory name
2    (Optional) Listening port number specified on the FTP server
3    (Optional) Source IP address or source interface of the FTP server
     (Optional) Timeout period for disconnecting from the FTP server
4    IP address or host name of the FTP server
6.3.2 Configuring a Local FTP User
You can configure a user authorization mode and an authorized directory for FTP users to access.
Unauthorized users cannot access the specified directory, which reduces security risks.
Context
To use FTP to manage files, you must configure a local username and a password on the
router and specify a service type and the directories that can be accessed.
Perform the following operations on the router that functions as the FTP server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set default ftp-directory directory
The default FTP working directory is configured.
NOTE
The configuration in this step takes effect only for TACACS users.
Step 3 Run:
aaa
The AAA view is displayed.
Step 4 Run:
local-user user-name password { cipher cipher-password | irreversible-cipher irreversible--password }
The local user name and password are configured.
Step 5 Run:
local-user user-name service-type ftp
The FTP service type is configured.
Step 6 Run:
local-user user-name level level user-name privilege level level
The local user level is set.
NOTE
The local user level must be set to level 3 or higher.
Step 7 Run:
local-user user-name ftp-directory directory
The authorized directory for the FTP user is configured.
----End
6.3.3 (Optional) Specifying a Port Number for the FTP Server
You can configure or change the listening port number for an FTP server. After the port number
is changed, only the user knows the current port number, which protects system security.
Context
The default listening port number for an FTP server is 21. Users can log in to the router directly
by using the default listening port number. Attackers can also access the default listening port
to launch attacks that reduce available bandwidth and affect server performance, which prevents
valid users from accessing the server. Changing the FTP server listening port number effectively
prevents attackers from accessing the server through the listening port.
NOTE
If FTP is not enabled, change the FTP port.
If FTP is enabled, run the undo ftp server command to disable FTP, and then change the FTP port.
Perform the following on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ftp [ ipv6 ] server port port-number
The port number of the FTP server is configured.
Once a new listening port number is configured, the FTP server interrupts all existing FTP
connections and starts using the new listening port.
----End
6.3.4 Enabling the FTP Server
You must enable an FTP server on the router before using FTP to manage files.
Context
The FTP server is disabled on the router by default. You must enable the FTP server before using
it.
Perform the following on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ftp [ ipv6 ] server enable
The FTP server is enabled.
NOTE
When file operations between clients and the router are complete, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This protects router security.
----End
6.3.5 (Optional) Configuring the FTP Server Parameters
FTP server parameters include the FTP server source address and the timeout period for FTP
connections.
Context
l
You can configure a source IP address for the FTP server. The FTP client can only access
this address, which protects system security.
l
You can configure the timeout period for FTP connections on the FTP server. When the
timeout period for an FTP connection expires, the system terminates the connection to
release resources.
Perform the following on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ftp server-source { -a ip-address | -i interface-type interface-number }
The source IP address and source interface of an FTP server are configured.
To log in to the FTP server, you must specify the source IP address for the server in the ftp
command, or you cannot log in to the FTP server.
Step 3 Run:
ftp [ ipv6 ] timeout minutes
The timeout period for the FTP server is configured.
If the client is idle for the configured time, the connection to the FTP server is terminated.
By default, the timeout value is 30 minutes.
----End
6.3.6 (Optional) Configuring an FTP ACL
After an FTP ACL is configured, only specified clients can access the router.
Context
When the router functions as an FTP server, you can configure an ACL to allow the clients that
meet matching rules to access the FTP server.
Perform the following steps on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Compared to a basic ACL that filters packets based on source addresses, an advanced ACL
supports richer filtering rules: not only based on packet source addresses but also based on packet
destination address or priorities. Run either of the following commands:
l For a basic ACL:
To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
[ number acl-number2 ] } [ match-order { auto | config } ] command.
l For an advanced ACL:
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name
[ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] command.
To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
[ number acl-number2 ] } [ match-order { auto | config } ] command.
The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL
ranging from 3000 to 3999.
Step 3 Run either of the following commands:
l For a basic ACL:
To configure a basic ACL rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
fragment-type-name | source { source-ip-address source-wildcard | any } | time-range
time-name | vpn-instance vpn-instance-name ] * command.
To configure a basic ACL6 rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
fragment-type-name | source { source-ip-address source-wildcard | any } | time-range
time-name | vpn-instance vpn-instance-name ] * command.
l For an advanced ACL:
To configure an advanced ACL rule, run the rule [ rule-id ] { deny | permit } protocol
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address
destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address
source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] * command.
To configure an advanced ACL6 rule, run the rule [ rule-id ] { deny | permit } protocol
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address
prefix-length | destination-ipv6-address/prefix-length | any } | fragment | source
{ source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range
time-name | vpn-instance vpn-instance-name ] * command.
NOTE
l By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose
source IP addresses match the ACL rule with a permit action can log in to the device.
In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
logging in to the device while allowing the other users to log in to the device:
    rule deny source 10.1.1.10 0
    rule permit source any
If the rule permit source any command is not configured, users whose source IP addresses are not
10.1.1.10 will also be prohibited from logging in to the device.
l If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
logging in to the device.
l If the ACL referenced by FTP does not contain any rules or does not exist, any user can log in to the
device.
Step 4 Run:
quit
The system view is displayed.
Step 5 Run:
ftp [ ipv6 ] acl acl-number
The FTP ACL is configured.
----End
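The login decision described in the NOTE of Step 3 can be modelled to review an FTP ACL before it is applied. The following Python is an added example, not Huawei code: it covers only source-based basic ACL rules, assumes rules are evaluated in the order listed with the first match deciding, and the names parse_rule, ftp_login_allowed and review_acl are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    source: Optional[int]   # None means "source any"
    wildcard: int = 0       # bits set to 1 are ignored when comparing


def _to_int(text: str) -> int:
    # The page writes the wildcard 0.0.0.0 as a bare "0" (rule deny source 10.1.1.10 0).
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_rule(line: str) -> Rule:
    """Parse 'rule [ rule-id ] { deny | permit } source { ip wildcard | any }'."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    pos = 2 if len(tokens) > 1 and tokens[1].isdigit() else 1   # skip optional rule-id
    if len(tokens) < pos + 3 or tokens[pos] not in ("permit", "deny") \
            or tokens[pos + 1] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    if tokens[pos + 2] == "any":
        return Rule(tokens[pos], None)
    if len(tokens) < pos + 4:
        raise ValueError(f"missing wildcard: {line!r}")
    return Rule(tokens[pos], _to_int(tokens[pos + 2]), _to_int(tokens[pos + 3]))


def matches(rule: Rule, client_ip: str) -> bool:
    """True when client_ip equals the rule source on every bit the wildcard does not mask."""
    if rule.source is None:
        return True
    addr = int(ipaddress.IPv4Address(client_ip))
    return ((addr ^ rule.source) & ~rule.wildcard & 0xFFFFFFFF) == 0


def ftp_login_allowed(rules: Optional[List[Rule]], client_ip: str) -> bool:
    """rules=None models a referenced ACL that does not exist, [] one without rules."""
    if not rules:
        return True                      # NOTE: missing or empty ACL lets any user log in
    for rule in rules:                   # assumption: listed order, first match decides
        if matches(rule, client_ip):
            return rule.action == "permit"
    return False                         # NOTE: deny is the default when nothing matches


def review_acl(rules: Optional[List[Rule]]) -> str:
    """Classify an ACL by the failure modes the NOTE describes."""
    if not rules:
        return "fail-open: ACL missing or empty, any source can log in"
    if not any(r.action == "permit" for r in rules):
        return "lockout: no permit rule, every source is denied"
    if any(r.action == "permit" and r.source is None for r in rules):
        return "broad: permit source any admits every address not denied earlier"
    return "restricted: only listed sources can log in"


if __name__ == "__main__":
    # The two rules from the NOTE, plus a constructed management-subnet rule.
    page_rules = [parse_rule("rule deny source 10.1.1.10 0"),
                  parse_rule("rule permit source any")]
    subnet_only = [parse_rule("rule 5 permit source 192.168.10.0 0.0.0.255")]
    for name, acl in (("page example", page_rules), ("subnet only", subnet_only),
                      ("empty ACL", [])):
        print(name, "->", review_acl(acl))
        for ip in ("10.1.1.10", "10.1.1.11", "192.168.10.77"):
            print("   ", ip, "allowed" if ftp_login_allowed(acl, ip) else "denied")
```

The empty-ACL case is the one to catch in review: deleting the rules of an ACL that the ftp acl command still references removes the restriction instead of tightening it.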
6.3.7 Using FTP to Access the System
After the FTP server is configured, you can use FTP to access the router from a PC and manage
the files on the router.
Context
You can use either the Windows command line prompt or third-party software to log in to the
router. The example here uses the Windows command line prompt.
Do as follows on the PC:
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the ftp ip-address command to log in to the router using FTP.
Enter a username and password at the prompt, and press Enter. When the Windows command
line prompt, such as ftp>, is displayed in the FTP client view, you have entered the working
directory of the FTP server.
Figure 6-1 Using FTP to log in to the device
----End
6.3.8 Using FTP Commands to Manage Files
After using FTP to log in to the router that functions as an FTP server, you can upload and
download files to and from the router or manage the directories on the router.
Context
NOTE
FTP is insecure. Using SFTP is recommended.
After you log in to the FTP server, you can perform the following operations:
l
Configuring the data type for the file
l
Uploading or downloading files
l
Creating or deleting directories on the FTP server
l
Displaying information about a specific remote directory or a file of the FTP server, or
deleting a specific file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform the
following operations:
Procedure
l
Configure the data type and transmission mode for a file
– Run:
ascii or binary
The data type of the file to be transmitted is ascii or binary.
NOTE
FTP supports ASCII and binary files. The difference between the two is:
l In ASCII transmission mode, ASCII characters are used to separate carriage returns from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
An FTP transmission mode can be set for each client. The system uses ASCII transmission mode
by default, but a mode switch command can switch a client between ASCII and binary modes.
The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
l
Upload or download files
– Upload or download a file.
– Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.
– Run:
get remote-filename [ local-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
– Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
– Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE
l When you are uploading or downloading files and you run the prompt command in the FTP
client view to enable the file transmission prompt function, the system will prompt you to confirm
the uploading or downloading operation.
l If you run the prompt command again in the FTP client view, the file transmission prompt
function will be disabled.
l
Run one or more of the following commands to manage directories
– Run:
cd pathname
The working path of the remote FTP server is specified.
– Run:
pwd
The specified directory of the FTP server is displayed.
– Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.
– Run:
mkdir make-remote-directory
A directory is created on the FTP server.
– Run:
rmdir delete-remote-directory
A directory is removed from the FTP server.
l
Run one or more of the following commands to manage files
– Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.
If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
– Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.
If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
– Run:
delete remote-filename
The specified file on the FTP server is deleted.
If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
When local-filename is set, related information about the file can be downloaded locally.
NOTE
If you need more information about FTP operations, run the help [ command ] command in the
Windows CLI.
----End
6.3.9 Checking the Configuration
After the configuration is complete, you can view the configuration and status of the FTP server
as well as login information about FTP users.
Prerequisites
All configurations for using FTP to manage files are complete.
Procedure
l
Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP
server.
l
Run the display ftp-users command to check how many users are currently logged in to
the FTP server.
----End
Example
Run the display [ ipv6 ] ftp-server command to view the status of the FTP server.
<HUAWEI> display ftp-server
 FTP server is running
 Max user number                5
 User count                     1
 Timeout value(in minute)       30
 Listening Port                 1080
 Acl number                     0
 FTP server's source address    1.1.1.1
 SSL security status            Disabled
Run the display ftp-users command to view the username, port number, and authorization
directory of the FTP user.
<HUAWEI> display ftp-users
 username  host            port  idle  topdir
 zll       100.2.150.226   1383  3     cfcard:
6.4 Using SFTP to Manage Files
SFTP enables you to securely log in to the router from a remote device to manage files, which
makes data transmission to the remote end more secure.
6.4.1 Before You Start
Before using SFTP to manage files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.
Applicable Environment
SSH authenticates clients and encrypts data in both directions to guarantee secure data
transmission on conventional networks. SSH supports SFTP.
SFTP is a secure FTP service that enables users to log in to the FTP server to transmit data.
Pre-configuration Tasks
Before using SFTP to manage files, configure reachable routes between the terminal and the
device.
Data Preparation
Before using SFTP to manage files, you need the following data.
No.  Data
1    Maximum number of Virtual Type Terminal (VTY) user interfaces, (optional) ACL
     for restricting incoming and outgoing calls on VTY user interfaces, connection
     timeout period of terminal users, number of rows displayed in a terminal screen, size
     of the history command buffer, user authentication mode, username, and password
2    Username, password, authentication mode, and service type of an SSH user, remote
     public Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm
     (DSA) key pair allocated to the SSH user, and SFTP working directory of the SSH
     user
3    (Optional) Number of the port monitored by the SSH server
     (Optional) The interval for updating the key pair on the SSH server
4    Name of the SSH server, number of the port monitored by the SSH server, preferred
     encryption algorithm from the SFTP client to the SSH server, preferred encryption
     algorithm from the SSH server to the SFTP client, preferred Hashed message
     authentication code (HMAC) algorithm from the SFTP client to the SSH server,
     preferred HMAC algorithm from the SSH server to the SFTP client, preferred
     algorithm of key exchange, name of the outgoing interface, source address
5    Directory name and file name
6.4.2 Configuring the VTY User Interface
To allow a user to log in to the device by using SFTP, you need to configure attributes of the
Virtual Type Terminal (VTY) user interface.
Context
Before a user logs in to the device by using SFTP, you must set the user authentication mode in
the VTY user interface. Otherwise, the user cannot log in to the device.
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY
User Interface.
6.4.3 Configuring SSH for the VTY User Interface
Before users can log in to the router using SFTP, you must configure VTY user interfaces to
support SSH.
Context
By default, user interfaces support Telnet. If no user interfaces are configured to support SSH,
you cannot log in to the router using SFTP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
Step 3 Run:
authentication-mode aaa
The AAA authentication mode is configured.
Step 4 Run:
protocol inbound ssh
The VTY user interface is configured to support SSH.
----End
6.4.4 Configuring an SSH User and Specifying SFTP as One of the
Service Types
Before logging in to the router using SFTP, you must configure an SSH user, configure the
router to generate a local RSA (Rivest-Shamir-Adleman Algorithm) or DSA (Digital Signature
Algorithm) key pair, configure a user authentication mode, and specify a service type and
authorized directory for the SSH user.
Context
l
These SSH user authentication modes are available: RSA, DSA, password, password-RSA,
password-DSA and all. Password authentication depends on Authentication, Authorization
and Accounting (AAA). Before a user logs in to the device in password, password-RSA or
password-DSA authentication mode, you must create a local user with the specified user
name in the AAA view.
– Password-RSA authentication depends on both password authentication and RSA
authentication.
– Password-DSA authentication depends on both password authentication and DSA
authentication.
– All authentication depends on any one of the following: password authentication,
DSA authentication, or RSA authentication.
l
The device must be configured to generate local RSA or DSA key pairs, which are a key
part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA or DSA key pair. If an
SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
server and the client to generate local RSA or DSA key pairs.
RSA key and DSA key are algorithms for user authentication in SSH. Compared with RSA
authentication, DSA authentication adopts the DSA encryption mode and is widely used.
In many cases, SSH only supports DSA to authenticate the server and the client. When the
RSA or DSA authentication mode is used, the priority of the users depends on the priority
of the VTY user interfaces used for login.
Perform the following operations on the router that functions as an SSH server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh user user-name
An SSH user is created.
If password authentication is configured for the SSH user, create the same SSH user in the AAA
view:
1.
Run the aaa command to enter the AAA view.
2.
Run the local-user user-name password { cipher cipher-password | irreversible-cipher
irreversible--password } command to configure a local user name and a password.
Step 3 Run:
local-user user-name level level
The SSH user level is set.
NOTE
The SSH user level must be set to 3 or higher.
Step 4 Create an RSA or DSA key pair.
l Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE
l Configure the rsa local-key-pair create command to generate a local key pair before completing
other SSH configurations. The minimum length of the server key pair and the host key pair is 512
bits, and the maximum length is 2048 bits.
The default length of a local key pair is 2048 bits. After an upgrade, if the original key pair length
is shorter than 1024 bits, running the rsa local-key-pair create command to generate a new local
key pair is recommended.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
RSA key-pairs, including the local key-pair and server key-pair.
Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
destroy command. The rsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
l Run the dsa local-key-pair create command to generate the DSA local-key-pair.
NOTE
l You must configure the dsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The length of the server key pair and the host key pair can
be 512 bits, 1024 bits and 2048 bits. By default, the length of the key pair is bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
DSA key-pairs, including the local key-pair and server key-pair.
Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
destroy command. The dsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
Step 5 Perform the operations as described in Table 6-1 based on the configured SSH user
authentication mode.
Table 6-1 Configuring an authentication mode for the SSH user
Operation: Configure Password Authentication
1. Command: Run the ssh user user-name authentication-type password command.
   Description: If local or HuaWei Terminal Access Controller Access Control System
   (HWTACACS) authentication is used and there are only a few users, use password
   authentication.
2. Command: Run the aaa command to enter the AAA view.
   Description: -
3. Command: Run the local-user user-name password { cipher | irreversible-cipher }
   password command to configure the user name and the password for the local user.
   Description: The user name must be the same as the SSH user name.
4. Command: Run the local-user user-name service-type ssh command to set the access
   type of the local user to SSH.
   Description: -
By default, the administrators are all in the domain default_admin.

Operation: Configure the Default Password Authentication
Command: Run the ssh authentication-type default password command.
Description: When you log in using SSH and use a TACACS server for authentication, the
network administrator needs to specify the information about an SSH user on the TACACS
server. In most cases, however, the SSH server cannot obtain the user information from
the TACACS server. To resolve this problem, you can run the ssh authentication-type
default password command to set the authentication mode as password authentication.
Then, you can log in to the device on the SSH server safely.

Operation: Configure RSA authentication
1. Command: Run the ssh user user-name authentication-type rsa command to configure
   RSA authentication.
   Description: -
2. Command: Run the rsa peer-public-key key-name [ encoding-type { der | openssh |
   pem } ] command to configure an encoding format for an RSA public key and enter the
   RSA public key view. The default encoding format is distinguished encoding rules (DER)
   for an RSA public key.
   Description: Huawei data communications devices support only the DER format for RSA
   keys before V600R006C00 version. If you use an RSA key in non-DER format, use a
   third-party tool to convert the key into a key in DER format.
   In addition to DER, RSA keys need to support the privacy-enhanced mail (PEM) and
   OpenSSH formats since V600R006C00 to improve RSA usability.
   Third-party software, such as SecureCRT, PuTTY, OpenSSH, and OpenSSL, can be used to
   generate RSA keys in different formats. The details are as follows:
   l The SecureCRT and PuTTY generate RSA keys in PEM format.
   l The OpenSSH generates RSA keys in OpenSSH format.
   l The OpenSSL generates RSA keys in DER format.
3. Command: Run the public-key-code begin command to enter the public key edit view.
   Description: -
4. Command: Enter hex-data to edit the public key.
   Description:
   l In the public key edit view, only hexadecimal strings complying with the public key
   format can be typed in. Each string is randomly generated on an SSH client. For
   detailed operations, see manuals for SSH client software.
   l After entering the public key edit view, paste the RSA public key generated on the
   client to the server.
5. Command: Run the public-key-code end command to exit from the public key edit view.
   Description: -
6. Command: Run the peer-public-key end command to return to the system view.
   Description:
   l Running the peer-public-key end command generates a key only after a valid hex-data
   complying with the public key format is entered.
   l If the peer-public-key end command is used after the key key-name specified in Step 2
   is deleted in another window, the system prompts a message, indicating that the key
   does not exist, and the system view is displayed.
7. Command: Run the ssh user user-name assign rsa-key key-name command to assign the
   SSH user a public key.
   Description: -

Operation: Configure DSA authentication
1. Command: Run the ssh user user-name authentication-type dsa command to configure
   DSA authentication.
   Description: -
2. Command: Run the dsa peer-public-key key-name encoding-type { der | openssh | pem }
   command to configure an encoding format for a DSA public key and enter the DSA public
   key view.
   Description: Huawei data communications devices support the DER and PEM formats for
   DSA keys before V600R006C00 version. If you use a DSA key in non-DER/PEM format, use
   a third-party tool to convert the key into a key in DER or PEM format.
   In addition to DER, DSA keys need to support the PEM and OpenSSH formats since
   V600R006C00 to improve DSA usability.
3. Command: Run the public-key-code begin command to enter the public key edit view.
   Description: -
4. Command: Enter hex-data to edit the public key.
   Description:
   l In the public key edit view, only hexadecimal strings complying with the public key
   format can be typed in. Each string is randomly generated on an SSH client. For
   detailed operations, see manuals for SSH client software.
   l After entering the public key edit view, paste the DSA public key generated on the
   client to the server.
5. Command: Run the public-key-code end command to exit from the public key edit view.
   Description: -
6. Command: Run the peer-public-key end command to return to the system view.
   Description:
   l Running the peer-public-key end command generates a key only after a valid hex-data
   complying with the public key format is entered.
   l If the peer-public-key end command is used after the key key-name specified in Step 2
   is deleted in another window, the system prompts a message, indicating that the key
   does not exist, and the system view is displayed.
7. Command: Run the ssh user user-name assign dsa-key key-name command to assign the
   SSH user a public key.
   Description: -
Step 6 (Optional) Use command lines to authorize SSH users.
Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 7 Run:
ssh user username service-type { SFTP | all }
The service type of an SSH user is set to SFTP or all.
By default, the service type of the SSH user is not configured.
Step 8 Run:
ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for the SSH user is configured.
By default, the authorized directory of the SFTP service for the SSH user is cfcard:.
----End
6.4.5 Enabling the SFTP Service
You must enable the STelnet service before you can use it.
Context
By default, the SFTP server function is not enabled on the router. You can use SFTP to establish
connections with the router only after the SFTP server function is enabled on the router.
Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sftp server enable
The SFTP service is enabled.
By default, the SFTP service is disabled.
----End
6.4.6 (Optional) Configuring the SFTP Server Parameters
You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated, and specify the source interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Perform any of the operations shown in Table 6-2 as needed.
Table 6-2 Server parameters

Server parameter: Configure the interval at which the key pair of the SSH server is updated
Command: Run the ssh server rekey-interval interval command.
Description: You can set an interval at which the key pair of an SSH server is updated. When the timer expires, the key pair is automatically updated, improving security. By default, the interval is 0, indicating that the key is never updated.

Server parameter: Configure the timeout period of SSH authentication
Command: Run the ssh server timeout seconds command.
Description: By default, the timeout period is 60 seconds. If a user fails to log in when the timeout period of SSH authentication expires, the system disconnects the current connection to ensure the system security.

Server parameter: Configure the number of times that SSH authentication is retried
Command: Run the ssh server authentication-retries times command.
Description: By default, SSH authentication retries a maximum of 3 times. The number of times that SSH authentication is retried is set to deny access of invalid users.

Server parameter: Configure earlier SSH version compatibility
Command: Run the ssh server compatible-ssh1x enable command.
Description: There are two SSH versions: SSH1.X (earlier than SSH2.0) and SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X. SSH2.0 can eliminate the security risks that SSH1.X has. SSH2.0 is more secure and therefore is recommended. SSH2.0 also supports more advanced services such as SFTP. The HUAWEI NetEngine80E/40E supports SSH versions ranging from 1.3 to 2.0.
By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.
NOTE
If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk.

Server parameter: Configure the listening port number of the SSH server
Command: Run the ssh server port port-number command.
Description: By default, the listening port number is 22. If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections, and uses the new port number to listen to connection requests.
The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, which consumes bandwidth, deteriorates server performance, and causes authorized users to be unable to access the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.

Server parameter: Source interface
Command: Run the ssh server-source -i loopback interface-number command.
Description: By default, an SSH server receives connection requests from all interfaces, and therefore, the system is vulnerable to attacks. To enhance system security, you can specify the source interface of the SSH server. This sets a login condition after which only authorized users can log in to the SSH server.
Before the source interface of an SSH server is specified, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, the ssh server-source command cannot be correctly executed.
After the source interface is specified, the system only allows SFTP or STelnet users to log in to the SSH server through this source interface. Any SFTP or STelnet users that log in through other interfaces are denied. Note that setting this parameter only affects SFTP or STelnet users that attempt to log in to the SSH server, but it does not affect SFTP or STelnet users that have already logged in to the server.

Server parameter: Configuring an ACL on the SSH server
Command: Run the ssh server acl acl-number or ssh ipv6 server acl acl-number command.
Description: This command specifies the clients that can access the SSH server running IPv4/IPv6. This configuration prevents unauthorized users from accessing the SSH server, ensuring data security.
----End
6.4.7 Using SFTP to Access the System
After the configuration is complete, you can use SFTP to log in to the router from a user terminal
and manage files on the router.
Context
You can use third-party software to access the router from the user terminal using SFTP. The
example here uses third-party software OpenSSH and the Windows CLI.
Install OpenSSH on the user terminal and then perform the following:
NOTE
For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the router, see help documentation for the
software.
Procedure
Step 1 Open the Windows CLI.
Step 2 Run OpenSSH commands to log in to the router in SFTP mode.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, as shown in
Figure 6-2, you have entered the working directory of the SFTP server.
Figure 6-2 Using SFTP to log in to the device
----End
6.4.8 Using SFTP to Manage Files
You can log in to the SSH server from an SFTP client to create or delete directories on the SSH
server.
Context
After logging in to the SFTP server, you can perform the following operations:
• Display the SFTP client command help
• Manage directories on the SFTP server
• Manage files on the SFTP server
After logging in to the SFTP server and entering the SFTP client view, you can perform one or
more of the following operations.
Procedure
• Perform the following operations as required.
– Run:
cd [ remote-directory ]
The current operating directory of the users is changed.
– Run:
pwd
The current operating directory of the users is displayed.
– Run:
dir/ls [ path ]
A list of files in the specified directory is displayed.
– Run:
rmdir delete-remote-directory &<1-10>
The directory on the server is deleted.
– Run:
mkdir make-remote-directory
A directory is created on the server.
• Perform the following operations as required.
– Run:
rename old-name new-name
The name of the specified file on the server is changed.
– Run:
get remote-filename [ local-filename ]
The file on the remote server is downloaded.
– Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote server.
– Run:
rmdir delete-remote-directory &<1-10>
The file on the server is removed.
----End
6.4.9 Checking the Configuration
After using SFTP to manage files, you can view SSH user information and global configurations
for the SSH server.
Prerequisites
The configurations of SSH users are complete.
Procedure
• Run the display ssh user-information username command on the SSH server to check information about the SSH client.
• Run the display ssh server status command on the SSH server to check its global configurations.
• Run the display ssh server session command on the SSH server to check information about connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
client001 is authenticated by password.
[HUAWEI] display ssh user-information client001
User Name              : client001
Authentication-type    : password
User-public-key-name   :
User-public-key-type   : RSA
Sftp-directory         :
Service-type           : sftp
Authorization-cmd      : Yes
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view the global configurations of an SSH server.
<HUAWEI> display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 2 hours
SSH Authentication retries          : 5 times
SFTP server                         : Enable
Stelnet server                      : Enable
SSH server port                     : 55535
SSH server source                   : 0.0.0.0
ACL4 number                         : 0
ACL6 number                         : 0
NOTE
If the default listening port is in use, information about the current listening port is not displayed.
Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<HUAWEI> display ssh server session
Session 2:
Conn                 : VTY 4
Version              : 2.0
State                : started
Username             : client002
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group-exchange-sha1
Service Type         : sftp
Authentication Type  : password
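The display ssh server status output shown above can be checked automatically against the settings that Table 6-2 ties to risk. The following script is an added example, not Huawei code: the function names are hypothetical, the sample text is constructed from the output above, and reading a source of 0.0.0.0 and an ACL number of 0 as "not configured" is an assumption.

```python
import re

# Constructed sample: the `display ssh server status` output from the example above.
SAMPLE_STATUS = """\
<HUAWEI> display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 2 hours
SSH Authentication retries          : 5 times
SFTP server                         : Enable
Stelnet server                      : Enable
SSH server port                     : 55535
SSH server source                   : 0.0.0.0
ACL4 number                         : 0
ACL6 number                         : 0
"""


def parse_display(text):
    """Parse 'Name : value' lines of a display command into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields


def leading_int(value):
    """Return the integer a value starts with ('2 hours' -> 2), or None."""
    match = re.match(r"\d+", value or "")
    return int(match.group()) if match else None


def audit_status(fields):
    """Return (check id, evidence, command from Table 6-2) for each weak setting."""
    findings = []

    def flag(check_id, field, fix):
        findings.append((check_id, f"{field} = {fields[field]}", fix))

    # A 1.x version (1.99 here) means SSH1.X clients are still accepted.
    if fields.get("SSH version", "").startswith("1."):
        flag("ssh1x-compat", "SSH version",
             "undo ssh server compatible-ssh1x enable")
    # Interval 0 means the server key pair is never updated.
    if leading_int(fields.get("SSH server key generating interval")) == 0:
        flag("no-rekey", "SSH server key generating interval",
             "ssh server rekey-interval interval")
    # Assumption: 0.0.0.0 means no source interface, so all interfaces accept logins.
    if fields.get("SSH server source") == "0.0.0.0":
        flag("no-source-interface", "SSH server source",
             "ssh server-source -i loopback interface-number")
    # Assumption: ACL number 0 means no ACL restricts which clients may connect.
    if leading_int(fields.get("ACL4 number")) == 0:
        flag("no-acl4", "ACL4 number", "ssh server acl acl-number")
    if leading_int(fields.get("ACL6 number")) == 0:
        flag("no-acl6", "ACL6 number", "ssh ipv6 server acl acl-number")
    return findings


if __name__ == "__main__":
    for check_id, evidence, fix in audit_status(parse_display(SAMPLE_STATUS)):
        print(f"{check_id:20} {evidence:28} fix: {fix}")
```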
6.5 Using Xmodem to Manage Files
This section describes how to transfer files through XModem.
6.5.1 Before You Start
Before configuring XModem, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
Applicable Environment
Configure XModem to transfer files through serial interfaces.
Pre-configuration Tasks
Before configuring XModem, complete the following tasks:
• Power on the router.
• Use an AUX port or a console port to connect the router to the PC.
• Log in to the router through a terminal emulation program and specify a file path.
Data Preparation
To configure XModem, you need the following data.
No.  Data
1    Name of a specific file
2    Absolute path of the file
6.5.2 Obtaining a File Through Xmodem
Using XModem, you can download files to a router through the AUX port.
Context
XModem file transfer consists of a receiving program and a sending program.
• The receiving program first sends the negotiation character to negotiate the check mode.
• After the negotiation is successful, the sending program begins to send packets.
• When the receiving program receives a complete packet, it checks the packet in the negotiated mode.
• If the check is successful, the receiving program sends the acknowledgement character and then the sending program sends the next packet.
• If the check fails, the receiving program sends the denial character and the sending program retransmits the packet.
NE80E/40E provides the XModem receiving program function, which is applied to the AUX
port and supports 128-byte packets and CRC. The XModem sending program is automatically
included in the HyperTerminal.
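The exchange described above, with 128-byte packets and CRC as the check mode, looks like this in code. It is an added example that simulates both programs in one process, not the router's implementation; the function names and the injected bit error are constructed for illustration, and the byte values are those of standard XModem-CRC.

```python
# Standard XModem control characters; 'C' (0x43) is the negotiation
# character a receiver sends to ask for CRC as the check mode.
SOH, EOT, ACK, NAK, CRC_MODE = 0x01, 0x04, 0x06, 0x15, 0x43
PAD = 0x1A      # filler for a short final packet
BLOCK = 128     # data bytes per packet


def crc16_xmodem(data):
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(seq, chunk):
    """Sender side: SOH, block number, its complement, 128 data bytes, CRC."""
    data = chunk.ljust(BLOCK, bytes([PAD]))
    header = bytes([SOH, seq & 0xFF, 0xFF - (seq & 0xFF)])
    return header + data + crc16_xmodem(data).to_bytes(2, "big")


def check_packet(packet, expected_seq):
    """Receiver side: return the data bytes, or None to request a resend."""
    if len(packet) != 3 + BLOCK + 2 or packet[0] != SOH:
        return None
    seq, inverse = packet[1], packet[2]
    if seq != expected_seq & 0xFF or seq + inverse != 0xFF:
        return None
    data = packet[3:3 + BLOCK]
    if crc16_xmodem(data) != int.from_bytes(packet[-2:], "big"):
        return None
    return data


def transfer(payload, corrupt_first_try_of=()):
    """Simulate a whole transfer; returns (received bytes, message log)."""
    log = [("recv->send", "C")]             # negotiate the check mode
    received = bytearray()
    seq = 1                                 # XModem block numbers start at 1
    for offset in range(0, len(payload), BLOCK):
        packet = build_packet(seq, payload[offset:offset + BLOCK])
        attempt = 0
        while True:
            wire = bytearray(packet)
            if seq in corrupt_first_try_of and attempt == 0:
                wire[10] ^= 0x01            # constructed line noise: flip one data bit
            log.append(("send->recv", f"SOH blk={seq & 0xFF}"))
            data = check_packet(bytes(wire), seq)
            if data is not None:
                received += data
                log.append(("recv->send", "ACK"))
                break
            log.append(("recv->send", "NAK"))   # check failed: sender retransmits
            attempt += 1
        seq += 1
    log.append(("send->recv", "EOT"))
    log.append(("recv->send", "ACK"))
    return bytes(received), log


if __name__ == "__main__":
    _, messages = transfer(b"paf.txt contents " * 12, corrupt_first_try_of={2})
    for direction, message in messages:
        print(direction, message)
```

The CRC detects transmission errors only and says nothing about who produced the file, so a file received this way should still be compared with a trusted copy before it is used for startup.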
Do as follows on the router:
Procedure
• Run:
xmodem get { filename | devicename }
XModem is used to get the file.
NOTE
• Before getting the file, confirm the path and name of the file to be sent.
• For the filename, an absolute path name is required.
• If the filename is similar to an existing one, the system sends a prompt asking you whether or not to overwrite the file.
----End
6.6 Configuration Examples
The examples in this section show how to use FTP, SFTP, or FTPS to access the system and
manage files. These configuration examples explain the networking requirements and provide
configuration roadmaps and configuration notes.
6.6.1 Example for Using the File System to Manage Files
This example shows how to use the file system to manage files. In the example, you log in to
the router to view and copy directories.
Networking Requirements
You can log in to the router through the console port, AUX port, Telnet, or STelnet to manage
files on the router.
You must enter the path to the file on the storage device correctly. If you do not specify a target
file name, the source file name is the name of the target file by default.
Configuration Roadmap
The configuration roadmap is as follows:
1. Check the files in a directory.
2. Copy a file to this directory.
3. Check that the file has been copied to the directory.
Data Preparation
To complete the configuration, you need the following data:
• Source file name and target file name
• Source file path and target file path
Procedure
Step 1 Display the file information in the current directory. cfcard:/ is the flash memory identifier.
<HUAWEI> dir cfcard:/
Directory of cfcard:/
  Idx  Attr   Size(Byte)  Date         Time      FileName
    0  -rw-           64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw-          418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw-        38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw-         2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw-         7041  Aug 02 2007  11:02:00  license.txt
    5  -rw-    117013076  Jul 13 2007  10:40:44  V600R008C10.cc
500192 KB total (347760 KB free)
Step 2 Copy the file cfcard2:/sample.txt to cfcard:/sample1.txt.
<HUAWEI> copy cfcard2:/sample.txt cfcard:/sample1.txt
Copy cfcard2:/sample.txt to cfcard:/sample1.txt?[Y/N]:y
100% complete
Info:Copied file cfcard2:/sample.txt to cfcard:/sample1.txt...Done
Step 3 Display the file information about the current directory to check that the file has been copied to
the specified directory.
<HUAWEI> dir cfcard:/
Directory of cfcard:/
  Idx  Attr   Size(Byte)  Date         Time      FileName
    0  -rw-           64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw-          418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw-        38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw-         2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw-         7041  Aug 02 2007  11:02:00  license.txt
    5  -rw-    117013076  Jul 13 2007  10:40:44  V600R008C10.cc
    6  -rw-         1605  Nov 18 2007  05:30:11  sample1.txt
500192 KB total (346155 KB free)
----End
6.6.2 Example for Using FTP to Manage Files
This example shows how to use FTP to manage files. In the example, a user uses FTP to log in
to the router from a PC and then download files to the FTP client.
Networking Requirements
As shown in Figure 6-3, after the FTP server is enabled on the router, you can log in to the FTP
server from the HyperTerminal to upload or download files.
Figure 6-3 Networking for using FTP to manage files
(Diagram: the PC connects through the network to GE1/0/1, 10.137.217.221/16, on the FTP server.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of the FTP server.
2. Enable the FTP server.
3. Configure the authentication information, authorization mode, and directories that can be accessed for an FTP user.
4. Enter the username and password to log in to the FTP server.
5. Upload files to or download files from the FTP server.
Data Preparation
To complete the configuration, you need the following data:
• IP address of the FTP server: 10.137.217.221
• Timeout period for the FTP connection: 30 minutes
• On the server, FTP username: huawei and password: Huawei-123
• Destination file name and its location on the FTP client
Procedure
Step 1 Configure the IP address of the FTP server.
[server] interface gigabitethernet1/0/1
[server-GigabitEthernet1/0/1] undo shutdown
[server-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet1/0/1] quit
Step 2 Enable the FTP server.
<HUAWEI> system-view
[HUAWEI] sysname server
[server] ftp server enable
[server] ftp timeout 30
Step 3 Configure the authentication information, authorization mode, and directories that can be
accessed for an FTP user on the FTP server.
[server] aaa
[server-aaa] local-user huawei password irreversible-cipher Huawei-123
[server-aaa] local-user huawei level 3
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory cfcard:
[server-aaa] quit
Step 4 Run FTP commands at the Windows command line prompt, and enter the username and
password to set up an FTP connection with the FTP server, as shown in Figure 6-4.
Figure 6-4 Logging in to the FTP server
Step 5 Upload and download files, as shown in Figure 6-5.
Figure 6-5 Using FTP to manage files
NOTE
You can run the dir command before downloading a file or after uploading a file to view detailed
information about the file.
----End
Configuration File
• FTP server configuration file
#
sysname Server
#
FTP server enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
aaa
 local-user huawei password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J\E%hGAP&3-R,*7S_]SS}Wa%$%$
 local-user huawei level 3
 local-user huawei service-type ftp
 local-user huawei state block fail-times 3 interval 5
 local-user huawei ftp-directory cfcard:
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
return
6.6.3 Example for Using SFTP to Manage Files
This example shows how to use SFTP to manage files. In the example, a local key pair and a
user name and a password are configured on the SSH server for an SSH user. After SFTP services
are enabled on the server and the SFTP client is connected to the server, you can manage files
between the client and the server.
Networking Requirements
As shown in Figure 6-6, after SFTP services are enabled on the router that functions as an SSH
server, you can log in to the server from an SFTP client PC in password, Rivest-Shamir-Adleman
Algorithm (RSA), password-RSA, Digital Signature Algorithm (DSA), password-DSA or all
authentication mode.
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to
the SSH server.
Configure a user to log in to the SSH server in password authentication mode.
Figure 6-6 Networking diagram for using SFTP to manage files
(Diagram: the PC connects through the network to GE1/0/1, 10.137.217.225/16, on the SSH server.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to exchange data securely between the SFTP client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including user authentication mode, username, password, and authorization directory.
4. Enable SFTP services on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
• SSH user authentication mode: password, username: client001, password: Huawei-123
• User level of client001: 3
• IP address of the SSH server: 10.137.217.225
Procedure
Step 1 Configure a local key pair on the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure VTY user interfaces on the SSH server.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
Step 3 Configure the SSH username and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password Huawei-123
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
Step 4 Enable SFTP and configure the user service type as SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
Step 5 Configure the authorization directory for the SSH user.
[SSH Server] ssh user client001 sftp-directory cfcard:
Step 6 Verify the configurations.
Figure 6-7 Access interface
----End
Configuration File
• SSH server configuration file
#
sysname SSH Server
#
aaa
 local-user client001 password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J\E%hGAP&3-R,*7S_]SS}Wa%$%$
 local-user client001 level 3
 local-user client001 service-type ssh
 local-user client001 state block fail-times 3 interval 5
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.225 255.255.255.0
#
sftp server enable
ssh user client001 authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
6.6.4 Example for Using Xmodem to Perform File Operations
In this example, you run the HyperTerminal on a PC and then log in to a router to download
files through the AUX port.
Networking Requirements
The router is connected to a PC through the AUX port. Log in to the router through the AUX port
to receive files from the AUX port and save the received files to the cfcard.
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the HyperTerminal on the PC and log in to the router.
2. Use the xmodem get command to download files on the router, and specify the file path on the HyperTerminal.
Data Preparation
To complete the configuration, you need the following data:
• Files that are copied to the PC
• The path of the file in the PC
Procedure
Step 1 Log in to the router through the AUX port.
Refer to chapter 2 "Logging in to the Devices Through the AUX Port" in the NE80E/40E
Configuration Guide - Basic Configuration.
Step 2 Use the XModem protocol to receive the file from the AUX port.
The received file is saved on the cfcard memory of the router and the file name is paf.txt.
<HUAWEI> xmodem get cfcard:/paf.txt
**** WARNING ****
xmodem is a slow transfer protocol limited to the current speed
settings of the auxiliary ports.
During the course of the download no exec input/output will be
available!
---- ******* ----
Proceed?[Y/N]y
Destination filename [cfcard:/ paf.txt]?
Before press ENTER you must choose 'YES' or 'NO'[Y/N]:y
Download with XMODEM protocol....
Step 3 Specify the file to be sent on the HyperTerminal.
Figure 6-8 Specifying the file to be sent
After the configuration is complete, press Send to send the file.
Step 4 The system prompts that the file is sent successfully. Then, you can view the directory of the
file named cfcard.
<HUAWEI>
Download successful!
<HUAWEI> dir
Directory of cfcard:/
  Idx  Attr   Size(Byte)  Date         Time      FileName
    0  -rw-     10014764  Jun 20 2005  15:00:28  ne20-vrp5.10-c01b070.bin
    1  -rw-        98776  Jul 27 2005  09:36:12  matnlog.dat
    2  -rw-           28  Jul 27 2005  09:34:39  private-data.txt
    3  -rw-          480  May 10 2003  11:25:18  vrpcfg.zip
    4  -rw-     10103172  Jul 22 2005  16:40:37  ne20-vrp5.10-c01db90.bin
    5  -rw-         1515  Jul 19 2005  17:39:55  vrpcfg.cfg
    6  -rw-         3844  Jul 14 2004  11:51:45  exception.dat
    7  -rw-      8628372  Jun 01 2005  10:14:34  ne20-vrp330-0521.01.bin
    8  -rw-           45  Jul 27 2005  10:51:26  paf.txt
----End
7 Configuring System Startup
About This Chapter
When the router is powered on, system software starts and configuration files are loaded. To
ensure that the router runs smoothly, you need to manage system software and configuration
files efficiently.
7.1 System Startup Overview
When the router is powered on, system software starts and configuration files are loaded.
7.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the
router.
7.3 Specifying a File for System Startup
You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the router.
7.4 Configuration Examples
The example in this section shows how to configure system startup. The example explains the
networking requirements, and provides a configuration roadmap and configuration notes.
7.1 System Startup Overview
When the router is powered on, system software starts and configuration files are loaded.
7.1.1 System Software
System software provides an operating system for the router. System software must be set up
correctly for the router to run and provide services efficiently.
The extension of the system software file is .cc. The file must be saved in the root directory of
the storage device.
7.1.2 Configuration Files
The configuration file is used to configure the initial settings of the router.
The configuration file is a text file with the following properties:
• It is saved in the command format.
• To save space, default parameters are not saved.
• Commands are organized according to the command view. All commands of the same command view are grouped into a section. Every two command sections are separated by one or several blank lines or comment lines (beginning with "#").
• The sequence of the command sections is as follows: global configuration, physical interface configuration, logical interface configuration, and routing protocol configuration.
• The filename extension of the configuration file must be .cfg or .zip, and must be stored in the root directory of a storage device.
• In a configuration file, the commands must be expressed in full names. No abbreviation is allowed.
• In a configuration file, each command is wrapped using \r\n. No other invisible characters can be used to wrap commands.
• Transmitting the configuration file using FTP in bin mode to a device is recommended.
NOTE
• The system supports commands that contain a maximum of 510 characters. A command does not have to be entered in full, as long as the part of the command entered is unique within the system. For example, to run the display current-configuration command, enter d cu, di cu, or dis cu. Entering d c or dis c will not run the command because these entries are not unique to the command.
• The system saves the complete form of incomplete commands to configuration files. Saved commands may have more than 510 characters. When the system restarts, incomplete commands cannot be restored. Therefore, pay attention to the length of incomplete commands before saving them.
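The file properties listed above can be checked on a workstation before a configuration file is transferred to the router. The validator below is an added example, not Huawei tooling: the function name and both sample files are constructed, and the rule that a local-user password must appear in the irreversible-cipher %$%$...%$%$ form is an assumption taken from the configuration files shown in section 6.6.

```python
import re

MAX_COMMAND_CHARS = 510                    # limit stated in the NOTE above
ALLOWED_EXTENSIONS = (".cfg", ".zip")
LOCAL_USER_PASSWORD = re.compile(r"^\s*local-user \S+ password (.+)$")
# Assumption: stored passwords look like the ones in the section 6.6 config files.
STORED_FORM = re.compile(r"irreversible-cipher %\$%\$.+%\$%\$")

# Constructed samples modelled on the SSH server configuration file in 6.6.3.
GOOD = (b"#\r\nsysname SSH Server\r\n#\r\naaa\r\n"
        b" local-user client001 password irreversible-cipher %$%$CONSTRUCTED-VALUE%$%$\r\n"
        b" local-user client001 level 3\r\n#\r\nreturn\r\n")
BAD = (b"#\r\nsysname SSH Server\n#\r\naaa\r\n"       # bare \n after sysname
       b" local-user client001 password Huawei-123\r\n"  # password not in stored form
       b"\tlocal-user client001 level 3\r\n"             # tab character
       b"#\r\nreturn")                                   # no final \r\n


def validate_config(filename, raw):
    """Return [(line number, problem)] for the raw bytes of a configuration file.

    Line number 0 is used for problems with the file name itself.
    """
    problems = []
    name = filename.lower()
    if not name.endswith(ALLOWED_EXTENSIONS):
        problems.append((0, "file name extension must be .cfg or .zip"))
    if name.endswith(".zip"):
        return problems        # compressed: unpack and validate the .cfg inside
    lines = raw.decode("latin-1").split("\r\n")
    if lines[-1] == "":
        lines.pop()            # the file ended with a proper \r\n
    else:
        problems.append((len(lines), "last command is not terminated by \\r\\n"))
    for number, line in enumerate(lines, start=1):
        if "\r" in line or "\n" in line:
            problems.append((number, "line break other than \\r\\n"))
        if any((ord(ch) < 0x20 or ord(ch) == 0x7F) and ch not in "\r\n"
               for ch in line):
            problems.append((number, "invisible control character"))
        if len(line.strip()) > MAX_COMMAND_CHARS:
            problems.append((number, "command longer than 510 characters"))
        match = LOCAL_USER_PASSWORD.match(line)
        if match and not STORED_FORM.fullmatch(match.group(1)):
            problems.append((number, "password not in irreversible-cipher form"))
    return problems


if __name__ == "__main__":
    print("good:", validate_config("vrpcfg.cfg", GOOD))
    for number, problem in sorted(validate_config("vrpcfg.txt", BAD)):
        print(f"bad, line {number}: {problem}")
```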
7.1.3 Configuration Files and Current Configurations
When the router is running, current configurations differ from configuration files.
The concepts of configuration files and current configurations are defined as follows.
Concept: Configuration files
When the router is powered on, it retrieves configuration files from a default save path to initialize itself. If configuration files do not exist in the default save path, the router uses default initialization parameters.
Identifying Method:
• Run the display startup command to view the configuration files for the current startup and next startup on the router.
• Run the display saved-configuration command to view the configuration file for the next startup on the router.

Concept: Current configurations
Current configurations indicate the configurations in effect on the router when it is actually running.
Identifying Method: Run the display current-configuration command to view current configurations on the router.
You can use the command line interface to modify current router configurations. Use the save
command to save modified configurations to the next startup configuration file on the storage
device. This configuration file will be used to initialize the router the next time the router is
powered on.
7.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the
router.
7.2.1 Before You Start
Before managing configuration files, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.
Applicable Environment
Configuration files can be saved, cleared, and compared. Configuration file management is
required to upgrade the router, take preventive measures, repair configuration files, and view
configurations after the router starts.
Pre-configuration Tasks
Before managing configuration files, install and power on the router.
Data Preparation
To manage configuration files, you need the following data.
No.   Data
1     Configuration file and its name
2     Configuration file saving interval and delay interval
3     Number of the start line from which the comparison of the configuration files begins
7.2.2 Saving Configuration Files
The configurations completed by using command lines are valid only for the current operation
on the router. To allow the configurations to be valid for the next startup, you need to save the
current configurations to the next startup configuration file before restarting the router.
Context
You can save configuration files on demand or set the system to save configuration files at regular
intervals. This prevents data loss if the router restarts without warning or when it is powered off.
Run one of the following commands to save configuration files.
Procedure
- Run:

  NOTICE
  When the automatic saving function is enabled and the LPU is not correctly installed,
  corresponding configurations may be lost.

  1. system-view
     The system view is displayed.
  2. set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *
     The configuration file is saved at intervals.
     After you specify the parameter interval interval, the system saves the current
     configuration if the configuration has changed; if the configuration has not changed,
     the system does not save the current configuration.
     – If you do not run the set save-configuration command, the system does not
       automatically save configurations.
     – If you run the set save-configuration command without specifying interval, the
       system automatically saves configurations at an interval of 30 minutes.
     When you configure the automatic saving function, to prevent that function from
     affecting system performance, you can set the upper limit of the CPU usage for the
     system during automatic saving. When automatic saving is triggered by the expiry of
     the timer, the CPU usage is checked. If the CPU usage is higher than the set upper
     limit, automatic saving will be canceled.
     After you specify delay delay-interval, if the configuration is changed, the device
     automatically saves the configuration after the specified delay.
     After you configure the configurations to be automatically saved, the system
     automatically saves the changed configurations to the configuration file for the next
     startup. Then, the configuration files change according to the saved configurations.
     Before you configure the configurations to be automatically saved on the server, you
     need to run one of the following commands to configure the server, including the IP
     address, username, password of the server, destination path, and mode of transporting
     the configuration file to the server:
       set save-configuration backup-to-server server server-ip [ vpn-instance vpn-instance-name ] transport-type { ftp | sftp } user user-name password password [ path folder ]
       set save-configuration backup-to-server server server-ip [ vpn-instance vpn-instance-name ] transport-type tftp [ path folder ]
     NOTE
     If you use TFTP, run the tftp client-source command to configure a loopback interface address as
     a client source IP address on the router, thereby improving security.
- Run:
  save [ all ] [ configuration-file ]
  The current configurations are saved.
  The extension of the configuration file must be .cfg or .zip. The system startup configuration
  file must be saved in the root directory of a storage device.
  *.cfg files are stored in ASCII format, and *.zip files are stored in zip format.
  You can modify the current configuration through the CLI. To set the current configuration
  as initial configuration when the router starts next time, you can use the save command to
  save the current configuration in the cfcard memory.
  You can use the save all command to save all the current configurations, including the
  configurations of the boards that have not been inserted, to the next startup configuration
  file.
  NOTE
  When you save the configuration file for the first time, if you do not specify the optional parameter
  configuration-file, the router asks you whether you want to save the file as "vrpcfg.zip". "vrpcfg.zip"
  is the default configuration file which initially contains no configuration.
NOTICE
The save and save config-filename commands have different functions. Note the following
when using them.
- The save command saves the current configuration to the configuration file for the next
  startup on the storage device. You can use the display startup command to view
  information about the configuration file for the next startup. By default, the
  configuration file of the next startup is cfcard:/vrpcfg.zip.
- The save config-filename command backs up the current configuration to the file
  specified by config-filename on the storage device. The command execution does not
  affect the current startup configuration file. If config-filename specifies the same file
  name and storage path as the configuration file for the next startup,
  the save config-filename command functions the same as the save command.
- If you have run the save config-filename command to back up the current configuration
  and still want to deliver the new configuration, you must run the save config-filename
  command again to back up the new configuration to the configuration file. This ensures
  that the new configuration is restored after the device restarts.
----End
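The automatic-saving options above can be reviewed in a saved configuration file. The following is an added example, not Huawei code: it assumes the commands appear in the file in the syntax this section gives, the function names are hypothetical, and the configuration lines (including the 192.0.2.x addresses) are constructed. It applies the 30-minute default and flags backups over FTP or TFTP, which do not encrypt the transfer, and TFTP backups without the tftp client-source setting from the NOTE.

```python
"""Audit 'set save-configuration' commands found in a saved configuration file."""

CLEARTEXT = {"ftp", "tftp"}      # no transport encryption; sftp runs over SSH
DEFAULT_INTERVAL_MIN = 30        # applied when 'interval' is omitted (see above)


def parse_autosave(line):
    """Parse 'set save-configuration [interval N | cpu-limit N | delay N]*'."""
    tok = line.split()
    if tok[:2] != ["set", "save-configuration"] or tok[2:3] == ["backup-to-server"]:
        return None
    opts = {"interval": DEFAULT_INTERVAL_MIN, "cpu-limit": None, "delay": None}
    for key, val in zip(tok[2::2], tok[3::2]):
        if key in opts and val.isdigit():
            opts[key] = int(val)
    return opts


def parse_backup(line):
    """Parse 'set save-configuration backup-to-server ...' into a dict."""
    tok = line.split()
    if tok[:3] != ["set", "save-configuration", "backup-to-server"]:
        return None
    names = {"server": "server", "vpn-instance": "vpn_instance",
             "transport-type": "transport", "user": "user", "path": "path"}
    out = dict.fromkeys(names.values())
    out["has_password"] = False
    i = 3
    while i + 1 < len(tok):
        key = tok[i]
        if key == "password":
            out["has_password"] = True       # the value itself is never kept
        elif key in names:
            out[names[key]] = tok[i + 1]
        else:
            i += 1                           # unknown token: skip it
            continue
        i += 2
    return out


def audit(config_text):
    """Return a list of findings for one configuration file."""
    findings, autosave, backups, tftp_source = [], None, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("tftp client-source"):
            tftp_source = True
        backup = parse_backup(line)
        if backup:
            backups.append(backup)
            continue
        autosave = parse_autosave(line) or autosave
    if autosave is None:
        findings.append("autosave off: unsaved changes are lost at an unplanned restart")
    for b in backups:
        if b["transport"] in CLEARTEXT:
            findings.append("backup to %s over %s is unencrypted; use transport-type sftp"
                            % (b["server"], b["transport"]))
        if b["transport"] == "ftp" and b["has_password"]:
            findings.append("FTP password for user %s crosses the network in cleartext"
                            % b["user"])
        if b["transport"] == "tftp" and not tftp_source:
            findings.append("tftp backup without 'tftp client-source' (loopback source)")
    return findings


# Constructed sample lines; the password value is a placeholder.
SAMPLE = "\r\n".join([
    "#",
    "sysname HUAWEI",
    "#",
    "set save-configuration interval 60 cpu-limit 50",
    "set save-configuration backup-to-server server 192.0.2.10 "
    "transport-type ftp user backup password EXAMPLE-ONLY path /cfg",
    "#",
    "return",
    "",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```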
7.2.3 Clearing a Configuration File
This section describes how to clear the content of the configuration file that has been loaded to
a device, how to delete configurations on an interface to restore the default configurations, and
how to delete the inactive configurations on the boards that have not been installed.
Context
The configuration file stored in the cfcard memory needs to be cleared in the following cases:
- The system software does not match the configuration file after the router has been
  upgraded.
- The configuration file is damaged or an incorrect configuration file has been loaded.
Perform the following operations to clear the content of a configuration file:
Procedure
- Clear the currently loaded configuration file.
  Run the reset saved-configuration command to clear the currently loaded configuration
  file.
  – If the configuration file used for the current startup of the router is the same as the file
    to be used for the next startup, running the reset saved-configuration command clears
    both files. The router will use the default configuration file for the next startup.
  – If the configuration file used for the current startup of the router is different from the
    file to be used for the next startup, running the reset saved-configuration command
    clears the configuration file used for the current startup.
  – If you run the reset saved-configuration command and the configuration file used for
    the current startup of the router is empty, the system states that the configuration file
    does not exist.
  NOTICE
  - Exercise caution when running this command. If necessary, do so under the guidance
    of Huawei technical support personnel.
  - After the contents of a configuration file are cleared, the empty configuration file with
    the original file name remains.
  - After the configuration file is cleared, if you do not run the startup saved-configuration
    configuration-file command to specify a new configuration file or the
    save command to save the configuration file, the router will use the default configuration
    file at the next startup.
- Clear the inactive configurations of the boards that have not been installed.
  1. Run the system-view command to enter the system view.
  2. Run the clear inactive-configuration slot command to clear the inactive
     configurations of the boards that are not installed in slots.
----End
7.2.4 Comparing Configuration Files
You can determine whether the current configuration file or another file specified on the
router will be used for the next startup by comparing them.
Context
You can compare the current configuration file to the file specified for the next startup to
determine which one to specify for the next startup.
Procedure
- Run:
  compare configuration [ configuration-file ] [ current-line-number save-line-number ]
  The current configuration is compared with the configuration file for next startup.
  – If no parameter is specified, the system checks, starting from the first line, whether the
    current configurations are identical to the next startup configuration file.
  – If configuration-file is configured, the system checks whether the current configuration
    file is the same as the specified configuration file.
  – If no parameter is set, the comparison begins with the first lines of the configuration
    files. If values for current-line-number and save-line-number are set, the comparison
    continues from those lines, ignoring the differences between the configuration files
    before them.
  The system begins to display the content of the current and saved configuration file from
  the first line that is different between the two files. Beginning with this line, 150 characters
  are displayed by default for each of the files. If fewer than 150 characters remain after the
  first line with a difference, all remaining file content is displayed.
  NOTE
  When trying to compare configuration files, if the configuration file for next startup is unavailable
  or its content is empty, the system cannot read the file.
----End
7.2.5 Checking the Configuration
After managing configuration files, you can view the current configuration files and files in the
storage device.
Prerequisites
The configurations for managing configuration files are complete.
Procedure
- Run the display current-configuration [ configuration [ configuration-type
  [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
  [ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
  current-configuration [ all | inactive ] command to check current configurations.
- Run the display startup command to check files for startup.
- Run the dir [ /all ] [ filename ] command to check files saved in the storage device.
- Run the display saved-configuration configuration command to view configurations of
  the autosave function, including the status of the autosave function, time for autosave check,
  threshold for the CPU usage, and period during which configurations remain unchanged
  (when the period expires, configurations are automatically saved).
- Run the display changed-configuration time command to check the time of the last
  configuration change.
----End
Example
Run the display startup command to check files for startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
7.3 Specifying a File for System Startup
You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the router.
7.3.1 Before You Start
Before specifying a file for system startup, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.
Applicable Environment
To enable the router to provide user-defined configurations during the next startup, you need to
correctly specify the system software and configuration file for the next startup.
Pre-configuration Tasks
Before specifying a file for system startup, install the router and power it on.
Data Preparation
To specify a file for system startup, you need the following data.
No.   Data
1     System software and its file name on the NE80E/40E
2     Configuration file and its file name on the device
7.3.2 Configuring System Software for the Router to Load at the Next Startup
If you need to upgrade a router's system software, you can specify the router system software to
be loaded at the next startup.
Context
The system will continue to load the current system software at each startup until different system
software is specified for the next system startup. To change system software for the next startup,
you need to specify the system software you require.
The filename extension of the system software must be .cc and the file must be stored in the root
directory of a storage device.
Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The system software to be loaded at the next startup of the router is configured.
Specify system-file to select, for the next startup, system software that is saved on
the device.
You must set the same names for the next-startup system software on the master and slave main
control boards. Otherwise, the system cannot be restarted. The file names of system software on
the master and slave main control board are case insensitive. All entered letters are saved as
lower-case letters.
slave-board is valid only on the router with dual main control boards.
----End
7.3.3 Configuring the Configuration File for the Router to Load at the Next Startup
Before restarting a router, you can specify which configuration files will be loaded at the next
startup.
Context
Run the display startup command on the router to check whether a specific configuration file
is set to be loaded at the next startup. If a specific configuration file is not specified, the default
configuration file will be loaded at the next startup.
The filename extension of the configuration file must be .cfg or .zip, and the file must be stored
in the root directory of a storage device.
When the router is powered on, by default, it reads the configuration file from the cfcard memory
to initialize itself. The data in this configuration file is the initial configuration. If no
configuration file is saved in the cfcard memory, the router uses default parameters for
initialization.
Procedure
- Run:
  startup saved-configuration configuration-file
  A configuration file is saved for the router to load at the next startup.
  The system allows you to set different names for the configuration files on the master and
  slave main control boards, but the system requires your confirmation. After your
  confirmation, the system can be restarted.
----End
7.3.4 Checking the Configuration
After specifying a configuration file for system startup, you can check the content of the
configuration file and information about the files to be used at the router's next startup.
Prerequisites
A configuration file has been specified for system startup.
Procedure
- Run the display current-configuration [ configuration [ configuration-type
  [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
  [ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to
  check current configurations.
- Run the display saved-configuration [ last | time | configuration ] command to check the
  contents of the configuration file to be loaded at the next startup.
- Run the display startup command to check information about the files to be used at next
  startup.
----End
Example
Run the display startup command to check information about the files to be used at the next
startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
7.4 Configuration Examples
The example in this section shows how to configure system startup. The example explains the
networking requirements, and provides a configuration roadmap and configuration notes.
7.4.1 Example for Configuring System Startup
This example shows how to configure system startup. In the example, a configuration file is
saved and the system software and configuration file to be loaded at the next startup are specified
so that the router can start appropriately.
Networking Requirements
The router is installed with double main control boards. After the router is configured, new
configurations take effect after the system restarts.
Configuration Roadmap
The configuration roadmap is as follows:
1. Save the current configuration.
2. Specify the configuration file to be loaded at the next startup of the router.
3. Specify the system software to be loaded at the next startup of the router.
Data Preparation
To complete the configuration, you need the following data:
- Name of the configuration file
- File name of the system software
Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
Step 2 Save the current configuration to the specified file.
<HUAWEI> save vrpcfg.cfg
The system prompts you whether to save the current configuration to the file named vrpcfg.cfg
on the master and slave main control boards. Enter y at the prompt to save the configuration.
Step 3 Specify the configuration file to be loaded at the router's next startup.
<HUAWEI> startup saved-configuration vrpcfg.cfg
Step 4 Specify the system software to be loaded at the router's next startup.
Specify the system software to be loaded at the next startup of the master main control board.
<HUAWEI> startup system-software V600R008C10.cc
Specify the system software to be loaded at the slave main control board's next startup.
<HUAWEI> startup system-software V600R008C10.cc slave-board
NOTE
- The slave main control board automatically synchronizes with the master main control board after the
  configuration file to be loaded during the next startup is specified for the master main control board.
- Ensure that the system software to be loaded during the next startup of the router is saved on the master
  and slave main control boards of the router. Configure the system software to be loaded during the next
  startup of the master and slave main control boards respectively.
Step 5 Verify the configuration.
After the configuration is complete, run the following command to check which configuration
file and system software will be loaded at the router's next startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
----End
Configuration Files
None.
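The display startup output from Step 5 can be checked by script, so that a change to what the router loads at its next startup is noticed before the restart. The following is an added example, not Huawei code: the function names are hypothetical, the sample is the Step 5 output laid out one "label: value" pair per line, and treating every "Name:" line without a value as a board heading is an assumption.

```python
"""Report differences between current and next-startup files in 'display startup'."""
import re

BOARD = re.compile(r"^\s*(\S+):\s*$")              # e.g. "MainBoard:"
FIELD = re.compile(r"^\s*(.+?):\s+(\S.*?)\s*$")    # "label:   value"


def parse_display_startup(text):
    """Return {board: {label: value}} from captured command output."""
    boards, current = {}, None
    for line in text.splitlines():
        m = BOARD.match(line)
        if m:
            current = boards.setdefault(m.group(1), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return boards


def pending_changes(boards):
    """List (board, item, current, next) where the next startup uses a different file."""
    changes = []
    for board, fields in boards.items():
        for label, nxt in fields.items():
            if not label.startswith("Next startup "):
                continue
            item = label[len("Next startup "):]
            cur = fields.get("Startup " + item)
            if cur is not None and cur != nxt:
                changes.append((board, item, cur, nxt))
    return changes


def software_mismatch(boards):
    """Return {board: file name} if boards disagree on next-startup system software.

    Names are compared without the device prefix and case-insensitively, because
    the guide states that system software file names are case insensitive.
    """
    names = {board: fields.get("Next startup system software", "")
                          .rsplit("/", 1)[-1].lower()
             for board, fields in boards.items()}
    return names if len(set(names.values())) > 1 else {}


STEP5_OUTPUT = """\
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                   cfcard:/V600R008C10.cc
  Next startup system software:              cfcard:/V600R008C10.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
"""

if __name__ == "__main__":
    parsed = parse_display_startup(STEP5_OUTPUT)
    for change in pending_changes(parsed):
        print("%s: %s changes from %s to %s at next startup" % change)
    print(software_mismatch(parsed) or "next-startup system software is consistent")
```

A change that nobody planned, especially to the next-startup configuration file or system software, is worth investigating before the router is restarted.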
8 Accessing Another Device
About This Chapter
To manage configurations or operate files on another device, you can use Telnet, STelnet, TFTP,
FTP, or SFTP to access the device from the device that you have logged in to.
8.1 Accessing Another Device
To manage configurations or use files on a device other than the device to which you are logged
in, you can use Telnet, FTP, TFTP, or SSH to access that device.
8.2 Using Telnet to Log In to Other Devices
On most networks, multiple routers need to be managed and maintained, but it may be impossible
to connect some of these routers to a PC terminal. In other cases, there may be no reachable
route between a router and a PC terminal. You can log in to a local router and then use Telnet
to log in to remote routers to complete management and maintenance tasks.
8.3 Using Telnet Redirection to Connect to Another Device
If the client is not connected to the remote device on an IP network, you can use the Telnet
redirection function to manage the remote device from the router to which you are logged in.
8.4 Using STelnet to Log In to Another Device
STelnet provides secure Telnet services. You can use STelnet to log in to another router and
manage the device remotely.
8.5 Using TFTP to Access Files on Another Device
You can configure the router as a TFTP client and log in to the TFTP server to upload and
download files.
8.6 Using FTP to Access Files on Another Device
This section describes how to configure a router as an FTP client to log in to an FTP server and
how to upload files to or download files from this server.
8.7 Using SFTP to Access Files on Another Device
SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.
8.8 Configuration Examples
This section provides examples for accessing another device. These examples explain the
networking requirements, configuration notes, and configuration roadmap.
8.1 Accessing Another Device
To manage configurations or use files on a device other than the device to which you are logged
in, you can use Telnet, FTP, TFTP, or SSH to access that device.
Figure 8-1 Networking diagram for accessing another device from the router
(Figure not reproduced; labels: PC, Client, Network, Server.)
As shown in Figure 8-1, when you run a terminal emulation or Telnet program on a PC to
connect to the router, the router can still function as a client to access another device on the
network. There are several ways to accomplish this.
8.1.1 Telnet Method
To configure and manage a remote device on the network, you can use the router that you have
logged in to as a client to log in to that device, or you can use a redirection terminal service on
the router to log in to that device.
Telnet is an application layer protocol in the TCP/IP protocol suite that provides remote login
and virtual terminal services.
The NE80E/40E provides the following Telnet services:
- Telnet server: You can run the Telnet client program on a PC to log in to a router to complete
  configuration and management tasks. The router acts as a Telnet server.
- Telnet client: You can run the terminal emulation program or Telnet client program on a
  PC to connect to the router. You can then run the telnet command to log in to other
  routers to configure and manage them. As shown in Figure 8-2, Router A serves as both a
  Telnet server and a Telnet client.
  Figure 8-2 Telnet client services
  (Figure not reproduced; labels: PC, Telnet Session 1, RouterA, Telnet Session 2, RouterB, Telnet Server.)
- Redirection terminal services: You can run the Telnet client program on a PC to log in to
  the router through a specified port number. Then connect to serial interface devices that
  are connected through the asynchronous interface of the router, as shown in Figure 8-3.
  This scenario is typically used to connect an asynchronous router interface with multiple
  remote devices to complete configuration and maintenance tasks.
  Figure 8-3 Telnet redirection services
  (Figure not reproduced; labels: PC, Ethernet, Router, Async0, Async1, Async2, Async3, Router1, Router2, Modem, Switch.)
  NOTE
  Only devices that provide asynchronous interfaces support the Telnet redirection service.
- Interruption of Telnet services
  Two shortcut key combinations can terminate a Telnet connection.
  As shown in Figure 8-4, Router A logs in to Router B through Telnet, and Router B logs
  in to Router C through Telnet. Thus, a cascade network is formed. In this case, Router A
  is the client of Router B and Router B is the client of Router C. Figure 8-4 illustrates the
  usage of shortcut keys.
  Figure 8-4 Usage of Telnet shortcut keys
  (Figure not reproduced; labels: Telnet Client, Telnet Session 1, Telnet Session 2, Telnet Server, RouterA, RouterB, RouterC.)
Ctrl_]: The server interrupts the connection.
If the network connection is normal and you press Ctrl_], the Telnet server terminates the
current Telnet connection. For example:
<RouterC>
Press Ctrl_] to return to the Router B prompt.
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
Info: The connection was closed by the remote host.
<RouterB>
Press Ctrl_] to return to the Router A prompt.
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
Info: The connection was closed by the remote host.
<RouterA>
NOTE
If a router becomes disconnected from the network, these shortcut keys are invalid. Instructions
cannot be sent to the server.
Ctrl_T: The client interrupts the connection.
If the server fails and the client is unaware of this failure, the client continues to transmit
data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet
connection.
For example:
<RouterC>
Press Ctrl_T to terminate and quit a Telnet connection.
<RouterA>
NOTICE
If remote login users are using the maximum number of VTY user interfaces allowed, the
system states that all user interfaces are in use and does not allow additional Telnet logins.
8.1.2 FTP Method
To access files on a remote FTP server, you can use FTP to establish a connection between the
router to which you are logged in and the remote FTP server.
FTP can transmit files between hosts and provide users with common FTP commands for file
system management. That is, you can use an FTP client program that does not reside on the
router to upload or download files and access directories on the router, and you can use an FTP
client program that resides on the router to transfer files to the FTP servers of other devices.
FTP can transmit files between local and remote hosts. It is widely used for upgrading versions,
downloading logs, transmitting files, and saving configurations.
8.1.3 TFTP Method
If network client/server interaction requirements are relatively simple, you can enable the TFTP
service on the router that functions as a TFTP client to access files on a TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Unlike FTP, TFTP does not have a complex interactive access interface or authentication control.
TFTP is used in environments where there is no complex interaction between the client and the
server. For example, TFTP is used to obtain a memory image of the system when the system
starts up.
Implementation of TFTP is based on the User Datagram Protocol (UDP).
The client initiates a TFTP transfer. To download files, the client sends a read request packet to
the TFTP server, receives packets from the server, and returns an acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives an acknowledgement from the server.
TFTP uses two formats for file transfer:
• Binary format: transfers program files.
• ASCII format: transfers text files.
The NE80E/40E can only serve as a TFTP client and can only transfer files in binary format.
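The read exchange described above, run in memory as an added example (not code from this guide): it builds the RFC 1350 packets for a binary ("octet") download and steps client and server in lockstep. The request layout has no credential field, which is the missing authentication control this section mentions; `MemoryServer`, `download` and the sample file are constructed for illustration.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # RFC 1350 opcodes
BLOCK_SIZE = 512                              # a shorter DATA payload ends the transfer


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ layout: opcode | filename | 0 | mode | 0. There is no credential field."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload   # block numbers are 16-bit


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\0"


def parse(packet):
    """Decode one TFTP packet into a dict; raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode, second = struct.unpack("!HH", packet[:4])
    if opcode in (RRQ, WRQ):
        fields = packet[2:].split(b"\0")
        if len(fields) < 3 or not fields[0] or not fields[1]:
            raise ValueError("malformed request")
        return {"op": opcode, "filename": fields[0].decode("ascii"),
                "mode": fields[1].decode("ascii").lower()}
    if opcode == DATA and len(packet) - 4 <= BLOCK_SIZE:
        return {"op": DATA, "block": second, "payload": packet[4:]}
    if opcode == ACK and len(packet) == 4:
        return {"op": ACK, "block": second}
    if opcode == ERROR:
        return {"op": ERROR, "code": second,
                "message": packet[4:].rstrip(b"\0").decode("ascii")}
    raise ValueError("unsupported or malformed packet")


class MemoryServer:
    """Constructed in-memory stand-in for a TFTP server; serves octet-mode reads only."""

    def __init__(self, files):
        self.files = files
        self.content = None

    def handle(self, packet):
        msg = parse(packet)
        if msg["op"] == RRQ:
            if msg["mode"] != "octet":
                return build_error(0, "only octet mode in this sketch")
            if msg["filename"] not in self.files:
                return build_error(1, "File not found")
            self.content = self.files[msg["filename"]]
            return self._data(1)
        if msg["op"] == ACK and self.content is not None:
            return self._data(msg["block"] + 1)
        return build_error(4, "Illegal TFTP operation")

    def _data(self, block):
        start = (block - 1) * BLOCK_SIZE
        if start > len(self.content):
            return None   # the short final block was acknowledged: transfer complete
        return build_data(block, self.content[start:start + BLOCK_SIZE])


def download(server, filename):
    """Client side of a read: RRQ, then one ACK per DATA block until a short block."""
    transcript, received, expected, done = [], bytearray(), 1, False
    outgoing = build_request(RRQ, filename)   # "octet" is the guide's binary format
    while True:
        transcript.append(("client", parse(outgoing)))
        reply = server.handle(outgoing)
        if done:
            break                              # the final ACK has been sent
        if reply is None:
            raise ValueError("server stopped before the final block")
        msg = parse(reply)
        transcript.append(("server", msg))
        if msg["op"] == ERROR:
            raise IOError(f"server error {msg['code']}: {msg['message']}")
        if msg["op"] != DATA or msg["block"] != expected:
            raise ValueError("unexpected packet in lockstep exchange")
        received += msg["payload"]
        outgoing = build_ack(expected)
        done = len(msg["payload"]) < BLOCK_SIZE
        expected += 1
    return bytes(received), transcript


if __name__ == "__main__":
    sample = {"sample.cfg": bytes(range(256)) * 5 + b"x" * 20}   # constructed, 1300 bytes
    data, log = download(MemoryServer(sample), "sample.cfg")
    for sender, msg in log:
        summary = {k: (len(v) if k == "payload" else v) for k, v in msg.items()}
        print(sender, summary)
```
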
8.1.4 SSH Method
Logging in to a remote device using SSH (including STelnet, SFTP) provides secure
communications between the remote device and the router to which you are logged in.
SSH Overview
When users on an insecure network use Telnet to log in to the router, the Secure Shell (SSH)
feature provides authentication and keeps data secure. SSH defends the router from IP address
spoofing and other such attacks, and protects the router against the interception of plain text
passwords.
The SSH client function enables users to establish SSH connections with routers that serve as
SSH servers or with UNIX hosts.
SSH Client Function
The NE80E/40E supports the STelnet client function and SFTP client function.
• STelnet client (Secure Telnet)
Telnet does not provide secure authentication and TCP transmits data in plain text, which
creates security vulnerabilities. Denial of service (DoS) attacks, host IP address spoofing,
and route spoofing also threaten system security. Therefore, Telnet services are vulnerable
to network attacks.
SSH implements secure remote access on insecure networks and has the following
advantages compared with Telnet:
– SSH supports Rivest-Shamir-Adleman (RSA) authentication and Digital Signature
Algorithm (DSA) authentication. SSH uses RSA authentication or DSA authentication
to generate and exchange public and private keys compliant with an asymmetric
encryption system that protects session security.
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to
log in to the SSH server.
– SSH supports Data Encryption Standard (DES), 3DES, RC4, and Advanced Encryption
Standard (AES) authentications.
NOTE
To improve security, it is recommended that you use the more secure AES as the authentication
algorithm for remote access.
– SSH usernames and passwords are encrypted in the communication between an SSH
client and server, which prevents password interception.
– SSH encrypts transmitted data.
If the STelnet server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at configured time intervals. If a configured number of keepalive packets receives no reply
from the server, the client determines that there is a fault and releases the connection.
• SFTP client
SFTP is short for Secure FTP. You can log in to a device from a secure remote end to
manage files, which improves data transmission security when the remote system is
updated. The client function enables you to use SFTP to log in to the remote device for
secure file transmission.
If the SFTP server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at configured time intervals. If a configured number of keepalive packets receives no reply
from the server, the client determines that there is a fault and releases the connection.
8.2 Using Telnet to Log In to Other Devices
On most networks, multiple routers need to be managed and maintained, but it may be impossible
to connect some of these routers to a PC terminal. In other cases, there may be no reachable
route between a router and a PC terminal. You can log in to a local router and then use Telnet
to log in to remote routers to complete management and maintenance tasks.
The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.
8.2.1 Before You Start
Before configuring logins to another device from the device to which you are logged in,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain any data required for the configuration. This will help you complete the configuration
task quickly and correctly.
Applicable Environment
Figure 8-5 Networking diagram for accessing another device to which you are logged in
[Figure labels: PC, Network, RouterA, Network, RouterB]
As shown in Figure 8-5, you can use Telnet to log in to Router A from a PC. You cannot,
however, manage Router B remotely, because there is no reachable route between the PC and
Router B. To manage Router B remotely, you must use Telnet and log in from Router A.
In this situation, Router A functions as a Telnet client and Router B functions as a server.
Pre-configuration Tasks
Before using Telnet to log in to another device on the network, complete the following tasks:
• Log in to devices using Telnet.
• Configure a reachable route between the client and Telnet server.
Data Preparation
To use Telnet to log in to another device, you need the following data:
No.  Data
1    IP address or host name of RouterB
2    Number of the TCP port RouterB uses to provide Telnet services
8.2.2 (Optional) Configuring a Source IP Address for a Telnet Client
You can configure a source IP address for a Telnet client and then use this address to set up a
Telnet connection from the client to the server along a specific route.
Context
An IP address is configured for an interface on the router and functions as the source IP address
of a Telnet connection. This configuration enables security checks.
The source of a client can be a source interface or a source IP address.
Do as follows on a router that functions as a Telnet client.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a Telnet client is configured.
After the configuration, the source IP address of the Telnet client displayed on the Telnet server
must be the same as the configured IP address.
----End
8.2.3 Using Telnet to Log In to Another Device
You can use Telnet to log in to and manage another router.
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.
Do as follows on the router that serves as a Telnet client:
Procedure
• Select and perform one of the following steps for IPv4 or IPv6.
– Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i
interface-type interface-number ] host-name [ port-number ]
Log in to the router and manage other routers.
– Run:
telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ]
host-name [ -oi interface-type interface-number ] [ port-number ]
Log in to the router and manage other routers.
----End
8.2.4 Checking the Configuration
When you use a router to log in to another router, you can check information about the established
TCP connection.
Prerequisites
All configurations for logging in to another device are complete.
Procedure
• Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
39952df8  36 /1509  0.0.0.0:0           0.0.0.0:0           0      Closed
32af9074  59 /1     0.0.0.0:21          0.0.0.0:0           14849  Listening
34042c80  73 /17    10.164.39.99:23     10.164.6.13:1147    0      Established
8.3 Using Telnet Redirection to Connect to Another Device
If the client is not connected to the remote device on an IP network, you can use the Telnet
redirection function to manage the remote device from the router to which you are logged in.
The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.
8.3.1 Before You Start
Before configuring Telnet redirection of the client login to another device,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain any data required for the configuration. This will help you complete the configuration
task quickly and correctly.
Applicable Environment
If a remote device, such as a new device on the network, needs to be managed and maintained
but is not connected with the terminal PC on the IP network, you can use the Telnet redirection
function to log in to the remote device.
The remote device can be a device that supports serial interfaces, such as a router, a switch, or
a modem.
Figure 8-6 Schematic diagram of using Telnet to redirect the client login to another device
[Figure labels: Session, Network, PC, Aux, Console, RouterA, RouterB]
As shown in Figure 8-6, remote Router B is not connected with the client over the IP network.
If Router B needs to be managed remotely, you can use the Telnet redirection function of
Router A. That is, connect the asynchronous serial interface of Router A to the serial interface
of Router B. This allows you to run the Telnet client program on the PC to log in to Router B
through a specified interface, and therefore, to manage and maintain the device remotely.
Router B in Figure 8-6 has been configured with serial interfaces. Router A is directly connected
with Router B.
Pre-configuration Tasks
Before using Telnet to redirect the client to another device, complete the following tasks:
• Use Telnet to log in to devices.
• Configure a reachable route between the client and Telnet server.
Data Preparation
To use the Telnet redirection function to log in to another device, you need the following data:
No.  Data
1    Router A IP address
8.3.2 Enabling Telnet Redirection
After the redirection function is enabled on the router that functions as a Telnet client, you can
log in to a remote device from a specified client interface to manage and maintain the remote
device.
Context
The Telnet redirection function is supported by the products whose AUX ports or True Type
Terminal (TTY) interfaces can be configured with this function.
Perform the following steps on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface aux 0
The AUX0 user interface is displayed.
Step 3 Run:
undo shell
Terminal services are disabled on the AUX0 user interface.
Step 4 Run:
redirect
The Telnet redirection function is enabled on the AUX0 user interface.
NOTE
• After the Telnet redirection function is enabled, the interface number used for redirection will be
assigned. AUX0 is numbered 33, and the interface number is therefore 2033.
• You can log in to the Telnet client and use the specified interface to log in to the remote device that
needs to be managed and maintained.
----End
8.3.3 Using Telnet Redirection to Connect to Another Device
You can use the Telnet redirection function to log in to a remote device from the router that
functions as a Telnet client to perform management tasks.
Context
Users attempt to log in to another device by using a specified client interface.
Perform the following step on the client:
Procedure
• Run:
telnet host-name port-number
You have logged in to the remote device.
The host-name parameter specifies the IP address or host name of the router that has enabled
the redirection function.
----End
8.3.4 Checking the Configuration
After using Telnet to log in to another device remotely, you can check status information about
the current TCP connection.
Prerequisites
The configurations for using the Telnet redirection function to log in to another device are
complete.
Context
• Run the display tcp status command to check status information about the established TCP
connection.
Example
Run the display tcp status command to view status information about the established TCP
connection.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
348d3c50  6 /1      0.0.0.0:21          0.0.0.0:0           23553  Listening
3b558554  128/1     0.0.0.0:23          0.0.0.0:0           23553  Listening
31cf1978  128/4     0.0.0.0:2033        0.0.0.0:0           23553  Listening
31cf1bb0  128/6     0.0.0.0:4033        0.0.0.0:0           23553  Listening
11a22ad8  128/3     10.137.217.225:23   10.138.77.38:3670   0      Established
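One way to turn this check into an audit, as an added example that is not part of the guide: the script parses display tcp status rows and reports listeners and sessions on the cleartext services the guide warns about (FTP, Telnet, and the AUX0 redirection port 2033 from the NOTE in 8.3.2). SAMPLE reproduces the rows of the example output in this section; the function names and the finding format are assumptions of this sketch.

```python
import re

# One row: TCPCB, Tid/Soid (may contain a space), local addr:port, foreign addr:port, VPNID, state
ROW = re.compile(
    r"^(?P<tcpcb>[0-9a-f]{8})\s+(?P<tid>\d+)\s*/(?P<soid>\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+"
    r"(?P<vpnid>\d+)\s+(?P<state>\w+)$")

# Ports the guide associates with cleartext management access
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 2033: "Telnet redirection (AUX0)"}

SAMPLE = """\
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
348d3c50  6 /1      0.0.0.0:21          0.0.0.0:0           23553  Listening
3b558554  128/1     0.0.0.0:23          0.0.0.0:0           23553  Listening
31cf1978  128/4     0.0.0.0:2033        0.0.0.0:0           23553  Listening
31cf1bb0  128/6     0.0.0.0:4033        0.0.0.0:0           23553  Listening
11a22ad8  128/3     10.137.217.225:23   10.138.77.38:3670   0      Established
"""


def parse_tcp_status(text):
    """Return one dict per connection row; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            row = match.groupdict()
            for key in ("tid", "soid", "lport", "fport", "vpnid"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def cleartext_findings(rows):
    """Return (service, kind, local endpoint, peer endpoint or None) for cleartext services."""
    findings = []
    for row in rows:
        local = f"{row['laddr']}:{row['lport']}"
        peer = f"{row['faddr']}:{row['fport']}"
        if row["state"] == "Listening" and row["lport"] in CLEARTEXT_PORTS:
            findings.append((CLEARTEXT_PORTS[row["lport"]], "listener", local, None))
        elif row["state"] == "Established":
            if row["lport"] in CLEARTEXT_PORTS:
                # Someone is logged in to this router over a cleartext service
                findings.append((CLEARTEXT_PORTS[row["lport"]], "inbound session", local, peer))
            elif row["fport"] in (21, 23):
                # This router is acting as the FTP or Telnet client
                findings.append((CLEARTEXT_PORTS[row["fport"]], "outbound session", local, peer))
    return findings


if __name__ == "__main__":
    for finding in cleartext_findings(parse_tcp_status(SAMPLE)):
        print(finding)
```
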
8.4 Using STelnet to Log In to Another Device
STelnet provides secure Telnet services. You can use STelnet to log in to another router and
manage the device remotely.
8.4.1 Before You Start
Before you use STelnet to configure login to another device, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain any data required for
the configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device to which you have logged in functions as a Telnet client, and
the device to which you want to log in functions as an SSH server.
Pre-configuration Tasks
Before you use STelnet to log in to another device, complete the following tasks:
• Use STelnet to log in to devices.
• Configure a reachable route between the client and SSH server.
Data Preparation
To use STelnet to log in to another device, you need the following data.
No.  Data
1    Name of the SSH server and public key that is assigned by the client to the SSH server
2    IPv4 or IPv6 address or host name of the SSH server, number of the port monitored
     by the SSH server, preferred encryption algorithm for data from the SFTP client to
     the SSH server, preferred encryption algorithm for data from the SSH server to the
     SFTP client, preferred Hashed message authentication code (HMAC) algorithm for
     data from the SFTP client to the SSH server, preferred HMAC algorithm for data from
     the SSH server to the SFTP client, preferred algorithm of key exchange, and
     user information for logging in to the SSH server
8.4.2 Enabling First-Time Authentication on the SSH Client
After first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm
(DSA) public key when it logs in to the SSH server for the first time.
Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA or DSA public key when it logs in to the SSH server for the first time. After
the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at the next login.
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to
the SSH server.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh client first-time enable
First-time authentication on the SSH client is enabled.
By default, first-time authentication on the SSH client is disabled.
NOTE
• The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
• If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the RSA or DSA public key validity check and cannot
log in to the server.
NOTE
To ensure that an STelnet client can log in to an SSH server on the first attempt, you can assign an RSA
or DSA public key to the SSH server on the SSH client in advance. You can also enable first-time
authentication on the SSH client.
----End
8.4.3 Allocating a Public Key to the SSH Server
To configure the first successful login to another device on an SSH client, you must allocate a
Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA) public key to
the SSH server before login.
Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA or DSA public key
validity check and cannot log in to the server. You must allocate an RSA or DSA public key to
the SSH server before the STelnet client logs in to the SSH server.
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to
the SSH server.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or dsa peer-public-key key-name encoding-type { der | openssh | pem }
An encoding format is configured for a public key, and the public key view is displayed.
Step 3 Run:
public-key-code begin
The public key editing view is displayed.
Step 4 Run:
hex-data
The public key is edited.
The public key is a string of hexadecimal alphanumeric characters an SSH client generates.
NOTE
• The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
• After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the router that functions as the client.
Step 5 Run:
public-key-code end
Quit the public key editing view.
• If the specified hex-data is invalid, the public key cannot be generated after you run the
peer-public-key end command.
• If the specified key-name is deleted in other views, the system determines that the key does
not exist after you run the peer-public-key end command, and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname
The RSA or DSA public key is assigned to the SSH server.
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.
----End
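The first-login decision that 8.4.2 and 8.4.3 describe, modelled as an added example (not Huawei code), with a helper that lists keys saved without verification so they can be compared out of band. Rejecting a key that differs from the saved one is an assumption consistent with the NOTE about invalid stored keys; the server address, key bytes, SHA-256 fingerprint and all names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

ACCEPT_MATCH = "accept: matches assigned key"
ACCEPT_FIRST = "accept: unverified key saved on first login"
REJECT_UNKNOWN = "reject: no key assigned and first-time authentication disabled"
REJECT_MISMATCH = "reject: presented key differs from assigned key"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 digest used to compare keys out of band (format chosen for this sketch)."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class SshClientModel:
    first_time_enable: bool = False                 # the guide's default is disabled
    assigned: dict = field(default_factory=dict)    # (server, key type) -> public key bytes
    unverified: set = field(default_factory=set)    # entries learned on first login

    def assign(self, server, key_type, public_key):
        """Models 'ssh client servername assign { rsa-key | dsa-key } keyname'."""
        self.assigned[(server, key_type)] = public_key
        self.unverified.discard((server, key_type))

    def undo_assign(self, server, key_type):
        """Models the 'undo ssh client servername assign' step from the NOTE."""
        self.assigned.pop((server, key_type), None)
        self.unverified.discard((server, key_type))

    def check(self, server, key_type, presented):
        """Decide what happens when the server presents a public key at login."""
        entry = (server, key_type)
        saved = self.assigned.get(entry)
        if saved is None:
            if not self.first_time_enable:
                return REJECT_UNKNOWN
            # First-time authentication: the key is trusted without any validity check
            self.assigned[entry] = presented
            self.unverified.add(entry)
            return ACCEPT_FIRST
        if hmac.compare_digest(saved, presented):
            return ACCEPT_MATCH
        return REJECT_MISMATCH                       # assumption, see lead-in

    def pending_verification(self):
        """Keys saved on first login that nobody has compared with the server's own copy."""
        return sorted((server, key_type, fingerprint(self.assigned[(server, key_type)]))
                      for server, key_type in self.unverified)

    def confirm(self, server, key_type, trusted_fingerprint):
        """Mark an entry verified if it matches a fingerprint read on the server itself."""
        entry = (server, key_type)
        if entry in self.assigned and hmac.compare_digest(
                fingerprint(self.assigned[entry]), trusted_fingerprint):
            self.unverified.discard(entry)
            return True
        return False


if __name__ == "__main__":
    server_key = b"constructed-dsa-public-key"       # constructed sample bytes
    client = SshClientModel(first_time_enable=True)
    print(client.check("192.0.2.10", "dsa", server_key))
    print(client.pending_verification())
```
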
8.4.4 Using STelnet to Log In to Another Device
You can use STelnet to log in to an SSH server from an SSH client, and manage the device
remotely.
Context
During communication with an SSH server, an STelnet client can carry a source address and a
VPN instance name, choose a key exchange algorithm, an encryption algorithm, or a Hashed
message authentication code (HMAC) algorithm and configure the keepalive function.
Perform the following steps on the router serving as an SSH client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 According to the address type of the SSH server, perform either of the following operations:
If the address of the SSH server is an IPv4 address, perform the following operation:
Run the stelnet [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] |
[ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |
sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc
alivecountmax ] ] * command. You can log in to the SSH server through STelnet.
If the address of the SSH server is an IPv6 address, perform the following operation:
Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ]
[ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] |
[ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des |
aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 |
md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 |
md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * command. You can log in to the SSH
server through STelnet.
----End
8.4.5 Checking the Configuration
After configuring login to another device using STelnet, you can check the mappings between
all SSH servers of the STelnet client and the Rivest-Shamir-Adleman Algorithm (RSA) or
Digital Signature Algorithm (DSA) public keys on the client. You can also check the global
configurations of the SSH servers, and information about sessions between the SSH servers and
the STelnet client.
Prerequisites
The configurations for logging in to another device by using STelnet are complete.
Procedure
• Run the display ssh server-info command to check the mappings between all SSH servers
of the SSH client and the RSA or DSA public keys on the client.
----End
Example
Run the display ssh server-info command to view the mappings between all servers of the SSH client and
the RSA or DSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)                                 Server Public Key Type  Server public key name
______________________________________________________________________________
10.137.128.216                                  RSA                     10.137.128.216
10.137.128.217                                  RSA                     10.137.128.217
10.137.128.217                                  DSA                     sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1                                       RSA                     127.0.0.1
127.0.0.1                                       DSA                     10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1    RSA                     1fff:00ffff:00ffff:0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1  RSA                     1fff:00ffff:ffff:00ffff:000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1    RSA                     1fff:ffff:ffff:00ffff:000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1  RSA                     1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2                                         RSA                     8.1.1.2
8.5 Using TFTP to Access Files on Another Device
You can configure the router as a TFTP client and log in to the TFTP server to upload and
download files.
8.5.1 Before You Start
Before configuring access to another device using TFTP, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
You can use TFTP in a simple interaction environment to transfer files between a server and
a client.
The current router functions as a TFTP client, and the router to be accessed functions as a TFTP
server.
Pre-configuration Tasks
Before configuring access to another device using TFTP, configure a reachable route between
the client and the TFTP server.
Data Preparation
To access another device using TFTP, you need the following data.
No.  Data
1    (Optional) Source address or source interface of the router that functions as a TFTP
     client
2    IP address or host name of the TFTP server
3    Name of the specific file in the TFTP server and the file directory
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client
You can configure a source IP address for a TFTP client and then use the source IP address to
set up a TFTP connection from the TFTP client to the server along a specific route.
Context
An IP address is configured for an interface on the router. This IP address functions as the source
IP address of a TFTP connection, which enables security checks to be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as a TFTP client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a TFTP client is configured.
After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
8.5.3 (Optional) Configuring TFTP Access Authority
This section describes how to use an ACL rule to specify which TFTP servers can be accessed
by using TFTP from the router to which you are logged in.
Context
When the router functions as a TFTP server, you can configure an ACL to allow the clients that
meet matching rules to access the TFTP server.
Perform the following steps on the router that serves as the TFTP client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] } [ match-order
{ auto | config } ] or acl ipv6 { [ number ] acl6-number1 | name acl-name
[ number acl-number2 ] } [ match-order { auto | config } ]
The ACL or ACL6 view is displayed.
TFTP supports only the basic ACL (2000 to 2999).
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source
{ source-ip-address source-wildcard | any } | time-range time-name | vpn-instance
vpn-instance-name ] * or rule [ rule-id ] { deny | permit } [ fragment | source
{ source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } |
time-range time-name | vpn-instance vpn-instance-name ] *
The basic ACL or ACL6 rule is configured.
NOTE
• By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose
source IP addresses match the ACL rule with a permit action can log in to the device.
In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
logging in to the device while allowing the other users to log in to the device:
– rule deny source 10.1.1.10 0
– rule permit source any
If the rule permit source any command is not configured, users whose source IP addresses are not
10.1.1.10 will also be prohibited from logging in to the device.
• If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
logging in to the device.
• If the ACL referenced by TFTP does not contain any rules or does not exist, any user can log in to the
device.
Step 4 Run:
quit
The system view is displayed.
Step 5 Run:
tftp-server acl acl-number
The ACL can be used to limit access to the TFTP server.
----End
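The matching behaviour in the NOTE above, as an added example that is not part of the guide: a basic IPv4 ACL evaluator for match-order config, plus a check for rules that an earlier rule always pre-empts. Automatic rule numbering in multiples of the step, the function names and the test addresses are assumptions of this sketch; match-order auto, fragment, time-range and vpn-instance are not modelled.

```python
import ipaddress
import re
from typing import NamedTuple

ANY = 0xFFFFFFFF


class Rule(NamedTuple):
    rule_id: int
    action: str    # "permit" or "deny"
    addr: int
    wildcard: int  # 1-bits are "don't care", so 0 matches exactly one host


RULE_RE = re.compile(
    r"^rule(?:\s+(\d+))?\s+(permit|deny)(?:\s+source\s+(?:any|(\S+)\s+(\S+)))?$")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines, step=5):
    """Parse basic-ACL rule lines; rules without an ID get the next multiple of step."""
    rules = []
    for line in lines:
        match = RULE_RE.match(line.strip())
        if not match:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rule_id, action, addr, wildcard = match.groups()
        if rule_id is None:
            highest = max((r.rule_id for r in rules), default=0)
            rule_id = (highest // step + 1) * step
        if addr is None:                        # "source any" or no source clause
            rules.append(Rule(int(rule_id), action, 0, ANY))
        else:
            wild = 0 if wildcard == "0" else _ip(wildcard)
            rules.append(Rule(int(rule_id), action, _ip(addr), wild))
    return sorted(rules)                        # match-order config: ascending rule ID


def acl_permits(acl, ip):
    """A missing (None) or empty ACL allows everything; otherwise the first matching
    rule decides, and an address that matches no rule is denied."""
    if not acl:
        return True
    value = _ip(ip)
    for rule in acl:
        if ((value ^ rule.addr) & ~rule.wildcard & ANY) == 0:
            return rule.action == "permit"
    return False


def shadowed_rules(acl):
    """Return (rule_id, covering_rule_id) for rules an earlier rule always pre-empts."""
    found = []
    for index, later in enumerate(acl):
        for earlier in acl[:index]:
            care = ~earlier.wildcard & ANY      # bits the earlier rule actually compares
            if (later.wildcard & care) == 0 and ((later.addr ^ earlier.addr) & care) == 0:
                found.append((later.rule_id, earlier.rule_id))
                break
    return found


if __name__ == "__main__":
    note_example = parse_acl(["rule deny source 10.1.1.10 0", "rule permit source any"])
    print([(r.rule_id, r.action) for r in note_example])
    print(acl_permits(note_example, "10.1.1.10"), acl_permits(note_example, "10.1.1.11"))
    # Rules as shown by "display acl 2001" in 8.5.6
    acl_2001 = parse_acl(["rule 5 permit", "rule 10 permit source 1.1.1.1 0"])
    print(shadowed_rules(acl_2001))
```

Run against the ACL 2001 output in 8.5.6, the shadow check reports rule 10 as covered by rule 5, which already permits every source.
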
8.5.4 Using TFTP to Download Files
You can download files from a TFTP server to a TFTP client.
Context
Do as follows on the router that serves as the TFTP client:
Procedure
• Run the following commands according to the server IP address type.
– If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server
[ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]
The router is configured to download files through TFTP.
– If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type
interface-number ] get source-filename [ destination-filename ]
The router is configured to download files using TFTP.
----End
8.5.5 Using TFTP to Upload Files
You can upload files from a TFTP client to a TFTP server.
Context
Do as follows on the router that serves as the TFTP client:
Procedure
• Run the following commands according to the server IP address type.
– If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server
[ public-net | vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]
The router is configured to upload files using TFTP.
– If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type
interface-number ] put source-filename [ destination-filename ]
The router is configured to upload files using TFTP.
----End
8.5.6 Checking the Configuration
When a device is configured as a TFTP client, you can check the source address of the client
and the configured ACL rule.
Prerequisites
Configurations for using the device as a TFTP client are complete.
Procedure
l
Run the display tftp-client command to check the device address that is set as the source
address of the TFTP client.
l
Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
The source address of TFTP client is 1.1.1.1.
Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is
configured on the TFTP client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 1.1.1.1 0
8.6 Using FTP to Access Files on Another Device
This section describes how to configure a router as an FTP client to log in to an FTP server and
how to upload files to or download files from this server.
Context
The FTP protocol poses a security risk, and therefore the SFTP protocol is recommended.
8.6.1 Before You Start
Before configuring the use of FTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the router to which you have logged in as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.
Pre-configuration Tasks
Before configuring the use of FTP to access files on another device, configure a reachable route
between the router and the FTP server.
Data Preparation
To configure the use of FTP to access files on another device, you need the following data:
No.   Data
1     (Optional) Source IP address or source interface of the router that functions as an FTP client
2     Host name or IP address of the FTP server, port number of the connecting FTP, login username, and password
3     Local file names and file names on the remote FTP server, name of the working directory on the remote FTP server, name of the working directory on the local FTP client, or directory name of the remote FTP server
8.6.2 (Optional) Configuring the Source IP Address and Interface
of the FTP Client
This section describes how to configure the source IP address and interface of an FTP client to
connect to an FTP server.
Prerequisites
An IP address is configured for an interface on the router and functions as the source IP address
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ftp client-source { -a source-ip-address | -i interface-type interface-number }
The source address of the FTP client is configured.
After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.
----End
8.6.3 Connecting to Other Devices Using FTP Commands
You can run FTP commands to log in to other devices from the router that functions as the FTP
client.
Context
You can log in to the FTP server in the user view or the FTP view.
Do as follows on the router that serves as the client:
Procedure
Step 1 Run the following commands according to the server IP address type.
l If the IP address of the server is an IPv4 address, do as follows:
– In the user view, establish a connection to the FTP server.
Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
The router is connected to the FTP server.
– In the FTP view, establish a connection to the FTP server.
1.
In the user view, run:
ftp
The FTP view is displayed.
2.
Run:
open [-a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ vpn-instance vpn-instance-name ]
The router is connected to the FTP server.
NOTE
Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After a default VPN instance is configured,
it will be used for FTP operations.
l If the IP address of the server is an IPv6 address, do as follows:
– In the user view, establish a connection to the FTP server.
Run:
ftp ipv6 host [ port-number ]
The router is connected to the FTP server.
– In the FTP view, establish a connection to the FTP server.
1.
In the user view, run:
ftp
The FTP view is displayed.
2.
Run:
open ipv6 host-ipv6-address [ port-number ]
The router is connected to the FTP server.
----End
8.6.4 Using FTP Commands to Manage Files
After you log in to an FTP server, you can use FTP commands to manage files. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.
Context
After logging in to an FTP server, you can perform the following operations:
l
Configure a data type for transmission files and a file transmission method.
l
Check the online help about FTP commands in the FTP client view.
l
Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
l
Create directories on or delete directories from the FTP server.
l
Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.
After you log in to the router that functions as a client and enter the FTP client view, you can
perform the following steps:
Procedure
l
Configure the data type and transmission mode for the file.
– Run:
ascii | binary
The data type of the file to be transmitted is set to ASCII or binary.
NOTE
FTP supports both ASCII and binary files. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate carriage returns
from line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
Clients can select an FTP transmission mode as required. The system defaults to the ASCII
transmission mode. The client can use a mode switch command to switch between the ASCII
mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is
used to transmit binary files.
– Run:
passive
The passive file transfer mode is configured.
– Run:
verbose
The verbose mode for FTP is enabled.
When the verbose mode is enabled, all FTP responses are displayed. Then, file
transmission efficiency statistics will be displayed.
l
View online help for FTP commands.
remotehelp [ command ]
The online help of the FTP commands is displayed.
l
Upload or download files.
– Upload or download a file.
– Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.
– Run:
get remote-filename [ local-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
– Run the mput local-filenames command to simultaneously upload multiple local
files to the remote FTP server.
– Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE
l If you run the prompt command in the FTP client view to enable the file transmission prompt
function when you are uploading or downloading files, the system prompts you to
confirm the upload or download.
l If you run the prompt command again in the FTP client view, the file transmission prompt
function will be disabled.
l
Run one or more of the following commands to manage directories.
– Run:
cd pathname
The working path of the remote FTP server is specified.
– Run:
cdup
The working path of the FTP server is switched to the upper-level directory.
– Run:
pwd
The specified directory of the FTP server is displayed.
– Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.
– Run:
mkdir make-remote-directory
A directory is created on the FTP server.
– Run:
rmdir delete-remote-directory
A directory is removed from the FTP server.
NOTE
l A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
l When you run the mkdir /abc command, you create a sub-directory named "abc".
l
Run one or more of the following commands to manage files.
– Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.
If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
If local-filename is configured, the remote file can be saved in another local file.
– Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.
If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
If local-filename is configured, the remote file can be saved in another local file.
– Run:
delete remote-filename
The specified file on the FTP server is deleted.
If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
----End
8.6.5 Changing Login Users
After you log in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.
Context
If you are logged in to the NE80E/40E that functions as an FTP client, you can switch to a
different username and log in to the FTP server without logging out of the FTP client view. The
FTP connection established in this way is identical to that established by running the ftp
command.
Perform the following steps on the router that functions as a client:
Procedure
l
Run:
user user-name [ password ]
The user that previously logged in to the FTP server is changed and the new user logs in
to the server.
When the username used to log in to the FTP server is changed, the original connection
between the user and the FTP server is interrupted.
----End
8.6.6 Disconnecting from the FTP Server
You can terminate a connection with an FTP server and return to the user view or FTP view.
Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.
Do as follows on the router that serves as the client.
Procedure
l
Run one of the following commands depending on your system configurations.
– Run:
bye
Or
quit
The client router is disconnected from the FTP server.
Return to the user view.
– Run:
close
Or
disconnect
The client router is disconnected from the FTP server.
Return to the FTP view.
----End
8.6.7 Checking the Configuration
After the configurations for accessing other devices using FTP are complete, you can view the
source parameters configured on the FTP client.
Prerequisites
The configurations for accessing other devices using FTP are complete.
Procedure
l
Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
<HUAWEI> display ftp-client
The source address of FTP client is 1.1.1.1.
8.7 Using SFTP to Access Files on Another Device
SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.
8.7.1 Before You Start
Before you configure the use of SFTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.
Applicable Environment
SFTP is a secure FTP protocol that is based on SSH. SFTP allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
router that functions as an SFTP client.
Pre-configuration Tasks
Before configuring the use of SFTP to access files on another device, configure a reachable route
between the client and SSH server.
Data Preparation
To use SFTP to access files on another device, you need the following data:
No.   Data
1     (Optional) Source address of the device that functions as the SFTP client
2     (Optional) Name of the SSH server
3     (Optional) Public key assigned by the client to the SSH server
4     IPv4 or IPv6 address or host name of the SSH server
5     Number of the port monitored by the SSH server, preferred encryption algorithm for data from the SFTP client to the SSH server, preferred encryption algorithm for data from the SSH server to the SFTP client, preferred HMAC algorithm for data from the SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH server to the SFTP client, preferred algorithm for key exchange, name of the outgoing interface, source address, and user information for logging in to the SSH server
6     Name and directory of a specified file on the SSH server
8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client
You can configure a source IP address for an SFTP client and then use this source address to set
up an SFTP connection from the client to server along a specific route.
Context
An IP address is configured for an interface on the router. This IP address functions as the source
IP address of an FTP connection, which enables security checks to be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a router that functions as an SFTP client.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for an SFTP client.
----End
8.7.3 Enabling the First-Time Authentication on the SSH Client
After first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA)
public key when it logs in to the SSH server for the first time.
Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when it logs in to the SSH server for the first time. After
the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at the next login.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssh client first-time enable
First-time authentication on the SSH client is enabled.
By default, first-time authentication on the SSH client is disabled.
NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the RSA or DSA public key validity check and cannot
log in to the server.
NOTE
To ensure that an STelnet client can log in to an SSH server on the first attempt, you can assign an RSA
or DSA public key to the SSH server on the SSH client in advance. You can also enable first-time
authentication on the SSH client.
----End
8.7.4 Allocating a Public Key to the SSH Server
To configure the first successful login to another device on an SSH client, allocate a
Rivest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA) public key on the
SSH server before you log in.
Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA or DSA public key validity
check and cannot log in to the server.
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to
the SSH server.
Do as follows on the router that functions as an SSH client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or dsa peer-public-key key-name encoding-type { der | openssh | pem }
An encoding format is configured for a public key, and the public key view is displayed.
Step 3 Run:
public-key-code begin
The public key editing view is displayed.
Step 4 Run:
hex-data
The public key is edited.
The public key is a string of hexadecimal alphanumeric characters an SSH client generates.
NOTE
l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the router that functions as the client.
Step 5 Run:
public-key-code end
Quit the public key editing view.
l If the specified hex-data is invalid, the public key cannot be generated after you run the peer-public-key end command.
l If the specified key-name is deleted in other views, the system determines that the key does
not exist after you run the peer-public-key end command, and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname
The RSA or DSA public key is assigned to the SSH server.
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.
----End
8.7.5 Using SFTP to Connect to Other Devices
You can use SFTP to log in to an SSH server from an SSH client.
Context
The command for enabling an SFTP client is similar to that of STelnet. When accessing an SSH
server, SFTP can carry the source address and name of the VPN instance and choose the key
exchange algorithm, encryption algorithm, and Hashed message authentication code (HMAC)
algorithm, and configure the keepalive function.
Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 According to the address type of the SSH server, perform either of the following operations:
If the address of the SSH server is an IPv4 address, perform the following operation:
Run the sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ]
[ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 |
dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 |
sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |
sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc
alivecountmax ] | [ identity-key { dsa | rsa } ] ] * command. You can log in to the SSH server
through STelnet.
If the address of the SSH server is an IPv6 address, perform the following operation:
Run the sftp ipv6 { -a source-address host-ipv6 | host-ipv6 } [ [ -oi interface-type interface-number ] [ port ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] |
[ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des |
aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 |
md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha2_256 | sha2_256_96 | sha1_96 | md5 |
md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | rsa } ] ] *
command. You can log in to the SSH server through STelnet.
Step 3 According to the address type of the SSH server, select and perform one of the following
configurations.
l For IPv4 addresses,
Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des |
aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ]
| [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 |
md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key
{ dsa | rsa } ] ] *
You can log in to the SSH server through SFTP.
l For IPv6 addresses,
Run:
sftp ipv6 { -a source-address host-ipv6 | host-ipv6 } [ [ -oi interface-type
interface-number ] [ port ] | [ prefer_kex { dh_group1 | dh_exchange_group } ]
| [ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac {
sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac
{ sha1 | sha2_256 | sha2_256_96 | sha1_96 | md5 | md5_96 } ] | [ -ki
aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | rsa } ] ] *
----End
8.7.6 Using SFTP Commands to Manage Files
You can use an SFTP client to manage directories and files on the SSH server, and check the
command help on the SFTP client.
Context
After you log in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:
l
Create or delete directories on the SSH server, display the current working directory, or
display the specified directory and information about the file in the specified directory.
l
Change file names, delete files, display a file list, and upload or download files.
l
Display the SFTP client command help.
After you log in to the router that functions as an SSH client and enter the SFTP client view,
you can perform the following steps:
Procedure
l
Manage directories.
Perform the following steps as required:
– Run:
cd [ remote-directory ]
The current operating directory of the users is changed.
– Run:
cdup
The view is switched to a directory one level up.
– Run:
pwd
The current operating directory of the users is displayed.
– Run:
dir / ls [ remote-directory ]
A list of files in the specified directory is displayed.
– Run:
rmdir delete-remote-directory & <1-10>
The directory on the server is deleted.
– Run:
mkdir make-remote-directory
A directory is created on the server.
l
Manage files.
Perform the following steps as required:
– Run:
rename old-name new-name
The name of the specified file on the server is changed.
– Run:
get remote-filename [local-filename]
The file on the remote server is downloaded.
You can also run the following commands in the system view to download files on the
server to the local device:
– On the IPv4 network: run the sftp client-transfile get [ -a source-address | -i
interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 |
dh_exchange_group } ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher {
des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 |
aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 |
sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 |
sha2_256 | sha2_256_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] *
username user-name password password sourcefile source-file [ destination
destination ] command.
On the IPv6 network: run the sftp client-transfile get ipv6 [ -a source-address]
host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] |
[ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher {
des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 |
md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 |
md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ -ki aliveinterval ] | [ -kc
alivecountmax ] ] * username user-name password password sourcefile source-file [ destination destination ] command.
– Run:
put local-filename [remote-filename]
The local file is uploaded to the remote server.
You can also run the following commands in the system view to upload files to the
server:
– On the IPv4 network: run the sftp client-transfile put [ -a source-address | -i
interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 |
dh_exchange_group } ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher {
des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 |
aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 |
sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 |
sha2_256 | sha2_256_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] *
username user-name password password sourcefile source-file [ destination
destination ] command.
On the IPv6 network: run the sftp client-transfile put ipv6 [ -a source-address]
host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ identity-key { rsa | dsa } ] |
[ prefer_ctos_cipher { des | 3des | aes128 | aes256 } ] | [ prefer_stoc_cipher {
des | 3des | aes128 | aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 |
md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 |
md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ -ki aliveinterval ] | [ -kc
alivecountmax ] ] * username user-name password password sourcefile source-file [ destination destination ] command.
– Run:
remove remote-filename
The file on the server is removed.
----End
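The following Python audit is an added example, not part of the Huawei guide. It scans client-side command lines written in the syntax of sections 8.5 to 8.7 and reports the settings this chapter itself warns about (Telnet, FTP, first-time authentication) together with sftp algorithm choices and credential handling that general SSH hardening practice treats as weak. The rule names, function names, addresses, and the sample session are constructed for illustration, and the TFTP, algorithm, and command-line password judgements are assumptions that do not come from the guide.

```python
import re

# Strips a VRP prompt such as "<RouterA>" or "[RouterA-ui-vty0-4]".
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")

# sftp option keyword -> values treated as weak in this audit
# (general SSH hardening practice, not a statement from the guide).
WEAK_SFTP_VALUES = {
    "prefer_kex": {"dh_group1"},
    "prefer_ctos_cipher": {"des", "3des"},
    "prefer_stoc_cipher": {"des", "3des"},
    "prefer_ctos_hmac": {"md5", "md5_96"},
    "prefer_stoc_hmac": {"md5", "md5_96"},
}

# Constructed sample session; only 2.1.1.1 is taken from the guide's example.
SAMPLE = """\
<RouterA> telnet 2.1.1.1
[RouterA] ssh client first-time enable
[RouterA] sftp 192.0.2.5 prefer_kex dh_group1 prefer_ctos_cipher 3des prefer_stoc_hmac md5
[RouterA] sftp 192.0.2.5 prefer_kex dh_exchange_group prefer_ctos_cipher aes256 prefer_stoc_cipher aes256 prefer_ctos_hmac sha2_256 prefer_stoc_hmac sha2_256
[RouterA] sftp client-transfile get host-ip 192.0.2.5 username admin password Example-Pass1 sourcefile vrp.cc
<RouterA> tftp 192.0.2.9 get vrpcfg.cfg
[RouterA] ftp client-source -a 1.1.1.1
<RouterA> ftp 192.0.2.20
"""


def redact(tokens):
    """Return the command as one string with the value after 'password' masked."""
    out = list(tokens)
    for i in range(len(out) - 1):
        if out[i] == "password":
            out[i + 1] = "<redacted>"
    return " ".join(out)


def audit_command(tokens):
    """Return (rule, detail) pairs for one tokenised command."""
    head, second = tokens[0], tokens[1:2]
    findings = []
    if head == "telnet" and second != ["server"]:
        findings.append(("CLEARTEXT_TELNET", "session is unencrypted; the guide recommends STelnet"))
    elif head == "ftp" and second != ["client-source"]:
        findings.append(("CLEARTEXT_FTP", "the guide recommends SFTP instead of FTP"))
    elif head == "tftp":
        findings.append(("UNAUTHENTICATED_TFTP", "TFTP has no login and no encryption"))
    elif tokens[:4] == ["ssh", "client", "first-time", "enable"]:
        findings.append(("HOST_KEY_NOT_VERIFIED", "server key is accepted unchecked at first login"))
    elif head == "sftp":
        # Options come as "keyword value" pairs, so walk adjacent tokens.
        for option, value in zip(tokens, tokens[1:]):
            if value in WEAK_SFTP_VALUES.get(option, ()):
                findings.append(("WEAK_SFTP_ALGORITHM", f"{option} {value}"))
        if second == ["client-transfile"] and "password" in tokens[:-1]:
            findings.append(("PASSWORD_ON_COMMAND_LINE", "credential typed as a command argument"))
    return findings


def audit(text):
    """Audit every non-empty line; return findings with 1-based line numbers."""
    results = []
    for number, raw in enumerate(text.splitlines(), 1):
        tokens = PROMPT.sub("", raw).split()
        if not tokens:
            continue
        for rule, detail in audit_command(tokens):
            results.append({"line": number, "rule": rule,
                            "detail": detail, "command": redact(tokens)})
    return results


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['rule']}: {f['detail']} :: {f['command']}")
```

Line 4 of the sample, which pins dh_exchange_group, aes256, and sha2_256 in both directions, produces no finding, and the password in line 5 is masked before the command is reported.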
8.7.7 Checking the Configuration
After using SFTP to log in to another device, you can view the source address of the SSH client,
mappings between all SSH servers and the Rivest-Shamir-Adleman Algorithm (RSA) or Digital
Signature Algorithm (DSA) public keys on the client, global configurations of the SSH servers,
and sessions between the SSH servers and the client.
Prerequisites
The configuration for using SFTP to access files on another device is complete.
Procedure
l
Run the display sftp-client command to check the source IP address of the SFTP client on
the SSH client.
l
Run the display ssh server-info command to check the mapping between the SSH server
and the RSA or DSA public key on the SSH client.
----End
Example
Run the display sftp-client command on the client to view the source parameters of the device
that functions as an SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1
Run the display ssh server-info command to view the mappings between all servers and the
RSA or DSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)
Server Public Key Type Server public key name
______________________________________________________________________________
10.137.128.216
RSA
10.137.128.216
10.137.128.217
RSA
10.137.128.217
DSA
sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1
RSA
127.0.0.1
DSA
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1
RSA
0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA
000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA
000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1
RSA
1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2
RSA
10.137.128.217
127.0.0.1
10.137.128.217
1fff:00ffff:00ffff:
1fff:00ffff:ffff:00ffff:
1fff:ffff:ffff:00ffff:
8.1.1.2
8.8 Configuration Examples
This section provides examples for accessing another device. These examples explain the
networking requirements, configuration notes, and configuration roadmap.
8.8.1 Example for Using Telnet to Log In to Another Device
This section provides an example for using Telnet to log in to another device. In this example,
the authentication mode and password are configured for users to log in through Telnet.
Networking Requirements
As shown in Figure 8-7, users can Telnet Router A but cannot Telnet Router B. The route
between Router A and Router B is reachable. In this case, users can Telnet Router B from
Router A to remotely configure and manage Router B.
Figure 8-7 Networking diagram for using Telnet to log in to another device
[Figure: PC - Network - RouterA (GE1/0/1, 1.1.1.1/24) - Network - RouterB (GE1/0/1, 2.1.1.1/24), with a Telnet session on each segment]
Configuration Roadmap
The configuration roadmap is as follows:
1. On Router B, configure the authentication mode and password for users on Router A to log
in to Router B.
2. Configure a Telnet server port number on Router B to ensure that users log in only through
this port.
Data Preparation
To complete the configuration, you need the following data:
- Host address of Router B: 2.1.1.1
- Password for user login: Huawei-123
- Telnet server port number: 1028
Procedure
Step 1 Configure the authentication mode and password for Telnet services on Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] set authentication password cipher Huawei-123
[RouterB-ui-vty0-4] quit
To configure an ACL for Telnetting another device, run the following commands on Router B.
[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound
[RouterB-ui-vty0-4] quit
NOTE
Configuring an ACL for Telnet services is optional.
Step 2 Log in to Router B from Router A through Telnet.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] quit
<RouterA> telnet 2.1.1.1
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Password:
Info: Authentication success,Welcome!
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2010-02-22 14:31:01.
<RouterB>
Step 3 Configure a Telnet server port number on Router B.
<RouterB> system-view
[RouterB] telnet server port 1028
Warning: This operation will cause all the online Telnet users to be offline. Co
ntinue?[Y/N]: y
Info: Succeeded in changing the listening port of telnet server.
Step 4 Use the port number 1028 to log in to Router B from Router A through Telnet.
<RouterA> telnet 2.1.1.1 1028
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Password:
Info: Authentication success,Welcome!
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2010-02-22 14:33:48.
<RouterB>
----End
Configuration Files
- Router A configuration file
#
sysname RouterA
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return
- Router B configuration file
#
sysname RouterB
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password cipher $1a$uKWbVT9(dS$"E9fV,x,t#iXd7RDZ2|8l_OgW;kQ
$A<l8u8H-WoM$
#
return
8.8.2 Example for Using Telnet Redirection to Log In to Another
Device
This section describes an example for using the Telnet redirection function to log in to another
device on the network, which enables users to manage the device remotely.
Networking Requirements
As shown in Figure 8-8, there is a reachable route between the PC and Router A, and Router A
is not connected to Router B on the IP network. To manage Router B remotely, you can enable
the Telnet redirection function on Router A, and connect the asynchronous serial interface of
Router A to the serial interface of Router B. Then, you can remotely log in to Router B from the
terminal PC by using the specified port number of Router A to manage Router B.
Figure 8-8 Networking for using Telnet redirection to log in to another device
[Diagram: PC -- Session/Network -- RouterA (GE1/0/1, 10.1.1.1/24; Aux) -- RouterB (Console)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Use the AUX interface of Router A to connect with Router B.
2. Enable the Telnet redirection function on Router A.
Data Preparation
To complete the configuration, you need the following data:
- IP address of Router A: 10.1.1.1
Procedure
Step 1 Open the AUX interface of Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface Aux 0/0/1
[RouterA-Aux0/0/1] undo shutdown
[RouterA-Aux0/0/1] quit
Step 2 Enable the redirection function on Router A.
[RouterA] user-interface aux 0
[RouterA-ui-aux0] undo shell
[RouterA-ui-aux0] redirect
Step 3 View the port number.
<RouterA> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID State
37b26538 6  /1    0.0.0.0:21            0.0.0.0:0             23553 Listening
37b20808 135/4    0.0.0.0:22            0.0.0.0:0             23553 Listening
15b8a270 135/1    0.0.0.0:23            0.0.0.0:0             23553 Listening
32fa2744 135/15   0.0.0.0:2033          0.0.0.0:0             23553 Listening
32facdac 135/17   0.0.0.0:4033          0.0.0.0:0             23553 Listening
32f9e4b4 88 /1    0.0.0.0:6000          0.0.0.0:0             23553 Listening
2ff6bbcc 135/9    10.137.217.226:23     10.138.77.21:2993     0     Established
Step 4 Verify the configuration.
Run the telnet 10.1.1.1 2033 (or 4033) command on the PC to log in to Router B.
----End
Configuration Files
- Router A configuration file
#
sysname RouterA
#
interface Aux0/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
user-interface con 0
user-interface aux 0
 undo shell
 redirect
#
return
8.8.3 Example for Using Telnet on a VPN to Log In to Another
Device
This section provides an example for logging in to another device by using Telnet on a VPN. In
this example, the authentication mode and password are configured for users on a VPN so they
can log in to the router through Telnet.
Networking Requirements
As shown in Figure 8-9, Router A and Router B can ping each other. Users can log in
to Router A from Router B through Telnet.
Figure 8-9 Networking diagram for logging in to another device by using Telnet on a VPN
[Diagram: RouterA (GE1/0/0, 1.1.1.1 24) -- IP Network -- RouterB (GE1/0/0, 1.1.1.2 24; VPN tt)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN on Router B.
2. Configure the authentication mode and password of the user interface VTY0 to VTY4 on
Router B.
3. Have the user enter the password to log in to Router B from Router A in Telnet mode.
Data Preparation
To complete the configuration, you need the following data:
- Host IP address of Router B
- Authentication mode and password
- VPN instance
Procedure
Step 1 Configure the VPN instance and IP address.
# Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
# Configure Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip vpn-instance tt
[RouterB-vpn-instance-tt] route-distinguisher 1000:1
[RouterB-vpn-instance-tt] quit
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ip binding vpn-instance tt
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] quit
Step 2 Configure the Telnet authentication mode and password on Router B.
<RouterB> system-view
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
Please configure the login password (8-16)
Enter Password:
Confirm Password:
[RouterB-ui-vty0-4] quit
To configure Telnet terminal services based on the ACL, perform the following on Router B.
[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit vpn-instance tt source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound
NOTE
Configuring Telnet terminal services based on the ACL is optional.
Step 3 Verify the configuration.
After the configuration is complete, you can log in to Router B from Router A through Telnet.
<RouterA> telnet 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Password:
Info: Authentication success,Welcome!
Note: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
<RouterB>
----End
Configuration Files
- Router A configuration file
#
sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return
- Router B configuration file
#
sysname RouterB
#
ip vpn-instance tt
 route-distinguisher 1000:1
#
acl number 2000
 rule 5 permit vpn-instance tt source 1.1.1.1 0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance tt
 ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
#
return
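The Telnet examples in 8.8.1 to 8.8.3 treat the VTY ACL as optional and rely on one password shared by all users, while the device itself warns that Telnet is not a secure protocol. The following audit script is an added example, not part of the Huawei guide: it reads the user-interface sections of a saved configuration file and reports those settings. The finding names and the audit helper are hypothetical, and it assumes (as on Router B in 8.8.1) that a VTY section without "protocol inbound ssh" accepts Telnet logins.

```python
import re

# Constructed samples: the user-interface sections of three configuration files
# on this page. "<cipher>" stands in for the stored password string.
ROUTER_B_TELNET = """\
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password cipher <cipher>
#
return
"""

ROUTER_A_REDIRECT = """\
#
user-interface con 0
user-interface aux 0
 undo shell
 redirect
#
return
"""

SSH_SERVER = """\
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

# Hypothetical finding names with the remediation each one points to.
ADVICE = {
    "telnet-accepted": "add 'protocol inbound ssh' so the VTY lines take STelnet only",
    "no-inbound-acl": "bind an ACL with 'acl <number> inbound' to limit source addresses",
    "shared-password": "use 'authentication-mode aaa' so every login maps to a named user",
    "console-redirect": "the attached device's console is reachable on a TCP port of "
                        "this router; filter that port to management hosts",
}


def user_interface_sections(config):
    """Yield (header, sub-commands) for each user-interface section.

    A section ends at '#', 'return' or the next user-interface line, so the
    parser works whether or not the indentation survived copy and paste.
    """
    header, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        starts_section = line.startswith("user-interface ")
        if starts_section or line in ("#", "return", ""):
            if header:
                yield header, body
            header, body = (line, []) if starts_section else (None, [])
        elif header:
            body.append(line)
    if header:
        yield header, body


def audit(config):
    """Return (section header, finding name) pairs for one configuration file."""
    findings = []
    for header, body in user_interface_sections(config):
        kind = header.split()[1]                      # con, aux or vty
        if kind == "vty":
            # Assumption: without this line the VTY accepts Telnet, as Router B does in 8.8.1.
            if "protocol inbound ssh" not in body:
                findings.append((header, "telnet-accepted"))
            if not any(re.fullmatch(r"acl \d+ inbound", cmd) for cmd in body):
                findings.append((header, "no-inbound-acl"))
            if any(cmd.startswith("set authentication password")
                   or cmd == "authentication-mode password" for cmd in body):
                findings.append((header, "shared-password"))
        elif kind == "aux" and "redirect" in body:
            findings.append((header, "console-redirect"))
    return findings


if __name__ == "__main__":
    for name, text in [("8.8.1 Router B", ROUTER_B_TELNET),
                       ("8.8.2 Router A", ROUTER_A_REDIRECT),
                       ("8.8.4 SSH server", SSH_SERVER)]:
        for header, finding in audit(text) or [("-", None)]:
            print(name, "|", header, "|", finding, "|", ADVICE.get(finding, "no findings"))
```

The SSH server section is included for contrast: it clears the Telnet and shared-password findings but still has no source ACL on its VTY lines.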
8.8.4 Example for Using STelnet (RSA Authentication Mode) to Log
In to the SSH Server
This section provides an example for logging in to another device by using STelnet. In this
example, local key pairs are generated on the STelnet client and the SSH server, and the
client's Rivest-Shamir-Adleman Algorithm (RSA) public key is configured on the SSH server and then
bound to the client's SSH user. In this manner, the STelnet client can connect to the SSH server.
Networking Requirements
As shown in Figure 8-10, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, Digital Signature
Algorithm (DSA), password-DSA, or all authentication mode. In this example, the Huawei
router functions as an SSH server.
Two users, Client001 and Client002, are configured to log in to the SSH server in the password
and RSA authentication modes, respectively.
Figure 8-10 Networking diagram for using STelnet to log in to another device
[Diagram: SSH Server (GE1/0/1, 10.10.1.1/16), Client 001 (GE1/0/1, 10.10.2.2/16), Client 002 (GE1/0/1, 10.10.3.3/16)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
2. Create a local RSA key pair on STelnet client Client002 and the SSH server, and bind client
Client002 to an RSA key to authenticate the client when the client attempts to log in to the
server.
3. Enable the STelnet service on the SSH server.
4. Set the service type of Client001 and Client002 to STelnet.
5. Enable first-time authentication on the SSH clients.
6. Users Client001 and Client002 can now log in to the SSH server through STelnet.
Data Preparation
To complete the configuration, you need the following data:
- Client001 with the password !QAZ@WSX3edc and authentication mode password
- Client002 with the public key RsaKey001 and authentication mode RSA
- IP address of the SSH server: 10.10.1.1
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Create an SSH user on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA,
and all.
- When the SSH user adopts the password, password-DSA, or password-RSA authentication mode,
configure a local user with the same name.
- When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode,
the server should save the RSA or DSA public key for the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
- Create SSH user Client001.
# Configure password authentication for SSH user Client001.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set the password of SSH user Client001 to !QAZ@WSX3edc.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher !QAZ@WSX3edc
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
- Create SSH user Client002.
# Configure RSA authentication for SSH user Client002.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key generated on the client software to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind SSH user Client002 to the RSA public key of the SSH client.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Enable the STelnet service on the SSH server.
# Enable the STelnet service.
[SSH Server] stelnet server enable
Step 6 Configure the STelnet service for SSH users Client001 and Client002.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet
Step 7 Connect the STelnet client to the SSH server.
# At the first login, enable first-time authentication on the SSH client.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable
# Connect STelnet client Client001 to the SSH server in password authentication mode. Enter
the user name and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password !QAZ@WSX3edc. The login is complete.
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>
# Connect STelnet client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2010-09-06 11:42:42.
<SSH Server>
Step 8 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session
commands. The output shows that the STelnet service is enabled and the STelnet client is connected
to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Disable
Stelnet server                     : Enable
# Display the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : rsa
# Display information about the SSH user.
[SSH Server] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : rsa
User-public-key-name : RsaKey001
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No
----End
Configuration Files
- SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
  3047
  0240
  BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
  519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
  0203
  010001
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}
T=J\E%hGAP&3-R,*7S_]SS}Wa%$%$
 local-user client001 service-type ssh
 local-user client001 state block fail-times 3 interval 5
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
- Client001 configuration file
#
sysname client001
#
interface GigabitEthernet1/0/1
 ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return
- Client002 configuration file
#
sysname client002
#
interface GigabitEthernet1/0/1
 ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
8.8.5 Example for Using STelnet (DSA Authentication Mode) to Log
In to the SSH Server
This section provides an example for logging in to the SSH server using STelnet. In this example,
local key pairs are generated on the STelnet client and secure shell (SSH) server, and the
client's digital signature algorithm (DSA) public key is configured on the SSH server and then
bound to the client's SSH user. These configurations implement communication between the STelnet
clients and SSH server.
Networking Requirements
After the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH
server in any of the following authentication modes: password, Rivest-Shamir-Adleman
Algorithm (RSA), password-RSA, DSA, password-DSA, and all. In this example, the Huawei
router functions as an SSH server.
In Figure 8-11, two users, Client001 and Client002, are configured to use STelnet to log in to
the SSH server in password authentication mode and DSA authentication mode, respectively.
Figure 8-11 Networking diagram for STelnet login mode
[Diagram: SSH Server (GE1/0/1, 10.10.1.1/16), Client 001 (GE1/0/1, 10.10.2.2/16), Client 002 (GE1/0/1, 10.10.3.3/16)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in password authentication
mode and DSA authentication mode, respectively.
2. Create a local DSA key pair on Client002 and the SSH server, and bind Client002 to the
SSH client's DSA public key. These configurations implement authentication for the client
that attempts to log in to the server.
3. Enable the STelnet service on the SSH server.
4. Set the service type of Client001 and Client002 to STelnet.
5. Enable first-time authentication on the SSH clients.
6. Use STelnet on Client001 and Client002 to log in to the SSH server.
Data Preparation
To complete the configuration, you need the following data:
- Client001 with the password %TGB6yhn7ujm and authentication mode password
- Client002 with the public key DsaKey001 and authentication mode DSA
- SSH server IP address: 10.10.1.1
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: ssh server_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
Step 2 Create SSH users on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-DSA,
and all.
- When the SSH user adopts the password, password-DSA, or password-RSA authentication mode,
configure a local user with the same name.
- When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode,
the server should save the RSA or DSA public key for the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
- Create SSH user Client001.
# Create SSH user Client001 and configure the authentication mode as password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set Client001's password to %TGB6yhn7ujm.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
- Create SSH user Client002.
# Create SSH user Client002 and configure the authentication mode as DSA.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
Step 3 Configure the DSA public key on the server.
# Generate a local key pair on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: ssh server_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
# View the DSA public key generated on Client002.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 10:14:48 2011/12/01
Key name    : client002_Host_DSA
Key modulus : 2048
Key type    : DSA encryption Key
=====================================================
Key code:
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
A34004C1 B37824BB D3160595 702901CD 53F0EAE0
6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
C986329F
0240
9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E
717B2208 8F9C46F5 0F1875DE 013FFCD3 D4089356
EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A
958C4074
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCdXKace9kkm7Tx10dw
e1wT65gKHnF7IgiPnEb1Dxh13gE//NPUCJNW7AbQrrJWpN1LQYE4dM69nBYSP3qV
jEB0
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/
6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw6uBsxG0tvnj2pD3Equ/
HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna
6biCkyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/
SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCdXKace9kkm7Tx10dw
e1wT65gKHnF7IgiPnEb1Dxh13gE//NPUCJNW7AbQrrJWpN1LQYE4dM69nBYSP3qVjEB0
# Send the DSA public key generated on the client to the server.
[SSH Server] dsa peer-public-key DsaKey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 3081DC
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
[SSH Server-dsa-key-code] A34004C1 B37824BB D3160595 702901CD 53F0EAE0
[SSH Server-dsa-key-code] 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
[SSH Server-dsa-key-code] 87C63485
[SSH Server-dsa-key-code] 0214
[SSH Server-dsa-key-code] 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
[SSH Server-dsa-key-code] 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
[SSH Server-dsa-key-code] 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
[SSH Server-dsa-key-code] C986329F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E
[SSH Server-dsa-key-code] 717B2208 8F9C46F5 0F1875DE 013FFCD3 D4089356
[SSH Server-dsa-key-code] EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A
[SSH Server-dsa-key-code] 958C4074
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
[SSH Server]
Step 4 Bind Client002 to the SSH client's DSA public key.
[SSH Server] ssh user client002 assign dsa-key DsaKey001
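Step 3 in 8.8.4 and in 8.8.5 has the administrator retype the client's key code by hand, and the display commands print the same key in OpenSSH form. The following script is an added example, not part of the Huawei guide: it decodes a key code, reports the size of each integer, and rebuilds the OpenSSH blob and SHA-256 fingerprint so a transcription can be checked before the key is bound to a user. It assumes the layout seen on this page (a DER SEQUENCE of INTEGERs stored without the sign-padding byte); the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Key codes copied from this page (line breaks regrouped): client002's RSA key
# from 8.8.4 Step 3 and client002's DSA key from 8.8.5 Step 3.
RSA_KEY_CODE = """
3047 0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203 010001
"""
DSA_KEY_CODE = """
3081DC 0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595
702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
0214 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
0240
9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E 717B2208 8F9C46F5 0F1875DE
013FFCD3 D4089356 EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A 958C4074
"""
# The ssh-rsa value that the display command in 8.8.4 prints for the same key.
RSA_OPENSSH_B64 = ("AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
                   "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b")


def read_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("key code ends inside a length field")
    if buf[pos] < 0x80:                               # short form
        return buf[pos], pos + 1
    count = buf[pos] & 0x7F                           # long form: count of length bytes
    end = pos + 1 + count
    if count == 0 or end > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:end], "big"), end


def parse_key_code(text):
    """Return the integers of a key code: [n, e] for RSA, [p, q, g, y] for DSA.

    The key codes on this page omit the 0x00 sign byte that strict DER puts in
    front of an INTEGER whose top bit is set, so values are read as unsigned.
    """
    buf = bytes.fromhex("".join(text.split()))        # ValueError on a bad hex digit
    if buf[:1] != b"\x30":
        raise ValueError("key code does not start with a SEQUENCE tag")
    total, pos = read_len(buf, 1)
    if pos + total != len(buf):
        raise ValueError("SEQUENCE length disagrees with the number of bytes pasted")
    values = []
    while pos < len(buf):
        if buf[pos] != 0x02:
            raise ValueError("expected an INTEGER tag at byte %d" % pos)
        size, pos = read_len(buf, pos + 1)
        if pos + size > len(buf):
            raise ValueError("INTEGER runs past the end of the key code")
        values.append(int.from_bytes(buf[pos:pos + size], "big"))
        pos += size
    return values


def ssh_field(raw):
    """Length-prefixed string as used in SSH wire formats (RFC 4251)."""
    return struct.pack(">I", len(raw)) + raw


def mpint(value):
    """SSH mpint: big-endian with a leading 0x00 when the top bit would be set."""
    return ssh_field(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def describe(key_code):
    """Decode a key code and rebuild its OpenSSH blob and SHA-256 fingerprint."""
    values = parse_key_code(key_code)
    if len(values) == 2:                              # RSA key code holds n, e
        kind, blob = "rsa", ssh_field(b"ssh-rsa") + mpint(values[1]) + mpint(values[0])
    elif len(values) == 4:                            # DSA key code holds p, q, g, y
        kind, blob = "dsa", ssh_field(b"ssh-dss") + b"".join(map(mpint, values))
    else:
        raise ValueError("unrecognised key code layout")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": kind, "bits": [v.bit_length() for v in values],
            "openssh": base64.b64encode(blob).decode(), "sha256": "SHA256:" + digest}


if __name__ == "__main__":
    for code in (RSA_KEY_CODE, DSA_KEY_CODE):
        info = describe(code)
        print(info["type"], info["bits"], info["sha256"])
    print("RSA matches page:", describe(RSA_KEY_CODE)["openssh"] == RSA_OPENSSH_B64)
```

For the sample keys on this page it reports a 512-bit RSA modulus and a 512-bit DSA p with a 160-bit q, and the rebuilt RSA blob matches the ssh-rsa line shown in 8.8.4. Keys of that size suit a worked example only; generate production keys at the 2048-bit default that the prompts offer.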
Step 5 Enable the STelnet service on the SSH server.
# Enable the STelnet service.
[SSH Server] stelnet server enable
Step 6 Configure the STelnet service for Client001 and Client002.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet
Step 7 Connect the STelnet client to the SSH server.
# At the first login, enable first-time authentication on the SSH clients.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable
# Connect Client001 to the SSH server in password authentication mode. Enter the user name
and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password huawei. The command output shows that the login is complete.
Info: The max number of VTY users is 20, and the number of current VTY users on line
is 6. The current login time is 2010-09-06 11:42:42.
<SSH Server>
# Connect client002 to the SSH server in DSA authentication mode.
<client002> system-view
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Info: The max number of VTY users is 20, and the number of current VTY users on line
is 6. The current login time is 2010-09-06 11:42:42.
<SSH Server>
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands. The command outputs show that the STelnet service is enabled and the
STelnet clients have logged in to the SSH server.
# View the SSH status.
[SSH Server] display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 0 hours
SSH Authentication retries          : 3 times
SFTP server                         : Disable
Stelnet server                      : Enable
# View the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : dsa
# View information about the SSH users.
[SSH Server] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : dsa
User-public-key-name : DsaKey001
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No
----End
Configuration Files
• Configuration file of the SSH server
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %$%$f/{P1yh<T$"_sQ6#>~86_
Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key DsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
• Client001 configuration file
#
sysname client001
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return
• Client002 configuration file
#
sysname client002
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
8.8.6 Example for Using TFTP to Access Files on Another Device
In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. Then, you can upload and download files.
Networking Requirements
As shown in Figure 8-12, the IP address of the TFTP server is 10.111.16.160/24.
Log in to the router from the HyperTerminal and then download the file V600R008C10.cc from
the TFTP server.
Figure 8-12 Networking diagram for using TFTP to access files on another device
[Figure labels: PC, TFTP Client, TFTP Server, 10.111.16.160/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the router to download the file.
3. Use the TFTP command on the router to upload the file.
Data Preparation
To complete the configuration, you need the following data:
• The TFTP application installed on the TFTP server
• The path of the file on the TFTP server
• The destination file name and its path on the router
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the
V600R008C10.cc file resides. Figure 8-13 shows the interface.
Figure 8-13 Setting the base directory of the TFTP server
NOTE
The display may be different depending on which TFTP server application is run on the computer.
Step 2 Log in to the router from computer HyperTerminal and enter the following command to
download the file.
<HUAWEI> tftp 10.111.16.160 get V600R008C10.cc cfcard:/V600R008C10.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the router.
<HUAWEI> dir cfcard:
Directory of cfcard:/
Idx  Attr  Size(Byte)  Date         Time      FileName
  1  -rw-          40  Jun 24 2006  09:30:40  private-data.txt
  2  -rw-         396  May 19 2006  15:00:10  rsahostkey.dat
  3  -rw-         540  May 19 2006  15:00:10  rsaserverkey.dat
  4  -rw-        2718  Jun 21 2006  17:46:46  1.cfg
  5  -rw-       14343  May 19 2006  15:00:10  paf.txt
  6  -rw-        1004  Feb 05 2001  09:51:22  vrp1.zip
  7  -rw-        6247  May 19 2006  15:00:10  license.txt
  8  -rw-       14343  May 16 2006  14:13:42  paf.txt.bak
  9  -rw-    86235884  Feb 05 2001  10:23:46  V600R008C10.cc
Step 4 Log in to the router from computer HyperTerminal and enter the following command to upload
the file.
<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.
----End
8.8.7 Example for Configuring Access to the TFTP Server on the
Public Network When the Management VPN Instance Is Used
This section provides an example for configuring access to the TFTP server on the public network
when the management VPN instance is used. In this example, after you log in to a router
configured with the management VPN instance, you can download files from the TFTP server
on the public network.
Networking Requirements
As shown in Figure 8-14, a management VPN instance is configured on the router. Users use
the VPN instance to access the FTP server from the router. To enable the client to access the
TFTP server on the public network, connect the router to the TFTP server on the public network.
Log in to the router from the HyperTerminal and then download the file V600R008C10.cc from
the TFTP server.
Figure 8-14 Networking diagram of configuring access to the TFTP server on the public network
when the management VPN instance is used
[Figure labels: TFTP Server, 10.111.16.160/24, Network, PC, TFTP Client]
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the router to download the file.
3. Use the TFTP command on the router to upload the file.
Data Preparation
To complete the configuration, you need the following data:
• The TFTP application installed on the TFTP server
• The path of the file on the TFTP server
• The destination file name and its path on the router
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the
V600R008C10.cc file resides. Figure 8-15 shows the interface.
Figure 8-15 Setting the base directory of the TFTP server
NOTE
The display may be different depending on which TFTP server application is run on the computer.
Step 2 Log in to the router from computer HyperTerminal and enter the following command to
download the file.
<HUAWEI> tftp 10.111.16.160 public-net get V600R008C10.cc cfcard:/V600R008C10.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the router.
<HUAWEI> dir cfcard:
Directory of cfcard:/
Idx  Attr  Size(Byte)  Date         Time      FileName
  1  -rw-          40  Jun 24 2006  09:30:40  private-data.txt
  2  -rw-         396  May 19 2006  15:00:10  rsahostkey.dat
  3  -rw-         540  May 19 2006  15:00:10  rsaserverkey.dat
  4  -rw-        2718  Jun 21 2006  17:46:46  1.cfg
  5  -rw-       14343  May 19 2006  15:00:10  paf.txt
  6  -rw-        1004  Feb 05 2001  09:51:22  vrp1.zip
  7  -rw-        6247  May 19 2006  15:00:10  license.txt
  8  -rw-       14343  May 16 2006  14:13:42  paf.txt.bak
  9  -rw-    86235884  Feb 05 2001  10:23:46  V600R008C10.cc
Step 4 Log in to the router from computer HyperTerminal and enter the following command to upload
the file.
<HUAWEI> tftp 10.111.16.160 public-net put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.
----End
Configuration Files
None.
8.8.8 Example for Using FTP to Access Files on Another Device
This section provides an example for using FTP to access files on another device. In this example,
a user logs in to the FTP server from the router to download system software and configuration
software from the FTP server.
Networking Requirements
As shown in Figure 8-16, the route between Router A that functions as the FTP client and the
FTP server is reachable. A user needs to download system software and configuration software
from the FTP server. The Huawei router functions as an FTP server.
Figure 8-16 Networking diagram for using FTP to access files on another device
[Figure labels: RouterA, GE1/0/1 2.1.1.1/24, Network, GE1/0/1 1.1.1.1/24, FTP Server]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password for an FTP user to log in to the FTP server.
2. Enable the FTP server on the router.
3. Run login commands to log in to the FTP server.
4. Configure the file transmission mode and directories for the client before downloading
   required files from the FTP server.
Data Preparation
To complete the configuration, you need the following data:
• User name: huawei and password: !QAZ@WSX3edc
• IP address of the FTP server: 1.1.1.1
• Target file and its location on Router A
Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password irreversible-cipher !QAZ@WSX3edc
[HUAWEI-aaa] local-user huawei service-type ftp
[HUAWEI-aaa] local-user huawei ftp-directory cfcard:
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit
Step 2 Enable the FTP server.
[HUAWEI] ftp server enable
Step 3 Log in to the FTP server from Router A.
<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
Step 4 On Router A, configure the binary format as the file transfer mode and flash:/ as the working
directory.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.
Step 5 On Router A, download the latest system software from the remote FTP server.
[ftp] get V600R008C10.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R008C10.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
You can run the dir command to check whether the required file is downloaded to the client.
----End
Configuration Files
• Configuration file on the FTP server
#
ftp server enable
#
aaa
local-user huawei password irreversible-cipher %$%$Skdd9`7(<QDv`NXLTB()aS}T=J
\E%hGAP&3-R,*7S_]SS}Wa%$%$
local-user huawei service-type ftp
local-user huawei state block fail-times 3 interval 5
local-user huawei ftp-directory cfcard:
local-user huawei level 3
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
return
• Configuration file on the FTP client
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
return
8.8.9 Example for Configuring Access to the FTP Server on the
Public Network When the Management VPN Instance Is Used
This section provides an example for configuring access to the FTP server on the public network
when the management VPN instance is used. In this example, after you log in to a router
configured with the management VPN instance, you can download files from the FTP server on
the public network.
Networking Requirements
As shown in Figure 8-17, a management VPN instance is configured on Router A. Users use
the VPN instance to access the FTP server. To enable Router A to access the FTP server on the
public network, you need to connect the router to the FTP server on the public network.
The route between the router that functions as the FTP client and the FTP server is reachable. A
user needs to download system software and configuration software from the FTP server on the
public network.
Figure 8-17 Networking diagram of configuring access to the FTP server on the public network
when the management VPN instance is used
[Figure labels: RouterA, GE1/0/1 2.1.1.1/24, Network, GE1/0/1 1.1.1.1/24, FTP Server]
Configuration Roadmap
1. Log in to the FTP server from the FTP client on the public network.
2. Download the system files from the server to the storage devices on the client side.
Data Preparation
To complete the configuration, you need the following data:
• IP address of the FTP server: 1.1.1.1
• User name: huawei and password: huawei
• The destination file name and its position in the router
Procedure
Step 1 Log in to the FTP server from the router.
<HUAWEI> ftp 1.1.1.1 public-net
Trying 1.1.1.1
Press CTRL+K to abort
Connected to 1.1.1.1
220 FTP service ready.
User(ftp 1.1.1.1:(none)):huawei
331 Password required for huawei
Password:
230 User logged in.
Step 2 Configure the transmission mode to the binary format and configure the directory of the cfcard
memory on the router.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.
Step 3 Download the newest system software from the remote FTP server on the router.
[ftp] get V600R008C10.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R008C10.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
----End
Configuration Files
None.
8.8.10 Example for Using SFTP (RSA Authentication Mode) to
Access Files on Another Device
In this example, the local key pairs are generated on the SFTP client and the SSH server
respectively, and the public RSA key is generated on the SSH server that binds the public Rivest-Shamir-Adleman Algorithm (RSA) key to the SFTP client. In this manner, the SFTP client can
connect to the SSH server.
Networking Requirements
As shown in Figure 8-18, after the SFTP service is enabled on the SSH server, the SFTP client
can log in to the SSH server with the password, RSA, password-RSA, Digital Signature
Algorithm (DSA), password-DSA, or all authentication. In this example, the Huawei router
functions as an SSH server.
Two users, client001 and client002, are configured to log in to the SSH server in password and
RSA authentication modes, respectively.
Figure 8-18 Networking diagram for accessing files on another device by using SFTP
[Figure labels: SSH Server, GE1/0/1 10.10.1.1/16; Client 001, GE1/0/1 10.10.2.2/16; Client 002, GE1/0/1 10.10.3.3/16]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication
   modes.
2. Create a local RSA key pair on SFTP client Client002 and the SSH server, and bind client
   Client002 to an RSA key to authenticate the client when the client attempts to log in to the
   server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Client001 and Client002 log in to the SSH server by using SFTP to access files on the
   server.
Data Preparation
To complete the configuration, you need the following data:
• Client001 password: %TGB6yhn7ujm. Adopt password authentication.
• Client002: adopt RSA authentication and assign public key RsaKey001 to Client002.
• IP address of the SSH server: 10.10.1.1.
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
Step 2 Create an SSH user on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-dsa,
and all.
• When the SSH user adopts the password, password-DSA, or password-RSA authentication mode,
  configure a local user with the same name.
• When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode,
  the server should save the RSA or DSA public key for the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
• Create Client001 for the SSH user.
# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set %TGB6yhn7ujm as the password for Client001 of the SSH user.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
• Create Client002 for the SSH user.
# Create an SSH user with user name Client002 and RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the public RSA key of the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of SSH client to Client002 of the SSH user.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
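The key code pasted into the rsa-key-code view in Step 3 is the DER encoding of the client's RSA public key, and the display output shows the same key in OpenSSH format. The following Python sketch is an added example, not part of the Huawei guide: it parses a key code, rebuilds the OpenSSH line so that a copied key can be compared with the client's own output before it is bound to a user, and reports the modulus size. The function names and the 2048-bit minimum (the device default shown in Step 1) are assumptions of this example.

```python
import base64
import struct

# Values transcribed from the Step 3 display output on this page (client002_Host).
KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""
DEVICE_OPENSSH = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn"
    "TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value item; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated key code")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Parse a pasted RSA key code (hex, any whitespace) into (modulus, exponent)."""
    der = bytes.fromhex("".join(text.split()))
    body, end = _read_tlv(der, 0, 0x30)        # SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after key code")
    n_bytes, pos = _read_tlv(body, 0, 0x02)    # INTEGER: modulus
    e_bytes, pos = _read_tlv(body, pos, 0x02)  # INTEGER: public exponent
    if pos != len(body):
        raise ValueError("unexpected data inside SEQUENCE")
    # The key code on this page carries no leading 0x00 sign byte, so the
    # integers are read as unsigned.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _mpint(value):
    """SSH mpint (RFC 4251): length-prefixed, big-endian, top bit kept clear."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def to_openssh(modulus, exponent):
    """Build the base64 'ssh-rsa' public key blob (RFC 4253, section 6.6)."""
    name = b"ssh-rsa"
    blob = struct.pack(">I", len(name)) + name + _mpint(exponent) + _mpint(modulus)
    return base64.b64encode(blob).decode("ascii")


def check_key(key_code, openssh_line, min_bits=2048):
    """Compare a pasted key code with an OpenSSH-format line for the same key."""
    modulus, exponent = parse_key_code(key_code)
    fields = openssh_line.split()
    return {
        "bits": modulus.bit_length(),
        "exponent": exponent,
        "matches_openssh": len(fields) >= 2
        and fields[1] == to_openssh(modulus, exponent),
        "below_min_bits": modulus.bit_length() < min_bits,  # assumed policy
    }


if __name__ == "__main__":
    print(check_key(KEY_CODE, DEVICE_OPENSSH))
```

Run against the values above, the check confirms that the key code and the OpenSSH line describe the same key, and that the sample key has a 512-bit modulus.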
Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Configure the service type and authorized directory of the SSH user.
Two SSH users are configured on the SSH server: Client001 and Client002. The password
authentication mode is configured for Client001 and the RSA authentication mode is configured
for Client002.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 7 Connect the SFTP client to the SSH server.
# For the first login, you need to enable the first authentication on the SSH client.
Enable the first authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable the first authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable
# Connect the SFTP client Client001 to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
sftp-client>
# Connect the SFTP client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>
Step 8 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session
commands. You can view that the SFTP service is enabled and the SFTP client is connected
to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
Stelnet server: Disable
# Display the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : rsa
# Display information about the SSH user.
[SSH Server] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       : cfcard:
Service-type         : sftp
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : rsa
User-public-key-name : RsaKey001
Sftp-directory       : cfcard:
Service-type         : sftp
Authorization-cmd    : No
----End
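The session output in Step 8, like the matching output in the STelnet (DSA) example earlier in this chapter, lists the algorithms each session negotiated, so it can be audited mechanically. The following Python sketch is an added example, not part of the Huawei guide: it parses the two display outputs (sample text transcribed from this page, whitespace normalized) and flags weak key exchange, cipher and MAC choices plus SSH 1.x compatibility. The flagging rules are this example's own policy assumption.

```python
import re

# Sample text transcribed from the Step 8 output on this page.
STATUS_SAMPLE = """\
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
Stelnet server: Disable
"""
_SESSION = """\
Session {n}:
Conn                : VTY {vty}
Version             : 2.0
State               : started
Username            : {user}
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : {auth}
"""
SESSION_SAMPLE = (_SESSION.format(n=1, vty=3, user="client001", auth="password")
                  + _SESSION.format(n=2, vty=4, user="client002", auth="rsa"))

SESSION_HEADER = re.compile(r"^Session\s+(\d+)\s*:\s*$")
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
CHECKED_FIELDS = ("Kex", "CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac")


def parse_fields(text):
    """Parse 'Label : value' lines into a dict (the first colon splits the line)."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}


def parse_sessions(text):
    """Split 'display ssh server session' output into one dict per session."""
    sessions, current = [], None
    for line in text.splitlines():
        header = SESSION_HEADER.match(line)
        if header:
            current = {"Session": header.group(1)}
            sessions.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sessions


def weakness(field, value):
    """Return a reason if the negotiated algorithm is weak, else None."""
    v = value.lower()
    if field == "Kex":
        if "group1-" in v:
            return "1024-bit Diffie-Hellman group"
        if v.endswith("sha1"):
            return "SHA-1 based key exchange"
    elif field.endswith("Cipher"):
        if "arcfour" in v or "des" in v:
            return "obsolete cipher"
        if v.endswith("-cbc"):
            return "CBC-mode cipher"
    elif field.endswith("Hmac"):
        if "md5" in v:
            return "MD5-based MAC"
        if v.endswith("-96"):
            return "MAC truncated to 96 bits"
        if "sha1" in v:
            return "SHA-1 based MAC"
    return None


def audit_sessions(text):
    """List every weak negotiated algorithm, per session and user."""
    findings = []
    for s in parse_sessions(text):
        for field in CHECKED_FIELDS:
            reason = weakness(field, s.get(field, ""))
            if reason:
                findings.append({"session": s["Session"], "user": s.get("Username"),
                                 "field": field, "value": s[field], "reason": reason})
    return findings


def audit_status(text):
    """Flag server-wide settings from 'display ssh server status'."""
    notes = []
    if parse_fields(text).get("SSH version") == "1.99":
        notes.append("SSH version 1.99: server also accepts SSH protocol 1.x clients")
    return notes


if __name__ == "__main__":
    for f in audit_sessions(SESSION_SAMPLE):
        print(f)
    print(audit_status(STATUS_SAMPLE))
```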
Configuration Files
• SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %$%$f/{P1yh<T$"_sQ6#>~86_
Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory cfcard:.
ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
• Configuration file of Client001 on the SSH client
#
sysname client001
#
interface GigabitEthernet1/0/1
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return
• Configuration file of Client002 on the SSH client
#
sysname client002
#
interface GigabitEthernet1/0/1
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
8.8.11 Example for Using SFTP (DSA Authentication Mode) to Log
In to the SSH Server
This section provides an example for using SFTP to log in to the secure shell (SSH) server. In
this example, the local key pairs are generated on the SFTP client and SSH server, and the public
Digital Signature Algorithm (DSA) key is generated on the SSH server and bound to the SFTP
client. These configurations implement the connection between the SFTP client and SSH
server.
Networking Requirements
In Figure 8-19, after the SFTP service is enabled on the SSH server, the SFTP client can log in
to the SSH server in any of the following authentication modes: password, Rivest-Shamir-Adleman Algorithm (RSA), password-RSA, Digital Signature Algorithm (DSA), password-DSA, and all. In this example, the Huawei router functions as an SSH server.
Two users client001 and client002 are configured to log in to the SSH server in password
authentication mode and DSA authentication mode, respectively.
Figure 8-19 Networking diagram for using SFTP to access files on other devices
[Figure labels: SSH Server, GE1/0/1 10.10.1.1/16; Client 001, GE1/0/1 10.10.2.2/16; Client 002, GE1/0/1 10.10.3.3/16]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication
   modes.
2. Create a local DSA key pair on client002 and the SSH server, and bind client002 to the
   SSH client's DSA public key. These configurations implement authentication for the client
   that attempts to log in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use client001 and client002 to log in to the SSH server. Then use SFTP to access files on
   the server.
Data Preparation
To complete the configuration, you need the following data:
• Client001 with the password %TGB6yhn7ujm and authentication mode password
• Client002 with the public key DsaKey001 and authentication mode DSA
• Directory to which SSH users are allowed access: flash
• SSH server IP address: 10.10.1.1
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Warning: Do you want to replace it ?[Y/N]: y
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
Step 2 Create SSH users on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-dsa,
and all.
• When the SSH user adopts the password, password-DSA, or password-RSA authentication mode,
  configure a local user with the same name.
• When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode,
  the server should save the RSA or DSA public key for the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] user privilege level 3
[SSH Server-ui-vty0-4] quit
• Create SSH user Client001.
# Create SSH user Client001 and configure the authentication mode as password.
[SSH Server] ssh user client001
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client001 authentication-type password
# Set client001's password to %TGB6yhn7ujm.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 level 15
[SSH Server-aaa] quit
• Create SSH user Client002.
# Create SSH user Client002 and configure the authentication mode as DSA.
[SSH Server] ssh user client002
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client002 authentication-type dsa
Step 3 Configure the DSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 19:05:37 2012/7/12
Key name    : client002_Host_DSA
Key modulus : 2048
Key type    : DSA encryption Key
=====================================================
Key code:
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
A34004C1 B37824BB D3160595 702901CD 53F0EAE0
6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
C986329F
0240
A40A1B4E 7176FF2C 72052269 15A538DA F085C88C
51475F29 CC3D1E63 83FB4193 93AFE905 65FDA2C7
D8A1B55A 15ECC7F7 A0D78921 BDF53C84 7CCBF47B
E5FC773C
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCkChtOcXb/LHIFImkV
pTja8IXIjFFHXynMPR5jg/tBk5Ov6QVl/aLH2KG1WhXsx/eg14khvfU8hHzL9Hvl
/Hc8
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw
6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biCkyrIhQirfIE/AAAAQQCR/w8s
kZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKf
AAAAQQCkChtOcXb/LHIFImkVpTja8IXIjFFHXynMPR5jg/tBk5Ov6QVl/aLH2KG1WhXsx/eg14khvfU8
hHzL9Hvl/Hc8 dsa-key
# Send the DSA public key generated on the client to the server.
[SSH Server] dsa peer-public-key DsaKey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 3081DC
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
[SSH Server-dsa-key-code] A34004C1 B37824BB D3160595 702901CD 53F0EAE0
[SSH Server-dsa-key-code] 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
[SSH Server-dsa-key-code] 87C63485
[SSH Server-dsa-key-code] 0214
[SSH Server-dsa-key-code] 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
[SSH Server-dsa-key-code] 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
[SSH Server-dsa-key-code] 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
[SSH Server-dsa-key-code] C986329F
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] 77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02
[SSH Server-dsa-key-code] 9023CCF9 0C82B474 2A9D8445 5004779F 18853E9F
[SSH Server-dsa-key-code] 0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1
[SSH Server-dsa-key-code] B442C340
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
[SSH Server]
Step 4 Bind client002 to the SSH client's DSA public key.
[SSH Server] ssh user client002 assign dsa-key DsaKey001
Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in DSA authentication mode.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 7 Connect the SFTP client to the SSH server.
# At the first login, enable first-time authentication on the SSH clients.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on client002.
[client002] ssh client first-time enable
# Connect Client001 to the SSH server in password authentication mode.
[client001] sftp 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
sftp-client>
# Connect client002 to the SSH server in DSA authentication mode.
[client002] sftp 10.10.1.1
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands. The command outputs show that the SFTP service is enabled and the SFTP
clients have logged in to the SSH server.
# View the SSH status.
[SSH Server] display ssh server status
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries         :3 times
SFTP server                        :Enable
Stelnet server                     :Disable
SSH server source                  :0.0.0.0
# View the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn                : VTY 0
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
CTOS Compress       : none
STOC Compress       : none
Kex                 : diffie-hellman-group1-sha1
Public Key          : rsa
Service Type        : sftp
Authentication Type : dsa
Session 2:
Conn                : VTY 1
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
CTOS Compress       : none
STOC Compress       : none
Kex                 : diffie-hellman-group1-sha1
Public Key          : rsa
Service Type        : sftp
Authentication Type : password
# View information about the SSH users.
[SSH Server] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
User-public-key-type :
Sftp-directory       : cfcard:
Service-type         : sftp
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : dsa
User-public-key-name : DsaKey001
User-public-key-type : dsa
Sftp-directory       : cfcard:
Service-type         : sftp
Authorization-cmd    : No
----End
Configuration Files
• SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key DsaKey001 encoding-type der
public-key-code begin
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595
702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
0240
77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02 9023CCF9 0C82B474 2A9D8445
5004779F 18853E9F 0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1 B442C340
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %$%$f/{P1yhirreversible-
cipher %$%$f/{P1yh<T$"_sQ6#>~86_
Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
local-user client001 service-type ssh
local-user client001 level 15
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory cfcard:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key DsaKey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory cfcard:
#
return
• Client001 configuration file
#
sysname client001
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return
• Client002 configuration file
#
sysname client002
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
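The session fields shown in Step 8 of this example can be checked mechanically. The following Python code is an added example, not part of the guide or of Huawei's software: it parses output in the one-field-per-line layout of display ssh server session and flags negotiated algorithms against a policy that is an assumption of this example. Sessions 1 and 2 in the sample are abridged from the output above; session 3 is constructed.

```python
"""Audit 'display ssh server session' output for weak negotiated algorithms."""
import re

# Sample input: sessions 1 and 2 abridged from the guide, session 3 constructed.
SAMPLE_OUTPUT = """\
Session 1:
Conn                : VTY 0
Username            : client002
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Public Key          : rsa
Service Type        : sftp
Authentication Type : dsa
Session 2:
Conn                : VTY 1
Username            : client001
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Public Key          : rsa
Service Type        : sftp
Authentication Type : password
Session 3:
Conn                : VTY 2
Username            : client003
CTOS Cipher         : aes256-ctr
STOC Cipher         : aes256-ctr
CTOS Hmac           : hmac-sha2-256
STOC Hmac           : hmac-sha2-256
Kex                 : diffie-hellman-group14-sha256
Public Key          : rsa
Service Type        : sftp
Authentication Type : rsa
"""

SESSION_RE = re.compile(r"^Session\s+(\d+):\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)\s*:\s*(\S.*?)\s*$")


def parse_sessions(text):
    """Return one dict per 'Session N:' block, keyed by field name."""
    sessions, current = [], None
    for line in text.splitlines():
        header = SESSION_RE.match(line)
        if header:
            current = {"Session": int(header.group(1))}
            sessions.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return sessions


def weak_reason(field, value):
    """Policy of this example (an assumption): return a reason string or None."""
    v = value.lower()
    if field in ("CTOS Cipher", "STOC Cipher") and v.endswith("-cbc"):
        return "CBC-mode cipher"
    if field in ("CTOS Hmac", "STOC Hmac") and (v.endswith("-96") or "md5" in v):
        return "truncated or MD5-based MAC"
    if field == "Kex" and v == "diffie-hellman-group1-sha1":
        return "1024-bit DH group with SHA-1"
    if field in ("Public Key", "Authentication Type") and v == "dsa":
        return "DSA key"
    return None


def audit(text):
    """Return (session, username, field, value, reason) for every weak value."""
    findings = []
    for session in parse_sessions(text):
        for field, value in session.items():
            if field == "Session":
                continue
            reason = weak_reason(field, value)
            if reason:
                findings.append((session["Session"], session.get("Username", "?"),
                                 field, value, reason))
    return findings


if __name__ == "__main__":
    for number, user, field, value, reason in audit(SAMPLE_OUTPUT):
        print(f"session {number} ({user}): {field} = {value}: {reason}")
```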
8.8.12 Example for Configuring Access to the SFTP Server on the Public Network When the Management VPN Instance Is Used
This section provides an example for configuring access to the SFTP server on the public network
when the management VPN instance is used. In this example, after you generate the local key
pair on the SFTP client and SSH server, generate the Rivest-Shamir-Adleman (RSA)
public key on the SSH server, and bind the RSA public key to the client, you can connect the
SFTP client to the SFTP server on the public network when you use the management VPN
instance.
Networking Requirements
As shown in Figure 8-20, a management VPN instance is configured for Client001 and
Client002. Users use the VPN instance to access the FTP server. To enable the client to access
the SFTP server on the public network, you need to connect the router to the SFTP server on the
public network.
The Huawei router functions as an SSH server. Two users Client001 and Client002 are
configured to log in to the SSH server in the password and RSA authentication modes,
respectively.
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to
the SSH server.
Figure 8-20 Networking diagram for configuring access to the SFTP server on the public network when the management VPN instance is used
[Figure. Devices shown: SSH Server (GE1/0/1, 10.10.1.1/16); Client 001 (GE1/0/1, 10.10.2.2/16); Client 002 (GE1/0/1, 10.10.3.3/16)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on STelnet client Client002 and the SSH server, and bind client Client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Configure Client001 and Client002 to log in to the SSH server on the public network through SFTP.
Data Preparation
To complete the configuration, you need the following data:
• Client001 with the password %TGB6yhn7ujm and authentication mode password
• Client002 with the public key RsaKey001 and authentication mode RSA
• IP address of the SSH server: 10.10.1.1.
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
Step 2 Create an SSH user on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-dsa,
and all.
• When the SSH user adopts the password, password-DSA, or password-RSA authentication mode,
configure a local user with the same name.
• When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode,
the server should save the RSA or DSA public key for the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
• Create SSH user Client001.
# Create an SSH user named Client001 with the password authentication mode.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set %TGB6yhn7ujm as the password for SSH user Client001.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
• Create SSH user Client002.
# Create an SSH user named Client002 with the RSA authentication mode.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of the SSH client to SSH user Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: Client001 and Client002. The password
authentication mode is configured for Client001 and the RSA authentication mode is configured
for Client002.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 7 Connect the SFTP client to the SSH server.
# At the first login, enable first-time authentication on the SSH client.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable
# Connect SFTP client Client001 to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.10.1.1 public-net
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
Enter password:
sftp-client>
# Connect SFTP client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.10.1.1 public-net
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
sftp-client>
Step 8 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session
commands. The command outputs show that the SFTP service is enabled and the SFTP client is
connected to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Disable
# Display the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : rsa
# Display information about the SSH user.
[SSH Server] display ssh user-information
User 1:
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       : cfcard:
Service-type         : sftp
Authorization-cmd    : No
User 2:
User Name            : client002
Authentication-type  : rsa
User-public-key-name : RsaKey001
Sftp-directory       : cfcard:
Service-type         : sftp
Authorization-cmd    : No
----End
Configuration Files
• SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %$%$f/{P1yhirreversiblecipher %$%$f/{P1yh<T$"_sQ6#>~86_
Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory cfcard:.
ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
• Client001 configuration file
#
sysname client001
#
interface GigabitEthernet1/0/1
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return
• Client002 configuration file
#
sysname client002
#
interface GigabitEthernet1/0/1
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
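The key codes pasted into the server in Step 3 of this example and of the preceding DSA example can be decoded to see what key is actually being trusted. This Python code is an added example, not part of the guide or of Huawei's software: it treats a key code as a DER SEQUENCE of unsigned INTEGERs, which is how the bytes printed in the guide decode. The DSA field order p, q, g, y and the 2048-bit threshold are assumptions of the example.

```python
"""Decode a 'public-key-code' hex block and report the key size."""

# Key codes copied from the guide's Step 3 transcripts (whitespace is ignored).
RSA_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""

DSA_KEY_CODE = """
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
A34004C1 B37824BB D3160595 702901CD 53F0EAE0
6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
C986329F
0240
77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02
9023CCF9 0C82B474 2A9D8445 5004779F 18853E9F
0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1
B442C340
"""


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value (incomplete paste?)")
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Return the integers inside the outer SEQUENCE of a key code."""
    data = bytes.fromhex("".join(text.split()))
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("key code does not start with a SEQUENCE")
    if end != len(data):
        raise ValueError("trailing bytes after the SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        # Read as unsigned: the guide's key codes carry no 0x00 sign byte.
        ints.append(int.from_bytes(value, "big"))
    return ints


def describe_key(text, min_bits=2048):
    """Classify the key by its integer count and flag short moduli."""
    ints = parse_key_code(text)
    if len(ints) == 2:    # RSA: modulus n, public exponent e
        info = {"type": "rsa", "bits": ints[0].bit_length(), "exponent": ints[1]}
    elif len(ints) == 4:  # DSA: assumed order p, q, g, y
        info = {"type": "dsa", "bits": ints[0].bit_length(),
                "q_bits": ints[1].bit_length()}
    else:
        raise ValueError("unexpected number of integers: %d" % len(ints))
    info["weak"] = info["bits"] < min_bits  # threshold is this example's policy
    return info


if __name__ == "__main__":
    for name, code in (("RsaKey001", RSA_KEY_CODE), ("DsaKey001", DSA_KEY_CODE)):
        print(name, describe_key(code))
```

Run on the guide's own key codes, it reports a 512-bit RSA modulus and a 512-bit DSA p, both below the 2048-bit default offered at the key-generation prompt.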
8.8.13 Example for Accessing the SSH Server Through Other Ports
This section provides an example for accessing the SSH server through a port other than the
standard one. In this example, the listening port number of the SSH server is set to a port
number other than the standard listening port number so that only valid users can set up
connections with the SSH server.
Networking Requirements
The standard listening port number of the SSH protocol is 22. Frequent malicious access to
the standard port consumes bandwidth and degrades the performance of the server, and as a
result other users cannot access the standard port.
After the SSH server's listening port is set to another port number, the attacker does not
know the new port number and keeps sending socket connection requests to standard port 22.
When the SSH server detects that the port number in the connection requests is not the
listening port number, it does not set up the socket connection.
Therefore, only a valid user can set up the socket connection through the non-standard
listening port set on the SSH server, and only a valid user can negotiate the SSH version
number, negotiate the algorithm, generate the session key, authenticate the server, send a session
request, and perform the interactive session.
The router functions as an SSH server. Client001 is configured to use STelnet in password
authentication mode to log in to the SSH server, and Client002 is configured to use SFTP
in RSA authentication mode to log in to the SSH server.
NOTE
To improve security, it is not recommended that you use RSA as the authentication algorithm to log in to
the SSH server.
Figure 8-21 Networking diagram for accessing the SSH server through other port numbers
[Figure. Devices shown: SSH Server (GE1/0/1, 10.10.1.1/16); Client 001 (GE1/0/1, 10.10.2.2/16); Client 002 (GE1/0/1, 10.10.3.3/16)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on STelnet client Client002 and the SSH server, and bind client Client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
3. Enable STelnet and SFTP services on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Configure the listening port number for the SSH server so that the client can access the server through other port numbers.
6. Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.
Data Preparation
To complete the configuration, you need the following data:
• Client001 with the password Huawei-123 and authentication mode password
• Client002 with the public key RsaKey001 and authentication mode RSA
• IP address of the SSH server: 10.10.1.1.
• Number of the port monitored by the SSH server: 1025.
Procedure
Step 1 On the server, generate a local key pair.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure the RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 3 Create an SSH user on the server.
NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-dsa,
and all.
• When the SSH user adopts the password, password-DSA, or password-RSA authentication mode,
configure a local user with the same name.
• When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, or all authentication mode,
the server should save the RSA or DSA public key for the SSH client.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
• Create SSH user Client001.
# Create an SSH user named Client001 with the password authentication mode.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set Huawei-123 as the password for SSH user Client001.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password Huawei-123
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
# Configure Client001 with service type of STelnet.
[SSH Server] ssh user client001 service-type stelnet
• Create SSH user Client002.
# Create an SSH user named Client002 with the RSA authentication mode, and bind it to the RSA
public key of the SSH client.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh user client002 assign rsa-key RsaKey001
# Configure the service type of Client002 as SFTP and the authorization directory.
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 4 Enable the STelnet service and the SFTP service on the SSH server.
# Enable the STelnet service and the SFTP service.
[SSH Server] stelnet server enable
[SSH Server] sftp server enable
Step 5 Configure a new number for the port monitored by the SSH server.
[SSH Server] ssh server port 1025
Step 6 Connect the STelnet client to the SSH server.
# At the first login, enable first-time authentication on the SSH client.
Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable first-time authentication on Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable
# Connect the STelnet client to the SSH server through the new port number.
[client001] stelnet 10.10.1.1 1025
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password Huawei-123 and view the following:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<SSH Server>
# Connect the SFTP client to the SSH server through the new port number.
[client002] sftp 10.10.1.1 1025
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>
Step 7 Verify the configuration.
The attacker fails to log in to the SSH server through port 22.
[client002] sftp 10.10.1.1
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.
After the configuration, run the display ssh server status and display ssh server session
commands. You can view the number of the port monitored by the SSH server and that the
STelnet client or SFTP client is connected to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025
# Display the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn                 : VTY 3
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : stelnet
Authentication Type  : password
Session 2:
Conn                 : VTY 4
Version              : 2.0
State                : started
Username             : client002
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : sftp
Authentication Type  : rsa
----End
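The output of display ssh server status and display ssh server session can be checked against an algorithm policy. The following Python is an added example, not part of the Huawei guide; the sample text is constructed in the key : value layout of that output, and the policy of what counts as weak is an assumption of this example.

```python
import re

# Constructed sample input in the "key : value" layout of the two commands.
STATUS = """\
SSH version : 1.99
STELNET server: Enable
SSH server port: 1025
"""

SESSIONS = """\
Session 1:
Conn : VTY 3
Version : 2.0
Username : client001
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 4
Version : 2.0
Username : client002
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
"""

# Assumed review policy (not taken from the guide): values to flag.
WEAK_KEX = {"diffie-hellman-group1-sha1"}
WEAK_HMAC = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def parse_kv(lines):
    """Turn 'key : value' lines into a dict, skipping lines with no value."""
    record = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip()] = value.strip()
    return record


def parse_sessions(text):
    """Split the session listing on 'Session N:' headers."""
    sessions, current = [], None
    for line in text.splitlines():
        header = re.fullmatch(r"\s*Session\s+(\d+)\s*:\s*", line)
        if header:
            current = {"id": int(header.group(1)), "lines": []}
            sessions.append(current)
        elif current is not None:
            current["lines"].append(line)
    return [dict(parse_kv(s["lines"]), id=s["id"]) for s in sessions]


def is_weak(field, value):
    value = value.lower()
    if field.endswith("Cipher"):
        return value.endswith("-cbc")      # CBC-mode SSH ciphers
    if field.endswith("Hmac"):
        return value in WEAK_HMAC          # MD5 or truncated SHA-1 MACs
    if field == "Kex":
        return value in WEAK_KEX           # 1024-bit DH group with SHA-1
    return False


def audit(status_text, sessions_text):
    """Return (scope, field, value) findings for the server and each session."""
    findings = []
    version = parse_kv(status_text.splitlines()).get("SSH version")
    # A server version of 1.99 means SSH-1 clients are accepted as well.
    if version is not None and version != "2.0":
        findings.append(("server", "SSH version", version))
    for session in parse_sessions(sessions_text):
        scope = "session %d (%s)" % (session["id"], session.get("Username"))
        for field, value in session.items():
            if isinstance(value, str) and is_weak(field, value):
                findings.append((scope, field, value))
    return findings


if __name__ == "__main__":
    for scope, field, value in audit(STATUS, SESSIONS):
        print("%-24s %-12s %s" % (scope, field, value))
```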
Configuration Files
• SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %$%$f/{P1yhirreversiblecipher %$%$f/{P1yh<T$"_sQ6#>~86_
Is[R-YITd6B@"f)it>FXNd3Is^_%$%$
local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type RSA
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
• Client001 configuration file
#
sysname client001
#
interface GigabitEthernet1/0/1
ip address 10.10.2.2 255.255.0.0
#
ssh client first-time enable
#
return
• Client002 configuration file
#
sysname client002
#
interface GigabitEthernet1/0/1
ip address 10.10.3.3 255.255.0.0
#
ssh client first-time enable
#
return
9 Clock Synchronization Configuration
About This Chapter
Clock synchronization is used to keep differences in clock frequency and network element
phases within a tolerable range. Effective clock synchronization improves the transmission
performance of a network.
9.1 Introduction to Clock Synchronization Configuration
Clock synchronization ensures that digital pulse signals are sent and received in a specific
timeslot.
9.2 Setting Basic Clock Synchronization Configurations
This section describes how to set basic configurations for clock synchronization.
9.3 Configuring an External BITS Clock Source
You can run commands on the router to configure the device to trace different types of external
BITS clock sources.
9.4 Configuring a Clock Reference Source Manually or Forcibly
This section describes how to manually or forcibly configure a clock reference source.
9.5 Configuring Clock Protection Switching Based on SSM Levels
The higher a clock's SSM level, the more accurate it is. By default, a clock board uses the most
accurate clock source available.
9.6 Configuring Clock Protection Switching Based on Priorities
If clock sources are configured with different priorities, then the clock source with the second
highest priority becomes effective immediately after the clock source with the highest priority
fails.
9.7 Configuring Ethernet Clock Synchronization
Ethernet clock synchronization implements clock synchronization among devices on an IP
bearer network.
9.8 Configuration Examples of Clock Synchronization
This section provides examples for configuring clock protection switching and for configuring
Ethernet clock synchronization.
9.1 Introduction to Clock Synchronization Configuration
Clock synchronization ensures that digital pulse signals are sent and received in a specific
timeslot.
9.1.1 Overview of Clock Synchronization Configuration
Definition
Synchronization must be maintained on Data Communications Networks (DCN). The sending
end places a pulse in a specified timeslot at the end of the digital pulse signal. The receiving end
extracts the pulse in the specified timeslot, so that normal communications between the sending
and receiving ends are guaranteed. A clock ensures that signals are sent in a certain timeslot and
then received and extracted from that timeslot.
Purpose
Clock synchronization is used to keep differences in clock frequency and network element
phases on a digital network within a specific range. If the differences exceed the specified range,
bit errors and jitter occur and transmission performance is degraded.
9.1.2 Clock Synchronization Supported by the NE80E/40E
Clock Transmission
The clock signals can be transmitted on the Ethernet network, Asynchronous Transfer Mode
(ATM) network, and Synchronous Digital Hierarchy (SDH) network.
Tracing BITS Clock
For the Building Integrated Timing Supply System (BITS) clock source, the clock module
extracts Synchronization Status Messages (SSMs) from the 2.048 Mbit/s stream signals, or sets
a preset SSM level for the 2.048 MHz clock signals.
Stratum-3 Clock Source
The device that provides the clock signals for the local device is called the clock source. The
local device may have multiple clock sources, including BITS0, BITS1, BITS2, and PTP.
9.2 Setting Basic Clock Synchronization Configurations
This section describes how to set basic configurations for clock synchronization.
9.2.1 Before You Start
Applicable Environment
Before configuring clock synchronization, you must set basic configurations.
Pre-configuration Tasks
None.
Data Preparation
None.
9.2.2 Setting Basic Configurations for Clock Synchronization
Context
Perform the following steps on every router on the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ethernet-synchronization enable
The Ethernet clock synchronization function is enabled.
Step 3 Run:
clock source { bits0 | bits1 | bits2 | ptp } synchronization enable [ slot slot-id ]
The clock synchronization function is enabled.
Step 4 Run:
interface interface-type interface-number
or
controller { e1 | cpos } controller-number
The interface view is displayed.
Step 5 Run:
clock synchronization enable
The clock synchronization function is enabled on a port.
Step 6 Run:
quit
You have returned to the system view from the interface view.
Step 7 (Optional) Run:
clock ssm-control { on | off }
SSM control is enabled.
By default, SSM control is enabled.
Step 8 (Optional) Run:
clock run-mode
The running mode of the Ethernet Equipment Clock (EEC) is set. By default, an EEC works in
normal mode.
Step 9 (Optional) Run:
clock switch { revertive | non-revertive }
The recovery mode for a clock is configured. By default, a clock is revertive.
Step 10 (Optional) Run:
clock wtr
The Wait to Recovery (WTR) time is configured.
By default, the WTR time is five minutes.
Step 11 (Optional) Run:
clock source-lost holdoff-time
The holdoff time is set for a clock when the timing signal is invalid.
By default, the holdoff time is 1000 ms.
Step 12 (Optional) Run:
clock max-out-ssm
The max out ssm value of the interface clock source is configured.
Step 13 (Optional) Run:
clock freq-deviation-detect enable
Clock frequency offset detection is enabled. By default, clock frequency offset detection is
disabled.
----End
9.2.3 Checking the Configuration
Procedure
• Run:
display clock config
Check whether basic configurations for clock synchronization take effect.
• Run:
display clock source freq-deviation
Check the frequency deviation values of clock sources.
NOTE
You can view the frequency deviation values of clock sources only after you enable Ethernet clock
synchronization and frequency deviation detection.
----End
Example
Run the display clock config command. You can view the configuration information of the
clock. For example:
<HUAWEI> display clock config
ethernet synchronization      :enable
clock freq deviation detect   :enable
clock unk map                 :ssub
system pll run mode           :normal
sys pll max out SSM           :ssua
2msync-1 pll max out SSM      :prc
2msync-2 pll max out SSM      :prc
bits output threshold         :dnu
tod protocol                  :nmea
switch config
sys pll                       :auto mode
2msync-1 pll                  :auto mode
2msync-2 pll                  :auto mode
SSM control                   :on
Extend SSM control            :off
internal clockid              :0
switch mode                   :revertive
wtr                           :0min
holdoff time                  :1200ms
Run the display clock source freq-deviation command. You can view the frequency
deviation values of clock sources. For example:
<HUAWEI> display clock source freq-deviation
Source      Freq-deviation-value
---------------------------------------------------------
* bits0/4   0.26ppm(normal)
  bits0/5   --
  GE1/0/0   0.31ppm(normal)
  GE1/1/1   ---
9.3 Configuring an External BITS Clock Source
You can run commands on the router to configure the device to trace different types of external
BITS clock sources.
9.3.1 Before You Start
Before configuring the router to trace an external BITS clock source, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain the data required
for the configuration. This will help you complete the configuration task quickly and accurately.
Applicable Environment
On a synchronous Ethernet network, if the site where the router is located has a BITS clock, the
router must be set to trace the BITS clock. The router serves as the primary clock to provide a
clock source for the entire synchronous Ethernet network.
There are four types of BITS clocks: 2.048 MHz, 2.048 Mbit/s, 1 pps, and DCLS. You can use
commands to specify the type of external BITS clock source on the clock board.
Pre-configuration Tasks
None.
Data Preparation
None.
9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock
Context
Do as follows on all routers on the clock synchronization network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock bits output-threshold
The lower threshold (lowest quality level) of clock signals output by the BITS clock is
configured.
----End
9.3.3 Configuring an External Clock Source and Its Signal Type on the router
The router supports four types of signals: 2mhz, 2mbps, dcls, and 1pps.
Context
Do as follows on each router on the clock synchronization network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock bits-type
An external BITS clock source and its signal type are configured.
For information about clock source IDs and signal types, refer to the HUAWEI NetEngine80E/40E
Router - Command Reference.
Step 3 Run:
clock tod protocol { ubx | nmea | ccsa }
The protocol type with which the packets carrying TOD information comply is configured.
----End
9.3.4 Checking the Configuration
Context
Run the following commands to check the previous configuration.
Procedure
• Run the display clock source command to check the status and attributes of the clock
  reference source.
• Run the display clock config command to check the configuration information of the
  clock reference source.
----End
9.4 Configuring a Clock Reference Source Manually or Forcibly
This section describes how to manually or forcibly configure a clock reference source.
9.4.1 Before You Start
Applicable Environment
Manually configuring the clock reference source and forcibly configuring the clock reference
source differ in the following aspects:
• The clock reference source cannot be configured manually in the following situations:
  – The clock reference source is not enabled with the clock synchronization enable
    command.
  – The clock reference source is in the Abnormal state.
  – The quality level of the clock reference source is not the highest level or is QL-DNU.
• The clock reference source cannot be forcibly configured in the following situations:
  – The clock reference source is not enabled with the clock synchronization enable
    command.
  – The clock reference source is in the Abnormal state.
  – The QL of the clock reference source is QL-DNU.
  – The clock is operating in hold mode.
You can use command lines to switch the mode for configuring the clock reference source from
manual to forcible.
The clock reference source should be specified on the master clock, as shown in Figure 9-1. On
Router A, the external clock interface, bits0, on the master clock board is connected to BITS0,
a reference clock source. The external clock interface, bits0, on the slave clock board is connected
to BITS1, another reference clock source. The output clock signals of BITS0 and BITS1 are the
same.
Router A is manually or forcibly configured to trace the clock signal input through bits0. In
normal situations, Router A traces the BITS0 clock reference source. If the master clock board
fails, a clock board switchover is performed. After that, Router A traces the BITS1 clock
reference source.
Figure 9-1 Diagram of manually configuring the clock reference source
(Figure not reproduced. Labels: BITS0, BITS1, CLK-IN, ETH, Router A, Router B, Router C.)
Pre-configuration Tasks
Before you manually configure the clock reference source, configure an external clock
reference source and its signal type on the device.
Data Preparation
None.
9.4.2 Configuring a Clock Reference Source
Context
Do as follows on all routers on the clock synchronization network.
Procedure
• Manually configure a clock reference source.
  1. Run:
     system-view
     The system view is displayed.
  2. (Optional) Run:
     clock clear [ 2msync-1 | 2msync-2 ]
     Forcible specification of a clock reference source is cancelled.
     If forcible specification of a clock reference source has been configured, run the clock
     clear command to cancel the configuration before you configure manual specification
     of a clock reference source.
  3. Run:
     or
     clock manual source { bits0 | bits1 | ptp | interface interface-type interface-number }
     A clock reference source is manually configured.
• Forcibly configure a clock reference source.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     clock force { 2msync-1 | 2msync-2 } source interface interface-type interface-number
     or
     clock force source { bits0 | bits1 | bits2 | ptp | interface interface-type interface-number } slot slot-id
     A clock reference source is forcibly configured.
----End
9.4.3 Checking the Configuration
Context
Run the following commands to check the previous configuration.
Procedure
Step 1 Run:
display clock { config | source }
View the information about the clock source attributes.
----End
9.5 Configuring Clock Protection Switching Based on SSM Levels
The higher a clock's SSM level, the more accurate it is. By default, a clock board uses the most
accurate clock source available.
9.5.1 Before You Start
Applicable Environment
Synchronous Ethernet signals can be used to carry SSM messages. The system then selects one
clock source based on the SSM levels of all the available clock sources. If clock sources are
configured with SSM levels, the configured SSM levels are used; if clock sources are not
configured with SSM levels, the SSM levels carried in the SSM messages are extracted for use.
The SSM levels are Primary Reference Clock (PRC), primary level SSU (SSU-A), second
level SSU (SSU-B), SDH Equipment Clock (SEC), Do Not Use for synchronization (DNU),
and UNK, in descending order. If the SSM level of a clock source is DNU and SSM is enabled,
the clock source is not selected during protection switchover.
The BITS clock has two types of signal. When the BITS clock signal is 2.048 Mbit/s, the clock
board extracts the SSM from the signal. When the BITS clock signal is 2.048 MHz, set the SSM
level manually.
Pre-configuration Tasks
Before configuring protection switchover of clock sources based on SSM levels, complete the
following tasks:
• Configuring an external clock reference source and its signal type on the device.
Data Preparation
To configure protection switchover of clock sources based on SSM levels, you need SSM levels
of clock sources.
9.5.2 Configuring the Router to Automatically Select Clock Sources
Context
Do as follows on all routers in the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock clear [ 2msync-1 | 2msync-2 ]
The router is configured to automatically select clock sources.
NOTE
If the clock sources are manually or forcibly specified, you need to run the clock clear command to enable
the system to automatically select clock sources. By default, the router automatically selects clock sources.
Step 3 Run:
clock run-mode normal
The Ethernet Equipment Clock (EEC) is configured to work in normal mode.
By default, the EEC works in normal mode.
----End
9.5.3 Enabling SSM
SSM must be enabled for the system to perform clock protection switching based on SSM levels.
Context
Do as follows on every router on the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ssm-control on
SSM is enabled.
----End
9.5.4 Configuring the SSM Level of the Clock Reference Source
Context
Do as follows on the routers that are connected with external clock sources:
Procedure
• Configuring the SSM level of the clock reference source
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     clock source { bits0 | bits1 | bits2 | ptp } ssm { prc | ssua | ssub | sec | dnu | unk }
     The SSM level of the external clock reference source is configured.
• Configuring the SSM level of the clock reference source on the interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     or
     controller { e1 | cpos } controller-number
     The interface view is displayed.
  3. Run:
     clock ssm { dnu | prc | sec | ssua | ssub | unk }
     The SSM level of the clock reference source on the interface is configured.
----End
9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs
Context
Do as follows on the routers that are connected with external BITS clock sources:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source { bits0 | bits1 | bits2 }
[ slot slot-id ]
The timeslot of the 2.048 Mbit/s BITS clock signal that carries SSMs is set.
----End
9.5.6 Setting the Modes of Extracting SSM Levels
Context
SSM levels can be configured in one of the following modes:
• Forcibly configuring an SSM level
• Extracting the SSM level from the interface
By default, the SSM level is extracted from the interface. If the SSM level is forcibly set, the
forcibly-set SSM level takes effect.
Do as follows on all routers in the clock synchronization network:
Procedure
• Forcibly configure the SSM levels of the clock reference sources.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     clock source { bits0 | bits1 | bits2 | ptp } ssm { dnu | prc | sec | ssua | ssub | unk } [ slot slot-id ]
     The SSM level of the clock reference source is configured.
  NOTE
  Repeat Step 2 to configure SSM levels for multiple clock reference sources.
  To forcibly configure the SSM level of a clock reference source on the interface, you can
  first enter the corresponding interface view and run the clock ssm { dnu | prc | sec | ssua
  | ssub | unk } [ slot slot-id ] command. This achieves the same effect as Step 2.
• Extracting the SSM level of the clock reference source from the interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     undo clock source { bits0 | bits1 | bits2 | ptp } ssm [ slot slot-id ]
     Forcibly configuring the SSM level of a clock reference source is disabled.
  To extract the SSM level of a clock reference source from the interface, you can first enter
  the corresponding interface view and run the undo clock ssm command. This achieves
  the same effect as Step 2.
  NOTE
  The current version only supports extracting the SSM level of a clock reference source from the
  Ethernet interface, GigabitEthernet interface and CE1 interface.
  To extract the SSM level of a clock reference source from the CE1 interface, you need to configure
  the frame format as crc4.
----End
9.5.7 (Optional) Configuring the Extended SSM
Clock protection ensures that every device on a network can still trace a correct clock source
when faults occur on the network.
Context
When a reference clock on a network fails, clock protection enables every device on the network
to trace a new reference clock.
The basic rules for clock protection are as follows:
• After priorities of clock sources are configured, a device selects the clock source of the
  highest quality for clock synchronization, and transmits the Synchronous Status Message
  Byte (SSMB) to the downstream devices.
• If there are multiple clock sources of the same quality, the device selects the clock source
  with the highest priority and transmits the SSMB to the downstream devices.
• If device B traces the clock output by device A, device B sends the DNU (an SSM level)
  to device A.
• If the extended SSM protocol is enabled, a device does not select the clock source whose
  clock ID is the same as its own, or the clock source whose clock ID is 0.
Do as follows on every device on the network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock extend-ssm-control on
The extended SSM protocol is enabled.
Step 3 Configure a clock ID for the clock source.
1. Run:
   clock source { bits0 | bits1 | ptp } clock-id clock-id slot slot-id
   The clock ID of a BITS clock source or the PTP clock source is configured.
2. Run:
   clock source internal clock-id clock-id
   The clock ID of the internal clock source is configured.
3. Run:
   interface interface-type interface-number
   The interface view is displayed.
   clock source internal clock-id clock-id
   The clock ID of a link clock source is configured.
----End
9.5.8 Checking the Configuration
Context
Run the following commands to check the previous configuration.
Procedure
• Run:
display clock { config | source }
View the information about the clock source attributes.
----End
9.6 Configuring Clock Protection Switching Based on Priorities
If clock sources are configured with different priorities, then the clock source with the second
highest priority becomes effective immediately after the clock source with the highest priority
fails.
9.6.1 Establishing the Configuration Task
Applicable Environment
When you configure protection switchover of clock sources based on priorities, you need to run
the command clock ssm-control off to disable SSM.
When there are multiple clock sources, you can set different priorities for them. Normally, the
clock uses the clock source with the highest priority. When the clock source with the highest
priority is faulty, the clock uses the clock source with the second highest priority. By default, the
priority of a clock reference source is not set, which indicates that the clock reference source
does not participate in selecting the clock source.
Pre-configuration Tasks
Before configuring protection switchover of clock sources based on priorities, complete the
following tasks:
• Configuring an external clock reference source and its signal type on the device.
Data Preparation
To configure protection switchover of clock sources based on priorities, you need the priorities
of different clock sources.
9.6.2 Configuring the Router to Automatically Select Clock Sources
Context
Perform the following steps on all routers in the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock clear [ 2msync-1 | 2msync-2 ]
The router is configured to automatically select clock sources.
NOTE
If the clock sources are manually or forcibly specified, you need to run the clock clear [ 2msync-1 |
2msync-2 ] command to enable the system to automatically select clock sources. By default, the router
automatically selects clock sources.
Step 3 Run:
clock run-mode normal
Set the Ethernet Equipment Clock (EEC) to work in normal mode.
By default, the EEC works in normal mode.
----End
9.6.3 Disabling SSM
Context
Do as follows on all routers in the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ssm-control off
SSM is disabled.
NOTE
When SSM is disabled, the router selects a clock source based on priorities.
----End
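The selection rules stated in sections 9.5.1, 9.5.7 and 9.6.1 can be followed through on a small model. This Python is an added example, not Huawei code and not a description of the device's internal algorithm. Assumptions: the Source class and its field names are hypothetical, a smaller priority value means a higher priority, list order stands in for the type/port tie-break, and revertive switching, the WTR and holdoff timers and the "clock unk map" setting are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# SSM levels in the descending order listed in section 9.5.1.
SSM_ORDER = ["prc", "ssua", "ssub", "sec", "dnu", "unk"]


@dataclass
class Source:
    name: str
    ssm: str                         # configured or extracted SSM level
    priority: Optional[int] = None   # None: priority not set
    clock_id: Optional[int] = None   # used only with extended SSM
    normal: bool = True              # False: source failed / Abnormal state


def participates(src, ssm_control, extend_ssm, own_clock_id):
    """Apply the exclusion rules before any ranking takes place."""
    if not src.normal:
        return False
    if src.priority is None:
        return False                 # no priority set: not a candidate
    if ssm_control and src.ssm == "dnu":
        return False                 # DNU is not selected while SSM is on
    if extend_ssm and src.clock_id is not None:
        if src.clock_id == 0 or src.clock_id == own_clock_id:
            return False             # own clock ID, or clock ID 0
    return True


def select_source(sources, ssm_control=True, extend_ssm=False,
                  own_clock_id=None):
    """Return the source the rules pick, or None if no source qualifies."""
    candidates = [s for s in sources
                  if participates(s, ssm_control, extend_ssm, own_clock_id)]
    if not candidates:
        return None
    if ssm_control:
        # Best quality first, then priority among sources of equal quality.
        def rank(s):
            return (SSM_ORDER.index(s.ssm), s.priority)
    else:
        # SSM disabled: priority alone decides.
        def rank(s):
            return s.priority
    # Assumption: smaller value = higher priority. min() keeps the first of
    # equal candidates, so list order acts as the tie-break.
    return min(candidates, key=rank)


def demo_sources():
    """Constructed sample sources for the scenarios below."""
    return [
        Source("bits0", "prc", priority=2, clock_id=1),
        Source("bits1", "prc", priority=3, clock_id=2),
        Source("GE1/0/0", "dnu", priority=1, clock_id=3),
        Source("GE1/0/1", "ssua"),   # no priority: never a candidate
    ]


if __name__ == "__main__":
    print("SSM on :", select_source(demo_sources()).name)
    print("SSM off:", select_source(demo_sources(), ssm_control=False).name)
    failed = demo_sources()
    failed[0].normal = False         # bits0 fails
    print("bits0 down, SSM on:", select_source(failed).name)
    print("extended SSM, own ID 1:",
          select_source(demo_sources(), extend_ssm=True, own_clock_id=1).name)
```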
9.6.4 Setting Priorities of Clock Reference Sources
Context
Do as follows on all routers in the clock synchronization network.
Procedure
• Setting priorities for the clock reference sources BITS and 1588
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     clock source { bits0 | bits1 | bits2 | ptp } priority priority-value [ slot slot-id ]
     Priorities are set for the clock reference sources BITS and 1588.
     – Repeat the preceding step to configure priorities for multiple clock reference
       sources.
     – You can set the same priority for multiple clock reference sources. The clock
       reference source is selected according to the priority. In the case of the same
       priority, the clock reference source is selected based on the type of the clock
       reference source and port number.
• Setting the priority of a clock reference source on the interface
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     or
     controller { e1 | cpos } controller-number
     The interface view is displayed.
  3. Run:
     clock [ 2msync-1 | 2msync-2 ] priority priority-value
     The priority of the clock reference source on the interface is set.
----End
9.6.5 Checking the Configuration
Context
Run the following commands to check the previous configuration.
Procedure
Step 1 Run:
display clock { config | source }
View the information about the clock source attributes.
----End
9.7 Configuring Ethernet Clock Synchronization
Ethernet clock synchronization implements clock synchronization among devices on an IP
bearer network.
9.7.1 Before You Start
Applicable Environment
As shown in Figure 9-2, IP and Ethernet technologies are used on the IP bearer network
between the Radio Network Controller (RNC) and the Base Transceiver Stations (BTSs) in
wireless service applications. Through Ethernet clock synchronization, the clock signals sent
by the devices on the bearer network are delivered to the data communication devices that
connect to the BTSs. Ethernet clock synchronization ensures reliable quality of clock
transmission.
Figure 9-2 Networking diagram of applying Ethernet clock synchronization
(Figure not reproduced. Labels: RNC, BTS, BITS, FE, GE, Router A, Router B, Router C.)
Pre-configuration Tasks
Before configuring the Ethernet clock synchronization, complete the following tasks:
• Configuring the parameters of the link layer protocols and assigning IP addresses to the
  interfaces so that the link layer protocol status of the interfaces is Up.
• Configuring a static route or an Interior Gateway Protocol (IGP) so that there are
  reachable IP routes between the nodes.
Data Preparation
To configure the Ethernet clock synchronization, you need the following data.
• Slot number, sub-card number, and port number of the Ethernet clock source
9.7.2 Enabling Ethernet Clock Synchronization
Context
NOTE
Ethernet clock signals can be transmitted only after Ethernet clock synchronization is enabled on all
the routers in an IP bearer network.
Do as follows on all routers in the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
clock ethernet-synchronization enable
The Ethernet clock synchronization is enabled.
----End
9.7.3 Configuring Ethernet Clock Source
Context
Perform the following steps on all routers in the clock synchronization network:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
or
controller { e1 | cpos } controller-number
The interface view is displayed.
Step 3 Run:
clock synchronization enable
The Ethernet clock synchronization function is enabled.
Step 4 (Optional) Run:
set negotiation-mode slave
By default, the clock on a GE electrical interface works in auto-negotiation mode at the physical
layer.
When you deploy synchronous Ethernet and you want a GE electrical interface to work as the
tracking clock source or candidate clock source on the device, the clock of the GE electrical
interface must work in slave mode at the physical layer. The working mode can be displayed
using the display negotiation-mode command. Run the set negotiation-mode slave command
only on the GE electrical interface but not on the connected interface.
NOTE
The set negotiation-mode slave command takes effect only when the connected interfaces meet the following
conditions:
• GE electrical interfaces
• Rate of 1 Gbit/s
• In auto-negotiation mode
• Not in loopback mode
After you run the set negotiation-mode slave or undo set negotiation-mode slave command
to change the working mode of the clock of an interface at the physical layer, the interface resets
and renegotiates the working mode of its clock with the connected interface.
• If the set negotiation-mode slave command is configured on one interface but not on the
connected interface, the clock of the interface works in slave mode, and the clock of the
connected interface works in master mode at the physical layer.
• If the set negotiation-mode slave command is configured on two connected interfaces or
on neither of the interfaces, the interfaces automatically negotiate the working mode of their
clocks at the physical layer, and the negotiation result is indefinite.
Step 5 Run:
clock [ 2msync-1 | 2msync-2 ] priority priority-value
The priority of the clock reference source is configured.
Step 6 Run:
clock ssm { dnu | prc | sec | ssua | ssub | unk }
The SSM level of the clock source is configured.
----End
9.7.4 Checking the Configuration
Context
Run the following commands to check the previous configuration.
Procedure
• Run:
display clock { config | source }
View information about the attributes of the clock source.
• Run:
display clock source freq-deviation
Check the frequency deviation values of clock sources.
NOTE
You can view the frequency deviation values of clock sources only after you enable Ethernet clock
synchronization and frequency deviation detection.
• Run:
display negotiation-mode
Check the working mode of the clock on an interface at the physical layer.
----End
Example
Run the display clock config command. You can view the configuration information of the
clock. For example:
<HUAWEI> display clock config
ethernet synchronization     :enable
clock freq deviation detect  :enable
clock unk map                :ssub
system pll run mode          :normal
sys pll max out SSM          :ssua
2msync-1 pll max out SSM     :prc
2msync-2 pll max out SSM     :prc
bits output threshold        :dnu
tod protocol                 :nmea
switch config
sys pll                      :auto mode
2msync-1 pll                 :auto mode
2msync-2 pll                 :auto mode
SSM control                  :on
Extend SSM control           :off
internal clockid             :0
switch mode                  :revertive
wtr                          :0min
holdoff time                 :1200ms
Run the display clock source freq-deviation command. You can view the frequency
deviation values of clock sources. For example:
<HUAWEI> display clock source freq-deviation
  Source          Freq-deviation-value
  ---------------------------------------------------------
* bits0/4         0.26ppm(normal)
  bits0/5         --
  GE1/0/0         0.31ppm(normal)
  GE1/1/1         ---
For a GE electrical interface, run the display negotiation-mode command to view the working
mode of the clock on the interface at the physical layer. For example:
<HUAWEI> system-view
[HUAWEI] interface gigabitEthernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] display negotiation-mode
Negotiation result is:master
9.8 Configuration Examples of Clock Synchronization
This section provides examples for configuring clock protection switching and for configuring
Ethernet clock synchronization.
Follow-up Procedure
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
9.8.1 Example for Configuring Protection Switchover of Clock Sources
Networking Requirements
As shown in Figure 9-3, there are two BITS clock sources on the network, and the master BITS
clock source is used to synchronize the clock of the entire network. If the NEs cannot trace the
clock signal from the master BITS clock source, they switch to tracing the clock signal from the
slave BITS clock source. In Figure 9-3, Router A to Router F trace the clock signal
from BITS0; the figure shows the direction of clock tracing in normal situations.
Figure 9-3 Networking diagram of configuring clock source tracing
[Figure not reproduced. Labels: BITS 0, BITS 1, Router A to Router F; interfaces GE1/0/0 and GE2/0/0 marked E or W; addresses 10.1.1.1, 10.1.1.2, 20.1.1.1, 20.1.1.2, 30.1.1.1, 30.1.1.2, 40.1.1.1, 40.1.1.2, 50.1.1.1.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the external BITS clock signal types of Router A and Router D.
2. Configure the priorities of all clock sources for the routers.
Data Preparation
To complete the configuration, you need the following data:
Table 9-1 Clock sources of all routers and the priorities
Router     Current Clock Source   Available Clock Sources   Priority
---------------------------------------------------------------------
Router A   BITS0                  BITS0                     1
Router A   BITS0                  GE1/0/0                   2
Router A   BITS0                  Internal clock            3
Router B   GE1/0/0                GE1/0/0                   1
Router B   GE1/0/0                GE2/0/0                   2
Router B   GE1/0/0                Internal clock            3
Router C   GE2/0/0                GE2/0/0                   1
Router C   GE2/0/0                GE1/0/0                   2
Router C   GE2/0/0                Internal clock            3
Router D   GE1/0/0                GE1/0/0                   1
Router D   GE1/0/0                BITS1                     2
Router D   GE1/0/0                Internal clock            3
Router E   GE1/0/0                GE1/0/0                   1
Router E   GE1/0/0                GE2/0/0                   2
Router E   GE1/0/0                Internal clock            3
Router F   GE2/0/0                GE2/0/0                   1
Router F   GE2/0/0                GE1/0/0                   2
Router F   GE2/0/0                Internal clock            3
Procedure
Procedure
Step 1 Connect the routers and the BITS clock sources as shown in Figure 9-3.
Step 2 Configure the IP addresses of the interfaces.
The details are not mentioned here.
Step 3 Set the priorities of all clock sources for the routers as shown in Figure 9-3.
# Configure Router A
<RouterA> system-view
[RouterA] clock ethernet-synchronization enable
[RouterA] clock source bits0 synchronization enable
[RouterA] clock source bits0 ssm prc
[RouterA] clock source bits0 priority 1
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] clock synchronization enable
[RouterA-GigabitEthernet1/0/0] clock priority 2
[RouterA-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterA-GigabitEthernet2/0/0] clock synchronization enable
# Configure Router B
<RouterB> system-view
[RouterB] clock ethernet-synchronization enable
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] clock synchronization enable
[RouterB-GigabitEthernet1/0/0] clock priority 1
[RouterB-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterB-GigabitEthernet2/0/0] clock synchronization enable
[RouterB-GigabitEthernet2/0/0] clock priority 2
# Configure Router C
<RouterC> system-view
[RouterC] clock ethernet-synchronization enable
[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] clock synchronization enable
[RouterC-GigabitEthernet1/0/0] clock priority 2
[RouterC-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterC-GigabitEthernet2/0/0] clock synchronization enable
[RouterC-GigabitEthernet2/0/0] clock priority 1
# Configure Router D
<RouterD> system-view
[RouterD] clock ethernet-synchronization enable
[RouterD] clock source bits1 synchronization enable
[RouterD] clock source bits1 ssm ssua
[RouterD] clock source bits1 priority 2
[RouterD] interface GigabitEthernet 1/0/0
[RouterD-GigabitEthernet1/0/0] clock synchronization enable
[RouterD-GigabitEthernet1/0/0] clock priority 1
[RouterD-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterD-GigabitEthernet2/0/0] clock synchronization enable
# Configure Router E
<RouterE> system-view
[RouterE] clock ethernet-synchronization enable
[RouterE] interface GigabitEthernet 1/0/0
[RouterE-GigabitEthernet1/0/0] clock synchronization enable
[RouterE-GigabitEthernet1/0/0] clock priority 1
[RouterE-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterE-GigabitEthernet2/0/0] clock synchronization enable
[RouterE-GigabitEthernet2/0/0] clock priority 2
# Configure Router F
<RouterF> system-view
[RouterF] clock ethernet-synchronization enable
[RouterF] interface GigabitEthernet 1/0/0
[RouterF-GigabitEthernet1/0/0] clock synchronization enable
[RouterF-GigabitEthernet1/0/0] clock priority 2
[RouterF-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterF-GigabitEthernet2/0/0] clock synchronization enable
[RouterF-GigabitEthernet2/0/0] clock priority 1
Step 4 Check the clock source attributes of Router A.
<RouterA> display clock source
System trace source State:    lock mode
                              into pull-in range
Current system trace source:  bits0
Current 2M-1 trace source:    system PLL
Current 2M-2 trace source:    system PLL
Frequency lock success:       yes
Master board
source                 Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
-------------------------------------------------------------------------
bits0                  1  /---/---         prc     dnu      normal
GigabitEthernet1/0/0   2  /---/---         dnu     prc      normal
GigabitEthernet2/0/0   ---/---/---         dnu     prc      normal
Slave board
source                 In-SSM  Out-SSM  State
-------------------------------------------------------------------------
bits0                  prc     dnu      normal
Step 5 Check the clock source attributes of the other routers.
# The displayed information about Router B, Router C, Router D, Router E, and Router F is
similar. The following uses Router B as an example.
<RouterB> display clock source
System trace source State:    lock mode
                              into pull-in range
Current system trace source:  GigabitEthernet1/0/0
Current 2M-1 trace source:    system PLL
Current 2M-2 trace source:    system PLL
Frequency lock success:       yes
Master board
source                 Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
-------------------------------------------------------------------------
GigabitEthernet1/0/0   1  /---/---         prc     dnu      normal
GigabitEthernet2/0/0   2  /---/---         dnu     prc      normal
Slave board
source                 In-SSM  Out-SSM  State
--------------------------------------------------------------------------
Step 6 Verify the configuration.
When the master BITS clock source fails, all NEs trace the clock signal from the slave BITS
clock source.
The following takes Router A as an example.
# Run the following command on Router A.
<RouterA> display clock source
System trace source State:    lock mode
                              into pull-in range
Current system trace source:  GigabitEthernet1/0/0
Current 2M-1 trace source:    system PLL
Current 2M-2 trace source:    system PLL
Frequency lock success:       yes
Master board
source                 Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
-------------------------------------------------------------------------
bits0                  1  /---/---         prc     ssua     abnormal
GigabitEthernet1/0/0   2  /---/---         ssua    dnu      normal
GigabitEthernet2/0/0   ---/---/---         ssua    ssua     normal
Slave board
source                 In-SSM  Out-SSM  State
-------------------------------------------------------------------------
bits0                  prc     ssua     abnormal
# After the connection between the BITS clock source and Router A is closed, all routers perform
clock source tracing switchover.
Figure 9-4 shows the clock source tracing after the connection between the BITS clock source
and Router A is closed.
Figure 9-4 Networking diagram of the clock source tracing after the connection between the
BITS clock source and Router A is closed
[Figure not reproduced. Labels: Router A to Router F with interfaces marked E or W, and BITS 1.]
----End
Configuration Files
• Router A Configuration Files
#
sysname RouterA
#
clock ethernet-synchronization enable
clock source bits0 priority 1
clock source bits0 ssm prc
clock source bits0 synchronization enable
#
interface GigabitEthernet1/0/0
undo shutdown
clock priority 2
clock synchronization enable
#
interface GigabitEthernet2/0/0
undo shutdown
clock synchronization enable
#
return
• Router B Configuration Files
#
sysname RouterB
#
clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
undo shutdown
clock priority 1
clock synchronization enable
#
interface GigabitEthernet2/0/0
undo shutdown
clock priority 2
clock synchronization enable
#
return
• Router C Configuration Files
#
sysname RouterC
#
clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
undo shutdown
clock priority 2
clock synchronization enable
#
interface GigabitEthernet2/0/0
undo shutdown
clock priority 1
clock synchronization enable
#
return
• Router D Configuration Files
#
sysname RouterD
#
clock ethernet-synchronization enable
clock source bits1 priority 2
clock source bits1 ssm ssua
clock source bits1 synchronization enable
#
interface GigabitEthernet1/0/0
undo shutdown
clock priority 1
clock synchronization enable
#
interface GigabitEthernet2/0/0
undo shutdown
clock synchronization enable
#
return
• Router E Configuration Files
#
sysname RouterE
#
clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
undo shutdown
clock priority 1
clock synchronization enable
#
interface GigabitEthernet2/0/0
undo shutdown
clock priority 2
clock synchronization enable
#
return
• Router F Configuration Files
#
sysname RouterF
#
clock ethernet-synchronization enable
#
interface GigabitEthernet1/0/0
undo shutdown
clock priority 2
clock synchronization enable
#
interface GigabitEthernet2/0/0
undo shutdown
clock priority 1
clock synchronization enable
#
return
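A drift check over saved configuration files like the ones above, as an added example (not Huawei code). The function names, the three rules (taken from the NOTE in 9.7.2, the step order in 9.7.3 and Table 9-1) and the drifted Router B sample are assumptions of this example.

```python
import re

# Router A configuration file, copied from the listing above.
ROUTER_A = """\
#
sysname RouterA
#
clock ethernet-synchronization enable
clock source bits0 priority 1
clock source bits0 ssm prc
clock source bits0 synchronization enable
#
interface GigabitEthernet1/0/0
undo shutdown
clock priority 2
clock synchronization enable
#
interface GigabitEthernet2/0/0
undo shutdown
clock synchronization enable
#
return
"""

# Constructed sample (not from the guide): Router B after accidental edits.
# The global enable is gone, the priorities are swapped, and one interface
# lost its "clock synchronization enable" line.
ROUTER_B_DRIFTED = """\
#
sysname RouterB
#
interface GigabitEthernet1/0/0
undo shutdown
clock priority 2
clock synchronization enable
#
interface GigabitEthernet2/0/0
undo shutdown
clock priority 1
#
return
"""

# Expected system-PLL priorities from Table 9-1, keyed by the names used in
# the configuration files (the internal clock has no configuration line).
EXPECTED = {
    "RouterA": {"bits0": 1, "GigabitEthernet1/0/0": 2},
    "RouterB": {"GigabitEthernet1/0/0": 1, "GigabitEthernet2/0/0": 2},
}

# Matches both "clock source <name> ..." (system view) and "clock ..."
# (interface view). The 2msync-1/2msync-2 priority forms are ignored here.
CLOCK_RE = re.compile(
    r"^clock (?:source (\S+) )?"
    r"(?:priority (\d+)|ssm (\S+)|(synchronization enable))$")


def parse_clock_config(text):
    """Return sysname, global enable flag and per-source clock settings."""
    cfg = {"sysname": None, "global_enable": False, "sources": {}}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            iface = None                      # a "#" line closes the current view
        elif line.startswith("sysname "):
            cfg["sysname"] = line.split(None, 1)[1]
        elif line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "clock ethernet-synchronization enable":
            cfg["global_enable"] = True
        else:
            m = CLOCK_RE.match(line)
            name = (m.group(1) or iface) if m else None
            if name is None:
                continue
            src = cfg["sources"].setdefault(
                name, {"priority": None, "ssm": None, "sync": False})
            if m.group(2):
                src["priority"] = int(m.group(2))
            elif m.group(3):
                src["ssm"] = m.group(3)
            else:
                src["sync"] = True
    return cfg


def audit(cfg, expected):
    """Return (rule, subject, detail) findings; an empty list means no drift."""
    findings = []
    if not cfg["global_enable"]:
        findings.append(("global-sync-disabled", cfg["sysname"], ""))
    for name, src in sorted(cfg["sources"].items()):
        if src["priority"] is not None and not src["sync"]:
            findings.append(("priority-without-sync", name, ""))
    actual = {n: s["priority"] for n, s in cfg["sources"].items()
              if s["priority"] is not None}
    for name in sorted(set(actual) | set(expected)):
        if actual.get(name) != expected.get(name):
            detail = f"expected {expected.get(name)}, found {actual.get(name)}"
            findings.append(("priority-mismatch", name, detail))
    return findings


if __name__ == "__main__":
    for text in (ROUTER_A, ROUTER_B_DRIFTED):
        cfg = parse_clock_config(text)
        print(cfg["sysname"], audit(cfg, EXPECTED[cfg["sysname"]]))
```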
10 1588v2 Configuration
About This Chapter
By configuring IEEE 1588v2, you can enable devices in the IP RAN scenario to implement time
synchronization and clock synchronization.
Context
NOTE
1588v2 is under GTL control. 1588v2 can be enabled on the NE80E/40E only after a valid GTL file is
loaded and activated.
10.1 Overview of 1588v2
IEEE 1588, defined by the Institute of Electrical and Electronics Engineers (IEEE), is a standard
for Precision Clock Synchronization Protocol for Networked Measurement And Control
Systems (PTP). As a time synchronization protocol, 1588v2 is used to implement high-precision
time synchronization between devices. In addition, 1588v2 can be used to implement clock
synchronization between devices.
10.2 Configuring 1588v2 on OC
An ordinary clock (OC) has only one 1588v2 clock interface (a clock interface enabled with
1588v2) through which the OC synchronizes with an upstream node or distributes time signals
to downstream nodes.
10.3 Configuring 1588v2 on BC
A boundary clock (BC) has multiple 1588v2 clock interfaces, one of which is used to synchronize
with an upstream node. The other interfaces are used to distribute time signals to downstream
nodes.
10.4 Configuring 1588v2 on TC
Unlike the BC and OC, a Transparent Clock (TC) does not need to be synchronized with other
clocks. A TC has multiple 1588v2 interfaces, among which 1588v2 messages are forwarded to
correct the message forwarding delay on each interface. The TC is not synchronized with other
clocks through any of these interfaces.
10.5 Configuring 1588v2 on TCandBC
A TCandBC can function as both a TC and a BC. It has several physical interfaces to
communicate with the 1588v2 network. Some interfaces are of the TC type and other interfaces
are of the BC type. The domain value of a BC interface must be the one configured in the system
view; the domain value of a TC interface must be configured in the interface view.
10.6 Configuring the 1588v2 Time Source
This section describes how to configure a 1588v2 clock source, including how to obtain a
standard synchronous time through a clock interface from a BITS device without using 1588v2
and how to use 1588v2 to advertise the standard synchronous time to downstream nodes through
the other two interfaces.
10.7 Configuring 1588 ACR
In one 1588 ACR domain, a client initiates a request for negotiation, and exchanges Layer 3
unicast packets with the server to set up a connection. The client exchanges 1588v2 packets with
the server over the connection to restore clock information.
10.8 Maintaining 1588v2
This section describes how to maintain 1588v2, including clearing 1588v2 statistics and monitoring
the operating status of 1588v2.
10.9 1588 ACR Maintenance
This section describes how to maintain 1588 ACR, including how to clear 1588 ACR statistics.
10.10 Configuration Examples
This section provides several configuration examples of 1588v2.
10.1 Overview of 1588v2
IEEE 1588, defined by the Institute of Electrical and Electronics Engineers (IEEE), is a standard
for Precision Clock Synchronization Protocol for Networked Measurement And Control
Systems (PTP). As a time synchronization protocol, 1588v2 is used to implement high-precision
time synchronization between devices. In addition, 1588v2 can be used to implement clock
synchronization between devices.
10.1.1 Introduction
This part helps you understand the concept of clock synchronization and the background, basic
concepts, and application scenarios of 1588v2.
Definition of synchronization
On a modern communications network, the proper functioning of most telecommunications
services requires that the frequency offset or time difference between devices be kept in a
reasonable range. This is the network's requirement for clock synchronization. Network clock
synchronization consists of time synchronization and frequency synchronization.
• Frequency synchronization
Frequency synchronization, namely, clock synchronization, refers to a strict relationship
between signals based on a constant frequency offset or phase offset, in which signals are
sent or received at an average rate in an instance time. In this manner, all devices in the
communications network operate at the same rate. The difference in phases between signals
is a constant value.
• Time synchronization
Time synchronization, namely, phase synchronization, refers to consistency of both
frequencies and phases between signals. The phase offset between signals is always 0.
Figure 10-1 Schematic diagram of time synchronization and frequency synchronization
[Figure not reproduced. Panels: Phase synchronization (Watch A, Watch B); Frequency synchronization (Watch A, Watch B).]
Figure 10-1 shows the difference between time synchronization and frequency synchronization.
In time synchronization, Watch A and Watch B always keep the same time, but in frequency
synchronization, Watch A and Watch B keep different time, but the time difference between the
two watches is a constant value, for example, six hours.
Phase synchronization is also called time synchronization; frequency synchronization is also
known as clock synchronization.
Background
With the evolution towards IP networks, devices on the wireless bearer network require
high-accuracy clock synchronization. To achieve clock synchronization between base stations in an
IP RAN, you need to ensure that clock frequencies between base stations are within a certain
precision. Otherwise, call dropping occurs during handoff. In certain wireless communications
systems, phase synchronization is required in addition to frequency synchronization.
Table 10-1 shows different requirements for network clock synchronization.
Table 10-1 Different requirements for network clock synchronization in wireless
communications
Wireless Communications Systems   Clock Frequency Accuracy   Clock Phase Synchronization Requirement
-----------------------------------------------------------------------------------------------------
GSM                               0.05 ppm                   N/A
WCDMA                             0.05 ppm                   N/A
TD-SCDMA                          0.05 ppm                   3us
CDMA2000                          0.05 ppm                   3us
WiMax FDD                         0.05 ppm                   N/A
WiMax TDD                         0.05 ppm                   1 us
LTE                               0.05 ppm                   In favor of phase synchronization
Clock synchronization on base stations of different standards is implemented by using
various methods, such as physical clocks (such as the building integrated timing supply system
(BITS) clock, WAN clock, or synchronous Ethernet clock) and clocks recovered by exchanging
packets (such as the Communication Engineering Standard Adaptive Clock Recovery (CES
ACR)/Data Clock Recovery (DCR), and 1588v2 clock). Base stations usually directly access
the global positioning system (GPS) to meet the requirement for time synchronization.
Packet-based time synchronization cannot meet the requirement of base stations. Time synchronization
reaches sub-second precision by using the Network Time Protocol (NTP) and sub-millisecond
precision through 1588v1. With the assistance of hardware, 1588v2 provides time
synchronization of the sub-microsecond precision required by wireless networks.
Operation and maintenance costs of 1588v2 are lower than those of GPS (which needs to be
deployed at each base station). In addition, 1588v2 works independently of GPS, which is of
strategic significance.
Concepts of 1588v2
The Precision Time Protocol (PTP), also called 1588, is a standard defined by the Institute of
Electrical and Electronics Engineers (IEEE) for Precision Clock Synchronization Protocol For
Networked Measurement and Control Systems. IEEE 1588v2 is a time synchronization protocol.
IEEE 1588v2 ensures high-precision time synchronization between devices, and is also used in
clock synchronization between devices.
A physical network can be logically divided into multiple clock domains. In each clock domain,
there is synchronized time, with which all devices in the domain are synchronized. The
synchronized time of one clock domain is independent of that of another clock domain.
Each node on a time synchronization network is called a clock. 1588v2 defines the following
types of clocks:
• Ordinary clock
An ordinary clock (OC) has only one 1588v2 clock interface (a clock interface enabled
with 1588v2) through which the local clock is synchronized with an upstream 1588-aware
node or distributes time signals to downstream 1588-aware nodes.
• Boundary clock
A boundary clock (BC) has multiple 1588v2 clock interfaces. One port is synchronized
with an upstream 1588-aware node and the others distribute time signals to downstream
1588-aware nodes.
For example, when a router obtains the standard time through an external non-1588v2 port from
a BITS device and distributes the time to downstream nodes through two 1588v2 ports, the
router has more than one 1588v2 port and is therefore called a BC.
• Transparent clock
Distinct from BC and OC that need to be synchronized with other clocks, TC does not need
to be synchronized with other clocks. A TC has multiple 1588v2 ports, through which
1588v2 packets are forwarded. In addition, the TC corrects forwarding delays for these
1588v2 packets (for details, see the following sections) and is not synchronized with other
clocks through any port.
TCs are classified into end-to-end (E2E) TCs and peer-to-peer (P2P) TCs.
– End-to-End Transparent Clock (E2ETC): transparently forwards Sync and Announce
packets and expires the other 1588v2 packets. It calculates the entire end-to-end link
delay.
– Peer-to-Peer Transparent Clock (P2PTC): transparently forwards Sync and Announce
packets and expires the other 1588v2 packets. It calculates every peer-to-peer segment
delay along an entire link.
In addition to the three basic types of clocks, the NE80E/40E supports the following two
compound types of clocks:
• TCOC: carries the characteristics of both a TC and an OC. A TCOC provides multiple ports
connected to a 1588v2 network. Among those ports, one is OC and the others are TCs. A
TCOC implements 1588v2 frequency synchronization, not time synchronization.
• TCandBC: carries the characteristics of both the TC and BC. A TCandBC provides multiple
ports connected to a 1588v2 network. Among those ports, some are TCs and the others are
BCs. TCs and BCs belong to different clock domains. A TCandBC implements both 1588v2
frequency synchronization and time synchronization. The domain value of BC ports is the
same as the 1588v2 domain value configured in the global view. However, the domain
value of each TC port should be configured in its interface view.
In a 1588v2 system, all clocks are organized based on the master/slave synchronization
hierarchy, with the grandmaster clock at the top of the hierarchy. Clock synchronization is
implemented by exchanging 1588v2 packets. The slave clock calculates its offset and delay
relative to the master clock based on the timestamp information carried in the 1588v2
packets and then synchronizes its local clock with the master clock.
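How a slave turns the timestamps of one delay request-response exchange into offset and delay, as an added example (not Huawei code). The names t1 to t4, the correction values and the sample numbers are constructed here; the formulas are the standard IEEE 1588 ones, which this guide does not print, and the 3 us budget is the TD-SCDMA/CDMA2000 figure from Table 10-1.

```python
from dataclasses import dataclass


@dataclass
class Exchange:
    """Timestamps of one Sync / Delay_Req exchange, in nanoseconds."""
    t1: int             # master sends Sync            (master clock)
    t2: int             # slave receives Sync          (slave clock)
    t3: int             # slave sends Delay_Req        (slave clock)
    t4: int             # master receives Delay_Req    (master clock)
    corr_sync: int = 0  # residence time reported by TCs on the Sync path
    corr_dreq: int = 0  # residence time reported by TCs on the Delay_Req path


def offset_and_delay(x):
    """Return (offset of slave from master, mean one-way path delay)."""
    ms = x.t2 - x.t1 - x.corr_sync   # master-to-slave: delay + offset
    sm = x.t4 - x.t3 - x.corr_dreq   # slave-to-master: delay - offset
    return (ms - sm) / 2, (ms + sm) / 2


def simulate(true_offset, d_ms, d_sm, res_sync=0, res_dreq=0, tc_corrects=True):
    """Build the timestamps a slave would see (constructed model).

    d_ms / d_sm are the link delays in each direction, res_* the time the
    packets sit inside transparent clocks. When tc_corrects is False the
    TCs forward the packets without reporting their residence time.
    """
    t1 = 1_000_000
    t2 = t1 + d_ms + res_sync + true_offset   # arrival read on the slave clock
    t3 = t2 + 50_000                          # slave answers a little later
    t4 = t3 - true_offset + d_sm + res_dreq   # arrival read on the master clock
    return Exchange(t1, t2, t3, t4,
                    res_sync if tc_corrects else 0,
                    res_dreq if tc_corrects else 0)


def offset_error(true_offset, **kw):
    """Estimated offset minus true offset, in nanoseconds."""
    est, _ = offset_and_delay(simulate(true_offset, **kw))
    return est - true_offset


def within_budget(error_ns, budget_ns=3000):
    """Compare an offset error with a phase budget (3 us by default)."""
    return abs(error_ns) <= budget_ns


if __name__ == "__main__":
    # Symmetric links, TC residence time reported: the offset is recovered.
    print(offset_and_delay(simulate(1500, 800, 800, 12_000, 3_000)))
    # Same path, but the TCs do not correct: the error is half the
    # difference of the two residence times.
    print(offset_error(1500, d_ms=800, d_sm=800, res_sync=12_000,
                       res_dreq=3_000, tc_corrects=False))
    # Asymmetric links: the error is half the asymmetry and cannot be
    # seen from the four timestamps alone.
    print(offset_error(1500, d_ms=800, d_sm=1200))
```

The third case is the one to keep in mind when engineering or monitoring a 1588v2 path: delay asymmetry shows up as a constant offset error, so it has to be measured and compensated out of band.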
A 1588v2 packet carries clock and time information. On the network shown
in Figure 10-2, the 1588v2 device accesses and writes a timestamp carried in a 1588v2 packet
at the data link layer to calculate the delay of every link segment. Compared with the Network
Time Protocol (NTP), 1588v2 ensures a higher precision.
Figure 10-2 Timestamping in the 1588v2 packet
[Figure not reproduced. Labels: Master Clock, Slave Clock, PTP Application, MAC, PHY, Timestamping, PTP Packet.]
1588 ACR
Adaptive Clock Recovery (ACR) carries out clock synchronization by exchanging 1588v2
packets. Unlike 1588v2 that achieves frequency synchronization only when all devices on a
network support 1588v2, 1588 ACR is capable of implementing frequency synchronization on
a network with both 1588v2-aware devices and 1588v2-unaware devices.
Applications of 1588v2
On the network shown in Figure 10-3, an OC encapsulates high-accuracy clock information
provided by the Global Positioning System (GPS) into a 1588v2 packet, and provides clock
information for a bearer network by using the 1588v2 packet. A TC, as a core device,
transparently transmits clock information provided by the OC over the entire bearer network.
After that, edge devices on the bearer network function as BCs and provide the high-accuracy
clock information obtained through the 1588v2 packet to wireless access devices, such as a
NodeB or an RNC.
Figure 10-3 Application of 1588v2 on a bearer network
[Figure not reproduced. Labels: GPS, OC, TC, BC, RNC, NodeB, PTP Packet.]
10.1.2 1588v2 Features Supported by the NE80E/40E
The 1588v2 features supported by the NE80E/40E are clock node types, link delay measurement
mechanisms, packet encapsulation formats, and clock source selection modes.
Seven Types of 1588v2 Devices Supported by the NE80E/40E
The NE80E/40E supports the following types of 1588v2 devices:
• OC: Ordinary clock
• BC: Boundary clock
• E2ETC: End-to-end transparent clock
• P2PTC: Peer-to-peer transparent clock
• TCandBC: Transparent clock and boundary clock
• E2ETCOC: End-to-end transparent clock and ordinary clock
• P2PTCOC: Peer-to-peer transparent clock and ordinary clock
Four 1588v2 Packet Encapsulation Modes Supported by the NE80E/40E
The NE80E/40E supports MAC and UDP encapsulation modes.
• MAC encapsulation: VLAN IDs and an 802.1p value are carried in 1588v2 packets. MAC
encapsulation is classified into two types:
– Unicast encapsulation
– Multicast encapsulation
• UDP encapsulation: Differentiated Service CodePoint (DSCP) values are carried in 1588v2
packets. UDP encapsulation is classified into two types:
– Unicast encapsulation
– Multicast encapsulation
An encapsulation mode depends on either of the following types of links:
• On a Layer 2 link: The MAC encapsulation mode is used.
• On a Layer 3 link: The UDP encapsulation mode is used.
Two Delay Measurement Mechanisms Supported by the NE80E/40E
The NE80E/40E supports either of the following link delay measurement mechanisms
configured for 1588v2:
• Delay: Delay request-response mechanism
• PDelay: Peer delay mechanism
BMC Algorithm and Static Clock Source Selection Supported by the NE80E/40E
The NE80E/40E supports the best master clock (BMC) algorithm and static clock source
selection.
• BMC
  1588v2 devices using the BMC algorithm dynamically select the best master clock on a
  network, ensuring clock accuracy of devices.
• Static clock source selection
  A specified clock source is selected as the master clock source by using a configuration
  command.
1588 ACR Supported by the NE80E/40E
The NE80E/40E supports 1588 ACR in either of the following modes:
• 1588 ACR in single-server mode
  In one 1588 ACR domain, a client initiates a request for negotiation, and exchanges Layer
  3 unicast packets with the server to set up a connection. The client exchanges 1588v2
  packets with the server over the connection to restore clock information. If the clock server
  fails, the client does not automatically initiate a connection request to another clock server.
• 1588 ACR in master/slave server mode
  In one 1588 ACR domain, a client initiates a request for negotiation, and exchanges Layer
  3 unicast packets with the master server to set up a connection. The client exchanges 1588v2
  packets with the master server over the connection to restore clock information. If the
  master clock server fails, the client automatically initiates a connection request to the slave
  clock server.
10.2 Configuring 1588v2 on OC
An ordinary clock (OC) has only one 1588v2 clock interface (a clock interface enabled with
1588v2) through which the OC synchronizes with an upstream node or distributes time signals
to downstream nodes.
10.2.1 Before You Start
Before configuring 1588v2 for an OC, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain the required data.
Applicable Environment
As shown in Figure 10-4, when two devices transmit wireless data on the IP bearer network,
low-delay transmission of real-time radio services should be guaranteed. The two devices serve
as OCs and transmit time information through 1588v2 packets, which ensures clock
synchronization between the devices. An OC can provide a highly accurate time source for
wireless devices through the Building Integrated Timing Supply (BITS) system.
Figure 10-4 Configuring 1588v2 on OC
[Figure not reproduced. Labels in the figure: BITS, OC, OC1, OC2, Master, Slave]
Pre-configuration Tasks
Before configuring 1588v2 on OC, complete the following tasks:
• Configure physical parameters for the interfaces so that the physical layer of the interfaces
  is Up.
• (Optional) Configure static routes or IGP protocols to make IP routes reachable among
  nodes.
• Ensure that the OC has correctly imported the clock and time signals from the BITS.
Data Preparation
To configure 1588v2 on OC, you need the following data.
No.  Data
1    Number and IP address of each interface
2    IDs of 1588v2 domains to which devices belong
3    (Optional) Asymmetric correction value of the 1588v2 packet
4    (Optional) Interval for sending Announce packets and the timeout period for
     receiving Announce packets
5    (Optional) Interval for sending Sync packets
6    (Optional) Minimum interval for sending Delay packets
7    (Optional) Destination MAC address, source IP address, destination IP address,
     DSCP value, VLAN ID, and priority corresponding to the VLAN encapsulated into
     the 1588v2 packet
10.2.2 Configuring 1588v2 Globally
To configure 1588v2 globally, you need to enable 1588v2 on a router in the system view,
configure the router as an OC, specify the domain to which the router belongs, and statically
configure the status of the OC interface.
Context
Perform the following steps on the OC:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp enable
1588v2 is enabled.
Step 3 Run:
ptp device-type oc
The device type is configured as OC.
Step 4 (Optional) Run:
ptp slaveonly
The OC is configured to work in slave-only mode.
When a device functioning as OC synchronizes its clock with other clocks, you can configure
the device to work in slave-only mode. After the OC is configured to work in slave-only mode,
interfaces of the OC are in the slave state, which means that the OC can only function as a slave
clock to receive clock signals from other clocks rather than a master clock to provide clock
signals for other clocks.
Step 5 Run:
ptp domain domain-value
The domain to which the 1588v2 device belongs is configured.
NOTE
Clocks that need to be synchronized through 1588v2 packets must belong to the same 1588v2 clock domain.
Step 6 (Optional) Run:
ptp virtual-clock-id clock-id-value
The virtual clock ID of the OC is set.
Step 7 (Optional) Run:
ptp acl enable
The function of controlling the range of clock source candidates is enabled.
Step 8 (Optional) Run:
ptp acl-permit-clockid clockid-value
The clock ID of the clock source that is permitted to participate in local BMC calculation is set.
Step 9 (Optional) Run:
ptp set-port-state enable
The function of statically specifying a 1588v2 port is enabled.
----End
10.2.3 Configuring 1588v2 on an Interface
After enabling 1588v2 in the system view, you need to enable 1588v2 in the interface view. In
addition, you need to configure the link delay measurement mechanism, the asymmetric delay
correction time, and the mode in which packets are timestamped, and statically configure the
state of the 1588v2 interface.
Context
Perform the following steps on the OC:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 (Optional) Run:
ptp delay-mechanism { delay | pdelay }
One of the following delay measurement mechanisms is configured for the device:
The default measurement mechanism for P2PTC and P2PTCOC is Pdelay; the default
measurement mechanism for E2ETC, E2ETCOC, OC, BC, and TCandBC is Delay. The
measurement mechanism on the OC, BC, and TCandBC can be set to Pdelay.
• Delay mode:
  A delay request-response mechanism, in which information about the clock and time is
  calculated according to the delay of the entire link between the master clock and slave clock.
• PDelay mode:
  A peer delay mechanism, in which information about the clock and time is calculated
  according to the delay of each segment of the link between the master clock and slave clock.
NOTE
Different delay measurement mechanisms cannot replace each other. Therefore, delay measurement
mechanisms configured on 1588v2 interfaces on the same link segment must be identical.
Step 4 Run:
ptp enable
1588v2 is enabled on the interface.
Step 5 (Optional) Run:
ptp asymmetry-correction { negative negative-asymmetry-correction-value | positive positive-asymmetry-correction-value }
The asymmetric correction time for sending 1588v2 packets on the interface is set.
Step 6 (Optional) Run:
ptp clock-step { one-step | two-step }
The timestamping mode of the synchronization packets sent by the 1588v2 port is set.
Step 7 (Optional) Run:
ptp port-state { slave | passive | master | premaster | listening | faulty | disabled | initializing }
The synchronization status of the 1588v2 port is set.
----End
10.2.4 Configuring Time Attributes for 1588v2 Packets
1588v2 nodes exchange Announce messages, Sync messages, and Delay messages to transmit
clock information and maintain the connectivity of the 1588v2 connection. In the view of the
1588v2 interface, you can set the interval for sending Announce packets, the allowable maximum
number of consecutive Announce packets that the interface fails to receive, the interval for
sending Sync messages, and the interval for sending Delay messages. Usually, you can use
the default values.
Context
Perform the following steps on the 1588v2 device:
Procedure
• Configuring time attributes for Announce packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp announce-interval announce-interval
     The interval for sending Announce packets on an interface is set to 2 to the power of
     announce-interval, in units of 1/1024 seconds.
     The default value of announce-interval is 7, which means that the interval for sending
     Announce packets on the interface is 128/1024s.
  4. Run:
     ptp announce receipt-timeout receipt-timeout
     The allowable maximum number of consecutive Announce packets that the interface
     on a 1588v2 device fails to receive is set.
     The default value is 3.
• Configuring time attributes for Sync packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp sync-interval sync-interval
     The interval for sending Sync packets on an interface is set to 2 to the power of
     sync-interval, in units of 1/1024 seconds.
     The default sync-interval is 0, which means that the interval for sending Sync packets
     on the interface is 1/1024s.
• Configuring time attributes for Delay packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp min-delayreq-interval min-delayreq-interval
     The interval for sending Delay_Req packets on an interface is set to 2 to the power of
     min-delayreq-interval, in units of 1/1024 seconds.
     The default min-delayreq-interval is 7, which means that the interval for sending
     Delay_Req packets on the interface is 128/1024s.
  4. Run:
     ptp min-pdelayreq-interval min-pdelayreq-interval
     The interval for sending PDelay_Req packets is set to 2 to the power of
     min-pdelayreq-interval, in units of 1/1024 seconds.
     The default min-pdelayreq-interval is 7, which means that the interval for sending
     PDelay_Req packets on the interface is 128/1024s.
----End
10.2.5 Configuring Encapsulation Modes for 1588v2 Packets
1588v2 messages can be encapsulated into Layer 2 and Layer 3 packets for transmission. You
can select the encapsulation type according to the actual networking environment and configure
the source and destination IP addresses of the packets and the transmission priority.
Prerequisites
Before configuring encapsulation modes for 1588v2 packets, check the link type for 1588v2
packet transmission:
• The Layer 2 link adopts the MAC encapsulation mode for 1588v2 packets.
• The Layer 3 link adopts the UDP encapsulation mode for 1588v2 packets.
Context
Perform the following steps on the 1588v2 device:
Procedure
• Configuring the MAC encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. (Optional) Run:
     ptp mac-egress destination-mac destination-mac
     The 1588v2 packets to be sent from the interface are encapsulated in MAC
     encapsulation mode, and the destination MAC address is configured.
     – For unicast MAC encapsulation
       Specify the unicast destination MAC address encapsulated in the 1588v2 packet
       in the interface view.
     – For multicast MAC encapsulation
       A default multicast destination MAC address is adopted, which means that
       destination-mac destination-mac does not need to be configured. The default
       multicast destination MAC address varies with delay measurement mechanisms
       as shown in the following table.

       Packet Type                                     MAC Address
       All except peer delay measurement mechanisms    01-1B-19-00-00-00
       Peer delay measurement mechanism                01-80-C2-00-00-0E

     NOTE
     If the unicast destination MAC address is not configured, a multicast destination MAC address
     is adopted by default.
  4. Run:
     ptp mac-egress vlan vlan-id [ priority priority ]
     The VLAN ID for transmitting MAC-encapsulated 1588v2 packets and the 802.1p
     priority of the 1588v2 packet are configured.
• Configuring the UDP encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp udp-egress source-ip source-ip [ destination-ip destination-ip ]
     The 1588v2 packets to be sent from the interface are encapsulated in UDP
     encapsulation mode, and the source and destination IP addresses are configured.
     – For unicast UDP encapsulation
       Specify the unicast destination IP address encapsulated in the 1588v2 packet in
       the interface view.
     – For multicast UDP encapsulation
       A default multicast destination IP address is adopted, which means that
       destination-ip destination-ip does not need to be configured. The default multicast
       destination IP address varies with delay measurement mechanisms as shown in the
       following table.

       Packet Type                                     IP Address
       All except peer delay measurement mechanisms    224.0.1.129
       Peer delay measurement mechanism                224.0.0.107

     NOTE
     If the parameter destination-ip destination-ip is not configured, a multicast IP address is
     adopted.
  4. Run:
     ptp udp-egress destination-mac destination-mac
     The next hop MAC address of the 1588v2 packet is configured.
  5. Run:
     ptp udp-egress source-ip source-ip [ dscp dscp ]
     The DSCP priority to be carried in the UDP-encapsulated 1588v2 packet is configured.
  6. Run:
     ptp udp-egress source-ip source-ip vlan vlan-id [ priority priority ]
     The VLAN ID for sending and receiving 1588v2 packets and the priority of the
     UDP-encapsulated 1588v2 packet are configured on the interface.
----End
10.2.6 Checking the Configurations
After enabling 1588v2 for an OC, you can check whether the configurations of 1588v2 meet the
requirement.
Prerequisites
OC1 and OC2 have been configured.
Procedure
• Run the display ptp all [ state | config ] command to display the operating status and
  configuration of 1588v2.
• Run the display ptp interface interface-type interface-number command to display
  1588v2 information of the interface on the 1588v2 device.
----End
Example
Run the display ptp all command, and you can view the configuration and operating status of
1588v2.
• The 1588v2 configuration includes the following:
  – 1588v2 is enabled.
  – The 1588v2 domain value is 1.
  – The device type is OC.
  – The device works in slave-only mode.
• The 1588v2 operation information includes the following:
  – The clock ID of the local clock is 001882fffe1b1bf4.
  – The clock ID of the time source is 001882fffe77c2cf.
  – The clock ID of the parent clock is 001882fffe77c2cf.
  – The interface enabled with 1588v2 is GE 1/0/0.
  – The delay measurement mechanism on the interface is Delay.
  – The timeout period for receiving Announce packets on the interface is 1s.
<HUAWEI> display ptp all
  Device config info
  ------------------------------------------------------------------
  PTP state         :enabled            Domain value       :1
  Slave only        :yes                Device type        :OC
  Set port state    :no                 Local clock ID     :001882fffe1b1bf4
  Acl               :no                 Virtual clock ID   :no
  Acr               :no                 Time lock success  :no
  BMC run info
  ------------------------------------------------------------------
  Grand clock ID    :001882fffe77c2cf   Receive number     :GigabitEthernet1/0/0
  Parent clock ID   :001882fffe77c2cf   Parent portnumber  :6417
  Priority1         :128                Priority2          :128
  Step removed      :1                  Clock accuracy     :49
  Clock class       :187                Time Source        :160
  UTC Offset        :0                  UTC Offset Valid   :False
  Time Scale        :ARB                Time Traceable     :False
  Leap              :None               Frequence Traceable:False
  Port info
  Name                  State   Delay-mech Ann-timeout Type Domain
  ------------------------------------------------------------------------
  GigabitEthernet1/0/0  slave   delay      10          OC   1
  Time Performance Statistics(ns): Slot 1 Card 0 Port 0
  ------------------------------------------------------------------------
  Realtime(T2-T1)   :534                Pathdelay          :0
  Max(T2-T1)        :887704804          Min(T2-T1)         :512
  Clock source info
  Clock Pri1 Pri2 Accuracy Class TimeSrc Signal Switch Direction In-Status
  ------------------------------------------------------------------------
  local 200  128  0x31     187   0xa0
  bits0 128  128  0x20     6     0x20    none   off    -/abnormal
  bits1 128  128  0x20     6     0x20    none   off    -/abnormal
  bits2 128  128  0x20     6     0x20    none   off    -/abnormal
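The check described in 10.2.6 can be automated. The following is an added example, not part of the Huawei guide: it parses captured display ptp all output and reports whether the clock source ACL is off and whether the elected grandmaster is an expected clock ID. The sample text is constructed from the output above; the function names, the trusted-ID list, and the reading of the Ann-timeout column as a power-of-2 exponent in 1/1024 s (inferred from the guide's two examples, 10 for 1s and 9 for 512/1024s) are assumptions.

```python
import re

# Constructed sample, modelled on the `display ptp all` output shown above
# (two "name :value" pairs per row, followed by a port table).
SAMPLE = """\
<HUAWEI> display ptp all
  Device config info
  ------------------------------------------------------------------
  PTP state         :enabled          Domain value      :1
  Slave only        :yes              Device type       :OC
  Set port state    :no               Local clock ID    :001882fffe1b1bf4
  Acl               :no               Virtual clock ID  :no
  BMC run info
  ------------------------------------------------------------------
  Grand clock ID    :001882fffe77c2cf Receive number    :GigabitEthernet1/0/0
  Parent clock ID   :001882fffe77c2cf Parent portnumber :6417
  Port info
  Name                  State   Delay-mech Ann-timeout Type Domain
  ------------------------------------------------------------------------
  GigabitEthernet1/0/0  slave   delay      10          OC   1
"""

# A field name may contain spaces; a value never does.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*:(\S+)")
PORT_ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+"
    r"(?P<state>slave|passive|master|premaster|listening|faulty|disabled|initializing)\s+"
    r"(?P<mech>delay|pdelay)\s+(?P<ann>\d+)\s+(?P<type>\S+)\s+(?P<domain>\d+)\s*$"
)


def parse_display_ptp_all(text):
    """Return (fields, ports): lower-cased field names -> values, and port rows."""
    fields, ports = {}, []
    for line in text.splitlines():
        row = PORT_ROW.match(line)
        if row:
            ports.append(row.groupdict())
            continue
        for key, value in PAIR.findall(line):
            fields[key.strip().lower()] = value
    return fields, ports


def ann_timeout_seconds(exponent):
    """Decode the Ann-timeout column as 2**n / 1024 seconds (assumed reading)."""
    return 2 ** int(exponent) / 1024


def audit(text, trusted_clock_ids):
    """List the findings a reviewer would raise for one device's output."""
    fields, ports = parse_display_ptp_all(text)
    trusted = {c.lower() for c in trusted_clock_ids}
    findings = []
    if fields.get("ptp state") != "enabled":
        findings.append("1588v2 is not enabled")
    if fields.get("acl") == "no":
        findings.append("ACL is off: any clock ID can take part in BMC calculation")
    grandmaster = fields.get("grand clock id")
    if grandmaster is not None and grandmaster.lower() not in trusted:
        findings.append(f"grandmaster {grandmaster} is not an expected clock source")
    for port in ports:
        if port["domain"] != fields.get("domain value"):
            findings.append(f"{port['name']}: port domain differs from device domain")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, {"001882fffe77c2cf"}):
        print(finding)
```

A device that reports Acl :no accepts any announced clock ID as a BMC candidate; ptp acl enable and ptp acl-permit-clockid from 10.2.2 are the commands that narrow the candidates.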
10.3 Configuring 1588v2 on BC
A boundary clock (BC) has multiple 1588v2 clock interfaces, one of which is used to synchronize
with an upstream node. The other interfaces are used to distribute time signals to downstream
nodes.
10.3.1 Before You Start
Before configuring 1588v2 for a BC, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain the required data.
Applicable Environment
As shown in Figure 10-5, NodeBs need to synchronize with the BITS time source. All routers
on the bearer network support 1588v2, and NodeBs do not support 1588v2. A BC is connected to
the BITS to synchronize with the BITS clock and advertise clock information to other clocks on
the bearer network. Other backbone nodes on the bearer network are also deployed as BCs, so
they can synchronize with the BITS clock source and advertise clock information to downstream
clocks. In addition, two OCs are deployed at the user side of the bearer network to synchronize
with the upstream BITS clock and advertise clock information to NodeBs in traditional mode.
This deployment combines 1588v2 with the traditional synchronization mode so that clocks on
the bearer network and the wireless network are synchronized.
Figure 10-5 Configuring 1588v2 on a BC
[Figure not reproduced. Labels in the figure: BITS, BC1, BC2, BC3, OC1, OC2, NodeB]
Pre-configuration Tasks
Before configuring 1588v2 on BC, complete the following tasks:
• Configure physical parameters for the interfaces so that the physical layer of the interfaces
  is Up.
• (Optional) Configure static routes or enable an IGP to ensure that IP routes between the
  nodes are reachable.
• Ensure that BC2 has correctly imported clock and time signals from the BITS.
Data Preparation
To configure 1588v2 on BC, you need the following data.
No.  Data
1    Number and IP address of each interface
2    IDs of 1588v2 domains to which devices belong
3    (Optional) Asymmetric correction value of the 1588v2 packet
4    (Optional) Interval for sending Announce packets and the timeout period for
     receiving Announce packets
5    (Optional) Interval for sending Sync packets
6    (Optional) Minimum interval for sending Delay packets
7    (Optional) Destination MAC address, source IP address, destination IP address,
     DSCP value, VLAN ID, and corresponding priority encapsulated into the 1588v2
     packet
10.3.2 Configuring 1588v2 Globally
To configure 1588v2 globally, you need to enable 1588v2 on a router in the system view,
configure the router as a BC, specify the domain to which the router belongs, and enable the
static configuration of the status of the BC interface.
Context
Perform the following steps on the BC:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp enable
1588v2 is enabled on the BC.
Step 3 Run:
ptp device-type bc
The device type is configured as BC.
Step 4 (Optional) Run:
ptp domain domain-value
The domain where the 1588v2 device resides is set.
NOTE
Clocks that need to be synchronized through 1588v2 packets must belong to the same 1588v2 clock domain.
Step 5 (Optional) Run:
ptp virtual-clock-id clock-id-value
The virtual clock ID of the BC is set.
Step 6 (Optional) Run:
ptp acl enable
The function of controlling the range of clock source candidates is enabled.
Step 7 (Optional) Run:
ptp acl-permit-clockid clockid-value
The clock ID of the BC that is permitted to participate in local BMC calculation is set.
Step 8 (Optional) Run:
ptp set-port-state enable
The function of statically specifying a 1588v2 port is enabled.
----End
10.3.3 Configuring 1588v2 on an Interface
After enabling 1588v2 in the system view, you need to enable 1588v2 in the interface view. In
addition, you need to configure the link delay measurement mechanism, the asymmetric delay
correction time, and the mode in which packets are timestamped, and statically configure the
state of the 1588v2 interface on each interface.
Context
Perform the following steps on the BC:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 (Optional) Run:
ptp delay-mechanism { delay | pdelay }
A delay measurement mechanism is configured for the device, which can be either of the
following:
The default measurement mechanism for P2PTC and P2PTCOC is Pdelay; the default
measurement mechanism for E2ETC, E2ETCOC, OC, BC, and TCandBC is Delay. The
measurement mechanism on the OC, BC, and TCandBC can be set to Pdelay.
• Delay mode:
  A delay request-response mechanism, in which information about the clock and time is
  calculated according to the delay of the entire link between the master clock and slave clock.
• PDelay mode:
  A peer delay mechanism, in which information about the time and clock is calculated
  according to the delay of each segment of the link between the master clock and slave clock.
NOTE
Different delay measurement mechanisms cannot replace each other. Therefore, delay measurement
mechanisms configured on IEEE 1588v2 interfaces on the same link segment must be identical.
Step 4 Run:
ptp enable
1588v2 is enabled on the interface.
Step 5 (Optional) Run:
ptp announce-drop enable
The interface of the 1588v2 device is configured to discard the received Announce packets.
NOTE
Announce packets can ensure the 1588v2 clock synchronization between devices. If an interface discards
Announce packets, the device where the interface resides cannot receive clock synchronization information
from other 1588v2 devices. Usually, this command is configured on the UNI-side interface.
Step 6 (Optional) Run:
ptp asymmetry-correction { negative negative-asymmetry-correction-value | positive positive-asymmetry-correction-value }
The asymmetric correction time for sending 1588v2 packets on the interface is set.
Step 7 (Optional) Run:
ptp clock-step { one-step | two-step }
The timestamping mode of the synchronization packets sent by the 1588v2 port is set.
Step 8 (Optional) Run:
ptp port-state { slave | passive | master | premaster | listening | faulty | disabled | initializing }
The synchronization status of the 1588v2 port is set.
----End
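The two NOTEs above (identical delay measurement mechanisms on one link segment, and ptp announce-drop enable on UNI-side interfaces) can be checked before deployment. The following is an added example, not part of the Huawei guide: it reads the planned commands for both ends of a link and reports mismatches. The command lists are constructed, and the device names, function names, the "#" section separator, and the lower-cased device-type keywords other than oc and bc are assumptions.

```python
# Constructed command lists for two BCs, using only commands from this guide.
BC1_CFG = """\
ptp enable
ptp device-type bc
ptp domain 1
#
interface GigabitEthernet1/0/0
 ptp delay-mechanism pdelay
 ptp enable
#
interface GigabitEthernet2/0/0
 ptp enable
#
"""

BC2_CFG = """\
ptp enable
ptp device-type bc
ptp domain 1
#
interface GigabitEthernet1/0/0
 ptp enable
#
"""

# Defaults stated in Step 3: Pdelay for P2PTC and P2PTCOC, Delay for all others.
DEFAULT_MECH = {"p2ptc": "pdelay", "p2ptcoc": "pdelay"}


def parse_config(name, text):
    """Collect the global and per-interface ptp settings of one device."""
    dev = {"name": name, "type": None, "domain": None, "ifs": {}}
    cur = None                      # interface being parsed, None in system view
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            cur = None
        elif words[0] == "interface" and len(words) == 2:
            cur = dev["ifs"].setdefault(
                words[1], {"ptp": False, "mech": None, "drop": False})
        elif words[0] == "ptp" and len(words) >= 2:
            if cur is None:
                if words[1] == "device-type" and len(words) >= 3:
                    dev["type"] = words[2]
                elif words[1] == "domain" and len(words) >= 3:
                    dev["domain"] = words[2]
            elif words[1:] == ["enable"]:
                cur["ptp"] = True
            elif words[1] == "delay-mechanism" and len(words) >= 3:
                cur["mech"] = words[2]
            elif words[1:] == ["announce-drop", "enable"]:
                cur["drop"] = True
    return dev


def effective_mech(dev, ifname):
    """Explicit delay mechanism, or the default for the device type."""
    return dev["ifs"][ifname]["mech"] or DEFAULT_MECH.get(dev["type"], "delay")


def check_link(a, a_if, b, b_if):
    """Findings for one link segment between interface a_if and b_if."""
    findings = [f"{d['name']} {i}: 1588v2 is not enabled"
                for d, i in ((a, a_if), (b, b_if))
                if not d["ifs"].get(i, {}).get("ptp")]
    if findings:
        return findings
    if a["domain"] != b["domain"]:
        findings.append(f"domain differs: {a['name']}={a['domain']}, "
                        f"{b['name']}={b['domain']}")
    mech_a, mech_b = effective_mech(a, a_if), effective_mech(b, b_if)
    if mech_a != mech_b:
        findings.append(f"delay mechanism differs: {a['name']} {a_if}={mech_a}, "
                        f"{b['name']} {b_if}={mech_b}")
    return findings


def check_uni(dev, uni_ifs):
    """UNI-side interfaces that run 1588v2 but still accept Announce packets."""
    return [f"{dev['name']} {n}: UNI-side interface accepts Announce packets"
            for n in uni_ifs
            if dev["ifs"].get(n, {}).get("ptp") and not dev["ifs"][n]["drop"]]


if __name__ == "__main__":
    bc1, bc2 = parse_config("BC1", BC1_CFG), parse_config("BC2", BC2_CFG)
    for line in (check_link(bc1, "GigabitEthernet1/0/0", bc2, "GigabitEthernet1/0/0")
                 + check_uni(bc1, ["GigabitEthernet2/0/0"])):
        print(line)
```

In the constructed pair, BC1 sets pdelay explicitly while BC2 falls back to the BC default of Delay, and BC1's UNI-side interface would still take Announce packets from the attached device into BMC selection.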
10.3.4 Configuring Time Attributes for 1588v2 Packets
1588v2 nodes exchange Announce messages, Sync messages, and Delay messages to transmit
clock information and maintain the connectivity of the 1588v2 connection. In the view of the
1588v2 interface, you can set the interval for sending Announce packets, the allowable maximum
number of consecutive Announce packets that the interface fails to receive, the interval for
sending Sync messages, and the interval for sending Delay messages. Usually, you can use
the default values.
Context
Perform the following steps on the 1588v2 device:
Procedure
• Configuring time attributes for Announce packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp announce-interval announce-interval
     The interval for sending Announce packets on an interface is set to 2 to the power of
     announce-interval, in units of 1/1024 seconds.
     The default value of announce-interval is 7, which means that the interval for sending
     Announce packets on the interface is 128/1024s.
  4. Run:
     ptp announce receipt-timeout receipt-timeout
     The allowable maximum number of consecutive Announce packets that the interface
     on a 1588v2 device fails to receive is set.
     The default value is 3.
• Configuring time attributes for Sync packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp sync-interval sync-interval
     The interval for sending Sync packets on an interface is set to 2 to the power of
     sync-interval, in units of 1/1024 seconds.
     The default sync-interval is 0, which means that the interval for sending Sync packets
     on the interface is 1/1024s.
• Configuring time attributes for Delay packets
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp min-delayreq-interval min-delayreq-interval
     The interval for sending Delay_Req packets on an interface is set to 2 to the power of
     min-delayreq-interval, in units of 1/1024 seconds.
     The default min-delayreq-interval is 7, which means that the interval for sending
     Delay_Req packets on the interface is 128/1024s.
  4. Run:
     ptp min-pdelayreq-interval min-pdelayreq-interval
     The interval for sending PDelay_Req packets is set to 2 to the power of
     min-pdelayreq-interval, in units of 1/1024 seconds.
     The default min-pdelayreq-interval is 7, which means that the interval for sending
     PDelay_Req packets on the interface is 128/1024s.
----End
10.3.5 Configuring Encapsulation Types for 1588v2 Packets
1588v2 messages can be encapsulated into Layer 2 and Layer 3 packets for transmission. You
can select the encapsulation type according to the actual networking environment and configure
the source and destination IP addresses of the packets and the transmission priority.
Prerequisites
Before configuring encapsulation modes for 1588v2 packets, check the link type for 1588v2
packet transmission:
• The Layer 2 link adopts the MAC encapsulation mode for 1588v2 packets.
• The Layer 3 link adopts the UDP encapsulation mode for 1588v2 packets.
Context
Perform the following steps on the 1588v2 device:
Procedure
• Configuring the MAC encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. (Optional) Run:
     ptp mac-egress destination-mac destination-mac
     The 1588v2 packets to be sent from the interface are encapsulated in MAC
     encapsulation mode, and the destination MAC address is configured.
     – For unicast MAC encapsulation
       Specify the unicast destination MAC address encapsulated in the 1588v2 packet
       in the interface view.
     – For multicast MAC encapsulation
       A default multicast destination MAC address is adopted, which means that
       destination-mac destination-mac does not need to be configured. The default
       multicast destination MAC address varies with delay measurement mechanisms
       as shown in the following table.

       Packet Type                                     MAC Address
       All except peer delay measurement mechanisms    01-1B-19-00-00-00
       Peer delay measurement mechanism                01-80-C2-00-00-0E

     NOTE
     If the unicast destination MAC address is not configured, a multicast destination MAC address
     is adopted by default.
  4. Run:
     ptp mac-egress vlan vlan-id [ priority priority ]
     The VLAN ID for transmitting MAC-encapsulated 1588v2 packets and the 802.1p
     priority of the 1588v2 packet are configured.
• Configuring the UDP encapsulation mode
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface interface-type interface-number
     The interface view is displayed.
  3. Run:
     ptp udp-egress source-ip source-ip [ destination-ip destination-ip ]
     The 1588v2 packets to be sent from the interface are encapsulated in UDP
     encapsulation mode, and the source and destination IP addresses are configured.
     – For unicast UDP encapsulation
       Specify the unicast destination IP address encapsulated in the 1588v2 packet in
       the interface view.
     – For multicast UDP encapsulation
       A default multicast destination IP address is adopted, which means that
       destination-ip destination-ip does not need to be configured. The default multicast
       destination IP address varies with delay measurement mechanisms as shown in the
       following table.

       Packet Type                                     IP Address
       All except peer delay measurement mechanisms    224.0.1.129
       Peer delay measurement mechanism                224.0.0.107

     NOTE
     If the parameter destination-ip destination-ip is not configured, a multicast IP address is
     adopted.
  4. Run:
     ptp udp-egress destination-mac destination-mac
     The next hop MAC address of the 1588v2 packet is configured.
  5. Run:
     ptp udp-egress source-ip source-ip [ dscp dscp ]
     The DSCP priority to be carried in the UDP-encapsulated 1588v2 packet is configured.
  6. Run:
     ptp udp-egress source-ip source-ip vlan vlan-id [ priority priority ]
     The VLAN ID for sending and receiving 1588v2 packets and the priority of the
     UDP-encapsulated 1588v2 packet are configured on the interface.
----End
10.3.6 Checking the Configurations
After enabling 1588v2 for a BC, you can check whether the configurations of 1588v2 meet the
requirement.
Prerequisites
The BC has been configured.
Procedure
• Run the display ptp all command to display the operating status and configuration of
  1588v2 on the BC.
• Run the display ptp interface interface-type interface-number command to display
  1588v2 information of the interface on the BC.
----End
Example
As shown in Figure 10-5, BC2 is the grandmaster clock on the 1588v2 network. Run the display
ptp all command on BC2, and you can view the operating status and configuration of 1588v2.
• The 1588v2 configuration includes the following:
– 1588v2 is enabled.
– The 1588v2 domain value is 1.
– The device type is BC.
– The device works in non-slave-only mode.
• The 1588v2 operation information includes the following:
– The clock ID of the local clock is 001882fffe77c2cf.
– Interfaces enabled with 1588v2 are GE 1/0/0 and GE 2/0/0.
– GE 1/0/0 and GE 2/0/0 are in the Master state.
– The delay measurement mechanism on GE 1/0/0 and GE 2/0/0 is Delay.
– The timeout periods for receiving Announce packets on GE 1/0/0 and GE 2/0/0 are both
512/1024s.
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state        :enabled           Domain value      :1
Slave only       :no                Device type       :BC
Set port state   :no                Local clock ID    :001882fffe77c2cf
Acl              :no                Virtual clock ID  :no
Acr              :no                Time lock success :no
BMC run info
------------------------------------------------------------------
Source port      :bits1             Leap              :None
UTC Offset       :0                 UTC Offset Valid  :False
Port info
Name                  State   Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  master  delay       9            BC    1
GigabitEthernet2/0/0  master  delay       9            BC    1
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  128   128   0x31      1      0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  100   128   0x20      6      0x20     1pps    on      in/normal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
BC1 and BC3 are slave clocks of BC2; meanwhile, they are master clocks of OC1 and OC2
respectively. After configurations are complete, run the display ptp all command. You can view
the configuration and operating status of 1588v2. Take the command output on BC1 as an
example.
• The 1588v2 configuration includes the following:
– 1588v2 is enabled.
– The 1588v2 domain value is 1.
– The device type is BC.
– The device works in non-slave-only mode.
• The 1588v2 operation information includes the following:
– The clock ID of the local clock is 001882fffe1b1bf4.
– The clock ID of the time source is 001882fffe77c2cf.
– The clock ID of the parent clock is 001882fffe77c2cf.
– Interfaces enabled with 1588v2 are GE 1/0/0 and GE 2/0/0.
– The delay measurement mechanism on GE 1/0/0 and GE 2/0/0 is Delay.
– The timeout period for receiving Announce packets on GE 1/0/0 is 1s.
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state        :enabled           Domain value      :1
Slave only       :no                Device type       :BC
Set port state   :no                Local clock ID    :001882fffe1b1bf4
Acl              :no                Virtual clock ID  :no
Acr              :no                Time lock success :no
BMC run info
------------------------------------------------------------------
Grand clock ID   :001882fffe77c2cf  Receive number    :GigabitEthernet1/0/0
Parent clock ID  :001882fffe77c2cf  Parent portnumber :2049
Priority1        :128               Priority2         :128
Step removed     :1                 Clock accuracy    :49
Clock class      :187               Time Source       :160
UTC Offset       :0                 UTC Offset Valid  :False
Time Scale       :ARB               Time Traceable    :False
Leap             :None              Frequence Traceable:False
Port info
Name                  State   Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave   delay       10           bc    1
GigabitEthernet2/0/0  master  delay       10           bc    1
Time Performance Statistics(ns): Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)  :534               Pathdelay         :0
Max(T2-T1)       :887704804         Min(T2-T1)        :512
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
OC1 and OC2 serve as the leaf nodes of the 1588v2 network to synchronize with the clock
signals of BC1 and BC3, and terminate 1588v2 packets. After the configurations, run the display
ptp all command. You can view the configuration and operating status of 1588v2. Take the
command output on OC1 as an example.
• The 1588v2 configuration includes the following:
– 1588v2 is enabled.
– The 1588v2 domain value is 1.
– The device type is OC.
– The device works in slave-only mode.
• The 1588v2 operation information includes the following:
– The clock ID of the local clock is 001882fffe1b1235.
– The clock ID of the time source is 001882fffe77c2cf.
– The clock ID of the parent clock is 001882fffe1b1bf4.
– The interface enabled with 1588v2 is GE 1/0/0.
– The delay measurement mechanism on GE 1/0/0 is Delay.
– The timeout period for receiving Announce packets on GE 1/0/0 is 1s.
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state        :enabled           Domain value      :1
Slave only       :yes               Device type       :OC
Set port state   :no                Local clock ID    :001882fffe1b1bf4
Acl              :no                Virtual clock ID  :no
Acr              :no                Time lock success :no
BMC run info
------------------------------------------------------------------
Grand clock ID   :001882fffe77c2cf  Receive number    :GigabitEthernet1/0/0
Parent clock ID  :001882fffe77c2cf  Parent portnumber :6417
Priority1        :128               Priority2         :128
Step removed     :1                 Clock accuracy    :49
Clock class      :187               Time Source       :160
UTC Offset       :0                 UTC Offset Valid  :False
Time Scale       :ARB               Time Traceable    :False
Leap             :None              Frequence Traceable:False
Port info
Name                  State   Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave   delay       10           OC    1
Time Performance Statistics(ns): Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)  :534               Pathdelay         :0
Max(T2-T1)       :887704804         Min(T2-T1)        :512
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
10.4 Configuring 1588v2 on TC
Unlike the BC and OC, a Transparent Clock (TC) does not need to be synchronized with other
clocks. A TC has multiple 1588v2 interfaces, among which 1588v2 messages are forwarded to
correct the message forwarding delay on each interface. The TC is not synchronized with other
clocks through any of these interfaces.
10.4.1 Establishing the Configuration Task
Before configuring 1588v2 for a TC, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
Applicable Environment
As shown in Figure 10-6, NodeBs support 1588v2 and function as OC. 1588v2 is configured
to ensure the clock synchronization between devices on the bearer network. Core devices on the
bearer network function as TC to forward 1588v2 packets and synchronize the clock or time
between BC and OC.
Figure 10-6 Configuring 1588v2 on TC (network diagram; labels: BITS, Master, BC, TC1, TC2, OC1, OC2, NodeB)
Pre-configuration Tasks
Before configuring 1588v2 on TC, complete the following tasks:
• Configuring physical parameters for the interfaces so that the physical layer of the interfaces
is Up
• (Optional) Configuring the static route or enabling IGP to ensure that IP routes between
the nodes are reachable
• Ensuring that Master has correctly imported clock and time signals from the BITS
Data Preparation
To configure 1588v2 on TC, you need the following data.
No.  Data
1    Number and IP address of each interface
2    IDs of 1588v2 domains to which devices belong
3    (Optional) Asymmetric correction value of the 1588v2 packet
4    (Optional) Interval for sending Announce packets and the timeout period for receiving Announce packets
5    (Optional) Interval for sending Sync packets
6    (Optional) Minimum interval for sending Delay packets
7    (Optional) Destination MAC address, source IP address, destination IP address, DSCP value, VLAN ID, and corresponding priority encapsulated into the 1588v2 packet
10.4.2 Configuring 1588v2 Globally
To configure 1588v2 globally, you need to enable 1588v2 on a router in the system view,
configure the router as a TC, specify the domain to which the router belongs, and enable the
static configuration of the status of the TC interface.
Context
Perform the following steps on the TC:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp enable
1588v2 is enabled on the TC.
Step 3 Run:
ptp device-type { e2etc | e2etcoc | p2ptc | p2ptcoc }
The 1588v2 device type is configured as TC.
• e2etc: configures the clock mode of the device to E2ETC.
• e2etcoc: configures the clock mode of the device to E2ETCOC.
• p2ptc: configures the clock mode of the device to P2PTC.
• p2ptcoc: configures the clock mode of the device to P2PTCOC.
NOTE
TCOC is a special type of TC. TCOC can also synchronize frequency with its upstream clock.
Step 4 Run:
ptp domain domain-value
The domain to which the 1588v2 interface belongs is configured.
NOTE
Clocks that need to be synchronized through 1588v2 packets must belong to the same 1588v2 clock domain.
Step 5 (Optional) Run:
ptp virtual-clock-id clock-id-value
The virtual clock ID of the TC is set.
----End
10.4.3 Configuring 1588v2 on an Interface
After enabling 1588v2 in the system view, you need to enable 1588v2 in the interface view. In
addition, you need to configure the asymmetric delay correction time, mode in which packets
are timestamped, and statically configure the status of 1588v2 interface on each interface.
Context
Perform the following steps on the TC:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ptp enable
1588v2 is enabled on the interface.
Step 4 Run:
ptp tcoc-clock-id clock-source-id port-num port-num
The clock source traced by an interface on the TCOC is configured.
NOTE
This command takes effect only on the TCOC.
Step 5 (Optional) Run:
ptp asymmetry-correction { negative negative-asymmetry-correction-value | positive
positive-asymmetry-correction-value }
The asymmetric correction time for sending 1588v2 packets on the interface is set.
Step 6 (Optional) Run:
ptp clock-step { one-step | two-step }
The timestamping mode of the synchronization packets sent by the 1588v2 port is set.
Step 7 (Optional) Run:
ptp port-state { slave | uncalibrated | passive | master | premaster | listening |
faulty | disabled | initializing }
The synchronization status of the 1588v2 port is set.
----End
10.4.4 Configuring Time Attributes for 1588v2 Packets
1588v2 nodes exchange Announce messages, Sync messages, and Delay messages to transmit
clock information and maintain the connectivity of the 1588v2 connection. In the view of the
1588v2 interface, you can set the interval for sending Announce packets, the allowable maximum
number of consecutive Announce packets that the interface on a 1588v2 device fails to receive,
the interval for sending Sync messages, and the interval for sending Delay messages. Usually,
you can use the default values.
Context
Perform the following steps on the 1588v2 device:
Procedure
• Configuring time attributes for Announce packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp announce-interval announce-interval
The interval for sending Announce packets on an interface is set to 2 to the power of
announce-interval, in units of 1/1024 seconds.
The default value of announce-interval is 7, which means that the interval for sending
Announce packets on the interface is 128/1024s.
4. Run:
ptp announce receipt-timeout receipt-timeout
The allowable maximum number of consecutive Announce packets that the interface
on a 1588v2 device fails to receive is set.
The default value is 3.
• Configuring time attributes for Sync packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp sync-interval sync-interval
The interval for sending Sync packets on an interface is set to 2 to the power of
sync-interval, in units of 1/1024 seconds.
The default sync-interval is 0, which means that the interval for sending Sync packets
on the interface is 1/1024s.
• Configuring time attributes for Delay packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp min-delayreq-interval min-delayreq-interval
The interval for sending Delay_Req packets on an interface is set to 2 to the power of
min-delayreq-interval, in units of 1/1024 seconds.
The default min-delayreq-interval is 7, which means that the interval for sending
Delay_Req packets on the interface is 128/1024s.
4. Run:
ptp min-pdelayreq-interval min-pdelayreq-interval
The interval for sending PDelay_Req packets is set to 2 to the power of
min-pdelayreq-interval, in units of 1/1024 seconds.
The default min-pdelayreq-interval is 7, which means that the interval for sending
PDelay_Req packets on the interface is 128/1024s.
----End
10.4.5 Configuring Encapsulation Types for 1588v2 Packets
1588v2 messages can be encapsulated into Layer 2 and Layer 3 packets for transmission. You
can select the encapsulation type according to the actual networking environment and configure
the source and destination IP addresses of the packets and the transmission priority.
Prerequisites
Before configuring encapsulation modes for 1588v2 packets, check the link type for 1588v2
packet transmission:
• The Layer 2 link adopts the MAC encapsulation mode for 1588v2 packets.
• The Layer 3 link adopts the UDP encapsulation mode for 1588v2 packets.
Context
Perform the following steps on the 1588v2 device:
Procedure
• Configuring the MAC encapsulation mode
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. (Optional) Run:
ptp mac-egress destination-mac destination-mac
The 1588v2 packets to be sent from the interface are encapsulated in MAC
encapsulation mode, and the destination MAC address is configured.
– For unicast MAC encapsulation
Specify the unicast destination MAC address encapsulated in the 1588v2 packet
in the interface view.
– For multicast MAC encapsulation
A default multicast destination MAC address is adopted, which means that
destination-mac destination-mac does not need to be configured. The default
multicast destination MAC address varies with delay measurement mechanisms
as shown in the following table.
Packet Type                                    MAC Address
All except peer delay measurement mechanisms   01-1B-19-00-00-00
Peer delay measurement mechanism               01-80-C2-00-00-0E
NOTE
If the unicast destination MAC address is not configured, a multicast destination MAC address
is adopted by default.
4. Run:
ptp mac-egress vlan vlan-id [ priority priority ]
The VLAN ID for transmitting MAC-encapsulated 1588v2 packets and the 802.1p
priority of the 1588v2 packet are configured.
• Configuring the UDP encapsulation mode
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp udp-egress source-ip source-ip [ destination-ip destination-ip ]
The 1588v2 packets to be sent from the interface are encapsulated in UDP
encapsulation mode, and the source and destination IP addresses are configured.
– For unicast UDP encapsulation
Specify the unicast destination IP address encapsulated in the 1588v2 packet in
the interface view.
– For multicast UDP encapsulation
A default multicast destination IP address is adopted, which means that
destination-ip destination-ip does not need to be configured. The default multicast
destination IP address varies with delay measurement mechanisms as shown in the
following table.
Packet Type                                    IP Address
All except peer delay measurement mechanisms   224.0.1.129
Peer delay measurement mechanism               224.0.0.107
NOTE
If the parameter destination-ip destination-ip is not configured, a multicast IP address is
adopted.
4. Run:
ptp udp-egress destination-mac destination-mac
The next hop MAC address of the 1588v2 packet is configured.
5. Run:
ptp udp-egress source-ip source-ip [ dscp dscp ]
The DSCP priority to be carried in the UDP-encapsulated 1588v2 packet is configured.
6. Run:
ptp udp-egress source-ip source-ip vlan vlan-id [ priority priority ]
The VLAN ID for sending and receiving 1588v2 packets and the priority of the UDP-encapsulated
1588v2 packet are configured on the interface.
----End
10.4.6 Checking the Configurations
After enabling 1588v2 for a TC, you can check whether the configurations of 1588v2 meet the
requirement.
Prerequisites
The TC has been configured.
Procedure
• Run the display ptp all [ state | config ] command to display the operating status and
configuration of 1588v2 on the TC.
• Run the display ptp interface interface-type interface-number command to display
1588v2 information of the interface.
----End
Example
Run the display ptp all command, and you can view the configuration and operating status of
1588v2 on the TC.
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state        :enabled           Domain value      :1
Slave only       :no                Device type       :E2ETC
Set port state   :no                Local clock ID    :00e0fcfffea4b000
Acl              :no                Virtual clock ID  :no
Acr              :no                Time lock success :no
BMC run info
------------------------------------------------------------------
Source port      :local
Port info
Name                  State      Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  premaster  pdelay      9            TC    1
GigabitEthernet1/0/1  premaster  pdelay      9            TC    1
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  100   255   0x20      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  49    128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    on      -/abnormal
10.5 Configuring 1588v2 on TCandBC
A TCandBC can function as both a TC and a BC. It has several physical interfaces to
communicate with the 1588v2 network. Some interfaces are of the TC type and other interfaces
are of the BC type. The domain value of a BC interface must be the one configured in the system
view; the domain value of a TC interface must be configured in the interface view.
10.5.1 Before You Start
Before configuring 1588v2 for a TCandBC, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain the required data.
Applicable Environment
As shown in Figure 10-7, all routers and NodeB support 1588v2. Operator A has NodeBs, OC2,
OC3, and a BITS standard clock source BITS2, but does not have bearer network devices. Operator
B leases its bearer network to Operator A. Devices on the bearer network synchronize with the
BITS standard clock source BITS1 of Operator B. The following network deployment scheme
is adopted to ensure that clock synchronization is implemented independently on devices of
Operator A and Operator B:
• OC1 and OC2 are respectively connected to BITS1 and BITS2, and advertise clock
synchronization information to downstream clocks through 1588v2 packets.
• The interface on TCandBC1 that is directly connected to OC1 is a BC interface, which
synchronizes the clock in Domain1; the interface of TCandBC1 at the user side is a TC
interface, which exchanges 1588v2 packets with TCandBC2 through an L2VPN, MPLS,
or L3VPN tunnel.
• The interface on TCandBC2 that is directly connected to OC1 is a BC interface, which
synchronizes the clock in Domain1; the interface of TCandBC2 at the user side is a TC
interface, which exchanges 1588v2 packets with TCBC1 through an L2VPN, MPLS, or
L3VPN tunnel.
• OC3 receives the 1588v2 packets sent from TCandBC1 and synchronizes with the clock
signals from TCandBC1. Then, OC3 advertises clock signals to NodeB in the traditional
mode, such as the Ethernet-based clock synchronization.
• P node functions as a BC to implement 1588v2 synchronization and transmit messages
between TCandBC1 and TCandBC2.
The entire bearer network functions as a huge TC, which transparently transmits BITS2 clock
information to NodeB.
Figure 10-7 Configuring 1588v2 on a TCandBC (network diagram; labels: Domain1, Domain2, BITS1, BITS2, ISP A, ISP B, OC1, OC2, OC3, P, TCBC1, TCBC2, PW, NodeB)
Pre-configuration Tasks
Before configuring 1588v2 on a TCandBC, complete the following tasks:
• Configure physical parameters for the interfaces so that the physical layer of the interfaces
is Up.
• (Optional) Configure the static route or enable IGP to ensure that IP routes between the
nodes are reachable.
• Ensure that OC1 and OC2 have correctly imported clock and time signals from the BITS.
Data Preparation
To configure 1588v2 on a TCandBC, you need the following data.
No.  Data
1    Number and IP address of each interface
2    IDs of 1588v2 domains to which devices belong
3    (Optional) Asymmetric correction value of the 1588v2 packet
4    (Optional) Interval for sending Announce packets and the timeout period for receiving Announce packets
5    (Optional) Interval for sending Sync packets
6    (Optional) Minimum interval for sending Delay packets
7    (Optional) Destination MAC address, source IP address, destination IP address, DSCP value, VLAN ID, and corresponding priority encapsulated into the 1588v2 packet
10.5.2 Configuring 1588v2 Globally
To configure 1588v2 globally, you need to enable 1588v2 on a router in the system view,
configure the router as a TCandBC, specify the domain to which the router belongs, and enable
the static configuration of the status of the TCandBC interface.
Context
Perform the following steps on the TCandBC:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp enable
1588v2 is enabled on the device.
Step 3 Run:
ptp device-type tcandbc
The device type is configured as TCandBC.
Step 4 Run:
ptp domain domain-value
The value of the 1588v2 domain to which the BC ports of TCandBC belong is configured.
Step 5 (Optional) Run:
ptp virtual-clock-id clock-id-value
The virtual clock ID of the TCandBC is set.
Step 6 (Optional) Run:
ptp acl enable
The function of controlling the range of clock source candidates is enabled.
Step 7 (Optional) Run:
ptp acl-permit-clockid clockid-value
The clock ID of the clock source that is permitted to participate in local BMC calculation is set.
Step 8 (Optional) Run:
ptp set-port-state enable
The function of statically specifying a 1588v2 port is enabled.
----End
10.5.3 Configuring 1588v2 on an Interface
After enabling 1588v2 in the system view, you need to enable 1588v2 in the interface view. In
addition, you need to configure the link delay measurement mechanism, asymmetric delay
correction time, mode in which packets are timestamped, and statically configure the status of
1588v2 interface on each interface.
Context
Perform the following steps on the device:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ptp port-type { bc | tc }
The type of the 1588v2 interface is set to either TC or BC.
Step 4 In the TC interface view, run:
ptp domain domain-value
The domain to which the 1588v2 interface belongs is configured.
NOTE
The 1588v2 clock domain configured in the system view is the domain to which the BC interface belongs,
and you do not need to configure a domain for the BC interface. The domain to which the TC interface
belongs needs to be configured in the interface view.
Step 5 Run:
ptp enable
1588v2 is enabled on the interface.
Step 6 (Optional) Run:
ptp delay-mechanism { delay | pdelay }
A delay measurement mechanism is configured for the device, which can be either of the
following:
The default measurement mechanism for P2PTC and P2PTCOC is Pdelay; the default
measurement mechanism for E2ETC, E2ETCOC, OC, BC, and TCandBC is Delay. The
measurement mechanism on the OC, BC, and TCandBC can be set to Pdelay.
• Delay mode:
A delay request-response mechanism, in which information about the clock and time is
calculated according to the delay of the entire link between the master clock and slave clock.
• PDelay mode:
A peer delay mechanism, in which information about the clock and time is calculated
according to the delay of each segment of the link between the master clock and slave clock.
NOTE
Different delay measurement mechanisms cannot replace each other. Therefore, delay measurement
mechanisms configured on 1588v2 interfaces on the same link segment must be identical.
Step 7 (Optional) Run:
ptp announce-drop enable
The interface of the 1588v2 device is configured to discard the received Announce packets.
NOTE
Announce packets can ensure the 1588v2 clock synchronization between devices. If an interface discards
Announce packets, the device where the interface resides cannot receive clock synchronization information
from other 1588v2 clocks. Usually, this command is configured on the interface at the user side.
Step 8 (Optional) Run:
ptp asymmetry-correction { negative negative-asymmetry-correction-value | positive
positive-asymmetry-correction-value }
The asymmetric correction time for sending 1588v2 packets on the interface is set.
Step 9 (Optional) Run:
ptp clock-step { one-step | two-step }
The timestamping mode of the synchronization packets sent by the 1588v2 port is set.
Step 10 (Optional) Run:
ptp port-state { slave | passive | master | premaster | listening | faulty |
disabled | initializing }
The synchronization status of the 1588v2 port is set.
----End
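The ptp acl enable, ptp acl-permit-clockid, and ptp announce-drop enable steps above control which clocks a device accepts as a time source. The following check is an added example, not part of the Huawei guide: it parses display ptp all output in the layout shown in the Checking the Configurations examples and flags a disabled ACL, a grandmaster outside an operator-supplied list, a user-side port in the slave state, and a BC port whose domain differs from the system domain. The sample output is constructed, and the finding codes, the trusted clock ID list, and the user-side port list are assumptions.

```python
import re

# Constructed sample, laid out like the BC1 "display ptp all" output on this
# page (two "key :value" pairs per line, then the Port info table).
SAMPLE = """\
Device config info
------------------------------------------------------------------
PTP state        :enabled           Domain value      :1
Slave only       :no                Device type       :BC
Set port state   :no                Local clock ID    :001882fffe1b1bf4
Acl              :no                Virtual clock ID  :no
Acr              :no                Time lock success :no
BMC run info
------------------------------------------------------------------
Grand clock ID   :001882fffe77c2cf  Receive number    :GigabitEthernet1/0/0
Parent clock ID  :001882fffe77c2cf  Parent portnumber :2049
Port info
Name                  State   Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave   delay       10           bc    1
GigabitEthernet2/0/0  master  delay       10           bc    1
"""

# One "key :value" pair; a line may carry two of them side by side.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*:(\S+)")
# One row of the Port info table.
PORT = re.compile(r"^(\S+/\d+/\d+)\s+(\w+)\s+(\w+)\s+(\d+)\s+(\w+)\s+(\d+)$")


def parse_display_ptp(text):
    """Return (fields, ports) parsed from 'display ptp all' output."""
    fields, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        row = PORT.match(line)
        if row:
            name, state, mech, ann, ptype, domain = row.groups()
            ports.append({
                "name": name, "state": state.lower(), "delay_mech": mech,
                # In this page's examples Ann-timeout 9 corresponds to
                # 512/1024 s and 10 to 1 s, i.e. 2**n / 1024 seconds.
                "ann_timeout_s": 2 ** int(ann) / 1024,
                "type": ptype.upper(), "domain": int(domain),
            })
            continue
        for key, value in PAIR.findall(line):
            fields[key] = value
    return fields, ports


def audit(text, trusted_grandmasters, user_side_ports=()):
    """Return a list of (code, detail) findings for one device."""
    fields, ports = parse_display_ptp(text)
    trusted = {cid.lower() for cid in trusted_grandmasters}
    findings = []
    # "Acl :no" is the value shown on this page when the ACL is not enabled.
    if fields.get("Acl", "").lower() == "no":
        findings.append(("acl-disabled",
                         "clock source candidates for BMC are not restricted"))
    # A device tracing a local or BITS source shows no Grand clock ID.
    grandmaster = fields.get("Grand clock ID")
    if grandmaster and grandmaster.lower() not in trusted:
        findings.append(("untrusted-grandmaster", grandmaster))
    system_domain = fields.get("Domain value")
    for port in ports:
        if port["name"] in user_side_ports and port["state"] == "slave":
            findings.append(("slave-on-user-side-port", port["name"]))
        if (port["type"] == "BC" and system_domain is not None
                and port["domain"] != int(system_domain)):
            findings.append(("bc-port-domain-mismatch", port["name"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE, {"001882fffe77c2cf"},
                              user_side_ports={"GigabitEthernet1/0/0"}):
        print(f"{code}: {detail}")
```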
10.5.4 Configuring Time Attributes for 1588v2 Packets
1588v2 nodes exchange Announce messages, Sync messages, and Delay messages to transmit
clock information and maintain the connectivity of the 1588v2 connection. In the view of the
1588v2 interface, you can set the interval for sending Announce packets, the allowable maximum
number of consecutive Announce packets that the interface on a 1588v2 device fails to receive,
the interval for sending Sync messages, and the interval for sending Delay messages. Usually,
you can use the default values.
Context
Perform the following steps on the 1588v2 device:
Procedure
• Configuring time attributes for Announce packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp announce-interval announce-interval
The interval for sending Announce packets on an interface is set to 2 to the power of
announce-interval, in units of 1/1024 seconds.
The default value of announce-interval is 7, which means that the interval for sending
Announce packets on the interface is 128/1024s.
4. Run:
ptp announce receipt-timeout receipt-timeout
The allowable maximum number of consecutive Announce packets that the interface
on a 1588v2 device fails to receive is set.
The default value is 3.
• Configuring time attributes for Sync packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp sync-interval sync-interval
The interval for sending Sync packets on an interface is set to 2 to the power of
sync-interval, in units of 1/1024 seconds.
The default sync-interval is 0, which means that the interval for sending Sync packets
on the interface is 1/1024s.
• Configuring time attributes for Delay packets
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ptp min-delayreq-interval min-delayreq-interval
The interval for sending Delay_Req packets on an interface is set to 2 to the power of
min-delayreq-interval, in units of 1/1024 seconds.
The default min-delayreq-interval is 7, which means that the interval for sending
Delay_Req packets on the interface is 128/1024s.
4. Run:
ptp min-pdelayreq-interval min-pdelayreq-interval
The interval for sending PDelay_Req packets is set to 2 to the power of
min-pdelayreq-interval, in units of 1/1024 seconds.
The default min-pdelayreq-interval is 7, which means that the interval for sending
PDelay_Req packets on the interface is 128/1024s.
----End
10.5.5 Configuring Encapsulation Types for 1588v2 Packets
1588v2 messages can be encapsulated into Layer 2 and Layer 3 packets for transmission. You
can select the encapsulation type according to the actual networking environment and configure
the source and destination IP addresses of the packets and the transmission priority.
Prerequisites
Before configuring encapsulation modes for 1588v2 packets, check the link type for 1588v2
packet transmission:
• The Layer 2 link adopts the MAC encapsulation mode for 1588v2 packets.
• The Layer 3 link adopts the UDP encapsulation mode for 1588v2 packets.
Context
Perform the following steps on the 1588v2 device:
Procedure
• Configuring the MAC encapsulation mode
1.
Run:
system-view
The system view is displayed.
2.
Run:
interface interface-type interface-number
The interface view is displayed.
3.
(Optional) Run:
ptp mac-egress destination-mac destination-mac
The 1588v2 packets to be sent from the interface are encapsulated in MAC
encapsulation mode, and the destination MAC address is configured.
– For unicast MAC encapsulation
Specify the unicast destination MAC address encapsulated in the 1588v2 packet
in the interface view.
– For multicast MAC encapsulation
A default multicast destination MAC address is adopted, which means that
destination-mac destination-mac does not need to be configured. The default
multicast destination MAC address varies with delay measurement mechanisms
as shown in the following table.
Packet Type                                    MAC Address
All except peer delay measurement mechanisms   01-1B-19-00-00-00
Peer delay measurement mechanism               01-80-C2-00-00-0E
NOTE
If the unicast destination MAC address is not configured, a multicast destination MAC address
is adopted by default.
4.
Run:
ptp mac-egress vlan vlan-id [ priority priority ]
The VLAN ID for transmitting MAC-encapsulated 1588v2 packets and the 802.1p
priority of the 1588v2 packet are configured.
• Configuring the UDP encapsulation mode
1.
Run:
system-view
The system view is displayed.
2.
Run:
interface interface-type interface-number
The interface view is displayed.
3.
Run:
ptp udp-egress source-ip source-ip [ destination-ip destination-ip ]
The 1588v2 packets to be sent from the interface are encapsulated in UDP
encapsulation mode, and the source and destination IP addresses are configured.
– For unicast UDP encapsulation
Specify the unicast destination IP address encapsulated in the 1588v2 packet in
the interface view.
– For multicast UDP encapsulation
A default multicast destination IP address is adopted, which means that
destination-ip destination-ip does not need to be configured. The default multicast
destination IP address varies with delay measurement mechanisms as shown in the
following table.
Packet Type                                    IP Address
All except peer delay measurement mechanisms   224.0.1.129
Peer delay measurement mechanism               224.0.0.107
NOTE
If the parameter destination-ip destination-ip is not configured, a multicast IP address is
adopted.
4.
Run:
ptp udp-egress destination-mac destination-mac
The next hop MAC address of the 1588v2 packet is configured.
5.
Run:
ptp udp-egress source-ip source-ip [ dscp dscp ]
The DSCP priority to be carried in the UDP-encapsulated 1588v2 packet is configured.
6.
Run:
ptp udp-egress source-ip source-ip vlan vlan-id [ priority priority ]
The VLAN ID for sending and receiving 1588v2 packets and the priority of the
UDP-encapsulated 1588v2 packet are configured on the interface.
----End
10.5.6 Checking the Configurations
After enabling 1588v2 for a TCandBC, you can check whether the configurations of 1588v2
meet the requirement.
Prerequisites
The TCandBC has been configured.
Procedure
• Run the display ptp all [ state | config ] command to display the operating status and
configuration of 1588v2 on the TCandBC.
• Run the display ptp interface interface-type interface-number command to display
1588v2 information of the interface.
----End
Example
Run the display ptp all state command on TCandBC1. You can view the configuration and
operating status of 1588v2. Take the command output on TCandBC1 as an example.
• The 1588v2 configuration includes the following:
– 1588v2 is enabled.
– The device type is TCandBC.
– The 1588v2 domain value is 1.
– The device works in non-slave-only mode.
• The 1588v2 operation information includes the following:
– The clock ID of the local clock is 001882fffe1b1bf4.
– The clock ID of the time source is 001882fffe77c2cf.
– The clock ID of the parent clock is 001882fffe77c2cf.
– Interfaces enabled with 1588v2 are GE 1/0/0 and GE 2/0/0.
– The value of the 1588v2 domain to which the BC interface belongs is 1; the value of
the 1588v2 domain to which the TC interface belongs is 2.
– The BC interface is in the Slave state.
– The delay measurement mechanism on the interface is Delay.
– The timeout periods for receiving Announce packets on the BC and TC interfaces are
both 512/1024s.
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state         :enabled           Domain value      :1
Slave only        :no                Device type       :TCandBC
Set port state    :no                Local clock ID    :001882fffe1b1bf4
Acl               :no                Virtual clock ID  :no
Acr               :no                Time lock success :no

BMC run info
------------------------------------------------------------------
Grand clock ID    :001882fffe77c2cf
Receive number    :GigabitEthernet1/0/0
Parent clock ID   :001882fffe77c2cf
Parent portnumber :6417
Priority1         :128               Priority2         :128
Step removed      :1                 Clock accuracy    :49
Clock class       :187               Time Source       :160
UTC Offset        :0                 UTC Offset Valid  :False
Time Scale        :ARB               Time Traceable    :False
Leap              :None              Frequence Traceable:False

Port info
Name                  State      Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave      delay       9            bc    1
GigabitEthernet2/0/0  premaster  delay       9            tc    2

Time Performance Statistics(ns): Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)   :534
Pathdelay         :0
Max(T2-T1)        :887704804
Min(T2-T1)        :512

Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
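The checks listed for this example can be automated. The following Python code is an added example, not part of the Huawei guide: it parses text in the layout of the display ptp all output and compares it with an operator-defined baseline, so that an unexpected grandmaster clock ID or port state shows up as a finding. The BASELINE dictionary, its keys and all function names are hypothetical, and the sample text is constructed from the values shown in the example output.

```python
import re

# Constructed sample in the layout of `display ptp all`; the values are the
# ones shown in the example output for TCandBC1.
SAMPLE = """\
Device config info
------------------------------------------------------------------
PTP state         :enabled           Domain value      :1
Slave only        :no                Device type       :TCandBC
Local clock ID    :001882fffe1b1bf4  Time lock success :no
BMC run info
------------------------------------------------------------------
Grand clock ID    :001882fffe77c2cf
Parent clock ID   :001882fffe77c2cf
Clock class       :187               Time Source       :160
Port info
Name                 State     Delay-mech Ann-timeout Type Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0 slave     delay      9           bc   1
GigabitEthernet2/0/0 premaster delay      9           tc   2
"""

# Hypothetical per-device baseline kept by the operator (not from the guide).
BASELINE = {
    "PTP state": "enabled",
    "Domain value": "1",
    "Device type": "TCandBC",
    "allowed_grandmasters": {"001882fffe77c2cf"},
    "slave_ports": {"GigabitEthernet1/0/0"},
    "max_announce_timeout_s": 1.0,
}

# "key :value" pairs; one line may carry one pair or several.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(\S+)")
PORT_HEADER = re.compile(r"^\s*Name\s+State\s+Delay-mech\s+Ann-timeout\s+Type\s+Domain")
PORT_COLUMNS = ("name", "state", "delay_mech", "ann_timeout", "type", "domain")


def parse_ptp_all(text):
    """Return (fields, ports) parsed from `display ptp all` output."""
    fields, ports, in_ports = {}, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if PORT_HEADER.match(line):
            in_ports = True
            continue
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or separator rule
        if in_ports:
            cols = stripped.split()
            if len(cols) == 6 and cols[3].isdigit():
                ports.append(dict(zip(PORT_COLUMNS, cols)))
                continue
            in_ports = False  # first non-row line ends the port table
        for key, value in PAIR.findall(line):
            fields[key.strip()] = value
    return fields, ports


def announce_timeout_seconds(exponent):
    """Treat Ann-timeout as an exponent: 2**n units of 1/1024 s.

    Inferred from the example on the page, where Ann-timeout 9 is described
    as a timeout of 512/1024 s.
    """
    return 2 ** int(exponent) / 1024


def audit(text, baseline):
    """Compare parsed output with the baseline and return a list of findings."""
    fields, ports = parse_ptp_all(text)
    findings = []
    for key in ("PTP state", "Domain value", "Device type"):
        if fields.get(key) != baseline[key]:
            findings.append(f"{key}: expected {baseline[key]}, got {fields.get(key)}")
    grandmaster = fields.get("Grand clock ID")
    if grandmaster not in baseline["allowed_grandmasters"]:
        findings.append(f"Grand clock ID {grandmaster} is not an approved time source")
    for port in ports:
        name, state = port["name"], port["state"]
        expected_slave = name in baseline["slave_ports"]
        if expected_slave != (state == "slave"):
            findings.append(f"{name}: unexpected state {state}")
        timeout = announce_timeout_seconds(port["ann_timeout"])
        if timeout > baseline["max_announce_timeout_s"]:
            findings.append(f"{name}: Announce timeout {timeout}s exceeds the limit")
    for name in baseline["slave_ports"] - {p["name"] for p in ports}:
        findings.append(f"{name}: expected slave port is missing from Port info")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, BASELINE) or ["no deviations from baseline"]:
        print(finding)
```

Run against output collected from each device on a schedule, a non-empty findings list points to a changed time source or port role that should be reviewed.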
10.6 Configuring the 1588v2 Time Source
This section describes how to configure a 1588v2 clock source, including how to obtain a
standard synchronous time through a clock interface from a BITS device without using 1588v2
and how to use 1588v2 to advertise the standard synchronous time to downstream nodes through
the other two interfaces.
10.6.1 Before You Start
Before configuring a 1588v2 clock source, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain the required data.
Applicable Environment
On a 1588v2 network, the grandmaster clock usually imports clock or time signals from an
external BITS time source, such as a GPS, and then advertises these clock or time signals to
downstream clocks through 1588v2 packets to implement clock synchronization of the entire
network. In this case, to ensure clock synchronization between 1588v2 devices, a BITS time
source must be correctly imported.
Pre-configuration Tasks
None
Data Preparation
To configure a 1588v2 time source, you need the following data.
No.  Data
1    Number of the interface from which the clock and time signals of the BITS time source are imported
2    (Optional) Class of the time source
3    (Optional) Priority of the time source
4    (Optional) Accuracy of the time source
10.6.2 Configuring BITS Signals to Participate in the BMC Calculation
1588v2 is a protocol used to transmit clock synchronization signals between network devices.
To obtain an external clock source, you need to configure the system to import a standard
synchronous time from the BITS through the clock interface without using 1588v2.
Context
Perform the following steps on the device:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
clock bits-type
The new MPU that supports 1588v2 is deployed with four ports, that is, CLK/TOD0, CLK/TOD1,
CLK/1PPS, and CLK/Serial. MPUs used on NE40E-X1, NE40E-X2 and NE40E-X3
only contain two RJ45 ports. The usage of these RJ45 ports is the same as the usage of BITS0
and BITS1. For the figures of interfaces on MPUs of different models, refer to the section "Panel
Instruction" in the chapter "Cabinet" of the HUAWEI NetEngine80E/40E - Hardware
Description.
CLK/TOD0 is called BITS0 and CLK/TOD1 is called BITS1; CLK/1PPS and CLK/Serial
of SMB type are bound together as BITS2. A BITS port can transmit only one type of signal at a
time.
Both the RJ45 port and SMB port must be installed with dedicated clock cables to input and
output clock signals and time signals. For descriptions of clock cables, refer to the chapter "Clock
Cables" in the HUAWEI NetEngine80E/40E - Hardware Description.
The following table shows types of signals that can be transmitted through ports.
Table 10-2 Signals input to a BITS port
Interface ID of   Interface ID   Interface   Types of Input Signal or Output Signal
a Clock Board     of Software    Type
CLK/TOD0          BITS0          RJ45        Types of clock signals:
                                             • 2 Mbit/s clock signals
                                             • 2 MHz clock signals
                                             Types of time signals:
                                             • Time signals of 1 pps of the RS422 level and ASCII of the RS422 level
                                             • Two-line (one for input and the other for output) DCLS time signals
CLK/TOD1          BITS1          RJ45        Types of clock signals:
                                             • 2 Mbit/s clock signals
                                             • 2 MHz clock signals
                                             Types of time signals:
                                             • Time signals of 1 pps of the RS422 level and ASCII of the RS422 level
                                             • Two-line (one for input and the other for output) DCLS time signals
CLK/1PPS          BITS2          SMB         Types of clock signals:
CLK/Serial                       SMB         • 2 Mbit/s clock signals
                                             • 2 MHz clock signals
                                             Types of time signals:
                                             • Time signals of 1PPS of the TTL level and ASCII of the RS232 level
In the preceding table:
• If the input or output signals on a BITS port are 2 Mbit/s clock signals, 2 MHz clock signals,
or two-line DCLS time signals, you do not need to configure the input or output parameter.
This is because the 2 Mbit/s clock signals, 2 MHz clock signals, or two-line DCLS time
signals are input and output through the same port. For example, if 2 Mbit/s clock signals
are transmitted through BITS0, 2 Mbit/s clock signals are both input and output through
BITS0.
• If the input or output signals on a BITS port are 1PPS+ASCII time signals, you must specify
the input or output parameter. This is because the 1PPS+ASCII time signals can be only
input or output at a time.
• When BITS2 transmits 1PPS+ASCII time signals, the two SMB ports must simultaneously
input or output these signals. If BITS2 transmits clock signals, the CLK/1PPS port must
always input signals and the CLK/Serial port must always output signals.
The type of the input or output signal is configured.
Step 3 Run:
ptp clock-source { bits0 | bits1 | bits2 } { on | off }
BITS signals are configured to participate or not to participate in the BMC calculation.
Step 4 (Optional) Run:
Set the SSM level of the BITS clock source.
NOTE
The BITS signal input port must be the CLK port on the active system control board. If the system control boards
undergo an active/standby switchover, switch the BITS signal input port to the CLK port on the new active
system control board.
Step 5 Run:
clock source { bits0 | ptp } priority priority-value
Set the priority of the clock reference source.
----End
10.6.3 Configuring Attributes for the 1588v2 Time Source
This topic describes how to configure attributes for the 1588v2 time source, including how to
configure attributes for a local time source and how to advertise time signals to downstream
nodes through 1588v2 messages.
Context
Perform the following steps on the device:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp clock-source { local | bits0 | bits1 | bits2 } time-source time-source-value [ slot slot-id ]
The type of the time source to be traced is configured.
NOTE
The time-source attribute can be configured only on the grandmaster clock. The external time source
to which the router connects should be configured with corresponding parameters. The mapping between
the time-source-value and the external time source is described in the Command Reference.
Step 3 Run:
ptp clock-source { local | bits0 | bits1 | bits2 } clock-accuracy clock-accuracy-value [ slot slot-id ]
The clock accuracy of the time source is configured.
Step 4 Run:
ptp clock-source { local | bits0 | bits1 | bits2 } clock-class clock-class-value [ slot slot-id ]
The class of the time source is configured.
NOTE
When clock-class-value is smaller than 128, the device cannot be used as the slave clock.
Step 5 Run:
ptp clock-source { local | bits0 | bits1 | bits2 } priority1 priority1-value [ slot slot-id ]
The value is set for priority1 of the time source.
Step 6 Run:
ptp clock-source { local | bits0 | bits1 | bits2 } priority2 priority2-value [ slot slot-id ]
The value is set for priority2 of the time source.
Step 7 (Optional) Run:
ptp clock-source { bits0 | bits1 | bits2 } { receive-delay receive-delay-time |
send-delay send-delay-time } [ slot slot-id ]
The delay for receiving or sending time source signals is set.
----End
10.6.4 Checking the Configurations
After the 1588v2 clock source is imported and related configurations are complete, you can run
the display ptp all command to check whether configurations of the clock source take effect and
are correct.
Prerequisites
The 1588v2 time source has been configured.
Procedure
• Run the display clock source command to check time information about the BITS clock
source that the device traces.
----End
Example
When the NE40E traces a BITS clock source successfully, run the display clock source
command on the device to view obtained time information from the clock source.
System trace source State:    lock mode
                              into pull-in range
Current system trace source:  bits0
Current 2M-1 trace source:    Ethernet1/0/0
Current 2M-2 trace source:    Ethernet1/0/0
Frequency lock success:       yes
Master board
source         Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0          3 /---/--           prc     ssua     normal
bits1          3 /---/--           prc     ssua     abnormal
Ethernet2/0/0  2 /1 /1             ssub    -        normal
Ethernet1/0/0  1 /1 /1             ssua    -        normal
Run the display ptp all command, and you can view the 1588v2 configuration and BMC
operating status on the device.
The 1588v2 configuration includes the following time source configurations:
• Priority
• Accuracy
• Class
• Type of the time source
• Input signals of the clock
<OC1> display ptp all
Device config info
------------------------------------------------------------------
PTP state         :enabled           Domain value      :0
Slave only        :no                Device type       :OC
Set port state    :no                Local clock ID    :00e0fcfffea4b000
Acl               :no                Virtual clock ID  :no
Acr               :no                Time lock success :no

BMC run info
------------------------------------------------------------------
Source port       :bits1
Leap              :None
UTC Offset        :0
UTC Offset Valid  :False

Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  128   128   0x31      1      0xa0
bits0  1     128   0x20      6      0x20     none    on      -/normal
bits1  100   128   0x20      6      0x20     1pps    on      in/normal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
10.7 Configuring 1588 ACR
In one 1588 ACR domain, a client initiates a request for negotiation, and exchanges Layer 3
unicast packets with the server to set up a connection. The client exchanges 1588v2 packets with
the server over the connection to restore clock information.
Context
NOTE
1588 ACR Server cannot be configured on the X1 and X2 models of the NE80E/40E.
10.7.1 Checking the Configurations
After MP limiting parameters are configured, you can check the configurations of the parameters.
Procedure
Step 1 Run the display current-configuration interface [ interface-type [ interface-number ] ]
command to check the configuration of MP-Group interface.
----End
Example
After running the display current-configuration interface command, you can check
configurations on the MP-Group interface.
<HUAWEI> display current-configuration interface mp-group 1/0/1
#
interface Mp-group1/0/1
mrru 1200
ppp mp threshold 2
ppp mp damping detect-time 32 flapping-count 32 damping-time 62
#
return
10.7.2 Configuring the Unicast Negotiation Function for a Client
The unicast negotiation function and parameters for a connection between a client and a clock
server are configured on the HUAWEI NetEngine80E/40E functioning as a 1588 ACR client.
Context
ACR, which is an adaptive clock recovery technology, allows a 1588 ACR client to exchange
1588v2 packets with a clock server on a link where a 1588v2-incapable device resides. After
receiving 1588v2 packets, the client uses clock information carried in the packets to restore clock
information.
1588 ACR and 1588v2 (which implements hop-by-hop clock synchronization) are mutually
exclusive. If 1588 ACR is enabled on a 1588v2-capable device, the 1588v2 configurations on
the device no longer take effect. Before enabling 1588 ACR, first disable IEEE 1588v2. After
1588 ACR is enabled, configurations related to IEEE 1588v2 will be deleted automatically.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp-adaptive enable
1588 ACR is enabled.
Step 3 Run:
ptp-adaptive device-type client
The 1588 ACR clock working mode is set to client.
Step 4 (Optional) Run:
ptp-adaptive frequency profile
The 1588 ACR-enabled device is configured to fully comply with ITU-T G.8265.1.
By default, a 1588 ACR-enabled device complies with ITU-T G.8265.1 partially.
After the ptp-adaptive frequency profile command is run, the default domain value changes
to 4. The domain value range changes to 4-23.
Step 5 (Optional) Run:
ptp-adaptive domain domain-value
A 1588 ACR domain is configured.
NOTE
The client and clock server, which exchange 1588v2 packets for clock or time synchronization, must be
in one 1588 ACR clock domain.
Step 6 Run:
ptp-adaptive local-ip ip-address
An IP address is assigned to the client, which is used to initiate a request for negotiation and
send Layer 3 unicast packets.
The clock server's and client's IP addresses uniquely identify a 1588 ACR connection, which is
set up by exchanging Layer 3 unicast packets between a client and a clock server during
negotiation. Using a loopback address as the client's IP address, rather than the IP address of
the management network port on the device, is recommended because it helps the clock server
direct packets to the client.
If a client and a clock server are connected over a VPN, the VPN instance name carried in 1588v2
packets must be specified on both the client and clock server after IP addresses are configured
for them.
Step 7 (Optional) Run:
ptp-adaptive forward-mode centralized
The HUAWEI NetEngine80E/40E is configured to work in centralized ACR client mode.
NOTE
The X1 and X2 models of the NE40E switch between centralized ACR client mode and distributed ACR
client mode automatically, and therefore you do not need to run this command on them.
To use the centralized ACR client mode, at least one of the following types of interface boards must be
installed: LPUI-21-L, LPUF-50, LPUF-51, LPUI-51, LPUS-51, LPUF-101, LPUI-101, LPUS-101,
LPUF-120, LPUI-120, LPUF-240, or LPUI-240.
Step 8 (Optional) Run:
ptp-adaptive vpn-instance instance-name
The VPN instance name carried in 1588v2 packets is specified, which identifies the VPN
instance bound to the client's loopback interface.
Step 9 Run:
ptp-adaptive { remote-server1-ip | remote-server2-ip } ip-address
The remote clock server list is configured.
If multiple clock servers exist on a network, the HUAWEI NetEngine80E/40E, functioning as
a client, tracks its clock server based on the clock server's IP address.
Running this command twice specifies master and slave clock servers.
If two clock servers are configured, the client initiates a request for a connection to one clock
server. If the connection fails to be established or the established connection is closed, the client
initiates a request for a connection to the other clock server. If the connection also fails, the client
re-initiates a request for a connection to the first clock server. The procedure repeats until a
connection is created.
Step 10 Run:
ptp-adaptive acr [ one-way | two-way ] unicast-negotiate enable
1588 ACR unicast negotiation is enabled on the HUAWEI NetEngine80E/40E and the frequency
recovery mode is configured.
By default, the frequency recovery mode is one-way.
Step 11 (Optional) Run:
ptp-adaptive clockclass-ssm mapping
Automatic clock source selection based on the Best Master Clock Algorithm (BMCA) is
enabled on the 1588 ACR client.
By default, a 1588 ACR client cannot select the clock source automatically based on the BMCA.
When a router functions as a 1588 ACR client and is connected to two remote clock servers,
you can run the ptp-adaptive clockclass-ssm mapping command to enable the router to select
one clock server that meets the clock class requirement automatically, trace the clock server to
recover clock information, and send the clock recovery information to devices on a downstream
network or base stations through an SDH network or a synchronous Ethernet.
----End
10.7.3 Configuring the Unicast Negotiation Function for a Server
The unicast negotiation function and parameters for a connection between a client and a clock
server are configured on the HUAWEI NetEngine80E/40E functioning as a 1588 ACR clock
server.
Context
ACR, which is an adaptive clock recovery technology, allows a 1588 ACR client to exchange
1588v2 packets with a clock server on a link where a 1588v2-incapable device resides. After
receiving 1588v2 packets, the client uses clock information carried in the packets to restore clock
information.
1588 ACR and 1588v2 (which implements hop-by-hop clock synchronization) are mutually
exclusive. If 1588 ACR is enabled on a 1588v2-capable device, the 1588v2 configurations on
the device no longer take effect.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ptp-adaptive enable
1588 ACR is enabled.
Step 3 Run:
ptp-adaptive device-type server
The 1588 ACR clock working mode is set to server.
Step 4 (Optional) Run:
ptp-adaptive frequency profile
The 1588 ACR-enabled device is configured to fully comply with ITU-T G.8265.1.
By default, a 1588 ACR-enabled device complies with ITU-T G.8265.1 partially.
After the ptp-adaptive frequency profile command is run, the default domain value changes
to 4. The domain value range changes to 4-23.
Step 5 (Optional) Run:
ptp-adaptive domain domain-value
A 1588 ACR domain is configured.
NOTE
The client and clock server, which exchange 1588v2 packets for clock synchronization, must be in one
1588v2 clock domain.
Step 6 Run:
ptp-adaptive local-ip ip-address
An IP address is assigned to the clock server.
The clock server's and client's IP addresses uniquely identify a 1588 ACR connection, which is
set up by exchanging Layer 3 unicast packets between a client and a clock server during
negotiation. Configuring a loopback address as the server's IP address is recommended, helping
the clock server direct packets to the client.
If a client and a clock server are connected over a VPN, the VPN instance name carried in 1588v2
packets must be specified on both the client and clock server after IP addresses are configured
for them.
Step 7 (Optional) Run:
ptp-adaptive vpn-instance instance-name
The VPN instance name carried in 1588v2 packets is specified, which identifies the VPN
instance bound to the server's loopback interface.
Step 8 Run:
ptp-adaptive acr unicast-negotiate enable
The 1588 ACR unicast negotiation on the HUAWEI NetEngine80E/40E is configured.
----End
10.7.4 (Optional) Adjusting Parameters for Establishing a Unicast Negotiation Connection
Adjustable parameters include the maximum number of consecutive Announce packets that the
client fails to receive (if the number of unreceived Announce packets exceeds the threshold, the
client determines that the connection to the server has failed), the duration of the Sync, Delay_Resp,
and Announce packets (after the duration of a Sync, Delay_Resp, or Announce packet expires, the
client re-establishes the connection with the server), the DSCP value (which ensures that 1588v2
packets reach the destination even if congestion occurs on the network), and the interval at which
the server sends Sync, Delay_Resp, and Announce packets.
Context
Adjustable parameters on a client are as follows:
1. The maximum number of consecutive Delay_Resp packets that the client fails to receive
2. Duration field values in Sync, Delay_Resp and Announce packets
3. DSCP value for 1588 ACR packets
4. Interval at which Sync, Delay_Resp and Announce packets are sent
Adjustable parameters on a clock server are as follows:
1. DSCP value for 1588 ACR packets
Procedure
Step 1 Run:
ptp-adaptive dscp priority-value
The DSCP value in 1588 ACR packets is set.
Set a large DSCP value to ensure that 1588v2 packets reach the destination even if
congestion occurs on the network. This value is adjustable on both the client and clock server.
Step 2 Run:
ptp-adaptive { announce-duration | sync-duration | delay-resp-duration } duration-value
The duration field value is set for each type of 1588 ACR packet.
If a set duration time expires, the client re-initiates a request for a connection to a clock server.
The default value is recommended. By default, the duration value in all 1588v2 packets is 300,
in seconds.
Step 3 Run:
ptp-adaptive request sync-interval sync-interval
The interval at which an ACR clock server sends Sync packets is set.
By default, the interval is 8/1024 seconds.
Step 4 Run:
ptp-adaptive request announce-interval announce-interval
The interval at which an ACR clock server sends Announce packets is set.
By default, the interval at which Sync packets are sent is 2 seconds.
Step 5 Run:
ptp-adaptive request delay-resp-interval delay-resp-interval
The interval at which the 1588 ACR-enabled server sends Delay_Resp packets is set.
By default, the interval at which the 1588 ACR-enabled server sends Delay_Resp packets is 3
(8/1024s).
Step 6 Run:
ptp-adaptive announce receipt-timeout receipt-timeout
The allowable maximum number of consecutive Announce packets that the client fails to receive
is set.
By default, the allowable maximum number of consecutive Announce packets that the client
fails to receive is 3.
----End
10.7.5 Checking the Configurations
This section describes how to check 1588 ACR configurations on the router serving as a client
or server.
Procedure
• When the router functions as a client:
1. Run the display ptp-adaptive all command to check all 1588 ACR configurations on
the client.
2. Run the display ptp-adaptive server [ server-id ] command to check 1588 ACR
configurations on the server.
• When the router functions as a server:
1. Run the display ptp-adaptive all command to check all 1588 ACR configurations on
the server.
2. Run the display ptp-adaptive { all | client [ client-id ] } command to check 1588
ACR configurations on the client.
----End
Example
# Display the current 1588 ACR configurations on the client.
• If the ptp-adaptive frequency profile command is run, the display ptp-adaptive all
command output is as follows:
<HUAWEI> display ptp-adaptive all
Device config info
---------------------------------------------------------------------------
Ptp adaptive state      : enable         Device type         : client
Sync mode               : frequency      Current state       : slave
Packet dscp             : 56             Domain value        : 4
Announce interval       : 12             Announce duration   : 300s
Sync interval           : 4              Sync duration       : 300s
Delay_resp interval     : 6              Delay_resp duration : 400s
Announce receipt timeout: 3              Acr mode            : one-way
Local ip                : 2.2.2.240      Client board        : NA
Clockclass-ssm mapping  : enable         Forward mode        : distributed
Ptp port name           : GigabitEthernet8/1/7
Frequency profile       : yes

BMCA run info
------------------------------------------------------------------------
Current trace source    : server1
Frequency lock success  : yes

Time performance statistics(ns)
------------------------------------------------------------------------
Realtime(T2-T1)         :23281
Max(T2-T1)              :26277
Min(T2-T1)              :21853

Remote server info
---------------------------------------------------------------------------
         Ip address   Negotiate state                         SSM   Priority  PTSF
Server1: 1.1.1.1      success                                 prc   1         normal
Server2: 2.2.2.2      error (reason:announce grant timeout)
• If the ptp-adaptive frequency profile command is not run, the display ptp-adaptive all
command output is as follows:
<HUAWEI> display ptp-adaptive all
Device config info
---------------------------------------------------------------------------
Ptp adaptive state      : enable         Device type         : client
Sync mode               : frequency      Current state       : slave
Packet dscp             : 56             Domain value        : 0
Announce interval       : 12             Announce duration   : 300s
Sync interval           : 4              Sync duration       : 300s
Delay_resp interval     : 6              Delay_resp duration : 300s
Announce receipt timeout: 3              Acr mode            : one-way
Local ip                : 2.2.2.240      Client board        : NA
Clockclass-ssm mapping  : enable         Forward mode        : distributed
Ptp port name           : GigabitEthernet8/1/7
Ptp port name           : none
Frequency profile       : no

BMCA run info
---------------------------------------------------------------------------
Current trace source    : local
Frequency lock success  : no

Remote server info
---------------------------------------------------------------------------
Current negotiate server: 1
         Ip address   Negotiate state
Server1: 1.1.1.1      Nego init
Server2:
# Display configurations of the clock server 1 on the client.
<HUAWEI> display ptp-adaptive server 1
Server id      : 1                   Ip address     : 1.1.1.1
Clock id       : 001882fffe43552f    Time source    : 0x10
Priority1      : 128                 Priority2      : 128
Clock class    : 84                  Clock accuracy : 0x22
Recv Packet Statistics
--------------------------------------------------------------------------
Signalling     :22
Announce       :2737
Sync           :2743
Delay_resp     :0
Send Packet Statistics
--------------------------------------------------------------------------
Signalling     :52
Delay_req      :0
Discard Packet Statistics
--------------------------------------------------------------------------
Signalling     :0
Announce       :0
Sync           :0
Delay_resp     :0
# Display the current 1588 ACR configurations on the server.
<HUAWEI> display ptp-adaptive all
Device config info
--------------------------------------------------------------------------
Ptp adaptive state  : enable
Device type         : server
Sync mode           : frequency
Current state       : master
Packet dscp         : 56
Domain value        : 0
Local ip            : 1.1.1.1
Frequency profile   : no
VPN                 : none
Server board        : 3
Active status       : active
Client info
ID  Ip Address  Clock ID          Mode     Announce  Sync  Delay_resp
--------------------------------------------------------------------------
1
0   2.2.2.2     001882fffed48301  one-way  1         -7    none
# Display configurations of client 0 on the server.
<HUAWEI> display ptp-adaptive client 0
Client id           : 0
Ip address          : 2.2.2.2
Clock id            : 001882fffed48301
Mode                : one-way
Announce interval   : 1
Announce duration   : 300s
Sync interval       : -7
Delay_resp interval : none
Sync duration       : 300s
Delay_resp duration : none
Recv Packet Statistics
--------------------------------------------------------------------------
Signalling          :2
Delay_req           :1
Send Packet Statistics
--------------------------------------------------------------------------
Signalling          :2
Announce            :50
Sync                :13086
Delay_resp          :1
Discard Packet Statistics
--------------------------------------------------------------------------
Signalling          :0
Delay_req           :0
10.8 Maintaining 1588v2
This section describes how to maintain 1588v2, including clearing 1588v2 statistics and
monitoring the operating status of 1588v2.
10.8.1 Clearing 1588v2 Statistics
You can run the reset ptp statistics command to clear the 1588v2 statistics.
Context
NOTICE
Statistics cannot be restored after being cleared. So, confirm the action before you run the
command.
After confirming that 1588v2 statistics need to be cleared, run the following command in the
user view.
Procedure
Step 1 Run:
reset ptp statistics { all | interface interface-type interface-number }
The counters of sent and received 1588v2 packets on the interface are reset, which clears
the statistics on 1588v2 packets.
----End
10.8.2 Monitoring 1588v2
You can run the display ptp command to view the operating status of 1588v2, including the current
operation mode of the device, clock synchronization status, clock source ID, and input interface
of clock signals.
Context
In routine maintenance, you can run the following command in any view to view the operating
status of 1588v2.
Procedure
• Run:
display ptp { all [ config | state ] | interface interface-type interface-number }
Information about the configuration and operating status of 1588v2 is displayed.
----End
Example
# Display the status and statistics of all the modules related to 1588v2 on the current device.
• The slave clock
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled
Domain value       :1
Slave only         :no
Device type        :BC
Set port state     :no
Local clock ID     :000a0bfffe0c0d42
Acl                :no
Virtual clock ID   :no
Acr                :no
Time lock success  :no
BMC run info
------------------------------------------------------------------
Grand clock ID     :000a0bfffe0c0dd4
Receive number     :GigabitEthernet1/0/0
Parent clock ID    :000a0bfffe0c0dd4
Parent portnumber  :6417
Priority1          :128
Priority2          :128
Step removed       :1
Clock accuracy     :49
Clock class        :187
Time Source        :160
UTC Offset         :0
UTC Offset Valid   :False
Time Scale         :ARB
Time Traceable     :False
Leap               :None
Frequence Traceable:False
Port info
Name                  State   Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave   delay       10           BC    1
Time Performance Statistics(ns): Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)    :534
Pathdelay          :0
Max(T2-T1)         :887704804
Min(T2-T1)         :512
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
• The master clock
<HUAWEI> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled
Domain value       :1
Slave only         :no
Device type        :BC
Set port state     :no
Local clock ID     :00e0fcfffea4b000
Acl                :no
Virtual clock ID   :no
Acr                :no
Time lock success  :no
BMC run info
------------------------------------------------------------------
Source port        :bits1
Leap               :None
UTC Offset         :0
UTC Offset Valid   :False
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  128   128   0x31      1      0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  100   128   0x20      6      0x20     1pps    on      in/normal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
# Display configurations of GE 1/0/1.
<HUAWEI> display ptp interface Gigabitethernet 1/0/1
Port State            :slave
Port Number           :8451
Announce-interval     :10
Grand clock ID        :001882fffe771111
Receive number        :GigabitEthernet1/0/1
Parent clock ID       :000a0bfffe0c0dd4
Parent portnumber     :1
Priority1             :128
Priority2             :128
Step removed          :0
Clock accuracy        :34
Clock class           :6
Time Source           :16
UTC Offset            :0
UTC Offset Valid      :False
Time Scale            :PTP
Time Traceable        :False
Leap                  :59
Frequence Traceable   :False
Recv Packet Statistics
----------------------------------------------------------------------
Announce              :2288
Sync                  :14933
Req                   :0
Resp                  :0
Followup              :0
Pdelay_resp_followup  :0
Send Packet Statistics
----------------------------------------------------------------------
Announce              :0
Sync                  :1
Req                   :0
Resp                  :0
Followup              :0
Pdelay_resp_followup  :0
Discard Packet Statistics
----------------------------------------------------------------------
Announce              :0
Sync                  :1183
Delayreq              :0
Pdelayreq             :0
Resp                  :0
Pdelayresp            :0
Followup              :0
Pdelay_resp_followup  :0
Table 10-3 Description of the display ptp command output

Item               Description
-----------------  ----------------------------------------------------------
PTP state          Whether 1588v2 is enabled
Domain value       Value of the 1588v2 domain where the clock resides
Slave only         Whether the slave-only mode is adopted
Device-type        1588v2 device type
Static BMC         Whether the static Best Master Clock (BMC) algorithm is used
Local clock ID     Clock ID of the local clock
Grand clock ID     Clock ID of the grandmaster clock
Receive number     Signal input interface of the clock source
Parent clock ID    Clock ID of the parent clock
Parent portnumber  Signal output interface of the parent clock
Pri1               Priority1 of the clock source
Pri2               Priority2 of the clock source
Step removed       Step of the learnt clock sources
Clock-accuracy     Accuracy of the clock source
Clock-class        Class of the clock source
Port state         Status of interfaces enabled with 1588v2
clock source info  Configuration of the clock source
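The following script is an added example, not part of the Huawei guide. It parses display ptp interface output collected during routine monitoring and flags an unexpected grandmaster clock ID, an unexpected port state, or a high discard rate. The sample text is constructed from the GE 1/0/1 values above; the grandmaster allow-list, the expected port state and the discard threshold are assumptions chosen by the operator.

```python
import re

# Constructed sample: `display ptp interface` output in one-field-per-line form,
# using the GE 1/0/1 values shown on this page (shortened to the fields checked).
SAMPLE_OUTPUT = """\
Port State            :slave
Port Number           :8451
Grand clock ID        :001882fffe771111
Parent clock ID       :000a0bfffe0c0dd4
Clock class           :6
Recv Packet Statistics
----------------------------------------------------------------------
Announce              :2288
Sync                  :14933
Req                   :0
Send Packet Statistics
----------------------------------------------------------------------
Announce              :0
Sync                  :1
Discard Packet Statistics
----------------------------------------------------------------------
Announce              :0
Sync                  :1183
Delayreq              :0
"""

SECTION_RE = re.compile(r"^(Recv|Send|Discard) Packet Statistics$")
FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_ptp_interface(text):
    """Split the output into general fields and the three counter sections."""
    parsed = {"fields": {}, "Recv": {}, "Send": {}, "Discard": {}}
    section = "fields"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank line or separator rule
            continue
        heading = SECTION_RE.match(line)
        if heading:
            section = heading.group(1)
            continue
        field = FIELD_RE.match(line)
        if not field:
            continue
        key, value = field.group(1), field.group(2).strip()
        if section == "fields":
            parsed["fields"][key] = value
        elif value.isdigit():                   # counters are plain integers
            parsed[section][key] = int(value)
    return parsed


def audit_port(parsed, expected_grandmasters, expected_state="slave",
               max_discard_ratio=0.01):
    """Return a list of findings; an empty list means nothing stood out.

    Assumptions (not from the guide): the allow-list of grandmaster clock IDs,
    the expected port state and the discard threshold are operator-chosen, and
    the ratio is computed as discarded / received for the same message type.
    """
    findings = []
    fields = parsed["fields"]

    grandmaster = fields.get("Grand clock ID", "").lower()
    if grandmaster not in {g.lower() for g in expected_grandmasters}:
        findings.append(("unexpected-grandmaster", grandmaster))

    state = fields.get("Port State", "")
    if state != expected_state:
        findings.append(("port-state", state))

    for message, discarded in parsed["Discard"].items():
        if discarded == 0:
            continue
        received = parsed["Recv"].get(message)
        if received is None or received == 0:
            # No matching Recv counter (names differ, e.g. Delayreq vs Req).
            findings.append(("discards", message, discarded))
        elif discarded / received > max_discard_ratio:
            findings.append(("discard-ratio", message, discarded, received))
    return findings


if __name__ == "__main__":
    report = audit_port(parse_ptp_interface(SAMPLE_OUTPUT), {"001882fffe771111"})
    for finding in report:
        print(finding)
```

Counters are cumulative until reset ptp statistics is run, so compare successive readings rather than a single snapshot when tracking a trend.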
10.9 1588 ACR Maintenance
This section describes how to maintain 1588 ACR, including how to clear 1588 ACR statistics.
10.9.1 Clearing 1588 ACR Statistics
This section describes how to clear 1588 ACR statistics using the reset ptp-adaptive
statistics command.
Context
NOTICE
Statistics cannot be restored after being cleared. Exercise caution when running the reset
ptp-adaptive statistics command.
After you confirm the statistics need to be cleared, run the following command in the user view.
Procedure
Step 1 Run:
reset ptp-adaptive statistics
1588 ACR statistics are cleared.
----End
10.10 Configuration Examples
This section provides several configuration examples of 1588v2.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
10.10.1 Example for Configuring the BITS as the 1588v2 Clock Source
1588v2 is used to transmit clock signals within a network. If the clock signals within a network
need to be synchronized with those of an external clock source, the external standard clock source
is required.
Configuration Roadmap
As shown in Figure 10-8, the BITS is connected to an external GPS to advertise the input clock
or time signals to the device named Master, which serves as the master clock of the bearer
network and advertises the received clock or time signals to devices on the bearer network.
Figure 10-8 Networking diagram of configuring the BITS as the 1588v2 clock source
[Figure: network diagram showing BITS, Master, PE1, PE2, PE3, CE1, CE2, and NodeBs, connected
through GE1/0/0, GE1/0/1, and GE1/0/2 interfaces]
The configuration roadmap is as follows:
1. Connect Master to the BITS clock.
2. Configure attributes for the BITS clock.
3. Configure the BITS as the 1588v2 clock or time source.
The new MPU that supports 1588v2 has four ports: CLK/TOD0, CLK/TOD1, CLK/1PPS, and
CLK/Serial. MPUs used on the NE40E-X1, NE40E-X2, and NE40E-X3 contain only two RJ45 ports.
These RJ45 ports are used in the same way as BITS0 and BITS1, which is described as follows.
For the figures of interfaces on MPUs of different models, refer to the section "Panel
Instruction" in the chapter "Cabinet" of the HUAWEI NetEngine80E/40E - Hardware Description.
CLK/TOD0 is called BITS0 and CLK/TOD1 is called BITS1; CLK/1PPS and CLK/Serial, both of the
SMB type, are bound together as BITS2. A BITS port can transmit one type of signal at a time.
Both the RJ45 port and SMB port must be installed with dedicated clock cables to input
and output clock signals and time signals. For descriptions of clock cables, refer to the
chapter "Clock Cables" in the HUAWEI NetEngine80E/40E - Hardware Description.
The following table shows types of signals that can be transmitted through ports.
Table 10-4 Signals input to a BITS port

Interface ID of a Clock Board: CLK/TOD0
Interface ID of Software: BITS0
Interface Type: RJ45
Types of Input Signal or Output Signal:
  Types of clock signals:
  • 2 Mbit/s clock signals
  • 2 MHz clock signals
  Types of time signals:
  • Time signals of 1 pps of the RS422 level and ASCII of the RS422 level
  • Two-line (one for input and the other for output) DCLS time signals

Interface ID of a Clock Board: CLK/TOD1
Interface ID of Software: BITS1
Interface Type: RJ45
Types of Input Signal or Output Signal:
  Types of clock signals:
  • 2 Mbit/s clock signals
  • 2 MHz clock signals
  Types of time signals:
  • Time signals of 1 pps of the RS422 level and ASCII of the RS422 level
  • Two-line (one for input and the other for output) DCLS time signals

Interface ID of a Clock Board: CLK/1PPS and CLK/Serial
Interface ID of Software: BITS2
Interface Type: SMB (both ports)
Types of Input Signal or Output Signal:
  Types of clock signals:
  • 2 Mbit/s clock signals
  • 2 MHz clock signals
  Types of time signals:
  • Time signals of 1 pps of the TTL level and ASCII of the RS232 level
In the preceding table:
• If the input or output signals on a BITS port are 2 Mbit/s clock signals, 2 MHz clock
signals, or two-line DCLS time signals, you do not need to configure the input or
output parameter. This is because the 2 Mbit/s clock signals, 2 MHz clock signals, or
two-line DCLS time signals are input and output through the same port. For example,
if 2 Mbit/s clock signals are transmitted through BITS0, 2 Mbit/s clock signals are both
input and output through BITS0.
• If the input or output signals on a BITS port are 1 pps+ASCII time signals, you must
specify the input or output parameter. This is because the 1 pps+ASCII time signals
can only be input or output at a time.
• When BITS2 transmits 1 pps+ASCII time signals, the two SMB ports must
simultaneously input or output these signals. If BITS2 transmits clock signals, the
CLK/1PPS port must always input signals and the CLK/Serial port must always output
signals.
Data Preparation
To complete the configuration, you need the following data:
• BITS signal types (in this example, 2 MHz clock signals are input through BITS0, and
time signals of 1 pps of the RS422 level and ASCII of the RS422 level are input through BITS1)
• Attributes of the BITS time source, including time source value, clock accuracy, clock
stratum, priority 1, and priority 2
• Priority of the static clock source
Procedure
Step 1 Use clock cables to connect BITS0 to the clock signal source and BITS1 to the time
signal source.
Step 2 Configure attributes for the input signals of the BITS clock.
<Master> system-view
[Master] clock bits-type bits0 2mhz
[Master] clock manual source bits0
[Master] clock bits-type bits1 1pps input
[Master] ptp clock-source bits1 on
[Master] ptp clock-source bits1 priority1 1
Step 3 Configure attributes for the BITS clock source on Master.
[Master] ptp clock-source bits1 time-source 2
NOTE
BITS is connected to an external time source, namely, GPS, and its time-source is 2.
[Master] ptp clock-source bits1 clock-accuracy 20
[Master] ptp clock-source bits1 clock-class 1
NOTE
If clock-class is set smaller than 128, then the clock cannot be a slave clock.
[Master] ptp clock-source bits1 priority2 2
[Master] ptp clock-source bits1 send-delay 500
[Master] ptp clock-source bits1 receive-delay 1000
Step 4 Enable basic 1588v2 functions on Master and configure the device type as OC.
<Master> system-view
[Master] ptp enable
[Master] ptp domain 1
[Master] ptp device-type oc
[Master] interface gigabitethernet 1/0/0
[Master-GigabitEthernet1/0/0] ptp delay-mechanism pdelay
[Master-GigabitEthernet1/0/0] ptp enable
[Master-GigabitEthernet1/0/0] quit
Step 5 Verify the configuration.
Run the display clock source command in any view on Master. The output shows that BITS0 is in
the normal state, which means that Master has successfully received frequency signals from the
BITS0 port.
<Master> display clock source
System trace source State:   lock mode
                             into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source:   system PLL
Current 2M-2 trace source:   system PLL
Master board
source                 Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
--------------------------------------------------------------------------
bits0                  5 /---/--           unk     ssua     normal
bits1                  ---/---/--          prc     ssua     initial
bits2                  ---/---/--          prc     ssua     initial
GigabitEthernet1/0/0   3 /---/--           ssua    dnu      normal
GigabitEthernet3/1/0   3 /---/--           unk     ssua     normal
GigabitEthernet3/1/1   8 /---/--           unk     ssua     normal
Run the display clock config command in any view on Master. The output shows that Master has
entered lock mode, which means that the frequency of Master is tracing the signal from the
BITS0 port.
<Master> display clock config
Current source:    11
Workmode:          manual
SSM control:       off
Primary source:    11
Output SSM Level:  unknown
Current source step into pull-in range
Clock is in lock mode
Ethernet-synchronization enable
After the configurations, run the display ptp all state command on Master. You can view the
current operating status of 1588v2.
<Master> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled
Domain value       :1
Slave only         :no
Device type        :OC
Static BMC         :no
Local clock ID     :101122fffe225555
BMC run info
------------------------------------------------------------------
Clock ID value     :101122fffe225555
Source port        :bits1
Port info
Name                  State   Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  master  pdelay      9            OC    1
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  128   128   0x31      187    0xa0
bits0  6     6     0x20      187    0x20     none    off     -/abnormal
bits1  0     2     0x10      1      0x20     none    on      -/normal
bits2  6     6     0x20      187    0x20     none    off     -/abnormal
Device config info
------------------------------------------------------------------
PTP state          :enabled
Domain value       :1
Slave only         :no
Device type        :BC
Set port state     :no
Local clock ID     :00e0fcfffea4b000
Acl                :no
Virtual clock ID   :no
Acr                :no
BMC run info
------------------------------------------------------------------
Source port        :bits1
Leap               :None
UTC Offset         :0
UTC Offset Valid   :False
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  128   128   0x31      1      0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  1     2     0x20      1      0x20     1pps    on      in/normal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
----End
Configuration Files
• Configuration file of Master
#
Master
#
ptp enable
ptp device-type oc
clock bits-type bits0 2mhz
clock manual source bits0
clock bits-type bits1 1pps input
ptp clock-source bits1 on
ptp clock-source bits1 priority1 0
ptp clock-source bits1 time-source 20
ptp clock-source bits1 clock-accuracy 20
ptp clock-source bits1 clock-class 1
ptp clock-source bits1 priority1 1
ptp clock-source bits1 priority2 2
ptp clock-source bits1 send-delay 500
ptp clock-source bits1 receive-delay 1000
#
interface GigabitEthernet1/0/0
undo shutdown
ptp delay-mechanism pdelay
ptp enable
#
return
10.10.2 Example for Restoring Frequency Synchronization Between an IP Clock Server and NodeBs Through 1588v2 Packets
In the case that devices on a bearer network do not support 1588v2, an IP clock server and
NodeBs can directly exchange 1588v2 packets over the QoS-guaranteed bearer network to
achieve frequency synchronization between NodeBs.
Networking Requirements
As shown in Figure 10-9, a BITS server can generate 1588v2 packets carrying frequency
information and send them to NodeBs over a QoS-guaranteed bearer network. The devices of
the bearer network do not need to support 1588v2, which saves investments of operators.
In this application scenario, the bearer network devices only need to provide end-to-end Layer
3 channels with the jitter being within 20 ms to transparently transmit 1588v2 packets between
the IP clock server and NodeBs.
Figure 10-9 Networking diagram of restoring frequency synchronization between an IP clock
server and NodeBs through 1588v2 packets
[Figure: IP Clock Server, RouterA, RouterB, RouterC, RouterD, and NodeB 1 and NodeB 2 (both
with 1588); 1588v2 packets are exchanged between the IP clock server and the NodeBs]
Configuration Roadmap
No configuration is needed because the bearer network devices do not need to support 1588v2.
10.10.3 Example for Synchronizing Frequencies Through the Integration of the 1588v2 Clock, Synchronous Ethernet Clock, and WAN Clock
Currently, only Ethernet interfaces and GE interfaces support 1588v2 functions. Other types of
interfaces on the existing network do not support the 1588v2 functions. When POS interfaces
or non-1588v2-aware Ethernet interfaces are deployed on a network, integrating 1588v2 with
the Ethernet and WAN clock synchronization technologies can achieve clock synchronization
over the entire network in a flexible manner.
Networking Requirements
A mobile operator runs a mobile bearer network as shown in Figure 10-10. The network is
configured with both POS interfaces and Ethernet interfaces. To meet the frequency
synchronization requirements of wireless bearer services, each device and NodeB on the bearer
network must be connected to a BITS server. The installation and maintenance are therefore
costly.
The operator then purchases 1588v2-aware devices and upgrades the clock synchronization
network. After the upgrade, only one BITS server needs to be deployed on the bearer network,
which also meets the frequency synchronization requirements of the wireless bearer services.
The clock synchronization network can be deployed as follows based on different types of
interfaces. BITS clock signals are injected to Router B and then transmitted to NodeB 2 on the
right through the WAN clock, 1588v2 clock, and WAN clock in sequence and to NodeB 1 on
the left through the synchronous Ethernet clock and 1588v2 clock. 1588v2 packets are
encapsulated through UDP and then transmitted to destination nodes.
Figure 10-10 Networking diagram of synchronizing frequencies through the integration of the
1588v2 clock, synchronous Ethernet clock, and WAN clock
[Figure: BITS, RouterA, RouterB, RouterC, RouterD, NodeB 1 (with 1588), and NodeB 2 (without
1588); legend: Ethernet synchronization, WAN, 1588v2]
Device Name  Interface Number  IP Address
-----------  ----------------  -----------
Router A     GE1/0/0           10.0.0.2/24
Router A     GE2/0/0           11.0.0.1/24
Router B     GE1/0/0           10.0.0.1/24
Router B     POS 6/0/0         12.0.0.1/24
Router C     POS 6/0/0         12.0.0.2/24
Router C     GE1/0/0           13.0.0.1/24
Router D     GE1/0/0           13.0.0.2/24
Router D     POS 6/0/0         14.0.0.1/24
NodeB 1                        11.0.0.2/24
NodeB 2                        14.0.0.2/24

Device Name  Interface Number  MAC Address
-----------  ----------------  --------------
RouterC      GE1/0/0           0000-1111-cccc
RouterD      GE1/0/0           0000-1111-dddd
NodeB1       -                 0000-1111-b1b1
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address on each interface and routes to ensure connectivity between
devices.
2. Import external BITS clock signals to Router B.
3. Synchronize clock signals of Router A with those of Router B through the synchronous
Ethernet clock.
4. Synchronize clock signals of Router C with those of Router B through the WAN clock.
5. Configure Router A as the BC that encapsulates 1588v2 packets through UDP and sends
clock signals to NodeB 1.
6. Configure Router C as the BC that encapsulates 1588v2 packets through UDP and sends
clock signals to Router D.
7. Configure Router D as the OC and synchronize clock signals of Router D with those of
Router C.
8. Configure Router D and send clock signals to NodeB 2 through the WAN clock.
Data Preparation
To complete the configuration, you need the following data:
• 1588 link delay measurement mechanism: delay
Procedure
Step 1 Enable a link layer protocol and configure an IP address on each interface. For configuration
details, see "Configuration Files" in this section.
Step 2 Enable OSPF to ensure the interworking between devices. For configuration details, see
"Configuration Files" in this section.
Step 3 Import signals of the external BITS clock source to Router B.
[RouterB] clock bits-type bits0 2mhz
[RouterB] clock source bits0 ssm prc
[RouterB] clock source bits0 priority 1
Step 4 Synchronize clock signals of Router A with those of Router B through the synchronous Ethernet
clock.
# Enable Router B with Ethernet clock synchronization.
[RouterB] clock ethernet-synchronization enable
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] clock synchronization enable
[RouterB-GigabitEthernet1/0/0] clock priority 2
# Enable Ethernet clock synchronization on Router A.
[RouterA] clock ethernet-synchronization enable
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] clock synchronization enable
[RouterA-GigabitEthernet1/0/0] clock priority 2
Step 5 Synchronize clock signals of Router C with those of Router B through the WAN clock.
# Configure POS 6/0/0 of Router B as the master interface.
[RouterB] interface POS 6/0/0
[RouterB-POS 6/0/0] clock master
# Configure POS 6/0/0 of Router C as the slave interface.
[RouterC] interface POS 6/0/0
[RouterC-POS 6/0/0] clock slave
[RouterC-POS 6/0/0] quit
Step 6 Configure Router A as the BC that encapsulates 1588v2 packets through UDP and sends clock
signals to NodeB 1.
[RouterA] ptp enable
[RouterA] ptp device-type bc
[RouterA] ptp clock-source local priority1 0
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ptp enable
[RouterA-GigabitEthernet2/0/0] ptp udp-egress source-ip 11.0.0.1 destination-ip 11.0.0.2
[RouterA-GigabitEthernet2/0/0] ptp udp-egress destination-mac 0000-1111-b1b1
[RouterA-GigabitEthernet2/0/0] quit
# Enable NodeB 1 to receive 1588v2 packets from Router A. For configuration details, see
"Configuration Files" in this section.
Step 7 Configure Router C as the BC that encapsulates 1588v2 packets through UDP and sends clock
signals to Router D.
# Configure Router C as the BC that encapsulates 1588v2 packets through UDP and sends clock
signals to Router D.
<RouterC> system-view
[RouterC] ptp enable
[RouterC] ptp device-type bc
[RouterC] ptp clock-source local priority1 0
[RouterC] interface ethernet 1/0/0
[RouterC-Ethernet1/0/0] ptp enable
[RouterC-Ethernet1/0/0] ptp udp-egress source-ip 13.0.0.1 destination-ip 13.0.0.2
[RouterC-Ethernet1/0/0] ptp udp-egress destination-mac 0000-1111-dddd
[RouterC-Ethernet1/0/0] quit
Step 8 Configure Router D as the OC and synchronize clock signals of Router D with those of
Router C through 1588v2 packets.
[RouterD] ptp enable
[RouterD] ptp device-type oc
[RouterD] ptp clock-source local priority1 128
[RouterD] clock manual source ptp
[RouterD] interface gigabitethernet 1/0/0
[RouterD-GigabitEthernet1/0/0] ptp enable
[RouterD-GigabitEthernet1/0/0] ptp udp-egress source-ip 13.0.0.2 destination-ip 13.0.0.1
[RouterD-GigabitEthernet1/0/0] ptp udp-egress destination-mac 0000-1111-cccc
[RouterD-GigabitEthernet1/0/0] quit
Step 9 Configure Router D and send clock signals to NodeB 2 through the WAN clock.
# Configure POS 6/0/0 of Router D as the master interface.
[RouterD] interface POS 6/0/0
[RouterD-POS 6/0/0] clock master
# Configure NodeB 2 as the slave interface. For configuration details, see "Configuration Files"
in this section.
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
clock ethernet-synchronization enable
interface GigabitEthernet 1/0/0
clock synchronization enable
clock priority 2
ptp clock-source local priority1 0
ptp enable
ptp device-type bc
interface gigabitethernet 2/0/0
ptp enable
ptp udp-egress source-ip 11.0.0.1 destination-ip 11.0.0.2
ptp udp-egress destination-mac 0000-1111-b1b1
#
• Configuration file of Router B
#
sysname RouterB
#
clock bits-type bits0 2mhz
clock source bits0 ssm prc
clock source bits0 priority 1
clock ethernet-synchronization enable
interface GigabitEthernet 1/0/0
clock synchronization enable
clock priority 2
interface POS 6/0/0
clock master
#
• Configuration file of Router C
#
sysname Router C
#
ptp enable
ptp device-type bc
ptp clock-source local priority1 0
clock manual source ptp
interface POS 6/0/0
clock slave
interface ethernet 1/0/0
ptp enable
ptp udp-egress source-ip 13.0.0.1 destination-ip 13.0.0.2
ptp udp-egress destination-mac 0000-1111-dddd
#
• Configuration file of Router D
#
sysname Router D
#
ptp enable
ptp device-type oc
ptp clock-source local priority1 128
clock manual source ptp
interface gigabitethernet 1/0/0
undo shutdown
ptp enable
ptp udp-egress source-ip 13.0.0.2 destination-ip 13.0.0.1
ptp udp-egress destination-mac 0000-1111-cccc
interface POS 6/0/0
clock master
#
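The following script is an added example, not part of the Huawei guide. It checks that two directly connected devices using UDP-encapsulated 1588v2 packets point at each other: source-ip and destination-ip are mirrored, and each destination-mac equals the peer's interface MAC. The configuration text and MAC table are constructed from the Router C and Router D values in this example; the function names and the "mirrored" rule are assumptions derived from those values.

```python
import ipaddress
import re

# Constructed from the Router C and Router D configuration files and the
# MAC address table in this example (interface-view lines indented for clarity).
CONFIGS = {
    "RouterC": """\
interface ethernet 1/0/0
 ptp enable
 ptp udp-egress source-ip 13.0.0.1 destination-ip 13.0.0.2
 ptp udp-egress destination-mac 0000-1111-dddd
""",
    "RouterD": """\
interface gigabitethernet 1/0/0
 undo shutdown
 ptp enable
 ptp udp-egress source-ip 13.0.0.2 destination-ip 13.0.0.1
 ptp udp-egress destination-mac 0000-1111-cccc
""",
}
INTERFACE_MAC = {"RouterC": "0000-1111-cccc", "RouterD": "0000-1111-dddd"}

IP_RE = re.compile(r"ptp udp-egress source-ip (\S+) destination-ip (\S+)")
MAC_RE = re.compile(r"ptp udp-egress destination-mac (\S+)")


def parse_udp_egress(config):
    """Return one dict per interface that carries ptp udp-egress settings."""
    ports, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"interface": line[len("interface "):], "ptp_enabled": False}
            ports.append(current)
            continue
        if current is None:
            continue
        ip_match = IP_RE.fullmatch(line)
        mac_match = MAC_RE.fullmatch(line)
        if line == "ptp enable":
            current["ptp_enabled"] = True
        elif ip_match:
            # ip_address() raises ValueError on a malformed address.
            current["src"] = ipaddress.ip_address(ip_match.group(1))
            current["dst"] = ipaddress.ip_address(ip_match.group(2))
        elif mac_match:
            current["dmac"] = mac_match.group(1).lower()
    return [port for port in ports if "src" in port]


def check_pair(name_a, port_a, name_b, port_b, interface_mac):
    """Compare two directly connected PTP ports; return a list of problems."""
    problems = []
    for name, port in ((name_a, port_a), (name_b, port_b)):
        if not port["ptp_enabled"]:
            problems.append(f"{name} {port['interface']}: ptp enable is missing")
    if port_a["src"] != port_b["dst"] or port_a["dst"] != port_b["src"]:
        problems.append("source-ip/destination-ip are not mirrored between peers")
    for name, port, peer in ((name_a, port_a, name_b), (name_b, port_b, name_a)):
        if port.get("dmac") != interface_mac[peer].lower():
            problems.append(
                f"{name}: destination-mac does not match {peer}'s interface MAC")
    return problems


def check_configs(configs, interface_mac, name_a="RouterC", name_b="RouterD"):
    """Parse both configurations and check the first udp-egress port of each."""
    port_a = parse_udp_egress(configs[name_a])[0]
    port_b = parse_udp_egress(configs[name_b])[0]
    return check_pair(name_a, port_a, name_b, port_b, interface_mac)


if __name__ == "__main__":
    print(check_configs(CONFIGS, INTERFACE_MAC) or "peers are consistent")
```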
10.10.4 Checking the Configurations
After MP limiting parameters are configured, you can check the configurations of the parameters.
Procedure
Step 1 Run the display current-configuration interface [ interface-type [ interface-number ] ]
command to check the configuration of MP-Group interface.
----End
Example
After running the display current-configuration interface command, you can check
configurations on the MP-Group interface.
<HUAWEI> display current-configuration interface mp-group 1/0/1
#
interface Mp-group1/0/1
mrru 1200
ppp mp threshold 2
ppp mp damping detect-time 32 flapping-count 32 damping-time 62
#
return
10.10.5 Example for Configuring Clock Synchronization of an Entire Network Through Multicast MAC-Encapsulated 1588v2 Packets
Serving as a clock synchronization protocol, 1588v2 can transmit frequency signals and time
signals of BITS servers across an entire network, which achieves clock synchronization between
the wireless bearer network and wireless access network. By default, NE80E/40Es encapsulate
1588v2 packets in multicast MAC mode. For NodeBs supporting multicast MAC-encapsulated
1588v2 packets, you can configure all clocks of an entire network as BCs to simplify the
operation of clock synchronization on the entire network.
Networking Requirements
As shown in Figure 10-11, PE1 and PE2 are core devices on a bearer network and CE1 and CE2
are edge devices on a wireless access network. PE1 and PE2, functioning as the external BITS
clock sources for BCs, advertise clock and time information to CE1 and CE2. CE1 and CE2,
functioning as BCs, synchronize clock signals with the BITS through 1588v2 and send 1588v2
packets carrying the frequency and time information to their attached NodeBs. In addition, CE2
can send E1 signals carrying frequency information to non-1588v2-aware NodeB 2 for restoring
frequency synchronization.
Figure 10-11 Networking diagram of configuring clock synchronization of an entire network
through multicast MAC-encapsulated 1588v2 packets
[Figure: two BITS clock sources, PE1, PE2, CE1, CE2, NodeB1 (with 1588v2), NodeB2 (without 1588v2), NodeB3 (with 1588v2); link labels GE1/0/0, GE1/0/1, POS6/0/0, E1]
Configuration Roadmap
The configuration roadmap is as follows:
1. Add PE1, PE2, CE1, and CE2 to a VLAN.
2. Connect PE1 and PE2 to BITS clock sources.
3. Configure PE1, PE2, CE1, and CE2 as BCs.
NOTE
1588v2 packets are encapsulated in the default multicast MAC mode.
Data Preparation
To complete the configuration, you need the following data:
• ID of the 1588v2 domain to which devices belong
• Interval for sending Announce messages and timeout period of receiving Announce
  messages
• Interval for sending Sync messages
• Interval for sending Delay messages
• MAC address of each NodeB
Procedure
Step 1 Configure PE1 and PE2 so that they can import BITS clock signals through their clock interfaces.
For the detailed configurations, see the section Example for Configuring the BITS as the PTP
Clock Source.
Step 2 Configure PE1 and PE2 as BCs.
# Configure PE1.
[PE1] ptp enable
[PE1] ptp device-type bc
[PE1] ptp domain 1
[PE1] ptp clock-source local priority1 128
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ptp enable
[PE1-GigabitEthernet1/0/0] quit
# Configure PE2.
<PE2> system-view
[PE2] ptp enable
[PE2] ptp device-type bc
[PE2] ptp domain 1
[PE2] ptp clock-source local priority1 128
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ptp enable
[PE2-GigabitEthernet1/0/0] quit
Step 3 Configure CE1 and CE2 as BCs so that they can synchronize the clock and time information
with that of PE1 and PE2 and advertise the information to NodeB 1 and NodeB 3.
# Configure CE1.
[CE1] ptp enable
[CE1] ptp device-type bc
[CE1] ptp domain 1
[CE1] ptp clock-source local priority1 128
[CE1] clock manual source ptp
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ptp enable
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] ptp enable
[CE1-GigabitEthernet1/0/1] ptp announce-drop enable
[CE1-GigabitEthernet1/0/1] quit
# Configure CE2.
[CE2] ptp enable
[CE2] ptp device-type bc
[CE2] ptp domain 1
[CE2] ptp clock-source local priority1 128
[CE2] clock manual source ptp
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ptp enable
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] ptp enable
[CE2-GigabitEthernet1/0/1] ptp announce-drop enable
[CE2-GigabitEthernet1/0/1] quit
Step 4 Verify the configuration.
After the preceding configurations, CE1 and CE2 can trace the clock and time information of
PE1 and PE2. Take the display on CE1 as an example. Run the display ptp all command. You
can view information about 1588v2 synchronization.
<CE1> display ptp all
Device config info
------------------------------------------------------------------
PTP state          :enabled
Domain value       :1
Slave only         :no
Device type        :BC
Set port state     :no
Local clock ID     :000a0bfffe0c0d42
Acl                :no
Virtual clock ID   :no
Acr                :no
BMC run info
------------------------------------------------------------------
Grand clock ID     :000a0bfffe0c0dd4
Receive number     :GigabitEthernet1/0/0
Parent clock ID    :000a0bfffe0c0dd4
Parent portnumber  :6417
Priority1          :128
Priority2          :128
Step removed       :1
Clock accuracy     :49
Clock class        :187
Time Source        :160
UTC Offset         :0
UTC Offset Valid   :False
Time Scale         :ARB
Time Traceable     :False
Leap               :None
Frequence Traceable:False
Port info
Name                  State  Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave  delay       10           BC    1
Time Performance Statistics(ns): Slot 1 Card 0 Port 0
------------------------------------------------------------------------
Realtime(T2-T1)    :534
Pathdelay          :0
Max(T2-T1)         :887704804
Min(T2-T1)         :512
Clock source info
Clock  Pri1  Pri2  Accuracy  Class  TimeSrc  Signal  Switch  Direction In-Status
------------------------------------------------------------------------
local  200   128   0x31      187    0xa0
bits0  128   128   0x20      6      0x20     none    off     -/abnormal
bits1  128   128   0x20      6      0x20     none    off     -/abnormal
bits2  128   128   0x20      6      0x20     none    off     -/abnormal
----End
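The Step 4 check can be automated. The following Python script is an added example, not part of the Huawei guide: it parses display ptp all output and reports when a device is not tracing an approved grandmaster through the expected uplink. The sample text is constructed from the CE1 output above; the function names, the allowlist of grandmaster clock IDs, and the reading of the Receive number field as the receiving interface are assumptions.

```python
import re

# Constructed sample, modeled on the "display ptp all" output shown for CE1.
SAMPLE = """\
Device config info
------------------------------------------------------------------
PTP state          :enabled
Domain value       :1
Device type        :BC
Local clock ID     :000a0bfffe0c0d42
BMC run info
------------------------------------------------------------------
Grand clock ID     :000a0bfffe0c0dd4
Receive number     :GigabitEthernet1/0/0
Parent clock ID    :000a0bfffe0c0dd4
Step removed       :1
Port info
Name                  State  Delay-mech  Ann-timeout  Type  Domain
------------------------------------------------------------------------
GigabitEthernet1/0/0  slave  delay       10           BC    1
"""


def parse_ptp_all(text):
    """Return (fields, ports): 'key :value' pairs and the rows of 'Port info'."""
    fields, ports, in_ports = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Port info"):
            in_ports = True
            continue
        if line.startswith(("Time Performance", "Clock source info")):
            in_ports = False
        if in_ports:
            parts = line.split()
            # A port row has six columns; skip the header and separator lines.
            if len(parts) == 6 and parts[0] != "Name":
                ports[parts[0]] = {"state": parts[1], "domain": parts[5]}
            continue
        m = re.match(r"^([^:]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields, ports


def verify_sync(text, expected_domain, allowed_grandmasters, uplink):
    """Return a list of problems; an empty list means the checks passed.

    allowed_grandmasters is an operator-maintained set of clock IDs (assumption).
    """
    fields, ports = parse_ptp_all(text)
    problems = []
    if fields.get("PTP state") != "enabled":
        problems.append("PTP is not enabled")
    if fields.get("Domain value") != str(expected_domain):
        problems.append(f"domain is {fields.get('Domain value')}, expected {expected_domain}")
    gm = fields.get("Grand clock ID")
    if gm == fields.get("Local clock ID"):
        problems.append("device elected itself grandmaster; no upstream clock is traced")
    elif gm not in allowed_grandmasters:
        problems.append(f"unexpected grandmaster {gm}")
    if fields.get("Receive number") != uplink:
        problems.append(f"clock received on {fields.get('Receive number')}, expected {uplink}")
    if ports.get(uplink, {}).get("state") != "slave":
        problems.append(f"{uplink} is not in slave state")
    return problems


if __name__ == "__main__":
    for p in verify_sync(SAMPLE, 1, {"000a0bfffe0c0dd4"}, "GigabitEthernet1/0/0") or ["ok"]:
        print(p)
```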
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
clock manual source ptp
#
ptp enable
ptp domain 1
ptp device-type bc
ptp clock-source local priority1 128
#
interface GigabitEthernet1/0/0
undo shutdown
ptp enable
#
interface GigabitEthernet1/0/1
undo shutdown
ptp enable
ptp announce-drop enable
#
return
• Configuration file of CE2
#
sysname CE2
#
clock manual source ptp
#
ptp enable
ptp domain 1
ptp device-type bc
ptp clock-source local priority1 128
#
interface GigabitEthernet1/0/0
undo shutdown
ptp enable
#
interface GigabitEthernet1/0/1
undo shutdown
ptp enable
ptp announce-drop enable
#
• Configuration file of PE1
#
sysname PE1
#
clock bits-type bits0 2mhz
clock bits-type bits2 1pps input
clock manual source bits0
ptp clock-source bits2 priority1 0
ptp clock-source bits2 on
#
ptp enable
ptp domain 1
ptp device-type bc
ptp clock-source local priority1 128
#
interface GigabitEthernet1/0/1
undo shutdown
ptp enable
#
return
• Configuration file of PE2
#
sysname PE2
#
clock bits-type bits0 2mhz
clock bits-type bits2 1pps input
clock manual source bits0
ptp clock-source bits2 priority1 0
ptp clock-source bits2 on
ptp clock-source local priority1 128
#
ptp enable
ptp domain 1
ptp device-type bc
#
interface GigabitEthernet1/0/1
undo shutdown
ptp enable
#
return
10.10.6 Example for Configuring 1588 ACR Clock Synchronization in a Single-Server Scenario
This section describes how to configure 1588 ACR on the router functioning as a client and the
router functioning as a server to restore clock information in a single-server scenario by using
an example.
Networking Requirements
On the IP RAN shown in Figure 10-12, Router A functions as a clock server and is connected
to an IP CLK. Router C functions as a client, and sends a 1588 ACR Layer 3 unicast negotiation
request to the server to achieve clock synchronization.
Figure 10-12 Networking diagram of configuring 1588 ACR clock synchronization in a single-server scenario
[Figure: IP CLK, RouterA (Master, 1.1.1.1/32), RouterB, RouterC (Slave, 2.2.2.2/32), IP/MPLS Backbone, RNC, Node B with 1588; 1588v2 ACR]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Router A as a server.
2. Configure Router C as a client.
3. Adjust Layer 3 unicast negotiation parameters on the server and the client.
Data Preparation
To complete the configuration, you need the following data:
• IP address of the server and the IP address of the client
• Interval for sending Sync, Delay_Resp, and Announce packets on the server
Procedure
Step 1 Configure Router A as a server.
<RouterA> system-view
[RouterA] interface loopback 0
[RouterA-Loopback0] ip address 1.1.1.1 32
[RouterA-Loopback0] quit
[RouterA] ptp-adaptive enable
[RouterA] ptp-adaptive device-type server
[RouterA] ptp-adaptive local-ip 1.1.1.1
Step 2 Configure Router C as a client.
<RouterC> system-view
[RouterC] interface loopback 0
[RouterC-Loopback0] ip address 2.2.2.2 32
[RouterC-Loopback0] quit
[RouterC] ptp-adaptive enable
[RouterC] ptp-adaptive device-type client
[RouterC] ptp-adaptive local-ip 2.2.2.2
[RouterC] ptp-adaptive remote-server1-ip 1.1.1.1
Step 3 Adjust Layer 3 unicast negotiation parameters on the client and the server.
# Configure the client.
[RouterC] ptp-adaptive request sync-interval 4
[RouterC] ptp-adaptive request announce-interval 12
[RouterC] ptp-adaptive request delay-resp-interval 6
Step 4 Configure unicast negotiation on the server and client.
# Configure the server.
[RouterA] ptp-adaptive acr unicast-negotiate enable
# Configure the client.
[RouterC] ptp-adaptive acr unicast-negotiate enable
Step 5 Verify the configuration.
# Check the 1588 ACR configuration on Router C.
<RouterC> display ptp-adaptive all
Device config info
---------------------------------------------------------------------------
Ptp adaptive state       : enable
Device type              : client
Sync mode                : frequency
Current state            : slave
Packet dscp              : 56
Domain value             : 0
Announce interval        : 12
Announce duration        : 300s
Sync interval            : 4
Sync duration            : 300s
Delay_resp interval      : 6
Delay_resp duration      : 300s
Announce receipt timeout : 3
Acr mode                 : one-way
Local ip                 : 2.2.2.2
Client board             : NA
Clockclass-ssm mapping   : enable
Forward mode             : distributed
Ptp port name            : GigabitEthernet1/5/1
Frequency profile        : no
BMCA run info
---------------------------------------------------------------------------
Current trace source     : server1
Frequency lock success   : yes
Time Performance Statistics(ns):
------------------------------------------------------------------------
Realtime(T2-T1)          :987740873
Max(T2-T1)               :987742555
Min(T2-T1)               :987423502
Remote server info
---------------------------------------------------------------------------
Current negotiate server: 1
         Ip address  Negotiate state  Pri1  Class  Accuracy  Pri2
Server1: 1.1.1.1     Nego success     128   6      0x34      128
Server2:
# Check the 1588 ACR configuration on Router A.
<RouterA> display ptp-adaptive all
Device config info
---------------------------------------------------------------------------
Ptp adaptive state       : enable
Device type              : server
Sync mode                : frequency
Current state            : master
Packet dscp              : 56
Domain value             : 0
Local ip                 : 1.1.1.1
Server board             : 3
Frequency profile        : no
VPN                      : none
Client info
ID Ip Address Clock ID Mode Announce Sync Delay_resp
---------------------------------------------------------------------------
1 0 2.2.2.2 001882fffed48301 one-way 2 -6 -4
----End
Configuration Files
Configuration file of Router A
#
sysname RouterA
#
ptp-adaptive enable
ptp-adaptive device-type server
ptp-adaptive local-ip 1.1.1.1
ptp-adaptive acr unicast-negotiate enable
#
interface Loopback0
ip address 1.1.1.1 255.255.255.255
#
return
Configuration file of Router C
#
sysname RouterC
#
ptp-adaptive enable
ptp-adaptive device-type client
ptp-adaptive local-ip 2.2.2.2
ptp-adaptive remote-server1-ip 1.1.1.1
ptp-adaptive request sync-interval 4
ptp-adaptive request announce-interval 12
ptp-adaptive request delay-resp-interval 6
ptp-adaptive acr unicast-negotiate enable
#
interface Loopback0
ip address 2.2.2.2 255.255.255.255
#
return
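The server and client configurations only work as a pair: the client's remote-server1-ip must be the server's local-ip, each local-ip must exist on an interface, and unicast negotiation must be enabled on both sides. The following Python script is an added example, not part of the Huawei guide, that checks those relationships on the two configuration files listed above; the function names are assumptions.

```python
# Configuration files of Router A (server) and Router C (client) as listed in this section.
ROUTER_A = """\
#
sysname RouterA
#
ptp-adaptive enable
ptp-adaptive device-type server
ptp-adaptive local-ip 1.1.1.1
ptp-adaptive acr unicast-negotiate enable
#
interface Loopback0
ip address 1.1.1.1 255.255.255.255
#
return
"""
ROUTER_C = """\
#
sysname RouterC
#
ptp-adaptive enable
ptp-adaptive device-type client
ptp-adaptive local-ip 2.2.2.2
ptp-adaptive remote-server1-ip 1.1.1.1
ptp-adaptive request sync-interval 4
ptp-adaptive request announce-interval 12
ptp-adaptive request delay-resp-interval 6
ptp-adaptive acr unicast-negotiate enable
#
interface Loopback0
ip address 2.2.2.2 255.255.255.255
#
return
"""


def parse_config(text):
    """Return (global_lines, {interface: [lines]}); a '#' line ends a section."""
    glob, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None
        elif line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None:
            current.append(line)
        else:
            glob.append(line)
    return glob, ifaces


def acr_settings(text):
    """Extract the 1588 ACR settings and interface addresses from one config file."""
    glob, ifaces = parse_config(text)

    def value(prefix):
        for line in glob:
            if line.startswith(prefix + " "):
                return line[len(prefix) + 1:].strip()
        return None

    addresses = {l.split()[2] for lines in ifaces.values() for l in lines
                 if l.startswith("ip address ") and len(l.split()) >= 3}
    return {
        "name": value("sysname"),
        "enabled": "ptp-adaptive enable" in glob,
        "negotiate": "ptp-adaptive acr unicast-negotiate enable" in glob,
        "role": value("ptp-adaptive device-type"),
        "local_ip": value("ptp-adaptive local-ip"),
        "server1": value("ptp-adaptive remote-server1-ip"),
        "addresses": addresses,
    }


def check_acr_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    server, client = acr_settings(server_text), acr_settings(client_text)
    problems = []
    for dev, role in ((server, "server"), (client, "client")):
        name = dev["name"] or role
        if not dev["enabled"]:
            problems.append(f"{name}: ptp-adaptive is not enabled")
        if dev["role"] != role:
            problems.append(f"{name}: device-type is {dev['role']}, expected {role}")
        if dev["local_ip"] is None or dev["local_ip"] not in dev["addresses"]:
            problems.append(f"{name}: local-ip {dev['local_ip']} is not configured on any interface")
        if not dev["negotiate"]:
            problems.append(f"{name}: acr unicast-negotiate is not enabled")
    if client["server1"] != server["local_ip"]:
        problems.append(f"client points at server {client['server1']}, "
                        f"but the server's local-ip is {server['local_ip']}")
    return problems


if __name__ == "__main__":
    print(check_acr_pair(ROUTER_A, ROUTER_C) or "ACR server/client pair is consistent")
```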
11 Device Maintenance
About This Chapter
With routine device maintenance, you can detect potential operation threats on devices and then
eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.
11.1 Introduction of Device Maintenance
Device maintenance involves replacing boards and monitoring the internal environment.
11.2 Configuring an E-label for the Backplane of the NE80E
Users can set e-labels to maintain and manage assets on the NE80E.
11.3 Configuring an Energy Saving Mode
The router allows you to configure an energy saving mode to reduce the router power
consumption.
11.4 Configuring the System MAC Address
11.5 Powering off the MPU
To ensure non-stop services, you can power off the slave MPU only. If the device has only one
MPU, confirm the action before powering off the MPU.
11.6 Powering off the SFU
When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.
11.7 Powering off the NPU
This section describes how to power off the NPU.
11.8 Powering Off the LPU
If the LPU is faulty or you need to routinely maintain it, you can power it off.
11.9 (Optional) Configuring the NE80E with 5000 W power consumption to Power on
LPUF-40s/LPUI-40s
This section describes how to configure the NE80E with 5000 W power consumption to power
on LPUF-40s/LPUI-40s.
11.10 Configuring the Input Power of a Power Module
When the maximum output power supplied by the power cabinet is less than the rated power of
a power module, you need to configure the input power of this power module. The power
management module ensures that power modules supply power to boards based on their
configured input power.
11.11 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to
bind a valid Global Trotter License (GTL) file to the NPU.
11.12 Configuring an Access Mode for a Device
11.13 Configuring a Working Mode for an LPU
LPUs support various working modes, which you can use commands to configure.
11.14 Configuring a Working Mode for an LPUF-40 or LPUF-20/21
LPUF-20/21 or LPUF-40 supports various service modes, which you can use commands to
configure.
11.15 Configuring Automatic Board Reset
This section describes how to configure boards to automatically reset when an alarm is generated.
11.16 Setting the Working Mode of the 1-Port OC-192c/STM-64c POS-XFP Flexible Card on
the LPUF-10
The 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 can work in
oversubscription mode or non-oversubscription mode, which can be configured through a
command.
11.17 (Optional) Configuring Periodic Reliability Detection on 2-Port OC-12c/STM-4c ATM-SFP Flexible Cards on LPUF-10s
11.18 Configuring the CMU
11.19 Configuring Link-heartbeat Loopback Detection
The NE80E/40E supports the link-heartbeat loopback detection function which is implemented
by sending link-heartbeat packets. This function helps locate faults rapidly and maintain the
device.
11.20 Configuring a Cleaning Cycle for the Air Filter
This section describes the procedure for configuring a cleaning cycle for the air filter.
11.21 Monitoring the Device Status
You can monitor the device status to facilitate fault location and cause analysis.
11.22 Board Maintenance
Board Maintenance involves resetting a board and clearing the maximum CPU usage.
11.23 Configuration Examples of the Device Maintenance
This section provides examples for powering off different types of boards to describe common
device maintenance operations.
11.1 Introduction of Device Maintenance
Device maintenance involves replacing boards and monitoring the internal environment.
11.1.1 Overview of Device Maintenance
Device maintenance involves replacing boards and monitoring the internal environment.
Concept
The stable running of a router depends on mature network planning and routine
maintenance. In addition, hidden hazards must be located quickly.
The maintenance personnel must check the alarm information in time and deal with the fault
properly to keep the device in normal operation and reduce the failure rate. Thus, the system
runs in a safe, stable, and reliable environment.
Maintenance Operation
Maintenance such as board replacement and internal environment check ensures the normal
operation of the router.
11.1.2 Maintenance Features Supported by the NE80E/40E
The NE80E/40E allows boards to be powered off and allows the operation status to be monitored.
Powering off
You can power on or power off the boards through command lines to perform hot plugging
without interrupting the services on the router.
Monitoring
In routine maintenance of the device, you can run the display commands to view the working
status of the router. This helps the maintenance personnel locate faults quickly during
troubleshooting.
11.2 Configuring an E-label for the Backplane of the NE80E
Users can set e-labels to maintain and manage assets on the NE80E.
Context
Users can set e-labels to maintain and manage assets on the NE80E. An e-label includes a bar
code and an asset ID.
NOTE
This function takes effect only on the NE80E.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set elabel { backplane barcode | asset assetid }
An e-label is configured for the backplane of the NE80E.
----End
Checking the Configuration
Run the display elabel asset command to check the e-label of the backplane of the NE80E.
<HUAWEI>display elabel asset
11.3 Configuring an Energy Saving Mode
The router allows you to configure an energy saving mode to reduce the router power
consumption.
Context
An energy saving mode allows the router to disable some unused modules during the system
running, reducing the router power consumption.
The router supports the following energy saving modes:
• Standard energy saving mode: This mode allows the router to disable the default unused
  modules during the system running, without affecting the router running. This mode is
  applicable when the router is used as the network core device or when a large number of
  services are transmitted.
• Basic energy saving mode: This mode allows the system to dynamically monitor each
  module's working status and disable or hibernate unused modules.
• Deep energy-saving mode: When the basic energy-saving mode has been used, this mode
  allows the router to shut down or hibernate unused components. This mode applies only
  when the router's operating environment is stable and less burst traffic exists.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set energy-mode mode [ standard | basic | deep ]
An energy saving mode is configured for the router. By default, the router uses the basic energy
saving mode.
----End
Checking the Configuration
Run the display energy-mode mode command to check the configured energy saving mode.
<HUAWEI>system-view
[HUAWEI]display energy-mode mode
NE40E`s current energy-mode : basic
11.4 Configuring the System MAC Address
Context
If the system MAC addresses of two devices are the same, the system MAC address of a device
must be modified to avoid network faults.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set system-mac
The system MAC is configured.
NOTICE
The modified MAC address takes effect after the device restarts.
----End
11.5 Powering off the MPU
To ensure non-stop services, you can power off the slave MPU only. If the device has only one
MPU, confirm the action before powering off the MPU.
11.5.1 Before You Start
Before powering off the MPU, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
Applicable Environment
The two Main Processing Units (MPUs) are in 1:1 backup mode. During operation, one MPU
serves as the master MPU and the other as the slave MPU. Remove the MPUs in the following
situations:
• Maintenance of the MPU such as dust removing
• Upgrade of the hardware on the MPUs such as memory capacity extending
• Failure of the MPU
Pre-configuration Tasks
Before powering off the MPU, complete the following tasks:
• Checking the slot of the MPU to be powered off
• Running the display device command to check the status of the MPU
  If the MPU is the master MPU, perform the master and slave switchover first.
Data Preparation
To power off the MPU, you need the following data.
No.  Data
1    Slot number of the MPU to be powered off
11.5.2 Powering off the Slave MPU
When the MPU is faulty or you need to routinely maintain the MPU, you can power off the
MPU.
Context
CAUTION
The router cannot work with a single MPU for a long time. If the single MPU fails, the whole
system breaks down. After powering off the slave MPU, restore the MPU immediately.
Do as follows on the router to be configured:
Procedure
Step 1 Run:
power off slot slot-id
The slave MPU is powered off.
NOTE
If there is no terminal on the deployment site, you can power off the slave MPU by using the OFL (offline)
button. The OFL button is in the upper part of the slave MPU. Press the button for six seconds.
If the OFL indicator is on, it means that the slave MPU is powered off successfully.
----End
11.5.3 Checking the Configuration
After the MPU is powered off, you can run the display device command to check whether the
MPU has been powered off.
Context
Run the following commands to check the previous configuration.
Procedure
• Run:
display device
Check the registration of the SRU/MPU.
----End
Example
After the power-off operation, run the display device command. If the slave SRU/MPU is in
the abnormal state, it means that the operation succeeds. For example:
<HUAWEI> display device
NE40E's Device status:
Slot #   Type   Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5        LPU    Present   Registered     Normal     NA
6        LPU    Present   Registered     Normal     NA
9        LPU    Present   Registered     Normal     NA
12       LPU    Present   Registered     Normal     NA
11       LPU    Present   Registered     Normal     NA
16       LPU    Present   Registered     Normal     NA
17       MPU    Present   Unregistered   Abnormal   Slave
18       MPU    Present   NA             Normal     Master
19       SFU    Present   Registered     Normal     NA
20       SFU    Present   Registered     Normal     NA
21       SFU    Present   Registered     Normal     NA
22       SFU    Present   Registered     Normal     NA
23       CLK    Present   Registered     Normal     NA
24       CLK    Present   Registered     Normal     NA
25       PWR    Present   Registered     Normal     NA
26       PWR    Present   Registered     Normal     NA
27       FAN    Present   Registered     Normal     NA
28       FAN    Present   Registered     Normal     NA
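The pre-configuration rule (switch over before touching the master MPU) and the post-check (the slave MPU shows Abnormal; other boards show Unregistered) can both be evaluated from display device output. The following Python script is an added example, not part of the Huawei guide; the sample outputs are constructed from the table above, the function names are assumptions, and the requirement that a healthy master MPU remains is an assumption drawn from the CAUTION in this section.

```python
import re

# Constructed samples modeled on the "display device" output in this section:
# BEFORE has both MPUs running, AFTER shows the slave MPU in slot 17 powered off.
BEFORE = """\
NE40E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
"""
AFTER = """\
NE40E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Registered    Normal    NA
17      MPU   Present  Unregistered  Abnormal  Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
"""

# A board row: slot number followed by exactly five more columns.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_display_device(text):
    """Return {slot: {type, online, register, status, primary}} for each board row."""
    boards = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            slot, btype, online, register, status, primary = m.groups()
            boards[int(slot)] = {"type": btype, "online": online, "register": register,
                                 "status": status, "primary": primary}
    return boards


def precheck_power_off(boards, slot):
    """Apply the pre-configuration checks before running 'power off slot <slot>'."""
    board = boards.get(slot)
    if board is None:
        return False, f"slot {slot} is not listed in the display device output"
    if board["type"] == "MPU":
        if board["primary"] == "Master":
            return False, "master MPU: perform the master and slave switchover first"
        # Assumption based on the CAUTION: a healthy master MPU must remain.
        others = [b for s, b in boards.items() if b["type"] == "MPU" and s != slot]
        if not any(b["primary"] == "Master" and b["status"] == "Normal" for b in others):
            return False, "no healthy master MPU would remain"
    return True, "ok"


def power_off_confirmed(boards, slot):
    """Post-check: an MPU must show Abnormal, any other board must show Unregistered."""
    board = boards.get(slot)
    if board is None:
        return False
    if board["type"] == "MPU":
        return board["status"] == "Abnormal"
    return board["register"] == "Unregistered"


if __name__ == "__main__":
    print(precheck_power_off(parse_display_device(BEFORE), 17))
    print(power_off_confirmed(parse_display_device(AFTER), 17))
```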
11.6 Powering off the SFU
When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.
NOTE
SFUs are not supported on the X1 and X2 models of the NE80E/40E.
11.6.1 Before You Start
Before powering off the SFU, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
Applicable Environment
During normal operation of the device, four Switch and Fabric Units (SFUs) work in 3+1 load
balancing mode. Remove the SFUs in the following situations:
• Maintenance of the SFU such as dust removing
• Failure of the SFU and replacement or repair of the SFU
Pre-configuration Tasks
Before powering off the SFU, complete the following tasks:
• Checking the slot of the SFU to be powered off
Data Preparation
To power off the SFU, you need the following data.
No.  Data
1    Slot number of the SFU to be powered off
11.6.2 Powering off the SFU
You can power off the SFU by using a command or pressing the OFL button.
Context
Do as follows on the router to be configured:
Procedure
Step 1 Run:
power off slot slot-id
The SFU is powered off.
NOTE
SFU is not supported on the X1 and X2 models of the NE80E/40E.
If there is no terminal on the deployment site, you can power off the slave SFU by using the OFL button.
The OFL button is in the upper part of the slave SFU. Press the button for six seconds. If the OFL indicator
is on, it means that powering off the SFU succeeds.
----End
11.6.3 Checking the Configuration
After the SFU is powered off, you can run the display device command to check whether the
SFU has been powered off.
Context
Run the following commands to check the previous configuration.
Procedure
Step 1 Run:
display device
Check the registration of the SFU.
----End
Example
After the power-off operation, run the display device command. If the SFU is in the unregistered
state, it means that the operation succeeds. For example:
<HUAWEI> display device
NE40E-X8's Device status:
Slot #   Type   Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5        LPU    Present   Registered     Normal     NA
6        LPU    Present   Registered     Normal     NA
9        LPU    Present   Registered     Normal     NA
12       LPU    Present   Registered     Normal     NA
11       LPU    Present   Registered     Normal     NA
16       LPU    Present   Registered     Normal     NA
17       MPU    Present   Registered     Normal     Slave
18       MPU    Present   NA             Normal     Master
19       SFU    Present   Unregistered   Abnormal   NA
20       SFU    Present   Registered     Normal     NA
21       SFU    Present   Registered     Normal     NA
22       SFU    Present   Registered     Normal     NA
23       CLK    Present   Registered     Normal     NA
24       CLK    Present   Registered     Normal     NA
25       PWR    Present   Registered     Normal     NA
26       PWR    Present   Registered     Normal     NA
27       FAN    Present   Registered     Normal     NA
28       FAN    Present   Registered     Normal     NA
11.7 Powering off the NPU
This section describes how to power off the NPU.
NOTE
NPUs are only supported on the X1 and X2 models of the NE80E/40E.
11.7.1 Before You Start
Applicable Environment
Remove the NPU in the following situations:
• Maintenance of the NPU such as dust removing
• Failure of the NPU and replacement or repair of the NPU
Pre-configuration Tasks
Before powering off the NPU, complete the following tasks:
None.
Data Preparation
To power off the NPU, you need the following data.
No.  Data
1    Slot number of the NPU to be powered off
11.7.2 Powering off the NPU
Context
Do as follows on the router to be configured:
Procedure
Step 1 Run:
power off slot slot-id
The NPU is powered off.
NOTE
If there is no terminal on the deployment site, you can power off the slave NPU by using the OFL button.
The OFL button is in the upper part of the slave NPU. Press the button for six seconds. If the OFL indicator
is on, it means that powering off the NPU succeeds.
----End
11.7.3 Checking the Configuration
Context
Run the following commands to check the previous configuration.
Procedure
Step 1 Run:
display device
Check the registration of the NPU.
----End
Example
After the power-off operation, run the display device command. If the NPU is in the unregistered
state, it means that the operation succeeds. For example:
<HUAWEI> display device
NE40E-X1's Device status:
Slot #   Type   Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1        NPU    Present   Unregistered   Abnormal   NA
2        PIC    Present   Registered     Normal     NA
3        PIC    Present   Registered     Normal     NA
4        PIC    Present   Registered     Normal     NA
5        PIC    Present   Registered     Normal     NA
7        MPU    Present   NA             Normal     Master
8        PWR    Present   Registered     Normal     NA
10       FAN    Present   Registered     Normal     NA
12       CLK    Present   Registered     Normal     Master
11.8 Powering Off the LPU
If the LPU is faulty or you need to routinely maintain it, you can power it off.
11.8.1 Before You Start
Before powering off the LPU, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
Applicable Environment
Power off the LPU in the following situations:
• When performing routine maintenance on the LPU, such as removing dust
• If the LPU fails and it needs to be repaired or replaced
Pre-configuration Tasks
Before powering off the LPU, you need to prepare a slave LPU.
Data Preparation
To power off the LPU, you need the following data:
No.  Data
1    The slot number of the LPU to be powered off
2    A slave LPU whose board type and Physical Interface Card (PIC) type are the same
     as those of the LPU to be powered off
11.8.2 Powering Off the LPU
You can run a command or press the OFL button to power off the LPU.
Context
Do as follows on the router to be configured:
Procedure
Step 1 Run:
power off slot slot-id
The LPU is powered off.
NOTE
• To power off the sub-cards of the FPICs, run the power off slot slot-id card card-id command.
• If no terminal exists at the deployment site, you can use the OFL button to power off the LPU. The
  OFL button is located on the upper part of the LPU. Press and hold the button for six seconds. If the
  OFL indicator is on, powering off the LPU succeeds.
----End
11.8.3 Checking the Configuration
After you power off the interface board, you can run the display device command to check
whether it has been powered off correctly.
Context
Run the following command to check the previous configuration.
Procedure
• Run:
display device
Check the registration of the interface board.
----End
Example
After you power off the device, run the display device command. If the LPU is in the unregistered
state, the operation is complete. In the following example, the LPU in slot 5 is powered off:
<HUAWEI> display device
NE40E-X8's Device status:
Slot #    Type    Online     Register        Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present    Unregistered    Abnormal    NA
6         LPU     Present    Registered      Normal      NA
9         LPU     Present    Registered      Normal      NA
12        LPU     Present    Registered      Normal      NA
11        LPU     Present    Registered      Normal      NA
16        LPU     Present    Registered      Normal      NA
17        MPU     Present    Registered      Normal      Slave
18        MPU     Present    NA              Normal      Master
19        SFU     Present    Registered      Normal      NA
20        SFU     Present    Registered      Normal      NA
21        SFU     Present    Registered      Normal      NA
22        SFU     Present    Registered      Normal      NA
23        CLK     Present    Registered      Normal      NA
24        CLK     Present    Registered      Normal      NA
25        PWR     Present    Registered      Normal      NA
26        PWR     Present    Registered      Normal      NA
27        FAN     Present    Registered      Normal      NA
28        FAN     Present    Registered      Normal      NA
11.9 (Optional) Configuring the NE80E with 5000 W power
consumption to Power on LPUF-40s/LPUI-40s
This section describes how to configure the NE80E with 5000 W power consumption to power
on LPUF-40s/LPUI-40s.
Context
LPUF-40s/LPUI-40s are not recommended for the NE80E with 5000 W power consumption
because of power supply and heat dissipation issues. If LPUF-40s/LPUI-40s are required, install
the boards on the NE80E with 5000 W power consumption that is working properly and run the
set board-power-on lower-performance-fan enable command to configure the NE80E with
5000 W power consumption to power on the boards. Alternatively, restart the NE80E with 5000
W power consumption to power on the boards.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set board-power-on lower-performance-fan enable
The NE80E with 5000 W power consumption is configured to power on LPUF-40s/LPUI-40s.
NOTE
This command can only be used on the NE80E with 5000 W power consumption, and does not need to be
used on the NE80E with 8000 W power consumption.
----End
11.10 Configuring the Input Power of a Power Module
When the maximum output power supplied by the power cabinet is less than the rated power of
a power module, you need to configure the input power of this power module. The power
management module ensures that power modules supply power to boards based on their
configured input power.
Context
By default, the power management module ensures that power modules supply power to boards
based on their rated power. When the maximum output power supplied by the power cabinet is
less than the rated power of a power module, this power module may not supply sufficient power
to boards. In this situation, the boards that are powered on may restart or power off. To resolve
this problem, run the set power input-power command to configure the input power of the
power module so that the power management module ensures that power modules supply
power to the boards based on their configured input power.
This command applies in the following scenarios:
• A device is installed for the first time. If the maximum output power supplied by the power
  cabinet is less than the rated power of a power module, run this command to configure the
  input power of this power module after the main processing unit (MPU) starts up. Based
  on the rated power of each board, calculate the number of boards to which the configured
  input power can be allocated. Then install the boards based on the calculation results.
• Additional boards need to be installed on a device. If the maximum output power supplied
  by the power cabinet is less than the rated power of a power module, run this command to
  configure the input power of this power module. Based on the rated power of each board,
  calculate the number of boards to which the remainder of the configured input power can
  be allocated. Then install the boards based on the calculation results.
NOTE
• When the maximum output power supplied by the power cabinet is greater than or equal to the rated
  power of a power module, you do not need to run the set power input-power command. If you have
  run this command, the power management module still ensures that power modules supply power to
  boards based on their rated power.
• When the maximum output power supplied by the power cabinet is less than the rated power of a power
  module, you must run the set power input-power command.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set power input-power power-value
The input power of the power module is configured.
NOTICE
• The power-on sequence of boards cannot be controlled. If a board has been installed on a
  device but has not been powered on, this board may power on after the device restarts. In
  addition, boards that have already been powered on may power off.
• The configured input power is saved on the MPU's flash memory. The MPU must not be
  used as the master MPU in another subrack. If the MPU is used as the master MPU in another
  subrack, run the set power input-power command to reconfigure the input power.
----End
11.11 Restoring the Bandwidth of 10GE LAN/WAN
Interfaces on an NPU to 10 Gbit/s
To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to
bind a valid Global Trotter License (GTL) file to the NPU.
NOTE
NPUs are only supported on the X1 and X2 models of the NE80E/40E.
11.11.1 Before You Start
Before restoring the bandwidth of 10GE LAN/WAN interfaces on the NPU to 10 Gbit/s,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the required data. This can help you complete the configuration task quickly and
accurately.
Application Environment
By default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore
the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.
Pre-configuration Tasks
None.
Data Preparation
To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, you need the following
data.
No.   Data
1     GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s
11.11.2 Restoring the Outbound Bandwidth of 10GE LAN/WAN
Interfaces on an NPU to 10 Gbit/s
To restore the outbound bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s,
you need to bind a valid Global Trotter License (GTL) file to the NPU.
Prerequisites
Run the license active file-name command to activate the license files of the main control board
and slave control board.
Context
By default, the outbound bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s.
To restore the outbound bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a
legitimate GTL file.
Procedure
• Activate the GTL license for the 10GE interfaces in license view.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     license
     The license view is displayed.
  3. Run:
     active 10ge-interface slot slotid
     The GTL file used to restore the outbound bandwidth of 10GE LAN/WAN interfaces
     to 10 Gbit/s is bound to the NPU.
• Activate the GTL license for the 10GE interfaces in slot view.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     slot slot-id
     The slot view is displayed.
  3. Run:
     active 10ge-interface
     The GTL file used to restore the outbound bandwidth of 10GE LAN/WAN interfaces
     to 10 Gbit/s is bound to the NPU.
NOTE
The active 10ge-interface command takes effect only in the view of the slot where the NPU
resides.
After you bind the GTL file to the NPU, run the save command to save the configuration.
Otherwise, you will need to bind the GTL file again once the device restarts.
The active 10ge-interface command has the same function as that of the active
10ge-interface slot slotid command in the license view. The former command will be replaced by
the latter one in the configuration file.
----End
11.11.3 Checking the Configuration
After you enable the 10GE LAN/WAN interface on an NPU, you can check the current PIC
cards on the device.
Context
Run the following command to check the previous configuration.
Procedure
Step 1 Run the display device pic-status command to view the current PIC cards on the device.
----End
Example
# View the current PIC cards on the device.
<HUAWEI> display device pic-status
Pic-status information in Chassis 1:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SLOT PIC Status     Type                  Port_count Init_result   Logic down
7    0   Registered LAN_WAN_2x10GX_V_CARD 2          SUCCESS       SUCCESS
7    6   Registered ETH_8xGF_B_CARD       8          SUCCESS       SUCCESS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
11.12 Configuring an Access Mode for a Device
NOTE
Only the X1 and X2 models of the NE80E/40E support the configuration of an access mode.
11.12.1 Before You Start
Applicable Environment
The X1 and X2 models of the NE80E/40E support two access modes: ring mode and
dual-homing mode. By default, the access mode is ring-mode. Before dual-homing an NPU to an
upper network through 10GE interfaces, configure the dual-homing access mode for the device.
In dual-homing access mode, a device supports a maximum of 21 interfaces. If the dual-homing
access mode is configured for a device, and the number of interfaces on the interface boards of
the device exceeds 21, manually specify an unregistered interface board to ensure that the total
number of interfaces on the device is less than 21.
In dual-homing access mode, the NE80E/40E-X1 supports a maximum of 21 forwarding
ports, and the NE80E/40E-X2 supports a maximum of 42 forwarding ports.
Interface Type                      Forwarding port for the interface
GE interface and FE interface       One forwarding port for one interface
ATM interface                       One forwarding port for one interface
CE1 interface and CPOS interface    One forwarding port for all interfaces of the
                                    interface board
If the dual-homing access mode is configured for a device and the total number of forwarding
ports for the interfaces exceeds the maximum, you should manually configure an interface board
as unregistered.
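The forwarding-port rules above can be turned into a pre-check before a device is switched to dual-homing mode. This Python example is added here and is not from the Huawei guide: the card inventory is constructed, the function names are hypothetical, and the stated maximum is treated as inclusive. The choice of which board to unregister (fewest boards, then fewest forwarding ports given up) is an assumed policy, not a rule from the guide.

```python
from itertools import combinations

# Maximum forwarding ports in dual-homing access mode, as stated in the guide.
MAX_FORWARDING_PORTS = {"X1": 21, "X2": 42}

# Counting rules from the guide's table.
PER_INTERFACE = {"GE", "FE", "ATM"}   # one forwarding port for one interface
PER_BOARD = {"CE1", "CPOS"}           # one forwarding port for all interfaces of the board

# Constructed inventory: card-id -> {interface type: number of interfaces}.
SAMPLE_CARDS = {
    1: {"GE": 8},
    2: {"GE": 8},
    3: {"FE": 4, "ATM": 2},
    4: {"CE1": 16},
}


def forwarding_ports(interfaces):
    """Return the forwarding ports one interface board consumes."""
    unknown = set(interfaces) - PER_INTERFACE - PER_BOARD
    if unknown:
        raise ValueError(f"no counting rule for interface type(s): {sorted(unknown)}")
    ports = sum(n for kind, n in interfaces.items() if kind in PER_INTERFACE)
    # All CE1/CPOS interfaces of a board share a single forwarding port.
    if any(interfaces.get(kind, 0) > 0 for kind in PER_BOARD):
        ports += 1
    return ports


def plan_dual_home(model, cards):
    """Return (total_ports, limit, cards_to_unregister) for the given model.

    cards_to_unregister is empty when the inventory already fits. Otherwise it
    is the smallest set of card IDs whose removal brings the total within the
    limit, preferring the set that gives up the fewest forwarding ports
    (assumed policy).
    """
    limit = MAX_FORWARDING_PORTS[model]
    cost = {card_id: forwarding_ports(ifs) for card_id, ifs in cards.items()}
    total = sum(cost.values())
    if total <= limit:
        return total, limit, ()
    excess = total - limit
    card_ids = sorted(cost)
    for size in range(1, len(card_ids) + 1):
        fits = [combo for combo in combinations(card_ids, size)
                if sum(cost[c] for c in combo) >= excess]
        if fits:
            best = min(fits, key=lambda combo: (sum(cost[c] for c in combo), combo))
            return total, limit, best


if __name__ == "__main__":
    for model in ("X1", "X2"):
        total, limit, drop = plan_dual_home(model, SAMPLE_CARDS)
        if drop:
            print(f"{model}: {total} ports exceeds {limit}; "
                  f"configure card(s) {list(drop)} as unregistered first")
        else:
            print(f"{model}: {total} ports fits within {limit}")
```

Each card ID the plan returns corresponds to one run of the set service-mode card card-id register-disable-mode command described in 11.12.2.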
Pre-configuration Tasks
None.
Data Preparation
To configure an access mode for an NPU, you need the following data.
No.   Data
1     Access mode of the device
2     (Optional) Card ID of the interface board that needs to be manually configured as
      unregistered
11.12.2 Configuring an Access Mode for a Device
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set service-mode { dual-home-mode | ring-mode }
The access mode of the device is configured.
The default access mode of the device is the ring access mode.
Step 3 (Optional) Run:
set service-mode card card-id { register-disable-mode | register-enable-mode }
The specified interface board is manually configured as unregistered or registered.
NOTICE
If an interface board is manually configured as unregistered, all interfaces on the interface board
are unavailable. Before performing this operation, ensure that no services have been configured
on the interface board.
----End
11.12.3 Checking the Configuration
Context
Run the following commands to check the configuration:
Procedure
Step 1 Run the display service-mode command to check the access mode configuration of a device.
Step 2 Run the display device command to check the registration status of an interface board.
----End
Example
# Display the access mode of a device.
<HUAWEI> display service-mode
The device can work under the following mode:
=======================================================================:
Service-mode          Functions:
RING-MODE             The equipment is proposed to support ring net
                      work for better convergence
DUAL-HOME-MODE        The equipment is proposed to support dual-way
                      network for better convergence
=======================================================================:
The current service-mode is RING-MODE!
# After No.3 interface board is manually configured as unregistered, display the registration
status of all interface boards on the device.
<HUAWEI> display device
NE40E-X2's Device status:
Slot #    Type    Online     Register        Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1         MPU     Present    NA              Normal      Master
2         MPU     Present    Registered      Normal      Slave
3         PIC     Present    Unregistered    Abnormal    NA
4         PIC     Present    Registered      Normal      NA
5         PIC     Present    Registered      Normal      NA
6         PIC     Present    Registered      Normal      NA
7         NPU     Present    Registered      Normal      NA
8         NPU     Present    Registered      Normal      NA
9         PIC     Present    Registered      Normal      NA
11        PIC     Present    Registered      Normal      NA
12        PIC     Present    Registered      Normal      NA
13        PWR     Present    Registered      Normal      NA
15        FAN     Present    Registered      Normal      NA
16        CLK     Present    Registered      Normal      Master
17        CLK     Present    Registered      Normal      Slave
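The registration checks in 11.8.3 and 11.12.3 both come down to reading the Register and Status columns of the display device table, which can be scripted against collected output. The Python example below is added here and is not part of the Huawei guide: the sample output is constructed in the guide's column layout, and parse_display_device and check_boards are hypothetical helper names.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout of the guide's `display device`
# example (slot 3 manually configured as unregistered); not captured from a
# real router.
SAMPLE_OUTPUT = """\
<HUAWEI> display device
NE40E-X2's Device status:
Slot #    Type    Online     Register        Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1         MPU     Present    NA              Normal      Master
2         MPU     Present    Registered      Normal      Slave
3         PIC     Present    Unregistered    Abnormal    NA
4         PIC     Present    Registered      Normal      NA
7         NPU     Present    Registered      Normal      NA
13        PWR     Present    Registered      Normal      NA
"""


@dataclass(frozen=True)
class Board:
    slot: int
    type: str
    online: str
    register: str
    status: str
    primary: str


# A data row is a slot number followed by exactly five whitespace-separated
# fields; the prompt, title, header and separator lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_display_device(text):
    """Parse `display device` output into a list of Board records."""
    boards = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            slot, *fields = match.groups()
            boards.append(Board(int(slot), *fields))
    return boards


def check_boards(boards, expected_unregistered=frozenset()):
    """Compare board state with the slots that were deliberately taken down.

    Returns (pending, unexpected):
      pending    - expected slots that are absent from the output or not yet
                   shown as Unregistered, so the operation is not confirmed
      unexpected - boards outside the expected set that are Unregistered or
                   whose Status is not Normal
    A Register value of NA (as shown for the master MPU) is not flagged.
    """
    expected = set(expected_unregistered)
    by_slot = {board.slot: board for board in boards}
    pending = sorted(
        slot for slot in expected
        if slot not in by_slot or by_slot[slot].register != "Unregistered"
    )
    unexpected = [
        board for board in boards
        if board.slot not in expected
        and (board.register == "Unregistered" or board.status != "Normal")
    ]
    return pending, unexpected


if __name__ == "__main__":
    boards = parse_display_device(SAMPLE_OUTPUT)
    pending, unexpected = check_boards(boards, expected_unregistered={3})
    print("not yet unregistered:", pending)
    print("unexpected board state:", [b.slot for b in unexpected])
```

Running the same check with an empty expected set turns it into a routine health check: any board that is Unregistered or not Normal without a planned change is reported.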
11.13 Configuring a Working Mode for an LPU
LPUs support various working modes, which you can configure using commands.
NOTE
LPUs are not supported on NE80E/40E-X1s or NE80E/40E-X2s.
11.13.1 Before You Start
Before configuring a working mode for an LPU, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
Applicable Environment
You cannot run frame relay and ATM cell concatenation services on an LPUF-10 at the same
time. To enable the LPUF-10 to support one of these services, configure the corresponding
working mode for the LPUF-10. LPUF-10s support the following working modes:
• fr-mode: LPUF-10s working in this mode support Ethernet interfaces, POS interfaces,
  CPOS interfaces, CE1/CT1 interfaces, and E3/CT3 interfaces.
  – The link layer protocol of the POS interfaces can be configured as FR, PPP or HDLC.
  – The link layer protocol of the serial interfaces created by E1/T1 channels of the CPOS
    interfaces can be configured as FR, TDM, PPP or HDLC.
  – The link layer protocol of the serial interfaces created by E3/T3 channels of the CPOS
    interfaces can be configured as PPP or HDLC.
  – The link layer protocol of the serial interfaces created by the CE1/CT1 interfaces can
    be configured as TDM, PPP or HDLC.
  – The link layer protocol of the serial interfaces created by the E3/CT3 interfaces can be
    configured as PPP or HDLC.
• atm-cell-concatenation-mode: LPUF-10s working in this mode support ATM interfaces
  on the ATM cell concatenation subcards and CPOS interfaces. The link layer protocol of
  the serial interfaces created by E1/T1 channels of the CPOS interfaces can only be
  configured as TDM.
• atm-mode: This is the default working mode of LPUF-10s. LPUF-10s working in this
  mode support Ethernet interfaces, POS interfaces, ATM interfaces, CPOS interfaces,
  CE1/CT1 interfaces, and E3/CT3 interfaces.
  – The link layer protocol of the POS interfaces can be configured as PPP or HDLC.
  – The link layer protocol of the serial interfaces created by E1/T1 channels of the CPOS
    interfaces can be configured as ATM, TDM, PPP or HDLC.
  – The link layer protocol of the serial interfaces created by E3/T3 channels of the CPOS
    interfaces can be configured as PPP or HDLC.
  – The link layer protocol of the serial interfaces created by the CE1/CT1 interfaces can
    be configured as ATM, TDM, PPP or HDLC.
  – The link layer protocol of the serial interfaces created by the E3/CT3 interfaces can be
    configured as PPP or HDLC.
LPUF-10s, LPUF-20/21s, and LPUF-40s support two Peak Information Rate (PIR) values for
user queues: 30 Gbit/s and 60 Gbit/s, which can be selected based on actual service volumes.
Pre-configuration Tasks
Before configuring a working mode for an LPU, check the current working mode of the LPU.
Data Preparation
To configure a working mode for an LPU, you need the following data.
No.   Data
1     Slot ID of the LPU whose current working mode needs to be changed
11.13.2 Configuring a Working Mode for an LPU
LPUs support various working modes.
Context
You cannot run frame relay and ATM cell concatenation services on an LPUF-10 at the same
time. To enable the LPUF-10 to support one of these services, configure the corresponding
working mode for the LPUF-10.
LPUF-10s, LPUF-20/21s, and LPUF-40s support two Peak Information Rate (PIR) values for user
queues: 30 Gbit/s and 60 Gbit/s, which can be selected based on actual service volumes.
Perform the following steps on the router to configure working modes for its LPUs:
Procedure
• Configure a different working mode for each LPUF-10 to enable it to support different
  services.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     set service-mode slot { slot-id | all } { normal | atm-cpos-enhance |
     ethenet-enhance | bas-modecell-concatenation-mode }
     The LPUF-10 is configured with a working mode to support the specific type of
     services.
     NOTE
     normal corresponds to atm-mode and fr-mode.
• Change a working mode for an LPUF-10, LPUF-20/21, or LPUF-40 to increase the PIR
  value of user queues.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     set service-mode slot slot-id { normal-speed-scheduler | high-speed-scheduler }
     The PIR value of user queues is configured.
     The default PIR value of user queues is 30 Gbit/s.
     – normal-speed-scheduler: indicates that the PIR value of user queues is 30 Gbit/s.
     – high-speed-scheduler: indicates that the PIR value of user queues is 60 Gbit/s.
     NOTICE
     After you run the set service-mode slot slot-id { normal-speed-scheduler |
     high-speed-scheduler } command to change the PIR value of user queues on an LPU, the
     LPU will reset automatically.
----End
11.13.3 Checking the Configuration
After the preceding configuration is complete, you can check the working mode of an LPU.
Context
Run the following command to check the configurations:
Procedure
Step 1 Run the display service-mode slot slot-id command to check the working mode of an LPU.
Step 2 Run the display work-mode [ slot slot-id ] command to check the current work mode of an
LPUF-10 or an LPUF-50.
NOTE
LPUF-10 and LPUF-50 are not supported on the X1 and X2 models of the NE80E/40E.
The board to be viewed must be an LPUF-10 or an LPUF-50. Otherwise, the display
work-mode slot command cannot be used.
----End
Example
# Display the current working mode of the LPU in slot 1.
<HUAWEI> display service-mode slot 1
The device can work under the following mode:
=======================================================================:
Service-mode          Functions:
NETSTREAM-1-MODE      Support 2047 MPLS OAM sessions.support (2048
                      3.3ms | 2048 10ms) bfd sessions.can not suppo
                      rt 1588 ACR serverSupport 4095 Mep,4095 Rmep,
                      4095 Ma EOAM/MPLS-TP sessions.Support Netstr
                      eam.
PTP-1-MODE            Support 2047 MPLS OAM sessions.support (2048
                      3.3ms | 2048 10ms) bfd sessions.support 1588
                      ACR serverSupport 4095 Mep,4095 Rmep,4095 Ma
                      EOAM/MPLS-TP sessions.Does not Support Netst
                      ream.
=======================================================================:
The current service-mode is PTP-1-MODE!
# Display the current work mode of all boards.
<HUAWEI> display work-mode
NE40E-X8's current work-mode:
Slot    Type       Current-workmode
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2       LPUF-10    SUPPORT-ATM
3       LPUF-50    NORMAL
11.14 Configuring a Working Mode for an LPUF-40 or
LPUF-20/21
An LPUF-20/21 or LPUF-40 supports various service modes, which you can configure using
commands.
NOTE
LPUs are not supported on NE80E/40E-X1s and NE80E/40E-X2s.
11.14.1 Before You Start
Before configuring a service mode for an LPU, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
Applicable Environment
An LPUF-20/21 or LPUF-40 cannot be configured with the 1588 ACR server function and
NetStream at the same time. Before configuring either the 1588 ACR server function or
NetStream, configure a corresponding service mode for the LPU.
• netstream-1-mode: When working in this mode, the LPU can be configured with
  NetStream, but not the 1588 ACR server function.
• ptp-1-mode: When working in this mode, the LPU can be configured with the 1588 ACR
  server function, but not NetStream.
The LAN_WAN_10G_TM_CARD, ETH_10XGF_TM_CARD, or ETH_6XGF_TM_CARD
subcard can be configured with a service mode to support specified functions. The service modes
and supported service types are as follows:
• reassemble-mode: When working in this mode, the subcard supports packet fragmentation
  and reassembly, but not 1588v2 or the 1588 ACR client function.
• ptp-slave-mode: When working in this mode, the subcard supports 1588v2 and the 1588
  ACR client function, but not packet reassembly.
Pre-configuration Tasks
Before you configure a service mode for an LPU, determine its current service mode.
• Determining the current service mode of the LPU
Data Preparation
To configure a service mode for an LPU, you need the following data.
No.   Data
1     Slot ID of the LPU whose service mode needs to be configured
2     Card ID of the subcard whose service mode needs to be configured
11.14.2 Configuring a Service Mode for an LPUF-20/21 or LPUF-40
An LPUF-20/21 or LPUF-40 can work in different service modes. You can run a command
to change the service mode.
Context
You cannot configure an LPUF-20/21 or LPUF-40 with the 1588 ACR server function and
NetStream at the same time. Before you configure either the 1588 ACR server function or
NetStream, configure the service mode for the LPU.
You can configure the LAN_WAN_10G_TM_CARD, or ETH_10XGF_TM_CARD subcard
with a service mode to support specified functions. The service modes and supported service
types are as follows. You can configure a service mode for the subcard based on the required
service type.
• reassemble-mode: When working in this mode, the subcard supports packet fragmentation
  and reassembly, but not 1588v2 or the 1588 ACR client function.
• ptp-slave-mode: When working in this mode, the subcard supports packet fragmentation,
  1588v2, and the 1588 ACR client function, but not packet reassembly.
Perform the following steps on the router to configure a service mode for the LPU:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set service-mode slot { slot-id | all } { netstream-1-mode | ptp-1-mode }
A service mode is configured for the LPU to support the 1588 ACR server function or NetStream.
NOTICE
This command can take effect on the LPUF-20/21 or LPUF-40.
Step 3 Run:
set service-mode slot { slot-id card card-id | all card all } { reassemble-mode |
ptp-slave-mode }
A service mode is configured for a subcard.
The default service mode of the subcard is reassemble-mode.
The service mode of the subcard is irrelevant to the service mode of the LPU where the subcard
resides.
NOTICE
This command can take effect on a LAN_WAN_10G_TM_CARD or
ETH_10XGF_TM_CARD of the LPUF-21.
To query the type of a subcard, run the display device pic-status command.
----End
11.14.3 Checking the Configuration
After you complete the preceding configuration, you can check the service mode of an LPU or
a subcard.
Context
Run the following command to check the configuration:
Procedure
Step 1 Run the display service-mode slot slot-id command to check the service mode of an LPU or a
subcard.
----End
Example
# Run the display service-mode command in the system view to display the current working
mode of the LPU in slot 1.
[HUAWEI] display service-mode slot 1
The device can work under the following mode:
=======================================================================:
Service-mode          Functions:
NETSTREAM-1-MODE      Support 2047 MPLS OAM sessions.support (2048
                      3.3ms | 2048 10ms) bfd sessions.can not suppo
                      rt 1588 ACR serverSupport 4095 Mep,4095 Rmep,
                      4095 Ma EOAM/MPLS-TP sessions.Support Netstr
                      eam.
PTP-1-MODE            Support 2047 MPLS OAM sessions.support (2048
                      3.3ms | 2048 10ms) bfd sessions.support 1588
                      ACR serverSupport 4095 Mep,4095 Rmep,4095 Ma
                      EOAM/MPLS-TP sessions.Does not Support Netst
                      ream.
=======================================================================:
The current service-mode is PTP-1-MODE!
11.15 Configuring Automatic Board Reset
This section describes how to configure boards to automatically reset when an alarm is generated.
Applicable Environment
After certain alarms are generated, the corresponding boards need to reset to restore services.
You can configure boards to reset automatically after alarms with specified codes are generated.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
fm
The fault management view is displayed.
Step 3 (Optional) Run:
display alarm all history verbose
Detailed information about all historical alarms of the current system is displayed.
The alarm codes can also be displayed. You can run this command to view detailed information
about all historical alarms, including alarm codes, and then configure a board to automatically
reset based on these alarm codes.
Step 4 Run:
set board-reset hardware-alarm error-code error-code-value [ slot slot-id ]
Alarm codes are set.
A maximum of 20 alarm codes can be specified in this command.
----End
Checking the Configuration
Run the display board-reset hardware-alarm error-code command to view the alarm codes
for automatic board reset.
<HUAWEI> system-view
[HUAWEI] fm
[HUAWEI-fm] display board-reset hardware-alarm error-code
hardware-alarm error-code 0x10821
hardware-alarm error-code 0x10822
hardware-alarm error-code 0x10823
hardware-alarm error-code 0x1093c
hardware-alarm error-code 0x10824 slot 9
hardware-alarm error-code 0x10824 slot 11
11.16 Setting the Working Mode of the 1-Port OC-192c/
STM-64c POS-XFP Flexible Card on the LPUF-10
The 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 can work in
oversubscription mode or non-oversubscription mode, which can be configured through a
command.
11.16.1 Before You Start
Before setting the working mode of the 1-port OC-192c/STM-64c POS-XFP flexible card on
the LPUF-10, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the configuration
task quickly and accurately.
Applicable Environment
The motherboard LPUF-10 has four slots that can hold four subcards. The LPUF-10 has
10 Gbit/s bandwidth. Therefore, when using the LPUF-10 and its subcards, take the following
factors into consideration:
• To use the 10G POS interface that works at the line rate, set the 1-port OC-192c/STM-64c
  POS-XFP flexible card on the LPUF-10 to work in non-oversubscription mode. In this case,
  you cannot register the other subcards that work in non-oversubscription mode after you
  insert them into the LPUF-10. You can register the other subcards that work in
  oversubscription mode after you insert them into the LPUF-10, but they cannot work at the
  line rate.
• To use the 10G POS interface without needing to achieve the line rate, set the 1-port
  OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 to work in oversubscription
  mode. In this case, you can still register the other subcards that work in oversubscription
  mode and non-oversubscription mode after you insert them into the LPUF-10.
Pre-configuration Tasks
Before setting the working mode of the 1-port OC-192c/STM-64c POS-XFP flexible card on
the LPUF-10, determine in which mode the 1-port OC-192c/STM-64c POS-XFP flexible card
on the LPUF-10 needs to work.
Data Preparation
To set the working mode of the 1-port OC-192c/STM-64c POS-XFP flexible card on the
LPUF-10, you need the following data.
No.   Data
1     Slot number and subcard number of the 1-port OC-192c/STM-64c POS-XFP flexible
      card on the LPUF-10
11.16.2 Setting the Working Mode of the 1-Port OC-192c/STM-64c
POS-XFP Flexible Card on the LPUF-10
Context
The LPUF-10 has 10 Gbit/s bandwidth, which can ensure the line rate of only one 1-port
OC-192c/STM-64c POS-XFP flexible card on the LPUF-10. To use the 10G POS interface that
works at the line rate, you need to set the 1-port OC-192c/STM-64c POS-XFP flexible card on
the LPUF-10 to work in non-oversubscription mode. In this case, the LPUF-10 does not enable
the registration of the other subcards that work in non-oversubscription mode.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set pos-10g-card non-convergence slot slot-id card card-id
The non-oversubscription mode of the 1-port OC-192c/STM-64c POS-XFP flexible card on the
LPUF-10 is set.
By default, the 1-port OC-192c/STM-64c POS-XFP flexible card on the LPUF-10 works in
non-oversubscription mode.
----End
11.17 (Optional) Configuring Periodic Reliability Detection
on 2-Port OC-12c/STM-4c ATM-SFP Flexible Cards on
LPUF-10s
Applicable Environment
To monitor the working status of 2-port OC-12c/STM-4c ATM-SFP flexible cards on LPUF-10s,
run the set card-special-check atm-sar command to enable the periodic reliability detection
function and configure the detection interval. This function allows users to take measures
promptly when a fault occurs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set card-special-check atm-sar interval interval-value
The periodic reliability detection function is enabled and the detection interval is configured on
2-port OC-12c/STM-4c ATM-SFP flexible cards.
By default, the periodic reliability detection function is disabled on 2-port OC-12c/STM-4c
ATM-SFP flexible cards.
----End
Checking the Configuration
Run the display this command in the system view to view the configured detection interval.
[HUAWEI] display this
#
set card-special-check atm-sar interval 600
#
The interval field in the output (600) indicates that the detection interval is 600s.
11.18 Configuring the CMU
11.18.1 Before You Start
Before configuring monitor items for a CMU, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Application Environment
In remote and unattended equipment rooms, routers can monitor the working environment in
real time. If a router receives an input signal that indicates that a specific environmental variable
is abnormal, the router generates an alarm. Then, maintenance personnel can take immediate
action to adjust this variable, without having to wait on site to monitor the environment. This
effectively reduces equipment room maintenance costs for carriers.
You can connect the CMU on the AUXQ to an environmental monitoring device. Based on the
received input signals from this device, the CMU generates an alarm and reports it to the NMS
to inform maintenance personnel of the problem.
Pre-configuration Tasks
None.
Data Preparation
None.
11.18.2 Configuring Monitor Items for a CMU
Prerequisites
In remote and unattended equipment rooms, routers providing the environment monitoring
function can monitor the working environment in real time. Upon receiving an input signal
indicating that a specific environment variable is abnormal, a router will generate an alarm. Then,
the maintenance personnel can take immediate actions to adjust the environment variable,
without having to wait on site for environment monitoring. This effectively reduces equipment
room maintenance costs for carriers.
The CMU on the AUXQ can be connected to an environment monitoring device. Based on the
received input signals from the environment monitoring device, the CMU generates an alarm
and reports the alarm to the NMS so that the maintenance personnel can be informed of the
problem and come to the site to address the problem.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cmu-switch switch-id alarm-mode { 0 | 1 } slot slot-id { name { voltage | door |
humidity | fog | temperature } | user-defined-name user-defined-name }
Monitor items such as objects to be monitored and an alarm mode are configured for a CMU.
NOTE
A router can monitor four types of environmental variables at a time. Run the cmu-switch command to
configure each environmental variable that needs to be monitored and its associated alarm mode.
----End
11.18.3 Checking the Configuration
Context
Run the following command to check the configuration:
Procedure
Step 1 Run the display current-configuration command to check the CMU configuration.
----End
Example
# Run the display current-configuration command in the system view to display the current
CMU configuration.
[HUAWEI] display current-configuration
#
sysname HUAWEI
#
cmu-switch 0 alarm-mode 1 slot 3 name voltage
#
return
11.19 Configuring Link-heartbeat Loopback Detection
The NE80E/40E supports the link-heartbeat loopback detection function which is implemented
by sending link-heartbeat packets. This function helps locate faults rapidly and maintain the
device.
Context
NOTE
In addition, after the link-heartbeat loopback detection function is enabled, if malicious packet modification
and packet loss occur on the remote device, the local device may perform incorrect operations. Therefore,
in this scenario, disabling the link-heartbeat loopback detection function is recommended.
Heartbeat packets may mistakenly match ACLs, affecting the accuracy of MF traffic statistics.
When network devices are running, if packets are modified or lost, the fault must be located
rapidly and associated processing must be performed promptly to restore services.
The NE80E/40E supports the link-heartbeat loopback detection function, which is implemented
by sending link-heartbeat packets to detect faults. This function can locate faulty devices rapidly
and perform associated processing promptly to recover services automatically. Therefore, this
function improves network reliability and maintainability.
The link-heartbeat detection function can detect packet loss and packet modification. Packet
modification detection enables the device to check whether contents of received packets and
contents of sent packets are consistent. Packet loss detection enables the device to check whether
the difference between the number of received packets and the number of sent packets is in the
allowable range. After the link-heartbeat detection function is enabled, packet modification
detection is enabled by default. By running specified commands, you can determine whether to
perform associated processing and whether to enable packet loss detection.
• Length of a heartbeat packet:
– When the length of MTU + Layer 2 link header is less than 129 bytes, only packets
whose length is the MTU length are sent.
– When the length of MTU + Layer 2 link header ranges from 129 to 192 bytes, only
packets whose length is 129 bytes are sent.
– When the length of MTU + Layer 2 link header is greater than 192 bytes, packets whose
length is the MTU length and 129 bytes are sent.
• The detection period can be the normal detection period (60s) or the approaching state detection
period. The packet loss detection period is 300s, and the packet modification detection
period is 60s. The packet sending interval in both types of detection periods is 1s.
The detailed implementation process is as follows:
1. If packet loss or packet modification is detected in the normal detection period, the
system enters the approaching state detection period.
2. If an alarm is generated in the approaching state detection period, go to Step 5.
3. If no packet loss or packet modification is detected in the approaching state detection
period, the alarm is cleared. The system enters the normal detection period.
4. By default, no alarm is generated when packets are lost. An alarm can be generated only
after you run the link-heartbeat packet-loss threshold threshold-value command to
configure a threshold. The minimum allowable threshold is 1%.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
slot slot-id
The slot view is displayed.
NOTE
The link-heartbeat detection function only supports IPv4 GE and POS interfaces, not sub-interfaces. After
the function is enabled on an interface, the number of packets on the interface will increase.
The system sends one link-heartbeat packet per second and sends them only when traffic exists on
interfaces.
Step 3 Run:
undo link-heartbeat send disable
The function of sending link-heartbeat packets is enabled.
Step 4 Run:
link-heartbeat packet-loss threshold threshold-value
A packet loss threshold at which an alarm will be generated is set, and alarm reporting is enabled.
NOTE
If the packet loss threshold exceeds 80%, packet loss detection will not be enabled.
Step 5 (Optional) Run:
link-heartbeat linkage { packet-loss | packet-modify } enable
The device is enabled to automatically reset a board when the board generates a link-heartbeat
packet loss alarm or a link-heartbeat packet modification alarm.
The alarm mechanisms for packet loss and modification are as follows:
• The alarm mechanism for packet loss is as follows:
An alarm is generated when both the packet loss ratio in a detection period and the packet
loss ratio per minute reach the alarm threshold and channel backpressure is not
performed.
• The alarm mechanism for packet modification is as follows:
– An alarm is generated when the packet modification ratio in a detection period is more
than 5% and no faults are detected by intelligent link-heartbeat packets.
– An alarm is generated when the packet modification ratio in three consecutive detection
periods is not 0 but less than 5% and no faults are detected by intelligent link-heartbeat
packets.
When any of the preceding alarm conditions is met, the system takes the following actions:
• If a fault is detected on a single interface of a board, the system resets the board, power cycles
the board, and then disables the faulty interface. Each time after all these operations are
performed in sequence, the link-heartbeat detection function enters the normal detection
period.
• If a fault is detected on multiple interfaces of a board, the system disables the first faulty
interface. For other faulty interfaces, the system resets the board, power cycles the board,
and then disables the faulty interfaces. Each time after all these operations are performed in
sequence, the link-heartbeat detection function enters the normal detection period.
----End
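The packet-length rules, threshold limits, and alarm conditions described in this section can be modelled as follows. This is an added example, not Huawei code or the device's implementation. The function and class names are hypothetical, and the model assumes that a period with a fault reported by intelligent link-heartbeat packets resets the consecutive-period count and that a ratio of exactly 5% (which the text leaves unspecified) counts toward the three-period rule.

```python
"""Model of the link-heartbeat rules in section 11.19 (added example)."""
from dataclasses import dataclass

SHORT_PROBE_LEN = 129    # bytes, from the packet-length rules
LONG_LIMIT = 192         # bytes, upper bound of the "129 to 192" band
MODIFY_ALARM_PCT = 5     # "more than 5%" raises an alarm in a single period
MODIFY_CONSECUTIVE = 3   # "three consecutive detection periods"
LOSS_THRESHOLD_MIN = 1   # percent, minimum allowable threshold
LOSS_THRESHOLD_MAX = 80  # percent, above this loss detection is not enabled


def heartbeat_lengths(mtu, l2_header_len):
    """Return the heartbeat packet lengths sent for an MTU and Layer 2 header."""
    total = mtu + l2_header_len
    if total < SHORT_PROBE_LEN:
        return [mtu]
    if total <= LONG_LIMIT:
        return [SHORT_PROBE_LEN]
    return [mtu, SHORT_PROBE_LEN]


def loss_detection_enabled(threshold_pct):
    """None means no threshold was configured, so no loss alarm can be raised."""
    if threshold_pct is None:
        return False
    if threshold_pct < LOSS_THRESHOLD_MIN:
        raise ValueError("minimum allowable threshold is 1%")
    return threshold_pct <= LOSS_THRESHOLD_MAX


def loss_alarm(threshold_pct, period_loss_pct, minute_loss_pct, backpressure):
    """Both loss ratios must reach the threshold and backpressure must be off."""
    if not loss_detection_enabled(threshold_pct):
        return False
    return (period_loss_pct >= threshold_pct
            and minute_loss_pct >= threshold_pct
            and not backpressure)


@dataclass
class ModifyPeriod:
    """Counters for one 60s packet-modification detection period."""
    sent: int
    modified: int
    intelligent_fault: bool = False  # fault seen by intelligent heartbeat packets


def modify_alarm_periods(periods):
    """Return the indexes of the periods in which a modification alarm is raised."""
    alarms, streak = [], 0
    for index, p in enumerate(periods):
        if p.sent == 0 or p.modified == 0 or p.intelligent_fault:
            streak = 0  # assumption: a clean or excluded period breaks the run
            continue
        if p.modified * 100 > MODIFY_ALARM_PCT * p.sent:
            alarms.append(index)  # more than 5% in one period
            streak = 0
            continue
        streak += 1               # non-zero but low ratio
        if streak == MODIFY_CONSECUTIVE:
            alarms.append(index)
            streak = 0
    return alarms


def alarm_action(alarm, linkage_enabled):
    """With linkage enabled, an alarm also triggers the automatic board reset."""
    if not alarm:
        return "none"
    return "alarm+board-reset" if linkage_enabled else "alarm-only"


if __name__ == "__main__":
    # Constructed samples: 60 packets per period at one packet per second.
    print(heartbeat_lengths(1500, 14))
    print(modify_alarm_periods([ModifyPeriod(60, 1), ModifyPeriod(60, 2),
                                ModifyPeriod(60, 1)]))
    print(alarm_action(True, linkage_enabled=True))
```

The last function shows why the NOTE at the start of this section recommends disabling the function when the remote device cannot be trusted: with linkage enabled, modified heartbeat packets alone are enough to drive the local device to reset a board.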
Follow-up Procedure
Run the display link-heartbeat interface { interface-type interface-number | interface-name }
command to check information about link-heartbeat loopback detection on a specified interface.
<HUAWEI> display link-heartbeat interface GigabitEthernet 0/3/1
Link-detect status  : Enable
Port ready          : Ready(0xFF)
IP address          : 10.1.1.3
Source MAC          : CCCC-8175-A014
Destination MAC     : 0001-0002-0004
Lost packet detect  : Enable, Threshold = 40%
Lost packet linkage : Disable
Error packet linkage: Disable
Cyc Time            : 25
Send packet length  : 115
Cyc send patcket    : 25
Cyc receive patcket : 0
Magic word          : 0xBA23 0x1187 0x6A77
Last recv magic word: 0x0000
Last send seed      : 246
Last recv seed      : 0
Sub(Lost) status    : Off
Sub status lost     : 0
Sub status cyc count: 0
Lost packet alarm   : Normal
Error packet alarm  : Normal
Lpu linkage status  : Normal
NP information      : 0x8
NP info history     : 0x8 0x8 0x8 0x8 0x8 0x8 0x8 0x8 0x8 0x8
Lost packet history : 60 60 60 60 60 60 60 60 60 60
Sub(Error) status   : Off
Observe num         : 0
Error flag history  : 0 0 0
Send num in sub cyc : 0
Error num in sub cyc: 0
Error info history  : 0x0
11.20 Configuring a Cleaning Cycle for the Air Filter
This section describes the procedure for configuring a cleaning cycle for the air filter.
Context
NOTE
The X1 and X2 models of the NE80E/40E do not have an air filter.
11.20.1 Before You Start
Application Environment
After the air filter has been running for a period of time, you need to clean it.
Pre-configuration Tasks
None.
Data Preparation
To configure a cleaning cycle for the air filter, you need the following data.
No.  Data
1    Cleaning cycle of the air filter
11.20.2 Configuring a Cleaning Cycle for the Air Filter
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dustproof check-timer day INTEGER
The cleaning cycle for the air filter is configured.
NOTE
The air filter is a component without memory. All monitored information is saved on the MPU, which may
be inserted, removed, switched, or replaced during use. Therefore, the monitoring cycle may differ from
the set cycle, but this does not affect the monitoring function.
----End
11.20.3 Monitoring the Cleaning Cycle of the Air Filter After
Cleaning It
Context
The system generates an alarm about cleaning the air filter. After ensuring that the air filter is
cleaned or does not need to be cleaned, clear the alarm and begin monitoring the cleaning cycle
of the air filter again.
Do as follows on the router:
Procedure
Step 1 Run:
reset dustproof run-time
The alarm is cleared. The cleaning cycle of the air filter is monitored.
----End
11.20.4 Checking the Configuration
Procedure
Step 1 Run:
display dustproof
Information about the air filter is displayed.
----End
Example
Run the display dustproof command. You can view information about the cleaning cycle of
the air filter, the last time the air filter was cleaned (according to the router), how many days the
router had run since the previous cleaning, and how long the alarm about cleaning the air filter
has existed. For example:
<HUAWEI> display dustproof
Clean Dustproof-Net cycle : 365(days)
Last clean date           : 2009/02/07
Up to last clean days     : 1(day)
Clean alarm existence days: 0(day)
11.21 Monitoring the Device Status
You can monitor the device status to facilitate fault location and cause analysis.
11.21.1 Displaying the System Version Information
The system version information includes the system software version and various hardware
versions.
Procedure
Step 1 Run:
display version
The system version information is displayed.
You can run this command in any view to view the system version information. The main
information is as follows:
• System software version
• Hardware and software version of the MPUs
• Hardware and software version of the SFUs
• Hardware and software version of the LPUs
• Hardware and software version of the Fan and Backplane
----End
11.21.2 Displaying Basic Information About the Router
Basic router information includes detailed information about the LPU, MPU, SFU, clock board,
power supply, and fan module.
Procedure
Step 1 Run:
display device [ pic-status | slot-id ]
Basic information about the router is displayed.
You can run this command in any view to view the basic device information. Enter slot-id to
view information about the board in the specified slot.
• Choose a board in a certain slot. You can view basic information about this board.
• Run:
display device pic-status
Basic information about the PIC card of the LPU is displayed.
----End
11.21.3 Displaying the Electronic Label
The electronic label information includes the type of board/card, bar code, BOM code, English
description, production date, supplier name, issuing number, Common Language Equipment
Identification (CLEI) code, and sales BOM code.
Procedure
• Run:
display elabel [ asset | backplane | fuse-unit [ fuse-id ] | filter [ filter-id ] | slot-id | brief | optical-module { brief | interface interface-number } ]
The electronic label is displayed.
In practice, you can run this command in the user view to view information about the
electronic label of the boards. Enter slot-id to view information about the electronic label
of the board in the specified slot.
NOTE
For the range of numbers of the slots on the router, refer to the HUAWEI NetEngine80E/40E Router
Hardware Description.
Displayed information includes the type of the board and PIC card, bar code, BOM, English
description, production date, supplier name, issuing number, Common Language
Equipment Identification (CLEI) code, and sales BOM.
• Run:
display power manufacture-info slot slot-id
The electronic label of the power module in a specified slot is displayed.
• Run:
display pmu manufacture-info slot slot-id
The electronic label of the PMU in a specified slot is displayed.
This command applies only to the NE40E-X1/X2.
----End
11.21.4 Displaying the Soft Boot Mode
By default, the soft boot mode function is automatically enabled, which shortens the time spent
on restarting the system.
Procedure
Step 1 Run the display system soft-bootmode command to view the soft boot mode.
NOTE
By default, the soft boot mode function is automatically enabled, which shortens the time spent on system
startup during reset. You can run the undo set system soft-bootmode command in the system view to
disable the boot function.
----End
11.21.5 Displaying the Threshold of the Memory Usage
You can specify the slot ID to check the memory usage of the MPU or LPU.
Procedure
Step 1 Run:
display memory-usage [ slave | slot slot-id ]
The memory usage threshold of the main MPU and LPU are displayed.
NOTE
To set the memory usage threshold in the main MPU and LPU, you can run the set memory-usage
threshold threshold [ slot slot-id ] command.
----End
11.21.6 Displaying the Threshold of CPU Usage
You can specify the slot ID to check the CPU usage of the MPU or LPU.
Procedure
Step 1 Run:
display cpu-usage entry-number [ offset ] [ verbose ] [ slave | slot slot-id ]
[ history ]
The CPU usage threshold of the main MPU and LPU are displayed.
You can select the following parameters when you run this command:
• entry-number: specifies the number of entries to be displayed.
• offset: specifies the entry with the offset value before the current entry.
• verbose: displays information about each record.
• history: displays CPU usage history records.
NOTE
To set the threshold of the CPU usage on the main MPU and LPU, you can run the set cpu-usage
threshold threshold-value [ slave | slot slot-id ] command. You can run the [ slave | slot slot-id ] command
to display the current CPU usage configuration.
You can run the monitor cpu-usage command to dynamically monitor the CPU usage.
----End
11.21.7 Displaying Alarm Information
The alarm information includes the alarm severity, alarm date and time, and alarm description.
Procedure
Step 1 Run:
display alarm { slot-id | all }
Information about the alarm is displayed.
You can run this command in any view to view current information about the router alarm. Alarm
information includes the following:
• Alarm severity
• Alarm date and time
• Alarm description
NOTE
After the router alarm is displayed, you can run the clear alarm index index-id { send-trap | no-trap }
command to clear the alarm at the specified index-id.
----End
11.21.8 Displaying the Board Temperature
The temperature information includes the temperature status, alarm thresholds, and actual
temperature of each board.
Procedure
Step 1 Run:
display temperature [ slot slot-id | lpu [ slot slot-id [ pic pic-id ] ] | { mpu |
sfu } ]
The temperature of the specified board is displayed.
NOTE
• Run the display temperature [ lpu [ slot slot-id [ pic pic-id ] ] ] command to view the temperature of
the specified subcard in the specified slot.
• Run the display temperature command to view the temperature of each module of all the boards on
the router.
• Since NE40E-X1, NE40E-X2, and NE40E-X3 do not have the SFU, the display temperature sfu
command does not apply to these devices.
You can run this command in any view to view the current temperature information of the
router.
----End
11.21.9 Displaying the Board Voltage
The voltage information includes the number of voltage sensors on each board, working voltage
sensor of each board, working status of the voltage sensor on each board, and voltage alarm
thresholds of each board.
Procedure
Step 1 Run:
display voltage [ slot slot-id | lpu [ slot slot-id [ pic pic-id ] ] | { mpu |
sfu } ]
The board voltage is displayed.
NOTE
• Run the display voltage [ lpu [ slot slot-id [ pic pic-id ] ] ] command to view the voltage of the specified
subcard on the specified LPU.
• Run the display voltage command to view the voltage of all the boards on the router.
• Since NE40E-X1, NE40E-X2, and NE40E-X3 do not have the SFU, the display voltage sfu command
is not applicable to these devices.
In practice, using this command in any view, you can view the voltage of all the boards. The
voltage information includes the following:
• Number of the voltage sensors
• Working voltage sensors
• Working status of the voltage sensors
• Alarm field value of the voltage
• Actual board voltage
• Normal working temperature of the voltage sensors
----End
11.21.10 Displaying the Power Supply Status
The power supply information includes the slot ID of the power supply module, whether the
power supply module is registered, working mode of the power supply module, and cable status
of the power supply module.
Procedure
Step 1 Run:
display power [ { environment-info | manufacture-info } slot slot-id | slot [ slot-id ] ]
The power supply status is displayed.
In practice, using this command in any view, you can view the power supply status. The displayed
information includes the following:
• Slot number of the power supply module
• Presence status of the power supply module
• Operation mode of the power supply module
• Cable status of the power supply module
----End
11.21.11 Displaying Current Information About Boards
Context
Do as follows on the router.
Procedure
Step 1 Run:
display board-current [ slot slot-id ]
Current information about a specified board is displayed.
----End
11.21.12 Displaying Environment Information About the Device
You can check environment information about the device that is installed with an environment
monitoring board.
Context
Do as follows on the router:
Procedure
Step 1 Run:
display device [ CMU-slotID ]
Environment information about the device is displayed.
This command is supported only on the NE40E-X8 and NE40E-X16 on which the environment
monitoring board is installed and runs normally.
----End
11.21.13 Displaying the Fan Status
The fan status information includes the slot ID of the fan module, whether a fan module is
registered, registration status, working status of the fan module, and speed mode of the fan
module.
Procedure
Step 1 Run:
display fan
The fan status is displayed.
In practice, using this command in any view, you can view the fan status. The information
includes the following:
• Slot number of the fan module
• Presence and registration status of the fan module
• Working status of the fan module
• Fan speed mode of the fan module
----End
11.21.14 Displaying the Sequence Number of the MPU
Each MPU has a globally unique equipment serial number (ESN).
Procedure
Step 1 Run:
display esn
The sequence number of the MPU is displayed. In the operation, using this command in any
view, you can view the sequence number of the MPU on the router.
----End
11.21.15 Displaying the Next Start Mode of the Board
A board supports two startup modes, namely, fast startup and normal startup.
Procedure
Step 1 Run:
display bootmode-next
The next start mode of the board is displayed.
In the operation, you can use the command in any view to check the next start mode of each
board on the router, including the MPU, SFU, and LPU. The start modes are as follows:
• The fast start mode
• The normal start mode
----End
11.21.16 Displaying the Number of the Registered SFUs By Default
The number of actually used SFUs must be greater than the number of SFUs that the system
requires for registration by default; otherwise, an alarm will be generated.
Context
NOTE
SFUs are not supported on the X1 and X2 models of the NE80E/40E.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
display least sfuboard
The number of the registered SFUs that the device requires by default is displayed.
In the operation, if the number of the SFUs that is actually used is smaller than the number of
the SFUs that the device requires for registration, a trap is generated. Run the least
sfuboard index-id command to change the number of the SFUs that the device requires for
registration.
----End
11.22 Board Maintenance
Board Maintenance involves resetting a board and clearing the maximum CPU usage.
11.22.1 Resetting a Board
You need to back up important data before resetting a board.
Context
In the case that a board is faulty, you can use the reset slot command to reset the board.
CAUTION
Back up important data before resetting the board.
Do as follows on the router:
Procedure
Step 1 Run:
reset slot slot-id [card card-id]
The board is reset.
NOTE
• If the board is still abnormal after being reset, contact the Huawei technical support personnel.
----End
11.22.2 Clearing CPU Usage Statistics
Before collecting CPU usage statistics, you must clear the original CPU usage statistics.
Context
NOTICE
The CPU usage statistics cannot be restored after they are cleared. Exercise caution when running
the following command.
To clear CPU usage statistics, run the following reset command in the system view.
Procedure
• Run the reset cpu-usage record [ slot slot-id [ vcpu vcpu-id ] | slave ] command to clear
CPU usage statistics.
----End
11.23 Configuration Examples of the Device Maintenance
This section provides examples for powering off different types of boards to describe common
device maintenance operations.
Follow-up Procedure
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
11.23.1 Example for Powering off the MPU
On a dual-MPU router, if the master MPU malfunctions or you need to routinely maintain the
master MPU, you can power off the master MPU after performing the master/slave switchover.
Networking Requirements
After checking the alarm information, you find that the hardware on the master MPU fails. Then,
check the hardware by powering off the master MPU.
Configuration Roadmap
The configuration roadmap is as follows:
1. Switch the master MPU to the slave MPU through the master and slave switchover.
2. Power off the slave MPU.
Data Preparation
To complete the configuration, you need the following data:
• Slot number of the master MPU
• In this example, the slot number of the master MPU is 17.
Procedure
Step 1 Perform the master and slave switchover on the router.
<HUAWEI> system-view
[HUAWEI] slave switchover enable
Before performing the master and slave switchover, make sure that the user interfaces such as
AUX, console, and VTY are connected to the two MPUs. Otherwise, the users that use the
interfaces connected with the former master MPU automatically quit the login after the master
and slave switchover.
[HUAWEI] slave switchover
Caution!!! Confirm switch slave to master[Y/N]?y
Switching......................................................................
......
Step 2 Power off the MPU in slot 17.
<HUAWEI> power off slot 17
Caution!!! This command may affect operation by wrong use, please carefully use
it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y
Step 3 Verify the configuration.
# Check the registration status of the MPU. You can view that the MPU in slot 17 is in the
unregistered and abnormal state. It means that powering off the MPU succeeds.
<HUAWEI> display device
NE40E-X8's Device status:
Slot #    Type    Online     Register        Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present    Registered      Normal      NA
6         LPU     Present    Registered      Normal      NA
9         LPU     Present    Registered      Normal      NA
12        LPU     Present    Registered      Normal      NA
11        LPU     Present    Registered      Normal      NA
16        LPU     Present    Registered      Normal      NA
17        MPU     Present    Unregistered    Abnormal    Slave
18        MPU     Present    NA              Normal      Master
19        SFU     Present    Registered      Normal      NA
20        SFU     Present    Registered      Normal      NA
21        SFU     Present    Registered      Normal      NA
22        SFU     Present    Registered      Normal      NA
23        CLK     Present    Registered      Normal      NA
24        CLK     Present    Registered      Normal      NA
25        PWR     Present    Registered      Normal      NA
26        PWR     Present    Registered      Normal      NA
27        FAN     Present    Registered      Normal      NA
28        FAN     Present    Registered      Normal      NA
----End
Configuration Files
None
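The verification in Step 3 can be automated by parsing the display device table and checking the state of the powered-off slot. This is an added example, not Huawei code. The function names are hypothetical, the sample is a constructed subset of the rows shown above, and the check assumes that every other board should still be in the Normal state.

```python
import re

# Constructed sample: a subset of the rows from the display device output above.
SAMPLE = """\
NE40E-X8's Device status:
Slot #    Type    Online     Register        Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present    Registered      Normal      NA
17        MPU     Present    Unregistered    Abnormal    Slave
18        MPU     Present    NA              Normal      Master
19        SFU     Present    Registered      Normal      NA
"""

# A data row is a slot number followed by five whitespace-separated fields.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
FIELDS = ("type", "online", "register", "status", "primary")


def parse_device_status(text):
    """Return {slot: {field: value}} for every data row in the table."""
    rows = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            rows[int(match.group(1))] = dict(zip(FIELDS, match.groups()[1:]))
    return rows


def check_power_off(rows, slot):
    """Return a list of problems; an empty list means the state is as expected."""
    target = rows.get(slot)
    if target is None:
        return [f"slot {slot} not present in output"]
    problems = []
    if (target["register"], target["status"]) != ("Unregistered", "Abnormal"):
        problems.append(
            f"slot {slot} is {target['register']}/{target['status']}, "
            "expected Unregistered/Abnormal")
    if target["type"] == "MPU":
        # After the switchover, another MPU must hold the Master role.
        masters = [s for s, r in rows.items()
                   if s != slot and r["type"] == "MPU" and r["primary"] == "Master"]
        if not masters:
            problems.append("no other MPU is Master")
    for other, row in sorted(rows.items()):
        if other != slot and row["status"] != "Normal":
            problems.append(f"slot {other} is unexpectedly {row['status']}")
    return problems


if __name__ == "__main__":
    print(check_power_off(parse_device_status(SAMPLE), 17))
```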
11.23.2 Example for Powering off the SFU
When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.
Networking Requirements
NOTE
SFUs are not supported on the X1 and X2 models of the NE80E/40E.
You need to power off the SFUs before dust removing.
Configuration Roadmap
The configuration roadmap is as follows:
• Power off the SFU.
Data Preparation
To complete the configuration, you need the following data:
Slot number of the current SFU. In this example, the slot number of the SFU is 19.
Procedure
Step 1 Power off the SFU in slot 19.
<HUAWEI> power off slot 19
Caution!!! This command may affect operation by wrong use, please carefully use
it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y
Step 2 Verify the configuration.
# Check the registration status of the SFU in slot 19. You can view that the SFU is in the
unregistered and abnormal state. It means that powering off the SFU succeeds.
<HUAWEI> display device
NE40E-X8's Device status:
Slot #    Type    Online     Register        Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present    Registered      Normal      NA
6         LPU     Present    Registered      Normal      NA
9         LPU     Present    Registered      Normal      NA
12        LPU     Present    Registered      Normal      NA
11        LPU     Present    Registered      Normal      NA
16        LPU     Present    Registered      Normal      NA
17        MPU     Present    Registered      Normal      Slave
18        MPU     Present    NA              Normal      Master
19        SFU     Present    Unregistered    Abnormal    NA
20        SFU     Present    Registered      Normal      NA
21        SFU     Present    Registered      Normal      NA
22        SFU     Present    Registered      Normal      NA
23        CLK     Present    Registered      Normal      NA
24        CLK     Present    Registered      Normal      NA
25        PWR     Present    Registered      Normal      NA
26        PWR     Present    Registered      Normal      NA
27        FAN     Present    Registered      Normal      NA
28        FAN     Present    Registered      Normal      NA
----End
Configuration Files
None
11.23.3 Example for Powering off the LPU
If the LPU is faulty or you need to routinely maintain it, you can power it off.
Networking Requirements
NOTE
LPUs are not supported on the X1 and X2 models of the NE80E/40E.
None
Configuration Roadmap
The configuration roadmap is as follows:
Replace the failed LPU.
Data Preparation
To complete the configuration, you need the following data:
• Slot number of the LPU that needs to be replaced.
  In this example, the slot number of the LPU is 5.
• Service part whose PIC card type and board type are the same as those of the LPU to be
  replaced.
Procedure
Step 1 Power off the LPU in slot 5.
<HUAWEI> power off slot 5
Caution!!! This command may affect operation by wrong use, please carefully use
it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y
Step 2 Verify the configuration.
# Check the registration status of the LPU in slot 5. The LPU is in the unregistered and
abnormal state, which means that the LPU has been powered off.
<HUAWEI> display device
NE40E-X8's Device status:
Slot #    Type    Online     Register        Status      Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5         LPU     Present    Unregistered    Abnormal    NA
6         LPU     Present    Registered      Normal      NA
9         LPU     Present    Registered      Normal      NA
12        LPU     Present    Registered      Normal      NA
11        LPU     Present    Registered      Normal      NA
16        LPU     Present    Registered      Normal      NA
17        MPU     Present    Registered      Normal      Slave
18        MPU     Present    NA              Normal      Master
19        SFU     Present    Registered      Normal      NA
20        SFU     Present    Registered      Normal      NA
21        SFU     Present    Registered      Normal      NA
22        SFU     Present    Registered      Normal      NA
23        CLK     Present    Registered      Normal      NA
24        CLK     Present    Registered      Normal      NA
25        PWR     Present    Registered      Normal      NA
26        PWR     Present    Registered      Normal      NA
27        FAN     Present    Registered      Normal      NA
28        FAN     Present    Registered      Normal      NA
----End
Configuration Files
None
12 Device Upgrading
About This Chapter
When you need to add new features, optimize existing features, or solve problems in the current
version, you can upgrade the device.
12.1 Device Upgrade Overview
12.2 Upgrade Modes Supported by the NE80E/40E
12.1 Device Upgrade Overview
You need to upgrade a device when you want to add new features, optimize the existing
performance, or solve problems with the current version.
Note
Before you upgrade the NE80E/40E, perform the following:
• When you upgrade the NE80E/40E on site, prepare a spare part for each board.
• Obtain the new system software, Product Adaptive File (PAF) or license file, and
  corresponding documents of the new version from Huawei.
• Back up configuration files, and collect and save service configurations.
• Enable the log function to record all the operations performed during the upgrade process.
• Check software versions of all modules on each board, including versions of the BootROM,
  Firmware, and MonitorBus.
12.2 Upgrade Modes Supported by the NE80E/40E
You can use a command, mobile storage device, or BootROM to upgrade the NE80E/40E.
Upgrade by Using the Command Line
This mode applies to the following situations. For details, refer to the "NE80E&40E
V600R008C10 Version Upgrade Guide" of the corresponding system software version.
• The NE80E/40E uses FTP/TFTP for the upgrade. Other devices can remotely log in to the
  NE80E/40E.
• You are upgrading the NE80E/40E for the first time, and it has been loaded with the system
  software package. Other devices can log in to the NE80E/40E through the serial interface
  to configure the IP address or use NAP to remotely log in to the NE80E/40E.
Upgrade by Using a Mobile Storage Device (CF card)
You generally use a CF card to upgrade the NE80E/40E during the engineering stage or
troubleshooting process. Before performing the upgrade, prepare two CF cards.
In this mode, you upgrade the NE80E/40E by replacing the CF card on the master and slave
MPU/SRU with CF cards containing the system software package. For details, refer to the
"Version Upgrade Guide" of the corresponding system software version.
Upgrade by Using BootROM
This mode applies to the following situations. For details, refer to the "NE80E&40E
V600R008C10 Version Upgrade Guide" of the corresponding system software version:
• The NE80E/40E is being upgraded for the first time, but the system software package of
  the NE80E/40E does not exist or is incorrect.
• After the NE80E/40E is upgraded and restarted, neither the master nor slave MPUs/SRUs
  can be registered.
• After the NE80E/40E is upgraded, the master MPU/SRU can be registered but the slave
  MPUs/SRUs cannot be registered.
• The MPU/SRU is replaced.
• Other devices cannot log in to the NE80E/40E through Telnet.
13 Patch Management
About This Chapter
Patch management includes checking the running patch, loading patch files, and installing
patches.
13.1 Patch Management Introduction
This section describes basic patch functions.
13.2 Checking Whether a Patch is Running in the System
The system allows only one patch to run. Therefore, confirm that no patch is running before
loading a new patch.
13.3 Loading a Patch
You can load patches through FTP, TFTP, or XModem.
13.4 Installing a Patch
You can install a patch on the system to repair it. By installing the patch, you can upgrade the
system without upgrading the system software.
13.5 (Optional) Deactivating the Patch
If an installed patch does not take effect, you need to deactivate it.
13.6 Configuration Examples for Patch Management
This section describes some configuration examples for managing patches.
13.1 Patch Management Introduction
This section describes basic patch functions.
13.1.1 Patch Management Overview
You can install patches to improve system functions.
Patch Overview
You occasionally need to revise the system software, for example to remove system defects or
add new functions, while the device is running. In the past, it was common practice to shut the
system down before performing an upgrade, but this static upgrade affects the services on the
device and does not improve its communication. If you instead load a patch to the system
software, you can upgrade it online without interrupting the operation of the device. This
dynamic upgrade does not affect services and can improve the device's communication.
• Hot patch
  Loading hot patches does not interrupt running services on the device. A hot patch fixes
  the system software bug when the device is running.
• Cold patch
  A cold patch fixes the system software bug only after the device is restarted.
Table 13-1 Naming Rules for Patches
Patch Name = Product Name + Space + Release Number + Patch Number
Emergency Correction Patches (ECP) number = Hot ECP number: HPyyyy; Cold ECP number: CPyyyy
Accumulated Correction Updates (ACU) number = SPxyyyy (Note: SP refers to service pack. x refers to H or C)
Naming rules for Emergency Correction Patches (ECP) are as follows:
1. For an ECP that is released based on an ACU, if activating and validating the ECP would
   not affect user experience, the ECP is a hot ECP and named HPyyyy; if activating and
   validating the ECP would affect user experience, the ECP is a cold ECP and named CPyyyy.
2. The first y in HPyyyy or CPyyyy is fixed at 0, and the subsequent yyy is the same as yyy
   in SPCyyy or SPHyyy of the corresponding ACU. Therefore, an ECP is named in the format
   of HP0yyy or CP0yyy. If a calculated ECP name is the same as that of the previously
   released ECP, the newly calculated one increases by 1.
Naming rules for Accumulated Correction Updates (ACUs) are as follows:
1. For an ACU that is released based on the previous cold ACU, if the current ACU contains
   patches that would affect user experience when being activated and validated, the current
   ACU is a cold ACU and named SPCyyy.
2. For an ACU that is released based on the previous cold ACU, if the current ACU does not
   contain any patches that would affect user experience when being activated and validated,
   the current ACU is a hot ACU and named SPHyyy.
Patch Area
In the memory of the Main Processing Unit (MPU) and Line Processing Unit (LPU), a space,
called a patch area, is reserved for the patch.
To install the patch, save it to the patch area in the memory of the board.
The patch saved in the patch area is numbered uniquely. Up to 200 patches can be saved to the
patch area in the memory of the MPU or LPU.
Patch States
The patch state can be idle, deactive, active, or running. For details, see Table 13-2.
Table 13-2 Patch states

State: No patch (idle)
Description: The patch file is saved to the CF card but is not loaded to the patch area in the
memory.
States Conversion: When the patch is loaded to the patch area, the patch status is set to deactive.

State: deactive
Description: The patch is loaded to the patch area but is disabled.
States Conversion: The patch in the deactive state can be:
• Uninstalled, that is, deleted from the patch area.
• Enabled temporarily and then switched to the active state.

State: active
Description: The patch is loaded to the patch area and enabled temporarily. If the board is
reset, the active patch on that board switches to the deactive state.
States Conversion: The patch in the active state can be:
• Uninstalled, that is, deleted from the patch area.
• Enabled temporarily and then switched to the active state.
• Enabled permanently and then switched to the running state.

State: running
Description: The patch is loaded to the patch area and enabled permanently. If the board is
reset, the patch on the board remains in the running state.
States Conversion: The patch in the running state can be uninstalled and deleted from the patch
area.
Figure 13-1 shows the conversion between patch states.
Figure 13-1 Conversion between patch states
[Figure: states No patch, Deactivated, Activated, and Running; transitions labeled Load patch, Active patch, Deactive patch, Run patch, and Delete patch]
13.1.2 Patches Supported by the NE80E/40E
The NE80E/40E enables patches to be loaded to the system or a certain board.
Patch Functions
Installing patches can improve system functions or fix bugs. By installing a patch, you can
upgrade the system without upgrading the system software.
In special scenarios, you can install patches specific to an MPU or LPU to optimize board
functions.
Logic Relationships Between Configuration Tasks
Figure 13-2 shows the logical relationships between the configuration tasks.
Figure 13-2 Logical relationships between configuration tasks
[Flowchart: Run VRP; Normally run (Yes/No); Resort to technical support for new patch; Enable patch temporarily; Bug removed (Yes/No); Disable patch; Unload patch; End]
13.2 Checking Whether a Patch is Running in the System
The system allows only one patch to run. Therefore, confirm that no patch is running before
loading a new patch.
13.2.1 Before You Start
Before checking the running patch, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
Applicable Environment
The system allows the running of only one patch at a time. Therefore, you need to confirm no
patch is running in the current system before installing a patch. If a patch is running, delete it
before installing the new patch.
Pre-configuration Tasks
Before checking whether a patch is running in the system, complete the following tasks:
• Ensure that the router starts normally after being powered on.
• Ensure that you can log in to the router.
Data Preparation
None
13.2.2 Checking the Running of a Patch in the System
You can run the display patch-information command to view information about the running
patch units, activated patch units, and deactivated patch units.
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Run:
display patch-information
All information about the current patch is displayed, including information about the patch units
that are running, the patch units that are activated, and the patch units that are deactivated.
----End
Example
<HUAWEI> display patch-information
Info: No patch exists.
This indicates that no patch is running in the current system.
NOTE
If patches are running, delete them before loading new patches.
13.2.3 (Optional) Deleting a Patch
The system allows only one patch to run at a time. If a patch is running, delete it before loading
a new patch.
Context
Before installing a patch, you need to delete the running patch.
Do as follows on the router to be upgraded.
Procedure
Step 1 Run:
patch delete all
The running patch is deleted.
----End
13.3 Loading a Patch
You can load patches through FTP, TFTP, or XModem.
13.3.1 Before You Start
Before loading a patch, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
Applicable Environment
Before a patch is installed, it should be uploaded to the root directory of the CF card of the master
and slave MPUs. Upload the patch to the root directory of the CF card of the master MPU. Then,
copy the patch to the root directory of the CF card of the slave MPU.
The three methods used to upload a patch are FTP, TFTP and XModem.
Pre-configuration Tasks
Before loading a patch, complete the following tasks:
• Ensure that the router starts normally after being powered on.
• Ensure that you can log in to the router.
Data Preparation
Before running a patch, obtain a patch that is consistent with the board.
No.  Data
1    Uploading a Patch to the Root Directory of the CF Card of the Master MPU
2    Copying a Patch to the Root Directory of the CF Card of the Slave MPU
13.3.2 Loading a Patch
On a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Upload a patch to the root directory of the CF card of the master MPU.
The router supports the uploading of files through FTP, TFTP, and XModem. For more
information, see: "FTP, TFTP, and XModem". Choose an uploading method based on your
requirements.
Step 2 Run:
copy source-filename slave#cfcard:/destination-filename
The patch is copied to the root directory of the CF card of the slave MPU.
Step 3 Run:
startup patch file-name
The patch package is specified for the master MPU on the next startup.
Step 4 Run:
startup patch file-name slave-board
The patch package is specified for the slave MPU on the next startup.
----End
13.3.3 Checking the Configuration
After a patch is loaded, you can check the patch information.
Context
Run the following commands to check the previous configuration.
Procedure
• Run:
  dir cfcard:/
  Check the files on the MPU.
• Run:
  dir slave#cfcard:/
  Check the files on the slave MPU.
• Run:
  display startup
  Check the patch file to be used in the next system startup.
----End
Example
After uploading the files, run the dir cfcard:/ and dir slave#cfcard:/ commands. The patch.pat
file is contained in the files on the CF card.
For example, check the files on the CF card of the master MPU:
<HUAWEI> dir cfcard:/
Directory of cfcard:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-             64  Nov 15 2006 13:07:44   patchnpstate.dat
    1  -rw-            418  Jul 26 2007 19:52:14   vrpcfg.zip
    2  -rw-          38017  Aug 01 2007 11:02:00   paf.txt
    3  -rw-           2292  Aug 21 2006 15:35:50   vrp.zip
    4  -rw-           7041  Aug 02 2007 11:02:00   license.txt
    5  -rw-      117013076  Jul 13 2007 10:40:44   V600R008C10.cc
    6  -rw-      134213212  Nov 18 2007 05:30:11   V600R008C10.cc
    7  -rw-           4041  Nov 02 2007 11:04:00   patch.pat
500192 KB total (347760 KB free)
For example, check the files on the CF card of the slave MPU:
<HUAWEI> dir slave#cfcard:/
Directory of slave#cfcard:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-             64  Nov 15 2006 13:07:44   patchnpstate.dat
    1  -rw-            418  Jul 26 2007 19:52:14   vrpcfg.zip
    2  -rw-          38017  Aug 01 2007 11:02:00   paf.txt
    3  -rw-           2292  Aug 21 2006 15:35:50   vrp.zip
    4  -rw-           7041  Aug 02 2007 11:02:00   license.txt
    5  -rw-      117013076  Jul 13 2007 10:40:44   V600R008C10.cc
    6  -rw-      134213212  Nov 18 2007 05:30:11   V600R008C10.cc
    7  -rw-           4041  Nov 02 2007 11:04:00   patch.pat
500192 KB total (343160 KB free)
For example, check the patch file to be used in the next system startup.
<HUAWEI> display startup
MainBoard:
  Configed startup system software:        cfcard:/V600R008C10.cc
  Startup system software:                 cfcard:/V600R008C10.cc
  Next startup system software:            cfcard:/V600R008C10.cc
  Startup saved-configuration file:        cfcard:/current_cfg.cfg
  Next startup saved-configuration file:   cfcard:/current_cfg.cfg
  Startup paf file:                        cfcard:/paf-V600R008C10.txt
  Next startup paf file:                   cfcard:/paf-V600R008C10.txt
  Startup license file:                    cfcard:/license-V600R008C10.txt
  Next startup license file:               cfcard:/license-V600R008C10.txt
  Startup patch package:                   Null
  Next startup patch package:              cfcard:/patch.pat
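The three checks in this section can be scripted against saved command output. The following Python sketch is an added example, not Huawei code: it parses dir and display startup text and reports a patch file that is missing, differs in size between the master and slave MPUs, or is not set as the next startup patch package. The sample text is constructed, and the function names and the one-row-per-file layout are assumptions; a matching size shows only that the copy is complete.

```python
import re

# Constructed samples in the layout of this section's examples (not device captures).
DIR_MASTER = """\
Directory of cfcard:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    6  -rw-      134213212  Nov 18 2007 05:30:11   V600R008C10.cc
    7  -rw-           4041  Nov 02 2007 11:04:00   patch.pat
500192 KB total (347760 KB free)
"""
# Constructed failure case: the copy on the slave MPU is shorter than the original.
DIR_SLAVE_TRUNCATED = """\
Directory of slave#cfcard:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    6  -rw-      134213212  Nov 18 2007 05:30:11   V600R008C10.cc
    7  -rw-           2048  Nov 02 2007 11:06:00   patch.pat
500192 KB total (343160 KB free)
"""
STARTUP = """\
MainBoard:
  Startup system software:      cfcard:/V600R008C10.cc
  Startup patch package:        Null
  Next startup patch package:   cfcard:/patch.pat
"""

# Idx, Attr, Size(Byte), "Mon DD YYYY", "HH:MM:SS", FileName
ROW_RE = re.compile(
    r"^\s*\d+\s+\S+\s+(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s*$"
)
# "label: value"; the label ends at the first colon, the value may contain colons.
FIELD_RE = re.compile(r"^\s*([^:]+):\s+(\S.*?)\s*$")


def parse_dir(text):
    """Map file name -> size in bytes for each file row of a dir listing."""
    return {m.group(2): int(m.group(1))
            for m in map(ROW_RE.match, text.splitlines()) if m}


def parse_startup(text):
    """Map board section (for example 'MainBoard') -> {field label: value}."""
    boards, current = {}, None
    for line in text.splitlines():
        section = re.fullmatch(r"\s*(\w+):\s*", line)
        if section:
            current = boards.setdefault(section.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2)
    return boards


def check_staged_patch(master_dir, slave_dir, startup, name="patch.pat"):
    """Return a list of problems found with the staged patch file (empty if none)."""
    problems = []
    master, slave = parse_dir(master_dir), parse_dir(slave_dir)
    for label, listing in (("master", master), ("slave", slave)):
        if name not in listing:
            problems.append(f"{name} is missing from the {label} MPU CF card")
    if name in master and name in slave and master[name] != slave[name]:
        problems.append(f"{name} size differs: master {master[name]} bytes, "
                        f"slave {slave[name]} bytes (incomplete copy?)")
    for board, fields in parse_startup(startup).items():
        nxt = fields.get("Next startup patch package")
        if nxt != f"cfcard:/{name}":
            problems.append(f"{board}: next startup patch package is {nxt}, "
                            f"not cfcard:/{name}")
    return problems


if __name__ == "__main__":
    for problem in check_staged_patch(DIR_MASTER, DIR_SLAVE_TRUNCATED, STARTUP):
        print(problem)
```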
13.4 Installing a Patch
You can install a patch on the system to repair it. By installing the patch, you can upgrade the
system without upgrading the system software.
13.4.1 Establishing the Configuration Task
Before installing a patch on the system, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
Applicable Environment
NOTICE
When installing a patch, it is recommended to specify all to install the patch for all boards at
one time rather than specify slot to install the patch for boards one by one. In some special
scenarios, you must specify slot to install a patch for the master and slave MPUs, and then for
all LPUs one by one.
Installing patches can fix system vulnerabilities or correct system defects. By installing a patch,
you can upgrade the system without upgrading the system software.
When a patch is uploaded, the system checks that the patch version is the same as the system
version. If the two versions are not the same, the system prompts that the patch uploading fails.
Pre-configuration Tasks
Before installing a patch, upload the patch to the root directory of the CF card of the master
MPU and slave MPU.
Data Preparation
None
13.4.2 Loading a Patch
You can load a patch only when the patch version matches the system software version.
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Run:
patch load file-name all
The patch is loaded.
----End
Follow-up Procedure
When a patch is loaded, the system checks whether the patch version is the same as the system
version. If the two versions are not the same, the system determines that the patch loading fails.
When the patch is loaded successfully, its status is Deactive. This status remains Deactive after
the board is reset.
13.4.3 Activating a Patch
A patch can be activated only when it is correctly loaded and is in the deactivated state.
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Run:
patch active all
The patch is activated.
----End
Follow-up Procedure
A patch can be activated only when it is correctly loaded and is in the deactivated state. When
a patch is activated, it immediately becomes valid. After the board is reset, however, the status
of the patch becomes Deactive, and the patch does not remain valid.
13.4.4 Running a Patch
A patch can be run only after it is activated. Running a patch means that the patch is activated
permanently.
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Run:
patch run all
The patch is run.
----End
Follow-up Procedure
A patch can be run only after it is activated. Running a patch means that the patch is activated
permanently and the patch remains valid after the board is reset. The status of the patch remains
Running.
13.4.5 Checking the Configuration
After a patch is installed on the system, you can check the patch status and the patch for the next
startup.
Procedure
• Run:
  display patch-information
  Check the patch state.
----End
Example
After the patch is loaded, run the display patch-information command. The results are as
follows:
<HUAWEI> display patch-information
Service pack Version:V600R008C10SPH001
Pack file name          cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33----------
Total Patch Unit        : 1
Running Patch Unit      :
Active Patch Unit       :
Deactive Patch Unit     : 1 - 1
----------The patch information of slot 34----------
Total Patch Unit        : 1
Running Patch Unit      :
Active Patch Unit       :
Deactive Patch Unit     : 1 - 1
After the patch is activated, run the display patch-information command. The results are as
follows:
<HUAWEI> display patch-information
Service pack Version:V600R008C10SPH001
Pack file name          cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33----------
Total Patch Unit        : 1
Running Patch Unit      :
Active Patch Unit       : 1 - 1
Deactive Patch Unit     :
----------The patch information of slot 34----------
Total Patch Unit        : 1
Running Patch Unit      :
Active Patch Unit       : 1 - 1
Deactive Patch Unit     :
After running the patch, run the display patch-information command. The results are as
follows:
<HUAWEI> display patch-information
Service pack Version:V600R008C10SPH001
Pack file name          cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33----------
Total Patch Unit        : 1
Running Patch Unit      : 1 - 1
Active Patch Unit       :
Deactive Patch Unit     :
----------The patch information of slot 34----------
Total Patch Unit        : 1
Running Patch Unit      : 1 - 1
Active Patch Unit       :
Deactive Patch Unit     :
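Because an activated patch falls back to Deactive when a board is reset (Table 13-2), a fix that was activated but never run can silently disappear. The following Python sketch is an added example, not Huawei code: it parses the per-slot display patch-information layout shown above and flags slots whose patch units are not in the running state. The sample output is constructed, the function names are hypothetical, and reading "1 - 1" as a first-to-last range of unit numbers is an assumption.

```python
import re

# Constructed sample in the per-slot layout of the examples above:
# slot 33 is activated only, slot 34 is running. Not captured from a device.
SAMPLE = """\
Service pack Version:V600R008C10SPH001
Pack file name          cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 33----------
Total Patch Unit        : 1
Running Patch Unit      :
Active Patch Unit       : 1 - 1
Deactive Patch Unit     :
----------The patch information of slot 34----------
Total Patch Unit        : 1
Running Patch Unit      : 1 - 1
Active Patch Unit       :
Deactive Patch Unit     :
"""

SLOT_RE = re.compile(r"^-+The patch information of slot\s+(\d+)-+$")
FIELD_RE = re.compile(r"^(Total|Running|Active|Deactive) Patch Unit\s*:\s*(.*)$")


def unit_count(value):
    """Count units in a field value: '' -> 0, '2' -> 1, '1 - 3' -> 3 (assumed range)."""
    value = value.strip()
    if not value:
        return 0
    m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", value)
    if not m:
        raise ValueError(f"unrecognized patch unit value: {value!r}")
    first, last = int(m.group(1)), int(m.group(2) or m.group(1))
    if last < first:
        raise ValueError(f"descending patch unit range: {value!r}")
    return last - first + 1


def parse_patch_information(text):
    """Return {slot: counts dict}; slots that do not need a patch map to None."""
    slots, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            current = int(m.group(1))
            slots[current] = {"total": 0, "running": 0, "active": 0, "deactive": 0}
            continue
        if current is None:
            continue  # header lines: service pack version, pack file name
        if line == "This slot does not need patch":
            slots[current] = None
            continue
        m = FIELD_RE.match(line)
        if m and slots[current] is not None:
            key, value = m.group(1).lower(), m.group(2).strip()
            slots[current][key] = int(value or 0) if key == "total" else unit_count(value)
    return slots


def state_after_board_reset(units):
    """Apply Table 13-2: active units fall back to deactive, running units stay."""
    return {"total": units["total"], "running": units["running"], "active": 0,
            "deactive": units["deactive"] + units["active"]}


def audit(text):
    """List (slot, finding) for every slot with units that are not running."""
    findings = []
    for slot, units in sorted(parse_patch_information(text).items()):
        if units is None:
            continue
        if units["active"]:
            after = state_after_board_reset(units)
            findings.append((slot, f"{units['active']} unit(s) active only; a board reset "
                                   f"leaves {after['deactive']} unit(s) deactive "
                                   f"until patch run is used"))
        if units["deactive"]:
            findings.append((slot, f"{units['deactive']} unit(s) loaded but deactive"))
    return findings


if __name__ == "__main__":
    for slot, finding in audit(SAMPLE):
        print(f"slot {slot}: {finding}")
```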
13.5 (Optional) Deactivating the Patch
If an installed patch does not take effect, you need to deactivate it.
13.5.1 Before You Start
Before deactivating a patch, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
Applicable Environment
After a patch is activated, you need to determine whether the patch has achieved the expected
effect. If the patch is not valid, you need to deactivate it.
A patch can be deactivated only after it is activated.
Pre-configuration Tasks
None
Data Preparation
None
13.5.2 Deactivating a Patch
Deactivating a patch makes an active patch become inactive.
Procedure
Step 1 Run:
patch deactive all
The patch is deactivated.
----End
13.5.3 Checking the Configuration
After a patch is deactivated, you can run the display command to check the patch status.
Procedure
• Run:
  display patch-information
  Check the patch state.
----End
Example
After the preceding configuration is complete, run the display patch-information command.
The results are as follows:
<HUAWEI> display patch-information
Service pack Version:V600R008C10SPH001
Pack file name          cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33----------
Total Patch Unit        : 1
Running Patch Unit      :
Active Patch Unit       :
Deactive Patch Unit     : 1 - 1
----------The patch information of slot 34----------
Total Patch Unit        : 1
Running Patch Unit      :
Active Patch Unit       :
Deactive Patch Unit     : 1 - 1
13.6 Configuration Examples for Patch Management
This section describes some configuration examples for managing patches.
13.6.1 Example for Installing a Patch
When the system has vulnerabilities or defects, you can install a patch to repair the system.
Networking Requirements
Figure 13-3 shows a scenario in which an urgent bug occurs in the system software on the
Provider Edge (PE) connected to the Internet. Huawei provides a patch file to remove the bug.
Install the patch in this patch file to remove the bug.
Figure 13-3 Networking diagram of installing a patch
[Figure: devices shown are the FTP Server (10.1.1.2/24), the PE (GE0/0/0, 10.1.1.1/24), the PC (10.1.1.3/24), and the MPLS Core]
Configuration Roadmap
The configuration roadmap is as follows:
1. Save the patch file to the root directory of the CF card on the master and slave MPUs.
2. Load the patch.
3. Activate the patch.
4. Run the patch.
Data Preparation
To complete the configuration, you need the following data:
• File name of the patch: patch.pat
• Path where the patch is saved on the MPU: cfcard:/
Procedure
Step 1 Upload the patch file for the system software.
# Log in to the FTP server.
<PE> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp]
# Configure the binary transmission format and the working directory of the CF card on the PE.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
% Local directory now cfcard:.
# Load the patch file for the current system software from the remote FTP server.
[ftp] get patch.pat
200 Port command okay.
150 Opening ASCII mode data connection for license.txt.
226 Transfer complete.
FTP: 6309 byte(s) received in 0.188 second(s) 33.55Kbyte(s)/sec.
[ftp] bye
221 Server closing.
<PE>
# Copy the patch file to the CF card on the slave MPU.
<PE> copy cfcard:/patch.pat slave#cfcard:/
Copy cfcard:/patch.pat to slave#cfcard:/patch.pat?[Y/N]:y
100% complete
Info:Copied file cfcard:/ patch.pat to slave#cfcard:/ patch.pat...Done
Step 2 Load the patch.
<PE> patch load patch.pat all
Step 3 Activate the patch.
<PE> patch active all
Step 4 Run the patch.
<PE> patch run all
Step 5 Verify the configuration
<PE> display patch-information
Patch Package Name   :cfcard:/patch.pat
Patch Package Version:V600R008C10SPH001
************************************************************************
*             The hot patch information, as follows:                   *
************************************************************************
Slot       Type       State       Count
------------------------------------------------------------
7          C          Running     1
************************************************************************
*             The cold patch information, as follows:                  *
************************************************************************
all slots do not need cold patch
----End
Configuration Files
None
A Glossary
This appendix collates frequently used terms in this document.
A
Accounting
A network security service that records the user's access to the
network.
Agent
A process that is used in all managed devices. It receives request
packets from the NM Station and performs the Read or Write
operation on managed variables according to packet types and
generates response packets and sends them to the NM Station.
AH
Authentication Header. A security protocol that provides data
authentication and integrity for IP packets. AH is used in the
transmission mode and in the tunneling mode.
ASSP
Analogue Sensor Signal Processes. An error tolerance protocol
that provides the interface backup in the multiple access, multicast
and broadcast in LAN (such as Ethernet).
Authentication
A method used to prove user identity.
Authorization
A method used to prove identity of users to use the service.
B
Backup center
A mechanism in which the interfaces on a device back up each
other and trace the status of the interface. If an interface is Down,
the backup center provides a backup interface to undertake the
service.
BFD
Bidirectional Forwarding Detection. A unified detection
mechanism that is used to detect and monitor the link or IP routes
forwarding at a fast pace.
Black list
A filtering mode that is used to filter the packet according to the
source IP address. Compared with the ACL, the black list can filter
the packet at a high speed because its matching region is simple.
It can shield the packet from the specified IP address.
C
CLI
Command Line Interface. An interface that allows the user to
interact with the operating system. Users can configure and
manage the NE80E/40E by entering commands through the CLI.
Congestion avoidance
A flow control mechanism by which the network overload is
relieved by adjusting the network traffic. When the congestion
occurs and becomes worse, the packet is discarded by monitoring
the network resource.
Congestion management
A flow control measure to solve the problem of network resource
competition. When the network congestion occurs, it places the
packet into the queue for buffer and determines the order of
forwarding the packet.
Command line level
The priority of the system command that is divided into 4 levels.
Users of a level can run the command only of the same or lower
level.
E
Ethernet
A baseband LAN specification created by Xerox and developed
by Xerox, Intel, and Digital Equipment Corporation (DEC). This
specification is similar to IEEE802.3.
Ethernet_II
An encapsulation format of the Ethernet frame. Ethernet_II that
contains a 16-bit protocol type field is the standard ARPA Ethernet
Version 2.0 encapsulation.
Ethernet_SNAP
An encapsulation format of the Ethernet frame. The frame format
complies with RFC 1042 and enables the transmission of the
Ethernet frame on the IEEE 802.2 media.
F
FIFO
First In First Out. A queuing scheme in which the first data into
the network is also the first data out of the network.
File system
A method in which files and directories in the storage devices are
managed, such as creating a file system, creating, deleting,
modifying and renaming a file or directory or displaying the
contents of the file.
FTP
File Transfer Protocol. An application protocol in the TCP/IP
stack, used for transferring files between remote hosts. FTP is
implemented based on the file system.
H
HGMPv2
Huawei Group Management Protocol Version 2. A protocol with
which the discovery, topology collection, centralized management
and remote maintenance are implemented on Layer 2 devices of a
cluster that are connected with the router.
I
Information center
The information hinge in the MA5200G that can classify and filter
the output information.
IPv6
Internet Protocol Version 6. Replacement for the current version
of IP (version 4) designed by the IETF. It is the second generation
standard protocol of the internet layer and it is also called IPng
(next generation). The length of the IP address in IPv6 is 128 bits
and the length of the IP address in IPv4 is 32 bits.
IP negotiated
An attribute of the interface. When the user accesses the Internet
through the ISP, the IP address is usually allocated by the peer
server. The PPP packet must be encapsulated and the IP address
negotiated attribute must be configured on the interface so that the
local interface accepts the IP address allocated by the peer end
through the PPP negotiation.
IP unnumbered
A mechanism in which the interface that is not configured with an
IP address can borrow the IP address of the interface that is
configured with an IP address to save the IP address resource.
ISATAP tunnel
Intra-site Automatic Tunnel Addressing Protocol. A protocol that
is used for the IPv4/IPv6 host in the IPv4 network to access the
IPv6 network. The ISATAP tunnel can be established between the
ISATAP hosts or between the ISATAP host and the ISATAP
router.
ISIS-TE
Traffic engineering of IS-IS. (For the information of IS-IS, refer
to Acronyms and Abbreviations)
L
LAN interface
Local Area Network interface. Often an Ethernet interface through
which the router can exchange data with the network device in a
LAN.
License
Permission of some features that dynamically control the product.
Logical interface
A configured interface that can exchange data but does not exist
physically. A logical interface can be a sub-interface, virtual-template
interface, virtual Ethernet interface, Loopback interface,
Null interface and Tunnel interface.
M
MIB
Management Information Base. A database of variables of the
monitored network device. It can uniquely define a managed
object.
Modem
Modulator-demodulator. Device that converts digital and analog
signals.
Multicast
A process of transmitting packets of data from one source to many
destinations. The destination address of the multicast packet uses
Class D address, that is, the IP address ranges from 224.0.0.0 to
239.255.255.255. Each multicast address represents a multicast
group rather than a host.
N
NDP
Neighbor Discovery Protocol. A protocol that is used to discover
the information of the neighboring Huawei device that is
connected with the local device.
NMS
Network Management System. A system that sends various query
packets and receives the response packet and trap packet from the
managed devices and displays all the information.
NTDP
A protocol that is used to collect the information of the adjacency
and the backup switch of each device in the network.
NTP
Network Time Protocol. An application protocol that is used to
synchronize the distributed server and the client side.
O
OSPF-TE
Traffic engineering of OSPF. (For the information of OSPF, refer
to Acronyms and Abbreviations)
P
Policy-based routing
A routing scheme that forwards packets to specific interfaces based
on user-configured policies.
R
Regular expression
When a lot of information is output, you can filter the unnecessary
contents out with regular expressions and display the necessary
contents.
RMON
Remote monitoring. An MIB agent specification defined by the
IETF that defines functions for the remote monitoring of the data
flow of a network segment or the whole network.
router
A device on the network layer that selects routes in the network.
The router selects the optimal route according to the destination
address of the received packet through a network and forwards the
packet to the next router. The last router is responsible for sending
the packet to the destination host.
RRPP
Rapid Ring Protection Protocol. A protocol that is applied on the
data link layer. When the Ethernet ring is complete, it can prevent
the broadcast storm caused by the data loop. When a link is
disconnected on an Ethernet ring, it can rapidly restore the
communication link between the nodes on the ring network.
RSVP-TE
Traffic engineering of RSVP. (For the information of RSVP, refer
to Acronyms and Abbreviations)
S
Service tracing
A method of service debugging, diagnosis and error detection that
is mainly used for service personnel to locate the fault in user
access. The service tracing can output the status change and the
result of the protocol processing of the specified user during the
access to the terminal or the server for the reference and analysis
of the service personnel.
SSH
Secure Shell. A protocol that provides a secure connection to a
router through a TCP application.
Static ARP
A protocol that binds some IP addresses to a specified gateway.
The packet of these IP addresses must be forwarded through this
gateway.
System environment
Basic parameters for running the MA5200G such as host name,
language mode and system time. After configuration, the system
environment can meet the requirements of the actual environment.
T
Telnet
An application protocol of the TCP/IP stack that provides virtual
terminal services for a wide variety of remote systems.
Terminal
A device that is connected with other devices through the serial
port. The keyboard and the display have no disk drives.
Traffic policing
A process used to measure the actual traffic flow across a given
connection and compare it to the total admissible traffic flow for
that connection. When the traffic exceeds the flow that is agreed
upon, some restrictions or penalties are adopted to protect the
interest and the network resource of the operator.
Traffic shaping
A flow control measure to shape the flow rate. It is often used to
control the flow in regular amounts to ensure that the traffic is
within the traffic stipulated for the downstream router and prevents
unnecessary discard and congestion.
Tunnel
Secure communication path between two peers in the VPN that
protects the internal information of the VPN from the interruption.
V
VPN
Virtual Private Network. A new technology developed with the
Internet to provide an apparent single private network over a public
network. "Virtual" means the network is a logical network.
VRP
Versatile Routing Platform. A versatile routing operating system
platform developed for all data communication products of
Huawei. With the IP service as its core, the VRP adopts the
componentized architecture. The VRP realizes rich functions and
provides tailorability and scalability based on applications.
VRRP
Virtual Router Redundancy Protocol. An error tolerant protocol
defined in RFC 2338. It forms a backup group for a group of
routers in a LAN that functions as a virtual router.
VTY
Virtual type terminal. A terminal line that is used to access a
router through Telnet.
W
X
X.25
A protocol applied on the data link layer that defines how
connections between DTE and DCE are maintained for remote
terminal access and computer communications in PDNs.
XModem
A transmission protocol in the format of the binary code.
XOT
X.25 over TCP. A protocol that implements the interconnection
between two X.25 networks through the TCP packet bearing X.25
frames.
B Acronyms and Abbreviations
This appendix collates frequently used acronyms and abbreviations in this document.
Numerics
3DES
Triple Data Encryption Standard
A
AAA
Authentication, Authorization and Accounting
ACL
Access Control List
ARP
Address Resolution Protocol
AES
Advanced Encryption Standard
ASPF
Application Specific Packet Filter
AUX
Auxiliary port
B
BGP
Border Gateway Protocol
C
CBQ
Class-based Queue
CHAP
Challenge Handshake Authentication Protocol
CQ
Custom Queuing
CR-LDP
Constraint-based Routing LDP
D
DES
Data Encryption Standard
DHCP
Dynamic Host Configuration Protocol
DNS
Domain Name System
E
ESP
Encapsulating Security Payload
F
FR
Frame Relay
G
GRE
Generic Routing Encapsulation
H
HDLC
High Level Data Link Control
I
IETF
Internet Engineering Task Force
IKE
Internet Key Exchange
IPSec
IP Security
IS-IS
Intermediate System-to-Intermediate System intra-domain
routing information exchange protocol
ITU-T
International Telecommunication Union Telecommunications
Standardization Sector
L
L2TP
Layer Two Tunneling Protocol
LAPB
Link Access Procedure Balanced
LDP
Label Distribution Protocol
M
MAC
Medium Access Control
MBGP
Multiprotocol Extensions for BGP-4
MFR
Multiple Frame Relay
MP
MultiLink PPP
MPLS
Multiprotocol Label Switching
MSDP
Multicast Source Discovery Protocol
MTU
Maximum Transmission Unit
N
NAT
Network Address Translation
O
OAM
Operation, Administration and Maintenance
OSPF
Open Shortest Path First
P
PAP
Password Authentication Protocol
PE
Provider Edge
Ping
Ping (Packet Internet Groper)
PPP
Point-to-Point Protocol
PPPoA
PPP over AAL5
PPPoE
Point-to-Point Protocol over Ethernet
PPPoEoA
PPPoE on AAL5
PQ
Priority Queuing
Q
QoS
Quality of Service
R
RADIUS
Remote Authentication Dial In User Service
RIP
Routing Information Protocol
RPR
Resilient Packet Ring
RSVP
Resource Reservation Protocol
S
SFTP
SSH File Transfer Protocol
T
TE
Traffic Engineering
TCP
Transmission Control Protocol
TFTP
Trivial File Transfer Protocol
V
VPN
Virtual Private Network
VRP
Versatile Routing Platform
VRRP
Virtual Router Redundancy Protocol
W
WAN
Wide Area Network
WFQ
Weighted Fair Queuing
WRED
Weighted Random Early Detection
X
XOT
X.25 Over TCP